security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4291)

Browse Source
This commit is contained in:
github-actions[bot]
2024-12-09 21:38:33 +05:30
committed by GitHub
parent 052672b09f
commit febdafa1f4
2 changed files with 719 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+718 -148
View File
@@ -1,6 +1,6 @@
{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 309,
@@ -8,12 +8,19 @@
"sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a",
"type": "query",
"version": 310
"version": 411
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.14",
@@ -86,10 +93,20 @@
"version": 7
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28",
"type": "new_terms",
"version": 103
"version": 204
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.14",
@@ -108,10 +125,20 @@
"version": 207
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e",
"type": "new_terms",
"version": 103
"version": 204
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"rule_name": "Process Created with an Elevated Token",
@@ -420,10 +447,20 @@
"version": 312
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333",
"type": "eql",
"version": 106
}
},
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91",
"sha256": "d8a91efd007be1ed16d117fe17458c7361f18450b73e73083ee88ec02bf6d049",
"type": "eql",
"version": 105
"version": 206
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
@@ -526,10 +563,20 @@
"version": 110
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "Member Removed From GitHub Organization",
"sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a",
"type": "eql",
"version": 104
}
},
"rule_name": "Member Removed From GitHub Organization",
"sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7",
"type": "eql",
"version": 103
"version": 204
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
@@ -567,9 +614,9 @@
"8.12": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
"sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e",
"type": "query",
"version": 6
"version": 7
}
},
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
@@ -721,11 +768,28 @@
"type": "eql",
"version": 111
},
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
"sha256": "b33e65a3ee076e720b9bdf2aa373dea700cfccd237404dd9f93cc4807700b15e",
"type": "esql",
"version": 1
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce",
"type": "new_terms",
"version": 103
"version": 204
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"rule_name": "SharePoint Malware File Upload",
@@ -1138,7 +1202,7 @@
"version": 311
},
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 102,
@@ -1146,12 +1210,19 @@
"sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e",
"type": "new_terms",
"version": 3
},
"8.14": {
"max_allowable_version": 203,
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e",
"type": "new_terms",
"version": 104
}
},
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b",
"type": "new_terms",
"version": 103
"version": 204
},
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
@@ -1566,9 +1637,9 @@
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7",
"sha256": "9b82cc17d19e29ee2cba453d4fb97352ab4f1e2f8ecfe3d9ae2471f5f842509d",
"type": "query",
"version": 212
"version": 213
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"rule_name": "Suspicious File Creation in /etc for Persistence",
@@ -1583,10 +1654,20 @@
"version": 102
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "New GitHub App Installed",
"sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe",
"type": "eql",
"version": 104
}
},
"rule_name": "New GitHub App Installed",
"sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec",
"type": "eql",
"version": 103
"version": 204
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"min_stack_version": "8.14",
@@ -1605,7 +1686,7 @@
"version": 208
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 104,
@@ -1613,12 +1694,19 @@
"sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e",
"type": "query",
"version": 5
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e",
"type": "query",
"version": 106
}
},
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3",
"type": "query",
"version": 105
"version": 206
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.14",
@@ -1721,9 +1809,9 @@
"8.12": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
"sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1",
"type": "query",
"version": 6
"version": 7
}
},
"rule_name": "PowerShell Script with Discovery Capabilities",
@@ -1770,10 +1858,20 @@
"version": 106
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b",
"type": "new_terms",
"version": 103
"version": 204
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"rule_name": "Unusual Sudo Activity",
@@ -2040,7 +2138,7 @@
"version": 3
},
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
@@ -2048,18 +2146,35 @@
"sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1",
"type": "esql",
"version": 3
},
"8.14": {
"max_allowable_version": 202,
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1",
"type": "esql",
"version": 103
}
},
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1",
"type": "esql",
"version": 103
"version": 203
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "New GitHub Owner Added",
"sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764",
"type": "eql",
"version": 106
}
},
"rule_name": "New GitHub Owner Added",
"sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6",
"type": "eql",
"version": 105
"version": 206
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.14",
