From 92a379e0341a4de9f55a390f2007668a081d9239 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 18:49:27 +0530 Subject: [PATCH] Lock versions for releases: 8.19,9.1,9.2,9.3 (#5765) --- detection_rules/etc/version.lock.json | 658 ++++++++++++++++---------- pyproject.toml | 2 +- 2 files changed, 413 insertions(+), 247 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index ee2b06220..d714ac7b2 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -36,10 +36,10 @@ "version": 6 }, "0136b315-b566-482f-866c-1d8e2477ba16": { - "rule_name": "M365 Security Compliance User Restricted from Sending Email", - "sha256": "726c3f1c50cf44cc092f0812133ae46a0a7b88bf235768ab09b3313948ca4de2", + "rule_name": "Deprecated - M365 Security Compliance User Restricted from Sending Email", + "sha256": "32f3b43818d6f5da6596d482417e82040958499d42ebf0de735791d1372a0ef2", "type": "query", - "version": 211 + "version": 212 }, "015cca13-8832-49ac-a01b-a396114809f6": { "rule_name": "Deprecated - AWS Redshift Cluster Creation", @@ -283,9 +283,9 @@ }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "rule_name": "Unusual Remote File Size", - "sha256": "5b526538699a28af2fa84b71bb25ab53268a3f8d61f67af75666b881c6317c21", + "sha256": "940b98aed51ecda72eec089172e648832d8c8a6eec2015e92e44bbbd0a52854f", "type": "machine_learning", - "version": 7 + "version": 8 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", 
@@ -355,9 +355,9 @@ }, "083383af-b9a4-42b7-a463-29c40efe7797": { "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", - "sha256": "0b16a11578d690a45da3add3532561414284b7ae428fff4dd8f391703f00d1f7", + "sha256": "b4f1a15ffdc521c66555c9bd089d50abcfd235fac9000ac6f00520cf4cf35d8e", "type": "esql", - "version": 7 + "version": 8 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", @@ -379,9 +379,9 @@ }, "08933236-b27a-49f6-b04a-a616983f04b9": { "rule_name": "Alerts From Multiple Integrations by Destination Address", - "sha256": "db41eb46357309069c2f1e3d244d99464e6d0150ffa461a7d15d2558e66700f2", + "sha256": "cc691ed6a93307a1173fd5fda394c29fdc98d2fa7ac909db45e82b9df3e4e378", "type": "esql", - "version": 1 + "version": 2 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { "rule_name": "Windows Account or Group Discovery", @@ -468,10 +468,10 @@ "version": 8 }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { - "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "7e292b37b6c88373ed25a37e2a1b1f82deeb9ca8559dab118b34d2c361a000c3", + "rule_name": "Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM", + "sha256": "ebd1536f42ca0141a7b6beb2b1e75d981b95992088751d5824b10f54c3797b98", "type": "query", - "version": 211 + "version": 212 }, "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { "rule_name": "Yum Package Manager Plugin File Creation", @@ -517,9 +517,9 @@ }, "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": { "rule_name": "Elastic Defend and Network Security Alerts Correlation", - "sha256": "eaef1a36013616445b077607fe1e2c6b3f6769cf57496832af13f383851d90af", + "sha256": "0ccc6af15fd729f5cb81b8ea88ff1f4911d30b894f58d96a3ba32ef834d614d7", "type": "esql", - "version": 4 + "version": 5 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "rule_name": "Processes with Trailing Spaces", 
@@ -583,9 +583,9 @@ }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "rule_name": "Multiple Alerts Involving a User", - "sha256": "a51bc9237ae15669b120cd0d1e71326f9bdd934bb72e936493e63ed03bf9b29b", + "sha256": "2401df104749aaee63b22f70fa9419c84429ffd9480bff391344fd449d1b4e57", "type": "esql", - "version": 5 + "version": 6 }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph", @@ -649,9 +649,9 @@ }, "0e67f4f1-f683-43c0-8d45-c3293cf31e5d": { "rule_name": "Lateral Movement Alerts from a Newly Observed Source Address", - "sha256": "415e94e0ad5121c6261b79fcadd0ab0c6eff8a58d43a6390caa3a6032c4efe1d", + "sha256": "cbc38f9092c5b05d934d21db45e1e0795f8743ae2d9a7fbf2b7f4d0652743231", "type": "esql", - "version": 1 + "version": 2 }, "0e79980b-4250-4a50-a509-69294c14e84b": { "rule_name": "MsBuild Making Network Connections", @@ -729,6 +729,12 @@ "type": "eql", "version": 110 }, + "1004ad5b-6900-4d28-ab5b-472f02e1fdfb": { + "rule_name": "AWS SSM Inventory Reconnaissance by Rare User", + "sha256": "8e7b6e88f72d16369595ba3f6fa07c1940d1a4aee7465ac6f4564e40e0d81cfb", + "type": "new_terms", + "version": 1 + }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { "rule_name": "AWS IAM Login Profile Added to User", "sha256": "62236c3efc78d49212ef0d41035637d27a8639dc5eb24125db16fc4b5c5367dd", @@ -785,9 +791,9 @@ }, "11dd9713-0ec6-4110-9707-32daae1ee68c": { "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "c53bcf7bfadd682b86b3255c1ba83e2377ade5490ce3ed4fcf679db10915c333", + "sha256": "46c73ea2723d14ad9de10a0e66eef0f2833b48c7be940c0df3a709acb4dc3e7f", "type": "query", - "version": 117 + "version": 118 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "rule_name": "Third-party Backup Files Deleted via Unexpected Process", 
@@ -1026,10 +1032,10 @@ "version": 2 }, "166727ab-6768-4e26-b80c-948b228ffc06": { - "rule_name": "File Creation Time Changed", - "sha256": "1893d694283de0c895199ccaff4ff3f0c595ab567a98ef5c0fa290345b036cd5", + "rule_name": "Potential Timestomp in Executable Files", + "sha256": "141a26e1964995ca85bbc37b582076f5a4d13eff6f252e85569630fe95aee60f", "type": "eql", - "version": 109 + "version": 110 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", @@ -1069,9 +1075,9 @@ }, "171a4981-9c1a-4a03-9028-21cff4b27b38": { "rule_name": "Suspected Lateral Movement from Compromised Host", - "sha256": "76d66c8f2e1211a017ecac44a93ed158e8d6502f27c4fea6b4cdd50ed9826207", + "sha256": "80cdb6c15c3dc9c7375625fea1c89ea54b6b480756a234873c252e3d23262eed", "type": "esql", - "version": 2 + "version": 3 }, "17261da3-a6d0-463c-aac8-ea1718afcd20": { "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", @@ -1171,9 +1177,9 @@ }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "rule_name": "Spike in Number of Connections Made to a Destination IP", - "sha256": "4371659ef32b1ef4816960bcc57044e06a0264e79c1637b78e7071c7af89132c", + "sha256": "5a2fa17a72429e5dca1c71f463c15e999e99ad7897637a4b66a0bfada9540daf", "type": "machine_learning", - "version": 7 + "version": 8 }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", @@ -1213,9 +1219,9 @@ }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "rule_name": "Spike in Number of Processes in an RDP Session", - "sha256": "6e9a2818596588723edbf376ee014607852f5cdc7e83a6e9378fc1f71383badd", + "sha256": "83a8f2d7386bddc053bfcb9ed1b462e2c6fee0711d78805f9f432f03029b4bda", "type": "machine_learning", - "version": 7 + "version": 8 }, "19f3674c-f4a1-43bb-a89c-e4c6212275e0": { "rule_name": "GitHub Exfiltration via High Number of Repository Clones by User", 
