From 2dac1520947ae436d6e23fbc0662a2f020a2b45b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 22 Apr 2026 20:15:10 -0400 Subject: [PATCH] Lock versions for releases: 8.19,9.2,9.3,9.4 (#5972) * Locked versions for releases: 8.19,9.2,9.3,9.4 --------- Co-authored-by: shashank-elastic --- detection_rules/etc/version.lock.json | 4390 +++++++++++++++---------- docs-dev/ATT&CK-coverage.md | 2 +- pyproject.toml | 2 +- 3 files changed, 2707 insertions(+), 1687 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index b83a681da..2599555c5 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -1,21 +1,21 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "9c1281d5315dcf872bc65e6d30af66eeadb4ceaf37d9714629c213e746428336", + "sha256": "f2eff7fde63919cf5ce12fc0a43b396d4f946d0b91202749bb8e1959ba503cbd", "type": "query", - "version": 415 + "version": 416 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "6a4eb911446aa850681cf14d125f358e8b44319da80c66a5b5495c9978aa3004", + "sha256": "2d0d2aab14f6820318d2d580ab212ecacd2dd9da502d4d0af749a8d092f2d655", "type": "eql", - "version": 319 + "version": 320 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", - "sha256": "dc08e00d1f093824cd9f6195619de125ea81c97b96ae6c88ff0c310f66786f7c", + "sha256": "a205cef434fbf0d0d84f26733b53e949d9a58f1632332b890a8f21dde8e8c9dd", "type": "eql", - "version": 420 + "version": 421 }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", 
@@ -31,15 +31,15 @@ }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", - "sha256": "0a0794d4571cbdfb8dda1babc9d135e75c1bc8108479319cbc4e410da9e8be3f", + "sha256": "91b36ea21ef5f2334a76a399ad91075977d7b149b9bab8bad35c854914d62420", "type": "query", - "version": 7 + "version": 8 }, "0136b315-b566-482f-866c-1d8e2477ba16": { "rule_name": "Deprecated - M365 Security Compliance User Restricted from Sending Email", - "sha256": "32f3b43818d6f5da6596d482417e82040958499d42ebf0de735791d1372a0ef2", + "sha256": "226cb4ca9b14010933649d9bac8285e8266edb900b2d835b38307bc6fb629385", "type": "query", - "version": 212 + "version": 213 }, "015cca13-8832-49ac-a01b-a396114809f6": { "rule_name": "Deprecated - AWS Redshift Cluster Creation", @@ -74,15 +74,15 @@ "02275e05-57a1-46ab-a443-7fb444da6b28": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities", - "sha256": "1ac8acc9df54ef208b5dc3742eae3e38ea84b175e82d9cf10ac5196088f5fa42", + "sha256": "539f711b818d81795aaa0685de7d462dde5553ec579eb775fdcf8f69ab9227d5", "type": "eql", - "version": 3 + "version": 4 }, "022c37cd-5a4f-422b-8227-b136b7a23180": { "rule_name": "Azure Arc Cluster Credential Access by Identity from Unusual Source", - "sha256": "c70260326562dbb991c5d9fd30f1fac3d3eb355879f7f011c790d239358b2fc2", + "sha256": "71236804fae2460ed5d446795ca47484be4217066c02e16e29684c83d8c4d403", "type": "new_terms", - "version": 2 + "version": 3 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "rule_name": "Potential Cookies Theft via Browser Debugging", 
@@ -98,9 +98,9 @@ }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", - "sha256": "c276363723d8b741ba88a34397b8c1583a2d904e7b15eadff5a03a89e40e51e0", + "sha256": "4aa9842670b9ebc492a4614e4317094998cf31227ac49598907aeb5bec61c692", "type": "eql", - "version": 10 + "version": 11 }, "02a4576a-7480-4284-9327-548a806b5e48": { "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", @@ -109,10 +109,20 @@ "version": 311 }, "02b4420d-eda2-4529-9e46-4a60eccb7e2d": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 104, + "rule_name": "Spike in Group Privilege Change Events", + "sha256": "f1b1c78251514ea08b82d81a68811dcf1756bde9a25d7f17adff4b6f612c523a", + "type": "machine_learning", + "version": 5 + } + }, "rule_name": "Spike in Group Privilege Change Events", - "sha256": "f1b1c78251514ea08b82d81a68811dcf1756bde9a25d7f17adff4b6f612c523a", + "sha256": "d8194e445c87e8157a08b8aacf0fd3e0cafe76ef4c01be534907b1acb4c90108", "type": "machine_learning", - "version": 5 + "version": 105 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { "rule_name": "Potential Ransomware Note File Dropped via SMB", @@ -128,15 +138,15 @@ }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "M365 Exchange Email Safe Attachment Rule Disabled", - "sha256": "6b1e511c3d8b37b93763904520c805fc95c4a2211edd3bf22f4e25fef9f31db4", + "sha256": "a13cc41b5296170dea0f9410986cbb6e32524cd0655f9b7dd0cde9738b7fe8ae", "type": "query", - "version": 212 + "version": 213 }, "03245b25-3849-4052-ab48-72de65a82c35": { "rule_name": "GitHub Actions Unusual Bot Push to Repository", - "sha256": "80bd309c2d2564487e9fbba7f80c99d9998ac1e9bf023518a0a7c09b7b3940b9", + "sha256": "8299a1ebfbcff5d084b1ffd256aaa5dbf5d7929e8b0a9037bc7d83792b927b4c", "type": "new_terms", - "version": 2 + "version": 3 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", 
@@ -182,9 +192,9 @@ }, "0415258b-a7b2-48a6-891a-3367cd9d4d31": { "rule_name": "First Time AWS CloudFormation Stack Creation", - "sha256": "0c9d3ca5caa192699b0063ff1bdd3d1c02fec13775724126cf6820833340921f", + "sha256": "5a13a67e1b4bf143cfe2a0d8d3447f6a60fc0715e8494ee228a0040708d817d9", "type": "new_terms", - "version": 7 + "version": 8 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Renaming of OpenSSH Binaries", @@ -204,27 +214,27 @@ "8.19": { "max_allowable_version": 100, "rule_name": "High Number of Protected Branch Force Pushes by User", - "sha256": "6ecf2e6fbea8d375d4737291540983e97ce7ca80ec165d6380a11eab3287782c", + "sha256": "c106d5b9496998b4af456df8d7df3c6ae1357af321309b4d51be2909f20ace09", "type": "esql", - "version": 2 + "version": 3 } }, "rule_name": "High Number of Protected Branch Force Pushes by User", - "sha256": "0f0d9d1fd9f230eb192515220a010111d6391e983624a53e09d45dd85ce721b6", + "sha256": "eafae5474516c5620352bbf6fdc4e5746adb3cf882352bad06a19d7dbfd26020", "type": "esql", - "version": 103 + "version": 104 }, "043d80a3-c49e-43ef-9c72-1088f0c7b278": { "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "45bafb4d78532d1c14f39e0ec63bd6e8c82780af7b66030bbfcac222cf82913e", + "sha256": "dba859d27b151a923834b39a2c500f09b452ecd18fb17bc42fcedef488f957f8", "type": "eql", - "version": 205 + "version": 206 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "rule_name": "Entra ID Global Administrator Role Assigned", - "sha256": "75139c9666c86d615d6ddd72cb47dd16335cd9291d5210f2e393dbbb2d127778", + "sha256": "9e8ad446f3a34d36c690d2af3ab183e06ef27545b244ce0b4f700d573cb8c71d", "type": "query", - "version": 107 + "version": 108 }, "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { "rule_name": "User Added to the Admin Group", 
@@ -234,15 +244,15 @@ }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "rule_name": "Suspicious Microsoft Antimalware Service Execution", - "sha256": "3203192a8041b77616255d68fb931ef4c85b25bb8448b484b79f26ac5c16eea9", + "sha256": "93d329e98993f74917716c1cbea7708ebbe928e0462d3ae4e8452abe7d55a5c9", "type": "eql", - "version": 217 + "version": 218 }, "054853f3-2ce0-41f3-a6eb-4a4867f39cdc": { "rule_name": "M365 Defender Alerts Signal", - "sha256": "35c1046191b7ca47e3823cf1bd6d886e46229c2c7a24ddf6d2a71f52b7756723", + "sha256": "b4a2a0cb67bf979baded41864bc6fa10883535dc419e6b6488ba8b1c8d0fb907", "type": "query", - "version": 1 + "version": 2 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "rule_name": "Systemd-udevd Rule File Creation", @@ -252,9 +262,9 @@ }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "51c7cd4dc3b7daf503ea7d0eb1403ef46a8de3611b333180d3db2235aa02650f", + "sha256": "d45133e84dadf2565b8c9a77c4d1aaeb9da6db1a4c0e9d34f47abe0d7f132150", "type": "eql", - "version": 218 + "version": 219 }, "05a50000-9886-4695-ad33-3f990dc142e2": { "min_stack_version": "9.3", @@ -265,15 +275,15 @@ }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "f4e1f9d6d33fedcd444fbe238ea99dbeb66031172f00bdf4cd900ea91586d6fc", + "sha256": "f750da59bfae7e417e2fef8122c3e5b7520f15e8610d3c66dd63557fa6504962", "type": "eql", - "version": 312 + "version": 313 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "rule_name": "Tainted Kernel Module Load", - "sha256": "3409362f16f2ea621c13ead1a974ee23f72be8c149f6ddae366e3cd5fecbf50d", + "sha256": "d4df17e4c4a8b6081d4dc4c4682ee25d1ed06862635d77ea153047f150e1b1f7", "type": "query", - "version": 9 + "version": 10 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", 
@@ -295,9 +305,9 @@ }, "064a2e08-25da-11f0-b1f1-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk", - "sha256": "58ce72a27d22c9c620a894c2cf4c6a7e00dc88f3fa626da7483868a1861765da", + "sha256": "fbb58851e7b0642dbb3d884af38bac704a32fd6065228ae2d97cc8769bf6a93f", "type": "query", - "version": 4 + "version": 5 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "rule_name": "System Time Discovery", @@ -306,16 +316,26 @@ "version": 114 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "Unusual Remote File Size", + "sha256": "565ac2eb82e32aae378c10858021adb00856aa3fcca8dfff5921bec099323be0", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "Unusual Remote File Size", - "sha256": "565ac2eb82e32aae378c10858021adb00856aa3fcca8dfff5921bec099323be0", + "sha256": "ea21c2579a2ea6d078cc251597362fa05d6ad0a2b65fc498d6c5059636d8b638", "type": "machine_learning", - "version": 9 + "version": 109 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "16e3f15d9751ac5e7a214666d2ab0a3a815ecba1a81eee2d411339acc726759f", + "sha256": "5692672842a48f71b5253c44265eadb1b0fe0e9353616597fe1608fe528785cd", "type": "eql", - "version": 213 + "version": 214 }, "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": { "rule_name": "Dynamic Linker (ld.so) Creation", @@ -325,9 +345,9 @@ }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", - "sha256": "6ca7734eae8382f1a540c93eb25ee68b216e6cafef14039079486562079a8960", + "sha256": "3fcc019c9f5bafedd7220926e16a82edef38b3eeca1d87114c9896a1ae0dd7f7", "type": "eql", - "version": 218 + "version": 219 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Memory Threat - Prevented- Elastic Defend", 
@@ -337,15 +357,15 @@ }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "d1938166ae314b5d65bd7cd0f0e25da8ffee8876a58953b1830890d09a6ea8ae", + "sha256": "60dd574dfe52985d607114c10bf8314dc37801dd9564da1880d7b939d3deef13", "type": "eql", - "version": 316 + "version": 317 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "211d86814c799c776291d2387868439b4ebd6e01c2e243d10d387bab0362ac36", + "sha256": "5b3ad0cab15b804ec79acfddc6075930f20e13bdc9b7df71afa2bab6135aa015", "type": "eql", - "version": 209 + "version": 210 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", @@ -355,15 +375,15 @@ }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "393b600688019a02a4e864518e1ac1b5d0b81d5be1f534cfb5137748aae51a7e", + "sha256": "418d19ba1253b26f0ecc3538338efad9c21c676ed4e9c4febe14c040a2c3c0ea", "type": "eql", - "version": 319 + "version": 320 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", - "sha256": "1da3405b77ad8ca58161b6fabc9e04c5119b12d8c1daa9f062fcac797b001a35", + "sha256": "cf7654ebd4c213e045aaa2ad22109e5d4d8d75c557757a8402eabe3919da5acb", "type": "query", - "version": 110 + "version": 111 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", @@ -391,9 +411,9 @@ }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "rule_name": "First Time Seen Removable Device", - "sha256": "4c42eef9c2804f93e9e02bcdfa8e0f36f462f32538c84ce59afcb648b391cb53", + "sha256": "9d8dee0764bf2d1de0f34a639b583202562518bd60359cc1e1da1c4188135df1", "type": "new_terms", - "version": 212 + "version": 213 }, "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": { "rule_name": "Node.js Pre or Post-Install Script Execution", 
@@ -414,10 +434,20 @@ "version": 8 }, "08be5599-3719-4bbd-8cbc-7e9cff556881": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Source IP for Windows Privileged Operations Detected", + "sha256": "bc44537711867484c6d568447d16aa07c2bebb17b8e8de3f9d5d4cd27b7877dc", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Source IP for Windows Privileged Operations Detected", - "sha256": "bc44537711867484c6d568447d16aa07c2bebb17b8e8de3f9d5d4cd27b7877dc", + "sha256": "cba194c97b4198045ac48cbff7beb5cf8aa6cd337abe8b945d0e921ea725f96c", "type": "machine_learning", - "version": 4 + "version": 104 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", @@ -456,16 +486,26 @@ "version": 100 }, "097ef0b8-fb21-4e45-ad89-d81666349c6a": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Spike in Special Logon Events", + "sha256": "92d7807f355cf385d1fa15849d15c6fb322bf1b9dde07df1b9e0d92899819b0c", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Spike in Special Logon Events", - "sha256": "92d7807f355cf385d1fa15849d15c6fb322bf1b9dde07df1b9e0d92899819b0c", + "sha256": "af7d7f8466de0579c7532f0e4cc5b23f711bc0484f6e516cc0f3962f7e510a6c", "type": "machine_learning", - "version": 4 + "version": 104 }, "098bd5cc-fd55-438f-b354-7d6cd9856a08": { "rule_name": "High Number of Closed Pull Requests by User", - "sha256": "e714dc4c3dc9577f4375fc6de33d23e79e537c2ae0f59f3693fe866dffd42dae", + "sha256": "f46d127ff65faf71c8a8b0f3fb5821e6deb79ff046965cbe27aa8f63f7229354", "type": "esql", - "version": 3 + "version": 4 }, "09bc6c90-7501-494d-b015-5d988dc3f233": { "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", 
@@ -475,9 +515,9 @@ }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure VNet Firewall Front Door WAF Policy Deleted", - "sha256": "b355161ce513a7d91cd204faecec0dedc264b18e54ef41c242523cbc6c0af30f", + "sha256": "2d00df8fc7b00a913e0c182043c1a112d1b2690af2c81572f80ad04a284e5df0", "type": "query", - "version": 107 + "version": 108 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "rule_name": "Malware - Detected - Elastic Endgame", @@ -504,10 +544,20 @@ "version": 10 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 311, + "rule_name": "Anomalous Windows Process Creation", + "sha256": "0d38cceb87101c739c8c402c9c084654ab8bea0da9d751f01e82deca56bdf848", + "type": "machine_learning", + "version": 212 + } + }, "rule_name": "Anomalous Windows Process Creation", - "sha256": "0d38cceb87101c739c8c402c9c084654ab8bea0da9d751f01e82deca56bdf848", + "sha256": "4322d572dd7347e0c0b1fe18bb2c528d15656965e263d2d9209a6ccbe24facdd", "type": "machine_learning", - "version": 212 + "version": 312 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", @@ -523,9 +573,9 @@ }, "0b79f5c0-2c31-4fea-86cd-e62644278205": { "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", - "sha256": "21c399561ab291f36e2be0da55ac4c17cc2678e91e96df6af3c9cc83a6c711d3", + "sha256": "930b95c69bf6eea872d22434afefa58e36c3427fe3074d3010aa7531c87510b7", "type": "eql", - "version": 6 + "version": 7 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "rule_name": "Potential Shell via Wildcard Injection Detected", 
@@ -535,15 +585,15 @@ }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "ce86f3f1fdb44fad33878a2c180f3a96be54462661ae37cf787ba39b29c9ec78", + "sha256": "b45c9b32d0985a63a0b8a30e5fce78e9384ffa3ab2505761bd8bf9c987ca5449", "type": "eql", - "version": 110 + "version": 111 }, "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": { "rule_name": "Elastic Defend and Network Security Alerts Correlation", - "sha256": "6c598d2eefbd251000e42180ee7d6cf054a1ee4b470d12f784a85bec03c01cb6", + "sha256": "15b613d3ba0acece6a8253f34df9e3f8528ec9a65642dfb2585425a083f8b7a6", "type": "esql", - "version": 6 + "version": 7 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "rule_name": "Processes with Trailing Spaces", @@ -559,9 +609,9 @@ }, "0c3c80de-08c2-11f0-bd11-f661ea17fbcc": { "rule_name": "M365 Identity OAuth Illicit Consent Grant by Rare Client and User", - "sha256": "987496695139074943b504b3399babe5db3f7164fdf9b5915433567a1d24f112", + "sha256": "990caac706a81700f2a8457d690ca56ba943e899e776bb8e8d053ee4aa3d5d13", "type": "new_terms", - "version": 7 + "version": 8 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", @@ -577,9 +627,9 @@ }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", - "sha256": "d7f8506e81915c1204c05dd7b7969f115103b046e89d6b214aa261cd5cb72929", + "sha256": "4f07ea069c2931b241dbf307642e681d91e8f159163bbb1a57d9ed0f4f88eeff", "type": "eql", - "version": 314 + "version": 315 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "rule_name": "Deprecated - Threat Intel Indicator Match", 
@@ -588,10 +638,20 @@ "version": 204 }, "0cbbb5e0-f93a-47fe-ab72-8213366c38f1": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "High Command Line Entropy Detected for Privileged Commands", + "sha256": "2e7d5c4df33ef2238bbf97c9d32ff1f30b544cd024426fbf7b8f60efb7289ad8", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "High Command Line Entropy Detected for Privileged Commands", - "sha256": "2e7d5c4df33ef2238bbf97c9d32ff1f30b544cd024426fbf7b8f60efb7289ad8", + "sha256": "e1065505966fda7f392ba493ac2b31b91e6f378c082d6704f3134ac39a389494", "type": "machine_learning", - "version": 4 + "version": 104 }, "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", @@ -601,21 +661,21 @@ }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "M365 Exchange Mailbox High-Risk Permission Delegated", - "sha256": "a99d3f1a878b32334b2cfdb822776bae8b640c73ca2c0f249cfd629a3a8f1e09", + "sha256": "894f2eba51cb0eb9109b09f87d273ae20204ec8d8ff1a5d3cd366e6650808047", "type": "new_terms", - "version": 213 + "version": 214 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "rule_name": "Multiple Alerts Involving a User", - "sha256": "f65217585fc96240d13bc4de41e59f92b3ce81627267bebed176d7add7fa5697", + "sha256": "80581101499a93d75805b70f6657d1dda36b1132976ac97928460c1110936843", "type": "esql", - "version": 7 + "version": 8 }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph", - "sha256": "b09b50fcb2010ca61ba40393d95ff0b09f587d7f4fb1bde3f3f6208e0d62baf9", + "sha256": "8b4df6f62ced7df33133c2b7bf594a3898364a219f4befbc8f671bf99e073c69", "type": "esql", - "version": 8 + "version": 9 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", 
@@ -635,15 +695,15 @@ "8.19": { "max_allowable_version": 204, "rule_name": "AWS Access Token Used from Multiple Addresses", - "sha256": "8fa1e1fae1b9df0dcbf613745f11a37be91a3a4f12fffdfb2683e0d606fdb20b", + "sha256": "e8e890e29bae445289f8b01d876a2e1d4ac019f41b7a8a5192b0a53d6e20c1dc", "type": "esql", - "version": 105 + "version": 106 } }, "rule_name": "AWS Access Token Used from Multiple Addresses", - "sha256": "cd8d3417f90b50eef61c5fcddffc40cfb7abecd4edafc8450af2656eea62ee63", + "sha256": "630d7857ba7bfc940f96a7fd106a6ac040e6a4a6e39bbf8e84d7acdb27704e01", "type": "esql", - "version": 206 + "version": 207 }, "0e1af929-42ed-4262-a846-55a7c54e7c84": { "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", @@ -665,21 +725,21 @@ }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "M365 SharePoint Malware File Detected", - "sha256": "14a1af1d926f42ad0025a51954a328ea770e664a871c163227e8597b49329bf3", + "sha256": "219149d921e9d74f4d05b7c228fa56ee3ae14df3a2c0373e981d498069bb89f4", "type": "query", - "version": 212 + "version": 213 }, "0e524fa6-eed3-11ef-82b4-f661ea17fbce": { "rule_name": "M365 OneDrive/SharePoint Excessive File Downloads", - "sha256": "9d50bbec806493725b1c928813d14b1b29caf88991662a39c748716ba674f690", + "sha256": "f8d745a83d271544f83eefd939f7a08615847df7c8b31a345065cbc06db50ccd", "type": "esql", - "version": 8 + "version": 9 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", - "sha256": "b84301cb7a906cc450436d5dcff843dd5b454345301cc97cf7858e2211456588", + "sha256": "a7de922125422835641adbae4ac03d3876d7db4b40c6a39e3039ef79757b5c0a", "type": "query", - "version": 108 + "version": 109 }, "0e67f4f1-f683-43c0-8d45-c3293cf31e5d": { "rule_name": "Lateral Movement Alerts from a Newly Observed Source Address", 
@@ -782,9 +842,9 @@ }, "1004ad5b-6900-4d28-ab5b-472f02e1fdfb": { "rule_name": "AWS SSM Inventory Reconnaissance by Rare User", - "sha256": "2eb8cfdb07798166e8e1dd3670510b676d8534e46fcf84abfd701d9b02107dd8", + "sha256": "1531a1d1f980b959ce58e42c0fb6a88915457be59be0697a2a52c266a55d4f25", "type": "new_terms", - "version": 2 + "version": 3 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { "rule_name": "AWS IAM Login Profile Added to User", @@ -812,27 +872,27 @@ }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", - "sha256": "31b8cd0b1dd3c87234077a916d0078084f97002f25b5000e7159d3e4d72ec71e", + "sha256": "ab55013a294910af157320c72f929d63b0fde2d711fdef1f5225460860ead3d2", "type": "query", - "version": 108 + "version": 109 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "3e3281f18ce3ea8d213d81c02aa7392e82725b7561db23878c2c8734e0f2f225", + "sha256": "cf5ea7a420443d103bfd583bfa334be57cad024bf5c3a3fbb93390f6b2f6976a", "type": "eql", - "version": 217 + "version": 218 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "c12c3a68af101bcbce58817565be96e65524121b02e8fd152d749b90a8fffc12", + "sha256": "e453b11a4c39805389424db8939d22278809fec08e6172c79bb7cf87ae26c5cd", "type": "eql", - "version": 316 + "version": 317 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "rule_name": "AWS RDS Snapshot Export", - "sha256": "1444babe7dce69629a2222be6a5ffb35d6fe83c286c1b26d6ebf42314a579aa9", + "sha256": "b78786276c865fe5602cfe809acdf9d0912624f137a0cf4049b4b5aefb497f84", "type": "query", - "version": 212 + "version": 213 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", 
@@ -854,9 +914,9 @@ }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "723c1839bba8a00293365b903c123c18dd2d942e2676d4f95090f42a5fd47532", + "sha256": "66bfe584a46f9c27ec808d78ca7f975b9ce6104c3bd2991510676d76e7e38cb5", "type": "query", - "version": 212 + "version": 213 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", @@ -865,10 +925,20 @@ "version": 100 }, "1224da6c-0326-4b4f-8454-68cdc5ae542b": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 210, + "rule_name": "User Detected with Suspicious Windows Process(es)", + "sha256": "a96480b14fddea2a5966e37fb70b54db6e8ef69582f58b9ddd9e0845943ff7ac", + "type": "machine_learning", + "version": 111 + } + }, "rule_name": "User Detected with Suspicious Windows Process(es)", - "sha256": "a96480b14fddea2a5966e37fb70b54db6e8ef69582f58b9ddd9e0845943ff7ac", + "sha256": "f46f877d99943deae9fa5622e50247b35000bc4fa24fcdc5637f394a543ec995", "type": "machine_learning", - "version": 111 + "version": 211 }, "1251b98a-ff45-11ee-89a1-f661ea17fbce": { "rule_name": "AWS Lambda Function Created or Updated", 
@@ -890,33 +960,33 @@ }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent", - "sha256": "2cd483d1bf44cc4f659cf2beb1a0364fdb1499c325dc003d1021b3f5602f6efb", + "sha256": "7c11440601de84729a35dfa170c057f749e1ed8943734cdad5d540f97f0900bf", "type": "new_terms", - "version": 210 + "version": 211 }, "12cbf709-69e8-4055-94f9-24314385c27e": { "rule_name": "Kubernetes Pod Created With HostNetwork", - "sha256": "2a6679b8ec4feee4091109685833d57445de939c658377f5a6a27773a57cb7f6", + "sha256": "957cd8a8925cca175889fadff063ff73d18f178be083cbff70f868dfff58ad72", "type": "query", - "version": 209 + "version": 210 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "505e0b601d7587cbd3f1b7ee9245a75299117258243f44320f661a6adb73c77f", + "sha256": "a4b04a8ff5f2d74ee9e1c5ee8ec133bc74d8ad935cca91ed57dc5f42919de5b9", "type": "eql", - "version": 209 + "version": 210 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "07c7f967479c49447a3c3f046c9c33fd9be4b98f57034bcff997060a3f9e1c06", + "sha256": "dff426ad89e3595df008b1e3eebe381001d991ed6f8556badc8cb7f03602384f", "type": "eql", - "version": 320 + "version": 321 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "9d888cca63e4fd57e41ada2889695309fd3ca6c756c2a2e915512e7462aa586f", + "sha256": "ba6cd7ad1cf9481e24a018cad2d535555cd18ee7f679dc59af979e8ec704498a", "type": "eql", - "version": 414 + "version": 415 }, "135abb91-dcf4-48aa-b81a-5ad036b67c68": { "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", 
@@ -925,16 +995,36 @@ "version": 107 }, "138520d2-11ff-4288-a80e-a45b36dca4b1": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Spike in Group Membership Events", + "sha256": "907893df220287d24f1906748b2da8456e68f29204e8cadd48187f98a98c5688", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Spike in Group Membership Events", - "sha256": "907893df220287d24f1906748b2da8456e68f29204e8cadd48187f98a98c5688", + "sha256": "6833917467dfd8d34a81995993907c41c52722e7afecb30ec5fec5641477c8f2", "type": "machine_learning", - "version": 4 + "version": 104 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Rare User Logon", + "sha256": "dbbfc73fc0478644faa929c86d67c4ce1a7a6af123ba5c96a3c57ba7454db18f", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Rare User Logon", - "sha256": "dbbfc73fc0478644faa929c86d67c4ce1a7a6af123ba5c96a3c57ba7454db18f", + "sha256": "e7b1144434301dcf8d3c853460221fd971055d06b21eae12d6434b5e898d91e3", "type": "machine_learning", - "version": 107 + "version": 207 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - Note Files by System", 
@@ -956,51 +1046,51 @@ }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Entra ID External Guest User Invited", - "sha256": "0a9b93490253851dfedef352e382402f47d282ded7e2130400e310d74a3d181c", - "type": "query", - "version": 108 - }, - "143cb236-0956-4f42-a706-814bcaa0cf5a": { - "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "5a9295587f27f717c1fa57077258c0bb56fb9857550ecb7c0773d2755931c5a7", + "sha256": "3cc4581f69c27422b3f2353597665249059ba22ef323c49c2b97218a803eaac9", "type": "query", "version": 109 }, + "143cb236-0956-4f42-a706-814bcaa0cf5a": { + "rule_name": "RPC (Remote Procedure Call) from the Internet", + "sha256": "0b281e8e82d4661b97cd6af7e181d4dd64824ee8db87f2facfd3a23526e92397", + "type": "query", + "version": 110 + }, "14dab405-5dd9-450c-8106-72951af2391f": { "rule_name": "Office Test Registry Persistence", - "sha256": "1f2420c1ad0345dcb66852c413a62f765e3499a3c4dbb67f3b14a010ae460a3f", + "sha256": "de38197afabe0ec8c706691eb2ffd5ecc4d06c09433315e4bf0692a57590212a", "type": "eql", - "version": 107 + "version": 108 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "rule_name": "Kubernetes User Exec into Pod", - "sha256": "cf1c663833ab749a97c110eb45d0228ed320353b274995fff26ec5b6488b25d8", + "sha256": "b84822387863316ee7e038ffc13bbf210e9d66bdd21bc0c4cbc1806a7a261d09", "type": "eql", - "version": 210 + "version": 211 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "233001ab1d4e9b16df6638802a83a9ccf377e3ef2380ef7d548ee980f5dcaee6", + "sha256": "b8be5282c728a2e9b27bf03d158ab52c0a392cc22d73af245848db7e0c85b5cf", "type": "eql", - "version": 315 + "version": 316 }, "14fa0285-fe78-4843-ac8e-f4b481f49da9": { "rule_name": "Entra ID OAuth Phishing via First-Party Microsoft Application", - "sha256": "a0052b219c12613b43f3b0b45d8eacc0b4b5ee9ce2ccb167d05ece989b878139", + "sha256": "1d5cd26347a6790ae2294701743b179765b2d5f29842f30b7564687d387f8cc7", "type": "query", - 
"version": 7 + "version": 8 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "70e1ab79af3934113dbbbaba1ebf4c928eb1200bd4c056ba586728482c6f88a5", + "sha256": "da0623d8382c2550dc8e2605907d304a97ce85101085e93eaae2be757ed6242f", "type": "new_terms", - "version": 208 + "version": 209 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", - "sha256": "74c2b1c0304ca426f733863c0419049018042d137c7067b1abde9a4f0418e114", + "sha256": "1e38ba5abce5df6e94d4f7ff4ef607302c6726044195ba8953854867fec17b60", "type": "eql", - "version": 7 + "version": 8 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "rule_name": "Execution from a Removable Media with Network Connection", @@ -1022,9 +1112,9 @@ }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "f3d8e62676ec8a7f2494ca228c62e29e6bc9f3e5d0bf2415ce40916f2e489335", + "sha256": "9691ff0522d8ff26f5181a8eece5d0bb641efa1550ae3630f08e46a606d4d573", "type": "eql", - "version": 318 + "version": 319 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", @@ -1072,9 +1162,9 @@ }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "413aa0e2013846d270d2adf1b110f8b79db4362d7add6317237811d8f09e7e6d", + "sha256": "090781ceb0f70e5c6d5854c34e2def7e8983a8c0fc34e614674ef24f4a9c74d9", "type": "query", - "version": 107 + "version": 108 }, "163a8f2f-c8a0-4b7e-9c4a-1184310eb7f3": { "rule_name": "Potential CVE-2025-32463 Nsswitch File Creation", 
@@ -1096,9 +1186,9 @@ }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", - "sha256": "0410eb7c7e319a25e36a3370d6a0086693311aa6adeb100e11867aaca931a2c8", + "sha256": "a18672298cd92d568cb52d61601a039e39aa68213d8dc698fcdfa49d06280434", "type": "query", - "version": 211 + "version": 212 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", @@ -1108,9 +1198,9 @@ }, "16acac42-b2f9-4802-9290-d6c30914db6e": { "rule_name": "AWS S3 Static Site JavaScript File Uploaded", - "sha256": "5fb3e0aae2b1ebf9a5ffcfc74df8cd42f502fbf0feac6a37b7f34237aa31b8ed", + "sha256": "cd60cea70299ec12558b2136864b0035da03a0dd42b4dd2280780e9bc41e6f2f", "type": "esql", - "version": 6 + "version": 7 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", 
@@ -1137,40 +1227,100 @@ "version": 6 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 309, + "rule_name": "Unusual Windows Username", + "sha256": "cf219e480a43620acf15659f951b5ab4c83d86326bc078bf6b2b9e165c3c30bb", + "type": "machine_learning", + "version": 210 + } + }, "rule_name": "Unusual Windows Username", - "sha256": "cf219e480a43620acf15659f951b5ab4c83d86326bc078bf6b2b9e165c3c30bb", + "sha256": "439a53c97f890e9069f64ade7995b100cf7c08ab3c4305b076c384db5cf6477d", "type": "machine_learning", - "version": 210 + "version": 310 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 309, + "rule_name": "Unusual Windows Service", + "sha256": "3c42a7c62094acd7a9859c540f52484dd6a41d3d36d39aeadbc62492967e35ca", + "type": "machine_learning", + "version": 210 + } + }, "rule_name": "Unusual Windows Service", - "sha256": "3c42a7c62094acd7a9859c540f52484dd6a41d3d36d39aeadbc62492967e35ca", + "sha256": "0eea7398ab7fbbc674a804b6fc2fb7f331e747e7c1a28927089d51e5254a48de", "type": "machine_learning", - "version": 210 + "version": 310 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 310, + "rule_name": "Suspicious Powershell Script", + "sha256": "ba7ac7109c4e1c1acc0a79dd47c42520c2d82b682f5630067a1d609b593859ce", + "type": "machine_learning", + "version": 211 + } + }, "rule_name": "Suspicious Powershell Script", - "sha256": "ba7ac7109c4e1c1acc0a79dd47c42520c2d82b682f5630067a1d609b593859ce", + "sha256": "815e86bb07efd5d73767e45677054f24f0b072412b4ba7210f195289eb9e9832", "type": "machine_learning", - "version": 211 + "version": 311 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 309, + "rule_name": "Unusual Windows User Privilege Elevation Activity", + "sha256": 
"cec4b63c64124b03e92ef65aca7cf18b5a4de706c53935cf74d95cc70cd43693", + "type": "machine_learning", + "version": 210 + } + }, "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "cec4b63c64124b03e92ef65aca7cf18b5a4de706c53935cf74d95cc70cd43693", + "sha256": "ac8baea0b2fd71b85c09a46482ad8e3c79f0334488c25ee2018c79f274231c4c", "type": "machine_learning", - "version": 210 + "version": 310 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 309, + "rule_name": "Unusual Windows Remote User", + "sha256": "96872a6f89cfe1e8ecc023430fc4349c49cb5b6ef9e4a833d422b6961741f481", + "type": "machine_learning", + "version": 210 + } + }, "rule_name": "Unusual Windows Remote User", - "sha256": "96872a6f89cfe1e8ecc023430fc4349c49cb5b6ef9e4a833d422b6961741f481", + "sha256": "c2541cadb2d1d9936e120b6daad7cae971b5d2ba79deb01bc3a044a885695f5b", "type": "machine_learning", - "version": 210 + "version": 310 }, "178770e0-5c20-4246-b430-e216a2888b23": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 104, + "rule_name": "Spike in User Lifecycle Management Change Events", + "sha256": "ef456fac2be7a733d18054b513015e78327fb99ad44dacc99be79140341146a1", + "type": "machine_learning", + "version": 5 + } + }, "rule_name": "Spike in User Lifecycle Management Change Events", - "sha256": "ef456fac2be7a733d18054b513015e78327fb99ad44dacc99be79140341146a1", + "sha256": "78e9dfe6280543b50244e70ade9ca9266f8f77531dcb55cdc872a95de1c944ae", "type": "machine_learning", - "version": 5 + "version": 105 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "rule_name": "Systemd Service Created", 
@@ -1186,21 +1336,31 @@ }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "afce4b3088aca5a734f64bc68ba2987653003a735afea849b300a51884c0802c", + "sha256": "bb3548f931c019e5a37efd6dd7f1953464866b7df29b21bf0ebedda27825fab1", "type": "eql", - "version": 216 + "version": 217 }, "17e68559-b274-4948-ad0b-f8415bb31126": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 208, + "rule_name": "Unusual Network Destination Domain Name", + "sha256": "f645b86e534e62a3da7f7b898cd1b0ea974c51d162961a19206bd0f00a67e31f", + "type": "machine_learning", + "version": 109 + } + }, "rule_name": "Unusual Network Destination Domain Name", - "sha256": "f645b86e534e62a3da7f7b898cd1b0ea974c51d162961a19206bd0f00a67e31f", + "sha256": "65a861fcdfcd0c2366b569e4e3c8e7a599512fa2331ece1fb23f58ed93ff1b85", "type": "machine_learning", - "version": 109 + "version": 209 }, "181f6b23-3799-445e-9589-0018328a9e46": { "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "36923ae1251f7766d426b5ee10cf1a5b1aa5f47a5effc14763ddac6fe3ed6679", + "sha256": "f4ba8781fb84ae3a347b2d2647b45a6eb41ecd5750e9453a7697157fb02ccd93", "type": "eql", - "version": 208 + "version": 209 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", @@ -1210,9 +1370,9 @@ }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", - "sha256": "d121078e9bbaea9a45c53cba4d722ac9a2d6cd6516a442f3a74da808bce2cc7b", + "sha256": "acbdc60b1dddabc74eeaf2f73f1a26c51ced274c1226442b720a366f7bf37d2e", "type": "query", - "version": 108 + "version": 109 }, "1859ce38-6a50-422b-a5e8-636e231ea0cd": { "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", 
@@ -1222,21 +1382,31 @@ }, "185c782e-f86a-11ee-9d9f-f661ea17fbce": { "rule_name": "AWS Secrets Manager Rapid Secrets Retrieval", - "sha256": "2f1bb0bca5c3afffe652e54dbce191f5e119e2c17ab37111b680f7880cee85ec", + "sha256": "800ebd4d1ef253c688e649cd84fca4d2da5b8896f3537ecaa252855132cd0cc6", "type": "threshold", - "version": 7 + "version": 8 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "Spike in Number of Connections Made to a Destination IP", + "sha256": "4598c9aad50c787eadce4ce3b88adcfbc87b02c2ac5dcd9a6c3b39a445e3e6f4", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "Spike in Number of Connections Made to a Destination IP", - "sha256": "4598c9aad50c787eadce4ce3b88adcfbc87b02c2ac5dcd9a6c3b39a445e3e6f4", + "sha256": "12ba54701c9c9a48fe730d815cf85aa3e3e17eb721b01045f3015cf5f197813b", "type": "machine_learning", - "version": 9 + "version": 109 }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", - "sha256": "b7f7a986a5518b0381718c489963d6da245e8d32eff17ebfa2fc78cf9d463fdd", + "sha256": "718358b1e1c35b97028b4230acd16b8d1f36c355982f8acbeef3d773809c1f86", "type": "eql", - "version": 11 + "version": 12 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", @@ -1258,9 +1428,9 @@ }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS Service Quotas Multi-Region GetServiceQuota Requests", - "sha256": "a88beb1ee86edcb6bfc98cfe6a5c15756fa5132b0566be0c5ad9a00826635c6a", + "sha256": "3fc864b2b6cb6d2b19dd6cdb17c1cba4aedc02ac2ab30c5493dd863d3cf7bf95", "type": "esql", - "version": 8 + "version": 9 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", 
@@ -1269,22 +1439,32 @@ "version": 212 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "Spike in Number of Processes in an RDP Session", + "sha256": "29db7dc93ab6eab4b8b87720dd8d95683b744f2e2137115f6f3e48c204792339", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "Spike in Number of Processes in an RDP Session", - "sha256": "29db7dc93ab6eab4b8b87720dd8d95683b744f2e2137115f6f3e48c204792339", + "sha256": "fe983ed864521ad6cf3fe4e5be5ab60aef58b86a53412d26c0425b6eb0d442b4", "type": "machine_learning", - "version": 9 + "version": 109 }, "19f3674c-f4a1-43bb-a89c-e4c6212275e0": { "rule_name": "GitHub Exfiltration via High Number of Repository Clones by User", - "sha256": "f1fe94865fe02f98d69f15e048bb2c7b7a67fe767897b3534314e214f246e22d", + "sha256": "d44f81cce81f9989e3da9c9690ce5f15e1d0f708db04fecc4fc46560c28e35ba", "type": "esql", - "version": 3 + "version": 4 }, "1a1046f4-9257-11f0-9a42-f661ea17fbce": { "rule_name": "Azure RBAC Built-In Administrator Roles Assigned", - "sha256": "94feb1f75ec27cf9c53ab42c77998c78c6cf56652fb4a8b7fd527863a2083c22", + "sha256": "096328c92f192c547fa70269c2a8869a2b41ea46972ff0b85f91c484b81defcc", "type": "query", - "version": 2 + "version": 3 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "min_stack_version": "9.3", 
@@ -1304,51 +1484,51 @@ }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Entra ID Application Credential Modified", - "sha256": "3972e14bedb7ed262a4bf268bdaf8bf040f8a822a3c94dd74bb2edf42269a26d", + "sha256": "d9a189bab2df94b4b6cd30d792e7891b84d4684c3d1f1b94e30aeb8769e60c62", "type": "query", - "version": 108 + "version": 109 }, "1a3d5b36-b995-4ace-9b85-8a0af429ccf6": { "rule_name": "Newly Observed High Severity Detection Alert", - "sha256": "29750080e44ba02bb3c10e8a58ca3288e54debe1660f33b1e3d7a40247dcc479", + "sha256": "0df4a449dc7ce5abb1bd82b3028d400409e6f30213d93361d62b2157ca31969e", "type": "esql", - "version": 4 + "version": 5 }, "1a3f2a4c-12d0-4b88-961a-2711ee295637": { "rule_name": "Potential System Tampering via File Modification", - "sha256": "01016fb07b4de034fd77a549366e844c1df0ef74f37599b5e5b3dc0e87a4c168", + "sha256": "8e542036316307cb533b6cf1cf8a04645ffae970672c7916e7185605a72e4be8", "type": "eql", - "version": 3 + "version": 4 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", - "sha256": "1ddaf3e1d2b31dd53b6a93cda782926dd5e4279a2661118a1a3c635d64a47f11", + "sha256": "c725e6a7e3475298e151a097dc5c9b9319f746789dae41427246e978eec627e2", "type": "eql", - "version": 318 + "version": 319 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "7bb6798ddcb354c4347fefdf136c66ec0d059e74917c3871807ec7e341085eeb", + "sha256": "a3d4e1675ec84b3af9163b6a3759711bce84c07ff080a118e7208d181665df7c", "type": "query", - "version": 214 + "version": 215 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", - "sha256": "dc47b4f6b8b13340fd5675c6b297e3e1a826d680a9630257e8c0093d4af5f198", + "sha256": "2e3c41d3c73b84a6ff5058ca6b56124892b93ac8df1a7460b5ab0691af6b44d9", "type": "eql", - "version": 315 + "version": 316 }, "1ac027c2-8c60-4715-af73-927b9c219e20": { "rule_name": "Windows Server Update Service Spawning Suspicious Processes", - "sha256": 
"73f9c594fa7d3c1b5b8a23e0b26fcbd674d5597c657f3d07065f7d7a9f0f6da0", + "sha256": "0fa5a2a328ab55c39a78ae87ec88868fd59afbb127aeb9495fb2be890a7c8083", "type": "eql", - "version": 2 + "version": 3 }, "1aefed68-eecd-47cc-9044-4a394b60061d": { "rule_name": "React2Shell Network Security Alert", - "sha256": "08e985fa35d9303acb5dddf9821bb7615d98d194999ca608123e0952f6ea2989", + "sha256": "0bb3f9c7167e6586c90cc2a0d5c56d1239b7e0eccdfbdb6d4fb9e18757d982fe", "type": "query", - "version": 1 + "version": 2 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "rule_name": "Process Created with a Duplicated Token", @@ -1364,9 +1544,9 @@ }, "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d": { "rule_name": "Remote Management Access Launch After MSI Install", - "sha256": "cc1f83a967b60cefd14eb2acfe29dc5ebcafbdac6c0ff14de2939760741d65e3", + "sha256": "001bd6481577ef6818802f143b55dc573592d55255c45279e6eff1651ef1e3c0", "type": "eql", - "version": 2 + "version": 3 }, "1b65429e-bd92-44c0-aff8-e8065869d860": { "rule_name": "BPF Program Tampering via bpftool", @@ -1412,15 +1592,15 @@ }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created", - "sha256": "92302fac0a00aecfab0d26b23d5b798e9a6d692621b76bac74cc4d366c9dfc8a", + "sha256": "872670a07996ff3b1b618f205a314336501baae58b58b0b9eb4df5a182cbe3aa", "type": "query", - "version": 108 + "version": 109 }, "1ca62f14-4787-4913-b7af-df11745a49da": { "rule_name": "New GitHub App Installed", - "sha256": "905de7c7445d8245d70d98e20bf1b634c76d420d0abe70959fb9d7efc78cafec", + "sha256": "98cd8a087a11aa53e292618c8047442532a33dc329c2c7c7e264ad92008f574b", "type": "eql", - "version": 208 + "version": 209 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", 
