From 38bc110dc50d090a1acfcf4176fd576c6ca99c0b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 24 Oct 2023 14:01:11 -0400
Subject: [PATCH] Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 (#3223)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: terrancedejesus
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit ab6f28a38053a5f28b50477e591e35cd78e454a8)
---
 detection_rules/etc/deprecated_rules.json |   10 +
 detection_rules/etc/version.lock.json     | 2879 +++++++++++++++------
 2 files changed, 2066 insertions(+), 823 deletions(-)
diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index a878ce1ae..7b6d7e5cc 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -1,4 +1,9 @@
 {
+ "041d4d41-9589-43e2-ba13-5680af75ebc2": {
+ "deprecation_date": "2023/09/25",
+ "rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
+ "stack_version": "8.3"
+ },
 "08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
 "deprecation_date": "2021/04/15",
 "rule_name": "TCP Port 8000 Activity to the Internet",
@@ -89,6 +94,11 @@
 "rule_name": "Execution via Regsvcs/Regasm",
 "stack_version": "7.14.0"
 },
+ "4973e46b-a663-41b8-a875-ced16dda2bb0": {
+ "deprecation_date": "2023/09/25",
+ "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
+ "stack_version": "8.6"
+ },
 "5e87f165-45c2-4b80-bfa5-52822552c997": {
 "deprecation_date": "2022/03/16",
 "rule_name": "Potential PrintNightmare File Modification",
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 5f60b8849..7444b4537 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -1,24 +1,33 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73", + "type": "query", + "version": 107 + } + }, "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2", + "sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2", "type": "query", - "version": 106 + "version": 207 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "d30c57775c5b17bd01a68c5752337e391ce2d7db5cb8aa6eccbc9a54c200c86c", + "sha256": "c12251f0ebf415936a88178bbe670516848a774c5cf3e9bc888a6a8824a0e13a", "type": "eql", - "version": 108 + "version": 109 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.3", "rule_name": "System Shells via Services", - "sha256": "8f7269ea080f0c8f9d2257a9ed2e32139f4c2c1cd0dbc9ebf61ee83987b10d83", + "sha256": "629ee62bf64e9993225823b0969be69d7b4494d53adc0ffbcdc501745be3ab8f", "type": "eql", - "version": 107 + "version": 108 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "min_stack_version": "8.4", 
@@ -35,18 +44,27 @@ "version": 102 }, "015cca13-8832-49ac-a01b-a396114809f6": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Redshift Cluster Creation", + "sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Redshift Cluster Creation", "sha256": "b1c8e121fb4363f74d0c8928f3335aa2f374919f5257a9f4b17483773c49f348", "type": "query", - "version": 104 + "version": 205 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { "min_stack_version": "8.3", "rule_name": "Potential Network Scan Detected", - "sha256": "a149d3ca79d319960c0d9e727ba65ff5e3350567e7f234907d03d7927621b13d", + "sha256": "6f969409e34ce2e04899c197404f8717d28ae3866797966be0653c4a3867fdc6", "type": "threshold", - "version": 3 + "version": 4 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.3", @@ -106,12 +124,19 @@ "type": "eql", "version": 2 }, + "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { + "min_stack_version": "8.3", + "rule_name": "Potential Network Scan Executed From Host", + "sha256": "247079101b736a6f3dfb963c2106e2d5dfaf9523a631e74b57ca03fa12e6c429", + "type": "threshold", + "version": 1 + }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "min_stack_version": "8.3", "rule_name": "Modification of OpenSSH Binaries", - "sha256": "4cb2b6b77c91784f961b4347413643db618e2f27805ae42c5d6087ba7e5a9794", + "sha256": "77e56ceb38921c2a4b69d7e793e5cebe8412e613b9f767bf3e7d272f297aa00d", "type": "query", - "version": 105 + "version": 106 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "min_stack_version": "8.3", 
@@ -144,16 +169,23 @@ "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.3", "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "7f1bba1cf96766fe9d2d0d21e7e7d03114483ebf1d91a52bdc7a370c5751699b", + "sha256": "6df780c2019fb6ff0102a70515a5233d958c58be4522ce64b31da80680965b27", "type": "eql", - "version": 106 + "version": 107 + }, + "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { + "min_stack_version": "8.3", + "rule_name": "Tainted Kernel Module Load", + "sha256": "a546a22d29ab39e34b84e1d2bb96312c59c8c0072948b715eea31b3cae42f3fb", + "type": "query", + "version": 1 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "f31c9a7ea34568a5374ff1710793245daeb9aeb25b3a9a24e97f06a5888a0ca2", + "sha256": "e707dd532d4c099c31f5b95bdc9d237af995a146109cd6caf07576bac95509f4", "type": "query", - "version": 105 + "version": 106 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.3", @@ -207,16 +239,16 @@ "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", - "sha256": "5839a3666d7e0133ba8b7e42ac89b59b39e750d0b97a3b3583b69c13de90129a", + "sha256": "8822c17823d2a397a734dabe9b76dc5786f7ea603e234dc22bac765c440f88ad", "type": "threshold", - "version": 3 + "version": 4 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.3", "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "a31f827db85593474e5766adaf71c535a3a5d7ce628347b6b7e606bdb261bd04", + "sha256": "89428d0f0fc36a5b1ff0704bcfaf222c5592e066c0a1179e4d851b02b8384d67", "type": "eql", - "version": 5 + "version": 6 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "min_stack_version": "8.4", 
@@ -285,9 +317,9 @@ "09443c92-46b3-45a4-8f25-383b028b258d": { "min_stack_version": "8.3", "rule_name": "Process Termination followed by Deletion", - "sha256": "b47a3759b8145c73009358643478d070d44505235b1c16c6282bf2925986ffaa", + "sha256": "3eef996ce0b596a8c36e90f7b072702cf85d200f1a9683ab6d81d18bf69ed5d1", "type": "eql", - "version": 106 + "version": 107 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", @@ -298,9 +330,9 @@ "09bc6c90-7501-494d-b015-5d988dc3f233": { "min_stack_version": "8.3", "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", - "sha256": "094055b11724accc14288884bea8d069e3e5c1c1d32159a9b78fc9d7808cdc3a", + "sha256": "86eaafcb32b1483e8453f37ecd655c5e8c33aceb5c823ab84d86ff4a4759ca09", "type": "eql", - "version": 1 + "version": 2 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "min_stack_version": "8.3", @@ -319,9 +351,9 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "c33b0262570792c916921cd4645eb950802579016d010a5a0c5672fa4007efc8", + "sha256": "010e64048d380d35b40f806816a62483d54ed2f3cdafafd01f6d92feb6df8f79", "type": "query", - "version": 2 + "version": 3 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.3", @@ -340,9 +372,9 @@ "0b803267-74c5-444d-ae29-32b5db2d562a": { "min_stack_version": "8.3", "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "cd1a313ebc7c4d9e532bb43100c4d5c06d27676750ffde616f9aec4fcb71d086", + "sha256": "c545678521c2df966a1a7b9a11ac1e9e2bb8d0acad65746d1bb12f47607f2149", "type": "eql", - "version": 2 + "version": 3 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "min_stack_version": "8.3", 
@@ -398,9 +430,9 @@ "0d69150b-96f8-467c-a86d-a67a3378ce77": { "min_stack_version": "8.3", "rule_name": "Nping Process Activity", - "sha256": "b526d1555e13cf130c9d0129928555065e1f976d20616cd8863f9e2f7c8720e6", + "sha256": "a268355fc0423778888b7e0b1d9b8e7e5dd149344e2b5baa79b585c6189698e4", "type": "eql", - "version": 105 + "version": 106 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "min_stack_version": "8.3", @@ -442,9 +474,16 @@ } }, "rule_name": "Potential Persistence Through Run Control Detected", - "sha256": "cd15e73bb94658d23cc9c074c1ace32b319514089fac6deb29e145d0179bb131", + "sha256": "514ea9a49add087a7f2f10f48d370ebfea15dc09db5bb9d5a908453ced80567e", "type": "new_terms", - "version": 106 + "version": 107 + }, + "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { + "min_stack_version": "8.3", + "rule_name": "Netcat Listener Established via rlwrap", + "sha256": "ff53f0363d8f483a8cedf49e6a907968b544472e09fd83e82d1eb9b2f3b16af0", + "type": "eql", + "version": 1 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", 
@@ -497,24 +536,33 @@ }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.3", - "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "sha256": "ab39fe136a7992f299f43bce78b299f1c1491092730e5d6a4c4bf4d3f9231935", + "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", + "sha256": "73bcd7b6468b86456d40fae00cecf6d091d5f5b42458d68c4ba96cb0f0304967", "type": "eql", - "version": 106 + "version": 107 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "faeaccab4b1a4766cc93a7b427cb7250df74ac218438d547281678e44d7a3cd9", + "sha256": "b0824ce814b7fa05a5a6e8d9f8f54849dd033892fd3ad5d850a4a5e2df77645b", "type": "eql", - "version": 107 + "version": 108 }, "119c8877-8613-416d-a98a-96b6664ee73a": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Snapshot Export", + "sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Snapshot Export", "sha256": "8ad9d6381bc6ad8046516f5f50cdc304ccb0958161af21a171928b95088b6b17", "type": "query", - "version": 104 + "version": 205 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", 
@@ -532,16 +580,25 @@ "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "8614adabfa74ea56500abff063edfd0fab24a93e560df2fdfd68d3a60b78fa10", + "sha256": "f48869c0c1a7667d8c8a24d78167a2e33fa2e5db8b4d71bbab951f29a6571875", "type": "eql", - "version": 107 + "version": 108 }, "12051077-0124-4394-9522-8f4f4db1d674": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", + "sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", "sha256": "ee7d0fde7179ecae486163263d6baf71e90dd5e6048b4db1674a4d4eff6f2975", "type": "query", - "version": 104 + "version": 205 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", @@ -549,6 +606,13 @@ "type": "query", "version": 100 }, + "1224da6c-0326-4b4f-8454-68cdc5ae542b": { + "min_stack_version": "8.9", + "rule_name": "Suspicious Windows Process Cluster Spawned by a User", + "sha256": "dce0a6166ccdba29ec3a03d3fbd91c615057e7615daa7020e5a488304719aa3d", + "type": "machine_learning", + "version": 1 + }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", @@ -613,9 +677,9 @@ "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.3", "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "fcf12be61708b748f14f6ae118e930f2c5ebf65992bc3df225f66c5dad6ed0b6", + "sha256": "91ce748803215def5fc3e0a13c3061c7a533494b7bfd86f66b778586a56f4ee9", "type": "eql", - "version": 106 + "version": 107 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.3", 
@@ -637,6 +701,13 @@ "type": "query", "version": 100 }, + "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { + "min_stack_version": "8.9", + "rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", + "sha256": "2841e9117fd834df97cee4f6d7220cf2c5296a604b9e73f4477e8206eb7f78b3", + "type": "eql", + "version": 1 + }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "min_stack_version": "8.3", "rule_name": "Azure External Guest User Invitation", @@ -654,9 +725,9 @@ "14dab405-5dd9-450c-8106-72951af2391f": { "min_stack_version": "8.3", "rule_name": "Office Test Registry Persistence", - "sha256": "2a26bc9292902c92d9bc73a14ff7e20ffa9c0904b209692b1e8e23bd32c88fb3", + "sha256": "dfc7bc44c6f6d34fee6331a065d25992ba9f2cb18ddddf1d91a9c581eb4f15b8", "type": "eql", - "version": 1 + "version": 2 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "min_stack_version": "8.4", @@ -677,16 +748,23 @@ "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "min_stack_version": "8.3", "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "afca97139ffb2af012ea212958cd4118f14e183943e7c030e5ac45d06a430450", + "sha256": "02cd614602c0740f432c413ad474d41900748740202d7ffd5f6103b3096ff544", "type": "eql", - "version": 104 + "version": 105 + }, + "1542fa53-955e-4330-8e4d-b2d812adeb5f": { + "min_stack_version": "8.3", + "rule_name": "Execution from a Removable Media with Network Connection", + "sha256": "395e463813d0cad1e718f84d5a13a564016c82b69dcfd8027af981c0ec07cc2f", + "type": "eql", + "version": 1 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.3", "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "17c01410a2573124cf140a518366b8a585209a201bfee33b5f7d855fa9b07e2c", + "sha256": "2f29328dabd08f923a8df391ea35c8ea653ed3968d056d71b05ae11f402b17c9", "type": "query", - "version": 107 + "version": 108 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "min_stack_version": "8.3", 
@@ -724,18 +802,27 @@ "version": 104 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Group Creation", + "sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Group Creation", "sha256": "b97182b40fec27cf6728746f838be74ee2cf5ebee183fc5d0f6eaf338b7d90a3", "type": "query", - "version": 104 + "version": 205 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "min_stack_version": "8.3", "rule_name": "Component Object Model Hijacking", - "sha256": "436bc1aff82273c9504f7df46a2ce3c1653d4dd9864c1580f5ecb99a74c6e3cf", + "sha256": "6f7e78b34dbd113748d1850790a473327c1ae2f910eaed28ea59e14871d611f2", "type": "eql", - "version": 107 + "version": 108 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "min_stack_version": "8.3", @@ -782,9 +869,9 @@ "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", - "sha256": "bd8754496ad2a53571780aab55b02d8dbe4aa20329da96a586b6f81cb7fecdf8", + "sha256": "4ee6af63081a009901c6f3b4f3f314e8c3dbe15dd4d5751b7c5536708cc01fed", "type": "new_terms", - "version": 4 + "version": 5 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.3", 
@@ -823,16 +910,25 @@ "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", - "sha256": "1169776f997d618e40607bc71cdd85c338f7c14f158c845f3ab3ab48922d23f4", + "sha256": "f58eb1cacf84d92e06f41776bcc67711b803714568ae64ad82e907c980a3c4d5", "type": "eql", - "version": 1 + "version": 2 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Rare AWS Error Code", + "sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Rare AWS Error Code", "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec", "type": "machine_learning", - "version": 107 + "version": 208 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "min_stack_version": "8.9", @@ -863,11 +959,20 @@ "version": 106 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Suspended", + "sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Suspended", "sha256": "dd01a147a8898a4f6c696c83a4c436bf0325ab7552a03039d7cd71ff0b6c00dc", "type": "query", - "version": 107 + "version": 208 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "min_stack_version": "8.3", 
@@ -879,23 +984,39 @@ "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "min_stack_version": "8.3", "rule_name": "Connection to Internal Network via Telnet", - "sha256": "68f0d73167458fd1589c365cfb07d8bdf9d49e3368435dd8ad08d5eda2d180a4", + "sha256": "aae5d1cb44fafff6fe643a706d5eef8d83794dfae46ea638507259cb2c9bb041", "type": "eql", - "version": 104 + "version": 105 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS ElastiCache Security Group Modified or Deleted", + "sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS ElastiCache Security Group Modified or Deleted", "sha256": "95e2cb6322ef7b2d7bc2fc96460cbfcb4c76f0eb17351a134c783936996adab0", "type": "query", - "version": 104 + "version": 205 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "min_stack_version": "8.3", "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "8b67ccd035342354a2698b9006811320c186cc7a6caebc0aaff26698e08a45bd", + "sha256": "0b4cbcadf42c525059f293cf8894de62f587e228878dfc70d1d6aafdfebaa221", "type": "eql", - "version": 7 + "version": 8 + }, + "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { + "min_stack_version": "8.3", + "rule_name": "Potential Process Injection from Malicious Document", + "sha256": "585cc415f1c54e220db615a5f052321909100ebc7b9e63b944e6b19a6a4e6404", + "type": "eql", + "version": 1 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "min_stack_version": "8.3", 
@@ -907,9 +1028,9 @@ "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "3113571e7885f573582d119f9e0905d33369509446e7a2729497380f27d3d077", + "sha256": "d5fac2c07f8912a7aeb5987420d21df972ba3bcfda92b5c66438a6f37625e973", "type": "eql", - "version": 108 + "version": 109 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "min_stack_version": "8.3", @@ -935,9 +1056,9 @@ "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.3", "rule_name": "Remote File Download via Script Interpreter", - "sha256": "6e10cd53c6b8fef5635f3e97892648c45c1ef8219958c3ad9af076a08f6788b7", + "sha256": "9b721a8bd708e3ba1c854f032771bd1fa175535e5dc546a07be290e5c156c6d3", "type": "eql", - "version": 107 + "version": 108 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "min_stack_version": "8.3", @@ -956,9 +1077,9 @@ "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "cbdda8fa4a7ee1ebd5708a3bcc4aaf50947d560339f8f8c45effe6f0e8309a64", + "sha256": "09504eee0ca293aed720134b083bcf30791788c02f630b563bfb73e34fe17918", "type": "eql", - "version": 104 + "version": 105 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "min_stack_version": "8.4", @@ -974,6 +1095,13 @@ "type": "eql", "version": 106 }, + "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { + "min_stack_version": "8.3", + "rule_name": "Potential Linux Hack Tool Launched", + "sha256": "1d7ffe0b0cb484baa86ed92a884c1b7c1ed28b7a8d3591393beaf14d5ffe7fc4", + "type": "eql", + "version": 1 + }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Discovery Capabilities", 
@@ -1026,9 +1154,9 @@ "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.3", "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "f14eab4a7143c53fcd49fb00bb945fe9f86c0db1e63ad3b4fd1ceced47e484f1", + "sha256": "6005266947232b8c8285b53252c0a3aceb08713658436d0aa268fd92aaa462f0", "type": "eql", - "version": 107 + "version": 108 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "min_stack_version": "8.3", @@ -1040,9 +1168,9 @@ "201200f1-a99b-43fb-88ed-f65a45c4972c": { "min_stack_version": "8.3", "rule_name": "Suspicious .NET Code Compilation", - "sha256": "838a9d840a2c93100aa9faf4b4291f9c968db9e541f1cf59807bd041b0d88a94", + "sha256": "94fec9b0c4fecdb1ba512be811459a1cae6d7efcac880fc5d63a308a8f87be8b", "type": "eql", - "version": 106 + "version": 107 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.3", @@ -1052,11 +1180,20 @@ "version": 106 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route 53 Domain Transferred to Another Account", + "sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route 53 Domain Transferred to Another Account", "sha256": "7512cf97f8885a42febe293ecc8c04d77f6369d4ba87372fcd3ef38a204f9af3", "type": "query", - "version": 104 + "version": 205 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.3", 
@@ -1107,11 +1244,20 @@ "version": 5 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "SSH Authorized Keys File Modification", + "sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c", + "type": "query", + "version": 104 + } + }, "rule_name": "SSH Authorized Keys File Modification", - "sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c", - "type": "query", - "version": 104 + "sha256": "005f7835fa070f7f885e2383bf737e042e166aa86438d213922d52e82ff0cd91", + "type": "new_terms", + "version": 204 }, "22599847-5d13-48cb-8872-5796fee8692b": { "min_stack_version": "8.3", @@ -1121,11 +1267,20 @@ "version": 107 }, "227dc608-e558-43d9-b521-150772250bae": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "AWS S3 Bucket Configuration Deletion", + "sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17", + "type": "query", + "version": 106 + } + }, "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "7804226b0da1b8d6dde3bbfed024feab1da6c23e091dfa55852b50309f4dd9fe", "type": "query", - "version": 105 + "version": 206 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "min_stack_version": "8.3", @@ -1143,10 +1298,10 @@ }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "min_stack_version": "8.3", - "rule_name": "Kernel module load via insmod", - "sha256": "716b6003b6a1bbcec145bd5ccdfc5283a40c843dc12fc82ff75fd26cc67b5b7c", + "rule_name": "Kernel Module Load via insmod", + "sha256": "4c816b9ebae8561e4197ef52689ef05de8036037dc74de66afdae2a9aa6a2845", "type": "eql", - "version": 105 + "version": 106 }, "2377946d-0f01-4957-8812-6878985f515d": { "min_stack_version": "8.9", 
