Lock versions for releases: 8.19,9.1,9.2,9.3 (#5639)

This commit is contained in:
github-actions[bot]
2026-01-28 18:37:52 +05:30
committed by GitHub
parent d252cae4ee
commit 8b8c0beec7
4 changed files with 747 additions and 352 deletions
+45
@@ -1,4 +1,9 @@
{
"015cca13-8832-49ac-a01b-a396114809f6": {
"deprecation_date": "2026/01/16",
"rule_name": "Deprecated - AWS Redshift Cluster Creation",
"stack_version": "8.19"
},
"03a514d9-500e-443e-b6a9-72718c548f6c": {
"deprecation_date": "2025/03/14",
"rule_name": "Deprecated - SSH Process Launched From Inside A Container",
@@ -59,6 +64,11 @@
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
"stack_version": "7.16"
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"deprecation_date": "2026/01/16",
"rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted",
"stack_version": "8.19"
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"deprecation_date": "2025/06/26",
"rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
@@ -104,6 +114,11 @@
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
"stack_version": "7.16"
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"deprecation_date": "2026/01/16",
"rule_name": "Deprecated - AWS RDS Security Group Creation",
"stack_version": "8.19"
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"deprecation_date": "2021/03/03",
"rule_name": "Setgid Bit Set via chmod",
@@ -204,6 +219,11 @@
"rule_name": "File and Directory Discovery",
"stack_version": "7.16"
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"deprecation_date": "2026/01/16",
"rule_name": "Deprecated - AWS ElastiCache Security Group Created",
"stack_version": "8.19"
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"deprecation_date": "2021/04/15",
"rule_name": "Tor Activity to the Internet",
@@ -219,6 +239,11 @@
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
"stack_version": "7.16"
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"deprecation_date": "2026/01/16",
"rule_name": "Deprecated - AWS RDS Security Group Deletion",
"stack_version": "8.19"
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"deprecation_date": "2024/02/22",
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
@@ -374,11 +399,21 @@
"rule_name": "Whitespace Padding in Process Command Line",
"stack_version": "7.16"
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"deprecation_date": "2026/01/16",
"rule_name": "Deprecated - AWS RDS Cluster Creation",
"stack_version": "8.19"
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"deprecation_date": "2021/04/15",
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"stack_version": "7.14.0"
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"deprecation_date": "2026/01/16",
"rule_name": "Deprecated - AWS EC2 VM Export Failure",
"stack_version": "8.19"
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"deprecation_date": "2022/05/09",
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
@@ -394,11 +429,21 @@
"rule_name": "Suspicious Network Connection Attempt by Root",
"stack_version": "8.3"
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"deprecation_date": "2026/01/16",
"rule_name": "Deprecated - AWS RDS Instance/Cluster Stoppage",
"stack_version": "8.19"
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"deprecation_date": "2022/05/09",
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
"stack_version": "7.16"
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"deprecation_date": "2026/01/16",
"rule_name": "Deprecated - AWS RDS Instance Creation",
"stack_version": "8.19"
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"deprecation_date": "2022/05/09",
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
+697 -351
@@ -49,9 +49,9 @@
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"rule_name": "Potential Network Scan Detected",
"sha256": "e70f558dc6025f7d86dc825a9927a3192dc6ea983424e6e28080fdba9ee373da",
"sha256": "3ba46fc1349a8bf917183c0721c61a73cdb30c9634e35439e7c80008d8f7e8c8",
"type": "esql",
"version": 13
"version": 14
},
"017de1e4-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Memory Threat - Detected - Elastic Defend",
@@ -65,6 +65,13 @@
"type": "new_terms",
"version": 207
},
"02275e05-57a1-46ab-a443-7fb444da6b28": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"sha256": "952901c0899f5762fcd50e767297ca8ffcf29a6bbb13ae322c70e6c160a8cb18",
"type": "eql",
"version": 1
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "effdc73f270011dd596efce8ebf1cec1af482896d9c27adf8015357428042c50",
@@ -157,9 +164,9 @@
},
"0415258b-a7b2-48a6-891a-3367cd9d4d31": {
"rule_name": "First Time AWS CloudFormation Stack Creation",
"sha256": "c14f634ac8d501f56487a54ce3e10ac740ec26bf38940489dbec0b47239e883a",
"sha256": "aa9bbf4e95f9d88307a86039a78988c7fe8e87827e029e593d2bc314f2f56605",
"type": "new_terms",
"version": 5
"version": 6
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"rule_name": "Renaming of OpenSSH Binaries",
@@ -174,10 +181,20 @@
"version": 105
},
"0428c618-27f5-4d94-99e6-b254585aba69": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 100,
"rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "6db6ca7bb4958bfd24a3ebc8ff577a84b540bc4138556d040d11a337439d1043",
"type": "esql",
"version": 1
}
},
"rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "6db6ca7bb4958bfd24a3ebc8ff577a84b540bc4138556d040d11a337439d1043",
"type": "esql",
"version": 1
"version": 101
},
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
@@ -205,9 +222,9 @@
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "d0e4307fe188c84b54919f0659ae4a86b4156bc304076c25ddeb1aba16b0c6d4",
"sha256": "b041eda883625c151da07f6f712fa59b323ed321f5facabe50784b6d214b2835",
"type": "eql",
"version": 11
"version": 12
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"rule_name": "Microsoft IIS Service Account Password Dumped",
@@ -445,9 +462,9 @@
},
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
"rule_name": "Yum Package Manager Plugin File Creation",
"sha256": "4e66e532921a60c2debd2dae35a8fe7fd807b17a2f5f599c6386380e7769d3cb",
"sha256": "89ca0e093d48d490f8ef9e04a952b23f45c4763cb50f8b27742fdc91cc20c6ea",
"type": "eql",
"version": 8
"version": 9
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"rule_name": "Anomalous Windows Process Creation",
@@ -487,9 +504,9 @@
},
"0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": {
"rule_name": "Elastic Defend and Network Security Alerts Correlation",
"sha256": "2aaa259032fc3bb4cc0da26fd7f9d70cd9129d00a3469d12d19a6a72b6abba88",
"sha256": "eaef1a36013616445b077607fe1e2c6b3f6769cf57496832af13f383851d90af",
"type": "esql",
"version": 3
"version": 4
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces",
@@ -617,6 +634,12 @@
"type": "query",
"version": 107
},
"0e67f4f1-f683-43c0-8d45-c3293cf31e5d": {
"rule_name": "Lateral Movement Alerts from a Newly Observed Source Address",
"sha256": "415e94e0ad5121c6261b79fcadd0ab0c6eff8a58d43a6390caa3a6032c4efe1d",
"type": "esql",
"version": 1
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"rule_name": "MsBuild Making Network Connections",
"sha256": "8bd791257510714b815ae04669e2f5ed846133f80ab4f376c6541bacd64856b2",
@@ -721,9 +744,9 @@
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "bed507515e00c4a06151d8f8fb70eff8c61569f774c6889d3cbda5bee2cb6010",
"sha256": "219dd5e932b1758880482e0558051af64fba130f0e282e5da6aec5c00090ba9b",
"type": "query",
"version": 210
"version": 211
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
@@ -745,9 +768,9 @@
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "469e2389b5118b4114e59d411202e54e7dc0eaaddf8cbc0347aec3f8e6ee27e0",
"sha256": "3acdb831ecb148e687e802d033deaa6355218c3c02b42df9fb149c159039ac68",
"type": "query",
"version": 210
"version": 211
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
@@ -829,9 +852,9 @@
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"rule_name": "Potential Ransomware Behavior - Note Files by System",
"sha256": "0e44245d4fd649d451bf7f350dd734cfff04db46a625091fb2e7912e67f0e290",
"sha256": "8204b19646063fea56f0893a743d86c1465aea28c9b920541a3549dc9ebead09",
"type": "esql",
"version": 212
"version": 213
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
@@ -865,9 +888,9 @@
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "420708d5b6f28d7d42a7d6ff9d7e2ab041ee8cfcdaf8ea415f9b44c14bb474f2",
"sha256": "f40ba61a95d4c3e7495c53e0c7bee3e2b7b567996c2e0cea7b3cc808c4d1f672",
"type": "eql",
"version": 208
"version": 209
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"rule_name": "Potential Persistence via Time Provider Modification",
@@ -877,9 +900,9 @@
},
"14fa0285-fe78-4843-ac8e-f4b481f49da9": {
"rule_name": "Entra ID OAuth Phishing via First-Party Microsoft Application",
"sha256": "bc937f9517d7622047ab87a3a43e46787abb2462497e66973ba7dd6971db9c9d",
"sha256": "f5561c37096b4f71f0b29f3adc5adfe88f2505bcc9814aa9b052b68f7a0cb7f2",
"type": "query",
"version": 5
"version": 6
},
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
@@ -889,9 +912,9 @@
},
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"sha256": "1e3cb915d83b59aa4ce4026753c8f8cf5dc2cb885e52c87de5b04b4e0392d4fc",
"sha256": "e9f82f46cfea1b7298cf223f305e62b8a734e63548d2f0a51969e2abdd8c5a40",
"type": "eql",
"version": 5
"version": 6
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"rule_name": "Execution from a Removable Media with Network Connection",
@@ -924,10 +947,20 @@
"version": 4
},
"160896de-b66f-42cb-8fef-20f53a9006ea": {
"rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
"sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
"sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential release_agent Container Escape Detected via Defend for Containers",
"sha256": "95ff258d6ac709d104147fbee7270bf69b23fcd62a49434721b8ac5e3ea07b6b",
"type": "eql",
"version": 3
"version": 103
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"rule_name": "Azure Automation Runbook Created or Modified",
@@ -955,9 +988,9 @@
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"rule_name": "AWS IAM Group Creation",
"sha256": "e74cdddfbf2602a532fc3fcea4cc547c5d31e961d0cf0c56173f6748e3059599",
"sha256": "0410eb7c7e319a25e36a3370d6a0086693311aa6adeb100e11867aaca931a2c8",
"type": "query",
"version": 210
"version": 211
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"rule_name": "Component Object Model Hijacking",
@@ -985,9 +1018,9 @@
},
"171a4981-9c1a-4a03-9028-21cff4b27b38": {
"rule_name": "Suspected Lateral Movement from Compromised Host",
"sha256": "b1f7681a6ef3c0e7be88eadc5835961ae6a40ee528fb5f6eddc9829c2816adbc",
"sha256": "76d66c8f2e1211a017ecac44a93ed158e8d6502f27c4fea6b4cdd50ed9826207",
"type": "esql",
"version": 1
"version": 2
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
@@ -1111,9 +1144,9 @@
},
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS Service Quotas Multi-Region GetServiceQuota Requests",
