diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 5073416e8..2f495446d 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -462,9 +462,9 @@
 "0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
 "min_stack_version": "8.13",
 "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
- "sha256": "6e3b46e8ec99a5315db0290b20975c2f96035274d47497b5275ca90eb2284494",
+ "sha256": "9d97ad923ffa94a4d3255c94fdc54a132bb5032c08ba7d8ac2dc07f13d80a998",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "0ce6487d-8069-4888-9ddd-61b52490cebc": {
 "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
@@ -741,6 +741,12 @@
 "type": "eql",
 "version": 111
 },
+ "1502a836-84b2-11ef-b026-f661ea17fbcc": {
+ "rule_name": "Successful Application SSO from Rare Unknown Client Device",
+ "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e",
+ "type": "new_terms",
+ "version": 1
+ },
 "151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
 "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
 "sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740",
@@ -822,9 +828,9 @@
 "17261da3-a6d0-463c-aac8-ea1718afcd20": {
 "min_stack_version": "8.13",
 "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
- "sha256": "277c989e76a6733738b5108d8b11929cb28245277d6e555651e95d9817f2af48",
+ "sha256": "5abf4615f62030d3a184e6fe17870ade81d48468036f5321f9f7944060e87488",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "rule_name": "Unusual Windows Username",
@@ -928,9 +934,9 @@
 },
 "19be0164-63d2-11ef-8e38-f661ea17fbce": {
 "rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
- "sha256": "b7e040398f159a8b9f88323be508991b8be74dda6edbece9952794f7f0fb8b9f",
+ "sha256": "80afc7e88ead296e54b8f63975fb596c9442153984a4652479ae2d868e1e14e7",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "19de8096-e2b0-4bd8-80c9-34a820813fff": {
 "rule_name": "Rare AWS Error Code",
@@ -1143,9 +1149,9 @@
 "1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
 "min_stack_version": "8.13",
 "rule_name": "AWS Signin Single Factor Console Login with Federated User",
- "sha256": "4dd437ce95683a2dd7fa1574b99cc12ada099be14d397cb4f3ffb0b8402f0577",
+ "sha256": "5615d41bfc71884b3d207932c4421f434757b249aa207250e50b97b10d25315f",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "1f460f12-a3cf-4105-9ebb-f788cc63f365": {
 "rule_name": "Unusual Process Execution on WBEM Path",
@@ -1304,9 +1310,9 @@
 "23f18264-2d6d-11ef-9413-f661ea17fbce": {
 "min_stack_version": "8.13",
 "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
- "sha256": "cd51f975ba0e08a764b771c3485b3cc15cd8d2fcdfa8d905fccc99b4527690da",
+ "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "24401eca-ad0b-4ff9-9431-487a8e183af9": {
 "rule_name": "New GitHub Owner Added",
@@ -1398,15 +1404,15 @@
 "8.10": {
 "max_allowable_version": 308,
 "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
- "sha256": "9b41ccb00b782e98cb82660d5d90f3b1e1ee827ddd9194e82daa88bbf8f8f665",
+ "sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4",
 "type": "esql",
- "version": 209
+ "version": 210
 }
 },
 "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
- "sha256": "b6dc758cc09d7e1a4109953f931108161705e9b57b50880bd8b5da3607455b2f",
+ "sha256": "defedded1b250e59f79608e335fc198ae97d2dcae4a0ac4386e61630388a1c70",
 "type": "esql",
- "version": 310
+ "version": 311
 },
 "27071ea3-e806-4697-8abc-e22c92aa4293": {
 "min_stack_version": "8.12",
@@ -1463,9 +1469,9 @@
 "28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
 "min_stack_version": "8.13",
 "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
- "sha256": "65f2ba3cdd922a26ebd11dc207df001dc6debc22457618e24e8b3862b80dd36e",
+ "sha256": "f869eb5fd1ce73193d75b85ad5bee9347325c5b60329c8274b00d1807a867977",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "rule_name": "Account Discovery Command via SYSTEM Account",
@@ -1730,9 +1736,9 @@
 }
 },
 "rule_name": "Okta User Sessions Started from Different Geolocations",
- "sha256": "172a634e3276f1e5ef0c46619a92359182cc7a564ac5e4fba01744185d0a3b40",
+ "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac",
