Lock versions for releases: 8.19,9.0,9.1,9.2 (#5426)
committed by
GitHub
parent
b3173ac505
commit
793ecfe34a
@@ -42,10 +42,10 @@
|
||||
"version": 210
|
||||
},
|
||||
"015cca13-8832-49ac-a01b-a396114809f6": {
|
||||
"rule_name": "AWS Redshift Cluster Creation",
|
||||
"sha256": "485c2fd72b03d329a939d9aa2e0ed1fa869c9af0d75c6d1daaa066f99de00a26",
|
||||
"rule_name": "Deprecated - AWS Redshift Cluster Creation",
|
||||
"sha256": "f6e7e8c38698de53c1f503b5a483cd61fe060eba93c72f3d9d394148f9fb36ea",
|
||||
"type": "query",
|
||||
"version": 209
|
||||
"version": 210
|
||||
},
|
||||
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
|
||||
"rule_name": "Potential Network Scan Detected",
|
||||
@@ -313,9 +313,9 @@
|
||||
},
|
||||
"083383af-b9a4-42b7-a463-29c40efe7797": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation",
|
||||
"sha256": "42e7ee3fe98ad169a9e8019700d1dd08faf3bb4fa9e52be141236531ecb4d169",
|
||||
"sha256": "4f14a718a89be4d729c0a63c46e4f6194cbbf0b477b7d7b0ba68c9b0ecf8c7b7",
|
||||
"type": "esql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"083fa162-e790-4d85-9aeb-4fea04188adb": {
|
||||
"rule_name": "Suspicious Hidden Child Process of Launchd",
|
||||
@@ -331,9 +331,9 @@
|
||||
},
|
||||
"0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": {
|
||||
"rule_name": "Node.js Pre or Post-Install Script Execution",
|
||||
"sha256": "548398463d4c38c2b93eeae4abccef6032dfbc90b31a756391e48524bd463888",
|
||||
"sha256": "95dfc163dc1bc31c6f67c9956a92031cea559ff27d774bc621436fbce4e3c4be",
|
||||
"type": "eql",
|
||||
"version": 2
|
||||
"version": 3
|
||||
},
|
||||
"089db1af-740d-4d84-9a5b-babd6de143b0": {
|
||||
"rule_name": "Windows Account or Group Discovery",
|
||||
@@ -463,9 +463,9 @@
|
||||
},
|
||||
"0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": {
|
||||
"rule_name": "Elastic Defend and Network Security Alerts Correlation",
|
||||
"sha256": "183cf42353fc5c65f841949b0932e3d3f3b22db72e600770b7384c9763af5fb6",
|
||||
"sha256": "056d4ea5cd3b4e8aa563e49d2404f2c0050940516ba5249574bee7bb2353f021",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
|
||||
"rule_name": "Processes with Trailing Spaces",
|
||||
@@ -553,9 +553,9 @@
|
||||
},
|
||||
"0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": {
|
||||
"rule_name": "AWS Access Token Used from Multiple Addresses",
|
||||
"sha256": "367aa86bbae336557e47859aaa7ff46e28884858534ab2e3cf9f597679c3c3dd",
|
||||
"sha256": "8fa1e1fae1b9df0dcbf613745f11a37be91a3a4f12fffdfb2683e0d606fdb20b",
|
||||
"type": "esql",
|
||||
"version": 104
|
||||
"version": 105
|
||||
},
|
||||
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
|
||||
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
|
||||
@@ -577,9 +577,9 @@
|
||||
},
|
||||
"0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
|
||||
"rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token",
|
||||
"sha256": "e0fc1db1622a8156c5b0701e10b162b8e5f8710ac73f34baa3029caa90ca4413",
|
||||
"sha256": "c5c25c606f65d1dd93f7bb4554ef93fa844d008166cd092acbbb3fedbd622373",
|
||||
"type": "esql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
|
||||
"rule_name": "GCP Service Account Key Creation",
|
||||
@@ -691,9 +691,9 @@
|
||||
},
|
||||
"119c8877-8613-416d-a98a-96b6664ee73a": {
|
||||
"rule_name": "AWS RDS Snapshot Export",
|
||||
"sha256": "0cde2bfbacf1d5ad63f6bb5e0964b3b5a2a15cf4882e8cba347f52c5989079da",
|
||||
"sha256": "bed507515e00c4a06151d8f8fb70eff8c61569f774c6889d3cbda5bee2cb6010",
|
||||
"type": "query",
|
||||
"version": 209
|
||||
"version": 210
|
||||
},
|
||||
"119c8877-8613-416d-a98a-96b6664ee73a5": {
|
||||
"rule_name": "AWS RDS Snapshot Export",
|
||||
@@ -949,9 +949,9 @@
|
||||
},
|
||||
"1719ee47-89b8-4407-9d55-6dff2629dd4c": {
|
||||
"rule_name": "Persistence via a Windows Installer",
|
||||
"sha256": "9d071673dc778a2ba73f917a3d9f6ec217c7c494f6a407363675471350a5deed",
|
||||
"sha256": "11c0bff91c47efa25c0f5f167b3d977f3ac07a6fb5ff0158d88d3445efe327d9",
|
||||
"type": "eql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
|
||||
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
|
||||
@@ -1015,9 +1015,9 @@
|
||||
},
|
||||
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
||||
"rule_name": "Unusual Network Destination Domain Name",
|
||||
"sha256": "599cc8905fe0fb2873fc02bca62c1ebf97d34b684180665e7e909d527e509ad7",
|
||||
"sha256": "2f942b288c66f4480066469ad579758c9ff2fe4287501321cfcac506bd4e3288",
|
||||
"type": "machine_learning",
|
||||
"version": 107
|
||||
"version": 108
|
||||
},
|
||||
"181f6b23-3799-445e-9589-0018328a9e46": {
|
||||
"rule_name": "Script Execution via Microsoft HTML Application",
|
||||
@@ -1057,9 +1057,9 @@
|
||||
},
|
||||
"192657ba-ab0e-4901-89a2-911d611eee98": {
|
||||
"rule_name": "Potential Persistence via File Modification",
|
||||
"sha256": "2bfc3b450c5f44d97b88b26d385af8956ca80d7cb2d78e45b85b0df3fc06993d",
|
||||
"sha256": "0199418e23bdf78a20dd96bd7572555513e8aaa1350c6e48d99cf860a48b9ba9",
|
||||
"type": "eql",
|
||||
"version": 9
|
||||
"version": 10
|
||||
},
|
||||
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
|
||||
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
|
||||
@@ -1081,9 +1081,9 @@
|
||||
},
|
||||
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
||||
"rule_name": "Rare AWS Error Code",
|
||||
"sha256": "c5ccfa06fcb6ada608a35d93744993c3f48966ce6d4323197e222dcb5324993f",
|
||||
"sha256": "b836fac20b0940bfc3175c371b5a9a9693cc738c58e02cce56b41be1d943bddb",
|
||||
"type": "machine_learning",
|
||||
"version": 211
|
||||
"version": 212
|
||||
},
|
||||
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
|
||||
"rule_name": "Spike in Number of Processes in an RDP Session",
|
||||
@@ -1111,9 +1111,9 @@
|
||||
},
|
||||
"1a3f2a4c-12d0-4b88-961a-2711ee295637": {
|
||||
"rule_name": "Potential System Tampering via File Modification",
|
||||
"sha256": "103948de64613c9e00529640ef48bc2472935b80420628f0917df58b4f57ff10",
|
||||
"sha256": "01016fb07b4de034fd77a549366e844c1df0ef74f37599b5e5b3dc0e87a4c168",
|
||||
"type": "eql",
|
||||
"version": 2
|
||||
"version": 3
|
||||
},
|
||||
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
|
||||
"rule_name": "Execution of COM object via Xwizard",
|
||||
@@ -1217,6 +1217,12 @@
|
||||
"type": "eql",
|
||||
"version": 213
|
||||
},
|
||||
"1d306bf0-7bcf-4acd-83fd-042f5711acc9": {
|
||||
"rule_name": "Initial Access via File Upload Followed by GET Request",
|
||||
"sha256": "97574d1e96bef8af267abfb06bc0f7cb8d0586d2437b3b101bee18f491296858",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"1d485649-c486-4f1d-a99c-8d64795795ad": {
|
||||
"rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt",
|
||||
"sha256": "c074d6687b59f8e9a8ddf9fb262efa268ccb014e0e218c7d1f8ee218f6d627eb",
|
||||
@@ -1585,9 +1591,9 @@
|
||||
},
|
||||
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
|
||||
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
|
||||
"sha256": "beb3cd25d9df9767e008011425e30dbaed0ffa3f3d1fc6ba941135fedad0e089",
|
||||
"sha256": "7851f2067a7914e98ceb33a4459b1b3eaae624ac3470df3cddde0f895f395d3d",
|
||||
"type": "eql",
|
||||
"version": 10
|
||||
"version": 11
|
||||
},
|
||||
"26edba02-6979-4bce-920a-70b080a7be81": {
|
||||
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
|
||||
@@ -1830,11 +1836,20 @@
|
||||
"version": 207
|
||||
},
|
||||
"2d6f5332-42ea-11f0-b09a-f661ea17fbcd": {
|
||||
"min_stack_version": "8.19",
|
||||
"min_stack_version": "9.0",
|
||||
"previous": {
|
||||
"8.19": {
|
||||
"max_allowable_version": 105,
|
||||
"rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected",
|
||||
"sha256": "09e0db85e9bb2792e16cac43d4386f3e6669fc339ee9f0fd5b9c0766b24390d7",
|
||||
"type": "esql",
|
||||
"version": 6
|
||||
}
|
||||
},
|
||||
"rule_name": "Microsoft Entra ID Excessive Account Lockouts Detected",
|
||||
"sha256": "aaad9534812f266fd81a731fb54499b095a087e856fc3d3ace34585f13135842",
|
||||
"type": "threshold",
|
||||
"version": 5
|
||||
"version": 106
|
||||
},
|
||||
