From 69a5b7e40949b2f3b673cd670ecc4764dbaa6bee Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Tue, 4 Aug 2020 13:35:14 -0600
Subject: [PATCH] Lock versions for 7.9 release
---
 etc/version.lock.json | 870 ++++++++++++++++++++++++++++--------------
 1 file changed, 580 insertions(+), 290 deletions(-)
diff --git a/etc/version.lock.json b/etc/version.lock.json
index 5d367d2a6..243a8d850 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -1,727 +1,1017 @@
 {
+ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
+ "rule_name": "Attempt to Modify Okta MFA Rule",
+ "sha256": "e7230e37b0012ca864c73d09e735e54bcbdc3f7cb939e0308820d699de482d15",
+ "version": 1
+ },
 "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
 "rule_name": "System Shells via Services",
- "sha256": "39089b35d9aa4d3d8b9e595e74dc11548e4a0609e120ed58fc38941baca8cd5e",
- "version": 2
+ "sha256": "f68a9dce69186cf8572e292ecf08940d2147a15758ea95fdc2c7f088de2b90cf",
+ "version": 3
 },
 "041d4d41-9589-43e2-ba13-5680af75ebc2": {
 "rule_name": "Potential DNS Tunneling via Iodine",
- "sha256": "b4ffc6e7d9017294f8d07909cee42f866d5764b1d8bd5d9ae018f7e2a15e600e",
- "version": 2
+ "sha256": "b5191f150c1ebb72435b3d9f7fa94f5899d19721c18e0bdaa29fd60fa8467bc7",
+ "version": 3
 },
 "05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
 "rule_name": "Interactive Terminal Spawned via Perl",
- "sha256": "f57a4c89c80964ccf26e8d78aca95f82e70958925cafa412a32399af9d7a2b20",
- "version": 1
+ "sha256": "d0be61c3e42cf4bde25d38756c9c22b8a22823b69d30a865812f5df76e36694f",
+ "version": 2
 },
 "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
 "rule_name": "Potential Evasion via Filter Manager",
- "sha256": "a07971ec80d45ced9da4aea88a0601b6a8f041afb86d39b627cfd420cd97227f",
- "version": 2
+ "sha256": "8fd2873dee5de5a9b8d13d61c4e7ac8d9125a6a0f367bf64fea26470b8d96fda",
+ "version": 3
 },
 "08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
 "rule_name": "TCP Port 8000 Activity to the Internet",
- "sha256": "0b1f0b1e073fe5119cc1b5c24a1c29d1e5fff4006cde69aa3dffae2e7cdd7fb8",
- "version": 3
+ "sha256": "2057dea2544576064924167ac3c3a0cffb69623636a385120791a54725cd121b",
+ "version": 4
 },
 "0a97b20f-4144-49ea-be32-b540ecc445de": {
- "rule_name": "Malware - Detected - Elastic Endpoint",
- "sha256": "60247a5e9bfd70eb9e86f0ce55895501cc14cb659a2c73f3c2a93b38cb6c4f52",
- "version": 2
+ "rule_name": "Malware - Detected - Elastic Endpoint Security",
+ "sha256": "cf235efd02e861f1c87580d9fc3027c05d58c80ec19b8a4680b0cb9c4b794088",
+ "version": 3
 },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "rule_name": "Anomalous Windows Process Creation",
- "sha256": "fb14a53c48d6663ac266c0636b3364f4f8c9ed9fff10e7e6ff37267406e43dde",
- "version": 1
+ "sha256": "1697d1e69b1cc81d4f3fe77471a9f843268be52e12f6b76679ff206cc44ba4b2",
+ "version": 2
 },
 "0d69150b-96f8-467c-a86d-a67a3378ce77": {
 "rule_name": "Nping Process Activity",
- "sha256": "368b19e0dafeefeaa308320ca31b368f4b1ebcd55e3b73a4844f0523d34c365e",
- "version": 2
+ "sha256": "c85589b020359d809d3f65951b4cee3cc7c10da104effeeaa2fc920eed8ff4a6",
+ "version": 3
 },
 "0e79980b-4250-4a50-a509-69294c14e84b": {
 "rule_name": "MsBuild Making Network Connections",
- "sha256": "cfa69218bdfdfdf32807bf699d622df0b11fba0dae582842fd5a410d15168864",
- "version": 2
+ "sha256": "11cb63b795999bdd1ea0eb1d4cbf5c6b8d86c4945a480136eeaa80f9161fd522",
+ "version": 3
 },
 "0f616aee-8161-4120-857e-742366f5eeb3": {
 "rule_name": "PowerShell spawning Cmd",
- "sha256": "99a17ac0cd39f66214f8ec357b8287019dcce014b088380af6369a3823ff0a72",
- "version": 2
+ "sha256": "823211d2d9e7031bcc9ea0b8602b7e2dda7d6cf7b53dee522c071d8fd2a71d2a",
+ "version": 3
 },
 "120559c6-5e24-49f4-9e30-8ffe697df6b9": {
 "rule_name": "User Discovery via Whoami",
- "sha256": "516a989374daf3dff00c50cf25c5752bc6529f4654dfaeac14d468918a27a99b",
- "version": 2
+ "sha256": "5b24e533677a2f73bf8b544ce6fbf607947458de6b8882958699b9598a3d4a60",
+ "version": 3
 },
 "125417b8-d3df-479f-8418-12d7e034fee3": {
 "rule_name": "Attempt to Disable IPTables or Firewall",
- "sha256": "e44bf0572d1c16dc6c3afb5fd7099af64775de2e2bc02f5657de1ad9835a7302",
- "version": 1
+ "sha256": "cbc8586826f96d5f656bee2ad503dd04e7969434458387de04f4064d8339fa9f",
+ "version": 2
 },
 "139c7458-566a-410c-a5cd-f80238d6a5cd": {
 "rule_name": "SQL Traffic to the Internet",
- "sha256": "165e687f11971e3a90f512eae1f7cd66b809dbf41574e310042102cb893ce160",
- "version": 3
+ "sha256": "3168a7ff380f965f554d8554a6048500bc6d2e623012a637a69604d4dde5aec6",
+ "version": 4
 },
 "143cb236-0956-4f42-a706-814bcaa0cf5a": {
 "rule_name": "RPC (Remote Procedure Call) from the Internet",
- "sha256": "54bcc73de76c78b3bd35e493bd4ac3d7758ea5c691f7d5503f36163a438a005f",
- "version": 3
+ "sha256": "8c8dd977effd5f405e825323debef05986b8e59e8aeffab769a5a17c56f90838",
+ "version": 4
+ },
+ "169f3a93-efc7-4df2-94d6-0d9438c310d1": {
+ "rule_name": "AWS IAM Group Creation",
+ "sha256": "dc63fd09b50ada3a1d9e17f321e591716802a15bc98ad7933fbf1e638c8a9485",
+ "version": 1
 },
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "rule_name": "Unusual Windows Username",
- "sha256": "fc01b465045b17167db21385546bc1c3c6c6d00e2dcc077703ef41b87536c95b",
- "version": 1
+ "sha256": "36917b05e364e40334cb847ccadc8625146ce9be717185331ed0459dc974e552",
+ "version": 2
 },
 "1781d055-5c66-4adf-9c71-fc0fa58338c7": {
 "rule_name": "Unusual Windows Service",
- "sha256": "7fb46c159b57cf544b91a13e6e7632acb6001dd7fda33e1de92e1529e530aa72",
- "version": 1
+ "sha256": "e5ac3b3c6f68d19a432a54215a555c1d103dcb14a8c00cb60e8fcc4f0d6e652d",
+ "version": 2
 },
 "1781d055-5c66-4adf-9d60-fc0fa58337b6": {
 "rule_name": "Suspicious Powershell Script",
- "sha256": "d688f99e0bb99ac74c6bde09e1e90726eee185b92fb0a119e163bd31f45905d7",
- "version": 1
+ "sha256": "6787261e6c69ccc08f746484c360086764f048c64faabe20f7474007380f5f44",
+ "version": 2
 },
 "1781d055-5c66-4adf-9d82-fc0fa58449c8": {
 "rule_name": "Unusual Windows User Privilege Elevation Activity",
- "sha256": "afdfda57d393812c5bac293dac5069a851209e7bb83fb528af21394881d2ba66",
- "version": 1
+ "sha256": "d7b106c8c4863604d0712ad08ccce72e50dc8137297f90ff7a000e0f0f8d113a",
+ "version": 2
 },
 "1781d055-5c66-4adf-9e93-fc0fa69550c9": {
 "rule_name": "Unusual Windows Remote User",
- "sha256": "cb9c569b6a9375c526c32bea068c3d8609f88fedab3fce24b89baf05c756d084",
- "version": 1
+ "sha256": "21f4744229d682e68489bed55ec395634a81783217b4f8356a49566e6f5e17d1",
+ "version": 2
 },
 "17e68559-b274-4948-ad0b-f8415bb31126": {
 "rule_name": "Unusual Network Destination Domain Name",
- "sha256": "71a7ab62d3d11c3dabd0eaa0ebcb656f5926e07601d6e35e4ccf73bccf4a5308",
+ "sha256": "223ca77fb5f7df75f08ae4253b6d99599ee46fbebe0843d4e3249b756afcc57e",