@@ -1430,15 +1610,15 @@ }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "ef68bc87047a6664816ff4fcb845d3118897328ce84a3fc62faa10243e3b08bc", + "sha256": "b205ced242cd1aea02d4b083ded2c9a8d7e55a6d6b9c2a0e4a62f113c2d1d709", "type": "new_terms", - "version": 212 + "version": 213 }, "1cfb39e1-4b6c-4dc7-85fe-733e4a1a33ca": { "rule_name": "Entra ID Domain Federation Configuration Change", - "sha256": "7c6cae6af5252c3ea93d98ec5db837504672509c62a82468357df5c3efb3f4ce", + "sha256": "ad37538a2c191bb69fef32ecee94047d48237b5f045c30faa5d3cbba14fe1aec", "type": "query", - "version": 2 + "version": 3 }, "1d0027d4-6717-4a37-bad8-531d8e9fe53f": { "rule_name": "Potential Hex Payload Execution via Command-Line", @@ -1454,9 +1634,9 @@ }, "1d306bf0-7bcf-4acd-83fd-042f5711acc9": { "rule_name": "Initial Access via File Upload Followed by GET Request", - "sha256": "a2e51b827108578b99dad38b6f4ff3f0a701f0371af606bc18f7563b11c266e2", + "sha256": "2b398592c31c97af1985d6702aea4c8065619b220445521d5b75a1a48b3c1a47", "type": "eql", - "version": 2 + "version": 3 }, "1d485649-c486-4f1d-a99c-8d64795795ad": { "rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt", @@ -1466,9 +1646,9 @@ }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Profile Creation", - "sha256": "179045c4db738ca0cd743b9ddcf7b57fb07c99dbd6d5b708c795dd94b1055b4e", + "sha256": "92e8e6bf07d93b94bbeb7d1af6d2bd2f62f69c4dd3bedc34becebc0961db80c8", "type": "query", - "version": 8 + "version": 9 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", 
@@ -1491,9 +1671,9 @@ }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "1aa8b91518fa800db672ea1885139d417ebbaaee15004144118a44663c79ea1b", + "sha256": "2ee5832a6b03cfcb8f3188be99ff1ea3ee74672c2e55998bc8417c1932c05804", "type": "eql", - "version": 316 + "version": 317 }, "1dd99dbf-b98d-4956-876b-f13bc0ce017f": { "rule_name": "Alerts From Multiple Integrations by User Name", @@ -1527,9 +1707,9 @@ }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "c7cbda0a1bd62ce7de66a49d9a512d910cd16ab1501fc668c39cdddcc91b5a8e", + "sha256": "a36ca67a74f87b67b969d3970684fafaf17f731179188925f02cc6e2db6c3dd7", "type": "query", - "version": 106 + "version": 107 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { "rule_name": "Creation of a DNS-Named Record", 
@@ -1550,17 +1730,36 @@ "version": 208 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Sudo Activity", + "sha256": "affa4cbf4b252e4c8041f18f7949ab5c47ea25f683997a7fcfab80690076234c", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Sudo Activity", - "sha256": "affa4cbf4b252e4c8041f18f7949ab5c47ea25f683997a7fcfab80690076234c", + "sha256": "c191e024e62f5ec95b39f7a502aecbea41301bd8a555cbe351ce2d88a3dc354d", "type": "machine_learning", - "version": 107 + "version": 207 }, "1eb74889-18c5-4f78-8010-d8aceb7a9ef4": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 100, + "rule_name": "Spike in Azure Activity Logs Failed Messages", + "sha256": "9c8b0e80daf7cb337ca4cb7707c9b96e69b175935a5fa7b55707c9270f9a0653", + "type": "machine_learning", + "version": 1 + } + }, "rule_name": "Spike in Azure Activity Logs Failed Messages", - "sha256": "9c8b0e80daf7cb337ca4cb7707c9b96e69b175935a5fa7b55707c9270f9a0653", + "sha256": "b55cf9442601c13334ddbdf9f1c6553c1ee36c6be64b33cc9c2d312f36a43c55", "type": "machine_learning", - "version": 1 + "version": 101 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", @@ -1570,9 +1769,9 @@ }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { "rule_name": "AWS Sign-In Console Login with Federated User", - "sha256": "c625e68b89b88e69474d98cf2961b99044f04f96a94fa852d147cfb0244d2ce7", + "sha256": "55d45ab5f5631b527067817a7d2c2d4fd25f4b7740b19d7ed6684b84c9d198b6", "type": "query", - "version": 6 + "version": 7 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "rule_name": "Unusual Process Execution on WBEM Path", 
@@ -1580,17 +1779,33 @@ "type": "eql", "version": 108 }, + "1f56f548-94ec-4678-b1ed-b1a14cca4e3a": { + "rule_name": "File Creation in World-Writable Directory by Unusual Process", + "sha256": "4bf3288a105dbff9ff1d8025c12a892327a0c7a5062427686efbbb056082eacc", + "type": "new_terms", + "version": 1 + }, "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { "rule_name": "High Number of Egress Network Connections from Unusual Executable", - "sha256": "eab82a81fa79d2c1535f04121103e36d3a2d38892144d98a280602fe1f7d3194", + "sha256": "babe7b00f8c17b6f7c019fb3e52f3acd124bdc6490da993892140aa4941c0fb3", "type": "esql", - "version": 10 + "version": 11 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Linux User Calling the Metadata Service", + "sha256": "d4adbf8ea6feea59616adf3ad8302ad326c5860a91a7973921f942b5849c1e0e", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "d4adbf8ea6feea59616adf3ad8302ad326c5860a91a7973921f942b5849c1e0e", + "sha256": "1a0a985a78e282cb73680c64ef0fd7dd1b06b6888ac9aa29908324720ffd8a52", "type": "machine_learning", - "version": 107 + "version": 207 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", @@ -1606,9 +1821,9 @@ }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "rule_name": "Suspicious .NET Code Compilation", - "sha256": "776b98b92dbd4568e7096e732ead7f52eddf2732f6644902dc3e4d37989d5814", + "sha256": "3e8a4a0639da9faf8ad8d2583d8bbe24e4ad6576965d547481cca13d55b64b6d", "type": "eql", - "version": 317 + "version": 318 }, "202829f6-0271-4e88-b882-11a655c590d4": { "rule_name": "Executable Masquerading as Kernel Process", 
@@ -1618,15 +1833,15 @@ }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "rule_name": "Creation or Modification of Root Certificate", - "sha256": "a56e29eb9a96103fc4c39153ee8d8e21f84134bcb62944cb04237651e3a4d1de", + "sha256": "3aa8d3bf4c0ecd6f0f97e539bbd67ea18b1d65216ce018a08def21d67e713760", "type": "eql", - "version": 315 + "version": 316 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "f2be664b86234fbaa51823ced7027a936bf9a98ac1533b209d3aabcfbe69a841", + "sha256": "00192d120763a8e01464c5ce0165c7c8c09fd5dc69b8913668ae9889fe86e6ce", "type": "query", - "version": 211 + "version": 212 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "rule_name": "Suspicious Web Browser Sensitive File Access", @@ -1636,9 +1851,9 @@ }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "37353d258cf8edf69b0bfd21b13914eada7068fdd37274962245a637ba70257f", + "sha256": "70cf2629f8cf74296ace3eef9c5e688355dc05d9da909ff0c389f306c73a2cbb", "type": "eql", - "version": 207 + "version": 208 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", @@ -1654,15 +1869,15 @@ }, "210d4430-b371-470e-b879-80b7182aa75e": { "rule_name": "Mofcomp Activity", - "sha256": "069467922720ae9d5c59123eab480682aba33e1683b603c12a13cc2d16d7de61", + "sha256": "73377f66084b1b6f83dae6d763f34bca4b5521dd0aa27ccb836843da0e4edacc", "type": "eql", - "version": 9 + "version": 10 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "AWS SNS Topic Message Publish by Rare User", - "sha256": "3be6e725cc1b6a531b8b138860f2ccb9b6b88cf7b8c4399d4c26e6a0141a23db", + "sha256": "3e08ddf0b5b1afd3391ad3417aeab29ba5b82004dfea27700df13240aa6f2c1e", "type": "new_terms", - "version": 5 + "version": 6 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", 
@@ -1672,27 +1887,27 @@ }, "214d4e03-90b0-4813-9ab6-672b47158590": { "rule_name": "New GitHub Personal Access Token (PAT) Added", - "sha256": "0c32db1d0bdc3c62955fe42da52b54866bfdb760a99a75df466ec917fb903caa", + "sha256": "59d60ae7f69e0ad09fed8b4f0d81aa233cb1aa5f95a2c4dbc67893e48c9c6a68", "type": "eql", - "version": 2 + "version": 3 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "sha256": "b1715617058040be1981a4a2148f4685295b1658eee23805db1daf9a5ba2553b", + "sha256": "8b75d9e37c1f4a0c2bf887e72a428e276adafb073c14a72aa32d6df0f17e18d9", "type": "new_terms", - "version": 10 + "version": 11 }, "21c3536f-b674-43db-9bfc-dcf4cf9dcc37": { "rule_name": "GitHub Secret Scanning Disabled", - "sha256": "60108ce2bea920d768d05e18030a5a231623180aa8a8f88ec58401d4fd5fae49", + "sha256": "aff570e0cf948f93e3441a9f2e00aef71fc0bf2aa0b96863c7c05b6589ebb7d6", "type": "eql", - "version": 1 + "version": 2 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "2bbcf7084bfafdedf47eb0145f4de495e556088a7daf3e7d6c0e0d7784c736a8", + "sha256": "eca7c868189a61e5cf6cc042fae273a0d9e014524dca042d3c65462cf7cdd36e", "type": "eql", - "version": 111 + "version": 112 }, "220d92c6-479d-4a49-9cc0-3a29756dad0c": { "rule_name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy", @@ -1721,9 +1936,9 @@ }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "7d04e6fb99e0091df572932a00000c7665087be144f95263674523f940f9092f", + "sha256": "94bf56921f7182099d52dfb0db8b4469fc67827685348c0e306268756187ba80", "type": "query", - "version": 213 + "version": 214 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", 
@@ -1733,9 +1948,9 @@ }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "f9288e22de117a3e3b910bca3924528268bd52d9c84de89acdb6e28e9d88d2d2", + "sha256": "86d21d741eff46da2d15b7f31b033ed32ecda99a9f660857b2f751ee059c149f", "type": "query", - "version": 108 + "version": 109 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "rule_name": "Kernel Module Load via Built-in Utility", @@ -1791,27 +2006,27 @@ }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "rule_name": "Potential Okta Brute Force (Device Token Rotation)", - "sha256": "c0175427cf1da2826fa554be27674f044389d71995f24fd50545ed40a819156b", + "sha256": "1dca7f7a9f133b30aeaaf0bcefe7bfa30c7c6d26fa4a0ac58e4bf6ab5ca714f6", "type": "esql", - "version": 211 + "version": 212 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "rule_name": "New GitHub Owner Added", - "sha256": "f9de2a51923458b9774e07e1d89fb9553a33f03ae4ebd60a5063dda5ee214fd3", + "sha256": "33174dde2dcb90f51dc8b556bf7b9e4042559084fa221d4dc8f0b0d6bda99a8d", "type": "eql", - "version": 210 + "version": 211 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "rule_name": "Lateral Movement via Startup Folder", - "sha256": "2090c343668df6833e9cf0bafba90329cb6b037e741a061fd9374332fdc2722c", + "sha256": "b2b0a82c5bf29922f290efc7dac94e8b576668840052c3300bbdb37b55f1cf21", "type": "eql", - "version": 313 + "version": 314 }, "25368123-b7b8-4344-9fd4-df28051b4c6e": { "rule_name": "First Time Python Created a LaunchAgent or LaunchDaemon", - "sha256": "3714413319a7bc19d4a891160b2fa7ce870a8296e9da5b0b7811946cb72d49ad", + "sha256": "fe6a9526f2f3cde09ceb6ad2abb75b5c041b596c4c3efb072057e5d8d206557b", "type": "new_terms", - "version": 2 + "version": 3 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "rule_name": "Potential PowerShell HackTool Script by Author", 
@@ -1846,9 +2061,9 @@ }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", - "sha256": "4baf8dd59f661e9f32a10880d9cdb692a077f70531c803d62efa65fa54a9ba77", + "sha256": "a4325d7530e0e1c4d8606448e0fda6086c035e0c00e8a6941f16716a7b0c4be9", "type": "query", - "version": 6 + "version": 7 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { "rule_name": "New Okta Authentication Behavior Detected", @@ -1870,21 +2085,21 @@ }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Storage Container Access Level Modified", - "sha256": "0d88306546254e65e4e1beab45579c8ed49a79fbba03f5084bde42ff665193c4", + "sha256": "17ad4439d8cff6eb09caa234542cd8b06c1f9431660b61500250cfac88379a95", "type": "query", - "version": 107 + "version": 108 }, "264c641e-c202-11ef-993e-f661ea17fbce": { "rule_name": "AWS EC2 Deprecated AMI Discovery", - "sha256": "db895e7b67949c6c7700164a14589892cc0b07f890bcd76f290663eba89f0a36", + "sha256": "8e6edb115aadbbe0288142ede56a886b171f90f427e56805c3b403b92787d9b0", "type": "query", - "version": 7 + "version": 8 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "5e89de514cd1bc3b12bfd6f31d05fa567baa8901346c45d9e852313e72ed5846", + "sha256": "da7097593202235ef983f56eee56fedd61251f27a847e34946215f5895b4d5be", "type": "eql", - "version": 317 + "version": 318 }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "rule_name": "Unusual High Denied Topic Blocks Detected", 
@@ -1919,15 +2134,15 @@ }, "26edba02-6979-4bce-920a-70b080a7be81": { "rule_name": "Entra ID High Risk User Sign-in Heuristic", - "sha256": "f1f24452c78281a35fc0521f35bf52cc5613c987d589630ceb5a55d35ffa0a4f", + "sha256": "f2967ce4210d92868dcbb7f81ec19ec93006bdf594453cbf93086d8fb02edd22", "type": "query", - "version": 109 + "version": 110 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "M365 Identity User Brute Force Attempted", - "sha256": "611117d9bf686033e96ae07ecab210040e6ef9f46a896073660c4d23f7fa9635", + "sha256": "9c58ec3123760ea459436000dc14ff9614ede8b7e9bb3615243dd1e7df201d00", "type": "esql", - "version": 416 + "version": 417 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "rule_name": "PowerShell Script with Archive Compression Capabilities", @@ -1943,15 +2158,25 @@ }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "M365 Exchange Mail Flow Transport Rule Modified", - "sha256": "b5245c16c4d310231c399373dcac339d3181528c5d048cc20bb287871d4b7015", + "sha256": "58f1574c18c76838ab7233c8367023b61bc2ee9fe19c6de7f38cfd9a9f760b08", "type": "query", - "version": 212 + "version": 213 }, "27569131-560e-441e-b556-0b9180af3332": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Privilege Type assigned to a User", + "sha256": "6a4a1e539a2599e9b91ee64a6ae3f7c41201c686d380a2965e9e9117ab3860be", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Privilege Type assigned to a User", - "sha256": "6a4a1e539a2599e9b91ee64a6ae3f7c41201c686d380a2965e9e9117ab3860be", + "sha256": "07ea6892290d7a3ab379ca9ae743312e7ac639accd3a42b44ef6d882debc7788", "type": "machine_learning", - "version": 4 + "version": 104 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", 
@@ -1961,9 +2186,9 @@ }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", - "sha256": "8769f6898d63f15502763d54b54d972d28e6940b1bd05bbffb70622861a63f05", + "sha256": "bb286cf8785e506f2b849cf456c03c150eef1646b3cba7375baf550e2adbbe61", "type": "query", - "version": 108 + "version": 109 }, "279e272a-91d9-4780-878c-bfcac76e6e31": { "min_stack_version": "9.3", @@ -1974,9 +2199,9 @@ }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Deprecated - M365 Teams External Access Enabled", - "sha256": "f299af4df51862831053ea8aae2e99c0f8079f2f944aa32131a66dbe4b5820d2", + "sha256": "bc0c0b0a6a0f4f1cdef846be5717cc774ae8cfcf0c777765f28656c16ed58484", "type": "query", - "version": 213 + "version": 214 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "rule_name": "Account Password Reset Remotely", @@ -1986,9 +2211,9 @@ }, "283683eb-f2ce-40a5-be16-fa931cb5f504": { "rule_name": "Newly Observed Palo Alto Network Alert", - "sha256": "55f2451b2b926a62fba0cf39411dbdf9e3ab7b8893f5de6f6f67983d14178ffd", + "sha256": "6950c8ed18d7697993f1a1159f6bc0a7eb141aaff4f0243575894da36997a1b8", "type": "esql", - "version": 2 + "version": 3 }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", @@ -2022,9 +2247,9 @@ }, "288a198e-9b9b-11ef-a0a8-f661ea17fbcd": { "rule_name": "AWS STS Role Assumption by User", - "sha256": "b0796e6f0bf03c93415475e92058a12de9609c2227a18556341385cd954bf49f", + "sha256": "7dc5f160fa3c93691ca733218c01f5481e0fe164bd1f9b1f0beb35a7763ec43d", "type": "new_terms", - "version": 8 + "version": 9 }, "28bc620d-b2f7-4132-b372-f77953881d05": { "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", 
@@ -2052,21 +2277,21 @@ }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS EC2 Security Group Configuration Change", - "sha256": "4c03899b632f6120813e6c46281e60ba58bfb5cc53b380141fe92b984ea88998", + "sha256": "a2e0780759a02c4f019ded2450fbab0521f281a7495b1d6381ce9a065acc3db6", "type": "query", - "version": 213 + "version": 214 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "4bf7f5f04793e6d5636749a63e62e76cb5bb933038ff25e20247a11a25ad8985", + "sha256": "3333bf53f4e1d4f703ad2bfc61439dbf9db3d734bd3557e083a8d6496bbde552", "type": "eql", - "version": 321 + "version": 322 }, "2917d495-59bd-4250-b395-c29409b76086": { "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "18d1e450aae801746877577fb6bc306f7f3d0957abdde58ea05c5bbdb5ecc84a", + "sha256": "83deebbdaf1d541ffa89b232ca76266b2cca871eb9b318fcc95ed6841e4c8d1b", "type": "new_terms", - "version": 422 + "version": 423 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "rule_name": "Enumeration of Privileged Local Groups Membership", @@ -2076,15 +2301,15 @@ }, "29531d20-0e80-41d4-9ec6-d6b58e4a475c": { "rule_name": "Alerts in Different ATT&CK Tactics by Host", - "sha256": "89d0958894efc5800bc1c37dbe4e22073f736ad6f2e95ae99a95e83421e0f3b3", + "sha256": "84874f4f7a74522df3d63a4e89e6bc212572363bd0df3b91d5d25438b3f96bb5", "type": "esql", - "version": 2 + "version": 3 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "abcf26f5365ecaa93b9183cd4908b02996150f691be796d2200f7e66456ef4f1", + "sha256": "bb3f43e51cf57903cac31eea9b1da4e3c0c5398f11a673b5e3fd5770b25477f4", "type": "query", - "version": 209 + "version": 210 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", 
@@ -2100,9 +2325,9 @@ }, "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": { "rule_name": "Microsoft Graph Request User Impersonation by Unusual Client", - "sha256": "8e094ed2088f19cd263e2ec6c3f6f66ba0c512f83d405b72d214cc6b4b929c60", + "sha256": "c79bf8bb0d94aaff02709efc88bdd456c06752b9e7d41a5a34bd1eeb99eed3f1", "type": "new_terms", - "version": 7 + "version": 8 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", @@ -2112,9 +2337,9 @@ }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "rule_name": "Kubernetes Pod Created with a Sensitive hostPath Volume", - "sha256": "e4cccea06a30da3b02e7dbe87de564aa89ade0c37ffd59e8e30bdc6cf4f0c780", + "sha256": "dffee6f1f33580e6cf14dd782f8158c3b7c55b5f30b1db84f04f44d575386b26", "type": "query", - "version": 209 + "version": 210 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "rule_name": "ESXI Discovery via Grep", 
@@ -2123,28 +2348,38 @@ "version": 113 }, "2bca4fcd-5228-4472-9071-148903a31057": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Host Name for Windows Privileged Operations Detected", + "sha256": "7fd9eda6eca11a59a902ae98e5e67013d23113287786c76e64be97d2beaa5b20", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Host Name for Windows Privileged Operations Detected", - "sha256": "7fd9eda6eca11a59a902ae98e5e67013d23113287786c76e64be97d2beaa5b20", + "sha256": "b87efefef846486cad6bc17aa7c220a3833b848d4ca87f09c1f5defda9cb428d", "type": "machine_learning", - "version": 4 + "version": 104 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Deprecated - Adobe Hijack Persistence", - "sha256": "2fd56ecb1298afd514114cf19c5b066b10912b8f46028af6af05cecf9e549595", + "sha256": "c39c39dad78c75217ccc7ae773fe15ad4209cd1942561a8aec4334a3a4d5479b", "type": "eql", - "version": 419 + "version": 420 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "114f9531c6f7277c8cc743ecf821000f04fab47ce28cde1ea88bfa9ca40f90e2", + "sha256": "0d92fc45d3b510335ab010084fce86259f5a97be4efba9d4e0dcc39a186a39f6", "type": "eql", - "version": 317 + "version": 318 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "93fe59d64717619f4032137589ed774e8bb5ecb5057da771c0b32dd7914da4db", + "sha256": "71bee316718a7503183f188206ee519a517752ffe52329a99d25178569a76e4a", "type": "eql", - "version": 216 + "version": 217 }, "2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": { "rule_name": "Newly Observed FortiGate Alert", 
@@ -2154,9 +2389,9 @@ }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "rule_name": "Potential Foxmail Exploitation", - "sha256": "2b4448a33d201b761c3884680d789cd2f909456a276b9a125cb4ee55845e6345", + "sha256": "1e6f9b0c45ad9cd728e02a922586c3466a5968c751c337ffefe09be52489aeeb", "type": "eql", - "version": 207 + "version": 208 }, "2c74e26b-dfe3-4644-b62b-d0482f124210": { "rule_name": "Delegated Managed Service Account Modification by an Unusual User", @@ -2172,9 +2407,9 @@ }, "2d3c27d5-d133-4152-8102-8d051619ec4a": { "rule_name": "Potential Okta Password Spray (Multi-Source)", - "sha256": "aaafdc1afbc528d12bc055c3b9dca2d9057d8a4c2cc482e31728d931115c0b58", + "sha256": "0b3754763f9388a104514203cdb27b710d8d0b5bd654671deb494bdd5568496a", "type": "esql", - "version": 2 + "version": 3 }, "2d58f67c-156e-480a-a6eb-a698fd8197ff": { "rule_name": "Potential Kerberos Relay Attack against a Computer Account", @@ -2184,19 +2419,19 @@ }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "rule_name": "Command and Scripting Interpreter via Windows Scripts", - "sha256": "e5d671ad048423ca25d3abeb0d58b6247aeb872604f977aaab7dac050096bccd", + "sha256": "4e77deaa22c866faec27c5fd6a98680db898f41a0261f412455fa88396d28afa", "type": "eql", - "version": 209 + "version": 210 }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { - "min_stack_version": "9.1", + "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 105, "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected", - "sha256": "09e0db85e9bb2792e16cac43d4386f3e6669fc339ee9f0fd5b9c0766b24390d7", + "sha256": "725ad252d09012d134cb181871423681d29b14c890ee1288e768f23fd7ed72e2", "type": "esql", - "version": 6 + "version": 7 }, "9.0": { "max_allowable_version": 205, 
@@ -2204,12 +2439,19 @@ "sha256": "aaad9534812f266fd81a731fb54499b095a087e856fc3d3ace34585f13135842", "type": "threshold", "version": 106 + }, + "9.1": { + "max_allowable_version": 305, + "rule_name": "Entra ID Excessive Account Lockouts Detected", + "sha256": "e22015b3cd61c71a94b4ee9413e7fd3b109b10fae88dcaf1da276ffa0b846144", + "type": "threshold", + "version": 206 } }, "rule_name": "Entra ID Excessive Account Lockouts Detected", - "sha256": "e22015b3cd61c71a94b4ee9413e7fd3b109b10fae88dcaf1da276ffa0b846144", + "sha256": "f5a1ec4caef511f8190ed9a710be895fecebe6b72f29b03da749e5e4dea0b10b", "type": "threshold", - "version": 206 + "version": 306 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Unusual Kernel Module Enumeration", 
@@ -2237,34 +2479,43 @@ }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "M365 Identity Unusual SSO Authentication Errors for User", - "sha256": "122da6655602fd538b9bdbe622e072d3731265ff8ba0310878bf547b83631873", + "sha256": "dfbe6f2be34fc93b6ac0c780444a2c505c8154462a23a5c434332da089103385", "type": "new_terms", - "version": 214 + "version": 215 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "1cafc7f308e499aa850d066435ed539f2766f7339c654c9f1806fc8738c7928a", + "sha256": "08b959c36b2fe977428f38fd2a631f354a18d196a41d271526a150016bf3277d", "type": "eql", - "version": 215 + "version": 216 }, "2e0051cb-51f8-492f-9d90-174e16b5e96b": { "rule_name": "Potential File Transfer via Curl for Windows", - "sha256": "00a9820f74b15bcad625b039d2073da2991f8ee19275fd11429e6318ed544d9a", + "sha256": "2727f7933f8eeba04d375c0fb4d6f81aeb767cf77de5af9f5a02dec3d3c84c14", "type": "eql", - "version": 6 + "version": 7 }, "2e08f34c-691c-497e-87de-5d794a1b2a53": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 101, + "rule_name": "Unusual GCP Event for a User", + "sha256": "f2c101f62195e21efa9dd47975b9bb08fe09f90a69be64d4d45a731682b74628", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual GCP Event for a User", - "sha256": "f2c101f62195e21efa9dd47975b9bb08fe09f90a69be64d4d45a731682b74628", + "sha256": "dc4770ad5a8fc4f77f6dc6d6459c0bc5cd738459a7a2d9d13172cce489ef203b", "type": "machine_learning", - "version": 2 + "version": 102 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "rule_name": "Renamed Automation Script Interpreter", - "sha256": "bf7e0fde2619d02736e6e4ad87135d1b6463e80fc4f9bbf199eff594e2a34c19", + "sha256": "3686069f5759f5620730b4857af75e3bb324b82244964d8e5975bf7aba19b609", "type": "eql", - "version": 217 + "version": 218 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "rule_name": "Potential Process Injection via 
PowerShell", @@ -2280,21 +2531,21 @@ }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "279b0690d3f64f1daee0a3359ba854a476b3caa9d9bf86d9c005065b74ee0b61", + "sha256": "a0e669920a05447833a36602262826c5a72fc5c685f0acc4e056c3dc50702987", "type": "esql", - "version": 309 + "version": 310 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "3c4ba4324d491ee03a754021e112bccb471065275193915c992db9115828225d", + "sha256": "7619ad084d53e74be8904ed88f92cefa4efb0957e3a99624a5146a7d5e735580", "type": "query", - "version": 106 + "version": 107 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "rule_name": "Creation of a Hidden Local User Account", - "sha256": "056b4b73cde0fd5b004013c93f401196926c99645dc6bcccf0567c87a4c257fe", + "sha256": "73af61a045f616fc8d49c6765d5eed3fa39a1a7197390d2e632a01efb216cac7", "type": "eql", - "version": 315 + "version": 316 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", @@ -2328,9 +2579,9 @@ }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "a6bde68683d9c99f460b23f1e21e7f1ab65298609f2036cefc6cad4d24bfdfd4", + "sha256": "fc228f1ed3c5f7bc63093176ace4c1391dd9b9d4242e1e14c6c33b45c524ce3b", "type": "eql", - "version": 217 + "version": 218 }, "301571f3-b316-4969-8dd0-7917410030d3": { "rule_name": "Malicious Remote File Creation", 
@@ -2340,15 +2591,15 @@ }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", - "sha256": "f1ad94a353eccf3aeac4419235229c5ccd90a3383840409db872d7f9e8d04ff5", + "sha256": "b7443e73c34b63ea64aef8d2a73cdda1561793b4fc5ae82d1e23eddb58d45ed8", "type": "query", - "version": 108 + "version": 109 }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", - "sha256": "1337e852010b0bcdf4249080f5ca94c55575a9ce0eb52bed223f32709bbf23ae", + "sha256": "45bc415cfbe47728cd85f5beb1db8210f3b2d2d740e54e02b7f5fc7ef97b9cad", "type": "eql", - "version": 7 + "version": 8 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "rule_name": "ESXI Timestomping using Touch Command", @@ -2370,15 +2621,15 @@ }, "30f9d940-7d55-4fff-a8b9-4715d20eb204": { "rule_name": "Windows Script Execution from Archive", - "sha256": "53b7166d77fbc83702b551e787b1f6eaded8cd5393cf11419067d3d693b3391f", + "sha256": "9769b1271974f7678be7b87ba170a8788616081376dcdc121eeff38f837c3617", "type": "eql", - "version": 2 + "version": 3 }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", - "sha256": "0273272892c012a2d9fd49a6ba82366bcaef264c4639a58448933fe14d660732", + "sha256": "9096aa293720333cac0af019ee0209adf832956537108d1a8d905ba213834be7", "type": "new_terms", - "version": 8 + "version": 9 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID", @@ -2388,9 +2639,9 @@ }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "53d71eb9f5efa44b7312f15518e494dc936ba4d201f4787686cb0872cbd8cdad", + "sha256": "1aeda613e850b7c88717372baca0f5d05f2847c871014efca3813d4fe1a5f47f", "type": "query", - "version": 106 + "version": 107 }, "314557e1-a642-4dbc-af43-321bc04b6618": { "rule_name": "M365 Security Compliance Admin Signal", 
@@ -2400,21 +2651,21 @@ }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", - "sha256": "15ec1bf4d34174c04c219abeeaf5b0b370bd00a31d1c2b24d99ea9120ffee8f3", + "sha256": "6bf5894df0dfec715bb0d2d840a008738c24d0e87bf6b877bbbb0407365e7668", "type": "eql", - "version": 321 + "version": 322 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "0d3383f130023c3e513326852064c621515b898f342d0786cb1946e76e4c29d0", + "sha256": "4ad2ee73bd7cdbe3735b30d3a6b59541b724d90a3fd64c19100f94bb7f778ed6", "type": "query", - "version": 108 + "version": 109 }, "32144184-7bfa-4541-9c3f-b65f16d24df9": { "rule_name": "Potential Web Shell ASPX File Creation", - "sha256": "7ba990105bc83c1f1f4f503531aaaafde90450fc0cc781251c267948e03cef91", + "sha256": "62af95c1449ba7223ea15911806eb60b24ff18d95cfd2a529de8db785480464d", "type": "eql", - "version": 2 + "version": 3 }, "3216949c-9300-4c53-b57a-221e364c6457": { "rule_name": "Unusual High Word Policy Blocks Detected", 
@@ -2430,46 +2681,65 @@ }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure VNet Network Watcher Deleted", - "sha256": "402b21c5a8b90809bf2494832bbded33e11f8858286691ae499bbe87de9fab4c", + "sha256": "a11689594efe1a3ce6bc4114c4104ae80acfd08c3f4d742549b9ff40fc94afb5", "type": "query", - "version": 108 + "version": 109 }, "3278313c-d6cd-4d49-aa24-644e1da6623c": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 104, + "rule_name": "Spike in Group Application Assignment Change Events", + "sha256": "08b6d34feb24bfb3ef7b5cd94e07f722386374274b2d87f3277e125ddef5ec78", + "type": "machine_learning", + "version": 5 + } + }, "rule_name": "Spike in Group Application Assignment Change Events", - "sha256": "08b6d34feb24bfb3ef7b5cd94e07f722386374274b2d87f3277e125ddef5ec78", + "sha256": "881770a8cf25c413c1ddb170eab543e5879b4573f6dd9fd8a4f758493bbba738", "type": "machine_learning", - "version": 5 + "version": 105 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "969099d6bc45bcc29f0de7cdfafd79fcfb95cc5e47922ca6fdbd61d6f3aa1f7e", + "sha256": "aeea0438498c335f924d5024e2d93d26df009adae1297efdeabdffcd66a49aa2", "type": "query", - "version": 108 + "version": 109 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", - "sha256": "426407f9d70d47d2798e31bf2fdd499117b8ae0bf6d2144f2543c4ea62d02391", + "sha256": "5434996d5953e2a75f6195c4b3f0be3e76a6b137358f992107e47bad171f93b2", "type": "eql", - "version": 319 + "version": 320 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Atypical Travel Location", - "sha256": "da837c9d85b4f3f385517d68f15aae6abe941f8ec854dacc173305a12edcde4c", + "sha256": "7d14aa41f43ff8c51804c5c8a5cd1605804b771df672a36172980974cf2f77a4", "type": "new_terms", - "version": 9 + "version": 10 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child 
Process", - "sha256": "c256b29b343f269dbf21e023ac3abb987eab65c6d60f67b02a81b0fe0b838efc", + "sha256": "c1f88ad08b1275d2beb8997e9a4bef9759d9a7c24926c458ddaff240589ea5c6", "type": "eql", - "version": 420 + "version": 421 }, "32f95776-6498-4f3c-a90c-d4f6083e3901": { - "min_stack_version": "9.1", + "min_stack_version": "9.2", + "previous": { + "9.1": { + "max_allowable_version": 102, + "rule_name": "Potential Masquerading as Svchost", + "sha256": "4f6ac75ddc2b31218e382f6dbfe04ffc27077d66ebf97c24740e7c9d12cb028d", + "type": "esql", + "version": 3 + } + }, "rule_name": "Potential Masquerading as Svchost", - "sha256": "4f6ac75ddc2b31218e382f6dbfe04ffc27077d66ebf97c24740e7c9d12cb028d", + "sha256": "7f4183d88c3307824d8ea2bbb7da2223c260019f0cf9cc86dffaf273ac0960cd", "type": "esql", - "version": 3 + "version": 103 }, "3302835b-0049-4004-a325-660b1fba1f67": { "rule_name": "Directory Creation in /bin directory", @@ -2479,9 +2749,9 @@ }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", - "sha256": "86097c4bd776631b3496ac37b81634d2096b7900a55d099857a62a3195ea2570", + "sha256": "8740915ad9d3542a4b6dad50ca626d2efd14c8e2fa9e2dde5944d3f5fa80fa3e", "type": "query", - "version": 214 + "version": 215 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { "rule_name": "ESXI Discovery via Find", @@ -2491,9 +2761,9 @@ }, "33c27b4e-8ec6-406f-b8e5-345dc024aa97": { "rule_name": "Kubernetes Events Deleted", - "sha256": "3740512a442422b4a21266e212c408167b5097c243274be72642c1bff27a04a0", + "sha256": "18095b5a2473c932c2b35399552cbb87b2b648148c1ffed71425d9c909e8016d", "type": "eql", - "version": 2 + "version": 3 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", 
@@ -2533,15 +2803,15 @@ "344e6c7d-ceb0-4f20-ba04-7c75569a7e38": { "min_stack_version": "9.3", "rule_name": "Elastic Defend Alert from Package Manager Install Ancestry", - "sha256": "f9890676b10ae56aad1a991907864958c409724426840b68dda38701a732bd81", + "sha256": "82907c28a7b19202ba4090391333c6d139af03fbe541d603fd674434a6748c6a", "type": "esql", - "version": 1 + "version": 2 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { "rule_name": "GitHub Repository Deleted", - "sha256": "5b506ed4d8840b778d0b592753b40d79a8dd07c7bae0cf37aa6fd2b10f8933c6", + "sha256": "9dbead37db4773f09b4ed758283f61fe7e4562772482b18e75416654a8fe2c4c", "type": "eql", - "version": 206 + "version": 207 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", @@ -2551,9 +2821,9 @@ }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "7e8ef18d5bc3b460e615980b4eccde93b38278f3ac2e312433a012ffe4a782d8", + "sha256": "98c05891ac1d062019fd7be22d345704b8cce6b75f1ae4ec8d9787e51f40a22b", "type": "query", - "version": 112 + "version": 113 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", 
@@ -2563,21 +2833,31 @@ }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", - "sha256": "af1ce4b49ae91b35fdecc84a3dca8953012aaa85054fbb091e70bdac62d0b872", + "sha256": "15f2eb8e59ad6f73f52dc09bd128406057e069f99940823c50c3864bfc57158c", "type": "eql", - "version": 417 + "version": 418 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 107, + "rule_name": "Spike in Bytes Sent to an External Device", + "sha256": "2849aafc536aac7e9741f20e297b001e5b980e2a6a4c77bb1ca6c76b0719472c", + "type": "machine_learning", + "version": 8 + } + }, "rule_name": "Spike in Bytes Sent to an External Device", - "sha256": "2849aafc536aac7e9741f20e297b001e5b980e2a6a4c77bb1ca6c76b0719472c", + "sha256": "bff333b259468a39c107b211f1ba6331060aa97c23f5486f3654fce8a3dd4361", "type": "machine_learning", - "version": 8 + "version": 108 }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { "rule_name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)", - "sha256": "6b40afd8ad082d50127a6763205ef715f82e974cdb98e2f2a763d45e4350c00e", + "sha256": "0df6b6334cd27b6de86fc9609cb747ecfa635d0c0051591db6e2c199ad87f4e3", "type": "esql", - "version": 109 + "version": 110 }, "35c029c3-090e-4a25-b613-0b8099970fc1": { "rule_name": "File System Debugger Launched Inside a Container", @@ -2587,9 +2867,9 @@ }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "rule_name": "Unusual Parent-Child Relationship", - "sha256": "5642c564df53376c36863f9efb7431f2b9e0cb49e2795659df5a46f7e792cf70", + "sha256": "9200577706bf27015cee581aa26408b2aacd038becc06c64f46059f7c30498bc", "type": "eql", - "version": 320 + "version": 321 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", 
@@ -2605,9 +2885,9 @@ }, "36188365-f88f-4f70-8c1d-0b9554186b9c": { "rule_name": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs", - "sha256": "42e9d019a6b70159583b39776ba8b2be54dd88eb96698f05f1e01bcb67740de5", + "sha256": "2df20a3faf287100f7908a110473c47694aeb15ef43981bb24b38ee67c8c948f", "type": "esql", - "version": 7 + "version": 8 }, "36755b43-a1f9-4f2c-9b61-6b240dd0e164": { "rule_name": "Executable File Download via Wget", @@ -2623,21 +2903,31 @@ }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "8490f06845e72c6453d237d605f6cf7d0ad70db3477dc1eae14b87f8fb9dc42c", + "sha256": "ec3c0ff47791363712d7c0adefdd532d6e0641f4f5981d2cb44732d9deaa5e8d", "type": "eql", - "version": 313 + "version": 314 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "High Mean of Process Arguments in an RDP Session", + "sha256": "43a13415ff8ef4d8e01e998e3ea19435f75aeaefaf99754435b96099dd0c2468", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "High Mean of Process Arguments in an RDP Session", - "sha256": "43a13415ff8ef4d8e01e998e3ea19435f75aeaefaf99754435b96099dd0c2468", + "sha256": "1345a788253e2c63d8198472d6d8d2321ce9775b581b4897330441bc864b31eb", "type": "machine_learning", - "version": 9 + "version": 109 }, "37148ae6-c6ec-4fe4-88b1-02f40aed93a9": { "rule_name": "Command Obfuscation via Unicode Modifier Letters", - "sha256": "75a776871e76a8928fc6bd78caedc961f3637f619f15c66d9411d266f6b68acf", + "sha256": "5009a478ad36abb9aae19914fb9ebb9b7c0d339adfc90f5eb3e76951f4dd5fac", "type": "eql", - "version": 1 + "version": 2 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "rule_name": "Potential Suspicious File Edit", 
@@ -2647,9 +2937,9 @@ }, "375132c6-25d5-11f0-8745-f661ea17fbcd": { "rule_name": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)", - "sha256": "62c30263c62b0ea62ae0a31f58d43a5176807566e40627011d727f6d2f203284", + "sha256": "0affd785d42637b808f650a7103797d5a6bb2c5fc66f186318013a4e888e9cd8", "type": "esql", - "version": 7 + "version": 8 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "Deprecated - AWS RDS Security Group Creation", @@ -2659,9 +2949,9 @@ }, "37994bca-0611-4500-ab67-5588afe73b77": { "rule_name": "Entra ID High Risk Sign-in", - "sha256": "0edcf9d044d9b5fb5c991aed926c5901b8a69ace3a70f40cf1d8e9ae506550cd", + "sha256": "dd4b0b5074d56377ff3963b0e687dbe6e92954a3604dd00a66f4749fcff3c16b", "type": "query", - "version": 110 + "version": 111 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { "rule_name": "Anomalous Kernel Module Activity", 
@@ -2671,21 +2961,31 @@ }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "rule_name": "AWS SSM `SendCommand` Execution by Rare User", - "sha256": "875a515147c0850d9b1d30b2c70e06da3654d604253413fa960d81ba9df5f424", + "sha256": "b88228a38401d3cfaf88a020153942655bee03db41be8d1b12f2d0468b9a694a", "type": "new_terms", - "version": 215 + "version": 216 }, "37cb6756-8892-4af3-a6bd-ddc56db0069d": { "rule_name": "Disabling Lsa Protection via Registry Modification", - "sha256": "5493474e928e83c1d82c3517327fd02f7f6ae87d55ed41189eb688418d77aa11", + "sha256": "baccf6f03e6b31a9bff677bee667021b4a21f7c8f7ebddfec74e1770a9a30704", "type": "eql", - "version": 5 + "version": 6 }, "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Spike in User Account Management Events", + "sha256": "903df4e7a7b2f1df89ca4373c8cb64f4d3823204bf9d85dbdde3b79ab34a955f", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Spike in User Account Management Events", - "sha256": "903df4e7a7b2f1df89ca4373c8cb64f4d3823204bf9d85dbdde3b79ab34a955f", + "sha256": "8f1c726255a1e3944db11d55a3907a360b2e08797aa0a0789c2980987625af7f", "type": "machine_learning", - "version": 4 + "version": 104 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", @@ -2695,9 +2995,9 @@ }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "be1bd9b556ac557afbe8f745f307835a1dc26a7d90561ccfae0c1e6c05c8e6cd", + "sha256": "d497cf9ebba367ccc27ffa60c83adad1b1c4ca123ed732867ca75c61a9e34383", "type": "query", - "version": 414 + "version": 415 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", 
@@ -2713,27 +3013,27 @@ }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Impossible Travel Location", - "sha256": "052a0f257369554fcb13f156ac2746ee3f5f386df4e4bce25b278a8427e3865f", + "sha256": "f77d1c2a0262340c0ead77d4fb93456b8c670c291ca6d8a2dd95dbdcd6c73fac", "type": "threshold", - "version": 8 + "version": 9 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "Entra ID User Added as Service Principal Owner", - "sha256": "fcdc0a5fefd0ad8a4bb425cddd97ab658b83831b297a69bb256a86fdbdf0dfc2", + "sha256": "8391a444b3933bf47281a3af89558637258d16499151f4d19fb9bd5010de3f72", "type": "query", - "version": 108 + "version": 109 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { "rule_name": "External User Added to Google Workspace Group", - "sha256": "4db9cfbab66f9abf45a00992d56768ed8511b1cd7d7522656cba31f91ce6361b", + "sha256": "1d4f576cece46f98cac0186d4b7686f927c4329e6bf393a9cbd159dbfb4770d9", "type": "eql", - "version": 6 + "version": 7 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "79e5ede747cc09296988f2f63d6718d9c745a16c784a1e7e596f241a4d91a200", + "sha256": "fd463b53155f11c4465a2ebddd880793fb50c8d7cbb164ae7e172dae791842f3", "type": "query", - "version": 212 + "version": 213 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { "rule_name": "Downloaded Shortcut Files", @@ -2749,9 +3049,9 @@ }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "e33103029ba780783b5d130ae36615d18f9bbc8f6edd624fc3b76f46ddb47475", + "sha256": "96df8547dca02823e81194f8774b0ad1fa26f204bf59394cdbb1ea0dff583de7", "type": "eql", - "version": 312 + "version": 313 }, "39c06367-b700-4380-848a-cab06e7afede": { "rule_name": "Systemd Generator Created", 
