From febdafa1f484bc659fbd7a191fecd0b1cf8fea64 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 9 Dec 2024 21:38:33 +0530 Subject: [PATCH] Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4291) --- detection_rules/etc/version.lock.json | 866 +++++++++++++++++++++----- pyproject.toml | 2 +- 2 files changed, 719 insertions(+), 149 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 017769ac4..cd5c3b754 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -1,6 +1,6 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 309, @@ -8,12 +8,19 @@ "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", "type": "query", "version": 210 + }, + "8.14": { + "max_allowable_version": 410, + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", + "type": "query", + "version": 311 } }, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a", "type": "query", - "version": 310 + "version": 411 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.14", 
@@ -86,10 +93,20 @@ "version": 7 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", + "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", + "type": "new_terms", + "version": 104 + } + }, "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28", "type": "new_terms", - "version": 103 + "version": 204 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.14", @@ -108,10 +125,20 @@ "version": 207 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", + "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", + "type": "new_terms", + "version": 104 + } + }, "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e", "type": "new_terms", - "version": 103 + "version": 204 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", 
@@ -420,10 +447,20 @@ "version": 312 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 205, + "rule_name": "GitHub Protected Branch Settings Changed", + "sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333", + "type": "eql", + "version": 106 + } + }, "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91", + "sha256": "d8a91efd007be1ed16d117fe17458c7361f18450b73e73083ee88ec02bf6d049", "type": "eql", - "version": 105 + "version": 206 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", @@ -526,10 +563,20 @@ "version": 110 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "Member Removed From GitHub Organization", + "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", + "type": "eql", + "version": 104 + } + }, "rule_name": "Member Removed From GitHub Organization", "sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7", "type": "eql", - "version": 103 + "version": 204 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", @@ -567,9 +614,9 @@ "8.12": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", + "sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e", "type": "query", - "version": 6 + "version": 7 } }, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", 
@@ -721,11 +768,28 @@ "type": "eql", "version": 111 }, + "0e1af929-42ed-4262-a846-55a7c54e7c84": { + "min_stack_version": "8.13", + "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", + "sha256": "b33e65a3ee076e720b9bdf2aa373dea700cfccd237404dd9f93cc4807700b15e", + "type": "esql", + "version": 1 + }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", + "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", + "type": "new_terms", + "version": 104 + } + }, "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce", "type": "new_terms", - "version": 103 + "version": 204 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "SharePoint Malware File Upload", @@ -1138,7 +1202,7 @@ "version": 311 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 102, @@ -1146,12 +1210,19 @@ "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e", "type": "new_terms", "version": 3 + }, + "8.14": { + "max_allowable_version": 203, + "rule_name": "Successful Application SSO from Rare Unknown Client Device", + "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e", + "type": "new_terms", + "version": 104 } }, "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b", "type": "new_terms", - "version": 103 + "version": 204 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", 
@@ -1566,9 +1637,9 @@ }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", + "sha256": "9b82cc17d19e29ee2cba453d4fb97352ab4f1e2f8ecfe3d9ae2471f5f842509d", "type": "query", - "version": 212 + "version": 213 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Suspicious File Creation in /etc for Persistence", @@ -1583,10 +1654,20 @@ "version": 102 }, "1ca62f14-4787-4913-b7af-df11745a49da": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "New GitHub App Installed", + "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", + "type": "eql", + "version": 104 + } + }, "rule_name": "New GitHub App Installed", "sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec", "type": "eql", - "version": 103 + "version": 204 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.14", @@ -1605,7 +1686,7 @@ "version": 208 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 104, @@ -1613,12 +1694,19 @@ "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e", "type": "query", "version": 5 + }, + "8.14": { + "max_allowable_version": 205, + "rule_name": "Okta Sign-In Events via Third-Party IdP", + "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e", + "type": "query", + "version": 106 } }, "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3", "type": "query", - "version": 105 + "version": 206 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.14", 