@@ -1253,9 +1259,9 @@ }, "1a3d5b36-b995-4ace-9b85-8a0af429ccf6": { "rule_name": "Newly Observed High Severity Detection Alert", - "sha256": "72749dc26e0661fd02018957879fceadbc7207329883d27c3b4c18af798ac628", + "sha256": "9b24d5e3affe2f35f066b5e0f89bebbd70db28c0e993d6416198c571abe32b00", "type": "esql", - "version": 2 + "version": 3 }, "1a3f2a4c-12d0-4b88-961a-2711ee295637": { "rule_name": "Potential System Tampering via File Modification", @@ -1305,12 +1311,24 @@ "type": "eql", "version": 212 }, + "1b65429e-bd92-44c0-aff8-e8065869d860": { + "rule_name": "BPF Program Tampering via bpftool", + "sha256": "e84a699789d0edc48edfecd3b086d0e0b60583a630ef2d5a9fdb8e419271263a", + "type": "eql", + "version": 1 + }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted", "sha256": "7bb163ffa02ead7013b9865823123774e06e0f2b67f15bd5f74d2502b70eedb1", "type": "query", "version": 210 }, + "1bb329a5-2168-4da5-b7b9-d42a51deb6dd": { + "rule_name": "Correlated Alerts on Similar User Identities", + "sha256": "c22e2f137482efcaa87dab19dc3553e257a9b32c721d931dd4986205af482070", + "type": "esql", + "version": 1 + }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "rule_name": "Potential Internal Linux SSH Brute Force Detected", "sha256": "47d4620c23138f802607ae88c1771da89921da694ce270e4830492b18d2eb9bb", @@ -1397,9 +1415,9 @@ }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", - "sha256": "5c7adbbf1c05e94781134cd249fe5beb6d03dd6e31b08a32b01adc47a7341d6f", + "sha256": "38928a45f4c6a0857efc517d37d79a536bc57a05c5e6765aeee651010e704b25", "type": "query", - "version": 111 + "version": 112 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", 
@@ -1409,9 +1427,9 @@ }, "1dd99dbf-b98d-4956-876b-f13bc0ce017f": { "rule_name": "Alerts From Multiple Integrations by User Name", - "sha256": "3a495af0c8106b892926263beb793be618ff06a8a8a51319dd1fbaa9e98d1c61", + "sha256": "f8ab4d8f44427fc8a987c9866f83bf76d09c1af99ec349ea6584a5c7d288624b", "type": "esql", - "version": 1 + "version": 2 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "rule_name": "Suspicious Inter-Process Communication via Outlook", @@ -1432,10 +1450,10 @@ "version": 108 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { - "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "f70aa045c1e96dec56c971fae0fe82c3717a59df8f1ae64368ae447326947066", + "rule_name": "Deprecated - PowerShell Script with Discovery Capabilities", + "sha256": "bcc5e6231ae54f6a2e5b47919bc03cb87e06ee59f9a0e3419814d466ebafed45", "type": "query", - "version": 213 + "version": 214 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", @@ -1644,10 +1662,10 @@ "version": 107 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { - "rule_name": "Kernel Module Load via insmod", - "sha256": "168fd08fe0238633dd375945ca085d698f15bbec48b74e044ee115066be98bbf", + "rule_name": "Kernel Module Load via Built-in Utility", + "sha256": "a06f1985bb2ac22749c86a7b54bbc101a924941d49abfa208f890b470ad6323d", "type": "eql", - "version": 215 + "version": 216 }, "2377946d-0f01-4957-8812-6878985f515d": { "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", 
@@ -1696,10 +1714,10 @@ "version": 1 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { - "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "5d77b9571fd9befb22e29f6cdfe893e29652ef95b68b9d1a4b92c1ea02d0a907", + "rule_name": "Potential Okta Brute Force (Device Token Rotation)", + "sha256": "63082f91fd3d3e60377743e9f2e158d948155ddef6efe6db444b026ff31e58b9", "type": "esql", - "version": 208 + "version": 209 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "rule_name": "New GitHub Owner Added", @@ -1715,9 +1733,9 @@ }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "fd002bc758bbb043c92aa8a457a383e329ff5721b72f64d9702c8bb16bceb9ad", + "sha256": "c0142afe736323db7e77ec68ca8df2377a389d488407ec0a48f004f811012543", "type": "query", - "version": 108 + "version": 109 }, "2572f7e0-7647-4c68-a42b-d3b1973deaae": { "min_stack_version": "9.3", @@ -1831,9 +1849,9 @@ }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "610930646b3ee410a43f2a6d94ae9398b6669dc0c344808d98ce8fd6143c22d5", + "sha256": "f3e07490e13703f24bd9972072c4789312cbf42c4ad361669075995598aba108", "type": "query", - "version": 211 + "version": 212 }, "2724808c-ba5d-48b2-86d2-0002103df753": { "rule_name": "Attempt to Clear Kernel Ring Buffer", 
@@ -1867,16 +1885,16 @@ }, "279e272a-91d9-4780-878c-bfcac76e6e31": { "min_stack_version": "9.3", - "rule_name": "Suspicious Interactive Process Execution Detected via Defend for Containers", - "sha256": "08f34153e09cab130b0afebb32638f990d8d322bb739b0b53f9b4a35afe9e628", + "rule_name": "Suspicious Process Execution Detected via Defend for Containers", + "sha256": "c2d5e99aa5d5f7c2d4ec0558b50319e50e78c108addf943b7ccc4232c74d71cc", "type": "eql", - "version": 1 + "version": 2 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { - "rule_name": "M365 Teams External Access Enabled", - "sha256": "260444625c4e3f1749f82673f9a134c20860e9dd0d6eeff7ad41f9bfd0aaa4a1", + "rule_name": "Deprecated - M365 Teams External Access Enabled", + "sha256": "b83875f1dac9ec8962c9e0d434baf51e77c060c9eef0c74cedbd0aced9af4abd", "type": "query", - "version": 211 + "version": 212 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "rule_name": "Account Password Reset Remotely", @@ -1976,9 +1994,9 @@ }, "29531d20-0e80-41d4-9ec6-d6b58e4a475c": { "rule_name": "Alerts in Different ATT&CK Tactics by Host", - "sha256": "91ff6f08e456191253b93c4f6f7cdb70f4adea410498e51b62b3dbc2432b4d78", + "sha256": "89d0958894efc5800bc1c37dbe4e22073f736ad6f2e95ae99a95e83421e0f3b3", "type": "esql", - "version": 1 + "version": 2 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "rule_name": "New Okta Identity Provider (IdP) Added by Admin", @@ -2029,10 +2047,10 @@ "version": 3 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { - "rule_name": "Adobe Hijack Persistence", - "sha256": "5cabd557042d3452a4bd6b95008843d8d496d4c913bc33f5c9109c6df32a7080", + "rule_name": "Deprecated - Adobe Hijack Persistence", + "sha256": "2fd56ecb1298afd514114cf19c5b066b10912b8f46028af6af05cecf9e549595", "type": "eql", - "version": 418 + "version": 419 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", 
@@ -2048,9 +2066,9 @@ }, "2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": { "rule_name": "Newly Observed FortiGate Alert", - "sha256": "a9d020f9a3f3dd75954efac81280160294feddb89cd2a0f4563c28e82bab0d3c", + "sha256": "663c7f29972d07ea8412e1361e05b81f3e4820304cea1a7cbd45ab3dbd6e05ea", "type": "esql", - "version": 1 + "version": 2 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "rule_name": "Potential Foxmail Exploitation", @@ -2060,9 +2078,21 @@ }, "2c74e26b-dfe3-4644-b62b-d0482f124210": { "rule_name": "Delegated Managed Service Account Modification by an Unusual User", - "sha256": "b5933e56597a6ac62c86eb6c05e56f6fb17396602ae2ac4e2f8af007f532bcfd", + "sha256": "4cb49f08cf5c89365a0f424c80e59095940ef6ec6a67224688a28f1c883212b3", "type": "new_terms", - "version": 2 + "version": 3 + }, + "2d05fefd-40ba-43ae-af0c-3c25e86b54f1": { + "rule_name": "BPF Program or Map Load via bpftool", + "sha256": "ec42dc0d8c393f7e859114d5d0dfea8e76e9a4dee7ee35c4ae48700ea479b355", + "type": "eql", + "version": 1 + }, + "2d3c27d5-d133-4152-8102-8d051619ec4a": { + "rule_name": "Potential Okta Password Spray (Multi-Source)", + "sha256": "69a3614d945637f774498b8d5a3480e7b78ac31b378cb9056696c5816692a51e", + "type": "esql", + "version": 1 }, "2d58f67c-156e-480a-a6eb-a698fd8197ff": { "rule_name": "Potential Kerberos Relay Attack against a Computer Account", @@ -2072,9 +2102,9 @@ }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "rule_name": "Command and Scripting Interpreter via Windows Scripts", - "sha256": "5b526c5e3b8b64acda426d7aa6bcffe7c582c40a5d2b6a9a89061d9d34eab6f6", + "sha256": "550e0e7a2940f35a6a904171e569f5a7c7657c5a8bf8ddeea1c12e84c90afacb", "type": "eql", - "version": 207 + "version": 208 }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { "min_stack_version": "9.1", 
