Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4116)

github-actions[bot]
2024-10-01 18:14:03 +05:30
committed by GitHub
parent a68a404bd8
commit 80143b23b2
+405 -369
@@ -1,15 +1,15 @@
{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2",
"sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
"type": "query",
"version": 207
"version": 208
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "da003e8b80de71094bf7b93b61802e26c2c3dffbaa46b68598203a7dc0bf0571",
"sha256": "1373f91eab112faf20548ab4097d38478d76efdd3b2f1452a4ea00e6fbe5f971",
"type": "eql",
"version": 113
"version": 114
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.13",
@@ -36,9 +36,9 @@
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"rule_name": "Google Workspace Suspended User Account Renewed",
"sha256": "cfbc6ffe95e39937d68146e42f932947e2c3c96cc9a42ab296e12bc8c613f5f1",
"sha256": "8283b518baac8842c7ce326891bda4e15bace4d280e83afbd132727190139aee",
"type": "query",
"version": 2
"version": 3
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"rule_name": "Microsoft 365 User Restricted from Sending Email",
@@ -54,9 +54,9 @@
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"rule_name": "Potential Network Scan Detected",
"sha256": "b8fe180b3014905fe11da3c0aa06b4e05fa0ce5c1aab90b093c291ede0fe9812",
"sha256": "0b7bd18f56d2a7b5f3bc16613aeb6e2a09c6a9ccc54a0592c9835fff18811b79",
"type": "threshold",
"version": 6
"version": 7
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
@@ -192,9 +192,9 @@
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "18206de4f5ccdad5336624f845d49008e9b9465a9a28c027d0ec8ac13f844587",
"sha256": "0dfc0b069d300f001ad888794c331aa6459cf2a1afbe74e991e76540d3d1c334",
"type": "eql",
"version": 5
"version": 6
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"rule_name": "Microsoft IIS Service Account Password Dumped",
@@ -293,9 +293,9 @@
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "9df4d9a342110c032419b2564bf6376a9357291ca8b3ead073faf9e5214419e6",
"sha256": "9ef2074f6e701f2d706ccfe7165569007fc670532ed8a720905e2fbff4754a32",
"type": "query",
"version": 106
"version": 107
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"rule_name": "Suspicious Browser Child Process",
@@ -400,9 +400,9 @@
},
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
"rule_name": "Yum Package Manager Plugin File Creation",
"sha256": "2b69a06ea7781c0a41b34c7cadba4aab83da534af3555d02cfc9279096625c38",
"sha256": "020707bc72930c1c88624fa6bc70c89066d79ec0c2e4b211d7039857de3514b0",
"type": "eql",
"version": 2
"version": 3
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"rule_name": "Anomalous Windows Process Creation",
@@ -431,9 +431,9 @@
"0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
"min_stack_version": "8.13",
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "def7eb89e3c878528aec7c13c05e2616c3459bde67544c20e3abe67d6574b59b",
"sha256": "1b2555dd5c85d73de0e5bba5942450628664cd1e0023117f44c85b562060643c",
"type": "eql",
"version": 1
"version": 2
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces",
@@ -462,9 +462,9 @@
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
"sha256": "b124621df90ec8e22a42cdf417ec79eeb7daa3d5e543cac43100cdb28f24f252",
"sha256": "6e3b46e8ec99a5315db0290b20975c2f96035274d47497b5275ca90eb2284494",
"type": "esql",
"version": 1
"version": 2
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
@@ -516,9 +516,9 @@
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"rule_name": "rc.local/rc.common File Creation",
"sha256": "2e7d124198761afda3e1b48035ab8b166f486e36af3dd5be2f69f1783d13b0d1",
"sha256": "28070d788626c94266ca156adfce5e6d58d48df08e6103e0cfc4c1b1e7bb8ab5",
"type": "eql",
"version": 113
"version": 114
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"rule_name": "Netcat Listener Established via rlwrap",
@@ -660,9 +660,9 @@
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "5ededfd13f540446ed50cce0b7819fc2db3867dacb3e94f7a8ad3e74fa27e842",
"sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177",
"type": "eql",
"version": 112
"version": 113
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.13",
@@ -719,9 +719,9 @@
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214",
"sha256": "6f7487c7e356c40aec2caceb15dce0977070fac0869a8f73757b0d4986b15113",
"type": "query",
"version": 103
"version": 104
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"rule_name": "Office Test Registry Persistence",
@@ -858,9 +858,9 @@
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "Systemd Service Created",
"sha256": "e0a46f4010f06fe2f8820ab81c9d77d43d93649c54d8aaca262b90a585e03641",
"sha256": "2a67cb5cd32db22aa939d61ec976ea4d0aa9623596bdf8a430c808aa2aa77ee5",
"type": "eql",
"version": 13
"version": 14
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"rule_name": "Renamed Utility Executed with Short Program Name",
@@ -916,9 +916,9 @@
},
"192657ba-ab0e-4901-89a2-911d611eee98": {
"rule_name": "Potential Persistence via File Modification",
"sha256": "d1c1f1dbe854e24a206291ce09a0b5a7d0a3edd11c3de760e2ff9e5560924100",
"sha256": "abc2a9316141b799f35032d6ce4594520d1990765d3886ffe188c594fafd59a0",
"type": "eql",
"version": 3
"version": 4
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -1012,9 +1012,9 @@
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "40ddcb49b09cc55adadb4d77faa7e2399a198f85b05ae0091ff28080d0b3e163",
"sha256": "ae500dfb91fef53e60123090127f7daaf307a63a988ad01fc07d30ed8c8fc368",
"type": "eql",
"version": 115
"version": 116
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Rolebindings Created",
@@ -1036,9 +1036,9 @@
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "50473966980c6830aa4b12aa9acafafacf8d3e86b508832e498777b302fd9b54",
"sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e",
"type": "query",
"version": 2
"version": 3
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"rule_name": "Remote File Download via Script Interpreter",
@@ -1243,9 +1243,9 @@
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
"sha256": "5236a7331c35e34f2f5e5e0370db337e199dd5660d918ca0c21209ed25ca13a9",
"sha256": "5123093932b6f544cf28a9f7f30a22658848fa12289e7f1c21584d21a79e2354",
"type": "new_terms",
"version": 4
"version": 5
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
@@ -1297,16 +1297,16 @@
},
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
"sha256": "52e498b76b1bc795b18dee476e1e03b1712563b3138813bf79295c071dd6adb5",
"sha256": "3f418fe503710182cb6ee9cfde5fad9281638f086f4441f882e8c13dbfdaccaa",
"type": "new_terms",
"version": 2
"version": 3
},
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "68aeb823e4de7c8e670285a009dd7c9fc39ae2a9abf83f65c35df1d9818dd586",
"sha256": "cd51f975ba0e08a764b771c3485b3cc15cd8d2fcdfa8d905fccc99b4527690da",
"type": "esql",
"version": 1
"version": 2
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"rule_name": "New GitHub Owner Added",
@@ -1316,9 +1316,9 @@
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "dcf5239bdf937bd790a721fc5c7fceea3af8c5377ce0b466359a5ebb23a57ed6",
"sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381",
"type": "eql",
"version": 108
"version": 109
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"rule_name": "Potential PowerShell HackTool Script by Author",
@@ -1346,9 +1346,9 @@
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "6c8cf1738016d2de5acb239d04a90ee51862f9548c95ecc55be6dca60eb9530e",
"sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a",
"type": "query",
"version": 2
"version": 3
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"rule_name": "Potential Suspicious DebugFS Root Device Access",
@@ -1404,9 +1404,9 @@
}
},
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "2b9e9d7c6c83c4a8875dd9c4906e18cdda6a69189c19b29dda5cbfdaed69fafe",
"sha256": "b6dc758cc09d7e1a4109953f931108161705e9b57b50880bd8b5da3607455b2f",
"type": "esql",
"version": 309
"version": 310
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.12",
@@ -1506,15 +1506,15 @@
},
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "d4750d3483d151cf29d387937a0c53e16532bb6c7f76c4129182f11af26907bd",
"sha256": "0a180c61b8aa35288abaa53efe0c157c6d37e5280e80b5e25ca9284d250d0be9",
"type": "eql",
"version": 1
"version": 2
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Creation or Modification",
"sha256": "a0220f32050291d6181245d119ff13f27d11d6776fab0aeef7a933b2fed998f5",