@@ -2119,7 +2234,7 @@
"version": 1
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 104,
@@ -2127,12 +2242,19 @@
"sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a",
"type": "query",
"version": 5
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a",
"type": "query",
"version": 106
}
},
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76",
"type": "query",
"version": 105
"version": 206
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"rule_name": "Potential Suspicious DebugFS Root Device Access",
@@ -2185,6 +2307,13 @@
"type": "eql",
"version": 312
},
"266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Denied Topic Blocks Detected",
"sha256": "745f9961079e7134e24a8241e8b0dd9241739cd420c1904e1d1b3d479e86172d",
"type": "esql",
"version": 1
},
"26a726d7-126e-4267-b43d-e9a70bfdee1e": {
"rule_name": "Potential Defense Evasion via Doas",
"sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27",
@@ -2225,9 +2354,9 @@
"8.12": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
"sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95",
"type": "query",
"version": 5
"version": 6
}
},
"rule_name": "PowerShell Script with Archive Compression Capabilities",
@@ -2352,9 +2481,9 @@
},
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403",
"sha256": "3ad739db58620275cb4330a3cc329918aeae3bec457d3dff8ae127ef93ac05f7",
"type": "eql",
"version": 3
"version": 4
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Creation or Modification",
@@ -2420,9 +2549,9 @@
"8.12": {
"max_allowable_version": 310,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
"sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4",
"type": "new_terms",
"version": 211
"version": 212
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
@@ -2431,7 +2560,7 @@
"version": 415
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 103,
@@ -2439,12 +2568,19 @@
"sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47",
"type": "query",
"version": 4
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47",
"type": "query",
"version": 105
}
},
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211",
"type": "query",
"version": 104
"version": 205
},
"29ef5686-9b93-433e-91b5-683911094698": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
@@ -2690,7 +2826,7 @@
"version": 105
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 100,
@@ -2705,12 +2841,19 @@
"sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac",
"type": "esql",
"version": 103
},
"8.14": {
"max_allowable_version": 302,
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac",
"type": "esql",
"version": 203
}
},
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac",
"type": "esql",
"version": 203
"version": 303
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
@@ -2874,6 +3017,13 @@
"type": "query",
"version": 104
},
"3216949c-9300-4c53-b57a-221e364c6457": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Word Policy Blocks Detected",
"sha256": "e60e73464e34fc8b533162ec135fadf0b5dcfc463f310236241febc2eb032c17",
"type": "esql",
"version": 1
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e",
@@ -2975,10 +3125,20 @@
"version": 1
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 202,
"rule_name": "GitHub Repository Deleted",
"sha256": "660476227e525d314ca01414cb724faceba46253e12dc63cc24f8ed8e5014fd5",
"type": "eql",
"version": 103
}
},
"rule_name": "GitHub Repository Deleted",
"sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
"sha256": "31dfbf633245e9bf0fa40429d05f942caf186ed52c457ed58d90fd309dba218b",
"type": "eql",
"version": 102
"version": 203
},
"349276c0-5fcf-11ef-b1a9-f661ea17fbce": {
"rule_name": "AWS CLI Command with Custom Endpoint URL",
@@ -3141,7 +3301,7 @@
"version": 206
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 309,
@@ -3149,12 +3309,19 @@
"sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4",
"type": "query",
"version": 311
}
},
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146",
"type": "query",
"version": 310
"version": 411
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.14",
@@ -3307,10 +3474,20 @@
"version": 103
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54",
"type": "new_terms",
"version": 103
"version": 204
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"rule_name": "Malware - Prevented - Elastic Endgame",
@@ -3399,9 +3576,9 @@
"8.12": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
"sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972",
"type": "query",
"version": 5
"version": 6
}
},
"rule_name": "PowerShell Script with Log Clear Capabilities",
@@ -3566,10 +3743,20 @@
"version": 107
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "GitHub User Blocked From Organization",
"sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6",
"type": "eql",
"version": 104
}
},
"rule_name": "GitHub User Blocked From Organization",
"sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e",
"type": "eql",
"version": 103
"version": 204
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.14",
@@ -3630,10 +3817,20 @@
"version": 313
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952",
"type": "new_terms",
"version": 103
"version": 204
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"rule_name": "EggShell Backdoor Execution",
@@ -3667,7 +3864,7 @@
"version": 2
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 310,
@@ -3675,12 +3872,19 @@
"sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8",
"type": "threshold",
"version": 211
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8",
"type": "threshold",
