{ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "f2eff7fde63919cf5ce12fc0a43b396d4f946d0b91202749bb8e1959ba503cbd", "type": "query", "version": 416 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "9fa5bb58f3f3b4c55a18dcad65a001a8a4217afcc2ced7112a1e295bcb5a79a2", "type": "eql", "version": 321 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "rule_name": "System Shells via Services", "sha256": "2fa22b5ffca90b0b5dda594ac010099051455bf90a1290e366e75c3f6c31f353", "type": "eql", "version": 422 }, "0049cf71-fe13-4d79-b767-f7519921ffb5": { "rule_name": "System Binary Path File Permission Modification", "sha256": "dba5d16fb893bdb86a173237b75117a8e000bca4f1a47a96d9492119f8beea74", "type": "eql", "version": 7 }, "00546494-5bb0-49d6-9220-5f3b4c12f26a": { "rule_name": "Uncommon Destination Port Connection by Web Server", "sha256": "7dc587f4807bf20137a0a7d3a415b2807d481a1dd245b423be1d9addca63dff9", "type": "eql", "version": 6 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", "sha256": "91b36ea21ef5f2334a76a399ad91075977d7b149b9bab8bad35c854914d62420", "type": "query", "version": 8 }, "0136b315-b566-482f-866c-1d8e2477ba16": { "rule_name": "Deprecated - M365 Security Compliance User Restricted from Sending Email", "sha256": "226cb4ca9b14010933649d9bac8285e8266edb900b2d835b38307bc6fb629385", "type": "query", "version": 213 }, "015cca13-8832-49ac-a01b-a396114809f6": { "rule_name": "Deprecated - AWS Redshift Cluster Creation", "sha256": "f6e7e8c38698de53c1f503b5a483cd61fe060eba93c72f3d9d394148f9fb36ea", "type": "query", "version": 210 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { "rule_name": "Potential Network Scan Detected", "sha256": "5484efed9ed2e59b10577e3d86ecbe4dca7de9f28a241e509931c2595d8d9f4c", "type": "esql", "version": 15 }, "017de1e4-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Memory Threat - Detected - Elastic Defend", "sha256": "2b1277af9a824d07977a035ae4f6833f19e26f54f8e63a687a92d4333c198416", "type": "query", "version": 5 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "076646ab6716181a2c6a88272c23d0eff028f4d43e05b1b9ba681c8fb13bb83b", "type": "new_terms", "version": 208 }, "02137bc2-5cc2-4f7f-a8e4-c52dc239aa69": { "rule_name": "AppArmor Policy Violation Detected", "sha256": "88dba2a32e25df07ff1ec197f82476ff39ecf0522f67fee729ea5d919aaf7d62", "type": "eql", "version": 1 }, "02275e05-57a1-46ab-a443-7fb444da6b28": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities", "sha256": "539f711b818d81795aaa0685de7d462dde5553ec579eb775fdcf8f69ab9227d5", "type": "eql", "version": 4 }, "022c37cd-5a4f-422b-8227-b136b7a23180": { "rule_name": "Azure Arc Cluster Credential Access by Identity from Unusual Source", "sha256": "71236804fae2460ed5d446795ca47484be4217066c02e16e29684c83d8c4d403", "type": "new_terms", "version": 3 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "effdc73f270011dd596efce8ebf1cec1af482896d9c27adf8015357428042c50", "type": "eql", "version": 211 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "ea027afabe0d5c7840b6fa74533bd16b107d9fe59b134747165b941da38827f8", "type": "new_terms", "version": 208 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", "sha256": "4aa9842670b9ebc492a4614e4317094998cf31227ac49598907aeb5bec61c692", "type": "eql", "version": 11 }, "02a4576a-7480-4284-9327-548a806b5e48": { "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "6089c2d9e1a728c906a10e30c7d3eca6eb9962492dde251a805ef9e7b97f8ee6", "type": "eql", "version": 312 }, "02b4420d-eda2-4529-9e46-4a60eccb7e2d": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 104, "rule_name": "Spike in Group Privilege Change Events", "sha256": "f1b1c78251514ea08b82d81a68811dcf1756bde9a25d7f17adff4b6f612c523a", "type": "machine_learning", "version": 