@@ -1165,23 +1320,23 @@ "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", - "sha256": "9567e972186b39d9f4d1a378dfb482b40eae9cc129ee8c83562223fb8f1a9a3a", + "sha256": "7eb4bab3a9d22066a5b70d36c5d06224bd14bf207e4152a20a04bd323f5fc06a", "type": "eql", - "version": 104 + "version": 105 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "e46a905a4613f54e71ebce5fcab1853140ae284c3d0ecc23ad4afa82c5ca69e3", + "sha256": "98913787308b752f32b96a1d2e394c59c7a0c880b2caa632f30c81842f2cb0c9", "type": "eql", - "version": 1 + "version": 2 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "8bd9e051e381430287850aac140060e1c4eb55636e83ae0d010d241069f208cb", + "sha256": "15d66149f0f83ab636bbca6591b3cda98a98989d4e8cbca69c06725499d7fd2e", "type": "eql", - "version": 2 + "version": 3 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "min_stack_version": "8.3", @@ -1193,9 +1348,9 @@ "265db8f5-fc73-4d0d-b434-6483b56372e2": { "min_stack_version": "8.3", "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "158c5a76f4a4ff8441aa5189db7ca3f8677a210f01a9023decd1732862ef8f46", + "sha256": "0f3875681feabc9889f6f06cf0687e0b3f367b347f46f58fe88448b97c69821c", "type": "eql", - "version": 107 + "version": 108 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "min_stack_version": "8.3", @@ -1235,9 +1390,9 @@ "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "ed68bcf2e292ec89f9e8f578e9e4847812fd4177fa242725286c16db53ff03e0", + "sha256": "06a344a111e75594161e3a08c78be77d29fd146dec8b6ce48d5cc9330a9166f1", "type": "eql", - "version": 106 + "version": 107 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "min_stack_version": "8.3", 
@@ -1256,16 +1411,16 @@ "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "min_stack_version": "8.3", "rule_name": "Account Password Reset Remotely", - "sha256": "4e81da588d72ce375e5c9d046ebc2d09776070111a26ad970d2a12b048741c4d", + "sha256": "f21f7b41b32d1c07a79ab7a9be75729b18a0dff1cf744238f305d04f3a862ea6", "type": "eql", - "version": 106 + "version": 107 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.3", "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "8ba669048ae42b7afd8f153bbae5a1b181f3d070db1241c38c847c1fe4dae0e1", + "sha256": "900b6c0dcc73edd29b7f8b445d08d37da743dcd1e18c5a8cc4a545be1c9e4c72", "type": "eql", - "version": 106 + "version": 107 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "min_stack_version": "8.3", @@ -1277,9 +1432,9 @@ "28738f9f-7427-4d23-bc69-756708b5f624": { "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", - "sha256": "6d8b1a876a2e1ce2967be858e2e4cfecd82d84c47b08d8e33c72e22725073eb2", + "sha256": "29566bc20e44999833de4b93b85e993bbca41d4c16ca41f5fe01ea80ad52937a", "type": "eql", - "version": 5 + "version": 6 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", 
@@ -1290,30 +1445,39 @@ "28d39238-0c01-420a-b77a-24e5a7378663": { "min_stack_version": "8.3", "rule_name": "Sudo Command Enumeration Detected", - "sha256": "ea5c6d696a82dd4d7d63fb04dd726e8b1fb33ac4622151663d19d31ef7a99a67", + "sha256": "765e6c39bbdfecbbfd3ffa1a44b4838d06c295b53d4b73143316ec99c8b3550b", "type": "eql", - "version": 2 + "version": 3 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Security Group Configuration Change Detection", + "sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Security Group Configuration Change Detection", "sha256": "f057a319aa5b049290fa8416727ae3ef64bb9ac7779901a61713efe9acef57da", "type": "query", - "version": 104 + "version": 205 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "47309853f13ad591cfcbb60814b5c1a7c731abfc3f5349fbb5e9acb25b347134", + "sha256": "a6231a8bcd050f72676f997117e09ea1f8873a178971237eb2b54404906f0c95", "type": "eql", - "version": 107 + "version": 108 }, "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.3", "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "e1d3e0942816bd8564b7abde73127790f145ce3332346d041fbc1e0421600524", + "sha256": "13c2fcb9dbaf1339d3e3b7e5fa159bc1a2875aee235776f1bb13518d49a8d738", "type": "eql", - "version": 106 + "version": 107 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.6", 
@@ -1348,9 +1512,9 @@ "2a692072-d78d-42f3-a48a-775677d79c4e": { "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", - "sha256": "2f246e33c5b5318512de95d017377941e955a43a607619340a1ee900353ca612", + "sha256": "8dd9f5b2abfa297105040ebfc4e441af646a5bec20f8ee97a6856351c8e1f99b", "type": "eql", - "version": 3 + "version": 4 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "min_stack_version": "8.4", @@ -1371,16 +1535,16 @@ "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "min_stack_version": "8.5", "rule_name": "ESXI Discovery via Grep", - "sha256": "8193724c74f8c3bda981c1ea69c1775177c530e3a5d30e2387577bd4abaa66f2", + "sha256": "01993ae1314c912204f7b87a0999c27cd2861f56a7a0b766dd0bbe4119dc0c9f", "type": "eql", - "version": 3 + "version": 4 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.3", "rule_name": "Adobe Hijack Persistence", - "sha256": "9aeae912e062be1da7e7f26a9a5cb726d945ce4bba3c5b040a131c5636920a59", + "sha256": "6c4da0a89fa984f5f93fd0fa33b26bc6bee17987271ce73792eb19e342bd9289", "type": "eql", - "version": 107 + "version": 108 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "min_stack_version": "8.3", @@ -1408,9 +1572,9 @@ } }, "rule_name": "Enumeration of Kernel Modules", - "sha256": "e66fa90d3d617373ae52b10b1487f5d53b35fea7e11bf4371ccaf37fe0782482", + "sha256": "2fa255256633606f39637f99e60437fd03db8f4721370c5cefa5c65857661e01", "type": "new_terms", - "version": 205 + "version": 206 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.8", 
@@ -1424,9 +1588,16 @@ } }, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "df14ef4e07fceb0c56c6aa4890c718fa6bd9c54adc900f5bf264727e7a7c0d37", + "sha256": "2c9cb831e23495341a51736efbfd144c71ae76cd1e9219fdc2078d70cdbc0407", "type": "eql", - "version": 208 + "version": 209 + }, + "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { + "min_stack_version": "8.3", + "rule_name": "Potential SSH-IT SSH Worm Downloaded", + "sha256": "2235a3c31df521f4cbbff7cf12df793eb343d389777cc8851c382a1434bef647", + "type": "eql", + "version": 1 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "min_stack_version": "8.3", @@ -1452,9 +1623,9 @@ "2e29e96a-b67c-455a-afe4-de6183431d0d": { "min_stack_version": "8.3", "rule_name": "Potential Process Injection via PowerShell", - "sha256": "58530124be115763c6110e3c32f34e5fc8c70fa063e74e97252e3dcccc45a1f0", + "sha256": "3921a45db23fa07aa23f52a05c6cc6645307b5795c62c52f1ab0e7119b93182b", "type": "query", - "version": 107 + "version": 108 }, "2e311539-cd88-4a85-a301-04f38795007c": { "min_stack_version": "8.3", @@ -1466,9 +1637,9 @@ "2e580225-2a58-48ef-938b-572933be06fe": { "min_stack_version": "8.3", "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "e19b7c3823c6e134dd116b5b1562e846ca9d4d847a6e25da14c421165a39d028", + "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", "type": "query", - "version": 103 + "version": 104 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.3", 
@@ -1487,30 +1658,30 @@
 "2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
- "sha256": "ec46e116c1fd77711b1cc1c49189cb9495b50a6d18e577cd1d5214de5233c641",
+ "sha256": "65b15ece2e91066379c4bf4c8646bde0a3f995c713d228332c5ef3af665e3c0d",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "min_stack_version": "8.3",
 "rule_name": "Attempt to Disable Syslog Service",
- "sha256": "2a77643c47329e2c910e5c86d8c3b2f0cf2b93527ad5bc129d7e614c07ba6369",
+ "sha256": "bdea522d5730e3c4d4239717173a709ebc5ff118296edbcb70faeb3e62cdcc0d",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
 "min_stack_version": "8.3",
 "rule_name": "Startup Folder Persistence via Unsigned Process",
- "sha256": "2164ee6d1c3cd39e214f6c965e6cbd0a1dd158e51dd0d883fe83d6915d5f4621",
+ "sha256": "c77de421e7a60ec97356465d4a834fc49fed6b0b7ae28debbac3786b07459d62",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "2ffa1f1e-b6db-47fa-994b-1512743847eb": {
 "min_stack_version": "8.3",
 "rule_name": "Windows Defender Disabled via Registry Modification",
- "sha256": "414eb4b19b8f79b0c86119bc090d5a342e45837af770df8d3365d3ab81bf5036",
+ "sha256": "1e95c5544b74d84ae96e15fafa7f0ffb9e564fa1552c02adbdf2d0bb9e68e7a3",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "301571f3-b316-4969-8dd0-7917410030d3": {
 "min_stack_version": "8.9",
@@ -1529,9 +1700,9 @@
 "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
 "min_stack_version": "8.5",
 "rule_name": "ESXI Timestomping using Touch Command",
- "sha256": "9375d07c27d373fae95ace527be0d4a8117abd263b43adfb31536459bda562a9",
+ "sha256": "7f96205f8ffdfb7be7c57a34dbdf149f99a13961e1477d17815ad48f85b7bdc0",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
 "min_stack_version": "8.3",
@@ -1543,16 +1714,16 @@
 "31295df3-277b-4c56-a1fb-84e31b4222a9": {
 "min_stack_version": "8.3",
 "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
- "sha256": "d7b2ec2f04b54fbd827d684086503c9240c5b500bb50c7ba12525842e88890d1",
+ "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
 "min_stack_version": "8.3",
 "rule_name": "Bypass UAC via Event Viewer",
- "sha256": "c52ce2472b85ca6486fe8ffef36ba98c35db8cd02a58a3e00cbdfbe6448fa7e7",
+ "sha256": "2ca2ed5d2836beb7bbbfd48b039b171774baba1b8995a88ab16943fbbb170fa9",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "3202e172-01b1-4738-a932-d024c514ba72": {
 "min_stack_version": "8.3",
@@ -1585,23 +1756,32 @@
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious MS Outlook Child Process",
- "sha256": "bfcb1a92ded4fab88e6d4e463b78405b82e80e00b2b0e1260ba1ff8164ac01dd",
+ "sha256": "dfea65085c4b690895eb691760b4a9025da59cecbf5c4ff242c26713ede0bb2c",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "333de828-8190-4cf5-8d7c-7575846f6fe0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 207,
+ "rule_name": "AWS IAM User Addition to Group",
+ "sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d",
+ "type": "query",
+ "version": 108
+ }
+ },
 "rule_name": "AWS IAM User Addition to Group",
 "sha256": "e6dc79527703135b1ce027a5d88baa39dd4c3512d0a5f56a036b8a27eab4ee81",
 "type": "query",
- "version": 107
+ "version": 208
 },
 "33a6752b-da5e-45f8-b13a-5f094c09522f": {
 "min_stack_version": "8.5",
 "rule_name": "ESXI Discovery via Find",
- "sha256": "9d95402d5a02b1571ef1d3e5ad966c19fd3cbeff7b5fa58198ac9151e1923ba0",
+ "sha256": "f71d1a0fc2a3a9498c1c07bb8d19631c82ed04d6216b650b39cf5c767ccd0ea4",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "33f306e8-417c-411b-965c-c2812d6d3f4d": {
 "min_stack_version": "8.3",
@@ -1641,9 +1821,16 @@
 "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
 "min_stack_version": "8.3",
 "rule_name": "Port Forwarding Rule Addition",
- "sha256": "83831c2c3a4be02d59440da6f570b9d7e7064ecf5fa6df5565f36e68b68cd2ce",
+ "sha256": "2ec830c30a80eba9d2bfb5dc78d0ce64e7eb8f66ea2f8266e666d077fa916852",
 "type": "eql",
- "version": 106
+ "version": 107
+ },
+ "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
+ "min_stack_version": "8.9",
+ "rule_name": "Spike in Bytes Sent to an External Device",
+ "sha256": "a8debadb004c9ca04fb7f3321cd45dc0ad8f93d6437be72cbbc5d09b84382fd1",
+ "type": "machine_learning",
+ "version": 1
 },
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "min_stack_version": "8.3",
@@ -1668,16 +1855,16 @@
 "3688577a-d196-11ec-90b0-f661ea17fbce": {
 "min_stack_version": "8.3",
 "rule_name": "Process Started from Process ID (PID) File",
- "sha256": "b4e738c5be1bba9711b183dd54a22a8c10aec54e4a5310352cc7ac4ad24b9af1",
+ "sha256": "cafe78e9310f27ba8cdcfb8fbc318a1a2f55223679ea3d91c3a0877dd578b7d3",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious ImagePath Service Creation",
- "sha256": "2684dc4258fdff2568772c371afcba2729e543adeac05d5e8fbad36f45417fec",
+ "sha256": "dabff5221c0b2f406165374af490dcdb04a568295196b805962ea4b2e88e734e",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
 "min_stack_version": "8.9",
@@ -1689,16 +1876,25 @@
 "3728c08d-9b70-456b-b6b8-007c7d246128": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Suspicious File Edit",
- "sha256": "46076a578186ec461ee06fdb94def49ec0f94300cea3bd8364ebfc75895b65ae",
+ "sha256": "0f9b9c003bc39253a948a9da6d7c5b5263d9d1dc3c73abf730550e6c0c3ff687",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 204,
+ "rule_name": "AWS RDS Security Group Creation",
+ "sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "AWS RDS Security Group Creation",
 "sha256": "6ed9dc7097e846293dbf822a322406b46fcbd9d6642245a4dfbc73aabd62537b",
 "type": "query",
- "version": 104
+ "version": 205
 },
 "37994bca-0611-4500-ab67-5588afe73b77": {
 "min_stack_version": "8.3",
@@ -1714,11 +1910,20 @@
 "version": 100
 },
 "37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 207,
+ "rule_name": "AWS Execution via System Manager",
+ "sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60",
+ "type": "query",
+ "version": 108
+ }
+ },
 "rule_name": "AWS Execution via System Manager",
 "sha256": "f01c87073629652bd0f1abe3f300881145bb533a262308717ffcc0bab17a3dd0",
 "type": "query",
- "version": 107
+ "version": 208
 },
 "37f638ea-909d-4f94-9248-edd21e4a9906": {
 "min_stack_version": "8.3",
@@ -1728,11 +1933,20 @@
 "version": 104
 },
 "3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Attempted Bypass of Okta MFA",
+ "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2",
+ "type": "query",
+ "version": 107
+ }
+ },
 "rule_name": "Attempted Bypass of Okta MFA",
 "sha256": "6873fd08617e0efde5dccf424aacbfe7057877288810c2ed68293f795964241b",
 "type": "query",
- "version": 106
+ "version": 207
 },
 "3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
 "min_stack_version": "8.3",
@@ -1763,11 +1977,20 @@
 "version": 2
 },
 "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 204,
+ "rule_name": "AWS EC2 Network Access Control List Creation",
+ "sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "AWS EC2 Network Access Control List Creation",
 "sha256": "ad7864116d4d41fba90af76f8325d2a86358ed55b0b9be7204d8983cc62b2614",
 "type": "query",
- "version": 104
+ "version": 205
 },
 "39157d52-4035-44a8-9d1a-6f8c5f580a07": {
 "min_stack_version": "8.3",
@@ -1786,9 +2009,9 @@
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "min_stack_version": "8.3",
 "rule_name": "Potential DNS Tunneling via NsLookup",
- "sha256": "fd0213ea9905c71a65f94da36a92164a378cd8232856a0ac441ae9f7d49fb108",
+ "sha256": "fb96d295d12b3d405dc93ad509f792885c4e32bb760c7518b005755a6ad6acb4",
 "type": "threshold",
- "version": 106
+ "version": 107
 },
 "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
 "min_stack_version": "8.3",
@@ -1834,9 +2057,9 @@
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "min_stack_version": "8.3",
 "rule_name": "NTDS or SAM Database File Copied",
- "sha256": "cd3c9afd05e54eb93da83e2d90065582aaad08ee77a94fae48f952f89c46e626",
+ "sha256": "691edf20cc218616ece6013dbbfe102d01c87c91cfd3bd49ea126eb3830c5982",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "min_stack_version": "8.3",
@@ -1853,11 +2076,20 @@
 "version": 2
 },
 "3e002465-876f-4f04-b016-84ef48ce7e5d": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 207,
+ "rule_name": "AWS CloudTrail Log Updated",
+ "sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99",
+ "type": "query",
+ "version": 108
+ }
+ },
 "rule_name": "AWS CloudTrail Log Updated",
 "sha256": "889bfc3e221a4919949c2b2fab1b12ee9a96a75c27e1e249c243318f7bd81063",
 "type": "query",
- "version": 107
+ "version": 208
 },
 "3e0561b5-3fac-4461-84cc-19163b9aaa61": {
 "min_stack_version": "8.9",
@@ -1880,6 +2112,13 @@
 "type": "eql",
 "version": 104
 },
+ "3e441bdb-596c-44fd-8628-2cfdf4516ada": {
+ "min_stack_version": "8.3",
+ "rule_name": "Potential Remote File Execution via MSIEXEC",
+ "sha256": "1d20b245f40477327dbf43e563d8a93eca7531b9c1fa4649a0e9692d0eb33b01",
+ "type": "eql",
+ "version": 1
+ },
 "3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
 "min_stack_version": "8.3",
 "rule_name": "Privilege Escalation via Named Pipe Impersonation",
@@ -1920,16 +2159,16 @@
 "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Protocol Tunneling via Chisel Client",
- "sha256": "337011e93c02efa090b9a19745d82c3d58fd18bee555ff69edaff5e9ff1466b7",
+ "sha256": "2bc6f32144a2b110dfc14493dc5930b3aa2c23ca7d00b46924c2643ac2d73c45",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
 "min_stack_version": "8.3",
 "rule_name": "Binary Executed from Shared Memory Directory",
- "sha256": "b3aad2bca92e5e1acd788cfd14d9606aa4b803a48bf303ad37e210739fec9d24",
+ "sha256": "511ca509d7faf58b68373d12932edd1aef607c53de1314647b3764b976fb35fe",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "3f4d7734-2151-4481-b394-09d7c6c91f75": {
 "min_stack_version": "8.3",
@@ -1945,19 +2184,42 @@
 "type": "machine_learning",
 "version": 1
 },
+ "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
+ "min_stack_version": "8.9",
+ "rule_name": "Unusual Process Spawned by a User",
+ "sha256": "76ae6142111e83c98205115ae9df5b7be5f1c79187429dbf5dba2f51c0cdb4d6",
+ "type": "machine_learning",
+ "version": 1
+ },
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Persistence via Services Registry",
- "sha256": "5bb822cc67b9581124c21c5f4abb213946ce935b1c3f3ca248d1c2fcd9ce54e6",
+ "sha256": "0f9c30762b9d866395af98426eb9a784abbf168110167161bb7302fc4402a8dc",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.6",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 102,
+ "rule_name": "Suspicious Modprobe File Event",
+ "sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Suspicious Modprobe File Event",
- "sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c",
+ "sha256": "c6ccd9c0ba411da8142f15ca71dd04dca27e1ec82b527324439621b449f4812d",
+ "type": "new_terms",
+ "version": 103
+ },
+ "41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
+ "min_stack_version": "8.3",
+ "rule_name": "Unix Socket Connection",
+ "sha256": "38561d8ce173227b49b1459ae11d38bfba76385fa68298e1ddb7b8603d57a8b6",
 "type": "eql",
- "version": 3
+ "version": 1
 },
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "min_stack_version": "8.3",
@@ -1988,11 +2250,20 @@
 "version": 2
 },
 "42bf698b-4738-445b-8231-c834ddefd8a0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 206,
+ "rule_name": "Okta Brute Force or Password Spraying Attack",
+ "sha256": "9ecdb590d2df1959b2b11908911f24308925c345cce10b0370721afd09a2196e",
+ "type": "threshold",
+ "version": 107
+ }
+ },
 "rule_name": "Okta Brute Force or Password Spraying Attack",
 "sha256": "60954a70897438ce1627fe0aab388688a6c189b04e7eca5543e0c450283c029b",
 "type": "threshold",
- "version": 106
+ "version": 207
 },
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "min_stack_version": "8.3",
@@ -2018,9 +2289,9 @@
 "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
 "min_stack_version": "8.3",
 "rule_name": "Linux User Added to Privileged Group",
- "sha256": "a48dc7ec63791f8c62b58bfbca37d6765b39621454d2720ac839e13758d02adb",
+ "sha256": "3730f04f7a829d9ca0f149c00ebd1c6cd07226bad5915f6295d82656e40bf5f8",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "min_stack_version": "8.3",
@@ -2039,9 +2310,9 @@
 "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Masquerading as VLC DLL",
- "sha256": "d3d1985a8512a777f4738794f03380c077f3c84594acd1aefdf22211a59bfba8",
+ "sha256": "ed65c5d1379b83e560f4fa24ff1f51887de783c7e8f3fc329b717a14700a859c",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
 "min_stack_version": "8.3",
@@ -2067,23 +2338,23 @@
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "min_stack_version": "8.3",
 "rule_name": "Encrypting Files with WinRar or 7z",
- "sha256": "a8e0ecc0284175dcd1f57756fc03477d87d4fecfee80397c01f1490f52ed9b66",
+ "sha256": "576f44e57f57bcc5a260380c704c2c253b9f8fcefa472e5b4339b0e138c9112b",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "min_stack_version": "8.3",
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "99fb4c9799becbcb9eaf99a6b9a8c21d74415d2a27790c5e52798590df285c07",
+ "sha256": "5b1155c651c8cba197b8525501a76da112e7941889fa0a8b5b0e27caf1105deb",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "4682fd2c-cfae-47ed-a543-9bed37657aa6": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": "3df00646c1daf36bfe94ebc4e75150121576981877aeb3d5d6c17fc11bb6fb2b",
+ "sha256": "990b886b92cb87798246a158ca46bf1b61eb1ac09d2e34d3744dee85300efb72",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "min_stack_version": "8.3",
@@ -2095,9 +2366,9 @@
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
 "min_stack_version": "8.6",
 "rule_name": "Potential Persistence Through init.d Detected",
- "sha256": "ec686d5f69b96d1fefa61938439b2be36a7d62b6ec9a5277294454b9d21f090c",
+ "sha256": "c231805a854c98302dcc5c774688217904e4960a000e193bb04158fac9a0b743",
 "type": "new_terms",
- "version": 5
+ "version": 6
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "min_stack_version": "8.8",
@@ -2109,9 +2380,9 @@
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
- "sha256": "5c400174c733b48a59cb568595f1b992705473fc85698c48a5006a770c99ddb6",
+ "sha256": "264b7c418b25b248ad38bc172ac651d639a720a652fba044e02596419b889ef5",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
@@ -2129,9 +2400,9 @@
 "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
