Lock versions for releases: 8.19,9.1,9.2,9.3 (#5818)

This commit is contained in:
github-actions[bot]
2026-03-10 15:33:16 +05:30
committed by GitHub
parent 26d37dd62e
commit 87badac5a0
3 changed files with 409 additions and 236 deletions
+400 -234
@@ -49,9 +49,9 @@
}, },
"0171f283-ade7-4f87-9521-ac346c68cc9b": { "0171f283-ade7-4f87-9521-ac346c68cc9b": {
"rule_name": "Potential Network Scan Detected", "rule_name": "Potential Network Scan Detected",
"sha256": "3ba46fc1349a8bf917183c0721c61a73cdb30c9634e35439e7c80008d8f7e8c8", "sha256": "5484efed9ed2e59b10577e3d86ecbe4dca7de9f28a241e509931c2595d8d9f4c",
"type": "esql", "type": "esql",
"version": 14 "version": 15
}, },
"017de1e4-ea35-11ee-a417-f661ea17fbce": { "017de1e4-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Memory Threat - Detected - Elastic Defend", "rule_name": "Memory Threat - Detected - Elastic Defend",
@@ -68,9 +68,9 @@
"02275e05-57a1-46ab-a443-7fb444da6b28": { "02275e05-57a1-46ab-a443-7fb444da6b28": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities", "rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"sha256": "952901c0899f5762fcd50e767297ca8ffcf29a6bbb13ae322c70e6c160a8cb18", "sha256": "cd854516c52abc224cf16271f439eec724281de54a4aa6f6a7ce1013430393af",
"type": "eql", "type": "eql",
"version": 1 "version": 2
}, },
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"rule_name": "Potential Cookies Theft via Browser Debugging", "rule_name": "Potential Cookies Theft via Browser Debugging",
@@ -186,15 +186,15 @@
"8.19": { "8.19": {
"max_allowable_version": 100, "max_allowable_version": 100,
"rule_name": "High Number of Protected Branch Force Pushes by User", "rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "6db6ca7bb4958bfd24a3ebc8ff577a84b540bc4138556d040d11a337439d1043", "sha256": "6ecf2e6fbea8d375d4737291540983e97ce7ca80ec165d6380a11eab3287782c",
"type": "esql", "type": "esql",
"version": 1 "version": 2
} }
}, },
"rule_name": "High Number of Protected Branch Force Pushes by User", "rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "6db6ca7bb4958bfd24a3ebc8ff577a84b540bc4138556d040d11a337439d1043", "sha256": "6ecf2e6fbea8d375d4737291540983e97ce7ca80ec165d6380a11eab3287782c",
"type": "esql", "type": "esql",
"version": 101 "version": 102
}, },
"043d80a3-c49e-43ef-9c72-1088f0c7b278": { "043d80a3-c49e-43ef-9c72-1088f0c7b278": {
"rule_name": "Potential Escalation via Vulnerable MSI Repair", "rule_name": "Potential Escalation via Vulnerable MSI Repair",
@@ -220,6 +220,12 @@
"type": "eql", "type": "eql",
"version": 216 "version": 216
}, },
"054853f3-2ce0-41f3-a6eb-4a4867f39cdc": {
"rule_name": "M365 Defender Alerts Signal",
"sha256": "35c1046191b7ca47e3823cf1bd6d886e46229c2c7a24ddf6d2a71f52b7756723",
"type": "query",
"version": 1
},
"054db96b-fd34-43b3-9af2-587b3bd33964": { "054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation", "rule_name": "Systemd-udevd Rule File Creation",
"sha256": "b041eda883625c151da07f6f712fa59b323ed321f5facabe50784b6d214b2835", "sha256": "b041eda883625c151da07f6f712fa59b323ed321f5facabe50784b6d214b2835",
@@ -259,9 +265,9 @@
}, },
"05f2b649-dc03-4e9a-8c4e-6762469e8249": { "05f2b649-dc03-4e9a-8c4e-6762469e8249": {
"rule_name": "Suspicious AWS S3 Connection via Script Interpreter", "rule_name": "Suspicious AWS S3 Connection via Script Interpreter",
"sha256": "6ad0f3169c575ac9324d80b785de1bf27cb43f9886ea367449546e050a7aa111", "sha256": "98707dba65515504ddccd478b6d990937253b23206d517eec8fb008262a30d53",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"0635c542-1b96-4335-9b47-126582d2c19a": { "0635c542-1b96-4335-9b47-126582d2c19a": {
"rule_name": "Remote System Discovery Commands", "rule_name": "Remote System Discovery Commands",
@@ -355,9 +361,9 @@
}, },
"083383af-b9a4-42b7-a463-29c40efe7797": { "083383af-b9a4-42b7-a463-29c40efe7797": {
"rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation",
"sha256": "b4f1a15ffdc521c66555c9bd089d50abcfd235fac9000ac6f00520cf4cf35d8e", "sha256": "1cab7c406a0a2310ac6081b7332ff99c4f29843587b48401e6b8fcb7f8006d21",
"type": "esql", "type": "esql",
"version": 8 "version": 9
}, },
"083fa162-e790-4d85-9aeb-4fea04188adb": { "083fa162-e790-4d85-9aeb-4fea04188adb": {
"rule_name": "Suspicious Hidden Child Process of Launchd", "rule_name": "Suspicious Hidden Child Process of Launchd",
@@ -379,9 +385,9 @@
}, },
"08933236-b27a-49f6-b04a-a616983f04b9": { "08933236-b27a-49f6-b04a-a616983f04b9": {
"rule_name": "Alerts From Multiple Integrations by Destination Address", "rule_name": "Alerts From Multiple Integrations by Destination Address",
"sha256": "cc691ed6a93307a1173fd5fda394c29fdc98d2fa7ac909db45e82b9df3e4e378", "sha256": "d6accf93019b97c82298a163af364a097f31b22146454acba734fd8f76d90c6e",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"089db1af-740d-4d84-9a5b-babd6de143b0": { "089db1af-740d-4d84-9a5b-babd6de143b0": {
"rule_name": "Windows Account or Group Discovery", "rule_name": "Windows Account or Group Discovery",
@@ -439,9 +445,9 @@
}, },
"098bd5cc-fd55-438f-b354-7d6cd9856a08": { "098bd5cc-fd55-438f-b354-7d6cd9856a08": {
"rule_name": "High Number of Closed Pull Requests by User", "rule_name": "High Number of Closed Pull Requests by User",
"sha256": "1178ccd0ea843bd94fae7d9a3f3b31228756bfdbbd9ba9701bac9ad9834f3106", "sha256": "ff907a6ea72cb5c7385c4bd5df56b41d6fe30d15ad9c631e4e85cc03ec5aa94d",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"09bc6c90-7501-494d-b015-5d988dc3f233": { "09bc6c90-7501-494d-b015-5d988dc3f233": {
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
@@ -517,9 +523,9 @@
}, },
"0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": { "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": {
"rule_name": "Elastic Defend and Network Security Alerts Correlation", "rule_name": "Elastic Defend and Network Security Alerts Correlation",
"sha256": "0ccc6af15fd729f5cb81b8ea88ff1f4911d30b894f58d96a3ba32ef834d614d7", "sha256": "6c598d2eefbd251000e42180ee7d6cf054a1ee4b470d12f784a85bec03c01cb6",
"type": "esql", "type": "esql",
"version": 5 "version": 6
}, },
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces", "rule_name": "Processes with Trailing Spaces",
@@ -583,9 +589,9 @@
}, },
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"rule_name": "Multiple Alerts Involving a User", "rule_name": "Multiple Alerts Involving a User",
"sha256": "2401df104749aaee63b22f70fa9419c84429ffd9480bff391344fd449d1b4e57", "sha256": "f65217585fc96240d13bc4de41e59f92b3ce81627267bebed176d7add7fa5697",
"type": "esql", "type": "esql",
"version": 6 "version": 7
}, },
"0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": {
"rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph", "rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph",
@@ -606,10 +612,20 @@
"version": 113 "version": 113
}, },
"0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": { "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 204,
"rule_name": "AWS Access Token Used from Multiple Addresses",
"sha256": "8fa1e1fae1b9df0dcbf613745f11a37be91a3a4f12fffdfb2683e0d606fdb20b",
"type": "esql",
"version": 105
}
},
"rule_name": "AWS Access Token Used from Multiple Addresses", "rule_name": "AWS Access Token Used from Multiple Addresses",
"sha256": "8fa1e1fae1b9df0dcbf613745f11a37be91a3a4f12fffdfb2683e0d606fdb20b", "sha256": "25d6b63d8ad4a081ad48d656666160d13bde2d0fac22a33427f2f6cdf5395cc1",
"type": "esql", "type": "esql",
"version": 105 "version": 205
}, },
"0e1af929-42ed-4262-a846-55a7c54e7c84": { "0e1af929-42ed-4262-a846-55a7c54e7c84": {
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
@@ -631,15 +647,15 @@
}, },
"0e52157a-8e96-4a95-a6e3-5faae5081a74": { "0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"rule_name": "M365 SharePoint Malware File Detected", "rule_name": "M365 SharePoint Malware File Detected",
"sha256": "b404f46b09bdd995617e194b53076b9dd47c5cd07d76c9f872e2639656612777", "sha256": "14a1af1d926f42ad0025a51954a328ea770e664a871c163227e8597b49329bf3",
"type": "query", "type": "query",
"version": 211 "version": 212
}, },
"0e524fa6-eed3-11ef-82b4-f661ea17fbce": { "0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
"rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token", "rule_name": "M365 OneDrive/SharePoint Excessive File Downloads",
"sha256": "c5c25c606f65d1dd93f7bb4554ef93fa844d008166cd092acbbb3fedbd622373", "sha256": "b6c8e87bc4292bde1ff1eaa810648c48bab7c0f07e0d8c39bc7b3f714fd32d5f",
"type": "esql", "type": "esql",
"version": 6 "version": 7
}, },
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"rule_name": "GCP Service Account Key Creation", "rule_name": "GCP Service Account Key Creation",
@@ -649,9 +665,9 @@
}, },
"0e67f4f1-f683-43c0-8d45-c3293cf31e5d": { "0e67f4f1-f683-43c0-8d45-c3293cf31e5d": {
"rule_name": "Lateral Movement Alerts from a Newly Observed Source Address", "rule_name": "Lateral Movement Alerts from a Newly Observed Source Address",
"sha256": "cbc38f9092c5b05d934d21db45e1e0795f8743ae2d9a7fbf2b7f4d0652743231", "sha256": "77726aac9ceb48e0f529980fb81396999b0c6688cf5bab0f232aa63d3a653918",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"0e79980b-4250-4a50-a509-69294c14e84b": { "0e79980b-4250-4a50-a509-69294c14e84b": {
"rule_name": "MsBuild Making Network Connections", "rule_name": "MsBuild Making Network Connections",
@@ -703,8 +719,15 @@
}, },
"0fb25791-d8d4-42ab-8fc7-4954642de85f": { "0fb25791-d8d4-42ab-8fc7-4954642de85f": {
"rule_name": "Kubernetes Creation or Modification of Sensitive Role", "rule_name": "Kubernetes Creation or Modification of Sensitive Role",
"sha256": "08d959810b52a5dd296b94b2930b0769db43f5a659b49183d2b3b6412ba706b6", "sha256": "d431f464078e8ba6df2d879cf09611ed71bb66449f85d3d04c20acaf59179284",
"type": "esql", "type": "esql",
"version": 2
},
"0fb83aa0-3d17-41e9-b09c-56397bf7a7d9": {
"min_stack_version": "9.3",
"rule_name": "Decoded Payload Piped to Interpreter Detected via Defend for Containers",
"sha256": "f743bb12bafa53a42bae5f3eb32c50b072927cb62403e1cbd006537e9dae6e63",
"type": "eql",
"version": 1 "version": 1
}, },
"0fe2290a-2664-4c9c-8263-b88904f12f0d": { "0fe2290a-2664-4c9c-8263-b88904f12f0d": {
@@ -839,9 +862,9 @@
}, },
"12a2f15d-597e-4334-88ff-38a02cb1330b": { "12a2f15d-597e-4334-88ff-38a02cb1330b": {
"rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent", "rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"sha256": "3c53427258f633872c95a09f530577cf6a9ed72124f0d10cb5dd29c4d10ff5c1", "sha256": "e0e45a77fb72c89d7d27f6371c8f82d70d1d23bd3d6f1f962526d6e106e52c1b",
"type": "new_terms", "type": "new_terms",
"version": 208 "version": 209
}, },
"12cbf709-69e8-4055-94f9-24314385c27e": { "12cbf709-69e8-4055-94f9-24314385c27e": {
"rule_name": "Kubernetes Pod Created With HostNetwork", "rule_name": "Kubernetes Pod Created With HostNetwork",
@@ -911,9 +934,9 @@
}, },
"143cb236-0956-4f42-a706-814bcaa0cf5a": { "143cb236-0956-4f42-a706-814bcaa0cf5a": {
"rule_name": "RPC (Remote Procedure Call) from the Internet", "rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "a72b45c3d3656c4c1c594397d228ce07d18624f5c7a8314d0bc95b7f10b1e366", "sha256": "c3e44edb8ffe05292ab119e3e6a439e72576953fd826f11cac889b1df3eea2bf",
"type": "query", "type": "query",
"version": 107 "version": 108
}, },
"14dab405-5dd9-450c-8106-72951af2391f": { "14dab405-5dd9-450c-8106-72951af2391f": {
"rule_name": "Office Test Registry Persistence", "rule_name": "Office Test Registry Persistence",
@@ -1075,9 +1098,9 @@
}, },
"171a4981-9c1a-4a03-9028-21cff4b27b38": { "171a4981-9c1a-4a03-9028-21cff4b27b38": {
"rule_name": "Suspected Lateral Movement from Compromised Host", "rule_name": "Suspected Lateral Movement from Compromised Host",
"sha256": "80cdb6c15c3dc9c7375625fea1c89ea54b6b480756a234873c252e3d23262eed", "sha256": "48e0f928ed481c3e3c645ecfad961dfa891e8afe2e2b8ae94990745ace5522fb",
"type": "esql", "type": "esql",
"version": 3 "version": 4
}, },
