Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4732)

detection_rules/etc/version.lock.json

@@ -515,10 +515,10 @@
     "version": 5
   },
   "0ce6487d-8069-4888-9ddd-61b52490cebc": {
-    "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
-    "sha256": "433ec6996467e5a490dcc8b75069d1b4143e6ef4040333e80228dddd4fe2efd6",
-    "type": "query",
-    "version": 210
+    "rule_name": "Suspicious Mailbox Permission Delegation in Exchange Online",
+    "sha256": "4d8d3bed1120c39b3997ade0ceb78776ea8e18469df1abfa37bb139ab87fc155",
+    "type": "new_terms",
+    "version": 211
   },
   "0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
     "rule_name": "Multiple Alerts Involving a User",
@@ -526,6 +526,13 @@
     "type": "threshold",
     "version": 4
   },
+  "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": {
+    "min_stack_version": "8.17",
+    "rule_name": "Microsoft Entra ID Session Reuse with Suspicious Graph Access",
+    "sha256": "5c708e3c3878ddd653cdf55f9cbaf029d5b6de268e2681c65df4ccdfd93c3223",
+    "type": "esql",
+    "version": 1
+  },
   "0d69150b-96f8-467c-a86d-a67a3378ce77": {
     "rule_name": "Nping Process Activity",
     "sha256": "c4bdbe8b150dc0ae69e6b9976ce317d49affb800b6a372b6b57f7aae39e58093",
@@ -1573,10 +1580,20 @@
     "version": 107
   },
   "26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
-    "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
-    "sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59",
+    "min_stack_version": "8.17",
+    "previous": {
+      "8.14": {
+        "max_allowable_version": 411,
+        "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
+        "sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59",
+        "type": "esql",
+        "version": 312
+      }
+    },
+    "rule_name": "Potential Microsoft 365 User Account Brute Force",
+    "sha256": "e19432ea193cb159db6a83bccae69b3a2165162645c22b0f8e36bee3f71ddb29",
     "type": "esql",
-    "version": 312
+    "version": 412
   },
   "27071ea3-e806-4697-8abc-e22c92aa4293": {
     "rule_name": "PowerShell Script with Archive Compression Capabilities",
@@ -1751,9 +1768,9 @@
   },
   "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": {
     "rule_name": "Microsoft Graph First Occurrence of Client Request",
-    "sha256": "6b466d820148d0cfc60bfd789a05cff1216e302972ec381bde5a8b6b44f6350c",
+    "sha256": "b4148f8d9943e630d980806e0c498a1c96623a4c53fbd882da857b6004a18c27",
     "type": "new_terms",
-    "version": 1
+    "version": 2
   },
   "2a692072-d78d-42f3-a48a-775677d79c4e": {
     "rule_name": "Potential Code Execution via Postgresql",
@@ -3298,10 +3315,10 @@
     "version": 206
   },
   "581add16-df76-42bb-af8e-c979bfb39a59": {
-    "rule_name": "Deleting Backup Catalogs with Wbadmin",
-    "sha256": "c84484db7d213b2da4645d1127526eb0f4d34edc4309fc2f53911783db82cb39",
+    "rule_name": "Backup Deletion with Wbadmin",
+    "sha256": "bd99f1c1dc1bbc1957f29cd1c182ab5d00d9770fd4dd77a724fee4634f6f8135",
     "type": "eql",
-    "version": 317
+    "version": 318
   },
   "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
     "rule_name": "RDP Enabled via Registry",
@@ -4304,9 +4321,9 @@
   },
   "71bccb61-e19b-452f-b104-79a60e546a95": {
     "rule_name": "Unusual File Creation - Alternate Data Stream",
-    "sha256": "77153f9c14950adc74a164546568b82a599d966d5573409efd2a3e77224460af",
+    "sha256": "2d3be75d18124f279d600e4db3abfe4f05cd68abde7df9dc7bd130a75c5df7d0",
     "type": "eql",
-    "version": 318
+    "version": 319
   },
   "71c5cb27-eca5-4151-bb47-64bc3f883270": {
     "rule_name": "Suspicious RDP ActiveX Client Loaded",
@@ -5681,9 +5698,9 @@
   },
   "97fc44d3-8dae-4019-ae83-298c3015600f": {
     "rule_name": "Startup or Run Key Registry Modification",
