From b14dec9efa96470c1798b166c10591b9172570c6 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 23 Mar 2026 23:45:25 +0530
Subject: [PATCH] Lock versions for releases: 8.19,9.1,9.2,9.3 (#5875)
---
detection_rules/etc/version.lock.json | 368 ++++++++++++++++++--------
docs-dev/ATT&CK-coverage.md | 5 +
pyproject.toml | 2 +-
3 files changed, 270 insertions(+), 105 deletions(-)
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index e33563486..bee15a00b 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -65,6 +65,12 @@
 "type": "new_terms",
 "version": 207
 },
+ "02137bc2-5cc2-4f7f-a8e4-c52dc239aa69": {
+ "rule_name": "AppArmor Policy Violation Detected",
+ "sha256": "88dba2a32e25df07ff1ec197f82476ff39ecf0522f67fee729ea5d919aaf7d62",
+ "type": "eql",
+ "version": 1
+ },
 "02275e05-57a1-46ab-a443-7fb444da6b28": {
 "min_stack_version": "9.3",
 "rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities",
@@ -72,6 +78,12 @@
 "type": "eql",
 "version": 2
 },
+ "022c37cd-5a4f-422b-8227-b136b7a23180": {
+ "rule_name": "Azure Arc Cluster Credential Access by Identity from Unusual Source",
+ "sha256": "3193240005005ffe39a4b8d546c9f2ea645ddcb1f574d8bd1aea201712b6baa0",
+ "type": "new_terms",
+ "version": 1
+ },
 "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
 "rule_name": "Potential Cookies Theft via Browser Debugging",
 "sha256": "effdc73f270011dd596efce8ebf1cec1af482896d9c27adf8015357428042c50",
@@ -150,6 +162,12 @@
 "type": "eql",
 "version": 5
 },
+ "03b150d9-9280-4eb8-9906-38cfb6184666": {
+ "rule_name": "First Time Python Accessed Sensitive Credential Files",
+ "sha256": "838f2075137a748159619966cd450776c11dffafbdcc30122666d3dc310e90b0",
+ "type": "new_terms",
+ "version": 1
+ },
 "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
 "rule_name": "Potential Network Scan Executed From Host",
 "sha256": "5be26fe7fb4dde7b807a564ff9eeac7a6b17504c9dceefcc79585a26e487de8e",
@@ -337,9 +355,9 @@
 },
 "07b1ef73-1fde-4a49-a34a-5dd40011b076": {
 "rule_name": "Local Account TokenFilter Policy Disabled",
- "sha256": "0ac96c06799e64900c4d1cc6dc9d7375c5be2979e8aa15d398cefbd5a2eb8f08",
+ "sha256": "f1f4e6d8b819fb5e66fde3baab76b5530022b5b45365fa55e5218a19f2fb1902",
 "type": "eql",
- "version": 317
+ "version": 318
 },
 "07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
 "rule_name": "Google Drive Ownership Transferred via Google Workspace",
@@ -517,9 +535,9 @@
 },
 "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
 "rule_name": "Attempt to Establish VScode Remote Tunnel",
- "sha256": "7901e313780731e3cf06385e5d06a1b6d5d5eba1fc338c461e7d9d12752feb8b",
+ "sha256": "ce86f3f1fdb44fad33878a2c180f3a96be54462661ae37cf787ba39b29c9ec78",
 "type": "eql",
- "version": 109
+ "version": 110
 },
 "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": {
 "rule_name": "Elastic Defend and Network Security Alerts Correlation",
@@ -676,10 +694,20 @@
 "version": 214
 },
 "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 105,
+ "rule_name": "Sensitive Audit Policy Sub-Category Disabled",
+ "sha256": "07263690e8379296f216fcdd9c9c9f5b6b9d4785df9804d973ab13ac573a61c7",
+ "type": "query",
+ "version": 6
+ }
+ },
 "rule_name": "Sensitive Audit Policy Sub-Category Disabled",
- "sha256": "07263690e8379296f216fcdd9c9c9f5b6b9d4785df9804d973ab13ac573a61c7",
- "type": "query",
- "version": 6
+ "sha256": "fbff6a0aa16505d2d8cb07a9632dbef91e5d416239e7681efd02a5a1ccfc5830",
+ "type": "esql",
+ "version": 106
 },
 "0f4d35e4-925e-4959-ab24-911be207ee6f": {
 "rule_name": "rc.local/rc.common File Creation",
@@ -1074,9 +1102,9 @@
 },
 "16a52c14-7883-47af-8745-9357803f0d4c": {
 "rule_name": "Component Object Model Hijacking",
- "sha256": "7b149759b2a015ff5ec61154f83d2922c16675621a397d1c81e7bbf9e3d1f920",
+ "sha256": "437f8b15f0baa696bdadcf1b5d6da3bb8548f56cdf75c8baeb6b1e3562e6e7a2",
 "type": "eql",
- "version": 118
+ "version": 119
 },
 "16acac42-b2f9-4802-9290-d6c30914db6e": {
 "rule_name": "AWS S3 Static Site JavaScript File Uploaded",
@@ -1334,6 +1362,12 @@
 "type": "eql",
 "version": 212
 },
+ "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d": {
+ "rule_name": "Remote Management Access Launch After MSI Install",
+ "sha256": "04339c5baefede30ec62d7622df43d61a7eef47d7e5140c4166a4ef84c05df63",
+ "type": "eql",
+ "version": 1
+ },
 "1b65429e-bd92-44c0-aff8-e8065869d860": {
 "rule_name": "BPF Program Tampering via bpftool",
 "sha256": "e84a699789d0edc48edfecd3b086d0e0b60583a630ef2d5a9fdb8e419271263a",
@@ -1408,9 +1442,9 @@
 },
 "1d276579-3380-4095-ad38-e596a01bc64f": {
 "rule_name": "Remote File Download via Script Interpreter",
- "sha256": "e208abb63a46c842bbc761775a0e3ad1957b29ace3b55ba082ad3794d5179585",
+ "sha256": "44d7a6f871c3cef4250b42b0edb9f34272d3a8d90ab59b37b4e58ff12a88c7c1",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "1d306bf0-7bcf-4acd-83fd-042f5711acc9": {
 "rule_name": "Initial Access via File Upload Followed by GET Request",