"sha256": "1bbc59664ea9b04b6617570b0dfb20792a323de2634050e653bd63ba8b1adcb4",
"type": "eql",
"version": 3
"version": 4
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS Security Group Configuration Change Detection",
@@ -1569,9 +1569,9 @@
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ed5ee5cca37901181403052c73c15575a768c00863a860235c68fae83f550ce1",
"sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47",
"type": "query",
"version": 1
"version": 2
},
"29ef5686-9b93-433e-91b5-683911094698": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
@@ -1628,9 +1628,9 @@
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "c490a1739cc80eda7fdee5d009f9920e865a0981abf5155f1e68132208d228e4",
"sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1",
"type": "eql",
"version": 111
"version": 112
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
@@ -1730,9 +1730,9 @@
}
},
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "46d05336c091b15f5411222d6025f5b05a2712ed0cdad1ae60eda64282563004",
"sha256": "172a634e3276f1e5ef0c46619a92359182cc7a564ac5e4fba01744185d0a3b40",
"type": "esql",
"version": 101
"version": 102
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
@@ -1760,9 +1760,9 @@
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "8780262dbf51119a57e1482fdc257e16b74e0e78063f08f70039f0e84bd8e10e",
"sha256": "b1a7d12998e1efd7ea299012dcf84947b7b732b5d5acaf875515adc5e0289cf9",
"type": "eql",
"version": 109
"version": 110
},
"2f95540c-923e-4f57-9dae-de30169c68b9": {
"rule_name": "Suspicious /proc/maps Discovery",
@@ -1814,9 +1814,9 @@
},
"30fbf4db-c502-4e68-a239-2e99af0f70da": {
"rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
"sha256": "ac674594e4090f28c0defbacf2ab2ab0be02892e8c42781f49ec6b349245a750",
"sha256": "d6f20b6a3603f9833ff11f6068def92a2747b680d1ce4c78ffb5eda220b55347",
"type": "new_terms",
"version": 1
"version": 2
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"rule_name": "Agent Spoofing - Mismatched Agent ID",
@@ -1844,9 +1844,9 @@
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "2037bc6827adab74cd7f5d34cc9724885806f9d8b3ca6aad279ca53096b8b6f6",
"sha256": "172d24bcf01cef30702ad2466f5b01b312a7b5b9b0420781b3f5d178dee2810e",
"type": "eql",
"version": 1
"version": 2
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"rule_name": "Azure Network Watcher Deletion",
@@ -1856,9 +1856,9 @@
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea",
"sha256": "bd14c9e18b459c255249f0f5e5e5d3fb94b2c32186ea0e40eb3847cf3da62ac3",
"type": "query",
"version": 103
"version": 104
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"rule_name": "Program Files Directory Masquerading",
@@ -1868,9 +1868,9 @@
},
"32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": {
"rule_name": "Microsoft 365 Portal Login from Rare Location",
"sha256": "e85cd3384b5ccc5850cf4f33e5f844844cd1933da8469d78976c2ac6bea6146d",
"sha256": "3e3186fdaf81508055217cd52ac7b74d8c88bda2fca0eca7f8e1b3b573b7cd02",
"type": "new_terms",
"version": 1
"version": 2
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.13",
@@ -1933,9 +1933,9 @@
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "fca388730dbad2c3ff2b395e9a5b007eb2322d3321108a972c0800621625b236",
"sha256": "d4d536d179c2456b42cc7463e03bb7cc9e7f6b8fc478a861c31138ba803c957a",
"type": "query",
"version": 105
"version": 106
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"rule_name": "Execution via Electron Child Process Node.js Module",
@@ -1981,9 +1981,9 @@
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "11e9e74bfe492b9b952f35cacdacfc36e23fe9ac8652b8416b3b1e5d7bcbf491",
"sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0",
"type": "eql",
"version": 112
"version": 113
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"rule_name": "Network Traffic to Rare Destination Country",
@@ -2063,9 +2063,9 @@
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "6873fd08617e0efde5dccf424aacbfe7057877288810c2ed68293f795964241b",
"sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4",
"type": "query",
"version": 207
"version": 208
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"rule_name": "Network Connection via Certutil",
@@ -2081,9 +2081,9 @@
},
"3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
"rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations",
"sha256": "4cd8c2fdddd563d87d08b18e0e9fc72833dd8de9d2def7c44af711875d61e1f5",
"sha256": "b27504fdf50603f2d3b2d98b424475dd42fa3e57f3331ab23a5b8290dde2302d",
"type": "threshold",
"version": 1
"version": 2
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"rule_name": "User Added as Owner for Azure Service Principal",
@@ -2093,9 +2093,9 @@
},
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
"rule_name": "External User Added to Google Workspace Group",
"sha256": "5b576006ba63579d8d410c1b6a505b7129e0e534887b142f08e9778bab82d1a1",
"sha256": "c3493126c9accd6f626f2aa40ab74be96a664b87ceabce37843cf4e29b8414bc",
"type": "eql",
"version": 2
"version": 3
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"rule_name": "AWS EC2 Network Access Control List Creation",
@@ -2123,9 +2123,9 @@
},
"39c06367-b700-4380-848a-cab06e7afede": {
"rule_name": "Systemd Generator Created",
"sha256": "942799a502924a8770a66f92b4f43fa2438edf86eef4d2e1fc81c5d5934ca45b",
"sha256": "6830658a6c7df047562c77a035de9a3c72616c2c4cc3680ea3caead24a2675ba",
"type": "eql",
"version": 1
"version": 2
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"rule_name": "Potential DNS Tunneling via NsLookup",
@@ -2163,9 +2163,9 @@
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3",
"sha256": "7201f6b6243d0d0dc0eac73fe827a1ffb624b049a65a51c6841c687ffe51721f",
"type": "query",
"version": 104
"version": 105
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"rule_name": "Azure Full Network Packet Capture Detected",
@@ -2210,9 +2210,9 @@
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "ad2e86d0c8ec513455336bfade5fc0db3f59e55eef5c4f0aeb454c9dd2e880b0",
"sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686",
"type": "eql",
"version": 113
"version": 114
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"rule_name": "Unusual Linux Network Port Activity",
@@ -2268,9 +2268,9 @@
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"rule_name": "Suspicious Emond Child Process",
"sha256": "7d78dc70f6217f921486f43f26839cb0fe33c9dcd5bfc983e0a3117ce260f1db",
"sha256": "b6aae2c2f1319d6dfcfceea3d42f2c90a421b25587e321a4bcc543da9488b064",
"type": "eql",
"version": 106
"version": 107
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"rule_name": "Potential Remote File Execution via MSIEXEC",
@@ -2328,9 +2328,9 @@
},
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
"rule_name": "DNF Package Manager Plugin File Creation",
"sha256": "fa6f9f682ade91c9ceb999d3536002bf17197697e5b132fe1ee39ac7bc15e6c9",
"sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc",
"type": "eql",
"version": 2
"version": 3
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"rule_name": "Unusual Process Spawned by a User",
@@ -2407,9 +2407,9 @@
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "191661b0af8a8c61df4f38e1c05684730daaa2e7211d90119b291ab3658f5ad3",
"sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8",
"type": "threshold",
"version": 208
"version": 209
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"rule_name": "Process Creation via Secondary Logon",
@@ -2431,15 +2431,15 @@
},
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"rule_name": "Linux User Added to Privileged Group",
"sha256": "3d53c3cf46875865535f808e7c6c2ef22a6d516d653fd23e37c8faaf4d477438",
"sha256": "2dfb9575cc645fa50cebdb23d7ca0430deb31dd044ee4678db3517dbeeab236c",
"type": "eql",
"version": 6
"version": 7
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "83d79f7e35b069d84ce239901a6f3aaabd224e0494355f02c61e2650de4099c6",
"sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77",
"type": "eql",
"version": 110
"version": 111
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"rule_name": "Unusual Windows Path Activity",
@@ -2485,9 +2485,9 @@
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "be491095047d3c14c4f0f6ceaaaa57b03ed05e79bd61229fae0171cd3b2edb4f",
"sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060",
"type": "eql",
"version": 112
"version": 113