@@ -2124,10 +2154,10 @@ "version": 108 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { - "rule_name": "M365 Identity Excessive SSO Login Errors Reported", - "sha256": "057e870fb980ce929d0bcb356a03643380adfa04405af2eb83f363b75c204917", - "type": "threshold", - "version": 212 + "rule_name": "M365 Identity Unusual SSO Authentication Errors for User", + "sha256": "bf27b5f423aae8f1125e4c60009329db0174ac9d72b6c52104791813da17c14f", + "type": "new_terms", + "version": 213 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "rule_name": "Wireless Credential Dumping using Netsh Command", @@ -2156,9 +2186,9 @@ }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "rule_name": "Potential Process Injection via PowerShell", - "sha256": "4f26a82b4aa211fad7b97f56c12a4d21842d5b79785bd735f84a8af4ecbb505c", + "sha256": "1182966a50d90ea8aa6e0dcf3bf488fd484f92fed47e6f9f6841ea493d8f235a", "type": "query", - "version": 216 + "version": 217 }, "2e311539-cd88-4a85-a301-04f38795007c": { "rule_name": "Accessing Outlook Data Files", @@ -2330,9 +2360,9 @@ }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", - "sha256": "a03ccf37c802b63d09323758b889879448364d3ce1787e95db677ef788265161", + "sha256": "426407f9d70d47d2798e31bf2fdd499117b8ae0bf6d2144f2543c4ea62d02391", "type": "eql", - "version": 318 + "version": 319 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Atypical Travel Location", @@ -2426,9 +2456,9 @@ }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "819dce4cff2719a1f6f4be28c51930017a4b137d6e1197eebdffd2ceb6ef1436", + "sha256": "a63dcd3cac0e13109997f588b8687ad8378e29f22ac15957240b8814d579bc3d", "type": "query", - "version": 110 + "version": 111 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", 
@@ -2504,9 +2534,9 @@ }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "rule_name": "High Mean of Process Arguments in an RDP Session", - "sha256": "dbbb08b080eb8a0dc6237a8fa9403fcee35c264da5f27da443d5e71553ddfd01", + "sha256": "0dd412be9597895aea816ce7c5b554a930386c831c7359dbc53124227be95134", "type": "machine_learning", - "version": 7 + "version": 8 }, "37148ae6-c6ec-4fe4-88b1-02f40aed93a9": { "rule_name": "Command Obfuscation via Unicode Modifier Letters", @@ -2552,9 +2582,9 @@ }, "37cb6756-8892-4af3-a6bd-ddc56db0069d": { "rule_name": "Disabling Lsa Protection via Registry Modification", - "sha256": "7aa1bf4249d928691c8853f7d53ad91afa3feb71d8bef5ddda0bf736c08c0d82", + "sha256": "93f61a20155835d2e47aec16e3e4fa2a50686f2a8cb46cbe10473a471e1b4906", "type": "eql", - "version": 3 + "version": 4 }, "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": { "rule_name": "Spike in User Account Management Events", @@ -2730,6 +2760,12 @@ "type": "new_terms", "version": 5 }, + "3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7": { + "rule_name": "AWS GuardDuty Member Account Manipulation", + "sha256": "40c120e7720460b12e7dec873f00ddc222dc36f6deb8859a453ba1c04ffadc38", + "type": "query", + "version": 1 + }, "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": { "min_stack_version": "9.3", "previous": { @@ -2778,9 +2814,9 @@ }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "ed6a046d68911151897cfdcf2a0520e0a12b11fffcb854b12c8e2cbde2d954b1", + "sha256": "c659f3531861796f257f84b285c8bc268159860e17ada2092b5ddb0004cc8f68", "type": "query", - "version": 210 + "version": 211 }, "3db029b3-fbb7-4697-ad07-33cbfd5bd080": { "rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins", 
@@ -2791,9 +2827,9 @@ "3dc4e312-346b-4a10-b05f-450e1eeab91c": { "min_stack_version": "9.3", "rule_name": "LLM-Based Compromised User Triage by User", - "sha256": "f39f059ff6002a24c19c201ebcafb670472fec3a8803a947eda5e7f680ae2573", + "sha256": "74320f5342f4057795f4d98338ee0b6f3faf00125e6e3df43ed7f3e4e7a47c8c", "type": "esql", - "version": 1 + "version": 2 }, "3df49ff6-985d-11ef-88a1-f661ea17fbcd": { "rule_name": "AWS SNS Rare Protocol Subscription by User", @@ -2809,9 +2845,9 @@ }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { "rule_name": "Spike in Number of Connections Made from a Source IP", - "sha256": "016467d7811dbed00476cc447016562141917373e312230a7d3573d566e96ae6", + "sha256": "7a39f70bd50840452642735a3e67da404e3d64e454887950151ab398e3c8fb76", "type": "machine_learning", - "version": 7 + "version": 8 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "rule_name": "Suspicious Execution via Windows Subsystem for Linux", @@ -2893,9 +2929,9 @@ }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { "rule_name": "Unusual Time or Day for an RDP Session", - "sha256": "d632667d0e14ade78c1787c32a0a5345f42684f5878a360c8941eecb586f9e79", + "sha256": "2a301f3d0e21bf2994bfb6f0dc94ceb8bd4a934687f3a98227e7c367528996dd", "type": "machine_learning", - "version": 7 + "version": 8 }, "3f7bd5ac-9711-44b4-82c1-fa246d829f15": { "rule_name": "Command Execution via ForFiles", @@ -2969,6 +3005,12 @@ "type": "eql", "version": 109 }, + "41554afd-d839-4cc2-b185-170ac01cbefc": { + "rule_name": "AWS Sensitive IAM Operations Performed via CloudShell", + "sha256": "1d21f6f6232a83d4b72d32a65c605f092c9eaaa78603c82e4d9d7adbd2cc39a2", + "type": "query", + "version": 1 + }, "416697ae-e468-4093-a93d-59661fa619ec": { "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "fe7c4d3464cff0dabddfb6424b2fbd4e36eedae5bf156da320f3a9f43d4068cb", 
@@ -3038,10 +3080,10 @@ "version": 5 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { - "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "f2cddaf0e60500a194a108dfe0e27c92610bd4a455cdc6613c978dffd06b1881", - "type": "threshold", - "version": 415 + "rule_name": "Potential Okta Password Spray (Single Source)", + "sha256": "20af1f7f7992e83abaf5da57e9a22025998a2be4ab340f0ca68d5720c21a757d", + "type": "esql", + "version": 416 }, "42c97e6e-60c3-11f0-832a-f661ea17fbcd": { "rule_name": "Entra ID External Authentication Methods (EAM) Modified", @@ -3171,6 +3213,12 @@ "type": "esql", "version": 3 }, + "47403d72-3ee2-4752-a676-19dc8ff2b9d6": { + "rule_name": "AWS IAM OIDC Provider Created by Rare User", + "sha256": "1cb9c0fd0274dca1ebc356d8b502ed8e73079bada5103d878b1c4611bbf060c1", + "type": "new_terms", + "version": 1 + }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { "rule_name": "System V Init Script Created", "sha256": "a5511918810879fab5872afa2bad76386c05810eb83a332eafdbbc354f50a688", 
@@ -3322,10 +3370,27 @@ "version": 111 }, "498e4094-60e7-11f0-8847-f661ea17fbcd": { - "rule_name": "Entra ID OIDC Discovery URL Modified", - "sha256": "0cc8e679b49189c33b8fa4a3f8bdbedc4d815611dd5b6880266e63c3f9c71e2a", + "min_stack_version": "9.2", + "previous": { + "8.19": { + "max_allowable_version": 106, + "rule_name": "Entra ID Federated Identity Credential Issuer Modified", + "sha256": "ff1e6fb43f0632db21046ece71d7058ab3cee78192896d0f3a94b2c4d381c440", + "type": "esql", + "version": 7 + }, + "9.1": { + "max_allowable_version": 206, + "rule_name": "Entra ID Federated Identity Credential Issuer Modified", + "sha256": "8aa466b92052814d35b6235ef0f0cf8bae090247c85ceacc0a8dc6f29e8f02d2", + "type": "esql", + "version": 107 + } + }, + "rule_name": "Entra ID Federated Identity Credential Issuer Modified", + "sha256": "1eb81cd186255e2682840b619c6fb99b4336bd278ada27f0d233b59ecd44c77f", "type": "esql", - "version": 6 + "version": 207 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", @@ -3347,9 +3412,9 @@ }, "4ae94fc1-f08f-419f-b692-053d28219380": { "rule_name": "Connection to Common Large Language Model Endpoints", - "sha256": "420d27afe834c13cd4781690dc6e0fc24038b9325999348e590100d83d31c0c5", + "sha256": "3757df1c47780a8ca59cef529bfea5554132941f7c7e759dda3693ddb8de1d05", "type": "eql", - "version": 2 + "version": 3 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", @@ -3430,9 +3495,9 @@ }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "rule_name": "PowerShell Share Enumeration Script", - "sha256": "349376f0919d8ae78cf2e2593e35a385db6c651dcbd0f2d3bd65e481acf834bb", + "sha256": "26c370c500763204d1c4ce8130f04b1598d572b21a9846450b74d92c48b08943", "type": "query", - "version": 114 + "version": 115 }, "4c5a4e8b-3f2d-4a6e-9b5c-7d8f9e0a1b2c": { "rule_name": "Azure Storage Account Blob Public Access Enabled", 
