Lock versions for releases: 8.19,9.1,9.2,9.3 (#5818)

github-actions[bot]
2026-03-10 15:33:16 +05:30
committed by GitHub
parent 26d37dd62e
commit 87badac5a0
3 changed files with 409 additions and 236 deletions
+400 -234
@@ -49,9 +49,9 @@
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"rule_name": "Potential Network Scan Detected",
"sha256": "3ba46fc1349a8bf917183c0721c61a73cdb30c9634e35439e7c80008d8f7e8c8",
"sha256": "5484efed9ed2e59b10577e3d86ecbe4dca7de9f28a241e509931c2595d8d9f4c",
"type": "esql",
"version": 14
"version": 15
},
"017de1e4-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Memory Threat - Detected - Elastic Defend",
@@ -68,9 +68,9 @@
"02275e05-57a1-46ab-a443-7fb444da6b28": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"sha256": "952901c0899f5762fcd50e767297ca8ffcf29a6bbb13ae322c70e6c160a8cb18",
"sha256": "cd854516c52abc224cf16271f439eec724281de54a4aa6f6a7ce1013430393af",
"type": "eql",
"version": 1
"version": 2
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"rule_name": "Potential Cookies Theft via Browser Debugging",
@@ -186,15 +186,15 @@
"8.19": {
"max_allowable_version": 100,
"rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "6db6ca7bb4958bfd24a3ebc8ff577a84b540bc4138556d040d11a337439d1043",
"sha256": "6ecf2e6fbea8d375d4737291540983e97ce7ca80ec165d6380a11eab3287782c",
"type": "esql",
"version": 1
"version": 2
}
},
"rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "6db6ca7bb4958bfd24a3ebc8ff577a84b540bc4138556d040d11a337439d1043",
"sha256": "6ecf2e6fbea8d375d4737291540983e97ce7ca80ec165d6380a11eab3287782c",
"type": "esql",
"version": 101
"version": 102
},
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
@@ -220,6 +220,12 @@
"type": "eql",
"version": 216
},
"054853f3-2ce0-41f3-a6eb-4a4867f39cdc": {
"rule_name": "M365 Defender Alerts Signal",
"sha256": "35c1046191b7ca47e3823cf1bd6d886e46229c2c7a24ddf6d2a71f52b7756723",
"type": "query",
"version": 1
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "b041eda883625c151da07f6f712fa59b323ed321f5facabe50784b6d214b2835",
@@ -259,9 +265,9 @@
},
"05f2b649-dc03-4e9a-8c4e-6762469e8249": {
"rule_name": "Suspicious AWS S3 Connection via Script Interpreter",
"sha256": "6ad0f3169c575ac9324d80b785de1bf27cb43f9886ea367449546e050a7aa111",
"sha256": "98707dba65515504ddccd478b6d990937253b23206d517eec8fb008262a30d53",
"type": "esql",
"version": 1
"version": 2
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"rule_name": "Remote System Discovery Commands",
@@ -355,9 +361,9 @@
},
"083383af-b9a4-42b7-a463-29c40efe7797": {
"rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation",
"sha256": "b4f1a15ffdc521c66555c9bd089d50abcfd235fac9000ac6f00520cf4cf35d8e",
"sha256": "1cab7c406a0a2310ac6081b7332ff99c4f29843587b48401e6b8fcb7f8006d21",
"type": "esql",
"version": 8
"version": 9
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"rule_name": "Suspicious Hidden Child Process of Launchd",
@@ -379,9 +385,9 @@
},
"08933236-b27a-49f6-b04a-a616983f04b9": {
"rule_name": "Alerts From Multiple Integrations by Destination Address",
"sha256": "cc691ed6a93307a1173fd5fda394c29fdc98d2fa7ac909db45e82b9df3e4e378",
"sha256": "d6accf93019b97c82298a163af364a097f31b22146454acba734fd8f76d90c6e",
"type": "esql",
"version": 2
"version": 3
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"rule_name": "Windows Account or Group Discovery",
@@ -439,9 +445,9 @@
},
"098bd5cc-fd55-438f-b354-7d6cd9856a08": {
"rule_name": "High Number of Closed Pull Requests by User",
"sha256": "1178ccd0ea843bd94fae7d9a3f3b31228756bfdbbd9ba9701bac9ad9834f3106",
"sha256": "ff907a6ea72cb5c7385c4bd5df56b41d6fe30d15ad9c631e4e85cc03ec5aa94d",
"type": "esql",
"version": 1
"version": 2
},
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
@@ -517,9 +523,9 @@
},
"0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": {
"rule_name": "Elastic Defend and Network Security Alerts Correlation",
"sha256": "0ccc6af15fd729f5cb81b8ea88ff1f4911d30b894f58d96a3ba32ef834d614d7",
"sha256": "6c598d2eefbd251000e42180ee7d6cf054a1ee4b470d12f784a85bec03c01cb6",
"type": "esql",
"version": 5
"version": 6
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces",
@@ -583,9 +589,9 @@
},
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"rule_name": "Multiple Alerts Involving a User",
"sha256": "2401df104749aaee63b22f70fa9419c84429ffd9480bff391344fd449d1b4e57",
"sha256": "f65217585fc96240d13bc4de41e59f92b3ce81627267bebed176d7add7fa5697",
"type": "esql",
"version": 6
"version": 7
},
"0d3d2254-2b4a-11f0-a019-f661ea17fbcc": {
"rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph",
@@ -606,10 +612,20 @@
"version": 113
},
"0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 204,
"rule_name": "AWS Access Token Used from Multiple Addresses",
"sha256": "8fa1e1fae1b9df0dcbf613745f11a37be91a3a4f12fffdfb2683e0d606fdb20b",
"type": "esql",
"version": 105
}
},
"rule_name": "AWS Access Token Used from Multiple Addresses",
"sha256": "8fa1e1fae1b9df0dcbf613745f11a37be91a3a4f12fffdfb2683e0d606fdb20b",
"sha256": "25d6b63d8ad4a081ad48d656666160d13bde2d0fac22a33427f2f6cdf5395cc1",
"type": "esql",
"version": 105
"version": 205
},
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
@@ -631,15 +647,15 @@
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"rule_name": "M365 SharePoint Malware File Detected",
"sha256": "b404f46b09bdd995617e194b53076b9dd47c5cd07d76c9f872e2639656612777",
"sha256": "14a1af1d926f42ad0025a51954a328ea770e664a871c163227e8597b49329bf3",
"type": "query",
"version": 211
"version": 212
},
"0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
"rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token",
"sha256": "c5c25c606f65d1dd93f7bb4554ef93fa844d008166cd092acbbb3fedbd622373",
"rule_name": "M365 OneDrive/SharePoint Excessive File Downloads",
"sha256": "b6c8e87bc4292bde1ff1eaa810648c48bab7c0f07e0d8c39bc7b3f714fd32d5f",
"type": "esql",
"version": 6
"version": 7
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"rule_name": "GCP Service Account Key Creation",
@@ -649,9 +665,9 @@
},
"0e67f4f1-f683-43c0-8d45-c3293cf31e5d": {
"rule_name": "Lateral Movement Alerts from a Newly Observed Source Address",
"sha256": "cbc38f9092c5b05d934d21db45e1e0795f8743ae2d9a7fbf2b7f4d0652743231",
"sha256": "77726aac9ceb48e0f529980fb81396999b0c6688cf5bab0f232aa63d3a653918",
"type": "esql",
"version": 2
"version": 3
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"rule_name": "MsBuild Making Network Connections",
@@ -703,8 +719,15 @@
},
"0fb25791-d8d4-42ab-8fc7-4954642de85f": {
"rule_name": "Kubernetes Creation or Modification of Sensitive Role",
"sha256": "08d959810b52a5dd296b94b2930b0769db43f5a659b49183d2b3b6412ba706b6",
"sha256": "d431f464078e8ba6df2d879cf09611ed71bb66449f85d3d04c20acaf59179284",
"type": "esql",
"version": 2
},
"0fb83aa0-3d17-41e9-b09c-56397bf7a7d9": {
"min_stack_version": "9.3",
"rule_name": "Decoded Payload Piped to Interpreter Detected via Defend for Containers",
"sha256": "f743bb12bafa53a42bae5f3eb32c50b072927cb62403e1cbd006537e9dae6e63",
"type": "eql",
"version": 1
},
"0fe2290a-2664-4c9c-8263-b88904f12f0d": {
@@ -839,9 +862,9 @@
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"sha256": "3c53427258f633872c95a09f530577cf6a9ed72124f0d10cb5dd29c4d10ff5c1",
"sha256": "e0e45a77fb72c89d7d27f6371c8f82d70d1d23bd3d6f1f962526d6e106e52c1b",
"type": "new_terms",
"version": 208
"version": 209
},
"12cbf709-69e8-4055-94f9-24314385c27e": {
"rule_name": "Kubernetes Pod Created With HostNetwork",
@@ -911,9 +934,9 @@
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "a72b45c3d3656c4c1c594397d228ce07d18624f5c7a8314d0bc95b7f10b1e366",
"sha256": "c3e44edb8ffe05292ab119e3e6a439e72576953fd826f11cac889b1df3eea2bf",
"type": "query",
"version": 107
"version": 108
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"rule_name": "Office Test Registry Persistence",
@@ -1075,9 +1098,9 @@
},
"171a4981-9c1a-4a03-9028-21cff4b27b38": {
