Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3567)

* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
github-actions[bot]
2024-04-02 23:59:42 +05:30
committed by GitHub
parent 0e2eb5a84c
commit 8d5bd3b0f6
2 changed files with 986 additions and 558 deletions
@@ -64,6 +64,11 @@
"rule_name": "Potential Shell via Web Server",
"stack_version": "8.3"
},
"2377946d-0f01-4957-8812-6878985f515d": {
"deprecation_date": "2024/04/01",
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
"stack_version": "8.9"
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"deprecation_date": "2022/08/03",
"rule_name": "Suspicious Process from Conhost",
+981 -558
@@ -18,16 +18,16 @@
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "d6e135893b61752bf5e9ade6841683b593b05b98ac25bc8b6e6da7b35c4a2b42",
"sha256": "ac7d08baf88d495e5767d5845ee47e22b500b643e11ca7e806309d30e958a1fc",
"type": "eql",
"version": 111
"version": 112
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.3",
"rule_name": "System Shells via Services",
"sha256": "d72a2228f26b816836305d763e5f5d9e903ab000038bc927f5d10e28df155280",
"sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71",
"type": "eql",
"version": 109
"version": 110
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -37,11 +37,20 @@
"version": 2
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f",
"type": "query",
"version": 105
"version": 206
},
"015cca13-8832-49ac-a01b-a396114809f6": {
"min_stack_version": "8.9",
@@ -90,9 +99,9 @@
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"min_stack_version": "8.4",
"rule_name": "Process Created with an Elevated Token",
"sha256": "6c3c1a1a62be741fbfd99c0d2a69725f05c69adb7d911d8241132facbd72dbe8",
"sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db",
"type": "eql",
"version": 5
"version": 6
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"min_stack_version": "8.8",
@@ -118,18 +127,27 @@
"version": 106
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573",
"type": "query",
"version": 105
"version": 206
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "92dfb9997f9e81ca6045204e4c1b3ece1606c26102e22d7ee77e2de74583e5ee",
"sha256": "5bb8f568879a496363f640b8866b46e0a39fe4e15005cab6f5af9eb499e3584d",
"type": "threshold",
"version": 108
"version": 109
},
"035a6f21-4092-471d-9cda-9e379f459b1e": {
"min_stack_version": "8.3",
@@ -183,9 +201,9 @@
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "f30003f79a8a0e9dccbf5624b0938ece537c035677b4ce15bf5f88523a387123",
"sha256": "08eeec4ed1f73497e06767edc13231268e1d647f7b29f0401175d1618d04affa",
"type": "eql",
"version": 109
"version": 110
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"min_stack_version": "8.6",
@@ -197,16 +215,16 @@
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "eb124d112db3baf26a4dc6bc4e87e095d0e6e734155fd9b36dd78637d465e0e5",
"sha256": "a85b92effa53537c7a86f7871455c176bc2c48a6928248fa29dcf8a548677730",
"type": "eql",
"version": 109
"version": 110
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.3",
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "23256a2ac31f12c8f6094b66ec8171c0591a4ff3519d174a53c5324467e2ce0d",
"sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e",
"type": "eql",
"version": 109
"version": 110
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"min_stack_version": "8.3",
@@ -246,23 +264,23 @@
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "6496727d4e84e81c75d87d620f9a6662b800036f1ec2ee26b2a4b2435ccda542",
"sha256": "4e653f97afcad71acd94ddf79e5534455c79986773fc543839900cc60e129d88",
"type": "eql",
"version": 6
"version": 7
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.3",
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "6b91e61058491288a8ad9c3c19c977a9b530d25111ab834806df3e86fd57ae48",
"sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c",
"type": "eql",
"version": 109
"version": 110
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.3",
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "eeb82061ab01c63344201c4e0400988c1da110014c984e8d9021397e5e66a185",
"sha256": "4682c4aac80de38bf56894acd47cac808366a9f47329763291361bb23756d3a8",
"type": "eql",
"version": 109
"version": 110
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"min_stack_version": "8.3",
@@ -281,9 +299,9 @@
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.3",
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "ad1cf76b56835697ba2f77f6e4bb1a718528a7b567d45179449defd6cd4d7788",
"sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46",
"type": "eql",
"version": 7
"version": 8
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -325,9 +343,9 @@
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Removable Device",
"sha256": "23f0a48d6fa3383a6840a42d5ef0d207b51657c45464929d5b0cff2d720668d8",
"sha256": "085b5157400c5090fec630066b9c606cb33fa8334b9c49babca8242399a11b91",
"type": "new_terms",
"version": 3
"version": 4
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"min_stack_version": "8.3",
@@ -398,11 +416,20 @@
"version": 4
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
"type": "query",
"version": 6
}
},
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
"sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e",
"type": "query",
"version": 6
"version": 106
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.3",
@@ -442,9 +469,9 @@
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.3",
"rule_name": "Peripheral Device Discovery",
"sha256": "ddcc25632228b69f04cb0077f4837da1a67e20ba2b4503efd99e94cb254a4203",
"sha256": "f01eac25f9c7d222bc6e12ea4b86f7b4a06d4b76608183e9be91aaf9671427b7",
"type": "eql",
"version": 108
"version": 109
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"min_stack_version": "8.5",
@@ -463,11 +490,20 @@
"version": 204
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff",
"type": "query",
"version": 106
}
},
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746",
"type": "query",
"version": 105
"version": 206
},
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"min_stack_version": "8.3",
@@ -498,11 +534,20 @@
"version": 1
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "SharePoint Malware File Upload",
"sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579",
"type": "query",
"version": 106
}
},
"rule_name": "SharePoint Malware File Upload",
"sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393",
"type": "query",
"version": 105
"version": 206
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"min_stack_version": "8.3",
@@ -593,16 +638,16 @@
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "0dc9f4e57a7bc59df2f633d8c4e2610b1d538c37126f67d3090c09ce4b6ba73d",
"sha256": "47fb83a4f1705416ad0ba2cf6d42e319617bf0e145a68f21652116832e770309",
"type": "eql",
"version": 109
"version": 110
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "e1a2f2164b858641ec8d28ac37bbc63ab7ecb4a201cb990859818dc99e0bc780",
"sha256": "94905ad569d414ab1a3c0037dcdb641498c790debb11ceeea8d3354c9b7acd76",
"type": "eql",
"version": 110
"version": 111
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"min_stack_version": "8.9",
@@ -636,9 +681,9 @@
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.3",
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "4502ceb6ad5ec2578d2604033ee78aad4096d0462f454b834f610dfcfc7291a2",
"sha256": "c0a79cd64ff9bae3ad1545d8a18809dd34644d93ed177bd5f4586a2bb2cb4dba",
"type": "eql",
"version": 111
"version": 112
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"min_stack_version": "8.9",
@@ -665,9 +710,9 @@
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "ed42dc14705443ce7e86a7f3971eb8dc07c29cbbddcbe3b7f6b38089aff6e457",
"sha256": "37bda4461229741fa959b9d762f3bf17c0d03378734fbc1a04cbe4563675bea6",
"type": "machine_learning",
"version": 3
"version": 4
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
@@ -733,16 +778,16 @@
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "cb9c9bf880cbdb45311b832bfea90ff69ff754cf1dfbfc61c504fa8df6c954b4",
"sha256": "07748a896518875c7361a26af5beac29e29097fd6ec0285208e2e88d7df4a538",
"type": "eql",
"version": 110
"version": 111
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "bed9e8d75e78762c904ad3bcbdd17b1629297363bf702e2afa19036c4c5def6c",
"sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471",
"type": "eql",
"version": 107
"version": 108
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"min_stack_version": "8.3",
@@ -760,9 +805,9 @@
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
"sha256": "7e3a75c384a3aa4c32bba8e583878109e3a0599e3224d8e59163c1d940b3ebdc",
"sha256": "e4aac0fcc25bbc7121134faf7852704142d562d2c72bf9973c69b0dfd8d6046c",
"type": "eql",
"version": 3
"version": 4
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"min_stack_version": "8.3",
@@ -804,9 +849,9 @@
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "35ce91b43c0e63015d8b8c07ed81c3f0f95c7a0c0efdd0e48a0502ce31093e07",
"sha256": "d3adc721588e0ae5b24bc4f24e2615b84100397158efd20f6fa50212746fb697",
"type": "eql",
"version": 108
"version": 109
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"min_stack_version": "8.3",
@@ -825,9 +870,9 @@
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "5874fd05ebf55673785abd8a4e83eac604f30bf58a18b2978747f099a47d8375",
"sha256": "f31b60069f41b2547dfb226805c62256ec852c2b5ec5014524230d20ca42a646",
"type": "eql",
"version": 111
"version": 112
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"min_stack_version": "8.3",
@@ -883,9 +928,9 @@
"16a52c14-7883-47af-8745-9357803f0d4c": {
"min_stack_version": "8.3",
"rule_name": "Component Object Model Hijacking",
"sha256": "1d9e06ec8fe7b0d0eec41e2a4d5a9f2c6aa6f685194c5b715d6fb5754fe3c05e",
"sha256": "3d8695589654d6d7e54c53f1ff0699ba0c8246a2e2bb9779621fec8d881676d6",
"type": "eql",
"version": 111
"version": 112
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.3",
@@ -939,9 +984,9 @@
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.3",
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "e90a5a8670e27a8eaa2704728a15f92785a494fa148c12dffcad2a8bd96118f6",
"sha256": "23f4030c21a08bb1eb019a328b8fe62aeea2683957f343f0399abdff84347b22",
"type": "eql",
"version": 108
"version": 109
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"min_stack_version": "8.3",
@@ -1017,9 +1062,9 @@
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"min_stack_version": "8.3",
"rule_name": "Execution of COM object via Xwizard",
"sha256": "274c5d83ba69799b1b71490d04a15e288cefe59ae05c7609c9cda49fcfc4ce0a",
"sha256": "069735bb9cd4e472acbdcba371bd44bb50df1f225267d294773ac746e8ecc9e5",
"type": "eql",
"version": 108
"version": 109
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"min_stack_version": "8.9",
@@ -1040,16 +1085,16 @@
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.3",
"rule_name": "User Account Creation",
"sha256": "6d3d2de6bf958ba713b77e53d33cf74251bba8751f17193256696fbd09939ed3",
"sha256": "96534addae6874564d720b53fb0d2b7f621702dd58f3fdebb1d3c69a80f55abb",
"type": "eql",
"version": 108
"version": 109
},
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"min_stack_version": "8.4",
"rule_name": "Process Created with a Duplicated Token",
"sha256": "51febd0739715d80d22439ab57ace39d85b46bb853c1af905477341ceb640fb4",
"sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802",
"type": "eql",
"version": 2
"version": 3
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"min_stack_version": "8.3",
@@ -1093,7 +1138,7 @@
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7",
"type": "query",
"version": 109
"version": 111
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
@@ -1154,16 +1199,16 @@
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "d9e48c241bc31b9994d46c3c2a1a0186e25fb744c9da0059f117a7fae8c0030a",
"sha256": "b09a3222c4eab9324474c30ec5eddb3cd13c0f86e3b9776fc690aa77d8fe9e9d",
"type": "eql",
"version": 108