"sha256": "b6cd39a5dca55456dd1d2a0bffa37039a7d13d6e99f279531c6ffa6c57a6ef6f",
"sha256": "9025277d05a9b28f25e42b2ca001c86870d137286831af240685932876845347",
"type": "esql",
"version": 6
"version": 7
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
@@ -1140,10 +1173,20 @@
"version": 1
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container",
"sha256": "b35cf28e6c98f67ce2f60eee9fda257649fbc1f6217dbdf63219e032d521c28a",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container",
"sha256": "b35cf28e6c98f67ce2f60eee9fda257649fbc1f6217dbdf63219e032d521c28a",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Network Tool Launch Detected via Defend for Containers",
"sha256": "8d074f725afa65640f0f03c34a5c5845de08a1a9d4d29c575892c50a57bf380b",
"type": "eql",
"version": 4
"version": 104
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"rule_name": "Entra ID Application Credential Modified",
@@ -1153,9 +1196,9 @@
},
"1a3d5b36-b995-4ace-9b85-8a0af429ccf6": {
"rule_name": "Newly Observed High Severity Detection Alert",
"sha256": "02406b2a5524fc8695da906334e325cbc5faaabc0d1239ff1546d63dacb8670e",
"sha256": "72749dc26e0661fd02018957879fceadbc7207329883d27c3b4c18af798ac628",
"type": "esql",
"version": 1
"version": 2
},
"1a3f2a4c-12d0-4b88-961a-2711ee295637": {
"rule_name": "Potential System Tampering via File Modification",
@@ -1171,9 +1214,9 @@
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "d9dc9bfbe4e7e6fadaa10125d5161e393a48c18f4115d02909d4f591358cb399",
"sha256": "00d32e6fa5bbccc98584ca85d490bb3a869cf0f18122627e710ce3c3e0edf137",
"type": "query",
"version": 212
"version": 213
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"rule_name": "User Account Creation",
@@ -1285,9 +1328,9 @@
},
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
"sha256": "73a4efc0dc06d5a54db266a299ff54c7340eb0ebfe170a0c913a21deea49bb71",
"sha256": "e033fea1b5824fcb4bb6be09775b5afaba93c267fe98719d420ccc5fac613758",
"type": "query",
"version": 6
"version": 7
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
@@ -1376,15 +1419,15 @@
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "6a0e9e8d89d9acb5f15761864de10b2e020d6bd9fd2b38d95b05527ebd265d00",
"sha256": "390a8ddd1ebfe760745876334b3873130a04a7357b53a3c9f1633c02379441a7",
"type": "query",
"version": 115
"version": 116
},
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
"rule_name": "AWS Sign-In Console Login with Federated User",
"sha256": "6e9e9d0016eeb4eb826db8de79279670dfa3a06d3fe5a5818eadb4a626d4e1d7",
"sha256": "c625e68b89b88e69474d98cf2961b99044f04f96a94fa852d147cfb0244d2ce7",
"type": "query",
"version": 5
"version": 6
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"rule_name": "Unusual Process Execution on WBEM Path",
@@ -1394,9 +1437,9 @@
},
"1fa350e0-0aa2-4055-bf8f-ab8b59233e59": {
"rule_name": "High Number of Egress Network Connections from Unusual Executable",
"sha256": "59806faa11a6617f1e645848f759c4cdabdbe3a4d6bcf1db414fc8a92d23f019",
"sha256": "8987fcc178e2284c1227542322e424b652518be8cab76cb538d54ca2cc90c055",
"type": "esql",
"version": 8
"version": 9
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"rule_name": "Unusual Linux User Calling the Metadata Service",
@@ -1436,9 +1479,9 @@
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "45c85a6e081bc928b17e0405ee6a0a5222bbc8f3ac4409db4604e3eb06539e90",
"sha256": "f2be664b86234fbaa51823ced7027a936bf9a98ac1533b209d3aabcfbe69a841",
"type": "query",
"version": 210
"version": 211
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"rule_name": "Suspicious Web Browser Sensitive File Access",
@@ -1520,9 +1563,9 @@
},
"227dc608-e558-43d9-b521-150772250bae": {
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "a37e76aabf35162d3a4915f9e4626c3694bd4989aa1007b343dcc9bf2785d4fc",
"sha256": "188373da495c052baa5f489c9a5e4ce8d8133ede03d4aec038290f45949ebd5a",
"type": "query",
"version": 211
"version": 212
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"rule_name": "Potential Shell via Web Server",
@@ -1560,6 +1603,12 @@
"type": "new_terms",
"version": 7
},
"23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf": {
"rule_name": "Potential SAP NetWeaver Exploitation",
"sha256": "1a947a8c0e8b33f904c1ca77617bf8cc6e689ef281f75f7f41e0d5ebe10702c4",
"type": "eql",
"version": 1
},
"23cd4ba2-344e-41bf-bcda-655bea43fdbc": {
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "9e411037eb901ed4a4be89ef5b0a5f6d36e45637a15a1ff70afc11937f1244f7",
@@ -1646,9 +1695,9 @@
},
"264c641e-c202-11ef-993e-f661ea17fbce": {
"rule_name": "AWS EC2 Deprecated AMI Discovery",
"sha256": "d29fbb36af27e479e3151a63b47436713f655cec342a035d2d5c06f8483610f0",
"sha256": "db895e7b67949c6c7700164a14589892cc0b07f890bcd76f290663eba89f0a36",
"type": "query",
"version": 6
"version": 7
},
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"rule_name": "Persistence via Update Orchestrator Service Hijack",
@@ -1674,6 +1723,13 @@
"type": "eql",
"version": 105
},
"26a989d2-010e-4dae-b46b-689d03cc22b3": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request Detected via Defend for Containers",
"sha256": "0f913614bc84eeb793c53a337d82071dc54799ad1f8546f5444f3ab8919fc6d0",
"type": "eql",
"version": 1
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "7851f2067a7914e98ceb33a4459b1b3eaae624ac3470df3cddde0f895f395d3d",
@@ -1740,6 +1796,12 @@
"type": "eql",
"version": 221
},
"283683eb-f2ce-40a5-be16-fa931cb5f504": {
"rule_name": "Newly Observed Palo Alto Network Alert",
"sha256": "06c0ee8d2a9f83935613ee16386a41ee145a2726d82b353478873f07690880b9",
"type": "esql",
"version": 1
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
"sha256": "4b406b760e32e9a412057481852ee5187afe0ca95f051e000e375a52f6da5f6d",
@@ -1802,9 +1864,9 @@
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS EC2 Security Group Configuration Change",
"sha256": "910d019324ad543a1eb73a5b02ccfdecfc8069d437f9a352ec9ff0536760da80",
"sha256": "3aaa75d486f4ba4c2eb992e5edbd1b9d18d5ba4ab2475b4f71eabe69e2a35fc6",
"type": "query",
"version": 211
"version": 212
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
@@ -1820,9 +1882,9 @@
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "88b3cbb633869eb4f1b3c56cf58082902524668f47bf9c0da1f9d71e5668dd67",
"sha256": "0de08935d7b273c2883aff48269919228f3954a001f1b8a630d6c5b6a67de4e2",
"type": "new_terms",
"version": 419
"version": 420
},
"29531d20-0e80-41d4-9ec6-d6b58e4a475c": {
"rule_name": "Alerts in Different ATT&CK Tactics by Host",
@@ -1838,9 +1900,9 @@
},
"29ef5686-9b93-433e-91b5-683911094698": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
"sha256": "cb837753dc5b1e38c537d26af1c4c7ce8ac7211509bf369afa0654a9045f21e4",
"sha256": "d91da4e45de36496cea35cbe616336e3d2d5f81928397cd7a1301eb440e154ce",
"type": "new_terms",
"version": 2
"version": 3
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"rule_name": "Linux SSH X11 Forwarding",
@@ -1896,6 +1958,12 @@
"type": "eql",
"version": 215
},
"2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": {
"rule_name": "Newly Observed FortiGate Alert",
"sha256": "a9d020f9a3f3dd75954efac81280160294feddb89cd2a0f4563c28e82bab0d3c",
"type": "esql",
"version": 1
},
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
"rule_name": "Potential Foxmail Exploitation",
"sha256": "f9995a1f0a95afb24be29dd71a3ddf5c203bb6c2b32550ca795e94f59e06b674",
@@ -2030,9 +2098,9 @@
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "626bd220c455c59636dee56cc13b8d6e035a79fcee06b113ffb73b854659b3fb",
"sha256": "4118fbde9fb7da5dfde559ee21035f3c10aedd631eb6a5a80afced7314403204",
"type": "query",
"version": 215
"version": 216
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
@@ -2072,9 +2140,9 @@
},
"30b5bb96-c7db-492c-80e9-1eab00db580b": {
"rule_name": "AWS S3 Object Versioning Suspended",
"sha256": "655c3b3d652a1f394b514d40e48d8ad32aa4ad61c36859d48dd4b0145455ad61",
"sha256": "1337e852010b0bcdf4249080f5ca94c55575a9ce0eb52bed223f32709bbf23ae",
"type": "eql",
"version": 6
"version": 7
},
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"rule_name": "ESXI Timestomping using Touch Command",
@@ -2132,9 +2200,9 @@
},
"32144184-7bfa-4541-9c3f-b65f16d24df9": {
"rule_name": "Potential Web Shell ASPX File Creation",
"sha256": "706d6f81cd64e9b7c43d7e6547570fcd8295082645940422412c06cc142acb03",
"sha256": "7ba990105bc83c1f1f4f503531aaaafde90450fc0cc781251c267948e03cef91",
"type": "eql",
"version": 1
"version": 2
},
"3216949c-9300-4c53-b57a-221e364c6457": {
"rule_name": "Unusual High Word Policy Blocks Detected",
@@ -2199,9 +2267,9 @@
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
"sha256": "2d5fca5b34846c2f7bf4ecbfb1ab1e520aa603da0c46c48dde136f9efefc6c0e",
"sha256": "20c47ad4fd1ebfa6af30670a5f1c8320fdbbb069b2af8f3184de6556eed50a90",
"type": "query",
"version": 212
"version": 213
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"rule_name": "ESXI Discovery via Find",
@@ -2211,9 +2279,9 @@
},
"33c27b4e-8ec6-406f-b8e5-345dc024aa97": {
"rule_name": "Kubernetes Events Deleted",
"sha256": "0bf498be725596cb62f89e675d15ce2efcd2380aacacf369c0e088f4e3efa47f",
"sha256": "3740512a442422b4a21266e212c408167b5097c243274be72642c1bff27a04a0",
"type": "eql",
"version": 1
"version": 2
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"rule_name": "Remote File Download via PowerShell",
@@ -2228,10 +2296,20 @@
"version": 2
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container",
"sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container",
"sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6",
"type": "eql",
"version": 3
}
},
"rule_name": "Dynamic Linker Modification Detected via Defend for Containers",
"sha256": "162dc3fe83095dff7ae84bbb1a7b8a20fed852e1e2c06a1944bb5b36e65de8fd",
"type": "eql",
"version": 3
"version": 103
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"rule_name": "GitHub Repository Deleted",
@@ -2247,9 +2325,9 @@
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "25471abf314a6e6870ba5924b33e35fc68a643f8944d627af6505a08a298bc11",
"sha256": "819dce4cff2719a1f6f4be28c51930017a4b137d6e1197eebdffd2ceb6ef1436",
"type": "query",
"version": 109
"version": 110
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"rule_name": "Execution via Electron Child Process Node.js Module",
@@ -2421,9 +2499,9 @@
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "91741e10ac5227692cd6659e65bdb206406e59a0bb49b4beb07ee9b30d3d6a23",
"sha256": "bb7db3c3467098559484d1c9aeacc4c48a8e103859dfd04ea38ef1ba7bef6b3d",
"type": "query",
"version": 210
"version": 211
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"rule_name": "Downloaded Shortcut Files",
@@ -2529,9 +2607,9 @@
},
"3c3f65b8-e8b4-11ef-9511-f661ea17fbce": {
"rule_name": "AWS SNS Topic Created by Rare User",
"sha256": "6e5674a983c2dee63298075c177a37833a7edb11df47076a5975e9936ac9db95",
