diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml
index 0a3ef9750..31ba9227c 100644
--- a/.github/workflows/lock-versions.yml
+++ b/.github/workflows/lock-versions.yml
@@ -6,7 +6,7 @@ on:
 description: 'List of branches to lock versions (ordered, comma separated)'
 required: true
 # 7.17 was intentionally skipped because it was added late and was bug fix only
- default: '8.10,8.11,8.12,8.13,8.14,8.15'
+ default: '8.9,8.10,8.11,8.12,8.13,8.14'
 jobs:
 pr:
diff --git a/detection_rules/etc/api_schemas/8.15/8.15.base.json b/detection_rules/etc/api_schemas/8.15/8.15.base.json
deleted file mode 100644
index d5272291d..000000000
--- a/detection_rules/etc/api_schemas/8.15/8.15.base.json
+++ /dev/null
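Review bot: The new `default` value drops 8.15 and re-adds 8.9 without any explanation, while the comment directly above it documents only why 7.17 is absent, so a reader of the workflow cannot tell whether 8.15 was excluded deliberately or whether this is an accidental revert. The same commit deletes the 8.15 API schema files, which suggests the two are related, but that inference is not recorded anywhere in the workflow. Because this input is the list that `workflow_dispatch` runs lock against by default, a wrong default silently changes which branches get their versions locked, so the intent should be durable in the file. A one-line comment beside the existing 7.17 note would do, e.g. `# 8.15 intentionally excluded: <reason, e.g. its API schemas are not yet available>`. The enclosing `on:` input block and the `jobs:` section both continue outside this hunk.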
@@ -1,430 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "author": { - "items": { - "type": "string" - }, - "type": "array" - }, - "building_block_type": { - "enum": [ - "default" - ], - "type": "string" - }, - "description": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "exceptions_list": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "false_positives": { - "items": { - "type": "string" - }, - "type": "array" - }, - "filters": { - "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "type": "array" - }, - "from": { - "type": "string" - }, - "interval": { - "description": "Interval", - "pattern": "^\\d+[mshd]$", - "type": "string" - }, - "investigation_fields": { - "additionalProperties": false, - "properties": { - "field_names": { - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "field_names" - ], - "type": "object" - }, - "license": { - "type": "string" - }, - "max_signals": { - "description": "MaxSignals", - "minimum": 1, - "type": "integer" - }, - "meta": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "name": { - "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", - "type": "string" - }, - "note": { - "description": "MarkdownField", - "type": "string" - }, - "references": { - "items": { - "type": "string" - }, - "type": "array" - }, - "related_integrations": { - "items": { - "additionalProperties": false, - "properties": { - "integration": { - "description": "NonEmptyStr", - 
"minLength": 1, - "type": "string" - }, - "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "package", - "version" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "required_fields": { - "items": { - "additionalProperties": false, - "properties": { - "ecs": { - "type": "boolean" - }, - "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "ecs", - "name", - "type" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "risk_score": { - "description": "MaxSignals", - "maximum": 100, - "minimum": 1, - "type": "integer" - }, - "risk_score_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "rule_id": { - "description": "UUIDString", - "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", - "type": "string" - }, - "rule_name_override": { - "type": "string" - }, - "setup": { - "description": "MarkdownField", - "min_compat": "8.3", - "type": "string" - }, - "severity": { - "enum": [ - "low", - "medium", - "high", - "critical" - ], - "enumNames": [], - "type": "string" - }, - "severity_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "severity": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "type": "string" - }, - 
"type": "array" - }, - "threat": { - "items": { - "additionalProperties": false, - "properties": { - "framework": { - "enum": [ - "MITRE ATT&CK" - ], - "type": "string" - }, - "tactic": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TacticURL", - "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "technique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", - "type": "string" - }, - "subtechnique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "SubTechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "framework", - "tactic" - ], - "type": "object" - }, - "type": "array" - }, - "throttle": { - "type": "string" - }, - "timeline_id": { - "description": "TimelineTemplateId", - "enum": [ - "db366523-f1c6-4c1f-8731-6ce5ed9e5717", - "91832785-286d-4ebe-b884-1a208d111a70", - "76e52245-7519-4251-91ab-262fb1a1728c", - "495ad7a7-316e-4544-8a0f-9c098daee76e", - "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "e70679c2-6cde-4510-9764-4823df18f7db", - "300afc76-072d-4261-864d-4149714bf3f1", - "3e47ef71-ebfc-4520-975c-cb27fc090799", - "3e827bab-838a-469f-bd1e-5e19a2bff2fd", - "4434b91a-94ca-4a89-83cb-a37cdc0532b7" - ], - "enumNames": [], - "type": "string" - }, - 
"timeline_title": { - "description": "TimelineTemplateTitle", - "enum": [ - "Generic Endpoint Timeline", - "Generic Network Timeline", - "Generic Process Timeline", - "Generic Threat Match Timeline", - "Comprehensive File Timeline", - "Comprehensive Process Timeline", - "Comprehensive Network Timeline", - "Comprehensive Registry Timeline", - "Alerts Involving a Single User Timeline", - "Alerts Involving a Single Host Timeline" - ], - "enumNames": [], - "type": "string" - }, - "timestamp_override": { - "type": "string" - }, - "to": { - "type": "string" - }, - "type": { - "enum": [ - "query", - "saved_query", - "machine_learning", - "eql", - "esql", - "threshold", - "threat_match", - "new_terms" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "author", - "description", - "name", - "risk_score", - "rule_id", - "severity", - "type" - ], - "type": "object" -} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.15/8.15.eql.json b/detection_rules/etc/api_schemas/8.15/8.15.eql.json deleted file mode 100644 index d4981cbef..000000000 --- a/detection_rules/etc/api_schemas/8.15/8.15.eql.json +++ /dev/null 
@@ -1,508 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "alert_suppression": { - "additionalProperties": false, - "properties": { - "duration": { - "additionalProperties": false, - "properties": { - "unit": { - "enum": [ - "s", - "m", - "h" - ], - "enumNames": [], - "type": "string" - }, - "value": { - "description": "AlertSupressionValue", - "minimum": 1, - "type": "integer" - } - }, - "required": [ - "unit", - "value" - ], - "type": "object" - }, - "group_by": { - "description": "AlertSuppressionGroupBy", - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "maxItems": 3, - "minItems": 1, - "type": "array" - }, - "missing_fields_strategy": { - "description": "AlertSuppressionMissing", - "enum": [ - "suppress", - "doNotSuppress" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "group_by", - "missing_fields_strategy" - ], - "type": "object" - }, - "author": { - "items": { - "type": "string" - }, - "type": "array" - }, - "building_block_type": { - "enum": [ - "default" - ], - "type": "string" - }, - "data_view_id": { - "type": "string" - }, - "description": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "event_category_override": { - "min_compat": "8.0", - "type": "string" - }, - "exceptions_list": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "false_positives": { - "items": { - "type": "string" - }, - "type": "array" - }, - "filters": { - "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "type": "array" - }, - "from": { - "type": "string" - }, - "index": { - "items": { - "type": "string" - }, - "type": "array" - }, - 
"interval": { - "description": "Interval", - "pattern": "^\\d+[mshd]$", - "type": "string" - }, - "investigation_fields": { - "additionalProperties": false, - "properties": { - "field_names": { - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "field_names" - ], - "type": "object" - }, - "language": { - "enum": [ - "eql" - ], - "type": "string" - }, - "license": { - "type": "string" - }, - "max_signals": { - "description": "MaxSignals", - "minimum": 1, - "type": "integer" - }, - "meta": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "name": { - "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", - "type": "string" - }, - "note": { - "description": "MarkdownField", - "type": "string" - }, - "query": { - "type": "string" - }, - "references": { - "items": { - "type": "string" - }, - "type": "array" - }, - "related_integrations": { - "items": { - "additionalProperties": false, - "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "package", - "version" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "required_fields": { - "items": { - "additionalProperties": false, - "properties": { - "ecs": { - "type": "boolean" - }, - "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "ecs", - "name", - "type" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "risk_score": { - "description": "MaxSignals", - "maximum": 100, - "minimum": 1, - 
"type": "integer" - }, - "risk_score_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "rule_id": { - "description": "UUIDString", - "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", - "type": "string" - }, - "rule_name_override": { - "type": "string" - }, - "setup": { - "description": "MarkdownField", - "min_compat": "8.3", - "type": "string" - }, - "severity": { - "enum": [ - "low", - "medium", - "high", - "critical" - ], - "enumNames": [], - "type": "string" - }, - "severity_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "severity": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "type": "string" - }, - "type": "array" - }, - "threat": { - "items": { - "additionalProperties": false, - "properties": { - "framework": { - "enum": [ - "MITRE ATT&CK" - ], - "type": "string" - }, - "tactic": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TacticURL", - "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "technique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", - "type": "string" - }, - "subtechnique": { - "items": { - 
"additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "SubTechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "framework", - "tactic" - ], - "type": "object" - }, - "type": "array" - }, - "throttle": { - "type": "string" - }, - "tiebreaker_field": { - "min_compat": "8.0", - "type": "string" - }, - "timeline_id": { - "description": "TimelineTemplateId", - "enum": [ - "db366523-f1c6-4c1f-8731-6ce5ed9e5717", - "91832785-286d-4ebe-b884-1a208d111a70", - "76e52245-7519-4251-91ab-262fb1a1728c", - "495ad7a7-316e-4544-8a0f-9c098daee76e", - "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "e70679c2-6cde-4510-9764-4823df18f7db", - "300afc76-072d-4261-864d-4149714bf3f1", - "3e47ef71-ebfc-4520-975c-cb27fc090799", - "3e827bab-838a-469f-bd1e-5e19a2bff2fd", - "4434b91a-94ca-4a89-83cb-a37cdc0532b7" - ], - "enumNames": [], - "type": "string" - }, - "timeline_title": { - "description": "TimelineTemplateTitle", - "enum": [ - "Generic Endpoint Timeline", - "Generic Network Timeline", - "Generic Process Timeline", - "Generic Threat Match Timeline", - "Comprehensive File Timeline", - "Comprehensive Process Timeline", - "Comprehensive Network Timeline", - "Comprehensive Registry Timeline", - "Alerts Involving a Single User Timeline", - "Alerts Involving a Single Host Timeline" - ], - "enumNames": [], - "type": "string" - }, - "timestamp_field": { - "min_compat": "8.0", - "type": "string" - }, - "timestamp_override": { - "type": "string" - }, - "to": { - "type": "string" - }, - "type": { - "enum": [ - "eql" - ], - "type": "string" - } - }, - "required": [ - "author", - "description", - "language", - "name", - "query", 
- "risk_score",
- "rule_id",
- "severity",
- "type"
- ],
- "type": "object"
-}
\ No newline at end of file
diff --git a/detection_rules/etc/api_schemas/8.15/8.15.esql.json b/detection_rules/etc/api_schemas/8.15/8.15.esql.json
deleted file mode 100644
index b8d40663a..000000000
--- a/detection_rules/etc/api_schemas/8.15/8.15.esql.json
+++ /dev/null
@@ -1,496 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "alert_suppression": { - "additionalProperties": false, - "properties": { - "duration": { - "additionalProperties": false, - "properties": { - "unit": { - "enum": [ - "s", - "m", - "h" - ], - "enumNames": [], - "type": "string" - }, - "value": { - "description": "AlertSupressionValue", - "minimum": 1, - "type": "integer" - } - }, - "required": [ - "unit", - "value" - ], - "type": "object" - }, - "group_by": { - "description": "AlertSuppressionGroupBy", - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "maxItems": 3, - "minItems": 1, - "type": "array" - }, - "missing_fields_strategy": { - "description": "AlertSuppressionMissing", - "enum": [ - "suppress", - "doNotSuppress" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "group_by", - "missing_fields_strategy" - ], - "type": "object" - }, - "author": { - "items": { - "type": "string" - }, - "type": "array" - }, - "building_block_type": { - "enum": [ - "default" - ], - "type": "string" - }, - "data_view_id": { - "type": "string" - }, - "description": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "exceptions_list": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "false_positives": { - "items": { - "type": "string" - }, - "type": "array" - }, - "filters": { - "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "type": "array" - }, - "from": { - "type": "string" - }, - "index": { - "items": { - "type": "string" - }, - "type": "array" - }, - "interval": { - "description": "Interval", - "pattern": "^\\d+[mshd]$", - "type": 
"string" - }, - "investigation_fields": { - "additionalProperties": false, - "properties": { - "field_names": { - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "field_names" - ], - "type": "object" - }, - "language": { - "enum": [ - "esql" - ], - "type": "string" - }, - "license": { - "type": "string" - }, - "max_signals": { - "description": "MaxSignals", - "minimum": 1, - "type": "integer" - }, - "meta": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "name": { - "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", - "type": "string" - }, - "note": { - "description": "MarkdownField", - "type": "string" - }, - "query": { - "type": "string" - }, - "references": { - "items": { - "type": "string" - }, - "type": "array" - }, - "related_integrations": { - "items": { - "additionalProperties": false, - "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "package", - "version" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "required_fields": { - "items": { - "additionalProperties": false, - "properties": { - "ecs": { - "type": "boolean" - }, - "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "ecs", - "name", - "type" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "risk_score": { - "description": "MaxSignals", - "maximum": 100, - "minimum": 1, - "type": "integer" - }, - "risk_score_mapping": { - "items": { - 
"additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "rule_id": { - "description": "UUIDString", - "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", - "type": "string" - }, - "rule_name_override": { - "type": "string" - }, - "setup": { - "description": "MarkdownField", - "min_compat": "8.3", - "type": "string" - }, - "severity": { - "enum": [ - "low", - "medium", - "high", - "critical" - ], - "enumNames": [], - "type": "string" - }, - "severity_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "severity": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "type": "string" - }, - "type": "array" - }, - "threat": { - "items": { - "additionalProperties": false, - "properties": { - "framework": { - "enum": [ - "MITRE ATT&CK" - ], - "type": "string" - }, - "tactic": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TacticURL", - "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "technique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", - "type": "string" - }, - "subtechnique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - 
"type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "SubTechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "framework", - "tactic" - ], - "type": "object" - }, - "type": "array" - }, - "throttle": { - "type": "string" - }, - "timeline_id": { - "description": "TimelineTemplateId", - "enum": [ - "db366523-f1c6-4c1f-8731-6ce5ed9e5717", - "91832785-286d-4ebe-b884-1a208d111a70", - "76e52245-7519-4251-91ab-262fb1a1728c", - "495ad7a7-316e-4544-8a0f-9c098daee76e", - "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "e70679c2-6cde-4510-9764-4823df18f7db", - "300afc76-072d-4261-864d-4149714bf3f1", - "3e47ef71-ebfc-4520-975c-cb27fc090799", - "3e827bab-838a-469f-bd1e-5e19a2bff2fd", - "4434b91a-94ca-4a89-83cb-a37cdc0532b7" - ], - "enumNames": [], - "type": "string" - }, - "timeline_title": { - "description": "TimelineTemplateTitle", - "enum": [ - "Generic Endpoint Timeline", - "Generic Network Timeline", - "Generic Process Timeline", - "Generic Threat Match Timeline", - "Comprehensive File Timeline", - "Comprehensive Process Timeline", - "Comprehensive Network Timeline", - "Comprehensive Registry Timeline", - "Alerts Involving a Single User Timeline", - "Alerts Involving a Single Host Timeline" - ], - "enumNames": [], - "type": "string" - }, - "timestamp_override": { - "type": "string" - }, - "to": { - "type": "string" - }, - "type": { - "enum": [ - "esql" - ], - "type": "string" - } - }, - "required": [ - "author", - "description", - "language", - "name", - "query", - "risk_score", - "rule_id", - "severity", - "type" - ], - "type": "object" -} \ No newline at end of file 
diff --git a/detection_rules/etc/api_schemas/8.15/8.15.machine_learning.json b/detection_rules/etc/api_schemas/8.15/8.15.machine_learning.json
deleted file mode 100644
index 547790b07..000000000
--- a/detection_rules/etc/api_schemas/8.15/8.15.machine_learning.json
+++ /dev/null
@@ -1,440 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "anomaly_threshold": { - "type": "integer" - }, - "author": { - "items": { - "type": "string" - }, - "type": "array" - }, - "building_block_type": { - "enum": [ - "default" - ], - "type": "string" - }, - "description": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "exceptions_list": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "false_positives": { - "items": { - "type": "string" - }, - "type": "array" - }, - "filters": { - "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "type": "array" - }, - "from": { - "type": "string" - }, - "interval": { - "description": "Interval", - "pattern": "^\\d+[mshd]$", - "type": "string" - }, - "investigation_fields": { - "additionalProperties": false, - "properties": { - "field_names": { - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "field_names" - ], - "type": "object" - }, - "license": { - "type": "string" - }, - "machine_learning_job_id": { - "anyOf": [ - { - "type": "string" - }, - { - "items": { - "type": "string" - }, - "type": "array" - } - ] - }, - "max_signals": { - "description": "MaxSignals", - "minimum": 1, - "type": "integer" - }, - "meta": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "name": { - "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", - "type": "string" - }, - "note": { - "description": "MarkdownField", - "type": "string" - }, - "references": { - "items": { - 
"type": "string" - }, - "type": "array" - }, - "related_integrations": { - "items": { - "additionalProperties": false, - "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "package", - "version" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "required_fields": { - "items": { - "additionalProperties": false, - "properties": { - "ecs": { - "type": "boolean" - }, - "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "ecs", - "name", - "type" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "risk_score": { - "description": "MaxSignals", - "maximum": 100, - "minimum": 1, - "type": "integer" - }, - "risk_score_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "rule_id": { - "description": "UUIDString", - "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", - "type": "string" - }, - "rule_name_override": { - "type": "string" - }, - "setup": { - "description": "MarkdownField", - "min_compat": "8.3", - "type": "string" - }, - "severity": { - "enum": [ - "low", - "medium", - "high", - "critical" - ], - "enumNames": [], - "type": "string" - }, - "severity_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "severity": { - "type": 
"string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "type": "string" - }, - "type": "array" - }, - "threat": { - "items": { - "additionalProperties": false, - "properties": { - "framework": { - "enum": [ - "MITRE ATT&CK" - ], - "type": "string" - }, - "tactic": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TacticURL", - "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "technique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", - "type": "string" - }, - "subtechnique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "SubTechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "framework", - "tactic" - ], - "type": "object" - }, - "type": "array" - }, - "throttle": { - "type": "string" - }, - "timeline_id": { - "description": "TimelineTemplateId", - "enum": [ - "db366523-f1c6-4c1f-8731-6ce5ed9e5717", - "91832785-286d-4ebe-b884-1a208d111a70", - "76e52245-7519-4251-91ab-262fb1a1728c", - "495ad7a7-316e-4544-8a0f-9c098daee76e", - "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "e70679c2-6cde-4510-9764-4823df18f7db", - 
"300afc76-072d-4261-864d-4149714bf3f1", - "3e47ef71-ebfc-4520-975c-cb27fc090799", - "3e827bab-838a-469f-bd1e-5e19a2bff2fd", - "4434b91a-94ca-4a89-83cb-a37cdc0532b7" - ], - "enumNames": [], - "type": "string" - }, - "timeline_title": { - "description": "TimelineTemplateTitle", - "enum": [ - "Generic Endpoint Timeline", - "Generic Network Timeline", - "Generic Process Timeline", - "Generic Threat Match Timeline", - "Comprehensive File Timeline", - "Comprehensive Process Timeline", - "Comprehensive Network Timeline", - "Comprehensive Registry Timeline", - "Alerts Involving a Single User Timeline", - "Alerts Involving a Single Host Timeline" - ], - "enumNames": [], - "type": "string" - }, - "timestamp_override": { - "type": "string" - }, - "to": { - "type": "string" - }, - "type": { - "enum": [ - "machine_learning" - ], - "type": "string" - } - }, - "required": [ - "anomaly_threshold", - "author", - "description", - "machine_learning_job_id", - "name", - "risk_score", - "rule_id", - "severity", - "type" - ], - "type": "object" -} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.15/8.15.new_terms.json b/detection_rules/etc/api_schemas/8.15/8.15.new_terms.json deleted file mode 100644 index 3b2fa86e0..000000000 --- a/detection_rules/etc/api_schemas/8.15/8.15.new_terms.json +++ /dev/null 
@@ -1,551 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "alert_suppression": { - "additionalProperties": false, - "properties": { - "duration": { - "additionalProperties": false, - "properties": { - "unit": { - "enum": [ - "s", - "m", - "h" - ], - "enumNames": [], - "type": "string" - }, - "value": { - "description": "AlertSupressionValue", - "minimum": 1, - "type": "integer" - } - }, - "required": [ - "unit", - "value" - ], - "type": "object" - }, - "group_by": { - "description": "AlertSuppressionGroupBy", - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "maxItems": 3, - "minItems": 1, - "type": "array" - }, - "missing_fields_strategy": { - "description": "AlertSuppressionMissing", - "enum": [ - "suppress", - "doNotSuppress" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "group_by", - "missing_fields_strategy" - ], - "type": "object" - }, - "author": { - "items": { - "type": "string" - }, - "type": "array" - }, - "building_block_type": { - "enum": [ - "default" - ], - "type": "string" - }, - "data_view_id": { - "type": "string" - }, - "description": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "exceptions_list": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "false_positives": { - "items": { - "type": "string" - }, - "type": "array" - }, - "filters": { - "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "type": "array" - }, - "from": { - "type": "string" - }, - "index": { - "items": { - "type": "string" - }, - "type": "array" - }, - "interval": { - "description": "Interval", - "pattern": "^\\d+[mshd]$", - "type": 
"string" - }, - "investigation_fields": { - "additionalProperties": false, - "properties": { - "field_names": { - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "field_names" - ], - "type": "object" - }, - "language": { - "enum": [ - "eql", - "esql", - "kuery", - "lucene" - ], - "enumNames": [], - "type": "string" - }, - "license": { - "type": "string" - }, - "max_signals": { - "description": "MaxSignals", - "minimum": 1, - "type": "integer" - }, - "meta": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "name": { - "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", - "type": "string" - }, - "new_terms": { - "additionalProperties": false, - "properties": { - "field": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "history_window_start": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "value": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "field", - "value" - ], - "type": "object" - }, - "type": "array" - }, - "value": { - "description": "NewTermsFields", - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "maxItems": 3, - "minItems": 1, - "type": "array" - } - }, - "required": [ - "field", - "history_window_start", - "value" - ], - "type": "object" - }, - "note": { - "description": "MarkdownField", - "type": "string" - }, - "query": { - "type": "string" - }, - "references": { - "items": { - "type": "string" - }, - "type": "array" - }, - "related_integrations": { - "items": { - "additionalProperties": false, - "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "package": { - "description": 
"NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "package", - "version" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "required_fields": { - "items": { - "additionalProperties": false, - "properties": { - "ecs": { - "type": "boolean" - }, - "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "ecs", - "name", - "type" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "risk_score": { - "description": "MaxSignals", - "maximum": 100, - "minimum": 1, - "type": "integer" - }, - "risk_score_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "rule_id": { - "description": "UUIDString", - "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", - "type": "string" - }, - "rule_name_override": { - "type": "string" - }, - "setup": { - "description": "MarkdownField", - "min_compat": "8.3", - "type": "string" - }, - "severity": { - "enum": [ - "low", - "medium", - "high", - "critical" - ], - "enumNames": [], - "type": "string" - }, - "severity_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "severity": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "type": "string" - }, - "type": "array" - }, - "threat": { - "items": { - "additionalProperties": 
false, - "properties": { - "framework": { - "enum": [ - "MITRE ATT&CK" - ], - "type": "string" - }, - "tactic": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TacticURL", - "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "technique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", - "type": "string" - }, - "subtechnique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "SubTechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "framework", - "tactic" - ], - "type": "object" - }, - "type": "array" - }, - "throttle": { - "type": "string" - }, - "timeline_id": { - "description": "TimelineTemplateId", - "enum": [ - "db366523-f1c6-4c1f-8731-6ce5ed9e5717", - "91832785-286d-4ebe-b884-1a208d111a70", - "76e52245-7519-4251-91ab-262fb1a1728c", - "495ad7a7-316e-4544-8a0f-9c098daee76e", - "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "e70679c2-6cde-4510-9764-4823df18f7db", - "300afc76-072d-4261-864d-4149714bf3f1", - "3e47ef71-ebfc-4520-975c-cb27fc090799", - "3e827bab-838a-469f-bd1e-5e19a2bff2fd", - "4434b91a-94ca-4a89-83cb-a37cdc0532b7" - ], - "enumNames": [], - "type": "string" - }, - "timeline_title": { - "description": "TimelineTemplateTitle", - "enum": [ - 
"Generic Endpoint Timeline", - "Generic Network Timeline", - "Generic Process Timeline", - "Generic Threat Match Timeline", - "Comprehensive File Timeline", - "Comprehensive Process Timeline", - "Comprehensive Network Timeline", - "Comprehensive Registry Timeline", - "Alerts Involving a Single User Timeline", - "Alerts Involving a Single Host Timeline" - ], - "enumNames": [], - "type": "string" - }, - "timestamp_override": { - "type": "string" - }, - "to": { - "type": "string" - }, - "type": { - "enum": [ - "new_terms" - ], - "type": "string" - } - }, - "required": [ - "author", - "description", - "language", - "name", - "new_terms", - "query", - "risk_score", - "rule_id", - "severity", - "type" - ], - "type": "object" -} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.15/8.15.query.json b/detection_rules/etc/api_schemas/8.15/8.15.query.json deleted file mode 100644 index 6c6d9b82f..000000000 --- a/detection_rules/etc/api_schemas/8.15/8.15.query.json +++ /dev/null 
@@ -1,500 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "alert_suppression": { - "additionalProperties": false, - "properties": { - "duration": { - "additionalProperties": false, - "properties": { - "unit": { - "enum": [ - "s", - "m", - "h" - ], - "enumNames": [], - "type": "string" - }, - "value": { - "description": "AlertSupressionValue", - "minimum": 1, - "type": "integer" - } - }, - "required": [ - "unit", - "value" - ], - "type": "object" - }, - "group_by": { - "description": "AlertSuppressionGroupBy", - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "maxItems": 3, - "minItems": 1, - "type": "array" - }, - "missing_fields_strategy": { - "description": "AlertSuppressionMissing", - "enum": [ - "suppress", - "doNotSuppress" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "group_by", - "missing_fields_strategy" - ], - "type": "object" - }, - "author": { - "items": { - "type": "string" - }, - "type": "array" - }, - "building_block_type": { - "enum": [ - "default" - ], - "type": "string" - }, - "data_view_id": { - "type": "string" - }, - "description": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "exceptions_list": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "false_positives": { - "items": { - "type": "string" - }, - "type": "array" - }, - "filters": { - "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "type": "array" - }, - "from": { - "type": "string" - }, - "index": { - "items": { - "type": "string" - }, - "type": "array" - }, - "interval": { - "description": "Interval", - "pattern": "^\\d+[mshd]$", - "type": 
"string" - }, - "investigation_fields": { - "additionalProperties": false, - "properties": { - "field_names": { - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "field_names" - ], - "type": "object" - }, - "language": { - "enum": [ - "eql", - "esql", - "kuery", - "lucene" - ], - "enumNames": [], - "type": "string" - }, - "license": { - "type": "string" - }, - "max_signals": { - "description": "MaxSignals", - "minimum": 1, - "type": "integer" - }, - "meta": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "name": { - "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", - "type": "string" - }, - "note": { - "description": "MarkdownField", - "type": "string" - }, - "query": { - "type": "string" - }, - "references": { - "items": { - "type": "string" - }, - "type": "array" - }, - "related_integrations": { - "items": { - "additionalProperties": false, - "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "package", - "version" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "required_fields": { - "items": { - "additionalProperties": false, - "properties": { - "ecs": { - "type": "boolean" - }, - "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "ecs", - "name", - "type" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "risk_score": { - "description": "MaxSignals", - "maximum": 100, - "minimum": 1, - "type": "integer" - }, - 
"risk_score_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "rule_id": { - "description": "UUIDString", - "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", - "type": "string" - }, - "rule_name_override": { - "type": "string" - }, - "setup": { - "description": "MarkdownField", - "min_compat": "8.3", - "type": "string" - }, - "severity": { - "enum": [ - "low", - "medium", - "high", - "critical" - ], - "enumNames": [], - "type": "string" - }, - "severity_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "severity": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "type": "string" - }, - "type": "array" - }, - "threat": { - "items": { - "additionalProperties": false, - "properties": { - "framework": { - "enum": [ - "MITRE ATT&CK" - ], - "type": "string" - }, - "tactic": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TacticURL", - "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "technique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", - "type": "string" - }, - "subtechnique": { - "items": { - "additionalProperties": 
false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "SubTechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "framework", - "tactic" - ], - "type": "object" - }, - "type": "array" - }, - "throttle": { - "type": "string" - }, - "timeline_id": { - "description": "TimelineTemplateId", - "enum": [ - "db366523-f1c6-4c1f-8731-6ce5ed9e5717", - "91832785-286d-4ebe-b884-1a208d111a70", - "76e52245-7519-4251-91ab-262fb1a1728c", - "495ad7a7-316e-4544-8a0f-9c098daee76e", - "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "e70679c2-6cde-4510-9764-4823df18f7db", - "300afc76-072d-4261-864d-4149714bf3f1", - "3e47ef71-ebfc-4520-975c-cb27fc090799", - "3e827bab-838a-469f-bd1e-5e19a2bff2fd", - "4434b91a-94ca-4a89-83cb-a37cdc0532b7" - ], - "enumNames": [], - "type": "string" - }, - "timeline_title": { - "description": "TimelineTemplateTitle", - "enum": [ - "Generic Endpoint Timeline", - "Generic Network Timeline", - "Generic Process Timeline", - "Generic Threat Match Timeline", - "Comprehensive File Timeline", - "Comprehensive Process Timeline", - "Comprehensive Network Timeline", - "Comprehensive Registry Timeline", - "Alerts Involving a Single User Timeline", - "Alerts Involving a Single Host Timeline" - ], - "enumNames": [], - "type": "string" - }, - "timestamp_override": { - "type": "string" - }, - "to": { - "type": "string" - }, - "type": { - "enum": [ - "query" - ], - "type": "string" - } - }, - "required": [ - "author", - "description", - "language", - "name", - "query", - "risk_score", - "rule_id", - "severity", - "type" - ], - "type": "object" -} \ No newline at end of file 
diff --git a/detection_rules/etc/api_schemas/8.15/8.15.threat_match.json b/detection_rules/etc/api_schemas/8.15/8.15.threat_match.json deleted file mode 100644 index f2df907f6..000000000 --- a/detection_rules/etc/api_schemas/8.15/8.15.threat_match.json +++ /dev/null 
@@ -1,591 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "alert_suppression": { - "additionalProperties": false, - "properties": { - "duration": { - "additionalProperties": false, - "properties": { - "unit": { - "enum": [ - "s", - "m", - "h" - ], - "enumNames": [], - "type": "string" - }, - "value": { - "description": "AlertSupressionValue", - "minimum": 1, - "type": "integer" - } - }, - "required": [ - "unit", - "value" - ], - "type": "object" - }, - "group_by": { - "description": "AlertSuppressionGroupBy", - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "maxItems": 3, - "minItems": 1, - "type": "array" - }, - "missing_fields_strategy": { - "description": "AlertSuppressionMissing", - "enum": [ - "suppress", - "doNotSuppress" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "group_by", - "missing_fields_strategy" - ], - "type": "object" - }, - "author": { - "items": { - "type": "string" - }, - "type": "array" - }, - "building_block_type": { - "enum": [ - "default" - ], - "type": "string" - }, - "concurrent_searches": { - "description": "PositiveInteger", - "minimum": 1, - "type": "integer" - }, - "data_view_id": { - "type": "string" - }, - "description": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "exceptions_list": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "false_positives": { - "items": { - "type": "string" - }, - "type": "array" - }, - "filters": { - "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "type": "array" - }, - "from": { - "type": "string" - }, - "index": { - "items": { - "type": "string" - }, - 
"type": "array" - }, - "interval": { - "description": "Interval", - "pattern": "^\\d+[mshd]$", - "type": "string" - }, - "investigation_fields": { - "additionalProperties": false, - "properties": { - "field_names": { - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "field_names" - ], - "type": "object" - }, - "items_per_search": { - "description": "PositiveInteger", - "minimum": 1, - "type": "integer" - }, - "language": { - "enum": [ - "eql", - "esql", - "kuery", - "lucene" - ], - "enumNames": [], - "type": "string" - }, - "license": { - "type": "string" - }, - "max_signals": { - "description": "MaxSignals", - "minimum": 1, - "type": "integer" - }, - "meta": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "name": { - "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", - "type": "string" - }, - "note": { - "description": "MarkdownField", - "type": "string" - }, - "query": { - "type": "string" - }, - "references": { - "items": { - "type": "string" - }, - "type": "array" - }, - "related_integrations": { - "items": { - "additionalProperties": false, - "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "package", - "version" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "required_fields": { - "items": { - "additionalProperties": false, - "properties": { - "ecs": { - "type": "boolean" - }, - "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "ecs", - 
"name", - "type" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "risk_score": { - "description": "MaxSignals", - "maximum": 100, - "minimum": 1, - "type": "integer" - }, - "risk_score_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "rule_id": { - "description": "UUIDString", - "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", - "type": "string" - }, - "rule_name_override": { - "type": "string" - }, - "setup": { - "description": "MarkdownField", - "min_compat": "8.3", - "type": "string" - }, - "severity": { - "enum": [ - "low", - "medium", - "high", - "critical" - ], - "enumNames": [], - "type": "string" - }, - "severity_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "severity": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "type": "string" - }, - "type": "array" - }, - "threat": { - "items": { - "additionalProperties": false, - "properties": { - "framework": { - "enum": [ - "MITRE ATT&CK" - ], - "type": "string" - }, - "tactic": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TacticURL", - "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "technique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - 
}, - "reference": { - "description": "TechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", - "type": "string" - }, - "subtechnique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "SubTechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "framework", - "tactic" - ], - "type": "object" - }, - "type": "array" - }, - "threat_filters": { - "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "type": "array" - }, - "threat_index": { - "items": { - "type": "string" - }, - "type": "array" - }, - "threat_indicator_path": { - "type": "string" - }, - "threat_language": { - "enum": [ - "eql", - "esql", - "kuery", - "lucene" - ], - "enumNames": [], - "type": "string" - }, - "threat_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "entries": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "enum": [ - "mapping" - ], - "type": "string" - }, - "value": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "field", - "type", - "value" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "entries" - ], - "type": "object" - }, - "type": "array" - }, - "threat_query": { - "type": "string" - }, - "throttle": { - "type": "string" - }, - "timeline_id": { - "description": "TimelineTemplateId", - "enum": [ - "db366523-f1c6-4c1f-8731-6ce5ed9e5717", - 
"91832785-286d-4ebe-b884-1a208d111a70", - "76e52245-7519-4251-91ab-262fb1a1728c", - "495ad7a7-316e-4544-8a0f-9c098daee76e", - "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "e70679c2-6cde-4510-9764-4823df18f7db", - "300afc76-072d-4261-864d-4149714bf3f1", - "3e47ef71-ebfc-4520-975c-cb27fc090799", - "3e827bab-838a-469f-bd1e-5e19a2bff2fd", - "4434b91a-94ca-4a89-83cb-a37cdc0532b7" - ], - "enumNames": [], - "type": "string" - }, - "timeline_title": { - "description": "TimelineTemplateTitle", - "enum": [ - "Generic Endpoint Timeline", - "Generic Network Timeline", - "Generic Process Timeline", - "Generic Threat Match Timeline", - "Comprehensive File Timeline", - "Comprehensive Process Timeline", - "Comprehensive Network Timeline", - "Comprehensive Registry Timeline", - "Alerts Involving a Single User Timeline", - "Alerts Involving a Single Host Timeline" - ], - "enumNames": [], - "type": "string" - }, - "timestamp_override": { - "type": "string" - }, - "to": { - "type": "string" - }, - "type": { - "enum": [ - "threat_match" - ], - "type": "string" - } - }, - "required": [ - "author", - "description", - "language", - "name", - "query", - "risk_score", - "rule_id", - "severity", - "threat_index", - "threat_mapping", - "type" - ], - "type": "object" -} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.15/8.15.threshold.json b/detection_rules/etc/api_schemas/8.15/8.15.threshold.json deleted file mode 100644 index dc6f2f0a8..000000000 --- a/detection_rules/etc/api_schemas/8.15/8.15.threshold.json +++ /dev/null 
@@ -1,526 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "alert_suppression": { - "additionalProperties": false, - "properties": { - "duration": { - "additionalProperties": false, - "properties": { - "unit": { - "enum": [ - "s", - "m", - "h" - ], - "enumNames": [], - "type": "string" - }, - "value": { - "description": "AlertSupressionValue", - "minimum": 1, - "type": "integer" - } - }, - "required": [ - "unit", - "value" - ], - "type": "object" - } - }, - "required": [ - "duration" - ], - "type": "object" - }, - "author": { - "items": { - "type": "string" - }, - "type": "array" - }, - "building_block_type": { - "enum": [ - "default" - ], - "type": "string" - }, - "data_view_id": { - "type": "string" - }, - "description": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "exceptions_list": { - "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "array" - }, - "false_positives": { - "items": { - "type": "string" - }, - "type": "array" - }, - "filters": { - "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "type": "array" - }, - "from": { - "type": "string" - }, - "index": { - "items": { - "type": "string" - }, - "type": "array" - }, - "interval": { - "description": "Interval", - "pattern": "^\\d+[mshd]$", - "type": "string" - }, - "investigation_fields": { - "additionalProperties": false, - "properties": { - "field_names": { - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "field_names" - ], - "type": "object" - }, - "language": { - "enum": [ - "eql", - "esql", - "kuery", - "lucene" - ], - "enumNames": [], - "type": "string" - 
}, - "license": { - "type": "string" - }, - "max_signals": { - "description": "MaxSignals", - "minimum": 1, - "type": "integer" - }, - "meta": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - }, - "name": { - "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", - "type": "string" - }, - "note": { - "description": "MarkdownField", - "type": "string" - }, - "query": { - "type": "string" - }, - "references": { - "items": { - "type": "string" - }, - "type": "array" - }, - "related_integrations": { - "items": { - "additionalProperties": false, - "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "package", - "version" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "required_fields": { - "items": { - "additionalProperties": false, - "properties": { - "ecs": { - "type": "boolean" - }, - "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "ecs", - "name", - "type" - ], - "type": "object" - }, - "min_compat": "8.3", - "type": "array" - }, - "risk_score": { - "description": "MaxSignals", - "maximum": 100, - "minimum": 1, - "type": "integer" - }, - "risk_score_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "rule_id": { - "description": "UUIDString", - "pattern": 
"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", - "type": "string" - }, - "rule_name_override": { - "type": "string" - }, - "setup": { - "description": "MarkdownField", - "min_compat": "8.3", - "type": "string" - }, - "severity": { - "enum": [ - "low", - "medium", - "high", - "critical" - ], - "enumNames": [], - "type": "string" - }, - "severity_mapping": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "operator": { - "enum": [ - "equals" - ], - "type": "string" - }, - "severity": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "field" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "type": "string" - }, - "type": "array" - }, - "threat": { - "items": { - "additionalProperties": false, - "properties": { - "framework": { - "enum": [ - "MITRE ATT&CK" - ], - "type": "string" - }, - "tactic": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TacticURL", - "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "technique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "TechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", - "type": "string" - }, - "subtechnique": { - "items": { - "additionalProperties": false, - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "reference": { - "description": "SubTechniqueURL", - "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", - "type": "string" - } - }, - "required": [ - "id", - "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "id", 
- "name", - "reference" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "framework", - "tactic" - ], - "type": "object" - }, - "type": "array" - }, - "threshold": { - "additionalProperties": false, - "properties": { - "cardinality": { - "items": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" - }, - "value": { - "description": "ThresholdValue", - "minimum": 1, - "type": "integer" - } - }, - "required": [ - "field", - "value" - ], - "type": "object" - }, - "type": "array" - }, - "field": { - "description": "CardinalityFields", - "items": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "maxItems": 3, - "type": "array" - }, - "value": { - "description": "ThresholdValue", - "minimum": 1, - "type": "integer" - } - }, - "required": [ - "field", - "value" - ], - "type": "object" - }, - "throttle": { - "type": "string" - }, - "timeline_id": { - "description": "TimelineTemplateId", - "enum": [ - "db366523-f1c6-4c1f-8731-6ce5ed9e5717", - "91832785-286d-4ebe-b884-1a208d111a70", - "76e52245-7519-4251-91ab-262fb1a1728c", - "495ad7a7-316e-4544-8a0f-9c098daee76e", - "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", - "e70679c2-6cde-4510-9764-4823df18f7db", - "300afc76-072d-4261-864d-4149714bf3f1", - "3e47ef71-ebfc-4520-975c-cb27fc090799", - "3e827bab-838a-469f-bd1e-5e19a2bff2fd", - "4434b91a-94ca-4a89-83cb-a37cdc0532b7" - ], - "enumNames": [], - "type": "string" - }, - "timeline_title": { - "description": "TimelineTemplateTitle", - "enum": [ - "Generic Endpoint Timeline", - "Generic Network Timeline", - "Generic Process Timeline", - "Generic Threat Match Timeline", - "Comprehensive File Timeline", - "Comprehensive Process Timeline", - "Comprehensive Network Timeline", - "Comprehensive Registry Timeline", - "Alerts Involving a Single User Timeline", - "Alerts Involving a Single Host Timeline" - ], - "enumNames": [], - "type": "string" - }, - "timestamp_override": { - "type": "string" - }, - "to": { 
- "type": "string" - }, - "type": { - "enum": [ - "threshold" - ], - "type": "string" - } - }, - "required": [ - "author", - "description", - "language", - "name", - "query", - "risk_score", - "rule_id", - "severity", - "threshold", - "type" - ], - "type": "object" -} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/master/master.base.json b/detection_rules/etc/api_schemas/master/master.base.json index d5272291d..af501ab7d 100644 --- a/detection_rules/etc/api_schemas/master/master.base.json +++ b/detection_rules/etc/api_schemas/master/master.base.json 
@@ -52,15 +52,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.eql.json b/detection_rules/etc/api_schemas/master/master.eql.json index d4981cbef..3ae345171 100644 --- a/detection_rules/etc/api_schemas/master/master.eql.json +++ b/detection_rules/etc/api_schemas/master/master.eql.json 
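Review bot: `meta.params` is typed `"string"` in the new `filters.items` schema, and because the item and `meta` both carry `additionalProperties: false`, any rule whose filter stores `params` as an object or an array (the range and phrases forms of a Kibana filter do so in the exports I have seen) will now fail validation; widening it to `"params": { "type": ["string", "object", "array"] }` keeps the new strictness elsewhere without rejecting those rules. The `query.anyOf` also adds no validation as written: its second branch accepts any object with any values, so the strict `wildcard` branch can never reject anything — either tighten the fallback or drop the first branch. `"enumNames": []` is not draft-04 vocabulary and looks like a generator artifact rather than an intended constraint. These files appear to be generated from the Python rule schemas, so if that is the case the fix belongs in that source; the identical hunks in master.eql.json, master.esql.json, master.machine_learning.json, master.new_terms.json, master.query.json, master.threat_match.json and master.threshold.json share the same points.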
@@ -113,15 +113,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.esql.json b/detection_rules/etc/api_schemas/master/master.esql.json index b8d40663a..636ddbd0c 100644 --- a/detection_rules/etc/api_schemas/master/master.esql.json +++ b/detection_rules/etc/api_schemas/master/master.esql.json 
@@ -109,15 +109,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.machine_learning.json b/detection_rules/etc/api_schemas/master/master.machine_learning.json index 547790b07..af5c31c4a 100644 --- a/detection_rules/etc/api_schemas/master/master.machine_learning.json +++ b/detection_rules/etc/api_schemas/master/master.machine_learning.json 
@@ -55,15 +55,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.new_terms.json b/detection_rules/etc/api_schemas/master/master.new_terms.json index 3b2fa86e0..7096144f3 100644 --- a/detection_rules/etc/api_schemas/master/master.new_terms.json +++ b/detection_rules/etc/api_schemas/master/master.new_terms.json 
@@ -109,15 +109,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.query.json b/detection_rules/etc/api_schemas/master/master.query.json index 6c6d9b82f..89ffd98a7 100644 --- a/detection_rules/etc/api_schemas/master/master.query.json +++ b/detection_rules/etc/api_schemas/master/master.query.json 
@@ -109,15 +109,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.threat_match.json b/detection_rules/etc/api_schemas/master/master.threat_match.json index f2df907f6..9d2901f09 100644 --- a/detection_rules/etc/api_schemas/master/master.threat_match.json +++ b/detection_rules/etc/api_schemas/master/master.threat_match.json 
@@ -114,15 +114,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.threshold.json b/detection_rules/etc/api_schemas/master/master.threshold.json index dc6f2f0a8..7cf6e1ac0 100644 --- a/detection_rules/etc/api_schemas/master/master.threshold.json +++ b/detection_rules/etc/api_schemas/master/master.threshold.json 
@@ -88,15 +88,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz index 40b73d361..c499e176d 100644 Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ 
diff --git a/detection_rules/etc/beats_schemas/v8.14.3.json.gz b/detection_rules/etc/beats_schemas/v8.14.3.json.gz
deleted file mode 100644
index 4d948fb7f..000000000
Binary files a/detection_rules/etc/beats_schemas/v8.14.3.json.gz and /dev/null differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz
index fbeb38b08..e5191996f 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz
index c57690aed..101bf1940 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz
index 0206868a4..308c01607 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz
index c7a93c331..7fa6e41b4 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz
index f9de082a7..2ea7a5eaf 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
index 94cdfdcb6..73f3b2977 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
index d8ddc7b71..b4d8d8d03 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
index fee6888b9..32923a26f 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index c6dbb8493..be3f12b1b 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index c29ce042e..f67edaedc 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz
index fad38628a..fa49b0451 100644
Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz
index b6b691d49..c83abbaf4 100644
Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz
index 94c7ec0b2..41abef8c5 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz
index f4c08acf3..d3028e7fa 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz
index 04ecc2b53..3342706e2 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz
index 6e910ea58..71bb49002 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index 6d08bd92c..b2daee501 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index f94eba3fd..e2f2c6fe7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index a0f474f5f..027a22a99 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index ff0a3984c..087b86f30 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index 115b2bb90..6fa41576a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index f46e2ce39..f6931cb85 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index 379bbbdfd..85b90f6fb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
index 25788ac3c..554bd9a8a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
index e110aedfb..56279aa94 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
index d2339925f..cf076502c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index 21a60727a..2d1daab05 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index e68ffade9..07d6d4258 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index 6a7254090..77356dc42 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index 89c086be9..5c511a042 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index 67174eeff..05e742b78 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index 2db3fd0a5..8c2aa0988 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index b8be59f40..87e729e0b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index 6925b286c..68de0b27b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index 88311eeb6..f5063ffab 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index c26bba1cc..7f05f813c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index 029393fb0..ac9ec9f87 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index 7abade071..42abc0bca 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index 0d9abb473..4d5897672 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 266d0eec4..3fbaa8e56 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index 096adbfd3..1e457c8a7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index 76164cd04..62498d665 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index b5eaae6fa..bf37a704d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index ff98ce362..91b794a97 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index fa24ab645..f04329a12 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index de90070d6..47af0f73a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index 6d8479629..b3036ba3a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index f48b16cf8..b5dd97e3b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index fb707b6de..e7b2412a1 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index 44ce35d8b..fdd10da3f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index 82439e144..33c2534d1 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index 54a0c5455..bc4e6ccf8 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index b51124a32..2e1f28dac 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index 3ed132f32..5aed1007e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index 44c0d34bf..44e08e82d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index 9fcd1510b..373d8105c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index 51325f7d7..009a8cb61 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index 6d7d9e5cc..61c9bb928 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index b507567c0..c878f4f08 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
index d8a213444..7f96d056e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz
index 12b52562f..1c1b0b7cb 100644
Binary files a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 4c14112a0..4cf7ab622 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 9b6ab9782..65b634c30 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/packages.yaml b/detection_rules/etc/packages.yaml
index 39a654bb4..e54683907 100644
--- a/detection_rules/etc/packages.yaml
+++ b/detection_rules/etc/packages.yaml
@@ -4,7 +4,7 @@ package: maturity: - production log_deprecated: true - name: '8.16' + name: '8.15' registry_data: categories: - security
@@ -13,7 +13,7 @@ package: subscription: basic capabilities: - security - kibana.version: ^8.16.0 + kibana.version: ^8.15.0 description: Prebuilt detection rules for Elastic Security format_version: 3.0.0 icons:
@@ -28,5 +28,5 @@ package: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration - version: 8.16.0-beta.1 + version: 8.15.0-beta.1 release: true
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index c3941bfe0..f2ea604e4 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
@@ -72,13 +72,13 @@ # ecs: "8.8.0" # endgame: "8.4.0" -# "8.9.0": -# beats: "8.9.0" -# ecs: "8.9.0" -# endgame: "8.4.0" - ## Supported +"8.9.0": + beats: "8.9.0" + ecs: "8.9.0" + endgame: "8.4.0" + "8.10.0": beats: "8.10.3" ecs: "8.10.0"
@@ -107,9 +107,4 @@ "8.15.0": beats: "8.13.4" ecs: "8.11.0" - endgame: "8.4.0" - -"8.16.0": - beats: "8.14.3" - ecs: "8.11.0" endgame: "8.4.0"
\ No newline at end of file
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 20cd02480..21c6d05d8 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -1,5 +1,15 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 206, + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73", + "type": "query", + "version": 107 + } + }, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2", "type": "query",
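Review bot: The second hunk of stack-schema-map.yaml (`@@ -107,9 +107,4 @@`) leaves the file without a trailing newline (`\ No newline at end of file` after the closing `endgame: "8.4.0"`), so the next stack version appended to this map will show the `"8.15.0"` block's last line as modified as well. Since the commit already rewrites the tail of the file, terminating that last line with a newline now would keep future lock/unlock diffs limited to the lines they actually add. In the first hunk the restored `"8.9.0"` block carries the same `beats`, `ecs` and `endgame` values as the commented-out entry it replaces, so the supported-version window looks consistent with the `packages.yaml` change above.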
@@ -14,23 +24,23 @@ "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 209, - "rule_name": "System Shells via Services", - "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", - "type": "eql", - "version": 110 - }, "8.11": { "max_allowable_version": 311, "rule_name": "System Shells via Services", "sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783", "type": "eql", "version": 212 + }, + "8.9": { + "max_allowable_version": 209, + "rule_name": "System Shells via Services", + "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", + "type": "eql", + "version": 110 } }, "rule_name": "System Shells via Services", - "sha256": "d09f4a2125c3a79501aa49ac207d0826a48e71b41fcca9095d05be14c1ff1465", + "sha256": "d09f4a2125c3a79501aa49ac207d0826a48e71b41fcca9095d05be14c1ff1465", "type": "eql", "version": 313 }, @@ -241,19 +251,19 @@ "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 107, - "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", - "type": "eql", - "version": 8 - }, "8.11": { "max_allowable_version": 209, "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d", "type": "eql", "version": 110 + }, + "8.9": { + "max_allowable_version": 107, + "rule_name": "Local Account TokenFilter Policy Disabled", + "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", + "type": "eql", + "version": 8 } }, "rule_name": "Local Account TokenFilter Policy Disabled", 
@@ -355,7 +365,7 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", @@ -580,6 +590,7 @@ "version": 5 }, "1251b98a-ff45-11ee-89a1-f661ea17fbce": { + "min_stack_version": "8.9", "rule_name": "AWS Lambda Function Created or Updated", "sha256": "87966613bf1e01dcb3a76da7179be8b64db8e7af206075273d4919a384b5d773", "type": "query", @@ -624,19 +635,19 @@ "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 207, - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471", - "type": "eql", - "version": 108 - }, "8.11": { "max_allowable_version": 309, "rule_name": "Persistence via Scheduled Job Creation", "sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29", "type": "eql", "version": 210 + }, + "8.9": { + "max_allowable_version": 207, + "rule_name": "Persistence via Scheduled Job Creation", + "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471", + "type": "eql", + "version": 108 } }, "rule_name": "Persistence via Scheduled Job Creation", @@ -699,6 +710,7 @@ "version": 109 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { + "min_stack_version": "8.9", "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", "sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740", "type": "query", @@ -838,6 +850,7 @@ "version": 100 }, "185c782e-f86a-11ee-9d9f-f661ea17fbce": { + "min_stack_version": "8.9", "rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", "sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e", "type": "threshold", 
@@ -964,6 +977,7 @@ "version": 108 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { + "min_stack_version": "8.10", "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "50473966980c6830aa4b12aa9acafafacf8d3e86b508832e498777b302fd9b54", "type": "query", @@ -976,6 +990,7 @@ "version": 110 }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { + "min_stack_version": "8.9", "rule_name": "AWS IAM Roles Anywhere Profile Creation", "sha256": "f668e7947688e878a2b5f5aa8a3bc7f30cf777776b49855a8b5e2c7e3b8e2449", "type": "query", @@ -1020,7 +1035,7 @@ "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", @@ -1120,7 +1135,7 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.11", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 206, "rule_name": "Access of Stored Browser Credentials", "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563", @@ -1261,12 +1276,14 @@ "version": 5 }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { + "min_stack_version": "8.9", "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", "sha256": "e07c5774ac9be077fa7a454528f609d611bd70ce18b1d4ae04954c19fd243eec", "type": "query", "version": 1 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { + "min_stack_version": "8.10", "rule_name": "New Okta Authentication Behavior Detected", "sha256": "44887f3eb626b80c75a0110be4b26d1ce66bf37892a7bab818d90f36023aae1c", "type": "query", @@ -1311,7 +1328,7 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", 
@@ -1431,19 +1448,19 @@ "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 210, - "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc", - "type": "eql", - "version": 111 - }, "8.11": { "max_allowable_version": 312, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609", "type": "eql", "version": 213 + }, + "8.9": { + "max_allowable_version": 210, + "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", + "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc", + "type": "eql", + "version": 111 } }, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", @@ -1454,7 +1471,7 @@ "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", @@ -1468,6 +1485,7 @@ "version": 311 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { + "min_stack_version": "8.10", "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "ed5ee5cca37901181403052c73c15575a768c00863a860235c68fae83f550ce1", "type": "query", 
@@ -1506,19 +1524,19 @@ "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 210, - "rule_name": "Adobe Hijack Persistence", - "sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636", - "type": "eql", - "version": 112 - }, "8.11": { "max_allowable_version": 312, "rule_name": "Adobe Hijack Persistence", "sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe", "type": "eql", "version": 213 + }, + "8.9": { + "max_allowable_version": 210, + "rule_name": "Adobe Hijack Persistence", + "sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636", + "type": "eql", + "version": 112 } }, "rule_name": "Adobe Hijack Persistence", @@ -1731,19 +1749,19 @@ "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 210, - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3", - "type": "eql", - "version": 111 - }, "8.11": { "max_allowable_version": 312, "rule_name": "Suspicious MS Outlook Child Process", "sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172", "type": "eql", "version": 213 + }, + "8.9": { + "max_allowable_version": 210, + "rule_name": "Suspicious MS Outlook Child Process", + "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3", + "type": "eql", + "version": 111 } }, "rule_name": "Suspicious MS Outlook Child Process", 
@@ -1796,19 +1814,19 @@ "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 209, - "rule_name": "Port Forwarding Rule Addition", - "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd", - "type": "eql", - "version": 110 - }, "8.11": { "max_allowable_version": 311, "rule_name": "Port Forwarding Rule Addition", "sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d", "type": "eql", "version": 212 + }, + "8.9": { + "max_allowable_version": 209, + "rule_name": "Port Forwarding Rule Addition", + "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd", + "type": "eql", + "version": 110 } }, "rule_name": "Port Forwarding Rule Addition", @@ -1891,7 +1909,7 @@ "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.11", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 205, "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598", @@ -1905,6 +1923,16 @@ "version": 206 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 206, + "rule_name": "Attempted Bypass of Okta MFA", + "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2", + "type": "query", + "version": 107 + } + }, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "6873fd08617e0efde5dccf424aacbfe7057877288810c2ed68293f795964241b", "type": "query", 
@@ -2009,19 +2037,19 @@ "3b47900d-e793-49e8-968f-c90dc3526aa1": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 209, - "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f", - "type": "eql", - "version": 110 - }, "8.11": { "max_allowable_version": 311, "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b", "type": "eql", "version": 212 + }, + "8.9": { + "max_allowable_version": 209, + "rule_name": "Unusual Parent Process for cmd.exe", + "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f", + "type": "eql", + "version": 110 } }, "rule_name": "Unusual Parent Process for cmd.exe", @@ -2050,7 +2078,7 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", @@ -2215,6 +2243,7 @@ "version": 106 }, "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { + "min_stack_version": "8.10", "rule_name": "Mount Launched Inside a Privileged Container", "sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d", "type": "eql", @@ -2227,6 +2256,16 @@ "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 206, + "rule_name": "Okta Brute Force or Password Spraying Attack", + "sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621", + "type": "threshold", + "version": 108 + } + }, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "191661b0af8a8c61df4f38e1c05684730daaa2e7211d90119b291ab3658f5ad3", "type": "threshold", 
@@ -2539,6 +2578,16 @@ "version": 107 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 205, + "rule_name": "Unauthorized Access to an Okta Application", + "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8", + "type": "query", + "version": 106 + } + }, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "6cf84f243e86183b9bc2efdc39aa92f7573c421593ce71f1ce90dd87daf5b2dd", "type": "query", @@ -2558,6 +2607,7 @@ "version": 109 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { + "min_stack_version": "8.10", "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "9f8682da0707ca62f5537007eb440a25605c097964d7acb1ab228c8c773845ca", "type": "threshold", @@ -2578,19 +2628,19 @@ "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 207, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", - "type": "eql", - "version": 108 - }, "8.11": { "max_allowable_version": 309, "rule_name": "Registry Persistence via AppCert DLL", "sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d", "type": "eql", "version": 210 + }, + "8.9": { + "max_allowable_version": 207, + "rule_name": "Registry Persistence via AppCert DLL", + "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", + "type": "eql", + "version": 108 } }, "rule_name": "Registry Persistence via AppCert DLL", @@ -2677,6 +2727,7 @@ "version": 106 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { + "min_stack_version": "8.9", "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "sha256": "cce1af93176b643f8c69e79b1ef19c94e25df9e6f6607ba60b50433fd8914264", "type": "new_terms", 
@@ -2722,7 +2773,7 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", @@ -2766,6 +2817,7 @@ "version": 5 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { + "min_stack_version": "8.10", "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "19f2524462a1935f7bd77fa31385a7dbf59740b36cd1da2d0ac2166624973870", "type": "eql", @@ -2780,7 +2832,7 @@ "565c2b44-7a21-4818-955f-8d4737967d2e": { "min_stack_version": "8.11", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 205, "rule_name": "Potential Admin Group Account Addition", "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4", @@ -2808,7 +2860,7 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", @@ -3138,7 +3190,7 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", @@ -3164,6 +3216,7 @@ "version": 110 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { + "min_stack_version": "8.10", "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "061bd86219770d199904efabae4bb62bbc5897cdef6b8d1e517cae8670d3398e", "type": "threshold", 
@@ -3292,7 +3345,7 @@ "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.11", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 205, "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489", @@ -3312,6 +3365,16 @@ "version": 9 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 205, + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "0f0e1ba88bbda85d60bb8fc96bda554db238881ea16937d0f0fa5414a15e6ede", "type": "query", @@ -3324,6 +3387,16 @@ "version": 206 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 205, + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "e8e7b2e174c70d5a4a851a47b90138516f2a3c440e275c037a6f1334759c87de", "type": "query", @@ -3360,6 +3433,16 @@ "version": 207 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 204, + "rule_name": "Okta ThreatInsight Threat Suspected Promotion", + "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", + "type": "query", + "version": 105 + } + }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "8d04de56ef8b8f97264ebf4f9614963e43b9106d543823fdccbce9b59a0011d8", "type": "query", 
@@ -3459,19 +3542,19 @@ "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 210, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", - "type": "eql", - "version": 111 - }, "8.11": { "max_allowable_version": 312, "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a", "type": "eql", "version": 213 + }, + "8.9": { + "max_allowable_version": 210, + "rule_name": "Exporting Exchange Mailbox via PowerShell", + "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", + "type": "eql", + "version": 111 } }, "rule_name": "Exporting Exchange Mailbox via PowerShell", @@ -3588,6 +3671,7 @@ "version": 100 }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { + "min_stack_version": "8.10", "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "4a61b8effbf32d622b658833f4b222d18ac656a1cddd5bf60629bebf6292ec7f", "type": "new_terms", @@ -3666,6 +3750,7 @@ "version": 3 }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { + "min_stack_version": "8.9", "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", "sha256": "fc40abf7c58386b21b4e7ba3f8d8b900510aeaa86c789defff2aec11c20e707c", "type": "query", @@ -3678,6 +3763,16 @@ "version": 206 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 205, + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "a26dbdf7534708e6c75311dac75a165cbb21ce2fedc44bffa5ebd8437ffe6354", "type": "query", 
@@ -3716,7 +3811,7 @@ "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.11", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 205, "rule_name": "Modification of Environment Variable via Launchctl", "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb", @@ -3798,19 +3893,19 @@ "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 209, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33", - "type": "eql", - "version": 110 - }, "8.11": { "max_allowable_version": 311, "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "798b0bc1aa4d176b16df395288002a2230428379590ddac8a418f1d42b23d435", "type": "eql", "version": 212 + }, + "8.9": { + "max_allowable_version": 209, + "rule_name": "Potential Remote Desktop Tunneling Detected", + "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33", + "type": "eql", + "version": 110 } }, "rule_name": "Potential Remote Desktop Tunneling Detected", @@ -3875,19 +3970,19 @@ "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 100, - "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0", - "type": "eql", - "version": 1 - }, "8.11": { "max_allowable_version": 202, "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "49a6b4db003e5979ea703d08bd0b70fac84ca643c074a444e673d90ab43d8b3c", "type": "eql", "version": 103 + }, + "8.9": { + "max_allowable_version": 100, + "rule_name": "Suspicious ScreenConnect Client Child Process", + "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0", + "type": "eql", + "version": 1 } }, "rule_name": "Suspicious ScreenConnect Client Child Process", 
@@ -4010,6 +4105,7 @@ "version": 104 }, "7d091a76-0737-11ef-8469-f661ea17fbcc": { + "min_stack_version": "8.9", "rule_name": "AWS Lambda Layer Added to Existing Function", "sha256": "26e76de9328e30fd2a1ccfedc25b238243c1c82d255dd6d1e3f7ccc9e67d7898", "type": "query", @@ -4036,7 +4132,7 @@ "7e23dfef-da2c-4d64-b11d-5f285b638853": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 102, "rule_name": "Microsoft Management Console File from Unusual Path", "sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49", @@ -4093,6 +4189,7 @@ "version": 1 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { + "min_stack_version": "8.9", "rule_name": "SSM Session Started to EC2 Instance", "sha256": "1810d2feab3a3ab42bfb40d5b25dba1fdfff834237355e59824fb8d89879f0dc", "type": "new_terms", @@ -4137,7 +4234,7 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", @@ -4159,7 +4256,7 @@ "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.11", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 206, "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a", @@ -4275,6 +4372,7 @@ "version": 112 }, "873b5452-074e-11ef-852e-f661ea17fbcc": { + "min_stack_version": "8.9", "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", "sha256": "f5bb109e123b34f550ec9a57fc0152a04bc3bc4de3e5adc847b07ef34d39fc68", "type": "query", @@ -4359,6 +4457,7 @@ "version": 5 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { + "min_stack_version": "8.10", "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "9b0a2839f4cf78cbec03a3af5cacad652fcad5f72e5e9f06e2c3324a6014727c", "type": "eql", 
@@ -4383,6 +4482,16 @@ "version": 108 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 205, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "42864ccbb8e48936452a309318951454ac5820199a0b5e62be20a53c6846eb2b", "type": "query", @@ -4583,7 +4692,7 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.12", "previous": { - "8.10": { + "8.9": { "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", @@ -4609,6 +4718,7 @@ "version": 3 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { + "min_stack_version": "8.9", "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", "sha256": "eccf879f86a18747a6744cb2d0084cf9aef85286bfb2fb37f3302d9f20d3d86c", "type": "query", @@ -4635,19 +4745,19 @@ "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 206, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851", - "type": "eql", - "version": 107 - }, "8.11": { "max_allowable_version": 308, "rule_name": "Encoded Executable Stored in the Registry", "sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4", "type": "eql", "version": 209 + }, + "8.9": { + "max_allowable_version": 206, + "rule_name": "Encoded Executable Stored in the Registry", + "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851", + "type": "eql", + "version": 107 } }, "rule_name": "Encoded Executable Stored in the Registry", 
@@ -4736,6 +4846,16 @@ "version": 111 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 204, + "rule_name": "Attempt to Create Okta API Token", + "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", + "type": "query", + "version": 105 + } + }, "rule_name": "Attempt to Create Okta API Token", "sha256": "00e7844e7b50556df54dd1a80585ef3b0d6e18949813883d66e9467cd40a90f9", "type": "query", @@ -4772,6 +4892,7 @@ "version": 104 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { + "min_stack_version": "8.10", "rule_name": "File System Debugger Launched Inside a Privileged Container", "sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9", "type": "eql", @@ -4784,6 +4905,16 @@ "version": 206 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 206, + "rule_name": "Potential Abuse of Repeated MFA Push Notifications", + "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", + "type": "eql", + "version": 107 + } + }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "b5fcc4e747c548c7f941007c4c619f12ac40c55649e2cb4c8fdf0cba578433ed", "type": "eql", 
@@ -4792,19 +4923,19 @@ "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 209, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976", - "type": "eql", - "version": 110 - }, "8.11": { "max_allowable_version": 311, "rule_name": "Suspicious Zoom Child Process", "sha256": "745bbfc9daf71b081b3cbc422438c9c11dd5c34eee59681b1a8ee21dea74b4a6", "type": "eql", "version": 212 + }, + "8.9": { + "max_allowable_version": 209, + "rule_name": "Suspicious Zoom Child Process", + "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976", + "type": "eql", + "version": 110 } }, "rule_name": "Suspicious Zoom Child Process", @@ -5061,6 +5192,7 @@ "version": 210 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { + "min_stack_version": "8.9", "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9", "type": "new_terms", @@ -5254,6 +5386,7 @@ "version": 102 }, "a8aaa49d-9834-462d-bf8f-b1255cebc004": { + "min_stack_version": "8.9", "rule_name": "Authentication via Unusual PAM Grantor", "sha256": "60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a", "type": "new_terms", 
@@ -5359,19 +5492,19 @@ "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.13", "previous": { - "8.10": { - "max_allowable_version": 211, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", - "type": "eql", - "version": 112 - }, "8.11": { "max_allowable_version": 313, "rule_name": "Suspicious WerFault Child Process", "sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10", "type": "eql", "version": 214 + }, + "8.9": { + "max_allowable_version": 211, + "rule_name": "Suspicious WerFault Child Process", + "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", + "type": "eql", + "version": 112 } }, "rule_name": "Suspicious WerFault Child Process", @@ -5621,6 +5754,16 @@ "version": 3 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { + "min_stack_version": "8.10", + "previous": { + "8.9": { + "max_allowable_version": 205, + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", + "type": "query", + "version": 106 + } + }, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "614c1c668c20b47ea3131ada30c8e3553492804e1a59c5580715f70c757d07b6", "type": "query", @@ -5645,6 +5788,7 @@ "version": 111 }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { + "min_stack_version": "8.9", "rule_name": "Systemd Service Started by Unusual Parent Process", "sha256": "a074138b6a33a4b9b1a130c6f7b65c67cdb9876c041ca0b69884d42473c8b69b", "type": "new_terms", 
@@ -5681,6 +5825,16 @@
 "version": 103
 },
 "b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 205,
+ "rule_name": "Attempt to Deactivate an Okta Policy",
+ "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Attempt to Deactivate an Okta Policy",
 "sha256": "6a65ec96ad5423adc711dfec4c404f2e552f894f68eaa80a1f242d64218bbdc6",
 "type": "query",
@@ -5693,6 +5847,16 @@
 "version": 3
 },
 "b8075894-0b62-46e5-977c-31275da34419": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 204,
+ "rule_name": "Administrator Privileges Assigned to an Okta Group",
+ "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "Administrator Privileges Assigned to an Okta Group",
 "sha256": "1177bae4785512b7c84e85287f4a1e6555c016a06a1a91407ee74cee2c622ae3",
 "type": "query",
@@ -5713,19 +5877,19 @@
 "b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
 "min_stack_version": "8.13",
 "previous": {
- "8.10": {
- "max_allowable_version": 207,
- "rule_name": "Creation or Modification of Domain Backup DPAPI private key",
- "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93",
- "type": "eql",
- "version": 108
- },
 "8.11": {
 "max_allowable_version": 309,
 "rule_name": "Creation or Modification of Domain Backup DPAPI private key",
 "sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04",
 "type": "eql",
 "version": 210
+ },
+ "8.9": {
+ "max_allowable_version": 207,
+ "rule_name": "Creation or Modification of Domain Backup DPAPI private key",
+ "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93",
+ "type": "eql",
+ "version": 108
 }
 },
 "rule_name": "Creation or Modification of Domain Backup DPAPI private key",
@@ -5742,19 +5906,19 @@
 "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
 "min_stack_version": "8.13",
 "previous": {
- "8.10": {
- "max_allowable_version": 104,
- "rule_name": "Kirbi File Creation",
- "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
- "type": "eql",
- "version": 5
- },
 "8.11": {
 "max_allowable_version": 206,
 "rule_name": "Kirbi File Creation",
 "sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22",
 "type": "eql",
 "version": 107
+ },
+ "8.9": {
+ "max_allowable_version": 104,
+ "rule_name": "Kirbi File Creation",
+ "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
+ "type": "eql",
+ "version": 5
 }
 },
 "rule_name": "Kirbi File Creation",
@@ -6016,6 +6180,7 @@
 "version": 206
 },
 "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
+ "min_stack_version": "8.9",
 "rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance",
 "sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc",
 "type": "query",
@@ -6067,19 +6232,19 @@
 "c3b915e0-22f3-4bf7-991d-b643513c722f": {
 "min_stack_version": "8.13",
 "previous": {
- "8.10": {
- "max_allowable_version": 206,
- "rule_name": "Persistence via BITS Job Notify Cmdline",
- "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156",
- "type": "eql",
- "version": 107
- },
 "8.11": {
 "max_allowable_version": 308,
 "rule_name": "Persistence via BITS Job Notify Cmdline",
 "sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87",
 "type": "eql",
 "version": 209
+ },
+ "8.9": {
+ "max_allowable_version": 206,
+ "rule_name": "Persistence via BITS Job Notify Cmdline",
+ "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156",
+ "type": "eql",
+ "version": 107
 }
 },
 "rule_name": "Persistence via BITS Job Notify Cmdline",
@@ -6172,12 +6337,32 @@
 "version": 100
 },
 "c749e367-a069-4a73-b1f2-43a3798153ad": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 205,
+ "rule_name": "Attempt to Delete an Okta Network Zone",
+ "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Attempt to Delete an Okta Network Zone",
 "sha256": "32aa247af72d8bfb3ed85d34d5c359b595a21f5b5ef6703aec68875147b2110f",
 "type": "query",
 "version": 206
 },
 "c74fd275-ab2c-4d49-8890-e2943fa65c09": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 204,
+ "rule_name": "Attempt to Modify an Okta Application",
+ "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "Attempt to Modify an Okta Application",
 "sha256": "d9ce411d12a9dcd03a68e93eedabd0fc200c743908746faf634ade8744ff7f32",
 "type": "query",
@@ -6356,6 +6541,16 @@
 "version": 104
 },
 "cc92c835-da92-45c9-9f29-b4992ad621a0": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 206,
+ "rule_name": "Attempt to Deactivate an Okta Policy Rule",
+ "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999",
+ "type": "query",
+ "version": 107
+ }
+ },
 "rule_name": "Attempt to Deactivate an Okta Policy Rule",
 "sha256": "b478201ba15dcd2c82b79fa58c4c175e917d642653a86009ecf389042156d85c",
 "type": "query",
@@ -6368,6 +6563,16 @@
 "version": 105
 },
 "cd16fb10-0261-46e8-9932-a0336278cdbe": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 205,
+ "rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
+ "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
 "sha256": "06745b57fd263169ae59b2d860b840a6deb4a911da424fa9267827a54e77c61f",
 "type": "query",
@@ -6398,12 +6603,32 @@
 "version": 2
 },
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 205,
+ "rule_name": "Attempt to Deactivate MFA for an Okta User Account",
+ "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
 "sha256": "68ad2d14c4876759c36eb2916aee5dc6a93ce9aba5183bea4fde222d94ad4fa5",
 "type": "eql",
 "version": 207
 },
 "cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 206,
+ "rule_name": "Okta User Session Impersonation",
+ "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5",
+ "type": "query",
+ "version": 107
+ }
+ },
 "rule_name": "Okta User Session Impersonation",
 "sha256": "0a3253294eddbc09d843b81fe8f461f26e5b01e8456dc88dbce7c79923ff93b7",
 "type": "query",
@@ -6412,7 +6637,7 @@
 "cde1bafa-9f01-4f43-a872-605b678968b0": {
 "min_stack_version": "8.12",
 "previous": {
- "8.10": {
+ "8.9": {
 "max_allowable_version": 110,
 "rule_name": "Potential PowerShell HackTool Script by Function Names",
 "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
@@ -6558,6 +6783,16 @@
 "version": 107
 },
 "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 204,
+ "rule_name": "Attempt to Delete an Okta Application",
+ "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "Attempt to Delete an Okta Application",
 "sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6",
 "type": "query",
@@ -6607,6 +6842,16 @@
 "version": 106
 },
 "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 205,
+ "rule_name": "Attempt to Delete an Okta Policy Rule",
+ "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Attempt to Delete an Okta Policy Rule",
 "sha256": "537f87bddcb81e9ba189e215fbb67e630dc5362f718cb3d8e57f843bd129033a",
 "type": "query",
@@ -6939,6 +7184,16 @@
 "version": 6
 },
 "e08ccd49-0380-4b2b-8d71-8000377d6e49": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 206,
+ "rule_name": "Attempts to Brute Force an Okta User Account",
+ "sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0",
+ "type": "threshold",
+ "version": 108
+ }
+ },
 "rule_name": "Attempts to Brute Force an Okta User Account",
 "sha256": "19b34876e0825396f2b8927609d08f7ba1b4401e0db2baf6f757df3fc826c18e",
 "type": "threshold",
@@ -7001,7 +7256,7 @@
 "e26f042e-c590-4e82-8e05-41e81bd822ad": {
 "min_stack_version": "8.12",
 "previous": {
- "8.10": {
+ "8.9": {
 "max_allowable_version": 211,
 "rule_name": "Suspicious .NET Reflection via PowerShell",
 "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
@@ -7088,6 +7343,16 @@
 "version": 2
 },
 "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 205,
+ "rule_name": "Attempt to Modify an Okta Network Zone",
+ "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Attempt to Modify an Okta Network Zone",
 "sha256": "6d57260382880fab2e20021bd0235b13974bf1bde3fcdb2fe4b85484ea80f4c6",
 "type": "query",
@@ -7130,6 +7395,16 @@
 "version": 107
 },
 "e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 204,
+ "rule_name": "Possible Okta DoS Attack",
+ "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "Possible Okta DoS Attack",
 "sha256": "065c5e51d3541a24ee401d4b9da8787e8fb858c1e89938d7f7fa8daf46e7199e",
 "type": "query",
@@ -7214,6 +7489,7 @@
 "version": 7
 },
 "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
+ "min_stack_version": "8.9",
 "rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
 "sha256": "5b1937ed0f1a2ea8d8b793ad31baa79ae277d949a84917d1c7a94395daa4a29b",
 "type": "eql",
@@ -7226,6 +7502,16 @@
 "version": 105
 },
 "e90ee3af-45fc-432e-a850-4a58cf14a457": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 206,
+ "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
+ "sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d",
+ "type": "threshold",
+ "version": 108
+ }
+ },
 "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
 "sha256": "6634f9bec3320679b3bd0b35bff114eac9820ee185c7345ca2d15e8cd1d53bce",
 "type": "threshold",
@@ -7336,19 +7622,19 @@
 "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
 "min_stack_version": "8.13",
 "previous": {
- "8.10": {
- "max_allowable_version": 208,
- "rule_name": "Mimikatz Memssp Log File Detected",
- "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
- "type": "eql",
- "version": 109
- },
 "8.11": {
 "max_allowable_version": 310,
 "rule_name": "Mimikatz Memssp Log File Detected",
 "sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140",
 "type": "eql",
 "version": 211
+ },
+ "8.9": {
+ "max_allowable_version": 208,
+ "rule_name": "Mimikatz Memssp Log File Detected",
+ "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
+ "type": "eql",
+ "version": 109
 }
 },
 "rule_name": "Mimikatz Memssp Log File Detected",
@@ -7405,6 +7691,16 @@
 "version": 112
 },
 "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 205,
+ "rule_name": "Attempt to Deactivate an Okta Application",
+ "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Attempt to Deactivate an Okta Application",
 "sha256": "6015ee3b4d4c29fbd1e06ca5bb2947716089acffc92c07d1e1ef36a3aace0a7c",
 "type": "query",
@@ -7423,6 +7719,16 @@
 "version": 5
 },
 "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 102,
+ "rule_name": "Okta FastPass Phishing Detection",
+ "sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932",
+ "type": "query",
+ "version": 3
+ }
+ },
 "rule_name": "Okta FastPass Phishing Detection",
 "sha256": "7957913d2c6870b3555352c9d5fff8bfa7ff001d9caf6ea1db026023c46d044c",
 "type": "query",
@@ -7495,6 +7801,16 @@
 "version": 107
 },
 "f06414a6-f2a4-466d-8eba-10f85e8abf71": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 204,
+ "rule_name": "Administrator Role Assigned to an Okta User",
+ "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "Administrator Role Assigned to an Okta User",
 "sha256": "129a8d5f0cd2075e7fe6a38059a5ddcd26d18f1d6b9d8b93950bf60863671395",
 "type": "query",
@@ -7821,6 +8137,16 @@
 "version": 9
 },
 "f994964f-6fce-4d75-8e79-e16ccc412588": {
+ "min_stack_version": "8.10",
+ "previous": {
+ "8.9": {
+ "max_allowable_version": 204,
+ "rule_name": "Suspicious Activity Reported by Okta User",
+ "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06",
+ "type": "query",
+ "version": 105
+ }
+ },
 "rule_name": "Suspicious Activity Reported by Okta User",
 "sha256": "248121396e46c80ff9a64d88848fd372e40eef61b3d43d31e6ef56a70477f392",
 "type": "query",
@@ -7847,19 +8173,19 @@
 "fa488440-04cc-41d7-9279-539387bf2a17": {
 "min_stack_version": "8.13",
 "previous": {
- "8.10": {
- "max_allowable_version": 108,
- "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
- "type": "eql",
- "version": 9
- },
 "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
 "sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc",
 "type": "eql",
 "version": 111
+ },
+ "8.9": {
+ "max_allowable_version": 108,
+ "rule_name": "Suspicious Antimalware Scan Interface DLL",
+ "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
+ "type": "eql",
+ "version": 9
 }
 },
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
@@ -7928,6 +8254,7 @@
 "version": 1
 },
 "fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
+ "min_stack_version": "8.9",
 "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
 "sha256": "100db09c2d29764aa7b946d7b316cc9a17183ce57593ca72f84d578faa490b68",
 "type": "new_terms",
@@ -8018,12 +8345,14 @@
 "version": 5
 },
 "ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
+ "min_stack_version": "8.9",
 "rule_name": "Cron Job Created or Modified",
 "sha256": "8b90331ba2cd07c2de41d17ca68bee336ea36c749c9c78f7dc5187704d786cc4",
 "type": "eql",
 "version": 11
 },
 "ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
+ "min_stack_version": "8.9",
 "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
 "sha256": "f2663204a55cb4e897803fbc5d1f136637511d520fa0c559bf7234323858ab5e",
 "type": "query",
diff --git a/docs/versioning.md b/docs/versioning.md
index 3b6d212fe..120c88b70 100644
--- a/docs/versioning.md
+++ b/docs/versioning.md
@@ -4,22 +4,22 @@ This document provides detailed information about the different versions that ar
 ## Current Version
-The current version of prebuilt detection rules is `v8.15`.
+The current version of prebuilt detection rules is `v8.14`.
 ## Previous Versions Released
 The following version(s) are released along with the current version.
-- `v8.14`
 - `v8.13`
 - `v8.12`
+- `v8.11`
 ### Previous Versions Maintained
 The following version(s) are maintained along with the current version.
-- `v8.11`
 - `v8.10`
+- `v8.9`
 ## End of Life Policy
diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
index 6ef420d4e..0d26d2a0a 100644
--- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
@@ -2,18 +2,20 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Nick Jones", "Elastic"]
 description = """
 An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time
-a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue`
-or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are
-setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An
-adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely
-on the compromised service's IAM role to access the secrets in Secrets Manager.
+a specific user identity has programmatically retrieved a secret value from Secrets Manager using the
+`GetSecretValue` or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2
+instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets
+Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other
+service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.
 """
 false_positives = [
 """
diff --git a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
index f549188c2..6a461c5fd 100644
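Review bot: `updated_date` moves backwards in this metadata hunk, from "2024/07/23" to "2024/05/21", while the same block gains `min_stack_comments` and `min_stack_version` in this very change. If this is a mechanical revert of an earlier version bump the older date is expected, but if `updated_date` is meant to record the rule's last modification it should carry the date of this change instead. The same backwards move appears in every other rules/integrations metadata hunk of this diff (the remaining aws files, both cloud_defend files and the okta files), so whichever reading is right should be applied uniformly.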
--- a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
+++ b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/06"
 [rule]
 author = ["Elastic"]
@@ -73,7 +75,7 @@ references = [
 "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
 "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
 "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum",
- "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html",
+ "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html"
 ]
 risk_score = 47
 rule_id = "185c782e-f86a-11ee-9d9f-f661ea17fbce"
diff --git a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
index b77b7bdd9..49991c235 100644
--- a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
+++ b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/06/03"
 [rule]
 author = ["Elastic"]
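Review bot: The trailing comma after the last `references` entry is dropped in the second hunk of this file (`"https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html"`), while the `false_positives` array in persistence_lambda_backdoor_invoke_function_for_any_principal.toml is rewritten with a trailing comma in the same change. Both spellings are valid TOML, but the diff now carries two conventions for multi-line arrays; the trailing-comma form is the one that keeps a later appended entry to a one-line diff. The same drop appears in the `references` hunks of execution_lambda_external_layer_added_to_function.toml and both persistence_iam_roles_anywhere files. If these files are emitted by the repository's rule formatter, its output should decide, but then all four arrays should agree with it.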
@@ -28,6 +30,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "AWS Systems Manager SecureString Parameter Request with Decryption Flag"
 note = """
+
 ## Triage and Analysis
 ### Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
index 00d6eb47d..2a418c92b 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/09"
 [rule]
 author = ["Elastic"]
@@ -27,6 +29,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "AWS S3 Bucket Expiration Lifecycle Configuration Added"
 note = """
+
 ## Triage and Analysis
 ### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added
diff --git a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
index 305ae622f..68e331cd8 100644
--- a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
+++ b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/28"
 [rule]
 author = ["Elastic"]
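Review bot: The blank line added right after `note = """` changes the value of `note`, not only its layout: TOML trims just the newline that immediately follows the opening `"""`, so the string now starts with "\n" before `## Triage and Analysis`. The other form used in this same diff, `note = """` followed directly by `## Triage and Analysis` (vpc security group, lambda backdoor and ec2 instance connect files), is value-neutral and is the one to keep unless the rule loader is known to strip leading whitespace. The same blank line is inserted into `note` in defense_evasion_s3_bucket_lifecycle_expiration_added.toml, execution_lambda_external_layer_added_to_function.toml, exfiltration_s3_bucket_policy_added_for_external_account_access.toml (and into its `setup` string) and both persistence_iam_roles_anywhere files.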
@@ -25,7 +27,8 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Insecure AWS EC2 VPC Security Group Ingress Rule Added"
-note = """## Triage and Analysis
+note = """
+## Triage and Analysis
 ### Investigating Insecure AWS EC2 VPC Security Group Ingress Rule Added
diff --git a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
index edd6adb37..bb931db93 100644
--- a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
+++ b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/28"
 [rule]
 author = ["Elastic"]
@@ -19,6 +21,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "AWS Lambda Layer Added to Existing Function"
 note = """
+
 ## Triage and Analysis
 ### Investigating AWS Lambda Layer Added to Existing Function
@@ -58,7 +61,7 @@ For further guidance on managing Lambda functions and securing AWS environments,
 references = [
 "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence",
 "https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html",
- "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html",
+ "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html"
 ]
 risk_score = 21
 rule_id = "7d091a76-0737-11ef-8469-f661ea17fbcc"
diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
index 814222060..de6ffb8f6 100644
--- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
+++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/29"
 [rule]
 author = ["Elastic"]
@@ -23,6 +25,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "AWS S3 Bucket Policy Added to Share with External Account"
 note = """
+
 ## Triage and Analysis
 ### Investigating AWS S3 Bucket Policy Change to Share with External Account
@@ -62,6 +65,7 @@ references = [
 risk_score = 47
 rule_id = "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce"
 setup = """
+
 ## Setup
 S3 data event types must be collected in the AWS CloudTrail logs. Please refer to [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) for more information.
@@ -99,4 +103,3 @@ reference = "https://attack.mitre.org/techniques/T1537/"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-
diff --git a/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml b/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
index a32e91109..b78ef5fb5 100644
--- a/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
+++ b/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/14"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
index 1d800bd68..de2c9e7b1 100644
--- a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
+++ b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/06/03"
 [rule]
 author = ["Elastic"]
@@ -26,6 +28,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Roles Anywhere Profile Creation"
 note = """
+
 ## Triage and Analysis
 ### Investigating AWS IAM Roles Anywhere Profile Creation
@@ -65,7 +68,7 @@ references = [
 "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
 "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-iam-roles-anywhere-trust-anchor-created/",
 "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
- "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html",
+ "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html"
 ]
 risk_score = 21
 rule_id = "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce"
diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
index d55e1007a..4b861a95d 100644
--- a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
+++ b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/06/03"
 [rule]
 author = ["Elastic"]
@@ -27,6 +29,7 @@ language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Roles Anywhere Trust Anchor Created with External CA"
 note = """
+
 ## Triage and Analysis
 ### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA
@@ -65,7 +68,7 @@ For further guidance on managing IAM Roles Anywhere and securing AWS environment
 references = [
 "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
 "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
- "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html",
+ "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html"
 ]
 risk_score = 47
 rule_id = "71de53ea-ff3b-11ee-b572-f661ea17fbce"
diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
index 7bc76bfde..bcb5afe62 100644
--- a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
+++ b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/28"
 [rule]
 author = ["Elastic"]
@@ -12,14 +14,17 @@ the `AddPermission` API call with the `Principal` set to `*` which allows any AW
 Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code.
 """
-false_positives = ["Lambda function owners may legitimately update the function policy to allow public invocation."]
+false_positives = [
+ "Lambda function owners may legitimately update the function policy to allow public invocation.",
+]
 from = "now-60m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Lambda Function Policy Updated to Allow Public Invocation"
-note = """## Triage and Analysis
+note = """
+## Triage and Analysis
 ### Investigating AWS Lambda Function Policy Updated to Allow Public Invocation
diff --git a/rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
index 1e152b855..192f021e8 100644
--- a/rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
+++ b/rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/06/03"
 [rule]
 author = ["Elastic"]
@@ -18,7 +20,8 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Instance Connect SSH Public Key Uploaded"
-note = """## Triage and Analysis
+note = """
+## Triage and Analysis
 ### Investigating AWS EC2 Instance Connect SSH Public Key Uploaded
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index a9ae9733a..a829a60fe 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/05/21"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
index 84a94f11e..4cf8e6fd7 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "New field added to ecs : container.security_context.privileged"
+min_stack_version = "8.10.0"
+updated_date = "2024/01/05"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
index b8ce04a31..b31bbb7fb 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "New field added to ecs : container.security_context.privileged"
+min_stack_version = "8.10.0"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 9c8bc89db..ea7727195 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 784415774..41faf63df 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2024/01/05"
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -62,8 +64,8 @@ risk_score = 47 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49" severity = "medium" tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"] -timestamp_override = "event.ingested" type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:okta.system and event.action:user.account.lock diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml index 97acf978e..a37c44ed5 100644 --- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml +++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml @@ -2,7 +2,9 @@ creation_date = "2023/11/10" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/12/05" [rule] author = ["Elastic"] 
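Review bot: `type = "threshold"` is now placed ahead of `timestamp_override = "event.ingested"` in credential_access_attempts_to_brute_force_okta_user_account.toml, which breaks the alphabetical key order the rest of this `[rule]` table keeps (`risk_score`, `rule_id`, `severity`, `tags`, then `timestamp_override`, `type`). The same swap is made in credential_access_okta_brute_force_or_password_spraying.toml and defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml, while the `type = "query"` rules in this commit leave `timestamp_override` first. If these files are emitted by a serializer this looks like an older key ordering; otherwise restore `timestamp_override = "event.ingested"` followed by `type = "threshold"`.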
@@ -89,22 +91,21 @@ framework = "MITRE ATT&CK" id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" -[[rule.threat.technique.subtechnique]] -id = "T1110.003" -name = "Password Spraying" -reference = "https://attack.mitre.org/techniques/T1110/003/" + [[rule.threat.technique.subtechnique]] + id = "T1110.003" + name = "Password Spraying" + reference = "https://attack.mitre.org/techniques/T1110/003/" [[rule.threat.technique]] id = "T1110" name = "Brute Force" reference = "https://attack.mitre.org/techniques/T1110/" -[[rule.threat.technique.subtechnique]] -id = "T1110.004" -name = "Credential Stuffing" -reference = "https://attack.mitre.org/techniques/T1110/004/" - + [[rule.threat.technique.subtechnique]] + id = "T1110.004" + name = "Credential Stuffing" + reference = "https://attack.mitre.org/techniques/T1110/004/" [rule.threat.tactic] id = "TA0006" diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml index 028c53515..90a04039a 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -2,7 +2,9 @@ creation_date = "2020/07/16" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -62,8 +64,8 @@ risk_score = 47 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0" severity = "medium" tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"] -timestamp_override = "event.ingested" type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:okta.system and event.category:authentication and event.outcome:failure 
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index 4928a9685..cb94c0ab0 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/11/27"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
index 3805fbaab..99463df31 100644
--- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/11/27"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index ad52a9a46..2fd57af1d 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,7 +2,9 @@ creation_date = "2022/03/22" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml index ce7bba717..856ad4b93 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] @@ -62,12 +64,7 @@ references = [ risk_score = 47 rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1" severity = "medium" -tags = [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion", -] +tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml index 46ef83fbb..81e9923cb 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml 
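Review bot: The rewritten `tags` in defense_evasion_attempt_to_deactivate_okta_network_zone.toml puts four elements on one line of roughly 130 characters, which is at odds with initial_access_new_authentication_behavior_detection.toml later in this commit, where a three-element `tags` array is expanded to one element per line. The same collapse is made in defense_evasion_attempt_to_delete_okta_network_zone.toml and defense_evasion_okta_attempt_to_modify_okta_network_zone.toml. One wrapping rule for arrays should apply across the tree; the expanded form with a trailing comma, which the old side of this hunk already had, is the one that keeps a later added tag to a one-line diff.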
@@ -2,7 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] @@ -62,12 +64,7 @@ references = [ risk_score = 47 rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad" severity = "medium" -tags = [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion", -] +tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml index acd680fa6..299402106 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index 36613952a..b8808bd73 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml 
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index cce0b1165..3eacae43c 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index ed5c99bdb..a4d1686a6 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 59904f601..46d6272fc 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] @@ -68,12 +70,7 @@ references = [ risk_score = 47 rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3" severity = "medium" -tags = [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Network Security Monitoring", - "Tactic: Defense Evasion", -] +tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml index c41eaf5ac..396b1a511 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index aaa03a77d..ed6f28598 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml 
@@ -2,7 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 81b03d599..4155e2adb 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -2,7 +2,9 @@ creation_date = "2020/08/19" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2024/01/05" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -52,6 +54,7 @@ This rule is designed to detect a suspiciously high number of password reset or The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ + references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", @@ -61,8 +64,8 @@ risk_score = 47 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457" severity = "medium" tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"] -timestamp_override = "event.ingested" type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:okta.system and diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml index 4206790ee..d8a9dbacb 100644 
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml +++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] @@ -48,6 +50,7 @@ The rule alerts when attempts are made to revoke an Okta API token. The API toke The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ + references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml index bb616b52b..e50772963 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml @@ -2,7 +2,9 @@ creation_date = "2020/11/06" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" [rule] author = ["Elastic"] @@ -20,7 +22,8 @@ index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Attempt to Deactivate an Okta Application" -note = """## Triage and analysis +note = """ +## Triage and analysis ### Investigating Attempt to Deactivate an Okta Application diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml index 491434bdc..f7a58cf61 100644 
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 54eebeb0a..c1d8d4462 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index df11b192b..50fbb993e 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index c43477fdb..40fc9df68 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml +++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml @@ -2,7 +2,9 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/11/07" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml index 7cf72503b..72f8d4059 100644 --- a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml +++ b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml @@ -2,7 +2,9 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/11/07" [rule] author = ["Elastic"] @@ -54,13 +56,15 @@ references = [ risk_score = 47 rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd" severity = "medium" -tags = ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"] +tags = [ + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Data Source: Okta", +] timestamp_override = "event.ingested" type = "query" -query = ''' -event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* -''' +query = '''event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*''' [[rule.threat]] diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml index 054c5ca07..e67cf18bd 100644 
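Review bot: `query = '''event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*'''` places the KQL on the delimiter line in initial_access_new_authentication_behavior_detection.toml, whereas every other `query` in this commit keeps the body on its own lines between `'''` and `'''` (for example credential_access_okta_brute_force_or_password_spraying.toml). Keep the multi-line form so the rule files stay uniform and a future edit to the query does not also touch the delimiters. The string value differs from the old one only by the leading and trailing newline; presumably the rule loader strips those before the query is compared or shipped, but that is worth confirming since this is the only rule written this way.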
--- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml +++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml @@ -2,11 +2,16 @@ creation_date = "2023/05/07" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/11/07" [rule] author = ["Austin Songer"] -description = "Detects when Okta FastPass prevents a user from authenticating to a phishing website.\n" +description = """ +Detects when Okta FastPass prevents a user from authenticating to a phishing website. +""" + index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" @@ -23,7 +28,7 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" ] risk_score = 47 rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e" @@ -50,4 +55,3 @@ reference = "https://attack.mitre.org/techniques/T1566/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml index cca876385..1065307a1 100644 --- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml 
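Review bot: The trailing comma after the last `references` element (`"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"`) is removed in initial_access_okta_fastpass_phishing.toml, and again in lateral_movement_multiple_sessions_for_single_user.toml, while the other multi-line arrays in this commit keep theirs. The trailing comma is what lets a later appended reference show up as a one-line diff; either drop this change or apply it consistently. The same file also gains a blank line between `description` and `index` inside `[rule]`, which no neighbouring rule has.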
@@ -2,7 +2,9 @@
 creation_date = "2021/05/14"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index a752278a6..179c342c0 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/11/06"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index d029b99e5..0edfa5597 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index 31391fa33..bd2b55415 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml @@ -2,19 +2,22 @@ creation_date = "2023/11/07" integration = ["okta"] maturity = "production" -updated_date = "2024/07/23" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/11/07" + [rule] author = ["Elastic"] description = """ -Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may -indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a -different location. +Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location. """ -false_positives = ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."] +false_positives = [ + "A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.", +] from = "now-30m" -index = ["filebeat-*", "logs-okta*"] interval = "60m" +index = ["filebeat-*", "logs-okta*"] language = "kuery" license = "Elastic License v2" name = "Multiple Okta Sessions Detected for a Single User" @@ -25,7 +28,7 @@ references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" ] risk_score = 47 rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd" 
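Review bot: `interval = "60m"` is moved above `index = ["filebeat-*", "logs-okta*"]` in lateral_movement_multiple_sessions_for_single_user.toml, breaking the alphabetical key order the other `[rule]` tables in this commit follow (`from`, `index`, `interval`, `language` in the AWS rules above). Keep `index` before `interval`. The same hunk appears to add a second blank line between the `[metadata]` keys and `[rule]` and joins the `description` paragraph into a single line of roughly 250 characters, neither of which matches the neighbouring files; if a formatter produced this, its settings differ from the one used for the rest of the tree.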
@@ -33,26 +36,24 @@ severity = "medium" tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"] timestamp_override = "event.ingested" type = "threshold" - query = ''' event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:* - and not (okta.actor.id: okta* or okta.actor.display_name: okta*) + and not (okta.actor.id: okta* or okta.actor.display_name: okta*) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" + [[rule.threat.technique.subtechnique]] id = "T1550.004" name = "Web Session Cookie" reference = "https://attack.mitre.org/techniques/T1550/004/" - - [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" @@ -61,8 +62,8 @@ reference = "https://attack.mitre.org/tactics/TA0008/" [rule.threshold] field = ["okta.actor.id"] value = 1 + [[rule.threshold.cardinality]] field = "okta.authentication_context.external_session_id" value = 3 - diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml index 163765359..007370eca 100644 --- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml +++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml @@ -2,8 +2,10 @@ creation_date = "2020/05/21" integration = ["okta"] maturity = "production" +min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" +min_stack_version = "8.10.0" +updated_date = "2023/10/24" promotion = true -updated_date = "2024/07/23" [rule] author = ["Elastic"] diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 41a42b3ea..3d6cc61ca 100644 
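Review bot: In okta_threatinsight_threat_suspected_promotion.toml the three inserted metadata keys land before `promotion = true`, so `updated_date = "2023/10/24"` now precedes `promotion` and this is the only `[metadata]` table in the commit that is not alphabetically ordered. Move `promotion = true` between `min_stack_version = "8.10.0"` and `updated_date = "2023/10/24"`. The old side of the hunk had the keys in order, so this is a regression from the insertion point rather than a pre-existing quirk.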
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 509a3b9c5..e43376c7a 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index 21dae60ef..e4747856d 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index ba2223c67..e80120621 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
index edbca91a4..ef170cd0c 100644
--- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/12/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
index 4192b2904..512118891 100644
--- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
+++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
@@ -2,13 +2,14 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/11/06"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within
-Okta.
+Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.
 """
 from = "now-30m"
 index = ["filebeat-*", "logs-okta*"]
@@ -54,6 +55,7 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://unit42.paloaltonetworks.com/muddled-libra/",
+
 ]
 risk_score = 47
 rule_id = "29b53942-7cd4-11ee-b70e-f661ea17fbcd"
@@ -66,22 +68,20 @@ query = '''
 event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS"
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1556.007"
 name = "Hybrid Identity"
 reference = "https://attack.mitre.org/techniques/T1556/007/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
+reference = "https://attack.mitre.org/tactics/TA0003/"
\ No newline at end of file
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index b751ae40e..393117f63 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
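Review bot: The joined description line `+Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.` is 121 characters, one over the 120-column wrap that the removed two-line form and the other re-wrapped descriptions in this diff respect, so a formatter run will split it again. Keep the two-line form, ending the first line at `within` and starting the second with `Okta.`. The `[rule]` table this description belongs to continues past the hunk.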
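Review bot: The line added to the `references` array is empty, leaving a blank line between `"https://unit42.paloaltonetworks.com/muddled-libra/",` and `]`; it parses, but it is noise that a formatter will strip again on the next touch. Drop the added line so the array closes directly after the last URL. The enclosing `[rule]` table starts outside this hunk.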
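Review bot: The new side of the last hunk ends at `+reference = "https://attack.mitre.org/tactics/TA0003/"` with `\ No newline at end of file`, whereas every other rule file in this diff keeps a terminating newline; the missing newline will reappear as a spurious one-line change the next time the file is edited. Keep the final newline on the `reference` line; the trailing blank line that was removed alongside it is not needed.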
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/01"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index a4901c38e..542cf5ae6 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
+min_stack_version = "8.10.0"
+updated_date = "2023/11/10"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
index 7a2ef3b84..056dc2937 100644
--- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
+++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/07/18"
 
 [transform]
 [[transform.osquery]]
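Review bot: The restored `min_stack_comments` justifies `min_stack_version = "8.6.0"` with multiple-field support in New Terms rules, but this rule's `value = ["process.executable"]` in its later `[rule.new_terms]` hunk names a single field, so the stated reason does not match the rule as written. If 8.6 is genuinely required for some other feature the comment should name it; otherwise the applicable floor appears to be the one the systemd rule in this same diff uses, `min_stack_version = "8.4.0"` with the comment that the New Terms rule type itself was added in 8.4. The pam-grantor rule in this diff carries the same comment but lists two fields, so it is not affected.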
@@ -34,10 +36,10 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes"
 author = ["Elastic"]
 description = """
 This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious
-directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of
-unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a
-command and control server. Detecting and investigating such behavior can help identify and mitigate potential security
-threats, protecting the system and its data from potential compromise.
+directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution
+of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such
+as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential
+security threats, protecting the system and its data from potential compromise.
 """
 from = "now-59m"
 index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"]
@@ -200,15 +202,14 @@ not destination.ip:(
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -217,8 +218,7 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-20d"
-
-
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index 456ee5921..bd76cff86 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
@@ -2,20 +2,22 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/07/18"
 
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve File Listing Information"
 query = """
-SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'
-OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE
-'/var/spool/cron/crontabs/%')
+SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE
+'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE
+'/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')
 """
 
 [[transform.osquery]]
 label = "Osquery - Retrieve Cron File Information"
-query = "SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\n"
+query = """
+SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')
+"""
 
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
@@ -48,7 +50,6 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -175,7 +176,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 file where host.os.type == "linux" and
 event.action in ("rename", "creation") and file.path : (
@@ -207,56 +207,56 @@ event.action in ("rename", "creation") and file.path : (
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml
index 505f5f00c..ed5a45ca2 100644
--- a/rules/linux/persistence_systemd_service_started.toml
+++ b/rules/linux/persistence_systemd_service_started.toml
@@ -2,25 +2,46 @@
 creation_date = "2024/05/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2024/05/17"
 
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve File Listing Information"
 query = """
-SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE
-'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )
+SELECT * FROM file WHERE (
+path LIKE '/etc/systemd/system/%' OR
+path LIKE '/usr/local/lib/systemd/system/%' OR
+path LIKE '/lib/systemd/system/%' OR
+path LIKE '/usr/lib/systemd/system/%' OR
+path LIKE '/home/user/.config/systemd/user/%'
+)
 """
 
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
-file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
-file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
-JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE
-'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path
-LIKE '/home/{{user.name}}/.config/systemd/user/%' )
+SELECT
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+ LEFT JOIN users u ON f.uid = u.uid
+ LEFT JOIN groups g ON f.gid = g.gid
+WHERE (
+path LIKE '/etc/systemd/system/%' OR
+path LIKE '/usr/local/lib/systemd/system/%' OR
+path LIKE '/lib/systemd/system/%' OR
+path LIKE '/usr/lib/systemd/system/%' OR
+path LIKE '/home/{{user.name}}/.config/systemd/user/%'
+)
 """
 
 [[transform.osquery]]
@@ -47,11 +68,10 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
-
 [rule]
 author = ["Elastic"]
 description = """
-Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious
+Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious
 actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious
 commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional
 malicious activities, or evade detection.
@@ -134,7 +154,7 @@ This rule monitors the execution of the systemctl binary to start, enable or ree
 """
 references = [
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage",
- "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
 ]
 risk_score = 47
 rule_id = "b605f262-f7dc-41b5-9ebc-06bafe7a83b6"
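Review bot: The rewritten first osquery query keeps a literal home directory in `+path LIKE '/home/user/.config/systemd/user/%'`, while the second query in the same hunk substitutes the alert's user with `+path LIKE '/home/{{user.name}}/.config/systemd/user/%'`; on a host with no account named `user` the first query never inspects the per-user unit directory it is meant to list. If the `{{user.name}}` placeholder is available to this query as it is to the next one, change the line to `path LIKE '/home/{{user.name}}/.config/systemd/user/%'`. The placeholder itself is not something this diff introduces, so its substitution behaviour should be confirmed against the investigation-guide tooling.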
@@ -165,16 +185,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend",
-]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and
@@ -193,37 +212,37 @@ not (
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
@@ -232,8 +251,7 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-
diff --git a/rules/linux/persistence_unusual_pam_grantor.toml b/rules/linux/persistence_unusual_pam_grantor.toml
index 2fee0dc96..94635f5bf 100644
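Review bot: The rewritten `tags` array closes with an indented `+ ]` and drops the trailing comma after `"Data Source: Elastic Defend"`, whereas the removed form and the `tags` arrays of the other rule files in this diff close at column 0 with a trailing comma; the `references` hunk above makes the same trailing-comma change. The values are untouched, so this is placement only, but a formatter pass will undo it and produce a noisy diff. Keep `]` at column 0 and restore the comma, `"Data Source: Elastic Defend",`.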
--- a/rules/linux/persistence_unusual_pam_grantor.toml
+++ b/rules/linux/persistence_unusual_pam_grantor.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/03/06"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2024/03/06"
 
 [rule]
 author = ["Elastic"]
@@ -41,33 +43,32 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 event.category:authentication and host.os.type:linux and event.action:authenticated and event.outcome:success and auditd.data.grantors:(* and not (pam_rootok or *pam_cap* or *pam_permit*))
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
@@ -76,8 +77,7 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["auditd.data.grantors", "agent.id"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/discovery_userdata_request_from_ec2_instance.toml b/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
index 86698b837..b00fc3db0 100644
--- a/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
+++ b/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/04/14"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.9.0"
+updated_date = "2024/06/10"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +35,7 @@ tags = [
 "Data Source: Amazon EC2",
 "Use Case: Log Auditing",
 "Tactic: Discovery",
- "Rule Type: BBR",
+ "Rule Type: BBR"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules_building_block/execution_aws_lambda_function_updated.toml b/rules_building_block/execution_aws_lambda_function_updated.toml
index 134b5db50..4e6bcfea4 100644
--- a/rules_building_block/execution_aws_lambda_function_updated.toml
+++ b/rules_building_block/execution_aws_lambda_function_updated.toml
@@ -1,9 +1,11 @@
 [metadata]
-bypass_bbr_timing = true
 creation_date = "2024/04/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
+updated_date = "2024/04/20"
+bypass_bbr_timing = true
 
 [rule]
 author = ["Elastic"]
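Review bot: `bypass_bbr_timing = true` is moved from the first line of `[metadata]` to after `updated_date`, which breaks the alphabetical key order that every other `[metadata]` hunk in this diff keeps (`creation_date`, `integration`, `maturity`, `min_stack_comments`, `min_stack_version`, `updated_date`); the value itself is unchanged, so the `-bypass_bbr_timing = true` / `+bypass_bbr_timing = true` pair is pure placement. Leave the key where it was, directly under `[metadata]`, so that a later formatter run does not reorder it and mask the real change to `min_stack_version`.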