"version": 312
}
},
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669",
"type": "threshold",
"version": 311
"version": 412
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.14",
@@ -4241,7 +4445,7 @@
"version": 209
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -4249,19 +4453,26 @@
"sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269",
"type": "query",
"version": 310
}
},
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd",
"type": "query",
"version": 309
"version": 410
},
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Confidence Misconduct Blocks Detected",
"sha256": "273e5740f1d9e333cd6a22cd396b698234240feab6dba79c175c790fdf183ccc",
"rule_name": "Unusual High Confidence Content Filter Blocks Detected",
"sha256": "b7158a40dd8e99134d485c6d09a2aebc63453ffe622fb446d43f1f4d20247a0e",
"type": "esql",
"version": 4
"version": 5
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.14",
@@ -4287,7 +4498,7 @@
"version": 313
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 104,
@@ -4295,12 +4506,19 @@
"sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb",
"type": "threshold",
"version": 5
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb",
"type": "threshold",
"version": 106
}
},
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408",
"type": "threshold",
"version": 105
"version": 206
},
"50a2bdea-9876-11ef-89db-f661ea17fbcd": {
"rule_name": "AWS SSM Command Document Created by Rare User",
@@ -4559,9 +4777,9 @@
"8.12": {
"max_allowable_version": 107,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
"sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74",
"type": "query",
"version": 8
"version": 9
}
},
"rule_name": "Exchange Mailbox Export via PowerShell",
@@ -4640,7 +4858,7 @@
"version": 107
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 103,
@@ -4648,12 +4866,19 @@
"sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a",
"type": "eql",
"version": 4
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a",
"type": "eql",
"version": 105
}
},
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00",
"type": "eql",
"version": 104
"version": 205
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.14",
@@ -4695,9 +4920,9 @@
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell PSReflect Script",
"sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
"sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d",
"type": "query",
"version": 110
"version": 111
}
},
"rule_name": "PowerShell PSReflect Script",
@@ -5257,10 +5482,20 @@
"version": 208
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "New User Added To GitHub Organization",
"sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8",
"type": "eql",
"version": 104
}
},
"rule_name": "New User Added To GitHub Organization",
"sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4",
"type": "eql",
"version": 103
"version": 204
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"min_stack_version": "8.14",
@@ -5284,9 +5519,9 @@
"8.12": {
"max_allowable_version": 212,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
"sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8",
"type": "query",
"version": 113
"version": 114
}
},
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
@@ -5317,7 +5552,7 @@
"version": 212
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 104,
@@ -5325,12 +5560,19 @@
"sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba",
"type": "threshold",
"version": 5
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba",
"type": "threshold",
"version": 106
}
},
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff",
"type": "threshold",
"version": 105
"version": 206
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.14",
@@ -5494,7 +5736,7 @@
"version": 6
},
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 103,
@@ -5502,12 +5744,19 @@
"sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576",
"type": "new_terms",
"version": 4
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576",
"type": "new_terms",
"version": 105
}
},
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d",
"type": "new_terms",
"version": 104
"version": 205
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"min_stack_version": "8.14",
@@ -5566,7 +5815,7 @@
"version": 113
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -5574,12 +5823,19 @@
"sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876",
"type": "query",
"version": 309
"version": 410
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "O365 Mailbox Audit Logging Bypass",
@@ -5588,7 +5844,7 @@
"version": 206
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -5596,12 +5852,19 @@
"sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7",
"type": "query",
"version": 309
"version": 410
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
@@ -5651,7 +5914,7 @@
"version": 207
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
@@ -5659,12 +5922,19 @@
"sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f",
"type": "query",
"version": 208
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f",
"type": "query",
"version": 309
}
},
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac",
"type": "query",
"version": 308
"version": 409
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.14",
@@ -5925,10 +6195,20 @@
"version": 308
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "GitHub Repo Created",
"sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09",
"type": "eql",
"version": 104
}
},
"rule_name": "GitHub Repo Created",
"sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126",