"sha256": "52b8cb5230887893f47fd0d99335171ba317de2e290a59aa35ff58ae5f6f071a",
"type": "new_terms",
"version": 4
"version": 5
},
"3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": {
"rule_name": "Potential Impersonation Attempt via Kubectl",
@@ -2571,21 +2649,21 @@
},
"3db029b3-fbb7-4697-ad07-33cbfd5bd080": {
"rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins",
"sha256": "e4de309165e10cecd19bd67649f19d3b153a608ccc7b06535bb824a87ef751f6",
"sha256": "470c107267da141be2217d27cd274e817711841e76123cf594f719816710abc4",
"type": "esql",
"version": 2
"version": 3
},
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
"rule_name": "AWS SNS Rare Protocol Subscription by User",
"sha256": "04efd4c830668c0beecdca7df57c9cc8e83266ef1638e870c6fb796708891368",
"sha256": "09b1c205b24ec1820aa83763ee862d5e56b7d41bba93c7a655d266acb214106a",
"type": "new_terms",
"version": 7
"version": 8
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "0bde718cb98bf450ff69a339a3ead72c159d6a0090576f4cf1778f687ce078e9",
"sha256": "426691651da55a13486adb2edaeb92be4fc3e76aa6173bcc31152e8ef79bffcb",
"type": "query",
"version": 212
"version": 213
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"rule_name": "Spike in Number of Connections Made from a Source IP",
@@ -2769,9 +2847,9 @@
},
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
"rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
"sha256": "6e0487fa8087c73f97c960fbddba8559fa30f0ffbd5ec6ec7cdc70836e57516e",
"sha256": "db41de2f7dde8f87a05ff3b1437f8583a12a119fca5fa5745addf8b45a77ca8b",
"type": "eql",
"version": 8
"version": 9
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"rule_name": "Potential Hidden Local User Account Creation",
@@ -2780,16 +2858,36 @@
"version": 110
},
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
"rule_name": "Deprecated - Mount Launched Inside a Privileged Container",
"sha256": "9599b657201d226cccb73d627949385bb21c69eb6e7c4554c43014a63a681978",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Mount Launched Inside a Privileged Container",
"sha256": "9599b657201d226cccb73d627949385bb21c69eb6e7c4554c43014a63a681978",
"type": "eql",
"version": 3
}
},
"rule_name": "Mount Execution Detected via Defend for Containers",
"sha256": "4aea5af437fef5fae47cf6ed305293ff950199332e2fb03503525348f1b6cbb6",
"type": "eql",
"version": 3
"version": 103
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container",
"sha256": "0f61633254922e0ebf567567b6aa39f07580e86d34cd1cb9240a2c1ce7ce5034",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container",
"sha256": "0f61633254922e0ebf567567b6aa39f07580e86d34cd1cb9240a2c1ce7ce5034",
"type": "eql",
"version": 4
}
},
"rule_name": "Interactive Exec Into Container Detected via Defend for Containers",
"sha256": "3beffdc64d3c80e62705d9f9f3a6b6fc92f18bd94136f30202711303713d78b3",
"type": "eql",
"version": 4
"version": 104
},
"428e9109-dc13-4ae9-84cb-100464d4c6fa": {
"rule_name": "Unusual Login via System User",
@@ -2859,9 +2957,9 @@
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"rule_name": "AWS Route 53 Resolver Query Log Configuration Deleted",
"sha256": "f38850e4e96ee9d3ac9f7786700baa5631ddc5125cbdf637f5b81dc35f208a79",
"sha256": "f76b785c752d68bcdb8b49d66187f8e22fe050f7f4b94f4effc62169e6aa3408",
"type": "query",
"version": 6
"version": 7
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
@@ -2871,9 +2969,9 @@
},
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
"sha256": "fea0eb1b7a074a7c66598a13e49915f3809a1946f0ddcf5e238359c001a27692",
"sha256": "8ad4d9f18ebddd6e3145aca58b6e2ac3a3b3a7b78e2e3292a031e37fa680bdb2",
"type": "eql",
"version": 6
"version": 7
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"rule_name": "Windows Event Logs Cleared",
@@ -2890,9 +2988,9 @@
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "d587f84061510af81e4d24d6a46b7d23a87048e8f6d3d1172b32452a1d829ae5",
"sha256": "2508e7257e5f68a940fbb8e31ebf364ffa3e653cb4da62b6b4a633c7004d8da7",
"type": "eql",
"version": 217
"version": 218
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"rule_name": "Adding Hidden File Attribute via Attrib",
@@ -2920,9 +3018,9 @@
},
"472b4944-d810-43cf-83dc-7d080ae1b8dd": {
"rule_name": "Multiple Cloud Secrets Accessed by Source Address",
"sha256": "8ef23b1bc55256bf385ea7528fb3840b040a0ec75e4dfcdae522a76ff08c4f40",
"sha256": "94ea66cd4f032738d36c46db9a1c7d5a6a84f64eeacd41a0e6c3f8fb4b6942a6",
"type": "esql",
"version": 2
"version": 3
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"rule_name": "System V Init Script Created",
@@ -2937,10 +3035,20 @@
"version": 2
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
"sha256": "c45335d0cf5b97ef7c4f655e919b98f962426de4d8347ffb18ce6bbfea13bd98",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
"sha256": "c45335d0cf5b97ef7c4f655e919b98f962426de4d8347ffb18ce6bbfea13bd98",
"type": "eql",
"version": 4
}
},
"rule_name": "Sensitive File Compression Detected via Defend for Containers",
"sha256": "4cfac6296ff70d20ff834bd019d6afd9198871c12036cd15a02473a29fb199b9",
"type": "eql",
"version": 4
"version": 104
},
"476267ff-e44f-476e-99c1-04c78cb3769d": {
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
@@ -3100,10 +3208,20 @@
"version": 315
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"rule_name": "Deprecated - Container Workload Protection",
"sha256": "411897304d67f1f8954d01b12bd234c002308f5cb7c284cc8edc8e86398b5506",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "Deprecated - Container Workload Protection",
"sha256": "411897304d67f1f8954d01b12bd234c002308f5cb7c284cc8edc8e86398b5506",
"type": "query",
"version": 6
}
},
"rule_name": "Container Workload Protection",
"sha256": "498945c61a0e56d7dee2199258dd45db789fe0034e64cf69ce36b49ebf2a1568",
"type": "query",
"version": 6
"version": 106
},
"4b74d3b0-416e-4099-b432-677e1cd098cc": {
"rule_name": "Container Management Utility Run Inside A Container",
@@ -3113,9 +3231,9 @@
},
"4b77d382-b78e-4aae-85a0-8841b80e4fc4": {
"rule_name": "Forbidden Request from Unusual User Agent in Kubernetes",
"sha256": "8bdae1dfa71ac3ac4496f71a3ac201fb9856ea16bc90b26ae24513284927a10e",
"sha256": "44dbd2e2d5af2e9df06d89cf654cc195efaa14f829c983dbd7cacb1503f1378d",
"type": "eql",
"version": 1
"version": 2
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"rule_name": "ProxyChains Activity",
@@ -3135,6 +3253,13 @@
"type": "eql",
"version": 314
},
"4bd306f9-ee89-4083-91af-e61ed5c42b9a": {
"min_stack_version": "9.3",
"rule_name": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"sha256": "abb3c2c95247c1ae963a50fad9c2ab4cb792da935c24a7134f5cefed76cc18a0",
"type": "eql",
"version": 1
},
"4c3c6c47-e38f-4944-be27-5c80be973bd7": {
"rule_name": "Unusual SSHD Child Process",
"sha256": "175b2c8f0b31ace9a05e0103f05f2ba382449003519ab9feeebc42dc01a0cbc5",
@@ -3173,9 +3298,9 @@
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "5eadaab1d0d86d7b1bb08cc7a0f7a80aa2c7cc383e6d35bfdf16542fb8252cc0",
"sha256": "12b357e6311ff4eea5365916c53f043cd00969e62b4dcf117b519303de5b9559",
"type": "threshold",
"version": 211
"version": 212
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"rule_name": "Attempt to Disable Gatekeeper",
@@ -3311,9 +3436,9 @@
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "bde9c450a4ba5ea4dc0ebba10c125393d60855017c8f2b6b6fefcbce61fffecc",
"sha256": "a5abd99b2a0a622491aabaea8ba35522361bd5a944c646f467b88b38a0852bc8",
"type": "query",
"version": 210
"version": 211
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
@@ -3321,6 +3446,13 @@
"type": "eql",
"version": 118
},
"527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": {
"min_stack_version": "9.3",
"rule_name": "Tool Installation Detected via Defend for Containers",
"sha256": "0a5983733af632086adb851deb9ebad222deb931b97dbd3a38381a3cf111a07d",
"type": "eql",
"version": 1
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
"sha256": "a646f739b6321105caf7f40d15ddb77bc29668a1f12c883ed026d7680fe6061a",
@@ -3365,9 +3497,9 @@
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System Deleted",
"sha256": "609ed621a69c3390bab0a9033977e866424574af96e87ba8f51ba3731d8ad7cd",
"sha256": "9502632eccfa0e324016bb477fc6a2d249c08cee1d91e5ac9fa91976bd60e1d6",
"type": "query",
"version": 210
"version": 211
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"rule_name": "Azure Diagnostic Settings Deleted",
@@ -3414,9 +3546,9 @@
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "bc4331c82d520ff042039108c9e24f4e368808f251c17b5decb7e6b1bbac1236",
"sha256": "fbf103aa3c39bb293ade25f6cb74acb3444ece6c2a9ffe3441d5d8be36a1bc89",
"type": "query",
"version": 213
"version": 214
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"rule_name": "Network Logon Provider Registry Modification",
@@ -3528,9 +3660,9 @@
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"rule_name": "PowerShell MiniDump Script",
"sha256": "cb30764dd830c6b3280ea3ae57751b9f7e01af80dcb5d53a1a9acc14281aa3d8",
"sha256": "98face230511c302dabda23c6bcb794a5acc16c97b7229bb982b298b421618d0",
"type": "query",
"version": 212
"version": 213
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"rule_name": "File Staged in Root Folder of Recycle Bin",
@@ -3558,9 +3690,9 @@
},
"5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": {
"rule_name": "Unusual Web Config File Access",
"sha256": "b794e93559c621d6e245068b3dbad5a07ac97d1e4cdfd00b3083ca2c15ae8594",
"sha256": "8de79d7265cefe1c4c9df3381c7d64befd5e4205b2fa99aa541ffc785d375e1a",
"type": "new_terms",
"version": 1
"version": 2
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry",
@@ -3606,9 +3738,9 @@
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
"sha256": "699039f974e0dd982cabe175bf6a7cff052b4d455bbb29259aa59af48a466631",
"sha256": "9c331554770ecb70eaef91e13b8c815f94e30019ac7bece602e598f6487eaf86",
"type": "query",
"version": 211
"version": 212
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"rule_name": "Unusual Linux User Discovery Activity",
@@ -3618,9 +3750,9 @@
},
"59bf26c2-bcbe-11ef-a215-f661ea17fbce": {
"rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"sha256": "fdb59fb74fdc20cb107cb18dfdd10a920734dbd05d457cffabeaf741dc1bded2",
"sha256": "9fe3cf2fe1d2d052eb9543fccef6eea8a7ac5383268b9589b016836b97b85426",
"type": "new_terms",
"version": 6
"version": 7
},
"5a138e2e-aec3-4240-9843-56825d0bc569": {
"rule_name": "IPv4/IPv6 Forwarding Activity",
@@ -3702,9 +3834,9 @@
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "70177fc265fa2f24acad68cd0ef289816432b3766a1b8a43e6e4742eeb754522",
"sha256": "46ee24c7fa10dc712bdec1f2b7a584943ddaf4ed95ed89624609be1f195d0069",
"type": "new_terms",
"version": 318
"version": 319
},
"5bda8597-69a6-4b9e-87a2-69a7c963ea83": {
"rule_name": "Boot File Copy",
@@ -3720,9 +3852,9 @@
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "bef502b07f8bb429011a1f7385d17b855d65ce261a8dca424989965d4f66890e",