"17261da3-a6d0-463c-aac8-ea1718afcd20": { "17261da3-a6d0-463c-aac8-ea1718afcd20": {
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
@@ -1225,9 +1248,9 @@
}, },
"19f3674c-f4a1-43bb-a89c-e4c6212275e0": { "19f3674c-f4a1-43bb-a89c-e4c6212275e0": {
"rule_name": "GitHub Exfiltration via High Number of Repository Clones by User", "rule_name": "GitHub Exfiltration via High Number of Repository Clones by User",
"sha256": "55ac8f0658482004ba41518fb5ae40b6a8c4a8bcaa38011c90564b29a6fdcb21", "sha256": "b293b29ab681ba26a92119332275e4c89a2bc3dd8a598d9f9b0968a5c264d2ad",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"1a1046f4-9257-11f0-9a42-f661ea17fbce": { "1a1046f4-9257-11f0-9a42-f661ea17fbce": {
"rule_name": "Azure RBAC Built-In Administrator Roles Assigned", "rule_name": "Azure RBAC Built-In Administrator Roles Assigned",
@@ -1259,9 +1282,9 @@
}, },
"1a3d5b36-b995-4ace-9b85-8a0af429ccf6": { "1a3d5b36-b995-4ace-9b85-8a0af429ccf6": {
"rule_name": "Newly Observed High Severity Detection Alert", "rule_name": "Newly Observed High Severity Detection Alert",
"sha256": "9b24d5e3affe2f35f066b5e0f89bebbd70db28c0e993d6416198c571abe32b00", "sha256": "29750080e44ba02bb3c10e8a58ca3288e54debe1660f33b1e3d7a40247dcc479",
"type": "esql", "type": "esql",
"version": 3 "version": 4
}, },
"1a3f2a4c-12d0-4b88-961a-2711ee295637": { "1a3f2a4c-12d0-4b88-961a-2711ee295637": {
"rule_name": "Potential System Tampering via File Modification", "rule_name": "Potential System Tampering via File Modification",
@@ -1325,9 +1348,9 @@
}, },
"1bb329a5-2168-4da5-b7b9-d42a51deb6dd": { "1bb329a5-2168-4da5-b7b9-d42a51deb6dd": {
"rule_name": "Correlated Alerts on Similar User Identities", "rule_name": "Correlated Alerts on Similar User Identities",
"sha256": "c22e2f137482efcaa87dab19dc3553e257a9b32c721d931dd4986205af482070", "sha256": "a3ef283129c4f9b2d2ff401a29cf89bafab9d5241edd4760ffc71517c9f865cc",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"1c27fa22-7727-4dd3-81c0-de6da5555feb": { "1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"rule_name": "Potential Internal Linux SSH Brute Force Detected", "rule_name": "Potential Internal Linux SSH Brute Force Detected",
@@ -1419,6 +1442,13 @@
"type": "query", "type": "query",
"version": 112 "version": 112
}, },
"1dc56174-5d02-4ca4-af92-e391f096fb21": {
"min_stack_version": "9.3",
"rule_name": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers",
"sha256": "40236f57640750a3b31ff46c28be35c721abe771fc5b5775af8eec75337a763e",
"type": "eql",
"version": 1
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "1aa8b91518fa800db672ea1885139d417ebbaaee15004144118a44663c79ea1b", "sha256": "1aa8b91518fa800db672ea1885139d417ebbaaee15004144118a44663c79ea1b",
@@ -1427,9 +1457,9 @@
}, },
"1dd99dbf-b98d-4956-876b-f13bc0ce017f": { "1dd99dbf-b98d-4956-876b-f13bc0ce017f": {
"rule_name": "Alerts From Multiple Integrations by User Name", "rule_name": "Alerts From Multiple Integrations by User Name",
"sha256": "f8ab4d8f44427fc8a987c9866f83bf76d09c1af99ec349ea6584a5c7d288624b", "sha256": "5b591df265379ba718a43e0d8ae57ae7b2e96d60ea25cc141bb89faa9fffa7bf",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"rule_name": "Suspicious Inter-Process Communication via Outlook", "rule_name": "Suspicious Inter-Process Communication via Outlook",
@@ -1639,9 +1669,9 @@
"227cf26a-88d1-4bcb-bf4c-925e5875abcf": { "227cf26a-88d1-4bcb-bf4c-925e5875abcf": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "Encoded Payload Detected via Defend for Containers", "rule_name": "Encoded Payload Detected via Defend for Containers",
"sha256": "d6ebb5e57c278b1a9b1275aee015d7e6059d8352ec49837ae572a152c3b44db1", "sha256": "6a07a74b399cf5346bcf3fb2acdccd01c3489906a3b780afa3a617c278537902",
"type": "eql", "type": "eql",
"version": 1 "version": 2
}, },
"227dc608-e558-43d9-b521-150772250bae": { "227dc608-e558-43d9-b521-150772250bae": {
"rule_name": "AWS S3 Bucket Configuration Deletion", "rule_name": "AWS S3 Bucket Configuration Deletion",
@@ -1715,9 +1745,9 @@
}, },
"23f18264-2d6d-11ef-9413-f661ea17fbce": { "23f18264-2d6d-11ef-9413-f661ea17fbce": {
"rule_name": "Potential Okta Brute Force (Device Token Rotation)", "rule_name": "Potential Okta Brute Force (Device Token Rotation)",
"sha256": "63082f91fd3d3e60377743e9f2e158d948155ddef6efe6db444b026ff31e58b9", "sha256": "fbd7404391275a1fb3c33e3cb3f065b69b751b4428efb98114c67b17021c2ba9",
"type": "esql", "type": "esql",
"version": 209 "version": 210
}, },
"24401eca-ad0b-4ff9-9431-487a8e183af9": { "24401eca-ad0b-4ff9-9431-487a8e183af9": {
"rule_name": "New GitHub Owner Added", "rule_name": "New GitHub Owner Added",
@@ -1752,9 +1782,9 @@
}, },
"25a4207c-5c05-4680-904c-6e3411b275fa": { "25a4207c-5c05-4680-904c-6e3411b275fa": {
"rule_name": "Multiple Elastic Defend Alerts from a Single Process Tree", "rule_name": "Multiple Elastic Defend Alerts from a Single Process Tree",
"sha256": "cc4a41b1788e20e2e224d7a150cdead5392cd3baf0aba2e2c1743def950ddcd8", "sha256": "7454d14373817e95309e9422997b9eb330ec75601215a6d4c0eb4b5c0d237ec6",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"25d917c4-aa3c-4111-974c-286c0312ff95": { "25d917c4-aa3c-4111-974c-286c0312ff95": {
"rule_name": "Network Activity Detected via Kworker", "rule_name": "Network Activity Detected via Kworker",
@@ -1904,9 +1934,9 @@
}, },
"283683eb-f2ce-40a5-be16-fa931cb5f504": { "283683eb-f2ce-40a5-be16-fa931cb5f504": {
"rule_name": "Newly Observed Palo Alto Network Alert", "rule_name": "Newly Observed Palo Alto Network Alert",
"sha256": "06c0ee8d2a9f83935613ee16386a41ee145a2726d82b353478873f07690880b9", "sha256": "55f2451b2b926a62fba0cf39411dbdf9e3ab7b8893f5de6f6f67983d14178ffd",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
@@ -1940,9 +1970,9 @@
}, },
"288a198e-9b9b-11ef-a0a8-f661ea17fbcd": { "288a198e-9b9b-11ef-a0a8-f661ea17fbcd": {
"rule_name": "AWS STS Role Assumption by User", "rule_name": "AWS STS Role Assumption by User",
"sha256": "77240b497ebf8b7b46e0d2d0c8be1f5bac792a097eef68aa119d7eebae565b41", "sha256": "27c7aa43b06bcdf5a54290f27d411866cfc693c85f82ab73c01872b76435defe",
"type": "new_terms", "type": "new_terms",
"version": 6 "version": 7
}, },
"28bc620d-b2f7-4132-b372-f77953881d05": { "28bc620d-b2f7-4132-b372-f77953881d05": {
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
@@ -2066,9 +2096,9 @@
}, },
"2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": { "2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": {
"rule_name": "Newly Observed FortiGate Alert", "rule_name": "Newly Observed FortiGate Alert",
"sha256": "663c7f29972d07ea8412e1361e05b81f3e4820304cea1a7cbd45ab3dbd6e05ea", "sha256": "a03c57f295928b0d76701bfde0f0f24c71f4f0468545519ef16b580061b27cff",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
"rule_name": "Potential Foxmail Exploitation", "rule_name": "Potential Foxmail Exploitation",
@@ -2090,9 +2120,9 @@
}, },
"2d3c27d5-d133-4152-8102-8d051619ec4a": { "2d3c27d5-d133-4152-8102-8d051619ec4a": {
"rule_name": "Potential Okta Password Spray (Multi-Source)", "rule_name": "Potential Okta Password Spray (Multi-Source)",
"sha256": "69a3614d945637f774498b8d5a3480e7b78ac31b378cb9056696c5816692a51e", "sha256": "aaafdc1afbc528d12bc055c3b9dca2d9057d8a4c2cc482e31728d931115c0b58",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"2d58f67c-156e-480a-a6eb-a698fd8197ff": { "2d58f67c-156e-480a-a6eb-a698fd8197ff": {
"rule_name": "Potential Kerberos Relay Attack against a Computer Account", "rule_name": "Potential Kerberos Relay Attack against a Computer Account",
@@ -2137,9 +2167,9 @@
}, },
"2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": { "2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": {
"rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected", "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected",
"sha256": "eaf9d7580fe68d994bc9dd5059a77678717d826f1027ca65b9dbb286ab41f332", "sha256": "08dc663e2efbf90abf4ead11bcf832d3c646081461d593b9b1ca097c52a8b111",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"2dd480be-1263-4d9c-8672-172928f6789a": { "2dd480be-1263-4d9c-8672-172928f6789a": {
"rule_name": "Suspicious Process Access via Direct System Call", "rule_name": "Suspicious Process Access via Direct System Call",
@@ -2310,6 +2340,12 @@
"type": "query", "type": "query",
"version": 105 "version": 105
}, },
"314557e1-a642-4dbc-af43-321bc04b6618": {
"rule_name": "M365 Security Compliance Admin Signal",
"sha256": "96f0acbb1e0769543a2b94ad428a81031d4f2f99da97acea5bd7a636725b64eb",
"type": "query",
"version": 1
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"rule_name": "Bypass UAC via Event Viewer", "rule_name": "Bypass UAC via Event Viewer",
"sha256": "15ec1bf4d34174c04c219abeeaf5b0b370bd00a31d1c2b24d99ea9120ffee8f3", "sha256": "15ec1bf4d34174c04c219abeeaf5b0b370bd00a31d1c2b24d99ea9120ffee8f3",
@@ -2820,16 +2856,16 @@
}, },
"3db029b3-fbb7-4697-ad07-33cbfd5bd080": { "3db029b3-fbb7-4697-ad07-33cbfd5bd080": {
"rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins", "rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins",
"sha256": "470c107267da141be2217d27cd274e817711841e76123cf594f719816710abc4", "sha256": "d3dc62e69239981e53542dd69d147adb8924ff76106d1ccb90d05c4862c3f03e",
"type": "esql", "type": "esql",
"version": 3 "version": 4
}, },
"3dc4e312-346b-4a10-b05f-450e1eeab91c": { "3dc4e312-346b-4a10-b05f-450e1eeab91c": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "LLM-Based Compromised User Triage by User", "rule_name": "LLM-Based Compromised User Triage by User",
"sha256": "74320f5342f4057795f4d98338ee0b6f3faf00125e6e3df43ed7f3e4e7a47c8c", "sha256": "f7d7a3d2b3fa34c89c46ec93946265b367223bda8341a57198fb272f8bd91505",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": { "3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
"rule_name": "AWS SNS Rare Protocol Subscription by User", "rule_name": "AWS SNS Rare Protocol Subscription by User",
@@ -2875,9 +2911,9 @@
}, },
"3e528511-7316-4a6e-83da-61b5f1c07fd4": { "3e528511-7316-4a6e-83da-61b5f1c07fd4": {
"rule_name": "Remote File Creation in World Writeable Directory", "rule_name": "Remote File Creation in World Writeable Directory",
"sha256": "9828e9212b4a3c92f221380dccf1262425c653acfe104ac8aa3f03472b438ba5", "sha256": "0cb04efb6341ee2e9701dfb0c64bc7685bbe040b6e31d895935fe01ef04be3ab",
"type": "new_terms", "type": "new_terms",
"version": 5 "version": 6
}, },
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"rule_name": "Privilege Escalation via Named Pipe Impersonation", "rule_name": "Privilege Escalation via Named Pipe Impersonation",
@@ -2893,9 +2929,9 @@
}, },
"3ee526ce-1f26-45dd-9358-c23100d1121f": { "3ee526ce-1f26-45dd-9358-c23100d1121f": {
"rule_name": "Linux Audio Recording Activity Detected", "rule_name": "Linux Audio Recording Activity Detected",
"sha256": "52d0a63b56d839189718871baa722279fa701065e67a13f2bb4ab7ffb8e4dba2", "sha256": "25b189c8cc3cec6eaf6f44babd229e8590b233434678bbfcdacb28cdd93364f5",
"type": "new_terms", "type": "new_terms",
"version": 1 "version": 2
}, },
"3efee4f0-182a-40a8-a835-102c68a4175d": { "3efee4f0-182a-40a8-a835-102c68a4175d": {
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts", "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
@@ -2923,9 +2959,9 @@
}, },
"3f4d7734-2151-4481-b394-09d7c6c91f75": { "3f4d7734-2151-4481-b394-09d7c6c91f75": {
"rule_name": "Process Discovery via Built-In Applications", "rule_name": "Process Discovery via Built-In Applications",
"sha256": "8834d4d7524a430c407512c2b2dc55f84b9717a8ad1c6ff1e39d18e62cd07805", "sha256": "69d7a45361fa360c7008395ce81012bd3497330d2b62c25ebfd1913cbd58a87b",
"type": "new_terms", "type": "new_terms",
"version": 6 "version": 7
}, },
"3f4e2dba-828a-452a-af35-fe29c5e78969": { "3f4e2dba-828a-452a-af35-fe29c5e78969": {
"rule_name": "Unusual Time or Day for an RDP Session", "rule_name": "Unusual Time or Day for an RDP Session",
@@ -3075,15 +3111,15 @@
}, },