"rule_name": "Suspected Lateral Movement from Compromised Host",
"sha256": "80cdb6c15c3dc9c7375625fea1c89ea54b6b480756a234873c252e3d23262eed",
"sha256": "48e0f928ed481c3e3c645ecfad961dfa891e8afe2e2b8ae94990745ace5522fb",
"type": "esql",
"version": 3
"version": 4
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
@@ -1225,9 +1248,9 @@
},
"19f3674c-f4a1-43bb-a89c-e4c6212275e0": {
"rule_name": "GitHub Exfiltration via High Number of Repository Clones by User",
"sha256": "55ac8f0658482004ba41518fb5ae40b6a8c4a8bcaa38011c90564b29a6fdcb21",
"sha256": "b293b29ab681ba26a92119332275e4c89a2bc3dd8a598d9f9b0968a5c264d2ad",
"type": "esql",
"version": 1
"version": 2
},
"1a1046f4-9257-11f0-9a42-f661ea17fbce": {
"rule_name": "Azure RBAC Built-In Administrator Roles Assigned",
@@ -1259,9 +1282,9 @@
},
"1a3d5b36-b995-4ace-9b85-8a0af429ccf6": {
"rule_name": "Newly Observed High Severity Detection Alert",
"sha256": "9b24d5e3affe2f35f066b5e0f89bebbd70db28c0e993d6416198c571abe32b00",
"sha256": "29750080e44ba02bb3c10e8a58ca3288e54debe1660f33b1e3d7a40247dcc479",
"type": "esql",
"version": 3
"version": 4
},
"1a3f2a4c-12d0-4b88-961a-2711ee295637": {
"rule_name": "Potential System Tampering via File Modification",
@@ -1325,9 +1348,9 @@
},
"1bb329a5-2168-4da5-b7b9-d42a51deb6dd": {
"rule_name": "Correlated Alerts on Similar User Identities",
"sha256": "c22e2f137482efcaa87dab19dc3553e257a9b32c721d931dd4986205af482070",
"sha256": "a3ef283129c4f9b2d2ff401a29cf89bafab9d5241edd4760ffc71517c9f865cc",
"type": "esql",
"version": 1
"version": 2
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
@@ -1419,6 +1442,13 @@
"type": "query",
"version": 112
},
"1dc56174-5d02-4ca4-af92-e391f096fb21": {
"min_stack_version": "9.3",
"rule_name": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers",
"sha256": "40236f57640750a3b31ff46c28be35c721abe771fc5b5775af8eec75337a763e",
"type": "eql",
"version": 1
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "1aa8b91518fa800db672ea1885139d417ebbaaee15004144118a44663c79ea1b",
@@ -1427,9 +1457,9 @@
},
"1dd99dbf-b98d-4956-876b-f13bc0ce017f": {
"rule_name": "Alerts From Multiple Integrations by User Name",
"sha256": "f8ab4d8f44427fc8a987c9866f83bf76d09c1af99ec349ea6584a5c7d288624b",
"sha256": "5b591df265379ba718a43e0d8ae57ae7b2e96d60ea25cc141bb89faa9fffa7bf",
"type": "esql",
"version": 2
"version": 3
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"rule_name": "Suspicious Inter-Process Communication via Outlook",
@@ -1639,9 +1669,9 @@
"227cf26a-88d1-4bcb-bf4c-925e5875abcf": {
"min_stack_version": "9.3",
"rule_name": "Encoded Payload Detected via Defend for Containers",
"sha256": "d6ebb5e57c278b1a9b1275aee015d7e6059d8352ec49837ae572a152c3b44db1",
"sha256": "6a07a74b399cf5346bcf3fb2acdccd01c3489906a3b780afa3a617c278537902",
"type": "eql",
"version": 1
"version": 2
},
"227dc608-e558-43d9-b521-150772250bae": {
"rule_name": "AWS S3 Bucket Configuration Deletion",
@@ -1715,9 +1745,9 @@
},
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
"rule_name": "Potential Okta Brute Force (Device Token Rotation)",
"sha256": "63082f91fd3d3e60377743e9f2e158d948155ddef6efe6db444b026ff31e58b9",
"sha256": "fbd7404391275a1fb3c33e3cb3f065b69b751b4428efb98114c67b17021c2ba9",
"type": "esql",
"version": 209
"version": 210
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"rule_name": "New GitHub Owner Added",
@@ -1752,9 +1782,9 @@
},
"25a4207c-5c05-4680-904c-6e3411b275fa": {
"rule_name": "Multiple Elastic Defend Alerts from a Single Process Tree",
"sha256": "cc4a41b1788e20e2e224d7a150cdead5392cd3baf0aba2e2c1743def950ddcd8",
"sha256": "7454d14373817e95309e9422997b9eb330ec75601215a6d4c0eb4b5c0d237ec6",
"type": "esql",
"version": 1
"version": 2
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"rule_name": "Network Activity Detected via Kworker",
@@ -1904,9 +1934,9 @@
},
"283683eb-f2ce-40a5-be16-fa931cb5f504": {
"rule_name": "Newly Observed Palo Alto Network Alert",
"sha256": "06c0ee8d2a9f83935613ee16386a41ee145a2726d82b353478873f07690880b9",
"sha256": "55f2451b2b926a62fba0cf39411dbdf9e3ab7b8893f5de6f6f67983d14178ffd",
"type": "esql",
"version": 1
"version": 2
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
@@ -1940,9 +1970,9 @@
},
"288a198e-9b9b-11ef-a0a8-f661ea17fbcd": {
"rule_name": "AWS STS Role Assumption by User",
"sha256": "77240b497ebf8b7b46e0d2d0c8be1f5bac792a097eef68aa119d7eebae565b41",
"sha256": "27c7aa43b06bcdf5a54290f27d411866cfc693c85f82ab73c01872b76435defe",
"type": "new_terms",
"version": 6
"version": 7
},
"28bc620d-b2f7-4132-b372-f77953881d05": {
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
@@ -2066,9 +2096,9 @@
},
"2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": {
"rule_name": "Newly Observed FortiGate Alert",
"sha256": "663c7f29972d07ea8412e1361e05b81f3e4820304cea1a7cbd45ab3dbd6e05ea",
"sha256": "a03c57f295928b0d76701bfde0f0f24c71f4f0468545519ef16b580061b27cff",
"type": "esql",
"version": 2
"version": 3
},
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
"rule_name": "Potential Foxmail Exploitation",
@@ -2090,9 +2120,9 @@
},
"2d3c27d5-d133-4152-8102-8d051619ec4a": {
"rule_name": "Potential Okta Password Spray (Multi-Source)",
"sha256": "69a3614d945637f774498b8d5a3480e7b78ac31b378cb9056696c5816692a51e",
"sha256": "aaafdc1afbc528d12bc055c3b9dca2d9057d8a4c2cc482e31728d931115c0b58",
"type": "esql",
"version": 1
"version": 2
},
"2d58f67c-156e-480a-a6eb-a698fd8197ff": {
"rule_name": "Potential Kerberos Relay Attack against a Computer Account",
@@ -2137,9 +2167,9 @@
},
"2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": {
"rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected",
"sha256": "eaf9d7580fe68d994bc9dd5059a77678717d826f1027ca65b9dbb286ab41f332",
"sha256": "08dc663e2efbf90abf4ead11bcf832d3c646081461d593b9b1ca097c52a8b111",
"type": "esql",
"version": 1
"version": 2
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"rule_name": "Suspicious Process Access via Direct System Call",
@@ -2310,6 +2340,12 @@
"type": "query",
"version": 105
},
"314557e1-a642-4dbc-af43-321bc04b6618": {
"rule_name": "M365 Security Compliance Admin Signal",
"sha256": "96f0acbb1e0769543a2b94ad428a81031d4f2f99da97acea5bd7a636725b64eb",
"type": "query",
"version": 1
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "15ec1bf4d34174c04c219abeeaf5b0b370bd00a31d1c2b24d99ea9120ffee8f3",
@@ -2820,16 +2856,16 @@
},
"3db029b3-fbb7-4697-ad07-33cbfd5bd080": {
"rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins",
"sha256": "470c107267da141be2217d27cd274e817711841e76123cf594f719816710abc4",
"sha256": "d3dc62e69239981e53542dd69d147adb8924ff76106d1ccb90d05c4862c3f03e",
"type": "esql",
"version": 3
"version": 4
},
"3dc4e312-346b-4a10-b05f-450e1eeab91c": {
"min_stack_version": "9.3",
"rule_name": "LLM-Based Compromised User Triage by User",
"sha256": "74320f5342f4057795f4d98338ee0b6f3faf00125e6e3df43ed7f3e4e7a47c8c",
"sha256": "f7d7a3d2b3fa34c89c46ec93946265b367223bda8341a57198fb272f8bd91505",
"type": "esql",
"version": 2
"version": 3
},
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
"rule_name": "AWS SNS Rare Protocol Subscription by User",
@@ -2875,9 +2911,9 @@
},
"3e528511-7316-4a6e-83da-61b5f1c07fd4": {
"rule_name": "Remote File Creation in World Writeable Directory",
"sha256": "9828e9212b4a3c92f221380dccf1262425c653acfe104ac8aa3f03472b438ba5",
"sha256": "0cb04efb6341ee2e9701dfb0c64bc7685bbe040b6e31d895935fe01ef04be3ab",
"type": "new_terms",
"version": 5
"version": 6
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
@@ -2893,9 +2929,9 @@
},
"3ee526ce-1f26-45dd-9358-c23100d1121f": {
"rule_name": "Linux Audio Recording Activity Detected",
"sha256": "52d0a63b56d839189718871baa722279fa701065e67a13f2bb4ab7ffb8e4dba2",
"sha256": "25b189c8cc3cec6eaf6f44babd229e8590b233434678bbfcdacb28cdd93364f5",
"type": "new_terms",
"version": 1
"version": 2
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
@@ -2923,9 +2959,9 @@
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"rule_name": "Process Discovery via Built-In Applications",