- "sha256": "bbe5ae3b8a285ccb4c26e9a210d268966a5996803f54073b159507458f48ee7b",
+ "sha256": "99db297efd0e9e1c456c8eaddae105366196554aa82301813ee7a4aba19911cd",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "48819484-9826-4083-9eba-1da74cd0eaf2": {
 "min_stack_version": "8.6",
@@ -2143,9 +2414,9 @@
 "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell",
- "sha256": "f29f06799ee7b6289d2ba8ffcd4908551efa144016a33e8eaa47b94f2370da97",
+ "sha256": "b10222772b435ef7d9cf4dfa4b50a492a7900cc176fdf11e901159c69d62d2b8",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "min_stack_version": "8.3",
@@ -2168,6 +2439,13 @@
 "type": "query",
 "version": 104
 },
+ "48f657ee-de4f-477c-aa99-ed88ee7af97a": {
+ "min_stack_version": "8.3",
+ "rule_name": "Remote XSL Script Execution via COM",
+ "sha256": "19961cd9171e3ef5204e98314fdf573ac68e28c6ab1c5e91b5f1d71c919ea7db",
+ "type": "eql",
+ "version": 1
+ },
 "493834ca-f861-414c-8602-150d5505b777": {
 "min_stack_version": "8.3",
 "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
@@ -2178,9 +2456,9 @@
 "494ebba4-ecb7-4be4-8c6f-654c686549ad": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Linux Backdoor User Account Creation",
- "sha256": "eb9cf2a2df73743755d82c3d776ba2ffd7f17ef1773d32e3def0fb2fd6c50988",
+ "sha256": "333fc1776029a4e23f0c6df62d3370c335760abb4aa501be982831e2e71341d7",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "495e5f2e-2480-11ed-bea8-f661ea17fbce": {
 "min_stack_version": "8.4",
@@ -2215,16 +2493,16 @@
 "4a4e23cf-78a2-449c-bac3-701924c269d3": {
 "min_stack_version": "8.3",
 "rule_name": "Possible FIN7 DGA Command and Control Behavior",
- "sha256": "fb2b93218641d75dfdcf31527ed8c4baa8ab8d79de140128a054b9a7eb67aac0",
+ "sha256": "599489e4a0c4b02a7717d928a5881b6281d1362970adb1074d5362a33c45444b",
 "type": "query",
- "version": 103
+ "version": 104
 },
 "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
- "sha256": "8a3258a1db6d86b53f94205b24cc30b455508da7981acdcec7d44df34131b612",
+ "sha256": "42573412f6b2d0083dfd8c9fc5945f654cc818d4cea60939076a6cf5967a2b7d",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
 "min_stack_version": "8.3",
@@ -2235,10 +2513,10 @@
 },
 "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
 "min_stack_version": "8.3",
- "rule_name": "Potential Reverse Shell via Suspicious Parent Process",
- "sha256": "92665fcb5d7f54bd4531c913e33b9cd692aa92cf5ee65941d69c6c2a0aa5c260",
+ "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
+ "sha256": "c71a551642317ffccfbd85c414cc689e14d3a2deea09251aa8ac9895963bb204",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "min_stack_version": "8.3",
@@ -2261,6 +2539,13 @@
 "type": "eql",
 "version": 1
 },
+ "4b95ecea-7225-4690-9938-2a2c0bad9c99": {
+ "min_stack_version": "8.9",
+ "rule_name": "Unusual Process Writing Data to an External Device",
+ "sha256": "89378fe5870a5d6d2e956d464c722bdba8845495639f22082cb218dfe9c4fbf0",
+ "type": "machine_learning",
+ "version": 1
+ },
 "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
 "min_stack_version": "8.3",
 "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
@@ -2271,23 +2556,32 @@
 "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Share Enumeration Script",
- "sha256": "c39e8202c6aa104cacdbd7f152f22e19bf2a5e6da299ab44464663d93c2175e1",
+ "sha256": "0ad222085b8d696dd4df1055275c7fc6989064286734182865e772fbd8aac3c9",
 "type": "query",
- "version": 6
+ "version": 7
 },
 "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
 "min_stack_version": "8.3",
 "rule_name": "Kernel Load or Unload via Kexec Detected",
- "sha256": "06f6564ca643c6532abb1cdaa5f7b63ff7967e301d6d4c7fb188471da4c03140",
+ "sha256": "d4da085e36a4b1a471325f7c34f050486db0b5900302611bfda3c2d85305028b",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 204,
+ "rule_name": "AWS Management Console Brute Force of Root User Identity",
+ "sha256": "32d9ab18831ca9798b2304547daeb8258a6f8905a01a54c468b20409eee885f6",
+ "type": "threshold",
+ "version": 105
+ }
+ },
 "rule_name": "AWS Management Console Brute Force of Root User Identity",
 "sha256": "c7f85d799207c359e3f84f41c0473858bad893198ffa7f3d8327d153eb0b422c",
 "type": "threshold",
- "version": 104
+ "version": 205
 },
 "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
 "min_stack_version": "8.3",
@@ -2299,9 +2593,9 @@
 "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
 "min_stack_version": "8.3",
 "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
- "sha256": "2f90c20e27fe53e8d19581d66c3700d0e607aeca622f713dffbee083470bdbf7",
+ "sha256": "cdad95a52719987cf204d9063951cbe05b1e08a28f4d91b3cf8f5d5aa48800d2",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
 "min_stack_version": "8.3",
@@ -2313,37 +2607,46 @@
 "4ec47004-b34a-42e6-8003-376a123ea447": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Process Spawned from MOTD Detected",
- "sha256": "d6507cd42eb759b19bc5d612350f5fee646f38be4fe487ebc7121f70ac057de9",
+ "sha256": "ed16c35ba79c045b3ae6cd2406ac39e5ee143767a2f8ae4a0a8ac6fb738b16c3",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
- "sha256": "93581d9de1f2ecba9d10b0b90fc4802c633fdc525cef6b539c20da833098dbfc",
+ "sha256": "05f50e5500930fb6e8ed1646e88db67b24a1430eb1fb589bb9976dd052f0f44d",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious Script Object Execution",
- "sha256": "3b2f5bb731e55d25192b6e44e2f8e2453784591f0b9be178867e26489f73a694",
+ "sha256": "41b132e87127770048e08a8d65fb63fd3180ee0d52ad69f666c0abe1ab20afd2",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "Unauthorized Access to an Okta Application",
+ "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Unauthorized Access to an Okta Application",
 "sha256": "6cf84f243e86183b9bc2efdc39aa92f7573c421593ce71f1ce90dd87daf5b2dd",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "4fe9d835-40e1-452d-8230-17c147cafad8": {
 "min_stack_version": "8.3",
 "rule_name": "Execution via TSClient Mountpoint",
- "sha256": "d133f690998687a3f65041994c005ecd901bab7ac5c3504f34a8f2ca04cadbf5",
+ "sha256": "1717dbef17fd0507846473218f580ffdf11e5ba35497e2beb391d506d75289dd",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "51176ed2-2d90-49f2-9f3d-17196428b169": {
 "min_stack_version": "8.3",
@@ -2362,9 +2665,9 @@
 "513f0ffd-b317-4b9c-9494-92ce861f22c7": {
 "min_stack_version": "8.3",
 "rule_name": "Registry Persistence via AppCert DLL",
- "sha256": "b62558c73fd30587a1edeb6e1a36b61cf60b19070b994e570a3f4bd023f546cd",
+ "sha256": "d098bba4900b382c6cd742182baba85a01b2337fbd4ff36da2bc9fdf6b408b7c",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "514121ce-c7b6-474a-8237-68ff71672379": {
 "min_stack_version": "8.3",
@@ -2383,30 +2686,46 @@
 "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
 "min_stack_version": "8.3",
 "rule_name": "Incoming DCOM Lateral Movement with MMC",
- "sha256": "f944e30753df250f1d624c4c46ee0f5a60767d7d8ebc3d60af90ca77daab281d",
+ "sha256": "298d203a01db67a0653310a2665d704f81a97db74789cbe2fdf632ebe7574155",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
- "sha256": "da0f4a98171700a7be9bdcc51c7e387d476f86016c7d95dd1313f5d899c34fe3",
+ "sha256": "4111de70c21f8c5461da2f1b30720b9621c857bc8526b1d4e71bcc108b95c928",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 204,
+ "rule_name": "AWS GuardDuty Detector Deletion",
+ "sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "AWS GuardDuty Detector Deletion",
 "sha256": "238e31f86ad8ffd8ec077358374a122a8c7bbee39ce994f761ad3441be820a9c",
 "type": "query",
- "version": 104
+ "version": 205
 },
 "52376a86-ee86-4967-97ae-1a05f55816f0": {
 "min_stack_version": "8.3",
 "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
- "sha256": "b6f2ca3d5270df9abe50800ebae493a3d6b715de6b3caea02f86fcd29c4f3c7e",
+ "sha256": "0076c9eafb579f6fb93d35d66309a205f3d0912a8b7a302ea2e917e5e04dd2f8",
 "type": "eql",
- "version": 109
+ "version": 110
+ },
+ "5297b7f1-bccd-4611-93fa-ea342a01ff84": {
+ "min_stack_version": "8.3",
+ "rule_name": "Execution via Microsoft DotNet ClickOnce Host",
+ "sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7",
+ "type": "eql",
+ "version": 1
 },
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "min_stack_version": "8.3",
@@ -2444,16 +2763,25 @@
 "53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
 "min_stack_version": "8.6",
 "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
- "sha256": "7602af82bdc7fc4962b73c42451d8500e779a3338601f49ea49ea9398fa49613",
+ "sha256": "1fcaecb0c8b60fb9a393726f18411473957d935a9676d2e345121e3f07f5c200",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 204,
+ "rule_name": "AWS EFS File System or Mount Deleted",
+ "sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "AWS EFS File System or Mount Deleted",
 "sha256": "28f9744c81cfffbf8417f66ee1911ac9da89e9e352c5db4f0af9d725cd73c907",
 "type": "query",
- "version": 104
+ "version": 205
 },
 "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
 "min_stack_version": "8.3",
@@ -2465,16 +2793,16 @@
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "min_stack_version": "8.3",
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "0b1c1a7d64bb481a68482e3f0954ce0e55df7b26264d3e358b230b5670c80094",
+ "sha256": "ddf1b60a6118bc0c50833a0f13cf88f3838ebcc8f0f60d42ad91bad81b07634d",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "53dedd83-1be7-430f-8026-363256395c8b": {
 "min_stack_version": "8.3",
 "rule_name": "Binary Content Copy via Cmd.exe",
- "sha256": "3ab2b049abaa1462ebed7b019dcd5da6957b5328c2ce7d2eb86b87e74a4ec28d",
+ "sha256": "8ece78d3d804106f87c006fdd8a027648880338a3a56c52e28a393d8f18aff40",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "min_stack_version": "8.3",
@@ -2486,9 +2814,9 @@
 "54a81f68-5f2a-421e-8eed-f888278bb712": {
 "min_stack_version": "8.3",
 "rule_name": "Exchange Mailbox Export via PowerShell",
- "sha256": "4258789d2232d8488f2dfcc621c1793b94aa3eb5e24ddc697886a3854fa2e0cc",
+ "sha256": "b7e3322f384197eb6eef899fcd0dab3032f80e4707f62046e423fe51756f2e9a",
 "type": "query",
- "version": 5
+ "version": 6
 },
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "min_stack_version": "8.3",
@@ -2507,9 +2835,23 @@
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "min_stack_version": "8.3",
 "rule_name": "PsExec Network Connection",
- "sha256": "9dac69f62fd68c1763945debf1417db0fdb9384fc3200ddb80fad443bd7ed6fa",
+ "sha256": "ea9ce524558142eeb928e1288478f70877cf06e9b9344009845c85f0257329e7",
 "type": "eql",
- "version": 106
+ "version": 107
+ },
+ "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
+ "min_stack_version": "8.3",
+ "rule_name": "Windows Installer with Suspicious Properties",
+ "sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753",
+ "type": "eql",
+ "version": 1
+ },
+ "56004189-4e69-4a39-b4a9-195329d226e9": {
+ "min_stack_version": "8.9",
+ "rule_name": "Unusual Process Spawned by a Host",
+ "sha256": "79250afad59e7a34a28a1fc9474da4c16612e73c23032855389f019fa153add8",
+ "type": "machine_learning",
+ "version": 1
 },
 "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
 "min_stack_version": "8.3",
@@ -2558,9 +2900,9 @@
 }
 },
 "rule_name": "Execution of an Unsigned Service",
- "sha256": "de385d99890c067206d3515ec1c99db389d34cf974afb8ad6478deaf0e14f592",
+ "sha256": "296152e8a3e1843df21e40fa6f6a05608b99b61ab06971ab80e9a3a35910b4fb",
 "type": "new_terms",
- "version": 102
+ "version": 103
 },
 "5700cb81-df44-46aa-a5d7-337798f53eb8": {
 "min_stack_version": "8.3",
@@ -2593,23 +2935,23 @@
 "57bccf1d-daf5-4e1a-9049-ff79b5254704": {
 "min_stack_version": "8.3",
 "rule_name": "File Staged in Root Folder of Recycle Bin",
- "sha256": "a7e0bdbc40a12b3b58f7280e709f99363b6d9362d4c0c91bcd926dddeeb4f466",
+ "sha256": "88ae25fb6df6c66c976902e4f17c39a5af63c217bb4aa298e7f898b003fa484d",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "min_stack_version": "8.3",
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
- "sha256": "2d5a85f9eb6c5a5b43149530f52a4cdbf41fb37009ec5f4ea1d572b4a127ba99",
+ "sha256": "f0914d5ae89b3f5372c087cd0c5983df509da91941322047aaad22d445cfb577",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
 "min_stack_version": "8.3",
 "rule_name": "RDP Enabled via Registry",
- "sha256": "52fb0f6d5a15c031eb4ebdbb0bf86a16bd94e0aa3d3d4b9c9adb3a7019c79cc8",
+ "sha256": "a599e437dfc14b51f8ce6559e5595673b50429581388655e03d7999961ec6cf6",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
 "min_stack_version": "8.3",
@@ -2621,16 +2963,16 @@
 "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Lateral Tool Transfer via SMB Share",
- "sha256": "f0754341d4737d98a3c079a807fdf62a876b2b9e37eddce760a538f8e135a3fb",
+ "sha256": "a9ada00d22041e1fc97021dfb923cb62dfcafe5849324b04534f7c53a65903d4",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "sha256": "1bba6c4e3e7130c507b6c959c9bf912171eb7a1f1cdcb69a6cf8bfd62e4ebdae",
+ "sha256": "04c918e4a5b742f9df828e957a708565731d36df760ffbf94a8dc6f331539f7b",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "5919988c-29e1-4908-83aa-1f087a838f63": {
 "min_stack_version": "8.3",
@@ -2647,11 +2989,20 @@
 "version": 102
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
- "min_stack_version": "8.3",
+ "min_stack_version": "8.9",
+ "previous": {
+ "8.3": {
+ "max_allowable_version": 205,
+ "rule_name": "AWS CloudTrail Log Created",
+ "sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "AWS CloudTrail Log Created",
 "sha256": "84221ea6d1d7084ea241331b852a80ca276abc757430ea68253a3add4daca7a4",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "59756272-1998-4b8c-be14-e287035c4d10": {
 "min_stack_version": "8.3",
@@ -2663,16 +3014,16 @@
 "5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
 "min_stack_version": "8.3",
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
- "sha256": "8438243430e0b6983e01c039dfab3f7c01111a8f9939c207ef853108907a977a",
+ "sha256": "21be01742858a1db7d297c338482f5a580a441699ca10d99874c0c9e24f50499",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "5a3d5447-31c9-409a-aed1-72f9921594fd": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Reverse Shell via Java",
- "sha256": "64625792213f211d0d8a873101fb7b1569da37e5179bd5f201b2c1f3101de821",
+ "sha256": "78ec1a1157f2afe9c030908365e734669d12f566fd1992245244eb8def7d4314",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
 "min_stack_version": "8.3",
@@ -2684,37 +3035,37 @@ "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "min_stack_version": "8.3", "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "b13fb00b87c825ce3f05d65295a6b1a47fec6d46d5fe22058d8b8b164a678d0b", + "sha256": "b57b1fa14361058e949c21cc407ad8e502c41b901b2f7b5a575ffb1d9fb460bd", "type": "eql", - "version": 106 + "version": 107 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "min_stack_version": "8.3", "rule_name": "Virtual Machine Fingerprinting", - "sha256": "2b30d95ee6d6e8bd0ff888cc6609d826560591c7ef3681b5ff74f49f7cc3c888", + "sha256": "cca11b1e320068fb951e6be8baba9a7f49cfef803b613bda1ccaea95922f3a00", "type": "query", - "version": 105 + "version": 106 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { "min_stack_version": "8.3", "rule_name": "SUID/SGUID Enumeration Detected", - "sha256": "1e8068d0ce5b93ac8598cc1cc3ce47385a0c99bb43ce15b27a514542fe4adb39", + "sha256": "484f49639b052fc38d358f83984230e1a524fdb9d60f221668f8fe55b7485c50", "type": "eql", - "version": 2 + "version": 3 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { "min_stack_version": "8.3", "rule_name": "Suspicious which Enumeration", - "sha256": "918d3ee72f0aba9e0a382045c846e04f7dc5e1f942954c077aa639794e809917", + "sha256": "fc50e7f8c6f1d7485f6a164637556906c3e3711d037759cf0c017826a110f6f3", "type": "eql", - "version": 1 + "version": 2 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Browser Process", - "sha256": "2869df554ce679e32f42029716b74524aa21ea7af2872e5a42c55de5ceb7835c", + "sha256": "10846cbf0f6d148b7fc84a14a62f5bc1b44382eda5971d84a0747c8788c93721", "type": "eql", - "version": 1 + "version": 2 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.3", 
@@ -2724,25 +3075,34 @@ "version": 104 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS WAF Rule or Rule Group Deletion", + "sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "333f27913815c1e4ec223cb266bc34cfadb31ac1a598d1fac7a8de01ac3abd9b", "type": "query", - "version": 104 + "version": 205 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "min_stack_version": "8.4", "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "3a1daa97831ddf8f5bfcf84698ec8b3deff467d7f1b8770467a760ef355c1a5b", + "sha256": "1021f7351d5cc378ded4585010e7ba4b057a05fab6f8e42157c6facf422bf6ec", "type": "new_terms", - "version": 6 + "version": 7 }, "5c895b4f-9133-4e68-9e23-59902175355c": { "min_stack_version": "8.6", "rule_name": "Potential Meterpreter Reverse Shell", - "sha256": "5941e6650b12bc02b03d289fa389b9f2347c53636e6368753bd5917b5a776cd5", + "sha256": "c29613a13876b018582e791f2843e3b12181e06c36266665efe4711c52945024", "type": "eql", - "version": 1 + "version": 2 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "8.3", 
@@ -2754,16 +3114,16 @@ "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "min_stack_version": "8.3", "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "361a074bbb3fe56ec08c1430d5b5afc021f8502cb133c1066dd514bdacb37f06", + "sha256": "a4e1f03bf2a4863f8922d20b5ab31fc5fffea4c27e35c47e61634b492dba558e", "type": "eql", - "version": 3 + "version": 4 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.3", "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "e4796e4f5ba9178180960e592aae8dc79ef969e7b951f2c2fd73dae57d29406f", + "sha256": "c0fd1feebe4607a5b3db25454a63e6c46b64c43070cd6c6487fac57bfd65b53c", "type": "eql", - "version": 104 + "version": 105 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "min_stack_version": "8.3", @@ -2775,9 +3135,9 @@ "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "min_stack_version": "8.3", "rule_name": "Persistence via PowerShell profile", - "sha256": "5ce8477d708b49d1d38136f4638bc5596e3190949b3e561ff84d56566ca96f61", + "sha256": "421c30d4787b7da4cf4496d67084325210732a4aa854db2cac54429840f044c7", "type": "eql", - "version": 5 + "version": 6 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "min_stack_version": "8.3", @@ -2789,9 +3149,9 @@ "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "865a5c61d5bdf21e24120d3b8eb35f82a23286c618fc795dce353491987d04fa", + "sha256": "f99460b7128f713e96cead9f3d34cf8f19a3561e1e51d86f60ca99f765d7d93e", "type": "eql", - "version": 104 + "version": 105 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "min_stack_version": "8.3", 
@@ -2860,9 +3220,9 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "a5b4ed432583abe86a630527b3026ee3a58f9813bb11868c628754ff414a3c7f", + "sha256": "123e32643dd7c3052f52ade724c9c93759749d28fdb592ffbdccec9ea688d1a2", "type": "query", - "version": 109 + "version": 110 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", @@ -2873,9 +3233,9 @@ "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { "min_stack_version": "8.3", "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "71e064cd3cf1b8dec498d3e054d70ef2121113be1ed24c7e7df6af3b4324f27e", + "sha256": "ac85da0bd50146a9acd21f199d77bcce98ff857d768071bb894e26118b26a239", "type": "eql", - "version": 107 + "version": 108 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.3", @@ -2922,9 +3282,9 @@ "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "min_stack_version": "8.3", "rule_name": "Network Connection via Signed Binary", - "sha256": "f383ad8f33cab31ab158968663de5ed3d540de9a4d8d0fa4a578e19a35ed061c", + "sha256": "e3f5d9f1f0b68b258714156bb2d6558011e846b2fad3ad178aae26c7c0f6c81e", "type": "eql", - "version": 105 + "version": 106 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "min_stack_version": "8.3", @@ -2943,9 +3303,9 @@ "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { "min_stack_version": "8.3", "rule_name": "Network Connection via Recently Compiled Executable", - "sha256": "60780f0b220f4de4cccb01815d9585964f3d68bd515b23972bc9b881a36a70ea", + "sha256": "b277d6162b8343013d1498f692467e7cec38348da2ba5058ed1fd1aebcc40eaf", "type": "eql", - "version": 1 + "version": 2 }, "6506c9fd-229e-4722-8f0f-69be759afd2a": { "rule_name": "Potential PrintNightmare Exploit Registry Modification", 
@@ -2979,9 +3339,9 @@ "6641a5af-fb7e-487a-adc4-9e6503365318": { "min_stack_version": "8.5", "rule_name": "Suspicious Termination of ESXI Process", - "sha256": "0711743a3e6d25d5ac8089b3f5e996420a92bc7890f358cb4e23c6d88ba9a615", + "sha256": "2d5c0856617f70f9ed2e5835c40dec8304a2290370c5414745c806fde457e583", "type": "eql", - "version": 3 + "version": 4 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.3", @@ -2993,16 +3353,16 @@ "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "min_stack_version": "8.3", "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", - "sha256": "5ee22642a55e0ff14c438cbc0f77b7746f9fe23b533621103b27df8a9b808d40", + "sha256": "de1f883c87b1b49ce0932b95dd0ebaabede9c5334b6f18e2222c3fc3a5628bec", "type": "eql", - "version": 2 + "version": 3 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "min_stack_version": "8.3", "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "5c79e5fd80163228473cfe5b3b9f61d769a063b5c1372c30928ab2ac59cf0525", + "sha256": "4c82661472cef610b0a6a24cb6654b4f11869bf4401d656eaa68c78289f66302", "type": "eql", - "version": 107 + "version": 108 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "min_stack_version": "8.3", 