"sha256": "822b3f02a852acf4b757d3db5af307df3d08328bf3cf41433c24fd0c0282215d",
"type": "query",
"version": 210
"version": 211
},
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
"rule_name": "Process Capability Enumeration",
@@ -3744,9 +3876,9 @@
},
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "be1394a99d666d5475ec563878af49732fbfaa9557e34605989f84549355c625",
"sha256": "c7b6447476c63c646a11dcddd2f18d6f0ba3ebebe596eca3d4aec3c2526d2226",
"type": "query",
"version": 106
"version": 107
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"rule_name": "FirstTime Seen Account Performing DCSync",
@@ -3808,6 +3940,13 @@
"type": "eql",
"version": 111
},
"5d1c962d-5d2a-48d4-bdcf-e980e3914947": {
"min_stack_version": "9.3",
"rule_name": "Forbidden Direct Interactive Kubernetes API Request",
"sha256": "be914b17ebae1af44b244d51b3c23386e68cba1e711e1a3016ff61269a549396",
"type": "eql",
"version": 1
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "e52b20d0a6e626ac28133aab573b99bebcb41ce8c3f24117cfd84b235119ea53",
@@ -3864,9 +4003,9 @@
},
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
"sha256": "aa10d0e3f07b5ee3e3ec9003d78828253c22e2252a4650ef1702f698824f7b90",
"sha256": "afe5cf0b41fabafb43587e9fff374222c812f9f85f2e6d494c41f2795f46e771",
"type": "threshold",
"version": 6
"version": 7
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"rule_name": "Potential File Download via a Headless Browser",
@@ -3900,9 +4039,9 @@
},
"60c814fc-7d06-11f0-b326-f661ea17fbcd": {
"rule_name": "M365 Threat Intelligence Signal",
"sha256": "aff5572a6b6ac9bb499203df4a6dd207f564d69215adcf84c625763e0ff03e7c",
"sha256": "91d57ec69f35861a701090f79984b02303e24f68999cf2cf4ca1e8cf430ac5dc",
"type": "query",
"version": 1
"version": 2
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"rule_name": "M365 Exchange DLP Policy Deleted",
@@ -3930,9 +4069,9 @@
},
"618bb351-00f0-467b-8956-8cace8b81f07": {
"rule_name": "AWS S3 Bucket Policy Added to Allow Public Access",
"sha256": "fa5970c1b1b13aa4f605f5963559ad1b94b7ca3fabb1f4be3c00ee0c159d9cf0",
"sha256": "432b70fbe0e399988c18b6bd0f70a80bfa5cd7b7d0848ed2fe754ecdae6ea112",
"type": "eql",
"version": 1
"version": 2
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
@@ -4114,6 +4253,13 @@
"type": "eql",
"version": 112
},
"66229f32-c460-410d-bc37-4b32322cd4bb": {
"min_stack_version": "9.3",
"rule_name": "Service Account Token or Certificate Read Detected via Defend for Containers",
"sha256": "0f9335e8f3a635d2fe4730dc26f33d4a127ac73987f7db1b63029b659c1190f4",
"type": "eql",
"version": 1
},
"6631a759-4559-4c33-a392-13f146c8bcc4": {
"rule_name": "Potential Spike in Web Server Error Logs",
"sha256": "effc61a862d7377ca5db5b1edccd523326415b1fad2a0176cf40a825888b0431",
@@ -4182,9 +4328,9 @@
},
"6756ee27-9152-479b-9b73-54b5bbda301c": {
"rule_name": "Rare Connection to WebDAV Target",
"sha256": "2256b4ec67c4244841a6cbd5d266f2fa67bf43eb4fef34a0a2f0ec5958f6cf9c",
"sha256": "79c89592ce4eeceb4031a2a222deccbfc0af47774b4091697bc5095dce3ffa51",
"type": "esql",
"version": 4
"version": 5
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"rule_name": "Attempt to Revoke Okta API Token",
@@ -4248,9 +4394,9 @@
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "1a796b45fef7817af610de51900de7790a474344357c0c4fa558a375bb38ee72",
"sha256": "1b7b501e7883c46efe035c8b341ea0fcfabd82d6b5b1b567adc1489b4ba7109a",
"type": "query",
"version": 212
"version": 213
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"rule_name": "Suspicious Access to LDAP Attributes",
@@ -4284,15 +4430,15 @@
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "7d47c62652d1fd5b413a4b287ec7edaf4ad513a4c97d9db1b56892a3639fca0b",
"sha256": "9561f0044194d3f868b07a589cc6e35db672b4a1d17f4997ab364b92b28677f3",
"type": "query",
"version": 110
"version": 111
},
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
"rule_name": "AWS IAM User Created Access Keys For Another User",
"sha256": "21f09a9eb0c0b32ee89284dcc5367ef735cf05c9671d9f8e4b5e34e590d62eab",
"sha256": "1d9a305b395b414fcbcd48a340bc84de15aadf87a7e92478d4eec8c24f2e1447",
"type": "esql",
"version": 10
"version": 11
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
@@ -4314,9 +4460,9 @@
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"rule_name": "AWS Sign-In Root Password Recovery Requested",
"sha256": "6a87957460149a2c3c9da1446442d537242d2a1338dd78452c1333f8ef267fdc",
"sha256": "46d7bc444c3b0896efa5f0d56b1c811d852a0bc06b30a29c613a12bceb80f68c",
"type": "query",
"version": 210
"version": 211
},
"6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": {
"rule_name": "Attempt to Disable Auditd Service",
@@ -4350,9 +4496,9 @@
},
"6b341d03-1d63-41ac-841a-2009c86959ca": {
"rule_name": "Potential Port Scanning Activity from Compromised Host",
"sha256": "ea6f7ad0e3989236085df546013e5d67833b0017c1734147b87e8ddc49bb7234",
"sha256": "8c0ebef4188bbef987e1a1c3bf87cbe8a894ea61606c8fffac0daa41f6c2ff05",
"type": "esql",
"version": 9
"version": 10
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
@@ -4367,10 +4513,20 @@
"version": 213
},
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
"rule_name": "Deprecated - Container Management Utility Run Inside A Container",
"sha256": "dd5a08e03197da48709653f75417252ff3f50846d7c1925b2b9a6880fd5489cc",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Container Management Utility Run Inside A Container",
"sha256": "dd5a08e03197da48709653f75417252ff3f50846d7c1925b2b9a6880fd5489cc",
"type": "eql",
"version": 4
}
},
"rule_name": "Container Management Utility Execution Detected via Defend for Containers",
"sha256": "4ac4af6457b467b5f177d488c77ce39c4a0b0290702497ae30e67fd0ae43e525",
"type": "eql",
"version": 4
"version": 104
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
@@ -4534,6 +4690,12 @@
"type": "machine_learning",
"version": 3
},
"6fcb4fe4-ac74-449d-855b-2bbd5c51c476": {
"rule_name": "Multiple Vulnerabilities by Asset via Wiz",
"sha256": "21d9115cd06ff66fad632bb8536510a76dbedb9bfd94e609eb472df0259fb802",
"type": "esql",
"version": 1
},
"70089609-c41a-438e-b132-5b3b43c5fc07": {
"rule_name": "Git Repository or File Download to Suspicious Directory",
"sha256": "cb888ec5cdd28b517fc5e25fad86b205b4dcad80d3a654af3170ac8efe593e9c",
@@ -4548,15 +4710,15 @@
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "a16857ee32b4be2db5379c6c403d4e617cfb454ecb0424bdaa5fffce5e1a356c",
"sha256": "79aba5e19e05a67ee76105ba02f4dd8ababc70a7cbd06a8c833f55e51a0f48c3",
"type": "query",
"version": 213
"version": 214
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"rule_name": "AWS Config Resource Deletion",
"sha256": "485fac61a503826def307ce0a23ba013c733dc82b4d730638d049f8a0261db08",
"sha256": "ec5d6173a7089c9a99c4018cec4613e5b87e0d90954baf0de5c452cfd9fd5e4d",
"type": "query",
"version": 212
"version": 213
},
"70558fd5-6448-4c65-804a-8567ce02c3a2": {
"rule_name": "Google SecOps External Alerts",
@@ -4584,9 +4746,9 @@
},
"713e0f5f-caf7-4dc2-88a7-3561f61f262a": {
"rule_name": "AWS EC2 EBS Snapshot Access Removed",
"sha256": "1cf7795bf482f8ec3fa0d08f2180d30a8ab93a32deac0df895d33aa64dce9e40",
"sha256": "8375b2b999c5f940480f6e373670eb7929fed1299d974aa69e7aab0bdcd1ea1c",
"type": "eql",
"version": 4
"version": 5
},
"7164081a-3930-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
@@ -4602,9 +4764,9 @@
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "cdca3037d4e82a827463d44736431dcdca113631f41343c8eb87c12fdcc7473d",
"sha256": "0c1f9e44362ea54dcd41479d182bcdafa0fa8dd930c120382a3d8b1bd16569bb",
"type": "eql",
"version": 320
"version": 321
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"rule_name": "Suspicious RDP ActiveX Client Loaded",
@@ -4620,9 +4782,9 @@
},
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
"sha256": "a15693e637c235cca3744958bb5782d7a9c1f650ac3a481003295f9e61265c6b",
"sha256": "10ff6f7ba102585480c02d7d27e5114fc04dee598ef2592541cc6d8a08e5287c",
"type": "eql",
"version": 6
"version": 7
},
"720fc1aa-e195-4a1d-81d8-04edfe5313ed": {
"rule_name": "Elastic Security External Alerts",
@@ -4668,15 +4830,15 @@
},
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "4f3545b509cbd0e36f1170017de36ef566801ca5376fc194fef70bac179466cf",
"sha256": "527d4c975ef02b353316848967aa3a17c73dd08fb1948043078733d94aa336dd",
"type": "new_terms",
"version": 3
"version": 4
},
"7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8": {
"rule_name": "Newly Observed Elastic Defend Behavior Alert",
"sha256": "19cb9ce85128b53702793fbe54e3d07d177add913a29160df9bc844340b5cd34",
"sha256": "4f9d023add64723c8fdf24169e4519f072bda1e755b54d885a9ab3fd282c4158",
"type": "esql",
"version": 1
"version": 2
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"rule_name": "Suspicious JetBrains TeamCity Child Process",
@@ -4732,11 +4894,18 @@
"type": "eql",
"version": 2
},
"74ee9a2d-5ed3-40c8-9e6c-523d2e6a17ef": {
"min_stack_version": "9.3",
"rule_name": "DNS Enumeration Detected via Defend for Containers",
"sha256": "c9fe483624c1c5ce68d3204bdec7b49c5d76ddc4e1b5181599fbb10d3854f78f",
"type": "eql",
"version": 1
},
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
"sha256": "dc6a565326bdc13f67b5abbecf56477d61decfb1c6d3f80667b859b733d7acc4",
"sha256": "5d3683cb87a4b6feb76eab7180a861d4ee2475204293f6f6516782f4dd6d2e46",
"type": "esql",
"version": 5
"version": 6
},
"751b0329-7295-4682-b9c7-4473b99add69": {
"rule_name": "Spike in Group Management Events",
@@ -4825,9 +4994,9 @@
},
"77122db4-5876-4127-b91b-6c179eb21f88": {
"rule_name": "Potential Malware-Driven SSH Brute Force Attempt",
"sha256": "e73845a5ddaa27372a34e40d6838513747aef24c9bf09d0b9d80f49c09026199",
"sha256": "4b09604c6f3250ef34ab3b31005bb1a0faed886bb1605c15862580c2d8365528",
"type": "esql",
"version": 8
"version": 9
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "Entra ID User Added as Registered Application Owner",
@@ -4968,9 +5137,9 @@
},
"7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": {
"rule_name": "AWS First Occurrence of STS GetFederationToken Request by User",
"sha256": "c1ad2b67bc76a44043c0d9cc9a233a0291e39e29cb490fbe01115d9b9d342503",
"sha256": "7f73b59426def61220e9575ea798d2e13c5f8042e708adb4930dcac5af33f0a6",
"type": "new_terms",
"version": 5
"version": 6
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
@@ -5052,9 +5221,9 @@
},
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
"rule_name": "AWS Lambda Layer Added to Existing Function",
"sha256": "5d54c5ba4a316e66f12bf3eb0d730bfd7baa8742d2e05972447814547fb0b76f",
"sha256": "9bd31c52b89b1c34fd08553ad975e18ed5d7bc6ec0b6940c262d7d9717a12c31",
"type": "query",
"version": 6
"version": 7
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
@@ -5148,9 +5317,9 @@
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
"sha256": "b20d87baa072f1c51a9d1b44383472de5ffab0894fbcbc92c0219c5a3239306a",
