diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index 4484bc6ca..139fda80d 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -19,6 +19,11 @@
 "rule_name": "TCP Port 8000 Activity to the Internet",
 "stack_version": "7.14.0"
 },
+ "09443c92-46b3-45a4-8f25-383b028b258d": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Process Termination followed by Deletion",
+ "stack_version": "8.19"
+ },
 "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
@@ -74,6 +79,11 @@
 "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
 "stack_version": "8.18"
 },
+ "1defdd62-cd8d-426e-a246-81a37751bb2b": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader",
+ "stack_version": "8.19"
+ },
 "20dc4620-3b68-4269-8124-ca5091e00ea8": {
 "deprecation_date": "2022/07/25",
 "rule_name": "Auditd Max Login Sessions",
@@ -109,6 +119,16 @@
 "rule_name": "Malicious Remote File Creation",
 "stack_version": "8.9"
 },
+ "30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Network Connection via Sudo Binary",
+ "stack_version": "8.19"
+ },
+ "3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID",
+ "stack_version": "8.19"
+ },
 "3605a013-6f0c-4f7d-88a5-326f5be262ec": {
 "deprecation_date": "2022/08/01",
 "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
@@ -154,11 +174,21 @@
 "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
 "stack_version": "8.3"
 },
+ "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected",
+ "stack_version": "8.19"
+ },
 "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
 "deprecation_date": "2025/07/09",
 "rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted",
 "stack_version": "8.18"
 },
+ "5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - SSH Process Launched From Inside A Container via Elastic Defend",
+ "stack_version": "8.19"
+ },
 "5e87f165-45c2-4b80-bfa5-52822552c997": {
 "deprecation_date": "2022/03/16",
 "rule_name": "Potential PrintNightmare File Modification",
@@ -169,11 +199,21 @@
 "rule_name": "Mknod Process Activity",
 "stack_version": "7.14.0"
 },
+ "62b68eb2-1e47-4da7-85b6-8f478db5b272": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Potential Non-Standard Port HTTP/HTTPS connection",
+ "stack_version": "8.19"
+ },
 "6506c9fd-229e-4722-8f0f-69be759afd2a": {
 "deprecation_date": "2022/03/16",
 "rule_name": "Potential PrintNightmare Exploit Registry Modification",
 "stack_version": "7.13"
 },
+ "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected",
+ "stack_version": "8.19"
+ },
 "67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
 "deprecation_date": "2021/04/15",
 "rule_name": "SMTP to the Internet",
@@ -274,6 +314,16 @@
 "rule_name": "Auditd Login Attempt at Forbidden Time",
 "stack_version": "7.16"
 },
+ "93f47b6f-5728-4004-ba00-625083b3dcb0": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration",
+ "stack_version": "8.19"
+ },
+ "947827c6-9ed6-4dec-903e-c856c86e72f3": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Creation of Kernel Module",
+ "stack_version": "8.19"
+ },
 "97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via the SSH command",
@@ -299,11 +349,21 @@
 "rule_name": "Trusted Developer Application Usage",
 "stack_version": "7.14.0"
 },
+ "9d19ece6-c20e-481a-90c5-ccca596537de": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading",
+ "stack_version": "8.19"
+ },
 "a4ec1382-4557-452b-89ba-e413b22ed4b8": {
 "deprecation_date": "2020/10/30",
 "rule_name": "Network Connection via Mshta",
 "stack_version": "7.10.0"
 },
+ "a577e524-c2ee-47bd-9c5b-e917d01d3276": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary",
+ "stack_version": "8.19"
+ },
 "a5f0d057-d540-44f5-924d-c6a2ae92f045": {
 "deprecation_date": "2023/06/22",
 "rule_name": "Potential SSH Brute Force Detected on Privileged Account",
@@ -314,6 +374,11 @@
 "rule_name": "Hex Encoding/Decoding Activity",
 "stack_version": "7.14.0"
 },
+ "ac8805f6-1e08-406c-962e-3937057fa86f": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server",
+ "stack_version": "8.19"
+ },
 "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
 "deprecation_date": "2021/04/15",
 "rule_name": "Proxy Port Activity to the Internet",
@@ -329,6 +394,21 @@
 "rule_name": "Deprecated - AWS Root Login Without MFA",
 "stack_version": "8.19"
 },
+ "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Potential Non-Standard Port SSH connection",
+ "stack_version": "8.19"
+ },
+ "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Potential Pspy Process Monitoring Detected",
+ "stack_version": "8.19"
+ },
+ "c125e48f-6783-41f0-b100-c3bf1b114d16": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Suspicious Renaming of ESXI index.html File",
+ "stack_version": "8.19"
+ },
 "c6474c34-4953-447a-903e-9fcb7b6661aa": {
 "deprecation_date": "2021/04/15",
 "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
@@ -369,6 +449,11 @@
 "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
 "stack_version": "7.14.0"
 },
+ "d55436a8-719c-445f-92c4-c113ff2f9ba5": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected",
+ "stack_version": "8.19"
+ },
 "d6450d4e-81c6-46a3-bd94-079886318ed5": {
 "deprecation_date": "2022/07/28",
 "rule_name": "Strace Process Activity",
@@ -444,6 +529,11 @@
 "rule_name": "Deprecated - AWS RDS Instance Creation",
 "stack_version": "8.19"
 },
+ "f41296b4-9975-44d6-9486-514c6f635b2d": {
+ "deprecation_date": "2026/02/04",
+ "rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation",
+ "stack_version": "8.19"
+ },
 "f52362cd-baf1-4b6d-84be-064efc826461": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 52b812472..ee2b06220 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -232,6 +232,13 @@
 "type": "eql",
 "version": 217
 },
+ "05a50000-9886-4695-ad33-3f990dc142e2": {
+ "min_stack_version": "9.3",
+ "rule_name": "System Path File Creation and Execution Detected via Defend for Containers",
+ "sha256": "0070de4186b0d66470a7b71b34781036a4107a7cb9e7d7d07ce655d2783238c8",
+ "type": "eql",
+ "version": 1
+ },
 "05b358de-aa6d-4f6c-89e6-78f74018b43b": {
 "rule_name": "Conhost Spawned By Suspicious Parent Process",
 "sha256": "f4e1f9d6d33fedcd444fbe238ea99dbeb66031172f00bdf4cd900ea91586d6fc",
@@ -250,6 +257,12 @@
 "type": "eql",
 "version": 113
 },
+ "05f2b649-dc03-4e9a-8c4e-6762469e8249": {
+ "rule_name": "Suspicious AWS S3 Connection via Script Interpreter",
+ "sha256": "6ad0f3169c575ac9324d80b785de1bf27cb43f9886ea367449546e050a7aa111",
+ "type": "esql",
+ "version": 1
+ },
 "0635c542-1b96-4335-9b47-126582d2c19a": {
 "rule_name": "Remote System Discovery Commands",
 "sha256": "d830586c866338070858fc3d79f60a78040bbbbf9694a72accfda57739d022bb",
@@ -342,9 +355,9 @@
 },
 "083383af-b9a4-42b7-a463-29c40efe7797": {
 "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation",
- "sha256": "249e1bab2c2e881486beb238f11289a9634280647a661bb203b8a4cd5f9fcce8",
+ "sha256": "0b16a11578d690a45da3add3532561414284b7ae428fff4dd8f391703f00d1f7",
 "type": "esql",
- "version": 6
+ "version": 7
 },
 "083fa162-e790-4d85-9aeb-4fea04188adb": {
 "rule_name": "Suspicious Hidden Child Process of Launchd",
@@ -688,11 +701,27 @@
 "type": "threshold",
 "version": 313
 },
+ "0fb25791-d8d4-42ab-8fc7-4954642de85f": {
+ "rule_name": "Kubernetes Creation or Modification of Sensitive Role",
+ "sha256": "08d959810b52a5dd296b94b2930b0769db43f5a659b49183d2b3b6412ba706b6",
+ "type": "esql",
+ "version": 1
+ },
 "0fe2290a-2664-4c9c-8263-b88904f12f0d": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 101,
+ "rule_name": "Kubernetes Sensitive Configuration File Activity",
+ "sha256": "0733fbd77e1dcbbf858340c7c49c0409b1c8d13fcbce786043e46d561f30f8e7",
+ "type": "eql",
+ "version": 2
+ }
+ },
 "rule_name": "Kubernetes Sensitive Configuration File Activity",
- "sha256": "0733fbd77e1dcbbf858340c7c49c0409b1c8d13fcbce786043e46d561f30f8e7",
+ "sha256": "7d61d62319c071310d69e8c15bf997fdaaa97c0d900ea9029b54bb02144275aa",
 "type": "eql",
- "version": 2
+ "version": 102
 },
 "0ff84c42-873d-41a2-a4ed-08d74d352d01": {
 "rule_name": "Privilege Escalation via Root Crontab File Modification",
@@ -803,16 +832,16 @@
 "version": 211
 },
 "12a2f15d-597e-4334-88ff-38a02cb1330b": {
- "rule_name": "Kubernetes Suspicious Self-Subject Review",
- "sha256": "18bcbae69b87af3c77a8829ac5c6b2b694c582c1f915a81b0334f2bda7a19b28",
- "type": "query",
- "version": 207
+ "rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
+ "sha256": "3c53427258f633872c95a09f530577cf6a9ed72124f0d10cb5dd29c4d10ff5c1",
+ "type": "new_terms",
+ "version": 208
 },
 "12cbf709-69e8-4055-94f9-24314385c27e": {
 "rule_name": "Kubernetes Pod Created With HostNetwork",
- "sha256": "94f5a4b12f95d49f1508d5c15a309ac12d286e04d0e26123498a94005fc399af",
+ "sha256": "2a6679b8ec4feee4091109685833d57445de939c658377f5a6a27773a57cb7f6",
 "type": "query",
- "version": 208
+ "version": 209
 },
 "12de29d4-bbb0-4eef-b687-857e8a163870": {
 "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
@@ -888,9 +917,9 @@
 },
 "14de811c-d60f-11ec-9fd7-f661ea17fbce": {
 "rule_name": "Kubernetes User Exec into Pod",
- "sha256": "f40ba61a95d4c3e7495c53e0c7bee3e2b7b567996c2e0cea7b3cc808c4d1f672",
+ "sha256": "cf1c663833ab749a97c110eb45d0228ed320353b274995fff26ec5b6488b25d8",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
 "rule_name": "Potential Persistence via Time Provider Modification",
@@ -922,6 +951,12 @@
 "type": "eql",
 "version": 6
 },
+ "15606250-449d-46a8-aaff-4043e42aefb9": {
+ "rule_name": "Suspicious StartupItem Plist Creation",
+ "sha256": "f63835bd6dbd1ae1525c1f9d9b34983545dcb86f455e65e49d50b96726bcd6c8",
+ "type": "eql",
+ "version": 1
+ },
 "15a8ba77-1c13-4274-88fe-6bd14133861e": {
 "rule_name": "Scheduled Task Execution at Scale via GPO",
 "sha256": "21792bd878e448ec862da9cc5bf6e3b5f64978c7a1e9ad278a91cd0dd908326d",
@@ -941,10 +976,20 @@
 "version": 112
 },
 "1600f9e2-5be6-4742-8593-1ba50cd94069": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 103,
+ "rule_name": "Kubectl Permission Discovery",
+ "sha256": "c1da63bbab5facc4c4cb7cc3ec0cfef430b4733d91393d9b58441c092c54e0e5",
+ "type": "eql",
+ "version": 4
+ }
+ },
 "rule_name": "Kubectl Permission Discovery",
- "sha256": "c1da63bbab5facc4c4cb7cc3ec0cfef430b4733d91393d9b58441c092c54e0e5",
+ "sha256": "7b34ff0aea508f8547398667f9c008d7e8ad644cac9f386ca60ae6271002b975",
 "type": "eql",
- "version": 4
+ "version": 104
 },
 "160896de-b66f-42cb-8fef-20f53a9006ea": {
 "min_stack_version": "9.3",
@@ -962,6 +1007,12 @@
 "type": "eql",
 "version": 103
 },
+ "1615230f-beb7-48d8-9b3f-6d10674703bf": {
+ "rule_name": "Suspicious SIP Check by macOS Application",
+ "sha256": "232a4bd93c50355d6ea770cd06a363c1777f939be142b3e759abc4eba094138d",
+ "type": "eql",
+ "version": 1
+ },
 "16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
 "rule_name": "Azure Automation Runbook Created or Modified",
 "sha256": "ccff816d3b5217865698a800af2ba48cf248e6704d67b488436bd6259be29eba",
@@ -982,9 +1033,9 @@
 },
 "16904215-2c95-4ac8-bf5c-12354e047192": {
 "rule_name": "Potential Kerberos Attack via Bifrost",
- "sha256": "c1c429ce7d8d01884d2354119390babd9a3b1cd6c1b082626cdb66adcab48dd1",
+ "sha256": "0626527bb17e1ca3b9ae1e90bed0f13a81152908cce78d40a11e8cc9d8b709de",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "169f3a93-efc7-4df2-94d6-0d9438c310d1": {
 "rule_name": "AWS IAM Group Creation",
@@ -994,9 +1045,9 @@
 },
 "16a52c14-7883-47af-8745-9357803f0d4c": {
 "rule_name": "Component Object Model Hijacking",
- "sha256": "07391674964f4ab57f29fb37e8ad1618dd899f3b8abd1ced5b15ecae703690e9",
+ "sha256": "7b149759b2a015ff5ec61154f83d2922c16675621a397d1c81e7bbf9e3d1f920",
 "type": "eql",
- "version": 117
+ "version": 118
 },
 "16acac42-b2f9-4802-9290-d6c30914db6e": {
 "rule_name": "AWS S3 Static Site JavaScript File Uploaded",
@@ -1136,6 +1187,12 @@
 "type": "eql",
 "version": 9
 },
+ "1955e925-6679-4535-9c1b-28ebf369f35f": {
+ "rule_name": "Suspicious File Creation via Pkg Install Script",
+ "sha256": "0a64f7723f488b5a5aaedf74fbc2c5eea7ab8e890d2138f3da1694b5a0fec32a",
+ "type": "eql",
+ "version": 1
+ },
 "1965eab8-d17f-4b21-8c48-ad5ff133695d": {
 "rule_name": "Kernel Object File Creation",
 "sha256": "ba9962370e567452f85b765d9e529539c0332e858e748851ab1a63dbd9815488",
@@ -1561,6 +1618,13 @@
 "type": "eql",
 "version": 111
 },
+ "227cf26a-88d1-4bcb-bf4c-925e5875abcf": {
+ "min_stack_version": "9.3",
+ "rule_name": "Encoded Payload Detected via Defend for Containers",
+ "sha256": "d6ebb5e57c278b1a9b1275aee015d7e6059d8352ec49837ae572a152c3b44db1",
+ "type": "eql",
+ "version": 1
+ },
 "227dc608-e558-43d9-b521-150772250bae": {
 "rule_name": "AWS S3 Bucket Configuration Deletion",
 "sha256": "188373da495c052baa5f489c9a5e4ce8d8133ede03d4aec038290f45949ebd5a",
@@ -1592,10 +1656,20 @@
 "version": 2
 },
 "2388c687-cb2c-4b7b-be8f-6864a2385048": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 101,
+ "rule_name": "Potential Kubectl Masquerading via Unexpected Process",
+ "sha256": "5b3192389352616bc5f12a2b226e1c3c6eab2403648dc902fbaf3666238b8eac",
+ "type": "eql",
+ "version": 2
+ }
+ },
 "rule_name": "Potential Kubectl Masquerading via Unexpected Process",
- "sha256": "5b3192389352616bc5f12a2b226e1c3c6eab2403648dc902fbaf3666238b8eac",
+ "sha256": "8d46821a3cdc95b2621a769daff499f7f908802034e7c47f649884fb5c5bae04",
 "type": "eql",
- "version": 2
+ "version": 102
 },
 "23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
 "rule_name": "Unknown Execution of Binary with RWX Memory Region",
@@ -1645,6 +1719,13 @@
 "type": "query",
 "version": 108
 },
+ "2572f7e0-7647-4c68-a42b-d3b1973deaae": {
+ "min_stack_version": "9.3",
+ "rule_name": "Potential Kubeletctl Execution Detected via Defend for Containers",
+ "sha256": "c7663a155471fff8ff929fa79611c9b8a5bdb6f45c70f80a2ad6170e9ab67a25",
+ "type": "eql",
+ "version": 1
+ },
 "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
 "rule_name": "Potential Reverse Shell via Background Process",
 "sha256": "87752d0d2674be61e35e91cd109a9bc7c29f88b96135fcdd527bc9b9a3185371",
@@ -1784,6 +1865,13 @@
 "type": "query",
 "version": 107
 },
+ "279e272a-91d9-4780-878c-bfcac76e6e31": {
+ "min_stack_version": "9.3",
+ "rule_name": "Suspicious Interactive Process Execution Detected via Defend for Containers",
+ "sha256": "08f34153e09cab130b0afebb32638f990d8d322bb739b0b53f9b4a35afe9e628",
+ "type": "eql",
+ "version": 1
+ },
 "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
 "rule_name": "M365 Teams External Access Enabled",
 "sha256": "260444625c4e3f1749f82673f9a134c20860e9dd0d6eeff7ad41f9bfd0aaa4a1",
@@ -1923,10 +2011,10 @@
 "version": 12
 },
 "2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
- "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
- "sha256": "c92d0dedf58fe91d8544ae9e0e6b3bfd3e2d0e07b1ac785743deecf4313da818",
+ "rule_name": "Kubernetes Pod Created with a Sensitive hostPath Volume",
+ "sha256": "e4cccea06a30da3b02e7dbe87de564aa89ade0c37ffd59e8e30bdc6cf4f0c780",
 "type": "query",
- "version": 208
+ "version": 209
 },
 "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
 "rule_name": "ESXI Discovery via Grep",
@@ -2017,6 +2105,12 @@
 "type": "new_terms",
 "version": 214
 },
+ "2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": {
+ "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected",
+ "sha256": "eaf9d7580fe68d994bc9dd5059a77678717d826f1027ca65b9dbb286ab41f332",
+ "type": "esql",
+ "version": 1
+ },
 "2dd480be-1263-4d9c-8672-172928f6789a": {
 "rule_name": "Suspicious Process Access via Direct System Call",
 "sha256": "725b9cc7320e57d8119fcc676c6b55409e1a37ea68929837b4e16654b6105966",
@@ -2289,6 +2383,13 @@
 "type": "eql",
 "version": 114
 },
+ "33ff31e9-3872-4944-8394-81dae76c12d9": {
+ "min_stack_version": "9.3",
+ "rule_name": "Potential Cluster Enumeration via jq Detected via Defend for Containers",
+ "sha256": "01dc99277408753626228faea19f9692f74986b27893fa10d56ec72f7f599cba",
+ "type": "eql",
+ "version": 1
+ },
 "341c6e18-9ef1-437e-bf18-b513f3ae2130": {
 "rule_name": "Potential Privilege Escalation via SUID/SGID Proxy Execution",
 "sha256": "d535abad52b8d6adb581e3d93e127daceb495d7d568e7909e07888cff673237b",
@@ -2383,6 +2484,12 @@
 "type": "esql",
 "version": 6
 },
+ "36755b43-a1f9-4f2c-9b61-6b240dd0e164": {
+ "rule_name": "Executable File Download via Wget",
+ "sha256": "71221bb9da8496eb982f703abdfa41780325a6d81b484361e1c41ae00352f8bf",
+ "type": "eql",
+ "version": 1
+ },
 "3688577a-d196-11ec-90b0-f661ea17fbce": {
 "rule_name": "Process Started from Process ID (PID) File",
 "sha256": "6165a31cec72ee460cd8e53b67fe0da967b0f32bbe123f7ad1243b90483dcb9d",
@@ -2475,9 +2582,9 @@
 },
 "38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
 "rule_name": "Prompt for Credentials with Osascript",
- "sha256": "7dd8ee328e2ef5fa7aafec424fdd0433a803f6b5ea76afe2f9d07ab2a427eb5a",
+ "sha256": "b5759121d56608be8b41755b2685e9332b61fa9b5220e13d1ad7ede9144752a3",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
 "rule_name": "M365 Identity Login from Impossible Travel Location",
@@ -2527,6 +2634,12 @@
 "type": "eql",
 "version": 7
 },
+ "3a01e5c6-ce01-46d7-ac9f-52dc349695fb": {
+ "rule_name": "Kubernetes Anonymous User Create/Update/Patch Pods Request",
+ "sha256": "befed322a39aa806451d32ff48e001b234b58ed1b1ce44bacc40e509e8f51a21",
+ "type": "eql",
+ "version": 1
+ },
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "rule_name": "Potential DNS Tunneling via NsLookup",
 "sha256": "a48541ec5ea28eba5a75f325730d4f1b8492343efbdee7039f65b368fd650367",
@@ -2557,6 +2670,12 @@
 "type": "eql",
 "version": 4
 },
+ "3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c": {
+ "rule_name": "External IP Address Discovery via Curl",
+ "sha256": "8b76cd9c1817c00cade7709946be584ee7ae14b634434ca378634e3d717e5172",
+ "type": "eql",
+ "version": 1
+ },
 "3ad49c61-7adc-42c1-b788-732eda2f5abf": {
 "rule_name": "VNC (Virtual Network Computing) to the Internet",
 "sha256": "b2370cf022a97844dc68bdabfcf7602ace007aad1da28145f9832a3f8104bcc9",
@@ -2612,10 +2731,20 @@
 "version": 5
 },
 "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 101,
+ "rule_name": "Potential Impersonation Attempt via Kubectl",
+ "sha256": "dc9f92addd41a67185697f22d88c67575a47eac0b95a555df193cccb4ce93367",
+ "type": "eql",
+ "version": 2
+ }
+ },
 "rule_name": "Potential Impersonation Attempt via Kubectl",
- "sha256": "dc9f92addd41a67185697f22d88c67575a47eac0b95a555df193cccb4ce93367",
+ "sha256": "d688f985ff54d810509b5039443537aff744620740dc38d7622d3c308ca1ef51",
 "type": "eql",
- "version": 2
+ "version": 102
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "rule_name": "Unusual Linux Network Port Activity",
@@ -2623,6 +2752,12 @@
 "type": "machine_learning",
 "version": 108
 },
+ "3c82bf84-5941-495b-ac41-0302f28e1a90": {
+ "rule_name": "Kubernetes Sensitive RBAC Change Followed by Workload Modification",
+ "sha256": "18fe84303cd10390a63bedefefe74d000e354fbf6b6e498762afdfe1def7c97d",
+ "type": "eql",
+ "version": 1
+ },
 "3c9f7901-01d8-465d-8dc0-5d46671035fa": {
 "rule_name": "Kernel Seeking Activity",
 "sha256": "7e139f90c3e517c0e4d321c2e1f8c85980072158ef2c577fc65ca7091b81ab0f",
@@ -2653,6 +2788,13 @@
 "type": "esql",
 "version": 3
 },
+ "3dc4e312-346b-4a10-b05f-450e1eeab91c": {
+ "min_stack_version": "9.3",
+ "rule_name": "LLM-Based Compromised User Triage by User",
+ "sha256": "f39f059ff6002a24c19c201ebcafb670472fec3a8803a947eda5e7f680ae2573",
+ "type": "esql",
+ "version": 1
+ },
 "3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
 "rule_name": "AWS SNS Rare Protocol Subscription by User",
 "sha256": "09b1c205b24ec1820aa83763ee862d5e56b7d41bba93c7a655d266acb214106a",
@@ -2817,9 +2959,9 @@
 },
 "40fe11c2-376e-11f0-9a82-f661ea17fbcd": {
 "rule_name": "M365 Exchange Inbox Phishing Evasion Rule Created",
- "sha256": "f68b743a23bfe7ffa247d045fb16ff26bf8d5131da26b263ae9484ef7f5a8bea",
+ "sha256": "3182151b918f1eb8735a78061444af2e61b835bb51025b310d342915bd4049c6",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
 "rule_name": "Unix Socket Connection",
@@ -2840,10 +2982,10 @@
 "version": 207
 },
 "41824afb-d68c-4d0e-bfee-474dac1fa56e": {
- "rule_name": "EggShell Backdoor Execution",
- "sha256": "c6db4a83796d7cf928722343a6a4db5399169434467a6a3af013e63c9ec4b104",
+ "rule_name": "Deprecated - EggShell Backdoor Execution",
+ "sha256": "ad194c072b22ac1d47da8069b2c2cda6478e3fd76ec7f8dd2e6914f3328b7ecb",
 "type": "query",
- "version": 106
+ "version": 107
 },
 "4182e486-fc61-11ee-a05d-f661ea17fbce": {
 "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
@@ -2907,6 +3049,13 @@
 "type": "new_terms",
 "version": 2
 },
+ "42de0740-8ed8-4b8b-995c-635b56a8bbf4": {
+ "min_stack_version": "9.3",
+ "rule_name": "Kubelet Certificate File Access Detected via Defend for Containers",
+ "sha256": "ac7f3df4cbc5e5487d605fc840c2e142f6d4479b7bcec3e8da8cfbad8db0b388",
+ "type": "eql",
+ "version": 1
+ },
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "rule_name": "Process Creation via Secondary Logon",
 "sha256": "3c3c993e8730eb3546b9a22b493dcf55eba6a7e9215c41c15ce7dbb82a53e283",
@@ -3062,6 +3211,12 @@
 "type": "eql",
 "version": 216
 },
+ "47e46d85-3963-44a0-b856-bccff48f8676": {
+ "rule_name": "DNS Request for IP Lookup Service via Unsigned Binary",
+ "sha256": "b77d74a3141da1892738e8c0d4fd55bcbe16d6888bb1c16ec266c429adf9d305",
+ "type": "eql",
+ "version": 1
+ },
 "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
 "rule_name": "Execution via Regsvcs/Regasm",
 "sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
@@ -3153,6 +3308,13 @@
 "type": "eql",
 "version": 3
 },
+ "497a7091-0ebd-44d7-88c4-367ab4d4d852": {
+ "min_stack_version": "9.3",
+ "rule_name": "Web Server Child Shell Spawn Detected via Defend for Containers",
+ "sha256": "2836307f3b351a22d2986635ec61828cb144fabc433c6320de3eaa7c42f2d530",
+ "type": "eql",
+ "version": 1
+ },
 "4982ac3e-d0ee-4818-b95d-d9522d689259": {
 "rule_name": "Process Discovery Using Built-in Tools",
 "sha256": "547cc7d9e89793916feda5f91bfa09fcdb1001369b259f28b1d90f8790b0c8b7",
@@ -3230,10 +3392,10 @@
 "version": 4
 },
 "4b77d382-b78e-4aae-85a0-8841b80e4fc4": {
- "rule_name": "Forbidden Request from Unusual User Agent in Kubernetes",
- "sha256": "44dbd2e2d5af2e9df06d89cf654cc195efaa14f829c983dbd7cacb1503f1378d",
- "type": "eql",
- "version": 2
+ "rule_name": "Kubernetes Forbidden Request from Unusual User Agent",
+ "sha256": "bce55d444f06dadedac1ad5fcab4e1b83ad531d1a3c30d85dac9d116dfb2998a",
+ "type": "new_terms",
+ "version": 3
 },
 "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
 "rule_name": "ProxyChains Activity",
@@ -3449,9 +3611,9 @@
 "527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": {
 "min_stack_version": "9.3",
 "rule_name": "Tool Installation Detected via Defend for Containers",
- "sha256": "0a5983733af632086adb851deb9ebad222deb931b97dbd3a38381a3cf111a07d",
+ "sha256": "60bd0870424af064060e3b1ad24aed4a9995fa9765dae5c3a1e175186c971501",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "5297b7f1-bccd-4611-93fa-ea342a01ff84": {
 "rule_name": "Execution via Microsoft DotNet ClickOnce Host",
@@ -3538,6 +3700,12 @@
 "type": "eql",
 "version": 6
 },
+ "54214c47-be7c-4f6b-8ef2-78832f9f8f42": {
+ "rule_name": "Network Connection to OAST Domain via Script Interpreter",
+ "sha256": "b23a8e48776683b5d40549babe8be8f226fea5f293ee533b5441bef2203396ef",
+ "type": "eql",
+ "version": 1
+ },
 "54902e45-3467-49a4-8abc-529f2c8cfb80": {
 "rule_name": "Uncommon Registry Persistence Change",
 "sha256": "85b3ae783986f75b82921357341bc4ee866a9da2bf84fdf8a1c810f6ded404b1",
@@ -3556,6 +3724,12 @@
 "type": "eql",
 "version": 216
 },
+ "55a372b9-f5b6-4069-a089-8637c00609a2": {
+ "rule_name": "First-Time FortiGate Administrator Login",
+ "sha256": "c8ae5b46d71c1deaa2facaa60f2af5cf5b1ff5ebf20e1db487ae74f4c3be7e8d",
+ "type": "esql",
+ "version": 1
+ },
 "55c2bf58-2a39-4c58-a384-c8b1978153c2": {
 "rule_name": "Windows Service Installed via an Unusual Client",
 "sha256": "d9d7b7c944e438656c8d6c348d8acd34be6f45ef68c23cdc5c1e679c1eb476f2",
@@ -3720,9 +3894,9 @@
 },
 "590fc62d-7386-4c75-92b0-af4517018da1": {
 "rule_name": "Unusual Process Modifying GenAI Configuration File",
- "sha256": "68cef9a54176b73c5ecbf9160c65e315256db4145b8274d1c2c86824396a98b7",
+ "sha256": "abc0bfe398cb501c7db9e673a9edc3b0d8d39180620a75eee3aa77a0bd3f435d",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "5919988c-29e1-4908-83aa-1f087a838f63": {
 "rule_name": "File or Directory Deletion Command",
@@ -4043,6 +4217,12 @@
 "type": "query",
 "version": 2
 },
+ "60da1bd7-c0b9-4ba2-b487-50a672274c04": {
+ "rule_name": "Discovery Command Output Written to Suspicious File",
+ "sha256": "0f20b925e290e8b322e4fbca19247555026e2be561e5f19adeeed82693fbd764",
+ "type": "eql",
+ "version": 1
+ },
 "60f3adec-1df9-4104-9c75-b97d9f078b25": {
 "rule_name": "M365 Exchange DLP Policy Deleted",
 "sha256": "6bd8639a31024475ca8e5c8b3f48b7452910b8d4c55782f0e93eb2ed54f12720",
@@ -4067,6 +4247,12 @@
 "type": "eql",
 "version": 108
 },
+ "618a219d-a363-4ab1-ba30-870d7c22facd": {
+ "rule_name": "FortiGate FortiCloud SSO Login from Unusual Source",
+ "sha256": "72da74c741d7d212fe291bf91eec7e01a0a2927b05681655ce4fcdda5b27197b",
+ "type": "esql",
+ "version": 1
+ },
 "618bb351-00f0-467b-8956-8cace8b81f07": {
 "rule_name": "AWS S3 Bucket Policy Added to Allow Public Access",
 "sha256": "432b70fbe0e399988c18b6bd0f70a80bfa5cd7b7d0848ed2fe754ecdae6ea112",
@@ -4121,6 +4307,12 @@
 "type": "eql",
 "version": 9
 },
+ "62ba8542-1246-4647-9b84-98aa1bc0760a": {
+ "rule_name": "Persistence via Suspicious Launch Agent or Launch Daemon",
+ "sha256": "e96f8422546d427d174b67e32e22f9f294338e62a32b312144be86d8f54cbf31",
+ "type": "eql",
+ "version": 1
+ },
 "63153282-12da-415f-bad8-c60c9b36cbe3": {
 "rule_name": "Process Backgrounded by Unusual Parent",
 "sha256": "75b9496ea55a4093c1a530bf9d5d06b67b782ad0fea18e9f34fc26ae90875888",
@@ -4135,21 +4327,21 @@
 },
 "63c05204-339a-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
- "sha256": "9f435a9831cb785e2b5c2aa59f2c2f214b372f26823c951d64a269d307591e30",
+ "sha256": "3eb4cf8191b540261c82f3be237b1d7d0d7a6c89daac1922c17723115c99e60b",
 "type": "query",
- "version": 10
+ "version": 11
 },
 "63c056a0-339a-11ed-a261-0242ac120002": {
- "rule_name": "Kubernetes Denied Service Account Request",
- "sha256": "18aa9f9e78bf1f5f528922bfa2420988c64ddf1d85a04ba6234d3954b6e8caa6",
- "type": "query",
- "version": 9
+ "rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent",
+ "sha256": "a51b22abe731e1bf42bee2f8ab1b1e5278704564385639b3e04c29090100abdd",
+ "type": "new_terms",
+ "version": 10
 },
 "63c057cc-339a-11ed-a261-0242ac120002": {
- "rule_name": "Kubernetes Anonymous Request Authorized",
- "sha256": "93b73fe3d15ca4f29227bf0188faabb45ee0a73da43affd5fabf3f85e275e954",
- "type": "query",
- "version": 10
+ "rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent",
+ "sha256": "34c05c49fad5144c6d74e2060f98c8e4b73196e62fa7d647790619127fd75deb",
+ "type": "new_terms",
+ "version": 11
 },
 "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
 "rule_name": "Sensitive Registry Hive Access via RegBack",
@@ -4189,9 +4381,9 @@
 },
 "6482255d-f468-45ea-a5b3-d3a7de1331ae": {
 "rule_name": "Modification of Safari Settings via Defaults Command",
- "sha256": "e58f9a734b08aaa71549e4b36faff3a83f6755807a7120cd13d38d06a684c382",
+ "sha256": "f04f7762a2d3bbdd47fc5d15c9ccbbdf7c3920065615febd7cfe2ecd45a20eab",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
 "rule_name": "Network Connection via Recently Compiled Executable",
@@ -4201,9 +4393,9 @@
 },
 "64f17c52-6c6e-479e-ba72-236f3df18f3d": {
 "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
- "sha256": "55c9cb90e44de948472e103b21f29429a8e60efef9592375ede5db5192ffe80f",
+ "sha256": "3bfd7f995447f6b0f7f007bbaa92f8674ae06f346fd5d6ea0813150b56310cdf",
 "type": "esql",
- "version": 8
+ "version": 9
 },
 "6505e02e-28dd-41cd-b18f-64e649caa4e2": {
 "rule_name": "Manual Memory Dumping via Proc Filesystem",
@@ -4256,9 +4448,9 @@
 "66229f32-c460-410d-bc37-4b32322cd4bb": {
 "min_stack_version": "9.3",
 "rule_name": "Service Account Token or Certificate Read Detected via Defend for Containers",
- "sha256": "0f9335e8f3a635d2fe4730dc26f33d4a127ac73987f7db1b63029b659c1190f4",
+ "sha256": "b46c90e3fb46b1ed19f04b00acefbe47de9bebecafc766b1f2395be6d66db5b7",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "6631a759-4559-4c33-a392-13f146c8bcc4": {
 "rule_name": "Potential Spike in Web Server Error Logs",
@@ -4292,9 +4484,9 @@
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "6323241d77c967570202a22974f5d2aea22433a60155794a44268995fc764561",
+ "sha256": "588b5c22c6131c00caf3b5db67ff082452f1ec848509748112d858afc25ea11e",
 "type": "eql",
- "version": 125
+ "version": 126
 },
 "66c058f3-99f4-4d18-952b-43348f2577a0": {
 "rule_name": "Linux Process Hooking via GDB",
@@ -4500,6 +4692,12 @@
 "type": "esql",
 "version": 10
 },
+ "6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf": {
+ "rule_name": "Suspicious Curl to Google App Script Endpoint",
+ "sha256": "e2fc6cd326556ed26877b749ff45a326d60917f1600dd11d2af16624358755ed",
+ "type": "eql",
+ "version": 1
+ },
 "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
 "rule_name": "Sensitive Files Compression",
 "sha256": "00cbc975bf2bb4c3eabce8c28956e5676b088239f60aedb0397f4e4c6e3bb64e",
@@ -4558,11 +4756,17 @@
 "type": "eql",
 "version": 8
 },
+ "6da6f80f-fe41-4814-8010-453e6164bd40": {
+ "rule_name": "Suspicious Curl from macOS Application",
+ "sha256": "c6696e22c0f6ea9d62054fd0a21b17180d6a932ffcdf222d3cbd4ca42f32170e",
+ "type": "eql",
+ "version": 1
+ },
 "6ddb6c33-00ce-4acd-832a-24b251512023": {
 "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
- "sha256": "8e74c22ed5070ecb3f6e9fff9f6107ff601362772244dabd84bab5298cad1ecb",
+ "sha256": "2a4553cfcf96d35a8e7b1e64f806c76645fb7e974e47de871af877e2fd45fcea",
 "type": "esql",
- "version": 7
+ "version": 8
 },
 "6ded0996-7d4b-40f2-bf4a-6913e7591795": {
 "rule_name": "Root Certificate Installation",
@@ -4572,9 +4776,9 @@
 },
 "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
 "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
- "sha256": "f2678627c0e56eb4770e873cc45c7aefb4d5ee4d62ae0f5f2e5ac0951de029d2",
+ "sha256": "213c2d203380501be08aecccb31169f1fb616edad4188e5f3f290ce6edd7b24c",
 "type": "new_terms",
- "version": 113
+ "version": 114
 },
 "6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
 "rule_name": "Loadable Kernel Module Configuration File Creation",
@@ -4594,6 +4798,12 @@
 "type": "query",
 "version": 1
 },
+ "6e5189c4-d3a5-4114-8cb3-bd3a65713f19": {
+ "rule_name": "System and Network Configuration Check",
+ "sha256": "a39bd3cc0735f30a80651410c92c4d6c2d965fe1b0719d5ce05215534f48bd47",
+ "type": "eql",
+ "version": 1
+ },
 "6e9130a5-9be6-48e5-943a-9628bfc74b18": {
 "rule_name": "AdminSDHolder Backdoor",
 "sha256": "dc6bffc49011189309e7b9497e36f0d750f096ab012779a4e963c370a87370a0",
@@ -4740,9 +4950,9 @@
 },
 "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
 "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
- "sha256": "12adb8caa4cf41e1a492cf42db6b2578138926e4fc661af44d4ad81f498d9768",
+ "sha256": "eee78f93f7aeeb4b4f0ea1b35b303f8ee2141b44381b92e735a4e4cf30039209",
 "type": "eql",
- "version": 110
+ "version": 111
 },
 "713e0f5f-caf7-4dc2-88a7-3561f61f262a": {
 "rule_name": "AWS EC2 EBS Snapshot Access Removed",
@@ -4752,9 +4962,9 @@
 },
 "7164081a-3930-11ed-a261-0242ac120002": {
 "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
- "sha256": "02a340a8f7a03f9f711f2ef54847fafadb802ebf54d749f2dde581698a9e874f",
+ "sha256": "e0e1831b2349191eba34af454905c373ca7a88563bdba740fec6039dce4f5885",
 "type": "query",
- "version": 9
+ "version": 10
 },
 "717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
 "rule_name": "Modification of Dynamic Linker Preload Shared Object",
@@ -4794,9 +5004,9 @@
 },
 "721999d0-7ab2-44bf-b328-6e63367b9b29": {
 "rule_name": "M365 Security Compliance Potential Ransomware Activity",
- "sha256": "6b7032f529e56817c5e92596644b07fa8cd6fc50c50c5d8bf67e3343697fcfb2",
+ "sha256": "873bf6ea0ce126f98f6384575a92f4ac431c9681d3ac6877ddfa3a4c4d5acfc2",
 "type": "query",
- "version": 211
+ "version": 212
 },
 "725a048a-88c5-4fc7-8677-a44fc0031822": {
 "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
@@ -4858,6 +5068,13 @@
 "type": "eql",
 "version": 6
 },
+ "737626a2-4dca-4195-8ecd-68ef96fd1bad": {
+ "min_stack_version": "9.3",
+ "rule_name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers",
+ "sha256": "914bcc5197cf41c4c4e45b450b881a1cccfcb8cb88385ff00dba131d1a82a7d5",
+ "type": "eql",
+ "version": 1
+ },
 "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
 "rule_name": "Potential Modification of Accessibility Binaries",
 "sha256": "3a1f9137b0ac5c869b1a85c1f9cf33b9842c078786d4f226f86133349f0dea88",
@@ -4889,10 +5106,20 @@
 "version": 107
 },
 "74e5241e-c1a1-4e70-844e-84ee3d73eb7d": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 101,
+ "rule_name": "Kubectl Workload and Cluster Discovery",
+ "sha256": "90a45d01eaf0d5df552f32551a7a4d7d49f2b95c746968de7fb580c322514b34",
+ "type": "eql",
+ "version": 2
+ }
+ },
 "rule_name": "Kubectl Workload and Cluster Discovery",
- "sha256": "90a45d01eaf0d5df552f32551a7a4d7d49f2b95c746968de7fb580c322514b34",
+ "sha256": "72b36e719acfa3ff798e7b986ca4a13227619e6e45f91695ff986bf2d8af3c17",
 "type": "eql",
- "version": 2
+ "version": 102
 },
 "74ee9a2d-5ed3-40c8-9e6c-523d2e6a17ef": {
 "min_stack_version": "9.3",
@@ -4945,9 +5172,9 @@
 },
 "764c8437-a581-4537-8060-1fdb0e92c92d": {
 "rule_name": "Kubernetes Pod Created With HostIPC",
- "sha256": "08c7392344a8d4c14e89412d74635a4e2cdb2169726330efa92df7708f7c358b",
+ "sha256": "fad10679c3e41ef62b3464b9a30fea4414b61d69f36e2952798e696aeadbdf0c",
 "type": "query",
- "version": 208
+ "version": 209
 },
 "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
 "rule_name": "Access to a Sensitive LDAP Attribute",
@@ -5317,9 +5544,9 @@
 },
 "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
 "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
- "sha256": "0222b8c339c6fece1da1fb65126482f2d6cb8d8dace1fa6bd49ac2231c51f724",
+ "sha256": "1d6b0e3e9b85628bcab76103c4731640923f970e84ab576390ffd7e6e2993467",
 "type": "eql",
- "version": 8
+ "version": 9
 },
 "80084fa9-8677-4453-8680-b891d3c0c778": {
 "rule_name": "Enumeration of Kernel Modules via Proc",
@@ -5369,6 +5596,12 @@
 "type": "machine_learning",
 "version": 7
 },
+ "8154d01d-04d1-4695-bcbb-95a1bb606355": {
+ "rule_name": "Gatekeeper Override and Execution",
+ "sha256": "8afead563aec10ecbe9ff320f472d7ef9aaecb7af95c998f1f5e9db6c65350e4",
+ "type": "eql",
+ "version": 1
+ },
 "8167c5ae-3310-439a-8a58-be60f55023d2": {
 "rule_name": "Suspicious Named Pipe Creation",
 "sha256": "fd8454b2d4f97083b893c89b35068c9403dc7aab3220e1c766af3c15bade3745",
@@ -5504,9 +5737,9 @@
 },
 "85e2d45e-a3df-4acf-83d3-21805f564ff4": {
 "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
- "sha256": "bdd5af09eec5fbd3fe9fcaea365b98da862ceddafc94458b1e8dd149158d4334",
+ "sha256": "042802b5d6c49216900c89afe8817be16c66474e291e952d93911a9daa7e721a",
 "type": "esql",
- "version": 6
+ "version": 7
 },
 "860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
 "rule_name": "Potential Subnet Scanning Activity from Compromised Host",
@@ -5546,9 +5779,9 @@
 },
 "870aecc0-cea4-4110-af3f-e02e9b373655": {
 "rule_name": "Security Software Discovery via Grep",
- "sha256": "9c27e817350dbd08dc61d8370dca3e347fe4982b295ab1564fd94b663d5ac4af",
+ "sha256": "dd820be9349011d4ec335569d9898cb70ea8a935ad0df6f01cbe987c9d711bc7",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "871ea072-1b71-4def-b016-6278b505138d": {
 "rule_name": "Enumeration of Administrator Accounts",
@@ -5569,10 +5802,20 @@
 "version": 211
 },
 "877cc04a-3320-411d-bbe9-53266fa5e107": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 100,
+ "rule_name": "Kubectl Network Configuration Modification",
+ "sha256": "f52b65c61add58050fdf37f23b51c7f49e70f75ffcd36f2a268c0c7d8fb5b4c7",
+ "type": "eql",
+ "version": 1
+ }
+ },
 "rule_name": "Kubectl Network Configuration Modification",
- "sha256": "f52b65c61add58050fdf37f23b51c7f49e70f75ffcd36f2a268c0c7d8fb5b4c7",
+ "sha256": "6ae6852c50cac7da8c2ea64b823c43ec4f6f8027bd4d53e469ef8fcc702a2709",
 "type": "eql",
- "version": 1
+ "version": 101
 },
 "87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
 "rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
@@ -5628,6 +5871,12 @@
 "type": "eql",
 "version": 100
 },
+ "896a0a38-eaa0-42e9-be35-dfcc3e3e90ae": {
+ "rule_name": "FortiGate Overly Permissive Firewall Policy Created",
+ "sha256": "dce4787b06484f9e268d774d7f7f6199d15c9024ebf21b96d01d29eda07c2b61",
+ "type": "eql",
+ "version": 1
+ },
 "897dc6b5-b39f-432a-8d75-d3730d50c782": {
 "rule_name": "Kerberos Traffic from Unusual Process",
 "sha256": "ebee242d6ebd5dd4df5eb9d53e35e8796a2b0bcb6e499808ec159da4d51abda8",
@@ -5678,9 +5927,15 @@
 },
 "8a1db198-da6f-4500-b985-7fe2457300af": {
 "rule_name": "Kubernetes Unusual Decision by User Agent",
- "sha256": "4d9e25544d4884a3184114f1a37b6bab733a7eb786233b734382efe13fef78d5",
+ "sha256": "02bd2e5594b646fce653c4f45cd7fe8be705a608f5bf1ff46d0a0efcc0dddb22",
 "type": "new_terms",
- "version": 2
+ "version": 3
+ },
+ "8a556117-3f05-430e-b2eb-7df0100b4e3b": {
+ "rule_name": "FortiGate Administrator Login from Multiple IP Addresses",
+ "sha256": "4fb953698ceae0d3a2368b598e494768631fda61e787c814fd8b14648970ed61",
+ "type": "esql",
+ "version": 1
 },
 "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
 "rule_name": "Attempt to Deactivate an Okta Network Zone",
@@ -5928,9 +6183,9 @@
 },
 "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": {
 "rule_name": "GenAI Process Connection to Unusual Domain",
- "sha256": "54d98d1a3325c4107d4a9ef29a8a5ad27904f7e0f32bc825273a32f66aaebca2",
+ "sha256": "361d05f54a045b82ea3d1faae7e344acc037ffc8f81b3624498d129ea00f8d82",
 "type": "new_terms",
- "version": 2
+ "version": 3
 },
 "9055ece6-2689-4224-a0e0-b04881e1f8ad": {
 "rule_name": "AWS RDS DB Instance or Cluster Deleted",
@@ -6350,10 +6605,20 @@
 "version": 211
 },
 "98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 102,
+ "rule_name": "Kubectl Configuration Discovery",
+ "sha256": "f1ce3b64d18b203d2a5640f04f3f140a038e195d7d299e1891dcd2e4cd5b0c67",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Kubectl Configuration Discovery",
- "sha256": "f1ce3b64d18b203d2a5640f04f3f140a038e195d7d299e1891dcd2e4cd5b0c67",
+ "sha256": "33897dd8a858f989c8a73f3f64ff7d370670cc9d413c2f2b022a4b1ef3ca0e10",
 "type": "eql",
- "version": 3
+ "version": 103
 },
 "98fd7407-0bd5-5817-cda0-3fcc33113a56": {
 "rule_name": "Deprecated - AWS EC2 Snapshot Activity",
@@ -6375,9 +6640,9 @@
 },
 "994e40aa-8c85-43de-825e-15f665375ee8": {
 "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
- "sha256": "5257a1165317b78ed8768db7c8d21da327d5eb2d254d1402b03969784ed75a8a",
+ "sha256": "e6d17410dec032b711ab184de223d6a66583d99ce4761d37339a5dfddd2d61d4",
 "type": "eql",
- "version": 115
+ "version": 116
 },
 "9960432d-9b26-409f-972b-839a959e79e2": {
 "rule_name": "Potential Credential Access via LSASS Memory Dump",
@@ -6440,10 +6705,20 @@
 "version": 312
 },
 "9a6f5d74-c7e7-4a8b-945e-462c102daee4": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 102,
+ "rule_name": "Kubeconfig File Discovery",
+ "sha256": "308de3e9eb7308216c0635af6334abd3db7814ad46abf18c269f84d999abd623",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Kubeconfig File Discovery",
- "sha256": "308de3e9eb7308216c0635af6334abd3db7814ad46abf18c269f84d999abd623",
+ "sha256": "9cf4ca024bd0b6a65da57d83de692104a85e503c0b78462225df6cfa64aeb91e",
 "type": "eql",
- "version": 3
+ "version": 103
 },
 "9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
 "rule_name": "Scheduled Tasks AT Command Enabled",
@@ -6489,9 +6764,9 @@
 },
 "9c260313-c811-4ec8-ab89-8f6530e0246c": {
 "rule_name": "Hosts File Modified",
- "sha256": "9c992604af2cc7a71d3a4bf04eb2606874191966c82583c6927b8ae56b94c18b",
+ "sha256": "2a3d34af24f45fc01ea0f0bcd3ba685e5a5caa3780e1818985ea77f40f1e9ffc",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": {
 "rule_name": "Unusual Interactive Shell Launched from System User",
@@ -6608,6 +6883,12 @@
 "type": "query",
 "version": 2
 },
+ "9ed5d08f-aad6-4c03-838c-d686da887c2c": {
+ "rule_name": "Okta AiTM Session Cookie Replay",
+ "sha256": "3c8b25b3282976d4718265e11ce3ffa5a131cfff8bb053549a80ef90c6610b8a",
+ "type": "esql",
+ "version": 1
+ },
 "9edd000e-cbd1-4d6a-be72-2197b5625a05": {
 "rule_name": "Suricata and Elastic Defend Network Correlation",
 "sha256": "069736ec0e27e4a41a9a2be1230b04c062e36fd2393cd332c593d7895d73e1ec",
@@ -6616,9 +6897,9 @@
 },
 "9edd1804-83c7-4e48-b97d-c776b4c97564": {
 "rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
- "sha256": "3027c775591ff01adb31b74c15f22907a1d9bce26336f841e186498b8f7a1ca4",
+ "sha256": "80337ad19f41109f42a613fc874f84003c4f8ffc9d9937f5ed797ebdaba4d6b2",
 "type": "esql",
- "version": 6
+ "version": 7
 },
 "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
 "rule_name": "AWS RDS DB Instance Made Public",
@@ -6634,9 +6915,9 @@
 },
 "9f432a8b-9588-4550-838e-1f77285580d3": {
 "rule_name": "Dynamic IEX Reconstruction via Method String Access",
- "sha256": "af5ebf7d63f746e53c24845669712ae33d120da4a4c9b6e367e55d6e40dd5566",
+ "sha256": "d4479bdaec900117e1ad75df629a9315ab2de96d27ac3c4c5d7e1057c4405497",
 "type": "esql",
- "version": 8
+ "version": 9
 },
 "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
 "rule_name": "Potential Credential Access via DCSync",
@@ -6668,6 +6949,12 @@
 "type": "eql",
 "version": 8
 },
+ "a0fbd7a9-1923-4e05-92df-b484168f17bc": {
+ "rule_name": "Sensitive File Access followed by Compression",
+ "sha256": "e910bf96c71ee8bb6fec3cc3fde5260a1fed7f1c8601a0b631e0f7af2bd9217b",
+ "type": "eql",
+ "version": 1
+ },
 "a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
 "rule_name": "GCP Pub/Sub Topic Creation",
 "sha256": "99fda56283f6a5bc7b7a2a8f783178516e9590efeb3d04c0a96f7ba53346810e",
@@ -6770,6 +7057,12 @@
 "type": "query",
 "version": 110
 },
+ "a2951930-dd35-438c-b10e-1bbdc5881cb4": {
+ "rule_name": "Kubernetes Cluster-Admin Role Binding Created",
+ "sha256": "53c6415a825693d1082030f2418e73a5c0d9b060e7482c1890ddbd2c48728f5a",
+ "type": "query",
+ "version": 1
+ },
 "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
 "rule_name": "PowerShell Mailbox Collection Script",
 "sha256": "55d54469459e3e10c63d48e5b841cec3199fb5050e041092c06301b26217a960",
@@ -6782,6 +7075,12 @@
 "type": "machine_learning",
 "version": 3
 },
+ "a337c3f8-e264-4eb4-9998-22669ca52791": {
+ "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected",
+ "sha256": "07c213ebd7d0107bf8690e3353e74ed32a3fa4c99e2dcb4e6a90c5b51ce33882",
+ "type": "esql",
+ "version": 1
+ },
 "a3cc60d8-2701-11f0-accf-f661ea17fbcd": {
 "rule_name": "Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client",
 "sha256": "679e694e959d98449a1ad9c234f292fee6e37b0022b58d8aa0e069a240098d5f",
@@ -6819,6 +7118,12 @@
 "type": "eql",
 "version": 100
 },
+ "a4f7a295-aba1-4382-9c00-f7b02097acbc": {
+ "rule_name": "Suspicious SolarWinds Web Help Desk Java Module Load or Child Process",
+ "sha256": "9bd9decc9c822a522bace342351db9b5899645c1b92caefa46a2b009e1b258d3",
+ "type": "eql",
+ "version": 1
+ },
 "a52a9439-d52c-401c-be37-2785235c6547": {
 "min_stack_version": "9.3",
 "previous": {
@@ -6917,6 +7222,12 @@
 "type": "machine_learning",
 "version": 7
 },
+ "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": {
+ "rule_name": "Execution via OpenClaw Agent",
+ "sha256": "5149dcf2447de7b653bdc1e10d8c6e1513f9da7bb4c24468950ea305870a553b",
+ "type": "eql",
+ "version": 1
+ },
 "a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
 "rule_name": "Suspicious Print Spooler SPL File Created",
 "sha256": "7e536fc3989bef73d2411edbb92974c04d3cc027f95843bd49731c3a42aa5367",
@@ -6935,6 +7246,12 @@
 "type": "new_terms",
 "version": 6
 },
+ "a8256685-9736-465b-b159-f25a172d08e8": {
+ "rule_name": "Suspicious Curl to Jamf Endpoint",
+ "sha256": "96bdc6dda9b99337a375bda8f6a1c8755a9bd449a70db25466f3f8d135bc2ed8",
+ "type": "eql",
+ "version": 1
+ },
 "a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
 "rule_name": "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker",
 "sha256": "16514f9c9cd35b419a7ea68569c80f7a25b1f66370b0276cfa62cb3ec62b0c42",
@@ -6959,6 +7276,13 @@
 "type": "eql",
 "version": 8
 },
+ "a8b08d2d-6dfe-453f-87d1-11d5fc3ec746": {
+ "min_stack_version": "9.3",
+ "rule_name": "File Download Detected via Defend for Containers",
+ "sha256": "ebd2c5b6a584bc6f8f0c45d970103be1bb8ed86e9a55ffc29c52ae1e64f134c1",
+ "type": "eql",
+ "version": 1
+ },
 "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": {
 "rule_name": "Azure Storage Blob Retrieval via AzCopy",
 "sha256": "630eb9459fc7c5632430c7f31e2e7b09b45d97301ab806d43a312588e54ee683",
@@ -7019,6 +7343,12 @@
 "type": "query",
 "version": 108
 },
+ "aa1e007a-2997-4247-b048-dd9344742560": {
+ "rule_name": "Script Interpreter Connection to Non-Standard Port",
+ "sha256": "b395e05708d4c9e34bae97f6daf956aa4e62e1d0b6d36e3342294d4e1fa442fb",
+ "type": "eql",
+ "version": 1
+ },
 "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": {
 "rule_name": "Spike in Group Lifecycle Change Events",
 "sha256": "3ab7c41b734b153c7587be53dfc664648e566347fe8811622b4ec7949d802ed9",
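Review bot: The new rule_id `a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e` added in the first hunk here (Execution via OpenClaw Agent) looks hand-composed rather than randomly generated — its last group is the ascending hex run `8f1a2b3c4d5e` — and the same pattern shows in `b7e2a04d-4f8a-4e12-8c9a-1d5e6f7a8b9c` (FortiGate Configuration File Downloaded) and `e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c` (FortiGate SSO Login Followed by Administrator Account Creation) in later hunks. rule_id is the key this lock file and deprecated_rules.json use to identify a rule, so low-entropy ids raise the chance of a collision with another hand-picked id, and changing an id after the rule ships would presumably reset the version history tracked here. Since this lock is generated from the rule sources, the fix belongs there: regenerate the three ids with a real UUIDv4 (e.g. `uuidgen` or `python -c 'import uuid; print(uuid.uuid4())'`) while the rules are still at version 1, then rebuild the lock.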
@@ -7085,12 +7415,30 @@
 "type": "esql",
 "version": 10
 },
+ "ab9a334a-f2c3-4f49-879f-480de71020d3": {
+ "rule_name": "Unusual Library Load via Python",
+ "sha256": "8d7fc19513012d8ab86d3ad4472b072a5722b6e85b2d0dcf628a1f4568016ba7",
+ "type": "eql",
+ "version": 1
+ },
+ "aba3bc11-e02f-4a03-8889-d86ea1a44f76": {
+ "rule_name": "Perl Outbound Network Connection",
+ "sha256": "44441dd2aaf2ceb05edf4613d7ec999000efd12bb8d89d09c06b0711794db3ac",
+ "type": "eql",
+ "version": 1
+ },
 "abae61a8-c560-4dbd-acca-1e1438bff36b": {
 "rule_name": "Unusual Windows Process Calling the Metadata Service",
 "sha256": "f4415dd1ab33127524c8f8e5d3d96559ff08c874c75581ea1f418527b37f297c",
 "type": "machine_learning",
 "version": 209
 },
+ "abc7a2be-479e-428b-b0b3-1d22bda46dd9": {
+ "rule_name": "Google Calendar C2 via Script Interpreter",
+ "sha256": "49b0695a34b73511dba9f1d043a882b463dcee2a9a40a7ce26a3056fc2699e8e",
+ "type": "eql",
+ "version": 1
+ },
 "ac412404-57a5-476f-858f-4e8fbb4f48d8": {
 "rule_name": "Potential Persistence via Login Hook",
 "sha256": "8817908d1fcc931d10eaa32b81fbcb6a57cbbb8130bf2b99e7f1ded843a88c10",
@@ -7283,6 +7631,12 @@
 "type": "eql",
 "version": 11
 },
+ "afdca1e0-0f8a-4fcf-9e1e-95e09791e3cd": {
+ "rule_name": "Curl Execution via Shell Profile",
+ "sha256": "d8cd404e877272b325b702a0e8ac4f18db2c194ae25f1bec87a5deb487850f3c",
+ "type": "eql",
+ "version": 1
+ },
 "afe6b0eb-dd9d-4922-b08a-1910124d524d": {
 "rule_name": "Potential Privilege Escalation via Container Misconfiguration",
 "sha256": "d8caabf41661b7eede526f852cecc1cb3fb45052aaaf902375b23226bf0ecca4",
@@ -7315,21 +7669,31 @@
 },
 "b07f0fba-0a78-11f0-8311-b66272739ecb": {
 "rule_name": "Unusual Network Connection to Suspicious Web Service",
- "sha256": "fc7f704d5dcc9301e09f1db4409626544ca1a2e150ffe2ee6a7a384bc67bd015",
+ "sha256": "9797dcc6378c0d57e76f5bd680375872b642a475cef26b5bbdf5a241bf149ec5",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "b0c98cfb-0745-4513-b6f9-08dddb033490": {
 "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables",
- "sha256": "f17c2974e94ed069dc68f6dba21a74be901b6a8db8c751f0e3e54ca93d94cf09",
+ "sha256": "1e3b99a1e35a1f408d5a7a5d3947dabb2d94421e18d544ab2ca1634529dfe11e",
 "type": "esql",
- "version": 7
+ "version": 8
 },
 "b11116fd-023c-4718-aeb8-fa9d283fc53b": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 102,
+ "rule_name": "Kubeconfig File Creation or Modification",
+ "sha256": "6a08ab8625a65609aa0bef37ef07d25179e617112666f1746d309fc4c5863570",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "Kubeconfig File Creation or Modification",
- "sha256": "6a08ab8625a65609aa0bef37ef07d25179e617112666f1746d309fc4c5863570",
+ "sha256": "66a13f6294c6ee5ca9b08ab89692540cb784861984f18bb86b41db4c2b14b9c9",
 "type": "eql",
- "version": 3
+ "version": 103
 },
 "b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
 "rule_name": "Hidden Directory Creation via Unusual Parent",
@@ -7373,6 +7737,12 @@
 "type": "query",
 "version": 211
 },
+ "b29b7652-219f-468b-aa1f-5da7bcc24b03": {
+ "rule_name": "Potential Traffic Tunneling using QEMU",
+ "sha256": "cd6c7c8ebd7053c22aea64363f762d7a129e69574650d16e1cff644d71ec01ab",
+ "type": "eql",
+ "version": 1
+ },
 "b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
 "rule_name": "Network Connection via Compiled HTML File",
 "sha256": "5ae46136e4a5238cfa794a88f7f0b05e83998ae1b1211edf89c69ad05cf6b4d0",
@@ -7393,9 +7763,9 @@
 },
 "b2c3d4e5-f6a7-8901-bcde-f23456789012": {
 "rule_name": "GenAI or MCP Server Child Process Execution",
- "sha256": "223b956a529959c9e18df158fc49c4954749b3b139a4e0e2c98d9056fe6cb7e4",
+ "sha256": "e63520b1ec668be51223850b69f8993bb005a5c45f77738dd229a1d2e4254334",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "b347b919-665f-4aac-b9e8-68369bf2340c": {
 "rule_name": "Unusual Linux Username",
@@ -7445,6 +7815,13 @@
 "type": "query",
 "version": 413
 },
+ "b4bd186b-69c6-45ad-8bef-5c35bbadeaef": {
+ "min_stack_version": "9.3",
+ "rule_name": "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers",
+ "sha256": "e26d8865848df84bf05891fff57ff9bafd1acf3c54e699d5cd07d4c923ed9727",
+ "type": "eql",
+ "version": 1
+ },
 "b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
 "rule_name": "Potential Privilege Escalation via OverlayFS",
 "sha256": "3852b315ecbd762ca27f312ca2ad0f3b674dff45eca735c17f0bdddcd36e9769",
@@ -7452,10 +7829,20 @@
 "version": 9
 },
 "b53f1d73-150d-484d-8f02-222abeb5d5fa": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 101,
+ "rule_name": "Kubernetes Direct API Request via Curl or Wget",
+ "sha256": "df70d0745c16f105c5b28d1558cd717f10f40ed6dc2158b67f3455c357249582",
+ "type": "eql",
+ "version": 2
+ }
+ },
 "rule_name": "Kubernetes Direct API Request via Curl or Wget",
- "sha256": "df70d0745c16f105c5b28d1558cd717f10f40ed6dc2158b67f3455c357249582",
+ "sha256": "2480a691df156e4b8b134f42d326af3b6b6b0bbd07fbbf0423a8dd61e8097906",
 "type": "eql",
- "version": 2
+ "version": 102
 },
 "b5877334-677f-4fb9-86d5-a9721274223b": {
 "rule_name": "Clearing Windows Console History",
@@ -7511,12 +7898,25 @@
 "type": "query",
 "version": 413
 },
+ "b799720e-40d0-4dd6-9c9c-4f193a6ed643": {
+ "min_stack_version": "9.3",
+ "rule_name": "File Creation and Execution Detected via Defend for Containers",
+ "sha256": "4e1519a4656adf5de7dc890fa4f66a7b9a90263c36d67d8096b6835ad4f17220",
+ "type": "eql",
+ "version": 1
+ },
 "b7c05aaf-78c2-4558-b069-87fa25973489": {
 "rule_name": "Potential Buffer Overflow Attack Detected",
 "sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3",
 "type": "threshold",
 "version": 4
 },
+ "b7e2a04d-4f8a-4e12-8c9a-1d5e6f7a8b9c": {
+ "rule_name": "FortiGate Configuration File Downloaded",
+ "sha256": "dadf194589874cdb80905bdf9fda73d3c06041b662cef7f27dc6fa15a1a8a1a8",
+ "type": "eql",
+ "version": 1
+ },
 "b7f77c3c-1bcb-4afc-9ace-49357007947b": {
 "rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike",
 "sha256": "f6080addd4a61f03f1373074922662e8f103b752b37d81947d8e23e3ff2278f0",
@@ -7674,6 +8074,12 @@
 "type": "query",
 "version": 211
 },
+ "bba8c7d1-172b-435d-9034-02ed9289c628": {
+ "rule_name": "Potential Etherhiding C2 via Blockchain Connection",
+ "sha256": "0239484ec551525aec443a437f14bbce8e9235329a703ffc6613bc8c74510667",
+ "type": "eql",
+ "version": 1
+ },
 "bbaa96b9-f36c-4898-ace2-581acb00a409": {
 "rule_name": "Potential SYN-Based Port Scan Detected",
 "sha256": "352b0d2453ef219a0e530c3488bdd1b9548690c7bc717e3b5fd20a03b2fa88ee",
@@ -7844,15 +8250,15 @@
 },
 "c0136397-f82a-45e5-9b9f-a3651d77e21a": {
 "rule_name": "GenAI Process Accessing Sensitive Files",
- "sha256": "3c9f3b3ef9af8031776fe27168c4702ab9a7366dd5ef819a5df845f0936e5167",
+ "sha256": "4fc4636a05f3599f85b982d5f7d263da10e5cfb2f0ba232aad9df852859b5e1c",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
 "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
- "sha256": "3194a97a3ddcdf805d1dd80b9746243334be76e30e2727bac3465ff1ad50b75f",
+ "sha256": "5208299f996ad99bd98466a5f61746b69aacc186c2a0462be9bf785783db4e0e",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "c0429aa8-9974-42da-bfb6-53a0a515a145": {
 "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
@@ -8187,9 +8593,9 @@
 },
 "c7908cac-337a-4f38-b50d-5eeb78bdb531": {
 "rule_name": "Kubernetes Privileged Pod Created",
- "sha256": "c4d55835405fe3610511a901ceb9705081ef13881c425253b7a329e3aaa9c97d",
+ "sha256": "9aa019833cca8394d175d9d6f5b2baacae100ed7cb549100a54180eef77ea9bf",
 "type": "query",
- "version": 208
+ "version": 209
 },
 "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
 "rule_name": "Unusual File Operation by dns.exe",
@@ -8295,9 +8701,9 @@
 },
 "ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
 "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
- "sha256": "62c7199540ac150e45c1a00f4151cb763f421b6664f72d0d6c05eed2593e63b0",
+ "sha256": "fb6a11f3a9fb02a05961368d62c9db5f12cf99258f9083decba913f341320074",
 "type": "eql",
- "version": 13
+ "version": 14
 },
 "caaa8b78-367c-11f0-beb8-f661ea17fbcd": {
 "rule_name": "Entra ID User Reported Suspicious Activity",
@@ -8329,6 +8735,12 @@
 "type": "eql",
 "version": 110
 },
+ "cbbe0523-33f3-4420-b88d-5c940d9e72c1": {
+ "rule_name": "FortiGate Super Admin Account Creation",
+ "sha256": "16b6c260bc4650bc90da2cee64b21e22b2c5661ea91d7c4babb2ba055292197a",
+ "type": "eql",
+ "version": 1
+ },
 "cc16f774-59f9-462d-8b98-d27ccd4519ec": {
 "rule_name": "Process Discovery via Tasklist",
 "sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
@@ -8389,6 +8801,13 @@
 "type": "query",
 "version": 413
 },
+ "cd24c340-b778-44bd-ab69-2f739bd70ce1": {
+ "min_stack_version": "9.3",
+ "rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers",
+ "sha256": "f3008bfe96f0c05c6c297439f3dcd6f545b950b428e93451c419188a4c8757fa",
+ "type": "eql",
+ "version": 1
+ },
 "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
 "rule_name": "Socat Process Activity",
 "sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
@@ -8468,6 +8887,13 @@
 "type": "eql",
 "version": 3
 },
+ "cebabc1e-1145-4e39-b04b-34d621ee1e2c": {
+ "min_stack_version": "9.3",
+ "rule_name": "Shell Command-Line History Deletion Detected via Defend for Containers",
+ "sha256": "979ca3e8ac0709e5e783a63e0ca0ccd14744cb170a17f6cc02fa41296d31801d",
+ "type": "eql",
+ "version": 1
+ },
 "cf307a5a-d503-44a4-8158-db196d99c9df": {
 "rule_name": "Unusual Kill Signal",
 "sha256": "87b48799b45644f192a3001a0f4b89af47c77b4ee43ae485b40c621af5497e63",
@@ -8516,6 +8942,12 @@
 "type": "eql",
 "version": 114
 },
+ "d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03": {
+ "rule_name": "FortiGate Administrator Account Creation from Unusual Source",
+ "sha256": "cf55391bf0ce9a58032099e6d67ffab973f4413bbb9277d300fcc3580cd93f94",
+ "type": "new_terms",
+ "version": 1
+ },
 "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
 "min_stack_version": "9.3",
 "previous": {
@@ -8636,9 +9068,9 @@
 },
 "d43f2b43-02a1-4219-8ce9-10929a32a618": {
 "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
- "sha256": "dd4e01f53870047ab9f41483bffe252b90cb05c0bb0ab58486ef12de9c1e7c7e",
+ "sha256": "6ce4c54b7198d58dfe8cee0510a717d29bff8c546465fc3ec0511e5e542404bb",
 "type": "esql",
- "version": 6
+ "version": 7
 },
 "d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
 "rule_name": "Shell Execution via Apple Scripting",
@@ -8766,6 +9198,12 @@
 "type": "eql",
 "version": 214
 },
+ "d7182e12-df8f-4ecf-b8f8-7cc0adcec425": {
+ "rule_name": "Pbpaste Execution via Unusual Parent Process",
+ "sha256": "3cfed4a1b0aa89c53b098fc2987859ebe883bc1267bc374ba18070c2e9a4f5e9",
+ "type": "eql",
+ "version": 1
+ },
 "d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
 "rule_name": "Command Execution via SolarWinds Process",
 "sha256": "0fa5e6c2ae95f0dfa6d132058644c70bac38f08a2148bf5eb9b6a26dd7ceaf09",
@@ -8808,6 +9246,12 @@
 "type": "query",
 "version": 109
 },
+ "d7b57cbd-de03-4c3b-8278-daa1ee4a6772": {
+ "rule_name": "Suspicious Apple Mail Rule Plist Modification",
+ "sha256": "0f15e69cc154771f61534e30c9066d955ed06e8098f4f9a80e3d8f4b6e45eb78",
+ "type": "eql",
+ "version": 1
+ },
 "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
 "rule_name": "Spike in Logon Events",
 "sha256": "354592452a896e760a771da189694898283fef283e30b4cd3fc4d2c8f0deaf52",
@@ -8916,6 +9360,12 @@
 "type": "query",
 "version": 8
 },
+ "da7f7a93-26e1-49ce-b336-963c6dc17c7b": {
+ "rule_name": "Multiple Machine Learning Alerts by Influencer Field",
+ "sha256": "feaa5c21298a7ac10094ac4ac7a46dceb91da9bd249f817cbe301f594226d4a4",
+ "type": "esql",
+ "version": 1
+ },
 "da87eee1-129c-4661-a7aa-57d0b9645fad": {
 "rule_name": "Suspicious Service was Installed in the System",
 "sha256": "9a5fb2e46cf6489a1a39cd0be4a26dae1c3f91c4ab96dd6cece8cda288fe4de4",
@@ -9038,10 +9488,20 @@
 "version": 6
 },
 "dd983e79-22e8-44d1-9173-d57dba514cac": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 103,
+ "rule_name": "Docker Socket Enumeration",
+ "sha256": "7138568f73259e78a31af51d2811c2a36244b38986fb20b48baf9928b692deaa",
+ "type": "eql",
+ "version": 4
+ }
+ },
 "rule_name": "Docker Socket Enumeration",
- "sha256": "7138568f73259e78a31af51d2811c2a36244b38986fb20b48baf9928b692deaa",
+ "sha256": "58cc67adcc51ab6b32e392ef0edb01b69d46a6c5e44666e2f95cb708f722ebca",
 "type": "eql",
- "version": 4
+ "version": 104
 },
 "ddab1f5f-7089-44f5-9fda-de5b11322e77": {
 "rule_name": "NullSessionPipe Registry Modification",
@@ -9123,9 +9583,9 @@
 },
 "df7fda76-c92b-4943-bc68-04460a5ea5ba": {
 "rule_name": "Kubernetes Pod Created With HostPID",
- "sha256": "4b95619d1fc7907067fd8e87ab4ba3d92d9b9febf9f8aa235c1cdb9dfeba3a0c",
+ "sha256": "6473e4704235670950fe8e088ecbe56511ae0184f0bd6e59a0b9180e5049b37d",
 "type": "query",
- "version": 208
+ "version": 209
 },
 "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
 "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
@@ -9235,6 +9695,12 @@
 "type": "machine_learning",
 "version": 107
 },
+ "e26c0f76-2e80-445b-9e98-ab5532ccc46f": {
+ "rule_name": "Full Disk Access Permission Check",
+ "sha256": "513dd07104c0782edbca0973652ff1c0affc115b879c08c56ce1bd500d587595",
+ "type": "eql",
+ "version": 1
+ },
 "e26f042e-c590-4e82-8e05-41e81bd822ad": {
 "rule_name": "Suspicious .NET Reflection via PowerShell",
 "sha256": "030ebc3173772db7df46d78fb8e17ab8542bfbbb95507a0854746d3c1170b41e",
@@ -9295,6 +9761,12 @@
 "type": "eql",
 "version": 316
 },
+ "e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c": {
+ "rule_name": "FortiGate SSO Login Followed by Administrator Account Creation",
+ "sha256": "94bc6e3515c8fcb6f1fe62327d4d4a02ccab5f9520a1e457b4c9b56868a0b76a",
+ "type": "eql",
+ "version": 1
+ },
 "e3bd85e9-7aff-46eb-b60e-20dfc9020d98": {
 "rule_name": "Entra ID Concurrent Sign-in with Suspicious Properties",
 "sha256": "10e92fbdc7b268665e8611e80d3c2104328b31411a49372fdefe7d868a964903",
@@ -9325,6 +9797,12 @@
 "type": "eql",
 "version": 219
 },
+ "e3f5a566-df31-40cc-987c-24bc4bb94ba5": {
+ "rule_name": "Persistence via a Hidden Plist Filename",
+ "sha256": "e10babd2a4c59e058435d104fde73fcff04b3edff61dc053e1e33516665a6c8e",
+ "type": "eql",
+ "version": 1
+ },
 "e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1": {
 "rule_name": "SentinelOne Threat External Alerts",
 "sha256": "187f393346f1e5ce97e9a11d3cb68a3d26efed06da5070cba9858bb5e01bef6e",
@@ -9463,6 +9941,12 @@
 "type": "new_terms",
 "version": 211
 },
+ "e7e0588b-2b55-4f88-afd1-cf98e95e0f58": {
+ "rule_name": "Suspicious Outbound Network Connection via Unsigned Binary",
+ "sha256": "ce53d5d2947803141c22295600533afed56ad3287b80b85ca8c9dd0d17b0af3d",
+ "type": "eql",
+ "version": 1
+ },
 "e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
 "rule_name": "Network Connection by Cups or Foomatic-rip Child",
 "sha256": "0d70a846b5231fa5055bd8dab47d27adc7650f6ea92664b759685a8cff6e619c",
@@ -9525,9 +10009,9 @@
 },
 "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
 "rule_name": "Potential PowerShell Obfuscation via String Reordering",
- "sha256": "afb2298d561191299355f2c8ad468638887da490b515bb655937212a67746f4f",
+ "sha256": "e77f96858b8f3e569684058a79626aae64e8ae0ecf506bc05a7baffeda7fc18e",
 "type": "esql",
- "version": 9
+ "version": 10
 },
 "e90ee3af-45fc-432e-a850-4a58cf14a457": {
 "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
@@ -9577,6 +10061,12 @@
 "type": "eql",
 "version": 100
 },
+ "e9fe3645-f588-43d6-99f5-437b3ef56f25": {
+ "rule_name": "AWS EC2 Serial Console Access Enabled",
+ "sha256": "4f14c69238fcb650530a5884d6ebbbfe0c80780c84a29a6d26d078bb3114929b",
+ "type": "query",
+ "version": 1
+ },
 "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
 "rule_name": "Azure Automation Webhook Created",
 "sha256": "8214976ada75f1392c7072b184b4e333f9e13a69726fc7c43c3ee15f2c60bf2d",
@@ -9704,9 +10194,9 @@
 },
 "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
 "rule_name": "M365 Exchange Inbox Forwarding Rule Created",
- "sha256": "f742537b0fa52a3301a80db69cef158f42f90bd59446bc1c857c5ae1e2d9c0d1",
+ "sha256": "9e91ca025b63d79752f894d8552c8a137c8709df963dd3702ff1285b14c5168a",
 "type": "query",
- "version": 211
+ "version": 212
 },
 "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
 "rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
@@ -9799,10 +10289,20 @@
 "version": 112
 },
 "eef9f8b5-48ec-44b5-b8bd-7b9b7d71853c": {
+ "min_stack_version": "9.3",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 101,
+ "rule_name": "Kubectl Apply Pod from URL",
+ "sha256": "548e6c3705fae441b48d6c6931d33d907796f823cd985983d79c6041af367472",
+ "type": "eql",
+ "version": 2
+ }
+ },
 "rule_name": "Kubectl Apply Pod from URL",
- "sha256": "548e6c3705fae441b48d6c6931d33d907796f823cd985983d79c6041af367472",
+ "sha256": "539eb4b8333957dbb835a5fcda5f747181b40de7bd28cfb8c4956c51c7e8ac28",
 "type": "eql",
- "version": 2
+ "version": 102
 },
 "ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
 "rule_name": "BPF filter applied using TC",
@@ -9916,6 +10416,12 @@
 "type": "query",
 "version": 6
 },
+ "f1f3070e-045c-4e03-ae58-d11d43d2ee51": {
+ "rule_name": "Manual Loading of a Suspicious Chromium Extension",
+ "sha256": "426036f0b34c260a562af79e9d849b8f8aa0ee5cae04dc9020917c3acf02d99f",
+ "type": "eql",
+ "version": 1
+ },
 "f2015527-7c46-4bb9-80db-051657ddfb69": {
 "rule_name": "AWS RDS DB Instance or Cluster Password Modified",
 "sha256": "d02e97bb6a0789367e1693e0b732ffa53703803ee806bfaa956690ee97b9c78b",
@@ -9929,6 +10435,13 @@
 "type": "machine_learning",
 "version": 1
 },
+ "f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": {
+ "min_stack_version": "9.3",
+ "rule_name": "LLM-Based Attack Chain Triage by Host",
+ "sha256": "4e87fa86daf458374804412a96b23724e212635c2fbae7efd46e46ff8325a970",
+ "type": "esql",
+ "version": 1
+ },
 "f243fe39-83a4-46f3-a3b6-707557a102df": {
 "rule_name": "Service Path Modification",
 "sha256": "479c0261e46fdc70b821b6577c00bdd690bec74af99f5f6a36350458a33dcaca",
@@ -9965,6 +10478,12 @@
 "type": "eql",
 "version": 314
 },
+ "f2e21713-1eac-4908-a782-1b49c7e9d53b": {
+ "rule_name": "Kubernetes Service Account Modified RBAC Objects",
+ "sha256": "fe3ea9fd1b170164d8daf973f8b612f71ce7ec34e095f92b8c657f899b33e35a",
+ "type": "query",
+ "version": 1
+ },
 "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
 "rule_name": "LSASS Memory Dump Creation",
 "sha256": "4de3d5e198211653435573047cfbbcede3b079ce2d9b1e159ebc6c4a8e1bcda3",
@@ -9996,10 +10515,10 @@
 "version": 215
 },
 "f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
- "rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
- "sha256": "30bbcb2db2e6948e533d161b1e93e4097dc3f3e563b50843a3ac644e11961f66",
+ "rule_name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt",
+ "sha256": "3ba917f1ed940e767bf7bb2718523c84ade13c97c047be506fc17e8391856d86",
 "type": "threshold",
- "version": 107
+ "version": 108
 },
 "f3818c85-2207-4b51-8a28-d70fb156ee87": {
 "rule_name": "Suspicious Network Connection via systemd",
@@ -10009,9 +10528,9 @@ }, "f38633f4-3b31-4c80-b13d-e77c70ce8254": { "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", - "sha256": "b1f0957f3c9b620308bfd3dc2b14f50114a2184e78165639fc95e898174b6d64", + "sha256": "1e15020044447b4f243d928c5820afc2f536ceb7031e116f3f52abe23a435efe", "type": "esql", - "version": 7 + "version": 8 }, "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "rule_name": "Kill Command Execution", @@ -10121,6 +10640,13 @@ "type": "query", "version": 110 }, + "f596175f-b8fd-43ac-b9e9-ea2a96bb55d8": { + "min_stack_version": "9.3", + "rule_name": "Kubelet Pod Discovery Detected via Defend for Containers", + "sha256": "fa389bca269e14286f8cea1c5c9e8d2111a1d1d534a488c3c19363f409cbd697", + "type": "eql", + "version": 1 + }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { "rule_name": "WMIC Remote Command", "sha256": "2104b6abd124b33aa4ba66650b7c9c6981626f1d93a7a3a712a22891a8210b48", @@ -10200,9 +10726,9 @@ }, "f6d8c743-0916-4483-8333-3c6f107e0caa": { "rule_name": "Potential PowerShell Obfuscation via String Concatenation", - "sha256": "6140de3c404c59e56145fde2ae32439f365f95bed4bbe843288e70a554010008", + "sha256": "d400fe1c09c7e41f7178725b46bd74810243c3a0a406f71cb255002651486de3", "type": "esql", - "version": 7 + "version": 8 }, "f701be14-0a36-4e9a-a851-b3e20ae55f09": { "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing", @@ -10271,9 +10797,9 @@ "f7c64a1b-9d00-4b92-9042-d3bb4196899a": { "min_stack_version": "9.3", "rule_name": "Service Account Namespace Read Detected via Defend for Containers", - "sha256": "7b0b11fdb40acf5873635341cd6f110b54cedf319d1c0e18e33a074215df40e3", + "sha256": "54cdee057e604fae8b8629fb7e641ec29e9b46917648e63203fbd8a5f0f52430", "type": "eql", - "version": 1 + "version": 2 }, "f7c70f2e-4616-439c-85ac-5b98415042fe": { "rule_name": "Potential Privilege Escalation via Linux DAC permissions", 
@@ -10367,9 +10893,9 @@ }, "f9753455-8d55-4ad8-b70a-e07b6f18deea": { "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", - "sha256": "883920a831a8faa6182001323d2bc5d8199465f54c97091bc1060cbd092f2a81", + "sha256": "b46923fa1eca5a5c55503188812f8b17851e20dc338fc0546f0291d8e0f6258c", "type": "esql", - "version": 6 + "version": 7 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "rule_name": "Privileged Account Brute Force", @@ -10385,9 +10911,15 @@ }, "f9abcddc-a05d-4345-a81d-000b79aa5525": { "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", - "sha256": "b6f78c47b58a2e1f26a0301bc71ea07c360352365b3691e45fb59063e128092a", + "sha256": "2f3e5e0c6bf6ba23117783c2dae2684d8df44ec53d4506fb0a9f75e096d2a338", "type": "esql", - "version": 8 + "version": 9 + }, + "f9de0949-94d8-441d-ae9a-8eb1e040acf2": { + "rule_name": "Newly Observed Process Exhibiting High CPU Usage", + "sha256": "b6e23d1b2f53b36d09252c99a34fd67b30e68ccf7faf46c5516504738b92f2b7", + "type": "esql", + "version": 1 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "rule_name": "Remote File Copy to a Hidden Share", @@ -10455,6 +10987,12 @@ "type": "machine_learning", "version": 3 }, + "fb8790fc-d485-45e2-8d6e-2fb813f4af95": { + "rule_name": "Dylib Injection via Process Environment Variables", + "sha256": "7da78ac164b35b7695d523d656762c1510c83d8e8889eb47d0e9153a3ef95e84", + "type": "eql", + "version": 1 + }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", "sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412", 
@@ -10521,6 +11059,12 @@ "type": "eql", "version": 7 }, + "fd00769d-b18d-450a-a844-7a9f9c71995e": { + "rule_name": "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount", + "sha256": "df1b7a9eee719cedbb64cb235247c2ab465f23806209179a82088f85d0d39f4e", + "type": "query", + "version": 1 + }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { "rule_name": "GitHub App Deleted", "sha256": "0f605aa5517a6ddb5f3a5cd04b4b6e30a44d35fcb3b13f030655b6a428b252c8", @@ -10553,9 +11097,9 @@ }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", - "sha256": "ade0fa41fbd68a90a2597eeeacde9dc13e92fe918ead94f8462cd1bf0da48931", + "sha256": "33447fa26939a022e4a103627c64288d1909ecce7376d823c0d28f19006d7a95", "type": "new_terms", - "version": 424 + "version": 425 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { "rule_name": "Image Loaded with Invalid Signature", @@ -10682,5 +11226,11 @@ "sha256": "6fae13669a71fb69141b56f8ea1faa51ec5717011111ca52cae34917ddc408ce", "type": "new_terms", "version": 3 + }, + "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": { + "rule_name": "Suspicious TCC Access Granted for User Folders", + "sha256": "14436e33164f86a8e456f0a6ac11a53c2da7a2238add394df63ac4e5a120d36c", + "type": "esql", + "version": 1 } } \ No newline at end of file diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md index b7e47f290..135e746a8 100644 --- a/docs-dev/ATT&CK-coverage.md +++ b/docs-dev/ATT&CK-coverage.md 
@@ -25,7 +25,6 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-indexes-auditbeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-auditbeat-WILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-endgame-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-endgame-WILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-filebeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-filebeat-WILDCARD.json&leave_site_dialog=false&tabs=false)| -|[Elastic-detection-rules-indexes-logs-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-WILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-apache](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-apache.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-apache_tomcat](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-apache_tomcat.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-indexes-logs-auditd_manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-auditd_manager.json&leave_site_dialog=false&tabs=false)| 
@@ -58,10 +57,8 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-indexes-logs-suricata](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-suricata.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-system](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-system.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-windows](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-windows.json&leave_site_dialog=false&tabs=false)| -|[Elastic-detection-rules-indexes-metrics-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-metrics-WILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-ml_beaconing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-ml_beaconing.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-packetbeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-packetbeat-WILDCARD.json&leave_site_dialog=false&tabs=false)| 
-|[Elastic-detection-rules-indexes-traces-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-traces-WILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-winlogbeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-winlogbeat-WILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-active-directory-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-active-directory-monitoring.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-active-directory](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-active-directory.json&leave_site_dialog=false&tabs=false)| 
@@ -140,6 +137,7 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-tags-exfiltration](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-exfiltration.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-exploit-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-exploit-detection.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-file-integrity-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-file-integrity-monitoring.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-fortinet-fortigate](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-fortinet-fortigate.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-fortinet](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-fortinet.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-gcp-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-gcp-audit-logs.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-tags-gcp](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-gcp.json&leave_site_dialog=false&tabs=false)| 
@@ -186,6 +184,7 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-tags-network-traffic](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network-traffic.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-network](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-network.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-nginx](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-nginx.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-observavility](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-observavility.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-okta-system-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-okta-system-logs.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-okta](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-okta.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-tags-onedrive](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-onedrive.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
index 303062362..f04756285 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.41"
+version = "1.5.42"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"