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
||||
"rule_name": "Enumeration of Kernel Modules",
|
||||
@@ -2073,9 +2088,9 @@
|
||||
"32f95776-6498-4f3c-a90c-d4f6083e3901": {
|
||||
"min_stack_version": "9.1",
|
||||
"rule_name": "Potential Masquerading as Svchost",
|
||||
"sha256": "4afcc293f2da3e0d75279f561aff916cea9a37c827cb4cfa6c093a43be40acf2",
|
||||
"sha256": "30826654b84c8a5018f4c8d5c115a0016759528fe1b85df69b8604c674ec7e95",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
"3302835b-0049-4004-a325-660b1fba1f67": {
|
||||
"rule_name": "Directory Creation in /bin directory",
|
||||
@@ -2175,9 +2190,9 @@
|
||||
},
|
||||
"35f86980-1fb1-4dff-b311-3be941549c8d": {
|
||||
"rule_name": "Network Traffic to Rare Destination Country",
|
||||
"sha256": "f387323689ef2cf34009ce6de40a191fa010ffb20334c5a343789667490315d6",
|
||||
"sha256": "2076f8bac484f53cb646463676897a5173dc94e42712835dcbc45c9f571f6a56",
|
||||
"type": "machine_learning",
|
||||
"version": 107
|
||||
"version": 108
|
||||
},
|
||||
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
|
||||
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
|
||||
@@ -2319,9 +2334,9 @@
|
||||
},
|
||||
"393ef120-63d1-11ef-8e38-f661ea17fbce": {
|
||||
"rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
|
||||
"sha256": "61259a7fd31474e07ef6f32f1f11c3e7bd5e381656f8b667d4c02a8db21e117d",
|
||||
"sha256": "a2ae354dd666a1ae571d0b286934c5d03358e88ab0e6ed648b6e49e82281940a",
|
||||
"type": "esql",
|
||||
"version": 6
|
||||
"version": 7
|
||||
},
|
||||
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
|
||||
"rule_name": "Persistence via Microsoft Outlook VBA",
|
||||
@@ -2427,9 +2442,9 @@
|
||||
},
|
||||
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
||||
"rule_name": "Unusual Linux Network Port Activity",
|
||||
"sha256": "e28820cdef8824c303418b68a7e76996a4b6f9692520a06646c81c82c8ab4d6a",
|
||||
"sha256": "90959aa7c932be6c768d07a768fca0c68d5723a9ef7996a75caa8f0bf3d55716",
|
||||
"type": "machine_learning",
|
||||
"version": 107
|
||||
"version": 108
|
||||
},
|
||||
"3c9f7901-01d8-465d-8dc0-5d46671035fa": {
|
||||
"rule_name": "Kernel Seeking Activity",
|
||||
@@ -2455,6 +2470,12 @@
|
||||
"type": "query",
|
||||
"version": 210
|
||||
},
|
||||
"3db029b3-fbb7-4697-ad07-33cbfd5bd080": {
|
||||
"rule_name": "Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode",
|
||||
"sha256": "3c165b3d0b7f63d4296bd1183d680a1097e47aeb7ca1b84255b0ff6d6d89d107",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
},
|
||||
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
|
||||
"rule_name": "AWS SNS Rare Protocol Subscription by User",
|
||||
"sha256": "6058fa96b4d3ccbd3cbe0800857ef03594df77f0f35cf37710da392649d733c3",
|
||||
@@ -2593,6 +2614,12 @@
|
||||
"type": "eql",
|
||||
"version": 315
|
||||
},
|
||||
"40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": {
|
||||
"rule_name": "New GitHub Self Hosted Action Runner",
|
||||
"sha256": "afbae386edf6dfb7e342c2fe33cd1ac8a58684a2d50313d22bba2a50c259afb8",
|
||||
"type": "new_terms",
|
||||
"version": 1
|
||||
},
|
||||
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
|
||||
"rule_name": "Suspicious Modprobe File Event",
|
||||
"sha256": "f74b29a60a90fdca80a92b306db20a9ad31e53709a4d46bea0308cb9f1bde95c",
|
||||
@@ -2739,9 +2766,9 @@
|
||||
},
|
||||
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
|
||||
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
|
||||
"sha256": "0a49b0bc11b7b7734b51c058fb7b983d9dc746749a1489031c26efc399d833fb",
|
||||
"sha256": "fea0eb1b7a074a7c66598a13e49915f3809a1946f0ddcf5e238359c001a27692",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
|
||||
"rule_name": "Windows Event Logs Cleared",
|
||||
@@ -2749,6 +2776,13 @@
|
||||
"type": "query",
|
||||
"version": 215
|
||||
},
|
||||
"45d099b4-a12e-4913-951c-0129f73efb41": {
|
||||
"min_stack_version": "9.2",
|
||||
"rule_name": "Web Server Potential Remote File Inclusion Activity",
|
||||
"sha256": "ff25fabd9223a7102f408eb2923f5a338aa9ebb6eb2990bab28b37fa546e040f",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
},
|
||||
"45d273fb-1dca-457d-9855-bcb302180c21": {
|
||||
"rule_name": "Encrypting Files with WinRar or 7z",
|
||||
"sha256": "d587f84061510af81e4d24d6a46b7d23a87048e8f6d3d1172b32452a1d829ae5",
|
||||
@@ -2779,6 +2813,12 @@
|
||||
"type": "machine_learning",
|
||||
"version": 108
|
||||
},
|
||||
"472b4944-d810-43cf-83dc-7d080ae1b8dd": {
|
||||
"rule_name": "Multiple Cloud Secrets Accessed by Source Address",
|
||||
"sha256": "63d56fef38ba2b4ccd12a2c05513698e2ff41e5070dae3e915f65671915d9490",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
},
|
||||
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
|
||||
"rule_name": "System V Init Script Created",
|
||||
"sha256": "962ab60a7b6b0263c7388f0355f15fac1e3a3d9003b2d0ab2d625af6b790d76a",
|
||||
@@ -2787,9 +2827,9 @@
|
||||
},
|
||||
"47595dea-452b-4d37-b82d-6dd691325139": {
|
||||
"rule_name": "Credential Access via TruffleHog Execution",
|
||||
"sha256": "be16d5f3a77572e7460510d143328a666363e19e7d40eca3719eb3d2a314ff6b",
|
||||
"sha256": "0ebaa20afe2747b15511424d174dff2a614551b155f5398c86ae2a524375e129",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
|
||||
"rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
|
||||
@@ -3190,9 +3230,9 @@
|
||||
},
|
||||
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
||||
"rule_name": "Unusual Linux Network Activity",
|
||||
"sha256": "ab770d636e60e934030892c3300fbde621dafef776555bd84887bb2d146ec07d",
|
||||
"sha256": "62bd8f8c90f70c3a4eb3671d95b3b6e54bd72c9902ec472ed75dbc680856fa84",
|
||||
"type": "machine_learning",
|
||||
"version": 107
|
||||
"version": 108
|
||||
},
|
||||
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
||||
"rule_name": "Unusual Linux Web Activity",
|
||||
@@ -3219,10 +3259,10 @@
|
||||
"version": 14
|
||||
},
|
||||
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
|
||||
"rule_name": "AWS EFS File System or Mount Deleted",
|
||||
"sha256": "0937e3ed0e1bfaded40e2d98b86747c93987130ca395825e0d477467a192e258",
|
||||
"rule_name": "AWS EFS File System Deleted",
|
||||
"sha256": "609ed621a69c3390bab0a9033977e866424574af96e87ba8f51ba3731d8ad7cd",
|
||||
"type": "query",
|
||||
"version": 209
|
||||
"version": 210
|
||||
},
|
||||
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
|
||||
"rule_name": "Azure Diagnostic Settings Deletion",
|
||||
@@ -3392,6 +3432,12 @@
|
||||
"type": "eql",
|
||||
"version": 208
|
||||
},
|
||||
"57e118c1-19eb-4c20-93a6-8a6c30a5b48b": {
|
||||
"rule_name": "Remote GitHub Actions Runner Registration",
|
||||
"sha256": "1d0cb6b6f76ce755ca5fb4d086cbe1b222f7cf1a54d1751338d1440ff5acdcc3",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
||||
"rule_name": "Backup Deletion with Wbadmin",
|
||||
"sha256": "bd99f1c1dc1bbc1957f29cd1c182ab5d00d9770fd4dd77a724fee4634f6f8135",
|
||||
@@ -3428,6 +3474,12 @@
|
||||
"type": "eql",
|
||||
"version": 114
|
||||
},
|
||||
"590fc62d-7386-4c75-92b0-af4517018da1": {
|
||||
"rule_name": "Unusual Process Modifying GenAI Configuration File",
|
||||
"sha256": "d15498a6c01273b39703c3016c982fcab89864cd34a4a815be7323f64ad64615",
|
||||
"type": "new_terms",
|
||||
"version": 1
|
||||
},
|
||||
"5919988c-29e1-4908-83aa-1f087a838f63": {
|
||||
"rule_name": "File or Directory Deletion Command",
|
||||
"sha256": "580ad4755828bed2eed4fc05fda6a383cb56bcfad28fbc5784fe8aa3b56558e2",
|
||||
@@ -3898,9 +3950,9 @@
|
||||
},
|
||||
"64f17c52-6c6e-479e-ba72-236f3df18f3d": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
|
||||
"sha256": "b6cf23674580c2fcf3dd499e987b22b13642b9b8c7eef303611731dcf5d95d3b",
|
||||
"sha256": "d942ea2a574b0c58f9570daac07cd6d5436809cbac8cb59e98a55aa70dae7c3c",
|
||||
"type": "esql",
|
||||
"version": 6
|
||||
"version": 7
|
||||
},
|
||||
"6505e02e-28dd-41cd-b18f-64e649caa4e2": {
|
||||
"rule_name": "Manual Memory Dumping via Proc Filesystem",
|
||||
@@ -3932,6 +3984,12 @@
|
||||
"type": "new_terms",
|
||||
"version": 3
|
||||
},