 "type": "esql",
- "version": 102
+ "version": 103
 },
 "2e580225-2a58-48ef-938b-572933be06fe": {
 "rule_name": "Halfbaked Command and Control Beacon",
@@ -1975,9 +1981,9 @@
 "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
 "min_stack_version": "8.13",
 "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts",
- "sha256": "7504470cf86420072a56c00cda97da0377e8ba87418e14b7494b444fab2e9733",
+ "sha256": "b8a5a3e5d42986cc6784293804bea5aa15d3f3062fce2ed4740680f384718d88",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "rule_name": "Unusual Parent-Child Relationship",
@@ -2111,9 +2117,9 @@
 },
 "393ef120-63d1-11ef-8e38-f661ea17fbce": {
 "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
- "sha256": "f7daf87e7268472c5c492622bbe41282533050fc573af0661576de0d55e7facb",
+ "sha256": "b524ff31b8e1861ed00678a96b6e3ac6e6ae60868b6a7c3f8e7127a5c07756b3",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "rule_name": "Persistence via Microsoft Outlook VBA",
@@ -2383,9 +2389,9 @@
 "4182e486-fc61-11ee-a05d-f661ea17fbce": {
 "min_stack_version": "8.13",
 "rule_name": "AWS EC2 EBS Snapshot Shared with Another Account",
- "sha256": "6d2c20fb9ecb3cba051aa0a8f5a8841d3473c6e5d87d50187fe26d3715b32e66",
+ "sha256": "7f8925fab74497cb1c5a5be27e5fdd45c850feed6f57c4fd2e0f5997d9648c6f",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
 "rule_name": "Potential Hidden Local User Account Creation",
@@ -2732,9 +2738,9 @@
 "4f855297-c8e0-4097-9d97-d653f7e471c4": {
 "min_stack_version": "8.13",
 "rule_name": "Unusual High Confidence Misconduct Blocks Detected",
- "sha256": "809afd6116ccf0d6766b68605bfab88cb8d1b2c472a38b8dff1b7cf128110b94",
+ "sha256": "ec8018367ddae889657cf1cb6c99b9c0fb427d64de771d720364e8e10a5ddf6c",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "4fe9d835-40e1-452d-8230-17c147cafad8": {
 "rule_name": "Execution via TSClient Mountpoint",
@@ -3296,9 +3302,9 @@
 "5f0234fd-7f21-42af-8391-511d5fd11d5c": {
 "min_stack_version": "8.13",
 "rule_name": "AWS S3 Bucket Enumeration or Brute Force",
- "sha256": "071ea0ec03009a13928231287c341607f6c9f838c32f33dbc078bccdd880b482",
+ "sha256": "a366e2eee10ae91beb23435fce8669f66873ea66f853247db77a3306a663658e",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "5f2f463e-6997-478c-8405-fb41cc283281": {
 "rule_name": "Potential File Download via a Headless Browser",
@@ -3657,9 +3663,9 @@
 "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
 "min_stack_version": "8.13",
 "rule_name": "AWS IAM User Created Access Keys For Another User",
- "sha256": "f37f973f474742e8a38e13c139ca15569ef5585dd173927ac51ce82ef9c18c16",
+ "sha256": "510bb33cd6e4ff669488ead2bbf9cd16c6edfe7b3dc3e34f21ac9bdbd363c379",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "699e9fdb-b77c-4c01-995c-1c15019b9c43": {
 "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
@@ -3933,9 +3939,9 @@
 "725a048a-88c5-4fc7-8677-a44fc0031822": {
 "min_stack_version": "8.13",
 "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
- "sha256": "9833e1154749ec30abad0a12bd9f185fd40fadb91d561bcd7441cb088b7c9f98",
+ "sha256": "0d8c4f63b2c1118c7f733ba63e750d4be576cc723a90b009d54d738150a26f7b",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "729aa18d-06a6-41c7-b175-b65b739b1181": {
 "rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
@@ -4355,9 +4361,9 @@
 "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
 "min_stack_version": "8.13",
 "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
- "sha256": "e67b6224776547e16d7ad98038f463469fe254811509c279e254f182d16da5c2",
+ "sha256": "3e4f1413412bd00822190208d7e8be98fe32aa44ccde5044c2aa42fb5a0be8ff",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "80084fa9-8677-4453-8680-b891d3c0c778": {
 "rule_name": "Enumeration of Kernel Modules via Proc",
@@ -5012,9 +5018,9 @@
 "94e734c0-2cda-11ef-84e1-f661ea17fbce": {
 "min_stack_version": "8.13",
 "rule_name": "Multiple Okta User Authentication Events with Client Address",
- "sha256": "51bedd9974378d0cf2ac060ec589b9d6c5c34c9532ce5ef37f4a16cd0e1561d2",