@@ -1721,9 +1809,9 @@ "8.12": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", + "sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1", "type": "query", - "version": 6 + "version": 7 } }, "rule_name": "PowerShell Script with Discovery Capabilities", @@ -1770,10 +1858,20 @@ "version": 106 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", + "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", + "type": "new_terms", + "version": 104 + } + }, "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b", "type": "new_terms", - "version": 103 + "version": 204 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", @@ -2040,7 +2138,7 @@ "version": 3 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.13": { "max_allowable_version": 102, 
@@ -2048,18 +2146,35 @@ "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", "type": "esql", "version": 3 + }, + "8.14": { + "max_allowable_version": 202, + "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", + "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "type": "esql", + "version": 103 } }, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", "type": "esql", - "version": 103 + "version": 203 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 205, + "rule_name": "New GitHub Owner Added", + "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", + "type": "eql", + "version": 106 + } + }, "rule_name": "New GitHub Owner Added", "sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6", "type": "eql", - "version": 105 + "version": 206 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.14", @@ -2119,7 +2234,7 @@ "version": 1 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 104, @@ -2127,12 +2242,19 @@ "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", "type": "query", "version": 5 + }, + "8.14": { + "max_allowable_version": 205, + "rule_name": "New Okta Authentication Behavior Detected", + "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", + "type": "query", + "version": 106 } }, "rule_name": "New Okta Authentication Behavior Detected", "sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76", "type": "query", - "version": 105 + "version": 206 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", 
@@ -2185,6 +2307,13 @@ "type": "eql", "version": 312 }, + "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { + "min_stack_version": "8.13", + "rule_name": "Unusual High Denied Topic Blocks Detected", + "sha256": "745f9961079e7134e24a8241e8b0dd9241739cd420c1904e1d1b3d479e86172d", + "type": "esql", + "version": 1 + }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "rule_name": "Potential Defense Evasion via Doas", "sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27", @@ -2225,9 +2354,9 @@ "8.12": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", + "sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95", "type": "query", - "version": 5 + "version": 6 } }, "rule_name": "PowerShell Script with Archive Compression Capabilities", @@ -2352,9 +2481,9 @@ }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403", + "sha256": "3ad739db58620275cb4330a3cc329918aeae3bec457d3dff8ae127ef93ac05f7", "type": "eql", - "version": 3 + "version": 4 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation or Modification", @@ -2420,9 +2549,9 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", + "sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4", "type": "new_terms", - "version": 211 + "version": 212 } }, "rule_name": "Enumeration of Privileged Local Groups Membership", @@ -2431,7 +2560,7 @@ "version": 415 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 103, 
@@ -2439,12 +2568,19 @@ "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", "type": "query", "version": 4 + }, + "8.14": { + "max_allowable_version": 204, + "rule_name": "New Okta Identity Provider (IdP) Added by Admin", + "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", + "type": "query", + "version": 105 } }, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211", "type": "query", - "version": 104 + "version": 205 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", @@ -2690,7 +2826,7 @@ "version": 105 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 100, @@ -2705,12 +2841,19 @@ "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", "type": "esql", "version": 103 + }, + "8.14": { + "max_allowable_version": 302, + "rule_name": "Okta User Sessions Started from Different Geolocations", + "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "type": "esql", + "version": 203 } }, "rule_name": "Okta User Sessions Started from Different Geolocations", "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", "type": "esql", - "version": 203 + "version": 303 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", 
@@ -2874,6 +3017,13 @@ "type": "query", "version": 104 }, + "3216949c-9300-4c53-b57a-221e364c6457": { + "min_stack_version": "8.13", + "rule_name": "Unusual High Word Policy Blocks Detected", + "sha256": "e60e73464e34fc8b533162ec135fadf0b5dcfc463f310236241febc2eb032c17", + "type": "esql", + "version": 1 + }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", "sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e", @@ -2975,10 +3125,20 @@ "version": 1 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 202, + "rule_name": "GitHub Repository Deleted", + "sha256": "660476227e525d314ca01414cb724faceba46253e12dc63cc24f8ed8e5014fd5", + "type": "eql", + "version": 103 + } + }, "rule_name": "GitHub Repository Deleted", - "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", + "sha256": "31dfbf633245e9bf0fa40429d05f942caf186ed52c457ed58d90fd309dba218b", "type": "eql", - "version": 102 + "version": 203 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", @@ -3141,7 +3301,7 @@ "version": 206 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 309, @@ -3149,12 +3309,19 @@ "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", "type": "query", "version": 210 + }, + "8.14": { + "max_allowable_version": 410, + "rule_name": "Attempted Bypass of Okta MFA", + "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", + "type": "query", + "version": 311 } }, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146", "type": "query", - "version": 310 + "version": 411 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.14", 