@@ -3021,16 +3381,25 @@ "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "min_stack_version": "8.3", "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "9546181bdfa5b6f04cab84f0ff7afdbbb59ef9ddeaf7ec7bd070a1808324473d", + "sha256": "086eafbc984aa6480575297071ab4771019ea9eda87148c85e6f2eb40f7674f0", "type": "query", - "version": 6 + "version": 7 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "0f0e1ba88bbda85d60bb8fc96bda554db238881ea16937d0f0fa5414a15e6ede", "type": "query", - "version": 105 + "version": 206 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "min_stack_version": "8.3", @@ -3040,11 +3409,20 @@ "version": 102 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "e8e7b2e174c70d5a4a851a47b90138516f2a3c440e275c037a6f1334759c87de", "type": "query", - "version": 105 + "version": 206 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", 
@@ -3055,9 +3433,9 @@ "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { "min_stack_version": "8.3", "rule_name": "High Number of Process Terminations", - "sha256": "9654e394fb859d2bbad76596b99237d6f8d15e70526ea0e27711c4c3a680ae77", + "sha256": "21d744da94221fcbec162dddffe8794cefc8fd26321d770c472b47093b28a95a", "type": "threshold", - "version": 108 + "version": 109 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", @@ -3068,9 +3446,9 @@ "6839c821-011d-43bd-bd5b-acff00257226": { "min_stack_version": "8.3", "rule_name": "Image File Execution Options Injection", - "sha256": "97b4abe585f163bcdacc300075bf109cb501bbb7d1de90a2cdbbbdfbbd9aef97", + "sha256": "ad88e3a9101259f72a383196f9f474fb828e8dd2b844ef2d61caf9fb986c1028", "type": "eql", - "version": 104 + "version": 105 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "min_stack_version": "8.3", @@ -3080,18 +3458,27 @@ "version": 102 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Okta ThreatInsight Threat Suspected Promotion", + "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", + "type": "query", + "version": 105 + } + }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "8d04de56ef8b8f97264ebf4f9614963e43b9106d543823fdccbce9b59a0011d8", "type": "query", - "version": 104 + "version": 205 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.3", "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "e56e2b209388ed0f70bed3114edcf6d49e83959d733faa801e3d40209152e327", + "sha256": "6223d04f4e618351c760d259ecbc3d42c8da22daf8a9bd58497228d13304bab4", "type": "eql", - "version": 105 + "version": 106 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "min_stack_version": "8.4", 
@@ -3112,30 +3499,48 @@ "689b9d57-e4d5-4357-ad17-9c334609d79a": { "min_stack_version": "8.3", "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "46775980c978cd2264682497c62b9788b6645243da6b72ddaea5bbff0388df3e", + "sha256": "ebde0ba43ed054967c01f489cd5f2e45b9dddf79b90351dea7e78c5a5c2edfe6", "type": "eql", - "version": 104 + "version": 105 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Log Group Deletion", + "sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "6c4325ced0b53d29535ee5afd746cd09fd120823f660b5bd3518ca50fadca146", "type": "query", - "version": 107 + "version": 208 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "min_stack_version": "8.3", "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "53f09e4c88d11c0ee66a186321981f9eb31165d73f02b874ca0edbed0844c6da", + "sha256": "0feac3bd75fcc2317ee0e9e91a7f2f35063c0c5a62b5c47076545998d3ac12ae", "type": "eql", - "version": 105 + "version": 106 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 104, + "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", + "sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd", + "type": "query", + "version": 5 + } + }, "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "sha256": "62a819dfff5aff4d9a71c1af4dbee137aa6d96683a906088769effac0fdbd8b1", "type": "query", - "version": 4 + "version": 105 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "min_stack_version": "8.5", 
@@ -3161,39 +3566,57 @@ "version": 106 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Password Recovery Requested", + "sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Password Recovery Requested", "sha256": "31f084b4192870ca6c93d341a1f9e6d9eecaaefe046fcf6687209ec23866edf3", "type": "query", - "version": 104 + "version": 205 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.3", "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "f3cb8da67a3f69a296b53078b37707f55d6852f4c55b7bc074af6e3ab2a01d20", + "sha256": "d6efd876704aecbc61e32f00bc3fc87660de3486490102dee717f3cafeef34ee", "type": "eql", - "version": 105 + "version": 106 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.3", "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "a9f9aa8f746871dce91e94cba6697e908e9901be0135860b93572a5904b48b04", + "sha256": "2094e45cb6acf5514345f45de5980fa93856dbe2564c14cda824cfb92609fe9b", "type": "eql", - "version": 107 + "version": 108 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "min_stack_version": "8.3", "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "7541e1a6c4200e3961759f0cdadba8eaf793f6e3e9e28dbb34af84aeac5f6fce", + "sha256": "36f237a42a890a47fd41636119b3f4f6cb483699638fa0570dee4cc7ba1bdd6e", "type": "eql", - "version": 1 + "version": 2 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Sensitive Files Compression", + "sha256": "271c0de47099ee8a5e049d68bf4d49801b884b81f673df03edceab970daebe19", + "type": "query", + "version": 106 + } + }, "rule_name": "Sensitive Files Compression", - "sha256": 
"24dee3257162b876da6487b55368acb5b38040fd13ce5d0bc7511b0644e2ae48", - "type": "query", - "version": 105 + "sha256": "2665a4bfaf61af8a5033e6aff2ce6950c77fc795eb6bba42b6b5064e84fa8841", + "type": "new_terms", + "version": 206 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "min_stack_version": "8.3", @@ -3212,9 +3635,9 @@ "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "dfc2fbc0fab4f84b16f206bb71d59399a3450f5cec21c03daa1fd20d529ccdc9", + "sha256": "6c77473acf3dec0fc8fd9d0d2f4a0de620f5007008bf85e61fc224fa1087b63a", "type": "eql", - "version": 104 + "version": 105 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.3", @@ -3226,9 +3649,9 @@ "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "min_stack_version": "8.6", "rule_name": "Potential Privilege Escalation via CVE-2023-4911", - "sha256": "cc466d496fd9e306e2a0e4ea3c56d690ff0737b1e3c1506daef475f41db91d6d", + "sha256": "0a052fad94510f59c9efd5ffec0901831516c7ea937d86e3532157035d86466a", "type": "eql", - "version": 1 + "version": 2 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.4", @@ -3247,9 +3670,9 @@ "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "min_stack_version": "8.3", "rule_name": "AdminSDHolder Backdoor", - "sha256": "c6d5f04ccbfb426d106eb3b03f1f20727722e4632689aec4bc9fc11edb28bc83", + "sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1", "type": "query", - "version": 105 + "version": 106 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "min_stack_version": "8.3", 
@@ -3261,16 +3684,16 @@ "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.3", "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "b93d5773dd0b96dd6d8e331197414f59005cceea42ac2b114e9ace428ca9f578", + "sha256": "bd57722ccc74983106255532898917957a55fafd6c760af95a0650a7a93e5ef4", "type": "eql", - "version": 105 + "version": 106 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.3", "rule_name": "Security Software Discovery using WMIC", - "sha256": "b04895b23aa183e955eac132fe6354b74ae1aea8ce27da447add04c52d265774", + "sha256": "7400438cd326b5fa5137479c92eb2898c709c3338757a1f631cb718de551a551", "type": "eql", - "version": 107 + "version": 108 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", @@ -3281,9 +3704,9 @@ "6ee947e9-de7e-4281-a55d-09289bdf947e": { "min_stack_version": "8.3", "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "9b7a1e7596fff4b6d70a4064cf79f606a74f214ef8aeb4234c08842d2c1b910f", + "sha256": "9a958c72f2b71c12da6147cd83e0d798c1e114b362bd577b27f0f921b0a13465", "type": "eql", - "version": 1 + "version": 2 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", 
@@ -3314,18 +3737,43 @@ "version": 100 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudTrail Log Deleted", + "sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudTrail Log Deleted", "sha256": "6eb194ad10e7ea8d3c8547593a150c60eda885a07be0a3dc57dab3dc0d993314", "type": "query", - "version": 107 + "version": 208 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Config Resource Deletion", + "sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Config Resource Deletion", "sha256": "16521ebadcb6ecd1ffe3b12756c604b96cf8b5daedd95eeec1e1fd2eef096dd9", "type": "query", - "version": 107 + "version": 208 + }, + "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Execution via MSIEXEC", + "sha256": "934721c56a14fb6b1ea672f4cedb14eae9cdafb81a8e9bf35230f542a602740f", + "type": "eql", + "version": 1 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "min_stack_version": "8.3", 
@@ -3349,11 +3797,20 @@ "version": 3 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Modification of Dynamic Linker Preload Shared Object", + "sha256": "dc67793718c16d2d90d8be38bf310b0ce87c25f4e9c56a66f7a231b80d9922f0", + "type": "query", + "version": 107 + } + }, "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "565a3a934715161cb1c0bd792b9694d865ccf9df21072f0e5bd381c947ec3b65", - "type": "query", - "version": 106 + "sha256": "72fea82152115abc97ea9e34b7e9bf40be8d5af11313625404f62dfcf5ca61e1", + "type": "new_terms", + "version": 207 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.3", @@ -3365,9 +3822,9 @@ "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.3", "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "44d4d66dea85165137a0d3f86d314a56a2d3de07baedee209e53118864691402", + "sha256": "d442a3b1c1b313c54f0bad14de16f98cd68ae8ada5e87c99e8c29aabe78f2d7f", "type": "eql", - "version": 104 + "version": 105 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "min_stack_version": "8.3", @@ -3377,11 +3834,20 @@ "version": 102 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "a26dbdf7534708e6c75311dac75a165cbb21ce2fedc44bffa5ebd8437ffe6354", "type": "query", - "version": 105 + "version": 206 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", 
@@ -3425,11 +3891,20 @@ "version": 103 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Suspicious Sysctl File Event", + "sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc", + "type": "eql", + "version": 3 + } + }, "rule_name": "Suspicious Sysctl File Event", - "sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc", - "type": "eql", - "version": 3 + "sha256": "cdae4cce31893b3eb3b3a3472011e11708a7c9e1fcf4410bb88e18a099a94361", + "type": "new_terms", + "version": 103 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "min_stack_version": "8.3", @@ -3471,16 +3946,16 @@ "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.3", "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "d9c6faf2209cb103e1548a470602851ee01bf04f32853d0ed66169fff27e6847", + "sha256": "d2e53030dc005a302f0b5bb530360d58ce429809a0ed1827bc6d5b89de8b351e", "type": "eql", - "version": 7 + "version": 8 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", - "sha256": "33f5cbe72ef839be364b1ccf59d5c1a66fbc6991676d75779148d8b4bc812310", + "sha256": "a3536eb13408e7fc538952bee75a1362e3be277b14f1edc18c2f63fda3f5f08c", "type": "eql", - "version": 106 + "version": 107 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.3", 
@@ -3492,16 +3967,16 @@ "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "22a26a54eac8e02ec72df44fdc261481315acec5885269f591cb5fd1c46d1825", + "sha256": "ee743b928b61e259c3e46fce5b16400121f6ef6affdc122ea1f47e9a199900ea", "type": "eql", - "version": 4 + "version": 5 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "9f85a8053c83ad71c8540a2261dbbc4708549c0de62c0edd99395ef16629cc9f", + "sha256": "df53ce37b5877a6a26f2e5b7d78d60000048e5eaaa3d152f9ead7ef84d700a19", "type": "eql", - "version": 106 + "version": 107 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.3", @@ -3527,9 +4002,9 @@ "781f8746-2180-4691-890c-4c96d11ca91d": { "min_stack_version": "8.3", "rule_name": "Potential Network Sweep Detected", - "sha256": "806ccc4e0580c650a06132653d58575846b22fd3cc308288981b794a63972905", + "sha256": "e8646ede4715b107643a3098b6e032965f664c38e7341d9d0519b3a8510d2fab", "type": "threshold", - "version": 3 + "version": 4 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "min_stack_version": "8.4", 
@@ -3555,18 +4030,27 @@ "version": 105 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Spike in AWS Error Messages", + "sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Spike in AWS Error Messages", "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2", "type": "machine_learning", - "version": 107 + "version": 208 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "min_stack_version": "8.4", "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "7b5df51876d17dc0c0978937514b88e32fbb68a471fdbfb5063af60dff04d178", + "sha256": "11fb3b45a1ccc2f104c91997fb4d7093f0efd5534a8f2048aa90ef37cc11f6cd", "type": "eql", - "version": 4 + "version": 5 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "min_stack_version": "8.3", @@ -3585,16 +4069,16 @@ "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as System32 Executable", - "sha256": "3b177629deb6dd64f254d75b8a4f6b71879b7ff33a70d98c184560b82d67277a", + "sha256": "51fa21c1094b9e214686668956d499fc25f19607d7b1a93fc094aa557eda00d7", "type": "eql", - "version": 1 + "version": 2 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.3", - "rule_name": "Potential Exfiltration via Certreq", - "sha256": "4ef6fb0e47ac848843d2ae9b37eacc7369390ef5ff45ecf6b0a374512ad4b979", + "rule_name": "Potential File Transfer via Certreq", + "sha256": "a74b9849420ed6b7c23bfb51caa8aad585cf535af48bfd4c11d1d7a16c8560f8", "type": "eql", - "version": 4 + "version": 5 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.3", 
@@ -3612,9 +4096,9 @@ "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "1dd7950a241f5882d741236f88f61e5ed12437aa16756ce984ee04379e2dcdf9", + "sha256": "d77a6da669fbbb4406a59bd7061baf788f0f9fef20b43321c6fcfbb00a24690b", "type": "eql", - "version": 2 + "version": 3 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", @@ -3623,18 +4107,27 @@ "version": 100 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS ElastiCache Security Group Created", + "sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS ElastiCache Security Group Created", "sha256": "05d7545eb5be8c088900939645d5a75858e48029b72b2926c878627697576a85", "type": "query", - "version": 104 + "version": 205 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", - "sha256": "1a74ce8fd55ca323682377fbd4e17aa7c7cbe45b23fc743465ff882304fff104", + "sha256": "a02a471585a3b5aafa89be56f312db81bad278d8eafbf7463f73cfdebf9c80bb", "type": "eql", - "version": 107 + "version": 108 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.8", @@ -3691,9 +4184,9 @@ "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.3", "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "0d2e9303095644cff713d6cc47bcea144b0fb7d1c8c7026f50ac5fe60e57228b", + "sha256": "c2521f557370eeadd9f5ab09fd706593451e0f0d44ffcb8ee63fd21ec3433862", "type": "eql", - "version": 105 + "version": 106 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { "min_stack_version": "8.6", 
@@ -3714,30 +4207,55 @@ "7fb500fa-8e24-4bd1-9480-2a819352602c": { "min_stack_version": "8.6", "rule_name": "New Systemd Timer Created", - "sha256": "27bee4413c109d7597639a0a60acd77d395ddd1b5f6f4fb09c88c026a699a4fa", + "sha256": "94cbc646d3a0879e403b786c2c25535db4aebbd67a3f041a8bf43b206462b8f2", "type": "new_terms", - "version": 5 + "version": 6 }, "80084fa9-8677-4453-8680-b891d3c0c778": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Enumeration of Kernel Modules via Proc", + "sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0", + "type": "eql", + "version": 3 + } + }, "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0", - "type": "eql", - "version": 3 + "sha256": "bcfbab89662a36049bb509952b29602fc3e552bc91c4f6851b183c3881604f7b", + "type": "new_terms", + "version": 103 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { "min_stack_version": "8.3", "rule_name": "Unusual Process Extension", - "sha256": "15e1dd225bae684eac522b61872faae250a8aac0c4cb71b4e6d68986665587ed", + "sha256": "892abe65dfb4e821b001077e250ac7619928c9a8ba796ec314d9abce74c74ba8", + "type": "eql", + "version": 2 + }, + "808291d3-e918-4a3a-86cd-73052a0c9bdc": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", + "sha256": "e07fdca00c03cede7dcd07d161752b6a5fa31a5987779dde490803e67071a0f7", "type": "eql", "version": 1 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual City For an AWS Command", + "sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual City For an AWS Command", "sha256": 
"d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199", "type": "machine_learning", - "version": 107 + "version": 208 }, "80c52164-c82a-402c-9964-852533d58be1": { "min_stack_version": "8.3", @@ -3756,9 +4274,9 @@ "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.3", "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "9c2f8341e807bf0b4ffeb0c40e797f72dbdd69d65b6db7a2a6c7f8ee10708d7a", + "sha256": "cd1b53b5cd9aacd751ae8801be77543c716fd21c184f54a776380edd185e8275", "type": "eql", - "version": 106 + "version": 107 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", @@ -3776,9 +4294,9 @@ "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.3", "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "82f8ec9cc22e111eb627de7426fd99dd540938ed1e0d05473496ea18b54c3cea", + "sha256": "b9eb095355ecc02a827ca56e41a3ccd5fd5fff3c57c2f1a1e16e0f32082bcd46", "type": "eql", - "version": 6 + "version": 7 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.3", @@ -3790,9 +4308,9 @@ "835c0622-114e-40b5-a346-f843ea5d01f1": { "min_stack_version": "8.3", "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": "fe6cc04fb2e612cab72a6d221db5f03f75c1706355d5c212987ec5de3a2bd3a6", + "sha256": "1dd8817884ca577039baba5ede3be91c85119efdb77f580810c95c223816ebcc", "type": "eql", - "version": 2 + "version": 3 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "min_stack_version": "8.3", @@ -3810,9 +4328,9 @@ "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "min_stack_version": "8.3", "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "7bd7ca6309b09a6218ebe05322f1477ad28327ac05cab27ae9eb18267b43563c", + "sha256": "73d35f95e41d651a5e75315cd4b570345c8cc6334b9dec7db8adf08b57f52e30", "type": "eql", - "version": 3 + "version": 4 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.3", 
@@ -3821,6 +4339,13 @@ "type": "query", "version": 1 }, + "84d1f8db-207f-45ab-a578-921d91c23eb2": { + "min_stack_version": "8.3", + "rule_name": "Potential Upgrade of Non-interactive Shell", + "sha256": "3ab2c7dffde8d59a7f0d31f4f475c98f5325a94adb789cc4096286ae73e70e36", + "type": "eql", + "version": 1 + }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", 
@@ -3852,32 +4377,59 @@ "version": 208 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Network Access Control List Deletion", + "sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "f9a3ba3b45d5b33b1e73c806495b984233a6b2bc200082fc945fa31d8fea41be", "type": "query", - "version": 104 + "version": 205 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Security Group Deletion", + "sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Security Group Deletion", "sha256": "0c9d4de210e608efca7e588b59eeb71ca5f96b5b20c083daee0e8d4035f0cd32", "type": "query", - "version": 104 + "version": 205 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS IAM Group Deletion", + "sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS IAM Group Deletion", "sha256": "f4898405685170f2b55f69bcde2b41a0cb8b861ef6040f86e3257bf0abf93383", "type": "query", - "version": 104 + "version": 205 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { "min_stack_version": "8.3", "rule_name": "Security Software Discovery via Grep", - "sha256": "d5d6fbfe8a86e827bb1f10589d9e8427ba7b59bea1a9707d4359dce6fee0929f", + "sha256": "39e477f562630dea0f3f3b68106d7c699a87d2ab0764247fc8bd0de442981f4f", "type": "eql", - "version": 105 + "version": 106 }, "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": 