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"rule_name": "Adding Hidden File Attribute via Attrib",
@@ -2509,9 +2509,9 @@
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"rule_name": "System V Init Script Created",
"sha256": "2466e400fbb2609de0e103e31fce633373687c8f415da505013088e414873e97",
"sha256": "0b73e5e62cae5d12fa9f1593413122fedb8a5dabb1a53d42be46c0cee2d4f35f",
"type": "eql",
"version": 11
"version": 12
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"rule_name": "Sensitive Files Compression Inside A Container",
@@ -2519,6 +2519,12 @@
"type": "eql",
"version": 2
},
"476267ff-e44f-476e-99c1-04c78cb3769d": {
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
"sha256": "ea849a9461e38a2045fe127b98e787f05d95161ba0ae4008de1c4ce3a7c773dd",
"type": "eql",
"version": 1
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40",
@@ -2587,15 +2593,15 @@
},
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "442cc445286a3163b8aba6078ab86ef9450687d9587a6716e1f7b2c5ff79b893",
"sha256": "5a9dab10c85e4612a211b8a0462ad02f3b63ea8ebe7964113b4fe4c6cf0ade62",
"type": "eql",
"version": 7
"version": 8
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "458d45e2d4ec3ad54e104516c1bf827f241392740f457d0b358ed439cea466f4",
"sha256": "fa0763bb909c5faa492f63ddf49e52ad217b2ba6495e1ea1f66636550d76c562",
"type": "query",
"version": 106
"version": 107
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
@@ -2611,9 +2617,9 @@
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "42113dd49a2b2df45e90301ac64feac172a5fe2d5ae21baddb22e62943b28082",
"sha256": "340f1c9b6d0d92fa721456ed567e265ee5b0b193bb96bea2145541912b19c536",
"type": "query",
"version": 105
"version": 106
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
@@ -2719,9 +2725,9 @@
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "6cf84f243e86183b9bc2efdc39aa92f7573c421593ce71f1ce90dd87daf5b2dd",
"sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269",
"type": "query",
"version": 206
"version": 207
},
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"min_stack_version": "8.13",
@@ -2732,15 +2738,15 @@
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "48868bb471f2016ae1244c4c1b283ba8412b2ca525ae43545b96bc53a9bc5b45",
"sha256": "516db4cf8557eafd3460e28139da74d2c72f860f9905e30ab5a32a2022d2094d",
"type": "eql",
"version": 110
"version": 111
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "9f8682da0707ca62f5537007eb440a25605c097964d7acb1ab228c8c773845ca",
"sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb",
"type": "threshold",
"version": 2
"version": 3
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"rule_name": "Windows System Information Discovery",
@@ -2831,9 +2837,9 @@
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "1bda048bcd9c1bf57b4b123d710a6c78eb505e8a06f8d13ced365be3a3abfa5d",
"sha256": "fd77da125fda39b0791110d21e18fe7c21233971339f47f4d46a1f228f048839",
"type": "eql",
"version": 112
"version": 113
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
@@ -2938,9 +2944,9 @@
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "06923df32d7e2f356945da46f0c5eae34bd28c11051184b76ae15232976e8b01",
"sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347",
"type": "eql",
"version": 110
"version": 111
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"rule_name": "PsExec Network Connection",
@@ -2962,9 +2968,9 @@
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "19f2524462a1935f7bd77fa31385a7dbf59740b36cd1da2d0ac2166624973870",
"sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a",
"type": "eql",
"version": 1
"version": 2
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
@@ -3024,9 +3030,9 @@
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06",
"sha256": "65439f5e4fa7b0f4bbb310547d8239ea649d5818b5ac6338a7b358f2eb0c03ee",
"type": "query",
"version": 104
"version": 105
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
@@ -3078,9 +3084,9 @@
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "09b2312a59b33f13a4be41c88d7b5a3177bc1c158c0fa3c8118d4f33d7ccfe08",
"sha256": "274d6dd045e0bf970b32a646a70634ee7ddddc23721c1271d9e33bd3da440d40",
"type": "eql",
"version": 108
"version": 109
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
@@ -3124,6 +3130,12 @@
"type": "eql",
"version": 8
},
"5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
"rule_name": "ROT Encoded Python Script Execution",
"sha256": "c0274af6f64a052fd104039c8754ea7aa05eaadab769efc8a98bc62711b2b491",
"type": "eql",
"version": 1
},
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc",
@@ -3150,9 +3162,9 @@
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "9374dc2038bb7999021a8e926287cd2cda2bd1abfa06f2f01d0af8be01679b40",
"sha256": "ecb48f9b2113ef16a9cf28b12062a7336b1fc1183e11978fa97c5d28f733e894",
"type": "eql",
"version": 5
"version": 6
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"rule_name": "Suspicious which Enumeration",
@@ -3205,9 +3217,9 @@
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "eba0d9a274b902396a98f70bf3464b3faba30514532b52d48f11de4f46572076",
"sha256": "d07f514f10110b37d711bf355d40833340fbbf7701ba0cc4db57f259713e2dba",
"type": "eql",
"version": 6
"version": 7
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"rule_name": "Unusual Linux Process Discovery Activity",
@@ -3223,9 +3235,9 @@
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "63aa403181709c3d123a628bdd843aacbbc3fff0eca0f17fccf30788068d58ef",
"sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80",
"type": "eql",
"version": 108
"version": 109
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"rule_name": "User Added to Privileged Group",
@@ -3247,9 +3259,9 @@
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "4051d22fd7d1721a31073f7a8b1173bdced88d11e883da07bafb67030c11d4fd",
"sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75",
"type": "eql",
"version": 108
"version": 109
},
"5d676480-9655-4507-adc6-4eec311efff8": {
"rule_name": "Unsigned DLL loaded by DNS Service",
@@ -3265,9 +3277,9 @@
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "90ed7cc03c1d2f50cb22cde81cefe5234690d44b19be19c4b0029735fa3e4f3a",
"sha256": "e9ecfacffc915053d9856796153aa7ce7cc98c60c95d4de25a4d3f6307b6baa5",
"type": "query",
"version": 106
"version": 107
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
@@ -3366,9 +3378,9 @@
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "f25e451f9d9c08126337653c9ea7995d2e51c96900a93ceeb7efd560d4a16d08",
"sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba",
"type": "threshold",
"version": 2
"version": 3
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
@@ -3490,9 +3502,9 @@
},
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "cf3df62e5ce0ea5a36eecf9f10d43fe538eba935463ce13795268d526a69398b",
"sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576",
"type": "new_terms",
"version": 1
"version": 2
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"rule_name": "WebServer Access Logs Deleted",
@@ -3508,9 +3520,9 @@
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "fa30b025131804daeae1b711ecaa114a5df3d847eb17078910729a73d7189803",
"sha256": "6ee19e30f1b9b03cb860b685a9b64b35926db4749f7f4bec889b9061a34dd99f",
"type": "eql",
"version": 115
"version": 116
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"rule_name": "Linux Process Hooking via GDB",
@@ -3542,9 +3554,9 @@
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "0f0e1ba88bbda85d60bb8fc96bda554db238881ea16937d0f0fa5414a15e6ede",
"sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48",
"type": "query",
"version": 206
"version": 207
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "O365 Mailbox Audit Logging Bypass",
@@ -3554,9 +3566,9 @@
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "e8e7b2e174c70d5a4a851a47b90138516f2a3c440e275c037a6f1334759c87de",
"sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93",
"type": "query",
"version": 206
"version": 207
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
@@ -3590,9 +3602,9 @@
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "8d04de56ef8b8f97264ebf4f9614963e43b9106d543823fdccbce9b59a0011d8",
"sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f",
"type": "query",
"version": 205
"version": 206
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
@@ -3602,9 +3614,9 @@
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "6efdcc0936767be2538639bc2b7dfc028b4f7d02b590bbfac757314fcec9ce2a",
