diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index ab0446e0d..a1b910c70 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -1,9 +1,9 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "fcd948028bd42ce890deb31d6aef7d2a5f841d194d024c8a632bd40203c89554", + "sha256": "9c1281d5315dcf872bc65e6d30af66eeadb4ceaf37d9714629c213e746428336", "type": "query", - "version": 414 + "version": 415 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "rule_name": "Potential Credential Access via Windows Utilities", 
@@ -13,27 +13,27 @@ }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", - "sha256": "cb3da7e9d3d8be5b8a37e6526d979d878e4f35a4959e471586e3d34af70bdc1a", + "sha256": "dc08e00d1f093824cd9f6195619de125ea81c97b96ae6c88ff0c310f66786f7c", "type": "eql", - "version": 419 + "version": 420 }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", - "sha256": "b518c8d687daf21c36ee77a0ddf040b991db8663e026b77cb7d77e29d05f85c3", + "sha256": "dba5d16fb893bdb86a173237b75117a8e000bca4f1a47a96d9492119f8beea74", "type": "eql", - "version": 6 + "version": 7 }, "00546494-5bb0-49d6-9220-5f3b4c12f26a": { "rule_name": "Uncommon Destination Port Connection by Web Server", - "sha256": "ed35207381806ae6ebc471fc8ddd9c91238868639b006db03dbb1c966adcc472", + "sha256": "d66a80e6e6ca1221629a7e83ea80f4049b04fb3621a3e157094b7a9ae187e8e6", "type": "eql", - "version": 4 + "version": 5 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", - "sha256": "f18ac0fef8bbe46018b12cbc49078cde5a800a49a288127e4b72f51ac086b3ea", + "sha256": "0a0794d4571cbdfb8dda1babc9d135e75c1bc8108479319cbc4e410da9e8be3f", "type": "query", - "version": 6 + "version": 7 }, "0136b315-b566-482f-866c-1d8e2477ba16": { "rule_name": "Deprecated - M365 Security Compliance User Restricted from Sending Email", @@ -61,9 +61,9 @@ }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", - "sha256": "0a276cca1f7578e64b5757ea19a2830db4e4fdd87f7ce4bec939fd66a82e067e", + "sha256": "076646ab6716181a2c6a88272c23d0eff028f4d43e05b1b9ba681c8fb13bb83b", "type": "new_terms", - "version": 207 + "version": 208 }, "02137bc2-5cc2-4f7f-a8e4-c52dc239aa69": { "rule_name": "AppArmor Policy Violation Detected", 
@@ -74,15 +74,15 @@ "02275e05-57a1-46ab-a443-7fb444da6b28": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities", - "sha256": "cd854516c52abc224cf16271f439eec724281de54a4aa6f6a7ce1013430393af", + "sha256": "1ac8acc9df54ef208b5dc3742eae3e38ea84b175e82d9cf10ac5196088f5fa42", "type": "eql", - "version": 2 + "version": 3 }, "022c37cd-5a4f-422b-8227-b136b7a23180": { "rule_name": "Azure Arc Cluster Credential Access by Identity from Unusual Source", - "sha256": "3193240005005ffe39a4b8d546c9f2ea645ddcb1f574d8bd1aea201712b6baa0", + "sha256": "c70260326562dbb991c5d9fd30f1fac3d3eb355879f7f011c790d239358b2fc2", "type": "new_terms", - "version": 1 + "version": 2 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "rule_name": "Potential Cookies Theft via Browser Debugging", @@ -92,9 +92,9 @@ }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", - "sha256": "701256e1dea091dbc7088014923ab37d3d04abfac5128574f4719f4a5819f555", + "sha256": "ea027afabe0d5c7840b6fa74533bd16b107d9fe59b134747165b941da38827f8", "type": "new_terms", - "version": 207 + "version": 208 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", 
@@ -110,51 +110,51 @@ }, "02b4420d-eda2-4529-9e46-4a60eccb7e2d": { "rule_name": "Spike in Group Privilege Change Events", - "sha256": "8caf70090c5c180faa0955b692debfff1999f7c20aeb1f8aabf07eec4e4ebf09", + "sha256": "f1b1c78251514ea08b82d81a68811dcf1756bde9a25d7f17adff4b6f612c523a", "type": "machine_learning", - "version": 4 + "version": 5 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { "rule_name": "Potential Ransomware Note File Dropped via SMB", - "sha256": "3c0cee1485089d0039569fe729555644745a965f74000c5e30fb73ff1a31a7ae", + "sha256": "8faa211ae2a7bcacb59c68e92a447cfd62919035dfe3259c39c0ee886be5ece8", "type": "eql", - "version": 6 + "version": 7 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "27d2f755c29364e32433065a224cd6626f6d8310b9a12d92bc6e3264c52682e4", + "sha256": "66859e52222069071bde2462f6cd971de312d63c6ca5da48abd9bde1d8a9986a", "type": "eql", - "version": 110 + "version": 111 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "M365 Exchange Email Safe Attachment Rule Disabled", - "sha256": "a3802ec0747674644557b2597c0c55f8fae19a9c2d058fb00938f48e2f11630d", + "sha256": "6b1e511c3d8b37b93763904520c805fc95c4a2211edd3bf22f4e25fef9f31db4", "type": "query", - "version": 211 + "version": 212 }, "03245b25-3849-4052-ab48-72de65a82c35": { "rule_name": "GitHub Actions Unusual Bot Push to Repository", - "sha256": "140774caf8e4b7021655033023dbfa647c2f8182ea0f44b41319db1b86aa381c", + "sha256": "80bd309c2d2564487e9fbba7f80c99d9998ac1e9bf023518a0a7c09b7b3940b9", "type": "new_terms", - "version": 1 + "version": 2 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "2a22d0f3cf317970be4b88c0a8ccdfe129a55d326c2025d0b931e84121a5ba59", + "sha256": "c836e54087ae1a8a3025909185da467587d5d132e8768294fe6772628655b8b4", "type": "threshold", - "version": 216 + "version": 217 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { "rule_name": 
"Potential Memory Seeking Activity", - "sha256": "17893f9601250048949847c5698b0273035419cc62613c7a4e3cc2e74aaa111d", + "sha256": "6f7728c25cb5067fe5f3da92b9e429591bee6ca7b05b0dc967ed772bfc19c1d4", "type": "eql", - "version": 6 + "version": 7 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { "rule_name": "Suspicious Dynamic Linker Discovery via od", - "sha256": "969bc5383f6f200cd085a0639173548ff5820d7f75afba0622e631c4eb5ac813", + "sha256": "1955ce390a89fb19809e63ab7de3f8c5daa3aad4045bec36bcaa5b65779e457d", "type": "eql", - "version": 107 + "version": 108 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { "rule_name": "Deprecated - SSH Process Launched From Inside A Container", 
@@ -164,33 +164,33 @@ }, "03b150d9-9280-4eb8-9906-38cfb6184666": { "rule_name": "First Time Python Accessed Sensitive Credential Files", - "sha256": "838f2075137a748159619966cd450776c11dffafbdcc30122666d3dc310e90b0", + "sha256": "aa5c2a00f56d00f3919acc63046fbd07594b643728777215c6faf15acefea5b8", "type": "new_terms", - "version": 1 + "version": 2 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { "rule_name": "Potential Network Scan Executed From Host", - "sha256": "5be26fe7fb4dde7b807a564ff9eeac7a6b17504c9dceefcc79585a26e487de8e", + "sha256": "74510e92c414883b3395c16038036135ff8ab99e5598ed0fa19fdadd86e0b701", "type": "threshold", - "version": 7 + "version": 8 }, "03d856c2-7f74-4540-a530-e20af5e39789": { "rule_name": "Multi-Base64 Decoding Attempt from Suspicious Location", - "sha256": "348d1c05b34234300fa1f78f365e55ffce4ef690c71b5b29ad426db5ccec5ab0", + "sha256": "074027b2bad9f1ac786fc520f793d1c3f48adbf4c5dee422b7ac017e8197672a", "type": "eql", - "version": 2 + "version": 3 }, "0415258b-a7b2-48a6-891a-3367cd9d4d31": { "rule_name": "First Time AWS CloudFormation Stack Creation", - "sha256": "aa9bbf4e95f9d88307a86039a78988c7fe8e87827e029e593d2bc314f2f56605", + "sha256": "0c9d3ca5caa192699b0063ff1bdd3d1c02fec13775724126cf6820833340921f", "type": "new_terms", - "version": 6 + "version": 7 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Renaming of OpenSSH Binaries", - "sha256": "a2faa9510f754d12856a3c441ec7131acb631c84fb8379d3ecd121af580d35a8", + "sha256": "9ee995138cffed589e949a0c429e822f01d39ee3d4e57daa0b0130de809eae76", "type": "query", - "version": 114 + "version": 115 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", 
@@ -210,9 +210,9 @@ } }, "rule_name": "High Number of Protected Branch Force Pushes by User", - "sha256": "6ecf2e6fbea8d375d4737291540983e97ce7ca80ec165d6380a11eab3287782c", + "sha256": "0f0d9d1fd9f230eb192515220a010111d6391e983624a53e09d45dd85ce721b6", "type": "esql", - "version": 102 + "version": 103 }, "043d80a3-c49e-43ef-9c72-1088f0c7b278": { "rule_name": "Potential Escalation via Vulnerable MSI Repair", @@ -222,21 +222,21 @@ }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "rule_name": "Entra ID Global Administrator Role Assigned", - "sha256": "b832dd8ee2fb783cfc93a509c2689f8d13f9eb4b536af7935f64be085e91d258", + "sha256": "75139c9666c86d615d6ddd72cb47dd16335cd9291d5210f2e393dbbb2d127778", "type": "query", - "version": 106 + "version": 107 }, "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { "rule_name": "User Added to the Admin Group", - "sha256": "fc962dbd88cfb0860ac58c4125afeaaa0668366e0f9d1ad035411aee787a69f6", + "sha256": "b164ca59eecebcabe9bd4bbdc1c86c640f202a21e08e0a08cdfc824610ec9d98", "type": "eql", - "version": 4 + "version": 5 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "rule_name": "Suspicious Microsoft Antimalware Service Execution", - "sha256": "0dae8d0010c9ebf4d51a556663c7a4e0f0b4a9d1780196c19012553a41e2fa5d", + "sha256": "3203192a8041b77616255d68fb931ef4c85b25bb8448b484b79f26ac5c16eea9", "type": "eql", - "version": 216 + "version": 217 }, "054853f3-2ce0-41f3-a6eb-4a4867f39cdc": { "rule_name": "M365 Defender Alerts Signal", 
@@ -246,22 +246,22 @@ }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "rule_name": "Systemd-udevd Rule File Creation", - "sha256": "b041eda883625c151da07f6f712fa59b323ed321f5facabe50784b6d214b2835", + "sha256": "af7ccb91cc20e0406d5dbf0a368623b91dbe2fe0345075123197e22162c25280", "type": "eql", - "version": 12 + "version": 13 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "0959fd7aaf5bc8255ede40413834dc1ccfa5885a9e516724151852e596d397f4", + "sha256": "51c7cd4dc3b7daf503ea7d0eb1403ef46a8de3611b333180d3db2235aa02650f", "type": "eql", - "version": 217 + "version": 218 }, "05a50000-9886-4695-ad33-3f990dc142e2": { "min_stack_version": "9.3", "rule_name": "System Path File Creation and Execution Detected via Defend for Containers", - "sha256": "0070de4186b0d66470a7b71b34781036a4107a7cb9e7d7d07ce655d2783238c8", + "sha256": "651ccae1e6baff5b1d018b9d02b49fa294970a75eddd6ad69ee73c7be6983531", "type": "eql", - "version": 1 + "version": 2 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", 
@@ -271,27 +271,27 @@ }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "rule_name": "Tainted Kernel Module Load", - "sha256": "276dd21bd66c3a47606b31db6057e86c2968df89161ab2a5662f9c6a9064e959", + "sha256": "3409362f16f2ea621c13ead1a974ee23f72be8c149f6ddae366e3cd5fecbf50d", "type": "query", - "version": 8 + "version": 9 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "7a0c46e89bdb6cc0aeb28545a624f72dcac23bf7fd53eeb7121b9e521615a66e", + "sha256": "aa3c02fb79c761a80f4964773218383ce6f2fa3d6edbb33b4228d9f58a4d7224", "type": "eql", - "version": 113 + "version": 114 }, "05f2b649-dc03-4e9a-8c4e-6762469e8249": { "rule_name": "Suspicious AWS S3 Connection via Script Interpreter", - "sha256": "98707dba65515504ddccd478b6d990937253b23206d517eec8fb008262a30d53", + "sha256": "bdcf91c78e9c5c094fb384d21437ea44ff202ce66a874ddeb50bbd6be3ecd14f", "type": "esql", - "version": 2 + "version": 3 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "rule_name": "Remote System Discovery Commands", - "sha256": "d830586c866338070858fc3d79f60a78040bbbbf9694a72accfda57739d022bb", + "sha256": "287d45f63f9e0a5633a9830bc210991eedc0daf0db72f995831d011600a3b750", "type": "eql", - "version": 216 + "version": 217 }, "064a2e08-25da-11f0-b1f1-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk", 
@@ -301,15 +301,15 @@ }, "06568a02-af29-4f20-929c-f3af281e41aa": { "rule_name": "System Time Discovery", - "sha256": "a6862748b17c59d814bdbc083c1cc7d27381aed9732b14f0f1b32474464fd2ef", + "sha256": "3c5edef6420d3b719294df8da79f6f77b0e473d0d2f3bbd1fa89103aa8f53bcf", "type": "eql", - "version": 113 + "version": 114 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "rule_name": "Unusual Remote File Size", - "sha256": "940b98aed51ecda72eec089172e648832d8c8a6eec2015e92e44bbbd0a52854f", + "sha256": "565ac2eb82e32aae378c10858021adb00856aa3fcca8dfff5921bec099323be0", "type": "machine_learning", - "version": 8 + "version": 9 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", @@ -319,9 +319,9 @@ }, "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": { "rule_name": "Dynamic Linker (ld.so) Creation", - "sha256": "293efcde7679450961742320fa3bb6fd1b7734fb3b358c1f39d7ebc8621dd8f7", + "sha256": "6350e0d9141e53b3f2c4ecc5b9384512cd89637b34bb845ffedb10e893777303", "type": "eql", - "version": 106 + "version": 107 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", @@ -337,9 +337,9 @@ }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "58d2522836e9696867c5013f86c837c3de9c6139334c45f21862af1141102989", + "sha256": "d1938166ae314b5d65bd7cd0f0e25da8ffee8876a58953b1830890d09a6ea8ae", "type": "eql", - "version": 315 + "version": 316 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { "rule_name": "GitHub Protected Branch Settings Changed", 
@@ -355,39 +355,39 @@ }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "f1f4e6d8b819fb5e66fde3baab76b5530022b5b45365fa55e5218a19f2fb1902", + "sha256": "393b600688019a02a4e864518e1ac1b5d0b81d5be1f534cfb5137748aae51a7e", "type": "eql", - "version": 318 + "version": 319 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", - "sha256": "efff36dcc67637acab70b8bdc118ef3d48a67a477cc5bff8a765be0b98c69d9c", + "sha256": "1da3405b77ad8ca58161b6fabc9e04c5119b12d8c1daa9f062fcac797b001a35", "type": "query", - "version": 109 + "version": 110 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", - "sha256": "c3033b6202ba8d06a3cce953bf5efde4f3292bfd7e4b02fcf073bcb3b4c38c0b", + "sha256": "e0131321585947ebb113994bcb41271b69a40753710365ea30b2a1204ad5008d", "type": "eql", - "version": 112 + "version": 113 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "rule_name": "Launch Service Creation and Immediate Loading", - "sha256": "a103bf9dea2202ad2c785712eb8d03c825973f10f2c2237c5fc3640b9c519ee4", + "sha256": "6e6a989495990c86ba5a6dc1a3178fbe5dc8a8e23542837ce40be022461703e9", "type": "eql", - "version": 111 + "version": 112 }, "083383af-b9a4-42b7-a463-29c40efe7797": { "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", - "sha256": "1cab7c406a0a2310ac6081b7332ff99c4f29843587b48401e6b8fcb7f8006d21", + "sha256": "331bb08ecfb91660802ea7596bce628106de1d55504aa794724136799f9689e2", "type": "esql", - "version": 9 + "version": 10 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "92729a5db8411c86f55936222a8fdbd7c1634c859d8453339bf3d82144af86cf", + "sha256": "3e6315c69df778ac0ee943ef7672b9725a6c36ecdedf6c955d1609b9f0c936cc", "type": "eql", - "version": 110 + "version": 111 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "rule_name": 
"First Time Seen Removable Device", @@ -397,9 +397,9 @@ }, "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": { "rule_name": "Node.js Pre or Post-Install Script Execution", - "sha256": "95dfc163dc1bc31c6f67c9956a92031cea559ff27d774bc621436fbce4e3c4be", + "sha256": "f161b256265c51cd268982d28acc9d9220cc7c1aba15a8b036c39d9ae9253da3", "type": "eql", - "version": 3 + "version": 4 }, "08933236-b27a-49f6-b04a-a616983f04b9": { "rule_name": "Alerts From Multiple Integrations by Destination Address", @@ -409,15 +409,15 @@ }, "089db1af-740d-4d84-9a5b-babd6de143b0": { "rule_name": "Windows Account or Group Discovery", - "sha256": "d2b0a72d8ef6f07e4647ae018611e94e004d13dbf270da1125381720f769fc59", + "sha256": "ce8ca8f191f83b34e7b0a028117f3ed158af3ebc4c3f9d40a1614f01033cd93e", "type": "eql", - "version": 7 + "version": 8 }, "08be5599-3719-4bbd-8cbc-7e9cff556881": { "rule_name": "Unusual Source IP for Windows Privileged Operations Detected", - "sha256": "f0c3939a5957cddd4b6387710c93b4c9797c526fdc426a83b3c681d57d67b47b", + "sha256": "bc44537711867484c6d568447d16aa07c2bebb17b8e8de3f9d5d4cd27b7877dc", "type": "machine_learning", - "version": 3 + "version": 4 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", @@ -433,9 +433,9 @@ }, "092b068f-84ac-485d-8a55-7dd9e006715f": { "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "34aa7a13a75998606560cb32b50285f079aa350b0d28634aec6ce222a47b0985", + "sha256": "89f5838ed3a10f58fb95b54bf3a065b1edfcbccc6e82ba7249e7714ec14af877", "type": "eql", - "version": 112 + "version": 113 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "rule_name": "Deprecated - Process Termination followed by Deletion", 
@@ -457,21 +457,21 @@ }, "097ef0b8-fb21-4e45-ad89-d81666349c6a": { "rule_name": "Spike in Special Logon Events", - "sha256": "42bb7ebf26e253f5a13b0f718a37a6de590190e051705ab28122bca64c59bbb5", + "sha256": "92d7807f355cf385d1fa15849d15c6fb322bf1b9dde07df1b9e0d92899819b0c", "type": "machine_learning", - "version": 3 + "version": 4 }, "098bd5cc-fd55-438f-b354-7d6cd9856a08": { "rule_name": "High Number of Closed Pull Requests by User", - "sha256": "ff907a6ea72cb5c7385c4bd5df56b41d6fe30d15ad9c631e4e85cc03ec5aa94d", + "sha256": "e714dc4c3dc9577f4375fc6de33d23e79e537c2ae0f59f3693fe866dffd42dae", "type": "esql", - "version": 2 + "version": 3 }, "09bc6c90-7501-494d-b015-5d988dc3f233": { "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", - "sha256": "c7a49217ed78a7200634360d649716d6ba9e9ee6c138e093d73d3dfc6bef4542", + "sha256": "21a80a8417bb2147dbcfad3bbd1dbac0c463712efa27f14464c0547f66e34582", "type": "eql", - "version": 10 + "version": 11 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure VNet Firewall Front Door WAF Policy Deleted", 
@@ -487,51 +487,51 @@ }, "0ab319ef-92b8-4c7f-989b-5de93c852e93": { "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", - "sha256": "b9f9c2acd032277ca219864f2c819167d986f72f5926874ea56998544a0f85a6", + "sha256": "6a2860edb5ebe67b8ddbfd0633c2fc64f43eb9a1a0b6cb59f298b6e207944b51", "type": "query", - "version": 8 + "version": 9 }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "rule_name": "Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "ebd1536f42ca0141a7b6beb2b1e75d981b95992088751d5824b10f54c3797b98", + "sha256": "62831c7e91ee7ce21ec1904ea276f67fc1771d890a541a18fba380632f6a8e04", "type": "query", - "version": 212 + "version": 213 }, "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { "rule_name": "Yum Package Manager Plugin File Creation", - "sha256": "89ca0e093d48d490f8ef9e04a952b23f45c4763cb50f8b27742fdc91cc20c6ea", + "sha256": "dbae98880bf9a0c1e97107f8d4f2e8db844623eea45f77f379c744c955ea36dc", "type": "eql", - "version": 9 + "version": 10 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "rule_name": "Anomalous Windows Process Creation", - "sha256": "5885c1e445642eebfc9b74d7427c15b9a7c7696141ebc1f2032514b026740cd1", + "sha256": "0d38cceb87101c739c8c402c9c084654ab8bea0da9d751f01e82deca56bdf848", "type": "machine_learning", - "version": 211 + "version": 212 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", - "sha256": "ecc8972d8837c63f62167cb4b7a5827b1681b456c8e41028f287e9036edc1ed1", + "sha256": "61bf77d6035d6c58759497860fd9dd5490f830db4c9aa91188271e861a7dcc9f", "type": "query", - "version": 219 + "version": 220 }, "0b76ad27-c3f3-4769-9e7e-3237137fdf06": { "rule_name": "Systemd Shell Execution During Boot", - "sha256": "9e0d97a7a8ab3f2db8a8aed2dda95a0c7b8f362c314ba0749004294a61229409", + "sha256": "09dffcc4e5124f18d47919fe93f50abaeb60d6834acf7ead306f212a6eba4afd", "type": "eql", - "version": 5 + "version": 6 }, "0b79f5c0-2c31-4fea-86cd-e62644278205": { 
"rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", - "sha256": "06ad68bb0d0a78ccb3ee0674ced6bf71d574074395b2ecf56cf37cecd6f529f3", + "sha256": "21c399561ab291f36e2be0da55ac4c17cc2678e91e96df6af3c9cc83a6c711d3", "type": "eql", - "version": 5 + "version": 6 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "b6adb62c08f32a47497e1c0133aedae77c417a7f5449d1676df18b4e1792f38b", + "sha256": "7d77a4998b0ebb67b07e857ede2aade5168aa1ae3854965f321bbac0e38be89f", "type": "eql", - "version": 112 + "version": 113 }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { "rule_name": "Attempt to Establish VScode Remote Tunnel", @@ -553,15 +553,15 @@ }, "0c1e8fda-4f09-451e-bc77-a192b6cbfc32": { "rule_name": "Potential Hex Payload Execution via Common Utility", - "sha256": "fdf8da563f4c822a873e7d1f66565737110906d8c9e10b2107140aeccb84524e", + "sha256": "93cd06950bf1b69b6bd8abd8923e82b0e7c578c6e93606cfcd6be0f5909f8bb7", "type": "eql", - "version": 106 + "version": 107 }, "0c3c80de-08c2-11f0-bd11-f661ea17fbcc": { "rule_name": "M365 Identity OAuth Illicit Consent Grant by Rare Client and User", - "sha256": "ff0822277c602739fb3c4c5a94325860245526567107723822b394098d3de9b5", + "sha256": "987496695139074943b504b3399babe5db3f7164fdf9b5915433567a1d24f112", "type": "new_terms", - "version": 6 + "version": 7 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", @@ -589,9 +589,9 @@ }, "0cbbb5e0-f93a-47fe-ab72-8213366c38f1": { "rule_name": "High Command Line Entropy Detected for Privileged Commands", - "sha256": "59c263dc1cdfe3855fdd501367d03907ed748e52353b5e059b96f1ee2c5afde3", + "sha256": "2e7d5c4df33ef2238bbf97c9d32ff1f30b544cd024426fbf7b8f60efb7289ad8", "type": "machine_learning", - "version": 3 + "version": 4 }, "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", 
@@ -601,9 +601,9 @@ }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "M365 Exchange Mailbox High-Risk Permission Delegated", - "sha256": "d528dd1ee6d6f0dbfd598d62261c0dcae9ccecf382b0f35ad32fccdb0b5c618e", + "sha256": "a99d3f1a878b32334b2cfdb822776bae8b640c73ca2c0f249cfd629a3a8f1e09", "type": "new_terms", - "version": 212 + "version": 213 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "rule_name": "Multiple Alerts Involving a User", @@ -613,21 +613,21 @@ }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph", - "sha256": "c9414871e97120cfd2ba849f228fcb33c42b7bafea04ef136b692d90f3c5886c", + "sha256": "b09b50fcb2010ca61ba40393d95ff0b09f587d7f4fb1bde3f3f6208e0d62baf9", "type": "esql", - "version": 7 + "version": 8 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", - "sha256": "c4bdbe8b150dc0ae69e6b9976ce317d49affb800b6a372b6b57f7aae39e58093", + "sha256": "dd76e3f0f0d4cc6807c6afcd4c5894467e3047dd19959748a879badf05fd647a", "type": "eql", - "version": 212 + "version": 213 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "c35a544ede6291a5e7cfafd2e811015d5bf703d447b07963ff1e071a644958d4", + "sha256": "094356d1f51021f7425e8498fdaa9e5545042553ed50aaf071c39778fedad057", "type": "eql", - "version": 113 + "version": 114 }, "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": { "min_stack_version": "9.2", @@ -641,9 +641,9 @@ } }, "rule_name": "AWS Access Token Used from Multiple Addresses", - "sha256": "25d6b63d8ad4a081ad48d656666160d13bde2d0fac22a33427f2f6cdf5395cc1", + "sha256": "cd8d3417f90b50eef61c5fcddffc40cfb7abecd4edafc8450af2656eea62ee63", "type": "esql", - "version": 205 + "version": 206 }, "0e1af929-42ed-4262-a846-55a7c54e7c84": { "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", 
@@ -653,15 +653,15 @@ }, "0e42f920-047d-4568-b961-2a50db6c4713": { "rule_name": "Potential Persistence via Mandatory User Profile", - "sha256": "5a2113036516752d10ffde2f40f78885d6a13a520f8ed58a99121231a5602e22", + "sha256": "12e7983cbf86322df7efb2239c16032fdaa348da475137cad5eb129c5a54d4dc", "type": "eql", - "version": 1 + "version": 2 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", - "sha256": "b2bc93de86a42b4c55877c2a128da76f5f058e48fc9af4396b89dd28a935fea5", + "sha256": "15cd22677a8340711fed0f7030ff28056951bba6f1f4f4c74dacd31c27371ef5", "type": "new_terms", - "version": 207 + "version": 208 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "M365 SharePoint Malware File Detected", @@ -671,15 +671,15 @@ }, "0e524fa6-eed3-11ef-82b4-f661ea17fbce": { "rule_name": "M365 OneDrive/SharePoint Excessive File Downloads", - "sha256": "b6c8e87bc4292bde1ff1eaa810648c48bab7c0f07e0d8c39bc7b3f714fd32d5f", + "sha256": "9d50bbec806493725b1c928813d14b1b29caf88991662a39c748716ba674f690", "type": "esql", - "version": 7 + "version": 8 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", - "sha256": "13e3ae6b28abf879bb3effd835f64e3514061113d41c183ecea88cfb42499628", + "sha256": "b84301cb7a906cc450436d5dcff843dd5b454345301cc97cf7858e2211456588", "type": "query", - "version": 107 + "version": 108 }, "0e67f4f1-f683-43c0-8d45-c3293cf31e5d": { "rule_name": "Lateral Movement Alerts from a Newly Observed Source Address", @@ -689,9 +689,9 @@ }, "0e79980b-4250-4a50-a509-69294c14e84b": { "rule_name": "MsBuild Making Network Connections", - "sha256": "8bd791257510714b815ae04669e2f5ed846133f80ab4f376c6541bacd64856b2", + "sha256": "2d92ab04902fb83022f6920b2f0d2a5458f43dc2e662048624e594963673c582", "type": "eql", - "version": 214 + "version": 215 }, "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": { "min_stack_version": "9.3", 
@@ -711,21 +711,21 @@ }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "rule_name": "rc.local/rc.common File Creation", - "sha256": "2cb9858f77267b218ffde0b05f379d42d3e9892bffe8c5a2558a7747e616dfa5", + "sha256": "0dd7907213fe1c2007ed13fc265447af5e1da11ec3932ac1bd234bac879ddd75", "type": "eql", - "version": 119 + "version": 120 }, "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": { "rule_name": "Polkit Policy Creation", - "sha256": "5bce1633b77528c70b19a239627042b9c5319822749afbec67e1683f8580686b", + "sha256": "390e710ade2de69e142c5ee48c04471d137a80031e3679e2c9675a40dbc10e4e", "type": "eql", - "version": 106 + "version": 107 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { "rule_name": "Netcat Listener Established via rlwrap", - "sha256": "498fd7d5af2db2a9cac662b6334d76045e188a07af85252f9c58e5e3553c5157", + "sha256": "a0f0ae4b269a171b856191b76721c04753d2c3ed780decf03817b56e352235ee", "type": "eql", - "version": 108 + "version": 109 }, "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": { "rule_name": "Behavior - Detected - Elastic Defend", @@ -754,9 +754,9 @@ "0fb83aa0-3d17-41e9-b09c-56397bf7a7d9": { "min_stack_version": "9.3", "rule_name": "Decoded Payload Piped to Interpreter Detected via Defend for Containers", - "sha256": "f743bb12bafa53a42bae5f3eb32c50b072927cb62403e1cbd006537e9dae6e63", + "sha256": "99daa90cdf83d5fa31673dca3684a322c5b9b12882dbc2d4e82acfbc4a249401", "type": "eql", - "version": 1 + "version": 2 }, "0fe2290a-2664-4c9c-8263-b88904f12f0d": { "min_stack_version": "9.3", @@ -770,9 +770,9 @@ } }, "rule_name": "Kubernetes Sensitive Configuration File Activity", - "sha256": "7d61d62319c071310d69e8c15bf997fdaaa97c0d900ea9029b54bb02144275aa", + "sha256": "bfc840c4e0154ce1c816dc7e6d4b277b6a431df45094be45f5f6c0166ac02aa4", "type": "eql", - "version": 102 + "version": 103 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "rule_name": "Privilege Escalation via Root Crontab File Modification", 
@@ -782,15 +782,15 @@ }, "1004ad5b-6900-4d28-ab5b-472f02e1fdfb": { "rule_name": "AWS SSM Inventory Reconnaissance by Rare User", - "sha256": "8e7b6e88f72d16369595ba3f6fa07c1940d1a4aee7465ac6f4564e40e0d81cfb", + "sha256": "2eb8cfdb07798166e8e1dd3670510b676d8534e46fcf84abfd701d9b02107dd8", "type": "new_terms", - "version": 1 + "version": 2 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { "rule_name": "AWS IAM Login Profile Added to User", - "sha256": "62236c3efc78d49212ef0d41035637d27a8639dc5eb24125db16fc4b5c5367dd", + "sha256": "65b7cb64433981f1907a05a2af586fe1deaa32e3e04f391a3b8be11d65cd67ef", "type": "query", - "version": 4 + "version": 5 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { "rule_name": "Linux Restricted Shell Breakout via awk Commands", @@ -800,9 +800,9 @@ }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "rule_name": "WebProxy Settings Modification", - "sha256": "5b102cd6d9e208ef30f244a8b4029b391783c1ec3f3bc24d5830028376bf8fd4", + "sha256": "7a9a8ca308fe9d2c8060cae7cf57cb65402bef0f911c86790a0d29b8e978c4b7", "type": "eql", - "version": 210 + "version": 211 }, "10f3d520-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Ransomware - Prevented - Elastic Defend", @@ -812,9 +812,9 @@ }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", - "sha256": "c564ec0a3d6571899bf9b4573c706d7a88b754f61ae9a3abfee468abfcd88ce6", + "sha256": "31b8cd0b1dd3c87234077a916d0078084f97002f25b5000e7159d3e4d72ec71e", "type": "query", - "version": 107 + "version": 108 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", 
@@ -824,15 +824,15 @@ }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "b12993087a23a4196dff52b6d262095861045f58a03883e15e371a3d746f3b44", + "sha256": "c12c3a68af101bcbce58817565be96e65524121b02e8fd152d749b90a8fffc12", "type": "eql", - "version": 315 + "version": 316 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "rule_name": "AWS RDS Snapshot Export", - "sha256": "219dd5e932b1758880482e0558051af64fba130f0e282e5da6aec5c00090ba9b", + "sha256": "1444babe7dce69629a2222be6a5ffb35d6fe83c286c1b26d6ebf42314a579aa9", "type": "query", - "version": 211 + "version": 212 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", @@ -842,9 +842,9 @@ }, "11dd9713-0ec6-4110-9707-32daae1ee68c": { "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "46c73ea2723d14ad9de10a0e66eef0f2833b48c7be940c0df3a709acb4dc3e7f", + "sha256": "a549668ec7559114b0115b356167686dc385ac990b386fb5e9f2b612c992357d", "type": "query", - "version": 118 + "version": 119 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "rule_name": "Third-party Backup Files Deleted via Unexpected Process", @@ -854,9 +854,9 @@ }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "3acdb831ecb148e687e802d033deaa6355218c3c02b42df9fb149c159039ac68", + "sha256": "723c1839bba8a00293365b903c123c18dd2d942e2676d4f95090f42a5fd47532", "type": "query", - "version": 211 + "version": 212 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", 
@@ -866,9 +866,9 @@ }, "1224da6c-0326-4b4f-8454-68cdc5ae542b": { "rule_name": "User Detected with Suspicious Windows Process(es)", - "sha256": "7f2d9e5d94f4c5e73f555b37e6616ecee53130fe84f4f52617e299de2d14f53e", + "sha256": "a96480b14fddea2a5966e37fb70b54db6e8ef69582f58b9ddd9e0845943ff7ac", "type": "machine_learning", - "version": 110 + "version": 111 }, "1251b98a-ff45-11ee-89a1-f661ea17fbce": { "rule_name": "AWS Lambda Function Created or Updated", @@ -890,9 +890,9 @@ }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent", - "sha256": "e0e45a77fb72c89d7d27f6371c8f82d70d1d23bd3d6f1f962526d6e106e52c1b", + "sha256": "2cd483d1bf44cc4f659cf2beb1a0364fdb1499c325dc003d1021b3f5602f6efb", "type": "new_terms", - "version": 209 + "version": 210 }, "12cbf709-69e8-4055-94f9-24314385c27e": { "rule_name": "Kubernetes Pod Created With HostNetwork", @@ -908,9 +908,9 @@ }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "3158b0d587e1f5c04d72866daa49f755711572ab959d2b9ed59f244d0c20d50f", + "sha256": "07c7f967479c49447a3c3f046c9c33fd9be4b98f57034bcff997060a3f9e1c06", "type": "eql", - "version": 319 + "version": 320 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "rule_name": "Persistence via Scheduled Job Creation", 
@@ -920,15 +920,15 @@ }, "135abb91-dcf4-48aa-b81a-5ad036b67c68": { "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", - "sha256": "d4c5b7180a304ce4c1347d1dd042952513c3376e1c92f4c035026a43f1dcbe26", + "sha256": "a9b1539d0e9db24ff1c2c89fbce7703a1e17089844275ce75a152f357dcffb33", "type": "eql", - "version": 106 + "version": 107 }, "138520d2-11ff-4288-a80e-a45b36dca4b1": { "rule_name": "Spike in Group Membership Events", - "sha256": "e2e661163bffdfe10ea5fed8565f15060b3aa280538e6ab7961a0c4d34d930e3", + "sha256": "907893df220287d24f1906748b2da8456e68f29204e8cadd48187f98a98c5688", "type": "machine_learning", - "version": 3 + "version": 4 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "rule_name": "Rare User Logon", @@ -938,9 +938,9 @@ }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - Note Files by System", - "sha256": "8204b19646063fea56f0893a743d86c1465aea28c9b920541a3549dc9ebead09", + "sha256": "634a2275fe6932fbcf9514a9c9f71bacb655d75a8f0437e3c7bbb947c34553d8", "type": "esql", - "version": 213 + "version": 214 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", @@ -956,15 +956,15 @@ }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Entra ID External Guest User Invited", - "sha256": "abd487e50565029f7b1ec1087e69423836bd8a499b13c5d16adfba6c67015832", + "sha256": "0a9b93490253851dfedef352e382402f47d282ded7e2130400e310d74a3d181c", "type": "query", - "version": 107 + "version": 108 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "c3e44edb8ffe05292ab119e3e6a439e72576953fd826f11cac889b1df3eea2bf", + "sha256": "5a9295587f27f717c1fa57077258c0bb56fb9857550ecb7c0773d2755931c5a7", "type": "query", - "version": 108 + "version": 109 }, "14dab405-5dd9-450c-8106-72951af2391f": { "rule_name": "Office Test Registry Persistence", 
@@ -986,21 +986,21 @@ }, "14fa0285-fe78-4843-ac8e-f4b481f49da9": { "rule_name": "Entra ID OAuth Phishing via First-Party Microsoft Application", - "sha256": "f5561c37096b4f71f0b29f3adc5adfe88f2505bcc9814aa9b052b68f7a0cb7f2", + "sha256": "a0052b219c12613b43f3b0b45d8eacc0b4b5ee9ce2ccb167d05ece989b878139", "type": "query", - "version": 6 + "version": 7 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "a787c8a5d1e30ca3e750ec49ca534e9a496786f700ab8794b3a8449050392808", + "sha256": "70e1ab79af3934113dbbbaba1ebf4c928eb1200bd4c056ba586728482c6f88a5", "type": "new_terms", - "version": 207 + "version": 208 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", - "sha256": "e9f82f46cfea1b7298cf223f305e62b8a734e63548d2f0a51969e2abdd8c5a40", + "sha256": "74c2b1c0304ca426f733863c0419049018042d137c7067b1abde9a4f0418e114", "type": "eql", - "version": 6 + "version": 7 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "rule_name": "Execution from a Removable Media with Network Connection", @@ -1028,9 +1028,9 @@ }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "8989fd255ab499907a77f2db83d4e2da1f9652d1ea9fb30aa192586ee11a4e9d", + "sha256": "11df8567d6795588d2f0b1c35dd8ca813fcf809258461c5483790a459bdc1cc9", "type": "eql", - "version": 112 + "version": 113 }, "1600f9e2-5be6-4742-8593-1ba50cd94069": { "min_stack_version": "9.3", @@ -1044,9 +1044,9 @@ } }, "rule_name": "Kubectl Permission Discovery", - "sha256": "6d731657ec8c591dcefb910a3a67801314448feb8ea2db28a604c77d3be33979", + "sha256": "88b8163bdbf4231ba333b88a4662e21abc05924a08f51847cda7ed108328e09c", "type": "eql", - "version": 105 + "version": 106 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { "min_stack_version": "9.3", 
@@ -1060,27 +1060,27 @@ } }, "rule_name": "Potential release_agent Container Escape Detected via Defend for Containers", - "sha256": "95ff258d6ac709d104147fbee7270bf69b23fcd62a49434721b8ac5e3ea07b6b", + "sha256": "83cc6f40e6132026e20c447cd04f8cba5947105f81fe35a20b393a650d0ca896", "type": "eql", - "version": 103 + "version": 104 }, "1615230f-beb7-48d8-9b3f-6d10674703bf": { "rule_name": "Suspicious SIP Check by macOS Application", - "sha256": "232a4bd93c50355d6ea770cd06a363c1777f939be142b3e759abc4eba094138d", + "sha256": "fa8c6092c9b9b8566ea7901262f4a9a3660b455e07ecb434fb833cdee30197d6", "type": "eql", - "version": 1 + "version": 2 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "ccff816d3b5217865698a800af2ba48cf248e6704d67b488436bd6259be29eba", + "sha256": "413aa0e2013846d270d2adf1b110f8b79db4362d7add6317237811d8f09e7e6d", "type": "query", - "version": 106 + "version": 107 }, "163a8f2f-c8a0-4b7e-9c4a-1184310eb7f3": { "rule_name": "Potential CVE-2025-32463 Nsswitch File Creation", - "sha256": "7327d13e4308d6dd816e0a5adb7b5d7d2d10242e25063b24ea6c81e06d94b261", + "sha256": "811b20416cead7025ab23de710ac19ed81924cc270507221b356a395d5fd4940", "type": "eql", - "version": 2 + "version": 3 }, "166727ab-6768-4e26-b80c-948b228ffc06": { "rule_name": "Potential Timestomp in Executable Files", @@ -1090,9 +1090,9 @@ }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "0626527bb17e1ca3b9ae1e90bed0f13a81152908cce78d40a11e8cc9d8b709de", + "sha256": "d044c2e031f6739d53c3387ad4e0c7f4e1617a0fad10f442fa29118f43b2a0e0", "type": "eql", - "version": 111 + "version": 112 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", 
@@ -1108,21 +1108,21 @@ }, "16acac42-b2f9-4802-9290-d6c30914db6e": { "rule_name": "AWS S3 Static Site JavaScript File Uploaded", - "sha256": "8097298e41017acbee4a85afe9287a41dabe58a6a8a4e7a30a98fa7d8f13d652", + "sha256": "5fb3e0aae2b1ebf9a5ffcfc74df8cd42f502fbf0feac6a37b7f34237aa31b8ed", "type": "esql", - "version": 5 + "version": 6 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "fe5e13f3787fcc982378ee56140edbaf40dae2433b59f7317df27287c7e6ced4", + "sha256": "8a09c3ace5f964fb2b20640db4f17aff78b00b30d85088a92619aba22f982766", "type": "eql", - "version": 214 + "version": 215 }, "1719ee47-89b8-4407-9d55-6dff2629dd4c": { "rule_name": "Persistence via a Windows Installer", - "sha256": "11c0bff91c47efa25c0f5f167b3d977f3ac07a6fb5ff0158d88d3445efe327d9", + "sha256": "c5c4efbc0177d7f664f65f7a2c0854002a571cac05289aabc98d4707694e6a43", "type": "eql", - "version": 5 + "version": 6 }, "171a4981-9c1a-4a03-9028-21cff4b27b38": { "rule_name": "Suspected Lateral Movement from Compromised Host", 
@@ -1144,39 +1144,39 @@ }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "rule_name": "Unusual Windows Service", - "sha256": "cf343116462e929ad9523a65633ab5d29d3e34227fb9f496e44e7321c07f75f0", - "type": "machine_learning", - "version": 209 - }, - "1781d055-5c66-4adf-9d60-fc0fa58337b6": { - "rule_name": "Suspicious Powershell Script", - "sha256": "1c4ffadb6be238942250eb70da7b3ef6df530fb7793f6ba3c397dc6c585aa53c", + "sha256": "3c42a7c62094acd7a9859c540f52484dd6a41d3d36d39aeadbc62492967e35ca", "type": "machine_learning", "version": 210 }, + "1781d055-5c66-4adf-9d60-fc0fa58337b6": { + "rule_name": "Suspicious Powershell Script", + "sha256": "ba7ac7109c4e1c1acc0a79dd47c42520c2d82b682f5630067a1d609b593859ce", + "type": "machine_learning", + "version": 211 + }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "4f6f47fc1343004d014ac17f50a4ada7c10665feaa2e7d259c490c975a0f98ff", + "sha256": "cec4b63c64124b03e92ef65aca7cf18b5a4de706c53935cf74d95cc70cd43693", "type": "machine_learning", - "version": 209 + "version": 210 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "rule_name": "Unusual Windows Remote User", - "sha256": "90b5af752da98e9b3d570fdf8548369f161dbac4cf139339d72de4bccc30fcbc", + "sha256": "96872a6f89cfe1e8ecc023430fc4349c49cb5b6ef9e4a833d422b6961741f481", "type": "machine_learning", - "version": 209 + "version": 210 }, "178770e0-5c20-4246-b430-e216a2888b23": { "rule_name": "Spike in User Lifecycle Management Change Events", - "sha256": "9ceb5ec5bf8532d79372332317d958ae4138bcd71f3e24e3f6ee5fe4bb1c3e7f", + "sha256": "ef456fac2be7a733d18054b513015e78327fb99ad44dacc99be79140341146a1", "type": "machine_learning", - "version": 4 + "version": 5 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "rule_name": "Systemd Service Created", - "sha256": "e16f5c2479b4e9bfcd17e1a2b4dc927c71622b135694e9b9797e8acf3cff9230", + "sha256": "4c1feb2d691a715844f24edbb5207bc35a4fdeee0d7314d708aeaba89adbbf0d", "type": "eql", - 
"version": 19 + "version": 20 }, "17b3fcd1-90fb-4f5d-858c-dc1d998fa368": { "rule_name": "Initramfs Extraction via CPIO", @@ -1192,27 +1192,27 @@ }, "17e68559-b274-4948-ad0b-f8415bb31126": { "rule_name": "Unusual Network Destination Domain Name", - "sha256": "2f942b288c66f4480066469ad579758c9ff2fe4287501321cfcac506bd4e3288", + "sha256": "f645b86e534e62a3da7f7b898cd1b0ea974c51d162961a19206bd0f00a67e31f", "type": "machine_learning", - "version": 108 + "version": 109 }, "181f6b23-3799-445e-9589-0018328a9e46": { "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "132e35479cdc72c87bced9eb39159645e0dac333bed9e051208ed8838a8863bc", + "sha256": "36923ae1251f7766d426b5ee10cf1a5b1aa5f47a5effc14763ddac6fe3ed6679", "type": "eql", - "version": 207 + "version": 208 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", - "sha256": "f6e041665b8400ffbb3efd67855273d1656d8f3ac6b46b71510847394f7733e9", + "sha256": "b5bfa9c5bdbb2ac76c679d8e7c12aa4614561e8f0815a77d48fccf5feedd3a89", "type": "eql", - "version": 6 + "version": 7 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", - "sha256": "1d09e6dc623e3a07c2777f44c0be0f4b406a57136bd176f255d6d99ab846bfbd", + "sha256": "d121078e9bbaea9a45c53cba4d722ac9a2d6cd6516a442f3a74da808bce2cc7b", "type": "query", - "version": 107 + "version": 108 }, "1859ce38-6a50-422b-a5e8-636e231ea0cd": { "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", 
@@ -1222,45 +1222,45 @@ }, "185c782e-f86a-11ee-9d9f-f661ea17fbce": { "rule_name": "AWS Secrets Manager Rapid Secrets Retrieval", - "sha256": "f6237fa0956bc5b66b294f3ddb4f97f871ca7c1bd1419a1049c8dd7916cad1ec", + "sha256": "2f1bb0bca5c3afffe652e54dbce191f5e119e2c17ab37111b680f7880cee85ec", "type": "threshold", - "version": 6 + "version": 7 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "rule_name": "Spike in Number of Connections Made to a Destination IP", - "sha256": "5a2fa17a72429e5dca1c71f463c15e999e99ad7897637a4b66a0bfada9540daf", + "sha256": "4598c9aad50c787eadce4ce3b88adcfbc87b02c2ac5dcd9a6c3b39a445e3e6f4", "type": "machine_learning", - "version": 8 + "version": 9 }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", - "sha256": "0199418e23bdf78a20dd96bd7572555513e8aaa1350c6e48d99cf860a48b9ba9", + "sha256": "b7f7a986a5518b0381718c489963d6da245e8d32eff17ebfa2fc78cf9d463fdd", "type": "eql", - "version": 10 + "version": 11 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", - "sha256": "f15ed23d38cca46be371b9df5688d56fad4b3de8988e041fc987e6418b647eb1", + "sha256": "6e73ca10f3e881fa538c71a4fa49fa6d7dd2022afd6c94c19a3c9c2bc3a24e01", "type": "eql", - "version": 9 + "version": 10 }, "1955e925-6679-4535-9c1b-28ebf369f35f": { "rule_name": "Suspicious File Creation via Pkg Install Script", - "sha256": "0a64f7723f488b5a5aaedf74fbc2c5eea7ab8e890d2138f3da1694b5a0fec32a", + "sha256": "bf39e06d8e8bcb3450813ab5d58f0a03c28e5cf9893bdc6abcfef843e67f134b", "type": "eql", - "version": 1 + "version": 2 }, "1965eab8-d17f-4b21-8c48-ad5ff133695d": { "rule_name": "Kernel Object File Creation", - "sha256": "ba9962370e567452f85b765d9e529539c0332e858e748851ab1a63dbd9815488", + "sha256": "2e671c13c33cb02522db10a2ec30e4b58a107647589f9ff89a5f1b1259a43cb2", "type": "new_terms", - "version": 5 + "version": 6 }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS 
Service Quotas Multi-Region GetServiceQuota Requests", - "sha256": "9025277d05a9b28f25e42b2ca001c86870d137286831af240685932876845347", + "sha256": "a88beb1ee86edcb6bfc98cfe6a5c15756fa5132b0566be0c5ad9a00826635c6a", "type": "esql", - "version": 7 + "version": 8 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", @@ -1270,21 +1270,21 @@ }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "rule_name": "Spike in Number of Processes in an RDP Session", - "sha256": "83a8f2d7386bddc053bfcb9ed1b462e2c6fee0711d78805f9f432f03029b4bda", + "sha256": "29db7dc93ab6eab4b8b87720dd8d95683b744f2e2137115f6f3e48c204792339", "type": "machine_learning", - "version": 8 + "version": 9 }, "19f3674c-f4a1-43bb-a89c-e4c6212275e0": { "rule_name": "GitHub Exfiltration via High Number of Repository Clones by User", - "sha256": "b293b29ab681ba26a92119332275e4c89a2bc3dd8a598d9f9b0968a5c264d2ad", + "sha256": "f1fe94865fe02f98d69f15e048bb2c7b7a67fe767897b3534314e214f246e22d", "type": "esql", - "version": 2 + "version": 3 }, "1a1046f4-9257-11f0-9a42-f661ea17fbce": { "rule_name": "Azure RBAC Built-In Administrator Roles Assigned", - "sha256": "f8e44c4dc36c0654e1a87dcd4065540ec7f58e7e5474827dc1b175f2f8a28edd", + "sha256": "94feb1f75ec27cf9c53ab42c77998c78c6cf56652fb4a8b7fd527863a2083c22", "type": "query", - "version": 1 + "version": 2 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "min_stack_version": "9.3", 
@@ -1298,15 +1298,15 @@ } }, "rule_name": "Suspicious Network Tool Launch Detected via Defend for Containers", - "sha256": "8d074f725afa65640f0f03c34a5c5845de08a1a9d4d29c575892c50a57bf380b", + "sha256": "52c8bf4b88a390a02c576926ab93066b84724ffbf8a8f2adfc8bfa9edf30f233", "type": "eql", - "version": 104 + "version": 105 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Entra ID Application Credential Modified", - "sha256": "f5a979a948b890f1d19ff5fd5e8c05378e51ba006eacddde32f49e3f2dc1faea", + "sha256": "3972e14bedb7ed262a4bf268bdaf8bf040f8a822a3c94dd74bb2edf42269a26d", "type": "query", - "version": 107 + "version": 108 }, "1a3d5b36-b995-4ace-9b85-8a0af429ccf6": { "rule_name": "Newly Observed High Severity Detection Alert", 
@@ -1322,27 +1322,27 @@ }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", - "sha256": "0755b62a96de7d1a62ad93b17b76d05e799c2288c120223dc3afbfaece5d8c4c", + "sha256": "1ddaf3e1d2b31dd53b6a93cda782926dd5e4279a2661118a1a3c635d64a47f11", "type": "eql", - "version": 317 + "version": 318 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "00d32e6fa5bbccc98584ca85d490bb3a869cf0f18122627e710ce3c3e0edf137", + "sha256": "7bb6798ddcb354c4347fefdf136c66ec0d059e74917c3871807ec7e341085eeb", "type": "query", - "version": 213 + "version": 214 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", - "sha256": "860d01c2bb53d9b7a09a8718626d0909a9e37d78d4f26bad282749d406874f1c", + "sha256": "dc47b4f6b8b13340fd5675c6b297e3e1a826d680a9630257e8c0093d4af5f198", "type": "eql", - "version": 314 + "version": 315 }, "1ac027c2-8c60-4715-af73-927b9c219e20": { "rule_name": "Windows Server Update Service Spawning Suspicious Processes", - "sha256": "b74e84be6cfe9c1defab5c385b553c14e467b5829d982f21c40c7b3343061ac9", + "sha256": "73f9c594fa7d3c1b5b8a23e0b26fcbd674d5597c657f3d07065f7d7a9f0f6da0", "type": "eql", - "version": 1 + "version": 2 }, "1aefed68-eecd-47cc-9044-4a394b60061d": { "rule_name": "React2Shell Network Security Alert", @@ -1370,9 +1370,9 @@ }, "1b65429e-bd92-44c0-aff8-e8065869d860": { "rule_name": "BPF Program Tampering via bpftool", - "sha256": "e84a699789d0edc48edfecd3b086d0e0b60583a630ef2d5a9fdb8e419271263a", + "sha256": "81a039d10521f44f4281d8544ffd0b16a9b3063f8ee87612d04ff43a2da6151a", "type": "eql", - "version": 1 + "version": 2 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted", 
@@ -1388,9 +1388,9 @@ }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "47d4620c23138f802607ae88c1771da89921da694ce270e4830492b18d2eb9bb", + "sha256": "03f4a222aafafea3d3221e0582ccac9b11bbc82101504c84c7694b8ef873cda9", "type": "eql", - "version": 15 + "version": 16 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "rule_name": "Potential Process Injection from Malicious Document", @@ -1400,9 +1400,9 @@ }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Entra ID Illicit Consent Grant via Registered Application", - "sha256": "a8f8c2a897481a4c3d6bba8a3f6c01ec6140dd59c3f96b711b8e5d594f6923aa", - "type": "new_terms", - "version": 219 + "sha256": "fb04e2d9695cf1eb8eef84bae6c748979d9703934f64e06743e28b55e5168f56", + "type": "esql", + "version": 220 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence", @@ -1412,15 +1412,15 @@ }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created", - "sha256": "cf9b597b001a31d848656557413a3721467ad321627dd60a0845a2a01c54d08c", + "sha256": "92302fac0a00aecfab0d26b23d5b798e9a6d692621b76bac74cc4d366c9dfc8a", "type": "query", - "version": 107 + "version": 108 }, "1ca62f14-4787-4913-b7af-df11745a49da": { "rule_name": "New GitHub App Installed", - "sha256": "2a64f127e91b425ba0867b5db45435456582c294290f7aa666e65b682a28afbc", + "sha256": "905de7c7445d8245d70d98e20bf1b634c76d420d0abe70959fb9d7efc78cafec", "type": "eql", - "version": 207 + "version": 208 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", 
@@ -1430,45 +1430,45 @@ }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "2e9317401b317d36fee46e10db1c02198eeb2362780b252d333bfa26d2b8b7e7", + "sha256": "ef68bc87047a6664816ff4fcb845d3118897328ce84a3fc62faa10243e3b08bc", "type": "new_terms", - "version": 211 + "version": 212 }, "1cfb39e1-4b6c-4dc7-85fe-733e4a1a33ca": { "rule_name": "Entra ID Domain Federation Configuration Change", - "sha256": "b991e58bb9febec0cf5ed7a76608a9ebc8025adc011b26dfe10a27851c63a867", + "sha256": "7c6cae6af5252c3ea93d98ec5db837504672509c62a82468357df5c3efb3f4ce", "type": "query", - "version": 1 + "version": 2 }, "1d0027d4-6717-4a37-bad8-531d8e9fe53f": { "rule_name": "Potential Hex Payload Execution via Command-Line", - "sha256": "2e108812f7164bba9127e0aa6659bcd9a2c8350f27be5be3a3fd06a9dcbaf48b", + "sha256": "73886707ccad198484d4c6cdde082d9ef78aea65c349fa08ea0430836e23f673", "type": "eql", - "version": 4 + "version": 5 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "rule_name": "Remote File Download via Script Interpreter", - "sha256": "44d7a6f871c3cef4250b42b0edb9f34272d3a8d90ab59b37b4e58ff12a88c7c1", + "sha256": "3e72b8912cd758c1e66ce4cd5024917e71825acfbc2048f1a41cf1a093cbc557", "type": "eql", - "version": 214 + "version": 215 }, "1d306bf0-7bcf-4acd-83fd-042f5711acc9": { "rule_name": "Initial Access via File Upload Followed by GET Request", - "sha256": "97574d1e96bef8af267abfb06bc0f7cb8d0586d2437b3b101bee18f491296858", - "type": "eql", - "version": 1 - }, - "1d485649-c486-4f1d-a99c-8d64795795ad": { - "rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt", - "sha256": "c074d6687b59f8e9a8ddf9fb262efa268ccb014e0e218c7d1f8ee218f6d627eb", + "sha256": "a2e51b827108578b99dad38b6f4ff3f0a701f0371af606bc18f7563b11c266e2", "type": "eql", "version": 2 }, + "1d485649-c486-4f1d-a99c-8d64795795ad": { + "rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt", + "sha256": 