"sha256": "0222b8c339c6fece1da1fb65126482f2d6cb8d8dace1fa6bd49ac2231c51f724",
"type": "eql",
"version": 7
"version": 8
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
@@ -5329,9 +5498,9 @@
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "bb796fbb6709db50cf45bb757855ee8bc991b319103faac34de21cd08d1bbc00",
"sha256": "3d4e8b23caaf37cfeca9cb09bb5568d5eba46c78af72613b9b30c7f5e3043a03",
"type": "new_terms",
"version": 215
"version": 216
},
"85e2d45e-a3df-4acf-83d3-21805f564ff4": {
"rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
@@ -5341,15 +5510,15 @@
},
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
"rule_name": "Potential Subnet Scanning Activity from Compromised Host",
"sha256": "685f3960fced6a302c6af85593f333a417a9daca3f56adbfed98912a0bbb5ee8",
"sha256": "b29b22ccd587b0cd409163c8bcb8cbe450cd8de6a9879edb11b706e88090a34d",
"type": "esql",
"version": 8
"version": 9
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "c274913be86de801027a68714627b0f65176fd765156673efcebb2bcd5996bfa",
"sha256": "eb62471735cfd4bfb2cd002ade4f573a5b9115a04dd55af928694604808f56bc",
"type": "query",
"version": 210
"version": 211
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"rule_name": "Deprecated - AWS RDS Security Group Deletion",
@@ -5359,15 +5528,15 @@
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"rule_name": "AWS IAM Group Deletion",
"sha256": "73ef3887e91931d217dd3604f4855ad4d9c49ebe068af6b3d6252294cde31b55",
"sha256": "9241124c7f4220175aa98fd31ad23ff6eb875c3ff08d333a6c3c7f80a0346066",
"type": "query",
"version": 210
"version": 211
},
"86aa8579-1526-4dff-97cd-3635eb0e0545": {
"rule_name": "NetworkManager Dispatcher Script Creation",
"sha256": "01d6e4b47aef34548044729f0ee107138d74024f2c3a0fd0295e4dc5b076d45d",
"sha256": "426456937bff5d6c76e9959095c5e30f7a9735e8bdad3fecebbc757628d21aae",
"type": "eql",
"version": 5
"version": 6
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
@@ -5389,15 +5558,15 @@
},
"873b5452-074e-11ef-852e-f661ea17fbcc": {
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
"sha256": "1bff13467a04532f781289acccac6530eec7856ea37dc12f8e82d159117fdaab",
"sha256": "ad55d7c869a8687881afbb4d90f0f33189652cba0b8de7c0f0f8778db0e12175",
"type": "query",
"version": 6
"version": 7
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "e2c0aa6d5b3dcbbb725543fe1664ea96a21183ab3f33b7b1f99a01d25593dc2e",
"sha256": "c30d4f3affb3f542a49d43b8722a103a8b771386946628814e8bc5b7f7bd18a6",
"type": "query",
"version": 210
"version": 211
},
"877cc04a-3320-411d-bbe9-53266fa5e107": {
"rule_name": "Kubectl Network Configuration Modification",
@@ -5509,9 +5678,9 @@
},
"8a1db198-da6f-4500-b985-7fe2457300af": {
"rule_name": "Kubernetes Unusual Decision by User Agent",
"sha256": "16245d0f0188b84f8ba8bfd90fb7a575594bdbe27999abb3cddc4e4acd2ff740",
"sha256": "4d9e25544d4884a3184114f1a37b6bab733a7eb786233b734382efe13fef78d5",
"type": "new_terms",
"version": 1
"version": 2
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"rule_name": "Attempt to Deactivate an Okta Network Zone",
@@ -5521,9 +5690,9 @@
},
"8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": {
"rule_name": "Unusual Command Execution from Web Server Parent",
"sha256": "9880641ec206bdb198eec4540939718fe9edb66676a01808e978c9822d8acdf8",
"sha256": "532a58af8d89c41e3de894fde3842c7d363fe0607782382b0a6307e6ce89bfe1",
"type": "esql",
"version": 8
"version": 9
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Deprecated - Suspicious JAVA Child Process",
@@ -5634,10 +5803,20 @@
"version": 5
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container",
"sha256": "88ade54075f60d3f7d6b81818ce258f39b487468f44dde8a70aaac119e397edd",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container",
"sha256": "88ade54075f60d3f7d6b81818ce258f39b487468f44dde8a70aaac119e397edd",
"type": "eql",
"version": 5
}
},
"rule_name": "Interactive Shell Spawn Detected via Defend for Containers",
"sha256": "50e2c7782f8be9f72c7128dc4db0539b9d79ef43293b239f22635c9dbe0b1cd5",
"type": "eql",
"version": 5
"version": 105
},
"8d4d0a23-19d3-4186-a6f1-6f0760d2e070": {
"rule_name": "Multiple External EDR Alerts by Host",
@@ -5701,9 +5880,9 @@
},
"8eeeda11-dca6-4c3e-910f-7089db412d1c": {
"rule_name": "File Transfer Utility Launched from Unusual Parent",
"sha256": "fcdf66a5834dc0f87d4a2f2e2cbf37acfc71b90ca293f1a8514d69b8b71f813f",
"sha256": "7f9c0e2ac161d55ba0eb7cbe17ec9b58afd387e4186d09779061dc427cf38ba1",
"type": "esql",
"version": 8
"version": 9
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
@@ -5755,9 +5934,9 @@
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"rule_name": "AWS RDS DB Instance or Cluster Deleted",
"sha256": "daa3efa31df9fdb6c67f3ae012d725a7d068c9bdce1c74ef1b3e81f6d256e2f2",
"sha256": "3602d27de89394c54e88e9f9e61c85c7fe63a2035148ba390a4631590844b731",
"type": "query",
"version": 210
"version": 211
},
"907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
"rule_name": "Simple HTTP Web Server Creation",
@@ -5773,9 +5952,9 @@
},
"909bf7c8-d371-11ef-bcc3-f661ea17fbcd": {
"rule_name": "Excessive AWS S3 Object Encryption with SSE-C",
"sha256": "e530fe9184fdc063881be5f579bf5183c9a5b55dea8ce6896ad4580f3df72b00",
"sha256": "256a589cab0178165256a49917ed4905f485c3158a20f6bb14c3df1d0cf997e7",
"type": "threshold",
"version": 4
"version": 5
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"rule_name": "InstallUtil Activity",
@@ -5816,9 +5995,9 @@
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "6c38618007e1148a3e0ab1c55514f781c9ff7c34b5b7783fd1307d8e76531f5b",
"sha256": "61c06b3226a56a2419db79c875557cc018c1da926b89cbbf2e8d3962167808ad",
"type": "query",
"version": 210
"version": 211
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"rule_name": "Unusual Web User Agent",
@@ -5846,9 +6025,9 @@
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "73b6bf7401d30d109605b9cf75a75198af638954f0bbe0a63547a9d1d334ff47",
"sha256": "58da4c9a17bcfbc79ef87cb25e7a4fcf2d48d7ed569789517061ef9be0b86634",
"type": "query",
"version": 213
"version": 214
},
"929d0766-204b-11f0-9c1f-f661ea17fbcd": {
"rule_name": "M365 Identity OAuth Phishing via First-Party Microsoft Application",
@@ -5948,9 +6127,9 @@
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "795307cfa5ce885d42cef8999051b0002e6cecd2dfeaf564ec0acf070ed356dc",
"sha256": "d7a3f1617beda3e7d11241a3206a0f8603150de68cfd53d84abede9af4557d63",
"type": "query",
"version": 107
"version": 108
},
"952c92af-d67f-4f01-8a9c-725efefa7e07": {
"rule_name": "D-Bus Service Created",
@@ -5972,9 +6151,9 @@
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "bd130b1a240a37f0fcff67e573d62ae151f92eda3579ddc0b040387d42c80804",
"sha256": "31e2f17d4f6eee75ad942db3473974cffd6ff8ed827c2e83eda081d95f4fccd6",
"type": "query",
"version": 212
"version": 213
},
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
@@ -5984,15 +6163,25 @@
},
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
"sha256": "21247d90931b191b5dfd6bbfe9ecf48ffd7f4bf01251fa9957234ed6dcfe002d",
"sha256": "6a9330b4f80799423ca5aa1c542e8516f4fdae2830bbc271fb8933fd7e8747ac",
"type": "new_terms",
"version": 5
"version": 6
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "664d91c0caabcfe4dc2f59f70f0f2794d27fd6412090b2e38af73e4fe008def3",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "664d91c0caabcfe4dc2f59f70f0f2794d27fd6412090b2e38af73e4fe008def3",
"type": "eql",
"version": 4
}
},
"rule_name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"sha256": "a39b6d8b42657868bd51fc294ad4f68e4913d96ed2692c0b711d82a301b287c9",
"type": "eql",
"version": 4
"version": 104
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"rule_name": "File made Immutable by Chattr",
@@ -6055,22 +6244,32 @@
"version": 107
},
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
"rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container",
"sha256": "2d3f1fb31aed3137b4c66bc1c06f0b69ebd962020c11d14fad42177ba41d2319",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container",
"sha256": "2d3f1fb31aed3137b4c66bc1c06f0b69ebd962020c11d14fad42177ba41d2319",
"type": "eql",
"version": 3
}
},
"rule_name": "DebugFS Execution Detected via Defend for Containers",
"sha256": "6f417db542766a62e63ab34064859b422867fa877dea2028ac2b68a752952766",
"type": "eql",
"version": 3
"version": 103
},
"976b2391-413f-4a94-acb4-7911f3803346": {
"rule_name": "Unusual Process Spawned from Web Server Parent",
"sha256": "44b98e7ec33f7126fe616d208f9d13f8d2640af1875c4ad819ba717a112c73a9",
"sha256": "28badeba84b69db9ee4eb75b4f53ecf57a1f2b8ccb9d7c366d49d05603891751",
"type": "esql",
"version": 8
"version": 9
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"rule_name": "AWS IAM SAML Provider Updated",
"sha256": "3da59f908da28d47fc7e0392ff86a6c7e5b5f38ea5199a890ec9e6ab106ed9b1",
"sha256": "15e8bd9e821ff9f947a44455beebc90071a7d9a4dfedbf53a308edfee89bd817",
"type": "query",
"version": 211
"version": 212
},
"9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": {
"rule_name": "Potential HTTP Downgrade Attack",
@@ -6254,9 +6453,9 @@
},
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
"sha256": "74186d700eaba184070afd0868707a68047dd64ddb8ceae3800367c60e212878",
"sha256": "86d167e1986ba99c8b7ea81757c48cac39323a28f9f2ac0428b65a90b0687300",
"type": "eql",
"version": 8
"version": 9
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"rule_name": "GitHub Owner Role Granted To User",
@@ -6332,9 +6531,9 @@
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "3bfe7eaae5117b71fc1a82223959ccd472cabbc6ebdab8c26f4711762ad6eafb",
"sha256": "3b27f84b414ad14fef5c881ba7fd992f1742573d61e05a2fe2b20222eed9f15e",
"type": "new_terms",
"version": 315
"version": 316
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"rule_name": "Microsoft Build Engine Started by a System Process",
@@ -6356,9 +6555,9 @@
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "f086d2d4cfdaf54e148ce831bc493cb4f91a0fefcac59b581211c43406e7679a",
"sha256": "4a20239c78d80594c4f6a58e043c0e56b3ef5484fbded24b2a3fc9c5fd95748f",
"type": "new_terms",
"version": 318
"version": 319
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"rule_name": "Process Injection by the Microsoft Build Engine",
@@ -6378,6 +6577,13 @@
"type": "machine_learning",
"version": 107
},
"9d312839-339a-4e10-af2e-a49b15b15d13": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request by Common Utilities",
"sha256": "98030edf36d06cdf0146bc3be290891b259b6a33b280ec19ff6382cb1126c2f3",
"type": "eql",
"version": 1
},
"9e11faee-fddb-11ef-8257-f661ea17fbcd": {
"rule_name": "Entra ID User Sign-in with Unusual Authentication Type",
"sha256": "221e95b30c3f9132594ca8d2ea13d90345e2f5e585597c7ed073f601c81148e9",
@@ -6398,15 +6604,15 @@
},
"9ebd48ac-a0e2-430a-a219-fe072a50146b": {
"rule_name": "AWS CloudTrail Log Evasion",
"sha256": "9e5d44c6c292f3f18557af3764294a0e03bfcc100c90a5eb9a012b201ecdaca2",