@@ -2761,15 +3061,15 @@ }, "3a01e5c6-ce01-46d7-ac9f-52dc349695fb": { "rule_name": "Kubernetes Anonymous User Create/Update/Patch Pods Request", - "sha256": "49b545a296b8c5e373e3800b7b6f270524c9cbb4d7f328cd91e22d93c306c7e0", + "sha256": "7f2bf812108252f0c2cec448e9f10dfff725021983a612df901b4dd4d36b49c7", "type": "eql", - "version": 2 + "version": 3 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "a48541ec5ea28eba5a75f325730d4f1b8492343efbdee7039f65b368fd650367", + "sha256": "254da9f4693aee17ff97de904a4e488f8512f82976e5376f7487778c3b241268", "type": "eql", - "version": 314 + "version": 315 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { "rule_name": "Suspicious Module Loaded by LSASS", @@ -2791,9 +3091,9 @@ }, "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": { "rule_name": "WDAC Policy File by an Unusual Process", - "sha256": "fa6ce5eb9544d8e17eadb7d9a4abbde626516adf4fbea09585e4895b4466cb3e", + "sha256": "fdaaec3f67a8543a962e70dbb7d1cff87e5e18c3917ea44b899e7a46ddaac771", "type": "eql", - "version": 5 + "version": 6 }, "3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c": { "rule_name": "External IP Address Discovery via Curl", @@ -2803,15 +3103,15 @@ }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "f647269c70ad9d84b89947c8a54702159cd718e82f39151bb6dee32ecdd6a114", + "sha256": "6c9b9155e809656088fdd932c9134a2986d4809c75cadec68224554ef6c76397", "type": "query", - "version": 110 + "version": 111 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "rule_name": "Azure VNet Full Network Packet Capture Enabled", - "sha256": "989b4fa1803654f264d249a19bf54348f0871954b786c97ad21dbfede9c7d3eb", + "sha256": "e200432935afd9d703887c7f3ef678e67887553e91570a46e0f59f266667eb62", "type": "query", - "version": 109 + "version": 110 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { "rule_name": "First Occurrence of IP Address For GitHub User", 
@@ -2833,15 +3133,15 @@ }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "440c3ea8936f58e36bcf475f0e64f03e4fd2a222675ac584b203256450b3b70e", + "sha256": "be3ca1dd8f6c1fec5379d8d1f57adc596065bc4c1ddf8849c0b0cd8da4312d9a", "type": "eql", - "version": 416 + "version": 417 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "rule_name": "NTDS or SAM Database File Copied", - "sha256": "aa63bdc2a7538eec3f979380907645702455792bf47303a3d54536b535759cbb", + "sha256": "4724c47390291263a89197eb96a4e29f421ecf2548516a11ddbd954d926efff6", "type": "eql", - "version": 319 + "version": 320 }, "3c216ace-2633-4911-9aac-b61d4dc320e8": { "rule_name": "SSH Authorized Keys File Deletion", @@ -2851,15 +3151,15 @@ }, "3c3f65b8-e8b4-11ef-9511-f661ea17fbce": { "rule_name": "AWS SNS Topic Created by Rare User", - "sha256": "52b8cb5230887893f47fd0d99335171ba317de2e290a59aa35ff58ae5f6f071a", + "sha256": "3216757a897e26e81d8b37469ca11d9cd83cf3bde8bc78df45c871a1e4051459", "type": "new_terms", - "version": 5 + "version": 6 }, "3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7": { "rule_name": "AWS GuardDuty Member Account Manipulation", - "sha256": "40c120e7720460b12e7dec873f00ddc222dc36f6deb8859a453ba1c04ffadc38", + "sha256": "a40514c715a70b1163a1e1f528f68857ffc2122ec3f68c23b33c12e87aee77c9", "type": "query", - "version": 1 + "version": 2 }, "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": { "min_stack_version": "9.3", 
@@ -2878,16 +3178,26 @@ "version": 104 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 208, + "rule_name": "Unusual Linux Network Port Activity", + "sha256": "49f89efa536ef4c93f890a07191660e00b3ad881b52b10096aa23ba941d850e7", + "type": "machine_learning", + "version": 109 + } + }, "rule_name": "Unusual Linux Network Port Activity", - "sha256": "49f89efa536ef4c93f890a07191660e00b3ad881b52b10096aa23ba941d850e7", + "sha256": "21ab8bdde2ddb498cb6c6edcdfd953b4b9690ca4b6075b3281943bbb160799e3", "type": "machine_learning", - "version": 109 + "version": 209 }, "3c82bf84-5941-495b-ac41-0302f28e1a90": { "rule_name": "Kubernetes Sensitive RBAC Change Followed by Workload Modification", - "sha256": "44d6760aa9fba7780a036ff4bc2b1e968789d69f3eea615b8b50f3cdf1680ec9", + "sha256": "f137913826f4dfb346b155061fef745d733d9ac84ad693ed6646cd5fa68123b8", "type": "eql", - "version": 2 + "version": 3 }, "3c9f7901-01d8-465d-8dc0-5d46671035fa": { "rule_name": "Kernel Seeking Activity", @@ -2903,9 +3213,9 @@ }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "53dc2347d00f5a346e2fce380a8a393faa45f1e56c19f24bae86e03b25b61924", + "sha256": "31c5efd3e2588f4bbb9204805340a6f348a20c46d009ce4e27c99b2576368bbb", "type": "eql", - "version": 209 + "version": 210 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { "rule_name": "PowerShell Script with Log Clear Capabilities", 
@@ -2915,40 +3225,50 @@ }, "3db029b3-fbb7-4697-ad07-33cbfd5bd080": { "rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins", - "sha256": "df6f9c223d11d18a3757109d8dc8de28c3e8f6695c5600d3715aa1058e054286", + "sha256": "00f3734aeadad18ecaa1bb530c67b46dd2d9a77276365492a19c14fc174dea3a", "type": "esql", - "version": 5 + "version": 6 }, "3dc4e312-346b-4a10-b05f-450e1eeab91c": { "min_stack_version": "9.3", "rule_name": "LLM-Based Compromised User Triage by User", - "sha256": "08654fdc3bd24c49261ae772ea553f821ca9fe8bd83696f6e95b510b590b2b61", + "sha256": "f9cd4e56fa9681eea1b1e6bd394edb2f54ee3e8a0899cfc001c1970080038fb2", "type": "esql", - "version": 4 + "version": 5 }, "3df49ff6-985d-11ef-88a1-f661ea17fbcd": { "rule_name": "AWS SNS Rare Protocol Subscription by User", - "sha256": "9b0d126300cb2f308ca0adf5b6329e86fa15c840dc23d16ddf3c528b22e2fed8", + "sha256": "32680ca1127f1b7e76119a007029e178da00282028a5aa539ca6d3520f448c0f", "type": "new_terms", - "version": 9 + "version": 10 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", - "sha256": "81cdf349478dbdf0bfdfbcd929b1aa2273a6a90be984ae7bd6444852d2623544", + "sha256": "781c416727462ac0e014347828b7c261ba04967713972c298db7516882f130ba", "type": "query", - "version": 214 + "version": 215 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "Spike in Number of Connections Made from a Source IP", + "sha256": "e4d464262beeebfad9dbb0a00d42af6ae0790919218e2677dd0e4f96f907e872", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "Spike in Number of Connections Made from a Source IP", - "sha256": "e4d464262beeebfad9dbb0a00d42af6ae0790919218e2677dd0e4f96f907e872", + "sha256": "81349653c7bef22cf29580e3ace788925cb5a9d8b543e05fb97f9a36da0e0796", "type": "machine_learning", - "version": 9 + "version": 109 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "rule_name": "Suspicious 
Execution via Windows Subsystem for Linux", - "sha256": "0b21400f37baa5d80cb1f2d3cbac510af8822dfc3d5e1e2c236b07258bcc5b94", + "sha256": "1f39583c1b6369b865b3cec2fc817eb7fa4cac54043993345add12138b6db8dd", "type": "eql", - "version": 211 + "version": 212 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { "rule_name": "Kernel Driver Load", @@ -2976,9 +3296,9 @@ }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "92988c935ed3e7bcbebd473a3842c0ddee67886760c6842d7ba74c265ef9beb0", + "sha256": "5e02c2bd1ee78f88b93c1695389467410310dd135d79cefc434fec6d0bb3b114", "type": "eql", - "version": 317 + "version": 318 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "rule_name": "Suspicious Process Creation CallTrace", @@ -3000,9 +3320,9 @@ }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "rule_name": "CyberArk Privileged Access Security Error", - "sha256": "3eb94d24ef340393e84bcccc412d51e707667d2b28aaa9d880f3fffa449e518f", + "sha256": "149a70bdcd76cf9bf067b2539841f715ee8df3aa2773e8f4505c24ecda648101", "type": "query", - "version": 105 + "version": 106 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { "rule_name": "Potential Protocol Tunneling via Chisel Client", @@ -3018,9 +3338,9 @@ }, "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e": { "rule_name": "Potential Data Exfiltration via Rclone", - "sha256": "c9fbf72f3ad2335fdad1a3bf32efb3f1fa6ce126b64ce499c9bc1e9d48c4ef8a", + "sha256": "ff83a2e78c8fdd0fa7bfc58af6d997e97daefc49b9ca031a3907a26a34f20bce", "type": "eql", - "version": 2 + "version": 3 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { "rule_name": "Process Discovery via Built-In Applications", 
@@ -3029,22 +3349,32 @@ "version": 7 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "Unusual Time or Day for an RDP Session", + "sha256": "570ebb0e5a2ce71626cfe8f38f75326e77521db306168f490e68636c672152e5", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "Unusual Time or Day for an RDP Session", - "sha256": "570ebb0e5a2ce71626cfe8f38f75326e77521db306168f490e68636c672152e5", + "sha256": "88291719875740ebfe930f0d6526a42e8de7f03c6c6eb67af3bfaa96b77b400d", "type": "machine_learning", - "version": 9 + "version": 109 }, "3f7bd5ac-9711-44b4-82c1-fa246d829f15": { "rule_name": "Command Execution via ForFiles", - "sha256": "255a17c6998bc460aa1ef70e094bfa64b27c0bfb7530291b23749c3b7f99db09", + "sha256": "78f26d181e59439ad90202e43409f326d099c71cb8dd9ee5470f06178912a6a2", "type": "eql", - "version": 5 + "version": 6 }, "3fac01b2-b811-11ef-b25b-f661ea17fbce": { "rule_name": "Entra ID MFA TOTP Brute Force Attempted", - "sha256": "1393f9d0d39d1816d59b14c249c6f51943fe8913b7e7a32f5e1180f32117f716", + "sha256": "4549f277c1e6b7c9104b7e344042dd83bba99e71b560d0704278cecc583f15e2", "type": "esql", - "version": 7 + "version": 8 }, "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { "rule_name": "DNF Package Manager Plugin File Creation", 
@@ -3053,10 +3383,20 @@ "version": 108 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 210, + "rule_name": "Unusual Process Spawned by a User", + "sha256": "4c17db59f36b3743d92068c1a5b88c0bbc0e7109294544f30d95ee11f6d5d083", + "type": "machine_learning", + "version": 111 + } + }, "rule_name": "Unusual Process Spawned by a User", - "sha256": "4c17db59f36b3743d92068c1a5b88c0bbc0e7109294544f30d95ee11f6d5d083", + "sha256": "cb675206bfdfdbd51d00586a43ad5ab1b7a4b7cf9df4e553b7a9d967e5f1d711", "type": "machine_learning", - "version": 111 + "version": 211 }, "4021e78d-5293-48d3-adee-a70fa4c18fab": { "rule_name": "Potential Azure OpenAI Model Theft", @@ -3072,15 +3412,15 @@ }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "rule_name": "Unusual Persistence via Services Registry", - "sha256": "56347f9901f8422488710010a3f3dab8b1ca0da5424eed39b8c6252d5dc7e5e8", + "sha256": "db6b78b0609271518bcfd9560dfe5bd4c8ea223360d3bd031fe0992248bded11", "type": "eql", - "version": 316 + "version": 317 }, "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": { "rule_name": "New GitHub Self Hosted Action Runner", - "sha256": "616dc23ae1465e1cb66812c91f762c8904b1ae889068e334cb9e1d99dcfff698", + "sha256": "8bc6935db6bda5ca9d6adfaf7c46a30e9041e429a474d22fb9bea08e8129f9e2", "type": "new_terms", - "version": 3 + "version": 4 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "rule_name": "Suspicious Modprobe File Event", 
@@ -3090,15 +3430,15 @@ }, "40e60816-5122-11f0-9caa-f661ea17fbcd": { "rule_name": "Entra ID OAuth PRT Issuance to Non-Managed Device Detected", - "sha256": "e5ed588398002392894bd097593aa777e7030ebcf8e8edcea1aa31a2f7e2d53b", + "sha256": "e79dc5d558b08aa2d6a5ac711b6839d68982ebf44258c71d341bd4fa6f8a122c", "type": "eql", - "version": 4 + "version": 5 }, "40fe11c2-376e-11f0-9a82-f661ea17fbcd": { "rule_name": "M365 Exchange Inbox Phishing Evasion Rule Created", - "sha256": "c6d6c68e59fc466982e011faf97a3276eb020ba84b1b90698c110647756a13c6", + "sha256": "070959c714f7a09d058737cad7ec89cc9e40d1ead7af7e3e6b3448b52335f045", "type": "new_terms", - "version": 4 + "version": 5 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { "rule_name": "Unix Socket Connection", @@ -3108,15 +3448,15 @@ }, "41554afd-d839-4cc2-b185-170ac01cbefc": { "rule_name": "AWS Sensitive IAM Operations Performed via CloudShell", - "sha256": "80381865d90fd48ee541ed47002ee5deddf2d58b4b1566e972b3a9d0ffa684a5", + "sha256": "f35e27ff8f1f926289ec4c5333d1a66e6a4b7bb6e3d244d9024e2e87f621ec0d", "type": "query", - "version": 2 + "version": 3 }, "416697ae-e468-4093-a93d-59661fa619ec": { "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "fe7c4d3464cff0dabddfb6424b2fbd4e36eedae5bf156da320f3a9f43d4068cb", + "sha256": "0b5288b232f12dda6f96de22366b55f6309bbc366dc521ee9960265bdceaa7fb", "type": "eql", - "version": 317 + "version": 318 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { "rule_name": "First Occurrence of User-Agent For a GitHub User", @@ -3132,9 +3472,9 @@ }, "4182e486-fc61-11ee-a05d-f661ea17fbce": { "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public", - "sha256": "db41de2f7dde8f87a05ff3b1437f8583a12a119fca5fa5745addf8b45a77ca8b", + "sha256": "a194f601c0396232cfc2cf076aec26674df35dbebda99b88ba26210ab1342940", "type": "eql", - "version": 9 + "version": 10 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", 
@@ -3182,15 +3522,15 @@ }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "rule_name": "Potential Okta Password Spray (Single Source)", - "sha256": "0c7e12d72953b3c07806fef01d5da914e1fadf25c25a821eea63561154a53f74", + "sha256": "d564134d98af7a3d81f0386dc3680e01e1259752b63bdb4657a1220d9d26a3c2", "type": "esql", - "version": 417 + "version": 418 }, "42c97e6e-60c3-11f0-832a-f661ea17fbcd": { "rule_name": "Entra ID External Authentication Methods (EAM) Modified", - "sha256": "af0bdd3550a9fa44eb5f5671251f2f55aef0bba46e7bdbaab8b99321c3d913ed", + "sha256": "1a5cfbafaa947d1a30a0e36172836401d4ae9185aa8bc05e1c51245e1adeb397", "type": "new_terms", - "version": 3 + "version": 4 }, "42de0740-8ed8-4b8b-995c-635b56a8bbf4": { "min_stack_version": "9.3", @@ -3206,10 +3546,20 @@ "version": 115 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Login Activity", + "sha256": "12ada8027cc4b74be40a4135f2de36c58b9e21027dd2c0987441b08f97e69590", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Login Activity", - "sha256": "12ada8027cc4b74be40a4135f2de36c58b9e21027dd2c0987441b08f97e69590", + "sha256": "ceada163683a969ff0c09eeb47c2a6548ed0c5540c6489baaba37e1279299e79", "type": "machine_learning", - "version": 107 + "version": 207 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", 
@@ -3225,22 +3575,32 @@ }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "b9df7ce43be836f72812813398926c6d65b207b67ed79c5de0687dc3e1ff82fc", + "sha256": "a96f247d9bddf464a3cbf64241437fcbfbe1926dd7dd985312520f6c372b7a87", "type": "eql", - "version": 314 + "version": 315 }, "444c8fad-874f-4f59-b0ea-cf26cea478bd": { "min_stack_version": "9.2", "rule_name": "AWS Account Discovery By Rare User", - "sha256": "096dc412a8e4d87ca6363764e943466da49ee23c7a29c3a29a43bd7d0779ab4a", + "sha256": "ca6ee51c94c13583db988064c27811dd1667e2ed0c6f855641192291f42480b9", "type": "new_terms", - "version": 1 + "version": 2 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 309, + "rule_name": "Unusual Windows Path Activity", + "sha256": "3620bec2f351c8445f9975f73413065df3dfadbb936c41d6823c708a960d9ba9", + "type": "machine_learning", + "version": 210 + } + }, "rule_name": "Unusual Windows Path Activity", - "sha256": "3620bec2f351c8445f9975f73413065df3dfadbb936c41d6823c708a960d9ba9", + "sha256": "9521887c113dba587810eda8d843fae683aa907a35cb28d192ad2af4fea6f05c", "type": "machine_learning", - "version": 210 + "version": 310 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "rule_name": "Potential Masquerading as VLC DLL", @@ -3262,9 +3622,9 @@ }, "453183fa-f903-11ee-8e88-f661ea17fbce": { "rule_name": "AWS Route 53 Resolver Query Log Configuration Deleted", - "sha256": "f76b785c752d68bcdb8b49d66187f8e22fe050f7f4b94f4effc62169e6aa3408", + "sha256": "bdcca3f4e0bc64249b3b8122881ea1261a2d6730802c955c30624c65a57f137f", "type": "query", - "version": 7 + "version": 8 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "rule_name": "Permission Theft - Prevented - Elastic Endgame", 
@@ -3272,11 +3632,18 @@ "type": "query", "version": 106 }, + "4577d441-0c05-4bfb-9068-39a0cb855269": { + "min_stack_version": "9.4", + "rule_name": "Rare Powershell Script", + "sha256": "9c0511f7439e1c00c5d8282719bc8a3a3264846f0c2da4f4f9ee4cdcf7ec335f", + "type": "machine_learning", + "version": 1 + }, "4577ef08-61d1-4458-909f-25a4b10c87fe": { "rule_name": "AWS RDS DB Snapshot Shared with Another Account", - "sha256": "8ad4d9f18ebddd6e3145aca58b6e2ac3a3b3a7b78e2e3292a031e37fa680bdb2", + "sha256": "e7c9e715dfc5202e3726e02eb0845d9ebc862820f8d6f38bbc831db9a30afacf", "type": "eql", - "version": 7 + "version": 8 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { "rule_name": "Windows Event Logs Cleared", 
@@ -3287,51 +3654,61 @@ "45d099b4-a12e-4913-951c-0129f73efb41": { "min_stack_version": "9.2", "rule_name": "Web Server Potential Remote File Inclusion Activity", - "sha256": "2e4b3a60f8ae843e4342d145b5e73bf17bbb18b5ef00336ceb23815729bccaf5", + "sha256": "7b879ed09a001f09082376f510753308b5182359730c5dc07397c191919664c7", "type": "esql", - "version": 3 + "version": 4 }, "45d273fb-1dca-457d-9855-bcb302180c21": { "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "2508e7257e5f68a940fbb8e31ebf364ffa3e653cb4da62b6b4a633c7004d8da7", + "sha256": "49ec1f0c7058261fafbe928089c1b3898c3757ff633e638f8b54619accd7fba0", "type": "eql", - "version": 218 + "version": 219 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "bf0dc3f9af62bcf975d6708ddea0834bfc5563351cec9db10181d602016abb45", + "sha256": "95df7b5a614e15a2757d5a73ff1245888c06e5aef83dbaf3affeec2c18f5c1a3", "type": "eql", - "version": 319 + "version": 320 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "d18a04d7579e8a64d6aa0608271b8d0d292c6cad9aa2ae50d327c58f8b25456e", + "sha256": "fcb2383594f0fb4dd75f8735b7fd9729eabd95ab5b7df4571e47f6072d1c6c5e", "type": "eql", - "version": 316 + "version": 317 }, "46b01bb5-cff2-4a00-9f87-c041d9eab554": { "rule_name": "Browser Process Spawned from an Unusual Parent", - "sha256": "e9014c52e069127714e9d007be1265c6a748574c47b1fd862fe6de12473bbfa9", + "sha256": "977af3e64fcc40b130001d57d83585d3b5fd0dc8ed09329bbcbc6dcd9ac3ed97", "type": "eql", - "version": 2 + "version": 3 }, "46f804f5-b289-43d6-a881-9387cf594f75": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Unusual Process For a Linux Host", + "sha256": "6c4cc176cfcf4e1333279896e4a7af3d18d9b540a8dde255d48339baeeba33b8", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Process For a Linux Host", - "sha256": 
"6c4cc176cfcf4e1333279896e4a7af3d18d9b540a8dde255d48339baeeba33b8", + "sha256": "e3f402cd3a598b9f2569f90d33ef2259c22ad46f3dc1bdc3c4c5b17eec84f8bf", "type": "machine_learning", - "version": 108 + "version": 208 }, "472b4944-d810-43cf-83dc-7d080ae1b8dd": { "rule_name": "Multiple Cloud Secrets Accessed by Source Address", - "sha256": "d0c4f9e600d97fef5ad96bac93093b7a8c14fcd1e8984e95303ff1e323528203", + "sha256": "5e4eae6eda373ea926bb58a7a366c5a8f2927a722bf046ea56b6c12f05a39d09", "type": "esql", - "version": 5 + "version": 6 }, "47403d72-3ee2-4752-a676-19dc8ff2b9d6": { "rule_name": "AWS IAM OIDC Provider Created by Rare User", - "sha256": "686ed0f6080d3374bf61df861ee046147736a91b683b9da640369ea7e836f693", + "sha256": "2b8214da1cdbd0bc040957a0d7526d484399595432c8a33204adcf6632c40bc7", "type": "new_terms", - "version": 2 + "version": 3 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { "rule_name": "System V Init Script Created", @@ -3341,9 +3718,9 @@ }, "47595dea-452b-4d37-b82d-6dd691325139": { "rule_name": "Credential Access via TruffleHog Execution", - "sha256": "a9bf06e4bc331b4157e3514a840e539a67615ad8c222659191ef8a6d8c06a775", + "sha256": "80cd369aeb6877b1db2b6c12d1783ea6a5d0a624fa9017500b34cad571cef398", "type": "eql", - "version": 3 + "version": 4 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "min_stack_version": "9.3", 
@@ -3413,15 +3790,15 @@ }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "efe13789f0e114a22962a031a630587a9068815b16a6fecfd9212043b5c8e175", + "sha256": "436f45d623c1f92e90c8f8293b9bd4b9f9d7736ef1f9c0d90b4c05ed0b951639", "type": "eql", - "version": 316 + "version": 317 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "rule_name": "M365 Exchange Mailbox Accessed by Unusual Client", - "sha256": "336b24221a2d27495c6571e4c6ffb5247de93322c7e5dd4f48ec48edabde1809", + "sha256": "8a10e8db5467f33d67e8ed3dca2f5a1d079e9d210603960f09e9db3ea9d997c7", "type": "new_terms", - "version": 112 + "version": 113 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "rule_name": "Potential Reverse Shell", @@ -3443,9 +3820,9 @@ }, "48e60a73-08e8-42aa-8f51-4ed92c64dbea": { "rule_name": "Suspicious Microsoft HTML Application Child Process", - "sha256": "2330313bf89d5002b03f6099ae7b30f49b7d93976a453057bf758266645dfd8c", + "sha256": "31a61bd9848f272f7d4bcfa1ce96cfa86e6c2c208faa5b17ea0230ce6f03f716", "type": "eql", - "version": 2 + "version": 3 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", @@ -3461,9 +3838,9 @@ }, "491651da-125b-11f1-af7d-f661ea17fbce": { "rule_name": "M365 SharePoint/OneDrive File Access via PowerShell", - "sha256": "1df7d0b092c017917b74e80d11a42239d82bd0f29749ea069a23d0bd0c0de371", + "sha256": "85739e22b434b14be9315877943b9eb3b82ce63928b065f96cb4631cb598768c", "type": "new_terms", - "version": 3 + "version": 4 }, "493834ca-f861-414c-8602-150d5505b777": { "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", 
@@ -3479,9 +3856,9 @@ }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { "rule_name": "Application Removed from Blocklist in Google Workspace", - "sha256": "0f6f14ac9e02bf33ed9ec6898a2612bdaba3ac5eb0def45b43a1fa68b78f761c", + "sha256": "6d87b2fabfb96262dab24abba760dd06624e339e6f6754d5b80da802c4fcc200", "type": "query", - "version": 110 + "version": 111 }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", @@ -3527,9 +3904,9 @@ }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "b80cf2ef785fc1f795233217740d1fc3a7699238ea8c1fd5077df451eb9eb5cd", + "sha256": "36f98006e5bfa62be0b6fb497cac3f8e786c601b1856911576321711398ff937", "type": "query", - "version": 108 + "version": 109 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", @@ -3545,9 +3922,9 @@ }, "4ae94fc1-f08f-419f-b692-053d28219380": { "rule_name": "Connection to Common Large Language Model Endpoints", - "sha256": "20f23bd803877535a040a877678ccc9f9bf5b382f9fddfa9b16fd9a803a1d4be", + "sha256": "e3a857464bccee09ed43658511ac90b4b5e1ab9d35a7e6f562e8222fb1c31356", "type": "eql", - "version": 5 + "version": 6 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", 
@@ -3557,15 +3934,15 @@ }, "4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection - User Risk", - "sha256": "5296ce8af32d0c657d2b2755990e979726a60839a6ec79936ae9ded15f28d90d", + "sha256": "5df9119f737237a17d5b11d6333596ed6cccdcea1c3d4ddb2115cee9fdf15a27", "type": "query", - "version": 3 + "version": 4 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "8b0ebf29f24beae56eb99431550627a0e281254d764c3580a9a8d69ce2e6b145", + "sha256": "1dd177179153675e4f49be04cac02a32b89581992bddd707b323031dcdf94ce8", "type": "eql", - "version": 315 + "version": 316 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { "min_stack_version": "9.3", @@ -3591,9 +3968,9 @@ }, "4b77d382-b78e-4aae-85a0-8841b80e4fc4": { "rule_name": "Kubernetes Forbidden Request from Unusual User Agent", - "sha256": "d1e04c245358b4f2310c94ba1c6a457cb19ea09b5c8ce402bc4eee4430bb60eb", + "sha256": "88773d78b14a1bcdf590ca88cafbe442d00a5a49f47b498e65a6ac6d4a767133", "type": "new_terms", - "version": 5 + "version": 6 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { "rule_name": "ProxyChains Activity", @@ -3602,10 +3979,20 @@ "version": 110 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 107, + "rule_name": "Unusual Process Writing Data to an External Device", + "sha256": "94ec426a8004fc2a8a6b335f60ddaa7ac6b2e50638d6e72f242b133e0121c3a1", + "type": "machine_learning", + "version": 8 + } + }, "rule_name": "Unusual Process Writing Data to an External Device", - "sha256": "94ec426a8004fc2a8a6b335f60ddaa7ac6b2e50638d6e72f242b133e0121c3a1", + "sha256": "1589cefc5200c7e7996d5300845a603f75f00b8ae38c6b4aaf586efc53f66089", "type": "machine_learning", - "version": 8 + "version": 108 }, "4bae6c34-57be-403a-a556-e48f9ecef0b7": { "rule_name": "M365 Quarantine and Hygiene Signal", 
@@ -3615,16 +4002,16 @@ }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "08f92365c8289d32623711be239952da8e2d840c26fc0c8cd00126ee17684e8f", + "sha256": "25b90a6ea0ae4b7aaeb348ef557859fc3a582b543701d6eb60534307e899efd4", "type": "eql", - "version": 314 + "version": 315 }, "4bd306f9-ee89-4083-91af-e61ed5c42b9a": { "min_stack_version": "9.3", "rule_name": "Service Account Token or Certificate Access Followed by Kubernetes API Request", - "sha256": "3c68f0231866ff8897de6eae4baef87e065983b91b398db762d9ea714d627a93", + "sha256": "2bd3b29bb1de58aceb5f105d638bee45273c848f3ee80c7cee83e90a04964ee5", "type": "eql", - "version": 2 + "version": 3 }, "4c3c6c47-e38f-4944-be27-5c80be973bd7": { "rule_name": "Unusual SSHD Child Process", @@ -3640,15 +4027,15 @@ }, "4c5a4e8b-3f2d-4a6e-9b5c-7d8f9e0a1b2c": { "rule_name": "Azure Storage Account Blob Public Access Enabled", - "sha256": "7b23580cfc0831ecac7064fc5806bc46292e3561169b89261d0210a0d55ed4fd", + "sha256": "3a0186ed0069a6b04d772c0376819879b9f3230c5f97929c81fa54bb2ba09635", "type": "new_terms", - "version": 1 + "version": 2 }, "4d169db7-0323-4157-9ad3-ea5ece9019c9": { "rule_name": "Potential NetNTLMv1 Downgrade Attack", - "sha256": "8dc9a67886d1c45cb259c5bc2ca6d2a2b56e44b4afdaae58c692f7b3a58b3d6a", + "sha256": "5d59168e802041fc2d8fca82713b3e00ae67bb869dfff26ee15f1920c8cd0894", "type": "eql", - "version": 3 + "version": 4 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { "rule_name": "Kernel Load or Unload via Kexec Detected", 
@@ -3664,9 +4051,9 @@ }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "938ad9b1aa03ea75d6296e89dbf5c3de1d26d67e5121154a2e4ea45080a5f5f5", + "sha256": "33007e4af04655ed7b7d38d9aa4047437e04c7a32a683fb1d94d0c6f9c0126bc", "type": "threshold", - "version": 213 + "version": 214 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "rule_name": "Attempt to Disable Gatekeeper", @@ -3676,9 +4063,9 @@ }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "9da3a00827b47a5c8bc78213e855c936d592e23250b29822768cbd60a9c7a8de", + "sha256": "5d431fa8f91fbe76fab715cde124a2848b218f2c547f03ff99b30355d27334e6", "type": "eql", - "version": 318 + "version": 319 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "rule_name": "Multiple Logon Failure Followed by Logon Success", @@ -3694,9 +4081,9 @@ }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "c244bdf6026d00890decfa2967be12774a0a0856e9c2b4648c27e387152ef430", + "sha256": "b89e8d1d8a4c4ed145e778a6535e5f954f7e017ae924603a8a173b3eb7343e3d", "type": "new_terms", - "version": 317 + "version": 318 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "rule_name": "Suspicious Script Object Execution", 
@@ -3706,15 +4093,15 @@ }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "6b269d0d37d97b0a03461eec0b6af4944f4b148500e3bfc4985531bc8eadd82a", + "sha256": "86ae4800d9e3322d8946ef71eadb796219d883ca2d8b3772316c430eff73718e", "type": "query", - "version": 414 + "version": 415 }, "4f2654e4-125b-11f1-af7d-f661ea17fbce": { "rule_name": "M365 SharePoint Search for Sensitive Content", - "sha256": "f1b0c07102a00a597a4213a80a301d7d51d4d784c15d6641cd09775742725dfe", + "sha256": "4bad672d48c22df5551ec3342e6f2c08bd9615a39c6c71edae46085f8673643c", "type": "eql", - "version": 1 + "version": 2 }, "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": { "rule_name": "Kernel Unpacking Activity", 
@@ -3730,27 +4117,27 @@ }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "rule_name": "Execution via TSClient Mountpoint", - "sha256": "206c3fa2a8c36d653d259895a536463f5d900064da14325591ad9af49f42b37c", + "sha256": "e91467439c3544ac933948876d3564d3775402dbd9de32b4331e7677ff28d060", "type": "eql", - "version": 318 + "version": 319 }, "50742e15-c5ef-49c8-9a2d-31221d45af58": { "rule_name": "Okta Successful Login After Credential Attack", - "sha256": "cf4ea6ec96f91bf55c3c6f1eca9cc056966f470e390fcba12bbe8e6264352a14", + "sha256": "6dad6073685bd27507bd1019c4c661b33314e196d1df27fd1d6a4a26a3f6aa32", "type": "esql", - "version": 2 + "version": 3 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "395fd40c8e9df2409d5118bb5c76f930309bfdaee3f866588ee07fb9a8878f06", + "sha256": "9f970647e9f0660e49e6297139d0fac8dea160ad9a626410b76241e0e285dab4", "type": "threshold", - "version": 211 + "version": 212 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", - "sha256": "28b1e5a0e4c3e07dd157f7004dca638856150b66910942f40ebe3de18fc16311", + "sha256": "38d2e2b85d115c468b86078187b4bf2e2692c83671f32a7800c8d87e8327865e", "type": "new_terms", - "version": 5 + "version": 6 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { "rule_name": "Windows System Information Discovery", 
@@ -3772,33 +4159,33 @@ }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "1210bd635a5f10b91c32ed2675bbce9dd1590f829d331d1646fc29bef344b08f", + "sha256": "6fd64720109c2e09c97b6a4e988da7e80ee584e28558ce57dc51e5eeec79ae7e", "type": "eql", - "version": 416 + "version": 417 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "M365 Exchange DKIM Signing Configuration Disabled", - "sha256": "53bd9c3536270159cb19465da98cb6b3a08b95f2e506f03252e7064c28226e59", + "sha256": "859bc8f0ef5f23b602f35c59bea15f012d43ae8c80cebb03c3b3b94220e29cd1", "type": "query", - "version": 212 + "version": 213 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", - "sha256": "b60fbda9423c2d69feacf0c2cb45af4f4625cfcfba99cb7e40329b540c2ffd29", + "sha256": "511c2959e42c07c74fe71b4f3da197e85d2a1fb979e23918829861b69aa0bd04", "type": "query", - "version": 108 + "version": 109 }, "5188c68e-d3de-4e96-994d-9e242269446f": { "rule_name": "Service DACL Modification via sc.exe", - "sha256": "129e731066612ab4f0fb68a77299875530e032fda26945ae4b97f420099df286", + "sha256": "28527aefe5fe7c0c8de9c21140c346130426079acfb9322df723707b2ef44b14", "type": "eql", - "version": 207 + "version": 208 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { "rule_name": "Tainted Out-Of-Tree Kernel Module Load", - "sha256": "420d5dd09194f845e48192e1792c8e90afa8c05728ada7c91374413c990944b4", + "sha256": "a5c34d9923fd2894a45428381962c575b3377bb30cf355c2869e5344a4e04175", "type": "query", - "version": 7 + "version": 8 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "rule_name": "Incoming DCOM Lateral Movement with MMC", 
@@ -3814,9 +4201,9 @@ }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "a5abd99b2a0a622491aabaea8ba35522361bd5a944c646f467b88b38a0852bc8", + "sha256": "0a394ab67c395bcdc27b3ad12d450d8ce316d1f4bb5eb00b82dc41ce9e6713d7", "type": "query", - "version": 211 + "version": 212 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", @@ -3844,10 +4231,20 @@ "version": 213 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Unusual Linux Network Activity", + "sha256": "62bd8f8c90f70c3a4eb3671d95b3b6e54bd72c9902ec472ed75dbc680856fa84", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Linux Network Activity", - "sha256": "62bd8f8c90f70c3a4eb3671d95b3b6e54bd72c9902ec472ed75dbc680856fa84", + "sha256": "c3933dcb86a4f1abdb07a73739d56f6fd50701e0ce42c766af4402e47f547ba6", "type": "machine_learning", - "version": 108 + "version": 208 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", 
@@ -3875,22 +4272,31 @@ }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "rule_name": "AWS EFS File System Deleted", - "sha256": "9502632eccfa0e324016bb477fc6a2d249c08cee1d91e5ac9fa91976bd60e1d6", + "sha256": "8cf6dfd14e01e720347865eb598fe80c73084a718b4f5703b63d214db4d68052", "type": "query", - "version": 211 + "version": 212 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deleted", - "sha256": "aaa470eef5ffb1b82d4233597469b4ad1297f06bc713fa4c327fd8faaec12ad0", + "sha256": "7ca60ba6ad3527a0ae4294e9191284da98a6981a9abccf9356442eafe415f24e", "type": "new_terms", - "version": 108 + "version": 109 }, "5378a829-30c2-435a-a0f2-e3d794bd6f80": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 100, + "rule_name": "Rare GCP Audit Failure Event Code", + "sha256": "68286b273629f0e76ab3ed11d530a7aa0bafc6f2fce33cc438cee7402360c949", + "type": "machine_learning", + "version": 1 + } + }, "rule_name": "Rare GCP Audit Failure Event Code", - "sha256": "68286b273629f0e76ab3ed11d530a7aa0bafc6f2fce33cc438cee7402360c949", + "sha256": "c5481b8a55bd8c39a4b9d76e1630bd8329b9339cb43e40347317861244b7db02", "type": "machine_learning", - "version": 1 + "version": 101 }, "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { "rule_name": "Statistical Model Detected C2 Beaconing Activity", @@ -3900,9 +4306,9 @@ }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "3326631b740479c77dfe9393b190518a1bbbe724ff0dbb651f1ebd5aced9ebf8", + "sha256": "416708619d4f194738827aae6ef44865a1176fbdf5d7fef320ab7d709e806387", "type": "eql", - "version": 317 + "version": 318 }, "53dedd83-1be7-430f-8026-363256395c8b": { "rule_name": "Binary Content Copy via Cmd.exe", 
@@ -3936,15 +4342,15 @@ }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "rule_name": "Network Logon Provider Registry Modification", - "sha256": "0c6aaee25903d5e1cbfe5db0005e367ce387f48993e20dcd324610a7d7e37585", + "sha256": "4f8c9841fe99d399a4934f995654ed5ddf171ae223cf67b8f529c0a7d6364e80", "type": "eql", - "version": 217 + "version": 218 }, "55a372b9-f5b6-4069-a089-8637c00609a2": { "rule_name": "First-Time FortiGate Administrator Login", - "sha256": "12264a88f6fcad9572c92f14f075c023b869acf3fd69f4ac23d26f7819b71c70", + "sha256": "518282100295984ad22ded511e0efb7a009dbec8d0bbfe2c7fac69778163579b", "type": "esql", - "version": 2 + "version": 3 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "rule_name": "Windows Service Installed via an Unusual Client", 
@@ -3966,21 +4372,31 @@ }, "55f711c1-6b4d-4787-930d-c9317a885adf": { "rule_name": "Suspicious Execution with NodeJS", - "sha256": "cd340b2cf9970e3315afe3ca9ac1ac1850b0b408d0192366871ff8ba32e46835", + "sha256": "0988cafc07e2277a8687b5a89074a4ad787b1cc0ad5bf564bdacb5b7c95cfe94", "type": "eql", - "version": 2 + "version": 3 }, "56004189-4e69-4a39-b4a9-195329d226e9": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 209, + "rule_name": "Unusual Process Spawned by a Host", + "sha256": "eca5395ab95a933bd111e9188d2ae22c48eb93cb47655489d123e4414dabfe5f", + "type": "machine_learning", + "version": 110 + } + }, "rule_name": "Unusual Process Spawned by a Host", - "sha256": "eca5395ab95a933bd111e9188d2ae22c48eb93cb47655489d123e4414dabfe5f", + "sha256": "d1bc1e43d67b87351b3a10c4bd73b589d019f0eb8f4519a5fdd013f9c57732a8", "type": "machine_learning", - "version": 110 + "version": 210 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "e5063799ab10aae18df8b80273efb3ce5480722024992f100e3a70f3f4ccd897", + "sha256": "9bc6208af462e05208a3ba998898d18819968882805d9c738507807be1b330c2", "type": "eql", - "version": 209 + "version": 210 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", 
@@ -4002,15 +4418,15 @@ }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", - "sha256": "bbcaf9906f3fe767bcfdc7efa42c388744d4cfdd5c457f9659105daa36947db0", + "sha256": "a41c9b731116a7c1e1a6c3aa9f43347ea30abb1eea8076c45c74804e6b07a048", "type": "query", - "version": 108 + "version": 109 }, "56d9cf6c-46ea-4019-9c7f-b1fdb855fee3": { "rule_name": "Windows Sandbox with Sensitive Configuration", - "sha256": "94be0dc595363ca7f2604e399af5a08685b8fe50a3780c410ab319cb8637a99d", + "sha256": "f4d4d1eefc4ebb9af6274ffc22bdec5b990fa06bf9f9981ed0052e80752281db", "type": "eql", - "version": 2 + "version": 3 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "rule_name": "PowerShell PSReflect Script", @@ -4026,9 +4442,9 @@ }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", - "sha256": "a12fd0977f48bb7edcf7f3086429bfa96f0be291d5d52080528b98342eb25e24", + "sha256": "5df33e1e630173c386e4532fe8fccafa945c531cdaad3bf9f65a20605287464b", "type": "query", - "version": 110 + "version": 111 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "rule_name": "Credential Dumping - Detected - Elastic Endgame", 
@@ -4062,21 +4478,21 @@ }, "57bfa0a9-37c0-44d6-b724-54bf16787492": { "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "55fdd67e686833efc05fbb83449c1d2e4371e5dc05b8563accae23d7cc12f8c5", + "sha256": "ee3256c03cbc6a3f1b443e887462f57379d2b2c61a63033957b6c1658f96f1fd", "type": "eql", - "version": 209 + "version": 210 }, "57e118c1-19eb-4c20-93a6-8a6c30a5b48b": { "rule_name": "Remote GitHub Actions Runner Registration", - "sha256": "828208f06437553b7fe68b30fc667d644d5f59836cbb6c02e9f58e62f3360da2", + "sha256": "8da226b40be571223b8382299f5497f08742a417a0afe756e9005488a6a3604a", "type": "eql", - "version": 2 + "version": 3 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Backup Deletion with Wbadmin", - "sha256": "bd99f1c1dc1bbc1957f29cd1c182ab5d00d9770fd4dd77a724fee4634f6f8135", + "sha256": "07bdaa41ff03e3b89676dab7ec128e06ffe3a0a7aa4f2f531ef6d65e01d87225", "type": "eql", - "version": 318 + "version": 319 }, "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": { "rule_name": "Unusual Web Config File Access", 
@@ -4086,21 +4502,21 @@ }, "5889760c-9858-4b4b-879c-e299df493295": { "rule_name": "Potential Okta Brute Force (Multi-Source)", - "sha256": "483f341a689103f78ee0028c88bc8ff03e6d6ce55e6b3bd6e70f13c790a58d36", + "sha256": "cdac32489551a612c6bdd1002c5f9beb3f39e4e418574f5d004a7307b21e02c3", "type": "esql", - "version": 2 + "version": 3 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", - "sha256": "572350cc1b7ee9eb743fe3f4cfba0c9b6316477ce99490cc1ccffdf8a74bb4ab", + "sha256": "758f40ca7304434bd1db7e03734a5d514e09ffb281d494a73e420f69fa77d6ee", "type": "eql", - "version": 315 + "version": 316 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", - "sha256": "dd509b2bcdfcdbc08ba7ffd1496e58a28bd54e96eced8b7cd0cf9443fa96314f", + "sha256": "c200789d227a9970276e70d96c3d7a3dda0bca9cc890d451341d5701dc772fa8", "type": "query", - "version": 105 + "version": 106 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "rule_name": "Potential Lateral Tool Transfer via SMB Share", 
@@ -4128,27 +4544,37 @@ }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "rule_name": "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish", - "sha256": "7df117f2d8cc2a6407e7ce63ab750f7abac6c399fedb9cd5e5180dcbd3ff2b44", - "type": "query", - "version": 212 - }, - "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { - "rule_name": "AWS CloudTrail Log Created", - "sha256": "940ef236a8475305598b01c5be9a9cfc9be3fd3f7113b1531e9cdd1175d34659", + "sha256": "52f073fe724020db891045530704a08c294fa95ee10247f3232467f93bd3fb85", "type": "query", "version": 213 }, + "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { + "rule_name": "AWS CloudTrail Log Created", + "sha256": "820bd96ddd179512b9d5a0163bb9f14bab4331cc45be72aa7718ebace53c28c0", + "type": "query", + "version": 214 + }, "59756272-1998-4b8c-be14-e287035c4d10": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Unusual Linux User Discovery Activity", + "sha256": "1b3e6cbb40f046d22b7ccadce341898603e5676bd73c703a48a3dd0a50beae19", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Linux User Discovery Activity", - "sha256": "1b3e6cbb40f046d22b7ccadce341898603e5676bd73c703a48a3dd0a50beae19", + "sha256": "60849ad13847f09c4d9a8563601b9291916f289bea439f511a4171ec4a013351", "type": "machine_learning", - "version": 108 + "version": 208 }, "59bf26c2-bcbe-11ef-a215-f661ea17fbce": { "rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source", - "sha256": "121e9bd56ba8ea9ccd98b2ae0ce2eb69889ab784ca27660c4edcb3d06b913f2e", + "sha256": "4ee4a4ce4a9ac868a787a8fcadc3d1b7655e2840e1b76969a14ac4571928d40a", "type": "new_terms", - "version": 8 + "version": 9 }, "5a138e2e-aec3-4240-9843-56825d0bc569": { "rule_name": "IPv4/IPv6 Forwarding Activity", 
@@ -4158,9 +4584,9 @@ }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "af550c49b54fdde4f457b46291419fcce1a52c87f48f17702fea4f9f646df8a7", + "sha256": "1f54949694e1a11f3a6cfb3b63ee8e578f5bf33cdb23bf40ea319d20845ff3d0", "type": "eql", - "version": 313 + "version": 314 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { "rule_name": "Potential Reverse Shell via Java", @@ -4194,9 +4620,9 @@ }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "52e50adab24a9c98ab490445823f19da1c977fbb1095aa36f198857a03f478f5", + "sha256": "52b32d6c07872ce579e613e8d7d5d8cd1ca9a70f304ead35f716b38f94db14f2", "type": "eql", - "version": 312 + "version": 313 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", @@ -4230,9 +4656,9 @@ }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "rule_name": "Deprecated - Suspicious PrintSpooler Service Executable File Creation", - "sha256": "053a68fdd7475f4e88b8e0c17034409f8ce460f18afc33a8f4db9478d0dfa8ff", + "sha256": "18c7e6db68770255ff3cad0f3c1fe15fc327df877f34a012180fdf12f0177df6", "type": "new_terms", - "version": 321 + "version": 322 }, "5bda8597-69a6-4b9e-87a2-69a7c963ea83": { "rule_name": "Boot File Copy", @@ -4248,9 +4674,9 @@ }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "822b3f02a852acf4b757d3db5af307df3d08328bf3cf41433c24fd0c0282215d", + "sha256": "7e201a9f630b65ea3703f55383653c8c701324ea8334853c13efb45ddd45bb79", "type": "query", - "version": 211 + "version": 212 }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { "rule_name": "Process Capability Enumeration", 