@@ -1654,6 +1688,12 @@
 "type": "eql",
 "version": 111
 },
+ "220d92c6-479d-4a49-9cc0-3a29756dad0c": {
+ "rule_name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
+ "sha256": "36e7433b9ac363f3b9eb6a9f77719796db3fdf22e0cef25d0318ab203e4c92ee",
+ "type": "esql",
+ "version": 1
+ },
 "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
 "rule_name": "SSH Authorized Keys File Activity",
 "sha256": "09ce90780ee8c5b0abb47761859ddd4909e777651474a0de5937379b4fe1de9d",
@@ -1761,6 +1801,12 @@
 "type": "eql",
 "version": 312
 },
+ "25368123-b7b8-4344-9fd4-df28051b4c6e": {
+ "rule_name": "First Time Python Created a LaunchAgent or LaunchDaemon",
+ "sha256": "c9411c14d3c259f994d78ca45f0e9303aeb82698376b4c9179418ad2875882bb",
+ "type": "new_terms",
+ "version": 1
+ },
 "2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
 "rule_name": "Potential PowerShell HackTool Script by Author",
 "sha256": "c0142afe736323db7e77ec68ca8df2377a389d488407ec0a48f004f811012543",
@@ -2048,9 +2094,9 @@
 },
 "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": {
 "rule_name": "Microsoft Graph Request User Impersonation by Unusual Client",
- "sha256": "6d83756004331146d90fc18929e7311c8383777914489f04695c9870c2a86719",
+ "sha256": "6bc991d4d49a1e97b058050ecf22b39b7f14ca2485a5cb04706ce0e339c32a82",
 "type": "new_terms",
- "version": 5
+ "version": 6
 },
 "2a692072-d78d-42f3-a48a-775677d79c4e": {
 "rule_name": "Potential Code Execution via Postgresql",
@@ -2173,9 +2219,9 @@
 },
 "2dd480be-1263-4d9c-8672-172928f6789a": {
 "rule_name": "Suspicious Process Access via Direct System Call",
- "sha256": "725b9cc7320e57d8119fcc676c6b55409e1a37ea68929837b4e16654b6105966",
+ "sha256": "fcd23614b99095e148def771cb5dfbe0da249760f4f43c054a3abb6ea13c18ac",
 "type": "eql",
- "version": 314
+ "version": 315
 },
 "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
 "rule_name": "Potential THC Tool Downloaded",
@@ -2445,9 +2491,9 @@
 },
 "33f306e8-417c-411b-965c-c2812d6d3f4d": {
 "rule_name": "Remote File Download via PowerShell",
- "sha256": "7b066e109e29dc047b8d5180ee81d6cc258861389ecfcefea7dbe5d1a8f9a4be",
+ "sha256": "3503b23c3c18c821b2fe161a47d818e80df0be7b955e0702f34dae35cebbd1ab",
 "type": "eql",
- "version": 114
+ "version": 115
 },
 "33ff31e9-3872-4944-8394-81dae76c12d9": {
 "min_stack_version": "9.3",
@@ -2957,6 +3003,12 @@
 "type": "eql",
 "version": 115
 },
+ "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e": {
+ "rule_name": "Potential Data Exfiltration via Rclone",
+ "sha256": "2e3ecddf559e0628c0c0383712aba5abcadf55bcb864c269701b5f12f98a8f06",
+ "type": "eql",
+ "version": 1
+ },
 "3f4d7734-2151-4481-b394-09d7c6c91f75": {
 "rule_name": "Process Discovery via Built-In Applications",
 "sha256": "69d7a45361fa360c7008395ce81012bd3497330d2b62c25ebfd1913cbd58a87b",
@@ -3176,6 +3228,12 @@
 "type": "eql",
 "version": 7
 },
+ "44cb1d8a-1922-4fc0-a00f-36c1caf57393": {
+ "rule_name": "Potential snap-confine Privilege Escalation via CVE-2026-3888",
+ "sha256": "0ecac433216f510856ef55e68d0524fd3a0347b0708ed684ffb499bed9bf2a13",
+ "type": "eql",
+ "version": 1
+ },
 "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
 "rule_name": "Multiple Vault Web Credentials Read",
 "sha256": "4674d5f4a49d989f5bd2e7c5a3c68c4cb0b3c01bd3785dbaf23d881418bbd326",
@@ -3202,16 +3260,16 @@
 },
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "rule_name": "Windows Event Logs Cleared",
- "sha256": "bee917766b11138e5e5ef204095d1635504bfc3802adeba79a2740870b10cde5",
+ "sha256": "5dbb2ba25bb9773b3f4cbfe7113bdfbea3297b4abe47e86d665329d81f9ce439",
 "type": "query",
- "version": 215
+ "version": 216
 },
 "45d099b4-a12e-4913-951c-0129f73efb41": {
 "min_stack_version": "9.2",
 "rule_name": "Web Server Potential Remote File Inclusion Activity",
- "sha256": "ff25fabd9223a7102f408eb2923f5a338aa9ebb6eb2990bab28b37fa546e040f",
+ "sha256": "836bf7b7a903a992358ac80bed2c8ff3f07f397efb36ab12d93757da9280dd72",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "rule_name": "Encrypting Files with WinRar or 7z",
@@ -3313,6 +3371,12 @@
 "type": "eql",
 "version": 112
 },
+ "47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5": {
+ "rule_name": "Potential Database Dumping Activity",
+ "sha256": "2e2294edc305537dd5c97fbbf11464f167eee021a72fd084ab5cdddee62b2244",
+ "type": "eql",
+ "version": 1
+ },
 "483832a8-ffdd-4e11-8e96-e0224f7bda9b": {
 "min_stack_version": "9.2",
 "rule_name": "New USB Storage Device Mounted",
@@ -3340,9 +3404,9 @@
 },
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "rule_name": "Multiple Logon Failure from the same Source Address",
- "sha256": "203a6f49d298d9d11ea3837d9fa044d9b18cad4ed9a7c88776386eeadec80b5e",
+ "sha256": "80aaccc263883da16479de247fa05463955050b307d6afcf01a64ce744b68f7c",
 "type": "esql",
- "version": 117
+ "version": 118
 },
 "48d7f54d-c29e-4430-93a9-9db6b5892270": {
 "rule_name": "Unexpected Child Process of macOS Screensaver Engine",
@@ -4013,9 +4077,9 @@