|
||||
"65f28c4d-cfc8-4847-9cca-f2fb1e319151": {
|
||||
"rule_name": "Unusual Web Server Command Execution",
|
||||
"sha256": "a00138f5ac336eb4408e082304d0d74c151617aa44a0444dd0acb8960b67777e",
|
||||
"type": "new_terms",
|
||||
"version": 1
|
||||
},
|
||||
"65f9bccd-510b-40df-8263-334f03174fed": {
|
||||
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
||||
"sha256": "2962f75c4c913a7ae6568d692aa100bc991b3f0a49913ed652b7423b7d56b4cd",
|
||||
@@ -3946,9 +4004,9 @@
|
||||
},
|
||||
"6631a759-4559-4c33-a392-13f146c8bcc4": {
|
||||
"rule_name": "Potential Spike in Web Server Error Logs",
|
||||
"sha256": "98be4f9eef1a15a275f88c7d941c841e8bf9c82a05e15cb84747255c255d396c",
|
||||
"sha256": "effc61a862d7377ca5db5b1edccd523326415b1fad2a0176cf40a825888b0431",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
"6641a5af-fb7e-487a-adc4-9e6503365318": {
|
||||
"rule_name": "Suspicious Termination of ESXI Process",
|
||||
@@ -3976,9 +4034,9 @@
|
||||
},
|
||||
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
|
||||
"rule_name": "Connection to Commonly Abused Web Services",
|
||||
"sha256": "ed15ffb242f86a6f50709786a298deaf34a408fe5da570d4456f637e5ac04586",
|
||||
"sha256": "341b1d747c5f1911c4deea9190dfab0c542a5d1d67dcc459764f21997264f460",
|
||||
"type": "eql",
|
||||
"version": 123
|
||||
"version": 124
|
||||
},
|
||||
"66c058f3-99f4-4d18-952b-43348f2577a0": {
|
||||
"rule_name": "Linux Process Hooking via GDB",
|
||||
@@ -4012,9 +4070,9 @@
|
||||
},
|
||||
"6756ee27-9152-479b-9b73-54b5bbda301c": {
|
||||
"rule_name": "Rare Connection to WebDAV Target",
|
||||
"sha256": "967542c9e365ae3208bfef2073ef7dac00b601c61d74a4487fd3c413c9c9bb3e",
|
||||
"sha256": "2256b4ec67c4244841a6cbd5d266f2fa67bf43eb4fef34a0a2f0ec5958f6cf9c",
|
||||
"type": "esql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
},
|
||||
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
||||
"rule_name": "Attempt to Revoke Okta API Token",
|
||||
@@ -4114,9 +4172,9 @@
|
||||
},
|
||||
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
|
||||
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
|
||||
"sha256": "dd12550a3cff20c4f63fc6067d74d35429245b167537619b73a3d2a44d4250db",
|
||||
"sha256": "7d47c62652d1fd5b413a4b287ec7edaf4ad513a4c97d9db1b56892a3639fca0b",
|
||||
"type": "query",
|
||||
"version": 109
|
||||
"version": 110
|
||||
},
|
||||
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
|
||||
"rule_name": "AWS IAM User Created Access Keys For Another User",
|
||||
@@ -4234,9 +4292,9 @@
|
||||
},
|
||||
"6ddb6c33-00ce-4acd-832a-24b251512023": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
|
||||
"sha256": "d84e236eff45eec22ad50a0288a325163adbb643b1dfa20e9db617201fe58709",
|
||||
"sha256": "adde7f16204d80d3990b8f91dcb264ce4dc3b467b3aff63719ee416a82b35660",
|
||||
"type": "esql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
|
||||
"rule_name": "Root Certificate Installation",
|
||||
@@ -4348,9 +4406,9 @@
|
||||
},
|
||||
"6fa3abe3-9cd8-41de-951b-51ed8f710523": {
|
||||
"rule_name": "Web Server Potential Spike in Error Response Codes",
|
||||
"sha256": "8b34b274384a2853c8fe78423e0cc186bc5ae6593ca179b7160bb5e5d818efb5",
|
||||
"sha256": "3802d6b986d632b4d8b454c524e9c70e97a2025548c150279629e3a953827f8b",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
"6fb2280a-d91a-4e64-a97e-1332284d9391": {
|
||||
"rule_name": "Spike in Special Privilege Use Events",
|
||||
@@ -4552,9 +4610,9 @@
|
||||
},
|
||||
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
|
||||
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
|
||||
"sha256": "d924ef5485e75e0c8853ab00ccb0ec1126e4e5422f67a276e9ef7ac8c0fb84d7",
|
||||
"sha256": "dc6a565326bdc13f67b5abbecf56477d61decfb1c6d3f80667b859b733d7acc4",
|
||||
"type": "esql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"751b0329-7295-4682-b9c7-4473b99add69": {
|
||||
"rule_name": "Spike in Group Management Events",
|
||||
@@ -4684,9 +4742,9 @@
|
||||
},
|
||||
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
||||
"rule_name": "Spike in AWS Error Messages",
|
||||
"sha256": "23b9183b0b627393d88469e86e1b3ed49184a6b912ce0286003e993fe66341db",
|
||||
"sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89",
|
||||
"type": "machine_learning",
|
||||
"version": 211
|
||||
"version": 212
|
||||
},
|
||||
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
|
||||
"rule_name": "Suspicious ScreenConnect Client Child Process",
|
||||
@@ -4916,9 +4974,15 @@
|
||||
},
|
||||
"7f65f984-5642-4291-a0a0-2bbefce4c617": {
|
||||
"rule_name": "Python Path File (pth) Creation",
|
||||
"sha256": "51f4a31fd30564d6ed4c5f7b2b7fc3a1dcc968bde90c6d00593f4bc6e8ac17a3",
|
||||
"sha256": "e59c0b9eacb4545d608aaddd4b9af94f9ee69288094831c2ca30b6f0308083d0",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
},
|
||||
"7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": {
|
||||
"rule_name": "Web Server Potential SQL Injection Request",
|
||||
"sha256": "204cd779dc6031bd76983b73b78317c57c9d6f994ce37c34e79baba33312ffdb",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
|
||||
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
|
||||
@@ -4958,9 +5022,9 @@
|
||||
},
|
||||
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
|
||||
"rule_name": "Potential PowerShell Obfuscated Script",
|
||||
"sha256": "2704d9f00e0dde549f0ed2acc2e4b4c78b56ce3b6abbbce8060a543e57798f86",
|
||||
"sha256": "21338d52150e45c05db894e54d90d6ef1f3db44cf524a501e31309cfbb983e05",
|
||||
"type": "query",
|
||||
"version": 107
|
||||
"version": 108
|
||||
},
|
||||
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
|
||||
"rule_name": "AWS SSM Session Started to EC2 Instance",
|
||||
@@ -4976,9 +5040,9 @@
|
||||
},
|
||||
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
||||
"rule_name": "Unusual City For an AWS Command",
|
||||
"sha256": "badc6a5976ec7afe16af98d9d59d033002ebd31687f59d4d87a8427d710dfbeb",
|
||||
"sha256": "272e14dd9496c7030d82926713a2ce20703c2bbdd138ab8e3102543dec9d6ed8",
|
||||
"type": "machine_learning",
|
||||
"version": 211
|
||||
"version": 212
|
||||
},
|
||||
"80c52164-c82a-402c-9964-852533d58be1": {
|
||||
"rule_name": "Process Injection - Detected - Elastic Endgame",
|
||||
@@ -5048,9 +5112,9 @@
|
||||
},
|
||||
"8383a8d0-008b-47a5-94e5-496629dc3590": {
|
||||
"rule_name": "Web Server Discovery or Fuzzing Activity",
|
||||
"sha256": "5d0314db6259c4f5884084701984c5316aff5eac3c9e1f0fdd188abdf96aba43",
|
||||
"sha256": "ab53ad1723cbcba05a3f4eea26e389306f8c217740c4fa194e7a3f5e112d3523",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
|
||||
"rule_name": "Azure Kubernetes Pods Deleted",
|
||||
@@ -5066,9 +5130,9 @@
|
||||
},
|
||||
"83bf249e-4348-47ba-9741-1202a09556ad": {
|
||||
"rule_name": "Suspicious Windows Powershell Arguments",
|
||||
"sha256": "793552a1e01c4b4aaee3794578a3ecb4512bed33213c33b666bf453e7edd7aa2",
|
||||
"sha256": "0347e6f35d144ad0df73bc8c69dd91de5d8d5e226494bf2511856671f3c94808",
|
||||
"type": "eql",
|
||||
"version": 209
|
||||
"version": 210
|
||||
},
|
||||
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
|
||||
"rule_name": "Attempt to Disable IPTables or Firewall",
|
||||
@@ -5090,9 +5154,9 @@
|
||||
},
|
||||
"84755a05-78c8-4430-8681-89cd6c857d71": {
|
||||
"rule_name": "At Job Created or Modified",
|
||||
"sha256": "4b40c8d4568713d94d3041b310220b96e926d642d9216b845db1d0aca6f8a500",
|
||||
"sha256": "6e504e70a35be24ee291ec0ba421905fc26fddf57819413dbe239482adfba4c9",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
|
||||
"rule_name": "Potential Upgrade of Non-interactive Shell",
|
||||
@@ -5114,15 +5178,15 @@
|
||||
},
|
||||
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
|
||||
"rule_name": "Suspicious PowerShell Engine ImageLoad",
|
||||
"sha256": "2b68e3314eed43cc0d2bdc768e13c39f48e52778ff8449c187251249a074dc64",
|
||||
"sha256": "bb796fbb6709db50cf45bb757855ee8bc991b319103faac34de21cd08d1bbc00",
|
||||
"type": "new_terms",
|
||||
"version": 214
|
||||
"version": 215
|
||||
},
|
||||