"type": "eql",
"version": 103
"version": 204
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.14",
@@ -6079,7 +6359,7 @@
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 103,
@@ -6087,12 +6367,19 @@
"sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d",
"type": "new_terms",
"version": 4
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d",
"type": "new_terms",
"version": 105
}
},
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9",
"type": "new_terms",
"version": 104
"version": 205
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"rule_name": "Google Workspace Role Modified",
@@ -6223,7 +6510,7 @@
"version": 3
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -6231,12 +6518,19 @@
"sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff",
"type": "query",
"version": 309
"version": 410
},
"72d33577-f155-457d-aad3-379f9b750c97": {
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
@@ -6887,9 +7181,9 @@
"8.12": {
"max_allowable_version": 210,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
"sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5",
"type": "query",
"version": 111
"version": 112
}
},
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
@@ -7199,7 +7493,7 @@
"version": 6
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 105,
@@ -7207,18 +7501,35 @@
"sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031",
"type": "eql",
"version": 6
},
"8.14": {
"max_allowable_version": 206,
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031",
"type": "eql",
"version": 107
}
},
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d",
"type": "eql",
"version": 106
"version": 207
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "GitHub PAT Access Revoked",
"sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4",
"type": "eql",
"version": 104
}
},
"rule_name": "GitHub PAT Access Revoked",
"sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5",
"type": "eql",
"version": 103
"version": 204
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "SUID/SGID Bit Set",
@@ -7243,7 +7554,7 @@
"version": 208
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -7251,12 +7562,19 @@
"sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3",
"type": "query",
"version": 309
"version": 410
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Deprecated - Suspicious JAVA Child Process",
@@ -7565,10 +7883,20 @@
"version": 104
},
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9",
"type": "threshold",
"version": 1
}
},
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9",
"type": "threshold",
"version": 1
"version": 101
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.14",
@@ -7576,9 +7904,9 @@
"8.12": {
"max_allowable_version": 107,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
"sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f",
"type": "query",
"version": 8
"version": 9
}
},
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
@@ -7723,7 +8051,7 @@
"version": 210
},
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
@@ -7731,12 +8059,19 @@
"sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380",
"type": "esql",
"version": 3
},
"8.14": {
"max_allowable_version": 202,
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380",
"type": "esql",
"version": 103
}
},
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380",
"type": "esql",
"version": 103
"version": 203
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
@@ -7793,7 +8128,7 @@
"version": 210
},
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
@@ -7801,12 +8136,19 @@
"sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379",
"type": "esql",
"version": 3
},
"8.14": {
"max_allowable_version": 202,
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379",
"type": "esql",
"version": 103
}
},
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379",
"type": "esql",
"version": 103
"version": 203
},
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
@@ -7827,7 +8169,7 @@
"version": 112
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
@@ -7835,12 +8177,19 @@
"sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d",
"type": "query",
"version": 208
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d",
"type": "query",
"version": 309
}
},
"rule_name": "Attempt to Create Okta API Token",
"sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19",
"type": "query",
"version": 308
"version": 409
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"rule_name": "Message-of-the-Day (MOTD) File Creation",
@@ -7895,7 +8244,7 @@
"version": 207
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 311,
@@ -7903,12 +8252,19 @@
"sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee",
"type": "eql",
"version": 212
},
"8.14": {
"max_allowable_version": 412,
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee",
"type": "eql",
"version": 313
}
},
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286",
"type": "eql",
"version": 312
"version": 413
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.14",
@@ -8143,10 +8499,20 @@
"version": 4
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c",
"type": "eql",
"version": 106
}
},
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68",
"type": "eql",
"version": 105
"version": 206
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.14",
@@ -9373,7 +9739,7 @@
"version": 105
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -9381,12 +9747,19 @@
"sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9",
"type": "query",
"version": 309
"version": 410