"428e9109-dc13-4ae9-84cb-100464d4c6fa": { "428e9109-dc13-4ae9-84cb-100464d4c6fa": {
"rule_name": "Unusual Login via System User", "rule_name": "Unusual Login via System User",
"sha256": "3433a7964722e2b13f7993e693f3a518fea97549609c9af49b3c1aa889cb15d8", "sha256": "6827d23b4b308b9c67cf7b406b2045535b0fdc580189116432682385555b8a3a",
"type": "new_terms", "type": "new_terms",
"version": 5 "version": 6
}, },
"42bf698b-4738-445b-8231-c834ddefd8a0": { "42bf698b-4738-445b-8231-c834ddefd8a0": {
"rule_name": "Potential Okta Password Spray (Single Source)", "rule_name": "Potential Okta Password Spray (Single Source)",
"sha256": "20af1f7f7992e83abaf5da57e9a22025998a2be4ab340f0ca68d5720c21a757d", "sha256": "0c7e12d72953b3c07806fef01d5da914e1fadf25c25a821eea63561154a53f74",
"type": "esql", "type": "esql",
"version": 416 "version": 417
}, },
"42c97e6e-60c3-11f0-832a-f661ea17fbcd": { "42c97e6e-60c3-11f0-832a-f661ea17fbcd": {
"rule_name": "Entra ID External Authentication Methods (EAM) Modified", "rule_name": "Entra ID External Authentication Methods (EAM) Modified",
@@ -3209,9 +3245,9 @@
}, },
"472b4944-d810-43cf-83dc-7d080ae1b8dd": { "472b4944-d810-43cf-83dc-7d080ae1b8dd": {
"rule_name": "Multiple Cloud Secrets Accessed by Source Address", "rule_name": "Multiple Cloud Secrets Accessed by Source Address",
"sha256": "94ea66cd4f032738d36c46db9a1c7d5a6a84f64eeacd41a0e6c3f8fb4b6942a6", "sha256": "ff41c11baab351eaebba65c96b1a87529582ee93161f65f77b892e94374ace8b",
"type": "esql", "type": "esql",
"version": 3 "version": 4
}, },
"47403d72-3ee2-4752-a676-19dc8ff2b9d6": { "47403d72-3ee2-4752-a676-19dc8ff2b9d6": {
"rule_name": "AWS IAM OIDC Provider Created by Rare User", "rule_name": "AWS IAM OIDC Provider Created by Rare User",
@@ -3304,9 +3340,9 @@
}, },
"48b6edfc-079d-4907-b43c-baffa243270d": { "48b6edfc-079d-4907-b43c-baffa243270d": {
"rule_name": "Multiple Logon Failure from the same Source Address", "rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "02dec96d19dea37cecb92dbc3df4e0d0e211f6cb9fa09438aba02575ea4482c8", "sha256": "203a6f49d298d9d11ea3837d9fa044d9b18cad4ed9a7c88776386eeadec80b5e",
"type": "esql", "type": "esql",
"version": 116 "version": 117
}, },
"48d7f54d-c29e-4430-93a9-9db6b5892270": { "48d7f54d-c29e-4430-93a9-9db6b5892270": {
"rule_name": "Unexpected Child Process of macOS Screensaver Engine", "rule_name": "Unexpected Child Process of macOS Screensaver Engine",
@@ -3332,6 +3368,12 @@
"type": "eql", "type": "eql",
"version": 6 "version": 6
}, },
"491651da-125b-11f1-af7d-f661ea17fbce": {
"rule_name": "M365 SharePoint/OneDrive File Access via PowerShell",
"sha256": "b0ba8c5ebe208355146f0f9744658c7e7f9984f4ec6b5fa1db9a3568a97389df",
"type": "query",
"version": 1
},
"493834ca-f861-414c-8602-150d5505b777": { "493834ca-f861-414c-8602-150d5505b777": {
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "ebb9007ad27001cdcce71f4a7afd8ac119b58dd0d5e483f569eb30251b762431", "sha256": "ebb9007ad27001cdcce71f4a7afd8ac119b58dd0d5e483f569eb30251b762431",
@@ -3358,10 +3400,10 @@
}, },
"497a7091-0ebd-44d7-88c4-367ab4d4d852": { "497a7091-0ebd-44d7-88c4-367ab4d4d852": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "Web Server Child Shell Spawn Detected via Defend for Containers", "rule_name": "Web Server Exploitation Detected via Defend for Containers",
"sha256": "2836307f3b351a22d2986635ec61828cb144fabc433c6320de3eaa7c42f2d530", "sha256": "7472e79abc8837f88013d2d6772b889d8508248d6455205e9f51839bdd0512f8",
"type": "eql", "type": "eql",
"version": 1 "version": 2
}, },
"4982ac3e-d0ee-4818-b95d-d9522d689259": { "4982ac3e-d0ee-4818-b95d-d9522d689259": {
"rule_name": "Process Discovery Using Built-in Tools", "rule_name": "Process Discovery Using Built-in Tools",
@@ -3375,22 +3417,22 @@
"8.19": { "8.19": {
"max_allowable_version": 106, "max_allowable_version": 106,
"rule_name": "Entra ID Federated Identity Credential Issuer Modified", "rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "ff1e6fb43f0632db21046ece71d7058ab3cee78192896d0f3a94b2c4d381c440", "sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql", "type": "esql",
"version": 7 "version": 8
}, },
"9.1": { "9.1": {
"max_allowable_version": 206, "max_allowable_version": 206,
"rule_name": "Entra ID Federated Identity Credential Issuer Modified", "rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "8aa466b92052814d35b6235ef0f0cf8bae090247c85ceacc0a8dc6f29e8f02d2", "sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql", "type": "esql",
"version": 107 "version": 108
} }
}, },
"rule_name": "Entra ID Federated Identity Credential Issuer Modified", "rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "1eb81cd186255e2682840b619c6fb99b4336bd278ada27f0d233b59ecd44c77f", "sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql", "type": "esql",
"version": 207 "version": 208
}, },
"4a4e23cf-78a2-449c-bac3-701924c269d3": { "4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior", "rule_name": "Possible FIN7 DGA Command and Control Behavior",
@@ -3458,9 +3500,9 @@
}, },
"4b77d382-b78e-4aae-85a0-8841b80e4fc4": { "4b77d382-b78e-4aae-85a0-8841b80e4fc4": {
"rule_name": "Kubernetes Forbidden Request from Unusual User Agent", "rule_name": "Kubernetes Forbidden Request from Unusual User Agent",
"sha256": "bce55d444f06dadedac1ad5fcab4e1b83ad531d1a3c30d85dac9d116dfb2998a", "sha256": "96f9b15e64a5aae3a06bb23e8ef6300fa3c5410b9e4105647ebcc1f58ab564f9",
"type": "new_terms", "type": "new_terms",
"version": 3 "version": 4
}, },
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"rule_name": "ProxyChains Activity", "rule_name": "ProxyChains Activity",
@@ -3474,6 +3516,12 @@
"type": "machine_learning", "type": "machine_learning",
"version": 7 "version": 7
}, },
"4bae6c34-57be-403a-a556-e48f9ecef0b7": {
"rule_name": "M365 Quarantine and Hygiene Signal",
"sha256": "3867e20407fa8e99b982da896d109a4bdf4a843a97dbd1931bce9c4ea41f6819",
"type": "query",
"version": 1
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": { "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"rule_name": "Unusual Process Execution Path - Alternate Data Stream", "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "08f92365c8289d32623711be239952da8e2d840c26fc0c8cd00126ee17684e8f", "sha256": "08f92365c8289d32623711be239952da8e2d840c26fc0c8cd00126ee17684e8f",
@@ -3571,6 +3619,12 @@
"type": "query", "type": "query",
"version": 413 "version": 413
}, },
"4f2654e4-125b-11f1-af7d-f661ea17fbce": {
"rule_name": "M365 SharePoint Search for Sensitive Content",
"sha256": "f1b0c07102a00a597a4213a80a301d7d51d4d784c15d6641cd09775742725dfe",
"type": "eql",
"version": 1
},
"4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": { "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
"rule_name": "Kernel Unpacking Activity", "rule_name": "Kernel Unpacking Activity",
"sha256": "e98cdfe47f6f762212f97a88c9e9242fe21f61b9c7ea51aeab5e6492b9609ccb", "sha256": "e98cdfe47f6f762212f97a88c9e9242fe21f61b9c7ea51aeab5e6492b9609ccb",
@@ -3591,9 +3645,9 @@
}, },
"50742e15-c5ef-49c8-9a2d-31221d45af58": { "50742e15-c5ef-49c8-9a2d-31221d45af58": {
"rule_name": "Okta Successful Login After Credential Attack", "rule_name": "Okta Successful Login After Credential Attack",
"sha256": "55bee654e447f1127392b0f508b6b48a0436e8d2b9889b59329c8696c39cfc38", "sha256": "cf4ea6ec96f91bf55c3c6f1eca9cc056966f470e390fcba12bbe8e6264352a14",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
@@ -3682,9 +3736,9 @@
"527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": { "527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "Tool Installation Detected via Defend for Containers", "rule_name": "Tool Installation Detected via Defend for Containers",
"sha256": "60bd0870424af064060e3b1ad24aed4a9995fa9765dae5c3a1e175186c971501", "sha256": "6a19c11e4ec0d2dbf6539a7ae96322c3cfd2ae84d1d3ddc45b59bfdf5141dd10",
"type": "eql", "type": "eql",
"version": 2 "version": 3
}, },
"5297b7f1-bccd-4611-93fa-ea342a01ff84": { "5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"rule_name": "Execution via Microsoft DotNet ClickOnce Host", "rule_name": "Execution via Microsoft DotNet ClickOnce Host",
@@ -3797,9 +3851,9 @@
}, },
"55a372b9-f5b6-4069-a089-8637c00609a2": { "55a372b9-f5b6-4069-a089-8637c00609a2": {
"rule_name": "First-Time FortiGate Administrator Login", "rule_name": "First-Time FortiGate Administrator Login",
"sha256": "c8ae5b46d71c1deaa2facaa60f2af5cf5b1ff5ebf20e1db487ae74f4c3be7e8d", "sha256": "12264a88f6fcad9572c92f14f075c023b869acf3fd69f4ac23d26f7819b71c70",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"55c2bf58-2a39-4c58-a384-c8b1978153c2": { "55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"rule_name": "Windows Service Installed via an Unusual Client", "rule_name": "Windows Service Installed via an Unusual Client",
@@ -3941,9 +3995,9 @@
}, },
"5889760c-9858-4b4b-879c-e299df493295": { "5889760c-9858-4b4b-879c-e299df493295": {
"rule_name": "Potential Okta Brute Force (Multi-Source)", "rule_name": "Potential Okta Brute Force (Multi-Source)",
"sha256": "f01353ef2c7832ac2582fd21f0a0b382c87d1523f7b9feedbef273fead65952f", "sha256": "483f341a689103f78ee0028c88bc8ff03e6d6ce55e6b3bd6e70f13c790a58d36",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry", "rule_name": "RDP Enabled via Registry",
@@ -4097,9 +4151,9 @@
}, },
"5bdad1d5-5001-4a13-ae99-fa8619500f1a": { "5bdad1d5-5001-4a13-ae99-fa8619500f1a": {
"rule_name": "Base64 Decoded Payload Piped to Interpreter", "rule_name": "Base64 Decoded Payload Piped to Interpreter",
"sha256": "ee13cbe8118f1116bc492fdb3d0c5492107c61620f936867492a273ae8e2e42f", "sha256": "a3e5e93104eff8cc43073a34010259addb085407c0b9db48084e216971198b42",
"type": "eql", "type": "eql",
"version": 5 "version": 6
}, },
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion", "rule_name": "AWS WAF Rule or Rule Group Deletion",
@@ -4290,9 +4344,9 @@
}, },
"60c814fc-7d06-11f0-b326-f661ea17fbcd": { "60c814fc-7d06-11f0-b326-f661ea17fbcd": {
"rule_name": "M365 Threat Intelligence Signal", "rule_name": "M365 Threat Intelligence Signal",
"sha256": "91d57ec69f35861a701090f79984b02303e24f68999cf2cf4ca1e8cf430ac5dc", "sha256": "79dc01a9db946e1a3d5c41a5e8c2af04359b9e44ecee31c16c38a3723d8bab07",
"type": "query", "type": "query",
"version": 2 "version": 3
}, },
"60da1bd7-c0b9-4ba2-b487-50a672274c04": { "60da1bd7-c0b9-4ba2-b487-50a672274c04": {
"rule_name": "Discovery Command Output Written to Suspicious File", "rule_name": "Discovery Command Output Written to Suspicious File",
@@ -4332,9 +4386,9 @@
}, },
"618a219d-a363-4ab1-ba30-870d7c22facd": { "618a219d-a363-4ab1-ba30-870d7c22facd": {
"rule_name": "FortiGate FortiCloud SSO Login from Unusual Source", "rule_name": "FortiGate FortiCloud SSO Login from Unusual Source",
"sha256": "72da74c741d7d212fe291bf91eec7e01a0a2927b05681655ce4fcdda5b27197b", "sha256": "d2abab1390a043ad71171a861b542dc9d94f79af253dd0032c1fe0b04e90beb0",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"618bb351-00f0-467b-8956-8cace8b81f07": { "618bb351-00f0-467b-8956-8cace8b81f07": {
"rule_name": "AWS S3 Bucket Policy Added to Allow Public Access", "rule_name": "AWS S3 Bucket Policy Added to Allow Public Access",
@@ -4416,15 +4470,15 @@
}, },
"63c056a0-339a-11ed-a261-0242ac120002": { "63c056a0-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent", "rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent",
"sha256": "a51b22abe731e1bf42bee2f8ab1b1e5278704564385639b3e04c29090100abdd", "sha256": "b5f24bfa2e0ca5124eb8906e21888074cbc74f7ce03972f697e7da5b3a9dd341",
"type": "new_terms", "type": "new_terms",
"version": 10 "version": 11
}, },
"63c057cc-339a-11ed-a261-0242ac120002": { "63c057cc-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent", "rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent",
"sha256": "34c05c49fad5144c6d74e2060f98c8e4b73196e62fa7d647790619127fd75deb", "sha256": "67374027e182776c03ce4412cb80c48c6224950afbbd622642c858cd97e5964f",
