diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 5feeedb04..106bc0f13 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -991,9 +991,9 @@
 },
 "181f6b23-3799-445e-9589-0018328a9e46": {
 "rule_name": "Script Execution via Microsoft HTML Application",
- "sha256": "01dda1376728fe6955188499cabdad513ced58430a823ed0efa060d3e3e4fd42",
+ "sha256": "8e9050616bc785d696c0a88bef0934bebc593c6d8d175e23e21d7e9021e4a63b",
 "type": "eql",
- "version": 205
+ "version": 206
 },
 "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
 "rule_name": "Simple HTTP Web Server Connection",
@@ -2454,10 +2454,10 @@
 "version": 4
 },
 "3fac01b2-b811-11ef-b25b-f661ea17fbce": {
- "rule_name": "Azure Entra MFA TOTP Brute Force Attempts",
- "sha256": "096663ac4f2f65728b65859267b7a5df52cae07f45541fc4df53d7d2c0162a1c",
+ "rule_name": "Microsoft Entra ID MFA TOTP Brute Force Attempts",
+ "sha256": "00ca74cbcb463e4aab75e6f1c2caa5279929ef6c8c0ecc91e21716ab9f885a48",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
 "rule_name": "DNF Package Manager Plugin File Creation",
@@ -3245,6 +3245,12 @@
 "type": "eql",
 "version": 318
 },
+ "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": {
+ "rule_name": "Unusual Web Config File Access",
+ "sha256": "b794e93559c621d6e245068b3dbad5a07ac97d1e4cdfd00b3083ca2c15ae8594",
+ "type": "new_terms",
+ "version": 1
+ },
 "58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
 "rule_name": "RDP Enabled via Registry",
 "sha256": "8d8c264f3c828e6bbfef2b4d20ae146ff9be9f011e3755c642210ed001c6c1a8",
@@ -4157,6 +4163,13 @@
 "type": "query",
 "version": 211
 },
+ "70558fd5-6448-4c65-804a-8567ce02c3a2": {
+ "min_stack_version": "8.18",
+ "rule_name": "Google SecOps External Alerts",
+ "sha256": "3875d92943fd3bd7e6de3c62cedde504db8217fbfd89d59c6a6e5afa159386d3",
+ "type": "query",
+ "version": 1
+ },
 "708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
 "rule_name": "Suspicious Execution via MSIEXEC",
 "sha256": "65980fe1ae4be0bcb253357e4e833ea08e6cf9acc68b212beaf62c43948c1e50",
@@ -4217,6 +4230,13 @@
 "type": "query",
 "version": 5
 },
+ "720fc1aa-e195-4a1d-81d8-04edfe5313ed": {
+ "min_stack_version": "8.18",
+ "rule_name": "Elastic Security External Alerts",
+ "sha256": "422e82deeff98279777d95dbf0ed16eaf90b3bb1c5a3950ad92a7fff136b9406",
+ "type": "query",
+ "version": 1
+ },
 "721999d0-7ab2-44bf-b328-6e63367b9b29": {
 "rule_name": "Microsoft 365 Potential ransomware activity",
 "sha256": "efcdb7e0993e29ec64fe324c23c28c6b84a1994689b6ebab3cc2d46a4740d321",
@@ -4283,6 +4303,13 @@
 "type": "eql",
 "version": 215
 },
+ "74147312-ba03-4bea-91d1-040d54c1e8c3": {
+ "min_stack_version": "8.18",
+ "rule_name": "Microsoft Sentinel External Alerts",
+ "sha256": "a34a03f8ae7aa0e2dd7e603598ea2a6ce21901318fe406e2e71b9bb9a42f8d8f",
+ "type": "query",
+ "version": 1
+ },
 "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
 "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
 "sha256": "ddf21d53d6b8b8924b7cd9e99aa28d4f195a780f81fedcabd802cfa7f5eb3443",
@@ -5697,6 +5724,13 @@
 "type": "eql",
 "version": 209
 },
+ "9b35422b-9102-45a9-8610-2e0c22281c55": {