@@ -3307,10 +3474,20 @@ "version": 103 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "First Occurrence of IP Address For GitHub User", + "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", + "type": "new_terms", + "version": 104 + } + }, "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54", "type": "new_terms", - "version": 103 + "version": 204 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", @@ -3399,9 +3576,9 @@ "8.12": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", + "sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972", "type": "query", - "version": 5 + "version": 6 } }, "rule_name": "PowerShell Script with Log Clear Capabilities", @@ -3566,10 +3743,20 @@ "version": 107 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "GitHub User Blocked From Organization", + "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", + "type": "eql", + "version": 104 + } + }, "rule_name": "GitHub User Blocked From Organization", "sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e", "type": "eql", - "version": 103 + "version": 204 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.14", 
@@ -3630,10 +3817,20 @@ "version": 313 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "First Occurrence of User-Agent For a GitHub User", + "sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", + "type": "new_terms", + "version": 104 + } + }, "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952", "type": "new_terms", - "version": 103 + "version": 204 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "EggShell Backdoor Execution", @@ -3667,7 +3864,7 @@ "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 310, @@ -3675,12 +3872,19 @@ "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8", "type": "threshold", "version": 211 + }, + "8.14": { + "max_allowable_version": 411, + "rule_name": "Okta Brute Force or Password Spraying Attack", + "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8", + "type": "threshold", + "version": 312 } }, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669", "type": "threshold", - "version": 311 + "version": 412 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "min_stack_version": "8.14", @@ -4241,7 +4445,7 @@ "version": 209 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, 
@@ -4249,19 +4453,26 @@ "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Unauthorized Access to an Okta Application", + "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", + "type": "query", + "version": 310 } }, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd", "type": "query", - "version": 309 + "version": 410 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "min_stack_version": "8.13", - "rule_name": "Unusual High Confidence Misconduct Blocks Detected", - "sha256": "273e5740f1d9e333cd6a22cd396b698234240feab6dba79c175c790fdf183ccc", + "rule_name": "Unusual High Confidence Content Filter Blocks Detected", + "sha256": "b7158a40dd8e99134d485c6d09a2aebc63453ffe622fb446d43f1f4d20247a0e", "type": "esql", - "version": 4 + "version": 5 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.14", @@ -4287,7 +4498,7 @@ "version": 313 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 104, @@ -4295,12 +4506,19 @@ "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", "type": "threshold", "version": 5 + }, + "8.14": { + "max_allowable_version": 205, + "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", + "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", + "type": "threshold", + "version": 106 } }, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408", "type": "threshold", - "version": 105 + "version": 206 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", 
@@ -4559,9 +4777,9 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", + "sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74", "type": "query", - "version": 8 + "version": 9 } }, "rule_name": "Exchange Mailbox Export via PowerShell", @@ -4640,7 +4858,7 @@ "version": 107 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 103, @@ -4648,12 +4866,19 @@ "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", "type": "eql", "version": 4 + }, + "8.14": { + "max_allowable_version": 204, + "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", + "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", + "type": "eql", + "version": 105 } }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00", "type": "eql", - "version": 104 + "version": 205 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", @@ -4695,9 +4920,9 @@ "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", - "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", + "sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d", "type": "query", - "version": 110 + "version": 111 } }, "rule_name": "PowerShell PSReflect Script", 