+ "version": 2
+ },
+ "19de8096-e2b0-4bd8-80c9-34a820813fff": {
+ "rule_name": "Rare AWS Error Code",
+ "sha256": "cfcaf312b57481ecdbc8178c56fa63218e84f8688117c0d7a4cefb1a56953ceb",
+ "version": 1
+ },
+ "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
+ "rule_name": "AWS CloudTrail Log Suspended",
+ "sha256": "8c7e44ef3c20c8688412d06a94e63987aa6b2c1855b1fdb69a40b6e22d81f00c",
 "version": 1
 },
 "1aa9181a-492b-4c01-8b16-fa0735786b2b": {
 "rule_name": "User Account Creation",
- "sha256": "bd894910fcaa18d7682c39203ab04b8efbf6bd36df137014b50a9cd6b2a8fe54",
- "version": 2
+ "sha256": "74696927e06e5fe8c85631d79fbe1c3a4a6b4050e8a47bbe7c15189a0407a7fb",
+ "version": 3
 },
 "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
 "rule_name": "Connection to Internal Network via Telnet",
- "sha256": "be1434347fc362c5e025579b0fd1b7776d003c084fd58be2b916c6bce97d8d20",
- "version": 1
+ "sha256": "7bb31e4849331d9eb2654a8dcc8e8f7e92932705a68217ddfeaf56def57a7e85",
+ "version": 2
 },
 "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
- "rule_name": "Exploit - Detected - Elastic Endpoint",
- "sha256": "7d7e9fdb6626ccb0dbb1fc1f1485b23901223f3af87c173a49372233037c6876",
- "version": 2
+ "rule_name": "Exploit - Detected - Elastic Endpoint Security",
+ "sha256": "25dc927509d993054908f0797f8c848f5be07a1eadf4c754b95d6a8417aa8648",
+ "version": 3
+ },
+ "227dc608-e558-43d9-b521-150772250bae": {
+ "rule_name": "AWS S3 Bucket Configuration Deletion",
+ "sha256": "72ab8004269800921494b64af09b7bc0e0aa4812c6502e014270e971b3b5c00c",
+ "version": 1
 },
 "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
 "rule_name": "Potential Shell via Web Server",
- "sha256": "124c52f61e77e57f3a90a5b533e814d477e78eb64a8bd951a5c67696a4e92155",
- "version": 3
+ "sha256": "4bfbdc1a0d610ccb336a4816910e33f31ab91509561cfd36f9796e0a3ac975fc",
+ "version": 4
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "rule_name": "Net command via SYSTEM account",
- "sha256": "eb00b6196dac7a17f5797b814c4a61737a00f4cbcfbe36f4068de27ba5c6d40b",
- "version": 1
+ "sha256": "ea63231f092eb92bb5af6281ae6a75d533362eff9969622f300b444469215456",
+ "version": 2
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
- "rule_name": "Exploit - Prevented - Elastic Endpoint",
- "sha256": "d010930d010bb22e3d5090f8fdef2fa9ec625d6d8f5d19614a06a9cbc1ab7869",
- "version": 2
+ "rule_name": "Exploit - Prevented - Elastic Endpoint Security",
+ "sha256": "56d0db57a57e386c8262f99e5165c8cd829b6da94536f62bf08353ab494394ed",
+ "version": 3
 },
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "rule_name": "Adobe Hijack Persistence",
- "sha256": "d75866b9396e39d5b24a7075ad3da22bb731415543ba986f92f12bcaae41fc51",
- "version": 2
+ "sha256": "05564512fe328ac4a4fcfffe78ae6a65ea0d787a48aceaf575edae53c7f95d0f",
+ "version": 3
 },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "rule_name": "Enumeration of Kernel Modules",
- "sha256": "ffbc06dd83e7a71513185c0793862b5a3535aab407969318726ecc8198a48827",
- "version": 1
+ "sha256": "d599196e0f60c0f8dffb2d1fca21196e2c6ddf937531106b6bb8e633bfcc3333",
+ "version": 2
 },
 "2f8a1226-5720-437d-9c20-e0029deb6194": {
 "rule_name": "Attempt to Disable Syslog Service",
- "sha256": "bbe27e711309f490218ea0cd982daa31562a888f92899334d667bd08c1884dae",
- "version": 1
+ "sha256": "c374f6e74954bf81a5cbbe653d457c42b7f23208449b56ac24281d0d6a1e91db",
+ "version": 2
 },
 "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
 "rule_name": "Bypass UAC via Event Viewer",
- "sha256": "f37d188cbd09fa5e1c1203d77f22f30ae87f5a8874e420a9b911a29bbde0f32a",
- "version": 1
+ "sha256": "92fb6101c53b13f0bf3405f410860ce804f3ba778e06f566431dcda90fe894ba",
+ "version": 2
 },
 "32923416-763a-4531-bb35-f33b9232ecdb": {
 "rule_name": "RPC (Remote Procedure Call) to the Internet",
- "sha256": "442c2027c43d3542f008452f789257629c30b9b0bf46fdf4bf60a7ef9383d9b7",
- "version": 3
+ "sha256": "91e9006ede6167bc0e1b0a606f1408741db7ac6ba5ade4a65e960cb6e1684069",
+ "version": 4
 },
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "rule_name": "Suspicious MS Outlook Child Process",
- "sha256": "ea60210c4757f8b73e87ea7d3b3c96fda5eb51f7b6e0011393bd3ef48a282238",
- "version": 2
+ "sha256": "582776dd04e5cd8c0f07883b793d2cb8e663233686cd8261b144e394e5bc00b3",
+ "version": 3
+ },
+ "333de828-8190-4cf5-8d7c-7575846f6fe0": {
+ "rule_name": "AWS IAM User Addition to Group",
+ "sha256": "f0b0e824fde388a4217c0ccb4c8168deaccf74e0576ff4a2748cb958b4ec1c09",
+ "version": 1
 },
 "34fde489-94b0-4500-a76f-b8a157cf9269": {
 "rule_name": "Telnet Port Activity",
- "sha256": "561e4cc5f9ac4bd683de676c3ddc7b3cea3c9245b4b3d024976750052b7c9539",
- "version": 2
+ "sha256": "d52d770cacb099f8fc38d85ba230ecd94878c17fe3e6e9f79a0e55ea38f5c0a8",
+ "version": 3
 },
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "rule_name": "Unusual Parent-Child Relationship",
- "sha256": "26da1776418ca4f784295a501983859639d0edca40f266fceb98f18d5e5ae873",
- "version": 2
+ "sha256": "7ce5606939cea6e45c7659bde7b679c0c33a164a9cecae385eb2a89379b7bcde",
+ "version": 3
+ },
+ "37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
+ "rule_name": "AWS Execution via System Manager",
+ "sha256": "bc6bb14775383d504e21151c603c84cdb436c03b106b0e2a7b46d398143584a3",
+ "version": 1
+ },
+ "3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
+ "rule_name": "Attempted Bypass of Okta MFA",
+ "sha256": "6adcfe622ebb2e1205cc4a4dc2a3b058f995a21602721b04407ed751641ca206",
+ "version": 1
 },
 "3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
 "rule_name": "Network Connection via Certutil",
- "sha256": "61c10e5bfbf59f40256d91f5aed9bb63b95ddf1f3aa5e8fabb5a66e2ee4b11dc",
+ "sha256": "9d456ed87d910cb6ebb86be154c58f80a7e4a011f8f55ddc2ff451f3efc23fe9",
+ "version": 2
+ },
+ "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
+ "rule_name": "AWS EC2 Network Access Control List Creation",
+ "sha256": "554c42dd3f30ca0140797069242d16be3fab75dd59fdd820054c6c4645dab00e",
 "version": 1
 },
 "3a86e085-094c-412d-97ff-2439731e59cb": {
 "rule_name": "Setgid Bit Set via chmod",
- "sha256": "ace4e4dd54e8193f6f9864c3202907d0026d32ccef3ef0e07f48cc030cbf86c5",
- "version": 1
+ "sha256": "10a09743e9baaae69190eabcc1d7f6fc61ff8da5e7ff5a79208b7b25f2c05473",
+ "version": 2
 },
 "3ad49c61-7adc-42c1-b788-732eda2f5abf": {
 "rule_name": "VNC (Virtual Network Computing) to the Internet",
- "sha256": "0d2a9bb546e3d7efa14722afdb1a0d9465a6523dc186298a4ea53acae919b4d5",
- "version": 3
+ "sha256": "d73415ca5e745ebbd0cc4e1c6805a1a58bef4740666f14c827e50766c26476a1",
+ "version": 4
 },
 "3b382770-efbb-44f4-beed-f5e0a051b895": {
- "rule_name": "Malware - Prevented - Elastic Endpoint",
- "sha256": "9cb592e8da5f94d4c3676f09b065f521b2d30c2e9301a98517e756f7b2cbfbf8",