"type": "new_terms", "type": "new_terms",
"version": 11 "version": 12
}, },
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
"rule_name": "Sensitive Registry Hive Access via RegBack", "rule_name": "Sensitive Registry Hive Access via RegBack",
@@ -4476,9 +4530,9 @@
}, },
"64f17c52-6c6e-479e-ba72-236f3df18f3d": { "64f17c52-6c6e-479e-ba72-236f3df18f3d": {
"rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences", "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
"sha256": "1ba76a28d1221550f249957c43bfccd0a28542d4170ccd39ce015e683cb07d10", "sha256": "9bb82ad0e9bc06828a6c9959f3e13a9a5b3cb76d96ecae5e74a67b9ab53a6abd",
"type": "esql", "type": "esql",
"version": 10 "version": 11
}, },
"6505e02e-28dd-41cd-b18f-64e649caa4e2": { "6505e02e-28dd-41cd-b18f-64e649caa4e2": {
"rule_name": "Manual Memory Dumping via Proc Filesystem", "rule_name": "Manual Memory Dumping via Proc Filesystem",
@@ -4621,9 +4675,9 @@
}, },
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"rule_name": "High Number of Process Terminations", "rule_name": "High Number of Process Terminations",
"sha256": "82a0ae24f8d6d4c866863accc34121f96f99a43a9484b4f778960ac82bdc6be8", "sha256": "680382f572bc86ba9176bd3c8a36fc5d0e5243f44981819bad005566fcf79f13",
"type": "threshold", "type": "threshold",
"version": 116 "version": 117
}, },
"68113fdc-3105-4cdd-85bb-e643c416ef0b": { "68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe", "rule_name": "Query Registry via reg.exe",
@@ -4711,9 +4765,9 @@
}, },
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
"rule_name": "AWS IAM User Created Access Keys For Another User", "rule_name": "AWS IAM User Created Access Keys For Another User",
"sha256": "1d9a305b395b414fcbcd48a340bc84de15aadf87a7e92478d4eec8c24f2e1447", "sha256": "cde5eb69a93612087164e1626195700bd500e73b3e1248816d9a757a270b15bc",
"type": "esql", "type": "esql",
"version": 11 "version": 12
}, },
"699e9fdb-b77c-4c01-995c-1c15019b9c43": { "699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
@@ -4783,9 +4837,9 @@
}, },
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression", "rule_name": "Sensitive Files Compression",
"sha256": "00cbc975bf2bb4c3eabce8c28956e5676b088239f60aedb0397f4e4c6e3bb64e", "sha256": "21ac45217a2911444af91c4b8718e6c8d41f5981ef2e51a3ad618510a24f804c",
"type": "new_terms", "type": "new_terms",
"version": 212 "version": 213
}, },
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"rule_name": "Remote Computer Account DnsHostName Update", "rule_name": "Remote Computer Account DnsHostName Update",
@@ -4829,9 +4883,9 @@
}, },
"6d448b96-c922-4adb-b51c-b767f1ea5b76": { "6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"rule_name": "Unusual Process For a Windows Host", "rule_name": "Unusual Process For a Windows Host",
"sha256": "a9d9339a8264b3d2300490621a7a0ccff22ea03e314c0467ae20f9d7c0df0b13", "sha256": "3daaa058e3efafed14592627624d5744ecfbcc23d1d0dc1c4618589616b032a3",
"type": "machine_learning", "type": "machine_learning",
"version": 214 "version": 215
}, },
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"rule_name": "Potential Privilege Escalation via CVE-2023-4911", "rule_name": "Potential Privilege Escalation via CVE-2023-4911",
@@ -4847,9 +4901,9 @@
}, },
"6ddb6c33-00ce-4acd-832a-24b251512023": { "6ddb6c33-00ce-4acd-832a-24b251512023": {
"rule_name": "Potential PowerShell Obfuscation via Special Character Overuse", "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
"sha256": "13ff8d1f600483ce1e555b28c7a7a4c6b9ffc5be4d95a4a86f2f9d8d0d6c9ac5", "sha256": "0956563347ca9848e890ebe9a07a4ac68d34ad6b42b34bab5bc227b7b7dd9136",
"type": "esql", "type": "esql",
"version": 9 "version": 10
}, },
"6ded0996-7d4b-40f2-bf4a-6913e7591795": { "6ded0996-7d4b-40f2-bf4a-6913e7591795": {
"rule_name": "Root Certificate Installation", "rule_name": "Root Certificate Installation",
@@ -4858,10 +4912,10 @@
"version": 106 "version": 106
}, },
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", "rule_name": "First Time Seen Remote Monitoring and Management Tool",
"sha256": "213c2d203380501be08aecccb31169f1fb616edad4188e5f3f290ce6edd7b24c", "sha256": "04511da508ec7e9026719f649c7b3ebaf91040260ce93d63d701522a0b2cf21c",
"type": "new_terms", "type": "new_terms",
"version": 114 "version": 115
}, },
"6e2355cc-c60a-4d92-a80c-e54a45ad2400": { "6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
"rule_name": "Loadable Kernel Module Configuration File Creation", "rule_name": "Loadable Kernel Module Configuration File Creation",
@@ -4895,9 +4949,9 @@
}, },
"6e92a21a-58e7-449a-9cfd-9f563f59ac88": { "6e92a21a-58e7-449a-9cfd-9f563f59ac88": {
"rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host", "rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host",
"sha256": "0af28c57cd19d5320e05faaad5f00b01898a15bbb2ff2f44b2bad5017e23d748", "sha256": "2721e5e930982a6897a8da41631c6208072d6a03cb7bd026ece1d156d5308d26",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"rule_name": "Enumeration of Users or Groups via Built-in Commands", "rule_name": "Enumeration of Users or Groups via Built-in Commands",
@@ -4949,9 +5003,9 @@
}, },
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"rule_name": "First Occurrence of Okta User Session Started via Proxy", "rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "9868b324f20d976867393dea2d166df6dc944a6a56def58191886a560e656fce", "sha256": "d58f1b2ff3f4055daa2a2dad3692f51bb7e7934e1801a5a9219b4d5487f74b1b",
"type": "new_terms", "type": "new_terms",
"version": 209 "version": 210
}, },
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"rule_name": "Google Workspace Role Modified", "rule_name": "Google Workspace Role Modified",
@@ -4985,9 +5039,9 @@
}, },
"6fcb4fe4-ac74-449d-855b-2bbd5c51c476": { "6fcb4fe4-ac74-449d-855b-2bbd5c51c476": {
"rule_name": "Multiple Vulnerabilities by Asset via Wiz", "rule_name": "Multiple Vulnerabilities by Asset via Wiz",
"sha256": "21d9115cd06ff66fad632bb8536510a76dbedb9bfd94e609eb472df0259fb802", "sha256": "efc967ea17b6d6bd24680496c417b3ce7a00dbe16a1fa6bd08ed0d87e586e737",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"70089609-c41a-438e-b132-5b3b43c5fc07": { "70089609-c41a-438e-b132-5b3b43c5fc07": {
"rule_name": "Git Repository or File Download to Suspicious Directory", "rule_name": "Git Repository or File Download to Suspicious Directory",
@@ -5051,9 +5105,9 @@
}, },
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"rule_name": "Modification of Dynamic Linker Preload Shared Object", "rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "023d335e7994287cf47e5055a04d04bc7efbae9a37037f8b97335c8fcdfd1d28", "sha256": "f99e79395663b62abc9522267b9d5174757d2af93dd136bb6f8834c55ef2d6e8",
"type": "new_terms", "type": "new_terms",
"version": 213 "version": 214
}, },
"71bccb61-e19b-452f-b104-79a60e546a95": { "71bccb61-e19b-452f-b104-79a60e546a95": {
"rule_name": "Unusual File Creation - Alternate Data Stream", "rule_name": "Unusual File Creation - Alternate Data Stream",
@@ -5129,9 +5183,9 @@
}, },
"7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8": { "7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8": {
"rule_name": "Newly Observed Elastic Defend Behavior Alert", "rule_name": "Newly Observed Elastic Defend Behavior Alert",
"sha256": "4f9d023add64723c8fdf24169e4519f072bda1e755b54d885a9ab3fd282c4158", "sha256": "991c0b527369d84cb5ee39d4b00d92c6f07f1ea690d1589e4b8a2324575ff59e",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"730ed57d-ae0f-444f-af50-78708b57edd5": { "730ed57d-ae0f-444f-af50-78708b57edd5": {
"rule_name": "Suspicious JetBrains TeamCity Child Process", "rule_name": "Suspicious JetBrains TeamCity Child Process",
@@ -5334,9 +5388,9 @@
}, },
"781f8746-2180-4691-890c-4c96d11ca91d": { "781f8746-2180-4691-890c-4c96d11ca91d": {
"rule_name": "Potential Network Sweep Detected", "rule_name": "Potential Network Sweep Detected",
"sha256": "5c20b27d9972a603b528e757f9a230227c795bc88289b7bb230b6f6bb2112750", "sha256": "d6a7aee26189c060e18f3968d98c5c20583366dd1285c8ec97f92fff6e54fa0b",
"type": "threshold", "type": "threshold",
"version": 13 "version": 14
}, },
"78390eb5-c838-4c1d-8240-69dd7397cfb7": { "78390eb5-c838-4c1d-8240-69dd7397cfb7": {
"rule_name": "Yum/DNF Plugin Status Discovery", "rule_name": "Yum/DNF Plugin Status Discovery",
@@ -5356,6 +5410,12 @@
"type": "query", "type": "query",
"version": 109 "version": 109
}, },
"78c6559d-47a7-4f30-91fe-7e2e983206c2": {
"rule_name": "Unusual Kubernetes Sensitive Workload Modification",
"sha256": "f76ed0d7a2b70dd121cafecc10eb29a699db9fac35dac6c3f7f771e25cfbcd63",
"type": "new_terms",
"version": 1
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": { "78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"rule_name": "Spike in AWS Error Messages", "rule_name": "Spike in AWS Error Messages",
"sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89", "sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89",
@@ -5457,6 +5517,12 @@
"type": "new_terms", "type": "new_terms",
"version": 6 "version": 6
}, },
"7ab5b02c-0026-4c71-b523-dd1e97e15477": {
"rule_name": "M365 AIR Investigation Signal",
"sha256": "7c2b1e9f0ab3d40c7743bcdd398666dea7ce01f11bbb9e71369a218dc1463f85",
"type": "query",
"version": 1
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"rule_name": "Potential Privilege Escalation through Writable Docker Socket", "rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "b1a7438795c58d0002c7f5acb4e0a0e859379c4d78e74453f89e03d1177191c9", "sha256": "b1a7438795c58d0002c7f5acb4e0a0e859379c4d78e74453f89e03d1177191c9",
@@ -5531,9 +5597,9 @@
}, },
"7d02c440-52a8-4854-ad3f-71af7fbb4fc6": { "7d02c440-52a8-4854-ad3f-71af7fbb4fc6": {
"rule_name": "Alerts From Multiple Integrations by Source Address", "rule_name": "Alerts From Multiple Integrations by Source Address",
"sha256": "a61eb0d371a4caab4caa6d7283fbb4b4603fa27b28ebebb02a0b43a5b6f78cec", "sha256": "1b10a9f9c9fdd43c1e8e5a1457824e37efbddc0f82866117cf399d9e5831b8ae",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"7d091a76-0737-11ef-8469-f661ea17fbcc": { "7d091a76-0737-11ef-8469-f661ea17fbcc": {
"rule_name": "AWS Lambda Layer Added to Existing Function", "rule_name": "AWS Lambda Layer Added to Existing Function",
@@ -5699,9 +5765,9 @@
}, },
"8167c5ae-3310-439a-8a58-be60f55023d2": { "8167c5ae-3310-439a-8a58-be60f55023d2": {
"rule_name": "Suspicious Named Pipe Creation", "rule_name": "Suspicious Named Pipe Creation",
"sha256": "fd8454b2d4f97083b893c89b35068c9403dc7aab3220e1c766af3c15bade3745", "sha256": "253e887c55def671178ffe4b57883d3bc98217574f194ba83ff1120724e1a7e3",
"type": "new_terms", "type": "new_terms",
"version": 4 "version": 5
}, },
"81892f44-4946-4b27-95d3-1d8929b114a7": { "81892f44-4946-4b27-95d3-1d8929b114a7": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
@@ -5830,11 +5896,18 @@
"type": "new_terms", "type": "new_terms",
"version": 216 "version": 216
}, },
"85d9c573-ad77-461b-8315-9a02a280b20b": {
"min_stack_version": "9.3",
"rule_name": "Process Killing Detected via Defend for Containers",
"sha256": "801e043b5aec7ea7952aa8ade78a681fd2bb3fdde4e305a4c8dae8cda599d58d",
"type": "eql",
"version": 1
},
"85e2d45e-a3df-4acf-83d3-21805f564ff4": { "85e2d45e-a3df-4acf-83d3-21805f564ff4": {
"rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction", "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
"sha256": "7fd3bf166c197928c42d5da7436ced831f7387e7d7f015061f5ecf693dd830df", "sha256": "c396f8d6ed3ce693a1e895c47d620e54b123aade8d0fe2f21984be74f6d47b0c",
"type": "esql", "type": "esql",
"version": 8 "version": 9
}, },
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
"rule_name": "Potential Subnet Scanning Activity from Compromised Host", "rule_name": "Potential Subnet Scanning Activity from Compromised Host",
@@ -5920,9 +5993,9 @@
}, },