"2756232f98fabdff059cfa55dc552f04e2c8c7042455b61eade3819dde3b4b3d", + "type": "eql", + "version": 3 + }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Profile Creation", - "sha256": "e033fea1b5824fcb4bb6be09775b5afaba93c267fe98719d420ccc5fac613758", + "sha256": "179045c4db738ca0cd743b9ddcf7b57fb07c99dbd6d5b708c795dd94b1055b4e", "type": "query", - "version": 7 + "version": 8 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", @@ -1478,16 +1478,16 @@ }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", - "sha256": "38928a45f4c6a0857efc517d37d79a536bc57a05c5e6765aeee651010e704b25", + "sha256": "263926e41cc042363726da99ea6d39b8c612261d890730e12ed614b018497a98", "type": "query", - "version": 112 + "version": 113 }, "1dc56174-5d02-4ca4-af92-e391f096fb21": { "min_stack_version": "9.3", "rule_name": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers", - "sha256": "40236f57640750a3b31ff46c28be35c721abe771fc5b5775af8eec75337a763e", + "sha256": "de7edeb410f5b8a1e8dbb092cbe4d087a133a7ba1c66545920a487874a383294", "type": "eql", - "version": 1 + "version": 2 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", 
@@ -1515,15 +1515,15 @@ }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "add8f0ecf98bfcdc50001b5a40e7f3f325feb495eb4cf5f976c2561095f6517d", + "sha256": "d77702d18de0a8d0365973764069a898ec115292a1894c24062e7aed54979fd4", "type": "eql", - "version": 108 + "version": 109 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "rule_name": "Deprecated - PowerShell Script with Discovery Capabilities", - "sha256": "bcc5e6231ae54f6a2e5b47919bc03cb87e06ee59f9a0e3419814d466ebafed45", + "sha256": "ad1bd87d23f66d5a3239115816acbcf857fffb8361fd598d3abda318487378fa", "type": "query", - "version": 214 + "version": 215 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", @@ -1533,21 +1533,21 @@ }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { "rule_name": "Creation of a DNS-Named Record", - "sha256": "6727eeb8359a38b6bd76f7f485a4edc0afb2aba6967a5e19c21724161d1d0395", - "type": "eql", - "version": 107 - }, - "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { - "rule_name": "Creation of SettingContent-ms Files", - "sha256": "4797e35fc4a38dd74999a3a08a192ec1ca5363c6fbbefbe0efd341d55e664036", + "sha256": "1089578e25a1c2c14ab8fa84102e1fdafa39beba0b6dbd4f48c35a0cad5f7a73", "type": "eql", "version": 108 }, + "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { + "rule_name": "Creation of SettingContent-ms Files", + "sha256": "2f32979d0c4c70576ae719941f88e9b734de6ca0b68d8cbca27176d73ca4769d", + "type": "eql", + "version": 109 + }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", - "sha256": "60be0421e1c04fcced83d9e1eb5f6d9d4b817b26e543c09d54442c9ec8354280", + "sha256": "b6df387d7eea51849c454c9111255872e0f17716467e7f7dcb96324b0a100070", "type": "new_terms", - "version": 207 + "version": 208 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", 
@@ -1564,9 +1564,9 @@ }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "390a8ddd1ebfe760745876334b3873130a04a7357b53a3c9f1633c02379441a7", + "sha256": "53392e691b44808f9a8515ed8957b0731dca4f7f815904befb16700270092350", "type": "query", - "version": 116 + "version": 117 }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { "rule_name": "AWS Sign-In Console Login with Federated User", @@ -1576,15 +1576,15 @@ }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "rule_name": "Unusual Process Execution on WBEM Path", - "sha256": "590b9afb0a946a0d20b405f3236763b25916bc1c2865980d1471878bfeb9420a", + "sha256": "6ef4ba72caea4308333e21e9748b0103bd5465ca8e8de00cb44982b38ddc73a8", "type": "eql", - "version": 107 + "version": 108 }, "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { "rule_name": "High Number of Egress Network Connections from Unusual Executable", - "sha256": "8987fcc178e2284c1227542322e424b652518be8cab76cb538d54ca2cc90c055", + "sha256": "eab82a81fa79d2c1535f04121103e36d3a2d38892144d98a280602fe1f7d3194", "type": "esql", - "version": 9 + "version": 10 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", 
@@ -1594,33 +1594,33 @@ }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "4464c8de4f4905d81bb1c5f492987ef4c8032d9738d50bf6d5b533da1da754a2", + "sha256": "b540efcf8defc61b47ff3dde63f5d7a2c85f82795da8be78c3820bf1ddb62a05", "type": "eql", - "version": 218 + "version": 219 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": "7c4db2799c89ee449c815b82891485079d5833e668c3397ab35496c6c65e1c04", + "sha256": "320ecccc98bfef326d6dc0f0054a1f42fc866f1bbcd92d8f3fd1352271653f0d", "type": "query", - "version": 105 + "version": 106 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "rule_name": "Suspicious .NET Code Compilation", - "sha256": "7b68836a32e1779b0267875f39a97f5637ee17d6c9b4023e6479dc210b6bf15a", + "sha256": "776b98b92dbd4568e7096e732ead7f52eddf2732f6644902dc3e4d37989d5814", "type": "eql", - "version": 316 + "version": 317 }, "202829f6-0271-4e88-b882-11a655c590d4": { "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "faff9adbb63f6a41bdd2ff861ff8e99f6c1f4c38e8577828ae719b6599578cdd", + "sha256": "b71bdcfb747a7c25b0a7ecef37b73f89cfd4936ff7b67f399a7d47694f1c4992", "type": "eql", - "version": 108 + "version": 109 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "rule_name": "Creation or Modification of Root Certificate", - "sha256": "cb97ac512379616b3ee47f87a9d7a7f6cdc27f77c1aeb2207f6fa1bbc5fa06af", + "sha256": "a56e29eb9a96103fc4c39153ee8d8e21f84134bcb62944cb04237651e3a4d1de", "type": "eql", - "version": 314 + "version": 315 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", 
@@ -1630,15 +1630,15 @@ }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "rule_name": "Suspicious Web Browser Sensitive File Access", - "sha256": "969933445a0d95b7684221b4c55a04a981a502c5061dfdacb076bba52fa14b38", + "sha256": "e46abdd536b397307dd73b4a20f4296b0141a10a86a9c252ecc461420fea502d", "type": "eql", - "version": 213 + "version": 214 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "5268893db28ba2b8355e2703a825d92212770bc7a639a48c747da8fe62a6814c", + "sha256": "37353d258cf8edf69b0bfd21b13914eada7068fdd37274962245a637ba70257f", "type": "eql", - "version": 206 + "version": 207 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", 
@@ -1660,27 +1660,27 @@ }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "AWS SNS Topic Message Publish by Rare User", - "sha256": "9e1527dfa34c8a262625248c7a5788f2e59f32a8c1f26af52aa804ae2eeee552", + "sha256": "3be6e725cc1b6a531b8b138860f2ccb9b6b88cf7b8c4399d4c26e6a0141a23db", "type": "new_terms", - "version": 4 + "version": 5 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", - "sha256": "a0b684e1e7368b195c63cc2c1e61a39406f53d8fbdb8814f02345bec65fbdbb5", + "sha256": "ffbef35f2979f9b0815d176123110cf20185f13031b14a773f5d555d5a5f67ef", "type": "eql", - "version": 8 + "version": 9 }, "214d4e03-90b0-4813-9ab6-672b47158590": { "rule_name": "New GitHub Personal Access Token (PAT) Added", - "sha256": "db8bef0b0a2eb7f45525fc2a6b93213b5c3dec305f2a77d26d848728f61ad823", + "sha256": "0c32db1d0bdc3c62955fe42da52b54866bfdb760a99a75df466ec917fb903caa", "type": "eql", - "version": 1 + "version": 2 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "sha256": "373fbf888323ceb2b501fedff354a2a9bee1a0105ca631e2d18e381ff2e803be", + "sha256": "b1715617058040be1981a4a2148f4685295b1658eee23805db1daf9a5ba2553b", "type": "new_terms", - "version": 9 + "version": 10 }, "21c3536f-b674-43db-9bfc-dcf4cf9dcc37": { "rule_name": "GitHub Secret Scanning Disabled", @@ -1696,9 +1696,9 @@ }, "220d92c6-479d-4a49-9cc0-3a29756dad0c": { "rule_name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy", - "sha256": "36e7433b9ac363f3b9eb6a9f77719796db3fdf22e0cef25d0318ab203e4c92ee", + "sha256": "b8ea3be7fe37d1a71bbceeadb9717e70b488e7256446ad679f347b464e34524c", "type": "esql", - "version": 1 + "version": 2 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Activity", 
@@ -1715,15 +1715,15 @@ "227cf26a-88d1-4bcb-bf4c-925e5875abcf": { "min_stack_version": "9.3", "rule_name": "Encoded Payload Detected via Defend for Containers", - "sha256": "6a07a74b399cf5346bcf3fb2acdccd01c3489906a3b780afa3a617c278537902", + "sha256": "c22125aa8d5fbba0e2e7ab1379a82385d8164c305089fc053ca1bf31ed58b2e0", "type": "eql", - "version": 2 + "version": 3 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "188373da495c052baa5f489c9a5e4ce8d8133ede03d4aec038290f45949ebd5a", + "sha256": "7d04e6fb99e0091df572932a00000c7665087be144f95263674523f940f9092f", "type": "query", - "version": 212 + "version": 213 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", @@ -1733,9 +1733,9 @@ }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "10057cdacf301c40c25637993cc4b38700c574b3f414544168b5375acb7cf76f", + "sha256": "f9288e22de117a3e3b910bca3924528268bd52d9c84de89acdb6e28e9d88d2d2", "type": "query", - "version": 107 + "version": 108 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "rule_name": "Kernel Module Load via Built-in Utility", 
@@ -1761,27 +1761,27 @@ } }, "rule_name": "Potential Kubectl Masquerading via Unexpected Process", - "sha256": "d70c260690f552cfacb02450ed891f4c669046f11b94c24f5f0973a7bb51d56f", + "sha256": "6e24466e654e56308b329e2e506d4a36f3cb93890c9cc863c6f54618cdb177da", "type": "eql", - "version": 103 + "version": 104 }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { "rule_name": "Unknown Execution of Binary with RWX Memory Region", - "sha256": "64d186dce545974e3eefff0ffe0de8acbed12482e69e54ecbb96567916bad861", + "sha256": "082bad18b8416bb5ccd1d0cfce8b0e590878f8eda05813006131e35463194383", "type": "new_terms", - "version": 7 + "version": 8 }, "23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf": { "rule_name": "Potential SAP NetWeaver Exploitation", - "sha256": "1a947a8c0e8b33f904c1ca77617bf8cc6e689ef281f75f7f41e0d5ebe10702c4", + "sha256": "9592413691f94b0e392e5b6b6d96b45087aef7dcc204902cbee6f54c88ca0e31", "type": "eql", - "version": 1 + "version": 2 }, "23cd4ba2-344e-41bf-bcda-655bea43fdbc": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", - "sha256": "9e411037eb901ed4a4be89ef5b0a5f6d36e45637a15a1ff70afc11937f1244f7", + "sha256": "bad7dfbcf30e7a80ff8bf2b11b59f66510afc25bcebc9113d7ba02700a792c86", "type": "eql", - "version": 3 + "version": 4 }, "23e5407a-b696-4433-9297-087645f2726c": { "rule_name": "Potential NTLM Relay Attack against a Computer Account", 
@@ -1791,27 +1791,27 @@ }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "rule_name": "Potential Okta Brute Force (Device Token Rotation)", - "sha256": "fbd7404391275a1fb3c33e3cb3f065b69b751b4428efb98114c67b17021c2ba9", + "sha256": "c0175427cf1da2826fa554be27674f044389d71995f24fd50545ed40a819156b", "type": "esql", - "version": 210 + "version": 211 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "rule_name": "New GitHub Owner Added", - "sha256": "284425d2163342436ce5a9d1e9fdd61c509eb88df35502cba160ef18c8ca5d17", + "sha256": "f9de2a51923458b9774e07e1d89fb9553a33f03ae4ebd60a5063dda5ee214fd3", "type": "eql", - "version": 209 + "version": 210 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "rule_name": "Lateral Movement via Startup Folder", - "sha256": "bd35da091eebd6bb34af785cf1de52b0361a62eb9f8cc40804e0864ed4545115", + "sha256": "2090c343668df6833e9cf0bafba90329cb6b037e741a061fd9374332fdc2722c", "type": "eql", - "version": 312 + "version": 313 }, "25368123-b7b8-4344-9fd4-df28051b4c6e": { "rule_name": "First Time Python Created a LaunchAgent or LaunchDaemon", - "sha256": "c9411c14d3c259f994d78ca45f0e9303aeb82698376b4c9179418ad2875882bb", + "sha256": "3714413319a7bc19d4a891160b2fa7ce870a8296e9da5b0b7811946cb72d49ad", "type": "new_terms", - "version": 1 + "version": 2 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "rule_name": "Potential PowerShell HackTool Script by Author", 
@@ -1822,15 +1822,15 @@ "2572f7e0-7647-4c68-a42b-d3b1973deaae": { "min_stack_version": "9.3", "rule_name": "Potential Kubeletctl Execution Detected via Defend for Containers", - "sha256": "c7663a155471fff8ff929fa79611c9b8a5bdb6f45c70f80a2ad6170e9ab67a25", + "sha256": "f2f4d0bdad8b894fb254412c4e67385b007af2d2a3c4fdd609962b64f4ddc830", "type": "eql", - "version": 1 + "version": 2 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "87752d0d2674be61e35e91cd109a9bc7c29f88b96135fcdd527bc9b9a3185371", + "sha256": "d6a2ecf476cd2454fdbff39ec56abf5546147359689e2d4c4d2b1b13eec7d813", "type": "eql", - "version": 109 + "version": 110 }, "25a4207c-5c05-4680-904c-6e3411b275fa": { "rule_name": "Multiple Elastic Defend Alerts from a Single Process Tree", 
@@ -1840,27 +1840,27 @@ }, "25d917c4-aa3c-4111-974c-286c0312ff95": { "rule_name": "Network Activity Detected via Kworker", - "sha256": "85c27973460435a413b6d080b9381b7ea5624d36191a071d581a977d752b5ee8", + "sha256": "6f4eff66f0c65aba4c175641ec53bd362c571ddcc98a36f91f1357b1e7f21817", "type": "new_terms", - "version": 9 + "version": 10 }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", - "sha256": "882ff0c3deba5b93ff172e6bb626f39297b8242984e5b7db11bc8ca90e5bcca2", + "sha256": "4baf8dd59f661e9f32a10880d9cdb692a077f70531c803d62efa65fa54a9ba77", "type": "query", - "version": 5 + "version": 6 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "4e6c45b24b5b94cc4745674e2f05215e98a912f621fdffa24f291fc52a0a1194", + "sha256": "b4310f1d499651a51101aa441f2d2dbfa9526781e8c3572a6f390ee7b104c96e", "type": "query", - "version": 210 + "version": 211 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "c0c3359887ae31c91a2f36ba8659716838b2b3ea8e601eeb98d253ff3f6b2cb7", + "sha256": "847b0b60963ff676ec04a3851fcf67da0046389d6b3d572ab197169471c02e4c", "type": "eql", - "version": 10 + "version": 11 }, "263481c8-1e9b-492e-912d-d1760707f810": { "rule_name": "Potential Computer Account NTLM Relay Activity", @@ -1882,9 +1882,9 @@ }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "716cc35650ba4a9892b5d18a9799bac51553c52d29a9799bd63789601ac6263c", + "sha256": "5e89de514cd1bc3b12bfd6f31d05fa567baa8901346c45d9e852313e72ed5846", "type": "eql", - "version": 316 + "version": 317 }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "rule_name": "Unusual High Denied Topic Blocks Detected", 
@@ -1894,22 +1894,22 @@ }, "267dace3-a4de-4c94-a7b5-dd6c0f5482e5": { "rule_name": "Successful SSH Authentication from Unusual SSH Public Key", - "sha256": "61d9e243f182813ab7398db6ff475278201d6d9cf292caab584d2a10e77f3ee7", + "sha256": "fa8068ba6208f9c013cda667f737b51fae6f5b52b978165e1b76c35f0acd0ee1", "type": "new_terms", - "version": 5 + "version": 6 }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "rule_name": "Potential Defense Evasion via Doas", - "sha256": "2a473991dd2c9e0841fda1733aff3038c36a186cada11331d5e0f6841a34d332", + "sha256": "8c951a0906470270b43bc3293a9d807368a4febdfe1c96dcf7585c87d42f40b0", "type": "eql", - "version": 105 + "version": 106 }, "26a989d2-010e-4dae-b46b-689d03cc22b3": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request Detected via Defend for Containers", - "sha256": "0f913614bc84eeb793c53a337d82071dc54799ad1f8546f5444f3ab8919fc6d0", + "sha256": "83c6cdeb9a06541ccba897ff5fded24c63515255d7a617a83ba2b1150425e39a", "type": "eql", - "version": 1 + "version": 2 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "rule_name": "Privileges Elevation via Parent Process PID Spoofing", @@ -1931,9 +1931,9 @@ }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "f3e07490e13703f24bd9972072c4789312cbf42c4ad361669075995598aba108", + "sha256": "e528a3c860f8f8de6eb7bceeebeefd1cf6ab283b09db3f9bc9ece6beb6fa532a", "type": "query", - "version": 212 + "version": 213 }, "2724808c-ba5d-48b2-86d2-0002103df753": { "rule_name": "Attempt to Clear Kernel Ring Buffer", 
@@ -1943,15 +1943,15 @@ }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "M365 Exchange Mail Flow Transport Rule Modified", - "sha256": "3c93957c1e2ee5027e98b637df528737ddc67548e2c42a5e0e5d9f0e7d6dced2", + "sha256": "b5245c16c4d310231c399373dcac339d3181528c5d048cc20bb287871d4b7015", "type": "query", - "version": 211 + "version": 212 }, "27569131-560e-441e-b556-0b9180af3332": { "rule_name": "Unusual Privilege Type assigned to a User", - "sha256": "579ed4cf157c5823aba1285af6e70c68cb53ea8b58681a305bb4b2fad6f975e3", + "sha256": "6a4a1e539a2599e9b91ee64a6ae3f7c41201c686d380a2965e9e9117ab3860be", "type": "machine_learning", - "version": 3 + "version": 4 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", @@ -1961,22 +1961,22 @@ }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", - "sha256": "677e4f99e43770464f7c8109f73a9b6de9e59a595226aadb28817b9892ed438b", + "sha256": "8769f6898d63f15502763d54b54d972d28e6940b1bd05bbffb70622861a63f05", "type": "query", - "version": 107 + "version": 108 }, "279e272a-91d9-4780-878c-bfcac76e6e31": { "min_stack_version": "9.3", "rule_name": "Suspicious Process Execution Detected via Defend for Containers", - "sha256": "c2d5e99aa5d5f7c2d4ec0558b50319e50e78c108addf943b7ccc4232c74d71cc", + "sha256": "f59668d5789c20ac3063485cf2e2475dee1cca5257adcd26dd6792bd6a9611aa", "type": "eql", - "version": 2 + "version": 3 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Deprecated - M365 Teams External Access Enabled", - "sha256": "b83875f1dac9ec8962c9e0d434baf51e77c060c9eef0c74cedbd0aced9af4abd", + "sha256": "f299af4df51862831053ea8aae2e99c0f8079f2f944aa32131a66dbe4b5820d2", "type": "query", - "version": 212 + "version": 213 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "rule_name": "Account Password Reset Remotely", 
@@ -1998,15 +1998,15 @@ }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "33c1f21b8ad943e006b0b8c052cb8e8e00dfc46a3d39b3b1baf2da061b691319", + "sha256": "525b714ab72a6ec9763b6f3728f543b80b837e8fbdbc7d991e186849d6f88bd1", "type": "eql", - "version": 214 + "version": 215 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "ea2ff866a53552d5f6b37d8fb6a24a980d6d123a4b964b5f369a83bf3fb5bbb6", + "sha256": "710295c0aea28068ca3f8bab2bfe3bcca0afc8af88682411cbf523f6847963c1", "type": "query", - "version": 105 + "version": 106 }, "28738f9f-7427-4d23-bc69-756708b5f624": { "rule_name": "Suspicious File Changes Activity Detected", 
@@ -2022,51 +2022,51 @@ }, "288a198e-9b9b-11ef-a0a8-f661ea17fbcd": { "rule_name": "AWS STS Role Assumption by User", - "sha256": "27c7aa43b06bcdf5a54290f27d411866cfc693c85f82ab73c01872b76435defe", + "sha256": "b0796e6f0bf03c93415475e92058a12de9609c2227a18556341385cd954bf49f", "type": "new_terms", - "version": 7 + "version": 8 }, "28bc620d-b2f7-4132-b372-f77953881d05": { "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", - "sha256": "d8189e4d4d87c58434d81440d509cddc5f5851df4ba905bf8d3efa83d8030eba", + "sha256": "40709b37a372f451eb19142e62244babb6f19d932ff23febe70379c94e8fd0e6", "type": "eql", - "version": 6 + "version": 7 }, "28d39238-0c01-420a-b77a-24e5a7378663": { "rule_name": "Sudo Command Enumeration Detected", - "sha256": "c7e7e68e68ded776a6cb26f46fe6f7578514c8482e90a226136274592d1f964f", + "sha256": "08cd9c8ade957eb4b22e7e97107ab12ebabd91467a861afb99e3b6a377becb68", "type": "eql", - "version": 110 + "version": 111 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "64c610f7502c9c9fe5de3292ae31f7b7d9069333e4670ee1e070608a7f05dae7", + "sha256": "93526ab19a120dcce1e1f514bed302cf80ec75b023f0065f4eabf74853b0d18a", "type": "eql", - "version": 110 + "version": 111 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation", - "sha256": "f464d90995d80076ad4ff6a8ef87d3d52a6c4521f1c16c71285d835d37a2002b", + "sha256": "c58523c3504b477306897ad712fc266a3409aef8c601706b879c32f1efb654b3", "type": "eql", - "version": 10 + "version": 11 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS EC2 Security Group Configuration Change", - "sha256": "3aaa75d486f4ba4c2eb992e5edbd1b9d18d5ba4ab2475b4f71eabe69e2a35fc6", + "sha256": "4c03899b632f6120813e6c46281e60ba58bfb5cc53b380141fe92b984ea88998", "type": "query", - "version": 212 + "version": 213 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": 
"4bd4408885e9a117457d761703a208973169337ceb574c33f517d95f9b2e4c11", + "sha256": "4bf7f5f04793e6d5636749a63e62e76cb5bb933038ff25e20247a11a25ad8985", "type": "eql", - "version": 320 + "version": 321 }, "2917d495-59bd-4250-b395-c29409b76086": { "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "190fe19deb24dbdf5cb26c1e6a680c43d3a978174783db1fce8caab8f4eb4344", + "sha256": "18d1e450aae801746877577fb6bc306f7f3d0957abdde58ea05c5bbdb5ecc84a", "type": "new_terms", - "version": 421 + "version": 422 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "rule_name": "Enumeration of Privileged Local Groups Membership", @@ -2082,9 +2082,9 @@ }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "1537231ffbe3f9f7c4366b5fc908eb9fd04fc332d5810b920c40f450550dc123", + "sha256": "abcf26f5365ecaa93b9183cd4908b02996150f691be796d2200f7e66456ef4f1", "type": "query", - "version": 208 + "version": 209 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", 
@@ -2094,21 +2094,21 @@ }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { "rule_name": "Linux SSH X11 Forwarding", - "sha256": "422904218232bf8f3987431c10b2f795fa972b2aef5a52beff47d02665c3e482", + "sha256": "e4c869cb3edc72947fd52af59a07d158d9df906cfd5b80d6dcca840734074fe7", "type": "eql", - "version": 108 + "version": 109 }, "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": { "rule_name": "Microsoft Graph Request User Impersonation by Unusual Client", - "sha256": "6bc991d4d49a1e97b058050ecf22b39b7f14ca2485a5cb04706ce0e339c32a82", + "sha256": "8e094ed2088f19cd263e2ec6c3f6f66ba0c512f83d405b72d214cc6b4b929c60", "type": "new_terms", - "version": 6 + "version": 7 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", - "sha256": "80cb87d47a5427da963fda4a8c8bcb1f2d1b47a4de77893fd97e4970e50596fe", + "sha256": "bb5d868d2632e7b5a662737cfdddf49f0aa78a0d0dda0cad6b4104330cad37ec", "type": "eql", - "version": 12 + "version": 13 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "rule_name": "Kubernetes Pod Created with a Sensitive hostPath Volume", @@ -2118,15 +2118,15 @@ }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "rule_name": "ESXI Discovery via Grep", - "sha256": "bc667855081341dfcef940f0322f9eb6be13661698225c444ca64298ef62b31a", + "sha256": "37999a3afa79aa321127ff14e5839d96e719daa04d68b38cc7f79924c59a8982", "type": "eql", - "version": 112 + "version": 113 }, "2bca4fcd-5228-4472-9071-148903a31057": { "rule_name": "Unusual Host Name for Windows Privileged Operations Detected", - "sha256": "09d0cf5e77010be2cc43c4031d377ce5839b0314b7c66300b0bbcf1eaef32711", + "sha256": "7fd9eda6eca11a59a902ae98e5e67013d23113287786c76e64be97d2beaa5b20", "type": "machine_learning", - "version": 3 + "version": 4 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Deprecated - Adobe Hijack Persistence", 
@@ -2142,9 +2142,9 @@ }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "c22b3e1c37ec22f448030cd1e024fefd0147a393609a60363ad325a47039b1e7", + "sha256": "93fe59d64717619f4032137589ed774e8bb5ecb5057da771c0b32dd7914da4db", "type": "eql", - "version": 215 + "version": 216 }, "2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": { "rule_name": "Newly Observed FortiGate Alert", @@ -2154,9 +2154,9 @@ }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "rule_name": "Potential Foxmail Exploitation", - "sha256": "f9995a1f0a95afb24be29dd71a3ddf5c203bb6c2b32550ca795e94f59e06b674", + "sha256": "2b4448a33d201b761c3884680d789cd2f909456a276b9a125cb4ee55845e6345", "type": "eql", - "version": 206 + "version": 207 }, "2c74e26b-dfe3-4644-b62b-d0482f124210": { "rule_name": "Delegated Managed Service Account Modification by an Unusual User", @@ -2166,9 +2166,9 @@ }, "2d05fefd-40ba-43ae-af0c-3c25e86b54f1": { "rule_name": "BPF Program or Map Load via bpftool", - "sha256": "ec42dc0d8c393f7e859114d5d0dfea8e76e9a4dee7ee35c4ae48700ea479b355", + "sha256": "b89854776ad866f757ee1469315dad87cb628a427e71fe40f741a0aaf4c53d5e", "type": "eql", - "version": 1 + "version": 2 }, "2d3c27d5-d133-4152-8102-8d051619ec4a": { "rule_name": "Potential Okta Password Spray (Multi-Source)", 
@@ -2178,15 +2178,15 @@ }, "2d58f67c-156e-480a-a6eb-a698fd8197ff": { "rule_name": "Potential Kerberos Relay Attack against a Computer Account", - "sha256": "f447ca71b251486b3b8cedd1c5d1c3fd8ef2cc2d6d7fff0d4869dbe86bd982df", + "sha256": "5e09e657da69ef3fb73e3795a8733b629201781c989c5407e927d1e39ef0e0b3", "type": "eql", - "version": 1 + "version": 2 }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "rule_name": "Command and Scripting Interpreter via Windows Scripts", - "sha256": "550e0e7a2940f35a6a904171e569f5a7c7657c5a8bf8ddeea1c12e84c90afacb", + "sha256": "e5d671ad048423ca25d3abeb0d58b6247aeb872604f977aaab7dac050096bccd", "type": "eql", - "version": 208 + "version": 209 }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { "min_stack_version": "9.1", @@ -2213,15 +2213,15 @@ }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Unusual Kernel Module Enumeration", - "sha256": "8c0da309dd6e65f4fa9e9274761b3992b3dddf900cf7115e9408c8d9471ab051", + "sha256": "08ee164b5d1ce75b39808742849277e8261cb5961e4beed4e5b5884da7e12ccd", "type": "new_terms", - "version": 214 + "version": 215 }, "2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": { "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected", - "sha256": "08dc663e2efbf90abf4ead11bcf832d3c646081461d593b9b1ca097c52a8b111", + "sha256": "2038641850ec7f59a724389fa9c574dc5e7afde97a91a20ad4e700087c05d191", "type": "esql", - "version": 2 + "version": 3 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "rule_name": "Suspicious Process Access via Direct System Call", 
@@ -2231,52 +2231,52 @@ }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { "rule_name": "Potential THC Tool Downloaded", - "sha256": "b051575b660ddb58230d3dbdd7da457964ad0d6e708995983b29f8e9fc712ff5", + "sha256": "2fdf4a036c7f0d6c3aa8e7d60e6415e5dce3b059e32369e04f6f992f75d652cf", "type": "eql", - "version": 108 + "version": 109 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "M365 Identity Unusual SSO Authentication Errors for User", - "sha256": "bf27b5f423aae8f1125e4c60009329db0174ac9d72b6c52104791813da17c14f", + "sha256": "122da6655602fd538b9bdbe622e072d3731265ff8ba0310878bf547b83631873", "type": "new_terms", - "version": 213 + "version": 214 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "931d384242cb325d15e63af27218a647c2acce98a2c49398df4b115f0ac31854", + "sha256": "1cafc7f308e499aa850d066435ed539f2766f7339c654c9f1806fc8738c7928a", "type": "eql", - "version": 214 + "version": 215 }, "2e0051cb-51f8-492f-9d90-174e16b5e96b": { "rule_name": "Potential File Transfer via Curl for Windows", - "sha256": "24a5a79f109f05bf21d2f754c52ffc6b254ada0f09dc5a17a35dc19a34885963", + "sha256": "00a9820f74b15bcad625b039d2073da2991f8ee19275fd11429e6318ed544d9a", "type": "eql", - "version": 5 + "version": 6 }, "2e08f34c-691c-497e-87de-5d794a1b2a53": { "min_stack_version": "9.3", "rule_name": "Unusual GCP Event for a User", - "sha256": "55a21a226a7f4725775a54520604ff27ad80dc2b5fdb23531a58c027ae21a46d", + "sha256": "f2c101f62195e21efa9dd47975b9bb08fe09f90a69be64d4d45a731682b74628", "type": "machine_learning", - "version": 1 + "version": 2 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "rule_name": "Renamed Automation Script Interpreter", - "sha256": "6a560a6ffcbba02c197efbaa1459015a7ee1a9f0dc30546961d0c558b4c86638", + "sha256": "bf7e0fde2619d02736e6e4ad87135d1b6463e80fc4f9bbf199eff594e2a34c19", "type": "eql", - "version": 216 + "version": 217 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "rule_name": "Potential 
Process Injection via PowerShell", - "sha256": "1182966a50d90ea8aa6e0dcf3bf488fd484f92fed47e6f9f6841ea493d8f235a", + "sha256": "eb0a61ec96fa7d830c2895b364f80245d8d62fbf1cdfb07e27cf10484d54b6f1", "type": "query", - "version": 217 + "version": 218 }, "2e311539-cd88-4a85-a301-04f38795007c": { "rule_name": "Accessing Outlook Data Files", - "sha256": "91a6e248732a14c80990696a2fd6c4b667418459b6a00227136e0249a419f6bd", + "sha256": "049befdbf6cac7da7b115ab1a497a5d04ad6940c94e04cc89ac097e309c67f89", "type": "eql", - "version": 108 + "version": 109 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "rule_name": "Okta User Sessions Started from Different Geolocations", @@ -2286,15 +2286,15 @@ }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "8e69b1881bc5d9e9b7cb08a41c64dfbc871b30af555dd21d9af9f47c6da2a3de", + "sha256": "3c4ba4324d491ee03a754021e112bccb471065275193915c992db9115828225d", "type": "query", - "version": 105 + "version": 106 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "rule_name": "Creation of a Hidden Local User Account", - "sha256": "fa987929fc52327c1216c3eb0cdeb12ad53aec394acd16dff1a1e3ade053edb0", + "sha256": "056b4b73cde0fd5b004013c93f401196926c99645dc6bcccf0567c87a4c257fe", "type": "eql", - "version": 314 + "version": 315 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", 
@@ -2304,15 +2304,15 @@ }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "4118fbde9fb7da5dfde559ee21035f3c10aedd631eb6a5a80afced7314403204", + "sha256": "99ac9ef863cee31dd240561777099c022934a3cf76997d70d1b0f0b1414e32e2", "type": "query", - "version": 216 + "version": 217 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable Syslog Service", - "sha256": "c5b6abead67063cc3196d089f76977673f487a6b61ccd94b175282fc266b654f", + "sha256": "83c3b8bb65af1b682a4e4e22bda3b0c8c4a7a01490b7e1a9add4b5b211590631", "type": "eql", - "version": 216 + "version": 217 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { "rule_name": "Suspicious /proc/maps Discovery", @@ -2340,9 +2340,9 @@ }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", - "sha256": "373eac2208e12bd5891af7081fd3241bc526ffffeb55efa28a459d5647c124c9", + "sha256": "f1ad94a353eccf3aeac4419235229c5ccd90a3383840409db872d7f9e8d04ff5", "type": "query", - "version": 107 + "version": 108 }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", @@ -2358,9 +2358,9 @@ }, "30d94e59-e5c7-4828-bc4f-f5809ad1ffe1": { "rule_name": "Suspicious File Made Executable via Chmod Inside A Container", - "sha256": "997ddf8d6ff0730e4be95a6d5a9d0c12d2d308ab78fae888f52f344063f9e853", + "sha256": "9fc179c299f0a00f746636e748563c34ee24c5ec85c28140a77bf0831f50e7b9", "type": "eql", - "version": 3 + "version": 4 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "rule_name": "Deprecated - Network Connection via Sudo Binary", 
@@ -2370,15 +2370,15 @@ }, "30f9d940-7d55-4fff-a8b9-4715d20eb204": { "rule_name": "Windows Script Execution from Archive", - "sha256": "9aa5c9aced2b2c00f42c467774366d05a2b8edd0dd84dcb6df6ffbac36efbebe", + "sha256": "53b7166d77fbc83702b551e787b1f6eaded8cd5393cf11419067d3d693b3391f", "type": "eql", - "version": 1 + "version": 2 }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", - "sha256": "d0a538eca3e53a0b766d51bc2e1cfd3c7c34e55419b44ff625875fe71b156609", + "sha256": "0273272892c012a2d9fd49a6ba82366bcaef264c4639a58448933fe14d660732", "type": "new_terms", - "version": 7 + "version": 8 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID", @@ -2388,15 +2388,15 @@ }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "a008c8165baa887d0f799ca34dbe16b08a499c28c83ca4cfcaac485bba2d9fb1", + "sha256": "53d71eb9f5efa44b7312f15518e494dc936ba4d201f4787686cb0872cbd8cdad", "type": "query", - "version": 105 + "version": 106 }, "314557e1-a642-4dbc-af43-321bc04b6618": { "rule_name": "M365 Security Compliance Admin Signal", - "sha256": "96f0acbb1e0769543a2b94ad428a81031d4f2f99da97acea5bd7a636725b64eb", + "sha256": "90ffab6d1e834727e5298c1c2a328ad9bf215065fe05525952503f932988d826", "type": "query", - "version": 1 + "version": 2 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", @@ -2406,9 +2406,9 @@ }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "92ce4a83bef3e49c7d7d4de7aad7116cf2ebb8f4deb88788ee2ef780d7e62b56", + "sha256": "0d3383f130023c3e513326852064c621515b898f342d0786cb1946e76e4c29d0", "type": "query", - "version": 107 + "version": 108 }, "32144184-7bfa-4541-9c3f-b65f16d24df9": { "rule_name": "Potential Web Shell ASPX File Creation", 
@@ -2424,27 +2424,27 @@ }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", - "sha256": "eb38f04d808e77835373a09365283aa656dd9cf6ff09ff8359687c1616120657", + "sha256": "230128099a762e79453143aa42805708865110bb5debd68d2c3c1aa35a550290", "type": "eql", - "version": 8 + "version": 9 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure VNet Network Watcher Deleted", - "sha256": "bc8da5072865b63a9bd11c87ff29a7be4cab8bb532de7d07b671c8a43a9c6c65", + "sha256": "402b21c5a8b90809bf2494832bbded33e11f8858286691ae499bbe87de9fab4c", "type": "query", - "version": 107 + "version": 108 }, "3278313c-d6cd-4d49-aa24-644e1da6623c": { "rule_name": "Spike in Group Application Assignment Change Events", - "sha256": "d5a88c5d3cd16e0906a590a49c7ef668ec5f349624dbd24d53e48b0e0928742e", + "sha256": "08b6d34feb24bfb3ef7b5cd94e07f722386374274b2d87f3277e125ddef5ec78", "type": "machine_learning", - "version": 4 + "version": 5 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "52eace0c1aa59cca6016fb9f15f526f1609d7dc2b94b05825d6f7a9b7a34ec3f", + "sha256": "969099d6bc45bcc29f0de7cdfafd79fcfb95cc5e47922ca6fdbd61d6f3aa1f7e", "type": "query", - "version": 107 + "version": 108 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", 
@@ -2454,15 +2454,15 @@ }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Atypical Travel Location", - "sha256": "30d151c70b48bcb9403acaac9fdbeefd66a5c29ccbe15d9ce278cc5cb6d15068", + "sha256": "da837c9d85b4f3f385517d68f15aae6abe941f8ec854dacc173305a12edcde4c", "type": "new_terms", - "version": 8 + "version": 9 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "835cae7a4d3ce95fad31a8965f6443101566d4d85e7e1013fa1d8788fd80ffd0", + "sha256": "c256b29b343f269dbf21e023ac3abb987eab65c6d60f67b02a81b0fe0b838efc", "type": "eql", - "version": 419 + "version": 420 }, "32f95776-6498-4f3c-a90c-d4f6083e3901": { "min_stack_version": "9.1", @@ -2473,21 +2473,21 @@ }, "3302835b-0049-4004-a325-660b1fba1f67": { "rule_name": "Directory Creation in /bin directory", - "sha256": "e3735feb30f32effe12806ccdc1a553515976ed4186f7ce45c814752fae1fc63", + "sha256": "ced597d9501b078532ec2d68b3248faa95d307cc6fe32bbf812094b1072877b2", "type": "eql", - "version": 106 + "version": 107 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", - "sha256": "20c47ad4fd1ebfa6af30670a5f1c8320fdbbb069b2af8f3184de6556eed50a90", + "sha256": "86097c4bd776631b3496ac37b81634d2096b7900a55d099857a62a3195ea2570", "type": "query", - "version": 213 + "version": 214 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { "rule_name": "ESXI Discovery via Find", - "sha256": "def030dc671ced61e475a8544d8b4124320a6d97819fe54fbef13913246ebd45", + "sha256": "a71d83b3ee92c09090ce8fd23ebd63f59231a2edccb9bd6886660caebecd03aa", "type": "eql", - "version": 112 + "version": 113 }, "33c27b4e-8ec6-406f-b8e5-345dc024aa97": { "rule_name": "Kubernetes Events Deleted", 
@@ -2510,9 +2510,9 @@ }, "341c6e18-9ef1-437e-bf18-b513f3ae2130": { "rule_name": "Potential Privilege Escalation via SUID/SGID Proxy Execution", - "sha256": "d535abad52b8d6adb581e3d93e127daceb495d7d568e7909e07888cff673237b", + "sha256": "8d52f8c87d55bec0b5f01ab261889d2ac07ff3c6a7eb1cbed03398fb111be726", "type": "eql", - "version": 2 + "version": 3 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "min_stack_version": "9.3", @@ -2526,9 +2526,16 @@ } }, "rule_name": "Dynamic Linker Modification Detected via Defend for Containers", - "sha256": "162dc3fe83095dff7ae84bbb1a7b8a20fed852e1e2c06a1944bb5b36e65de8fd", + "sha256": "42eccedf47d0083269869acb142a647cebd64cd97a02f2693448c5df83b68fc3", "type": "eql", - "version": 103 + "version": 104 + }, + "344e6c7d-ceb0-4f20-ba04-7c75569a7e38": { + "min_stack_version": "9.3", + "rule_name": "Elastic Defend Alert from Package Manager Install Ancestry", + "sha256": "f9890676b10ae56aad1a991907864958c409724426840b68dda38701a732bd81", + "type": "esql", + "version": 1 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { "rule_name": "GitHub Repository Deleted", 
@@ -2538,33 +2545,33 @@ }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", - "sha256": "d57bc63901b5b57de73fd7d0f786fb7815d8dae601a9cf7297eeb7473de8e7b1", + "sha256": "8ab449b25259296b7454c26d1a88b78d5c22b67f6c82f767508ffb494c3f8b15", "type": "new_terms", - "version": 6 + "version": 7 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "a63dcd3cac0e13109997f588b8687ad8378e29f22ac15957240b8814d579bc3d", + "sha256": "7e8ef18d5bc3b460e615980b4eccde93b38278f3ac2e312433a012ffe4a782d8", "type": "query", - "version": 111 + "version": 112 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "4ebbd5cfc55a9e5f65b0b34f53162cc5ffe1409cfc36197862c2df1b74591fd0", + "sha256": "a1843f580774fd27510d03b658a031fe4440da62ef0c574ddbe795d7f77b20e2", "type": "eql", - "version": 110 + "version": 111 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", - "sha256": "1cfa7770bfca864df1b18fd84d7c054c4f56be21ec171828d78e7b892f66e45d", + "sha256": "af1ce4b49ae91b35fdecc84a3dca8953012aaa85054fbb091e70bdac62d0b872", "type": "eql", - "version": 416 + "version": 417 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "rule_name": "Spike in Bytes Sent to an External Device", - "sha256": "7561c0ed3d1c144a972a8eaa915a539f587e6ef68023c251fa8487c2ffd986ac", + "sha256": "2849aafc536aac7e9741f20e297b001e5b980e2a6a4c77bb1ca6c76b0719472c", "type": "machine_learning", - "version": 7 + "version": 8 }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { "rule_name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)", 
@@ -2574,21 +2581,21 @@ }, "35c029c3-090e-4a25-b613-0b8099970fc1": { "rule_name": "File System Debugger Launched Inside a Container", - "sha256": "3127e57c1a692231a31a20d783e45dd5372621d16e598bf3c8917ebcee63c693", + "sha256": "898841494b2ae4193ff42978ce0f1807a55816bb416aadf5c4e073b0fc9b51bc", "type": "eql", - "version": 2 + "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "rule_name": "Unusual Parent-Child Relationship", - "sha256": "dbd205d0455f5c80c9c6ef5c0bc88b7a2028098a9aefde11c54d3b8b9f3fbcca", + "sha256": "5642c564df53376c36863f9efb7431f2b9e0cb49e2795659df5a46f7e792cf70", "type": "eql", - "version": 319 + "version": 320 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "2076f8bac484f53cb646463676897a5173dc94e42712835dcbc45c9f571f6a56", + "sha256": "7f796d399910edf9f262f06a682761ddce112875ea599e8027c80503e3a0f50d", "type": "machine_learning", - "version": 108 + "version": 109 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", @@ -2598,9 +2605,9 @@ }, "36188365-f88f-4f70-8c1d-0b9554186b9c": { "rule_name": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs", - "sha256": "e1655d0157c9924353f67254db15e5e91b0f8fded8ecd95c781ab50945f70db6", + "sha256": "42e9d019a6b70159583b39776ba8b2be54dd88eb96698f05f1e01bcb67740de5", "type": "esql", - "version": 6 + "version": 7 }, "36755b43-a1f9-4f2c-9b61-6b240dd0e164": { "rule_name": "Executable File Download via Wget", @@ -2610,9 +2617,9 @@ }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", - "sha256": "6165a31cec72ee460cd8e53b67fe0da967b0f32bbe123f7ad1243b90483dcb9d", + "sha256": "976ac418b90849b5394d30625f9e55b98b84485146dec6f035af51f5458f7378", "type": "eql", - "version": 114 + "version": 115 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", 
@@ -2622,9 +2629,9 @@ }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "rule_name": "High Mean of Process Arguments in an RDP Session", - "sha256": "0dd412be9597895aea816ce7c5b554a930386c831c7359dbc53124227be95134", + "sha256": "43a13415ff8ef4d8e01e998e3ea19435f75aeaefaf99754435b96099dd0c2468", "type": "machine_learning", - "version": 8 + "version": 9 }, "37148ae6-c6ec-4fe4-88b1-02f40aed93a9": { "rule_name": "Command Obfuscation via Unicode Modifier Letters", @@ -2634,15 +2641,15 @@ }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "rule_name": "Potential Suspicious File Edit", - "sha256": "d63517c8906dad8af61b5965cf2b74af9be8714918eee953fe5fff9f31607e92", + "sha256": "bc478d05a000303ff85de650bc9b7604b2b57a7444f80337b05fca226b44d9a1", "type": "eql", - "version": 109 + "version": 110 }, "375132c6-25d5-11f0-8745-f661ea17fbcd": { "rule_name": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)", - "sha256": "c4a01e355bab3704b716b1f4c8ea76c08cce8953cde36d3c884f22a0a30752b8", + "sha256": "62c30263c62b0ea62ae0a31f58d43a5176807566e40627011d727f6d2f203284", "type": "esql", - "version": 6 + "version": 7 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "Deprecated - AWS RDS Security Group Creation", 
@@ -2670,15 +2677,15 @@ }, "37cb6756-8892-4af3-a6bd-ddc56db0069d": { "rule_name": "Disabling Lsa Protection via Registry Modification", - "sha256": "93f61a20155835d2e47aec16e3e4fa2a50686f2a8cb46cbe10473a471e1b4906", + "sha256": "5493474e928e83c1d82c3517327fd02f7f6ae87d55ed41189eb688418d77aa11", "type": "eql", - "version": 4 + "version": 5 }, "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": { "rule_name": "Spike in User Account Management Events", - "sha256": "bd6a9507ccb771be5c4d84d5289168f672b66e36e548c57fb2b4c8c99b6fc847", + "sha256": "903df4e7a7b2f1df89ca4373c8cb64f4d3823204bf9d85dbdde3b79ab34a955f", "type": "machine_learning", - "version": 3 + "version": 4 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", @@ -2694,15 +2701,15 @@ }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", - "sha256": "fe0ac836d1b43d51e68aa54e4ef57826d67680dcf11888e6e66fc7b46063fe1d", + "sha256": "5e7901e98b0caf7d6571576af6676f95d6a1f8af52f4b9f99a6b7ffe6c6ea881", "type": "eql", - "version": 218 + "version": 219 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with Osascript", - "sha256": "b5759121d56608be8b41755b2685e9332b61fa9b5220e13d1ad7ede9144752a3", + "sha256": "82a7a287cd5ac7dcb591e035ffdecd15f555737bed999611a2fc015ac0aeeb4e", "type": "eql", - "version": 214 + "version": 215 }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Impossible Travel Location", 
@@ -2712,21 +2719,21 @@
 },
 "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
 "rule_name": "Entra ID User Added as Service Principal Owner",
- "sha256": "400d8ceb1496cc07897f0c6f55ef9a74fa419908b1fae46ca7df95a9683d90cd",
+ "sha256": "fcdc0a5fefd0ad8a4bb425cddd97ab658b83831b297a69bb256a86fdbdf0dfc2",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
 "rule_name": "External User Added to Google Workspace Group",
- "sha256": "0489e57457017d44cad2f7c958d916daa747b2818dde332ed7113b56f323f582",
+ "sha256": "4db9cfbab66f9abf45a00992d56768ed8511b1cd7d7522656cba31f91ce6361b",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
 "rule_name": "AWS EC2 Network Access Control List Creation",
- "sha256": "bb7db3c3467098559484d1c9aeacc4c48a8e103859dfd04ea38ef1ba7bef6b3d",
+ "sha256": "79e5ede747cc09296988f2f63d6718d9c745a16c784a1e7e596f241a4d91a200",
 "type": "query",
- "version": 211
+ "version": 212
 },
 "39157d52-4035-44a8-9d1a-6f8c5f580a07": {
 "rule_name": "Downloaded Shortcut Files",
@@ -2742,21 +2749,21 @@
 },
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "rule_name": "Persistence via Microsoft Outlook VBA",
- "sha256": "faeda0ecc334d9a83831ab6154315aeb7c2686fd6f4cd6f8244eefe72f46dd30",
+ "sha256": "e33103029ba780783b5d130ae36615d18f9bbc8f6edd624fc3b76f46ddb47475",
 "type": "eql",
- "version": 311
+ "version": 312
 },
 "39c06367-b700-4380-848a-cab06e7afede": {
 "rule_name": "Systemd Generator Created",
- "sha256": "35a5819442db79680deb67568da0eda6a93fda85b19ff93a21b2e6a45bbc73fc",
+ "sha256": "ba955d67667f012e2b16b7f60f9d67344026b1c6964d11f2dd1da09cd04fa97e",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "3a01e5c6-ce01-46d7-ac9f-52dc349695fb": {
 "rule_name": "Kubernetes Anonymous User Create/Update/Patch Pods Request",
- "sha256": "befed322a39aa806451d32ff48e001b234b58ed1b1ce44bacc40e509e8f51a21",
+ "sha256": "49b545a296b8c5e373e3800b7b6f270524c9cbb4d7f328cd91e22d93c306c7e0",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "rule_name": "Potential DNS Tunneling via NsLookup",
@@ -2766,9 +2773,9 @@
 },
 "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
 "rule_name": "Suspicious Module Loaded by LSASS",
- "sha256": "e71a8895b84bf69f2ef7b6d3e9eafc406daeda7066b2dd7b15f74627bead842c",
+ "sha256": "6afa970ae8a58f793a98cb40a96c4500722761afb610be21815ab223a4df1c8e",
 "type": "eql",
- "version": 12
+ "version": 13
 },
 "3a657da0-1df2-11ef-a327-f661ea17fbcc": {
 "rule_name": "Rapid7 Threat Command CVEs Correlation",
@@ -2784,9 +2791,9 @@
 },
 "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": {
 "rule_name": "WDAC Policy File by an Unusual Process",
- "sha256": "2f64969093014bc671fc8724aeb9018b2690f30500934734c6a4a0b25bc995f3",
+ "sha256": "fa6ce5eb9544d8e17eadb7d9a4abbde626516adf4fbea09585e4895b4466cb3e",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c": {
 "rule_name": "External IP Address Discovery via Curl",
@@ -2796,15 +2803,15 @@
 },
 "3ad49c61-7adc-42c1-b788-732eda2f5abf": {
 "rule_name": "VNC (Virtual Network Computing) to the Internet",
- "sha256": "b2370cf022a97844dc68bdabfcf7602ace007aad1da28145f9832a3f8104bcc9",
+ "sha256": "f647269c70ad9d84b89947c8a54702159cd718e82f39151bb6dee32ecdd6a114",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
 "rule_name": "Azure VNet Full Network Packet Capture Enabled",
- "sha256": "b9dcfb3ae17a8961aa5f86049d0b5eeac6f55adae6be1a5f3319a650a193fbca",
+ "sha256": "989b4fa1803654f264d249a19bf54348f0871954b786c97ad21dbfede9c7d3eb",
 "type": "query",
- "version": 108
+ "version": 109
 },
 "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
 "rule_name": "First Occurrence of IP Address For GitHub User",
@@ -2814,9 +2821,9 @@
 },
 "3aff6ab1-18bd-427e-9d4c-c5732110c261": {
 "rule_name": "Suspicious Kernel Feature Activity",
- "sha256": "6f7601969f40ce64db3593969b2b45b39d87e16a2367fcd69bf04a55cb2514a9",
+ "sha256": "e15b8360b5fa96f7f261912197ae09404a3268f8229561e6bcc3f39b7d56448b",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "3b382770-efbb-44f4-beed-f5e0a051b895": {
 "rule_name": "Malware - Prevented - Elastic Endgame",
@@ -2838,9 +2845,9 @@
 },
 "3c216ace-2633-4911-9aac-b61d4dc320e8": {
 "rule_name": "SSH Authorized Keys File Deletion",
- "sha256": "58c96f189661675599648c6b056b6f6af4c7b7456acb19e526f4605819800e45",
+ "sha256": "8ccc9ffefdcb3516217cb8bcec790571ad1559f608b2eb380758df09de98a993",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "3c3f65b8-e8b4-11ef-9511-f661ea17fbce": {
 "rule_name": "AWS SNS Topic Created by Rare User",
@@ -2866,39 +2873,39 @@
 }
 },
 "rule_name": "Potential Impersonation Attempt via Kubectl",
- "sha256": "bdaa5069decd53d75ef631a5ca01e4278a643b1b8d2943d67de98646b9816fc7",
+ "sha256": "6f05c685fff2f027e142e25e5d1e4228ecf4ff2b4714298055101681504880f5",
 "type": "eql",
- "version": 103
+ "version": 104
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "rule_name": "Unusual Linux Network Port Activity",
- "sha256": "90959aa7c932be6c768d07a768fca0c68d5723a9ef7996a75caa8f0bf3d55716",
+ "sha256": "49f89efa536ef4c93f890a07191660e00b3ad881b52b10096aa23ba941d850e7",
 "type": "machine_learning",
- "version": 108
+ "version": 109
 },
 "3c82bf84-5941-495b-ac41-0302f28e1a90": {
 "rule_name": "Kubernetes Sensitive RBAC Change Followed by Workload Modification",
- "sha256": "18fe84303cd10390a63bedefefe74d000e354fbf6b6e498762afdfe1def7c97d",
+ "sha256": "44d6760aa9fba7780a036ff4bc2b1e968789d69f3eea615b8b50f3cdf1680ec9",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "3c9f7901-01d8-465d-8dc0-5d46671035fa": {
 "rule_name": "Kernel Seeking Activity",
- "sha256": "7e139f90c3e517c0e4d321c2e1f8c85980072158ef2c577fc65ca7091b81ab0f",
+ "sha256": "b6ed31a8880a5bf50d74e9dcc03e8b2cb2a5102bcb585e66bfe54222fb8eb4d7",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "3ca81a95-d5af-4b77-b0ad-b02bc746f640": {
 "rule_name": "Unusual Pkexec Execution",
- "sha256": "3e999931a2319e491b908b53254937c3e4896d529f025cc8ee67faa129ecdeee",
+ "sha256": "fe48ab4d99dcee0d5c5d78d13fd52a051728cc3f40f8e2da36a99717430d3944",
 "type": "new_terms",
- "version": 106
+ "version": 107
 },
 "3d00feab-e203-4acc-a463-c3e15b7e9a73": {
 "rule_name": "ScreenConnect Server Spawning Suspicious Processes",
- "sha256": "8f2ca239d2218e6e52e1d647acc0e7c03554c548b312f30435e3bd5f3d1c6e84",
+ "sha256": "53dc2347d00f5a346e2fce380a8a393faa45f1e56c19f24bae86e03b25b61924",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "3d3aa8f9-12af-441f-9344-9f31053e316d": {
 "rule_name": "PowerShell Script with Log Clear Capabilities",
@@ -2908,9 +2915,9 @@
 },
 "3db029b3-fbb7-4697-ad07-33cbfd5bd080": {
 "rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins",
- "sha256": "d3dc62e69239981e53542dd69d147adb8924ff76106d1ccb90d05c4862c3f03e",
+ "sha256": "df6f9c223d11d18a3757109d8dc8de28c3e8f6695c5600d3715aa1058e054286",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "3dc4e312-346b-4a10-b05f-450e1eeab91c": {
 "min_stack_version": "9.3",
@@ -2921,63 +2928,63 @@
 },
 "3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
 "rule_name": "AWS SNS Rare Protocol Subscription by User",
- "sha256": "09b1c205b24ec1820aa83763ee862d5e56b7d41bba93c7a655d266acb214106a",
+ "sha256": "9b0d126300cb2f308ca0adf5b6329e86fa15c840dc23d16ddf3c528b22e2fed8",
 "type": "new_terms",
- "version": 8
+ "version": 9
 },
 "3e002465-876f-4f04-b016-84ef48ce7e5d": {
 "rule_name": "AWS CloudTrail Log Updated",
- "sha256": "426691651da55a13486adb2edaeb92be4fc3e76aa6173bcc31152e8ef79bffcb",
+ "sha256": "81cdf349478dbdf0bfdfbcd929b1aa2273a6a90be984ae7bd6444852d2623544",
 "type": "query",
- "version": 213
+ "version": 214
 },
 "3e0561b5-3fac-4461-84cc-19163b9aaa61": {
 "rule_name": "Spike in Number of Connections Made from a Source IP",
- "sha256": "7a39f70bd50840452642735a3e67da404e3d64e454887950151ab398e3c8fb76",
+ "sha256": "e4d464262beeebfad9dbb0a00d42af6ae0790919218e2677dd0e4f96f907e872",
 "type": "machine_learning",
- "version": 8
+ "version": 9
 },
 "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
 "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