"85e2d45e-a3df-4acf-83d3-21805f564ff4": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
|
||||
"sha256": "e0010b13da80d6b7d6a418117dcfeb8273b72aaf61c191ca8ab299b54b0424df",
|
||||
"sha256": "f5a68ee676891a83f8345f6c6cf82c90b609b89b2fd92207a5f25849e70fcc8f",
|
||||
"type": "esql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
|
||||
"rule_name": "Potential Subnet Scanning Activity from Compromised Host",
|
||||
@@ -5496,11 +5560,17 @@
|
||||
"type": "eql",
|
||||
"version": 212
|
||||
},
|
||||
"9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": {
|
||||
"rule_name": "GenAI Process Connection to Unusual Domain",
|
||||
"sha256": "c1ab7f1687abc48558b4f79637b81b5b869d77dc8f67f3919111860f1c8be8dd",
|
||||
"type": "new_terms",
|
||||
"version": 1
|
||||
},
|
||||
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
|
||||
"rule_name": "AWS Deletion of RDS Instance or Cluster",
|
||||
"sha256": "c0ced9e98431f4313c2ee2846e7d348cf0c0a199a2116036d425cee836f6e272",
|
||||
"rule_name": "AWS RDS DB Instance or Cluster Deleted",
|
||||
"sha256": "daa3efa31df9fdb6c67f3ae012d725a7d068c9bdce1c74ef1b3e81f6d256e2f2",
|
||||
"type": "query",
|
||||
"version": 209
|
||||
"version": 210
|
||||
},
|
||||
"907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
|
||||
"rule_name": "Simple HTTP Web Server Creation",
|
||||
@@ -5532,6 +5602,13 @@
|
||||
"type": "query",
|
||||
"version": 100
|
||||
},
|
||||
"90e4ceab-79a5-4f8e-879b-513cac7fcad9": {
|
||||
"min_stack_version": "9.2",
|
||||
"rule_name": "Web Server Local File Inclusion Activity",
|
||||
"sha256": "2cab88240e2e98e8fb79a3259fbd0f4623526ba79e62f420bbdb30c1d30c12ef",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
},
|
||||
"90e5976d-ed8c-489a-a293-bfc57ff8ba89": {
|
||||
"rule_name": "Linux System Information Discovery via Getconf",
|
||||
"sha256": "4687e5bf7ae059a2434a6c4e07de4bdb3447074f7e07cff1fcbc294e415db0f4",
|
||||
@@ -5641,10 +5718,10 @@
|
||||
"version": 208
|
||||
},
|
||||
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
|
||||
"rule_name": "Modification of Standard Authentication Module or Configuration",
|
||||
"sha256": "a3ec4aa1bace9ef4e52df433a1a9130b8ea7d6ed43756319c31ea2a5eb523627",
|
||||
"rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration",
|
||||
"sha256": "1e54e18fae8c9afcee81de6f64a1d344e006e894e2357424bbdf76c9accceb1c",
|
||||
"type": "new_terms",
|
||||
"version": 207
|
||||
"version": 208
|
||||
},
|
||||
"94418745-529f-4259-8d25-a713a6feb6ae": {
|
||||
"rule_name": "Executable Bit Set for Potential Persistence Script",
|
||||
@@ -5690,9 +5767,9 @@
|
||||
},
|
||||
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
|
||||
"rule_name": "Remote Scheduled Task Creation",
|
||||
"sha256": "8cd15104409a97fd4438abc212c1c0ff0707de6458eeb1e1d8f7420e40c241c2",
|
||||
"sha256": "6da3743f708580488d3f5e70ddab86ceadad147350a9bde3f95229d0021ba8c3",
|
||||
"type": "eql",
|
||||
"version": 213
|
||||
"version": 214
|
||||
},
|
||||
"9563dace-5822-11f0-b1d3-f661ea17fbcd": {
|
||||
"rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client",
|
||||
@@ -5714,9 +5791,9 @@
|
||||
},
|
||||
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
|
||||
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
|
||||
"sha256": "f1670dfd45e43ac5895b53ca679f177046d57bc693a881636a01300acff3ecbb",
|
||||
"sha256": "21247d90931b191b5dfd6bbfe9ecf48ffd7f4bf01251fa9957234ed6dcfe002d",
|
||||
"type": "new_terms",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
|
||||
"rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
|
||||
@@ -5762,9 +5839,9 @@
|
||||
},
|
||||
"97020e61-e591-4191-8a3b-2861a2b887cd": {
|
||||
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
|
||||
"sha256": "721369ff74415e524db18c08b07e924d7fc2afb77dd0de54c0094712ccad6b66",
|
||||
"sha256": "fbebd44525dceef0ede4b04ea6dc25697c9905dcbe4212fe2c02f891abcb80a4",
|
||||
"type": "eql",
|
||||
"version": 112
|
||||
"version": 113
|
||||
},
|
||||
"9705b458-689a-4ec6-afe8-b4648d090612": {
|
||||
"rule_name": "Unusual D-Bus Daemon Child Process",
|
||||
@@ -5802,6 +5879,12 @@
|
||||
"type": "query",
|
||||
"version": 211
|
||||
},
|
||||
"9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": {
|
||||
"rule_name": "Potential HTTP Downgrade Attack",
|
||||
"sha256": "4a73054f38e7c1a0a6cd09109a0af2f1b3799c2690618d534bcd1135ee0f6064",
|
||||
"type": "new_terms",
|
||||
"version": 1
|
||||
},
|
||||
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
|
||||
"rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications",
|
||||
"sha256": "e60ca0f40eef1090732be6cccd54853228ee8d052ddf109441c7cc42cf9e8ba2",
|
||||
@@ -6122,15 +6205,15 @@
|
||||
},
|
||||
"9edd1804-83c7-4e48-b97d-c776b4c97564": {
|
||||
"rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
|
||||
"sha256": "42e0b978f0c0a9c4fbace71206d97c11ef387556c3bff09bae4c49934342707b",
|
||||
"sha256": "cf6888d083e6d3a579b18b1ab105b96412b235f1370e5d79239762c8a95e79b8",
|
||||
"type": "esql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
|
||||
"rule_name": "AWS RDS DB Instance Made Public",
|
||||
"sha256": "6ab37a0c54d41e81d56ba27c0ad3dcac227dc7a8f82cd0f4324da20cc757080b",
|
||||
"sha256": "e2349af7d08dca867f606f4f249e15878755f671b776eb1ca1a6fa17b882bdd4",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
|
||||
"rule_name": "Potential Protocol Tunneling via EarthWorm",
|
||||
@@ -6140,9 +6223,9 @@
|
||||
},
|
||||
"9f432a8b-9588-4550-838e-1f77285580d3": {
|
||||
"rule_name": "Dynamic IEX Reconstruction via Method String Access",
|
||||
"sha256": "e0dfbc0391e8ca17a470e41a103402daeebdac84b5ea26e44496486e852136bf",
|
||||
"sha256": "d1ddff7c56268c96a8e68bdac7a60807a929770a433fc81868ff703976fc033b",
|
||||
"type": "esql",
|
||||
"version": 6
|
||||
"version": 7
|
||||
},
|
||||
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
|
||||
"rule_name": "Potential Credential Access via DCSync",
|
||||
@@ -6188,9 +6271,9 @@
|
||||
},
|
||||
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
||||
"rule_name": "File Deletion via Shred",
|
||||
"sha256": "38364f20e36aaae29e165a3e0c9c3193d18addfb698d1ab56197ea8fd52725ff",
|
||||
"sha256": "98412a3e65a49c2be4d293e3c9638980546eeb6a63f2ac2e43ea86e24cdb5fee",
|
||||
"type": "eql",
|
||||
"version": 213
|
||||
"version": 214
|
||||
},
|
||||
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
|
||||
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
|
||||
@@ -6234,11 +6317,17 @@
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"a1b2c3d4-e5f6-7890-abcd-ef1234567890": {
|
||||
"rule_name": "GenAI Process Connection to Suspicious Top Level Domain",
|
||||
"sha256": "c597b499c50eebdee9b57239e803b09995c9099b189f7337ed6bc1c272e861ea",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": {
|
||||
"rule_name": "Web Server Suspicious User Agent Requests",
|
||||
"sha256": "b48f9bf3f906fccb7f09ca13f172a840467544e471b7087fb0301961ef7337f1",
|
||||
"sha256": "cf0f38746759586b626e1934014abd885226f3d9a623a74cc9c9436ac79187aa",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
|
||||
"rule_name": "Linux Group Creation",
|
||||
@@ -6360,6 +6449,12 @@
|
||||
"type": "eql",
|
||||
"version": 317
|
||||
},
|
||||
"a640ef5b-e1da-4b17-8391-468fdbd1b517": {
|
||||
"rule_name": "Execution via GitHub Actions Runner",
|
||||
"sha256": "5c2e02372424c7523c482923663eaedd7d5dd64f7f91059d807cbd86fd1ab716",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
|
||||
"rule_name": "AWS S3 Bucket Server Access Logging Disabled",
|
||||
"sha256": "44d2266516b212b0b177209326e4e81953e7169d03ce0615fa6d86e7754d3bc3",
|
||||
@@ -6432,6 +6527,12 @@
|
||||
"type": "new_terms",
|
||||
"version": 1
|
||||
},
|
||||
"a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": {
|
||||
"rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand",
|
||||
"sha256": "8ed3514f87da2cdb2928680ebebadacf9c99a8de8d6504196742c42c1969fb24",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
},
|
||||
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
|
||||