@@ -4301,10 +4727,20 @@ "version": 12 }, "5c983105-4681-46c3-9890-0c66d05e776b": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Linux Process Discovery Activity", + "sha256": "73a2b26e4a677c2f45db8dfe14c180513fa2b5b51e66828388e71dd909955e75", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "73a2b26e4a677c2f45db8dfe14c180513fa2b5b51e66828388e71dd909955e75", + "sha256": "e6d2c1bb66e9d94d5a0fc9e25fe3d8dd9a75eb35f100ed631a3df105e5748711", "type": "machine_learning", - "version": 107 + "version": 207 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "rule_name": "Potential Defense Evasion via PRoot", @@ -4326,9 +4762,9 @@ }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "rule_name": "Persistence via PowerShell profile", - "sha256": "1de4421d5b5299213d99591da32512ca3a1acf592d3d8a5e9f9f512812cf976d", + "sha256": "a8f65b0e862ccc3602854d6c59de958637d279fb804b1f92c2efcf328a07e50d", "type": "eql", - "version": 213 + "version": 214 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", @@ -4339,9 +4775,9 @@ "5d1c962d-5d2a-48d4-bdcf-e980e3914947": { "min_stack_version": "9.3", "rule_name": "Forbidden Direct Interactive Kubernetes API Request", - "sha256": "6d915f910f0bfe2eb31be1eb5e3f7891ec2f9a9307533bb691094acb47ad1ad1", + "sha256": "d27959c1650287e616fb7b235e828792e56a049f59244ffc1d56ad66b4b99d32", "type": "eql", - "version": 2 + "version": 3 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "rule_name": "Suspicious Execution via Scheduled Task", 
@@ -4363,15 +4799,15 @@ }, "5e161522-2545-11ed-ac47-f661ea17fbce": { "rule_name": "Google Workspace 2SV Policy Disabled", - "sha256": "669f9eeb55c3bcaa2a349d5bd0cf86e3e1de625d92cf11629c560d6d912090af", + "sha256": "048a359ddaed92e5d025d84b05ee14e0aeb65e3c2f980eefac7cd3196a48085b", "type": "query", - "version": 110 + "version": 111 }, "5e23495f-09e2-4484-8235-bdb150d698c9": { "rule_name": "Potential CVE-2025-33053 Exploitation", - "sha256": "d9f93bfa692b5386386beddd97259f5aa071c648c5625585978643e3a843ce9c", + "sha256": "d05a70b154a7b84b4788d0e7a9beb17cf0b147169da42a8f48bafb328c5e8403", "type": "eql", - "version": 2 + "version": 3 }, "5e4023e7-6357-4061-ae1c-9df33e78c674": { "rule_name": "Memory Swap Modification", @@ -4381,9 +4817,9 @@ }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Deprecated - M365 Teams Guest Access Enabled", - "sha256": "5e252d30858559a07fec7cd8c8314f704a835c338724c155213b6526cc3c0cbe", + "sha256": "266a162de1fb161531696272816f4b94596b9e60e70a673859f3162efb4333e6", "type": "query", - "version": 213 + "version": 214 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", 
@@ -4392,22 +4828,32 @@ "version": 100 }, "5eac16ab-6d4f-427b-9715-f33e1b745fc7": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Process Detected for Privileged Commands by a User", + "sha256": "1d71fb265ec9c3ff73874aa4beadd56455b47e89abd56102a39fe0cc342da6af", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Process Detected for Privileged Commands by a User", - "sha256": "1d71fb265ec9c3ff73874aa4beadd56455b47e89abd56102a39fe0cc342da6af", + "sha256": "5ec3183a9be36f68aded429224d36cce68ddfb8a955fcc82adb868c3880f0b8c", "type": "machine_learning", - "version": 4 + "version": 104 }, "5f0234fd-7f21-42af-8391-511d5fd11d5c": { "rule_name": "AWS S3 Bucket Enumeration or Brute Force", - "sha256": "b7a053aa108ee5047e30b524fc1a2b82f40a836705050ee642605974e87dc47a", + "sha256": "b03598902c032a90bd8c08caf8f74055975dd2b075bd845d15f0d4093459f506", "type": "threshold", - "version": 8 + "version": 9 }, "5f2f463e-6997-478c-8405-fb41cc283281": { "rule_name": "Potential File Download via a Headless Browser", - "sha256": "7ad46e4c1417d9c0c7af9ee3b98ee5787d0f6dbc52ac00412683783a32cfd189", + "sha256": "243733569b61c9258414f81794aa80af97b0ce2a578f54cb1fc3eb3b6ffc5deb", "type": "eql", - "version": 208 + "version": 209 }, "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { "rule_name": "Potential Docker Escape via Nsenter", 
@@ -4417,21 +4863,21 @@ }, "5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891": { "rule_name": "NetSupport Manager Execution from an Unusual Path", - "sha256": "2ff13f827d6e3b101978628ae7e81aea2aac534bb49e2e005c4b79ac69887d84", + "sha256": "f49bf2a2ea1c32cc3ab338dd4e8f8b582091b3afe242ad98d6e048aed2256252", "type": "eql", - "version": 2 + "version": 3 }, "60884af6-f553-4a6c-af13-300047455491": { "rule_name": "Azure Compute VM Command Executed", - "sha256": "ac7900fe9b05ceca8ab042dd5c2b56878cd81674ea05fffaac4e4a0afedb300a", + "sha256": "8adae74085d1b365f947e33813e55390fedd6e9a18b0a155e3bc3ca16f8b6bb3", "type": "query", - "version": 107 + "version": 108 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { "rule_name": "Entra ID Service Principal Created", - "sha256": "212f5fd759cc852fe02f5a6c8387e49ca36c98e7e38a7f9f8f15b48443052582", + "sha256": "53b3bb3ed81272c5cd748118879a25c793a01b0a8bad0cf6cf57a42745b3ba2b", "type": "query", - "version": 109 + "version": 110 }, "60c814fc-7d06-11f0-b326-f661ea17fbcd": { "rule_name": "M365 Threat Intelligence Signal", @@ -4447,9 +4893,9 @@ }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Deprecated - M365 Exchange DLP Policy Deleted", - "sha256": "9006b456e8e5aac1b3083337c8468dc521950f1b2537f6eec97e03cf296f4dfa", + "sha256": "b61525284954c4fc0497d4722706527fd82f0c909a0d9d5d8436eb4eb64c73eb", "type": "query", - "version": 213 + "version": 214 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", @@ -4465,9 +4911,9 @@ }, "616b8d00-05f8-11f1-8f33-f661ea17fbce": { "rule_name": "Entra ID Service Principal Federated Credential Authentication by Unusual Client", - "sha256": "f561e95790ebad03eb90981d8ebfad155f4b4fadbf0404a9b1cb21fa8b170ec0", + "sha256": "b8a0677840e2ac54c009dfc71b670853c992e15ab05a71bbbeed68c4b46d35e3", "type": "new_terms", - "version": 2 + "version": 3 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "rule_name": "Interactive Logon by an Unusual Process", 
@@ -4477,15 +4923,15 @@ }, "618a219d-a363-4ab1-ba30-870d7c22facd": { "rule_name": "FortiGate FortiCloud SSO Login from Unusual Source", - "sha256": "65ef1e5263d2ceb9161e3fcb9722972eaf023a1a3be5b42fdf134c1ac77f1c2c", + "sha256": "1633c7aa0014d0a78d937ad7c074f29e3aae5b3ddaf38ce799a5141b9cdebaec", "type": "esql", - "version": 3 + "version": 4 }, "618bb351-00f0-467b-8956-8cace8b81f07": { "rule_name": "AWS S3 Bucket Policy Added to Allow Public Access", - "sha256": "432b70fbe0e399988c18b6bd0f70a80bfa5cd7b7d0848ed2fe754ecdae6ea112", + "sha256": "3add80c1e8b09bdfcf8f584070eca230034c9b21f79833ba3fe4693e6f61f11c", "type": "eql", - "version": 2 + "version": 3 }, "61ac3638-40a3-44b2-855a-985636ca985e": { "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", @@ -4507,9 +4953,9 @@ }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "8718b5f7766c49df934b5a358670fd814c176f3dba6835a0ec719cd8c6560b56", + "sha256": "e0477a60892cad9da6b82baf80a54de4df04b8f72415f9f443b405c02849bc35", "type": "threshold", - "version": 210 + "version": 211 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "rule_name": "Incoming DCOM Lateral Movement via MSHTA", @@ -4549,9 +4995,9 @@ }, "632906c6-ba8f-44c0-8386-ec0bbc8518bf": { "rule_name": "M365 SharePoint Site Sharing Policy Weakened", - "sha256": "63a28820779cb76eff2c1ea94f27ea65d2813e5a6f361c0b5c78ef4f6cdb9e81", + "sha256": "df946fcbb376eb3a51b2e8299075494cccd95d5229b4b956537d4f162ce80731", "type": "query", - "version": 2 + "version": 3 }, "63431796-f813-43af-820b-492ee2efec8e": { "rule_name": "Network Connection Initiated by Suspicious SSHD Child Process", 
@@ -4561,21 +5007,21 @@ }, "63c05204-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", - "sha256": "3eb4cf8191b540261c82f3be237b1d7d0d7a6c89daac1922c17723115c99e60b", + "sha256": "e6322acdcf8bfdea43c886c81f1d74c7982802542e500006806f52c422a951b3", "type": "query", - "version": 11 + "version": 12 }, "63c056a0-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent", - "sha256": "b5f24bfa2e0ca5124eb8906e21888074cbc74f7ce03972f697e7da5b3a9dd341", + "sha256": "7de86c2aa0f76814053d0f5818bc392c8c2e59db281f8891357f87d0057dfc26", "type": "new_terms", - "version": 11 + "version": 12 }, "63c057cc-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent", - "sha256": "67374027e182776c03ce4412cb80c48c6224950afbbd622642c858cd97e5964f", + "sha256": "298014d2796245f46bde784ce5a8c9a9bd75184e6d80bab634ae84b03fa3710c", "type": "new_terms", - "version": 12 + "version": 13 }, "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { "rule_name": "Sensitive Registry Hive Access via RegBack", @@ -4608,10 +5054,20 @@ "version": 3 }, "647fc812-7996-4795-8869-9c4ea595fe88": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Anomalous Process For a Linux Population", + "sha256": "58734d751552517001b8693378f42770573d4d066dc38f676bd455a29192c217", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Anomalous Process For a Linux Population", - "sha256": "58734d751552517001b8693378f42770573d4d066dc38f676bd455a29192c217", + "sha256": "cfbfe676b63f196bd4399206148f3a8920d108155f2abfa3c4bf59600cb422e0", "type": "machine_learning", - "version": 107 + "version": 207 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", 
@@ -4669,9 +5125,9 @@ }, "65f9bccd-510b-40df-8263-334f03174fed": { "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "5c506cfad2486ff36e966e00f190680828c5177c83f2c6b197061dffdc963b11", + "sha256": "b25056edc655b86fef84b34e0ac3641910735b515a07aedaa5f68db48b4f6937", "type": "query", - "version": 208 + "version": 209 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "rule_name": "Attempt to Mount SMB Share via Command Line", @@ -4688,9 +5144,9 @@ }, "6631a759-4559-4c33-a392-13f146c8bcc4": { "rule_name": "Potential Spike in Web Server Error Logs", - "sha256": "effc61a862d7377ca5db5b1edccd523326415b1fad2a0176cf40a825888b0431", + "sha256": "319471d805dfa2a7447664a2aa86c3e7dec96ca6de3ffb39f7db4c64f6f603b2", "type": "esql", - "version": 2 + "version": 3 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "rule_name": "Suspicious Termination of ESXI Process", @@ -4700,9 +5156,9 @@ }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "257ed26a976663a2c37c0dff32d55ea12d1dfc35247da988bf23c9b5274e0855", + "sha256": "c8b7ed1cedb954e68d572f77deae21770e0c4204727df0625f6c6f1e66411a6b", "type": "new_terms", - "version": 209 + "version": 210 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "rule_name": "WebServer Access Logs Deleted", @@ -4718,9 +5174,9 @@ }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "da6621853cbee76b525a9a6ebbd8670a6e6a3eedf0c961d63667f002491ffa5d", + "sha256": "43d0ac6c3447fd2acf017d3c2152f787341287f92ce0b82509305be74ff84081", "type": "eql", - "version": 129 + "version": 130 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "rule_name": "Linux Process Hooking via GDB", 
@@ -4742,27 +5198,27 @@ }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "8bcacf46dd663455ae16de208c535608363730de69e4f908f70764c932144785", + "sha256": "f71ab483864d71a48cf0507edbbd3dff6d995b6508879227e0b7e250970c8097", "type": "query", - "version": 414 + "version": 415 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "M365 Exchange Mailbox Audit Logging Bypass Added", - "sha256": "b095d445e046b31bd0ca7453a145f7f2100fbc0a4e7a58ecaa13e83085edccf2", + "sha256": "9e19b7471a462cb1508940d24058f3413af1a9726f051383aea06f04e4d56d76", "type": "query", - "version": 212 + "version": 213 }, "6756ee27-9152-479b-9b73-54b5bbda301c": { "rule_name": "Rare Connection to WebDAV Target", - "sha256": "73b7832d2d84a9fa85363889cdc9039b97122d38842307ea0cced1a5a7d08a3c", + "sha256": "e5d3b39573d69c986872183396d628615b6c8a73ec566892063f154e05f2f738", "type": "esql", - "version": 6 + "version": 7 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "46ce327e5a7721a4232d054cffea7064e587e8fe9066deaf0b52b4dce137c44e", + "sha256": "e6ecd90c1ffa19eca2a67af1b6c71e975b28190e2c7f1f5c14e41903155bbe1b", "type": "query", - "version": 413 + "version": 414 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", 
@@ -4784,33 +5240,33 @@ }, "6839c821-011d-43bd-bd5b-acff00257226": { "rule_name": "Image File Execution Options Injection", - "sha256": "c27202eab20774ab1eb8e25fda99113ea2cdb28f9e3dc0dbc5cea32eff56ace4", + "sha256": "98577dabfec38f164628871b9bb7fb8da7da64c1dc5fd38fbf3177e387f3693f", "type": "eql", - "version": 313 + "version": 314 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "M365 Exchange Federated Domain Created or Modified", - "sha256": "28ae5b8416e43e899169c33eaf626c5deb33691ac860da166ed83af7e599646e", + "sha256": "ff4eb2e457d5e3ebe7454a8eb3478eb11c7a177531c3ddd4ab3336c25709cc38", "type": "query", - "version": 213 + "version": 214 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "0213339b429615707aed9697fd239830b2cc1c6c0f4d8b8ea9c25c860c76c36d", + "sha256": "944fb024ccefc8bb13bca9d85069633c0bd5b285d5b4e1fc8045e2bc1b44d5b1", "type": "query", - "version": 412 + "version": 413 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "762b94746bef2ca7e80bb657ace66afa3602a6c62a978487f801d78e7d744308", + "sha256": "7f9baf27023307f44d511ff57ee099cdad40f2129fc367ca76d75a969c89d1a1", "type": "eql", - "version": 316 + "version": 317 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "f84e2dcd11a132eea0ca7a43cb5f94e640a1d7c3cfc9966587d144b81d173e2d", + "sha256": "beb7c099e4c87d3147444605e39e6fb2a85af130454c62d43ae6eba5307ce395", "type": "query", - "version": 210 + "version": 211 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "rule_name": "Scheduled Task Created by a Windows Script", 
@@ -4820,9 +5276,9 @@ }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "3b6198e952a03a06fb8afe087f6c4f211074808c49106d77b0b354ce5a37554d", + "sha256": "ca809a6bd6c5e473da5a47132318262a0953bf2a6bf09e1a3bcf772bcdea2d77", "type": "query", - "version": 214 + "version": 215 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "rule_name": "Suspicious Access to LDAP Attributes", @@ -4838,9 +5294,9 @@ }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "77f75f86866b174600e6178727630e93c2e2eb7a46ef23e7e0395d266892854f", + "sha256": "1b42f6edf559e3d2b60263d34ea41d60e23f6ac770cfd98134dd27d88a284084", "type": "eql", - "version": 213 + "version": 214 }, "68e90a9b-0eab-425e-be3b-902b0cd1fe9c": { "rule_name": "Suspicious Path Mounted", @@ -4850,21 +5306,21 @@ }, "6926b708-7964-425f-bed8-6e006379df08": { "rule_name": "FortiGate SOCKS Traffic from an Unusual Process", - "sha256": "984c1410626d079006e9478eb02012d69dbe7ab70c8dcba0271941495d44a43a", + "sha256": "d649b848c5586e36017ccecc790367c99ca06795b3a429e69b524a3653d2bd55", "type": "eql", - "version": 2 + "version": 3 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "b57f22278c53ba1cc8de7db5578aa82c1285592d0b72098ab27156d27b1470df", + "sha256": "746b43837e7ae358433e6c7a94c73a422528fb56a1902ab5a8be4999867587d0", "type": "query", - "version": 112 + "version": 113 }, "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "rule_name": "AWS IAM User Created Access Keys For Another User", - "sha256": "cde5eb69a93612087164e1626195700bd500e73b3e1248816d9a757a270b15bc", + "sha256": "a9bc6c80faa8050ae1541d7eee9897b8fbdb2612cca00069af0033e33a4817b1", "type": "esql", - "version": 12 + "version": 13 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", 
@@ -4874,21 +5330,21 @@ }, "69c116bb-d86f-48b0-857d-3648511a6cac": { "rule_name": "Suspicious rc.local Error Message", - "sha256": "6fbeb059f6b42ec54eaba065ad71a2371c3030633c93d0a4620a99782d9977b6", + "sha256": "9454ca1b21ce6bfe21d078e24b4f7889fa8857ff6d3aee43af4c4ffae0519891", "type": "query", - "version": 7 + "version": 8 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", - "sha256": "062ebbb18e87088c2415a14ef1813c552955a440c290ca1cd073a4f6e9b42770", + "sha256": "8354a41d02ed3832503dfdff8191253036100d6a51a5c13e71517add5389a4b9", "type": "eql", - "version": 314 + "version": 315 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS Sign-In Root Password Recovery Requested", - "sha256": "b061c8c53d8a4791c3c962e32cb262dc615e9bb9e4dde98973686f53485082c5", + "sha256": "7b5ac4f195b8c0bbcc320b3d13f89fa4e87ebc1dda5d046a05b109076ae52048", "type": "query", - "version": 212 + "version": 213 }, "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { "rule_name": "Attempt to Disable Auditd Service", 
@@ -4898,21 +5354,21 @@ }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { "rule_name": "AWS EC2 AMI Shared with Another Account", - "sha256": "92a73731285ad8a586f20c44168203095329ef10c5faa34456fd4fecdaddbbc2", + "sha256": "38688952422703a3d3b321bdf3df09ef1d9a20fe5477a4b7a6bead6e6c13dcd7", "type": "query", - "version": 6 + "version": 7 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "95af9566aea54e42762a51b57cd302ff63e6aa9f85764d94bf0c073f89f67e72", + "sha256": "5539eab07820ed60e51e720a05ed0dc076e60255efbe124fd01a7c33f8c996ce", "type": "eql", - "version": 313 + "version": 314 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "a5db8d3fbc7120c2f1c28e235a8fd84ef3846e616464880ab4afc3a646a01e9a", + "sha256": "daced640af9a25daf0c116312924b7b3603258acfb8e8b4db92ff8719db4d43e", "type": "eql", - "version": 421 + "version": 422 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "rule_name": "Suspicious Utility Launched via ProxyChains", @@ -4922,9 +5378,9 @@ }, "6b341d03-1d63-41ac-841a-2009c86959ca": { "rule_name": "Potential Port Scanning Activity from Compromised Host", - "sha256": "8c0ebef4188bbef987e1a1c3bf87cbe8a894ea61606c8fffac0daa41f6c2ff05", + "sha256": "6ec8f4bf159dc48d6a32fd5c7b6cfcb8dff46b845ca65c6f60ad47e23ae20953", "type": "esql", - "version": 10 + "version": 11 }, "6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf": { "rule_name": "Suspicious Curl to Google App Script Endpoint", @@ -4962,9 +5418,9 @@ }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "7053d338cd930b84a53a00d6136665d38dcc876ab54572d147dd8d3405482624", + "sha256": "f3614a07dfdade46e6c4790d03b3130608ed99a444e24057a541b80c0cea027d", "type": "eql", - "version": 312 + "version": 313 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { "rule_name": "GitHub Repo Created", 
@@ -4979,10 +5435,20 @@ "version": 5 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 315, + "rule_name": "Unusual Process For a Windows Host", + "sha256": "c12d3d95f0d7c995800fde4303065b27add02c60576194f2f91d0515e2aa519c", + "type": "machine_learning", + "version": 216 + } + }, "rule_name": "Unusual Process For a Windows Host", - "sha256": "c12d3d95f0d7c995800fde4303065b27add02c60576194f2f91d0515e2aa519c", + "sha256": "9342a3ec46ad8d944851a0ed0e81e1916668c1c67eb353a745fdabb4ddd0d70e", "type": "machine_learning", - "version": 216 + "version": 316 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", @@ -5021,10 +5487,20 @@ "version": 6 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 310, + "rule_name": "Anomalous Process For a Windows Population", + "sha256": "0e4aee03edacf69e9198f2b0c2990d55cea3c4c8807f745eeaada13da2490dac", + "type": "machine_learning", + "version": 211 + } + }, "rule_name": "Anomalous Process For a Windows Population", - "sha256": "0e4aee03edacf69e9198f2b0c2990d55cea3c4c8807f745eeaada13da2490dac", + "sha256": "1e7c0617e681eb446d4f478862986e4d1a36fd313f0832c4b7a9a09033adb6d9", "type": "machine_learning", - "version": 211 + "version": 311 }, "6e4f6446-67ca-11f0-a148-f661ea17fbcd": { "rule_name": "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)", @@ -5046,9 +5522,9 @@ }, "6e92a21a-58e7-449a-9cfd-9f563f59ac88": { "rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host", - "sha256": "2721e5e930982a6897a8da41631c6208072d6a03cb7bd026ece1d156d5308d26", + "sha256": "3af8f483c7ccc43ad152aba81bd1e58d38898b0cf77541189732b33a7f8c2aed", "type": "esql", - "version": 3 + "version": 4 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", 
@@ -5100,15 +5576,15 @@ }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "fc527a53fbab4895ae11c74a764c12998813fcb3cf9dd606b542904f97b098ab", + "sha256": "87db5b1008a9782f6cdf83f6404d979b3324bcc547da1c4228118130307d4f8f", "type": "new_terms", - "version": 211 + "version": 212 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", - "sha256": "0618d19023bba91b6f6a910920452388192425ec8b426e92ee1d0ff4b8404cc7", + "sha256": "50ac1ff7656d514815a0c4e4c39c449371e045968bc2d901f7d696b6bfaeceba", "type": "query", - "version": 209 + "version": 210 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { "rule_name": "Linux Restricted Shell Breakout via the find command", 
@@ -5124,21 +5600,31 @@ }, "6fa3abe3-9cd8-41de-951b-51ed8f710523": { "rule_name": "Web Server Potential Spike in Error Response Codes", - "sha256": "84da8f73568810bc4a06e418203b08260dc85c43867f04478490a2f4a1c53d4b", + "sha256": "8925f6280b9f3ecb2a90fe8de866975f613687315d0cb7246e7d28ba6d14984e", "type": "esql", - "version": 3 + "version": 4 }, "6fb2280a-d91a-4e64-a97e-1332284d9391": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Spike in Special Privilege Use Events", + "sha256": "9774db65e26243e3f10e5b6d0e36b4993c05c3829a7b6333476c120ac88fa3c7", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Spike in Special Privilege Use Events", - "sha256": "9774db65e26243e3f10e5b6d0e36b4993c05c3829a7b6333476c120ac88fa3c7", + "sha256": "838b61827d24324be69e2a9674684812960a9c05f5a20d8913051d9a8ae60821", "type": "machine_learning", - "version": 4 + "version": 104 }, "6fcb4fe4-ac74-449d-855b-2bbd5c51c476": { "rule_name": "Multiple Vulnerabilities by Asset via Wiz", - "sha256": "efc967ea17b6d6bd24680496c417b3ce7a00dbe16a1fa6bd08ed0d87e586e737", + "sha256": "0610ae726a3381c2a47b8847eccbe0161250a1617583d4adc8aa5389802803bc", "type": "esql", - "version": 2 + "version": 3 }, "70089609-c41a-438e-b132-5b3b43c5fc07": { "rule_name": "Git Repository or File Download to Suspicious Directory", 
@@ -5154,15 +5640,15 @@ }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "05f5b1b39bf6f6ec97c024592101ffb50e05e5c4bff8e75680caa2e990b4c47a", + "sha256": "ef329416e88fd93ee0e0517742245b288bd8c1cd49172672a51d8b93a6a83875", "type": "query", - "version": 215 + "version": 216 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Resource Deletion", - "sha256": "ec5d6173a7089c9a99c4018cec4613e5b87e0d90954baf0de5c452cfd9fd5e4d", + "sha256": "3fa1996d6fb2e966a0696cc5971c64d5a29c229f00cf24cf2ef9fa58cc3f261e", "type": "query", - "version": 213 + "version": 214 }, "70558fd5-6448-4c65-804a-8567ce02c3a2": { "rule_name": "Google SecOps External Alerts", @@ -5190,15 +5676,15 @@ }, "713e0f5f-caf7-4dc2-88a7-3561f61f262a": { "rule_name": "AWS EC2 EBS Snapshot Access Removed", - "sha256": "db9212a9ffea96d90748a5055e62c90f85285a50161ba40260f808cf99a6a658", + "sha256": "98bb1d28c3cc0f6c239a56a9034dfea2bebed6256e2716dcf375e509c4de8ebd", "type": "eql", - "version": 6 + "version": 7 }, "7164081a-3930-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", - "sha256": "8f33675dd749c5cb67b560c261622230b1bfd0377e232760fbbffa0de39717dc", + "sha256": "f6ead63e1234253e25aea1bb53b931f40995439f8381bf0772392858405f8080", "type": "query", - "version": 11 + "version": 12 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", @@ -5208,9 +5694,9 @@ }, "71bccb61-e19b-452f-b104-79a60e546a95": { "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "9c1640b304d2ecfd067fc5ff92db9997add131c76536014281faa3cc13b006d6", + "sha256": "bbb12bcf2f2c3b1e816baf547bd7920207f4a6ae79dd4a5727dec5c58d7c3592", "type": "eql", - "version": 322 + "version": 323 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "rule_name": "Suspicious RDP ActiveX Client Loaded", 
@@ -5226,9 +5712,9 @@ }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", - "sha256": "5d923d4e7fb3435940f026006987d38713abe2c862ab948e240a293b47aefe1d", + "sha256": "0d241c897dd9c807d936d644c16d714e96efa6b0d3a0742664dc6a58b71cc197", "type": "eql", - "version": 8 + "version": 9 }, "720fc1aa-e195-4a1d-81d8-04edfe5313ed": { "rule_name": "Elastic Security External Alerts", @@ -5238,9 +5724,9 @@ }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Deprecated - M365 Security Compliance Potential Ransomware Activity", - "sha256": "cc254cfd97add19cf373a8fb6f915f1e9746797c89584d302c5e4c48502f660e", + "sha256": "d6f4b7bdab6bfe9124312ba384a8f64ac35e481f8ee848ed5a0e9ed15340afb2", "type": "query", - "version": 214 + "version": 215 }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", @@ -5256,15 +5742,15 @@ }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "96c5f06a85108502969730ea53ed051f25f21b9a73a1bcd3f030770ceb560239", + "sha256": "f4492ee7450c2a4666b4a18506e59ba9cb9d94cc04f8edbcd923c1dfd1580dd5", "type": "query", - "version": 414 + "version": 415 }, "72c91fc0-4ac0-11f0-811f-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Non-Managed Device", - "sha256": "8026621e50d1b1c883adbac1eae5cc2bf09526a2c68ff5162edbc435265b3295", + "sha256": "1813453768a993697cc1479da5b1308872b3f2f780e62c10476e0809dca043f7", "type": "new_terms", - "version": 2 + "version": 3 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", 
@@ -5286,9 +5772,9 @@ }, "730ed57d-ae0f-444f-af50-78708b57edd5": { "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "7b56383593ef478eb655aeceb6ff30c991700bd03f1baf060fa76ed4d2b1e0c9", + "sha256": "7b0bda996ce883ad0b2b8d8b3527cd5ff9fb45fe1dcb8bdd7d64d475cf9103ca", "type": "eql", - "version": 208 + "version": 209 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", @@ -5298,9 +5784,9 @@ }, "73344d2d-9cfb-4daf-b3c5-1d40a8182b86": { "rule_name": "AWS API Activity from Uncommon S3 Client by Rare User", - "sha256": "eb6467c4887ce850c39eb5ee43cd7b05e0b921d03454f0ecc5108a7b8bad916b", + "sha256": "4613606a794054e2bcc448e1d406d42931e2fe1c4b16baf16da9c7202686428f", "type": "new_terms", - "version": 2 + "version": 3 }, "734239fe-eda8-48c0-bca8-9e3dafd81a88": { "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent", @@ -5323,9 +5809,9 @@ }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "3a1f9137b0ac5c869b1a85c1f9cf33b9842c078786d4f226f86133349f0dea88", + "sha256": "21a540abdca1fa56360f1f68e121ab1cc3feebfc055b9922cca7e2f49bfca3b0", "type": "eql", - "version": 216 + "version": 217 }, "74147312-ba03-4bea-91d1-040d54c1e8c3": { "rule_name": "Microsoft Sentinel External Alerts", 
@@ -5340,16 +5826,42 @@ "version": 211 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Hour for a User to Logon", + "sha256": "cad0a70827a88e131e905da0a07e883407cc68f8408f036139f4501e8e78b192", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Hour for a User to Logon", - "sha256": "cad0a70827a88e131e905da0a07e883407cc68f8408f036139f4501e8e78b192", + "sha256": "ac721977de331da992d8c388a41ca573de3fa2661d93b6d29a41a90a9bc1d896", "type": "machine_learning", - "version": 107 + "version": 207 }, "746edc4c-c54c-49c6-97a1-651223819448": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Unusual DNS Activity", + "sha256": "e1aabfdf1dee210cd9bc10313dc7768d22ebcda60d7349abe52426f526903db3", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual DNS Activity", - "sha256": "e1aabfdf1dee210cd9bc10313dc7768d22ebcda60d7349abe52426f526903db3", + "sha256": "25d810e576a232cff1b05e8e1cafc5777193188de0f8be7a9f076a6512e89705", "type": "machine_learning", - "version": 108 + "version": 208 + }, + "74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61": { + "rule_name": "Long Base64 Encoded Command via Scripting Interpreter", + "sha256": "dd5b413bc795678ac76282ad2b90729974c94632a7d245e19db1783c66b64d64", + "type": "esql", + "version": 1 }, "74e5241e-c1a1-4e70-844e-84ee3d73eb7d": { "min_stack_version": "9.3", 
@@ -5380,21 +5892,31 @@ "8.19": { "max_allowable_version": 106, "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "a2eea8c5634898435947b89e23f5f99b3be7c34925f6dfc0282bab9e4a8ada0a", + "sha256": "4375163beda09c681b27072b3aa5bdaa3555208e17922ecad6fda6c91a4f2bca", "type": "esql", - "version": 7 + "version": 8 } }, "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "a3283b48b422c13eab4c7c55de6772ff15c97402cb9b476d130c24cbedad5262", + "sha256": "65a454cc1fce718ec3654010e949dc303832981c0e2ff2728d17fee2c0760e21", "type": "esql", - "version": 107 + "version": 108 }, "751b0329-7295-4682-b9c7-4473b99add69": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 104, + "rule_name": "Spike in Group Management Events", + "sha256": "46dbe1f415014fc4ff087fd37f1d098ed96134081a662bb61724fb2e6c4e779c", + "type": "machine_learning", + "version": 5 + } + }, "rule_name": "Spike in Group Management Events", - "sha256": "46dbe1f415014fc4ff087fd37f1d098ed96134081a662bb61724fb2e6c4e779c", + "sha256": "6111ce5b8cc57029859f4d7d1f13628833682f103a77863112e446c6c0cc6f3e", "type": "machine_learning", - "version": 5 + "version": 105 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", @@ -5404,9 +5926,9 @@ }, "75c53838-5dcd-11f0-829c-f661ea17fbcd": { "rule_name": "Azure Key Vault Unusual Secret Key Usage", - "sha256": "efd873fb048032b0a290a3986f5614b57744f6cceace4616d5fc25427abfcac1", + "sha256": "697c251dced5fdee5d4b9057aa2f791ab784595cc2b812fc403b7fe96b202bb8", "type": "new_terms", - "version": 3 + "version": 4 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "rule_name": "Service Disabled via Registry Modification", 
@@ -5428,9 +5950,9 @@ }, "764c8437-a581-4537-8060-1fdb0e92c92d": { "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "fad10679c3e41ef62b3464b9a30fea4414b61d69f36e2952798e696aeadbdf0c", + "sha256": "3873bd6f2cb62ec83ea96f063ed37b195de67943416ef7620e3e8fc66c8a5cf5", "type": "query", - "version": 209 + "version": 210 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "rule_name": "Access to a Sensitive LDAP Attribute", @@ -5451,11 +5973,20 @@ "version": 211 }, "76de17b9-af25-49a0-9378-02888b6bb3a2": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 101, + "rule_name": "Unusual Country for an Azure Activity Logs Event", + "sha256": "5e21adc950dc411f6f016793cc3e07955a770c3440428d18b0d8632c142e8c6e", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual Country for an Azure Activity Logs Event", - "sha256": "5e21adc950dc411f6f016793cc3e07955a770c3440428d18b0d8632c142e8c6e", + "sha256": "daad53aa4c99d2d19175b91467d915c42a7f126b889c1a81734f3a78d05f6575", "type": "machine_learning", - "version": 2 + "version": 102 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "rule_name": "Potential Reverse Shell via Suspicious Child Process", 
@@ -5465,27 +5996,27 @@ }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "903a0a9edd3425864b0a664abd4ee2570f7f877710cd853053f0cb2117135aea", + "sha256": "01ae46d4f651856933ca7c8347ea064170f254722c3796b0dff3566bcd3e9e8c", "type": "eql", - "version": 420 + "version": 421 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "c3cbbc077d9c9f8ede69f2ebf176e93f5a2b8bbcbe05300b799a309f9bf48e5b", + "sha256": "e7afbb0e90528f88d44454c50d04d54ff59ec58fbb9155051deb7b8b84663f67", "type": "eql", - "version": 319 + "version": 320 }, "77122db4-5876-4127-b91b-6c179eb21f88": { "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", - "sha256": "db9af522c30e7e110cc3ea5941e3c91f8dbff26edf880489cc22abbeeddfbd0d", + "sha256": "ae6219be9490a0e14de2854af8b1c2505259fef2476f7d732cf9e98b665cc43f", "type": "esql", - "version": 10 + "version": 11 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "Entra ID User Added as Registered Application Owner", - "sha256": "79f713f7a834c738d2dd71fe53d1981174adb26d8a0a42cf1759c96b5e6cc8d9", + "sha256": "c60444bf7db1c5dbe2aaa41078d472a6d0f4989088577b2fd9de8fd099b0171d", "type": "query", - "version": 108 + "version": 109 }, "7787362c-90ff-4b1a-b313-8808b1020e64": { "rule_name": "UID Elevation from Previously Unknown Executable", 
@@ -5513,21 +6044,21 @@ }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", - "sha256": "ece5f99761b6328f961df02985e273822861903477c8ba2e44859385751ded66", + "sha256": "89f593e9c2cc1086cf274ad161b75d49ea5f24797707c2ace2f1890b733afdb5", "type": "query", - "version": 209 + "version": 210 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "rule_name": "Entra ID Privileged Identity Management (PIM) Role Modified", - "sha256": "85dae539ab2ab3efc92c218e57a9f84ff579284a29bd60b4e06006c5f35ae2b9", + "sha256": "17c1e3c3e1f2363cca5097d1febb1c1fdfe1dbe7ec5c36f72b89312dc365a544", "type": "query", - "version": 110 + "version": 111 }, "78c6559d-47a7-4f30-91fe-7e2e983206c2": { "rule_name": "Unusual Kubernetes Sensitive Workload Modification", - "sha256": "115f836378563ac6d2f1ec97ef92aa0549b2c5418b90645692afcceaa8d7c6ce", + "sha256": "476c9475efcc39f0bfcb65ff6f40dba940e50eb387e43d16645a8701bb24bc15", "type": "new_terms", - "version": 2 + "version": 3 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", @@ -5537,9 +6068,9 @@ }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "a4c7071dd1e4bf182761113041b2da283e2488b49b19fb92ce4696e9530c9c89", + "sha256": "75b51a3ef1302cdcab08d871e051a793a10903dff63584fbca09305e9a61993d", "type": "eql", - "version": 313 + "version": 314 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", @@ -5561,12 +6092,12 @@ }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", - "sha256": "41bc835f319544568d5ba56f381b1ca5ddb7d18c27cf8763618f6ad915b69cb7", + "sha256": "560c80b54abbb9cafeb5763facbe1bfc1170340cdba87d2d26f437a953ebba55", "type": "new_terms", - "version": 108 + "version": 109 }, "79543b00-28a5-4461-81ac-644c4dc4012f": { - "min_stack_version": "9.1", + "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 103, 
@@ -5581,12 +6112,19 @@ "sha256": "2e5fd5f8a4d3f408aa6fdaa1bd1f128bf6f322f9d431cf50b35d478658849263", "type": "eql", "version": 104 + }, + "9.1": { + "max_allowable_version": 305, + "rule_name": "Execution of a Downloaded Windows Script", + "sha256": "19f752a00fc030143b709c78f2366eede110a300af7bee98114e298c9bf5c22c", + "type": "eql", + "version": 206 } }, "rule_name": "Execution of a Downloaded Windows Script", "sha256": "19f752a00fc030143b709c78f2366eede110a300af7bee98114e298c9bf5c22c", "type": "eql", - "version": 206 + "version": 306 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { "rule_name": "SSL Certificate Deletion", @@ -5608,9 +6146,9 @@ }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "rule_name": "Potential File Transfer via Certreq", - "sha256": "1b443a5458a487078f9004f980c7c23accc89492275a498020941dcfbcf25f8f", + "sha256": "187a0d7e3c56dc3eff8e71a5765b3c8fe286478ffdb02c179a2c13b110e7887e", "type": "eql", - "version": 215 + "version": 216 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "rule_name": "Potential Shadow Credentials added to AD Object", @@ -5626,9 +6164,9 @@ }, "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": { "rule_name": "AWS First Occurrence of STS GetFederationToken Request by User", - "sha256": "7f73b59426def61220e9575ea798d2e13c5f8042e708adb4930dcac5af33f0a6", + "sha256": "e68fa16e0202bd0bc07a1d9c59cc6181f3add4f34d17e2e78a88be517363d37f", "type": "new_terms", - "version": 6 + "version": 7 }, "7ab5b02c-0026-4c71-b523-dd1e97e15477": { "rule_name": "M365 AIR Investigation Signal", @@ -5692,9 +6230,9 @@ }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "rule_name": "Google Workspace Bitlocker Setting Disabled", - "sha256": "27e73369b79facdf452a2eeb38cd0a58ef0d040289eab840a04e14002f4b03b6", + "sha256": "ae791bdb776e660c7036a0cd0a7a5d8657ddacbac0fa524b8c3f09de72e8443b", "type": "query", - "version": 110 + "version": 111 }, "7ce5e1c7-6a49-45e6-a101-0720d185667f": { "rule_name": "Git Hook Child Process", 
@@ -5704,9 +6242,9 @@ }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", - "sha256": "986520c08328530d000cba6aeabd461662a6aab489f6a5175dcc2962d1ebe543", + "sha256": "79fdf63a5b07ec050f2e4bccf65b9edcd7fa0acde10d5690ad4573db1c639f17", "type": "query", - "version": 108 + "version": 109 }, "7d02c440-52a8-4854-ad3f-71af7fbb4fc6": { "rule_name": "Alerts From Multiple Integrations by Source Address", @@ -5716,9 +6254,9 @@ }, "7d091a76-0737-11ef-8469-f661ea17fbcc": { "rule_name": "AWS Lambda Layer Added to Existing Function", - "sha256": "2b6cdcd231748c61f53feb9963e71c2ea8b5408fbb62f12921966de5391b23a8", + "sha256": "98b713e30dc1a5a360825e71125517e2765b46a0ac94fb83c2b75e0695d261c7", "type": "query", - "version": 8 + "version": 9 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", @@ -5728,15 +6266,15 @@ }, "7dc45430-7407-4790-b89e-c857c3f6bf23": { "rule_name": "Potential Execution via FileFix Phishing Attack", - "sha256": "7552c27d9839591151b20b2777a97138d46a546f73a79af040d8763c0dabe036", + "sha256": "b0942940cb83f01e92f2566f95c101e49dd424f3a7121f93f6fc4199d90c588d", "type": "eql", - "version": 2 + "version": 3 }, "7dc921db-4cd3-48ef-88bf-2bfa91f29f5c": { "rule_name": "Entra ID Custom Domain Added or Verified", - "sha256": "dd26cd3faf49a87dbdbae5742f5eea1de370b89f32551d8795c9b5175b405cde", + "sha256": "62e7543d4496ac6e879f5717d0348eb2a77d4585482a48073792c0f094f57367", "type": "query", - "version": 1 + "version": 2 }, "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { "rule_name": "SSH Key Generated via ssh-keygen", 
@@ -5752,21 +6290,21 @@ }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "ce3eab09aed04f923be31c2e962c4f6b205d223e8c70a7fa93f99f55e8cccd73", + "sha256": "fb1813b23c990778e2113f705cadaae578db421390da4bcb1e9be01eb81d56ab", "type": "eql", - "version": 314 + "version": 315 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", - "sha256": "f568ead2710b37deeb2320ef4fc6ea487c4490d7ddb3b1b30f2a50461fbabeb5", + "sha256": "ae3b0d26f8de970a947ef4c78b0874079e3c6f378ae0c0b7722248f3a8cf4835", "type": "eql", - "version": 3 + "version": 4 }, "7eb54028-ca72-4eb7-8185-b6864572347db": { "rule_name": "System File Ownership Change", - "sha256": "cd283fa0bc6b54331bf4d6de31672ac996500854d552589e0fb3d87ee53718d7", + "sha256": "7cfddf05ed43916407c837cb2467df1102044e05c4082006fc9a581488a2407f", "type": "eql", - "version": 2 + "version": 3 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "rule_name": "Security File Access via Common Utilities", @@ -5776,9 +6314,9 @@ }, "7f3521dd-fb80-4548-a7eb-8db37b898dc2": { "rule_name": "Potential Notepad Markdown RCE Exploitation", - "sha256": "ff0ce0b917f4d95e3ba214a663661594a129575d10f91c29992c7832c41b60a9", + "sha256": "cc73b75d6cfcb37cd8e753f3fd5b547f4507ecfb610651a20433dac419ada718", "type": "eql", - "version": 3 + "version": 4 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", @@ -5788,9 +6326,9 @@ }, "7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b": { "rule_name": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation", - "sha256": "313125e03d372aba438ca517f9c4a42fecac7a75eac9373fec72e311942d809a", + "sha256": "d4e00709ce02e8ab4a968317d474a4f37a488131688236d120d31edc1e5b09ad", "type": "eql", - "version": 2 + "version": 3 }, "7f65f984-5642-4291-a0a0-2bbefce4c617": { "rule_name": "Python Path File (pth) Creation", 
@@ -5818,15 +6356,15 @@ }, "7fc95782-4bd1-11f0-9838-f661ea17fbcd": { "rule_name": "M365 Exchange Mailbox Items Accessed Excessively", - "sha256": "6fae3da0bf4143abd7787088664f1e758001bec8447d74fb799b599fcebbbd32", + "sha256": "5712eee0f955297e794d9c01a9e2b82c4704a5f852b2a23492292651861f45ff", "type": "query", - "version": 3 + "version": 4 }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", - "sha256": "40911f3a840c98fc17c16032d0a9b113cba2c4a99423d28a52a4f70d868bb110", + "sha256": "fc200a3dd1eacf187d77b981115f644d11a90ee47affcd553b303b26d9b02e9c", "type": "eql", - "version": 11 + "version": 12 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", @@ -5848,9 +6386,9 @@ }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "AWS SSM Session Started to EC2 Instance", - "sha256": "7021d0a49f1f181d98e8c95a1f7b133889bb579c31106b36cec007663429cb20", + "sha256": "9ee1ebd6c05bbcb790468a9e8e11271e207a5620aa553dae437bbcb645fceeb7", "type": "new_terms", - "version": 5 + "version": 6 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", @@ -5871,10 +6409,20 @@ "version": 105 }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "Unusual Remote File Extension", + "sha256": "33a6b5894bf572fe38a6958bae8ae131abc5dc3bbc817b80fd113e9e3864b0ff", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "Unusual Remote File Extension", - "sha256": "33a6b5894bf572fe38a6958bae8ae131abc5dc3bbc817b80fd113e9e3864b0ff", + "sha256": "6abbaa944d0c5d273806bc58f6c8e79ceb52c0924dd195ee94aee3930230f16d", "type": "machine_learning", - "version": 9 + "version": 109 }, "8154d01d-04d1-4695-bcbb-95a1bb606355": { "rule_name": "Gatekeeper Override and Execution", 