 },
 "58bc134c-e8d2-4291-a552-b4b3e537c60b": {
 "rule_name": "Potential Lateral Tool Transfer via SMB Share",
- "sha256": "32fd6f9021368cd31c5f61a2ea6c916fa1c6c5afb895e7b5f85cdb74cf3b3150",
+ "sha256": "47b60f124f8acd655a58e96f9d25ddaacdfec0e89d70fc600d8bba38e78f8950",
 "type": "eql",
- "version": 111
+ "version": 112
 },
 "58c6d58b-a0d3-412d-b3b8-0981a9400607": {
 "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
@@ -4025,15 +4089,15 @@
 },
 "590fc62d-7386-4c75-92b0-af4517018da1": {
 "rule_name": "Unusual Process Modifying GenAI Configuration File",
- "sha256": "abc0bfe398cb501c7db9e673a9edc3b0d8d39180620a75eee3aa77a0bd3f435d",
+ "sha256": "abc0e27008b4d86a36e73961924ea3f39bc1c7fae09ed2b3e3e17d2a812608cb",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "5919988c-29e1-4908-83aa-1f087a838f63": {
 "rule_name": "File or Directory Deletion Command",
- "sha256": "580ad4755828bed2eed4fc05fda6a383cb56bcfad28fbc5784fe8aa3b56558e2",
+ "sha256": "613a83f0df9c2f3768df88ec52bff6d22e0eba6ca14447a6c66b0f7bdcf5efbc",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "5930658c-2107-4afc-91af-e0e55b7f7184": {
 "rule_name": "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish",
@@ -4085,9 +4149,9 @@
 },
 "5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
 "rule_name": "ROT Encoded Python Script Execution",
- "sha256": "2b7ba34e350a043c0b1190aa7a10e4c9ccc9d59bdc70a8557087fa86129f17ad",
+ "sha256": "406f524f675016ccdb5300c19a77dbbf5709c9f48608737209128a31fac9c822",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "5ae02ebc-a5de-4eac-afe6-c88de696477d": {
 "rule_name": "Potential Chroot Container Escape via Mount",
@@ -4456,6 +4520,12 @@
 "type": "new_terms",
 "version": 4
 },
+ "632906c6-ba8f-44c0-8386-ec0bbc8518bf": {
+ "rule_name": "M365 SharePoint Site Sharing Policy Weakened",
+ "sha256": "0d544b7572d561d522b7a1f66e3d6249547e10deb500eae0e09a7284cbd87030",
+ "type": "query",
+ "version": 1
+ },
 "63431796-f813-43af-820b-492ee2efec8e": {
 "rule_name": "Network Connection Initiated by Suspicious SSHD Child Process",
 "sha256": "45658ca009518a884a05c4cc9d68fdc61b4964fc64f0c576c2daf30b3bcb9df1",
@@ -4621,9 +4691,9 @@
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "588b5c22c6131c00caf3b5db67ff082452f1ec848509748112d858afc25ea11e",
+ "sha256": "666ef6e51176ca7e40331d89b28255db0e3dd888348652674f8f7354ef86fb34",
 "type": "eql",
- "version": 126
+ "version": 127
 },
 "66c058f3-99f4-4d18-952b-43348f2577a0": {
 "rule_name": "Linux Process Hooking via GDB",
@@ -4913,9 +4983,9 @@
 },
 "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
 "rule_name": "First Time Seen Remote Monitoring and Management Tool",
- "sha256": "04511da508ec7e9026719f649c7b3ebaf91040260ce93d63d701522a0b2cf21c",
+ "sha256": "0cebb0d5468a00c201258ecea11ecb78a034ade64ba90268854176e43d1b4832",
 "type": "new_terms",
- "version": 115
+ "version": 116
 },
 "6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
 "rule_name": "Loadable Kernel Module Configuration File Creation",
@@ -5027,9 +5097,9 @@
 },
 "6fa3abe3-9cd8-41de-951b-51ed8f710523": {
 "rule_name": "Web Server Potential Spike in Error Response Codes",
- "sha256": "3802d6b986d632b4d8b454c524e9c70e97a2025548c150279629e3a953827f8b",
+ "sha256": "84da8f73568810bc4a06e418203b08260dc85c43867f04478490a2f4a1c53d4b",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "6fb2280a-d91a-4e64-a97e-1332284d9391": {
 "rule_name": "Spike in Special Privilege Use Events",
@@ -5111,9 +5181,9 @@
 },
 "71bccb61-e19b-452f-b104-79a60e546a95": {
 "rule_name": "Unusual File Creation - Alternate Data Stream",
- "sha256": "0c1f9e44362ea54dcd41479d182bcdafa0fa8dd930c120382a3d8b1bd16569bb",
+ "sha256": "9c1640b304d2ecfd067fc5ff92db9997add131c76536014281faa3cc13b006d6",
 "type": "eql",
- "version": 321
+ "version": 322
 },
 "71c5cb27-eca5-4151-bb47-64bc3f883270": {
 "rule_name": "Suspicious RDP ActiveX Client Loaded",
@@ -5199,6 +5269,12 @@
 "type": "eql",
 "version": 6
 },
+ "73344d2d-9cfb-4daf-b3c5-1d40a8182b86": {
+ "rule_name": "AWS API Activity from Uncommon S3 Client by Rare User",
+ "sha256": "74803ed8898a6b97a3a3216b37765bc5bc8b9fca5526bce51cad41266e545733",
+ "type": "new_terms",
+ "version": 1
+ },
 "734239fe-eda8-48c0-bca8-9e3dafd81a88": {
 "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent",
 "sha256": "eef7fa38c10ee1aaee36c1f6492fc37db1b42e462bf3138c334bc5874eb3096a",
@@ -5471,9 +5547,9 @@
 }
 },
 "rule_name": "Execution of a Downloaded Windows Script",
- "sha256": "2e5fd5f8a4d3f408aa6fdaa1bd1f128bf6f322f9d431cf50b35d478658849263",
+ "sha256": "34ff2faea0f0010dbb984347aa520ba5d3cb219dcb2d9090d8a798f211e7a2af",
 "type": "eql",
- "version": 204
+ "version": 205
 },
 "7957f3b9-f590-4062-b9f9-003c32bfc7d6": {
 "rule_name": "SSL Certificate Deletion",
@@ -5657,9 +5733,9 @@
 },
 "7f3521dd-fb80-4548-a7eb-8db37b898dc2": {
 "rule_name": "Potential Notepad Markdown RCE Exploitation",