"sha256": "8834d4d7524a430c407512c2b2dc55f84b9717a8ad1c6ff1e39d18e62cd07805",
"sha256": "69d7a45361fa360c7008395ce81012bd3497330d2b62c25ebfd1913cbd58a87b",
"type": "new_terms",
"version": 6
"version": 7
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"rule_name": "Unusual Time or Day for an RDP Session",
@@ -3075,15 +3111,15 @@
},
"428e9109-dc13-4ae9-84cb-100464d4c6fa": {
"rule_name": "Unusual Login via System User",
"sha256": "3433a7964722e2b13f7993e693f3a518fea97549609c9af49b3c1aa889cb15d8",
"sha256": "6827d23b4b308b9c67cf7b406b2045535b0fdc580189116432682385555b8a3a",
"type": "new_terms",
"version": 5
"version": 6
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"rule_name": "Potential Okta Password Spray (Single Source)",
"sha256": "20af1f7f7992e83abaf5da57e9a22025998a2be4ab340f0ca68d5720c21a757d",
"sha256": "0c7e12d72953b3c07806fef01d5da914e1fadf25c25a821eea63561154a53f74",
"type": "esql",
"version": 416
"version": 417
},
"42c97e6e-60c3-11f0-832a-f661ea17fbcd": {
"rule_name": "Entra ID External Authentication Methods (EAM) Modified",
@@ -3209,9 +3245,9 @@
},
"472b4944-d810-43cf-83dc-7d080ae1b8dd": {
"rule_name": "Multiple Cloud Secrets Accessed by Source Address",
"sha256": "94ea66cd4f032738d36c46db9a1c7d5a6a84f64eeacd41a0e6c3f8fb4b6942a6",
"sha256": "ff41c11baab351eaebba65c96b1a87529582ee93161f65f77b892e94374ace8b",
"type": "esql",
"version": 3
"version": 4
},
"47403d72-3ee2-4752-a676-19dc8ff2b9d6": {
"rule_name": "AWS IAM OIDC Provider Created by Rare User",
@@ -3304,9 +3340,9 @@
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "02dec96d19dea37cecb92dbc3df4e0d0e211f6cb9fa09438aba02575ea4482c8",
"sha256": "203a6f49d298d9d11ea3837d9fa044d9b18cad4ed9a7c88776386eeadec80b5e",
"type": "esql",
"version": 116
"version": 117
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
@@ -3332,6 +3368,12 @@
"type": "eql",
"version": 6
},
"491651da-125b-11f1-af7d-f661ea17fbce": {
"rule_name": "M365 SharePoint/OneDrive File Access via PowerShell",
"sha256": "b0ba8c5ebe208355146f0f9744658c7e7f9984f4ec6b5fa1db9a3568a97389df",
"type": "query",
"version": 1
},
"493834ca-f861-414c-8602-150d5505b777": {
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "ebb9007ad27001cdcce71f4a7afd8ac119b58dd0d5e483f569eb30251b762431",
@@ -3358,10 +3400,10 @@
},
"497a7091-0ebd-44d7-88c4-367ab4d4d852": {
"min_stack_version": "9.3",
"rule_name": "Web Server Child Shell Spawn Detected via Defend for Containers",
"sha256": "2836307f3b351a22d2986635ec61828cb144fabc433c6320de3eaa7c42f2d530",
"rule_name": "Web Server Exploitation Detected via Defend for Containers",
"sha256": "7472e79abc8837f88013d2d6772b889d8508248d6455205e9f51839bdd0512f8",
"type": "eql",
"version": 1
"version": 2
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"rule_name": "Process Discovery Using Built-in Tools",
@@ -3375,22 +3417,22 @@
"8.19": {
"max_allowable_version": 106,
"rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "ff1e6fb43f0632db21046ece71d7058ab3cee78192896d0f3a94b2c4d381c440",
"sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql",
"version": 7
"version": 8
},
"9.1": {
"max_allowable_version": 206,
"rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "8aa466b92052814d35b6235ef0f0cf8bae090247c85ceacc0a8dc6f29e8f02d2",
"sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql",
"version": 107
"version": 108
}
},
"rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "1eb81cd186255e2682840b619c6fb99b4336bd278ada27f0d233b59ecd44c77f",
"sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql",
"version": 207
"version": 208
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
@@ -3458,9 +3500,9 @@
},
"4b77d382-b78e-4aae-85a0-8841b80e4fc4": {
"rule_name": "Kubernetes Forbidden Request from Unusual User Agent",
"sha256": "bce55d444f06dadedac1ad5fcab4e1b83ad531d1a3c30d85dac9d116dfb2998a",
"sha256": "96f9b15e64a5aae3a06bb23e8ef6300fa3c5410b9e4105647ebcc1f58ab564f9",
"type": "new_terms",
"version": 3
"version": 4
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"rule_name": "ProxyChains Activity",
@@ -3474,6 +3516,12 @@
"type": "machine_learning",
"version": 7
},
"4bae6c34-57be-403a-a556-e48f9ecef0b7": {
"rule_name": "M365 Quarantine and Hygiene Signal",
"sha256": "3867e20407fa8e99b982da896d109a4bdf4a843a97dbd1931bce9c4ea41f6819",
"type": "query",
"version": 1
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "08f92365c8289d32623711be239952da8e2d840c26fc0c8cd00126ee17684e8f",
@@ -3571,6 +3619,12 @@
"type": "query",
"version": 413
},
"4f2654e4-125b-11f1-af7d-f661ea17fbce": {
"rule_name": "M365 SharePoint Search for Sensitive Content",
"sha256": "f1b0c07102a00a597a4213a80a301d7d51d4d784c15d6641cd09775742725dfe",
"type": "eql",
"version": 1
},
"4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
"rule_name": "Kernel Unpacking Activity",
"sha256": "e98cdfe47f6f762212f97a88c9e9242fe21f61b9c7ea51aeab5e6492b9609ccb",
@@ -3591,9 +3645,9 @@
},
"50742e15-c5ef-49c8-9a2d-31221d45af58": {
"rule_name": "Okta Successful Login After Credential Attack",
"sha256": "55bee654e447f1127392b0f508b6b48a0436e8d2b9889b59329c8696c39cfc38",
"sha256": "cf4ea6ec96f91bf55c3c6f1eca9cc056966f470e390fcba12bbe8e6264352a14",
"type": "esql",
"version": 1
"version": 2
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
@@ -3682,9 +3736,9 @@
"527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": {
"min_stack_version": "9.3",
"rule_name": "Tool Installation Detected via Defend for Containers",
"sha256": "60bd0870424af064060e3b1ad24aed4a9995fa9765dae5c3a1e175186c971501",
"sha256": "6a19c11e4ec0d2dbf6539a7ae96322c3cfd2ae84d1d3ddc45b59bfdf5141dd10",
"type": "eql",
"version": 2
"version": 3
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
@@ -3797,9 +3851,9 @@
},
"55a372b9-f5b6-4069-a089-8637c00609a2": {
"rule_name": "First-Time FortiGate Administrator Login",
"sha256": "c8ae5b46d71c1deaa2facaa60f2af5cf5b1ff5ebf20e1db487ae74f4c3be7e8d",
"sha256": "12264a88f6fcad9572c92f14f075c023b869acf3fd69f4ac23d26f7819b71c70",
"type": "esql",
"version": 1
"version": 2
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"rule_name": "Windows Service Installed via an Unusual Client",
@@ -3941,9 +3995,9 @@
},
"5889760c-9858-4b4b-879c-e299df493295": {
"rule_name": "Potential Okta Brute Force (Multi-Source)",
"sha256": "f01353ef2c7832ac2582fd21f0a0b382c87d1523f7b9feedbef273fead65952f",
"sha256": "483f341a689103f78ee0028c88bc8ff03e6d6ce55e6b3bd6e70f13c790a58d36",
"type": "esql",
"version": 1
"version": 2
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry",
@@ -4097,9 +4151,9 @@
},
"5bdad1d5-5001-4a13-ae99-fa8619500f1a": {
"rule_name": "Base64 Decoded Payload Piped to Interpreter",
"sha256": "ee13cbe8118f1116bc492fdb3d0c5492107c61620f936867492a273ae8e2e42f",
"sha256": "a3e5e93104eff8cc43073a34010259addb085407c0b9db48084e216971198b42",
"type": "eql",
"version": 5
"version": 6
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
@@ -4290,9 +4344,9 @@
},
"60c814fc-7d06-11f0-b326-f661ea17fbcd": {
"rule_name": "M365 Threat Intelligence Signal",
"sha256": "91d57ec69f35861a701090f79984b02303e24f68999cf2cf4ca1e8cf430ac5dc",
"sha256": "79dc01a9db946e1a3d5c41a5e8c2af04359b9e44ecee31c16c38a3723d8bab07",
"type": "query",
"version": 2
"version": 3
},
"60da1bd7-c0b9-4ba2-b487-50a672274c04": {
"rule_name": "Discovery Command Output Written to Suspicious File",
@@ -4332,9 +4386,9 @@
},
"618a219d-a363-4ab1-ba30-870d7c22facd": {
"rule_name": "FortiGate FortiCloud SSO Login from Unusual Source",
"sha256": "72da74c741d7d212fe291bf91eec7e01a0a2927b05681655ce4fcdda5b27197b",
"sha256": "d2abab1390a043ad71171a861b542dc9d94f79af253dd0032c1fe0b04e90beb0",
"type": "esql",
"version": 1
"version": 2
},
"618bb351-00f0-467b-8956-8cace8b81f07": {
"rule_name": "AWS S3 Bucket Policy Added to Allow Public Access",
@@ -4416,15 +4470,15 @@
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent",
"sha256": "a51b22abe731e1bf42bee2f8ab1b1e5278704564385639b3e04c29090100abdd",