- "version": 2
+ "rule_name": "Malware - Prevented - Elastic Endpoint Security",
+ "sha256": "1de71bf0dca33368f44c2c020e159bcde7a48982e3979729a594b5a4bc190a9e",
+ "version": 3
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "rule_name": "Unusual Linux Network Port Activity",
- "sha256": "e8c3cb8f40b5f6ef0975a62443f9504c84842f669c26b91657506c5286c8ebd4",
+ "sha256": "76e7d9d43d610d2299dffac8d6ffde9648afd588f3c8f4df90ac370ffa416c57",
+ "version": 2
+ },
+ "3e002465-876f-4f04-b016-84ef48ce7e5d": {
+ "rule_name": "AWS CloudTrail Log Updated",
+ "sha256": "7fd31ec2dff167c29a32969ae7c2e83c12a7b473c5a6259d577ee2bf997be039",
+ "version": 1
+ },
+ "42bf698b-4738-445b-8231-c834ddefd8a0": {
+ "rule_name": "Okta Brute Force or Password Spraying Attack",
+ "sha256": "1333a0ff14b05aff2b16fd4c2768af221d10df3e1a85059e66f3e7b0dc582d4e",
 "version": 1
 },
 "4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
 "rule_name": "Unusual Login Activity",
- "sha256": "1b7e41fe98f0e26118b8628a1325a59002b48b787d93ab96a2d158ecd004e368",
- "version": 1
+ "sha256": "45aefd42ccd184d5d3015dc3a1cc5ec131a402884f578f40815213c71143722f",
+ "version": 2
 },
 "43303fd4-4839-4e48-b2b2-803ab060758d": {
 "rule_name": "Web Application Suspicious Activity: No User Agent",
- "sha256": "dd2f91dbccd0af4d0a576013c193844643e84a54aa6373fbce114dc1dfb25dc3",
- "version": 2
+ "sha256": "3f96283628d73912878e47073e8094a219c6e8c260e6094055fe753e6ef903b7",
+ "version": 3
 },
 "445a342e-03fb-42d0-8656-0367eb2dead5": {
 "rule_name": "Unusual Windows Path Activity",
- "sha256": "c40b729895a99fd1f7a8514a420f2f0eabe57f408bed85a2cc86178acc9b9cef",
- "version": 1
+ "sha256": "2625e3ebfa6328b4d7803a9390b136d4d8d944bcc71a0bbdc8c2c85717c967bd",
+ "version": 2
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
- "rule_name": "Permission Theft - Prevented - Elastic Endpoint",
- "sha256": "2015029af5a5a0330f929920e99f93bd06e9d0a2f1ccf5b7b7c30c953f7ca340",
- "version": 2
+ "rule_name": "Permission Theft - Prevented - Elastic Endpoint Security",
+ "sha256": "bb1865e997d39d7c7d272d8b31538666e2a9600336304c4b558a4cfadb10c25e",
+ "version": 3
 },
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "rule_name": "Adding Hidden File Attribute via Attrib",
- "sha256": "b3347c68deb04c69d524eaf1d092ca1cd26a18c32eb7d57a72b2d19f994a1a44",
- "version": 2
+ "sha256": "9cd83ec78d98435f5388ded75a9b1034f52da57884d1052801099e79f1087072",
+ "version": 3
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "rule_name": "Unusual Process For a Linux Host",
- "sha256": "e0e4ab88394545469f2d5eee21909298fb6d8b5c0e2fa4ef35331d1fd7ac9f23",
- "version": 1
+ "sha256": "a5208685993a30816029b70a8d51f0a5cda6dd19b6864c4dbfe86977b326f746",
+ "version": 2
 },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
- "sha256": "f33bc5f0b3e49b2e47b15376fd2a68d1de7d14204a05fe17a1551291f5603673",
- "version": 1
+ "sha256": "637246c78b6fa0905bfc47ca942265bc7fc7daa16e544a1dad9aacd0d8932e89",
+ "version": 2
 },
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "rule_name": "Disable Windows Firewall Rules via Netsh",
- "sha256": "50f4b863d2184bb0c86fa854e7f009ac21a0c0919deb80c41cbfc2c55ab264e2",
- "version": 2
+ "sha256": "5b03dfdf92939205720bd9a2a6ba3fcac321ab46278a63cf862a9ca8881623a7",
+ "version": 3
+ },
+ "523116c0-d89d-4d7c-82c2-39e6845a78ef": {
+ "rule_name": "AWS GuardDuty Detector Deletion",
+ "sha256": "8a44ca241191004ae1c7d535cfbc90116d4ef56e7f6941cc3e3cbb7303633791",
+ "version": 1
 },
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "rule_name": "Unusual Network Connection via RunDLL32",
- "sha256": "d85fea308f2fcf2b3a99f38acc2800b7c397a310deb5d2042ccb023d9e491c0f",
- "version": 3
+ "sha256": "f92bcc8271ce1e1082d42f76466838e17a0e94800d8c667f36df7f5dc55a1f92",
+ "version": 4
 },
 "52afbdc5-db15-485e-bc24-f5707f820c4b": {
 "rule_name": "Unusual Linux Network Activity",
- "sha256": "c564c6efa5f18c2c696f39d0c6befcfdf6a48220cb287746c98c89d38d9a9301",
- "version": 1
+ "sha256": "a728aa2cc5aa9069c78ef89989e5894c8d1782ba5d85c9d5c0abb22fe6d9a6ad",
+ "version": 2
 },
 "52afbdc5-db15-485e-bc35-f5707f820c4c": {
 "rule_name": "Unusual Linux Web Activity",
- "sha256": "ff6fd99b9f6141b59784df526e92405db1b15197adca3c16b13f8f193a3389e3",
- "version": 1
+ "sha256": "ffd826b4cd0c45b2193f022109c2ed58f54ee722f0f738845d2be2041529d780",
+ "version": 2
 },
 "52afbdc5-db15-596e-bc35-f5707f820c4b": {
 "rule_name": "Unusual Linux Network Service",
- "sha256": "04797144ac125fbff20df8d63db471c237f3ee6319f2e75b4607a0d3201d88c8",
- "version": 1
+ "sha256": "3a21e7de28af69f13df5929cdc14c7de727a99b6189fa33d4f60f3b55a42e433",
+ "version": 2
 },
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "75442e7eb596645909961fe13ee945137ef2c3ab5207f5aa6d7b204216ec335b",
- "version": 1
+ "sha256": "82ba007857d824bcb38916fca098f15f5bb777191a7403c8e31f860514664d6b",
+ "version": 2
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "rule_name": "PsExec Network Connection",
- "sha256": "aa7366d7de1e17ceb977e79a1bb88f56cf5451ddadc12d7e349d93a9f6ada328",
- "version": 2
+ "sha256": "b05123353ff4a1d27d4631d4bbc2f16860b755c4c32ec12dd65583f752866f43",
+ "version": 3
 },
 "56557cde-d923-4b88-adee-c61b3f3b5dc3": {
 "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
- "sha256": "90375f3a66c917be3c0951978877e9886ba55a6c2a7378ec45547952bf391c28",
- "version": 1
+ "sha256": "87396c542097d7e2dd7f971aaefce97ad2d44cfbdceb13bca458f983fe6fa8fd",
+ "version": 2
 },
 "5700cb81-df44-46aa-a5d7-337798f53eb8": {
 "rule_name": "VNC (Virtual Network Computing) from the Internet",
- "sha256": "8803236e7bdb9aec8904a7bb13d47b3bd3c0ba7dc2cfff1c27439466d0170691",
- "version": 3
+ "sha256": "2137e4281cddedab4cdbdd8247616a3bee15fa285682d7b95633272a57c8e006",
+ "version": 4
 },
 "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
- "rule_name": "Credential Dumping - Detected - Elastic Endpoint",
- "sha256": "5c3fac8543701612b433b719a609135a1e95c4081bbbbdbdeb0203c18e0a7b77",
- "version": 2
+ "rule_name": "Credential Dumping - Detected - Elastic Endpoint Security",
+ "sha256": "16d5323c26e28a90a60b9e855819cc6b97cbed9a1d2cc6888b5fa14fcf11bf15",
+ "version": 3
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
- "sha256": "3bbb66c55707077ad2ef97fc1d95cff0527e95a49f83b84b82fc688e61017760",
- "version": 2
+ "sha256": "a2f23de5e7249c0e4e28212eca17fcf83fdbea776f898f3bc5c456d9b80deb43",
+ "version": 3
+ },
+ "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
+ "rule_name": "AWS CloudTrail Log Created",
+ "sha256": "068af758f1ff3e0d031c5cfe35020b6f0288b12dd9d66ddab288002e0b1e05e6",
+ "version": 1
 },
 "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "2ded9ffeea250303a503fac66aaefca610fa0fc2f96cf6917b4676b41437c6fb",
