Lock versions for releases: 8.19,9.1,9.2,9.3 (#5888)
* Locked versions for releases: 8.19,9.1,9.2,9.3
* Update pyproject.toml

---------

Co-authored-by: Mikaayenson <Mikaayenson@users.noreply.github.com>
committed by
GitHub
parent
c6f843ef9d
commit
d9890db6ff
@@ -1044,9 +1044,9 @@
|
||||
}
|
||||
},
|
||||
"rule_name": "Kubectl Permission Discovery",
|
||||
"sha256": "7b34ff0aea508f8547398667f9c008d7e8ad644cac9f386ca60ae6271002b975",
|
||||
"sha256": "6d731657ec8c591dcefb910a3a67801314448feb8ea2db28a604c77d3be33979",
|
||||
"type": "eql",
|
||||
"version": 104
|
||||
"version": 105
|
||||
},
|
||||
"160896de-b66f-42cb-8fef-20f53a9006ea": {
|
||||
"min_stack_version": "9.3",
|
||||
@@ -1434,6 +1434,12 @@
|
||||
"type": "new_terms",
|
||||
"version": 211
|
||||
},
|
||||
"1cfb39e1-4b6c-4dc7-85fe-733e4a1a33ca": {
|
||||
"rule_name": "Entra ID Domain Federation Configuration Change",
|
||||
"sha256": "b991e58bb9febec0cf5ed7a76608a9ebc8025adc011b26dfe10a27851c63a867",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"1d0027d4-6717-4a37-bad8-531d8e9fe53f": {
|
||||
"rule_name": "Potential Hex Payload Execution via Command-Line",
|
||||
"sha256": "2e108812f7164bba9127e0aa6659bcd9a2c8350f27be5be3a3fd06a9dcbaf48b",
|
||||
@@ -1755,9 +1761,9 @@
|
||||
}
|
||||
},
|
||||
"rule_name": "Potential Kubectl Masquerading via Unexpected Process",
|
||||
"sha256": "8d46821a3cdc95b2621a769daff499f7f908802034e7c47f649884fb5c5bae04",
|
||||
"sha256": "d70c260690f552cfacb02450ed891f4c669046f11b94c24f5f0973a7bb51d56f",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
"version": 103
|
||||
},
|
||||
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
|
||||
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
|
||||
@@ -2860,9 +2866,9 @@
|
||||
}
|
||||
},
|
||||
"rule_name": "Potential Impersonation Attempt via Kubectl",
|
||||
"sha256": "d688f985ff54d810509b5039443537aff744620740dc38d7622d3c308ca1ef51",
|
||||
"sha256": "bdaa5069decd53d75ef631a5ca01e4278a643b1b8d2943d67de98646b9816fc7",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
"version": 103
|
||||
},
|
||||
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
||||
"rule_name": "Unusual Linux Network Port Activity",
|
||||
@@ -3303,9 +3309,9 @@
|
||||
},
|
||||
"472b4944-d810-43cf-83dc-7d080ae1b8dd": {
|
||||
"rule_name": "Multiple Cloud Secrets Accessed by Source Address",
|
||||
"sha256": "ff41c11baab351eaebba65c96b1a87529582ee93161f65f77b892e94374ace8b",
|
||||
"sha256": "d0c4f9e600d97fef5ad96bac93093b7a8c14fcd1e8984e95303ff1e323528203",
|
||||
"type": "esql",
|
||||
"version": 4
|
||||
"version": 5
|
||||
},
|
||||
"47403d72-3ee2-4752-a676-19dc8ff2b9d6": {
|
||||
"rule_name": "AWS IAM OIDC Provider Created by Rare User",
|
||||
@@ -3347,6 +3353,13 @@
|
||||
"type": "eql",
|
||||
"version": 106
|
||||
},
|
||||
"47661529-15ed-4848-93da-9fbded7a3a0e": {
|
||||
"min_stack_version": "9.3",
|
||||
"rule_name": "Chroot Execution Detected via Defend for Containers",
|
||||
"sha256": "8eef44e54c58bacf8930637ce3c1ccc456d47e98096fb6b90d0117c387cfb747",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
|
||||
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
|
||||
"sha256": "a3c41fcfa1ca8b2ef3742212cb83d03ed47e7de62ec719449aea2350bc944579",
|
||||
@@ -3434,9 +3447,9 @@
|
||||
},
|
||||
"491651da-125b-11f1-af7d-f661ea17fbce": {
|
||||
"rule_name": "M365 SharePoint/OneDrive File Access via PowerShell",
|
||||
"sha256": "b0ba8c5ebe208355146f0f9744658c7e7f9984f4ec6b5fa1db9a3568a97389df",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
"sha256": "12b2f26e1de89428096370a95afe5282f53ef905809bc143ddbfe3283d5b799e",
|
||||
"type": "new_terms",
|
||||
"version": 2
|
||||
},
|
||||
"493834ca-f861-414c-8602-150d5505b777": {
|
||||
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
|
||||
@@ -4691,9 +4704,9 @@
|
||||
},
|
||||
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
|
||||
"rule_name": "Connection to Commonly Abused Web Services",
|
||||
"sha256": "666ef6e51176ca7e40331d89b28255db0e3dd888348652674f8f7354ef86fb34",
|
||||
