Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4147)

2024-10-09 20:56:57 -05:00
parent 06319b7a13
commit afbca3ee75
1 changed files with 60 additions and 54 deletions
@@ -462,9 +462,9 @@
  "0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
    "min_stack_version": "8.13",
    "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
-    "sha256": "6e3b46e8ec99a5315db0290b20975c2f96035274d47497b5275ca90eb2284494",
+    "sha256": "9d97ad923ffa94a4d3255c94fdc54a132bb5032c08ba7d8ac2dc07f13d80a998",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "0ce6487d-8069-4888-9ddd-61b52490cebc": {
    "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
@@ -741,6 +741,12 @@
    "type": "eql",
    "version": 111
  },
+  "1502a836-84b2-11ef-b026-f661ea17fbcc": {
+    "rule_name": "Successful Application SSO from Rare Unknown Client Device",
+    "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e",
+    "type": "new_terms",
+    "version": 1
+  },
  "151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
    "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
    "sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740",
@@ -822,9 +828,9 @@
  "17261da3-a6d0-463c-aac8-ea1718afcd20": {
    "min_stack_version": "8.13",
    "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
-    "sha256": "277c989e76a6733738b5108d8b11929cb28245277d6e555651e95d9817f2af48",
+    "sha256": "5abf4615f62030d3a184e6fe17870ade81d48468036f5321f9f7944060e87488",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
    "rule_name": "Unusual Windows Username",
@@ -928,9 +934,9 @@
  },
  "19be0164-63d2-11ef-8e38-f661ea17fbce": {
    "rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
-    "sha256": "b7e040398f159a8b9f88323be508991b8be74dda6edbece9952794f7f0fb8b9f",
+    "sha256": "80afc7e88ead296e54b8f63975fb596c9442153984a4652479ae2d868e1e14e7",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "19de8096-e2b0-4bd8-80c9-34a820813fff": {
    "rule_name": "Rare AWS Error Code",
@@ -1143,9 +1149,9 @@
  "1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
    "min_stack_version": "8.13",
    "rule_name": "AWS Signin Single Factor Console Login with Federated User",
-    "sha256": "4dd437ce95683a2dd7fa1574b99cc12ada099be14d397cb4f3ffb0b8402f0577",
+    "sha256": "5615d41bfc71884b3d207932c4421f434757b249aa207250e50b97b10d25315f",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "1f460f12-a3cf-4105-9ebb-f788cc63f365": {
    "rule_name": "Unusual Process Execution on WBEM Path",
@@ -1304,9 +1310,9 @@
  "23f18264-2d6d-11ef-9413-f661ea17fbce": {
    "min_stack_version": "8.13",
    "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
-    "sha256": "cd51f975ba0e08a764b771c3485b3cc15cd8d2fcdfa8d905fccc99b4527690da",
+    "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "24401eca-ad0b-4ff9-9431-487a8e183af9": {
    "rule_name": "New GitHub Owner Added",
@@ -1398,15 +1404,15 @@
      "8.10": {
        "max_allowable_version": 308,
        "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
-        "sha256": "9b41ccb00b782e98cb82660d5d90f3b1e1ee827ddd9194e82daa88bbf8f8f665",
+        "sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4",
        "type": "esql",
-        "version": 209
+        "version": 210
      }
    },
    "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
-    "sha256": "b6dc758cc09d7e1a4109953f931108161705e9b57b50880bd8b5da3607455b2f",
+    "sha256": "defedded1b250e59f79608e335fc198ae97d2dcae4a0ac4386e61630388a1c70",
    "type": "esql",
-    "version": 310
+    "version": 311
  },
  "27071ea3-e806-4697-8abc-e22c92aa4293": {
    "min_stack_version": "8.12",
@@ -1463,9 +1469,9 @@
  "28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
    "min_stack_version": "8.13",
    "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
-    "sha256": "65f2ba3cdd922a26ebd11dc207df001dc6debc22457618e24e8b3862b80dd36e",
+    "sha256": "f869eb5fd1ce73193d75b85ad5bee9347325c5b60329c8274b00d1807a867977",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
    "rule_name": "Account Discovery Command via SYSTEM Account",
@@ -1730,9 +1736,9 @@
      }
    },
    "rule_name": "Okta User Sessions Started from Different Geolocations",
-    "sha256": "172a634e3276f1e5ef0c46619a92359182cc7a564ac5e4fba01744185d0a3b40",