"sha256": "6286d75656a1400145ea6bcf0cb02194f46a8678a76395dbace1577060570643",
"type": "query",
"version": 206
"version": 207
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"rule_name": "Scheduled Task Created by a Windows Script",
@@ -3657,9 +3669,9 @@
},
"69c116bb-d86f-48b0-857d-3648511a6cac": {
"rule_name": "Suspicious rc.local Error Message",
"sha256": "0b487e1b833bcafdcb2b535bc15463752b290f256859f2abdfb8a98f096a69bb",
"sha256": "5ca0e055dc47c8c359d83d3c42388f2d1da1c8bb7fd5b309f29e81d5e4d767d5",
"type": "query",
"version": 1
"version": 2
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
@@ -3710,9 +3722,9 @@
}
},
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "8fdabe8393c8059b468d28cdc56aeb125addbb35a437234a16b487e1534fdf34",
"sha256": "f59e6b0937b1a1ec0da32d1ced5e54224ce51ff3c12f6ef795d4c46104d824ce",
"type": "eql",
"version": 315
"version": 316
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"rule_name": "Suspicious Utility Launched via ProxyChains",
@@ -3794,9 +3806,9 @@
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "f66c92e627ba4aabff1fb546ee38cbdf15e88ad11a4e5fc9059ba9be41db31f3",
"sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75",
"type": "eql",
"version": 108
"version": 109
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"rule_name": "Security Software Discovery using WMIC",
@@ -3830,15 +3842,15 @@
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "4a61b8effbf32d622b658833f4b222d18ac656a1cddd5bf60629bebf6292ec7f",
"sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d",
"type": "new_terms",
"version": 1
"version": 2
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"rule_name": "Google Workspace Role Modified",
"sha256": "cc27c5d907038ca85c5d0c991e541013163f6fccc0bf95c84ac0b4ed62175081",
"sha256": "6de799b5422ffa174ed80888e29825c58384f7591ac7fadce324ff2fdce2a998",
"type": "query",
"version": 205
"version": 206
},
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
"rule_name": "Linux Restricted Shell Breakout via the find command",
@@ -3896,9 +3908,9 @@
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "e9a9062beb0713d366bd638f7cf733c19ec8aed20b8603b3b0d460618a78aaa2",
"sha256": "64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8",
"type": "eql",
"version": 109
"version": 110
},
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"rule_name": "Suspicious Passwd File Event Action",
@@ -3927,9 +3939,9 @@
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "a26dbdf7534708e6c75311dac75a165cbb21ce2fedc44bffa5ebd8437ffe6354",
"sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2",
"type": "query",
"version": 206
"version": 207
},
"72d33577-f155-457d-aad3-379f9b750c97": {
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
@@ -3951,9 +3963,9 @@
},
"7318affb-bfe8-4d50-a425-f617833be160": {
"rule_name": "Potential Execution of rc.local Script",
"sha256": "f72ef3ae820cc7827a173bd53ee654a144ca8e561720eb21b16aa8038e77cc52",
"sha256": "a1de5406513b29e7517ce6db0a932eed198d6f6646dde0fa92bfd7cc13817aa2",
"type": "eql",
"version": 1
"version": 2
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"rule_name": "Potential Modification of Accessibility Binaries",
@@ -4009,9 +4021,9 @@
},
"76152ca1-71d0-4003-9e37-0983e12832da": {
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
"sha256": "6dfec898ca5b57352a078ff6ea65a0452985eeac88bb6ca491399544d57be902",
"sha256": "22a8ad00011d5f164b7afb9036e0c5c08d16762e2128190811ec8aafe4886bd4",
"type": "query",
"version": 103
"version": 104
},
"764c8437-a581-4537-8060-1fdb0e92c92d": {
"rule_name": "Kubernetes Pod Created With HostIPC",
@@ -4092,21 +4104,21 @@
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"rule_name": "Potential Network Sweep Detected",
"sha256": "a4a317660afe13172cc03e0cb5ca740454bfedb40ea0f7a8a28f1069dc642c0e",
"sha256": "9121a1422f15efedecd947633f481a8974363778374dfdb1bdcce1b188167fbe",
"type": "threshold",
"version": 7
"version": 8
},
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
"rule_name": "Yum/DNF Plugin Status Discovery",
"sha256": "fc16f370dc60f9055462ab95361c53882679cdb66bc38d1af9e0d11c7fe6cae2",
"sha256": "23a40162c5772a1d921549e7d5a4282e9d4641cc2e228e211d0b185242db9e4a",
"type": "eql",
"version": 1
"version": 2
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6",
"sha256": "7872d9e397306a241598eb6172a75adc0608f3f529798a8639c1e86810735b47",
"type": "query",
"version": 205
"version": 206
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"rule_name": "Azure Privilege Identity Management Role Modified",
@@ -4151,9 +4163,9 @@
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "693613eaf1e2584a9bc56d598ff28225091c888aa886521384faf26f2cc43a45",
"sha256": "bb615c82f76f783f0f58151931932eec4f8b1bab35a8600d646c237df38dcb1f",
"type": "eql",
"version": 6
"version": 7
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"rule_name": "File Compressed or Archived into Common Format",
@@ -4211,9 +4223,9 @@
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"rule_name": "Potential Execution via XZBackdoor",
"sha256": "9f221e9e2c416c50b82f07c88332fd26eecf0a0478a0cb4be6f9783f23f4f9ef",
"sha256": "e0c591aeba61158c00765037cf3782c59e6577da6a93fca8720d47fe1b602867",
"type": "eql",
"version": 2
"version": 3
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
@@ -4229,9 +4241,9 @@
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"rule_name": "Windows Network Enumeration",
"sha256": "76d42ebe68f574a31fb590b3d96321d2e8d048306a8159b2f0b36be83255e855",
"sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486",
"type": "eql",
"version": 111
"version": 112
},
"7b981906-86b7-4544-8033-c30ec6eb45fc": {
"rule_name": "SELinux Configuration Creation or Renaming",
@@ -4247,27 +4259,27 @@
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"rule_name": "Tampering of Shell Command-Line History",
"sha256": "049a63c5b82b17f2d6c5dd181badc64cc229ff7a1273b26c54a8703a0514f8db",
"sha256": "b29563e9adeb94b3d771f3e0f0316518415fb4312e33347e187c39ba28647529",
"type": "eql",
"version": 106
"version": 107
},
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
"rule_name": "APT Package Manager Configuration File Creation",
"sha256": "7f541c0c50a6d33535985522ee86c00dcbab65268ec216860fa7dbf501f66554",
"sha256": "55bc076a0afc6e5d4aeeb675d5ceac237bd0b6f1be950eda19669219fb3bdf6b",
"type": "eql",
"version": 2
"version": 3
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55",
"sha256": "0f41d71ccff8430c3787790e46370c3451a3a92f2faa9b03993b8fba38aee32c",
"type": "query",
"version": 106
"version": 107
},
"7ce5e1c7-6a49-45e6-a101-0720d185667f": {
"rule_name": "Git Hook Child Process",
"sha256": "e77cd450455ec49667cac7e0a1957a71b6b3644f627fe8c00b5bd2c41a8e0262",
"sha256": "78176482702f10120da2da5c9a3fe712cccd4145cf69ed8b5c4276ecdcd6c052",
"type": "eql",
"version": 1
"version": 2
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"rule_name": "GCP Service Account Creation",
@@ -4289,9 +4301,9 @@
},
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
"rule_name": "SSH Key Generated via ssh-keygen",
"sha256": "90b5e320db9401bdd0376dab7ae156178fbe41dfe70edf6fe1e1f02626127276",
"sha256": "02a3fbd847f6e988ae119d30af0b3b2c0c31611ed3b77372aa9eb99e8c5bb9cc",
"type": "eql",
"version": 2
"version": 3
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"rule_name": "Suspicious Kworker UID Elevation",
@@ -4336,9 +4348,9 @@
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "Systemd Timer Created",
"sha256": "36739d1ea63a60bf5bf18435372ca052df46550047f525bcdad4d50834353f0f",
"sha256": "22106370ef245153e940ad0c5577fa5492b2c1799353840dcf28c8ef4a7c564a",
"type": "eql",
"version": 13
"version": 14
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"min_stack_version": "8.13",
@@ -4481,9 +4493,9 @@
},
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "65e195a65ae9090069f90ac4dab89bfe2f9ac8b4a3d919f598943adf5c4f87ae",
"sha256": "24507f9fc5eac786e69d16e7a9759e5502f06ae39ca2b0c3baee080c29aed691",
"type": "eql",
"version": 8
"version": 9
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
@@ -4499,9 +4511,9 @@
},
"84755a05-78c8-4430-8681-89cd6c857d71": {
"rule_name": "At Job Created or Modified",
"sha256": "0b70543d8ab821dcbc89c2c036e27300440bc34c97c569c9e947b3e00de93037",
"sha256": "a987f893268d128252316712332f0deeb89dbfad27ee9595059745bcfc9cfb1e",