"version": 109
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"min_stack_version": "8.4",
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "4c8c8473db95992186d566e79adf668d651878042f01dc8c4a1de75f8a44c347",
"sha256": "eb4c56089e3f5a64944ea09016b315e24d78a78381989d1d29939502318b82f1",
"type": "eql",
"version": 5
"version": 6
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"min_stack_version": "8.3",
@@ -1180,11 +1225,20 @@
"version": 3
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
"type": "query",
"version": 6
}
},
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
"sha256": "e88e967f368a84359155555ed5b6de403b41fba8223ea19c9b7449a06e834192",
"type": "query",
"version": 6
"version": 106
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"min_stack_version": "8.3",
@@ -1193,6 +1247,13 @@
"type": "query",
"version": 102
},
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
"min_stack_version": "8.3",
"rule_name": "Creation of a DNS-Named Record",
"sha256": "9b97868151d1bdb1c5754a996d30cf988232f389c492b7f9132402adae176f75",
"type": "eql",
"version": 1
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"min_stack_version": "8.3",
"rule_name": "Creation of SettingContent-ms Files",
@@ -1252,9 +1313,9 @@
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.3",
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "62b3243701eaf818aa660cdcf7e9349322ee81f633aa0084e3c524e3d32ba4e4",
"sha256": "5fd6637d01d25848657a37779415e23778a84ee81a913351ee2bbb54701fe88a",
"type": "eql",
"version": 109
"version": 110
},
"202829f6-0271-4e88-b882-11a655c590d4": {
"min_stack_version": "8.3",
@@ -1266,9 +1327,9 @@
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "d07f6dd2837e924ff6de33cd32baf79e1da77761b30b28a595cc98b0190bcf53",
"sha256": "a137b8929c8afb05318cec2dac421d5e03d1bba700cb7978151e0429bb7a6e53",
"type": "eql",
"version": 109
"version": 110
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"min_stack_version": "8.9",
@@ -1337,9 +1398,9 @@
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"min_stack_version": "8.3",
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "a5cc59d7cf2e2fa059c0b9764eea066885103f00f02d4d447a130f44e15b452a",
"sha256": "9252233dd00ddb80533d2b70ccda0987fc97cab21f4fe935dcb0806e07dc9354",
"type": "eql",
"version": 6
"version": 7
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"min_stack_version": "8.6",
@@ -1360,9 +1421,9 @@
"22599847-5d13-48cb-8872-5796fee8692b": {
"min_stack_version": "8.3",
"rule_name": "SUNBURST Command and Control Activity",
"sha256": "ba55f907ef22d742e948ef03ed381c51077959c108f1166ec3e32bca889d77f0",
"sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7",
"type": "eql",
"version": 107
"version": 108
},
"227dc608-e558-43d9-b521-150772250bae": {
"min_stack_version": "8.9",
@@ -1425,9 +1486,9 @@
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "3e1f1dcee9be8b47adb401cfd92323f482f7e22611ecb85b8d301af019b18653",
"sha256": "dcf5239bdf937bd790a721fc5c7fceea3af8c5377ce0b466359a5ebb23a57ed6",
"type": "eql",
"version": 107
"version": 108
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"min_stack_version": "8.3",
@@ -1467,16 +1528,16 @@
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "126645c0dd5cdade08a0e700f459414da0f7ddf0b26b61817e7c6f1171d959fa",
"sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800",
"type": "eql",
"version": 110
"version": 111
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"min_stack_version": "8.3",
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "b17d343699156f436fb832585a96af5844d078cf79f5fa34771f1ceb6b0e95b2",
"sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517",
"type": "eql",
"version": 6
"version": 7
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"min_stack_version": "8.3",
@@ -1486,18 +1547,36 @@
"version": 105
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9",
"type": "threshold",
"version": 107
}
},
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633",
"type": "threshold",
"version": 106
"version": 207
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
"type": "query",
"version": 5
}
},
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
"sha256": "a3c97823d3b6940c64c3cd69101e314c8bf84a5c63e6f3ac1358259b034546cd",
"type": "query",
"version": 5
"version": 105
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"min_stack_version": "8.3",
@@ -1507,11 +1586,20 @@
"version": 4
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e",
"type": "query",
"version": 105
"version": 206
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"min_stack_version": "8.3",
@@ -1528,25 +1616,34 @@
"version": 104
},
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56",
"type": "query",
"version": 105
"version": 206
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.3",
"rule_name": "Account Password Reset Remotely",
"sha256": "bd56a7406f9eb92ed5ae5f56f3b907b56ac2f13892cb6f81d1fc8810651fbedb",
"type": "eql",
"version": 111
"version": 113
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "1fb55bf7b692e5b95ce37d95f3fdaa6ad25e99035e5b7b66e15c874b197e9da7",
"sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
"type": "eql",
"version": 110
"version": 111
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"min_stack_version": "8.3",
@@ -1601,19 +1698,19 @@
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "40ce924fa3299f63687bf28ba5a09ffe6142e56f64010f766f3350db86522cf6",
"sha256": "f64dc97be4c992f52e4ecf99c9d964a2d99544bea2d8d33d80ba5e96d62d8f80",
"type": "eql",
"version": 111
"version": 112
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.3",
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "042c84534e3f2e42aaad622b511e2a606ed267b5ea9d48a1e289c2ced981af4a",
"sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc",
"type": "eql",
"version": 110
"version": 111
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.6",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 207,
@@ -1621,12 +1718,19 @@
"sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3",
"type": "eql",
"version": 108
},
"8.6": {
"max_allowable_version": 310,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
"type": "new_terms",
"version": 211
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
"sha256": "69aa12515cb5a6a884d8fcd0056daadf549285264513b506832693885dae1db6",
"type": "new_terms",
"version": 211
"version": 311
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -1682,23 +1786,23 @@
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.3",
"rule_name": "Adobe Hijack Persistence",
"sha256": "9511519552dcac359dd785ad280b824b18f30b72c8776b5c13589adecd28db7e",
"sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d",
"type": "eql",
"version": 110
"version": 111
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "43fda5bff6b8024187994b386ff239f5b34a3dbc20d13cac44e186e7ad26bb7b",
"sha256": "df6ed2953eabd8c292df3200fc51dd9222b2c0c3fd5b9174f66efb61a28bcd5b",
"type": "eql",
"version": 109
"version": 110
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "7583ab195e69ad5b71c92d119b7e50b25df405d9af54fd263467de71829c7a12",
"sha256": "de455f667043e9cf42dd5fe4ac1a588f29bf04c9e5ac3c78bf84f5849ae48494",
"type": "eql",
"version": 108
"version": 109
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"min_stack_version": "8.6",
@@ -1740,25 +1844,34 @@
"version": 3
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e",
"type": "threshold",
"version": 107
}
},
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46",
"type": "threshold",
"version": 106
"version": 207
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"min_stack_version": "8.3",
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "b923fa419e9ac1d3e41bd75e45c9c2ef9ddde2134eb32607cb9f601891fe589c",
"sha256": "469f29380de3612562dd52d96cf08b2590670a1f0ed5c09882c3caa6420fc78f",
"type": "eql",
"version": 7
"version": 8
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"min_stack_version": "8.3",
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "3c1ac65899b1c8a54368d0242926e71b84970c3d3525c102b8fc3212e2fe5a28",
"sha256": "a23203b35000455d7e15f08f4aa4523ffb4cf37e6277c5ad2afff5dfb75f06d4",
"type": "eql",
"version": 109
"version": 110
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.3",
@@ -1791,9 +1904,9 @@
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.3",
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "9b9c9894727201ffd4c48acd3806088c597cc81ae8b85f9dd6a9d88587a6c292",
"sha256": "04e25e2a367da2d230efdd2c089caf2310ebc0b4555468d52654ae40cd73624f",
"type": "eql",
"version": 109
"version": 110
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"min_stack_version": "8.3",
@@ -1833,9 +1946,9 @@
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "8e9618108b6191ca96f5028c7ebad3b970904705f93ef91cc05da0a39a35841b",
"sha256": "c25dfc5c295e5fe0ef6c4bd03401308cc79d8069474d9a66e34a91f53a75d793",
"type": "eql",
"version": 110
"version": 111
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"min_stack_version": "8.9",
@@ -1882,9 +1995,9 @@
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.3",
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "80d0b61b700c1596bf6c6190a1fc56d04324e5a1f0c3b74c6e06f559810308f7",
"sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c",
"type": "eql",
"version": 111
"version": 112
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"min_stack_version": "8.3",
@@ -1917,16 +2030,16 @@
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.3",
"rule_name": "Program Files Directory Masquerading",
"sha256": "c5aa7db35a6cc9e3919372237fa8dffc8e397027df0c591dca62a660c3c826d2",
"sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa",
"type": "eql",
"version": 108
"version": 109
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "c62185b1fbe63d5cfa6260c4c2a4b70f8de70a803a1847d7d6ef4d320688dbc8",
"sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3",
"type": "eql",
"version": 110
"version": 111
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"min_stack_version": "8.9",
@@ -1989,9 +2102,9 @@
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.3",
"rule_name": "Port Forwarding Rule Addition",
"sha256": "a29be1699ea98079497ab6f9dbcda467f70d809fb84a0d405bd02035d126342a",
"sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd",
"type": "eql",
"version": 109
"version": 110
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"min_stack_version": "8.9",
@@ -2003,9 +2116,9 @@
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "0fe48302bd069b376d0c0125b9b99b6e6bc78713aa8f3ded6f2dc4d5d7c198a7",
"sha256": "1984aac08fb341387ffbc60fed85f41724c02408e79a0837eebfaff0eea168c3",
"type": "eql",
"version": 110
"version": 111
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"min_stack_version": "8.3",
@@ -2030,9 +2143,9 @@
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.3",
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "105ca4a083fb2c40d09d028b90dc636ffb2ef5d20a4ebc06fa2bfd135a0c2a85",
"sha256": "dd157344f60c0f8cdf534de6a25fd8ec70ae6b174250971f224102c56b1ed3d2",
"type": "eql",
"version": 106
"version": 107
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"min_stack_version": "8.9",
@@ -2170,23 +2283,23 @@
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "a95a8deb33c605f49071b6760943f92eb999d304ed26cbb4ecff1b05fdd79c5d",
"sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3",
"type": "eql",
"version": 106
"version": 107
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.3",
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "7a96acd466a52a000a95a7a901ce68338cde32312c53ad710e741dba79c4d31f",
"sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035",
"type": "eql",
"version": 109
"version": 110
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "fdd555efd8dd322e1a61baac6b914d2c1413a0cd235e63b81bd359e5699bece9",
"sha256": "b774f07509146c401d27897d918bded4c1725c4bf5e8b457e9a749116e912d1f",