+    "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac",
    "type": "esql",
-    "version": 102
+    "version": 103
  },
  "2e580225-2a58-48ef-938b-572933be06fe": {
    "rule_name": "Halfbaked Command and Control Beacon",
@@ -1975,9 +1981,9 @@
  "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
    "min_stack_version": "8.13",
    "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts",
-    "sha256": "7504470cf86420072a56c00cda97da0377e8ba87418e14b7494b444fab2e9733",
+    "sha256": "b8a5a3e5d42986cc6784293804bea5aa15d3f3062fce2ed4740680f384718d88",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "35df0dd8-092d-4a83-88c1-5151a804f31b": {
    "rule_name": "Unusual Parent-Child Relationship",
@@ -2111,9 +2117,9 @@
  },
  "393ef120-63d1-11ef-8e38-f661ea17fbce": {
    "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
-    "sha256": "f7daf87e7268472c5c492622bbe41282533050fc573af0661576de0d55e7facb",
+    "sha256": "b524ff31b8e1861ed00678a96b6e3ac6e6ae60868b6a7c3f8e7127a5c07756b3",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "397945f3-d39a-4e6f-8bcb-9656c2031438": {
    "rule_name": "Persistence via Microsoft Outlook VBA",
@@ -2383,9 +2389,9 @@
  "4182e486-fc61-11ee-a05d-f661ea17fbce": {
    "min_stack_version": "8.13",
    "rule_name": "AWS EC2 EBS Snapshot Shared with Another Account",
-    "sha256": "6d2c20fb9ecb3cba051aa0a8f5a8841d3473c6e5d87d50187fe26d3715b32e66",
+    "sha256": "7f8925fab74497cb1c5a5be27e5fdd45c850feed6f57c4fd2e0f5997d9648c6f",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
    "rule_name": "Potential Hidden Local User Account Creation",
@@ -2732,9 +2738,9 @@
  "4f855297-c8e0-4097-9d97-d653f7e471c4": {
    "min_stack_version": "8.13",
    "rule_name": "Unusual High Confidence Misconduct Blocks Detected",
-    "sha256": "809afd6116ccf0d6766b68605bfab88cb8d1b2c472a38b8dff1b7cf128110b94",
+    "sha256": "ec8018367ddae889657cf1cb6c99b9c0fb427d64de771d720364e8e10a5ddf6c",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "4fe9d835-40e1-452d-8230-17c147cafad8": {
    "rule_name": "Execution via TSClient Mountpoint",
@@ -3296,9 +3302,9 @@
  "5f0234fd-7f21-42af-8391-511d5fd11d5c": {
    "min_stack_version": "8.13",
    "rule_name": "AWS S3 Bucket Enumeration or Brute Force",
-    "sha256": "071ea0ec03009a13928231287c341607f6c9f838c32f33dbc078bccdd880b482",
+    "sha256": "a366e2eee10ae91beb23435fce8669f66873ea66f853247db77a3306a663658e",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "5f2f463e-6997-478c-8405-fb41cc283281": {
    "rule_name": "Potential File Download via a Headless Browser",
@@ -3657,9 +3663,9 @@
  "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
    "min_stack_version": "8.13",
    "rule_name": "AWS IAM User Created Access Keys For Another User",
-    "sha256": "f37f973f474742e8a38e13c139ca15569ef5585dd173927ac51ce82ef9c18c16",
+    "sha256": "510bb33cd6e4ff669488ead2bbf9cd16c6edfe7b3dc3e34f21ac9bdbd363c379",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "699e9fdb-b77c-4c01-995c-1c15019b9c43": {
    "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
@@ -3933,9 +3939,9 @@
  "725a048a-88c5-4fc7-8677-a44fc0031822": {
    "min_stack_version": "8.13",
    "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
-    "sha256": "9833e1154749ec30abad0a12bd9f185fd40fadb91d561bcd7441cb088b7c9f98",
+    "sha256": "0d8c4f63b2c1118c7f733ba63e750d4be576cc723a90b009d54d738150a26f7b",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "729aa18d-06a6-41c7-b175-b65b739b1181": {
    "rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
@@ -4355,9 +4361,9 @@
  "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
    "min_stack_version": "8.13",
    "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
-    "sha256": "e67b6224776547e16d7ad98038f463469fe254811509c279e254f182d16da5c2",
+    "sha256": "3e4f1413412bd00822190208d7e8be98fe32aa44ccde5044c2aa42fb5a0be8ff",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "80084fa9-8677-4453-8680-b891d3c0c778": {
    "rule_name": "Enumeration of Kernel Modules via Proc",
@@ -5012,9 +5018,9 @@
  "94e734c0-2cda-11ef-84e1-f661ea17fbce": {
    "min_stack_version": "8.13",
    "rule_name": "Multiple Okta User Authentication Events with Client Address",
-    "sha256": "51bedd9974378d0cf2ac060ec589b9d6c5c34c9532ce5ef37f4a16cd0e1561d2",
