Revert "Prep for next release 8.16 (#3914)"

This reverts commit 4245a815d2.
eric-forte-elastic
2024-07-23 14:06:04 -04:00
parent 4245a815d2
commit baee89de9b
145 changed files with 1630 additions and 4469 deletions
+1 -1
@@ -6,7 +6,7 @@ on:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '8.10,8.11,8.12,8.13,8.14,8.15'
default: '8.9,8.10,8.11,8.12,8.13,8.14'
jobs:
pr:
@@ -1,430 +0,0 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query",
"saved_query",
"machine_learning",
"eql",
"esql",
"threshold",
"threat_match",
"new_terms"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"author",
"description",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -1,508 +0,0 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"event_category_override": {
"min_compat": "8.0",
"type": "string"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"tiebreaker_field": {
"min_compat": "8.0",
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_field": {
"min_compat": "8.0",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"eql"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -1,496 +0,0 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"esql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"esql"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -1,440 +0,0 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"anomaly_threshold": {
"type": "integer"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": "string"
},
"machine_learning_job_id": {
"anyOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array"
}
]
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"machine_learning"
],
"type": "string"
}
},
"required": [
"anomaly_threshold",
"author",
"description",
"machine_learning_job_id",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -1,551 +0,0 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"new_terms": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"history_window_start": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"value": {
"description": "NewTermsFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
}
},
"required": [
"field",
"history_window_start",
"value"
],
"type": "object"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"new_terms"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"new_terms",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -1,500 +0,0 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -1,591 +0,0 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"concurrent_searches": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"items_per_search": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threat_filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"threat_index": {
"items": {
"type": "string"
},
"type": "array"
},
"threat_indicator_path": {
"type": "string"
},
"threat_language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"threat_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"entries": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"enum": [
"mapping"
],
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"type",
"value"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"entries"
],
"type": "object"
},
"type": "array"
},
"threat_query": {
"type": "string"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threat_match"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threat_index",
"threat_mapping",
"type"
],
"type": "object"
}
@@ -1,526 +0,0 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
}
},
"required": [
"duration"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threshold": {
"additionalProperties": false,
"properties": {
"cardinality": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"value": {
"description": "ThresholdValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"field": {
"description": "CardinalityFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"type": "array"
},
"value": {
"description": "ThresholdValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threshold"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threshold",
"type"
],
"type": "object"
}
@@ -52,15 +52,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
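Review bot: The `anyOf` under `filters.items.properties.query` on the new side never rejects a malformed wildcard filter, because its second branch admits any object whose property values are non-null (its `additionalProperties` type list covers every JSON type except `null`), and every object that satisfies the strict first branch also satisfies that second branch — so the `required: ["case_insensitive", "value"]` and `additionalProperties: false` constraints on `wildcard` are dead for validation purposes and a filter with a bad wildcard shape still passes. If the wildcard shape is meant to be enforced, the permissive branch has to exclude that key, e.g. add `"not": { "required": ["wildcard"] }` alongside its `additionalProperties`, so only non-wildcard queries take the fallback path; otherwise the first branch should be dropped rather than left looking like a check that is not performed. The `meta` object is closed with `additionalProperties: false` and a fixed key list, so any filter carrying a meta key outside that list fails validation — presumably intended, but worth confirming against the filters the shipped rules actually contain, since this commit is a revert rather than a fresh design. The same `filters` block recurs verbatim in each of the seven following hunks (the other per-rule-type schemas) and this note applies to all of them; the enclosing `properties` object of each schema continues outside the hunk.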
@@ -113,15 +113,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -109,15 +109,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -55,15 +55,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -109,15 +109,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -109,15 +109,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -114,15 +114,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -88,15 +88,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
+3 -3
@@ -4,7 +4,7 @@ package:
maturity:
- production
log_deprecated: true
name: '8.16'
name: '8.15'
registry_data:
categories:
- security
@@ -13,7 +13,7 @@ package:
subscription: basic
capabilities:
- security
kibana.version: ^8.16.0
kibana.version: ^8.15.0
description: Prebuilt detection rules for Elastic Security
format_version: 3.0.0
icons:
@@ -28,5 +28,5 @@ package:
license: Elastic-2.0
title: Prebuilt Security Detection Rules
type: integration
version: 8.16.0-beta.1
version: 8.15.0-beta.1
release: true
+5 -10
@@ -72,13 +72,13 @@
# ecs: "8.8.0"
# endgame: "8.4.0"
# "8.9.0":
# beats: "8.9.0"
# ecs: "8.9.0"
# endgame: "8.4.0"
## Supported
"8.9.0":
beats: "8.9.0"
ecs: "8.9.0"
endgame: "8.4.0"
"8.10.0":
beats: "8.10.3"
ecs: "8.10.0"
@@ -107,9 +107,4 @@
"8.15.0":
beats: "8.13.4"
ecs: "8.11.0"
endgame: "8.4.0"
"8.16.0":
beats: "8.14.3"
ecs: "8.11.0"
endgame: "8.4.0"
+489 -160
@@ -1,5 +1,15 @@
{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
"type": "query",
"version": 107
}
},
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2",
"type": "query",
@@ -14,23 +24,23 @@
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "System Shells via Services",
"sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71",
"type": "eql",
"version": 110
},
"8.11": {
"max_allowable_version": 311,
"rule_name": "System Shells via Services",
"sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "System Shells via Services",
"sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71",
"type": "eql",
"version": 110
}
},
"rule_name": "System Shells via Services",
"sha256": "d09f4a2125c3a79501aa49ac207d0826a48e71b41fcca9095d05be14c1ff1465",
"sha256": "d09f4a2125c3a79501aa49ac207d0826a48e71b41fcca9095d05be14c1ff1465",
"type": "eql",
"version": 313
},
@@ -241,19 +251,19 @@
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 107,
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46",
"type": "eql",
"version": 8
},
"8.11": {
"max_allowable_version": 209,
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d",
"type": "eql",
"version": 110
},
"8.9": {
"max_allowable_version": 107,
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46",
"type": "eql",
"version": 8
}
},
"rule_name": "Local Account TokenFilter Policy Disabled",
@@ -355,7 +365,7 @@
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
@@ -580,6 +590,7 @@
"version": 5
},
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS Lambda Function Created or Updated",
"sha256": "87966613bf1e01dcb3a76da7179be8b64db8e7af206075273d4919a384b5d773",
"type": "query",
@@ -624,19 +635,19 @@
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 207,
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471",
"type": "eql",
"version": 108
},
"8.11": {
"max_allowable_version": 309,
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29",
"type": "eql",
"version": 210
},
"8.9": {
"max_allowable_version": 207,
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471",
"type": "eql",
"version": 108
}
},
"rule_name": "Persistence via Scheduled Job Creation",
@@ -699,6 +710,7 @@
"version": 109
},
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740",
"type": "query",
@@ -838,6 +850,7 @@
"version": 100
},
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager",
"sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e",
"type": "threshold",
@@ -964,6 +977,7 @@
"version": 108
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "50473966980c6830aa4b12aa9acafafacf8d3e86b508832e498777b302fd9b54",
"type": "query",
@@ -976,6 +990,7 @@
"version": 110
},
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
"sha256": "f668e7947688e878a2b5f5aa8a3bc7f30cf777776b49855a8b5e2c7e3b8e2449",
"type": "query",
@@ -1020,7 +1035,7 @@
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
@@ -1120,7 +1135,7 @@
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"min_stack_version": "8.11",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Access of Stored Browser Credentials",
"sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563",
@@ -1261,12 +1276,14 @@
"version": 5
},
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
"sha256": "e07c5774ac9be077fa7a454528f609d611bd70ce18b1d4ae04954c19fd243eec",
"type": "query",
"version": 1
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "44887f3eb626b80c75a0110be4b26d1ce66bf37892a7bab818d90f36023aae1c",
"type": "query",
@@ -1311,7 +1328,7 @@
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
@@ -1431,19 +1448,19 @@
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 210,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc",
"type": "eql",
"version": 111
},
"8.11": {
"max_allowable_version": 312,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609",
"type": "eql",
"version": 213
},
"8.9": {
"max_allowable_version": 210,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc",
"type": "eql",
"version": 111
}
},
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
@@ -1454,7 +1471,7 @@
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 310,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
@@ -1468,6 +1485,7 @@
"version": 311
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ed5ee5cca37901181403052c73c15575a768c00863a860235c68fae83f550ce1",
"type": "query",
@@ -1506,19 +1524,19 @@
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 210,
"rule_name": "Adobe Hijack Persistence",
"sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636",
"type": "eql",
"version": 112
},
"8.11": {
"max_allowable_version": 312,
"rule_name": "Adobe Hijack Persistence",
"sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe",
"type": "eql",
"version": 213
},
"8.9": {
"max_allowable_version": 210,
"rule_name": "Adobe Hijack Persistence",
"sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636",
"type": "eql",
"version": 112
}
},
"rule_name": "Adobe Hijack Persistence",
@@ -1731,19 +1749,19 @@
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 210,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3",
"type": "eql",
"version": 111
},
"8.11": {
"max_allowable_version": 312,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172",
"type": "eql",
"version": 213
},
"8.9": {
"max_allowable_version": 210,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3",
"type": "eql",
"version": 111
}
},
"rule_name": "Suspicious MS Outlook Child Process",
@@ -1796,19 +1814,19 @@
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd",
"type": "eql",
"version": 110
},
"8.11": {
"max_allowable_version": 311,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd",
"type": "eql",
"version": 110
}
},
"rule_name": "Port Forwarding Rule Addition",
@@ -1891,7 +1909,7 @@
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.11",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598",
@@ -1905,6 +1923,16 @@
"version": 206
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2",
"type": "query",
"version": 107
}
},
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "6873fd08617e0efde5dccf424aacbfe7057877288810c2ed68293f795964241b",
"type": "query",
@@ -2009,19 +2037,19 @@
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f",
"type": "eql",
"version": 110
},
"8.11": {
"max_allowable_version": 311,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f",
"type": "eql",
"version": 110
}
},
"rule_name": "Unusual Parent Process for cmd.exe",
@@ -2050,7 +2078,7 @@
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
@@ -2215,6 +2243,7 @@
"version": 106
},
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
"min_stack_version": "8.10",
"rule_name": "Mount Launched Inside a Privileged Container",
"sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d",
"type": "eql",
@@ -2227,6 +2256,16 @@
"version": 2
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621",
"type": "threshold",
"version": 108
}
},
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "191661b0af8a8c61df4f38e1c05684730daaa2e7211d90119b291ab3658f5ad3",
"type": "threshold",
@@ -2539,6 +2578,16 @@
"version": 107
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
"type": "query",
"version": 106
}
},
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "6cf84f243e86183b9bc2efdc39aa92f7573c421593ce71f1ce90dd87daf5b2dd",
"type": "query",
@@ -2558,6 +2607,7 @@
"version": 109
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "9f8682da0707ca62f5537007eb440a25605c097964d7acb1ab228c8c773845ca",
"type": "threshold",
@@ -2578,19 +2628,19 @@
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 207,
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1",
"type": "eql",
"version": 108
},
"8.11": {
"max_allowable_version": 309,
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d",
"type": "eql",
"version": 210
},
"8.9": {
"max_allowable_version": 207,
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1",
"type": "eql",
"version": 108
}
},
"rule_name": "Registry Persistence via AppCert DLL",
@@ -2677,6 +2727,7 @@
"version": 106
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "cce1af93176b643f8c69e79b1ef19c94e25df9e6f6607ba60b50433fd8914264",
"type": "new_terms",
@@ -2722,7 +2773,7 @@
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 107,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
@@ -2766,6 +2817,7 @@
"version": 5
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "19f2524462a1935f7bd77fa31385a7dbf59740b36cd1da2d0ac2166624973870",
"type": "eql",
@@ -2780,7 +2832,7 @@
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"min_stack_version": "8.11",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Potential Admin Group Account Addition",
"sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4",
@@ -2808,7 +2860,7 @@
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 209,
"rule_name": "PowerShell PSReflect Script",
"sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
@@ -3138,7 +3190,7 @@
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 212,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
@@ -3164,6 +3216,7 @@
"version": 110
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "061bd86219770d199904efabae4bb62bbc5897cdef6b8d1e517cae8670d3398e",
"type": "threshold",
@@ -3292,7 +3345,7 @@
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"min_stack_version": "8.11",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489",
@@ -3312,6 +3365,16 @@
"version": 9
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "0f0e1ba88bbda85d60bb8fc96bda554db238881ea16937d0f0fa5414a15e6ede",
"type": "query",
@@ -3324,6 +3387,16 @@
"version": 206
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "e8e7b2e174c70d5a4a851a47b90138516f2a3c440e275c037a6f1334759c87de",
"type": "query",
@@ -3360,6 +3433,16 @@
"version": 207
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21",
"type": "query",
"version": 105
}
},
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "8d04de56ef8b8f97264ebf4f9614963e43b9106d543823fdccbce9b59a0011d8",
"type": "query",
@@ -3459,19 +3542,19 @@
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 210,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f",
"type": "eql",
"version": 111
},
"8.11": {
"max_allowable_version": 312,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a",
"type": "eql",
"version": 213
},
"8.9": {
"max_allowable_version": 210,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f",
"type": "eql",
"version": 111
}
},
"rule_name": "Exporting Exchange Mailbox via PowerShell",
@@ -3588,6 +3671,7 @@
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "4a61b8effbf32d622b658833f4b222d18ac656a1cddd5bf60629bebf6292ec7f",
"type": "new_terms",
@@ -3666,6 +3750,7 @@
"version": 3
},
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
"sha256": "fc40abf7c58386b21b4e7ba3f8d8b900510aeaa86c789defff2aec11c20e707c",
"type": "query",
@@ -3678,6 +3763,16 @@
"version": 206
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "a26dbdf7534708e6c75311dac75a165cbb21ce2fedc44bffa5ebd8437ffe6354",
"type": "query",
@@ -3716,7 +3811,7 @@
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"min_stack_version": "8.11",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Modification of Environment Variable via Launchctl",
"sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb",
@@ -3798,19 +3893,19 @@
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33",
"type": "eql",
"version": 110
},
"8.11": {
"max_allowable_version": 311,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "798b0bc1aa4d176b16df395288002a2230428379590ddac8a418f1d42b23d435",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33",
"type": "eql",
"version": 110
}
},
"rule_name": "Potential Remote Desktop Tunneling Detected",
@@ -3875,19 +3970,19 @@
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 100,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0",
"type": "eql",
"version": 1
},
"8.11": {
"max_allowable_version": 202,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "49a6b4db003e5979ea703d08bd0b70fac84ca643c074a444e673d90ab43d8b3c",
"type": "eql",
"version": 103
},
"8.9": {
"max_allowable_version": 100,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0",
"type": "eql",
"version": 1
}
},
"rule_name": "Suspicious ScreenConnect Client Child Process",
@@ -4010,6 +4105,7 @@
"version": 104
},
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS Lambda Layer Added to Existing Function",
"sha256": "26e76de9328e30fd2a1ccfedc25b238243c1c82d255dd6d1e3f7ccc9e67d7898",
"type": "query",
@@ -4036,7 +4132,7 @@
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 102,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49",
@@ -4093,6 +4189,7 @@
"version": 1
},
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "SSM Session Started to EC2 Instance",
"sha256": "1810d2feab3a3ab42bfb40d5b25dba1fdfff834237355e59824fb8d89879f0dc",
"type": "new_terms",
@@ -4137,7 +4234,7 @@
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 210,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
@@ -4159,7 +4256,7 @@
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.11",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a",
@@ -4275,6 +4372,7 @@
"version": 112
},
"873b5452-074e-11ef-852e-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
"sha256": "f5bb109e123b34f550ec9a57fc0152a04bc3bc4de3e5adc847b07ef34d39fc68",
"type": "query",
@@ -4359,6 +4457,7 @@
"version": 5
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "9b0a2839f4cf78cbec03a3af5cacad652fcad5f72e5e9f06e2c3324a6014727c",
"type": "eql",
@@ -4383,6 +4482,16 @@
"version": 108
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "42864ccbb8e48936452a309318951454ac5820199a0b5e62be20a53c6846eb2b",
"type": "query",
@@ -4583,7 +4692,7 @@
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 107,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
@@ -4609,6 +4718,7 @@
"version": 3
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"min_stack_version": "8.9",
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "eccf879f86a18747a6744cb2d0084cf9aef85286bfb2fb37f3302d9f20d3d86c",
"type": "query",
@@ -4635,19 +4745,19 @@
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 206,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851",
"type": "eql",
"version": 107
},
"8.11": {
"max_allowable_version": 308,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4",
"type": "eql",
"version": 209
},
"8.9": {
"max_allowable_version": 206,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851",
"type": "eql",
"version": 107
}
},
"rule_name": "Encoded Executable Stored in the Registry",
@@ -4736,6 +4846,16 @@
"version": 111
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353",
"type": "query",
"version": 105
}
},
"rule_name": "Attempt to Create Okta API Token",
"sha256": "00e7844e7b50556df54dd1a80585ef3b0d6e18949813883d66e9467cd40a90f9",
"type": "query",
@@ -4772,6 +4892,7 @@
"version": 104
},
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
"min_stack_version": "8.10",
"rule_name": "File System Debugger Launched Inside a Privileged Container",
"sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9",
"type": "eql",
@@ -4784,6 +4905,16 @@
"version": 206
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
"sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4",
"type": "eql",
"version": 107
}
},
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "b5fcc4e747c548c7f941007c4c619f12ac40c55649e2cb4c8fdf0cba578433ed",
"type": "eql",
@@ -4792,19 +4923,19 @@
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 209,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976",
"type": "eql",
"version": 110
},
"8.11": {
"max_allowable_version": 311,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "745bbfc9daf71b081b3cbc422438c9c11dd5c34eee59681b1a8ee21dea74b4a6",
"type": "eql",
"version": 212
},
"8.9": {
"max_allowable_version": 209,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious Zoom Child Process",
@@ -5061,6 +5192,7 @@
"version": 210
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"min_stack_version": "8.9",
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9",
"type": "new_terms",
@@ -5254,6 +5386,7 @@
"version": 102
},
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
"min_stack_version": "8.9",
"rule_name": "Authentication via Unusual PAM Grantor",
"sha256": "60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a",
"type": "new_terms",
@@ -5359,19 +5492,19 @@
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 211,
"rule_name": "Suspicious WerFault Child Process",
"sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf",
"type": "eql",
"version": 112
},
"8.11": {
"max_allowable_version": 313,
"rule_name": "Suspicious WerFault Child Process",
"sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10",
"type": "eql",
"version": 214
},
"8.9": {
"max_allowable_version": 211,
"rule_name": "Suspicious WerFault Child Process",
"sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf",
"type": "eql",
"version": 112
}
},
"rule_name": "Suspicious WerFault Child Process",
@@ -5621,6 +5754,16 @@
"version": 3
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "614c1c668c20b47ea3131ada30c8e3553492804e1a59c5580715f70c757d07b6",
"type": "query",
@@ -5645,6 +5788,7 @@
"version": 111
},
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
"min_stack_version": "8.9",
"rule_name": "Systemd Service Started by Unusual Parent Process",
"sha256": "a074138b6a33a4b9b1a130c6f7b65c67cdb9876c041ca0b69884d42473c8b69b",
"type": "new_terms",
@@ -5681,6 +5825,16 @@
"version": 103
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "6a65ec96ad5423adc711dfec4c404f2e552f894f68eaa80a1f242d64218bbdc6",
"type": "query",
@@ -5693,6 +5847,16 @@
"version": 3
},
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3",
"type": "query",
"version": 105
}
},
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "1177bae4785512b7c84e85287f4a1e6555c016a06a1a91407ee74cee2c622ae3",
"type": "query",
@@ -5713,19 +5877,19 @@
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 207,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93",
"type": "eql",
"version": 108
},
"8.11": {
"max_allowable_version": 309,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04",
"type": "eql",
"version": 210
},
"8.9": {
"max_allowable_version": 207,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93",
"type": "eql",
"version": 108
}
},
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
@@ -5742,19 +5906,19 @@
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 104,
"rule_name": "Kirbi File Creation",
"sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
"type": "eql",
"version": 5
},
"8.11": {
"max_allowable_version": 206,
"rule_name": "Kirbi File Creation",
"sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22",
"type": "eql",
"version": 107
},
"8.9": {
"max_allowable_version": 104,
"rule_name": "Kirbi File Creation",
"sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
"type": "eql",
"version": 5
}
},
"rule_name": "Kirbi File Creation",
@@ -6016,6 +6180,7 @@
"version": 206
},
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance",
"sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc",
"type": "query",
@@ -6067,19 +6232,19 @@
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 206,
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156",
"type": "eql",
"version": 107
},
"8.11": {
"max_allowable_version": 308,
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87",
"type": "eql",
"version": 209
},
"8.9": {
"max_allowable_version": 206,
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156",
"type": "eql",
"version": 107
}
},
"rule_name": "Persistence via BITS Job Notify Cmdline",
@@ -6172,12 +6337,32 @@
"version": 100
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "32aa247af72d8bfb3ed85d34d5c359b595a21f5b5ef6703aec68875147b2110f",
"type": "query",
"version": 206
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0",
"type": "query",
"version": 105
}
},
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "d9ce411d12a9dcd03a68e93eedabd0fc200c743908746faf634ade8744ff7f32",
"type": "query",
@@ -6356,6 +6541,16 @@
"version": 104
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999",
"type": "query",
"version": 107
}
},
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "b478201ba15dcd2c82b79fa58c4c175e917d642653a86009ecf389042156d85c",
"type": "query",
@@ -6368,6 +6563,16 @@
"version": 105
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6",
"type": "query",
"version": 106
}
},
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "06745b57fd263169ae59b2d860b840a6deb4a911da424fa9267827a54e77c61f",
"type": "query",
@@ -6398,12 +6603,32 @@
"version": 2
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
"sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7",
"type": "query",
"version": 106
}
},
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "68ad2d14c4876759c36eb2916aee5dc6a93ce9aba5183bea4fde222d94ad4fa5",
"type": "eql",
"version": 207
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Okta User Session Impersonation",
"sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5",
"type": "query",
"version": 107
}
},
"rule_name": "Okta User Session Impersonation",
"sha256": "0a3253294eddbc09d843b81fe8f461f26e5b01e8456dc88dbce7c79923ff93b7",
"type": "query",
@@ -6412,7 +6637,7 @@
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 110,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
@@ -6558,6 +6783,16 @@
"version": 107
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7",
"type": "query",
"version": 105
}
},
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6",
"type": "query",
@@ -6607,6 +6842,16 @@
"version": 106
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "537f87bddcb81e9ba189e215fbb67e630dc5362f718cb3d8e57f843bd129033a",
"type": "query",
@@ -6939,6 +7184,16 @@
"version": 6
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0",
"type": "threshold",
"version": 108
}
},
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "19b34876e0825396f2b8927609d08f7ba1b4401e0db2baf6f757df3fc826c18e",
"type": "threshold",
@@ -7001,7 +7256,7 @@
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.12",
"previous": {
"8.10": {
"8.9": {
"max_allowable_version": 211,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
@@ -7088,6 +7343,16 @@
"version": 2
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "6d57260382880fab2e20021bd0235b13974bf1bde3fcdb2fe4b85484ea80f4c6",
"type": "query",
@@ -7130,6 +7395,16 @@
"version": 107
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Possible Okta DoS Attack",
"sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391",
"type": "query",
"version": 105
}
},
"rule_name": "Possible Okta DoS Attack",
"sha256": "065c5e51d3541a24ee401d4b9da8787e8fb858c1e89938d7f7fa8daf46e7199e",
"type": "query",
@@ -7214,6 +7489,7 @@
"version": 7
},
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
"sha256": "5b1937ed0f1a2ea8d8b793ad31baa79ae277d949a84917d1c7a94395daa4a29b",
"type": "eql",
@@ -7226,6 +7502,16 @@
"version": 105
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 206,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d",
"type": "threshold",
"version": 108
}
},
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "6634f9bec3320679b3bd0b35bff114eac9820ee185c7345ca2d15e8cd1d53bce",
"type": "threshold",
@@ -7336,19 +7622,19 @@
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 208,
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
"type": "eql",
"version": 109
},
"8.11": {
"max_allowable_version": 310,
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140",
"type": "eql",
"version": 211
},
"8.9": {
"max_allowable_version": 208,
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
"type": "eql",
"version": 109
}
},
"rule_name": "Mimikatz Memssp Log File Detected",
@@ -7405,6 +7691,16 @@
"version": 112
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "6015ee3b4d4c29fbd1e06ca5bb2947716089acffc92c07d1e1ef36a3aace0a7c",
"type": "query",
@@ -7423,6 +7719,16 @@
"version": 5
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 102,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932",
"type": "query",
"version": 3
}
},
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "7957913d2c6870b3555352c9d5fff8bfa7ff001d9caf6ea1db026023c46d044c",
"type": "query",
@@ -7495,6 +7801,16 @@
"version": 107
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba",
"type": "query",
"version": 105
}
},
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "129a8d5f0cd2075e7fe6a38059a5ddcd26d18f1d6b9d8b93950bf60863671395",
"type": "query",
@@ -7821,6 +8137,16 @@
"version": 9
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.10",
"previous": {
"8.9": {
"max_allowable_version": 204,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06",
"type": "query",
"version": 105
}
},
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "248121396e46c80ff9a64d88848fd372e40eef61b3d43d31e6ef56a70477f392",
"type": "query",
@@ -7847,19 +8173,19 @@
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.13",
"previous": {
"8.10": {
"max_allowable_version": 108,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
"type": "eql",
"version": 9
},
"8.11": {
"max_allowable_version": 210,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc",
"type": "eql",
"version": 111
},
"8.9": {
"max_allowable_version": 108,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
"type": "eql",
"version": 9
}
},
"rule_name": "Suspicious Antimalware Scan Interface DLL",
@@ -7928,6 +8254,7 @@
"version": 1
},
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"sha256": "100db09c2d29764aa7b946d7b316cc9a17183ce57593ca72f84d578faa490b68",
"type": "new_terms",
@@ -8018,12 +8345,14 @@
"version": 5
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.9",
"rule_name": "Cron Job Created or Modified",
"sha256": "8b90331ba2cd07c2de41d17ca68bee336ea36c749c9c78f7dc5187704d786cc4",
"type": "eql",
"version": 11
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
"sha256": "f2663204a55cb4e897803fbc5d1f136637511d520fa0c559bf7234323858ab5e",
"type": "query",
+3 -3
@@ -4,22 +4,22 @@ This document provides detailed information about the different versions that ar
## Current Version
The current version of prebuilt detection rules is `v8.15`.
The current version of prebuilt detection rules is `v8.14`.
## Previous Versions Released
The following version(s) are released along with the current version.
- `v8.14`
- `v8.13`
- `v8.12`
- `v8.11`
### Previous Versions Maintained
The following version(s) are maintained along with the current version.
- `v8.11`
- `v8.10`
- `v8.9`
## End of Life Policy
@@ -2,18 +2,20 @@
creation_date = "2020/07/06"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/21"
[rule]
author = ["Nick Jones", "Elastic"]
description = """
An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may
attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time
a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue`
or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are
setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An
adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely
on the compromised service's IAM role to access the secrets in Secrets Manager.
a specific user identity has programmatically retrieved a secret value from Secrets Manager using the
`GetSecretValue` or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2
instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets
Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other
service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.
"""
false_positives = [
"""
@@ -2,7 +2,9 @@
creation_date = "2024/04/11"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/06"
[rule]
author = ["Elastic"]
@@ -73,7 +75,7 @@ references = [
"https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
"https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum",
"https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html",
"https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html"
]
risk_score = 47
rule_id = "185c782e-f86a-11ee-9d9f-f661ea17fbce"
@@ -2,7 +2,9 @@
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/06/03"
[rule]
author = ["Elastic"]
@@ -28,6 +30,7 @@ language = "kuery"
license = "Elastic License v2"
name = "AWS Systems Manager SecureString Parameter Request with Decryption Flag"
note = """
## Triage and Analysis
### Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag
@@ -2,7 +2,9 @@
creation_date = "2024/04/12"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/09"
[rule]
author = ["Elastic"]
@@ -27,6 +29,7 @@ language = "kuery"
license = "Elastic License v2"
name = "AWS S3 Bucket Expiration Lifecycle Configuration Added"
note = """
## Triage and Analysis
### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added
@@ -2,7 +2,9 @@
creation_date = "2024/04/16"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/28"
[rule]
author = ["Elastic"]
@@ -25,7 +27,8 @@ interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "Insecure AWS EC2 VPC Security Group Ingress Rule Added"
note = """## Triage and Analysis
note = """
## Triage and Analysis
### Investigating Insecure AWS EC2 VPC Security Group Ingress Rule Added
@@ -2,7 +2,9 @@
creation_date = "2024/04/30"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/28"
[rule]
author = ["Elastic"]
@@ -19,6 +21,7 @@ language = "kuery"
license = "Elastic License v2"
name = "AWS Lambda Layer Added to Existing Function"
note = """
## Triage and Analysis
### Investigating AWS Lambda Layer Added to Existing Function
@@ -58,7 +61,7 @@ For further guidance on managing Lambda functions and securing AWS environments,
references = [
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence",
"https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html",
"https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html",
"https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html"
]
risk_score = 21
rule_id = "7d091a76-0737-11ef-8469-f661ea17fbcc"
@@ -2,7 +2,9 @@
creation_date = "2024/04/17"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/29"
[rule]
author = ["Elastic"]
@@ -23,6 +25,7 @@ language = "eql"
license = "Elastic License v2"
name = "AWS S3 Bucket Policy Added to Share with External Account"
note = """
## Triage and Analysis
### Investigating AWS S3 Bucket Policy Change to Share with External Account
@@ -62,6 +65,7 @@ references = [
risk_score = 47
rule_id = "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce"
setup = """
## Setup
S3 data event types must be collected in the AWS CloudTrail logs. Please refer to [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) for more information.
@@ -99,4 +103,3 @@ reference = "https://attack.mitre.org/techniques/T1537/"
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
@@ -2,7 +2,9 @@
creation_date = "2024/04/16"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/14"
[rule]
author = ["Elastic"]
@@ -2,7 +2,9 @@
creation_date = "2024/04/20"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/06/03"
[rule]
author = ["Elastic"]
@@ -26,6 +28,7 @@ language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Roles Anywhere Profile Creation"
note = """
## Triage and Analysis
### Investigating AWS IAM Roles Anywhere Profile Creation
@@ -65,7 +68,7 @@ references = [
"https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
"https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-iam-roles-anywhere-trust-anchor-created/",
"https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
"https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html",
"https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html"
]
risk_score = 21
rule_id = "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce"
@@ -2,7 +2,9 @@
creation_date = "2024/04/20"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/06/03"
[rule]
author = ["Elastic"]
@@ -27,6 +29,7 @@ language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Roles Anywhere Trust Anchor Created with External CA"
note = """
## Triage and Analysis
### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA
@@ -65,7 +68,7 @@ For further guidance on managing IAM Roles Anywhere and securing AWS environment
references = [
"https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
"https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
"https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html",
"https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html"
]
risk_score = 47
rule_id = "71de53ea-ff3b-11ee-b572-f661ea17fbce"
@@ -2,7 +2,9 @@
creation_date = "2024/04/30"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/28"
[rule]
author = ["Elastic"]
@@ -12,14 +14,17 @@ the `AddPermission` API call with the `Principal` set to `*` which allows any AW
Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary
code.
"""
false_positives = ["Lambda function owners may legitimately update the function policy to allow public invocation."]
false_positives = [
"Lambda function owners may legitimately update the function policy to allow public invocation.",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS Lambda Function Policy Updated to Allow Public Invocation"
note = """## Triage and Analysis
note = """
## Triage and Analysis
### Investigating AWS Lambda Function Policy Updated to Allow Public Invocation
@@ -2,7 +2,9 @@
creation_date = "2024/04/30"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/06/03"
[rule]
author = ["Elastic"]
@@ -18,7 +20,8 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Instance Connect SSH Public Key Uploaded"
note = """## Triage and Analysis
note = """
## Triage and Analysis
### Investigating AWS EC2 Instance Connect SSH Public Key Uploaded
@@ -2,7 +2,9 @@
creation_date = "2021/05/17"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
min_stack_version = "8.9.0"
updated_date = "2024/05/21"
[rule]
author = ["Austin Songer"]
@@ -2,7 +2,9 @@
creation_date = "2023/10/26"
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2024/07/23"
min_stack_comments = "New field added to ecs : container.security_context.privileged"
min_stack_version = "8.10.0"
updated_date = "2024/01/05"
[rule]
author = ["Elastic"]