@@ -3524,6 +3589,12 @@ "type": "eql", "version": 317 }, + "50742e15-c5ef-49c8-9a2d-31221d45af58": { + "rule_name": "Okta Successful Login After Credential Attack", + "sha256": "55bee654e447f1127392b0f508b6b48a0436e8d2b9889b59329c8696c39cfc38", + "type": "esql", + "version": 1 + }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "765c282f30b0895e1d0260ea7fd4e8cc74f36d47fd286a736aad6211de527511", @@ -3798,15 +3869,15 @@ }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "rule_name": "PowerShell PSReflect Script", - "sha256": "09a841c5118a34b8d536f6f40cebadb5f41059cc12cbb7dc807ab4f32267e616", + "sha256": "6c697a981e583ada22e4f514b9fe1cc69e210a0cd838679036eb1158118d1beb", "type": "query", - "version": 316 + "version": 317 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { "rule_name": "Execution of an Unsigned Service", - "sha256": "962e242f06e97443f0e68323e3eb817e85896b5eb926c984b30c2ec8d960498e", + "sha256": "c1892bef95d251f7d7a47ff403d9820d9133ad7d52d07ded161c63a0664c92ba", "type": "new_terms", - "version": 107 + "version": 108 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", @@ -3868,6 +3939,12 @@ "type": "new_terms", "version": 2 }, + "5889760c-9858-4b4b-879c-e299df493295": { + "rule_name": "Potential Okta Brute Force (Multi-Source)", + "sha256": "f01353ef2c7832ac2582fd21f0a0b382c87d1523f7b9feedbef273fead65952f", + "type": "esql", + "version": 1 + }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", "sha256": "572350cc1b7ee9eb743fe3f4cfba0c9b6316477ce99490cc1ccffdf8a74bb4ab", 
@@ -3905,10 +3982,10 @@ "version": 5 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { - "rule_name": "M365 Security Compliance Email Reported by User as Malware or Phish", - "sha256": "e0e674bbe5d2c36f354cd27cf17c3cf2510ee9a402be205cfa9338e705f91464", + "rule_name": "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish", + "sha256": "7df117f2d8cc2a6407e7ce63ab750f7abac6c399fedb9cd5e5180dcbd3ff2b44", "type": "query", - "version": 211 + "version": 212 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "rule_name": "AWS CloudTrail Log Created", @@ -4007,10 +4084,10 @@ "version": 9 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { - "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "46ee24c7fa10dc712bdec1f2b7a584943ddaf4ed95ed89624609be1f195d0069", + "rule_name": "Deprecated - Suspicious PrintSpooler Service Executable File Creation", + "sha256": "fc9cef486a73aa99f5eb2449ccb3aeb22c54905f0aed559e59310a191b5b19c1", "type": "new_terms", - "version": 319 + "version": 320 }, "5bda8597-69a6-4b9e-87a2-69a7c963ea83": { "rule_name": "Boot File Copy", @@ -4158,10 +4235,10 @@ "version": 107 }, "5e552599-ddec-4e14-bad1-28aa42404388": { - "rule_name": "M365 Teams Guest Access Enabled", - "sha256": "f7ab0503d3427a92950121061b0dd785b8fd2fd830dd601c342238fae4218089", + "rule_name": "Deprecated - M365 Teams Guest Access Enabled", + "sha256": "6bd26b637d8d65d21fab98797574709274097ccf34020470f0460c4fa98adbae", "type": "query", - "version": 211 + "version": 212 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", 
@@ -4224,10 +4301,10 @@ "version": 1 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { - "rule_name": "M365 Exchange DLP Policy Deleted", - "sha256": "6bd8639a31024475ca8e5c8b3f48b7452910b8d4c55782f0e93eb2ed54f12720", + "rule_name": "Deprecated - M365 Exchange DLP Policy Deleted", + "sha256": "d49413545670c96c3b5d14b25f8f532a2453b7464b7332636cb2977953371e86", "type": "query", - "version": 211 + "version": 212 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", @@ -4241,6 +4318,12 @@ "type": "eql", "version": 206 }, + "616b8d00-05f8-11f1-8f33-f661ea17fbce": { + "rule_name": "Entra ID Service Principal Federated Credential Authentication by Unusual Client", + "sha256": "9e0f60e5d2e546787e888d2c54ba461cfc4a3c257bbb2676cababb43348c99b3", + "type": "new_terms", + "version": 1 + }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "rule_name": "Interactive Logon by an Unusual Process", "sha256": "89c4a7e78c150d6be51a0ac7825e8c185a6b6079831022b8ba59a2cfd77f7047", @@ -4261,9 +4344,9 @@ }, "61ac3638-40a3-44b2-855a-985636ca985e": { "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "6444953107ff83401fc01f27ae794d13e3408444ee70c27f3b40202cdc04c216", + "sha256": "f0416cbdf5fa18a079d3d3c82eae6bd19b83bdf9c69f6fb2425e8242e6a585d1", "type": "query", - "version": 318 + "version": 319 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", @@ -4393,9 +4476,9 @@ }, "64f17c52-6c6e-479e-ba72-236f3df18f3d": { "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences", - "sha256": "3bfd7f995447f6b0f7f007bbaa92f8674ae06f346fd5d6ea0813150b56310cdf", + "sha256": "1ba76a28d1221550f249957c43bfccd0a28542d4170ccd39ce015e683cb07d10", "type": "esql", - "version": 9 + "version": 10 }, "6505e02e-28dd-41cd-b18f-64e649caa4e2": { "rule_name": "Manual Memory Dumping via Proc Filesystem", 
@@ -4615,10 +4698,10 @@ "version": 3 }, "6926b708-7964-425f-bed8-6e006379df08": { - "rule_name": "SOCKS Traffic from an Unusual Process", - "sha256": "6939e9c3d0c45a0232cf99e7f0158c1550ece754a4b9b211719491cbaf958553", + "rule_name": "FortiGate SOCKS Traffic from an Unusual Process", + "sha256": "984c1410626d079006e9478eb02012d69dbe7ab70c8dcba0271941495d44a43a", "type": "eql", - "version": 1 + "version": 2 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", @@ -4764,9 +4847,9 @@ }, "6ddb6c33-00ce-4acd-832a-24b251512023": { "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse", - "sha256": "2a4553cfcf96d35a8e7b1e64f806c76645fb7e974e47de871af877e2fd45fcea", + "sha256": "13ff8d1f600483ce1e555b28c7a7a4c6b9ffc5be4d95a4a86f2f9d8d0d6c9ac5", "type": "esql", - "version": 8 + "version": 9 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { "rule_name": "Root Certificate Installation", @@ -4812,9 +4895,9 @@ }, "6e92a21a-58e7-449a-9cfd-9f563f59ac88": { "rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host", - "sha256": "6ef173bf4773699bc5652c6a4421d2ed1eb0359ff9b3d6f6b65157c06468d3ec", + "sha256": "0af28c57cd19d5320e05faaad5f00b01898a15bbb2ff2f44b2bad5017e23d748", "type": "esql", - "version": 1 + "version": 2 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", @@ -4848,9 +4931,9 @@ }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "0b41bcafb368af9d70c2de795c9775427f44e061c44b7e02fdec07832063cfb9", + "sha256": "fcd07e40992b3e612a095210ff3c48f93387e580802fa2fa7a2b78eb18a98fd9", "type": "eql", - "version": 113 + "version": 114 }, "6f024bde-7085-489b-8250-5957efdf1caf": { "rule_name": "Active Directory Group Modification by SYSTEM", 