+    "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "9510add4-3392-11ed-bd01-f661ea17fbce": {
    "rule_name": "Google Workspace Custom Gmail Route Created or Modified",
@@ -5043,9 +5049,9 @@
  "95b99adc-2cda-11ef-84e1-f661ea17fbce": {
    "min_stack_version": "8.13",
    "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
-    "sha256": "e2c27c3f6d1a4fbe980d5489ddcf7534108876d1454a281129555139fbb308fc",
+    "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "9661ed8b-001c-40dc-a777-0983b7b0c91a": {
    "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
@@ -5271,9 +5277,9 @@
  "9aa4be8d-5828-417d-9f54-7cd304571b24": {
    "min_stack_version": "8.13",
    "rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
-    "sha256": "6fefd72c277cd75eb7a8ef7ad56be46dff3cc3dc600c49b50c2c8e7f5249af7f",
+    "sha256": "60d3dc739bbd0ee15729bae5c658e4b16b0df0df19766cf61c89cd067a1e3526",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
    "rule_name": "GitHub Owner Role Granted To User",
@@ -5701,9 +5707,9 @@
  "ab8f074c-5565-4bc4-991c-d49770e19fc9": {
    "min_stack_version": "8.13",
    "rule_name": "AWS S3 Object Encryption Using External KMS Key",
-    "sha256": "9cb68a665ab8fb65cda28c7f6d955319eae1629b493c01c6bc144c5ceb04ffd1",
+    "sha256": "3aff4d1d49850118022efab0afa8765485da6c1fdc1d96b20d05fca3803b18f0",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "abae61a8-c560-4dbd-acca-1e1438bff36b": {
    "rule_name": "Unusual Windows Process Calling the Metadata Service",
@@ -5917,9 +5923,9 @@
  "b1773d05-f349-45fb-9850-287b8f92f02d": {
    "min_stack_version": "8.13",
    "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
-    "sha256": "6a40ebf3c73e6c53af80cb80bd9a27f9b1048603919e041e0c114c02154787a6",
+    "sha256": "2cb4a1af62c34bdc871fd3012417ff9685bdb6c1e8f410c1ed773f8c3845929b",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
    "rule_name": "Potential Persistence via Cron Job",
@@ -6584,9 +6590,9 @@
  "c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
    "min_stack_version": "8.13",
    "rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
-    "sha256": "ea87a73121dd2f2b972bc579e698ba337b748af8736a94fb31bfc63ea89816c4",
+    "sha256": "6ab179e3a47d3f25210c43b3d5af0d43eb7a3cac375c01c3181c75c095864ccb",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "c749e367-a069-4a73-b1f2-43a3798153ad": {
    "rule_name": "Attempt to Delete an Okta Network Zone",
@@ -6756,9 +6762,9 @@
      }
    },
    "rule_name": "Multiple Device Token Hashes for Single Okta Session",
-    "sha256": "ce1b6ad3aa66993d7eb446cb0b45e2b75f20d505adc12a2bcf198b3a413ee774",
+    "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f",
    "type": "esql",
-    "version": 103
+    "version": 104
  },
  "cc653d77-ddd2-45b1-9197-c75ad19df66c": {
    "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
@@ -7306,9 +7312,9 @@
  "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
    "min_stack_version": "8.13",
    "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
-    "sha256": "8979a73ae9ab4764b2093fc3309d75e33d1a0cbb4d0324ecb205316fbcd81be4",
+    "sha256": "400a598f9f5f9aa9ee82ed31b38bfeea4491ad833f44cc808bb637777e55b74e",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
    "rule_name": "Unusual Child Process from a System Virtual Process",
@@ -7361,9 +7367,9 @@
  "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
    "min_stack_version": "8.13",
    "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
-    "sha256": "5b5ba08eead004cb3d4496535950dc93033040262d718f2307f0585fd0a266dc",
+    "sha256": "87f99fdccd4153758ed878449ec6d1fd72e56f20cd92bda5b802fe99fd9856e1",
    "type": "esql",
-    "version": 2
+    "version": 3
  },
  "df959768-b0c9-4d45-988c-5606a2be8e5a": {
    "rule_name": "Unusual Process Execution - Temp",
@@ -8123,9 +8129,9 @@
  "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
    "min_stack_version": "8.13",
    "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
-    "sha256": "ed5ccf8325568487fa6a05a27f41c8db181f2d419f3dd29514ecc2c7950669c3",
+    "sha256": "f613ba59ddc970edf688e657b1f179a4a61355efddd7fc08207b9cdffd329aad",
    "type": "esql",
-    "version": 1
+    "version": 2
  },
  "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
    "min_stack_version": "8.10",