@@ -5889,17 +6437,26 @@ "version": 5 }, "81892f44-4946-4b27-95d3-1d8929b114a7": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 101, + "rule_name": "Unusual Azure Activity Logs Event for a User", + "sha256": "7c5faa919e74876e3f34492417b53d9f00eda55ae6d361c298363b9a310af609", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual Azure Activity Logs Event for a User", - "sha256": "7c5faa919e74876e3f34492417b53d9f00eda55ae6d361c298363b9a310af609", + "sha256": "0c6c500f67d15e6e004f30895284446912eed2946c7433eb1b2e43ac9cb1368d", "type": "machine_learning", - "version": 2 + "version": 102 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "411db9f26f4878e2033a9601ec260076e0ae315d11b48c8c388f3452cc55d9d8", + "sha256": "68ec1c5409871ffee3ab9e22a3efdbb509d98c1c566eec7d583ef51204ee534b", "type": "eql", - "version": 315 + "version": 316 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", 
@@ -5945,21 +6502,21 @@ }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "152b7876dd4317ea25bc84006aecaedf71528a0c13aa89171dbaee06e249ac49", + "sha256": "b8ef5115c9f54595fadd3f284a8b6ea0864837f5fb5bcd3d997bc801d7cb7fb6", "type": "esql", - "version": 12 + "version": 13 }, "8383a8d0-008b-47a5-94e5-496629dc3590": { "rule_name": "Web Server Discovery or Fuzzing Activity", - "sha256": "8787d0cb27f370bbd955f6698debb537d8d9fd461b6ad06b70e5069711975bdd", + "sha256": "a499f4a8ea232b85a55016c81a941b0cb43d922a742cb338e8788ace8506a2bb", "type": "esql", - "version": 3 + "version": 4 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted", - "sha256": "1807ed4b420937b5ad8f9500fd49c97726830c9013d83872b86052b660f36a42", + "sha256": "886e69fd58d0b30bee105947d384e6ea7ca847b28e272a7a462e23162be0cbb7", "type": "query", - "version": 107 + "version": 108 }, "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { "rule_name": "Linux Restricted Shell Breakout via the mysql command", @@ -5969,9 +6526,9 @@ }, "83bf249e-4348-47ba-9741-1202a09556ad": { "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "75bb8f9f31be1e9fd9403b85fb9ce838cae0777b298ceac489a7df0b3d413e08", + "sha256": "6bc2edca28882f897a4e573a672f41b4a793b0dc029c402bd4ddc73b80171e9c", "type": "eql", - "version": 212 + "version": 213 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "rule_name": "Attempt to Disable IPTables or Firewall", 
@@ -5981,9 +6538,9 @@ }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { "rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role", - "sha256": "9c2b941e2e5930d93bbcee2beff72193ee97b4f901640925d42841c6e3868d87", + "sha256": "4ba4a6143b3e9c0796753566012abd8ce4d00f6dc4a07026f37ecdae32914447", "type": "new_terms", - "version": 8 + "version": 9 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "rule_name": "Deprecated - Microsoft Exchange Transport Agent Install Script", @@ -6005,9 +6562,9 @@ }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "8624f4e60af1f160aa68e3c6b11686acf57681f4864862952925ef57000708d8", + "sha256": "a2fb338be09ab3380f8af87ac7ed2ffe9b6cefaf284290b3b8f8395f89946705", "type": "eql", - "version": 217 + "version": 218 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "rule_name": "Potential Remote Credential Access via Registry", @@ -6036,15 +6593,15 @@ }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "rule_name": "Potential Subnet Scanning Activity from Compromised Host", - "sha256": "eb7966947b224f71bc5820c2ccdc7483d0ce47586bfb72edca96f14f0a673e78", + "sha256": "186a06a03ae74eeb1b06bd9159f47a0821849d708c51ab72a89944535039494a", "type": "esql", - "version": 10 + "version": 11 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "eb62471735cfd4bfb2cd002ade4f573a5b9115a04dd55af928694604808f56bc", + "sha256": "941cacbf7dfc86fc7816d9a2c8584951737f2b4dcf09ad1841befdc1cfa1ffe5", "type": "query", - "version": 211 + "version": 212 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "rule_name": "Deprecated - AWS RDS Security Group Deletion", 
@@ -6054,9 +6611,9 @@ }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "rule_name": "AWS IAM Group Deletion", - "sha256": "9241124c7f4220175aa98fd31ad23ff6eb875c3ff08d333a6c3c7f80a0346066", + "sha256": "3abaf9bcf2904f994396d8543bd3aaeef43a2e98d31e9eefa381b426864ee55a", "type": "query", - "version": 211 + "version": 212 }, "86aa8579-1526-4dff-97cd-3635eb0e0545": { "rule_name": "NetworkManager Dispatcher Script Creation", @@ -6078,21 +6635,21 @@ }, "871ea072-1b71-4def-b016-6278b505138d": { "rule_name": "Enumeration of Administrator Accounts", - "sha256": "16a09969e21612a30a1b6a5e8210ee37ea2c34d611997845e31c136980d6de63", + "sha256": "995b9d93f6f7ad1ddab3b2571cafe49df81da43d72ec4b4c13ec151139aa85ed", "type": "eql", - "version": 218 + "version": 219 }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", - "sha256": "d6f873969ac639bb9e587b0eaa85dc91eddd15cab10aa8065314db4ae93a4698", + "sha256": "e339c78401a6804c63a87a211a0a0487e1e57f189247c6bf1d912d29cfc286d6", "type": "query", - "version": 8 + "version": 9 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "5b16d753e92cc7f4be569cf16c1873cf3dec458ae0e39312cf5031d8a2812c30", + "sha256": "5f457fe98b665b8a9e62cc644d1ab36295835009aa64a66b3ba48a3a15c0e423", "type": "query", - "version": 212 + "version": 213 }, "877cc04a-3320-411d-bbe9-53266fa5e107": { "min_stack_version": "9.3", @@ -6124,9 +6681,9 @@ }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "M365 Identity Global Administrator Role Assigned", - "sha256": "7a08a69d94282ffb1752687208e33c672537ee52044eaebec4f2a3f7b0ca5af4", + "sha256": "826d91fd08a94cba97478f637b721a622927885f74aa5e12a9c39555ba33dc67", "type": "query", - "version": 214 + "version": 215 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", 
@@ -6166,9 +6723,9 @@ }, "896a0a38-eaa0-42e9-be35-dfcc3e3e90ae": { "rule_name": "FortiGate Overly Permissive Firewall Policy Created", - "sha256": "dce4787b06484f9e268d774d7f7f6199d15c9024ebf21b96d01d29eda07c2b61", + "sha256": "d1d718262a55ce4eb2f3109b52008bb31b4730548cc74c0bb2f88c2066874849", "type": "eql", - "version": 1 + "version": 2 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "rule_name": "Kerberos Traffic from Unusual Process", @@ -6196,9 +6753,9 @@ }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "9bfe18606c0387f329727b706c76b385f09efeb34a8a6009b0590757d8759506", + "sha256": "bfbc2e038be0e058b013edc804ae3cbf9358bf4e7a5e60ec7708fd9335b00208", "type": "eql", - "version": 212 + "version": 213 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { "rule_name": "GitHub PAT Access Revoked", 
@@ -6220,27 +6777,27 @@ }, "8a1db198-da6f-4500-b985-7fe2457300af": { "rule_name": "Kubernetes Unusual Decision by User Agent", - "sha256": "26e95d71a6ccc8bd7c4b84c6b01b1f8a5690190cce2e844d04b5709d0ec54a0f", + "sha256": "87463c0ee2b94b85ef1a97b095d7804388e7ec85b856a29cf58045acff6110ef", "type": "new_terms", - "version": 5 + "version": 6 }, "8a556117-3f05-430e-b2eb-7df0100b4e3b": { "rule_name": "FortiGate Administrator Login from Multiple IP Addresses", - "sha256": "8a440ac513665ee94c1d34a0b512de1f6e575d5edf5661d50035fb6a66156621", + "sha256": "9dcb51c768e95cbd73655d85347ee0163b46f11470f3d673caf5994a6cf16314", "type": "esql", - "version": 2 + "version": 3 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "1fd50152519656e2f81672b43d60101562d7d075eeeb952663e16a2ce248a807", + "sha256": "9af183f0898497548e96c09ddfe9a51ebc3e65db6be58b64891ede967f7a09ff", "type": "query", - "version": 414 + "version": 415 }, "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { "rule_name": "Unusual Command Execution from Web Server Parent", - "sha256": "b3ea46a26a077fea90252c502566b8938f20bf14cbd218600f2c4580933deecc", + "sha256": "fae45c38eb0708dc0f2096880ab919cd46343fd1c1823720cae26d411279bb76", "type": "esql", - "version": 10 + "version": 11 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -6256,51 +6813,51 @@ }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "795dc8b265d22118111f0d5222bd9a7cd27f3afa85be0ed6cf1a82ebeeeff7b5", - "type": "eql", - "version": 313 - }, - "8b4d6c3a-2e9f-4b7c-9a5d-6f8e3c1b4d2a": { - "rule_name": "Azure Storage Account Keys Accessed by Privileged User", - "sha256": "13c93c67dce22b5c520c5d03a138357b9213cf966ca3d2a2406a76eeef54ce99", - "type": "new_terms", - "version": 1 - }, - "8b4f0816-6a65-4630-86a6-c21c179c0d09": { - "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "99dc7a9c6876fec4e4060cdbcf28d7130c3565fea6a90dd59ca66e76b6b32c09", + "sha256": "20b91f19ec776d6f1179f96ae9d46395ac61e4b7b3be5fc2d317092da66d08ae", "type": "eql", "version": 314 }, + "8b4d6c3a-2e9f-4b7c-9a5d-6f8e3c1b4d2a": { + "rule_name": "Azure Storage Account Keys Accessed by Privileged User", + "sha256": "ef60832a362b19da1ecb80f507f7097c504c401b7bfae720da603f222f294c0f", + "type": "new_terms", + "version": 2 + }, + "8b4f0816-6a65-4630-86a6-c21c179c0d09": { + "rule_name": "Enable Host Network Discovery via Netsh", + "sha256": "43e6b39859e36dc5181e71b0ca64e8e776726b6ad501c173e0c42bdb9e9d47df", + "type": "eql", + "version": 315 + }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Events Deleted", - "sha256": "ad9d0b9037da823dfd02a3e6628966718fc5f862afa0639e15b32821fa763abd", + "sha256": "8e4798edae7eb2301c9219ac5243fe24e10cd947652efff3d972e522037a0d38", "type": "query", - "version": 108 + "version": 109 }, "8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": { "rule_name": "Several Failed Protected Branch Force Pushes by User", - "sha256": "d4cbe77b91140ce9ceba3b2895682426f7950773eabb61ae8972fef8ed09df0f", + "sha256": "161df6cf4be2d2363710a4fe6c657d1b60e3e64c8b7438588f60e9f60d3528b5", "type": "esql", - "version": 3 + "version": 4 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the 
Internet", - "sha256": "17e34f9cd4b5886eb1615c875f70160a8bf80caa21d966f5a15dc8399087c7c6", + "sha256": "fd45ed32eef68eefb81f13d7cd4cdc4e12b2ca264c48297ba6efd89e13779907", "type": "query", - "version": 108 + "version": 109 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", - "sha256": "3999c76431ca92c9063d85b4f0354a9cc2237cdf19ecfcce86514ee863069f6e", + "sha256": "115d29537b2bf7faefb1fac91860d7d62bba80d66b4344f46aadb922bd980abd", "type": "eql", - "version": 318 + "version": 319 }, "8c707e4c-bd20-4ff4-bda5-4dc3b34ce298": { "rule_name": "GitHub Private Repository Turned Public", - "sha256": "42654e6c2452af15d18ae7b1e5c546972385081b427c52884bb51dd9bd60cd0f", + "sha256": "991c4ac5ed8d79ec82589e11ec67a2d11efbc523875013051b96457b55be274a", "type": "eql", - "version": 1 + "version": 2 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", @@ -6315,10 +6872,20 @@ "version": 2 }, "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Host Name for Okta Privileged Operations Detected", + "sha256": "8d6b03d8b977dac1e4f97975d2503c23388923c451ba2f613c2166c4691efcc8", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Host Name for Okta Privileged Operations Detected", - "sha256": "8d6b03d8b977dac1e4f97975d2503c23388923c451ba2f613c2166c4691efcc8", + "sha256": "b1badadb630b67c0ce5e1097220bb27225d8f7c5aeafd602875395912a5854c2", "type": "machine_learning", - "version": 4 + "version": 104 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", 
@@ -6340,9 +6907,9 @@ }, "8cd49fbc-a35a-4418-8688-133cc3a1e548": { "rule_name": "Proxy Execution via Windows OpenSSH", - "sha256": "b2cbea79be7cb1bdd6745a9aa091c6bab2f473f2dbbb56db20f761cb3b44584d", + "sha256": "161c7eed6e8ad23b0acbb5070135e31fe0572e89abebd989d5ea57f5f01044a4", "type": "eql", - "version": 1 + "version": 2 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", @@ -6368,15 +6935,15 @@ }, "8d4d0a23-19d3-4186-a6f1-6f0760d2e070": { "rule_name": "Multiple External EDR Alerts by Host", - "sha256": "f7b9e9fbe3d9cfbfb3793b59abf31a5bfa623b9ab49b9c176023b6db3ad28892", + "sha256": "0077b937511f5a727b0060764ebfa1f4678ad32427c76b8c1660dccfc912a23f", "type": "esql", - "version": 3 + "version": 4 }, "8d696bd0-5756-11f0-8e3b-f661ea17fbcd": { "rule_name": "Entra ID OAuth ROPC Grant Login Detected", - "sha256": "ff32f3850f01753a8c4ff52837e697b8cb64952b67c697ee24ad7ea76acf4860", + "sha256": "7c732e1ccfa76a9e4b864a9a5cc905c699b322c8fd19066eb9ae614ad50d1e82", "type": "new_terms", - "version": 3 + "version": 4 }, "8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6": { "rule_name": "Potential Data Exfiltration Through Wget", @@ -6386,9 +6953,9 @@ }, "8d9c4128-372a-11f0-9d8f-f661ea17fbcd": { "rule_name": "Entra ID Elevated Access to User Access Administrator", - "sha256": "9319f317c948573adfc9710297958adf4d3497eca03a73b3c687f0080c47bf77", + "sha256": "83c4b5a6c2d976377276bf4663925ff8f4c92cb2bd44e8d4ff715af6e89ca335", "type": "new_terms", - "version": 4 + "version": 5 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "rule_name": "Potential Privilege Escalation via PKEXEC", 
@@ -6398,15 +6965,15 @@ }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", - "sha256": "1d8de54598b389563a10a4a6650cef088cf18c737a20de371fc82727a9ec432f", + "sha256": "4310e0e0dd6ef5d366aac17c4b8233b9ed3a2a2603d418aeb156e14b7ca3bc2d", "type": "query", - "version": 107 + "version": 108 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "b34944c55acd8e8a9c5b99ca8febdb20912e263159ba8462274a230690882f4e", + "sha256": "8de5d7598c49e7ede9c1872b705f1f807ca20b88f45edf7ddbe27f571f78ce7b", "type": "eql", - "version": 211 + "version": 212 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", @@ -6428,9 +6995,9 @@ }, "8eeeda11-dca6-4c3e-910f-7089db412d1c": { "rule_name": "File Transfer Utility Launched from Unusual Parent", - "sha256": "35d4cf378e1864f4bec4f0fb2fa48977ca5e60207aeb39827e0625a6c1473cea", + "sha256": "86d4b8bff899870c31beb92eb469bb066b050c2d60b96d1ea4f924b46e27b5c1", "type": "esql", - "version": 10 + "version": 11 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", @@ -6440,9 +7007,9 @@ }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "90bfca890a90f146165106b1404b8a6885c1a3564652b5582fa49eba3b3ea4a9", + "sha256": "98bfdfffa8b7eb1d9c4ba3130777dade2c4f0998256aed659a1f8988095f51b7", "type": "eql", - "version": 111 + "version": 112 }, "8f8004e1-0783-485f-a3da-aca4362f74a7": { "rule_name": "Linux User or Group Deletion", 
@@ -6458,9 +7025,9 @@ }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", - "sha256": "d28cb031d8ed5b38960fed5ee753e8fcc442cf190199f12d1d7b4e3d117d8de1", + "sha256": "76199312383db1b95ac2268eaada459efb3d102690231973671f8a2c499dfde3", "type": "query", - "version": 107 + "version": 108 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", @@ -6482,9 +7049,9 @@ }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS RDS DB Instance or Cluster Deleted", - "sha256": "3602d27de89394c54e88e9f9e61c85c7fe63a2035148ba390a4631590844b731", + "sha256": "01f5c53e0534cf3e8f1dbc49a95dffba600a0a04c5417d52cf36cd471cf5a624", "type": "query", - "version": 211 + "version": 212 }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { "rule_name": "Simple HTTP Web Server Creation", @@ -6500,9 +7067,9 @@ }, "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": { "rule_name": "Excessive AWS S3 Object Encryption with SSE-C", - "sha256": "256a589cab0178165256a49917ed4905f485c3158a20f6bb14c3df1d0cf997e7", + "sha256": "04c5ec27d3a9b03f4132d923b9bcf00154388d2360fe8789359516fccfc3187d", "type": "threshold", - "version": 5 + "version": 6 }, "90babaa8-5216-4568-992d-d4a01a105d98": { "rule_name": "InstallUtil Activity", @@ -6519,9 +7086,9 @@ "90e4ceab-79a5-4f8e-879b-513cac7fcad9": { "min_stack_version": "9.2", "rule_name": "Web Server Local File Inclusion Activity", - "sha256": "a9dbdf2d7d10d4b7b1a9a7cffe83e0df5431c2b815f192a0f94750464cc77708", + "sha256": "a77f8dd88a7a2f66a98b2c3300345871d32db3ec9348ef9a19395e98294d62a3", "type": "esql", - "version": 3 + "version": 4 }, "90e5976d-ed8c-489a-a293-bfc57ff8ba89": { "rule_name": "Linux System Information Discovery via Getconf", 
@@ -6531,39 +7098,69 @@ }, "90efea04-5675-11f0-8f80-f661ea17fbcd": { "rule_name": "Entra ID Unusual Cloud Device Registration", - "sha256": "2a5315299c90071c76c62049a8a83d055add0945a353fa6b2fcedf11b74abfbe", + "sha256": "ef5f1f198548e65c9ed5cb95c3b011532c0de3d57edca67c59a6007529e93b0c", "type": "eql", - "version": 4 + "version": 5 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "15b85ca67f6aed22967d5fccd07283f873fcf31bdf97fe927995ea261e8db35d", + "sha256": "b710a75749f1c2ca395821015bbfa00e3870d75a89785e4506f4029b9d54445c", "type": "query", - "version": 108 + "version": 109 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "61c06b3226a56a2419db79c875557cc018c1da926b89cbbf2e8d3962167808ad", + "sha256": "b772aae4fecd07fc3fda61945a74f84d5f31d5e5371a490c75a2c1f5e39b21d9", "type": "query", - "version": 211 + "version": 212 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Web User Agent", + "sha256": "ac0052e2c70450d918b677a7f8f2d3408af1b451b1788e4f8c86581933e2603e", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Web User Agent", - "sha256": "ac0052e2c70450d918b677a7f8f2d3408af1b451b1788e4f8c86581933e2603e", + "sha256": "cfcad42e56eaf65d1ad977504ea2a1122b7bec964cd4aa3c09f5aaa0983e206a", "type": "machine_learning", - "version": 107 + "version": 207 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Unusual Web Request", + "sha256": "c2a5dcf47a109617f2ae0c83a92116a8d4b1a8335b84b9c65d58ab3333ed2ea0", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Web Request", - "sha256": "c2a5dcf47a109617f2ae0c83a92116a8d4b1a8335b84b9c65d58ab3333ed2ea0", + "sha256": 
"6674d243b24f7dbdaa41751d1c4dc3244e6757de2c25baff5ebbd5d32e1422d5", "type": "machine_learning", - "version": 108 + "version": 208 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "DNS Tunneling", + "sha256": "f497eccc9233e8257ed6e93ccb53e711b11690bb288e1e79e9d3562fb7773c14", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "DNS Tunneling", - "sha256": "f497eccc9233e8257ed6e93ccb53e711b11690bb288e1e79e9d3562fb7773c14", + "sha256": "6d6bb3df7c940826fbc2cbff1da1ad41b1dd196c901b034d0f7f1bfe259397a0", "type": "machine_learning", - "version": 108 + "version": 208 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", @@ -6579,9 +7176,9 @@ }, "929d0766-204b-11f0-9c1f-f661ea17fbcd": { "rule_name": "M365 Identity OAuth Phishing via First-Party Microsoft Application", - "sha256": "d6e42a616ed7bbe2472cc4fdc3742e026c67afcb1a0587711b1c43fc7f32d79e", + "sha256": "5b1525d9fb3e1d0b955b43b502826a19998607b96fce7d351b5f2a4b656a61fe", "type": "query", - "version": 4 + "version": 5 }, "92a36c98-b24a-4bf7-aac7-1eac71fa39cf": { "rule_name": "First Time Python Spawned a Shell on Host", @@ -6603,9 +7200,9 @@ }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", - "sha256": "d069247b8ddebd603422b604d8a4bce7a860e3e879e680a440c5252f81301fca", + "sha256": "a7f3fb92910eb74a17595421262ef4c0c685a07e4e5512f18cdb96117b34f30b", "type": "new_terms", - "version": 215 + "version": 216 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Activity", 
@@ -6615,9 +7212,9 @@ }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "a7065e1b8fe61ce3a22ffa4ef3c73475edafa82b86918e0e0c1225bc06fd4203", + "sha256": "c55bac37daa9321802740fb410156e014f7560d5cc079d927f224956d090523e", "type": "query", - "version": 212 + "version": 213 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", @@ -6627,9 +7224,9 @@ }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Deprecated - Encoded Executable Stored in the Registry", - "sha256": "8e8b9ac5138c62d2b2a02a20501c1553751117f056094b9ddf235ae808b96ad5", + "sha256": "5591519f37eb40593828317831871b06a4aea555bebe77fb9673d95ebe444d06", "type": "eql", - "version": 417 + "version": 418 }, "93dd73f9-3e59-45be-b023-c681273baf81": { "rule_name": "Linux Video Recording or Screenshot Activity Detected", @@ -6639,9 +7236,9 @@ }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "ef34d40c1057c774d6ef0c63e18c0e86cdd601194cb98eaf32b8ff38c9a1f524", + "sha256": "69b1e02d3a36de758cf981011b13ecfc3134cc52eeaa7686b2f2aef99248120e", "type": "query", - "version": 209 + "version": 210 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration", 
@@ -6663,21 +7260,21 @@ }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "17df1e8317f166bef619db95bf42ae315bcd87b76662babd058636cf0ed7532f", + "sha256": "f17e7d83bdd45c1e35f6acd2012cb04fb0fab1599a5c7174423b616193122af9", "type": "eql", - "version": 214 + "version": 215 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Potential Okta Credential Stuffing (Single Source)", - "sha256": "3582f68249eb42feefbaee5cb78961ee3fdf381c206fd4985291b0a08d16cab3", + "sha256": "c9bdd66f536436153709d92c363c2bfc9637912240daf7eb789913fb2a9f4efe", "type": "esql", - "version": 210 + "version": 211 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", - "sha256": "9e8da7966327e7084cc501b66081920953cc7c1339a8928f7290e52a4d2ef593", + "sha256": "e9260d441ee6bb2650fab753e31ab175e5b98418141b067ed6cd3a942bd81750", "type": "query", - "version": 109 + "version": 110 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", @@ -6699,9 +7296,9 @@ }, "9563dace-5822-11f0-b1d3-f661ea17fbcd": { "rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client", - "sha256": "d2d21e61aaed02eb91ca93acff976be021e0eed60574c4213334cd83c09fd7cc", + "sha256": "4062c9fbacade77b466ba4c8c18199e74c0d56a88a9eeef6fdc5d2d4494315d7", "type": "new_terms", - "version": 4 + "version": 5 }, "959a7353-1129-4aa7-9084-30746b256a70": { "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", 
@@ -6711,15 +7308,15 @@ }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "960e6fd80772b1bd33599bc31c7754c78c9f0f8caa486f7ce3f6a3da2849e4ae", + "sha256": "9bbafc590b50bfd04f203f601c190c6e90803c1c8f1ff4875c4797b2b871fc06", "type": "esql", - "version": 209 + "version": 210 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", - "sha256": "7a76f9664f6701830b8f83735fb4063a5318f60a1966f61e7591ede0fd5dc745", + "sha256": "7d65bad7fb01c9df8886dd57509eeb3dab22246cd5bdb3030a6770a70c26d822", "type": "new_terms", - "version": 7 + "version": 8 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "min_stack_version": "9.3", @@ -6745,15 +7342,15 @@ }, "96b2a03e-003b-11f0-8541-f661ea17fbcd": { "rule_name": "AWS DynamoDB Scan by Unusual User", - "sha256": "c9bee1a192b67f29b4efb6de03dc39731e216acb146248d30b554c9bc0750917", + "sha256": "922c37a1cdb6f1cd90a88e213929b164bbb8346fecf5aaf2548d04f5c1200ffb", "type": "new_terms", - "version": 5 + "version": 6 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", - "sha256": "546289b4c1c2dfc97c6bd7689c6ea92981adbe5b8a4740ea67493bf8946f56a1", + "sha256": "6b1686cc7b6a837576f758cc91736ce0308787558a588f34d90d5cb568304455", "type": "query", - "version": 413 + "version": 414 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", 
@@ -6787,15 +7384,15 @@ }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "M365 Exchange Anti-Phish Rule Modification", - "sha256": "2b964a8c532a4689975a238a7f95f7ce0da79f73064066690a1a3b8ab7648808", + "sha256": "5085f954d4ff259286c61446ad71512f3a21abc0c58e2e492aea0ccb050116d8", "type": "query", - "version": 211 + "version": 212 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "e5aca962f0e6a45c5b8bcd98533ca267135de0e9de2a39cd257cf5da65df8850", + "sha256": "f2cc5c75a97f850533473a4b070a5de9e09cadd3e2d2ab3e3594bf7a4f0bd19c", "type": "query", - "version": 108 + "version": 109 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { "min_stack_version": "9.3", @@ -6815,15 +7412,15 @@ }, "976b2391-413f-4a94-acb4-7911f3803346": { "rule_name": "Unusual Process Spawned from Web Server Parent", - "sha256": "208453906aafff3188872be131447a9bbfe2e54cff5582b8edeee4167e7f9be3", + "sha256": "a00d6b454618edd6f83bf6b94f54801e8b62da5ec958f1aba72bba4a4bdffc60", "type": "esql", - "version": 10 + "version": 11 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", - "sha256": "e26d7f62021d18acc8dfecd73e65d07df91ece0a39a25b986eef48672e1a5cfa", + "sha256": "101588c75ca495165b4a75b184b63ce8f2ecc204a09f8a1f687e32708adb06e5", "type": "query", - "version": 213 + "version": 214 }, "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": { "rule_name": "Potential HTTP Downgrade Attack", 
@@ -6833,15 +7430,15 @@ }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications", - "sha256": "5898b2b9e2deecc44bb0867c1299f960eb490ea7a0d595eca75928027eaf8710", + "sha256": "a44033692c37bed24ce3925b6ca42e5bd9fb6b47ee30ff08d20220ff77e28f9c", "type": "eql", - "version": 418 + "version": 419 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", - "sha256": "2f112a9f4661303deb296d1447e823390a464df00c5cf5ee3cc51a00af441846", + "sha256": "b16f4503068a8e8a456ea9f63f32bbedb866b7b79a36e6ae4fa7785f402fb2d8", "type": "eql", - "version": 421 + "version": 422 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -6869,9 +7466,9 @@ }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", - "sha256": "3dce30a6e5b5c9a25514018796e1f024fe119037256ea8b06b233d3e32249632", + "sha256": "dafbd42605333aa135c1efb0261e9eb5359dffe444e4979a8dea91630c9e80ff", "type": "eql", - "version": 8 + "version": 9 }, "9822c5a1-1494-42de-b197-487197bb540c": { "rule_name": "Git Hook Egress Network Connection", @@ -6893,15 +7490,15 @@ }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "fab3fd6a06ce0b5c14b01d3fa576252596d34492533ec8c9e60345dcac76df3f", + "sha256": "9e0d0436cb2a69e6b72f3dc82fd928e79dd5ee95eaf0a59877b5e93864791dc7", "type": "query", - "version": 108 + "version": 109 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "M365 Exchange Management Group Role Assigned", - "sha256": "72314208ea72765e4adb514651f93c4e906e349120ec1ea0285b739e6832ce06", + "sha256": "12f387e3566dfd84bdb25e5380d9df4277a814500ce2286d1b624994ca9552d8", "type": "query", - "version": 212 + "version": 213 }, "98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": { "min_stack_version": "9.3", 
@@ -6928,9 +7525,9 @@ }, "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780": { "rule_name": "M365 SharePoint Site Administrator Added", - "sha256": "52534900cb089a485a4c94a1f500a1360cfdc36c116a0c025538279cd853204d", + "sha256": "dd4667aa3346d5aaf3c34b89d393074ecf11bf0188f022df8a39f52ad5c089a9", "type": "query", - "version": 1 + "version": 2 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "Deprecated - AWS EC2 Snapshot Activity", @@ -6987,10 +7584,20 @@ "version": 1 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Spike in Failed Logon Events", + "sha256": "258d2a4aff6f38a12e7faee6637ec4ac5c3e839daa6ead4587fd9871bbdc57ae", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Spike in Failed Logon Events", - "sha256": "258d2a4aff6f38a12e7faee6637ec4ac5c3e839daa6ead4587fd9871bbdc57ae", + "sha256": "6c2a61bfd4d95da96708ad6dd4ffad62c9111f9ab7950b025deef83d487990df", "type": "machine_learning", - "version": 108 + "version": 208 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security (Elastic Defend)", @@ -7012,9 +7619,9 @@ }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "rule_name": "Suspicious Explorer Child Process", - "sha256": "4ede25035ced2ee53b8ba630714831c1eae23a3c7822356c127d7ace94d90a1b", + "sha256": "5d19110cc2f46e206df1cccc8dc7e4592cd148e313efc696ec6c17e63fa43317", "type": "eql", - "version": 313 + "version": 314 }, "9a6f5d74-c7e7-4a8b-945e-462c102daee4": { "min_stack_version": "9.3", 
@@ -7034,27 +7641,27 @@ }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "a18589e10e7f28f4117607f6677da79ad0fff040ad5c9d28e93f837471c51963", + "sha256": "724d3db917545c23628a1ca48afc61add24a5fdc65f8ce91d5735c838391a080", "type": "eql", - "version": 314 + "version": 315 }, "9aa4be8d-5828-417d-9f54-7cd304571b24": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", - "sha256": "86d167e1986ba99c8b7ea81757c48cac39323a28f9f2ac0428b65a90b0687300", + "sha256": "da64cc799df3d7b93ccb5ae04e3e099d02a697837a05f18e35f295b53e2747fb", "type": "eql", - "version": 9 + "version": 10 }, "9aeca498-1e3d-4496-9e12-6ef40047eb23": { "rule_name": "Suspicious Shell Execution via Velociraptor", - "sha256": "46a0569127e7cc1e492606dcf457c00340e9b183ff389fd350f292acea0f7545", + "sha256": "eb78275f8550af643da2fa1a16e9d2e49843ddb5d67da926272cb0f2e51e2b8c", "type": "eql", - "version": 2 + "version": 3 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "rule_name": "GitHub Owner Role Granted To User", - "sha256": "b8021547bfb3e66b179d5a786645be09f322d02542d3b04ed497e64abba92682", + "sha256": "8c4046c8e10aa286e834471735eccdfa372b1419bfbe3dfca6713b231951221e", "type": "eql", - "version": 210 + "version": 211 }, "9b35422b-9102-45a9-8610-2e0c22281c55": { "rule_name": "SentinelOne Alert External Alerts", @@ -7064,9 +7671,9 @@ }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "rule_name": "Persistence via WMI Event Subscription", - "sha256": "c41ecc6deef7ce4de642b215d877cca87c3bdd1c8dbbddece705c8d211f78b82", + "sha256": "bb72fc009b5619a3f32e5104c274cf758853879186b712b2882c25cc6f13ea64", "type": "eql", - "version": 317 + "version": 318 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", 
@@ -7106,9 +7713,9 @@ }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "379df55e153fd1e17d278871998bcf006f466b6c83ec9dffcb79da7c95d5c2fe", + "sha256": "7b44a9ae01b478c9396159990d5e3a60ba0a814396ac5d734b8ae0e10c12a3cf", "type": "eql", - "version": 313 + "version": 314 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "rule_name": "Google Workspace User Group Access Modified to Allow External Access", @@ -7130,15 +7737,15 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "992beaeb7bdd47eff309d7867097199639cbc644bb723b3160d35592777a5c74", + "sha256": "fa74f1ccd35ac20ec3f06710dfc85bfa783c3bcc354f7d1db23262f16b40111a", "type": "eql", - "version": 317 + "version": 318 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "f6ac7fc8d32860bef59151f6f6bd9f35f7f4a0d8c9b4030c1f4ece5e3958cfaf", + "sha256": "ae2f50613dcf0ecc490032648a841e44c7fdcc987584c1b076a221826c54e4d1", "type": "eql", - "version": 218 + "version": 219 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "rule_name": "Potential Credential Access via Trusted Developer Utility", 
@@ -7165,17 +7772,27 @@ "version": 111 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Linux Process Calling the Metadata Service", + "sha256": "17a28b4dce20cb1cb51218cf838490173d818ace7c6afb91e9ecee3e1b61b565", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "17a28b4dce20cb1cb51218cf838490173d818ace7c6afb91e9ecee3e1b61b565", + "sha256": "f8d8912ae2d8039dc804a4fb2851251923c29ebace475dcf20f4bd3b87bcc4fa", "type": "machine_learning", - "version": 107 + "version": 207 }, "9d312839-339a-4e10-af2e-a49b15b15d13": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Common Utilities", - "sha256": "0d14505286b88870ce711b2d8fd82bf17953609503c68c0d232214333c7b046d", + "sha256": "d0d094b1f3d2824d3f539e132c5573e5b8d9e94f113705086cb90fc35438b8dc", "type": "eql", - "version": 2 + "version": 3 }, "9d94d61b-9476-41ff-a8d3-3d24b4bb8158": { "min_stack_version": "9.3", @@ -7186,15 +7803,15 @@ }, "9e11faee-fddb-11ef-8257-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Authentication Type", - "sha256": "a38c3966c3b2143e5136aa9701203813508c6670bdc2673c967b15484492d65c", + "sha256": "c99ca37b4a4b58fb57cfc77836e72bbe603e86068b3ea86669df86ac64e69d76", "type": "new_terms", - "version": 7 + "version": 8 }, "9e81b1fd-e9fb-49a7-8ebe-0d1a14090142": { "rule_name": "Potential Password Spraying Attack via SSH", - "sha256": "d8a4e3fc4bb049f1a083e2c8df73eca8941cfc9eb80dc2c1b7a531fd8847c0d4", + "sha256": "2cb5a636d4f3e41d3b6e9ba18f297882ae22cb5f69ef6905993a1548ab01758b", "type": "esql", - "version": 1 + "version": 2 }, "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28": { "rule_name": "Potential SSH Password Grabbing via strace", 
@@ -7204,9 +7821,9 @@ }, "9ebd48ac-a0e2-430a-a219-fe072a50146b": { "rule_name": "AWS CloudTrail Log Evasion", - "sha256": "72fa86bb3d91c048d88e6a44f277390be7025a3e3382267559e14dd868db2651", + "sha256": "b08fe11bdf17d81c9516472a841db7993c175996a06773032ef7b92282f89ebc", "type": "query", - "version": 2 + "version": 3 }, "9ed5d08f-aad6-4c03-838c-d686da887c2c": { "rule_name": "Okta AiTM Session Cookie Replay", @@ -7216,9 +7833,9 @@ }, "9edd000e-cbd1-4d6a-be72-2197b5625a05": { "rule_name": "Suricata and Elastic Defend Network Correlation", - "sha256": "1731ee5bc1af80f777474dad331fc0087b9cadcd773e56cac147ca1ab1d96b1d", + "sha256": "2ab8e7a7800653b9e37968900393df0f9f2f5d33441573121f0280acbe34c2cd", "type": "eql", - "version": 3 + "version": 4 }, "9edd1804-83c7-4e48-b97d-c776b4c97564": { "rule_name": "PowerShell Obfuscation via Negative Index String Reversal", @@ -7228,9 +7845,9 @@ }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", - "sha256": "73213f9e627c8ac38c4c910438c66c36006496bdf82823ee86646f57b4cdd703", + "sha256": "22b08b978d2a7ffdaf6487814a21eac8a8b3882f05c0c72938e5ada70b2f223d", "type": "eql", - "version": 8 + "version": 9 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "rule_name": "Potential Protocol Tunneling via EarthWorm", @@ -7246,9 +7863,9 @@ }, "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f": { "rule_name": "AWS IAM Long-Term Access Key First Seen from Source IP", - "sha256": "92b2699675495cdd2c77a223b88c257d9a4b5c9771dd463394da97c6d82ee6f5", + "sha256": "427dd26601fe597a174af7d832b94eb1a8f5786d002b426dd2946745d63601c8", "type": "new_terms", - "version": 1 + "version": 2 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via DCSync", 
@@ -7264,9 +7881,9 @@ }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "sha256": "eb1ea031af0b93072c60fe7de7f74b89ac24f851cffb1cdc9effa0c920bdb9ba", + "sha256": "8795f294df2824f66b4130cdff5d174717d9981c7dd6f859e37bbcb28b3c398b", "type": "new_terms", - "version": 318 + "version": 319 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "rule_name": "Unusual Scheduled Task Update", @@ -7288,9 +7905,9 @@ }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "a218d4dc79d01dd2a13363d90001f8c870141866f032cfb7f3790965f33ed5a8", + "sha256": "b7563d73159d22dee91b57c70d5c21d5a8a4e1bda6dac44d4d928cd855957b07", "type": "query", - "version": 109 + "version": 110 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", @@ -7312,15 +7929,15 @@ }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "082f848417d0983cbe8afe7fa8da7ba39df370cb36ee01d5ae23e94e2aad6783", + "sha256": "2839edbd2eef88ec655dfeaed2ad94d748e9196dd7842e600c10784e7f19fd4b", "type": "eql", - "version": 213 + "version": 214 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "b65e249cdd670a847b2aaee22255a1445633b93652c02c7da935fb513724cc80", + "sha256": "5c9184b7bbce98b4980ceaaf2d6c8d70b16c21ace2d1ecb51d7c6cfb7050a0dc", "type": "query", - "version": 108 + "version": 109 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { "rule_name": "My First Rule", 
@@ -7336,9 +7953,9 @@ }, "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d": { "rule_name": "Azure Storage Account Deletion by Unusual User", - "sha256": "a34ca5e23f6bdc0676fadb6a439653d4c17c1d7123a2399983f25d24ecabd5c6", + "sha256": "352c5821d7eca95826730550a43559e960148a7696f8b66ee023fbedc192978c", "type": "new_terms", - "version": 1 + "version": 2 }, "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": { "rule_name": "Potential Account Takeover - Logon from New Source IP", @@ -7348,9 +7965,9 @@ }, "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": { "rule_name": "Entra ID Protection Admin Confirmed Compromise", - "sha256": "c52bd8e1d7d776b7c835c3d44095c8af47658ddc9211239b2d3bb8e976c8a109", + "sha256": "54a26dec737e913d13398210e60b5e0765bc4f57976293f5c9666910f23ef99a", "type": "query", - "version": 2 + "version": 3 }, "a1b2c3d4-e5f6-7890-abcd-ef1234567890": { "rule_name": "GenAI Process Connection to Suspicious Top Level Domain", @@ -7360,9 +7977,9 @@ }, "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": { "rule_name": "Web Server Suspicious User Agent Requests", - "sha256": "94a64c4edcc2f609a23704924285d43d501c019eb270aa8ab580371e35072ef5", + "sha256": "5b2ed0b00a9cecc670d81984d3ed972c8781a96409beda27b3ae4ca5bb2e72e6", "type": "esql", - "version": 3 + "version": 4 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "rule_name": "Linux Group Creation", @@ -7372,9 +7989,9 @@ }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "f5f6233b37a46200c93eabea190aaca9549c10deb5f9d832bc8cbff7479e5302", + "sha256": "d1742a8f6baeda422ac5e4599f7ad1604189781b7ea6d244389bfc4f0d6cc887", "type": "eql", - "version": 315 + "version": 316 }, "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { "rule_name": "Unusual Preload Environment Variable Process Execution", 
@@ -7384,21 +8001,21 @@ }, "a22f566b-5b23-4412-880d-c6c957acd321": { "rule_name": "AWS STS AssumeRole with New MFA Device", - "sha256": "c6d2802d60f7cb8fc9b21cb19e1950a297cea7077f518279a4cc9cf62dd449c2", + "sha256": "6935a7b9fd5f67e312b06f45233bc7e9e6e832dc3f93a9c0b1f84cb7624bb384", "type": "new_terms", - "version": 7 + "version": 8 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", - "sha256": "31ca574a5425c352f948873b80bcd8001311f19ddad62b271eba6d788a54f4c2", + "sha256": "8ffc100a7b1d4ce6518d28c266f7b80ca1898c4505645909bdfea0f8f22ac297", "type": "query", - "version": 111 + "version": 112 }, "a2951930-dd35-438c-b10e-1bbdc5881cb4": { "rule_name": "Kubernetes Cluster-Admin Role Binding Created", - "sha256": "53c6415a825693d1082030f2418e73a5c0d9b060e7482c1890ddbd2c48728f5a", + "sha256": "e69d0cfdb03d64b04b04b0301086a748d32f13d2f828a3b71177061780ee9f68", "type": "query", - "version": 1 + "version": 2 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "rule_name": "PowerShell Mailbox Collection Script", @@ -7407,10 +8024,20 @@ "version": 113 }, "a300dea6-e228-40e1-9123-a339e207378b": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", + "sha256": "553c6e6e65c43d5ee933841dbf34f7d9a9ea80e08e543900e277036686cbddfa", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", - "sha256": "553c6e6e65c43d5ee933841dbf34f7d9a9ea80e08e543900e277036686cbddfa", + "sha256": "a296f2e27d0d4e3f4f6c7ab90fc49f8f4a0b4c14d49775288666a234e4b403b2", "type": "machine_learning", - "version": 4 + "version": 104 }, "a337c3f8-e264-4eb4-9998-22669ca52791": { "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected", 
@@ -7420,15 +8047,15 @@ }, "a3cc60d8-2701-11f0-accf-f661ea17fbcd": { "rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client", - "sha256": "7c519926517b618be19af735311a9b969fe9ea2b081ad68a9f2de5bb02d59c1f", + "sha256": "38c9a1b455477aee830f90a89dae1d703f545c3d857cf4262153a23b2e0c80ba", "type": "new_terms", - "version": 5 + "version": 6 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", - "sha256": "777d3b478fb1eea22452ad39f88e4208a133631bc1eab6e7adc5b793bc90c00b", + "sha256": "93b4860b7335468f8a8cb6caa81436cbab24af1f61565d355d12b1c0289bb85e", "type": "eql", - "version": 313 + "version": 314 }, "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { "rule_name": "AWS EC2 Instance Interaction with IAM Service", @@ -7437,11 +8064,20 @@ "version": 4 }, "a4b740e4-be17-4048-9aa4-1e6f42b455b1": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 100, + "rule_name": "Spike in GCP Audit Failed Messages", + "sha256": "640606acf483065052865e9a6e801d491b8afb375423dfb06058d87b0b54b602", + "type": "machine_learning", + "version": 1 + } + }, "rule_name": "Spike in GCP Audit Failed Messages", - "sha256": "640606acf483065052865e9a6e801d491b8afb375423dfb06058d87b0b54b602", + "sha256": "0293cbc3c1b896acdee5fb53bfe925958fc9d5ec773806a13d9e468e89a65005", "type": "machine_learning", - "version": 1 + "version": 101 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "rule_name": "Windows Registry File Creation in SMB Share", 