@@ -5003,10 +5086,10 @@ "version": 2 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { - "rule_name": "M365 Security Compliance Potential Ransomware Activity", - "sha256": "873bf6ea0ce126f98f6384575a92f4ac431c9681d3ac6877ddfa3a4c4d5acfc2", + "rule_name": "Deprecated - M365 Security Compliance Potential Ransomware Activity", + "sha256": "2a680c4a4e1bbda3a08c46d451d0034d870388b139588ae38b32738977071f96", "type": "query", - "version": 212 + "version": 213 }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", @@ -5075,6 +5158,12 @@ "type": "eql", "version": 1 }, + "737b5532-cf2e-4d40-9209-d7aec9dd25d5": { + "rule_name": "Potential PowerShell Obfuscated Script via High Entropy", + "sha256": "7326cf6d3997c601c7fdfb47f61c62a2ee7636dda3bb752ab1d671b794d8b908", + "type": "query", + "version": 1 + }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "3a1f9137b0ac5c869b1a85c1f9cf33b9842c078786d4f226f86133349f0dea88", @@ -5442,9 +5531,9 @@ }, "7d02c440-52a8-4854-ad3f-71af7fbb4fc6": { "rule_name": "Alerts From Multiple Integrations by Source Address", - "sha256": "dbdc25df3c87e9e0858a5da9486ca32c09a856dcfa96d9fc88e25745720a9b3a", + "sha256": "a61eb0d371a4caab4caa6d7283fbb4b4603fa27b28ebebb02a0b43a5b6f78cec", "type": "esql", - "version": 1 + "version": 2 }, "7d091a76-0737-11ef-8469-f661ea17fbcc": { "rule_name": "AWS Lambda Layer Added to Existing Function", @@ -5500,6 +5589,12 @@ "type": "eql", "version": 106 }, + "7f3521dd-fb80-4548-a7eb-8db37b898dc2": { + "rule_name": "Potential Notepad Markdown RCE Exploitation", + "sha256": "d90a83b12ebbd6d7bb22e6b454d528a3c5cbcc61462859e9300a5d2c6b79885a", + "type": "eql", + "version": 1 + }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "209bb76a623ef2ceecf2a1aee175416811264a846f5849790c6d7cbb8ef45131", 
@@ -5526,9 +5621,9 @@ }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { "rule_name": "Discovery of Internet Capabilities via Built-in Tools", - "sha256": "63bf1b6a1cb881c4b835fa9658024abdbb4762b887b80930acde8b6883a9a2c1", + "sha256": "c36b3a20bc7851ef82f259a38a6c6a7ec11f8f1ed9af8787d9658342939f9463", "type": "new_terms", - "version": 104 + "version": 105 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "rule_name": "Systemd Timer Created", @@ -5544,9 +5639,9 @@ }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", - "sha256": "1d6b0e3e9b85628bcab76103c4731640923f970e84ab576390ffd7e6e2993467", + "sha256": "273635e3d94265c8539f908bff1965b23021614338a6e90d4dc7c080147d8dde", "type": "eql", - "version": 9 + "version": 10 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", @@ -5561,10 +5656,10 @@ "version": 6 }, "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { - "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "21338d52150e45c05db894e54d90d6ef1f3db44cf524a501e31309cfbb983e05", + "rule_name": "Deprecated - Potential PowerShell Obfuscated Script", + "sha256": "72a01fd54afb28c944bf94f431e2f37ee0678bbd7fc3d85d119f6a3282220b26", "type": "query", - "version": 108 + "version": 109 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "AWS SSM Session Started to EC2 Instance", @@ -5592,9 +5687,9 @@ }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { "rule_name": "Unusual Remote File Extension", - "sha256": "6639f9ff4a1f988b52a9cf37174c52d2d2aa6b81df7e3d3959341cd9178e1f55", + "sha256": "71c7673c8d33664e251206a8c6b33692ab2583160ba5cb665ca3f4feb143979a", "type": "machine_learning", - "version": 7 + "version": 8 }, "8154d01d-04d1-4695-bcbb-95a1bb606355": { "rule_name": "Gatekeeper Override and Execution", 
@@ -5617,9 +5712,9 @@ }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "cfe3053df0db70d67a72023180094f2722668f0335e1ad4d7a844576c4da0d23", + "sha256": "411db9f26f4878e2033a9601ec260076e0ae315d11b48c8c388f3452cc55d9d8", "type": "eql", - "version": 314 + "version": 315 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", @@ -5629,9 +5724,9 @@ }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "d5686f550627a508b223292a2b247f4a7f7f4d16821b6a75ecd4c7a04bd3c934", + "sha256": "067bbe4c3d422970852d7c5d7dbe42bb1d0dedee1abaedd5eb778bf92e40fbbd", "type": "query", - "version": 317 + "version": 318 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "rule_name": "Temporarily Scheduled Task Creation", @@ -5683,9 +5778,9 @@ }, "83bf249e-4348-47ba-9741-1202a09556ad": { "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "0347e6f35d144ad0df73bc8c69dd91de5d8d5e226494bf2511856671f3c94808", + "sha256": "553ef147268721ddc516e579c19daf3baccf3cbd76f1162888b183f723f1c224", "type": "eql", - "version": 210 + "version": 211 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "rule_name": "Attempt to Disable IPTables or Firewall", @@ -5700,10 +5795,10 @@ "version": 7 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { - "rule_name": "Microsoft Exchange Transport Agent Install Script", - "sha256": "9f08eb1c4f45c16bdd270d3cdd1c7a218ca1b406833cb1a35646cd235f82c3e8", + "rule_name": "Deprecated - Microsoft Exchange Transport Agent Install Script", + "sha256": "231fa1320c2fe2c406250a79a7d96b9d5ba958d3b53f96867c8c3d563d7b55f5", "type": "query", - "version": 109 + "version": 110 }, "84755a05-78c8-4430-8681-89cd6c857d71": { "rule_name": "At Job Created or Modified", 
@@ -5737,9 +5832,9 @@ }, "85e2d45e-a3df-4acf-83d3-21805f564ff4": { "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction", - "sha256": "042802b5d6c49216900c89afe8817be16c66474e291e952d93911a9daa7e721a", + "sha256": "7fd3bf166c197928c42d5da7436ced831f7387e7d7f015061f5ecf693dd830df", "type": "esql", - "version": 7 + "version": 8 }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "rule_name": "Potential Subnet Scanning Activity from Compromised Host", @@ -5884,10 +5979,10 @@ "version": 213 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { - "rule_name": "Command Prompt Network Connection", - "sha256": "49bfbc43dd89ec3bafeff899df67ba47d7277ba6fe766a6d712ab996f5e26918", + "rule_name": "Suspicious Command Prompt Network Connection", + "sha256": "3213a8de8068cd9157da88af05f5df49400dc63b5a902a20fbd436008c12e78d", "type": "eql", - "version": 212 + "version": 213 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", @@ -5921,9 +6016,9 @@ }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "473eabf294ab4380f9f702623f6fc613eae4d0c69170277bf305be4e4261264b", + "sha256": "dd402a12633ed1ab118bbcbc953d65b005d1dc74c6eac3297fb4350cef59619b", "type": "eql", - "version": 211 + "version": 212 }, "8a1db198-da6f-4500-b985-7fe2457300af": { "rule_name": "Kubernetes Unusual Decision by User Agent", @@ -6075,9 +6170,9 @@ }, "8d4d0a23-19d3-4186-a6f1-6f0760d2e070": { "rule_name": "Multiple External EDR Alerts by Host", - "sha256": "43b9438cc1b22129cd2f0f358f1f03b8b2fb24bbd42520c4a2c57442fd3ce509", + "sha256": "dbd31b6d355226db225bd9b68f61c5b05042dc609806bf1688af4069be15682f", "type": "esql", - "version": 1 + "version": 2 }, "8d696bd0-5756-11f0-8e3b-f661ea17fbcd": { "rule_name": "Entra ID OAuth ROPC Grant Login Detected", 
