security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3880)

Browse Source 
(cherry picked from commit 6a28881b5f)
This commit is contained in:
github-actions[bot]
2024-07-09 19:13:24 +05:30
parent 308b755d92
commit 8909a95486
1 changed files with 146 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+146 -67
View File
@@ -100,9 +100,9 @@
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "ab12d69ccda9b4506285fbb564f8ce128934caa2d2f9710e9e95f3302456f364",
"sha256": "c09424400f8baab1bc7e15018527a7b26314073d02a79aac933a265ba32a2bf5",
"type": "eql",
"version": 2
"version": 3
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
@@ -1016,9 +1016,9 @@
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "eb4c56089e3f5a64944ea09016b315e24d78a78381989d1d29939502318b82f1",
"sha256": "181668624cb2b4bcc36606deec8dd31b109407ea7b1591438578d01cdce15dce",
"type": "eql",
"version": 6
"version": 7
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"rule_name": "Execution of File Written or Modified by PDF Reader",
@@ -1062,9 +1062,9 @@
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "411958937e7a1d399c000c3ee9bc6e256d0b92a5aea3474e468b84f5991e8bed",
"sha256": "2d27856788bfc038da39a37ddfd4558b1684b31ac76f695a6303857b37585811",
"type": "eql",
"version": 3
"version": 4
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
@@ -1321,9 +1321,9 @@
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "d82f7cdce5ff254cd1b94e2f0390bef570efef35250410982b52a2614113ed42",
"type": "threshold",
"version": 208
"sha256": "9b41ccb00b782e98cb82660d5d90f3b1e1ee827ddd9194e82daa88bbf8f8f665",
"type": "esql",
"version": 209
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.12",
@@ -1600,9 +1600,9 @@
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"rule_name": "Accessing Outlook Data Files",
"sha256": "d2e5a15c87b68da8ded83c3f04fd1cc0b2f38a858d9d58825ea43aa5b4d13c9d",
"sha256": "a30ab7ce03863b4c455dbad0cdcdf5fa65edbe83b132873f3cbcc0aa56b3fe77",
"type": "eql",
"version": 2
"version": 3
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.13",
@@ -1940,9 +1940,9 @@
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"rule_name": "Network Connection via Certutil",
"sha256": "6f47f5ed6240c55d50a34719a69f8cc06e2e1a96b3d7dbf8caed23d34f6fb612",
"sha256": "bd81a89f08fb4259a56c130fd500773f4e8b91d4f27b01f56aac643d845883e4",
"type": "eql",
"version": 111
"version": 112
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"rule_name": "Prompt for Credentials with OSASCRIPT",
@@ -2331,6 +2331,12 @@
"type": "query",
"version": 103
},
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
"sha256": "97a9bbc07dad0412d494a96fa565a7e2555e661c1e57eb06101029572ccf891a",
"type": "eql",
"version": 1
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"rule_name": "Windows Event Logs Cleared",
"sha256": "fc09cce15ed08c912228c02d8c8a913febbcfde1263a2410a281a5b780cbc1bd",
@@ -2399,9 +2405,9 @@
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "f73503ecaa32737163abde02d9b27f8d420df219be75d6ce12c1790c04f52a91",
"sha256": "33e3379959ca6f93326f5069bb4e5104c77c30f399d41fdb0108d3f4de3d7444",
"type": "new_terms",
"version": 106
"version": 107
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"rule_name": "Potential Reverse Shell",
@@ -2609,9 +2615,9 @@
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"rule_name": "Windows System Information Discovery",
"sha256": "e7f81d69a9300bde47134faf67e74e663bf52d62682494acfafebc8afa114273",
"sha256": "5fc1086cb7ed0f2645c18f7164208710ed010261b5742972ab3198c01be33fb8",
"type": "eql",
"version": 4
"version": 5
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"rule_name": "Hidden Files and Directories via Hidden Flag",
@@ -2754,9 +2760,9 @@
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "5932e2f55f6f1e70ca53785865b24d7c502633270fe5df05d898167c0c36ab43",
"sha256": "a7b645ba7111f5db7db8a66d481d9d10e4d8207bcd39e3d29e085a9d847a5527",
"type": "eql",
"version": 3
"version": 4
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"rule_name": "Uncommon Registry Persistence Change",
@@ -2899,9 +2905,9 @@
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "8529bac526d51a184db69b13d9f15bf676bc2b0c6152f40ae73019f4dc20c408",
"sha256": "97930f97d8510a9f34e6fa5a686f90deaa7d039bbe8c97b274463538bea0bb4c",
"type": "eql",
"version": 3
"version": 4
},
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
"rule_name": "DNS Global Query Block List Modified or Disabled",
@@ -3258,6 +3264,12 @@
"type": "query",
"version": 6
},
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
"rule_name": "Sensitive Registry Hive Access via RegBack",
"sha256": "417b0c6af6df3823e5c27b53ae2f2e9eb7eb16e6f01f91427f7abb1d180c9885",
"type": "eql",
"version": 1
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"rule_name": "Network Connection via Signed Binary",
"sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49",
@@ -3721,9 +3733,9 @@
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "a3fdba9254d6e0decace5b3bbe34f7365bdb09fb0ab62ce49b0058dc63af0cbc",
"sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297",