@@ -7501,27 +8137,27 @@ "8.19": { "max_allowable_version": 314, "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "2b5c3815588863a4c53018c1bf78b2e9b33ac20407ad8cf036a4226b127424c4", + "sha256": "ce3fd44cac75566f4e140bffa3f637c3283d0882621b0b5f292369e185473e54", "type": "new_terms", - "version": 215 + "version": 216 } }, "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "e6482b504c514d6b1753b89034fad24ee3fc56c8f55c3541c3b8e700adf499fc", + "sha256": "527325250cfdd394de8beb2562d3f3d0b44210d85cdfb77b26cfbcbb2c56a852", "type": "new_terms", - "version": 316 + "version": 317 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Entra ID PowerShell Sign-in", - "sha256": "2d6df52bc2882c8b98f3dc43e31ceb65ae06ac225eecffcabbcbebaae55f7dfb", + "sha256": "5d891782faacde7c072c3f8e3819b0e10c0932cbea16e27587b86081ee4e243e", "type": "query", - "version": 109 + "version": 110 }, "a6129187-c47b-48ab-a412-67a44836d918": { "rule_name": "M365 Azure Monitor Alert Email with Financial or Billing Theme", - "sha256": "66d9cffd3773855d4fd0f97ae360322f71d92a037133a287df4d4ac524497a54", + "sha256": "34085bc10fd883d07e4593354c15c2b5a740f637f8f8a0dac8b18c02556d89dc", "type": "esql", - "version": 1 + "version": 2 }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "rule_name": "Threat Intel Windows Registry Indicator Match", 
@@ -7531,21 +8167,27 @@ }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", - "sha256": "b0f8257a53944308de393b93cad9fec026cd701e9181cec30f96d8cbaa5be52b", + "sha256": "2d47f8a8fe77ba2d20c1d0e420c8c0184d9fce8dec9eb42de083228ee7782763", "type": "eql", - "version": 318 + "version": 319 }, "a640ef5b-e1da-4b17-8391-468fdbd1b517": { "rule_name": "Execution via GitHub Actions Runner", - "sha256": "14361ef9fcfb305ac2f4824cb070fbf348522f67cdd712c8988f563f7615c75e", + "sha256": "ea34a8cd8b428ffac29baa616dc58a516e9d24a3ae30c3525c5fdf5478d1bc34", "type": "eql", - "version": 2 + "version": 3 }, "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { "rule_name": "AWS S3 Bucket Server Access Logging Disabled", - "sha256": "9b5c902d75557d153526704fc38bebd9df6ca630b31a4753c02ff69f55b3afbf", + "sha256": "6ce6628461a895263040879ad1dfccf958216ebc96b9c795d5b3ce688836c641", "type": "eql", - "version": 6 + "version": 7 + }, + "a68da7d6-7eab-45bd-97c5-93b469c0706e": { + "rule_name": "Shell History Clearing via Environment Variables", + "sha256": "947c4f4f578b77ec8de5b9313a87559740ab6d5272631cd859175d57e2c06c80", + "type": "eql", + "version": 1 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", 
@@ -7555,15 +8197,25 @@ }, "a6d4e070-b9b9-4294-b028-d9e21ad47413": { "rule_name": "Entra ID Protection User Alert and Device Registration", - "sha256": "4876756b256c3aeddfcfdd04f09b0cb7e60f51ae76b94698d9a227ca6d1bc07e", + "sha256": "310fb191964cd8a1481bfde5eabce117f3b6e1f1134007c7bb846f0d233c50c7", "type": "eql", - "version": 3 + "version": 4 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "High Mean of RDP Session Duration", + "sha256": "54d4c476c777d29b060e86d324c7eccca8db5647602b0b9efa9792822185c764", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "High Mean of RDP Session Duration", - "sha256": "54d4c476c777d29b060e86d324c7eccca8db5647602b0b9efa9792822185c764", + "sha256": "0cf7caa172c255e31f5dcf206ca1101b180773c822559efef5ad87fde3d2d054", "type": "machine_learning", - "version": 9 + "version": 109 }, "a750bbcc-863f-41ef-9924-fd8224e23694": { "min_stack_version": "9.3", @@ -7575,9 +8227,9 @@ "a7577205-88a1-4a08-85d4-7b72a9a2e969": { "min_stack_version": "9.2", "rule_name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal", - "sha256": "9678721291da5cb523dc6ee9387e340cdcc03ee3f81a163f03942dc2201438b8", + "sha256": "ac58b82b1f4cd73a4d16a34212431268142b70229629c67b3e311aa707dcea98", "type": "esql", - "version": 1 + "version": 2 }, "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": { "rule_name": "Execution via OpenClaw Agent", 
@@ -7587,15 +8239,15 @@ }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious Print Spooler SPL File Created", - "sha256": "7e536fc3989bef73d2411edbb92974c04d3cc027f95843bd49731c3a42aa5367", + "sha256": "05f6d2480b4abed5e937479badcf771d7424a8b6a021962e5fca3c12acc08963", "type": "eql", - "version": 116 + "version": 117 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "6a81227e9d0bdc6b5dfa8718dd52f25b2ded9ee3476c28f289aa5a5f2ac132f2", + "sha256": "2b21f27255a4ac81ad9f467d67b906ed16e22ba90bc5a29f86f4ac561fbf8afe", "type": "eql", - "version": 315 + "version": 316 }, "a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f": { "rule_name": "M365 Purview Security Compliance Signal", @@ -7605,9 +8257,9 @@ }, "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": { "rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User", - "sha256": "fa03b03f4ae7bbd7463ecc32a9d20f903f89538bd10fe1250ee3e6d6eda108a6", + "sha256": "26c16152fd28558423e9c60d5393ad5482ec38ef5492aeb15ecfb8587231fddc", "type": "eql", - "version": 2 + "version": 3 }, "a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", @@ -7617,9 +8269,9 @@ }, "a80ffc40-a256-475a-a86a-74361930cdb1": { "rule_name": "AWS IAM SAML Provider Created", - "sha256": "94732c42b485343065e0774196628119dc2f316080a333102bf203c983c779d0", + "sha256": "8d2440f5b8111e88075595c64071b426a241d0e78819f05d6c66caeca7046f04", "type": "query", - "version": 2 + "version": 3 }, "a8256685-9736-465b-b159-f25a172d08e8": { "rule_name": "Suspicious Curl to Jamf Endpoint", 
@@ -7629,9 +8281,9 @@ }, "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { "rule_name": "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker", - "sha256": "d6cb0373e901e7888cbdf65dce494355d38a829de9c102fc07aa2c2274b165f4", + "sha256": "84fcc460d0f329b6494b2756d4cb004798d5c54d8f76ee6b19ac2b149fc59a3a", "type": "query", - "version": 7 + "version": 8 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", 
@@ -7673,27 +8325,47 @@ }, "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": { "rule_name": "Azure Storage Blob Retrieval via AzCopy", - "sha256": "49906c7167773c5c88a880e059c18f24adb62337a0b8ef76a5c8bb33623fe4a9", + "sha256": "4cafd5b1d72e9099750d39514142a06221336044dc6ab66d5df8acf39358c552", "type": "new_terms", - "version": 2 + "version": 3 }, "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": { "rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand", - "sha256": "49e45807f197d72382a572c2a9f601aeef490252cf7c11dacd21a726fb810968", + "sha256": "55145a5b782b65b05f5834f544ec591950f607a59669ef53b3cf1cd0dfce7950", "type": "esql", - "version": 3 + "version": 4 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "High Variance in RDP Session Duration", + "sha256": "f9c8c7c261451895bad9202f8a232c6e4062e1d272ece1ec51d009c841579e71", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "High Variance in RDP Session Duration", - "sha256": "f9c8c7c261451895bad9202f8a232c6e4062e1d272ece1ec51d009c841579e71", + "sha256": "3f9e29581657650330798e93e0d4b843c0de67a256b30133da018e49aca461f2", "type": "machine_learning", - "version": 9 + "version": 109 }, "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", + "sha256": "bd9b1c164a07769ffeb8aeb475e7e3e4f8d0a0787d5e419ee1ca1e160d2149c9", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", - "sha256": "bd9b1c164a07769ffeb8aeb475e7e3e4f8d0a0787d5e419ee1ca1e160d2149c9", + "sha256": "8a3a0a541278d7abc6675acd56413d6d3ec869a0bebfb0ef0bbb8f846c5adfc5", "type": "machine_learning", - "version": 4 + "version": 104 }, "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f": { "rule_name": "React2Shell (CVE-2025-55182) Exploitation 
Attempt", @@ -7709,27 +8381,27 @@ }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "M365 Exchange Email Safe Link Policy Disabled", - "sha256": "7461bc40b2d09bbc574bdb5ec21554865c01cc2c13d11a28cf089e2366cc740c", + "sha256": "6b995af6f7a66f483caeb7f4b0ed5e4fbce766890078ac36b73135b287bebc97", "type": "query", - "version": 212 + "version": 213 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", - "sha256": "f542e1b863cd42eb8bf3b80af48508e5938cb132dba214ba2b8f331d83b03f5a", + "sha256": "ab5be5778aeb2192c5a6b094c17c63ba6bec949da499eff193f5208975a9bf86", "type": "query", - "version": 209 + "version": 210 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "4d255aabd1699229c83718a7915c758e828c189e6dc926bd2c871529233f1cd3", + "sha256": "3b30278eb35bd453721b5e6a3709354920655bc529e57a4de4d76c5c1194a794", "type": "eql", - "version": 214 + "version": 215 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "35e4a6106cba38795de889121dbf12207ff75aef92afcccabe8a806fd0e4c769", + "sha256": "165337503847ed379edc1c1e54e7503406682e6849717aa2668355066215f1c6", "type": "query", - "version": 109 + "version": 110 }, "aa1e007a-2997-4247-b048-dd9344742560": { "rule_name": "Script Interpreter Connection to Non-Standard Port", 
@@ -7738,16 +8410,26 @@ "version": 2 }, "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Spike in Group Lifecycle Change Events", + "sha256": "117615ae9f7bbcdf2f22d30db030b964809f545f13d82041ceafa1c2b45773da", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Spike in Group Lifecycle Change Events", - "sha256": "117615ae9f7bbcdf2f22d30db030b964809f545f13d82041ceafa1c2b45773da", + "sha256": "65061d6e84d85ff3f20ca8420b9fb9f8bad47f3264055c2fd6c4347a74673750", "type": "machine_learning", - "version": 4 + "version": 104 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", - "sha256": "8757f16023a807b6b2b792ab3d99ad696e95ce9eaf579b679780cee08cc829cb", + "sha256": "08a46011d52f72f80b008709b145d97420698886ef6cd771ecba32a0ed3ac316", "type": "query", - "version": 108 + "version": 109 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "rule_name": "System Log File Deletion", @@ -7799,9 +8481,9 @@ }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "rule_name": "AWS S3 Object Encryption Using External KMS Key", - "sha256": "71757caa90c47ad78c9750b701a3a4990bc4f2fcfb319bea634a219e08afc265", + "sha256": "96c2271144d138a553b4c8d8d6212b6d787da68435ae52b0b873834d5679cc43", "type": "esql", - "version": 10 + "version": 11 }, "ab9a334a-f2c3-4f49-879f-480de71020d3": { "rule_name": "Unusual Library Load via Python", 
@@ -7816,10 +8498,20 @@ "version": 2 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 309, + "rule_name": "Unusual Windows Process Calling the Metadata Service", + "sha256": "bb1a749f861f7459448bb4e1a2eb19dc2a26f353fb57634eed0ccea7218f3cff", + "type": "machine_learning", + "version": 210 + } + }, "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "bb1a749f861f7459448bb4e1a2eb19dc2a26f353fb57634eed0ccea7218f3cff", + "sha256": "9a73061513a45d35de86697c4b677a0b2e5dbc1f1d9a84b7f5d0d24234dda985", "type": "machine_learning", - "version": 210 + "version": 310 }, "abc7a2be-479e-428b-b0b3-1d22bda46dd9": { "rule_name": "Google Calendar C2 via Script Interpreter", @@ -7835,9 +8527,9 @@ }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "rule_name": "Suspicious WerFault Child Process", - "sha256": "059547fd67e3b5a221405c2f551459a0e5da4b472574b7b0a9f647824eca93b2", + "sha256": "9510d6d1c33fde4f7387816386c4bb3efcac43bb4c7aaa9dbc936a69409c0f94", "type": "eql", - "version": 418 + "version": 419 }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { "rule_name": "Git Hook Created or Modified", @@ -7847,9 +8539,9 @@ }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "rule_name": "Outlook Home Page Registry Modification", - "sha256": "d20a637fe702ef3a14ed08bc79e70ce0945d586fcef20fe2e3b0423940fa91ad", + "sha256": "3453811ef45dfeac70ddf054126131c00f9dc9bc32ded269570d7ed0d3c660f1", "type": "eql", - "version": 208 + "version": 209 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "rule_name": "WPS Office Exploitation via DLL Hijack", 
@@ -7858,10 +8550,20 @@ "version": 105 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 312, + "rule_name": "Unusual AWS Command for a User", + "sha256": "6329bd421d92474b7b724414f883a3a46da0190498df4f628e370b759c237af3", + "type": "machine_learning", + "version": 213 + } + }, "rule_name": "Unusual AWS Command for a User", - "sha256": "6329bd421d92474b7b724414f883a3a46da0190498df4f628e370b759c237af3", + "sha256": "39f69f2d45fbc7e8dc0ec930f3b66d28754b3502bea0b2b1b8d0a8b7a229d199", "type": "machine_learning", - "version": 213 + "version": 313 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server", @@ -7877,9 +8579,9 @@ }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", - "sha256": "9e2873a47031b6e8b15b6b20da3ac0862ce4124e7ffc8cd818be8eba1efd2c3e", + "sha256": "72223005ab05d709e4988e024d34920e78f0de89f73f36f865dace15179a2abc", "type": "query", - "version": 210 + "version": 211 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", @@ -7895,15 +8597,15 @@ }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "01947c38ddbaf757c9c2706842377b1699f7e65de106e2ee1005a90436e9e8db", + "sha256": "f9f14d7bdc3f0ea9cb07ff8bf681e76bde3b7b5bddc09bd5586187e9d8f0168f", "type": "eql", - "version": 313 + "version": 314 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "401cb7b60b2cf3bb799ffcb99b3d39a35feba91d7146952c4408a2fe5ff97ea5", + "sha256": "449fc1a0e4c9716e7f094c80e0ae792e8d7fc2b6c1ed1428f46cee96994f8410", "type": "eql", - "version": 315 + "version": 316 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", 
@@ -7913,9 +8615,9 @@ }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "dd3bba4447ec0a85398b9bf7a5b42ec6cfc45c5c472e988b56fc51878deb7ade", + "sha256": "c7bbefa6cd24512e29b52401dd4e13dae67b32db59c469837cc5157d7fb8f7ad", "type": "query", - "version": 209 + "version": 210 }, "ad5a3757-c872-4719-8c72-12d3f08db655": { "rule_name": "Openssl Client or Server Activity", @@ -7924,10 +8626,20 @@ "version": 108 }, "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 104, + "rule_name": "Decline in host-based traffic", + "sha256": "d3443af533d8c9c71544393bbb3528bab9f2a4528d9d339f101e5d8628f1a384", + "type": "machine_learning", + "version": 5 + } + }, "rule_name": "Decline in host-based traffic", - "sha256": "d3443af533d8c9c71544393bbb3528bab9f2a4528d9d339f101e5d8628f1a384", + "sha256": "a9db6c29e8b8c460f4f349d40a9db66f98d86d48043a2c992b7cb77ae0d82c0c", "type": "machine_learning", - "version": 5 + "version": 105 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", @@ -7973,9 +8685,9 @@ }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "c5078f597c295cea9a4dedfb0717f3f8db2dfb4a97b14c31721fe7366500128f", + "sha256": "7ee292bade6c57524e7298455f1ee4cee4de58efd67b3d379e2a17e01861dcff", "type": "eql", - "version": 209 + "version": 210 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "rule_name": "Shared Object Created by Previously Unknown Process", 
@@ -7997,15 +8709,15 @@ }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "Entra ID OAuth Device Code Grant by Unusual User", - "sha256": "15e48bbd9ec05f38f788fe85d3d314645cc526a65f9154c9c852aa4e46b60822", + "sha256": "4fc095fc9ea36c19a1fb10bbbbccdb154cdd62f352e4dae8ea2ae5159c322f82", "type": "new_terms", - "version": 9 + "version": 10 }, "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": { "rule_name": "Okta Alerts Following Unusual Proxy Authentication", - "sha256": "654269218ea4d36e4c6c44c897f0d1045a8e3958ec8ada141505606d41445514", + "sha256": "e58cb7a0d5a166f3b1a068ac2dcd4e57f6cfac80b5ef9c31267d627e2d8faabc", "type": "eql", - "version": 1 + "version": 2 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "rule_name": "Unusual User Privilege Enumeration via id", @@ -8057,9 +8769,9 @@ }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "rule_name": "Netsh Helper DLL", - "sha256": "a50c04fdc476c71125eea0ba039cb89bf18e557653c7d2c893bd62b964d5d703", + "sha256": "e2f3ba9603ecde9fab5a70120bb939d2c302deb6e768f79fe28a7cab9af9d869", "type": "eql", - "version": 206 + "version": 207 }, "b07f0fba-0a78-11f0-8311-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Web Service", @@ -8127,15 +8839,15 @@ }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Deprecated - M365 Security Compliance Unusual Volume of File Deletion", - "sha256": "f86f481f50bb0a81e04e053d44c7884c19126b9335761ec525ef2835a4be5a26", + "sha256": "34ec15b2762501830ba72e2159a10d9fa8710df212375f979160411eb08ffcb5", "type": "query", - "version": 212 + "version": 213 }, "b29b7652-219f-468b-aa1f-5da7bcc24b03": { "rule_name": "Potential Traffic Tunneling using QEMU", - "sha256": "e9869a2d9ef0ede8759bbae2c633720e4822ae0eaab97d4d123c32340d879b7e", + "sha256": "3bed4972669528914c4056e133fe899c9b4d6e66d957bce8d06c418ce3f1a32e", "type": "eql", - "version": 2 + "version": 3 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", 
@@ -8145,9 +8857,9 @@ }, "b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e": { "rule_name": "Azure Storage Account Deletions by User", - "sha256": "0f80a00629784a14aee160694167d10df069b573b26579e2bc65a08152b94be1", + "sha256": "9f4fc0bbadb6f42109d9f6264472caa5cfbd9ae6935c6b3e0a098c00ede91f06", "type": "threshold", - "version": 1 + "version": 2 }, "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": { "rule_name": "Potential Account Takeover - Mixed Logon Types", 
@@ -8157,45 +8869,55 @@ }, "b2c3d4e5-f6a7-8901-bcde-f123456789ab": { "rule_name": "GenAI Process Compiling or Generating Executables", - "sha256": "10699cfc2c120433bed5e971c71194d0acbc72cddecacab5469c0b1d23216ecb", + "sha256": "fcd00363e060ee80ac289741c1c9004fa4bbe11c759b50769070b13d5466008b", "type": "eql", - "version": 2 + "version": 3 }, "b2c3d4e5-f6a7-8901-bcde-f23456789012": { "rule_name": "GenAI or MCP Server Child Process Execution", - "sha256": "e63520b1ec668be51223850b69f8993bb005a5c45f77738dd229a1d2e4254334", + "sha256": "26ee62ae8a201d334f1e43011a5acaa008ecb5e19c928b921faa25e0d95582b0", "type": "eql", - "version": 2 + "version": 3 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Linux Username", + "sha256": "ebac0be3cc98660cdc22804d5fb5347f782deed7f06851e8d9774d2b80988cf1", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Linux Username", - "sha256": "ebac0be3cc98660cdc22804d5fb5347f782deed7f06851e8d9774d2b80988cf1", + "sha256": "a673ca8052fc4de0d8f2386e8976429868d4129e24c96fe5d0352c5de423237f", "type": "machine_learning", - "version": 107 + "version": 207 }, "b36c99af-b944-4509-a523-7e0fad275be1": { "rule_name": "AWS RDS Snapshot Deleted", - "sha256": "7a02506f8453110cac713662233968f74b625854c528b34fe1af2413dc67e6be", + "sha256": "ba3d38a0e3792f9fc94cbca598270b727fea2afd947bc1a201a93fd18ce7746b", "type": "eql", - "version": 8 + "version": 9 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "5b8430098588353df995dbb0f9417305b6c27f4fe205e41393ba1027e5e30ae9", + "sha256": "81012af1ec2f5b6aca2a939f64af5618ba53ef128512f84a5fcb23d368081bcd", "type": "eql", - "version": 320 + "version": 321 }, "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": { "rule_name": "Suspicious Python Shell Command Execution", - "sha256": 
"56d00977592f10b6f40e65fdea0937ffb2fbae03cbd765c1258d5f1f0f36a508", + "sha256": "c1cabe9f77f729b71ce8bfcf06dcb88571ca28f37d412abeba692fa11b86c1ef", "type": "esql", - "version": 2 + "version": 3 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "b39b64612ea429e5a2ed645157eee033df7f908d4e338f5dc7f27ef9f7257b39", + "sha256": "2d8c220853d43e485848bbcbc8a47d1696a882a2aeadc585c3723f1f7766c763", "type": "eql", - "version": 214 + "version": 215 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", @@ -8217,9 +8939,9 @@ }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "6686019692b13bf91ca12c4dd69c9ca41ffd81d4480b58bce574581fb1ec6335", + "sha256": "09cc425582bd4ac3d390cbb63c58e980708b2e3f438f39b376f3f2a95b4a2346", "type": "query", - "version": 414 + "version": 415 }, "b4bd186b-69c6-45ad-8bef-5c35bbadeaef": { "min_stack_version": "9.3", @@ -8252,15 +8974,15 @@ }, "b5877334-677f-4fb9-86d5-a9721274223b": { "rule_name": "Clearing Windows Console History", - "sha256": "87d181da2c1d56e01ef1c972e929acaed2bc1160d0cf3f45b3741f8b073c130f", + "sha256": "7e14c0cb8230746c7ba5053e283ff64b16bde1082cb789657d3a076a5dd63898", "type": "eql", - "version": 318 + "version": 319 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "c6f479ab0fcd76fd0a3254a67a74547f22840b4bde814cf46af69361e36d4d85", + "sha256": "22aeae9e6e806d1a9e4216f3485b6f9bc573e3efebfcb756f488b3510e88378c", "type": "eql", - "version": 316 + "version": 317 }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { "rule_name": "Systemd Service Started by Unusual Parent Process", 
@@ -8270,9 +8992,9 @@ }, "b625c9ad-16e5-4f16-8d38-3e9631952554": { "rule_name": "AWS CloudShell Environment Created", - "sha256": "08c9c9d81fbaf3d369f67668422c612a9236fbee0687355f1cd7ee32fa413fdf", + "sha256": "5c7433e67902ee4b52322b5abc5120bfc4053b3280ef95a2a30a852c97a66aaf", "type": "query", - "version": 2 + "version": 3 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", @@ -8288,27 +9010,27 @@ }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "rule_name": "Potential Veeam Credential Access Command", - "sha256": "cbdee887cd13d54f550e80a5e90a2a8b627f93cac8d9f8a062df574362cd2878", + "sha256": "76ad7097a9e21934640d465a1c8142aa93e208ca46b9f207d30650fa75e58674", "type": "eql", - "version": 208 + "version": 209 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "b37782b05e4d6c2c899c3c64cf6002bfdabf1b8833b2361b762c9e8e5bb5bf21", + "sha256": "532e09d8ece61905719f3fc43adcae939124bba063c94681bac206f922fab6d1", "type": "eql", - "version": 108 + "version": 109 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", - "sha256": "0542bd5e149db60900db304cc0b992f8a1ec8647b377ce665d2b29a57c78f25a", + "sha256": "14d28d7f25487dce62c1587886b4b74480f9c2a4198f69e2e55470d4d623e08d", "type": "query", - "version": 108 + "version": 109 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "44a164cbbee23384317110deaf966d410b9546ff686d8d76040abb21cb1322a6", + "sha256": "fc573fd91afba592e2599a9f648c7f7c87ba1b94a672fe37c1f1bc6f40fc905a", "type": "query", - "version": 414 + "version": 415 }, "b799720e-40d0-4dd6-9c9c-4f193a6ed643": { "min_stack_version": "9.3", 
@@ -8325,9 +9047,9 @@ }, "b7e2a04d-4f8a-4e12-8c9a-1d5e6f7a8b9c": { "rule_name": "FortiGate Configuration File Downloaded", - "sha256": "8a6732c321ad665cbe34c05fba17c8a2062608ec98c2303074636c1cc82d3e58", + "sha256": "b65dfbbd01ddf09e8bd7de4c17e9af0caeda5f94219d9520352f4f63c62a2c71", "type": "eql", - "version": 2 + "version": 3 }, "b7f77c3c-1bcb-4afc-9ace-49357007947b": { "rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike", @@ -8337,9 +9059,9 @@ }, "b8075894-0b62-46e5-977c-31275da34419": { "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "135ed590d058ea2d34fc0bf1d1252edd24563787b15e9c1c581989395ea3aeb9", + "sha256": "d606a36377e206ed6b63e174f9aa93773b33099aaf113724d19e45c60c18555f", "type": "query", - "version": 413 + "version": 414 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", @@ -8355,9 +9077,9 @@ }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "85f657e35fa459539e836b4889434164e69815e35ee5bf47f09466e436e86414", + "sha256": "15c376a0744fd0c3a4a36e2a0d55d94431d57e9a3c60e075522f0dd830326ef6", "type": "eql", - "version": 416 + "version": 417 }, "b84264aa-37a3-49f8-8bbc-60acbe9d4f86": { "min_stack_version": "9.3", @@ -8378,6 +9100,12 @@ "type": "query", "version": 1 }, + "b8c7d6e5-f4a3-4b2c-9d8e-7f6a5b4c3d2e": { + "rule_name": "AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure", + "sha256": "9ee4397ac53d88b12b6a16d40ab8c34703453f21aa536fd9946f4989fc31d8f7", + "type": "esql", + "version": 1 + }, "b8e4c2a1-7f3d-4e9b-8c5a-1d0e6f2a4b8c": { "rule_name": "Potential Credential Discovery via Recursive Grep", "sha256": "6e1f7fd530c168e50461f4e7afc7b92b389edc311ca0657f61cae0b885e3fab0", 
@@ -8392,15 +9120,15 @@ }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "rule_name": "Kirbi File Creation", - "sha256": "f0425912b32267ad405c24d9e2fc4da797b6544d08646645eb230ade605c0b4e", + "sha256": "1ba1c3f1fd42eca170f3ff7eb6912639769830e43c2bd28c9ad868defd6d905b", "type": "eql", - "version": 314 + "version": 315 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "e3c26b040bafc31479de3af9ed423b2dfc66a6eb7de0d5ab167a95fc721dcd00", + "sha256": "a458c8f1dd0880bd480c3221aa2fc1e68d92b55fb0a6899029388a4bc3ef00b2", "type": "eql", - "version": 312 + "version": 313 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "rule_name": "Chkconfig Service Add", @@ -8434,9 +9162,9 @@ }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "6c98718e177cba9e677d5be51571ab9cd59f1a48d6a9d7d1f9e6267b56b26095", + "sha256": "1dd8d1dbdda33b30bb0324c7779509081b3613c945afd183e5bb0aaa1c0be216", "type": "eql", - "version": 315 + "version": 316 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { "rule_name": "File Creation by Cups or Foomatic-rip Child", 
@@ -8451,16 +9179,26 @@ "version": 1 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 310, + "rule_name": "Unusual Windows Network Activity", + "sha256": "6dd4b33d728787835db1ae21a3cba7bf99af83a6470d46cbd1476d0dffaa9c59", + "type": "machine_learning", + "version": 211 + } + }, "rule_name": "Unusual Windows Network Activity", - "sha256": "6dd4b33d728787835db1ae21a3cba7bf99af83a6470d46cbd1476d0dffaa9c59", + "sha256": "0833f86da12207c117de1da3165a8d471bbf136effa8f292075b2d66982d01cd", "type": "machine_learning", - "version": 211 + "version": 311 }, "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { "rule_name": "AWS STS Role Chaining", - "sha256": "3d73d351f7d7d32b5c4b0b10ddfe73cd017fa245219e660100861063839d6fff", + "sha256": "54a16034019a7ff529433229ee9420420463a6b64f855b1f8182e9c979f31d11", "type": "new_terms", - "version": 5 + "version": 6 }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", 
@@ -8476,27 +9214,27 @@ }, "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { "rule_name": "AWS SQS Queue Purge", - "sha256": "1f23630363aa37b8d7166c30043f1f47b8607a6a098292584b4cbbe55915b5e1", + "sha256": "461b925e57497fdcaf88f08873d86a0fb8d0e9ea1252e6c241ef05fffd27a95d", "type": "query", - "version": 7 + "version": 8 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deleted", - "sha256": "3d4454944fd0c9bf2faccc65a985c95158db648c3ddc91784bf036fec605b29e", + "sha256": "4966f18990999e99b3a63b622da1f44cd27813206a0d44992e191ef7efd3f6d8", "type": "query", - "version": 108 + "version": 109 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "7af345a100eb92de91782949bfa1266c3265fbe6a434c89921c79ffad6bd9789", + "sha256": "72ecee4d940e2c2157819f24ecedf8a8cb830b55105eac72e766fe6ced901463", "type": "query", - "version": 212 + "version": 213 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "M365 OneDrive Malware File Upload", - "sha256": "cd0ee58446ad10fef53b9675021f3383a26e3552230434632e711d88af2d5d1e", + "sha256": "f04d6d39681c375512b7e813dc80c792d70026ba6d551afbfa7734b166ea15cd", "type": "query", - "version": 212 + "version": 213 }, "bba8c7d1-172b-435d-9034-02ed9289c628": { "rule_name": "Potential Etherhiding C2 via Blockchain Connection", @@ -8512,9 +9250,9 @@ }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "M365 Teams Custom Application Interaction Enabled", - "sha256": "b9ec0d7e63d1adda464ae0b51112405b884c2b4c466a0a412ff85a22ee6a4b76", + "sha256": "826ec6d81ce8b9a10f38fc995c045cd647df5d059bdac072fb532a9260900581", "type": "query", - "version": 213 + "version": 214 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "Deprecated - AWS Root Login Without MFA", 
@@ -8524,9 +9262,9 @@ }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "rule_name": "GCP Storage Bucket Deletion", - "sha256": "342c778ee565abc4c34b4a3a8797de7055cda16677ee2bafffd4887b48d1aa0c", + "sha256": "37900dac2079159d4340059ef6567def876171c5672fdfc7278c6c8f0ca6fe79", "type": "query", - "version": 107 + "version": 108 }, "bc0fc359-68db-421e-a435-348ced7a7f92": { "rule_name": "Potential Privilege Escalation via Enlightenment", @@ -8542,9 +9280,9 @@ }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Entra ID Conditional Access Policy (CAP) Modified", - "sha256": "8ce594b9beda915d155841c38ba5dbd50b378588b08572407d9a468800afdc19", + "sha256": "988c323c28814045bd05e064128d2969aaebf8c51e11e47537a3e2aa3f0767d2", "type": "new_terms", - "version": 109 + "version": 110 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "rule_name": "Deprecated - Potential Non-Standard Port SSH connection", @@ -8560,9 +9298,9 @@ }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", - "sha256": "43fa018ec25c255dc71671253bbb478cd5f5a122e8e5baf6bf52194fa4b2555b", + "sha256": "c37a8742cc3fe968d7ca34eae92c6bbf6d72f20a731a8e600078e0c76f998332", "type": "query", - "version": 107 + "version": 108 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", @@ -8572,9 +9310,9 @@ }, "bcf0e362-0a2f-4f5e-9dd8-0d34f901781f": { "rule_name": "Entra ID Protection Alerts for User Detected", - "sha256": "7492519d14b8804f657d4ff6510cd4ea2272dcc95fdfe90b5e9aaa2e5fca65d8", + "sha256": "bf979378a73ec562baf65cabd933ec22b6c70d6c288387eed998e3836179e977", "type": "eql", - "version": 4 + "version": 5 }, "bd18f4a3-c4c6-43b9-a1e4-b05e09998110": { "rule_name": "Manual Mount Discovery via /etc/exports or /etc/fstab", 
@@ -8583,10 +9321,20 @@ "version": 4 }, "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Spike in Privileged Command Execution by a User", + "sha256": "99ea8a26e2591f788b098171cdedaae4b59e16b257d990f96f5dc7fda4e3c272", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Spike in Privileged Command Execution by a User", - "sha256": "99ea8a26e2591f788b098171cdedaae4b59e16b257d990f96f5dc7fda4e3c272", + "sha256": "7279a20292c17acab33b638a44a567480719079cc6518fe2f59f35f86e1e2cd4", "type": "machine_learning", - "version": 4 + "version": 104 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "rule_name": "PowerShell Keylogging Script", @@ -8602,9 +9350,9 @@ }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "1c15b9f9ecabc1e9ea3b53c43b74d34537d72cfcb2a559de97b42c679cd01e2c", + "sha256": "f236da0018f3c95714b7f47d42df3c3389fcd252069efa50f02ee8bebb468f09", "type": "eql", - "version": 213 + "version": 214 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "rule_name": "Deprecated - Potential Pspy Process Monitoring Detected", 
@@ -8620,21 +9368,41 @@ }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "e871b5c50d55beb37d562677eaaf824b9df867ed5271d206f1349f94c364ad54", + "sha256": "323b023b910fe57bf68c4ee7c7f42ca105f711cba9f209b1d645d3aed26754b8", "type": "eql", - "version": 109 + "version": 110 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 210, + "rule_name": "Host Detected with Suspicious Windows Process(es)", + "sha256": "78e88e33d9c078480535176d94c745523d1b5cdc53faa7f6dc0c4bb98f303dca", + "type": "machine_learning", + "version": 111 + } + }, "rule_name": "Host Detected with Suspicious Windows Process(es)", - "sha256": "78e88e33d9c078480535176d94c745523d1b5cdc53faa7f6dc0c4bb98f303dca", + "sha256": "65c718364c96010a79d85d5d5f9d03c5177768aef95e93280491ac2544384804", "type": "machine_learning", - "version": 111 + "version": 211 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "Unusual Remote File Directory", + "sha256": "3b62f382cca1d5aa8845239afb457e39f5a035382660884911727b4dd5f91aba", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "Unusual Remote File Directory", - "sha256": "3b62f382cca1d5aa8845239afb457e39f5a035382660884911727b4dd5f91aba", + "sha256": "a88cb06ef463fb2f2dd4327dd31c5d47692a0c11539c9e458a25c9f32b348668", "type": "machine_learning", - "version": 9 + "version": 109 }, "be70614d-4295-473c-a953-582aef41c865": { "rule_name": "Potential Data Exfiltration Through Curl", 
@@ -8644,15 +9412,15 @@ }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "9528420d04a587758e5eaa1726f14ac0ca1f92c1f939f9ed2d5d86484aa588f7", + "sha256": "853a34a2946e5ecec7fb8aa33493f0183af98ee1e12913a1f1ca34a825ff5e66", "type": "eql", - "version": 316 + "version": 317 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", - "sha256": "e53e01ad1dad386bc602403ad1b1c7f04959ea318f3613e082d51bf040d08cf0", + "sha256": "4b30455cb83458f81769269a3dcfb5e5d22f50e9966e84c186dacdc5f9522ba9", "type": "query", - "version": 213 + "version": 214 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", @@ -8661,10 +9429,20 @@ "version": 8 }, "bfba5158-1fd6-4937-a205-77d96213b341": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 106, + "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", + "sha256": "f07aa0be2f6927907b2a0cf3a08fffbd806adb3c5bfcc5b8d825a8b68a8e5cb0", + "type": "machine_learning", + "version": 7 + } + }, "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", - "sha256": "f07aa0be2f6927907b2a0cf3a08fffbd806adb3c5bfcc5b8d825a8b68a8e5cb0", + "sha256": "e2736f2b927fe65d4fc0264b0645cba4262fbd1677b221588f935a637edb5e29", "type": "machine_learning", - "version": 7 + "version": 107 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", @@ -8674,9 +9452,9 @@ }, "c0136397-f82a-45e5-9b9f-a3651d77e21a": { "rule_name": "GenAI Process Accessing Sensitive Files", - "sha256": "fff30a21597fa127c872708fa401f4c529403d667c7125ebd8013e5aad23a140", + "sha256": "134cfa1f39eb9de34659e1a3b3376c319f97cac34e9345822e80b746e87ef752", "type": "eql", - "version": 5 + "version": 6 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", 
@@ -8686,21 +9464,21 @@ }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "8982ff1e520c4ea2fac7e7d0c08177e42ec01a9859b6966ac01685fc4a948f22", + "sha256": "63b630a4079956218800fd38dd401b49b8fcbb14220e88d30244daf881f1fcc7", "type": "eql", - "version": 314 + "version": 315 }, "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { "rule_name": "AWS IAM Login Profile Added for Root", - "sha256": "5ea4300c4120cd499f435e400fee9a298ff5ccdefb2e57454d86d5af86e773de", + "sha256": "fc6421375be76d4d0aeb919f460c45ddcd0823a216c78aec752e89f1a089b287", "type": "eql", - "version": 6 + "version": 7 }, "c07f7898-5dc3-11f0-9f27-f661ea17fbcd": { "rule_name": "Azure Key Vault Excessive Secret or Key Retrieved", - "sha256": "bcd9f7ffa49224ec115854a811b87d190eda31293324e0f9f94550270b0553ea", + "sha256": "1a9df36b88aa341eba95bb3b90d846a7070a161bef16b21afc3a02d9cadfb33b", "type": "esql", - "version": 7 + "version": 8 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", 
@@ -8727,41 +9505,50 @@ "version": 12 }, "c17ffbf9-595a-4c0b-a126-aacedb6dd179": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 100, + "rule_name": "Rare Azure Activity Logs Event Failures", + "sha256": "c7ab4512404f799560ec6c788cef728597921e7cd5a135d3d184b219d3352eea", + "type": "machine_learning", + "version": 1 + } + }, "rule_name": "Rare Azure Activity Logs Event Failures", - "sha256": "c7ab4512404f799560ec6c788cef728597921e7cd5a135d3d184b219d3352eea", + "sha256": "e2a374e0c05a03580026cac6094e7fd3d00628dc2cf6965875239f25a04d15b0", "type": "machine_learning", - "version": 1 + "version": 101 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "4976c842ac56a58e89e3692662b9d7ff044c8e03e60f14cdb0b9e605c1b53a27", + "sha256": "ffae753e96e57c8e771abab86446ad7034e302f6824a3d98b89951e0504bc73c", "type": "query", - "version": 212 + "version": 213 }, "c18975f5-676c-4091-b626-81e8938aa2ee": { "rule_name": "Potential RemoteMonologue Attack", - "sha256": "ca2e72f536d6b88239ddbccd6ba2ba34e48002360725af8721e789991edd95b0", + "sha256": "16d7957c1ba269d9800613670f3519ba0d0c45ab20abfbfd3ab60967da2d7b5c", "type": "eql", - "version": 5 + "version": 6 }, "c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collection Deleted by Unusual User", - "sha256": "88df0fc3cd338a29ae8295259e9f0d1dadb41f0c776597e8de99f353aac0fa2c", + "sha256": "2b8eebb4194717375909b29a3d0a794425d40404f5ccf9adf851172212ad6a63", "type": "new_terms", - "version": 1 + "version": 2 }, "c1a9ed70-d349-11ef-841c-f661ea17fbcd": { "rule_name": "Unusual AWS S3 Object Encryption with SSE-C", - "sha256": "a9287ee9d3d4bfdbb455e4a588537f4c1168ad937f0b7bef1edde049c7340b82", + "sha256": "53db6d3be010ac57b9e40bf2d75485e498825d37934550bd8ab3cf91ba0d85e7", "type": "new_terms", - "version": 7 + "version": 8 }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { "rule_name": "AWS 
EC2 User Data Retrieval for EC2 Instance", - "sha256": "4c7dfeda31d6b9f55e701a3ccf5e3844215e4192a77f9754e1b26786019ec889", + "sha256": "bb336839fab870f4b8ceed4a37e64fa3808c9d4ec3557d5d7eb61cb308f89cab", "type": "new_terms", - "version": 8 + "version": 9 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", @@ -8777,21 +9564,31 @@ }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "0de4bcec251458feeef6095e125d1e7b8c7bc63b1d7765d3d4985b8da3134aa2", + "sha256": "15c9365c2dc0db9a2589e15db7b4b7501e9c649fc3fbb9a88d897d259c436389", "type": "eql", - "version": 317 + "version": 318 }, "c28750fa-4092-11f0-aca6-f661ea17fbcd": { "rule_name": "Entra ID Sign-in BloodHound Suite User-Agent Detected", - "sha256": "a74e5dcb922b935e0a5a8037cb69bdb8c8bac9fd85a6efbce0aba2d6a83cc17c", + "sha256": "3bb7c14559704f363959d8ac1e158dcd85bbb01bd5c2d2cf2c3355b5257e5843", "type": "eql", - "version": 2 + "version": 3 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Linux Network Connection Discovery", + "sha256": "34592f9549c2e381560c9c9a7a71bbb31090e65c7531ba8336578f4a2af2563e", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "34592f9549c2e381560c9c9a7a71bbb31090e65c7531ba8336578f4a2af2563e", + "sha256": "3dc62da3e3d7eced397232fa5845611453226b59e213bd3c2165f786154ca80d", "type": "machine_learning", - "version": 107 + "version": 207 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", 
@@ -8825,21 +9622,21 @@ }, "c37ffc64-da75-447e-ad1c-cbc64727b3b8": { "rule_name": "Suspicious Usage of bpf_probe_write_user Helper", - "sha256": "79f81b31e333915bbf3e7382c64a9a9f90b70d4aeb44491d2533694141db7e60", + "sha256": "7382f00fdf9d126382835eb8bee6dff6b8ee9806023856161c3f82b90b2ca17d", "type": "query", - "version": 4 + "version": 5 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "57e4a08ffa96452406d4b8eb47338b427e8c0f19c4d9c4b6d555820452c0b984", + "sha256": "b9c56c9a20ace3bc3fc78855f5384c2dec88d65867ea54fd2fd45a6624a047ce", "type": "eql", - "version": 413 + "version": 414 }, "c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f": { "rule_name": "Azure Compute Snapshot Deletion by Unusual User and Resource Group", - "sha256": "4f7950f2cb33bcd3c247ed3ad7b355be1a37c80d1fd2c9ef6f270eef5505deb3", + "sha256": "a1d9d307839b1e0d90287d6c6ed01a10b4b39429715cb89a1c24aa185ef4492a", "type": "new_terms", - "version": 1 + "version": 2 }, "c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": { "rule_name": "Suspicious Execution from VS Code Extension", @@ -8849,9 +9646,9 @@ }, "c3d4e5f6-a7b8-9012-cdef-123456789abc": { "rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity", - "sha256": "2caa4a4c527982a8446df9b6583559e7fa1f9730c1b61832b7d8e8be02e594af", + "sha256": "0e3a9be309a444967ebb0ea0d972afde8a15a17b8b25372f908c366b1d81db60", "type": "eql", - "version": 2 + "version": 3 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", 
@@ -8861,21 +9658,21 @@ }, "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c": { "rule_name": "Multiple Remote Management Tool Vendors on Same Host", - "sha256": "add88597d7ea3d73b19793a00e9750921e39c153eaefdf2a8a06b9bd6c4e6499", + "sha256": "bb0004476c118e6a0783893ce621cedd20035c35d6205ba320c71448dd2b9e56", "type": "esql", - "version": 1 + "version": 2 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "fdd1ad3da3e246ada1aaa83d67e8f2b8a887e5f1473d9de6e4a45910ca70e4ad", + "sha256": "b69112b9cafbfcd365bebf2c22e596a99a63a10cf01180b523188c55ecc88f55", "type": "eql", - "version": 315 + "version": 316 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "bdbd89ee7db4fd96cf5fb0c39b561b6daedf290cb18f66ed80fa0442e0a5d44b", + "sha256": "943b2811488cda0e376e6e9ef5c029b1def78495ec736595c845aed4b8336700", "type": "eql", - "version": 311 + "version": 312 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "rule_name": "Windows System Network Connections Discovery", @@ -8886,9 +9683,9 @@ "c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": { "min_stack_version": "9.3", "rule_name": "Multiple Rare Elastic Defend Behavior Rules by Host", - "sha256": "4542646fbec130c4f8575763a13a38d14024a3c708f352f590be00d4942eb20e", + "sha256": "fc81aa909cb501f68b3d1b1b9a5221be71de1100519e486fe5065e5bcb504f44", "type": "esql", - "version": 2 + "version": 3 }, "c55badd3-3e61-4292-836f-56209dc8a601": { "rule_name": "Attempted Private Key Access", 