+ "sha256": "1de8ead775e787c3256447c82655c40866a9513c245d1223939e04cb9f9763cf",
+ "version": 2
+ },
+ "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
+ "rule_name": "AWS WAF Rule or Rule Group Deletion",
+ "sha256": "9bc533bac9e9abefc27a1adafb40c6fd99c0e359e469e9577b1efbaabd3ce356",
 "version": 1
 },
 "610949a1-312f-4e04-bb55-3a79b8c95267": {
 "rule_name": "Unusual Process Network Connection",
- "sha256": "eb6f8ca3e9a957d3573fc09527b54c4c316eaed783f5bad2d6057875e934d43d",
- "version": 2
+ "sha256": "1ad6e642d8c578f97d2569cc471059c7029ec1190e89c9dd0042c5a88906275b",
+ "version": 3
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
- "sha256": "7e94855d83fa70497f23ac1ac0996234b462102bc82f06e6c442c6ac437075ed",
- "version": 2
+ "sha256": "64a4c6687e8b28df55161028153804821cace7ea512cbabe778d559283d14a8d",
+ "version": 3
 },
 "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
 "rule_name": "Network Connection via Signed Binary",
- "sha256": "d2e4829910b24fb980060b8e3adb7ce138fe2de8b47193c5801bd6fb28d4a339",
- "version": 2
+ "sha256": "404f0a34bef511d70d8dd11f094e02aa8a3fe938bdfb3d4441c4dbf6ea1a2cd3",
+ "version": 3
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "rule_name": "Anomalous Process For a Linux Population",
- "sha256": "b6f615b8c0851c51a8a2cd76d70f32c13d3ec6868a1435b3b99ad29e7b211c55",
+ "sha256": "6ca827084277205952821ef76e28cc5a3c9e837fc0acc0342a32db5c67a428ee",
+ "version": 2
+ },
+ "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
+ "rule_name": "Attempt to Modify Okta Policy",
+ "sha256": "38bd3bfb4bc91af943ccb1720848358f178b6931d65b266edff08ce1c90a7e83",
+ "version": 1
+ },
+ "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
+ "rule_name": "Attempt to Revoke Okta API Token",
+ "sha256": "77ac6c19df3acb42de629d1cf267c16b086d00055dea2bde9a72e06e78d9e015",
 "version": 1
 },
 "67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
 "rule_name": "SMTP to the Internet",
- "sha256": "7b9fdb9bb74d1bae58a5e0d2913992a48f694d895c651a879d1be6a215fb6822",
- "version": 3
+ "sha256": "22d11f4013bd73e1e115211b366763fd0b11995dd815916c0cee80f0ccd78c1d",
+ "version": 4
+ },
+ "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
+ "rule_name": "Threat Detected by Okta ThreatInsight",
+ "sha256": "80a86cc85576646b9db95dfa9f4924e52641cd4acc303129e4e8b774521f6126",
+ "version": 1
+ },
+ "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
+ "rule_name": "AWS CloudWatch Log Group Deletion",
+ "sha256": "74b68b5a2a6e6fe020077c596b9b0a87a7c21bade893f197f92c92cf1ebd78c4",
+ "version": 1
 },
 "69c251fb-a5d6-4035-b5ec-40438bd829ff": {
 "rule_name": "Modification of Boot Configuration",
- "sha256": "aca262dc656d8203cd46799960df4e1de99bfcc6660953e6ba10fe25145e9237",
+ "sha256": "c9771d9c525e750a0017693621b03d3aef6a3ec5773461ed3a1661ab43f85b53",
+ "version": 2
+ },
+ "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
+ "rule_name": "AWS IAM Password Recovery Requested",
+ "sha256": "ee55403ad95ab22aa2ac5d8d7c388e92703b99eda4d7ea28da482b548bc47691",
 "version": 1
 },
 "6d448b96-c922-4adb-b51c-b767f1ea5b76": {
 "rule_name": "Unusual Process For a Windows Host",
- "sha256": "c7e849caff0ec964d5ad2d1e7523abadba7a887846bbea3270bc900d3231da2e",
- "version": 1
+ "sha256": "7f79263265e25ce495fb3b557ca7cfee951dca089cbc14a5b192c917d0b7bb7d",
+ "version": 2
 },
 "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
 "rule_name": "Anomalous Process For a Windows Population",
- "sha256": "da3a7b5c5addf4b3e760a505232b8048c8a865d9fa8b5b09df1bc3f5da942956",
- "version": 1
+ "sha256": "ea801143086d4558886f5c91f70433689952a90dcfd370c6d7f3366e23ef702d",
+ "version": 2
 },
 "6ea71ff0-9e95-475b-9506-2580d1ce6154": {
 "rule_name": "DNS Activity to the Internet",
- "sha256": "267fe9694bab5833b3a374a799162c4cd8ba8e25777232a023e22f53e27e9260",
- "version": 3
+ "sha256": "c45b8f43aaf392553bc8565a0ff6079f16dafaf1e4b6328bfb33aeda43aaaa77",
+ "version": 4
 },
 "6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
 "rule_name": "SSH (Secure Shell) to the Internet",
- "sha256": "164c2588d9a22e77c2830a79e0b5f72df6050ee724d4113a3bb75668faa6a8d7",
- "version": 3
+ "sha256": "6acb7d97e42965a327c13fc188392ab14a08a40489ebbcd454e61a07c19a1650",
+ "version": 4
+ },
+ "7024e2a0-315d-4334-bb1a-441c593e16ab": {
+ "rule_name": "AWS CloudTrail Log Deleted",
+ "sha256": "5467989f4ef94dd3c6b8df6b4b1e9609335c37474706889457433fca0f3c8682",
+ "version": 1
+ },
+ "7024e2a0-315d-4334-bb1a-552d604f27bc": {
+ "rule_name": "AWS Config Service Tampering",
+ "sha256": "4f59fbb90ee508242779e252ea128487f58bbe1ed925441ee1fc3a39b48dc112",
+ "version": 1
+ },
+ "729aa18d-06a6-41c7-b175-b65b739b1181": {
+ "rule_name": "Attempt to Reset MFA Factors for Okta User Account",
+ "sha256": "2b125723ee269c57de27fd76a9fa970f7cdbfcb1ab8c878565097f774df9fdd3",
+ "version": 1
 },
 "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
 "rule_name": "Potential Modification of Accessibility Binaries",
- "sha256": "bbc8ce5e399e0d06157aff9e07a922bbf3d9428adb0e602274443225d27e13d3",
- "version": 2
+ "sha256": "edcd5b6adeaa24b39ed57d401844fda13b07a95bd82863ee3d74b5df04020b11",
+ "version": 3
 },
 "746edc4c-c54c-49c6-97a1-651223819448": {
 "rule_name": "Unusual DNS Activity",
- "sha256": "1a2b60f6f140c9da40b5a57790581a31d9d022d23d9ae4988cfe074241d98d4a",
- "version": 1
+ "sha256": "2e83758195426759f474e25a59427e0e1c9f1784528e8d31bf861ade42da8186",
+ "version": 2
 },
 "75ee75d8-c180-481c-ba88-ee50129a6aef": {
 "rule_name": "Web Application Suspicious Activity: Unauthorized Method",
- "sha256": "a59eebb16d201dcb8ef6d461222854017ddeb42f13709fbd86cf664eb176443c",
- "version": 2
+ "sha256": "9277093d6875b1d2ae7dd347d3b7fa8db344c053a62bcc886a2290b86ee18518",
+ "version": 3
 },
 "77a3c3df-8ec4-4da4-b758-878f551dee69": {
- "rule_name": "Adversary Behavior - Detected - Elastic Endpoint",
- "sha256": "642078d517a828b397afeaf66b572336c03b072695a1be761941da5a0da82ab2",
- "version": 2
+ "rule_name": "Adversary Behavior - Detected - Elastic Endpoint Security",
+ "sha256": "930dc5d6fc719ed0536d6c32b959666a726625e72fe80c63beefecee2ff0f495",
+ "version": 3
+ },
+ "78d3d8d9-b476-451d-a9e0-7a5addd70670": {
+ "rule_name": "Spike in AWS Error Messages",
+ "sha256": "878f2171b2ac7b514991f9b9c25af495905d25515ca2f2cde25b4fe84e3f93ed",
+ "version": 1
 },
 "7a137d76-ce3d-48e2-947d-2747796a78c0": {
 "rule_name": "Network Sniffing via Tcpdump",
- "sha256": "70194d4c327e916fa7cbd73fd373d5282732e1604ed2f1f9e80e005746b2ebc7",
- "version": 2
+ "sha256": "c2c87b8c43abfa894c8e9d4fae2a21a63ad5e6608775215ee4315901207fc51d",
+ "version": 3
+ },
+ "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
+ "rule_name": "Deletion of Bash Command Line History",
+ "sha256": "90b821385ca30c677f757792c1f20543e852cc3e84161b7c67418e0795598fc8",