@@ -6123,9 +6218,9 @@ }, "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": { "rule_name": "Entra ID Actor Token User Impersonation Abuse", - "sha256": "30ed06530a8df8c680947a88d1dae55ba541eff2706b998d67c5490b646d6bf6", + "sha256": "c3a3ba5d26efb65c2238fe623846c02797e51129094d15bad8b7b5b259cf8dfb", "type": "esql", - "version": 3 + "version": 4 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "rule_name": "Bitsadmin Activity", @@ -6237,10 +6332,10 @@ "version": 5 }, "90efea04-5675-11f0-8f80-f661ea17fbcd": { - "rule_name": "Entra ID Device Registration Detected (ROADtools)", - "sha256": "3a0d5342c9036b9860359f2224c2c3c4d295bd7c9cdc705336d0fab50bb52151", + "rule_name": "Entra ID Unusual Cloud Device Registration", + "sha256": "5b2c500cbc2dab1090c08cd6291b33e213a59618a2b5198d2e8b99f1b41b2dd5", "type": "eql", - "version": 2 + "version": 3 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", @@ -6327,10 +6422,10 @@ "version": 213 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "28e1eea911bb6da17c9e7545b44f86927de6020e8e4ea22af960a2610cd011e3", + "rule_name": "Deprecated - Encoded Executable Stored in the Registry", + "sha256": "819d88211a74681757c27c0eb0ea164fd5c4a94925056350fbf01ded6ddae907", "type": "eql", - "version": 415 + "version": 416 }, "93dd73f9-3e59-45be-b023-c681273baf81": { "rule_name": "Linux Video Recording or Screenshot Activity Detected", 
@@ -6369,10 +6464,10 @@ "version": 214 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { - "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "68d3152a44bb3233dd6ea2a751dd806a05611119c6d8fdd35a2ce561f77008e8", + "rule_name": "Potential Okta Credential Stuffing (Single Source)", + "sha256": "51497d3090604a3039fc966afdfe2d841061c20722995d72be05eae76c1550c8", "type": "esql", - "version": 208 + "version": 209 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", @@ -6859,6 +6954,13 @@ "type": "eql", "version": 1 }, + "9d94d61b-9476-41ff-a8d3-3d24b4bb8158": { + "min_stack_version": "9.3", + "rule_name": "Tunneling and/or Port Forwarding Detected via Defend for Containers", + "sha256": "abda5d886c027c7acdd2c2c9794c552d98d75d0f329d924d0c9509263235ebb4", + "type": "eql", + "version": 1 + }, "9e11faee-fddb-11ef-8257-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Authentication Type", "sha256": "221e95b30c3f9132594ca8d2ea13d90345e2f5e585597c7ed073f601c81148e9", @@ -6897,9 +6999,9 @@ }, "9edd1804-83c7-4e48-b97d-c776b4c97564": { "rule_name": "PowerShell Obfuscation via Negative Index String Reversal", - "sha256": "80337ad19f41109f42a613fc874f84003c4f8ffc9d9937f5ed797ebdaba4d6b2", + "sha256": "e6f63f5a14d9fd64fa42c6876b3fc572b1ae4e05b427504913ebd567c4db37a4", "type": "esql", - "version": 7 + "version": 8 }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", @@ -6915,9 +7017,9 @@ }, "9f432a8b-9588-4550-838e-1f77285580d3": { "rule_name": "Dynamic IEX Reconstruction via Method String Access", - "sha256": "d4479bdaec900117e1ad75df629a9315ab2de96d27ac3c4c5d7e1057c4405497", + "sha256": "240a406d0305dd6344e374366a323c69f6639bb80c3853e6d7d82cb35a43eef3", "type": "esql", - "version": 9 + "version": 10 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via DCSync", 
@@ -7082,10 +7184,10 @@ "version": 1 }, "a3cc60d8-2701-11f0-accf-f661ea17fbcd": { - "rule_name": "Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client", - "sha256": "679e694e959d98449a1ad9c234f292fee6e37b0022b58d8aa0e069a240098d5f", + "rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client", + "sha256": "b0cb4bda3738ab20e63d9ccd9aa054a0151377801ad9d786fbe0ec4e521cd011", "type": "new_terms", - "version": 3 + "version": 4 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", @@ -7218,9 +7320,16 @@ }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { "rule_name": "High Mean of RDP Session Duration", - "sha256": "366b162a996ea520f1cbed83376ae554313278cf6473bde2325bcce3e66fc4c0", + "sha256": "98b2e7d0d5c6e743cfc10a8e3764d9e083ab3e45612f50c8e656c82b2c87a42e", "type": "machine_learning", - "version": 7 + "version": 8 + }, + "a750bbcc-863f-41ef-9924-fd8224e23694": { + "min_stack_version": "9.3", + "rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers", + "sha256": "2b7bf9a3de0eb18418db511b219abdc7cadd3b5cdefdd70d1cb796dd83161b36", + "type": "eql", + "version": 1 }, "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": { "rule_name": "Execution via OpenClaw Agent", 
@@ -7240,12 +7349,24 @@ "type": "eql", "version": 315 }, + "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": { + "rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User", + "sha256": "5cb15224ba5e3b436c88a0c808d62f5975a8a962c7c0d804baf2e704d054b03d", + "type": "eql", + "version": 1 + }, "a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", "sha256": "4e3c23c7881aeb5c679a751675fc7441b3984d00897e461cd40ecaeba57cdc62", "type": "new_terms", "version": 6 }, + "a80ffc40-a256-475a-a86a-74361930cdb1": { + "rule_name": "AWS IAM SAML Provider Created", + "sha256": "d5cdab921477a06497e239824cd88e803d3eb45dd7f85f9bc3ef531c713c400f", + "type": "query", + "version": 1 + }, "a8256685-9736-465b-b159-f25a172d08e8": { "rule_name": "Suspicious Curl to Jamf Endpoint", "sha256": "96bdc6dda9b99337a375bda8f6a1c8755a9bd449a70db25466f3f8d135bc2ed8", @@ -7279,9 +7400,9 @@ "a8b08d2d-6dfe-453f-87d1-11d5fc3ec746": { "min_stack_version": "9.3", "rule_name": "File Download Detected via Defend for Containers", - "sha256": "ebd2c5b6a584bc6f8f0c45d970103be1bb8ed86e9a55ffc29c52ae1e64f134c1", + "sha256": "7639716e2528d68b95b96d7b6b558489c5d3825d36ff2d4a98b810b4372c40ae", "type": "eql", - "version": 1 + "version": 2 }, "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": { "rule_name": "Azure Storage Blob Retrieval via AzCopy", @@ -7297,9 +7418,9 @@ }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "rule_name": "High Variance in RDP Session Duration", - "sha256": "ab11651cb3fb46c70c3fdbf4479abc32ea2fb7d096747443517a1d135615d72c", + "sha256": "c1b7d0299bdbc6612b5661369ed5e4594203e23f1ac7c6f66177a0d4e9e639c5", "type": "machine_learning", - "version": 7 + "version": 8 }, "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": { "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", 
@@ -7543,9 +7664,9 @@ }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "c73a0960053e36648a945ab8f7cd8431069521c690ad6b90c76f619dd2779fd1", + "sha256": "1cab4d236af2187cf214d9f7698d6bafb8c4fbbae2f26d08efeea2017a7e0f32", "type": "query", - "version": 215 + "version": 216 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", @@ -7675,9 +7796,9 @@ }, "b0c98cfb-0745-4513-b6f9-08dddb033490": { "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables", - "sha256": "1e3b99a1e35a1f408d5a7a5d3947dabb2d94421e18d544ab2ca1634529dfe11e", + "sha256": "9b70b1ae2e9c9a8d5c326e930ee1d6922a8234afeb5945abdad61790a366eb47", "type": "esql", - "version": 8 + "version": 9 }, "b11116fd-023c-4718-aeb8-fa9d283fc53b": { "min_stack_version": "9.3", @@ -7732,10 +7853,10 @@ "version": 216 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { - "rule_name": "M365 Security Compliance Unusual Volume of File Deletion", - "sha256": "b001d8e92cbbdcf45c210b3059df4adde3925921ed48b1ab173241690bce62cb", + "rule_name": "Deprecated - M365 Security Compliance Unusual Volume of File Deletion", + "sha256": "f86f481f50bb0a81e04e053d44c7884c19126b9335761ec525ef2835a4be5a26", "type": "query", - "version": 211 + "version": 212 }, "b29b7652-219f-468b-aa1f-5da7bcc24b03": { "rule_name": "Potential Traffic Tunneling using QEMU", @@ -7846,9 +7967,9 @@ }, "b5877334-677f-4fb9-86d5-a9721274223b": { "rule_name": "Clearing Windows Console History", - "sha256": "e4ec3eeaca70a7fb0ab7f2aad3186a62aed903bdb8d828be833b9f203430f468", + "sha256": "87d181da2c1d56e01ef1c972e929acaed2bc1160d0cf3f45b3741f8b073c130f", "type": "eql", - "version": 317 + "version": 318 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", 