"type": "eql",
"version": 7
"version": 8
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
@@ -2225,16 +2338,16 @@
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "0cc9b4c66d9e04312246894acad762bceae4aecf2c325f9a58d7c3bd3f42a05a",
"sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f",
"type": "eql",
"version": 109
"version": 110
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.3",
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "3d513821b853d8c2375e5387149c85a0a5ed409ab49bc51e03da3056957874e3",
"sha256": "9b7f98ccce2835bb0f4a66f0d771402a60aa80c0516f3c461f25258464d92dde",
"type": "eql",
"version": 111
"version": 112
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"min_stack_version": "8.3",
@@ -2243,12 +2356,28 @@
"type": "machine_learning",
"version": 103
},
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
"min_stack_version": "8.3",
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "b8cf058fc04d31b542a9af0b67afca6876cd61ca3cbae997f11f1750d0e5c24c",
"type": "eql",
"version": 1
},
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
"type": "query",
"version": 5
}
},
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
"sha256": "afa86911efb5e954ddd5ac66e6ff98a64832328ccdd43ef5c3a5c73ec1172297",
"type": "query",
"version": 5
"version": 105
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"min_stack_version": "8.9",
@@ -2276,9 +2405,9 @@
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "ffebc8558061bb7dea44422008c6d36bf5a9a5bd236b54a4c1c347e3afeaaa7a",
"sha256": "2a6df6ecfdcec0cacd6cd3fbe669354f173ae5e52c45c067290621e97758d904",
"type": "eql",
"version": 5
"version": 6
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"min_stack_version": "8.3",
@@ -2304,9 +2433,9 @@
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "628d69badc4c7cac5d27f8b5e345a0f678ff14a21da4d553f6415fc9f62d61e5",
"sha256": "f7be2ac3e9aac82f91122e2416bba98480072d50a299c9fb593ea60bf876b8d8",
"type": "eql",
"version": 109
"version": 110
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.8",
@@ -2325,11 +2454,20 @@
"version": 208
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67",
"type": "threshold",
"version": 107
}
},
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39",
"type": "threshold",
"version": 106
"version": 207
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"min_stack_version": "8.3",
@@ -2369,9 +2507,9 @@
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a User",
"sha256": "6f137c74ed8f940e891bb2048f8df801d3cc8a5b7adba6e3734f2c9da5394f68",
"sha256": "605a890392cba9a22d8ca7c2285cf0fe0e562dfeccb201126b50540f02b6567b",
"type": "machine_learning",
"version": 3
"version": 4
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"min_stack_version": "8.3",
@@ -2383,9 +2521,9 @@
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.3",
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "913b7ece64e8615edbf3d142cc711bdb73bd123721616e96628eba23c172a0e9",
"sha256": "ff437c6e2c47619b352ee9e1a2afc7a9efc07196a586924803b1daaf14e3c9d6",
"type": "eql",
"version": 107
"version": 108
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"min_stack_version": "8.6",
@@ -2413,9 +2551,9 @@
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.3",
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "0ffed8b229232fa659665f4b08e7fc2bf4925814c0faea7b4334187b8e75ca10",
"sha256": "aa2506ef37c17be2ee06aaebfabb669748b8247f50e0664debb0e789db74ca71",
"type": "eql",
"version": 110
"version": 111
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"min_stack_version": "8.8",
@@ -2499,9 +2637,9 @@
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"min_stack_version": "8.3",
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "e912c188a61231bfdcc366e62f89eb1c6885c298e56a48db3d8d955f6307b0ac",
"sha256": "83d79f7e35b069d84ce239901a6f3aaabd224e0494355f02c61e2650de4099c6",
"type": "eql",
"version": 109
"version": 110
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "8.3",
@@ -2541,23 +2679,23 @@
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.3",
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "0e8838bdb203c5d2583b224ce04df505c6a540eaf32e201a73e500d67873a354",
"sha256": "b3b214a87a2d7efdda2a6e79454b84fdbae8dbfdb3834d1b51bdc0524f4e0b41",
"type": "eql",
"version": 110
"version": 111
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.3",
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "52236fcc17f178dc677b43983bcaa370fd8880a981d93b4470f67a60bd98d1eb",
"sha256": "f28a8d21784231d74baa3c2c1bc50c52047b904b90baf5f454eff45f52d1ca07",
"type": "eql",
"version": 110
"version": 111
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"min_stack_version": "8.3",
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "83b8afb55578a79b9e61c0f4dc9589bb9fb7ab8bdac3c35dcca2eee7b4c89aaa",
"sha256": "532a6ef376ad303e213a6c18952dbfd541118f748ed30402beff2be0870e927f",
"type": "eql",
"version": 108
"version": 109
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"min_stack_version": "8.3",
@@ -2603,16 +2741,25 @@
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "de1531fede6b492b18663d799128c21faafc14bd82543c7cb449129e0e9a9b83",
"sha256": "daa833de111fdd82adf05f6795ee87754f8dd5a0631fdc3857995779eeb0743e",
"type": "eql",
"version": 108
"version": 109
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"min_stack_version": "8.6",
"min_stack_version": "8.8",
"previous": {
"8.6": {
"max_allowable_version": 104,
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea",
"type": "new_terms",
"version": 5
}
},
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea",
"type": "new_terms",
"version": 4
"version": 105
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"min_stack_version": "8.3",
@@ -2724,9 +2871,9 @@
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "f6ea79ffc24fc77b0b670584c9aa5ca184d1b9c530ad1e7835b22c26877e8123",
"sha256": "b071ea55c3cd817e5aec99970cd493053e2b94783f1aafb56e89004674a69b22",
"type": "eql",
"version": 109
"version": 110
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"min_stack_version": "8.8",
@@ -2752,9 +2899,9 @@
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "4c3132cd12e5b050d008e9dda6a69bb2b2711b0f9596232fc8173985858ddd79",
"sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45",
"type": "eql",
"version": 108
"version": 109
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.3",
@@ -2796,9 +2943,9 @@
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "124e5da33a22b0f85d527b9d8d7b6e77344775624ac22f9f7877357295bfcd58",
"sha256": "8bf850df70b51fc76b714e18cd7a173376cb3f8b205d59d19bf4656ff704fada",
"type": "eql",
"version": 111
"version": 112
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.3",
@@ -2817,9 +2964,9 @@
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.3",
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "1f58dea69a64bf4b35c2649ad0d707aa3acebce847cb0690b19d53233f956e5f",
"sha256": "46dc5171e6385fc71511dfe5c62bbfb3d211317614112565e2dbd8a177803a7b",
"type": "eql",
"version": 110
"version": 111
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.3",
@@ -2847,9 +2994,9 @@
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.3",
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "4800eb590fd93d7cfee2891f85ca1700e4d1b6151e4525ebbe6d01fb4b7a6737",
"sha256": "7e36c4f41ffd47e55fb0504fb3dee66108c384d0a06ec60f2c6de1e2b5d702ef",
"type": "eql",
"version": 108
"version": 109
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -2875,16 +3022,25 @@
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "64fddd9615abe7545e62a0eb47f20a024c23decd8daaea1c670e1e4f518d9789",
"sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1",
"type": "eql",
"version": 107
"version": 108
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87",
"type": "query",
"version": 105
"version": 206
},
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
"min_stack_version": "8.3",
@@ -3017,9 +3173,9 @@
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "90fb6b5b747e2c33656a728d3ded9f2e44a82bf4beac024c8f53e31fd8e0a03e",
"sha256": "e67568b9c981e928c8780997ad8a1ad3532c6816c7ba4e0eaf9b8b18c5f3923b",
"type": "eql",
"version": 109
"version": 110
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.3",
@@ -3031,23 +3187,32 @@
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.3",
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "fc2a119aff01368fe7e6e9b4d6c90db7715a088bc7da33d27985eb8062ed03a7",
"sha256": "62ae21bef70ecd1965d7f2e666f067077780c120bcbef93083911dea04b33b17",
"type": "eql",
"version": 106
"version": 107
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 107,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
"type": "query",
"version": 8
}
},
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
"sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74",
"type": "query",
"version": 8
"version": 108
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.3",
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "0d2d7574f0cce64196c045d6a82209834616721007ea1fd7bed902cd6cb8863a",
"sha256": "c432bc081898b9f4cbbf9aca1bfde2c778015db0534e78dddccc213f25c9ed59",
"type": "eql",
"version": 108
"version": 109
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.3",
@@ -3073,9 +3238,9 @@
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "ca08c87c1c1ebfbf7d02d83341733370de9f73bc116ee4557642d0149a432182",
"sha256": "60181e72437ae398200e9082d83f05217fb1a24754604f6147a583f83048b853",
"type": "machine_learning",
"version": 3
"version": 4
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.10",
@@ -3113,11 +3278,20 @@
"version": 104
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 209,
"rule_name": "PowerShell PSReflect Script",
"sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell PSReflect Script",
"sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
"sha256": "feeee2403f399c6d729c001a0178272237732cb46fe4d292f1b595d7910f782b",
"type": "query",
"version": 110
"version": 210
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"min_stack_version": "8.6",
@@ -3173,16 +3347,16 @@
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.3",
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "8f3c1355379a529b94f98cc0e27d42505f77c22b44f920fbb6f2237c96008767",
"sha256": "abc7e66357468013a69f39627f5e9976245ba741d55515881174e59942bf5edc",
"type": "eql",
"version": 110
"version": 111
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.3",
"rule_name": "RDP Enabled via Registry",
"sha256": "e12182f0d2be63bfab11f485ecbb25e37f35b4b4736b3be8022379a95fb50937",
"sha256": "509028755d9bbaaabe41c984eebff548de67f107f346e42b1b4ee27cd12d5fdb",
"type": "eql",
"version": 110
"version": 111
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"min_stack_version": "8.3",
@@ -3201,9 +3375,9 @@
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "89d94e88b9dbd7a623d75c682c8ca3f5572371f7bb77a9995add825d2f18c57b",
"sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13",
"type": "eql",
"version": 110
"version": 111
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"min_stack_version": "8.3",
@@ -3213,11 +3387,20 @@
"version": 2
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935",
"type": "query",
"version": 106
}
},
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef",
"type": "query",
"version": 105
"version": 206
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"min_stack_version": "8.9",
@@ -3245,9 +3428,9 @@
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "1d981e59f3d02e064f6cd8379e9c9900be5705a0cbdcc0c596b866ae5809bcca",
"sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4",
"type": "eql",
"version": 108
"version": 109
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"min_stack_version": "8.3",
@@ -3273,9 +3456,9 @@
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"min_stack_version": "8.3",