- "sha256": "d90a83b12ebbd6d7bb22e6b454d528a3c5cbcc61462859e9300a5d2c6b79885a",
+ "sha256": "88714010e65bea6f44a54b09c5312c0844757ded9c621de9a615efcbfc8f73d7",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
 "rule_name": "Suspicious WMIC XSL Script Execution",
@@ -5681,9 +5757,9 @@
 },
 "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": {
 "rule_name": "Web Server Potential SQL Injection Request",
- "sha256": "204cd779dc6031bd76983b73b78317c57c9d6f994ce37c34e79baba33312ffdb",
+ "sha256": "e8f73888757eab5978f3e31aef96d979b411a46e20872f2538df52b0572a1cc3",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
 "rule_name": "Discovery of Internet Capabilities via Built-in Tools",
@@ -5806,6 +5882,12 @@
 "type": "eql",
 "version": 212
 },
+ "8293bf1f-8dd0-434e-b52a-1aa6ec101777": {
+ "rule_name": "Suspicious Write Attempt to AppArmor Policy Management Files",
+ "sha256": "805555cf50ddc4f2911f97266442eb357b42c55674a349ea4f73f305fce05479",
+ "type": "eql",
+ "version": 1
+ },
 "82f842c2-7c36-438c-b562-5afe54ab11f4": {
 "rule_name": "Suspicious Path Invocation from Command Line",
 "sha256": "ad582fa6b85b731dfd67150d645a69c5478eea3109f26f40072c23b827f5968d",
@@ -5826,9 +5908,9 @@
 },
 "8383a8d0-008b-47a5-94e5-496629dc3590": {
 "rule_name": "Web Server Discovery or Fuzzing Activity",
- "sha256": "ab53ad1723cbcba05a3f4eea26e389306f8c217740c4fa194e7a3f5e112d3523",
+ "sha256": "8787d0cb27f370bbd955f6698debb537d8d9fd461b6ad06b70e5069711975bdd",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "83a1931d-8136-46fc-b7b9-2db4f639e014": {
 "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted",
@@ -6255,9 +6337,9 @@
 },
 "8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6": {
 "rule_name": "Potential Data Exfiltration Through Wget",
- "sha256": "987273079c537a88603158c56ea56f99d79cdda34a3853ead1f4445489e35a1d",
+ "sha256": "8daccf899c1de00970772d1b6a6a89519475d13897cc49c15a3a4a4d4d619d79",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "8d9c4128-372a-11f0-9d8f-f661ea17fbcd": {
 "rule_name": "Entra ID Elevated Access to User Access Administrator",
@@ -6351,9 +6433,9 @@
 },
 "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": {
 "rule_name": "GenAI Process Connection to Unusual Domain",
- "sha256": "361d05f54a045b82ea3d1faae7e344acc037ffc8f81b3624498d129ea00f8d82",
+ "sha256": "ab16862be294a8cafb0878421a7b9aafabca479c054566f98ab72db037fcd213",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "9055ece6-2689-4224-a0e0-b04881e1f8ad": {
 "rule_name": "AWS RDS DB Instance or Cluster Deleted",
@@ -6394,9 +6476,9 @@
 "90e4ceab-79a5-4f8e-879b-513cac7fcad9": {
 "min_stack_version": "9.2",
 "rule_name": "Web Server Local File Inclusion Activity",
- "sha256": "2cab88240e2e98e8fb79a3259fbd0f4623526ba79e62f420bbdb30c1d30c12ef",
+ "sha256": "33952d37f02671cfd9f0b61713e18036220cf9bd1a581fa74190fd1a7aceaa27",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "90e5976d-ed8c-489a-a293-bfc57ff8ba89": {
 "rule_name": "Linux System Information Discovery via Getconf",
@@ -6458,6 +6540,12 @@
 "type": "query",
 "version": 3
 },
+ "92a36c98-b24a-4bf7-aac7-1eac71fa39cf": {
+ "rule_name": "First Time Python Spawned a Shell on Host",
+ "sha256": "e51b54650c42f9d44ee2560310bdc08ecb5641e1de49371a6ad5fe39db0610d5",
+ "type": "new_terms",
+ "version": 1
+ },
 "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
 "rule_name": "A scheduled task was created",
 "sha256": "2ce457df9a671f64542590d29ec2bc1596c383270ec690af4ba166721023ef40",
@@ -6696,9 +6784,9 @@
 },
 "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": {
 "rule_name": "Potential HTTP Downgrade Attack",
- "sha256": "4a73054f38e7c1a0a6cd09109a0af2f1b3799c2690618d534bcd1135ee0f6064",
+ "sha256": "332b2fd1b93728b75ec6644427e2c70a980d7b9e53a67f205181e14114d99b4f",
 "type": "new_terms",
- "version": 1
+ "version": 2
 },
 "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
 "rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications",
@@ -6788,6 +6876,12 @@
 "type": "eql",
 "version": 103
 },
+ "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780": {
+ "rule_name": "M365 SharePoint Site Administrator Added",
+ "sha256": "52534900cb089a485a4c94a1f500a1360cfdc36c116a0c025538279cd853204d",
+ "type": "query",
+ "version": 1
+ },
 "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
 "rule_name": "Deprecated - AWS EC2 Snapshot Activity",
 "sha256": "f018635a33a67f68ce5ed0b514c90f9a136b4bb3e7d4b2991c4d51c8bc7cb121",
@@ -6900,6 +6994,12 @@
 "type": "eql",
 "version": 9
 },
+ "9aeca498-1e3d-4496-9e12-6ef40047eb23": {
+ "rule_name": "Suspicious Shell Execution via Velociraptor",
+ "sha256": "138f1d64018a840b6ce3d00fc5ba4b817f9e711ef2388631f0f2846b54debe9e",
+ "type": "eql",
+ "version": 1
+ },
 "9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
 "rule_name": "GitHub Owner Role Granted To User",
 "sha256": "f2f81d6a850a0317bfda8ce3adb7dc062645f5850734d86e983f453a3f48bcd4",
@@ -7186,9 +7286,9 @@
 },