"sha256": "b5f24bfa2e0ca5124eb8906e21888074cbc74f7ce03972f697e7da5b3a9dd341",
"type": "new_terms",
"version": 10
"version": 11
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent",
"sha256": "34c05c49fad5144c6d74e2060f98c8e4b73196e62fa7d647790619127fd75deb",
"sha256": "67374027e182776c03ce4412cb80c48c6224950afbbd622642c858cd97e5964f",
"type": "new_terms",
"version": 11
"version": 12
},
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
"rule_name": "Sensitive Registry Hive Access via RegBack",
@@ -4476,9 +4530,9 @@
},
"64f17c52-6c6e-479e-ba72-236f3df18f3d": {
"rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
"sha256": "1ba76a28d1221550f249957c43bfccd0a28542d4170ccd39ce015e683cb07d10",
"sha256": "9bb82ad0e9bc06828a6c9959f3e13a9a5b3cb76d96ecae5e74a67b9ab53a6abd",
"type": "esql",
"version": 10
"version": 11
},
"6505e02e-28dd-41cd-b18f-64e649caa4e2": {
"rule_name": "Manual Memory Dumping via Proc Filesystem",
@@ -4621,9 +4675,9 @@
},
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"rule_name": "High Number of Process Terminations",
"sha256": "82a0ae24f8d6d4c866863accc34121f96f99a43a9484b4f778960ac82bdc6be8",
"sha256": "680382f572bc86ba9176bd3c8a36fc5d0e5243f44981819bad005566fcf79f13",
"type": "threshold",
"version": 116
"version": 117
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
@@ -4711,9 +4765,9 @@
},
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
"rule_name": "AWS IAM User Created Access Keys For Another User",
"sha256": "1d9a305b395b414fcbcd48a340bc84de15aadf87a7e92478d4eec8c24f2e1447",
"sha256": "cde5eb69a93612087164e1626195700bd500e73b3e1248816d9a757a270b15bc",
"type": "esql",
"version": 11
"version": 12
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
@@ -4783,9 +4837,9 @@
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
"sha256": "00cbc975bf2bb4c3eabce8c28956e5676b088239f60aedb0397f4e4c6e3bb64e",
"sha256": "21ac45217a2911444af91c4b8718e6c8d41f5981ef2e51a3ad618510a24f804c",
"type": "new_terms",
"version": 212
"version": 213
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"rule_name": "Remote Computer Account DnsHostName Update",
@@ -4829,9 +4883,9 @@
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"rule_name": "Unusual Process For a Windows Host",
"sha256": "a9d9339a8264b3d2300490621a7a0ccff22ea03e314c0467ae20f9d7c0df0b13",
"sha256": "3daaa058e3efafed14592627624d5744ecfbcc23d1d0dc1c4618589616b032a3",
"type": "machine_learning",
"version": 214
"version": 215
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
@@ -4847,9 +4901,9 @@
},
"6ddb6c33-00ce-4acd-832a-24b251512023": {
"rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
"sha256": "13ff8d1f600483ce1e555b28c7a7a4c6b9ffc5be4d95a4a86f2f9d8d0d6c9ac5",
"sha256": "0956563347ca9848e890ebe9a07a4ac68d34ad6b42b34bab5bc227b7b7dd9136",
"type": "esql",
"version": 9
"version": 10
},
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
"rule_name": "Root Certificate Installation",
@@ -4858,10 +4912,10 @@
"version": 106
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "213c2d203380501be08aecccb31169f1fb616edad4188e5f3f290ce6edd7b24c",
"rule_name": "First Time Seen Remote Monitoring and Management Tool",
"sha256": "04511da508ec7e9026719f649c7b3ebaf91040260ce93d63d701522a0b2cf21c",
"type": "new_terms",
"version": 114
"version": 115
},
"6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
"rule_name": "Loadable Kernel Module Configuration File Creation",
@@ -4895,9 +4949,9 @@
},
"6e92a21a-58e7-449a-9cfd-9f563f59ac88": {
"rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host",
"sha256": "0af28c57cd19d5320e05faaad5f00b01898a15bbb2ff2f44b2bad5017e23d748",
"sha256": "2721e5e930982a6897a8da41631c6208072d6a03cb7bd026ece1d156d5308d26",
"type": "esql",
"version": 2
"version": 3
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
@@ -4949,9 +5003,9 @@
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "9868b324f20d976867393dea2d166df6dc944a6a56def58191886a560e656fce",
"sha256": "d58f1b2ff3f4055daa2a2dad3692f51bb7e7934e1801a5a9219b4d5487f74b1b",
"type": "new_terms",
"version": 209
"version": 210
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"rule_name": "Google Workspace Role Modified",
@@ -4985,9 +5039,9 @@
},
"6fcb4fe4-ac74-449d-855b-2bbd5c51c476": {
"rule_name": "Multiple Vulnerabilities by Asset via Wiz",
"sha256": "21d9115cd06ff66fad632bb8536510a76dbedb9bfd94e609eb472df0259fb802",
"sha256": "efc967ea17b6d6bd24680496c417b3ce7a00dbe16a1fa6bd08ed0d87e586e737",
"type": "esql",
"version": 1
"version": 2
},
"70089609-c41a-438e-b132-5b3b43c5fc07": {
"rule_name": "Git Repository or File Download to Suspicious Directory",
@@ -5051,9 +5105,9 @@
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "023d335e7994287cf47e5055a04d04bc7efbae9a37037f8b97335c8fcdfd1d28",
"sha256": "f99e79395663b62abc9522267b9d5174757d2af93dd136bb6f8834c55ef2d6e8",
"type": "new_terms",
"version": 213
"version": 214
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"rule_name": "Unusual File Creation - Alternate Data Stream",
@@ -5129,9 +5183,9 @@
},
"7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8": {
"rule_name": "Newly Observed Elastic Defend Behavior Alert",
"sha256": "4f9d023add64723c8fdf24169e4519f072bda1e755b54d885a9ab3fd282c4158",
"sha256": "991c0b527369d84cb5ee39d4b00d92c6f07f1ea690d1589e4b8a2324575ff59e",
"type": "esql",
"version": 2
"version": 3
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"rule_name": "Suspicious JetBrains TeamCity Child Process",
@@ -5334,9 +5388,9 @@
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"rule_name": "Potential Network Sweep Detected",
"sha256": "5c20b27d9972a603b528e757f9a230227c795bc88289b7bb230b6f6bb2112750",
"sha256": "d6a7aee26189c060e18f3968d98c5c20583366dd1285c8ec97f92fff6e54fa0b",
"type": "threshold",
"version": 13
"version": 14
},
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
"rule_name": "Yum/DNF Plugin Status Discovery",
@@ -5356,6 +5410,12 @@
"type": "query",
"version": 109
},
"78c6559d-47a7-4f30-91fe-7e2e983206c2": {
"rule_name": "Unusual Kubernetes Sensitive Workload Modification",
"sha256": "f76ed0d7a2b70dd121cafecc10eb29a699db9fac35dac6c3f7f771e25cfbcd63",
"type": "new_terms",
"version": 1
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"rule_name": "Spike in AWS Error Messages",
"sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89",
@@ -5457,6 +5517,12 @@
"type": "new_terms",
"version": 6
},
"7ab5b02c-0026-4c71-b523-dd1e97e15477": {
"rule_name": "M365 AIR Investigation Signal",
"sha256": "7c2b1e9f0ab3d40c7743bcdd398666dea7ce01f11bbb9e71369a218dc1463f85",
"type": "query",
"version": 1
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "b1a7438795c58d0002c7f5acb4e0a0e859379c4d78e74453f89e03d1177191c9",
@@ -5531,9 +5597,9 @@
},
"7d02c440-52a8-4854-ad3f-71af7fbb4fc6": {
"rule_name": "Alerts From Multiple Integrations by Source Address",
"sha256": "a61eb0d371a4caab4caa6d7283fbb4b4603fa27b28ebebb02a0b43a5b6f78cec",
"sha256": "1b10a9f9c9fdd43c1e8e5a1457824e37efbddc0f82866117cf399d9e5831b8ae",
"type": "esql",
"version": 2
"version": 3
},
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
"rule_name": "AWS Lambda Layer Added to Existing Function",
@@ -5699,9 +5765,9 @@
},
"8167c5ae-3310-439a-8a58-be60f55023d2": {
"rule_name": "Suspicious Named Pipe Creation",
"sha256": "fd8454b2d4f97083b893c89b35068c9403dc7aab3220e1c766af3c15bade3745",
"sha256": "253e887c55def671178ffe4b57883d3bc98217574f194ba83ff1120724e1a7e3",
"type": "new_terms",
"version": 4
"version": 5
},
"81892f44-4946-4b27-95d3-1d8929b114a7": {
"min_stack_version": "9.3",
@@ -5830,11 +5896,18 @@
"type": "new_terms",
"version": 216
},
"85d9c573-ad77-461b-8315-9a02a280b20b": {
"min_stack_version": "9.3",
"rule_name": "Process Killing Detected via Defend for Containers",
"sha256": "801e043b5aec7ea7952aa8ade78a681fd2bb3fdde4e305a4c8dae8cda599d58d",
"type": "eql",
"version": 1
},
"85e2d45e-a3df-4acf-83d3-21805f564ff4": {
"rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
"sha256": "7fd3bf166c197928c42d5da7436ced831f7387e7d7f015061f5ecf693dd830df",
"sha256": "c396f8d6ed3ce693a1e895c47d620e54b123aade8d0fe2f21984be74f6d47b0c",
"type": "esql",
"version": 8
"version": 9
},
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
"rule_name": "Potential Subnet Scanning Activity from Compromised Host",
@@ -5920,9 +5993,9 @@
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"rule_name": "Linux Clipboard Activity Detected",
"sha256": "0609fa45fbe6cea511043d6db444fe7586411718c17a3158936cd5006b2b1167",
"sha256": "586482d2e766199d7d20451c536089086726536ce2d6b78324c97ca9e8a27dac",
"type": "new_terms",
"version": 9
"version": 10
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"rule_name": "M365 Identity Global Administrator Role Assigned",
@@ -6022,15 +6095,15 @@
},
"8a1db198-da6f-4500-b985-7fe2457300af": {
"rule_name": "Kubernetes Unusual Decision by User Agent",
"sha256": "02bd2e5594b646fce653c4f45cd7fe8be705a608f5bf1ff46d0a0efcc0dddb22",
"sha256": "1e224a2bc29fa5fe95faf7db7dd26935a7eaea101a9e5bada56484b937112be5",
"type": "new_terms",
"version": 3
"version": 4
},
"8a556117-3f05-430e-b2eb-7df0100b4e3b": {
"rule_name": "FortiGate Administrator Login from Multiple IP Addresses",
"sha256": "4fb953698ceae0d3a2368b598e494768631fda61e787c814fd8b14648970ed61",
"sha256": "8a440ac513665ee94c1d34a0b512de1f6e575d5edf5661d50035fb6a66156621",
"type": "esql",
"version": 1
"version": 2
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"rule_name": "Attempt to Deactivate an Okta Network Zone",
@@ -6082,9 +6155,9 @@
},
"8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": {
"rule_name": "Several Failed Protected Branch Force Pushes by User",
"sha256": "9d1bc9b7060ea6d266960e7516d73eaba82762861155fa8f826340e62a420823",
"sha256": "3935786d70057d64ab74ad51d331966c633ef77288e78f0bd9fe008e0a5fd11a",
"type": "esql",
"version": 1
"version": 2
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
@@ -6170,9 +6243,9 @@
},
"8d4d0a23-19d3-4186-a6f1-6f0760d2e070": {
"rule_name": "Multiple External EDR Alerts by Host",
"sha256": "dbd31b6d355226db225bd9b68f61c5b05042dc609806bf1688af4069be15682f",
"sha256": "f7b9e9fbe3d9cfbfb3793b59abf31a5bfa623b9ab49b9c176023b6db3ad28892",
"type": "esql",
"version": 2
"version": 3
},
"8d696bd0-5756-11f0-8e3b-f661ea17fbcd": {
"rule_name": "Entra ID OAuth ROPC Grant Login Detected",
@@ -6218,9 +6291,9 @@
},
"8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": {
"rule_name": "Entra ID Actor Token User Impersonation Abuse",
"sha256": "c3a3ba5d26efb65c2238fe623846c02797e51129094d15bad8b7b5b259cf8dfb",
"sha256": "f0f5507ec01c62ad2d52cfa28f5838a924c8c89eff04e88ea7870b454d0d8541",
"type": "esql",
"version": 4
"version": 5
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"rule_name": "Bitsadmin Activity",
@@ -6429,9 +6502,9 @@
},
"93dd73f9-3e59-45be-b023-c681273baf81": {
"rule_name": "Linux Video Recording or Screenshot Activity Detected",
"sha256": "8586544da38d1a02ce7e3b31dbb37e08b2ba3a6a70a6281f431da764dfa7ba5e",
"sha256": "a7d3bdce1506512de3038f519099b488cfaf31a9ddf4c791ac8aca3c2861359b",
"type": "new_terms",
"version": 1
"version": 2
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
@@ -6465,9 +6538,9 @@
},
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"rule_name": "Potential Okta Credential Stuffing (Single Source)",
"sha256": "51497d3090604a3039fc966afdfe2d841061c20722995d72be05eae76c1550c8",
"sha256": "3582f68249eb42feefbaee5cb78961ee3fdf381c206fd4985291b0a08d16cab3",
"type": "esql",
"version": 209
"version": 210
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
@@ -6987,9 +7060,9 @@
},
"9ed5d08f-aad6-4c03-838c-d686da887c2c": {
"rule_name": "Okta AiTM Session Cookie Replay",
"sha256": "3c8b25b3282976d4718265e11ce3ffa5a131cfff8bb053549a80ef90c6610b8a",
"sha256": "e83eb0975f982673d5e2c6240da8d5e17e7db175d72dc6df15da96c717104f26",
"type": "esql",
"version": 1
"version": 2
},
"9edd000e-cbd1-4d6a-be72-2197b5625a05": {
"rule_name": "Suricata and Elastic Defend Network Correlation",
@@ -6999,9 +7072,9 @@
},
"9edd1804-83c7-4e48-b97d-c776b4c97564": {
"rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
"sha256": "e6f63f5a14d9fd64fa42c6876b3fc572b1ae4e05b427504913ebd567c4db37a4",
"sha256": "b19dffa62d3df7148544385ab17298f3037388eb487eaf544505b0c11521d102",
"type": "esql",
"version": 8
"version": 9
},
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public",
@@ -7017,9 +7090,9 @@
},
"9f432a8b-9588-4550-838e-1f77285580d3": {
"rule_name": "Dynamic IEX Reconstruction via Method String Access",
"sha256": "240a406d0305dd6344e374366a323c69f6639bb80c3853e6d7d82cb35a43eef3",
"sha256": "7045b58f9119ab5ed4fa366f17cda1286910cc23c9f46bf53054547d2fa5b56d",
"type": "esql",
"version": 10
"version": 11
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"rule_name": "Potential Credential Access via DCSync",
@@ -7111,6 +7184,12 @@
"type": "new_terms",
"version": 1
},
"a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": {
"rule_name": "Potential Account Takeover - Logon from New Source IP",
"sha256": "57e6c9d11619a17fa33f9b5d554849c500b51728ab5a7bfa82b61c0ca7a399e1",
"type": "esql",
"version": 1
},
"a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": {
"rule_name": "Entra ID Protection Admin Confirmed Compromise",
"sha256": "38404d75082d19283a1f7a678f193438c1eb1868ab1c395c3b5633bd6c8e89e4",
@@ -7179,9 +7258,9 @@
},
"a337c3f8-e264-4eb4-9998-22669ca52791": {
"rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected",
"sha256": "07c213ebd7d0107bf8690e3353e74ed32a3fa4c99e2dcb4e6a90c5b51ce33882",
"sha256": "c842a49d9921b27647b6349ad118e5d70cd985461f2b819bf9fa5f5a4a11bae3",
"type": "esql",
"version": 1
"version": 2
},
"a3cc60d8-2701-11f0-accf-f661ea17fbcd": {
"rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client",
@@ -7327,9 +7406,9 @@
"a750bbcc-863f-41ef-9924-fd8224e23694": {
"min_stack_version": "9.3",
"rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers",
"sha256": "2b7bf9a3de0eb18418db511b219abdc7cadd3b5cdefdd70d1cb796dd83161b36",
"sha256": "5846c6b43e380d83d1c497de9db85c35f4fb983138dde4300adddb76e4cd3ec4",
"type": "eql",
"version": 1
"version": 2
},
"a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": {
"rule_name": "Execution via OpenClaw Agent",
@@ -7349,6 +7428,12 @@
"type": "eql",
"version": 315
},
"a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f": {
"rule_name": "M365 Purview Security Compliance Signal",
"sha256": "d963fc1b077051067a8bc042f00ec72e4f00312ac6bc459bfacda7b80c2b9ec4",
"type": "query",
"version": 1
},
"a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": {
"rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User",
"sha256": "5cb15224ba5e3b436c88a0c808d62f5975a8a962c7c0d804baf2e704d054b03d",
@@ -7404,6 +7489,12 @@
"type": "eql",
"version": 2
},
"a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0": {
"rule_name": "Newly Observed ScreenConnect Host Server",
"sha256": "5a8acf8b9ca572d30b42f96b89249dc24621630278b9db105d665630cbb8cb34",
"type": "esql",
"version": 1
},
"a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": {
"rule_name": "Azure Storage Blob Retrieval via AzCopy",
"sha256": "630eb9459fc7c5632430c7f31e2e7b09b45d97301ab806d43a312588e54ee683",
@@ -7412,9 +7503,9 @@
},
"a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": {
"rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand",
"sha256": "8ed3514f87da2cdb2928680ebebadacf9c99a8de8d6504196742c42c1969fb24",
"sha256": "cd7321baa685c0b8fdee3998ff993ac2f4f5761124d7f2e78e2c404978211ab3",
"type": "esql",
"version": 1
"version": 2
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"rule_name": "High Variance in RDP Session Duration",
@@ -7526,9 +7617,9 @@
},
"ab7795cc-0e0b-4f9d-a934-1f17a58f869a": {
"rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)",
"sha256": "1cde5d806050171a8af5ccce92a4ee5c18676617db73c04392ef22527cca5238",
