From 72ec8199aea167a3c6faf758b1644714a7b0cf6d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 20 May 2025 08:26:21 +0530
Subject: [PATCH] Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4732)
---
 detection_rules/etc/version.lock.json | 84 +++++++++++++++++++--------
 pyproject.toml | 2 +-
 2 files changed, 61 insertions(+), 25 deletions(-)
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index a6c6ea9a8..dcf843324 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -515,10 +515,10 @@
 "version": 5
 },
 "0ce6487d-8069-4888-9ddd-61b52490cebc": {
- "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
- "sha256": "433ec6996467e5a490dcc8b75069d1b4143e6ef4040333e80228dddd4fe2efd6",
- "type": "query",
- "version": 210
+ "rule_name": "Suspicious Mailbox Permission Delegation in Exchange Online",
+ "sha256": "4d8d3bed1120c39b3997ade0ceb78776ea8e18469df1abfa37bb139ab87fc155",
+ "type": "new_terms",
+ "version": 211
 },
 "0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
 "rule_name": "Multiple Alerts Involving a User",
@@ -526,6 +526,13 @@
 "type": "threshold",
 "version": 4
 },
+ "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": {
+ "min_stack_version": "8.17",
+ "rule_name": "Microsoft Entra ID Session Reuse with Suspicious Graph Access",
+ "sha256": "5c708e3c3878ddd653cdf55f9cbaf029d5b6de268e2681c65df4ccdfd93c3223",
+ "type": "esql",
+ "version": 1
+ },
 "0d69150b-96f8-467c-a86d-a67a3378ce77": {
 "rule_name": "Nping Process Activity",
 "sha256": "c4bdbe8b150dc0ae69e6b9976ce317d49affb800b6a372b6b57f7aae39e58093",
@@ -1573,10 +1580,20 @@
 "version": 107
 },
 "26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
- "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
- "sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59",
+ "min_stack_version": "8.17",
+ "previous": {
+ "8.14": {
+ "max_allowable_version": 411,
+ "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
+ "sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59",
+ "type": "esql",
+ "version": 312
+ }
+ },
+ "rule_name": "Potential Microsoft 365 User Account Brute Force",
+ "sha256": "e19432ea193cb159db6a83bccae69b3a2165162645c22b0f8e36bee3f71ddb29",
 "type": "esql",
- "version": 312
+ "version": 412
 },
 "27071ea3-e806-4697-8abc-e22c92aa4293": {
 "rule_name": "PowerShell Script with Archive Compression Capabilities",
@@ -1751,9 +1768,9 @@
 },
 "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": {
 "rule_name": "Microsoft Graph First Occurrence of Client Request",
- "sha256": "6b466d820148d0cfc60bfd789a05cff1216e302972ec381bde5a8b6b44f6350c",
+ "sha256": "b4148f8d9943e630d980806e0c498a1c96623a4c53fbd882da857b6004a18c27",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "2a692072-d78d-42f3-a48a-775677d79c4e": {
 "rule_name": "Potential Code Execution via Postgresql",
@@ -3298,10 +3315,10 @@
 "version": 206
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
- "rule_name": "Deleting Backup Catalogs with Wbadmin",
- "sha256": "c84484db7d213b2da4645d1127526eb0f4d34edc4309fc2f53911783db82cb39",
+ "rule_name": "Backup Deletion with Wbadmin",
+ "sha256": "bd99f1c1dc1bbc1957f29cd1c182ab5d00d9770fd4dd77a724fee4634f6f8135",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
 "rule_name": "RDP Enabled via Registry",
@@ -4304,9 +4321,9 @@
 },
 "71bccb61-e19b-452f-b104-79a60e546a95": {
 "rule_name": "Unusual File Creation - Alternate Data Stream",
- "sha256": "77153f9c14950adc74a164546568b82a599d966d5573409efd2a3e77224460af",
+ "sha256": "2d3be75d18124f279d600e4db3abfe4f05cd68abde7df9dc7bd130a75c5df7d0",
 "type": "eql",
- "version": 318
+ "version": 319
 },
 "71c5cb27-eca5-4151-bb47-64bc3f883270": {