"rule_name": "High Variance in RDP Session Duration",
|
||||
"sha256": "ab11651cb3fb46c70c3fdbf4479abc32ea2fb7d096747443517a1d135615d72c",
|
||||
@@ -6444,6 +6545,12 @@
|
||||
"type": "machine_learning",
|
||||
"version": 3
|
||||
},
|
||||
"a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f": {
|
||||
"rule_name": "React2Shell (CVE-2025-55182) Exploitation Attempt",
|
||||
"sha256": "a60f77fb20413deff742fb48c1ef902bdd8a712ed6eacc619eceaf824f93bfbe",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
||||
"rule_name": "Hex Encoding/Decoding Activity",
|
||||
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
|
||||
@@ -6530,9 +6637,9 @@
|
||||
},
|
||||
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
|
||||
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
|
||||
"sha256": "958773d8daef17b9524d9777dd4b3cf3630c13699cceb373bab52de8855ddccf",
|
||||
"sha256": "5f92ecc1a1ab4856446a7daefdbb84f2124c1fb6c1c82caeed75f72022ade618",
|
||||
"type": "esql",
|
||||
"version": 7
|
||||
"version": 8
|
||||
},
|
||||
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
|
||||
"rule_name": "Unusual Windows Process Calling the Metadata Service",
|
||||
@@ -6572,9 +6679,9 @@
|
||||
},
|
||||
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
|
||||
"rule_name": "Unusual AWS Command for a User",
|
||||
"sha256": "22dee7a0dba4259dae807f0636fa682ffa5c2f3fa4a3025aefea153263a89744",
|
||||
"sha256": "1bb48c457ffaa6213c29fb112617a61f4513cf5ed3fe8ae984d050f46f0e2a14",
|
||||
"type": "machine_learning",
|
||||
"version": 211
|
||||
"version": 212
|
||||
},
|
||||
"ac8805f6-1e08-406c-962e-3937057fa86f": {
|
||||
"rule_name": "Potential Protocol Tunneling via Chisel Server",
|
||||
@@ -6638,9 +6745,9 @@
|
||||
},
|
||||
"ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": {
|
||||
"rule_name": "Decline in host-based traffic",
|
||||
"sha256": "2437e732072bc33cbbc5ba0bd9ea39c6556f00672e79ac4e3f3bdc54398e324f",
|
||||
"sha256": "6fc5bbba4f289f6433e148acbd5a3f03e6a19a814418a883f6f068b46e73beae",
|
||||
"type": "machine_learning",
|
||||
"version": 3
|
||||
"version": 4
|
||||
},
|
||||
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
|
||||
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
|
||||
@@ -6678,6 +6785,12 @@
|
||||
"type": "eql",
|
||||
"version": 109
|
||||
},
|
||||
"ae3e9625-89ad-4fc3-a7bf-fced5e64f01b": {
|
||||
"rule_name": "Suspicious React Server Child Process",
|
||||
"sha256": "a1f8cf50a3bdc7b67f8625f5d07e539dbc4826e9c5e69841688e50274dfb91af",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
|
||||
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
|
||||
"sha256": "967c59ea43c5beb353059b127aead53cfc4bb82df6b3deffafa653e4fea554c8",
|
||||
@@ -6764,9 +6877,9 @@
|
||||
},
|
||||
"b0c98cfb-0745-4513-b6f9-08dddb033490": {
|
||||
"rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables",
|
||||
"sha256": "7d06dd74453291b00725d654daea341f2ca17b2a79e2b8712d00507005156728",
|
||||
"sha256": "1be1ec78c8c9466fb5a6c635180b30142956d174d90b1e8b4be363149489b171",
|
||||
"type": "esql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"b11116fd-023c-4718-aeb8-fa9d283fc53b": {
|
||||
"rule_name": "Kubeconfig File Creation or Modification",
|
||||
@@ -6800,9 +6913,9 @@
|
||||
},
|
||||
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
|
||||
"rule_name": "Spike in Network Traffic",
|
||||
"sha256": "5dbb9eed1f0e10b192dc7c2f72a009a668a5dba1bb5dc8fa0c86326ff2bd145f",
|
||||
"sha256": "6f5749f79295a76dfb8b39ad7c7cd307890d4e6907b1978e040776de3c977e5b",
|
||||
"type": "machine_learning",
|
||||
"version": 107
|
||||
"version": 108
|
||||
},
|
||||
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
|
||||
"rule_name": "Remote File Copy via TeamViewer",
|
||||
@@ -6828,6 +6941,18 @@
|
||||
"type": "threshold",
|
||||
"version": 1
|
||||
},
|
||||
"b2c3d4e5-f6a7-8901-bcde-f123456789ab": {
|
||||
"rule_name": "GenAI Process Compiling or Generating Executables",
|
||||
"sha256": "1b44e3cddeb6ca2f774015e8420483b4590ca117d2b4e014e2a651e58d0075d6",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"b2c3d4e5-f6a7-8901-bcde-f23456789012": {
|
||||
"rule_name": "GenAI or MCP Server Child Process Execution",
|
||||
"sha256": "223b956a529959c9e18df158fc49c4954749b3b139a4e0e2c98d9056fe6cb7e4",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
||||
"rule_name": "Unusual Linux Username",
|
||||
"sha256": "ebac0be3cc98660cdc22804d5fb5347f782deed7f06851e8d9774d2b80988cf1",
|
||||
@@ -6836,9 +6961,9 @@
|
||||
},
|
||||
"b36c99af-b944-4509-a523-7e0fad275be1": {
|
||||
"rule_name": "AWS RDS Snapshot Deleted",
|
||||
"sha256": "ade98e7953750dbc98194e18eb9a5c0b009482bdd4291ee0afa7c090646fd8a3",
|
||||
"sha256": "0608995dc9f8ecd5e421b6699b410ddffada935f84fcc24fdb93bc0b20716d8a",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
|
||||
"rule_name": "Suspicious Endpoint Security Parent Process",
|
||||
@@ -7038,11 +7163,17 @@
|
||||
"type": "eql",
|
||||
"version": 105
|
||||
},
|
||||
"b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e": {
|
||||
"rule_name": "Anomalous React Server Components Flight Data Patterns",
|
||||
"sha256": "0c4d821949f83cc7229d9d2a9c117db1c8e639e5e03279e9ec182569ea1e7232",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
||||
"rule_name": "Unusual Windows Network Activity",
|
||||
"sha256": "8d8e53fbf2a2f3163dfc630866851d9212df2d9741e38c81cf5846fa0e60250a",
|
||||
"sha256": "8add33888ce9849b510c0d0b80fd76797ddc082ac5700758b7b90c58c80099c1",
|
||||
"type": "machine_learning",
|
||||
"version": 209
|
||||
"version": 210
|
||||
},
|
||||
"ba5a0b0c-b477-4729-a3dc-0147c2049cf1": {
|
||||
"rule_name": "AWS STS Role Chaining",
|
||||
@@ -7232,9 +7363,9 @@
|
||||
},
|
||||
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
|
||||
"rule_name": "AWS RDS DB Instance Restored",
|
||||
"sha256": "9eafea55bf73d9efa7281b8e04b71b2411d67ceaa0bd491ce8b7ff8716e4469e",
|
||||
"type": "eql",
|
||||
"version": 210
|
||||
"sha256": "5194de7967cb4987fc5b077de80c87f720fc241fd5484fbf074d0f3ba2b9db2c",
|
||||
"type": "query",
|
||||
"version": 211
|
||||
},
|
||||
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
|
||||
"rule_name": "System Owner/User Discovery Linux",
|
||||
@@ -7254,6 +7385,12 @@
|
||||
"type": "eql",
|
||||
"version": 218
|
||||
},
|
||||
"c0136397-f82a-45e5-9b9f-a3651d77e21a": {
|
||||
"rule_name": "GenAI Process Accessing Sensitive Files",
|
||||
"sha256": "d6c0c41cfb020fd17045a5aad1f7f9fe737fbf0b70b796e1c9e28fb6dde7697c",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
|
||||
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
|
||||
"sha256": "3194a97a3ddcdf805d1dd80b9746243334be76e30e2727bac3465ff1ad50b75f",
|
||||
@@ -7410,6 +7547,12 @@
|
||||
"type": "new_terms",
|
||||
"version": 1
|
||||
},
|
||||
"c3d4e5f6-a7b8-9012-cdef-123456789abc": {
|
||||
"rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
|
||||
"sha256": "cdb4bf583f1114ff298aa113567237a8727f03bf3675eca5da4ec615db63f688",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
|
||||
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
|
||||
"sha256": "c353bf8d28c1c9cca5662d7a7a69e0a7229505982746bd0b0be3276fbda1444b",
|
||||
@@ -7470,6 +7613,12 @@
|
||||
"type": "query",
|
||||
"version": 107
|
||||
},
|
||||
"c595363f-52a6-49e1-9257-0e08ae043dbd": {
|
||||
"rule_name": "Pod or Container Creation with Suspicious Command-Line",
|
||||
"sha256": "0978c07dd959e8239b4ba8195831bf80b8e8978c16d7aae614691c0d82edec11",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
|
||||
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
|
||||
"sha256": "a53e65d2430e3ea2e00f15ea40f9a151c2ea30db22fa0dca97a1936c8b70f192",
|
||||
@@ -7526,9 +7675,9 @@
|
||||
},
|
||||
"c6b40f4c-c6a9-434e-adb8-989b0d06d005": {
|
||||
"rule_name": "Suspicious Kerberos Authentication Ticket Request",
|
||||
"sha256": "e23ea6934805893d0a762d92c016466df1e095e89990ac13b0fd20adf6fcf712",
|
||||
"sha256": "3e8bbd5ab3f47272a2294246d2e869c3a340607be602eb6af2662418340cb228",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