"8.3", @@ -3887,11 +4439,20 @@ "version": 108 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EventBridge Rule Disabled or Deleted", + "sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "bf5d21e0ace96205fd8f8db491ac9d75625ef089e4f5b3499d4a4209268f9719", "type": "query", - "version": 104 + "version": 205 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", @@ -3921,11 +4482,20 @@ "version": 104 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 102, + "rule_name": "Potential Sudo Hijacking Detected", + "sha256": "28eba13edb2d9454c08d86938d6bf41ed614c2c32879ec8719cd571c0c9cbef5", + "type": "eql", + "version": 3 + } + }, "rule_name": "Potential Sudo Hijacking Detected", - "sha256": "a4206f33521819d8d7d53c211f4469b0f4d29f90aa303e728ed6c22f0acd0ec3", - "type": "eql", - "version": 2 + "sha256": "90ab70272d3bdc85151e9bc2add9998f4819f17d13c282ae54e1b047602630e4", + "type": "new_terms", + "version": 103 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.3", @@ -3964,9 +4534,9 @@ "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "min_stack_version": "8.3", "rule_name": "Suspicious Symbolic Link Created", - "sha256": "ffb3cada9e61abf88edfa4d4994b68df4a1c86040ef6344d2d5d2f2fb67e0bb2", + "sha256": "bd4e75d4bef5c733959b047c5466da2d7768bfe892c50c383b7d1d46240bcaf9", "type": "eql", - "version": 2 + "version": 3 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "min_stack_version": "8.3", 
@@ -3978,30 +4548,48 @@ "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.3", "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "a577ac9fcb46e067f2d9a3dfa1c37db43cf2b744e0701387877da0d9321a209f", + "sha256": "7b1e58c15587d23240b63b8dfd696aa8de530ddbf9be2c384db2620e9c9bd4ad", "type": "eql", - "version": 104 + "version": 105 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "42864ccbb8e48936452a309318951454ac5820199a0b5e62be20a53c6846eb2b", "type": "query", - "version": 105 + "version": 206 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Suspicious JAVA Child Process", + "sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16", + "type": "eql", + "version": 105 + } + }, "rule_name": "Suspicious JAVA Child Process", - "sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16", - "type": "eql", - "version": 105 + "sha256": "9bcba792d96bb90055853bbc119cff04fa2f40b46cd77ea9bab938ab61056074", + "type": "new_terms", + "version": 205 }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { "min_stack_version": "8.3", "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "577175231e8722658399f535dfe19fa278f3082f7848da4f3c65e77ee2a4118c", + "sha256": "e79736c160e70b66e87aa690264e4ebe08b958d00a2d8178556525a57dae4323", "type": "eql", - "version": 1 + "version": 2 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.3", 
@@ -4034,9 +4622,9 @@ "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.3", "rule_name": "Unusual Child Process of dns.exe", - "sha256": "ab6f219326b46640112b041c6a7ccdf841ac3d4aa2e364b34b83a7869e301b70", + "sha256": "32ad67514f438b6e30f64bc4b7b4eb626be6582afadb55c240c2e4efe9b7cfcb", "type": "eql", - "version": 106 + "version": 107 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "min_stack_version": "8.3", @@ -4055,9 +4643,9 @@ "8cb84371-d053-4f4f-bce0-c74990e28f28": { "min_stack_version": "8.3", "rule_name": "Potential Successful SSH Brute Force Attack", - "sha256": "930f4fe60fcf470067a75a7d6d9b93d3c80d639fcc0cf248c30c9f41cb98f70d", + "sha256": "65f9ce05fea76a9a8692e1eab5ad90ab0904e79b28d0c1f077f5d0422c5a2098", "type": "eql", - "version": 7 + "version": 8 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "min_stack_version": "8.3", @@ -4076,9 +4664,9 @@ "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "9037dac927b76a260a11026c3e893f9f85b2d876004b652c74c012bb7fd93f5f", + "sha256": "bb4dbd0f9903378286cb13efb8f0898a00bf9c3255d58d6a58bd21da8997c9b5", "type": "eql", - "version": 105 + "version": 106 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "min_stack_version": "8.3", @@ -4104,9 +4692,9 @@ "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "min_stack_version": "8.3", "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "818146f18a2aefd065739007ec4aecb61ec4257169528b7a6605b7ff0cc0758c", + "sha256": "d3f17c275351dce43dbed1904257d053abe2a6e174ec12f91eabbc40236f918e", "type": "eql", - "version": 104 + "version": 105 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.3", 
@@ -4131,16 +4719,25 @@ "90169566-2260-4824-b8e4-8615c3b4ed52": { "min_stack_version": "8.3", "rule_name": "Hping Process Activity", - "sha256": "63e23dabfb3a8535a41b473614245b4df52a35760e0485a6e9f51e55d61615f5", + "sha256": "bca55701a9d9f3c48b1f6d8df6d0672f880ea5e8f7b5252ada7c42af6458802c", "type": "eql", - "version": 105 + "version": 106 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Deletion of RDS Instance or Cluster", + "sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Deletion of RDS Instance or Cluster", "sha256": "52ad2c61bc4217845afa6a13fe3e23cd405324f6bc6779b2ed3a21ecda615e14", "type": "query", - "version": 104 + "version": 205 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "min_stack_version": "8.3", @@ -4170,11 +4767,20 @@ "version": 104 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS WAF Access Control List Deletion", + "sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS WAF Access Control List Deletion", "sha256": "ecd61bd19c50c09347fdf33fed3a2f8ec9fc77dec053398a5b62f534e297ebdb", "type": "query", - "version": 104 + "version": 205 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "min_stack_version": "8.3", 
@@ -4212,25 +4818,52 @@ "version": 7 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", + "sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", "sha256": "b0edd6d0742b92fa2ebe2c3d5ea02c63f8a1edffe0b0f53320b86ed419ab8fb8", "type": "query", - "version": 104 + "version": 205 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 202, + "rule_name": "Sudoers File Modification", + "sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef", + "type": "query", + "version": 103 + } + }, "rule_name": "Sudoers File Modification", - "sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef", - "type": "query", - "version": 103 + "sha256": "6a1a6b3462c4ea5f0ea3cf546684745e51efb7a52a094227c5b2f06e6fa90bc3", + "type": "new_terms", + "version": 203 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS VPC Flow Logs Deletion", + "sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS VPC Flow Logs Deletion", "sha256": "408b41a86252884a996ece1031334c7b73d4870202ad4a65c1a74d5392ad3454", "type": "query", - "version": 107 + "version": 208 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.3", 
@@ -4263,11 +4896,20 @@ "version": 205 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Modification of Standard Authentication Module or Configuration", + "sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f", + "type": "query", + "version": 104 + } + }, "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f", - "type": "query", - "version": 104 + "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", + "type": "new_terms", + "version": 204 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "min_stack_version": "8.3", 
@@ -4323,23 +4965,32 @@ "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.3", "rule_name": "File made Immutable by Chattr", - "sha256": "bc300bb67a2279504fbe3225243633c892bbc5b8e695a109b127b1edf673cb5b", + "sha256": "951d63b6557d5c3fb3f155e45999afcdd86791f7d830c26ba0ff9811f2ae0367", "type": "eql", - "version": 107 + "version": 108 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Attempt to Create Okta API Token", + "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", + "type": "query", + "version": 105 + } + }, "rule_name": "Attempt to Create Okta API Token", "sha256": "00e7844e7b50556df54dd1a80585ef3b0d6e18949813883d66e9467cd40a90f9", "type": "query", - "version": 104 + "version": 205 }, "96d11d31-9a79-480f-8401-da28b194608f": { "min_stack_version": "8.6", "rule_name": "Potential Persistence Through MOTD File Creation Detected", - "sha256": "ac2aae146b439c128acf93b6d08c60c1297ef5ce278baed0d2463fed3d109553", + "sha256": "6adb4dbd03b3b5ad0d5318c1e811e89f0c4c560f2c2cac1830b06b007134962c", "type": "new_terms", - "version": 5 + "version": 6 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "min_stack_version": "8.3", 
@@ -4370,25 +5021,43 @@ "version": 104 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS SAML Activity", + "sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS SAML Activity", "sha256": "6205667e0b3ffc035feaf7ed17e089eb50ab5ff04926b74e65bb83f73d79af8d", "type": "query", - "version": 104 + "version": 205 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Potential Abuse of Repeated MFA Push Notifications", + "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", + "type": "eql", + "version": 107 + } + }, "rule_name": "Potential Abuse of Repeated MFA Push Notifications", "sha256": "77d0337a5eb54baa93eb1e573ddab7f5e356ad4892d6cf02c74ce6562afd8d2d", "type": "eql", - "version": 106 + "version": 207 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.3", "rule_name": "Suspicious Zoom Child Process", - "sha256": "b15108fed1be29ce5b03c10684a269ab6930c9843c4bae00bf62059a1151250f", + "sha256": "f82a785c120d52dcd2123f3f9d2f8b7503d520c6ea8e46fd74f310e8a53dd233", "type": "eql", - "version": 107 + "version": 108 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -4399,9 +5068,9 @@ "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI Files", - "sha256": "23394ff5cf8c8530a51e90c2408d609e7000dfbc5dff8724cb29cb88e63a6d09", + "sha256": "cd7035a0017aa4b845f94e3aa665721e72fe1dc535c9cfb0867b4657d8a94ef3", "type": "eql", - "version": 3 + "version": 4 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", 
@@ -4445,11 +5114,20 @@ "version": 102 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS EC2 Snapshot Activity", + "sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS EC2 Snapshot Activity", "sha256": "3c5613df7cc89e9a173b0632a5db11d02b917f05f3c24cb3d44c416a679a4056", "type": "query", - "version": 107 + "version": 208 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "min_stack_version": "8.3", @@ -4465,6 +5143,13 @@ "type": "eql", "version": 104 }, + "994e40aa-8c85-43de-825e-15f665375ee8": { + "min_stack_version": "8.9", + "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", + "sha256": "58480532047dc1a5936dce3ece1b30e3643a68fe8d7e2343553008f2a0deab18", + "type": "eql", + "version": 1 + }, "9960432d-9b26-409f-972b-839a959e79e2": { "min_stack_version": "8.8", "previous": { @@ -4477,9 +5162,9 @@ } }, "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "2afc41e645fc2f007dfe22ec27e0c211672070aacd5d5a0a8281a8e68a24639f", + "sha256": "7fa3b7d91df0f6450cc6e044925c196edd851d9521299f034167bb892f7b39dc", "type": "eql", - "version": 206 + "version": 207 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "8.3", @@ -4495,6 +5180,13 @@ "type": "query", "version": 102 }, + "9a3884d0-282d-45ea-86ce-b9c81100f026": { + "min_stack_version": "8.3", + "rule_name": "Unsigned BITS Service Client Process", + "sha256": "095fc86e65f65030c66df81f286788b89fcf9160e7970ddbb409cc824fc40fd2", + "type": "eql", + "version": 1 + }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { "min_stack_version": "8.4", "previous": { 
@@ -4507,23 +5199,23 @@ } }, "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "3d1c09ba378537737bdaa3bc2bbd9e9934d0e9cb7d50f63d33192377614d85f2", + "sha256": "353e07144858914694113a7e9d29ad53687500c1f60ed7c8b02d9c7cd634bad3", "type": "new_terms", - "version": 106 + "version": 107 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.3", "rule_name": "Suspicious Explorer Child Process", - "sha256": "e8cc9a60bbe510d51bd3ad134669feb9e5cb0fa08160bf27530801138c60e882", + "sha256": "51c78c6f9a1af947f778a0b2a2529d21600647e60786daa70a728174bf87c995", "type": "eql", - "version": 105 + "version": 106 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "min_stack_version": "8.3", "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "b2540b2ad922ec95cfd386da0ca9a614f308ef3262066028d23296d5db87509f", + "sha256": "26cb627c3803eec6cbcf9455a27b56c29ea1f604049232bf2d38813ad0a4d87c", "type": "eql", - "version": 105 + "version": 106 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "min_stack_version": "8.3", @@ -4535,16 +5227,16 @@ "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", - "sha256": "9a25dad4f89fd07ae509d365c90397c70feb22604338c0b57ed2c43b1498c278", + "sha256": "cb0771065ca25ee179d357d9e53676141cadf572ac31da5e1f00739f85cf36aa", "type": "eql", - "version": 106 + "version": 107 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.3", "rule_name": "Hosts File Modified", - "sha256": "acfc1d0db0cb1de8a27ec3ec15a3eea599e9644d56ab8bdd06c8678cf1bcee3f", + "sha256": "8f40a74de7484c5086f69c398cea506911f52935e23a27e3a229439cd5c239ce", "type": "eql", - "version": 105 + "version": 106 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "min_stack_version": "8.3", 
@@ -4556,9 +5248,9 @@ "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.3", "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "33745d6764626a4ad4ef565c71d285cde7a74a318e9622b428483457e45f612a", + "sha256": "594410ed9a140c2439264f3ef7b7bdefa77862b3865a95a2287437856a533db7", "type": "eql", - "version": 106 + "version": 107 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "min_stack_version": "8.4", @@ -4594,9 +5286,9 @@ } }, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "b98418a78935c61df5f27bc19586a7013ca07b3044d1a233a8bb38e0258feeff", + "sha256": "fb85a79f99efb89bc92c481ec8e21aae037df490635821d5df16cac9b83057fa", "type": "new_terms", - "version": 205 + "version": 206 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.3", @@ -4608,16 +5300,16 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "4487327fd533126e8f007f9eb063741a10c3cf9a07a48399c391f9713e58420c", + "sha256": "8cbc8f08a554be1ad891d12df42a2e456602b21ce9cd4062d2c6428a80073296", "type": "eql", - "version": 108 + "version": 109 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "0cc7ec48190d68c5dc8c36a1df944b214f34c599d8425caea77fbf4875d98ff1", + "sha256": "4cf250c89befd6b335e6331fbef794c1a969a7f19e203c159d5a84ff3c54f944", "type": "eql", - "version": 107 + "version": 108 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "min_stack_version": "8.6", 
@@ -4631,16 +5323,16 @@ } }, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "1e8c98c86268cb9bdde8af04c845776ed081dd6a07dbfa4b6873755f5d5670dc", + "sha256": "1f08334b425a0821c64aa8990f322f468a74567993e56ff39c7f39cfafb44380", "type": "new_terms", - "version": 206 + "version": 207 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.3", "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "776c171ad88eb90cf08b8fe5b55c1f9f0303df9c61b6c977aa899c710d7f8348", + "sha256": "b8d4e0bd773e95d96983fb5724ac1405de2f5d491182e453c4dad3af9efe10cd", "type": "query", - "version": 104 + "version": 105 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "min_stack_version": "8.3", 
@@ -4659,26 +5351,35 @@ "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "7bb8484c63f6e1ceb591dc3b6a6aa1e5e3dc34ccfd3d932e3e9c8e1b8e3162be", + "sha256": "e2394c0d8724d9f2e57e47f5a50cbfa2d1645b0cf50c8bfce9ce10a202bcd28f", "type": "eql", - "version": 106 + "version": 107 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via DCSync", - "sha256": "183d1fd02dc0fd574742ae54310b3f93b10da3165738e77fcdf8b460f5f7cdac", + "sha256": "dfd7fcad40d953ee8a27b0f8510db3d0cddfa4002ded1a896dbc248170dfb00a", "type": "eql", - "version": 109 + "version": 110 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "File Permission Modification in Writable Directory", + "sha256": "6c93604ac3f7c4e56ba67f913a4b594887a31706b87f87c25ce6fe48e9608fc3", + "type": "eql", + "version": 106 + } + }, "rule_name": "File Permission Modification in Writable Directory", - "sha256": "479f3fc53ac311718ff6affc4889eeca57ac3a34bf6f10026bf60b6b8e915eb8", - "type": "eql", - "version": 105 + "sha256": "ed6e7a8e67076b9fae1eb03416f9d82c7915364a8c9a99c7e4c881a6ce932693", + "type": "new_terms", + "version": 206 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { - "min_stack_version": "8.6", + "min_stack_version": "8.9", "previous": { "8.3": { "max_allowable_version": 204, 
@@ -4686,12 +5387,19 @@ "sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe", "type": "query", "version": 106 + }, + "8.6": { + "max_allowable_version": 307, + "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", + "sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263", + "type": "new_terms", + "version": 208 } }, "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "7cd0da2ff3ffb5eb309da5e40ce09ddc719465d69413af21aaa59db60bf569ea", "type": "new_terms", - "version": 207 + "version": 308 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.3", @@ -4700,6 +5408,13 @@ "type": "eql", "version": 8 }, + "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { + "min_stack_version": "8.3", + "rule_name": "Potential Privilege Escalation via Python cap_setuid", + "sha256": "410784f14d7bf622572e26d5b794f3a0c338a4e24485cc977afa183933cd6ba1", + "type": "eql", + "version": 1 + }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "min_stack_version": "8.3", "rule_name": "GCP Pub/Sub Topic Creation", @@ -4717,9 +5432,9 @@ "a1329140-8de3-4445-9f87-908fb6d824f4": { "min_stack_version": "8.3", "rule_name": "File Deletion via Shred", - "sha256": "9bb73e05248278c13545b111daf70f5b5b00005f472f1ad9a8ad6dc03a7e4bb8", + "sha256": "6a172e2439d747140f251d1d0e83f556e72ae03725f37bc760d2d4d7649fdd03", "type": "query", - "version": 105 + "version": 106 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.3", @@ -4752,9 +5467,9 @@ "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "189260746002bccbe31e9ddb6ba7e60d701a6e651c5d2c19efe56cd242c954af", + "sha256": "cf164c11d3db4e9e02e907d5c0aef8c3c4aadaf05536b522bb73c9ab3bdb9560", "type": "eql", - "version": 105 + "version": 106 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "min_stack_version": "8.3", 
@@ -4766,9 +5481,9 @@ "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.3", "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "7e9cfb7b511344e897eac5189a53654f476437241ee0c37b7600d2e033787ca7", + "sha256": "914a39f1d00e560fa0f28e8f67e57de3b2185f0ca422a7b395f419f567383cbe", "type": "eql", - "version": 105 + "version": 106 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "min_stack_version": "8.4", @@ -4823,9 +5538,9 @@ "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { "min_stack_version": "8.6", "rule_name": "Potential Reverse Shell via UDP", - "sha256": "2bb373420b8f04de56b4e10442d426787ff255a9ed14d92c64f05a0c3334871f", + "sha256": "e730ecd8da8e472be98472039b0fe0d3367e75d284b97851b915bac433ec17c2", "type": "eql", - "version": 1 + "version": 2 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "min_stack_version": "8.3", @@ -4835,11 +5550,20 @@ "version": 5 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Assume Role Policy Update", + "sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "10f0e0afc0e8f51f1c37dc1a9885a33dd37e56c43f029b3c5865e4983baefb3a", "type": "query", - "version": 107 + "version": 208 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "min_stack_version": "8.3", @@ -4858,9 +5582,9 @@ "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.3", "rule_name": "Suspicious MS Office Child Process", - "sha256": "e666ba885bd91e597b94e0359330e1a02c9c59b43b48de599aeb78a26c32aaa9", + "sha256": "1b6c475dbb4e03fa67ed24f68234e633e098831572aef47077e72f8dfe6957cb", "type": "eql", - "version": 107 + "version": 108 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "min_stack_version": "8.3", 
@@ -4943,9 +5667,9 @@ "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.3", "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "a73b1eb6b898a6e001202a04fdd4d7fb4c5b701bd88b68a6840f1260506c2e68", + "sha256": "7844ec8c0187f632d87cd6160ec6fbfa6968c5922e6a07bb3372475a6a1b5f31", "type": "eql", - "version": 104 + "version": 105 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "min_stack_version": "8.3", @@ -4964,9 +5688,9 @@ "aa895aea-b69c-4411-b110-8d7599634b30": { "min_stack_version": "8.3", "rule_name": "System Log File Deletion", - "sha256": "ac41e7af0740df6857011b45aeafd5c04aa1172edb2ee9469e0294726e78cea9", + "sha256": "14e5354aa44af54186285133c4a176bf18dd8b2c1dc22c1555bd658ca8aed767", "type": "eql", - "version": 107 + "version": 108 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", @@ -4985,9 +5709,9 @@ "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", "rule_name": "Remote Execution via File Shares", - "sha256": "9a5ead5bb94a1738ef4a8c11bf9f462123e5bd0feb2519f360526765f6f33939", + "sha256": "9960496bb3be4ae85c905a65d9967cce3c87c957c5b9c0a36e7940676dc24fac", "type": "eql", - "version": 107 + "version": 108 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.3", 
