From d81bc25d09f512f612e65d1e86cefee08f178383 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 13 Jan 2023 15:20:23 -0500 Subject: [PATCH] Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 (#2468) * Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 * added newline in version lock file to trigger checks * removed trailing newline from version lock file Co-authored-by: terrancedejesus Co-authored-by: terrancedejesus --- detection_rules/etc/version.lock.json | 293 +++++++++++++++++++------- 1 file changed, 221 insertions(+), 72 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 7ff477a78..b1230729e 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -334,11 +334,20 @@ "version": 2 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Drive Ownership Transferred via Google Workspace", + "sha256": "1c82ea9b65fada4ec684045bd8b3e5eaa0730b35b41ddef3dd151ff26a9d6be9", + "type": "query", + "version": 4 + } + }, "rule_name": "Google Drive Ownership Transferred via Google Workspace", "sha256": "98600fe4b1c0c882bb99021122279f31ce5cdd2266abf34b56bab33f0cb7f190", "type": "query", - "version": 3 + "version": 104 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "min_stack_version": "8.3", @@ -547,9 +556,9 @@ "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "min_stack_version": "8.3", "rule_name": "Multiple Alerts Involving a User", - "sha256": "370e2374f3b2571a3f3119c682a5be649e235d1846b8eec75e7ba4705aac4263", + "sha256": "8d4c07265bf4bd3c24f522e31ba75c8a38f0b8d8b41064fcc50c4dcf0e4e168f", "type": "threshold", - "version": 1 + "version": 2 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "min_stack_version": "8.3", @@ -764,9 +773,9 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "571c3c9a9e52d72036dcd37ff012814d9bd65cb35c013e9a5ad0a9cb270ae47b", + "sha256": "0f8e7d4c05e2aa942a177e9e8522674ba38bc37003575e007b6ec8cbaa5c3a49", "type": "query", - "version": 2 + "version": 3 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", @@ -2184,9 +2193,9 @@ } }, "rule_name": "Potential Process Injection via PowerShell", - "sha256": "af6f4fb1b2ee6c896750bdd4d73df591989f45ce9e13a9c949f7d8919f5a7fb6", + "sha256": "8c6f27c7e2b39957500b3f0d690080088b823c905b6f202e1b1b0de855c8553f", "type": "query", - "version": 103 + "version": 104 }, "2e580225-2a58-48ef-938b-572933be06fe": { "min_stack_version": "8.3", @@ -2248,9 +2257,9 @@ } }, "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "701e6b024ca7be633acff2c87983ac3cb5f4a1ffcb7f16ff249fcab653225f5d", + "sha256": "7116ad8f42568440dcb1c9bc6b196885c1878eea0730ad2d2b0b7825393a398b", "type": "query", - "version": 103 + "version": 104 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "min_stack_version": "8.3", @@ -3375,11 +3384,20 @@ "version": 100 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Application Removed from Blocklist in Google Workspace", + "sha256": "f65ab660ff049917ef0d56928b4115a2675fd3a83ade36c9569b28cd3cf3397d", + "type": "query", + "version": 4 + } + }, "rule_name": "Application Removed from Blocklist in Google Workspace", "sha256": "1425ad887371020ed16a18072658404fa91af9a56fbbdc316e44823c9370d614", "type": "query", - "version": 3 + "version": 104 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "min_stack_version": "8.3", @@ -3432,9 +3450,9 @@ "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.3", "rule_name": "PowerShell Share Enumeration Script", - "sha256": "0d9859995c28fa581240cc5695b8aa93e8f7c2595ec329b3422380c3d25fa676", + "sha256": "74c65a7829bcc251f06c98c0d4f413e59c86158ee47f518c8c9b158a3166ef82", "type": "query", - "version": 3 + "version": 4 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "min_stack_version": "8.3", @@ -3782,6 +3800,13 @@ "type": "eql", "version": 101 }, + "54a81f68-5f2a-421e-8eed-f888278bb712": { + "min_stack_version": "8.3", + "rule_name": "Exchange Mailbox Export via PowerShell", + "sha256": "a48a9cbb679372bd144a77cbe76de0fbd8975e021e3052cbc9a8b7b217712c04", + "type": "query", + "version": 1 + }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "min_stack_version": "8.3", "previous": { @@ -3906,9 +3931,9 @@ } }, "rule_name": "PowerShell PSReflect Script", - "sha256": "091b0bb0507a9ca860cb1eab4a5b50c137b839deb2ce342decf68176ab91b4c6", + "sha256": "11eb65e63a95ed292472ba5a64844f98470b90ed7eaef8847ba571ec81dffaa1", "type": "query", - "version": 103 + "version": 104 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "min_stack_version": "8.3", @@ -3970,9 +3995,9 @@ } }, "rule_name": "PowerShell MiniDump Script", - "sha256": "58816e1e395d2b3dd424fe52412a8e0c6f41b45ac111e2135e28291a443f1ecb", + "sha256": "efa8737d826a936ed57d1404ea8b8ea907281530808f0add72c400af16dc720d", "type": "query", - "version": 103 + "version": 104 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.3", @@ -4302,11 +4327,20 @@ "version": 101 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace 2SV Policy Disabled", + "sha256": "0e4f796c44b12756ec86c03bef7bca532a986bd70cbe34fda071162af183bb2e", + "type": "query", + "version": 4 + } + }, "rule_name": "Google Workspace 2SV Policy Disabled", "sha256": "a5a33cf12e70b976a8a202090de8c4e819f48cfb96c7be5ca799a3cd710da520", "type": "query", - "version": 3 + "version": 104 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "min_stack_version": "8.3", @@ -4406,9 +4440,9 @@ } }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "5e289255b3744f6c6d02f444ed0e5b133a67e62aed318d241d24a1fd7db26417", + "sha256": "40e4e50e213f12414a720dbad1084ac9c5c66f7327c57db4a0983cd0f76293aa", "type": "query", - "version": 103 + "version": 104 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", @@ -4774,7 +4808,7 @@ "version": 102 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 14, @@ -4789,12 +4823,19 @@ "sha256": "b21a45d51ea3f04918d7eeaabb24efea888bc2f7a9c326ed3858bc775f4243e0", "type": "query", "version": 15 + }, + "8.3": { + "max_allowable_version": 203, + "rule_name": "Google Workspace Admin Role Assigned to a User", + "sha256": "2c52d4ab28968599f73fc69986af4d6bb32fa1a7990400dedb69a00d27923991", + "type": "query", + "version": 104 } }, "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "900e09e88ba2b9b8a350387557983bccad76402efaa5f254d620c7a35f2dc7e7", "type": "query", - "version": 103 + "version": 204 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "min_stack_version": "8.3", @@ -4927,9 +4968,9 @@ } }, "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "66727f73174ac2f2c261e172136cf6c6fb2cb140f447a85b4f37da5356af8d64", + "sha256": "c67ead923f191802c3f4b9ac87ce88c947bd2556188ad794e916a19872202460", "type": "eql", - "version": 103 + "version": 104 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "min_stack_version": "8.3", @@ -5088,7 +5129,7 @@ "version": 100 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 14, @@ -5103,12 +5144,19 @@ "sha256": "244dc1f48bcc75832806b71e104f30425388ca2f33f6810e00dd12f2906b426f", "type": "query", "version": 15 + }, + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Role Modified", + "sha256": "daef89c776f6dbbe4af324d1e25088b7050e7ea1d1e9ab4726f530b8a5b4a5a5", + "type": "query", + "version": 103 } }, "rule_name": "Google Workspace Role Modified", "sha256": "ecaaefd4c78cf905024b3584372e31dd778a12b5a3a53cbc478adf8099648e69", "type": "query", - "version": 102 + "version": 203 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { "rule_name": "Linux Restricted Shell Breakout via the find command", @@ -5496,7 +5544,7 @@ "version": 101 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 14, @@ -5511,12 +5559,19 @@ "sha256": "5e45bae76ca5b927ec5755d9bb797b2012a6884ff93d4deb09b0127a0b0e273f", "type": "query", "version": 15 + }, + "8.3": { + "max_allowable_version": 202, + "rule_name": "Application Added to Google Workspace Domain", + "sha256": "a3cc84e17ebd0f9217243f6d5128ebb437ecb8d4e643a5ea8d1b3e3e40f343be", + "type": "query", + "version": 103 } }, "rule_name": "Application Added to Google Workspace Domain", "sha256": "ea4f94ba987a5d1684dd0f0d8c07ad19ab402403f98ab0c3f6c90db032a9a1e4", "type": "query", - "version": 102 + "version": 203 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "min_stack_version": "8.3", @@ -5659,11 +5714,20 @@ "version": 101 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace Bitlocker Setting Disabled", + "sha256": "e433cddd2695f67bea309beea9d1d29197cb7f724fd7e8b1fe04b09657cfb195", + "type": "query", + "version": 4 + } + }, "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "93dc8b13643b49a519faaa37a39d18e52b52eff11913929d9063bf0040ad8880", "type": "query", - "version": 3 + "version": 104 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "min_stack_version": "8.3", @@ -5769,9 +5833,9 @@ } }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "83d4da9cb153ddbf63e9d180a6f581c16db23d16b1f8d457e680f84498386dd3", + "sha256": "8d5dd848650d0aa7e36c11cb01d8832928c0dc44d91d010b25bc66eb8e0caa76", "type": "query", - "version": 103 + "version": 104 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.3", @@ -6568,7 +6632,7 @@ "version": 102 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 14, @@ -6583,12 +6647,19 @@ "sha256": "213d54562eb126f314c2a6e1a102b4d4987ee2333524f5466bcf10b27609a92e", "type": "query", "version": 15 + }, + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Admin Role Deletion", + "sha256": "ef6d929dc2c2361a81de3f98368a4b583d1b79accfccf61f4bd2660192e320d0", + "type": "query", + "version": 103 } }, "rule_name": "Google Workspace Admin Role Deletion", "sha256": "7b6697a97cdf6019e2920baed1a4b6396b33c1f4589dc81aab2539b378a9cdd9", "type": "query", - "version": 102 + "version": 203 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "min_stack_version": "8.3", @@ -6607,11 +6678,20 @@ "version": 101 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace Custom Gmail Route Created or Modified", + "sha256": "5fd3d2b8c4d529473f1faf8da5346efc3e1c194556689eb7bba24604dfea18db", + "type": "query", + "version": 4 + } + }, "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "c316a06037035aae30e827897a80b0b965715ee7b63e7e6b1863c59d617d1292", "type": "query", - "version": 3 + "version": 104 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.3", @@ -6641,9 +6721,9 @@ } }, "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "a361b95af4c8021091d89dc9a338520d4b43e6423cb8d0df588ad670d16955ad", + "sha256": "6e6d3db2b74e72a7814e88a22790a69b7bad458685f57587be4f172643d4f0f7", "type": "query", - "version": 103 + "version": 104 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.3", @@ -7045,11 +7125,20 @@ "version": 102 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace User Group Access Modified to Allow External Access", + "sha256": "172d2f04879c10e383d6f900e6bb2f9d49626e7a95d7f235e3183c36ab0e80ad", + "type": "query", + "version": 4 + } + }, "rule_name": "Google Workspace User Group Access Modified to Allow External Access", "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd", "type": "query", - "version": 3 + "version": 104 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { "rule_name": "Trusted Developer Application Usage", @@ -7369,11 +7458,20 @@ "version": 102 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", + "sha256": "4c7b59991fca9e2bb874d73b26702beea98e72c40bda59d83f8a795d18fdbcf9", + "type": "query", + "version": 4 + } + }, "rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", "sha256": "ebe6d8d11a370fe917eae7f3b885397f87978a7afb50ab4626fdb93bd08ef4f1", "type": "query", - "version": 3 + "version": 104 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.3", @@ -7555,7 +7653,7 @@ "version": 101 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 15, @@ -7570,12 +7668,19 @@ "sha256": "c4909172dfd50108f0abed3aba686e685089632adfc228255d684fb7b32e2c7d", "type": "query", "version": 16 + }, + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Password Policy Modified", + "sha256": "b2daab0a2fb7c6a49d316684b16b34bc48a433eb4288b640b70d8f7155f44852", + "type": "query", + "version": 103 } }, "rule_name": "Google Workspace Password Policy Modified", "sha256": "d24e6279427b06647bf3fd06e31435ede2a5935b00f6d945edc95bb76184920f", "type": "query", - "version": 102 + "version": 203 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.3", @@ -7717,9 +7822,9 @@ } }, "rule_name": "Suspicious WerFault Child Process", - "sha256": "789f1a87e9509a8349805cf16c8fd134c08e9bd3105f7071f23d7bde6ccd3d06", + "sha256": "23935934e5f6286a952467374de45be57eaf2f087a3a5d7173ca4dd442eab89a", "type": "eql", - "version": 103 + "version": 104 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "8.3", @@ -7749,12 +7854,12 @@ } }, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "d725f48824504ebcff898cc7a18afb3909944fe43308737abf93e1ea5df258fd", + "sha256": "0c8d4a72c696e4332bfa9e13eb0dbd1124b52d8b7d0539a2ef5acffbd89393b6", "type": "query", - "version": 103 + "version": 104 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 14, @@ -7769,12 +7874,19 @@ "sha256": "e83a4b6239ffd937ca01ed100a5d9d4f28967445797a34ee411768d8991f212b", "type": "query", "version": 15 + }, + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "sha256": "17446570b779206b8cae475969306c45b64cbe3a2b933fac52f4a5525d6023b2", + "type": "query", + "version": 103 } }, "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "sha256": "a053c9d367e47803d813b89bafecf8c714193d46da3a2ec7eadea82da11342cc", "type": "query", - "version": 102 + "version": 203 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "min_stack_version": "8.3", @@ -7847,7 +7959,7 @@ "version": 100 }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 14, @@ -7862,12 +7974,19 @@ "sha256": "c8bca11e5b1732bfc4bffb9bf1377db165824c647a7bc60bf84ec0f947cbde14", "type": "query", "version": 15 + }, + "8.3": { + "max_allowable_version": 202, + "rule_name": "Google Workspace Custom Admin Role Created", + "sha256": "1994f125fb87d27a74be9c4dde9edc895032d5d6fa9897d86f19e87d15ba6b82", + "type": "query", + "version": 103 } }, "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "3c372d8580234e86ab7782b92f0f70b058b1cb50f36a7f7a9e6a90d83124659a", "type": "query", - "version": 102 + "version": 203 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.3", @@ -7881,9 +8000,9 @@ } }, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "fef8bce965a84d33e4643b75262aa8da05a0edd85836287ebc090895c94d2246", + "sha256": "f657373af800c74ccef1ecd06cc71ed81e019056eb98a34716f2226c6016582e", "type": "query", - "version": 103 + "version": 104 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "min_stack_version": "8.3", @@ -8294,9 +8413,9 @@ "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "min_stack_version": "8.3", "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", - "sha256": "02f6fe3d4d2515b002c8108cdcc4be44a4379be8edb2d52bfc6f36a6dc956eae", + "sha256": "c0cab21b20611d9b1a263e9298c27e29fb538f6289afccfb13bb814958052974", "type": "threshold", - "version": 2 + "version": 3 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.3", @@ -8541,9 +8660,9 @@ } }, "rule_name": "PowerShell Keylogging