- "sha256": "ad39e0da9f1528903f7b948f8722a764d84af29138f38e7e451b2b69d31dda52",
+ "sha256": "0b21400f37baa5d80cb1f2d3cbac510af8822dfc3d5e1e2c236b07258bcc5b94",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "3e12a439-d002-4944-bc42-171c0dcb9b96": {
 "rule_name": "Kernel Driver Load",
- "sha256": "1cfc003150210222cb170a89f51cbb0bee81d70c92b6c8e2693294d342150c76",
+ "sha256": "0a649a755936c4b5da4883d2cb39416fee6ed20ff38954671bfa71ebcf3d8581",
 "type": "eql",
- "version": 7
+ "version": 8
 },
 "3e3d15c6-1509-479a-b125-21718372157e": {
 "rule_name": "Suspicious Emond Child Process",
- "sha256": "4fa0ac66cb92ef74e5a36e307cba5dfe26c171ba3a6bd0eb01fc3749398e7eb4",
+ "sha256": "c586b75e397cda63031abb53a78c714e80a8a1dfb2d133d0e35827dcba2a6902",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "3e441bdb-596c-44fd-8628-2cfdf4516ada": {
 "rule_name": "Potential Remote File Execution via MSIEXEC",
- "sha256": "cb3453ce4f1b900e13227ac8b2a43f98f7f8ec2fadf350c28db58c5506bf5858",
+ "sha256": "41781f89453ed5af276e36687b1faf932f4e9e3cb8cfa75c6bcff4de95d68519",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "3e528511-7316-4a6e-83da-61b5f1c07fd4": {
 "rule_name": "Remote File Creation in World Writeable Directory",
- "sha256": "0cb04efb6341ee2e9701dfb0c64bc7685bbe040b6e31d895935fe01ef04be3ab",
+ "sha256": "fc8e3c202ef830d2941a6ad711b2144582b8312d846d1a75ced12e2f63f22a80",
 "type": "new_terms",
- "version": 6
+ "version": 7
 },
 "3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
 "rule_name": "Privilege Escalation via Named Pipe Impersonation",
- "sha256": "fa87191c3cf871683d788f6c4d5cc2edb041153f3a910a86bb2f52dd63f9bf30",
+ "sha256": "92988c935ed3e7bcbebd473a3842c0ddee67886760c6842d7ba74c265ef9beb0",
 "type": "eql",
- "version": 316
+ "version": 317
 },
 "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
 "rule_name": "Suspicious Process Creation CallTrace",
- "sha256": "c0abb71eca9e028ab82101da58ff61404406b4478f3dc27ff4585f8a484b1bc9",
+ "sha256": "9ec21aef0cac269b3807b436ccb086477f229090150d007cc77ce1b657695569",
 "type": "eql",
- "version": 310
+ "version": 311
 },
 "3ee526ce-1f26-45dd-9358-c23100d1121f": {
 "rule_name": "Linux Audio Recording Activity Detected",
@@ -2999,21 +3006,21 @@
 },
 "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
 "rule_name": "Potential Protocol Tunneling via Chisel Client",
- "sha256": "0e79bd66f39ffccf0dd308f5d8eb9210be82176aaaf589daeeb7bb7d3d946777",
+ "sha256": "94be773db4ae46451aaa962d086a75466bbd8d1a8f6afdd666d19cf0b51bdcde",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
 "rule_name": "Binary Executed from Shared Memory Directory",
- "sha256": "21b51af36a810d45a807a867f60a4f93c19598bed97497ed7ba1dfd3231d2407",
+ "sha256": "d0213728bd6f84baef92aa0cfd3502dddef5d9b975a87ca21fabbded914ca935",
 "type": "eql",
- "version": 115
+ "version": 116
 },
 "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e": {
 "rule_name": "Potential Data Exfiltration via Rclone",
- "sha256": "2e3ecddf559e0628c0c0383712aba5abcadf55bcb864c269701b5f12f98a8f06",
+ "sha256": "c9fbf72f3ad2335fdad1a3bf32efb3f1fa6ce126b64ce499c9bc1e9d48c4ef8a",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "3f4d7734-2151-4481-b394-09d7c6c91f75": {
 "rule_name": "Process Discovery via Built-In Applications",
@@ -3023,9 +3030,9 @@
 },
 "3f4e2dba-828a-452a-af35-fe29c5e78969": {
 "rule_name": "Unusual Time or Day for an RDP Session",
- "sha256": "2a301f3d0e21bf2994bfb6f0dc94ceb8bd4a934687f3a98227e7c367528996dd",
+ "sha256": "570ebb0e5a2ce71626cfe8f38f75326e77521db306168f490e68636c672152e5",
 "type": "machine_learning",
- "version": 8
+ "version": 9
 },
 "3f7bd5ac-9711-44b4-82c1-fa246d829f15": {
 "rule_name": "Command Execution via ForFiles",
@@ -3041,15 +3048,15 @@
 },
 "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
 "rule_name": "DNF Package Manager Plugin File Creation",
- "sha256": "9b63eb868c7d021d7edc961d57776d534b830e6abb84ac86fe4468029f6f94f5",
+ "sha256": "719051601ba7f4bc360e488b3f96c381ddee61bc0d99d586137c39964715592e",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
 "rule_name": "Unusual Process Spawned by a User",
- "sha256": "861bb0285ecfc831be0ed890516dad1897e980cd14f45cfb90f50367e05fdcc9",
+ "sha256": "4c17db59f36b3743d92068c1a5b88c0bbc0e7109294544f30d95ee11f6d5d083",
 "type": "machine_learning",
- "version": 110
+ "version": 111
 },
 "4021e78d-5293-48d3-adee-a70fa4c18fab": {
 "rule_name": "Potential Azure OpenAI Model Theft",
@@ -3065,33 +3072,33 @@
 },
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "rule_name": "Unusual Persistence via Services Registry",
- "sha256": "53ec3c9de6cdade61cc0a64a9f0a1f4b8eb7587226bd349f521eee3cec24e2cc",
+ "sha256": "56347f9901f8422488710010a3f3dab8b1ca0da5424eed39b8c6252d5dc7e5e8",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": {
 "rule_name": "New GitHub Self Hosted Action Runner",
- "sha256": "f76ddacb189a3accd814ea3630278fdabf423414b7ebc8aec38cba2b9b725cd7",
+ "sha256": "616dc23ae1465e1cb66812c91f762c8904b1ae889068e334cb9e1d99dcfff698",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
 "rule_name": "Suspicious Modprobe File Event",
- "sha256": "1c99be63c7b57bc74bf7952e4a71821d7f267473c111fb0300ba5661db3aea67",
+ "sha256": "07ed14815a1ee29d7a2ff5875f8b1a3077e662274428187236ecfb4fc4c0cb80",
 "type": "new_terms",
- "version": 111
+ "version": 112
 },
 "40e60816-5122-11f0-9caa-f661ea17fbcd": {
 "rule_name": "Entra ID OAuth PRT Issuance to Non-Managed Device Detected",
- "sha256": "bc1ac7ee1b4aeae8bb0d1dce3d10bd2dc1112121731c9dda25ab248e337152ce",
+ "sha256": "e5ed588398002392894bd097593aa777e7030ebcf8e8edcea1aa31a2f7e2d53b",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "40fe11c2-376e-11f0-9a82-f661ea17fbcd": {
 "rule_name": "M365 Exchange Inbox Phishing Evasion Rule Created",
- "sha256": "3182151b918f1eb8735a78061444af2e61b835bb51025b310d342915bd4049c6",
+ "sha256": "c6d6c68e59fc466982e011faf97a3276eb020ba84b1b90698c110647756a13c6",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
 "rule_name": "Unix Socket Connection",
@@ -3101,9 +3108,9 @@
 },
 "41554afd-d839-4cc2-b185-170ac01cbefc": {
 "rule_name": "AWS Sensitive IAM Operations Performed via CloudShell",
- "sha256": "1d21f6f6232a83d4b72d32a65c605f092c9eaaa78603c82e4d9d7adbd2cc39a2",
+ "sha256": "80381865d90fd48ee541ed47002ee5deddf2d58b4b1566e972b3a9d0ffa684a5",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "rule_name": "Control Panel Process with Unusual Arguments",
@@ -3131,9 +3138,9 @@
 },
 "41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
 "rule_name": "Potential Hidden Local User Account Creation",
- "sha256": "516ad5a0c30748314f1cd52da501ad91627b02886e06d85affdabc86ebb8a38f",
+ "sha256": "5117bb1a4b1e01d38cf252aea6b1d85875d355d76d43d8355a82c5e6c8b94ec8",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
 "min_stack_version": "9.3",
@@ -3169,9 +3176,9 @@
 },
 "428e9109-dc13-4ae9-84cb-100464d4c6fa": {
 "rule_name": "Unusual Login via System User",
- "sha256": "6827d23b4b308b9c67cf7b406b2045535b0fdc580189116432682385555b8a3a",
+ "sha256": "5b2247172cc6a9ec4fb03f5f3bb198e0ebbe37e546e0742e0a78510f59e8ba6e",
 "type": "new_terms",
- "version": 6
+ "version": 7
 },
 "42bf698b-4738-445b-8231-c834ddefd8a0": {
 "rule_name": "Potential Okta Password Spray (Single Source)",
@@ -3181,16 +3188,16 @@
 },
 "42c97e6e-60c3-11f0-832a-f661ea17fbcd": {
 "rule_name": "Entra ID External Authentication Methods (EAM) Modified",
- "sha256": "eecb7179169c511c89f3de6f2709e952ed6d3e0e4f779d1a69058462ee5eaae5",
+ "sha256": "af0bdd3550a9fa44eb5f5671251f2f55aef0bba46e7bdbaab8b99321c3d913ed",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "42de0740-8ed8-4b8b-995c-635b56a8bbf4": {
 "min_stack_version": "9.3",
 "rule_name": "Kubelet Certificate File Access Detected via Defend for Containers",
- "sha256": "ac7f3df4cbc5e5487d605fc840c2e142f6d4479b7bcec3e8da8cfbad8db0b388",
+ "sha256": "5607487040f92b7d283e36023a5fe5282bf400d31b48f4dbf1eb2ebc42106dca",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "rule_name": "Process Creation via Secondary Logon",
@@ -3212,9 +3219,9 @@
 },
 "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
 "rule_name": "Linux User Added to Privileged Group",
- "sha256": "e0d65c12d238b383dffaf13d4fb55100ee4b35aff545616783b87a81049c7bd8",
+ "sha256": "4087c9d1fa0fbd63a5994e714de0043354219e1486a90d369e6f9568db609f9b",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "rule_name": "Startup Persistence by a Suspicious Process",
@@ -3222,6 +3229,13 @@
 "type": "eql",
 "version": 314
 },
+ "444c8fad-874f-4f59-b0ea-cf26cea478bd": {
+ "min_stack_version": "9.2",
+ "rule_name": "AWS Account Discovery By Rare User",
+ "sha256": "096dc412a8e4d87ca6363764e943466da49ee23c7a29c3a29a43bd7d0779ab4a",
+ "type": "new_terms",
+ "version": 1
+ },
 "445a342e-03fb-42d0-8656-0367eb2dead5": {
 "rule_name": "Unusual Windows Path Activity",
 "sha256": "3620bec2f351c8445f9975f73413065df3dfadbb936c41d6823c708a960d9ba9",
@@ -3236,9 +3250,9 @@
 },
 "44cb1d8a-1922-4fc0-a00f-36c1caf57393": {
 "rule_name": "Potential snap-confine Privilege Escalation via CVE-2026-3888",
- "sha256": "0ecac433216f510856ef55e68d0524fd3a0347b0708ed684ffb499bed9bf2a13",
+ "sha256": "2914fe3d40dd1b622e50c819001ef6f6841a9ab90204059631fee0d078b93a01",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
 "rule_name": "Multiple Vault Web Credentials Read",
@@ -3254,9 +3268,9 @@
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "rule_name": "Permission Theft - Prevented - Elastic Endgame",
- "sha256": "a9591128215a5ec0b9ebce85a74cbb8d346e601ad9c1a77447b066f0d77cee20",
+ "sha256": "821304ada86cb1f6baa0400b3df6da59d8cddb153c4eaf0cdbd47ac7b8559261",
 "type": "query",
- "version": 105
+ "version": 106
 },
 "4577ef08-61d1-4458-909f-25a4b10c87fe": {
 "rule_name": "AWS RDS DB Snapshot Shared with Another Account",
@@ -3273,9 +3287,9 @@
 "45d099b4-a12e-4913-951c-0129f73efb41": {
 "min_stack_version": "9.2",
 "rule_name": "Web Server Potential Remote File Inclusion Activity",
- "sha256": "836bf7b7a903a992358ac80bed2c8ff3f07f397efb36ab12d93757da9280dd72",
+ "sha256": "2e4b3a60f8ae843e4342d145b5e73bf17bbb18b5ef00336ceb23815729bccaf5",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "rule_name": "Encrypting Files with WinRar or 7z",
@@ -3291,15 +3305,15 @@
 },
 "4682fd2c-cfae-47ed-a543-9bed37657aa6": {
 "rule_name": "Potential Local NTLM Relay via HTTP",
- "sha256": "e4d8e7444b42bd9bae0893dacdaa1532c6cc36480a2100ee2ae9a27922f2b0b3",
+ "sha256": "d18a04d7579e8a64d6aa0608271b8d0d292c6cad9aa2ae50d327c58f8b25456e",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "46b01bb5-cff2-4a00-9f87-c041d9eab554": {
 "rule_name": "Browser Process Spawned from an Unusual Parent",
- "sha256": "7a34269b905c935b622166cefde9ec843b43f40a4c1f33fea3cf3b297c84d4bc",
+ "sha256": "e9014c52e069127714e9d007be1265c6a748574c47b1fd862fe6de12473bbfa9",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "46f804f5-b289-43d6-a881-9387cf594f75": {
 "rule_name": "Unusual Process For a Linux Host",
@@ -3315,21 +3329,21 @@
 },
 "47403d72-3ee2-4752-a676-19dc8ff2b9d6": {
 "rule_name": "AWS IAM OIDC Provider Created by Rare User",
- "sha256": "1cb9c0fd0274dca1ebc356d8b502ed8e73079bada5103d878b1c4611bbf060c1",
+ "sha256": "686ed0f6080d3374bf61df861ee046147736a91b683b9da640369ea7e836f693",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
 "rule_name": "System V Init Script Created",
- "sha256": "a5511918810879fab5872afa2bad76386c05810eb83a332eafdbbc354f50a688",
+ "sha256": "a68393a005eedad66f216d14894d34d69d69ddf143cc9fa39a2f535685870c6b",
 "type": "eql",
- "version": 118
+ "version": 119
 },
 "47595dea-452b-4d37-b82d-6dd691325139": {
 "rule_name": "Credential Access via TruffleHog Execution",
- "sha256": "0ebaa20afe2747b15511424d174dff2a614551b155f5398c86ae2a524375e129",
+ "sha256": "a9bf06e4bc331b4157e3514a840e539a67615ad8c222659191ef8a6d8c06a775",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "min_stack_version": "9.3",
@@ -3343,28 +3357,28 @@
 }
 },
 "rule_name": "Sensitive File Compression Detected via Defend for Containers",
- "sha256": "4cfac6296ff70d20ff834bd019d6afd9198871c12036cd15a02473a29fb199b9",
+ "sha256": "731ba52a513156d8a87d316d77433a64170711f97dc7f177f3f719aea71b3314",
 "type": "eql",
- "version": 104
+ "version": 105
 },
 "476267ff-e44f-476e-99c1-04c78cb3769d": {
 "rule_name": "Cupsd or Foomatic-rip Shell Execution",
- "sha256": "d4cf683f05e6166f5ded6247948a4c8098ccebb8419921179ed3b00c4b7575f1",
+ "sha256": "653a7ef1791236e63f96af404c6b02046875b405b8037d13ccb1a3e7998ba6fd",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "47661529-15ed-4848-93da-9fbded7a3a0e": {
 "min_stack_version": "9.3",
 "rule_name": "Chroot Execution Detected via Defend for Containers",
- "sha256": "8eef44e54c58bacf8930637ce3c1ccc456d47e98096fb6b90d0117c387cfb747",
+ "sha256": "59db7a4c53b4f3ddb4207c6491c7bd8d81c264d0c04da5d8788ab834607b79d7",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
- "sha256": "a3c41fcfa1ca8b2ef3742212cb83d03ed47e7de62ec719449aea2350bc944579",
+ "sha256": "90b9fc3123d3194581564b32a92e5e7fb3829e1070cf2b0f19d17d3c32ba8034",
 "type": "eql",
- "version": 216
+ "version": 217
 },
 "47e46d85-3963-44a0-b856-bccff48f8676": {
 "rule_name": "DNS Request for IP Lookup Service via Unsigned Binary",
@@ -3380,22 +3394,22 @@
 },
 "47f76567-d58a-4fed-b32b-21f571e28910": {
 "rule_name": "Apple Script Execution followed by Network Connection",
- "sha256": "b4330f7c0ad66d1ea72157d55fa7ee76b34f1a8874ea8a9125aa105875f73fdb",
+ "sha256": "938566ecdd4b7685b7907233ea57cfe0cb348a40ac06c7eb2716b07aab912725",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5": {
 "rule_name": "Potential Database Dumping Activity",
- "sha256": "2e2294edc305537dd5c97fbbf11464f167eee021a72fd084ab5cdddee62b2244",
+ "sha256": "aad1b6a1095cc1013ae935d6e8045119e05fe3ef4f5834c1f9127be2395959e7",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "483832a8-ffdd-4e11-8e96-e0224f7bda9b": {
 "min_stack_version": "9.2",
 "rule_name": "New USB Storage Device Mounted",
- "sha256": "d9c4c1882638f87b1efbed9faeba2bd77e279205865e378e6c57377a911029ac",
+ "sha256": "68046728274c9ab9c11bc0b39e461e49b9a9b9848f71d7011fe77d57ba59496e",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
 "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
@@ -3411,9 +3425,9 @@
 },
 "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
 "rule_name": "Potential Reverse Shell",
- "sha256": "3a4131ff417a75bb309eef287209c5f0e59cc7de9c9c317835e818d041b05c4d",
+ "sha256": "e0d23e8a4ce93e59d053897dac95bd93ea4007fea82aa10026eb0f9cb6aa98c0",
 "type": "eql",
- "version": 14
+ "version": 15
 },
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "rule_name": "Multiple Logon Failure from the same Source Address",
@@ -3429,9 +3443,9 @@
 },
 "48e60a73-08e8-42aa-8f51-4ed92c64dbea": {
 "rule_name": "Suspicious Microsoft HTML Application Child Process",
- "sha256": "ca1b5ca19262980e5766116e70f08a65f1eed7775f88a4c285ba663ed4106a12",
+ "sha256": "2330313bf89d5002b03f6099ae7b30f49b7d93976a453057bf758266645dfd8c",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "48ec9452-e1fd-4513-a376-10a1a26d2c83": {
 "rule_name": "Potential Persistence via Periodic Tasks",
@@ -3441,33 +3455,33 @@
 },
 "48f657ee-de4f-477c-aa99-ed88ee7af97a": {
 "rule_name": "Remote XSL Script Execution via COM",
- "sha256": "e4bf09e686462fb9baf9d6d83508dc82620348bfe2ed3c7d1168344e63c8d406",
+ "sha256": "556e66c84eba3c0cf7ea59d8d28a859a82096c3baff3a123dd6eeddf5c151609",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "491651da-125b-11f1-af7d-f661ea17fbce": {
 "rule_name": "M365 SharePoint/OneDrive File Access via PowerShell",
- "sha256": "12b2f26e1de89428096370a95afe5282f53ef905809bc143ddbfe3283d5b799e",
+ "sha256": "1df7d0b092c017917b74e80d11a42239d82bd0f29749ea069a23d0bd0c0de371",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "493834ca-f861-414c-8602-150d5505b777": {
 "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
- "sha256": "ebb9007ad27001cdcce71f4a7afd8ac119b58dd0d5e483f569eb30251b762431",
+ "sha256": "2c097873f1a10be45423e1b2e15f63d090c3579776255ab93bc16742e4a8d5e1",
 "type": "esql",
- "version": 105
+ "version": 106
 },
 "494ebba4-ecb7-4be4-8c6f-654c686549ad": {
 "rule_name": "Potential Linux Backdoor User Account Creation",
- "sha256": "746fa196876978fc4504823fefe63f4a01aa792823509324a65d2f5dc281611a",
+ "sha256": "9365957412d43c05676cc64a16e5849fea6369fb83f1f3bc6433834987b4d0c1",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "495e5f2e-2480-11ed-bea8-f661ea17fbce": {
 "rule_name": "Application Removed from Blocklist in Google Workspace",
- "sha256": "ddbea71b52b73ad21036e2450178461c83e9d6076e9758efe70ec27b6f51afc4",
+ "sha256": "0f6f14ac9e02bf33ed9ec6898a2612bdaba3ac5eb0def45b43a1fa68b78f761c",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "4973e46b-a663-41b8-a875-ced16dda2bb0": {
 "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
@@ -3478,9 +3492,9 @@
 "497a7091-0ebd-44d7-88c4-367ab4d4d852": {
 "min_stack_version": "9.3",
 "rule_name": "Web Server Exploitation Detected via Defend for Containers",
- "sha256": "7472e79abc8837f88013d2d6772b889d8508248d6455205e9f51839bdd0512f8",
+ "sha256": "4f015b58f7cc44127fa2338b2af0178f6882ee823df52179f218821a49ec03e8",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "4982ac3e-d0ee-4818-b95d-d9522d689259": {
 "rule_name": "Process Discovery Using Built-in Tools",
@@ -3507,21 +3521,21 @@
 }
 },
 "rule_name": "Entra ID Federated Identity Credential Issuer Modified",
- "sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
+ "sha256": "75ce697b7ebba19a90b13ad5c2a00f716b1136889ac57cf0454fb38d2abf3033",
 "type": "esql",
- "version": 208
+ "version": 209
 },
 "4a4e23cf-78a2-449c-bac3-701924c269d3": {
 "rule_name": "Possible FIN7 DGA Command and Control Behavior",
- "sha256": "dd05e7d6c7892b37af6ce478458d3a6f3871020996bc0929e482c9e16fb134cd",
+ "sha256": "b80cf2ef785fc1f795233217740d1fc3a7699238ea8c1fd5077df451eb9eb5cd",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
 "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
- "sha256": "b92e224e525668611f60f5d1de7994d2062c86e282b1fa72a42abf3a60d2d74b",
+ "sha256": "ebb411cb6d8deec435be6983e89ff05cf986d078ea776de1c513732dad30a8a8",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
 "rule_name": "Potential Cross Site Scripting (XSS)",
@@ -3531,9 +3545,9 @@
 },
 "4ae94fc1-f08f-419f-b692-053d28219380": {
 "rule_name": "Connection to Common Large Language Model Endpoints",
- "sha256": "3757df1c47780a8ca59cef529bfea5554132941f7c7e759dda3693ddb8de1d05",
+ "sha256": "f1c88d3cd852e1d0a2d4aac9a07c89847100fbd5606cae21c47cebfc0a741265",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
 "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
@@ -3571,33 +3585,33 @@
 },
 "4b74d3b0-416e-4099-b432-677e1cd098cc": {
 "rule_name": "Container Management Utility Run Inside A Container",
- "sha256": "4f51a26ce742ddabf94b2be228930f7be04de3fd92771dc7c1caa6374a58215c",
+ "sha256": "4b1c24e5e2fb7b93b9cab43640dcb67a1a8d8023080af350342420b412d954a3",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "4b77d382-b78e-4aae-85a0-8841b80e4fc4": {
 "rule_name": "Kubernetes Forbidden Request from Unusual User Agent",
- "sha256": "96f9b15e64a5aae3a06bb23e8ef6300fa3c5410b9e4105647ebcc1f58ab564f9",
+ "sha256": "d1e04c245358b4f2310c94ba1c6a457cb19ea09b5c8ce402bc4eee4430bb60eb",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
 "rule_name": "ProxyChains Activity",
- "sha256": "a76e8e094705d102623bb7c79b5e3344c90196027095d45507853879747eb5ed",
+ "sha256": "68defaeb26fa351359ae0446628962b14803c4baeff4ee68daf60bf8947ef046",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "4b95ecea-7225-4690-9938-2a2c0bad9c99": {
 "rule_name": "Unusual Process Writing Data to an External Device",
- "sha256": "be73c5ed12e0253799f57a2dc46812a22b59acc194e0151b9a0b49121a071e60",
+ "sha256": "94ec426a8004fc2a8a6b335f60ddaa7ac6b2e50638d6e72f242b133e0121c3a1",
 "type": "machine_learning",
- "version": 7
+ "version": 8
 },
 "4bae6c34-57be-403a-a556-e48f9ecef0b7": {
 "rule_name": "M365 Quarantine and Hygiene Signal",
- "sha256": "3867e20407fa8e99b982da896d109a4bdf4a843a97dbd1931bce9c4ea41f6819",
+ "sha256": "f2d1e7436634073de94351647b98d9e406d09f11b6250cd96fef280126632366",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
 "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
@@ -3608,15 +3622,15 @@
 "4bd306f9-ee89-4083-91af-e61ed5c42b9a": {
 "min_stack_version": "9.3",
 "rule_name": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
- "sha256": "abb3c2c95247c1ae963a50fad9c2ab4cb792da935c24a7134f5cefed76cc18a0",
+ "sha256": "3c68f0231866ff8897de6eae4baef87e065983b91b398db762d9ea714d627a93",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "4c3c6c47-e38f-4944-be27-5c80be973bd7": {
 "rule_name": "Unusual SSHD Child Process",
- "sha256": "175b2c8f0b31ace9a05e0103f05f2ba382449003519ab9feeebc42dc01a0cbc5",
+ "sha256": "7836bbad444d51d5c8299aea810ea766e37ff1aaa90696ff4de74a6882d1fa3a",
 "type": "new_terms",
- "version": 6
+ "version": 7
 },
 "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
 "rule_name": "PowerShell Share Enumeration Script",
@@ -3638,27 +3652,27 @@
 },
 "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
 "rule_name": "Kernel Load or Unload via Kexec Detected",
- "sha256": "4264cb81ac0a3711b6c0aeb972da662aa892128c7719288fd235f65a3494b2b0",
+ "sha256": "ed5b0ee6f9acc299b7d681c6c248927820ed37d3afde535bbf22d1f88c8a5d38",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "4d4cda2b-9aad-4702-a0a2-75952bd6a77c": {
 "rule_name": "Docker Release File Creation",
- "sha256": "4d35efcecf6648618eb05b3ef497625b2a92ef5040a48ff5d402a774fbc5bca6",
+ "sha256": "fcf46bfd3250345e843693606f5fb82feefdc1be32b6a5f2b0f4a2ba0f09777d",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
 "rule_name": "AWS Management Console Brute Force of Root User Identity",
- "sha256": "12b357e6311ff4eea5365916c53f043cd00969e62b4dcf117b519303de5b9559",
+ "sha256": "938ad9b1aa03ea75d6296e89dbf5c3de1d26d67e5121154a2e4ea45080a5f5f5",
 "type": "threshold",
- "version": 212
+ "version": 213
 },
 "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
 "rule_name": "Attempt to Disable Gatekeeper",
- "sha256": "eec67c093d03b4278ef06c5c3fb57728ac4e7f26c2fd9148fa049687b0874c0d",
+ "sha256": "15628d00707d5cb8162b39822a54eaefbaba7cacec4fe61de572319ea4b25767",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
 "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
@@ -3674,9 +3688,9 @@
 },
 "4ec47004-b34a-42e6-8003-376a123ea447": {
 "rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
- "sha256": "5548a1d92b6c1155ffc6a202dd592aeedea51a61915faf6440b392753b182de9",
+ "sha256": "3141b56172d9325f7e292f8848a1c32a7d10bbe33ba9a2d6876e5a8895c80063",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
@@ -3686,15 +3700,15 @@
 },
 "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
 "rule_name": "Suspicious Script Object Execution",
- "sha256": "72dd52f88f0c957bd2e6d26f2d78ea3aecaf8ebbbc994fcc72baf28fce12fc4c",
+ "sha256": "d8c89ed2742bddca86741e2f6489bb305b4b6745abf23042db4bc95ad0c78bf0",
 "type": "eql",
- "version": 212
+ "version": 213
 },
 "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
 "rule_name": "Unauthorized Access to an Okta Application",
- "sha256": "1da534261dd74dbfe7a88a3120ea11d3178d0d7d15bc26c55663375b183b66ce",
+ "sha256": "6b269d0d37d97b0a03461eec0b6af4944f4b148500e3bfc4985531bc8eadd82a",
 "type": "query",
- "version": 413
+ "version": 414
 },
 "4f2654e4-125b-11f1-af7d-f661ea17fbce": {
 "rule_name": "M365 SharePoint Search for Sensitive Content",
@@ -3704,9 +3718,9 @@
 },
 "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
 "rule_name": "Kernel Unpacking Activity",
- "sha256": "e98cdfe47f6f762212f97a88c9e9242fe21f61b9c7ea51aeab5e6492b9609ccb",
+ "sha256": "991d514239a7588fb6359ef0829150e5fba13a68886bf02602eff1ce014b7a26",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "4f855297-c8e0-4097-9d97-d653f7e471c4": {
 "rule_name": "Unusual High Confidence Content Filter Blocks Detected",
@@ -3716,9 +3730,9 @@
 },
 "4fe9d835-40e1-452d-8230-17c147cafad8": {
 "rule_name": "Execution via TSClient Mountpoint",
- "sha256": "0f48a61ca555356c3d245243f9e62a82d9a3dc30915701f68c281590c1712afc",
+ "sha256": "206c3fa2a8c36d653d259895a536463f5d900064da14325591ad9af49f42b37c",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "50742e15-c5ef-49c8-9a2d-31221d45af58": {
 "rule_name": "Okta Successful Login After Credential Attack",
@@ -3728,9 +3742,9 @@
 },
 "50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
 "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
- "sha256": "765c282f30b0895e1d0260ea7fd4e8cc74f36d47fd286a736aad6211de527511",
+ "sha256": "395fd40c8e9df2409d5118bb5c76f930309bfdaee3f866588ee07fb9a8878f06",
 "type": "threshold",
- "version": 210
+ "version": 211
 },
 "50a2bdea-9876-11ef-89db-f661ea17fbcd": {
 "rule_name": "AWS SSM Command Document Created by Rare User",
@@ -3740,9 +3754,9 @@
 },
 "51176ed2-2d90-49f2-9f3d-17196428b169": {
 "rule_name": "Windows System Information Discovery",
- "sha256": "92df936b5c9f8126935576c6ee8792aa9b49ee7ab49dd26a96de5d5812293028",
+ "sha256": "3f5f4187427fe60250c06d4030358ca518b17592c87d264baef1d7091a731c6a",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "5124e65f-df97-4471-8dcb-8e3953b3ea97": {
 "rule_name": "Hidden Files and Directories via Hidden Flag",
@@ -3764,15 +3778,15 @@
 },
 "514121ce-c7b6-474a-8237-68ff71672379": {
 "rule_name": "M365 Exchange DKIM Signing Configuration Disabled",
- "sha256": "f24841812cdc6d72fb13f86792013f16481609bca3cf8354e6bec8635402bd34",
+ "sha256": "53bd9c3536270159cb19465da98cb6b3a08b95f2e506f03252e7064c28226e59",
 "type": "query",
- "version": 211
+ "version": 212
 },
 "51859fa0-d86b-4214-bf48-ebb30ed91305": {
 "rule_name": "GCP Logging Sink Deletion",
- "sha256": "2d8881e424afe188907789186fdf2aade7107730fdb292c3ba0aa7f9193281ac",
+ "sha256": "b60fbda9423c2d69feacf0c2cb45af4f4625cfcfba99cb7e40329b540c2ffd29",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "5188c68e-d3de-4e96-994d-9e242269446f": {
 "rule_name": "Service DACL Modification via sc.exe",
@@ -3782,15 +3796,15 @@
 },
 "51a09737-80f7-4551-a3be-dac8ef5d181a": {
 "rule_name": "Tainted Out-Of-Tree Kernel Module Load",
- "sha256": "101ac22e38fb1ef498354c278d2e76287baa392a0c1074025757e79c688f0f69",
+ "sha256": "420d5dd09194f845e48192e1792c8e90afa8c05728ada7c91374413c990944b4",
 "type": "query",
- "version": 6
+ "version": 7
 },
 "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
 "rule_name": "Incoming DCOM Lateral Movement with MMC",
- "sha256": "f00b370497ce5969ecadca0e206dee295d1ff4035feecadd855b451da24e4b8f",
+ "sha256": "870d58a3e6ea8fe0f4085336bc6cbc3d947914097ba94babb4b5f15b0cda2444",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
 "rule_name": "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected",
@@ -3806,22 +3820,22 @@
 },
 "52376a86-ee86-4967-97ae-1a05f55816f0": {
 "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
- "sha256": "30cf63ffb34e834c8b222bb11f4868475bdb20321c2ffe90ebb8451f39d7d1ce",
+ "sha256": "db0a78fa15e70e7486162d61b6f30566133d52e6433e0e9d7dc42ffbf6eeae48",
 "type": "eql",
- "version": 118
+ "version": 119
 },
 "527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": {
 "min_stack_version": "9.3",
 "rule_name": "Tool Installation Detected via Defend for Containers",
- "sha256": "6a19c11e4ec0d2dbf6539a7ae96322c3cfd2ae84d1d3ddc45b59bfdf5141dd10",
+ "sha256": "06b375e493f4b41424c0ca40c75d93d51a0530eaa4a352ee6d7853d70b04a0d3",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "5297b7f1-bccd-4611-93fa-ea342a01ff84": {
 "rule_name": "Execution via Microsoft DotNet ClickOnce Host",
- "sha256": "a646f739b6321105caf7f40d15ddb77bc29668a1f12c883ed026d7680fe6061a",
+ "sha256": "29634fdc3cfdb91140f35c87f79547edac1b9e106807a8cc21d7ee6b51912e87",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "52aaab7b-b51c-441a-89ce-4387b3aea886": {
 "rule_name": "Unusual Network Connection via RunDLL32",
@@ -3849,15 +3863,15 @@
 },
 "530178da-92ea-43ce-94c2-8877a826783d": {
 "rule_name": "Suspicious CronTab Creation or Modification",
- "sha256": "1dade4110ac7b55a500a7fe97a1a86de13e5858a566842318543c910dafe18e8",
+ "sha256": "06aa18b798246b990e22baa71af8b598ed63603682333c4694537075d56ce774",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
 "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
- "sha256": "937b80edc9af486f626f90a862b96a362dc3fa4fd55e45096b3780dc6d57a408",
+ "sha256": "9cf2ba4a67c472e0406c42262df0bb6ccddb11451ddcf29de0d5985842a08f96",
 "type": "new_terms",
- "version": 14
+ "version": 15
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
 "rule_name": "AWS EFS File System Deleted",
@@ -3880,51 +3894,51 @@
 },
 "5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
 "rule_name": "Statistical Model Detected C2 Beaconing Activity",
- "sha256": "7298e067ae7df7ada3b5061b2f4fddbd40508f911cf0156071f9a0fd3957e8e0",
+ "sha256": "13ca397ec6553f6c993d68c532077536be213be3dee894a2609b0aaea9eade5e",
 "type": "query",
- "version": 9
+ "version": 10
 },
 "53a26770-9cbd-40c5-8b57-61d01a325e14": {
 "rule_name": "Suspicious PDF Reader Child Process",
- "sha256": "d0f06b830a6476ff9a07972ea36ba0f652acd5ae46fa229d3630f98e5857443a",
+ "sha256": "3326631b740479c77dfe9393b190518a1bbbe724ff0dbb651f1ebd5aced9ebf8",
 "type": "eql",
- "version": 316
+ "version": 317
 },
 "53dedd83-1be7-430f-8026-363256395c8b": {
 "rule_name": "Binary Content Copy via Cmd.exe",
- "sha256": "0294867fbd8ba3c9141d4557d0eca1f503d2bc94440bee39f8aad70295442ea2",
+ "sha256": "c082e3ac3a00dc4956ce3e96ea4ec33d0e3d82e54b0ccacc0ecbdcaea938c347",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "53ef31ea-1f8a-493b-9614-df23d8277232": {
 "rule_name": "Pluggable Authentication Module (PAM) Source Download",
- "sha256": "0f4f3659e783f09c99b9205d00d643cda69a018e82153aa94e2843dc2cac9ad3",
+ "sha256": "cd48b0f1d4115b1444172db9c6f59b8c60c75583bf5c511ba0df9ea374aa84f5",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "54214c47-be7c-4f6b-8ef2-78832f9f8f42": {
 "rule_name": "Network Connection to OAST Domain via Script Interpreter",
- "sha256": "b23a8e48776683b5d40549babe8be8f226fea5f293ee533b5441bef2203396ef",
+ "sha256": "1203b6747b51b4832b4ebefe2903731584e77306aacc9f20d75fbf1cf7d1c66e",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "rule_name": "Uncommon Registry Persistence Change",
- "sha256": "85b3ae783986f75b82921357341bc4ee866a9da2bf84fdf8a1c810f6ded404b1",
+ "sha256": "df81b470e8c0d3518f8f24477c2f41c9d874a09f50aa751c968b959540e6e066",
 "type": "eql",
- "version": 215
+ "version": 216
 },
 "54a81f68-5f2a-421e-8eed-f888278bb712": {
 "rule_name": "Exchange Mailbox Export via PowerShell",
- "sha256": "fbf103aa3c39bb293ade25f6cb74acb3444ece6c2a9ffe3441d5d8be36a1bc89",
+ "sha256": "bb8801610e32224071dc341162073ded5df413ddf4c2cdcfb9b7e8442242b149",
 "type": "query",
- "version": 214
+ "version": 215
 },
 "54c3d186-0461-4dc3-9b33-2dc5c7473936": {
 "rule_name": "Network Logon Provider Registry Modification",
- "sha256": "8559ba99f619be1e87b32244f4b2d26bb2bc5c1d0c40ea0780192ab395054472",
+ "sha256": "0c6aaee25903d5e1cbfe5db0005e367ce387f48993e20dcd324610a7d7e37585",
 "type": "eql",
- "version": 216
+ "version": 217
 },
 "55a372b9-f5b6-4069-a089-8637c00609a2": {
 "rule_name": "First-Time FortiGate Administrator Login",
@@ -3940,9 +3954,9 @@
 },
 "55d551c6-333b-4665-ab7e-5d14a59715ce": {
 "rule_name": "PsExec Network Connection",
- "sha256": "e668e79265b55406cd93383522749d6bce039b43589478b9a489a0a5b77b8b67",
+ "sha256": "bad31009685857a7631fa0eda2334a199332fdb3698d8eb00f7e2ed62ae11c2b",
 "type": "eql",
- "version": 212
+ "version": 213
 },
 "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
 "rule_name": "Windows Installer with Suspicious Properties",
@@ -3952,9 +3966,9 @@
 },
 "55f711c1-6b4d-4787-930d-c9317a885adf": {
 "rule_name": "Suspicious Execution with NodeJS",
- "sha256": "703c739baa06c65f081e0a6f4d49107b415aef292f2d9e69d0ee75fe9768e379",
+ "sha256": "cd340b2cf9970e3315afe3ca9ac1ac1850b0b408d0192366871ff8ba32e46835",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "56004189-4e69-4a39-b4a9-195329d226e9": {
 "rule_name": "Unusual Process Spawned by a Host",
@@ -3976,9 +3990,9 @@
 },
 "565c2b44-7a21-4818-955f-8d4737967d2e": {
 "rule_name": "Potential Admin Group Account Addition",
- "sha256": "4ce263d173a70707a23ec71e9d047dcaa6073d6e38f210d0ccf8ebc29318b608",
+ "sha256": "87db461459ea0a1c445b59dfa9d8e7368c2afc905f30243a589b82af51f8515d",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "565d6ca5-75ba-4c82-9b13-add25353471c": {
 "rule_name": "Dumping of Keychain Content via Security Command",
@@ -3988,9 +4002,9 @@
 },
 "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
 "rule_name": "GCP Logging Bucket Deletion",
- "sha256": "01315f67e14fa8ba6873b6f6773f13ff2b404f9a5e551ab293a0bab6031404d0",
+ "sha256": "bbcaf9906f3fe767bcfdc7efa42c388744d4cfdd5c457f9659105daa36947db0",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "56d9cf6c-46ea-4019-9c7f-b1fdb855fee3": {
 "rule_name": "Windows Sandbox with Sensitive Configuration",
@@ -4006,15 +4020,15 @@
 },
 "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
 "rule_name": "Execution of an Unsigned Service",
- "sha256": "c1892bef95d251f7d7a47ff403d9820d9133ad7d52d07ded161c63a0664c92ba",
+ "sha256": "98a1bb00cc5109dfee42a633f855fff9346d0648551bebc3d0863b1561b49aa2",
 "type": "new_terms",
- "version": 108
+ "version": 109
 },
 "5700cb81-df44-46aa-a5d7-337798f53eb8": {
 "rule_name": "VNC (Virtual Network Computing) from the Internet",
- "sha256": "a2ea199f37920a1f0bdc7b5a401338b7ac2ee4316586ee61f879f019c7fb7854",
+ "sha256": "a12fd0977f48bb7edcf7f3086429bfa96f0be291d5d52080528b98342eb25e24",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
 "rule_name": "Credential Dumping - Detected - Elastic Endgame",
@@ -4030,9 +4044,9 @@
 },
 "5749282b-7524-4c9d-af9a-e2b3e814e5d4": {
 "rule_name": "AWS Credentials Searched For Inside A Container",
- "sha256": "a0bcf9364ee8f47430f8b5b764ed21b99fe2d5d6c1ef4f06d82d091e7820ee3a",
+ "sha256": "b09e2c974cc1d80c0c75f3799dc517a1ba657bb18f02243743e329247980db61",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "577ec21e-56fe-4065-91d8-45eb8224fe77": {
 "rule_name": "PowerShell MiniDump Script",
@@ -4042,21 +4056,21 @@
 },
 "57bccf1d-daf5-4e1a-9049-ff79b5254704": {
 "rule_name": "File Staged in Root Folder of Recycle Bin",
- "sha256": "200c9a6cf6ea2b424d9f8f4c5fdef6b620058afef51217c3581d139a0f79adf3",
+ "sha256": "4944bbed621deeb513b94814d78fab8b15895a6fbf5a4b3c12e69c50f5a82be6",
 "type": "eql",
- "version": 108
+ "version": 109
 },
 "57bfa0a9-37c0-44d6-b724-54bf16787492": {
 "rule_name": "DNS Global Query Block List Modified or Disabled",
- "sha256": "06514c775695c6ffb15b50ee3e811ce692a4cdd882e2912e1a0ee65bbe346273",
+ "sha256": "55fdd67e686833efc05fbb83449c1d2e4371e5dc05b8563accae23d7cc12f8c5",
 "type": "eql",
- "version": 208
+ "version": 209
 },
 "57e118c1-19eb-4c20-93a6-8a6c30a5b48b": {
 "rule_name": "Remote GitHub Actions Runner Registration",
- "sha256": "1d0cb6b6f76ce755ca5fb4d086cbe1b222f7cf1a54d1751338d1440ff5acdcc3",
+ "sha256": "828208f06437553b7fe68b30fc667d644d5f59836cbb6c02e9f58e62f3360da2",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Backup Deletion with Wbadmin",
@@ -4066,9 +4080,9 @@
 },
 "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": {
 "rule_name": "Unusual Web Config File Access",
- "sha256": "8de79d7265cefe1c4c9df3381c7d64befd5e4205b2fa99aa541ffc785d375e1a",
+ "sha256": "2076d1d54ca2fb2a601ffb05b938cf5acfb824cf8d9afb3b11affa6dabb5958b",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "5889760c-9858-4b4b-879c-e299df493295": {
 "rule_name": "Potential Okta Brute Force (Multi-Source)",
@@ -4084,9 +4098,9 @@
 },
 "58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
 "rule_name": "Zoom Meeting with no Passcode",
- "sha256": "ccb0acf3cc1b30624083f57a468ae8f3d188ca69b2ae0551b5122b12e90e6b36",
+ "sha256": "dd509b2bcdfcdbc08ba7ffd1496e58a28bd54e96eced8b7cd0cf9443fa96314f",
 "type": "query",
- "version": 104
+ "version": 105
 },
 "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
 "rule_name": "Potential Lateral Tool Transfer via SMB Share",
@@ -4096,21 +4110,21 @@
 },
 "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
 "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
- "sha256": "aa0faf0feeded63930dae2ccaac0af504981592f7e7e9ecd84e12b30fbe3dc0a",
+ "sha256": "54a500e176cc9745327edf4a986bbcad4894627acf87bc50f5727b26558cd775",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "590fc62d-7386-4c75-92b0-af4517018da1": {
 "rule_name": "Unusual Process Modifying GenAI Configuration File",
- "sha256": "abc0e27008b4d86a36e73961924ea3f39bc1c7fae09ed2b3e3e17d2a812608cb",
+ "sha256": "e545844a7c0d04bacd4149972e5530758f6f5fcfaad5eb85dbc690ef57aacdf0",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "5919988c-29e1-4908-83aa-1f087a838f63": {
 "rule_name": "File or Directory Deletion Command",
- "sha256": "613a83f0df9c2f3768df88ec52bff6d22e0eba6ca14447a6c66b0f7bdcf5efbc",
+ "sha256": "7742b4d700c05a6edae94904b1648746b5b85845c114eb60cbfc8fb84972171f",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "5930658c-2107-4afc-91af-e0e55b7f7184": {
 "rule_name": "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish",
@@ -4120,9 +4134,9 @@
 },
 "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
 "rule_name": "AWS CloudTrail Log Created",
- "sha256": "9c331554770ecb70eaef91e13b8c815f94e30019ac7bece602e598f6487eaf86",
+ "sha256": "940ef236a8475305598b01c5be9a9cfc9be3fd3f7113b1531e9cdd1175d34659",
 "type": "query",
- "version": 212
+ "version": 213
 },
 "59756272-1998-4b8c-be14-e287035c4d10": {
 "rule_name": "Unusual Linux User Discovery Activity",
@@ -4132,15 +4146,15 @@
 },
 "59bf26c2-bcbe-11ef-a215-f661ea17fbce": {
 "rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
- "sha256": "9fe3cf2fe1d2d052eb9543fccef6eea8a7ac5383268b9589b016836b97b85426",
+ "sha256": "121e9bd56ba8ea9ccd98b2ae0ce2eb69889ab784ca27660c4edcb3d06b913f2e",
 "type": "new_terms",
- "version": 7
+ "version": 8
 },
 "5a138e2e-aec3-4240-9843-56825d0bc569": {
 "rule_name": "IPv4/IPv6 Forwarding Activity",
- "sha256": "9e1626197ed5941926dbc41962782ca8a323883170b2f3163b67df9866765cbc",
+ "sha256": "d9cf4c038f53b5ebd1c30a304fb8870d6145d0785926200cf0374842c84220ff",
 "type": "eql",
- "version": 107
+ "version": 108
 },
 "5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
 "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
@@ -4156,15 +4170,15 @@
 },
 "5a876e0d-d39a-49b9-8ad8-19c9b622203b": {
 "rule_name": "Command Line Obfuscation via Whitespace Padding",
- "sha256": "0cc699f383c20c3ff271c516d77b95b987ed2739b33f240704c85b6544251d02",
+ "sha256": "1bf4f552f7599807a7e15afba35b168d0ca331e3b70e945506eb527d1e088934",
 "type": "esql",
- "version": 3
+ "version": 4
 },
 "5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
 "rule_name": "ROT Encoded Python Script Execution",
- "sha256": "406f524f675016ccdb5300c19a77dbbf5709c9f48608737209128a31fac9c822",
+ "sha256": "3570dec854c263de8cdebc1855ebfe5f7ab4526fc849b9e3a925eca865cdb5c7",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "5ae02ebc-a5de-4eac-afe6-c88de696477d": {
 "rule_name": "Potential Chroot Container Escape via Mount",
@@ -4174,9 +4188,9 @@
 },
 "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
 "rule_name": "Remote SSH Login Enabled via systemsetup Command",
- "sha256": "801b331954e244547654f39e1cd8f34d2021a71a4b42b41e160a8ac6279bd843",
+ "sha256": "633d6227e7b67c05c46dd509f2cd8d07f37e29fa580d76f692df49fea3e78ff7",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
 "rule_name": "Potential Secure File Deletion via SDelete Utility",
@@ -4186,9 +4200,9 @@
 },
 "5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
 "rule_name": "Virtual Machine Fingerprinting",
- "sha256": "8bdc45642eabfb3f0ef103bce978e447aa2cad2f8846c07c660012a23bb3f07e",
+ "sha256": "d3606ed659895f8c1cfdbff613629c196b862c209892b801f1b8370aaaf4277d",
 "type": "eql",
- "version": 113
+ "version": 114
 },
 "5b06a27f-ad72-4499-91db-0c69667bffa5": {
 "rule_name": "SUID/SGUID Enumeration Detected",
@@ -4198,15 +4212,15 @@
 },
 "5b18eef4-842c-4b47-970f-f08d24004bde": {
 "rule_name": "Suspicious which Enumeration",
- "sha256": "586b56458f4d63afd014b8dbb35e00f09492345bfd80de251a5c644f7f95b60d",
+ "sha256": "dfef9c7a379453c311f0bfab1d39e33e823cd53ca0d1401b0c395667b781beb7",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": {
 "rule_name": "Successful SSH Authentication from Unusual User",
- "sha256": "a8ae34ad74aa452d1ef26abfb920f07ad6dead22112f38645c036c46d2498937",
+ "sha256": "7be56f4b8d28507b68d83d793cca3e982deab0387b8e00b6117aafe109cb2bc3",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
 "rule_name": "Potential Masquerading as Browser Process",
@@ -4216,9 +4230,9 @@
 },
 "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
 "rule_name": "Deprecated - Suspicious PrintSpooler Service Executable File Creation",
- "sha256": "fc9cef486a73aa99f5eb2449ccb3aeb22c54905f0aed559e59310a191b5b19c1",
+ "sha256": "053a68fdd7475f4e88b8e0c17034409f8ce460f18afc33a8f4db9478d0dfa8ff",
 "type": "new_terms",
- "version": 320
+ "version": 321
 },
 "5bda8597-69a6-4b9e-87a2-69a7c963ea83": {
 "rule_name": "Boot File Copy",
@@ -4228,9 +4242,9 @@
 },
 "5bdad1d5-5001-4a13-ae99-fa8619500f1a": {
 "rule_name": "Base64 Decoded Payload Piped to Interpreter",
- "sha256": "a3e5e93104eff8cc43073a34010259addb085407c0b9db48084e216971198b42",
+ "sha256": "027fc040e1e9e549efb1038c541a0965a6a625c7cfa7ac595dfc9747ffca5b09",
 "type": "eql",
- "version": 6
+ "version": 7
 },
 "5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
 "rule_name": "AWS WAF Rule or Rule Group Deletion",
@@ -4240,15 +4254,15 @@
 },
 "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
 "rule_name": "Process Capability Enumeration",
- "sha256": "eb2f66cac706f2d5cd5a072b7e91723e2bdcaf18c2bcdbce959b054343e1bd32",
+ "sha256": "958cb09fe0453597f345b91d73f1f8cf88e769e76285da2a9029817841f976b0",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "5c495612-9992-49a7-afe3-0f647671fb60": {
 "rule_name": "Successful SSH Authentication from Unusual IP Address",
- "sha256": "31b27a7e3c38e5075a078da3897b0903804faf938bb93fe6a383dcc1847c4a8a",
+ "sha256": "1131f0ba1299b1673272bd63bc99e020893f13a54959cc573c19f06e3c6d27c0",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": {
 "rule_name": "Deprecated - SSH Process Launched From Inside A Container",
@@ -4258,9 +4272,9 @@
 },
 "5c602cba-ae00-4488-845d-24de2b6d8055": {
 "rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
- "sha256": "c7b6447476c63c646a11dcddd2f18d6f0ba3ebebe596eca3d4aec3c2526d2226",
+ "sha256": "4ab3780669514a3c38d185828e425d62f8005baf7e564cfe108f7922d0d02d72",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
 "rule_name": "FirstTime Seen Account Performing DCSync",
@@ -4270,21 +4284,21 @@
 },
 "5c81fc9d-1eae-437f-ba07-268472967013": {
 "rule_name": "Segfault Detected",
- "sha256": "2e81ce6769021daba9c871cf5baf734f4fb6fbbdc9590bcc56e0bf1853d51d1e",
+ "sha256": "6ae08cb11476bde01a0bc5e23c18dbeb3c64c7f9f56cadc416776d004a3f3938",
 "type": "query",
- "version": 3
+ "version": 4
 },
 "5c832156-5785-4c9c-a2e7-0d80d2ba3daa": {
 "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
- "sha256": "4c48c84cd522696977dcc06b074e1009f2d813319099312d8f038742dc590289",
+ "sha256": "f60eb9f78e9b31ecc263168312144052efe7d3d67430d9e8e4bc68396f433f20",
 "type": "eql",
- "version": 105
+ "version": 106
 },
 "5c895b4f-9133-4e68-9e23-59902175355c": {
 "rule_name": "Potential Meterpreter Reverse Shell",
- "sha256": "0c3e1712dbacd60a7b25849404c3640e128985029f0549a100664928c6d062d7",
+ "sha256": "499e822266c7a93e65eed7dd53f2d4762b9ede773ae711da386d2dd215831704",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "5c983105-4681-46c3-9890-0c66d05e776b": {
 "rule_name": "Unusual Linux Process Discovery Activity",
@@ -4300,15 +4314,15 @@
 },
 "5cd55388-a19c-47c7-8ec4-f41656c2fded": {
 "rule_name": "Outbound Scheduled Task Activity via PowerShell",
- "sha256": "36b4447995d99aeb6a7fc572fef2c2472373f1ef385d286717d76ea772593543",
+ "sha256": "aca1fb8fd3ab6a6e65bb58f43f1f0d6dd1efb62e25bdb7b248a7a5f35c0a0e46",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
 "rule_name": "User Added to Privileged Group in Active Directory",
- "sha256": "9c592d696b111ba2667fac67712827ef98ca432b69f7dc378b1cf79c1902bea0",
+ "sha256": "7ae4f643336f4e1a1ab78af0263eb55b4e0c84737f7ff6f26bc6a1ecaeacb0d3",
 "type": "eql",
- "version": 215
+ "version": 216
 },
 "5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
 "rule_name": "Persistence via PowerShell profile",
@@ -4318,16 +4332,16 @@
 },
 "5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
 "rule_name": "Persistence via Login or Logout Hook",
- "sha256": "1b07692857d4196dca0282c0a6b818c123b5d8d3fcc412fb9139a364e2a4a08d",
+ "sha256": "e818c9edc963124f3fe4b690ac99f23981b4899d2ec0bbbffbb93c5590b8756b",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "5d1c962d-5d2a-48d4-bdcf-e980e3914947": {
 "min_stack_version": "9.3",
 "rule_name": "Forbidden Direct Interactive Kubernetes API Request",
- "sha256": "be914b17ebae1af44b244d51b3c23386e68cba1e711e1a3016ff61269a549396",
+ "sha256": "6d915f910f0bfe2eb31be1eb5e3f7891ec2f9a9307533bb691094acb47ad1ad1",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
 "rule_name": "Suspicious Execution via Scheduled Task",
@@ -4337,39 +4351,39 @@
 },
 "5d676480-9655-4507-adc6-4eec311efff8": {
 "rule_name": "Unsigned DLL loaded by DNS Service",
- "sha256": "fe9828fdb1e826e9a4887dd4b52754e5a56c0b775c59963881f4538c3dc240fa",
- "type": "eql",
- "version": 106
- },
- "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
- "rule_name": "Suspicious Automator Workflows Execution",
- "sha256": "e8fa74379179a6e9e9280508afc640cb96c331cc171808a748ed740b40cef25f",
- "type": "eql",
- "version": 111
- },
- "5e161522-2545-11ed-ac47-f661ea17fbce": {
- "rule_name": "Google Workspace 2SV Policy Disabled",
- "sha256": "fdff095d924623c81dd84192e86d2cd857ea9237a184331ffecbc98be0f08e7b",
- "type": "query",
- "version": 109
- },
- "5e23495f-09e2-4484-8235-bdb150d698c9": {
- "rule_name": "Potential CVE-2025-33053 Exploitation",
- "sha256": "e515ba416d112f154ee9c1ea73f1ac151201233455473ca6ac4c7bb238c79648",
- "type": "eql",
- "version": 1
- },
- "5e4023e7-6357-4061-ae1c-9df33e78c674": {
- "rule_name": "Memory Swap Modification",
- "sha256": "43d5d47f2f41f6a0da32a9f0a41268a9522c6eb161b7c9cdfe04ae2cb49caf67",
+ "sha256": "bc7fcf5dc1eb0cc2200f517fbce5e86470485c5dd4351885978ed25541e99a33",
 "type": "eql",
 "version": 107
 },
+ "5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
+ "rule_name": "Suspicious Automator Workflows Execution",
+ "sha256": "7a9ce14eef48ed766c137dbe638528f60bbfd889852e3b0e0251ed30b6ed4b98",
+ "type": "eql",
+ "version": 112
+ },
+ "5e161522-2545-11ed-ac47-f661ea17fbce": {
+ "rule_name": "Google Workspace 2SV Policy Disabled",
+ "sha256": "669f9eeb55c3bcaa2a349d5bd0cf86e3e1de625d92cf11629c560d6d912090af",
+ "type": "query",
+ "version": 110
+ },
+ "5e23495f-09e2-4484-8235-bdb150d698c9": {
+ "rule_name": "Potential CVE-2025-33053 Exploitation",
+ "sha256": "d9f93bfa692b5386386beddd97259f5aa071c648c5625585978643e3a843ce9c",
+ "type": "eql",
+ "version": 2
+ },
+ "5e4023e7-6357-4061-ae1c-9df33e78c674": {
+ "rule_name": "Memory Swap Modification",
+ "sha256": "84ab5ac7a9d4da0254311ffb718735490af81e6cb6c191ead1f08277e7a520e9",
+ "type": "eql",
+ "version": 108
+ },
 "5e552599-ddec-4e14-bad1-28aa42404388": {
 "rule_name": "Deprecated - M365 Teams Guest Access Enabled",
- "sha256": "6bd26b637d8d65d21fab98797574709274097ccf34020470f0460c4fa98adbae",
+ "sha256": "5e252d30858559a07fec7cd8c8314f704a835c338724c155213b6526cc3c0cbe",
 "type": "query",
- "version": 212
+ "version": 213
 },
 "5e87f165-45c2-4b80-bfa5-52822552c997": {
 "rule_name": "Potential PrintNightmare File Modification",
@@ -4379,21 +4393,21 @@
 },
 "5eac16ab-6d4f-427b-9715-f33e1b745fc7": {
 "rule_name": "Unusual Process Detected for Privileged Commands by a User",
- "sha256": "c9aa68e0bbefe704a06a42460c07f488861cf71aaaec68520a0c536c8084352e",
+ "sha256": "1d71fb265ec9c3ff73874aa4beadd56455b47e89abd56102a39fe0cc342da6af",
 "type": "machine_learning",
- "version": 3
+ "version": 4
 },
 "5f0234fd-7f21-42af-8391-511d5fd11d5c": {
 "rule_name": "AWS S3 Bucket Enumeration or Brute Force",
- "sha256": "afe5cf0b41fabafb43587e9fff374222c812f9f85f2e6d494c41f2795f46e771",
+ "sha256": "b7a053aa108ee5047e30b524fc1a2b82f40a836705050ee642605974e87dc47a",
 "type": "threshold",
- "version": 7
+ "version": 8
 },
 "5f2f463e-6997-478c-8405-fb41cc283281": {
 "rule_name": "Potential File Download via a Headless Browser",
- "sha256": "e1bc7738d6422a53137fd0fd3a0f1caea8ad0963f3c1ad4e800995133bf37fd2",
+ "sha256": "7ad46e4c1417d9c0c7af9ee3b98ee5787d0f6dbc52ac00412683783a32cfd189",
 "type": "eql",
- "version": 207
+ "version": 208
 },
 "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
 "rule_name": "Potential Docker Escape via Nsenter",
@@ -4403,9 +4417,9 @@
 },
 "5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891": {
 "rule_name": "NetSupport Manager Execution from an Unusual Path",
- "sha256": "c80b105dcd79c80989bff9ac24cf5177de43e229e7d10b6401345ba38e066596",
+ "sha256": "2ff13f827d6e3b101978628ae7e81aea2aac534bb49e2e005c4b79ac69887d84",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "60884af6-f553-4a6c-af13-300047455491": {
 "rule_name": "Azure Compute VM Command Executed",