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": { "884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"rule_name": "Linux Clipboard Activity Detected", "rule_name": "Linux Clipboard Activity Detected",
"sha256": "0609fa45fbe6cea511043d6db444fe7586411718c17a3158936cd5006b2b1167", "sha256": "586482d2e766199d7d20451c536089086726536ce2d6b78324c97ca9e8a27dac",
"type": "new_terms", "type": "new_terms",
"version": 9 "version": 10
}, },
"88671231-6626-4e1b-abb7-6e361a171fbb": { "88671231-6626-4e1b-abb7-6e361a171fbb": {
"rule_name": "M365 Identity Global Administrator Role Assigned", "rule_name": "M365 Identity Global Administrator Role Assigned",
@@ -6022,15 +6095,15 @@
}, },
"8a1db198-da6f-4500-b985-7fe2457300af": { "8a1db198-da6f-4500-b985-7fe2457300af": {
"rule_name": "Kubernetes Unusual Decision by User Agent", "rule_name": "Kubernetes Unusual Decision by User Agent",
"sha256": "02bd2e5594b646fce653c4f45cd7fe8be705a608f5bf1ff46d0a0efcc0dddb22", "sha256": "1e224a2bc29fa5fe95faf7db7dd26935a7eaea101a9e5bada56484b937112be5",
"type": "new_terms", "type": "new_terms",
"version": 3 "version": 4
}, },
"8a556117-3f05-430e-b2eb-7df0100b4e3b": { "8a556117-3f05-430e-b2eb-7df0100b4e3b": {
"rule_name": "FortiGate Administrator Login from Multiple IP Addresses", "rule_name": "FortiGate Administrator Login from Multiple IP Addresses",
"sha256": "4fb953698ceae0d3a2368b598e494768631fda61e787c814fd8b14648970ed61", "sha256": "8a440ac513665ee94c1d34a0b512de1f6e575d5edf5661d50035fb6a66156621",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"rule_name": "Attempt to Deactivate an Okta Network Zone", "rule_name": "Attempt to Deactivate an Okta Network Zone",
@@ -6082,9 +6155,9 @@
}, },
"8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": { "8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": {
"rule_name": "Several Failed Protected Branch Force Pushes by User", "rule_name": "Several Failed Protected Branch Force Pushes by User",
"sha256": "9d1bc9b7060ea6d266960e7516d73eaba82762861155fa8f826340e62a420823", "sha256": "3935786d70057d64ab74ad51d331966c633ef77288e78f0bd9fe008e0a5fd11a",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet", "rule_name": "RDP (Remote Desktop Protocol) from the Internet",
@@ -6170,9 +6243,9 @@
}, },
"8d4d0a23-19d3-4186-a6f1-6f0760d2e070": { "8d4d0a23-19d3-4186-a6f1-6f0760d2e070": {
"rule_name": "Multiple External EDR Alerts by Host", "rule_name": "Multiple External EDR Alerts by Host",
"sha256": "dbd31b6d355226db225bd9b68f61c5b05042dc609806bf1688af4069be15682f", "sha256": "f7b9e9fbe3d9cfbfb3793b59abf31a5bfa623b9ab49b9c176023b6db3ad28892",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"8d696bd0-5756-11f0-8e3b-f661ea17fbcd": { "8d696bd0-5756-11f0-8e3b-f661ea17fbcd": {
"rule_name": "Entra ID OAuth ROPC Grant Login Detected", "rule_name": "Entra ID OAuth ROPC Grant Login Detected",
@@ -6218,9 +6291,9 @@
}, },
"8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": { "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": {
"rule_name": "Entra ID Actor Token User Impersonation Abuse", "rule_name": "Entra ID Actor Token User Impersonation Abuse",
"sha256": "c3a3ba5d26efb65c2238fe623846c02797e51129094d15bad8b7b5b259cf8dfb", "sha256": "f0f5507ec01c62ad2d52cfa28f5838a924c8c89eff04e88ea7870b454d0d8541",
"type": "esql", "type": "esql",
"version": 4 "version": 5
}, },
"8eec4df1-4b4b-4502-b6c3-c788714604c9": { "8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"rule_name": "Bitsadmin Activity", "rule_name": "Bitsadmin Activity",
@@ -6429,9 +6502,9 @@
}, },
"93dd73f9-3e59-45be-b023-c681273baf81": { "93dd73f9-3e59-45be-b023-c681273baf81": {
"rule_name": "Linux Video Recording or Screenshot Activity Detected", "rule_name": "Linux Video Recording or Screenshot Activity Detected",
"sha256": "8586544da38d1a02ce7e3b31dbb37e08b2ba3a6a70a6281f431da764dfa7ba5e", "sha256": "a7d3bdce1506512de3038f519099b488cfaf31a9ddf4c791ac8aca3c2861359b",
"type": "new_terms", "type": "new_terms",
"version": 1 "version": 2
}, },
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion", "rule_name": "Google Workspace Admin Role Deletion",
@@ -6465,9 +6538,9 @@
}, },
"94e734c0-2cda-11ef-84e1-f661ea17fbce": { "94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"rule_name": "Potential Okta Credential Stuffing (Single Source)", "rule_name": "Potential Okta Credential Stuffing (Single Source)",
"sha256": "51497d3090604a3039fc966afdfe2d841061c20722995d72be05eae76c1550c8", "sha256": "3582f68249eb42feefbaee5cb78961ee3fdf381c206fd4985291b0a08d16cab3",
"type": "esql", "type": "esql",
"version": 209 "version": 210
}, },
"9510add4-3392-11ed-bd01-f661ea17fbce": { "9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified", "rule_name": "Google Workspace Custom Gmail Route Created or Modified",
@@ -6987,9 +7060,9 @@
}, },
"9ed5d08f-aad6-4c03-838c-d686da887c2c": { "9ed5d08f-aad6-4c03-838c-d686da887c2c": {
"rule_name": "Okta AiTM Session Cookie Replay", "rule_name": "Okta AiTM Session Cookie Replay",
"sha256": "3c8b25b3282976d4718265e11ce3ffa5a131cfff8bb053549a80ef90c6610b8a", "sha256": "e83eb0975f982673d5e2c6240da8d5e17e7db175d72dc6df15da96c717104f26",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"9edd000e-cbd1-4d6a-be72-2197b5625a05": { "9edd000e-cbd1-4d6a-be72-2197b5625a05": {
"rule_name": "Suricata and Elastic Defend Network Correlation", "rule_name": "Suricata and Elastic Defend Network Correlation",
@@ -6999,9 +7072,9 @@
}, },
"9edd1804-83c7-4e48-b97d-c776b4c97564": { "9edd1804-83c7-4e48-b97d-c776b4c97564": {
"rule_name": "PowerShell Obfuscation via Negative Index String Reversal", "rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
"sha256": "e6f63f5a14d9fd64fa42c6876b3fc572b1ae4e05b427504913ebd567c4db37a4", "sha256": "b19dffa62d3df7148544385ab17298f3037388eb487eaf544505b0c11521d102",
"type": "esql", "type": "esql",
"version": 8 "version": 9
}, },
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public", "rule_name": "AWS RDS DB Instance Made Public",
@@ -7017,9 +7090,9 @@
}, },
"9f432a8b-9588-4550-838e-1f77285580d3": { "9f432a8b-9588-4550-838e-1f77285580d3": {
"rule_name": "Dynamic IEX Reconstruction via Method String Access", "rule_name": "Dynamic IEX Reconstruction via Method String Access",
"sha256": "240a406d0305dd6344e374366a323c69f6639bb80c3853e6d7d82cb35a43eef3", "sha256": "7045b58f9119ab5ed4fa366f17cda1286910cc23c9f46bf53054547d2fa5b56d",
"type": "esql", "type": "esql",
"version": 10 "version": 11
}, },
"9f962927-1a4f-45f3-a57b-287f2c7029c1": { "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"rule_name": "Potential Credential Access via DCSync", "rule_name": "Potential Credential Access via DCSync",
@@ -7111,6 +7184,12 @@
"type": "new_terms", "type": "new_terms",
"version": 1 "version": 1
}, },
"a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": {
"rule_name": "Potential Account Takeover - Logon from New Source IP",
"sha256": "57e6c9d11619a17fa33f9b5d554849c500b51728ab5a7bfa82b61c0ca7a399e1",
"type": "esql",
"version": 1
},
"a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": { "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": {
"rule_name": "Entra ID Protection Admin Confirmed Compromise", "rule_name": "Entra ID Protection Admin Confirmed Compromise",
"sha256": "38404d75082d19283a1f7a678f193438c1eb1868ab1c395c3b5633bd6c8e89e4", "sha256": "38404d75082d19283a1f7a678f193438c1eb1868ab1c395c3b5633bd6c8e89e4",
@@ -7179,9 +7258,9 @@
}, },
"a337c3f8-e264-4eb4-9998-22669ca52791": { "a337c3f8-e264-4eb4-9998-22669ca52791": {
"rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected", "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected",
"sha256": "07c213ebd7d0107bf8690e3353e74ed32a3fa4c99e2dcb4e6a90c5b51ce33882", "sha256": "c842a49d9921b27647b6349ad118e5d70cd985461f2b819bf9fa5f5a4a11bae3",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"a3cc60d8-2701-11f0-accf-f661ea17fbcd": { "a3cc60d8-2701-11f0-accf-f661ea17fbcd": {
"rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client", "rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client",
@@ -7327,9 +7406,9 @@
"a750bbcc-863f-41ef-9924-fd8224e23694": { "a750bbcc-863f-41ef-9924-fd8224e23694": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers", "rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers",
"sha256": "2b7bf9a3de0eb18418db511b219abdc7cadd3b5cdefdd70d1cb796dd83161b36", "sha256": "5846c6b43e380d83d1c497de9db85c35f4fb983138dde4300adddb76e4cd3ec4",
"type": "eql", "type": "eql",
"version": 1 "version": 2
}, },
"a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": { "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": {
"rule_name": "Execution via OpenClaw Agent", "rule_name": "Execution via OpenClaw Agent",
@@ -7349,6 +7428,12 @@
"type": "eql", "type": "eql",
"version": 315 "version": 315
}, },
"a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f": {
"rule_name": "M365 Purview Security Compliance Signal",
"sha256": "d963fc1b077051067a8bc042f00ec72e4f00312ac6bc459bfacda7b80c2b9ec4",
"type": "query",
"version": 1
},
"a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": { "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": {
"rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User", "rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User",
"sha256": "5cb15224ba5e3b436c88a0c808d62f5975a8a962c7c0d804baf2e704d054b03d", "sha256": "5cb15224ba5e3b436c88a0c808d62f5975a8a962c7c0d804baf2e704d054b03d",
@@ -7404,6 +7489,12 @@
"type": "eql", "type": "eql",
"version": 2 "version": 2
}, },
"a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0": {
"rule_name": "Newly Observed ScreenConnect Host Server",
"sha256": "5a8acf8b9ca572d30b42f96b89249dc24621630278b9db105d665630cbb8cb34",
"type": "esql",
"version": 1
},
"a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": { "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": {
"rule_name": "Azure Storage Blob Retrieval via AzCopy", "rule_name": "Azure Storage Blob Retrieval via AzCopy",
"sha256": "630eb9459fc7c5632430c7f31e2e7b09b45d97301ab806d43a312588e54ee683", "sha256": "630eb9459fc7c5632430c7f31e2e7b09b45d97301ab806d43a312588e54ee683",
@@ -7412,9 +7503,9 @@
}, },
"a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": { "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": {
"rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand", "rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand",
"sha256": "8ed3514f87da2cdb2928680ebebadacf9c99a8de8d6504196742c42c1969fb24", "sha256": "cd7321baa685c0b8fdee3998ff993ac2f4f5761124d7f2e78e2c404978211ab3",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"rule_name": "High Variance in RDP Session Duration", "rule_name": "High Variance in RDP Session Duration",
@@ -7526,9 +7617,9 @@
}, },
"ab7795cc-0e0b-4f9d-a934-1f17a58f869a": { "ab7795cc-0e0b-4f9d-a934-1f17a58f869a": {
"rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)", "rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)",
"sha256": "1cde5d806050171a8af5ccce92a4ee5c18676617db73c04392ef22527cca5238", "sha256": "c1d2e49b9c7ced7cce10153c0338a47448b25c6a03c1e185a3ae353d07665b67",
"type": "eql", "type": "eql",
"version": 1 "version": 2
}, },
"ab8f074c-5565-4bc4-991c-d49770e19fc9": { "ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"rule_name": "AWS S3 Object Encryption Using External KMS Key", "rule_name": "AWS S3 Object Encryption Using External KMS Key",
@@ -7734,6 +7825,12 @@
"type": "new_terms", "type": "new_terms",
"version": 7 "version": 7
}, },
"af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": {
"rule_name": "Okta Alerts Following Unusual Proxy Authentication",
"sha256": "654269218ea4d36e4c6c44c897f0d1045a8e3958ec8ada141505606d41445514",
"type": "eql",
"version": 1
},
"afa135c0-a365-43ab-aa35-fd86df314a47": { "afa135c0-a365-43ab-aa35-fd86df314a47": {
"rule_name": "Unusual User Privilege Enumeration via id", "rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "58f5a32068e937f8a5a7e0ebf56c814d9d90bc5411188e096283a1699389e0bf", "sha256": "58f5a32068e937f8a5a7e0ebf56c814d9d90bc5411188e096283a1699389e0bf",