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "cae0c739475e3022d321d0703176431dbaf1792d9e3f628f9cafaa57d986d412",
"sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30",
"type": "eql",
"version": 108
"version": 109
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"min_stack_version": "8.3",
@@ -3308,9 +3491,9 @@
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "653114ab86902fd8f4c8ee2dad60eda337ba0cea3f366a5da9d2eddce611bf0e",
"sha256": "2e72ae9c5ca64669617999cec691b8f282cbf159464363b5d821bdddd4edd5d3",
"type": "eql",
"version": 107
"version": 108
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"min_stack_version": "8.9",
@@ -3380,9 +3563,9 @@
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.3",
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "c1db8c178bc05b8761de8f9b5eb2a539cde7eae8471c23a6f2dcd60aad668b67",
"sha256": "347fd2258a98937fc06440446d38f771f9d3df4b733661fc32c8df5a556b2c76",
"type": "eql",
"version": 106
"version": 107
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"min_stack_version": "8.3",
@@ -3394,9 +3577,9 @@
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.3",
"rule_name": "Persistence via PowerShell profile",
"sha256": "72a57bee7c2bd77cf45d4286782cdf3feb1c3f97ea5f10f077794593e289807f",
"sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60",
"type": "eql",
"version": 8
"version": 9
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"min_stack_version": "8.3",
@@ -3408,9 +3591,9 @@
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "7f563f78e16e0d63433ac2b46218f66fc5ad3ac544c1e6b037b8c025db8eaca2",
"sha256": "4051d22fd7d1721a31073f7a8b1173bdced88d11e883da07bafb67030c11d4fd",
"type": "eql",
"version": 107
"version": 108
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"min_stack_version": "8.3",
@@ -3436,11 +3619,20 @@
"version": 106
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838",
"type": "query",
"version": 105
"version": 206
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"rule_name": "Potential PrintNightmare File Modification",
@@ -3463,11 +3655,20 @@
"version": 105
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9",
"type": "query",
"version": 105
"version": 206
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"min_stack_version": "8.3",
@@ -3491,11 +3692,20 @@
"version": 3
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 212,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
"type": "query",
"version": 113
}
},
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
"sha256": "8a06a6df25f7cd9d46fb890b91a35822e95e9ae636069608964018f12fa37d41",
"type": "query",
"version": 113
"version": 213
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
@@ -3640,9 +3850,9 @@
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "7745782aa933ea91dbfdffeaa535df98d4ba5d6b908c75cabba52d20958e79d4",
"sha256": "8e989fcdb846e7c3c657728af8bbcfd54fd55209fe4cea539ff6aa9eaad2360e",
"type": "eql",
"version": 110
"version": 111
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"min_stack_version": "8.3",
@@ -3682,11 +3892,20 @@
"version": 206
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d",
"type": "query",
"version": 106
}
},
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb",
"type": "query",
"version": 105
"version": 206
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.10",
@@ -3726,16 +3945,25 @@
"6839c821-011d-43bd-bd5b-acff00257226": {
"min_stack_version": "8.3",
"rule_name": "Image File Execution Options Injection",
"sha256": "dffe42c5ab90869c537ef31605f87399b7061fd6480ca86d291ea97c3e7ad65f",
"sha256": "413e961dc4797bf3701be20c749258009705733592d081c9b030aed6a7b8e75c",
"type": "eql",
"version": 106
"version": 107
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "New or Modified Federation Domain",
"sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6",
"type": "query",
"version": 106
}
},
"rule_name": "New or Modified Federation Domain",
"sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8",
"type": "query",
"version": 105
"version": 206
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.10",
@@ -3756,9 +3984,9 @@
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "fe99222bad976791adb250b94f1a671e2fc854d9e940dcb1774abd08d4e941bf",
"sha256": "ca27a9f60eec10c769a8b530ccb040f0a6c4218b6af386a6daa5e6ffb6ca381f",
"type": "eql",
"version": 109
"version": 110
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"min_stack_version": "8.4",
@@ -3799,12 +4027,19 @@
"type": "query",
"version": 208
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "307219345f44551ce020e8edcdc4a77f54cae4a0431f6fdd2dd7b9553c93519d",
"type": "eql",
"version": 1
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "54b41030764f446ffff3a1171e5a6ab48b398793afaf92aa0a74f457a0d97ea7",
"sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459",
"type": "eql",
"version": 108
"version": 109
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"min_stack_version": "8.9",
@@ -3841,9 +4076,9 @@
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"min_stack_version": "8.3",
"rule_name": "Modification of Boot Configuration",
"sha256": "031efa575d3f85bf37358fccdc85ea7a26833d84a044e2dea0cd340a5b1e783d",
"sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525",
"type": "eql",
"version": 108
"version": 109
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"min_stack_version": "8.9",
@@ -3864,16 +4099,16 @@
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.3",
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "73d8b92d5adacbda2690be1cefec6b5055b8462a0899cefb5721cdb447880250",
"sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d",
"type": "eql",
"version": 109
"version": 110
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.3",
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "06d7311a4617060740277c5c255cc10d196a978a6b9d8c791dd4782f14bfafe2",
"sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f",
"type": "eql",
"version": 110
"version": 111
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"min_stack_version": "8.3",
@@ -3915,9 +4150,9 @@
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "f2d1dd7ef4bc9e7b8633eaca9e82e9bd3898d9211b31d2315326bdaca05e73f7",
"sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca",
"type": "eql",
"version": 107
"version": 108
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"min_stack_version": "8.3",
@@ -3943,9 +4178,9 @@
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "ef918ece14946f78978846c902ca1e8891e295cc7065c895ba6e7e5b0d9f59b9",
"sha256": "296e88e08cfeb38dd5bfe7c3719ed7ce80f41022b51190abddbedacc66220afa",
"type": "new_terms",
"version": 4
"version": 5
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.3",
@@ -4072,9 +4307,9 @@
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "e25fb2996e2838037ab8ab6de1cb526ff2e6af111288672810cf676904bf4d37",
"sha256": "db796cbae0d063b4f1a54079e8f00e82b333a78701059a9a9962630dd48cc857",
"type": "eql",
"version": 107
"version": 108
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"min_stack_version": "8.3",
@@ -4109,16 +4344,16 @@
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "ed13a55ea9f9864fa3d8cf2ec597f8c8fd6f62b93c0f4413599d1d75cb17a69e",
"sha256": "a3fdba9254d6e0decace5b3bbe34f7365bdb09fb0ab62ce49b0058dc63af0cbc",
"type": "eql",
"version": 113
"version": 114
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.3",
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "3e328cd1d4443b14c40bd6976483e6b0a46fc4832c5ea51543992f77cb4d976a",
"sha256": "e9a9062beb0713d366bd638f7cf733c19ec8aed20b8603b3b0d460618a78aaa2",
"type": "eql",
"version": 108
"version": 109
},
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"min_stack_version": "8.3",
@@ -4128,11 +4363,20 @@
"version": 3
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f",
"type": "query",
"version": 105
"version": 206
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.10",
@@ -4163,12 +4407,19 @@
"type": "new_terms",
"version": 2
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"min_stack_version": "8.3",
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578",
"type": "eql",
"version": 1
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"min_stack_version": "8.3",
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "ad9e16f4c06eeb3f11eeba4c6b5f6ebbcbd669dae6909a420cc602ada36adf32",
"sha256": "65d25ee5fe0482453ec857754eb6d2d3273c48bcef76cea6d9c3843f555d19eb",
"type": "eql",
"version": 110
"version": 111
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"min_stack_version": "8.3",
@@ -4275,16 +4526,16 @@
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "a810edd1617bc4ef3ae1a664742c5516a727a73fc12d9aa3e001fd9a2fbe07a9",
"sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33",
"type": "eql",
"version": 109
"version": 110
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.3",
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "6aeba930f5f44ebe3664c42b528c463e2e6c8ccf360ef292fad035a88e96054b",
"sha256": "8ad7865bb2ea255f74f4010cbc3df77b3480c3878500abf1c5ebf0b7c924a7cf",
"type": "eql",
"version": 110
"version": 111
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"min_stack_version": "8.3",
@@ -4353,12 +4604,19 @@
"type": "machine_learning",
"version": 208
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"min_stack_version": "8.3",
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0",
"type": "eql",
"version": 1
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "11fb3b45a1ccc2f104c91997fb4d7093f0efd5534a8f2048aa90ef37cc11f6cd",
"sha256": "693613eaf1e2584a9bc56d598ff28225091c888aa886521384faf26f2cc43a45",
"type": "eql",
"version": 5
"version": 6
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"min_stack_version": "8.3",
@@ -4384,9 +4642,9 @@
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.3",
"rule_name": "Potential File Transfer via Certreq",
"sha256": "c6ede1b19124b56c850d7eedf82e3104e0dd50089d1209a233c6146d28706b7e",
"sha256": "45f8eda9995222bc895d40fc9bab8fea41954def40702271c8a6b7af7bd09eef",
"type": "eql",
"version": 7
"version": 8
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.3",
@@ -4408,6 +4666,13 @@
"type": "eql",
"version": 5
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"min_stack_version": "8.3",
"rule_name": "Potential Execution via XZBackdoor",
"sha256": "3b5e1d6fe931166937ac8b2540f9f001897d52336750147eef0f13925a5f0c39",
"type": "eql",
"version": 1
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
@@ -4589,9 +4854,9 @@
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "1f86aaab6eae3947a5345279878d86101a66a07e2bc16cc341c0ef0d1694e094",
"sha256": "93f0d3a27ec93093c91f59d6a1bcd1a34b1f007ff0304b857a730c1c6c35f186",
"type": "eql",
"version": 108
"version": 109
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
@@ -4600,11 +4865,20 @@
"version": 100
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 210,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
"type": "query",
"version": 111
}
},
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
"sha256": "da93c9757e2bcf7faed59270b7d6ee09006cacaab0f5d201d13e988814868cf4",
"type": "query",
"version": 111
"version": 211
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.3",
@@ -4664,16 +4938,16 @@
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "e48575e85ccf8ae97bd5dbbcdb93966f977cfa5497471f891a801e5b405c1dce",
"sha256": "7a9ce57d7b2a5c723facc456a26c549cb5acacc09fe4844360c1af34366c0744",
"type": "eql",
"version": 109
"version": 110
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "01eb8e120deae737d0fc5aabc47de2c2ffb1ae2ad9d91fbda2f67016f9d71261",
"sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32",
"type": "eql",
"version": 110
"version": 111
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "8.6",
@@ -4687,9 +4961,9 @@
}
},