"sha256": "72fa86bb3d91c048d88e6a44f277390be7025a3e3382267559e14dd868db2651",
"type": "query",
"version": 1
"version": 2
},
"9edd000e-cbd1-4d6a-be72-2197b5625a05": {
"rule_name": "Suricata and Elastic Defend Network Correlation",
"sha256": "404c4cb6fe4d99fd53aac61dbd5996848279f3643675dc1b7cca7abf4d39511d",
"sha256": "069736ec0e27e4a41a9a2be1230b04c062e36fd2393cd332c593d7895d73e1ec",
"type": "eql",
"version": 1
"version": 2
},
"9edd1804-83c7-4e48-b97d-c776b4c97564": {
"rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
@@ -6416,9 +6622,9 @@
},
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public",
"sha256": "e2349af7d08dca867f606f4f249e15878755f671b776eb1ca1a6fa17b882bdd4",
"sha256": "afa0e64706733be39b84d5ae11086fec9d877d20a2940d73afaad175a608b6ad",
"type": "eql",
"version": 6
"version": 7
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"rule_name": "Potential Protocol Tunneling via EarthWorm",
@@ -6446,15 +6652,15 @@
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "7636fa8ce74d51487a578cc18069fd8c346f539efb7251cc31513cc700d5ba00",
"sha256": "eb1ea031af0b93072c60fe7de7f74b89ac24f851cffb1cdc9effa0c920bdb9ba",
"type": "new_terms",
"version": 317
"version": 318
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"rule_name": "Unusual Scheduled Task Update",
"sha256": "69e6b0abcb5e1c564a22b92f4edc5b2ea65a8d15678e5ee5f55a82e58fcb63f3",
"sha256": "be27942be42700441e3710adb1e8971797e4427df302caac077fb90e58cb5173",
"type": "new_terms",
"version": 116
"version": 117
},
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
@@ -6554,9 +6760,9 @@
},
"a22f566b-5b23-4412-880d-c6c957acd321": {
"rule_name": "AWS STS AssumeRole with New MFA Device",
"sha256": "9d63088e2b97717ca7c8c9b31b18c2ff3c6c8828c47e29e07b65de8806351bf0",
"sha256": "eaaea319c13caf1cf8e2da240548950d1975fa2cebbd2d4ee5fa97b8687ebf62",
"type": "new_terms",
"version": 5
"version": 6
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
@@ -6566,9 +6772,9 @@
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "a86c369f124cf2f2f7c82de0f059a5b27045582c8b3d5cd4946ba4b1c60c6e0f",
"sha256": "55d54469459e3e10c63d48e5b841cec3199fb5050e041092c06301b26217a960",
"type": "query",
"version": 112
"version": 113
},
"a300dea6-e228-40e1-9123-a339e207378b": {
"rule_name": "Unusual Spike in Concurrent Active Sessions by a User",
@@ -6614,10 +6820,20 @@
"version": 100
},
"a52a9439-d52c-401c-be37-2785235c6547": {
"rule_name": "Deprecated - Netcat Listener Established Inside A Container",
"sha256": "fd8969a55ab13b838a1e6d7c81ce6d0a88af0b34bec2c1e8ecd214505daf0196",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Netcat Listener Established Inside A Container",
"sha256": "fd8969a55ab13b838a1e6d7c81ce6d0a88af0b34bec2c1e8ecd214505daf0196",
"type": "eql",
"version": 4
}
},
"rule_name": "Netcat File Transfer or Listener Detected via Defend for Containers",
"sha256": "fe7aecdc2e1b42b756c2f4858a8500d51905c2c99a9196db75f548c326d2b233",
"type": "eql",
"version": 4
"version": 104
},
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
"rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary",
@@ -6638,10 +6854,20 @@
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 314,
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "2b5c3815588863a4c53018c1bf78b2e9b33ac20407ad8cf036a4226b127424c4",
"type": "new_terms",
"version": 215
}
},
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "2b5c3815588863a4c53018c1bf78b2e9b33ac20407ad8cf036a4226b127424c4",
"sha256": "07e4d830eb22a626c11659d2c4d3ee7d09106df31772fc62b9088af6b2762f28",
"type": "new_terms",
"version": 215
"version": 315
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"rule_name": "Entra ID PowerShell Sign-in",
@@ -6669,9 +6895,9 @@
},
"a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
"rule_name": "AWS S3 Bucket Server Access Logging Disabled",
"sha256": "44d2266516b212b0b177209326e4e81953e7169d03ce0615fa6d86e7754d3bc3",
"sha256": "9b5c902d75557d153526704fc38bebd9df6ca630b31a4753c02ff69f55b3afbf",
"type": "eql",
"version": 5
"version": 6
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"rule_name": "Emond Rules Creation or Modification",
@@ -6847,11 +7073,17 @@
"type": "eql",
"version": 120
},
"ab7795cc-0e0b-4f9d-a934-1f17a58f869a": {
"rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)",
"sha256": "1cde5d806050171a8af5ccce92a4ee5c18676617db73c04392ef22527cca5238",
"type": "eql",
"version": 1
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
"sha256": "895dc39fa898513d391fbdb715eab33f741af5ca39650f27d312d9133a1a65a9",
"sha256": "71757caa90c47ad78c9750b701a3a4990bc4f2fcfb319bea634a219e08afc265",
"type": "esql",
"version": 9
"version": 10
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"rule_name": "Unusual Windows Process Calling the Metadata Service",
@@ -6903,9 +7135,9 @@
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "3626032cffb8627b180064a9b6073e2f35f82c1c24525227e1a769596da297fe",
"sha256": "6f62627b38152a2e8e01bc9b475438152d6eaf8ca51a8ccc5aee958b6bf090ef",
"type": "query",
"version": 213
"version": 214
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
@@ -7173,9 +7405,9 @@
},
"b36c99af-b944-4509-a523-7e0fad275be1": {
"rule_name": "AWS RDS Snapshot Deleted",
"sha256": "0608995dc9f8ecd5e421b6699b410ddffada935f84fcc24fdb93bc0b20716d8a",
"sha256": "0e205375dc32c8ec2ab27fb098c7166cde2e60a4e7bfeda0a3b2de5ee7b82bb9",
"type": "eql",
"version": 6
"version": 7
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"rule_name": "Suspicious Endpoint Security Parent Process",
@@ -7285,6 +7517,12 @@
"type": "threshold",
"version": 4
},
"b7f77c3c-1bcb-4afc-9ace-49357007947b": {
"rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike",
"sha256": "f6080addd4a61f03f1373074922662e8f103b752b37d81947d8e23e3ff2278f0",
"type": "esql",
"version": 1
},
"b8075894-0b62-46e5-977c-31275da34419": {
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "d5413219e7e19880fd290c1a21c134fc35ace0ab27f8d072b6acb7e98b834264",
@@ -7299,9 +7537,9 @@
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "28b59fd0c6722f930f8cfbb4a8df509937160da534828ca69ea127a074375dd0",
"sha256": "1e13c08a49a32e6ba3fd692d5e4a1a4a26a4a16e1c9aeea2ee40dff66fc30010",
"type": "query",
"version": 110
"version": 111
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
@@ -7309,6 +7547,13 @@
"type": "eql",
"version": 415
},
"b84264aa-37a3-49f8-8bbc-60acbe9d4f86": {
"min_stack_version": "9.3",
"rule_name": "Tool Enumeration Detected via Defend for Containers",
"sha256": "37e4e5763b25cbe64d5632bc00bbda463f9ba20fc814a0423fd17c8143dc22a0",
"type": "eql",
"version": 1
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
"sha256": "bcdd20128f5b5f6c161154d5df0b9bd8f96456e094845f30e33f1b159aad6694",
@@ -7389,9 +7634,9 @@
},
"ba5a0b0c-b477-4729-a3dc-0147c2049cf1": {
"rule_name": "AWS STS Role Chaining",
"sha256": "4a2b8f1646095996a0e413f1f3a55c82da8297d71b617ef3345be44d075f63e7",
"sha256": "3bcb05b0905ba0f036c9669558547fe1c5c10663a53c5d1df57a888ca99d6251",
"type": "new_terms",
"version": 3
"version": 4
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"rule_name": "Kernel Driver Load by non-root User",
@@ -7407,9 +7652,9 @@
},
"bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": {
"rule_name": "AWS SQS Queue Purge",
"sha256": "da2d04b1eb9774fcdfd7647d25d84faae3a43979f4cc57e2fec2c8c8d948f9cd",
"sha256": "de66db695baebdde84a330bfe3bde0083d66582be88489134f9799265204fbf6",
"type": "query",
"version": 5
"version": 6
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"rule_name": "Azure Resource Group Deleted",
@@ -7419,9 +7664,9 @@
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "009e2c048bca063a6320909f479f8805963329ccccc062647a0df027bedfac12",
"sha256": "439721690045cb46d6f9859269c364150b58109dbafffa7929de898b55893fc0",
"type": "query",
"version": 210
"version": 211
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"rule_name": "M365 OneDrive Malware File Upload",
@@ -7515,9 +7760,9 @@
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
"sha256": "c73a950433b021f91b81ca48b37b6ceb4a3c6059cff651352239c63ba488e9bd",
"sha256": "f7b1bc1a3d0f9605b59dd71dcc889746c9c5235ffcb7f1920e9950b7fd85819d",
"type": "query",
"version": 217
"version": 218
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"rule_name": "Potential Defense Evasion via CMSTP.exe",
@@ -7575,9 +7820,9 @@
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS DB Instance Restored",
"sha256": "5194de7967cb4987fc5b077de80c87f720fc241fd5484fbf074d0f3ba2b9db2c",
"sha256": "dcf1b4b02597d1fbb9117d6283301d1cc4dcfdaef977185fc969396736431cdf",
"type": "query",
"version": 211
"version": 212
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"rule_name": "System Owner/User Discovery Linux",
@@ -7617,9 +7862,9 @@
},
"c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
"rule_name": "AWS IAM Login Profile Added for Root",
"sha256": "c5bbdc1ecd098d1662468fe725a7c06a09fbe0ba15cc114d30c6913b14c20b38",
"sha256": "74ca3a72d0eabe28dd5c38faab3e9d4d9ea86ed1a38b68c9e88498f41f084582",
"type": "eql",
"version": 4
"version": 5
},
"c07f7898-5dc3-11f0-9f27-f661ea17fbcd": {
"rule_name": "Azure Key Vault Excessive Secret or Key Retrieved",
@@ -7660,9 +7905,9 @@
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "b0a071b09f705691be80fab8b94940c00eae4ca4783abe359197dc3bede57f69",
"sha256": "9a970e5f890eb12630cec204f47833b5e4c7575dcb58e8e2ef15689f162e64c9",
"type": "query",
"version": 210
"version": 211
},
"c18975f5-676c-4091-b626-81e8938aa2ee": {
"rule_name": "Potential RemoteMonologue Attack",
@@ -7678,9 +7923,9 @@
},
"c1a9ed70-d349-11ef-841c-f661ea17fbcd": {
"rule_name": "Unusual AWS S3 Object Encryption with SSE-C",
"sha256": "d7994db91fb25ca59eee28263fd7347665cad1aa9f609cc897bcf438c2ebcf0b",
"sha256": "729840b0257c2eb8e9321efb5e5bb49aeac8813a3cecaa56977db51e30036bcd",
"type": "new_terms",
"version": 5
"version": 6
},
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
"rule_name": "AWS EC2 User Data Retrieval for EC2 Instance",
@@ -7810,9 +8055,9 @@
},
"c5637438-e32d-4bb3-bc13-bd7932b3289f": {
"rule_name": "Unusual Base64 Encoding/Decoding Activity",
"sha256": "02b30740298be4db37d40e2d2c538ef34665eefefb41148409d7bf4ab1be597e",
"sha256": "54486ef06f4739ce2602ae30107b8d9100006c9cfafff813156cafb6153a2266",
"type": "esql",
"version": 7
"version": 8
},
"c5677997-f75b-4cda-b830-a75920514096": {
"rule_name": "Service Path Modification via sc.exe",
@@ -7900,9 +8145,9 @@
},
"c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": {
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
"sha256": "9bd9ec18add479c023f92b8915b4d720bd70a4aa0e3108e249f84a50eb0b55ab",
"sha256": "327ff75523310cbad3219c26ebc97ff87df70d0380a60c4d9607b8c0bf433c89",
"type": "new_terms",
"version": 5
"version": 6
},
"c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": {