@@ -5006,23 +5730,32 @@ "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.3", "rule_name": "Suspicious WerFault Child Process", - "sha256": "afa61dc2050d9a7e20f967d9211dda8036fdb4e3a725c969403a31ceb567ba33", + "sha256": "0f822c4116038c91a881a8b8eda9017407457ea3498167dea425f66a161a9067", "type": "eql", - "version": 107 + "version": 108 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual AWS Command for a User", + "sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual AWS Command for a User", "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49", "type": "machine_learning", - "version": 107 + "version": 208 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via Chisel Server", - "sha256": "85b49fc5764428ee7a05cbde9d031b14b82f8f03824c859dd58ec45f25c8a091", + "sha256": "48bea2e83f12194db4f91544236e97199adeadca828f332acc5c23da9f9d9206", "type": "eql", - "version": 1 + "version": 2 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.3", @@ -5064,9 +5797,9 @@ "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "min_stack_version": "8.3", "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "bedefb3843c8bab1185b36e6c8ced6d50cf2e073be5c0270dbbb3b1b27cb89f9", + "sha256": "f9f3abc0bcdf5a397a26aac862f259f0a5b8a25feded07e85dcb9a308c799f23", "type": "eql", - "version": 104 + "version": 105 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.3", 
@@ -5100,9 +5833,9 @@ "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.3", "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "908f3060b0c4846a176cfe5ad9f2187c6bf23b09a3fe9833680c524f1b6ff701", + "sha256": "8f2f24455938fb5ea09e3ec7060090a25a269b6678183d00e54a6414e2df8ebf", "type": "query", - "version": 107 + "version": 108 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "min_stack_version": "8.3", @@ -5114,16 +5847,16 @@ "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "min_stack_version": "8.3", "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "bb502a72d7b3be033796d389420de72438dbe7d44096a7b8203caa4e7676c5aa", + "sha256": "8cd17e47485c9d7340c14995dfe14cbab3158f5de2a29a64a2e8281e1236dc66", "type": "eql", - "version": 107 + "version": 108 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "min_stack_version": "8.3", "rule_name": "Suspicious Communication App Child Process", - "sha256": "d195fb652753fee06135cdc5beb9fb65b68e7895f9d0fc199416d9269c88cfd6", + "sha256": "0e8ff7a50a23c7b9726e3fce8b74834754c75e9cc4bee21fddbb73b9acde9c43", "type": "eql", - "version": 1 + "version": 2 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.3", 
@@ -5135,16 +5868,16 @@ "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "min_stack_version": "8.6", "rule_name": "Shared Object Created or Changed by Previously Unknown Process", - "sha256": "26c12224f8502e7fc4d3293edee86f433e5a9232a94ff1ed704587a9c019e640", + "sha256": "aad1b5a33619e6512fe65f763c3bf7efc9340426847e9521aef7529ed7b820a1", "type": "new_terms", - "version": 3 + "version": 4 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "min_stack_version": "8.3", "rule_name": "Unusual User Privilege Enumeration via id", - "sha256": "e5a5fa72494c859d18b55169da07fe4402091b7b621b55c497592cfe489f3912", + "sha256": "c98963d7bd8d88e43392beedefd94e993beba6832757358cbd30700b542c64d8", "type": "eql", - "version": 1 + "version": 2 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.3", @@ -5156,16 +5889,16 @@ "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "min_stack_version": "8.3", "rule_name": "Network Activity Detected via cat", - "sha256": "842200b53b379cfcfe0e98cce8c0775e7120c7312edc3aecaa2cae7783559566", + "sha256": "3efeb12f45b961fb82eedcf17858c557c07e762e46a219c0988da6b4f07502f2", "type": "eql", - "version": 1 + "version": 2 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Container Misconfiguration", - "sha256": "c8effdbedbafb2183ae0ebbed62b0c5290d8157f7c6cf64bd0f9df02ee6c44d7", + "sha256": "0bf1a7ca2b5b8e549eb4f67bc0935b74f3f25e139397f7b67fa4657d5d14de9f", "type": "eql", - "version": 2 + "version": 3 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "min_stack_version": "8.3", @@ -5197,9 +5930,9 @@ "b2318c71-5959-469a-a3ce-3a0768e63b9c": { "min_stack_version": "8.3", "rule_name": "Potential Network Share Discovery", - "sha256": "6b2beff828f6dbc7e7b0afe03808d0497daf94d97c99afb60f9b17cf65c76cb9", + "sha256": "eb213dc86c103363dad386e08221252c0d865f53b002b17fe09c36adb6631ec5", "type": "eql", - "version": 1 + "version": 2 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "min_stack_version": "8.3", 
@@ -5239,9 +5972,9 @@ "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.3", "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "850a993dfb6eda757d5c928ddadb446f3ff907e01cc16c715a8274d56c405fa0", + "sha256": "aa283cd7566eebaa3e98d93024a7710926f4bb3dac4a46d97159d6377f7ee8ca", "type": "eql", - "version": 106 + "version": 107 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.3", 
@@ -5258,39 +5991,57 @@ "version": 104 }, "b45ab1d2-712f-4f01-a751-df3826969807": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS STS GetSessionToken Abuse", + "sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS STS GetSessionToken Abuse", "sha256": "1382976ef19290c1857b535d15facff537acd5d5a33e5575372bef70ba4c9090", "type": "query", - "version": 104 + "version": 205 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "min_stack_version": "8.3", "rule_name": "At.exe Command Lateral Movement", - "sha256": "893d370046656c516a3d5b747ce8da0049fd49f11a14f685446dca5ada7bcbcf", + "sha256": "dd7f70787fff06dbfcdc2556f504ad62feda00ed2e1fa5d7effab3a1be31482f", "type": "eql", - "version": 1 + "version": 2 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "614c1c668c20b47ea3131ada30c8e3553492804e1a59c5580715f70c757d07b6", "type": "query", - "version": 105 + "version": 206 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via OverlayFS", - "sha256": "933503a94667894209a5220b062fe18f2b075d5c0c0608171a3843cb264a4429", + "sha256": "c7deb10ffa59d05fbac1583edf15b565628cec521edbceb803f9b15c91400b85", "type": "eql", - "version": 2 + "version": 3 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.3", "rule_name": "Clearing Windows Console History", - "sha256": "7cf6587d86fbdfeb3c6513bb3c44adaeeff97831c1afb84ac5aa64fb8ed82298", + "sha256": 
"9f885fb22e236780df0b7209ca3b783bbbe19b69cd285ad32c8a24005ef089e7", "type": "eql", - "version": 106 + "version": 107 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.3", @@ -5309,9 +6060,9 @@ "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.3", "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "e83adb7abd38295e3992be00556c51a2381e38d400259af3c0d3ba9e3abe6d2d", + "sha256": "9fbd1c201afd94da2c21d31f6797a87f96380d6cb42df20af7ad7205ffcd05ac", "type": "eql", - "version": 106 + "version": 107 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "min_stack_version": "8.3", @@ -5321,18 +6072,36 @@ "version": 103 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Deactivate an Okta Policy", + "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "6a65ec96ad5423adc711dfec4c404f2e552f894f68eaa80a1f242d64218bbdc6", "type": "query", - "version": 105 + "version": 206 }, "b8075894-0b62-46e5-977c-31275da34419": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Administrator Privileges Assigned to an Okta Group", + "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3", + "type": "query", + "version": 105 + } + }, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "1177bae4785512b7c84e85287f4a1e6555c016a06a1a91407ee74cee2c622ae3", "type": "query", - "version": 104 + "version": 205 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "min_stack_version": "8.3", 
@@ -5365,23 +6134,23 @@ "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "min_stack_version": "8.3", "rule_name": "Kirbi File Creation", - "sha256": "5cc88228ed8f2119aba7d21bef4e172fec1499a3b3b8168eb439cb581d94c2ac", + "sha256": "34a4c6af4a0abec4b49761fd3410e7ce843a7cd917929009de084283086d34f2", "type": "eql", - "version": 1 + "version": 2 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "26cd2a27b9188a119adafb00b69b4b1d5bbcbc60cfd384696c76c50e54bcff5d", + "sha256": "c5173c7852d544188783ae8ad6360a27c4dc99276c45cd65516112c2f3a24d88", "type": "eql", - "version": 105 + "version": 106 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.3", "rule_name": "Chkconfig Service Add", - "sha256": "ed8d32c408ebce2c38e498744b7f617e2d9a2b9a38139ad447c1c100b5844299", + "sha256": "975875643c470662591b7f92890f341af3ec06aaec4d7462d89b555ab08b31ea", "type": "eql", - "version": 106 + "version": 107 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "min_stack_version": "8.3", @@ -5407,16 +6176,16 @@ "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "b52f9a9d5f0c729e51501205cbd24a63482072973a089b57d59e07a4fab75df7", + "sha256": "24e7bf23a9b423f0ee788a5d588692dbf4cb7d5a9de672b20db27deb8f3d05fb", "type": "eql", - "version": 105 + "version": 106 }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.3", "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "6babe233910e674621a9caa5ef06d385da6c55f240c6169e50263b3ee15edba5", + "sha256": "c475fe418c9dd5c5b6a357004cecb0f77ec12520167b225d77dcb436eb1094fd", "type": "eql", - "version": 105 + "version": 106 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.3", 
@@ -5428,9 +6197,9 @@ "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.3", "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "2a8f252310526865a66c043e6fce6a09a1f3bb3a23422aefd2e8782f9f25e414", + "sha256": "4e20d0099e197e490805cd6edaf652e4b192b1c67cd120c9583905ac929dd623", "type": "eql", - "version": 104 + "version": 105 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "min_stack_version": "8.3", @@ -5440,11 +6209,20 @@ "version": 102 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Encryption Disabled", + "sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Encryption Disabled", "sha256": "60c1a7d5d2cd24c909689b37015df4508b993bdd925b050e1b45df21a23479ba", "type": "query", - "version": 104 + "version": 205 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "min_stack_version": "8.3", @@ -5456,9 +6234,9 @@ "bbaa96b9-f36c-4898-ace2-581acb00a409": { "min_stack_version": "8.3", "rule_name": "Potential SYN-Based Network Scan Detected", - "sha256": "2b1e4aa7d79164849563312bd9d49b860b58f5f0b4df254ce84a7a65e6a10dfa", + "sha256": "2425bfd3bc54bb802d2646cf30575b92b6de9f1768145e593f3640a9ed1ba450", "type": "threshold", - "version": 3 + "version": 4 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "min_stack_version": "8.3", 
@@ -5468,11 +6246,20 @@ "version": 102 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Root Login Without MFA", + "sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Root Login Without MFA", "sha256": "8f967af66ccd21f236403f460e274db15d0dab8e769626d091f26ddba123de07", "type": "query", - "version": 107 + "version": 208 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "min_stack_version": "8.3", @@ -5498,9 +6285,9 @@ "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "min_stack_version": "8.3", "rule_name": "Potential Non-Standard Port SSH connection", - "sha256": "92fe0317a5bf0deb57dbfeb4dcf96a13fa08ceb7e7a1e13f9f597eb9c94cda33", + "sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26", "type": "eql", - "version": 4 + "version": 5 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { "min_stack_version": "8.3", @@ -5516,12 +6303,19 @@ "type": "query", "version": 104 }, + "bcaa15ce-2d41-44d7-a322-918f9db77766": { + "min_stack_version": "8.9", + "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", + "sha256": "d63cfc91fa9b1bb91389ee64591686beafffd9f84982f78f22bcb437826e0180", + "type": "query", + "version": 1 + }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.3", "rule_name": "PowerShell Keylogging Script", - "sha256": "3d79fb63abbf974eea35cef0856ce1d799ebbf00d6ca813fc02212c88846a9b9", + "sha256": "e5e42d67e73c95c6558439ae96e3515ae045a15b9cf9349190ccb7ce1a5c3258", "type": "query", - "version": 109 + "version": 110 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { "min_stack_version": "8.3", 
@@ -5540,16 +6334,23 @@ "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "b1a7f950e8830388985011f13f94ef09e66a8e19ff09652206c060af47049380", + "sha256": "95a277633a730cc76f1f3dd56678af752c6c0b11bd0eca7bf678452efce66786", "type": "eql", - "version": 2 + "version": 3 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.3", "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "9788f2c111d4f8b2f3e0fe64bf7ae3413c3de45f8b030b8611720aac8b263436", + "sha256": "49544ad4d81ab915c9fd10546c551f9f16cd314bd11afeb39e1d8c2f92d61242", "type": "eql", - "version": 105 + "version": 106 + }, + "bdfebe11-e169-42e3-b344-c5d2015533d3": { + "min_stack_version": "8.9", + "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", + "sha256": "5ae04a57c1b38d7e0492041cf77dd21a4f39bbab4665de39b2fa755166cf1faa", + "type": "machine_learning", + "version": 1 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "min_stack_version": "8.9", @@ -5566,11 +6367,20 @@ "version": 106 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Snapshot Restored", + "sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Snapshot Restored", "sha256": "31690f503f33025d8d634b7c33d01adff504c8c0cdfbeab6519116149937669e", "type": "query", - "version": 104 + "version": 205 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "min_stack_version": "8.3", 
@@ -5579,12 +6389,19 @@ "type": "eql", "version": 2 }, + "bfba5158-1fd6-4937-a205-77d96213b341": { + "min_stack_version": "8.9", + "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", + "sha256": "5b26c01b0dbc43669ecd86f7d517896559de73bb5322add585302163804f23fc", + "type": "machine_learning", + "version": 1 + }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.3", "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "7571708ba81c1f4c57ec35169932645127841b408009313e8f8135ce0047e56f", + "sha256": "48070e6a13563fdaf1cc968863fd1afaf4838e89682767a13af387858571ec00", "type": "eql", - "version": 107 + "version": 108 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "min_stack_version": "8.3", @@ -5596,9 +6413,16 @@ "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.3", "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "1d3f46774fa553848617bda8c90e9702f60b946e32a622488929bf506f40dae3", + "sha256": "b703ff542262a1b01cce71377aa6ca313a15387e5c2b986a98d27924ecb2782f", "type": "eql", - "version": 105 + "version": 106 + }, + "c0b9dc99-c696-4779-b086-0d37dc2b3778": { + "min_stack_version": "8.3", + "rule_name": "Memory Dump File with Unusual Extension", + "sha256": "d6064fcc8c3a68d8ecb16d376fef04353be367b0f897433bc82b46a6569f0eb5", + "type": "eql", + "version": 1 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "min_stack_version": "8.3", 
@@ -5610,23 +6434,41 @@ "c125e48f-6783-41f0-b100-c3bf1b114d16": { "min_stack_version": "8.5", "rule_name": "Suspicious Renaming of ESXI index.html File", - "sha256": "2195aa627b79e9257bce750418e362ba1b3e8afcb6b58e9fb9d1e7cb145e171d", + "sha256": "6ce01312cbd857003098b2b0753a1ec8356a09b109b020cdc2ab369082ffbf8c", "type": "eql", - "version": 3 + "version": 4 }, "c1812764-0788-470f-8e74-eb4a14d47573": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 Full Network Packet Capture Detected", + "sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 Full Network Packet Capture Detected", "sha256": "53d6e6b5dc3942bb911622ffd2582ed4e8a3bff445df0e269aba07ed320f34e8", "type": "query", - "version": 104 + "version": 205 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 100, + "rule_name": "Unsigned DLL Loaded by a Trusted Process", + "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", + "type": "eql", + "version": 1 + } + }, "rule_name": "Unsigned DLL Loaded by a Trusted Process", "sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878", "type": "eql", - "version": 1 + "version": 101 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.3", @@ -5715,9 +6557,9 @@ "c57f8579-e2a5-4804-847f-f2732edc5156": { "min_stack_version": "8.3", "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "0754db6d4f87bf3dbed35d286a6313e4dd925ac4336f36dfb27b7f5fdb03719d", + "sha256": "0710403c8d618e71c165c7b8eb160bed4e6e439b9d9c904d9b5af9aa9be9588e", "type": "eql", - "version": 105 + "version": 106 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "min_stack_version": "8.3", 
@@ -5729,9 +6571,9 @@ "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "min_stack_version": "8.3", "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "cb3a027cc825279d6ff1f31d31e63c3ce7ddce596ef2f0427bba0b3ffeb643f6", + "sha256": "9703a3f1e0ab87710ef683407452f9491a296fbb9fb21c1270d48f28039443a0", "type": "eql", - "version": 104 + "version": 105 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.3", @@ -5768,18 +6610,36 @@ "version": 100 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Delete an Okta Network Zone", + "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "32aa247af72d8bfb3ed85d34d5c359b595a21f5b5ef6703aec68875147b2110f", "type": "query", - "version": 105 + "version": 206 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Attempt to Modify an Okta Application", + "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0", + "type": "query", + "version": 105 + } + }, "rule_name": "Attempt to Modify an Okta Application", "sha256": "d9ce411d12a9dcd03a68e93eedabd0fc200c743908746faf634ade8744ff7f32", "type": "query", - "version": 104 + "version": 205 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.3", 
@@ -5807,9 +6667,9 @@ "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.3", "rule_name": "Unusual File Modification by dns.exe", - "sha256": "26595f8f9541a3d4b1ce33b50669bb5f8e620a68f9063c6c07ef0eef97271b42", + "sha256": "462a72ca87888591497bad05c41909f4b20b28e8be26d594546e563f178bd706", "type": "eql", - "version": 106 + "version": 107 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "min_stack_version": "8.3", 
@@ -5855,37 +6715,37 @@ "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "min_stack_version": "8.3", "rule_name": "Parent Process PID Spoofing", - "sha256": "c3dac03f556b89e88f147aed56f297767b5d0a9110cdf317ef621032e9aae739", + "sha256": "e1789b1189d98d1c0dd3e14aef3df67f994982f60001aab44c9785a8bab9bb3a", "type": "eql", - "version": 104 + "version": 105 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "min_stack_version": "8.3", "rule_name": "Potential Linux Ransomware Note Creation Detected", - "sha256": "6c899bbc998ab3b8926434c8838a0567b3e9daab6ac42337689be77fa96f4c6b", + "sha256": "d16c1571f4991e8257fc206ff4e66afbab3d14994c0b00534ab992bd948529be", "type": "eql", - "version": 5 + "version": 6 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.3", "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "d820917b8b190283034007d7db8ba4ac8ef6bd82e9d9d8a9f256976c0fa2623d", + "sha256": "1d46ce00fb8fa393c7b0122644b3e0a367bb2ce96e5767209a2e3f101b552c52", "type": "eql", - "version": 107 + "version": 108 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.3", "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "dfa996d0665851351caf73bca44bb19208342678d818aff4cc77005b0092ca67", + "sha256": "a2dad54c59a4df7c89caa5e11af6d9425532fe82b26ef1c0588f4d7b835f71ec", "type": "eql", - "version": 106 + "version": 107 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "1d87bf52f955049b3e1220e65c69464b5d6c21362b8762df0b397d412b1537ee", + "sha256": "a5e68609def010ae4cea5c31b29ec9740ce793360ee2d0c8995ce5c93286ed58", "type": "eql", - "version": 3 + "version": 4 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "min_stack_version": "8.3", 
@@ -5904,9 +6764,9 @@ "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "min_stack_version": "8.4", "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "94fbed29b0713d997d61575509179ec8a3aaf3580b4c2661a2a42ef4e7e50aef", + "sha256": "cbc3f42a7bcbc551c94f4915bbf898b210a4747c014608e39f4a2a12501d1682", "type": "eql", - "version": 4 + "version": 5 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", @@ -5926,9 +6786,9 @@ } }, "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "16d0a37c5a0c0c7de7d31afcbfae78cadf1e1c87ed0eb87f347d3c6a44b1ae00", + "sha256": "5f9d6f9747305b2a9d59f1c2bb89ec12610c7490a57f1ccb24de236f42839d9b", "type": "new_terms", - "version": 209 + "version": 210 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.4", @@ -5966,6 +6826,13 @@ "type": "query", "version": 104 }, + "cc653d77-ddd2-45b1-9197-c75ad19df66c": { + "min_stack_version": "8.9", + "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", + "sha256": "6be5434c46b81e00bf29a5b3c08506bb5fefe291cfffe9666594851bd81d5007", + "type": "machine_learning", + "version": 1 + }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "min_stack_version": "8.4", "previous": { @@ -5990,11 +6857,20 @@ "version": 104 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Attempt to Deactivate an Okta Policy Rule", + "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999", + "type": "query", + "version": 107 + } + }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "b478201ba15dcd2c82b79fa58c4c175e917d642653a86009ecf389042156d85c", "type": "query", - "version": 106 + "version": 207 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "min_stack_version": "8.3", 
