Merge branch 'main' of github.com:elastic/detection-rules

This commit is contained in:
Mika Ayenson
2023-11-06 12:58:22 -06:00
1233 changed files with 22851 additions and 5187 deletions
+1 -1
@@ -6,7 +6,7 @@ on:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10'
default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11'
jobs:
pr:
+3 -2
@@ -39,6 +39,7 @@ Using the environment variable `DR_BYPASS_NOTE_VALIDATION_AND_PARSE` will bypass
Using the environment variable `DR_BYPASS_BBR_LOOKBACK_VALIDATION` will bypass the Detection Rules lookback and interval validation
on the building block rules.
Using the environment variable `DR_BYPASS_TAGS_VALIDATION` will bypass the Detection Rules Unit Tests on the `tags` field in toml files.
## Importing rules into the repo
@@ -63,7 +64,7 @@ Usage: detection_rules create-rule [OPTIONS] PATH
Options:
-c, --config FILE Rule or config file
--required-only Only prompt for required fields
-t, --rule-type [machine_learning|saved_query|query|threshold]
-t, --rule-type [machine_learning|query|threshold]
Type of rule to create
-h, --help Show this message and exit.
```
@@ -324,7 +325,7 @@ Precedence goes to the flag over the config file, so if debug is enabled in your
## Using `transform` in rule toml
A transform is any data that will be incorporated into _existing_ rule fields at build time, from within the
A transform is any data that will be incorporated into _existing_ rule fields at build time, from within the
`TOMLRuleContents.to_dict` method. _How_ to process each transform should be defined within the `Transform` class as a
method specific to the transform type.
+4 -4
@@ -140,9 +140,9 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos
threat_map = []
while click.confirm('add mitre tactic?'):
tactic = schema_prompt('mitre tactic name', type='string', enum=tactics, required=True)
tactic = schema_prompt('mitre tactic name', type='string', enum=tactics, is_required=True)
technique_ids = schema_prompt(f'technique or sub-technique IDs for {tactic}', type='array',
required=False, enum=list(matrix[tactic])) or []
is_required=False, enum=list(matrix[tactic])) or []
try:
threat_map.append(build_threat_map_entry(tactic, *technique_ids))
@@ -158,7 +158,7 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos
continue
if name == 'threshold':
contents[name] = {n: schema_prompt(f'threshold {n}', required=n in options['required'], **opts.copy())
contents[name] = {n: schema_prompt(f'threshold {n}', is_required=n in options['required'], **opts.copy())
for n, opts in options['properties'].items()}
continue
@@ -166,7 +166,7 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos
contents[name] = schema_prompt(name, value=kwargs.pop(name))
continue
result = schema_prompt(name, required=name in required_fields, **options.copy())
result = schema_prompt(name, is_required=name in required_fields, **options.copy())
if result:
if name not in required_fields and result == options.get('default', ''):
+19 -13
@@ -205,7 +205,6 @@ def bump_versions(major_release: bool, minor_release: bool, patch_release: bool,
pkg_data["name"] = f"{minor_bump.major}.{minor_bump.minor}"
pkg_data["registry_data"]["conditions"]["kibana.version"] = f"^{pkg_kibana_ver.bump_minor()}"
pkg_data["registry_data"]["version"] = str(pkg_ver.bump_minor().bump_prerelease("beta"))
pkg_data["registry_data"]["release"] = maturity
if patch_release:
latest_patch_release_ver = find_latest_integration_version("security_detection_engine",
maturity, pkg_data["name"])
@@ -537,7 +536,7 @@ def kibana_pr(ctx: click.Context, label: Tuple[str, ...], assign: Tuple[str, ...
@click.option("--token", required=True, prompt=get_github_token() is None, default=get_github_token(),
help="GitHub token to use for the PR", hide_input=True)
@click.option("--pkg-directory", "-d", help="Directory to save the package in cloned repository",
default=os.path.join("packages", "security_detection_engine"))
default=Path("packages", "security_detection_engine"))
@click.option("--base-branch", "-b", help="Base branch in target repository", default="main")
@click.option("--branch-name", "-n", help="New branch for the rules commit")
@click.option("--github-repo", "-r", help="Repository to use for the branch", default="elastic/integrations")
@@ -556,13 +555,13 @@ def integrations_pr(ctx: click.Context, local_repo: str, token: str, draft: bool
repo = client.get_repo(github_repo)
# Use elastic-package to format and lint
gopath = utils.gopath()
gopath = utils.gopath().strip("'\"")
assert gopath is not None, "$GOPATH isn't set"
err = 'elastic-package missing, run: go install github.com/elastic/elastic-package@latest and verify go bin path'
assert subprocess.check_output(['elastic-package'], stderr=subprocess.DEVNULL), err
local_repo = os.path.abspath(local_repo)
local_repo = Path(local_repo).resolve()
stack_version = Package.load_configs()["name"]
package_version = Package.load_configs()["registry_data"]["version"]
@@ -574,7 +573,7 @@ def integrations_pr(ctx: click.Context, local_repo: str, token: str, draft: bool
click.echo(f"Run {click.style('python -m detection_rules dev build-release', bold=True)} to populate", err=True)
ctx.exit(1)
if not Path(local_repo).exists():
if not local_repo.exists():
click.secho(f"{github_repo} is not present at {local_repo}.", fg="red", err=True)
ctx.exit(1)
@@ -593,7 +592,7 @@ def integrations_pr(ctx: click.Context, local_repo: str, token: str, draft: bool
git("checkout", "-b", branch_name)
# Load the changelog in memory, before it's removed. Come back for it after the PR is created
target_directory = Path(local_repo) / pkg_directory
target_directory = local_repo / pkg_directory
changelog_path = target_directory / "changelog.yml"
changelog_entries: list = yaml.safe_load(changelog_path.read_text(encoding="utf-8"))
@@ -624,13 +623,15 @@ def integrations_pr(ctx: click.Context, local_repo: str, token: str, draft: bool
def elastic_pkg(*args):
"""Run a command with $GOPATH/bin/elastic-package in the package directory."""
prev = os.path.abspath(os.getcwd())
prev = Path.cwd()
os.chdir(target_directory)
try:
return subprocess.check_call([os.path.join(gopath, "bin", "elastic-package")] + list(args))
elastic_pkg_cmd = [str(Path(gopath, "bin", "elastic-package"))]
elastic_pkg_cmd.extend(list(args))
return subprocess.check_call(elastic_pkg_cmd)
finally:
os.chdir(prev)
os.chdir(str(prev))
elastic_pkg("format")
@@ -1236,14 +1237,19 @@ def build_integration_manifests(overwrite: bool, integration: str):
@integrations_group.command('build-schemas')
@click.option('--overwrite', '-o', is_flag=True, help="Overwrite the entire integrations-schema.json.gz file")
def build_integration_schemas(overwrite: bool):
@click.option('--integration', '-i', type=str,
help="Adds a single integration schema to the integrations-schema.json.gz file")
def build_integration_schemas(overwrite: bool, integration: str):
"""Builds consolidated integrations schemas file."""
click.echo("Building integration schemas...")
start_time = time.perf_counter()
build_integrations_schemas(overwrite)
end_time = time.perf_counter()
click.echo(f"Time taken to generate schemas: {(end_time - start_time)/60:.2f} minutes")
if integration:
build_integrations_schemas(overwrite=False, integration=integration)
else:
build_integrations_schemas(overwrite=overwrite)
end_time = time.perf_counter()
click.echo(f"Time taken to generate schemas: {(end_time - start_time)/60:.2f} minutes")
@integrations_group.command('show-latest-compatible')
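Review bot: The `assert gopath is not None, "$GOPATH isn't set"` that follows the new `gopath = utils.gopath().strip("'\"")` line in `integrations_pr` can no longer fire: if `utils.gopath()` returns None the `.strip` call raises AttributeError first, and an all-quotes or empty value strips to `""`, passes the check, and leaves `elastic_pkg` invoking the relative path `bin/elastic-package` from inside the package directory after the `os.chdir`. Validate before stripping and test for emptiness rather than identity, e.g. `gopath = utils.gopath()` / `assert gopath, "$GOPATH isn't set"` / `gopath = gopath.strip("'\"")`. Since `assert` is dropped under `python -O`, a `ctx.fail("$GOPATH isn't set")` would be the sturdier guard for a click command that already uses `ctx` for its other exits. `integrations_pr` starts and ends outside the hunks shown here.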
@@ -0,0 +1,453 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query",
"saved_query",
"machine_learning",
"eql",
"threshold",
"threat_match",
"new_terms"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"author",
"description",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -0,0 +1,475 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"event_category_override": {
"min_compat": "8.0",
"type": "string"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"eql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"tiebreaker_field": {
"min_compat": "8.0",
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_field": {
"min_compat": "8.0",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"eql"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -0,0 +1,465 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"anomaly_threshold": {
"format": "integer",
"type": "number"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"license": {
"type": "string"
},
"machine_learning_job_id": {
"anyOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array"
}
]
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"machine_learning"
],
"type": "string"
}
},
"required": [
"anomaly_threshold",
"author",
"description",
"machine_learning_job_id",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -0,0 +1,516 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"new_terms": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"history_window_start": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"value": {
"description": "NewTermsFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
}
},
"required": [
"field",
"history_window_start",
"value"
],
"type": "object"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"new_terms"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"new_terms",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -0,0 +1,465 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
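Review bot: Under the `risk_score` property this schema carries `"description": "MaxSignals"`, which is the label of the separate `max_signals` field, while the `minimum: 1` / `maximum: 100` bounds on the same property are the risk-score range; the description, not the constraints, is what is wrong. The same mislabel appears in the threat_match and threshold schemas added in the next two hunks. These files look like an export of the rule schema definitions, so if that is the case the fix belongs on the type name the `risk_score` field is declared with, otherwise a re-export will reintroduce it; if they are hand-maintained, `"description": "RiskScore"` in all three places is the change.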
@@ -0,0 +1,556 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"concurrent_searches": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"items_per_search": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threat_filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"threat_index": {
"items": {
"type": "string"
},
"type": "array"
},
"threat_indicator_path": {
"type": "string"
},
"threat_language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"threat_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"entries": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"enum": [
"mapping"
],
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"type",
"value"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"entries"
],
"type": "object"
},
"type": "array"
},
"threat_query": {
"type": "string"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threat_match"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threat_index",
"threat_mapping",
"type"
],
"type": "object"
}
@@ -0,0 +1,514 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threshold": {
"additionalProperties": false,
"properties": {
"cardinality": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"field": {
"description": "CardinalityFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"type": "array"
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threshold"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threshold",
"type"
],
"type": "object"
}
@@ -132,5 +132,5 @@
"T1536": "T1578.004",
"T1547.011": "T1647"
},
"saved_date": "Mon Aug 14 13:11:43 2023"
"saved_date": "Fri Oct 13 12:24:23 2023"
}
+10
@@ -1,4 +1,9 @@
{
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"deprecation_date": "2023/09/25",
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
"stack_version": "8.3"
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"deprecation_date": "2021/04/15",
"rule_name": "TCP Port 8000 Activity to the Internet",
@@ -89,6 +94,11 @@
"rule_name": "Execution via Regsvcs/Regasm",
"stack_version": "7.14.0"
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"deprecation_date": "2023/09/25",
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"stack_version": "8.6"
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"deprecation_date": "2022/03/16",
"rule_name": "Potential PrintNightmare File Modification",
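Review bot: The two entries added in this file record `rule_name` with a `Deprecated - ` prefix (`Deprecated - Potential DNS Tunneling via Iodine` in the first hunk, `Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable` in the second), whereas every neighbouring entry stores the rule's original name, so the field now mixes two conventions. This is presumably the rule's `name` at deprecation time being copied verbatim, but a consumer that looks entries up by the original name will miss the new ones. Either strip the prefix when writing the entry, or document in the tooling that produces this file that `rule_name` is the name as it stands at deprecation time, prefix included.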
+2 -1
@@ -114,7 +114,8 @@
},
".alerts-security.*": {
"signal.rule.name": "keyword",
"kibana.alert.rule.threat.tactic.id": "keyword"
"kibana.alert.rule.threat.tactic.id": "keyword",
"kibana.alert.rule.rule_id": "keyword"
},
"logs-google_workspace*": {
"gsuite.admin": "keyword",
+9 -6
@@ -4,24 +4,27 @@ package:
maturity:
- production
log_deprecated: true
name: '8.11'
name: '8.12'
registry_data:
categories:
- security
conditions:
kibana.version: ^8.11.0
kibana.version: ^8.12.0
elastic:
subscription: basic
description: Prebuilt detection rules for Elastic Security
format_version: 1.0.0
format_version: 3.0.0
icons:
- size: 16x16
src: /img/security-logo-color-64px.svg
type: image/svg+xml
license: basic
source:
license: Elastic-2.0
name: security_detection_engine
owner:
github: elastic/protections
release: ga
type: elastic
title: Prebuilt Security Detection Rules
type: integration
version: 8.11.0-beta.0
version: 8.12.0-beta.0
release: true
+9 -4
@@ -81,11 +81,16 @@
endgame: "8.4.0"
"8.10.0":
beats: "8.9.0"
ecs: "8.9.0"
beats: "8.10.3"
ecs: "8.10.0"
endgame: "8.4.0"
"8.11.0":
beats: "8.9.0"
ecs: "8.9.0"
beats: "8.10.3"
ecs: "8.10.0"
endgame: "8.4.0"
"8.12.0":
beats: "8.10.3"
ecs: "8.10.0"
endgame: "8.4.0"
+2509 -1020
@@ -1,24 +1,33 @@
{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
"type": "query",
"version": 107
}
},
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
"sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2",
"type": "query",
"version": 105
"version": 207
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "d30c57775c5b17bd01a68c5752337e391ce2d7db5cb8aa6eccbc9a54c200c86c",
"sha256": "c12251f0ebf415936a88178bbe670516848a774c5cf3e9bc888a6a8824a0e13a",
"type": "eql",
"version": 108
"version": 109
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.3",
"rule_name": "System Shells via Services",
"sha256": "8f7269ea080f0c8f9d2257a9ed2e32139f4c2c1cd0dbc9ebf61ee83987b10d83",
"sha256": "629ee62bf64e9993225823b0969be69d7b4494d53adc0ffbcdc501745be3ab8f",
"type": "eql",
"version": 107
"version": 108
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -35,18 +44,27 @@
"version": 102
},
"015cca13-8832-49ac-a01b-a396114809f6": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d",
"sha256": "b1c8e121fb4363f74d0c8928f3335aa2f374919f5257a9f4b17483773c49f348",
"type": "query",
"version": 103
"version": 205
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Detected",
"sha256": "22c367ac24c7772c54e861eaef3c3cc0d8677b1dbecc70626f38c6ba482f1eb2",
"sha256": "6f969409e34ce2e04899c197404f8717d28ae3866797966be0653c4a3867fdc6",
"type": "threshold",
"version": 2
"version": 4
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.3",
@@ -106,12 +124,19 @@
"type": "eql",
"version": 2
},
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Executed From Host",
"sha256": "247079101b736a6f3dfb963c2106e2d5dfaf9523a631e74b57ca03fa12e6c429",
"type": "threshold",
"version": 1
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"min_stack_version": "8.3",
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "4cb2b6b77c91784f961b4347413643db618e2f27805ae42c5d6087ba7e5a9794",
"sha256": "77e56ceb38921c2a4b69d7e793e5cebe8412e613b9f767bf3e7d272f297aa00d",
"type": "query",
"version": 105
"version": 106
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"min_stack_version": "8.3",
@@ -130,9 +155,9 @@
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "242d70865b8ccc44b23dc4c85ec781e9f6de7966acae6376216fe6157df81b72",
"sha256": "900e474f07b795dfe109f252a2d4a9069cdb9a8471cde0a8e19a36b84f3797ba",
"type": "eql",
"version": 106
"version": 107
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.3",
@@ -144,30 +169,44 @@
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.3",
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "7f1bba1cf96766fe9d2d0d21e7e7d03114483ebf1d91a52bdc7a370c5751699b",
"sha256": "6df780c2019fb6ff0102a70515a5233d958c58be4522ce64b31da80680965b27",
"type": "eql",
"version": 106
"version": 107
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"min_stack_version": "8.3",
"rule_name": "Tainted Kernel Module Load",
"sha256": "a546a22d29ab39e34b84e1d2bb96312c59c8c0072948b715eea31b3cae42f3fb",
"type": "query",
"version": 1
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"min_stack_version": "8.3",
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "f31c9a7ea34568a5374ff1710793245daeb9aeb25b3a9a24e97f06a5888a0ca2",
"sha256": "e707dd532d4c099c31f5b95bdc9d237af995a146109cd6caf07576bac95509f4",
"type": "query",
"version": 105
"version": 106
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.3",
"rule_name": "Remote System Discovery Commands",
"sha256": "21369e608f88a1ea5dcd90d5365bba2e9a909fabf973ed66e37e9136f5f0699a",
"sha256": "43d5cfda7bb1c28139045da08dfbda821d56fd45af89f05a4cf932a0b7eee839",
"type": "eql",
"version": 108
"version": 109
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.3",
"rule_name": "System Time Discovery",
"sha256": "8534280f701e221bc1312804c5bf3de446a2ef36dd62d6e9bc6e3bb765c9cf76",
"sha256": "79c7e1897310a5fff8e9aa62c967679ae8fb0f6681b13c0fd66289142de0e1d6",
"type": "eql",
"version": 4
"version": 5
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Size",
"sha256": "ad214cde675085b61786dcd969409c869ca6ea48663d0b5227356ec6b1bd906e",
"type": "machine_learning",
"version": 1
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.3",
@@ -200,16 +239,16 @@
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "5839a3666d7e0133ba8b7e42ac89b59b39e750d0b97a3b3583b69c13de90129a",
"sha256": "8822c17823d2a397a734dabe9b76dc5786f7ea603e234dc22bac765c440f88ad",
"type": "threshold",
"version": 3
"version": 4
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.3",
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "a31f827db85593474e5766adaf71c535a3a5d7ce628347b6b7e606bdb261bd04",
"sha256": "89428d0f0fc36a5b1ff0704bcfaf222c5592e066c0a1179e4d851b02b8384d67",
"type": "eql",
"version": 5
"version": 6
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -258,9 +297,9 @@
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"min_stack_version": "8.3",
"rule_name": "Windows Account or Group Discovery",
"sha256": "9c4c3dc22f5ae081c7fce7c1cb6523dabdd5affb3e5b4ffce5fe00ec5dd65815",
"sha256": "bb76e59c53a0b50ac513121a9591fecea2eac83851584542c8860bb511c0785f",
"type": "eql",
"version": 2
"version": 3
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
@@ -278,9 +317,9 @@
"09443c92-46b3-45a4-8f25-383b028b258d": {
"min_stack_version": "8.3",
"rule_name": "Process Termination followed by Deletion",
"sha256": "b47a3759b8145c73009358643478d070d44505235b1c16c6282bf2925986ffaa",
"sha256": "3eef996ce0b596a8c36e90f7b072702cf85d200f1a9683ab6d81d18bf69ed5d1",
"type": "eql",
"version": 106
"version": 107
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
@@ -291,9 +330,9 @@
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"min_stack_version": "8.3",
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "094055b11724accc14288884bea8d069e3e5c1c1d32159a9b78fc9d7808cdc3a",
"sha256": "86eaafcb32b1483e8453f37ecd655c5e8c33aceb5c823ab84d86ff4a4759ca09",
"type": "eql",
"version": 1
"version": 2
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"min_stack_version": "8.3",
@@ -312,9 +351,9 @@
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "6292561dbd089951c5f89ea4611e1d54d55397b493aa93f8cdba5c3e5f7e09fa",
"sha256": "010e64048d380d35b40f806816a62483d54ed2f3cdafafd01f6d92feb6df8f79",
"type": "query",
"version": 1
"version": 3
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.3",
@@ -333,9 +372,9 @@
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"min_stack_version": "8.3",
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "cd1a313ebc7c4d9e532bb43100c4d5c06d27676750ffde616f9aec4fcb71d086",
"sha256": "c545678521c2df966a1a7b9a11ac1e9e2bb8d0acad65746d1bb12f47607f2149",
"type": "eql",
"version": 2
"version": 3
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"min_stack_version": "8.3",
@@ -391,16 +430,16 @@
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"min_stack_version": "8.3",
"rule_name": "Nping Process Activity",
"sha256": "b526d1555e13cf130c9d0129928555065e1f976d20616cd8863f9e2f7c8720e6",
"sha256": "a268355fc0423778888b7e0b1d9b8e7e5dd149344e2b5baa79b585c6189698e4",
"type": "eql",
"version": 105
"version": 106
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"min_stack_version": "8.3",
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "b2d0f5656de26bb1163ed5edbb9bf90bde8a599b310b94c0eb3e629ddc0b93a3",
"sha256": "a66ec71c96a9c0d09c09ad1d94067327b19e7db5411461bda17ce482fff03de5",
"type": "eql",
"version": 106
"version": 107
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"min_stack_version": "8.3",
@@ -435,9 +474,16 @@
}
},
"rule_name": "Potential Persistence Through Run Control Detected",
"sha256": "cd15e73bb94658d23cc9c074c1ace32b319514089fac6deb29e145d0179bb131",
"sha256": "514ea9a49add087a7f2f10f48d370ebfea15dc09db5bb9d5a908453ced80567e",
"type": "new_terms",
"version": 106
"version": 107
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"min_stack_version": "8.3",
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "ff53f0363d8f483a8cedf49e6a907968b544472e09fd83e82d1eb9b2f3b16af0",
"type": "eql",
"version": 1
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
@@ -484,30 +530,39 @@
"11013227-0301-4a8c-b150-4db924484475": {
"min_stack_version": "8.3",
"rule_name": "Abnormally Large DNS Response",
"sha256": "7ae8452448297fae3af27315e9a0cd50e7419f0dec791237656f8859df113c3f",
"sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721",
"type": "query",
"version": 104
"version": 105
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
"sha256": "6ed2244e093a1870d45df1482662e4f762ce4734090878e0a1d1a06e9675b775",
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "73bcd7b6468b86456d40fae00cecf6d091d5f5b42458d68c4ba96cb0f0304967",
"type": "eql",
"version": 105
"version": 107
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "faeaccab4b1a4766cc93a7b427cb7250df74ac218438d547281678e44d7a3cd9",
"sha256": "b0824ce814b7fa05a5a6e8d9f8f54849dd033892fd3ad5d850a4a5e2df77645b",
"type": "eql",
"version": 107
"version": 108
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Snapshot Export",
"sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Snapshot Export",
"sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7",
"sha256": "8ad9d6381bc6ad8046516f5f50cdc304ccb0958161af21a171928b95088b6b17",
"type": "query",
"version": 103
"version": 205
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
@@ -518,23 +573,32 @@
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "f455fef003011587f2e1a56fce94b03276f7155952af5cd091a8eadf88a62e68",
"sha256": "d41a56fd39249f9a8ecaea4b7739a996efe8bbd66aa4165345951de99ac2d102",
"type": "query",
"version": 7
"version": 8
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.3",
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "8614adabfa74ea56500abff063edfd0fab24a93e560df2fdfd68d3a60b78fa10",
"sha256": "f48869c0c1a7667d8c8a24d78167a2e33fa2e5db8b4d71bbab951f29a6571875",
"type": "eql",
"version": 107
"version": 108
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f",
"sha256": "ee7d0fde7179ecae486163263d6baf71e90dd5e6048b4db1674a4d4eff6f2975",
"type": "query",
"version": 103
"version": 205
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
@@ -542,6 +606,13 @@
"type": "query",
"version": 100
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "dce0a6166ccdba29ec3a03d3fbd91c615057e7615daa7020e5a488304719aa3d",
"type": "machine_learning",
"version": 1
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
@@ -606,9 +677,9 @@
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "fcf12be61708b748f14f6ae118e930f2c5ebf65992bc3df225f66c5dad6ed0b6",
"sha256": "91ce748803215def5fc3e0a13c3061c7a533494b7bfd86f66b778586a56f4ee9",
"type": "eql",
"version": 106
"version": 107
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.3",
@@ -630,6 +701,13 @@
"type": "query",
"version": 100
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
"sha256": "2841e9117fd834df97cee4f6d7220cf2c5296a604b9e73f4477e8206eb7f78b3",
"type": "eql",
"version": 1
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"min_stack_version": "8.3",
"rule_name": "Azure External Guest User Invitation",
@@ -640,16 +718,16 @@
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"min_stack_version": "8.3",
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "54422260766b12b7477aec8acb27085b1eae0a36285553d26e5730bce422e7a9",
"sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214",
"type": "query",
"version": 102
"version": 103
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"min_stack_version": "8.3",
"rule_name": "Office Test Registry Persistence",
"sha256": "2a26bc9292902c92d9bc73a14ff7e20ffa9c0904b209692b1e8e23bd32c88fb3",
"sha256": "dfc7bc44c6f6d34fee6331a065d25992ba9f2cb18ddddf1d91a9c581eb4f15b8",
"type": "eql",
"version": 1
"version": 2
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -670,16 +748,23 @@
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "afca97139ffb2af012ea212958cd4118f14e183943e7c030e5ac45d06a430450",
"sha256": "02cd614602c0740f432c413ad474d41900748740202d7ffd5f6103b3096ff544",
"type": "eql",
"version": 104
"version": 105
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"min_stack_version": "8.3",
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "395e463813d0cad1e718f84d5a13a564016c82b69dcfd8027af981c0ec07cc2f",
"type": "eql",
"version": 1
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "17c01410a2573124cf140a518366b8a585209a201bfee33b5f7d855fa9b07e2c",
"sha256": "2f29328dabd08f923a8df391ea35c8ea653ed3968d056d71b05ae11f402b17c9",
"type": "query",
"version": 107
"version": 108
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.3",
@@ -717,18 +802,27 @@
"version": 104
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS IAM Group Creation",
"sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c",
"type": "query",
"version": 105
}
},
"rule_name": "AWS IAM Group Creation",
"sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c",
"sha256": "b97182b40fec27cf6728746f838be74ee2cf5ebee183fc5d0f6eaf338b7d90a3",
"type": "query",
"version": 103
"version": 205
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"min_stack_version": "8.3",
"rule_name": "Component Object Model Hijacking",
"sha256": "436bc1aff82273c9504f7df46a2ce3c1653d4dd9864c1580f5ecb99a74c6e3cf",
"sha256": "6f7e78b34dbd113748d1850790a473327c1ae2f910eaed28ea59e14871d611f2",
"type": "eql",
"version": 107
"version": 108
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.3",
@@ -775,9 +869,9 @@
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Service Created by Previously Unknown Process",
"sha256": "bd8754496ad2a53571780aab55b02d8dbe4aa20329da96a586b6f81cb7fecdf8",
"sha256": "4ee6af63081a009901c6f3b4f3f314e8c3dbe15dd4d5751b7c5536708cc01fed",
"type": "new_terms",
"version": 4
"version": 5
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.3",
@@ -806,19 +900,42 @@
"type": "eql",
"version": 100
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "92faf5914bec5a5a185f949112f5ff576d15fd69a5f405d73697602768830d77",
"type": "machine_learning",
"version": 1
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "1169776f997d618e40607bc71cdd85c338f7c14f158c845f3ab3ab48922d23f4",
"sha256": "f58eb1cacf84d92e06f41776bcc67711b803714568ae64ad82e907c980a3c4d5",
"type": "eql",
"version": 1
"version": 2
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Rare AWS Error Code",
"sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Rare AWS Error Code",
"sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d",
"sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec",
"type": "machine_learning",
"version": 106
"version": 208
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "c3869d7536ca507bf986047bad80507a729751302776f5a258810c9a9814c2de",
"type": "machine_learning",
"version": 1
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"min_stack_version": "8.8",
@@ -842,11 +959,20 @@
"version": 106
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0",
"sha256": "dd01a147a8898a4f6c696c83a4c436bf0325ab7552a03039d7cd71ff0b6c00dc",
"type": "query",
"version": 106
"version": 208
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.3",
@@ -858,23 +984,39 @@
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"min_stack_version": "8.3",
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "68f0d73167458fd1589c365cfb07d8bdf9d49e3368435dd8ad08d5eda2d180a4",
"sha256": "aae5d1cb44fafff6fe643a706d5eef8d83794dfae46ea638507259cb2c9bb041",
"type": "eql",
"version": 104
"version": 105
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c",
"type": "query",
"version": 105
}
},
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c",
"sha256": "95e2cb6322ef7b2d7bc2fc96460cbfcb4c76f0eb17351a134c783936996adab0",
"type": "query",
"version": 103
"version": 205
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"min_stack_version": "8.3",
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "8b67ccd035342354a2698b9006811320c186cc7a6caebc0aaff26698e08a45bd",
"sha256": "0b4cbcadf42c525059f293cf8894de62f587e228878dfc70d1d6aafdfebaa221",
"type": "eql",
"version": 7
"version": 8
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Injection from Malicious Document",
"sha256": "585cc415f1c54e220db615a5f052321909100ebc7b9e63b944e6b19a6a4e6404",
"type": "eql",
"version": 1
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"min_stack_version": "8.3",
@@ -886,9 +1028,9 @@
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "3113571e7885f573582d119f9e0905d33369509446e7a2729497380f27d3d077",
"sha256": "d5fac2c07f8912a7aeb5987420d21df972ba3bcfda92b5c66438a6f37625e973",
"type": "eql",
"version": 108
"version": 109
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"min_stack_version": "8.3",
@@ -897,6 +1039,13 @@
"type": "query",
"version": 102
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"min_stack_version": "8.3",
"rule_name": "New GitHub App Installed",
"sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe",
"type": "eql",
"version": 1
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via WinRM Remote Shell",
@@ -907,16 +1056,16 @@
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "6e10cd53c6b8fef5635f3e97892648c45c1ef8219958c3ad9af076a08f6788b7",
"sha256": "9b721a8bd708e3ba1c854f032771bd1fa175535e5dc546a07be290e5c156c6d3",
"type": "eql",
"version": 107
"version": 108
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"min_stack_version": "8.3",
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "b1a5f097c5ad6885bbd55d4375fd72cfc09507c502321b80aec6edfe33bc3a75",
"sha256": "d08e975b8630d786933967d9de847dfbdd6fc6a5447715691a1a27ee3b22198a",
"type": "eql",
"version": 106
"version": 107
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"min_stack_version": "8.3",
@@ -928,9 +1077,9 @@
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "cbdda8fa4a7ee1ebd5708a3bcc4aaf50947d560339f8f8c45effe6f0e8309a64",
"sha256": "09504eee0ca293aed720134b083bcf30791788c02f630b563bfb73e34fe17918",
"type": "eql",
"version": 104
"version": 105
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"min_stack_version": "8.4",
@@ -946,12 +1095,19 @@
"type": "eql",
"version": 106
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "1d7ffe0b0cb484baa86ed92a884c1b7c1ed28b7a8d3591393beaf14d5ffe7fc4",
"type": "eql",
"version": 1
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "3dccbfd612147d0714339a1a2d6ad16efe695f6d5d9ea764a595cec716beff1b",
"sha256": "e1abdaaaa56dcd60699f61e183b6ee3d637065363a4aef48e49785d0f3d52a12",
"type": "query",
"version": 2
"version": 3
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"min_stack_version": "8.3",
@@ -998,9 +1154,9 @@
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "f14eab4a7143c53fcd49fb00bb945fe9f86c0db1e63ad3b4fd1ceced47e484f1",
"sha256": "6005266947232b8c8285b53252c0a3aceb08713658436d0aa268fd92aaa462f0",
"type": "eql",
"version": 107
"version": 108
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"min_stack_version": "8.3",
@@ -1012,9 +1168,9 @@
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.3",
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "838a9d840a2c93100aa9faf4b4291f9c968db9e541f1cf59807bd041b0d88a94",
"sha256": "94fec9b0c4fecdb1ba512be811459a1cae6d7efcac880fc5d63a308a8f87be8b",
"type": "eql",
"version": 106
"version": 107
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.3",
@@ -1024,11 +1180,20 @@
"version": 106
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465",
"sha256": "7512cf97f8885a42febe293ecc8c04d77f6369d4ba87372fcd3ef38a204f9af3",
"type": "query",
"version": 103
"version": 205
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"min_stack_version": "8.3",
@@ -1079,11 +1244,20 @@
"version": 5
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c",
"type": "query",
"version": 104
}
},
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c",
"type": "query",
"version": 104
"sha256": "005f7835fa070f7f885e2383bf737e042e166aa86438d213922d52e82ff0cd91",
"type": "new_terms",
"version": 204
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"min_stack_version": "8.3",
@@ -1093,11 +1267,20 @@
"version": 107
},
"227dc608-e558-43d9-b521-150772250bae": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17",
"type": "query",
"version": 106
}
},
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17",
"sha256": "7804226b0da1b8d6dde3bbfed024feab1da6c23e091dfa55852b50309f4dd9fe",
"type": "query",
"version": 104
"version": 206
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"min_stack_version": "8.3",
@@ -1115,24 +1298,45 @@
},
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"min_stack_version": "8.3",
"rule_name": "Kernel module load via insmod",
"sha256": "716b6003b6a1bbcec145bd5ccdfc5283a40c843dc12fc82ff75fd26cc67b5b7c",
"rule_name": "Kernel Module Load via insmod",
"sha256": "4c816b9ebae8561e4197ef52689ef05de8036037dc74de66afdae2a9aa6a2845",
"type": "eql",
"version": 105
"version": 106
},
"2377946d-0f01-4957-8812-6878985f515d": {
"min_stack_version": "8.9",
"rule_name": "Remote File Creation on a Sensitive Directory",
"sha256": "d175835a59f26f5a7a7607eec8ec9be98bff92a092fcb817859b99170ad0ddd6",
"type": "eql",
"version": 1
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"min_stack_version": "8.3",
"rule_name": "New GitHub Owner Added",
"sha256": "360c844a728a8074f32947d9ad6d1b26d414b7aafe87847d5b92dc546b8931f5",
"type": "eql",
"version": 1
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "9567e972186b39d9f4d1a378dfb482b40eae9cc129ee8c83562223fb8f1a9a3a",
"sha256": "7eb4bab3a9d22066a5b70d36c5d06224bd14bf207e4152a20a04bd323f5fc06a",
"type": "eql",
"version": 104
"version": 105
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "98913787308b752f32b96a1d2e394c59c7a0c880b2caa632f30c81842f2cb0c9",
"type": "eql",
"version": 2
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "8bd9e051e381430287850aac140060e1c4eb55636e83ae0d010d241069f208cb",
"sha256": "15d66149f0f83ab636bbca6591b3cda98a98989d4e8cbca69c06725499d7fd2e",
"type": "eql",
"version": 2
"version": 3
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"min_stack_version": "8.3",
@@ -1144,9 +1348,9 @@
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "158c5a76f4a4ff8441aa5189db7ca3f8677a210f01a9023decd1732862ef8f46",
"sha256": "0f3875681feabc9889f6f06cf0687e0b3f367b347f46f58fe88448b97c69821c",
"type": "eql",
"version": 107
"version": 108
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"min_stack_version": "8.3",
@@ -1172,9 +1376,9 @@
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "2173b0cc2bec6028b91c5b9a051908ca9d6ea87cae8c881a23622b6239e85eee",
"sha256": "2a8ff80cbf124d75571a8831f389c7e67129f89c0f2d1b512133a48bbf0d3478",
"type": "query",
"version": 2
"version": 3
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"min_stack_version": "8.3",
@@ -1186,9 +1390,9 @@
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "ed68bcf2e292ec89f9e8f578e9e4847812fd4177fa242725286c16db53ff03e0",
"sha256": "06a344a111e75594161e3a08c78be77d29fd146dec8b6ce48d5cc9330a9166f1",
"type": "eql",
"version": 106
"version": 107
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"min_stack_version": "8.3",
@@ -1207,16 +1411,16 @@
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.3",
"rule_name": "Account Password Reset Remotely",
"sha256": "4e81da588d72ce375e5c9d046ebc2d09776070111a26ad970d2a12b048741c4d",
"sha256": "f21f7b41b32d1c07a79ab7a9be75729b18a0dff1cf744238f305d04f3a862ea6",
"type": "eql",
"version": 106
"version": 107
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "8ba669048ae42b7afd8f153bbae5a1b181f3d070db1241c38c847c1fe4dae0e1",
"sha256": "900b6c0dcc73edd29b7f8b445d08d37da743dcd1e18c5a8cc4a545be1c9e4c72",
"type": "eql",
"version": 106
"version": 107
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"min_stack_version": "8.3",
@@ -1228,9 +1432,9 @@
"28738f9f-7427-4d23-bc69-756708b5f624": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "6d8b1a876a2e1ce2967be858e2e4cfecd82d84c47b08d8e33c72e22725073eb2",
"sha256": "29566bc20e44999833de4b93b85e993bbca41d4c16ca41f5fe01ea80ad52937a",
"type": "eql",
"version": 5
"version": 6
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
@@ -1241,37 +1445,62 @@
"28d39238-0c01-420a-b77a-24e5a7378663": {
"min_stack_version": "8.3",
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "ea5c6d696a82dd4d7d63fb04dd726e8b1fb33ac4622151663d19d31ef7a99a67",
"sha256": "765e6c39bbdfecbbfd3ffa1a44b4838d06c295b53d4b73143316ec99c8b3550b",
"type": "eql",
"version": 2
"version": 3
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67",
"sha256": "f057a319aa5b049290fa8416727ae3ef64bb9ac7779901a61713efe9acef57da",
"type": "query",
"version": 103
"version": 205
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "47309853f13ad591cfcbb60814b5c1a7c731abfc3f5349fbb5e9acb25b347134",
"sha256": "a6231a8bcd050f72676f997117e09ea1f8873a178971237eb2b54404906f0c95",
"type": "eql",
"version": 107
"version": 108
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.3",
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "e1d3e0942816bd8564b7abde73127790f145ce3332346d041fbc1e0421600524",
"sha256": "13c2fcb9dbaf1339d3e3b7e5fa159bc1a2875aee235776f1bb13518d49a8d738",
"type": "eql",
"version": 106
"version": 107
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3",
"type": "eql",
"version": 108
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3",
"type": "eql",
"version": 108
"sha256": "6f6f6175fa206cf7e0c3a47488388561ee39b49bc0b1f18f6baede4fe3ded355",
"type": "new_terms",
"version": 208
},
"29ef5686-9b93-433e-91b5-683911094698": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
"sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342",
"type": "new_terms",
"version": 1
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"min_stack_version": "8.3",
@@ -1283,9 +1512,9 @@
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"min_stack_version": "8.3",
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "2f246e33c5b5318512de95d017377941e955a43a607619340a1ee900353ca612",
"sha256": "8dd9f5b2abfa297105040ebfc4e441af646a5bec20f8ee97a6856351c8e1f99b",
"type": "eql",
"version": 3
"version": 4
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"min_stack_version": "8.4",
@@ -1306,16 +1535,16 @@
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"min_stack_version": "8.5",
"rule_name": "ESXI Discovery via Grep",
"sha256": "8193724c74f8c3bda981c1ea69c1775177c530e3a5d30e2387577bd4abaa66f2",
"sha256": "01993ae1314c912204f7b87a0999c27cd2861f56a7a0b766dd0bbe4119dc0c9f",
"type": "eql",
"version": 3
"version": 4
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.3",
"rule_name": "Adobe Hijack Persistence",
"sha256": "9aeae912e062be1da7e7f26a9a5cb726d945ce4bba3c5b040a131c5636920a59",
"sha256": "6c4da0a89fa984f5f93fd0fa33b26bc6bee17987271ce73792eb19e342bd9289",
"type": "eql",
"version": 107
"version": 108
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.3",
@@ -1343,9 +1572,9 @@
}
},
"rule_name": "Enumeration of Kernel Modules",
"sha256": "e66fa90d3d617373ae52b10b1487f5d53b35fea7e11bf4371ccaf37fe0782482",
"sha256": "2fa255256633606f39637f99e60437fd03db8f4721370c5cefa5c65857661e01",
"type": "new_terms",
"version": 205
"version": 206
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.8",
@@ -1359,9 +1588,16 @@
}
},
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "df14ef4e07fceb0c56c6aa4890c718fa6bd9c54adc900f5bf264727e7a7c0d37",
"sha256": "2c9cb831e23495341a51736efbfd144c71ae76cd1e9219fdc2078d70cdbc0407",
"type": "eql",
"version": 208
"version": 209
},
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
"sha256": "2235a3c31df521f4cbbff7cf12df793eb343d389777cc8851c382a1434bef647",
"type": "eql",
"version": 1
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"min_stack_version": "8.3",
@@ -1387,9 +1623,9 @@
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "58530124be115763c6110e3c32f34e5fc8c70fa063e74e97252e3dcccc45a1f0",
"sha256": "3921a45db23fa07aa23f52a05c6cc6645307b5795c62c52f1ab0e7119b93182b",
"type": "query",
"version": 107
"version": 108
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"min_stack_version": "8.3",
@@ -1401,9 +1637,9 @@
"2e580225-2a58-48ef-938b-572933be06fe": {
"min_stack_version": "8.3",
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "09e550845fb86206a91ec5d634e2a5427e344a491c0c76e59a66b6f4a4d4f99e",
"sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174",
"type": "query",
"version": 102
"version": 104
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.3",
@@ -1422,30 +1658,37 @@
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "ec46e116c1fd77711b1cc1c49189cb9495b50a6d18e577cd1d5214de5233c641",
"sha256": "65b15ece2e91066379c4bf4c8646bde0a3f995c713d228332c5ef3af665e3c0d",
"type": "query",
"version": 107
"version": 108
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "2a77643c47329e2c910e5c86d8c3b2f0cf2b93527ad5bc129d7e614c07ba6369",
"sha256": "bdea522d5730e3c4d4239717173a709ebc5ff118296edbcb70faeb3e62cdcc0d",
"type": "eql",
"version": 106
"version": 107
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"min_stack_version": "8.3",
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "2164ee6d1c3cd39e214f6c965e6cbd0a1dd158e51dd0d883fe83d6915d5f4621",
"sha256": "c77de421e7a60ec97356465d4a834fc49fed6b0b7ae28debbac3786b07459d62",
"type": "eql",
"version": 107
"version": 108
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "414eb4b19b8f79b0c86119bc090d5a342e45837af770df8d3365d3ab81bf5036",
"sha256": "1e95c5544b74d84ae96e15fafa7f0ffb9e564fa1552c02adbdf2d0bb9e68e7a3",
"type": "eql",
"version": 106
"version": 107
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"min_stack_version": "8.9",
"rule_name": "Malicious Remote File Creation",
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"min_stack_version": "8.3",
@@ -1457,9 +1700,9 @@
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"min_stack_version": "8.5",
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "9375d07c27d373fae95ace527be0d4a8117abd263b43adfb31536459bda562a9",
"sha256": "7f96205f8ffdfb7be7c57a34dbdf149f99a13961e1477d17815ad48f85b7bdc0",
"type": "eql",
"version": 3
"version": 4
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"min_stack_version": "8.3",
@@ -1471,16 +1714,16 @@
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"min_stack_version": "8.3",
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "394278b77c3a54380ee197c9763706f2e530452d5b564a4c0d6b14137d57f87e",
"sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446",
"type": "query",
"version": 102
"version": 104
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.3",
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "c52ce2472b85ca6486fe8ffef36ba98c35db8cd02a58a3e00cbdfbe6448fa7e7",
"sha256": "2ca2ed5d2836beb7bbbfd48b039b171774baba1b8995a88ab16943fbbb170fa9",
"type": "eql",
"version": 107
"version": 108
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"min_stack_version": "8.3",
@@ -1499,9 +1742,9 @@
"32923416-763a-4531-bb35-f33b9232ecdb": {
"min_stack_version": "8.3",
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "f989ae55a6fdc1e9c9a11c92fd231aa626b1bb662b0a119d8f5cae8d3c0f3577",
"sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea",
"type": "query",
"version": 102
"version": 103
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.3",
@@ -1513,23 +1756,32 @@
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "bfcb1a92ded4fab88e6d4e463b78405b82e80e00b2b0e1260ba1ff8164ac01dd",
"sha256": "dfea65085c4b690895eb691760b4a9025da59cecbf5c4ff242c26713ede0bb2c",
"type": "eql",
"version": 106
"version": 107
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM User Addition to Group",
"sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d",
"type": "query",
"version": 108
}
},
"rule_name": "AWS IAM User Addition to Group",
"sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d",
"sha256": "e6dc79527703135b1ce027a5d88baa39dd4c3512d0a5f56a036b8a27eab4ee81",
"type": "query",
"version": 106
"version": 208
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"min_stack_version": "8.5",
"rule_name": "ESXI Discovery via Find",
"sha256": "9d95402d5a02b1571ef1d3e5ad966c19fd3cbeff7b5fa58198ac9151e1923ba0",
"sha256": "f71d1a0fc2a3a9498c1c07bb8d19631c82ed04d6216b650b39cf5c767ccd0ea4",
"type": "eql",
"version": 3
"version": 4
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"min_stack_version": "8.3",
@@ -1555,9 +1807,9 @@
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"min_stack_version": "8.3",
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "6fde829b7083578ace3bcf3cb7d8c73a7cc94241c0a398fbc0d6b2ccf1f46505",
"sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1",
"type": "query",
"version": 103
"version": 104
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"min_stack_version": "8.3",
@@ -1569,9 +1821,16 @@
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.3",
"rule_name": "Port Forwarding Rule Addition",
"sha256": "83831c2c3a4be02d59440da6f570b9d7e7064ecf5fa6df5565f36e68b68cd2ce",
"sha256": "2ec830c30a80eba9d2bfb5dc78d0ce64e7eb8f66ea2f8266e666d077fa916852",
"type": "eql",
"version": 106
"version": 107
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"min_stack_version": "8.9",
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "a8debadb004c9ca04fb7f3321cd45dc0ad8f93d6437be72cbbc5d09b84382fd1",
"type": "machine_learning",
"version": 1
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.3",
@@ -1596,30 +1855,46 @@
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "b4e738c5be1bba9711b183dd54a22a8c10aec54e4a5310352cc7ac4ad24b9af1",
"sha256": "cafe78e9310f27ba8cdcfb8fbc318a1a2f55223679ea3d91c3a0877dd578b7d3",
"type": "eql",
"version": 106
"version": 107
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.3",
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "2684dc4258fdff2568772c371afcba2729e543adeac05d5e8fbad36f45417fec",
"sha256": "dabff5221c0b2f406165374af490dcdb04a568295196b805962ea4b2e88e734e",
"type": "eql",
"version": 104
"version": 105
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"min_stack_version": "8.9",
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "43e809e5064a205d0a1e107068d372415cecef22a677dc5acb3bd91b754772b5",
"type": "machine_learning",
"version": 1
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious File Edit",
"sha256": "46076a578186ec461ee06fdb94def49ec0f94300cea3bd8364ebfc75895b65ae",
"sha256": "0f9b9c003bc39253a948a9da6d7c5b5263d9d1dc3c73abf730550e6c0c3ff687",
"type": "eql",
"version": 2
"version": 3
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Security Group Creation",
"sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Security Group Creation",
"sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a",
"sha256": "6ed9dc7097e846293dbf822a322406b46fcbd9d6642245a4dfbc73aabd62537b",
"type": "query",
"version": 103
"version": 205
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"min_stack_version": "8.3",
@@ -1635,11 +1910,20 @@
"version": 100
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Execution via System Manager",
"sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Execution via System Manager",
"sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60",
"sha256": "f01c87073629652bd0f1abe3f300881145bb533a262308717ffcc0bab17a3dd0",
"type": "query",
"version": 106
"version": 208
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.3",
@@ -1649,11 +1933,20 @@
"version": 104
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2",
"type": "query",
"version": 107
}
},
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2",
"sha256": "6873fd08617e0efde5dccf424aacbfe7057877288810c2ed68293f795964241b",
"type": "query",
"version": 105
"version": 207
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.3",
@@ -1684,11 +1977,20 @@
"version": 2
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4",
"sha256": "ad7864116d4d41fba90af76f8325d2a86358ed55b0b9be7204d8983cc62b2614",
"type": "query",
"version": 103
"version": 205
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"min_stack_version": "8.3",
@@ -1707,9 +2009,9 @@
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.3",
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "fd0213ea9905c71a65f94da36a92164a378cd8232856a0ac441ae9f7d49fb108",
"sha256": "fb96d295d12b3d405dc93ad509f792885c4e32bb760c7518b005755a6ad6acb4",
"type": "threshold",
"version": 106
"version": 107
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"min_stack_version": "8.3",
@@ -1727,9 +2029,9 @@
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"min_stack_version": "8.3",
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "f452215a79041dee079474e59d224d2fb4c3c03ed44830b5e5d36e4d1ab89007",
"sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3",
"type": "query",
"version": 103
"version": 104
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"min_stack_version": "8.3",
@@ -1755,9 +2057,9 @@
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.3",
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "cd3c9afd05e54eb93da83e2d90065582aaad08ee77a94fae48f952f89c46e626",
"sha256": "691edf20cc218616ece6013dbbfe102d01c87c91cfd3bd49ea126eb3830c5982",
"type": "eql",
"version": 106
"version": 107
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"min_stack_version": "8.3",
@@ -1769,16 +2071,32 @@
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "26c1661135e8af69b7d550fd193137f635de465260e8fd9c383708024444180c",
"sha256": "ad925532e35677e84cb73970b142002377617338f4574eb6ca4dbd7bfcdb37a7",
"type": "query",
"version": 1
"version": 2
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99",
"sha256": "889bfc3e221a4919949c2b2fab1b12ee9a96a75c27e1e249c243318f7bd81063",
"type": "query",
"version": 106
"version": 208
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "d02ca6fa6392da7a7d8757ae5757e04feb7e340f9b58af698935f60f077e5b80",
"type": "machine_learning",
"version": 1
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.3",
@@ -1794,6 +2112,13 @@
"type": "eql",
"version": 104
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "1d20b245f40477327dbf43e563d8a93eca7531b9c1fa4649a0e9692d0eb33b01",
"type": "eql",
"version": 1
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
@@ -1834,16 +2159,16 @@
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "337011e93c02efa090b9a19745d82c3d58fd18bee555ff69edaff5e9ff1466b7",
"sha256": "2bc6f32144a2b110dfc14493dc5930b3aa2c23ca7d00b46924c2643ac2d73c45",
"type": "eql",
"version": 1
"version": 2
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "b3aad2bca92e5e1acd788cfd14d9606aa4b803a48bf303ad37e210739fec9d24",
"sha256": "511ca509d7faf58b68373d12932edd1aef607c53de1314647b3764b976fb35fe",
"type": "eql",
"version": 106
"version": 107
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"min_stack_version": "8.3",
@@ -1852,26 +2177,56 @@
"type": "eql",
"version": 2
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"min_stack_version": "8.9",
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "649d4962dc3c27de65026dd648d4e7b0e8285a58920fe69e4994449af66eac61",
"type": "machine_learning",
"version": 1
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a User",
"sha256": "76ae6142111e83c98205115ae9df5b7be5f1c79187429dbf5dba2f51c0cdb4d6",
"type": "machine_learning",
"version": 1
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.3",
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "5bb822cc67b9581124c21c5f4abb213946ce935b1c3f3ca248d1c2fcd9ce54e6",
"sha256": "0f9c30762b9d866395af98426eb9a784abbf168110167161bb7302fc4402a8dc",
"type": "eql",
"version": 104
"version": 105
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Suspicious Modprobe File Event",
"sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Modprobe File Event",
"sha256": "db18497df8258d667278d17da2d21dadbc1c81dedbd75ddcbb22e91e172a8c1c",
"sha256": "c6ccd9c0ba411da8142f15ca71dd04dca27e1ec82b527324439621b449f4812d",
"type": "new_terms",
"version": 103
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"min_stack_version": "8.3",
"rule_name": "Unix Socket Connection",
"sha256": "38561d8ce173227b49b1459ae11d38bfba76385fa68298e1ddb7b8603d57a8b6",
"type": "eql",
"version": 3
"version": 1
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.3",
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "adeea0cfa04ee8759f832217f19f0ce3d6952e72c717c271909ab099034c8659",
"sha256": "1de1e9aa9030d56c6c6629cd92e3ba65d61bfc9063b76ea2abe412899a224d3f",
"type": "eql",
"version": 106
"version": 107
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"min_stack_version": "8.3",
@@ -1895,11 +2250,20 @@
"version": 2
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "9ecdb590d2df1959b2b11908911f24308925c345cce10b0370721afd09a2196e",
"type": "threshold",
"version": 107
}
},
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "9ecdb590d2df1959b2b11908911f24308925c345cce10b0370721afd09a2196e",
"sha256": "60954a70897438ce1627fe0aab388688a6c189b04e7eca5543e0c450283c029b",
"type": "threshold",
"version": 105
"version": 207
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.3",
@@ -1925,9 +2289,9 @@
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"min_stack_version": "8.3",
"rule_name": "Linux User Added to Privileged Group",
"sha256": "a48dc7ec63791f8c62b58bfbca37d6765b39621454d2720ac839e13758d02adb",
"sha256": "3730f04f7a829d9ca0f149c00ebd1c6cd07226bad5915f6295d82656e40bf5f8",
"type": "eql",
"version": 3
"version": 4
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"min_stack_version": "8.3",
@@ -1946,9 +2310,9 @@
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "d3d1985a8512a777f4738794f03380c077f3c84594acd1aefdf22211a59bfba8",
"sha256": "ed65c5d1379b83e560f4fa24ff1f51887de783c7e8f3fc329b717a14700a859c",
"type": "eql",
"version": 1
"version": 2
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.3",
@@ -1974,23 +2338,23 @@
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.3",
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "a8e0ecc0284175dcd1f57756fc03477d87d4fecfee80397c01f1490f52ed9b66",
"sha256": "576f44e57f57bcc5a260380c704c2c253b9f8fcefa472e5b4339b0e138c9112b",
"type": "eql",
"version": 107
"version": 108
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.3",
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "99fb4c9799becbcb9eaf99a6b9a8c21d74415d2a27790c5e52798590df285c07",
"sha256": "5b1155c651c8cba197b8525501a76da112e7941889fa0a8b5b0e27caf1105deb",
"type": "eql",
"version": 108
"version": 109
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"min_stack_version": "8.3",
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "3df00646c1daf36bfe94ebc4e75150121576981877aeb3d5d6c17fc11bb6fb2b",
"sha256": "990b886b92cb87798246a158ca46bf1b61eb1ac09d2e34d3744dee85300efb72",
"type": "eql",
"version": 106
"version": 107
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"min_stack_version": "8.3",
@@ -2002,9 +2366,9 @@
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through init.d Detected",
"sha256": "ec686d5f69b96d1fefa61938439b2be36a7d62b6ec9a5277294454b9d21f090c",
"sha256": "c231805a854c98302dcc5c774688217904e4960a000e193bb04158fac9a0b743",
"type": "new_terms",
"version": 5
"version": 6
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"min_stack_version": "8.8",
@@ -2016,9 +2380,9 @@
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "5c400174c733b48a59cb568595f1b992705473fc85698c48a5006a770c99ddb6",
"sha256": "264b7c418b25b248ad38bc172ac651d639a720a652fba044e02596419b889ef5",
"type": "eql",
"version": 107
"version": 108
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
@@ -2036,9 +2400,9 @@
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "bbe5ae3b8a285ccb4c26e9a210d268966a5996803f54073b159507458f48ee7b",
"sha256": "99db297efd0e9e1c456c8eaddae105366196554aa82301813ee7a4aba19911cd",
"type": "eql",
"version": 104
"version": 105
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"min_stack_version": "8.6",
@@ -2050,9 +2414,9 @@
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell",
"sha256": "f29f06799ee7b6289d2ba8ffcd4908551efa144016a33e8eaa47b94f2370da97",
"sha256": "b10222772b435ef7d9cf4dfa4b50a492a7900cc176fdf11e901159c69d62d2b8",
"type": "eql",
"version": 4
"version": 5
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.3",
@@ -2075,6 +2439,13 @@
"type": "query",
"version": 104
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"min_stack_version": "8.3",
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "19961cd9171e3ef5204e98314fdf573ac68e28c6ab1c5e91b5f1d71c919ea7db",
"type": "eql",
"version": 1
},
"493834ca-f861-414c-8602-150d5505b777": {
"min_stack_version": "8.3",
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
@@ -2085,9 +2456,9 @@
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "eb9cf2a2df73743755d82c3d776ba2ffd7f17ef1773d32e3def0fb2fd6c50988",
"sha256": "333fc1776029a4e23f0c6df62d3370c335760abb4aa501be982831e2e71341d7",
"type": "eql",
"version": 3
"version": 4
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -2108,30 +2479,30 @@
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"min_stack_version": "8.6",
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"sha256": "b29c0c0615f8cdfe01647648349a42a142712d082bff8d986549ed7b4956c0d7",
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
"type": "eql",
"version": 2
"version": 3
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"min_stack_version": "8.3",
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "0f03ec3cf254ddaf2fb897452085888fda783e6d3394923b04505ac968500d17",
"sha256": "37099aca1b1bdce63f77e75103ff60a0d61898af8036c43eaa2f4d672bd326dd",
"type": "eql",
"version": 2
"version": 3
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"min_stack_version": "8.3",
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "4fbdf3bd4ba58ab5558059d13784148c40f700fc0726f9df2b88d02dcd301625",
"sha256": "599489e4a0c4b02a7717d928a5881b6281d1362970adb1074d5362a33c45444b",
"type": "query",
"version": 102
"version": 104
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"min_stack_version": "8.3",
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "8a3258a1db6d86b53f94205b24cc30b455508da7981acdcec7d44df34131b612",
"sha256": "42573412f6b2d0083dfd8c9fc5945f654cc818d4cea60939076a6cf5967a2b7d",
"type": "eql",
"version": 2
"version": 3
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"min_stack_version": "8.3",
@@ -2142,10 +2513,10 @@
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Parent Process",
"sha256": "92665fcb5d7f54bd4531c913e33b9cd692aa92cf5ee65941d69c6c2a0aa5c260",
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"sha256": "c71a551642317ffccfbd85c414cc689e14d3a2deea09251aa8ac9895963bb204",
"type": "eql",
"version": 4
"version": 5
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.3",
@@ -2168,6 +2539,13 @@
"type": "eql",
"version": 1
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "89378fe5870a5d6d2e956d464c722bdba8845495639f22082cb218dfe9c4fbf0",
"type": "machine_learning",
"version": 1
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
@@ -2178,23 +2556,32 @@
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "c39e8202c6aa104cacdbd7f152f22e19bf2a5e6da299ab44464663d93c2175e1",
"sha256": "0ad222085b8d696dd4df1055275c7fc6989064286734182865e772fbd8aac3c9",
"type": "query",
"version": 6
"version": 7
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"min_stack_version": "8.3",
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "06f6564ca643c6532abb1cdaa5f7b63ff7967e301d6d4c7fb188471da4c03140",
"sha256": "d4da085e36a4b1a471325f7c34f050486db0b5900302611bfda3c2d85305028b",
"type": "eql",
"version": 3
"version": 4
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "32d9ab18831ca9798b2304547daeb8258a6f8905a01a54c468b20409eee885f6",
"type": "threshold",
"version": 105
}
},
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "32d9ab18831ca9798b2304547daeb8258a6f8905a01a54c468b20409eee885f6",
"sha256": "c7f85d799207c359e3f84f41c0473858bad893198ffa7f3d8327d153eb0b422c",
"type": "threshold",
"version": 103
"version": 205
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"min_stack_version": "8.3",
@@ -2206,9 +2593,9 @@
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "2f90c20e27fe53e8d19581d66c3700d0e607aeca622f713dffbee083470bdbf7",
"sha256": "cdad95a52719987cf204d9063951cbe05b1e08a28f4d91b3cf8f5d5aa48800d2",
"type": "eql",
"version": 107
"version": 108
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.3",
@@ -2220,44 +2607,53 @@
"4ec47004-b34a-42e6-8003-376a123ea447": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Spawned from MOTD Detected",
"sha256": "d6507cd42eb759b19bc5d612350f5fee646f38be4fe487ebc7121f70ac057de9",
"sha256": "ed16c35ba79c045b3ae6cd2406ac39e5ee143767a2f8ae4a0a8ac6fb738b16c3",
"type": "eql",
"version": 5
"version": 6
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.3",
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "93581d9de1f2ecba9d10b0b90fc4802c633fdc525cef6b539c20da833098dbfc",
"sha256": "05f50e5500930fb6e8ed1646e88db67b24a1430eb1fb589bb9976dd052f0f44d",
"type": "eql",
"version": 106
"version": 107
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Script Object Execution",
"sha256": "3b2f5bb731e55d25192b6e44e2f8e2453784591f0b9be178867e26489f73a694",
"sha256": "41b132e87127770048e08a8d65fb63fd3180ee0d52ad69f666c0abe1ab20afd2",
"type": "eql",
"version": 104
"version": 105
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
"type": "query",
"version": 106
}
},
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
"sha256": "6cf84f243e86183b9bc2efdc39aa92f7573c421593ce71f1ce90dd87daf5b2dd",
"type": "query",
"version": 104
"version": 206
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.3",
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "d133f690998687a3f65041994c005ecd901bab7ac5c3504f34a8f2ca04cadbf5",
"sha256": "1717dbef17fd0507846473218f580ffdf11e5ba35497e2beb391d506d75289dd",
"type": "eql",
"version": 105
"version": 106
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.3",
"rule_name": "Windows System Information Discovery",
"sha256": "97b96679737e68fddbc04eaf2cdb22e954524acf822f15557c9d8e5de258496c",
"sha256": "2c0c54011671e9e99d2654529520c137188a4bbcf8feb0beb28c196f0525d88e",
"type": "eql",
"version": 2
"version": 3
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"min_stack_version": "8.3",
@@ -2269,9 +2665,9 @@
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "b62558c73fd30587a1edeb6e1a36b61cf60b19070b994e570a3f4bd023f546cd",
"sha256": "d098bba4900b382c6cd742182baba85a01b2337fbd4ff36da2bc9fdf6b408b7c",
"type": "eql",
"version": 104
"version": 105
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"min_stack_version": "8.3",
@@ -2290,30 +2686,46 @@
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "f944e30753df250f1d624c4c46ee0f5a60767d7d8ebc3d60af90ca77daab281d",
"sha256": "298d203a01db67a0653310a2665d704f81a97db74789cbe2fdf632ebe7574155",
"type": "eql",
"version": 105
"version": 106
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "c3228a5cb84c6e646834e1f6a578e0b7c642d97082d1faf6cb28e94b94553d66",
"sha256": "4111de70c21f8c5461da2f1b30720b9621c857bc8526b1d4e71bcc108b95c928",
"type": "eql",
"version": 1
"version": 3
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6",
"type": "query",
"version": 105
}
},
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6",
"sha256": "238e31f86ad8ffd8ec077358374a122a8c7bbee39ce994f761ad3441be820a9c",
"type": "query",
"version": 103
"version": 205
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"min_stack_version": "8.3",
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "6290c2857ed36cf95047595761ef26fcbd7d025b31e56eb92016113c70d70c5a",
"sha256": "0076c9eafb579f6fb93d35d66309a205f3d0912a8b7a302ea2e917e5e04dd2f8",
"type": "eql",
"version": 108
"version": 110
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"min_stack_version": "8.3",
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
"sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7",
"type": "eql",
"version": 1
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.3",
@@ -2351,16 +2763,25 @@
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.6",
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "7602af82bdc7fc4962b73c42451d8500e779a3338601f49ea49ea9398fa49613",
"sha256": "1fcaecb0c8b60fb9a393726f18411473957d935a9676d2e345121e3f07f5c200",
"type": "new_terms",
"version": 3
"version": 4
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2",
"sha256": "28f9744c81cfffbf8417f66ee1911ac9da89e9e352c5db4f0af9d725cd73c907",
"type": "query",
"version": 103
"version": 205
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"min_stack_version": "8.3",
@@ -2372,16 +2793,16 @@
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "0b1c1a7d64bb481a68482e3f0954ce0e55df7b26264d3e358b230b5670c80094",
"sha256": "ddf1b60a6118bc0c50833a0f13cf88f3838ebcc8f0f60d42ad91bad81b07634d",
"type": "eql",
"version": 106
"version": 107
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.3",
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "3ab2b049abaa1462ebed7b019dcd5da6957b5328c2ce7d2eb86b87e74a4ec28d",
"sha256": "8ece78d3d804106f87c006fdd8a027648880338a3a56c52e28a393d8f18aff40",
"type": "eql",
"version": 1
"version": 2
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.3",
@@ -2393,9 +2814,9 @@
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.3",
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "7abb75759648c733f8e4b39c60bd36ccf8b431e1fd27097e698724bc33d34e4b",
"sha256": "b7e3322f384197eb6eef899fcd0dab3032f80e4707f62046e423fe51756f2e9a",
"type": "query",
"version": 4
"version": 6
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.3",
@@ -2414,9 +2835,23 @@
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.3",
"rule_name": "PsExec Network Connection",
"sha256": "9dac69f62fd68c1763945debf1417db0fdb9384fc3200ddb80fad443bd7ed6fa",
"sha256": "ea9ce524558142eeb928e1288478f70877cf06e9b9344009845c85f0257329e7",
"type": "eql",
"version": 106
"version": 107
},
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
"min_stack_version": "8.3",
"rule_name": "Windows Installer with Suspicious Properties",
"sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753",
"type": "eql",
"version": 1
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "79250afad59e7a34a28a1fc9474da4c16612e73c23032855389f019fa153add8",
"type": "machine_learning",
"version": 1
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.3",
@@ -2449,23 +2884,32 @@
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.3",
"rule_name": "PowerShell PSReflect Script",
"sha256": "443cf0180678565fae6aab3fde53464a3fc6f6161ae2be250b2f29d08e3b1071",
"sha256": "8d62732e2d51a8e4d9e1d8705b48e82534ff622c316a9d2a217a2765ae84e988",
"type": "query",
"version": 107
"version": 108
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 101,
"rule_name": "Execution of an Unsigned Service",
"sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc",
"type": "eql",
"version": 2
}
},
"rule_name": "Execution of an Unsigned Service",
"sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc",
"type": "eql",
"version": 2
"sha256": "296152e8a3e1843df21e40fa6f6a05608b99b61ab06971ab80e9a3a35910b4fb",
"type": "new_terms",
"version": 103
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"min_stack_version": "8.3",
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "57330331ceebc76d136b11b9a4aad37660028ce464cffd529f0023ad0a5399b2",
"sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06",
"type": "query",
"version": 103
"version": 104
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"min_stack_version": "8.3",
@@ -2491,23 +2935,23 @@
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"min_stack_version": "8.3",
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "a7e0bdbc40a12b3b58f7280e709f99363b6d9362d4c0c91bcd926dddeeb4f466",
"sha256": "88ae25fb6df6c66c976902e4f17c39a5af63c217bb4aa298e7f898b003fa484d",
"type": "eql",
"version": 1
"version": 2
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.3",
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "2d5a85f9eb6c5a5b43149530f52a4cdbf41fb37009ec5f4ea1d572b4a127ba99",
"sha256": "f0914d5ae89b3f5372c087cd0c5983df509da91941322047aaad22d445cfb577",
"type": "eql",
"version": 106
"version": 107
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.3",
"rule_name": "RDP Enabled via Registry",
"sha256": "52fb0f6d5a15c031eb4ebdbb0bf86a16bd94e0aa3d3d4b9c9adb3a7019c79cc8",
"sha256": "a599e437dfc14b51f8ce6559e5595673b50429581388655e03d7999961ec6cf6",
"type": "eql",
"version": 107
"version": 108
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"min_stack_version": "8.3",
@@ -2519,16 +2963,16 @@
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"min_stack_version": "8.3",
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "f0754341d4737d98a3c079a807fdf62a876b2b9e37eddce760a538f8e135a3fb",
"sha256": "a9ada00d22041e1fc97021dfb923cb62dfcafe5849324b04534f7c53a65903d4",
"type": "eql",
"version": 106
"version": 107
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "1bba6c4e3e7130c507b6c959c9bf912171eb7a1f1cdcb69a6cf8bfd62e4ebdae",
"sha256": "04c918e4a5b742f9df828e957a708565731d36df760ffbf94a8dc6f331539f7b",
"type": "eql",
"version": 107
"version": 108
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"min_stack_version": "8.3",
@@ -2545,11 +2989,20 @@
"version": 102
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "AWS CloudTrail Log Created",
"sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26",
"type": "query",
"version": 106
}
},
"rule_name": "AWS CloudTrail Log Created",
"sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26",
"sha256": "84221ea6d1d7084ea241331b852a80ca276abc757430ea68253a3add4daca7a4",
"type": "query",
"version": 104
"version": 206
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"min_stack_version": "8.3",
@@ -2561,16 +3014,16 @@
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "8438243430e0b6983e01c039dfab3f7c01111a8f9939c207ef853108907a977a",
"sha256": "21be01742858a1db7d297c338482f5a580a441699ca10d99874c0c9e24f50499",
"type": "eql",
"version": 105
"version": 106
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Java",
"sha256": "64625792213f211d0d8a873101fb7b1569da37e5179bd5f201b2c1f3101de821",
"sha256": "78ec1a1157f2afe9c030908365e734669d12f566fd1992245244eb8def7d4314",
"type": "eql",
"version": 3
"version": 4
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"min_stack_version": "8.3",
@@ -2582,37 +3035,37 @@
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"min_stack_version": "8.3",
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "b13fb00b87c825ce3f05d65295a6b1a47fec6d46d5fe22058d8b8b164a678d0b",
"sha256": "b57b1fa14361058e949c21cc407ad8e502c41b901b2f7b5a575ffb1d9fb460bd",
"type": "eql",
"version": 106
"version": 107
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"min_stack_version": "8.3",
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "2b30d95ee6d6e8bd0ff888cc6609d826560591c7ef3681b5ff74f49f7cc3c888",
"sha256": "cca11b1e320068fb951e6be8baba9a7f49cfef803b613bda1ccaea95922f3a00",
"type": "query",
"version": 105
"version": 106
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"min_stack_version": "8.3",
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "1e8068d0ce5b93ac8598cc1cc3ce47385a0c99bb43ce15b27a514542fe4adb39",
"sha256": "484f49639b052fc38d358f83984230e1a524fdb9d60f221668f8fe55b7485c50",
"type": "eql",
"version": 2
"version": 3
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"min_stack_version": "8.3",
"rule_name": "Suspicious which Enumeration",
"sha256": "918d3ee72f0aba9e0a382045c846e04f7dc5e1f942954c077aa639794e809917",
"sha256": "fc50e7f8c6f1d7485f6a164637556906c3e3711d037759cf0c017826a110f6f3",
"type": "eql",
"version": 1
"version": 2
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "2869df554ce679e32f42029716b74524aa21ea7af2872e5a42c55de5ceb7835c",
"sha256": "10846cbf0f6d148b7fc84a14a62f5bc1b44382eda5971d84a0747c8788c93721",
"type": "eql",
"version": 1
"version": 2
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
@@ -2622,25 +3075,34 @@
"version": 104
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98",
"type": "query",
"version": 105
}
},
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98",
"sha256": "333f27913815c1e4ec223cb266bc34cfadb31ac1a598d1fac7a8de01ac3abd9b",
"type": "query",
"version": 103
"version": 205
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.4",
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "3a1daa97831ddf8f5bfcf84698ec8b3deff467d7f1b8770467a760ef355c1a5b",
"sha256": "1021f7351d5cc378ded4585010e7ba4b057a05fab6f8e42157c6facf422bf6ec",
"type": "new_terms",
"version": 6
"version": 7
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"min_stack_version": "8.6",
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "5941e6650b12bc02b03d289fa389b9f2347c53636e6368753bd5917b5a776cd5",
"sha256": "c29613a13876b018582e791f2843e3b12181e06c36266665efe4711c52945024",
"type": "eql",
"version": 1
"version": 2
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"min_stack_version": "8.3",
@@ -2652,16 +3114,16 @@
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"min_stack_version": "8.3",
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "361a074bbb3fe56ec08c1430d5b5afc021f8502cb133c1066dd514bdacb37f06",
"sha256": "a4e1f03bf2a4863f8922d20b5ab31fc5fffea4c27e35c47e61634b492dba558e",
"type": "eql",
"version": 3
"version": 4
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.3",
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "e4796e4f5ba9178180960e592aae8dc79ef969e7b951f2c2fd73dae57d29406f",
"sha256": "c0fd1feebe4607a5b3db25454a63e6c46b64c43070cd6c6487fac57bfd65b53c",
"type": "eql",
"version": 104
"version": 105
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"min_stack_version": "8.3",
@@ -2673,9 +3135,9 @@
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.3",
"rule_name": "Persistence via PowerShell profile",
"sha256": "5ce8477d708b49d1d38136f4638bc5596e3190949b3e561ff84d56566ca96f61",
"sha256": "421c30d4787b7da4cf4496d67084325210732a4aa854db2cac54429840f044c7",
"type": "eql",
"version": 5
"version": 6
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"min_stack_version": "8.3",
@@ -2687,9 +3149,9 @@
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "865a5c61d5bdf21e24120d3b8eb35f82a23286c618fc795dce353491987d04fa",
"sha256": "f99460b7128f713e96cead9f3d34cf8f19a3561e1e51d86f60ca99f765d7d93e",
"type": "eql",
"version": 104
"version": 105
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"min_stack_version": "8.3",
@@ -2758,9 +3220,9 @@
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "a5b4ed432583abe86a630527b3026ee3a58f9813bb11868c628754ff414a3c7f",
"sha256": "123e32643dd7c3052f52ade724c9c93759749d28fdb592ffbdccec9ea688d1a2",
"type": "query",
"version": 109
"version": 110
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -2771,9 +3233,9 @@
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"min_stack_version": "8.3",
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "71e064cd3cf1b8dec498d3e054d70ef2121113be1ed24c7e7df6af3b4324f27e",
"sha256": "ac85da0bd50146a9acd21f199d77bcce98ff857d768071bb894e26118b26a239",
"type": "eql",
"version": 107
"version": 108
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.3",
@@ -2820,9 +3282,9 @@
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Signed Binary",
"sha256": "f383ad8f33cab31ab158968663de5ed3d540de9a4d8d0fa4a578e19a35ed061c",
"sha256": "e3f5d9f1f0b68b258714156bb2d6558011e846b2fad3ad178aae26c7c0f6c81e",
"type": "eql",
"version": 105
"version": 106
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"min_stack_version": "8.3",
@@ -2841,9 +3303,9 @@
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "60780f0b220f4de4cccb01815d9585964f3d68bd515b23972bc9b881a36a70ea",
"sha256": "b277d6162b8343013d1498f692467e7cec38348da2ba5058ed1fd1aebcc40eaf",
"type": "eql",
"version": 1
"version": 2
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -2877,9 +3339,9 @@
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Termination of ESXI Process",
"sha256": "0711743a3e6d25d5ac8089b3f5e996420a92bc7890f358cb4e23c6d88ba9a615",
"sha256": "2d5c0856617f70f9ed2e5835c40dec8304a2290370c5414745c806fde457e583",
"type": "eql",
"version": 3
"version": 4
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"min_stack_version": "8.3",
@@ -2891,16 +3353,16 @@
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "5011350beae3fbee34961ee280dce76139c391e32caf77391b710c0998735d95",
"sha256": "de1f883c87b1b49ce0932b95dd0ebaabede9c5334b6f18e2222c3fc3a5628bec",
"type": "eql",
"version": 1
"version": 3
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "5c79e5fd80163228473cfe5b3b9f61d769a063b5c1372c30928ab2ac59cf0525",
"sha256": "4c82661472cef610b0a6a24cb6654b4f11869bf4401d656eaa68c78289f66302",
"type": "eql",
"version": 107
"version": 108
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"min_stack_version": "8.3",
@@ -2919,16 +3381,25 @@
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.3",
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "9546181bdfa5b6f04cab84f0ff7afdbbb59ef9ddeaf7ec7bd070a1808324473d",
"sha256": "086eafbc984aa6480575297071ab4771019ea9eda87148c85e6f2eb40f7674f0",
"type": "query",
"version": 6
"version": 7
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63",
"sha256": "0f0e1ba88bbda85d60bb8fc96bda554db238881ea16937d0f0fa5414a15e6ede",
"type": "query",
"version": 104
"version": 206
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"min_stack_version": "8.3",
@@ -2938,11 +3409,20 @@
"version": 102
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93",
"sha256": "e8e7b2e174c70d5a4a851a47b90138516f2a3c440e275c037a6f1334759c87de",
"type": "query",
"version": 104
"version": 206
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
@@ -2953,9 +3433,9 @@
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process Terminations",
"sha256": "9654e394fb859d2bbad76596b99237d6f8d15e70526ea0e27711c4c3a680ae77",
"sha256": "21d744da94221fcbec162dddffe8794cefc8fd26321d770c472b47093b28a95a",
"type": "threshold",
"version": 108
"version": 109
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
@@ -2966,9 +3446,9 @@
"6839c821-011d-43bd-bd5b-acff00257226": {
"min_stack_version": "8.3",
"rule_name": "Image File Execution Options Injection",
"sha256": "97b4abe585f163bcdacc300075bf109cb501bbb7d1de90a2cdbbbdfbbd9aef97",
"sha256": "ad88e3a9101259f72a383196f9f474fb828e8dd2b844ef2d61caf9fb986c1028",
"type": "eql",
"version": 104
"version": 105
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"min_stack_version": "8.3",
@@ -2978,18 +3458,27 @@
"version": 102
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21",
"type": "query",
"version": 105
}
},
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21",
"sha256": "8d04de56ef8b8f97264ebf4f9614963e43b9106d543823fdccbce9b59a0011d8",
"type": "query",
"version": 103
"version": 205
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "e56e2b209388ed0f70bed3114edcf6d49e83959d733faa801e3d40209152e327",
"sha256": "6223d04f4e618351c760d259ecbc3d42c8da22daf8a9bd58497228d13304bab4",
"type": "eql",
"version": 105
"version": 106
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"min_stack_version": "8.4",
@@ -3010,30 +3499,48 @@
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "46775980c978cd2264682497c62b9788b6645243da6b72ddaea5bbff0388df3e",
"sha256": "ebde0ba43ed054967c01f489cd5f2e45b9dddf79b90351dea7e78c5a5c2edfe6",
"type": "eql",
"version": 104
"version": 105
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4",
"sha256": "6c4325ced0b53d29535ee5afd746cd09fd120823f660b5bd3518ca50fadca146",
"type": "query",
"version": 106
"version": 208
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "53f09e4c88d11c0ee66a186321981f9eb31165d73f02b874ca0edbed0844c6da",
"sha256": "0feac3bd75fcc2317ee0e9e91a7f2f35063c0c5a62b5c47076545998d3ac12ae",
"type": "eql",
"version": 105
"version": 106
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd",
"type": "query",
"version": 5
}
},
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd",
"sha256": "62a819dfff5aff4d9a71c1af4dbee137aa6d96683a906088769effac0fdbd8b1",
"type": "query",
"version": 3
"version": 105
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"min_stack_version": "8.5",
@@ -3059,39 +3566,57 @@
"version": 106
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17",
"type": "query",
"version": 105
}
},
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17",
"sha256": "31f084b4192870ca6c93d341a1f9e6d9eecaaefe046fcf6687209ec23866edf3",
"type": "query",
"version": 103
"version": 205
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.3",
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "f3cb8da67a3f69a296b53078b37707f55d6852f4c55b7bc074af6e3ab2a01d20",
"sha256": "d6efd876704aecbc61e32f00bc3fc87660de3486490102dee717f3cafeef34ee",
"type": "eql",
"version": 105
"version": 106
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.3",
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "a9f9aa8f746871dce91e94cba6697e908e9901be0135860b93572a5904b48b04",
"sha256": "2094e45cb6acf5514345f45de5980fa93856dbe2564c14cda824cfb92609fe9b",
"type": "eql",
"version": 107
"version": 108
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "7541e1a6c4200e3961759f0cdadba8eaf793f6e3e9e28dbb34af84aeac5f6fce",
"sha256": "36f237a42a890a47fd41636119b3f4f6cb483699638fa0570dee4cc7ba1bdd6e",
"type": "eql",
"version": 1
"version": 2
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Sensitive Files Compression",
"sha256": "271c0de47099ee8a5e049d68bf4d49801b884b81f673df03edceab970daebe19",
"type": "query",
"version": 106
}
},
"rule_name": "Sensitive Files Compression",
"sha256": "24dee3257162b876da6487b55368acb5b38040fd13ce5d0bc7511b0644e2ae48",
"type": "query",
"version": 105
"sha256": "2665a4bfaf61af8a5033e6aff2ce6950c77fc795eb6bba42b6b5064e84fa8841",
"type": "new_terms",
"version": 206
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"min_stack_version": "8.3",
@@ -3110,9 +3635,9 @@
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "dfc2fbc0fab4f84b16f206bb71d59399a3450f5cec21c03daa1fd20d529ccdc9",
"sha256": "6c77473acf3dec0fc8fd9d0d2f4a0de620f5007008bf85e61fc224fa1087b63a",
"type": "eql",
"version": 104
"version": 105
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.3",
@@ -3121,6 +3646,13 @@
"type": "machine_learning",
"version": 107
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"min_stack_version": "8.6",
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
"sha256": "0a052fad94510f59c9efd5ffec0901831516c7ea937d86e3532157035d86466a",
"type": "eql",
"version": 2
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
@@ -3138,9 +3670,9 @@
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"min_stack_version": "8.3",
"rule_name": "AdminSDHolder Backdoor",
"sha256": "c6d5f04ccbfb426d106eb3b03f1f20727722e4632689aec4bc9fc11edb28bc83",
"sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1",
"type": "query",
"version": 105
"version": 106
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"min_stack_version": "8.3",
@@ -3152,16 +3684,16 @@
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.3",
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "b93d5773dd0b96dd6d8e331197414f59005cceea42ac2b114e9ace428ca9f578",
"sha256": "bd57722ccc74983106255532898917957a55fafd6c760af95a0650a7a93e5ef4",
"type": "eql",
"version": 105
"version": 106
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery using WMIC",
"sha256": "a1ae41d886802078065a49f39d3cccfc069db47d2052a9950cf0421e0187f9c5",
"sha256": "7400438cd326b5fa5137479c92eb2898c709c3338757a1f631cb718de551a551",
"type": "eql",
"version": 106
"version": 108
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
@@ -3172,9 +3704,9 @@
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "9b7a1e7596fff4b6d70a4064cf79f606a74f214ef8aeb4234c08842d2c1b910f",
"sha256": "9a958c72f2b71c12da6147cd83e0d798c1e114b362bd577b27f0f921b0a13465",
"type": "eql",
"version": 1
"version": 2
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
@@ -3205,18 +3737,43 @@
"version": 100
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1",
"sha256": "6eb194ad10e7ea8d3c8547593a150c60eda885a07be0a3dc57dab3dc0d993314",
"type": "query",
"version": 106
"version": 208
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Config Resource Deletion",
"sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Config Resource Deletion",
"sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0",
"sha256": "16521ebadcb6ecd1ffe3b12756c604b96cf8b5daedd95eeec1e1fd2eef096dd9",
"type": "query",
"version": 106
"version": 208
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "934721c56a14fb6b1ea672f4cedb14eae9cdafb81a8e9bf35230f542a602740f",
"type": "eql",
"version": 1
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"min_stack_version": "8.3",
@@ -3240,11 +3797,20 @@
"version": 3
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "dc67793718c16d2d90d8be38bf310b0ce87c25f4e9c56a66f7a231b80d9922f0",
"type": "query",
"version": 107
}
},
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "565a3a934715161cb1c0bd792b9694d865ccf9df21072f0e5bd381c947ec3b65",
"type": "query",
"version": 106
"sha256": "72fea82152115abc97ea9e34b7e9bf40be8d5af11313625404f62dfcf5ca61e1",
"type": "new_terms",
"version": 207
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.3",
@@ -3256,9 +3822,9 @@
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.3",
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "44d4d66dea85165137a0d3f86d314a56a2d3de07baedee209e53118864691402",
"sha256": "d442a3b1c1b313c54f0bad14de16f98cd68ae8ada5e87c99e8c29aabe78f2d7f",
"type": "eql",
"version": 104
"version": 105
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"min_stack_version": "8.3",
@@ -3268,11 +3834,20 @@
"version": 102
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c",
"sha256": "a26dbdf7534708e6c75311dac75a165cbb21ce2fedc44bffa5ebd8437ffe6354",
"type": "query",
"version": 104
"version": 206
},
"72d33577-f155-457d-aad3-379f9b750c97": {
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
@@ -3280,6 +3855,13 @@
"type": "eql",
"version": 100
},
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "76e9e3a24fb77bafe1b7f5cf3730c4024c32f045d85de9b0857bae7a8716b2df",
"type": "new_terms",
"version": 1
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"min_stack_version": "8.3",
"rule_name": "Potential Modification of Accessibility Binaries",
@@ -3309,11 +3891,20 @@
"version": 103
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Suspicious Sysctl File Event",
"sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Sysctl File Event",
"sha256": "677db0e224b9e590ddaf2525bccc03fcd4c576f741537f13434eb9cecdd77bdc",
"type": "eql",
"version": 3
"sha256": "cdae4cce31893b3eb3b3a3472011e11708a7c9e1fcf4410bb88e18a099a94361",
"type": "new_terms",
"version": 103
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"min_stack_version": "8.3",
@@ -3355,16 +3946,16 @@
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"min_stack_version": "8.3",
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "d9c6faf2209cb103e1548a470602851ee01bf04f32853d0ed66169fff27e6847",
"sha256": "d2e53030dc005a302f0b5bb530360d58ce429809a0ed1827bc6d5b89de8b351e",
"type": "eql",
"version": 7
"version": 8
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "1d6f35d59421b7701973891ca9762db50f5dd087b3feb9e9e384ee927cdf1d36",
"sha256": "a3536eb13408e7fc538952bee75a1362e3be277b14f1edc18c2f63fda3f5f08c",
"type": "eql",
"version": 105
"version": 107
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"min_stack_version": "8.3",
@@ -3376,23 +3967,23 @@
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "22a26a54eac8e02ec72df44fdc261481315acec5885269f591cb5fd1c46d1825",
"sha256": "ee743b928b61e259c3e46fce5b16400121f6ef6affdc122ea1f47e9a199900ea",
"type": "eql",
"version": 4
"version": 5
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "9f85a8053c83ad71c8540a2261dbbc4708549c0de62c0edd99395ef16629cc9f",
"sha256": "df53ce37b5877a6a26f2e5b7d78d60000048e5eaaa3d152f9ead7ef84d700a19",
"type": "eql",
"version": 106
"version": 107
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.3",
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "3efbbd83a3795ef381af8172fedb8209e077505df6097622483b3275060f8be7",
"sha256": "863f7c79c8a07dbe9f74d5dd1ecb111219e82a3039c95ed6d56de800b2e13c69",
"type": "eql",
"version": 106
"version": 107
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"min_stack_version": "8.3",
@@ -3411,9 +4002,9 @@
"781f8746-2180-4691-890c-4c96d11ca91d": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Sweep Detected",
"sha256": "dac06daad2d64130cbe33805c45aa9bdba206772051f496081644a309db32cd2",
"sha256": "e8646ede4715b107643a3098b6e032965f664c38e7341d9d0519b3a8510d2fab",
"type": "threshold",
"version": 2
"version": 4
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"min_stack_version": "8.4",
@@ -3439,18 +4030,34 @@
"version": 105
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Spike in AWS Error Messages",
"sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Spike in AWS Error Messages",
"sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57",
"sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2",
"type": "machine_learning",
"version": 106
"version": 208
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "7b5df51876d17dc0c0978937514b88e32fbb68a471fdbfb5063af60dff04d178",
"sha256": "11fb3b45a1ccc2f104c91997fb4d7093f0efd5534a8f2048aa90ef37cc11f6cd",
"type": "eql",
"version": 4
"version": 5
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"min_stack_version": "8.3",
"rule_name": "File Compressed or Archived into Common Format",
"sha256": "ffc63f1281c5daf184121bec10deda5e91670f64baeaf47d2ee5336649bf2c78",
"type": "eql",
"version": 1
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"min_stack_version": "8.3",
@@ -3462,16 +4069,16 @@
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "3b177629deb6dd64f254d75b8a4f6b71879b7ff33a70d98c184560b82d67277a",
"sha256": "51fa21c1094b9e214686668956d499fc25f19607d7b1a93fc094aa557eda00d7",
"type": "eql",
"version": 1
"version": 2
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.3",
"rule_name": "Potential Exfiltration via Certreq",
"sha256": "4ef6fb0e47ac848843d2ae9b37eacc7369390ef5ff45ecf6b0a374512ad4b979",
"rule_name": "Potential File Transfer via Certreq",
"sha256": "a74b9849420ed6b7c23bfb51caa8aad585cf535af48bfd4c11d1d7a16c8560f8",
"type": "eql",
"version": 4
"version": 5
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.3",
@@ -3489,9 +4096,9 @@
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "1dd7950a241f5882d741236f88f61e5ed12437aa16756ce984ee04379e2dcdf9",
"sha256": "d77a6da669fbbb4406a59bd7061baf788f0f9fef20b43321c6fcfbb00a24690b",
"type": "eql",
"version": 2
"version": 3
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
@@ -3500,18 +4107,27 @@
"version": 100
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4",
"type": "query",
"version": 105
}
},
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4",
"sha256": "05d7545eb5be8c088900939645d5a75858e48029b72b2926c878627697576a85",
"type": "query",
"version": 103
"version": 205
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"min_stack_version": "8.3",
"rule_name": "Windows Network Enumeration",
"sha256": "ef35c00c8f160878d607315e984c5aecf6fdca5f36d9db988c29e88f76d00270",
"sha256": "a02a471585a3b5aafa89be56f312db81bad278d8eafbf7463f73cfdebf9c80bb",
"type": "eql",
"version": 106
"version": 108
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.8",
@@ -3568,44 +4184,78 @@
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "0d2e9303095644cff713d6cc47bcea144b0fb7d1c8c7026f50ac5fe60e57228b",
"sha256": "c2521f557370eeadd9f5ab09fd706593451e0f0d44ffcb8ee63fd21ec3433862",
"type": "eql",
"version": 105
"version": 106
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 100,
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66",
"type": "eql",
"version": 1
}
},
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66",
"type": "eql",
"version": 1
"sha256": "bc8f0cbcbf93a3e84a7433c81cb3997b0f23a2d6b1a1df28e3828f0fe7f1ac50",
"type": "new_terms",
"version": 101
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Timer Created",
"sha256": "27bee4413c109d7597639a0a60acd77d395ddd1b5f6f4fb09c88c026a699a4fa",
"sha256": "94cbc646d3a0879e403b786c2c25535db4aebbd67a3f041a8bf43b206462b8f2",
"type": "new_terms",
"version": 5
"version": 6
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0",
"type": "eql",
"version": 3
}
},
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "2dcd549142325271b0cc47d8d2a3b32dc6f1187d7ed0a0a2ad21238ba64e8ff0",
"type": "eql",
"version": 3
"sha256": "bcfbab89662a36049bb509952b29602fc3e552bc91c4f6851b183c3881604f7b",
"type": "new_terms",
"version": 103
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Extension",
"sha256": "15e1dd225bae684eac522b61872faae250a8aac0c4cb71b4e6d68986665587ed",
"sha256": "892abe65dfb4e821b001077e250ac7619928c9a8ba796ec314d9abce74c74ba8",
"type": "eql",
"version": 2
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "e07fdca00c03cede7dcd07d161752b6a5fa31a5987779dde490803e67071a0f7",
"type": "eql",
"version": 1
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Unusual City For an AWS Command",
"sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual City For an AWS Command",
"sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab",
"sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199",
"type": "machine_learning",
"version": 106
"version": 208
},
"80c52164-c82a-402c-9964-852533d58be1": {
"min_stack_version": "8.3",
@@ -3614,12 +4264,19 @@
"type": "query",
"version": 101
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Extension",
"sha256": "1eaf7e432793ec71e4a6924b5d8e2f95b30b4b8042f8aaeee43aed4a24050610",
"type": "machine_learning",
"version": 1
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "9c2f8341e807bf0b4ffeb0c40e797f72dbdd69d65b6db7a2a6c7f8ee10708d7a",
"sha256": "cd1b53b5cd9aacd751ae8801be77543c716fd21c184f54a776380edd185e8275",
"type": "eql",
"version": 106
"version": 107
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
@@ -3630,16 +4287,16 @@
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "663ce5702cc916692b79094fb7c51dcad29f2f3687f8085ce74b1f699219eb1e",
"sha256": "2a512f65b3d174a8cea1e7d419378e4fb46c850bc7e3a514409f3093ae43dc92",
"type": "query",
"version": 108
"version": 109
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.3",
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "82f8ec9cc22e111eb627de7426fd99dd540938ed1e0d05473496ea18b54c3cea",
"sha256": "b9eb095355ecc02a827ca56e41a3ccd5fd5fff3c57c2f1a1e16e0f32082bcd46",
"type": "eql",
"version": 6
"version": 7
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.3",
@@ -3651,9 +4308,9 @@
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "fe6cc04fb2e612cab72a6d221db5f03f75c1706355d5c212987ec5de3a2bd3a6",
"sha256": "1dd8817884ca577039baba5ede3be91c85119efdb77f580810c95c223816ebcc",
"type": "eql",
"version": 2
"version": 3
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"min_stack_version": "8.3",
@@ -3671,9 +4328,9 @@
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7bd7ca6309b09a6218ebe05322f1477ad28327ac05cab27ae9eb18267b43563c",
"sha256": "73d35f95e41d651a5e75315cd4b570345c8cc6334b9dec7db8adf08b57f52e30",
"type": "eql",
"version": 3
"version": 4
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.3",
@@ -3682,12 +4339,19 @@
"type": "query",
"version": 1
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"min_stack_version": "8.3",
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "3ab2c7dffde8d59a7f0d31f4f475c98f5325a94adb789cc4096286ae73e70e36",
"type": "eql",
"version": 1
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "5a3c03a8465e2bd10bcaa699af57945cf361af5ca71be2662c20a6746a5b4960",
"sha256": "ff711eea051615cadd16874b875330acd62c7aaf5fb10e2db0d36c1f15799712",
"type": "eql",
"version": 107
"version": 108
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"min_stack_version": "8.3",
@@ -3697,53 +4361,98 @@
"version": 108
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47",
"type": "eql",
"version": 108
"sha256": "4c25f7bb1a234052d7a5d22439a6b2ceaf128a052fa764bb1d97b0d2b5928eee",
"type": "new_terms",
"version": 208
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113",
"sha256": "f9a3ba3b45d5b33b1e73c806495b984233a6b2bc200082fc945fa31d8fea41be",
"type": "query",
"version": 103
"version": 205
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7",
"sha256": "0c9d4de210e608efca7e588b59eeb71ca5f96b5b20c083daee0e8d4035f0cd32",
"type": "query",
"version": 103
"version": 205
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS IAM Group Deletion",
"sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6",
"type": "query",
"version": 105
}
},
"rule_name": "AWS IAM Group Deletion",
"sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6",
"sha256": "f4898405685170f2b55f69bcde2b41a0cb8b861ef6040f86e3257bf0abf93383",
"type": "query",
"version": 103
"version": 205
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery via Grep",
"sha256": "d5d6fbfe8a86e827bb1f10589d9e8427ba7b59bea1a9707d4359dce6fee0929f",
"sha256": "39e477f562630dea0f3f3b68106d7c699a87d2ab0764247fc8bd0de442981f4f",
"type": "eql",
"version": 105
"version": 106
},
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "70ad3fa6e2da2dbfbb0211d6835e6657b3c156417e77b4b8bc33b86c2b69167d",
"sha256": "16de3139ef7299ea2fe5dc3a874629d2079e250e032b7f33ce0250a0b0e931e6",
"type": "eql",
"version": 107
"version": 108
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b",
"sha256": "bf5d21e0ace96205fd8f8db491ac9d75625ef089e4f5b3499d4a4209268f9719",
"type": "query",
"version": 103
"version": 205
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
@@ -3773,11 +4482,20 @@
"version": 104
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Potential Sudo Hijacking Detected",
"sha256": "28eba13edb2d9454c08d86938d6bf41ed614c2c32879ec8719cd571c0c9cbef5",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential Sudo Hijacking Detected",
"sha256": "a4206f33521819d8d7d53c211f4469b0f4d29f90aa303e728ed6c22f0acd0ec3",
"type": "eql",
"version": 2
"sha256": "90ab70272d3bdc85151e9bc2add9998f4819f17d13c282ae54e1b047602630e4",
"type": "new_terms",
"version": 103
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"min_stack_version": "8.3",
@@ -3816,9 +4534,9 @@
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "ffb3cada9e61abf88edfa4d4994b68df4a1c86040ef6344d2d5d2f2fb67e0bb2",
"sha256": "bd4e75d4bef5c733959b047c5466da2d7768bfe892c50c383b7d1d46240bcaf9",
"type": "eql",
"version": 2
"version": 3
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"min_stack_version": "8.3",
@@ -3830,30 +4548,48 @@
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "a577ac9fcb46e067f2d9a3dfa1c37db43cf2b744e0701387877da0d9321a209f",
"type": "eql",
"version": 104
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009",
"type": "query",
"version": 104
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"min_stack_version": "8.3",
"rule_name": "Suspicious JAVA Child Process",
"sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16",
"sha256": "7b1e58c15587d23240b63b8dfd696aa8de530ddbf9be2c384db2620e9c9bd4ad",
"type": "eql",
"version": 105
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "42864ccbb8e48936452a309318951454ac5820199a0b5e62be20a53c6846eb2b",
"type": "query",
"version": 206
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Suspicious JAVA Child Process",
"sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16",
"type": "eql",
"version": 105
}
},
"rule_name": "Suspicious JAVA Child Process",
"sha256": "9bcba792d96bb90055853bbc119cff04fa2f40b46cd77ea9bab938ab61056074",
"type": "new_terms",
"version": 205
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "577175231e8722658399f535dfe19fa278f3082f7848da4f3c65e77ee2a4118c",
"sha256": "e79736c160e70b66e87aa690264e4ebe08b958d00a2d8178556525a57dae4323",
"type": "eql",
"version": 1
"version": 2
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "8.3",
@@ -3879,16 +4615,16 @@
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"min_stack_version": "8.3",
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "02d2aa1ce970af5dbef685da0cfc51fc7c9d7c82932b13d1b19d8f212a1ba2de",
"sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b",
"type": "query",
"version": 102
"version": 103
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "ab6f219326b46640112b041c6a7ccdf841ac3d4aa2e364b34b83a7869e301b70",
"sha256": "32ad67514f438b6e30f64bc4b7b4eb626be6582afadb55c240c2e4efe9b7cfcb",
"type": "eql",
"version": 106
"version": 107
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"min_stack_version": "8.3",
@@ -3907,9 +4643,16 @@
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "930f4fe60fcf470067a75a7d6d9b93d3c80d639fcc0cf248c30c9f41cb98f70d",
"sha256": "65f9ce05fea76a9a8692e1eab5ad90ab0904e79b28d0c1f077f5d0422c5a2098",
"type": "eql",
"version": 7
"version": 8
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"min_stack_version": "8.3",
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "4aee04fcae9856c8db9a767d12e37c08a83d89f0665b4be03150aa01c6e03b4b",
"type": "eql",
"version": 1
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"min_stack_version": "8.8",
@@ -3921,9 +4664,9 @@
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "9037dac927b76a260a11026c3e893f9f85b2d876004b652c74c012bb7fd93f5f",
"sha256": "bb4dbd0f9903378286cb13efb8f0898a00bf9c3255d58d6a58bd21da8997c9b5",
"type": "eql",
"version": 105
"version": 106
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"min_stack_version": "8.3",
@@ -3949,9 +4692,9 @@
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"min_stack_version": "8.3",
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "818146f18a2aefd065739007ec4aecb61ec4257169528b7a6605b7ff0cc0758c",
"sha256": "d3f17c275351dce43dbed1904257d053abe2a6e174ec12f91eabbc40236f918e",
"type": "eql",
"version": 104
"version": 105
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"min_stack_version": "8.3",
@@ -3976,16 +4719,25 @@
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"min_stack_version": "8.3",
"rule_name": "Hping Process Activity",
"sha256": "63e23dabfb3a8535a41b473614245b4df52a35760e0485a6e9f51e55d61615f5",
"sha256": "bca55701a9d9f3c48b1f6d8df6d0672f880ea5e8f7b5252ada7c42af6458802c",
"type": "eql",
"version": 105
"version": 106
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa",
"sha256": "52ad2c61bc4217845afa6a13fe3e23cd405324f6bc6779b2ed3a21ecda615e14",
"type": "query",
"version": 103
"version": 205
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"min_stack_version": "8.3",
@@ -4015,11 +4767,20 @@
"version": 104
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c",
"type": "query",
"version": 105
}
},
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c",
"sha256": "ecd61bd19c50c09347fdf33fed3a2f8ec9fc77dec053398a5b62f534e297ebdb",
"type": "query",
"version": 103
"version": 205
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"min_stack_version": "8.3",
@@ -4045,9 +4806,9 @@
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "50456decf4f398de8c09653fee24f7eb07663c151fc638cfd1cf7c9584cb733b",
"sha256": "7fe6f04aad78c1165b56664a6e2b192a15c39a1166c3b1e24906d7ff5b91b1f0",
"type": "query",
"version": 5
"version": 6
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.3",
@@ -4057,25 +4818,52 @@
"version": 7
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3",
"sha256": "b0edd6d0742b92fa2ebe2c3d5ea02c63f8a1edffe0b0f53320b86ed419ab8fb8",
"type": "query",
"version": 103
"version": 205
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Sudoers File Modification",
"sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef",
"type": "query",
"version": 103
}
},
"rule_name": "Sudoers File Modification",
"sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef",
"type": "query",
"version": 103
"sha256": "6a1a6b3462c4ea5f0ea3cf546684745e51efb7a52a094227c5b2f06e6fa90bc3",
"type": "new_terms",
"version": 203
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3",
"type": "query",
"version": 108
}
},
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3",
"sha256": "408b41a86252884a996ece1031334c7b73d4870202ad4a65c1a74d5392ad3454",
"type": "query",
"version": 106
"version": 208
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.3",
@@ -4108,11 +4896,20 @@
"version": 205
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f",
"type": "query",
"version": 104
}
},
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f",
"type": "query",
"version": 104
"sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30",
"type": "new_terms",
"version": 204
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"min_stack_version": "8.3",
@@ -4168,23 +4965,32 @@
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"min_stack_version": "8.3",
"rule_name": "File made Immutable by Chattr",
"sha256": "8de6fbce3edd5e6599051a15eae6429056bb4fae367b3cd3572ece577dc22e1b",
"sha256": "951d63b6557d5c3fb3f155e45999afcdd86791f7d830c26ba0ff9811f2ae0367",
"type": "eql",
"version": 106
"version": 108
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353",
"type": "query",
"version": 105
}
},
"rule_name": "Attempt to Create Okta API Token",
"sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353",
"sha256": "00e7844e7b50556df54dd1a80585ef3b0d6e18949813883d66e9467cd40a90f9",
"type": "query",
"version": 103
"version": 205
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
"sha256": "ac2aae146b439c128acf93b6d08c60c1297ef5ce278baed0d2463fed3d109553",
"sha256": "6adb4dbd03b3b5ad0d5318c1e811e89f0c4c560f2c2cac1830b06b007134962c",
"type": "new_terms",
"version": 5
"version": 6
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.3",
@@ -4215,25 +5021,43 @@
"version": 104
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS SAML Activity",
"sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d",
"type": "query",
"version": 105
}
},
"rule_name": "AWS SAML Activity",
"sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d",
"sha256": "6205667e0b3ffc035feaf7ed17e089eb50ab5ff04926b74e65bb83f73d79af8d",
"type": "query",
"version": 103
"version": 205
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
"sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4",
"type": "eql",
"version": 107
}
},
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
"sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4",
"sha256": "77d0337a5eb54baa93eb1e573ddab7f5e356ad4892d6cf02c74ce6562afd8d2d",
"type": "eql",
"version": 105
"version": 207
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Zoom Child Process",
"sha256": "b15108fed1be29ce5b03c10684a269ab6930c9843c4bae00bf62059a1151250f",
"sha256": "f82a785c120d52dcd2123f3f9d2f8b7503d520c6ea8e46fd74f310e8a53dd233",
"type": "eql",
"version": 107
"version": 108
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -4244,9 +5068,9 @@
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "23394ff5cf8c8530a51e90c2408d609e7000dfbc5dff8724cb29cb88e63a6d09",
"sha256": "cd7035a0017aa4b845f94e3aa665721e72fe1dc535c9cfb0867b4657d8a94ef3",
"type": "eql",
"version": 3
"version": 4
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
@@ -4290,11 +5114,20 @@
"version": 102
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e",
"type": "query",
"version": 108
}
},
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e",
"sha256": "3c5613df7cc89e9a173b0632a5db11d02b917f05f3c24cb3d44c416a679a4056",
"type": "query",
"version": 106
"version": 208
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"min_stack_version": "8.3",
@@ -4310,6 +5143,13 @@
"type": "eql",
"version": 104
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "58480532047dc1a5936dce3ece1b30e3643a68fe8d7e2343553008f2a0deab18",
"type": "eql",
"version": 1
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.8",
"previous": {
@@ -4322,9 +5162,9 @@
}
},
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "2afc41e645fc2f007dfe22ec27e0c211672070aacd5d5a0a8281a8e68a24639f",
"sha256": "7fa3b7d91df0f6450cc6e044925c196edd851d9521299f034167bb892f7b39dc",
"type": "eql",
"version": 206
"version": 207
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "8.3",
@@ -4340,6 +5180,13 @@
"type": "query",
"version": 102
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"min_stack_version": "8.3",
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "095fc86e65f65030c66df81f286788b89fcf9160e7970ddbb409cc824fc40fd2",
"type": "eql",
"version": 1
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"min_stack_version": "8.4",
"previous": {
@@ -4352,37 +5199,44 @@
}
},
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "3d1c09ba378537737bdaa3bc2bbd9e9934d0e9cb7d50f63d33192377614d85f2",
"sha256": "353e07144858914694113a7e9d29ad53687500c1f60ed7c8b02d9c7cd634bad3",
"type": "new_terms",
"version": 106
"version": 107
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Explorer Child Process",
"sha256": "e8cc9a60bbe510d51bd3ad134669feb9e5cb0fa08160bf27530801138c60e882",
"sha256": "51c78c6f9a1af947f778a0b2a2529d21600647e60786daa70a728174bf87c995",
"type": "eql",
"version": 105
"version": 106
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "b2540b2ad922ec95cfd386da0ca9a614f308ef3262066028d23296d5db87509f",
"sha256": "26cb627c3803eec6cbcf9455a27b56c29ea1f604049232bf2d38813ad0a4d87c",
"type": "eql",
"version": 105
"version": 106
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.3",
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "152428a8434461254fd0550779e5f2ff7b906cf27f44936e520219c6c117b748",
"type": "eql",
"version": 1
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "9a25dad4f89fd07ae509d365c90397c70feb22604338c0b57ed2c43b1498c278",
"sha256": "cb0771065ca25ee179d357d9e53676141cadf572ac31da5e1f00739f85cf36aa",
"type": "eql",
"version": 106
"version": 107
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.3",
"rule_name": "Hosts File Modified",
"sha256": "acfc1d0db0cb1de8a27ec3ec15a3eea599e9644d56ab8bdd06c8678cf1bcee3f",
"sha256": "8f40a74de7484c5086f69c398cea506911f52935e23a27e3a229439cd5c239ce",
"type": "eql",
"version": 105
"version": 106
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.3",
@@ -4394,9 +5248,9 @@
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "33745d6764626a4ad4ef565c71d285cde7a74a318e9622b428483457e45f612a",
"sha256": "594410ed9a140c2439264f3ef7b7bdefa77862b3865a95a2287437856a533db7",
"type": "eql",
"version": 106
"version": 107
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -4421,46 +5275,64 @@
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2",
"type": "eql",
"version": 105
}
},
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2",
"type": "eql",
"version": 105
"sha256": "fb85a79f99efb89bc92c481ec8e21aae037df490635821d5df16cac9b83057fa",
"type": "new_terms",
"version": 206
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "69d5523e4e8bd2c582f84b522bfeae185f56d87fb6f698ba3afd72a1722cfc9b",
"sha256": "dbebd3797fdae528a8f432c6944ceb33a92b55466eaf7317a77173ea58b80423",
"type": "eql",
"version": 106
"version": 107
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "b2885bccbc5942ef0b109aafd8cc5f741f11e702109bfce0e316e37c66a45f02",
"sha256": "8cbc8f08a554be1ad891d12df42a2e456602b21ce9cd4062d2c6428a80073296",
"type": "eql",
"version": 107
"version": 109
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "0cc7ec48190d68c5dc8c36a1df944b214f34c599d8425caea77fbf4875d98ff1",
"sha256": "4cf250c89befd6b335e6331fbef794c1a969a7f19e203c159d5a84ff3c54f944",
"type": "eql",
"version": 107
"version": 108
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d",
"type": "eql",
"version": 106
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d",
"type": "eql",
"version": 106
"sha256": "1f08334b425a0821c64aa8990f322f468a74567993e56ff39c7f39cfafb44380",
"type": "new_terms",
"version": 207
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.3",
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "776c171ad88eb90cf08b8fe5b55c1f9f0303df9c61b6c977aa899c710d7f8348",
"sha256": "b8d4e0bd773e95d96983fb5724ac1405de2f5d491182e453c4dad3af9efe10cd",
"type": "query",
"version": 104
"version": 105
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"min_stack_version": "8.3",
@@ -4479,26 +5351,35 @@
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "18494ff65fcc575a4fe46296da4e82fca3ba729b57b21a1c55c64d81a92924ed",
"sha256": "e2394c0d8724d9f2e57e47f5a50cbfa2d1645b0cf50c8bfce9ce10a202bcd28f",
"type": "eql",
"version": 105
"version": 107
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via DCSync",
"sha256": "183d1fd02dc0fd574742ae54310b3f93b10da3165738e77fcdf8b460f5f7cdac",
"sha256": "dfd7fcad40d953ee8a27b0f8510db3d0cddfa4002ded1a896dbc248170dfb00a",
"type": "eql",
"version": 109
"version": 110
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "6c93604ac3f7c4e56ba67f913a4b594887a31706b87f87c25ce6fe48e9608fc3",
"type": "eql",
"version": 106
}
},
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "479f3fc53ac311718ff6affc4889eeca57ac3a34bf6f10026bf60b6b8e915eb8",
"type": "eql",
"version": 105
"sha256": "ed6e7a8e67076b9fae1eb03416f9d82c7915364a8c9a99c7e4c881a6ce932693",
"type": "new_terms",
"version": 206
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"min_stack_version": "8.6",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
@@ -4506,12 +5387,19 @@
"sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe",
"type": "query",
"version": 106
},
"8.6": {
"max_allowable_version": 307,
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263",
"type": "new_terms",
"version": 208
}
},
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263",
"sha256": "7cd0da2ff3ffb5eb309da5e40ce09ddc719465d69413af21aaa59db60bf569ea",
"type": "new_terms",
"version": 206
"version": 308
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.3",
@@ -4520,6 +5408,13 @@
"type": "eql",
"version": 8
},
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
"sha256": "410784f14d7bf622572e26d5b794f3a0c338a4e24485cc977afa183933cd6ba1",
"type": "eql",
"version": 1
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Topic Creation",
@@ -4537,9 +5432,9 @@
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"min_stack_version": "8.3",
"rule_name": "File Deletion via Shred",
"sha256": "9bb73e05248278c13545b111daf70f5b5b00005f472f1ad9a8ad6dc03a7e4bb8",
"sha256": "6a172e2439d747140f251d1d0e83f556e72ae03725f37bc760d2d4d7649fdd03",
"type": "query",
"version": 105
"version": 106
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.3",
@@ -4572,9 +5467,9 @@
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "189260746002bccbe31e9ddb6ba7e60d701a6e651c5d2c19efe56cd242c954af",
"sha256": "cf164c11d3db4e9e02e907d5c0aef8c3c4aadaf05536b522bb73c9ab3bdb9560",
"type": "eql",
"version": 105
"version": 106
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"min_stack_version": "8.3",
@@ -4586,9 +5481,9 @@
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.3",
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "7e9cfb7b511344e897eac5189a53654f476437241ee0c37b7600d2e033787ca7",
"sha256": "914a39f1d00e560fa0f28e8f67e57de3b2185f0ca422a7b395f419f567383cbe",
"type": "eql",
"version": 105
"version": 106
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -4609,9 +5504,9 @@
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "c26cd675ef7730a95a52e92c7f5bc7144cda7fb9f14144470c96dfe93b036da2",
"sha256": "af441eec9facc8c5fa2be399c6d3a1a2383c4e937ccfca40f8455f599c5d8a24",
"type": "query",
"version": 4
"version": 5
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.3",
@@ -4643,9 +5538,9 @@
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"min_stack_version": "8.6",
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "2bb373420b8f04de56b4e10442d426787ff255a9ed14d92c64f05a0c3334871f",
"sha256": "e730ecd8da8e472be98472039b0fe0d3367e75d284b97851b915bac433ec17c2",
"type": "eql",
"version": 1
"version": 2
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"min_stack_version": "8.3",
@@ -4655,11 +5550,20 @@
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075",
"type": "query",
"version": 108
}
},
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075",
"sha256": "10f0e0afc0e8f51f1c37dc1a9885a33dd37e56c43f029b3c5865e4983baefb3a",
"type": "query",
"version": 106
"version": 208
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"min_stack_version": "8.3",
@@ -4678,9 +5582,9 @@
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Office Child Process",
"sha256": "e666ba885bd91e597b94e0359330e1a02c9c59b43b48de599aeb78a26c32aaa9",
"sha256": "1b6c475dbb4e03fa67ed24f68234e633e098831572aef47077e72f8dfe6957cb",
"type": "eql",
"version": 107
"version": 108
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
@@ -4689,6 +5593,13 @@
"type": "eql",
"version": 104
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "8.9",
"rule_name": "High Mean of RDP Session Duration",
"sha256": "da4ddd46272515e372d09fc4efb2d394cba8e054b0ce9bd555adef5a46d91034",
"type": "machine_learning",
"version": 1
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler SPL File Created",
@@ -4717,6 +5628,13 @@
"type": "eql",
"version": 1
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"min_stack_version": "8.9",
"rule_name": "High Variance in RDP Session Duration",
"sha256": "c0f263fa0ff7d4e7f059e58dd7c707af412cdea311f76703517ce73844a1267a",
"type": "machine_learning",
"version": 1
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
@@ -4749,16 +5667,16 @@
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "a73b1eb6b898a6e001202a04fdd4d7fb4c5b701bd88b68a6840f1260506c2e68",
"sha256": "7844ec8c0187f632d87cd6160ec6fbfa6968c5922e6a07bb3372475a6a1b5f31",
"type": "eql",
"version": 104
"version": 105
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"min_stack_version": "8.3",
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "c71a73ed18eadca2c2c082ca0d511745ce0960e56167e3ed59116b93c8b2720c",
"sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee",
"type": "query",
"version": 103
"version": 104
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"min_stack_version": "8.3",
@@ -4770,9 +5688,9 @@
"aa895aea-b69c-4411-b110-8d7599634b30": {
"min_stack_version": "8.3",
"rule_name": "System Log File Deletion",
"sha256": "6fee4b495f1438946191a9f0a5d18e790c19b3546166fa5dc0126a090844c515",
"sha256": "14e5354aa44af54186285133c4a176bf18dd8b2c1dc22c1555bd658ca8aed767",
"type": "eql",
"version": 106
"version": 108
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
@@ -4791,9 +5709,9 @@
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
"rule_name": "Remote Execution via File Shares",
"sha256": "9a5ead5bb94a1738ef4a8c11bf9f462123e5bd0feb2519f360526765f6f33939",
"sha256": "9960496bb3be4ae85c905a65d9967cce3c87c957c5b9c0a36e7940676dc24fac",
"type": "eql",
"version": 107
"version": 108
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.3",
@@ -4812,23 +5730,32 @@
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WerFault Child Process",
"sha256": "afa61dc2050d9a7e20f967d9211dda8036fdb4e3a725c969403a31ceb567ba33",
"sha256": "0f822c4116038c91a881a8b8eda9017407457ea3498167dea425f66a161a9067",
"type": "eql",
"version": 107
"version": 108
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Unusual AWS Command for a User",
"sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual AWS Command for a User",
"sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a",
"sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49",
"type": "machine_learning",
"version": 106
"version": 208
},
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Server",
"sha256": "85b49fc5764428ee7a05cbde9d031b14b82f8f03824c859dd58ec45f25c8a091",
"sha256": "48bea2e83f12194db4f91544236e97199adeadca828f332acc5c23da9f9d9206",
"type": "eql",
"version": 1
"version": 2
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.3",
@@ -4870,9 +5797,9 @@
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "bedefb3843c8bab1185b36e6c8ced6d50cf2e073be5c0270dbbb3b1b27cb89f9",
"sha256": "f9f3abc0bcdf5a397a26aac862f259f0a5b8a25feded07e85dcb9a308c799f23",
"type": "eql",
"version": 104
"version": 105
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.3",
@@ -4906,9 +5833,9 @@
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "908f3060b0c4846a176cfe5ad9f2187c6bf23b09a3fe9833680c524f1b6ff701",
"sha256": "8f2f24455938fb5ea09e3ec7060090a25a269b6678183d00e54a6414e2df8ebf",
"type": "query",
"version": 107
"version": 108
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"min_stack_version": "8.3",
@@ -4920,16 +5847,16 @@
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"min_stack_version": "8.3",
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "bb502a72d7b3be033796d389420de72438dbe7d44096a7b8203caa4e7676c5aa",
"sha256": "8cd17e47485c9d7340c14995dfe14cbab3158f5de2a29a64a2e8281e1236dc66",
"type": "eql",
"version": 107
"version": 108
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Communication App Child Process",
"sha256": "d195fb652753fee06135cdc5beb9fb65b68e7895f9d0fc199416d9269c88cfd6",
"sha256": "0e8ff7a50a23c7b9726e3fce8b74834754c75e9cc4bee21fddbb73b9acde9c43",
"type": "eql",
"version": 1
"version": 2
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"min_stack_version": "8.3",
@@ -4941,16 +5868,16 @@
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"min_stack_version": "8.6",
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "26c12224f8502e7fc4d3293edee86f433e5a9232a94ff1ed704587a9c019e640",
"sha256": "aad1b5a33619e6512fe65f763c3bf7efc9340426847e9521aef7529ed7b820a1",
"type": "new_terms",
"version": 3
"version": 4
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"min_stack_version": "8.3",
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "e5a5fa72494c859d18b55169da07fe4402091b7b621b55c497592cfe489f3912",
"sha256": "c98963d7bd8d88e43392beedefd94e993beba6832757358cbd30700b542c64d8",
"type": "eql",
"version": 1
"version": 2
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.3",
@@ -4962,16 +5889,16 @@
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"min_stack_version": "8.3",
"rule_name": "Network Activity Detected via cat",
"sha256": "842200b53b379cfcfe0e98cce8c0775e7120c7312edc3aecaa2cae7783559566",
"sha256": "3efeb12f45b961fb82eedcf17858c557c07e762e46a219c0988da6b4f07502f2",
"type": "eql",
"version": 1
"version": 2
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "c8effdbedbafb2183ae0ebbed62b0c5290d8157f7c6cf64bd0f9df02ee6c44d7",
"sha256": "0bf1a7ca2b5b8e549eb4f67bc0935b74f3f25e139397f7b67fa4657d5d14de9f",
"type": "eql",
"version": 2
"version": 3
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"min_stack_version": "8.3",
@@ -5003,9 +5930,9 @@
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Share Discovery",
"sha256": "6b2beff828f6dbc7e7b0afe03808d0497daf94d97c99afb60f9b17cf65c76cb9",
"sha256": "eb213dc86c103363dad386e08221252c0d865f53b002b17fe09c36adb6631ec5",
"type": "eql",
"version": 1
"version": 2
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"min_stack_version": "8.3",
@@ -5045,9 +5972,9 @@
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "850a993dfb6eda757d5c928ddadb446f3ff907e01cc16c715a8274d56c405fa0",
"sha256": "aa283cd7566eebaa3e98d93024a7710926f4bb3dac4a46d97159d6377f7ee8ca",
"type": "eql",
"version": 106
"version": 107
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.3",
@@ -5064,39 +5991,57 @@
"version": 104
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba",
"type": "query",
"version": 105
}
},
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba",
"sha256": "1382976ef19290c1857b535d15facff537acd5d5a33e5575372bef70ba4c9090",
"type": "query",
"version": 103
"version": 205
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"min_stack_version": "8.3",
"rule_name": "At.exe Command Lateral Movement",
"sha256": "893d370046656c516a3d5b747ce8da0049fd49f11a14f685446dca5ada7bcbcf",
"sha256": "dd7f70787fff06dbfcdc2556f504ad62feda00ed2e1fa5d7effab3a1be31482f",
"type": "eql",
"version": 1
"version": 2
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04",
"sha256": "614c1c668c20b47ea3131ada30c8e3553492804e1a59c5580715f70c757d07b6",
"type": "query",
"version": 104
"version": 206
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via OverlayFS",
"sha256": "933503a94667894209a5220b062fe18f2b075d5c0c0608171a3843cb264a4429",
"sha256": "c7deb10ffa59d05fbac1583edf15b565628cec521edbceb803f9b15c91400b85",
"type": "eql",
"version": 2
"version": 3
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Console History",
"sha256": "7cf6587d86fbdfeb3c6513bb3c44adaeeff97831c1afb84ac5aa64fb8ed82298",
"sha256": "9f885fb22e236780df0b7209ca3b783bbbe19b69cd285ad32c8a24005ef089e7",
"type": "eql",
"version": 106
"version": 107
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.3",
@@ -5115,9 +6060,9 @@
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "e83adb7abd38295e3992be00556c51a2381e38d400259af3c0d3ba9e3abe6d2d",
"sha256": "9fbd1c201afd94da2c21d31f6797a87f96380d6cb42df20af7ad7205ffcd05ac",
"type": "eql",
"version": 106
"version": 107
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"min_stack_version": "8.3",
@@ -5127,18 +6072,36 @@
"version": 103
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8",
"sha256": "6a65ec96ad5423adc711dfec4c404f2e552f894f68eaa80a1f242d64218bbdc6",
"type": "query",
"version": 104
"version": 206
},
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3",
"type": "query",
"version": 105
}
},
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3",
"sha256": "1177bae4785512b7c84e85287f4a1e6555c016a06a1a91407ee74cee2c622ae3",
"type": "query",
"version": 103
"version": 205
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"min_stack_version": "8.3",
@@ -5171,23 +6134,23 @@
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.3",
"rule_name": "Kirbi File Creation",
"sha256": "5cc88228ed8f2119aba7d21bef4e172fec1499a3b3b8168eb439cb581d94c2ac",
"sha256": "34a4c6af4a0abec4b49761fd3410e7ce843a7cd917929009de084283086d34f2",
"type": "eql",
"version": 1
"version": 2
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "26cd2a27b9188a119adafb00b69b4b1d5bbcbc60cfd384696c76c50e54bcff5d",
"sha256": "c5173c7852d544188783ae8ad6360a27c4dc99276c45cd65516112c2f3a24d88",
"type": "eql",
"version": 105
"version": 106
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.3",
"rule_name": "Chkconfig Service Add",
"sha256": "ed8d32c408ebce2c38e498744b7f617e2d9a2b9a38139ad447c1c100b5844299",
"sha256": "975875643c470662591b7f92890f341af3ec06aaec4d7462d89b555ab08b31ea",
"type": "eql",
"version": 106
"version": 107
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"min_stack_version": "8.3",
@@ -5213,16 +6176,16 @@
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "e1cb2516563dc7520157b944c165c5b231a99942cdfcd049f1ef1d3213bf29d1",
"sha256": "24e7bf23a9b423f0ee788a5d588692dbf4cb7d5a9de672b20db27deb8f3d05fb",
"type": "eql",
"version": 104
"version": 106
},
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.3",
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "6babe233910e674621a9caa5ef06d385da6c55f240c6169e50263b3ee15edba5",
"sha256": "c475fe418c9dd5c5b6a357004cecb0f77ec12520167b225d77dcb436eb1094fd",
"type": "eql",
"version": 105
"version": 106
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "8.3",
@@ -5234,9 +6197,9 @@
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "2a8f252310526865a66c043e6fce6a09a1f3bb3a23422aefd2e8782f9f25e414",
"sha256": "4e20d0099e197e490805cd6edaf652e4b192b1c67cd120c9583905ac929dd623",
"type": "eql",
"version": 104
"version": 105
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"min_stack_version": "8.3",
@@ -5246,11 +6209,20 @@
"version": 102
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd",
"sha256": "60c1a7d5d2cd24c909689b37015df4508b993bdd925b050e1b45df21a23479ba",
"type": "query",
"version": 103
"version": 205
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"min_stack_version": "8.3",
@@ -5262,9 +6234,9 @@
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"min_stack_version": "8.3",
"rule_name": "Potential SYN-Based Network Scan Detected",
"sha256": "a2fa63d2505d8c71652f2a4e23c141d1682d9ff045c088e18b89c6e85508516d",
"sha256": "2425bfd3bc54bb802d2646cf30575b92b6de9f1768145e593f3640a9ed1ba450",
"type": "threshold",
"version": 2
"version": 4
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"min_stack_version": "8.3",
@@ -5274,11 +6246,20 @@
"version": 102
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Root Login Without MFA",
"sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Root Login Without MFA",
"sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26",
"sha256": "8f967af66ccd21f236403f460e274db15d0dab8e769626d091f26ddba123de07",
"type": "query",
"version": 106
"version": 208
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"min_stack_version": "8.3",
@@ -5304,9 +6285,9 @@
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
"min_stack_version": "8.3",
"rule_name": "Potential Non-Standard Port SSH connection",
"sha256": "92fe0317a5bf0deb57dbfeb4dcf96a13fa08ceb7e7a1e13f9f597eb9c94cda33",
"sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26",
"type": "eql",
"version": 4
"version": 5
},
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"min_stack_version": "8.3",
@@ -5322,12 +6303,19 @@
"type": "query",
"version": 104
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "d63cfc91fa9b1bb91389ee64591686beafffd9f84982f78f22bcb437826e0180",
"type": "query",
"version": 1
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Keylogging Script",
"sha256": "3d79fb63abbf974eea35cef0856ce1d799ebbf00d6ca813fc02212c88846a9b9",
"sha256": "e5e42d67e73c95c6558439ae96e3515ae045a15b9cf9349190ccb7ce1a5c3258",
"type": "query",
"version": 109
"version": 110
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"min_stack_version": "8.3",
@@ -5346,16 +6334,30 @@
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"min_stack_version": "8.3",
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "3e3047dea72b0e200ecac521c558ec5c07205beb177d77602fbbc760d41b3735",
"sha256": "95a277633a730cc76f1f3dd56678af752c6c0b11bd0eca7bf678452efce66786",
"type": "eql",
"version": 1
"version": 3
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.3",
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "9788f2c111d4f8b2f3e0fe64bf7ae3413c3de45f8b030b8611720aac8b263436",
"sha256": "49544ad4d81ab915c9fd10546c551f9f16cd314bd11afeb39e1d8c2f92d61242",
"type": "eql",
"version": 105
"version": 106
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "5ae04a57c1b38d7e0492041cf77dd21a4f39bbab4665de39b2fa755166cf1faa",
"type": "machine_learning",
"version": 1
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Directory",
"sha256": "4ed65ee17e5e6a2e754823609612583d0e717cead35636b67da9903546d4f880",
"type": "machine_learning",
"version": 1
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.3",
@@ -5365,11 +6367,20 @@
"version": 106
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6",
"sha256": "31690f503f33025d8d634b7c33d01adff504c8c0cdfbeab6519116149937669e",
"type": "query",
"version": 103
"version": 205
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"min_stack_version": "8.3",
@@ -5378,12 +6389,19 @@
"type": "eql",
"version": 2
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "5b26c01b0dbc43669ecd86f7d517896559de73bb5322add585302163804f23fc",
"type": "machine_learning",
"version": 1
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.3",
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "7571708ba81c1f4c57ec35169932645127841b408009313e8f8135ce0047e56f",
"sha256": "48070e6a13563fdaf1cc968863fd1afaf4838e89682767a13af387858571ec00",
"type": "eql",
"version": 107
"version": 108
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"min_stack_version": "8.3",
@@ -5395,9 +6413,16 @@
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "1d3f46774fa553848617bda8c90e9702f60b946e32a622488929bf506f40dae3",
"sha256": "b703ff542262a1b01cce71377aa6ca313a15387e5c2b986a98d27924ecb2782f",
"type": "eql",
"version": 105
"version": 106
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"min_stack_version": "8.3",
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "d6064fcc8c3a68d8ecb16d376fef04353be367b0f897433bc82b46a6569f0eb5",
"type": "eql",
"version": 1
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"min_stack_version": "8.3",
@@ -5409,23 +6434,41 @@
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Renaming of ESXI index.html File",
"sha256": "2195aa627b79e9257bce750418e362ba1b3e8afcb6b58e9fb9d1e7cb145e171d",
"sha256": "6ce01312cbd857003098b2b0753a1ec8356a09b109b020cdc2ab369082ffbf8c",
"type": "eql",
"version": 3
"version": 4
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d",
"sha256": "53d6e6b5dc3942bb911622ffd2582ed4e8a3bff445df0e269aba07ed320f34e8",
"type": "query",
"version": 103
"version": 205
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"min_stack_version": "8.3",
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 100,
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878",
"type": "eql",
"version": 1
}
},
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878",
"type": "eql",
"version": 1
"version": 101
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.3",
@@ -5493,9 +6536,9 @@
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"min_stack_version": "8.3",
"rule_name": "Windows System Network Connections Discovery",
"sha256": "56bf9828457985099728e90f9046ec5d50ba668e7b911712abec96eaa3d6d665",
"sha256": "16cd4b39c59281f69407d88a2f0bbadab7ac9d1408c9e0c6e5400a92f25898d9",
"type": "eql",
"version": 2
"version": 3
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"min_stack_version": "8.3",
@@ -5514,9 +6557,9 @@
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "0754db6d4f87bf3dbed35d286a6313e4dd925ac4336f36dfb27b7f5fdb03719d",
"sha256": "0710403c8d618e71c165c7b8eb160bed4e6e439b9d9c904d9b5af9aa9be9588e",
"type": "eql",
"version": 105
"version": 106
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"min_stack_version": "8.3",
@@ -5528,9 +6571,9 @@
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "cb3a027cc825279d6ff1f31d31e63c3ce7ddce596ef2f0427bba0b3ffeb643f6",
"sha256": "9703a3f1e0ab87710ef683407452f9491a296fbb9fb21c1270d48f28039443a0",
"type": "eql",
"version": 104
"version": 105
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"min_stack_version": "8.3",
@@ -5542,9 +6585,9 @@
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "8cf1d0abaed488b33ec708608f9a5ba1ec08a67e664df9145ebf1800d2701adb",
"sha256": "a6a7a57d9d9f53170aaca5b52e31fa5987b52d03287d461f35903e7a94f3c49e",
"type": "eql",
"version": 106
"version": 107
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"min_stack_version": "8.3",
@@ -5567,18 +6610,36 @@
"version": 100
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a",
"sha256": "32aa247af72d8bfb3ed85d34d5c359b595a21f5b5ef6703aec68875147b2110f",
"type": "query",
"version": 104
"version": 206
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0",
"type": "query",
"version": 105
}
},
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0",
"sha256": "d9ce411d12a9dcd03a68e93eedabd0fc200c743908746faf634ade8744ff7f32",
"type": "query",
"version": 103
"version": 205
},
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"min_stack_version": "8.3",
@@ -5606,9 +6667,9 @@
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "26595f8f9541a3d4b1ce33b50669bb5f8e620a68f9063c6c07ef0eef97271b42",
"sha256": "462a72ca87888591497bad05c41909f4b20b28e8be26d594546e563f178bd706",
"type": "eql",
"version": 106
"version": 107
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"min_stack_version": "8.3",
@@ -5627,9 +6688,9 @@
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"min_stack_version": "8.3",
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "128d5682da221aeffcdc38868dcaa75f484b8b2411f3c7a2eae8881f6e41e861",
"sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67",
"type": "query",
"version": 102
"version": 103
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"min_stack_version": "8.3",
@@ -5654,37 +6715,37 @@
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"min_stack_version": "8.3",
"rule_name": "Parent Process PID Spoofing",
"sha256": "c3dac03f556b89e88f147aed56f297767b5d0a9110cdf317ef621032e9aae739",
"sha256": "e1789b1189d98d1c0dd3e14aef3df67f994982f60001aab44c9785a8bab9bb3a",
"type": "eql",
"version": 104
"version": 105
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "6c899bbc998ab3b8926434c8838a0567b3e9daab6ac42337689be77fa96f4c6b",
"sha256": "d16c1571f4991e8257fc206ff4e66afbab3d14994c0b00534ab992bd948529be",
"type": "eql",
"version": 5
"version": 6
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "d820917b8b190283034007d7db8ba4ac8ef6bd82e9d9d8a9f256976c0fa2623d",
"sha256": "1d46ce00fb8fa393c7b0122644b3e0a367bb2ce96e5767209a2e3f101b552c52",
"type": "eql",
"version": 107
"version": 108
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"min_stack_version": "8.3",
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "dfa996d0665851351caf73bca44bb19208342678d818aff4cc77005b0092ca67",
"sha256": "a2dad54c59a4df7c89caa5e11af6d9425532fe82b26ef1c0588f4d7b835f71ec",
"type": "eql",
"version": 106
"version": 107
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "1d87bf52f955049b3e1220e65c69464b5d6c21362b8762df0b397d412b1537ee",
"sha256": "a5e68609def010ae4cea5c31b29ec9740ce793360ee2d0c8995ce5c93286ed58",
"type": "eql",
"version": 3
"version": 4
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"min_stack_version": "8.3",
@@ -5703,9 +6764,9 @@
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "94fbed29b0713d997d61575509179ec8a3aaf3580b4c2661a2a42ef4e7e50aef",
"sha256": "cbc3f42a7bcbc551c94f4915bbf898b210a4747c014608e39f4a2a12501d1682",
"type": "eql",
"version": 4
"version": 5
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
@@ -5725,9 +6786,9 @@
}
},
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "16d0a37c5a0c0c7de7d31afcbfae78cadf1e1c87ed0eb87f347d3c6a44b1ae00",
"sha256": "5f9d6f9747305b2a9d59f1c2bb89ec12610c7490a57f1ccb24de236f42839d9b",
"type": "new_terms",
"version": 209
"version": 210
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.4",
@@ -5765,6 +6826,13 @@
"type": "query",
"version": 104
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "6be5434c46b81e00bf29a5b3c08506bb5fefe291cfffe9666594851bd81d5007",
"type": "machine_learning",
"version": 1
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
@@ -5789,11 +6857,20 @@
"version": 104
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999",
"type": "query",
"version": 107
}
},
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999",
"sha256": "b478201ba15dcd2c82b79fa58c4c175e917d642653a86009ecf389042156d85c",
"type": "query",
"version": 105
"version": 207
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"min_stack_version": "8.3",
@@ -5803,11 +6880,20 @@
"version": 105
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6",
"type": "query",
"version": 106
}
},
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6",
"sha256": "06745b57fd263169ae59b2d860b840a6deb4a911da424fa9267827a54e77c61f",
"type": "query",
"version": 104
"version": 206
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
@@ -5825,9 +6911,9 @@
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"min_stack_version": "8.3",
"rule_name": "Kernel Module Removal",
"sha256": "06acdf4e4f36bf4d2e6e3f0d424b81264fc5262e89ef2db45dae483404ffce09",
"sha256": "7b92ec2e6a2290e49b0168c42351731b5a03508b59cbed4d0dd0127f6ab8ded1",
"type": "eql",
"version": 105
"version": 106
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"min_stack_version": "8.3",
@@ -5837,39 +6923,57 @@
"version": 1
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
"sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
"sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7",
"sha256": "21e5d78749220436e967eeeb044dd1f1f605e2586c03e609b54561405c40cccf",
"type": "query",
"version": 104
"version": 206
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Okta User Session Impersonation",
"sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5",
"type": "query",
"version": 107
}
},
"rule_name": "Okta User Session Impersonation",
"sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5",
"sha256": "0a3253294eddbc09d843b81fe8f461f26e5b01e8456dc88dbce7c79923ff93b7",
"type": "query",
"version": 105
"version": 207
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "8dd2c1c84b0fc1c9b380b49e3924012569cff3b126def7c497f092a63a057eff",
"sha256": "cb505702842c62bf14d57f592e2da9b793b4232bb14db1dc07ce3ee3dca88d72",
"type": "query",
"version": 5
"version": 6
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.3",
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "e749e4d6a22d62d8564e36ff162cddb0342351273f7ae3f914f1781e4a6757e0",
"sha256": "2abbf97e21f0197022ef274f0c7aaf1326d6645628f586e1bbc7e75dd4bf6dac",
"type": "eql",
"version": 105
"version": 106
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"min_stack_version": "8.3",
"rule_name": "Cobalt Strike Command and Control Beacon",
"sha256": "d72e36349524c074ac047562258cfce46273ee90ce47cd6b4d7bf6583558e37b",
"sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967",
"type": "query",
"version": 103
"version": 105
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"min_stack_version": "8.4",
@@ -5887,6 +6991,13 @@
"type": "query",
"version": 205
},
"cf575427-0839-4c69-a9e6-99fde02606f3": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Activity by User",
"sha256": "2dec950ffa14b4863a879f391b045196709a774f032c8bc35d8f61ba20e2bfff",
"type": "new_terms",
"version": 1
},
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
"min_stack_version": "8.3",
"rule_name": "Trap Signals Execution",
@@ -5901,12 +7012,19 @@
"type": "eql",
"version": 108
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"min_stack_version": "8.3",
"rule_name": "Archive File with Unusual Extension",
"sha256": "6fc1f60a466fb9cafbd52086ffba78f59d5ba996e6301563a12e09205b193e84",
"type": "eql",
"version": 1
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"min_stack_version": "8.3",
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "62f6fba73304cb10595e4f538a276512b741e0029111d72087049753411361eb",
"sha256": "400a4ff29714ab2561d2a413f2f404116f8fe1067cb678f32d05daa204ee8316",
"type": "eql",
"version": 6
"version": 7
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"min_stack_version": "8.8",
@@ -5918,23 +7036,23 @@
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "ec194a453dd3acbf1dffd2e109f77cbbc7051fdfa80409701304809ce5654c43",
"sha256": "c206dc61a4c2ae0d1f412a63bcffc413ce72bb6de4d4c86c670d3c066dd1662e",
"type": "eql",
"version": 105
"version": 106
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.3",
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "da76314ab374a374b6612165cb783f7d25612235f241744919149cb6d00af975",
"sha256": "077587010e7e194ab3d20e99f290d4a9813931fa3a4c1f4bd01f8a875b0a274a",
"type": "eql",
"version": 106
"version": 107
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"min_stack_version": "8.3",
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "58dd943fa10c8dc106e4f561c6a5755a555d7dd1116a6e82a02678f77be051f4",
"sha256": "bcc8530ce8aa18d4efbc4c6c3709e6308cacb5408758aa722e8a7c30dca27138",
"type": "eql",
"version": 2
"version": 3
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"min_stack_version": "8.3",
@@ -5959,16 +7077,16 @@
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.3",
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "73e5e14af530fc3c0ff1a000b5b32bc30097045766025d6a7240dc31794faa7e",
"sha256": "52bed23a3a6e8d13a93def9f01fc3f4de6094c7cbd2b55eb10637d659a556dd1",
"type": "eql",
"version": 106
"version": 107
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Event Logs",
"sha256": "14a1097b7ee5b1d73b9dd86e6c7326ea224be99416f6f947d03c968723badf8c",
"sha256": "8ab63a4886ad2a72cbb3c1b616a3f462298f7cc74de154654064c96b035d343e",
"type": "eql",
"version": 107
"version": 108
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.3",
@@ -5992,11 +7110,20 @@
"version": 104
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7",
"type": "query",
"version": 105
}
},
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7",
"sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6",
"type": "query",
"version": 103
"version": 205
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"min_stack_version": "8.3",
@@ -6022,16 +7149,16 @@
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"min_stack_version": "8.3",
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "a386bc0314dc614dce09c10f76f04e239c85cffb8e305a1a37dc816fe8d0e466",
"sha256": "f5c2c64714e19cc3d5437f0039d3baa83ae9aa8fd5af5dcbd5b6655156c6e9af",
"type": "eql",
"version": 1
"version": 2
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "351666156e6d77e8c9c195311cd45ba8c31b9e97ea0fd1503c48c15a776c1918",
"sha256": "3c95ccf8f67a50f03ac411052a8a2da81d0483634ff43782835b20a2eee49275",
"type": "eql",
"version": 2
"version": 3
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.3",
@@ -6041,11 +7168,20 @@
"version": 104
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6",
"sha256": "537f87bddcb81e9ba189e215fbb67e630dc5362f718cb3d8e57f843bd129033a",
"type": "query",
"version": 104
"version": 206
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"min_stack_version": "8.3",
@@ -6055,11 +7191,20 @@
"version": 105
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f",
"sha256": "5bc55e01a217a6d8069b08e636d1e12080f2a96b645cc68f8f33806d04a820ee",
"type": "query",
"version": 106
"version": 208
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"min_stack_version": "8.3",
@@ -6077,9 +7222,9 @@
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"min_stack_version": "8.3",
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "123d0512c4355047e5fc67352b4ba9a65b7bd2515f7513409a0276a2414ce054",
"sha256": "e19053836a709b816dc84ce8ced0ba8168ccd803d9c077141d35d3a0679f082f",
"type": "eql",
"version": 6
"version": 7
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"min_stack_version": "8.3",
@@ -6098,9 +7243,9 @@
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.3",
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "e5a39260fe132207d539ea518652001adadec98c3bbe9ddaff7d7e7b0e673a57",
"sha256": "be781bb6c568f6e3338fe8a85423ad7b2bed67673e71befc92524a519bf29602",
"type": "eql",
"version": 106
"version": 107
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"min_stack_version": "8.3",
@@ -6119,9 +7264,9 @@
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"min_stack_version": "8.3",
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "23765713e12113ddb20663a6b929ed119d23f9106635fe4998ce6990dd394d97",
"sha256": "c44526d9a91a1fd72764e5afb5ad5c6a99415825884efde1516a72afc827756a",
"type": "eql",
"version": 107
"version": 108
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"min_stack_version": "8.3",
@@ -6140,37 +7285,53 @@
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"min_stack_version": "8.3",
"rule_name": "SMTP on Port 26/TCP",
"sha256": "a83fb857076a042c492fa2affcd6539e499ab52f67b336d1e47854a3e23a13d3",
"sha256": "3816b9a7c573ec98806b9cc52fc8e281cd0559c43a7c7fce52c60f63c8a8eb2f",
"type": "query",
"version": 102
"version": 103
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"min_stack_version": "8.3",
"rule_name": "Untrusted Driver Loaded",
"sha256": "c5ce1faffd687af5423c4bad755a8d5d182a6c74fde100b49092067a43111e70",
"sha256": "aa9adda1ac8dfe9c91e83c7741e046bb1553fda39b7e023d70c58e86fa012e11",
"type": "eql",
"version": 5
"version": 6
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53",
"type": "query",
"version": 108
}
},
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53",
"sha256": "7e7bcfe14adab55f0ac9ab6478a826ff0dff7b31efe686b94a1bbf30d730bdd6",
"type": "query",
"version": 106
"version": 208
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "638b38528aaa1d362737de0ee6c2c010913f44c8179a2ac928dbedc9473049f6",
"sha256": "8442e8cbb922de0f547562302bde985f3e343662547902ae1b3ad81817991b14",
"type": "eql",
"version": 106
"version": 107
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "8376f30e9c1abd833e2b39242f04ba3f296fe0f2c153e3feda039d77b73ffd6f",
"sha256": "2102e91dda480a20979378bce1f9ce3243b54439c2ac1961ad795862fe956692",
"type": "eql",
"version": 5
"version": 6
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "fd0e143d1c3b97e0d0f5faf7c2574e3a80509905c6d6564cc15eadb49661058d",
"type": "query",
"version": 1
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"min_stack_version": "8.3",
@@ -6202,9 +7363,9 @@
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"min_stack_version": "8.3",
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "b778970c6f8ec04e3dbcf851f3553e72e19420cdbf1181efb2a8d360ec4f49a2",
"sha256": "f4edf52a98e83ab010153cdffb7067610814b7fcc0414bb5e8dcee5bf8d0d3ff",
"type": "eql",
"version": 1
"version": 2
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.3",
@@ -6223,9 +7384,9 @@
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "f64d050e90fd179771887f3ae5d3ecdd6d9c638572d6ecb8cb513fddcd5496df",
"sha256": "e4df76ec7b5df39c1969e559f1a6da83fa65a42ce5b7d0309e543137738e41d0",
"type": "eql",
"version": 2
"version": 3
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
@@ -6236,23 +7397,32 @@
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"min_stack_version": "8.3",
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "df8a6dcbb0d179f109c810c8d819c0e48c62c8280a2c6196d00ba951b1486594",
"sha256": "d42dea9b11a475bd84ac3a3f2a7556720a15eec56ff92168c87ed712e91e8908",
"type": "eql",
"version": 3
"version": 4
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "2ec7ebca77b749a6e4385185ffcbdbc71c0c3a9600b7599bb7b6462c6d84a28a",
"sha256": "068a220aff143f426d32e403fb68a377e120e375f657e84217c3eb4f399e543f",
"type": "eql",
"version": 106
"version": 107
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Unusual Country For an AWS Command",
"sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Country For an AWS Command",
"sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946",
"sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561",
"type": "machine_learning",
"version": 106
"version": 208
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.3",
@@ -6271,9 +7441,9 @@
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"min_stack_version": "8.3",
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "cdf948e2a073cb6319fa302acc7b0fc8a11477746659be69cff0c9b7860403b8",
"sha256": "6ff22a837ebb0aeecf0c358977ae439d6e5c872e7d002a5a13622b00638fa02a",
"type": "eql",
"version": 105
"version": 106
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"min_stack_version": "8.3",
@@ -6285,23 +7455,32 @@
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"min_stack_version": "8.3",
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "0ec40a6ffaf45b8d92ca2b163b9aabf5bde1a0fbb801e77ab931a36571295fb1",
"sha256": "e1754aece5bca9de7f3a297a9ebcfde160a4c48fdba1042e55a503c43af3a487",
"type": "query",
"version": 105
"version": 106
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 101,
"rule_name": "Query Registry using Built-in Tools",
"sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd",
"type": "eql",
"version": 2
}
},
"rule_name": "Query Registry using Built-in Tools",
"sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd",
"type": "eql",
"version": 2
"sha256": "1ce3bd6bd9c91187b6ee6941b8adf51a9bc72c81dd5bcc25fe03bd480f1122eb",
"type": "new_terms",
"version": 102
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"min_stack_version": "8.6",
"rule_name": "First Time Seen Driver Loaded",
"sha256": "e35873c4c836a040e5f558474966d7bd8b224776bcebab71cd3db0279a1068d2",
"sha256": "ad243a0040fbf3b300d379e356e6d3eb10209a2132942ac2f4e08962b1e8bd79",
"type": "new_terms",
"version": 5
"version": 6
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"min_stack_version": "8.3",
@@ -6320,9 +7499,9 @@
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"min_stack_version": "8.3",
"rule_name": "Dynamic Linker Copy",
"sha256": "3e2bd8f151616982adae6eeff5311584831c41100d151b5327e9a39e41354ef4",
"sha256": "4c3f4b8b94c3abf50fada6c7104d6fcffb6126ad61920c98219b8ca2d1f7af00",
"type": "eql",
"version": 104
"version": 105
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"min_stack_version": "8.4",
@@ -6346,6 +7525,13 @@
"type": "query",
"version": 100
},
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"min_stack_version": "8.3",
"rule_name": "Delayed Execution via Ping",
"sha256": "dea7cf4add6220cd27ddb9f1a641b95436204b87ca0fca1c18dc903d50ce57a4",
"type": "eql",
"version": 1
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"min_stack_version": "8.3",
"rule_name": "Azure Firewall Policy Deletion",
@@ -6363,16 +7549,32 @@
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.3",
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "ff2526e88d22d00ba16eca2c07ec3bec5e06c7785739a7ab842edd79c975943f",
"sha256": "5b07769d45f5a33fcbe539609647986809d75daea1b8aa5874d0ae7f0e6a8892",
"type": "eql",
"version": 4
"version": 5
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "71bc21a2e39ae429903f27a300a650a34aed1adfba8e5ce63f527c8362e23d02",
"type": "threshold",
"version": 107
}
},
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "71bc21a2e39ae429903f27a300a650a34aed1adfba8e5ce63f527c8362e23d02",
"sha256": "10ee903471646d3de3429f99b45cf5e5d7fadc3fda75e3d87f0d1f495d30f511",
"type": "threshold",
"version": 105
"version": 207
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"min_stack_version": "8.3",
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "b30b5b205b4d258de4072197ae2f131b0716891f4297ffc36e6a2549b7ca66fc",
"type": "eql",
"version": 1
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"min_stack_version": "7.16",
@@ -6389,32 +7591,57 @@
"version": 102
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route Table Created",
"sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route Table Created",
"sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835",
"sha256": "4081dda0ac65323a45109124e0222f68584e912ecdc216ad1e2f5b8f9f431afc",
"type": "query",
"version": 103
"version": 205
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Cluster Creation",
"sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Cluster Creation",
"sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf",
"sha256": "064737df50105c6e8c5336eb8537b218f80ef6e29e079214fe8dca37dc5bda32",
"type": "query",
"version": 103
"version": 205
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"min_stack_version": "8.3",
"rule_name": "Connection to External Network via Telnet",
"sha256": "812d614780faf4725c6f1f5361fd6e47e40c2ea93429a55d3e577c3517074577",
"sha256": "ecd74e5b4a0d9320b567ccff15b0551b10812d52a6a99e120eb4e09dc3c70a70",
"type": "eql",
"version": 104
"version": 105
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "1ce0e6ef09a67c9f0018cebdedc41c09e0f2d980c0892d2c58f1e17af536bd70",
"type": "machine_learning",
"version": 1
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "d5d199aba7de4375e54e1a420264755c1e6c6e2326dabf9ca76f2cd5285ebe46",
"sha256": "c283a96f0e6778b4047079842cb8724e31caef3444301c6475256a53b012ee57",
"type": "eql",
"version": 3
"version": 4
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"min_stack_version": "8.3",
@@ -6426,16 +7653,25 @@
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.3",
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "619ca917a538026a7832ad49ce85327632de2c6218731727c03f1492ef67e712",
"sha256": "8c840abd0eed39efbf4517ceb247d5a1e29c14df891f7fc68b9c8ca19af732fa",
"type": "query",
"version": 108
"version": 109
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Management Console Root Login",
"sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Management Console Root Login",
"sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89",
"sha256": "c4f8568aee037cc76372958fdfc1556649341e70f4d8ffc9a8a3f8c1e5fbe0e6",
"type": "query",
"version": 106
"version": 208
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"min_stack_version": "8.3",
@@ -6454,9 +7690,9 @@
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "b8ef093aa90790193389f0a3b2eb27568f9516fec3932bce89da7213cabf2393",
"sha256": "f4aa9648ae148430d56ec66b1b05383eff95f446f9d746fa618a5fd5d74b932d",
"type": "eql",
"version": 106
"version": 108
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"min_stack_version": "8.3",
@@ -6473,11 +7709,20 @@
"version": 107
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12",
"sha256": "58bf1f2fc9acd22be3c161424a77c2a213cf1401372313a2272d73d6af866d41",
"type": "query",
"version": 103
"version": 205
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"min_stack_version": "8.3",
@@ -6496,16 +7741,25 @@
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"min_stack_version": "8.3",
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "1b8c0a0d497da1a7aa237cea422221680d66e067bd3cb56754342e2426b8456e",
"sha256": "47990704fcf218a068f07339d376b36fe1ff72c831754b08f0dffed5768cc04d",
"type": "eql",
"version": 105
"version": 107
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456",
"sha256": "6d57260382880fab2e20021bd0235b13974bf1bde3fcdb2fe4b85484ea80f4c6",
"type": "query",
"version": 104
"version": 206
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"min_stack_version": "8.3",
@@ -6517,9 +7771,9 @@
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "f58e148fb90ab12de044fc7afa0a2778b71ecd8643082310872048c0960b54d4",
"sha256": "ff07330e7b280ebe26aff63e3c933ca68bc9e57095f06822a1ce1a766f8aa2d4",
"type": "query",
"version": 107
"version": 108
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"min_stack_version": "8.4",
@@ -6546,9 +7800,9 @@
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"min_stack_version": "8.3",
"rule_name": "Bash Shell Profile Modification",
"sha256": "89a6e5c6d2b9b24839bad3982fe4350838838f91a099081af2d9e17bbd48eb02",
"sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3",
"type": "query",
"version": 103
"version": 104
},
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"min_stack_version": "8.3",
@@ -6558,11 +7812,20 @@
"version": 104
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Possible Okta DoS Attack",
"sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391",
"type": "query",
"version": 105
}
},
"rule_name": "Possible Okta DoS Attack",
"sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391",
"sha256": "065c5e51d3541a24ee401d4b9da8787e8fb858c1e89938d7f7fa8daf46e7199e",
"type": "query",
"version": 103
"version": 205
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"min_stack_version": "8.3",
@@ -6574,9 +7837,16 @@
"e7075e8d-a966-458e-a183-85cd331af255": {
"min_stack_version": "8.3",
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "c0e04ce1aa8f8652c9593631d1a9692ea6c265ee388e504ccc1d3c225ad62272",
"sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e",
"type": "query",
"version": 103
"version": 104
},
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Memory Dump File Creation",
"sha256": "49debe62710e167c237de800f3dd2ce6ad4a3f4a6effd957439d576770b4e7c9",
"type": "eql",
"version": 1
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"min_stack_version": "8.3",
@@ -6586,46 +7856,64 @@
"version": 105
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "ab002c02bd96a6d77776ccb1b5fe96cb19d8ee3fa408b8c5853d7a4580f3fc18",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a",
"type": "eql",
"version": 4
"version": 105
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "3b88ce7678e0afd9133e4614123484e05b3c652f2ee1b555271860a540e9e01a",
"sha256": "b79eae658a0dc89978d022131f60766565b9d713cf71cfa900e632da05719fe3",
"type": "eql",
"version": 1
"version": 2
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "6b4158b68c196337a5ca798c23c4e99e1f5b63dcc09404ce703310ffa3115658",
"sha256": "9dabc489226c779aadc8aebd27fd06248863464f8c3eb77f8e3e65ea9de31581",
"type": "eql",
"version": 4
"version": 5
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route Table Modified or Deleted",
"sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route Table Modified or Deleted",
"sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730",
"sha256": "2199bfaa82c73c0e3d8e7c4dd8d7df67b438163716298173157240784ea80fdc",
"type": "query",
"version": 103
"version": 205
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"min_stack_version": "8.3",
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "9d7d295720f93607b0c637e791d1135a828f9a60edfd04a13aea1c2f444cddfb",
"sha256": "2894b45c8036eb38c332ca6f58cdcc5e872a80caa4e846636d051be8a166fcfe",
"type": "eql",
"version": 106
"version": 107
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"min_stack_version": "8.3",
"rule_name": "Installation of Security Support Provider",
"sha256": "07f742804dcc4362c3a6df0146ffd869e3e92a5e39ed19fbc676e1a205762fca",
"sha256": "05e809fb643c5c0b932f08cf325d5b980c1be26c2322a33497bf7931a54612bb",
"type": "eql",
"version": 104
"version": 105
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.3",
@@ -6635,32 +7923,66 @@
"version": 4
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"min_stack_version": "8.4",
"min_stack_version": "8.6",
"previous": {
"8.4": {
"max_allowable_version": 102,
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "3a05a24c654cdb42c8718f7cf97e55b13d9be01f97cfd17a78db8f616168fa80",
"type": "new_terms",
"version": 3
}
},
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "386862fe4e944388b9eada8008e45520c98413131236b3c1dbdffd72bd7b2db3",
"sha256": "b2bf47b2d754b97d1201f5d927c49421ceb71609ac667f07c240495f839cd6be",
"type": "new_terms",
"version": 2
"version": 103
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "94f8f87bf5279e92dae5e3f1a86adcc88c5e03a1ddc2d3ee3878b1ef488abd08",
"type": "threshold",
"version": 107
}
},
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "94f8f87bf5279e92dae5e3f1a86adcc88c5e03a1ddc2d3ee3878b1ef488abd08",
"sha256": "bb06cc2e64669d793dd0ab51b8f596cf9ed9f9454f861ae51504837bb3552d10",
"type": "threshold",
"version": 105
"version": 207
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31",
"sha256": "3d6439c0aa3958b93a6dddcf1bd5a4bd85a8a42ea1de077784cbcddffa9842dd",
"type": "query",
"version": 103
"version": 205
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"min_stack_version": "8.9",
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "f4946a910d3c5cf165420c1f5768200c1484fdc853e0a53756994d7993255dd4",
"type": "machine_learning",
"version": 1
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "2691fb427b7fddacc7927bc417d5dab77367c0f14203e072f86d3aefe7a62802",
"sha256": "0932a11d1af761dc69c880afac16d9f8543316e5b003ac9c7f31d6a1b903eb5b",
"type": "eql",
"version": 107
"version": 108
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"min_stack_version": "8.3",
@@ -6669,6 +7991,13 @@
"type": "eql",
"version": 104
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"min_stack_version": "8.9",
"rule_name": "Spike in Remote File Transfers",
"sha256": "5a680fcc21fa3a04e8559fed157bb4ad2d12ae704220ebfb794b987dd5e7f9ab",
"type": "machine_learning",
"version": 1
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
@@ -6688,12 +8017,28 @@
"type": "query",
"version": 100
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "e0eb8a5cb723b6d21c3bd60ed9f2fbaa258b957aaf1c3ccb239075cb1bd9e3a2",
"type": "machine_learning",
"version": 1
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "d8fbba1e46a7add1e78c5e5e8efbbd07526667d98224a35765adf2574e4c6e80",
"type": "threshold",
"version": 108
}
},
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "d8fbba1e46a7add1e78c5e5e8efbbd07526667d98224a35765adf2574e4c6e80",
"sha256": "c03ce8fcb77809e7578333b7e52f0fe9d851c9f6687eb1a7d20a33e2b642ed3f",
"type": "threshold",
"version": 106
"version": 208
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"min_stack_version": "8.3",
@@ -6719,9 +8064,9 @@
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "a05367ae65e4b39de37332b4894eb8085397b7fbf86eb16ab1899b6d60beac4d",
"sha256": "19a8d98813f7227deaf511c0d633facc03ce98eca134cbf0ad8d95277312d2bd",
"type": "query",
"version": 107
"version": 108
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"min_stack_version": "8.3",
@@ -6733,9 +8078,9 @@
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of SELinux",
"sha256": "b8f1ac64b7c560cb7647ffb41b0bcbedc7b257a7f316fcbeb491b84b7b09c94c",
"sha256": "039692bcb30d46067fc586c4ebcd04997a968d5c426694130fea5aeb0a48d46b",
"type": "query",
"version": 105
"version": 106
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.3",
@@ -6772,12 +8117,28 @@
"type": "query",
"version": 102
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"min_stack_version": "8.3",
"rule_name": "Executable File with Unusual Extension",
"sha256": "d740eda69b10b688372f488feab1a6e9af2a26122ee1f6af6de7612aa33706e8",
"type": "eql",
"version": 1
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b",
"sha256": "ac0a0d9ae3dd952d42b9953594ccbb2e820c3b3754a613810c6568a3fb3205bc",
"type": "query",
"version": 103
"version": 205
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"min_stack_version": "8.3",
@@ -6789,23 +8150,32 @@
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"min_stack_version": "8.3",
"rule_name": "AdFind Command Activity",
"sha256": "84fe4ed20d10995793ab80c3edcadea3a2e6590b1c71d8b0f7ae5f3400276e36",
"sha256": "b3773d30c5a81754f182b5e16112b660ce51afc7217b471c07c135c92343561e",
"type": "eql",
"version": 106
"version": 107
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973",
"sha256": "6015ee3b4d4c29fbd1e06ca5bb2947716089acffc92c07d1e1ef36a3aace0a7c",
"type": "query",
"version": 104
"version": 206
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.3",
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "3482abb380dae16ed856b1c92ebf753d98d655730383b3e1e6329221b64d7f96",
"sha256": "2879ba6dedb4672f2a2edf42d9b51a445ad7e87deafca2d3e115c225361d1e52",
"type": "eql",
"version": 106
"version": 107
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"min_stack_version": "8.3",
@@ -6844,16 +8214,16 @@
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"min_stack_version": "8.3",
"rule_name": "BPF filter applied using TC",
"sha256": "dfcaee87ab5815bd4120fc20f1cfd41d481913aa1b077dd7e28539febe9bd5d9",
"sha256": "d3b6a041bc5f899f14ba0e350fbb36350e02d5800b1751b2bff3950a02bab9e4",
"type": "eql",
"version": 105
"version": 106
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "421ac0a4b80d62b16f199e6f04b38b5b8c1c8dbed801722495c596321864b0fb",
"sha256": "fa04606235d591a3a18f27ac11497e0b0b3c0db64ac9d3cdae52dac5bebb9ca1",
"type": "eql",
"version": 3
"version": 4
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.3",
@@ -6862,6 +8232,13 @@
"type": "eql",
"version": 107
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "ae2f3e60d6bf07e3ace4c7be1a9a199dc8b181ae4c472baa2f02f91eb86e6801",
"type": "machine_learning",
"version": 1
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Processes of RunDLL32",
@@ -6877,11 +8254,20 @@
"version": 104
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba",
"type": "query",
"version": 105
}
},
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba",
"sha256": "129a8d5f0cd2075e7fe6a38059a5ddcd26d18f1d6b9d8b93950bf60863671395",
"type": "query",
"version": 103
"version": 205
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"min_stack_version": "8.3",
@@ -6907,9 +8293,9 @@
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Code Execution via Web Server",
"sha256": "acc6575e3fa6df0eabd86bf1fa2a16fdcf95a33f0b3c99ef35f473bee3cbea26",
"sha256": "9472c913dfa8869854d45e63066366097bc76d22561deba5f0332c0e764850d5",
"type": "eql",
"version": 4
"version": 5
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -6935,9 +8321,9 @@
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"min_stack_version": "8.3",
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "181e254a121f95897919759791f5af14565c11aa4ed7bab144e1e9c27400ac8b",
"sha256": "5b99a39e1fe7e357d865152fc9bddaf95dbcdef3438bbdd9a2de4b9ef6351120",
"type": "eql",
"version": 105
"version": 107
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.3",
@@ -6954,11 +8340,20 @@
"version": 106
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Instance Creation",
"sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Instance Creation",
"sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5",
"sha256": "25aeaebf372fd4e468e990590efe81685706f45ab5eb44bb246d187a16a8b6e0",
"type": "query",
"version": 103
"version": 205
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -6967,12 +8362,19 @@
"type": "eql",
"version": 3
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "109d0c7e3887d7f898702bb931801365f78166bc37b58aa04f66b0e30101f41b",
"type": "query",
"version": 1
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.3",
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "881b9fd8fe67814ac0e2fd46633b3d14bec837de65f947f3196690da517ec326",
"sha256": "05dfb891d848215da2bda7c42b5229022f92e80d8ee4f97ea007d57196cfd637",
"type": "eql",
"version": 107
"version": 108
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"min_stack_version": "8.3",
@@ -6988,19 +8390,26 @@
"type": "threat_match",
"version": 3
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"min_stack_version": "8.6",
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
"sha256": "397ef632c840d0922b83d252b5b41db9cbaa48dbded3e4274d7b714ea636231b",
"type": "eql",
"version": 2
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "6529bb3e9f2e7ba6334ccf83e73cb084a6d4a6b4754c82131a2b29b573db94fc",
"sha256": "292a400f924bdf495a355385c16ff53e68f9f3339a16f03722da0a67d20439f9",
"type": "eql",
"version": 104
"version": 105
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.3",
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "58fd8199f7eaa97b77809fbe7b9b19e44632eef4618a3a85d269f4c10fc65dda",
"sha256": "26b40ddcaa37e8f078da5fbfc2a20a67103717af9bed0188b9002a14836ffe5a",
"type": "query",
"version": 107
"version": 108
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
@@ -7011,16 +8420,16 @@
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "4a1c0d919c79748efefe5321d5e6652f4806a90a6748a5fbb97472ba5c7b6479",
"sha256": "7c8538ccb98edd565c3e77089791a93f35d6fe22c6f6622b1b5830797dfce87b",
"type": "eql",
"version": 2
"version": 3
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Executing PowerShell",
"sha256": "9c28b36b93bb14bdf7618dda4125499529113bf5a991135211322b859581d528",
"sha256": "137fe700650e80f99c3e810ffa7887f243a69e3fd36267afd3685955e5b3a7e4",
"type": "eql",
"version": 106
"version": 107
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"min_stack_version": "8.8",
@@ -7032,15 +8441,29 @@
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.3",
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "1985348b300faecebbaac140fff23f888d5eac725cc209b01811dc5cc860b8b1",
"sha256": "9d093df26320c45b314e47dc2317d5b84a706d33b570f9b302014671f4b684de",
"type": "query",
"version": 1
"version": 2
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"min_stack_version": "8.3",
"rule_name": "WMIC Remote Command",
"sha256": "dc6e94a20b8f1618cea407e2ac25227adc96daf497e2c1b5b034408f0e1aa3c9",
"sha256": "e1ef94a11c4732f762e8f4e61014834b56c85ac0b9238a537e111d942fb12601",
"type": "eql",
"version": 2
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"min_stack_version": "8.3",
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "05f3189fe09c5f5c72a44871e7af8a36a085d5f5642ee65deed333c490888820",
"type": "eql",
"version": 1
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "d95530ac48c152547acc046bef874063d532e0a9f5f639803e3b525025209f22",
"type": "machine_learning",
"version": 1
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
@@ -7060,9 +8483,9 @@
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.3",
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "0e7d1a785743f7bd0167dacf31665648afe6cc0921d859d611decdcf3ca2bf89",
"sha256": "23aef572b50810af907ee7bd6ef6657623f6592f933f9406a58dda38ccecb9d2",
"type": "eql",
"version": 106
"version": 107
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.3",
@@ -7093,11 +8516,20 @@
"version": 102
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd",
"sha256": "c58352df4a9adcf9259a2e3656fddae07215b10995a31acba7684366f084e0a9",
"type": "query",
"version": 106
"version": 208
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"min_stack_version": "8.8",
@@ -7116,9 +8548,9 @@
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "84af71d36b636e2785c85ee6e6b0dcfc90b6df18c844ba0627a5605b8aa892d5",
"sha256": "0e07c2995af6088f4c7f371ce44780cab7ffe75d215408752857ac720cea0465",
"type": "eql",
"version": 104
"version": 105
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
@@ -7130,9 +8562,9 @@
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.3",
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "9c50c505cf44d6eec05e8c2cc96a6569c7c14b193943425c21de51abbea9e5ca",
"sha256": "11ff5b48af4c6fe451b2ce1623b1cb2cb5bb35007bef94018597f897219a10af",
"type": "eql",
"version": 106
"version": 107
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"min_stack_version": "8.3",
@@ -7163,11 +8595,20 @@
"version": 7
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.3",
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06",
"type": "query",
"version": 105
}
},
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06",
"sha256": "248121396e46c80ff9a64d88848fd372e40eef61b3d43d31e6ef56a70477f392",
"type": "query",
"version": 103
"version": 205
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.3",
@@ -7179,16 +8620,16 @@
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"min_stack_version": "8.3",
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "983e0ddc1783910db137adf087a0cb74b34fbf20bf1569b9024cd5578ab1b84a",
"sha256": "fac6f9cee3f43e0193ffc987c11e25fd31bc52cf43af80e9cfabc8dc453c1812",
"type": "eql",
"version": 3
"version": 4
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "df52af5aacf36ea1a7ad6a44b6238bfd08e8feb288d0bb5d1b604d6f8cd513b2",
"sha256": "91a2395bf7620588ccb74be3c35e5550521b5efb2e5268f5e5f700def971d705",
"type": "eql",
"version": 4
"version": 5
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
@@ -7200,23 +8641,32 @@
"fac52c69-2646-4e79-89c0-fd7653461010": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of AppArmor",
"sha256": "84c459fa919be715728e6f1c0a8c4ec19b8480510bb411c3b81bb72ced32586f",
"sha256": "af928c417577e8cc0260d0553a69112ffe4cce0432ff7dd3e11a6bf0e6c446d1",
"type": "eql",
"version": 1
"version": 2
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"min_stack_version": "8.3",
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 101,
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "44de9f686412f5ba599fbbf3c20d3d9a0e941c644469a473712133ff1293bf6d",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "6dabae4a91d13a982c01d893b7091d39599ab9bbc1e7e88117adcf8ae0a70a40",
"sha256": "83d55181cc10cf106c86f733adfc8bcd7100be39580cbdaf2784a6237cd2f61b",
"type": "eql",
"version": 1
"version": 102
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Registration Utility",
"sha256": "cca4c8c4fe974be12e9a9717eb82caa9cbb509858bba01b5872ad90988772dce",
"sha256": "43bf761ed99e39883a71417804e95161874113a3d08e64e551fe474bb054586c",
"type": "eql",
"version": 105
"version": 106
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
@@ -7225,18 +8675,27 @@
"version": 100
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"min_stack_version": "8.3",
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4",
"sha256": "e2cf9c3a12bd9ec52910d1a412e540d1f76113ddae474ae4fe22f81ed3aafb15",
"type": "query",
"version": 103
"version": 205
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "8975d3c8774ec9437e4cd11148a51508e2c6d7f7d78d7201c4be6cfbaf0004ab",
"sha256": "d82de3a511d6f9d1fdacc568ea1f4f13dcb5c7b1923e37472627edad3bc0e244",
"type": "eql",
"version": 105
"version": 106
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
@@ -7259,18 +8718,34 @@
"version": 106
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Svchost spawning Cmd",
"sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04",
"type": "eql",
"version": 107
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04",
"sha256": "2cf4b3a4a92c5be889a51b4f1d51c3eab77327b7bf883a2a045d1571d8779e4b",
"type": "new_terms",
"version": 207
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"min_stack_version": "8.3",
"rule_name": "Image Loaded with Invalid Signature",
"sha256": "cc47fed45ee058e096104f4c1d2e2068a516895cf8a9e85ab1511686b49de1ee",
"type": "eql",
"version": 107
"version": 1
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"min_stack_version": "8.3",
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
"sha256": "62b9374ecd5f2c092b1940f6dd1481f37a42f04bdda1015b7cb512ba22db08ca",
"sha256": "590ac86e1af3b8706e4cb2a69e8fdd314724e77dbb5799e8fb98370ce40c9e58",
"type": "eql",
"version": 1
"version": 2
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.3",
@@ -7282,21 +8757,28 @@
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "a8ea104f14627b5bef865394a5a80d56b351edaa5b4beea10407d3950c42f419",
"sha256": "7e932f33b6e1585cd992ffb8d0c475283c7c7d9e5f8480d9858165a716090f61",
"type": "query",
"version": 1
"version": 2
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "da773bcc4a79e9c08e47654c4abaef1190bd351feb40255c17932f918361f591",
"sha256": "a8eff42378039fb19f5db47284f5c0fc7ac55a01a9ec1c5d9b1a664f91fff887",
"type": "eql",
"version": 106
"version": 107
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "60ec14b09417f0cb76b839ac47aa592120fc5692e363f35cb28840dcb84414be",
"sha256": "f8fb3a902d4649dae09ebfd3622387f97612d9ce93d0c82dc28badc57bf61ae1",
"type": "eql",
"version": 2
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"min_stack_version": "8.3",
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
"sha256": "2d4dac5ee69aa01095329c1850ad5569f1d4d34fe06d5a73ef0f4fb93b1d98b7",
"type": "eql",
"version": 1
},
@@ -7310,23 +8792,30 @@
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"min_stack_version": "8.3",
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "93c635e72bde1b37f08db8fbaab71b57c830ec8a6d88f9d868cad5cae1d4c602",
"sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055",
"type": "query",
"version": 102
"version": 103
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"min_stack_version": "8.9",
"rule_name": "Potential DGA Activity",
"sha256": "83e50c945d95a5c87970b0f27356a28d98589040cb7698c584b7b41c832a8c24",
"type": "machine_learning",
"version": 1
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.6",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "3f05ca34ca031232a58c6bdd28c52d7ebc9751646383323594d0514a33322443",
"sha256": "b1a94af889b3bd5f19d461f40cf67ebb70a8c9c19383c1c6b821e829e49477e8",
"type": "new_terms",
"version": 4
"version": 5
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",
"rule_name": "LSASS Process Access via Windows API",
"sha256": "89aab4dd5ac4c53bd4096c632d79151c726d6991f64ad42938fde25eed6a3c8b",
"sha256": "592b792af644dd525e7bb61b8ba69a59219b797775997301b8ca62e5e71e03bd",
"type": "eql",
"version": 3
"version": 4
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"min_stack_version": "8.3",
@@ -7345,8 +8834,8 @@
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "16c98c01aec6efd485063babc9daf4aef11f4c6de3c2834b877688f6326a8cb6",
"sha256": "7f5618048d9c9a947da0f5e7789a02590652382297e9fc2355be088f7eb8a2bf",
"type": "eql",
"version": 2
"version": 3
}
}
+29 -9
@@ -23,6 +23,7 @@ from . import ecs
from .beats import flatten_ecs_schema
from .misc import load_current_package_version
from .utils import cached, get_etc_path, read_gzip, unzip
from .schemas import definitions
MANIFEST_FILE_PATH = Path(get_etc_path('integration-manifests.json.gz'))
SCHEMA_FILE_PATH = Path(get_etc_path('integration-schemas.json.gz'))
@@ -47,12 +48,13 @@ class IntegrationManifestSchema(Schema):
description = fields.Str(required=True)
download = fields.Str(required=True)
conditions = fields.Dict(required=True)
policy_templates = fields.List(fields.Dict, required=True)
policy_templates = fields.List(fields.Dict)
owner = fields.Dict(required=False)
@post_load
def transform_policy_template(self, data, **kwargs):
data["policy_templates"] = [policy["name"] for policy in data["policy_templates"]]
if "policy_templates" in data:
data["policy_templates"] = [policy["name"] for policy in data["policy_templates"]]
return data
@@ -93,21 +95,30 @@ def build_integrations_manifest(overwrite: bool, rule_integrations: list = [], i
print(f"final integrations manifests dumped: {MANIFEST_FILE_PATH}")
def build_integrations_schemas(overwrite: bool) -> None:
def build_integrations_schemas(overwrite: bool, integration: str = None) -> None:
"""Builds a new local copy of integration-schemas.json.gz from EPR integrations."""
final_integration_schemas = {}
saved_integration_schemas = {}
# Check if the file already exists and handle accordingly
if overwrite and SCHEMA_FILE_PATH.exists():
SCHEMA_FILE_PATH.unlink()
final_integration_schemas = {}
elif SCHEMA_FILE_PATH.exists():
saved_integration_schemas = load_integrations_schemas()
final_integration_schemas = load_integrations_schemas()
else:
final_integration_schemas = {}
# Load the integration manifests
integration_manifests = load_integrations_manifests()
# if a single integration is specified, only process that integration
if integration:
if integration in integration_manifests:
integration_manifests = {integration: integration_manifests[integration]}
else:
raise ValueError(f"Integration {integration} not found in manifest.")
# Loop through the packages and versions
for package, versions in integration_manifests.items():
print(f"processing {package}")
@@ -127,12 +138,12 @@ def build_integrations_schemas(overwrite: bool) -> None:
# Open the zip file
with unzip(response.content) as zip_ref:
for file in zip_ref.namelist():
file_data_bytes = zip_ref.read(file)
# Check if the file is a match
if glob.fnmatch.fnmatch(file, '*/fields/*.yml'):
integration_name = Path(file).parent.parent.name
final_integration_schemas[package][version].setdefault(integration_name, {})
file_data = zip_ref.read(file)
schema_fields = yaml.safe_load(file_data)
schema_fields = yaml.safe_load(file_data_bytes)
# Parse the schema and add to the integration_manifests
data = flatten_ecs_schema(schema_fields)
@@ -140,7 +151,14 @@ def build_integrations_schemas(overwrite: bool) -> None:
final_integration_schemas[package][version][integration_name].update(flat_data)
del file_data
# add machine learning jobs to the schema
if integration in list(map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)):
if glob.fnmatch.fnmatch(file, '*/ml_module/*ml.json'):
ml_module = json.loads(file_data_bytes)
job_ids = [job['id'] for job in ml_module['attributes']['jobs']]
final_integration_schemas[package][version]['jobs'] = job_ids
del file_data_bytes
# Write the final integration schemas to disk
with gzip.open(SCHEMA_FILE_PATH, "w") as schema_file:
@@ -317,7 +335,9 @@ def get_integration_schema_data(data, meta, package_integrations: dict) -> Gener
if integration is None:
# Use all fields from each dataset
for dataset in integrations_schemas[package][package_version]:
schema.update(integrations_schemas[package][package_version][dataset])
# ignore jobs from machine learning packages
if dataset != "jobs":
schema.update(integrations_schemas[package][package_version][dataset])
else:
if integration not in integrations_schemas[package][package_version]:
raise ValueError(f"Integration {integration} not found in package {package} "
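Review bot: The machine-learning `jobs` branch at `if integration in list(map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)):` is gated on the CLI argument rather than on the package being iterated, so a full rebuild (`integration=None`, the default) never records `jobs` for any package, and the `dataset != "jobs"` skip added in `get_integration_schema_data` then has nothing to skip. Since `integration` is validated against the same `integration_manifests` keys that `package` iterates, the check should read `if package in ml_packages:` with `ml_packages = {p.lower() for p in definitions.MACHINE_LEARNING_PACKAGES}` hoisted above the package loop instead of rebuilding the list for every zip entry. Separately, `del file_data` survives as an unchanged line while the assignment was renamed to `file_data_bytes`; if that line still sits inside the `*/fields/*.yml` branch it raises `NameError` on the first matching file and should be removed, since `del file_data_bytes` now covers the cleanup. The signature `integration: str = None` should be `integration: Optional[str] = None` to match its default, and the docstring should say that passing a name rebuilds only that package and raises `ValueError` for an unknown one.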
+18 -2
@@ -11,14 +11,17 @@ import os
import re
import time
from datetime import datetime
import pytoml
from marshmallow_dataclass import class_schema
from pathlib import Path
from semver import Version
from typing import Dict, List, Optional
from typing import Dict, Iterable, List, Optional
from uuid import uuid4
import click
from .attack import build_threat_map_entry
from .cli_utils import rule_prompt, multi_collection
from .mappings import build_coverage_map, get_triggered_rules, print_converage_summary
from .misc import add_client, client_error, nested_set, parse_config, load_current_package_version
@@ -93,7 +96,7 @@ def generate_rules_index(ctx: click.Context, query, overwrite, save_files=True):
@click.argument('input-file', type=click.Path(dir_okay=False, exists=True), nargs=-1, required=False)
@click.option('--directory', '-d', type=click.Path(file_okay=False, exists=True), help='Load files from a directory')
def import_rules(input_file, directory):
"""Import rules from json, toml, or Kibana exported rule file(s)."""
"""Import rules from json, toml, yaml, or Kibana exported rule file(s)."""
rule_files = glob.glob(os.path.join(directory, '**', '*.*'), recursive=True) if directory else []
rule_files = sorted(set(rule_files + list(input_file)))
@@ -385,6 +388,19 @@ def search_rules(query, columns, language, count, verbose=True, rules: Dict[str,
return filtered
@root.command('build-threat-map-entry')
@click.argument('tactic')
@click.argument('technique-ids', nargs=-1)
def build_threat_map(tactic: str, technique_ids: Iterable[str]):
"""Build a threat map entry."""
entry = build_threat_map_entry(tactic, *technique_ids)
rendered = pytoml.dumps({'rule': {'threat': [entry]}})
# strip out [rule]
cleaned = '\n'.join(rendered.splitlines()[2:])
print(cleaned)
return entry
@root.command("test")
@click.pass_context
def test_rules(ctx):
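Review bot: `cleaned = '\n'.join(rendered.splitlines()[2:])` in `build_threat_map` relies on pytoml emitting exactly two lines (`[rule]` and a blank) ahead of `[[rule.threat]]`; if the serializer's layout ever differs the command silently drops part of the entry or leaves the header in. Locating the table header is more robust and self-documenting: `lines = rendered.splitlines()`, `start = next(i for i, line in enumerate(lines) if line.startswith('[[rule.threat]]'))`, `cleaned = '\n'.join(lines[start:])`. The `# strip out [rule]` comment could also say why the wrapper table exists at all (presumably so the printed `[[rule.threat]]` headers match the layout of a rule toml file), and the docstring should mention that the entry is both printed and returned.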
+8 -8
@@ -115,7 +115,7 @@ def nest_from_dot(dots, value):
return nested
def schema_prompt(name, value=None, required=False, **options):
def schema_prompt(name, value=None, is_required=False, **options):
"""Interactively prompt based on schema requirements."""
name = str(name)
field_type = options.get('type')
@@ -136,7 +136,7 @@ def schema_prompt(name, value=None, required=False, **options):
if name == 'rule_id':
default = str(uuid.uuid4())
if len(enum) == 1 and required and field_type != "array":
if len(enum) == 1 and is_required and field_type != "array":
return enum[0]
def _check_type(_val):
@@ -168,7 +168,7 @@ def schema_prompt(name, value=None, required=False, **options):
prompt = '{name}{default}{required}{multi}'.format(
name=name,
default=' [{}] ("n/a" to leave blank) '.format(default) if default else '',
required=' (required) ' if required else '',
required=' (required) ' if is_required else '',
multi=' (multi, comma separated) ' if field_type == 'array' else '').strip() + ': '
while True:
@@ -177,7 +177,7 @@ def schema_prompt(name, value=None, required=False, **options):
result = None
if not result:
if required:
if is_required:
value = None
continue
else:
@@ -187,7 +187,7 @@ def schema_prompt(name, value=None, required=False, **options):
result_list = result.split(',')
if not (min_item < len(result_list) < max_items):
if required:
if is_required:
value = None
break
else:
@@ -195,19 +195,19 @@ def schema_prompt(name, value=None, required=False, **options):
for value in result_list:
if not _check_type(value):
if required:
if is_required:
value = None
break
else:
return []
if required and value is None:
if is_required and value is None:
continue
else:
return [_convert_type(r) for r in result_list]
else:
if _check_type(result):
return _convert_type(result)
elif required:
elif is_required:
value = None
continue
return
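Review bot: Renaming the keyword parameter `required` to `is_required` in `schema_prompt` breaks callers silently rather than loudly: a call still passing `required=True` has that value absorbed into `**options`, so the field is treated as optional and an empty answer falls through to the optional branch instead of re-prompting. Unless every call site in the repository is updated in this same commit, accept the old spelling for a transition, e.g. `is_required = is_required or bool(options.pop('required', False))` as the first statement of the body. The docstring should record the rename and, if this is the motivation, that a schema-level `required` key may now arrive through `**options` rather than binding to the parameter.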
+9 -2
@@ -14,6 +14,7 @@ import textwrap
from collections import defaultdict
from pathlib import Path
from typing import Dict, Optional, Tuple
from semver import Version
import click
import yaml
@@ -377,9 +378,15 @@ class Package(object):
def _generate_registry_package(self, save_dir):
"""Generate the artifact for the oob package-storage."""
from .schemas.registry_package import RegistryPackageManifest
from .schemas.registry_package import (RegistryPackageManifestV1,
RegistryPackageManifestV3)
manifest = RegistryPackageManifest.from_dict(self.registry_data)
# 8.12.0+ we use elastic package v3
stack_version = Version.parse(self.name, optional_minor_and_patch=True)
if stack_version >= Version.parse('8.12.0'):
manifest = RegistryPackageManifestV3.from_dict(self.registry_data)
else:
manifest = RegistryPackageManifestV1.from_dict(self.registry_data)
package_dir = Path(save_dir) / 'fleet' / manifest.version
docs_dir = package_dir / 'docs'
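Review bot: The version gate in `_generate_registry_package` hard-codes `Version.parse('8.12.0')` inline behind a one-line comment; a named module constant such as `REGISTRY_PACKAGE_V3_MIN_STACK = Version.parse('8.12.0')` next to the imports would make the cut-over discoverable and reusable by other code that needs the same decision. `Version.parse(self.name, optional_minor_and_patch=True)` also assumes `self.name` is always a stack version string; if a package can be named otherwise this raises `ValueError` from semver, which is worth stating in the docstring (`Raises ValueError when the package name is not a parseable stack version.`). The rest of the method continues outside the hunk.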
+28 -59
@@ -229,7 +229,8 @@ class AlertSuppressionMapping(MarshmallowDataclassMixin, StackCompatMixin):
value: int
group_by: List[definitions.NonEmptyStr]
duration: Optional[AlertSuppressionDuration] = field(metadata=dict(metadata=dict(min_compat="8.7")))
duration: Optional[AlertSuppressionDuration]
missing_fields_strategy: definitions.AlertSuppressionMissing
@dataclass(frozen=True)
@@ -247,7 +248,6 @@ class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin):
integration: Optional[definitions.NonEmptyStr]
actions: Optional[list]
alert_suppression: Optional[AlertSuppressionMapping] = field(metadata=dict(metadata=dict(min_compat="8.6")))
author: List[str]
building_block_type: Optional[definitions.BuildingBlockType]
description: str
@@ -273,7 +273,7 @@ class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin):
risk_score_mapping: Optional[List[RiskScoreMapping]]
rule_id: definitions.UUIDString
rule_name_override: Optional[str]
setup: Optional[str] = field(metadata=dict(metadata=dict(min_compat="8.3")))
setup: Optional[definitions.Markdown] = field(metadata=dict(metadata=dict(min_compat="8.3")))
severity_mapping: Optional[List[SeverityMapping]]
severity: definitions.Severity
tags: Optional[List[str]]
@@ -561,6 +561,7 @@ class QueryRuleData(BaseRuleData):
index: Optional[List[str]]
query: str
language: definitions.FilterLanguages
alert_suppression: Optional[AlertSuppressionMapping] = field(metadata=dict(metadata=dict(min_compat="8.8")))
@cached_property
def validator(self) -> Optional[QueryValidator]:
@@ -592,6 +593,14 @@ class QueryRuleData(BaseRuleData):
if validator is not None:
return validator.get_required_fields(index or [])
@validates_schema
def validate_exceptions(self, data, **kwargs):
"""Custom validation for query rule type and subclasses."""
# alert suppression is only valid for query rule type and not any of its subclasses
if data.get('alert_suppression') and data['type'] != 'query':
raise ValidationError("Alert suppression is only valid for query rule type.")
@dataclass(frozen=True)
class MachineLearningRuleData(BaseRuleData):
@@ -638,52 +647,6 @@ class NewTermsRuleData(QueryRuleData):
type: Literal["new_terms"]
new_terms: NewTermsMapping
def validate(self, meta: RuleMeta) -> None:
"""Validates terms in new_terms_fields are valid ECS schema."""
kql_validator = KQLValidator(self.query)
kql_validator.validate(self, meta)
feature_min_stack = Version.parse('8.4.0')
feature_min_stack_extended_fields = Version.parse('8.6.0')
current_package_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)
# validate history window start field exists and is correct
assert self.new_terms.history_window_start, \
"new terms field found with no history_window_start field defined"
assert self.new_terms.history_window_start[0].field == "history_window_start", \
f"{self.new_terms.history_window_start} should be 'history_window_start'"
# validate new terms and history window start fields is correct
assert self.new_terms.field == "new_terms_fields", \
f"{self.new_terms.field} should be 'new_terms_fields' for new_terms rule type"
# ecs validation
min_stack_version = Version.parse(meta.get("min_stack_version")) if meta.get("min_stack_version") else None
min_stack_version = current_package_version if min_stack_version is None or min_stack_version < \
current_package_version else min_stack_version
assert min_stack_version >= feature_min_stack, \
f"New Terms rule types only compatible with {feature_min_stack}+"
ecs_version = get_stack_schemas()[str(min_stack_version)]['ecs']
beats_version = get_stack_schemas()[str(min_stack_version)]['beats']
# checks if new terms field(s) are in ecs, beats or non-ecs schemas
_, _, schema = kql_validator.get_beats_schema(self.index or [], beats_version, ecs_version)
for new_terms_field in self.new_terms.value:
assert new_terms_field in schema.keys(), \
f"{new_terms_field} not found in ECS, Beats, or non-ecs schemas"
# validates length of new_terms to stack version - https://github.com/elastic/kibana/issues/142862
if min_stack_version >= feature_min_stack and \
min_stack_version < feature_min_stack_extended_fields:
assert len(self.new_terms.value) == 1, \
f"new terms have a max limit of 1 for stack versions below {feature_min_stack_extended_fields}"
# validate fields are unique
assert len(set(self.new_terms.value)) == len(self.new_terms.value), \
f"new terms fields values are not unique - {self.new_terms.value}"
def transform(self, obj: dict) -> dict:
"""Transforms new terms data to API format for Kibana."""
@@ -1024,8 +987,10 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
# if integration is not a policy template remove
if package["version"]:
policy_templates = packages_manifest[
package["package"]][package["version"].strip("^")]["policy_templates"]
version_data = packages_manifest.get(package["package"],
{}).get(package["version"].strip("^"), {})
policy_templates = version_data.get("policy_templates", [])
if package["integration"] not in policy_templates:
del package["integration"]
@@ -1125,14 +1090,18 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
elif isinstance(node, FieldComparison) and str(node.field) == 'event.dataset':
datasets.update(set(str(n) for n in node if isinstance(n, kql.ast.Value)))
if not datasets:
# windows and endpoint integration do not have event.dataset fields in queries
# integration is None to remove duplicate references upstream in Kibana
rule_integrations = meta.get("integration", [])
if rule_integrations:
for integration in rule_integrations:
if integration in definitions.NON_DATASET_PACKAGES or isinstance(data, MachineLearningRuleData):
packaged_integrations.append({"package": integration, "integration": None})
# integration is None to remove duplicate references upstream in Kibana
# chronologically, event.dataset is checked for package:integration, then rule tags
# if both exist, rule tags are only used if defined in definitions for non-dataset packages
# of machine learning analytic packages
rule_integrations = meta.get("integration", [])
if rule_integrations:
for integration in rule_integrations:
ineligible_integrations = definitions.NON_DATASET_PACKAGES + \
[*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)]
if integration in ineligible_integrations or isinstance(data, MachineLearningRuleData):
packaged_integrations.append({"package": integration, "integration": None})
for value in sorted(datasets):
integration = 'Unknown'
+6
@@ -262,6 +262,12 @@ def migrate_to_8_10(version: Version, api_contents: dict) -> dict:
return strip_additional_properties(version, api_contents)
@migrate("8.11")
def migrate_to_8_11(version: Version, api_contents: dict) -> dict:
"""Default migration for 8.11."""
return strip_additional_properties(version, api_contents)
def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict:
"""Downgrade a rule to a target stack version."""
from ..packaging import current_stack_version
+9 -4
@@ -28,6 +28,7 @@ VERSION_PATTERN = f'^{_version}$'
MINOR_SEMVER = r'^\d+\.\d+$'
BRANCH_PATTERN = f'{VERSION_PATTERN}|^master$'
ELASTICSEARCH_EQL_FEATURES = {
"allow_negation": (Version.parse('8.9.0'), None),
"allow_runs": (Version.parse('7.16.0'), None),
"allow_sample": (Version.parse('8.6.0'), None),
"elasticsearch_validate_optional_fields": (Version.parse('7.16.0'), None)
@@ -43,7 +44,6 @@ TACTIC_URL = r'^https://attack.mitre.org/tactics/TA[0-9]+/$'
TECHNIQUE_URL = r'^https://attack.mitre.org/techniques/T[0-9]+/$'
SUBTECHNIQUE_URL = r'^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$'
MACHINE_LEARNING = 'machine_learning'
SAVED_QUERY = 'saved_query'
QUERY = 'query'
QUERY_FIELD_OP_EXCEPTIONS = ["powershell.file.script_block_text"]
@@ -90,6 +90,7 @@ EXPECTED_RULE_TAGS = [
'OS: Linux',
'OS: macOS',
'OS: Windows',
'Rule Type: BBR',
'Resources: Investigation Guide',
'Rule Type: Higher-Order Rule',
'Rule Type: Machine Learning',
@@ -125,7 +126,10 @@ EXPECTED_RULE_TAGS = [
'Use Case: Vulnerability'
]
MACHINE_LEARNING_PACKAGES = ['LMD', 'DGA', 'DED', 'ProblemChild', 'Beaconing']
AlertSuppressionMissing = NewType('AlertSuppressionMissing', str,
validate=validate.OneOf(['suppress', 'doNotSuppress']))
NonEmptyStr = NewType('NonEmptyStr', str, validate=validate.Length(min=1))
TimeUnits = Literal['s', 'm', 'h']
BranchVer = NewType('BranchVer', str, validate=validate.Regexp(BRANCH_PATTERN))
@@ -144,7 +148,7 @@ OSType = Literal['windows', 'linux', 'macos']
PositiveInteger = NewType('PositiveInteger', int, validate=validate.Range(min=1))
RiskScore = NewType("MaxSignals", int, validate=validate.Range(min=1, max=100))
RuleName = NewType('RuleName', str, validate=validate.Regexp(NAME_PATTERN))
RuleType = Literal['query', 'saved_query', 'machine_learning', 'eql', 'threshold', 'threat_match', 'new_terms']
RuleType = Literal['query', 'machine_learning', 'eql', 'threshold', 'threat_match', 'new_terms']
SemVer = NewType('SemVer', str, validate=validate.Regexp(VERSION_PATTERN))
SemVerMinorOnly = NewType('SemVerFullStrict', str, validate=validate.Regexp(MINOR_SEMVER))
Severity = Literal['low', 'medium', 'high', 'critical']
@@ -159,5 +163,6 @@ UUIDString = NewType('UUIDString', str, validate=validate.Regexp(UUID_PATTERN))
BuildingBlockType = Literal['default']
# experimental machine learning features and releases
MachineLearningType = Literal['DGA', 'ProblemChild']
MachineLearningTypeLower = Literal['dga', 'problemchild']
MachineLearningType = getattr(Literal, '__getitem__')(tuple(MACHINE_LEARNING_PACKAGES)) # noqa: E999
MachineLearningTypeLower = getattr(Literal, '__getitem__')(
tuple(map(str.lower, MACHINE_LEARNING_PACKAGES))) # noqa: E999
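Review bot: The `getattr(Literal, '__getitem__')(tuple(MACHINE_LEARNING_PACKAGES))` construction in the last hunk is hard to read, and the `# noqa: E999` it carries suppresses flake8's syntax-error code, which does not describe what is actually being worked around. At runtime `Literal[tuple(MACHINE_LEARNING_PACKAGES)]` yields the same type (Literal flattens a tuple argument), so if the indirection exists only to keep a linter or type checker quiet, a comment stating that would preserve the intent, e.g. `# members derived from MACHINE_LEARNING_PACKAGES at import time; static checkers cannot see them`; the same applies to `MachineLearningTypeLower` on the following line. Note also that these aliases now accept every entry of `MACHINE_LEARNING_PACKAGES`, so the three names not present in the removed literals (`LMD`, `DED`, `Beaconing`) become valid `MachineLearningType` values wherever that alias drives validation — confirm that widening is intended.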
+41 -9
@@ -5,7 +5,7 @@
"""Definitions for packages destined for the registry."""
from dataclasses import dataclass
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from .definitions import ConditionSemVer, SemVer
@@ -13,22 +13,54 @@ from ..mixins import MarshmallowDataclassMixin
@dataclass
class RegistryPackageManifest(MarshmallowDataclassMixin):
class ConditionElastic:
subscription: str
@dataclass
class Condition:
kibana_version: str = field(metadata={"data_key": "kibana.version"})
elastic: ConditionElastic
@dataclass
class Icon:
size: str
src: str
type: str
@dataclass
class RegistryPackageManifestBase(MarshmallowDataclassMixin):
"""Base class for registry packages."""
categories: List[str]
conditions: Dict[str, ConditionSemVer]
description: str
format_version: SemVer
icons: list
license: str
icons: List[Icon]
name: str
owner: Dict[str, str]
release: str
title: str
type: str
version: SemVer
internal: Optional[bool] = None
policy_templates: Optional[list] = None
screenshots: Optional[list] = None
internal: Optional[bool]
policy_templates: Optional[List[str]]
screenshots: Optional[List[str]]
@dataclass
class RegistryPackageManifestV1(RegistryPackageManifestBase):
"""Registry packages using elastic-package v1."""
conditions: Dict[str, ConditionSemVer]
license: str
release: str
@dataclass
class RegistryPackageManifestV3(RegistryPackageManifestBase):
"""Registry packages using elastic-package v3."""
conditions: Condition
source: Dict[str, str]
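Review bot: The three new helper dataclasses `ConditionElastic`, `Condition` and `Icon` have no docstring, while `RegistryPackageManifestBase`, `RegistryPackageManifestV1` and `RegistryPackageManifestV3` each get one; a one-liner per class would keep the module consistent, e.g. `"""Elastic-specific condition (subscription) from a package manifest."""`, `"""Package conditions: Kibana version constraint plus the Elastic condition."""` and `"""Icon entry (size, src, type) from a package manifest."""`. Separately, `internal`, `policy_templates` and `screenshots` lost their `= None` defaults (presumably so the subclasses can append required fields without a default-ordering error), so any code that constructs these manifests directly rather than via marshmallow loading now has to pass them explicitly; the call sites should be checked. `policy_templates` and `screenshots` were also narrowed from `Optional[list]` to `Optional[List[str]]`; if the registry serves structured objects in those arrays, validation would now reject manifests that used to load, which is worth confirming against a real manifest.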
+3 -1
@@ -326,8 +326,10 @@ def load_rule_contents(rule_file: Path, single_only=False) -> list:
return contents or [{}]
elif extension == '.toml':
rule = pytoml.loads(raw_text)
elif extension.lower() in ('yaml', 'yml'):
rule = load_dump(str(rule_file))
else:
rule = load_dump(rule_file)
return []
if isinstance(rule, dict):
return [rule]
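Review bot: The new `elif extension.lower() in ('yaml', 'yml'):` branch can never match if `extension` carries its leading dot, which the preceding `elif extension == '.toml':` comparison indicates it does; `.yaml`/`.yml` rule files then fall through to the new `return []` and are silently dropped instead of loaded. The check should read `elif extension.lower() in ('.yaml', '.yml'):`. The unconditional `return []` for any other suffix is also a silent outcome for a rule loader — a file with an unexpected extension vanishes from the result with no signal — so consider logging or raising there instead. `load_rule_contents` begins outside this hunk, so how `extension` is derived is not visible here.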
+3 -2
@@ -10,7 +10,7 @@ import eql.ast
from eql import Walker, EqlCompileError, utils
from eql.functions import CidrMatch
from .errors import KqlRuntimeError, KqlCompileError
from .parser import is_ipaddress
class FilterGenerator(Walker):
__cidr_cache = {}
@@ -20,8 +20,9 @@ class FilterGenerator(Walker):
@classmethod
def equals(cls, term, value):
"""Check if a term is equal to a value."""
if utils.is_string(term) and utils.is_string(value):
if CidrMatch.ip_compiled.match(term) and CidrMatch.cidr_compiled.match(value):
if is_ipaddress(term) and eql.utils.is_cidr_pattern(value):
# check for an ipv4 cidr
if value not in cls.__cidr_cache:
cls.__cidr_cache[value] = CidrMatch.get_callback(None, eql.ast.String(value))
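Review bot: The comment `# check for an ipv4 cidr` that follows the new condition in the second hunk looks stale: `is_ipaddress(term)` (added to parser.py in this same commit on top of `eql.utils.get_ipaddress`) and `eql.utils.is_cidr_pattern(value)` are not obviously limited to IPv4 the way the replaced `CidrMatch.ip_compiled`/`cidr_compiled` regexes appear to have been, so either the comment should drop "ipv4" or the IPv4-only intent should be re-established explicitly. If IPv6 CIDRs are now accepted here, the cached `CidrMatch.get_callback(...)` path must handle them as well — worth a test case. The body of `equals` continues outside the hunk.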
+10 -3
@@ -40,6 +40,15 @@ with open(grammar_file, "rt") as f:
lark_parser = Lark(grammar, propagate_positions=True, tree_class=KvTree, start=['query'], parser='lalr')
def is_ipaddress(value: str) -> bool:
"""Check if a value is an ip address."""
try:
eql.utils.get_ipaddress(value)
return True
except ValueError:
return False
def wildcard2regex(wc: str) -> re.Pattern:
parts = wc.split("*")
return re.compile("^{regex}$".format(regex=".*?".join(re.escape(w) for w in parts)))
@@ -85,8 +94,6 @@ def elasticsearch_type_family(mapping_type: str) -> str:
class BaseKqlParser(Interpreter):
NON_SPACE_WS = re.compile(r"[^\S ]+")
ip_regex = re.compile("^" + eql.functions.CidrMatch.ip_re + "(/([0-2]?[0-9]|3[0-2]))?$")
unquoted_escapes = {"\\t": "\t", "\\r": "\r", "\\n": "\n"}
for special in "\\():<>\"*{}]":
@@ -223,7 +230,7 @@ class BaseKqlParser(Interpreter):
except ValueError:
pass
elif field_type_family == "ip" and value_type == "keyword":
if "::" in python_value or self.ip_regex.match(python_value) is not None:
if "::" in python_value or is_ipaddress(python_value) or eql.utils.is_cidr_pattern(python_value):
return python_value
elif field_type_family == 'date' and value_type in STRING_FIELDS:
# this will not validate datemath syntax
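Review bot: In the last hunk the `"::" in python_value` shortcut is kept alongside the new `is_ipaddress(python_value)` check; if `eql.utils.get_ipaddress` accepts IPv6 (as the name suggests — confirm), that shortcut is redundant for real addresses and only serves to accept arbitrary keyword values that merely contain `::`, weakening validation of `ip` fields. Dropping it gives `if is_ipaddress(python_value) or eql.utils.is_cidr_pattern(python_value):`. The new `is_ipaddress` helper in the first hunk catches only `ValueError`; if `get_ipaddress` can raise a different exception type for malformed input, that would propagate out of validation, so its contract should be checked or the docstring extended with `Only ValueError from eql.utils.get_ipaddress is treated as "not an address".` The method enclosing the last hunk starts outside it.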
+5 -4
@@ -24,22 +24,23 @@ classifiers = [
dependencies = [
"Click~=8.1.0",
"elasticsearch~=8.1",
"eql==0.9.18",
"eql==0.9.19",
"jsl==0.2.4",
"jsonschema==3.2.0",
"marko",
"marko==2.0.1",
"marshmallow-dataclass[union]~=8.5.12",
"marshmallow-jsonschema~=0.12.0",
"marshmallow-union~=0.1.15",
"marshmallow~=3.13.0",
"pywin32 ; platform_system=='Windows'",
"pytoml",
"pytoml==0.1.21",
"PyYAML~=5.3 ; python_version<='3.9'",
"PyYAML~=6.0.1 ; python_version>='3.10'",
"requests~=2.27",
"toml==0.10.0",
"typing-inspect==0.8.0",
"typing-extensions==4.5.0",
"typing-extensions==4.5.0 ; python_version<='3.11'",
"typing-extensions==4.8.0 ; python_version>='3.12'",
"XlsxWriter~=1.3.6",
"semver==3.0.0-dev.4"
]
+10 -11
@@ -9,10 +9,9 @@
# Description: Replaces PE file that will run on Adobe Reader start.
import os
from pathlib import Path
from . import common
from . import RtaMetadata
from . import RtaMetadata, common
metadata = RtaMetadata(
uuid="2df08481-31db-44a8-b01d-1c0df827bddb",
@@ -23,22 +22,22 @@ metadata = RtaMetadata(
)
@common.requires_os(metadata.platforms)
@common.requires_os(*metadata.platforms)
def main():
rdr_cef_dir = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF"
rdrcef_exe = os.path.join(rdr_cef_dir, "RdrCEF.exe")
rdr_cef_dir = Path("C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF")
rdrcef_exe = rdr_cef_dir / "RdrCEF.exe"
cmd_path = "C:\\Windows\\System32\\cmd.exe"
backup = os.path.abspath("xxxxxx")
backup = Path("xxxxxx").resolve()
backedup = False
# backup original if it exists
if os.path.isfile(rdrcef_exe):
if rdrcef_exe.is_file():
common.log("{} already exists, backing up file.".format(rdrcef_exe))
common.copy_file(rdrcef_exe, backup)
backedup = True
else:
common.log("{} doesn't exist. Creating path.".format(rdrcef_exe))
os.makedirs(rdr_cef_dir)
rdr_cef_dir.mkdir(parents=True)
# overwrite original
common.copy_file(cmd_path, rdrcef_exe)
@@ -47,10 +46,10 @@ def main():
if backedup:
common.log("Putting back backup copy.")
common.copy_file(backup, rdrcef_exe)
os.remove(backup)
backup.unlink()
else:
common.remove_file(rdrcef_exe)
os.removedirs(rdr_cef_dir)
rdr_cef_dir.rmdir()
if __name__ == "__main__":
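Review bot: `rdr_cef_dir.rmdir()` in the last hunk is not equivalent to the `os.removedirs(rdr_cef_dir)` it replaces: `removedirs` also walked upward removing each parent directory once it was empty, whereas `rmdir` removes only the leaf, so the intermediate directories that `rdr_cef_dir.mkdir(parents=True)` creates on the "doesn't exist" branch are now left on the host after cleanup. If full cleanup is intended, keep `os.removedirs(rdr_cef_dir)` (`os` is still imported) or walk `rdr_cef_dir.parents` removing empty directories. The helpers `common.copy_file` and `common.remove_file` now receive `Path` objects instead of strings; confirm they accept path-like arguments, since their definitions are not visible here.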
+1 -1
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
)
@common.requires_os(metadata.platforms)
@common.requires_os(*metadata.platforms)
def main():
masquerade = "/tmp/com.adobe.ARMDC.SMJobBlessHelper"
+1 -1
@@ -21,7 +21,7 @@ metadata = RtaMetadata(
)
@common.requires_os(metadata.platforms)
@common.requires_os(*metadata.platforms)
def main():
# create masquerades
+1 -1
@@ -22,7 +22,7 @@ metadata = RtaMetadata(
)
@common.requires_os(metadata.platforms)
@common.requires_os(*metadata.platforms)
def main():
app_dir = Path("/Applications/test/Contents/")
+1 -1
@@ -28,7 +28,7 @@ metadata = RtaMetadata(
SHIM_FILE = common.get_path("bin", "CVE-2013-3893.sdb")
@common.requires_os(metadata.platforms)
@common.requires_os(*metadata.platforms)
@common.dependencies(SHIM_FILE)
def main():
common.log("Application Compatibility Shims")
+1 -1
@@ -26,7 +26,7 @@ metadata = RtaMetadata(
)
@common.requires_os(metadata.platforms)
@common.requires_os(*metadata.platforms)
def main(target_host=None):
target_host = target_host or common.get_ip()
host_str = "\\\\%s" % target_host