 "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": {
 "rule_name": "Potential Account Takeover - Logon from New Source IP",
- "sha256": "57e6c9d11619a17fa33f9b5d554849c500b51728ab5a7bfa82b61c0ca7a399e1",
+ "sha256": "8ac9e5ba81be809685d81c56be8945e7562564d2acda52497a6a52f9d76eba2f",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": {
 "rule_name": "Entra ID Protection Admin Confirmed Compromise",
@@ -7204,9 +7304,9 @@
 },
 "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": {
 "rule_name": "Web Server Suspicious User Agent Requests",
- "sha256": "cf0f38746759586b626e1934014abd885226f3d9a623a74cc9c9436ac79187aa",
+ "sha256": "94a64c4edcc2f609a23704924285d43d501c019eb270aa8ab580371e35072ef5",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
 "rule_name": "Linux Group Creation",
@@ -7412,9 +7512,9 @@
 },
 "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": {
 "rule_name": "Execution via OpenClaw Agent",
- "sha256": "5149dcf2447de7b653bdc1e10d8c6e1513f9da7bb4c24468950ea305870a553b",
+ "sha256": "5f23f3e55cc3e972b4ab8b3d979202308afb708a2f40538f2566149e13026d87",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
 "rule_name": "Suspicious Print Spooler SPL File Created",
@@ -7436,9 +7536,9 @@
 },
 "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": {
 "rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User",
- "sha256": "5cb15224ba5e3b436c88a0c808d62f5975a8a962c7c0d804baf2e704d054b03d",
+ "sha256": "fa03b03f4ae7bbd7463ecc32a9d20f903f89538bd10fe1250ee3e6d6eda108a6",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "a80d96cd-1164-41b3-9852-ef58724be496": {
 "rule_name": "Privileged Docker Container Creation",
@@ -7611,9 +7711,9 @@
 },
 "ab75c24b-2502-43a0-bf7c-e60e662c811e": {
 "rule_name": "Remote Execution via File Shares",
- "sha256": "ba6a7e7182b3e4e89dd7160487180370114627b90990a51a90214b42f7d0f8c8",
+ "sha256": "2b2ec6b74139595571db7fb15900c6301b821915bf8934804499f2a156001755",
 "type": "eql",
- "version": 120
+ "version": 121
 },
 "ab7795cc-0e0b-4f9d-a934-1f17a58f869a": {
 "rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)",
@@ -7821,9 +7921,9 @@
 },
 "af22d970-7106-45b4-b5e3-460d15333727": {
 "rule_name": "Entra ID OAuth Device Code Grant by Unusual User",
- "sha256": "ea072acf4eedee7c25a3325d2b82cab4234a1f2f0462c93e803c8ed564858856",
+ "sha256": "8d9b8457210e9a424a62e6747d90cb0a5f9f302e639ecc373cce226284489ca0",
 "type": "new_terms",
- "version": 7
+ "version": 8
 },
 "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": {
 "rule_name": "Okta Alerts Following Unusual Proxy Authentication",
@@ -7945,9 +8045,9 @@
 },
 "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
 "rule_name": "Remote File Copy via TeamViewer",
- "sha256": "52aa8a7867e9c06d8ac41bc7e4a521146e2bbbe4c7596ce8c45461962588f3ba",
+ "sha256": "b9290b1a6d982395b7ea3dab20adc846398f3fbf1226c1238bcc889627029f9a",
 "type": "eql",
- "version": 216
+ "version": 217
 },
 "b2951150-658f-4a60-832f-a00d1e6c6745": {
 "rule_name": "Deprecated - M365 Security Compliance Unusual Volume of File Deletion",
@@ -7975,9 +8075,9 @@
 },
 "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": {
 "rule_name": "Potential Account Takeover - Mixed Logon Types",
- "sha256": "6fe0f08ade5d4fc0987a2467cbde981ee38c90a5d96697e3e6851627833b4c8d",
+ "sha256": "09c99a80ca039fd0666a6d10512f3feb61fe4b3aeab6c4f625ac892d13462fdb",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "b2c3d4e5-f6a7-8901-bcde-f123456789ab": {
 "rule_name": "GenAI Process Compiling or Generating Executables",
@@ -8086,11 +8186,17 @@
 "type": "new_terms",
 "version": 7
 },
+ "b625c9ad-16e5-4f16-8d38-3e9631952554": {
+ "rule_name": "AWS CloudShell Environment Created",
+ "sha256": "c4fccaa7aab536283674e16a7b11aa361376826cbb7bd03f2eb2bdb49c64a25a",
+ "type": "query",
+ "version": 1
+ },
 "b627cd12-dac4-11ec-9582-f661ea17fbcd": {
 "rule_name": "Elastic Agent Service Terminated",
- "sha256": "fcce1d412bc6e04155cb2f2e0d2b67e8e87ab12f59f1583f946967f9cb1a2242",
+ "sha256": "f58ebba1d4063ee0e5e0fad5b21e9dd7db61d517b25b32a324094ba175a2b5e2",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "b64b183e-1a76-422d-9179-7b389513e74d": {
 "rule_name": "Windows Script Interpreter Executing Process via WMI",
@@ -8444,9 +8550,9 @@
 },
 "be70614d-4295-473c-a953-582aef41c865": {
 "rule_name": "Potential Data Exfiltration Through Curl",
- "sha256": "53cc5a9d04e15ec57a48fb6af8a1ff2b709bf16321d5922c8056bf7b8864c3ab",
+ "sha256": "b473299604ae3ab3ae196b7fd790ffe7ac3e4fc11881a5cccd79510e5582e25c",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
 "rule_name": "Searching for Saved Credentials via VaultCmd",
@@ -8480,9 +8586,9 @@
 },
 "c0136397-f82a-45e5-9b9f-a3651d77e21a": {
 "rule_name": "GenAI Process Accessing Sensitive Files",
- "sha256": "4fc4636a05f3599f85b982d5f7d263da10e5cfb2f0ba232aad9df852859b5e1c",
+ "sha256": "bd69d866074bf4d6cd69d9bd018b8dbfc035fccbb9aea55c4d0fd9a2bbf0a2d1",
 "type": "eql",
- "version": 3