@@ -8898,15 +9695,15 @@ }, "c562a800-cf97-464e-9d6f-84db91e86e10": { "rule_name": "Elastic Defend and Email Alerts Correlation", - "sha256": "2fc11b38c2f8ec9a736588762b46af650ebd81d71745eec15c0d395e3ac69c4e", + "sha256": "528402d0123fdd13df1569d6585ab53fd0bf3472b4b499fef2548cbcfd86c95f", "type": "esql", - "version": 2 + "version": 3 }, "c5637438-e32d-4bb3-bc13-bd7932b3289f": { "rule_name": "Unusual Base64 Encoding/Decoding Activity", - "sha256": "e21136bfb6c1f28166ad9f1507c6fae94e9e72605c1e755f3dde075789a00a6b", + "sha256": "da1f84e12659e94d662d1fb025bfd67cce98ae3d0dc8fc7569ab49e95a0c4e8a", "type": "esql", - "version": 9 + "version": 10 }, "c5677997-f75b-4cda-b830-a75920514096": { "rule_name": "Service Path Modification via sc.exe", @@ -8916,15 +9713,15 @@ }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "5d22b0424e8074f59090697192854f19c4859b2ae43a07b5dfe118636a38dc63", + "sha256": "7c840986983f33b226bd6ec8dbb5af504749920819a8f73fcf5c660ed9c2debe", "type": "eql", - "version": 314 + "version": 315 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "f85e79d75f82ee75f3edce31aa9b650ee2f9ea037634e7e151fd698850c792ed", + "sha256": "2c04fe383e0cbfd24a060a3f7df45e8a67ad83994225466b84eee7b04d91bcb4", "type": "query", - "version": 108 + "version": 109 }, "c595363f-52a6-49e1-9257-0e08ae043dbd": { "rule_name": "Pod or Container Creation with Suspicious Command-Line", 
@@ -8934,15 +9731,15 @@ }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "3b29d97c23b63018824312b0e3bb53aea47e80865bd2e078156b6a7eb1a048f2", + "sha256": "5d9696aa7470d82d5b341d9d9b1c9686dcf33bc837c741f96d4d9c92fb9d9ab8", "type": "eql", - "version": 212 + "version": 213 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim Databases", - "sha256": "2c5071fe46db0c491dbbe580964a42198e0d9e80cf5e02cb790b52b95aa3346b", + "sha256": "78689f6260a231bdf8d954f2a1592fb9a7483bb5d51d011e4d227c9095db6931", "type": "eql", - "version": 313 + "version": 314 }, "c5da2519-160c-4cc9-bf69-b0223e99d0db": { "rule_name": "Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt", @@ -8952,15 +9749,15 @@ }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "edbd3217e44f72ff853e25abf17ad68fd778160b077a05496ed7287c137fc8e4", + "sha256": "b5e7d3011d917cca11ecc38c4bf883d12027810573c0f810b37ed63b177d26d1", "type": "eql", - "version": 316 + "version": 317 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "847e2b8eecaed755caafcb1b8eddd7fc4b22f1758a6fa63874850974cc588937", + "sha256": "427f6a1dc62cfc31d666ea507e0534d2ccb1b1ab11ded936a7c642aca66c0ac2", "type": "query", - "version": 106 + "version": 107 }, "c5fc788c-7576-4a02-b3d6-d2c016eb85a6": { "rule_name": "Initramfs Unpacking via unmkinitramfs", 
@@ -8970,9 +9767,9 @@ }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", - "sha256": "305950cba100ed21b2be7795222a4af5d37fb8e2237f1b3fbcd6a111d76ce8c5", + "sha256": "51caec534b384653b57e7c49545a0af79935172597bcae1c48917fec69296cb3", "type": "eql", - "version": 318 + "version": 319 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", @@ -8998,15 +9795,15 @@ "8.19": { "max_allowable_version": 105, "rule_name": "AWS IAM API Calls via Temporary Session Tokens", - "sha256": "327ff75523310cbad3219c26ebc97ff87df70d0380a60c4d9607b8c0bf433c89", + "sha256": "98462394a43af08b12e31e4b72725b2ed44e614a442c664eefc4aa99c918bbf4", "type": "new_terms", - "version": 6 + "version": 7 } }, "rule_name": "AWS IAM API Calls via Temporary Session Tokens", - "sha256": "e51a13afb9b1276561368d3c0c84bd100068d5317bcbdf866a80643237f4e16c", + "sha256": "900d6953f4a641966f554449d8d96bb0358a325597f719a61787949c359dcd23", "type": "new_terms", - "version": 107 + "version": 108 }, "c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": { "rule_name": "Mount Launched Inside a Container", @@ -9016,15 +9813,15 @@ }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "c52cfad33cb4e250d22ce58eae016d2063b67a5e56c310c77fd3d68bf7ca8b93", + "sha256": "db008a5c21d6a79b33bf9ea050857ae15016c5c6e40839e50335eb211f5f1295", "type": "query", - "version": 413 + "version": 414 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "rule_name": "Attempt to Modify an Okta Application", - "sha256": "7aba5f4848c54d1dbdf9f339b258ef0b10e8f0ced4be14bbe8731c72fb21c2ae", + "sha256": "2e4dcf9c3c6df85922d74052995819ef82f67954d3d74e3ce29388cb2497151b", "type": "query", - "version": 412 + "version": 413 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", 
@@ -9034,9 +9831,9 @@ }, "c766bc56-fdca-11ef-b194-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Client", - "sha256": "f109d4fc8194a0bea030cd351da44fecb6da97d3d264195c2d2f218e04018ff8", + "sha256": "2754c97acd73e4a1a90ee94002f7eb0e7e45f5d98ba148f2d48097b6cf7db360", "type": "new_terms", - "version": 6 + "version": 7 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "rule_name": "Unusual Network Connection via DllHost", @@ -9046,9 +9843,9 @@ }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "9aa019833cca8394d175d9d6f5b2baacae100ed7cb549100a54180eef77ea9bf", + "sha256": "ce477162c8755daf91cd6ec21a989119639bc8eb2c0373f6e74309d5885da2ca", "type": "query", - "version": 209 + "version": 210 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "rule_name": "Unusual File Operation by dns.exe", @@ -9070,9 +9867,9 @@ }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "80690e02a31f15148910ec2ee7236e4bc03cc849563c838fd8af5e90a1444b1e", + "sha256": "42a1def48edf95e66bba9917968e37b02d107299091e27f6e56e91e279f010ff", "type": "new_terms", - "version": 109 + "version": 110 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "SMB Connections via LOLBin or Untrusted Process", 
@@ -9106,21 +9903,21 @@ }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "7371f8792db6004595209da0e87adcbc16e1e4332f7ebd4d5ffa984adab5790f", + "sha256": "0a734ad1795c3fce393559e4e4e0ef121722612a0ce4601020f58a7da3a813eb", "type": "eql", - "version": 318 + "version": 319 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "15827979279c1de9ee31614d226959b7c9932923d85da38e9b599c365263ebbf", + "sha256": "a2220285e98be5aab8154e1950a90b23b8379d2a5f452444cc57a2b7334fcbb7", "type": "eql", - "version": 317 + "version": 318 }, "c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2": { "rule_name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource", - "sha256": "c69ebd1e055528c11c168ab190eb8599b27185d2fce7ea7a2e92a40a5426437b", + "sha256": "bd1d6bba6db66e65f1767382604d9b24e1294f3a9ffa4af53d24e543b873f322", "type": "new_terms", - "version": 3 + "version": 4 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", @@ -9130,15 +9927,15 @@ }, "c9636a6e-125e-11f1-9cd3-f661ea17fbce": { "rule_name": "M365 Exchange MFA Notification Email Deleted or Moved", - "sha256": "1f5b1b963a4b1164cc7a7bd1d5e092a5dc02deb402165183832e4dad3cc03f67", + "sha256": "094dc18b50795209d755efb3bdd0584e88c9ec87bae1488a08941d8589795aaf", "type": "eql", - "version": 2 + "version": 3 }, "c9847fe9-3bed-4e6b-b319-f9956d6dd02a": { "rule_name": "Potential Remote Install via MsiExec", - "sha256": "4546208062ec7234e2d91a8987203f9e246829ab84b577d600d62df86bc13a38", + "sha256": "f93b27bdd4b70cc82f1cf6f0a3fa8f2039075591b03ecdd285aed4eb6a1fab18", "type": "eql", - "version": 3 + "version": 4 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", 
@@ -9154,9 +9951,9 @@ }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "M365 Exchange Malware Filter Rule Modified", - "sha256": "b107f7712f9a208373f6b2998e169a884c9513c8140ee511d87325185fd7649e", + "sha256": "40e40f2b6cade21188d70b1cc6876d692ccaf50e173a15c2d7f5bc6e26d1448b", "type": "query", - "version": 212 + "version": 213 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", @@ -9166,9 +9963,9 @@ }, "caaa8b78-367c-11f0-beb8-f661ea17fbcd": { "rule_name": "Entra ID User Reported Suspicious Activity", - "sha256": "234b1f812cc26ea5ae0c3204d763111e0adf06969bee74d8d97d614d0467f805", + "sha256": "942738b94399d43ced484e1f6170b1627d22e29e30946bf629ef8b2978c50837", "type": "query", - "version": 5 + "version": 6 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", @@ -9184,9 +9981,9 @@ }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "e0fa508f8a66ea03208554588ec6fdeace556b98a7dad66db3bb6d13f40f9328", + "sha256": "8c2d19d60ea0eca73775d4c700e75c6ce53042b1235213dee6ff1a31e37bb5b1", "type": "query", - "version": 211 + "version": 212 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", 
@@ -9196,15 +9993,15 @@ }, "cbbe0523-33f3-4420-b88d-5c940d9e72c1": { "rule_name": "FortiGate Super Admin Account Creation", - "sha256": "16b6c260bc4650bc90da2cee64b21e22b2c5661ea91d7c4babb2ba055292197a", + "sha256": "d7217f55364d8322b66e8c599721d64499e35c2cfb070e0b4e9ec22e497896a1", "type": "eql", - "version": 1 + "version": 2 }, "cbda9a0e-2be4-4eaa-9571-8d6a503e9828": { "rule_name": "Kubernetes Secret Access via Unusual User Agent", - "sha256": "216b03bd8030750a1829b8992b0cedc35d4862d62686159b6ce6dd6438776fd5", + "sha256": "5c721d5177cca18be2b221ec5d1a2c3dbecc53be6c90ecc978f09a0ae0be5672", "type": "new_terms", - "version": 2 + "version": 3 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", 
@@ -9220,39 +10017,49 @@ }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "821fa84a157656b3c90f9017a3af1f8a6c21d8ad85fe4c3b0219312cbff30633", + "sha256": "276e47f1c1a7661fdcc6d3c2b07f2989d6a5b3e39c40c0dfdf0fd3f7b8bc418b", "type": "esql", - "version": 310 + "version": 311 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 106, + "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", + "sha256": "cccf8163251c02a31b7641f4b2d35ec23a5878faccdeab0923ab6cc423dfcdaa", + "type": "machine_learning", + "version": 7 + } + }, "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", - "sha256": "cccf8163251c02a31b7641f4b2d35ec23a5878faccdeab0923ab6cc423dfcdaa", + "sha256": "e2f7d9be525edcabce6a79ec3d4e29a0d63faf3b3ce5c662631e46deee74aeb8", "type": "machine_learning", - "version": 7 + "version": 107 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "rule_name": "Google Workspace User Organizational Unit Changed", - "sha256": "338376af242b33172d898fba84ece33ffc3f89c31fe7c92c5a081072164b5732", + "sha256": "7ec6f7bcf0fd4a713ff9c6ad38220d76e00bca8d333e36385bc55f3afc788495", "type": "query", - "version": 110 + "version": 111 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "7471cc381cf028628928655debc7fbfb438f73b595c02aac92e7e2c426a66d7b", + "sha256": "0b14b06375574bc3460aa42b0883902a71dda721561cbc763b1346983d30439d", "type": "query", - "version": 108 + "version": 109 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "d7d6be81fb7b35412b0959c15b374ed93f960acb5195bc2d0ca60ac6cd18890e", + "sha256": "f78afd3ef31ec247c8f93c3bded0ef9093593d4a4242d2da616e845a91d47463", "type": "query", - "version": 415 + "version": 416 }, "cca64114-fb8b-11ef-86e2-f661ea17fbce": { "rule_name": 
"Entra ID User Sign-in Brute Force Attempted", - "sha256": "9df42e5af70c365bde3d6b8c7f2c2fd5602c895442f168e2225bc2f3411e9c6a", + "sha256": "03733a40c7cef679b8f46e2d735e95dae23af1aef4b86abd1f8bcfcc58fb55b8", "type": "esql", - "version": 7 + "version": 8 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", @@ -9268,9 +10075,9 @@ }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "cc7b5ab7a7faa4c73249b1efd1b07de83a0946a5cc0c23ca201e6037eda52681", + "sha256": "1f05b381a736d947775748f47767925c574667300ceab8fba31733fe5f0f0fea", "type": "query", - "version": 414 + "version": 415 }, "cd24c340-b778-44bd-ab69-2f739bd70ce1": { "min_stack_version": "9.3", @@ -9286,10 +10093,20 @@ "version": 100 }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Anomalous Linux Compiler Activity", + "sha256": "35c7e422c3df463c1657227267587350013b8a6f6625e624b528caddc9621936", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "35c7e422c3df463c1657227267587350013b8a6f6625e624b528caddc9621936", + "sha256": "d580170ce5f9b525d575b03481dc0cff351e862ea09c42f5d0d27f1e1567dc86", "type": "machine_learning", - "version": 108 + "version": 208 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", 
@@ -9305,15 +10122,15 @@ }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "36660dae7d9205f03ce3876ce3eedb67e5ec8da8ad60110fc05fa3f1a469959c", + "sha256": "d062e4cdfbd30c711e2dc526868a474e5bed707bf2cd718b1b73f589d6d63332", "type": "eql", - "version": 418 + "version": 419 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "rule_name": "Okta User Session Impersonation", - "sha256": "610364b7c0fca876936de34e1d2e6e8a594f33f2c5447b49b5d22711ac4ecc69", + "sha256": "d1e454f298e77b0999edbb6252ad1bb10f84eff94a05ea0522b3bb3c02859802", "type": "query", - "version": 415 + "version": 416 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "rule_name": "Potential PowerShell HackTool Script by Function Names", @@ -9334,11 +10151,20 @@ "version": 208 }, "ce08cdb8-e6cb-46bb-a7cc-16d17547323f": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 101, + "rule_name": "Unusual City for an Azure Activity Logs Event", + "sha256": "30df431b2784b5a707dfdd493977ad52e071e6ea4ef199bc4a1474e010c0f823", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual City for an Azure Activity Logs Event", - "sha256": "30df431b2784b5a707dfdd493977ad52e071e6ea4ef199bc4a1474e010c0f823", + "sha256": "e8a2532663bc99ed107bd3f71dfca99a418b5e691dd0c8311d997b2dcbcf37e7", "type": "machine_learning", - "version": 2 + "version": 102 }, "ce4a32e5-32aa-47e6-80da-ced6d234387d": { "rule_name": "GRUB Configuration File Creation", @@ -9348,9 +10174,9 @@ }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "a862f0ee4740add69347de8e985637bb8c15a241001db3f8cc128436def5ac73", + "sha256": "05fcf4923e2ab1c2028bc2b8bb3733a1d28ffc2e7f5bfa85808fdea3a03ed691", "type": "eql", - "version": 316 + "version": 317 }, "ce73954b-a0a4-4f05-b67b-294c500dac77": { "rule_name": "Kubernetes Service Account Secret Access", 
@@ -9373,15 +10199,15 @@ }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "9abac0d246326bd11a5c0f896b8ca3336ae4a3579c7adfc1acc36ff1c727bbcb", + "sha256": "1b90eba9a9e009732a4566d19620ff6a110c5d3ed75e1459e87850d2b6fa4d07", "type": "query", - "version": 107 + "version": 108 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "3f4624204ae6fd0f1eed09c6fb0f88bdb724fb91f46e9ff02a4313d8db5bdcff", + "sha256": "03ce40b74fdb6629caa18779e5369e9b7cb5144ddcc273d2708ffb29de856174", "type": "query", - "version": 209 + "version": 210 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { "rule_name": "Deprecated - Unusual Discovery Activity by User", @@ -9397,9 +10223,9 @@ }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "e97d7df79858f61197c671d6926f57ab3b88a69fabed29d9567f93e9f12dc290", + "sha256": "6ba048efa26f81cf99074f9d5ab47e57a06aa6efc47587dc2da656e57cc53c0d", "type": "eql", - "version": 320 + "version": 321 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "rule_name": "Archive File with Unusual Extension", @@ -9415,9 +10241,9 @@ }, "d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03": { "rule_name": "FortiGate Administrator Account Creation from Unusual Source", - "sha256": "cf55391bf0ce9a58032099e6d67ffab973f4413bbb9277d300fcc3580cd93f94", + "sha256": "7daf11e701fa16bab823faa10886c4ccaae4187b0fb8c0bd88c578e3fb308798", "type": "new_terms", - "version": 1 + "version": 2 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "min_stack_version": "9.3", 
@@ -9437,21 +10263,21 @@ }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "2c64f99b095d83c721adcf4da78d8dbb39c650eff71ecaf8b311d50c750be7ae", + "sha256": "7e7102b6d2aa5f3df0ba277e4de2f2ced080b82eba0b73f571febad41d3b7de9", "type": "eql", - "version": 315 + "version": 316 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "c72dc96083ad4f6a138434337eeaa80d3c9ee6abf005c9b38b48c3119c21eb71", + "sha256": "dfe87e82b95cd850ed842524e4d16719d5e78ff2a54aaa8a9d58abcbb72f32a8", "type": "eql", - "version": 317 + "version": 318 }, "d121f0a8-4875-11f0-bb2b-f661ea17fbcd": { "rule_name": "Entra ID ADRS Token Request by Microsoft Authentication Broker", - "sha256": "186fa8e9e48f17bdd811b333cc800a701fa71dbb0a502a7d08b690710e3d4f85", + "sha256": "7b37bd4e071c45f94202000f79dbdb61c43277a88f56832e69af3e5209713192", "type": "query", - "version": 3 + "version": 4 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "rule_name": "Expired or Revoked Driver Loaded", @@ -9471,11 +10297,17 @@ "type": "new_terms", "version": 5 }, + "d1b37c0b-4f8b-4cfb-9a1d-639bf8c028b7": { + "rule_name": "AWS Rare Source AS Organization Activity", + "sha256": "3aa90af79b03b53c743e4dcd0fd751c08cd550e2cc7cd3d6befd75fe1f03aa3c", + "type": "esql", + "version": 1 + }, "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { "rule_name": "AWS EC2 Instance Console Login via Assumed Role", - "sha256": "7d5d915447ba165dbd1403ff480fd59335c6ac23888a7f985ead6216cac3831d", + "sha256": "61f85c45874c50154a1dccbfdaa725b0313fe326ded94f01931dc0e5d05735c1", "type": "eql", - "version": 7 + "version": 8 }, "d1ee711a-a3ba-4d73-b5ab-84cab5b37fb3": { "rule_name": "Curl or Wget Egress Network Connection via LoLBin", 
@@ -9508,16 +10340,26 @@ "version": 1 }, "d2703b82-f92c-4489-a4a7-62aa29a62542": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Region Name for Windows Privileged Operations Detected", + "sha256": "7d7f91e46122ecfa96e68cf202a12ce57732a41f839a42d4fb9c06d5e92c3f06", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Region Name for Windows Privileged Operations Detected", - "sha256": "7d7f91e46122ecfa96e68cf202a12ce57732a41f839a42d4fb9c06d5e92c3f06", + "sha256": "0cedef065a88abd73d1662ab02552fdeee793d2ccf56f8eb78f729788dd786cf", "type": "machine_learning", - "version": 4 + "version": 104 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "38940757fca1ddd027a120feff3f423b8e79c1e6230955632fd198e0fe178c11", + "sha256": "9d7394a1e4a21cccec0748f65ac1a0f509f0a8bbff30c9057c877b2fd1b699cd", "type": "eql", - "version": 316 + "version": 317 }, "d32f0c27-8edb-4bcf-975e-01696c961e08": { "rule_name": "AppArmor Policy Interface Access", @@ -9527,9 +10369,9 @@ }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", - "sha256": "5d84f22c162fe4ff95b0ecc0aaf1ce02711745197686b3b097a7b8c8fd376267", + "sha256": "c110db8f631894bf1af9acb77a4b25e63ea0f70bc64d8684a10b9cee2659daa8", "type": "eql", - "version": 320 + "version": 321 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "rule_name": "Remote Windows Service Installed", 
@@ -9563,15 +10405,15 @@ }, "d488f026-7907-4f56-ad51-742feb3db01c": { "rule_name": "AWS S3 Bucket Replicated to Another Account", - "sha256": "64f021972b8c1ca4a6d06cdfb5fa138082847328da4dc274b4f759003ce1e67c", + "sha256": "6bd7b6a580b9950f4a7a1d4911e00797056e57451d2c13d8236fa85a164dfcc6", "type": "eql", - "version": 7 + "version": 8 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "rule_name": "Attempt to Delete an Okta Application", - "sha256": "55dcaf216c136ee36ab1a0795a0eac62cc5934afc12bf9c3aa62d375c85478ae", + "sha256": "e0d1d6ba9b6ddf06ad72a0643f809d174cf9219b545d4dafb9b3c180160d2b19", "type": "query", - "version": 412 + "version": 413 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", 
@@ -9580,29 +10422,49 @@ "version": 105 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 206, + "rule_name": "Unusual Linux System Information Discovery Activity", + "sha256": "6627f591ca6d6b6c00b13706a2d600da692be5dda59b7cc6c0e071c43106075d", + "type": "machine_learning", + "version": 107 + } + }, "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "6627f591ca6d6b6c00b13706a2d600da692be5dda59b7cc6c0e071c43106075d", + "sha256": "573b1809a649fa13bd4353d662f89857a9fe492c5d4c9c5572453e947abb52da", "type": "machine_learning", - "version": 107 + "version": 207 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Unusual Source IP for a User to Logon from", + "sha256": "c9833b1d069a636b244cc7e624faecf1e2964d7a6b4cf53d49455c51c3a33462", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "c9833b1d069a636b244cc7e624faecf1e2964d7a6b4cf53d49455c51c3a33462", + "sha256": "eb3d13a478da5da270de435f9b6c3ac9f2aaa9e410767a5c8d5872f74b1a0e79", "type": "machine_learning", - "version": 108 + "version": 208 }, "d4e5f6a7-8b9c-0d1e-2f3a-4b5c6d7e8f9a": { "rule_name": "Azure Compute Snapshot Deletions by User", - "sha256": "3b5f8417da6870bbbcd433aa8a0d8ee6fca9e4ba3a22e13e4b4928bf9729e344", + "sha256": "0590c3ea783eef7a74ae9523153050ad013e39861a445e6d94296ba3c30fcb00", "type": "threshold", - "version": 1 + "version": 2 }, "d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a": { "min_stack_version": "9.3", "rule_name": "Elastic Defend Alert from GenAI Utility or Descendant", - "sha256": "cdaceb7b07acc4eed0fec1f0d29c98302d3dc5d01f0bb281c84fc3555fbcd5d8", + "sha256": "2f69f97c7af3342e8ab161cd591c78a70c34aaa5b8ac43abe43090bb0658f4c5", "type": "esql", - "version": 1 + "version": 2 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { 
"rule_name": "Linux init (PID 1) Secret Dump via GDB", @@ -9630,9 +10492,9 @@ }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "6f71886a7c6f57912198b39f952f340684fd719a263e0f0d8b567dfb6623aceb", + "sha256": "072f511c23260ba660cacdaedd1876a631d69a1b695e05b41ea3ca3448285f51", "type": "eql", - "version": 314 + "version": 315 }, "d591d7af-399b-4888-b705-ae612690c48d": { "rule_name": "Newly Observed High Severity Suricata Alert", @@ -9642,9 +10504,9 @@ }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "f7406f6e8e4f99730b2de0d9ba6def938c6d07a72f848be0b8200535ccd2b8b2", + "sha256": "3086f8e9b0537db524ac52264f95c531385a9dd43a5942e444649fcad336c138", "type": "query", - "version": 414 + "version": 415 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "rule_name": "Service Command Lateral Movement", @@ -9660,15 +10522,15 @@ }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "00f4d49dfeb68624a5a87a0c501c0520de98b897d23522a52d9087cc2b8b5ae8", + "sha256": "a46f7108d987f5867d7a89f6ebead05786233dab13864eafc0980d67d2bbb886", "type": "query", - "version": 214 + "version": 215 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "6e71e2cf0d9f82acce1ceeef7b183af71e081896822b2f273db61ec4f9205018", + "sha256": "afdbda3dde84fa473ded32b17d3c9c5a7f31bc6f7d069c45b4bd2a449afcae34", "type": "query", - "version": 109 + "version": 110 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", 
@@ -9690,21 +10552,21 @@ }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "M365 Exchange Anti-Phish Policy Deleted", - "sha256": "89b6c0d37db190728f7703cf10c9b41edff3a8b275ded8492b41442a5fec841e", + "sha256": "9511b82aeec35d19961ca08da3e0fe578cfd57551921a610cef015721b43bc6e", "type": "query", - "version": 212 + "version": 213 }, "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f": { "rule_name": "Potential Protocol Tunneling via Cloudflared", - "sha256": "abcda99d0ac746a4fc37a83d52500fe44b794d2e3de44be7f01e91efeb3365fc", + "sha256": "76594b537309b62a6332acf25ec49b7c7616afa3252db592dcfec57246b789dc", "type": "eql", - "version": 2 + "version": 3 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", - "sha256": "f4b6260448b7a26cf9adb6e7177332c244726837dc94096e73f440a181ccc543", + "sha256": "a72ea9c7944a2303732301622a236b1e0a7e378bd01ec1a5d51b697c657509e1", "type": "eql", - "version": 215 + "version": 216 }, "d7182e12-df8f-4ecf-b8f8-7cc0adcec425": { "rule_name": "Pbpaste Execution via Unusual Parent Process", @@ -9714,15 +10576,15 @@ }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "rule_name": "Command Execution via SolarWinds Process", - "sha256": "0fa5e6c2ae95f0dfa6d132058644c70bac38f08a2148bf5eb9b6a26dd7ceaf09", + "sha256": "4c02d68cba9c1e12bd6c5c82c6aa0353233a5bd74138dd786dec8c2ab7584ef6", "type": "eql", - "version": 317 + "version": 318 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "M365 Exchange Malware Filter Policy Deleted", - "sha256": "e780cde82962256d0374ac831ca3dc39e6d52813d73183a96cfb483efd87b81e", + "sha256": "3adaab0d509bfe15b688bc4f88053464321d610fa1ec88316130980d84582fb0", "type": "query", - "version": 212 + "version": 213 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { "rule_name": "Suspicious Memory grep Activity", 
@@ -9750,9 +10612,9 @@ }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Storage Permissions Modified", - "sha256": "04d0604eeb569168c49ba3fff5148538e9a7bb8f62ad4d0388884ad098c0b8ae", + "sha256": "ded822ec5092e708b8c124227dbc29b933f95ea146bf4d92834bc41105e150bf", "type": "query", - "version": 109 + "version": 110 }, "d7b57cbd-de03-4c3b-8278-daa1ee4a6772": { "rule_name": "Suspicious Apple Mail Rule Plist Modification", @@ -9761,16 +10623,26 @@ "version": 2 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Spike in Logon Events", + "sha256": "317c0266782452758057ef761b442ef54ece9724de45c6cdbb81cc02870772b1", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Spike in Logon Events", - "sha256": "317c0266782452758057ef761b442ef54ece9724de45c6cdbb81cc02870772b1", + "sha256": "c29b7f8eaa644ba59a41c217b164035424b0b42506ea6cae59993fbfea56b596", "type": "machine_learning", - "version": 108 + "version": 208 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", - "sha256": "1b97aafbc2e87437583540015fd4a60ee17b8cce9eb2877890ff1b0acaddf00c", + "sha256": "c178e9d7e36e0b5b1cf3a6ea0a34caf464db191f26285fddc7057024630851d4", "type": "query", - "version": 109 + "version": 110 }, "d84a11c0-eb12-4e7d-8a0a-718e38351e29": { "rule_name": "Potential Machine Account Relay Attack via SMB", @@ -9786,9 +10658,9 @@ }, "d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": { "rule_name": "Potential REMCOS Trojan Execution", - "sha256": "de2bb38e8505e749478ef2557b81ff9eae12440213cdd0c52622a3073c22dc90", + "sha256": "9980c44f4485b07a1b435cab511bf5458e092b30640924be72d91e2438814535", "type": "eql", - "version": 2 + "version": 3 }, "d8f2a1b3-c4e5-6789-abcd-ef0123456789": { "rule_name": "Ollama API Accessed from External Network", 
@@ -9798,27 +10670,27 @@ }, "d8f4e3b0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collections Deleted", - "sha256": "ffb8ee8defb030d0393b9f49ecbd35b48e0c588a1fc7aa474c0ea9783cbb4084", + "sha256": "38554163bf5d4d1b147f9137f117e510d8f097d49b32da256957eb1ab28fe4f0", "type": "threshold", - "version": 1 + "version": 2 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "c378e81d539a3f704e304bd4c6d57a1071b11423236b6d9e4e83211c3b44f00b", + "sha256": "f45c32cad0da7a071d36e956585cc06c542c9a29b537439c503a699b2e8937d5", "type": "query", - "version": 215 + "version": 216 }, "d93e61db-82d6-4095-99aa-714988118064": { "rule_name": "NTDS Dump via Wbadmin", - "sha256": "9e5b0489fe8d9d7ae6f525d392c077eeba531a182940f9c7e2e8647bb2dd4cec", + "sha256": "fc8d9dc1c85db27c1778ba643bc164fbce096808d9c5b24515b791f2f1ffe12d", "type": "eql", - "version": 207 + "version": 208 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "22a7a5716153adb0bc953cec387325f9ef05d38345803fda75f633945eb37555", + "sha256": "f0818620cb57af36acddfe05cb87d184601a31dbe28ba5e8bd4f5e367bd4cd38", "type": "eql", - "version": 317 + "version": 318 }, "d9af2479-ad13-4471-a312-f586517f1243": { "rule_name": "Curl or Wget Spawned via Node.js", @@ -9841,9 +10713,9 @@ }, "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "29d2d57874108eb0bb526cbbe763e14057fb72c2c14d18950933ef078eae2289", + "sha256": "dc6aa3431de19bd229cf92b2a7fd92a72dc57231303e70f142c18278d1252d14", "type": "eql", - "version": 207 + "version": 208 }, "da0d4bae-33ee-11f0-a59f-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection", 
@@ -9865,9 +10737,9 @@ }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "de90093e93bac48091417fa26435ce13733ef66d348b2ee5fcbe5c2ca5699a20", + "sha256": "ac80d6784eef014d5d717bd56c29935396cf714dca8daca8b0f19810e7f879d8", "type": "eql", - "version": 215 + "version": 216 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", 
@@ -9901,33 +10773,33 @@ }, "dacfbecd-7927-46a7-a8ba-feb65a2e990d": { "rule_name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access", - "sha256": "b55e9bf5bab3165f9e92907a31714efd1541a3c27caef7912bdccdb413cad2d6", + "sha256": "7698bb07813a340c67e08c1e0d6c46f4495d8677699f8d9107e8b142f7ca07f9", "type": "eql", - "version": 2 + "version": 3 }, "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22": { "rule_name": "Github Activity on a Private Repository from an Unusual IP", - "sha256": "42448295211edb528695e38e36a13b0bc15eede7df3a59c5d4c514a550b009ab", + "sha256": "cdc80e68084ebe217495f688541fa82a88b6d61c98e0db63dc780d2bdb4f097d", "type": "new_terms", - "version": 2 + "version": 3 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Entra ID MFA Disabled for User", - "sha256": "061f0a3c16c52b4cff078cf8c484ed2bda8d80c37c7dcd4537015b5550b61904", + "sha256": "f6bdc31ea3c2eddf3ce464b3867eaec5b1aa65d326c6a8d9e15c3efe12d9debb", "type": "query", - "version": 110 + "version": 111 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "faf5dd9126ff3012f925802c474c2d340c75c5ba8cd12879dfc2cbabb8338cfa", + "sha256": "6e224c057167fa26aaa27a33f7bd811779c22f5ad9633700f609bb4370bf1391", "type": "eql", - "version": 208 + "version": 209 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "0b959d13263be251adada90be36f876c59b1bb53e7184aba599101af6d35ab4d", + "sha256": "f76ad7b9fb4847f6b40525245b0e29dacce2fa7d10d5ca716e68e408ea6bf73c", "type": "eql", - "version": 215 + "version": 216 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", 
@@ -9937,9 +10809,9 @@ }, "db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f": { "rule_name": "Entra ID Service Principal with Unusual Source ASN", - "sha256": "ced2a6675c90bdc7a8113fa5ffacb65d0c64c765405c4273ee8ebbd57ef8e50e", + "sha256": "47e4c635bd2fc84b836711971b0d8c151eafaf5a921900bf220e58aea6fc9e00", "type": "new_terms", - "version": 2 + "version": 3 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", @@ -9973,9 +10845,9 @@ }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "568324dbf93bcb87f147152b79e01102b76bcd7b14fe051242a4ce8faa280f64", + "sha256": "47d52567d1c3bae001db77709a1e8aff40f889ce53a7aaf7c9c0218fccf56010", "type": "eql", - "version": 316 + "version": 317 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", 
@@ -9985,22 +10857,31 @@ }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "rule_name": "Suspicious Execution from INET Cache", - "sha256": "1ea6bb8df5954276dbd002347427e291629078ce75a18dfc0ced29444bfc0f2f", + "sha256": "ec304aa55d1d4f1641743ac7118be33facd1da2f08d730f7ba48d716f6a02747", "type": "eql", - "version": 211 + "version": 212 }, "dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 101, + "rule_name": "Unusual Country For a GCP Event", + "sha256": "c007ef6fbd3ab40348587d3c21a2cdd12d03971945ea59b220b0d84cf3b8d802", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual Country For a GCP Event", - "sha256": "c007ef6fbd3ab40348587d3c21a2cdd12d03971945ea59b220b0d84cf3b8d802", + "sha256": "e1b3ec7e1ad5085043b0e15521b9f164298bfc915884a6f8315a6e202ea53c00", "type": "machine_learning", - "version": 2 + "version": 102 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "351f30bfcb339806bbb9af10c53548984316f0e932c351ac864c6c430a64c343", + "sha256": "2b7957639fa00eb4accbdca13a0838679cdaf551e19fa110da943973ad6b4404", "type": "eql", - "version": 215 + "version": 216 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", 
@@ -10032,15 +10913,15 @@ }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "rule_name": "NullSessionPipe Registry Modification", - "sha256": "1216996a5132262ba297122d42364ea18a50edcf869b1069489c8a412c0adb3d", + "sha256": "54670e3e1725944f088814f1b96f6ce63d4af85c48b306a86e95cb55363fb2d1", "type": "eql", - "version": 314 + "version": 315 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", - "sha256": "65db2d31f29446ab309635049de6eda871a92d9ca2cc4aaff2e83bd9aea6239f", + "sha256": "ae224b4b5bf9c3ce6f6db645cadbc8352cd2f23dad4cf4b8359ff9cb689618e3", "type": "eql", - "version": 8 + "version": 9 }, "ddf26e25-3e30-42b2-92db-bde8eb82ad67": { "rule_name": "File Creation in /var/log via Suspicious Process", @@ -10050,15 +10931,15 @@ }, "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": { "rule_name": "M365 Identity User Account Lockouts", - "sha256": "5fa242623c50bffc4c3c740c31ded763d75588a49530b6f5eb3b31bc12da9a06", + "sha256": "d7a4520dfbdd8876810e3d8b792491901fb5aed727157e67a92fe4b5c8d92212", "type": "esql", - "version": 7 + "version": 8 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "25831887f2b7a10edc4724e5638ad06bd25f32f80be91516cad1f801bfd2738b", + "sha256": "db8b0f9495f33dd6f0ed0e0add94321c88265172b9fe68bff2cc99f47a0b8c91", "type": "eql", - "version": 317 + "version": 318 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", @@ -10074,9 +10955,9 @@ }, "deee5856-25ba-438d-ae53-09d66f41b127": { "rule_name": "AWS EC2 Export Task", - "sha256": "3aa818e94e0ceca563f3161e0dd4718d157e777ceb3844b0fd632a1ab4359fbb", + "sha256": "543ead44f26c16aa26bc746708c06f6531c20c28051bd501212c956b5a5e761c", "type": "query", - "version": 3 + "version": 4 }, "df0553c8-2296-45ef-b4dc-3b88c4c130a7": { "rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners", 
@@ -10091,16 +10972,26 @@ "version": 12 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 308, + "rule_name": "Unusual Windows User Calling the Metadata Service", + "sha256": "de5473b7189c06de5ae65d7300a87f99bc1f61cf9d84b7376eec6c9d45d247d8", + "type": "machine_learning", + "version": 209 + } + }, "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "de5473b7189c06de5ae65d7300a87f99bc1f61cf9d84b7376eec6c9d45d247d8", + "sha256": "b583da4a2219e9b0c1ca1bbb77ab1d2d1fa46c5e8caddef587789c410db5b995", "type": "machine_learning", - "version": 209 + "version": 309 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", - "sha256": "8feceb0ecaa575745516b5b6fa6e96ed670629de0b072d6623b7a23cf30b3eaa", + "sha256": "48fc5e51a731f7f4cd946c1dd4f14311045c44adaeefced003d70db94d583d69", "type": "query", - "version": 106 + "version": 107 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { "rule_name": "Dynamic Linker Copy", @@ -10110,15 +11001,15 @@ }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "6473e4704235670950fe8e088ecbe56511ae0184f0bd6e59a0b9180e5049b37d", + "sha256": "83dd265459b1aa87e352d134366f7a3ddb21c45e95d2c3239472e71faefe7530", "type": "query", - "version": 209 + "version": 210 }, "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", - "sha256": "b14d3376a6870792125d64eb34405c64d913f93a299965903e0b1ff9f69959e9", + "sha256": "e4dc1206fa6f829adfd9c13606980e85749ca4905cf5b656b4f4c60403d268c6", "type": "eql", - "version": 8 + "version": 9 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", 
@@ -10134,9 +11025,9 @@ }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "e999cb3a4b0dc22e6bf621d12d34b3c9d972a116d73a59a84cae559c5093f10f", + "sha256": "fabd1d888ece7ed98e8dbde37327e15de97291c9b270edd70a6f55113489b9d4", "type": "eql", - "version": 209 + "version": 210 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", @@ -10146,9 +11037,9 @@ }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure VNet Firewall Policy Deleted", - "sha256": "c5ebf331761eb929cb3aa28abbc6e6e5ff2244812d43b41c3454891a5215d9bd", + "sha256": "42fd83bb3ed5bb7a69511e4c90baba7006569871c9591996af8add54ba3f9535", "type": "query", - "version": 107 + "version": 108 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { "rule_name": "KRBTGT Delegation Backdoor", @@ -10164,9 +11055,9 @@ }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "f034b01432ed622dceca33fcee6b0a20e58534b28ebd9f3f19d7e0704c241ee6", + "sha256": "834c73e30108eabb04f904e2f9fb59222b3e3be8401ea3dc2ee9e6d14a39e09e", "type": "threshold", - "version": 416 + "version": 417 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "rule_name": "Potentially Suspicious Process Started via tmux or screen", 
@@ -10182,15 +11073,15 @@ }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deleted", - "sha256": "559b805067103320ffad40ebda7a5b86b7d10c1182ba107d81d2f7ce751c65b5", + "sha256": "c2a4134579286f6aa1a9ecb0c4e6b4e70eafff7901ea15b721a52a78df45774d", "type": "query", - "version": 108 + "version": 109 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS EC2 Route Table Created", - "sha256": "b983d55d9f9e65d786d7452230981e4a6660f4a50f8d82e7719771595ab5e928", + "sha256": "9b67864d91e23c630e30222f8b30ed291ee313d56d56ea5b11db2d831b11f177", "type": "new_terms", - "version": 213 + "version": 214 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "Deprecated - AWS RDS Cluster Creation", @@ -10205,10 +11096,20 @@ "version": 213 }, "e1db8899-97c1-4851-8993-3a3265353601": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 106, + "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", + "sha256": "1865ab89709d91f25e6761fe52e410b8cf0fe12c7ab1a66b8cff245fe6fe65ca", + "type": "machine_learning", + "version": 7 + } + }, "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", - "sha256": "1865ab89709d91f25e6761fe52e410b8cf0fe12c7ab1a66b8cff245fe6fe65ca", + "sha256": "f99d7c4b92f8aa673ebfc37fc27f755a33e5229dfab0fe63a64aeef8a64e7a63", "type": "machine_learning", - "version": 7 + "version": 107 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "rule_name": "Suspicious Mining Process Creation Event", 
@@ -10217,10 +11118,20 @@ "version": 112 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Spike in Successful Logon Events from a Source IP", + "sha256": "8b21616a77df814353badde453886243eb0d298bd177dfbd772563f9cc9a6229", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Spike in Successful Logon Events from a Source IP", - "sha256": "8b21616a77df814353badde453886243eb0d298bd177dfbd772563f9cc9a6229", + "sha256": "c5424dd0ac4759274a714f7da569350b4c2f72b6cda74241734321138dd7a90c", "type": "machine_learning", - "version": 108 + "version": 208 }, "e26c0f76-2e80-445b-9e98-ab5532ccc46f": { "rule_name": "Full Disk Access Permission Check", @@ -10248,9 +11159,9 @@ }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", - "sha256": "49e6685002f2a8bc63d3cf02f27027400fddc6ac909333f6472c52b60845fa6b", + "sha256": "0f802b676e0147391d3eea1fc954cdbc66de1ad2fe46885703ab67114a37fe22", "type": "query", - "version": 213 + "version": 214 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "rule_name": "System Network Connections Discovery", 
@@ -10260,21 +11171,21 @@ }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "e74a4c87a553413bb19d44ccacdd456c854985a1e328bf286519ec5247e28877", + "sha256": "2a73aa1062382340b6d1c8b5feaa90b1586d271f8c6b877ba90e22197e5635ca", "type": "eql", - "version": 213 + "version": 214 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "4e960095c85a68e958400a6cd5c3532f44c0e0fbc405b12a955034f394db2720", + "sha256": "36b6b5019ee9b7a5b48f7670b52e9a166f90024d81f3bd64985d84d2426e79b1", "type": "eql", - "version": 217 + "version": 218 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", - "sha256": "1ec9e881d24cff075f684cd8fa0e526d97adbdeb15c05ac277f081cd676acc07", + "sha256": "320dce36d39b239293241a690b6787ec6882b7ecdc06c47d04b83e1b21d0242f", "type": "query", - "version": 107 + "version": 108 }, "e302e6c3-448c-4243-8d9b-d41da70db582": { "rule_name": "Potential Data Splitting Detected", 
@@ -10284,27 +11195,27 @@ }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "rule_name": "Process Activity via Compiled HTML File", - "sha256": "a6c6153c98664f409adf81e63b32ae1a3ca2b8d144d2a13c573d00499340e5f1", + "sha256": "658786f29cb72468ce246b59c6e70d5dcd04e3f37c00f382a463857d39a3335e", "type": "eql", - "version": 317 + "version": 318 }, "e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c": { "rule_name": "FortiGate SSO Login Followed by Administrator Account Creation", - "sha256": "9e1f35b42e0abee84eca783efa5268ffaccabb15ccc59983bf894ab3ffcb55eb", + "sha256": "cae7737dc54b6466c847d786b61bf90bd201f9da376d07c052e4788915499dab", "type": "eql", - "version": 2 + "version": 3 }, "e3bd85e9-7aff-46eb-b60e-20dfc9020d98": { "rule_name": "Entra ID Concurrent Sign-in with Suspicious Properties", - "sha256": "19bf150a514bcb726c88288192dc659d8509fa1529194019bce292e554cccee9", + "sha256": "e230bd798b5393d0a466b893a16c79efaaaf4e3d9fdbc2065bd6e9b11125eec6", "type": "esql", - "version": 6 + "version": 7 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "rule_name": "AWS Route 53 Private Hosted Zone Associated With a VPC", - "sha256": "1a3343a15af94307a50f89a7591854259c58491683ffa98e7dae0ac77201c3ac", + "sha256": "3b98604c6f720ab440e9969e3346fc5362018681bd80872c3f4fb70111fa3f4c", "type": "query", - "version": 212 + "version": 213 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Elastic Endgame", @@ -10344,9 +11255,9 @@ }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "a46b153b0713389e6a149aad3a4e95a3211eaf71a2a01173ffce0d26f520cae1", + "sha256": "bdb8ba5a49e48f7068f93d065fa8dae667a8f2b828e9d74eeb56ab6119ff210b", "type": "query", - "version": 414 + "version": 415 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "rule_name": "Service Creation via Local Kerberos Authentication", 