@@ -6004,11 +6880,20 @@ "version": 105 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", + "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6", + "type": "query", + "version": 106 + } + }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "06745b57fd263169ae59b2d860b840a6deb4a911da424fa9267827a54e77c61f", "type": "query", - "version": 105 + "version": 206 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -6026,9 +6911,9 @@ "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "min_stack_version": "8.3", "rule_name": "Kernel Module Removal", - "sha256": "06acdf4e4f36bf4d2e6e3f0d424b81264fc5262e89ef2db45dae483404ffce09", + "sha256": "7b92ec2e6a2290e49b0168c42351731b5a03508b59cbed4d0dd0127f6ab8ded1", "type": "eql", - "version": 105 + "version": 106 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "min_stack_version": "8.3", 
@@ -6038,18 +6923,36 @@ "version": 1 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Deactivate MFA for an Okta User Account", + "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Deactivate MFA for an Okta User Account", "sha256": "21e5d78749220436e967eeeb044dd1f1f605e2586c03e609b54561405c40cccf", "type": "query", - "version": 105 + "version": 206 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Okta User Session Impersonation", + "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5", + "type": "query", + "version": 107 + } + }, "rule_name": "Okta User Session Impersonation", "sha256": "0a3253294eddbc09d843b81fe8f461f26e5b01e8456dc88dbce7c79923ff93b7", "type": "query", - "version": 106 + "version": 207 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.3", @@ -6061,16 +6964,16 @@ "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.3", "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "e749e4d6a22d62d8564e36ff162cddb0342351273f7ae3f914f1781e4a6757e0", + "sha256": "2abbf97e21f0197022ef274f0c7aaf1326d6645628f586e1bbc7e75dd4bf6dac", "type": "eql", - "version": 105 + "version": 106 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "min_stack_version": "8.3", "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "ae06529dfc51404f2a14651c780e0d62070bf088490bbb3215fdefb56904c4f2", + "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", "type": "query", - "version": 104 + "version": 105 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "min_stack_version": "8.4", 
@@ -6109,12 +7012,19 @@ "type": "eql", "version": 108 }, + "cffbaf47-9391-4e09-a83c-1f27d7474826": { + "min_stack_version": "8.3", + "rule_name": "Archive File with Unusual Extension", + "sha256": "6fc1f60a466fb9cafbd52086ffba78f59d5ba996e6301563a12e09205b193e84", + "type": "eql", + "version": 1 + }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "min_stack_version": "8.3", "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "62f6fba73304cb10595e4f538a276512b741e0029111d72087049753411361eb", + "sha256": "400a4ff29714ab2561d2a413f2f404116f8fe1067cb678f32d05daa204ee8316", "type": "eql", - "version": 6 + "version": 7 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "min_stack_version": "8.8", @@ -6126,23 +7036,23 @@ "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "min_stack_version": "8.3", "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "ec194a453dd3acbf1dffd2e109f77cbbc7051fdfa80409701304809ce5654c43", + "sha256": "c206dc61a4c2ae0d1f412a63bcffc413ce72bb6de4d4c86c670d3c066dd1662e", "type": "eql", - "version": 105 + "version": 106 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "min_stack_version": "8.3", "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "da76314ab374a374b6612165cb783f7d25612235f241744919149cb6d00af975", + "sha256": "077587010e7e194ab3d20e99f290d4a9813931fa3a4c1f4bd01f8a875b0a274a", "type": "eql", - "version": 106 + "version": 107 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "min_stack_version": "8.3", "rule_name": "Expired or Revoked Driver Loaded", - "sha256": "58dd943fa10c8dc106e4f561c6a5755a555d7dd1116a6e82a02678f77be051f4", + "sha256": "bcc8530ce8aa18d4efbc4c6c3709e6308cacb5408758aa722e8a7c30dca27138", "type": "eql", - "version": 2 + "version": 3 }, "d197478e-39f0-4347-a22f-ba654718b148": { "min_stack_version": "8.3", 
@@ -6167,16 +7077,16 @@ "d31f183a-e5b1-451b-8534-ba62bca0b404": { "min_stack_version": "8.3", "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "73e5e14af530fc3c0ff1a000b5b32bc30097045766025d6a7240dc31794faa7e", + "sha256": "52bed23a3a6e8d13a93def9f01fc3f4de6094c7cbd2b55eb10637d659a556dd1", "type": "eql", - "version": 106 + "version": 107 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "min_stack_version": "8.3", "rule_name": "Clearing Windows Event Logs", - "sha256": "14a1097b7ee5b1d73b9dd86e6c7326ea224be99416f6f947d03c968723badf8c", + "sha256": "8ab63a4886ad2a72cbb3c1b616a3f462298f7cc74de154654064c96b035d343e", "type": "eql", - "version": 107 + "version": 108 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "min_stack_version": "8.3", @@ -6200,11 +7110,20 @@ "version": 104 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Attempt to Delete an Okta Application", + "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7", + "type": "query", + "version": 105 + } + }, "rule_name": "Attempt to Delete an Okta Application", "sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6", "type": "query", - "version": 104 + "version": 205 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "min_stack_version": "8.3", 
@@ -6230,16 +7149,16 @@ "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "min_stack_version": "8.3", "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "a386bc0314dc614dce09c10f76f04e239c85cffb8e305a1a37dc816fe8d0e466", + "sha256": "f5c2c64714e19cc3d5437f0039d3baa83ae9aa8fd5af5dcbd5b6655156c6e9af", "type": "eql", - "version": 1 + "version": 2 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "sha256": "351666156e6d77e8c9c195311cd45ba8c31b9e97ea0fd1503c48c15a776c1918", + "sha256": "3c95ccf8f67a50f03ac411052a8a2da81d0483634ff43782835b20a2eee49275", "type": "eql", - "version": 2 + "version": 3 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "min_stack_version": "8.3", @@ -6249,11 +7168,20 @@ "version": 104 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Delete an Okta Policy Rule", + "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "537f87bddcb81e9ba189e215fbb67e630dc5362f718cb3d8e57f843bd129033a", "type": "query", - "version": 105 + "version": 206 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.3", 
@@ -6263,11 +7191,20 @@ "version": 105 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Log Stream Deletion", + "sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "5bc55e01a217a6d8069b08e636d1e12080f2a96b645cc68f8f33806d04a820ee", "type": "query", - "version": 107 + "version": 208 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "min_stack_version": "8.3", @@ -6306,9 +7243,9 @@ "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "min_stack_version": "8.3", "rule_name": "Command Execution via SolarWinds Process", - "sha256": "e5a39260fe132207d539ea518652001adadec98c3bbe9ddaff7d7e7b0e673a57", + "sha256": "be781bb6c568f6e3338fe8a85423ad7b2bed67673e71befc92524a519bf29602", "type": "eql", - "version": 106 + "version": 107 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "min_stack_version": "8.3", @@ -6327,9 +7264,9 @@ "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.3", "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "23765713e12113ddb20663a6b929ed119d23f9106635fe4998ce6990dd394d97", + "sha256": "c44526d9a91a1fd72764e5afb5ad5c6a99415825884efde1516a72afc827756a", "type": "eql", - "version": 107 + "version": 108 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "min_stack_version": "8.3", 
@@ -6355,30 +7292,46 @@ "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "min_stack_version": "8.3", "rule_name": "Untrusted Driver Loaded", - "sha256": "c5ce1faffd687af5423c4bad755a8d5d182a6c74fde100b49092067a43111e70", + "sha256": "aa9adda1ac8dfe9c91e83c7741e046bb1553fda39b7e023d70c58e86fa012e11", "type": "eql", - "version": 5 + "version": 6 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Deactivation of MFA Device", + "sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS IAM Deactivation of MFA Device", "sha256": "7e7bcfe14adab55f0ac9ab6478a826ff0dff7b31efe686b94a1bbf30d730bdd6", "type": "query", - "version": 107 + "version": 208 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "638b38528aaa1d362737de0ee6c2c010913f44c8179a2ac928dbedc9473049f6", + "sha256": "8442e8cbb922de0f547562302bde985f3e343662547902ae1b3ad81817991b14", "type": "eql", - "version": 106 + "version": 107 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "min_stack_version": "8.3", "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "8376f30e9c1abd833e2b39242f04ba3f296fe0f2c153e3feda039d77b73ffd6f", + "sha256": "2102e91dda480a20979378bce1f9ce3243b54439c2ac1961ad795862fe956692", "type": "eql", - "version": 5 + "version": 6 + }, + "da7f5803-1cd4-42fd-a890-0173ae80ac69": { + "min_stack_version": "8.9", + "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", + "sha256": "fd0e143d1c3b97e0d0f5faf7c2574e3a80509905c6d6564cc15eadb49661058d", + "type": "query", + "version": 1 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "min_stack_version": "8.3", 
@@ -6410,9 +7363,9 @@ "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "min_stack_version": "8.3", "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "b778970c6f8ec04e3dbcf851f3553e72e19420cdbf1181efb2a8d360ec4f49a2", + "sha256": "f4edf52a98e83ab010153cdffb7067610814b7fcc0414bb5e8dcee5bf8d0d3ff", "type": "eql", - "version": 1 + "version": 2 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "min_stack_version": "8.3", @@ -6431,9 +7384,9 @@ "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "min_stack_version": "8.3", "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "f64d050e90fd179771887f3ae5d3ecdd6d9c638572d6ecb8cb513fddcd5496df", + "sha256": "e4df76ec7b5df39c1969e559f1a6da83fa65a42ce5b7d0309e543137738e41d0", "type": "eql", - "version": 2 + "version": 3 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", 
@@ -6444,23 +7397,32 @@ "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { "min_stack_version": "8.3", "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "df8a6dcbb0d179f109c810c8d819c0e48c62c8280a2c6196d00ba951b1486594", + "sha256": "d42dea9b11a475bd84ac3a3f2a7556720a15eec56ff92168c87ed712e91e8908", "type": "eql", - "version": 3 + "version": 4 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.3", "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "2ec7ebca77b749a6e4385185ffcbdbc71c0c3a9600b7599bb7b6462c6d84a28a", + "sha256": "068a220aff143f426d32e403fb68a377e120e375f657e84217c3eb4f399e543f", "type": "eql", - "version": 106 + "version": 107 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Unusual Country For an AWS Command", + "sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946", + "type": "machine_learning", + "version": 108 + } + }, "rule_name": "Unusual Country For an AWS Command", "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561", "type": "machine_learning", - "version": 107 + "version": 208 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "min_stack_version": "8.3", @@ -6479,9 +7441,9 @@ "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "min_stack_version": "8.3", "rule_name": "NullSessionPipe Registry Modification", - "sha256": "cdf948e2a073cb6319fa302acc7b0fc8a11477746659be69cff0c9b7860403b8", + "sha256": "6ff22a837ebb0aeecf0c358977ae439d6e5c872e7d002a5a13622b00638fa02a", "type": "eql", - "version": 105 + "version": 106 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "min_stack_version": "8.3", 
@@ -6493,9 +7455,9 @@ "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.3", "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "0ec40a6ffaf45b8d92ca2b163b9aabf5bde1a0fbb801e77ab931a36571295fb1", + "sha256": "e1754aece5bca9de7f3a297a9ebcfde160a4c48fdba1042e55a503c43af3a487", "type": "query", - "version": 105 + "version": 106 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "min_stack_version": "8.6", @@ -6516,9 +7478,9 @@ "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "min_stack_version": "8.6", "rule_name": "First Time Seen Driver Loaded", - "sha256": "e35873c4c836a040e5f558474966d7bd8b224776bcebab71cd3db0279a1068d2", + "sha256": "ad243a0040fbf3b300d379e356e6d3eb10209a2132942ac2f4e08962b1e8bd79", "type": "new_terms", - "version": 5 + "version": 6 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "8.3", @@ -6537,9 +7499,9 @@ "df6f62d9-caab-4b88-affa-044f4395a1e0": { "min_stack_version": "8.3", "rule_name": "Dynamic Linker Copy", - "sha256": "3e2bd8f151616982adae6eeff5311584831c41100d151b5327e9a39e41354ef4", + "sha256": "4c3f4b8b94c3abf50fada6c7104d6fcffb6126ad61920c98219b8ca2d1f7af00", "type": "eql", - "version": 104 + "version": 105 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "min_stack_version": "8.4", @@ -6563,6 +7525,13 @@ "type": "query", "version": 100 }, + "e00b8d49-632f-4dc6-94a5-76153a481915": { + "min_stack_version": "8.3", + "rule_name": "Delayed Execution via Ping", + "sha256": "dea7cf4add6220cd27ddb9f1a641b95436204b87ca0fca1c18dc903d50ce57a4", + "type": "eql", + "version": 1 + }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "min_stack_version": "8.3", "rule_name": "Azure Firewall Policy Deletion", 
@@ -6585,11 +7554,20 @@ "version": 5 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Attempts to Brute Force an Okta User Account", + "sha256": "71bc21a2e39ae429903f27a300a650a34aed1adfba8e5ce63f527c8362e23d02", + "type": "threshold", + "version": 107 + } + }, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "10ee903471646d3de3429f99b45cf5e5d7fadc3fda75e3d87f0d1f495d30f511", "type": "threshold", - "version": 106 + "version": 207 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "min_stack_version": "8.3", 
@@ -6613,32 +7591,57 @@ "version": 102 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route Table Created", + "sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route Table Created", "sha256": "4081dda0ac65323a45109124e0222f68584e912ecdc216ad1e2f5b8f9f431afc", "type": "query", - "version": 104 + "version": 205 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Cluster Creation", + "sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Cluster Creation", "sha256": "064737df50105c6e8c5336eb8537b218f80ef6e29e079214fe8dca37dc5bda32", "type": "query", - "version": 104 + "version": 205 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "min_stack_version": "8.3", "rule_name": "Connection to External Network via Telnet", - "sha256": "812d614780faf4725c6f1f5361fd6e47e40c2ea93429a55d3e577c3517074577", + "sha256": "ecd74e5b4a0d9320b567ccff15b0551b10812d52a6a99e120eb4e09dc3c70a70", "type": "eql", - "version": 104 + "version": 105 + }, + "e1db8899-97c1-4851-8993-3a3265353601": { + "min_stack_version": "8.9", + "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", + "sha256": "1ce0e6ef09a67c9f0018cebdedc41c09e0f2d980c0892d2c58f1e17af536bd70", + "type": "machine_learning", + "version": 1 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "min_stack_version": "8.3", "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "d5d199aba7de4375e54e1a420264755c1e6c6e2326dabf9ca76f2cd5285ebe46", + "sha256": "c283a96f0e6778b4047079842cb8724e31caef3444301c6475256a53b012ee57", "type": "eql", - "version": 3 + "version": 4 
}, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "min_stack_version": "8.3", @@ -6650,16 +7653,25 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.3", "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "619ca917a538026a7832ad49ce85327632de2c6218731727c03f1492ef67e712", + "sha256": "8c840abd0eed39efbf4517ceb247d5a1e29c14df891f7fc68b9c8ca19af732fa", "type": "query", - "version": 108 + "version": 109 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS Management Console Root Login", + "sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS Management Console Root Login", "sha256": "c4f8568aee037cc76372958fdfc1556649341e70f4d8ffc9a8a3f8c1e5fbe0e6", "type": "query", - "version": 107 + "version": 208 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "min_stack_version": "8.3", @@ -6678,9 +7690,9 @@ "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.3", "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "7326c0fdf7b88869ad1306d85488813f482b3ac72e2d30e276978b2d064c29b5", + "sha256": "f4aa9648ae148430d56ec66b1b05383eff95f446f9d746fa618a5fd5d74b932d", "type": "eql", - "version": 107 + "version": 108 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "min_stack_version": "8.3", 
@@ -6697,11 +7709,20 @@ "version": 107 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route53 private hosted zone associated with a VPC", + "sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route53 private hosted zone associated with a VPC", "sha256": "58bf1f2fc9acd22be3c161424a77c2a213cf1401372313a2272d73d6af866d41", "type": "query", - "version": 104 + "version": 205 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "min_stack_version": "8.3", @@ -6720,16 +7741,25 @@ "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "ac660618b2f53220fa549edf8c4bf12df44b42b26daed8102d9f6cd69d0340f7", + "sha256": "47990704fcf218a068f07339d376b36fe1ff72c831754b08f0dffed5768cc04d", "type": "eql", - "version": 106 + "version": 107 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Modify an Okta Network Zone", + "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "6d57260382880fab2e20021bd0235b13974bf1bde3fcdb2fe4b85484ea80f4c6", "type": "query", - "version": 105 + "version": 206 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.3", 
@@ -6741,9 +7771,9 @@ "e514d8cd-ed15-4011-84e2-d15147e059f1": { "min_stack_version": "8.3", "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "f58e148fb90ab12de044fc7afa0a2778b71ecd8643082310872048c0960b54d4", + "sha256": "ff07330e7b280ebe26aff63e3c933ca68bc9e57095f06822a1ce1a766f8aa2d4", "type": "query", - "version": 107 + "version": 108 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "min_stack_version": "8.4", @@ -6770,9 +7800,9 @@ "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "min_stack_version": "8.3", "rule_name": "Bash Shell Profile Modification", - "sha256": "89a6e5c6d2b9b24839bad3982fe4350838838f91a099081af2d9e17bbd48eb02", + "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3", "type": "query", - "version": 103 + "version": 104 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "min_stack_version": "8.3", @@ -6782,11 +7812,20 @@ "version": 104 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Possible Okta DoS Attack", + "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391", + "type": "query", + "version": 105 + } + }, "rule_name": "Possible Okta DoS Attack", "sha256": "065c5e51d3541a24ee401d4b9da8787e8fb858c1e89938d7f7fa8daf46e7199e", "type": "query", - "version": 104 + "version": 205 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "min_stack_version": "8.3", @@ -6802,6 +7841,13 @@ "type": "query", "version": 104 }, + "e707a7be-cc52-41ac-8ab3-d34b38c20005": { + "min_stack_version": "8.3", + "rule_name": "Potential Credential Access via Memory Dump File Creation", + "sha256": "49debe62710e167c237de800f3dd2ce6ad4a3f4a6effd957439d576770b4e7c9", + "type": "eql", + "version": 1 + }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.3", "rule_name": "Execution of Persistent Suspicious Program", 