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "eb9b0b0b83082c3d6dbac814bde52b8353d73b0924dc994669c557a187778df9",
"sha256": "8fb4c5a6040d9edf0a32b6e6fd809d366eea096495438e323e148d684c871404",
"type": "new_terms",
"version": 209
"version": 210
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"min_stack_version": "8.9",
@@ -4756,9 +5030,9 @@
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "113a001053d28327c493ecc11edbf7d75e750102e0e8f5d30bcd79d564cf5cb9",
"sha256": "6a87be3b93e4a75c3dbfeba82b7aaa420dd43f042ec1bc9641d5649f8f6850b5",
"type": "eql",
"version": 111
"version": 112
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"min_stack_version": "8.9",
@@ -4790,11 +5064,20 @@
"version": 4
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66",
"type": "query",
"version": 105
"version": 206
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"min_stack_version": "8.3",
@@ -4822,9 +5105,9 @@
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "45129c0ef751c5a0e94afce6b35dc37357e77b777868036377790f5c4fdf4080",
"sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443",
"type": "eql",
"version": 107
"version": 108
},
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
"rule_name": "Linux Restricted Shell Breakout via the vi command",
@@ -4835,9 +5118,9 @@
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "e013429a64b9dc5fb19c3b14f924b3a3a20fe2b5d6c7b02c25cc237dc5c6a3f7",
"sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50",
"type": "eql",
"version": 109
"version": 110
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.3",
@@ -4884,9 +5167,9 @@
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "9bfce88b49a258d2ab8fb3ec0f60bfbb33b38e761b4cd49784f22e499a372754",
"sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3",
"type": "eql",
"version": 107
"version": 108
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.10",
@@ -4930,16 +5213,16 @@
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "8.3",
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "3692dc005e94c6cb81f8745fe73b3dcbdb7ee3c1a9ef6a92579bd1d330ffc35a",
"sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298",
"type": "eql",
"version": 107
"version": 108
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"min_stack_version": "8.3",
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "ea2781111fa286570f40efaaba709a54286c0669cfd802fd50b9f203a72f7fad",
"sha256": "78eb240c8eeeb4d9df8d9454ba4f91306bbffcdf8b395c3a62c87009f89504de",
"type": "eql",
"version": 108
"version": 109
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"min_stack_version": "8.3",
@@ -4958,9 +5241,9 @@
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "c40456bb67141fe6e52ceecbb5652a86c0f2bc25c3569c830c27830775d9d826",
"sha256": "a6ecf9a561d41bac0bb75fbf33f868dc71ed4fc5e07f914780fd73c29dcdb1ba",
"type": "eql",
"version": 109
"version": 110
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"min_stack_version": "8.3",
@@ -5025,12 +5308,19 @@
"type": "eql",
"version": 1
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"min_stack_version": "8.3",
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "60451d80b47ef91bfe8095934b32b4899ae705a33e3df155894a58dc67c97ce6",
"type": "eql",
"version": 1
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"min_stack_version": "8.3",
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "d3f17c275351dce43dbed1904257d053abe2a6e174ec12f91eabbc40236f918e",
"sha256": "bb44b0120653077a52d8fbfb935aa73998db23fe25b3c188024f3a96b09b8e4c",
"type": "eql",
"version": 105
"version": 106
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"min_stack_version": "8.3",
@@ -5147,11 +5437,20 @@
"version": 1
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 107,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
"type": "query",
"version": 8
}
},
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
"sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f",
"type": "query",
"version": 8
"version": 108
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.3",
@@ -5163,9 +5462,9 @@
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"min_stack_version": "8.3",
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "030d478f5bddae65e8f04f82a6157ab452650de7a6d0b647848e842651ac9d7c",
"sha256": "1985305e54165a73be2bdfd8d6de615ed21edde213a17f11911f0a25cdd28c0c",
"type": "eql",
"version": 2
"version": 3
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"min_stack_version": "8.9",
@@ -5218,16 +5517,16 @@
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "df0ba86beb4118b6f55a5970adbe558c2f9a9845cc50d152084a527067efae03",
"sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606",
"type": "eql",
"version": 109
"version": 110
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.3",
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "97a385e0496447ac9bc02ec4f05003b37f913d60778bb33026ee4689321f305b",
"sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851",
"type": "eql",
"version": 106
"version": 107
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"min_stack_version": "8.4",
@@ -5271,9 +5570,9 @@
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "8c675238fbf36a2b6439b67333f1563d27dcfb24f7fd66154eea09190df6d24f",
"sha256": "31677cdb4cb00d90106a66e1b086ad61ada306117acf7b0af9e17d13a96b91f0",
"type": "eql",
"version": 7
"version": 8
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -5291,6 +5590,13 @@
"type": "query",
"version": 106
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "7675d578e4dd24bc57bd2bbf670bfc9415f87ba8a2f3ddf8e8a7c00d3641d5f6",
"type": "query",
"version": 1
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.3",
"rule_name": "Remote Scheduled Task Creation",
@@ -5357,11 +5663,20 @@
"version": 7
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6",
"type": "query",
"version": 105
"version": 206
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"min_stack_version": "8.3",
@@ -5412,9 +5727,9 @@
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Zoom Child Process",
"sha256": "2ffff124b6528b62de29abc5f2e3c94b3f3da565038785122b8fbc2e0a502d46",
"sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976",
"type": "eql",
"version": 109
"version": 110
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
@@ -5438,9 +5753,9 @@
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"min_stack_version": "8.3",
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "531c4084f03ee3d1b847fd5b7e1a08b698d464c9f75172572d311ce3fd3c7b78",
"sha256": "361fc9bece9212d2816e83198a13e6951dc8e63c878162f552778218c8711684",
"type": "eql",
"version": 110
"version": 111
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -5464,11 +5779,20 @@
"version": 104
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c",
"type": "query",
"version": 105
"version": 206
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"min_stack_version": "8.9",
@@ -5503,9 +5827,9 @@
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "7d474c1db1e3f8cfa6fc070c3448e092cb34a2592f3dda373c71601ce7875a50",
"sha256": "482926261657f74d6e44dd1fcdcd25df11184139e079a28e9558d172a94bc94f",
"type": "eql",
"version": 3
"version": 4
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.8",
@@ -5570,16 +5894,16 @@
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Explorer Child Process",
"sha256": "59e5a0e0931a902b5c7d386df804a1f9d8a829c127bee7f062d94eae7046c813",
"sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7",
"type": "eql",
"version": 108
"version": 109
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "9076dc95ec176da1582e50d30bd0ee68097fdc5a13f6639cd77542543ff32df3",
"sha256": "70c14e4efec28255020d7227acf60ade921f89c6f4f6f20df7eefe9f083993ce",
"type": "eql",
"version": 108
"version": 109
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.3",
@@ -5591,9 +5915,9 @@
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "7aa7543ffcc5542e1cc4cecc38eea33a5a697662ce334f941845b66396cabdfd",
"sha256": "36be7f5bc34d95f4e0db0866f200db91e20c57104c47535e70c0579f42c47d7c",
"type": "eql",
"version": 110
"version": 111
},
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
"min_stack_version": "8.11",
@@ -5626,9 +5950,9 @@
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "1557e125020f22f550954a48efb59d63def281e03eedb5aef393445f4df56377",
"sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057",
"type": "eql",
"version": 109
"version": 110
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -5664,23 +5988,23 @@
}
},
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "da0d96328e9305e09c51d864be3b8ccd37f29f0be6110ed14a08805fecbaa285",
"sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c",
"type": "new_terms",
"version": 208
"version": 209
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "6039c4fddc944ad2363c6a8ed087a5f1137650a45d722478e022a34684c6925e",
"sha256": "c485e1358f4158ae03a14255b6d46e7c55467c0fadf17bb618b1ea57366ef1e1",
"type": "eql",
"version": 109
"version": 110
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "c9187ee2ac090322d625b811f9c9758f1f3f18e52fbe549318d885af07b81912",
"sha256": "9821305b0eebf7cd0540a8a4af112f0cb88abf4dc3bbbe323ade7a203ccf4b08",
"type": "eql",
"version": 111
"version": 112
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.3",
@@ -5701,9 +6025,9 @@
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "7e1573ee5a2439e23df62491f17b161f34b7807f0f35b767ea93b1b40e78af78",
"sha256": "88f6d6c995a534b5becc1676681e9c43a25e4a30332448f195ec5ae641b8b870",
"type": "new_terms",
"version": 210
"version": 211
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.3",
@@ -5824,9 +6148,9 @@
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "9b812a2bfc24c437f4a6867a57dffa0c92f1ded49780da916eac728d36e39a20",
"sha256": "45960ca284b367be8f1699088f866e56e2c72c2a5205c1c1ac4a309354ab6119",
"type": "eql",
"version": 6
"version": 7
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"min_stack_version": "8.3",
@@ -5859,9 +6183,9 @@
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.3",
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "53a5fc5d2f7c5de407de0f33a946575689b70044b0a333985d54afc07788e00d",
"sha256": "6c0ebc416f6fb4c7549a97d6a862ad6d780640637db60c907841fa20c7c70d8a",
"type": "eql",
"version": 108
"version": 109
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -5889,16 +6213,16 @@
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.3",
"rule_name": "Execution via local SxS Shared Module",
"sha256": "45610db4c1dfb5af66fd7794c88af23acafcc45889a8cdc31535e88522b6b777",
"sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525",
"type": "eql",
"version": 107
"version": 108
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"min_stack_version": "8.3",
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "2022d77c3a450819dba114be131ab4d32b3cdcb7b5b4d5048884740fc9ffb12e",
"sha256": "e99c94faaac0789d4c0eb4168bdc6ce7813ec01a2cecbf150147733d63850942",
"type": "eql",
"version": 107
"version": 108
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
@@ -5967,9 +6291,9 @@
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Office Child Process",
"sha256": "2ddbd9552fb06d871be6cf3c6df05e82db51c0522c2c1fd0fc57533539f20d00",
"sha256": "255c381e83fba4080d9c7a3ab7f1997d7a8cb5d664c64a8cd19f0be970ca8ae4",
"type": "eql",
"version": 111
"version": 112
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
@@ -5988,16 +6312,16 @@
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "d07d1d6f15fe4ec31b7e048901b93e28b9a86c97749f465ae96b0605254edb9b",
"sha256": "ee29d9d05c756fbec35c09510be9ed92564671e5159b5e4afe4d9c4ff65d31ef",
"type": "eql",
"version": 110
"version": 111
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.3",
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "8be0d29840df5209032b472d52631f3b32a31c84e9f20329ad8cf4e232029535",
"sha256": "09276f9e697db4a2e29daddbecd34ad8fae5dcd59a2a81e1f5ef2bcfe9c3ba02",
"type": "eql",
"version": 109