@@ -5257,10 +5482,20 @@ "version": 208 }, "61336fe6-c043-4743-ab6e-41292f439603": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "New User Added To GitHub Organization", + "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", + "type": "eql", + "version": 104 + } + }, "rule_name": "New User Added To GitHub Organization", "sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4", "type": "eql", - "version": 103 + "version": 204 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "min_stack_version": "8.14", @@ -5284,9 +5519,9 @@ "8.12": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", + "sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8", "type": "query", - "version": 113 + "version": 114 } }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", @@ -5317,7 +5552,7 @@ "version": 212 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 104, @@ -5325,12 +5560,19 @@ "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", "type": "threshold", "version": 5 + }, + "8.14": { + "max_allowable_version": 205, + "rule_name": "Multiple Okta Sessions Detected for a Single User", + "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", + "type": "threshold", + "version": 106 } }, "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff", "type": "threshold", - "version": 105 + "version": 206 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.14", 
@@ -5494,7 +5736,7 @@ "version": 6 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 103, @@ -5502,12 +5744,19 @@ "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", "type": "new_terms", "version": 4 + }, + "8.14": { + "max_allowable_version": 204, + "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", + "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", + "type": "new_terms", + "version": 105 } }, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d", "type": "new_terms", - "version": 104 + "version": 205 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.14", @@ -5566,7 +5815,7 @@ "version": 113 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, @@ -5574,12 +5823,19 @@ "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876", "type": "query", - "version": 309 + "version": 410 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "O365 Mailbox Audit Logging Bypass", @@ -5588,7 +5844,7 @@ "version": 206 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, 
@@ -5596,12 +5852,19 @@ "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7", "type": "query", - "version": 309 + "version": 410 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", @@ -5651,7 +5914,7 @@ "version": 207 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 307, @@ -5659,12 +5922,19 @@ "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Okta ThreatInsight Threat Suspected Promotion", + "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", + "type": "query", + "version": 309 } }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac", "type": "query", - "version": 308 + "version": 409 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.14", 
@@ -5925,10 +6195,20 @@ "version": 308 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "GitHub Repo Created", + "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", + "type": "eql", + "version": 104 + } + }, "rule_name": "GitHub Repo Created", "sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126", "type": "eql", - "version": 103 + "version": 204 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.14", @@ -6079,7 +6359,7 @@ "version": 100 }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 103, @@ -6087,12 +6367,19 @@ "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", "type": "new_terms", "version": 4 + }, + "8.14": { + "max_allowable_version": 204, + "rule_name": "First Occurrence of Okta User Session Started via Proxy", + "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", + "type": "new_terms", + "version": 105 } }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9", "type": "new_terms", - "version": 104 + "version": 205 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", @@ -6223,7 +6510,7 @@ "version": 3 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, 
@@ -6231,12 +6518,19 @@ "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff", "type": "query", - "version": 309 + "version": 410 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", @@ -6887,9 +7181,9 @@ "8.12": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", + "sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5", "type": "query", - "version": 111 + "version": 112 } }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", @@ -7199,7 +7493,7 @@ "version": 6 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 105, 
@@ -7207,18 +7501,35 @@ "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", "type": "eql", "version": 6 + }, + "8.14": { + "max_allowable_version": 206, + "rule_name": "Potential Okta MFA Bombing via Push Notifications", + "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", + "type": "eql", + "version": 107 } }, "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d", "type": "eql", - "version": 106 + "version": 207 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "GitHub PAT Access Revoked", + "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", + "type": "eql", + "version": 104 + } + }, "rule_name": "GitHub PAT Access Revoked", "sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5", "type": "eql", - "version": 103 + "version": 204 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", @@ -7243,7 +7554,7 @@ "version": 208 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, @@ -7251,12 +7562,19 @@ "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3", "type": "query", - "version": 309 + "version": 410 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -7565,10 +7883,20 @@ "version": 104 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", + "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", + "type": "threshold", + "version": 1 + } + }, "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", "type": "threshold", - "version": 