"type": "eql",
"version": 1
"version": 2
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"rule_name": "Potential Upgrade of Non-interactive Shell",
@@ -4523,9 +4535,9 @@
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "8fb4c5a6040d9edf0a32b6e6fd809d366eea096495438e323e148d684c871404",
"sha256": "361cf289449891a5a01a599005a112612693f0528651e2fd44fd291e2fcf9481",
"type": "new_terms",
"version": 210
"version": 211
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
@@ -4601,9 +4613,9 @@
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"rule_name": "Potential Sudo Hijacking",
"sha256": "5204e29d31ddd9d46708224fe842aa218cd42b2ee9b4dbea4cb00236379c3755",
"sha256": "48ef2dcad2d1f95fb5e7cd7f890d36ba444b2c045b00f18db67a56565a8fb776",
"type": "eql",
"version": 106
"version": 107
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"rule_name": "Suspicious WMI Image Load from MS Office",
@@ -4649,9 +4661,9 @@
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "9b0a2839f4cf78cbec03a3af5cacad652fcad5f72e5e9f06e2c3324a6014727c",
"sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031",
"type": "eql",
"version": 3
"version": 4
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"rule_name": "GitHub PAT Access Revoked",
@@ -4661,9 +4673,9 @@
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "SUID/SGID Bit Set",
"sha256": "d30b78adc54d39f3c741ae106d085d3b2c772c7bcc6ff6cd5f0431e699ffb069",
"sha256": "3709b15d60903268e4e30eba20dc1d89c099e0aa71b45dcff996484296a8c994",
"type": "eql",
"version": 104
"version": 105
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"rule_name": "Suspicious Execution from a Mounted Device",
@@ -4673,9 +4685,9 @@
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "42864ccbb8e48936452a309318951454ac5820199a0b5e62be20a53c6846eb2b",
"sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c",
"type": "query",
"version": 206
"version": 207
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Suspicious JAVA Child Process",
@@ -4709,9 +4721,9 @@
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b",
"sha256": "6659d5d4a4edaff5a8ca68cbfaf2a04c0158a37d500c6e10acc18c930935370f",
"type": "query",
"version": 103
"version": 104
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"rule_name": "Unusual Child Process of dns.exe",
@@ -4721,9 +4733,9 @@
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "e39c5937dbc4ab56573d51ab9f6ce2aecc5f8d281f4c0d4a2d2c86bf94d01fd5",
"sha256": "187f18c4d04b8449ae3e946d3e2dfe18c3a5cd4a22ac2f5a20319294fef4e588",
"type": "eql",
"version": 107
"version": 108
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
@@ -4928,9 +4940,9 @@
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"rule_name": "Sudoers File Modification",
"sha256": "f4d948d4c06ecb8fae9ce5be98bc19d8200ccb0e271913c4b2c41c01a45233b2",
"sha256": "750c2d617d020e994dadb92ce3e0b585d16bbdc097fb24a656bb3e2f95ccae14",
"type": "new_terms",
"version": 204
"version": 205
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"rule_name": "AWS VPC Flow Logs Deletion",
@@ -4969,9 +4981,9 @@
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "cab219f6e8b4ccaf91b7f6190f1d098c08ddc5b898d2e1566965ba6039a72657",
"sha256": "3f4c25d945ad4aba614f5d74a31c515d8284fc201547404bee99658f5e3c7919",
"type": "query",
"version": 205
"version": 206
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"rule_name": "Modification of Standard Authentication Module or Configuration",
@@ -4981,9 +4993,9 @@
},
"94418745-529f-4259-8d25-a713a6feb6ae": {
"rule_name": "Executable Bit Set for Potential Persistence Script",
"sha256": "6d87a179a9250be94d5ebc89d3c18cac19a649c4532c5e5aad6410478f96a232",
"sha256": "74aed1e2b14f06f985dcdda41a9373194206e0d5b6136dc5af2c15f72a430fc0",
"type": "eql",
"version": 3
"version": 4
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"rule_name": "Creation of Kernel Module",
@@ -5000,15 +5012,15 @@
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "58ae4c29b8169b66911606add6b41d931703e9b60ab61eeeed2c2199d336378e",
"sha256": "51bedd9974378d0cf2ac060ec589b9d6c5c34c9532ce5ef37f4a16cd0e1561d2",
"type": "esql",
"version": 1
"version": 2
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1",
"sha256": "e1f81d655b8ff56cdc39629ce72312cdebdea19e417e5d8a2f82631bf5a3bd6c",
"type": "query",
"version": 106
"version": 107
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
@@ -5018,9 +5030,9 @@
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"rule_name": "Remote Scheduled Task Creation",
"sha256": "bac765ec665e393fb7abe2f02f93968c2d175a15544229c56054eb22f34775c6",
"sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8",
"type": "eql",
"version": 109
"version": 110
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
@@ -5031,9 +5043,9 @@
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "22d8f8f7b3a1f49d8a20f6a8689d8b956724b24cc7694994859ce03c6909068d",
"sha256": "e2c27c3f6d1a4fbe980d5489ddcf7534108876d1454a281129555139fbb308fc",
"type": "esql",
"version": 1
"version": 2
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
@@ -5049,15 +5061,15 @@
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"rule_name": "Attempt to Create Okta API Token",
"sha256": "00e7844e7b50556df54dd1a80585ef3b0d6e18949813883d66e9467cd40a90f9",
"sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d",
"type": "query",
"version": 205
"version": 206
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"rule_name": "Message-of-the-Day (MOTD) File Creation",
"sha256": "d80c76481d619796d4c3699f60527c153deb2cd18dd2c8f9b9c38d9d854488e1",
"sha256": "dee0fa159010c2aba6be29979a0ca7a24423ce4b2897d3bde2f635ddff3fe6c8",
"type": "eql",
"version": 11
"version": 12
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"rule_name": "Access to Keychain Credentials Directories",
@@ -5097,9 +5109,9 @@
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "b5fcc4e747c548c7f941007c4c619f12ac40c55649e2cb4c8fdf0cba578433ed",
"sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee",
"type": "eql",
"version": 209
"version": 210
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.13",
@@ -5144,19 +5156,25 @@
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "a9b76ad35efed428600fccb9f8ae90c150c46bc3fc5fd166b1bef8b119c42576",
"sha256": "d8b7b25e2fefe1dc94dd57ee87b2dd576cc089e5d7a78dcb91f493b33e925285",
"type": "eql",
"version": 112
"version": 113
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "bca34a9cc93d913e9dd7b38378787f84bffb714c7a1ff0e76fe33c0b81cce627",
"sha256": "13bb60d5c1f5306bc12b67f81f15a38dc8238c2cd154896536269d9668d075cc",
"type": "eql",
"version": 3
"version": 4
},
"9822c5a1-1494-42de-b197-487197bb540c": {
"rule_name": "Git Hook Egress Network Connection",
"sha256": "6d36df93f7a4a9365138e6a5ca493712ab0384647f7f19e86479b6e29c524099",
"sha256": "8e57b1dbf16d5746922b8edafe41713555a95bb09c7bc1b9f9f63a00bd5c3724",
"type": "eql",
"version": 2
},
"986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"sha256": "5712effbbe1f56916c81aa8c2fa4c30fe56da84d391d94c8f1fabfcc499a273f",
"type": "eql",
"version": 1
},
@@ -5204,9 +5222,9 @@
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "2a6ab34b2777b1c0c5811839d0fb72b2778f887ef1ff8f877e8c2a1d8158a292",
"sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3",
"type": "eql",
"version": 209
"version": 210
},
"999565a2-fc52-4d72-91e4-ba6712c0377e": {
"rule_name": "Access Control List Modification via setfacl",
@@ -5374,9 +5392,9 @@
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"rule_name": "Potential Credential Access via DCSync",
"sha256": "245f927a2216282fba339f223bf9e0ed49bbdbc6e72284733cac097d9141725d",
"sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921",
"type": "eql",
"version": 114
"version": 115
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
@@ -5446,15 +5464,15 @@
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "abc7a656bb0d4f63a1a6e01241d5070bd79d95767ddf50a96416c4cb1e21c0ea",
"sha256": "93ac22092606053c77aa4f701b17b858a8cae516565cbcfb5a34494b5ade35e3",
"type": "eql",
"version": 108
"version": 109
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"rule_name": "Linux Group Creation",
"sha256": "7fc88cc105fb44e6b06fe74f60102105a5d43b6174d0e52f9dafb31eda5b1bb7",
"sha256": "93d8a95d1c43dedafd6cece3fab8d0b375e5a15801c84585d037fd2c7f361076",
"type": "eql",
"version": 5
"version": 6
