Lock versions for releases: 8.18,8.19,9.0,9.1 (#4960)
committed by
GitHub
parent
80e44d0fb8
commit
c210a88b1f
@@ -991,9 +991,9 @@
|
||||
},
|
||||
"181f6b23-3799-445e-9589-0018328a9e46": {
|
||||
"rule_name": "Script Execution via Microsoft HTML Application",
|
||||
"sha256": "01dda1376728fe6955188499cabdad513ced58430a823ed0efa060d3e3e4fd42",
|
||||
"sha256": "8e9050616bc785d696c0a88bef0934bebc593c6d8d175e23e21d7e9021e4a63b",
|
||||
"type": "eql",
|
||||
"version": 205
|
||||
"version": 206
|
||||
},
|
||||
"183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
|
||||
"rule_name": "Simple HTTP Web Server Connection",
|
||||
@@ -2454,10 +2454,10 @@
|
||||
"version": 4
|
||||
},
|
||||
"3fac01b2-b811-11ef-b25b-f661ea17fbce": {
|
||||
"rule_name": "Azure Entra MFA TOTP Brute Force Attempts",
|
||||
"sha256": "096663ac4f2f65728b65859267b7a5df52cae07f45541fc4df53d7d2c0162a1c",
|
||||
"rule_name": "Microsoft Entra ID MFA TOTP Brute Force Attempts",
|
||||
"sha256": "00ca74cbcb463e4aab75e6f1c2caa5279929ef6c8c0ecc91e21716ab9f885a48",
|
||||
"type": "esql",
|
||||
"version": 2
|
||||
"version": 3
|
||||
},
|
||||
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
|
||||
"rule_name": "DNF Package Manager Plugin File Creation",
|
||||
@@ -3245,6 +3245,12 @@
|
||||
"type": "eql",
|
||||
"version": 318
|
||||
},
|
||||
"5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": {
|
||||
"rule_name": "Unusual Web Config File Access",
|
||||
"sha256": "b794e93559c621d6e245068b3dbad5a07ac97d1e4cdfd00b3083ca2c15ae8594",
|
||||
"type": "new_terms",
|
||||
"version": 1
|
||||
},
|
||||
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
|
||||
"rule_name": "RDP Enabled via Registry",
|
||||
"sha256": "8d8c264f3c828e6bbfef2b4d20ae146ff9be9f011e3755c642210ed001c6c1a8",
|
||||
@@ -4157,6 +4163,13 @@
|
||||
"type": "query",
|
||||
"version": 211
|
||||
},
|
||||
"70558fd5-6448-4c65-804a-8567ce02c3a2": {
|
||||
"min_stack_version": "8.18",
|
||||
"rule_name": "Google SecOps External Alerts",
|
||||
"sha256": "3875d92943fd3bd7e6de3c62cedde504db8217fbfd89d59c6a6e5afa159386d3",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
|
||||
"rule_name": "Suspicious Execution via MSIEXEC",
|
||||
"sha256": "65980fe1ae4be0bcb253357e4e833ea08e6cf9acc68b212beaf62c43948c1e50",
|
||||
@@ -4217,6 +4230,13 @@
|
||||
"type": "query",
|
||||
"version": 5
|
||||
},
|
||||
"720fc1aa-e195-4a1d-81d8-04edfe5313ed": {
|
||||
"min_stack_version": "8.18",
|
||||
"rule_name": "Elastic Security External Alerts",
|
||||
"sha256": "422e82deeff98279777d95dbf0ed16eaf90b3bb1c5a3950ad92a7fff136b9406",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
|
||||
"rule_name": "Microsoft 365 Potential ransomware activity",
|
||||
"sha256": "efcdb7e0993e29ec64fe324c23c28c6b84a1994689b6ebab3cc2d46a4740d321",
|
||||
@@ -4283,6 +4303,13 @@
|
||||
"type": "eql",
|
||||
"version": 215
|
||||
},
|
||||
"74147312-ba03-4bea-91d1-040d54c1e8c3": {
|
||||
"min_stack_version": "8.18",
|
||||
"rule_name": "Microsoft Sentinel External Alerts",
|
||||
"sha256": "a34a03f8ae7aa0e2dd7e603598ea2a6ce21901318fe406e2e71b9bb9a42f8d8f",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
|
||||
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
|
||||
"sha256": "ddf21d53d6b8b8924b7cd9e99aa28d4f195a780f81fedcabd802cfa7f5eb3443",
|
||||
@@ -5697,6 +5724,13 @@
|
||||
"type": "eql",
|
||||
"version": 209