"type": "eql",
"version": 114
"version": 115
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"rule_name": "Suspicious RDP ActiveX Client Loaded",
@@ -3980,9 +3992,9 @@
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "c611056d35cd93fe81c5d897466610121a8eb8824ced600673490ea40deaba6d",
"sha256": "b06fe72841e973c578410fa85cc532be47a7199c613e59e094aaefce1e311a48",
"type": "eql",
"version": 2
"version": 3
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"rule_name": "Unsigned DLL Loaded by Svchost",
@@ -4064,9 +4076,9 @@
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"rule_name": "Tampering of Shell Command-Line History",
"sha256": "106aa939e4c87db6570ee327ed6ca3e7f889aca17a71e09044b0b8dc3bed815c",
"sha256": "049a63c5b82b17f2d6c5dd181badc64cc229ff7a1273b26c54a8703a0514f8db",
"type": "eql",
"version": 105
"version": 106
},
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
"rule_name": "APT Package Manager Configuration File Creation",
@@ -4107,9 +4119,9 @@
},
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
"rule_name": "SSH Key Generated via ssh-keygen",
"sha256": "2db05f2e3ae056597ccc0da7403d1957ce361a9175866efd0c7e540914d0fded",
"sha256": "90b5e320db9401bdd0376dab7ae156178fbe41dfe70edf6fe1e1f02626127276",
"type": "eql",
"version": 1
"version": 2
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"rule_name": "Suspicious Kworker UID Elevation",
@@ -4118,11 +4130,20 @@
"version": 2
},
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
"min_stack_version": "8.9",
"min_stack_version": "8.12",
"previous": {
"8.9": {
"max_allowable_version": 102,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49",
"type": "eql",
"version": 3
}
},
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "adb75f0219164c5e3c96a145f69d0da86658f728ce7ced78350c0b40f97eb464",
"type": "eql",
"version": 2
"version": 103
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"rule_name": "Suspicious WMIC XSL Script Execution",
@@ -4145,9 +4166,9 @@
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
"sha256": "a98fe6d999a2909e15b551344bcf8abf4c8755341d7daa2ddc121fbdd0f3eec2",
"sha256": "e67b6224776547e16d7ad98038f463469fe254811509c279e254f182d16da5c2",
"type": "esql",
"version": 1
"version": 2
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
@@ -4161,6 +4182,12 @@
"type": "eql",
"version": 4
},
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
"rule_name": "Potential PowerShell Obfuscated Script",
"sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5",
"type": "query",
"version": 1
},
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "SSM Session Started to EC2 Instance",
@@ -4562,9 +4589,9 @@
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"rule_name": "Bitsadmin Activity",
"sha256": "39ca4c3ed7500f428501bf32d7b5361c687e94b712b9d7742406bb4c804bb53b",
"sha256": "35fb8f0b0b8dc7f267f657ff3e2bed84da9697e91d1b78c4aa6fefab084e96e7",
"type": "eql",
"version": 2
"version": 3
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
@@ -5140,6 +5167,12 @@
"type": "machine_learning",
"version": 104
},
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public",
"sha256": "17ecf0959839ce503bd007ec83692ce66c8030a9fb479e52cf63f27f40bce235",
"type": "eql",
"version": 1
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079",
@@ -5238,10 +5271,10 @@
"version": 110
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
"sha256": "89b0c47b77b31a2b7c84dfe6195e371e6678e7153a116dd44c14e22eae50b16c",
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
"sha256": "f88225fa0fa8f945e8a2c742913108af721f807ca41fe1e300d3d6546236bcd2",
"type": "query",
"version": 106
"version": 107
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"rule_name": "PowerShell Mailbox Collection Script",
@@ -5340,6 +5373,12 @@
"type": "eql",
"version": 110
},
"a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
"rule_name": "Entra ID Device Code Auth with Broker Client",
"sha256": "1cf36e99756517a71c3c4daeef8d7ed86213399d94ede19cb11a01ad05ef7323",
"type": "query",
"version": 1
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88",
@@ -5431,6 +5470,13 @@
"type": "eql",
"version": 111
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"min_stack_version": "8.13",
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
"sha256": "9cb68a665ab8fb65cda28c7f6d955319eae1629b493c01c6bc144c5ceb04ffd1",
"type": "esql",
"version": 1
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676",
@@ -5491,10 +5537,10 @@
"version": 108
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "dff7c67640bd01423d897e090d914f6661f2ccbd00d363315a58d011cac71b65",
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
"sha256": "c387b952f7259ac6c595aba8c0f9182063b9497dd22302e8b1d3bcd1e582de79",
"type": "query",
"version": 205
"version": 206
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
@@ -5671,6 +5717,12 @@
"type": "machine_learning",
"version": 104
},
"b36c99af-b944-4509-a523-7e0fad275be1": {
"rule_name": "AWS RDS Snapshot Deleted",
"sha256": "8b76484fc36e6fadcda9a04a2159138a7848fea3ac58faa33232daf8efb18d03",
"type": "eql",