@@ -7796,9 +7893,9 @@
}, },
"b0c98cfb-0745-4513-b6f9-08dddb033490": { "b0c98cfb-0745-4513-b6f9-08dddb033490": {
"rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables", "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables",
"sha256": "9b70b1ae2e9c9a8d5c326e930ee1d6922a8234afeb5945abdad61790a366eb47", "sha256": "deec12e81c3d8c2bda1563d1d7e93dc1148fff91ddea9ab3eaff47117ad97a1d",
"type": "esql", "type": "esql",
"version": 9 "version": 10
}, },
"b11116fd-023c-4718-aeb8-fa9d283fc53b": { "b11116fd-023c-4718-aeb8-fa9d283fc53b": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
@@ -7876,6 +7973,12 @@
"type": "threshold", "type": "threshold",
"version": 1 "version": 1
}, },
"b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": {
"rule_name": "Potential Account Takeover - Mixed Logon Types",
"sha256": "6fe0f08ade5d4fc0987a2467cbde981ee38c90a5d96697e3e6851627833b4c8d",
"type": "esql",
"version": 1
},
"b2c3d4e5-f6a7-8901-bcde-f123456789ab": { "b2c3d4e5-f6a7-8901-bcde-f123456789ab": {
"rule_name": "GenAI Process Compiling or Generating Executables", "rule_name": "GenAI Process Compiling or Generating Executables",
"sha256": "1b44e3cddeb6ca2f774015e8420483b4590ca117d2b4e014e2a651e58d0075d6", "sha256": "1b44e3cddeb6ca2f774015e8420483b4590ca117d2b4e014e2a651e58d0075d6",
@@ -8040,9 +8143,9 @@
}, },
"b7f77c3c-1bcb-4afc-9ace-49357007947b": { "b7f77c3c-1bcb-4afc-9ace-49357007947b": {
"rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike", "rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike",
"sha256": "5e33ef87d305f50f061545ef99ce1dd5b9ce6bfa3247837f6e2355532fbe5fcd", "sha256": "3fc38efdfb54c28bd83b93be278e07a0480084d972768a3dac3e6d6187408cb7",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"b8075894-0b62-46e5-977c-31275da34419": { "b8075894-0b62-46e5-977c-31275da34419": {
"rule_name": "Administrator Privileges Assigned to an Okta Group", "rule_name": "Administrator Privileges Assigned to an Okta Group",
@@ -8052,9 +8155,9 @@
}, },
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"rule_name": "Linux System Information Discovery", "rule_name": "Linux System Information Discovery",
"sha256": "c4e3a5090583d6cecaac50b3fdef659bb2062b055ba65461ccaf9ddd7f570b32", "sha256": "fa7b67791e4a1c0bddd450fbbbaf999f5c80e8ca6fdcb193e3822be4d331ba5b",
"type": "new_terms", "type": "new_terms",
"version": 7 "version": 8
}, },
"b8386923-b02c-4b94-986a-d223d9b01f88": { "b8386923-b02c-4b94-986a-d223d9b01f88": {
"rule_name": "PowerShell Invoke-NinjaCopy script", "rule_name": "PowerShell Invoke-NinjaCopy script",
@@ -8087,6 +8190,12 @@
"type": "query", "type": "query",
"version": 1 "version": 1
}, },
"b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": {
"rule_name": "M365 Purview DLP Signal",
"sha256": "04360f0ce85534f39be7ba0ec1699302b04855d9ef703ccd49c39e0d6e39c3e7",
"type": "query",
"version": 1
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"rule_name": "Kirbi File Creation", "rule_name": "Kirbi File Creation",
"sha256": "f0425912b32267ad405c24d9e2fc4da797b6544d08646645eb230ade605c0b4e", "sha256": "f0425912b32267ad405c24d9e2fc4da797b6544d08646645eb230ade605c0b4e",
@@ -8191,9 +8300,9 @@
}, },
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"rule_name": "M365 OneDrive Malware File Upload", "rule_name": "M365 OneDrive Malware File Upload",
"sha256": "a61bbbfa2a2f704a98aff991ac3892323c1ec978f59e28708b05c7bfc824180d", "sha256": "cd0ee58446ad10fef53b9675021f3383a26e3552230434632e711d88af2d5d1e",
"type": "query", "type": "query",
"version": 211 "version": 212
}, },
"bba8c7d1-172b-435d-9034-02ed9289c628": { "bba8c7d1-172b-435d-9034-02ed9289c628": {
"rule_name": "Potential Etherhiding C2 via Blockchain Connection", "rule_name": "Potential Etherhiding C2 via Blockchain Connection",
@@ -8203,9 +8312,9 @@
}, },
"bbaa96b9-f36c-4898-ace2-581acb00a409": { "bbaa96b9-f36c-4898-ace2-581acb00a409": {
"rule_name": "Potential SYN-Based Port Scan Detected", "rule_name": "Potential SYN-Based Port Scan Detected",
"sha256": "352b0d2453ef219a0e530c3488bdd1b9548690c7bc717e3b5fd20a03b2fa88ee", "sha256": "815c666bcc295daeb2243a634ef0d8210a3b075ef8218de881cc4d8e7cb3cfce",
"type": "threshold", "type": "threshold",
"version": 13 "version": 14
}, },
"bbd1a775-8267-41fa-9232-20e5582596ac": { "bbd1a775-8267-41fa-9232-20e5582596ac": {
"rule_name": "M365 Teams Custom Application Interaction Enabled", "rule_name": "M365 Teams Custom Application Interaction Enabled",
@@ -8353,9 +8462,9 @@
}, },
"bf8c007c-7dee-4842-8e9a-ee534c09d205": { "bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"rule_name": "System Owner/User Discovery Linux", "rule_name": "System Owner/User Discovery Linux",
"sha256": "6565b433d28c9d96ee23e6597d655eaf4fb7b01e667594f9c882613e332e739f", "sha256": "8333574a0bd6910364814cb33d533eeb7ff3ce241fecbde36cde344d754dd008",
"type": "new_terms", "type": "new_terms",
"version": 7 "version": 8
}, },
"bfba5158-1fd6-4937-a205-77d96213b341": { "bfba5158-1fd6-4937-a205-77d96213b341": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region", "rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
@@ -8538,6 +8647,12 @@
"type": "new_terms", "type": "new_terms",
"version": 1 "version": 1
}, },
"c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": {
"rule_name": "Suspicious Execution from VS Code Extension",
"sha256": "c801b37699ca3fa63ec4095cd5889b3842b42a66e9a48c161a0dca78c7707c5e",
"type": "eql",
"version": 1
},
"c3d4e5f6-a7b8-9012-cdef-123456789abc": { "c3d4e5f6-a7b8-9012-cdef-123456789abc": {
"rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity", "rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"sha256": "cdb4bf583f1114ff298aa113567237a8727f03bf3675eca5da4ec615db63f688", "sha256": "cdb4bf583f1114ff298aa113567237a8727f03bf3675eca5da4ec615db63f688",
@@ -8571,9 +8686,9 @@
"c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": { "c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "Multiple Rare Elastic Defend Behavior Rules by Host", "rule_name": "Multiple Rare Elastic Defend Behavior Rules by Host",
"sha256": "c0d66e17e9785feeec08ca3facd4df547341800aa13d146f280878dd710f5426", "sha256": "4542646fbec130c4f8575763a13a38d14024a3c708f352f590be00d4942eb20e",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"c55badd3-3e61-4292-836f-56209dc8a601": { "c55badd3-3e61-4292-836f-56209dc8a601": {
"rule_name": "Attempted Private Key Access", "rule_name": "Attempted Private Key Access",
@@ -8678,10 +8793,20 @@
"version": 3 "version": 3
}, },
"c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": { "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
"sha256": "327ff75523310cbad3219c26ebc97ff87df70d0380a60c4d9607b8c0bf433c89",
"type": "new_terms",
"version": 6
}
},
"rule_name": "AWS IAM API Calls via Temporary Session Tokens", "rule_name": "AWS IAM API Calls via Temporary Session Tokens",
"sha256": "327ff75523310cbad3219c26ebc97ff87df70d0380a60c4d9607b8c0bf433c89", "sha256": "2ab33e3210faabbf21634cb53b667334ab3853f7a3edab5accc936e62e0092c9",
"type": "new_terms", "type": "new_terms",
"version": 6 "version": 106
}, },
"c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": { "c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": {
"rule_name": "Mount Launched Inside a Container", "rule_name": "Mount Launched Inside a Container",
@@ -8803,6 +8928,12 @@
"type": "eql", "type": "eql",
"version": 12 "version": 12
}, },
"c9636a6e-125e-11f1-9cd3-f661ea17fbce": {
"rule_name": "M365 Exchange MFA Notification Email Deleted or Moved",
"sha256": "df3b151df4fd569bcd9b3f33c7f7bf9ce148405ff51fcf9a672aa8413b0a6ba8",
"type": "eql",
"version": 1
},
"c9847fe9-3bed-4e6b-b319-f9956d6dd02a": { "c9847fe9-3bed-4e6b-b319-f9956d6dd02a": {
"rule_name": "Potential Remote Install via MsiExec", "rule_name": "Potential Remote Install via MsiExec",
"sha256": "3ea4b2750fc23762da8a0f57f1cbbb92a984c24550de5eacd33590b75b809f69", "sha256": "3ea4b2750fc23762da8a0f57f1cbbb92a984c24550de5eacd33590b75b809f69",
@@ -8923,6 +9054,12 @@
"type": "eql", "type": "eql",
"version": 105 "version": 105
}, },
"cccc9be5-d8b0-466e-8a37-617eae57351a": {
"rule_name": "M365 Entra ID Risk Detection Signal",
"sha256": "392041a3844e680f234c92dc4275823b02292a6f5e26d39151ebe50958c2231d",
"type": "query",
"version": 1
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": { "cd16fb10-0261-46e8-9932-a0336278cdbe": {
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "e5f40a33e82975840bc65f1ac5e0feec696b92cfafff003e9fb617478b68b0f7", "sha256": "e5f40a33e82975840bc65f1ac5e0feec696b92cfafff003e9fb617478b68b0f7",
@@ -8932,9 +9069,9 @@
"cd24c340-b778-44bd-ab69-2f739bd70ce1": { "cd24c340-b778-44bd-ab69-2f739bd70ce1": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers", "rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers",
"sha256": "f3008bfe96f0c05c6c297439f3dcd6f545b950b428e93451c419188a4c8757fa", "sha256": "dd5558b655f37b28a249477f9e372be817a1484e796ea566c51b3f8135df88d8",
"type": "eql", "type": "eql",
"version": 1 "version": 2
}, },
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity", "rule_name": "Socat Process Activity",
@@ -9124,9 +9261,9 @@
}, },
"d19a2399-f8e2-4b10-80d8-a561ce9d24d1": { "d19a2399-f8e2-4b10-80d8-a561ce9d24d1": {
"rule_name": "System Binary Symlink to Suspicious Location", "rule_name": "System Binary Symlink to Suspicious Location",
"sha256": "0aea406ddba7b11453a548228195caa671109a902b295bcbc467bb5f21200a8b", "sha256": "38f91221ebf1ad1f815b2410711902a446bf634093f757a94276a1fc84a35506",
"type": "new_terms", "type": "new_terms",
"version": 3 "version": 4
}, },
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
"rule_name": "AWS EC2 Instance Console Login via Assumed Role", "rule_name": "AWS EC2 Instance Console Login via Assumed Role",
@@ -9196,9 +9333,9 @@
}, },
"d43f2b43-02a1-4219-8ce9-10929a32a618": { "d43f2b43-02a1-4219-8ce9-10929a32a618": {
"rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
"sha256": "739247a92bc9484d0dcb60b1be1c780d2409c02187834df1752f6b3cc122e3d4", "sha256": "7c5e02a840182b33f4790c944b9ec48af5f79dac23befdb0f069ef00258b4e70",
"type": "esql", "type": "esql",
"version": 8 "version": 9
}, },
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting", "rule_name": "Shell Execution via Apple Scripting",
@@ -9242,6 +9379,13 @@
"type": "threshold", "type": "threshold",
"version": 1 "version": 1
}, },
"d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a": {
"min_stack_version": "9.3",
"rule_name": "Elastic Defend Alert from GenAI Utility or Descendant",
"sha256": "cdaceb7b07acc4eed0fec1f0d29c98302d3dc5d01f0bb281c84fc3555fbcd5d8",
"type": "esql",
"version": 1
},
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"rule_name": "Linux init (PID 1) Secret Dump via GDB", "rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "b83c3c1532b5af713bd9011025fcc17c4214c07593127a7a206e19e9fb5e28a2", "sha256": "b83c3c1532b5af713bd9011025fcc17c4214c07593127a7a206e19e9fb5e28a2",
@@ -9274,9 +9418,9 @@
}, },
"d591d7af-399b-4888-b705-ae612690c48d": { "d591d7af-399b-4888-b705-ae612690c48d": {
"rule_name": "Newly Observed High Severity Suricata Alert", "rule_name": "Newly Observed High Severity Suricata Alert",
"sha256": "5429febf472a2b6a92abaf89cbe7b824b49407e8a1704ee6415bac4a4abcf45a", "sha256": "de1f830567ec7ac8c8a76bd6164a6af0895adedc8ceb7ea49c91dda648461626",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"rule_name": "Attempt to Delete an Okta Policy Rule", "rule_name": "Attempt to Delete an Okta Policy Rule",
@@ -9455,9 +9599,9 @@
"d9bfa475-270d-4b07-93cb-b1f49abe13da": { "d9bfa475-270d-4b07-93cb-b1f49abe13da": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers", "rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"sha256": "9a8879a1b9bab3940164561c3907250d88bce0a1a16c2c2ac5de71620cfb7523", "sha256": "ce0e37c4131266899b3fff16ba9305d4088310293fc2c32ed800451178e89358",
