diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml
index 98589b10f..e73f06695 100644
--- a/.github/workflows/lock-versions.yml
+++ b/.github/workflows/lock-versions.yml
@@ -6,7 +6,7 @@ on:
 description: 'List of branches to lock versions (ordered, comma separated)'
 required: true
 # 7.17 was intentionally skipped because it was added late and was bug fix only
- default: '7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8'
+ default: '8.3,8.4,8.5,8.6,8.7,8.8'
 jobs:
 pr:
diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py
index bdeb6a60b..25df0ac75 100644
--- a/detection_rules/devtools.py
+++ b/detection_rules/devtools.py
@@ -930,44 +930,44 @@ def update_navigator_gists(directory: Path, token: str, gist_id: str, print_mark @dev_group.command('trim-version-lock') -@click.argument('min_version') +@click.argument('stack_version') @click.option('--dry-run', is_flag=True, help='Print the changes rather than saving the file') -def trim_version_lock(min_version: str, dry_run: bool): +def trim_version_lock(stack_version: str, dry_run: bool): """Trim all previous entries within the version lock file which are lower than the min_version.""" stack_versions = get_stack_versions() - assert min_version in stack_versions, f'Unknown min_version ({min_version}), expected: {", ".join(stack_versions)}' + assert stack_version in stack_versions, \ + f'Unknown min_version ({stack_version}), expected: {", ".join(stack_versions)}' - min_version = Version.parse(min_version) + min_version = Version.parse(stack_version) version_lock_dict = default_version_lock.version_lock.to_dict() removed = {} for rule_id, lock in version_lock_dict.items(): if 'previous' in lock: prev_vers = [Version.parse(v, optional_minor_and_patch=True) for v in list(lock['previous'])] - outdated_vers = [v for v in prev_vers if v <= min_version] + outdated_vers = [f"{v.major}.{v.minor}" for v in prev_vers if v < min_version] if not outdated_vers: continue - # we want to remove all "old" versions, but save the latest that is <= the min version as the new - # min_version. Essentially collapsing the entries and bumping it to a new "true" min - latest_version = max(outdated_vers) + # we want to remove all "old" versions, but save the latest that is >= the min version supplied as the new + # stack_version. 
if dry_run: - outdated_minus_current = [str(v) for v in outdated_vers if v != min_version] + outdated_minus_current = [str(v) for v in outdated_vers if v < stack_version] if outdated_minus_current: removed[rule_id] = outdated_minus_current for outdated in outdated_vers: popped = lock['previous'].pop(str(outdated)) - if outdated == latest_version: - lock['previous'][str(min_version)] = popped + if outdated >= stack_version: + lock['previous'][str(Version(stack_version[:2]))] = popped # remove the whole previous entry if it is now blank if not lock['previous']: lock.pop('previous') if dry_run: - click.echo(f'The following versions would be collapsed to {min_version}:' if removed else 'No changes') + click.echo(f'The following versions would be collapsed to {stack_version}:' if removed else 'No changes') click.echo('\n'.join(f'{k}: {", ".join(v)}' for k, v in removed.items())) else: new_lock = VersionLockFile.from_dict(dict(data=version_lock_dict)) diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index db82a3eca..c62e2c98a 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -7,6 +7,7 @@ ## Updates: ## 7.17 was intentionally skipped because it was added late and was bug fix only ## 06/2022 - dropped backport support for 7.13.0, 7.14.0, 7.15.0 as of 8.4 branch creation +## 01/2023 - dropped backport support for 7.16.0, 8.0.0, 8.1.0, 8.2.0 - https://github.com/elastic/detection-rules/pull/2450 ## Unsupported #"7.13.0": 
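Review bot: The collapse branch in the rewritten loop is dead: `outdated_vers` now holds only `f"{v.major}.{v.minor}"` strings for versions strictly below `min_version`, so `if outdated >= stack_version:` compares strings lexicographically and, for any value the assert admits, never fires — every pruned entry is discarded, which contradicts the new comment above it (and is what the version.lock.json hunks in this commit actually show). Even if it did fire, `Version(stack_version[:2])` slices the string to `'8.'` rather than splitting it, and `outdated_minus_current`'s `v < stack_version` has the same lexicographic flaw (a constructed `'8.10' < '8.9'` is True). If dropping everything below the supplied stack version is the intent, keep the parsed `Version` objects for the comparisons and only build the dict key when popping, as below; if collapsing is still intended, the branch needs a real Version comparison and `str(min_version)` as the new key, as the removed code used. Separately, the input check is an `assert`, which `python -O` strips, so `raise click.BadParameter(...)` would keep the validation in place, and both the docstring and the message still say min_version after the rename. trim_version_lock continues past the hunk (the non-dry-run write path).
```python
            prev_vers = [Version.parse(v, optional_minor_and_patch=True) for v in list(lock['previous'])]
            outdated_vers = [v for v in prev_vers if v < min_version]

            if not outdated_vers:
                continue

            # entries below the supplied stack version are dropped outright; nothing is re-keyed
            if dry_run:
                removed[rule_id] = [f"{v.major}.{v.minor}" for v in outdated_vers]

            for outdated in outdated_vers:
                lock['previous'].pop(f"{outdated.major}.{outdated.minor}")

            # … unchanged: remove the whole previous entry if it is now blank …
```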
@@ -22,28 +23,28 @@ # beats: "7.15.1" # ecs: "1.11.0" +# "7.16.0": +# beats: "7.16.2" +# ecs: "1.12.2" +# endgame: "1.9.0" + +# "8.0.0": +# beats: "8.0.1" +# ecs: "8.0.1" +# endgame: "1.9.0" + +# "8.1.0": +# beats: "8.1.2" +# ecs: "8.1.0" +# endgame: "1.9.0" + +# "8.2.0": +# beats: "8.2.1" +# ecs: "8.2.1" +# endgame: "1.9.0" + ## Supported -"7.16.0": - beats: "7.16.2" - ecs: "1.12.2" - endgame: "1.9.0" - -"8.0.0": - beats: "8.0.1" - ecs: "8.0.1" - endgame: "1.9.0" - -"8.1.0": - beats: "8.1.2" - ecs: "8.1.0" - endgame: "1.9.0" - -"8.2.0": - beats: "8.2.1" - ecs: "8.2.1" - endgame: "1.9.0" - "8.3.0": beats: "8.3.3" ecs: "8.3.1" diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 6668b6cd1..f5157f888 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -1,15 +1,6 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "fc9d05639917fdd13a3a474200a618648fe3dbd6fbc059714179e692544d1354", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "6959ea68e624648c00260b8b0f15cd196d5b8c735a992496989e2dafdaae5661", "type": "query", @@ -17,15 +8,6 @@ }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "29906b5a42e6ac00b7559596f5c5327de6ca290d9877eb26efb0e61575b5c5e3", - "type": "eql", - "version": 9 - } - }, "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "44c9ed5ab020fb52fef50aa4102f30790986063269ed4d478521951bb0761c34", "type": "eql", 
@@ -33,15 +15,6 @@ }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "System Shells via Services", - "sha256": "5aff2208b89b678394ce6b10523f8a94b9b0f4040e3c3ab34d1fb21eb93b84bc", - "type": "eql", - "version": 15 - } - }, "rule_name": "System Shells via Services", "sha256": "aaad99f21f683f4ddec166d675acad5ad1f1434f8a6ebf7e7881c303202dd848", "type": "eql", @@ -56,15 +29,6 @@ }, "0136b315-b566-482f-866c-1d8e2477ba16": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "c72d8f82f106bf83eb7d5f9d25f896f0ed189396d6e2d1c852d98474a64beb90", - "type": "query", - "version": 5 - } - }, "rule_name": "Microsoft 365 User Restricted from Sending Email", "sha256": "800b46e07338fe2de6177e541487caae40e39dfecd6c44a09abea5ffc429e8e9", "type": "query", @@ -72,15 +36,6 @@ }, "015cca13-8832-49ac-a01b-a396114809f6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Redshift Cluster Creation", - "sha256": "eb3736cefa46a5dcce1de0ed5fa67788a24a1b819b872293ce195cdd9010cef3", - "type": "query", - "version": 4 - } - }, "rule_name": "AWS Redshift Cluster Creation", "sha256": "7dff7627decd65e25f4571ca3ceefc9b8051395af121bf93c8b4234576ea3426", "type": "query", @@ -88,15 +43,6 @@ }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "a93161f8d12b12b14db50925d087ef2adf59daafde9fea16c12c215165b50a87", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "e494a8188f625906605b8bd31de9606107ac62aaac03ec711215e13a8f58502f", "type": "eql", 
@@ -111,15 +57,6 @@ }, "02a4576a-7480-4284-9327-548a806b5e48": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "546acb2fcf58eef7251c6c37a89278982183bacaa6fdc0fa8d92e496263fcf67", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "359443e99fea9675583c8facf421e9120d5c293796b25476b746b99e36a91ec5", "type": "eql", @@ -127,15 +64,6 @@ }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "a2f14309ddc0b7a13f7b019b2b7350407d2752ab0df9f8665af61bc332727e40", - "type": "query", - "version": 3 - } - }, "rule_name": "Dumping Account Hashes via Built-In Commands", "sha256": "9a4ea5449638ca4ec6bb30aa804c16499fa5462e18252aedfd7ae6bcbe77e325", "type": "query", @@ -143,15 +71,6 @@ }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "4a340d1fec5675d9dfc9c013617fefe21a1a261c35a09dd54144b47d385c4c59", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "sha256": "9c753af8cfa4af8e249a5d5b351338c1541b3f7cdef2bd4ba97f693cab83a0b0", "type": "query", 
@@ -159,15 +78,6 @@ }, "035889c4-2686-4583-a7df-67f89c292f2c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "502568bda8a45463938048cbebfd2f4b7ebdc9c42d21fb2f5909d98b4b9e8de0", - "type": "threshold", - "version": 7 - } - }, "rule_name": "High Number of Process and/or Service Terminations", "sha256": "b2460fd8630aefa491590afec411fe8666e1d9c5ef4cfc06cef286ec2dc76ee2", "type": "threshold", @@ -182,15 +92,6 @@ }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Modification of OpenSSH Binaries", - "sha256": "da887bc33601673a5a00749d1953a98ee66c546948e91f8e746a90e08fa4c049", - "type": "query", - "version": 4 - } - }, "rule_name": "Modification of OpenSSH Binaries", "sha256": "2ede08f76e0b1af3b9b7af11c48e35da5b0265ad83e5f36e7876927f8b45f2d6", "type": "query", @@ -198,15 +99,6 @@ }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential DNS Tunneling via Iodine", - "sha256": "96319d6e8c7e83a6a43aa136270b48ca5bb2f42597e4b2ff315f51a5d3a9647e", - "type": "query", - "version": 10 - } - }, "rule_name": "Potential DNS Tunneling via Iodine", "sha256": "97349b731232dfbfa6e09c4f021c22cd5afbda16de5f44d87b41be13538b6f7e", "type": "query", @@ -214,15 +106,6 @@ }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure AD Global Administrator Role Assigned", - "sha256": "408b65909c88e865f1a0887596f07f4b24a11e39935e929a2c1d3bb91aac1475", - "type": "query", - "version": 5 - } - }, "rule_name": "Azure AD Global Administrator Role Assigned", "sha256": "288b33ef30117913f0017bba83da1caa675d73c6c6c58088ce9f550fde43042c", "type": "query", 
@@ -230,15 +113,6 @@ }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "de34faf4f96a549763f00c82b808b22856e14f4190971cb78e017e2d7eccd5c8", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "c65a4e89d85ae3891e7960338eb8ce36119ac9f7136e1d32121ea60fce9cc797", "type": "eql", @@ -246,15 +120,6 @@ }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "a2d10a32b4853413485f5f6915fdcf4c3cdb89c73effacb1ce4f3a76b763ee71", - "type": "eql", - "version": 8 - } - }, "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "c980b36da9cc53a66053acac4f56e6833dc02b97b2f3a8d14c95e80ccf5c54ec", "type": "eql", @@ -262,15 +127,6 @@ }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "23a86a0bf2473481c76378774eccb40698f45db12ad58515d161e5245bf8cfe7", - "type": "eql", - "version": 9 - } - }, "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "4000645be34a89baef62cbe8a335a9add136452515811364395ba9ed729fe920", "type": "eql", 
@@ -278,15 +134,6 @@ }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "3f61f0f688bfc61699356e5e7f4973cd0b8836b77900f752f3eca5ea477681ba", - "type": "query", - "version": 8 - } - }, "rule_name": "Interactive Terminal Spawned via Perl", "sha256": "e73ae3e63708c2aba83e87e5f8f91f159b00aa8141f016d04672654a8afaece9", "type": "query", @@ -294,15 +141,6 @@ }, "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote System Discovery Commands", - "sha256": "1b9982c0a4942993c1bf78121bf735580c62c1fdc406e1ff3ee3e37eee78737c", - "type": "eql", - "version": 8 - } - }, "rule_name": "Remote System Discovery Commands", "sha256": "01a8e77cb6c60163261a9af78cd67d9327130a85bf772a58fcdc9178a253b145", "type": "eql", @@ -324,15 +162,6 @@ }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Evasion via Filter Manager", - "sha256": "04e0ff561e9cf8e25c144701cc06935d7771c3f428c622d0f58378374eb93d4f", - "type": "eql", - "version": 12 - } - }, "rule_name": "Potential Evasion via Filter Manager", "sha256": "b673cb928a168d285f4a78c864a556285d31236177a8adcf3b2953198726e8e9", "type": "eql", @@ -340,15 +169,6 @@ }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "d362fd4092ce222911f1e61fbfbc4b8bb7f5e6d04ea3df0bd31eaeedfaf2006b", - "type": "eql", - "version": 9 - } - }, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "8ac22dba8be871be007d376cd62ca4dd755fe996dccae1834f6dd4019a8027e5", "type": "eql", 
@@ -379,15 +199,6 @@ }, "080bc66a-5d56-4d1f-8071-817671716db9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Browser Child Process", - "sha256": "dc49030353809caf15787143903515263c46d7ff699e8bed72b0e1a145e8cabb", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious Browser Child Process", "sha256": "3ecf457d45509f7228dfc3cd87c1451cc2b328b00e21d72216c76d17617cb3c6", "type": "eql", @@ -395,15 +206,6 @@ }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "7147dbd3f68475c0087ebb6aabbc2b86ebbe5be53eed996c4499c4b12a6efc21", - "type": "eql", - "version": 4 - } - }, "rule_name": "Launch Agent Creation or Modification and Immediate Loading", "sha256": "0e444a68ff7b43c0da48f8a6465382099b95cc8a7f09b50e8756df7daee89233", "type": "eql", @@ -411,15 +213,6 @@ }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "ed5affdb15f11894bd6c79489368d13ba7d6be9cb53c34d65c7b30150ef24f55", - "type": "query", - "version": 3 - } - }, "rule_name": "Suspicious Hidden Child Process of Launchd", "sha256": "b794ccca3f60f3f9dc0ad4837babc6d100e77072aef158eb6b153acf26d1aafa", "type": "query", @@ -433,15 +226,6 @@ }, "092b068f-84ac-485d-8a55-7dd9e006715f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "374f2ae1482849fd100fd62cb31c79cefe23ca89d3058ba8f7c0fc5a15b07943", - "type": "eql", - "version": 5 - } - }, "rule_name": "Creation of Hidden Launch Agent or Daemon", "sha256": "05f8455824b3c6f5a29fde7c5fb9e14b5e92a05fbac03ce9c6a7d104d02f2181", "type": "eql", 
@@ -449,15 +233,6 @@ }, "09443c92-46b3-45a4-8f25-383b028b258d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Process Termination followed by Deletion", - "sha256": "8e654753f94cbe50967dfba421ab8bccd10ca84d40d0a245ba08031a4e5957b6", - "type": "eql", - "version": 7 - } - }, "rule_name": "Process Termination followed by Deletion", "sha256": "8781f3f5c5a853baceb8aea9bafa5f05ee8a062c541b585129c33f5372c7b649", "type": "eql", @@ -471,15 +246,6 @@ }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", - "sha256": "8ee919cb70451c98d111e5e7e7e2f9636a1d0064a49e02e77f997b1b14265537", - "type": "query", - "version": 5 - } - }, "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", "sha256": "e9b638ed7f3e43e337695cbafa761a7fabd832f38a7fae09bea663e61f0492c3", "type": "query", @@ -487,15 +253,6 @@ }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Malware - Detected - Elastic Endgame", - "sha256": "a721897ba5522f3f80de884490b7ec388a753c8679db97593a1f957a7bff12b2", - "type": "query", - "version": 9 - } - }, "rule_name": "Malware - Detected - Elastic Endgame", "sha256": "625e15fc2de85491b9506d68b1852e7faceace28909534416f3fe6df4b4e7506", "type": "query", @@ -503,15 +260,6 @@ }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Anomalous Windows Process Creation", - "sha256": "9e82b05aeb4575a98f709abc32dedcd6597e85d952b0f635e6e3efa77c34eea1", - "type": "machine_learning", - "version": 5 - } - }, "rule_name": "Anomalous Windows Process Creation", "sha256": "00bc51b2475a281bc82637c0436c684cc292519dd3b042e7656c87381eba1bc9", "type": "machine_learning", 
@@ -519,15 +267,6 @@ }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "User account exposed to Kerberoasting", - "sha256": "ce5ff6004e5f73f7ba93d2299282f773bc858aeacefa8f3cc3385f6eadd25086", - "type": "query", - "version": 5 - } - }, "rule_name": "User account exposed to Kerberoasting", "sha256": "8519b3c2272cabe8be1c58dd9477ec161c9431845b51cb63321ac93704e83e17", "type": "query", @@ -535,15 +274,6 @@ }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Peripheral Device Discovery", - "sha256": "f24ca9a1f60d75defed517b7817577335a4262fbb3b7ed6b226eaea2c3c5e0ce", - "type": "eql", - "version": 8 - } - }, "rule_name": "Peripheral Device Discovery", "sha256": "f7112b01e04e9d3ef5fc49be8a5b5a76376fe15dda7f19c79e1003ad227acbd1", "type": "eql", @@ -551,15 +281,6 @@ }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "min_stack_version": "8.3", - "previous": { - "8.0": { - "max_allowable_version": 99, - "rule_name": "Threat Intel Indicator Match", - "sha256": "deec30795d7a848bc2ea99f29ec0e44c0d2cf9debfb593a497c818011477c718", - "type": "threat_match", - "version": 5 - } - }, "rule_name": "Threat Intel Indicator Match", "sha256": "ba224a6d2c59ed8072d4b28f8b86c7a161e511a747418aa937074171cd5a390c", "type": "threat_match", @@ -567,15 +288,6 @@ }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "f6eacd7c05b07f07ea615052aa4f672c47f4ff237bab83ee299daa65484ff83a", - "type": "query", - "version": 5 - } - }, "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", "sha256": "f42ea7acfc39b867f160d77cb67980e378220b0b29dbec1c46ba81a85b3ec497", "type": "query", 
@@ -590,15 +302,6 @@ }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Nping Process Activity", - "sha256": "249b51758445451417eec4803297e5a0a2451bf859faf040db420301a8db3d2e", - "type": "query", - "version": 10 - } - }, "rule_name": "Nping Process Activity", "sha256": "82a65b852cdb20f6cc1af4294168e6dee7907c89ec02e31c89b5d09f2f06095b", "type": "query", @@ -606,15 +309,6 @@ }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "d5d64a8e365a6086e3eb761be4e4722395cb58969f220252263994c9d2a86241", - "type": "eql", - "version": 8 - } - }, "rule_name": "Execution of File Written or Modified by Microsoft Office", "sha256": "04c744a73eed300a641fdae056d0e7d48edcf7279920e1d2572d6d75b5062436", "type": "eql", @@ -622,15 +316,6 @@ }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "SharePoint Malware File Upload", - "sha256": "fd74b2c8aa258d63dfa815857d9150709e02798bba6f9903829af995d2d27d5b", - "type": "query", - "version": 5 - } - }, "rule_name": "SharePoint Malware File Upload", "sha256": "52e4662dae5a3d57aebcef8d8c8ac99e9cb8a6d96ce0efecbc4e95e04cfeb435", "type": "query", @@ -638,15 +323,6 @@ }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Service Account Key Creation", - "sha256": "9c70b737fec17aa177eea51e4447e68f4f484f94b407ee4bacf654c6c8be1f7e", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Service Account Key Creation", "sha256": "98f03bbb565359358d97ccab8ca9d6461477931b6f0366e00a62a350ad85ec91", "type": "query", 
@@ -654,15 +330,6 @@ }, "0e79980b-4250-4a50-a509-69294c14e84b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "MsBuild Making Network Connections", - "sha256": "0168b3528c17247ed5631843306c3123c740bbb190605452493031a938421f15", - "type": "eql", - "version": 10 - } - }, "rule_name": "MsBuild Making Network Connections", "sha256": "e9e1448015a161b254426d82b35d7cd0f1c50f825c2bfe80a4cc49b540c6e97f", "type": "eql", @@ -683,15 +350,6 @@ }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "8fcce021f112699cc2b8bdd61edaaf16d26633221793e2f64a8d2b45d395e21e", - "type": "threshold", - "version": 6 - } - }, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "b51c3b4a3640f15fe935d10b2abefc1092ac197e483dd95e597947294ed638e2", "type": "threshold", @@ -699,15 +357,6 @@ }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "2149a008d62b8e6a983abd178158948e2c370183a4e070931806ebd07b620ec7", - "type": "query", - "version": 3 - } - }, "rule_name": "Privilege Escalation via Root Crontab File Modification", "sha256": "74f12365b2611f746b6b950de77421e98186ecdce39d1c929d8c200d5aa36835", "type": "query", @@ -721,15 +370,6 @@ }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "WebProxy Settings Modification", - "sha256": "5ceeed56054e254ddd1b7d9f6d34b66810422a1b885570227b5b24b1df1f5a1c", - "type": "query", - "version": 4 - } - }, "rule_name": "WebProxy Settings Modification", "sha256": "bd9678e07494bdcbadeae1f8a30a56bf687540192ff3411d19a45fd9b1a005fc", "type": "query", 
@@ -737,15 +377,6 @@ }, "11013227-0301-4a8c-b150-4db924484475": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Abnormally Large DNS Response", - "sha256": "72179393e4eaeb676c7ddec38aa17e29cdb602ddbac0b4b4c2727b39bbbd33c4", - "type": "query", - "version": 9 - } - }, "rule_name": "Abnormally Large DNS Response", "sha256": "cabcfa0923767a42d630bc1550d41c1cfd0eec28064a1ff44817b3d538250a01", "type": "query", @@ -753,15 +384,6 @@ }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "sha256": "9c71d67d03bb28988290278d67be14ad1ed058623cd9989b68da55945b0884d6", - "type": "eql", - "version": 9 - } - }, "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", "sha256": "95f22e9c3c60779a47a66b47a9b7794b7b4a64b32145100f8e2648077cd834fe", "type": "eql", @@ -769,15 +391,6 @@ }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "f93caaaa0c67c047837860a3ee7f31fbe03b3df7af0f7fb2c29658c22dbb89a5", - "type": "eql", - "version": 8 - } - }, "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "43e6dd5a6655971d7941fec42fbd98ee9432b7a065fae76a8050dbbec30d33c1", "type": "eql", @@ -785,15 +398,6 @@ }, "119c8877-8613-416d-a98a-96b6664ee73a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS RDS Snapshot Export", - "sha256": "14d892036447ee2dc39a6709bd9e0d3257e7f26fc746c067ed110d862c0688b8", - "type": "query", - "version": 4 - } - }, "rule_name": "AWS RDS Snapshot Export", "sha256": "1138d533893e9778a2dbf9a263a450909515642c0bb6a613c61c11bbeee74ece", "type": "query", 
@@ -814,15 +418,6 @@ }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "50288dc2ce260ad28cbd659c5050727cc77e2dd0725409ad7443869e47bcd52c", - "type": "eql", - "version": 7 - } - }, "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "540f7bc299a922433a0640ff6c624404386ade4960d6db7c09ae8534ab9f23c1", "type": "eql", @@ -830,15 +425,6 @@ }, "12051077-0124-4394-9522-8f4f4db1d674": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "7b9f296c6822ee18168d7c4ab63f9d12781ebe9c8704290c6e4bbbf250b1da44", - "type": "query", - "version": 4 - } - }, "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", "sha256": "c13c6181165d83fa92e854fbc44b44d4ab9d630486be78b48126da0e6b28acdd", "type": "query", @@ -866,13 +452,6 @@ "12a2f15d-597e-4334-88ff-38a02cb1330b": { "min_stack_version": "8.4", "previous": { - "8.2": { - "max_allowable_version": 99, - "rule_name": "Kubernetes Suspicious Self-Subject Review", - "sha256": "344dd45b89887d9f6037e782a5c6e321a7e348581f1372c4180b8b5e2aad81e9", - "type": "query", - "version": 3 - }, "8.3": { "max_allowable_version": 199, "rule_name": "Kubernetes Suspicious Self-Subject Review", @@ -889,13 +468,6 @@ "12cbf709-69e8-4055-94f9-24314385c27e": { "min_stack_version": "8.4", "previous": { - "8.2": { - "max_allowable_version": 99, - "rule_name": "Kubernetes Pod Created With HostNetwork", - "sha256": "1944874623a3c0eb94b6c60e923f345644329467a5e2b4d450710fa23af51940", - "type": "query", - "version": 3 - }, "8.3": { "max_allowable_version": 199, "rule_name": "Kubernetes Pod Created With HostNetwork", 
@@ -911,15 +483,6 @@ }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "14dee3b14b6f395041ed83582c528b803b220c3528665d1da4a1bc87de358524", - "type": "eql", - "version": 7 - } - }, "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "a0fe76c90fa839b3f2dffa93008fdea6743c40044698affccc0a90c56c860c7a", "type": "eql", @@ -927,15 +490,6 @@ }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "dd487bb51dcb9f39021bc76a62c8cd0821d1d6a83f7dcbfa4995e6fdb51914f7", - "type": "eql", - "version": 6 - } - }, "rule_name": "Persistence via Scheduled Job Creation", "sha256": "99840ed108ac2a3a9821a83f6b161fa033a720640a130239b98236e0d8e87093", "type": "eql", @@ -943,15 +497,6 @@ }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Rare User Logon", - "sha256": "2cee5f1ed8eb3e96b51fe2e95091998e361671f08e86aee4e30f60585529cd00", - "type": "machine_learning", - "version": 4 - } - }, "rule_name": "Rare User Logon", "sha256": "38a33e55971586872591f55b06eccbedb315e91e6aa460f4c407fa16106e34e4", "type": "machine_learning", @@ -965,15 +510,6 @@ }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure External Guest User Invitation", - "sha256": "884e2787044397ab5139c3a166b7ef487915885576122d86d3eee5fa26cb6b31", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure External Guest User Invitation", "sha256": "cd3ff42d4d39f286f6ea43a9dc3e39036052e41de46a2361d7f2e03b904b56ff", "type": "query", 
@@ -981,15 +517,6 @@ }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "8fb78fd8caf9f2c543f7a8496f9d8f54d2c309b521d9b3f1d1afb9174b6c6068", - "type": "query", - "version": 13 - } - }, "rule_name": "RPC (Remote Procedure Call) from the Internet", "sha256": "2b983663df2e83acf552a0e23cf64c89b7d02608e47827e831a7f83301eb1157", "type": "query", @@ -998,13 +525,6 @@ "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "min_stack_version": "8.4", "previous": { - "8.2": { - "max_allowable_version": 99, - "rule_name": "Kubernetes User Exec into Pod", - "sha256": "939f1dfae51e5df729029c2bf9c6cd64c211afd38624b26e0878e4e9f0623956", - "type": "query", - "version": 4 - }, "8.3": { "max_allowable_version": 199, "rule_name": "Kubernetes User Exec into Pod", @@ -1020,15 +540,6 @@ }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "babbc6287d174b837d32ddc45d7233af2a2325136cdd66ffb0cae01ff942611d", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "84489342541549db9a81f650e682ff2311f77daf0f1af723aa3a23da31bd3131", "type": "eql", @@ -1036,15 +547,6 @@ }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "a37caa10322b243e5b1aa27c757d8348af9ac05dff0d4f48a54774f68c207385", - "type": "query", - "version": 7 - } - }, "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "cf03af67c80afdce88b0d90377426b870072a256c1c7df1a1beea891c3ebf5da", "type": "query", 
@@ -1052,15 +554,6 @@ }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "8d3046d9ab68612adecfa2ba45a822de6d59c106baa88cb919d7f814adef7705", - "type": "eql", - "version": 10 - } - }, "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "fb888e09a4a11bf779b938d5e4e78e13b508c4d7adc38edf65ee6bff1a1517e4", "type": "eql", @@ -1068,15 +561,6 @@ }, "15dacaa0-5b90-466b-acab-63435a59701a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "ab01939284a35f49a970a029c0ae49717b8c8a40df7d14e420432cf17423300a", - "type": "eql", - "version": 5 - } - }, "rule_name": "Virtual Private Network Connection Attempt", "sha256": "36bb19a2a3d947e65a4f020c5343a8ca9e33aad4c743276a4b563f089945357e", "type": "eql", @@ -1084,15 +568,6 @@ }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "5856d870c5052798edc3f6128683f5e39e62d60519ada98556b15fef9fc2df55", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Automation Runbook Created or Modified", "sha256": "1ddd06726c54971391c661c9aea4eac602559a462ed0ecd122be0d5432a23e3c", "type": "query", @@ -1107,15 +582,6 @@ }, "16904215-2c95-4ac8-bf5c-12354e047192": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "82021c6bdc0d1e0276714a56622c6195c0745e9c8d37dfa3e179111be9f3c8f7", - "type": "query", - "version": 4 - } - }, "rule_name": "Potential Kerberos Attack via Bifrost", "sha256": "580eee276b8cd0635b5b2cc101ba4c27a33d479cf82024465043657d4ac3be67", "type": "query", 
@@ -1123,15 +589,6 @@ }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS IAM Group Creation", - "sha256": "e40e6fa8910826f514e017875dad384599cb9360369e8f04f154bb76879db2ba", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS IAM Group Creation", "sha256": "70eedbc5d5dbec8299ff01adeab82bfdbbeeaa1ff181941777befec486ec1724", "type": "query", @@ -1139,15 +596,6 @@ }, "16a52c14-7883-47af-8745-9357803f0d4c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Component Object Model Hijacking", - "sha256": "5898cbcb8ba124f960428a6f5171e59b41b955310aa5d055f300dc1a341c1b4f", - "type": "eql", - "version": 10 - } - }, "rule_name": "Component Object Model Hijacking", "sha256": "95c23ba0bd1ede74baf8c7422054ac967d0e416022cf05f638d457e0b48b7442", "type": "eql", @@ -1155,15 +603,6 @@ }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "2dbe2743cfdae34c434469eef59b198bcabab7f9fe1700cea7401f78495d4755", - "type": "query", - "version": 7 - } - }, "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "a0bcbe249b9ff9013531a804a41432ff98b61a30b5a2249c28f8b3c691f7c766", "type": "query", @@ -1171,15 +610,6 @@ }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Windows Username", - "sha256": "15ad86ffb8402c2acabbd69bc91cf276320fbefe605de2f336f02d46936242a4", - "type": "machine_learning", - "version": 7 - } - }, "rule_name": "Unusual Windows Username", "sha256": "e1740f328635e9314cadc2eb52c767f0d293bbf1b95bda5a93bc40b62ccf0f54", "type": "machine_learning", 
@@ -1187,15 +617,6 @@ }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Windows Service", - "sha256": "2056eb4358a68b426256be231c045180bdc5ed38f6ea5b6f8140d1656c102a7d", - "type": "machine_learning", - "version": 4 - } - }, "rule_name": "Unusual Windows Service", "sha256": "4a9102d18894a8280bde68cc780b7c5e0a7a3a4fbdaa71b52b417ce85009ca75", "type": "machine_learning", @@ -1203,15 +624,6 @@ }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Powershell Script", - "sha256": "460a16a595ce6ae95c9edea03ef73004bc7c7308105aa6c9ea445cbde9af7acd", - "type": "machine_learning", - "version": 4 - } - }, "rule_name": "Suspicious Powershell Script", "sha256": "6314693fc1aa0772a5bf5feda375c38c586fd261b5220b62fb53fc8c09ae07ac", "type": "machine_learning", @@ -1219,15 +631,6 @@ }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "f379e94cb9af607a023c169713f9d08359187394314686ae5e0c9e90c0cfc475", - "type": "machine_learning", - "version": 4 - } - }, "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "c77d151fd7841b1b3c983c59fe82e450b6508c05b82dc438681abb6f12d6f006", "type": "machine_learning", @@ -1235,15 +638,6 @@ }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Windows Remote User", - "sha256": "56324808be7511810a3929fc18e87820ab588197a384e84b772bc3f2addc8841", - "type": "machine_learning", - "version": 5 - } - }, "rule_name": "Unusual Windows Remote User", "sha256": "873d5ac5bf227fe7cd005164804dbdb06312054689c1fa2d9bbf55929c9e5176", "type": "machine_learning", 
@@ -1251,15 +645,6 @@ }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Execution - Short Program Name", - "sha256": "a49a574d1dd2dc2b3e273604ba9444652782dad8165b44003650a266a3d8c831", - "type": "eql", - "version": 7 - } - }, "rule_name": "Suspicious Execution - Short Program Name", "sha256": "9e56b68ffda148b7c73db7e885d67adbc99f1a6b2b3b6f51ba38bf3a4f24b250", "type": "eql", @@ -1267,15 +652,6 @@ }, "17e68559-b274-4948-ad0b-f8415bb31126": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Network Destination Domain Name", - "sha256": "4f247c995b369cacb22a5734b72185bd8dc067b58972e3e959245d9bf0d391ab", - "type": "machine_learning", - "version": 4 - } - }, "rule_name": "Unusual Network Destination Domain Name", "sha256": "eac6bc2fe670f80df6a3d58547cf904d0b10bae622920b398b8d302d916ee805", "type": "machine_learning", @@ -1283,15 +659,6 @@ }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Logging Sink Modification", - "sha256": "f543b8cf2fdff969c2280c9426bcef331857717573fa30ecfdcfba95c8283625", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Logging Sink Modification", "sha256": "3d6c368434d84250789f01be13befe3c23f9cc743c66e61b35c9eed89108bee5", "type": "query", @@ -1305,15 +672,6 @@ }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Rare AWS Error Code", - "sha256": "6b29390c6c450c02027712c15174d3241eadf50fd00e80be20970e8d2385f21a", - "type": "machine_learning", - "version": 10 - } - }, "rule_name": "Rare AWS Error Code", "sha256": "8bd0f2c08153afa41209da5e3e3a0e42985509e3ae61fdcd53a73b13f29747b7", "type": "machine_learning", 
@@ -1328,15 +686,6 @@ }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Application Credential Modification", - "sha256": "08c7be0a262c66e42f4a684e6a3250d4686374b71f6fa817d9cf0b369eacdf81", - "type": "query", - "version": 7 - } - }, "rule_name": "Azure Application Credential Modification", "sha256": "4578d2fa5303996ca9dae8665c8478e5f83d838b6e503934124775b995cf839c", "type": "query", @@ -1344,15 +693,6 @@ }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution of COM object via Xwizard", - "sha256": "f914b30a66a3801986631b2260c2b0be902fee7f3f9e9ea83082a555276b833e", - "type": "eql", - "version": 5 - } - }, "rule_name": "Execution of COM object via Xwizard", "sha256": "497aa6f2e84bc38a4173e213a42122fa075df41c196f18805aadac627289c3b8", "type": "eql", @@ -1360,15 +700,6 @@ }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "fd4a95d88aee2bbce7a930bef232433c82600847adb3624342557eb85672f1c2", - "type": "query", - "version": 9 - } - }, "rule_name": "AWS CloudTrail Log Suspended", "sha256": "b30b1697915642b261e3b8eeebcd3c96042b1d3ce68999f69004a2acd6ce6329", "type": "query", @@ -1376,15 +707,6 @@ }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "User Account Creation", - "sha256": "1891ff7763da99e8748a754e4c9ea618908a0273d1dae964934e27ac482dcb2e", - "type": "eql", - "version": 14 - } - }, "rule_name": "User Account Creation", "sha256": "91da5464a87cde5c98128299afb48b78bdc30e5229e3387a4f17e627c03b5787", "type": "eql", 
@@ -1392,15 +714,6 @@ }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Connection to Internal Network via Telnet", - "sha256": "a6045befcf940787d6b44aca3ba847602c79275a601616a8cb50d66f621907f4", - "type": "eql", - "version": 8 - } - }, "rule_name": "Connection to Internal Network via Telnet", "sha256": "c2470c215f226531bcb606f6add21e9e5be2dcdd0f5a4da0e2bb7a6b60a41da8", "type": "eql", @@ -1408,15 +721,6 @@ }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "3ac35392968bc4bfe1ec662a9d0b96fd14d0f58c60be9132d68c95fc85b635c9", - "type": "query", - "version": 5 - } - }, "rule_name": "AWS ElastiCache Security Group Modified or Deleted", "sha256": "7b54549eefd5278686e1bd0576093fd42c6a619b7a498a200737efe7bcc93f41", "type": "query", @@ -1431,15 +735,6 @@ }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "d00d3e8f0516c4848290f845aa45897ed6207d1a3f9b71738aaa821f9c3805fd", - "type": "query", - "version": 8 - } - }, "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", "sha256": "0632f4ba371145aa2b15a3655f4ecaecea2aeca4b27e04e67b46fb0241594edd", "type": "query", 
@@ -1447,15 +742,6 @@ }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "f48c4a2437aad0de0ff36c4dfeff61ccdccf6df20dc3ceb3cba6c9400244e0ea", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious File Creation in /etc for Persistence", "sha256": "1fd747dae1ba49d6dcc66af8535a65b79a2d9aa5d653b1ada5c3b405c9a2cd0a", "type": "eql", @@ -1463,15 +749,6 @@ }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Kubernetes Rolebindings Created", - "sha256": "2717595854d57fdf2727a0361b9f0d549070644843408b2e19e67e30e64a546e", - "type": "query", - "version": 4 - } - }, "rule_name": "Azure Kubernetes Rolebindings Created", "sha256": "d60a2598b31e2c9c16a051b1cf76726ce5d8f024423f62da4ce30e959924ff97", "type": "query", @@ -1479,15 +756,6 @@ }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "668b31747084485dad1344c6ae9695fbb86ac6b3c11bc427b08cce2b1e9cf791", - "type": "eql", - "version": 6 - } - }, "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "81f6ddaf22cbda3bb32a7e2961398f45d8b7c13328896e18d685b4b20e362ff4", "type": "eql", @@ -1495,15 +763,6 @@ }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote File Download via Script Interpreter", - "sha256": "85ae33aa6ea9da5d75b1566ea17607b7675b777fa6a3bbea99899cee587b85e5", - "type": "eql", - "version": 7 - } - }, "rule_name": "Remote File Download via Script Interpreter", "sha256": "7cec02343d3ff08b2ac5d6a0ce4e774251872a0afd63f7461cf274f3c0b6b381", "type": "eql", 
@@ -1511,15 +770,6 @@ }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "676c2d4dfe1aa314a6f063884871cc7fd0e04da8d7e3182b2b6eaae113e6f86f", - "type": "eql", - "version": 11 - } - }, "rule_name": "External IP Lookup from Non-Browser Process", "sha256": "8534a5760bfd1818cc44fb3d15cb7149d8b876996a0f11c0fc5b67c9167858b7", "type": "eql", @@ -1534,15 +784,6 @@ }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "2bc46ca9cbee507967b5dccfac7f86142c08d85ba6d3151747c404858da10b74", - "type": "eql", - "version": 10 - } - }, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "af6be416399eeaee6a1ed847e2f3679ae55f3064707456c416d0d5a409f3bebc", "type": "eql", @@ -1557,15 +798,6 @@ }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "f12a62cb3e7043b37dd8cc3bffbfdeb5a191ac0e33d733d4644b245ac3c8d252", - "type": "eql", - "version": 7 - } - }, "rule_name": "Execution of File Written or Modified by PDF Reader", "sha256": "1d2807970de7b535d0e81f99579f83e1916b9f85a0e57f9f6c52a1c2cac5dfeb", "type": "eql", @@ -1573,15 +805,6 @@ }, "1e0b832e-957e-43ae-b319-db82d228c908": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "9a24ad9aff9d1b7e5f0dd32ef47be286477cbe4f2695b212eb665007066eba72", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Storage Account Key Regenerated", "sha256": "3328d28b7049bd0768a8c49e258c4d07acf8100a03153adfeb091e534e234847", "type": "query", 
@@ -1589,15 +812,6 @@ }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Sudo Activity", - "sha256": "ea35fdcda2944c1f32b9212d1a678d78dbb16552282224aaba7c0cf16fd29716", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Unusual Sudo Activity", "sha256": "774126d5ff0196be341ea3c68dea7905f35eb1d6566b6ceb6bbc6bd4ce470691", "type": "machine_learning", @@ -1612,15 +826,6 @@ }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "d8647d38ddacdcf88500083f0009fe8c6bf67cbfa193518c40becdf8c8120be3", - "type": "machine_learning", - "version": 3 - } - }, "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "1fc7b0add8970a20b77449cde5c11d27e8002c537b9cd59f4b2c61070247705f", "type": "machine_learning", @@ -1628,15 +833,6 @@ }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "d2af4370e5ccb4aabdb1f4ce6b028ddd92fca5b5d6970163ee44af539b870b4e", - "type": "eql", - "version": 4 - } - }, "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "4f370c54b264e4444908b37b43daecca5de834600903973c1d115048023d11b0", "type": "eql", @@ -1644,15 +840,6 @@ }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": "e3f47d3e8da634596dad903884e6404a7bd1ca78392299f700ef679f0d8844b9", - "type": "query", - "version": 10 - } - }, "rule_name": "Exploit - Detected - Elastic Endgame", "sha256": "95bb907bc085874a3566cc325863a188bd1ac263ddbc008b39980f9e3ff2fd0c", "type": "query", 
@@ -1660,15 +847,6 @@ }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious .NET Code Compilation", - "sha256": "107eb5a4de0ac13cbd117ad1de8746519602749dc797b311ab7bc596399090fc", - "type": "eql", - "version": 9 - } - }, "rule_name": "Suspicious .NET Code Compilation", "sha256": "a0a9dc7ad8d0e844f8c93f4e26fb2a0c78ff0fc683245b9282dda37dac44bbf0", "type": "eql", @@ -1676,15 +854,6 @@ }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Creation or Modification of Root Certificate", - "sha256": "1832ded92050593610491cfc98ef5d0e93dd09d196b802ee1637443001ac3ff4", - "type": "eql", - "version": 5 - } - }, "rule_name": "Creation or Modification of Root Certificate", "sha256": "aa356d8e6beade4be0b288c419af9f728c5f6e1457c801d58af8d4a7f60ad392", "type": "eql", @@ -1692,15 +861,6 @@ }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "41835cffbde1bc4c8def4abccce017a21640bc560e4e697c6436a6dbaa30ac34", - "type": "query", - "version": 4 - } - }, "rule_name": "AWS Route 53 Domain Transferred to Another Account", "sha256": "1203a9aefca765c637dd8448ccab4f1ab77bde29afb5c50a859e5472893475a8", "type": "query", @@ -1708,15 +868,6 @@ }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Access of Stored Browser Credentials", - "sha256": "cc35011933319f19d5d25465cfc6b0b777e0e2c92545b9bd6d47bddd4b8ef7f3", - "type": "eql", - "version": 5 - } - }, "rule_name": "Access of Stored Browser Credentials", "sha256": "4bb7713dffb12de0b080193c5fdc54c11e70fc8d155f546cc071ee1bd094133d", "type": "eql", 
@@ -1724,15 +875,6 @@ }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "65e99f073be3045a2ed201ca6b6bf32304b1beb501977a009056ee034859e4ec", - "type": "eql", - "version": 5 - } - }, "rule_name": "LSASS Memory Dump Handle Access", "sha256": "7029a40cc6cfb90aed1a6f1287ee968dc7e224cd7bb03d53a28a1b000eeb2e9d", "type": "eql", @@ -1760,15 +902,6 @@ }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "SSH Authorized Keys File Modification", - "sha256": "422509485dcdfc86588db158efa6b71aa506a3a040879ef9d58ff360d9254116", - "type": "query", - "version": 4 - } - }, "rule_name": "SSH Authorized Keys File Modification", "sha256": "a56037b84903d61f8b7a24676a0c69ecb2d97e68cb08598e81c94929cd49514a", "type": "query", @@ -1776,15 +909,6 @@ }, "22599847-5d13-48cb-8872-5796fee8692b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "SUNBURST Command and Control Activity", - "sha256": "4f224e42287dded2b371f213fd94adea7581f4ea593ef8efe14731814f32b26e", - "type": "eql", - "version": 8 - } - }, "rule_name": "SUNBURST Command and Control Activity", "sha256": "a2070001c863fb56bf30b8b7cccbbf9193b4311815aad6e3572030988bc8dbb9", "type": "eql", @@ -1792,15 +916,6 @@ }, "227dc608-e558-43d9-b521-150772250bae": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "d6a3320318fe0bc9a9196f7470698bd1149ca127c9eb16c24f195c7f3ff1f717", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "0df73169299180ec98355a31f588e7c2bb643fb0caf65acc459ce7268ac513e4", "type": "query", 
@@ -1808,15 +923,6 @@ }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Shell via Web Server", - "sha256": "ad845b271a9ada61e663ccdc1032f4d9c07f07ce757333abfa7b481455026e2d", - "type": "query", - "version": 12 - } - }, "rule_name": "Potential Shell via Web Server", "sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1", "type": "query", @@ -1824,15 +930,6 @@ }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "6d0b3a0e08e8e535f4a76760347d2d8c15e7887ae3ac62a39f1dd16b9b27115d", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Storage Bucket Permissions Modification", "sha256": "49ac3f550305bb465cbf74ff51ba9484fbbee0c9c08cbedc36ee0a7ecf23278e", "type": "query", @@ -1840,15 +937,6 @@ }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Kernel module load via insmod", - "sha256": "2c8e5266ab5da1541a55c06d3c261f4a64776941bebe6315ba84a0f6dd0cad62", - "type": "eql", - "version": 3 - } - }, "rule_name": "Kernel module load via insmod", "sha256": "6d02160bec7dd9d1651eab6d086f21ffdceb7c892337c53fa083e5efd93712a8", "type": "eql", @@ -1856,15 +944,6 @@ }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Lateral Movement via Startup Folder", - "sha256": "b993dccca52b5d4477a99f7ef9be23ebd2ff8f22e6186ed8f9b33a6b3cb1156b", - "type": "eql", - "version": 7 - } - }, "rule_name": "Lateral Movement via Startup Folder", "sha256": "6cd32a489b66ded9921ade1bfb91ef333f806716187f36ca9bc7554b1a589019", "type": "eql", 
@@ -1872,15 +951,6 @@ }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Blob Container Access Level Modification", - "sha256": "7602867c71364d35f82ca94e41c81d3d9f612df26487ff881a23b5545d15836b", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Blob Container Access Level Modification", "sha256": "4cad95b3cb6eb2f2107dab0dafaacb3393fb7f29826d6aa31c2fd134e5745e7e", "type": "query", @@ -1888,15 +958,6 @@ }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "819355eaae5de0d1efaf7e63f85a97b5c3f010d3afeff305b789336f94202b64", - "type": "eql", - "version": 8 - } - }, "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "cabf8e1c5d440cc35f5149f32dd23cc6332af5f5ced9237a350d11f10a60084a", "type": "eql", @@ -1911,15 +972,6 @@ }, "26edba02-6979-4bce-920a-70b080a7be81": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", - "sha256": "6800b997e4c2e3b643fe0522e8af631880e58d352b074b99f40bf8fb49b14314", - "type": "query", - "version": 4 - } - }, "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", "sha256": "61c5ef7f4e05aa853ab39b31d813d371abe1daba1350e751167e8758bd66efb2", "type": "query", 
@@ -1927,15 +979,6 @@ }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "c4f5f357386b15ba28af1de205a888deaf0e001d60f39435751bee223fbc3cb7", - "type": "threshold", - "version": 10 - } - }, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", "sha256": "b1fe391f2303c93bb37c3c897a8f47d2e405bd9039dc3ddf007b4c0f84b3ab0b", "type": "threshold", @@ -1943,15 +986,6 @@ }, "272a6484-2663-46db-a532-ef734bf9a796": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "065b6a9a53f1b0d420bf42e2a57ce12b9f77684422e6dd59b66a0ad77e2b9aab", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Exchange Transport Rule Modification", "sha256": "e44cf5df8dbb32d716d2a4362cb8385e493638cb71b141aa8aa3717205bc20bc", "type": "query", @@ -1959,15 +993,6 @@ }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "089d0ecdbcb613691dc9e414c064213c63e11df6eac4880f3ee5199aa9072446", - "type": "eql", - "version": 7 - } - }, "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "257a219daec6d7a24cca66b40f6c157bddae330fd08d398351d8f00d5b52e039", "type": "eql", @@ -1975,15 +1000,6 @@ }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Firewall Rule Modification", - "sha256": "66e3eceb3d773269f1d0fd6a4e447eacdb2003685a2e44f54df142b50f7dcbac", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Firewall Rule Modification", "sha256": "f02fe7e3a75d91628a954cc250178362f1c4b7faa1a39cd41a3a2104138ffc0b", "type": "query", 
@@ -1991,15 +1007,6 @@ }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "2cf5e365a6fd347095c38267456d4deb4f7645f703c0df2c7777da604f4de7db", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Teams External Access Enabled", "sha256": "9c73b9c2b54cace47d3e2a3ef52215f855ab5f0db468115a949b43b64571e34d", "type": "query", @@ -2007,15 +1014,6 @@ }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Account Password Reset Remotely", - "sha256": "ddef55a84fc5714b3eed06cab34766ed8096ead0f5d7f47aef40646e7c4de3c8", - "type": "eql", - "version": 6 - } - }, "rule_name": "Account Password Reset Remotely", "sha256": "b38e8457cc6ea7684e8e680670c148197fdfed4d3d75b911bf2449c7b543e0fd", "type": "eql", @@ -2023,15 +1021,6 @@ }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "5176f711c953c51b47e31b596f2230e9cfd42b8195fe45785435a85f712b6fda", - "type": "eql", - "version": 15 - } - }, "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "780024af7f5c78bfa1cb4ee260a6410e3c505dbbb7fea2124dab17bd3fd19a74", "type": "eql", @@ -2039,15 +1028,6 @@ }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "282272412a4945d5f698bd3f4e9469c69c4e54b7270e15886a8e6a3fb00b4bc9", - "type": "query", - "version": 10 - } - }, "rule_name": "Exploit - Prevented - Elastic Endgame", "sha256": "27305767d7089a0c2bead91f22c1603ce3948e10ed90397be8c2155689b3ed24", "type": "query", 
@@ -2068,15 +1048,6 @@ }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "36dc480e5ec70e4c9af74ef68d2a6fd570f93d92e8df822b4b7545dea44a8cc9", - "type": "query", - "version": 7 - } - }, "rule_name": "AWS Security Group Configuration Change Detection", "sha256": "2e78a2648388f767255958ae85838c8ba40c1079aa7eb02edf60cdee127458cc", "type": "query", @@ -2084,15 +1055,6 @@ }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "72859e3a7a189ce94083d0382f1e220a0040974a14e143acd3d47e2ba1f8c8f8", - "type": "eql", - "version": 8 - } - }, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "e49cfe25277c9b82ca1e8d14e244f899d1100f9f1ed19e3b687cbdb499512d08", "type": "eql", @@ -2100,15 +1062,6 @@ }, "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Webshell Detection: Script Process Child of Common Web Processes", - "sha256": "0b3202a976dc29f3f75c66ab052467c3444264673daa31059d3f7d66a50b5132", - "type": "eql", - "version": 7 - } - }, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "b46c4dcdf187fee2a85d41e8a56d5adbc45f21ecbbfcaf0c4993c0bdbe77226d", "type": "eql", 
@@ -2116,15 +1069,6 @@ }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "a1e315972da4cc09efd55ced26e8c184ed87d6fb66a809b7e9084bfa8cca6b46", - "type": "eql", - "version": 7 - } - }, "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "ebc19e7445f08b3ab8a13977c62af6df4c78a4fc8f78a970a91908300c4203b8", "type": "eql", @@ -2133,13 +1077,6 @@ "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "min_stack_version": "8.4", "previous": { - "8.2": { - "max_allowable_version": 99, - "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "c0ee6425ca26e268371a5176086ec5beb58fc8ceae2a33daf00d09b473fc448c", - "type": "query", - "version": 3 - }, "8.3": { "max_allowable_version": 199, "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", @@ -2162,15 +1099,6 @@ }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Adobe Hijack Persistence", - "sha256": "b178ab23fa3f6c3794d7488ad3ced9780881fa75a10c9608be3649149c5b7a1b", - "type": "eql", - "version": 14 - } - }, "rule_name": "Adobe Hijack Persistence", "sha256": "7b5e2e49d08254a21e616d0d7c012423cc85c6901102e74741e76c61b954e248", "type": "eql", @@ -2178,15 +1106,6 @@ }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "46ccc5f940c4ecc1081a55bc5b907463b5f4a03443c2584c7ff5d4444897c325", - "type": "eql", - "version": 11 - } - }, "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "2afcb52f665f5f7654c4072688d0237a14783fdccd3072facde42a3d34927c21", "type": "eql", 
@@ -2194,15 +1113,6 @@ }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "a50a568f3977633c70f5057540c6eb4a81c8426cf8b417ec8d4d2be3fc4cd1f3", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "f79c93da59940cae1bebd8d7154ea7bdd93fbc304d08dad323dbb1cb92fb83a7", "type": "eql", @@ -2210,15 +1120,6 @@ }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Enumeration of Kernel Modules", - "sha256": "f78114d6df86b5c2843abb41b8c64f807f94962e9ac46f1e19b5775d401ce38b", - "type": "query", - "version": 8 - } - }, "rule_name": "Enumeration of Kernel Modules", "sha256": "4511e456a9f50c683619f539d2453155418cf0fd0db8761cc7a133e6edec44e4", "type": "query", @@ -2226,15 +1127,6 @@ }, "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "b769e06899d9619b0a54a288034e007dcc8ea8a8401422cf67dba285e087b633", - "type": "eql", - "version": 6 - } - }, "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "3b3ddba869e13927b934a13feee218fb9bad9fabb073b8b394da384cba92276f", "type": "eql", @@ -2242,15 +1134,6 @@ }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "9427e6829127b009d4e0423ca57d1ef4fa2e36f94ee01872755bcb8028c4135a", - "type": "threshold", - "version": 7 - } - }, "rule_name": "O365 Excessive Single Sign-On Logon Errors", "sha256": "1d488ef91e96ded9a1b9dfddd9e26c6a2fdae410b8d33c28258f21f2c899bdf9", "type": "threshold", 
@@ -2265,15 +1148,6 @@ }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "8acf72dc610beddfe319ee7a8c6fb03105880620d6c3c0d1a9863e0370b598e3", - "type": "eql", - "version": 9 - } - }, "rule_name": "Renamed AutoIt Scripts Interpreter", "sha256": "8745b588d14eb55c481e38cf15207d2321402bca2b30f3d85a71a7d3c8fde456", "type": "eql", @@ -2281,15 +1155,6 @@ }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Process Injection via PowerShell", - "sha256": "cc671371e4839eb14f885ef52c5e4762055d1a8fd43f3bdd3f2b209cbbddbcdd", - "type": "query", - "version": 8 - } - }, "rule_name": "Potential Process Injection via PowerShell", "sha256": "3c3c556039031f84eae43e7dc89ed38149e37a1c65aa1ef16929a4a10c420ff8", "type": "query", @@ -2297,15 +1162,6 @@ }, "2e580225-2a58-48ef-938b-572933be06fe": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954", - "type": "query", - "version": 6 - } - }, "rule_name": "Halfbaked Command and Control Beacon", "sha256": "846c561aa886bc0c006237aec72dd464697e504a852617c4245e047b9b8514c9", "type": "query", @@ -2313,15 +1169,6 @@ }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Creation of a Hidden Local User Account", - "sha256": "db902f8c25b3bb1600a3e7e89328228a086bbda8655946640882d39f011d2162", - "type": "eql", - "version": 7 - } - }, "rule_name": "Creation of a Hidden Local User Account", "sha256": "3f82c82a2c8e77ccbe63f3cd01571f9eb976b90c2f691b676d62bb3ee3d82f32", "type": "eql", 
@@ -2329,15 +1176,6 @@ }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Kubernetes Rolebindings Created or Patched", - "sha256": "b8e4625040554d5c1f2451a70b6f3e297aa34486444490e23fe522132ac22254", - "type": "query", - "version": 5 - } - }, "rule_name": "GCP Kubernetes Rolebindings Created or Patched", "sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830", "type": "query", @@ -2345,15 +1183,6 @@ }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "783f7f7d5000b69b13e7a69593dcfa30f5a6f3718b7709cc35c9a861f5e79aac", - "type": "query", - "version": 9 - } - }, "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "0afbdaba7acf15c3327cb32ed68d2c343874a091c7227234d3a5679d97e08039", "type": "query", @@ -2361,15 +1190,6 @@ }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Disable Syslog Service", - "sha256": "dfe5b7e2dfdfef3b551d95c11686821ad9a6ac5e23d9c1fdf901d716bc7969e6", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Disable Syslog Service", "sha256": "4a844fe4c14f73c2ed158be5b0f7c460d370964877850b58b1c05028802ae183", "type": "query", 
@@ -2377,15 +1197,6 @@ }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "7cfa769e4622b0dcaa8fd6d4d1dfab115f59e2ad039c747fb202045f037bc07c", - "type": "eql", - "version": 6 - } - }, "rule_name": "Startup Folder Persistence via Unsigned Process", "sha256": "99c7a3702e081f50034ee2a6f485707a2bf0fde4033f331cbe03272cf951a811", "type": "eql", @@ -2393,15 +1204,6 @@ }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "c63aadf9db63ccaf7ddbf7b7161c6cee10ab37bc1bfd97c9dcdfd673409e876d", - "type": "eql", - "version": 9 - } - }, "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "6a20e7aaf678bc1dbad20cc522972860e3c0d7ce6a419809d5ad14dbf0d59b0f", "type": "eql", @@ -2409,15 +1211,6 @@ }, "30562697-9859-4ae0-a8c5-dab45d664170": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Firewall Rule Creation", - "sha256": "ff221c9a9ebc80ae9b08b0f866baa376ad28f3c06c3745cddbd372115ad46b77", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Firewall Rule Creation", "sha256": "87515e6e3ccb1c2f7a19fcf70e79b03509d22901c630a765fc504ebbd3b5b663", "type": "query", @@ -2432,15 +1225,6 @@ }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Agent Spoofing - Mismatched Agent ID", - "sha256": "d067277b6d08d5e3fe395beecf2eb4a88a5ca6ae5691b52a1d334bae5e23661e", - "type": "query", - "version": 5 - } - }, "rule_name": "Agent Spoofing - Mismatched Agent ID", "sha256": "10c613afa51415b16d20d908959aff6312558e02c66d990e5bed76cd9736396f", "type": "query", 
@@ -2448,15 +1232,6 @@ }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "943fea62ed46d1726416acf34d120b55397d708ea2908776307bfd1cc2ef6bb4", - "type": "query", - "version": 8 - } - }, "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", "sha256": "0ecd023337890a68318fe076b3b7d30c7a36d3cdea28c26494e94930ed77e8da", "type": "query", @@ -2464,15 +1239,6 @@ }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Bypass UAC via Event Viewer", - "sha256": "364cb88794750124cf291c05db0ec791a411800f8b5a0892215efa1b21ac7168", - "type": "eql", - "version": 13 - } - }, "rule_name": "Bypass UAC via Event Viewer", "sha256": "e6dd05ab48be0d806b524c682a43ae2d060785382d48522b0608c1344c442b3c", "type": "eql", @@ -2480,15 +1246,6 @@ }, "3202e172-01b1-4738-a932-d024c514ba72": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "d733a231bb4bb41883ff22688ac80673160772a01a9cb0a01d30d6f82de76a83", - "type": "query", - "version": 9 - } - }, "rule_name": "GCP Pub/Sub Topic Deletion", "sha256": "b90fc815a3bd68bc08a8d7149141fc1583256783ba0197c4434a1fdc7258c4e6", "type": "query", @@ -2496,15 +1253,6 @@ }, "323cb487-279d-4218-bcbd-a568efe930c6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Network Watcher Deletion", - "sha256": "95f906464f7aea6a76e1cb3ac05699945bc15d2fe8449f4971b45ce615ccc662", - "type": "query", - "version": 9 - } - }, "rule_name": "Azure Network Watcher Deletion", "sha256": "6ef41c449f78258c39b4bb1940c9e184e32ee4a1b272d2362a90a87fbf09bf91", "type": "query", 
@@ -2512,15 +1260,6 @@ }, "32923416-763a-4531-bb35-f33b9232ecdb": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "a24945bab294eaacfcf22ab684f83b21b48698fc1861f44d1ac9c1c11fc23181", - "type": "query", - "version": 13 - } - }, "rule_name": "RPC (Remote Procedure Call) to the Internet", "sha256": "6e1b6cf51240cf453c37dad7191ec4cdc1fb33672d8965a73e4a0bfd65b82ec0", "type": "query", @@ -2528,15 +1267,6 @@ }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Program Files Directory Masquerading", - "sha256": "c2b106c6d1f8fe88d7d17a876ffb805d98a7ff98312c1a0b063079ade73aace4", - "type": "eql", - "version": 10 - } - }, "rule_name": "Program Files Directory Masquerading", "sha256": "39cbf31a7c86af526f140195342c309abcfb0a6657e2cd33995a48af7f28dd2a", "type": "eql", @@ -2544,15 +1274,6 @@ }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "cad3761270f406d3de6f1b31a7af654c06ff4ad72de8f0cc56f72056b56bb3c1", - "type": "eql", - "version": 13 - } - }, "rule_name": "Suspicious MS Outlook Child Process", "sha256": "d0126c4cd1a06294ebb2feaca58b8741fa6a4855a598fd810d162b92f92368f7", "type": "eql", @@ -2560,15 +1281,6 @@ }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS IAM User Addition to Group", - "sha256": "c9c22a0c2b777489ba4b3aa4c246cf6aaffaebdae98094cdd4039d9331d30f9c", - "type": "query", - "version": 9 - } - }, "rule_name": "AWS IAM User Addition to Group", "sha256": "f9f64c8c43dbc542a243f90cb1f8998195b05c0787494a7b83a18b9d7108a758", "type": "query", 
@@ -2583,15 +1295,6 @@ }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote File Download via PowerShell", - "sha256": "ce6834d9dafd66f45445b3fb0a4245eed24500579f2af85682e5e6571a13435e", - "type": "eql", - "version": 7 - } - }, "rule_name": "Remote File Download via PowerShell", "sha256": "d0949b603c3913e7945e19e617f6d1788bad46c1317fb28bc362073ee6f2cb37", "type": "eql", @@ -2599,22 +1302,6 @@ }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 13, - "rule_name": "Telnet Port Activity", - "sha256": "3dd4a438c915920e6ddb0a5212603af5d94fb8a6b51a32f223d930d7e3becb89", - "type": "query", - "version": 11 - }, - "8.2": { - "max_allowable_version": 99, - "rule_name": "Telnet Port Activity", - "sha256": "b0bdfa73639226fb83eadc0303ad1801e0707743f96a36209aa58228d3bf6a89", - "type": "query", - "version": 14 - } - }, "rule_name": "Accepted Default Telnet Port Connection", "sha256": "15e7fe1aab91be2d8c8cf7662336d7e3db7dc28dd6aee3d08f863c2039c555b9", "type": "query", @@ -2622,15 +1309,6 @@ }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "244d04452b6c549e3bdb8a09990c159076e5b753b56ecd32209f2812d411b7f0", - "type": "query", - "version": 3 - } - }, "rule_name": "Execution via Electron Child Process Node.js Module", "sha256": "b5a9316d1ca4cd3931bdde21f87bd81576edf3bacc0cd5b76d00cde9c16948bf", "type": "query", 
@@ -2638,15 +1316,6 @@ }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Port Forwarding Rule Addition", - "sha256": "8bc206952bdfb0f4a3e80173859884ddc65ed10c87622cf11b8a074a6d6bb7b7", - "type": "eql", - "version": 10 - } - }, "rule_name": "Port Forwarding Rule Addition", "sha256": "49117c156432d51a3b42d0527724cd065934238093e1bd540c8ed040187cbffc", "type": "eql", @@ -2654,15 +1323,6 @@ }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Parent-Child Relationship", - "sha256": "7c5a48d477f750354508c02ec3d9004066b56b5ce2c688d01d44c7cd329e9787", - "type": "eql", - "version": 14 - } - }, "rule_name": "Unusual Parent-Child Relationship", "sha256": "392cb3c47fecd3621ace510af1fcae7fadade8370632852e3428f690fccae275", "type": "eql", @@ -2670,15 +1330,6 @@ }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Network Traffic to Rare Destination Country", "sha256": "e2d23c8d2e836c669931d99cb1c47b64b5b441262a0744cf7d4d9826e1f6c6eb", "type": "machine_learning", @@ -2692,15 +1343,6 @@ }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Process Started from Process ID (PID) File", - "sha256": "fb229621998495e7b0380c1bc096587e6dd9344371b3f2be0cfc6c4dcca4c3d8", - "type": "eql", - "version": 3 - } - }, "rule_name": "Process Started from Process ID (PID) File", "sha256": "ac556a22f0203126ff2ad707b23646f38f4499e1bb384eb4449705b2dbea40c3", "type": "eql", 
@@ -2708,15 +1350,6 @@ }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "7aa10957a516fe37a541e25ea0eb405baa887338b7cd95b080d7cb5f496e3eee", - "type": "eql", - "version": 6 - } - }, "rule_name": "Suspicious ImagePath Service Creation", "sha256": "9cd1fabb072bbb552bf57d8707f7557100b20d09ffb67bc0ec4204cf039bbcdd", "type": "eql", @@ -2724,15 +1357,6 @@ }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS RDS Security Group Creation", - "sha256": "25100adc67a2737ddd09ab2dd8c635399ad873710c0242f0e6afa3e58e3d979c", - "type": "query", - "version": 6 - } - }, "rule_name": "AWS RDS Security Group Creation", "sha256": "9d96d07aa52c6d6bdbdb1fdbf10e88f57bce34f4c16414ed6ed605da7916c137", "type": "query", @@ -2740,15 +1364,6 @@ }, "37994bca-0611-4500-ab67-5588afe73b77": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Active Directory High Risk Sign-in", - "sha256": "c7cc75526928d591ed126201c83d478b9222386698b765bee0f764952c683a1f", - "type": "query", - "version": 6 - } - }, "rule_name": "Azure Active Directory High Risk Sign-in", "sha256": "1817eadf9b1e8d7744fe1dabaa9ad4fc2548be336b168c43b152b519c035981a", "type": "query", @@ -2762,15 +1377,6 @@ }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Execution via System Manager", - "sha256": "3b588a6ca2d1186405396678aac45e8c22ad34e9a2cd091dcdb7ef3dae53bfbf", - "type": "query", - "version": 9 - } - }, "rule_name": "AWS Execution via System Manager", "sha256": "2013db420f2c10500719738b10d4ea2af48b9d5413a8c01882b5eb9d87376aa8", "type": "query", 
@@ -2778,15 +1384,6 @@ }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "045d8e7502b926e26ab18b5c5f28ed08e69a2ea66c929a788fa41fa077a9b994", - "type": "eql", - "version": 4 - } - }, "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "44ba64644024dc54a25d00866226a3e9e7e7a52551f6ac637c18327258d611a3", "type": "eql", @@ -2794,15 +1391,6 @@ }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "13da5f81dbdb334792b90ef620648df28a3b0cb81086b956da96c3011943b7d2", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "5dc3d4b26fb6d7a5870f5b587f98ded53d043ff35b39a5d1a79e515e57488dff", "type": "query", @@ -2810,15 +1398,6 @@ }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Network Connection via Certutil", - "sha256": "e2a886833c9313e5ed1648b2cd0aa48e43a796ee388021298e7f72833fdfc449", - "type": "eql", - "version": 11 - } - }, "rule_name": "Network Connection via Certutil", "sha256": "014e9114233036b42f2d528848e5a4ec500d6dfd8321bafd6144fb0d573c8508", "type": "eql", @@ -2826,15 +1405,6 @@ }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "0911285f8149632adde696e8aafb25cceed0b7fff1a508891c1b8ed5e9dac922", - "type": "eql", - "version": 7 - } - }, "rule_name": "Prompt for Credentials with OSASCRIPT", "sha256": "0d1ee1272f55ea776d1fd4ebffed1b50c4ce82dc55d0b03ebf23e84727695003", "type": "eql", 
@@ -2842,15 +1412,6 @@ }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "User Added as Owner for Azure Service Principal", - "sha256": "13224c93738cb87ff2afafd59555be1bb67d931a78e830dc523f190e8f57379b", - "type": "query", - "version": 8 - } - }, "rule_name": "User Added as Owner for Azure Service Principal", "sha256": "97d1d34640ed067b24cd9c6aec92a3218d38a9e44e5e1c3858822b9f355e152e", "type": "query", @@ -2865,15 +1426,6 @@ }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "5807817c0cf3d448a595125d017ba9fb9d059f06cb6e042ba576786a3ed1adcd", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS EC2 Network Access Control List Creation", "sha256": "52afd39f5c5af5e2d8ad2a3100837da61ec94eb0d36d6e8916e2a23a37b1ef4e", "type": "query", @@ -2881,15 +1433,6 @@ }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "56ea439ae2b7c5e6b41ca7f0768cc34d29247563a1d2d643811d659e054f7fed", - "type": "eql", - "version": 7 - } - }, "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "e1dcefec6af145ae901faf505f9986afc7132c91a6f6a354481f1cc39083f09d", "type": "eql", @@ -2897,15 +1440,6 @@ }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "a242912740790ad096664c63b49e11e932516bbf3e5a54b0b58a023d4c426a48", - "type": "threshold", - "version": 7 - } - }, "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "e137f7851ed47fcbbd83209b3a13bd45a16a48a068989b5d9022a1d5908b51b2", "type": "threshold", 
@@ -2926,15 +1460,6 @@ }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "c4676a3d068513cb10f5aa0250eff137b1a106243c2fcd7d9b1d6297c293ed1c", - "type": "query", - "version": 13 - } - }, "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "bbcc9ecd7b10f4e3d3eeebb7532731a3be93c1cdc5be362edd4643a610990c99", "type": "query", @@ -2942,15 +1467,6 @@ }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Full Network Packet Capture Detected", - "sha256": "c9c718b423aee91718c0bf62f1ab14a94fe7cce3c1049c045276b5fd699561ba", - "type": "query", - "version": 4 - } - }, "rule_name": "Azure Full Network Packet Capture Detected", "sha256": "ed7c759eb27766427a4ddb53b35f5c39aadeb89cbe40c95c3cfd0a943127616e", "type": "query", @@ -2958,15 +1474,6 @@ }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Malware - Prevented - Elastic Endgame", - "sha256": "008ca865a5c7a86ce57350c20eed12f164ec20344bf2ac5aa30ba2ac6569884c", - "type": "query", - "version": 9 - } - }, "rule_name": "Malware - Prevented - Elastic Endgame", "sha256": "c68b4300522aeae03fc3516d2d25931b932ecde33cb71de6e93d31c77490ef3d", "type": "query", @@ -2974,15 +1481,6 @@ }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "f81811cb000b7963e364dacd66eb8b69a136a29dc8855ecddb89d21d0041d617", - "type": "eql", - "version": 8 - } - }, "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "22086f0e2ce9875655d47be82a380eb6e0500c9063bfe9706136c418191e5d96", "type": "eql", 
@@ -2990,15 +1488,6 @@ }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "NTDS or SAM Database File Copied", - "sha256": "e164f1dead9cc83510d1756090ae6dfc77c8dcbfca29674471aa62232dad8c8f", - "type": "eql", - "version": 9 - } - }, "rule_name": "NTDS or SAM Database File Copied", "sha256": "a2c7733553d732bc6ce68234daf7bb9707c289256ef2ca9f996dc7e62a0208fb", "type": "eql", @@ -3006,15 +1495,6 @@ }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Linux Network Port Activity", - "sha256": "812b60afbec769e09def857ab8078ccd803d393f5f2fdd30ab043a95574a9df6", - "type": "machine_learning", - "version": 5 - } - }, "rule_name": "Unusual Linux Network Port Activity", "sha256": "965033b4984695bbfb8153b24254c3c543d01af03d7c7f769004ade7dce02316", "type": "machine_learning", @@ -3022,15 +1502,6 @@ }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS CloudTrail Log Updated", - "sha256": "e4a35e3746eb87acf3634c20147f086f31ba60bf865a7071d2e487e805ba8f49", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS CloudTrail Log Updated", "sha256": "4ea1b047bb45f7cce1ed5f5b93feefcb9e86ab41b3125a936d3812a4e5c29c36", "type": "query", @@ -3045,15 +1516,6 @@ }, "3e3d15c6-1509-479a-b125-21718372157e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Emond Child Process", - "sha256": "60ad0bc321eee4f3d4d9a5346985b65aa95105034d55525170670faa700a9663", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious Emond Child Process", "sha256": "f968dbbe6833512c669f5fd67cdb59f4ae762253fc070f8adbbe41d0eceebabe", "type": "eql", 
@@ -3061,15 +1523,6 @@ }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "c912293b3805322572fe2894ed6cb070418e166e88d9c9d44065e3e7a8fa9373", - "type": "eql", - "version": 7 - } - }, "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "672953828261d4ac8b2ddf31a745e7851fdaec33af943b2fdf023c429cb6f78f", "type": "eql", @@ -3077,15 +1530,6 @@ }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "3d971d8d3f05861e0d92880b25c50c248d3638001e5fbd8e6ec0e690c5b1b2a6", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious Process Creation CallTrace", "sha256": "14543076c7e4ad378491ac1d8b53dc270a163251ca0cfae7c1b40d4cf49d7a30", "type": "eql", @@ -3093,15 +1537,6 @@ }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "0bf5a30ac72fec595c33431fa1e1bdc2925b1dd387b50d13e0a43796998c58b1", - "type": "threshold", - "version": 9 - } - }, "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", "sha256": "c2c2f1f18bd31515f4fbc65a849bdb58c56ead6aa70b4d4fb8aaee1449fdb474", "type": "threshold", 
@@ -3109,15 +1544,6 @@ }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "CyberArk Privileged Access Security Error", - "sha256": "bb434ddf7feb733a486db86a3bae859e6dacf37ab4f237124aee3545eab372f5", - "type": "query", - "version": 4 - } - }, "rule_name": "CyberArk Privileged Access Security Error", "sha256": "eac32a4108db050129c6234b8b03ef41e888ffedde7571c022877c1796c3c574", "type": "query", @@ -3125,15 +1551,6 @@ }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "ecb4904f46329f1d5fb6bfc35aecf483751ef689a4287ddd8b45c72ffaa7d4e5", - "type": "eql", - "version": 4 - } - }, "rule_name": "Binary Executed from Shared Memory Directory", "sha256": "bf56356a346a0da16ac9016af79b1a6f0eb5a362275acf07fa20e79e7ecb2556", "type": "eql", @@ -3141,15 +1558,6 @@ }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Persistence via Services Registry", - "sha256": "9d7ea3e58be2ab3e6c229d05df37c0f1dc248bdbd5e68c0fb8665051eac97e01", - "type": "eql", - "version": 7 - } - }, "rule_name": "Unusual Persistence via Services Registry", "sha256": "1688156f3dd9d68553fbaa8eaa259b1efa19e91ed7d3b73c6a8f3d9db30539b0", "type": "eql", @@ -3157,15 +1565,6 @@ }, "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "e3169a15a582ed381d71ec7441f39b94e7b70ef75eeb2f899062384c1bcdbc2d", - "type": "eql", - "version": 6 - } - }, "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "165f98a858345927a3a807b86cbb704cbc5473ccd7d0afac46698fdd6d62f483", "type": "eql", 
@@ -3173,15 +1572,6 @@ }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "EggShell Backdoor Execution", - "sha256": "5ffb48fcc0228a90e171449a6aba484182df9781408e5c1306a4217261769daf", - "type": "query", - "version": 4 - } - }, "rule_name": "EggShell Backdoor Execution", "sha256": "f5664f6d22aa17c0d8a19b1c354d5b527c55951fd8c2b1931b4adc9bd15ed203", "type": "query", @@ -3189,15 +1579,6 @@ }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "e37a197e231dd5c778e7e2eba8094aeb962e5ce1fd3f101370d7c0dbc2a24ff4", - "type": "query", - "version": 3 - } - }, "rule_name": "Potential Hidden Local User Account Creation", "sha256": "ea479dc0b5ae37a63bb40f924465763e853cc501e161367c13cb9e9d650e7e1b", "type": "query", @@ -3212,15 +1593,6 @@ }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "47d01123e73660000a53d24eb5e14dd39a5c983cc1c554abd5436125dbb7e3b6", - "type": "threshold", - "version": 8 - } - }, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "20c32ae0449654c229d96f32b7577f83c6e1990b578aa631578de9a5d8c5d0c1", "type": "threshold", @@ -3235,15 +1607,6 @@ }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Login Activity", - "sha256": "3f35fdeeb2a9009f7f98d3094d9923caff8ad61e07dbaeb0f483e5de46092849", - "type": "machine_learning", - "version": 4 - } - }, "rule_name": "Unusual Login Activity", "sha256": "cdaceb5b80344a1b354c6bccd2f61beccb4bf0fa62b867fd1160e0ab898b85e6", "type": "machine_learning", 
@@ -3251,15 +1614,6 @@ }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Web Application Suspicious Activity: No User Agent", - "sha256": "e4e4fed016f2f7f95e0547e9880feb0a83a077b476bc20dd27ac1cd3a58b577d", - "type": "query", - "version": 9 - } - }, "rule_name": "Web Application Suspicious Activity: No User Agent", "sha256": "56755b194b100eeda470eb0855c654fe20b327e1b99fdbecaa104209728e5b4b", "type": "query", @@ -3267,15 +1621,6 @@ }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "cfb507a36698d0446c774fc7ef06ef4b5de6d367ca531d909f6f096e95896ba1", - "type": "eql", - "version": 8 - } - }, "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "5a5d4c3c1d036f652860ab42c84543cc91cdcdab19ba7da81cf4284d6d9dede8", "type": "eql", @@ -3283,15 +1628,6 @@ }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Windows Path Activity", - "sha256": "845885ac400eacce386fbf5040713ed065a66b447e5ddf8f450e0939c64bab9a", - "type": "machine_learning", - "version": 5 - } - }, "rule_name": "Unusual Windows Path Activity", "sha256": "2fee9087c66ddc4dbc6c67906bb024b58dec2cba7498d7d9b3f697c19a858071", "type": "machine_learning", @@ -3306,15 +1642,6 @@ }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Permission Theft - Prevented - Elastic Endgame", - "sha256": "f3d686edf2d9ca3878005a30ce88485d9ef2a2120659c70763d60dca188661b9", - "type": "query", - "version": 10 - } - }, "rule_name": "Permission Theft - Prevented - Elastic Endgame", "sha256": "57da49505fa7a935e774a271cd364bf67750bc8021808efebe06fbdec618e335", "type": "query", 
@@ -3322,15 +1649,6 @@ }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows Event Logs Cleared", - "sha256": "22523a171ded4e5880a944e7f2bd14015c141eb0f2a9fdea86bfe18ab758ecf7", - "type": "query", - "version": 7 - } - }, "rule_name": "Windows Event Logs Cleared", "sha256": "ee11fb1944e7cc8f000dca73491c709d7bf9426c59a097b88c8cbad284dfb838", "type": "query", @@ -3338,15 +1656,6 @@ }, "45d273fb-1dca-457d-9855-bcb302180c21": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "ac2eca72a473716bdda62693b2f9724aeadb537a5476776b76e8191eb71e12cc", - "type": "eql", - "version": 9 - } - }, "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "57d0984a0a22e025af5d4d25514c62f77ee50e2843623e6df024ac2d09bc19e4", "type": "eql", @@ -3354,22 +1663,6 @@ }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 15, - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "e42e40c2baa181d6c3f51c29b3ad19394bba3709da075d2c61d17bf16d393bb9", - "type": "eql", - "version": 13 - }, - "8.2": { - "max_allowable_version": 99, - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "6f997eb7cf9d5091b1747d41b5ca87f485f9515b7a8ea120ee5dc1f143d9d810", - "type": "eql", - "version": 16 - } - }, "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "c95054727729dfcf78146eb0d59d4f4861a78c4eae9eb75b70e5c79b55eda27c", "type": "eql", 
@@ -3377,15 +1670,6 @@ }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "2fb5a3528f28bea1d5629229379f286d3d7b2c4dd003ee69343bb3ac9a1944b8", - "type": "eql", - "version": 3 - } - }, "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "9764637bd2050ec69bc27cb45b392fedf6f08f83291b2729629df5ee138476f0", "type": "eql", @@ -3393,15 +1677,6 @@ }, "46f804f5-b289-43d6-a881-9387cf594f75": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Process For a Linux Host", - "sha256": "5dec41bb8c572f24b5a47b3903e2d4e2fd9bfe5a6a86789f0b50c1c52d956af6", - "type": "machine_learning", - "version": 7 - } - }, "rule_name": "Unusual Process For a Linux Host", "sha256": "3f0ec77da4a1ee3ce1b5be00ecb5d48e9d3055dc19b8f9cc470ebe85f45c718b", "type": "machine_learning", @@ -3423,15 +1698,6 @@ }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "9d24cbe6c80544c362d427e1b23f7acef6a8dc871e8b89160ec935e35eeedd53", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "d6a9bcfaddb37f31b3411499f1c2870454642246efb1bca00035e71122ae4794", "type": "eql", @@ -3445,15 +1711,6 @@ }, "47f76567-d58a-4fed-b32b-21f571e28910": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Apple Script Execution followed by Network Connection", - "sha256": "f7ddac7735b02e68cd1d642a6db3d68fd155364d19743b482f51b26decb0e61d", - "type": "eql", - "version": 6 - } - }, "rule_name": "Apple Script Execution followed by Network Connection", "sha256": "685dd27478567e801e3987edc6b43fb24014a13a1c19ed558caf8e9472b62243", "type": "eql", 
@@ -3461,15 +1718,6 @@ }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "496bfb9b3f67c01e4e370424e21a9a6ea701f672c17bd05201f5ac349e788564", - "type": "eql", - "version": 5 - } - }, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "4955582887ac414ac1a4ffb930f0c5b70fee55137cb588f6c6cd9e0b39c43cbb", "type": "eql", @@ -3484,15 +1732,6 @@ }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "5d1cbe92ec650c7766655f7a43846444576f39f460ebd7fbbba20175343861bd", - "type": "eql", - "version": 6 - } - }, "rule_name": "Unexpected Child Process of macOS Screensaver Engine", "sha256": "ae22bea026824f7536330317bd166123a038b9fdc4d905d575e3990c5cbdf010", "type": "eql", @@ -3500,15 +1739,6 @@ }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Persistence via Periodic Tasks", - "sha256": "6cc74d6a74abae157494c559cbc80c499212df19327c2345e899fc8d77a1a089", - "type": "query", - "version": 3 - } - }, "rule_name": "Potential Persistence via Periodic Tasks", "sha256": "25f11627c5f96622ef4b290298d91f638424db136fb1d737f72849454fc52268", "type": "query", 
@@ -3516,15 +1746,6 @@ }, "493834ca-f861-414c-8602-150d5505b777": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "829bb3432a7664715c5b96c2be6d56e4f957db320f71657203632e61e44b6fe0", - "type": "threshold", - "version": 4 - } - }, "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", "sha256": "c0189c96284facaab70cb39582539f6df586acf5eaa01b3c326823c643b90a68", "type": "threshold", @@ -3548,15 +1769,6 @@ }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "38a9ef4430e706f69e3f25e3775ef9ab5247933a6448daed8075c460dd5d4369", - "type": "query", - "version": 6 - } - }, "rule_name": "Possible FIN7 DGA Command and Control Behavior", "sha256": "415aab90dbe7f905c62073c0aa550090f429218aa6b8f2465ab705f404348b45", "type": "query", @@ -3564,15 +1776,6 @@ }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "31b403ff6fa07ce7ed4ab81d3c6554a1563e623e1b134195b20053548660cddd", - "type": "eql", - "version": 15 - } - }, "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "3e73af83ebc6ba0e95169421994d295e4e2e90923930d77a5d09ebaf50d7cdda", "type": "eql", 
@@ -3587,15 +1790,6 @@ }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "6192e34c6abd68cbba835735bd7136ea29ded5dc353ae9ccf07cc693f0c679e7", - "type": "eql", - "version": 9 - } - }, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "be29c8666e298e01c32c4103f4a480fe4c8b3cab6f2443a86e1168732e21b547", "type": "eql", @@ -3610,15 +1804,6 @@ }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "3ed8a98d1ef9c21203e4ec08b63e50526e3000773836588648145b0b130d7f44", - "type": "threshold", - "version": 6 - } - }, "rule_name": "AWS Management Console Brute Force of Root User Identity", "sha256": "c42869c8bcce2f2ae75d8e6bd8e7e4898b1d7fe4f71201af04b85571fc4ab2c1", "type": "threshold", @@ -3626,15 +1811,6 @@ }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "4c07864c9de0c88831a1a1b704628a56126012edebf132cb12045866c2d0f24e", - "type": "query", - "version": 4 - } - }, "rule_name": "Attempt to Disable Gatekeeper", "sha256": "361e41723ea4953a48aff9241e87199571be4ba155a6f3af19cf38b5f0abab78", "type": "query", 
@@ -3642,15 +1818,6 @@ }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "51d1269f8e2276398c0f5d29467e8bdd1f4dbb5235021d0dc5f3b251fb6c39d7", - "type": "eql", - "version": 8 - } - }, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "9b1de654404804cd58d14ebb8dbeb49ebbcd692caa7a6907e61d4253d0ba48a8", "type": "eql", @@ -3672,15 +1839,6 @@ }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "c86bcd9cdb30e9d9ac9367c672dd7e6025fa45e77981d513a20dc812028f7af3", - "type": "eql", - "version": 8 - } - }, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "49eddcc02c1f0615daf198e246edd82009c962e79774d4845fe44d4a1af4f524", "type": "eql", @@ -3688,15 +1846,6 @@ }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Script Object Execution", - "sha256": "129776c510bb194a778681da82bc2c956b71ac053f38dea10117b4985192b247", - "type": "eql", - "version": 7 - } - }, "rule_name": "Suspicious Script Object Execution", "sha256": "b4db7f218b043bc3bc3077473ad4b5b78204704c1b4fada76a4d3f1db4273c29", "type": "eql", @@ -3704,15 +1853,6 @@ }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "ee5d812977b79c71b85e4e55336fcc15c2d20188d2b5fcd9ac21b6fd496817ab", - "type": "query", - "version": 5 - } - }, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "b3b118ad1059195cca5ad6345c2480031da54ca94602e5e88c8446dbf90c793f", "type": "query", 
@@ -3720,15 +1860,6 @@ }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution via TSClient Mountpoint", - "sha256": "7cb63a043aff02554c012274584ff7ff80fc6723a0d6c1f983206c216fd55eb0", - "type": "eql", - "version": 7 - } - }, "rule_name": "Execution via TSClient Mountpoint", "sha256": "a2b74cece703ec89b5917f9974968b6645b0b34d2796d1ad495332b43f60e148", "type": "eql", @@ -3736,15 +1867,6 @@ }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "57dbd74bfd822602da425403e0a3c431ecdb96eac9008a235f5225a553549e1f", - "type": "eql", - "version": 8 - } - }, "rule_name": "Registry Persistence via AppCert DLL", "sha256": "8b053d044fcdf2dda7bc2c0ce924cfa03ac38542627e21fa7b3bdc3f4eacbd8d", "type": "eql", @@ -3752,15 +1874,6 @@ }, "514121ce-c7b6-474a-8237-68ff71672379": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "b48aa189d57f533507819f12b46f526cb6d7ab0c49bcdf4ebf4d1de29b2c34c5", - "type": "query", - "version": 9 - } - }, "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "sha256": "4b3ee12f6ed02b5f7a530627ebcf4a03977f654840b6fa6044a377809b7ce8f2", "type": "query", @@ -3768,15 +1881,6 @@ }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Logging Sink Deletion", - "sha256": "48a7d8bc2c9f506512eeea79d30612f16df12aa5dca84286fd93f7fb9d885976", - "type": "query", - "version": 9 - } - }, "rule_name": "GCP Logging Sink Deletion", "sha256": "7fe926c1696acefe5743902316b816b07b0c68f93be011e9c2402866b3466dac", "type": "query", 
@@ -3784,15 +1888,6 @@ }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "7add00e6f6097cc99daf7fcee026068a09e75a93763bd1b69733f2bc73d53aa4", - "type": "eql", - "version": 7 - } - }, "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "867fcc950e3b4ed1e73e2b839031c596d23839dc313e44d602de75fadee6e3b4", "type": "eql", @@ -3800,15 +1895,6 @@ }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "afd6a56c29475450e04c09eaf498ce483ade18d2de1b79d09af2820957f0073a", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS GuardDuty Detector Deletion", "sha256": "e7a27d3aee7df88116c49a7af4f9b3b557ed48c4a16e4b0b5937f67e41338e4f", "type": "query", @@ -3816,15 +1902,6 @@ }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "1bd60ae858ac0dcb98eab6ad5625674d60d39feb72b2c399e8f9deccd5440abe", - "type": "eql", - "version": 4 - } - }, "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", "sha256": "45d98ebd2f889a76448a6084317f103aedc0857d939d974f5356192c388071cc", "type": "eql", @@ -3832,15 +1909,6 @@ }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "3985e64b901dcf6691814ebd08009710ba3dd6a53bed60613bdedffd86599cfc", - "type": "eql", - "version": 13 - } - }, "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "906654c8d5c7082a8b13cb88e5cf252c890785c90a7e5b4a71f4dd53e0bcc0fd", "type": "eql", 
@@ -3848,15 +1916,6 @@ }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Linux Network Activity", - "sha256": "64ae86b5af4ca19baebe75a2791db256410a0bb32de52364fffef246f551bc18", - "type": "machine_learning", - "version": 6 - } - }, "rule_name": "Unusual Linux Network Activity", "sha256": "43863eec75a65adda2517d686871e142cfe0cedd1a003b9e939a334b8fdb918e", "type": "machine_learning", @@ -3876,15 +1935,6 @@ }, "530178da-92ea-43ce-94c2-8877a826783d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious CronTab Creation or Modification", - "sha256": "d3884fdedd271fd8ef68a5e1be9cd5b96f723566fb795594d2c41cdfd708cf0e", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious CronTab Creation or Modification", "sha256": "1cfab13a7773458aaffb8d9fcd61858f1a828710428d6924a252cc3c3482dc2e", "type": "eql", @@ -3892,15 +1942,6 @@ }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "3619ee48c368bfefcad2d7adc1df941162570787ba6b770591b8c394d54b3e7d", - "type": "query", - "version": 6 - } - }, "rule_name": "AWS EFS File System or Mount Deleted", "sha256": "fefddfd01d7302de37ec51bb9711efb2cd727258c44850856d33e53ec577e90a", "type": "query", @@ -3908,15 +1949,6 @@ }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Diagnostic Settings Deletion", - "sha256": "63ed88064a1f87a0c2789942216e2610e00be3801d98465816e698d1a33c0230", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Diagnostic Settings Deletion", "sha256": "a33f7703c7150e2ab58f7c1af92f17d3358b8944ec15b284545340ea7c235bd6", "type": "query", 
@@ -3924,15 +1956,6 @@ }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "1a29db0563afdb6e7013b41d66732f8655e1cf56d8a9d96bbec53e38fe9499ff", - "type": "eql", - "version": 12 - } - }, "rule_name": "Suspicious PDF Reader Child Process", "sha256": "e9751700ecbc9f69adaa1249c8cb06e1d08f139c991bae34d0d3f9d2577a08e5", "type": "eql", @@ -3940,22 +1963,6 @@ }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 10, - "rule_name": "Uncommon Registry Persistence Change", - "sha256": "53219ff8987584e6547f9575812b0376420e95da290d5f3e600c864516a5d0d4", - "type": "eql", - "version": 8 - }, - "8.2": { - "max_allowable_version": 99, - "rule_name": "Uncommon Registry Persistence Change", - "sha256": "eab90afc9e1bee717a0f2d2c8d444c6ea131d22bdee7de0f594f43235e7286bc", - "type": "eql", - "version": 11 - } - }, "rule_name": "Uncommon Registry Persistence Change", "sha256": "e0b3e321b94dc2b0fb7caf747b0f6d00a9583f21eef8bfaaabd67c7b58cd4585", "type": "eql", @@ -3970,15 +1977,6 @@ }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Network Logon Provider Registry Modification", - "sha256": "a5518862b6e142e509712bef3ce38b3512bcaec6a6c764bf34405cba00d25086", - "type": "eql", - "version": 5 - } - }, "rule_name": "Network Logon Provider Registry Modification", "sha256": "9f30086102e19fa654b9d2f8b99a2e8b246cb2be51bb3cedc2fcf12ef5efaaac", "type": "eql", 
@@ -3986,15 +1984,6 @@ }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "1466eae5d9a4dbe705623258baa2696cd48caaf9b249634b5aab4f5f05adc0a6", - "type": "query", - "version": 4 - } - }, "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "b1f34d9a36127c5b57e5904fba53a388080ed0a3c8664b5578f07b827ef2b2a4", "type": "query", @@ -4002,15 +1991,6 @@ }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PsExec Network Connection", - "sha256": "f01d40062b8f60a89a6058c159db1f7725d8bf0b9bb3ac2e52cc3cf50f91cfc5", - "type": "eql", - "version": 10 - } - }, "rule_name": "PsExec Network Connection", "sha256": "dd753506c5c77591675ea1df5f95d6c573e9b2a298cd59b769a13f725b2995c4", "type": "eql", @@ -4018,15 +1998,6 @@ }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "0098059a0c6dca4b880d5b66cc7159ce16ab4e4d41a414d24d52aa3cc16c112e", - "type": "query", - "version": 8 - } - }, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "1e02c0447afc51b9aca5b0c8ee43e176f21c7581578c196bd240534b9110f1fc", "type": "query", @@ -4034,15 +2005,6 @@ }, "565c2b44-7a21-4818-955f-8d4737967d2e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Admin Group Account Addition", - "sha256": "433b4fee2d89c47433742f05b5869e7babde31127f434c8cce50899e14a270a6", - "type": "query", - "version": 3 - } - }, "rule_name": "Potential Admin Group Account Addition", "sha256": "8e069b6e4fd81db3c9aa54f00162e9ee563c0690394523e8291ad971d0ad0eb1", "type": "query", 
@@ -4050,15 +2012,6 @@ }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Dumping of Keychain Content via Security Command", - "sha256": "1aae329188f75eb40aa473688626d40da1970b42f828fdff72427020b3a56f1b", - "type": "eql", - "version": 5 - } - }, "rule_name": "Dumping of Keychain Content via Security Command", "sha256": "7c6f6d3d27c69cc14bb0176d0ff09097ef419db62c885f6de9f0142688774865", "type": "eql", @@ -4066,15 +2019,6 @@ }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Logging Bucket Deletion", - "sha256": "0f8d828b75d1d1185fff5eda64e2a044723a8b1aab5c9ed8d15f1087725abb14", - "type": "query", - "version": 10 - } - }, "rule_name": "GCP Logging Bucket Deletion", "sha256": "e8353127abf6464a09407f4c2493554e0898bb659b45d26fe17f191252a774ab", "type": "query", @@ -4082,15 +2026,6 @@ }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PowerShell PSReflect Script", - "sha256": "47cef88aac24764140fab221634ab4cac6d1e0fdb9d01f711a40b5c909c57031", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell PSReflect Script", "sha256": "0252746bd5d10b5eb5723a78eba7f327e0045f0c9d2a0d53b212401d17ed249f", "type": "query", @@ -4098,15 +2033,6 @@ }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "VNC (Virtual Network Computing) from the Internet", - "sha256": "c683c0a850432bc2e1bc213062d7340c83c0c8ecc6ce14f521ed262124ce52ab", - "type": "query", - "version": 13 - } - }, "rule_name": "VNC (Virtual Network Computing) from the Internet", "sha256": "05408e6d3450b8f61459e1fce920890b470a6691c922ec593b102ec10303db95", "type": "query", 
@@ -4114,15 +2040,6 @@ }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Credential Dumping - Detected - Elastic Endgame", - "sha256": "814a6dd8c3abc42543896f44736ed05c0a51994d35d5f413a7cb3d666dc73a5c", - "type": "query", - "version": 10 - } - }, "rule_name": "Credential Dumping - Detected - Elastic Endgame", "sha256": "e9490c3bf59b4ca766d6cfb1d1844fbf2dc71adcb09780c761b527ecff87b428", "type": "query", @@ -4130,15 +2047,6 @@ }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Virtual Network Device Modified or Deleted", - "sha256": "2dc7f16072cc532537c6fe9627efeb5c18b758fba96416d36c8398993280e858", - "type": "query", - "version": 5 - } - }, "rule_name": "Azure Virtual Network Device Modified or Deleted", "sha256": "36b5cdc1f4072787f2a7ee1f75cf300934251e66bd85f8471752d14d63f3cbbc", "type": "query", @@ -4146,15 +2054,6 @@ }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PowerShell MiniDump Script", - "sha256": "5ed40da998cd797bc689f43438ef2020370ec0f926c7286b305ba9edbcfcae0b", - "type": "query", - "version": 10 - } - }, "rule_name": "PowerShell MiniDump Script", "sha256": "b80e3d3f96eb109a7eb1e59d1e8dcd1983ec9781625f11b0f06f3d2723e516db", "type": "query", @@ -4162,15 +2061,6 @@ }, "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "0bfe91ed225a8f88a48d4a8932529beb3194bda90c9c6c34bf7000ec4d9eb024", - "type": "eql", - "version": 15 - } - }, "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "7192352dcc66a8fe178380c2f98fc855b62641c9b58116de6b07d03197d19ca3", "type": "eql", 
@@ -4178,15 +2068,6 @@ }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "RDP Enabled via Registry", - "sha256": "1db0e174745538cf33858bcfbd6624c7214f52df40a4e91ff951ab7b9db7dcf2", - "type": "eql", - "version": 10 - } - }, "rule_name": "RDP Enabled via Registry", "sha256": "9b1d7e37535173aeee05ca5cb9e4f3e0b62dca6fe20af82d49471d495c1e418f", "type": "eql", @@ -4194,15 +2075,6 @@ }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Zoom Meeting with no Passcode", - "sha256": "b3723887b9bf279cdf495e0de89757e9d1a4490463b6993ccc1e0e387da9b934", - "type": "query", - "version": 7 - } - }, "rule_name": "Zoom Meeting with no Passcode", "sha256": "b11bda77407059cc54037e469693754321f43bae2e53010ad95944e9a774276a", "type": "query", @@ -4210,15 +2082,6 @@ }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Lateral Tool Transfer via SMB Share", - "sha256": "fccdc8cdb7b3ef92b3e30da671101575b76c05c404ebf4657415a612c2f2d490", - "type": "eql", - "version": 7 - } - }, "rule_name": "Potential Lateral Tool Transfer via SMB Share", "sha256": "b6c6ef5d4f5051f04e4d065c12cfc8f3e3b5844e39331f684957f69977283d37", "type": "eql", @@ -4226,15 +2089,6 @@ }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "d21a3917238ca1a1a6b8319f592c64861d215606c6120103900ba67cbf643d14", - "type": "eql", - "version": 8 - } - }, "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", "sha256": "30bf19aa3ae3dd45744c2d060758a3c8f40694917a6de2ff431a33baf49cfc65", "type": "eql", 
@@ -4242,15 +2096,6 @@ }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "O365 Email Reported by User as Malware or Phish", - "sha256": "4aef6221e7182cd1ec1b7a9c4601fcde475bf48061adf1d0248fd6010baf2499", - "type": "query", - "version": 4 - } - }, "rule_name": "O365 Email Reported by User as Malware or Phish", "sha256": "2967ee9d92e6919fd392653ca21163fd3cb0c2231fe79fa57a28134dcba36c9a", "type": "query", @@ -4258,15 +2103,6 @@ }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS CloudTrail Log Created", - "sha256": "452b3ca5d359e3ff768e8c77fc4274ae51aeb2b514fcc589a4bd4f1295f42877", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS CloudTrail Log Created", "sha256": "ffb4cba38273c8d57793ed7c2315c1371ac18365da49330998fea73b6c347805", "type": "query", @@ -4274,15 +2110,6 @@ }, "59756272-1998-4b8c-be14-e287035c4d10": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Linux System Owner or User Discovery Activity", - "sha256": "4dfce8f9b71d1c1154bcf7d7e227f86a80e23ecf68649d7067d1b9daa21960b3", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Unusual Linux User Discovery Activity", "sha256": "dd31b687b58346ce56f87bd367d0f79b779864ebf583e863be2f7d6d83bc242d", "type": "machine_learning", 
@@ -4290,15 +2117,6 @@ }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "3f39f6f5177668db2bc706c123caebf4f32fab44956ed321bd067f98e077e866", - "type": "eql", - "version": 8 - } - }, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "b30aa0fcd1b985a702d8d78016225fb7423af9e56df143b5dab8f74360c43ca6", "type": "eql", @@ -4306,15 +2124,6 @@ }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote SSH Login Enabled via systemsetup Command", - "sha256": "7c73e32e581e8c012be9579704cb4af5639d44af7819e90225394d82f8dfe84a", - "type": "query", - "version": 6 - } - }, "rule_name": "Remote SSH Login Enabled via systemsetup Command", "sha256": "71cf82dfff0f9a3d67f3f7d435cc9b41973b0451e59f1883e5ec5fd48aa86e55", "type": "query", @@ -4322,15 +2131,6 @@ }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "b42e9f2369de3fa9727f635d630089197d955d8b0e0a1dcb89bcd880066ea6ab", - "type": "eql", - "version": 10 - } - }, "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "342104d22c85b187e55bacccddf0aa710534299a221f5d13a06c4d6f289b6464", "type": "eql", 
@@ -4338,15 +2138,6 @@ }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Virtual Machine Fingerprinting", - "sha256": "9c0208d45564d4542b3d2b8a5bf247de7c1f52fd0d35c92870b6bae1e3a11169", - "type": "query", - "version": 8 - } - }, "rule_name": "Virtual Machine Fingerprinting", "sha256": "b2e3a06cf9d34d4d873dcc00217a5dbec87f0b8dc6571363fcd8775dea61cada", "type": "query", @@ -4354,15 +2145,6 @@ }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "807b3ee056b0f0094cf79aaf7a47f5560f16b4d853b0be14672407c7fb0fda12", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "943e36887702a9a13257189b23f4a447985b055a0d7ca2e0f66251fbe40ca4dc", "type": "eql", @@ -4370,15 +2152,6 @@ }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "b5257122319e9bc4edc6da90b4f9ce51f865585667549443dd5a5bc186e8adab", - "type": "query", - "version": 11 - } - }, "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "6ffd5479e903c8b3363f7b944493fc35ff2c85e45e1ca1be92e6a8e28084c1ba", "type": "query", @@ -4393,15 +2166,6 @@ }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "d00b5c874958e60ebea75b76e2ed82104b526c831d61e946c915fd0cc7efa80d", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "df37f1979c1a5ee441b9103aca366fb458476dd528b24f3cd605c74ea49fdbeb", "type": "machine_learning", 
@@ -4416,15 +2180,6 @@ }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "0f815b455140ed43bab2a6eb85a0bc7af11f3fb955ce357959ca12408b42e27e", - "type": "eql", - "version": 7 - } - }, "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "ee8c0a778d51d9f173abafcd283ef5657952de1d18ab40f9b0cf0da7ccfd9ed7", "type": "eql", @@ -4432,15 +2187,6 @@ }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "User Added to Privileged Group in Active Directory", - "sha256": "5f8c09d4a95f39252ed35586660a9bfb97cec6c902021704d19f8dba94707d9d", - "type": "eql", - "version": 8 - } - }, "rule_name": "User Added to Privileged Group", "sha256": "773f71af71834ffd02c21836b4d9857908bc26aca6b89f6aecc6e79486cac84a", "type": "eql", @@ -4455,15 +2201,6 @@ }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via Login or Logout Hook", - "sha256": "6edec2c011265bc7e9989c18ec7b057ec4e790b4dbc45ed26c9800cd87f1888d", - "type": "eql", - "version": 8 - } - }, "rule_name": "Persistence via Login or Logout Hook", "sha256": "350bde74cfc457a3e9af70c0fe42765f3555d42aa0069249fee22be0c213036d", "type": "eql", @@ -4471,15 +2208,6 @@ }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "0c9b6b24a43b7dedc4a80d31fcb597b5c9672a16ff85566b03ac4f05915b07f2", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "fddf8b5aa357cb814351eccaf0ba4dd73141f7a95d2b6725f828a936510e701b", "type": "eql", 
@@ -4487,15 +2215,6 @@ }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Automator Workflows Execution", - "sha256": "1423cb901db24ee2389356865a804a69d1c5ccd02aca4cf100ca7486f830aee2", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious Automator Workflows Execution", "sha256": "62eccd3bfd427a45c07d34d35290c0b6ce1409164c478ca3b394738a8f271613", "type": "eql", @@ -4519,15 +2238,6 @@ }, "5e552599-ddec-4e14-bad1-28aa42404388": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "f58a40f75d1820aa083b0af15229d3a3192bb4cb2c90b6d45852d9531ba86659", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Teams Guest Access Enabled", "sha256": "50aae074ddb8947d940c38965282b736fbff99f023d2a715cb22e2dca25e2f4d", "type": "query", @@ -4541,15 +2251,6 @@ }, "60884af6-f553-4a6c-af13-300047455491": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Command Execution on Virtual Machine", - "sha256": "e195b4abc35917aed5f150ec5e04b7bfe705c776edd2df6d0d18614aab1231a8", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Command Execution on Virtual Machine", "sha256": "5637e2ee71403942ade1e207efd0fb68aad7ddb05c75fbbec08760e3d430476d", "type": "query", @@ -4557,15 +2258,6 @@ }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Service Principal Addition", - "sha256": "63f8524b34d7396a39558b7b1a71918cb1af0dd94168d585c37e41ebd3e62733", - "type": "query", - "version": 7 - } - }, "rule_name": "Azure Service Principal Addition", "sha256": "790a04ad7ff41fcd3757920bdaeedf2c17109f20ae4edce09b8dce36774e3b32", "type": "query", 
@@ -4573,15 +2265,6 @@ }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "d4bae7b60e7b8ae9d81564cc05893fe9ab226915e0ba6ae6f588226f2a37981b", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Exchange DLP Policy Removed", "sha256": "ebca4569bef15eab7d2b131134f2c0a4f17b6f29255255feaba207e377d2ba7a", "type": "query", @@ -4589,15 +2272,6 @@ }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Process Network Connection", - "sha256": "b00636e435888cfbac55fabaa232b7ff7792edae939e7fd52cfd7586228f89e4", - "type": "eql", - "version": 10 - } - }, "rule_name": "Unusual Process Network Connection", "sha256": "d44b8fd15f89636c82a9b2f12b69ddacb7f54d23325e57cb7d506ec57c1f280a", "type": "eql", @@ -4605,15 +2279,6 @@ }, "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "4260f2832dbbedc282f3767cd8e7776d8a1f4cdc13b5dac16dff8107ea31e1d3", - "type": "query", - "version": 9 - } - }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "dd53321d717e3307f2c59284b8a30aa7f702b4590ce60b467a5a2cb6c95b664c", "type": "query", @@ -4627,15 +2292,6 @@ }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "534101b851d9fae2e8255f7a270ca3d66f536b49f133fa7ef49a91d5bfed2816", - "type": "eql", - "version": 5 - } - }, "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "65f399bf70c38dfce92e0bbc0b4e676429e70705e1008e716aec59948173fd7e", "type": "eql", 
@@ -4643,15 +2299,6 @@ }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "cc8a4382982924e277e4c3d743dd97006b5d0d444c6c16f0af5bfa54175f1571", - "type": "eql", - "version": 9 - } - }, "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "a8cdcb042d15ba2ede5aa653817d69c667d716f86b09f0413ca06f8fabc09cc4", "type": "eql", @@ -4659,15 +2306,6 @@ }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "b11ea0b16c59af178aae7fc5869e311bc7e98918cedba5dcd6693398144c70d8", - "type": "query", - "version": 4 - } - }, "rule_name": "Account Configured with Never-Expiring Password", "sha256": "630de8e1e83f9aa603a3c8d81348e5ef192162f7b552d96241063e4a01556e3e", "type": "query", @@ -4696,15 +2334,6 @@ }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Network Connection via Signed Binary", - "sha256": "80c6dfdcbb866f19a43a66a1fcf01571c849a5d333763e6728b8cc38e96f7ada", - "type": "eql", - "version": 12 - } - }, "rule_name": "Network Connection via Signed Binary", "sha256": "d885f39c3c86786f3d8111d23ab3188d5d697e7c18e3b93f6e9f5b470a4545df", "type": "eql", @@ -4712,15 +2341,6 @@ }, "647fc812-7996-4795-8869-9c4ea595fe88": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Anomalous Process For a Linux Population", - "sha256": "c10cfdb233bb94a8778c442480ba3bf3052d77b1a7233987c6c6f02bb88a69b3", - "type": "machine_learning", - "version": 7 - } - }, "rule_name": "Anomalous Process For a Linux Population", "sha256": "1bc892877ab2a781c74918e3a74ad007e64dda74b8a8740547e16408986ac845", "type": "machine_learning", 
@@ -4728,15 +2348,6 @@ }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Modification of Safari Settings via Defaults Command", - "sha256": "1291f8e74a129e13387f515122286762491f4a8a98539f725f35893c9e519257", - "type": "query", - "version": 3 - } - }, "rule_name": "Modification of Safari Settings via Defaults Command", "sha256": "163022f4533c182c27180041866df9922c250865f14b7d261d7c8b44a30eb191", "type": "query", @@ -4751,13 +2362,6 @@ "65f9bccd-510b-40df-8263-334f03174fed": { "min_stack_version": "8.4", "previous": { - "8.2": { - "max_allowable_version": 99, - "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "013298b6842e5c3da39c9653179dd8e9b62b3dfd4227f34256471cf64bcfe2ee", - "type": "query", - "version": 3 - }, "8.3": { "max_allowable_version": 199, "rule_name": "Kubernetes Exposed Service Created With Type NodePort", @@ -4773,15 +2377,6 @@ }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Mount SMB Share via Command Line", - "sha256": "2be9c7475eaf8e2adef7e68471761491a0be92b510e4dee69d85cd0b718d5383", - "type": "eql", - "version": 5 - } - }, "rule_name": "Attempt to Mount SMB Share via Command Line", "sha256": "6b420f70a71e6aa55744fdb6b29f14704d1020a60ca48e4607b3288b20affeba", "type": "eql", @@ -4796,15 +2391,6 @@ }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "WebServer Access Logs Deleted", - "sha256": "2788dc407749eecaee222081bf50995a97061ee76f3874ac5d57b024c5b0f0c4", - "type": "eql", - "version": 8 - } - }, "rule_name": "WebServer Access Logs Deleted", "sha256": "b278ad316df91b043b52c2733d1a7a52b28387c296ac7d735830aa6b2cd87c3a", "type": "eql", 
@@ -4812,15 +2398,6 @@ }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "56d77dd4079675a4b79810d1ca79ee02983c2fb5965c0676e9c831340f0a6262", - "type": "eql", - "version": 11 - } - }, "rule_name": "Connection to Commonly Abused Web Services", "sha256": "493375483edbd760d44a9ceb4465b8f85790e3b897a6071b15871809c0b8ddb0", "type": "eql", @@ -4828,15 +2405,6 @@ }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": "2cef3de3b774697cedfbed1c2355f06f346be0ff564bb51e664741418215ed35", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "10a0942dd2fa026f7ea28ff8cd8dba339d13b6d1ebf0297b8b4f817fb7cf4882", "type": "eql", @@ -4851,15 +2419,6 @@ }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "1ef55d057c977c919a011ee2c0a5877b55c1b5467523826f3720ee782ceb87f5", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "920fbba08c958b8664071c20d1ba637d146ed67edef7e8cf792e6b24155ab831", "type": "query", @@ -4867,15 +2426,6 @@ }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": "d56428a2ebb97ff26a961b1941691823e9c600e8c7878d6093f1eaa010965ede", - "type": "query", - "version": 6 - } - }, "rule_name": "O365 Mailbox Audit Logging Bypass", "sha256": "be4affa23789ae2a09fbd537820317eb2e39cdb1582e3fa38dc10d83f53e8aeb", "type": "query", 
@@ -4883,15 +2433,6 @@ }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "f2e4b16a361bc69205d6496b1d0ae5cb98c14fdc18dfd120a57d3ed1242393e3", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "89eb0d585dbafbd7f1ed391a4b5ba76bc2f8adffa69f5c6d9206537fd862d777", "type": "query", @@ -4905,15 +2446,6 @@ }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "High Number of Process Terminations", - "sha256": "32f86106ce9707e4ba55425d0e257d1a8d98fc30943af2df10ecb86ccedcb082", - "type": "threshold", - "version": 3 - } - }, "rule_name": "High Number of Process Terminations", "sha256": "8b12bdfac3e2c8d60903a28c6f5e947acc37156bb4320bf4e8dfb3d837b3ddfc", "type": "threshold", @@ -4927,15 +2459,6 @@ }, "6839c821-011d-43bd-bd5b-acff00257226": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Image File Execution Options Injection", - "sha256": "0efe7d423a7ebfb1e3d9380de840f4ddbf0f5e4229dacbad6ebd38795ed1fe91", - "type": "eql", - "version": 7 - } - }, "rule_name": "Image File Execution Options Injection", "sha256": "6549f7a1a56c25d6a086a94608a5aa8741b126e52d9678f2935aa47d5b5d1012", "type": "eql", @@ -4943,15 +2466,6 @@ }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "New or Modified Federation Domain", - "sha256": "e410d2309f7b7bd1ec6767a6f0d4756716d3d87da15161771420026a2603c7b0", - "type": "query", - "version": 5 - } - }, "rule_name": "New or Modified Federation Domain", "sha256": "b36b28a3d7c05bc571463614e266a0db27d51920ae9cafa0b2ab15e654b98a7a", "type": "query", 
@@ -4959,15 +2473,6 @@ }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Threat Detected by Okta ThreatInsight", - "sha256": "95b23b6dceecf5c37c57266723121ae726f35c91584ae156eeb28b463d118cea", - "type": "query", - "version": 9 - } - }, "rule_name": "Threat Detected by Okta ThreatInsight", "sha256": "6b3365514534840a4ded646f7e1a3e0cb9eefa5c2f9a6442524d9cb7b4f1abe9", "type": "query", @@ -4975,15 +2480,6 @@ }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "40892b7e96739d876cf5ef96e0cfcb5df2803f9e217d6c15edfc656d66dfbdd0", - "type": "eql", - "version": 10 - } - }, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "e102f2d4c27072d55f55d4d1e8ad51f6e783bd9441a20972a74e4e345bffbbb1", "type": "eql", @@ -4992,20 +2488,6 @@ "68994a6c-c7ba-4e82-b476-26a26877adf6": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 14, - "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "b93cd2bb2b978c4a49aa012e3ba233f122287ffdb705c852467201a2f5818c37", - "type": "query", - "version": 12 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "b21a45d51ea3f04918d7eeaabb24efea888bc2f7a9c326ed3858bc775f4243e0", - "type": "query", - "version": 15 - }, "8.3": { "max_allowable_version": 203, "rule_name": "Google Workspace Admin Role Assigned to a User", 
@@ -5021,15 +2503,6 @@ }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "81a2f954d5b7761177fa3bc11019a2955eef17aab753143bbea9a8bd67bc55a6", - "type": "eql", - "version": 8 - } - }, "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "9f1c352afefff0785a80acfbdf93d9bdb3aedaf7a02156a828d9d7c378852b19", "type": "eql", @@ -5037,15 +2510,6 @@ }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "f5a7bed82e84d98883e645ca43ca8091e0d6b505c417342c2685bc0bccc55e96", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "698c9dfd7302bb7c5ee83b30df48ce2ee828b9ed6cdddefef59070ac9eb4f2b3", "type": "query", @@ -5053,15 +2517,6 @@ }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "1c69a26d73e24b3d036b3bb0d2a5d6651123dca79c58a6df26d303222cc3aa19", - "type": "eql", - "version": 8 - } - }, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "575b2694135e659209e5f19f431d4f58c4d5899ea21d75b311710378441070c7", "type": "eql", @@ -5076,15 +2531,6 @@ }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "min_stack_version": "8.3", - "previous": { - "8.0": { - "max_allowable_version": 99, - "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", - "sha256": "1c84ee3520f02156a2dd650dff1c95cccd1852054ed6f7ca59a4ce9d278c9832", - "type": "threat_match", - "version": 5 - } - }, "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", "sha256": "b6ac668cc6d5e2dce2615788c3f70ee23c8f8c4f5e3006c06b4e197b0174d651", "type": "threat_match", 
@@ -5092,15 +2538,6 @@ }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Modification of Boot Configuration", - "sha256": "2103024f5ee4817b2e7dece3748aa9ca71c8a4ee68de02c6ed318bc1377e83e5", - "type": "eql", - "version": 14 - } - }, "rule_name": "Modification of Boot Configuration", "sha256": "60ccc5a2eb4cfa19135bf07f907f7676b64d721d93720d04697790399c1b5c54", "type": "eql", @@ -5108,15 +2545,6 @@ }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "94e15d61afdb62ad13547e0aaf3b6702c4e69ffbf47d983b6416ae9e3d6810bd", - "type": "query", - "version": 9 - } - }, "rule_name": "AWS IAM Password Recovery Requested", "sha256": "dfff9f796b3d2a8c41f0087a29f68d83619a9b812765fa26e3267f500cd4681d", "type": "query", @@ -5124,15 +2552,6 @@ }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "3086f0755beef3bc637f52b992f4b001ed10d7155978344d650e9ab12d2b44d5", - "type": "eql", - "version": 7 - } - }, "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "4eaa1e9e5916c6fba297908e6d63181dbee461c8f0c7ff712e53dc91aabacf65", "type": "eql", @@ -5140,15 +2559,6 @@ }, "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "e5af89fb2a0cdf3e47de3ac1fc26f371b765520be293a2e451e61c793aefb73c", - "type": "eql", - "version": 11 - } - }, "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "96977edeacf48ebdef08e138bb2b3ba74e28469a463d60400db755d56c409426", "type": "eql", 
@@ -5156,15 +2566,6 @@ }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Sensitive Files Compression", - "sha256": "3d1a0bee2d79c035a599faffc03e74e4b4699b39dbb4418068b003eb6136050c", - "type": "query", - "version": 3 - } - }, "rule_name": "Sensitive Files Compression", "sha256": "0efabe3beb60e13d79bd2c91385a7c7bc3be3ce84639cde24bef27ba8b5f44ef", "type": "query", @@ -5172,15 +2573,6 @@ }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "45706af41dd0e101a3f59b870ba870250864df9ed5c53ce61e227e1027bc6e09", - "type": "eql", - "version": 3 - } - }, "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "22ef56a16f21d022a7426745003d5a097a4762abc7b89536c3e08a284f1b3434", "type": "eql", @@ -5195,15 +2587,6 @@ }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "e08745f50529b4335fb58264f3ee42c749085a6a0c4dcee4d04aa790d386d05d", - "type": "eql", - "version": 6 - } - }, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "f06648d5939b34c59382a9f0bdd2b1fdebc4b7e3d9d03bc963f2e57439a37e37", "type": "eql", @@ -5211,15 +2594,6 @@ }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Process For a Windows Host", - "sha256": "9acf5cf644f0dd40d86fe207e02999cd5ad7cb60a50cb3c648eb7def01929e9a", - "type": "machine_learning", - "version": 10 - } - }, "rule_name": "Unusual Process For a Windows Host", "sha256": "204ae5f84b89f03f94fc102b211789a5849684383b039504973bcd7465abe995", "type": "machine_learning", 
@@ -5234,15 +2608,6 @@ }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Anomalous Process For a Windows Population", - "sha256": "265db12570310439b937bb99bc1a58f1e6ad99c7bc17a2fcde50e05cf11b03bd", - "type": "machine_learning", - "version": 7 - } - }, "rule_name": "Anomalous Process For a Windows Population", "sha256": "1ff50208dd37e68835d22ff13a894b0308ce2b10d0f0eb18a1e83ecbbd1c8504", "type": "machine_learning", @@ -5250,15 +2615,6 @@ }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AdminSDHolder Backdoor", - "sha256": "e63135af0e5924b96b28af7b3bf95259660d6458c0e1f94fee88f8d7d23538af", - "type": "query", - "version": 4 - } - }, "rule_name": "AdminSDHolder Backdoor", "sha256": "ff43f2469c9ad8d976e9faf0c5119cbe48f78a9634cb6fca841abd0f2715bd79", "type": "query", @@ -5266,15 +2622,6 @@ }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "82208392d7e64f65ffc52fefb132ec3415dabd2548e78cd6ecfc122a6d9b2090", - "type": "eql", - "version": 6 - } - }, "rule_name": "Enumeration of Users or Groups via Built-in Commands", "sha256": "7ba99e8e02e3b9f4f5b8d0132c7c9b94e5115d2159aed3c8342abfa77f877ec9", "type": "eql", @@ -5282,15 +2629,6 @@ }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "f7c950372b5e9243c9d6de8b572a1f564290aa2b0f790831d501d5b3a2b460b0", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Windows Error Manager Masquerading", "sha256": "b57198337fe983773672e9a5bbd508cdba50655dfd6243b60f7756080951f986", "type": "eql", 
@@ -5298,15 +2636,6 @@ }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Security Software Discovery using WMIC", - "sha256": "db29bad908a46be8a59efc119ed564e77fa8ef7c6a4bd2a47fba5e361fa0be25", - "type": "eql", - "version": 9 - } - }, "rule_name": "Security Software Discovery using WMIC", "sha256": "e9b7a40a40ba5a650aef7eb34cdd11ea51c137f8d9210ad81abcfe0a9be68a63", "type": "eql", @@ -5327,20 +2656,6 @@ "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 14, - "rule_name": "Google Workspace Role Modified", - "sha256": "9cb9378f77ddd21f125d4bd96ae0f071a38f364c8fd7d446fb6d72144274f37a", - "type": "query", - "version": 12 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "Google Workspace Role Modified", - "sha256": "244dc1f48bcc75832806b71e104f30425388ca2f33f6810e00dd12f2906b426f", - "type": "query", - "version": 15 - }, "8.3": { "max_allowable_version": 202, "rule_name": "Google Workspace Role Modified", @@ -5362,15 +2677,6 @@ }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "a4ff0cfaccd58b87eaa594425fccba1ee8ad9372d16c1f8f900f9ad8f064b7f9", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS CloudTrail Log Deleted", "sha256": "6c66a216661a81f1bfc027b73a7ae4649731b27cd07b71f6f6011927cdab3ffd", "type": "query", 
@@ -5378,15 +2684,6 @@ }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Config Resource Deletion", - "sha256": "43704baff18966de9952e1a0f3c08d898c72c1231d9122fcb2eb2854ef396a56", - "type": "query", - "version": 9 - } - }, "rule_name": "AWS Config Resource Deletion", "sha256": "f207f21734cba24d01b258a68d79b7940fcf9d2a16cc3381c3a1a9eebab96ed8", "type": "query", @@ -5394,15 +2691,6 @@ }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "595a864d26763ad72e78a54831b8e6740f1bd90566b5a450046c0ed8824b9e6e", - "type": "eql", - "version": 4 - } - }, "rule_name": "Persistence via WMI Standard Registry Provider", "sha256": "2eefbc10b6fd4770b298539fd712506272927be2c8ad242b4950f24dc089b77a", "type": "eql", @@ -5410,15 +2698,6 @@ }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": "f7b73fb04043a3546f845ee4b9167420e82f46abe62cc0880f760715211d4c57", - "type": "query", - "version": 4 - } - }, "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "sha256": "8fe97c8e3c716ef684f76afed14acf49f6df8fa635b11647f280c1e65322835b", "type": "query", 
@@ -5433,15 +2712,6 @@ }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "fe4e4318876cf618a1e21bd9cf33c5e2df2b85efd5b8e7801d31ebdabf213df6", - "type": "query", - "version": 4 - } - }, "rule_name": "Modification of Dynamic Linker Preload Shared Object", "sha256": "4b932dbf738ee22e2a0140704ff28e47eec6a9db76f9fe97ef5e63bdf4d8fc6c", "type": "query", @@ -5449,15 +2719,6 @@ }, "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "a0532649648f730107a0133d1d34ba08d749a89fe702237470c2e9ba8af94ad3", - "type": "eql", - "version": 5 - } - }, "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "d155bfbd4b16801e5de3c6a7af3625995ae41df9809047c8c384f3444b10c50d", "type": "eql", @@ -5465,15 +2726,6 @@ }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "c4f2f189b4b7fd579305f0b3d350ce9691203ef9c69669f8ea8b3be72f875195", - "type": "eql", - "version": 7 - } - }, "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "da400de1acdad6bb9fde64e212c0518716dc2250c62e078a0f40fa41b8a6191e", "type": "eql", @@ -5481,15 +2733,6 @@ }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "de3533885523c98ef8c93be8721da011f9faaef2f59686ee92c84ad626c929c1", - "type": "query", - "version": 6 - } - }, "rule_name": "Microsoft 365 Potential ransomware activity", "sha256": "5ed8b9792817be8710679364f5e1af5fef0cf852e05c97076743efb4d24e3db2", "type": "query", 
@@ -5497,15 +2740,6 @@ }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "55b7a39561fa69e358537b62420d5479578bc7a658b937d80114bd6e334abce8", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "605f9a888e2693ecfd1f05ee530a9d7e986088669abf71629dcbcbbcd91c025d", "type": "query", @@ -5519,15 +2753,6 @@ }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "12b47e8a1e1df6f0c7239beff9393ef1170c61308c73a09a69f215951937952b", - "type": "eql", - "version": 12 - } - }, "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "28cfe80cd89b9b8a480b9b14501184fdfbd94d05f1e00b3ab8781162c6cec8f0", "type": "eql", @@ -5535,15 +2760,6 @@ }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Modification of Environment Variable via Launchctl", - "sha256": "eee473b2a22ea8df57eed1ec8893c9ade87d5b5eb7916d102429055badfe191a", - "type": "query", - "version": 5 - } - }, "rule_name": "Modification of Environment Variable via Launchctl", "sha256": "7169486084b5ac92d1763d2da6ca6fc5e5ca50fb3c374cd40c9f99a100296771", "type": "query", 
@@ -5551,15 +2767,6 @@ }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Hour for a User to Logon", - "sha256": "1e847948be954f3a3cbfb10357ae89e2badbfd6a8fbe0b16d728d77166473a07", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Unusual Hour for a User to Logon", "sha256": "2a0d7b4f4300b43619c65eeb099809b294559fcf8320c8057b62ba8322bedec1", "type": "machine_learning", @@ -5567,15 +2774,6 @@ }, "746edc4c-c54c-49c6-97a1-651223819448": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual DNS Activity", - "sha256": "6756a4819c149be09d06dbd77b8d1335be3f2892ec75596b19813f0e151f420e", - "type": "machine_learning", - "version": 5 - } - }, "rule_name": "Unusual DNS Activity", "sha256": "89a38c151792f652c09ff8ef900c8520cc2b6a0b0a377d9a0025dba0e72db939", "type": "machine_learning", @@ -5583,15 +2781,6 @@ }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Web Application Suspicious Activity: Unauthorized Method", - "sha256": "7d4448c4595f5cf1ecdfcfde84e6c0bd302004eb1a71c73591e3e339532195e6", - "type": "query", - "version": 10 - } - }, "rule_name": "Web Application Suspicious Activity: Unauthorized Method", "sha256": "ac64583e7ae5ae0b7d30afcee64a1d3f5415d1e43351b8cd71d4d428704faf34", "type": "query", 
@@ -5599,15 +2788,6 @@ }, "76152ca1-71d0-4003-9e37-0983e12832da": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "244f9ef115052b03ab17b53de02594d6fb2a47a66970b7f34db63659f0d9ea3f", - "type": "query", - "version": 3 - } - }, "rule_name": "Potential Privilege Escalation via Sudoers File Modification", "sha256": "975acebfbfee11fe275fadbe5e279d2f027ceca46046b7a4d1564e298f1f58df", "type": "query", @@ -5616,13 +2796,6 @@ "764c8437-a581-4537-8060-1fdb0e92c92d": { "min_stack_version": "8.4", "previous": { - "8.2": { - "max_allowable_version": 99, - "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "8845c5c341a499cd38d65de796f7a5a18d12bb9527efd90d7c1f1b89c36c02e5", - "type": "query", - "version": 3 - }, "8.3": { "max_allowable_version": 199, "rule_name": "Kubernetes Pod Created With HostIPC", @@ -5645,15 +2818,6 @@ }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Creation of Hidden Shared Object File", - "sha256": "798005e896c8c1cfbceb44c167fb97fec88162d0f7ed225950029ecf2e355337", - "type": "eql", - "version": 3 - } - }, "rule_name": "Creation of Hidden Shared Object File", "sha256": "2b4230ef5db1708ed34326849e6d44a7ce2c1b35da7ab719b3d20a83ba9df9ea", "type": "eql", @@ -5661,15 +2825,6 @@ }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "cd03875e5215659d4a9dc647d4349d17c2d6ab4cfe4f196e34f114dc5de5dc93", - "type": "eql", - "version": 5 - } - }, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "664eca0571f86b61cbdc8d93b52cd435246e2d7f39cfbb4bdab36ab69d1bff7d", "type": "eql", 
@@ -5677,15 +2832,6 @@ }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "b7b15c433fb890a500de66e990cffb64232c3c9983db33dd7ed952206cca6e13", - "type": "eql", - "version": 9 - } - }, "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "13de7cb5aca2e3527a0556f97f725accb2f0213fab25c85d668c14dae3c89006", "type": "eql", @@ -5693,15 +2839,6 @@ }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "e1035282bef10663f92eb6000566f4f1597d215a0cf5cc4b7fe21c95cb248a39", - "type": "eql", - "version": 6 - } - }, "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "9fdd3e949f6f57f4a8d12ec8d48f72152b875a11cbe3a05febde5ea846c6b9a7", "type": "eql", @@ -5709,15 +2846,6 @@ }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "User Added as Owner for Azure Application", - "sha256": "221e88f2a1891057d283196c7aab129be0f5a2eb1f8631fe80e43865e7dbe0bd", - "type": "query", - "version": 8 - } - }, "rule_name": "User Added as Owner for Azure Application", "sha256": "a97f673b735d37b32973f00c9e6ea2608c0f8e7a451e7da2ed05a256eb20d451", "type": "query", @@ -5725,15 +2853,6 @@ }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Adversary Behavior - Detected - Elastic Endgame", - "sha256": "5380f574b8e648c558fa34254366c5e53eed6065c9b0c722b1c458ac26b01ce3", - "type": "query", - "version": 9 - } - }, "rule_name": "Adversary Behavior - Detected - Elastic Endgame", "sha256": "915716860c1f135cec8ba36dd5ee26b28cde838556f277fe9bfcb874ab78f8e3", "type": "query", 
@@ -5742,20 +2861,6 @@ "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 14, - "rule_name": "Application Added to Google Workspace Domain", - "sha256": "05659e0fca8bfd5b058797e8189179ad491969abb24b47e22e586ea42c527deb", - "type": "query", - "version": 12 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "Application Added to Google Workspace Domain", - "sha256": "5e45bae76ca5b927ec5755d9bb797b2012a6884ff93d4deb09b0127a0b0e273f", - "type": "query", - "version": 15 - }, "8.3": { "max_allowable_version": 202, "rule_name": "Application Added to Google Workspace Domain", @@ -5771,15 +2876,6 @@ }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Privilege Identity Management Role Modified", - "sha256": "a72422827c480ac2b9747935d238c62d58f73ac2814b048de4b484e0c71d660f", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Privilege Identity Management Role Modified", "sha256": "c90a096cbf363f1f42cf58b076b63e022b205e76679fb84b1ec6bd95a4db33d5", "type": "query", @@ -5787,15 +2883,6 @@ }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Spike in AWS Error Messages", - "sha256": "106b495c6e5eb5e409cdb8294ecab91a7ebc9dbab945cfcdbedd158cbe87cc46", - "type": "machine_learning", - "version": 12 - } - }, "rule_name": "Spike in AWS Error Messages", "sha256": "4a821739bad394ff55f52126893666865597943bc55ee5d2433a92ff700e8c4c", "type": "machine_learning", 
@@ -5810,15 +2897,6 @@ }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Key Vault Modified", - "sha256": "47a0cc7f95baa26446d9632a6b279c5cc1208bf3b8ba2d27f61cdacdee9edaf4", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Key Vault Modified", "sha256": "4e3adeb6c003172b64e7a0159d691edd03b0b1732440043433a32593315ee0d2", "type": "query", @@ -5833,15 +2911,6 @@ }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "db8f5998b6c1ef6c15dbc8bcdeb7525851f386baa8e20bdefd37f4511f7e6594", - "type": "query", - "version": 5 - } - }, "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "8999e67854c72fbe1314e02d3f92145afc1186decc109621557d5173f02b472d", "type": "query", @@ -5861,15 +2930,6 @@ }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "c27a6ebbde5ed895c419e9247fb27acdbfe2112b70c5ec4cb645f19b9a694f5b", - "type": "query", - "version": 5 - } - }, "rule_name": "AWS ElastiCache Security Group Created", "sha256": "5d9e32b76b3fc4aff322c08ddefeff9458d1cadd65801aff7e2d5cb20767d021", "type": "query", @@ -5877,15 +2937,6 @@ }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows Network Enumeration", - "sha256": "1b6f54e06cc026d118a54820c8a360add1add24912d31ccadd63e7661acaeaa8", - "type": "eql", - "version": 9 - } - }, "rule_name": "Windows Network Enumeration", "sha256": "fc464c8b6f5355e4cb2f7c4ff0c1616def0ec8627d242522e6cafe054d582078", "type": "eql", 
@@ -5893,15 +2944,6 @@ }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "9af915cd549d5c285a49f42912dac118f64b9faf1c216e1bc345fdd6f7cbbb37", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "861d78b1f8570fe76c030a625cc5f3bd4e24c3c7d80246a011a56e47beec8734", "type": "eql", @@ -5909,15 +2951,6 @@ }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Tampering of Bash Command-Line History", - "sha256": "2b96d18fa5abf049d0a09e9ae9d08ce9926fd025ff095f2a2ac87073602ec8d7", - "type": "eql", - "version": 12 - } - }, "rule_name": "Tampering of Bash Command-Line History", "sha256": "4890ed7ae740bdeb75cb9ad063fdc380a37dd68e59c591aa9686bded5f79d1e1", "type": "eql", @@ -5941,15 +2974,6 @@ }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Service Account Creation", - "sha256": "007c9309e37591fe3ca25816e08d1be1e25944279ed9da43b1285ca58048a188", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Service Account Creation", "sha256": "45125852facbb0a351a766b9701c771b1891a42179771d35321d003de033b2d7", "type": "query", @@ -5963,15 +2987,6 @@ }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "1c6eb53bb3fe9a161a80405a8261bedc5d20b5358713447a8db60cd32ca6f117", - "type": "eql", - "version": 6 - } - }, "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "ca5891778ddf0e1aba14b44ef381eb50da4fe08e279f3fd0aac2dbdc39a53c3d", "type": "eql", 
@@ -5979,15 +2994,6 @@ }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual City For an AWS Command", - "sha256": "16e7dd99135fbaa3f9f1b584df44a7e0f234188ddcf848e797c8936a7e80d3cf", - "type": "machine_learning", - "version": 10 - } - }, "rule_name": "Unusual City For an AWS Command", "sha256": "c87d9dbb412180d434f2f2770de509f6f4cf6ec12218bc4639fd728b1829a8a5", "type": "machine_learning", @@ -5995,15 +3001,6 @@ }, "80c52164-c82a-402c-9964-852533d58be1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Process Injection - Detected - Elastic Endgame", - "sha256": "4e779ccf1f49a38c2de417875a39930a1324e6ee7368de9a614db42b476ba077", - "type": "query", - "version": 10 - } - }, "rule_name": "Process Injection - Detected - Elastic Endgame", "sha256": "61983f7e0e2a5a6846f2e64148a468e508bffa658f0914904759ddedd3c8b1ce", "type": "query", @@ -6011,15 +3008,6 @@ }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "45b135d716bf1684bcd549aab366c94aa3d640bbf603da35656891bf733ed7cd", - "type": "eql", - "version": 6 - } - }, "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "7e7274031c383ee0301e17c41a14895cced4dc69a4a63f5a3c27d58ab41e9eb5", "type": "eql", @@ -6033,15 +3021,6 @@ }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "ac0a5aab69c72adf4afd406b14b4627ac2efe4b584ed0b6fd3c71df98e0dad55", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "b8ef0110a87d7c0e2b34a7e1b4364481affc0ff452c7b2b3e480725a8a3fa662", "type": "query", 
@@ -6056,15 +3035,6 @@ }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "304b9c056fef81640d1eec475c5d66b9689826093aac96f3581e293750584219", - "type": "eql", - "version": 5 - } - }, "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "8d82f3a7e21b97429ec21ccb70f9c839a3820baef9b6a4ac092766eb15ae3303", "type": "eql", @@ -6072,15 +3042,6 @@ }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Kubernetes Pods Deleted", - "sha256": "027ba090d0505871c507a51754723e8256895b8ed102083aa2b05b93e2d31e24", - "type": "query", - "version": 6 - } - }, "rule_name": "Azure Kubernetes Pods Deleted", "sha256": "fd9f832afa3eb4db90466e05aa43684b05fbd8af82fa4d943022de552cdb9cc4", "type": "query", @@ -6101,15 +3062,6 @@ }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "0e089d3ca893acb3dc41493b56c47678ee8a9c31af770e7cbbdb13b477b3e118", - "type": "eql", - "version": 3 - } - }, "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "d65657b9b5a3d00e9e1c3b0f16846ad2bb9d412e3d61e26d4cef984635227705", "type": "eql", @@ -6117,15 +3069,6 @@ }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "ae690790275a04d830343066d6671002a9a95f939102986b9711e1291616442b", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Remote Credential Access via Registry", "sha256": "5d3f6f0111eade36e60550698a809efaeb5b47f6eb8f7163ed84ab7f0423f89a", "type": "eql", 
@@ -6133,15 +3076,6 @@ }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "fbcec5e3319f343869931abf427186d400817f3564e7f2720236072d6113e9bf", - "type": "eql", - "version": 9 - } - }, "rule_name": "Suspicious PowerShell Engine ImageLoad", "sha256": "a2f04b9e35fc3fed8e30367400393375d0bb5931d212da7ad52922c63a68ff69", "type": "eql", @@ -6149,15 +3083,6 @@ }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "2c624a60350aacfd7edbee02670148038cf139f25cd0248f61f2c975e8015141", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "ba074512f68e7e07793832d289ff4f6b2effacf988b31b4952c1b4435bbda95a", "type": "query", @@ -6165,15 +3090,6 @@ }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS RDS Security Group Deletion", - "sha256": "ff70e69014113484cc022ae28d71a4b3bee57090c3cec63a2d6e92e9aa22f53e", - "type": "query", - "version": 6 - } - }, "rule_name": "AWS RDS Security Group Deletion", "sha256": "34e94c62ff1b62477b48e6628d9e56cdcb930f570740882c71e0c26dbaf751d7", "type": "query", @@ -6181,15 +3097,6 @@ }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS IAM Group Deletion", - "sha256": "b2a945b0a9a01661e2e49cb626d4fa31a86548be87e638f40e983ee01fafd9dd", - "type": "query", - "version": 9 - } - }, "rule_name": "AWS IAM Group Deletion", "sha256": "e7daedc0730b98d7817da23d57537ffd483d078f72e5a0dd4c6d284df9532eab", "type": "query", 
@@ -6197,15 +3104,6 @@ }, "870aecc0-cea4-4110-af3f-e02e9b373655": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Security Software Discovery via Grep", - "sha256": "842aa69813b8f9b0e5dea1537e9c52e707457bf22191d5e1525aa2e6b14cb5c7", - "type": "eql", - "version": 6 - } - }, "rule_name": "Security Software Discovery via Grep", "sha256": "129a4e1974a0392ab3bb57658105152788a1fb91d25315e845647a163ef2bde0", "type": "eql", @@ -6213,15 +3111,6 @@ }, "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Enumeration of Administrator Accounts", - "sha256": "c84189dae6dd27a858b984c28e71eaab51ea763f33d1f2751c03e187debf384b", - "type": "eql", - "version": 9 - } - }, "rule_name": "Enumeration of Administrator Accounts", "sha256": "8b85c68db403f2c6c42e6248dd75b22ca1f85fcb74567d42dd285f32b77f2320", "type": "eql", @@ -6229,15 +3118,6 @@ }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "b5a9c1b1250bc364e28b68fbb0d9f068648ea66105469377e7797470547d8859", - "type": "query", - "version": 6 - } - }, "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "a6b7d0d6f00f908fa0b5b393e3a1699f387b37814334e411607abd77fc84b7fc", "type": "query", @@ -6251,15 +3131,6 @@ }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "511c1fd76c1b2e36d3bfcbdba847fdef7fac66c36378a5c88d8f22b1a07e0dd3", - "type": "query", - "version": 5 - } - }, "rule_name": "Microsoft 365 Global Administrator Role Assigned", "sha256": "06a2870dd213505ab21cf79e77102f038a0ca424bb6609f239f62e97824509c9", "type": "query", 
@@ -6267,15 +3138,6 @@ }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "7023870a232e75c229fce7670d936c9514f231294f18ef242f5084e928730d68", - "type": "eql", - "version": 5 - } - }, "rule_name": "Sublime Plugin or Application Script Modification", "sha256": "deac64fa51c5d56f7e7ed9b7cb8f3d8b50176fc40eb542df4cad863b4980d492", "type": "eql", @@ -6283,15 +3145,6 @@ }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "e26456a31031a0df8d8fc53b2a116ea9983241ae39b61fda256b5dc1e11abb6d", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "76bb261d59471e797c8164721fb0e1dd65c88cbe16fc1701f03628429f0a464a", "type": "eql", @@ -6305,15 +3158,6 @@ }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "1fe268f03a22f4fe8ba24b86ca8cd99917884f39b92761d8d1e16b440e8d6569", - "type": "eql", - "version": 10 - } - }, "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "8a20330f83cbeb2b0cc8a7ab61e89a6086c130b4631b24f23204f722c36843ff", "type": "eql", @@ -6321,15 +3165,6 @@ }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Command Prompt Network Connection", - "sha256": "59a5d1e0d72c62b3fc7912a7067eaaca424cbc50b4e63c75f51fc4ffb4421007", - "type": "eql", - "version": 9 - } - }, "rule_name": "Command Prompt Network Connection", "sha256": "34c28799d02bc8a7cc28fdf8b9ad0bbc876421fa23b80633ad360a662a6dc298", "type": "eql", 
@@ -6337,15 +3172,6 @@ }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "e39e5487a503cf505c04da8ed3950d7af41af80b4f115ded879c6444e77acca0", - "type": "query", - "version": 4 - } - }, "rule_name": "Persistence via DirectoryService Plugin Modification", "sha256": "fc3a465f743cb0857458763a131e3f071e053868719ce37fd9e7b9d993af9602", "type": "query", @@ -6353,15 +3179,6 @@ }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Setuid / Setgid Bit Set via chmod", - "sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c", - "type": "query", - "version": 8 - } - }, "rule_name": "Setuid / Setgid Bit Set via chmod", "sha256": "6a80154c3a5116e568ba0afae93dac63bd5675af257d579e4e578a852d662260", "type": "query", @@ -6369,15 +3186,6 @@ }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "a47d7783b08ae45cc48a096ac462b7ba64c071e4c726814bd2735c55d0b2291b", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "9b21d3c583122fd5e42304defab494a4c461c949cbafffc09e05d647cb65db52", "type": "eql", @@ -6385,15 +3193,6 @@ }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "9ec0f9d2f6a790cc8b9a48259789ce126d9bc5b6f99c22ce8663bd21fe54ae13", - "type": "query", - "version": 7 - } - }, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "e612843f8f71a01687c6f3336181dc7b0c3ecab0c355105ec92ebafabaee95c5", "type": "query", 
@@ -6401,15 +3200,6 @@ }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious JAVA Child Process", - "sha256": "8c9d449f2d77918beb11a47ac69141e08ec8a0314266c3487cc5b7914f919d42", - "type": "eql", - "version": 7 - } - }, "rule_name": "Suspicious JAVA Child Process", "sha256": "d8854fc273717c92698bc56feb67d2ff72722db4497210cefe7a668fa62b567c", "type": "eql", @@ -6417,15 +3207,6 @@ }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "c0ff885682d6b3a8ec3a61fa4c7eb513fccf86a4e34a3689415a52bd739b8956", - "type": "eql", - "version": 7 - } - }, "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "1290693008facddeea11a73de3c2230b46a299dbfa58bf2beeeb4b36e6648576", "type": "eql", @@ -6433,15 +3214,6 @@ }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "de11f1daa80d49b74fadb3068f2107bfd866a31171b32101127721fc105fd299", - "type": "eql", - "version": 7 - } - }, "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "a82de5edf4c4b3a31fb70a9734322f9e504df6054cc51e0284e342a05f1f711b", "type": "eql", @@ -6449,15 +3221,6 @@ }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Kubernetes Events Deleted", - "sha256": "aaf8e61e49cd5a9a2ff6c9ac5d61ee70922bbd40d5e949421e3eb7c1957da874", - "type": "query", - "version": 7 - } - }, "rule_name": "Azure Kubernetes Events Deleted", "sha256": "d2fda40a22fb4d46eb3a36ed6cc7bc6304f6f30019afbff7fcd240859601b9e1", "type": "query", 
@@ -6465,22 +3228,6 @@ }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 15, - "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "b6d7ad4ee2f11ab3ed8aa4bcee08a462a4b3aa3790ae27abd86cee6d921e3283", - "type": "query", - "version": 13 - }, - "8.2": { - "max_allowable_version": 99, - "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "e8b7d833a2cad5ad92e04ba43b572eb374e775daa2ec9fa71f72a4b5cad614ee", - "type": "query", - "version": 16 - } - }, "rule_name": "RDP (Remote Desktop Protocol) from the Internet", "sha256": "be36f608696a60e995e56d51f29baa67f2cd8c36c86cec71f6f5ff21c6d89d3f", "type": "query", @@ -6488,15 +3235,6 @@ }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Child Process of dns.exe", - "sha256": "c05edecd41eae1c1e746556cd00877c32ee249c380954c34ee4f81b5facfbfc6", - "type": "eql", - "version": 9 - } - }, "rule_name": "Unusual Child Process of dns.exe", "sha256": "3e3a2e5da1dddf91f74f1118b93dd8df723426c05e669ab022213ceec42b0077", "type": "eql", @@ -6504,15 +3242,6 @@ }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential SharpRDP Behavior", - "sha256": "307795e6c1dce173407f17f57c65d0c530dc24e20c18e78b37e93b7d5d78180b", - "type": "eql", - "version": 8 - } - }, "rule_name": "Potential SharpRDP Behavior", "sha256": "b6d6e42eef44c31996e2b05372f6e51d4e2387c066bff3a41f99c68daa33b8b2", "type": "eql", 
@@ -6520,15 +3249,6 @@ }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Ransomware - Detected - Elastic Endgame", - "sha256": "8fba9c51ee81de527fa5ed0c36181b73cd00b2bbab183c0e26834e693659d001", - "type": "query", - "version": 10 - } - }, "rule_name": "Ransomware - Detected - Elastic Endgame", "sha256": "365dff69e83d18e0698a913577e00d9e8342b03e502853d5eda7de1dcf0bb907", "type": "query", @@ -6550,15 +3270,6 @@ }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "8b35059e3e2c9c1cfabfbd9ae383daa10e26ff3840e20952d4805a3bdb73db8e", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential Privilege Escalation via PKEXEC", "sha256": "7fada6427b53035898bdf3b184fb3ef165f1edb9ddbf989a36fa41b0c76e32f5", "type": "eql", @@ -6566,15 +3277,6 @@ }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Automation Runbook Deleted", - "sha256": "c93cbe263234d1244103ea203ea11ca8c8bfedf4031665aee1d47cacc8de0ced", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Automation Runbook Deleted", "sha256": "4a094369167a5416694956facfb84594a711b8f4622441fe2d9376ce2c65fcb2", "type": "query", @@ -6582,15 +3284,6 @@ }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "d86d494f83bb131dff1bf75fc9fa8952846c3deae9f7e3d60f8446ce5d58f19e", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", "sha256": "3c1f4688843906589d65e9818a81ee523678523b5aa89db4bf3f760148663a03", "type": "eql", 
@@ -6598,15 +3291,6 @@ }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "174652de3ab002293cc1eadd63c13f80a580f0b8310bc45a2ac6cfda75241c3d", - "type": "eql", - "version": 7 - } - }, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "336542a3a18e253dad64edcd99ce3832d6e75c600b42230f51abdbbe6edc85ab", "type": "eql", @@ -6614,15 +3298,6 @@ }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Service Account Deletion", - "sha256": "284ee563a01f7f29092045e4942635becdd0589c17ffe37a8c962b9ebfbffb3f", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Service Account Deletion", "sha256": "c0b5b2139ac252a5f5a040125ce7feb6da78a6795c17930a7d53a36a9bb6d9e0", "type": "query", @@ -6636,15 +3311,6 @@ }, "90169566-2260-4824-b8e4-8615c3b4ed52": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Hping Process Activity", - "sha256": "b67a5ad8438ca5f03153173607bd3e2f12cf73ba352e1f3d094c85dfc7c1e7c3", - "type": "query", - "version": 10 - } - }, "rule_name": "Hping Process Activity", "sha256": "275c5faadc53a27fc71b03945db1a837d685dafdb1fbee833d33beaccb9fdb18", "type": "query", @@ -6652,15 +3318,6 @@ }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "97bd59f5a9a96e0511ded5a2da4b36c10c6d31ab327079de9f57d4e5d4a7c67c", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS Deletion of RDS Instance or Cluster", "sha256": "b262da319efb5746beecc8826686ae03f9cd47389e2eb85e480613fac84ceeae", "type": "query", 
@@ -6668,15 +3325,6 @@ }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "ce59e6b81e04017b34df77cfe4c51e18af5013272bba925a081c6fb0ee665fa9", - "type": "eql", - "version": 6 - } - }, "rule_name": "Keychain Password Retrieval via Command Line", "sha256": "9cd2945ebd1480cf2e3932c20be208d833c1ed1012856a7e451149420128edb0", "type": "eql", @@ -6690,15 +3338,6 @@ }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "cc8b23dc9d3e030eed1a44e8cad432bb0390a7e48ee21309fc4343fb3dc2b463", - "type": "query", - "version": 10 - } - }, "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "705b2cc98efd9b6fadc26af59015da9a1a3acde0f1f616ff90349e1c35dc9167", "type": "query", @@ -6706,15 +3345,6 @@ }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "63de1e69153fc3e3aa0522cbbf59b284da031bdd9b6141e5cad92dbc5aa4277f", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS WAF Access Control List Deletion", "sha256": "d37270d09912a1cb2b0c4c52be0e1d51afa32a73825cd6b42341ba2169f6b5fe", "type": "query", @@ -6722,15 +3352,6 @@ }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Web User Agent", - "sha256": "04f5138c01040d8e441e9dd1c46ec058c99e1aae3bc6bc217dc6ae2d1354b9ab", - "type": "machine_learning", - "version": 5 - } - }, "rule_name": "Unusual Web User Agent", "sha256": "bc549429abb49bff270ee96edfd60f31c6ce3021ccaa7bc858f341d7010b79d7", "type": "machine_learning", 
@@ -6738,15 +3359,6 @@ }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Web Request", - "sha256": "8ed90c2e6f751d96d7d953b317e17a7bd9fbe0af3d71eced67c8497f0e4652e9", - "type": "machine_learning", - "version": 5 - } - }, "rule_name": "Unusual Web Request", "sha256": "32af7204aca9986374ab16a8bb33e0f0ea48fd49177e499a4e48995b48b7a799", "type": "machine_learning", @@ -6754,15 +3366,6 @@ }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "DNS Tunneling", - "sha256": "875fae8098689680444090f64ddee11724bd70f2235662b4a3a3ded028769a89", - "type": "machine_learning", - "version": 5 - } - }, "rule_name": "DNS Tunneling", "sha256": "39848deb08b0bfb42017f5b6b90924fa347c0671ba07aea43b2c91a2dbeb1c3c", "type": "machine_learning", @@ -6784,15 +3387,6 @@ }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "077973b9dba0ebc75ab5c34f0b0075aa5b1517cd247e99e8b66588aadd499dc2", - "type": "query", - "version": 5 - } - }, "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", "sha256": "92861af382d6329730ce7ad9aa3cbb84a53b6e758495e2295b0ee98f6d6423a2", "type": "query", @@ -6800,15 +3394,6 @@ }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Sudoers File Modification", - "sha256": "05ff439f67984de234a47b20f014bdbbcef5f63a6cb769333c50dc9f71995478", - "type": "query", - "version": 9 - } - }, "rule_name": "Sudoers File Modification", "sha256": "f613c46321294e0f2f60d3c9ef954f4fa6e1074870bf27df228ecb690302d2c1", "type": "query", 
@@ -6816,15 +3401,6 @@ }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "07653926c326ccebd08700b72fc84eaa740a6ba547802368f559a7d9aabca3aa", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS VPC Flow Logs Deletion", "sha256": "e58cf48a9c31689fa3e0732f2c7e7876f4a98a82b7adb03e7380e22c0c820fba", "type": "query", @@ -6832,15 +3408,6 @@ }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "4f928cce10435e844d606a37b9aabd2dc953c04bb8322a2a391ea2490c7a701a", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious SolarWinds Child Process", "sha256": "70f74d16a6aa403ef6dc14f6860479cf5f78d9422e8fc59bb95814595f53083d", "type": "eql", @@ -6848,15 +3415,6 @@ }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "1e955bf6b29adf56d2b56d5c217ced6c481af84fb549f5640325bd1d4eeebb65", - "type": "eql", - "version": 7 - } - }, "rule_name": "Encoded Executable Stored in the Registry", "sha256": "9e84fcf2bf2c5d1a9f8eeceaf137aeff49b4de121b73f7b58bff3af8872214f1", "type": "eql", 
@@ -6865,20 +3423,6 @@ "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 14, - "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "5ec1e79923aaa0e99aabed335419a6c200972553ebdd4d99139bdb5bee03c8e6", - "type": "query", - "version": 12 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "213d54562eb126f314c2a6e1a102b4d4987ee2333524f5466bcf10b27609a92e", - "type": "query", - "version": 15 - }, "8.3": { "max_allowable_version": 202, "rule_name": "Google Workspace Admin Role Deletion", @@ -6894,15 +3438,6 @@ }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "4cff5c6b85db6da429555825630fa7972dbb0f8ac152b594c6c107ec398cc9e3", - "type": "query", - "version": 4 - } - }, "rule_name": "Modification of Standard Authentication Module or Configuration", "sha256": "88896f17453bba0e23b7f8e02fc585146f8b203355ce61d79bd6c0075c0968ae", "type": "query", @@ -6933,15 +3468,6 @@ }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote Scheduled Task Creation", - "sha256": "6160a0f0792097e86209482cea32782afd35428338b00cb36c0fe15245637629", - "type": "eql", - "version": 10 - } - }, "rule_name": "Remote Scheduled Task Creation", "sha256": "fe83b08773c5368d309129ccb5cb14003e86f1cacfec228694309197bb528d75", "type": "eql", 
@@ -6949,15 +3475,6 @@ }, "959a7353-1129-4aa7-9084-30746b256a70": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "214e7786508b17298b4d5e4ca8a3b769a671e4fd6ffcf746bb954095ec2d5bed", - "type": "query", - "version": 7 - } - }, "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": "fa665bce1bd5f32a457542562d74495a261571840f8e4ab39bbc2cc9cbf18826", "type": "query", @@ -6972,15 +3489,6 @@ }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "File made Immutable by Chattr", - "sha256": "ce1de12aa8f7582ef6d3d1846c6d640e0de6fa00d59ce5e60628804490b7c265", - "type": "eql", - "version": 3 - } - }, "rule_name": "File made Immutable by Chattr", "sha256": "3328aa469f5849dada41eef57ca7e79395a39fef5efb4a21882d364ea07624fa", "type": "eql", @@ -6988,15 +3496,6 @@ }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Create Okta API Token", - "sha256": "f2d80ff8056ed1820ee12746dd418047054568b123e882fb2a027450fd44c366", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Create Okta API Token", "sha256": "ae0253993e1eaf34f0186cf3d7d0f136791d0ca732c546fb7a21b737c650f6c7", "type": "query", @@ -7011,15 +3510,6 @@ }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Access to Keychain Credentials Directories", - "sha256": "5aeb0b55e7b86fec78236620f91f77e61f892206e3119251b7aa12a048000ff7", - "type": "eql", - "version": 9 - } - }, "rule_name": "Access to Keychain Credentials Directories", "sha256": "4171c6c32a44a16550e27dcaa141025405ae8d4526cb6c55da3272e456f64b35", "type": "eql", 
@@ -7034,15 +3524,6 @@ }, "97314185-2568-4561-ae81-f3e480e5e695": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "54ff733ee97e4a165dfd1039fd74be008bf78840b8c7659f031f10c84b5f8f3f", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "sha256": "df0c3ab6007ab01b0442eb8dcd1dc90c541d8fba362f7d3f9beea700be864ac6", "type": "query", @@ -7050,15 +3531,6 @@ }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "0ef7e8043ff95f5a35ab1e7a0dd0efc69ba23e525c478493718253f936751aed", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Storage Bucket Configuration Modification", "sha256": "2ec81731e02ab3036cc336d2c5e1046904c2ba1f9f673a233714fc29eae824cb", "type": "query", @@ -7066,15 +3538,6 @@ }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS SAML Activity", - "sha256": "812ed9f6bf5c927c2ba6b57066e8ccefe60290e47b5f0adeaf212f4e86625a23", - "type": "query", - "version": 5 - } - }, "rule_name": "AWS SAML Activity", "sha256": "fe597108c7e1690d7512be9915cec91345f5e7b851d22e98a4900ddb6a18ec81", "type": "query", @@ -7082,15 +3545,6 @@ }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "6075a54140551e0fd7cc6593ecc1e93225ab830101e2e6f2a85aa8cc63d87e51", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Abuse of Repeated MFA Push Notifications", "sha256": "0811930674642f59bce1c8d85be5f1106ddb3e90e70367605ba615587de66b7c", "type": "eql", 
@@ -7098,15 +3552,6 @@ }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "f77318af5a1db73ac10d7dbdfca459aa65435c32e3783ce7986396369e80b14e", - "type": "eql", - "version": 9 - } - }, "rule_name": "Suspicious Zoom Child Process", "sha256": "df3e7878e875d0ef5effdfec2f135a961c77930a6ffe994978d5e94e8965b65d", "type": "eql", @@ -7133,22 +3578,6 @@ }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 9, - "rule_name": "Startup or Run Key Registry Modification", - "sha256": "1827b7a04db141b503dcbe4bdd0c18468ccc43b937e02c76d1f2e7686d2b17ef", - "type": "eql", - "version": 7 - }, - "8.2": { - "max_allowable_version": 99, - "rule_name": "Startup or Run Key Registry Modification", - "sha256": "d7812909f8d6b7f07a49520b790a1a5d653f213f6d542753f78f0d29e06b612c", - "type": "eql", - "version": 10 - } - }, "rule_name": "Startup or Run Key Registry Modification", "sha256": "c8b658b1a071b8fc106433d112fadf48f48bbb749ab7710f31b39bfa2115d425", "type": "eql", @@ -7163,15 +3592,6 @@ }, "9890ee61-d061-403d-9bf6-64934c51f638": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "17a8ba105b28a2bef5fc9686588f3e87600600df80e9916169f33fbf80a5eb26", - "type": "query", - "version": 9 - } - }, "rule_name": "GCP IAM Service Account Key Deletion", "sha256": "a2466f68d1f31828719d60da8dbaac5f6e9fc5da8bcb2803a997f909d396024a", "type": "query", 
@@ -7179,15 +3599,6 @@ }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "7e266e3832b65302b422074a36cfda15fc068b534841ee2e41230749f897d098", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", "sha256": "6471164015e40253d0c1c8e6c4cf9747913ca95c6bc387f9a648fb04097bc611", "type": "query", @@ -7195,15 +3606,6 @@ }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "6e34ebc3b9fb35f0f03651ef649c19d89a83e00ad363000c7c13e4b320b85223", - "type": "query", - "version": 8 - } - }, "rule_name": "AWS EC2 Snapshot Activity", "sha256": "e4c1ba014526b109b89bf7e3d90aaf5b60008eba5c588834538f8180e8944811", "type": "query", @@ -7211,15 +3613,6 @@ }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Process Injection - Prevented - Elastic Endgame", - "sha256": "3026303e47b30c3d7908350f7a4909e7023eeef7c9604e3441805456e92606e4", - "type": "query", - "version": 10 - } - }, "rule_name": "Process Injection - Prevented - Elastic Endgame", "sha256": "9ab23922eb244147b8146766869d5af8629bcc869464c836e684ad7e387fafe8", "type": "query", @@ -7227,15 +3620,6 @@ }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "MacOS Installer Package Spawns Network Event", - "sha256": "612aeb08fb3d95a693c4e7b636be831969fe9f509515850d81f1c71057b17b76", - "type": "eql", - "version": 7 - } - }, "rule_name": "MacOS Installer Package Spawns Network Event", "sha256": "0d85416b1141ac31576216bd704c568335b3510628674a1b523b798864c3b6b0", "type": "eql", 
@@ -7243,15 +3627,6 @@ }, "9960432d-9b26-409f-972b-839a959e79e2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "5e6eb76f79365f2c3e22451f0586b9f7f6f2b725c4025b9e23ef42da22c5f816", - "type": "eql", - "version": 7 - } - }, "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "670dde4ffab82f84878e03371ebeeb1549d86fd165a859a6c69e897ad2c01e80", "type": "eql", @@ -7259,15 +3634,6 @@ }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Spike in Failed Logon Events", - "sha256": "7e5b5594bdac57e03898b8c51949acf659ff2c63340b3ac26bd251c9f1556196", - "type": "machine_learning", - "version": 3 - } - }, "rule_name": "Spike in Failed Logon Events", "sha256": "f8cd329cd77dad81701611abf982000271f210ae5ed80384a02137090cafe4f2", "type": "machine_learning", @@ -7275,15 +3641,6 @@ }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Endpoint Security", - "sha256": "35d86aa3177f1e13febf07e1a2921393a63e9661a1a326ef641997855f1eff09", - "type": "query", - "version": 5 - } - }, "rule_name": "Endpoint Security", "sha256": "cee77122bb31a59353a9f4b22737d0a05002244e0776613c49597c6198be5b0b", "type": "query", @@ -7298,15 +3655,6 @@ }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Explorer Child Process", - "sha256": "a385464cd3b312a278a6ef28182942b3d46b348e577bccf6b6a8dc675fb8b5db", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious Explorer Child Process", "sha256": "0edee81fdf8cb464c87acf7de5a35ccab56fee2b1eb386cf1ef63fa8e9f2d2f8", "type": "eql", 
@@ -7314,15 +3662,6 @@ }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "c64956f19906b8c5f1dea22b70e30365ac8dbb583f6003a7793b3c41ca7da876", - "type": "eql", - "version": 8 - } - }, "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "45e51ed8ec580126760672c1d7886d324d86b2f8a6f4e1a87f2b806d7361219c", "type": "eql", @@ -7330,15 +3669,6 @@ }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via WMI Event Subscription", - "sha256": "914798e110d1bb31c1ab9703cc0b301c3f7df6714b71152e6760473b06e849e1", - "type": "eql", - "version": 8 - } - }, "rule_name": "Persistence via WMI Event Subscription", "sha256": "eb42f1728537d00d54292c74de5d786a567cfac2427a529cba1bde06f09a049d", "type": "eql", @@ -7346,22 +3676,6 @@ }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 11, - "rule_name": "Hosts File Modified", - "sha256": "7781b8fa8e3efcefff36f16dedd64ea47131e917b9a753e61c95f86427a03d06", - "type": "eql", - "version": 8 - }, - "8.2": { - "max_allowable_version": 99, - "rule_name": "Hosts File Modified", - "sha256": "9d05191a051ba7015c7eba4ce4c876bb0200bbdec3739b249c89f1ce4a60eb99", - "type": "eql", - "version": 12 - } - }, "rule_name": "Hosts File Modified", "sha256": "49841a36240c8471bbffa262cd743d965df3c094190a05d526fc7ab67a405852", "type": "eql", 
@@ -7376,15 +3690,6 @@ }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "c21df2d07d7f4513ea3c3fd1f60a19ce8dae6d618d45e58cce1d5fe045a5b1dc", - "type": "eql", - "version": 8 - } - }, "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "868067cabc8a0be28a12dbfc75dfb2ce2a189cae802cdc55c6ed9ae7333b9222", "type": "eql", @@ -7414,15 +3719,6 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "6f39bcd147321071e27d48d6ee2bc4fcfdb4c5920d0bfa506839c1a81d1ac606", - "type": "eql", - "version": 14 - } - }, "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "3d75099acf12cac197ecf9f52cec25bd2b21c0b150deede93b23e825b0b65fc8", "type": "eql", @@ -7430,15 +3726,6 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "4cd8a6a7070860dbcf09cdc8a2d07796dbbbaba7c4bc67393e3a5868713f6a0e", - "type": "eql", - "version": 13 - } - }, "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "3b7e09480afd4c8012bb987bfd98b3c9122b6b410d67b0a7e9493e47575af1ca", "type": "eql", 
@@ -7446,15 +3733,6 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "0aac0eff739e989b3935785a5d9ae953c258b7e29f1dfd87cc6d1b2e06845792", - "type": "eql", - "version": 13 - } - }, "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "369134d9a4caf591a866c8b88bddee3e1d22a4b89ecb927ebeb0b20ba689b6d6", "type": "eql", @@ -7462,15 +3740,6 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "99f644d483aa7e62b116154134e64f342c68588a7e3cf31ec99fa65d355023f3", - "type": "eql", - "version": 12 - } - }, "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "c93bb046d19b2673d83b462fcb258eaa7e7bcb6689d3ef4d21558bad0a63d351", "type": "eql", @@ -7478,15 +3747,6 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "ddd272c7d3025a013cf7b4ff887e8d46913babdb205c31eb9e273a99c32f11ff", - "type": "eql", - "version": 12 - } - }, "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "19893bc21a16dbd3dc5d6c5e7d6378f5b936b8625bd33a1ea607df95a53e143b", "type": "eql", 
@@ -7494,15 +3754,6 @@ }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "f8c58299787763270b2017db703e128e0ac183a555ebf4bb1de27ec2df22c46b", - "type": "query", - "version": 7 - } - }, "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": "2b16363130628c3499ea0c544a69b708ba945db7321be177801f2713f35ee7b3", "type": "query", @@ -7510,15 +3761,6 @@ }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", - "sha256": "07200d6320009773c3e6531cd1c9c52f580218018e9ed04ebed4dce43a451862", - "type": "eql", - "version": 7 - } - }, "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", "sha256": "4bb17ce04a0b54f7dea8aa6679836b5b8f3748ed408471a6fe1aa79312c7b519", "type": "eql", @@ -7526,15 +3768,6 @@ }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "939fb37f3245d63c1e25753987fcf1b542e5e60e2f84d4dc26226d40be958420", - "type": "machine_learning", - "version": 3 - } - }, "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "ee7a670efc2b0e1959a07caec32358b0f64a99a955dea14625db16c4cf2ae32d", "type": "machine_learning", 
@@ -7542,15 +3775,6 @@ }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "ec8cfaef587d9072c573177fac91a6ab6d196e321bfb0d0f785e0d70aa0782ac", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Protocol Tunneling via EarthWorm", "sha256": "e4c1a0bf7dd6c58ea91fd55c73fcaa1ecf66aacd4f5e558565b78f100aa12f08", "type": "eql", @@ -7558,15 +3782,6 @@ }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Credential Access via DCSync", - "sha256": "345ac7678d26ee9d3db9adf2161f06a608f43a368ecb4f865a886d5ff757e776", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Credential Access via DCSync", "sha256": "5cf6d06db229af673be388f69c507b9e4b53a847d47ce9f7fc72f715b6ee31a3", "type": "eql", @@ -7574,15 +3789,6 @@ }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "File Permission Modification in Writable Directory", - "sha256": "16cfbbcd52c7b8f485e51e3cad277ee20e1a5a59a61059cb884a61e67cc8ba1b", - "type": "query", - "version": 8 - } - }, "rule_name": "File Permission Modification in Writable Directory", "sha256": "5f6bfe781b9aeb2c51c469922c8b2b52351efbe6ae28b355fd9995b61f4d35f4", "type": "query", @@ -7591,13 +3797,6 @@ "a00681e3-9ed6-447c-ab2c-be648821c622": { "min_stack_version": "8.6", "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Access Secret in Secrets Manager", - "sha256": "6d7151b8ae711435d5a3f87fe51fab04baafb6d64e43e891e98e48fea42f82a8", - "type": "query", - "version": 8 - }, "8.3": { "max_allowable_version": 204, "rule_name": "AWS Access Secret in Secrets Manager", 
@@ -7620,15 +3819,6 @@ }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "f7db93b2082fa3611d64a119be89368e720bc1c9611f9fc78b024e67030c20cf", - "type": "query", - "version": 10 - } - }, "rule_name": "GCP Pub/Sub Topic Creation", "sha256": "39331a05f09f2185ae8b0c59d5ccbfb69feabd51cd56e072a6f31e5411ba8db3", "type": "query", @@ -7636,15 +3826,6 @@ }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "49819033aefa5809fe297a7693313d5736b3dd7f1cf9c75b6e2d3bf510ff6379", - "type": "eql", - "version": 7 - } - }, "rule_name": "InstallUtil Process Making Network Connections", "sha256": "d60176113e8082f6c2621d07cb3776d4e641604dd9353f03ab440f19ee62728c", "type": "eql", @@ -7652,15 +3833,6 @@ }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "File Deletion via Shred", - "sha256": "17e1166f1b8127f46a21c291885ad5397ddfec70435ffe0dd21873b74f3afe3c", - "type": "query", - "version": 10 - } - }, "rule_name": "File Deletion via Shred", "sha256": "4d9c285a64e5d48f5d56c73627512b1cf2fef4ad48ca8c5559bc9e7f5244c046", "type": "query", @@ -7668,15 +3840,6 @@ }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "5555c7321afa2efb68bb89aa1d082f8724038437b936b26bb609f2993898d85d", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "3202f6425bcd3370e2d52fdcc5393a1b395652cb20d37ae9885a2b20e08013e5", "type": "eql", 
@@ -7691,15 +3854,6 @@ }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "b5ac65a63f581957f074015ba818a2b1dd5427f1195bdeea848eb558cf8bf62a", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Virtual Private Cloud Route Deletion", "sha256": "6eea295d8671e2068144b62de3cb85d6ff58e5e0bbffac1eef20f6875fa46f1d", "type": "query", @@ -7714,15 +3868,6 @@ }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "2791d8f9a164a800f5e848c702d3ab0456c8298a4ce580e944cc05531deabe31", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Reverse Shell Activity via Terminal", "sha256": "0ce306c8954c9e8f5f08497de7dc877d455e2526cfcd8ee25d7f5a1eeb5c6b9e", "type": "eql", @@ -7730,15 +3875,6 @@ }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "1e40e74617b19ed7c7e61596961acef067e9aa8e925c41d24e23055b29940180", - "type": "eql", - "version": 6 - } - }, "rule_name": "DNS-over-HTTPS Enabled via Registry", "sha256": "32cedcd20b63b1285814e5814b01653f6cc6427b9feb4e7b813bac95f9101b25", "type": "eql", @@ -7769,15 +3905,6 @@ }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution via local SxS Shared Module", - "sha256": "046dfc582f23167ace33f512ae4ba61f612f57fc61790894f76d786f60f8ba97", - "type": "eql", - "version": 8 - } - }, "rule_name": "Execution via local SxS Shared Module", "sha256": "ceadb1271017ef280aabca7d058a1a347de2eb376769356096710698d4b7298b", "type": "eql", 
@@ -7785,15 +3912,6 @@ }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "80d3c23f3267aac09f575e38679ce6ab8784d74f599a8ec2897a6a4bcde48932", - "type": "eql", - "version": 4 - } - }, "rule_name": "Windows Registry File Creation in SMB Share", "sha256": "eaec67974395526b30861028834bb4553c34bbbba4ebe30114ccc121e4a3a6cd", "type": "eql", @@ -7821,15 +3939,6 @@ }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "e2f36dfdc3de9b8ddc22f7495e8eb3580b8b1ec1da46bf8d928c199b6aff8d0e", - "type": "query", - "version": 8 - } - }, "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "9128759fa2e3b1f321f9075878bd897dae7b713889986ef0fc81d87469d8f62f", "type": "query", @@ -7837,15 +3946,6 @@ }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Active Directory PowerShell Sign-in", - "sha256": "15f50bdcf18bdc3641481a853f0e2fc7fbe8c854fb6d2d87f02df72ff951989b", - "type": "query", - "version": 7 - } - }, "rule_name": "Azure Active Directory PowerShell Sign-in", "sha256": "32f30633093a69a2f6fb9a2e9e11c9c6bec8b28a8a24f17105341fe4a18c4267", "type": "query", @@ -7853,15 +3953,6 @@ }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious MS Office Child Process", - "sha256": "e7b0b665d598b698f1d35c1ac96720ec586a4c822557256efcea65f282b86cb6", - "type": "eql", - "version": 14 - } - }, "rule_name": "Suspicious MS Office Child Process", "sha256": "8e12431693eb5a942e10237a00ad6ba1a5749974d729f0565dc03e38f95b8d99", "type": "eql", 
@@ -7869,15 +3960,6 @@ }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Emond Rules Creation or Modification", - "sha256": "bc7c01fa88f13cae39e43bc396abec202e2b39eb703151c6658fff5bf9e10990", - "type": "eql", - "version": 6 - } - }, "rule_name": "Emond Rules Creation or Modification", "sha256": "01eeb561917736b663155fda041f3bf52282753d19424aa8f79fd2e26a540ef9", "type": "eql", @@ -7885,15 +3967,6 @@ }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious PrintSpooler SPL File Created", - "sha256": "c90974ac2dccaf21eef2a449d1974be7945e5716d893050f5f5f707fb76bd13e", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious Print Spooler SPL File Created", "sha256": "4519e1b0a131f527bfd923205c61c87592da52bde9a0b9af496f893f7b5eb940", "type": "eql", @@ -7901,15 +3974,6 @@ }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "bef335b8bcaff439fbf5df2b472483b38387be36ac81045d5ee346a6b34930d3", - "type": "eql", - "version": 9 - } - }, "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "5fa7ca6b50434e3d3e12556d879f6afb5ad272d323720e45aa853184e26c7914", "type": "eql", @@ -7917,15 +3981,6 @@ }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": "1f59c0bfab965460c7fea8706f18a0768cca899c0403ed1110a2d274c6727b1a", - "type": "query", - "version": 10 - } - }, "rule_name": "Web Application Suspicious Activity: POST Request Declined", "sha256": "36617ec8850ae04feba7b8e3f638dbd57f270919fc6fe0f7e8fd1ee32c922bb5", "type": "query", 
@@ -7939,15 +3994,6 @@ }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "8bcb179876e491dc57dcb74d2471a21b560fabcada15d9c803e602b45a1e1e70", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", "sha256": "fca5d6db063f33419f452eb6aafee03ae9dd503fce594e4a95d73d86620c04ee", "type": "query", @@ -7956,20 +4002,6 @@ "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 15, - "rule_name": "Google Workspace Password Policy Modified", - "sha256": "c6815b312e514dde1e95bfba50fc831bfbdd71cde761c45cff9928ddd5251005", - "type": "query", - "version": 13 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "Google Workspace Password Policy Modified", - "sha256": "c4909172dfd50108f0abed3aba686e685089632adfc228255d684fb7b32e2c7d", - "type": "query", - "version": 16 - }, "8.3": { "max_allowable_version": 202, "rule_name": "Google Workspace Password Policy Modified", @@ -7985,15 +4017,6 @@ }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "0961c6edc3675ce139252e031dda275f7c2713ef3d76bfa44040aefb2afa7efc", - "type": "eql", - "version": 8 - } - }, "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "a6dd44b10e5c7f448ed3f9baf76f29c0fb3c9a9c24efa20eb09636623532714f", "type": "eql", 
@@ -8001,15 +4024,6 @@ }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "f3e51f33c8c8fda2a728a1e73185ef757441a7a1fe4d4c7e057ba1ba00e8fd4c", - "type": "query", - "version": 10 - } - }, "rule_name": "IPSEC NAT Traversal Port Activity", "sha256": "db21fad431416ec9441e3ecc36899ed7f07150934597bad7fea0821595ba12f1", "type": "query", @@ -8017,15 +4031,6 @@ }, "aa8007f0-d1df-49ef-8520-407857594827": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP IAM Custom Role Creation", - "sha256": "04d6d20db9c8c8bbd98a77b090067d46efc0d6091ef0abe5e63bb6798f7c803c", - "type": "query", - "version": 9 - } - }, "rule_name": "GCP IAM Custom Role Creation", "sha256": "a4d7dce2e29fe7b02e7830250371c8111429f94a310ae4d93b1c7cabae14bec3", "type": "query", @@ -8033,15 +4038,6 @@ }, "aa895aea-b69c-4411-b110-8d7599634b30": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "System Log File Deletion", - "sha256": "9a47a157326055c14e4487b55a906009c79e7e0b45fb280ccbef121b35e74e8e", - "type": "eql", - "version": 8 - } - }, "rule_name": "System Log File Deletion", "sha256": "48c7492979a445ea4f8bd98f35515c5f7de53face5ae9972943808641bb7575d", "type": "eql", @@ -8049,15 +4045,6 @@ }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remotely Started Services via RPC", - "sha256": "e9b84550c8017aec72d49f15fe13c67df843abbb87d04fdce004e54d174ef69e", - "type": "eql", - "version": 7 - } - }, "rule_name": "Remotely Started Services via RPC", "sha256": "27a5c3b30a6e218c403b3affee3bbe07de0225fe6ef40b91886e67cd8c6aee96", "type": "eql", 
@@ -8065,15 +4052,6 @@ }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote Execution via File Shares", - "sha256": "a4fa795f24e1eecf02164092ec16a99174eddb8733615dc448b876ebd08b8426", - "type": "eql", - "version": 4 - } - }, "rule_name": "Remote Execution via File Shares", "sha256": "bcf37193b803502f5e47a1d8e0671f594ce04190cdc6584ecf21dc98d76cf49d", "type": "eql", @@ -8081,15 +4059,6 @@ }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "c8bab792d5a0d3d62e1447a105d4446258611cda4cb8a9e4b694a0d514c93728", - "type": "machine_learning", - "version": 3 - } - }, "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "48b7ed93493e8875a2c2ede6a3fd2044fe824f52866a3f31b744be58db822345", "type": "machine_learning", @@ -8097,15 +4066,6 @@ }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Persistence via Login Hook", - "sha256": "f182d2a5e737be7c35daf36c8ca3510919c2bf6cfc2379711b3a866f4069eac4", - "type": "query", - "version": 5 - } - }, "rule_name": "Potential Persistence via Login Hook", "sha256": "1d4ac527e77495e19a5d1fbf36e2a8ef924850e1c660f68fb67e352c2c08749d", "type": "query", @@ -8113,15 +4073,6 @@ }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "2ba82e2240cb3b0213c5617a7d13fb0bcb0047fdd6f3b7d46f12aae06d22e472", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious WerFault Child Process", "sha256": "da2001616e1048063e4ecc6b27540d9d919abe9a5122b1e1eede9724a812f0db", "type": "eql", 
@@ -8129,15 +4080,6 @@ }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual AWS Command for a User", - "sha256": "bf21bf3820a8d1fcbad4e7592d7c82a26e944e5b846959633030809fbd449532", - "type": "machine_learning", - "version": 10 - } - }, "rule_name": "Unusual AWS Command for a User", "sha256": "434f66b15154b5fc46edebb23f06a6cdd5bdb969c2436d50b9566fe72c87f977", "type": "machine_learning", @@ -8145,15 +4087,6 @@ }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "a342bfd3e7aa4925926c7efd91db9ecc8442cdeb5c66dbbcf772092e1a2d55cf", - "type": "query", - "version": 4 - } - }, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "27c36f908231f3c0c27244127648e542bae699ca5bbdc818b7e144eaac9a807b", "type": "query", @@ -8162,20 +4095,6 @@ "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 14, - "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "sha256": "cb726260cbf8b5a0f646d56b06b9be07fc0ff6fb2efbda14ded64114e8e1c32f", - "type": "query", - "version": 12 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "sha256": "e83a4b6239ffd937ca01ed100a5d9d4f28967445797a34ee411768d8991f212b", - "type": "query", - "version": 15 - }, "8.3": { "max_allowable_version": 202, "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", 
@@ -8191,15 +4110,6 @@ }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "ecf39233d5f53c119cd57516c3b0ad7c0bc09ff58fd279a47a28d5b61f6c10e1", - "type": "eql", - "version": 7 - } - }, "rule_name": "Potential Command and Control via Internet Explorer", "sha256": "34465804636f17f691ad337779ed0788d8ba33e6a9a55958bc31ae23c790b663", "type": "eql", @@ -8207,15 +4117,6 @@ }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential SSH Brute Force Detected", - "sha256": "d29b62554e453edb9dea6a8ac0d579c62aded9e00bd9d832e71760d5738d5c1e", - "type": "threshold", - "version": 4 - } - }, "rule_name": "Potential macOS SSH Brute Force Detected", "sha256": "df6c7d1cb4f52b5fccbde7e700a27c9e8c7f404d580ed9b0470a62b90aad957e", "type": "threshold", @@ -8223,15 +4124,6 @@ }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "a357b9a510442209bb5f8d23dabe74e4309831848d7ac1c52301f236013ec19d", - "type": "eql", - "version": 7 - } - }, "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "60248497fd1daced2cb5646713792de68b3161c5d3793b42bd85ac0e4c6fb324", "type": "eql", @@ -8239,15 +4131,6 @@ }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "d429e915fb2c4125fb4990d0e489102f961dd33224c3e70220b15d3751903824", - "type": "eql", - "version": 5 - } - }, "rule_name": "Signed Proxy Execution via MS Work Folders", "sha256": "4fa999e2f00c53e0a1c79484bd2c7127bbbdc6b9e48a97a097824a4b25f8e766", "type": "eql", 
@@ -8262,20 +4145,6 @@ "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 14, - "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "d1b026666d40c609533cf8728001d959fbf822a6ea704f9471b93c1e1bc79142", - "type": "query", - "version": 12 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "c8bca11e5b1732bfc4bffb9bf1377db165824c647a7bc60bf84ec0f947cbde14", - "type": "query", - "version": 15 - }, "8.3": { "max_allowable_version": 202, "rule_name": "Google Workspace Custom Admin Role Created", @@ -8291,15 +4160,6 @@ }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "b70e724e7ed3a0764f4e30d64fa85314bc7819636d9f82c92bd6a72ecb0e9904", - "type": "query", - "version": 9 - } - }, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "1df2ab2a653d16a52a82ad91d15f97aeed28529d01b5dcb1f6f370d49f392527", "type": "query", @@ -8307,15 +4167,6 @@ }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "8eb1433d514c8bcf8670859a3904ff86b03e31f4050334e9bb5fe33dbb5b35fc", - "type": "query", - "version": 7 - } - }, "rule_name": "Kerberos Cached Credentials Dumping", "sha256": "f268fe3a948e269e6ae40dd3eeaa549e0352160e6948b2b9e13208fb3e1e6191", "type": "query", 
@@ -8323,15 +4174,6 @@ }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Netcat Network Activity", - "sha256": "31a31c303f07c9556120cb94db7f8c7ebfb77cc7a363376fe5262ff8f5e2c07e", - "type": "eql", - "version": 9 - } - }, "rule_name": "File Transfer or Listener Established via Netcat", "sha256": "6ce21eb4a25106ec68f181c623bf6c23db184c87f91db459833144fb79f4eaed", "type": "eql", @@ -8346,15 +4188,6 @@ }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Local Scheduled Task Creation", - "sha256": "ea88687da0b3e350cbec589c89e6b91be2999547a3762f95b3ee42423842539b", - "type": "eql", - "version": 14 - } - }, "rule_name": "Local Scheduled Task Creation", "sha256": "16bdf378c631a5bc67c46eb5eeee152adfc662f073cc73307c98c91d71949064", "type": "eql", @@ -8362,15 +4195,6 @@ }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Timestomping using Touch Command", - "sha256": "03332052d7bcda03a20798da8475f4f192d2d0f46af22fd17630ff8952aab524", - "type": "eql", - "version": 9 - } - }, "rule_name": "Timestomping using Touch Command", "sha256": "d166013b261b74467ebee38865be0b81a1b072511ea74b4560ef8c0910aa8f07", "type": "eql", @@ -8378,15 +4202,6 @@ }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "6019d3a7c04e868bfcd2a4ce5b6be1b4dad353849b67a12816d62c13d0db55e1", - "type": "query", - "version": 4 - } - }, "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", "sha256": "7c237a00f6b0bd6345322502b9421a457adcd3dfec66e2ecddcb6f02c1390b6d", "type": "query", 
@@ -8400,15 +4215,6 @@ }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Spike in Network Traffic", - "sha256": "64955fd74b359a0ab411b632bce3bd9f4520f486fe3a1b7a16e7f4973faf8417", - "type": "machine_learning", - "version": 3 - } - }, "rule_name": "Spike in Network Traffic", "sha256": "99f13cfefc0aac135a5f88de5a7fd942edb6de9af03bf90a2d113891d9e701ea", "type": "machine_learning", @@ -8416,15 +4222,6 @@ }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote File Copy via TeamViewer", - "sha256": "bbbe884c4ab21c2cf6da78196dbe4840ac39e83bbbfd9c7b989da641d7ecf781", - "type": "eql", - "version": 10 - } - }, "rule_name": "Remote File Copy via TeamViewer", "sha256": "65df60e0889afe79423296f3c8806b32a0e2809c4cf8c4d40bac64e472316baf", "type": "eql", @@ -8432,15 +4229,6 @@ }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "c15e0ca82179bc61cad6e21dcecf05156532d48168c2e929eb9225e9929bd54c", - "type": "query", - "version": 5 - } - }, "rule_name": "Microsoft 365 Unusual Volume of File Deletion", "sha256": "f9ce2b376d71fa22fe26823243794720d947aafa6bba580615d431c8cce57a99", "type": "query", @@ -8448,15 +4236,6 @@ }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Network Connection via Compiled HTML File", - "sha256": "15eb788d4a9800bec206ecacd72fceec547ba4fffccbf3f1860e532c9e9dcf2e", - "type": "eql", - "version": 12 - } - }, "rule_name": "Network Connection via Compiled HTML File", "sha256": "0725c3c6d24dee6e5512b6843cfb2ebadd86bc7856429f1f33b3b99008cba6d0", "type": "eql", 
@@ -8464,15 +4243,6 @@ }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Linux Username", - "sha256": "e25a73b70b17529d8b55a00fffc8d8519098a3374280fad8d7081623383fa6eb", - "type": "machine_learning", - "version": 7 - } - }, "rule_name": "Unusual Linux Username", "sha256": "01193f7ed89fad98180b094c7146c46de3796d8745d46cbe6c449db4088ec7d2", "type": "machine_learning", @@ -8480,15 +4250,6 @@ }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "bae454d37c97afdf6c1303e06d1e2bf81e178a7ac750f24c8fe9702a1fccd249", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "83e947fc35dff830be5b5cd29417299fa279a14a026b0c1c7058c3ffd6ea53d1", "type": "eql", @@ -8503,15 +4264,6 @@ }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "d12bd7983ff5fe776653f790d4e8ee2333413bf1e652396a00e96742ae0ed425", - "type": "query", - "version": 4 - } - }, "rule_name": "Potential Persistence via Atom Init Script Modification", "sha256": "c430ef974906fc71fbd4a42a6350e5c5319aa46403ddf098562c5c74bd44e031", "type": "query", @@ -8519,15 +4271,6 @@ }, "b45ab1d2-712f-4f01-a751-df3826969807": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "a16c71cecd3c18625bcda7dcb6b779b65910eea51f4833319401d2b876751d1b", - "type": "query", - "version": 4 - } - }, "rule_name": "AWS STS GetSessionToken Abuse", "sha256": "ac030d5a556d8f95bf724fe2b9d048c88b03206120394193c95000b53c16d84d", "type": "query", 
@@ -8535,15 +4278,6 @@ }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "6117d395132d33dcb37abc399f31be1ec36cb113a46014969e3e8c346de92241", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "28b42be958d0bf8a397306dc7f0cb14cfdbe0f0eaccb5755c9de565c0880d356", "type": "query", @@ -8551,15 +4285,6 @@ }, "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Clearing Windows Console History", - "sha256": "38d90e293ad91df8f5b8d1b50f36ccf4ae6d4c025e1a72f7b44ee1c8cb296950", - "type": "eql", - "version": 7 - } - }, "rule_name": "Clearing Windows Console History", "sha256": "92354672c1fe3a755d17eef49c0efd019232b082a59cc56d88731a2ee2cdc490", "type": "eql", @@ -8567,15 +4292,6 @@ }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "d7ea25e3433ca8f64f4699dda914009c10dcad92b0f1eeb1bc71a13391a2560e", - "type": "eql", - "version": 16 - } - }, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "aedaa368fd725d5278502b6d511e62e5a1bbf96e126db36da08b3129a97aead3", "type": "eql", @@ -8583,15 +4299,6 @@ }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Elastic Agent Service Terminated", - "sha256": "bbf62b64c2be8fc69c5cf32a50509ac3984131a165cf3c4440aff53a0bedb78a", - "type": "eql", - "version": 4 - } - }, "rule_name": "Elastic Agent Service Terminated", "sha256": "880308f389f72cf7aa685439c096f0f36ad2470ac1db401751d081f2aeca783f", "type": "eql", 
@@ -8599,15 +4306,6 @@ }, "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "239fc0484293f38ab48bea2184b5897df6fddbc7c1088d9ee2995547d0f72ec8", - "type": "eql", - "version": 5 - } - }, "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "3901f48f76e370578fb6e859e02ecd8b2f2466dba437a6516ba406a6f2e7591c", "type": "eql", @@ -8615,15 +4313,6 @@ }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Event Hub Authorization Rule Created or Updated", - "sha256": "cda9d6420803eeff9b35d9028aa6935ff4d213c1caa90595097960c9e1acd8bb", - "type": "query", - "version": 9 - } - }, "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "dec0e528ce72f07f7bf7bea01a9998937ee8f566408acb58fc234f02e7a2ca70", "type": "query", @@ -8631,15 +4320,6 @@ }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "60164749c3210d3649e58a3e25f0cd7d7ba346fcabafc30b70aa5bfd1c7f953c", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "e80ff50996cd7da0cca7153e82a4a23ac280c4f59a61b07d8502cd37ea7573c6", "type": "query", 
@@ -8647,15 +4327,6 @@ }, "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "caf8faad9c8fe37979f1c02c18d19d948a17fae64f01a8e5cc016a50f1cf76da", - "type": "query", - "version": 9 - } - }, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "232980a0baea2530b71daf1953c4957e214ab632c7911fbdbf3ff40ceda34c98", "type": "query", @@ -8670,15 +4341,6 @@ }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "25a1de83681ef1540f609d3490620ba344894b74b2ee92d4ddc0bfb84a6b45b1", - "type": "eql", - "version": 11 - } - }, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "1c3cfd6e70e03d9f721112f45395b73693dc939e2acab4b03a9fa8d286b91b75", "type": "eql", @@ -8686,15 +4348,6 @@ }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Network Connection via MsXsl", - "sha256": "6569c4c09b7707943f2abd68297581a9b96cda43f2749734235e476c970787d4", - "type": "eql", - "version": 9 - } - }, "rule_name": "Network Connection via MsXsl", "sha256": "6f4e5d8e7100430b720f9d75f74e240dcc1474460f6567531b8f636055889138", "type": "eql", 
@@ -8702,15 +4355,6 @@ }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "c331e0a716974ea21eae76d7b37f16e0f6b158e79b198cd009dcb38f562d1a90", - "type": "eql", - "version": 8 - } - }, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "b9146ca7a8ae489fe08a62e90cffb9ad87527f6c26aa8baf96c17ccacbc0990f", "type": "eql", @@ -8718,15 +4362,6 @@ }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Chkconfig Service Add", - "sha256": "bbf7065cbab3cc380cef1f9b3ef2e40c2686e1d5202252f23cd544a516877b0d", - "type": "eql", - "version": 3 - } - }, "rule_name": "Chkconfig Service Add", "sha256": "22dae901276ac8169daa63f07a6d610aadb6877bc6c432e80deea84a99766539", "type": "eql", @@ -8741,15 +4376,6 @@ }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "1d211f0a0697815ab2ee20f20ab3163fb61e42278fa4b5921bbad99efa68634a", - "type": "query", - "version": 7 - } - }, "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "42bf637587d3a8f91b83809d1d84296590538b74a70d6184fba7d1c8900ad6e4", "type": "query", @@ -8757,15 +4383,6 @@ }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "285891514c70f9a4bdb265d76d50a0dea755e00ad2f1ea37619fbc8450287422", - "type": "eql", - "version": 11 - } - }, "rule_name": "Creation of Hidden Files and Directories via CommandLine", "sha256": "1bbf4461fdf126c189e3b5f47739fe17e55b71d13f0d3cd1405114ec39de703e", "type": "eql", 
@@ -8773,15 +4390,6 @@ }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "873d27c6621fc80c5c4890000abc5ee63099a0a04a7f19ad10551de3ecf660e5", - "type": "eql", - "version": 8 - } - }, "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "82a96d5f82420d8607068f6c4d3d2a2e8ed3ad8e073c18c8d3cf038df47684a9", "type": "eql", @@ -8789,15 +4397,6 @@ }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Windows Network Activity", - "sha256": "e902d7fb397e08212a5197fa5dce5708b07375ee8b7ccc2719b0633e9b8c27e3", - "type": "machine_learning", - "version": 7 - } - }, "rule_name": "Unusual Windows Network Activity", "sha256": "28f3dda84fe5d9628a2900149091b133ce911b7e2d8b1bec1cf45a9470580d0b", "type": "machine_learning", @@ -8805,15 +4404,6 @@ }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "fd7ce2d2723ab08731ea17180d65559e6f7a5c93cdcdf4ab2406d05846bf37de", - "type": "eql", - "version": 7 - } - }, "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "584a7e12af0417fdc6f0da462e0c303fee17e8db52b08e0404be3fc8fc57c14b", "type": "eql", @@ -8821,15 +4411,6 @@ }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Resource Group Deletion", - "sha256": "225a663f235910ed9a74eb8ff36cc51095ab83677e3d8daa8954da29de2b6b62", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Resource Group Deletion", "sha256": "3b25861f68b1100642f9a3ed68c945e918ce6d65b653ee7d065ec2ab7378a294", "type": "query", 
@@ -8837,15 +4418,6 @@ }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "4025a11d274c2ceb96f009a6c57bf9fc493e1d91258bb40b290cc42a39464630", - "type": "query", - "version": 9 - } - }, "rule_name": "AWS EC2 Encryption Disabled", "sha256": "3641d409b9d87793b22eedba3f45c34c83c7ce1e23a4f193be7ce0932d502f08", "type": "query", @@ -8853,15 +4425,6 @@ }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "OneDrive Malware File Upload", - "sha256": "2046461085f32a7b72d00a3fc9d855150e46efce819a90720a13f1cafdd9f451", - "type": "query", - "version": 4 - } - }, "rule_name": "OneDrive Malware File Upload", "sha256": "271d10e5de2e8992afac079441588c01bb4fea4985be37207a4f63cd14de73f3", "type": "query", @@ -8869,15 +4432,6 @@ }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "337779ecd316649e262c7e31f4d0f28ab285571f1cd3c8f3300f11ea579e9dbe", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", "sha256": "93d1b13957ac532ad6ab4712072ffdbed8a3d3107e6aec621b72742431d1c5af", "type": "query", @@ -8885,15 +4439,6 @@ }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Root Login Without MFA", - "sha256": "e41c94e88ce170a7642375c19b31680ecb8cb01b057519518c2e27ddf5dbbe43", - "type": "query", - "version": 8 - } - }, "rule_name": "AWS Root Login Without MFA", "sha256": "f44458332d5b2a8144fd1ff683271a6e8b0fd33390d5406cd93943230f50d997", "type": "query", 
@@ -8901,15 +4446,6 @@ }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Storage Bucket Deletion", - "sha256": "abccd332b70f7792ac3df97f8a8c7b820f8318e6dc845c71ee3a00c7fa72d21b", - "type": "query", - "version": 9 - } - }, "rule_name": "GCP Storage Bucket Deletion", "sha256": "9332e726255150ff772a979737bbc1b3eaf0bd72447c471aa13ad44c6b82929f", "type": "query", @@ -8917,15 +4453,6 @@ }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Install Root Certificate", - "sha256": "8a2581f2613198e069bf50428befcccde626bde5c3329f7dd6799ffef0e2b66f", - "type": "query", - "version": 4 - } - }, "rule_name": "Attempt to Install Root Certificate", "sha256": "ad822fb37207c4736738cd0b68015ee7a93e153ba5f5396b0b17b22f72834288", "type": "query", @@ -8933,15 +4460,6 @@ }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Conditional Access Policy Modified", - "sha256": "0d5f7f7cd950530e43f8061422946c3ed98864c5d7f4e2a7b70ecbd0043b4dea", - "type": "query", - "version": 9 - } - }, "rule_name": "Azure Conditional Access Policy Modified", "sha256": "7d464f589cef8e69158a8ecfcec8ad0e0eb6b9100e4e8a046bc9d7d8331e9e65", "type": "query", @@ -8956,15 +4474,6 @@ }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Service Account Disabled", - "sha256": "446316b8793acc21c065843e48659dc5c0741e50b48348c42d8091ead70aaf88", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Service Account Disabled", "sha256": "c8ec2de9a15f80aae8f4403606fb0076e026ce39a90c23a0e6fb6ef2a52d4a5b", "type": "query", 
@@ -8972,15 +4481,6 @@ }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PowerShell Keylogging Script", - "sha256": "055b0cdf7f95c9f6a820c512ca9e97a7ff34a41bef1599875091ab66422a238e", - "type": "query", - "version": 8 - } - }, "rule_name": "PowerShell Keylogging Script", "sha256": "aac89039eac0eb4275d4cef9ac3feccf158712f692af79d0a01d3199e97450e2", "type": "query", @@ -8988,15 +4488,6 @@ }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "d32226f39b805f0d3b878197ce1e5edefacb3256c64e3e9202c9471e13b4e3c9", - "type": "eql", - "version": 5 - } - }, "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "815fc2bb90259f1b309040431e26fffd4189a0cba6ff5a2cc4647bbd6a6f51bf", "type": "eql", @@ -9004,15 +4495,6 @@ }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "015745600463e9a1d6e2dcb6b06f3e8a1734b07afbb6d7b4af670462e85f6a01", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "eb53ced03a788f015585b601920f6f4a160c560a1c8f42301116264368e9fac8", "type": "eql", @@ -9020,15 +4502,6 @@ }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "c108531ffe8d2942cfd96060e577320ddea84961b41d8d0dc4f3184028a7e558", - "type": "eql", - "version": 7 - } - }, "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "2cb4d66c727d0c55f63b84fa581c3f4905fe59b68ae1b74485958db2fb151dce", "type": "eql", 
@@ -9036,15 +4509,6 @@ }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS RDS Snapshot Restored", - "sha256": "407e232dcb7c87839e92e728b33fdd7802cd70f413d313d516e801c854217b38", - "type": "query", - "version": 6 - } - }, "rule_name": "AWS RDS Snapshot Restored", "sha256": "dc266c4bd0ab5ec7da7930d71dbddc2e5fd6140391287b6e5cf7737ff8c9fff5", "type": "query", @@ -9052,15 +4516,6 @@ }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "43df78621e41de3c8e5e86c1af48d514b045d358635229ba8a2fd0f7cc3490f8", - "type": "eql", - "version": 7 - } - }, "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "5294332a5580dd96c49e17f6059f4b6360f0a11cc6e55161d70ebd376d4663f9", "type": "eql", @@ -9068,15 +4523,6 @@ }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "e38b278f03f4d9550032ce5e2c148ddf1f16e61c50f97af58dc6383df83f80fe", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", "sha256": "3a1954f8a404171626cb1568b08be97608f9a5b5e7e6d468a58d399fff0f615a", "type": "eql", 
@@ -9084,15 +4530,6 @@ }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "eaaa0be08f9c816cdd87eda6ace86ee28b68147a27fb74acc5575b89f6b297bf", - "type": "eql", - "version": 10 - } - }, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "0eb06918abad405e01f9dd17b738297b8b83a53192d327ae7d421717d936eb54", "type": "eql", @@ -9100,15 +4537,6 @@ }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Credential Manipulation - Detected - Elastic Endgame", - "sha256": "ebeacb47380be9a09a9d1eed5566517aca491c5c2d96341e0e7638da0f325dc9", - "type": "query", - "version": 10 - } - }, "rule_name": "Credential Manipulation - Detected - Elastic Endgame", "sha256": "8d36cb1bb98e55bb4e2ed2cf06aac2db1e1f3a86b9c99dcc91ac589074a780b1", "type": "query", @@ -9123,15 +4551,6 @@ }, "c1812764-0788-470f-8e74-eb4a14d47573": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "beef9e00937e345042597f3ed53542f76ca08838731a5f61c294fb65b1f749b7", - "type": "query", - "version": 5 - } - }, "rule_name": "AWS EC2 Full Network Packet Capture Detected", "sha256": "54cfb36ceee93e2ee85527b5272459f7146e59a5666f6a04718468b96bab5fa1", "type": "query", 
@@ -9139,15 +4558,6 @@ }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "5d7466ef9e04c7cd2d7070b0824a4df93383dc6a3bb31abbc7becc064a38a057", - "type": "eql", - "version": 8 - } - }, "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "3528eee51387c5e883a3e1b3f06f73293fa3e882385a02b8b898e85b84ca69ee", "type": "eql", @@ -9155,15 +4565,6 @@ }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "711dd36c9d0eca5be33613044ab9de38bdc703b51e619c57abd6125385dc7bb0", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "8f8f08af2bed9cc6fcfa6e66fcbec7c3517d0685d5adf8acc7ae1999ce7a6f87", "type": "machine_learning", @@ -9171,15 +4572,6 @@ }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via Folder Action Script", - "sha256": "2b60a88bd670e6e1ee0b80ff257f00a7f4e3d30c07ea6d3795398989840050cd", - "type": "eql", - "version": 8 - } - }, "rule_name": "Persistence via Folder Action Script", "sha256": "a067d1223811e423cab7856feddfffdaf3bb0f7c2ae96b5c63ba6932e47e9a2b", "type": "eql", @@ -9187,15 +4579,6 @@ }, "c2d90150-0133-451c-a783-533e736c12d7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Mshta Making Network Connections", - "sha256": "c02ad5adbafb5f0e2c94101b9d8ff86a48baaa9d36ab95c07a3df386963df3c0", - "type": "eql", - "version": 8 - } - }, "rule_name": "Mshta Making Network Connections", "sha256": "9541529a97512a00d4aaaf051cb98af4785b44ea77c37bc172856182e7a6c62e", "type": "eql", 
@@ -9203,15 +4586,6 @@ }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Permission Theft - Detected - Elastic Endgame", - "sha256": "d678380453e0f0b6769da30e54f6a9ff1b02cdfd3c9f44817f5e52c3f76eccc6", - "type": "query", - "version": 10 - } - }, "rule_name": "Permission Theft - Detected - Elastic Endgame", "sha256": "8c71d85fb8e7ca57ddb9f334300043978dd5976f7efc1d0ad06d561ea9cad9b9", "type": "query", @@ -9219,15 +4593,6 @@ }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "59903aa0ee2b98dd7b68d87048b5cac465cb91b05eaa78dbd066f43cc692a1b9", - "type": "eql", - "version": 5 - } - }, "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "5fceca86424fdaae099163a6efb0bf8414c86b58fa21b35ee5ff9789b641d7cd", "type": "eql", @@ -9235,15 +4600,6 @@ }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential JAVA/JNDI Exploitation Attempt", - "sha256": "f60fe5b32ff54a35a502abef27b7a8c4a8294ad3ad27523e6a38c233611f7732", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential JAVA/JNDI Exploitation Attempt", "sha256": "3510e04cfcd716d998a26241461fc1ae03bdca9c148528df59246366583fd498", "type": "eql", @@ -9251,15 +4607,6 @@ }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "2a4680018cf4295914ef398a0463c2bd7dcbc3ac5ad8cbda20d0f7fcc7777c5c", - "type": "eql", - "version": 7 - } - }, "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "00879e95cee9672dd8b56d539f49ac2ce03052b142457203197359ebf551b518", "type": "eql", 
@@ -9267,15 +4614,6 @@ }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "cb6467aec9a8efbce200c151befc915eb2db3882b84358a4cdf00d9104327d78", - "type": "eql", - "version": 6 - } - }, "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "2e8c22beb5d6a79a5c3ba541605eac07cafb11041e4149a32bc7e4b107e0971e", "type": "eql", @@ -9283,15 +4621,6 @@ }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "58344617d62b41f202f44b3143e2f946d7600510e021c58a48cb1955c42157e9", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "00362b8b0e5afebfadf9a3e10f18c0f86595906e306bec895a1ff9a83b08c3ea", "type": "eql", @@ -9299,15 +4628,6 @@ }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "c5022f7a759d76bc0a187f9612b1034b0faa982c8e9b05ab345fe252c6ec2caf", - "type": "query", - "version": 8 - } - }, "rule_name": "GCP Virtual Private Cloud Network Deletion", "sha256": "0af929bae69fd3bd2354ceaf72d5eac4022135b20527b1bb7b500f40f78a6e95", "type": "query", @@ -9315,15 +4635,6 @@ }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "e74680d2801209f53df00cfcad05ff388692b52918c2ff3f018df44999e5ab68", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "0b92d4288ea80639430bbe8ebea5a05852e4d4c20b4a150b21dbe6124ecae5cd", "type": "eql", 
@@ -9331,15 +4642,6 @@ }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Installation of Custom Shim Databases", - "sha256": "f4cec74529561a0fc2e6dfcd5ba89600e6e9a30c2832e5070005d0d96511968d", - "type": "eql", - "version": 5 - } - }, "rule_name": "Installation of Custom Shim Databases", "sha256": "10b1fa603f93bbc327c787ce498ee63735059ba1381029eec82541bfcf3bd2fc", "type": "eql", @@ -9347,15 +4649,6 @@ }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "ea301ca7e7d227378716c3ed96bdd9e028e2e189f0142885780ff9e9d157e6fe", - "type": "eql", - "version": 13 - } - }, "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "cc1c0f24ab02d2609bde69c2b1080e17e22814e94ab370543c78c89f42dd6f83", "type": "eql", @@ -9363,15 +4656,6 @@ }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "11c7d628e42834cf18a0ff6695673e7b4d30da3ef8efad6fef35a2ccb3ef745f", - "type": "query", - "version": 4 - } - }, "rule_name": "CyberArk Privileged Access Security Recommended Monitor", "sha256": "f059a8f7ede213e8a714e9da098089e0348d0911cdcfe111f57eb42c02d8ef07", "type": "query", @@ -9379,15 +4663,6 @@ }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Remote File Download via MpCmdRun", - "sha256": "276a468726946549ef3f02c8b97760a323a403a68dbfc8f7c3263d5f94a76f69", - "type": "eql", - "version": 10 - } - }, "rule_name": "Remote File Download via MpCmdRun", "sha256": "1d0822bc5138751b4aca2f3d5a1d15a45f01cfa51932a1752abe1390ffb0d550", "type": "eql", 
@@ -9401,15 +4676,6 @@ }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "8c2d99b22d9a821fd2097d3c5efb649fd5b1f9082edbb56773878940c64f83c0", - "type": "query", - "version": 7 - } - }, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "ca0f503e8fae0469ced007730bbddcb8f7ccb18fbbf43730792333ca1a09aa73", "type": "query", @@ -9417,15 +4683,6 @@ }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Modify an Okta Application", - "sha256": "96caea11aa97bb793f524a016ce9ea8a9547380f255f0468cc7b7780d1ad498a", - "type": "query", - "version": 7 - } - }, "rule_name": "Attempt to Modify an Okta Application", "sha256": "82ecca8efc10bc1cc58ea10d5ac7df12452174a2eb96738f54e5d4c36bcf3854", "type": "query", @@ -9433,15 +4690,6 @@ }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Network Connection via DllHost", - "sha256": "b02be7c05f4bb78a1a219cb52c0e1383c9d77a7d0091ecaaadbf9e2c177d7ab4", - "type": "eql", - "version": 5 - } - }, "rule_name": "Unusual Network Connection via DllHost", "sha256": "2bc2c24e7c38eb978b00d4664be358cb018e19e8fb5b2004dadeb91f30ecc435", "type": "eql", @@ -9450,13 +4698,6 @@ "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "min_stack_version": "8.4", "previous": { - "8.2": { - "max_allowable_version": 99, - "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "01bac327794401a552f635ee0b3a0bcc5ae37d9ca094baaf92b7f233dbcbef0b", - "type": "query", - "version": 3 - }, "8.3": { "max_allowable_version": 199, "rule_name": "Kubernetes Privileged Pod Created", 
@@ -9472,15 +4713,6 @@ }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual File Modification by dns.exe", - "sha256": "3d8b44e3b658a23b1d325e946b48ca23595108bf8b821c2afa0932775568c8fd", - "type": "eql", - "version": 9 - } - }, "rule_name": "Unusual File Modification by dns.exe", "sha256": "155fbbd9e9a6fcdcfd7063782b2c39327eebe7107bd2206d1851dad6a271b0ea", "type": "eql", @@ -9488,15 +4720,6 @@ }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Spike in Network Traffic To a Country", - "sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Spike in Network Traffic To a Country", "sha256": "9f61d52eb9c31372a1a7f26794b6d09209f131d931de2b09e0109c9b5a055148", "type": "machine_learning", @@ -9504,15 +4727,6 @@ }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "8b02aafa4506d9cb5eda8c8243ed102f6b9e882c5a109e5c1f26b086ffbb0afe", - "type": "query", - "version": 4 - } - }, "rule_name": "Persistence via Docker Shortcut Modification", "sha256": "562b4f9d9765441f6c5e5f3ee8a71bee6337eb83c368babfda186ce6dfc75aac", "type": "query", @@ -9520,15 +4734,6 @@ }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "cccbd868c1f9fa563d8d731c88ed3e783e085b8c53412177f113a9eaa94118ac", - "type": "query", - "version": 13 - } - }, "rule_name": "SMB (Windows File Sharing) Activity to the Internet", "sha256": "c762f5de1c0dc8d4fbefecbe5ec987d85ff703868558b4c2025a6491f8434e05", "type": "query", 
@@ -9536,15 +4741,6 @@ }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Direct Outbound SMB Connection", - "sha256": "c6c4691ccdc5e9a66fbfda821c297d1d55b5cb07d3807002a8924db894f0ab52", - "type": "eql", - "version": 10 - } - }, "rule_name": "Direct Outbound SMB Connection", "sha256": "98f8c7e1267b9d78610ae46f11ed1ad036f56aee89b27b5d90cb2199403ede07", "type": "eql", @@ -9552,15 +4748,6 @@ }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": "e3eee97261e6eb96eba1f05a344fe29cafc24ef890b991f423887461f7a2fa2d", - "type": "eql", - "version": 5 - } - }, "rule_name": "Virtual Machine Fingerprinting via Grep", "sha256": "08f7dfa2f2caa4e537757679fc7820400d2a971cd8c606b0dd4b8c8a7f8c9e00", "type": "eql", @@ -9574,15 +4761,6 @@ }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Parent Process PID Spoofing", - "sha256": "1fef8434702bfb1e375a190414def78e6ee6a6523b0ab47eab82953922195230", - "type": "eql", - "version": 3 - } - }, "rule_name": "Parent Process PID Spoofing", "sha256": "e4a406b128d8db8c468d7d74ccc8571efe7707e76e7b1053d9f6e29421b63656", "type": "eql", @@ -9597,15 +4775,6 @@ }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "bf93f818a5acdc021805c2fb4f53fa56ededcdf991128dd0b0bdbbd7d3f18c8c", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "db395f8bb4f6026ef2835860c83420ac38c02b303bc9b84c796888e581a8ed7b", "type": "eql", 
@@ -9613,15 +4782,6 @@ }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "2f2961f517d0e9d4a328175bccbd326bd7faf5dfee6e9f6503416f3aca86b008", - "type": "eql", - "version": 7 - } - }, "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "2faab0acaa8f54bcbcb9f3e1abd009b9150aa26083f90981134d34e72a54f6fd", "type": "eql", @@ -9629,15 +4789,6 @@ }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", - "sha256": "85039ed0d04d2658ca81064f458976d86e88705fa02d00cf22104d46ff4085b1", - "type": "query", - "version": 10 - } - }, "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", "sha256": "40292ab6b3b74c0736e9142d0a2f4da6595e481d679c644ebce45713e3cf04d3", "type": "query", @@ -9645,15 +4796,6 @@ }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "0b482e9161bd3ed8bce4c2863a6411cc274efdd5134e2e3dd73e9ef1333dda0e", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", "sha256": "d3608aa64d0dd96d0b1a38306836f9ff19f6ed3b68cb7d959eb18eb762fd5149", "type": "query", 
@@ -9674,15 +4816,6 @@ }, "cac91072-d165-11ec-a764-f661ea17fbce": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "b8e199e0275a56f67e21011dad1879c8a66b32cfb373e69af50442d187c3c1bc", - "type": "eql", - "version": 3 - } - }, "rule_name": "Abnormal Process ID or Lock File Created", "sha256": "eb4cfcbf1c37f3a246bbfb9a10663e1be044a08c76ea2d2d2c043fb217597da9", "type": "eql", @@ -9691,20 +4824,6 @@ "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 15, - "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "599fc850f87b0b11bb3af05aa1936c1859f7c5e188c1f83be2655ea3cc71a1db", - "type": "query", - "version": 13 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "3ffdd0f16144e0dd0d207c2e8604c3cfc075b03c9e2c2bc68530c26c20242b35", - "type": "query", - "version": 16 - }, "8.3": { "max_allowable_version": 205, "rule_name": "Google Workspace MFA Enforcement Disabled", @@ -9720,15 +4839,6 @@ }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Calendar File Modification", - "sha256": "a17d553f673da651ded7a3ea66e07c128029b88490acc7ebc9e1ace84c9584a1", - "type": "query", - "version": 4 - } - }, "rule_name": "Suspicious Calendar File Modification", "sha256": "7e28654341af174f22d390087be90d6720cc8a4fb885ec887281664fc29459b3", "type": "query", 
@@ -9742,15 +4852,6 @@ }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Enable the Root Account", - "sha256": "25a2832a5de142a55071b950816a7c18bc95e803ac391db31c6caa1ed11689da", - "type": "query", - "version": 3 - } - }, "rule_name": "Attempt to Enable the Root Account", "sha256": "1de41b7216811e97eefabc4398c95e7c63777b807c0ca1269da386bdda134bb5", "type": "query", @@ -9774,15 +4875,6 @@ }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "bfe8159a7886d23dd38393fa9bee89ac16f4726a3c4f25cf4ed5898c41168383", - "type": "query", - "version": 9 - } - }, "rule_name": "GCP Pub/Sub Subscription Deletion", "sha256": "5337e6bd0ef0b80d43f66dc8830169905a634b3a04618654f641fdc33472b218", "type": "query", @@ -9790,15 +4882,6 @@ }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "f3f3e6c106b9b59224b4adc2dcc0440429e547b549cf3968180a653aaabe5ec4", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "96d42c07c11ea1e66f37d0fe71463b4bc8ff9f7dba1c7aa62a2a77482af2d478", "type": "query", @@ -9806,15 +4889,6 @@ }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Process Herpaderping Attempt", - "sha256": "2b1dac1ccc6843acfa825aa0f250925056ed80d273deef8c7fd10f656fd48f35", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential Process Herpaderping Attempt", "sha256": "90db8e3fa447cd76698c3bfb3cf784c21813c2e0cd5b81f2a60b062f7cbba2fa", "type": "eql", 
@@ -9822,15 +4896,6 @@ }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "a1813eae5d63d4726b936d105486b17a6d73e0c440c903e014e7616dfe44172d", - "type": "query", - "version": 9 - } - }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "f62ce3d63c7514a1b1e3485043746bff4cbd29215e3532662de3da9a45385c48", "type": "query", @@ -9844,15 +4909,6 @@ }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "72774e826f2421c6fb071aca38cde16199ac2227c454f40e278aa68331bfb9ff", - "type": "machine_learning", - "version": 3 - } - }, "rule_name": "Anomalous Linux Compiler Activity", "sha256": "bd9e2942ec336f2a3ebaf266d81377f6b15059e51d931aa31374b2b27e4d4f7c", "type": "machine_learning", @@ -9860,15 +4916,6 @@ }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Kernel Module Removal", - "sha256": "ada4b7f1536b5940bf11ef7267b8ccefd251c58d01db796b01ab135fc4d18a32", - "type": "query", - "version": 9 - } - }, "rule_name": "Kernel Module Removal", "sha256": "cddca84af1ec5f91a0fc0a37bd4ca735cadcf7f69e45d5365ff4197ff6295b72", "type": "query", @@ -9876,15 +4923,6 @@ }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Deactivate MFA for an Okta User Account", - "sha256": "f0ba64dc6504953e0d1713f1a46c37f9a3ddddf5ac0dac882e80bc5fb9825188", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Deactivate MFA for an Okta User Account", "sha256": "18737d6849af63f0300dab6e931af5464f8c15f68f31f5bf7bdbd6b3ccb1cdbf", "type": "query", 
@@ -9892,15 +4930,6 @@ }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Okta User Session Impersonation", - "sha256": "fd41cb20e5354ce70352537af6589d7fe8bddaaa3efc190dcb7f28c90016dfa9", - "type": "query", - "version": 4 - } - }, "rule_name": "Okta User Session Impersonation", "sha256": "b839129d515b067cff4aac735b1c9dc12f24f90fe301eb0b9fbc9bbbf4a4f19d", "type": "query", @@ -9915,15 +4944,6 @@ }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "89f5e200675a86a78dd4ae429ab59815d6f2fc8a788cb55a3116bdfdf2661e67", - "type": "eql", - "version": 10 - } - }, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "f6ed95c4af1ee55bdc8982ef40782959b46dae171a95566413fa375664b14128", "type": "eql", @@ -9931,15 +4951,6 @@ }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "251ce0bab9c64891a65817cbbe623561d5a89f168d844da108c03562d4e2266e", - "type": "query", - "version": 6 - } - }, "rule_name": "Cobalt Strike Command and Control Beacon", "sha256": "efd4dd156b54adadf3583f42ef14c6f31ec98f4d4e076afa2a06b529dcfa7e16", "type": "query", 
@@ -9948,20 +4959,6 @@ "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 14, - "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "cd4f89243551c1339b5502a776a7ca15183d07da9cfd5df268a4c4b2e5954c56", - "type": "query", - "version": 12 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "05fe436d072dffdbdb136a88e93c7636e147f91bf5c02b89ba7eeed8fd336e3e", - "type": "query", - "version": 15 - }, "8.3": { "max_allowable_version": 202, "rule_name": "Domain Added to Google Workspace Trusted Domains", @@ -9977,15 +4974,6 @@ }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "556e7fd38bd70311927aa98b016c3d73f728df2a0173385f0c7a6d5f72399060", - "type": "eql", - "version": 8 - } - }, "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "53487d7bbed7b10964cc4dd976031721aae9bd6eb756c31e1407d56df83b23e2", "type": "eql", @@ -10000,15 +4988,6 @@ }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "d6965099fd14c541f08c466c817f679a6939cb7e9d4bb6bde634d79c16a5ca66", - "type": "eql", - "version": 7 - } - }, "rule_name": "Registry Persistence via AppInit DLL", "sha256": "30f6abe74cb6d7a40335376a972db84371efd6de616e496efa7f8dd0092ca97d", "type": "eql", 
@@ -10016,15 +4995,6 @@ }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "1f6bd29235c4140598d12135b67fc6285adab3882cdbf5fb3eda91de5dd1b2b0", - "type": "eql", - "version": 7 - } - }, "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "bd2e3a82f0da57e8e2a0d4ac051b85e1ad618170acbdb28502d1608b37342505", "type": "eql", @@ -10038,15 +5008,6 @@ }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "dfc63901f804b7cf2d08cccd4f0795208161faf81c73c1699baf48f8884fa9b1", - "type": "query", - "version": 4 - } - }, "rule_name": "Potential Microsoft Office Sandbox Evasion", "sha256": "bec3a6c54edbb4399a08dbf48657becd3a5a541541f120a61b1d1d4e9580d52b", "type": "query", @@ -10054,15 +5015,6 @@ }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "32c87270f7d3db1e4556a1410d02bef58c136aa70569924f60318e9b22768dd5", - "type": "eql", - "version": 7 - } - }, "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "ac50b1cb9e9105c705e57765ee02986414c63a9274108c4c9d38a2d8cfbb2b2b", "type": "eql", @@ -10070,15 +5022,6 @@ }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Clearing Windows Event Logs", - "sha256": "f60152637e6804eaa8df1e4b003a7b6f42b4ae55bc5214071a76d06d100b4f92", - "type": "eql", - "version": 17 - } - }, "rule_name": "Clearing Windows Event Logs", "sha256": "57ccdf578b33355ca397a6bbc98d06eab152799c14ce67a04bc3dfadde2c65d4", "type": "eql", 
@@ -10093,15 +5036,6 @@ }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Shell Execution via Apple Scripting", - "sha256": "81d944d6e43616c8ce9d52f1959afb89444b9972b4c8269b28c8d7c74485e4b8", - "type": "eql", - "version": 5 - } - }, "rule_name": "Shell Execution via Apple Scripting", "sha256": "afb5f9cac913c97f1997f648dda0fa03b73ab02240c2cbc459e6757d428e1d2c", "type": "eql", @@ -10109,15 +5043,6 @@ }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Delete an Okta Application", - "sha256": "9128314e4252732403889dadd2b7748918acd7e1ce8f8541daedaba48b40d4e7", - "type": "query", - "version": 7 - } - }, "rule_name": "Attempt to Delete an Okta Application", "sha256": "58adba1c923a8ce76e1a1764dc5cac882ab8ea93f2778dcf32c9c397a3aae8be", "type": "query", @@ -10125,15 +5050,6 @@ }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "4b9eead51bdd9860f02d47c1a20fc4892ba90960f2151ebe61c89e07ed3f4263", - "type": "query", - "version": 9 - } - }, "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", "sha256": "f55b784285078033780f90e322ee607cd717bf5db25341e7e967a809e069de79", "type": "query", 
@@ -10141,15 +5057,6 @@ }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "e6bfd938d1323fddf3554c4c9a5a57d6490c2b23ec7d42a12455a5cd6ab96d14", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "10352fa0155998bc2ce3e03cd867fc884f424ce6ea7d9516e4af460a6618b657", "type": "machine_learning", @@ -10157,15 +5064,6 @@ }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "2e2ae07f9d9f4346d8f2855672b7cb74eba7a74483e53a99064ec4e6a14560ae", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "2fcc2d50400cb569889501d46152b475609c5a866e75d86051dda253511611ac", "type": "machine_learning", @@ -10173,15 +5071,6 @@ }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "df727534686ff5d08f97b53cebae31cc82f831264c16022e81a2aeab10cbd8f9", - "type": "eql", - "version": 6 - } - }, "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "2466d70da50d4817a8dcbbb37d8d8f626f4101f672b3f29fac6eca0cf9cdb84e", "type": "eql", 
@@ -10189,15 +5078,6 @@ }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "40a4b168923189b0651c8e31ddd382c3eee3007b4d93d968f76f9813567f708a", - "type": "query", - "version": 7 - } - }, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "a734fea0dd23b59bccb99dbb39f55007140181853044b5bfacd32e882f62f49f", "type": "query", @@ -10205,15 +5085,6 @@ }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Service Command Lateral Movement", - "sha256": "14fe2ba1367484a6ee97e359ba9b8c5c66987e02d2865d8537b9ae9b1ef6d2ab", - "type": "eql", - "version": 5 - } - }, "rule_name": "Service Command Lateral Movement", "sha256": "121c180994db8c517ef59cde13b161cc4356313055a19b220dc4f6a1f200c62d", "type": "eql", @@ -10221,15 +5092,6 @@ }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "43fab9e1ad69e93f3f1d82b141356b4241d3e3b6a4abe88c87f57950893e7b8e", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "aaeb2ec822a868aa988e71b0c918565b3f1902a8ccf0013e8caee3321b8caba1", "type": "query", @@ -10237,15 +5099,6 @@ }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "5d074c906776ecd8e5847fb793728b81b80895a83cf706d49341241756921dbc", - "type": "query", - "version": 10 - } - }, "rule_name": "GCP Pub/Sub Subscription Creation", "sha256": "89e3c5186770e21fb9556161d059fcf423c8f330199da418b492128d29d2ff6a", "type": "query", 
@@ -10266,15 +5119,6 @@ }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "0301f13a0cce7d153d3e01f8a199d99175bf2c028af2a3146f754e5c753f93be", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "sha256": "dbf20a1e2bc0d4cdedbccc5865bddda69aca58f70f18ee6ac68eeabd3379e3fd", "type": "query", @@ -10282,15 +5126,6 @@ }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Modification of WDigest Security Provider", - "sha256": "1ad06b0fe0245e82429077bae391d3c2af5984b53799cfcec254e3b65569743a", - "type": "eql", - "version": 7 - } - }, "rule_name": "Modification of WDigest Security Provider", "sha256": "a3d590dc38bbc65cf96456ab35d560f410a3e627abe29ac9123b9d1081ce8ee6", "type": "eql", @@ -10298,15 +5133,6 @@ }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Command Execution via SolarWinds Process", - "sha256": "c66dd3b64916aa7fabacfe800aa2076f58946cd244e563af4d3b0f6cee003610", - "type": "eql", - "version": 8 - } - }, "rule_name": "Command Execution via SolarWinds Process", "sha256": "671b8a362619f5396cfce51df91caa357ab826ec2a9ab263c7189e530c6a1d05", "type": "eql", @@ -10314,15 +5140,6 @@ }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "c708af23dddbb7172b0b812a70be4c7b90797d357b2088d1db8bda43c16d92b2", - "type": "query", - "version": 8 - } - }, "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "sha256": "f03f35ec4391254bd5a95e3213e02d739334563e9a20bd8f98055f0bd56f984f", "type": "query", 
@@ -10330,15 +5147,6 @@ }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "SystemKey Access via Command Line", - "sha256": "bad21256e2539ed2889697b46ad97e31897d99ae6b81423aa0ed71e86c03c165", - "type": "query", - "version": 4 - } - }, "rule_name": "SystemKey Access via Command Line", "sha256": "f53aa8f1a5b9e87d8a6b28487f9359beaea364e8c05cdb0c27042894e66905ba", "type": "query", @@ -10346,22 +5154,6 @@ }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 10, - "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "1b8e9ea27c151d2de3fd5c94f0ff8de14098ccc0348a81ac3a39dc28f0dd118f", - "type": "query", - "version": 8 - }, - "8.2": { - "max_allowable_version": 99, - "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "fb31d0eaf6786a71496f8d2605f731b9e3770b5a16af3d6e301e5b5432154634", - "type": "query", - "version": 11 - } - }, "rule_name": "Interactive Terminal Spawned via Python", "sha256": "be53fcaca6c95792ae6b79abe90def66eadec36b3c2b5f4ea4e1c40ced9af74c", "type": "eql", @@ -10369,15 +5161,6 @@ }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Blob Permissions Modification", - "sha256": "c0d96e3c996d58a507d4b57459abb95bc875d950f28a6dec3eb17e1091d5d624", - "type": "query", - "version": 4 - } - }, "rule_name": "Azure Blob Permissions Modification", "sha256": "e0d97c1b1c32137b6a20954682acc691d3e3b8865b7232a8796d2220df76c2d9", "type": "query", 
@@ -10385,15 +5168,6 @@ }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Spike in Logon Events", - "sha256": "2aa5266f2f98a3501aa1994db0eeb48e48c8eb3bf8bb8500f0b9a3447c472d62", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Spike in Logon Events", "sha256": "d667fdb7fbc6da319bdd447af12804d2a91a83d6e3165edc96ac687212c7050b", "type": "machine_learning", @@ -10401,15 +5175,6 @@ }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "SMTP on Port 26/TCP", - "sha256": "7e8d3c2560ac6a468f7701f9ee237e39bc51231edf8d5b94ab0055d60286730b", - "type": "query", - "version": 10 - } - }, "rule_name": "SMTP on Port 26/TCP", "sha256": "f795ea35f70c7ee41f46586159af9c713d96e6b0356ce45c1bd5e35dcf5b7e9f", "type": "query", @@ -10424,15 +5189,6 @@ }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "23d6f3d38e476c57d63ce8eec3ba6ce5ef7986d3db93dca2f21944b00209f9da", - "type": "query", - "version": 8 - } - }, "rule_name": "AWS IAM Deactivation of MFA Device", "sha256": "8802bab60d9f5b6625969f2cfb50f18890ac8acb69afa76f94b6e875d0627cc7", "type": "query", @@ -10440,15 +5196,6 @@ }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "5598f885f41354f84ab95aeca4b2046243900f013a7edb6a0b1bebe13f3966ad", - "type": "eql", - "version": 7 - } - }, "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "1129519b0349a4fdb1c421cc1e7701a5d832f7c13eba0180a0e8203cf42a706f", "type": "eql", 
@@ -10483,15 +5230,6 @@ }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Multi-Factor Authentication Disabled for an Azure User", - "sha256": "3ca4a61f3f93dba1eb22f2c680262ddc66a954a10446af5a66a3d5d179c18981", - "type": "query", - "version": 8 - } - }, "rule_name": "Multi-Factor Authentication Disabled for an Azure User", "sha256": "b2bdedbd10d7b2fe14ac813a1e6edcc9034c9817db09d94531cf97ff29c60e1f", "type": "query", @@ -10506,15 +5244,6 @@ }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Credential Dumping - Prevented - Elastic Endgame", - "sha256": "3d1e91e1892322a81b322cb102e46b9cc9913bb297aa2e3495db029019a488d9", - "type": "query", - "version": 10 - } - }, "rule_name": "Credential Dumping - Prevented - Elastic Endgame", "sha256": "b0491008a10432af0609a3d3046c5ba9697fe4ee6fe28c05d20735f663452a74", "type": "query", @@ -10535,15 +5264,6 @@ }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "520e6a810db9da762309f7f86fab50fbdab92279864f4374f2eb5bad2e042e59", - "type": "eql", - "version": 15 - } - }, "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "474db425cdf633c1f4985a1b2ea22ff85d5d13c734ba1f0e6c440ce25314f098", "type": "eql", 
@@ -10551,15 +5271,6 @@ }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Country For an AWS Command", - "sha256": "ae4289833d6b2477d4d3b35e5be4baa736658ec619798c552e85a718212e8dcd", - "type": "machine_learning", - "version": 12 - } - }, "rule_name": "Unusual Country For an AWS Command", "sha256": "cf5a04001f7b060fc8737714fb0075af7edb4ff168dd11ebe372c9d7fac3ee7c", "type": "machine_learning", @@ -10581,15 +5292,6 @@ }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "NullSessionPipe Registry Modification", - "sha256": "efa60094cebe3428f728d0c83e1c5a563182fe632fc708289651cae652351029", - "type": "eql", - "version": 4 - } - }, "rule_name": "NullSessionPipe Registry Modification", "sha256": "eca02b96d656cb5bb1d7545ca44de5c6b565bc07f090c88b5e37336639414ae9", "type": "eql", @@ -10597,15 +5299,6 @@ }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "1402cb6fa10885f90b83f2612e179207ca87149a8fa931334c0b2c2854247ba6", - "type": "eql", - "version": 8 - } - }, "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "9c31ce6f0019d8e694291b4605b1e7075732965ec3d88dff554a1c8ba2bdc465", "type": "eql", @@ -10613,15 +5306,6 @@ }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "2dfa50e7bce0eb5396a016deae281f948ed101975bee4806e8d388199a8b4012", - "type": "query", - "version": 9 - } - }, "rule_name": "Base16 or Base32 Encoding/Decoding Activity", "sha256": "bebf88ea049bb1787295083c3e58e39a5eb2ca0ac0412da6c1c697a99aa4e531", "type": "query", 
@@ -10636,15 +5320,6 @@ }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "40ac13cc950b6d31bbf8793ae0941af4edbaf36dc40070df6f4173775298c968", - "type": "machine_learning", - "version": 3 - } - }, "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "79fe6d30045c86d83790066989a32ac5398076fce0a8e8aec15e295305a82cbc", "type": "machine_learning", @@ -10652,15 +5327,6 @@ }, "df26fd74-1baa-4479-b42e-48da84642330": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Automation Account Created", - "sha256": "c55195c2b2ed4f0018d4b847a215c4d7be7df1e3a4b7d1b250c4ea8975172370", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Automation Account Created", "sha256": "926e09c01d9a28535ee45c6b2e542a020fff0bc9b9b3876217cca6ac5d084ce3", "type": "query", @@ -10668,15 +5334,6 @@ }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Dynamic Linker Copy", - "sha256": "da1ef679ca66c6b0366910d70af13bec01a81e77bacce23a37c4c8f52039680a", - "type": "eql", - "version": 3 - } - }, "rule_name": "Dynamic Linker Copy", "sha256": "22879b612a4fc894529efe2c9849ae40609fe4de62c9bd40ca710575b0604540", "type": "eql", @@ -10685,13 +5342,6 @@ "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "min_stack_version": "8.4", "previous": { - "8.2": { - "max_allowable_version": 99, - "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "5f82d1552eab33089166bf4b52136d5755de62953bde404fa8922d5d4b39ac0d", - "type": "query", - "version": 3 - }, "8.3": { "max_allowable_version": 199, "rule_name": "Kubernetes Pod Created With HostPID", 
@@ -10713,15 +5363,6 @@ }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Firewall Policy Deletion", - "sha256": "6f056b63bd37ce31e2fb8ff941b298f142fc93f6a9abb579ff043daf0b514d6a", - "type": "query", - "version": 9 - } - }, "rule_name": "Azure Firewall Policy Deletion", "sha256": "601b09f07040a7a4aae2b737306da9624a2ac0a71eabee5f238ce4bd2a827679", "type": "query", @@ -10729,15 +5370,6 @@ }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "3d369cbdba03a5b562dc577c209d5c92d7e9c9eb91c01e06e9469552df357ba6", - "type": "query", - "version": 5 - } - }, "rule_name": "KRBTGT Delegation Backdoor", "sha256": "3a793d4ae6798d822ab4cd898fd7543509208f045f21cd215ca013a566f62a6f", "type": "query", @@ -10752,15 +5384,6 @@ }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "97577c6feb55a61357f1c8565ad69c823d142cbb5835b15aa759ff00d37641f0", - "type": "threshold", - "version": 8 - } - }, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "23bb5841739565c44acd0f0bd8f596eea3cd2a7450d383d72e0f5c73d983857c", "type": "threshold", @@ -10768,15 +5391,6 @@ }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "min_stack_version": "7.16", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Whitespace Padding in Process Command Line", - "sha256": "de0b525b55b31026d29a5a835b5e420d95ceaa8d6c6f7e377c3b2cdae2064fdf", - "type": "eql", - "version": 7 - } - }, "rule_name": "Whitespace Padding in Process Command Line", "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", "type": "eql", 
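Review bot: The entry `e0dacebe-4311-4d50-9387-b17e89c2e7fd` in the last hunk keeps `"min_stack_version": "7.16"` on the new side while its only `previous` block, keyed `7.16`, is deleted, making it the one rule in these hunks whose declared minimum stack sits below the `8.3` floor every other entry here now carries. That value presumably comes from the rule's own metadata rather than from the trim, but the result is a lock entry that still claims support for a branch the release tooling no longer locks versions for, with no history left behind it. I would either raise that rule's `min_stack_version` to `8.3` in its metadata and regenerate this file, or have the trim command refuse (or at least warn) before it strips an entry whose minimum is below the supplied stack version, e.g. `assert Version.parse(lock['min_stack_version']) >= min_version, f'{rule_id}: min_stack_version below trim floor'`. The remaining hunks on this line are mechanical `previous` deletions consistent with that floor.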
@@ -10784,15 +5398,6 @@ }, "e0f36de1-0342-453d-95a9-a068b257b053": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Event Hub Deletion", - "sha256": "22579997b9c568c17e2594954120cb37beba84d4adf9aa90e33f866fcd40502c", - "type": "query", - "version": 9 - } - }, "rule_name": "Azure Event Hub Deletion", "sha256": "dd78a77f8220a57fac6347ca0f4ada237ce03b1bea7e8f46129e55b0cb9dc04f", "type": "query", @@ -10800,15 +5405,6 @@ }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Route Table Created", - "sha256": "33c77b87c951490c44ac8b2643a1161ec8a8b1ef0850c08a6d2ebdd0e7d64014", - "type": "query", - "version": 6 - } - }, "rule_name": "AWS Route Table Created", "sha256": "d315740dc3e4798b3116afcfb4560f332ee6cd0aaf6278c79ca52b677b4df6a0", "type": "query", @@ -10816,15 +5412,6 @@ }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS RDS Cluster Creation", - "sha256": "441fc16b46dd672112bbe72c32cc9f23a481e2e18b210364ca9b7052e18a9818", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS RDS Cluster Creation", "sha256": "97dc223646d13b5618e187e31a5c98c6a0ab584f26db51df1368528fce6313a6", "type": "query", @@ -10832,15 +5419,6 @@ }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Connection to External Network via Telnet", - "sha256": "a45edaf4d918bf73f99e232fcd351f941cfa4f924fd8e1178dc914370f3c706a", - "type": "eql", - "version": 8 - } - }, "rule_name": "Connection to External Network via Telnet", "sha256": "b619d12e944f84c602676b8dc84f896243a241ed2fa041270904106ef2cf407d", "type": "eql", 
@@ -10855,15 +5433,6 @@ }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Spike in Logon Events from a Source IP", - "sha256": "a5988a3dfc897aa2a50b11f7ed790699fb3b5c8450c61d82e331ff65dc180d6f", - "type": "machine_learning", - "version": 3 - } - }, "rule_name": "Spike in Successful Logon Events from a Source IP", "sha256": "c2b75cb0c0ca673aeb63e131eddae7a33662ffb123e31956482e93afec3c407b", "type": "machine_learning", @@ -10871,15 +5440,6 @@ }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "f24d9851bece6511354bb48a20a6a46b1c7f8432fc427ac95d278ad0a5d2d7df", - "type": "query", - "version": 6 - } - }, "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "66889b5f177bc1a9cb425581e81b726f1ac13863b2292852ac8592e52ad54bd5", "type": "query", @@ -10887,15 +5447,6 @@ }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Management Console Root Login", - "sha256": "1984c64d7c425aa3e3dfa6e37906c5c0da217a8d298ecc5438605b05a294e597", - "type": "query", - "version": 8 - } - }, "rule_name": "AWS Management Console Root Login", "sha256": "77ec08f6d07b1f7906943747812e3b7ce673613340bc8f863608d4919c00abad", "type": "query", 
@@ -10910,15 +5461,6 @@ }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "a569325f4987343db397f8e9bc7bd812bec981788b66c578abc8a07d6f1e96eb", - "type": "eql", - "version": 8 - } - }, "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": "5cb19c149c88dbbddae3ac8984c982080f7a1497bc535b486b754beeae5f8bec", "type": "eql", @@ -10926,15 +5468,6 @@ }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "GCP IAM Role Deletion", - "sha256": "1ee46ee5f8a64de558dc4c27460715faae0e711c7d1a7af0c771060037471729", - "type": "query", - "version": 9 - } - }, "rule_name": "GCP IAM Role Deletion", "sha256": "9504e7235ae2d6d6979d6f79eefe68b450769fd53ae193de955fc717497211ea", "type": "query", @@ -10942,15 +5475,6 @@ }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Process Activity via Compiled HTML File", - "sha256": "1fca27785372d869e73f5920c8e1f5a2cfe9d1d2623946389e0f92f0668c0cd3", - "type": "eql", - "version": 14 - } - }, "rule_name": "Process Activity via Compiled HTML File", "sha256": "7285956e917aa19f777ed3533d4da7fea80356ac420983e825ccd801b7524ef4", "type": "eql", @@ -10958,15 +5482,6 @@ }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "7e0ce795dbe9c0506d547705f5519c33f1ca279066cbd0056f58ac48444f8314", - "type": "query", - "version": 4 - } - }, "rule_name": "AWS Route53 private hosted zone associated with a VPC", "sha256": "a9771e5258a05b42239862d74d1e68d1fa34033f16f3f9c26b4732476447b4c3", "type": "query", 
@@ -10974,15 +5489,6 @@ }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Ransomware - Prevented - Elastic Endgame", - "sha256": "2597f5c35305aefc8016770975bbc727d72230fbabd8c9418d4147741104be0f", - "type": "query", - "version": 10 - } - }, "rule_name": "Ransomware - Prevented - Elastic Endgame", "sha256": "b47502c00c1c5a89a76099135cda46927a2bac199a32fa69c796440b73fd9db8", "type": "query", @@ -10990,15 +5496,6 @@ }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "08f9a6a7d9bdfcd6fccb7ea6baf0c48608a745befdf9be3782562c549736346b", - "type": "eql", - "version": 7 - } - }, "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "39805b9df727474ff34bbbeeaadf35066b16c8d1a707b274251ce33963614b42", "type": "eql", @@ -11006,15 +5503,6 @@ }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "773655f13eb054137041e1317a67b1537cc6c6eebf234827f44638005203b357", - "type": "eql", - "version": 5 - } - }, "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", "sha256": "871fd45bf95bc756c946e2c35455dc66507184603f07314a7b743abfd66e65c5", "type": "eql", 
@@ -11022,15 +5510,6 @@ }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "6ea5f27f5addad69fded0976880577eb922b37615f7e5136583d5c41954cf838", - "type": "query", - "version": 9 - } - }, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "6daa40545ae110d23965c10cdd3b97559c76c2a36f9fc79abe0e93316a8d36ed", "type": "query", @@ -11038,15 +5517,6 @@ }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "bcdd122e8566edca2f53e8e240809c4b74fe7a8351cf91d27f712b45b2848ade", - "type": "eql", - "version": 3 - } - }, "rule_name": "Service Creation via Local Kerberos Authentication", "sha256": "93b7937727492cc72b68bf3b72232f58a29fdcb39cdb6bf548afc84d22da4d4c", "type": "eql", @@ -11054,15 +5524,6 @@ }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "594ec61d54894f173198a316ad2e8f5e7d004348466a0e738d8dc0a23b7c2a42", - "type": "query", - "version": 6 - } - }, "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "00a31db2026bf1f14d964a21a3186172f66698bf1a34e405a17617beffb31dc4", "type": "query", 
@@ -11071,20 +5532,6 @@ "e555105c-ba6d-481f-82bb-9b633e7b4827": { "min_stack_version": "8.4", "previous": { - "7.16": { - "max_allowable_version": 15, - "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "c2ac77cd236c9997bebad7dbd68fbca34417ff4c999a05fa26114d41393ec636", - "type": "query", - "version": 13 - }, - "8.0": { - "max_allowable_version": 99, - "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "da0c5e7ff098e790a9bbfe529a062110d2e03eeaf932eb822601bed55710c833", - "type": "query", - "version": 16 - }, "8.3": { "max_allowable_version": 202, "rule_name": "MFA Disabled for Google Workspace Organization", @@ -11106,15 +5553,6 @@ }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Bash Shell Profile Modification", - "sha256": "870461090ff0ee534196576c1434c8bab00da1ea368665bc7fbea973a390e24e", - "type": "query", - "version": 4 - } - }, "rule_name": "Bash Shell Profile Modification", "sha256": "8881e4963ba8313ad806441ab35b10b080666906259266d9243987fed72beeea", "type": "query", @@ -11122,15 +5560,6 @@ }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Authorization Plugin Modification", - "sha256": "54671c684270f841e5c8afcb9c0551b1860dffd29d8a2589f1b6d84ca2193107", - "type": "query", - "version": 4 - } - }, "rule_name": "Authorization Plugin Modification", "sha256": "3d4f9d875a7cbebe715e0f79db24130680e81ce3c95b2488e6804bac01b8ba8d", "type": "query", 
@@ -11138,15 +5567,6 @@ }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Possible Okta DoS Attack", - "sha256": "d5ee7bc5de9e1f4610bc34e85624902d13fb82124efc99058407b42bfada5a55", - "type": "query", - "version": 9 - } - }, "rule_name": "Possible Okta DoS Attack", "sha256": "d79bf4f3a31c9f68d62437e3fc948da164cba7efb2dc53ccb82e3e44b85d75c9", "type": "query", @@ -11154,15 +5574,6 @@ }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "e3a968c044da68d2f23aa6a66a47a0f3d61a734268792b0a360ce167fab200b0", - "type": "eql", - "version": 5 - } - }, "rule_name": "Screensaver Plist File Modified by Unexpected Process", "sha256": "87bb7b5c4fe360b86247d6faf9ba1cda8ea552134a18c4c1045c1b53fa2f63d0", "type": "eql", @@ -11170,15 +5581,6 @@ }, "e7075e8d-a966-458e-a183-85cd331af255": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "d06b33a543d522b2f430c7851d7bcfc6784092fac3d4efcc1bd100f0eebabee7", - "type": "query", - "version": 8 - } - }, "rule_name": "Default Cobalt Strike Team Server Certificate", "sha256": "e9f3a0e9f8c621c8cb1262e6e8b7406d36b2dbf66fed10d7e756d2720bb4b8ff", "type": "query", @@ -11186,15 +5588,6 @@ }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "a20d59b00c5cb946794ec2b30277dc754792a46bce3ee1cd6274d512ff418929", - "type": "eql", - "version": 4 - } - }, "rule_name": "Execution of Persistent Suspicious Program", "sha256": "36c7e57a6c89bc2f9813dc1f85dd1650af535c967cf9d52e7cdc8c9d4990503e", "type": "eql", 
@@ -11209,15 +5602,6 @@ }, "e7cd5982-17c8-4959-874c-633acde7d426": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "bdb348ecf6ea584e98544fef4a59aec7bf3f2242b523b3b71daa6db84836674c", - "type": "query", - "version": 6 - } - }, "rule_name": "AWS Route Table Modified or Deleted", "sha256": "8755115362dbbcbb7295af5862d9fa7670b46667cccb181dc95dc4a012fcd609", "type": "query", @@ -11225,15 +5609,6 @@ }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "bd499e25fb8cc24f16dfb5ec400da1a758a867f6a919caef4719aecd9ec47e70", - "type": "eql", - "version": 14 - } - }, "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "5b842e03935bcd0bf01c18da831e252e82726d88efd8e99badfa0f741822426e", "type": "eql", @@ -11241,15 +5616,6 @@ }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Installation of Security Support Provider", - "sha256": "1c94a28eb10cf8d623b9c7766c3e09c1277211577525c7aef2a0d95b82902eda", - "type": "eql", - "version": 8 - } - }, "rule_name": "Installation of Security Support Provider", "sha256": "c36166149f6382278bbc2f12e03af284a945d557c1a6ba7e8b84b66593d5aed3", "type": "eql", 
@@ -11264,15 +5630,6 @@ }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "14c75064015b57cde04fdcd0f5358d7f17272c249bcd3874ce2ec296f9e2cefe", - "type": "threshold", - "version": 8 - } - }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "ae574796583503daf7ee6688cbb92eba2472a7b294a56a091ec363cc4778cb13", "type": "threshold", @@ -11280,15 +5637,6 @@ }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS EC2 VM Export Failure", - "sha256": "d4182fc6f1adb47b30a48ca8dc5b8d7ccd69e295f56db8bd67beef482087b523", - "type": "query", - "version": 5 - } - }, "rule_name": "AWS EC2 VM Export Failure", "sha256": "d8c86640a7b69eda3b5bf7d31e3940366d4410341d1ed1628d859b1cbd30567a", "type": "query", @@ -11296,15 +5644,6 @@ }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "b08da1641037f279ce706e380fa8da2c89eb8fabce5c70bf3bbd42df74e4de43", - "type": "eql", - "version": 8 - } - }, "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "d8671600e447e5ffc604a3cf69e45e57ded897ab70666f50d5d45abf9cb8df85", "type": "eql", 
@@ -11312,15 +5651,6 @@ }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential LSA Authentication Package Abuse", - "sha256": "8d77171cf0f3a00f7c7f86fa5a55cf2a6f92fb20fe2ac7515ec1c11255a015f9", - "type": "eql", - "version": 4 - } - }, "rule_name": "Potential LSA Authentication Package Abuse", "sha256": "9ae8dbc10946156ea62bdefc1cfbe386c468cb37489a480ce5d78399521f5585", "type": "eql", @@ -11334,15 +5664,6 @@ }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Automation Webhook Created", - "sha256": "40217a45f13f6e49a38e1428b1312af7a7d280737f29ed454c5516b82556c42a", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Automation Webhook Created", "sha256": "f4753972bd7ed04f9ed23aaee4f55562c9579bc04e5068ab0ac000dce3afd4d6", "type": "query", @@ -11356,15 +5677,6 @@ }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "044053705f8910f195400bf16dad023b28b4a9d17160ede41a24bc6c7081f12b", - "type": "threshold", - "version": 8 - } - }, "rule_name": "AWS IAM Brute Force of Assume Role Policy", "sha256": "a1a85b477af4b8413725fcb62209b88208532d46617e873fcb8c645275d2ce1c", "type": "threshold", @@ -11372,15 +5684,6 @@ }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Spike in Firewall Denies", - "sha256": "f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5", - "type": "machine_learning", - "version": 2 - } - }, "rule_name": "Spike in Firewall Denies", "sha256": "c5657166c9209a2de18b8ca9afdffb776f6a22625f050bdee7847ffa323ccc24", "type": "machine_learning", 
@@ -11388,15 +5691,6 @@ }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "External Alerts", - "sha256": "3c761c7b1a22a38d6334369cd822c00a6b2d954f9c650ffc564cf84ff8f8f403", - "type": "query", - "version": 6 - } - }, "rule_name": "External Alerts", "sha256": "31b878918fff8b8a2530233ffb091fc5e5d130ae1a25f1f3a186b146b965abc8", "type": "query", @@ -11404,15 +5698,6 @@ }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "3bba2d24ab56fc6d4d2d951047e6f4b2269b43eb68527dd062f822632e86a338", - "type": "query", - "version": 6 - } - }, "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "ac8d9b45feca5016f1cee9d440ea3f577ab97f6dbf43e1a47c67270c063d11ae", "type": "query", @@ -11420,15 +5705,6 @@ }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious Network Connection Attempt by Root", - "sha256": "48ccffc9a81724c28be76eede89fe50482103e2a7b6e501241e92a6e06a9f3a8", - "type": "eql", - "version": 4 - } - }, "rule_name": "Suspicious Network Connection Attempt by Root", "sha256": "b8463074b9b5230234487910daa8b6d8c5bd3a2a70dc2b364f72244446d9d670", "type": "eql", @@ -11436,15 +5712,6 @@ }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Disabling of SELinux", - "sha256": "062c1916cf85ed48401162e51109dc371e142f7983c9f404ab00cbc1846a3a40", - "type": "query", - "version": 9 - } - }, "rule_name": "Potential Disabling of SELinux", "sha256": "c24aebad20f1af7c7a32bb9a8ba2c9da565e9f65b4ad5ce917fdb437f9dd835f", "type": "query", 
@@ -11452,15 +5719,6 @@ }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "34d22b9f451c2f7efc83c9d7cb724eaff3cdefef7d835846c87b624d83b08ff9", - "type": "eql", - "version": 9 - } - }, "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "bce143d57e76c903821b58b863fbe225e2d25579a922a0de8898341448662147", "type": "eql", @@ -11468,15 +5726,6 @@ }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "IIS HTTP Logging Disabled", - "sha256": "e9752afbf2c33f50ae435653a04acb7a4014f7ba2879c691383213ca884424be", - "type": "eql", - "version": 10 - } - }, "rule_name": "IIS HTTP Logging Disabled", "sha256": "8a9d1d29af81c63c40e4468ccb3eb6f4715cb3086c724c657c552c9ac7b82b5d", "type": "eql", @@ -11484,15 +5733,6 @@ }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Process Execution from an Unusual Directory", - "sha256": "28a26a8ea059812344fc5b88cadfd47c83328674062824657484db1da6ee98f3", - "type": "eql", - "version": 7 - } - }, "rule_name": "Process Execution from an Unusual Directory", "sha256": "fa9ab56f2ce00f10be9a6779f517efb2fd13525fef46aa06be38c3c56ae43d5b", "type": "eql", @@ -11507,15 +5747,6 @@ }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "10ac2f7a79a955d91c4ae4232125eebb8d2678851db37d3f4e3a4d47c9b00d7b", - "type": "query", - "version": 7 - } - }, "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", "sha256": "4d681383a39e51c0ebda801678fc42df905b3b46c407443db81029f0cf7e60c3", "type": "query", 
@@ -11523,15 +5754,6 @@ }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "231216c92c8b517d75784dfb4cb92f4d664c8b90eebbda4dc0b446280f081522", - "type": "query", - "version": 8 - } - }, "rule_name": "AWS RDS Instance/Cluster Stoppage", "sha256": "398818eec9c82f37901b7eff3e56c7cfff9068f74f5eb3300b4fb3395d76fe18", "type": "query", @@ -11539,15 +5761,6 @@ }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Global Administrator Role Addition to PIM User", - "sha256": "da79376cfd32568b8b899acbdd94fa61e8f4b4f5fe1e2b7fe363aae8f7680549", - "type": "query", - "version": 8 - } - }, "rule_name": "Azure Global Administrator Role Addition to PIM User", "sha256": "949a29e953474fdd157968152b5f042ae8ae183a290987734bb6da5531768708", "type": "query", @@ -11555,15 +5768,6 @@ }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AdFind Command Activity", - "sha256": "c4b497868eb20d062a8f046c7796d5b43fe75871b0c7f788c6592e876e673f28", - "type": "eql", - "version": 11 - } - }, "rule_name": "AdFind Command Activity", "sha256": "63aa1ef0d6d57f12c96fc6e75efbdab828dd316c6b2f0a6a0a42d2f267d96d38", "type": "eql", @@ -11571,15 +5775,6 @@ }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "239799d589689fbfd18345dad0c3f085138b963f4aba5028e65373cc8d36df4f", - "type": "query", - "version": 7 - } - }, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "6dc4ff7b0ca3ce5144945a41508e56d1514037be901492a1a07c1baad5e0cc53", "type": "query", 
@@ -11587,22 +5782,6 @@ }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 9, - "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "ce1db93b10b8a940e45490c31cdb384062d41c0cb6395c3cc706e1de4c9cb46c", - "type": "eql", - "version": 7 - }, - "8.2": { - "max_allowable_version": 99, - "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "15633a53798ae01e2fdfef1f1ea0a74d7916ced0a48d742d446644cbdb8c75e8", - "type": "eql", - "version": 10 - } - }, "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "3649a9e5f7f06ca5add24938496f6744502a46039427507b7476e0a0eefd433f", "type": "eql", @@ -11610,15 +5789,6 @@ }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Print Spooler Child Process", - "sha256": "2f851991fa9398f083d7cfbc06bebd99acc958c0652597f0b8872a2fec42533e", - "type": "eql", - "version": 9 - } - }, "rule_name": "Unusual Print Spooler Child Process", "sha256": "ffff54efe92b0b34c640b799f5913f2e603eb1c16dc0ee6b149d1f2ef77ea848", "type": "eql", @@ -11632,15 +5802,6 @@ }, "eea82229-b002-470e-a9e1-00be38b14d32": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "85fe1eb19d66f592dad24600606b8472dfc84b4716e64052f67af8043fef5a79", - "type": "eql", - "version": 6 - } - }, "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", "sha256": "7519e10f04979705d086ea59631e81722e1d34e67fda721159127bb5655d02f4", "type": "eql", 
@@ -11648,15 +5809,6 @@ }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "BPF filter applied using TC", - "sha256": "a890bd484df6a7b4170e055a13563f50c1b7f00282fc3b0623c176c561e6a911", - "type": "eql", - "version": 3 - } - }, "rule_name": "BPF filter applied using TC", "sha256": "240e4885a29c84f4e094b95b83d14d2207406f69283bd92ea24c1a91b1f10cc7", "type": "eql", @@ -11671,15 +5823,6 @@ }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Whoami Process Activity", - "sha256": "6255a59f1907f90afb7d99a93dc1de288448f8d5eddd72f4077c13a632048b84", - "type": "eql", - "version": 12 - } - }, "rule_name": "Whoami Process Activity", "sha256": "afebe75e87167450ec7bb066db9882b60e12c6c2edcb3dfdd1cb58f874b7ba77", "type": "eql", @@ -11687,15 +5830,6 @@ }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "607544934e3152f41a4713b12c1f809518dfe52cfe1179d9f7c6ab62b27092a9", - "type": "eql", - "version": 7 - } - }, "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "e0388bd1b4ff680dd45ee91106d8a9f2dcb5ee113d0352e95bd770c8380154c3", "type": "eql", @@ -11703,15 +5837,6 @@ }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Suspicious HTML File Creation", - "sha256": "a25733dc5db93e97dbb6099c740ad240b0c1822325ceaafe17732f7dc28dab29", - "type": "eql", - "version": 3 - } - }, "rule_name": "Suspicious HTML File Creation", "sha256": "9d64431c94337938c4c704be535f27fe958c3c735a818e76235f962d68de3ba8", "type": "eql", 
@@ -11719,15 +5844,6 @@ }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "d15dd5779036e85d5d88bab96e6b6cd2e9fb5025dae8ef032429d99edf7ea868", - "type": "query", - "version": 7 - } - }, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "1702f9d302ca3492bc215a85a0ab94b7db183f3f162e2419ecf3119b1fe07848", "type": "query", @@ -11735,15 +5851,6 @@ }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Attempt to Remove File Quarantine Attribute", - "sha256": "66097f87ce7d53ec4c5a9c78d2ad5ea9434fb4800ba59615353fa48857104300", - "type": "eql", - "version": 7 - } - }, "rule_name": "Attempt to Remove File Quarantine Attribute", "sha256": "d4eed78d57a556fbb670ded91a71216e15608586b2b5e504e42a1d438601a498", "type": "eql", @@ -11751,15 +5858,6 @@ }, "f0bc081a-2346-4744-a6a4-81514817e888": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Alert Suppression Rule Created or Modified", - "sha256": "df8ec13cd47fc1fffe12deff3970a9194c19e52746805d646bb4f797e85a680e", - "type": "query", - "version": 5 - } - }, "rule_name": "Azure Alert Suppression Rule Created or Modified", "sha256": "1aac937a034e9aa7d16663a9672358b86762197d05247fbf54a3ed273dc682b3", "type": "query", 
@@ -11767,15 +5865,6 @@ }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "7a4c42f5bfb7bee1424ed3f2c6a969c641f1c4b9b7d9ce817f921f447b076725", - "type": "query", - "version": 5 - } - }, "rule_name": "Execution with Explicit Credentials via Scripting", "sha256": "2422b876fdaf75df87f0a2db4f592320544510433ad37c7b813ad965d3426f74", "type": "query", @@ -11797,15 +5886,6 @@ }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "0faaa346858f2dcb17db77667c2b5405492684ba8c0108091bb15d7a4d76ac79", - "type": "eql", - "version": 5 - } - }, "rule_name": "Creation of Hidden Login Item via Apple Script", "sha256": "76871153b8f946b50a1428f2f0b6ae4bbb5e04bacb9ad6b3ac8010b4b58ff3bb", "type": "eql", @@ -11813,15 +5893,6 @@ }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "24b4d57df7a4e7ce08d3ad2bd3b675b8a5b3e8fd9173019958bacce878092ba8", - "type": "eql", - "version": 5 - } - }, "rule_name": "Potential OpenSSH Backdoor Logging Activity", "sha256": "fae3022832bba52aa96f96a5820befcf308d0bc3fb40b143a1b3851fa7587f74", "type": "eql", @@ -11829,15 +5900,6 @@ }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "SIP Provider Modification", - "sha256": "2ba459343a12bb5eab29944e3968636c5b38e0007b17f8e5b6b8c12c58827110", - "type": "eql", - "version": 4 - } - }, "rule_name": "SIP Provider Modification", "sha256": "0e01e6fbda612f223222e52285fcf518b9ec05ff45be82a30bcc1d25de0c8a8c", "type": "eql", 
@@ -11845,22 +5907,6 @@ }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 11, - "rule_name": "LSASS Memory Dump Creation", - "sha256": "3e6e50826d519b95be8230a60471e7347a0cf1a3f68d2aa857aac4ce300b05a7", - "type": "eql", - "version": 9 - }, - "8.2": { - "max_allowable_version": 99, - "rule_name": "LSASS Memory Dump Creation", - "sha256": "267feaf9654f7bc39c4ec3c0aeefa5ac3961a87fc6aea9c7feee3396bff425ec", - "type": "eql", - "version": 12 - } - }, "rule_name": "LSASS Memory Dump Creation", "sha256": "290ca87439a6c50b593ead7fd9bc4163c694e9c36cdf851ecf94205976c27db3", "type": "eql", @@ -11868,15 +5914,6 @@ }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS RDS Instance Creation", - "sha256": "fdb052cc421e14176073509078d7ebb84e69338f14a02d61b3687ce413a5263a", - "type": "query", - "version": 6 - } - }, "rule_name": "AWS RDS Instance Creation", "sha256": "b651f1ca6d3ab216e2d8200b45fd47d9145ee157f7fb9721742ab5a2453b0b24", "type": "query", @@ -11891,15 +5928,6 @@ }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "WMI Incoming Lateral Movement", - "sha256": "697265472771d768d277926b42e99b11fc14f495b24c6f2b8aecc0cc10b6409d", - "type": "eql", - "version": 6 - } - }, "rule_name": "WMI Incoming Lateral Movement", "sha256": "c31c62ab221c4150243e8b70abf66c38db4ec476d16669a6aab46365746130f8", "type": "eql", 
@@ -11907,15 +5935,6 @@ }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "6e5898678bcd1b9c833fd090aabbf6e7e2fd69692405c532e8e7db74f71f9ae7", - "type": "threshold", - "version": 3 - } - }, "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", "sha256": "16fad25f10dc1f87c6eb3b75be730b6858bd53d102f1b7170924c564f1c8e44f", "type": "threshold", @@ -11923,15 +5942,6 @@ }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "a527339384f08721754875fa945abf7d3cdf22d66ac5c2e8f2b62e1706013b2b", - "type": "eql", - "version": 7 - } - }, "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "fc59baca6154934a278cb36b8e28b8a350aded173cfc926c81ff3f3104eb78ff", "type": "eql", @@ -11939,15 +5949,6 @@ }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "bdb6832aff1a99405ce51272c3c4ea81e914802fc8149673b9ec7521cfe6a2cf", - "type": "query", - "version": 6 - } - }, "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "sha256": "ae126a233c50576be64001b5bd356bcc3f893da8117eb1998860f3032d9cd843", "type": "query", @@ -11961,15 +5962,6 @@ }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows Script Executing PowerShell", - "sha256": "a540d7b91d337c085613ea8d5f7a5984c3e02c2b1c6020ce9051e8c37e7eca19", - "type": "eql", - "version": 14 - } - }, "rule_name": "Windows Script Executing PowerShell", "sha256": "c93b6e0ec67483b519d5a0a62bea6c2c982fdc8c95ff8622a61947ded5e03501", "type": "eql", 
@@ -11991,15 +5983,6 @@ }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "006a7c779aedd42261a1a521731bcf7cbcf76d5381683aab472281003a7f7bb4", - "type": "eql", - "version": 8 - } - }, "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "ff641e7598ebdc2a99babfc04143d9405837dc9ca1e9582033bccbc6b9ceba61", "type": "eql", @@ -12007,15 +5990,6 @@ }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "55e9fa64400f766306c6c956c730b863e3abb105aad98a773032dfd336d0ad27", - "type": "eql", - "version": 14 - } - }, "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "7de275e076290256a87e2b3ed3126155aff4a5209d89b16f1c4bbb4f0f3c0b8e", "type": "eql", @@ -12023,15 +5997,6 @@ }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "baedc4fcc8fd933fc5bf8e2f76c4ebb6acb9bded48fe91f102727b5978c797fa", - "type": "query", - "version": 3 - } - }, "rule_name": "SoftwareUpdate Preferences Modification", "sha256": "4382882cbcfede8d1ceea24ec9f5c576a60b05120e318caa9b3473e209eb5980", "type": "query", @@ -12039,15 +6004,6 @@ }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Azure Service Principal Credentials Added", - "sha256": "91839fac086519a95bf9186adb97fdcab72a39a1c0e719461638efa09485aae7", - "type": "query", - "version": 5 - } - }, "rule_name": "Azure Service Principal Credentials Added", "sha256": "5ce0477a42d9ef224de6a9ce9e33d0348397e764da6da42221c86966aa7e0ab4", "type": "query", 
@@ -12055,15 +6011,6 @@ }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "8ad42f1e8cb0d26f21a5da2eb9d80dbfad54d5a602c8d033ecbb349f0aecb297", - "type": "query", - "version": 10 - } - }, "rule_name": "AWS CloudWatch Alarm Deletion", "sha256": "6df2c964d4d87ff046075f9fe75f50531c2aa705fe95b48424d3c67e93c72d19", "type": "query", @@ -12078,15 +6025,6 @@ }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "15943bc13543a3c145d72f22f142223d4b10ef04fa295fb914b0a1ba1ace1307", - "type": "eql", - "version": 8 - } - }, "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "0316437403ae4997016f987853162fd22b5e54b80dc6c9206836bca7ebea5289", "type": "eql", @@ -12094,15 +6032,6 @@ }, "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.3", - "previous": { - "7.16": { - "max_allowable_version": 99, - "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "702da601e24ddc5235a8fc5057bd20f2a12903f1374117532cee7c9f1352f3f2", - "type": "eql", - "version": 6 - } - }, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", "sha256": "c90e4ef68669c1b33b27ea8d72d33a3696486d7a6e0c54761f9c1d62e68c90af", "type": "eql", 
@@ -12110,15 +6039,6 @@
 },
 "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
- "sha256": "5146e28a6514142021a6718494e20683e8163f2f3998cbfb5c5e5b27b3b33396",
- "type": "query",
- "version": 3
- }
- },
 "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
 "sha256": "d509965ca676f0870176b71b54d8bd5592c0245870ffb87a3fcc08c12140ecc4",
 "type": "query",
@@ -12126,15 +6046,6 @@
 },
 "f874315d-5188-4b4a-8521-d1c73093a7e4": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Modification of AmsiEnable Registry Key",
- "sha256": "69e4d6aba25b972ffc1d02bcc6bb8a5b00e1a1e84d8d24b549b384e85e81b560",
- "type": "eql",
- "version": 8
- }
- },
 "rule_name": "Modification of AmsiEnable Registry Key",
 "sha256": "27a7751430d2ca999e785298013ef016d5292094e1c6a0f8f49597e703897be2",
 "type": "eql",
@@ -12142,15 +6053,6 @@
 },
 "f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Unusual Linux System Network Configuration Discovery",
- "sha256": "e0d27723f14bfc1f2d57f46507f432ac8447aeedaa48ac60222193653c4ea2a8",
- "type": "machine_learning",
- "version": 2
- }
- },
 "rule_name": "Unusual Linux Network Configuration Discovery",
 "sha256": "65a864cf0766e583509618ade7f897afb31cde49fb11e658f7d9dd60e5818a3f",
 "type": "machine_learning",
@@ -12172,15 +6074,6 @@
 },
 "f994964f-6fce-4d75-8e79-e16ccc412588": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Suspicious Activity Reported by Okta User",
- "sha256": "723e46c1bcdfafc46527365b132c23ef8da4019c75dbbb363e9768944234eeb5",
- "type": "query",
- "version": 9
- }
- },
 "rule_name": "Suspicious Activity Reported by Okta User",
 "sha256": "f6bd7eceac3a9f5c358384b9eb45ceb6fe554256572255ed542f2f087252080d",
 "type": "query",
@@ -12188,15 +6081,6 @@
 },
 "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Remote File Copy to a Hidden Share",
- "sha256": "56b1ecfa2db9264a36ac1f9f8bf803d472f490b7851d54ed7cb678484069cf55",
- "type": "eql",
- "version": 7
- }
- },
 "rule_name": "Remote File Copy to a Hidden Share",
 "sha256": "8ecabfec5fc07d2e9e561bdde54f8ffbf85206b9803ed197be6c60ad994de95a",
 "type": "eql",
@@ -12218,19 +6102,10 @@
 },
 "fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Network Connection via Registration Utility",
- "sha256": "c346662d4ca6f6e99bd7d943aaf1b6e3ff59a95a78beec24b080fdaf82289c3e",
- "type": "eql",
- "version": 14
- }
- },
 "rule_name": "Network Connection via Registration Utility",
 "sha256": "83991214d50a508240cb5807293a7b8e1f12e34a3c8023edd8fce38fc9136a78",
 "type": "eql",
- "version": 103
+ "version": 103
 },
 "fb9937ce-7e21-46bf-831d-1ad96eac674d": {
 "rule_name": "Auditd Max Failed Login Attempts",
@@ -12240,15 +6115,6 @@
 },
 "fbd44836-0d69-4004-a0b4-03c20370c435": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "AWS Configuration Recorder Stopped",
- "sha256": "bb8a45312a7cd79e9fdb40d1fe639f5a426fd830420ed64cd08efb557b612edd",
- "type": "query",
- "version": 9
- }
- },
 "rule_name": "AWS Configuration Recorder Stopped",
 "sha256": "fb31bb23b6bebb35b93af0a5cc1b9f83f20c53b4e4f7f342d2939cc702946376",
 "type": "query",
@@ -12256,15 +6122,6 @@
 },
 "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
- "sha256": "b224ba9133037909f492e2403fc22a98d8d4409df23717060ec4ee312f323658",
- "type": "eql",
- "version": 8
- }
- },
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
 "sha256": "605b3cad24235f69f0cb88b5dbfd0279ece71f71534ebb50478ff8334194dc96",
 "type": "eql",
@@ -12278,15 +6135,6 @@
 },
 "fd4a992d-6130-4802-9ff8-829b89ae801f": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Potential Application Shimming via Sdbinst",
- "sha256": "a7f66209cee9e1f45ad0e512e71f847b6c46c94015ca52f7f08b345a9c60b28c",
- "type": "eql",
- "version": 12
- }
- },
 "rule_name": "Potential Application Shimming via Sdbinst",
 "sha256": "9861db3b35101e0a676d54701eb283a724fd134bb6258b78947cf822c65f8e8f",
 "type": "eql",
@@ -12294,22 +6142,6 @@
 },
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 16,
- "rule_name": "Suspicious CertUtil Commands",
- "sha256": "72b6aefd420c13f2f9a75c27271f96b8fc4a9d2ba474654cf69f6a5586bab85a",
- "type": "eql",
- "version": 14
- },
- "8.2": {
- "max_allowable_version": 99,
- "rule_name": "Suspicious CertUtil Commands",
- "sha256": "4a4057d6b10296e8a4a271e309922994d7208971a5baee1d7805193e3f27fe81",
- "type": "eql",
- "version": 17
- }
- },
 "rule_name": "Suspicious CertUtil Commands",
 "sha256": "5e95e13136d2a40d4cac8736b2f8020f5f0f1c73ddff780a8516e4d2af8441d7",
 "type": "eql",
@@ -12317,22 +6149,6 @@
 },
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 14,
- "rule_name": "Svchost spawning Cmd",
- "sha256": "3d668370d9b557693bef4d3e27feee891c659346bc032f6d62a25a08561cf61f",
- "type": "eql",
- "version": 12
- },
- "8.2": {
- "max_allowable_version": 99,
- "rule_name": "Svchost spawning Cmd",
- "sha256": "a5ec087e76c65ab534d4a43f658c0765caa060175968b140808538a92d80abb4",
- "type": "eql",
- "version": 15
- }
- },
 "rule_name": "Svchost spawning Cmd",
 "sha256": "cb9159a807c7bf419c813dc5aefd2f35b857b47c0afa8b562fa37c543da6d949",
 "type": "eql",
@@ -12340,15 +6156,6 @@
 },
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Microsoft Windows Defender Tampering",
- "sha256": "7ce1ab37d88d1e6455883aa77e2ff80ecd52499d612b2dd90dd803b11040a078",
- "type": "eql",
- "version": 7
- }
- },
 "rule_name": "Microsoft Windows Defender Tampering",
 "sha256": "8fdd8c5eb699e517af1963888489037d4d822f772c30fc34c0a9b2758e276bf6",
 "type": "eql",
@@ -12356,15 +6163,6 @@
 },
 "feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "MS Office Macro Security Registry Modifications",
- "sha256": "3e42b34005caca684b62e9680d19d3b026730f8518c88065d34dbaa6db7db2b4",
- "type": "eql",
- "version": 6
- }
- },
 "rule_name": "MS Office Macro Security Registry Modifications",
 "sha256": "9f121b7d63852994a3536d29acc723ba72ef9fab337f739de2cb7fbfaa799970",
 "type": "eql",
@@ -12372,15 +6170,6 @@
 },
 "ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
- "sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099",
- "type": "query",
- "version": 11
- }
- },
 "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
 "sha256": "7ab43899684dc9dfdbd0d111723d74eae5ec0abc9b4ddd9c6e06896ed083af8b",
 "type": "query",
@@ -12395,15 +6184,6 @@
 },
 "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
- "sha256": "070acfe2b3f2fc4f568c643936593196e64cb629b3005c6fdc739b28ca4bc1ec",
- "type": "query",
- "version": 9
- }
- },
 "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
 "sha256": "b2a97a4e796fd889d8a2767c60e251b137c8dd7025a5caf5a1099c25fc09e8c2",
 "type": "query",
@@ -12411,15 +6191,6 @@
 },
 "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
 "min_stack_version": "8.3",
- "previous": {
- "7.16": {
- "max_allowable_version": 99,
- "rule_name": "GCP Firewall Rule Deletion",
- "sha256": "028f2986eed7da7502174e85bb85dd5d500ad50a933a1d7e90343e1a8cfea632",
- "type": "query",
- "version": 8
- }
- },
 "rule_name": "GCP Firewall Rule Deletion",
 "sha256": "8a645f8478dab790e42789002632db237ffb037d316bf71e2c36521149813d15",
 "type": "query",