|
||||
},
|
||||
"9b35422b-9102-45a9-8610-2e0c22281c55": {
|
||||
"min_stack_version": "8.18",
|
||||
"rule_name": "SentinelOne Alert External Alerts",
|
||||
"sha256": "68730c7058c78efbdb1fa839ed203894407fe046b9db371d79697927d04df699",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
|
||||
"rule_name": "Persistence via WMI Event Subscription",
|
||||
"sha256": "c41ecc6deef7ce4de642b215d877cca87c3bdd1c8dbbddece705c8d211f78b82",
|
||||
@@ -6346,6 +6380,13 @@
|
||||
"type": "new_terms",
|
||||
"version": 13
|
||||
},
|
||||
"aeebe561-c338-4118-9924-8cb4e478aa58": {
|
||||
"min_stack_version": "8.18",
|
||||
"rule_name": "CrowdStrike External Alerts",
|
||||
"sha256": "3ed638538030b56001a17551427ce3c28872dc46cc8d25eaf05b09d40b3973c6",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"af1e36fe-0abd-4463-b5ec-4e276dec0b26": {
|
||||
"rule_name": "Linux Telegram API Request",
|
||||
"sha256": "6ac91d1a303eaa48227d0640d61daf8090249c5177fec04c8eab7eef3e42a2c6",
|
||||
@@ -7583,6 +7624,13 @@
|
||||
"type": "eql",
|
||||
"version": 107
|
||||
},
|
||||
"d3b6222f-537e-4b84-956a-3ebae2dcf811": {
|
||||
"min_stack_version": "8.18",
|
||||
"rule_name": "Splunk External Alerts",
|
||||
"sha256": "f378f24577665171fd3b33d5b1172def6d1fa3fa89da6e34e50c43d6f969e922",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"d43f2b43-02a1-4219-8ce9-10929a32a618": {
|
||||
"rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
|
||||
"sha256": "eaeaebdaa3240798af533bd1db03a445ea59bf9841b14a82684a4de790cf0c2b",
|
||||
@@ -8195,6 +8243,13 @@
|
||||
"type": "eql",
|
||||
"version": 218
|
||||
},
|
||||
"e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1": {
|
||||
"min_stack_version": "8.18",
|
||||
"rule_name": "SentinelOne Threat External Alerts",
|
||||
"sha256": "187f393346f1e5ce97e9a11d3cb68a3d26efed06da5070cba9858bb5e01bef6e",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
|
||||
"rule_name": "First Time Seen NewCredentials Logon Process",
|
||||
"sha256": "1427e75700829bf8f8c5f393c446556c02e5016d04293bca9c2112a6d88fc352",
|
||||
@@ -8676,10 +8731,10 @@
|
||||
"version": 105
|
||||
},
|
||||
"f0cc239b-67fa-46fc-89d4-f861753a40f5": {
|
||||
"rule_name": "Microsoft Azure or Mail Sign-in from a Suspicious Source",
|
||||
"sha256": "4fd69243a3f405a2fc8dac28257d472860062369ad573cd79c1e6fc5b6add7a7",
|
||||
"rule_name": "Microsoft 365 or Entra ID Sign-in from a Suspicious Source",
|
||||
"sha256": "1c82a2568d10fea4868e5657b9934f3be6431843d1a284c5dde1fff807ea002e",
|
||||
"type": "esql",
|
||||
"version": 2
|
||||
"version": 3
|
||||
},
|
||||
"f0dbff4c-1aa7-4458-9ed5-ada472f64970": {
|
||||
"rule_name": "dMSA Account Creation by an Unusual User",
|
||||
@@ -8767,9 +8822,9 @@
|
||||
},
|
||||
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
|
||||
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
|
||||
"sha256": "5377740b067e775623f0521c2d29b16c6652340c0b2039ef6eb7efd52d98693d",
|
||||
"sha256": "e3d5d22bf6f0e1c8cdf350e9585236e6eb414438bc033c531501c84f9d4d3681",
|
||||
"type": "eql",
|
||||
"version": 10
|
||||
"version": 11
|
||||
},
|
||||
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
|
||||
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
[project]
|
||||
name = "detection_rules"
|
||||
version = "1.3.20"
|
||||
version = "1.3.21"
|
||||
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.12"
|
||||
|
||||