+ "version": 4
 },
 "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
 "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
@@ -8665,6 +8771,12 @@
 "type": "eql",
 "version": 107
 },
+ "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c": {
+ "rule_name": "Multiple Remote Management Tool Vendors on Same Host",
+ "sha256": "add88597d7ea3d73b19793a00e9750921e39c153eaefdf2a8a06b9bd6c4e6499",
+ "type": "esql",
+ "version": 1
+ },
 "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
 "sha256": "fdd1ad3da3e246ada1aaa83d67e8f2b8a887e5f1473d9de6e4a45910ca70e4ad",
@@ -8936,9 +9048,9 @@
 },
 "c9847fe9-3bed-4e6b-b319-f9956d6dd02a": {
 "rule_name": "Potential Remote Install via MsiExec",
- "sha256": "3ea4b2750fc23762da8a0f57f1cbbb92a984c24550de5eacd33590b75b809f69",
+ "sha256": "c059148c2721ed1f7b2d8824e5dd41b2d93e06364fe138d59d4295a56ce0484d",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
 "rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
@@ -9295,6 +9407,12 @@
 "type": "eql",
 "version": 110
 },
+ "d26331be-affe-46b2-bf4e-203d0e2d364c": {
+ "rule_name": "AppArmor Profile Compilation via apparmor_parser",
+ "sha256": "46f9b9dcc7c864ded6022aca5cdf7d66a3c6b1c46ede076a0e7cbbfcd22e3366",
+ "type": "eql",
+ "version": 1
+ },
 "d2703b82-f92c-4489-a4a7-62aa29a62542": {
 "rule_name": "Unusual Region Name for Windows Privileged Operations Detected",
 "sha256": "4a27a3971ab4ac2abd8929f07178a8052f887401d8443d1e1f49f090638b2f20",
@@ -9307,6 +9425,12 @@
 "type": "eql",
 "version": 315
 },
+ "d32f0c27-8edb-4bcf-975e-01696c961e08": {
+ "rule_name": "AppArmor Policy Interface Access",
+ "sha256": "540ec9c59c4ac14e4d8d22452a9727e0b44f48c1495a3a435a5f31c1d189dd96",
+ "type": "eql",
+ "version": 1
+ },
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "rule_name": "Clearing Windows Event Logs",
 "sha256": "6b9f951c8a016b83f49461ef758a4357b60f7b5a193b7244d68edf903d216ae8",
@@ -9394,9 +9518,9 @@
 },
 "d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c": {
 "rule_name": "Kernel Module Load from Unusual Location",
- "sha256": "185037951f98309195facc3ecee3aeb8fac6f83994d9d0fb18bf5d13651f3961",
+ "sha256": "56e955ca39d25c4cfa531933b411d67ed74652d81495207e8d2ef7c743af219d",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "d55436a8-719c-445f-92c4-c113ff2f9ba5": {
 "rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected",
@@ -9458,6 +9582,12 @@
 "type": "query",
 "version": 100
 },
+ "d6702168-2be6-4d7d-a549-9bff67733df3": {
+ "rule_name": "IBM QRadar External Alerts",
+ "sha256": "d87d352178c0de5f4c543c32276715abb35d6357dc42f75d84ac84b2401aa365",
+ "type": "query",
+ "version": 1
+ },
 "d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
 "rule_name": "System Information Discovery via Windows Command Shell",
 "sha256": "a12f6445936ab83bfae7520bc8f1d544d357ae58d9fca890908ee6320fefb81b",
@@ -9470,6 +9600,12 @@
 "type": "query",
 "version": 211
 },
+ "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f": {
+ "rule_name": "Potential Protocol Tunneling via Cloudflared",
+ "sha256": "91bcd19a0c6ac9d676ba46dab1a6f60a67056006f701cdedc9b6984a39e4eeeb",
+ "type": "eql",
+ "version": 1
+ },
 "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
 "rule_name": "Modification of WDigest Security Provider",
 "sha256": "b78d84ead9c2e2f8c0b080d7539804c006d2e82dda1e1d1bb489a991d1db248a",
@@ -9669,6 +9805,12 @@
 "type": "new_terms",
 "version": 110
 },
+ "dacfbecd-7927-46a7-a8ba-feb65a2e990d": {
+ "rule_name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access",
+ "sha256": "3290943a7f9eac7a81b22c85d4475823a85bc512db43b7fb89cfad523ea17c84",
+ "type": "eql",
+ "version": 1
+ },
 "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22": {
 "rule_name": "Github Activity on a Private Repository from an Unusual IP",
 "sha256": "7e678bb2e91b5748488cd6fc3db4e567d29471f1977f03b00c7fcc37bbacbacf",
@@ -9699,6 +9841,12 @@
 "type": "query",
 "version": 105
 },
+ "db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f": {
+ "rule_name": "Azure Service Principal Authentication from Multiple Countries",
+ "sha256": "a3374ebe2417fa418ec0532baa788b5b2ded9d847dead371b7a0699ab62ed7be",
+ "type": "esql",
+ "version": 1
+ },
 "dc0b7782-0df0-47ff-8337-db0d678bdb66": {
 "rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
 "sha256": "e9b9e809e2cf545314cb6ddadbc533e5c7aba5f5ece5aa2d433d7050c32fc96f",
@@ -9862,9 +10010,9 @@
 },
 "df6f62d9-caab-4b88-affa-044f4395a1e0": {
 "rule_name": "Dynamic Linker Copy",
- "sha256": "ac9cc08ad57d99552a1e64869b824606cb84aac4a9422b28d7e0709556bbe73d",
+ "sha256": "003233b091321e0a4fe6df57cdaa994539bb71b6dd12601da5a6fd5f01de11d2",
 "type": "eql",
- "version": 214
+ "version": 215
 },
 "df7fda76-c92b-4943-bc68-04460a5ea5ba": {
 "rule_name": "Kubernetes Pod Created With HostPID",
@@ -9886,9 +10034,9 @@
 },
 "df9c0e92-5dee-4f1d-a760-3a5c039e4382": {
 "rule_name": "Detection Alert on a Process Exhibiting CPU Spike",