+ "version": 1
 },
 "7d2c38d7-ede7-4bdf-b140-445906e6c540": {
 "rule_name": "Tor Activity to the Internet",
- "sha256": "149e45da1494348a5a1ebb5802b048d5efa9d4fd5ff588f8ac0c32d416a1220c",
- "version": 3
+ "sha256": "83a2131189e58a38c4a31aa4e54751626eeb1cf80867c21dc344749a252c0db2",
+ "version": 4
+ },
+ "809b70d3-e2c3-455e-af1b-2626a5a1a276": {
+ "rule_name": "Unusual City For an AWS Command",
+ "sha256": "1a5c7d4c0acf3ca14a00735df9852a9f66069139de940eb86ef9da409a93df32",
+ "version": 1
 },
 "80c52164-c82a-402c-9964-852533d58be1": {
- "rule_name": "Process Injection - Detected - Elastic Endpoint",
- "sha256": "ebc218c788a01666499b9ccd9126099fad2c1262f34d1fbf904cbc2ff179a2d0",
- "version": 2
+ "rule_name": "Process Injection - Detected - Elastic Endpoint Security",
+ "sha256": "ccca2ab5467bbbb8a8ccf1d6ca6a8396839f0f5daef67df9b45e2c709a9c7bb0",
+ "version": 3
 },
 "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
 "rule_name": "Persistence via Kernel Module Modification",
- "sha256": "0be3f6a38c6fe9504aec5239d9dcf6962b2bde90eb07f5f6f1a682da2fbf8b52",
- "version": 2
+ "sha256": "80125097341af87cd48b9ad11105d466d5956ccc306450a562cfd0eb3ba33e5c",
+ "version": 3
+ },
+ "8623535c-1e17-44e1-aa97-7a0699c3037d": {
+ "rule_name": "AWS EC2 Network Access Control List Deletion",
+ "sha256": "44fc8a84430a247ef479cfc22f09af928395d1a68c162695bd2f1fe74ddb669b",
+ "version": 1
+ },
+ "867616ec-41e5-4edc-ada2-ab13ab45de8a": {
+ "rule_name": "AWS IAM Group Deletion",
+ "sha256": "a2d9d722c68c041bb26d4bb85d7615765f7cd6dbf15ba8ad19ff9a0be2a18bc7",
+ "version": 1
 },
 "87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
 "rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
- "sha256": "82a95329040bb9a03fc93ae26ead52d063732e01e55fc91a50ea51bd60febfb6",
- "version": 3
+ "sha256": "d6e40340f9ba714197d88dc37469a496ef047131805e4bf2115c1cb498aaff2c",
+ "version": 4
 },
 "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
 "rule_name": "Command Prompt Network Connection",
- "sha256": "0117b0bffd43900d7a93110cd44c4b786cb30d62832dd9a7594e1a95d00428e2",
- "version": 2
+ "sha256": "84bf6f16be980111319510f8654f6b42ac0a4e73405b2f031c9d5b0633e71014",
+ "version": 3
 },
 "8a1b0278-0f9a-487d-96bd-d4833298e87a": {
 "rule_name": "Setuid Bit Set via chmod",
- "sha256": "6fb4352bf42cc1842367ccfd3077c0ab58b47cc855253b70cdb5283e451067da",
- "version": 1
+ "sha256": "80d32998b1c5af4f744b6890f5b5d734fd59f208e072929836a823619660d6b5",
+ "version": 2
 },
 "8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
 "rule_name": "RDP (Remote Desktop Protocol) from the Internet",
- "sha256": "aa661ef6bef1c2951cde1a90dab2dd8ea17e01838b9ee69872963950dd5f76a9",
- "version": 3
+ "sha256": "9c678e34d82a66ba6f1316d96ed990c1dc77274ba54f40714dd5397b5c19967f",
+ "version": 4
 },
 "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
- "rule_name": "Ransomware - Detected - Elastic Endpoint",
- "sha256": "3ccc4f8e13efe9a61b5624bed9ce6407cbe1bb6919e36f1e375cdffebe54da7b",
- "version": 2
+ "rule_name": "Ransomware - Detected - Elastic Endpoint Security",
+ "sha256": "8f1c885f6197487c9fbbf88b66c7080b7785add5683651bb2d3a16c887f4b157",
+ "version": 3
 },
 "90169566-2260-4824-b8e4-8615c3b4ed52": {
 "rule_name": "Hping Process Activity",
- "sha256": "c2df3568f4994b77e0b62a787cb3ff25a0c064ea75a849875344555e84da23c9",
- "version": 2
+ "sha256": "a981451a19485a25d6fe0c5a5c6760be1d66decf16a4989d48754e3b7add6ab6",
+ "version": 3
+ },
+ "9055ece6-2689-4224-a0e0-b04881e1f8ad": {
+ "rule_name": "AWS RDS Cluster Deletion",
+ "sha256": "1859295025727023cc7909e4a23b6fbc105b7fa20780e197619e257d9c4f2373",
+ "version": 1
+ },
+ "91d04cd4-47a9-4334-ab14-084abe274d49": {
+ "rule_name": "AWS WAF Access Control List Deletion",
+ "sha256": "deaf75945036241126ef6fa3c886f67b82760f41f0db7de5ffccbbebd126dc25",
+ "version": 1
 },
 "91f02f01-969f-4167-8d77-07827ac4cee0": {
 "rule_name": "Unusual Web User Agent",
- "sha256": "12b16eb9930172fcbf4ddec9b03ce0dc2bf5effe5e132e7a338f9ef4d34aece7",
- "version": 1
+ "sha256": "eb54cad9c20bbed0348cbdf81778221c5f78c4a893e520c84deff016d4b81328",
+ "version": 2
 },
 "91f02f01-969f-4167-8f55-07827ac3acc9": {
 "rule_name": "Unusual Web Request",
- "sha256": "2c2c81f80ebe5fa568d94f6b44778a3617d2c98a60db66ff89b7734fe0f58227",
- "version": 1
+ "sha256": "993ea8037cc7f04431563a10c526803be22b8693a18b4a4628b46d11609632bd",
+ "version": 2
 },
 "91f02f01-969f-4167-8f66-07827ac3bdd9": {
 "rule_name": "DNS Tunneling",
- "sha256": "cc489289aea78cec83cf6baafd052523a12a5de52b7fd051de469de7aedb11e1",
- "version": 1
+ "sha256": "8b401f043c87d8012c04dbd86b0b419574a8cb18a2520bae9c606317845acce8",
+ "version": 2
 },
 "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
 "rule_name": "Sudoers File Modification",
- "sha256": "992014dda37755b93706823224d6c773881d207f2e95bf28ae9c8b142a7ab08d",
+ "sha256": "d11b8d0bb029ec776940640f440bc35573b8d5a83f2306cc9365c36dd2110be7",
+ "version": 2
+ },
+ "9395fd2c-9947-4472-86ef-4aceb2f7e872": {
+ "rule_name": "AWS EC2 Flow Log Deletion",
+ "sha256": "a07ac3fd787f6fa03fc452f068782d4a6750e76de83097551495865091307436",
+ "version": 1
+ },
+ "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
+ "rule_name": "Attempt to Create Okta API Token",
+ "sha256": "1f857755423c0bed3d659452e148cd346fd059f7674b0e6eddaf58128a238ec6",
 "version": 1
 },
 "97f22dab-84e8-409d-955e-dacd1d31670b": {
 "rule_name": "Base64 Encoding/Decoding Activity",
- "sha256": "3a99fc1237f79b736e78e2504a7f03a3c051127d56280d18e7942bc28458e0f8",
+ "sha256": "feb2b3549a08e130d7b06da043cae62e646e2199b3c31bb71aa7ff059c3a7b6e",
+ "version": 2
+ },
+ "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
+ "rule_name": "AWS EC2 Snapshot Activity",
+ "sha256": "840005729165b8c2d84e64b83bbc337b7b34e2ee4298922e23c9ef304dc9fa71",
 "version": 1
 },
 "990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
- "rule_name": "Process Injection - Prevented - Elastic Endpoint",
- "sha256": "2c548340fbb54eff9e1b152ee566003019a76115e631d639787f29d932c707c0",
- "version": 2
+ "rule_name": "Process Injection - Prevented - Elastic Endpoint Security",
+ "sha256": "68a43b05df8c141fa36b6fbe9272b51f39f45f1ce41a5e8dab442fe379612b33",
+ "version": 3
+ },
+ "9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
+ "rule_name": "Elastic Endpoint Security",
+ "sha256": "bf71c88346cdee0c29ed5ec74723e873a3d579784ce79dca1e96668c9525b2fd",
+ "version": 1
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
 "rule_name": "Trusted Developer Application Usage",
- "sha256": "c50856866464349948eb885d9d4b377a46b8a7470c6f32673c3d5e61ff0242b3",
- "version": 2
+ "sha256": "d752b66cbbeace2be75cbb9f537c2616a93f3afaeff642192cda616b2901b421",
+ "version": 3