"rule_name": "Mount Launched Inside a Container",
@@ -8014,9 +8259,9 @@
},
"c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2": {
"rule_name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource",
"sha256": "4d663dcdba58300cbf594e362a4b20af9a1e5cc389b21d24a29220ad2daf8ea7",
"sha256": "8a9ebdfe9236d7201f3e30cc3841547ebbacf7f90f7567d0b5da622f349dfcfd",
"type": "new_terms",
"version": 1
"version": 2
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"rule_name": "Potential Masquerading as Communication Apps",
@@ -8272,10 +8517,20 @@
"version": 114
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"rule_name": "Deprecated - AWS Credentials Searched For Inside A Container",
"sha256": "b2a40d71fd9d37d3049115575c0b2fb19ff325ffd3ffd71b963d514ce7feb28f",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - AWS Credentials Searched For Inside A Container",
"sha256": "b2a40d71fd9d37d3049115575c0b2fb19ff325ffd3ffd71b963d514ce7feb28f",
"type": "eql",
"version": 3
}
},
"rule_name": "Cloud Credential Search Detected via Defend for Containers",
"sha256": "06225be504fa72a83c99628e858b3fe5b84aa7da72d9175202ed5f07c09c016f",
"type": "eql",
"version": 3
"version": 103
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"rule_name": "Registry Persistence via AppInit DLL",
@@ -8315,9 +8570,9 @@
},
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
"rule_name": "AWS EC2 Instance Console Login via Assumed Role",
"sha256": "dc4be03b3cabdd5eb5c069e8e9928c051a7d2b318d4ec84867d01950c4ca3a36",
"sha256": "e81a04e3fd65b851b65dbec3a2b0a2b3d8ce15389bf8ddbc09e564e84ab18324",
"type": "eql",
"version": 5
"version": 6
},
"d1ee711a-a3ba-4d73-b5ab-84cab5b37fb3": {
"rule_name": "Curl or Wget Egress Network Connection via LoLBin",
@@ -8393,9 +8648,9 @@
},
"d488f026-7907-4f56-ad51-742feb3db01c": {
"rule_name": "AWS S3 Bucket Replicated to Another Account",
"sha256": "f754c6d0d951940fc7c786c9b64fdcdadf44f8e92eb5c966b6aa14d75a295129",
"sha256": "0278be6dda863249c11fe7d34a3ca5b26ea3b6d7608b458d13d3f818c99b7681",
"type": "eql",
"version": 5
"version": 6
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"rule_name": "Attempt to Delete an Okta Application",
@@ -8451,6 +8706,12 @@
"type": "eql",
"version": 313
},
"d591d7af-399b-4888-b705-ae612690c48d": {
"rule_name": "Newly Observed High Severity Suricata Alert",
"sha256": "25910a2a4dbe9fc970c6f30a8d259ee6897adabc4ff0ae3a4cae2c7c725e4cc0",
"type": "esql",
"version": 1
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "bb64864ae4182c5c20617d0c144142f701fef1633a31bec20e5d737717157f13",
@@ -8471,9 +8732,9 @@
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "313dd47de223ded6e583141bf47a74eb807094e82ec1a02716dcf8d4c2573e7a",
"sha256": "5dd0735831fd4a14204ba795e70b8a5793d58eaa264bfa1a33c4c7094e438fd5",
"type": "query",
"version": 212
"version": 213
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"rule_name": "GCP Pub/Sub Subscription Creation",
@@ -8591,9 +8852,9 @@
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "867082f23f5b65eb23304481836fac8d814f835e5cdb1b6568990f1a7dfdf816",
"sha256": "3f8b720637522efa339b3f4d6a37132a0afde5245c9d019e1cc04b4692608858",
"type": "query",
"version": 213
"version": 214
},
"d93e61db-82d6-4095-99aa-714988118064": {
"rule_name": "NTDS Dump via Wbadmin",
@@ -8790,9 +9051,9 @@
},
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
"sha256": "b3ca27c45d2de7b202cc549993210a03f1957b463a3f9bbcefb64f7add983b2d",
"sha256": "65db2d31f29446ab309635049de6eda871a92d9ca2cc4aaff2e83bd9aea6239f",
"type": "eql",
"version": 7
"version": 8
},
"ddf26e25-3e30-42b2-92db-bde8eb82ad67": {
"rule_name": "File Creation in /var/log via Suspicious Process",
@@ -8826,9 +9087,9 @@
},
"deee5856-25ba-438d-ae53-09d66f41b127": {
"rule_name": "AWS EC2 Export Task",
"sha256": "04e0ea59740f3bbe3725c404643d4a307fc746c79a4b4a13bab468c4e51a1d6f",
"sha256": "db05870aa6ed8aaa9c35c23f2f027925b38e3f3641f4286a390c61be5c6a59b4",
"type": "query",
"version": 1
"version": 2
},
"df0553c8-2296-45ef-b4dc-3b88c4c130a7": {
"rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners",
@@ -8868,9 +9129,9 @@
},
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
"sha256": "0ea7a9667e0f94a73639fcccf64290ba4166d4aec6157b99cee23d42147754b8",
"sha256": "b14d3376a6870792125d64eb34405c64d913f93a299965903e0b1ff9f69959e9",
"type": "eql",
"version": 7
"version": 8
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
@@ -8878,6 +9139,12 @@
"type": "query",
"version": 100
},
"df9c0e92-5dee-4f1d-a760-3a5c039e4382": {
"rule_name": "Detection Alert on a Process Exhibiting CPU Spike",
"sha256": "571c0d2b1601d9b022ee332914385ea82ca4b2468a245cdfb1ccd3e60db1b211",
"type": "esql",
"version": 1
},
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "04754d1f1115e42d25e09ec628091486bee331e78bf83009b4038c838f2f8606",
@@ -8934,9 +9201,9 @@
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"rule_name": "AWS EC2 Route Table Created",
"sha256": "fe71bd2e04d2740f750bee99dce9836d1c19395bd839f149df0d88d449550a3a",
"sha256": "0107e5ff857bb3b08c9181ad8398d51eb0862148b3a6e45e1e18d3ef85982147",
"type": "new_terms",
"version": 211
"version": 212
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "Deprecated - AWS RDS Cluster Creation",
@@ -8988,9 +9255,9 @@
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "019e82bf0a7ce94d7eb9d5ef8c69792e65dcf4fed414132cf22f8f1bc105439c",
"sha256": "49e6685002f2a8bc63d3cf02f27027400fddc6ac909333f6472c52b60845fa6b",
"type": "query",
"version": 212
"version": 213
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"rule_name": "System Network Connections Discovery",
@@ -9036,9 +9303,9 @@
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"rule_name": "AWS Route 53 Private Hosted Zone Associated With a VPC",
"sha256": "57996ad4fb1ac5a6f7f0124da526d8241ec3eff29d0fd0957f798a2006ab7c97",
"sha256": "bb79588455fb19ea641cea5b513903bcfd62f5d8d8714dda71986fdc80fdcc13",
"type": "query",
"version": 210
"version": 211
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
@@ -9084,9 +9351,9 @@
},
"e4feea34-3b62-4c83-b77f-018fbef48c00": {
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
"sha256": "3da608bdd3be04c0b1aa7b2ad31fd632e8a0447cfdbdfad2d286168d4f8f6b38",
"sha256": "0cc36350d68626dc93304799effc87027ee6e7dfdb46469ccc949b5c0662e38d",
"type": "eql",
"version": 3
"version": 4
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"rule_name": "Kerberos Pre-authentication Disabled for User",
@@ -9202,6 +9469,12 @@
"type": "eql",
"version": 5
},
"e819b7eb-c2d4-4adc-b0c9-658aeb140450": {
"rule_name": "Lateral Movement Alerts from a Newly Observed User",
"sha256": "af6e6bc1bdc5322ecf674c90c4311e0e276424f55d2ca670379ffa0f1cdb1242",
"type": "esql",
"version": 1
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "2f9cf61e66c50847a30dfde7b4a3bbf289e90674920e25039f08a8953eb1eace",
@@ -9228,15 +9501,15 @@
},
"e8b37f18-4804-4819-8602-4aba1169c9f4": {
"rule_name": "GitHub Actions Workflow Modification Blocked",
"sha256": "0b92ce2e2b8840814c9543c400442734d9e19182c9e518f8f32de07d2508d6f3",
"sha256": "8a03e6a43d6c01bdf79a1197212c01b4c7c27862f9dbe9176f70cc1506b487e2",
"type": "esql",
"version": 4
"version": 5
},
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
"sha256": "9b8d379c12a7bfbde5c49431b8583f858819263472a48003b8b105c5504a48b0",
"sha256": "651f7eb7bc6d9f26754d5a8e04106fb4b65004ed9bf01a8c593c6df5ca9482aa",
"type": "eql",
"version": 7
"version": 8
},
"e8ea6f58-0040-11f0-a243-f661ea17fbcd": {
"rule_name": "AWS DynamoDB Table Exported to S3",
@@ -9324,9 +9597,9 @@
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"sha256": "f14b002eebcbbb555471d258b2d7843d5ea29c1f6968943863f83e6cae46568c",
"sha256": "0c0f0eb2a7f6d55541448bebed4b150affcf95c0e6cc3fd1c4524b8fa02d6480",
"type": "threshold",
"version": 213
"version": 214
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"rule_name": "Spike in Firewall Denies",
@@ -9342,21 +9615,27 @@
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
"sha256": "af86440d8e74a3463325d061cfbf3f755cc974d7c9e0929ccd302ad2b2a9b4f1",
"sha256": "3076f6b1adaf92e302684e1464639085c90751e68a525064398b7a9c2a03e3e5",
"type": "query",
"version": 106
"version": 107
},
"eb3150eb-e9fb-4a64-a0fc-aa66cdd35632": {
"rule_name": "Telnet Authentication Bypass via User Environment Variable",
"sha256": "c869b726c71065ef1c6ec9bc86d8d6c93a4576e456ad1a9e49a6cb90158de156",
"type": "eql",
"version": 1
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "10eb0280947ec17c29778c035e83012e6e2f0fea9e7d7515426d242db9fbcf1f",
"sha256": "f994e110b50cb2736e928c79c4c504229652f18fda04a1328cd19dc6f0b6eb27",
"type": "query",
"version": 109
"version": 110
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "73ed7f4606338a54521e32877619bc354d61bd8652897f531386f61601c386ed",
"sha256": "76ee3184eccc1adb58829a3db55ed8a13a43cc08ce6f1e29cc4696c5b979c901",
"type": "query",
"version": 216
"version": 217
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"rule_name": "Suspicious Network Connection Attempt by Root",
@@ -9370,6 +9649,13 @@
"type": "query",
"version": 5
},
"eb958cb3-dead-42b6-94ff-b9de6721fab2": {
"min_stack_version": "9.3",
"rule_name": "Curl SOCKS Proxy Detected via Defend for Containers",
"sha256": "3592443fb0d2e39fa025942bdc23a32bf151877ce039710cbaf0182ee1a69a17",
"type": "eql",
"version": 1
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "a983e45d426bb8f3a4ef45dfd2f57506e858af2344cca3033b44a1671fdaa745",
@@ -9395,16 +9681,26 @@
"version": 318
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"rule_name": "Deprecated - File Made Executable via Chmod Inside A Container",
"sha256": "e83d9c10df932ec1ea757f8db704550f8f70c3bb48b0155578659ee10099091c",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - File Made Executable via Chmod Inside A Container",
"sha256": "e83d9c10df932ec1ea757f8db704550f8f70c3bb48b0155578659ee10099091c",
"type": "eql",
"version": 4
}
},
"rule_name": "File Execution Permission Modification Detected via Defend for Containers",
"sha256": "c464aef0348ff82a20e8148ae70d2a55f66f0e8c371fa69e80415085ad2db41a",
"type": "eql",
"version": 4
"version": 104
},
"ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": {
"rule_name": "Kubernetes Forbidden Creation Request",
"sha256": "f5caae0dcb60c6fa3450e3b0775008d7e50eac2bfde465d39cadd799713d67f0",
"sha256": "d033bf3df19beb0e8f39e0a74b8438439e657b5a940999c60096803581fdc6d8",
"type": "eql",
"version": 1
"version": 2
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"rule_name": "M365 Exchange Inbox Forwarding Rule Created",
@@ -9527,10 +9823,20 @@
"version": 3
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File",
"sha256": "e4750e67d85a5bceb46ee02825a18989d55a065f353791467ac9bdcc98f4cb7a",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File",