"sha256": "c1d2e49b9c7ced7cce10153c0338a47448b25c6a03c1e185a3ae353d07665b67",
"type": "eql",
"version": 1
"version": 2
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
@@ -7734,6 +7825,12 @@
"type": "new_terms",
"version": 7
},
"af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": {
"rule_name": "Okta Alerts Following Unusual Proxy Authentication",
"sha256": "654269218ea4d36e4c6c44c897f0d1045a8e3958ec8ada141505606d41445514",
"type": "eql",
"version": 1
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "58f5a32068e937f8a5a7e0ebf56c814d9d90bc5411188e096283a1699389e0bf",
@@ -7796,9 +7893,9 @@
},
"b0c98cfb-0745-4513-b6f9-08dddb033490": {
"rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables",
"sha256": "9b70b1ae2e9c9a8d5c326e930ee1d6922a8234afeb5945abdad61790a366eb47",
"sha256": "deec12e81c3d8c2bda1563d1d7e93dc1148fff91ddea9ab3eaff47117ad97a1d",
"type": "esql",
"version": 9
"version": 10
},
"b11116fd-023c-4718-aeb8-fa9d283fc53b": {
"min_stack_version": "9.3",
@@ -7876,6 +7973,12 @@
"type": "threshold",
"version": 1
},
"b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": {
"rule_name": "Potential Account Takeover - Mixed Logon Types",
"sha256": "6fe0f08ade5d4fc0987a2467cbde981ee38c90a5d96697e3e6851627833b4c8d",
"type": "esql",
"version": 1
},
"b2c3d4e5-f6a7-8901-bcde-f123456789ab": {
"rule_name": "GenAI Process Compiling or Generating Executables",
"sha256": "1b44e3cddeb6ca2f774015e8420483b4590ca117d2b4e014e2a651e58d0075d6",
@@ -8040,9 +8143,9 @@
},
"b7f77c3c-1bcb-4afc-9ace-49357007947b": {
"rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike",
"sha256": "5e33ef87d305f50f061545ef99ce1dd5b9ce6bfa3247837f6e2355532fbe5fcd",
"sha256": "3fc38efdfb54c28bd83b93be278e07a0480084d972768a3dac3e6d6187408cb7",
"type": "esql",
"version": 2
"version": 3
},
"b8075894-0b62-46e5-977c-31275da34419": {
"rule_name": "Administrator Privileges Assigned to an Okta Group",
@@ -8052,9 +8155,9 @@
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"rule_name": "Linux System Information Discovery",
"sha256": "c4e3a5090583d6cecaac50b3fdef659bb2062b055ba65461ccaf9ddd7f570b32",
"sha256": "fa7b67791e4a1c0bddd450fbbbaf999f5c80e8ca6fdcb193e3822be4d331ba5b",
"type": "new_terms",
"version": 7
"version": 8
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"rule_name": "PowerShell Invoke-NinjaCopy script",
@@ -8087,6 +8190,12 @@
"type": "query",
"version": 1
},
"b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": {
"rule_name": "M365 Purview DLP Signal",
"sha256": "04360f0ce85534f39be7ba0ec1699302b04855d9ef703ccd49c39e0d6e39c3e7",
"type": "query",
"version": 1
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"rule_name": "Kirbi File Creation",
"sha256": "f0425912b32267ad405c24d9e2fc4da797b6544d08646645eb230ade605c0b4e",
@@ -8191,9 +8300,9 @@
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"rule_name": "M365 OneDrive Malware File Upload",
"sha256": "a61bbbfa2a2f704a98aff991ac3892323c1ec978f59e28708b05c7bfc824180d",
"sha256": "cd0ee58446ad10fef53b9675021f3383a26e3552230434632e711d88af2d5d1e",
"type": "query",
"version": 211
"version": 212
},
"bba8c7d1-172b-435d-9034-02ed9289c628": {
"rule_name": "Potential Etherhiding C2 via Blockchain Connection",
@@ -8203,9 +8312,9 @@
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"rule_name": "Potential SYN-Based Port Scan Detected",
"sha256": "352b0d2453ef219a0e530c3488bdd1b9548690c7bc717e3b5fd20a03b2fa88ee",
"sha256": "815c666bcc295daeb2243a634ef0d8210a3b075ef8218de881cc4d8e7cb3cfce",
"type": "threshold",
"version": 13
"version": 14
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"rule_name": "M365 Teams Custom Application Interaction Enabled",
@@ -8353,9 +8462,9 @@
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"rule_name": "System Owner/User Discovery Linux",
"sha256": "6565b433d28c9d96ee23e6597d655eaf4fb7b01e667594f9c882613e332e739f",
"sha256": "8333574a0bd6910364814cb33d533eeb7ff3ce241fecbde36cde344d754dd008",
"type": "new_terms",
"version": 7
"version": 8
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
@@ -8538,6 +8647,12 @@
"type": "new_terms",
"version": 1
},
"c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": {
"rule_name": "Suspicious Execution from VS Code Extension",
"sha256": "c801b37699ca3fa63ec4095cd5889b3842b42a66e9a48c161a0dca78c7707c5e",
"type": "eql",
"version": 1
},
"c3d4e5f6-a7b8-9012-cdef-123456789abc": {
"rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"sha256": "cdb4bf583f1114ff298aa113567237a8727f03bf3675eca5da4ec615db63f688",
@@ -8571,9 +8686,9 @@
"c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": {
"min_stack_version": "9.3",
"rule_name": "Multiple Rare Elastic Defend Behavior Rules by Host",
"sha256": "c0d66e17e9785feeec08ca3facd4df547341800aa13d146f280878dd710f5426",
"sha256": "4542646fbec130c4f8575763a13a38d14024a3c708f352f590be00d4942eb20e",
"type": "esql",
"version": 1
"version": 2
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"rule_name": "Attempted Private Key Access",
@@ -8678,10 +8793,20 @@
"version": 3
},
"c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
"sha256": "327ff75523310cbad3219c26ebc97ff87df70d0380a60c4d9607b8c0bf433c89",
"type": "new_terms",
"version": 6
}
},
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
"sha256": "327ff75523310cbad3219c26ebc97ff87df70d0380a60c4d9607b8c0bf433c89",
"sha256": "2ab33e3210faabbf21634cb53b667334ab3853f7a3edab5accc936e62e0092c9",
"type": "new_terms",
"version": 6
"version": 106
},
"c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": {
"rule_name": "Mount Launched Inside a Container",
@@ -8803,6 +8928,12 @@
"type": "eql",
"version": 12
},
"c9636a6e-125e-11f1-9cd3-f661ea17fbce": {
"rule_name": "M365 Exchange MFA Notification Email Deleted or Moved",
"sha256": "df3b151df4fd569bcd9b3f33c7f7bf9ce148405ff51fcf9a672aa8413b0a6ba8",
"type": "eql",
"version": 1
},
"c9847fe9-3bed-4e6b-b319-f9956d6dd02a": {
"rule_name": "Potential Remote Install via MsiExec",
"sha256": "3ea4b2750fc23762da8a0f57f1cbbb92a984c24550de5eacd33590b75b809f69",
@@ -8923,6 +9054,12 @@
"type": "eql",
"version": 105
},
"cccc9be5-d8b0-466e-8a37-617eae57351a": {
"rule_name": "M365 Entra ID Risk Detection Signal",
"sha256": "392041a3844e680f234c92dc4275823b02292a6f5e26d39151ebe50958c2231d",
"type": "query",
"version": 1
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "e5f40a33e82975840bc65f1ac5e0feec696b92cfafff003e9fb617478b68b0f7",
@@ -8932,9 +9069,9 @@
"cd24c340-b778-44bd-ab69-2f739bd70ce1": {
"min_stack_version": "9.3",
"rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers",
"sha256": "f3008bfe96f0c05c6c297439f3dcd6f545b950b428e93451c419188a4c8757fa",
"sha256": "dd5558b655f37b28a249477f9e372be817a1484e796ea566c51b3f8135df88d8",
"type": "eql",
"version": 1
"version": 2
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
@@ -9124,9 +9261,9 @@
},
"d19a2399-f8e2-4b10-80d8-a561ce9d24d1": {
"rule_name": "System Binary Symlink to Suspicious Location",
"sha256": "0aea406ddba7b11453a548228195caa671109a902b295bcbc467bb5f21200a8b",
"sha256": "38f91221ebf1ad1f815b2410711902a446bf634093f757a94276a1fc84a35506",
"type": "new_terms",
"version": 3
"version": 4
},
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
"rule_name": "AWS EC2 Instance Console Login via Assumed Role",
@@ -9196,9 +9333,9 @@
},
"d43f2b43-02a1-4219-8ce9-10929a32a618": {
"rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
"sha256": "739247a92bc9484d0dcb60b1be1c780d2409c02187834df1752f6b3cc122e3d4",
"sha256": "7c5e02a840182b33f4790c944b9ec48af5f79dac23befdb0f069ef00258b4e70",
"type": "esql",
"version": 8
"version": 9
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
@@ -9242,6 +9379,13 @@
"type": "threshold",
"version": 1
},
"d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a": {
"min_stack_version": "9.3",
"rule_name": "Elastic Defend Alert from GenAI Utility or Descendant",
"sha256": "cdaceb7b07acc4eed0fec1f0d29c98302d3dc5d01f0bb281c84fc3555fbcd5d8",
"type": "esql",