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"rule_name": "Potential Privilege Escalation via OverlayFS",
@@ -9514,7 +9887,7 @@
"version": 103
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -9522,12 +9895,19 @@
"sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48",
"type": "query",
"version": 309
"version": 410
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"rule_name": "Potential Buffer Overflow Attack Detected",
@@ -9536,7 +9916,7 @@
"version": 3
},
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
@@ -9544,12 +9924,19 @@
"sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60",
"type": "query",
"version": 208
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60",
"type": "query",
"version": 309
}
},
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff",
"type": "query",
"version": 308
"version": 409
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"rule_name": "Linux System Information Discovery",
@@ -10049,6 +10436,13 @@
"type": "eql",
"version": 310
},
"c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "AWS IAM Login Profile Added for Root",
"sha256": "e97ee0da03a10eab7cd326f1e77d4b2c462848200bc15e183a7be0b2074dcca1",
"type": "esql",
"version": 1
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c",
@@ -10423,7 +10817,7 @@
"version": 2
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -10431,15 +10825,22 @@
"sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9",
"type": "query",
"version": 309
"version": 410
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
@@ -10447,12 +10848,19 @@
"sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd",
"type": "query",
"version": 208
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd",
"type": "query",
"version": 309
}
},
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010",
"type": "query",
"version": 308
"version": 409
},
"c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
"rule_name": "Egress Connection from Entrypoint in Container",
@@ -10653,7 +11061,7 @@
"version": 106
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 101,
@@ -10668,12 +11076,19 @@
"sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f",
"type": "esql",
"version": 104
},
"8.14": {
"max_allowable_version": 303,
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f",
"type": "esql",
"version": 204
}
},
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f",
"type": "esql",
"version": 204
"version": 304
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
@@ -10694,7 +11109,7 @@
"version": 104
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 309,
@@ -10702,12 +11117,19 @@
"sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e",
"type": "query",
"version": 310
"version": 411
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"rule_name": "Potential Process Herpaderping Attempt",
@@ -10716,7 +11138,7 @@
"version": 105
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -10724,12 +11146,19 @@
"sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c",
"type": "query",
"version": 310
}
},
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4",
"type": "query",
"version": 309
"version": 410
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
@@ -10756,7 +11185,7 @@
"version": 3
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 310,
@@ -10764,15 +11193,22 @@
"sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31",
"type": "eql",
"version": 211
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31",
"type": "eql",
"version": 312
}
},
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857",
"type": "eql",
"version": 311
"version": 412
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 309,
@@ -10780,12 +11216,19 @@
"sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Okta User Session Impersonation",
"sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7",
"type": "query",
"version": 311
}
},
"rule_name": "Okta User Session Impersonation",
"sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4",
"type": "query",
"version": 310
"version": 411
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.14",
@@ -10793,9 +11236,9 @@
"8.12": {
"max_allowable_version": 110,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
"sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b",
"type": "query",
"version": 11
"version": 12
}
},
"rule_name": "Potential PowerShell HackTool Script by Function Names",
@@ -10810,10 +11253,20 @@
"version": 2
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14",
"type": "new_terms",
"version": 103
"version": 204
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.14",
@@ -11070,7 +11523,7 @@
"version": 1
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
@@ -11078,12 +11531,19 @@
"sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb",
"type": "query",
"version": 208
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb",
"type": "query",
"version": 309
}
},
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d",
"type": "query",
"version": 308
"version": 409
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
@@ -11145,7 +11605,7 @@
"version": 308
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -11153,12 +11613,19 @@
"sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2",
"type": "query",
"version": 309
"version": 410
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"min_stack_version": "8.14",
@@ -11806,7 +12273,7 @@
"version": 109
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 310,
@@ -11814,12 +12281,19 @@
"sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068",
"type": "threshold",