"c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": {
|
||||
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
|
||||
@@ -7586,9 +7735,9 @@
|
||||
},
|
||||
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
|
||||
"rule_name": "Spike in Network Traffic To a Country",
|
||||
"sha256": "e11202b80cd04fed8b343ef174236d78a6d5ea6fbbd37a73fb8a9ddc666d4548",
|
||||
"sha256": "0e93c7c9d8c379f5113f5da64c80c41a4baa81ef5c9f06da338f591b12f797b6",
|
||||
"type": "machine_learning",
|
||||
"version": 108
|
||||
"version": 109
|
||||
},
|
||||
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
|
||||
"rule_name": "Persistence via Docker Shortcut Modification",
|
||||
@@ -7808,9 +7957,9 @@
|
||||
},
|
||||
"cde1bafa-9f01-4f43-a872-605b678968b0": {
|
||||
"rule_name": "Potential PowerShell HackTool Script by Function Names",
|
||||
"sha256": "c5d8f7341c8aa94026664e5ad58319bfe7157e03a65de4182baa55387cc32856",
|
||||
"sha256": "6a3a41432334b7098df61a7139dca98767324dea23216d6d9fd8e10be74d51aa",
|
||||
"type": "query",
|
||||
"version": 218
|
||||
"version": 219
|
||||
},
|
||||
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
|
||||
"rule_name": "Shadow File Modification by Unusual Process",
|
||||
@@ -7944,6 +8093,12 @@
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"d1f310cb-5921-4d37-bbdf-cfdab7a6df9c": {
|
||||
"rule_name": "Privileged Container Creation with Host Directory Mount",
|
||||
"sha256": "16394afb9f2c78168b53837f4bd19e6929e026be8f08c8291b17ea82e16d97ba",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
||||
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
||||
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
|
||||
@@ -7994,9 +8149,9 @@
|
||||
},
|
||||
"d43f2b43-02a1-4219-8ce9-10929a32a618": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
|
||||
"sha256": "5e0286288a46daccf7f9d563112ed05545bab69583b2aa32b10852647b4ef5d9",
|
||||
"sha256": "01699cbe4fa27efc2594bc6e9836990f28194adaaf4ba50d7a7df86e96872607",
|
||||
"type": "esql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
|
||||
"rule_name": "Shell Execution via Apple Scripting",
|
||||
@@ -8006,9 +8161,9 @@
|
||||
},
|
||||
"d488f026-7907-4f56-ad51-742feb3db01c": {
|
||||
"rule_name": "AWS S3 Bucket Replicated to Another Account",
|
||||
"sha256": "064253e65c01b23e75a16fd16708b2a3f9ecdd7da6ff9823f13d37e081416990",
|
||||
"sha256": "f754c6d0d951940fc7c786c9b64fdcdadf44f8e92eb5c966b6aa14d75a295129",
|
||||
"type": "eql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
|
||||
"rule_name": "Attempt to Delete an Okta Application",
|
||||
@@ -8150,9 +8305,9 @@
|
||||
},
|
||||
"d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": {
|
||||
"rule_name": "Python Site or User Customize File Creation",
|
||||
"sha256": "4b3a053c8caeca2a1bd34ac1c472b5a915029448a8d37e95ddec0e407343489a",
|
||||
"sha256": "e870753b28c4b9bf32983bd2fb5bcfafae38f902273f04300b5f3354570c37ec",
|
||||
"type": "eql",
|
||||
"version": 3
|
||||
"version": 4
|
||||
},
|
||||
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
|
||||
"rule_name": "Azure Blob Permissions Modification",
|
||||
@@ -8216,9 +8371,9 @@
|
||||
},
|
||||
"d9af2479-ad13-4471-a312-f586517f1243": {
|
||||
"rule_name": "Curl or Wget Spawned via Node.js",
|
||||
"sha256": "7d25f249eb1c37f0387a50af1d770254a7a935c20d9520f05e795438d486f719",
|
||||
"sha256": "e9b7a7e641e61102321f9e774ae3df5054f9ef8ff40b6d2376f243c1389aca11",
|
||||
"type": "eql",
|
||||
"version": 2
|
||||
"version": 3
|
||||
},
|
||||
"d9faf1ba-a216-4c29-b8e0-a05a9d14b027": {
|
||||
"rule_name": "Sensitive Files Compression Inside A Container",
|
||||
@@ -8336,9 +8491,9 @@
|
||||
},
|
||||
"dca28dee-c999-400f-b640-50a081cc0fd1": {
|
||||
"rule_name": "Unusual Country For an AWS Command",
|
||||
"sha256": "1deeb5c156dc053b7a9d4898334185233e3078a2d6669323b32bc24dd35eaeb1",
|
||||
"sha256": "5fcc8e1b8ffda2633c5e84605dbccd3b4fa19f61cb6746ba6f2e9673df63aa6f",
|
||||
"type": "machine_learning",
|
||||
"version": 211
|
||||
"version": 212
|
||||
},
|
||||
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
|
||||
"rule_name": "Suspicious Execution from INET Cache",
|
||||
@@ -8418,6 +8573,12 @@
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"df0553c8-2296-45ef-b4dc-3b88c4c130a7": {
|
||||
"rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners",
|
||||
"sha256": "1911bad236dfa90b27f167aac3ae24c7f49c5a1fc583ab500bff60f013b34dc6",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
|
||||
"rule_name": "First Time Seen Driver Loaded",
|
||||
"sha256": "22276ed48570dff5dd0abb9dcb47a087657cc6232ec63597dc0e0b26c49c722e",
|
||||
@@ -8803,16 +8964,16 @@
|
||||
"version": 2
|
||||
},
|
||||
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
|
||||
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
|
||||
"sha256": "570f50040e4c5830eda8d9d4d63e5472233a96b0aac24dcd32a887779944a110",
|
||||
"rule_name": "Host File System Changes via Windows Subsystem for Linux",
|
||||
"sha256": "fc04a26c8bd9015b4cca4f17b20d8f18ac3eacb335a947d8793d0016b6ebbf0f",
|
||||
"type": "eql",
|
||||
"version": 111
|
||||
"version": 112
|
||||
},
|
||||
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
|
||||
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
|
||||
"sha256": "70238f523a244c54e5d533afdf35c0eb016e7a89fdf5f53db9f37e3e91b4559c",
|
||||
"sha256": "9b8d379c12a7bfbde5c49431b8583f858819263472a48003b8b105c5504a48b0",
|
||||
"type": "eql",
|
||||
"version": 6
|
||||
"version": 7
|
||||
},
|
||||
"e8ea6f58-0040-11f0-a243-f661ea17fbcd": {
|
||||
"rule_name": "AWS DynamoDB Table Exported to S3",
|
||||
@@ -8828,9 +8989,9 @@
|
||||
},
|
||||
"e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via String Reordering",
|
||||
"sha256": "d2f95295421397874a9612a08627ff834430be52aea03bf2db77a9b641da195c",
|
||||
"sha256": "7398bf8dcf03e0a14d88b60fd486092a22b0e758a93f99dbefdd54bd5997170e",
|
||||
"type": "esql",
|
||||
"version": 7
|
||||
"version": 8
|
||||
},
|
||||
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
|
||||
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
||||
@@ -8893,16 +9054,16 @@
|
||||
"version": 110
|
||||
},
|
||||
"ea248a02-bc47-4043-8e94-2885b19b2636": {
|
||||
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
|
||||
"sha256": "cc2ff222226e52b4e5328e06189bf9e8e8888b2ffce285254bfe1ad99938251a",
|
||||
"rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
|
||||
"sha256": "f14b002eebcbbb555471d258b2d7843d5ea29c1f6968943863f83e6cae46568c",
|
||||
"type": "threshold",
|
||||
"version": 212
|
||||
"version": 213
|
||||
},
|
||||
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
|
||||
"rule_name": "Spike in Firewall Denies",
|
||||
"sha256": "64375b8122d8cb9d91710468df616731c22eafab3c95b0ae6238cd55db970ddc",
|
||||
"sha256": "1682a0c3be0d13c2d886046e969759c83cba4312382efe8fca8f9be342ef8e86",
|
||||
"type": "machine_learning",
|
||||
"version": 107
|
||||
"version": 108
|
||||
},
|
||||
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
|
||||
"rule_name": "Suspicious APT Package Manager Network Connection",
|
||||
@@ -8912,9 +9073,9 @@
|
||||
},
|
||||
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
|
||||
"rule_name": "External Alerts",
|
||||
"sha256": "3076f6b1adaf92e302684e1464639085c90751e68a525064398b7a9c2a03e3e5",
|
||||
"sha256": "af86440d8e74a3463325d061cfbf3f755cc974d7c9e0929ccd302ad2b2a9b4f1",
|
||||
"type": "query",
|
||||
"version": 105
|
||||
"version": 106
|
||||
},
|
||||
"eb44611f-62a8-4036-a5ef-587098be6c43": {
|
||||
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
|
||||
@@ -9044,9 +9205,9 @@
|
||||
},
|
||||
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
|
||||
"rule_name": "Unusual Print Spooler Child Process",
|
||||
"sha256": "94421dbaf4b818996b818ce7add2fff5f19b3361bc746e84bf7b001c6f22a107",
|
||||
"sha256": "54e542eced060164ea48e1acd0e2dad60a507e92b22080e79fefa1717cdb3600",
|
||||
"type": "eql",
|
||||
"version": 214
|
||||
"version": 215
|
||||
},
|