"version": 110
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"min_stack_version": "8.3",
@@ -6027,11 +6351,20 @@
"version": 100
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2",
"type": "query",
"version": 105
"version": 206
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"min_stack_version": "8.4",
@@ -6052,9 +6385,9 @@
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "1b00d88e46d2c46a81b2d4ff330ea35d106e96c250135e83c8f9464f7fa4dce9",
"sha256": "269e37223d35d504bd02023f1fc605e200979bbabb0ee082953950adaf35c4fd",
"type": "eql",
"version": 107
"version": 108
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"min_stack_version": "8.3",
@@ -6080,16 +6413,16 @@
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
"rule_name": "Remotely Started Services via RPC",
"sha256": "227b14152ef406f1f76685d2ce4eaa7e142e3dccdf9c18cf6244a4dddf55cb07",
"sha256": "a1bf5a848d6b73efd9cf627fe30e5f4f04215c6bb8bdd5f29b9e4749d22f7e6c",
"type": "eql",
"version": 110
"version": 111
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"min_stack_version": "8.3",
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
"sha256": "9e919b338b25f9098acdb28f9ac805dd9d43425d8909e4aab5909c4c45f6a148",
"sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3",
"type": "eql",
"version": 1
"version": 2
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"min_stack_version": "8.5",
@@ -6122,9 +6455,9 @@
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WerFault Child Process",
"sha256": "2f8517fcc799e218e702b6dbc5f69ca0a73a8c4829958fa3b4a4017656953c25",
"sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf",
"type": "eql",
"version": 111
"version": 112
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "8.9",
@@ -6267,9 +6600,9 @@
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "e46d6ec23006876133bf7f4911655b998c5f56cffbaef8488e7f9d052cde7391",
"sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184",
"type": "eql",
"version": 4
"version": 5
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"min_stack_version": "8.6",
@@ -6288,9 +6621,9 @@
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.3",
"rule_name": "Local Scheduled Task Creation",
"sha256": "f568b0ef55ded0b22b5b7dd6b7b744ee901e68e1a8ec576c5f7c736ca1cb06d0",
"sha256": "5291c4a420b199ea0cda7c00ad93a5114d95d9fcd73a07e12060d164eb0601e6",
"type": "eql",
"version": 106
"version": 107
},
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"min_stack_version": "8.3",
@@ -6350,16 +6683,25 @@
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "ff89ad4aea94c4e2d244dad812d4839a1f9d5e6e2da0237d8c78ede5a866a855",
"sha256": "f9c74dae522f96b99ef91c8690d3294d5bb57ed3568290e9c6c2b4877c99bbd4",
"type": "eql",
"version": 110
"version": 111
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf",
"type": "query",
"version": 105
"version": 206
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"min_stack_version": "8.3",
@@ -6378,16 +6720,16 @@
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "c2dd0de863712d8823fec709659ea8a08962a32c4a34cd409a13020217234029",
"sha256": "01e8d9f7974e3c66e2916edad7f04fe3fbd842ed064a7ac1067df9d6d61ecadf",
"type": "eql",
"version": 110
"version": 111
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "88b124d798fdc009c75ce590cb5313122089d2ac66fb58e6c2e75eec66b367be",
"sha256": "204caab60a2c4641de7b31aaedca2147bb76d02c5e8bae82907f04607536563e",
"type": "eql",
"version": 6
"version": 7
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"min_stack_version": "8.3",
@@ -6445,16 +6787,16 @@
"b5877334-677f-4fb9-86d5-a9721274223b": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Console History",
"sha256": "f8d74d2c65e451203da1ba4c2ef800514575ffc18fcd3459bbaa537c6c85723c",
"sha256": "0d87128fdfdcb58febe6605148de68b8ab413e129191227eca12360248a76681",
"type": "eql",
"version": 110
"version": 111
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "1e1adb586a134fbb525d8e85a924a9ed9fd88a64cf4e00c2a16c9b123248e520",
"sha256": "7a7554033f500cdd7964ffd328c581dfbdd9b26c040569d42581504a70e468d3",
"type": "eql",
"version": 110
"version": 111
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"min_stack_version": "8.3",
@@ -6540,9 +6882,9 @@
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "bb62b769a2f4afd8ca4c917f5fd3c32ff9150db63688f907e5df4d2e37e91b70",
"sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93",
"type": "eql",
"version": 107
"version": 108
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"min_stack_version": "8.3",
@@ -6554,16 +6896,16 @@
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.3",
"rule_name": "Kirbi File Creation",
"sha256": "ac09f79864ad4373c578be0ef95a154f24210dc62a17424c2fc90ef3275ef10a",
"sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
"type": "eql",
"version": 4
"version": 5
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "43bf576ded7e0de4ef6ba09eda56e0e82559c76c74254fd774de05559f6b8d5a",
"sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d",
"type": "eql",
"version": 108
"version": 109
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.3",
@@ -6603,9 +6945,9 @@
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.3",
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "630c3fd24836df1312da52e9a6f0a374049088974a55d1e8147b02323e80283e",
"sha256": "6cf76bf28c6818bd0c1e9cacc68a44909ca3c50f197b96e96bd34ffd2f935ec8",
"type": "eql",
"version": 108
"version": 109
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "8.3",
@@ -6624,9 +6966,9 @@
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "99cfc367982521de6af65b58f549f4f4c67b5ab33da03ca14f04bab37a3f5b59",
"sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671",
"type": "eql",
"version": 108
"version": 109
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"min_stack_version": "8.3",
@@ -6652,11 +6994,20 @@
"version": 205
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "OneDrive Malware File Upload",
"sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814",
"type": "query",
"version": 106
}
},
"rule_name": "OneDrive Malware File Upload",
"sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa",
"type": "query",
"version": 105
"version": 206
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"min_stack_version": "8.3",
@@ -6666,11 +7017,20 @@
"version": 5
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee",
"type": "query",
"version": 107
}
},
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3",
"type": "query",
"version": 106
"version": 207
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"min_stack_version": "8.9",
@@ -6761,9 +7121,9 @@
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "49000faea36134e08ac5c4ff3d8cc8b84b5988a96fd65e353c45b5dcf1816b59",
"sha256": "6214fb2abc887c66d7d514ccfc914faf98cb9befe4cb35f2f58a0e300787eb5c",
"type": "eql",
"version": 105
"version": 106
},
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"min_stack_version": "8.3",
@@ -6782,9 +7142,9 @@
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "ff0debce710d52c303c02bdc17b9b38d4ac32fc6e847d04a076063e6dfd4bb18",
"sha256": "84baf4890842c179a0724a3835388a16dedfe1046dfd94a9b617aa56b37a7a2f",
"type": "machine_learning",
"version": 3
"version": 4
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"min_stack_version": "8.9",
@@ -6796,9 +7156,9 @@
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.3",
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "a1189a1dc60f8e7159d10f793ee8b06a65af312c1fe3716004dbc4f108ed9012",
"sha256": "a22b02dc207eed11a68b3bf9569d0f06d0bfcc3b14a71b32fc505ee86b53aed4",
"type": "eql",
"version": 108
"version": 109
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"min_stack_version": "8.9",
@@ -6833,9 +7193,9 @@
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.3",
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "7f05d87c5d2477fe79fb8c9cbce0f3b28ffc41fff1f214a4fdd9833b0705ece6",
"sha256": "630b95897e137de2d3ff315926d388d39ed6ad5c19948a8fe0cb4c564d32b99e",
"type": "eql",
"version": 110
"version": 111
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"min_stack_version": "8.3",
@@ -6847,9 +7207,9 @@
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "0246217f877df40526e3bc741011b89c6efb820aa436be5c3256cd7013db5d8f",
"sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8",
"type": "eql",
"version": 108
"version": 109
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"min_stack_version": "8.3",
@@ -6907,9 +7267,9 @@
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "bcf33fe084537eed737bc441a6039ec1342b377f77dc505600f40b2ba8666ba4",
"sha256": "03334e1d43f8d53c06b92628435b5af954f2211ff41ff4ed7467bf8a8065cdef",
"type": "eql",
"version": 109
"version": 110
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"min_stack_version": "8.3",
@@ -6949,9 +7309,9 @@
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.3",
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "b88bece498dfaea5718d4d986625f0145871e56ab8f4101bdf228e4c98842108",
"sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156",
"type": "eql",
"version": 106
"version": 107
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"min_stack_version": "8.3",
@@ -6963,16 +7323,16 @@
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"min_stack_version": "8.3",
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "0d984ea0a0db400769aa7d3f97f7ea303d827c03bc543743cf2e23f2a850d7f0",
"sha256": "a814b9dc474566b81d9b80f83a1fbb21d506490be5d1a791c6a040402576193e",
"type": "eql",
"version": 108
"version": 109
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "527381ede531c0557419ed0a6bb636ea08e18112216dcaf858ae6256f42aa360",
"sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff",
"type": "eql",
"version": 106
"version": 107
},
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"min_stack_version": "8.3",
@@ -7019,16 +7379,16 @@
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"min_stack_version": "8.3",
"rule_name": "Installation of Custom Shim Databases",
"sha256": "2374c5bb1877f116a333acf337c2c31df95ab45d58c6649a372498f6507b45b9",
"sha256": "7ea702b1b6d7a8309d8d11e16505cb9ca2a3b1c906e7aeadacdefea24d0397b6",
"type": "eql",
"version": 107
"version": 108
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "e0090d1a50eac10f4ade38ddb5c37dcedaf650a113144b7796a5c0f982f5b952",
"sha256": "a8e1a000f912f5f42f3894fdca0458d10666994f165781a4fbd5db031f5a6712",
"type": "eql",
"version": 109
"version": 110
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"min_stack_version": "8.3",
@@ -7040,9 +7400,9 @@
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "a8f12f89203ac9f50f27c410b52db86730251b6f88772a401d2d5dece5460954",
"sha256": "3338fefccfc7c7d86404c1a054f09f2b43fdbeadba93b27dcfe7c04d6994303f",
"type": "eql",
"version": 111
"version": 112
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -7108,9 +7468,9 @@
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "b061f8aef46c559f3298c402f159b47b452a82c26a266b003760902b7ebe0059",
"sha256": "b865aba340d622e5f6840586849e814be1e565d1c59e1fcba5509683315c91cf",
"type": "eql",
"version": 109
"version": 110
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"min_stack_version": "8.3",
@@ -7156,9 +7516,9 @@
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"min_stack_version": "8.3",
"rule_name": "Parent Process PID Spoofing",
"sha256": "e1789b1189d98d1c0dd3e14aef3df67f994982f60001aab44c9785a8bab9bb3a",
"sha256": "43c26bdd413e7e6c52b50b9c579663b2ab48285b83a1f794fd636727baf21733",
"type": "eql",
"version": 105
"version": 106
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"min_stack_version": "8.3",
@@ -7170,23 +7530,23 @@
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "244a5e84242633bf3546c512386425c374c6ef20cad83ad6e67b25e99fa3f0b5",
"sha256": "a3f4ddc31c6570250920dc60269e68ec6344884c88aba870fb9998c5c1fb5319",
"type": "eql",
"version": 109