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
 "rule_name": "Microsoft Build Engine Started by a Script Process",
- "sha256": "ac0023e83e5909cd445a89e0d4ab90bb7b6b30a351e62e88c166a7679a935777",
- "version": 1
+ "sha256": "2f83765c4911e648c0be0db638d9cc346965a71141933eac60f40861b9b7cd91",
+ "version": 2
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
 "rule_name": "Microsoft Build Engine Started by a System Process",
- "sha256": "1b36179b1f136fb76beaff305ce0c197b0f004809f7d87db6152af0b530279e9",
- "version": 1
+ "sha256": "a21ff9b2f5134165746bb88ae1aee78d6bd955a455052c829ab18ccd9f06118f",
+ "version": 2
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
 "rule_name": "Microsoft Build Engine Using an Alternate Name",
- "sha256": "adef27d5671cae0ca7e338d1831deb5be547ca7e2bcc3f5c325d51e378062b15",
- "version": 1
+ "sha256": "6734ab6912ee86be6f5eff281217b5f9c95ac51596cd01d2f9359cc3b8de7758",
+ "version": 2
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
 "rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
- "sha256": "7ea5a0d0ea0780b698bc9007712ebc10b6cf49e8c5622c73700bda45ecba141a",
- "version": 1
+ "sha256": "9aa85ddacb0b3441dfcb53ec6d5b5c5ce908c558a242c764bd3f44624f8153ee",
+ "version": 2
 },
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
 "rule_name": 
"Microsoft Build Engine Started an Unusual Process", - "sha256": "40f6a7c2ade30ed37caf7db9f4f86b589bb220935a04d1bd9cacb4595999d0de", - "version": 1 + "sha256": "2c2569ff1e94344e1f975de973207510adf013f3a1d023c86508e8a116014454", + "version": 2 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "3e1bd6080789278af1262594434fb9df61bf980a196edef457066754ddb9b428", - "version": 1 + "sha256": "11408d55fdfb3692af922f829dbb1ece3131f59b6486d9f5d27572beb172d862", + "version": 2 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", - "sha256": "2791ea7aab403f784e99b1a00253127bc01b533c071ae239de2d951df5744226", + "sha256": "15ed502ec9c70e5b3fa1de7c99ec0877ac1907ece60779a324b8461956093012", + "version": 2 + }, + "a00681e3-9ed6-447c-ab2c-be648821c622": { + "rule_name": "AWS Access Secret in Secrets Manager", + "sha256": "d642e98b3e076e633ca985b67690dc130e7e8dff683221673cdba5bbeaf5b584", "version": 1 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", - "sha256": "670fee406466143d95c3d010a8f318d9551a33ceeb3b18edb862aa50517d153e", - "version": 1 + "sha256": "4f3f62c5999ec7b6e172437a4f359adc08bb68fc7a83c954c4f019b5d64a8664", + "version": 2 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", - "sha256": "0d5aa3558796ad1cfa586b0c0d1a99b2ba6d0cd6baeae3a1f31af0dd384a5859", - "version": 2 + "sha256": "59d713111ca42fcac2769d8939303019253c300d5455524e3fff4446f24282ad", + "version": 3 + }, + "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { + "rule_name": "AWS IAM Assume Role Policy Update", + "sha256": "2ada6c757e1263e796387b4f8f3ad22df6208c7883e4cc040875dcd20a1f7171", + "version": 1 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", - "sha256": "97f3907a36f237b97c3812f4574501cc28397821d814246ef551cab92809bf20", - "version": 2 + "sha256": 
"63f8ff2b6aafc463ae4759cabe61f70564a50e3d77328cf40916ae99b7ea9813", + "version": 3 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": "fa702d3f843d3b28f1d7be714e638126bdf36a51086d6f46c0931dcdff59637a", - "version": 2 + "sha256": "04570e79c085d3cac740e046e3448362b8438d9a99c9b399168381945773cea2", + "version": 3 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", - "sha256": "f41d31dc2d8ac8a4da2ea71dc3a2eda04b2195581612b5f40f5ed7d4b23c1939", - "version": 1 + "sha256": "c22e81459d98bd8fc47e911677c6ee40218253b7ec3bcb2e21c3d7e6116e7d4e", + "version": 2 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "bfbecd958d7ac30b7a1ce42d1222a026e48e6d5b5b56580dc6063537a66e872b", - "version": 2 + "sha256": "c6224e1b5be58c085435d8673229f7e70e6bc87f1bd11ddb46bbb7f0cc435e7c", + "version": 3 + }, + "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { + "rule_name": "Unusual AWS Command for a User", + "sha256": "ce52e2d02b90df1e3ca736fc26c70d3e2f2620a9db338e3c97c668081e6fc900", + "version": 1 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", - "sha256": "c8dde04e8b38da965110f057e8b7a7198cd6c1fdaf122919861a3bf44b715108", - "version": 3 + "sha256": "0596288e875728453b19e654f4f6e52c3dc4fe48d69c52a04a8c18f5e05724f5", + "version": 4 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "Netcat Network Activity", - "sha256": "05e16bd1d644813e92367add6a0e06dd94e5d5bb13deee5ae76e2b4e1c5e6bf8", - "version": 2 + "sha256": "eb3f95d0ec4f799be133ce35a3b5365edbdf780a99a638023ef5aff1f64c5b1e", + "version": 3 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "rule_name": "Local Scheduled Task Commands", - "sha256": "c6cdd952bda0851019bfb4442e8f981491c254b0442fc875baf088eee4d1b4b6", - "version": 2 + "sha256": "5850b379eef292ad97ff952faf36cd85e8ce9f9c34e36b3f0efe0b844cde9c8f", + "version": 3 }, 
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", - "sha256": "75b96e48cffe957398885c16d19668180a9c8a3f34393533298f1a57f73540ef", - "version": 2 + "sha256": "397a3304cb369f9f0567541e5bd84323c385ec834cb499a0e67d718f64006f52", + "version": 3 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", - "sha256": "ba2d648dd481c9efc13942569f8c5b1bac7f3110b10ab10e52d548b0501cddae", + "sha256": "d4821cc663dcd04faa0dee1bb378f9e34e9e1f909bf935443e1ce0fa4055726e", + "version": 2 + }, + "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { + "rule_name": "Attempt to Delete Okta Policy", + "sha256": "01518daa44aeaab1e69ff8e839d09993ac3dff4bee42db07cc9f72061c7f450b", "version": 1 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deletion via VssAdmin", - "sha256": "7ca6f8f1c070f5ece4dd1a4e11ce37658fb18141bdd7995482ab65cee2ede3bc", - "version": 2 + "sha256": "9a89bb4616053a27b9da19b0e039f20b5b06eddb82c0254daa490038e565943f", + "version": 3 + }, + "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { + "rule_name": "Attempt to Deactivate Okta Policy", + "sha256": "260673214731a4388538f29a28dd04e1c49db7f4e79b2e8a4a839ab169c24de8", + "version": 1 + }, + "b8075894-0b62-46e5-977c-31275da34419": { + "rule_name": "Administrator Privileges Assigned to Okta Group", + "sha256": "5632521575581aedea783c9b845524be2de4e8f1a5e1b52566dac7b3db62785a", + "version": 1 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", - "sha256": "f1713a791e10f0c22d6ef141ac00027fe0c25c74e5c170917c82039d82df95e4", + "sha256": "a6b35cd7c01efd9e3ff5f09556cfeae330c4c59d78c7d467cf32b8c376f93371", + "version": 2 + }, + "b9666521-4742-49ce-9ddc-b8e84c35acae": { + "rule_name": "Creation of Hidden Files and Directories", + "sha256": "0032ef35ec0d687bcb474eedb0e01318c6d305c658ec692cf78bfb9d1bf2e1dc", "version": 1 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "rule_name": "Unusual Windows Network Activity", - 