@@ -7864,9 +7985,9 @@ }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", - "sha256": "4bf42ef8a88e79ed1398887aa8603db3edc9c8f73ae5cc50f8f9a0851ced3281", + "sha256": "fcce1d412bc6e04155cb2f2e0d2b67e8e87ab12f59f1583f946967f9cb1a2242", "type": "eql", - "version": 111 + "version": 112 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", @@ -7919,9 +8040,9 @@ }, "b7f77c3c-1bcb-4afc-9ace-49357007947b": { "rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike", - "sha256": "f6080addd4a61f03f1373074922662e8f103b752b37d81947d8e23e3ff2278f0", + "sha256": "5e33ef87d305f50f061545ef99ce1dd5b9ce6bfa3247837f6e2355532fbe5fcd", "type": "esql", - "version": 1 + "version": 2 }, "b8075894-0b62-46e5-977c-31275da34419": { "rule_name": "Administrator Privileges Assigned to an Okta Group", @@ -8208,9 +8329,9 @@ }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "rule_name": "Unusual Remote File Directory", - "sha256": "06701c5b78ef2356abadfab4ca53924769a7a007843b2337e6d6cbf16eac8d76", + "sha256": "b656146b40333aa0bbb38207431e1bda4ac60ed0c81425452fc9bdbeb293966a", "type": "machine_learning", - "version": 7 + "version": 8 }, "be70614d-4295-473c-a953-582aef41c865": { "rule_name": "Potential Data Exfiltration Through Curl", @@ -8292,9 +8413,9 @@ }, "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", - "sha256": "00569a9b31b0877aebf27e35148d1eb321eb3fce94e84b0d5bfc0200b24775c1", + "sha256": "2791043f63074536de6e74909024903fb85f453091d8d74b441586745316aeea", "type": "query", - "version": 107 + "version": 108 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { "rule_name": "Deprecated - Suspicious Renaming of ESXI index.html File", 
@@ -8447,6 +8568,13 @@ "type": "eql", "version": 6 }, + "c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": { + "min_stack_version": "9.3", + "rule_name": "Multiple Rare Elastic Defend Behavior Rules by Host", + "sha256": "c0d66e17e9785feeec08ca3facd4df547341800aa13d146f280878dd710f5426", + "type": "esql", + "version": 1 + }, "c55badd3-3e61-4292-836f-56209dc8a601": { "rule_name": "Attempted Private Key Access", "sha256": "e707e3c1a46f94d7499ab0a59780aea166d33755a2683120a0dd1227eaf3df43", @@ -8846,9 +8974,9 @@ }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "6a3a41432334b7098df61a7139dca98767324dea23216d6d9fd8e10be74d51aa", + "sha256": "1fea0a2f7ea3bb2c16b62b1430f80ebd513dac2500b61d345a23a244da6d0f00", "type": "query", - "version": 219 + "version": 220 }, "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { "rule_name": "Shadow File Modification by Unusual Process", @@ -8913,10 +9041,10 @@ "version": 208 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { - "rule_name": "Unusual Discovery Activity by User", - "sha256": "dafdfd21513074cd259693095b1481af24714117026e81c38a454cfa19780230", + "rule_name": "Deprecated - Unusual Discovery Activity by User", + "sha256": "13f9e9049c5bddcdde9abfd3501c2925eb76c07771c5c7a4c2e3cc40842774e0", "type": "new_terms", - "version": 2 + "version": 3 }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { "rule_name": "Trap Signals Execution", @@ -9068,9 +9196,9 @@ }, "d43f2b43-02a1-4219-8ce9-10929a32a618": { "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", - "sha256": "6ce4c54b7198d58dfe8cee0510a717d29bff8c546465fc3ec0511e5e542404bb", + "sha256": "739247a92bc9484d0dcb60b1be1c780d2409c02187834df1752f6b3cc122e3d4", "type": "esql", - "version": 7 + "version": 8 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", 
@@ -9120,6 +9248,12 @@ "type": "eql", "version": 111 }, + "d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c": { + "rule_name": "Kernel Module Load from Unusual Location", + "sha256": "185037951f98309195facc3ecee3aeb8fac6f83994d9d0fb18bf5d13651f3961", + "type": "eql", + "version": 1 + }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected", "sha256": "e033856be7ad362345e1ba2b993b90b1aaeec55773bbadf68127329c2ac3bed8", @@ -9140,9 +9274,9 @@ }, "d591d7af-399b-4888-b705-ae612690c48d": { "rule_name": "Newly Observed High Severity Suricata Alert", - "sha256": "25910a2a4dbe9fc970c6f30a8d259ee6897adabc4ff0ae3a4cae2c7c725e4cc0", + "sha256": "5429febf472a2b6a92abaf89cbe7b824b49407e8a1704ee6415bac4a4abcf45a", "type": "esql", - "version": 1 + "version": 2 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", @@ -9318,6 +9452,13 @@ "type": "eql", "version": 4 }, + "d9bfa475-270d-4b07-93cb-b1f49abe13da": { + "min_stack_version": "9.3", + "rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers", + "sha256": "9a8879a1b9bab3940164561c3907250d88bce0a1a16c2c2ac5de71620cfb7523", + "type": "eql", + "version": 1 + }, "d9faf1ba-a216-4c29-b8e0-a05a9d14b027": { "rule_name": "Sensitive Files Compression Inside A Container", "sha256": "abaae9b121b4c9e85fe7f81aa82f7048fed76d2dfcef8712ec4ff82c33a93706", @@ -9338,9 +9479,9 @@ }, "da0ebebe-5ad3-4277-95e7-889f5a69b959": { "rule_name": "System Information Discovery via dmidecode from Parent Shell", - "sha256": "5a3dd88c61deb47e5f69f51e5308a818fb91527083875aa651418898630fba91", + "sha256": "c5119c7d8cb6ba0ab9fb94430ae2c2d1e3e6a6ebf20e2e18c60d9d4a5447293b", "type": "eql", - "version": 1 + "version": 2 }, "da4f56b8-9bc5-4003-a46c-d23616fbc691": { "rule_name": "PANW and Elastic Defend - Command and Control Correlation", 
@@ -9362,9 +9503,9 @@ }, "da7f7a93-26e1-49ce-b336-963c6dc17c7b": { "rule_name": "Multiple Machine Learning Alerts by Influencer Field", - "sha256": "feaa5c21298a7ac10094ac4ac7a46dceb91da9bd249f817cbe301f594226d4a4", + "sha256": "bbac8cf5212f002212b5f8bf7bd3d272ce4cfefbc2fc7e77631b044646ec3b81", "type": "esql", - "version": 1 + "version": 2 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "rule_name": "Suspicious Service was Installed in the System", @@ -9404,9 +9545,9 @@ }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "ed9f706184fc5034e51bb0a6bee7ee427e2f4a69479c5d6d7a813a3e26977c55", + "sha256": "3d2e5ac48ff0dd732d63a309fd8645c301330bfc555cc67fe1e4e842f3604e9a", "type": "eql", - "version": 213 + "version": 214 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", @@ -9601,9 +9742,9 @@ }, "df9c0e92-5dee-4f1d-a760-3a5c039e4382": { "rule_name": "Detection Alert on a Process Exhibiting CPU Spike", - "sha256": "571c0d2b1601d9b022ee332914385ea82ca4b2468a245cdfb1ccd3e60db1b211", + "sha256": "f5ac0710ca1245ab366c3b05727497d8c3380c801d3c5d4c58c457f5221c2e67", "type": "esql", - "version": 1 + "version": 2 }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { "rule_name": "Potential privilege escalation via CVE-2022-38028", @@ -9703,9 +9844,9 @@ }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "030ebc3173772db7df46d78fb8e17ab8542bfbbb95507a0854746d3c1170b41e", + "sha256": "907edd17e466a818cba2a0af32a363af70af30da65bab6787f7c3c1cbe02cf49", "type": "query", - "version": 320 + "version": 321 }, "e28b8093-833b-4eda-b877-0873d134cf3c": { "rule_name": "Network Traffic Capture via CAP_NET_RAW", 