"version": 110
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"min_stack_version": "8.3",
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "cb843dd0438b6f8219a949e952ec61f69968fe41c3eec24c9aae7be06defd202",
"sha256": "2326092f64de27cbf684cdd4130d6f8695d0a42277b02fff7ebcc62350e56411",
"type": "eql",
"version": 109
"version": 110
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "a5e68609def010ae4cea5c31b29ec9740ce793360ee2d0c8995ce5c93286ed58",
"sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51",
"type": "eql",
"version": 4
"version": 5
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"min_stack_version": "8.3",
@@ -7196,18 +7556,27 @@
"version": 102
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82",
"type": "query",
"version": 105
"version": 206
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "677fab8ea10b09bc3d160f2d6ddf60228e80c7b07b65c9b0df182542f4001b4c",
"sha256": "6b71d73f704e96ab028ab9aa5fef9a3b487e35fe5cc322c1a118c9102720af9a",
"type": "eql",
"version": 7
"version": 8
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
@@ -7403,11 +7772,20 @@
"version": 207
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 110,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
"type": "query",
"version": 11
}
},
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "3dd4e764e7be53ae0b8b137bef23861b698be87d17b04674b73f347810f11142",
"sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b",
"type": "query",
"version": 10
"version": 111
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"min_stack_version": "8.8",
@@ -7419,9 +7797,9 @@
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.3",
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "1caaa5871fbfa78e0fe8a2323cbd8f452c5b1c8e166f80ae3f04b1efbe27608b",
"sha256": "38c701cbddca58faa29370862beddbbc9839ee8f8ef4985c006e2f03acecfdb7",
"type": "eql",
"version": 108
"version": 109
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"min_stack_version": "8.3",
@@ -7463,9 +7841,9 @@
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"min_stack_version": "8.3",
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "c8491acd12050d86d23ba74328aa0ac1d4f5ac05dee80019a088ee29b63ae3cc",
"sha256": "1e5d776df1e502f5d444b1a1e6cdcfc3de4ad784a603e7e0f23aaed9eae2f766",
"type": "eql",
"version": 111
"version": 112
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"min_stack_version": "8.3",
@@ -7491,23 +7869,23 @@
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "85d7491d891f74d1943d6d66829f7f495b2686bf716a2b2eff86964fc2f53af1",
"sha256": "4ec85ed3f6241a6015c998b91cdbbcf438629be2a40cdbfce1a173ebabd7c292",
"type": "eql",
"version": 109
"version": 110
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.3",
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "5f6a70d2ab2ac48645204e364a9d62da9e1f2834d58ad132edebba377a066615",
"sha256": "c8d1d7cc4181248cc8906dbc6d37aa62c162ed9bde92f7b4daf42b912e451197",
"type": "eql",
"version": 110
"version": 111
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"min_stack_version": "8.3",
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "0d684b691957fc890cd55538f666f64f489388c1a1dc12a1be16a5bc3b4de1ee",
"sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2",
"type": "eql",
"version": 4
"version": 5
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"min_stack_version": "8.3",
@@ -7532,16 +7910,16 @@
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.3",
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "a5cfe995f5e61234b19b795e2e09d04cb07d7e0d5a3ea85415ad9aee106ee259",
"sha256": "603191c9e9fe22a6f972c18bfb548360ab4f4b1378a58e8a4a24479548e8b1d0",
"type": "eql",
"version": 109
"version": 110
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Event Logs",
"sha256": "7ab223b5ae8dccf7fe5e240a84aa15d0c3e7b5fb84756dca29ba288fe1bf6bc7",
"sha256": "1c0780a844be282bd8fdfb0d608fa65473ba2d01d1a5be9e50e2e08039542576",
"type": "eql",
"version": 111
"version": 112
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.3",
@@ -7625,9 +8003,9 @@
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "0e1e3b5f59d53215ae4432116b3ff34d82492327031fb05030a06a280f0fa027",
"sha256": "42e3e1682134a7ed8c26d9a5ce2bcf4830d6a7af85268a0d2455a75e23119f6c",
"type": "eql",
"version": 105
"version": 106
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.10",
@@ -7689,32 +8067,50 @@
"version": 9
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91",
"type": "query",
"version": 105
"version": 206
},
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"min_stack_version": "8.3",
"rule_name": "Modification of WDigest Security Provider",
"sha256": "b7c8f207268472165a7e8eb713ed3eb05723b6ff76a5933201d0405e647fd390",
"sha256": "c7b2137213e37ccba915d2c30fa260188c065d8e939c56b72e4fd1f4001d72df",
"type": "eql",
"version": 108
"version": 109
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.3",
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "e37263b5a6b5f6fad1b0ee0d7becddea5d24c5bbddbd0f16d1af2bc113a0e299",
"sha256": "84b33e85f61fe174e8ec6980e6480028773e96980d267505f090cfa2d2460192",
"type": "eql",
"version": 110
"version": 111
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d",
"type": "query",
"version": 105
"version": 206
},
"d74d6506-427a-4790-b170-0c2a6ddac799": {
"min_stack_version": "8.3",
@@ -7761,9 +8157,9 @@
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"min_stack_version": "8.3",
"rule_name": "Untrusted Driver Loaded",
"sha256": "aa9adda1ac8dfe9c91e83c7741e046bb1553fda39b7e023d70c58e86fa012e11",
"sha256": "2caaa3d2f80549be9ff1f1641f9f9f202ecdadf6b83b01fa9486affa8bdb566f",
"type": "eql",
"version": 6
"version": 7
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"min_stack_version": "8.9",
@@ -7784,16 +8180,16 @@
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "ffc3442e6c3cc20722b9c1f1a32d35551a15964ac11f7cdfc592b76719af0cc8",
"sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1",
"type": "eql",
"version": 110
"version": 111
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "4fa393159012945bc722ed714aa371599d8c9cff942177209a16fa499c5c32af",
"sha256": "9ebf3042fc83b25b6a39a0cc87927cefb341ebb08bcce8749b4e07166ba98d0d",
"type": "eql",
"version": 8
"version": 9
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"min_stack_version": "8.9",
@@ -7839,9 +8235,9 @@
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.3",
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "6787d79433584e75afd2d32b2e0f9b054030958c1d82150a5ee9f0a5f5122b3a",
"sha256": "3bcb0230882be5c94ef22fde8ca625bfde5e40e20e1e545cf8a0f68d01c7e8f3",
"type": "eql",
"version": 5
"version": 6
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"min_stack_version": "8.3",
@@ -7873,9 +8269,9 @@
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "f37ab90a54a6c291b9cd4aa976743cd7ac5deb2abcac55cab6d64b965bfe48e7",
"sha256": "2d9e1771d9606f5f38126860db0e8757d223c30ae4a1b3b93d60ac17b0127a99",
"type": "eql",
"version": 109
"version": 110
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"min_stack_version": "8.9",
@@ -7896,16 +8292,16 @@
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "44f7baab75f773277a10c7030dcd1cfd26a107a3dc957f0fcb5163db547ae530",
"sha256": "6b58cc9b14a7fac5ea7f584782e3f3c7161f78158b1ce3fe3c33928ebba3d84d",
"type": "eql",
"version": 1
"version": 2
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "6f5f7a6cfcaa1257d531efd9068625980be3884a9960c90a3894be9c4711f295",
"sha256": "51ebf76d12a58d9db10b3a9d16c79ee0ae0672fa77f9fd0682b3796a7520351a",
"type": "eql",
"version": 6
"version": 7
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"min_stack_version": "8.3",
@@ -7917,16 +8313,16 @@
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"min_stack_version": "8.3",
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "81c0aab3146bff977cf56daa4f6b8155b87a26c42990da92e1ead146d5ff2e3c",
"sha256": "6c3d142ca53ffc037b333b4699eb891e35c11d1ca95aa3ae6347fb173bc33735",
"type": "eql",
"version": 107
"version": 108
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "2cf508d63c723bf1c8a65c682aca188141a400cdc3761094a901e95e793ac9bf",
"sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a",
"type": "eql",
"version": 109
"version": 110
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"min_stack_version": "8.3",
@@ -7947,16 +8343,16 @@
}
},
"rule_name": "Query Registry using Built-in Tools",
"sha256": "66c6b23d0b93c2a355ec7809c00272dad9d6ae5d8e1b8c594010f6d352504e9c",
"sha256": "4f92c23c30b19e9208d921b84d709ec2775f026b2fe995a4ca3644cdf56c2d4f",
"type": "new_terms",
"version": 103
"version": 104
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"min_stack_version": "8.6",
"rule_name": "First Time Seen Driver Loaded",
"sha256": "ad243a0040fbf3b300d379e356e6d3eb10209a2132942ac2f4e08962b1e8bd79",
"sha256": "7e66246ea00c9698fbfa57311793c02739cbad96d59bd88bbda9dbc752e4ac58",
"type": "new_terms",
"version": 6
"version": 7
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"min_stack_version": "8.3",
@@ -8127,11 +8523,20 @@
"version": 104
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.3",
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 211,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
"type": "query",
"version": 112
}
},
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
"sha256": "3cf8ff583ef123ebe0ef752da349e94652bcd203d089689bf6cfba36e727cc9d",
"type": "query",
"version": 112
"version": 212
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"min_stack_version": "8.11",
@@ -8166,16 +8571,16 @@
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "a5106b1d322ebadff7f28fbf1c711accfdc2a15bc9eb9040d4a3d09bd1aae28e",
"sha256": "3e63bc85075d9b743e6bf54268defc21c112e95ddb806edfb8a78a3ab78903bc",
"type": "eql",
"version": 6
"version": 7
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "585acd10a78e513b1329c305c032f10d56c20983fb6b6e247a83f36cbc5dd540",
"sha256": "bee7840c66166d2669fe2c9007db541d327d9ea4a3fdfda0b9c233e216e4a37d",
"type": "eql",
"version": 110
"version": 111
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"min_stack_version": "8.3",
@@ -8187,9 +8592,9 @@
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"min_stack_version": "8.3",
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "58b1c0d846d88c3860eca433ef5b9a49f46dccbb09d40c042618fb5cab6a109b",
"sha256": "6cef2e899c6b4e9645a167a889392bdc93d93b0cdbefafa881495069c49f284e",
"type": "eql",
"version": 109
"version": 110
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"min_stack_version": "8.9",
@@ -8217,9 +8622,9 @@
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "71a21b95dc853aa7a9f3bdebacbefd8c18bdae166c17c5eeadf71662eeede388",
"sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e",
"type": "eql",
"version": 106
"version": 107
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"min_stack_version": "8.3",
@@ -8341,9 +8746,9 @@
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"min_stack_version": "8.3",
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "1c76bc2a08b06825a177b0a25d39ca39d581ca953d40329e61cf82fd06714d77",
"sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478",
"type": "eql",
"version": 106
"version": 107
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.8",
@@ -8394,16 +8799,16 @@
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"min_stack_version": "8.3",
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "2894b45c8036eb38c332ca6f58cdcc5e872a80caa4e846636d051be8a166fcfe",
"sha256": "d821998e1160abb47ecede3b1c462e4239e82c189b4c1bb28462bb126a1b7765",
"type": "eql",
"version": 107
"version": 108
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"min_stack_version": "8.3",
"rule_name": "Installation of Security Support Provider",
"sha256": "1acfa2f251d1860e05ac5ffd7e0d7fa0801737551ea5e58c102b5caf3fca6c97",
"sha256": "7bacfc5c36b455bd387840ed3881384dccf76c4613c11307d4d5d00b45b71f4c",