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"rule_name": "DNS-over-HTTPS Enabled via Registry",
@@ -5464,9 +5482,9 @@
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
"sha256": "f88225fa0fa8f945e8a2c742913108af721f807ca41fe1e300d3d6546236bcd2",
"sha256": "5398047ac13fd35fd8a4c69163e2abbbb71741b093655d3a18a002c62544c722",
"type": "query",
"version": 107
"version": 108
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"rule_name": "PowerShell Mailbox Collection Script",
@@ -5513,9 +5531,9 @@
},
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "1576ee101633693a68c7a223bc0bf033bf243cde11d3831ca0ba638c6761c681",
"sha256": "107d9dba2ad9b03f457311eef2f1d29f5c30f692db76b52c0ecb7ad90cb1bba0",
"type": "eql",
"version": 6
"version": 7
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
@@ -5628,9 +5646,9 @@
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "de0ced40cd29bb489ca1a27d785bb3d66ba4d0711f5d8d42268c9f8cab7c7df9",
"sha256": "bfd3c37297fa730a13e90c0a7714caceda0b1c853fb40bf1f0137aa00f77bbe0",
"type": "query",
"version": 205
"version": 206
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"rule_name": "Persistence via Hidden Run Key Detected",
@@ -5640,9 +5658,9 @@
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee",
"sha256": "f6ceb7d4ece3477e49b056e9dd3e833f999b2eee034004d015ed34cab40f8df5",
"type": "query",
"version": 104
"version": 105
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"rule_name": "GCP IAM Custom Role Creation",
@@ -5652,15 +5670,15 @@
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"rule_name": "System Log File Deletion",
"sha256": "79bab8f6a142d4bdac160c384285fd4ae3bd5d54eabbd413b0a29e050b3d6d70",
"sha256": "caebd910311dc1b958558375bcae2a9bd22b4ef344988046c43684e838d9d350",
"type": "eql",
"version": 111
"version": 112
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"rule_name": "Remotely Started Services via RPC",
"sha256": "e72234fda58c725e6bbfb3c02d000a1276fc1ff4868a63532863b43b2780d3f8",
"sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0",
"type": "eql",
"version": 112
"version": 113
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
@@ -5676,9 +5694,9 @@
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
"sha256": "2db0d63bf6a61835c07c04493720d25000478eddbe26b47a8942c028a73892aa",
"sha256": "93c49db43b03637f2c1d053b9f5ebcbd2776f483fe824854fae2ace948d956dd",
"type": "eql",
"version": 113
"version": 114
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"min_stack_version": "8.13",
@@ -5724,9 +5742,9 @@
},
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
"rule_name": "Git Hook Created or Modified",
"sha256": "0e054a4d038b07eafcacda1d0db5d03bdcfc365eea986702a69ed4aa816a50fe",
"sha256": "1a2154c53e400d0a4a40954d8b3bb8a81e9c72e8ea5339616287431599bbd96a",
"type": "eql",
"version": 1
"version": 2
},
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
"rule_name": "Outlook Home Page Registry Modification",
@@ -5760,9 +5778,9 @@
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
"sha256": "c387b952f7259ac6c595aba8c0f9182063b9497dd22302e8b1d3bcd1e582de79",
"sha256": "1afdb4a51d22e7bbfd7e65b403f94fe84c4d5a15c4e64cf97eba18131439801e",
"type": "query",
"version": 206
"version": 207
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
@@ -5796,9 +5814,9 @@
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "d1699c4738c1bd1387584e6a38c367c2f869b0045f7b6e2c635535f2dded6307",
"sha256": "6bf9bd74edf549ebf03a9335f3167e0a4f85aaeebdec0d566acfdbc16dd047c0",
"type": "query",
"version": 205
"version": 206
},
"ad5a3757-c872-4719-8c72-12d3f08db655": {
"rule_name": "Openssl Client or Server Activity",
@@ -5820,9 +5838,9 @@
},
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
"rule_name": "Suspicious APT Package Manager Execution",
"sha256": "129a19636bb2a5074188b195332bb5f191fa7c838a1aa56dd1e30cb5df52303f",
"sha256": "4cbd3476d128aad590e86079b7e07f0db490326f4339fd74b5c8b596bee4bc0a",
"type": "eql",
"version": 3
"version": 4
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"rule_name": "File Transfer or Listener Established via Netcat",
@@ -5862,9 +5880,9 @@
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"rule_name": "Local Scheduled Task Creation",
"sha256": "5291c4a420b199ea0cda7c00ad93a5114d95d9fcd73a07e12060d164eb0601e6",
"sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0",
"type": "eql",
"version": 107
"version": 108
},
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"rule_name": "Network Activity Detected via cat",
@@ -5983,9 +6001,9 @@
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "614c1c668c20b47ea3131ada30c8e3553492804e1a59c5580715f70c757d07b6",
"sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e",
"type": "query",
"version": 206
"version": 207
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"rule_name": "Potential Privilege Escalation via OverlayFS",
@@ -6007,9 +6025,9 @@
},
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
"rule_name": "Systemd Service Started by Unusual Parent Process",
"sha256": "685f7eda1ffe48d637bb57dd38a4e2f75a7db512b20e0f6fe2346df99999cb0a",
"sha256": "f7dabab39fc646885b39c4c9afb130a28ee22c77ab5d59c1661931a5024b5ea4",
"type": "new_terms",
"version": 2
"version": 3
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"rule_name": "Elastic Agent Service Terminated",
@@ -6043,9 +6061,9 @@
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "6a65ec96ad5423adc711dfec4c404f2e552f894f68eaa80a1f242d64218bbdc6",
"sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d",
"type": "query",
"version": 206
"version": 207
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"rule_name": "Potential Buffer Overflow Attack Detected",
@@ -6055,9 +6073,9 @@
},
"b8075894-0b62-46e5-977c-31275da34419": {
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "1177bae4785512b7c84e85287f4a1e6555c016a06a1a91407ee74cee2c622ae3",
"sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60",
"type": "query",
"version": 205
"version": 206
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"rule_name": "Linux System Information Discovery",
@@ -6165,6 +6183,12 @@
"type": "eql",
"version": 111
},
"b9b14be7-b7f4-4367-9934-81f07d2f63c4": {
"rule_name": "File Creation by Cups or Foomatic-rip Child",
"sha256": "7c771e2cb6b8fc6e241c50beebc9871ffb34e29e2758e25d9042b45a8104f2b4",
"type": "eql",
"version": 1
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"rule_name": "Unusual Windows Network Activity",
"sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57",
@@ -6203,9 +6227,9 @@
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"rule_name": "Potential SYN-Based Network Scan Detected",
"sha256": "3058dba57eff10cad98a1365366e790ede645217bdbb3799d91d71aa9b8d2ebf",
"sha256": "682e1b59f8cf01d5dd254c5cab6e075ed621000c6059b31845117c2d16a2ba69",
"type": "threshold",
"version": 6
"version": 7
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
@@ -6434,9 +6458,9 @@
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"rule_name": "Mshta Making Network Connections",
"sha256": "7b3bec275d247d0cc1c4772be5f41fcfca282df6146f830777ed87b4c663f7e5",
"sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624",
"type": "eql",
"version": 107
"version": 108
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"rule_name": "Permission Theft - Detected - Elastic Endgame",
@@ -6566,15 +6590,15 @@
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "32aa247af72d8bfb3ed85d34d5c359b595a21f5b5ef6703aec68875147b2110f",
"sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4",
"type": "query",
"version": 206
"version": 207
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "d9ce411d12a9dcd03a68e93eedabd0fc200c743908746faf634ade8744ff7f32",
"sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd",
"type": "query",
"version": 205
"version": 206
},
"c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
"rule_name": "Egress Connection from Entrypoint in Container",
@@ -6614,15 +6638,15 @@
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67",
"sha256": "801e97235c25019c80a78237b5ef98ff66883e7e236ae9ff293f74ec6ae09aad",
"type": "query",
"version": 103
"version": 104
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "SMB Connections via LOLBin or Untrusted Process",
"sha256": "7205a9074f6d1e38cc1e10e53f9a19ab2e7ec6839e4975def4e58ff917026a40",
"sha256": "5d272b19dcb9cdb2beaf0e6124ebad3b1ecfd48dab9d60987f7ef8bc5bab5318",