@@ -9955,9 +10096,9 @@ }, "e819b7eb-c2d4-4adc-b0c9-658aeb140450": { "rule_name": "Lateral Movement Alerts from a Newly Observed User", - "sha256": "af6e6bc1bdc5322ecf674c90c4311e0e276424f55d2ca670379ffa0f1cdb1242", + "sha256": "25b15177e88f841bf8797680046c7a6100044cfd433d8f0ecb13ec8c5ac90a43", "type": "esql", - "version": 1 + "version": 2 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "rule_name": "Service Control Spawned via Script Interpreter", @@ -10009,9 +10150,9 @@ }, "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": { "rule_name": "Potential PowerShell Obfuscation via String Reordering", - "sha256": "e77f96858b8f3e569684058a79626aae64e8ae0ecf506bc05a7baffeda7fc18e", + "sha256": "c9c8e405e6ac8fa5c9711db9949851e54148dbab50f0f01943ea9202de3054cd", "type": "esql", - "version": 10 + "version": 11 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", @@ -10051,9 +10192,9 @@ }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { "rule_name": "Spike in Remote File Transfers", - "sha256": "975b13f7e3596d2d2ea7620626795e49aed292a53d358ee3efc1f7f1ef347e34", + "sha256": "6eab278586da677be043352e5acc6918724d546e2a66017c7babdd4f44d5a2f9", "type": "machine_learning", - "version": 7 + "version": 8 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", @@ -10318,9 +10459,9 @@ }, "ef395dff-be12-4a6e-8919-d87d627c2174": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option", - "sha256": "b22e530003eb3b5b3e0eae371dbd8a89d3cb42c2fb015cbfcdc9cb0d79afed99", + "sha256": "15b509aa1f5ce2c13415561c334b6a518da12328ed335527951d3c70264464b1", "type": "eql", - "version": 3 + "version": 4 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "min_stack_version": "9.3", 
@@ -10363,10 +10504,10 @@ "version": 111 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { - "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "d92a66888822d35e66809a1c34f7e2a8a0429973e9e2ba1971c23ead1cfa2518", + "rule_name": "Okta User Assigned Administrator Role", + "sha256": "1e7973d1b497e6f96e61cbfaa3a288c8816dde52e132d6ea55bd329c23af6f63", "type": "query", - "version": 412 + "version": 413 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", @@ -10388,9 +10529,9 @@ }, "f0dbff4c-1aa7-4458-9ed5-ada472f64970": { "rule_name": "dMSA Account Creation by an Unusual User", - "sha256": "5d219233df7958e01f0195614bd5fa03615d79b120eb1122cd93bccc65fb5f25", + "sha256": "568644c5f0c19e90ec4b242b6ae4cd524440192c962a326f062fd4fe997d9400", "type": "new_terms", - "version": 2 + "version": 3 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", @@ -10438,9 +10579,9 @@ "f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": { "min_stack_version": "9.3", "rule_name": "LLM-Based Attack Chain Triage by Host", - "sha256": "4e87fa86daf458374804412a96b23724e212635c2fbae7efd46e46ff8325a970", + "sha256": "a8e526596cd31695f761b1c473b0d8067336519cb1918dd798f4d7752e5a7f6b", "type": "esql", - "version": 1 + "version": 2 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { "rule_name": "Service Path Modification", @@ -10448,6 +10589,13 @@ "type": "eql", "version": 107 }, + "f246e70e-5e20-4006-8460-d72b023d6adf": { + "min_stack_version": "9.3", + "rule_name": "Modification of Persistence Relevant Files Detected via Defend for Containers", + "sha256": "3e7ee604dfdadac507a1fcb9f2a39b6e5718c90169c1e0bfaabd701e0c5fad63", + "type": "eql", + "version": 1 + }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", "sha256": "96eccd66b8f60e06e7aabfbd9a3d372d3e994cc5b1de8d08ea6f3473c5872be8", 
@@ -10528,9 +10676,9 @@ }, "f38633f4-3b31-4c80-b13d-e77c70ce8254": { "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", - "sha256": "1e15020044447b4f243d928c5820afc2f536ceb7031e116f3f52abe23a435efe", + "sha256": "8840b0c126687d686b10af54ad284385b8385dd1400d81f180b14c807162c05b", "type": "esql", - "version": 8 + "version": 9 }, "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "rule_name": "Kill Command Execution", @@ -10726,9 +10874,9 @@ }, "f6d8c743-0916-4483-8333-3c6f107e0caa": { "rule_name": "Potential PowerShell Obfuscation via String Concatenation", - "sha256": "d400fe1c09c7e41f7178725b46bd74810243c3a0a406f71cb255002651486de3", + "sha256": "4966b256f77320a536fd06f26771860ce412bb74324a875bca6867ac35dd79c3", "type": "esql", - "version": 8 + "version": 9 }, "f701be14-0a36-4e9a-a851-b3e20ae55f09": { "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing", @@ -10756,9 +10904,9 @@ }, "f770ce79-05fd-4d74-9866-1c5d66c9b34b": { "rule_name": "Potential Malicious PowerShell Based on Alert Correlation", - "sha256": "3bb1b5457415afbc01790c12c23c72752d168bf76ed767c4e9eaae3a240e3f3a", + "sha256": "4f767eb21c0e9bf26fdc415d37852193d399b3803909b03b97f98d81741f4054", "type": "esql", - "version": 3 + "version": 4 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", @@ -10885,6 +11033,12 @@ "type": "eql", "version": 11 }, + "f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a": { + "rule_name": "Okta Admin Console Login Failure", + "sha256": "b81d0b73d164001b8e1540672ae510843355372f5ed90223d71be86812b9cd27", + "type": "query", + "version": 1 + }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { "rule_name": "Browser Extension Install", "sha256": "81bcee1c190422617ecec5060d5c56cac2493d8ea917f010d9ecb2c97e1c8082", 
@@ -10893,9 +11047,9 @@ }, "f9753455-8d55-4ad8-b70a-e07b6f18deea": { "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", - "sha256": "b46923fa1eca5a5c55503188812f8b17851e20dc338fc0546f0291d8e0f6258c", + "sha256": "459fdfc9a0bf0c7e11816d78422d6f072d79db1e1bcc876e972c71d10a2739f4", "type": "esql", - "version": 7 + "version": 8 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "rule_name": "Privileged Account Brute Force", @@ -10911,9 +11065,9 @@ }, "f9abcddc-a05d-4345-a81d-000b79aa5525": { "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", - "sha256": "2f3e5e0c6bf6ba23117783c2dae2684d8df44ec53d4506fb0a9f75e096d2a338", + "sha256": "a8fb8ff65c77ca30e4b18c8cfe9a98058e413bb924c285e9eb647e2cb7d43baa", "type": "esql", - "version": 9 + "version": 10 }, "f9de0949-94d8-441d-ae9a-8eb1e040acf2": { "rule_name": "Newly Observed Process Exhibiting High CPU Usage", @@ -10981,6 +11135,12 @@ "type": "threshold", "version": 1 }, + "fb542346-1624-4cf2-bcc7-c68abaab261b": { + "rule_name": "Kernel Instrumentation Discovery via kprobes and tracefs", + "sha256": "a8a874542376d67bfb7e56d83b295e1b28912d3a594ba3364a7f056091b145ed", + "type": "eql", + "version": 1 + }, "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": { "rule_name": "Unusual Group Name Accessed by a User", "sha256": "9f2db22b9e734b5a889262f1f2f439535f666e0297237040c15e016852a51ff1", @@ -11023,6 +11183,12 @@ "type": "query", "version": 4 }, + "fc552f49-8f1c-409b-90f8-6f5b9869b6c4": { + "rule_name": "Elastic Defend Alert Followed by Telemetry Loss", + "sha256": "1ce71d93152a8ed2bd61129845956d2556e7c325395c705b5fb6a49ec397ecf7", + "type": "eql", + "version": 1 + }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "5a82f8caac0fe4454c5282d9afcc90b60b161d0c3799c54bd699873bfc0a5905", 
@@ -11121,9 +11287,9 @@
 },
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
-"sha256": "103f74536c4e37ff883b84981835bc8056adec27739d13553205d37b95f434ff",
+"sha256": "1992da8023f1475e7ecead13adb32485cb6a234a3f49e3d3e880464a2402d474",
 "type": "query",
-"version": 110
+"version": 111
 },
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "rule_name": "Microsoft Windows Defender Tampering",
diff --git a/pyproject.toml b/pyproject.toml
index 50ad1643e..fbe6a1175 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.47"
+version = "1.5.48"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"