+ "min_stack_version": "8.18",
+ "rule_name": "SentinelOne Alert External Alerts",
+ "sha256": "68730c7058c78efbdb1fa839ed203894407fe046b9db371d79697927d04df699",
+ "type": "query",
+ "version": 1
+ },
 "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
 "rule_name": "Persistence via WMI Event Subscription",
 "sha256": "c41ecc6deef7ce4de642b215d877cca87c3bdd1c8dbbddece705c8d211f78b82",
@@ -6346,6 +6380,13 @@
 "type": "new_terms",
 "version": 13
 },
+ "aeebe561-c338-4118-9924-8cb4e478aa58": {
+ "min_stack_version": "8.18",
+ "rule_name": "CrowdStrike External Alerts",
+ "sha256": "3ed638538030b56001a17551427ce3c28872dc46cc8d25eaf05b09d40b3973c6",
+ "type": "query",
+ "version": 1
+ },
 "af1e36fe-0abd-4463-b5ec-4e276dec0b26": {
 "rule_name": "Linux Telegram API Request",
 "sha256": "6ac91d1a303eaa48227d0640d61daf8090249c5177fec04c8eab7eef3e42a2c6",
@@ -7583,6 +7624,13 @@
 "type": "eql",
 "version": 107
 },
+ "d3b6222f-537e-4b84-956a-3ebae2dcf811": {
+ "min_stack_version": "8.18",
+ "rule_name": "Splunk External Alerts",
+ "sha256": "f378f24577665171fd3b33d5b1172def6d1fa3fa89da6e34e50c43d6f969e922",
+ "type": "query",
+ "version": 1
+ },
 "d43f2b43-02a1-4219-8ce9-10929a32a618": {
 "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
 "sha256": "eaeaebdaa3240798af533bd1db03a445ea59bf9841b14a82684a4de790cf0c2b",
@@ -8195,6 +8243,13 @@
 "type": "eql",
 "version": 218
 },
+ "e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1": {
+ "min_stack_version": "8.18",
+ "rule_name": "SentinelOne Threat External Alerts",
+ "sha256": "187f393346f1e5ce97e9a11d3cb68a3d26efed06da5070cba9858bb5e01bef6e",
+ "type": "query",
+ "version": 1
+ },
 "e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
 "rule_name": "First Time Seen NewCredentials Logon Process",
 "sha256": "1427e75700829bf8f8c5f393c446556c02e5016d04293bca9c2112a6d88fc352",
@@ -8676,10 +8731,10 @@
 "version": 105
 },
 "f0cc239b-67fa-46fc-89d4-f861753a40f5": {
- "rule_name": "Microsoft Azure or Mail Sign-in from a Suspicious Source",
- "sha256": "4fd69243a3f405a2fc8dac28257d472860062369ad573cd79c1e6fc5b6add7a7",
+ "rule_name": "Microsoft 365 or Entra ID Sign-in from a Suspicious Source",
+ "sha256": "1c82a2568d10fea4868e5657b9934f3be6431843d1a284c5dde1fff807ea002e",
 "type": "esql",
- "version": 2
+ "version": 3
 },
 "f0dbff4c-1aa7-4458-9ed5-ada472f64970": {
 "rule_name": "dMSA Account Creation by an Unusual User",
@@ -8767,9 +8822,9 @@
 },
 "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
 "rule_name": "Google Workspace Object Copied to External Drive with App Consent",
- "sha256": "5377740b067e775623f0521c2d29b16c6652340c0b2039ef6eb7efd52d98693d",
+ "sha256": "e3d5d22bf6f0e1c8cdf350e9585236e6eb414438bc033c531501c84f9d4d3681",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "f3403393-1fd9-4686-8f6e-596c58bc00b4": {
 "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
diff --git a/pyproject.toml b/pyproject.toml
index baa15d21f..bb7a65603 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.20"
+version = "1.3.21"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"