"type": "eql",
"version": 111
"version": 112
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"rule_name": "Virtual Machine Fingerprinting via Grep",
@@ -6638,9 +6662,9 @@
},
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"rule_name": "Parent Process PID Spoofing",
"sha256": "43c26bdd413e7e6c52b50b9c579663b2ab48285b83a1f794fd636727baf21733",
"sha256": "b829c4a07bfb5c509b1c4bd6241656300dcb169905e9882e8e5c905f621f03d4",
"type": "eql",
"version": 106
"version": 107
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"rule_name": "Potential Linux Ransomware Note Creation Detected",
@@ -6650,15 +6674,15 @@
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "12a36bd9b04dcde6a3310c995ee77a77f6c8b96fbe98821a397ed60a4b20e126",
"sha256": "fdeb8bd3bd36da8482aec51fe088238a05b01313fe6a03b6a96be73499e64c95",
"type": "eql",
"version": 112
"version": 113
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "2e71d6f0faf4ce46650000b4dea642e8a649823fe98c77b0466583464d41bb58",
"sha256": "b6c3999e3b7038dd6d84f41e410f3f357f47f247ca63dab5d626eba35c8f1403",
"type": "eql",
"version": 111
"version": 112
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"rule_name": "Potential Masquerading as Communication Apps",
@@ -6680,9 +6704,9 @@
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "6b71d73f704e96ab028ab9aa5fef9a3b487e35fe5cc322c1a118c9102720af9a",
"sha256": "0f0023fc74fadd22887ee74c13f93f0c5174f8b66d140965587e4972eb2d3647",
"type": "eql",
"version": 8
"version": 9
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
@@ -6698,9 +6722,9 @@
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "8a1f92b90737453373b48d24dd4dfd6e29615794a9ccaf5df7ba1a0ecf5d5e2a",
"sha256": "9cb65197a2a807ee18542e7b91472f606e5474f4bddf8b96b4ae78bf72a1a3d0",
"type": "query",
"version": 207
"version": 208
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"rule_name": "Suspicious Calendar File Modification",
@@ -6732,9 +6756,9 @@
}
},
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "1ff1f2a88a1700579b30e869574672a0f8a4a59710be9c14164041681731b380",
"sha256": "ce1b6ad3aa66993d7eb446cb0b45e2b75f20d505adc12a2bcf198b3a413ee774",
"type": "esql",
"version": 102
"version": 103
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
@@ -6744,9 +6768,9 @@
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "98638b8378e232c3d8a54f3b4ec12fa3eae908ba56a658c7557b22c25766b823",
"sha256": "8457814fe9b8ebb61a453ee3027bcd060740b1a39f87c180f5897bf3d8fbc861",
"type": "query",
"version": 106
"version": 107
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"rule_name": "GCP Pub/Sub Subscription Deletion",
@@ -6756,9 +6780,9 @@
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "b478201ba15dcd2c82b79fa58c4c175e917d642653a86009ecf389042156d85c",
"sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf",
"type": "query",
"version": 207
"version": 208
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"rule_name": "Potential Process Herpaderping Attempt",
@@ -6768,9 +6792,9 @@
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "06745b57fd263169ae59b2d860b840a6deb4a911da424fa9267827a54e77c61f",
"sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c",
"type": "query",
"version": 206
"version": 207
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
@@ -6798,15 +6822,15 @@
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "68ad2d14c4876759c36eb2916aee5dc6a93ce9aba5183bea4fde222d94ad4fa5",
"sha256": "fb512e2a04b7bf3b8549b73433d2f7f16c1fc0028ad3a8730030fc324bd23ee6",
"type": "eql",
"version": 207
"version": 208
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"rule_name": "Okta User Session Impersonation",
"sha256": "0a3253294eddbc09d843b81fe8f461f26e5b01e8456dc88dbce7c79923ff93b7",
"sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7",
"type": "query",
"version": 207
"version": 208
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.12",
@@ -6826,9 +6850,9 @@
},
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
"rule_name": "Shadow File Modification",
"sha256": "81f59855dd3863c54604646a10250287d80095942c3a3bc9eee85d811a248f72",
"sha256": "ab59547a675e69ef560b0060dc95a158b1e98d40da959d1e6102a4474c39afbe",
"type": "eql",
"version": 1
"version": 2
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
@@ -6850,9 +6874,9 @@
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "15e692b56a4792a0434440ea85ef264cbfb31e1ebd9bdc618a03987f928a53a1",
"sha256": "f9935260008893683196e7baade711c8c71a9faf9ece159608690d70c3a3e57c",
"type": "query",
"version": 205
"version": 206
},
"cf575427-0839-4c69-a9e6-99fde02606f3": {
"rule_name": "Unusual Discovery Activity by User",
@@ -6868,9 +6892,9 @@
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "a393bd450241c1b01693e2fcf00e8a5a910da4abc38680caafe586ec6b7a5413",
"sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe",
"type": "eql",
"version": 113
"version": 114
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"rule_name": "Archive File with Unusual Extension",
@@ -6934,15 +6958,15 @@
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "e216fb5c63c285bab589efe63deac014169c80b00d8d95dfb3629dddf16891c7",
"sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7",
"type": "eql",
"version": 111
"version": 112
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "c871e4891716136e22d22dfa458545b59d2c6f10619d707d4c806bce32117f75",
"sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548",
"type": "eql",
"version": 113
"version": 114
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"rule_name": "Remote Windows Service Installed",
@@ -6970,9 +6994,9 @@
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6",
"sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb",
"type": "query",
"version": 205
"version": 206
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
@@ -7019,9 +7043,9 @@
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "537f87bddcb81e9ba189e215fbb67e630dc5362f718cb3d8e57f843bd129033a",
"sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e",
"type": "query",
"version": 206
"version": 207
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"rule_name": "Service Command Lateral Movement",
@@ -7115,9 +7139,9 @@
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
"sha256": "8bf03857acd5416922cae6018a42266418009a83c60f4fa6388d0ac603af5f0b",
"sha256": "fafc9b93a08a48425d81e9b8d77c65427d4a0059c9002836e7cd43db72fb0365",
"type": "query",
"version": 104
"version": 105
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"rule_name": "Untrusted Driver Loaded",
@@ -7221,9 +7245,9 @@
},
"dc61f382-dc0c-4cc0-a845-069f2a071704": {
"rule_name": "Git Hook Command Execution",
"sha256": "282fc3f8ccba0ee2e2712e27b8c470536176a5b702f23fded8742b217ac7e540",
"sha256": "343b1b3846b8995220cd5a2462610b56200a929f418593766ed4d6be59d611c6",
"type": "eql",
"version": 1
"version": 2
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
@@ -7263,9 +7287,9 @@
},
"dd52d45a-4602-4195-9018-ebe0f219c273": {
"rule_name": "Network Connections Initiated Through XDG Autostart Entry",
"sha256": "3d195d2619285bfbd6aca75e191418a6b62714cfd361ca97b4f700816d1f7663",
"sha256": "9d09534c9e25cb62cc2ac0983ac2a41afb47c19dfec4625145ed0922d5c490d6",
"type": "eql",
"version": 2
"version": 3
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"rule_name": "Reverse Shell Created via Named Pipe",
@@ -7379,9 +7403,9 @@
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "19b34876e0825396f2b8927609d08f7ba1b4401e0db2baf6f757df3fc826c18e",
"sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068",
"type": "threshold",
"version": 208
"version": 209
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
@@ -7449,9 +7473,9 @@
}
},
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "31536a11d590cece9331f011d8354e03c5452833563053431fcec39ce7de39de",
"sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2",
"type": "query",
"version": 213
"version": 214
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"min_stack_version": "8.11",
@@ -7523,9 +7547,9 @@
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "2612a73932324f2d0d2d71d184740ba05e67dee72b389d4dd7a60b54c96ee46d",
"sha256": "a12fc5ac4681febd200e96fa86740a7e2de167ef46d88241bac338e2664351a8",
"type": "eql",
"version": 112
"version": 113
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"rule_name": "First Time Seen NewCredentials Logon Process",