"version": 1
},
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "b83c3c1532b5af713bd9011025fcc17c4214c07593127a7a206e19e9fb5e28a2",
@@ -9274,9 +9418,9 @@
},
"d591d7af-399b-4888-b705-ae612690c48d": {
"rule_name": "Newly Observed High Severity Suricata Alert",
"sha256": "5429febf472a2b6a92abaf89cbe7b824b49407e8a1704ee6415bac4a4abcf45a",
"sha256": "de1f830567ec7ac8c8a76bd6164a6af0895adedc8ceb7ea49c91dda648461626",
"type": "esql",
"version": 2
"version": 3
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"rule_name": "Attempt to Delete an Okta Policy Rule",
@@ -9455,9 +9599,9 @@
"d9bfa475-270d-4b07-93cb-b1f49abe13da": {
"min_stack_version": "9.3",
"rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"sha256": "9a8879a1b9bab3940164561c3907250d88bce0a1a16c2c2ac5de71620cfb7523",
"sha256": "ce0e37c4131266899b3fff16ba9305d4088310293fc2c32ed800451178e89358",
"type": "eql",
"version": 1
"version": 2
},
"d9faf1ba-a216-4c29-b8e0-a05a9d14b027": {
"rule_name": "Sensitive Files Compression Inside A Container",
@@ -9503,9 +9647,9 @@
},
"da7f7a93-26e1-49ce-b336-963c6dc17c7b": {
"rule_name": "Multiple Machine Learning Alerts by Influencer Field",
"sha256": "bbac8cf5212f002212b5f8bf7bd3d272ce4cfefbc2fc7e77631b044646ec3b81",
"sha256": "261d3febfee5e90a2350910f92af7a263d627358d8f42ad07c4a9e339509fdb5",
"type": "esql",
"version": 2
"version": 3
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"rule_name": "Suspicious Service was Installed in the System",
@@ -9742,9 +9886,9 @@
},
"df9c0e92-5dee-4f1d-a760-3a5c039e4382": {
"rule_name": "Detection Alert on a Process Exhibiting CPU Spike",
"sha256": "f5ac0710ca1245ab366c3b05727497d8c3380c801d3c5d4c58c457f5221c2e67",
"sha256": "83a996f5513897b32f3f2090c57c0cb08be06399fea34777c922db1e09a1d437",
"type": "esql",
"version": 2
"version": 3
},
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"rule_name": "Potential privilege escalation via CVE-2022-38028",
@@ -9868,9 +10012,9 @@
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"rule_name": "System Network Connections Discovery",
"sha256": "60a571ef757ab1f19773e24a8565e269022ef8dce483eb103351f24cc96cc4f0",
"sha256": "b00992fce58b8dc70936e08ee54b5daac9d824811cc5a4c82eb3167aee0301ec",
"type": "new_terms",
"version": 6
"version": 7
},
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
@@ -9969,10 +10113,20 @@
"version": 212
},
"e4feea34-3b62-4c83-b77f-018fbef48c00": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
"sha256": "0cc36350d68626dc93304799effc87027ee6e7dfdb46469ccc949b5c0662e38d",
"type": "eql",
"version": 4
}
},
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
"sha256": "0cc36350d68626dc93304799effc87027ee6e7dfdb46469ccc949b5c0662e38d",
"sha256": "ea754dc7ebd790477767de5ab2895d06f2ef94d22a8707ae800e9f54986de376",
"type": "eql",
"version": 4
"version": 104
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"rule_name": "Kerberos Pre-authentication Disabled for User",
@@ -10004,6 +10158,12 @@
"type": "eql",
"version": 3
},
"e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": {
"rule_name": "First Time Seen DNS Query to RMM Domain",
"sha256": "b09357075adc197f9663635384299a12e0b25c28bded7221f0feeee2cf5c978e",
"type": "new_terms",
"version": 1
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"rule_name": "Bash Shell Profile Modification",
"sha256": "2fd375388407792fd51a8969b707aa25f45b320020108a7979676d7a7f9a867e",
@@ -10096,9 +10256,9 @@
},
"e819b7eb-c2d4-4adc-b0c9-658aeb140450": {
"rule_name": "Lateral Movement Alerts from a Newly Observed User",
"sha256": "25b15177e88f841bf8797680046c7a6100044cfd433d8f0ecb13ec8c5ac90a43",
"sha256": "a3258f0d15c7c51105bf8854c5ce37f0d660fb5f008b73587d0eb4314de34c12",
"type": "esql",
"version": 2
"version": 3
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
@@ -10150,9 +10310,9 @@
},
"e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
"rule_name": "Potential PowerShell Obfuscation via String Reordering",
"sha256": "c9c8e405e6ac8fa5c9711db9949851e54148dbab50f0f01943ea9202de3054cd",
"sha256": "84fb725b362cfa15cd93030dd0ee407c62219b8e75e23fc673d4b4411efc479e",
"type": "esql",
"version": 11
"version": 12
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -10252,9 +10412,9 @@
},
"eb3150eb-e9fb-4a64-a0fc-aa66cdd35632": {
"rule_name": "Telnet Authentication Bypass via User Environment Variable",
"sha256": "c869b726c71065ef1c6ec9bc86d8d6c93a4576e456ad1a9e49a6cb90158de156",
"sha256": "dad30a9b0ac5bb3048cae4d42fe0015a25c5bdf4122aaec696d0bfede5c73556",
"type": "eql",
"version": 1
"version": 2
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
@@ -10323,9 +10483,9 @@
}
},
"rule_name": "File Execution Permission Modification Detected via Defend for Containers",
"sha256": "c464aef0348ff82a20e8148ae70d2a55f66f0e8c371fa69e80415085ad2db41a",
"sha256": "c02875fc6dfc7d8a299910738b01d4334c0184bc205d79b15c22974fb6271f10",
"type": "eql",
"version": 104
"version": 105
},
"ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": {
"rule_name": "Kubernetes Forbidden Creation Request",
@@ -10359,9 +10519,9 @@
},
"ed3fedc3-dd10-45a5-a485-34a8b48cea46": {
"rule_name": "Unusual Remote File Creation",
"sha256": "83b61acb47941fdd7ddf74b051c1403ad5940349e000dde55a40bb059e9ff0f5",
"sha256": "a7a4aa5dee70a0b7400227badb99bbd92c05ec809b52bddb0719918089f99323",
"type": "new_terms",
"version": 5
"version": 6
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"rule_name": "Entra ID Global Administrator Role Assigned (PIM User)",
@@ -10579,9 +10739,9 @@
"f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": {
"min_stack_version": "9.3",
"rule_name": "LLM-Based Attack Chain Triage by Host",
"sha256": "a8e526596cd31695f761b1c473b0d8067336519cb1918dd798f4d7752e5a7f6b",
"sha256": "286422b3b4035aa2adeafd1b284e053369eeed39302d7369532e46de03eaff07",
"type": "esql",
"version": 2
"version": 3
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"rule_name": "Service Path Modification",
@@ -10614,6 +10774,12 @@
"type": "query",
"version": 5
},
"f2c43e8c-ccf2-4eab-9e9a-e335da253773": {
"rule_name": "M365 Purview Insider Risk Signal",
"sha256": "7b79f31c41b50f2de307dec4edf986446644ccdd5d81087cd0d65070e5bc6841",
"type": "query",
"version": 1
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
"sha256": "77898c5469949cfb73f4b6a3d6d0e02bceeb8e65bff93cf6a24f6a88223ffadf",
@@ -10676,9 +10842,9 @@
},
"f38633f4-3b31-4c80-b13d-e77c70ce8254": {
"rule_name": "Potential PowerShell Obfuscation via Reverse Keywords",
"sha256": "8840b0c126687d686b10af54ad284385b8385dd1400d81f180b14c807162c05b",
"sha256": "4e8a1d0b5d2d08befba089df12e7d27768455c6c08f58a912f825e916e665108",
"type": "esql",
"version": 9
"version": 10
},
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
"rule_name": "Kill Command Execution",
@@ -10821,9 +10987,9 @@
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"rule_name": "Account or Group Discovery via Built-In Tools",
"sha256": "dc922f1a06634e41b2fa415a4c415210b0239ecb9270eb3b5fbabeb005803dd5",
"sha256": "dc828379a80bcd81d6d54e8910635b11a89acc59e65e859525568e856567c371",
"type": "new_terms",
"version": 6
"version": 7
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"rule_name": "Windows Firewall Disabled via PowerShell",
@@ -10874,9 +11040,9 @@
},
"f6d8c743-0916-4483-8333-3c6f107e0caa": {
"rule_name": "Potential PowerShell Obfuscation via String Concatenation",
"sha256": "4966b256f77320a536fd06f26771860ce412bb74324a875bca6867ac35dd79c3",
"sha256": "f56190b966c8b01230a154a0851ed2e59d80595a1de876b0764e3d046e9bea51",
"type": "esql",
"version": 9
"version": 10
},
"f701be14-0a36-4e9a-a851-b3e20ae55f09": {
"rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
@@ -11047,15 +11213,15 @@
},
"f9753455-8d55-4ad8-b70a-e07b6f18deea": {
"rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion",
"sha256": "459fdfc9a0bf0c7e11816d78422d6f072d79db1e1bcc876e972c71d10a2739f4",
"sha256": "2ecbf0a719e60c1a4d65cc86c0d02ce00fa12333fbb32e834f271fc17367cd24",
"type": "esql",