@@ -4421,39 +4435,39 @@
 },
 "60c814fc-7d06-11f0-b326-f661ea17fbcd": {
 "rule_name": "M365 Threat Intelligence Signal",
- "sha256": "79dc01a9db946e1a3d5c41a5e8c2af04359b9e44ecee31c16c38a3723d8bab07",
+ "sha256": "c39e4b442c100c558bad0866d26a3af772db700ab66c684e39f81c52511c464e",
 "type": "query",
- "version": 3
+ "version": 4
 },
 "60da1bd7-c0b9-4ba2-b487-50a672274c04": {
 "rule_name": "Discovery Command Output Written to Suspicious File",
- "sha256": "0f20b925e290e8b322e4fbca19247555026e2be561e5f19adeeed82693fbd764",
+ "sha256": "272a08b491e9e0ed926f59f6e233f7e3a98e77d56dc61ce20e65ccc863a87d4e",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "60f3adec-1df9-4104-9c75-b97d9f078b25": {
 "rule_name": "Deprecated - M365 Exchange DLP Policy Deleted",
- "sha256": "d49413545670c96c3b5d14b25f8f532a2453b7464b7332636cb2977953371e86",
+ "sha256": "9006b456e8e5aac1b3083337c8468dc521950f1b2537f6eec97e03cf296f4dfa",
 "type": "query",
- "version": 212
+ "version": 213
 },
 "610949a1-312f-4e04-bb55-3a79b8c95267": {
 "rule_name": "Unusual Process Network Connection",
- "sha256": "eedf094a7798099e64d10398f58d50331624cf7b56aa5b1d6cf30a6ac7ee5c40",
+ "sha256": "0fe57677933b692a71d8349b4f6cbf10c7875257fb7837ae9686faddffb1e8b1",
 "type": "eql",
- "version": 211
+ "version": 212
 },
 "61336fe6-c043-4743-ab6e-41292f439603": {
 "rule_name": "New User Added To GitHub Organization",
- "sha256": "65d60bb1e3e58c78ebdedb1c5ef222be1b3beda2413b057f21671ccae8870b82",
+ "sha256": "20989b28438ebb27b577cc7e27b4a8fddb5f0e786199089dbf791275399a39f7",
 "type": "eql",
- "version": 206
+ "version": 207
 },
 "616b8d00-05f8-11f1-8f33-f661ea17fbce": {
 "rule_name": "Entra ID Service Principal Federated Credential Authentication by Unusual Client",
- "sha256": "9e0f60e5d2e546787e888d2c54ba461cfc4a3c257bbb2676cababb43348c99b3",
+ "sha256": "f561e95790ebad03eb90981d8ebfad155f4b4fadbf0404a9b1cb21fa8b170ec0",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "61766ef9-48a5-4247-ad74-3349de7eb2ad": {
 "rule_name": "Interactive Logon by an Unusual Process",
@@ -4463,9 +4477,9 @@
 },
 "618a219d-a363-4ab1-ba30-870d7c22facd": {
 "rule_name": "FortiGate FortiCloud SSO Login from Unusual Source",
- "sha256": "d2abab1390a043ad71171a861b542dc9d94f79af253dd0032c1fe0b04e90beb0",
+ "sha256": "65ef1e5263d2ceb9161e3fcb9722972eaf023a1a3be5b42fdf134c1ac77f1c2c",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "618bb351-00f0-467b-8956-8cace8b81f07": {
 "rule_name": "AWS S3 Bucket Policy Added to Allow Public Access",
@@ -4475,9 +4489,9 @@
 },
 "61ac3638-40a3-44b2-855a-985636ca985e": {
 "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
- "sha256": "f0416cbdf5fa18a079d3d3c82eae6bd19b83bdf9c69f6fb2425e8242e6a585d1",
+ "sha256": "be24ceae2afa9baef47813fd03666ea34a8f4036452bf224e709f3f059656acb",
 "type": "query",
- "version": 319
+ "version": 320
 },
 "61c31c14-507f-4627-8c31-072556b89a9c": {
 "rule_name": "Mknod Process Activity",
@@ -4487,9 +4501,9 @@
 },
 "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
 "rule_name": "AdminSDHolder SDProp Exclusion Added",
- "sha256": "fc0df56314ea288221a4cc45552eda89e248931b37fa4cc8ac7ee9991d12fda4",
+ "sha256": "6383b77739e2749c866d9629ec58d853e848460e9543fa91f5fc5bdfb1ed81f9",
 "type": "eql",
- "version": 217
+ "version": 218
 },
 "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
 "rule_name": "Multiple Okta Sessions Detected for a Single User",
@@ -4499,15 +4513,15 @@
 },
 "622ecb68-fa81-4601-90b5-f8cd661e4520": {
 "rule_name": "Incoming DCOM Lateral Movement via MSHTA",
- "sha256": "25f5507d36b8030ec4b934a15054ff440470648a722b209844f64d8f983b3975",
+ "sha256": "42257f22a246a40f1b6a636be55d328756204c2ab6229c57d6bed4129300b5df",
 "type": "eql",
- "version": 210
+ "version": 211
 },
 "627374ab-7080-4e4d-8316-bef1122444af": {
 "rule_name": "Private Key Searching Activity",
- "sha256": "8c9ae7796579d97d69a04310defc6854fc7624628efe267439acba9c94241356",
+ "sha256": "79f110a532df654130e63c8b81f83d83d968d2789069f0c82d5fc5cd50e602da",
 "type": "eql",
- "version": 106
+ "version": 107
 },
 "62a70f6f-3c37-43df-a556-f64fa475fba2": {
 "rule_name": "Account Configured with Never-Expiring Password",
@@ -4529,21 +4543,21 @@
 },
 "63153282-12da-415f-bad8-c60c9b36cbe3": {
 "rule_name": "Process Backgrounded by Unusual Parent",
- "sha256": "75b9496ea55a4093c1a530bf9d5d06b67b782ad0fea18e9f34fc26ae90875888",
+ "sha256": "030fd3f59aba85e33e9013260fe60ecd2b7e4e805aece285791cb170737d59d9",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "632906c6-ba8f-44c0-8386-ec0bbc8518bf": {
 "rule_name": "M365 SharePoint Site Sharing Policy Weakened",
- "sha256": "0d544b7572d561d522b7a1f66e3d6249547e10deb500eae0e09a7284cbd87030",
+ "sha256": "63a28820779cb76eff2c1ea94f27ea65d2813e5a6f361c0b5c78ef4f6cdb9e81",
 "type": "query",
- "version": 1
+ "version": 2
 },
 "63431796-f813-43af-820b-492ee2efec8e": {
 "rule_name": "Network Connection Initiated by Suspicious SSHD Child Process",
- "sha256": "45658ca009518a884a05c4cc9d68fdc61b4964fc64f0c576c2daf30b3bcb9df1",
+ "sha256": "3b0351c806161fe08412397624b92f4f969afffbb96b21e055a0631d33614a4f",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "63c05204-339a-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
@@ -4565,9 +4579,9 @@
 },
 "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
 "rule_name": "Sensitive Registry Hive Access via RegBack",
- "sha256": "f1b41199a328bd02b1d8e68577dea1a0148279f462f58eb741ee169e443888cf",
+ "sha256": "79ac569d55644e0dabbb2fdd8052596be9d8f54d0ba514a54a93a7816d8853c0",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
 "rule_name": "Network Connection via Signed Binary",
@@ -4577,21 +4591,21 @@
 },
 "640f0535-f784-4010-b999-39db99d2daeb": {
 "rule_name": "Potential Git CVE-2025-48384 Exploitation",
- "sha256": "6355a097393b9deb52341b25d066690bfbd55cad96abb33b13e41ac9e3a0df67",
+ "sha256": "96a8f21a03b2eacdcb3c26f34ea7073e5fb7b7804eab2e552278f4b9a8524d75",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "640f79d1-571d-4f96-a9af-1194fc8cf763": {
 "rule_name": "Dynamic Linker Creation",
- "sha256": "ef77f16d65b993459a5a079b5d1390f30ca2572dc700b7be825a98af2e546d42",
+ "sha256": "a3ad27a4e1aba1d93a8fcff149f1e5ae7d0563416aa19c3e8221f2661ddface0",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "642ce354-4252-4d43-80c9-6603f16571c1": {
 "rule_name": "System Public IP Discovery via DNS Query",
- "sha256": "2441c0f7156104f1405a955199b80b4134fefeff71f2746eb534985a66a1ad90",
+ "sha256": "dadbb6d434afb19f97ab0d84b81956da85c5714c7113d0f80e6e22d72df1407b",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "647fc812-7996-4795-8869-9c4ea595fe88": {
 "rule_name": "Anomalous Process For a Linux Population",
@@ -4601,27 +4615,27 @@
 },
 "6482255d-f468-45ea-a5b3-d3a7de1331ae": {
 "rule_name": "Modification of Safari Settings via Defaults Command",
- "sha256": "f04f7762a2d3bbdd47fc5d15c9ccbbdf7c3920065615febd7cfe2ecd45a20eab",
+ "sha256": "c6de97f12a7345d14030b631a6baa062804944e85c22ece163742abc536d4b59",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
 "rule_name": "Network Connection via Recently Compiled Executable",
- "sha256": "7ca1e9aa4bc2c98207af68b12ab4815c488fb92aaaca0ed2a51e25f5223e9d19",
+ "sha256": "7a4ee8a9aed27286d48b832645557e5b2b3be000c4b6d33e49f64977508ff9da",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "64f17c52-6c6e-479e-ba72-236f3df18f3d": {
 "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
- "sha256": "9bb82ad0e9bc06828a6c9959f3e13a9a5b3cb76d96ecae5e74a67b9ab53a6abd",
+ "sha256": "db724e0530dad97417c3737f077e737a1dfdf44b5ae1d4621f68d2fba0a4c75d",
 "type": "esql",
- "version": 11
+ "version": 12
 },
 "6505e02e-28dd-41cd-b18f-64e649caa4e2": {
 "rule_name": "Manual Memory Dumping via Proc Filesystem",
- "sha256": "190a8efe19f33011395185ea35900c11f27889bad11a0f7a8152f2cb4c405674",
+ "sha256": "cc3d4c8b00317668d507150f4b0441132efe96a271f0e24182e1cf439f2bb036",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "6506c9fd-229e-4722-8f0f-69be759afd2a": {
 "rule_name": "Potential PrintNightmare Exploit Registry Modification",
@@ -4637,27 +4651,27 @@ }, "65613f5e-0d48-4b55-ad61-2fb9567cb1ad": { "rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments", - "sha256": "a721bcec40558c7e2341203c42d6c8be5bc3d58df369d41d5254731131cc6409", + "sha256": "0d9923c694d6f9e84a63f6978e5c542e08285a98fca12980503e9b9e6e4e7909", "type": "new_terms", - "version": 4 + "version": 5 }, "656739a8-2786-402b-8ee1-22e0762b63ba": { "rule_name": "Unusual Execution from Kernel Thread (kthreadd) Parent", - "sha256": "2f2b36cd3287567c3df71f99ffa36b3040ae29ca1871d964961cbf2e42e915b1", + "sha256": "b755ed320d3960e63c0cc92dbb2de8e1a6292117110a7f2412799824e5118874", "type": "new_terms", - "version": 3 + "version": 4 }, "65f28c4d-cfc8-4847-9cca-f2fb1e319151": { "rule_name": "Unusual Web Server Command Execution", - "sha256": "1ea13a93ae8354cb943d5d0635f94625e6f3fd00ddb5e18727aae85bae4ea947", + "sha256": "3d0ea0342f221d21119aee57a595095918d0fd86ad7f58cee311309b90fd0800", "type": "new_terms", - "version": 2 + "version": 3 }, "65f9bccd-510b-40df-8263-334f03174fed": { "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "2962f75c4c913a7ae6568d692aa100bc991b3f0a49913ed652b7423b7d56b4cd", + "sha256": "5c506cfad2486ff36e966e00f190680828c5177c83f2c6b197061dffdc963b11", "type": "query", - "version": 207 + "version": 208 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "rule_name": "Attempt to Mount SMB Share via Command Line", @@ -4668,9 +4682,9 @@ "66229f32-c460-410d-bc37-4b32322cd4bb": { "min_stack_version": "9.3", "rule_name": "Service Account Token or Certificate Read Detected via Defend for Containers", - "sha256": "b46c90e3fb46b1ed19f04b00acefbe47de9bebecafc766b1f2395be6d66db5b7", + "sha256": "42652c071cbc82b5d5b670ff8b27255c0e0da12b974caa887303d2f29b94ed4f", "type": "eql", - "version": 2 + "version": 3 }, "6631a759-4559-4c33-a392-13f146c8bcc4": { "rule_name": "Potential Spike in Web Server Error Logs", 
@@ -4686,15 +4700,15 @@ }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "73db657803846bffc7d107cbc8bf0cc7d9bbda6f034becce1f0990588362cb7f", + "sha256": "257ed26a976663a2c37c0dff32d55ea12d1dfc35247da988bf23c9b5274e0855", "type": "new_terms", - "version": 208 + "version": 209 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "rule_name": "WebServer Access Logs Deleted", - "sha256": "9b067a4e19e27494227981d9814f26e3262881c5cb3f74ed5c0a1d833408f0fb", + "sha256": "46b302e1052795242c5c6996364c7327c196bff092c53ab16033cb472970e7a3", "type": "eql", - "version": 210 + "version": 211 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "rule_name": "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected", 
@@ -4704,45 +4718,45 @@ }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "36c806d8631c3382ce02b6ddc4f9fe4014909b9c44ac217b7884a8d585ad71a8", + "sha256": "da6621853cbee76b525a9a6ebbd8670a6e6a3eedf0c961d63667f002491ffa5d", "type": "eql", - "version": 128 + "version": 129 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "rule_name": "Linux Process Hooking via GDB", - "sha256": "17f4fe2ff61bcd9e8f15d4be875e352215f40c08ee78633c078953f304b1a7b5", + "sha256": "766af4a5b4b8dee8f8ef9498c1f216ad14f6f4755a93fd323998698d1ea1eb05", "type": "eql", - "version": 107 + "version": 108 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": "1cbce0d436f0e84332bd5c6fdb6208ea47ff267a6c91804b470dc6f0f25e0c04", + "sha256": "42588eba4cedbc1d14e04f7d2306290a2b24362be89e2d67847e34d5a2348eae", "type": "eql", - "version": 211 + "version": 212 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "dd68706b99e4beb5be8e24958080e7a849d9798d75f9e1933ed87542d10c7617", + "sha256": "cc03da002044bd059977e784373cd2c76b4aae1630ae306b3e92c5b77f546cbd", "type": "query", - "version": 118 + "version": 119 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "a641b7d199f4e4fd832c1dc4b7bb8e8e0693119f5efdf132d673600f1a67de92", + "sha256": "8bcacf46dd663455ae16de208c535608363730de69e4f908f70764c932144785", "type": "query", - "version": 413 + "version": 414 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "M365 Exchange Mailbox Audit Logging Bypass Added", - "sha256": "8be27f29a033a1bf2d289bdfa875dbfcc33c406d400aa521e3688b61c23174d9", + "sha256": "b095d445e046b31bd0ca7453a145f7f2100fbc0a4e7a58ecaa13e83085edccf2", "type": "query", - "version": 211 + "version": 212 }, "6756ee27-9152-479b-9b73-54b5bbda301c": { "rule_name": "Rare Connection to WebDAV Target", - "sha256": 
"79c89592ce4eeceb4031a2a222deccbfc0af47774b4091697bc5095dce3ffa51", + "sha256": "73b7832d2d84a9fa85363889cdc9039b97122d38842307ea0cced1a5a7d08a3c", "type": "esql", - "version": 5 + "version": 6 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", @@ -4758,9 +4772,9 @@ }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { "rule_name": "High Number of Process Terminations", - "sha256": "680382f572bc86ba9176bd3c8a36fc5d0e5243f44981819bad005566fcf79f13", + "sha256": "d4b68db35dd8a14409e6834fd97cc1e2a3b99967615f1f2270ae10e6d04dc2b3", "type": "threshold", - "version": 117 + "version": 118 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", @@ -4776,9 +4790,9 @@ }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "M365 Exchange Federated Domain Created or Modified", - "sha256": "a2d5481cf00bcc615174c048a94e4cad3d67177547935b236402280cb3a59b38", + "sha256": "28ae5b8416e43e899169c33eaf626c5deb33691ac860da166ed83af7e599646e", "type": "query", - "version": 212 + "version": 213 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "rule_name": "Okta ThreatInsight Threat Suspected Promotion", @@ -4794,9 +4808,9 @@ }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "1532614e797cd095c55034b762a0bc6b838adcd29d3c103a933df074cc826f7f", + "sha256": "f84e2dcd11a132eea0ca7a43cb5f94e640a1d7c3cfc9966587d144b81d173e2d", "type": "query", - "version": 209 + "version": 210 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "rule_name": "Scheduled Task Created by a Windows Script", 
@@ -4806,15 +4820,15 @@ }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "1b7b501e7883c46efe035c8b341ea0fcfabd82d6b5b1b567adc1489b4ba7109a", + "sha256": "3b6198e952a03a06fb8afe087f6c4f211074808c49106d77b0b354ce5a37554d", "type": "query", - "version": 213 + "version": 214 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "5d62319954b4d714f0fdc2b7ca74f32a7e5ff04025b3e9603a15d4b54b4cbdb8", + "sha256": "0473ce103c98b50a752b3c71561170f786022a9cecd7fd4a23ddd91ff741aae5", "type": "eql", - "version": 108 + "version": 109 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", @@ -4842,9 +4856,9 @@ }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "9561f0044194d3f868b07a589cc6e35db672b4a1d17f4997ab364b92b28677f3", + "sha256": "b57f22278c53ba1cc8de7db5578aa82c1285592d0b72098ab27156d27b1470df", "type": "query", - "version": 111 + "version": 112 }, "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "rule_name": "AWS IAM User Created Access Keys For Another User", @@ -4860,9 +4874,9 @@ }, "69c116bb-d86f-48b0-857d-3648511a6cac": { "rule_name": "Suspicious rc.local Error Message", - "sha256": "ef5f5704546088d8e6c96f86d9b5bcf9595a80fdb94e5d01e0b17295987aecca", + "sha256": "6fbeb059f6b42ec54eaba065ad71a2371c3030633c93d0a4620a99782d9977b6", "type": "query", - "version": 6 + "version": 7 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", 
@@ -4872,15 +4886,15 @@ }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS Sign-In Root Password Recovery Requested", - "sha256": "46d7bc444c3b0896efa5f0d56b1c811d852a0bc06b30a29c613a12bceb80f68c", + "sha256": "b061c8c53d8a4791c3c962e32cb262dc615e9bb9e4dde98973686f53485082c5", "type": "query", - "version": 211 + "version": 212 }, "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { "rule_name": "Attempt to Disable Auditd Service", - "sha256": "cf6b52ea88e41b620aa54fd85324e5f3d9ef4e38700901748067699ef21e2b9b", + "sha256": "b5bf8c334323c23629142910af291aa50391c82eed1b8a9f7c51e8d40d09d95d", "type": "eql", - "version": 105 + "version": 106 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { "rule_name": "AWS EC2 AMI Shared with Another Account", @@ -4896,15 +4910,15 @@ }, "6aace640-e631-4870-ba8e-5fdda09325db": { "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "5095fe669c7a28cd0bd4ac67b605eac71f438d90afe54c8b6c1d52d1bd3efdf6", + "sha256": "a5db8d3fbc7120c2f1c28e235a8fd84ef3846e616464880ab4afc3a646a01e9a", "type": "eql", - "version": 420 + "version": 421 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "4619173954afe3c4ee3678df3b6a09d06d4e6c7044ca0cf1f841a8617e468f6d", + "sha256": "59a05181f1febc098b481acbd5cbd5725a57456d619a875909a207d3929c2b9c", "type": "eql", - "version": 112 + "version": 113 }, "6b341d03-1d63-41ac-841a-2009c86959ca": { "rule_name": "Potential Port Scanning Activity from Compromised Host", 
@@ -4914,21 +4928,21 @@ }, "6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf": { "rule_name": "Suspicious Curl to Google App Script Endpoint", - "sha256": "e2fc6cd326556ed26877b749ff45a326d60917f1600dd11d2af16624358755ed", + "sha256": "25885ed63993320aa591be8ec7247e8cc1829c062e58638919cafebcf46b1d04", "type": "eql", - "version": 1 + "version": 2 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", - "sha256": "21ac45217a2911444af91c4b8718e6c8d41f5981ef2e51a3ad618510a24f804c", + "sha256": "b4b1d4f080ee2f9ae817ac8f03b7e3665f07014ce68c646701880b9ad6378f45", "type": "new_terms", - "version": 213 + "version": 214 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "d73cbc7943b74d57e8f4fa3f49925afeefbca90f5912507c92e1459ed29cb513", + "sha256": "411e56079688143dac201cc66fee2dd6b1e6a533df93203d4e3f5c056e6646be", "type": "eql", - "version": 213 + "version": 214 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { "min_stack_version": "9.3", 
@@ -4942,51 +4956,51 @@ } }, "rule_name": "Container Management Utility Execution Detected via Defend for Containers", - "sha256": "4ac4af6457b467b5f177d488c77ce39c4a0b0290702497ae30e67fd0ae43e525", + "sha256": "914c8911ec926b779845b78a8a67ea55b68742b53eeed37aeece8e781654f707", "type": "eql", - "version": 104 + "version": 105 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "69a395d0e80347499365554d56ecb7013b51d87f12d29487a7c19e439da8ed6f", + "sha256": "7053d338cd930b84a53a00d6136665d38dcc876ab54572d147dd8d3405482624", "type": "eql", - "version": 311 + "version": 312 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { "rule_name": "GitHub Repo Created", - "sha256": "531384d15d52b8c071346a4f472a9f04c83f068c11e87cf028088200812078e7", + "sha256": "53e7e459aac5ef6a3b6aa399a0afefb7b4ec4727ffc73d731a6b4344b0b83431", "type": "eql", - "version": 206 + "version": 207 }, "6cf17149-a8e3-44ec-9ec9-fdc8535547a1": { "rule_name": "Suspicious Outlook Child Process", - "sha256": "ead3bdb03abbff29fb244e73d16f7594a5225127c4cf750abe0bb59b4f881ff9", + "sha256": "24294021daf4daac36d25201ce441fdef000f6859d77838c88d1b4c620d1c902", "type": "eql", - "version": 4 + "version": 5 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "rule_name": "Unusual Process For a Windows Host", - "sha256": "3daaa058e3efafed14592627624d5744ecfbcc23d1d0dc1c4618589616b032a3", + "sha256": "c12d3d95f0d7c995800fde4303065b27add02c60576194f2f91d0515e2aa519c", "type": "machine_learning", - "version": 215 + "version": 216 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", - "sha256": "b4a42530866bb3fcf923be492968e1ec069ccff128907752f4eb635c73bdbaa8", + "sha256": "52515d5e9039aa01279cbaea65ab4da9d7718f306506f0a16edabfcb918a1a7d", "type": "eql", - "version": 8 + "version": 9 }, "6da6f80f-fe41-4814-8010-453e6164bd40": { "rule_name": "Suspicious Curl from macOS Application", - "sha256": 
"c6696e22c0f6ea9d62054fd0a21b17180d6a932ffcdf222d3cbd4ca42f32170e", + "sha256": "3b2cab38c63f83f8b75a1a46cc2952021ecb6c26c6c258ef2158796eb2b26a89", "type": "eql", - "version": 1 + "version": 2 }, "6ddb6c33-00ce-4acd-832a-24b251512023": { "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse", - "sha256": "0956563347ca9848e890ebe9a07a4ac68d34ad6b42b34bab5bc227b7b7dd9136", + "sha256": "0f29fe5a316d3be3647760940d0778e0a76946a010241a7154ce0faf36a1c9e3", "type": "esql", - "version": 10 + "version": 11 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { "rule_name": "Root Certificate Installation", @@ -5020,9 +5034,9 @@ }, "6e5189c4-d3a5-4114-8cb3-bd3a65713f19": { "rule_name": "System and Network Configuration Check", - "sha256": "a39bd3cc0735f30a80651410c92c4d6c2d965fe1b0719d5ce05215534f48bd47", + "sha256": "362706edae4c15e704ffd619c77917cdbb538f4a44606d6f6c6632301bb6750c", "type": "eql", - "version": 1 + "version": 2 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "rule_name": "AdminSDHolder Backdoor", @@ -5038,9 +5052,9 @@ }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "ee1131249647118b84975962d58442cf80fa8283768385f7427a1880ed82cfcc", + "sha256": "ab4fc675056ec570e1d0fcee0b5dade33ef3d33131e6bf6d225cffcf9d59ab10", "type": "eql", - "version": 212 + "version": 213 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "rule_name": "Potential Windows Error Manager Masquerading", 
@@ -5062,15 +5076,15 @@ }, "6eb862bb-013d-4d4f-a14b-341433ca1a1f": { "rule_name": "Unusual Exim4 Child Process", - "sha256": "a433b41c505b25d8ad3ab6790255c6130616643723ef55a98eedeac022eecb39", + "sha256": "7e0456ccada902df35ecfeda239bfbc50dfd31a0dc386834fb8f2ea91eb4039d", "type": "new_terms", - "version": 3 + "version": 4 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "fcd07e40992b3e612a095210ff3c48f93387e580802fa2fa7a2b78eb18a98fd9", + "sha256": "97da24e60bffad5b475a89da7cb4210ecec866dcac2b9017ae9bc655d0a947be", "type": "eql", - "version": 114 + "version": 115 }, "6f024bde-7085-489b-8250-5957efdf1caf": { "rule_name": "Active Directory Group Modification by SYSTEM", @@ -5086,15 +5100,15 @@ }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "d58f1b2ff3f4055daa2a2dad3692f51bb7e7934e1801a5a9219b4d5487f74b1b", + "sha256": "fc527a53fbab4895ae11c74a764c12998813fcb3cf9dd606b542904f97b098ab", "type": "new_terms", - "version": 210 + "version": 211 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", - "sha256": "59cfd1766bf59330cc09e1890b460c610c178db06840e3d7abc6ef15bdafba7f", + "sha256": "0618d19023bba91b6f6a910920452388192425ec8b426e92ee1d0ff4b8404cc7", "type": "query", - "version": 208 + "version": 209 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { "rule_name": "Linux Restricted Shell Breakout via the find command", @@ -5116,9 +5130,9 @@ }, "6fb2280a-d91a-4e64-a97e-1332284d9391": { "rule_name": "Spike in Special Privilege Use Events", - "sha256": "ed6ffa275f2e757c537e56f54d8322172b0f69b4f8654de69c31e43cf69165f2", + "sha256": "9774db65e26243e3f10e5b6d0e36b4993c05c3829a7b6333476c120ac88fa3c7", "type": "machine_learning", - "version": 3 + "version": 4 }, "6fcb4fe4-ac74-449d-855b-2bbd5c51c476": { "rule_name": "Multiple Vulnerabilities by Asset via Wiz", 
@@ -5128,9 +5142,9 @@ }, "70089609-c41a-438e-b132-5b3b43c5fc07": { "rule_name": "Git Repository or File Download to Suspicious Directory", - "sha256": "cb888ec5cdd28b517fc5e25fad86b205b4dcad80d3a654af3170ac8efe593e9c", + "sha256": "cbf5324511ebf3d256beb8dd0237adcb4d5d5057979ca6751efcf7a7e11f8152", "type": "eql", - "version": 3 + "version": 4 }, "7020ff25-76d7-4a7d-b95b-266cf27d70e8": { "rule_name": "Interactive Shell Launched via Unusual Parent Process in a Container", @@ -5140,9 +5154,9 @@ }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "79aba5e19e05a67ee76105ba02f4dd8ababc70a7cbd06a8c833f55e51a0f48c3", + "sha256": "05f5b1b39bf6f6ec97c024592101ffb50e05e5c4bff8e75680caa2e990b4c47a", "type": "query", - "version": 214 + "version": 215 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Resource Deletion", @@ -5164,9 +5178,9 @@ }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "864ff665dcbced65f2a50abeae6420224e6af1557598ac0a35e6405ebf5a78df", + "sha256": "dc2e28cbbbea2af5186b2e45d7fa37497ae783a755934eea904b531ac9f88b16", "type": "eql", - "version": 112 + "version": 113 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", 
@@ -5176,21 +5190,21 @@ }, "713e0f5f-caf7-4dc2-88a7-3561f61f262a": { "rule_name": "AWS EC2 EBS Snapshot Access Removed", - "sha256": "8375b2b999c5f940480f6e373670eb7929fed1299d974aa69e7aab0bdcd1ea1c", + "sha256": "db9212a9ffea96d90748a5055e62c90f85285a50161ba40260f808cf99a6a658", "type": "eql", - "version": 5 + "version": 6 }, "7164081a-3930-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", - "sha256": "e0e1831b2349191eba34af454905c373ca7a88563bdba740fec6039dce4f5885", + "sha256": "8f33675dd749c5cb67b560c261622230b1bfd0377e232760fbbffa0de39717dc", "type": "query", - "version": 10 + "version": 11 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "f99e79395663b62abc9522267b9d5174757d2af93dd136bb6f8834c55ef2d6e8", + "sha256": "48698d164ee9ef1e5911162525352f757091d4171f69f61e66b484e3292a3312", "type": "new_terms", - "version": 214 + "version": 215 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "rule_name": "Unusual File Creation - Alternate Data Stream", @@ -5206,15 +5220,15 @@ }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "rule_name": "Suspicious Passwd File Event Action", - "sha256": "5c1c2e9bc622fdfd22307f8a78bba011d594c683e3261da78070e1aa65082567", + "sha256": "6f10456533b056d27a062e3cd7f1b222441c8c716455684202ebbc452087ad19", "type": "eql", - "version": 7 + "version": 8 }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", - "sha256": "10ff6f7ba102585480c02d7d27e5114fc04dee598ef2592541cc6d8a08e5287c", + "sha256": "5d923d4e7fb3435940f026006987d38713abe2c862ab948e240a293b47aefe1d", "type": "eql", - "version": 7 + "version": 8 }, "720fc1aa-e195-4a1d-81d8-04edfe5313ed": { "rule_name": "Elastic Security External Alerts", 
@@ -5224,9 +5238,9 @@ }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Deprecated - M365 Security Compliance Potential Ransomware Activity", - "sha256": "2a680c4a4e1bbda3a08c46d451d0034d870388b139588ae38b32738977071f96", + "sha256": "cc254cfd97add19cf373a8fb6f915f1e9746797c89584d302c5e4c48502f660e", "type": "query", - "version": 213 + "version": 214 }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", @@ -5236,15 +5250,15 @@ }, "7290be75-2e10-49ec-b387-d4ed55b920ff": { "rule_name": "Suspicious Network Tool Launched Inside A Container", - "sha256": "e690efec89bc3ebf684c741843cb0885156128d39a89c7ffbf53f96e928c3f50", + "sha256": "c2ba7bc1f82579e203cf13c0276ae7a02175109e13c3b84aa194fb79ac1745b3", "type": "eql", - "version": 3 + "version": 4 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "cc1423cbb9a6308b079d91c2db23175ab961848433acd76b756d3d618d8ae37f", + "sha256": "96c5f06a85108502969730ea53ed051f25f21b9a73a1bcd3f030770ceb560239", "type": "query", - "version": 413 + "version": 414 }, "72c91fc0-4ac0-11f0-811f-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Non-Managed Device", 
@@ -5272,40 +5286,40 @@ }, "730ed57d-ae0f-444f-af50-78708b57edd5": { "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "51694939fb7c336362382b2eb663e0be6f71da0693aa969468b3052e2048e38c", + "sha256": "7b56383593ef478eb655aeceb6ff30c991700bd03f1baf060fa76ed4d2b1e0c9", "type": "eql", - "version": 207 + "version": 208 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", - "sha256": "91c30c741416b6e4252375919a24edfe25b7f361f9481c1e9afcdc428ce1fc95", + "sha256": "529e1dbda15b3376095352d027735777a2397abe273d5ddbb29f3d1bd7214944", "type": "eql", - "version": 6 + "version": 7 }, "73344d2d-9cfb-4daf-b3c5-1d40a8182b86": { "rule_name": "AWS API Activity from Uncommon S3 Client by Rare User", - "sha256": "74803ed8898a6b97a3a3216b37765bc5bc8b9fca5526bce51cad41266e545733", + "sha256": "eb6467c4887ce850c39eb5ee43cd7b05e0b921d03454f0ecc5108a7b8bad916b", "type": "new_terms", - "version": 1 + "version": 2 }, "734239fe-eda8-48c0-bca8-9e3dafd81a88": { "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent", - "sha256": "eef7fa38c10ee1aaee36c1f6492fc37db1b42e462bf3138c334bc5874eb3096a", + "sha256": "77e205ee183f6c0e0cde587784b03809024a7e9b5cc57a8f974dd2ce582aaaef", "type": "eql", - "version": 6 + "version": 7 }, "737626a2-4dca-4195-8ecd-68ef96fd1bad": { "min_stack_version": "9.3", "rule_name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers", - "sha256": "914bcc5197cf41c4c4e45b450b881a1cccfcb8cb88385ff00dba131d1a82a7d5", + "sha256": "eb5c59bba857613a7fb8d8110f1155d944972005c6f68ebc4ea9fec1a1a12df4", "type": "eql", - "version": 1 + "version": 2 }, "737b5532-cf2e-4d40-9209-d7aec9dd25d5": { "rule_name": "Potential PowerShell Obfuscated Script via High Entropy", - "sha256": "7326cf6d3997c601c7fdfb47f61c62a2ee7636dda3bb752ab1d671b794d8b908", + "sha256": "9347c53ea709d2f8074638ad997bbacc99a872189976d336c2433d069db69fdc", "type": "query", - "version": 1 + "version": 2 }, 
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", @@ -5321,9 +5335,9 @@ }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", - "sha256": "ddf21d53d6b8b8924b7cd9e99aa28d4f195a780f81fedcabd802cfa7f5eb3443", + "sha256": "a9d6c1c782deeaef26911bdcca095460eb5de2281e53e7079c6db36ac880dd22", "type": "eql", - "version": 210 + "version": 211 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "rule_name": "Unusual Hour for a User to Logon", @@ -5333,9 +5347,9 @@ }, "746edc4c-c54c-49c6-97a1-651223819448": { "rule_name": "Unusual DNS Activity", - "sha256": "3bb8a6e567f321ccd00a7d8e30e775bc9185cd5cfd1f86345dfac966d25b186a", + "sha256": "e1aabfdf1dee210cd9bc10313dc7768d22ebcda60d7349abe52426f526903db3", "type": "machine_learning", - "version": 107 + "version": 108 }, "74e5241e-c1a1-4e70-844e-84ee3d73eb7d": { "min_stack_version": "9.3", 
@@ -5349,34 +5363,44 @@ } }, "rule_name": "Kubectl Workload and Cluster Discovery", - "sha256": "72b36e719acfa3ff798e7b986ca4a13227619e6e45f91695ff986bf2d8af3c17", + "sha256": "3fb59d0debefff5c213a62421bae47af81fdede0f7c3848bdfca03c7fd031d20", "type": "eql", - "version": 102 + "version": 103 }, "74ee9a2d-5ed3-40c8-9e6c-523d2e6a17ef": { "min_stack_version": "9.3", "rule_name": "DNS Enumeration Detected via Defend for Containers", - "sha256": "c9fe483624c1c5ce68d3204bdec7b49c5d76ddc4e1b5181599fbb10d3854f78f", + "sha256": "c5699f232d2c200ebee161e0ddfb53f45756ab0e1b8961965e65a95f0993eee1", "type": "eql", - "version": 1 + "version": 2 }, "74f45152-9aee-11ef-b0a5-f661ea17fbcd": { + "min_stack_version": "9.2", + "previous": { + "8.19": { + "max_allowable_version": 106, + "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", + "sha256": "a2eea8c5634898435947b89e23f5f99b3be7c34925f6dfc0282bab9e4a8ada0a", + "type": "esql", + "version": 7 + } + }, "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "5d3683cb87a4b6feb76eab7180a861d4ee2475204293f6f6516782f4dd6d2e46", + "sha256": "a3283b48b422c13eab4c7c55de6772ff15c97402cb9b476d130c24cbedad5262", "type": "esql", - "version": 6 + "version": 107 }, "751b0329-7295-4682-b9c7-4473b99add69": { "rule_name": "Spike in Group Management Events", - "sha256": "1f0d951f0aa45a48dc46316b1f1d4e02ff8c900e6c997441383ac1f247d42aa0", + "sha256": "46dbe1f415014fc4ff087fd37f1d098ed96134081a662bb61724fb2e6c4e779c", "type": "machine_learning", - "version": 4 + "version": 5 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", - "sha256": "cb879068d644f437de4d77d3f7ab51738082390ba4e77c8e6ccdaa9941a721d7", + "sha256": "9fc432aa9a279cced87c9fda16b8665d2628e1dab0015863865b7afb8f2a813a", "type": "new_terms", - "version": 111 + "version": 112 }, "75c53838-5dcd-11f0-829c-f661ea17fbcd": { "rule_name": "Azure Key Vault Unusual Secret Key Usage", 
@@ -5386,9 +5410,9 @@ }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "rule_name": "Service Disabled via Registry Modification", - "sha256": "99972be3aaef2b87210728a09b1bcabb051d032b977008f6cc411bafbbfe88b8", + "sha256": "69703b792212ac650f5366d9c9672d3727d599a31dc333a09e730b29acaff933", "type": "eql", - "version": 5 + "version": 6 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", @@ -5398,9 +5422,9 @@ }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "b16e7aa630bf09efd8c9c4b5abd21061b8abe08ed648b264ae75cdd15c7444cf", + "sha256": "b1b0ac8a275f03a9e4f9266bdecc75a46d294a978807e76dfa46eff651b47ddf", "type": "query", - "version": 107 + "version": 108 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { "rule_name": "Kubernetes Pod Created With HostIPC", @@ -5410,9 +5434,9 @@ }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "af536a89c8431a57461522f9c43fb2bb20200fbdaead36aa1c3f6d802487313a", + "sha256": "4588e1ad8fb41b88c6cea0ea015d458eafe7b89a1c54c30d22e3d2e3316607f0", "type": "eql", - "version": 117 + "version": 118 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "rule_name": "Creation of Hidden Shared Object File", 
@@ -5422,52 +5446,52 @@ }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "58a655e54c5cb166ac6ab5498819171cec1889190859287d7c41626ff6632018", + "sha256": "7a17f084e6192844b2f877437f8109cad8496af43a28efbf89b5d5b8a40ed209", "type": "eql", - "version": 210 + "version": 211 }, "76de17b9-af25-49a0-9378-02888b6bb3a2": { "min_stack_version": "9.3", "rule_name": "Unusual Country for an Azure Activity Logs Event", - "sha256": "cac25f96b39b9f32e48d401acb7829a913876e84f086a0f780c95de1e2974997", + "sha256": "5e21adc950dc411f6f016793cc3e07955a770c3440428d18b0d8632c142e8c6e", "type": "machine_learning", - "version": 1 + "version": 2 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "f2d7e5b912a866467377c5e412b5b25073dc6d48860aecd8f818f158b769cc70", + "sha256": "60456e0811186e9f508af57452cb7f817f28f4cee61eda0f03c1f2c5b8a81d31", "type": "eql", - "version": 14 + "version": 15 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "2f1dc5042c5324178d8de82aebbac4085da8ad4cdf63a22939b6c481f989c4b0", + "sha256": "903a0a9edd3425864b0a664abd4ee2570f7f877710cd853053f0cb2117135aea", "type": "eql", - "version": 419 + "version": 420 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "b9e24cba4cbda3e2ed33c9da86174cd9d7e7422319ea041848dcf546768713fd", + "sha256": "c3cbbc077d9c9f8ede69f2ebf176e93f5a2b8bbcbe05300b799a309f9bf48e5b", "type": "eql", - "version": 318 + "version": 319 }, "77122db4-5876-4127-b91b-6c179eb21f88": { "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", - "sha256": "4b09604c6f3250ef34ab3b31005bb1a0faed886bb1605c15862580c2d8365528", + "sha256": "db9af522c30e7e110cc3ea5941e3c91f8dbff26edf880489cc22abbeeddfbd0d", "type": "esql", - "version": 9 + "version": 10 }, 
"774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "Entra ID User Added as Registered Application Owner", - "sha256": "f83c205a8791d9c71a57853abe76651cc64e90daf4bb5bfdc15481a45b6c570f", + "sha256": "79f713f7a834c738d2dd71fe53d1981174adb26d8a0a42cf1759c96b5e6cc8d9", "type": "query", - "version": 107 + "version": 108 }, "7787362c-90ff-4b1a-b313-8808b1020e64": { "rule_name": "UID Elevation from Previously Unknown Executable", - "sha256": "09f5609b75e9a346caa33172e5f5805a0e1c5241c717d0db503b4b4792f5bef5", + "sha256": "b2f265c1c6f02ff0149022c18138a9ef408fa696e50c27e9d3445721816237f5", "type": "new_terms", - "version": 8 + "version": 9 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - Detected - Elastic Endgame", 
@@ -5477,33 +5501,33 @@ }, "781f8746-2180-4691-890c-4c96d11ca91d": { "rule_name": "Potential Network Sweep Detected", - "sha256": "d6a7aee26189c060e18f3968d98c5c20583366dd1285c8ec97f92fff6e54fa0b", + "sha256": "8cd906472fcb1e0eab241dcb4b3e15dc1d20c8b99da3affe9cb3b454b7b9eeb6", "type": "threshold", - "version": 14 + "version": 15 }, "78390eb5-c838-4c1d-8240-69dd7397cfb7": { "rule_name": "Yum/DNF Plugin Status Discovery", - "sha256": "c1b3684999c95292d2253c9a75fb57179ae653ca85316fdb894bad0d4e581df4", + "sha256": "4ee525bb41e218ef13fb88f401ac12bc1f5f99fa86cac02a671bd02fc136b7a9", "type": "eql", - "version": 107 + "version": 108 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", - "sha256": "d8715340030f5e840104979c68ca6a5bee643b38558bc0f8cefeeab653cb8c01", + "sha256": "ece5f99761b6328f961df02985e273822861903477c8ba2e44859385751ded66", "type": "query", - "version": 208 + "version": 209 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "rule_name": "Entra ID Privileged Identity Management (PIM) Role Modified", - "sha256": "19c6e5338fb238cda3c675ae8c10f1f391e073d6926ff35cdfb69a0ca2bd0f49", + "sha256": "85dae539ab2ab3efc92c218e57a9f84ff579284a29bd60b4e06006c5f35ae2b9", "type": "query", - "version": 109 + "version": 110 }, "78c6559d-47a7-4f30-91fe-7e2e983206c2": { "rule_name": "Unusual Kubernetes Sensitive Workload Modification", - "sha256": "f76ed0d7a2b70dd121cafecc10eb29a699db9fac35dac6c3f7f771e25cfbcd63", + "sha256": "115f836378563ac6d2f1ec97ef92aa0549b2c5418b90645692afcceaa8d7c6ce", "type": "new_terms", - "version": 1 + "version": 2 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", 
@@ -5513,33 +5537,33 @@ }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "030f794bc9fe8acd0c6e7d24f93ccf1656808b54cd87b4027d431fabc125dce0", + "sha256": "a4c7071dd1e4bf182761113041b2da283e2488b49b19fb92ce4696e9530c9c89", "type": "eql", - "version": 312 + "version": 313 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", - "sha256": "8707838785d36a930a0b2e027746fc7dc78264f09fc45fdec3a61d89ae361de0", + "sha256": "fc36a81054625c5902ae6500e85e00b2a9fc03c2150826c8f62a33430d0202e3", "type": "eql", - "version": 6 + "version": 7 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "727bed32f960f3646b304cd0dddef223d4d3389c7f0f1fe781a6429f84b3eebe", + "sha256": "21b66925e5b20f61404277c32caa3fe78101d5c5e6c62c75497373e3ea137086", "type": "eql", - "version": 10 + "version": 11 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "rule_name": "File Compressed or Archived into Common Format by Unsigned Process", - "sha256": "b1d168024b3a453b93f1e31cf146ca7287afc7386c503ff86dfd88c47aee5845", + "sha256": "9f0dd07e9624660f7c948faf37e93c69ecb2938712118952d7030e874b4d22cc", "type": "eql", - "version": 6 + "version": 7 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", - "sha256": "662dc91439e997c034a7d87f072269b25668dcb3444557e4beac3dbf2ebc5f40", + "sha256": "41bc835f319544568d5ba56f381b1ca5ddb7d18c27cf8763618f6ad915b69cb7", "type": "new_terms", - "version": 107 + "version": 108 }, "79543b00-28a5-4461-81ac-644c4dc4012f": { "min_stack_version": "9.1", 
@@ -5560,9 +5584,9 @@ } }, "rule_name": "Execution of a Downloaded Windows Script", - "sha256": "34ff2faea0f0010dbb984347aa520ba5d3cb219dcb2d9090d8a798f211e7a2af", + "sha256": "19f752a00fc030143b709c78f2366eede110a300af7bee98114e298c9bf5c22c", "type": "eql", - "version": 205 + "version": 206 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { "rule_name": "SSL Certificate Deletion", @@ -5572,27 +5596,27 @@ }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "rule_name": "Potential Masquerading as System32 Executable", - "sha256": "8b980b38e01743202bf213e8e3a1684119d087b4ece47c02ca74498829afa271", + "sha256": "3333d79d05ec9e15466500362c0268b37e40266434c27aabb9d73657780de11b", "type": "eql", - "version": 8 + "version": 9 }, "79e7291f-9e3b-4a4b-9823-800daa89c8f9": { "rule_name": "Linux User Account Credential Modification", - "sha256": "50562e7ed1bab71a9aaff6ee05bd9aeca8a88c82cb416c4040a682e448246eb8", + "sha256": "795cea2132f0be536e09c042566c70bedbac1d9a32d7d90a6e8263771c4988b8", "type": "eql", - "version": 4 + "version": 5 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "rule_name": "Potential File Transfer via Certreq", - "sha256": "739bccdcfd3db9fb32edaff3316a98acf52b7a8558af12bc59d2855b1961179a", + "sha256": "1b443a5458a487078f9004f980c7c23accc89492275a498020941dcfbcf25f8f", "type": "eql", - "version": 214 + "version": 215 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "6dca80a21bd07d4cb0946bae4db9e87b3308a608f61d7f83ee89227f5470903f", + "sha256": "d9d5f80c14fa4219776918c52f1586fd8de74dbd8c7bb558bb623285497d8901", "type": "query", - "version": 217 + "version": 218 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", 
@@ -5614,15 +5638,15 @@ }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "b1a7438795c58d0002c7f5acb4e0a0e859379c4d78e74453f89e03d1177191c9", + "sha256": "99fca949ae8edfb7afb964e72886e6e40bb9aa3611aba9a895220b6a5d0f2bba", "type": "eql", - "version": 10 + "version": 11 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { "rule_name": "Potential Execution via SSH Backdoor", - "sha256": "822ab7570929788dc137266adcda1e304a01e733c283426f6c467a7521680cd3", + "sha256": "115b28ee0d196e28e67c341ab955d79013a022f4f7a4f1e7899195e22fb80d16", "type": "eql", - "version": 10 + "version": 11 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", 
@@ -5662,27 +5686,27 @@ }, "7c2e1297-7664-42bc-af11-6d5d35220b6b": { "rule_name": "APT Package Manager Configuration File Creation", - "sha256": "f81d72430f1b2d89ce17a700ebf187085759b5a6ebf54a9403e6e441bfeb17d4", + "sha256": "0f2225c0e5a72b8db9a421b84b3d7600a08c7515a0f9198c8171b5d44ec8a112", "type": "eql", - "version": 8 + "version": 9 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "rule_name": "Google Workspace Bitlocker Setting Disabled", - "sha256": "157e5ffc06f419ad6940e871b764ead2932667dd53a17c103978827e8a3116f1", + "sha256": "27e73369b79facdf452a2eeb38cd0a58ef0d040289eab840a04e14002f4b03b6", "type": "query", - "version": 109 + "version": 110 }, "7ce5e1c7-6a49-45e6-a101-0720d185667f": { "rule_name": "Git Hook Child Process", - "sha256": "a694f40a65b07c3c43af49d86e22e12be7e5373f3c29c10218235a7fc851d6de", + "sha256": "e1aafa5f4d3337d194ce54fa78c294dd28edec70497f58d3cfefde65ee48e549", "type": "eql", - "version": 106 + "version": 107 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", - "sha256": "1ff9d6f50da5c85c4aba702a23bff1479031602cd3c7b1418f230190dcb0dfe8", + "sha256": "986520c08328530d000cba6aeabd461662a6aab489f6a5175dcc2962d1ebe543", "type": "query", - "version": 107 + "version": 108 }, "7d02c440-52a8-4854-ad3f-71af7fbb4fc6": { "rule_name": "Alerts From Multiple Integrations by Source Address", @@ -5692,9 +5716,9 @@ }, "7d091a76-0737-11ef-8469-f661ea17fbcc": { "rule_name": "AWS Lambda Layer Added to Existing Function", - "sha256": "9bd31c52b89b1c34fd08553ad975e18ed5d7bc6ec0b6940c262d7d9717a12c31", + "sha256": "2b6cdcd231748c61f53feb9963e71c2ea8b5408fbb62f12921966de5391b23a8", "type": "query", - "version": 7 + "version": 8 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", 
@@ -5704,9 +5728,9 @@ }, "7dc45430-7407-4790-b89e-c857c3f6bf23": { "rule_name": "Potential Execution via FileFix Phishing Attack", - "sha256": "3a1b732e8be3a1cf4952a67727c6163f1f442150dc53f09939833ae406ce4ab2", + "sha256": "7552c27d9839591151b20b2777a97138d46a546f73a79af040d8763c0dabe036", "type": "eql", - "version": 1 + "version": 2 }, "7dc921db-4cd3-48ef-88bf-2bfa91f29f5c": { "rule_name": "Entra ID Custom Domain Added or Verified", @@ -5722,15 +5746,15 @@ }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { "rule_name": "Suspicious Kworker UID Elevation", - "sha256": "bf59b10250da89d024f6f5d1f4c7e97528116633e4d8418f440ad65dd0424702", + "sha256": "85bbf6cf0101b56ff21d6892fe6fb8895c06afbd4c9ab6bace4d8db07ede02ba", "type": "eql", - "version": 6 + "version": 7 }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "493e22ea78c761eae9056fac3878d9b6d1ebbaee2624fee14ae21875d09353b1", + "sha256": "ce3eab09aed04f923be31c2e962c4f6b205d223e8c70a7fa93f99f55e8cccd73", "type": "eql", - "version": 313 + "version": 314 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", 
@@ -5746,39 +5770,39 @@ }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "rule_name": "Security File Access via Common Utilities", - "sha256": "aa8bd6fdfbed576bb8c1b64ea5fe017b18e991910e48f211f5b76ead1eaaedec", + "sha256": "dfd9d1738b7b47ca18ef97c110717eb2ebb80cd79bf43dcd58d9f5ca4f7dc466", "type": "eql", - "version": 106 + "version": 107 }, "7f3521dd-fb80-4548-a7eb-8db37b898dc2": { "rule_name": "Potential Notepad Markdown RCE Exploitation", - "sha256": "88714010e65bea6f44a54b09c5312c0844757ded9c621de9a615efcbfc8f73d7", + "sha256": "ff0ce0b917f4d95e3ba214a663661594a129575d10f91c29992c7832c41b60a9", "type": "eql", - "version": 2 + "version": 3 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "209bb76a623ef2ceecf2a1aee175416811264a846f5849790c6d7cbb8ef45131", + "sha256": "69dfb1e0f5d03ec1d65f9e5bb3a1e3447beee47c6a8cd7e499615db82def6721", "type": "eql", - "version": 212 + "version": 213 }, "7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b": { "rule_name": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation", - "sha256": "6815297487b127a300e756f95452928556f43a380b3247d72f838c651ec85eb8", + "sha256": "313125e03d372aba438ca517f9c4a42fecac7a75eac9373fec72e311942d809a", "type": "eql", - "version": 1 + "version": 2 }, "7f65f984-5642-4291-a0a0-2bbefce4c617": { "rule_name": "Python Path File (pth) Creation", - "sha256": "9cb285c73a58b7f55d2270444624ce284968b053b72781884d5a33bff30e62b5", + "sha256": "5357e1bfb039ea8b93e129b2cdac2371d183c097a8351e7f1b28d086e81f487f", "type": "eql", - "version": 6 + "version": 7 }, "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": { "rule_name": "Web Server Potential SQL Injection Request", - "sha256": "e8f73888757eab5978f3e31aef96d979b411a46e20872f2538df52b0572a1cc3", + "sha256": "30aa21ec0a72baf965a1cc4c73807f1dba317eeb02fee3d038e5f6869527cd9b", "type": "eql", - "version": 2 + "version": 3 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { "rule_name": "Discovery of Internet Capabilities via 
Built-in Tools", @@ -5788,9 +5812,9 @@ }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "rule_name": "Systemd Timer Created", - "sha256": "ffd12199db7dafd205e3b23c7316d44a9a304ac3c3e6730b2075260fb983096c", + "sha256": "11fb6ed836d3d13fda309a2ddebc6784355450f5e65c15241634917d7de7a449", "type": "eql", - "version": 19 + "version": 20 }, "7fc95782-4bd1-11f0-9838-f661ea17fbcd": { "rule_name": "M365 Exchange Mailbox Items Accessed Excessively", @@ -5800,15 +5824,15 @@ }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", - "sha256": "273635e3d94265c8539f908bff1965b23021614338a6e90d4dc7c080147d8dde", + "sha256": "40911f3a840c98fc17c16032d0a9b113cba2c4a99423d28a52a4f70d868bb110", "type": "eql", - "version": 10 + "version": 11 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "ecaafc5bf5d7b3e1ea6d21e1969ffec6b5571bfc6d8a868e834f8b53ee791434", + "sha256": "5a2251601cf605cb63463e81b7f57bf842eb1dd019bcc6e1a5d05909114cea77", "type": "new_terms", - "version": 110 + "version": 111 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { "rule_name": "Unusual Process Extension", @@ -5818,9 +5842,9 @@ }, "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { "rule_name": "Deprecated - Potential PowerShell Obfuscated Script", - "sha256": "72a01fd54afb28c944bf94f431e2f37ee0678bbd7fc3d85d119f6a3282220b26", + "sha256": "fefa473559337a11c4edaefa3914f1b5e6809c26b04da1e9eb98f17f147f93a2", "type": "query", - "version": 109 + "version": 110 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "AWS SSM Session Started to EC2 Instance", 
@@ -5830,15 +5854,15 @@ }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", - "sha256": "e7c4132d51d3d348842c0ba1e39ac406a80258333d648ada160ba675f302facd", + "sha256": "be4fcdd1b914e92f16ebb75fc86828552c9fc7abda2685ac63b28f7d9a3f2054", "type": "eql", - "version": 107 + "version": 108 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", - "sha256": "272e14dd9496c7030d82926713a2ce20703c2bbdd138ab8e3102543dec9d6ed8", + "sha256": "99bf6df5902600b0c743678eb247b68b3d1fdec36e3c5d7f879c547fd0141726", "type": "machine_learning", - "version": 212 + "version": 213 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", @@ -5848,15 +5872,15 @@ }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { "rule_name": "Unusual Remote File Extension", - "sha256": "71c7673c8d33664e251206a8c6b33692ab2583160ba5cb665ca3f4feb143979a", + "sha256": "33a6b5894bf572fe38a6958bae8ae131abc5dc3bbc817b80fd113e9e3864b0ff", "type": "machine_learning", - "version": 8 + "version": 9 }, "8154d01d-04d1-4695-bcbb-95a1bb606355": { "rule_name": "Gatekeeper Override and Execution", - "sha256": "8afead563aec10ecbe9ff320f472d7ef9aaecb7af95c998f1f5e9db6c65350e4", + "sha256": "991965250b10d42aec5d6ee76ab2fd8a361227d80eb667d76a4fa93528ded285", "type": "eql", - "version": 1 + "version": 2 }, "8167c5ae-3310-439a-8a58-be60f55023d2": { "rule_name": "Suspicious Named Pipe Creation", @@ -5867,9 +5891,9 @@ "81892f44-4946-4b27-95d3-1d8929b114a7": { "min_stack_version": "9.3", "rule_name": "Unusual Azure Activity Logs Event for a User", - "sha256": "3b6dd078f56e918a4356301a29cfba68433b1d0cfd22ff759aebf7778600c5ea", + "sha256": "7c5faa919e74876e3f34492417b53d9f00eda55ae6d361c298363b9a310af609", "type": "machine_learning", - "version": 1 + "version": 2 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", 
@@ -5885,9 +5909,9 @@ }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "067bbe4c3d422970852d7c5d7dbe42bb1d0dedee1abaedd5eb778bf92e40fbbd", + "sha256": "78ecc919099d037e5659de54e87c82ad17df389c27afd588da069af4a012318d", "type": "query", - "version": 318 + "version": 319 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "rule_name": "Temporarily Scheduled Task Creation", @@ -5897,9 +5921,9 @@ }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "05adc3d0061ec5ff0fcfef1b7b4774742c17bc49ce1d5932c4ce5a56238e3ff4", + "sha256": "5b5b70876d3001d659553913b8987b5454fa88d97ba664716d9d4d284a02725d", "type": "eql", - "version": 212 + "version": 213 }, "8293bf1f-8dd0-434e-b52a-1aa6ec101777": { "rule_name": "Suspicious Write Attempt to AppArmor Policy Management Files", @@ -5909,15 +5933,15 @@ }, "82f842c2-7c36-438c-b562-5afe54ab11f4": { "rule_name": "Suspicious Path Invocation from Command Line", - "sha256": "ad582fa6b85b731dfd67150d645a69c5478eea3109f26f40072c23b827f5968d", + "sha256": "277df1300e839607dcd3b2f0c822ad6033930c8c4c737859b4bc8f29cacd38e4", "type": "new_terms", - "version": 6 + "version": 7 }, "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": { "rule_name": "Manual Dracut Execution", - "sha256": "3bc6296afa7a84b607821333ebadb5a4bf6583f34383b0ea2862032d4220bffe", + "sha256": "29c7059375d06cd1cc12a302f2333031ad5939f3b5d67b5793afadddfdaea7fd", "type": "eql", - "version": 6 + "version": 7 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", 