+ "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "9510add4-3392-11ed-bd01-f661ea17fbce": {
 "rule_name": "Google Workspace Custom Gmail Route Created or Modified",
@@ -5043,9 +5049,9 @@
 "95b99adc-2cda-11ef-84e1-f661ea17fbce": {
 "min_stack_version": "8.13",
 "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
- "sha256": "e2c27c3f6d1a4fbe980d5489ddcf7534108876d1454a281129555139fbb308fc",
+ "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "9661ed8b-001c-40dc-a777-0983b7b0c91a": {
 "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
@@ -5271,9 +5277,9 @@
 "9aa4be8d-5828-417d-9f54-7cd304571b24": {
 "min_stack_version": "8.13",
 "rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
- "sha256": "6fefd72c277cd75eb7a8ef7ad56be46dff3cc3dc600c49b50c2c8e7f5249af7f",
+ "sha256": "60d3dc739bbd0ee15729bae5c658e4b16b0df0df19766cf61c89cd067a1e3526",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
 "rule_name": "GitHub Owner Role Granted To User",
@@ -5701,9 +5707,9 @@
 "ab8f074c-5565-4bc4-991c-d49770e19fc9": {
 "min_stack_version": "8.13",
 "rule_name": "AWS S3 Object Encryption Using External KMS Key",
- "sha256": "9cb68a665ab8fb65cda28c7f6d955319eae1629b493c01c6bc144c5ceb04ffd1",
+ "sha256": "3aff4d1d49850118022efab0afa8765485da6c1fdc1d96b20d05fca3803b18f0",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "abae61a8-c560-4dbd-acca-1e1438bff36b": {
 "rule_name": "Unusual Windows Process Calling the Metadata Service",
@@ -5917,9 +5923,9 @@
 "b1773d05-f349-45fb-9850-287b8f92f02d": {
 "min_stack_version": "8.13",
 "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
- "sha256": "6a40ebf3c73e6c53af80cb80bd9a27f9b1048603919e041e0c114c02154787a6",
+ "sha256": "2cb4a1af62c34bdc871fd3012417ff9685bdb6c1e8f410c1ed773f8c3845929b",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
 "rule_name": "Potential Persistence via Cron Job",
@@ -6584,9 +6590,9 @@
 "c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
 "min_stack_version": "8.13",
 "rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
- "sha256": "ea87a73121dd2f2b972bc579e698ba337b748af8736a94fb31bfc63ea89816c4",
+ "sha256": "6ab179e3a47d3f25210c43b3d5af0d43eb7a3cac375c01c3181c75c095864ccb",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "c749e367-a069-4a73-b1f2-43a3798153ad": {
 "rule_name": "Attempt to Delete an Okta Network Zone",
@@ -6756,9 +6762,9 @@
 }
 },
 "rule_name": "Multiple Device Token Hashes for Single Okta Session",
- "sha256": "ce1b6ad3aa66993d7eb446cb0b45e2b75f20d505adc12a2bcf198b3a413ee774",
+ "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f",
 "type": "esql",
- "version": 103
+ "version": 104
 },
 "cc653d77-ddd2-45b1-9197-c75ad19df66c": {
 "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
@@ -7306,9 +7312,9 @@
 "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
 "min_stack_version": "8.13",
 "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
- "sha256": "8979a73ae9ab4764b2093fc3309d75e33d1a0cbb4d0324ecb205316fbcd81be4",
+ "sha256": "400a598f9f5f9aa9ee82ed31b38bfeea4491ad833f44cc808bb637777e55b74e",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
 "rule_name": "Unusual Child Process from a System Virtual Process",
@@ -7361,9 +7367,9 @@
 "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
 "min_stack_version": "8.13",
 "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
- "sha256": "5b5ba08eead004cb3d4496535950dc93033040262d718f2307f0585fd0a266dc",
+ "sha256": "87f99fdccd4153758ed878449ec6d1fd72e56f20cd92bda5b802fe99fd9856e1",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "df959768-b0c9-4d45-988c-5606a2be8e5a": {
 "rule_name": "Unusual Process Execution - Temp",
@@ -8123,9 +8129,9 @@
 "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
 "min_stack_version": "8.13",
 "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
- "sha256": "ed5ccf8325568487fa6a05a27f41c8db181f2d419f3dd29514ecc2c7950669c3",
+ "sha256": "f613ba59ddc970edf688e657b1f179a4a61355efddd7fc08207b9cdffd329aad",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
 "min_stack_version": "8.10",