"sha256": "36c806d8631c3382ce02b6ddc4f9fe4014909b9c44ac217b7884a8d585ad71a8",
|
||||
"type": "eql",
|
||||
"version": 127
|
||||
"version": 128
|
||||
},
|
||||
"66c058f3-99f4-4d18-952b-43348f2577a0": {
|
||||
"rule_name": "Linux Process Hooking via GDB",
|
||||
@@ -5695,6 +5708,12 @@
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"7dc921db-4cd3-48ef-88bf-2bfa91f29f5c": {
|
||||
"rule_name": "Entra ID Custom Domain Added or Verified",
|
||||
"sha256": "dd26cd3faf49a87dbdbae5742f5eea1de370b89f32551d8795c9b5175b405cde",
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
|
||||
"rule_name": "SSH Key Generated via ssh-keygen",
|
||||
"sha256": "53ba04010f20edbac2f1dd089f6e59d5828a9c6462083b10b69251dd20b2e843",
|
||||
@@ -5751,9 +5770,9 @@
|
||||
},
|
||||
"7f65f984-5642-4291-a0a0-2bbefce4c617": {
|
||||
"rule_name": "Python Path File (pth) Creation",
|
||||
"sha256": "582332b2e5ad8a181f60a7d1cb57e73aa87dc9f93d3400d8c0e1167faa2a6dbe",
|
||||
"sha256": "9cb285c73a58b7f55d2270444624ce284968b053b72781884d5a33bff30e62b5",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": {
|
||||
"rule_name": "Web Server Potential SQL Injection Request",
|
||||
@@ -6063,9 +6082,9 @@
|
||||
}
|
||||
},
|
||||
"rule_name": "Kubectl Network Configuration Modification",
|
||||
"sha256": "6ae6852c50cac7da8c2ea64b823c43ec4f6f8027bd4d53e469ef8fcc702a2709",
|
||||
"sha256": "610a8cb4d2094544038062f65ed4745f98198a7994038fa0aeb006581813e4de",
|
||||
"type": "eql",
|
||||
"version": 101
|
||||
"version": 102
|
||||
},
|
||||
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
||||
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
||||
@@ -7461,6 +7480,12 @@
|
||||
"type": "query",
|
||||
"version": 109
|
||||
},
|
||||
"a6129187-c47b-48ab-a412-67a44836d918": {
|
||||
"rule_name": "M365 Azure Monitor Alert Email with Financial or Billing Theme",
|
||||
"sha256": "66d9cffd3773855d4fd0f97ae360322f71d92a037133a287df4d4ac524497a54",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
},
|
||||
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
|
||||
"rule_name": "Threat Intel Windows Registry Indicator Match",
|
||||
"sha256": "13b8297ead30f89bf1e834ac869dc0d250d9ed0b8604dea85acc5c85584ada84",
|
||||
@@ -7570,6 +7595,13 @@
|
||||
"type": "query",
|
||||
"version": 105
|
||||
},
|
||||
"a87d49f0-24ae-4d6e-a0b4-5fd2f6188d6a": {
|
||||
"min_stack_version": "9.3",
|
||||
"rule_name": "Kubectl Secrets Enumeration Across All Namespaces",
|
||||
"sha256": "dd2e61c000cb7733d1035682841ea2bd21ce20c73dc2b64c291657550b304ab2",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
|
||||
"rule_name": "Authentication via Unusual PAM Grantor",
|
||||
"sha256": "60319003b74e45deda3b2f9aef3f6d1b8a77a689505e9b01bdb66e0edc283460",
|
||||
@@ -8109,6 +8141,12 @@
|
||||
"type": "eql",
|
||||
"version": 319
|
||||
},
|
||||
"b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": {
|
||||
"rule_name": "Suspicious Python Shell Command Execution",
|
||||
"sha256": "dd9a52bf74d28ebffb64b83134917f8d6aee148108e4fb2f7cde27b41fb69285",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
},
|
||||
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
|
||||
"rule_name": "Code Signing Policy Modification Through Built-in tools",
|
||||
"sha256": "b39b64612ea429e5a2ed645157eee033df7f908d4e338f5dc7f27ef9f7257b39",
|
||||
@@ -8164,9 +8202,9 @@
|
||||
}
|
||||
},
|
||||
"rule_name": "Kubernetes Direct API Request via Curl or Wget",
|
||||
"sha256": "2480a691df156e4b8b134f42d326af3b6b6b0bbd07fbbf0423a8dd61e8097906",
|
||||
"sha256": "20b5bcb6b45398978619e78190a331e01385bd5c092d0769e6b36d1c8a28e413",
|
||||
"type": "eql",
|
||||
"version": 102
|
||||
"version": 103
|
||||
},
|
||||
"b5877334-677f-4fb9-86d5-a9721274223b": {
|
||||
"rule_name": "Clearing Windows Console History",
|
||||
@@ -8296,6 +8334,12 @@
|
||||
"type": "query",
|
||||
"version": 1
|
||||
},
|
||||
"b8e4c2a1-7f3d-4e9b-8c5a-1d0e6f2a4b8c": {
|
||||
"rule_name": "Potential Credential Discovery via Recursive Grep",
|
||||
"sha256": "6e1f7fd530c168e50461f4e7afc7b92b389edc311ca0657f61cae0b885e3fab0",
|
||||
"type": "esql",
|
||||
"version": 1