"type": "eql", "type": "eql",
"version": 1 "version": 2
}, },
"d9faf1ba-a216-4c29-b8e0-a05a9d14b027": { "d9faf1ba-a216-4c29-b8e0-a05a9d14b027": {
"rule_name": "Sensitive Files Compression Inside A Container", "rule_name": "Sensitive Files Compression Inside A Container",
@@ -9503,9 +9647,9 @@
}, },
"da7f7a93-26e1-49ce-b336-963c6dc17c7b": { "da7f7a93-26e1-49ce-b336-963c6dc17c7b": {
"rule_name": "Multiple Machine Learning Alerts by Influencer Field", "rule_name": "Multiple Machine Learning Alerts by Influencer Field",
"sha256": "bbac8cf5212f002212b5f8bf7bd3d272ce4cfefbc2fc7e77631b044646ec3b81", "sha256": "261d3febfee5e90a2350910f92af7a263d627358d8f42ad07c4a9e339509fdb5",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"da87eee1-129c-4661-a7aa-57d0b9645fad": { "da87eee1-129c-4661-a7aa-57d0b9645fad": {
"rule_name": "Suspicious Service was Installed in the System", "rule_name": "Suspicious Service was Installed in the System",
@@ -9742,9 +9886,9 @@
}, },
"df9c0e92-5dee-4f1d-a760-3a5c039e4382": { "df9c0e92-5dee-4f1d-a760-3a5c039e4382": {
"rule_name": "Detection Alert on a Process Exhibiting CPU Spike", "rule_name": "Detection Alert on a Process Exhibiting CPU Spike",
"sha256": "f5ac0710ca1245ab366c3b05727497d8c3380c801d3c5d4c58c457f5221c2e67", "sha256": "83a996f5513897b32f3f2090c57c0cb08be06399fea34777c922db1e09a1d437",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"rule_name": "Potential privilege escalation via CVE-2022-38028", "rule_name": "Potential privilege escalation via CVE-2022-38028",
@@ -9868,9 +10012,9 @@
}, },
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"rule_name": "System Network Connections Discovery", "rule_name": "System Network Connections Discovery",
"sha256": "60a571ef757ab1f19773e24a8565e269022ef8dce483eb103351f24cc96cc4f0", "sha256": "b00992fce58b8dc70936e08ee54b5daac9d824811cc5a4c82eb3167aee0301ec",
"type": "new_terms", "type": "new_terms",
"version": 6 "version": 7
}, },
"e2e0537d-7d8f-4910-a11d-559bcf61295a": { "e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
@@ -9969,10 +10113,20 @@
"version": 212 "version": 212
}, },
"e4feea34-3b62-4c83-b77f-018fbef48c00": { "e4feea34-3b62-4c83-b77f-018fbef48c00": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
"sha256": "0cc36350d68626dc93304799effc87027ee6e7dfdb46469ccc949b5c0662e38d",
"type": "eql",
"version": 4
}
},
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token", "rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
"sha256": "0cc36350d68626dc93304799effc87027ee6e7dfdb46469ccc949b5c0662e38d", "sha256": "ea754dc7ebd790477767de5ab2895d06f2ef94d22a8707ae800e9f54986de376",
"type": "eql", "type": "eql",
"version": 4 "version": 104
}, },
"e514d8cd-ed15-4011-84e2-d15147e059f1": { "e514d8cd-ed15-4011-84e2-d15147e059f1": {
"rule_name": "Kerberos Pre-authentication Disabled for User", "rule_name": "Kerberos Pre-authentication Disabled for User",
@@ -10004,6 +10158,12 @@
"type": "eql", "type": "eql",
"version": 3 "version": 3
}, },
"e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": {
"rule_name": "First Time Seen DNS Query to RMM Domain",
"sha256": "b09357075adc197f9663635384299a12e0b25c28bded7221f0feeee2cf5c978e",
"type": "new_terms",
"version": 1
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": { "e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"rule_name": "Bash Shell Profile Modification", "rule_name": "Bash Shell Profile Modification",
"sha256": "2fd375388407792fd51a8969b707aa25f45b320020108a7979676d7a7f9a867e", "sha256": "2fd375388407792fd51a8969b707aa25f45b320020108a7979676d7a7f9a867e",
@@ -10096,9 +10256,9 @@
}, },
"e819b7eb-c2d4-4adc-b0c9-658aeb140450": { "e819b7eb-c2d4-4adc-b0c9-658aeb140450": {
"rule_name": "Lateral Movement Alerts from a Newly Observed User", "rule_name": "Lateral Movement Alerts from a Newly Observed User",
"sha256": "25b15177e88f841bf8797680046c7a6100044cfd433d8f0ecb13ec8c5ac90a43", "sha256": "a3258f0d15c7c51105bf8854c5ce37f0d660fb5f008b73587d0eb4314de34c12",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter", "rule_name": "Service Control Spawned via Script Interpreter",
@@ -10150,9 +10310,9 @@
}, },
"e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": { "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
"rule_name": "Potential PowerShell Obfuscation via String Reordering", "rule_name": "Potential PowerShell Obfuscation via String Reordering",
"sha256": "c9c8e405e6ac8fa5c9711db9949851e54148dbab50f0f01943ea9202de3054cd", "sha256": "84fb725b362cfa15cd93030dd0ee407c62219b8e75e23fc673d4b4411efc479e",
"type": "esql", "type": "esql",
"version": 11 "version": 12
}, },
"e90ee3af-45fc-432e-a850-4a58cf14a457": { "e90ee3af-45fc-432e-a850-4a58cf14a457": {
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -10252,9 +10412,9 @@
}, },
"eb3150eb-e9fb-4a64-a0fc-aa66cdd35632": { "eb3150eb-e9fb-4a64-a0fc-aa66cdd35632": {
"rule_name": "Telnet Authentication Bypass via User Environment Variable", "rule_name": "Telnet Authentication Bypass via User Environment Variable",
"sha256": "c869b726c71065ef1c6ec9bc86d8d6c93a4576e456ad1a9e49a6cb90158de156", "sha256": "dad30a9b0ac5bb3048cae4d42fe0015a25c5bdf4122aaec696d0bfede5c73556",
"type": "eql", "type": "eql",
"version": 1 "version": 2
}, },
"eb44611f-62a8-4036-a5ef-587098be6c43": { "eb44611f-62a8-4036-a5ef-587098be6c43": {
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
@@ -10323,9 +10483,9 @@
} }
}, },
"rule_name": "File Execution Permission Modification Detected via Defend for Containers", "rule_name": "File Execution Permission Modification Detected via Defend for Containers",
"sha256": "c464aef0348ff82a20e8148ae70d2a55f66f0e8c371fa69e80415085ad2db41a", "sha256": "c02875fc6dfc7d8a299910738b01d4334c0184bc205d79b15c22974fb6271f10",
"type": "eql", "type": "eql",
"version": 104 "version": 105
}, },
"ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": { "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": {
"rule_name": "Kubernetes Forbidden Creation Request", "rule_name": "Kubernetes Forbidden Creation Request",
@@ -10359,9 +10519,9 @@
}, },
"ed3fedc3-dd10-45a5-a485-34a8b48cea46": { "ed3fedc3-dd10-45a5-a485-34a8b48cea46": {
"rule_name": "Unusual Remote File Creation", "rule_name": "Unusual Remote File Creation",
"sha256": "83b61acb47941fdd7ddf74b051c1403ad5940349e000dde55a40bb059e9ff0f5", "sha256": "a7a4aa5dee70a0b7400227badb99bbd92c05ec809b52bddb0719918089f99323",
"type": "new_terms", "type": "new_terms",
"version": 5 "version": 6
}, },
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"rule_name": "Entra ID Global Administrator Role Assigned (PIM User)", "rule_name": "Entra ID Global Administrator Role Assigned (PIM User)",
@@ -10579,9 +10739,9 @@
"f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": { "f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": {
"min_stack_version": "9.3", "min_stack_version": "9.3",
"rule_name": "LLM-Based Attack Chain Triage by Host", "rule_name": "LLM-Based Attack Chain Triage by Host",
"sha256": "a8e526596cd31695f761b1c473b0d8067336519cb1918dd798f4d7752e5a7f6b", "sha256": "286422b3b4035aa2adeafd1b284e053369eeed39302d7369532e46de03eaff07",
"type": "esql", "type": "esql",
"version": 2 "version": 3
}, },
"f243fe39-83a4-46f3-a3b6-707557a102df": { "f243fe39-83a4-46f3-a3b6-707557a102df": {
"rule_name": "Service Path Modification", "rule_name": "Service Path Modification",
@@ -10614,6 +10774,12 @@
"type": "query", "type": "query",
"version": 5 "version": 5
}, },
"f2c43e8c-ccf2-4eab-9e9a-e335da253773": {
"rule_name": "M365 Purview Insider Risk Signal",
"sha256": "7b79f31c41b50f2de307dec4edf986446644ccdd5d81087cd0d65070e5bc6841",
"type": "query",
"version": 1
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": { "f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
"sha256": "77898c5469949cfb73f4b6a3d6d0e02bceeb8e65bff93cf6a24f6a88223ffadf", "sha256": "77898c5469949cfb73f4b6a3d6d0e02bceeb8e65bff93cf6a24f6a88223ffadf",
@@ -10676,9 +10842,9 @@
}, },
"f38633f4-3b31-4c80-b13d-e77c70ce8254": { "f38633f4-3b31-4c80-b13d-e77c70ce8254": {
"rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords",
"sha256": "8840b0c126687d686b10af54ad284385b8385dd1400d81f180b14c807162c05b", "sha256": "4e8a1d0b5d2d08befba089df12e7d27768455c6c08f58a912f825e916e665108",
"type": "esql", "type": "esql",
"version": 9 "version": 10
}, },
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
"rule_name": "Kill Command Execution", "rule_name": "Kill Command Execution",
@@ -10821,9 +10987,9 @@
}, },
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"rule_name": "Account or Group Discovery via Built-In Tools", "rule_name": "Account or Group Discovery via Built-In Tools",
"sha256": "dc922f1a06634e41b2fa415a4c415210b0239ecb9270eb3b5fbabeb005803dd5", "sha256": "dc828379a80bcd81d6d54e8910635b11a89acc59e65e859525568e856567c371",
"type": "new_terms", "type": "new_terms",
"version": 6 "version": 7
}, },
"f63c8e3c-d396-404f-b2ea-0379d3942d73": { "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"rule_name": "Windows Firewall Disabled via PowerShell", "rule_name": "Windows Firewall Disabled via PowerShell",
@@ -10874,9 +11040,9 @@
}, },
"f6d8c743-0916-4483-8333-3c6f107e0caa": { "f6d8c743-0916-4483-8333-3c6f107e0caa": {
"rule_name": "Potential PowerShell Obfuscation via String Concatenation", "rule_name": "Potential PowerShell Obfuscation via String Concatenation",
"sha256": "4966b256f77320a536fd06f26771860ce412bb74324a875bca6867ac35dd79c3", "sha256": "f56190b966c8b01230a154a0851ed2e59d80595a1de876b0764e3d046e9bea51",
"type": "esql", "type": "esql",
"version": 9 "version": 10
}, },
"f701be14-0a36-4e9a-a851-b3e20ae55f09": { "f701be14-0a36-4e9a-a851-b3e20ae55f09": {
"rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing", "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
@@ -11047,15 +11213,15 @@
}, },
"f9753455-8d55-4ad8-b70a-e07b6f18deea": { "f9753455-8d55-4ad8-b70a-e07b6f18deea": {
"rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion",
"sha256": "459fdfc9a0bf0c7e11816d78422d6f072d79db1e1bcc876e972c71d10a2739f4", "sha256": "2ecbf0a719e60c1a4d65cc86c0d02ce00fa12333fbb32e834f271fc17367cd24",
"type": "esql", "type": "esql",
"version": 8 "version": 9
}, },
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"rule_name": "Privileged Account Brute Force", "rule_name": "Privileged Account Brute Force",
"sha256": "8e958e43156701d8c536815d851b1fd4d6891d08dbdb20e1141143b2d64be583", "sha256": "78aeaab7e3bf4d6d513db619e43eb7454c6f800492e403b6873fe8c17bf7d95b",
"type": "esql", "type": "esql",
"version": 116 "version": 117
}, },
"f994964f-6fce-4d75-8e79-e16ccc412588": { "f994964f-6fce-4d75-8e79-e16ccc412588": {
"rule_name": "Suspicious Activity Reported by Okta User", "rule_name": "Suspicious Activity Reported by Okta User",
@@ -11065,15 +11231,15 @@
}, },
"f9abcddc-a05d-4345-a81d-000b79aa5525": { "f9abcddc-a05d-4345-a81d-000b79aa5525": {
"rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion",
"sha256": "a8fb8ff65c77ca30e4b18c8cfe9a98058e413bb924c285e9eb647e2cb7d43baa", "sha256": "e429a1bb7579d75e52d9c21dba63b12b1d6d5efe9aa7dbff56eb09d652825da3",
"type": "esql", "type": "esql",
"version": 10 "version": 11
}, },
"f9de0949-94d8-441d-ae9a-8eb1e040acf2": { "f9de0949-94d8-441d-ae9a-8eb1e040acf2": {
"rule_name": "Newly Observed Process Exhibiting High CPU Usage", "rule_name": "Newly Observed Process Exhibiting High CPU Usage",
"sha256": "b6e23d1b2f53b36d09252c99a34fd67b30e68ccf7faf46c5516504738b92f2b7", "sha256": "ac67c25e692fc04e2eeae6c2c6c597c4c637f8d746afc513e7b9e0370b67cdf7",
"type": "esql", "type": "esql",
"version": 1 "version": 2
}, },
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"rule_name": "Remote File Copy to a Hidden Share", "rule_name": "Remote File Copy to a Hidden Share",
@@ -11353,9 +11519,9 @@
}, },