1 + "version": 101 }, "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.14", @@ -7576,9 +7904,9 @@ "8.12": { "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", + "sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f", "type": "query", - "version": 8 + "version": 9 } }, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", @@ -7723,7 +8051,7 @@ "version": 210 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.13": { "max_allowable_version": 102, @@ -7731,12 +8059,19 @@ "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", "type": "esql", "version": 3 + }, + "8.14": { + "max_allowable_version": 202, + "rule_name": "Multiple Okta User Authentication Events with Client Address", + "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "type": "esql", + "version": 103 } }, "rule_name": "Multiple Okta User Authentication Events with Client Address", "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", "type": "esql", - "version": 103 + "version": 203 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", 
@@ -7793,7 +8128,7 @@ "version": 210 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.13": { "max_allowable_version": 102, @@ -7801,12 +8136,19 @@ "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", "type": "esql", "version": 3 + }, + "8.14": { + "max_allowable_version": 202, + "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", + "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "type": "esql", + "version": 103 } }, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", "type": "esql", - "version": 103 + "version": 203 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", @@ -7827,7 +8169,7 @@ "version": 112 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 307, @@ -7835,12 +8177,19 @@ "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Attempt to Create Okta API Token", + "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", + "type": "query", + "version": 309 } }, "rule_name": "Attempt to Create Okta API Token", "sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19", "type": "query", - "version": 308 + "version": 409 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", @@ -7895,7 +8244,7 @@ "version": 207 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 311, 
@@ -7903,12 +8252,19 @@ "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", "type": "eql", "version": 212 + }, + "8.14": { + "max_allowable_version": 412, + "rule_name": "Potentially Successful MFA Bombing via Push Notifications", + "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", + "type": "eql", + "version": 313 } }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286", "type": "eql", - "version": 312 + "version": 413 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.14", @@ -8143,10 +8499,20 @@ "version": 4 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 205, + "rule_name": "GitHub Owner Role Granted To User", + "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", + "type": "eql", + "version": 106 + } + }, "rule_name": "GitHub Owner Role Granted To User", "sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68", "type": "eql", - "version": 105 + "version": 206 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.14", @@ -9373,7 +9739,7 @@ "version": 105 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, 
@@ -9381,12 +9747,19 @@ "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9", "type": "query", - "version": 309 + "version": 410 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", @@ -9514,7 +9887,7 @@ "version": 103 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, @@ -9522,12 +9895,19 @@ "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Deactivate an Okta Policy", + "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48", "type": "query", - "version": 309 + "version": 410 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", @@ -9536,7 +9916,7 @@ "version": 3 }, "b8075894-0b62-46e5-977c-31275da34419": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 307, 
@@ -9544,12 +9924,19 @@ "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Administrator Privileges Assigned to an Okta Group", + "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", + "type": "query", + "version": 309 } }, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff", "type": "query", - "version": 308 + "version": 409 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", @@ -10049,6 +10436,13 @@ "type": "eql", "version": 310 }, + "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM Login Profile Added for Root", + "sha256": "e97ee0da03a10eab7cd326f1e77d4b2c462848200bc15e183a7be0b2074dcca1", + "type": "esql", + "version": 1 + }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", @@ -10423,7 +10817,7 @@ "version": 2 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, 
@@ -10431,15 +10825,22 @@ "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Delete an Okta Network Zone", + "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9", "type": "query", - "version": 309 + "version": 410 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 307, @@ -10447,12 +10848,19 @@ "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Attempt to Modify an Okta Application", + "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", + "type": "query", + "version": 309 } }, "rule_name": "Attempt to Modify an Okta Application", "sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010", "type": "query", - "version": 308 + "version": 409 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", @@ -10653,7 +11061,7 @@ "version": 106 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 101, 