"sha256": "b3020cd50fdd4071cd24ba4864a6f71571c7be9dfbc04a05675fc5f82cd2b765", + "sha256": "8de6f1c5e4d700262cef0544529d3b788e0298c32283cc3f92e97968ce3b59f9", + "version": 2 + }, + "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { + "rule_name": "AWS EC2 Encryption Disabled", + "sha256": "60ae1b84baff1b57148144be22fb1fab68acc6c121388e267c0e06762d5fd1a2", + "version": 1 + }, + "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { + "rule_name": "AWS Root Login Without MFA", + "sha256": "1b8d4953e6732a9a3ef60f7ee29e4a69a50750a56448334dc0bc0f06d6c1a3f7", "version": 1 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { - "rule_name": "Credential Manipulation - Detected - Elastic Endpoint", - "sha256": "ff22df35f9c904de4bd9ea09ad6930326a56135cd21a69d9b159ffc80d1f1eb3", - "version": 2 + "rule_name": "Credential Manipulation - Detected - Elastic Endpoint Security", + "sha256": "b52ff8fc9a81095d6fab9fc74b1990c8e8882403fe6eaf33f035f0473ac86572", + "version": 3 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { - "rule_name": "Permission Theft - Detected - Elastic Endpoint", - "sha256": "14615d66138ce8a151124e86105e476cbc86391f48b9d623e5d89d3fedfd5244", - "version": 2 + "rule_name": "Permission Theft - Detected - Elastic Endpoint Security", + "sha256": "17c3166c1f15f852bd7d969a0e07962377ffa92769690eada8f0ad5ee6460587", + "version": 3 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "b576737d3673fc434f53908d325f1e19780acf43f29e5ca403d233a76e49157f", - "version": 1 + "sha256": "dd84d55464f543307c27a7f776fafdb99ab36e58ad7a7d5cbe9dbd3bd4c39a33", + "version": 2 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", - "sha256": "2b1aea0e382da26a9095637412779ea07ba1c600085708fd8533cb908cb4246b", - "version": 3 + "sha256": "26855945696ccd5efe39e4c6e0f53dc80d8af97b7a4b927790da064f4a7102e5", + "version": 4 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB 
(Windows File Sharing) Activity to the Internet", - "sha256": "5aa93865218f76c6c0e0a221e6525c3a25990e004dcd5a130abcb2693e799521", - "version": 3 + "sha256": "0b3597c5c91897753305ee323198d7acfedf2098d69287ba2dfbce7676940576", + "version": 4 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "Direct Outbound SMB Connection", - "sha256": "043f27706d54abb341bc27bfe0e0ab28cb301040d67f45e454b69ed91c413acd", - "version": 2 + "sha256": "f323552f1aa665fbffde188f19226fda514df98d5e174725d61cd0d413ed8130", + "version": 3 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", - "sha256": "2dd6d209fe4baeb9f4de665c48ae09886f0ebedac1f5348e8cd9670ad3cba231", - "version": 2 + "sha256": "b0134afadd79015919a72fb3e6fa0f3994aca735609a71ab4aaa03c89c6ceee4", + "version": 3 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { - "rule_name": "Credential Manipulation - Prevented - Elastic Endpoint", - "sha256": "4de5fba453fc6e77905f049de58e3d4e949c02b8a7c5664824d6de0fafa98aaf", - "version": 2 + "rule_name": "Credential Manipulation - Prevented - Elastic Endpoint Security", + "sha256": "f8f63b01f7675b23489b6b8c06f68a5c02516706d5a92f2beb5c8425925fb51a", + "version": 3 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", - "sha256": "69c100cf7e526df7fe98c60f5dfdec39b5e283b70b8258a214d48f549136b3ee", - "version": 2 + "sha256": "b58371646e73225044b02876cefe65dfeb96a8be81b39da0cf93094af30c34e8", + "version": 3 + }, + "cc92c835-da92-45c9-9f29-b4992ad621a0": { + "rule_name": "Attempt to Deactivate Okta MFA Rule", + "sha256": "e2eab87ea117ee00a592cd37fb71d7b7a3dd98e5ddfae8372d241ccf867cc9f0", + "version": 1 + }, + "cd16fb10-0261-46e8-9932-a0336278cdbe": { + "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", + "sha256": "a132753ad56c8475bdc9fb137b92fa594f6976a3697ac6e6a8c7536e14651290", + "version": 1 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", - "sha256": 
"bb51f973a0c732418f775ff5034494ac78d917dbe268104196275c056c2c6eee", - "version": 2 + "sha256": "68d871126791b1040df2c53b6dc057432217be3b4376703b7cb81a2057344720", + "version": 3 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", - "sha256": "3d0384a5dfcab595d6e37e51bb57c14999240e81e677c28a72980729d3843e5f", + "sha256": "f9fdcf439337f1fe71aa24215d02c09249e9cfb978f217d3edef60d6607d9403", + "version": 2 + }, + "cd89602e-9db0-48e3-9391-ae3bf241acd8": { + "rule_name": "Attempt to Deactivate MFA for Okta User Account", + "sha256": "396f243a682ad551b4aab5079679f7e10b35f243e223c09d914003c38f2a68aa", "version": 1 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", - "sha256": "1d1338c7e5a451124c5457b9f951ecb4fea2d25f66e1e0a42fd5bd42901fb5c4", - "version": 2 + "sha256": "323b7718cfeb8ddb94d27961ac2f3d47767b5f6ae02f97da32f13c22e2726582", + "version": 3 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", - "sha256": "f7c0075c089b3dc58718cf914f458d603e8334259676255fa410666ed4838619", - "version": 2 + "sha256": "6bf85d1d2f89adc041f3190145f1de20672f190727b302eaaf43268951d5e100", + "version": 3 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "2afadbc58b81aa3f157bc2a6e2336c2cdc01c4f7cf1b2e49ccda73115e1416e1", - "version": 2 + "sha256": "8bdc6cf7bf0a97f98345d321612263de58f0bd6d649cb98360a776b8af7dc37e", + "version": 3 + }, + "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { + "rule_name": "AWS CloudWatch Log Stream Deletion", + "sha256": "2021499caa2a2176a0b86ac263f23a7518297480f0e0215dcc3a22895005edca", + "version": 1 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", - "sha256": "208748780ef08f6f5518d19ddc02b27ca464e0a2283e3bd597d1adb209faedf6", - "version": 2 + "sha256": "9d82b60fa077eab2c9bd133e9a3c4d56e2cf3f1ba86047b23540dc6b837266fb", + "version": 
3 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "8b733d719fb36d87ffc7c4061b5745a309c9aa9f4486b916839612c5f2842d78", - "version": 1 + "sha256": "6e298f0f3fed486ae6f4eb0a4d93d8deebf1597264ec5ac5ed32c42d8616263a", + "version": 2 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", - "sha256": "2e069990afc7e2595fbb44fbf7409fa9689e06fe1bf4e38c5eb6b63b7e668278", - "version": 2 + "sha256": "28fa30167bad1a2feb0868794e0cc3d05c54a6245e14b13d1f3323ef386f247f", + "version": 3 + }, + "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { + "rule_name": "AWS IAM Deactivation of MFA Device", + "sha256": "46878290e9bdd3e13049723afe9522c8b81af03e08648c90bba7782c1368b4dc", + "version": 1 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { - "rule_name": "Credential Dumping - Prevented - Elastic Endpoint", - "sha256": "00d2b15422187a2e7d8cb886d61b5af82e900690fce4d231b81a6c88e71329b2", - "version": 2 + "rule_name": "Credential Dumping - Prevented - Elastic Endpoint Security", + "sha256": "2c5599ac23ed0959ec53b00503b7a05ee68b12c975a39d25047bac8e87254759", + "version": 3 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "47c0662835bb960faa810a241cec8a0e3a5e16dea5c5b24a2391bc46a41ccbb7", - "version": 2 + "sha256": "64fccc407b6b538dbab612c8a8040476660146645f1940b48a64a324c51e705b", + "version": 3 + }, + "dca28dee-c999-400f-b640-50a081cc0fd1": { + "rule_name": "Unusual Country For an AWS Command", + "sha256": "865d4e9d7e291ee018c098eea8785ef6cbcd98368594eeadc7e66da52159931e", + "version": 1 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "12c5ab3282cc98896c2fdc6019cacda579fde5f1c9b155ea12a5bf89308e6771", - "version": 1 + "sha256": "5f837c9e27f696b82b77dcb7d2c4a1a92142c2464451fc000104488ed8d65160", + "version": 2 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process 