@@ -6828,37 +7874,46 @@ "e74d645b-fec6-431e-bf93-ca64a538e0de": { "min_stack_version": "8.3", "rule_name": "Unusual Process For MSSQL Service Accounts", - "sha256": "3b88ce7678e0afd9133e4614123484e05b3c652f2ee1b555271860a540e9e01a", + "sha256": "b79eae658a0dc89978d022131f60766565b9d713cf71cfa900e632da05719fe3", "type": "eql", - "version": 1 + "version": 2 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "6b4158b68c196337a5ca798c23c4e99e1f5b63dcc09404ce703310ffa3115658", + "sha256": "9dabc489226c779aadc8aebd27fd06248863464f8c3eb77f8e3e65ea9de31581", "type": "eql", - "version": 4 + "version": 5 }, "e7cd5982-17c8-4959-874c-633acde7d426": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Route Table Modified or Deleted", + "sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Route Table Modified or Deleted", "sha256": "2199bfaa82c73c0e3d8e7c4dd8d7df67b438163716298173157240784ea80fdc", "type": "query", - "version": 104 + "version": 205 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.3", "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "9d7d295720f93607b0c637e791d1135a828f9a60edfd04a13aea1c2f444cddfb", + "sha256": "2894b45c8036eb38c332ca6f58cdcc5e872a80caa4e846636d051be8a166fcfe", "type": "eql", - "version": 106 + "version": 107 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "min_stack_version": "8.3", "rule_name": "Installation of Security Support Provider", - "sha256": "07f742804dcc4362c3a6df0146ffd869e3e92a5e39ed19fbc676e1a205762fca", + "sha256": "05e809fb643c5c0b932f08cf325d5b980c1be26c2322a33497bf7931a54612bb", "type": "eql", - "version": 104 + "version": 105 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "min_stack_version": "8.3", 
@@ -6868,32 +7923,66 @@ "version": 4 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { - "min_stack_version": "8.4", + "min_stack_version": "8.6", + "previous": { + "8.4": { + "max_allowable_version": 102, + "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", + "sha256": "3a05a24c654cdb42c8718f7cf97e55b13d9be01f97cfd17a78db8f616168fa80", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": "386862fe4e944388b9eada8008e45520c98413131236b3c1dbdffd72bd7b2db3", + "sha256": "b2bf47b2d754b97d1201f5d927c49421ceb71609ac667f07c240495f839cd6be", "type": "new_terms", - "version": 2 + "version": 103 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", + "sha256": "94f8f87bf5279e92dae5e3f1a86adcc88c5e03a1ddc2d3ee3878b1ef488abd08", + "type": "threshold", + "version": 107 + } + }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "bb06cc2e64669d793dd0ab51b8f596cf9ed9f9454f861ae51504837bb3552d10", "type": "threshold", - "version": 106 + "version": 207 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS EC2 VM Export Failure", + "sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS EC2 VM Export Failure", "sha256": "3d6439c0aa3958b93a6dddcf1bd5a4bd85a8a42ea1de077784cbcddffa9842dd", "type": "query", - "version": 104 + "version": 205 + }, + "e92c99b6-c547-4bb6-b244-2f27394bc849": { + "min_stack_version": "8.9", + "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", + "sha256": 
"f4946a910d3c5cf165420c1f5768200c1484fdc853e0a53756994d7993255dd4", + "type": "machine_learning", + "version": 1 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "min_stack_version": "8.3", "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "2691fb427b7fddacc7927bc417d5dab77367c0f14203e072f86d3aefe7a62802", + "sha256": "0932a11d1af761dc69c880afac16d9f8543316e5b003ac9c7f31d6a1b903eb5b", "type": "eql", - "version": 107 + "version": 108 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "min_stack_version": "8.3", @@ -6928,12 +8017,28 @@ "type": "query", "version": 100 }, + "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { + "min_stack_version": "8.9", + "rule_name": "Unusual Process Spawned by a Parent Process", + "sha256": "e0eb8a5cb723b6d21c3bd60ed9f2fbaa258b957aaf1c3ccb239075cb1bd9e3a2", + "type": "machine_learning", + "version": 1 + }, "ea248a02-bc47-4043-8e94-2885b19b2636": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS IAM Brute Force of Assume Role Policy", + "sha256": "d8fbba1e46a7add1e78c5e5e8efbbd07526667d98224a35765adf2574e4c6e80", + "type": "threshold", + "version": 108 + } + }, "rule_name": "AWS IAM Brute Force of Assume Role Policy", "sha256": "c03ce8fcb77809e7578333b7e52f0fe9d851c9f6687eb1a7d20a33e2b642ed3f", "type": "threshold", - "version": 107 + "version": 208 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "min_stack_version": "8.3", @@ -6973,9 +8078,9 @@ "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of SELinux", - "sha256": "b8f1ac64b7c560cb7647ffb41b0bcbedc7b257a7f316fcbeb491b84b7b09c94c", + "sha256": "039692bcb30d46067fc586c4ebcd04997a968d5c426694130fea5aeb0a48d46b", "type": "query", - "version": 105 + "version": 106 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.3", 
@@ -7012,12 +8117,28 @@ "type": "query", "version": 102 }, - "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { + "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "min_stack_version": "8.3", + "rule_name": "Executable File with Unusual Extension", + "sha256": "d740eda69b10b688372f488feab1a6e9af2a26122ee1f6af6de7612aa33706e8", + "type": "eql", + "version": 1 + }, + "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Instance/Cluster Stoppage", + "sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Instance/Cluster Stoppage", "sha256": "ac0a0d9ae3dd952d42b9953594ccbb2e820c3b3754a613810c6568a3fb3205bc", "type": "query", - "version": 104 + "version": 205 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "min_stack_version": "8.3", @@ -7029,16 +8150,25 @@ "eda499b8-a073-4e35-9733-22ec71f57f3a": { "min_stack_version": "8.3", "rule_name": "AdFind Command Activity", - "sha256": "84fe4ed20d10995793ab80c3edcadea3a2e6590b1c71d8b0f7ae5f3400276e36", + "sha256": "b3773d30c5a81754f182b5e16112b660ce51afc7217b471c07c135c92343561e", "type": "eql", - "version": 106 + "version": 107 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Attempt to Deactivate an Okta Application", + "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "6015ee3b4d4c29fbd1e06ca5bb2947716089acffc92c07d1e1ef36a3aace0a7c", "type": "query", - "version": 105 + "version": 206 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.3", 
@@ -7084,16 +8214,16 @@ "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "min_stack_version": "8.3", "rule_name": "BPF filter applied using TC", - "sha256": "dfcaee87ab5815bd4120fc20f1cfd41d481913aa1b077dd7e28539febe9bd5d9", + "sha256": "d3b6a041bc5f899f14ba0e350fbb36350e02d5800b1751b2bff3950a02bab9e4", "type": "eql", - "version": 105 + "version": 106 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "min_stack_version": "8.3", "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "421ac0a4b80d62b16f199e6f04b38b5b8c1c8dbed801722495c596321864b0fb", + "sha256": "fa04606235d591a3a18f27ac11497e0b0b3c0db64ac9d3cdae52dac5bebb9ca1", "type": "eql", - "version": 3 + "version": 4 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "min_stack_version": "8.3", @@ -7102,6 +8232,13 @@ "type": "eql", "version": 107 }, + "ef8cc01c-fc49-4954-a175-98569c646740": { + "min_stack_version": "8.9", + "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", + "sha256": "ae2f3e60d6bf07e3ace4c7be1a9a199dc8b181ae4c472baa2f02f91eb86e6801", + "type": "machine_learning", + "version": 1 + }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.3", "rule_name": "Unusual Child Processes of RunDLL32", @@ -7117,11 +8254,20 @@ "version": 104 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Administrator Role Assigned to an Okta User", + "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba", + "type": "query", + "version": 105 + } + }, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "129a8d5f0cd2075e7fe6a38059a5ddcd26d18f1d6b9d8b93950bf60863671395", "type": "query", - "version": 104 + "version": 205 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "min_stack_version": "8.3", 
@@ -7147,9 +8293,9 @@ "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "min_stack_version": "8.3", "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "acc6575e3fa6df0eabd86bf1fa2a16fdcf95a33f0b3c99ef35f473bee3cbea26", + "sha256": "9472c913dfa8869854d45e63066366097bc76d22561deba5f0332c0e764850d5", "type": "eql", - "version": 4 + "version": 5 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "min_stack_version": "8.4", @@ -7175,9 +8321,9 @@ "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.3", "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "c0d41a9640582655c35bbdf6fd4057c405ea4a82195c458393a2820c413ea5df", + "sha256": "5b99a39e1fe7e357d865152fc9bddaf95dbcdef3438bbdd9a2de4b9ef6351120", "type": "eql", - "version": 106 + "version": 107 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.3", @@ -7194,11 +8340,20 @@ "version": 106 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS RDS Instance Creation", + "sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS RDS Instance Creation", "sha256": "25aeaebf372fd4e468e990590efe81685706f45ab5eb44bb246d187a16a8b6e0", "type": "query", - "version": 104 + "version": 205 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "min_stack_version": "8.4", 
@@ -7207,12 +8362,19 @@ "type": "eql", "version": 3 }, + "f3403393-1fd9-4686-8f6e-596c58bc00b4": { + "min_stack_version": "8.9", + "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", + "sha256": "109d0c7e3887d7f898702bb931801365f78166bc37b58aa04f66b0e30101f41b", + "type": "query", + "version": 1 + }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.3", "rule_name": "WMI Incoming Lateral Movement", - "sha256": "881b9fd8fe67814ac0e2fd46633b3d14bec837de65f947f3196690da517ec326", + "sha256": "05dfb891d848215da2bda7c42b5229022f92e80d8ee4f97ea007d57196cfd637", "type": "eql", - "version": 107 + "version": 108 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "min_stack_version": "8.3", @@ -7231,23 +8393,23 @@ "f41296b4-9975-44d6-9486-514c6f635b2d": { "min_stack_version": "8.6", "rule_name": "Potential curl CVE-2023-38545 Exploitation", - "sha256": "9efdc32da856ea0ecfb495756ffd87148d34f4be5d42e19e9839782860cef853", + "sha256": "397ef632c840d0922b83d252b5b41db9cbaa48dbded3e4274d7b714ea636231b", "type": "eql", - "version": 1 + "version": 2 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "6529bb3e9f2e7ba6334ccf83e73cb084a6d4a6b4754c82131a2b29b573db94fc", + "sha256": "292a400f924bdf495a355385c16ff53e68f9f3339a16f03722da0a67d20439f9", "type": "eql", - "version": 104 + "version": 105 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "min_stack_version": "8.3", "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "58fd8199f7eaa97b77809fbe7b9b19e44632eef4618a3a85d269f4c10fc65dda", + "sha256": "26b40ddcaa37e8f078da5fbfc2a20a67103717af9bed0188b9002a14836ffe5a", "type": "query", - "version": 107 + "version": 108 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", 
@@ -7258,16 +8420,16 @@ "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "min_stack_version": "8.3", "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "4a1c0d919c79748efefe5321d5e6652f4806a90a6748a5fbb97472ba5c7b6479", + "sha256": "7c8538ccb98edd565c3e77089791a93f35d6fe22c6f6622b1b5830797dfce87b", "type": "eql", - "version": 2 + "version": 3 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.3", "rule_name": "Windows Script Executing PowerShell", - "sha256": "9c28b36b93bb14bdf7618dda4125499529113bf5a991135211322b859581d528", + "sha256": "137fe700650e80f99c3e810ffa7887f243a69e3fd36267afd3685955e5b3a7e4", "type": "eql", - "version": 106 + "version": 107 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "min_stack_version": "8.8", 
@@ -7279,15 +8441,29 @@ "f5861570-e39a-4b8a-9259-abd39f84cb97": { "min_stack_version": "8.3", "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "1985348b300faecebbaac140fff23f888d5eac725cc209b01811dc5cc860b8b1", + "sha256": "9d093df26320c45b314e47dc2317d5b84a706d33b570f9b302014671f4b684de", "type": "query", - "version": 1 + "version": 2 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { "min_stack_version": "8.3", "rule_name": "WMIC Remote Command", - "sha256": "dc6e94a20b8f1618cea407e2ac25227adc96daf497e2c1b5b034408f0e1aa3c9", + "sha256": "e1ef94a11c4732f762e8f4e61014834b56c85ac0b9238a537e111d942fb12601", "type": "eql", + "version": 2 + }, + "f5c005d3-4e17-48b0-9cd7-444d48857f97": { + "min_stack_version": "8.3", + "rule_name": "Setcap setuid/setgid Capability Set", + "sha256": "05f3189fe09c5f5c72a44871e7af8a36a085d5f5642ee65deed333c490888820", + "type": "eql", + "version": 1 + }, + "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { + "min_stack_version": "8.9", + "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", + "sha256": "d95530ac48c152547acc046bef874063d532e0a9f5f639803e3b525025209f22", + "type": "machine_learning", "version": 1 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { @@ -7307,9 +8483,9 @@ "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "min_stack_version": "8.3", "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "0e7d1a785743f7bd0167dacf31665648afe6cc0921d859d611decdcf3ca2bf89", + "sha256": "23aef572b50810af907ee7bd6ef6657623f6592f933f9406a58dda38ccecb9d2", "type": "eql", - "version": 106 + "version": 107 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "min_stack_version": "8.3", 
@@ -7340,11 +8516,20 @@ "version": 102 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "AWS CloudWatch Alarm Deletion", + "sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd", + "type": "query", + "version": 108 + } + }, "rule_name": "AWS CloudWatch Alarm Deletion", "sha256": "c58352df4a9adcf9259a2e3656fddae07215b10995a31acba7684366f084e0a9", "type": "query", - "version": 107 + "version": 208 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { "min_stack_version": "8.8", @@ -7363,9 +8548,9 @@ "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.3", "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "84af71d36b636e2785c85ee6e6b0dcfc90b6df18c844ba0627a5605b8aa892d5", + "sha256": "0e07c2995af6088f4c7f371ce44780cab7ffe75d215408752857ac720cea0465", "type": "eql", - "version": 104 + "version": 105 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "min_stack_version": "8.3", @@ -7377,9 +8562,9 @@ "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.3", "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "9c50c505cf44d6eec05e8c2cc96a6569c7c14b193943425c21de51abbea9e5ca", + "sha256": "11ff5b48af4c6fe451b2ce1623b1cb2cb5bb35007bef94018597f897219a10af", "type": "eql", - "version": 106 + "version": 107 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "min_stack_version": "8.3", 
@@ -7410,11 +8595,20 @@ "version": 7 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { - "min_stack_version": "8.3", + "min_stack_version": "8.10", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Suspicious Activity Reported by Okta User", + "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06", + "type": "query", + "version": 105 + } + }, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "248121396e46c80ff9a64d88848fd372e40eef61b3d43d31e6ef56a70477f392", "type": "query", - "version": 104 + "version": 205 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.3", @@ -7426,16 +8620,16 @@ "fa210b61-b627-4e5e-86f4-17e8270656ab": { "min_stack_version": "8.3", "rule_name": "Potential External Linux SSH Brute Force Detected", - "sha256": "983e0ddc1783910db137adf087a0cb74b34fbf20bf1569b9024cd5578ab1b84a", + "sha256": "fac6f9cee3f43e0193ffc987c11e25fd31bc52cf43af80e9cfabc8dc453c1812", "type": "eql", - "version": 3 + "version": 4 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "df52af5aacf36ea1a7ad6a44b6238bfd08e8feb288d0bb5d1b604d6f8cd513b2", + "sha256": "91a2395bf7620588ccb74be3c35e5550521b5efb2e5268f5e5f700def971d705", "type": "eql", - "version": 4 + "version": 5 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.3", 
@@ -7447,23 +8641,32 @@ "fac52c69-2646-4e79-89c0-fd7653461010": { "min_stack_version": "8.3", "rule_name": "Potential Disabling of AppArmor", - "sha256": "84c459fa919be715728e6f1c0a8c4ec19b8480510bb411c3b81bb72ced32586f", + "sha256": "af928c417577e8cc0260d0553a69112ffe4cce0432ff7dd3e11a6bf0e6c446d1", "type": "eql", - "version": 1 + "version": 2 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Potential Masquerading as System32 DLL", + "sha256": "44de9f686412f5ba599fbbf3c20d3d9a0e941c644469a473712133ff1293bf6d", + "type": "eql", + "version": 2 + } + }, "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "6dabae4a91d13a982c01d893b7091d39599ab9bbc1e7e88117adcf8ae0a70a40", + "sha256": "83d55181cc10cf106c86f733adfc8bcd7100be39580cbdaf2784a6237cd2f61b", "type": "eql", - "version": 1 + "version": 102 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "8.3", "rule_name": "Network Connection via Registration Utility", - "sha256": "cca4c8c4fe974be12e9a9717eb82caa9cbb509858bba01b5872ad90988772dce", + "sha256": "43bf761ed99e39883a71417804e95161874113a3d08e64e551fe474bb054586c", "type": "eql", - "version": 105 + "version": 106 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", 
@@ -7472,18 +8675,27 @@ "version": 100 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { - "min_stack_version": "8.3", + "min_stack_version": "8.9", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "AWS Configuration Recorder Stopped", + "sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4", + "type": "query", + "version": 105 + } + }, "rule_name": "AWS Configuration Recorder Stopped", "sha256": "e2cf9c3a12bd9ec52910d1a412e540d1f76113ddae474ae4fe22f81ed3aafb15", "type": "query", - "version": 104 + "version": 205 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "min_stack_version": "8.3", "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "8975d3c8774ec9437e4cd11148a51508e2c6d7f7d78d7201c4be6cfbaf0004ab", + "sha256": "d82de3a511d6f9d1fdacc568ea1f4f13dcb5c7b1923e37472627edad3bc0e244", "type": "eql", - "version": 105 + "version": 106 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", @@ -7521,12 +8733,19 @@ "type": "new_terms", "version": 207 }, + "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { + "min_stack_version": "8.3", + "rule_name": "Image Loaded with Invalid Signature", + "sha256": "cc47fed45ee058e096104f4c1d2e2068a516895cf8a9e85ab1511686b49de1ee", + "type": "eql", + "version": 1 + }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "min_stack_version": "8.3", "rule_name": "System Binary Copied and/or Moved to Suspicious Directory", - "sha256": "62b9374ecd5f2c092b1940f6dd1481f37a42f04bdda1015b7cb512ba22db08ca", + "sha256": "590ac86e1af3b8706e4cb2a69e8fdd314724e77dbb5799e8fb98370ce40c9e58", "type": "eql", - "version": 1 + "version": 2 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "min_stack_version": "8.3", 
@@ -7538,21 +8757,28 @@
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "min_stack_version": "8.3",
 "rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
- "sha256": "a8ea104f14627b5bef865394a5a80d56b351edaa5b4beea10407d3950c42f419",
+ "sha256": "7e932f33b6e1585cd992ffb8d0c475283c7c7d9e5f8480d9858165a716090f61",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "min_stack_version": "8.3",
 "rule_name": "Microsoft Windows Defender Tampering",
- "sha256": "da773bcc4a79e9c08e47654c4abaef1190bd351feb40255c17932f918361f591",
+ "sha256": "a8eff42378039fb19f5db47284f5c0fc7ac55a01a9ec1c5d9b1a664f91fff887",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Masquerading as Business App Installer",
- "sha256": "60ec14b09417f0cb76b839ac47aa592120fc5692e363f35cb28840dcb84414be",
+ "sha256": "f8fb3a902d4649dae09ebfd3622387f97612d9ce93d0c82dc28badc57bf61ae1",
+ "type": "eql",
+ "version": 2
+ },
+ "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
+ "min_stack_version": "8.3",
+ "rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
+ "sha256": "2d4dac5ee69aa01095329c1850ad5569f1d4d34fe06d5a73ef0f4fb93b1d98b7",
 "type": "eql",
 "version": 1
 },
@@ -7570,19 +8796,26 @@
 "type": "query",
 "version": 103
 },
+ "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
+ "min_stack_version": "8.9",
+ "rule_name": "Potential DGA Activity",
+ "sha256": "83e50c945d95a5c87970b0f27356a28d98589040cb7698c584b7b41c832a8c24",
+ "type": "machine_learning",
+ "version": 1
+ },
 "ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
 "min_stack_version": "8.6",
 "rule_name": "Cron Job Created or Changed by Previously Unknown Process",
- "sha256": "3f05ca34ca031232a58c6bdd28c52d7ebc9751646383323594d0514a33322443",
+ "sha256": "b1a94af889b3bd5f19d461f40cf67ebb70a8c9c19383c1c6b821e829e49477e8",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "ff4599cb-409f-4910-a239-52e4e6f532ff": {
 "min_stack_version": "8.7",
 "rule_name": "LSASS Process Access via Windows API",
- "sha256": "89aab4dd5ac4c53bd4096c632d79151c726d6991f64ad42938fde25eed6a3c8b",
+ "sha256": "592b792af644dd525e7bb61b8ba69a59219b797775997301b8ca62e5e71e03bd",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "min_stack_version": "8.3",
@@ -7601,8 +8834,8 @@
 "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
 "min_stack_version": "8.3",
 "rule_name": "Potential Sudo Token Manipulation via Process Injection",
- "sha256": "16c98c01aec6efd485063babc9daf4aef11f4c6de3c2834b877688f6326a8cb6",
+ "sha256": "7f5618048d9c9a947da0f5e7789a02590652382297e9fc2355be088f7eb8a2bf",
 "type": "eql",
- "version": 2
+ "version": 3
 }
 }
\ No newline at end of file