@@ -5945,21 +5969,21 @@ }, "83bf249e-4348-47ba-9741-1202a09556ad": { "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "553ef147268721ddc516e579c19daf3baccf3cbd76f1162888b183f723f1c224", + "sha256": "75bb8f9f31be1e9fd9403b85fb9ce838cae0777b298ceac489a7df0b3d413e08", "type": "eql", - "version": 211 + "version": 212 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "9d5125b89bf4b28b23fd80a946975483f91bbbae3e051bccc7ca6128bb7e2918", + "sha256": "e7181205724d4dd074ed7813ffe5b2b8d1e6b3d21158bb791df05b329db185d9", "type": "eql", - "version": 114 + "version": 115 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { "rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role", - "sha256": "09f6c49d3b72f57141f343b4f77c8b4112cb859139b6ef1a85f09ae998fb6a1f", + "sha256": "9c2b941e2e5930d93bbcee2beff72193ee97b4f901640925d42841c6e3868d87", "type": "new_terms", - "version": 7 + "version": 8 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "rule_name": "Deprecated - Microsoft Exchange Transport Agent Install Script", @@ -6006,15 +6030,15 @@ }, "85e2d45e-a3df-4acf-83d3-21805f564ff4": { "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction", - "sha256": "c396f8d6ed3ce693a1e895c47d620e54b123aade8d0fe2f21984be74f6d47b0c", + "sha256": "e1622f5f1fa297b5f0a4cb3e691f41981673b2a1b436b4ef9501bf1b863c902f", "type": "esql", - "version": 9 + "version": 10 }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "rule_name": "Potential Subnet Scanning Activity from Compromised Host", - "sha256": "b29b22ccd587b0cd409163c8bcb8cbe450cd8de6a9879edb11b706e88090a34d", + "sha256": "eb7966947b224f71bc5820c2ccdc7483d0ce47586bfb72edca96f14f0a673e78", "type": "esql", - "version": 9 + "version": 10 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", 
@@ -6036,9 +6060,9 @@ }, "86aa8579-1526-4dff-97cd-3635eb0e0545": { "rule_name": "NetworkManager Dispatcher Script Creation", - "sha256": "426456937bff5d6c76e9959095c5e30f7a9735e8bdad3fecebbc757628d21aae", + "sha256": "af4d1639fa424646c1f9aea3aa4e17d4c520b08a657af139282fba725cfc76d9", "type": "eql", - "version": 6 + "version": 7 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { "rule_name": "Potential Linux Reverse Connection through Port Knocking", @@ -6060,15 +6084,15 @@ }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", - "sha256": "ad55d7c869a8687881afbb4d90f0f33189652cba0b8de7c0f0f8778db0e12175", + "sha256": "d6f873969ac639bb9e587b0eaa85dc91eddd15cab10aa8065314db4ae93a4698", "type": "query", - "version": 7 + "version": 8 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "c30d4f3affb3f542a49d43b8722a103a8b771386946628814e8bc5b7f7bd18a6", + "sha256": "5b16d753e92cc7f4be569cf16c1873cf3dec458ae0e39312cf5031d8a2812c30", "type": "query", - "version": 211 + "version": 212 }, "877cc04a-3320-411d-bbe9-53266fa5e107": { "min_stack_version": "9.3", @@ -6082,9 +6106,9 @@ } }, "rule_name": "Kubectl Network Configuration Modification", - "sha256": "610a8cb4d2094544038062f65ed4745f98198a7994038fa0aeb006581813e4de", + "sha256": "a1894306d2121d58ca0fbece2a5bf937c976bf968265df675e6644c2ee86bd99", "type": "eql", - "version": 102 + "version": 103 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", 
@@ -6100,9 +6124,9 @@ }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "M365 Identity Global Administrator Role Assigned", - "sha256": "2b31ac6446ccc8882c59f1695ac283d95bd873f81e66fd55efcd8c5330ea7fc4", + "sha256": "7a08a69d94282ffb1752687208e33c672537ee52044eaebec4f2a3f7b0ca5af4", "type": "query", - "version": 213 + "version": 214 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", @@ -6112,9 +6136,9 @@ }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "rule_name": "Potential Sudo Hijacking", - "sha256": "154688775047f1e42f01bfbe28727cdbb601d1e00c8e0e830004be87c6e9438d", + "sha256": "15290009b50a0be19faab5d4bcf8b037b1133350ac236ed74d1fef9b7f28e36c", "type": "eql", - "version": 111 + "version": 112 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "rule_name": "Suspicious WMI Image Load from MS Office", @@ -6130,9 +6154,9 @@ }, "894b7cc9-040b-427c-aca5-36b40d3667bf": { "rule_name": "Unusual File Creation by Web Server", - "sha256": "c960e94b6fe858a351dc1e1bc20464d5403ad087c32cad69b265ddbca2bbcc6d", + "sha256": "82cbb50093b7189e8055cf91877ce1bc99b834a542647687ac04ef91ea1da63a", "type": "esql", - "version": 6 + "version": 7 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -6148,33 +6172,33 @@ }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "ebee242d6ebd5dd4df5eb9d53e35e8796a2b0bcb6e499808ec159da4d51abda8", + "sha256": "9a1514fa2f7c2e178c7f302e262eef5082e37f640a372ca6cec31a365d8fa536", "type": "eql", - "version": 213 + "version": 214 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Suspicious Command Prompt Network Connection", - "sha256": "3213a8de8068cd9157da88af05f5df49400dc63b5a902a20fbd436008c12e78d", + "sha256": "d3a28ac5257797347250b3cefc1d7cddf75c74111a6c131fc90628798f269067", "type": "eql", - "version": 213 + "version": 214 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "e1d2923b4618260ae746187c3d2d189c499dd85784378c90e3221265517e2688", + "sha256": "dd084e812cce1783a6f9ba2487369dcde52524dd9ebbdf42cbb46fbc6775cb61", "type": "eql", - "version": 110 + "version": 111 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "rule_name": "Suspicious Symbolic Link Created", - "sha256": "c626e05d95bf6f2caeec7338d852ca07b9d6465fb05303e6c68a3d8ab6196eb4", + "sha256": "85b2f05242ef2b243497149f4a9ced74f2092360b32956fbd76fa5877477b9ae", "type": "eql", - "version": 10 + "version": 11 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "fb1ea0e63a803e1940dff9f62dd54930786b39fa993f1997a8229653dd5551ec", + "sha256": "9bfe18606c0387f329727b706c76b385f09efeb34a8a6009b0590757d8759506", "type": "eql", - "version": 211 + "version": 212 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { "rule_name": "GitHub PAT Access Revoked", 
@@ -6184,21 +6208,21 @@ }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", - "sha256": "e2a83a3fdca1852a222f19e286148fd37cec4304dc95d3edb9abb5c519dcc48d", + "sha256": "3cdc89e93768197c70d988777a765055e5d99d6ff147c94e5015d96650a4f6ce", "type": "eql", - "version": 109 + "version": 110 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "dd402a12633ed1ab118bbcbc953d65b005d1dc74c6eac3297fb4350cef59619b", + "sha256": "349ded4bcc9e6ba485b858b410906271ef2070655016a3b59de4611d2494c49e", "type": "eql", - "version": 212 + "version": 213 }, "8a1db198-da6f-4500-b985-7fe2457300af": { "rule_name": "Kubernetes Unusual Decision by User Agent", - "sha256": "1e224a2bc29fa5fe95faf7db7dd26935a7eaea101a9e5bada56484b937112be5", + "sha256": "26e95d71a6ccc8bd7c4b84c6b01b1f8a5690190cce2e844d04b5709d0ec54a0f", "type": "new_terms", - "version": 4 + "version": 5 }, "8a556117-3f05-430e-b2eb-7df0100b4e3b": { "rule_name": "FortiGate Administrator Login from Multiple IP Addresses", @@ -6208,15 +6232,15 @@ }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "dbce4eb6536e98fead4c6b92a94a9dfc69b503211cd450e3c89655a61ff3653d", + "sha256": "1fd50152519656e2f81672b43d60101562d7d075eeeb952663e16a2ce248a807", "type": "query", - "version": 413 + "version": 414 }, "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { "rule_name": "Unusual Command Execution from Web Server Parent", - "sha256": "532a58af8d89c41e3de894fde3842c7d363fe0607782382b0a6307e6ce89bfe1", + "sha256": "b3ea46a26a077fea90252c502566b8938f20bf14cbd218600f2c4580933deecc", "type": "esql", - "version": 9 + "version": 10 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -6226,9 +6250,9 @@ }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "f89e4c36997cbe9bbd3b245a20fdb5ca518b563f1fbeb22c2fdde82146a8ffde", + "sha256": "500aa971acca151f7325aa6f5b1b35a36cd749170866c9f0f3f9a5d1061d008b", "type": "eql", - "version": 109 + "version": 110 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "rule_name": "Executable File Creation with Multiple Extensions", @@ -6250,27 +6274,27 @@ }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Events Deleted", - "sha256": "20b2586d7fe6f001abbc023f34c06f874edf48193694fcb62b237762033f9174", + "sha256": "ad9d0b9037da823dfd02a3e6628966718fc5f862afa0639e15b32821fa763abd", "type": "query", - "version": 107 + "version": 108 }, "8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": { "rule_name": "Several Failed Protected Branch Force Pushes by User", - "sha256": "3935786d70057d64ab74ad51d331966c633ef77288e78f0bd9fe008e0a5fd11a", + "sha256": "d4cbe77b91140ce9ceba3b2895682426f7950773eabb61ae8972fef8ed09df0f", "type": "esql", - "version": 2 + "version": 3 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "dcdfd61701dea4fe94233755e511f8bcf367c7b025cf088786c7a2d094011cec", + "sha256": "17e34f9cd4b5886eb1615c875f70160a8bf80caa21d966f5a15dc8399087c7c6", "type": "query", - "version": 107 + "version": 108 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", - "sha256": "049ee13aaa5ccfc606fd52f980a2bce0189ce70877afc655a8218996270d86b3", + "sha256": "3999c76431ca92c9063d85b4f0354a9cc2237cdf19ecfcce86514ee863069f6e", "type": "eql", - "version": 317 + "version": 318 }, "8c707e4c-bd20-4ff4-bda5-4dc3b34ce298": { "rule_name": "GitHub Private Repository Turned Public", 
@@ -6280,21 +6304,21 @@ }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", - "sha256": "6d506eeffc6b03a3695cc525f379e6d1c988c17a56a8b90f8f8e202c073febb8", + "sha256": "4cf3598e184cd3c8984d8d33d2a1c2d9b9516554d1c903ef569a66889fe0c998", "type": "eql", - "version": 111 + "version": 112 }, "8c8df61f-ed2a-4832-87b8-ee30812606e0": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding via Command Line", - "sha256": "f4ec1a9e2f971442d5dbcfb322a4643fd862ebbfad2327f63defa293adad462a", + "sha256": "0adfd339ad27a6b8b76c80aedee937f94c4f97230a6eb989be7cc055dc705db6", "type": "eql", - "version": 1 + "version": 2 }, "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": { "rule_name": "Unusual Host Name for Okta Privileged Operations Detected", - "sha256": "7a6965067decb91421ed50757505f4af9ffd89cf9cf0f0e91cae128d11f3a3e9", + "sha256": "8d6b03d8b977dac1e4f97975d2503c23388923c451ba2f613c2166c4691efcc8", "type": "machine_learning", - "version": 3 + "version": 4 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", @@ -6304,9 +6328,9 @@ }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { "rule_name": "Potential Successful SSH Brute Force Attack", - "sha256": "39313bee43b740e0f0e4d9e657d8c296d27cf1b22b639cf3c6cc6163940f9905", + "sha256": "a96fb4b4b383179cc72cb5eae13d8db7519f05a462df336a7c09f4ff2348581e", "type": "eql", - "version": 15 + "version": 16 }, "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { "rule_name": "RPM Package Installed by Unusual Parent Process", @@ -6322,9 +6346,9 @@ }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", - "sha256": "f9b8f99ec26b989e24f1152d9ad42ab9af8e41d40acd404ef8667b07cb6f0ac4", + "sha256": "0bf06ca7dbd6bf33afe26f82f0a013a7c48a33b7aa69fe2114aa607308c21adb", "type": "eql", - "version": 5 + "version": 6 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "min_stack_version": "9.3", 
@@ -6350,39 +6374,39 @@ }, "8d696bd0-5756-11f0-8e3b-f661ea17fbcd": { "rule_name": "Entra ID OAuth ROPC Grant Login Detected", - "sha256": "c6a5293af2a49a475ae8216a308aed808bb06db83161d49a1d3fae4e71ada003", - "type": "new_terms", - "version": 2 - }, - "8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6": { - "rule_name": "Potential Data Exfiltration Through Wget", - "sha256": "8daccf899c1de00970772d1b6a6a89519475d13897cc49c15a3a4a4d4d619d79", - "type": "eql", - "version": 2 - }, - "8d9c4128-372a-11f0-9d8f-f661ea17fbcd": { - "rule_name": "Entra ID Elevated Access to User Access Administrator", - "sha256": "f3c8c758f1401358a58572b2f351d55e706b678acc2c00cec14b534ab3af2b84", + "sha256": "ff32f3850f01753a8c4ff52837e697b8cb64952b67c697ee24ad7ea76acf4860", "type": "new_terms", "version": 3 }, + "8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6": { + "rule_name": "Potential Data Exfiltration Through Wget", + "sha256": "3fd2b1b4a83e83cd6cc4d3b9171acbf2a8727daa0a182983a596c27976019c1c", + "type": "eql", + "version": 3 + }, + "8d9c4128-372a-11f0-9d8f-f661ea17fbcd": { + "rule_name": "Entra ID Elevated Access to User Access Administrator", + "sha256": "9319f317c948573adfc9710297958adf4d3497eca03a73b3c687f0080c47bf77", + "type": "new_terms", + "version": 4 + }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "deb464e30e85354dc3dcfc4f32483257772a7a1b609d9dc33a8560f230be4e90", + "sha256": "b076e4e14884d25fba16f078694f7925272dd885b2e4091bc53e86bf8312b0fe", "type": "eql", - "version": 212 + "version": 213 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", - "sha256": "846de30bfee2fb2851a8c6bdcfcca47cd415e4a2b0aeab32df3404dca827caae", + "sha256": "1d8de54598b389563a10a4a6650cef088cf18c737a20de371fc82727a9ec432f", "type": "query", - "version": 106 + "version": 107 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": 
"13e32526ec5f3ea8afe105014601fb2d3cf7ede6434f1558469e2246d7a17072", + "sha256": "b34944c55acd8e8a9c5b99ca8febdb20912e263159ba8462274a230690882f4e", "type": "eql", - "version": 210 + "version": 211 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", @@ -6392,9 +6416,9 @@ }, "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": { "rule_name": "Entra ID Actor Token User Impersonation Abuse", - "sha256": "f0f5507ec01c62ad2d52cfa28f5838a924c8c89eff04e88ea7870b454d0d8541", + "sha256": "3d44c73a3692bf5d2e82a05e5660e69202bc834886ad39fb4b6b3fe0211e845a", "type": "esql", - "version": 5 + "version": 6 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "rule_name": "Bitsadmin Activity", @@ -6404,9 +6428,9 @@ }, "8eeeda11-dca6-4c3e-910f-7089db412d1c": { "rule_name": "File Transfer Utility Launched from Unusual Parent", - "sha256": "7f9c0e2ac161d55ba0eb7cbe17ec9b58afd387e4186d09779061dc427cf38ba1", + "sha256": "35d4cf378e1864f4bec4f0fb2fa48977ca5e60207aeb39827e0625a6c1473cea", "type": "esql", - "version": 9 + "version": 10 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", @@ -6422,15 +6446,15 @@ }, "8f8004e1-0783-485f-a3da-aca4362f74a7": { "rule_name": "Linux User or Group Deletion", - "sha256": "fac2426e338073ef38d46aefaf5984f891f175da708d915a34cc536123f8eba9", + "sha256": "9097975f7890b4d531b35ae33794bd65145b919c575d26e22fa95c26151a5f1c", "type": "eql", - "version": 1 + "version": 2 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "5a6c0fd9f1056ae1872a6860d6986dba91877e1eeb3641f5a39569457c350d3f", + "sha256": "228c17439f27e613d0b772ab38c3e921ac3177b0cb0c85045797d3e7489e9316", "type": "eql", - "version": 210 + "version": 211 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", 
@@ -6446,9 +6470,9 @@ }, "90169566-2260-4824-b8e4-8615c3b4ed52": { "rule_name": "Hping Process Activity", - "sha256": "1209b2a3c652cad88138da2eb87892666eaa6d7c4a8b6182d2134dd19b745c51", + "sha256": "5452130912b7e1ab2aa128c84c0b21c6969d10067f9d01105f86b08e0a26dcab", "type": "eql", - "version": 212 + "version": 213 }, "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": { "rule_name": "GenAI Process Connection to Unusual Domain", @@ -6464,15 +6488,15 @@ }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { "rule_name": "Simple HTTP Web Server Creation", - "sha256": "a23cba747475bf65ee2f72a8b5b8dc3170f33feba6b87c356651dc311074c83a", + "sha256": "09d9d01561eb71ac979bff7232ba219371801a51e963720cbb333052c30acf43", "type": "eql", - "version": 105 + "version": 106 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "c39cbcc9ec00fb8b8524d9882aa4493642e4a647cde6977cb299df8d20c86b1d", + "sha256": "3767b47364ab96c700f9ddf5ee8bf9636f68b00a9d5b36d8c98ee2483cd8cd65", "type": "eql", - "version": 113 + "version": 114 }, "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": { "rule_name": "Excessive AWS S3 Object Encryption with SSE-C", @@ -6495,9 +6519,9 @@ "90e4ceab-79a5-4f8e-879b-513cac7fcad9": { "min_stack_version": "9.2", "rule_name": "Web Server Local File Inclusion Activity", - "sha256": "33952d37f02671cfd9f0b61713e18036220cf9bd1a581fa74190fd1a7aceaa27", + "sha256": "a9dbdf2d7d10d4b7b1a9a7cffe83e0df5431c2b815f192a0f94750464cc77708", "type": "esql", - "version": 2 + "version": 3 }, "90e5976d-ed8c-489a-a293-bfc57ff8ba89": { "rule_name": "Linux System Information Discovery via Getconf", 
@@ -6507,15 +6531,15 @@ }, "90efea04-5675-11f0-8f80-f661ea17fbcd": { "rule_name": "Entra ID Unusual Cloud Device Registration", - "sha256": "5b2c500cbc2dab1090c08cd6291b33e213a59618a2b5198d2e8b99f1b41b2dd5", + "sha256": "2a5315299c90071c76c62049a8a83d055add0945a353fa6b2fcedf11b74abfbe", "type": "eql", - "version": 3 + "version": 4 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "9ed99ec9a3de42fb40262d6e25e3ad8a768e7d263d9871a96371fbd40bab8993", + "sha256": "15b85ca67f6aed22967d5fccd07283f873fcf31bdf97fe927995ea261e8db35d", "type": "query", - "version": 107 + "version": 108 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", @@ -6531,15 +6555,15 @@ }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "rule_name": "Unusual Web Request", - "sha256": "48f49cf6ff7a2b88e730b821486130bdeb51163a054125e315df8a5b5f18e1f5", + "sha256": "c2a5dcf47a109617f2ae0c83a92116a8d4b1a8335b84b9c65d58ab3333ed2ea0", "type": "machine_learning", - "version": 107 + "version": 108 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "rule_name": "DNS Tunneling", - "sha256": "2871a56af162b6dcaa9cb770f845ce1100523e91f5cf859a93332be52e9d4a0c", + "sha256": "f497eccc9233e8257ed6e93ccb53e711b11690bb288e1e79e9d3562fb7773c14", "type": "machine_learning", - "version": 107 + "version": 108 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", 
@@ -6555,15 +6579,15 @@ }, "929d0766-204b-11f0-9c1f-f661ea17fbcd": { "rule_name": "M365 Identity OAuth Phishing via First-Party Microsoft Application", - "sha256": "dbc0ec41f751d7441029d96a10b598fb57dd1d8b6709ae7bd616890f2b0801fa", + "sha256": "d6e42a616ed7bbe2472cc4fdc3742e026c67afcb1a0587711b1c43fc7f32d79e", "type": "query", - "version": 3 + "version": 4 }, "92a36c98-b24a-4bf7-aac7-1eac71fa39cf": { "rule_name": "First Time Python Spawned a Shell on Host", - "sha256": "e51b54650c42f9d44ee2560310bdc08ecb5641e1de49371a6ad5fe39db0610d5", + "sha256": "be63d148ae752f2a10774f0a44d74f9d112e91c8757bb2b6821252b3481ce6c1", "type": "new_terms", - "version": 1 + "version": 2 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "rule_name": "A scheduled task was created", @@ -6573,21 +6597,21 @@ }, "92d3a04e-6487-4b62-892d-70e640a590dc": { "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "adef5e4455f6e473e36a4449f35b4cc39bc56074ba769f171a3fa2a7514b6f83", + "sha256": "d684c85dc5d52b61cf3a00401b6d7b15bb24a6a8d501121605996315037983b5", "type": "eql", - "version": 109 + "version": 110 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", - "sha256": "03b386bdf11a11611a6a26938ba70a0bbf61c5512116c4ad60735dfffca3caa3", + "sha256": "d069247b8ddebd603422b604d8a4bce7a860e3e879e680a440c5252f81301fca", "type": "new_terms", - "version": 214 + "version": 215 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Activity", - "sha256": "94fc3790f7b269024ccf24f59ae98d94a131d31aa37ab462091d9ede98b5d6ef", + "sha256": "bed251adfc37c827253140e4659e753a36a15717622a7081ab318cf765576578", "type": "eql", - "version": 210 + "version": 211 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS VPC Flow Logs Deletion", 
@@ -6603,9 +6627,9 @@ }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Deprecated - Encoded Executable Stored in the Registry", - "sha256": "819d88211a74681757c27c0eb0ea164fd5c4a94925056350fbf01ded6ddae907", + "sha256": "8e8b9ac5138c62d2b2a02a20501c1553751117f056094b9ddf235ae808b96ad5", "type": "eql", - "version": 416 + "version": 417 }, "93dd73f9-3e59-45be-b023-c681273baf81": { "rule_name": "Linux Video Recording or Screenshot Activity Detected", @@ -6615,9 +6639,9 @@ }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "7be1cb011c38151697499b5072f449871604670f61f78a51bcc8cd4f20891454", + "sha256": "ef34d40c1057c774d6ef0c63e18c0e86cdd601194cb98eaf32b8ff38c9a1f524", "type": "query", - "version": 208 + "version": 209 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration", @@ -6627,9 +6651,9 @@ }, "94418745-529f-4259-8d25-a713a6feb6ae": { "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "c174873b577d0a7473d134cd1736941903ed102c0ff134d59d8b03a34388c261", + "sha256": "36ac08934324e18a5d413160904562eb2048ebc1ec0386d2e5c65e183599afbb", "type": "eql", - "version": 108 + "version": 109 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Deprecated - Creation of Kernel Module", 
@@ -6657,15 +6681,15 @@ }, "951779c2-82ad-4a6c-82b8-296c1f691449": { "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "d7a3f1617beda3e7d11241a3206a0f8603150de68cfd53d84abede9af4557d63", + "sha256": "0667231065032d984269b8e7c38c6f897272af7ebfd80313727e1eb8faf5342b", "type": "query", - "version": 108 + "version": 109 }, "952c92af-d67f-4f01-8a9c-725efefa7e07": { "rule_name": "D-Bus Service Created", - "sha256": "4aa02955237441509504054ce456733c32d997d40043e181b87b1ebc1806a13e", + "sha256": "a18c513e885014629b1256650fe3ded14d233dc2ed783efca6ecb4b8af1946fa", "type": "eql", - "version": 6 + "version": 7 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", @@ -6681,21 +6705,21 @@ }, "959a7353-1129-4aa7-9084-30746b256a70": { "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "31e2f17d4f6eee75ad942db3473974cffd6ff8ed827c2e83eda081d95f4fccd6", + "sha256": "ac705fd1257ac37bcda167b715884142ebe726b87d21f9f82b2b0bbd48822ee4", "type": "query", - "version": 213 + "version": 214 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "cd1a5de507c25bd1a6334afde371785eb24794bfa0ef15228a7e405e5ae20e85", + "sha256": "960e6fd80772b1bd33599bc31c7754c78c9f0f8caa486f7ce3f6a3da2849e4ae", "type": "esql", - "version": 208 + "version": 209 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", - "sha256": "6a9330b4f80799423ca5aa1c542e8516f4fdae2830bbc271fb8933fd7e8747ac", + "sha256": "7a76f9664f6701830b8f83735fb4063a5318f60a1966f61e7591ede0fd5dc745", "type": "new_terms", - "version": 6 + "version": 7 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "min_stack_version": "9.3", 
@@ -6709,9 +6733,9 @@ } }, "rule_name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers", - "sha256": "a39b6d8b42657868bd51fc294ad4f68e4913d96ed2692c0b711d82a301b287c9", + "sha256": "8731c52d5893d47420bbb5a3b0149d7db6bfb0f0bb7297e2fd1c7cbbb03a5f01", "type": "eql", - "version": 104 + "version": 105 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "rule_name": "File made Immutable by Chattr", @@ -6721,21 +6745,21 @@ }, "96b2a03e-003b-11f0-8541-f661ea17fbcd": { "rule_name": "AWS DynamoDB Scan by Unusual User", - "sha256": "3eed4a4c3204cad01ff4a9d1c6cc455649e35300c8afa58eb7986f4f11d49357", + "sha256": "c9bee1a192b67f29b4efb6de03dc39731e216acb146248d30b554c9bc0750917", "type": "new_terms", - "version": 4 + "version": 5 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", - "sha256": "a5d1a18063a75668e70700f1528f8337ed0d0f3744f711f615a6b1bc9a4164c7", + "sha256": "546289b4c1c2dfc97c6bd7689c6ea92981adbe5b8a4740ea67493bf8946f56a1", "type": "query", - "version": 412 + "version": 413 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", - "sha256": "ac357aa91e08aa36f7be5de2449841183f216d2ec7c667740a641a11b9c65e8d", + "sha256": "fb6f0c3d4a4b1103cffd1214243faf16011837bf6185ed9dd364b4b00955967d", "type": "eql", - "version": 16 + "version": 17 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Keychain CommandLine Interaction via Unsigned or Untrusted Process", @@ -6745,9 +6769,9 @@ }, "96f29282-ffcc-4ce7-834b-b17aee905568": { "rule_name": "Potential Backdoor Execution Through PAM_EXEC", - "sha256": "fa1a3b730a4e917d8ec81a44c2b67adb54d122a598d6b6bccb4d8d840f2a5c9f", + "sha256": "132131e91bb5571399245226355bb06a9e2707dbe7eebedaa18d51a965601746", "type": "eql", - "version": 3 + "version": 4 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", 
@@ -6757,9 +6781,9 @@ }, "9705b458-689a-4ec6-afe8-b4648d090612": { "rule_name": "Unusual D-Bus Daemon Child Process", - "sha256": "4d2ab02405987d41c1061c79fef892618ed337cd1d4ddfd42bdebc91365a3e07", + "sha256": "32963455b75df93504e8d1002eaa12a8821f55aa19be3c4fee1115dc42f8708c", "type": "eql", - "version": 5 + "version": 6 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "M365 Exchange Anti-Phish Rule Modification", @@ -6769,9 +6793,9 @@ }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "c138eb09128dd118093e7159c1ca2369fe0593b5c3cfead636e46f3864dae12d", + "sha256": "e5aca962f0e6a45c5b8bcd98533ca267135de0e9de2a39cd257cf5da65df8850", "type": "query", - "version": 107 + "version": 108 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { "min_stack_version": "9.3", @@ -6785,21 +6809,21 @@ } }, "rule_name": "DebugFS Execution Detected via Defend for Containers", - "sha256": "6f417db542766a62e63ab34064859b422867fa877dea2028ac2b68a752952766", + "sha256": "cb201a9e31aa49674cb68601b095f1fe2812900a8e7b104b8e5a35913c4cd69c", "type": "eql", - "version": 103 + "version": 104 }, "976b2391-413f-4a94-acb4-7911f3803346": { "rule_name": "Unusual Process Spawned from Web Server Parent", - "sha256": "28badeba84b69db9ee4eb75b4f53ecf57a1f2b8ccb9d7c366d49d05603891751", + "sha256": "208453906aafff3188872be131447a9bbfe2e54cff5582b8edeee4167e7f9be3", "type": "esql", - "version": 9 + "version": 10 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", - "sha256": "15e8bd9e821ff9f947a44455beebc90071a7d9a4dfedbf53a308edfee89bd817", + "sha256": "e26d7f62021d18acc8dfecd73e65d07df91ece0a39a25b986eef48672e1a5cfa", "type": "query", - "version": 212 + "version": 213 }, "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": { "rule_name": "Potential HTTP Downgrade Attack", 
@@ -6809,15 +6833,15 @@ }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications", - "sha256": "e60ca0f40eef1090732be6cccd54853228ee8d052ddf109441c7cc42cf9e8ba2", + "sha256": "5898b2b9e2deecc44bb0867c1299f960eb490ea7a0d595eca75928027eaf8710", "type": "eql", - "version": 417 + "version": 418 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", - "sha256": "49e682ed0900fe6b4dd64afcb66820ad063b579ddb64ab9e0f6f7ed0df6b229e", + "sha256": "2f112a9f4661303deb296d1447e823390a464df00c5cf5ee3cc51a00af441846", "type": "eql", - "version": 420 + "version": 421 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", @@ -6827,9 +6851,9 @@ }, "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { "rule_name": "Suspicious Renaming of ESXI Files", - "sha256": "de75fc9bf1e6b63717acafa0f2e0c57992bb564865585ee68a30b90e82d33346", + "sha256": "34932396b727d338f36c36468067ccae5bda12c0704d2824ff90b34548bbe134", "type": "eql", - "version": 12 + "version": 13 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", 
@@ -6839,27 +6863,27 @@ }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "rule_name": "Startup or Run Key Registry Modification", - "sha256": "ca0340b830856c1096c16293dea815fc9e920d28b925cd1837d17de17f277612", + "sha256": "3f693807be8d9f10dda45d8759ac626810c760ebf05dfebcc180a15a5094498d", "type": "eql", - "version": 118 + "version": 119 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", - "sha256": "a0ba2bcc49a34c7465962ad88f73de571ce3f2066628be2012d784ad3c144815", + "sha256": "3dce30a6e5b5c9a25514018796e1f024fe119037256ea8b06b233d3e32249632", "type": "eql", - "version": 7 + "version": 8 }, "9822c5a1-1494-42de-b197-487197bb540c": { "rule_name": "Git Hook Egress Network Connection", - "sha256": "23c1a06c016f64ebd69f1851f64863ed4c9f284af3b1505f31fcd2e6dbb36eed", + "sha256": "cc8a4cc0fb13f05a7da5ab6cfb6cd3695172d812a45c53e6a907e9695ba46683", "type": "eql", - "version": 6 + "version": 7 }, "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", - "sha256": "cb9a8717146f6e34600a679ddc6cd6389f9467ebaf8262cb9fb5bd4aaa054eb7", + "sha256": "d8b0db21eaf28b6c2ede7046c2a599db635f704533c740913838a7ef0b324a85", "type": "eql", - "version": 106 + "version": 107 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { "rule_name": "Indirect Command Execution via Forfiles/Pcalua", 
@@ -6869,15 +6893,15 @@ }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "117b18f02e0d843e522d6111e758b53add8d55cb5ea06ccb3cb11fe297f88a4b", + "sha256": "fab3fd6a06ce0b5c14b01d3fa576252596d34492533ec8c9e60345dcac76df3f", "type": "query", - "version": 107 + "version": 108 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "M365 Exchange Management Group Role Assigned", - "sha256": "310d0d96f9c9dbf8d2359b702dc07c8547995f273adb1feceedeb1824ae453ea", + "sha256": "72314208ea72765e4adb514651f93c4e906e349120ec1ea0285b739e6832ce06", "type": "query", - "version": 211 + "version": 212 }, "98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": { "min_stack_version": "9.3", @@ -6895,6 +6919,13 @@ "type": "eql", "version": 103 }, + "98cfaa44-83f0-4aba-90c4-363fb9d51a75": { + "min_stack_version": "9.2", + "rule_name": "AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts", + "sha256": "4d1eb0d8f54d6d9ca893701c2deb5d9a983041c19a1127b93848822120ab39a0", + "type": "esql", + "version": 1 + }, "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780": { "rule_name": "M365 SharePoint Site Administrator Added", "sha256": "52534900cb089a485a4c94a1f500a1360cfdc36c116a0c025538279cd853204d", @@ -6915,9 +6946,9 @@ }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { "rule_name": "Suspicious Installer Package Spawns Network Event", - "sha256": "36abc0c0a66851f146ca5de478c883481a4db57dc1fa336a5e0434091e7e8288", + "sha256": "10b68299303c79e2f3f73069791e5403b756335bc4d4d502987b6d7352fd276b", "type": "eql", - "version": 112 + "version": 113 }, "994e40aa-8c85-43de-825e-15f665375ee8": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", 
@@ -6939,9 +6970,9 @@ }, "99ac5005-8a9e-4625-a0af-5f7bb447204b": { "rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query", - "sha256": "386127d0c66af62ae5577f0cd57b8f5c8627cbcc9d3484f413ffe10d01dcabb2", + "sha256": "b6cea4a0d0eee3e800098108eafb099e27c5451f75a5202a3d12408cb4e4916f", "type": "eql", - "version": 1 + "version": 2 }, "99c2b626-de44-4322-b1f9-157ca408c17e": { "rule_name": "Web Server Spawned via Python", @@ -6957,9 +6988,9 @@ }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "rule_name": "Spike in Failed Logon Events", - "sha256": "f86fdfd7f9e5f3789e9063903170f36e24b74691d8e3c80a274cb3ad7158f35e", + "sha256": "258d2a4aff6f38a12e7faee6637ec4ac5c3e839daa6ead4587fd9871bbdc57ae", "type": "machine_learning", - "version": 107 + "version": 108 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security (Elastic Defend)", @@ -6981,9 +7012,9 @@ }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "rule_name": "Suspicious Explorer Child Process", - "sha256": "dd80f5817acac0027dcebc6619363825539469594a770675572c555afdec7fb7", + "sha256": "4ede25035ced2ee53b8ba630714831c1eae23a3c7822356c127d7ace94d90a1b", "type": "eql", - "version": 312 + "version": 313 }, "9a6f5d74-c7e7-4a8b-945e-462c102daee4": { "min_stack_version": "9.3", @@ -6997,9 +7028,9 @@ } }, "rule_name": "Kubeconfig File Discovery", - "sha256": "9cf4ca024bd0b6a65da57d83de692104a85e503c0b78462225df6cfa64aeb91e", + "sha256": "952491df2d553d81ac6123388594fb05d3495f6ad8592f77c734e2f8c1ec0938", "type": "eql", - "version": 103 + "version": 104 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", 
@@ -7015,15 +7046,15 @@ }, "9aeca498-1e3d-4496-9e12-6ef40047eb23": { "rule_name": "Suspicious Shell Execution via Velociraptor", - "sha256": "138f1d64018a840b6ce3d00fc5ba4b817f9e711ef2388631f0f2846b54debe9e", + "sha256": "46a0569127e7cc1e492606dcf457c00340e9b183ff389fd350f292acea0f7545", "type": "eql", - "version": 1 + "version": 2 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "rule_name": "GitHub Owner Role Granted To User", - "sha256": "f2f81d6a850a0317bfda8ce3adb7dc062645f5850734d86e983f453a3f48bcd4", + "sha256": "b8021547bfb3e66b179d5a786645be09f322d02542d3b04ed497e64abba92682", "type": "eql", - "version": 209 + "version": 210 }, "9b35422b-9102-45a9-8610-2e0c22281c55": { "rule_name": "SentinelOne Alert External Alerts", @@ -7039,15 +7070,15 @@ }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", - "sha256": "a7fef893c45c5cdabba9e2538c69c7dabb406bf38fcd6126bf456dc4a00d5b0d", + "sha256": "08b7cbc1fe957a8e96b47412dde3a48dee6dd1c2196e026c8300003adc915044", "type": "eql", - "version": 9 + "version": 10 }, "9c0f61fa-abf4-4b11-8d9d-5978c09182dd": { "rule_name": "Potential Command Shell via NetCat", - "sha256": "8b7366396a7d5ebe64d336b843c68f81ab1cb913704133ec08cad70891f0de37", + "sha256": "e984f394b7db575dabb5ab5eae23ab9c57ebb2227b9f11c38f7cad14f9f9a7bb", "type": "eql", - "version": 1 + "version": 2 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "rule_name": "Hosts File Modified", @@ -7057,9 +7088,9 @@ }, "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": { "rule_name": "Unusual Interactive Shell Launched from System User", - "sha256": "bf3dbe84dcadf1939a398f274b6aa86c42aa4e5b12716ae9952a8477f0a5a02d", + "sha256": "9ece81aaee4ed5b034cf8a085367eaccce1145402d65119600ff18fed390a0d4", "type": "new_terms", - "version": 5 + "version": 6 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "rule_name": "Remote Scheduled Task Creation via RPC", 
@@ -7069,9 +7100,9 @@ }, "9c951837-7d13-4b0c-be7a-f346623c8795": { "rule_name": "Potential Enumeration via Active Directory Web Service", - "sha256": "01cc2728a3aaa64490a4359643d8ef66af312f2ca4a2e9b3c9cf9d655fafea00", + "sha256": "66ad019e1cd62c66983ee960fdcbe80dd6be678bd2e81d87a998a9fa1850936a", "type": "eql", - "version": 5 + "version": 6 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "rule_name": "Command Shell Activity Started via RunDLL32", @@ -7093,15 +7124,15 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "3b27f84b414ad14fef5c881ba7fd992f1742573d61e05a2fe2b20222eed9f15e", + "sha256": "70c80d9fd4279270f44d1ebb99d57f193bf3a07b00ca30244a3eca0ae8091b39", "type": "new_terms", - "version": 316 + "version": 317 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "ea39741402eae1c2de3b16ea9b7967105bb1104d83fde8cee5a1ed125bc989b6", + "sha256": "992beaeb7bdd47eff309d7867097199639cbc644bb723b3160d35592777a5c74", "type": "eql", - "version": 316 + "version": 317 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", @@ -7117,9 +7148,9 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "4a20239c78d80594c4f6a58e043c0e56b3ef5484fbded24b2a3fc9c5fd95748f", + "sha256": "077706fa97d8e176feb1fd774622b2256a6b8d0e93a5acefdaa7816e1069b803", "type": "new_terms", - "version": 319 + "version": 320 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", 
@@ -7142,22 +7173,22 @@ "9d312839-339a-4e10-af2e-a49b15b15d13": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Common Utilities", - "sha256": "98030edf36d06cdf0146bc3be290891b259b6a33b280ec19ff6382cb1126c2f3", + "sha256": "0d14505286b88870ce711b2d8fd82bf17953609503c68c0d232214333c7b046d", "type": "eql", - "version": 1 + "version": 2 }, "9d94d61b-9476-41ff-a8d3-3d24b4bb8158": { "min_stack_version": "9.3", "rule_name": "Tunneling and/or Port Forwarding Detected via Defend for Containers", - "sha256": "abda5d886c027c7acdd2c2c9794c552d98d75d0f329d924d0c9509263235ebb4", + "sha256": "f8be6f477a2da1a7d940956c6dbc04076b17f5ab491021aaa8b623554c49eae5", "type": "eql", - "version": 1 + "version": 2 }, "9e11faee-fddb-11ef-8257-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Authentication Type", - "sha256": "221e95b30c3f9132594ca8d2ea13d90345e2f5e585597c7ed073f601c81148e9", + "sha256": "a38c3966c3b2143e5136aa9701203813508c6670bdc2673c967b15484492d65c", "type": "new_terms", - "version": 6 + "version": 7 }, "9e81b1fd-e9fb-49a7-8ebe-0d1a14090142": { "rule_name": "Potential Password Spraying Attack via SSH", @@ -7167,9 +7198,9 @@ }, "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28": { "rule_name": "Potential SSH Password Grabbing via strace", - "sha256": "d2fb1e7e88bb29491c8fa01f26a5a3a50a50065abdf06ed375a9b102a600ad60", + "sha256": "c9bef573b3f690c4d008b46914f0168b42c2944eb1945c737c89d8a76e6f4aa4", "type": "eql", - "version": 2 + "version": 3 }, "9ebd48ac-a0e2-430a-a219-fe072a50146b": { "rule_name": "AWS CloudTrail Log Evasion", 
@@ -7179,39 +7210,45 @@ }, "9ed5d08f-aad6-4c03-838c-d686da887c2c": { "rule_name": "Okta AiTM Session Cookie Replay", - "sha256": "e83eb0975f982673d5e2c6240da8d5e17e7db175d72dc6df15da96c717104f26", + "sha256": "39164513ba294600eae6f1e6a7d5ac56cf28a69c5d48983ffe6a3f7ce5639f99", "type": "esql", - "version": 2 + "version": 3 }, "9edd000e-cbd1-4d6a-be72-2197b5625a05": { "rule_name": "Suricata and Elastic Defend Network Correlation", - "sha256": "069736ec0e27e4a41a9a2be1230b04c062e36fd2393cd332c593d7895d73e1ec", + "sha256": "1731ee5bc1af80f777474dad331fc0087b9cadcd773e56cac147ca1ab1d96b1d", "type": "eql", - "version": 2 + "version": 3 }, "9edd1804-83c7-4e48-b97d-c776b4c97564": { "rule_name": "PowerShell Obfuscation via Negative Index String Reversal", - "sha256": "b19dffa62d3df7148544385ab17298f3037388eb487eaf544505b0c11521d102", + "sha256": "b33c684120dc6f9e6274cf518cc990c7730ed0e47045a4cb79d4cf11bb098b76", "type": "esql", - "version": 9 + "version": 10 }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", - "sha256": "afa0e64706733be39b84d5ae11086fec9d877d20a2940d73afaad175a608b6ad", + "sha256": "73213f9e627c8ac38c4c910438c66c36006496bdf82823ee86646f57b4cdd703", "type": "eql", - "version": 7 + "version": 8 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "fab80c2f6dc690690e50c96aae45d746097c2abeaccf36db7f08dc8ad4f43cce", + "sha256": "de326157f887fe153178406c21d4c6d5b7083d7b37989d95fbe88cc3b47cf107", "type": "eql", - "version": 215 + "version": 216 }, "9f432a8b-9588-4550-838e-1f77285580d3": { "rule_name": "Dynamic IEX Reconstruction via Method String Access", - "sha256": "7045b58f9119ab5ed4fa366f17cda1286910cc23c9f46bf53054547d2fa5b56d", + "sha256": "a51bf01a5df76390c908b50a4a9b7c3fb2cdad0ed9c8e0c55d50b16b67c240d7", "type": "esql", - "version": 11 + "version": 12 + }, + "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f": { + "rule_name": "AWS IAM Long-Term Access Key First Seen 
from Source IP", + "sha256": "92b2699675495cdd2c77a223b88c257d9a4b5c9771dd463394da97c6d82ee6f5", + "type": "new_terms", + "version": 1 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via DCSync", @@ -7221,9 +7258,9 @@ }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", - "sha256": "45ebd846873b2090df7ce820b0ff1b65be3335784a8f200e2a1204c9e088e1f4", + "sha256": "d93040becd8bbf8f42f58453634aae7a7ea3e2544497b11c5ebe435f07c4b01b", "type": "new_terms", - "version": 215 + "version": 216 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", @@ -7239,21 +7276,21 @@ }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { "rule_name": "Potential Privilege Escalation via Python cap_setuid", - "sha256": "7f0125f7dcdbcaf2089a121b23b1595e7a3f36729d2b82c30cd5753352589f16", + "sha256": "e33dee9e1e0472fe7b4bb95a33a85484750138d145fa1fd68bad0ec533d1e2db", "type": "eql", - "version": 8 + "version": 9 }, "a0fbd7a9-1923-4e05-92df-b484168f17bc": { "rule_name": "Sensitive File Access followed by Compression", - "sha256": "e910bf96c71ee8bb6fec3cc3fde5260a1fed7f1c8601a0b631e0f7af2bd9217b", + "sha256": "4229ab56c54c29e2fee1021f6509406944d50803d252c497dd310d99fed68335", "type": "eql", - "version": 1 + "version": 2 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "99fda56283f6a5bc7b7a2a8f783178516e9590efeb3d04c0a96f7ba53346810e", + "sha256": "a218d4dc79d01dd2a13363d90001f8c870141866f032cfb7f3790965f33ed5a8", "type": "query", - "version": 108 + "version": 109 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", 
@@ -7263,9 +7300,9 @@ }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", - "sha256": "f8e895d4c1baeff1e615618dc43e5e9a9599d7f61f70f464c2074f5eaa35334a", + "sha256": "5efdf2a253cb05a0a0e2d843c94d7196d97edc860d48285c4275b8aa17f1887f", "type": "eql", - "version": 215 + "version": 216 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", @@ -7275,15 +7312,15 @@ }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "12fb13bd4b276eee68b30f7ce5743d3f6da9f2da1f47d5c77aee0fb852f1eab0", + "sha256": "082f848417d0983cbe8afe7fa8da7ba39df370cb36ee01d5ae23e94e2aad6783", "type": "eql", - "version": 212 + "version": 213 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "354d06b8918adc41575d74a6e7c19525f434aef4a51c270d1a82c77a009f667b", + "sha256": "b65e249cdd670a847b2aaee22255a1445633b93652c02c7da935fb513724cc80", "type": "query", - "version": 107 + "version": 108 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { "rule_name": "My First Rule", @@ -7293,9 +7330,9 @@ }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "85632de93b14e074f7b1cd989c58964ffacc5f4c3adb2d382c0092498fb89563", + "sha256": "1933279eb0a1f69eecd6e4e705790232b200372e83e832ecfb52e1319e301f5e", "type": "eql", - "version": 111 + "version": 112 }, "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d": { "rule_name": "Azure Storage Account Deletion by Unusual User", 
@@ -7311,9 +7348,9 @@ }, "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": { "rule_name": "Entra ID Protection Admin Confirmed Compromise", - "sha256": "38404d75082d19283a1f7a678f193438c1eb1868ab1c395c3b5633bd6c8e89e4", + "sha256": "c52bd8e1d7d776b7c835c3d44095c8af47658ddc9211239b2d3bb8e976c8a109", "type": "query", - "version": 1 + "version": 2 }, "a1b2c3d4-e5f6-7890-abcd-ef1234567890": { "rule_name": "GenAI Process Connection to Suspicious Top Level Domain", @@ -7329,9 +7366,9 @@ }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "rule_name": "Linux Group Creation", - "sha256": "ec196dbd90d33ec4874a0ea55614963b84c0372bb694bfc00779f85daec00889", + "sha256": "d0040002c9b7c60e5e303893dd4a5ca29f8df89596c3191f76c6af9d7d2eaf06", "type": "eql", - "version": 10 + "version": 11 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "rule_name": "DNS-over-HTTPS Enabled via Registry", 
@@ -7341,21 +7378,21 @@ }, "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { "rule_name": "Unusual Preload Environment Variable Process Execution", - "sha256": "e180f5334c7287e0ac2dbfc6bb6815060f5a68ceaf301c52643dbd7e133285fb", - "type": "new_terms", - "version": 5 - }, - "a22f566b-5b23-4412-880d-c6c957acd321": { - "rule_name": "AWS STS AssumeRole with New MFA Device", - "sha256": "eaaea319c13caf1cf8e2da240548950d1975fa2cebbd2d4ee5fa97b8687ebf62", + "sha256": "8ee49a67c0bedcc25c790e6d57a0835f5748dc89b35eb4dd6c0736231edeace1", "type": "new_terms", "version": 6 }, + "a22f566b-5b23-4412-880d-c6c957acd321": { + "rule_name": "AWS STS AssumeRole with New MFA Device", + "sha256": "c6d2802d60f7cb8fc9b21cb19e1950a297cea7077f518279a4cc9cf62dd449c2", + "type": "new_terms", + "version": 7 + }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", - "sha256": "290f5dd4735fc16f954e39d424d7f47daab28148de0828a8a22ea588eee81314", + "sha256": "31ca574a5425c352f948873b80bcd8001311f19ddad62b271eba6d788a54f4c2", "type": "query", - "version": 110 + "version": 111 }, "a2951930-dd35-438c-b10e-1bbdc5881cb4": { "rule_name": "Kubernetes Cluster-Admin Role Binding Created", @@ -7371,9 +7408,9 @@ }, "a300dea6-e228-40e1-9123-a339e207378b": { "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", - "sha256": "6766dc8f5e02b59766bf64222d202554ead379489ef45a93a89f75f34701b72b", + "sha256": "553c6e6e65c43d5ee933841dbf34f7d9a9ea80e08e543900e277036686cbddfa", "type": "machine_learning", - "version": 3 + "version": 4 }, "a337c3f8-e264-4eb4-9998-22669ca52791": { "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected", 
@@ -7383,15 +7420,15 @@ }, "a3cc60d8-2701-11f0-accf-f661ea17fbcd": { "rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client", - "sha256": "b0cb4bda3738ab20e63d9ccd9aa054a0151377801ad9d786fbe0ec4e521cd011", + "sha256": "7c519926517b618be19af735311a9b969fe9ea2b081ad68a9f2de5bb02d59c1f", "type": "new_terms", - "version": 4 + "version": 5 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", - "sha256": "15ce53d9971d69e0cce8aa48ed7d5d0e8f07262067920ed25643ff74947439cd", + "sha256": "777d3b478fb1eea22452ad39f88e4208a133631bc1eab6e7adc5b793bc90c00b", "type": "eql", - "version": 312 + "version": 313 }, "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { "rule_name": "AWS EC2 Instance Interaction with IAM Service", @@ -7408,9 +7445,9 @@ }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "0597bc8c77ba3bc0acc1e91426b0c1d17bd1799128e2d8549593007939740fbc", + "sha256": "1bb0110ad3d200b54abca7cf4469c34dfeb0097d5057b0ade9f484188955956c", "type": "eql", - "version": 112 + "version": 113 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", @@ -7420,9 +7457,9 @@ }, "a4f7a295-aba1-4382-9c00-f7b02097acbc": { "rule_name": "Suspicious SolarWinds Web Help Desk Java Module Load or Child Process", - "sha256": "9bd9decc9c822a522bace342351db9b5899645c1b92caefa46a2b009e1b258d3", + "sha256": "787d2f5521dc4499fb6b01d857d4e2f1c96bb9acf94725a4dc16764d99962411", "type": "eql", - "version": 1 + "version": 2 }, "a52a9439-d52c-401c-be37-2785235c6547": { "min_stack_version": "9.3", 
@@ -7436,9 +7473,9 @@ } }, "rule_name": "Netcat File Transfer or Listener Detected via Defend for Containers", - "sha256": "fe7aecdc2e1b42b756c2f4858a8500d51905c2c99a9196db75f548c326d2b233", + "sha256": "7e3bfec1c4781db2d7417c710ec2883216a3b33ff5bfd0292f1c72cf76b48f18", "type": "eql", - "version": 104 + "version": 105 }, "a577e524-c2ee-47bd-9c5b-e917d01d3276": { "rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary", @@ -7448,9 +7485,9 @@ }, "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { "rule_name": "Potential Reverse Shell via UDP", - "sha256": "ae71eb7835476969206ee90c8252e0a9b7f8981fcd5dec9dbe52e7dc2b7f7efa", + "sha256": "682586bdb044ed6ab9f2d86aa3803980638ce1756f871292eca8c0f20adae25e", "type": "eql", - "version": 11 + "version": 12 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "rule_name": "Potential SSH Brute Force Detected on Privileged Account", @@ -7470,9 +7507,9 @@ } }, "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "07e4d830eb22a626c11659d2c4d3ee7d09106df31772fc62b9088af6b2762f28", + "sha256": "e6482b504c514d6b1753b89034fad24ee3fc56c8f55c3541c3b8e700adf499fc", "type": "new_terms", - "version": 315 + "version": 316 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Entra ID PowerShell Sign-in", @@ -7494,15 +7531,15 @@ }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", - "sha256": "c26ba77509e14edd7a244af9e057ae5c8ddde527759809d383616b2ad6d1dbb9", + "sha256": "b0f8257a53944308de393b93cad9fec026cd701e9181cec30f96d8cbaa5be52b", "type": "eql", - "version": 317 + "version": 318 }, "a640ef5b-e1da-4b17-8391-468fdbd1b517": { "rule_name": "Execution via GitHub Actions Runner", - "sha256": "5c2e02372424c7523c482923663eaedd7d5dd64f7f91059d807cbd86fd1ab716", + "sha256": "14361ef9fcfb305ac2f4824cb070fbf348522f67cdd712c8988f563f7615c75e", "type": "eql", - "version": 1 + "version": 2 }, "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { "rule_name": "AWS S3 Bucket Server Access Logging Disabled", 
@@ -7512,34 +7549,41 @@ }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", - "sha256": "f6db651d781c09513c5a405895ceaf3b0365f2c340923c3dfb7af7aa8094a077", + "sha256": "0aef85561df73b765eb845f8de00dd44020df10da07314fb87273d339f48199e", "type": "eql", - "version": 112 + "version": 113 }, "a6d4e070-b9b9-4294-b028-d9e21ad47413": { "rule_name": "Entra ID Protection User Alert and Device Registration", - "sha256": "7607cf57a33694aa6eda42e9a81e1648c3a6e269564960f460daa3b881dd0e62", + "sha256": "4876756b256c3aeddfcfdd04f09b0cb7e60f51ae76b94698d9a227ca6d1bc07e", "type": "eql", - "version": 2 + "version": 3 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { "rule_name": "High Mean of RDP Session Duration", - "sha256": "98b2e7d0d5c6e743cfc10a8e3764d9e083ab3e45612f50c8e656c82b2c87a42e", + "sha256": "54d4c476c777d29b060e86d324c7eccca8db5647602b0b9efa9792822185c764", "type": "machine_learning", - "version": 8 + "version": 9 }, "a750bbcc-863f-41ef-9924-fd8224e23694": { "min_stack_version": "9.3", "rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers", - "sha256": "5846c6b43e380d83d1c497de9db85c35f4fb983138dde4300adddb76e4cd3ec4", + "sha256": "31e7a49e77598252a554c7de32610e73a9bcd249edd8f11c4d792f3e14f2916d", "type": "eql", - "version": 2 + "version": 3 + }, + "a7577205-88a1-4a08-85d4-7b72a9a2e969": { + "min_stack_version": "9.2", + "rule_name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal", + "sha256": "9678721291da5cb523dc6ee9387e340cdcc03ee3f81a163f03942dc2201438b8", + "type": "esql", + "version": 1 }, "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": { "rule_name": "Execution via OpenClaw Agent", - "sha256": "5f23f3e55cc3e972b4ab8b3d979202308afb708a2f40538f2566149e13026d87", + "sha256": "57561a090eba3d509ddd4db1e495c4ae3e56bac366975fbf1ea694a59947c35c", "type": "eql", - "version": 2 + "version": 3 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious Print Spooler SPL File Created", 