Execution - Temp", - "sha256": "ab00dfd7fb69715948b4b0b71cbd2aa4f01da00124717860ee62245023c94201", - "version": 2 + "sha256": "88700a3ed7404230c3fdcfb911bf74ef67178524e736a46f09cd82435b4e825d", + "version": 3 + }, + "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { + "rule_name": "AWS RDS Cluster Creation", + "sha256": "3ad5cf801bdf9baae1e7e2c260d90108d185fd7af724cee0475e4226835be0f9", + "version": 1 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "rule_name": "Connection to External Network via Telnet", - "sha256": "b8febd6d9d552e61b554f6a3c60eda8224b8c7c6a270cdb5540b7bcb013eacf9", + "sha256": "1bdc0e8f97c88ad7d853ebb1870d959cd48583d54e72572f169a3fb35907e1aa", + "version": 2 + }, + "e2a67480-3b79-403d-96e3-fdd2992c50ef": { + "rule_name": "AWS Management Console Root Login", + "sha256": "b867fd994b9f5fd467ac4a9e93c3fc34069e8860d49828a39272f1bbb5c74baf", "version": 1 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "rule_name": "Process Activity via Compiled HTML File", - "sha256": "ad3d7159bb5aef8d8658ab0c89416a2b0e94b8e775f4a65da241352f3a198508", - "version": 2 + "sha256": "8b0e8036c1a949ccbfd40fa57471a19b52d6a072a3362d40e55eecdf09515c5b", + "version": 3 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { - "rule_name": "Ransomware - Prevented - Elastic Endpoint", - "sha256": "c9af59f7a05da04fffa3d96c38a40b342820cb3bee6c800ee9df883882d538ec", - "version": 2 + "rule_name": "Ransomware - Prevented - Elastic Endpoint Security", + "sha256": "ac0bba2fb5f0c96691cb486a49bd3993a4f2fec3e899ec3ab51facdd15f906ff", + "version": 3 + }, + "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { + "rule_name": "Attempt to Modify Okta Network Zone", + "sha256": "7fa770db85902c74e76603da32e18846181911f67d3aa29d9e4331b83ad9dc09", + "version": 1 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", - "sha256": "f56dd354749071664740a90eaaa0b989322cd84d851b0b1488d1c9a6c6a18f7e", - "version": 3 + "sha256": 
"c0ddd4408b7df965bb399e1d9b23b5580467983f7f856378a42d9f8f9ab97db7", + "version": 4 + }, + "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { + "rule_name": "Possible Okta DoS Attack", + "sha256": "9af51d68b03a227d373b1c687c6c411d1810e0afe7d93e0dba41008393ab92ed", + "version": 1 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "rule_name": "Local Service Commands", - "sha256": "bf7942d8947c958f37d4e71bfe3ffbfa274316bae269c280383be9f9777314ba", - "version": 2 + "sha256": "09a14045036f6a30948b02a97ace4a3004863642b39f1d965fb7bc175fadff25", + "version": 3 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", - "sha256": "cc73cfef9c8a52df72988a68e4c672f5b2836557e5505eca35867724e53c1960", - "version": 3 + "sha256": "9a3aa688f874a1f6a0757bfced4e6acf8ce786dc75b0d2b57acf118c2e474e55", + "version": 4 + }, + "ea248a02-bc47-4043-8e94-2885b19b2636": { + "rule_name": "AWS IAM Brute Force of Assume Role Policy", + "sha256": "a1877bd26b03c15006c1206a4227d80d9e19fda78567256f62a5e4ff247cb899", + "version": 1 + }, + "eb079c62-4481-4d6e-9643-3ca499df7aaa": { + "rule_name": "External Alerts", + "sha256": "e27190c2fc3f5863287bf24853e0e3f05363b8814fd229aee9411da4a51e094b", + "version": 1 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", - "sha256": "20096fe4e38033d51625a5d76c64b63cb2b3aa9087cfd527013f99a9621a8a37", + "sha256": "8f7296c828ca1babc06b6d8f33006f235b006335b8e05dca5f6cd0dec669975f", + "version": 2 + }, + "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { + "rule_name": "AWS RDS Instance/Cluster Stoppage", + "sha256": "d345cd2be573364d96bf551506fa83327d1a88f9d1d578ee730f8085ff5043ab", "version": 1 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", - "sha256": "25c739bb74073b6d0cf882b7f2771dfbb2dc85f27a64414f34f2544332c305ec", - "version": 2 + "sha256": "ec1977d61b17849139eebe7aa40136a25ee369eec4a85491150f818d24dc5b5e", + "version": 3 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { 
"rule_name": "Windows Script Executing PowerShell", - "sha256": "4c6602cef669e1229027ac71756ae75547d9250e04b526e7d1706cf4cca6655d", - "version": 2 + "sha256": "681ddd7b3337bb41f2496d94153c346d7e8e4fd2cab289c5c5168e3f5446d549", + "version": 3 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "bebe50d02b82af53fc18f68f84e4e4e23ea720312aa2427254627f3fb82caa6b", - "version": 2 + "sha256": "9fc4f152c5dbe06bbbdf27a4d307abc2da1116b564acc79b30034913e3b12219", + "version": 3 + }, + "f772ec8a-e182-483c-91d2-72058f76a44c": { + "rule_name": "AWS CloudWatch Alarm Deletion", + "sha256": "72de6ba3763bd235c252a332326af7b4cd7e670ac5322ae56ba59135b2c4d200", + "version": 1 + }, + "f994964f-6fce-4d75-8e79-e16ccc412588": { + "rule_name": "Suspicious Activity Reported by Okta User", + "sha256": "5af9cbee41e50e97d7c51d898ea484b4dae244da1d45c8c49327cecffd0e55e3", + "version": 1 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Regsvr", - "sha256": "1ea67c38378949c4946d6704ded6c3d6f1a0c7b890e45045b2e6a2264bc92fc5", - "version": 2 + "sha256": "78487cacf86e895d025eabed659c5ffaa0ded038a19808d5d6bb5f70978fb014", + "version": 3 + }, + "fbd44836-0d69-4004-a0b4-03c20370c435": { + "rule_name": "AWS Configuration Recorder Stopped", + "sha256": "6b269a2c7fb920ecb2cf5d7516b0ff7010c0eed637beac273fd2e40cf4df60d2", + "version": 1 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "d3a22bf6b97ce616591989d43fca5248d4c14ee87c9c5dd572b3f3a7ac1120a1", - "version": 2 + "sha256": "7c77385566b7c159d8e598d80ebed2d23c64e6301e1ddd7b9305d8fbc2a294c1", + "version": 3 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Encoding or Decoding Files via CertUtil", - "sha256": "811d196a3ef110b9651feedc5bd363205c4eb0317305f1b5aafd2884a7369967", - "version": 2 + "sha256": "cd0e189f8420314a834c4916b9685304b8edc4259d275796ee0e06fb7df0338b", + "version": 3 }, 
"fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", - "sha256": "07aef064be12522287511146bf3cef378006cd6d6785bfe022972bee00ce2d1e", - "version": 2 + "sha256": "53659b10280ff1cf084f6f27a95b3eae81c1e9e9e2cf0806e7eb61f14da0fc6d", + "version": 3 } } \ No newline at end of file