"ff4599cb-409f-4910-a239-52e4e6f532ff": { "ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API", "rule_name": "LSASS Process Access via Windows API",
"sha256": "8c10501ce86f18c3be3435c923b228298606f73818b611f539f520e1e40320a3", "sha256": "9ac7770cb7a1a1d0348ae3f523fb76bbc3740b98d2354456e5f0495c5c6896c5",
"type": "esql", "type": "esql",
"version": 15 "version": 16
}, },
"ff46eb26-0684-4da3-9dd6-21032c9878e1": { "ff46eb26-0684-4da3-9dd6-21032c9878e1": {
"rule_name": "Active Directory Discovery using AdExplorer", "rule_name": "Active Directory Discovery using AdExplorer",
@@ -11395,8 +11561,8 @@
}, },
"ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": { "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": {
"rule_name": "Suspicious TCC Access Granted for User Folders", "rule_name": "Suspicious TCC Access Granted for User Folders",
"sha256": "14436e33164f86a8e456f0a6ac11a53c2da7a2238add394df63ac4e5a120d36c", "sha256": "6329ee62398952755171a82d57fd5c59d159290b7d4fab00d7fe6043899ca3ea",
"type": "esql", "type": "esql",
"version": 1 "version": 2
} }
} }
+8 -1
@@ -72,6 +72,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-application](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-application.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-application](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-application.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-asset-visibility](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-asset-visibility.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-asset-visibility](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-asset-visibility.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-auditd-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-auditd-manager.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-auditd-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-auditd-manager.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-automated-response-tracking](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-automated-response-tracking.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-cloudfront](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudfront.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-cloudfront](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudfront.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-cloudtrail](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudtrail.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-cloudtrail](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudtrail.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-config](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-config.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-config](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-config.json&leave_site_dialog=false&tabs=false)|
@@ -104,6 +105,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-azure-storage](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-storage.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-azure-storage](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-storage.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-bbr](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bbr.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-bbr](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bbr.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-blocked-threat-tracking](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-blocked-threat-tracking.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-bpfdoor](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bpfdoor.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-bpfdoor](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-bpfdoor.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-c2-beaconing-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-c2-beaconing-detection.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-c2-beaconing-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-c2-beaconing-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-cisco-ftd](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cisco-ftd.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-cisco-ftd](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cisco-ftd.json&leave_site_dialog=false&tabs=false)|
@@ -114,6 +116,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-collection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-collection.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-collection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-collection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-command-and-control](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-command-and-control.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-command-and-control](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-command-and-control.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-configuration-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-configuration-audit.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-configuration-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-configuration-audit.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-configuration-auditing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-configuration-auditing.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-container](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-container.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-container](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-container.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-credential-access](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-credential-access.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-credential-access](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-credential-access.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-crowdstrike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-crowdstrike.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-crowdstrike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-crowdstrike.json&leave_site_dialog=false&tabs=false)|
@@ -149,6 +152,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-higher-order-rule](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-higher-order-rule.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-higher-order-rule](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-higher-order-rule.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iam.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iam.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-identity-and-access-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-and-access-audit.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-identity-and-access-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-and-access-audit.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-identity-threat-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-threat-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-identity](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-identity](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-iis](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iis.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-iis](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iis.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-impact](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-impact.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-impact](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-impact.json&leave_site_dialog=false&tabs=false)|
@@ -168,15 +172,18 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-microsoft-365-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365-audit-logs.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-365-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365-audit-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-365.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-defender-for-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-for-endpoint.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-defender-for-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-for-endpoint.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-defender-threat-intelligence](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-threat-intelligence.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-defender-for-office-365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender-for-office-365.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-defender](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-defender](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-defender.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-audit-logs.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-entra-id-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-audit-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id-protection-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-protection-logs.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-entra-id-protection-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-protection-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id-protection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-protection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id-sign-in-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-sign-in-logs.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-entra-id-sign-in-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-sign-in-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-entra-id](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-entra-id](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-exchange](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-exchange.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-exchange](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-exchange.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-graph-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph-activity-logs.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-graph-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph-activity-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-graph](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-microsoft-graph](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-purview](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-purview.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-microsoft-threat-intelligence](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-threat-intelligence.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-ml](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ml.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-ml](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ml.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-network-packet-capture](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-packet-capture.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-network-packet-capture](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-packet-capture.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-network-security-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-security-monitoring.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-network-security-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-security-monitoring.json&leave_site_dialog=false&tabs=false)|
+1 -1
@@ -1,6 +1,6 @@
[project] [project]
name = "detection_rules" name = "detection_rules"
version = "1.5.52" version = "1.5.53"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine." description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md" readme = "README.md"
requires-python = ">=3.12" requires-python = ">=3.12"