@@ -10668,12 +11076,19 @@ "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", "type": "esql", "version": 104 + }, + "8.14": { + "max_allowable_version": 303, + "rule_name": "Multiple Device Token Hashes for Single Okta Session", + "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "type": "esql", + "version": 204 } }, "rule_name": "Multiple Device Token Hashes for Single Okta Session", "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", "type": "esql", - "version": 204 + "version": 304 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", @@ -10694,7 +11109,7 @@ "version": 104 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 309, @@ -10702,12 +11117,19 @@ "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", "type": "query", "version": 210 + }, + "8.14": { + "max_allowable_version": 410, + "rule_name": "Attempt to Deactivate an Okta Policy Rule", + "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", + "type": "query", + "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e", "type": "query", - "version": 310 + "version": 411 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", @@ -10716,7 +11138,7 @@ "version": 105 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, 
@@ -10724,12 +11146,19 @@ "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", + "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", + "type": "query", + "version": 310 } }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4", "type": "query", - "version": 309 + "version": 410 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -10756,7 +11185,7 @@ "version": 3 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 310, @@ -10764,15 +11193,22 @@ "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", "type": "eql", "version": 211 + }, + "8.14": { + "max_allowable_version": 411, + "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", + "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", + "type": "eql", + "version": 312 } }, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857", "type": "eql", - "version": 311 + "version": 412 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 309, 
@@ -10780,12 +11216,19 @@ "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", "type": "query", "version": 210 + }, + "8.14": { + "max_allowable_version": 410, + "rule_name": "Okta User Session Impersonation", + "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", + "type": "query", + "version": 311 } }, "rule_name": "Okta User Session Impersonation", "sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4", "type": "query", - "version": 310 + "version": 411 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.14", @@ -10793,9 +11236,9 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", + "sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b", "type": "query", - "version": 11 + "version": 12 } }, "rule_name": "Potential PowerShell HackTool Script by Function Names", @@ -10810,10 +11253,20 @@ "version": 2 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", + "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca", + "type": "new_terms", + "version": 104 + } + }, "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14", "type": "new_terms", - "version": 103 + "version": 204 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.14", @@ -11070,7 +11523,7 @@ "version": 1 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 307, 
@@ -11078,12 +11531,19 @@ "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Attempt to Delete an Okta Application", + "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", + "type": "query", + "version": 309 } }, "rule_name": "Attempt to Delete an Okta Application", "sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d", "type": "query", - "version": 308 + "version": 409 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", @@ -11145,7 +11605,7 @@ "version": 308 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, @@ -11153,12 +11613,19 @@ "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Delete an Okta Policy Rule", + "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2", "type": "query", - "version": 309 + "version": 410 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.14", @@ -11806,7 +12273,7 @@ "version": 109 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 310, 
@@ -11814,12 +12281,19 @@ "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", "type": "threshold", "version": 211 + }, + "8.14": { + "max_allowable_version": 411, + "rule_name": "Attempts to Brute Force an Okta User Account", + "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", + "type": "threshold", + "version": 312 } }, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238", "type": "threshold", - "version": 311 + "version": 412 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "rule_name": "Potentially Suspicious Process Started via tmux or screen", @@ -11881,9 +12355,9 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", + "sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2", "type": "query", - "version": 112 + "version": 113 } }, "rule_name": "Suspicious .NET Reflection via PowerShell", @@ -12040,7 +12514,7 @@ "version": 105 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, @@ -12048,12 +12522,19 @@ "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Modify an Okta Network Zone", + "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5", "type": "query", - "version": 309 + "version": 410 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.14", 
