Back-porting Version Trimming (#3704)

This commit is contained in:
shashank-elastic
2024-05-23 00:45:10 +05:30
committed by GitHub
parent 2c3dbfc039
commit 63e91c2f12
1016 changed files with 12005 additions and 11259 deletions
+1 -1
@@ -6,7 +6,7 @@ on:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14'
default: '8.9,8.10,8.11,8.12,8.13,8.14'
jobs:
pr:
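Review bot: The comment kept above the new default, `# 7.17 was intentionally skipped because it was added late and was bug fix only`, no longer explains the gap a reader will actually notice: 7.17 is far below the new 8.9 floor, while the 8.3–8.8 branches that were removed from the list get no explanation at all. Elsewhere in this commit the stack-schema-map appears to move 8.3–8.8 out of its `## Supported` block, so the reason is presumably the raised minimum stack version. Suggest replacing the comment with `# 8.3-8.8 were dropped when the minimum supported stack version was raised to 8.9 (keep in sync with etc/stack-schema-map.yaml); 7.17 was never listed as it was bug-fix only`. Only the `default:` line changes in this hunk; the rest of the workflow is outside it.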
+57 -14
@@ -812,8 +812,9 @@ def update_navigator_gists(directory: Path, token: str, gist_id: str, print_mark
@dev_group.command('trim-version-lock')
@click.argument('stack_version')
@click.option('--skip-rule-updates', is_flag=True, help='Skip updating the rules')
@click.option('--dry-run', is_flag=True, help='Print the changes rather than saving the file')
def trim_version_lock(stack_version: str, dry_run: bool):
def trim_version_lock(stack_version: str, skip_rule_updates: bool, dry_run: bool):
"""Trim all previous entries within the version lock file which are lower than the min_version."""
stack_versions = get_stack_versions()
assert stack_version in stack_versions, \
@@ -821,36 +822,78 @@ def trim_version_lock(stack_version: str, dry_run: bool):
min_version = Version.parse(stack_version)
version_lock_dict = default_version_lock.version_lock.to_dict()
removed = {}
removed = defaultdict(list)
rule_msv_drops = []
today = time.strftime('%Y/%m/%d')
rc: RuleCollection | None = None
if dry_run:
rc = RuleCollection()
else:
if not skip_rule_updates:
click.echo('Loading rules ...')
rc = RuleCollection.default()
for rule_id, lock in version_lock_dict.items():
file_min_stack: Version | None = None
if 'min_stack_version' in lock:
file_min_stack = Version.parse((lock['min_stack_version']), optional_minor_and_patch=True)
if file_min_stack <= min_version:
removed[rule_id].append(
f'locked min_stack_version <= {min_version} - {"will remove" if dry_run else "removing"}!'
)
rule_msv_drops.append(rule_id)
file_min_stack = None
if not dry_run:
lock.pop('min_stack_version')
if not skip_rule_updates:
# remove the min_stack_version and min_stack_comments from rules as well (and update date)
rule = rc.id_map.get(rule_id)
if rule:
new_meta = dataclasses.replace(
rule.contents.metadata,
updated_date=today,
min_stack_version=None,
min_stack_comments=None
)
contents = dataclasses.replace(rule.contents, metadata=new_meta)
new_rule = TOMLRule(contents=contents, path=rule.path)
new_rule.save_toml()
removed[rule_id].append('rule min_stack_version dropped')
else:
removed[rule_id].append('rule not found to update!')
if 'previous' in lock:
prev_vers = [Version.parse(v, optional_minor_and_patch=True) for v in list(lock['previous'])]
outdated_vers = [f"{v.major}.{v.minor}" for v in prev_vers if v < min_version]
outdated_vers = [v for v in prev_vers if v < min_version]
if not outdated_vers:
continue
# we want to remove all "old" versions, but save the latest that is >= the min version supplied as the new
# stack_version.
latest_version = max(outdated_vers)
if dry_run:
outdated_minus_current = [str(v) for v in outdated_vers if v < stack_version]
if outdated_minus_current:
removed[rule_id] = outdated_minus_current
for outdated in outdated_vers:
popped = lock['previous'].pop(str(outdated))
if outdated >= stack_version:
lock['previous'][str(Version(stack_version[:2]))] = popped
short_outdated = f"{outdated.major}.{outdated.minor}"
popped = lock['previous'].pop(str(short_outdated))
# the core of the update - we only need to keep previous entries that are newer than the min supported
# version (from stack-schema-map and stack-version parameter) and older than the locked
# min_stack_version for a given rule, if one exists
if file_min_stack and outdated == latest_version and outdated < file_min_stack:
lock['previous'][f'{min_version.major}.{min_version.minor}'] = popped
removed[rule_id].append(f'{short_outdated} updated to: {min_version.major}.{min_version.minor}')
else:
removed[rule_id].append(f'{outdated} dropped')
# remove the whole previous entry if it is now blank
if not lock['previous']:
lock.pop('previous')
if dry_run:
click.echo(f'The following versions would be collapsed to {stack_version}:' if removed else 'No changes')
click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items()))
else:
click.echo(f'Changes {"that will be " if dry_run else ""} applied:' if removed else 'No changes')
click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items()))
if not dry_run:
new_lock = VersionLockFile.from_dict(dict(data=version_lock_dict))
new_lock.save_to_file()
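Review bot: A dry run under-reports the rule-side changes: the `rc.id_map.get(rule_id)` lookup and both the `'rule min_stack_version dropped'` and `'rule not found to update!'` messages sit inside `if not dry_run:`, so `--dry-run` never says which rule TOML files would be rewritten or which locked rule IDs have no matching rule, even though `RuleCollection.default()` is still loaded above whenever `--skip-rule-updates` is not given. Moving the lookup out of the dry-run guard and keeping only the `dataclasses.replace`/`save_toml()` path behind it gives the dry run the same report as a real run, which is the point of offering one for a file that gates rule versions. Two smaller things in the same loop: `rule_msv_drops` is appended to but never read in the visible hunk, and the `'dropped'` message formats `outdated` (the `Version` object) while the `'updated to'` message uses `short_outdated`, so the two report lines print versions in different forms. The command's body may continue past the end of this hunk.
```python
            if file_min_stack <= min_version:
                # … unchanged: removed[...] message, rule_msv_drops.append, file_min_stack = None …
                if not skip_rule_updates:
                    # look the rule up in both modes so a dry run also reports missing rules
                    rule = rc.id_map.get(rule_id)
                    if rule is None:
                        removed[rule_id].append('rule not found to update!')
                    elif dry_run:
                        removed[rule_id].append('rule min_stack_version will be dropped')
                    else:
                        # … unchanged: dataclasses.replace(...) and TOMLRule(...).save_toml() …
                        removed[rule_id].append('rule min_stack_version dropped')
                if not dry_run:
                    lock.pop('min_stack_version')
```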
+29 -30
@@ -42,39 +42,38 @@
# beats: "8.2.1"
# ecs: "8.2.1"
# endgame: "1.9.0"
# "8.3.0":
# beats: "8.3.3"
# ecs: "8.3.1"
# endgame: "1.9.0"
# "8.4.0":
# beats: "8.4.3"
# ecs: "8.4.0"
# endgame: "8.4.0"
# "8.5.0":
# beats: "8.5.3"
# ecs: "8.5.2"
# endgame: "8.4.0"
# "8.6.0":
# beats: "8.6.1"
# ecs: "8.6.1"
# endgame: "8.4.0"
# "8.7.0":
# beats: "8.7.0"
# ecs: "8.7.0"
# endgame: "8.4.0"
# "8.8.0":
# beats: "8.8.2"
# ecs: "8.8.0"
# endgame: "8.4.0"
## Supported
"8.3.0":
beats: "8.3.3"
ecs: "8.3.1"
endgame: "1.9.0"
"8.4.0":
beats: "8.4.3"
ecs: "8.4.0"
endgame: "8.4.0"
"8.5.0":
beats: "8.5.3"
ecs: "8.5.2"
endgame: "8.4.0"
"8.6.0":
beats: "8.6.1"
ecs: "8.6.1"
endgame: "8.4.0"
"8.7.0":
beats: "8.7.0"
ecs: "8.7.0"
endgame: "8.4.0"
"8.8.0":
beats: "8.8.2"
ecs: "8.8.0"
endgame: "8.4.0"
"8.9.0":
beats: "8.9.0"
ecs: "8.9.0"
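Review bot: The `## Supported` marker now sits directly above `"8.9.0"`, but nothing in the file records that this floor is duplicated elsewhere — the same commit changes the workflow's `default:` branch list to start at 8.9 and re-keys `previous` entries in the version lock to `8.9` — so the next trim can leave the three out of step. A one-line comment under `## Supported` such as `# first key here is the minimum supported stack version; keep in sync with the lock-versions workflow default and re-run trim-version-lock` would make the coupling visible to whoever edits this next. The retired entries are kept as comments, which is useful history, but a short `# retired when the floor moved to 8.9` above them would say why they are still here. The entries after `"8.9.0"` continue outside this hunk.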
+49 -2521
@@ -2,7 +2,7 @@
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
@@ -16,346 +16,258 @@
"version": 207
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "ac7d08baf88d495e5767d5845ee47e22b500b643e11ca7e806309d30e958a1fc",
"type": "eql",
"version": 112
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.3",
"rule_name": "System Shells via Services",
"sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71",
"type": "eql",
"version": 110
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Suspended User Account Renewed",
"sha256": "cfbc6ffe95e39937d68146e42f932947e2c3c96cc9a42ab296e12bc8c613f5f1",
"type": "query",
"version": 2
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f",
"type": "query",
"version": 206
},
"015cca13-8832-49ac-a01b-a396114809f6": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca",
"type": "query",
"version": 206
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Detected",
"sha256": "931bd95c0fff284b33e383dce3f3fccaf7b0c36b8b6b946b1c39ff5ded2aa8e1",
"type": "threshold",
"version": 5
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"min_stack_version": "8.6",
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf",
"type": "new_terms",
"version": 1
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.3",
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10",
"type": "eql",
"version": 105
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c",
"type": "new_terms",
"version": 1
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"min_stack_version": "8.4",
"rule_name": "Process Created with an Elevated Token",
"sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db",
"type": "eql",
"version": 6
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "8f8844fda927ba3149c7d983e7f7619e33e5745f8b1f389c0e10f3b6ba852e0a",
"type": "eql",
"version": 106
}
},
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac",
"type": "eql",
"version": 208
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"min_stack_version": "8.3",
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "dafd8f85b8e37f96aaabd0405826cb232ac4c2f22571f2878d3a875a0e141da8",
"type": "eql",
"version": 1
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"min_stack_version": "8.3",
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb",
"type": "query",
"version": 106
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573",
"type": "query",
"version": 206
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "5bb8f568879a496363f640b8866b46e0a39fe4e15005cab6f5af9eb499e3584d",
"type": "threshold",
"version": 109
},
"035a6f21-4092-471d-9cda-9e379f459b1e": {
"min_stack_version": "8.3",
"rule_name": "Potential Memory Seeking Activity",
"sha256": "4fa0b41dabe97414e45d4ae961a4c4fd9c445bca04d51659e7251547e80fe258",
"type": "eql",
"version": 2
},
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Dynamic Linker Discovery via od",
"sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8",
"type": "eql",
"version": 2
},
"03a514d9-500e-443e-b6a9-72718c548f6c": {
"min_stack_version": "8.8",
"rule_name": "SSH Process Launched From Inside A Container",
"sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d",
"type": "eql",
"version": 2
},
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Executed From Host",
"sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4",
"type": "threshold",
"version": 3
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"min_stack_version": "8.3",
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494",
"type": "query",
"version": 109
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"min_stack_version": "8.3",
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
"type": "query",
"version": 105
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"min_stack_version": "8.3",
"rule_name": "Azure AD Global Administrator Role Assigned",
"sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9",
"type": "query",
"version": 102
},
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "08eeec4ed1f73497e06767edc13231268e1d647f7b29f0401175d1618d04affa",
"type": "eql",
"version": 110
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through Systemd-udevd",
"sha256": "f62fb7313ec0d7a280a370adae0caf8ba65410a71d6574ade7ab588a95963763",
"type": "new_terms",
"version": 3
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "a85b92effa53537c7a86f7871455c176bc2c48a6928248fa29dcf8a548677730",
"type": "eql",
"version": 110
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.3",
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e",
"type": "eql",
"version": 110
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"min_stack_version": "8.3",
"rule_name": "Tainted Kernel Module Load",
"sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4",
"type": "query",
"version": 4
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"min_stack_version": "8.3",
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754",
"type": "query",
"version": 108
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.3",
"rule_name": "Remote System Discovery Commands",
"sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4",
"type": "eql",
"version": 112
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.3",
"rule_name": "System Time Discovery",
"sha256": "c26f50ed371b312a315bf0bbbc399f65d446218ecd7f63e471538c0e145ea7c9",
"type": "eql",
"version": 7
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Size",
"sha256": "db958e84da3e58cefee53ec77d608ff51199a4e721318451ce091585bb908cc1",
"type": "machine_learning",
"version": 3
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "4e653f97afcad71acd94ddf79e5534455c79986773fc543839900cc60e129d88",
"type": "eql",
"version": 7
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.3",
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c",
"type": "eql",
"version": 110
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.3",
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "4682c4aac80de38bf56894acd47cac808366a9f47329763291361bb23756d3a8",
"type": "eql",
"version": 110
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"min_stack_version": "8.3",
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "092ecb6ac6f1197744e2e114398553fa810674561481b66f9665c3ed95ff0017",
"type": "eql",
"version": 2
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5",
"type": "threshold",
"version": 7
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.3",
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46",
"type": "eql",
"version": 8
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "4ec0b63c545009d7d16d34cd9b95f34edbcf4135f498aa77a805f544b07e6310",
"type": "query",
"version": 5
}
},
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "9df4d9a342110c032419b2564bf6376a9357291ca8b3ead073faf9e5214419e6",
"type": "query",
"version": 106
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Browser Child Process",
"sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be",
"sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be",
"type": "eql",
"version": 107
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"min_stack_version": "8.3",
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
"sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879",
"type": "eql",
"version": 106
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece",
"type": "query",
"version": 106
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Removable Device",
"sha256": "085b5157400c5090fec630066b9c606cb33fa8334b9c49babca8242399a11b91",
"type": "new_terms",
"version": 4
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"min_stack_version": "8.3",
"rule_name": "Windows Account or Group Discovery",
"sha256": "45048599d6d9175e13e297d71afbd3a7d4d80e6d6421abd188c563a5c862bfbb",
"type": "eql",
@@ -368,21 +280,18 @@
"version": 100
},
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993",
"type": "eql",
"version": 107
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"min_stack_version": "8.3",
"rule_name": "Process Termination followed by Deletion",
"sha256": "8628999b147b10ff30f618a79c4aee2123744abc0e2bb05cc8c98d11017145ad",
"type": "eql",
"version": 109
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"min_stack_version": "8.3",
"rule_name": "Member Removed From GitHub Organization",
"sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a",
"type": "eql",
@@ -395,21 +304,18 @@
"version": 100
},
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"min_stack_version": "8.3",
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "bdc3b02c0073ad81ac689ad056327c1e74d84408ac65b51b4738e1fc7c3b5d13",
"type": "eql",
"version": 4
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"min_stack_version": "8.3",
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
"sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53",
"type": "query",
"version": 102
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"min_stack_version": "8.3",
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2",
"type": "query",
@@ -425,7 +331,7 @@
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
@@ -439,58 +345,42 @@
"version": 106
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.3",
"rule_name": "Anomalous Windows Process Creation",
"sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579",
"type": "machine_learning",
"version": 105
},
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"min_stack_version": "8.3",
"rule_name": "User account exposed to Kerberoasting",
"sha256": "830231e34039027f460477ed025efa9ef0a7efb45b9d97d43080f7d9deceeec3",
"type": "query",
"version": 109
},
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"min_stack_version": "8.3",
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "d23957bdc3e4530971529039105978c60ef34d1dda87b408528c03a1d39da1ca",
"type": "eql",
"version": 5
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"min_stack_version": "8.3",
"rule_name": "Processes with Trailing Spaces",
"sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286",
"type": "eql",
"version": 2
},
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel IP Address Indicator Match",
"sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290",
"type": "threat_match",
"version": 6
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.3",
"rule_name": "Peripheral Device Discovery",
"sha256": "f01eac25f9c7d222bc6e12ea4b86f7b4a06d4b76608183e9be91aaf9671427b7",
"type": "eql",
"version": 109
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"min_stack_version": "8.5",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Threat Intel Indicator Match",
"sha256": "7d0bb73186b47e9fa99ec5b21fe2b862b5cbd6432100901fc476e30bced047a3",
"type": "threat_match",
"version": 105
}
},
"rule_name": "Deprecated - Threat Intel Indicator Match",
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
"type": "threat_match",
@@ -504,97 +394,60 @@
"version": 1
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff",
"type": "query",
"version": 106
}
},
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746",
"type": "query",
"version": 206
},
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"min_stack_version": "8.3",
"rule_name": "Multiple Alerts Involving a User",
"sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252",
"type": "threshold",
"version": 3
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"min_stack_version": "8.3",
"rule_name": "Nping Process Activity",
"sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec",
"type": "eql",
"version": 108
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"min_stack_version": "8.3",
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "e6fecbbaa834a04e699f62857b0e60f7e8c9bb3cb40d033165265ace22ac1cbb",
"type": "eql",
"version": 110
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8",
"type": "new_terms",
"version": 1
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "SharePoint Malware File Upload",
"sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579",
"type": "query",
"version": 106
}
},
"rule_name": "SharePoint Malware File Upload",
"sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393",
"type": "query",
"version": 206
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"min_stack_version": "8.3",
"rule_name": "GCP Service Account Key Creation",
"sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b",
"type": "query",
"version": 104
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"min_stack_version": "8.3",
"rule_name": "MsBuild Making Network Connections",
"sha256": "c8013d923873ed418f022b29c77bb4c548a392af89e2a3cd747186d534386880",
"type": "eql",
"version": 109
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "RC Script Creation",
"sha256": "56ff748867dc738357a731cfd37b4ae44c954383780d616e3d9034aed76dd9e1",
"type": "eql",
"version": 6
}
},
"rule_name": "Potential Persistence Through Run Control Detected",
"sha256": "6feb69680930d9a84dce295a56510b4938d7455565609a55b6f340a60f9eee5b",
"type": "new_terms",
"version": 110
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"min_stack_version": "8.3",
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147",
"type": "eql",
@@ -607,30 +460,18 @@
"version": 100
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "62abee660a99e58c72f6c4c79047fea8effc510ba10448a766fc3d03d4a36720",
"type": "threshold",
"version": 106
}
},
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735",
"type": "threshold",
"version": 208
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895",
"type": "query",
"version": 106
},
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS IAM Login Profile Added to User",
"sha256": "aa8a7eac601e73065c58f11ee43537d79be77a14b5a766d34772f5b1cc74c2e9",
"type": "query",
@@ -643,53 +484,30 @@
"version": 100
},
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "WebProxy Settings Modification",
"sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a",
"type": "query",
"version": 106
}
},
"rule_name": "WebProxy Settings Modification",
"sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af",
"type": "query",
"version": 206
},
"11013227-0301-4a8c-b150-4db924484475": {
"min_stack_version": "8.3",
"rule_name": "Abnormally Large DNS Response",
"sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721",
"type": "query",
"version": 105
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "47fb83a4f1705416ad0ba2cf6d42e319617bf0e145a68f21652116832e770309",
"type": "eql",
"version": 110
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "94905ad569d414ab1a3c0037dcdb641498c790debb11ceeea8d3354c9b7acd76",
"type": "eql",
"version": 111
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Snapshot Export",
"sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Snapshot Export",
"sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c",
"type": "query",
@@ -702,30 +520,18 @@
"version": 100
},
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "049b0cbfdd71a4ec9ecdce8350842eb7d32d60c45681f6342878de029adf212a",
"type": "query",
"version": 11
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.3",
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "c0a79cd64ff9bae3ad1545d8a18809dd34644d93ed177bd5f4586a2bb2cb4dba",
"type": "eql",
"version": 112
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7",
"type": "query",
@@ -738,7 +544,6 @@
"version": 100
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "37bda4461229741fa959b9d762f3bf17c0d03378734fbc1a04cbe4563675bea6",
"type": "machine_learning",
@@ -751,83 +556,48 @@
"version": 100
},
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Suspicious Lsass Process Access",
"sha256": "c30f6e62697cdaf210db4d6f79d2686bc91e4427ee7bbaea3468482a88373d5c",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious Lsass Process Access",
"sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554",
"type": "eql",
"version": 107
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Suspicious Self-Subject Review",
"sha256": "658882e3d31e0988978c24743e8f15fb3423fde5b395cbfc75a641548a291359",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Suspicious Self-Subject Review",
"sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec",
"type": "query",
"version": 203
},
"12cbf709-69e8-4055-94f9-24314385c27e": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "00e261301692eeb8bc7453cbea5c4605ca9c6d2ae38199b35ad83ffd4a9d0c4b",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "e48fb5d94222f67fbea19233c7fea01163d00908c3844df80f9e36d5e87ad7b7",
"type": "query",
"version": 203
},
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"min_stack_version": "8.3",
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a",
"type": "eql",
"version": 3
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "07748a896518875c7361a26af5beac29e29097fd6ec0285208e2e88d7df4a538",
"type": "eql",
"version": 111
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471",
"type": "eql",
"version": 108
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"min_stack_version": "8.3",
"rule_name": "Rare User Logon",
"sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679",
"type": "machine_learning",
"version": 104
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"min_stack_version": "8.3",
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "c119669a028d3ccf727586836356bcd2113986db9358089ed57907330b748a73",
"type": "threshold",
@@ -840,137 +610,102 @@
"version": 100
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
"sha256": "e4aac0fcc25bbc7121134faf7852704142d562d2c72bf9973c69b0dfd8d6046c",
"type": "eql",
"version": 4
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"min_stack_version": "8.3",
"rule_name": "Azure External Guest User Invitation",
"sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1",
"type": "query",
"version": 102
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"min_stack_version": "8.3",
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214",
"type": "query",
"version": 103
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"min_stack_version": "8.3",
"rule_name": "Office Test Registry Persistence",
"sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2",
"type": "eql",
"version": 3
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "3d39cfe20aef41ad7da949c25c18b33868177276c2c4ee9af234be4282e68392",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9",
"type": "query",
"version": 203
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "d3adc721588e0ae5b24bc4f24e2615b84100397158efd20f6fa50212746fb697",
"type": "eql",
"version": 109
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"min_stack_version": "8.3",
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4",
"type": "eql",
"version": 3
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "6bc3367c8bea5ce3680aa60ee8341e332dc12fe82786393e1b98fa8130a817c4",
"type": "query",
"version": 110
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "f31b60069f41b2547dfb226805c62256ec852c2b5ec5014524230d20ca42a646",
"type": "eql",
"version": 112
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"min_stack_version": "8.3",
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0",
"type": "eql",
"version": 107
},
"160896de-b66f-42cb-8fef-20f53a9006ea": {
"min_stack_version": "8.8",
"rule_name": "Potential Container Escape via Modified release_agent File",
"sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3",
"type": "eql",
"version": 1
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"min_stack_version": "8.3",
"rule_name": "Azure Automation Runbook Created or Modified",
"sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633",
"type": "query",
"version": 102
},
"166727ab-6768-4e26-b80c-948b228ffc06": {
"min_stack_version": "8.3",
"rule_name": "File Creation Time Changed",
"sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c",
"type": "eql",
"version": 5
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"min_stack_version": "8.3",
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d",
"type": "query",
"version": 106
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS IAM Group Creation",
"sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c",
"type": "query",
"version": 105
}
},
"rule_name": "AWS IAM Group Creation",
"sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1",
"type": "query",
"version": 206
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"min_stack_version": "8.3",
"rule_name": "Component Object Model Hijacking",
"sha256": "0895ba08cf37c96cf8d9fa25aa47f21883cbb621246244853ae74168e9818f08",
"type": "eql",
"version": 113
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.3",
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "59d27ffb2150faa1ebe4b4b332f29ed9b1a561166aa568c6b699a55de0aec81f",
"type": "query",
@@ -984,63 +719,54 @@
"version": 1
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Username",
"sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120",
"type": "machine_learning",
"version": 104
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Service",
"sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a",
"type": "machine_learning",
"version": 103
},
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Powershell Script",
"sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3",
"type": "machine_learning",
"version": 104
},
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5",
"type": "machine_learning",
"version": 103
},
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Remote User",
"sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9",
"type": "machine_learning",
"version": 103
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Service Created by Previously Unknown Process",
"sha256": "a5967e9202be0f4e0df4d0f82dfd5f067e8bc9eea60585cbc5664b744761966d",
"type": "new_terms",
"version": 9
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.3",
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "23f4030c21a08bb1eb019a328b8fe62aeea2683957f343f0399abdff84347b22",
"type": "eql",
"version": 109
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Destination Domain Name",
"sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8",
"type": "machine_learning",
"version": 103
},
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
"min_stack_version": "8.3",
"rule_name": "GCP Logging Sink Modification",
"sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2",
"type": "query",
@@ -1053,169 +779,114 @@
"version": 100
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "3e6623fdaad77b45863a2c6f198c7624d4b02fa0f1934011776802944a3348fb",
"type": "machine_learning",
"version": 3
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f",
"type": "eql",
"version": 4
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Rare AWS Error Code",
"sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Rare AWS Error Code",
"sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec",
"type": "machine_learning",
"version": 208
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "fc1329361d122f9fce2eca535c54dd0b8a1fee4f8d33775b225227e2d4084002",
"type": "machine_learning",
"version": 3
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"min_stack_version": "8.8",
"rule_name": "Suspicious Network Tool Launched Inside A Container",
"sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc",
"type": "eql",
"version": 2
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"min_stack_version": "8.3",
"rule_name": "Azure Application Credential Modification",
"sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a",
"type": "query",
"version": 102
},
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"min_stack_version": "8.3",
"rule_name": "Execution of COM object via Xwizard",
"sha256": "069735bb9cd4e472acbdcba371bd44bb50df1f225267d294773ac746e8ecc9e5",
"type": "eql",
"version": 109
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b",
"type": "query",
"version": 209
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.3",
"rule_name": "User Account Creation",
"sha256": "96534addae6874564d720b53fb0d2b7f621702dd58f3fdebb1d3c69a80f55abb",
"type": "eql",
"version": 109
},
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"min_stack_version": "8.4",
"rule_name": "Process Created with a Duplicated Token",
"sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802",
"type": "eql",
"version": 3
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"min_stack_version": "8.3",
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e",
"type": "eql",
"version": 107
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c",
"type": "query",
"version": 105
}
},
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d",
"type": "query",
"version": 206
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"min_stack_version": "8.3",
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516",
"type": "eql",
"version": 11
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Injection from Malicious Document",
"sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1",
"type": "eql",
"version": 2
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 211,
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45",
"type": "query",
"version": 112
}
},
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7",
"type": "query",
"version": 212
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "dde38b44453671943b7ae6cb4d6fef20e85307ac3723a158fe57ee96d8b1f29d",
"type": "eql",
"version": 113
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"min_stack_version": "8.3",
"rule_name": "Azure Kubernetes Rolebindings Created",
"sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce",
"type": "query",
"version": 102
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"min_stack_version": "8.3",
"rule_name": "New GitHub App Installed",
"sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe",
"type": "eql",
"version": 1
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a",
"type": "eql",
@@ -1229,49 +900,42 @@
"version": 2
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed",
"type": "eql",
"version": 110
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"min_stack_version": "8.3",
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433",
"type": "eql",
"version": 108
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "56bbf0cae42f67fdd41f149363a1891554948e2dbd182c1e0c9fed1a39f36100",
"type": "query",
"version": 6
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "b09a3222c4eab9324474c30ec5eddb3cd13c0f86e3b9776fc690aa77d8fe9e9d",
"type": "eql",
"version": 109
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"min_stack_version": "8.4",
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "eb4c56089e3f5a64944ea09016b315e24d78a78381989d1d29939502318b82f1",
"type": "eql",
"version": 6
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"min_stack_version": "8.3",
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d",
"type": "eql",
"version": 108
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "d83c19a46e9401aef5cd62ba06786de63e0ea6448479965630475a6b00667731",
"type": "eql",
@@ -1280,7 +944,7 @@
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
@@ -1294,107 +958,84 @@
"version": 107
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"min_stack_version": "8.3",
"rule_name": "Azure Storage Account Key Regenerated",
"sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e",
"type": "query",
"version": 102
},
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
"min_stack_version": "8.3",
"rule_name": "Creation of a DNS-Named Record",
"sha256": "9b97868151d1bdb1c5754a996d30cf988232f389c492b7f9132402adae176f75",
"type": "eql",
"version": 1
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"min_stack_version": "8.3",
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "411958937e7a1d399c000c3ee9bc6e256d0b92a5aea3474e468b84f5991e8bed",
"type": "eql",
"version": 3
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0",
"type": "new_terms",
"version": 1
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"min_stack_version": "8.3",
"rule_name": "Unusual Sudo Activity",
"sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c",
"type": "machine_learning",
"version": 103
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"min_stack_version": "8.3",
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762",
"type": "query",
"version": 8
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "3e850845c9653b3956dd9ccfe15415b8f6399a899dd58c87a592f2ae81b921de",
"type": "eql",
"version": 2
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux User Calling the Metadata Service",
"sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9",
"type": "machine_learning",
"version": 103
},
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "276423364d5b8bf0affee9f5efd056cba314fa27ef1d574a4ebe6f5b4e0e542e",
"type": "eql",
"version": 111
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"min_stack_version": "8.3",
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2",
"type": "query",
"version": 103
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.3",
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "5fd6637d01d25848657a37779415e23778a84ee81a913351ee2bbb54701fe88a",
"type": "eql",
"version": 110
},
"202829f6-0271-4e88-b882-11a655c590d4": {
"min_stack_version": "8.3",
"rule_name": "Executable Masquerading as Kernel Process",
"sha256": "fa7e58294659262a26ba947cc59044854477a5a49edc98f0d6f896d91e1d9f6d",
"type": "eql",
"version": 2
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "a137b8929c8afb05318cec2dac421d5e03d1bba700cb7978151e0429bb7a6e53",
"type": "eql",
"version": 110
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297",
"type": "query",
@@ -1403,7 +1044,7 @@
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Access of Stored Browser Credentials",
"sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563",
@@ -1417,14 +1058,12 @@
"version": 207
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.3",
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982",
"type": "eql",
"version": 2
},
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"min_stack_version": "8.3",
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "407aa36a170976cc90021ba2e2b10b9d211b7142cb685d4fcdede10a65073287",
"type": "eql",
@@ -1437,137 +1076,102 @@
"version": 100
},
"210d4430-b371-470e-b879-80b7182aa75e": {
"min_stack_version": "8.3",
"rule_name": "Mofcomp Activity",
"sha256": "a7bd50e06e9eecee6eb4de339db9e9e7ffc5b08ce32a9bc2a119b2aa4f2fdf45",
"type": "eql",
"version": 2
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Child",
"sha256": "cda609fdc97eb250f4f9c03ad3abf9c6760ae78ab03cc3f8fad23789f6ca8ade",
"type": "eql",
"version": 2
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
"sha256": "8b83d7d20910ac09b5cd9f7b2e96a38f9b03f38f314ecf1f779637906818161b",
"type": "new_terms",
"version": 3
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"min_stack_version": "8.3",
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "9252233dd00ddb80533d2b70ccda0987fc97cab21f4fe935dcb0806e07dc9354",
"type": "eql",
"version": 7
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c",
"type": "query",
"version": 104
}
},
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "093ec92b83608b188904a800b2dc5dc20b93d5e0b11e10e6da27f754f44a18e0",
"type": "new_terms",
"version": 205
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"min_stack_version": "8.3",
"rule_name": "SUNBURST Command and Control Activity",
"sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7",
"type": "eql",
"version": 108
},
"227dc608-e558-43d9-b521-150772250bae": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17",
"type": "query",
"version": 106
}
},
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629",
"type": "query",
"version": 207
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"min_stack_version": "8.3",
"rule_name": "Potential Shell via Web Server",
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
"type": "query",
"version": 105
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"min_stack_version": "8.3",
"rule_name": "GCP Storage Bucket Permissions Modification",
"sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604",
"type": "query",
"version": 104
},
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"min_stack_version": "8.3",
"rule_name": "Kernel Module Load via insmod",
"sha256": "3327b2f3c9c739028f181cd20b7cf3e768c7eae5f4363b478ef982fee21b8eb2",
"type": "eql",
"version": 109
},
"2377946d-0f01-4957-8812-6878985f515d": {
"min_stack_version": "8.9",
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
"sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4",
"type": "eql",
"version": 2
},
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
"min_stack_version": "8.6",
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
"sha256": "b160874aab9501cba7d0344a3fcb2181a25f3d7a5067a23804bc3f8abb705dd1",
"type": "new_terms",
"version": 1
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"min_stack_version": "8.3",
"rule_name": "New GitHub Owner Added",
"sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764",
"type": "eql",
"version": 3
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "dcf5239bdf937bd790a721fc5c7fceea3af8c5377ce0b466359a5ebb23a57ed6",
"type": "eql",
"version": 108
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "cbf8a4fc5c8f2ee86365483602e84f800fbd791c3e29fe467f20a6333d47dfc3",
"type": "query",
"version": 1
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5",
"type": "eql",
"version": 4
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"min_stack_version": "8.6",
"rule_name": "Network Activity Detected via Kworker",
"sha256": "6169ab76be1ab1b6d165bc6e91e309957523da07f42cfa74c0b2eabc0fff457b",
"type": "new_terms",
@@ -1581,51 +1185,36 @@
"version": 1
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "412a8490a6178fe02adf3eb8d88b4b119d8af57a0e8583ca4a61a6504c554ab5",
"type": "eql",
"version": 5
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"min_stack_version": "8.3",
"rule_name": "Azure Blob Container Access Level Modification",
"sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534",
"type": "query",
"version": 102
},
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800",
"type": "eql",
"version": 111
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"min_stack_version": "8.3",
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517",
"type": "eql",
"version": 7
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"min_stack_version": "8.3",
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
"sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7",
"type": "query",
"version": 105
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9",
"type": "threshold",
"version": 107
}
},
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633",
"type": "threshold",
@@ -1634,7 +1223,7 @@
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
@@ -1648,60 +1237,36 @@
"version": 105
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "b84e6128363d24d3503b13f1a618bc430f08140f5a82611c3c3e4f3a5271d2b5",
"type": "eql",
"version": 4
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e",
"type": "query",
"version": 206
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b",
"type": "eql",
"version": 109
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Modification",
"sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf",
"type": "query",
"version": 104
},
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56",
"type": "query",
"version": 206
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.3",
"rule_name": "Account Password Reset Remotely",
"sha256": "b3b4c980cf7d25e52dfb1d1cc53500ac0a87c2b13922dccaf6b9de0b389532e7",
"type": "eql",
@@ -1715,21 +1280,18 @@
"version": 1
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
"type": "eql",
"version": 111
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"min_stack_version": "8.3",
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d",
"type": "query",
"version": 103
},
"28738f9f-7427-4d23-bc69-756708b5f624": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67",
"type": "eql",
@@ -1749,44 +1311,30 @@
"version": 2
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"min_stack_version": "8.3",
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "70ed05b5053d1ac43542f1f8ffef64b0cfb2cb35c0a94eb8be86882438034320",
"type": "eql",
"version": 5
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"min_stack_version": "8.6",
"rule_name": "Shell Configuration Modification",
"sha256": "1082bfbb3e988caa2fc49527f3dcd4024a4657a591fb5edc4d08e2ba311ca62c",
"type": "new_terms",
"version": 1
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "193c2c66e45942d40a519ed5a0c174f69daf4d7c4057ce0af2cc77baa1e9658c",
"type": "query",
"version": 206
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "f64dc97be4c992f52e4ecf99c9d964a2d99544bea2d8d33d80ba5e96d62d8f80",
"type": "eql",
"version": 112
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.3",
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc",
"type": "eql",
@@ -1795,14 +1343,7 @@
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3",
"type": "eql",
"version": 108
},
"8.6": {
"8.9": {
"max_allowable_version": 310,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
@@ -1823,148 +1364,96 @@
"version": 1
},
"29ef5686-9b93-433e-91b5-683911094698": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
"sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342",
"type": "new_terms",
"version": 1
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux SSH X11 Forwarding",
"sha256": "359e41830e4fd4bfc9775176917b335b3c9188c05a983a056b52e796d20b6fd7",
"type": "eql",
"version": 3
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"min_stack_version": "8.3",
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "8bfe7f061ea6409e5ec8657a58cc81d8fd705e930ef358d31347a1ee67035391",
"type": "eql",
"version": 6
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "bd95cc69164fae41e991e31ae5435c01f2785e2c361dafea62766db0b0f66a10",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "2704808ccae32f5b44395171db755258b7e7a248df4bab32a33cddb2ac181df0",
"type": "query",
"version": 203
},
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"min_stack_version": "8.5",
"rule_name": "ESXI Discovery via Grep",
"sha256": "7f6bc06878f5c089508b21b556ed4a227c059d655b54717af4863db317dd6504",
"type": "eql",
"version": 6
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.3",
"rule_name": "Adobe Hijack Persistence",
"sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d",
"type": "eql",
"version": 111
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "df6ed2953eabd8c292df3200fc51dd9222b2c0c3fd5b9174f66efb61a28bcd5b",
"type": "eql",
"version": 110
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "de455f667043e9cf42dd5fe4ac1a588f29bf04c9e5ac3c78bf84f5849ae48494",
"type": "eql",
"version": 109
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Enumeration of Kernel Modules",
"sha256": "b3bad6443210cec62c090d0872efcafedb7565ac5fed882aa46afab6073c4e08",
"type": "eql",
"version": 105
}
},
"rule_name": "Enumeration of Kernel Modules",
"sha256": "4f8354117b7013f27de2b6338d831ecebb494b5dd5dc310f3d36de2e9df3e46e",
"type": "new_terms",
"version": 209
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "9aa09b7a6367bc4d21531ae1e5860ac4f0f89b9a2331c0c63032d8fa85c753e5",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328",
"type": "eql",
"version": 211
},
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
"sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c",
"type": "eql",
"version": 3
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e",
"type": "threshold",
"version": 107
}
},
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46",
"type": "threshold",
"version": 207
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"min_stack_version": "8.3",
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "469f29380de3612562dd52d96cf08b2590670a1f0ed5c09882c3caa6420fc78f",
"type": "eql",
"version": 8
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"min_stack_version": "8.3",
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "a23203b35000455d7e15f08f4aa4523ffb4cf37e6277c5ad2afff5dfb75f06d4",
"type": "eql",
"version": 110
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "81ff8ad3429868b3ae4e62b20cdf7861c5912ea5ea56a373eb053a9ba8cafb2d",
"type": "query",
"version": 110
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"min_stack_version": "8.3",
"rule_name": "Accessing Outlook Data Files",
"sha256": "d2e5a15c87b68da8ded83c3f04fd1cc0b2f38a858d9d58825ea43aa5b4d13c9d",
"type": "eql",
@@ -1978,233 +1467,192 @@
"version": 1
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"min_stack_version": "8.3",
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174",
"type": "query",
"version": 104
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.3",
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "04e25e2a367da2d230efdd2c089caf2310ebc0b4555468d52654ae40cd73624f",
"type": "eql",
"version": 110
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"min_stack_version": "8.3",
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
"type": "query",
"version": 101
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652",
"type": "query",
"version": 110
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "8780262dbf51119a57e1482fdc257e16b74e0e78063f08f70039f0e84bd8e10e",
"type": "eql",
"version": 109
},
"2f95540c-923e-4f57-9dae-de30169c68b9": {
"min_stack_version": "8.3",
"rule_name": "Suspicious /proc/maps Discovery",
"sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93",
"type": "eql",
"version": 2
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"min_stack_version": "8.3",
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813",
"type": "eql",
"version": 109
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "c25dfc5c295e5fe0ef6c4bd03401308cc79d8069474d9a66e34a91f53a75d793",
"type": "eql",
"version": 111
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"min_stack_version": "8.9",
"rule_name": "Malicious Remote File Creation",
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Creation",
"sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e",
"type": "query",
"version": 104
},
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"min_stack_version": "8.5",
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea",
"type": "eql",
"version": 8
},
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Network Connection via Sudo Binary",
"sha256": "7c7f71f10f08bbfa8f116046faf6e9487e82a654dc7c8ff4155bbb67fb267058",
"type": "eql",
"version": 2
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"min_stack_version": "8.3",
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46",
"type": "query",
"version": 101
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"min_stack_version": "8.3",
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446",
"type": "query",
"version": 104
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.3",
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c",
"type": "eql",
"version": 112
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0",
"type": "query",
"version": 104
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"min_stack_version": "8.6",
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "2037bc6827adab74cd7f5d34cc9724885806f9d8b3ca6aad279ca53096b8b6f6",
"type": "eql",
"version": 1
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"min_stack_version": "8.3",
"rule_name": "Azure Network Watcher Deletion",
"sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a",
"type": "query",
"version": 102
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"min_stack_version": "8.3",
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea",
"type": "query",
"version": 103
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.3",
"rule_name": "Program Files Directory Masquerading",
"sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa",
"type": "eql",
"version": 109
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3",
"type": "eql",
"version": 111
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM User Addition to Group",
"sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d",
"type": "query",
"version": 108
}
},
"rule_name": "AWS IAM User Addition to Group",
"sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46",
"type": "query",
"version": 209
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"min_stack_version": "8.5",
"rule_name": "ESXI Discovery via Find",
"sha256": "65285808d7e3a2abc4e4eafa9288e8e9c5d82f2dc7fd8f2cf160f7c224988f04",
"type": "eql",
"version": 6
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via PowerShell",
"sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976",
"type": "eql",
"version": 110
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"min_stack_version": "8.8",
"rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container",
"sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6",
"type": "eql",
"version": 1
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"min_stack_version": "8.3",
"rule_name": "GitHub Repository Deleted",
"sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
"type": "eql",
"version": 2
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"min_stack_version": "8.3",
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1",
"type": "query",
"version": 104
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"min_stack_version": "8.3",
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934",
"type": "query",
"version": 106
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.3",
"rule_name": "Port Forwarding Rule Addition",
"sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd",
"type": "eql",
"version": 110
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"min_stack_version": "8.9",
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "67a35f156241abf955e83450c9f9e4de70743aa2b982ae6e96fe95b1734847ac",
"type": "machine_learning",
"version": 3
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "1984aac08fb341387ffbc60fed85f41724c02408e79a0837eebfaff0eea168c3",
"type": "eql",
"version": 111
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"min_stack_version": "8.3",
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82",
"type": "machine_learning",
@@ -2217,51 +1665,36 @@
"version": 100
},
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e",
"type": "eql",
"version": 109
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.3",
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "dd157344f60c0f8cdf534de6a25fd8ec70ae6b174250971f224102c56b1ed3d2",
"type": "eql",
"version": 107
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"min_stack_version": "8.9",
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "9fa7888003d814e16febe8363b55e5c5d98fbebc187b1134b988a70bfa227457",
"type": "machine_learning",
"version": 3
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious File Edit",
"sha256": "ad661308418ae98d99acfbe93160fc7b79bd560af7e212b8b2d582ca93665254",
"type": "eql",
"version": 4
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Security Group Creation",
"sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Security Group Creation",
"sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0",
"type": "query",
"version": 206
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"min_stack_version": "8.3",
"rule_name": "Azure Active Directory High Risk Sign-in",
"sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a",
"type": "query",
@@ -2274,16 +1707,6 @@
"version": 100
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Execution via System Manager",
"sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Execution via System Manager",
"sha256": "5262f35d3a77b7ea661f2c08269986f36b47c9e01836ec71acf45e6f3653b88e",
"type": "query",
@@ -2292,7 +1715,7 @@
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598",
@@ -2308,7 +1731,7 @@
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2",
@@ -2322,81 +1745,54 @@
"version": 207
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Certutil",
"sha256": "6f47f5ed6240c55d50a34719a69f8cc06e2e1a96b3d7dbf8caed23d34f6fb612",
"type": "eql",
"version": 111
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08",
"type": "eql",
"version": 107
}
},
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "3032a13d5103580a7a71c386fb3b0871d65a29e3b195d7c15ef594679579b277",
"type": "eql",
"version": 207
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"min_stack_version": "8.3",
"rule_name": "User Added as Owner for Azure Service Principal",
"sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f",
"type": "query",
"version": 102
},
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "External User Added to Google Workspace Group",
"sha256": "5b576006ba63579d8d410c1b6a505b7129e0e534887b142f08e9778bab82d1a1",
"type": "eql",
"version": 2
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee",
"type": "query",
"version": 206
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"min_stack_version": "8.3",
"rule_name": "Downloaded Shortcut Files",
"sha256": "a78fe7706bba28d2e8916c6285d2aa614ab127534029912e8e9ad9ab133792dc",
"type": "eql",
"version": 2
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3",
"type": "eql",
"version": 107
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.3",
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035",
"type": "eql",
"version": 110
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "b774f07509146c401d27897d918bded4c1725c4bf5e8b457e9a749116e912d1f",
"type": "eql",
@@ -2409,56 +1805,48 @@
"version": 100
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"min_stack_version": "8.3",
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3",
"type": "query",
"version": 104
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"min_stack_version": "8.3",
"rule_name": "Azure Full Network Packet Capture Detected",
"sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d",
"type": "query",
"version": 103
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a",
"type": "new_terms",
"version": 1
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"min_stack_version": "8.3",
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442",
"type": "query",
"version": 103
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f",
"type": "eql",
"version": 110
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.3",
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "9b7f98ccce2835bb0f4a66f0d771402a60aa80c0516f3c461f25258464d92dde",
"type": "eql",
"version": 112
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Port Activity",
"sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9",
"type": "machine_learning",
"version": 103
},
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
"min_stack_version": "8.3",
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "b8cf058fc04d31b542a9af0b67afca6876cd61ca3cbae997f11f1750d0e5c24c",
"type": "eql",
@@ -2467,7 +1855,7 @@
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
@@ -2481,197 +1869,138 @@
"version": 105
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262",
"type": "query",
"version": 209
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "e0f94b4cfe4ca344a1904651585a27509c31993709b1767adc5d92d1e020eb62",
"type": "machine_learning",
"version": 3
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "2a6df6ecfdcec0cacd6cd3fbe669354f173ae5e52c45c067290621e97758d904",
"type": "eql",
"version": 6
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"min_stack_version": "8.3",
"rule_name": "Kernel Driver Load",
"sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc",
"type": "eql",
"version": 4
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Emond Child Process",
"sha256": "7d78dc70f6217f921486f43f26839cb0fe33c9dcd5bfc983e0a3117ce260f1db",
"type": "eql",
"version": 106
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684",
"type": "eql",
"version": 3
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "f7be2ac3e9aac82f91122e2416bba98480072d50a299c9fb593ea60bf876b8d8",
"type": "eql",
"version": 110
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "ef3b36cfe9937ac9e94d85f43e7c8d1eb725f6edec2353a6c3df2745f5d06fbb",
"type": "eql",
"version": 107
}
},
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927",
"type": "eql",
"version": 208
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67",
"type": "threshold",
"version": 107
}
},
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39",
"type": "threshold",
"version": 207
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"min_stack_version": "8.3",
"rule_name": "CyberArk Privileged Access Security Error",
"sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a",
"type": "query",
"version": 102
},
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "506ac5257e3fbd5947ce89f51b4a1154eea0e4245f3b8d26f1579ed36d7de792",
"type": "eql",
"version": 5
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d",
"type": "eql",
"version": 110
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"min_stack_version": "8.3",
"rule_name": "Process Discovery via Built-In Applications",
"sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07",
"type": "eql",
"version": 3
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"min_stack_version": "8.9",
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "2d41f9c292e0cfb545738b9fefb92890c35a74f559c525d8882ff69abb589281",
"type": "machine_learning",
"version": 3
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a User",
"sha256": "605a890392cba9a22d8ca7c2285cf0fe0e562dfeccb201126b50540f02b6567b",
"type": "machine_learning",
"version": 4
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"min_stack_version": "8.3",
"rule_name": "GitHub User Blocked From Organization",
"sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6",
"type": "eql",
"version": 1
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.3",
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "ff437c6e2c47619b352ee9e1a2afc7a9efc07196a586924803b1daaf14e3c9d6",
"type": "eql",
"version": 108
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Suspicious Modprobe File Event",
"sha256": "57d346776e2d53dc371be91bf8eee48d1a5551497057024f0cba657e1b22f6d0",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Modprobe File Event",
"sha256": "2a6caaea58f921647c925b776c5a3263205f0e14402adfb96fe9784742822f0c",
"type": "new_terms",
"version": 107
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"min_stack_version": "8.3",
"rule_name": "Unix Socket Connection",
"sha256": "3205e8361a1f086b49b3af871c969ed11481015e0dff4ac8a9a0d72db9843e22",
"type": "eql",
"version": 2
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.3",
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "aa2506ef37c17be2ee06aaebfabb669748b8247f50e0664debb0e789db74ca71",
"type": "eql",
"version": 111
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d",
"type": "new_terms",
"version": 1
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"min_stack_version": "8.3",
"rule_name": "EggShell Backdoor Execution",
"sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb",
"type": "query",
"version": 103
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"min_stack_version": "8.3",
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a",
"type": "query",
@@ -2685,7 +2014,6 @@
"version": 1
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"min_stack_version": "8.8",
"rule_name": "Interactive Exec Command Launched Against A Running Container",
"sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063",
"type": "eql",
@@ -2694,7 +2022,7 @@
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621",
@@ -2708,126 +2036,108 @@
"version": 208
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.3",
"rule_name": "Process Creation via Secondary Logon",
"sha256": "02389fa2b314a4c1b09a7516f22580f4b91f255f5f87e61cad90039acb6a26b0",
"type": "eql",
"version": 9
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"min_stack_version": "8.3",
"rule_name": "Unusual Login Activity",
"sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c",
"type": "machine_learning",
"version": 103
},
"43303fd4-4839-4e48-b2b2-803ab060758d": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: No User Agent",
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
"type": "query",
"version": 101
},
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"min_stack_version": "8.3",
"rule_name": "Linux User Added to Privileged Group",
"sha256": "3d53c3cf46875865535f808e7c6c2ef22a6d516d653fd23e37c8faaf4d477438",
"type": "eql",
"version": 6
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"min_stack_version": "8.3",
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "83d79f7e35b069d84ce239901a6f3aaabd224e0494355f02c61e2650de4099c6",
"type": "eql",
"version": 110
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Path Activity",
"sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e",
"type": "machine_learning",
"version": 104
},
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb",
"type": "eql",
"version": 3
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.3",
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "24ee5dd513d2411aadcf6700b279d44bb0d803d6514f3d920e7071076e34d242",
"type": "eql",
"version": 10
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Route53 Resolver Query Log Configuration Deleted",
"sha256": "98d3f47b38a2e490eb32fe435fb1a3cdc74636dabc5fe7a97b731551b87ec8cd",
"type": "query",
"version": 1
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"min_stack_version": "8.3",
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a",
"type": "query",
"version": 103
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"min_stack_version": "8.3",
"rule_name": "Windows Event Logs Cleared",
"sha256": "fc09cce15ed08c912228c02d8c8a913febbcfde1263a2410a281a5b780cbc1bd",
"type": "query",
"version": 108
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.3",
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "b3b214a87a2d7efdda2a6e79454b84fdbae8dbfdb3834d1b51bdc0524f4e0b41",
"type": "eql",
"version": 111
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.3",
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "f28a8d21784231d74baa3c2c1bc50c52047b904b90baf5f454eff45f52d1ca07",
"type": "eql",
"version": 111
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"min_stack_version": "8.3",
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "532a6ef376ad303e213a6c18952dbfd541118f748ed30402beff2be0870e927f",
"type": "eql",
"version": 109
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For a Linux Host",
"sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782",
"type": "machine_learning",
"version": 104
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through init.d Detected",
"sha256": "cd769b23546bc7c66a492fb80d7c336f31823e527982f3185a9ad7b4c3686ee1",
"type": "new_terms",
"version": 9
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"min_stack_version": "8.8",
"rule_name": "Sensitive Files Compression Inside A Container",
"sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939",
"type": "eql",
"version": 2
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "78feac62454588684cd56fc409cf666bba314b8537b67f5c8c1ee01afada874f",
"type": "eql",
@@ -2840,244 +2150,186 @@
"version": 100
},
"47f76567-d58a-4fed-b32b-21f571e28910": {
"min_stack_version": "8.3",
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a",
"type": "eql",
"version": 106
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "daa833de111fdd82adf05f6795ee87754f8dd5a0631fdc3857995779eeb0743e",
"type": "eql",
"version": 109
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"min_stack_version": "8.8",
"previous": {
"8.6": {
"max_allowable_version": 104,
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea",
"type": "new_terms",
"version": 5
}
},
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea",
"type": "new_terms",
"version": 105
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell",
"sha256": "d2d12619cc88da5d442a1f223e4ccf1cdb06d037c5ab3440a7814cb9d6b11736",
"type": "eql",
"version": 8
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "9ab25d365ce5c55e8b3447548326215241c5e3e269772cfda3d53460a796bd70",
"type": "eql",
"version": 9
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"min_stack_version": "8.3",
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312",
"type": "eql",
"version": 107
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6",
"type": "query",
"version": 106
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"min_stack_version": "8.3",
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc",
"type": "eql",
"version": 3
},
"493834ca-f861-414c-8602-150d5505b777": {
"min_stack_version": "8.3",
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0",
"type": "threshold",
"version": 101
},
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "13db3c2d1fc38751e03a07125ee9720d077032ecc780b0474951dcffa438ece8",
"type": "eql",
"version": 6
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "e61b1bbcf81ae0a39c5740592307709fdd354ac9c7ca1cff724f403f2683e67e",
"type": "query",
"version": 5
}
},
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "458d45e2d4ec3ad54e104516c1bf827f241392740f457d0b358ed439cea466f4",
"type": "query",
"version": 106
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"min_stack_version": "8.6",
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
"type": "eql",
"version": 3
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"min_stack_version": "8.3",
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "3760e37b4f14a48147ffb42a0e6ac8615c7a41564dcffc483719244adf4aac52",
"type": "eql",
"version": 4
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"min_stack_version": "8.3",
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "42113dd49a2b2df45e90301ac64feac172a5fe2d5ae21baddb22e62943b28082",
"type": "query",
"version": 105
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"min_stack_version": "8.3",
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea",
"type": "eql",
"version": 5
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"min_stack_version": "8.3",
"rule_name": "Potential Cross Site Scripting (XSS)",
"sha256": "0ddba68a65a560e542542a531d9b0222a706b62e38442f5afb342b989f8d70fa",
"type": "eql",
"version": 1
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"min_stack_version": "8.3",
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
"type": "eql",
"version": 6
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "b071ea55c3cd817e5aec99970cd493053e2b94783f1aafb56e89004674a69b22",
"type": "eql",
"version": 110
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"min_stack_version": "8.8",
"rule_name": "Container Workload Protection",
"sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24",
"type": "query",
"version": 4
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"min_stack_version": "8.3",
"rule_name": "ProxyChains Activity",
"sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3",
"type": "eql",
"version": 4
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "3659127431f2145c49922aa110bbe7be12f4776825ee1a24f2409945b3f414f0",
"type": "machine_learning",
"version": 3
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45",
"type": "eql",
"version": 109
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1",
"type": "query",
"version": 9
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"min_stack_version": "8.3",
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "8cdb4afadd73272dc07ee9b31b8a8f1e2ab6d9ba07e75a228d827eb5cedf236e",
"type": "eql",
"version": 6
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "09c72f469d0aca040785500480c6c4086070ace209803e2f0b4f1d79de394a3f",
"type": "threshold",
"version": 106
}
},
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1",
"type": "threshold",
"version": 207
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba",
"type": "query",
"version": 106
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "8bf850df70b51fc76b714e18cd7a173376cb3f8b205d59d19bf4656ff704fada",
"type": "eql",
"version": 112
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "8ed9b11012b3ceb54e839102d8ba6f90c8bc6f8e9c7d2069f8c01d504d8b13ce",
"type": "eql",
"version": 10
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Spawned from MOTD Detected",
"sha256": "5c74f520f2356f579a86fc666a87af41bd62c8e52f1edc1521b9f7bd58b3f461",
"type": "eql",
"version": 8
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.3",
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "46dc5171e6385fc71511dfe5c62bbfb3d211317614112565e2dbd8a177803a7b",
"type": "eql",
"version": 111
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Script Object Execution",
"sha256": "604ff31b37bb88ec61794d51e66317597ae32e1b24ffcd6bc110afddaf9259ed",
"type": "eql",
@@ -3086,7 +2338,7 @@
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
@@ -3107,7 +2359,6 @@
"version": 1
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.3",
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "7e36c4f41ffd47e55fb0504fb3dee66108c384d0a06ec60f2c6de1e2b5d702ef",
"type": "eql",
@@ -3121,109 +2372,78 @@
"version": 2
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.3",
"rule_name": "Windows System Information Discovery",
"sha256": "e7f81d69a9300bde47134faf67e74e663bf52d62682494acfafebc8afa114273",
"type": "eql",
"version": 4
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"min_stack_version": "8.3",
"rule_name": "Hidden Files and Directories via Hidden Flag",
"sha256": "997601d0253b1c3fc65712c6e0e2784ffba03a5f7b3926a5cf5e183aea3006d7",
"type": "eql",
"version": 2
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1",
"type": "eql",
"version": 108
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87",
"type": "query",
"version": 206
},
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
"min_stack_version": "8.3",
"rule_name": "GCP Logging Sink Deletion",
"sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827",
"type": "query",
"version": 104
},
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
"min_stack_version": "8.3",
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
"sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa",
"type": "query",
"version": 2
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a",
"type": "eql",
"version": 108
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325",
"type": "eql",
"version": 7
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6",
"type": "query",
"version": 105
}
},
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce",
"type": "query",
"version": 206
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"min_stack_version": "8.3",
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "1bda048bcd9c1bf57b4b123d710a6c78eb505e8a06f8d13ced365be3a3abfa5d",
"type": "eql",
"version": 112
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"min_stack_version": "8.3",
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
"sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7",
"type": "eql",
"version": 1
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b",
"type": "eql",
"version": 109
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Activity",
"sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7",
"type": "machine_learning",
@@ -3242,37 +2462,24 @@
"version": 100
},
"530178da-92ea-43ce-94c2-8877a826783d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious CronTab Creation or Modification",
"sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab",
"type": "eql",
"version": 106
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.6",
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "f88c3c6d45fbe0bb6e1869423ab9e7667f5019abcead82c85039f1775a2b37ca",
"type": "new_terms",
"version": 8
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990",
"type": "query",
"version": 206
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"min_stack_version": "8.3",
"rule_name": "Azure Diagnostic Settings Deletion",
"sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2",
"type": "query",
@@ -3286,21 +2493,18 @@
"version": 4
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "e67568b9c981e928c8780997ad8a1ad3532c6816c7ba4e0eaf9b8b18c5f3923b",
"type": "eql",
"version": 110
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.3",
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "5932e2f55f6f1e70ca53785865b24d7c502633270fe5df05d898167c0c36ab43",
"type": "eql",
"version": 3
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.3",
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "62ae21bef70ecd1965d7f2e666f067077780c120bcbef93083911dea04b33b17",
"type": "eql",
@@ -3309,7 +2513,7 @@
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 107,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
@@ -3323,35 +2527,30 @@
"version": 108
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.3",
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "c432bc081898b9f4cbbf9aca1bfde2c778015db0534e78dddccc213f25c9ed59",
"type": "eql",
"version": 109
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.3",
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "522f9edf21b4768c2f43e0e448fb38e2603d76177730b764dd66e50b145aa56c",
"type": "query",
"version": 108
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.3",
"rule_name": "PsExec Network Connection",
"sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66",
"type": "eql",
"version": 109
},
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
"min_stack_version": "8.3",
"rule_name": "Windows Installer with Suspicious Properties",
"sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753",
"type": "eql",
"version": 1
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "60181e72437ae398200e9082d83f05217fb1a24754604f6147a583f83048b853",
"type": "machine_learning",
@@ -3365,7 +2564,6 @@
"version": 1
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.3",
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "aac24b839c4f5e1399effca0ee9a8800cd8ceebd4467a9a2785fab8cf4ae6576",
"type": "query",
@@ -3374,7 +2572,7 @@
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Potential Admin Group Account Addition",
"sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4",
@@ -3388,14 +2586,12 @@
"version": 206
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"min_stack_version": "8.3",
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb",
"type": "eql",
"version": 107
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"min_stack_version": "8.3",
"rule_name": "GCP Logging Bucket Deletion",
"sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a",
"type": "query",
@@ -3404,7 +2600,7 @@
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 209,
"rule_name": "PowerShell PSReflect Script",
"sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
@@ -3418,218 +2614,156 @@
"version": 210
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 101,
"rule_name": "Execution of an Unsigned Service",
"sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc",
"type": "eql",
"version": 2
}
},
"rule_name": "Execution of an Unsigned Service",
"sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9",
"type": "new_terms",
"version": 105
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"min_stack_version": "8.3",
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06",
"type": "query",
"version": 104
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"min_stack_version": "8.3",
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234",
"type": "query",
"version": 103
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"min_stack_version": "8.3",
"rule_name": "Azure Virtual Network Device Modified or Deleted",
"sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762",
"type": "query",
"version": 102
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"min_stack_version": "8.3",
"rule_name": "PowerShell MiniDump Script",
"sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b",
"type": "query",
"version": 108
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"min_stack_version": "8.3",
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "8529bac526d51a184db69b13d9f15bf676bc2b0c6152f40ae73019f4dc20c408",
"type": "eql",
"version": 3
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.3",
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "abc7e66357468013a69f39627f5e9976245ba741d55515881174e59942bf5edc",
"type": "eql",
"version": 111
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.3",
"rule_name": "RDP Enabled via Registry",
"sha256": "509028755d9bbaaabe41c984eebff548de67f107f346e42b1b4ee27cd12d5fdb",
"type": "eql",
"version": 111
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"min_stack_version": "8.3",
"rule_name": "Zoom Meeting with no Passcode",
"sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff",
"type": "query",
"version": 103
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"min_stack_version": "8.3",
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "09b2312a59b33f13a4be41c88d7b5a3177bc1c158c0fa3c8118d4f33d7ccfe08",
"type": "eql",
"version": 108
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13",
"type": "eql",
"version": 111
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"min_stack_version": "8.3",
"rule_name": "File or Directory Deletion Command",
"sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a",
"type": "eql",
"version": 3
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935",
"type": "query",
"version": 106
}
},
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef",
"type": "query",
"version": 206
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "AWS CloudTrail Log Created",
"sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26",
"type": "query",
"version": 106
}
},
"rule_name": "AWS CloudTrail Log Created",
"sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7",
"type": "query",
"version": 207
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux User Discovery Activity",
"sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225",
"type": "machine_learning",
"version": 104
},
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4",
"type": "eql",
"version": 109
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Java",
"sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1",
"type": "eql",
"version": 8
},
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
"min_stack_version": "8.3",
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc",
"type": "eql",
"version": 2
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"min_stack_version": "8.3",
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058",
"type": "query",
"version": 106
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"min_stack_version": "8.3",
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30",
"type": "eql",
"version": 109
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"min_stack_version": "8.3",
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2",
"type": "query",
"version": 108
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"min_stack_version": "8.3",
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "9374dc2038bb7999021a8e926287cd2cda2bd1abfa06f2f01d0af8be01679b40",
"type": "eql",
"version": 5
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"min_stack_version": "8.3",
"rule_name": "Suspicious which Enumeration",
"sha256": "ffbcf6b936ee4ef4c9b312ca9bb5da9d942f9a8680301b5f0debf394ad42c5fa",
"type": "eql",
"version": 5
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5",
"type": "eql",
"version": 4
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "2e72ae9c5ca64669617999cec691b8f282cbf159464363b5d821bdddd4edd5d3",
"type": "eql",
"version": 108
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98",
"type": "query",
"version": 105
}
},
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0",
"type": "query",
@@ -3643,116 +2777,84 @@
"version": 2
},
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0",
"type": "query",
"version": 1
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.4",
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "efaf2b94fb44203864342cbbad263757cf61dfe7c9be647fe038694e810170f4",
"type": "new_terms",
"version": 10
},
"5c81fc9d-1eae-437f-ba07-268472967013": {
"min_stack_version": "8.3",
"rule_name": "Segfault Detected",
"sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8",
"type": "query",
"version": 1
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"min_stack_version": "8.6",
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "eba0d9a274b902396a98f70bf3464b3faba30514532b52d48f11de4f46572076",
"type": "eql",
"version": 6
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Process Discovery Activity",
"sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380",
"type": "machine_learning",
"version": 103
},
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"min_stack_version": "8.3",
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4",
"type": "eql",
"version": 7
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.3",
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "63aa403181709c3d123a628bdd843aacbbc3fff0eca0f17fccf30788068d58ef",
"type": "eql",
"version": 108
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"min_stack_version": "8.3",
"rule_name": "User Added to Privileged Group",
"sha256": "b33d6cc34a4b101cc79bc0c7f84cb361bcd02e5318b2295a57ebf4505ef0824d",
"type": "eql",
"version": 109
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.3",
"rule_name": "Persistence via PowerShell profile",
"sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60",
"type": "eql",
"version": 9
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8",
"type": "eql",
"version": 107
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "4051d22fd7d1721a31073f7a8b1173bdced88d11e883da07bafb67030c11d4fd",
"type": "eql",
"version": 108
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906",
"type": "eql",
"version": 106
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "ddbea6e8e6fead49ee6b7eb17b83de0996fdabfef882164c7f04a134f1438293",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "90ed7cc03c1d2f50cb22cde81cefe5234690d44b19be19c4b0029735fa3e4f3a",
"type": "query",
"version": 106
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838",
"type": "query",
@@ -3772,58 +2874,42 @@
"version": 1
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"min_stack_version": "8.3",
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "30c24a512438771d6de13cf9fbc3b909d451f6017b033ea015c1a99fc779f8b5",
"type": "eql",
"version": 1
},
"60884af6-f553-4a6c-af13-300047455491": {
"min_stack_version": "8.3",
"rule_name": "Azure Command Execution on Virtual Machine",
"sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12",
"type": "query",
"version": 102
},
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
"min_stack_version": "8.3",
"rule_name": "Azure Service Principal Addition",
"sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2",
"type": "query",
"version": 105
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9",
"type": "query",
"version": 206
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Network Connection",
"sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c",
"type": "eql",
"version": 108
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"min_stack_version": "8.3",
"rule_name": "New User Added To GitHub Organization",
"sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8",
"type": "eql",
"version": 1
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"min_stack_version": "8.3",
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "371c92a53ff6fe2812871b685def6102afb58b89c536d718eb67344227d117d2",
"type": "eql",
@@ -3832,7 +2918,7 @@
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 212,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
@@ -3852,7 +2938,6 @@
"version": 100
},
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"min_stack_version": "8.3",
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "596066dff727c29d10294ff6d205113bf4bc37e185127d4586a4a53eb1ed9cb0",
"type": "eql",
@@ -3866,70 +2951,60 @@
"version": 1
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e",
"type": "eql",
"version": 107
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.3",
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "bff6971b2108d22178fe7e1ba59610ea438646b4c81a203c7c85e90f0b42b640",
"type": "query",
"version": 108
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"min_stack_version": "8.3",
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
"sha256": "cda94f2b58b70076662143a46548455aa8e987cf042b4b051776a276aa0c495f",
"type": "eql",
"version": 4
},
"63c05204-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab",
"type": "query",
"version": 6
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Denied Service Account Request",
"sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86",
"type": "query",
"version": 5
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Anonymous Request Authorized",
"sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd",
"type": "query",
"version": 6
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Signed Binary",
"sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49",
"type": "eql",
"version": 108
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"min_stack_version": "8.3",
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096",
"type": "machine_learning",
"version": 104
},
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"min_stack_version": "8.3",
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012",
"type": "query",
"version": 106
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "602b297ae58effa807f0bca106916c4f1902c7fa8f5c62bfd282b5b65de72f7b",
"type": "eql",
@@ -3942,58 +3017,42 @@
"version": 100
},
"65f9bccd-510b-40df-8263-334f03174fed": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "c6cf6184bd1e4f3add0ac786022ed97b13163f8ef7278c905b94bcea8447509f",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e",
"type": "query",
"version": 203
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4",
"type": "eql",
"version": 107
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Termination of ESXI Process",
"sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2",
"type": "eql",
"version": 6
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"min_stack_version": "8.3",
"rule_name": "WebServer Access Logs Deleted",
"sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977",
"type": "eql",
"version": 105
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a",
"type": "eql",
"version": 7
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "fd8374f717cf2af735052c2e6070cf34a2f345ffc0817d3633deedef52e54e18",
"type": "eql",
"version": 113
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"min_stack_version": "8.3",
"rule_name": "Linux Process Hooking via GDB",
"sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d",
"type": "eql",
@@ -4002,7 +3061,7 @@
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489",
@@ -4016,7 +3075,6 @@
"version": 206
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.3",
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "9a207172558146d200bc0297376b645cc44023db1b7a8202a16c432936fad1ab",
"type": "query",
@@ -4025,7 +3083,7 @@
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63",
@@ -4039,16 +3097,6 @@
"version": 206
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d",
"type": "query",
"version": 106
}
},
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb",
"type": "query",
@@ -4057,7 +3105,7 @@
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93",
@@ -4077,7 +3125,6 @@
"version": 100
},
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process Terminations",
"sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3",
"type": "threshold",
@@ -4090,23 +3137,12 @@
"version": 100
},
"6839c821-011d-43bd-bd5b-acff00257226": {
"min_stack_version": "8.3",
"rule_name": "Image File Execution Options Injection",
"sha256": "413e961dc4797bf3701be20c749258009705733592d081c9b030aed6a7b8e75c",
"type": "eql",
"version": 107
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "New or Modified Federation Domain",
"sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6",
"type": "query",
"version": 106
}
},
"rule_name": "New or Modified Federation Domain",
"sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8",
"type": "query",
@@ -4115,7 +3151,7 @@
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21",
@@ -4129,252 +3165,162 @@
"version": 205
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "ca27a9f60eec10c769a8b530ccb040f0a6c4218b6af386a6daa5e6ffb6ca381f",
"type": "eql",
"version": 110
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "a8a7d4e956c4cd2733f3d5e26871a367b937a0944420b3eaaca82370b8246a55",
"type": "query",
"version": 105
}
},
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "6efdcc0936767be2538639bc2b7dfc028b4f7d02b590bbfac757314fcec9ce2a",
"type": "query",
"version": 206
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "9e2d92b09b248d78181d6b8283ed595c2560ea046d17365515a8e57f6cb1679c",
"type": "eql",
"version": 107
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399",
"type": "query",
"version": 209
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "307219345f44551ce020e8edcdc4a77f54cae4a0431f6fdd2dd7b9553c93519d",
"type": "eql",
"version": 1
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459",
"type": "eql",
"version": 109
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd",
"type": "query",
"version": 5
}
},
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e",
"type": "query",
"version": 106
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"min_stack_version": "8.5",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "32f01788e2000cbf97dfe76446aa173db05e8a73eac467ec634aec29072ba7e8",
"type": "threat_match",
"version": 105
}
},
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
"type": "threat_match",
"version": 204
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"min_stack_version": "8.3",
"rule_name": "Modification of Boot Configuration",
"sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525",
"type": "eql",
"version": 109
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17",
"type": "query",
"version": 105
}
},
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df",
"type": "query",
"version": 206
},
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "EC2 AMI Shared with Another Account",
"sha256": "269a6ce9b13aedfce015a85a679e1a55ebf3974fdd7cb9b3c9f84411ed85cafc",
"type": "query",
"version": 1
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.3",
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d",
"type": "eql",
"version": 110
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.3",
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f",
"type": "eql",
"version": 111
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2",
"type": "eql",
"version": 7
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Sensitive Files Compression",
"sha256": "271c0de47099ee8a5e049d68bf4d49801b884b81f673df03edceab970daebe19",
"type": "query",
"version": 106
}
},
"rule_name": "Sensitive Files Compression",
"sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50",
"type": "new_terms",
"version": 208
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"min_stack_version": "8.3",
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "4a3308713c74898d9a52d894105c3a41556786008f169b725436c4dbc018ee99",
"type": "eql",
"version": 107
},
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
"min_stack_version": "8.8",
"rule_name": "Container Management Utility Run Inside A Container",
"sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d",
"type": "eql",
"version": 2
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca",
"type": "eql",
"version": 108
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"min_stack_version": "8.3",
"rule_name": "GitHub Repo Created",
"sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09",
"type": "eql",
"version": 1
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For a Windows Host",
"sha256": "f65a12afc06498c72c6fe35834ef48f2c6cee057748963b300cae83e7a411f78",
"type": "machine_learning",
"version": 107
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"min_stack_version": "8.6",
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
"sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0",
"type": "eql",
"version": 4
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "296e88e08cfeb38dd5bfe7c3719ed7ce80f41022b51190abddbedacc66220afa",
"type": "new_terms",
"version": 5
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.3",
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd",
"type": "machine_learning",
"version": 105
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"min_stack_version": "8.3",
"rule_name": "AdminSDHolder Backdoor",
"sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1",
"type": "query",
"version": 106
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e",
"type": "eql",
"version": 107
}
},
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd",
"type": "eql",
"version": 207
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.3",
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "f66c92e627ba4aabff1fb546ee38cbdf15e88ad11a4e5fc9059ba9be41db31f3",
"type": "eql",
"version": 108
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery using WMIC",
"sha256": "191d08e949cb9f57e2853a307b82f336896da072f4dea0054f301ee50bebfd89",
"type": "eql",
@@ -4387,7 +3333,6 @@
"version": 100
},
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8",
"type": "eql",
@@ -4407,16 +3352,6 @@
"version": 1
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Role Modified",
"sha256": "8917dd169608ea491ef3f4c15d53b08aa6747b200e3b62a4bc22da3afb71fc9a",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Role Modified",
"sha256": "cc27c5d907038ca85c5d0c991e541013163f6fccc0bf95c84ac0b4ed62175081",
"type": "query",
@@ -4429,113 +3364,66 @@
"version": 100
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "f23d0872d802001bbc030b70a5f6be00760eb331e2c1ea06a5e57d15d2e336c9",
"type": "query",
"version": 209
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Config Resource Deletion",
"sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Config Resource Deletion",
"sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f",
"type": "query",
"version": 209
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846",
"type": "eql",
"version": 2
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "db796cbae0d063b4f1a54079e8f00e82b333a78701059a9a9962630dd48cc857",
"type": "eql",
"version": 108
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47",
"type": "query",
"version": 106
},
"7164081a-3930-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
"sha256": "86bf8bc61640a49c610c81cef5cb6bd417d85a5160637971eb56c908af7a3bec",
"type": "query",
"version": 4
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "dc67793718c16d2d90d8be38bf310b0ce87c25f4e9c56a66f7a231b80d9922f0",
"type": "query",
"version": 107
}
},
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40",
"type": "new_terms",
"version": 209
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "a3fdba9254d6e0decace5b3bbe34f7365bdb09fb0ab62ce49b0058dc63af0cbc",
"type": "eql",
"version": 114
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.3",
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "e9a9062beb0713d366bd638f7cf733c19ec8aed20b8603b3b0d460618a78aaa2",
"type": "eql",
"version": 109
},
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Passwd File Event Action",
"sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2",
"type": "eql",
"version": 3
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f",
"type": "query",
@@ -4544,7 +3432,7 @@
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c",
@@ -4564,21 +3452,18 @@
"version": 100
},
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9",
"type": "new_terms",
"version": 2
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"min_stack_version": "8.3",
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578",
"type": "eql",
"version": 1
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"min_stack_version": "8.3",
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "65d25ee5fe0482453ec857754eb6d2d3273c48bcef76cea6d9c3843f555d19eb",
"type": "eql",
@@ -4587,7 +3472,7 @@
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Modification of Environment Variable via Launchctl",
"sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb",
@@ -4601,232 +3486,168 @@
"version": 206
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"min_stack_version": "8.3",
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c",
"type": "machine_learning",
"version": 104
},
"746edc4c-c54c-49c6-97a1-651223819448": {
"min_stack_version": "8.3",
"rule_name": "Unusual DNS Activity",
"sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577",
"type": "machine_learning",
"version": 103
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Suspicious Sysctl File Event",
"sha256": "dc62f12237c63e7f170343cc5fcf2587a078f5af5e823d46e6545f8b11a01b90",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Sysctl File Event",
"sha256": "a98b507603e191d5d7b9018614f89020e94baf48aa9ab69666128517e8a282c8",
"type": "new_terms",
"version": 107
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"min_stack_version": "8.3",
"rule_name": "Service Disabled via Registry Modification",
"sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a",
"type": "eql",
"version": 3
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
"sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961",
"type": "query",
"version": 102
},
"76152ca1-71d0-4003-9e37-0983e12832da": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
"sha256": "6dfec898ca5b57352a078ff6ea65a0452985eeac88bb6ca491399544d57be902",
"type": "query",
"version": 103
},
"764c8437-a581-4537-8060-1fdb0e92c92d": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "88a76082a0b05f8b848047174d1517f7746506e91ed2bb2d203255a52f38a8e2",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "beed3f7f4d2a86f155bd96e2903ded43fe8eb75d27f85650778e44bdf7e50982",
"type": "query",
"version": 203
},
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"min_stack_version": "8.3",
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "1ae31d3cb536669955d44bdf92b5c53dfd9868ad3ff5813fe8acee8502eecc41",
"type": "eql",
"version": 10
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa",
"type": "eql",
"version": 110
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb",
"type": "eql",
"version": 106
},
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953",
"type": "eql",
"version": 9
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33",
"type": "eql",
"version": 110
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.3",
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "8ad7865bb2ea255f74f4010cbc3df77b3480c3878500abf1c5ebf0b7c924a7cf",
"type": "eql",
"version": 111
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"min_stack_version": "8.3",
"rule_name": "User Added as Owner for Azure Application",
"sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26",
"type": "query",
"version": 102
},
"7787362c-90ff-4b1a-b313-8808b1020e64": {
"min_stack_version": "8.6",
"rule_name": "UID Elevation from Previously Unknown Executable",
"sha256": "2b60afa9037795b630f1d33a76fcd68f49f3c1ccf9b0da8445765575a2508534",
"type": "new_terms",
"version": 2
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"min_stack_version": "8.3",
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d",
"type": "query",
"version": 104
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Sweep Detected",
"sha256": "a076fa96b47fb15ed66e6f90750fdc91ac7f7cf9e496f47150eba1253dcbc6db",
"type": "threshold",
"version": 5
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "7fa64b656ada94baa0a8d76c00231f99bfd63f0925722bdfeb6528ff90cdef76",
"type": "query",
"version": 104
}
},
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6",
"type": "query",
"version": 205
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"min_stack_version": "8.3",
"rule_name": "Azure Privilege Identity Management Role Modified",
"sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e",
"type": "query",
"version": 105
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Spike in AWS Error Messages",
"sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Spike in AWS Error Messages",
"sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2",
"type": "machine_learning",
"version": 208
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"min_stack_version": "8.3",
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0",
"type": "eql",
"version": 1
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "fc6be263784c700668a9eb4f67231f1786f1750bc929af29d6655989375915c0",
"type": "eql",
"version": 1
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "693613eaf1e2584a9bc56d598ff28225091c888aa886521384faf26f2cc43a45",
"type": "eql",
"version": 6
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"min_stack_version": "8.3",
"rule_name": "File Compressed or Archived into Common Format",
"sha256": "75b814ddab9122b2dde8034d1daadc9731ff977dce815207b7565aad49cda555",
"type": "eql",
"version": 4
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"min_stack_version": "8.3",
"rule_name": "Azure Key Vault Modified",
"sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87",
"type": "query",
"version": 103
},
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912",
"type": "eql",
"version": 4
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.3",
"rule_name": "Potential File Transfer via Certreq",
"sha256": "45f8eda9995222bc895d40fc9bab8fea41954def40702271c8a6b7af7bd09eef",
"type": "eql",
"version": 8
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.3",
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "696545e871e59971a9c77d60fb7f5cb25cbbec8a62cdf6fd167b9ec939efa675",
"type": "query",
@@ -4839,14 +3660,12 @@
"version": 100
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2",
"type": "eql",
"version": 5
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"min_stack_version": "8.3",
"rule_name": "Potential Execution via XZBackdoor",
"sha256": "3b5e1d6fe931166937ac8b2540f9f001897d52336750147eef0f13925a5f0c39",
"type": "eql",
@@ -4859,69 +3678,36 @@
"version": 100
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4",
"type": "query",
"version": 105
}
},
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4",
"type": "query",
"version": 206
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"min_stack_version": "8.3",
"rule_name": "Windows Network Enumeration",
"sha256": "76d42ebe68f574a31fb590b3d96321d2e8d048306a8159b2f0b36be83255e855",
"type": "eql",
"version": 111
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "cfb5125f0705e215f8dc00f7a38fe7454cf24077181b6b9c70068c7e46fbadb6",
"type": "eql",
"version": 106
}
},
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1",
"type": "eql",
"version": 208
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"min_stack_version": "8.3",
"rule_name": "Tampering of Shell Command-Line History",
"sha256": "106aa939e4c87db6570ee327ed6ca3e7f889aca17a71e09044b0b8dc3bed815c",
"type": "eql",
"version": 105
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "b7f72377e6e5c62220a4932b83c0343a304f9e32c6f8df1a2320f97dc666d857",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55",
"type": "query",
"version": 106
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"min_stack_version": "8.3",
"rule_name": "GCP Service Account Creation",
"sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c",
"type": "query",
@@ -4934,104 +3720,66 @@
"version": 100
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Kworker UID Elevation",
"sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a",
"type": "eql",
"version": 2
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2",
"type": "eql",
"version": 109
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 100,
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66",
"type": "eql",
"version": 1
}
},
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee",
"type": "new_terms",
"version": 102
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Timer Created",
"sha256": "c5bf7a856bf289f0687f5916c01098906650541047b786e7a120cd6ec3fbb948",
"type": "new_terms",
"version": 9
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "e8cbeafae45cf6592034b68de6f2166705890d49c7a6e5821b387dfa6c535dc9",
"type": "eql",
"version": 4
}
},
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "a673dd1c8988721179c42b0b788a1b229fce05298dfe5664b54ca535750e4587",
"type": "new_terms",
"version": 106
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Extension",
"sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a",
"type": "eql",
"version": 4
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "237bea63ac52782481baf16b92d59c08e0e799105d378bec92197c4ad8fad8b4",
"type": "eql",
"version": 2
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Unusual City For an AWS Command",
"sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual City For an AWS Command",
"sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199",
"type": "machine_learning",
"version": 208
},
"80c52164-c82a-402c-9964-852533d58be1": {
"min_stack_version": "8.3",
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be",
"type": "query",
"version": 103
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Extension",
"sha256": "e5eeb038f9aa39433fcea8c9410b24a6a1337512da397d2818fc96f5698f767b",
"type": "machine_learning",
"version": 3
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "93f0d3a27ec93093c91f59d6a1bcd1a34b1f007ff0304b857a730c1c6c35f186",
"type": "eql",
@@ -5046,7 +3794,7 @@
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 210,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
@@ -5060,7 +3808,6 @@
"version": 211
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.3",
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "b9eb095355ecc02a827ca56e41a3ccd5fd5fff3c57c2f1a1e16e0f32082bcd46",
"type": "eql",
@@ -5069,7 +3816,7 @@
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a",
@@ -5083,14 +3830,12 @@
"version": 207
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "7951c32071a4f27cf235f88d6d4af14655a24aca293681878a970dc3e3973c1f",
"type": "eql",
"version": 6
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"min_stack_version": "8.3",
"rule_name": "Azure Kubernetes Pods Deleted",
"sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9",
"type": "query",
@@ -5103,143 +3848,84 @@
"version": 100
},
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "1814e77d691d41da88a1ba4c922ef445c031e653b86b5dd166f99cba587157f1",
"type": "eql",
"version": 7
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
"sha256": "ca0cdbc0af36d4bf4a78a1a5f82fca391580b9507566dd67dd281c61cd510c7a",
"type": "new_terms",
"version": 2
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412",
"type": "query",
"version": 5
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"min_stack_version": "8.3",
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759",
"type": "eql",
"version": 3
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "7a9ce57d7b2a5c723facc456a26c549cb5acacc09fe4844360c1af34366c0744",
"type": "eql",
"version": 110
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32",
"type": "eql",
"version": 111
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "8fb4c5a6040d9edf0a32b6e6fd809d366eea096495438e323e148d684c871404",
"type": "new_terms",
"version": 210
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006",
"type": "query",
"version": 206
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9",
"type": "query",
"version": 206
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS IAM Group Deletion",
"sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6",
"type": "query",
"version": 105
}
},
"rule_name": "AWS IAM Group Deletion",
"sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781",
"type": "query",
"version": 206
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
"sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
"type": "eql",
"version": 1
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery via Grep",
"sha256": "de3ae123fbc7d0cb0596b3c5cc6467fdf51f545053665c4f5afdeb758983bc76",
"type": "eql",
"version": 109
},
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "6a87be3b93e4a75c3dbfeba82b7aaa420dd43f042ec1bc9641d5649f8f6850b5",
"type": "eql",
"version": 112
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339",
"type": "query",
@@ -5252,53 +3938,30 @@
"version": 100
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"min_stack_version": "8.6",
"rule_name": "Potential Suspicious Clipboard Activity Detected",
"sha256": "0177e89bdd890b3651f0d3bc7bb08aa7a71cc97d95e6f965d2131a132599a839",
"type": "new_terms",
"version": 4
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66",
"type": "query",
"version": 206
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"min_stack_version": "8.3",
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "e1e70345125002f7b837c9c87a54b449497d0b8a5d4f32f30e24b28185445925",
"type": "eql",
"version": 107
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Potential Sudo Hijacking Detected",
"sha256": "28eba13edb2d9454c08d86938d6bf41ed614c2c32879ec8719cd571c0c9cbef5",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential Sudo Hijacking Detected",
"sha256": "3d49290bdfa2269196ce840768887b0c20588d07f406eef1f33e10c6117246e0",
"type": "new_terms",
"version": 105
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443",
"type": "eql",
@@ -5311,28 +3974,24 @@
"version": 100
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50",
"type": "eql",
"version": 110
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.3",
"rule_name": "Command Prompt Network Connection",
"sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271",
"type": "eql",
"version": 108
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"min_stack_version": "8.3",
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b",
"type": "query",
"version": 106
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "6041852ef2da176bb02a69879e30441c9842802e2b5e06678aaca5653322cf32",
"type": "eql",
@@ -5346,21 +4005,18 @@
"version": 3
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"min_stack_version": "8.3",
"rule_name": "GitHub PAT Access Revoked",
"sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4",
"type": "eql",
"version": 1
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"min_stack_version": "8.3",
"rule_name": "Setuid / Setgid Bit Set via chmod",
"sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5",
"type": "query",
"version": 103
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3",
"type": "eql",
@@ -5369,7 +4025,7 @@
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009",
@@ -5383,149 +4039,120 @@
"version": 206
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Suspicious JAVA Child Process",
"sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16",
"type": "eql",
"version": 105
}
},
"rule_name": "Suspicious JAVA Child Process",
"sha256": "c73d3fa21849f702bf7a08d4182ce1e62bbf2096eef54418fd5faf94e042da75",
"type": "new_terms",
"version": 208
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140",
"type": "eql",
"version": 4
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "8.3",
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298",
"type": "eql",
"version": 108
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"min_stack_version": "8.3",
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "78eb240c8eeeb4d9df8d9454ba4f91306bbffcdf8b395c3a62c87009f89504de",
"type": "eql",
"version": 109
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"min_stack_version": "8.3",
"rule_name": "Azure Kubernetes Events Deleted",
"sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9",
"type": "query",
"version": 102
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"min_stack_version": "8.3",
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b",
"type": "query",
"version": 103
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "a6ecf9a561d41bac0bb75fbf33f868dc71ed4fc5e07f914780fd73c29dcdb1ba",
"type": "eql",
"version": 110
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"min_stack_version": "8.3",
"rule_name": "Potential SharpRDP Behavior",
"sha256": "133e1acd35b1b06ce036bf672f04203863a4f2e1c535cc722321f198d71bffda",
"type": "eql",
"version": 106
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"min_stack_version": "8.3",
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2",
"type": "query",
"version": 103
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483",
"type": "eql",
"version": 11
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"min_stack_version": "8.3",
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0",
"type": "eql",
"version": 3
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"min_stack_version": "8.8",
"rule_name": "Suspicious Interactive Shell Spawned From Inside A Container",
"sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e",
"type": "eql",
"version": 2
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698",
"type": "eql",
"version": 108
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"min_stack_version": "8.3",
"rule_name": "Azure Automation Runbook Deleted",
"sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c",
"type": "query",
"version": 102
},
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
"min_stack_version": "8.3",
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
"sha256": "e724d32f7d8923ac1608a48ba78404bda59c6db4b1475a392ad766f4e0853459",
"type": "eql",
"version": 3
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"min_stack_version": "8.3",
"rule_name": "Bitsadmin Activity",
"sha256": "39ca4c3ed7500f428501bf32d7b5361c687e94b712b9d7742406bb4c804bb53b",
"type": "eql",
"version": 2
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"min_stack_version": "8.3",
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "60451d80b47ef91bfe8095934b32b4899ae705a33e3df155894a58dc67c97ce6",
"type": "eql",
"version": 1
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"min_stack_version": "8.3",
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "bb44b0120653077a52d8fbfb935aa73998db23fe25b3c188024f3a96b09b8e4c",
"type": "eql",
"version": 106
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68",
"type": "eql",
"version": 107
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"min_stack_version": "8.3",
"rule_name": "GCP Service Account Deletion",
"sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb",
"type": "query",
@@ -5538,37 +4165,24 @@
"version": 100
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"min_stack_version": "8.3",
"rule_name": "Hping Process Activity",
"sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c",
"type": "eql",
"version": 108
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241",
"type": "query",
"version": 206
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"min_stack_version": "8.3",
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3",
"type": "eql",
"version": 108
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.3",
"rule_name": "InstallUtil Activity",
"sha256": "b3e654521bd77a07433f951786a8b37f3f4bb9ef9459f8cbfd080af927ebf5f9",
"type": "eql",
@@ -5581,51 +4195,36 @@
"version": 100
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"min_stack_version": "8.3",
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79",
"type": "query",
"version": 104
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c",
"type": "query",
"version": 105
}
},
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1",
"type": "query",
"version": 206
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"min_stack_version": "8.3",
"rule_name": "Unusual Web User Agent",
"sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347",
"type": "machine_learning",
"version": 103
},
"91f02f01-969f-4167-8f55-07827ac3acc9": {
"min_stack_version": "8.3",
"rule_name": "Unusual Web Request",
"sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1",
"type": "machine_learning",
"version": 103
},
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
"min_stack_version": "8.3",
"rule_name": "DNS Tunneling",
"sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea",
"type": "machine_learning",
"version": 103
},
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
"min_stack_version": "8.3",
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9",
"type": "threshold",
@@ -5634,7 +4233,7 @@
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 107,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
@@ -5648,173 +4247,102 @@
"version": 108
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was created",
"sha256": "d54ac464d0549dec4468d4706dfce032e2e8bed176f5ece56f3c6430378aff76",
"type": "eql",
"version": 8
},
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"min_stack_version": "8.3",
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "1985305e54165a73be2bdfd8d6de615ed21edde213a17f11911f0a25cdd28c0c",
"type": "eql",
"version": 3
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860",
"type": "query",
"version": 206
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Sudoers File Modification",
"sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef",
"type": "query",
"version": 103
}
},
"rule_name": "Sudoers File Modification",
"sha256": "f4d948d4c06ecb8fae9ce5be98bc19d8200ccb0e271913c4b2c41c01a45233b2",
"type": "new_terms",
"version": 204
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3",
"type": "query",
"version": 108
}
},
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6",
"type": "query",
"version": 209
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606",
"type": "eql",
"version": 110
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.3",
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851",
"type": "eql",
"version": 107
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "723578f77b081beb3b8a8da703208e1279aa15eba410de837d67b390c4334bbe",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "cab219f6e8b4ccaf91b7f6190f1d098c08ddc5b898d2e1566965ba6039a72657",
"type": "query",
"version": 205
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f",
"type": "query",
"version": 104
}
},
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30",
"type": "new_terms",
"version": 204
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"min_stack_version": "8.3",
"rule_name": "Creation of Kernel Module",
"sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533",
"type": "eql",
"version": 3
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "31677cdb4cb00d90106a66e1b086ad61ada306117acf7b0af9e17d13a96b91f0",
"type": "eql",
"version": 8
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "0c7bcbc73caec8df64f6e5d9c2430357baaef7371ef1f47b25b5f5bd7f6edf7f",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1",
"type": "query",
"version": 106
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "7675d578e4dd24bc57bd2bbf670bfc9415f87ba8a2f3ddf8e8a7c00d3641d5f6",
"type": "query",
"version": 1
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.3",
"rule_name": "Remote Scheduled Task Creation",
"sha256": "efc5bf9425039882bd50862795a48859ffe194bee570ae43e2268a9fbea9fe80",
"type": "eql",
"version": 108
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c",
"type": "query",
"version": 108
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"min_stack_version": "8.8",
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9",
"type": "eql",
"version": 2
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"min_stack_version": "8.3",
"rule_name": "File made Immutable by Chattr",
"sha256": "c2d2cfe2f74f7c4a8901ab56d95245ba900ce8e18c828bf0a2ad894b6260731e",
"type": "eql",
@@ -5823,7 +4351,7 @@
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353",
@@ -5837,53 +4365,30 @@
"version": 205
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
"sha256": "bc9916d1a1cd785c77d6f24073b3b607cdcefc196480e1f09e5e734866ac7fb1",
"type": "new_terms",
"version": 9
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de",
"type": "eql",
"version": 107
}
},
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63",
"type": "eql",
"version": 207
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.3",
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "a3cff32c0bdbd78533b034070c4a270116087312c08ff8511d9bfd520be44f36",
"type": "eql",
"version": 7
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6",
"type": "query",
"version": 206
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"min_stack_version": "8.3",
"rule_name": "GCP Storage Bucket Configuration Modification",
"sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6",
"type": "query",
@@ -5897,16 +4402,6 @@
"version": 1
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS SAML Activity",
"sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d",
"type": "query",
"version": 105
}
},
"rule_name": "AWS SAML Activity",
"sha256": "37af41b152c5085758547bee67d9f0387f5f07fcba690c925338905f100cc43d",
"type": "query",
@@ -5915,7 +4410,7 @@
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
"sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4",
@@ -5929,7 +4424,6 @@
"version": 209
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Zoom Child Process",
"sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976",
"type": "eql",
@@ -5942,7 +4436,6 @@
"version": 100
},
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39",
"type": "eql",
@@ -5955,169 +4448,108 @@
"version": 100
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"min_stack_version": "8.3",
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "361fc9bece9212d2816e83198a13e6951dc8e63c878162f552778218c8711684",
"type": "eql",
"version": 111
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "bca34a9cc93d913e9dd7b38378787f84bffb714c7a1ff0e76fe33c0b81cce627",
"type": "eql",
"version": 3
},
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"min_stack_version": "8.3",
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "1a205cf65c5d3958f5a75ef9944f9e7c7f8edc9dce54de95c5cc236303ed1416",
"type": "eql",
"version": 2
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"min_stack_version": "8.3",
"rule_name": "GCP IAM Service Account Key Deletion",
"sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff",
"type": "query",
"version": 104
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c",
"type": "query",
"version": 206
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e",
"type": "query",
"version": 108
}
},
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1",
"type": "query",
"version": 209
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"min_stack_version": "8.3",
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa",
"type": "query",
"version": 103
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"min_stack_version": "8.3",
"rule_name": "MacOS Installer Package Spawns Network Event",
"sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584",
"type": "eql",
"version": 107
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "482926261657f74d6e44dd1fcdcd25df11184139e079a28e9558d172a94bc94f",
"type": "eql",
"version": 4
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "51227a6967396d84ff70c0b13a8a92fe16f45b0f6824b1cafb1b648ea5d5fddd",
"type": "eql",
"version": 106
}
},
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "2a6ab34b2777b1c0c5811839d0fb72b2778f887ef1ff8f877e8c2a1d8158a292",
"type": "eql",
"version": 209
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "8.3",
"rule_name": "Spike in Failed Logon Events",
"sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f",
"type": "machine_learning",
"version": 104
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"min_stack_version": "8.3",
"rule_name": "Endpoint Security",
"sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d",
"type": "query",
"version": 103
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"min_stack_version": "8.3",
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "6c6b0a4cca70f6f55c5b73ca65607b2b546521f99bef8c3eeec5a873a4cebdcf",
"type": "eql",
"version": 2
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "956ccfb72b0b0545eedcac7869c1de45bcdc05490d5bf7c07da51f94442f4cf8",
"type": "eql",
"version": 6
},
"8.4": {
"max_allowable_version": 207,
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0",
"type": "new_terms",
"version": 108
}
},
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "6d3b04cf53c9662f1a011b9b8d0b412aa1fb0f3bfe1771f6a1807b4bf76c1780",
"type": "new_terms",
"version": 208
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Explorer Child Process",
"sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7",
"type": "eql",
"version": 109
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "70c14e4efec28255020d7227acf60ade921f89c6f4f6f20df7eefe9f083993ce",
"type": "eql",
"version": 109
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.3",
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c",
"type": "eql",
"version": 3
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "36be7f5bc34d95f4e0db0866f200db91e20c57104c47535e70c0579f42c47d7c",
"type": "eql",
@@ -6131,44 +4563,30 @@
"version": 2
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.3",
"rule_name": "Hosts File Modified",
"sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2",
"type": "eql",
"version": 108
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "0f64c28a181949a1efa09b4f30225af7c831dc379510fde5484cb91ebbe9059e",
"type": "eql",
"version": 8
},
"9c951837-7d13-4b0c-be7a-f346623c8795": {
"min_stack_version": "8.3",
"rule_name": "Potential Enumeration via Active Directory Web Service",
"sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1",
"type": "eql",
"version": 2
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057",
"type": "eql",
"version": 110
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "4ca64be8b81634872abafdfb31ec9ad8ac4825ceb19369bc47a5f59f0cd15968",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
"type": "query",
@@ -6181,248 +4599,168 @@
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2",
"type": "eql",
"version": 105
}
},
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c",
"type": "new_terms",
"version": 209
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "c485e1358f4158ae03a14255b6d46e7c55467c0fadf17bb618b1ea57366ef1e1",
"type": "eql",
"version": 110
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "9821305b0eebf7cd0540a8a4af112f0cb88abf4dc3bbbe323ade7a203ccf4b08",
"type": "eql",
"version": 112
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5",
"type": "eql",
"version": 110
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d",
"type": "eql",
"version": 106
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "88f6d6c995a534b5becc1676681e9c43a25e4a30332448f195ec5ae641b8b870",
"type": "new_terms",
"version": 211
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.3",
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "91a18c0e34d966e4822caade08e77bf1677f953f76672f72c51ed95c86968438",
"type": "query",
"version": 106
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"min_stack_version": "8.3",
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8",
"type": "eql",
"version": 106
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5",
"type": "machine_learning",
"version": 103
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079",
"type": "eql",
"version": 110
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via DCSync",
"sha256": "d4d6d4838b5cf551986e8f7b4335f15eb0910a85ed8f40f695e52e1141147407",
"type": "eql",
"version": 113
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "6c93604ac3f7c4e56ba67f913a4b594887a31706b87f87c25ce6fe48e9608fc3",
"type": "eql",
"version": 106
}
},
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "bb48a554acead2212b1c7f843dc9352b7f546a24999c026f249e82bfb88acd46",
"type": "new_terms",
"version": 210
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Access Secret in Secrets Manager",
"sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe",
"type": "query",
"version": 106
},
"8.6": {
"max_allowable_version": 307,
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263",
"type": "new_terms",
"version": 208
}
},
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "378a46774155bf6146f1d357c4e693e994e2122c127ec368b79c9186c4eea17e",
"type": "new_terms",
"version": 310
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was updated",
"sha256": "f72866c48ccae69c487c9485afbf8ca05fc67403d5bda38d738920206c830645",
"type": "eql",
"version": 8
},
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
"sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3",
"type": "eql",
"version": 3
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Topic Creation",
"sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93",
"type": "query",
"version": 105
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"min_stack_version": "8.3",
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f",
"type": "eql",
"version": 107
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"min_stack_version": "8.3",
"rule_name": "File Deletion via Shred",
"sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48",
"type": "eql",
"version": 109
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.3",
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "90670896181f2ae7afdbd86f7ba48b393d39687df3d9ff84a3061265a8c90486",
"type": "eql",
"version": 106
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "45960ca284b367be8f1699088f866e56e2c72c2a5205c1c1ac4a309354ab6119",
"type": "eql",
"version": 7
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"min_stack_version": "8.3",
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99",
"type": "query",
"version": 104
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"min_stack_version": "8.7",
"rule_name": "My First Rule",
"sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29",
"type": "threshold",
"version": 3
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "abc7a656bb0d4f63a1a6e01241d5070bd79d95767ddf50a96416c4cb1e21c0ea",
"type": "eql",
"version": 108
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"min_stack_version": "8.3",
"rule_name": "Linux Group Creation",
"sha256": "7fc88cc105fb44e6b06fe74f60102105a5d43b6174d0e52f9dafb31eda5b1bb7",
"type": "eql",
"version": 5
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.3",
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "6c0ebc416f6fb4c7549a97d6a862ad6d780640637db60c907841fa20c7c70d8a",
"type": "eql",
"version": 109
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
"sha256": "337d1765f1495c27d1a5daf28740c34409d3a57bbf7be559211000d47dd66469",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
"sha256": "89b0c47b77b31a2b7c84dfe6195e371e6678e7153a116dd44c14e22eae50b16c",
"type": "query",
"version": 106
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58",
"type": "query",
"version": 7
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.3",
"rule_name": "Execution via local SxS Shared Module",
"sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525",
"type": "eql",
"version": 108
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"min_stack_version": "8.3",
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "e99c94faaac0789d4c0eb4168bdc6ce7813ec01a2cecbf150147733d63850942",
"type": "eql",
@@ -6435,7 +4773,6 @@
"version": 100
},
"a52a9439-d52c-401c-be37-2785235c6547": {
"min_stack_version": "8.8",
"rule_name": "Netcat Listener Established Inside A Container",
"sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146",
"type": "eql",
@@ -6449,100 +4786,78 @@
"version": 2
},
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"min_stack_version": "8.6",
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "1576ee101633693a68c7a223bc0bf033bf243cde11d3831ca0ba638c6761c681",
"type": "eql",
"version": 6
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
"type": "eql",
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075",
"type": "query",
"version": 108
}
},
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df",
"type": "query",
"version": 209
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"min_stack_version": "8.3",
"rule_name": "Azure Active Directory PowerShell Sign-in",
"sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372",
"type": "query",
"version": 105
},
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6",
"type": "threat_match",
"version": 6
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Office Child Process",
"sha256": "255c381e83fba4080d9c7a3ab7f1997d7a8cb5d664c64a8cd19f0be970ca8ae4",
"type": "eql",
"version": 112
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
"rule_name": "Emond Rules Creation or Modification",
"sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287",
"type": "eql",
"version": 107
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "8.9",
"rule_name": "High Mean of RDP Session Duration",
"sha256": "22baca917bf8d8852f30384b7d4813aa7a370126e0338be3886963d94f2e6b8a",
"type": "machine_learning",
"version": 3
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "ee29d9d05c756fbec35c09510be9ed92564671e5159b5e4afe4d9c4ff65d31ef",
"type": "eql",
"version": 111
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.3",
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "09276f9e697db4a2e29daddbecd34ad8fae5dcd59a2a81e1f5ef2bcfe9c3ba02",
"type": "eql",
"version": 110
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88",
"type": "query",
"version": 102
},
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Downloaded from Google Drive",
"sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295",
"type": "eql",
"version": 3
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"min_stack_version": "8.9",
"rule_name": "High Variance in RDP Session Duration",
"sha256": "0c85e6c7047aef4143e8ed835f2d0fcafad301de7eb334082e04ff5a498e5539",
"type": "machine_learning",
@@ -6555,183 +4870,126 @@
"version": 100
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2",
"type": "query",
"version": 206
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "6b7426c4610c0d99417b08152597279e42d5e7fb9b2a510913b106dddafe7abb",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "de0ced40cd29bb489ca1a27d785bb3d66ba4d0711f5d8d42268c9f8cab7c7df9",
"type": "query",
"version": 205
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "269e37223d35d504bd02023f1fc605e200979bbabb0ee082953950adaf35c4fd",
"type": "eql",
"version": 108
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"min_stack_version": "8.3",
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee",
"type": "query",
"version": 104
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"min_stack_version": "8.3",
"rule_name": "GCP IAM Custom Role Creation",
"sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f",
"type": "query",
"version": 104
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"min_stack_version": "8.3",
"rule_name": "System Log File Deletion",
"sha256": "88dcf75e81a5a91c9684e0298310a93c5b5106d24091836c69728729c85e6246",
"type": "eql",
"version": 110
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
"rule_name": "Remotely Started Services via RPC",
"sha256": "e72234fda58c725e6bbfb3c02d000a1276fc1ff4868a63532863b43b2780d3f8",
"type": "eql",
"version": 112
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"min_stack_version": "8.3",
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
"sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3",
"type": "eql",
"version": 2
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe",
"type": "threat_match",
"version": 7
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
"rule_name": "Remote Execution via File Shares",
"sha256": "8f4c528243e4b7fe54e84e7f66324d47f06fa299e52a0069c9f5d1cdea337050",
"type": "eql",
"version": 111
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51",
"type": "machine_learning",
"version": 103
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Login Hook",
"sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9",
"type": "query",
"version": 108
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WerFault Child Process",
"sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf",
"type": "eql",
"version": 112
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Unusual AWS Command for a User",
"sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual AWS Command for a User",
"sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49",
"type": "machine_learning",
"version": 208
},
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Server",
"sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9",
"type": "eql",
"version": 6
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.3",
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21",
"type": "query",
"version": 108
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "9977bfb82687f6ee557f2f9474b1cac3eb4b8c16af795908ef9b4a20ab600653",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "dff7c67640bd01423d897e090d914f6661f2ccbd00d363315a58d011cac71b65",
"type": "query",
"version": 205
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"min_stack_version": "8.3",
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924",
"type": "eql",
"version": 106
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"min_stack_version": "8.3",
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9",
"type": "threshold",
"version": 108
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a",
"type": "eql",
"version": 108
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.3",
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "692d68785822926e449adf234c3a45035f0a8e73dd87386acac77931c9491543",
"type": "eql",
@@ -6744,121 +5002,96 @@
"version": 100
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "e28b9f491eae0c8a606f9d315389ac4a117e5d30674f8e4f4e1d3be16bc8d9c4",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "d1699c4738c1bd1387584e6a38c367c2f869b0045f7b6e2c635535f2dded6307",
"type": "query",
"version": 205
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d",
"type": "query",
"version": 110
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6",
"type": "query",
"version": 106
},
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
"min_stack_version": "8.3",
"rule_name": "Suspicious APT Package Manager Execution",
"sha256": "9cbc1daea47fb821c72c3e512bbb09b857e9a4b44454631dfe45b495c8adc9fa",
"type": "eql",
"version": 2
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"min_stack_version": "8.3",
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584",
"type": "eql",
"version": 110
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Communication App Child Process",
"sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c",
"type": "eql",
"version": 4
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "80da89056385e4d385d191289e923d9442a852f1c96b7aeb235b36a9e4a0ca35",
"type": "eql",
"version": 3
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184",
"type": "eql",
"version": 5
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"min_stack_version": "8.6",
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "d43a905984d229cdcd4e06eb6b7f44f165c335ebfb4840dde015f22b680c1f92",
"type": "new_terms",
"version": 7
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"min_stack_version": "8.3",
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123",
"type": "eql",
"version": 4
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.3",
"rule_name": "Local Scheduled Task Creation",
"sha256": "5291c4a420b199ea0cda7c00ad93a5114d95d9fcd73a07e12060d164eb0601e6",
"type": "eql",
"version": 107
},
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"min_stack_version": "8.3",
"rule_name": "Network Activity Detected via cat",
"sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6",
"type": "eql",
"version": 6
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19",
"type": "eql",
"version": 5
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"min_stack_version": "8.3",
"rule_name": "Timestomping using Touch Command",
"sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4",
"type": "eql",
"version": 106
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"min_stack_version": "8.3",
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f",
"type": "query",
"version": 106
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"min_stack_version": "8.3",
"rule_name": "Netsh Helper DLL",
"sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9",
"type": "eql",
@@ -6878,95 +5111,66 @@
"version": 100
},
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Share Discovery",
"sha256": "fda7288ed57e11d03d2af7b74755b704d96c32f3c69abe245de1378438bd144f",
"type": "eql",
"version": 3
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"min_stack_version": "8.3",
"rule_name": "Spike in Network Traffic",
"sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6",
"type": "machine_learning",
"version": 103
},
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "f9c74dae522f96b99ef91c8690d3294d5bb57ed3568290e9c6c2b4877c99bbd4",
"type": "eql",
"version": 111
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf",
"type": "query",
"version": 206
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b",
"type": "eql",
"version": 108
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Username",
"sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016",
"type": "machine_learning",
"version": 103
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "01e8d9f7974e3c66e2916edad7f04fe3fbd842ed064a7ac1067df9d6d61ecadf",
"type": "eql",
"version": 111
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "204caab60a2c4641de7b31aaedca2147bb76d02c5e8bae82907f04607536563e",
"type": "eql",
"version": 7
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900",
"type": "query",
"version": 106
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba",
"type": "query",
"version": 105
}
},
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670",
"type": "query",
"version": 206
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"min_stack_version": "8.3",
"rule_name": "At.exe Command Lateral Movement",
"sha256": "041e17a0cd55085d79466cf06aaa8ca81ef2b30a9e42291395534ce27ba0062a",
"type": "eql",
@@ -6975,7 +5179,7 @@
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04",
@@ -6989,49 +5193,42 @@
"version": 206
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via OverlayFS",
"sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93",
"type": "eql",
"version": 5
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Console History",
"sha256": "0d87128fdfdcb58febe6605148de68b8ab413e129191227eca12360248a76681",
"type": "eql",
"version": 111
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "7a7554033f500cdd7964ffd328c581dfbdd9b26c040569d42581504a70e468d3",
"type": "eql",
"version": 111
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Elastic Agent Service Terminated",
"sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671",
"type": "eql",
"version": 106
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "1e8be0b94b78d86bb0d30e6a4e6d28c81c9c5bdf2b9494ac9c0d7fb465491bae",
"type": "eql",
"version": 109
},
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"min_stack_version": "8.3",
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "e589053c5a7013b3bb2c3d76d1617fcdda617b6aa8dbfa31adf5e34b95f095d2",
"type": "eql",
"version": 1
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"min_stack_version": "8.3",
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
"sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09",
"type": "query",
@@ -7040,7 +5237,7 @@
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8",
@@ -7054,7 +5251,6 @@
"version": 206
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"min_stack_version": "8.3",
"rule_name": "Potential Buffer Overflow Attack Detected",
"sha256": "3e26fdf6574102a4aa2b239c1e4420684c6f3527b1aca67cf62cc4b42858a6f4",
"type": "threshold",
@@ -7063,7 +5259,7 @@
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3",
@@ -7077,190 +5273,132 @@
"version": 205
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"min_stack_version": "8.3",
"rule_name": "Linux System Information Discovery",
"sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61",
"type": "eql",
"version": 3
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "40c977b1f7dad3726a8f0c97749e00256994f75580fd498135538a04857e663d",
"type": "query",
"version": 5
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93",
"type": "eql",
"version": 108
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via MsXsl",
"sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266",
"type": "eql",
"version": 106
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.3",
"rule_name": "Kirbi File Creation",
"sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
"type": "eql",
"version": 5
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d",
"type": "eql",
"version": 109
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.3",
"rule_name": "Chkconfig Service Add",
"sha256": "762949859141699af6a491db1a4f5b059db590cbadd27aa2267653760c23d23d",
"type": "eql",
"version": 111
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"min_stack_version": "8.3",
"rule_name": "Discovery of Domain Groups",
"sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677",
"type": "eql",
"version": 2
},
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
"min_stack_version": "8.3",
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
"sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c",
"type": "threshold",
"version": 4
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "7e1d07811eee139eca2af001c453e529a605e642fafc1cadfeac9817862c3f0c",
"type": "query",
"version": 109
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "bbdba9f735a270571a5a0f1df636cdd573417d76ebf91c3ee006046ae88f685d",
"type": "eql",
"version": 110
},
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.3",
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "6cf76bf28c6818bd0c1e9cacc68a44909ca3c50f197b96e96bd34ffd2f935ec8",
"type": "eql",
"version": 109
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Network Activity",
"sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad",
"type": "machine_learning",
"version": 103
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"min_stack_version": "8.3",
"rule_name": "Kernel Driver Load by non-root User",
"sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844",
"type": "eql",
"version": 3
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671",
"type": "eql",
"version": 109
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"min_stack_version": "8.3",
"rule_name": "Azure Resource Group Deletion",
"sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576",
"type": "query",
"version": 102
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834",
"type": "query",
"version": 206
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "OneDrive Malware File Upload",
"sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814",
"type": "query",
"version": 106
}
},
"rule_name": "OneDrive Malware File Upload",
"sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa",
"type": "query",
"version": 206
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"min_stack_version": "8.3",
"rule_name": "Potential SYN-Based Network Scan Detected",
"sha256": "8413e204b3d4d4145ea9cfe859daf5ecaf39fd776bf87f7090a82205de0b5b52",
"type": "threshold",
"version": 5
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee",
"type": "query",
"version": 107
}
},
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3",
"type": "query",
"version": 207
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Root Login Without MFA",
"sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Root Login Without MFA",
"sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157",
"type": "query",
"version": 209
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"min_stack_version": "8.3",
"rule_name": "GCP Storage Bucket Deletion",
"sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d",
"type": "query",
@@ -7274,223 +5412,168 @@
"version": 2
},
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Root Certificate",
"sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972",
"type": "query",
"version": 106
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"min_stack_version": "8.3",
"rule_name": "Azure Conditional Access Policy Modified",
"sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c",
"type": "query",
"version": 102
},
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
"min_stack_version": "8.3",
"rule_name": "Potential Non-Standard Port SSH connection",
"sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26",
"type": "eql",
"version": 5
},
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"min_stack_version": "8.3",
"rule_name": "File and Directory Permissions Modification",
"sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139",
"type": "eql",
"version": 2
},
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
"min_stack_version": "8.3",
"rule_name": "GCP Service Account Disabled",
"sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace",
"type": "query",
"version": 104
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "37e01c0b463876a5acee70bb565d205c8a2e8c5a7b3d99a24e16939f97360a9f",
"type": "query",
"version": 3
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Keylogging Script",
"sha256": "92008de004bfec5733b4d1f7cd48ddbe75ac79f7f3c92d54d71bd7f5447d260d",
"type": "query",
"version": 112
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"min_stack_version": "8.3",
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "f9a5163bfb60ec1ac26ac681518a193a85b03a87dac342a3579a7b2ae3628e0b",
"type": "eql",
"version": 2
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "6214fb2abc887c66d7d514ccfc914faf98cb9befe4cb35f2f58a0e300787eb5c",
"type": "eql",
"version": 106
},
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"min_stack_version": "8.3",
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "3ebba1b3c0653e611e5c1abc4e917c868371220b6fb55954eafa7a8d7c6cf5fe",
"type": "eql",
"version": 7
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.3",
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "c437d0e4938701b867702b775bb69d57f44e45a03be5d63d90f0dcde14ccbf39",
"type": "eql",
"version": 108
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "84baf4890842c179a0724a3835388a16dedfe1046dfd94a9b617aa56b37a7a2f",
"type": "machine_learning",
"version": 4
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Directory",
"sha256": "f6b1ce1e97f8a9dd95bb99809d5d9a7bab6a0922fb0861afadc24970477e3b3f",
"type": "machine_learning",
"version": 3
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.3",
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "a22b02dc207eed11a68b3bf9569d0f06d0bfcc3b14a71b32fc505ee86b53aed4",
"type": "eql",
"version": 109
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "867302d2c993c7e6bb06acb3bb9784e8de51117e6d0fdd1a5a8e040e24fab59f",
"type": "query",
"version": 206
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"min_stack_version": "8.3",
"rule_name": "System Owner/User Discovery Linux",
"sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df",
"type": "eql",
"version": 3
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "385716bc0770d6b023580d5b0a92a34581e351560a3bd43bd4ce2b3b01ef84c1",
"type": "machine_learning",
"version": 3
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.3",
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "630b95897e137de2d3ff315926d388d39ed6ad5c19948a8fe0cb4c564d32b99e",
"type": "eql",
"version": 111
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579",
"type": "eql",
"version": 107
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8",
"type": "eql",
"version": 109
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"min_stack_version": "8.3",
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c",
"type": "eql",
"version": 2
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"min_stack_version": "8.3",
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3",
"type": "query",
"version": 103
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Renaming of ESXI index.html File",
"sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa",
"type": "eql",
"version": 6
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63",
"type": "query",
"version": 206
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 100,
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878",
"type": "eql",
"version": 1
}
},
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43",
"type": "eql",
"version": 102
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "03334e1d43f8d53c06b92628435b5af954f2211ff41ff4ed7467bf8a8065cdef",
"type": "eql",
"version": 110
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Connection Discovery",
"sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d",
"type": "machine_learning",
"version": 103
},
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Folder Action Script",
"sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa",
"type": "eql",
@@ -7504,112 +5587,96 @@
"version": 2
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"min_stack_version": "8.3",
"rule_name": "Mshta Making Network Connections",
"sha256": "7b3bec275d247d0cc1c4772be5f41fcfca282df6146f830777ed87b4c663f7e5",
"type": "eql",
"version": 107
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"min_stack_version": "8.3",
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5",
"type": "query",
"version": 103
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.3",
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156",
"type": "eql",
"version": 107
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"min_stack_version": "8.3",
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
"sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8",
"type": "eql",
"version": 104
},
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"min_stack_version": "8.3",
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "a814b9dc474566b81d9b80f83a1fbb21d506490be5d1a791c6a040402576193e",
"type": "eql",
"version": 109
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff",
"type": "eql",
"version": 107
},
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"min_stack_version": "8.3",
"rule_name": "Windows System Network Connections Discovery",
"sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4",
"type": "eql",
"version": 4
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"min_stack_version": "8.3",
"rule_name": "Attempted Private Key Access",
"sha256": "92447cf8bb6de4a626ecd420b9c64922484cb49f216d13292e833c1abdb4786c",
"type": "eql",
"version": 3
},
"c5677997-f75b-4cda-b830-a75920514096": {
"min_stack_version": "8.3",
"rule_name": "Service Path Modification via sc.exe",
"sha256": "6d70ac346b080bca5ad2083c56ff66bd01f63204483b047353855e7898b39862",
"type": "eql",
"version": 3
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a",
"type": "eql",
"version": 109
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"min_stack_version": "8.3",
"rule_name": "GCP Virtual Private Cloud Network Deletion",
"sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276",
"type": "query",
"version": 104
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f",
"type": "eql",
"version": 108
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"min_stack_version": "8.3",
"rule_name": "Installation of Custom Shim Databases",
"sha256": "7ea702b1b6d7a8309d8d11e16505cb9ca2a3b1c906e7aeadacdefea24d0397b6",
"type": "eql",
"version": 108
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "a8e1a000f912f5f42f3894fdca0458d10666994f165781a4fbd5db031f5a6712",
"type": "eql",
"version": 110
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"min_stack_version": "8.3",
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
"sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f",
"type": "query",
"version": 102
},
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "3338fefccfc7c7d86404c1a054f09f2b43fdbeadba93b27dcfe7c04d6994303f",
"type": "eql",
@@ -7624,7 +5691,7 @@
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a",
@@ -7640,7 +5707,7 @@
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0",
@@ -7654,65 +5721,48 @@
"version": 205
},
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6",
"type": "eql",
"version": 107
},
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "e431240326e0ddb66017b695a15db0269ad7b4e5bde7cf37b10f01159fb9da19",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "276c33d57b4e3046ff3bf3eab838110627d9f8d9214a01036a62561084c6073a",
"type": "query",
"version": 203
},
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "b865aba340d622e5f6840586849e814be1e565d1c59e1fcba5509683315c91cf",
"type": "eql",
"version": 110
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"min_stack_version": "8.3",
"rule_name": "Spike in Network Traffic To a Country",
"sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61",
"type": "machine_learning",
"version": 104
},
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37",
"type": "query",
"version": 107
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"min_stack_version": "8.3",
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67",
"type": "query",
"version": 103
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"min_stack_version": "8.3",
"rule_name": "Direct Outbound SMB Connection",
"sha256": "a30cf230b1215a2e0fd884167dfbb8fd92e5b63fa7a5cb2c9e9a8a306316de4d",
"type": "eql",
"version": 110
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"min_stack_version": "8.3",
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827",
"type": "eql",
@@ -7725,65 +5775,48 @@
"version": 100
},
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"min_stack_version": "8.3",
"rule_name": "Parent Process PID Spoofing",
"sha256": "43c26bdd413e7e6c52b50b9c579663b2ab48285b83a1f794fd636727baf21733",
"type": "eql",
"version": 106
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "a6ee22bb7fef22f21c9792186337bc557bd1aaba670d4de8d077fd7892d46ad2",
"type": "eql",
"version": 8
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "a3f4ddc31c6570250920dc60269e68ec6344884c88aba870fb9998c5c1fb5319",
"type": "eql",
"version": 110
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"min_stack_version": "8.3",
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "2326092f64de27cbf684cdd4130d6f8695d0a42277b02fff7ebcc62350e56411",
"type": "eql",
"version": 110
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51",
"type": "eql",
"version": 5
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"min_stack_version": "8.3",
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3",
"type": "query",
"version": 103
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82",
"type": "query",
"version": 206
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "6b71d73f704e96ab028ab9aa5fef9a3b487e35fe5cc322c1a118c9102720af9a",
"type": "eql",
@@ -7796,39 +5829,18 @@
"version": 100
},
"cac91072-d165-11ec-a764-f661ea17fbce": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "6ab73acfdcd8636a87c0fd8b1342d5e96de8cbd74ed0e4f4dbb689c32a3cbffa",
"type": "eql",
"version": 108
}
},
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "b4f2c9fe5dcc43eb113d00600fc6a7ca5091c0957af96c084ee2d9a790aa3a2a",
"type": "new_terms",
"version": 213
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "a8e10bb292478990aa0c82694fcd3621b81383a8058b87a25449238641d59e3b",
"type": "query",
"version": 107
}
},
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "8a1f92b90737453373b48d24dd4dfd6e29615794a9ccaf5df7ba1a0ecf5d5e2a",
"type": "query",
"version": 207
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Calendar File Modification",
"sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da",
"type": "query",
@@ -7841,7 +5853,6 @@
"version": 100
},
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Enable the Root Account",
"sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d",
"type": "query",
@@ -7855,30 +5866,18 @@
"version": 2
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "fe1015d6d9d15270cdedd676b577c3057d2552db4ce585e3c82437e7999cc037",
"type": "machine_learning",
"version": 3
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "50eab7a58d52dc1eb0e8d8af2d5ca140762dfdf60970d1e7d5fcbf80aff362f4",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "98638b8378e232c3d8a54f3b4ec12fa3eae908ba56a658c7557b22c25766b823",
"type": "query",
"version": 106
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Subscription Deletion",
"sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408",
"type": "query",
@@ -7887,7 +5886,7 @@
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999",
@@ -7901,7 +5900,6 @@
"version": 207
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Herpaderping Attempt",
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
"type": "eql",
@@ -7910,7 +5908,7 @@
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6",
@@ -7930,21 +5928,18 @@
"version": 100
},
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
"min_stack_version": "8.3",
"rule_name": "Anomalous Linux Compiler Activity",
"sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793",
"type": "machine_learning",
"version": 103
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"min_stack_version": "8.3",
"rule_name": "Kernel Module Removal",
"sha256": "8e7fd75b780b1265825a7a783ea3000b983acf3ce3100a49edb797139b01e31f",
"type": "eql",
"version": 109
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"min_stack_version": "8.3",
"rule_name": "Downloaded URL Files",
"sha256": "1a31489f793c58d433963910d8327747a3e7824bf11685358836a38183e8aca0",
"type": "eql",
@@ -7953,7 +5948,7 @@
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
"sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7",
@@ -7969,7 +5964,7 @@
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Okta User Session Impersonation",
"sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5",
@@ -7985,7 +5980,7 @@
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 110,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
@@ -7999,107 +5994,84 @@
"version": 111
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
"type": "new_terms",
"version": 1
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.3",
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "38c701cbddca58faa29370862beddbbc9839ee8f8ef4985c006e2f03acecfdb7",
"type": "eql",
"version": 109
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"min_stack_version": "8.3",
"rule_name": "Cobalt Strike Command and Control Beacon",
"sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967",
"type": "query",
"version": 105
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "c773965d1c83361d3745d38a93d9ac9380056a79a5f3d4ebff542d94a9a369ce",
"type": "query",
"version": 104
}
},
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "15e692b56a4792a0434440ea85ef264cbfb31e1ebd9bdc618a03987f928a53a1",
"type": "query",
"version": 205
},
"cf575427-0839-4c69-a9e6-99fde02606f3": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Activity by User",
"sha256": "2dec950ffa14b4863a879f391b045196709a774f032c8bc35d8f61ba20e2bfff",
"type": "new_terms",
"version": 1
},
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
"min_stack_version": "8.3",
"rule_name": "Trap Signals Execution",
"sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4",
"type": "eql",
"version": 2
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"min_stack_version": "8.3",
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "1e5d776df1e502f5d444b1a1e6cdcfc3de4ad784a603e7e0f23aaed9eae2f766",
"type": "eql",
"version": 112
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"min_stack_version": "8.3",
"rule_name": "Archive File with Unusual Extension",
"sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3",
"type": "eql",
"version": 2
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"min_stack_version": "8.3",
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e",
"type": "eql",
"version": 9
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"min_stack_version": "8.8",
"rule_name": "AWS Credentials Searched For Inside A Container",
"sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e",
"type": "eql",
"version": 1
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "4ec85ed3f6241a6015c998b91cdbbcf438629be2a40cdbfce1a173ebabd7c292",
"type": "eql",
"version": 110
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.3",
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "c8d1d7cc4181248cc8906dbc6d37aa62c162ed9bde92f7b4daf42b912e451197",
"type": "eql",
"version": 111
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"min_stack_version": "8.3",
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2",
"type": "eql",
"version": 5
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"min_stack_version": "8.3",
"rule_name": "Compression DLL Loaded by Unusual Process",
"sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce",
"type": "eql",
@@ -8112,42 +6084,36 @@
"version": 100
},
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"min_stack_version": "8.3",
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2",
"type": "query",
"version": 106
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.3",
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "603191c9e9fe22a6f972c18bfb548360ab4f4b1378a58e8a4a24479548e8b1d0",
"type": "eql",
"version": 110
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Event Logs",
"sha256": "1c0780a844be282bd8fdfb0d608fa65473ba2d01d1a5be9e50e2e08039542576",
"type": "eql",
"version": 112
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.3",
"rule_name": "Remote Windows Service Installed",
"sha256": "63102ba4aec4aaab713fffceebe688d706bb41cdf8bcf23d4055467011cb9fb9",
"type": "eql",
"version": 6
},
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"min_stack_version": "8.3",
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "76b2081709ea9b401fc695d779a14dfa839fbd99eb19c8510b2ea6c5f7e7b4f4",
"type": "eql",
"version": 2
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"min_stack_version": "8.3",
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd",
"type": "eql",
@@ -8156,7 +6122,7 @@
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7",
@@ -8170,35 +6136,30 @@
"version": 205
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7",
"type": "query",
"version": 102
},
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux System Information Discovery Activity",
"sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f",
"type": "machine_learning",
"version": 103
},
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Source IP for a User to Logon from",
"sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041",
"type": "machine_learning",
"version": 103
},
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"min_stack_version": "8.3",
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06",
"type": "eql",
"version": 6
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924",
"type": "eql",
@@ -8212,7 +6173,6 @@
"version": 3
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "42e3e1682134a7ed8c26d9a5ce2bcf4830d6a7af85268a0d2455a75e23119f6c",
"type": "eql",
@@ -8221,7 +6181,7 @@
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6",
@@ -8235,30 +6195,18 @@
"version": 206
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"min_stack_version": "8.3",
"rule_name": "Service Command Lateral Movement",
"sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42",
"type": "eql",
"version": 107
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578",
"type": "query",
"version": 209
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Subscription Creation",
"sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4",
"type": "query",
@@ -8271,155 +6219,102 @@
"version": 100
},
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"min_stack_version": "8.3",
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "e564b576c629a29ec8088864b78c7c81c8d46453cc5e038a33fdd24d4a3a2641",
"type": "eql",
"version": 10
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91",
"type": "query",
"version": 206
},
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"min_stack_version": "8.3",
"rule_name": "Modification of WDigest Security Provider",
"sha256": "c7b2137213e37ccba915d2c30fa260188c065d8e939c56b72e4fd1f4001d72df",
"type": "eql",
"version": 109
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.3",
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "84b33e85f61fe174e8ec6980e6480028773e96980d267505f090cfa2d2460192",
"type": "eql",
"version": 111
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d",
"type": "query",
"version": 206
},
"d74d6506-427a-4790-b170-0c2a6ddac799": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Memory grep Activity",
"sha256": "b142483255de74b46aa32d1dd3a28f2821bb97997be6bae899e84c0d30fa9165",
"type": "eql",
"version": 2
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "SystemKey Access via Command Line",
"sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d",
"type": "query",
"version": 106
}
},
"rule_name": "SystemKey Access via Command Line",
"sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091",
"type": "query",
"version": 206
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"min_stack_version": "8.3",
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541",
"type": "eql",
"version": 110
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"min_stack_version": "8.3",
"rule_name": "Azure Blob Permissions Modification",
"sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f",
"type": "query",
"version": 103
},
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
"min_stack_version": "8.3",
"rule_name": "Spike in Logon Events",
"sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203",
"type": "machine_learning",
"version": 103
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"min_stack_version": "8.3",
"rule_name": "SMTP on Port 26/TCP",
"sha256": "8bf03857acd5416922cae6018a42266418009a83c60f4fa6388d0ac603af5f0b",
"type": "query",
"version": 104
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"min_stack_version": "8.3",
"rule_name": "Untrusted Driver Loaded",
"sha256": "9b90c86424390fccfc1959785af10eeade5e654612545617582dca1058cb17b8",
"type": "eql",
"version": 8
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53",
"type": "query",
"version": 108
}
},
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "e70bcba5f981ab9bc5d058baf0631ea65c4172e55502ae1f6b6fceeca1035906",
"type": "query",
"version": 209
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1",
"type": "eql",
"version": 111
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "9ebf3042fc83b25b6a39a0cc87927cefb341ebb08bcce8749b4e07166ba98d0d",
"type": "eql",
"version": 9
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "6ede570261a72bdcdf1e10f2f1fa1f9d331da8df7293f982df1b311120e88083",
"type": "query",
"version": 3
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694",
"type": "eql",
@@ -8432,42 +6327,36 @@
"version": 100
},
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"min_stack_version": "8.4",
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "fb420a72b427d67311f02098a93854b2a6bd5c733b6cbca4275ee920329b9b9e",
"type": "new_terms",
"version": 3
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"min_stack_version": "8.3",
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
"sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee",
"type": "query",
"version": 105
},
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"min_stack_version": "8.3",
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474",
"type": "eql",
"version": 3
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.3",
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "3bcb0230882be5c94ef22fde8ca625bfde5e40e20e1e545cf8a0f68d01c7e8f3",
"type": "eql",
"version": 6
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"min_stack_version": "8.3",
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65",
"type": "query",
"version": 103
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0",
"type": "eql",
@@ -8480,132 +6369,90 @@
"version": 100
},
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"min_stack_version": "8.3",
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "abccbf694da0eb306df7f606501df6d3e19475e12fbcd106342e187528d0ecf7",
"type": "eql",
"version": 8
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "2d9e1771d9606f5f38126860db0e8757d223c30ae4a1b3b93d60ac17b0127a99",
"type": "eql",
"version": 110
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Unusual Country For an AWS Command",
"sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Country For an AWS Command",
"sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561",
"type": "machine_learning",
"version": 208
},
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "6b58cc9b14a7fac5ea7f584782e3f3c7161f78158b1ce3fe3c33928ebba3d84d",
"type": "eql",
"version": 2
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "51ebf76d12a58d9db10b3a9d16c79ee0ae0672fa77f9fd0682b3796a7520351a",
"type": "eql",
"version": 7
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Reverse Shell Created via Named Pipe",
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
"type": "eql",
"version": 6
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"min_stack_version": "8.3",
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "6c3d142ca53ffc037b333b4699eb891e35c11d1ca95aa3ae6347fb173bc33735",
"type": "eql",
"version": 108
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a",
"type": "eql",
"version": 110
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"min_stack_version": "8.3",
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977",
"type": "eql",
"version": 110
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 101,
"rule_name": "Query Registry using Built-in Tools",
"sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd",
"type": "eql",
"version": 2
}
},
"rule_name": "Query Registry using Built-in Tools",
"sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd",
"type": "new_terms",
"version": 105
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"min_stack_version": "8.6",
"rule_name": "First Time Seen Driver Loaded",
"sha256": "7e66246ea00c9698fbfa57311793c02739cbad96d59bd88bbda9dbc752e4ac58",
"type": "new_terms",
"version": 7
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce",
"type": "machine_learning",
"version": 103
},
"df26fd74-1baa-4479-b42e-48da84642330": {
"min_stack_version": "8.3",
"rule_name": "Azure Automation Account Created",
"sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669",
"type": "query",
"version": 102
},
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"min_stack_version": "8.3",
"rule_name": "Dynamic Linker Copy",
"sha256": "abf419807a9782b1ea278f1682ee0d5be74e340e248aa42cb3303c3a41892725",
"type": "eql",
"version": 108
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "8504c3a7241f7cfb70d23f3d06e6f6c5191c15f0ac37578efdc476c6230b04a6",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "b912b62e03d307861dc557cdbfc8fe17d54f7b8a394fee4ec9e46e4539393622",
"type": "query",
@@ -8618,35 +6465,30 @@
"version": 100
},
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"min_stack_version": "8.3",
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "6c482e61313171b3dc7b0d4085b1103871e12cb403c6fa1d2048781f9e805253",
"type": "eql",
"version": 1
},
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"min_stack_version": "8.3",
"rule_name": "Delayed Execution via Ping",
"sha256": "c6fa799b2b134a4e7c34302b0b8f543c54dd38aaba6bfa93b1933a3374e41c71",
"type": "eql",
"version": 2
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"min_stack_version": "8.3",
"rule_name": "Azure Firewall Policy Deletion",
"sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0",
"type": "query",
"version": 102
},
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"min_stack_version": "8.3",
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "13d64c92f3533756a0657f2f8db2a099ab8cf25d1b5d1722dc5b880ec815bf34",
"type": "query",
"version": 107
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.3",
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "c1e96e42705eb2de534b4ce6fa40b16c522e2bb6f8f8a0f0ff6ea140ff22680b",
"type": "eql",
@@ -8655,7 +6497,7 @@
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0",
@@ -8669,81 +6511,54 @@
"version": 208
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"min_stack_version": "8.3",
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "da9fb3e751cf2aca3b76ff6969e48fb1e4f477f4832888b32a57290109f5982a",
"type": "eql",
"version": 4
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"min_stack_version": "7.16",
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
"type": "eql",
"version": 100
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"min_stack_version": "8.3",
"rule_name": "Azure Event Hub Deletion",
"sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7",
"type": "query",
"version": 102
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route Table Created",
"sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route Table Created",
"sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5",
"type": "query",
"version": 207
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Cluster Creation",
"sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Cluster Creation",
"sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6",
"type": "query",
"version": 206
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"min_stack_version": "8.3",
"rule_name": "Connection to External Network via Telnet",
"sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5",
"type": "eql",
"version": 107
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "2dfa5553eab948bb3ad46437fda2847c3d2d98e63aa80c10f1b8a179eb44b650",
"type": "machine_learning",
"version": 3
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9",
"type": "eql",
"version": 6
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"min_stack_version": "8.3",
"rule_name": "Spike in Successful Logon Events from a Source IP",
"sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff",
"type": "machine_learning",
@@ -8752,7 +6567,7 @@
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 211,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
@@ -8773,95 +6588,66 @@
"version": 2
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Management Console Root Login",
"sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Management Console Root Login",
"sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd",
"type": "query",
"version": 209
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"min_stack_version": "8.3",
"rule_name": "System Network Connections Discovery",
"sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1",
"type": "eql",
"version": 3
},
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "3e63bc85075d9b743e6bf54268defc21c112e95ddb806edfb8a78a3ab78903bc",
"type": "eql",
"version": 7
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "bee7840c66166d2669fe2c9007db541d327d9ea4a3fdfda0b9c233e216e4a37d",
"type": "eql",
"version": 111
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"min_stack_version": "8.3",
"rule_name": "GCP IAM Role Deletion",
"sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe",
"type": "query",
"version": 104
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"min_stack_version": "8.3",
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "6cef2e899c6b4e9645a167a889392bdc93d93b0cdbefafa881495069c49f284e",
"type": "eql",
"version": 110
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525",
"type": "query",
"version": 206
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"min_stack_version": "8.3",
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462",
"type": "query",
"version": 103
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e",
"type": "eql",
"version": 107
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"min_stack_version": "8.3",
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "20a809b0c9d105e502a250b3d41b6934687bf4d74fbbedd98cef83bdf6d2658b",
"type": "eql",
"version": 110
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "9a219e929d52b9d5fd2593524c043db217318eb6f540793dae2c595418f5dc02",
"type": "new_terms",
@@ -8870,7 +6656,7 @@
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456",
@@ -8884,30 +6670,18 @@
"version": 206
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"min_stack_version": "8.3",
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "c47f1f706cc482c626dc8045250f798362338387db47fe387412408b6be3bae1",
"type": "eql",
"version": 105
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "f31d2b25f3d2f895e14eab6c7ec29719c97852d5f2f99b2fa9357b9637c2f510",
"type": "query",
"version": 110
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "2c13a6fc437d2115e97e6e81a6d555601f5f93d05f444b9935bf76d94877c049",
"type": "query",
"version": 104
}
},
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "91e053deeef1fbe832a95085ef68f2122ba06d94e64114a2d0e61cf3f1d64d6f",
"type": "query",
@@ -8920,14 +6694,12 @@
"version": 100
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"min_stack_version": "8.3",
"rule_name": "Bash Shell Profile Modification",
"sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3",
"type": "query",
"version": 104
},
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"min_stack_version": "8.3",
"rule_name": "Authorization Plugin Modification",
"sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e",
"type": "query",
@@ -8936,7 +6708,7 @@
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Possible Okta DoS Attack",
"sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391",
@@ -8950,125 +6722,84 @@
"version": 205
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"min_stack_version": "8.3",
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51",
"type": "eql",
"version": 107
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"min_stack_version": "8.3",
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e",
"type": "query",
"version": 104
},
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Memory Dump File Creation",
"sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62",
"type": "eql",
"version": 3
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"min_stack_version": "8.3",
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478",
"type": "eql",
"version": 107
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a",
"type": "eql",
"version": 6
}
},
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20",
"type": "eql",
"version": 106
},
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
"min_stack_version": "8.3",
"rule_name": "Potential Windows Session Hijacking via CcmExec",
"sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a",
"type": "eql",
"version": 1
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8",
"type": "eql",
"version": 4
},
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
"min_stack_version": "8.3",
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35",
"type": "eql",
"version": 1
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393",
"type": "eql",
"version": 8
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route Table Modified or Deleted",
"sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route Table Modified or Deleted",
"sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112",
"type": "query",
"version": 207
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"min_stack_version": "8.3",
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "d821998e1160abb47ecede3b1c462e4239e82c189b4c1bb28462bb126a1b7765",
"type": "eql",
"version": 108
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"min_stack_version": "8.3",
"rule_name": "Installation of Security Support Provider",
"sha256": "7bacfc5c36b455bd387840ed3881384dccf76c4613c11307d4d5d00b45b71f4c",
"type": "eql",
"version": 108
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.3",
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006",
"type": "eql",
"version": 7
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"min_stack_version": "8.6",
"previous": {
"8.4": {
"max_allowable_version": 102,
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "3a05a24c654cdb42c8718f7cf97e55b13d9be01f97cfd17a78db8f616168fa80",
"type": "new_terms",
"version": 3
}
},
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35",
"type": "new_terms",
@@ -9077,7 +6808,7 @@
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d",
@@ -9091,44 +6822,30 @@
"version": 208
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c",
"type": "query",
"version": 206
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"min_stack_version": "8.9",
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "1e89013def66c292205e6328af1471ef4e60e7476f31abb7718f73d3602c3e91",
"type": "machine_learning",
"version": 3
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f",
"type": "eql",
"version": 111
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"min_stack_version": "8.3",
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "d0a1dc56879cb56dc2747d8b68642dcb238491d808de81350698a3876b010d1e",
"type": "eql",
"version": 105
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"min_stack_version": "8.9",
"rule_name": "Spike in Remote File Transfers",
"sha256": "c2714b3ba5f14682e3de18a33b34ee32dd30f9b08a177f6d6ff9c79ced3ef5e1",
"type": "machine_learning",
@@ -9141,7 +6858,6 @@
"version": 100
},
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
"min_stack_version": "8.3",
"rule_name": "Azure Automation Webhook Created",
"sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078",
"type": "query",
@@ -9154,153 +6870,108 @@
"version": 100
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "d8ff4bf9daa5791d5125e828242e6da12e755fe8e6594f543661711e82994cfd",
"type": "machine_learning",
"version": 4
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "b067b05efba5deb9be05f4eb293d71270aec223640f2d617f1a365f86c41524c",
"type": "threshold",
"version": 109
}
},
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3",
"type": "threshold",
"version": 210
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"min_stack_version": "8.3",
"rule_name": "Spike in Firewall Denies",
"sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a",
"type": "machine_learning",
"version": 103
},
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
"min_stack_version": "8.3",
"rule_name": "Suspicious APT Package Manager Network Connection",
"sha256": "e33ef40e6926a8ebb9819b992a678c5cb30b5ca0ec2564ad888d213893eec80c",
"type": "eql",
"version": 2
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"min_stack_version": "8.3",
"rule_name": "External Alerts",
"sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6",
"type": "query",
"version": 103
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad",
"type": "query",
"version": 4
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb",
"type": "query",
"version": 111
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Network Connection Attempt by Root",
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
"type": "eql",
"version": 104
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of SELinux",
"sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef",
"type": "eql",
"version": 110
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.3",
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
"type": "eql",
"version": 109
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"min_stack_version": "8.3",
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "d83d663dcda70e00a6ab21131eed87f0b8c368ce720e9af6b55cc3ed301826a8",
"type": "eql",
"version": 110
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.3",
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "8df3afe86977d9a2b2f2229f4f6d2fb5bb39898849f2d887050d754afba715a2",
"type": "eql",
"version": 110
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"min_stack_version": "8.8",
"rule_name": "File Made Executable via Chmod Inside A Container",
"sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54",
"type": "eql",
"version": 2
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df",
"type": "query",
"version": 206
},
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"min_stack_version": "8.3",
"rule_name": "Executable File with Unusual Extension",
"sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509",
"type": "eql",
"version": 2
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58",
"type": "query",
"version": 206
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"min_stack_version": "8.3",
"rule_name": "Azure Global Administrator Role Addition to PIM User",
"sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c",
"type": "query",
"version": 102
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"min_stack_version": "8.3",
"rule_name": "AdFind Command Activity",
"sha256": "35efc8cf7bf58aeb31117f913287b60e74e904cbdce764bcd90b1a649e6318e1",
"type": "eql",
@@ -9309,7 +6980,7 @@
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973",
@@ -9323,14 +6994,12 @@
"version": 206
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.3",
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "6b7b9ccc19477616a522bddc2a00f166753629727474b6494a4460bfc09ec4f6",
"type": "eql",
"version": 112
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"min_stack_version": "8.3",
"rule_name": "Linux User Account Creation",
"sha256": "95cad73c0f9c90ae0aca50ad6528161624c9d694075e6761ef195da867643c08",
"type": "eql",
@@ -9339,7 +7008,7 @@
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 102,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932",
@@ -9353,14 +7022,12 @@
"version": 103
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "3b8d96d08eb433256b4fb0fd5206543e932d32caede2f0296b44a83ccf41868c",
"type": "eql",
"version": 108
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"min_stack_version": "8.3",
"rule_name": "Shortcut File Written or Modified on Startup Folder",
"sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662",
"type": "eql",
@@ -9373,56 +7040,48 @@
"version": 100
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc",
"type": "eql",
"version": 107
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"min_stack_version": "8.3",
"rule_name": "BPF filter applied using TC",
"sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2",
"type": "eql",
"version": 108
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7",
"type": "eql",
"version": 7
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"min_stack_version": "8.8",
"rule_name": "Potential Container Escape via Modified notify_on_release File",
"sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04",
"type": "eql",
"version": 1
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.3",
"rule_name": "Whoami Process Activity",
"sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202",
"type": "eql",
"version": 111
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "9512995e5dffd053732011c13901b6e07071c98fbf12ad540b632ebf940f2c32",
"type": "machine_learning",
"version": 3
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe",
"type": "eql",
"version": 108
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"min_stack_version": "8.3",
"rule_name": "Suspicious HTML File Creation",
"sha256": "a8f8624488bd94c12376e0d7098fdf1714698d2df6e877311fded9ab584a043d",
"type": "eql",
@@ -9431,7 +7090,7 @@
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba",
@@ -9445,149 +7104,120 @@
"version": 205
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"min_stack_version": "8.3",
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
"sha256": "5182f386430f01d4b91371a123d7323d6c786af55e661ca361224b7e1abaab5c",
"type": "eql",
"version": 108
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"min_stack_version": "8.3",
"rule_name": "Azure Alert Suppression Rule Created or Modified",
"sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270",
"type": "query",
"version": 102
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"min_stack_version": "8.3",
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb",
"type": "query",
"version": 106
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Code Execution via Web Server",
"sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7",
"type": "eql",
"version": 7
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af",
"type": "query",
"version": 2
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"min_stack_version": "8.3",
"rule_name": "Service Path Modification",
"sha256": "f6488872c8be23ecc9a4e3339d5de39339210c77856be3d05d90c00968a721c9",
"type": "eql",
"version": 2
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3",
"type": "eql",
"version": 108
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"min_stack_version": "8.3",
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "b10534cda59c460de168c3b9fed3d8899465199770dd6c96f2e2d65358d3cb24",
"type": "eql",
"version": 109
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.3",
"rule_name": "SIP Provider Modification",
"sha256": "637b95af638d89775bd2f924af80375c6ff258c63b53785edfb3543db910cbbf",
"type": "eql",
"version": 107
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"min_stack_version": "8.3",
"rule_name": "LSASS Memory Dump Creation",
"sha256": "f75e7dbe109ab94981359e193e38bc31d50c60ac6258c2e42dd797649989a2f4",
"type": "eql",
"version": 109
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Instance Creation",
"sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Instance Creation",
"sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166",
"type": "query",
"version": 206
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application",
"sha256": "bf31263ee7b3dd377aad879072d95f3cfa5f487f3db9f91e6d47822700c554c9",
"type": "eql",
"version": 4
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "2c43c3f3a3eab3066a67fa00b1ecf370bbb5c1a7cc41898dabf2a4553b1630ea",
"type": "query",
"version": 3
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.3",
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e",
"type": "eql",
"version": 110
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"min_stack_version": "8.3",
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c",
"type": "threshold",
"version": 104
},
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Network Connection via systemd",
"sha256": "52931e3500fd41b92dd905637912dc28861b532e3bf11d6ab79f243237f9573c",
"type": "eql",
"version": 2
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471",
"type": "threat_match",
"version": 6
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"min_stack_version": "8.6",
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
"sha256": "422469c042fbbd783e6f8aca78c507ba139de7e0aa3e364406f12f16db6db808",
"type": "eql",
"version": 5
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc",
"type": "eql",
"version": 108
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.3",
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "3d559e86203735f531cbbe7a26f5e361236760068e41b0b421f0f5d59a3c5765",
"type": "query",
@@ -9607,135 +7237,108 @@
"version": 100
},
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc",
"type": "eql",
"version": 6
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Executing PowerShell",
"sha256": "708503003bcee46e11babb11f8aa31370e2b00f8819ad6b533d88ae777974577",
"type": "eql",
"version": 111
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"min_stack_version": "8.8",
"rule_name": "SSH Connection Established Inside A Running Container",
"sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7",
"type": "eql",
"version": 2
},
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"min_stack_version": "8.3",
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "a63046d792830722836c024689a5b5e9e1f3ac006e80e1445c1efa17bfbc98e5",
"type": "new_terms",
"version": 3
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.3",
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "e1128eff83337cf8df9523f584e2a5859c85e7d579d9655bb532de4714bd4124",
"type": "query",
"version": 4
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"min_stack_version": "8.3",
"rule_name": "WMIC Remote Command",
"sha256": "49fe04b88dc0dc6ee9776c88113935db33ecbc3c955ddb4b201acb6867022d7f",
"type": "eql",
"version": 4
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"min_stack_version": "8.3",
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "bec5a046d8ac67ff161d518d2ccf53b9138179dfc67759ad5f9078fdc14810a6",
"type": "eql",
"version": 5
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "d6db5d4e54233628ba05c96ce487387f74b8d57d423cae36a1cfa4602ef0c312",
"type": "machine_learning",
"version": 4
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"min_stack_version": "8.3",
"rule_name": "Masquerading Space After Filename",
"sha256": "0bdfb6f39afe789ae9447ea9f33938a24d746c1017ac0646c9f1776272882e37",
"type": "eql",
"version": 6
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"min_stack_version": "8.3",
"rule_name": "Account or Group Discovery via Built-In Tools",
"sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135",
"type": "eql",
"version": 3
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.3",
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
"type": "eql",
"version": 110
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.3",
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "6b1d419bf9aa6949ee92ded6a11fd322e88da4c01130617ee0d215449c773841",
"type": "eql",
"version": 109
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"min_stack_version": "8.3",
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b",
"type": "query",
"version": 106
},
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
"min_stack_version": "8.3",
"rule_name": "System Hosts File Access",
"sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571",
"type": "eql",
"version": 3
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"min_stack_version": "8.3",
"rule_name": "Azure Service Principal Credentials Added",
"sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103",
"type": "query",
"version": 102
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc",
"type": "query",
"version": 209
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"min_stack_version": "8.8",
"rule_name": "SSH Authorized Keys File Modified Inside a Container",
"sha256": "d08ada3a6198777da68c1ad854b2c989ea3c25a2cd89c68741c538de9a433237",
"type": "eql",
"version": 2
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.3",
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "a1bc8b73c4533f942aac0721b6a1345272ca6770fde9d130e8f62f115eb42177",
"type": "eql",
@@ -9749,56 +7352,48 @@
"version": 2
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec",
"type": "eql",
"version": 109
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87",
"type": "query",
"version": 106
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.3",
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "78279bb6af6824e60ded36c81c6ef322b9ccaeb26c92549abc2921bf4227941b",
"type": "eql",
"version": 110
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0",
"type": "new_terms",
"version": 1
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Configuration Discovery",
"sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042",
"type": "machine_learning",
"version": 104
},
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"min_stack_version": "8.3",
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "5952fcaf652a5286441fc15039faeb8970ad18ef5832358bbc5385c6e09ed734",
"type": "eql",
"version": 7
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"min_stack_version": "8.3",
"rule_name": "Browser Extension Install",
"sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a",
"type": "eql",
"version": 2
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.3",
"rule_name": "Privileged Account Brute Force",
"sha256": "6b7871e9961be78c2d06f1cb08a639f6b4d3dcb022d16261b56fa3472f8f7d70",
"type": "eql",
@@ -9807,7 +7402,7 @@
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06",
@@ -9821,65 +7416,48 @@
"version": 205
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "3a766093b0d4f34997e59583bef56fb42b94ebe8b4d5d167f6f5123519f92525",
"type": "eql",
"version": 109
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"min_stack_version": "8.3",
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda",
"type": "eql",
"version": 7
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c",
"type": "eql",
"version": 7
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
"type": "eql",
"version": 9
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of AppArmor",
"sha256": "e1fc21035bd0018c82e188c8ebe6241aa878a214edaf3895b806621f5d82d2e3",
"type": "eql",
"version": 6
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 101,
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "44de9f686412f5ba599fbbf3c20d3d9a0e941c644469a473712133ff1293bf6d",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc",
"type": "eql",
"version": 104
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Registration Utility",
"sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d",
"type": "eql",
"version": 108
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"min_stack_version": "8.8",
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
"type": "threshold",
@@ -9892,37 +7470,24 @@
"version": 100
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004",
"type": "query",
"version": 206
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
"type": "eql",
"version": 109
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf",
"type": "new_terms",
"version": 1
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"min_stack_version": "8.3",
"rule_name": "GitHub App Deleted",
"sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
"type": "eql",
@@ -9935,151 +7500,114 @@
"version": 100
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.3",
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "c6e0f3ed2de57cd525aed211c660fafb3d244519f29423756b1e01f95a1f7469",
"type": "eql",
"version": 110
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.3",
"rule_name": "Suspicious CertUtil Commands",
"sha256": "1eefd434526b2d048a615ba540bf83da7ee5150eae84ff517f5de3e7668c964b",
"type": "eql",
"version": 108
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Svchost spawning Cmd",
"sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04",
"type": "eql",
"version": 107
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "6d152e1d87343af4204868f6661565208bc41bc7fa3b54d2431de77ade274f91",
"type": "new_terms",
"version": 212
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"min_stack_version": "8.3",
"rule_name": "Image Loaded with Invalid Signature",
"sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d",
"type": "eql",
"version": 2
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"min_stack_version": "8.3",
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
"sha256": "64a298cfd46dd919d8d6d349126b6a4a90347cf9eb7a23661803b528c1bd2828",
"type": "eql",
"version": 7
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "1ccbc020df7ccd578a04c6a962cba1a9eb01217fe0325d1ebb52cfcae454276e",
"type": "query",
"version": 4
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9",
"type": "query",
"version": 5
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "1049a012554fe790510c642962136afe7809f3cb6743d41c94d9064cb5cd0275",
"type": "eql",
"version": 110
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5",
"type": "eql",
"version": 4
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"min_stack_version": "8.3",
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
"sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87",
"type": "eql",
"version": 2
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.3",
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "0cb2724deeff775fe087f8fc28747011973bfa19b4924546d551ae231cf102e2",
"type": "eql",
"version": 107
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"min_stack_version": "8.3",
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055",
"type": "query",
"version": 103
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"min_stack_version": "8.9",
"rule_name": "Potential DGA Activity",
"sha256": "f1777c34722961e6332a58230876ae5519c4fc7e7a09d1450eb0038aeabe2640",
"type": "machine_learning",
"version": 3
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.6",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "8d0088142351af95023ec0cbec030e26da4de32891f90802ece09174e3446293",
"type": "new_terms",
"version": 9
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",
"rule_name": "LSASS Process Access via Windows API",
"sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18",
"type": "eql",
"version": 7
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88",
"type": "query",
"version": 206
},
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
"min_stack_version": "8.3",
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
"type": "eql",
"version": 1
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068",
"type": "query",
"version": 104
},
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366",
"type": "eql",
+26
@@ -0,0 +1,26 @@
# Supported Versions and Releases
This document provides detailed information about the different versions that are supported and released for prebuilt detection rules.
## Current Version
The current version of prebuilt detection rules is `v8.14`.
## Previous Versions Released
The following version(s) are released along with the current version.
- `v8.13`
- `v8.12`
- `v8.11`
### Previous Versions Maintained
The following version(s) are maintained along with the current version.
- `v8.10`
- `v8.9`
## End of Life Policy
Our policy is to support and provide public releases for `Current`, `Current-1`, `Current-2`, `Current-3` versions. We maintain and do not release `Current-4` and `Current-5` versions.
+1 -3
@@ -2,9 +2,7 @@
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
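Review bot: Removing `min_stack_version = "8.3.0"` together with its `min_stack_comments` line leaves the rule file with no record of why a stack floor existed (the removed comment named `required_fields`, `related_integrations` and `setup`), so the rule is only correct if the package-wide default floor applied by the loader is at or above 8.3.0. The `previous` keys in the version-lock section above now start at 8.9, which suggests the default has moved past that, but the default itself is not visible in this chunk and should be confirmed before the rationale is dropped. If the rule formatter preserves comments, a line such as `# min_stack_version omitted: covered by the package default floor` at the point where the key was removed would keep the assumption checkable the next time the floor moves. The same hunk is rendered twice in this section; the note applies to both copies.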
+1 -3
@@ -2,9 +2,7 @@
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -2,15 +2,13 @@
creation_date = "2023/06/19"
integration = ["endpoint", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/30"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt
to deliver phishing payloads via a trusted webservice.
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing
payloads via a trusted webservice.
"""
false_positives = [
"Approved third-party applications that use Google Drive download URLs.",
@@ -25,7 +23,14 @@ references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matan
risk_score = 47
rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: Windows",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Command and Control",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -2,9 +2,7 @@
creation_date = "2022/10/18"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -30,13 +28,14 @@ references = ["https://attack.mitre.org/techniques/T1571/"]
risk_score = 21
rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
severity = "low"
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"OS: macOS",
"Data Source: Elastic Defend"
]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"OS: macOS",
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
@@ -51,15 +50,17 @@ sequence by process.entity_id with maxspan=1m
]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1571"
name = "Non-Standard Port"
reference = "https://attack.mitre.org/techniques/T1571/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
@@ -2,9 +2,7 @@
creation_date = "2020/12/21"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -37,7 +35,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: Windows",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,15 +1,14 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch"
occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could
indicate attempts to spoof events in order to masquerade actual activity to evade detection.
description = """
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the
expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
attempts to spoof events in order to masquerade actual activity to evade detection.
"""
false_positives = [
"""
@@ -1,15 +1,14 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent
being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to
masquerade actual activity to evade detection.
description = """
Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and
used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual
activity to evade detection.
"""
false_positives = [
"""
@@ -47,11 +46,11 @@ id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.threshold]
field = ["agent.id"]
value = 2
[[rule.threshold.cardinality]]
field = "host.id"
value = 2
@@ -2,9 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -28,7 +26,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: Windows",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -2,9 +2,7 @@
creation_date = "2020/05/04"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/02/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -29,15 +27,15 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic.
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -56,20 +54,22 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.003"
name = "Clear Command History"
reference = "https://attack.mitre.org/techniques/T1070/003/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,10 +1,8 @@
[metadata]
creation_date = "2022/05/23"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -30,7 +28,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: Windows",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -2,9 +2,7 @@
creation_date = "2022/10/18"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -34,7 +32,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -2,9 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/18"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -30,13 +28,13 @@ For more details on adding a custom ingest pipeline refer - https://www.elastic.
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend"
]
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -2,9 +2,7 @@
creation_date = "2020/12/20"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/18"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -59,14 +57,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
tags = [
"Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -122,20 +121,22 @@ process.name : "grep" and user.id != "0" and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique.subtechnique]]
id = "T1518.001"
name = "Security Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/001/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -2,9 +2,7 @@
creation_date = "2021/09/29"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -36,7 +34,14 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -2,9 +2,7 @@
creation_date = "2021/01/12"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -18,7 +16,14 @@ references = ["https://github.com/neoneggplant/EggShell"]
risk_score = 73
rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/01/07"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -62,14 +60,15 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = ["Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Execution",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Execution",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -86,15 +85,17 @@ process where event.type in ("start", "process_started") and
not process.parent.command_line : "runc init"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,9 +2,7 @@
creation_date = "2021/01/19"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/02/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -64,15 +62,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Execution",
"Resources: Investigation Guide",
"Use Case: Vulnerability",
"Data Source: Elastic Defend"
]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Execution",
"Resources: Investigation Guide",
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -86,19 +85,20 @@ event.category:process and event.type:("start" or "process_started") and process
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
@@ -107,7 +107,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
@@ -2,9 +2,7 @@
creation_date = "2021/12/10"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -28,7 +26,15 @@ references = [
risk_score = 73
rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Execution",
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
@@ -1,9 +1,7 @@
[metadata]
creation_date = "2022/09/22"
maturity = "production"
min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+"
min_stack_version = "8.7.0"
updated_date = "2024/03/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2020/07/07"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -64,7 +62,16 @@ Hence for this rule to work effectively, users will need to add a custom ingest
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: Windows",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Impact",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
]
timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
timeline_title = "Comprehensive File Timeline"
timestamp_override = "event.ingested"
@@ -91,20 +98,22 @@ any where
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1565"
name = "Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/"
[[rule.threat.technique.subtechnique]]
id = "T1565.001"
name = "Stored Data Manipulation"
reference = "https://attack.mitre.org/techniques/T1565/001/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
@@ -1,9 +1,7 @@
[metadata]
creation_date = "2020/09/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -28,11 +26,7 @@ setup = """## Setup
The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
severity = "medium"
tags = [
"Data Source: Zoom",
"Use Case: Configuration Audit",
"Tactic: Initial Access"
]
tags = ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,9 +1,7 @@
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -18,8 +16,8 @@ false_positives = [
""",
]
from = "now-24h"
interval = "1h"
index = [".alerts-security.*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host"
@@ -34,10 +32,13 @@ query = '''
signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*
'''
[rule.threshold]
field = ["host.id"]
value = 1
[[rule.threshold.cardinality]]
field = "kibana.alert.rule.threat.tactic.id"
value = 3
@@ -1,9 +1,7 @@
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -20,8 +18,8 @@ false_positives = [
""",
]
from = "now-24h"
interval = "1h"
index = [".alerts-security.*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Alerts Involving a User"
@@ -36,10 +34,13 @@ query = '''
signal.rule.name:* and user.name:* and not user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''
[rule.threshold]
field = ["user.name"]
value = 1
[[rule.threshold.cardinality]]
field = "signal.rule.rule_id"
value = 5
@@ -2,9 +2,7 @@
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/09/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -29,14 +27,15 @@ references = [
risk_score = 47
rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
severity = "medium"
tags = ["Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Persistence",
"Data Source: Elastic Defend"
]
tags = [
"Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Persistence",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -70,27 +69,27 @@ event.category:file and event.type:change and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
@@ -99,7 +98,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
@@ -2,9 +2,7 @@
creation_date = "2021/01/19"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -24,13 +22,14 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-
risk_score = 47
rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
severity = "medium"
tags = ["Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Defend"
]
tags = [
"Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "query"
@@ -51,20 +50,22 @@ event.category:file and event.type:change and
/Users/*/.zshenv)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.004"
name = "Unix Shell Configuration Modification"
reference = "https://attack.mitre.org/techniques/T1546/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -2,9 +2,7 @@
creation_date = "2020/12/22"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2024/02/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -20,16 +18,18 @@ name = "SSH Authorized Keys File Modification"
risk_score = 47
rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
severity = "medium"
tags = ["Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Tactic: Persistence",
"Data Source: Elastic Defend"
]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Tactic: Persistence",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:file and event.type:(change or creation) and
file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and
@@ -51,46 +51,46 @@ event.category:file and event.type:(change or creation) and
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.004"
name = "SSH Authorized Keys"
reference = "https://attack.mitre.org/techniques/T1098/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"
[rule.threat.tactic]
id = "TA0008"
@@ -100,7 +100,8 @@ reference = "https://attack.mitre.org/tactics/TA0008/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
@@ -2,9 +2,7 @@
creation_date = "2021/01/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -20,7 +18,14 @@ name = "Potential Privilege Escalation via Sudoers File Modification"
risk_score = 73
rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -24,7 +22,14 @@ name = "Setuid / Setgid Bit Set via chmod"
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/02/03"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/05"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -33,9 +31,17 @@ references = [
risk_score = 73
rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
type = "threshold"
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.category:process and event.type:start and
@@ -2,9 +2,7 @@
creation_date = "2020/04/13"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/12/18"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -21,13 +19,13 @@ risk_score = 47
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend"
]
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -37,19 +35,20 @@ not process.name:(dpkg or platform-python or puppet or yum or dnf) and
not process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
@@ -58,7 +57,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "process.executable", "file.path"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
@@ -1,12 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2024/01/17"
min_stack_comments = """
Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
general rules.
"""
min_stack_version = "8.5.0"
updated_date = "2024/05/21"
[transform]
[[transform.osquery]]
@@ -33,6 +28,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
[rule]
author = ["Elastic"]
description = """
@@ -103,7 +99,7 @@ This rule is triggered when an IP address indicator from the Threat Intel Filebe
references = [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
"https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip"
"https://www.elastic.co/security/tip",
]
risk_score = 99
rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64"
@@ -118,72 +114,74 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu
"""
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = """
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not
labels.is_ioc_transform_source:"true"
"""
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
timestamp_override = "event.ingested"
type = "threat_match"
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = '''
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and
not labels.is_ioc_transform_source:"true"
'''
query = """
query = '''
source.ip:* or destination.ip:*
"""
'''
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "source.ip"
type = "mapping"
value = "threat.indicator.ip"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "destination.ip"
type = "mapping"
value = "threat.indicator.ip"
@@ -1,12 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2024/01/17"
min_stack_comments = """
Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
general rules.
"""
min_stack_version = "8.5.0"
updated_date = "2024/05/21"
[transform]
[[transform.osquery]]
@@ -33,11 +28,12 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
[rule]
author = ["Elastic"]
description = """
This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an
event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.
This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against
an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.
"""
from = "now-65m"
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"]
@@ -102,7 +98,7 @@ This rule is triggered when a hash indicator from the Threat Intel Filebeat modu
references = [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
"https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip"
"https://www.elastic.co/security/tip",
]
risk_score = 99
rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca"
@@ -117,115 +113,123 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu
"""
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = """
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or
threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:"true"
"""
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
timestamp_override = "event.ingested"
type = "threat_match"
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = '''
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and
(threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and
not labels.is_ioc_transform_source:"true"
'''
query = """
query = '''
file.hash.*:* or process.hash.*:* or dll.hash.*:*
"""
'''
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.md5"
type = "mapping"
value = "threat.indicator.file.hash.md5"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha1"
type = "mapping"
value = "threat.indicator.file.hash.sha1"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha256"
type = "mapping"
value = "threat.indicator.file.hash.sha256"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "dll.hash.md5"
type = "mapping"
value = "threat.indicator.file.hash.md5"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "dll.hash.sha1"
type = "mapping"
value = "threat.indicator.file.hash.sha1"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "dll.hash.sha256"
type = "mapping"
value = "threat.indicator.file.hash.sha256"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "process.hash.md5"
type = "mapping"
value = "threat.indicator.file.hash.md5"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "process.hash.sha1"
type = "mapping"
value = "threat.indicator.file.hash.sha1"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "process.hash.sha256"
type = "mapping"
value = "threat.indicator.file.hash.sha256"
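Review bot: The switch from `"""` to `'''` on the `threat_query = '''` and `query = '''` lines changes these from TOML basic multi-line strings, which process backslash escapes, to literal multi-line strings, which do not; the rewritten queries are byte-equivalent only because none of them contains a backslash or a `'''` sequence, and that precondition is not recorded anywhere in the change. The re-wrapping of the `threat_query` text is whitespace-only and KQL treats line breaks as whitespace, so the loaded query presumably matches the old one, but comparing the parsed rule objects rather than the TOML text would confirm it and would catch a backslash-bearing query silently changing under the same rewrite. The same quoting change appears in the a61809f3 and f3e22c8b sections below and in the 0c41e478 section that begins before this chunk.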
@@ -1,12 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2024/01/17"
min_stack_comments = """
Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
general rules.
"""
min_stack_version = "8.5.0"
updated_date = "2024/05/21"
[transform]
[[transform.osquery]]
@@ -33,6 +28,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
[rule]
author = ["Elastic"]
description = """
@@ -97,7 +93,7 @@ This rule is triggered when a Windows registry indicator from the Threat Intel F
references = [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
"https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip"
"https://www.elastic.co/security/tip",
]
risk_score = 99
rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60"
@@ -112,66 +108,67 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu
"""
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = """
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not
labels.is_ioc_transform_source:"true"
"""
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
timestamp_override = "event.ingested"
type = "threat_match"
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = '''
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and
not labels.is_ioc_transform_source:"true"
'''
query = """
query = '''
registry.path:*
"""
'''
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "registry.path"
type = "mapping"
value = "threat.indicator.registry.path"
@@ -1,12 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2024/01/17"
min_stack_comments = """
Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
general rules.
"""
min_stack_version = "8.5.0"
updated_date = "2024/05/21"
[transform]
[[transform.osquery]]
@@ -33,6 +28,7 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
[rule]
author = ["Elastic"]
description = """
@@ -106,7 +102,7 @@ This rule is triggered when a URL indicator from the Threat Intel Filebeat modul
references = [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
"https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip"
"https://www.elastic.co/security/tip",
]
risk_score = 99
rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3"
@@ -121,72 +117,74 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu
"""
severity = "critical"
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = """
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not
labels.is_ioc_transform_source:"true"
"""
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
timestamp_override = "event.ingested"
type = "threat_match"
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = '''
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and
threat.indicator.url.full:* and not labels.is_ioc_transform_source:"true"
'''
query = """
query = '''
url.full:*
"""
'''
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "url.full"
type = "mapping"
value = "threat.indicator.url.full"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "url.original"
type = "mapping"
value = "threat.indicator.url.original"
@@ -2,9 +2,7 @@
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -32,7 +30,13 @@ references = [
risk_score = 21
rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Log Auditing",
"Tactic: Collection",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2024/04/10"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to 2.0.0"
min_stack_version = "8.3.0"
updated_date = "2024/05/13"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -19,7 +17,6 @@ language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Admin Credential Fetch via Assumed Role"
note = """
## Triage and Analysis
### Investigating AWS EC2 Admin Credential Fetch via Assumed Role
@@ -2,9 +2,7 @@
creation_date = "2020/07/16"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -76,10 +74,10 @@ tags = [
"Data Source: Amazon Web Services",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Credential Access"
"Tactic: Credential Access",
]
type = "threshold"
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:aws.cloudtrail and
@@ -2,9 +2,7 @@
creation_date = "2020/06/04"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -2,16 +2,18 @@
creation_date = "2020/07/06"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Nick Jones", "Elastic"]
description = """
An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action.
This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.
An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may
attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time
a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the
`GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with
IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with
access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the
compromised service's IAM role to access the secrets in Secrets Manager.
"""
false_positives = [
"""
@@ -78,7 +80,7 @@ The AWS Fleet integration, Filebeat module, or similarly structured data is requ
references = [
"https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
"https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum"
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum",
]
risk_score = 47
rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
@@ -2,9 +2,7 @@
creation_date = "2020/07/21"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -31,9 +29,15 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
risk_score = 73
rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
severity = "high"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
type = "threshold"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Identity and Access Audit",
"Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
@@ -2,9 +2,7 @@
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -76,7 +74,14 @@ references = [
risk_score = 47
rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Log Auditing",
"Resources: Investigation Guide",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -80,7 +78,14 @@ references = [
risk_score = 47
rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Log Auditing",
"Resources: Investigation Guide",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/06/15"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -82,7 +80,13 @@ references = [
risk_score = 47
rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Resources: Investigation Guide",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/06/26"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -80,7 +78,13 @@ references = [
risk_score = 21
rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Resources: Investigation Guide",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/06/16"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2020/06/15"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -79,7 +77,14 @@ references = [
risk_score = 73
rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
severity = "high"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Log Auditing",
"Resources: Investigation Guide",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -37,7 +35,13 @@ references = [
risk_score = 47
rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Network Security Monitoring",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/07/19"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Austin Songer"]
@@ -2,9 +2,7 @@
creation_date = "2021/07/19"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Austin Songer"]
@@ -2,9 +2,7 @@
creation_date = "2021/09/22"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Austin Songer"]
@@ -31,7 +29,13 @@ references = [
risk_score = 21
rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Identity and Access Audit",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/05/28"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/06"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -21,7 +19,6 @@ language = "kuery"
license = "Elastic License v2"
name = "Route53 Resolver Query Log Configuration Deleted"
note = """
## Triage and Analysis
### Investigating Route53 Resolver Query Log Configuration Deleted
@@ -2,9 +2,7 @@
creation_date = "2020/05/27"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -35,7 +33,13 @@ references = [
risk_score = 21
rule_id = "227dc608-e558-43d9-b521-150772250bae"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Asset Visibility",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -32,7 +30,13 @@ references = [
risk_score = 47
rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Network Security Monitoring",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/06/09"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -32,7 +30,13 @@ references = [
risk_score = 47
rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Network Security Monitoring",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2024/04/16"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/13"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -26,7 +24,6 @@ language = "kuery"
license = "Elastic License v2"
name = "EC2 AMI Shared with Another Account"
note = """
## Triage and Analysis
### Investigating EC2 AMI Shared with Another Account
@@ -2,9 +2,7 @@
creation_date = "2021/05/05"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -36,7 +34,14 @@ references = [
risk_score = 47
rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Network Security Monitoring",
"Tactic: Exfiltration",
"Tactic: Collection",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/06/24"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2021/04/22"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -32,7 +30,14 @@ references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.h
risk_score = 21
rule_id = "e919611d-6b6f-493b-8314-7ed6ac2e413b"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Asset Visibility",
"Tactic: Exfiltration",
"Tactic: Collection",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/06/06"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -29,7 +27,13 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Sta
risk_score = 21
rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Asset Visibility",
"Tactic: Exfiltration",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/06/29"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Austin Songer"]
@@ -34,7 +32,13 @@ references = [
risk_score = 47
rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Asset Visibility",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/10/17"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Austin Songer"]
@@ -2,9 +2,7 @@
creation_date = "2020/06/10"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -76,7 +74,15 @@ references = [
risk_score = 21
rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Cloudtrail",
"Use Case: Log Auditing",
"Resources: Investigation Guide",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/05/18"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -81,7 +79,15 @@ references = [
risk_score = 47
rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS CloudWatch",
"Use Case: Log Auditing",
"Resources: Investigation Guide",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/05/20"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2020/06/05"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -36,7 +34,13 @@ references = [
risk_score = 47
rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Tactic: Impact"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS EC2",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/08/27"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Austin Songer"]
@@ -2,9 +2,7 @@
creation_date = "2020/05/26"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -75,7 +73,14 @@ references = [
risk_score = 47
rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Tactic: Impact"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS IAM",
"Resources: Investigation Guide",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -35,7 +33,13 @@ references = [
risk_score = 21
rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Tactic: Impact"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS IAM",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2022/09/21"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Xavier Pich"]
@@ -37,7 +35,14 @@ references = [
risk_score = 47
rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS KMS", "Use Case: Log Auditing", "Tactic: Impact"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS KMS",
"Use Case: Log Auditing",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/06/05"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -30,7 +28,13 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Del
risk_score = 21
rule_id = "863cdf31-7fd3-41cf-a185-681237ea277b"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Impact"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS RDS",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/05/21"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -39,7 +37,14 @@ references = [
risk_score = 47
rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS RDS",
"Use Case: Asset Visibility",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/05/20"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -34,7 +32,14 @@ references = [
risk_score = 47
rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS RDS",
"Use Case: Asset Visibility",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/06/11"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -72,7 +70,7 @@ tags = [
"Data Source: AWS Signin",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Initial Access"
"Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/07/02"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -32,7 +30,14 @@ references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
risk_score = 21
rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Signin", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Signin",
"Use Case: Identity and Access Audit",
"Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/07/06"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -1,10 +1,8 @@
[metadata]
creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2023/10/24"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
anomaly_threshold = 50
@@ -87,6 +85,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Resources: Investigation Guide",
]
type = "machine_learning"
@@ -1,10 +1,8 @@
[metadata]
creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2023/10/24"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
anomaly_threshold = 50
@@ -89,6 +87,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Resources: Investigation Guide",
]
type = "machine_learning"
@@ -1,10 +1,8 @@
[metadata]
creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2023/10/24"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
anomaly_threshold = 50
@@ -91,6 +89,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Resources: Investigation Guide",
]
type = "machine_learning"
@@ -1,10 +1,8 @@
[metadata]
creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2023/10/24"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
anomaly_threshold = 50
@@ -91,6 +89,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Resources: Investigation Guide",
]
type = "machine_learning"
@@ -1,10 +1,8 @@
[metadata]
creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2023/10/24"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
anomaly_threshold = 75
@@ -89,6 +87,13 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Resources: Investigation Guide",
]
type = "machine_learning"
@@ -2,9 +2,7 @@
creation_date = "2020/06/04"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -37,7 +35,14 @@ references = [
risk_score = 21
rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS EC2",
"Use Case: Network Security Monitoring",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/05/05"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -33,7 +31,14 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi
risk_score = 21
rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS EC2",
"Use Case: Network Security Monitoring",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/06/05"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -35,7 +33,14 @@ references = [
risk_score = 21
rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS IAM",
"Use Case: Identity and Access Audit",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/05/20"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -37,7 +35,14 @@ references = [
risk_score = 21
rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS RDS",
"Use Case: Asset Visibility",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/06/05"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -29,7 +27,13 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
risk_score = 21
rule_id = "378f9024-8a0c-46a5-aa08-ce147ac73a4e"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS RDS",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/06/06"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -29,7 +27,14 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
risk_score = 21
rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS RDS",
"Use Case: Asset Visibility",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2022/04/12"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -33,7 +31,14 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea
risk_score = 21
rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Redshift", "Use Case: Asset Visibility", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Redshift",
"Use Case: Asset Visibility",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/05/10"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -35,7 +33,14 @@ references = [
risk_score = 21
rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Route53",
"Use Case: Asset Visibility",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/05/10"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -30,7 +28,14 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera
risk_score = 21
rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Route53",
"Use Case: Asset Visibility",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/07/19"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Austin Songer"]
@@ -29,7 +27,14 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc
risk_score = 21
rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Route53",
"Use Case: Asset Visibility",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/06/05"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -34,7 +32,14 @@ references = [
risk_score = 21
rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Route53",
"Use Case: Network Security Monitoring",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2021/06/05"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -38,7 +36,14 @@ references = [
risk_score = 21
rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
severity = "low"
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: AWS Route53",
"Use Case: Network Security Monitoring",
"Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,9 +2,7 @@
creation_date = "2020/07/06"
integration = ["aws"]
maturity = "production"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/04/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
@@ -77,7 +75,7 @@ tags = [
"Data Source: AWS Route53",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Privilege Escalation"
"Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "query"