"version": 211
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068",
"type": "threshold",
"version": 312
}
},
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238",
"type": "threshold",
"version": 311
"version": 412
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
@@ -11881,9 +12355,9 @@
"8.12": {
"max_allowable_version": 211,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
"sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2",
"type": "query",
"version": 112
"version": 113
}
},
"rule_name": "Suspicious .NET Reflection via PowerShell",
@@ -12040,7 +12514,7 @@
"version": 105
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -12048,12 +12522,19 @@
"sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5",
"type": "query",
"version": 309
"version": 410
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"min_stack_version": "8.14",
@@ -12112,7 +12593,7 @@
"version": 107
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
@@ -12120,12 +12601,19 @@
"sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e",
"type": "query",
"version": 208
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Possible Okta DoS Attack",
"sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e",
"type": "query",
"version": 309
}
},
"rule_name": "Possible Okta DoS Attack",
"sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579",
"type": "query",
"version": 308
"version": 409
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
@@ -12298,7 +12786,7 @@
"version": 107
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 310,
@@ -12306,12 +12794,19 @@
"sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4",
"type": "threshold",
"version": 211
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4",
"type": "threshold",
"version": 312
}
},
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425",
"type": "threshold",
"version": 311
"version": 412
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"rule_name": "AWS EC2 VM Export Failure",
@@ -12591,7 +13086,7 @@
"version": 314
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
@@ -12599,12 +13094,19 @@
"sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a",
"type": "query",
"version": 309
"version": 410
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.14",
@@ -12636,7 +13138,7 @@
"version": 6
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 205,
@@ -12644,12 +13146,19 @@
"sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c",
"type": "query",
"version": 106
},
"8.14": {
"max_allowable_version": 306,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c",
"type": "query",
"version": 207
}
},
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54",
"type": "query",
"version": 206
"version": 307
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.14",
@@ -12748,7 +13257,7 @@
"version": 108
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
@@ -12756,12 +13265,19 @@
"sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6",
"type": "query",
"version": 208
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6",
"type": "query",
"version": 309
}
},
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1",
"type": "query",
"version": 308
"version": 409
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
@@ -12833,6 +13349,13 @@
"type": "eql",
"version": 110
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
"sha256": "c38cb3e116786c25852f4790593e82bfaff12642ff456bb3fa6fd5dab8596b3c",
"type": "esql",
"version": 1
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.14",
"previous": {
@@ -13346,10 +13869,20 @@
"version": 101
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737",
"type": "new_terms",
"version": 103
"version": 204
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"rule_name": "Unusual Linux Network Configuration Discovery",
@@ -13403,7 +13936,7 @@
"version": 110
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.14",
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
@@ -13411,12 +13944,19 @@
"sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b",
"type": "query",
"version": 208
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b",
"type": "query",
"version": 309
}
},
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317",
"type": "query",
"version": 308
"version": 409
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.14",
@@ -13505,10 +14045,20 @@
"version": 208
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
"type": "threshold",
"version": 104
}
},
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4",
"sha256": "aa706a6df1832c500f882ba46028eb2732a866b5e6335c33fd62c18d90a7d870",
"type": "threshold",
"version": 103
"version": 204
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
@@ -13546,10 +14096,20 @@
"version": 309
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010",
"type": "new_terms",
"version": 103
"version": 204
},
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
"rule_name": "User or Group Creation/Modification",
@@ -13558,10 +14118,20 @@
"version": 3
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "GitHub App Deleted",
"sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
"type": "eql",
"version": 104
}
},
"rule_name": "GitHub App Deleted",
"sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7",
"type": "eql",
"version": 103
"version": 204
},
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
@@ -13813,8 +14383,8 @@
},
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366",
"sha256": "d9a50180875a16c7d3cfedadf27a0c3bb75bd18b950d188993f9ba0f43f504ca",
"type": "eql",
"version": 5
"version": 6
}
}