-    "sha256": "4ef6084162b7b7ca5747a6e4208e6088166275efe18e3b1ab8f474071b61ac66",
+    "sha256": "39c28c83008ef62eb99a0de82b8be41f060c25120f83de8cd7666d847a57279d",
     "type": "eql",
-    "version": 116
+    "version": 117
   },
   "980b70a0-c820-11ed-8799-f661ea17fbcc": {
     "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
@@ -5962,10 +5979,10 @@
     "version": 315
   },
   "a02cb68e-7c93-48d1-93b2-2c39023308eb": {
-    "rule_name": "A scheduled task was updated",
-    "sha256": "1948ec1ad7f97c2d6eeef3638dbbaba87d1cb382495b4bb45f1c670deb735f5c",
-    "type": "eql",
-    "version": 113
+    "rule_name": "Unusual Scheduled Task Update",
+    "sha256": "a8d0255953541006b7b693b73e9b6eb8888f017f0c86096c34bc51dbf1595d31",
+    "type": "new_terms",
+    "version": 114
   },
   "a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
     "rule_name": "Potential Privilege Escalation via Python cap_setuid",
@@ -6066,9 +6083,9 @@
   },
   "a3cc60d8-2701-11f0-accf-f661ea17fbcd": {
     "rule_name": "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker",
-    "sha256": "411113088ba431184790b1d524a1f56f33cb24eee23e03dedb7ce9738bc5accf",
+    "sha256": "5b4cb946748f0ce168135326a6b785b8d6237caab940d43e42792bc51db177e7",
     "type": "new_terms",
-    "version": 1
+    "version": 2
   },
   "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
     "rule_name": "Execution via local SxS Shared Module",
@@ -7977,6 +7994,12 @@
     "type": "eql",
     "version": 205
   },
+  "da0d4bae-33ee-11f0-a59f-f661ea17fbcd": {
+    "rule_name": "Microsoft Entra ID Protection - Risk Detections",
+    "sha256": "9b9497a3de9a58ad095e62964a8a2805cd52f9730e7907d236978486f7068bd6",
+    "type": "query",
+    "version": 1
+  },
   "da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
     "rule_name": "Code Signing Policy Modification Through Registry",
     "sha256": "4465a0b284dd1be9c6a5f56ece22af068c8a61e9af4e7a72e9fc3f614980fd77",
@@ -8122,6 +8145,13 @@
     "type": "new_terms",
     "version": 3
   },
+  "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": {
+    "min_stack_version": "8.17",
+    "rule_name": "Multiple Microsoft 365 User Account Lockouts in Short Time Window",
+    "sha256": "75096b67404510e3b605f336c782c92b5393e605841cbe4a5c2c272e8c34adc1",
+    "type": "esql",
+    "version": 1
+  },
   "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
     "rule_name": "Unusual Child Process from a System Virtual Process",
     "sha256": "84d467b82d0972b0fd22be0fc6fa605093b59f4f5daddf51446d9c5ed62aac35",
@@ -8540,6 +8570,12 @@
     "type": "eql",
     "version": 312
   },
+  "e882e934-2aaa-11f0-8272-f661ea17fbcc": {
+    "rule_name": "Suspicious Email Access by First-Party Application via Microsoft Graph",
+    "sha256": "86ff54b665e83cd9f3393f348b5867905d4f8c0479c8d2ba5c6a3f21800bbc3d",
+    "type": "new_terms",
+    "version": 1
+  },
   "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
     "rule_name": "Host Files System Changes via Windows Subsystem for Linux",
     "sha256": "1e96b9c195bd7e985d54a7ebce9b7d3769f220cf8075ff16bc5572bae23b6fa7",
@@ -8908,9 +8944,9 @@
   "f0cc239b-67fa-46fc-89d4-f861753a40f5": {
     "min_stack_version": "8.17",
     "rule_name": "Microsoft Azure or Mail Sign-in from a Suspicious Source",
-    "sha256": "3596cbeaa0407a5f2e35ddd85a3ee3d81a599369c2fe3cd3fe28a8251fee3da8",
+    "sha256": "4fd69243a3f405a2fc8dac28257d472860062369ad573cd79c1e6fc5b6add7a7",
     "type": "esql",
-    "version": 1
+    "version": 2
   },
   "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
     "rule_name": "Execution with Explicit Credentials via Scripting",

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.8"
+version = "1.2.9"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"