 "rule_name": "Suspicious RDP ActiveX Client Loaded",
@@ -5681,9 +5698,9 @@
 },
 "97fc44d3-8dae-4019-ae83-298c3015600f": {
 "rule_name": "Startup or Run Key Registry Modification",
- "sha256": "4ef6084162b7b7ca5747a6e4208e6088166275efe18e3b1ab8f474071b61ac66",
+ "sha256": "39c28c83008ef62eb99a0de82b8be41f060c25120f83de8cd7666d847a57279d",
 "type": "eql",
- "version": 116
+ "version": 117
 },
 "980b70a0-c820-11ed-8799-f661ea17fbcc": {
 "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
@@ -5962,10 +5979,10 @@
 "version": 315
 },
 "a02cb68e-7c93-48d1-93b2-2c39023308eb": {
- "rule_name": "A scheduled task was updated",
- "sha256": "1948ec1ad7f97c2d6eeef3638dbbaba87d1cb382495b4bb45f1c670deb735f5c",
- "type": "eql",
- "version": 113
+ "rule_name": "Unusual Scheduled Task Update",
+ "sha256": "a8d0255953541006b7b693b73e9b6eb8888f017f0c86096c34bc51dbf1595d31",
+ "type": "new_terms",
+ "version": 114
 },
 "a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
 "rule_name": "Potential Privilege Escalation via Python cap_setuid",
@@ -6066,9 +6083,9 @@
 },
 "a3cc60d8-2701-11f0-accf-f661ea17fbcd": {
 "rule_name": "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker",
- "sha256": "411113088ba431184790b1d524a1f56f33cb24eee23e03dedb7ce9738bc5accf",
+ "sha256": "5b4cb946748f0ce168135326a6b785b8d6237caab940d43e42792bc51db177e7",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
 "rule_name": "Execution via local SxS Shared Module",
@@ -7977,6 +7994,12 @@
 "type": "eql",
 "version": 205
 },
+ "da0d4bae-33ee-11f0-a59f-f661ea17fbcd": {
+ "rule_name": "Microsoft Entra ID Protection - Risk Detections",
+ "sha256": "9b9497a3de9a58ad095e62964a8a2805cd52f9730e7907d236978486f7068bd6",
+ "type": "query",
+ "version": 1
+ },
 "da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
 "rule_name": "Code Signing Policy Modification Through Registry",
 "sha256": "4465a0b284dd1be9c6a5f56ece22af068c8a61e9af4e7a72e9fc3f614980fd77",
@@ -8122,6 +8145,13 @@
 "type": "new_terms",
 "version": 3
 },
+ "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": {
+ "min_stack_version": "8.17",
+ "rule_name": "Multiple Microsoft 365 User Account Lockouts in Short Time Window",
+ "sha256": "75096b67404510e3b605f336c782c92b5393e605841cbe4a5c2c272e8c34adc1",
+ "type": "esql",
+ "version": 1
+ },
 "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
 "rule_name": "Unusual Child Process from a System Virtual Process",
 "sha256": "84d467b82d0972b0fd22be0fc6fa605093b59f4f5daddf51446d9c5ed62aac35",
@@ -8540,6 +8570,12 @@
 "type": "eql",
 "version": 312
 },
+ "e882e934-2aaa-11f0-8272-f661ea17fbcc": {
+ "rule_name": "Suspicious Email Access by First-Party Application via Microsoft Graph",
+ "sha256": "86ff54b665e83cd9f3393f348b5867905d4f8c0479c8d2ba5c6a3f21800bbc3d",
+ "type": "new_terms",
+ "version": 1
+ },
 "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
 "rule_name": "Host Files System Changes via Windows Subsystem for Linux",
 "sha256": "1e96b9c195bd7e985d54a7ebce9b7d3769f220cf8075ff16bc5572bae23b6fa7",
@@ -8908,9 +8944,9 @@
 "f0cc239b-67fa-46fc-89d4-f861753a40f5": {
 "min_stack_version": "8.17",
 "rule_name": "Microsoft Azure or Mail Sign-in from a Suspicious Source",
- "sha256": "3596cbeaa0407a5f2e35ddd85a3ee3d81a599369c2fe3cd3fe28a8251fee3da8",
+ "sha256": "4fd69243a3f405a2fc8dac28257d472860062369ad573cd79c1e6fc5b6add7a7",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
 "rule_name": "Execution with Explicit Credentials via Scripting",
diff --git a/pyproject.toml b/pyproject.toml
index 5e8bfaf2f..6318517f3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.8"
+version = "1.2.9"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"