@@ -7567,27 +7611,27 @@ }, "a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", - "sha256": "4e3c23c7881aeb5c679a751675fc7441b3984d00897e461cd40ecaeba57cdc62", + "sha256": "a43c4cce90f10259b7f083ff5adbd8eca3f9cc3b122406f30ace77a409419d1b", "type": "new_terms", - "version": 6 + "version": 7 }, "a80ffc40-a256-475a-a86a-74361930cdb1": { "rule_name": "AWS IAM SAML Provider Created", - "sha256": "d5cdab921477a06497e239824cd88e803d3eb45dd7f85f9bc3ef531c713c400f", + "sha256": "94732c42b485343065e0774196628119dc2f316080a333102bf203c983c779d0", "type": "query", - "version": 1 + "version": 2 }, "a8256685-9736-465b-b159-f25a172d08e8": { "rule_name": "Suspicious Curl to Jamf Endpoint", - "sha256": "96bdc6dda9b99337a375bda8f6a1c8755a9bd449a70db25466f3f8d135bc2ed8", + "sha256": "c823ebf0672517c8ed1929f4379c1fac131417b4c0dca9ef94e1dea1560ad82a", "type": "eql", - "version": 1 + "version": 2 }, "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { "rule_name": "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker", - "sha256": "16514f9c9cd35b419a7ea68569c80f7a25b1f66370b0276cfa62cb3ec62b0c42", + "sha256": "d6cb0373e901e7888cbdf65dce494355d38a829de9c102fc07aa2c2274b165f4", "type": "query", - "version": 6 + "version": 7 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", 
@@ -7604,52 +7648,52 @@ }, "a8aaa49d-9834-462d-bf8f-b1255cebc004": { "rule_name": "Authentication via Unusual PAM Grantor", - "sha256": "60319003b74e45deda3b2f9aef3f6d1b8a77a689505e9b01bdb66e0edc283460", + "sha256": "f46594fa786a8d96dc492f49de6a09e7c4bf69b2f8f6bba7fc371fe01c0140c3", "type": "new_terms", - "version": 5 + "version": 6 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "rule_name": "Suspicious File Downloaded from Google Drive", - "sha256": "a986702b7238a13ac729d815815083fad17ac0cb185b211b536aafa325fda726", + "sha256": "b083c7c924a0947dc0048039147a36632af5a70ced0a58b91f8d089faa8cf44f", "type": "eql", - "version": 8 + "version": 9 }, "a8b08d2d-6dfe-453f-87d1-11d5fc3ec746": { "min_stack_version": "9.3", "rule_name": "File Download Detected via Defend for Containers", - "sha256": "7639716e2528d68b95b96d7b6b558489c5d3825d36ff2d4a98b810b4372c40ae", + "sha256": "dd24216e43c8d2d97f235518778ef26185e2277d713a56fc385c92a5ed05305b", "type": "eql", - "version": 2 + "version": 3 }, "a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0": { "rule_name": "Newly Observed ScreenConnect Host Server", - "sha256": "5a8acf8b9ca572d30b42f96b89249dc24621630278b9db105d665630cbb8cb34", - "type": "esql", - "version": 1 - }, - "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": { - "rule_name": "Azure Storage Blob Retrieval via AzCopy", - "sha256": "630eb9459fc7c5632430c7f31e2e7b09b45d97301ab806d43a312588e54ee683", - "type": "new_terms", - "version": 1 - }, - "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": { - "rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand", - "sha256": "cd7321baa685c0b8fdee3998ff993ac2f4f5761124d7f2e78e2c404978211ab3", + "sha256": "cabaeca9e2b181ef28dd279e76d8fede9fc1829cbcf8ee0cced3e387f9d1e653", "type": "esql", "version": 2 }, + "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": { + "rule_name": "Azure Storage Blob Retrieval via AzCopy", + "sha256": "49906c7167773c5c88a880e059c18f24adb62337a0b8ef76a5c8bb33623fe4a9", + "type": "new_terms", + "version": 2 + }, + "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": 
{ + "rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand", + "sha256": "49e45807f197d72382a572c2a9f601aeef490252cf7c11dacd21a726fb810968", + "type": "esql", + "version": 3 + }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "rule_name": "High Variance in RDP Session Duration", - "sha256": "c1b7d0299bdbc6612b5661369ed5e4594203e23f1ac7c6f66177a0d4e9e639c5", + "sha256": "f9c8c7c261451895bad9202f8a232c6e4062e1d272ece1ec51d009c841579e71", "type": "machine_learning", - "version": 8 + "version": 9 }, "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": { "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", - "sha256": "c1754fb24018b0b1ad18dda900585a848ef023365ffdb417c9ee87a5e201ac4c", + "sha256": "bd9b1c164a07769ffeb8aeb475e7e3e4f8d0a0787d5e419ee1ca1e160d2149c9", "type": "machine_learning", - "version": 3 + "version": 4 }, "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f": { "rule_name": "React2Shell (CVE-2025-55182) Exploitation Attempt", 
@@ -7665,57 +7709,57 @@ }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "M365 Exchange Email Safe Link Policy Disabled", - "sha256": "d95fe7a8034cfa3811029416e206a44840af20beb42cbbeffd08e3655cb0331c", + "sha256": "7461bc40b2d09bbc574bdb5ec21554865c01cc2c13d11a28cf089e2366cc740c", "type": "query", - "version": 211 + "version": 212 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", - "sha256": "81d1942ffab6ae0133a69e39a646edbdede691809bcbafff2767f9f328c796b0", + "sha256": "f542e1b863cd42eb8bf3b80af48508e5938cb132dba214ba2b8f331d83b03f5a", "type": "query", - "version": 208 + "version": 209 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "544161a59a89370ab4438a8bd397acb36f3567b1c2af131d5856d084531ea717", + "sha256": "4d255aabd1699229c83718a7915c758e828c189e6dc926bd2c871529233f1cd3", "type": "eql", - "version": 213 + "version": 214 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "b03b17a6bc41837d91b2207e76fe08aec227bfb082ba903b23cd1a007cde63c8", + "sha256": "35e4a6106cba38795de889121dbf12207ff75aef92afcccabe8a806fd0e4c769", "type": "query", - "version": 108 + "version": 109 }, "aa1e007a-2997-4247-b048-dd9344742560": { "rule_name": "Script Interpreter Connection to Non-Standard Port", - "sha256": "b395e05708d4c9e34bae97f6daf956aa4e62e1d0b6d36e3342294d4e1fa442fb", + "sha256": "e45fd015a2a23f9dae370bf76c6835579ef979403f82f2256fcf2c71dadae0e8", "type": "eql", - "version": 1 + "version": 2 }, "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": { "rule_name": "Spike in Group Lifecycle Change Events", - "sha256": "3ab7c41b734b153c7587be53dfc664648e566347fe8811622b4ec7949d802ed9", + "sha256": "117615ae9f7bbcdf2f22d30db030b964809f545f13d82041ceafa1c2b45773da", "type": "machine_learning", - "version": 3 + "version": 4 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", - 
"sha256": "aa97f5795e7ab2d0faa239249f1d62103360fb6dbacdd0aabd4f4b4bb16e3be0", + "sha256": "8757f16023a807b6b2b792ab3d99ad696e95ce9eaf579b679780cee08cc829cb", "type": "query", - "version": 107 + "version": 108 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "rule_name": "System Log File Deletion", - "sha256": "f1178ad0ef58ec25525ca5d80993d16b763e918ec464f6760f9ff20bca37019d", + "sha256": "7633b03ab034572bab063198511ae4e111488b09f58f32812662c42da32b9762", "type": "eql", - "version": 217 + "version": 218 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "rule_name": "Remotely Started Services via RPC", - "sha256": "a4fab962e929045f641696e751146d262d934876aa3bd42a8e4724c004a6e2d9", + "sha256": "d41b2ce91143e8b5a36d2d9e2d2e08e32df9b2200511697cacf5f3bdecc18fee", "type": "eql", - "version": 216 + "version": 217 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "rule_name": "Veeam Backup Library Loaded by Unusual Process", @@ -7731,9 +7775,9 @@ }, "aabdad51-51fb-4a66-9d82-3873e42accb8": { "rule_name": "GRUB Configuration Generation through Built-in Utilities", - "sha256": "f9c20c9f91ef5e4ec353c199251c1547907c932794c488f511af325a87b5fc6d", + "sha256": "27610c9d7787e7f52bb7ead9aef37e9fb044dd6430bbe3d6769401682fde8596", "type": "eql", - "version": 5 + "version": 6 }, "ab25369e-ea5e-46f1-9cd5-478a0a4a131a": { "rule_name": "Multiple Elastic Defend Alerts by Agent", 
@@ -7743,15 +7787,15 @@ }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", - "sha256": "2b2ec6b74139595571db7fb15900c6301b821915bf8934804499f2a156001755", + "sha256": "8b21463695c549dc63e6b3954e76c01209042706c77dd47d184ace74d9df957f", "type": "eql", - "version": 121 + "version": 122 }, "ab7795cc-0e0b-4f9d-a934-1f17a58f869a": { "rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)", - "sha256": "c1d2e49b9c7ced7cce10153c0338a47448b25c6a03c1e185a3ae353d07665b67", + "sha256": "9eb2c45dfa3291e5f9ceaf2caf261fbed05150c8688cdfc93f3c7731b5759f90", "type": "eql", - "version": 2 + "version": 3 }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "rule_name": "AWS S3 Object Encryption Using External KMS Key", 
@@ -7761,33 +7805,33 @@ }, "ab9a334a-f2c3-4f49-879f-480de71020d3": { "rule_name": "Unusual Library Load via Python", - "sha256": "8d7fc19513012d8ab86d3ad4472b072a5722b6e85b2d0dcf628a1f4568016ba7", + "sha256": "7a0ef5b6fa33fef315d70305319e2f28b52ecf4bcd373708a98ffb1312146928", "type": "eql", - "version": 1 + "version": 2 }, "aba3bc11-e02f-4a03-8889-d86ea1a44f76": { "rule_name": "Perl Outbound Network Connection", - "sha256": "44441dd2aaf2ceb05edf4613d7ec999000efd12bb8d89d09c06b0711794db3ac", + "sha256": "1199004d18d11cefa9e43650db5c565969e006d67b5da5d7cb5ec77c33114b01", "type": "eql", - "version": 1 + "version": 2 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "f4415dd1ab33127524c8f8e5d3d96559ff08c874c75581ea1f418527b37f297c", + "sha256": "bb1a749f861f7459448bb4e1a2eb19dc2a26f353fb57634eed0ccea7218f3cff", "type": "machine_learning", - "version": 209 + "version": 210 }, "abc7a2be-479e-428b-b0b3-1d22bda46dd9": { "rule_name": "Google Calendar C2 via Script Interpreter", - "sha256": "49b0695a34b73511dba9f1d043a882b463dcee2a9a40a7ce26a3056fc2699e8e", + "sha256": "cd3aac05b993742d0c467053b7548c79623f2da5a4d979c6abe448b797d3411c", "type": "eql", - "version": 1 + "version": 2 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", - "sha256": "8817908d1fcc931d10eaa32b81fbcb6a57cbbb8130bf2b99e7f1ded843a88c10", + "sha256": "3458d345ab11b49c4e091f9cf2f1b6535e27e905407265f7ac9aef9dfb91564b", "type": "query", - "version": 111 + "version": 112 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "rule_name": "Suspicious WerFault Child Process", 
@@ -7797,27 +7841,27 @@ }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { "rule_name": "Git Hook Created or Modified", - "sha256": "df1810d9ad8194c8a2583139f77a9e651a3e8b83cde95f4f4822db4abbd83aa2", + "sha256": "d613f940d2dddc9dad9333b8188f60d43dc30443a11f82c3821da4d4ac7cf4f7", "type": "eql", - "version": 107 + "version": 108 }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "rule_name": "Outlook Home Page Registry Modification", - "sha256": "ccb9c2dedae4339f4a8402f20a272f5e31e98268fe151021905c5803581264a1", + "sha256": "d20a637fe702ef3a14ed08bc79e70ce0945d586fcef20fe2e3b0423940fa91ad", "type": "eql", - "version": 207 + "version": 208 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "1f09c70ccb7bd829212e7f28d45b59ad23a8b162294e57623f186995150eb12a", + "sha256": "8d4e2f6cb5d21f8244e59e8c3b20856df8349b82ee18227dc9c8ee312213e81a", "type": "eql", - "version": 104 + "version": 105 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", - "sha256": "1bb48c457ffaa6213c29fb112617a61f4513cf5ed3fe8ae984d050f46f0e2a14", + "sha256": "6329bd421d92474b7b724414f883a3a46da0190498df4f628e370b759c237af3", "type": "machine_learning", - "version": 212 + "version": 213 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server", 
@@ -7827,39 +7871,39 @@ }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "6f62627b38152a2e8e01bc9b475438152d6eaf8ca51a8ccc5aee958b6bf090ef", + "sha256": "aa82c73c60e38856083805edc8a6ae9bd585611711aa27e1243df74d655316fd", "type": "query", - "version": 214 + "version": 215 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", - "sha256": "269058c6e89f4b6bc7158aedc2e877924bd1b4c12f2370e52061d34e70314ad5", + "sha256": "9e2873a47031b6e8b15b6b20da3ac0862ce4124e7ffc8cd818be8eba1efd2c3e", "type": "query", - "version": 209 + "version": 210 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "268da22fe3012eb7235a40832d96ae587a9b50ab8bbb40fbf09a44b3912383c7", + "sha256": "5585abed6562a24727d275419903615a3d29b9c2b4f10910d6394b1a0d471be5", "type": "eql", - "version": 109 + "version": 110 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential macOS SSH Brute Force Detected", - "sha256": "dd2d6c056560cc33d94c90d31c595af511cc7337acf1609880294a656269fe42", + "sha256": "ad378adde9bbf820b6da8dd6764e50a48c987669c717ca222e023f1a01b17553", "type": "threshold", - "version": 111 + "version": 112 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "0e892fd6bcef9c6cf7081f8e1038b23eed575c1f75deebe83a933f7b038987bf", + "sha256": "01947c38ddbaf757c9c2706842377b1699f7e65de106e2ee1005a90436e9e8db", "type": "eql", - "version": 312 + "version": 313 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "08722f5e5dd94f6aa3a6b9f961dc93e655489cf429a7bcc8d18387cad4c6ff0d", + "sha256": "401cb7b60b2cf3bb799ffcb99b3d39a35feba91d7146952c4408a2fe5ff97ea5", "type": "eql", - "version": 314 + "version": 315 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": 
"Proxy Port Activity to the Internet", 
@@ -7869,75 +7913,75 @@ }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "10870b0be6a523545f966558befd0ad3a93708d00bc14db5a1770e6c942a9596", + "sha256": "dd3bba4447ec0a85398b9bf7a5b42ec6cfc45c5c472e988b56fc51878deb7ade", "type": "query", - "version": 208 + "version": 209 }, "ad5a3757-c872-4719-8c72-12d3f08db655": { "rule_name": "Openssl Client or Server Activity", - "sha256": "85c351391431f6667bc08d272b279b43c0e10d769c6f8e477d4951ddf99870eb", + "sha256": "8ee09f0722e3d4094b5116fcd3ccdf47c8466d3dedaf45a2bce8131e571a5590", "type": "eql", - "version": 107 + "version": 108 }, "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": { "rule_name": "Decline in host-based traffic", - "sha256": "6fc5bbba4f289f6433e148acbd5a3f03e6a19a814418a883f6f068b46e73beae", + "sha256": "d3443af533d8c9c71544393bbb3528bab9f2a4528d9d339f101e5d8628f1a384", "type": "machine_learning", - "version": 4 + "version": 5 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "1cab4d236af2187cf214d9f7698d6bafb8c4fbbae2f26d08efeea2017a7e0f32", + "sha256": "51d7f733e3374dcbe3976ae51a6bc313af267acc5db56d25e523260a910d942b", "type": "query", - "version": 216 + "version": 217 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "d5725f7f8e8be780fd21622817a7fba7953922117e6f18da9a72966708dbe4ab", + "sha256": "7e0e9edcd353321915ab04263138fc1a2c2cd6827c51ba0fe5874b5472b53d0f", "type": "eql", - "version": 110 + "version": 111 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "78f73bba97b67da61f9a1ce9f381ede05cd7b1d5148ea1b0446c91c90540f768", + "sha256": "750bf0616ef3c52e7f9c6631ec3e3cfea69beba6673151f2e6c6e12bd6e124ca", "type": "eql", - "version": 110 + "version": 111 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "File Transfer or Listener Established 
via Netcat", - "sha256": "4239c0e54a533bf54ce1ffa594d9547a1893c342c07465a5a130880daf78662a", + "sha256": "9a8cd6f888fb568bcebde8a607523abff1e1b5f2093b48a188b2627cf7128d9f", "type": "eql", - "version": 215 + "version": 216 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", - "sha256": "daaae8ed9bbb55f911868f672baf1ab3fddecc6081cba618abc705d40485e3a1", + "sha256": "3fc9c5c4759767185d5582e1bab598a681896a2df7753b4d3c91fb22c0527aa9", "type": "eql", - "version": 12 + "version": 13 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "rule_name": "Suspicious File Creation via Kworker", - "sha256": "7a29c8e7bc280e7a42cceecbdf82a980b9650be7de3082b0f18e7adfd0571ee6", + "sha256": "6e872d7e24f0c0631132efe9f516b618480f9f40705f831a449c368918b4bb77", "type": "eql", - "version": 110 + "version": 111 }, "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b": { "rule_name": "Suspicious React Server Child Process", - "sha256": "f464b42faa30ed9c4a481383ade936264f8ae7018b3bbf4388d5ab11e87a8a62", + "sha256": "8fc6e17b6f87f1749ad3b2ec19e38059ad1d2b55818befec965af351912cd17d", "type": "eql", - "version": 2 + "version": 3 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "967c59ea43c5beb353059b127aead53cfc4bb82df6b3deffafa653e4fea554c8", + "sha256": "c5078f597c295cea9a4dedfb0717f3f8db2dfb4a97b14c31721fe7366500128f", "type": "eql", - "version": 208 + "version": 209 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "rule_name": "Shared Object Created by Previously Unknown Process", - "sha256": "da6adafb32495d2bbd2fb19670ba6a7fbe02883ae1b35a39820e364ff5b5314b", + "sha256": "178fb249bd43c2383b67d1411b9fb257d092c368cea0ac05d03be5b785d42606", "type": "new_terms", - "version": 14 + "version": 15 }, "aeebe561-c338-4118-9924-8cb4e478aa58": { "rule_name": "CrowdStrike External Alerts", 
@@ -7947,15 +7991,15 @@ }, "af1e36fe-0abd-4463-b5ec-4e276dec0b26": { "rule_name": "Linux Telegram API Request", - "sha256": "477d7d002c39e4eb1eb850629c391b63246779ac7e4ed964b3688f79d0d83941", + "sha256": "0a3c43255d3c95aedd0f97b4e22701b135b6b447294478eeb2109f17a773414d", "type": "eql", - "version": 4 + "version": 5 }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "Entra ID OAuth Device Code Grant by Unusual User", - "sha256": "8d9b8457210e9a424a62e6747d90cb0a5f9f302e639ecc373cce226284489ca0", + "sha256": "15e48bbd9ec05f38f788fe85d3d314645cc526a65f9154c9c852aa4e46b60822", "type": "new_terms", - "version": 8 + "version": 9 }, "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": { "rule_name": "Okta Alerts Following Unusual Proxy Authentication", @@ -7965,9 +8009,9 @@ }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "rule_name": "Unusual User Privilege Enumeration via id", - "sha256": "58f5a32068e937f8a5a7e0ebf56c814d9d90bc5411188e096283a1699389e0bf", + "sha256": "7d10e6efd142a09f199ae3461997c14ec7ea789aa43adcd41b7177e7664189c9", "type": "eql", - "version": 9 + "version": 10 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "rule_name": "Local Scheduled Task Creation", 
@@ -7977,21 +8021,21 @@ }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "rule_name": "Network Activity Detected via cat", - "sha256": "551fb537c43ddce4d157eefb1f9e89955a4766f5a4742d877fc0926debec39bb", + "sha256": "c7ba64794076705bc9730b99d67877072cc6f9ae46d2bea1a55cc73dab2a3ebc", "type": "eql", - "version": 11 + "version": 12 }, "afdca1e0-0f8a-4fcf-9e1e-95e09791e3cd": { "rule_name": "Curl Execution via Shell Profile", - "sha256": "d8cd404e877272b325b702a0e8ac4f18db2c194ae25f1bec87a5deb487850f3c", + "sha256": "90ee59b3a454a03021437f01fc2442fd3503fe941f69d4a9b7fda0d1ca4af237", "type": "eql", - "version": 1 + "version": 2 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "rule_name": "Potential Privilege Escalation via Container Misconfiguration", - "sha256": "d8caabf41661b7eede526f852cecc1cb3fb45052aaaf902375b23226bf0ecca4", + "sha256": "7f9907f21f21b24e6aac00e4e7706f5dbc9c8ab5891e9ece18d88f30aaec68da", "type": "eql", - "version": 10 + "version": 11 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", @@ -8001,9 +8045,9 @@ }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "1a1342dd0291e3a2607fe7016af4f30658ce19b6c109196a12a2edc9103fbcef", + "sha256": "2de0c7e6afc5a090ed826fbef600250fcaf3386d0dea5229916795bef6153462", "type": "eql", - "version": 110 + "version": 111 }, "b0450411-46e5-46d2-9b35-8b5dd9ba763e": { "rule_name": "Potential Denial of Azure OpenAI ML Service", 
@@ -8019,15 +8063,15 @@ }, "b07f0fba-0a78-11f0-8311-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Web Service", - "sha256": "9797dcc6378c0d57e76f5bd680375872b642a475cef26b5bbdf5a241bf149ec5", + "sha256": "8dee5585853fc2cc29d0a3fa86c34646de7bc439f3082c135445169f367d5ede", "type": "new_terms", - "version": 5 + "version": 6 }, "b0c98cfb-0745-4513-b6f9-08dddb033490": { "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables", - "sha256": "deec12e81c3d8c2bda1563d1d7e93dc1148fff91ddea9ab3eaff47117ad97a1d", + "sha256": "e448d9b59d2f49b4c015b5980d16a6a35c92a493127292ce515a5a6d268491f6", "type": "esql", - "version": 10 + "version": 11 }, "b11116fd-023c-4718-aeb8-fa9d283fc53b": { "min_stack_version": "9.3", @@ -8041,9 +8085,9 @@ } }, "rule_name": "Kubeconfig File Creation or Modification", - "sha256": "66a13f6294c6ee5ca9b08ab89692540cb784861984f18bb86b41db4c2b14b9c9", + "sha256": "c170db655cc983bc2f7399ca8f83b883daa93945d755cb705d587cfed18454bf", "type": "eql", - "version": 103 + "version": 104 }, "b15a15f2-becf-475d-aa69-45c9e0ff1c49": { "rule_name": "Hidden Directory Creation via Unusual Parent", @@ -8065,9 +8109,9 @@ }, "b2318c71-5959-469a-a3ce-3a0768e63b9c": { "rule_name": "Potential Network Share Discovery", - "sha256": "bb9bb0209d6b77927b4ec4b99c54e1510142c41168681b3eeb06a29054ae1d1c", + "sha256": "d7a2f1e37fdf49243ac43e4049ebc1395e41378971a27a1bbc4df975c9ac465a", "type": "eql", - "version": 109 + "version": 110 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", 
@@ -8089,15 +8133,15 @@ }, "b29b7652-219f-468b-aa1f-5da7bcc24b03": { "rule_name": "Potential Traffic Tunneling using QEMU", - "sha256": "cd6c7c8ebd7053c22aea64363f762d7a129e69574650d16e1cff644d71ec01ab", + "sha256": "e9869a2d9ef0ede8759bbae2c633720e4822ae0eaab97d4d123c32340d879b7e", "type": "eql", - "version": 1 + "version": 2 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", - "sha256": "5ae46136e4a5238cfa794a88f7f0b05e83998ae1b1211edf89c69ad05cf6b4d0", + "sha256": "f2a62ec8399d34841a66053ae048739a04aacf0c4fb6268a7d2c0f76f034d6ad", "type": "eql", - "version": 212 + "version": 213 }, "b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e": { "rule_name": "Azure Storage Account Deletions by User", @@ -8113,9 +8157,9 @@ }, "b2c3d4e5-f6a7-8901-bcde-f123456789ab": { "rule_name": "GenAI Process Compiling or Generating Executables", - "sha256": "1b44e3cddeb6ca2f774015e8420483b4590ca117d2b4e014e2a651e58d0075d6", + "sha256": "10699cfc2c120433bed5e971c71194d0acbc72cddecacab5469c0b1d23216ecb", "type": "eql", - "version": 1 + "version": 2 }, "b2c3d4e5-f6a7-8901-bcde-f23456789012": { "rule_name": "GenAI or MCP Server Child Process Execution", 
@@ -8131,21 +8175,21 @@ }, "b36c99af-b944-4509-a523-7e0fad275be1": { "rule_name": "AWS RDS Snapshot Deleted", - "sha256": "0e205375dc32c8ec2ab27fb098c7166cde2e60a4e7bfeda0a3b2de5ee7b82bb9", + "sha256": "7a02506f8453110cac713662233968f74b625854c528b34fe1af2413dc67e6be", "type": "eql", - "version": 7 + "version": 8 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "663662cad8b04fffd15af7a0863496bc68ba12a9ac0245a2bfdaf1b9c63e284d", + "sha256": "5b8430098588353df995dbb0f9417305b6c27f4fe205e41393ba1027e5e30ae9", "type": "eql", - "version": 319 + "version": 320 }, "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": { "rule_name": "Suspicious Python Shell Command Execution", - "sha256": "dd9a52bf74d28ebffb64b83134917f8d6aee148108e4fb2f7cde27b41fb69285", + "sha256": "56d00977592f10b6f40e65fdea0937ffb2fbae03cbd765c1258d5f1f0f36a508", "type": "esql", - "version": 1 + "version": 2 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "rule_name": "Code Signing Policy Modification Through Built-in tools", @@ -8155,15 +8199,15 @@ }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "20bfd59b3360c88f5f3e56a5321f9e88ffc3bafa00b215c52a612b5cc107f44c", + "sha256": "aa4c16259c4ca94dffd3cb61e6cdba1aa20599065aaf7ae56a8a21eb1b08a65d", "type": "eql", - "version": 110 + "version": 111 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "rule_name": "AWS STS GetSessionToken Usage", - "sha256": "d262c23e0e416fa8b25a50e95e04b830957bc29495995da225b0ab30d09de3ba", + "sha256": "b0f5631b927606bf9cd543de35f1eb1f4e1a5a5655e0dcc70fa9ef1b9dc1fd81", "type": "query", - "version": 210 + "version": 211 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "rule_name": "At.exe Command Lateral Movement", 
@@ -8173,22 +8217,22 @@ }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "774aa21659a63c8b8b6166215078531f5d94fd43b5e2ee37fd411ccca68d5991", + "sha256": "6686019692b13bf91ca12c4dd69c9ca41ffd81d4480b58bce574581fb1ec6335", "type": "query", - "version": 413 + "version": 414 }, "b4bd186b-69c6-45ad-8bef-5c35bbadeaef": { "min_stack_version": "9.3", "rule_name": "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers", - "sha256": "e26d8865848df84bf05891fff57ff9bafd1acf3c54e699d5cd07d4c923ed9727", + "sha256": "ea1e6c16c05f513bef9a7fce9aea0e625892b08e71fb0657730605a640764afd", "type": "eql", - "version": 1 + "version": 2 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", - "sha256": "3852b315ecbd762ca27f312ca2ad0f3b674dff45eca735c17f0bdddcd36e9769", + "sha256": "8184ab730ee2e991794ad836b1317d48d6b4ea0e58c4fc42fb00db88f9ca8bef", "type": "eql", - "version": 9 + "version": 10 }, "b53f1d73-150d-484d-8f02-222abeb5d5fa": { "min_stack_version": "9.3", @@ -8202,9 +8246,9 @@ } }, "rule_name": "Kubernetes Direct API Request via Curl or Wget", - "sha256": "20b5bcb6b45398978619e78190a331e01385bd5c092d0769e6b36d1c8a28e413", + "sha256": "5848bf5a4bd044df06ef95227df444a60c1471ca1bcb5523d37347327c87dc52", "type": "eql", - "version": 103 + "version": 104 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "rule_name": "Clearing Windows Console History", 
@@ -8220,51 +8264,51 @@ }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { "rule_name": "Systemd Service Started by Unusual Parent Process", - "sha256": "57cf240369b6476819ff1428960e30c61087363abaddc996cb3f1c307d126f72", + "sha256": "0021061d622b59482f91129c9afd828047712d6ca62d4a338937389e67656e41", "type": "new_terms", - "version": 7 + "version": 8 }, "b625c9ad-16e5-4f16-8d38-3e9631952554": { "rule_name": "AWS CloudShell Environment Created", - "sha256": "c4fccaa7aab536283674e16a7b11aa361376826cbb7bd03f2eb2bdb49c64a25a", + "sha256": "08c9c9d81fbaf3d369f67668422c612a9236fbee0687355f1cd7ee32fa413fdf", "type": "query", - "version": 1 + "version": 2 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", - "sha256": "f58ebba1d4063ee0e5e0fad5b21e9dd7db61d517b25b32a324094ba175a2b5e2", + "sha256": "a72ebf831df03c21d401b9f11214fb6941e12203f4375308a7cf89f9a8d39865", "type": "eql", - "version": 113 + "version": 114 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "c81ac4b9460caa3eeca4379f6ccfc4b06e1ee9b8437a5b9c88d91bd1eb0f6860", + "sha256": "1fc45823fd595615deb1b9e32ee0d8aac5faca18436a10e3a095dff25a42c403", "type": "eql", - "version": 213 + "version": 214 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "rule_name": "Potential Veeam Credential Access Command", - "sha256": "94d59eb9110fa3146a9b5d7d6c7581e612695b83558cc2f640745f6a2fe1c47b", + "sha256": "cbdee887cd13d54f550e80a5e90a2a8b627f93cac8d9f8a062df574362cd2878", "type": "eql", - "version": 207 + "version": 208 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "209df9ae546ce07831a4b3ba56aba23d6f88229516b869bf7b7b1d654f795f55", + "sha256": "b37782b05e4d6c2c899c3c64cf6002bfdabf1b8833b2361b762c9e8e5bb5bf21", "type": "eql", - "version": 107 + "version": 108 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub 
Authorization Rule Created or Updated", - "sha256": "606d597ff55dce161d5826494f5c021adc1a97e3696c40533bbbc2491ef481f4", + "sha256": "0542bd5e149db60900db304cc0b992f8a1ec8647b377ce665d2b29a57c78f25a", "type": "query", - "version": 107 + "version": 108 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "4cddeb02ca83f5ec2218122735fb4489929a8613f1d7da7bab02a3d2a4a87cdc", + "sha256": "44a164cbbee23384317110deaf966d410b9546ff686d8d76040abb21cb1322a6", "type": "query", - "version": 413 + "version": 414 }, "b799720e-40d0-4dd6-9c9c-4f193a6ed643": { "min_stack_version": "9.3", @@ -8281,9 +8325,9 @@ }, "b7e2a04d-4f8a-4e12-8c9a-1d5e6f7a8b9c": { "rule_name": "FortiGate Configuration File Downloaded", - "sha256": "dadf194589874cdb80905bdf9fda73d3c06041b662cef7f27dc6fa15a1a8a1a8", + "sha256": "8a6732c321ad665cbe34c05fba17c8a2062608ec98c2303074636c1cc82d3e58", "type": "eql", - "version": 1 + "version": 2 }, "b7f77c3c-1bcb-4afc-9ace-49357007947b": { "rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike", @@ -8293,9 +8337,9 @@ }, "b8075894-0b62-46e5-977c-31275da34419": { "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "d5413219e7e19880fd290c1a21c134fc35ace0ab27f8d072b6acb7e98b834264", + "sha256": "135ed590d058ea2d34fc0bf1d1252edd24563787b15e9c1c581989395ea3aeb9", "type": "query", - "version": 412 + "version": 413 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", 
@@ -8305,15 +8349,15 @@ }, "b8386923-b02c-4b94-986a-d223d9b01f88": { "rule_name": "PowerShell Invoke-NinjaCopy script", - "sha256": "1e13c08a49a32e6ba3fd692d5e4a1a4a26a4a16e1c9aeea2ee40dff66fc30010", + "sha256": "907dce619b274f26d19e9cafbef702e882b9c42666f0aeb54efc90d57b8a2610", "type": "query", - "version": 111 + "version": 112 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "5e9c3cd4768e1f8abff71d8323e0a0808368503ce204d18acc448b89e3539f73", + "sha256": "85f657e35fa459539e836b4889434164e69815e35ee5bf47f09466e436e86414", "type": "eql", - "version": 415 + "version": 416 }, "b84264aa-37a3-49f8-8bbc-60acbe9d4f86": { "min_stack_version": "9.3", @@ -8324,9 +8368,9 @@ }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", - "sha256": "bcdd20128f5b5f6c161154d5df0b9bd8f96456e094845f30e33f1b159aad6694", + "sha256": "3c4778b7d4cd766b8f6215dab5e2e2395ee5160237595ca472bcea1cc1c66b30", "type": "eql", - "version": 210 + "version": 211 }, "b8c3e5d0-8a1a-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Recovery Services Resource Deleted", @@ -8342,9 +8386,9 @@ }, "b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": { "rule_name": "M365 Purview DLP Signal", - "sha256": "04360f0ce85534f39be7ba0ec1699302b04855d9ef703ccd49c39e0d6e39c3e7", + "sha256": "e3ef983c1782d0d31d55c56f099f438dbf0e1180aa4222c17d078488f0692878", "type": "query", - "version": 1 + "version": 2 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "rule_name": "Kirbi File Creation", 
@@ -8360,15 +8404,15 @@ }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "rule_name": "Chkconfig Service Add", - "sha256": "49b9315515c7d56a7a53069e9dcd562e05e1b92f1524b25da32c7e186f5067ca", + "sha256": "d0cc5c171239dbcb104a7489e747f4fa4712d1f0b9d0c7c2c40c266c6e44d456", "type": "eql", - "version": 218 + "version": 219 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "rule_name": "Discovery of Domain Groups", - "sha256": "78acee60a41b09251f89ee68e7c51c978e7174c9f003de84bcaed2bd0f34ce20", + "sha256": "39ff2ecd53d1273176883da80f5c853cba5c7d5cffe7daac11a6b8735507dd0f", "type": "eql", - "version": 5 + "version": 6 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", @@ -8396,9 +8440,9 @@ }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { "rule_name": "File Creation by Cups or Foomatic-rip Child", - "sha256": "3e2f948ac9829685c374f528f5f3357a976e25df1f5bec1d0f9a57f82dee167f", + "sha256": "dca11625c815b4157b45c06d2d04e7f72ef5ba0ecdd1fed7cc9cfd8e42cd42ac", "type": "eql", - "version": 106 + "version": 107 }, "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e": { "rule_name": "Anomalous React Server Components Flight Data Patterns", 
@@ -8408,45 +8452,45 @@ }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "rule_name": "Unusual Windows Network Activity", - "sha256": "8add33888ce9849b510c0d0b80fd76797ddc082ac5700758b7b90c58c80099c1", + "sha256": "6dd4b33d728787835db1ae21a3cba7bf99af83a6470d46cbd1476d0dffaa9c59", "type": "machine_learning", - "version": 210 + "version": 211 }, "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { "rule_name": "AWS STS Role Chaining", - "sha256": "3bcb05b0905ba0f036c9669558547fe1c5c10663a53c5d1df57a888ca99d6251", + "sha256": "3d73d351f7d7d32b5c4b0b10ddfe73cd017fa245219e660100861063839d6fff", "type": "new_terms", - "version": 4 + "version": 5 }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", - "sha256": "9c65f9d0b0b742e9ae409f6a0801d7341de785e65ee7b054256092bf1bfb8bfb", + "sha256": "881df1bf3e0d1bd5035f0163b4c6fbea98426fdad7f5e30cd133d408466dfd22", "type": "eql", - "version": 7 + "version": 8 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "090872d47d5a3f1428db18f1e48befbdfce5df0242cd30cca8a1535b18d528e4", + "sha256": "c36dfdebbc19fdfc76b9b10f57e4c6e51e9958d0e01c6889100cca94188cf35a", "type": "eql", - "version": 212 + "version": 213 }, "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { "rule_name": "AWS SQS Queue Purge", - "sha256": "de66db695baebdde84a330bfe3bde0083d66582be88489134f9799265204fbf6", + "sha256": "1f23630363aa37b8d7166c30043f1f47b8607a6a098292584b4cbbe55915b5e1", "type": "query", - "version": 6 + "version": 7 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deleted", - "sha256": "c852316f313b153ac3b61ca8c8ecc4ba69b7220da531214dfea51c375cd1aff8", + "sha256": "3d4454944fd0c9bf2faccc65a985c95158db648c3ddc91784bf036fec605b29e", "type": "query", - "version": 107 + "version": 108 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", - "sha256": 
"439721690045cb46d6f9859269c364150b58109dbafffa7929de898b55893fc0", + "sha256": "7af345a100eb92de91782949bfa1266c3265fbe6a434c89921c79ffad6bd9789", "type": "query", - "version": 211 + "version": 212 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "M365 OneDrive Malware File Upload", @@ -8456,9 +8500,9 @@ }, "bba8c7d1-172b-435d-9034-02ed9289c628": { "rule_name": "Potential Etherhiding C2 via Blockchain Connection", - "sha256": "0239484ec551525aec443a437f14bbce8e9235329a703ffc6613bc8c74510667", + "sha256": "adf13fd4f74075a1c4d807c951b541af172e2bded395dbbfe1ba42983acd3d22", "type": "eql", - "version": 1 + "version": 2 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { "rule_name": "Potential SYN-Based Port Scan Detected", @@ -8468,9 +8512,9 @@ }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "M365 Teams Custom Application Interaction Enabled", - "sha256": "5ca8152db27b66fca754da1c64d145050b1590a423cf1a527a420a71d225c11b", + "sha256": "b9ec0d7e63d1adda464ae0b51112405b884c2b4c466a0a412ff85a22ee6a4b76", "type": "query", - "version": 212 + "version": 213 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "Deprecated - AWS Root Login Without MFA", @@ -8486,9 +8530,9 @@ }, "bc0fc359-68db-421e-a435-348ced7a7f92": { "rule_name": "Potential Privilege Escalation via Enlightenment", - "sha256": "d8bf7e5a63698244691000196ba249c7936eab2a4eab1772ca5476f3f5322e21", + "sha256": "e0ba4cc9f179a908179ae1b8fb08501b168e5dd989246796d70691f3f4eff7f0", "type": "eql", - "version": 6 + "version": 7 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "rule_name": "Attempt to Install Root Certificate", 
@@ -8498,9 +8542,9 @@ }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Entra ID Conditional Access Policy (CAP) Modified", - "sha256": "3ac0ca9520344b972f5a41af4a5e10a54efd11a2827dc838a359ba99a1557c43", + "sha256": "8ce594b9beda915d155841c38ba5dbd50b378588b08572407d9a468800afdc19", "type": "new_terms", - "version": 108 + "version": 109 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "rule_name": "Deprecated - Potential Non-Standard Port SSH connection", 
@@ -8522,33 +8566,33 @@ }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", - "sha256": "738bdc893bf3d562e861dbdf7a75427c263f7aaca05a2bb682d878ee38c60a5f", + "sha256": "56d1f942df83d7f90dce141e8d61ea6c55751a210ce9f2acedfd94a2aea52eea", "type": "query", - "version": 9 + "version": 10 }, "bcf0e362-0a2f-4f5e-9dd8-0d34f901781f": { "rule_name": "Entra ID Protection Alerts for User Detected", - "sha256": "fd64341da1fcdaa6a082cbf25b167c5db69c69f1dcc6d20c3ec818bb42e4da07", + "sha256": "7492519d14b8804f657d4ff6510cd4ea2272dcc95fdfe90b5e9aaa2e5fca65d8", "type": "eql", - "version": 3 + "version": 4 }, "bd18f4a3-c4c6-43b9-a1e4-b05e09998110": { "rule_name": "Manual Mount Discovery via /etc/exports or /etc/fstab", - "sha256": "e5e78d693e4425e712df0af92733019ad02ac2c0c9f7cd8c3d371c11cba4e196", + "sha256": "87629b7d4d5b9fc75f1a26d77b396e39a528483a25c72d1238b5ebf5271839b9", "type": "eql", - "version": 3 + "version": 4 }, "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": { "rule_name": "Spike in Privileged Command Execution by a User", - "sha256": "0abbb06b0ea223dd93d5fe72d4038b28733b82fe49397d0f3f46a331b0bd7adb", + "sha256": "99ea8a26e2591f788b098171cdedaae4b59e16b257d990f96f5dc7fda4e3c272", "type": "machine_learning", - "version": 3 + "version": 4 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "rule_name": "PowerShell Keylogging Script", - "sha256": "f7b1bc1a3d0f9605b59dd71dcc889746c9c5235ffcb7f1920e9950b7fd85819d", + "sha256": "2b2c41d8349db184a3dfcf109c0e32f06a4e29eb8036f85956a55e479cedaf1c", "type": "query", - "version": 218 + "version": 219 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { "rule_name": "Potential Defense Evasion via CMSTP.exe", 
@@ -8558,9 +8602,9 @@ }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "86aa1bc737f26987d86809d8f763aff7982e416bef5dc2bbd44444cf72678bf3", + "sha256": "1c15b9f9ecabc1e9ea3b53c43b74d34537d72cfcb2a559de97b42c679cd01e2c", "type": "eql", - "version": 212 + "version": 213 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "rule_name": "Deprecated - Potential Pspy Process Monitoring Detected", 
@@ -8570,33 +8614,33 @@ }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "037264e4531e277aca0fdee38754e89317fba7ebc3ca718a9a2498853349c488", + "sha256": "7eaec669020f14dddbe892f76fd4b204a602a2c3cd1cd4174098514f6abc7b6a", "type": "eql", - "version": 214 + "version": 215 }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "5f00835a9adee4dd9a68ab262fb2d6cd7b32fbbd1331cc6a295e623d98be5d8e", + "sha256": "e871b5c50d55beb37d562677eaaf824b9df867ed5271d206f1349f94c364ad54", "type": "eql", - "version": 108 + "version": 109 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { "rule_name": "Host Detected with Suspicious Windows Process(es)", - "sha256": "7583da02b3461f3c8c23ab008a83a819453635fa8a62df30def1136237e68078", + "sha256": "78e88e33d9c078480535176d94c745523d1b5cdc53faa7f6dc0c4bb98f303dca", "type": "machine_learning", - "version": 110 + "version": 111 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "rule_name": "Unusual Remote File Directory", - "sha256": "b656146b40333aa0bbb38207431e1bda4ac60ed0c81425452fc9bdbeb293966a", + "sha256": "3b62f382cca1d5aa8845239afb457e39f5a035382660884911727b4dd5f91aba", "type": "machine_learning", - "version": 8 + "version": 9 }, "be70614d-4295-473c-a953-582aef41c865": { "rule_name": "Potential Data Exfiltration Through Curl", - "sha256": "6ebfa1674b4fb1f63c8b2f093c2b147a12ca9cc31050e7e5dcc13e1338e4bd3e", + "sha256": "10a4816f54ea177fa9e3d1289e45f425f1497b53d4964f359dcd7a1cdd2e729d", "type": "eql", - "version": 6 + "version": 7 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "rule_name": "Searching for Saved Credentials via VaultCmd", 
@@ -8606,9 +8650,9 @@ }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", - "sha256": "dcf1b4b02597d1fbb9117d6283301d1cc4dcfdaef977185fc969396736431cdf", + "sha256": "e53e01ad1dad386bc602403ad1b1c7f04959ea318f3613e082d51bf040d08cf0", "type": "query", - "version": 212 + "version": 213 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", 
@@ -8630,33 +8674,33 @@ }, "c0136397-f82a-45e5-9b9f-a3651d77e21a": { "rule_name": "GenAI Process Accessing Sensitive Files", - "sha256": "bd69d866074bf4d6cd69d9bd018b8dbfc035fccbb9aea55c4d0fd9a2bbf0a2d1", - "type": "eql", - "version": 4 - }, - "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { - "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "5208299f996ad99bd98466a5f61746b69aacc186c2a0462be9bf785783db4e0e", - "type": "eql", - "version": 113 - }, - "c0429aa8-9974-42da-bfb6-53a0a515a145": { - "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "4953192d062873314b4f801999d784d7d345b2594beb605d599a5d09325a9805", - "type": "eql", - "version": 313 - }, - "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { - "rule_name": "AWS IAM Login Profile Added for Root", - "sha256": "74ca3a72d0eabe28dd5c38faab3e9d4d9ea86ed1a38b68c9e88498f41f084582", + "sha256": "fff30a21597fa127c872708fa401f4c529403d667c7125ebd8013e5aad23a140", "type": "eql", "version": 5 }, + "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { + "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", + "sha256": "0bd519abe65e56eef7207d3456911a0aaaeb511637bdc1491f081d31cf4b7bcc", + "type": "eql", + "version": 114 + }, + "c0429aa8-9974-42da-bfb6-53a0a515a145": { + "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", + "sha256": "8982ff1e520c4ea2fac7e7d0c08177e42ec01a9859b6966ac01685fc4a948f22", + "type": "eql", + "version": 314 + }, + "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { + "rule_name": "AWS IAM Login Profile Added for Root", + "sha256": "5ea4300c4120cd499f435e400fee9a298ff5ccdefb2e57454d86d5af86e773de", + "type": "eql", + "version": 6 + }, "c07f7898-5dc3-11f0-9f27-f661ea17fbcd": { "rule_name": "Azure Key Vault Excessive Secret or Key Retrieved", - "sha256": "532e349acfc6e6aab0897022466d2fc9b643a5fffd27576778848cd32cc20dbe", + "sha256": "bcd9f7ffa49224ec115854a811b87d190eda31293324e0f9f94550270b0553ea", "type": 
"esql", - "version": 6 + "version": 7 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", @@ -8691,15 +8735,15 @@ }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "9a970e5f890eb12630cec204f47833b5e4c7575dcb58e8e2ef15689f162e64c9", + "sha256": "4976c842ac56a58e89e3692662b9d7ff044c8e03e60f14cdb0b9e605c1b53a27", "type": "query", - "version": 211 + "version": 212 }, "c18975f5-676c-4091-b626-81e8938aa2ee": { "rule_name": "Potential RemoteMonologue Attack", - "sha256": "ccc74ce67ff73841a84622e148b60bd2f573cbd316e7818dc2308c87b4714326", + "sha256": "ca2e72f536d6b88239ddbccd6ba2ba34e48002360725af8721e789991edd95b0", "type": "eql", - "version": 4 + "version": 5 }, "c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collection Deleted by Unusual User", @@ -8709,9 +8753,9 @@ }, "c1a9ed70-d349-11ef-841c-f661ea17fbcd": { "rule_name": "Unusual AWS S3 Object Encryption with SSE-C", - "sha256": "729840b0257c2eb8e9321efb5e5bb49aeac8813a3cecaa56977db51e30036bcd", + "sha256": "a9287ee9d3d4bfdbb455e4a588537f4c1168ad937f0b7bef1edde049c7340b82", "type": "new_terms", - "version": 6 + "version": 7 }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { "rule_name": "AWS EC2 User Data Retrieval for EC2 Instance", @@ -8721,9 +8765,9 @@ }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", - "sha256": "90f4cf252faaaac2dc8deed5c5717b0be78711928ecc299a039b6460196f7be4", + "sha256": "ee0bd1f86590675b1968e6c9acb3c60ff51ea57e2c22d45881495ae30a89caae", "type": "eql", - "version": 106 + "version": 107 }, "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", 
@@ -8733,9 +8777,9 @@ }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "171b64c3655d63c4c9bc56f78576500ad24e42302644e1e342e4c67cffc91e94", + "sha256": "0de4bcec251458feeef6095e125d1e7b8c7bc63b1d7765d3d4985b8da3134aa2", "type": "eql", - "version": 316 + "version": 317 }, "c28750fa-4092-11f0-aca6-f661ea17fbcd": { "rule_name": "Entra ID Sign-in BloodHound Suite User-Agent Detected", @@ -8751,15 +8795,15 @@ }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", - "sha256": "415473fa35059a5d07964fed000f16360560c80dac0386baf8227972ac37c2f2", + "sha256": "0e4561214fbcbee7b437528faea36307cf2255abd709788284dc2e7f5a740232", "type": "eql", - "version": 112 + "version": 113 }, "c296f888-eac6-4543-8da5-b6abb0d3304f": { "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", - "sha256": "ade96b474e9768ab238966bce7bf5b5bd9756dccb3a1e36f53965027d4c4f781", + "sha256": "3928140ff2c2daa2baa63a3c01524bc5693142c460ae8797ab4165dacfd176cb", "type": "eql", - "version": 6 + "version": 7 }, "c2d90150-0133-451c-a783-533e736c12d7": { "rule_name": "Mshta Making Network Connections", @@ -8769,15 +8813,15 @@ }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", - "sha256": "23db8b09fdb9f4b08efb4ad8bcdfde256153602b55b53b81a85fe1273b9664de", + "sha256": "2ce243e8fc579af6ca9724a16a2f30f2190e9528ffef9972a75dcbfe94ce987e", "type": "query", - "version": 105 + "version": 106 }, "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": { "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters", - "sha256": "13e8f259d203e8ed841c1a188f203e99cf912e41cfbc69b898f8b47aba4851de", + "sha256": "f813eeef96588e7cc2eb90e1e91b32f2b9304bdb6c040357a4cf1ef6b41f0748", "type": "new_terms", - "version": 6 + "version": 7 }, "c37ffc64-da75-447e-ad1c-cbc64727b3b8": { "rule_name": "Suspicious Usage of bpf_probe_write_user Helper", 
@@ -8799,21 +8843,21 @@ }, "c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": { "rule_name": "Suspicious Execution from VS Code Extension", - "sha256": "c801b37699ca3fa63ec4095cd5889b3842b42a66e9a48c161a0dca78c7707c5e", + "sha256": "0ec69c03bb9d7456c9a93544cf20965e854e58b67cdeaaf9ca6f468cf54b22d2", "type": "eql", - "version": 1 + "version": 2 }, "c3d4e5f6-a7b8-9012-cdef-123456789abc": { "rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity", - "sha256": "cdb4bf583f1114ff298aa113567237a8727f03bf3675eca5da4ec615db63f688", + "sha256": "2caa4a4c527982a8446df9b6583559e7fa1f9730c1b61832b7d8e8be02e594af", "type": "eql", - "version": 1 + "version": 2 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", - "sha256": "c353bf8d28c1c9cca5662d7a7a69e0a7229505982746bd0b0be3276fbda1444b", + "sha256": "6a1e4a58107207bd64985edd80b630efbfb2c0257405b1e8eb91b08ce480f0eb", "type": "eql", - "version": 107 + "version": 108 }, "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c": { "rule_name": "Multiple Remote Management Tool Vendors on Same Host", @@ -8829,15 +8873,15 @@ }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "daac0bc012c68171ee7eecaca5a8245783c20db64d1f94bf65beaf3c89bd75fa", + "sha256": "bdbd89ee7db4fd96cf5fb0c39b561b6daedf290cb18f66ed80fa0442e0a5d44b", "type": "eql", - "version": 310 + "version": 311 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "rule_name": "Windows System Network Connections Discovery", - "sha256": "54953666f891c689614cbee244e6c837541a8003ef5b0ccd0c482029d4f2220a", + "sha256": "212aaec8993088800bd4d7f70a7332eaf7e5bc714183097e26fb19acf8ebc70e", "type": "eql", - "version": 6 + "version": 7 }, "c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": { "min_stack_version": "9.3", 
@@ -8848,9 +8892,9 @@ }, "c55badd3-3e61-4292-836f-56209dc8a601": { "rule_name": "Attempted Private Key Access", - "sha256": "e707e3c1a46f94d7499ab0a59780aea166d33755a2683120a0dd1227eaf3df43", + "sha256": "433198f3e83515be6a9fb2d81a58e55f395ca9b6c12755ce513c08a8eccdf886", "type": "eql", - "version": 110 + "version": 111 }, "c562a800-cf97-464e-9d6f-84db91e86e10": { "rule_name": "Elastic Defend and Email Alerts Correlation", @@ -8860,9 +8904,9 @@ }, "c5637438-e32d-4bb3-bc13-bd7932b3289f": { "rule_name": "Unusual Base64 Encoding/Decoding Activity", - "sha256": "54486ef06f4739ce2602ae30107b8d9100006c9cfafff813156cafb6153a2266", + "sha256": "e21136bfb6c1f28166ad9f1507c6fae94e9e72605c1e755f3dde075789a00a6b", "type": "esql", - "version": 8 + "version": 9 }, "c5677997-f75b-4cda-b830-a75920514096": { "rule_name": "Service Path Modification via sc.exe", 
@@ -8872,27 +8916,27 @@ }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "0641c9ee39050bac0336ca03815f4418d8f42b3f9c4a05788a18e4b115f51438", + "sha256": "5d22b0424e8074f59090697192854f19c4859b2ae43a07b5dfe118636a38dc63", "type": "eql", - "version": 313 + "version": 314 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "37a8cf43dbd537aa0901deeae2eaf9f766dfce63e61823daae640cd566c4dbb8", + "sha256": "f85e79d75f82ee75f3edce31aa9b650ee2f9ea037634e7e151fd698850c792ed", "type": "query", - "version": 107 + "version": 108 }, "c595363f-52a6-49e1-9257-0e08ae043dbd": { "rule_name": "Pod or Container Creation with Suspicious Command-Line", - "sha256": "0978c07dd959e8239b4ba8195831bf80b8e8978c16d7aae614691c0d82edec11", + "sha256": "6a5835653ce8a44460f7a6265334f5715cec34eef906940d610adfd93fef4883", "type": "eql", - "version": 1 + "version": 2 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "a53e65d2430e3ea2e00f15ea40f9a151c2ea30db22fa0dca97a1936c8b70f192", + "sha256": "3b29d97c23b63018824312b0e3bb53aea47e80865bd2e078156b6a7eb1a048f2", "type": "eql", - "version": 211 + "version": 212 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim Databases", 
@@ -8902,27 +8946,27 @@ }, "c5da2519-160c-4cc9-bf69-b0223e99d0db": { "rule_name": "Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt", - "sha256": "a0d9e978b3b963c3ac8dbeec2961f7bc2230436817e053ddfe69b035b30fb9c5", + "sha256": "6b7e94971186501aac3530e4bee4b1247c1391d2aa9afe212581dacb76d121a5", "type": "eql", - "version": 2 + "version": 3 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "41d2711d82ae1036c71c33e1e80f65df27a0f498c1f2d93e5864e359920cc5a4", + "sha256": "edbd3217e44f72ff853e25abf17ad68fd778160b077a05496ed7287c137fc8e4", "type": "eql", - "version": 315 + "version": 316 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "167111eaf58a3bbebd2719d2939ba47beb2bf57e4905de19dcb49e47b08bea57", + "sha256": "847e2b8eecaed755caafcb1b8eddd7fc4b22f1758a6fa63874850974cc588937", "type": "query", - "version": 105 + "version": 106 }, "c5fc788c-7576-4a02-b3d6-d2c016eb85a6": { "rule_name": "Initramfs Unpacking via unmkinitramfs", - "sha256": "3377babcb31164f78cb4544423ee54b63d1817459e38c4bfb401f150681ecbd3", + "sha256": "670705faa3fa17cf9262d86f5f84c89d2b19a8d98e66695f0d696dd97dee6195", "type": "eql", - "version": 5 + "version": 6 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", @@ -8944,9 +8988,9 @@ }, "c6b40f4c-c6a9-434e-adb8-989b0d06d005": { "rule_name": "Suspicious Kerberos Authentication Ticket Request", - "sha256": "5a2ab9f129366aaf001a9bd121ce1e65ab4ae4f1eae88702d2b15ca145a1e6d0", + "sha256": "8736d228be608f8444c05b92524b70cad9521695df3889cb526d6ff03c7ca3d5", "type": "eql", - "version": 3 + "version": 4 }, "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": { "min_stack_version": "9.2", 