@@ -10360,15 +11271,15 @@ "8.19": { "max_allowable_version": 103, "rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token", - "sha256": "0cc36350d68626dc93304799effc87027ee6e7dfdb46469ccc949b5c0662e38d", + "sha256": "6c2fc392dbcba443e196542410750563e9e343c482f502df61fa7227e31fc2bb", "type": "eql", - "version": 4 + "version": 5 } }, "rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token", - "sha256": "ef461777bc1c5b00f31f1b5fdc917e63da77f9e2d0d6688eb02421290903249f", + "sha256": "58839416fc9659a82bb183c3877b216b52626c83025ba5e2caffa9396998ce00", "type": "eql", - "version": 105 + "version": 106 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "rule_name": "Kerberos Pre-authentication Disabled for User", @@ -10384,9 +11295,9 @@ }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "4190d8a82f489cf30bdb1c3e459ff20a7fba23cd32e4e1d1335f15f148d7d19e", + "sha256": "a6c636f24c7cf63487a0db4ee93fdb305a9e7766647d78bc310af47ac06f4733", "type": "query", - "version": 209 + "version": 210 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", @@ -10420,9 +11331,9 @@ }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "rule_name": "Possible Okta DoS Attack", - "sha256": "e15de9b379a466b490e8437eec47e33890de883cde4a19bcecec558f9ab20332", + "sha256": "f9ff8587149b2afa762f584f9089d3731b0b31ba76799adcff06c4fb444ae831", "type": "query", - "version": 413 + "version": 414 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", 
@@ -10432,9 +11343,9 @@ }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "33ff6f60a69292a6c4c66e86ae14dbbdb9b1055b1ff0a5a432a33b39150c5399", + "sha256": "727bfa432760b50171e1894d8c8b244ab5ccfc62c5b925c757c41d179d78d45c", "type": "query", - "version": 109 + "version": 110 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { "rule_name": "Potential Credential Access via Memory Dump File Creation", @@ -10450,9 +11361,9 @@ }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "51288e9d92eab1be4110bbd923499cd63439b5d593f3c03b97113ede4ed854e2", + "sha256": "c8ffadd7d5c18e26face0540aca44a270a072e30adab1cd36908ea93d648dd17", "type": "eql", - "version": 311 + "version": 312 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { "rule_name": "Potential Windows Session Hijacking via CcmExec", @@ -10468,9 +11379,9 @@ }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "64d958d4a218acf01c61ecb66ce870621c7a94e8ecaead58aae78712b51a9b5b", + "sha256": "e80bd4c0aced2a70668f8e19c3570f377d60d152d9baaa79c02cd9bf97d29419", "type": "eql", - "version": 206 + "version": 207 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "rule_name": "Potential Linux Credential Dumping via Unshadow", @@ -10480,9 +11391,9 @@ }, "e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS EC2 Route Table Modified or Deleted", - "sha256": "d6e17cd4b7605577f5364b33f69ef8cfeacdc0ff6fa835f466e93041f25078d7", + "sha256": "2205c6c53afda6b21954cb4f3f25c96fc5c6978dda5e38205c466147e8b8c8f4", "type": "new_terms", - "version": 212 + "version": 213 }, "e7e0588b-2b55-4f88-afd1-cf98e95e0f58": { "rule_name": "Suspicious Outbound Network Connection via Unsigned Binary", 
@@ -10492,9 +11403,9 @@ }, "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a": { "rule_name": "Potential Protocol Tunneling via Yuze", - "sha256": "8eab0b2e107b64ff573bea446ad50927cd61e27a98f5c3faa3e127a296d910b4", + "sha256": "c698a5dd73aa46f5357b0934369395a3365cfc47415a97c748d0d46a2d1e3e08", "type": "eql", - "version": 2 + "version": 3 }, "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { "rule_name": "Network Connection by Cups or Foomatic-rip Child", @@ -10510,21 +11421,21 @@ }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "e5f80c38f4b75c5c41e1df3f31ce447484ec6cd772fef27201c299778c3d9a1c", + "sha256": "d660ece482f75d7cd96afc32f328ef3da75e14c6210256367eff34e2422ec0f8", "type": "eql", - "version": 218 + "version": 219 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", - "sha256": "8f41ce2cba95e21cdd0446de79cfee143daa1fac5ca9af0a52476dc70dda83e4", + "sha256": "7ad0ba6e374e56c67b42d003ece36599d8e4bf876721370e0186aabc23fd43c8", "type": "eql", - "version": 313 + "version": 314 }, "e882e934-2aaa-11f0-8272-f661ea17fbcc": { "rule_name": "Microsoft Graph Request Email Access by Unusual User and Client", - "sha256": "7f3abd6af19c72f509c4ce685dac414568f214d8bb423d4dbb8b96b6bdc89ee7", + "sha256": "afb5abbe83d85e4bfc0c4355dcb0fcdc60a91012e0ee14f6f6fc77e177fcda7a", "type": "new_terms", - "version": 5 + "version": 6 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "rule_name": "Host File System Changes via Windows Subsystem for Linux", 
@@ -10540,15 +11451,15 @@ }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", - "sha256": "1fa214c361aeee1955b244162504604a4d9f3660758b8104be9e4921e015432d", + "sha256": "af263b39de7d96dc66778483b32a18131d2d78f294fccb516b20f02b3561d26a", "type": "eql", - "version": 9 + "version": 10 }, "e8ea6f58-0040-11f0-a243-f661ea17fbcd": { "rule_name": "AWS DynamoDB Table Exported to S3", - "sha256": "8294ab72a68c2b751f36db14d3d44d28561d4dcda0696365bacc740b85ccd147", + "sha256": "e9c43384f812c32ac9f5ea58d4ce394b5a607f68a6941a3949ad2dd1c8c6ed49", "type": "new_terms", - "version": 6 + "version": 7 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", @@ -10564,9 +11475,9 @@ }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "b068510e8bb733899c090234bf1ec0732842b70e90793bb61bdab5fc156be59f", + "sha256": "bf0cca05ac39585a934fe378753788c53700f3e8756741b90086a08ec42e370c", "type": "threshold", - "version": 416 + "version": 417 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "Deprecated - AWS EC2 VM Export Failure", 
@@ -10575,16 +11486,26 @@ "version": 210 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 107, + "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", + "sha256": "85e2742ed6e3a554393ca3c7c7b3462fbeb726e083b4f63bc562360141a1b8fa", + "type": "machine_learning", + "version": 8 + } + }, "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", - "sha256": "85e2742ed6e3a554393ca3c7c7b3462fbeb726e083b4f63bc562360141a1b8fa", + "sha256": "5b22d537d80ab2e0d67e5b165b971868811ca16c1d70bb8c02f4909f50c8945d", "type": "machine_learning", - "version": 8 + "version": 108 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "b561863cf2392c784c3c635360c7d06067db2c64a38ce4d486380f4e9764d4d5", + "sha256": "7344842c79c39ba6f55680e1dedd53f663835cb02806b42e6504959cc143270e", "type": "eql", - "version": 316 + "version": 317 }, "e9a3b2c1-d4f5-6789-0abc-def123456789": { "rule_name": "Ollama DNS Query to Untrusted Domain", 
@@ -10594,15 +11515,25 @@ }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", - "sha256": "ae65f0070012be05d928e6b1ac86c345635c083d43d2d847b0ce313aa91a6787", + "sha256": "6a67a961d41cd19f8d2f02fd3b8e799c0900949f8b7de12b782a1299f0d580fe", "type": "eql", - "version": 109 + "version": 110 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "Spike in Remote File Transfers", + "sha256": "2f20bc8bdb8336b52144c14c8d650bf10d1c3cd7ac2005fda6d231be3ce129cd", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "Spike in Remote File Transfers", - "sha256": "2f20bc8bdb8336b52144c14c8d650bf10d1c3cd7ac2005fda6d231be3ce129cd", + "sha256": "b5fc44379578795228550e1b83eaeb9e7e0126f4ed99201198f0cefb85c52110", "type": "machine_learning", - "version": 9 + "version": 109 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", @@ -10612,15 +11543,15 @@ }, "e9fe3645-f588-43d6-99f5-437b3ef56f25": { "rule_name": "AWS EC2 Serial Console Access Enabled", - "sha256": "903944fba71323174e8453b652660eea7df47c047e60636c873854ef24d3bdbe", + "sha256": "50914bbf617175010dadedcd2ca391ecc37c172b7ed25599aa28b3f97dd1e043", "type": "query", - "version": 2 + "version": 3 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", - "sha256": "8214976ada75f1392c7072b184b4e333f9e13a69726fc7c43c3ee15f2c60bf2d", + "sha256": "7c465669f1e16c050c57c78eaf0a6374fc5a02a2a17346e81ea0e4e1ce2aef99", "type": "query", - "version": 106 + "version": 107 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", 
@@ -10629,16 +11560,26 @@ "version": 100 }, "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 210, + "rule_name": "Unusual Process Spawned by a Parent Process", + "sha256": "cde5761fb379a2ebd52bded54373ddfa826286728ad4637aa03d845220da0c91", + "type": "machine_learning", + "version": 111 + } + }, "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "cde5761fb379a2ebd52bded54373ddfa826286728ad4637aa03d845220da0c91", + "sha256": "18f984692e2ec7a1945f11db130429aaea89ba4e32aa4187f2def7337275a873", "type": "machine_learning", - "version": 111 + "version": 211 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy", - "sha256": "2b7b3ae7b50956a57428f9c334521c176a71f1d3d2d7e9695d1eabb1de626e2a", + "sha256": "aa1c1625dd82eb24ec01c42ec65095f631d903642a4a3e7aed22ba4a1355b97f", "type": "threshold", - "version": 215 + "version": 216 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", 
@@ -10703,21 +11644,21 @@ }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "0b21aaef39779363afa674fe85ae790f2bd67dd153a8c951d0019ab3331332fd", + "sha256": "049ed275f9e00633360dfad95b59e9abe2f62709801aebb1d22d9a27065bf828", "type": "eql", - "version": 416 + "version": 417 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", - "sha256": "639dbba324d05efce28f2d414c6687f844c4a2bf1bf2c510e07a4ab8b7728728", + "sha256": "3ff4f50490412ad0eb518d45b5a7ba368f4fb9dee6cbaa53a7527d538a32f713", "type": "eql", - "version": 316 + "version": 317 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "rule_name": "Process Execution from an Unusual Directory", - "sha256": "a142efdb2037310db7836d7d03a99bebf545ffb3f5260aeb9930d874603d6d63", + "sha256": "637bb29efc1450770161fad323e0a381d7769cb0018aed79ca237ba22083e05d", "type": "eql", - "version": 318 + "version": 319 }, "ec604672-bed9-43e1-8871-cf591c052550": { "min_stack_version": "9.3", @@ -10737,9 +11678,9 @@ }, "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": { "rule_name": "Kubernetes Forbidden Creation Request", - "sha256": "d033bf3df19beb0e8f39e0a74b8438439e657b5a940999c60096803581fdc6d8", + "sha256": "09dc580af4f250fb15a73dc047af068447edce0b410ee07b9845a39184a09496", "type": "eql", - "version": 2 + "version": 3 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "rule_name": "M365 Exchange Inbox Forwarding Rule Created", 
@@ -10773,27 +11714,27 @@ }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Entra ID Global Administrator Role Assigned (PIM User)", - "sha256": "7f93a3391ea686a14d777dcd48797c99ec342fc1acccbd567b3ecdc8c3ea7cc4", + "sha256": "7cc31a789b7c74143fda38cba04d25c2603889e20c7dcd188f4ece32bf1d1426", "type": "query", - "version": 108 + "version": 109 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "rule_name": "AdFind Command Activity", - "sha256": "7e0624287ad182ae9bacc67dc50b8c0dd7eefdfd4cd89c815901306e3312297b", + "sha256": "bbe59d4874b08b8c66c95ee01c8f16869c994e1f101f7277be94a460c6c8b07d", "type": "eql", - "version": 317 + "version": 318 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "3d33d63b18b70ecb260d4753743b10a2f38b083d5fd42f92e86d1a27f815795e", + "sha256": "703363f0e0174c2ee80e6f77652694e5162cc28d87e1c2e204dca58e5356c34c", "type": "query", - "version": 413 + "version": 414 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "8302ac3fdd14c7129217b39eb68513aecbc6e8e75fdde0d16989df01196722dd", + "sha256": "3b95f245108cb93bb029c7af37a858ccd74b435e44b2d3ab3f0278ea77b53cb7", "type": "eql", - "version": 319 + "version": 320 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "rule_name": "Linux User Account Creation", 
@@ -10803,15 +11744,15 @@ }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "rule_name": "Okta FastPass Phishing Detection", - "sha256": "1f5ddb372f0cf39847f187a18845abb51bef25a41e38ce48fd30e9ea7bc6982b", + "sha256": "6dbed41461451dc5040bb4d309300f105a9ff9e96c0e3dcf65baa67ffdd640af", "type": "query", - "version": 311 + "version": 312 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "rule_name": "Unusual Print Spooler Child Process", - "sha256": "54e542eced060164ea48e1acd0e2dad60a507e92b22080e79fefa1717cdb3600", + "sha256": "06c1d7ee0b1821eebdacfbd116ce652a18f22895052fb6c1cd5c386fffa4d507", "type": "eql", - "version": 215 + "version": 216 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { "rule_name": "Shortcut File Written or Modified on Startup Folder", @@ -10827,9 +11768,9 @@ }, "ee7726cc-babc-4885-988c-f915173ac0c0": { "rule_name": "Suspicious Execution from a WebDav Share", - "sha256": "ba4424b0263455a683831ed50d76d4acba6b025e45812e7416845faf04c55c54", + "sha256": "193a9582b8a88c80c2ec2d4d03cc840cba670833923fc58cb2815ed2e060ab0f", "type": "eql", - "version": 2 + "version": 3 }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", 
@@ -10889,15 +11830,25 @@ }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", - "sha256": "4b9b636e3a685b6f6ba574e915d668cab21ca02cc5641de4b11ee1a8bdc146e5", + "sha256": "488f47888a154ee51964246ab9cdc3b28cb10dec24eda5a50776d9de86ac7fc1", "type": "eql", - "version": 217 + "version": 218 }, "ef8cc01c-fc49-4954-a175-98569c646740": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 107, + "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", + "sha256": "501b90c5679e6b9959a55999b1892814f6969d4a2aac60d17835f827a7cda0fd", + "type": "machine_learning", + "version": 8 + } + }, "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", - "sha256": "501b90c5679e6b9959a55999b1892814f6969d4a2aac60d17835f827a7cda0fd", + "sha256": "71567755940d538c15fd90849caad5bf4ee4a89e0afd72f43b9ceac4f9ec3f1b", "type": "machine_learning", - "version": 8 + "version": 108 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", @@ -10913,9 +11864,9 @@ }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "rule_name": "Okta User Assigned Administrator Role", - "sha256": "925aff7358596698164c5f9b33bab66d4042ee713892da8d3805c24d65199b85", + "sha256": "2fd1365685f9e79ac576991cdb849afc70a64f0b0a5704b845cb04f44a7892c1", "type": "query", - "version": 414 + "version": 415 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", 
@@ -10925,15 +11876,15 @@ }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Diagnostic Settings Alert Suppression Rule Created or Modified", - "sha256": "d234efe00820b1869f7b07b9a42c409b2276c4803bf4907364ecea05b3ae2950", + "sha256": "8b1cd77d90733f7dbd27b5fa93888a24d03bd9e802b97882331f8fd173e040cf", "type": "query", - "version": 108 + "version": 109 }, "f0cc239b-67fa-46fc-89d4-f861753a40f5": { "rule_name": "M365 or Entra ID Identity Sign-in from a Suspicious Source", - "sha256": "dad1523274411b29ab40efb86f89c772f7a8cdeb2603d7907007291a05e49bc8", + "sha256": "ac361b2d53e2dd03468b9afba8e5c3b38c6d1bda72d386736bc5ea72d23e4365", "type": "esql", - "version": 5 + "version": 6 }, "f0dbff4c-1aa7-4458-9ed5-ada472f64970": { "rule_name": "dMSA Account Creation by an Unusual User", @@ -10961,9 +11912,9 @@ }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", - "sha256": "6c195dfca2a28a28d01a307ee437b722bb378e2ea1c8e923cdf41304d729a75f", + "sha256": "fa20fb477b98059cdcedc8515e55e02f1f0f705253f61f5f68683154a52bf7c8", "type": "query", - "version": 6 + "version": 7 }, "f1f3070e-045c-4e03-ae58-d11d43d2ee51": { "rule_name": "Manual Loading of a Suspicious Chromium Extension", 
@@ -10973,16 +11924,25 @@ }, "f2015527-7c46-4bb9-80db-051657ddfb69": { "rule_name": "AWS RDS DB Instance or Cluster Password Modified", - "sha256": "14ba46c9c0f297862c53f3a5dabcf435451495d495c1d15ae6243dd985e3d145", + "sha256": "8ad36bf549c8e2d030b047008548086597c14917e95fb16824216d0b6e03fbc9", "type": "eql", - "version": 8 + "version": 9 }, "f20d1782-e783-4ed0-a0c4-946899a98a7c": { - "min_stack_version": "9.3", + "min_stack_version": "9.4", + "previous": { + "9.3": { + "max_allowable_version": 101, + "rule_name": "Unusual City For a GCP Event", + "sha256": "76586ab01cd08c0c90773f9fd6ddba36eb9b8ee0571614eca39f0de1bb442d29", + "type": "machine_learning", + "version": 2 + } + }, "rule_name": "Unusual City For a GCP Event", - "sha256": "76586ab01cd08c0c90773f9fd6ddba36eb9b8ee0571614eca39f0de1bb442d29", + "sha256": "8eb28f90d5cd908568c9a395131d2080306c30096616c06ee1c3985dbdaa83f9", "type": "machine_learning", - "version": 2 + "version": 102 }, "f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": { "min_stack_version": "9.3", 
@@ -11036,21 +11996,21 @@ }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "rule_name": "SIP Provider Modification", - "sha256": "47389d060af838e9b3ab54a6aa1da8ef352339436cef82bf5ad8b528326c1857", + "sha256": "125f47bc784113a03c612e7b861651d073becc924440dc043d8efa6158370cdb", "type": "eql", - "version": 314 + "version": 315 }, "f2e21713-1eac-4908-a782-1b49c7e9d53b": { "rule_name": "Kubernetes Service Account Modified RBAC Objects", - "sha256": "281209a49e92e2367ec89f538621f986a7198e5592b2ba61c7b93e3e2ff8dafc", + "sha256": "970354cbf4c8525c8836fda8fdd3ab8f107769ab8b4d4a7c341afd376449a261", "type": "query", - "version": 2 + "version": 3 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "rule_name": "LSASS Memory Dump Creation", - "sha256": "4de3d5e198211653435573047cfbbcede3b079ce2d9b1e159ebc6c4a8e1bcda3", + "sha256": "f8b9f6caac301f48e046c4f63a72d06bcf1c6fb05d085325ca776a03987d4ca2", "type": "eql", - "version": 314 + "version": 315 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "rule_name": "Deprecated - AWS RDS Instance Creation", @@ -11060,9 +12020,9 @@ }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "rule_name": "Google Workspace Object Copied to External Drive with App Consent", - "sha256": "c5c1f181bfd0f814c6079ac55df87c7d8908c680a9aa9a6b4970ad08f892b39b", + "sha256": "9d1a8b1da8853216b701b3b7ccea1089b6689b2a0de289b79746bd6a7db343f0", "type": "eql", - "version": 12 + "version": 13 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", @@ -11072,9 +12032,9 @@ }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "rule_name": "WMI Incoming Lateral Movement", - "sha256": "7c530140bf12b6317b1633953a2135892b451f0fd02d2ca3be84802b33a9f878", + "sha256": "7e42d9a843e9f3734a065a80f5ab01eee5a9ffdf1a8dbaba1267258f24ddb88e", "type": "eql", - "version": 216 + "version": 217 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt", 
@@ -11102,9 +12062,9 @@ }, "f3ac6734-7e52-4a0d-90b7-6847bf4308f2": { "rule_name": "Web Server Potential Command Injection Request", - "sha256": "0f61ee6203f327c572d953395eaa56f5f1e41d35e47e6b590f427f379aeec032", + "sha256": "296304247c0cfa14732b0ea9839a5688829341d4bfa67d6cce0efcd197107469", "type": "esql", - "version": 4 + "version": 5 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "rule_name": "Threat Intel URL Indicator Match", @@ -11114,9 +12074,9 @@ }, "f401a0e3-5eeb-4591-969a-f435488e7d12": { "rule_name": "Remote Desktop File Opened from Suspicious Path", - "sha256": "7f753ea6ff1bc5ae4a855cc1ba35ab3db8c16622e28476c35412ea97e77a5741", + "sha256": "7d16e8e51ca65715b14dd31e7a6ca959bb83460834cbd45523dea6410e1288a9", "type": "eql", - "version": 7 + "version": 8 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation", @@ -11126,9 +12086,9 @@ }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "cba4b95ced426d90a06aeb6a7c29ed69852042fa8e4104dfcd4ba0c44c6ed44b", + "sha256": "65c544d6e400d0909d79ad3a1e0f79b5cf5fcdd3fb01a1a073adc46c69aafb31", "type": "eql", - "version": 312 + "version": 313 }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Pluggable Authentication Module or Configuration Creation", 
@@ -11174,15 +12134,15 @@ }, "f541ca3a-5752-11f0-b44b-f661ea17fbcd": { "rule_name": "Entra ID Sign-in TeamFiltration User-Agent Detected", - "sha256": "98230e0e75ded9d6ec8d0165892b6be2cf9441831b3080575b66006d7ba1275a", + "sha256": "3f339217cd8eae50f29ce9fcb9124f0a7526f85b0ad85961b8583156f1823d6d", "type": "query", - "version": 2 + "version": 3 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", - "sha256": "264b4899ef3cefac559933fcac41d2d42b656dc38b8b4a595dffa5b6c0bfbb12", + "sha256": "20493eaeeb6c2a2bafdb4f8bcb92ac713feda3a6f78fe3c37d2a40e04c859c85", "type": "eql", - "version": 315 + "version": 316 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "rule_name": "Deprecated - SSH Connection Established Inside A Running Container", @@ -11192,9 +12152,9 @@ }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { "rule_name": "Rare SMB Connection to the Internet", - "sha256": "fd652aabce416c86c10c7059fd5ff466d05b4119ca6bc670b78f3fcfde1812a0", + "sha256": "bc595eea9fc115c39d005fb7bf071ada50f9accdda168f2460ccad87c8f0e53f", "type": "new_terms", - "version": 212 + "version": 213 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { "rule_name": "WRITEDAC Access on Active Directory Object", 
@@ -11222,10 +12182,20 @@ "version": 112 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 210, + "rule_name": "Parent Process Detected with Suspicious Windows Process(es)", + "sha256": "5e26435a6c6b152cc9c108374c72cd5a9f0766698e6eaf34ecfb75df00fb5d27", + "type": "machine_learning", + "version": 111 + } + }, "rule_name": "Parent Process Detected with Suspicious Windows Process(es)", - "sha256": "5e26435a6c6b152cc9c108374c72cd5a9f0766698e6eaf34ecfb75df00fb5d27", + "sha256": "6087543daca9986a612585855dcfc77d192fd4a1e20ab80710f3619022cc0cc8", "type": "machine_learning", - "version": 111 + "version": 211 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "rule_name": "Masquerading Space After Filename", @@ -11241,15 +12211,15 @@ }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "696b0f2a0dc84944f6e5c874bb805643fba4e2ac642c897e9d439fc5d0a4074b", + "sha256": "e8100696d660a50d4596211f89033aee3ad648aeaa2febbd7f53d1a57151e03c", "type": "eql", - "version": 315 + "version": 316 }, "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", - "sha256": "e44cc2803ee91b1dfe83cb1006d9209add5b8ac45d8bac02236bd6a022fe2177", + "sha256": "1dff4a3354ffb01188e7144a8483bb555136a03b278e0b3410d4233e5fd77d8b", "type": "eql", - "version": 8 + "version": 9 }, "f66a6869-d4c7-4d20-ab13-beefd03b63b4": { "min_stack_version": "9.3", @@ -11260,9 +12230,9 @@ }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "4ffb25a4641ad9040be58848570f2509850ed15374327784d814848e21628a93", + "sha256": "735b5c0178f0d409186deaf61c88dfd9243bfa5af003ec187168d54632ca4823", "type": "eql", - "version": 314 + "version": 315 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", 
@@ -11276,15 +12246,15 @@ "8.19": { "max_allowable_version": 106, "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", - "sha256": "b3c32636964b52850bbe219b1d46df5e11ff74998859388137839aa155bb529f", + "sha256": "95b168aaae5816d4dd8032d851a24980d140d4a9e0603b56f4fa88d79af15a4a", "type": "new_terms", - "version": 7 + "version": 8 } }, "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", - "sha256": "d6c1961a83a29873b120fdfea8882d1738a1c515182782f9a9b57a2b000e1836", + "sha256": "c07fa7fae81922d04accf363a9e78642676d26e8aee182c0560cf0824f2ac45d", "type": "new_terms", - "version": 108 + "version": 109 }, "f6d8c743-0916-4483-8333-3c6f107e0caa": { "rule_name": "Potential PowerShell Obfuscation via String Concatenation", @@ -11312,9 +12282,9 @@ }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "rule_name": "Entra ID Service Principal Credentials Created by Unusual User", - "sha256": "fc57ea21237e412537f32ffd71bcbf98d2bb681ea933271aec872c9083a1121e", + "sha256": "6e45ed34b41c65dea5f26b4fd76c9a2d93cd04c869ff1233f8c9f818ae8ea9fb", "type": "new_terms", - "version": 109 + "version": 110 }, "f770ce79-05fd-4d74-9866-1c5d66c9b34b": { "rule_name": "Potential Malicious PowerShell Based on Alert Correlation", @@ -11324,9 +12294,9 @@ }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "6ada016a934606d912dacab8241969dd93d1076577dd1741588cbbdd0a7a3179", + "sha256": "79d4a35620619779083ee70524a8ef1682a27632b98289f7456caa69d6568239", "type": "query", - "version": 213 + "version": 214 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { "min_stack_version": "9.3", 
@@ -11346,15 +12316,15 @@ }, "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": { "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance", - "sha256": "62ae72c726fceedcc62eca5b723bb6a64e92c8c54e1b2444e2242babdf604457", + "sha256": "0df65b003548a28c9f18c010d2dd59a06433f01121e7a155c496e0b44d3cb6c1", "type": "new_terms", - "version": 5 + "version": 6 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "35d3ea41fa9ffee27aaa289788a090d3a14737ce66c8825d1c8f7b4120bbd05a", + "sha256": "ad8a2614746a15f6354d88c9390f104ef5d781450c281221c897f320cd94903d", "type": "eql", - "version": 316 + "version": 317 }, "f7c64a1b-9d00-4b92-9042-d3bb4196899a": { "min_stack_version": "9.3", @@ -11377,15 +12347,15 @@ }, "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": { "rule_name": "AWS Suspicious User Agent Fingerprint", - "sha256": "d8f55b7cb56235069f1574c53c746da0a83543aeb82424b30a43b6d6ceebf502", + "sha256": "27d2eb5e6870d7c227dd3a411c07293fecb8f8f2f775777480a7dd0e02bc409d", "type": "eql", - "version": 4 + "version": 5 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "c106cab6e8eb5fb2f17e701d9ba2a7fc83348e1bd9ad61146224fa3a5eafe3d9", + "sha256": "19fa275f01d141046af620130c54383997bbfb159cc343503bd148ff624abf21", "type": "eql", - "version": 314 + "version": 315 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", @@ -11401,9 +12371,9 @@ }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "3d21669e611960932ce8953bc186daa36ad6fa5e5de719f84cc5ea2bbf58bdf6", + "sha256": "11caa2095158cf12c8a5df4c3841957a839cba84b092d379e302513aa52a0b85", "type": "eql", - "version": 315 + "version": 316 }, "f87e6122-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Malicious File - Prevented - Elastic Defend", 
@@ -11425,9 +12395,9 @@ }, "f92171ed-a4d3-4baa-98f9-4df1652cb11b": { "rule_name": "Potential Secret Scanning via Gitleaks", - "sha256": "2161c82acd72e33700b0364812054c76003c9e68b25db81829ca3aed831c74e8", + "sha256": "4861674e448f597aa53a76a1d592c4eeeeb880c7a635868424b52dbd07885f11", "type": "eql", - "version": 2 + "version": 3 }, "f94e898e-94f1-4545-8923-03e4b2866211": { "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", @@ -11436,10 +12406,20 @@ "version": 208 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 207, + "rule_name": "Unusual Linux Network Configuration Discovery", + "sha256": "b1e4aa334a9c74399d4b35c0e73a331197fd44f3b8ef34669b8d6b23d87620cf", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Linux Network Configuration Discovery", - "sha256": "b1e4aa334a9c74399d4b35c0e73a331197fd44f3b8ef34669b8d6b23d87620cf", + "sha256": "b6a7707b778a054c85270746ef3d0855539421ee3103f6c883ea68097524173b", "type": "machine_learning", - "version": 108 + "version": 208 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { "rule_name": "Ingress Transfer via Windows BITS", @@ -11455,9 +12435,9 @@ }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { "rule_name": "Browser Extension Install", - "sha256": "775f70e17e3838a8d2e278660b53423e29621be18e0b48b83607a9eba3dd59a2", + "sha256": "6ddb9411dda1c2bc7aa23ca51558c14539baad53a95a2bc439320a38d13558da", "type": "eql", - "version": 208 + "version": 209 }, "f9753455-8d55-4ad8-b70a-e07b6f18deea": { "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", 
@@ -11473,9 +12453,9 @@ }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "6e2937a3d1e9b3398d71d4bd594a454dcd061816ff73f7c83de5de94a21590d2", + "sha256": "3f42d9f4d6c683fa8e24940e81e098732937f7c261ff50f3c743c37d18f8492d", "type": "query", - "version": 412 + "version": 413 }, "f9abcddc-a05d-4345-a81d-000b79aa5525": { "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", @@ -11491,9 +12471,9 @@ }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "1490071c689a9d0493c0a1bdde622ec455d2ac911fbd3d44d6c76a846ff2f1d8", + "sha256": "7a2c5d9cba8758b393e462c2aa3ce04e13a932e002eb0613de28ae480dadbc1b", "type": "eql", - "version": 318 + "version": 319 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { "rule_name": "Potential External Linux SSH Brute Force Detected", @@ -11509,9 +12489,9 @@ }, "fa488440-04cc-41d7-9279-539387bf2a17": { "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "0cd027bc2a6c875c929dcf7cc81896925357907008c382104fa069cdb024cb9a", + "sha256": "f24106e9a11ca37430da8afe3a284545f262b7c06db2297c9b470768e6810f25", "type": "eql", - "version": 319 + "version": 320 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "rule_name": "Potential Disabling of AppArmor", @@ -11533,9 +12513,9 @@ }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { "rule_name": "High Number of Cloned GitHub Repos From PAT", - "sha256": "cf2ef18d44f8723b31d04f647c610a7afc8d9dc610321e26c8861181a2a7a635", + "sha256": "bf668bb17c3ea7604e554f63825a99d9153ff36affd8b4b9ebb087cba806ff0f", "type": "threshold", - "version": 208 + "version": 209 }, "fb16f9ef-cb03-4234-adc2-44641f3b71ee": { "rule_name": "Azure OpenAI Insecure Output Handling", 
@@ -11556,10 +12536,20 @@ "version": 2 }, "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Group Name Accessed by a User", + "sha256": "910816869ac69e52dd49d7b50213a32f674a8abcca1169b8dae5d9d0ca26a27d", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Group Name Accessed by a User", - "sha256": "910816869ac69e52dd49d7b50213a32f674a8abcca1169b8dae5d9d0ca26a27d", + "sha256": "667f169cd9b1cccf4aea8c89b3535d32676adf3648fb6ec26bd809d1a57539e4", "type": "machine_learning", - "version": 4 + "version": 104 }, "fb8790fc-d485-45e2-8d6e-2fb813f4af95": { "rule_name": "Dylib Injection via Process Environment Variables", 
@@ -11575,39 +12565,49 @@ }, "fbad57ec-4442-48db-a34f-5ee907b44a22": { "rule_name": "Potential Fake CAPTCHA Phishing Attack", - "sha256": "0a1986244d8bb19d2fab065d31df99978b0474330486bd0ceaa03fd2727d8675", + "sha256": "33d00e4c6fe087be1ef08b31b40a606e5e9c71ae3c9df80f964991477494d542", "type": "eql", - "version": 2 + "version": 3 }, "fbb10f1e-77cb-42f9-994e-5da17fc3fc15": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 103, + "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", + "sha256": "b6972d4f3235fe5015a16b59e32f209fef18168efd59112b1173e3341709c0b2", + "type": "machine_learning", + "version": 4 + } + }, "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", - "sha256": "b6972d4f3235fe5015a16b59e32f209fef18168efd59112b1173e3341709c0b2", + "sha256": "2a0c28333cbc2b59a754048dac4ba1ba85e1e32f9407e91291bbe69a9abbcf5d", "type": "machine_learning", - "version": 4 + "version": 104 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "e321ac71904b38ac1d8cd69e2c42acbaddaeb9a13ea72f048fe899741b5e613e", + "sha256": "992873866168b6dc2174c2626fb35218105596756c2e0301459d4c664ae9ea8d", "type": "query", - "version": 211 + "version": 212 }, "fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": { "rule_name": "Process Started with Executable Stack", - "sha256": "6bbf5a0a14f640c392995936cd0704eb2b79897183695742f96a246f51386081", + "sha256": "fd1e26f5a72a073b0f04248104e8a153e66925a0edbac78669638790918671c2", "type": "query", - "version": 5 + "version": 6 }, "fc552f49-8f1c-409b-90f8-6f5b9869b6c4": { "rule_name": "Elastic Defend Alert Followed by Telemetry Loss", - "sha256": "932ab00c7e5ac71de6d9da2454af4619e78995498c9e33eee3ca284013f4ff26", + "sha256": "67f6095aaaf71d37cb9ae1e5b587093cea6fa579d3654a9353068eb9b0edef4d", "type": "eql", - "version": 2 + "version": 3 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "rule_name": "UAC Bypass Attempt via Elevated COM 
Internet Explorer Add-On Installer", - "sha256": "2c4a7c07729a478594b21a511f1a9f979a8312c4a0dc56da8076580881a0c175", + "sha256": "acfd359f8bb2c6823f73b9e352ba057d766bf7ecf267bd531c05151b7147ffd1", "type": "eql", - "version": 313 + "version": 314 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", @@ -11617,15 +12617,15 @@ }, "fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": { "rule_name": "Proxy Execution via Console Window Host", - "sha256": "c59c8e3d79a2cd6347c827d35bb0e57598f41c6667eda09b298a6bdff4958634", + "sha256": "94198e75f89a28e942b81c0c6d4ec00bdef98a1a2d0363f36836df7118a4f9d3", "type": "eql", - "version": 2 + "version": 3 }, "fcd2e4be-6ec4-482f-9222-6245367cd738": { "rule_name": "M365 Identity OAuth Flow by User Sign-in to Device Registration", - "sha256": "74ddd66430f2986bde9f01e07df5dfddc8b19563d60db53255f18ad59d59778c", + "sha256": "61bd95935880280101cb47357cfba9fda77a633cad787f7e0f4983dcf66fccf7", "type": "eql", - "version": 3 + "version": 4 }, "fcf18de8-ad7d-4d01-b3f7-a11d5b3883af": { "rule_name": "Threat Intel Email Indicator Match", 
@@ -11641,21 +12641,21 @@ }, "fd00769d-b18d-450a-a844-7a9f9c71995e": { "rule_name": "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount", - "sha256": "df1b7a9eee719cedbb64cb235247c2ab465f23806209179a82088f85d0d39f4e", + "sha256": "84051400b1ae5421cfb0710d08885fc6ccb194cced886576497e63909acfa9c9", "type": "query", - "version": 1 + "version": 2 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { "rule_name": "GitHub App Deleted", - "sha256": "e51549bf7834d3a0abbe08f6469acc71cd816cc3542fb505d9af289c2afae781", + "sha256": "eec1892d492dc25cab5480d300e33e9aac87bcbb4386d100cab35cb223d38ce6", "type": "eql", - "version": 208 + "version": 209 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", - "sha256": "65f323aa4c16663d824d2073835378825966b7bba7c5d6a2c0c35e90e5e6803b", + "sha256": "74a0ff1c1a288bfbe8134ef5390dc9c7a9081b9e769c155809243aa52e7bd168", "type": "new_terms", - "version": 8 + "version": 9 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", 
@@ -11665,21 +12665,21 @@ }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "d9690771206500e07e7c25755beb650bddea9bff417f6e2bbdf01c97d2926969", + "sha256": "ee9592951cfba0c77e95c2d6dbcd69c923a9ce4d3b15d3f3fc8714437a6bbd8b", "type": "eql", - "version": 317 + "version": 318 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Suspicious CertUtil Commands", - "sha256": "939e7894f13daf5708d2c85416fec8b91aeb8951c4cc059f29a99d7c386786c6", + "sha256": "14edb9986ee69201de825852e22903b23b7135b82e16205305f25f9b0cf9c2cd", "type": "eql", - "version": 316 + "version": 317 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", - "sha256": "658d4e647f7bfe468cbb5355f6d31f0c7b1dde0c2dfa120eea56e0cd22ca56f8", + "sha256": "0001466c3c028207fb1f7651389bfef6444f3e9cddc410004e2539e96c35fc4d", "type": "new_terms", - "version": 426 + "version": 427 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { "rule_name": "Image Loaded with Invalid Signature", 
@@ -11707,15 +12707,25 @@ }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "d9c865f4237f4a014bef544884fd6715a5f3bb6ef22bd7e705a40aa286fe445d", + "sha256": "f445ad2da82be34ec4ccb27de355b041ace5ddef57a35205047543bd8361ab48", "type": "eql", - "version": 318 + "version": 319 }, "fe8d6507-b543-4bbc-849f-dc0da6db29f6": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 104, + "rule_name": "Spike in host-based traffic", + "sha256": "539f0007ba47959012c3d761d040a6d76269a8994675b2f51c844ca81e899ef4", + "type": "machine_learning", + "version": 5 + } + }, "rule_name": "Spike in host-based traffic", - "sha256": "539f0007ba47959012c3d761d040a6d76269a8994675b2f51c844ca81e899ef4", + "sha256": "907d81f3a0d242ae72cb95a3525f28b646be7b2537e8437b213254a0e2ac1660", "type": "machine_learning", - "version": 5 + "version": 105 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", @@ -11737,9 +12747,9 @@ }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "0ff563e99da750acf3e694ad34679010f0fa64883c84a72877f2fcefe7b762c6", + "sha256": "7948809bbe71f84d5d24dd60e6d8525dc5667f49f8f6422eb66ca506798a35e5", "type": "eql", - "version": 311 + "version": 312 }, "fef62ecf-0260-4b71-848b-a8624b304828": { "rule_name": "Potential Process Name Stomping with Prctl", 
@@ -11749,15 +12759,25 @@ }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "sha256": "b5131178d38397bc930bc5a900e33c256bbf4a95c3a2fc168f30b03bed4d26f9", + "sha256": "b271213c5408f3105b6c293a194441c0a6ee0a8f56895b6c8b5d514a45f29206", "type": "query", - "version": 107 + "version": 108 }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { + "min_stack_version": "9.4", + "previous": { + "8.19": { + "max_allowable_version": 108, + "rule_name": "Potential DGA Activity", + "sha256": "305c65ba2a0c6e6b8dd78bcd8fce09f2491e6ed7c1ad1c495e321db25ddd0c2e", + "type": "machine_learning", + "version": 9 + } + }, "rule_name": "Potential DGA Activity", - "sha256": "305c65ba2a0c6e6b8dd78bcd8fce09f2491e6ed7c1ad1c495e321db25ddd0c2e", + "sha256": "1892ab19dfbba7c5209d5416fac24916cec60b288ae4bbe9f0dfcad7fbb548ad", "type": "machine_learning", - "version": 9 + "version": 109 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "rule_name": "Cron Job Created or Modified", 
@@ -11767,45 +12787,45 @@ }, "ff18d24b-2ba6-4691-a17f-75c4380d0965": { "rule_name": "Suspicious JavaScript Execution via Deno", - "sha256": "aae2b755e36776da4fd6721b130bedbe3399b5fc5400550fc6ea690072aa8b68", + "sha256": "cb55c046d8dfe8230113d03f862c936b4cc6f55c682a4004ef707a95803af2f3", "type": "eql", - "version": 2 + "version": 3 }, "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", - "sha256": "c725902f0e85dff5bad6928200527e7b0f5da156f4dbe5de51b229844a6a11e9", + "sha256": "b1c612a39634c76d3859749ffcf4a66830efa742e42ac76353710085e9a89c75", "type": "eql", - "version": 7 + "version": 8 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "rule_name": "LSASS Process Access via Windows API", - "sha256": "9ac7770cb7a1a1d0348ae3f523fb76bbc3740b98d2354456e5f0495c5c6896c5", + "sha256": "b9d7cc3c34196818c0328f0233de8067dfd91ff0a3deff37e351c25978e98d6e", "type": "esql", - "version": 16 + "version": 17 }, "ff46eb26-0684-4da3-9dd6-21032c9878e1": { "rule_name": "Active Directory Discovery using AdExplorer", - "sha256": "5498c911565a0f24b7ec48e5e494dd62b58ee7efebfd30ae802acb1a12829893", + "sha256": "353ffa18f8623074c6bcf5df58dde56ca9f55c429d7d473c7d29d8b79a4394f7", "type": "eql", - "version": 1 + "version": 2 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "M365 Exchange Mail Flow Transport Rule Created", - "sha256": "71c8152bd1f4ea310db48f0487624fb6e55fbd763a1f7a196f392abf4c644b26", + "sha256": "3af2c69e8e417302ef11f5cad05379d42ead8135a8bb69dbf6e400195e16d2e0", "type": "query", - "version": 212 + "version": 213 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", - "sha256": "a48e20350f413cf45c9adacf6a299a1b22445bab666f464c05bc37755bb70959", + "sha256": "2f7cfb8b088fdd67f95a4f6ed9fa6715582ba1ea6c790ca89e6749535eec27ea", "type": "eql", - "version": 204 + "version": 205 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "rule_name": "GCP Firewall 
Rule Deletion", - "sha256": "00d05c917b8ab9ff264282af0f59c82fcc130494435e2649d0232f0b3c677c3e", + "sha256": "2d21b1f06254849904bc0f96312aaddd5dbde583bae425bbb2b4e8cd08c5977c", "type": "query", - "version": 108 + "version": 109 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "rule_name": "Potential Sudo Token Manipulation via Process Injection", diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md index 7539afb53..7d75334d1 100644 --- a/docs-dev/ATT&CK-coverage.md +++ b/docs-dev/ATT&CK-coverage.md 
@@ -176,8 +176,8 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-macos](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-macos.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-365-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365-audit-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365.json&leave_site_dialog=false&tabs=false)|
-|[Elastic-detection-rules-tags-microsoft-defender-for-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-for-endpoint.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-defender-for-office-365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-for-office-365.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-microsoft-defender-xdr](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-xdr.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-defender](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-entra-id-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-audit-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-entra-id-protection-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-protection-logs.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
index 18167a9e0..315c28bdc 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.23"
+version = "1.6.24"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"