@@ -12112,7 +12593,7 @@ "version": 107 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 307, @@ -12120,12 +12601,19 @@ "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Possible Okta DoS Attack", + "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e", + "type": "query", + "version": 309 } }, "rule_name": "Possible Okta DoS Attack", "sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579", "type": "query", - "version": 308 + "version": 409 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", @@ -12298,7 +12786,7 @@ "version": 107 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 310, @@ -12306,12 +12794,19 @@ "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4", "type": "threshold", "version": 211 + }, + "8.14": { + "max_allowable_version": 411, + "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", + "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4", + "type": "threshold", + "version": 312 } }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425", "type": "threshold", - "version": 311 + "version": 412 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "AWS EC2 VM Export Failure", @@ -12591,7 +13086,7 @@ "version": 314 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 308, 
@@ -12599,12 +13094,19 @@ "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Deactivate an Okta Application", + "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a", "type": "query", - "version": 309 + "version": 410 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.14", @@ -12636,7 +13138,7 @@ "version": 6 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 205, @@ -12644,12 +13146,19 @@ "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c", "type": "query", "version": 106 + }, + "8.14": { + "max_allowable_version": 306, + "rule_name": "Okta FastPass Phishing Detection", + "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c", + "type": "query", + "version": 207 } }, "rule_name": "Okta FastPass Phishing Detection", "sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54", "type": "query", - "version": 206 + "version": 307 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.14", @@ -12748,7 +13257,7 @@ "version": 108 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 307, 
@@ -12756,12 +13265,19 @@ "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Administrator Role Assigned to an Okta User", + "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", + "type": "query", + "version": 309 } }, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1", "type": "query", - "version": 308 + "version": 409 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", @@ -12833,6 +13349,13 @@ "type": "eql", "version": 110 }, + "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { + "min_stack_version": "8.13", + "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", + "sha256": "c38cb3e116786c25852f4790593e82bfaff12642ff456bb3fa6fd5dab8596b3c", + "type": "esql", + "version": 1 + }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.14", "previous": { @@ -13346,10 +13869,20 @@ "version": 101 }, "f94e898e-94f1-4545-8923-03e4b2866211": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", + "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0", + "type": "new_terms", + "version": 104 + } + }, "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737", "type": "new_terms", - "version": 103 + "version": 204 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux Network Configuration Discovery", 
@@ -13403,7 +13936,7 @@ "version": 110 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.12": { "max_allowable_version": 307, @@ -13411,12 +13944,19 @@ "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Suspicious Activity Reported by Okta User", + "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", + "type": "query", + "version": 309 } }, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317", "type": "query", - "version": 308 + "version": 409 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.14", @@ -13505,10 +14045,20 @@ "version": 208 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "High Number of Cloned GitHub Repos From PAT", + "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234", + "type": "threshold", + "version": 104 + } + }, "rule_name": "High Number of Cloned GitHub Repos From PAT", - "sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4", + "sha256": "aa706a6df1832c500f882ba46028eb2732a866b5e6335c33fd62c18d90a7d870", "type": "threshold", - "version": 103 + "version": 204 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", 
@@ -13546,10 +14096,20 @@ "version": 309 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", + "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf", + "type": "new_terms", + "version": 104 + } + }, "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010", "type": "new_terms", - "version": 103 + "version": 204 }, "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { "rule_name": "User or Group Creation/Modification", @@ -13558,10 +14118,20 @@ "version": 3 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 203, + "rule_name": "GitHub App Deleted", + "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960", + "type": "eql", + "version": 104 + } + }, "rule_name": "GitHub App Deleted", "sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7", "type": "eql", - "version": 103 + "version": 204 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", @@ -13813,8 +14383,8 @@ }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", + "sha256": "d9a50180875a16c7d3cfedadf27a0c3bb75bd18b950d188993f9ba0f43f504ca", "type": "eql", - "version": 5 + "version": 6 } } \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index 654cd85ca..7af520606 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.1"
+version = "0.3.2"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"