@@ -8960,9 +9004,9 @@ } }, "rule_name": "AWS IAM API Calls via Temporary Session Tokens", - "sha256": "2ab33e3210faabbf21634cb53b667334ab3853f7a3edab5accc936e62e0092c9", + "sha256": "e51a13afb9b1276561368d3c0c84bd100068d5317bcbdf866a80643237f4e16c", "type": "new_terms", - "version": 106 + "version": 107 }, "c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": { "rule_name": "Mount Launched Inside a Container", @@ -8984,21 +9028,21 @@ }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", - "sha256": "dd1e7889df2c7ca7ad63523e2f2639f629b061768c4fb25e91a27e3da587f33d", + "sha256": "5abdcb56935324216ff8d42e978ebb491fbe54cafcc4d7fe8b3ac582d9ad5be1", "type": "eql", - "version": 6 + "version": 7 }, "c766bc56-fdca-11ef-b194-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Client", - "sha256": "acdbe411fad108d24ac7d90b26bc1d8a6292f370fd265a7a8ceb8dcbe48c8681", + "sha256": "f109d4fc8194a0bea030cd351da44fecb6da97d3d264195c2d2f218e04018ff8", "type": "new_terms", - "version": 5 + "version": 6 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "rule_name": "Unusual Network Connection via DllHost", - "sha256": "3048fb1cb33c9d61e64c57c88bc310c6f76330a531c1a04fc2cbf5fa9a962e53", + "sha256": "b0a32508095aa70040c9d8bf3ca82bc1e968dd033a273746e7225b568e964c84", "type": "eql", - "version": 211 + "version": 212 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", 
@@ -9008,27 +9052,27 @@ }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "rule_name": "Unusual File Operation by dns.exe", - "sha256": "4d49a5bd41e3590655a8d2043aece053a6a244c67f1919e2cd24eec334e11d00", + "sha256": "e6471c46e4aa6f38d5ebc7c9128f2f7352361f9bd28640ed8cd1fe64060c0f41", "type": "new_terms", - "version": 216 + "version": 217 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", - "sha256": "0e93c7c9d8c379f5113f5da64c80c41a4baa81ef5c9f06da338f591b12f797b6", + "sha256": "3400eb9c633145b2e7439c65f498db5bfb7dcafd680699d908e79e11eda2a0fd", "type": "machine_learning", - "version": 109 + "version": 110 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "ab323cd4136ecba4ec4deb2bbe62345240087bafcd8ef51b2651926b6c108c28", + "sha256": "c214ac68f9bcf286e1bb6d40a6982c5bb92697877f85be0a95fbf6efa738cd74", "type": "eql", - "version": 111 + "version": 112 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "41eeff0d6b77b5166fca7d002d1570c3525c02a9afe6c94de757a4c836923659", + "sha256": "80690e02a31f15148910ec2ee7236e4bc03cc849563c838fd8af5e90a1444b1e", "type": "new_terms", - "version": 108 + "version": 109 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "SMB Connections via LOLBin or Untrusted Process", @@ -9038,9 +9082,9 @@ }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": "4755df4d8fe4221cbf2e2a70a0429b0cdabd6b9d109872751e2563e95e594424", + "sha256": "10971404f4a346079b0483d85790d52dc211b28704722b156c33bb04e4afd15d", "type": "eql", - "version": 108 + "version": 109 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", 
@@ -9074,9 +9118,9 @@ }, "c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2": { "rule_name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource", - "sha256": "8a9ebdfe9236d7201f3e30cc3841547ebbacf7f90f7567d0b5da622f349dfcfd", + "sha256": "c69ebd1e055528c11c168ab190eb8599b27185d2fce7ea7a2e92a40a5426437b", "type": "new_terms", - "version": 2 + "version": 3 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", @@ -9086,15 +9130,15 @@ }, "c9636a6e-125e-11f1-9cd3-f661ea17fbce": { "rule_name": "M365 Exchange MFA Notification Email Deleted or Moved", - "sha256": "df3b151df4fd569bcd9b3f33c7f7bf9ce148405ff51fcf9a672aa8413b0a6ba8", + "sha256": "1f5b1b963a4b1164cc7a7bd1d5e092a5dc02deb402165183832e4dad3cc03f67", "type": "eql", - "version": 1 + "version": 2 }, "c9847fe9-3bed-4e6b-b319-f9956d6dd02a": { "rule_name": "Potential Remote Install via MsiExec", - "sha256": "c059148c2721ed1f7b2d8824e5dd41b2d93e06364fe138d59d4295a56ce0484d", + "sha256": "4546208062ec7234e2d91a8987203f9e246829ab84b577d600d62df86bc13a38", "type": "eql", - "version": 2 + "version": 3 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", @@ -9104,15 +9148,15 @@ }, "ca3bcacc-9285-4452-a742-5dae77538f61": { "rule_name": "Polkit Version Discovery", - "sha256": "e4bec6658d6405825240fbf346b7b226e3557e511f56be55c68077970103f48f", + "sha256": "9057c8fc734774b49324b875ba5e83569cc77adb125c1abb70688ebfedcdbcc3", "type": "eql", - "version": 6 + "version": 7 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "M365 Exchange Malware Filter Rule Modified", - "sha256": "18a1ba7eebeeb47c4f007c39127a659ac95e7fa31565c171bf1ae73f2d794bed", + "sha256": "b107f7712f9a208373f6b2998e169a884c9513c8140ee511d87325185fd7649e", "type": "query", - "version": 211 + "version": 212 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", 
@@ -9122,9 +9166,9 @@ }, "caaa8b78-367c-11f0-beb8-f661ea17fbcd": { "rule_name": "Entra ID User Reported Suspicious Activity", - "sha256": "a34b5d65dc328f2775a7359f20afa71e00d0dc77dbe92edb183e95b6e260c34b", + "sha256": "234b1f812cc26ea5ae0c3204d763111e0adf06969bee74d8d97d614d0467f805", "type": "query", - "version": 4 + "version": 5 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", @@ -9134,15 +9178,15 @@ }, "cac91072-d165-11ec-a764-f661ea17fbce": { "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "03e6cbb21ddd14cf08bb9645a2d0dfcb6f8c2a81dae5d4521565837f33ea95e1", + "sha256": "7741096692f9fe425bdb8c608cb7b6d139ecb608252b6e1bc29bea7446dce8b8", "type": "new_terms", - "version": 218 + "version": 219 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "9a77d3bf78caa364a3501dc4041e9ba9e5c3d13e2b3b7aaa5eb6abdaaadfec14", + "sha256": "e0fa508f8a66ea03208554588ec6fdeace556b98a7dad66db3bb6d13f40f9328", "type": "query", - "version": 210 + "version": 211 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", @@ -9158,9 +9202,9 @@ }, "cbda9a0e-2be4-4eaa-9571-8d6a503e9828": { "rule_name": "Kubernetes Secret Access via Unusual User Agent", - "sha256": "779866cad0e79ce9f2c9c7234c09cc2ccc2d4642c9bec7b268d036a244638cd6", + "sha256": "216b03bd8030750a1829b8992b0cedc35d4862d62686159b6ce6dd6438776fd5", "type": "new_terms", - "version": 1 + "version": 2 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", 
@@ -9170,15 +9214,15 @@ }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { "rule_name": "Attempt to Enable the Root Account", - "sha256": "1d11314aa3de8e4ec889248829226cc47dcc245b1c1b32bd6d7b81f27312a317", + "sha256": "dc65243f14859cec0de10c90d31e854d1dfab19c45872d94ad5938971bf56fe6", "type": "eql", - "version": 110 + "version": 111 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "8e7204daa15aa64acf5ab9e352b8e028ba759ad98fbff579bc815a9848e31909", + "sha256": "821fa84a157656b3c90f9017a3af1f8a6c21d8ad85fe4c3b0219312cbff30633", "type": "esql", - "version": 309 + "version": 310 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", @@ -9188,21 +9232,21 @@ }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "rule_name": "Google Workspace User Organizational Unit Changed", - "sha256": "121726cd64a95f6fae236ff3668a6aa031ca24474771917197adeccf8a133e7a", + "sha256": "338376af242b33172d898fba84ece33ffc3f89c31fe7c92c5a081072164b5732", "type": "query", - "version": 109 + "version": 110 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "925c8d54bd81af668dcd38ad3ea61b8e8d48f40b0db136c69e8ddb6d02698414", + "sha256": "7471cc381cf028628928655debc7fbfb438f73b595c02aac92e7e2c426a66d7b", "type": "query", - "version": 107 + "version": 108 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "ad8b058fbd73eb0d1d35b377a0e40d51bff4555e31e6a3aae172ebaa6c924480", + "sha256": "d7d6be81fb7b35412b0959c15b374ed93f960acb5195bc2d0ca60ac6cd18890e", "type": "query", - "version": 414 + "version": 415 }, "cca64114-fb8b-11ef-86e2-f661ea17fbce": { "rule_name": "Entra ID User Sign-in Brute Force Attempted", 
@@ -9218,22 +9262,22 @@ }, "cccc9be5-d8b0-466e-8a37-617eae57351a": { "rule_name": "M365 Entra ID Risk Detection Signal", - "sha256": "392041a3844e680f234c92dc4275823b02292a6f5e26d39151ebe50958c2231d", + "sha256": "80306f186a6e389d65f795a639aa14cc2d0d5e9278ce95f2eadbef633acdebc2", "type": "query", - "version": 1 + "version": 2 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "e5f40a33e82975840bc65f1ac5e0feec696b92cfafff003e9fb617478b68b0f7", + "sha256": "cc7b5ab7a7faa4c73249b1efd1b07de83a0946a5cc0c23ca201e6037eda52681", "type": "query", - "version": 413 + "version": 414 }, "cd24c340-b778-44bd-ab69-2f739bd70ce1": { "min_stack_version": "9.3", "rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers", - "sha256": "dd5558b655f37b28a249477f9e372be817a1484e796ea566c51b3f8135df88d8", + "sha256": "e426cd61370f7a3337d24e8fa843cb3ff9bc78469f0b54ef7f2f20320130b2e9", "type": "eql", - "version": 2 + "version": 3 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -9243,9 +9287,9 @@ }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "6e739a1f4016e28fce4154f8593038c7ecf0675e1a1efc95f9e34a304b94a2cc", + "sha256": "35c7e422c3df463c1657227267587350013b8a6f6625e624b528caddc9621936", "type": "machine_learning", - "version": 107 + "version": 108 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", 
@@ -9255,64 +9299,64 @@ }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "rule_name": "Downloaded URL Files", - "sha256": "4a47b2f5d23fc106e911c3431fc7d04910bf0abfb0acde9b0815898441f17516", + "sha256": "3b971c7b326342ceecf24fb181f3d8ef5fb3f417813fdb7d5c7461b798d01463", "type": "eql", - "version": 7 + "version": 8 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "bf90da01585328d17be5647a18e2fc86f587ba6f75076c99f406a8bb81f8dd88", + "sha256": "36660dae7d9205f03ce3876ce3eedb67e5ec8da8ad60110fc05fa3f1a469959c", "type": "eql", - "version": 417 + "version": 418 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "rule_name": "Okta User Session Impersonation", - "sha256": "fd20dd3278688d63cc6c90f2a764d862c712ec3c2bf755f14cd15a06830ed4af", + "sha256": "610364b7c0fca876936de34e1d2e6e8a594f33f2c5447b49b5d22711ac4ecc69", "type": "query", - "version": 414 + "version": 415 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "1fea0a2f7ea3bb2c16b62b1430f80ebd513dac2500b61d345a23a244da6d0f00", + "sha256": "4be76e64dd78a60dd653583d166ff23a96f61d81cc9540d321047abcbecc57ac", "type": "query", - "version": 220 + "version": 221 }, "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { "rule_name": "Shadow File Modification by Unusual Process", - "sha256": "f51aa3f3b9cbf11d092933794749cd607580146c5a8d3123121f8fd0c2e675fc", + "sha256": "fa212f11ff7dc31c458f4c5b4a44abf511bad5178eaab6a43dd2471e02b8de8b", "type": "eql", - "version": 6 + "version": 7 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", - "sha256": "f3580149e911351b1ef86e81e65c4cf6c2023cc99c8c0743a7bec9e560389b32", + "sha256": "cb096a6dea392aedfc4158c3ea6faa4bbc4ba5dc20f240c5c486db678b44a67e", "type": "new_terms", - "version": 207 + "version": 208 }, "ce08cdb8-e6cb-46bb-a7cc-16d17547323f": { "min_stack_version": "9.3", 
"rule_name": "Unusual City for an Azure Activity Logs Event", - "sha256": "441a4f1d55325a1222ec8e48f957b86abb0aba011fec2c67feae33279fcee26c", + "sha256": "30df431b2784b5a707dfdd493977ad52e071e6ea4ef199bc4a1474e010c0f823", "type": "machine_learning", - "version": 1 + "version": 2 }, "ce4a32e5-32aa-47e6-80da-ced6d234387d": { "rule_name": "GRUB Configuration File Creation", - "sha256": "85c46d9160a01a7051be6ea8c170a76720222e1a7a43aa5f113a868ffb132c84", + "sha256": "8171cdc003b23ecc74cd941913d99aa321de69230dc036f86df3e89ee88cc8a6", "type": "eql", - "version": 5 + "version": 6 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "09087f914a3c126533c0de3158f57d7751d164361f1f81db15d9b3876a3df847", + "sha256": "a862f0ee4740add69347de8e985637bb8c15a241001db3f8cc128436def5ac73", "type": "eql", - "version": 315 + "version": 316 }, "ce73954b-a0a4-4f05-b67b-294c500dac77": { "rule_name": "Kubernetes Service Account Secret Access", - "sha256": "88dd742313deb546b807380819cb68b55d2d56fbad18f1995684fc407c9e68a1", + "sha256": "f037b6877c9466fa03677ff27ac9dc757799db083eafb89b01048fb5fb2e5336", "type": "eql", - "version": 3 + "version": 4 }, "cebabc1e-1145-4e39-b04b-34d621ee1e2c": { "min_stack_version": "9.3", 
@@ -9329,15 +9373,15 @@ }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "358f978a2e6f3e446c7216cd749cba581f6d777dd924f3883764e299d4ff4945", + "sha256": "9abac0d246326bd11a5c0f896b8ca3336ae4a3579c7adfc1acc36ff1c727bbcb", "type": "query", - "version": 106 + "version": 107 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "79a815bfe76e67bc24d51ea9ef619e32bb4055c15b4846ebe777ed42e5c6f1d3", + "sha256": "3f4624204ae6fd0f1eed09c6fb0f88bdb724fb91f46e9ff02a4313d8db5bdcff", "type": "query", - "version": 208 + "version": 209 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { "rule_name": "Deprecated - Unusual Discovery Activity by User", @@ -9347,15 +9391,15 @@ }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { "rule_name": "Trap Signals Execution", - "sha256": "fb9b4b1726b85fc2cfd187b29071300f8b35a7bf14198061a2d21ac2cd7fdbaf", + "sha256": "5d1c2a7fa37d485677c9525e57187ee14cae40657b6b37b87075a86b32fd53f2", "type": "eql", - "version": 5 + "version": 6 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "630b88a3364fbe8639133004b3bbe4f833208f2804012fa6a85120ad434c6d85", + "sha256": "e97d7df79858f61197c671d6926f57ab3b88a69fabed29d9567f93e9f12dc290", "type": "eql", - "version": 319 + "version": 320 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "rule_name": "Archive File with Unusual Extension", @@ -9365,9 +9409,9 @@ }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "8c05198a2611a9e538996fe4b19f24cc57aac06fc4c39687a77015f01794b109", + "sha256": "bea2f089b581a7b037ab2f0e416094fc9f5f92ec207fed7243cef5ffe932e2d5", "type": "eql", - "version": 114 + "version": 115 }, "d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03": { "rule_name": "FortiGate Administrator Account Creation from Unusual Source", 
@@ -9387,9 +9431,9 @@ } }, "rule_name": "Cloud Credential Search Detected via Defend for Containers", - "sha256": "06225be504fa72a83c99628e858b3fe5b84aa7da72d9175202ed5f07c09c016f", + "sha256": "152389ffbec21b8c6cf4900a221557e3cbba23580dac8dcec675d8f6d38962d7", "type": "eql", - "version": 103 + "version": 104 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", 
@@ -9399,51 +9443,51 @@ }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "d3a52256086f20e3515d09e0eecbd462fd3912d7b2d978f5e544bbab87146f22", + "sha256": "c72dc96083ad4f6a138434337eeaa80d3c9ee6abf005c9b38b48c3119c21eb71", "type": "eql", - "version": 316 + "version": 317 }, "d121f0a8-4875-11f0-bb2b-f661ea17fbcd": { "rule_name": "Entra ID ADRS Token Request by Microsoft Authentication Broker", - "sha256": "5feda5d73ab4d3ab81c92e2bb7f1a50af9c48b0a747bccc3751b155732abde29", + "sha256": "186fa8e9e48f17bdd811b333cc800a701fa71dbb0a502a7d08b690710e3d4f85", "type": "query", - "version": 2 + "version": 3 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "rule_name": "Expired or Revoked Driver Loaded", - "sha256": "11b8167c23291c967fa2a069f2063970f0d8fa874b642503e2b9ce0b1cbc7496", + "sha256": "0736c6f8243cbdbe153b9631ee71fb38f2c113ab8f5a97601a451de905402a3b", "type": "eql", - "version": 8 + "version": 9 }, "d197478e-39f0-4347-a22f-ba654718b148": { "rule_name": "Compression DLL Loaded by Unusual Process", - "sha256": "e460aefe896a4ca7a07b897e1d955f90b2add567d2d43c3a435b632d77a34bc4", - "type": "eql", - "version": 5 - }, - "d19a2399-f8e2-4b10-80d8-a561ce9d24d1": { - "rule_name": "System Binary Symlink to Suspicious Location", - "sha256": "38f91221ebf1ad1f815b2410711902a446bf634093f757a94276a1fc84a35506", - "type": "new_terms", - "version": 4 - }, - "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { - "rule_name": "AWS EC2 Instance Console Login via Assumed Role", - "sha256": "e81a04e3fd65b851b65dbec3a2b0a2b3d8ce15389bf8ddbc09e564e84ab18324", + "sha256": "b8ef92cb19cb52e0bd7fb40cff7396636355fc683271c5bf1dbbd88a63e7753c", "type": "eql", "version": 6 }, + "d19a2399-f8e2-4b10-80d8-a561ce9d24d1": { + "rule_name": "System Binary Symlink to Suspicious Location", + "sha256": "83f4835ace6e0cacb08b95892e3708076af8aa86de8a18edb56b641b451e2d61", + "type": "new_terms", + "version": 5 + }, + "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { + 
"rule_name": "AWS EC2 Instance Console Login via Assumed Role", + "sha256": "7d5d915447ba165dbd1403ff480fd59335c6ac23888a7f985ead6216cac3831d", + "type": "eql", + "version": 7 + }, "d1ee711a-a3ba-4d73-b5ab-84cab5b37fb3": { "rule_name": "Curl or Wget Egress Network Connection via LoLBin", - "sha256": "3fbf4a9a5915e2ed78be6e0a19ab14fe424f8227b14736cc0d2b6e2cbbb83137", + "sha256": "ce203e6ef36a4f383860bdf870609761df68e02c57e8d531399a85f8423111d2", "type": "eql", - "version": 1 + "version": 2 }, "d1f310cb-5921-4d37-bbdf-cfdab7a6df9c": { "rule_name": "Privileged Container Creation with Host Directory Mount", - "sha256": "16394afb9f2c78168b53837f4bd19e6929e026be8f08c8291b17ea82e16d97ba", + "sha256": "75d684bf84179e6a25e644ac7d2db82a2d829dfdf5935cebecd941e03db6bf7d", "type": "eql", - "version": 1 + "version": 2 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", @@ -9453,9 +9497,9 @@ }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "429422145532225bd65534fedd80e071ba1dafca49a047729750299bfe3d4af9", + "sha256": "762e4b15bacae2524f2eb4f6453f08cbabda5dc4ec577ed0a48d96b0f24b35df", "type": "eql", - "version": 110 + "version": 111 }, "d26331be-affe-46b2-bf4e-203d0e2d364c": { "rule_name": "AppArmor Profile Compilation via apparmor_parser", 
@@ -9465,15 +9509,15 @@ }, "d2703b82-f92c-4489-a4a7-62aa29a62542": { "rule_name": "Unusual Region Name for Windows Privileged Operations Detected", - "sha256": "4a27a3971ab4ac2abd8929f07178a8052f887401d8443d1e1f49f090638b2f20", + "sha256": "7d7f91e46122ecfa96e68cf202a12ce57732a41f839a42d4fb9c06d5e92c3f06", "type": "machine_learning", - "version": 3 + "version": 4 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "4afd57a339d41912ae7ad833a7198061d9c2c8b8d84ef2755fe3994daabfa5c3", + "sha256": "38940757fca1ddd027a120feff3f423b8e79c1e6230955632fd198e0fe178c11", "type": "eql", - "version": 315 + "version": 316 }, "d32f0c27-8edb-4bcf-975e-01696c961e08": { "rule_name": "AppArmor Policy Interface Access", @@ -9483,15 +9527,15 @@ }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", - "sha256": "6b9f951c8a016b83f49461ef758a4357b60f7b5a193b7244d68edf903d216ae8", + "sha256": "5d84f22c162fe4ff95b0ecc0aaf1ce02711745197686b3b097a7b8c8fd376267", "type": "eql", - "version": 319 + "version": 320 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "rule_name": "Remote Windows Service Installed", - "sha256": "f7391c261eb5cadf9fa292909ae5f7bb001644d1fafe546a3efac5fb51e4d32a", + "sha256": "0e984edd1d08434ad42472f342632652f77b07c2ede678799d9aa2e0c2dedaba", "type": "eql", - "version": 112 + "version": 113 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { "rule_name": "WMI WBEMTEST Utility Execution", 
@@ -9507,21 +9551,21 @@ }, "d43f2b43-02a1-4219-8ce9-10929a32a618": { "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", - "sha256": "7c5e02a840182b33f4790c944b9ec48af5f79dac23befdb0f069ef00258b4e70", + "sha256": "507195f030dbfb333fdf4a137642e63632da2654b5a69d8f1b4552ec78585ce4", "type": "esql", - "version": 9 + "version": 10 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", - "sha256": "2527c4142d94796d2b6a29956710c8e839a75d3f11fd53b71390789e00214068", + "sha256": "dde2f1948e3783288c5dda0fd4b020d47ac4e2ebc6daebe917d4a373dac35ab9", "type": "eql", - "version": 112 + "version": 113 }, "d488f026-7907-4f56-ad51-742feb3db01c": { "rule_name": "AWS S3 Bucket Replicated to Another Account", - "sha256": "0278be6dda863249c11fe7d34a3ca5b26ea3b6d7608b458d13d3f818c99b7681", + "sha256": "64f021972b8c1ca4a6d06cdfb5fa138082847328da4dc274b4f759003ce1e67c", "type": "eql", - "version": 6 + "version": 7 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "rule_name": "Attempt to Delete an Okta Application", @@ -9543,9 +9587,9 @@ }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "0f5821323d386dee70029098f8d95f174c2b5cd85f465e9f17f90766c6facbe7", + "sha256": "c9833b1d069a636b244cc7e624faecf1e2964d7a6b4cf53d49455c51c3a33462", "type": "machine_learning", - "version": 107 + "version": 108 }, "d4e5f6a7-8b9c-0d1e-2f3a-4b5c6d7e8f9a": { "rule_name": "Azure Compute Snapshot Deletions by User", 
@@ -9562,15 +9606,15 @@ }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "b83c3c1532b5af713bd9011025fcc17c4214c07593127a7a206e19e9fb5e28a2", + "sha256": "12504527fe33d0f0d50bdee315c515557afbc1166edfdce8c68ddf82b11d3817", "type": "eql", - "version": 111 + "version": 112 }, "d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c": { "rule_name": "Kernel Module Load from Unusual Location", - "sha256": "56e955ca39d25c4cfa531933b411d67ed74652d81495207e8d2ef7c743af219d", + "sha256": "42ab912e8f87151cc830318d80b8fcacef86ad752a051c7f3c2a5bafdcc76af5", "type": "eql", - "version": 2 + "version": 3 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected", @@ -9580,15 +9624,15 @@ }, "d55abdfb-5384-402b-add4-6c401501b0c3": { "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", - "sha256": "274dc56a6e1e3f97442ae5bfcd16d363d4283ea38f6abb9190081c4f7d31f8f2", + "sha256": "39da3f93465e6657006f53771e217c4fc049da876a80117b4cd2e4d6ba155a2f", "type": "eql", - "version": 7 + "version": 8 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "15fe34ca3118484deea0a66f9eae2dd88581f0e7135f0478d0ab3f9b5e98a61b", + "sha256": "6f71886a7c6f57912198b39f952f340684fd719a263e0f0d8b567dfb6623aceb", "type": "eql", - "version": 313 + "version": 314 }, "d591d7af-399b-4888-b705-ae612690c48d": { "rule_name": "Newly Observed High Severity Suricata Alert", 
@@ -9598,33 +9642,33 @@ }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "bb64864ae4182c5c20617d0c144142f701fef1633a31bec20e5d737717157f13", + "sha256": "f7406f6e8e4f99730b2de0d9ba6def938c6d07a72f848be0b8200535ccd2b8b2", "type": "query", - "version": 413 + "version": 414 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "rule_name": "Service Command Lateral Movement", - "sha256": "2a32aeadc451efbdde9e929bbcf28e8a11e5c007b9b33dd0b853ad20943cd907", + "sha256": "ec792d8d6d68da3e40b7831bee052b65e3bc492647c62a9ccecc030221e53956", "type": "eql", - "version": 210 + "version": 211 }, "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { "rule_name": "Unusual DPKG Execution", - "sha256": "99110576912a770abca53b691f3644a5e26b87ded92c2ac26e342b388785161e", + "sha256": "189ec619c7b3f1acbaf3ec85c31d1cdef910e9f4fb1e9eee4e320cf66524c3eb", "type": "eql", - "version": 7 + "version": 8 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "5dd0735831fd4a14204ba795e70b8a5793d58eaa264bfa1a33c4c7094e438fd5", + "sha256": "00f4d49dfeb68624a5a87a0c501c0520de98b897d23522a52d9087cc2b8b5ae8", "type": "query", - "version": 213 + "version": 214 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "8efda573b2a1bac665b991f72ec074f93082501d2f067f80ad8faf6f686205bf", + "sha256": "6e71e2cf0d9f82acce1ceeef7b183af71e081896822b2f273db61ec4f9205018", "type": "query", - "version": 108 + "version": 109 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", 
@@ -9646,21 +9690,21 @@ }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "M365 Exchange Anti-Phish Policy Deleted", - "sha256": "4fb70852654dccfce55dca864f521914bd56cde848d581895e4c83a2e4e1b00c", + "sha256": "89b6c0d37db190728f7703cf10c9b41edff3a8b275ded8492b41442a5fec841e", "type": "query", - "version": 211 + "version": 212 }, "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f": { "rule_name": "Potential Protocol Tunneling via Cloudflared", - "sha256": "91bcd19a0c6ac9d676ba46dab1a6f60a67056006f701cdedc9b6984a39e4eeeb", + "sha256": "abcda99d0ac746a4fc37a83d52500fe44b794d2e3de44be7f01e91efeb3365fc", "type": "eql", - "version": 1 + "version": 2 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", - "sha256": "b78d84ead9c2e2f8c0b080d7539804c006d2e82dda1e1d1bb489a991d1db248a", + "sha256": "f4b6260448b7a26cf9adb6e7177332c244726837dc94096e73f440a181ccc543", "type": "eql", - "version": 214 + "version": 215 }, "d7182e12-df8f-4ecf-b8f8-7cc0adcec425": { "rule_name": "Pbpaste Execution via Unusual Parent Process", 
@@ -9676,33 +9720,33 @@ }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "M365 Exchange Malware Filter Policy Deleted", - "sha256": "71ade0933a7bec32785b9b65e651af4b2653864c0ac4b43f6bafb8f020212da3", + "sha256": "e780cde82962256d0374ac831ca3dc39e6d52813d73183a96cfb483efd87b81e", "type": "query", - "version": 211 + "version": 212 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { "rule_name": "Suspicious Memory grep Activity", - "sha256": "90316dc22033d912089d941a034d244275e443b6634bc88b197272fe1e1124d8", + "sha256": "bd02b6e884a029c82503af499237b283074d0ca5c44c925afc8f88dcd6162644", "type": "eql", - "version": 108 + "version": 109 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", - "sha256": "f8b1d74f08a045a33b10594b57edfd3f20896d97c6a7c6d78e4ad772596b160a", + "sha256": "0eb4e9b2e8d7ae7e32cea1ab9708d0e2c67a166339ae6128cf014faf53bb202b", "type": "eql", - "version": 210 + "version": 211 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "e7fce547c4db43bb3611e08cc2943197b41498464c41ee416e5e770a83e95700", + "sha256": "6903d7db95ea1e3cd259c3ce0b5ca1cea3642360c9cfae1b6e55c16f174b1c7d", "type": "eql", - "version": 215 + "version": 216 }, "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": { "rule_name": "Python Site or User Customize File Creation", - "sha256": "60863e4019007a38c549c67afc285d909ed41523046489f619dd198934b92715", + "sha256": "b1b0ab169ce762f2b928b00dbc60e869cc527620231972f6845fb6d33ec29a8b", "type": "eql", - "version": 6 + "version": 7 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Storage Permissions Modified", 
@@ -9712,27 +9756,27 @@ }, "d7b57cbd-de03-4c3b-8278-daa1ee4a6772": { "rule_name": "Suspicious Apple Mail Rule Plist Modification", - "sha256": "0f15e69cc154771f61534e30c9066d955ed06e8098f4f9a80e3d8f4b6e45eb78", + "sha256": "a0c45fe46654506f314348d84713c3f366b341eea449497c5470f69c930e5b6b", "type": "eql", - "version": 1 + "version": 2 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "rule_name": "Spike in Logon Events", - "sha256": "354592452a896e760a771da189694898283fef283e30b4cd3fc4d2c8f0deaf52", + "sha256": "317c0266782452758057ef761b442ef54ece9724de45c6cdbb81cc02870772b1", "type": "machine_learning", - "version": 107 + "version": 108 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", - "sha256": "81ffd7a87b123f53ba5a055652cd67738c4cfda70d52d8a9ef566f06d240ce9d", + "sha256": "1b97aafbc2e87437583540015fd4a60ee17b8cce9eb2877890ff1b0acaddf00c", "type": "query", - "version": 108 + "version": 109 }, "d84a11c0-eb12-4e7d-8a0a-718e38351e29": { "rule_name": "Potential Machine Account Relay Attack via SMB", - "sha256": "9a5a94e5c4aade5dd94fd013bdfb06e84c7d6f223f8bf5c214b4f54a36ba6f4d", + "sha256": "c7f056a526e7ce81616db6acf82ab52e38bb997a5eef5833434a31172726d3d9", "type": "eql", - "version": 2 + "version": 3 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "rule_name": "Untrusted Driver Loaded", 
@@ -9742,15 +9786,15 @@ }, "d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": { "rule_name": "Potential REMCOS Trojan Execution", - "sha256": "5edbe0cfcce77f5741297489ab7cd3d0b6fbc30eff4c47b9695617e90a279504", + "sha256": "de2bb38e8505e749478ef2557b81ff9eae12440213cdd0c52622a3073c22dc90", "type": "eql", - "version": 1 + "version": 2 }, "d8f2a1b3-c4e5-6789-abcd-ef0123456789": { "rule_name": "Ollama API Accessed from External Network", - "sha256": "ecc28c21ed2096e0e2c6206a13a70fdc48e94cf4de217f5c528e21df266d1816", + "sha256": "e3733d532630c219d6614d21fb75e356d22f16ec0a9ff3f0f60224843ab8c594", "type": "eql", - "version": 1 + "version": 2 }, "d8f4e3b0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collections Deleted", @@ -9760,9 +9804,9 @@ }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "3f8b720637522efa339b3f4d6a37132a0afde5245c9d019e1cc04b4692608858", + "sha256": "c378e81d539a3f704e304bd4c6d57a1071b11423236b6d9e4e83211c3b44f00b", "type": "query", - "version": 214 + "version": 215 }, "d93e61db-82d6-4095-99aa-714988118064": { "rule_name": "NTDS Dump via Wbadmin", 
@@ -9772,34 +9816,34 @@ }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "9550d120744ff92d7f4104b60b380d0debc4c6bd9a3171d48966998a5dd48226", + "sha256": "22a7a5716153adb0bc953cec387325f9ef05d38345803fda75f633945eb37555", "type": "eql", - "version": 316 + "version": 317 }, "d9af2479-ad13-4471-a312-f586517f1243": { "rule_name": "Curl or Wget Spawned via Node.js", - "sha256": "d1600218fc96bb2a51bece15f870cace393f636ebcf4f68a4d9b06ccf8a80a4d", + "sha256": "7ca35f6a6c0eba849591ca1295bb52c5a29e74d0845523a9c3dbf72eb58b3b16", "type": "eql", - "version": 4 + "version": 5 }, "d9bfa475-270d-4b07-93cb-b1f49abe13da": { "min_stack_version": "9.3", "rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers", - "sha256": "ce0e37c4131266899b3fff16ba9305d4088310293fc2c32ed800451178e89358", - "type": "eql", - "version": 2 - }, - "d9faf1ba-a216-4c29-b8e0-a05a9d14b027": { - "rule_name": "Sensitive Files Compression Inside A Container", - "sha256": "abaae9b121b4c9e85fe7f81aa82f7048fed76d2dfcef8712ec4ff82c33a93706", + "sha256": "07b381c84cab6bd05cd985d2912671b0d45207acb284af1f93837b49a556c20c", "type": "eql", "version": 3 }, + "d9faf1ba-a216-4c29-b8e0-a05a9d14b027": { + "rule_name": "Sensitive Files Compression Inside A Container", + "sha256": "9c333571d80d149931449ce4fe2f16cc2b89cb7d0b97e5360a06a35349eec9f6", + "type": "eql", + "version": 4 + }, "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "aff7d38b73a0e95e989acef5b99c298a4ee9a1cb09ef6eb7a3eda510ac03edcd", + "sha256": "29d2d57874108eb0bb526cbbe763e14057fb72c2c14d18950933ef078eae2289", "type": "eql", - "version": 206 + "version": 207 }, "da0d4bae-33ee-11f0-a59f-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection", 
@@ -9815,9 +9859,9 @@ }, "da4f56b8-9bc5-4003-a46c-d23616fbc691": { "rule_name": "PANW and Elastic Defend - Command and Control Correlation", - "sha256": "1671e56ab926da333517e73469025c78710f8895f623fcda53659f9584fd8d1c", + "sha256": "9c4cc881a8a05c1e645c6fe4391834b009ca46b5124f18c1b821ee66b634a942", "type": "eql", - "version": 1 + "version": 2 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "rule_name": "Code Signing Policy Modification Through Registry", @@ -9827,9 +9871,9 @@ }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", - "sha256": "0ff9609987d9a6de247a349ff8e4b707f3c7580c7470faffdbac5d115c8e7307", + "sha256": "d887a9027105bdf4a170339cbb9e7012eb40383c6c65812c787c1f612543ae11", "type": "query", - "version": 8 + "version": 9 }, "da7f7a93-26e1-49ce-b336-963c6dc17c7b": { "rule_name": "Multiple Machine Learning Alerts by Influencer Field", 
@@ -9857,33 +9901,33 @@ }, "dacfbecd-7927-46a7-a8ba-feb65a2e990d": { "rule_name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access", - "sha256": "3290943a7f9eac7a81b22c85d4475823a85bc512db43b7fb89cfad523ea17c84", + "sha256": "b55e9bf5bab3165f9e92907a31714efd1541a3c27caef7912bdccdb413cad2d6", "type": "eql", - "version": 1 + "version": 2 }, "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22": { "rule_name": "Github Activity on a Private Repository from an Unusual IP", - "sha256": "7e678bb2e91b5748488cd6fc3db4e567d29471f1977f03b00c7fcc37bbacbacf", + "sha256": "42448295211edb528695e38e36a13b0bc15eede7df3a59c5d4c514a550b009ab", "type": "new_terms", - "version": 1 + "version": 2 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Entra ID MFA Disabled for User", - "sha256": "b54fc8c1edfe9d6f2035c2846c98bf0d3c51413ae61ac58e234172aa4fdb711a", + "sha256": "061f0a3c16c52b4cff078cf8c484ed2bda8d80c37c7dcd4537015b5550b61904", "type": "query", - "version": 109 + "version": 110 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "e8a375d2c92b79dbedd319eb4d79fe9a66efc3263210f4b629ec811cb642db64", + "sha256": "faf5dd9126ff3012f925802c474c2d340c75c5ba8cd12879dfc2cbabb8338cfa", "type": "eql", - "version": 207 + "version": 208 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "3d2e5ac48ff0dd732d63a309fd8645c301330bfc555cc67fe1e4e842f3604e9a", + "sha256": "0b959d13263be251adada90be36f876c59b1bb53e7184aba599101af6d35ab4d", "type": "eql", - "version": 214 + "version": 215 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", 
@@ -9892,22 +9936,22 @@ "version": 105 }, "db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f": { - "rule_name": "Azure Service Principal Authentication from Multiple Countries", - "sha256": "a3374ebe2417fa418ec0532baa788b5b2ded9d847dead371b7a0699ab62ed7be", - "type": "esql", - "version": 1 + "rule_name": "Entra ID Service Principal with Unusual Source ASN", + "sha256": "ced2a6675c90bdc7a8113fa5ffacb65d0c64c765405c4273ee8ebbd57ef8e50e", + "type": "new_terms", + "version": 2 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "e9b9e809e2cf545314cb6ddadbc533e5c7aba5f5ece5aa2d433d7050c32fc96f", + "sha256": "04a000054fd086fe35b3e52f9d3eb48095fbb9e0b2f9aacddf7ec8e892c6d415", "type": "eql", - "version": 110 + "version": 111 }, "dc61f382-dc0c-4cc0-a845-069f2a071704": { "rule_name": "Git Hook Command Execution", - "sha256": "f59a76eae734bd08b0262cde69d2f9485e13eb81bd6972ca814fccb3c9048511", + "sha256": "df35f25f9ccc47ef6da1162061e6426b9e9a36091db4987ef34c162d36beacfd", "type": "eql", - "version": 107 + "version": 108 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", @@ -9917,15 +9961,15 @@ }, "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "89224db65c511c704e59e1f3954ea53d015c2ad5d81525e57edab31e32d6c616", + "sha256": "7e94ec06da053b5379f26e7355e1de6a3ec95c67115e9537b7ace9a1e062ad88", "type": "eql", - "version": 114 + "version": 115 }, "dc765fb2-0c99-4e57-8c11-dafdf1992b66": { "rule_name": "Dracut Module Creation", - "sha256": "0e99d7949e86837bb6610359a57608bb2013bb4c567ebd78cc8d3eefe8449f80", + "sha256": "e7901044b018b0d51e7579987769d7d815f196e226c06f7802072f53c04388c1", "type": "eql", - "version": 5 + "version": 6 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", 
@@ -9941,28 +9985,28 @@ }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "rule_name": "Suspicious Execution from INET Cache", - "sha256": "3e7ff7380de734a0b98762b61a6c34d06b5e6209fa1b42b89385a27f3e709e1e", + "sha256": "1ea6bb8df5954276dbd002347427e291629078ce75a18dfc0ced29444bfc0f2f", "type": "eql", - "version": 210 + "version": 211 }, "dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f": { "min_stack_version": "9.3", "rule_name": "Unusual Country For a GCP Event", - "sha256": "5453995a966b42c545508b8d3aa57fd84891a46c9ac167eb5e4b36d2c3f4fe3b", + "sha256": "c007ef6fbd3ab40348587d3c21a2cdd12d03971945ea59b220b0d84cf3b8d802", "type": "machine_learning", - "version": 1 + "version": 2 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "ab7d16c803fc15c77dc6801a94c2476e64591720f62dd9bcc56d4896f4b14a6e", + "sha256": "351f30bfcb339806bbb9af10c53548984316f0e932c351ac864c6c430a64c343", "type": "eql", - "version": 214 + "version": 215 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", - "sha256": "405e7084d6ebec98fee61cf3cff66178b05b514c0bf6d62492ebbf42928134b9", + "sha256": "61c08b145f474da52f1ef04e85dcb57c8943bda0687f41fc8d07ac5da39fcb73", "type": "eql", - "version": 8 + "version": 9 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { "rule_name": "Reverse Shell Created via Named Pipe", @@ -9982,9 +10026,9 @@ } }, "rule_name": "Docker Socket Enumeration", - "sha256": "58cc67adcc51ab6b32e392ef0edb01b69d46a6c5e44666e2f95cb708f722ebca", + "sha256": "3b20c039973e88cff852dc38dbf06dcab6f9f7dddf03fff3e2c9b9ea124a1b4a", "type": "eql", - "version": 104 + "version": 105 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "rule_name": "NullSessionPipe Registry Modification", 
@@ -10000,15 +10044,15 @@ }, "ddf26e25-3e30-42b2-92db-bde8eb82ad67": { "rule_name": "File Creation in /var/log via Suspicious Process", - "sha256": "c93e5ca8c14efd2dfdd66fc555a1270d9dd497d15192f1fe8347c783cb238ff6", + "sha256": "5f8ad4b3b68a18b84f5a900a3c5491e09f7b0f7e7080c501e059c8c08178977c", "type": "new_terms", - "version": 4 + "version": 5 }, "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": { "rule_name": "M365 Identity User Account Lockouts", - "sha256": "6ab64c006d24097f944e6a6908d33fcb3365fb7a054d3dbce20536fb0b4e609b", + "sha256": "5fa242623c50bffc4c3c740c31ded763d75588a49530b6f5eb3b31bc12da9a06", "type": "esql", - "version": 6 + "version": 7 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", @@ -10018,9 +10062,9 @@ }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "3cbd491b0c22fa5ad46e7105f3ff9bf650b5b7cb2b5b6ae071ebe1fc541478c2", + "sha256": "cc614eb9ec6ed03a159b5db0dbf49482ecd4ad3eff42784b233103ac0f8201a2", "type": "eql", - "version": 215 + "version": 216 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "rule_name": "Query Registry using Built-in Tools", 
@@ -10030,21 +10074,21 @@ }, "deee5856-25ba-438d-ae53-09d66f41b127": { "rule_name": "AWS EC2 Export Task", - "sha256": "db05870aa6ed8aaa9c35c23f2f027925b38e3f3641f4286a390c61be5c6a59b4", + "sha256": "3aa818e94e0ceca563f3161e0dd4718d157e777ceb3844b0fd632a1ab4359fbb", "type": "query", - "version": 2 + "version": 3 }, "df0553c8-2296-45ef-b4dc-3b88c4c130a7": { "rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners", - "sha256": "1911bad236dfa90b27f167aac3ae24c7f49c5a1fc583ab500bff60f013b34dc6", + "sha256": "554697d96fc03f19bf3758bd9118b506f368879575889f932f4049755fd5e0bb", "type": "eql", - "version": 1 + "version": 2 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", - "sha256": "22276ed48570dff5dd0abb9dcb47a087657cc6232ec63597dc0e0b26c49c722e", + "sha256": "0591510be58a74ccce29b7b2b3bc4998fbb59995f8bb09fd1388f2d8faf6ea39", "type": "new_terms", - "version": 11 + "version": 12 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "rule_name": "Unusual Windows User Calling the Metadata Service", @@ -10060,9 +10104,9 @@ }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { "rule_name": "Dynamic Linker Copy", - "sha256": "003233b091321e0a4fe6df57cdaa994539bb71b6dd12601da5a6fd5f01de11d2", + "sha256": "74975fc1c4e9c6ba277040431b9fdeb13dcda0d536146b120add215ed4d701df", "type": "eql", - "version": 215 + "version": 216 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "rule_name": "Kubernetes Pod Created With HostPID", 
@@ -10090,15 +10134,15 @@ }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "04754d1f1115e42d25e09ec628091486bee331e78bf83009b4038c838f2f8606", + "sha256": "e999cb3a4b0dc22e6bf621d12d34b3c9d972a116d73a59a84cae559c5093f10f", "type": "eql", - "version": 208 + "version": 209 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", - "sha256": "3db533741b55d6d75bb2c5e997575e42cd8dfe5e3e5c71ca2726a0c46208a150", + "sha256": "5b4d8442b7b332ecaadb1671d1e54dd6ebaa53f78b2355c78cc5a002ca1b607c", "type": "eql", - "version": 7 + "version": 8 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure VNet Firewall Policy Deleted", @@ -10114,21 +10158,21 @@ }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "rule_name": "System Service Discovery through built-in Windows Utilities", - "sha256": "76b86024b492a5882735a99a0b302d59465ce6d3c4a76111d5c396c8fe3afee9", + "sha256": "e589be7d2f86dabb5960decd210508e1d28f819cda2df6b1bb9b7902a8b06c62", "type": "eql", - "version": 113 + "version": 114 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "6895c9fbae5168b04623118fd5fc7fd437115a39af78dc23169e7b1ec667b959", + "sha256": "f034b01432ed622dceca33fcee6b0a20e58534b28ebd9f3f19d7e0704c241ee6", "type": "threshold", - "version": 415 + "version": 416 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "cc1a82b33871698dca83debd13763adc7dd5248191fa09eb72daa77f2269beca", + "sha256": "009201c6e671258aeae2bedc88405596018aabb7b315facd99b1f46ae2585cd3", "type": "eql", - "version": 110 + "version": 111 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "rule_name": "Whitespace Padding in Process Command Line", 
@@ -10138,15 +10182,15 @@ }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deleted", - "sha256": "196e87bc132f72c0d5ba55f801723dc80de03525b77a152b0d97a5487d58d8f9", + "sha256": "559b805067103320ffad40ebda7a5b86b7d10c1182ba107d81d2f7ce751c65b5", "type": "query", - "version": 107 + "version": 108 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS EC2 Route Table Created", - "sha256": "0107e5ff857bb3b08c9181ad8398d51eb0862148b3a6e45e1e18d3ef85982147", + "sha256": "b983d55d9f9e65d786d7452230981e4a6660f4a50f8d82e7719771595ab5e928", "type": "new_terms", - "version": 212 + "version": 213 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "Deprecated - AWS RDS Cluster Creation", @@ -10156,9 +10200,9 @@ }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "rule_name": "Connection to External Network via Telnet", - "sha256": "8b3afa0d58084217b29e918bb34ad10a43cb606479d126d45a3f2ef8e47b035b", + "sha256": "531ef817962d765ea1d1873aaba42843ea3beaae12f70d493be1b6b58326b983", "type": "eql", - "version": 212 + "version": 213 }, "e1db8899-97c1-4851-8993-3a3265353601": { "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", 
@@ -10168,27 +10212,27 @@ }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "31f1e42fd073189974ef107fca4aa2c24131c2cd80c3eb16f91755fcfe3f54d4", + "sha256": "c6b59218f0bd6a67c42d0853ef8efecafa69decfbdb0aa5c7f7edfe917c74a92", "type": "eql", - "version": 111 + "version": 112 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "rule_name": "Spike in Successful Logon Events from a Source IP", - "sha256": "797e8be045b28198233988299f917efbbbeab83acaef08795d0a7b3a8f56533f", + "sha256": "8b21616a77df814353badde453886243eb0d298bd177dfbd772563f9cc9a6229", "type": "machine_learning", - "version": 107 + "version": 108 }, "e26c0f76-2e80-445b-9e98-ab5532ccc46f": { "rule_name": "Full Disk Access Permission Check", - "sha256": "513dd07104c0782edbca0973652ff1c0affc115b879c08c56ce1bd500d587595", + "sha256": "e7bb1fd6bdeaf8d10f670322c516617a75eaaa78ba368b994860add677b7f488", "type": "eql", - "version": 1 + "version": 2 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "907edd17e466a818cba2a0af32a363af70af30da65bab6787f7c3c1cbe02cf49", + "sha256": "330e090e05d199d784a30dba2d9a2b95c747892566f0625825f70a6c9a46c893", "type": "query", - "version": 321 + "version": 322 }, "e28b8093-833b-4eda-b877-0873d134cf3c": { "rule_name": "Network Traffic Capture via CAP_NET_RAW", @@ -10198,9 +10242,9 @@ }, "e29599ee-d6ad-46a9-9c6a-dc39f361890d": { "rule_name": "Suspicious pbpaste High Volume Activity", - "sha256": "39bd466dd0e2510cef75410efa33adfc11e78fe35175353653b4d3b314783d1e", + "sha256": "10d2ec7341493ccc024bc77312d038463740052c2544a13310264eb38ec7352a", "type": "eql", - "version": 4 + "version": 5 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", 
@@ -10210,9 +10254,9 @@ }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "rule_name": "System Network Connections Discovery", - "sha256": "b00992fce58b8dc70936e08ee54b5daac9d824811cc5a4c82eb3167aee0301ec", + "sha256": "f40303a3b6fe56ee00bf1284cc98b8436149887e35ef2c1c694e84084ad8f79c", "type": "new_terms", - "version": 7 + "version": 8 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", @@ -10222,9 +10266,9 @@ }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "c5dd1640be638638d42328b63e8b36a12443ad1dead6923ba13d075ad7d13001", + "sha256": "4e960095c85a68e958400a6cd5c3532f44c0e0fbc405b12a955034f394db2720", "type": "eql", - "version": 216 + "version": 217 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", 
@@ -10234,33 +10278,33 @@ }, "e302e6c3-448c-4243-8d9b-d41da70db582": { "rule_name": "Potential Data Splitting Detected", - "sha256": "4b19dd9f518a41b8105ead19de687f720f9565ed64a685148b4a6fd3ddb5ac68", + "sha256": "70959d883cd0b3cf2e76630d3a39639178bb9c1f3664108165d1b139efff9d29", "type": "eql", - "version": 106 + "version": 107 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "rule_name": "Process Activity via Compiled HTML File", - "sha256": "280fe85dbda49421337ee3e0acbe259db72a41d7fe3a0824a6d5c47ab39ece79", + "sha256": "a6c6153c98664f409adf81e63b32ae1a3ca2b8d144d2a13c573d00499340e5f1", "type": "eql", - "version": 316 + "version": 317 }, "e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c": { "rule_name": "FortiGate SSO Login Followed by Administrator Account Creation", - "sha256": "94bc6e3515c8fcb6f1fe62327d4d4a02ccab5f9520a1e457b4c9b56868a0b76a", + "sha256": "9e1f35b42e0abee84eca783efa5268ffaccabb15ccc59983bf894ab3ffcb55eb", "type": "eql", - "version": 1 + "version": 2 }, "e3bd85e9-7aff-46eb-b60e-20dfc9020d98": { "rule_name": "Entra ID Concurrent Sign-in with Suspicious Properties", - "sha256": "10e92fbdc7b268665e8611e80d3c2104328b31411a49372fdefe7d868a964903", + "sha256": "19bf150a514bcb726c88288192dc659d8509fa1529194019bce292e554cccee9", "type": "esql", - "version": 5 + "version": 6 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "rule_name": "AWS Route 53 Private Hosted Zone Associated With a VPC", - "sha256": "bb79588455fb19ea641cea5b513903bcfd62f5d8d8714dda71986fdc80fdcc13", + "sha256": "1a3343a15af94307a50f89a7591854259c58491683ffa98e7dae0ac77201c3ac", "type": "query", - "version": 211 + "version": 212 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Elastic Endgame", 
@@ -10276,9 +10320,9 @@ }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "rule_name": "KDE AutoStart Script or Desktop File Creation", - "sha256": "999d735f1b43bec7ac12aae0dfcb782d61f178d80df5c7d200629806c941435b", + "sha256": "86251b2eca0b5f3acf7e5da5bfb34467b59c79339df8798d4a928e1e2efc6cad", "type": "eql", - "version": 219 + "version": 220 }, "e3f5a566-df31-40cc-987c-24bc4bb94ba5": { "rule_name": "Persistence via a Hidden Plist Filename", @@ -10300,15 +10344,15 @@ }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "0fe269bb97bcb2fd0169410d29766dd6d5f9d7c0cb45606460e173d3a8122c76", + "sha256": "a46b153b0713389e6a149aad3a4e95a3211eaf71a2a01173ffce0d26f520cae1", "type": "query", - "version": 413 + "version": 414 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "dcdd90fdd58bbbdd33a53fae80e5df7d4963e028b4ce8ddd29df997cba2c0964", + "sha256": "a8d5740eabcbbb09f46fbfdeb0e4366b51fdccf32faeee210f7108501110e476", "type": "eql", - "version": 212 + "version": 213 }, "e4feea34-3b62-4c83-b77f-018fbef48c00": { "min_stack_version": "9.2", 
@@ -10322,27 +10366,27 @@ } }, "rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token", - "sha256": "ea754dc7ebd790477767de5ab2895d06f2ef94d22a8707ae800e9f54986de376", + "sha256": "ef461777bc1c5b00f31f1b5fdc917e63da77f9e2d0d6688eb02421290903249f", "type": "eql", - "version": 104 + "version": 105 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "33eb3aeb5b3dd4bea1245d0a515df9229d87de7f2c0ec19e04d60911f451099b", + "sha256": "7b70e3c40c147feab727f6d09ca74efe63a042f6716e4d8debd3066d7b1db93a", "type": "eql", - "version": 217 + "version": 218 }, "e516bf56-d51b-43e8-91ec-9e276331f433": { "rule_name": "Network Activity to a Suspicious Top Level Domain", - "sha256": "c2210953bc0ea85caae3af77749d98d8ef8e88559dfa7871f04e8f1d43287f17", + "sha256": "7a5e47f5bd44607aa08a96e9f60e4b5e3e991f52a1a3e2ad835a3808872c2cbe", "type": "eql", - "version": 3 + "version": 4 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "8d84f71e1bd9d53371b05b590f59d4d7625f35ddc50596b9e85358d04a9ea3d6", + "sha256": "4190d8a82f489cf30bdb1c3e459ff20a7fba23cd32e4e1d1335f15f148d7d19e", "type": "query", - "version": 208 + "version": 209 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", @@ -10352,9 +10396,9 @@ }, "e5d69377-f8cf-4e8f-8328-690822cd012a": { "rule_name": "GitHub Authentication Token Access via Node.js", - "sha256": "ad6ddc79e5e91fdcefbc8d3ede209e443bf203dc4336b588f87cc5c7702a1222", + "sha256": "6a417d5d405f2f5407cee4783101473ada9b188d889fb655c65694110b02a589", "type": "eql", - "version": 3 + "version": 4 }, "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": { "rule_name": "First Time Seen DNS Query to RMM Domain", 
@@ -10370,27 +10414,27 @@ }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "rule_name": "Authorization Plugin Modification", - "sha256": "744d55b2624acf5063085463e8c93573a6bd166726891c49518a7e0f876c9506", - "type": "eql", - "version": 111 - }, - "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { - "rule_name": "Possible Okta DoS Attack", - "sha256": "b21e24b57dbe58161fb421ca64574bc8e25b38423b8b0522e7245c63e7482a0b", - "type": "query", - "version": 412 - }, - "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { - "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "3f5eaac76da3b4b7c5d8d535d0176d7838894c7e60cf0c23bfc833dd1f9a07be", + "sha256": "17b73d3e39ffba68bb956e466370e9d6eaa7ebe30fc50598af1a624b1e18229c", "type": "eql", "version": 112 }, + "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { + "rule_name": "Possible Okta DoS Attack", + "sha256": "e15de9b379a466b490e8437eec47e33890de883cde4a19bcecec558f9ab20332", + "type": "query", + "version": 413 + }, + "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { + "rule_name": "Screensaver Plist File Modified by Unexpected Process", + "sha256": "048555dd2466b4a537ebc22441d66a2efefb466f5505a45d435f0319e2802734", + "type": "eql", + "version": 113 + }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "04bf3e29bdae001d0d6e5252b2e7ffe48bf3768f072adbeb9f4a138613d1a911", + "sha256": "33ff6f60a69292a6c4c66e86ae14dbbdb9b1055b1ff0a5a432a33b39150c5399", "type": "query", - "version": 108 + "version": 109 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { "rule_name": "Potential Credential Access via Memory Dump File Creation", 
@@ -10400,9 +10444,9 @@ }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "b115ce618bac0c40e2c9a0017d3c755ba486d73979b049d7abae7e6bfe172fd6", + "sha256": "862ff12fae93833d4bafe92891d261d9deea8a23d8d8a3a6a8e4e514ef507e44", "type": "eql", - "version": 210 + "version": 211 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "rule_name": "Suspicious WMI Event Subscription Created", 