"version": 1
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "eef346faba690b1ca2c851bf022d97d9087f5626a0d024a6714c3d09e9ba26d0",
@@ -6027,9 +6079,9 @@
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "f9a5163bfb60ec1ac26ac681518a193a85b03a87dac342a3579a7b2ae3628e0b",
"sha256": "9a43bf8c991e44191f2acddfa4de48dc8498f1fb4a31f0a465da7803607b88e9",
"type": "eql",
"version": 2
"version": 3
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"rule_name": "Suspicious Print Spooler Point and Print DLL",
@@ -6068,10 +6120,10 @@
"version": 109
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "867302d2c993c7e6bb06acb3bb9784e8de51117e6d0fdd1a5a8e040e24fab59f",
"type": "query",
"version": 206
"rule_name": "AWS RDS DB Instance Restored",
"sha256": "0703a09b818a7309df61f2173cfadcdd04899c0f597c70caebec0a6a7a077968",
"type": "eql",
"version": 207
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"rule_name": "System Owner/User Discovery Linux",
@@ -6226,15 +6278,15 @@
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"rule_name": "Attempted Private Key Access",
"sha256": "92447cf8bb6de4a626ecd420b9c64922484cb49f216d13292e833c1abdb4786c",
"sha256": "a2d23373933dc72a8fac22e848478c79809b64fb82b1e2df5411efd914a02daa",
"type": "eql",
"version": 3
"version": 4
},
"c5677997-f75b-4cda-b830-a75920514096": {
"rule_name": "Service Path Modification via sc.exe",
"sha256": "6d70ac346b080bca5ad2083c56ff66bd01f63204483b047353855e7898b39862",
"sha256": "d21521b9419d33d88ccc37d41184f3f1c212c72630806481b83b8ec03e10e97e",
"type": "eql",
"version": 3
"version": 4
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"rule_name": "Potential Remote Desktop Shadowing Activity",
@@ -6455,11 +6507,20 @@
"version": 106
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
"sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5",
"type": "threshold",
"version": 2
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 101,
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
"sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5",
"type": "threshold",
"version": 2
}
},
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "1ff1f2a88a1700579b30e869574672a0f8a4a59710be9c14164041681731b380",
"type": "esql",
"version": 102
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
@@ -6589,6 +6650,12 @@
"type": "query",
"version": 111
},
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
"rule_name": "Shadow File Modification",
"sha256": "81f59855dd3863c54604646a10250287d80095942c3a3bc9eee85d811a248f72",
"type": "eql",
"version": 1
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
@@ -6816,9 +6883,9 @@
},
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "e564b576c629a29ec8088864b78c7c81c8d46453cc5e038a33fdd24d4a3a2641",
"sha256": "48076f4a909ea3f9abf572fc3180287a6d83b02bb0f84aa4ea5b11fb9f93a2d1",
"type": "eql",
"version": 10
"version": 11
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
@@ -7785,11 +7852,17 @@
"type": "query",
"version": 2
},
"f2015527-7c46-4bb9-80db-051657ddfb69": {
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
"sha256": "e6460a31449c23f8abfc491157dd710febce134e74e0b2a94674e4238594f31f",
"type": "eql",
"version": 1
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"rule_name": "Service Path Modification",
"sha256": "f6488872c8be23ecc9a4e3339d5de39339210c77856be3d05d90c00968a721c9",
"sha256": "6a7bad61674e33450053730006659a7d557c3faee437029c328754e645def6bc",
"type": "eql",
"version": 2
"version": 3
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"rule_name": "Creation of Hidden Login Item via Apple Script",
@@ -7822,10 +7895,10 @@
"version": 206
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application",
"sha256": "bf31263ee7b3dd377aad879072d95f3cfa5f487f3db9f91e6d47822700c554c9",
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
"sha256": "18b327ef6f413b2cb43af2cf759d7cc99e9e0a560008ea0cf27fd3c329ff1ce7",
"type": "eql",
"version": 4
"version": 5
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
@@ -7926,9 +7999,9 @@
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"rule_name": "WMIC Remote Command",
"sha256": "49fe04b88dc0dc6ee9776c88113935db33ecbc3c955ddb4b201acb6867022d7f",
"sha256": "4bed051c9dd04e9af8e3a2e7e5b745d2c9e666d5041466fe01e618f2e9aa3a90",
"type": "eql",
"version": 4
"version": 5
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"rule_name": "Setcap setuid/setgid Capability Set",
@@ -7960,6 +8033,12 @@
"type": "eql",
"version": 110
},
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
"sha256": "5d49105f2099fe1c95a69e97a0bc950a38fa1c2c94f564b11948f80c348c3513",
"type": "eql",
"version": 1
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "6b1d419bf9aa6949ee92ded6a11fd322e88da4c01130617ee0d215449c773841",
@@ -8281,9 +8360,9 @@
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",
"sha256": "6b4878af88365170479ac74ad0afcc51029ed6448d58fcb9f720bb70d9f25c45",
"sha256": "9a60c969dcfdec4a4768f18d3d13d2f00acd9243d6c791a967a0515aa7917bec",
"type": "eql",
"version": 8
"version": 9
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",