||||
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
|
||||
"rule_name": "Shortcut File Written or Modified on Startup Folder",
|
||||
@@ -9182,9 +9343,9 @@
|
||||
},
|
||||
"f2015527-7c46-4bb9-80db-051657ddfb69": {
|
||||
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
|
||||
"sha256": "d3de58ca35a9dc6d480cb9bef167e9065d10fd64c76dd25369636c977eb978bf",
|
||||
"sha256": "8a13d49d9f7ae5db75943a19a2ddd120f65594d8ea51715e52c0c2e122f7ac52",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"f243fe39-83a4-46f3-a3b6-707557a102df": {
|
||||
"rule_name": "Service Path Modification",
|
||||
@@ -9266,9 +9427,9 @@
|
||||
},
|
||||
"f38633f4-3b31-4c80-b13d-e77c70ce8254": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via Reverse Keywords",
|
||||
"sha256": "0c9ca06dc06f2ec65026cb7a0472081a2aece5bb59900ad0a99e1306ca842b25",
|
||||
"sha256": "54495e1bb2c0ec5091f7a95edc4df069f5177b211e4e4da61c957cfd5db18020",
|
||||
"type": "esql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
|
||||
"rule_name": "Kill Command Execution",
|
||||
@@ -9278,9 +9439,9 @@
|
||||
},
|
||||
"f3ac6734-7e52-4a0d-90b7-6847bf4308f2": {
|
||||
"rule_name": "Web Server Potential Command Injection Request",
|
||||
"sha256": "e550ce52f82ca0148dbb9cd09300cc2bf87d55fcb223f6969d7b86782f1445b9",
|
||||
"sha256": "b7997278cd12830ba691f272f4ac953dbaf2fc6fc873c92ee9e7c1694d8ae2ab",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
|
||||
"rule_name": "Threat Intel URL Indicator Match",
|
||||
@@ -9308,9 +9469,9 @@
|
||||
},
|
||||
"f48ecc44-7d02-437d-9562-b838d2c41987": {
|
||||
"rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration",
|
||||
"sha256": "600d74d6c0a73fde14d13868996c69e59247528ce68d34fc56405dbf549e548e",
|
||||
"sha256": "e7e9acdb251a2b166fc608361ff69aadeffe38a3417c4ccf906230a0a46b9c9a",
|
||||
"type": "eql",
|
||||
"version": 6
|
||||
"version": 7
|
||||
},
|
||||
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
|
||||
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
|
||||
@@ -9416,9 +9577,9 @@
|
||||
},
|
||||
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
|
||||
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
|
||||
"sha256": "5ff52316c612a32b456c1d8cabd1f45f2752e52eb36c4c2d1950f4f50750c57f",
|
||||
"sha256": "54e022f155300bd083ae3a1d4abb3d750bfbfa0d9764c4b939fc2e266a475c85",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
|
||||
"rule_name": "Delete Volume USN Journal with Fsutil",
|
||||
@@ -9440,9 +9601,9 @@
|
||||
},
|
||||
"f6d8c743-0916-4483-8333-3c6f107e0caa": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via String Concatenation",
|
||||
"sha256": "89bd628a65d8efba57ca5a4279fdbb8a3dbe414ee8bab5ccc726f2392189c425",
|
||||
"sha256": "2522ba5d4934299385050871e4b4982e48a2ccf3dd12fbbae5c588655c2633bb",
|
||||
"type": "esql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"f701be14-0a36-4e9a-a851-b3e20ae55f09": {
|
||||
"rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
|
||||
@@ -9552,6 +9713,12 @@
|
||||
"type": "eql",
|
||||
"version": 105
|
||||
},
|
||||
"f92171ed-a4d3-4baa-98f9-4df1652cb11b": {
|
||||
"rule_name": "Potential Secret Scanning via Gitleaks",
|
||||
"sha256": "33e0146feb9de871b5ada55b0af64c3223f0c8f03ad5434f251ab66a85956093",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"f94e898e-94f1-4545-8923-03e4b2866211": {
|
||||
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
|
||||
"sha256": "220ffd3b00b10fff5b9c9d3ea8cee1554fc9fa9e03cd8b6af5c2f5657604728b",
|
||||
@@ -9572,15 +9739,15 @@
|
||||
},
|
||||
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
|
||||
"rule_name": "Browser Extension Install",
|
||||
"sha256": "576be150607dc9afd8fedcd60b859916ff133c1200bc665c1b3be75c7b71afd8",
|
||||
"sha256": "81bcee1c190422617ecec5060d5c56cac2493d8ea917f010d9ecb2c97e1c8082",
|
||||
"type": "eql",
|
||||
"version": 206
|
||||
"version": 207
|
||||
},
|
||||
"f9753455-8d55-4ad8-b70a-e07b6f18deea": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion",
|
||||
"sha256": "3b05a3eb675347f627c2d4b98effbd8fe5cd8eb924ea7110b9fc947fc753525a",
|
||||
"sha256": "cf7fbc9464030a3093b93140a3546ac433b241d612890f6b22e11fa3df3a5c42",
|
||||
"type": "esql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
|
||||
"rule_name": "Privileged Account Brute Force",
|
||||
@@ -9596,9 +9763,9 @@
|
||||
},
|
||||
"f9abcddc-a05d-4345-a81d-000b79aa5525": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion",
|
||||
"sha256": "20ca9752cbc305147351fbd73c5705e988791b2a8b5ed27d0af2e1bd6bd47449",
|
||||
"sha256": "988364349c492d2af5ea38485ae58fe9249b04052c0f74c627b555942806bba0",
|
||||
"type": "esql",
|
||||
"version": 6
|
||||
"version": 7
|
||||
},
|
||||
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
|
||||
"rule_name": "Remote File Copy to a Hidden Share",
|
||||
@@ -9752,9 +9919,9 @@
|
||||
},
|
||||
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
|
||||
"rule_name": "Potential Application Shimming via Sdbinst",
|
||||
"sha256": "d31dcef398fc63196c928a47cf1a242e1bc03e206145f2973e6f2717c0a47417",
|
||||
"sha256": "d9690771206500e07e7c25755beb650bddea9bff417f6e2bbdf01c97d2926969",
|
||||
"type": "eql",
|
||||
"version": 316
|
||||
"version": 317
|
||||
},
|
||||
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
|
||||
"rule_name": "Suspicious CertUtil Commands",
|
||||
@@ -9800,9 +9967,9 @@
|
||||
},
|
||||
"fe8d6507-b543-4bbc-849f-dc0da6db29f6": {
|
||||
"rule_name": "Spike in host-based traffic",
|
||||
"sha256": "4fa29254fdfdc90f04cb22e0b5a84b3f62769dda8e36b0ebe462188b99fd92d4",
|
||||
"sha256": "7d0904f2a6c2a004781895aff437401514b91b5b08ebb3f2ee87de5341e110a7",
|
||||
"type": "machine_learning",
|
||||
"version": 3
|
||||
"version": 4
|
||||
},
|
||||
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
|
||||
"rule_name": "Potential Masquerading as Business App Installer",
|
||||
|
||||
@@ -26,6 +26,8 @@ coverage from the state of rules in the `main` branch.
|
||||
|[Elastic-detection-rules-indexes-endgame-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-endgame-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-filebeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-filebeat-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-WILDCARD.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-apache](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-apache.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-apache_tomcat](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-apache_tomcat.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-auditd_manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-auditd_manager.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-aws](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-aws.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-azure.json&leave_site_dialog=false&tabs=false)|
|
||||
@@ -39,10 +41,12 @@ coverage from the state of rules in the `main` branch.
|
||||
|[Elastic-detection-rules-indexes-logs-gcpWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-gcpWILDCARD.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-github](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-github.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-google_workspaceWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-google_workspaceWILDCARD.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-iis](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-iis.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-jamf_protectWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-jamf_protectWILDCARD.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-kubernetes](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-kubernetes.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-m365_defender](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-m365_defender.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-network_traffic](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-network_traffic.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-nginx](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-nginx.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-o365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-o365.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-okta](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-okta.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-indexes-logs-oktaWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-oktaWILDCARD.json&leave_site_dialog=false&tabs=false)|