@@ -10412,51 +10456,51 @@ }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { "rule_name": "Potential Windows Session Hijacking via CcmExec", - "sha256": "f0d0dfaf215a9c74db6e276efa561707f2c059d3035cf81463cbaac81b4827ca", + "sha256": "7dfd1488aad203d7c704c8ef37e805a93c2d2b6e0ad0c890e818cd989898489e", "type": "eql", - "version": 4 + "version": 5 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "rule_name": "Unusual Process For MSSQL Service Accounts", - "sha256": "467937da7cc714e1f6a0386a8944592cc48e2285f954a8f9c601ff715c8c0209", + "sha256": "f0e1c5528f65f66b87d2190eb338e758a3f0d5b44557e8e747dbefac8ca09623", "type": "eql", - "version": 6 + "version": 7 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "7fa81f350e13f62767add8eac8f6ed5ff6bded35dfbc9240a90f6afc1a74579b", + "sha256": "64d958d4a218acf01c61ecb66ce870621c7a94e8ecaead58aae78712b51a9b5b", "type": "eql", - "version": 205 + "version": 206 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "095bc67fc213affaf3d86f181676fa71bf12541b50aebded9b6b8a386f4336bd", + "sha256": "a04dbcb36c1f1c440b37f7cae577b3ece10b72efdbfcddb813460c826ebc9310", "type": "eql", - "version": 113 + "version": 114 }, "e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS EC2 Route Table Modified or Deleted", - "sha256": "f18144745e343e210c9169d503a65725d2a19d82ea50df322b5d417924d93cbb", + "sha256": "d6e17cd4b7605577f5364b33f69ef8cfeacdc0ff6fa835f466e93041f25078d7", "type": "new_terms", - "version": 211 + "version": 212 }, "e7e0588b-2b55-4f88-afd1-cf98e95e0f58": { "rule_name": "Suspicious Outbound Network Connection via Unsigned Binary", - "sha256": "ce53d5d2947803141c22295600533afed56ad3287b80b85ca8c9dd0d17b0af3d", + "sha256": "0cab3f24cd193b08178b94d7a007dffe133ccb4bce1d98ee99aeee1e030c00eb", "type": "eql", - "version": 1 + "version": 2 }, "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a": { "rule_name": "Potential 
Protocol Tunneling via Yuze", - "sha256": "da8044c4f43ed4839eb4e34c47fa76d078c1149e5f37d29600c0df04067e11b0", + "sha256": "8eab0b2e107b64ff573bea446ad50927cd61e27a98f5c3faa3e127a296d910b4", "type": "eql", - "version": 1 + "version": 2 }, "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { "rule_name": "Network Connection by Cups or Foomatic-rip Child", - "sha256": "0d70a846b5231fa5055bd8dab47d27adc7650f6ea92664b759685a8cff6e619c", + "sha256": "9dadc34c752b9bc0928030b436c8dc050e4c931a424ac3abd0aabc8c86180945", "type": "eql", - "version": 5 + "version": 6 }, "e819b7eb-c2d4-4adc-b0c9-658aeb140450": { "rule_name": "Lateral Movement Alerts from a Newly Observed User", @@ -10466,9 +10510,9 @@ }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "2f9cf61e66c50847a30dfde7b4a3bbf289e90674920e25039f08a8953eb1eace", + "sha256": "e5f80c38f4b75c5c41e1df3f31ce447484ec6cd772fef27201c299778c3d9a1c", "type": "eql", - "version": 217 + "version": 218 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", 
@@ -10478,51 +10522,51 @@ }, "e882e934-2aaa-11f0-8272-f661ea17fbcc": { "rule_name": "Microsoft Graph Request Email Access by Unusual User and Client", - "sha256": "2c86e3a65889b2dcc098107030beb9848fa1a54fc6f7874911e7148f919a36d2", + "sha256": "7f3abd6af19c72f509c4ce685dac414568f214d8bb423d4dbb8b96b6bdc89ee7", "type": "new_terms", - "version": 4 + "version": 5 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "rule_name": "Host File System Changes via Windows Subsystem for Linux", - "sha256": "fc04a26c8bd9015b4cca4f17b20d8f18ac3eacb335a947d8793d0016b6ebbf0f", + "sha256": "aa965b72f3af0a8b4f4a2c3b56a535088bf010909077efaccbd0de20a73ab017", "type": "eql", - "version": 112 + "version": 113 }, "e8b37f18-4804-4819-8602-4aba1169c9f4": { "rule_name": "GitHub Actions Workflow Modification Blocked", - "sha256": "8a03e6a43d6c01bdf79a1197212c01b4c7c27862f9dbe9176f70cc1506b487e2", + "sha256": "6938ae0fe092466ebe7a800629949a38ad4eb3da443917c54766b67839d2912d", "type": "esql", - "version": 5 + "version": 6 }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", - "sha256": "651f7eb7bc6d9f26754d5a8e04106fb4b65004ed9bf01a8c593c6df5ca9482aa", + "sha256": "1fa214c361aeee1955b244162504604a4d9f3660758b8104be9e4921e015432d", "type": "eql", - "version": 8 + "version": 9 }, "e8ea6f58-0040-11f0-a243-f661ea17fbcd": { "rule_name": "AWS DynamoDB Table Exported to S3", - "sha256": "7a1c848b9332b7abde093a99eab67afa7b533fe25cef0d9374d8854c2e0a36e7", + "sha256": "8294ab72a68c2b751f36db14d3d44d28561d4dcda0696365bacc740b85ccd147", "type": "new_terms", - "version": 5 + "version": 6 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": "9ae5a217d42efb627b6ac44f09ebae8cecffcbc04bee2a7a6de32120c50d311e", + "sha256": "bed94ea17205b8c891d4ddb047a885b0302d991f1f9be008ba2c8dc7e4483618", "type": "new_terms", - "version": 111 + "version": 112 }, 
"e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": { "rule_name": "Potential PowerShell Obfuscation via String Reordering", - "sha256": "84fb725b362cfa15cd93030dd0ee407c62219b8e75e23fc673d4b4411efc479e", + "sha256": "b59e0cbc56c4fb53787bc00632c6ceab167a0694f6b7fecc962d87dbbea24286", "type": "esql", - "version": 12 + "version": 13 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "cd48b966ef0a6d90372a5d1bea8755963aa907f83d7e62adacbb43d77280b961", + "sha256": "b068510e8bb733899c090234bf1ec0732842b70e90793bb61bdab5fc156be59f", "type": "threshold", - "version": 415 + "version": 416 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "Deprecated - AWS EC2 VM Export Failure", @@ -10532,21 +10576,21 @@ }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", - "sha256": "3972b1d0f6ef586df99e20db1f8a7b5f3e92843225a0ead8bdfb2bfda5096834", + "sha256": "85e2742ed6e3a554393ca3c7c7b3462fbeb726e083b4f63bc562360141a1b8fa", "type": "machine_learning", - "version": 7 + "version": 8 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "d0d79e029dbc2c30f3d6e94335597e07feda824c2751b442c658b9aa9867d635", + "sha256": "b561863cf2392c784c3c635360c7d06067db2c64a38ce4d486380f4e9764d4d5", "type": "eql", - "version": 315 + "version": 316 }, "e9a3b2c1-d4f5-6789-0abc-def123456789": { "rule_name": "Ollama DNS Query to Untrusted Domain", - "sha256": "0b119216b26c97e9d09c1c3f8a6f57140261fe8f360165369dd6242701c3c765", + "sha256": "5e3e4830d4541a4e622121b68abbd2dfd611a6127af90ffcc80d8a462369afc5", "type": "eql", - "version": 1 + "version": 2 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", 
@@ -10556,9 +10600,9 @@ }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { "rule_name": "Spike in Remote File Transfers", - "sha256": "6eab278586da677be043352e5acc6918724d546e2a66017c7babdd4f44d5a2f9", + "sha256": "2f20bc8bdb8336b52144c14c8d650bf10d1c3cd7ac2005fda6d231be3ce129cd", "type": "machine_learning", - "version": 8 + "version": 9 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", @@ -10568,9 +10612,9 @@ }, "e9fe3645-f588-43d6-99f5-437b3ef56f25": { "rule_name": "AWS EC2 Serial Console Access Enabled", - "sha256": "4f14c69238fcb650530a5884d6ebbbfe0c80780c84a29a6d26d078bb3114929b", + "sha256": "903944fba71323174e8453b652660eea7df47c047e60636c873854ef24d3bdbe", "type": "query", - "version": 1 + "version": 2 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", 
@@ -10586,27 +10630,27 @@ }, "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "d05c4f87423f7e7375d862028b9f83a9a3ebb9175e51a3de0db0f4b8e983ecda", + "sha256": "cde5761fb379a2ebd52bded54373ddfa826286728ad4637aa03d845220da0c91", "type": "machine_learning", - "version": 110 + "version": 111 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy", - "sha256": "0c0f0eb2a7f6d55541448bebed4b150affcf95c0e6cc3fd1c4524b8fa02d6480", + "sha256": "2b7b3ae7b50956a57428f9c334521c176a71f1d3d2d7e9695d1eabb1de626e2a", "type": "threshold", - "version": 214 + "version": 215 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", - "sha256": "1682a0c3be0d13c2d886046e969759c83cba4312382efe8fca8f9be342ef8e86", + "sha256": "43fbc760dbb9d213111df81edfb92ab4f4902eb6c46f5bdfe3b1f0e215a38432", "type": "machine_learning", - "version": 108 + "version": 109 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", - "sha256": "fc4cdb8ca683ffa65896c61ff70e92915bae58e9ea0ae565d2ca5dee990ac6a7", + "sha256": "0392cad4ebbd3925824fb6d7902f524c2bc25be9f9b7c642869fb070d18502d2", "type": "eql", - "version": 9 + "version": 10 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", @@ -10616,9 +10660,9 @@ }, "eb3150eb-e9fb-4a64-a0fc-aa66cdd35632": { "rule_name": "Telnet Authentication Bypass via User Environment Variable", - "sha256": "dad30a9b0ac5bb3048cae4d42fe0015a25c5bdf4122aaec696d0bfede5c73556", + "sha256": "addac13158f89b3addaf29024a1c49c9396a2f87bc029975ea1f19735fcb49ab", "type": "eql", - "version": 2 + "version": 3 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", 
@@ -10647,9 +10691,9 @@ "eb958cb3-dead-42b6-94ff-b9de6721fab2": { "min_stack_version": "9.3", "rule_name": "Curl SOCKS Proxy Detected via Defend for Containers", - "sha256": "3592443fb0d2e39fa025942bdc23a32bf151877ce039710cbaf0182ee1a69a17", + "sha256": "b1f046cc6ad9e006048ddfcacca9aa967e5c89498422580dacd3eb6f803018d1", "type": "eql", - "version": 1 + "version": 2 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", @@ -10659,9 +10703,9 @@ }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "15a0fd7044827c36f60417515284afb4f6fe23e1dbae54a45a6b44e8ae0887fd", + "sha256": "0b21aaef39779363afa674fe85ae790f2bd67dd153a8c951d0019ab3331332fd", "type": "eql", - "version": 415 + "version": 416 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", @@ -10687,9 +10731,9 @@ } }, "rule_name": "File Execution Permission Modification Detected via Defend for Containers", - "sha256": "cb17a8960fbe32d16f37c061338c7d98a517c4803aa4f73b976ef7ad40c15496", + "sha256": "4684363244e89ea872ffc5b25a90561dc40b3e284b58a2c4d394889bed620bf0", "type": "eql", - "version": 106 + "version": 107 }, "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": { "rule_name": "Kubernetes Forbidden Creation Request", @@ -10705,9 +10749,9 @@ }, "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": { "rule_name": "Unusual Instance Metadata Service (IMDS) API Request", - "sha256": "cf396164e5d336a90010d7d9340539f2952de6f2af4e6f3feb848daed8b245cd", + "sha256": "33d196de5eaecf3864a3bb8ee494aaa4ee44ed5a27f25e452bcf28fa226c22dc", "type": "eql", - "version": 7 + "version": 8 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "rule_name": "Executable File with Unusual Extension", 
@@ -10723,15 +10767,15 @@ }, "ed3fedc3-dd10-45a5-a485-34a8b48cea46": { "rule_name": "Unusual Remote File Creation", - "sha256": "a7a4aa5dee70a0b7400227badb99bbd92c05ec809b52bddb0719918089f99323", + "sha256": "f29aab770fc7ef7708a96949b02b0e60282b7199951b302c2fdffbd1893bb9e9", "type": "new_terms", - "version": 6 + "version": 7 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Entra ID Global Administrator Role Assigned (PIM User)", - "sha256": "a435c4e0f2296569715d62e9a745c6e53e807369ee3ef0969605a24d68dc0661", + "sha256": "7f93a3391ea686a14d777dcd48797c99ec342fc1acccbd567b3ecdc8c3ea7cc4", "type": "query", - "version": 107 + "version": 108 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "rule_name": "AdFind Command Activity", @@ -10747,9 +10791,9 @@ }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "248af1fe0e07120481568edfaa652ca97c59f7155e4e42898736bf32eed87e29", + "sha256": "8302ac3fdd14c7129217b39eb68513aecbc6e8e75fdde0d16989df01196722dd", "type": "eql", - "version": 318 + "version": 319 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "rule_name": "Linux User Account Creation", @@ -10759,9 +10803,9 @@ }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "rule_name": "Okta FastPass Phishing Detection", - "sha256": "79bcd3e51917161d1bbbb3d46ba9ae90ed7261430e0bddd58d172517d5348729", + "sha256": "1f5ddb372f0cf39847f187a18845abb51bef25a41e38ce48fd30e9ea7bc6982b", "type": "query", - "version": 310 + "version": 311 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "rule_name": "Unusual Print Spooler Child Process", 
@@ -10783,15 +10827,15 @@ }, "ee7726cc-babc-4885-988c-f915173ac0c0": { "rule_name": "Suspicious Execution from a WebDav Share", - "sha256": "c5748ea3783ef8a9981c04d76db7206edabc9aeec804a0174f7827ef1b46c95b", + "sha256": "ba4424b0263455a683831ed50d76d4acba6b025e45812e7416845faf04c55c54", "type": "eql", - "version": 1 + "version": 2 }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "ea81b8be42aac46fe858037a08802a107f542b90f33471e6fc3a43c0b3467395", + "sha256": "7a0362350bccdcf49752c63e045a43a649ae3127354129648e3ebd3c78e2b713", "type": "eql", - "version": 112 + "version": 113 }, "eef9f8b5-48ec-44b5-b8bd-7b9b7d71853c": { "min_stack_version": "9.3", 
@@ -10805,27 +10849,27 @@ } }, "rule_name": "Kubectl Apply Pod from URL", - "sha256": "539eb4b8333957dbb835a5fcda5f747181b40de7bd28cfb8c4956c51c7e8ac28", + "sha256": "2871a014569f179baaf61a47aa3ed4dac8c9d1cdfcf046caa1f02877fa61f0fc", "type": "eql", - "version": 102 + "version": 103 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "rule_name": "BPF filter applied using TC", - "sha256": "52518d228cda96c48b2c5695e5de6764e65caeeafda816216817b6cbb73abd40", + "sha256": "a3ca2a4019b1f9b82a42cdaa30c22e6b21138566a0f076dff76cc58ed8d5d943", "type": "eql", - "version": 214 + "version": 215 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "ad898972711331ccf7f9526e14f2a3aeb21a112d374a94bc253896390e35af91", + "sha256": "8641c7f69ff921eb91354ab0425fd0d989f5bf8bdaea934338fa5e03118cab42", "type": "eql", - "version": 112 + "version": 113 }, "ef395dff-be12-4a6e-8919-d87d627c2174": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option", - "sha256": "15b509aa1f5ce2c13415561c334b6a518da12328ed335527951d3c70264464b1", + "sha256": "e9dbef389b92ca88b2b526127180bb1f77f872b82ed5506e5e3531967903bfa3", "type": "eql", - "version": 4 + "version": 5 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "min_stack_version": "9.3", 
@@ -10845,15 +10889,15 @@ }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", - "sha256": "ace9db18b4a07550b5124ee75c0cca3828231ea1b3026a59683313dea39aff61", + "sha256": "4b9b636e3a685b6f6ba574e915d668cab21ca02cc5641de4b11ee1a8bdc146e5", "type": "eql", - "version": 216 + "version": 217 }, "ef8cc01c-fc49-4954-a175-98569c646740": { "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", - "sha256": "9667b0b7ffba66dae17bfc62970411ae6a4e086390057e42a8754c1474cbe60d", + "sha256": "501b90c5679e6b9959a55999b1892814f6969d4a2aac60d17835f827a7cda0fd", "type": "machine_learning", - "version": 7 + "version": 8 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", 
@@ -10863,27 +10907,27 @@ }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "rule_name": "Suspicious HTML File Creation", - "sha256": "18b02d56b8977e6689317b231313b622102493a6d66bb8a7af4608c3ec84eaed", + "sha256": "ac3989251772227e4d3652c9525222c25c158066126ed7fc2d5ed01da5500a50", "type": "eql", - "version": 111 + "version": 112 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "rule_name": "Okta User Assigned Administrator Role", - "sha256": "1e7973d1b497e6f96e61cbfaa3a288c8816dde52e132d6ea55bd329c23af6f63", + "sha256": "925aff7358596698164c5f9b33bab66d4042ee713892da8d3805c24d65199b85", "type": "query", - "version": 413 + "version": 414 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", - "sha256": "3cfffd4d242ffeb5421de910ed98187cfc586d3e708da24716ad4d4088fa0a15", + "sha256": "086b4d37de07398af3828f86c06b19b7daa37d14b98d16b1236a284a3e119b99", "type": "eql", - "version": 114 + "version": 115 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Diagnostic Settings Alert Suppression Rule Created or Modified", - "sha256": "a988572c3f417b12e0af2abbf55d5553d198f8cb97e74208235017aac887d051", + "sha256": "d234efe00820b1869f7b07b9a42c409b2276c4803bf4907364ecea05b3ae2950", "type": "query", - "version": 107 + "version": 108 }, "f0cc239b-67fa-46fc-89d4-f861753a40f5": { "rule_name": "M365 or Entra ID Identity Sign-in from a Suspicious Source", 
@@ -10893,27 +10937,27 @@ }, "f0dbff4c-1aa7-4458-9ed5-ada472f64970": { "rule_name": "dMSA Account Creation by an Unusual User", - "sha256": "568644c5f0c19e90ec4b242b6ae4cd524440192c962a326f062fd4fe997d9400", + "sha256": "09d110d157380492d4d0de9d37dff770be9757b6528fca4da3a5aa560b964348", "type": "new_terms", - "version": 3 + "version": 4 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "c238de5d2b0c57efaa4780d8e7f5f95a05cf99a2ec8a5840a05e31456acd97c4", + "sha256": "32ada2c4a68d705cc598de4bde5cc1be7e0516bae9dad176373243f9fc65c0c2", "type": "eql", - "version": 110 + "version": 111 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "rule_name": "Suspicious Child Execution via Web Server", - "sha256": "a0ea44a78f0bbd39976f1721161118620c9aa5435b8992d8abf6c28af287ca94", + "sha256": "92e68a660ef180ceb453fee81c78a5fdc2c39b9351c923d2aca6901a11f0e360", "type": "eql", - "version": 112 + "version": 113 }, "f18a474c-3632-427f-bcf5-363c994309ee": { "rule_name": "Process Capability Set via setcap Utility", - "sha256": "4c9ff6fd3bc2367862aa9960cc4f632134ecfb095ec2aede00a28e28ac26b6e4", + "sha256": "dbc36b11a558109353c290252cfc47fa5b88768748732ceb11ed91403dd76705", "type": "eql", - "version": 105 + "version": 106 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", 
@@ -10923,22 +10967,22 @@ }, "f1f3070e-045c-4e03-ae58-d11d43d2ee51": { "rule_name": "Manual Loading of a Suspicious Chromium Extension", - "sha256": "426036f0b34c260a562af79e9d849b8f8aa0ee5cae04dc9020917c3acf02d99f", + "sha256": "ef1b596dbcc21f0ff44dd908eee0347efe6248aa5bdf14b884c61df77b777949", "type": "eql", - "version": 1 + "version": 2 }, "f2015527-7c46-4bb9-80db-051657ddfb69": { "rule_name": "AWS RDS DB Instance or Cluster Password Modified", - "sha256": "d02e97bb6a0789367e1693e0b732ffa53703803ee806bfaa956690ee97b9c78b", + "sha256": "14ba46c9c0f297862c53f3a5dabcf435451495d495c1d15ae6243dd985e3d145", "type": "eql", - "version": 7 + "version": 8 }, "f20d1782-e783-4ed0-a0c4-946899a98a7c": { "min_stack_version": "9.3", "rule_name": "Unusual City For a GCP Event", - "sha256": "4234c7b13928ef16b739961abee68fe89b024428f43b5cd08e09ffce6d53e103", + "sha256": "76586ab01cd08c0c90773f9fd6ddba36eb9b8ee0571614eca39f0de1bb442d29", "type": "machine_learning", - "version": 1 + "version": 2 }, "f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": { "min_stack_version": "9.3", 
@@ -10956,21 +11000,21 @@ "f246e70e-5e20-4006-8460-d72b023d6adf": { "min_stack_version": "9.3", "rule_name": "Modification of Persistence Relevant Files Detected via Defend for Containers", - "sha256": "3e7ee604dfdadac507a1fcb9f2a39b6e5718c90169c1e0bfaabd701e0c5fad63", + "sha256": "3d7e318f67c97976127e145e374accefe76ed153e63466f41c6c788e5a1ba230", "type": "eql", - "version": 1 + "version": 2 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "96eccd66b8f60e06e7aabfbd9a3d372d3e994cc5b1de8d08ea6f3473c5872be8", + "sha256": "45f3aba3743e27c3175dc85c3bb918ef1ddeb13d337dd61d81634e7b6d7ed1ce", "type": "eql", - "version": 113 + "version": 114 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "ee2c306632aee8a22150db2c7587372127fa5271d41bb6482a9de851728670bd", + "sha256": "327423f201c4aefab10ca8e4a5e9604d884907651d4475cc37c199a277b289a8", "type": "eql", - "version": 214 + "version": 215 }, "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Malicious File - Detected - Elastic Defend", @@ -10998,9 +11042,9 @@ }, "f2e21713-1eac-4908-a782-1b49c7e9d53b": { "rule_name": "Kubernetes Service Account Modified RBAC Objects", - "sha256": "fe3ea9fd1b170164d8daf973f8b612f71ce7ec34e095f92b8c657f899b33e35a", + "sha256": "281209a49e92e2367ec89f538621f986a7198e5592b2ba61c7b93e3e2ff8dafc", "type": "query", - "version": 1 + "version": 2 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "rule_name": "LSASS Memory Dump Creation", 
@@ -11016,51 +11060,51 @@ }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "rule_name": "Google Workspace Object Copied to External Drive with App Consent", - "sha256": "e3d5d22bf6f0e1c8cdf350e9585236e6eb414438bc033c531501c84f9d4d3681", + "sha256": "c5c1f181bfd0f814c6079ac55df87c7d8908c680a9aa9a6b4970ad08f892b39b", "type": "eql", - "version": 11 + "version": 12 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", - "sha256": "cc612f1f8949a5a302e700bfce9e41755c128540eb3c8ba1fd55732719b8c692", + "sha256": "e86a0477a7cb46e3ade238a3b3e865a455c9ce4830f4b82a07926f3c757e1546", "type": "query", - "version": 8 + "version": 9 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "rule_name": "WMI Incoming Lateral Movement", - "sha256": "09e8a918c81fe0701b414046f7b2978cf6917f27d256594f18f20c0766f12651", + "sha256": "7c530140bf12b6317b1633953a2135892b451f0fd02d2ca3be84802b33a9f878", "type": "eql", - "version": 215 + "version": 216 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "3ba917f1ed940e767bf7bb2718523c84ade13c97c047be506fc17e8391856d86", + "sha256": "0514c676be47b85dcf14f42d8d1cdf053122f7506f0b5eef242a105e5dfe4ed1", "type": "threshold", - "version": 108 + "version": 109 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { "rule_name": "Suspicious Network Connection via systemd", - "sha256": "761746a21d11fe68935d152466349eda5c767337ab48bddf66f4f99acc061b21", + "sha256": "6a81be3e4096d5230ed6ddb6d5e9ed0624a4404f651a9aaaee9491b33a744050", "type": "eql", - "version": 9 + "version": 10 }, "f38633f4-3b31-4c80-b13d-e77c70ce8254": { "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", - "sha256": "4e8a1d0b5d2d08befba089df12e7d27768455c6c08f58a912f825e916e665108", + "sha256": "461cca8e6da44cb954ccd1568e0195772daa254860053359bea965b58e5b3560", "type": "esql", - "version": 10 + "version": 11 }, 
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "rule_name": "Kill Command Execution", - "sha256": "515ee3620ceebe5a3c857932d84400a916c4dfbbc3383564bcfb866b360ffc3f", + "sha256": "e0cd0eab0070a7deca66e3db5b6508709873263b818c68be1f560cd32e5ccbb1", "type": "new_terms", - "version": 5 + "version": 6 }, "f3ac6734-7e52-4a0d-90b7-6847bf4308f2": { "rule_name": "Web Server Potential Command Injection Request", - "sha256": "95e422ccd18e1dad7d4806054cb0a70a9b5645c4ff9713a90146dab8aa2806c9", + "sha256": "0f61ee6203f327c572d953395eaa56f5f1e41d35e47e6b590f427f379aeec032", "type": "esql", - "version": 3 + "version": 4 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "rule_name": "Threat Intel URL Indicator Match", @@ -11070,9 +11114,9 @@ }, "f401a0e3-5eeb-4591-969a-f435488e7d12": { "rule_name": "Remote Desktop File Opened from Suspicious Path", - "sha256": "26f9f4f5c8a08b36972822b6f7cb3ab8523673772d71d9c8284730bf427c7345", + "sha256": "7f753ea6ff1bc5ae4a855cc1ba35ab3db8c16622e28476c35412ea97e77a5741", "type": "eql", - "version": 6 + "version": 7 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation", @@ -11088,9 +11132,9 @@ }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Pluggable Authentication Module or Configuration Creation", - "sha256": "5cd5abcec00ab4d48721e29f5b4cc866f7eca9cd14922809c30ba8ec33f3fbe6", + "sha256": "4e7927ea9ee84da27a6bc1fc12f753e2d873328a3a1f8113354afe2c2889690e", "type": "eql", - "version": 8 + "version": 9 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", 
@@ -11100,9 +11144,9 @@ }, "f4b857b3-faef-430d-b420-90be48647f00": { "rule_name": "OpenSSL Password Hash Generation", - "sha256": "a164b65b563ecd65fc0fbd6d8300fed0c16b4c6af4a648f638316832a8a14b51", + "sha256": "578fa837f0af51bf69c436d7ba2cc8d249f7fc6cfc00be5c25b0ba71b3069fa7", "type": "eql", - "version": 5 + "version": 6 }, "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", @@ -11112,9 +11156,9 @@ }, "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { "rule_name": "DPKG Package Installed by Unusual Parent Process", - "sha256": "cb6ce5435bb465794285c5c4f9f24703ff68bad3a3f7ec90b462e3decfeca0be", + "sha256": "2ecc5312b7dd25b04f1124d44fdcf991f2650e3684b81ba6910730dbb18db5b7", "type": "new_terms", - "version": 6 + "version": 7 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", @@ -11124,9 +11168,9 @@ }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "3fcd77e51226a469c34f70b54591a6b2d919e2192ba24ed71fd90921290431cc", + "sha256": "6212d9d93c65c1e446bdeb51474d2abaded9566ccad6cbc8ef83ff0fed9163ac", "type": "eql", - "version": 11 + "version": 12 }, "f541ca3a-5752-11f0-b44b-f661ea17fbcd": { "rule_name": "Entra ID Sign-in TeamFiltration User-Agent Detected", @@ -11136,9 +11180,9 @@ }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", - "sha256": "63504b45de08ac60e947b5c14b035dac62d99c21b83c7a4b4ec514718274a3f8", + "sha256": "264b4899ef3cefac559933fcac41d2d42b656dc38b8b4a595dffa5b6c0bfbb12", "type": "eql", - "version": 314 + "version": 315 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "rule_name": "Deprecated - SSH Connection Established Inside A Running Container", 
@@ -11148,46 +11192,46 @@ }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { "rule_name": "Rare SMB Connection to the Internet", - "sha256": "85aa99a054bc951c424dbbd1370be140b58104a2af079671be01f409fce66d1d", + "sha256": "fd652aabce416c86c10c7059fd5ff466d05b4119ca6bc670b78f3fcfde1812a0", "type": "new_terms", - "version": 211 + "version": 212 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "35631fdae636c785efe1e73f4d79126c72bd13989ea378c9dc433297c2ad42d0", + "sha256": "e2478afe8591053489cbda3bfcc55b4842a4119642e5d56d3ce788a9179b5c3f", "type": "query", - "version": 110 + "version": 111 }, "f596175f-b8fd-43ac-b9e9-ea2a96bb55d8": { "min_stack_version": "9.3", "rule_name": "Kubelet Pod Discovery Detected via Defend for Containers", - "sha256": "fa389bca269e14286f8cea1c5c9e8d2111a1d1d534a488c3c19363f409cbd697", + "sha256": "7723c687b0c450f64a00cee36d7c3931bd7c021d6ff6833cf9c9271a2a5f42f7", "type": "eql", - "version": 1 + "version": 2 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { "rule_name": "WMIC Remote Command", - "sha256": "2104b6abd124b33aa4ba66650b7c9c6981626f1d93a7a3a712a22891a8210b48", - "type": "eql", - "version": 110 - }, - "f5c005d3-4e17-48b0-9cd7-444d48857f97": { - "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "7d55c24807d5e11d68b942c22f26d003376325dc2940ae98d118906ceb07f421", + "sha256": "0e72674c9e5b508cb58ff78ab6d5d918767df0ff88c1a86cec3981f283555247", "type": "eql", "version": 111 }, + "f5c005d3-4e17-48b0-9cd7-444d48857f97": { + "rule_name": "Setcap setuid/setgid Capability Set", + "sha256": "3000740cd69fe252c0029fb2309de620fe221dc6bdbb6873c6de6c6dec2414f9", + "type": "eql", + "version": 112 + }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "rule_name": "Parent Process Detected with Suspicious Windows Process(es)", - "sha256": "892146af9028d4e03537dd1233b7a26ed1239787574f281d9204b25cab92ee63", + "sha256": "5e26435a6c6b152cc9c108374c72cd5a9f0766698e6eaf34ecfb75df00fb5d27", "type": 
"machine_learning", - "version": 110 + "version": 111 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "rule_name": "Masquerading Space After Filename", - "sha256": "b3aeacc283aba77fab3366bc3519f42fb6dc01607663db4ba67a67ee5efd409f", + "sha256": "b8a837130b3b5d74204a8537614a5612a561e68b829c89916fbf5f67d9505c72", "type": "eql", - "version": 11 + "version": 12 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "rule_name": "Account or Group Discovery via Built-In Tools", @@ -11203,16 +11247,16 @@ }, "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", - "sha256": "72d6ffe9d368a4201f747eaaddfb00673f47079f4e5e11524d775d7352ebe202", + "sha256": "e44cc2803ee91b1dfe83cb1006d9209add5b8ac45d8bac02236bd6a022fe2177", "type": "eql", - "version": 7 + "version": 8 }, "f66a6869-d4c7-4d20-ab13-beefd03b63b4": { "min_stack_version": "9.3", "rule_name": "Environment Variable Enumeration Detected via Defend for Containers", - "sha256": "027b3215839ba15dbe8fa88451f7537ead96e5c39072209f9de455446fd2da30", + "sha256": "4940432d89d05102af4274afb80384ca2bda0d452e0521a1afc0879a5237b699", "type": "eql", - "version": 1 + "version": 2 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", @@ -11222,9 +11266,9 @@ }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "55f87f6cb95594cde489f7fbc1c78ae461b53294d959a80b4daa38923b1fa95c", + "sha256": "08ad8ed2e2ca485401fa0335d86ab975c721be7927df7d41f56076abb95d7db6", "type": "eql", - "version": 110 + "version": 111 }, "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": { "min_stack_version": "9.2", 
@@ -11238,39 +11282,39 @@ } }, "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", - "sha256": "6cec1911a7c8af3fc5091d352854bcfe521af7739b5b7b10183edf8c3e3e5dfe", + "sha256": "d6c1961a83a29873b120fdfea8882d1738a1c515182782f9a9b57a2b000e1836", "type": "new_terms", - "version": 107 + "version": 108 }, "f6d8c743-0916-4483-8333-3c6f107e0caa": { "rule_name": "Potential PowerShell Obfuscation via String Concatenation", - "sha256": "f56190b966c8b01230a154a0851ed2e59d80595a1de876b0764e3d046e9bea51", + "sha256": "a5be06782ebc2892b498e90d1562a35d2dc23a8685801a269f11c65230d8a223", "type": "esql", - "version": 10 + "version": 11 }, "f701be14-0a36-4e9a-a851-b3e20ae55f09": { "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing", - "sha256": "4c6019ccf42c348cb2a29ee08d4a35da9880807d962fb9fc188a5141e3532d87", + "sha256": "eebdb2655e2b5099eff58e0d27a0579b6c4801de9985e30ec4caa4b8f5f0c59c", "type": "query", - "version": 2 + "version": 3 }, "f754e348-f36f-4510-8087-d7f29874cc12": { "rule_name": "AWS Sign-In Token Created", - "sha256": "5a4040e73d23453205709b9e456464e7d162621cff2e1513ca9e81c7a3b97414", + "sha256": "b4f3c7bb4e908abc5172e54beffa1e362454012ebbc480fe2d7ce71b7112cd71", "type": "query", - "version": 1 + "version": 2 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "rule_name": "System Hosts File Access", - "sha256": "7123d78652fee531afc9d913c683b786e750e8fea34b80fe043c72af99909774", + "sha256": "e74aea796502decaa57c31bdfcbbb1fd65f68a826f3c3e1f3f6fdf7cb458fa3b", "type": "eql", - "version": 6 + "version": 7 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "rule_name": "Entra ID Service Principal Credentials Created by Unusual User", - "sha256": "9408efd3b40a1edce701707f8b2eb8304dd34bd7dc0a40781b638b195c025399", + "sha256": "fc57ea21237e412537f32ffd71bcbf98d2bb681ea933271aec872c9083a1121e", "type": "new_terms", - "version": 108 + "version": 109 }, "f770ce79-05fd-4d74-9866-1c5d66c9b34b": { "rule_name": "Potential Malicious PowerShell Based on 
Alert Correlation", @@ -11296,9 +11340,9 @@ } }, "rule_name": "SSH Authorized Key File Activity Detected via Defend for Containers", - "sha256": "f4bffbc221ab135eae28675f5c599a369cf70b32f57f5c8e7c1426f72ddb310e", + "sha256": "14f95ad2256fe5d602c0c02461a1ad0140159a49d4af60382a20a6d2511f1cfd", "type": "eql", - "version": 105 + "version": 106 }, "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": { "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance", 
@@ -11315,33 +11359,33 @@ "f7c64a1b-9d00-4b92-9042-d3bb4196899a": { "min_stack_version": "9.3", "rule_name": "Service Account Namespace Read Detected via Defend for Containers", - "sha256": "54cdee057e604fae8b8629fb7e641ec29e9b46917648e63203fbd8a5f0f52430", - "type": "eql", - "version": 2 - }, - "f7c70f2e-4616-439c-85ac-5b98415042fe": { - "rule_name": "Potential Privilege Escalation via Linux DAC permissions", - "sha256": "e014f76230f1cf349a09ebfaffcd9a5b48436e9f2ac8f84cd7f352fc63f8e1ca", - "type": "new_terms", - "version": 7 - }, - "f7d588ba-e4b0-442e-879d-7ec39fbd69c5": { - "rule_name": "Potential SAP NetWeaver WebShell Creation", - "sha256": "5ef7adfab7e5ad994436c7c51bb8593c125f817dba1b6574dc78f5f1c3019a32", - "type": "eql", - "version": 1 - }, - "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": { - "rule_name": "AWS CLI with Kali Linux Fingerprint Identified", - "sha256": "9ecf45d00058271bf4fa11c2e9f63e56a95e59e9fb13bd243c0bcb5e1ad1e0fd", + "sha256": "9f57c86383c5c1b1e2b9f7f6640f0c0651119f9ae170973ee430a1280981cecc", "type": "eql", "version": 3 }, + "f7c70f2e-4616-439c-85ac-5b98415042fe": { + "rule_name": "Potential Privilege Escalation via Linux DAC permissions", + "sha256": "273a68b602a7b719ceb9864ebcbbf2d46da699434458da9c37a16b290bdcd808", + "type": "new_terms", + "version": 8 + }, + "f7d588ba-e4b0-442e-879d-7ec39fbd69c5": { + "rule_name": "Potential SAP NetWeaver WebShell Creation", + "sha256": "1ec092ad267fde831ed0f6df37ec577f9d2275d7956117a0052e4eb35ee7068d", + "type": "eql", + "version": 2 + }, + "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": { + "rule_name": "AWS Suspicious User Agent Fingerprint", + "sha256": "d8f55b7cb56235069f1574c53c746da0a83543aeb82424b30a43b6d6ceebf502", + "type": "eql", + "version": 4 + }, "f81ee52c-297e-46d9-9205-07e66931df26": { "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "7f5921e49d7d378d9126e4e01f1bb63e3abd0633ab4ee92b798e220f40aa258c", + "sha256": 
"c106cab6e8eb5fb2f17e701d9ba2a7fc83348e1bd9ad61146224fa3a5eafe3d9", "type": "eql", - "version": 313 + "version": 314 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", @@ -11351,9 +11395,9 @@ }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", - "sha256": "41e5f6292b3da2fa4e4cc8ef8570dcfe66b54c1617c8e677241d550643887f49", + "sha256": "ab72bdf494ad1fe2b76321bce5c7385b100ac9456193bbd02076b9162c828500", "type": "eql", - "version": 9 + "version": 10 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", 
@@ -11369,27 +11413,27 @@ }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "9b00ce7091da71e0b1b89223c76bab169fa1371f533d50810c46f8bfbdd7a8d3", + "sha256": "6ad8153a0270d506806ee7548badabd6c58733c8a3ba72db790c95688dd6a4a6", "type": "query", - "version": 109 + "version": 110 }, "f909075d-afc7-42d7-b399-600b94352fd9": { "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "4cdb24a07ee208f032eb6af7f9b7479f039879b8d59682896a08b3a03db5875c", + "sha256": "1a739777354336f165335933f02b0862a00db8dcb86d7fd948ac59e3beaf7d06", "type": "eql", - "version": 105 + "version": 106 }, "f92171ed-a4d3-4baa-98f9-4df1652cb11b": { "rule_name": "Potential Secret Scanning via Gitleaks", - "sha256": "33e0146feb9de871b5ada55b0af64c3223f0c8f03ad5434f251ab66a85956093", + "sha256": "2161c82acd72e33700b0364812054c76003c9e68b25db81829ca3aed831c74e8", "type": "eql", - "version": 1 + "version": 2 }, "f94e898e-94f1-4545-8923-03e4b2866211": { "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", - "sha256": "d5a3a16d749ae91452f393b87578d057671c3e1eb36e9a68367d6160ec3bfd52", + "sha256": "17321d3d74af2ddb12d9920ceb84fd2b8ca8e772fcb350e32526d5c46c5672c8", "type": "new_terms", - "version": 207 + "version": 208 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux Network Configuration Discovery", 
@@ -11405,21 +11449,21 @@ }, "f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a": { "rule_name": "Okta Admin Console Login Failure", - "sha256": "b81d0b73d164001b8e1540672ae510843355372f5ed90223d71be86812b9cd27", + "sha256": "3677a7454991a183ca50685f05c67cfbb7ab40cf6d1228854c5bc90678c5ed52", "type": "query", - "version": 1 + "version": 2 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { "rule_name": "Browser Extension Install", - "sha256": "81bcee1c190422617ecec5060d5c56cac2493d8ea917f010d9ecb2c97e1c8082", + "sha256": "775f70e17e3838a8d2e278660b53423e29621be18e0b48b83607a9eba3dd59a2", "type": "eql", - "version": 207 + "version": 208 }, "f9753455-8d55-4ad8-b70a-e07b6f18deea": { "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", - "sha256": "2ecbf0a719e60c1a4d65cc86c0d02ce00fa12333fbb32e834f271fc17367cd24", + "sha256": "38bd2f9e10713d14fe22bca802a8451930bea026c19babeddec2c1c26e14a9ab", "type": "esql", - "version": 9 + "version": 10 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "rule_name": "Privileged Accounts Brute Force", @@ -11435,9 +11479,9 @@ }, "f9abcddc-a05d-4345-a81d-000b79aa5525": { "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", - "sha256": "e429a1bb7579d75e52d9c21dba63b12b1d6d5efe9aa7dbff56eb09d652825da3", + "sha256": "9fc867fa956909614f0c374d0eef744aaa01a9f0bc9c8c4cb346e4abe5b2e9f0", "type": "esql", - "version": 11 + "version": 12 }, "f9de0949-94d8-441d-ae9a-8eb1e040acf2": { "rule_name": "Newly Observed Process Exhibiting High CPU Usage", @@ -11447,9 +11491,9 @@ }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "1b028848a7c0c89d6a35c04425246332f3a3d075fd2c35a8865d6a80f2107ea0", + "sha256": "1490071c689a9d0493c0a1bdde622ec455d2ac911fbd3d44d6c76a846ff2f1d8", "type": "eql", - "version": 317 + "version": 318 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { "rule_name": "Potential External Linux SSH Brute Force Detected", 
@@ -11459,9 +11503,9 @@ }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "d1a2565f06c73545ea8ed2035cf39758845220914c54c84574ca09aee433fb19", + "sha256": "75eae6a378cd9de230df241678954eca014909ff202bd7530fd66caad62920c5", "type": "eql", - "version": 12 + "version": 13 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "rule_name": "Suspicious Antimalware Scan Interface DLL", @@ -11477,9 +11521,9 @@ }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "rule_name": "Potential Masquerading as System32 DLL", - "sha256": "43e8b63eb9570e74bea2bd40c0278bb6bd6689e146817245638379783aeb1e04", + "sha256": "e1b06ffe4e33874ed8e0700e601b69f3c9138637316c92d5c31067e7384a7006", "type": "eql", - "version": 109 + "version": 110 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Registration Utility", @@ -11489,9 +11533,9 @@ }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { "rule_name": "High Number of Cloned GitHub Repos From PAT", - "sha256": "0b2014b51f05dc7bab6bf89177d97bfe529a2168a887e107d01282c03ab79482", + "sha256": "cf2ef18d44f8723b31d04f647c610a7afc8d9dc610321e26c8861181a2a7a635", "type": "threshold", - "version": 207 + "version": 208 }, "fb16f9ef-cb03-4234-adc2-44641f3b71ee": { "rule_name": "Azure OpenAI Insecure Output Handling", 
@@ -11507,21 +11551,21 @@ }, "fb542346-1624-4cf2-bcc7-c68abaab261b": { "rule_name": "Kernel Instrumentation Discovery via kprobes and tracefs", - "sha256": "a8a874542376d67bfb7e56d83b295e1b28912d3a594ba3364a7f056091b145ed", + "sha256": "b7658647fd18f717cf27e94dc7503078ad59c72e1477332c507001cd361c4b10", "type": "eql", - "version": 1 + "version": 2 }, "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": { "rule_name": "Unusual Group Name Accessed by a User", - "sha256": "9f2db22b9e734b5a889262f1f2f439535f666e0297237040c15e016852a51ff1", + "sha256": "910816869ac69e52dd49d7b50213a32f674a8abcca1169b8dae5d9d0ca26a27d", "type": "machine_learning", - "version": 3 + "version": 4 }, "fb8790fc-d485-45e2-8d6e-2fb813f4af95": { "rule_name": "Dylib Injection via Process Environment Variables", - "sha256": "7da78ac164b35b7695d523d656762c1510c83d8e8889eb47d0e9153a3ef95e84", + "sha256": "3da41c31ba94d685cd75f85322328359014c5be38f21ccf09593a68bf338b641", "type": "eql", - "version": 1 + "version": 2 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", @@ -11531,15 +11575,15 @@ }, "fbad57ec-4442-48db-a34f-5ee907b44a22": { "rule_name": "Potential Fake CAPTCHA Phishing Attack", - "sha256": "8e3289b4539e63e0d4bbe85963ed47f490894e78c1b8e45d5b57da403063d53f", + "sha256": "0a1986244d8bb19d2fab065d31df99978b0474330486bd0ceaa03fd2727d8675", "type": "eql", - "version": 1 + "version": 2 }, "fbb10f1e-77cb-42f9-994e-5da17fc3fc15": { "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", - "sha256": "f1169e957a20125ed74336cc3fa63c1c0f4d95f9affb1dff7262a2ab43453162", + "sha256": "b6972d4f3235fe5015a16b59e32f209fef18168efd59112b1173e3341709c0b2", "type": "machine_learning", - "version": 3 + "version": 4 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", 
@@ -11549,9 +11593,9 @@ }, "fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": { "rule_name": "Process Started with Executable Stack", - "sha256": "1f4d2ebb8ad5c86faee9ef8bab795952baa6d520b4d4f15f39063ab84c86a639", + "sha256": "6bbf5a0a14f640c392995936cd0704eb2b79897183695742f96a246f51386081", "type": "query", - "version": 4 + "version": 5 }, "fc552f49-8f1c-409b-90f8-6f5b9869b6c4": { "rule_name": "Elastic Defend Alert Followed by Telemetry Loss", @@ -11561,21 +11605,21 @@ }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "5a82f8caac0fe4454c5282d9afcc90b60b161d0c3799c54bd699873bfc0a5905", + "sha256": "2c4a7c07729a478594b21a511f1a9f979a8312c4a0dc56da8076580881a0c175", "type": "eql", - "version": 312 + "version": 313 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", - "sha256": "e48789ac4282a1b2d6273567fbd11cf4ac27ad3e4f605c515108f3468274a1ac", + "sha256": "b75dda67fd9da77f1320ea7c94c736e499c45243b2d3a1f0775caeca732cf753", "type": "new_terms", - "version": 207 + "version": 208 }, "fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": { "rule_name": "Proxy Execution via Console Window Host", - "sha256": "71c27f7195ec6a29dadac01c5679565bdbb368f049b138fb1a4ea088756ec63a", + "sha256": "c59c8e3d79a2cd6347c827d35bb0e57598f41c6667eda09b298a6bdff4958634", "type": "eql", - "version": 1 + "version": 2 }, "fcd2e4be-6ec4-482f-9222-6245367cd738": { "rule_name": "M365 Identity OAuth Flow by User Sign-in to Device Registration", 
@@ -11591,9 +11635,9 @@ }, "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { "rule_name": "User or Group Creation/Modification", - "sha256": "fcbb49983377e93047c9f5a2a4f5dcf889f9a9e308e22fc7dd85ac8b69f77402", + "sha256": "2d62847cab8c33a052e502836ad121caf86f64b238197c9a1b2938d4e27c5f5e", "type": "eql", - "version": 7 + "version": 8 }, "fd00769d-b18d-450a-a844-7a9f9c71995e": { "rule_name": "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount", @@ -11603,9 +11647,9 @@ }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { "rule_name": "GitHub App Deleted", - "sha256": "0f605aa5517a6ddb5f3a5cd04b4b6e30a44d35fcb3b13f030655b6a428b252c8", + "sha256": "e51549bf7834d3a0abbe08f6469acc71cd816cc3542fb505d9af289c2afae781", "type": "eql", - "version": 207 + "version": 208 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", @@ -11627,15 +11671,15 @@ }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Suspicious CertUtil Commands", - "sha256": "382f88c563097d4a8091b774c5ae43d94baa29779ece49ef509c639e57494bbc", + "sha256": "939e7894f13daf5708d2c85416fec8b91aeb8951c4cc059f29a99d7c386786c6", "type": "eql", - "version": 315 + "version": 316 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", - "sha256": "33447fa26939a022e4a103627c64288d1909ecce7376d823c0d28f19006d7a95", + "sha256": "658d4e647f7bfe468cbb5355f6d31f0c7b1dde0c2dfa120eea56e0cd22ca56f8", "type": "new_terms", - "version": 425 + "version": 426 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { "rule_name": "Image Loaded with Invalid Signature", 
@@ -11651,27 +11695,27 @@ }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "rule_name": "PowerShell Kerberos Ticket Dump", - "sha256": "aab00e43628fbf27cb1346ec2f5b519d10644c98ff198583648ba08ab65f088d", + "sha256": "5c4a081737775e263f75482121cc7ace98104ad4bbf787e3e44b70235945369f", "type": "query", - "version": 111 + "version": 112 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", - "sha256": "1992da8023f1475e7ecead13adb32485cb6a234a3f49e3d3e880464a2402d474", + "sha256": "4f61d5a4d2aea076af8a4b48cd80ffa83a42e7c5bc8144c04f396ba5571cb1ac", "type": "query", - "version": 111 + "version": 112 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "90aa76c4f7daef4acec489e280a63032de791c9a2a5fe91e3474bb593165a881", + "sha256": "d9c865f4237f4a014bef544884fd6715a5f3bb6ef22bd7e705a40aa286fe445d", "type": "eql", - "version": 317 + "version": 318 }, "fe8d6507-b543-4bbc-849f-dc0da6db29f6": { "rule_name": "Spike in host-based traffic", - "sha256": "7d0904f2a6c2a004781895aff437401514b91b5b08ebb3f2ee87de5341e110a7", + "sha256": "539f0007ba47959012c3d761d040a6d76269a8994675b2f51c844ca81e899ef4", "type": "machine_learning", - "version": 4 + "version": 5 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", 
@@ -11681,15 +11725,15 @@ }, "feba48f6-40ca-4d04-b41f-5dfa327de865": { "rule_name": "Data Encrypted via OpenSSL Utility", - "sha256": "7e4c14c019100eba38aacd09b9887e2a69be967cb5d4d31da74999b96845c8d4", + "sha256": "6d5bc57ab69832dcf1fceb1113c15bd50ef32043aeac5c753aa45d8ef84fb133", "type": "eql", - "version": 1 + "version": 2 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", - "sha256": "296701dc33e1684c4011dbf1ccfd9d85369255ae83c23295e720aa97b8e4136d", + "sha256": "e5501cb17cf5fe1cb22ce9ae6e8396575c212a05d10b7f191f96bde4173277f8", "type": "eql", - "version": 4 + "version": 5 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "rule_name": "MS Office Macro Security Registry Modifications", @@ -11711,9 +11755,9 @@ }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { "rule_name": "Potential DGA Activity", - "sha256": "f662722869546977900cdcf6f61af6921039cb77001c739166a0c0338860eae8", + "sha256": "305c65ba2a0c6e6b8dd78bcd8fce09f2491e6ed7c1ad1c495e321db25ddd0c2e", "type": "machine_learning", - "version": 8 + "version": 9 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "rule_name": "Cron Job Created or Modified", @@ -11723,9 +11767,9 @@ }, "ff18d24b-2ba6-4691-a17f-75c4380d0965": { "rule_name": "Suspicious JavaScript Execution via Deno", - "sha256": "d5dbd70a27f0f56416d46fbf0ab1cd9ae7b67b0a76c5343bde0ec3596b3d5e3c", + "sha256": "aae2b755e36776da4fd6721b130bedbe3399b5fc5400550fc6ea690072aa8b68", "type": "eql", - "version": 1 + "version": 2 }, "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", 
@@ -11747,9 +11791,9 @@ }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "M365 Exchange Mail Flow Transport Rule Created", - "sha256": "4a88bab059f05b02eb58e86a81c507e014566594a60cf5b281da458f592d8b69", + "sha256": "71c8152bd1f4ea310db48f0487624fb6e55fbd763a1f7a196f392abf4c644b26", "type": "query", - "version": 211 + "version": 212 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", @@ -11759,15 +11803,15 @@ }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "rule_name": "GCP Firewall Rule Deletion", - "sha256": "77a309ec983a7d24866bd6b5e90d5423ef1edf0411c0eb6a116b4cb33996448c", + "sha256": "00d05c917b8ab9ff264282af0f59c82fcc130494435e2649d0232f0b3c677c3e", "type": "query", - "version": 107 + "version": 108 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "7dee889e4307b772481635d2b67ec6dfbc300840bfed47d7b74ea140549cfc50", + "sha256": "fd78dc142d1cddc2c1b468082eba4a5caf404e211bf2b2fb770e0bb2218f5810", "type": "eql", - "version": 111 + "version": 112 }, "ffa676dc-09b0-11f0-94ba-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Top Level Domain", @@ -11777,8 +11821,8 @@ }, "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": { "rule_name": "Suspicious TCC Access Granted for User Folders", - "sha256": "6329ee62398952755171a82d57fd5c59d159290b7d4fab00d7fe6043899ca3ea", + "sha256": "d7c925205ac4209a78c8c60e52b5ad975f5ca3a956f42e12337fa8dfa1035e98", "type": "esql", - "version": 2 + "version": 3 } } \ No newline at end of file diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md index ee5929233..7539afb53 100644 --- a/docs-dev/ATT&CK-coverage.md +++ b/docs-dev/ATT&CK-coverage.md 
@@ -87,6 +87,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-aws-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-iam.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-kms](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-kms.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-lambda](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-lambda.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-aws-organizations](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-organizations.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-rds](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-rds.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-route-53](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-route-53.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-s3](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-s3.json&leave_site_dialog=false&tabs=false)| 
@@ -125,6 +126,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-crowdstrike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-crowdstrike.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-cyberark-pas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cyberark-pas.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-data-exfiltration-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-data-exfiltration-detection.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-data-protection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-data-protection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-defense-evasion](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-defense-evasion.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-device-control](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-device-control.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-discovery](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-discovery.json&leave_site_dialog=false&tabs=false)| 
@@ -186,6 +188,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-microsoft-exchange](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-exchange.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-graph-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph-activity-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-graph](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-microsoft-purview-dlp](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-purview-dlp.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-purview](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-purview.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-microsoft-threat-intelligence](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-threat-intelligence.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-ml](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ml.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
index 06251aa8b..61c71b2e9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.12"
+version = "1.6.13"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"