"sha256": "e4750e67d85a5bceb46ee02825a18989d55a065f353791467ac9bdcc98f4cb7a",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential notify_on_release Container Escape Detected via Defend for Containers",
"sha256": "fac418cef4e709d91017ce5c1eeaa17b08e05b05e91e0e7584f00c36d2c239ad",
"type": "eql",
"version": 3
"version": 103
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"rule_name": "Whoami Process Activity",
@@ -9612,9 +9918,9 @@
},
"f2015527-7c46-4bb9-80db-051657ddfb69": {
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
"sha256": "8a13d49d9f7ae5db75943a19a2ddd120f65594d8ea51715e52c0c2e122f7ac52",
"sha256": "d02e97bb6a0789367e1693e0b732ffa53703803ee806bfaa956690ee97b9c78b",
"type": "eql",
"version": 6
"version": 7
},
"f20d1782-e783-4ed0-a0c4-946899a98a7c": {
"min_stack_version": "9.3",
@@ -9697,9 +10003,9 @@
},
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
"rule_name": "Suspicious Network Connection via systemd",
"sha256": "5c97a54b229583340a1a00241aa32f4bb1b09172b24c7ca84090e9e69653014c",
"sha256": "761746a21d11fe68935d152466349eda5c767337ab48bddf66f4f99acc061b21",
"type": "eql",
"version": 8
"version": 9
},
"f38633f4-3b31-4c80-b13d-e77c70ce8254": {
"rule_name": "Potential PowerShell Obfuscation via Reverse Keywords",
@@ -9853,9 +10159,16 @@
},
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
"sha256": "54e022f155300bd083ae3a1d4abb3d750bfbfa0d9764c4b939fc2e266a475c85",
"sha256": "72d6ffe9d368a4201f747eaaddfb00673f47079f4e5e11524d775d7352ebe202",
"type": "eql",
"version": 6
"version": 7
},
"f66a6869-d4c7-4d20-ab13-beefd03b63b4": {
"min_stack_version": "9.3",
"rule_name": "Environment Variable Enumeration Detected via Defend for Containers",
"sha256": "027b3215839ba15dbe8fa88451f7537ead96e5c39072209f9de455446fd2da30",
"type": "eql",
"version": 1
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
@@ -9870,10 +10183,20 @@
"version": 110
},
"f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 106,
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
"sha256": "b3c32636964b52850bbe219b1d46df5e11ff74998859388137839aa155bb529f",
"type": "new_terms",
"version": 7
}
},
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
"sha256": "b3c32636964b52850bbe219b1d46df5e11ff74998859388137839aa155bb529f",
"sha256": "6cec1911a7c8af3fc5091d352854bcfe521af7739b5b7b10183edf8c3e3e5dfe",
"type": "new_terms",
"version": 7
"version": 107
},
"f6d8c743-0916-4483-8333-3c6f107e0caa": {
"rule_name": "Potential PowerShell Obfuscation via String Concatenation",
@@ -9913,15 +10236,25 @@
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "30ed79f143f19b812c553f6517437051b39d72cc08bd8f2375e9cad74663376f",
"sha256": "6ada016a934606d912dacab8241969dd93d1076577dd1741588cbbdd0a7a3179",
"type": "query",
"version": 212
"version": 213
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container",
"sha256": "841b368a5a82196761403f4ff326d8459a4501d8431b5e1dc3395acd18a3c104",
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container",
"sha256": "841b368a5a82196761403f4ff326d8459a4501d8431b5e1dc3395acd18a3c104",
"type": "eql",
"version": 5
}
},
"rule_name": "SSH Authorized Key File Activity Detected via Defend for Containers",
"sha256": "f4bffbc221ab135eae28675f5c599a369cf70b32f57f5c8e7c1426f72ddb310e",
"type": "eql",
"version": 5
"version": 105
},
"f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
"rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
@@ -9935,12 +10268,25 @@
"type": "eql",
"version": 315
},
"f7c64a1b-9d00-4b92-9042-d3bb4196899a": {
"min_stack_version": "9.3",
"rule_name": "Service Account Namespace Read Detected via Defend for Containers",
"sha256": "7b0b11fdb40acf5873635341cd6f110b54cedf319d1c0e18e33a074215df40e3",
"type": "eql",
"version": 1
},
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
"sha256": "e014f76230f1cf349a09ebfaffcd9a5b48436e9f2ac8f84cd7f352fc63f8e1ca",
"type": "new_terms",
"version": 7
},
"f7d588ba-e4b0-442e-879d-7ec39fbd69c5": {
"rule_name": "Potential SAP NetWeaver WebShell Creation",
"sha256": "5ef7adfab7e5ad994436c7c51bb8593c125f817dba1b6574dc78f5f1c3019a32",
"type": "eql",
"version": 1
},
"f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": {
"rule_name": "AWS CLI with Kali Linux Fingerprint Identified",
"sha256": "9ecf45d00058271bf4fa11c2e9f63e56a95e59e9fb13bd243c0bcb5e1ad1e0fd",
@@ -10069,9 +10415,9 @@
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"rule_name": "Potential Disabling of AppArmor",
"sha256": "72c407d915c781086a8ec4e79df0dcebec9db4e0d510107febae62c4277f1732",
"sha256": "2f19b753f33613c744acac5ad08008b53e8791926ce4f2e512d8f9d0738fe054",
"type": "eql",
"version": 112
"version": 113
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"rule_name": "Potential Masquerading as System32 DLL",
@@ -10129,9 +10475,9 @@
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "6323fe9e19fd0f0d8d212ac6c60eab26c2946a47ce3101f32c5c92ba06d59cd2",
"sha256": "e321ac71904b38ac1d8cd69e2c42acbaddaeb9a13ea72f048fe899741b5e613e",
"type": "query",
"version": 210
"version": 211
},
"fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": {
"rule_name": "Process Started with Executable Stack",
@@ -10183,9 +10529,9 @@
},
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"sha256": "fc95f2e738fea8b3f5c3b4f3b32d44acdbe1ddac5c85868bfc0aebc16b733110",
"sha256": "65f323aa4c16663d824d2073835378825966b7bba7c5d6a2c0c35e90e5e6803b",
"type": "new_terms",
"version": 7
"version": 8
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
@@ -10207,9 +10553,9 @@
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
"sha256": "2912289edd95c2285d9fb553d124ff5099b84cf5d8b179221b139ac534c65137",
"sha256": "ade0fa41fbd68a90a2597eeeacde9dc13e92fe918ead94f8462cd1bf0da48931",
"type": "new_terms",
"version": 423
"version": 424
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"rule_name": "Image Loaded with Invalid Signature",
@@ -10225,9 +10571,9 @@
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "1a005d14b137cfd7034a5960d99103c7f2ef5ce215bb933dcfa5c8741e655484",
"sha256": "aab00e43628fbf27cb1346ec2f5b519d10644c98ff198583648ba08ab65f088d",
"type": "query",
"version": 110
"version": 111
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
@@ -10291,15 +10637,15 @@
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
"sha256": "c856dc43828db7fa202981782f293b815fc5282e7b70e542f5f5561f5eaf328e",
"sha256": "c725902f0e85dff5bad6928200527e7b0f5da156f4dbe5de51b229844a6a11e9",
"type": "eql",
"version": 6
"version": 7
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",
"sha256": "77b0370857cbff35b6591573dee597b7c6f27170f8fc55fa9f050c150772d83e",
"sha256": "8c10501ce86f18c3be3435c923b228298606f73818b611f539f520e1e40320a3",
"type": "esql",
"version": 14
"version": 15
},
"ff46eb26-0684-4da3-9dd6-21032c9878e1": {
"rule_name": "Active Directory Discovery using AdExplorer",
+4
@@ -32,6 +32,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-indexes-logs-aws](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-aws.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-azure.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-cisco_ftd](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-cisco_ftd.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-cloud_defend](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-cloud_defend.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-crowdstrike](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-crowdstrike.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-cyberarkpas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-cyberarkpas.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-endpoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-endpoint.events.json&leave_site_dialog=false&tabs=false)|
@@ -53,6 +54,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-indexes-logs-oktaWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-oktaWILDCARD.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-panw](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-panw.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-sentinel_one_cloud_funnel](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-sentinel_one_cloud_funnel.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-sonicwall_firewall](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-sonicwall_firewall.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-suricata](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-suricata.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-system](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-system.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-logs-windows](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-windows.json&leave_site_dialog=false&tabs=false)|
@@ -124,6 +126,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-device-control](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-device-control.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-discovery](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-discovery.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-domain-generation-algorithm-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-domain-generation-algorithm-detection.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-elastic-defend-for-containers](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-defend-for-containers.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-elastic-defend](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-defend.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-elastic-endgame](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-endgame.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-email](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-email.json&leave_site_dialog=false&tabs=false)|
@@ -199,6 +202,7 @@ coverage from the state of rules in the `main` branch.
|[Elastic-detection-rules-tags-saas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-saas.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-sentinelone](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sentinelone.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-sharepoint](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sharepoint.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-sonicwall](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sonicwall.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-storage](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-storage.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-suricata](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-suricata.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-sysmon](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sysmon.json&leave_site_dialog=false&tabs=false)|
+1 -1
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.5.36"
version = "1.5.37"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"