- "sha256": "83a996f5513897b32f3f2090c57c0cb08be06399fea34777c922db1e09a1d437",
+ "sha256": "1c1c33cb7492423d273e6363aba2b89549219fb617f2f7249b70a650f68c8226",
 "type": "esql",
- "version": 3
+ "version": 4
 },
 "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
 "rule_name": "Potential privilege escalation via CVE-2022-38028",
@@ -10160,9 +10308,9 @@
 },
 "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": {
 "rule_name": "First Time Seen DNS Query to RMM Domain",
- "sha256": "7b3881595d49f8c46922a27a82169b94ccb18bc2d422e115d3aa868f60e25f6f",
- "type": "new_terms",
- "version": 2
+ "sha256": "852b7662551d2f31372bcde3d5232a889196a760de7cb2516e7ce37075e95609",
+ "type": "esql",
+ "version": 3
 },
 "e6c1a552-7776-44ad-ae0f-8746cc07773c": {
 "rule_name": "Bash Shell Profile Modification",
@@ -10248,6 +10396,12 @@
 "type": "eql",
 "version": 1
 },
+ "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a": {
+ "rule_name": "Potential Protocol Tunneling via Yuze",
+ "sha256": "da8044c4f43ed4839eb4e34c47fa76d078c1149e5f37d29600c0df04067e11b0",
+ "type": "eql",
+ "version": 1
+ },
 "e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
 "rule_name": "Network Connection by Cups or Foomatic-rip Child",
 "sha256": "0d70a846b5231fa5055bd8dab47d27adc7650f6ea92664b759685a8cff6e619c",
@@ -10274,9 +10428,9 @@
 },
 "e882e934-2aaa-11f0-8272-f661ea17fbcc": {
 "rule_name": "Microsoft Graph Request Email Access by Unusual User and Client",
- "sha256": "87bb95ec51998b4cc3776ac6ea954345392ef4dceeed8419e8d14876e93246dc",
+ "sha256": "2c86e3a65889b2dcc098107030beb9848fa1a54fc6f7874911e7148f919a36d2",
 "type": "new_terms",
- "version": 3
+ "version": 4
 },
 "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
 "rule_name": "Host File System Changes via Windows Subsystem for Linux",
@@ -10495,9 +10649,9 @@
 },
 "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
 "rule_name": "M365 Exchange Inbox Forwarding Rule Created",
- "sha256": "9e91ca025b63d79752f894d8552c8a137c8709df963dd3702ff1285b14c5168a",
- "type": "query",
- "version": 212
+ "sha256": "b993745b45fbc5109fc2f625b7cc15b902271dfaf502d2d85d2fa5208f31de8b",
+ "type": "eql",
+ "version": 213
 },
 "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
 "rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
@@ -10854,9 +11008,9 @@
 },
 "f3ac6734-7e52-4a0d-90b7-6847bf4308f2": {
 "rule_name": "Web Server Potential Command Injection Request",
- "sha256": "b7997278cd12830ba691f272f4ac953dbaf2fc6fc873c92ee9e7c1694d8ae2ab",
+ "sha256": "95e422ccd18e1dad7d4806054cb0a70a9b5645c4ff9713a90146dab8aa2806c9",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
 "rule_name": "Threat Intel URL Indicator Match",
@@ -11104,9 +11258,9 @@
 },
 "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
 "rule_name": "Persistent Scripts in the Startup Directory",
- "sha256": "c4ba59b94734be47cc6d314a83bc972398a47bbee058573371f2237cfc4076a6",
+ "sha256": "35d3ea41fa9ffee27aaa289788a090d3a14737ce66c8825d1c8f7b4120bbd05a",
 "type": "eql",
- "version": 315
+ "version": 316
 },
 "f7c64a1b-9d00-4b92-9042-d3bb4196899a": {
 "min_stack_version": "9.3",
@@ -11195,9 +11349,9 @@
 },
 "f95972d3-c23b-463b-89a8-796b3f369b49": {
 "rule_name": "Ingress Transfer via Windows BITS",
- "sha256": "7ef402a44d7dbf5d88feec38221121de12a30dcf8ec090899d53b9cdf34a2242",
+ "sha256": "366cb6c3328cef16cb3c1cea540e261884f849c12470d35ec36d48668d76c807",
 "type": "eql",
- "version": 11
+ "version": 12
 },
 "f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a": {
 "rule_name": "Okta Admin Console Login Failure",
@@ -11218,10 +11372,10 @@
 "version": 9
 },
 "f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
- "rule_name": "Privileged Account Brute Force",
- "sha256": "78aeaab7e3bf4d6d513db619e43eb7454c6f800492e403b6873fe8c17bf7d95b",
+ "rule_name": "Privileged Accounts Brute Force",
+ "sha256": "8fa3055e557162d0cd158764a538f0dc70116cc3ce0500980b9140e49da04ce3",
 "type": "esql",
- "version": 117
+ "version": 118
 },
 "f994964f-6fce-4d75-8e79-e16ccc412588": {
 "rule_name": "Suspicious Activity Reported by Okta User",
@@ -11351,9 +11505,9 @@
 },
 "fc552f49-8f1c-409b-90f8-6f5b9869b6c4": {
 "rule_name": "Elastic Defend Alert Followed by Telemetry Loss",
- "sha256": "1ce71d93152a8ed2bd61129845956d2556e7c325395c705b5fb6a49ec397ecf7",
+ "sha256": "932ab00c7e5ac71de6d9da2454af4619e78995498c9e33eee3ca284013f4ff26",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
@@ -11511,6 +11665,12 @@
 "type": "eql",
 "version": 19
 },
+ "ff18d24b-2ba6-4691-a17f-75c4380d0965": {
+ "rule_name": "Suspicious JavaScript Execution via Deno",
+ "sha256": "d5dbd70a27f0f56416d46fbf0ab1cd9ae7b67b0a76c5343bde0ec3596b3d5e3c",
+ "type": "eql",
+ "version": 1
+ },
 "ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
 "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
 "sha256": "c725902f0e85dff5bad6928200527e7b0f5da156f4dbe5de51b229844a6a11e9",
diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md
index 1f5c3ff21..f29e6e812 100644
--- a/docs-dev/ATT&CK-coverage.md
+++ b/docs-dev/ATT&CK-coverage.md
@@ -56,6 +56,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-indexes-logs-sonicwall_firewall](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-sonicwall_firewall.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-indexes-logs-suricata](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-suricata.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-indexes-logs-system](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-system.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-indexes-logs-traefik](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-traefik.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-indexes-logs-windows](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-windows.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-indexes-ml_beaconing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-ml_beaconing.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-indexes-packetbeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-packetbeat-WILDCARD.json&leave_site_dialog=false&tabs=false)| 
@@ -74,6 +75,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-auditd-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-auditd-manager.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-automated-response-tracking](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-automated-response-tracking.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-cloudfront](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudfront.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-aws-cloudshell](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudshell.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-cloudtrail](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudtrail.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws-config](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-config.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-aws-dynamodb](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-dynamodb.json&leave_site_dialog=false&tabs=false)| 
@@ -100,6 +102,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-aws-waf](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-waf.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-aws](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-azure-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-activity-logs.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-azure-arc](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-arc.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-azure-key-vault](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-key-vault.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-azure-platform-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-platform-logs.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-azure-storage](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-azure-storage.json&leave_site_dialog=false&tabs=false)| 
@@ -221,6 +224,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-t0085](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0085.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-t0086](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0086.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-threat-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-threat-detection.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-traefik](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-traefik.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-triplecross](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-triplecross.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-ueba](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ueba.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-vulnerability](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-vulnerability.json&leave_site_dialog=false&tabs=false)|
@@ -229,4 +233,5 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-windows-security-event-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-windows-security-event-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-windows-system-event-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-windows-system-event-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-windows](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-windows.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-winlogbeat](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-winlogbeat.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-zoom](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-zoom.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
index 02b3bbd62..6e0300954 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.6"
+version = "1.6.7"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"