|
||||
},
|
||||
"b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": {
|
||||
"rule_name": "M365 Purview DLP Signal",
|
||||
"sha256": "04360f0ce85534f39be7ba0ec1699302b04855d9ef703ccd49c39e0d6e39c3e7",
|
||||
@@ -8550,9 +8594,9 @@
|
||||
},
|
||||
"be70614d-4295-473c-a953-582aef41c865": {
|
||||
"rule_name": "Potential Data Exfiltration Through Curl",
|
||||
"sha256": "b473299604ae3ab3ae196b7fd790ffe7ac3e4fc11881a5cccd79510e5582e25c",
|
||||
"sha256": "6ebfa1674b4fb1f63c8b2f093c2b147a12ca9cc31050e7e5dcc13e1338e4bd3e",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
|
||||
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
||||
@@ -9112,6 +9156,12 @@
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"cbda9a0e-2be4-4eaa-9571-8d6a503e9828": {
|
||||
"rule_name": "Kubernetes Secret Access via Unusual User Agent",
|
||||
"sha256": "779866cad0e79ce9f2c9c7234c09cc2ccc2d4642c9bec7b268d036a244638cd6",
|
||||
"type": "new_terms",
|
||||
"version": 1
|
||||
},
|
||||
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
||||
"rule_name": "Process Discovery via Tasklist",
|
||||
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
|
||||
@@ -9650,9 +9700,9 @@
|
||||
},
|
||||
"d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": {
|
||||
"rule_name": "Python Site or User Customize File Creation",
|
||||
"sha256": "23e9b2ae32366bd7367b52c73f3e73c3b04f0351467e4f9a4b06d5d28f145dbb",
|
||||
"sha256": "60863e4019007a38c549c67afc285d909ed41523046489f619dd198934b92715",
|
||||
"type": "eql",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
|
||||
"rule_name": "Azure Blob Storage Permissions Modified",
|
||||
@@ -10637,9 +10687,9 @@
|
||||
}
|
||||
},
|
||||
"rule_name": "File Execution Permission Modification Detected via Defend for Containers",
|
||||
"sha256": "c02875fc6dfc7d8a299910738b01d4334c0184bc205d79b15c22974fb6271f10",
|
||||
"sha256": "cb17a8960fbe32d16f37c061338c7d98a517c4803aa4f73b976ef7ad40c15496",
|
||||
"type": "eql",
|
||||
"version": 105
|
||||
"version": 106
|
||||
},
|
||||
"ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": {
|
||||
"rule_name": "Kubernetes Forbidden Creation Request",
|
||||
@@ -11629,6 +11679,12 @@
|
||||
"type": "eql",
|
||||
"version": 10
|
||||
},
|
||||
"feba48f6-40ca-4d04-b41f-5dfa327de865": {
|
||||
"rule_name": "Data Encrypted via OpenSSL Utility",
|
||||
"sha256": "7e4c14c019100eba38aacd09b9887e2a69be967cb5d4d31da74999b96845c8d4",
|
||||
"type": "eql",
|
||||
"version": 1
|
||||
},
|
||||
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
|
||||
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
|
||||
"sha256": "296701dc33e1684c4011dbf1ccfd9d85369255ae83c23295e720aa97b8e4136d",
|
||||
|
||||
@@ -182,6 +182,7 @@ coverage from the state of rules in the `main` branch.
|
||||
|[Elastic-detection-rules-tags-microsoft-entra-id-protection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-protection.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-microsoft-entra-id-sign-in-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id-sign-in-logs.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-microsoft-entra-id](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-entra-id.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-microsoft-exchange-online-message-trace](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-exchange-online-message-trace.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-microsoft-exchange](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-exchange.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-microsoft-graph-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph-activity-logs.json&leave_site_dialog=false&tabs=false)|
|
||||
|[Elastic-detection-rules-tags-microsoft-graph](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-microsoft-graph.json&leave_site_dialog=false&tabs=false)|
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
[project]
|
||||
name = "detection_rules"
|
||||
version = "1.6.9"
|
||||
version = "1.6.10"
|
||||
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.12"
|
||||
|
||||