Script", - "sha256": "03ce6493c19d1a809851b4007f1eac51dc3cb71a800286ceccb48c38d35002d7", + "sha256": "cf831ea0e6e09584f2304383208a6412f6948628b50083815985e0281224fda7", "type": "query", - "version": 103 + "version": 104 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.3", @@ -9227,7 +9346,7 @@ "version": 103 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 15, @@ -9242,12 +9361,19 @@ "sha256": "3ffdd0f16144e0dd0d207c2e8604c3cfc075b03c9e2c2bc68530c26c20242b35", "type": "query", "version": 16 + }, + "8.3": { + "max_allowable_version": 205, + "rule_name": "Google Workspace MFA Enforcement Disabled", + "sha256": "c2c4cecb5067e1562eb9b4381cb2f02f94d8eb714461d1985ff84449ddb93285", + "type": "query", + "version": 106 } }, "rule_name": "Google Workspace MFA Enforcement Disabled", "sha256": "34e19b874f33327105443e1ceee3593b9bcb1b30eb30f5795bf9102bb91339c1", "type": "query", - "version": 105 + "version": 206 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "min_stack_version": "8.3", @@ -9288,11 +9414,20 @@ "version": 101 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", + "previous": { + "8.3": { + "max_allowable_version": 103, + "rule_name": "Google Workspace User Organizational Unit Changed", + "sha256": "3518355a90ee6354be595124e70b25d82c59ea2fbdd8bbbcc0d0e2a62512acdb", + "type": "query", + "version": 4 + } + }, "rule_name": "Google Workspace User Organizational Unit Changed", "sha256": "d60b7181cd6749f1c0bad9cba1e5b7729a705db850228a659eec5f107737a162", "type": "query", - "version": 3 + "version": 104 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "min_stack_version": "8.3", @@ -9461,7 +9596,7 @@ "version": 102 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 14, @@ -9476,12 +9611,19 @@ "sha256": "05fe436d072dffdbdb136a88e93c7636e147f91bf5c02b89ba7eeed8fd336e3e", "type": "query", "version": 15 + }, + "8.3": { + "max_allowable_version": 202, + "rule_name": "Domain Added to Google Workspace Trusted Domains", + "sha256": "2422828361db58c9cb60d2f0b2d137390daca7d29b102789915ec3e3aa883430", + "type": "query", + "version": 103 } }, "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "d78af46dd84eb3d641be256da5b6c0645335b47293787741d08ae3dc07ff0ed5", "type": "query", - "version": 102 + "version": 203 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "min_stack_version": "8.3", @@ -10333,9 +10475,9 @@ } }, "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "b7d9a84b34f7f5c23cdf325de8e97c6d1f72f685f26b659e435f33c59a6153ff", + "sha256": "df2b42656b315cd8e12e0096dabeb608860871497071ca47c3a8d6fe12739c68", "type": "query", - "version": 103 + "version": 104 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "min_stack_version": "8.3", @@ -10514,7 +10656,7 @@ "version": 103 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { - "min_stack_version": "8.3", + "min_stack_version": "8.4", "previous": { "7.16": { "max_allowable_version": 15, @@ -10529,12 +10671,19 @@ "sha256": "da0c5e7ff098e790a9bbfe529a062110d2e03eeaf932eb822601bed55710c833", "type": "query", "version": 16 + }, + "8.3": { + "max_allowable_version": 202, + "rule_name": "MFA Disabled for Google Workspace Organization", + "sha256": "7f4d5eb6734f8c3c60ded7d24a7a3339afd5255c9fd1bf01acfe5972e671f89b", + "type": "query", + "version": 103 } }, "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "374a8185c7f83236836608b1bd1b4aa5ea94dfbb014a9ecbc59316b18f977a26", "type": "query", - "version": 102 + "version": 203 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", @@ -10838,9 +10987,9 @@ } }, "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "e2884c04f54ee6d27c4563c9199517c6ad5f56733dc0b0fc51a4cebb6602706e", + "sha256": "61731234033af30d76cb16b67695025f656a28ab6010571fc3eaa82657bcb16e", "type": "query", - "version": 103 + "version": 104 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "min_stack_version": "8.3",