"version": 8
"version": 9
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"rule_name": "Privileged Account Brute Force",
"sha256": "8e958e43156701d8c536815d851b1fd4d6891d08dbdb20e1141143b2d64be583",
"sha256": "78aeaab7e3bf4d6d513db619e43eb7454c6f800492e403b6873fe8c17bf7d95b",
"type": "esql",
"version": 116
"version": 117
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"rule_name": "Suspicious Activity Reported by Okta User",
@@ -11065,15 +11231,15 @@
},
"f9abcddc-a05d-4345-a81d-000b79aa5525": {
"rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion",
"sha256": "a8fb8ff65c77ca30e4b18c8cfe9a98058e413bb924c285e9eb647e2cb7d43baa",
"sha256": "e429a1bb7579d75e52d9c21dba63b12b1d6d5efe9aa7dbff56eb09d652825da3",
"type": "esql",
"version": 10
"version": 11
},
"f9de0949-94d8-441d-ae9a-8eb1e040acf2": {
"rule_name": "Newly Observed Process Exhibiting High CPU Usage",
"sha256": "b6e23d1b2f53b36d09252c99a34fd67b30e68ccf7faf46c5516504738b92f2b7",
"sha256": "ac67c25e692fc04e2eeae6c2c6c597c4c637f8d746afc513e7b9e0370b67cdf7",
"type": "esql",
"version": 1
"version": 2
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"rule_name": "Remote File Copy to a Hidden Share",
@@ -11353,9 +11519,9 @@
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",
"sha256": "8c10501ce86f18c3be3435c923b228298606f73818b611f539f520e1e40320a3",
"sha256": "9ac7770cb7a1a1d0348ae3f523fb76bbc3740b98d2354456e5f0495c5c6896c5",
"type": "esql",
"version": 15
"version": 16
},
"ff46eb26-0684-4da3-9dd6-21032c9878e1": {
"rule_name": "Active Directory Discovery using AdExplorer",
@@ -11395,8 +11561,8 @@
},
"ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": {
"rule_name": "Suspicious TCC Access Granted for User Folders",
"sha256": "14436e33164f86a8e456f0a6ac11a53c2da7a2238add394df63ac4e5a120d36c",
"sha256": "6329ee62398952755171a82d57fd5c59d159290b7d4fab00d7fe6043899ca3ea",
"type": "esql",
"version": 1
"version": 2
}
}
+8 -1
@@ -72,6 +72,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-application](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-application.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-asset-visibility](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-asset-visibility.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-auditd-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-auditd-manager.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-automated-response-tracking](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-automated-response-tracking.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-cloudfront](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudfront.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-cloudtrail](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudtrail.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-config](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-config.json&leave_site_dialog=false&tabs=false)|
@@ -104,6 +105,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-azure-storage](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-storage.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-bbr](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bbr.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-blocked-threat-tracking](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-blocked-threat-tracking.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-bpfdoor](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bpfdoor.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-c2-beaconing-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-c2-beaconing-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-cisco-ftd](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cisco-ftd.json&leave_site_dialog=false&tabs=false)|
@@ -114,6 +116,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-collection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-collection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-command-and-control](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-command-and-control.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-configuration-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-configuration-audit.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-configuration-auditing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-configuration-auditing.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-container](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-container.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-credential-access](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-credential-access.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-crowdstrike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-crowdstrike.json&leave_site_dialog=false&tabs=false)|
@@ -149,6 +152,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-higher-order-rule](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-higher-order-rule.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iam.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-identity-and-access-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-and-access-audit.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-identity-threat-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-threat-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-identity](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-iis](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iis.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-impact](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-impact.json&leave_site_dialog=false&tabs=false)|
@@ -168,15 +172,18 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-microsoft-365-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365-audit-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-defender-for-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-for-endpoint.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-defender-threat-intelligence](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-threat-intelligence.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-defender-for-office-365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-for-office-365.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-defender](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-audit-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id-protection-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-protection-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id-protection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-protection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id-sign-in-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-sign-in-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-exchange](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-exchange.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-graph-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph-activity-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-graph](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-purview](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-purview.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-threat-intelligence](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-threat-intelligence.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-ml](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ml.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-network-packet-capture](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-packet-capture.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-network-security-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-security-monitoring.json&leave_site_dialog=false&tabs=false)|
+1 -1
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.5.52"
version = "1.5.53"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"