|
||||
@@ -65,11 +69,15 @@ coverage from the state of rules in the `main` branch.
|
||||
|[Elastic-detection-rules-tags-apache-tomcat](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-apache-tomcat.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-apache](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-apache.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-api](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-api.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-application](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-application.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-asset-visibility](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-asset-visibility.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-auditd-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-auditd-manager.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-cloudfront](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudfront.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-cloudtrail](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudtrail.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-dynamodb](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-dynamodb.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-ec2](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-ec2.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-efs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-efs.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-elastic-load-balancing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-elastic-load-balancing.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-guardduty](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-guardduty.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-iam.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-kms](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-kms.json&leave_site_dialog=false&tabs=false)|
|
||||
@@ -79,6 +87,7 @@ coverage from the state of rules in the `main` branch.
|
||||
|[Elastic-detection-rules-tags-aws-s3](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-s3.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-secrets-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-secrets-manager.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-service-quotas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-service-quotas.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-ses](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-ses.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-sign-in](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sign-in.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-sns](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sns.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-aws-sqs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sqs.json&leave_site_dialog=false&tabs=false)|
|
||||
@@ -124,6 +133,7 @@ coverage from the state of rules in the `main` branch.
|
||||
|[Elastic-detection-rules-tags-exploit-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-exploit-detection.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-file-integrity-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-file-integrity-monitoring.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-fortinet](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-fortinet.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-gcp-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-gcp-audit-logs.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-gcp](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-gcp.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-github](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-github.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-google-cloud-platform](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-google-cloud-platform.json&leave_site_dialog=false&tabs=false)|
|
||||
@@ -131,6 +141,7 @@ coverage from the state of rules in the `main` branch.
|
||||
|[Elastic-detection-rules-tags-graph-api-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-graph-api-activity-logs.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-graph-api](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-graph-api.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-higher-order-rule](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-higher-order-rule.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iam.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-identity-and-access-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-and-access-audit.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-identity](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-iis](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iis.json&leave_site_dialog=false&tabs=false)|
|
||||
@@ -144,6 +155,7 @@ coverage from the state of rules in the `main` branch.
|
||||
|[Elastic-detection-rules-tags-lightning-framework](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-lightning-framework.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-linux](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-linux.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-living-off-the-land-attack-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-living-off-the-land-attack-detection.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-llm](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-llm.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-log-auditing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-log-auditing.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-machine-learning](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-machine-learning.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-macos](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-macos.json&leave_site_dialog=false&tabs=false)|
|
||||
@@ -185,6 +197,10 @@ coverage from the state of rules in the `main` branch.
|
||||
|[Elastic-detection-rules-tags-storage](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-storage.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-sysmon](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sysmon.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-system](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-system.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-t0053](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0053.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-t0055](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0055.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-t0085](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0085.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-t0086](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0086.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-threat-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-threat-detection.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-triplecross](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-triplecross.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-ueba](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ueba.json&leave_site_dialog=false&tabs=false)|
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
[project]
|
||||
name = "detection_rules"
|
||||
version = "1.5.21"
|
||||
version = "1.5.22"
|
||||
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.12"
|
||||
|
||||