"type": "eql",
"version": 107
"version": 108
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.3",
@@ -8470,16 +8875,16 @@
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "c5b7eef8ade7d3485a90b117038e54a8f7a1c4f8dd13df848304bb26845d46a5",
"sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f",
"type": "eql",
"version": 110
"version": 111
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"min_stack_version": "8.3",
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "a0ba2b3c599f12c32b5a0939253f61624c5aaef4f8bec7e3c2a58427a1421f1c",
"sha256": "d0a1dc56879cb56dc2747d8b68642dcb238491d808de81350698a3876b010d1e",
"type": "eql",
"version": 104
"version": 105
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"min_stack_version": "8.9",
@@ -8510,9 +8915,9 @@
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "9b562c38c4d362ac35e21b39fa028b653058315e266fd5853a388763e141b873",
"sha256": "d8ff4bf9daa5791d5125e828242e6da12e755fe8e6594f543661711e82994cfd",
"type": "machine_learning",
"version": 3
"version": 4
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"min_stack_version": "8.9",
@@ -8582,23 +8987,23 @@
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.3",
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "288578d5369a79c6373c3c0b0ce30d1e04accf4297f4378905ea03e926ef0304",
"sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
"type": "eql",
"version": 108
"version": 109
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"min_stack_version": "8.3",
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "4a54459a60e0157dbebdb4fa49edc3c3b44da95324d09ce432d90dfadc18cf16",
"sha256": "d83d663dcda70e00a6ab21131eed87f0b8c368ce720e9af6b55cc3ed301826a8",
"type": "eql",
"version": 109
"version": 110
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.3",
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "07d39ae66d7a091b5542973de8f3a914e6079b735c9af7282ec779f0f6eb0c91",
"sha256": "8df3afe86977d9a2b2f2229f4f6d2fb5bb39898849f2d887050d754afba715a2",
"type": "eql",
"version": 109
"version": 110
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"min_stack_version": "8.8",
@@ -8608,11 +9013,20 @@
"version": 2
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df",
"type": "query",
"version": 105
"version": 206
},
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"min_stack_version": "8.3",
@@ -8647,9 +9061,9 @@
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"min_stack_version": "8.3",
"rule_name": "AdFind Command Activity",
"sha256": "4cd8390b9a5306f1e517291c56dbd8724ce905bf484b914443323165263e92fa",
"sha256": "35efc8cf7bf58aeb31117f913287b60e74e904cbdce764bcd90b1a649e6318e1",
"type": "eql",
"version": 110
"version": 111
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.10",
@@ -8670,9 +9084,9 @@
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.3",
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "71c2c3a84c8776d4d55a196976af7988e418dd9269e2d47fbaa5e735f4e2a8b5",
"sha256": "6b7b9ccc19477616a522bddc2a00f166753629727474b6494a4460bfc09ec4f6",
"type": "eql",
"version": 111
"version": 112
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"min_stack_version": "8.3",
@@ -8700,9 +9114,9 @@
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "407e751c426680a73a9f75665f0416cc6532f6ad24f7abe9cfa304be168522a1",
"sha256": "3b8d96d08eb433256b4fb0fd5206543e932d32caede2f0296b44a83ccf41868c",
"type": "eql",
"version": 107
"version": 108
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"min_stack_version": "8.3",
@@ -8748,9 +9162,9 @@
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.3",
"rule_name": "Whoami Process Activity",
"sha256": "4367c7704290df656ff19eb3a68c7889e48d56cbce072457becfd69f434e35ba",
"sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202",
"type": "eql",
"version": 110
"version": 111
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"min_stack_version": "8.9",
@@ -8762,9 +9176,9 @@
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "4af429bb1a2ee50c8ac17ce95cf78b67a2c514674d9f537ef5476aca56d12721",
"sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe",
"type": "eql",
"version": 107
"version": 108
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"min_stack_version": "8.3",
@@ -8848,16 +9262,16 @@
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.3",
"rule_name": "SIP Provider Modification",
"sha256": "c9dd167236850ac8454b12127e31227e9bec1f9f5fd5a7786a600c1aba78e290",
"sha256": "637b95af638d89775bd2f924af80375c6ff258c63b53785edfb3543db910cbbf",
"type": "eql",
"version": 106
"version": 107
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"min_stack_version": "8.3",
"rule_name": "LSASS Memory Dump Creation",
"sha256": "1753a2eee380188ceaa72056436275f1455b3e3bc6e9068cd318a9b0505cc539",
"sha256": "f75e7dbe109ab94981359e193e38bc31d50c60ac6258c2e42dd797649989a2f4",
"type": "eql",
"version": 108
"version": 109
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"min_stack_version": "8.9",
@@ -8927,9 +9341,9 @@
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "5d08c860cfdbbde6caa690f18df854a3f106b160401ffe9bdaef82b0f41d5804",
"sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc",
"type": "eql",
"version": 107
"version": 108
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.3",
@@ -8954,9 +9368,9 @@
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Executing PowerShell",
"sha256": "b94e86645b289d8348ed42486795e77da783afb122ec48187d0350f3a20f52b3",
"sha256": "708503003bcee46e11babb11f8aa31370e2b00f8819ad6b533d88ae777974577",
"type": "eql",
"version": 110
"version": 111
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"min_stack_version": "8.8",
@@ -8968,9 +9382,9 @@
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"min_stack_version": "8.3",
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "b05c4528acef62397c715cb60d9752fa133ecba94e25e996871b92f58378b891",
"sha256": "a63046d792830722836c024689a5b5e9e1f3ac006e80e1445c1efa17bfbc98e5",
"type": "new_terms",
"version": 2
"version": 3
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.3",
@@ -8996,9 +9410,9 @@
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "841e7e3d259ad21fa37fbfa7cb65713dd10650212ef402434dcd94505006936c",
"sha256": "d6db5d4e54233628ba05c96ce487387f74b8d57d423cae36a1cfa4602ef0c312",
"type": "machine_learning",
"version": 3
"version": 4
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"min_stack_version": "8.3",
@@ -9017,16 +9431,16 @@
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.3",
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "82da4dcd3d85bbbce79c9338731f2d3faabeb93b9f8bd758a346c1bb3844926c",
"sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
"type": "eql",
"version": 109
"version": 110
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.3",
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "8c281efdd7ae17ef1dcf2df2b466453e0c5a6df40e5d5431f4389d20b1a438a0",
"sha256": "6b1d419bf9aa6949ee92ded6a11fd322e88da4c01130617ee0d215449c773841",
"type": "eql",
"version": 108
"version": 109
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"min_stack_version": "8.3",
@@ -9075,9 +9489,9 @@
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.3",
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "a60814f61dac11aa9d05163cc55d8da2b2cfb21fc612ed5f4d4d348060e57e80",
"sha256": "a1bc8b73c4533f942aac0721b6a1345272ca6770fde9d130e8f62f115eb42177",
"type": "eql",
"version": 110
"version": 111
},
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"min_stack_version": "8.11",
@@ -9089,9 +9503,9 @@
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "51aacad9edd6ee0e09aa36fcdc008de023969ea682b6b8e0810e61d65a8311f0",
"sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec",
"type": "eql",
"version": 108
"version": 109
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
@@ -9103,9 +9517,9 @@
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.3",
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "9dd2a2b3b83b8e850ca46a07ef95f7e14a78d5dc1d5e016c069ea25579284240",
"sha256": "78279bb6af6824e60ded36c81c6ef322b9ccaeb26c92549abc2921bf4227941b",
"type": "eql",
"version": 109
"version": 110
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"min_stack_version": "8.8",
@@ -9124,9 +9538,9 @@
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"min_stack_version": "8.3",
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "17194641e5b83110a15ad1ea56df6e69c2061a202fd582a587fa4581966173fa",
"sha256": "5952fcaf652a5286441fc15039faeb8970ad18ef5832358bbc5385c6e09ed734",
"type": "eql",
"version": 6
"version": 7
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"min_stack_version": "8.3",
@@ -9161,9 +9575,9 @@
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "d32ada1465167b6293df7280629172d0509463e769904db94d5f248237f0f48f",
"sha256": "3a766093b0d4f34997e59583bef56fb42b94ebe8b4d5d167f6f5123519f92525",
"type": "eql",
"version": 108
"version": 109
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"min_stack_version": "8.3",
@@ -9182,9 +9596,9 @@
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "a71e0082cbfb886e234b2dde6fb3a70a5084af0eb33e07cf1a8e2841693cfb67",
"sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
"type": "eql",
"version": 8
"version": 9
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"min_stack_version": "8.3",
@@ -9248,9 +9662,9 @@
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "43cf4780d862e228583a5b86075630c0a699c981a923c89a6d17347b3f9a403b",
"sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
"type": "eql",
"version": 108
"version": 109
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"min_stack_version": "8.8",
@@ -9275,16 +9689,16 @@
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.3",
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "8da3991d43d27d1307bfe952667feeaee10a17f086024460a72695f6a069495a",
"sha256": "c6e0f3ed2de57cd525aed211c660fafb3d244519f29423756b1e01f95a1f7469",
"type": "eql",
"version": 109
"version": 110
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.3",
"rule_name": "Suspicious CertUtil Commands",
"sha256": "828207753a4524cab2f050a270a6c7daae8f14ef3bc46fdddabeb6e5a4fbaf9c",
"sha256": "1eefd434526b2d048a615ba540bf83da7ee5150eae84ff517f5de3e7668c964b",
"type": "eql",
"version": 107
"version": 108
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.6",
@@ -9298,9 +9712,9 @@
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "0f97a093a060747af65927b28394e233712aca82f61b9e3a0841aba43b6656a7",
"sha256": "c2e725e9eb19e33d6be3fc8161e3923a7db648a6233feb31e68837e724c7800c",
"type": "new_terms",
"version": 210
"version": 211
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"min_stack_version": "8.3",
@@ -9333,16 +9747,16 @@
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "ca97f32f23e5e5a8a9980f4544b94a40f0c491f70e47c9a5d1bacc9f2acaf0c4",
"sha256": "1049a012554fe790510c642962136afe7809f3cb6743d41c94d9064cb5cd0275",
"type": "eql",
"version": 109
"version": 110
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "40b6160ff1840321119de9eaf4ab17ad8efd8941b316318fda962bb59ada871b",
"sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5",
"type": "eql",
"version": 3
"version": 4
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"min_stack_version": "8.3",
@@ -9382,16 +9796,25 @@
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",
"rule_name": "LSASS Process Access via Windows API",
"sha256": "3ebb73fb1bc78e99a7321c9da744e2462cb56b7b8b3a372342993176f40608c2",
"sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18",
"type": "eql",
"version": 6
"version": 7
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"min_stack_version": "8.3",
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88",
"type": "query",
"version": 105
"version": 206
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"min_stack_version": "8.3",