@@ -7535,9 +7559,9 @@
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "6d57260382880fab2e20021bd0235b13974bf1bde3fcdb2fe4b85484ea80f4c6",
"sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3",
"type": "query",
"version": 206
"version": 207
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"rule_name": "Service Creation via Local Kerberos Authentication",
@@ -7553,9 +7577,9 @@
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "91e053deeef1fbe832a95085ef68f2122ba06d94e64114a2d0e61cf3f1d64d6f",
"sha256": "c208e0210c900747a4eaa68c93e32df981d3e2f5bb72a17177582c3b6ea60501",
"type": "query",
"version": 205
"version": 206
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
@@ -7577,9 +7601,9 @@
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"rule_name": "Possible Okta DoS Attack",
"sha256": "065c5e51d3541a24ee401d4b9da8787e8fb858c1e89938d7f7fa8daf46e7199e",
"sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e",
"type": "query",
"version": 205
"version": 206
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
@@ -7641,11 +7665,17 @@
"type": "query",
"version": 207
},
"e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
"rule_name": "Network Connection by Cups or Foomatic-rip Child",
"sha256": "5537d2a44f881bfebdb8606aac6d5674c620607d55bb4822209da2cb5f3caa40",
"type": "eql",
"version": 1
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "52c8b5a28396e2845c251c50f47cb8b13a846a171ca7f49a6320a18e9ea9ee15",
"sha256": "b576b9312a24eace9741a55d9454c1c62f3b238d1d890bd98ee5d0f0ff2c20e0",
"type": "eql",
"version": 110
"version": 111
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"rule_name": "Installation of Security Support Provider",
@@ -7673,9 +7703,9 @@
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "6634f9bec3320679b3bd0b35bff114eac9820ee185c7345ca2d15e8cd1d53bce",
"sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4",
"type": "threshold",
"version": 208
"version": 209
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"rule_name": "AWS EC2 VM Export Failure",
@@ -7745,9 +7775,9 @@
},
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
"rule_name": "Suspicious APT Package Manager Network Connection",
"sha256": "661da391dd78348e6362f2c0adfd6989bbbe145a0119ef4fc58a6b960cbcff03",
"sha256": "805fa189545f981d575ddc36086ba698c6cab425b1ecf2c09c8f857aa7db539f",
"type": "eql",
"version": 3
"version": 4
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
@@ -7810,9 +7840,9 @@
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "42a3ab803111a0c2ce392dd64b561f83571b15eb3610601857f4616d1528014e",
"sha256": "7997ce4c4ea3c3ef0d1adec59cb16f13f15a066fbf0ce32911c176a9d52c6efe",
"type": "eql",
"version": 111
"version": 112
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"rule_name": "File Made Executable via Chmod Inside A Container",
@@ -7858,9 +7888,9 @@
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "6015ee3b4d4c29fbd1e06ca5bb2947716089acffc92c07d1e1ef36a3aace0a7c",
"sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05",
"type": "query",
"version": 206
"version": 207
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"rule_name": "ImageLoad via Windows Update Auto Update Client",
@@ -7870,15 +7900,15 @@
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"rule_name": "Linux User Account Creation",
"sha256": "95cad73c0f9c90ae0aca50ad6528161624c9d694075e6761ef195da867643c08",
"sha256": "4af9d5eb4553ab22a10d185542796bf3827c9c57126d958da584089a9b4181a6",
"type": "eql",
"version": 5
"version": 6
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "7957913d2c6870b3555352c9d5fff8bfa7ff001d9caf6ea1db026023c46d044c",
"sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c",
"type": "query",
"version": 103
"version": 104
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"rule_name": "Unusual Print Spooler Child Process",
@@ -7948,9 +7978,9 @@
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "129a8d5f0cd2075e7fe6a38059a5ddcd26d18f1d6b9d8b93950bf60863671395",
"sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6",
"type": "query",
"version": 205
"version": 206
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
@@ -7984,9 +8014,9 @@
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af",
"sha256": "da7ef3b91f3643cdf38700c894afdb9c990e17ed9711f5e4a7e4133589c98b04",
"type": "query",
"version": 2
"version": 3
},
"f2015527-7c46-4bb9-80db-051657ddfb69": {
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
@@ -8032,9 +8062,9 @@
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
"sha256": "61a244bcc42e7fe6a8d29bc90399d36b2b0533e2c59f79ecc436f42c7ae1ae63",
"sha256": "3ac6f85158571e7ae9821f8407cf1039e071354f5ae798cd907c077d71b4ef58",
"type": "eql",
"version": 6
"version": 7
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
@@ -8118,9 +8148,9 @@
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"rule_name": "Windows Script Executing PowerShell",
"sha256": "708503003bcee46e11babb11f8aa31370e2b00f8819ad6b533d88ae777974577",
"sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c",
"type": "eql",
"version": 111
"version": 112
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"rule_name": "SSH Connection Established Inside A Running Container",
@@ -8243,6 +8273,12 @@
"type": "query",
"version": 106
},
"f86cd31c-5c7e-4481-99d7-6875a3e31309": {
"rule_name": "Printer User (lp) Shell Execution",
"sha256": "8c82f7ae81e70899a3291b174c982e42800a293504f4224e5b966446845357bb",
"type": "eql",
"version": 1
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd",
@@ -8288,15 +8324,15 @@
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "248121396e46c80ff9a64d88848fd372e40eef61b3d43d31e6ef56a70477f392",
"sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b",
"type": "query",
"version": 205
"version": 206
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "2cfc1d8a49043543fe0beb20b526b279d0e46c2af82b88fe304ab06d86bf97c2",
"sha256": "047b8cd1964481be440c7186d72ce524d343cb9aef77ae92e9f48b47f18b27f0",
"type": "eql",
"version": 110
"version": 111
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"rule_name": "Potential External Linux SSH Brute Force Detected",
@@ -8383,9 +8419,9 @@
},
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
"rule_name": "User or Group Creation/Modification",
"sha256": "7d0cd61a7ee1b6b5c420e7c65fa957d464287864d848af99298aefd73ed89184",
"sha256": "d1ea785176a27ff76f628305fa1d57041f59595f8b6e09f99b4b4349c18f1811",
"type": "eql",
"version": 2
"version": 3
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"rule_name": "GitHub App Deleted",
@@ -8413,9 +8449,9 @@
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Suspicious CertUtil Commands",
"sha256": "9dac146019f273e9e16f21ed3bd8ef3623e4bc9c034106b687cedd0be0bfd1ad",
"sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c",
"type": "eql",
"version": 109
"version": 110
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
@@ -8431,9 +8467,9 @@
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"rule_name": "System Binary Moved or Copied",
"sha256": "cf5258393c1c96765c7ec4622413a5fa2b2ed02429b6dbfcaf2db4c1814f0568",
"sha256": "c86b28f11fe883a792c1f4a99ca24524597264470b2dc6d302b02795551ec614",
"type": "eql",
"version": 11
"version": 12
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"rule_name": "PowerShell Kerberos Ticket Dump",
@@ -8449,9 +8485,9 @@
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "93f435cb72d30a8a679257867d908523bc546a21fe8ceaa3f795c09830d3caa8",
"sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada",
"type": "eql",
"version": 113
"version": 114
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"rule_name": "Potential Masquerading as Business App Installer",
@@ -8473,9 +8509,9 @@
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055",
"sha256": "719015ef6c70c2739f12adb7f4e21683f10083d6e8cee6deabba37fcb821f02b",
"type": "query",
"version": 103
"version": 104
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"rule_name": "Potential DGA Activity",
@@ -8485,9 +8521,9 @@
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"rule_name": "Cron Job Created or Modified",
"sha256": "605581cc6adbd551e8e3354e5d289bc809a96070b5ff60171f1c4b73ac505a15",
"sha256": "ed309e5ccb19be6d0cd66d8b65d8c4d28a0fd81f4d5dd3a10bb6a321632bf511",
"type": "eql",
"version": 12
"version": 13
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",