5 } }, "rule_name": "Spike in Group Privilege Change Events", "sha256": "d8194e445c87e8157a08b8aacf0fd3e0cafe76ef4c01be534907b1acb4c90108", "type": "machine_learning", "version": 105 }, "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { "rule_name": "Potential Ransomware Note File Dropped via SMB", "sha256": "8faa211ae2a7bcacb59c68e92a447cfd62919035dfe3259c39c0ee886be5ece8", "type": "eql", "version": 7 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { "rule_name": "Dumping Account Hashes via Built-In Commands", "sha256": "66859e52222069071bde2462f6cd971de312d63c6ca5da48abd9bde1d8a9986a", "type": "eql", "version": 111 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { "rule_name": "M365 Exchange Email Safe Attachment Rule Disabled", "sha256": "a13cc41b5296170dea0f9410986cbb6e32524cd0655f9b7dd0cde9738b7fe8ae", "type": "query", "version": 213 }, "03245b25-3849-4052-ab48-72de65a82c35": { "rule_name": "GitHub Actions Unusual Bot Push to Repository", "sha256": "8299a1ebfbcff5d084b1ffd256aaa5dbf5d7929e8b0a9037bc7d83792b927b4c", "type": "new_terms", "version": 3 }, "035889c4-2686-4583-a7df-67f89c292f2c": { "rule_name": "High Number of Process and/or Service Terminations", "sha256": "65e29cfdd640c3d225586aceda29585c5bc3a9e76ff34a0764f403094b8c9ade", "type": "threshold", "version": 218 }, "035a6f21-4092-471d-9cda-9e379f459b1e": { "rule_name": "Potential Memory Seeking Activity", "sha256": "6f7728c25cb5067fe5f3da92b9e429591bee6ca7b05b0dc967ed772bfc19c1d4", "type": "eql", "version": 7 }, "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { "rule_name": "Suspicious Dynamic Linker Discovery via od", "sha256": "1955ce390a89fb19809e63ab7de3f8c5daa3aad4045bec36bcaa5b65779e457d", "type": "eql", "version": 108 }, "03a514d9-500e-443e-b6a9-72718c548f6c": { "rule_name": "Deprecated - SSH Process Launched From Inside A Container", "sha256": "db16c791683827ffea8705d7c3c3a3c8793db69d1e421f594a01616cf7fb7509", "type": "eql", "version": 5 }, "03b150d9-9280-4eb8-9906-38cfb6184666": { "rule_name": "First Time Python Accessed Sensitive Credential Files", "sha256": "aa5c2a00f56d00f3919acc63046fbd07594b643728777215c6faf15acefea5b8", "type": "new_terms", "version": 2 }, "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { "rule_name": "Potential Network Scan Executed From Host", "sha256": "74510e92c414883b3395c16038036135ff8ab99e5598ed0fa19fdadd86e0b701", "type": "threshold", "version": 8 }, "03d856c2-7f74-4540-a530-e20af5e39789": { "rule_name": "Multi-Base64 Decoding Attempt from Suspicious Location", "sha256": "074027b2bad9f1ac786fc520f793d1c3f48adbf4c5dee422b7ac017e8197672a", "type": "eql", "version": 3 }, "0415258b-a7b2-48a6-891a-3367cd9d4d31": { "rule_name": "First Time AWS CloudFormation Stack Creation", "sha256": "5a13a67e1b4bf143cfe2a0d8d3447f6a60fc0715e8494ee228a0040708d817d9", "type": "new_terms", "version": 8 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { "rule_name": "Renaming of OpenSSH Binaries", "sha256": "9ee995138cffed589e949a0c429e822f01d39ee3d4e57daa0b0130de809eae76", "type": "query", "version": 115 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", "sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047", "type": "query", "version": 105 }, "0428c618-27f5-4d94-99e6-b254585aba69": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 100, "rule_name": "High Number of Protected Branch Force Pushes by User", "sha256": "c106d5b9496998b4af456df8d7df3c6ae1357af321309b4d51be2909f20ace09", "type": "esql", "version": 3 } }, "rule_name": "High Number of Protected Branch Force Pushes by User", "sha256": "eafae5474516c5620352bbf6fdc4e5746adb3cf882352bad06a19d7dbfd26020", "type": "esql", "version": 104 }, "043d80a3-c49e-43ef-9c72-1088f0c7b278": { "rule_name": "Potential Escalation via Vulnerable MSI Repair", "sha256": "dba859d27b151a923834b39a2c500f09b452ecd18fb17bc42fcedef488f957f8", "type": "eql", "version": 206 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { "rule_name": "Entra ID Global Administrator Role Assigned", "sha256": "9e8ad446f3a34d36c690d2af3ab183e06ef27545b244ce0b4f700d573cb8c71d", "type": "query", "version": 108 }, "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { "rule_name": "User Added to the Admin Group", "sha256": "b164ca59eecebcabe9bd4bbdc1c86c640f202a21e08e0a08cdfc824610ec9d98", "type": "eql", "version": 5 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "rule_name": "Suspicious Microsoft Antimalware Service Execution", "sha256": "c4b43d411a14ed5441f18c7ac996e4d2ca17ce62a46155c9b8ef8a35e8e612f9", "type": "eql", "version": 219 }, "054853f3-2ce0-41f3-a6eb-4a4867f39cdc": { "rule_name": "M365 Defender Alerts Signal", "sha256": "b4a2a0cb67bf979baded41864bc6fa10883535dc419e6b6488ba8b1c8d0fb907", "type": "query", "version": 2 }, "054db96b-fd34-43b3-9af2-587b3bd33964": { "rule_name": "Systemd-udevd Rule File Creation", "sha256": "af7ccb91cc20e0406d5dbf0a368623b91dbe2fe0345075123197e22162c25280", "type": "eql", "version": 13 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "489f0b6d8e4c6a6b209771bd6fe6a15862f20fa603d6b726a5b1c1446bfb9099", "type": "eql", "version": 220 }, "05a50000-9886-4695-ad33-3f990dc142e2": { "min_stack_version": "9.3", "rule_name": "System Path File Creation and Execution Detected via Defend for Containers", "sha256": "651ccae1e6baff5b1d018b9d02b49fa294970a75eddd6ad69ee73c7be6983531", "type": "eql", "version": 2 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "f750da59bfae7e417e2fef8122c3e5b7520f15e8610d3c66dd63557fa6504962", "type": "eql", "version": 313 }, "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { "rule_name": "Tainted Kernel Module Load", "sha256": "d4df17e4c4a8b6081d4dc4c4682ee25d1ed06862635d77ea153047f150e1b1f7", "type": "query", "version": 10 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", "sha256": "aa3c02fb79c761a80f4964773218383ce6f2fa3d6edbb33b4228d9f58a4d7224", "type": "eql", "version": 114 }, "05f2b649-dc03-4e9a-8c4e-6762469e8249": { "rule_name": "Suspicious AWS S3 Connection via Script Interpreter", "sha256": "bdcf91c78e9c5c094fb384d21437ea44ff202ce66a874ddeb50bbd6be3ecd14f", "type": "esql", "version": 3 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "rule_name": "Remote System Discovery Commands", "sha256": "287d45f63f9e0a5633a9830bc210991eedc0daf0db72f995831d011600a3b750", "type": "eql", "version": 217 }, "064a2e08-25da-11f0-b1f1-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk", "sha256": "fbb58851e7b0642dbb3d884af38bac704a32fd6065228ae2d97cc8769bf6a93f", "type": "query", "version": 5 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "rule_name": "System Time Discovery", "sha256": "3c5edef6420d3b719294df8da79f6f77b0e473d0d2f3bbd1fa89103aa8f53bcf", "type": "eql", "version": 114 }, "0678bc9c-b71a-433b-87e6-2f664b6b3131": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "Unusual Remote File Size", "sha256": "565ac2eb82e32aae378c10858021adb00856aa3fcca8dfff5921bec099323be0", "type": "machine_learning", "version": 9 } }, "rule_name": "Unusual Remote File Size", "sha256": "ea21c2579a2ea6d078cc251597362fa05d6ad0a2b65fc498d6c5059636d8b638", "type": "machine_learning", "version": 109 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "61186ac011e99a690ffc2ca0232ca0d4c1a56577cd1b882fc838f4adec3b1372", "type": "eql", "version": 215 }, "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": { "rule_name": "Dynamic Linker (ld.so) Creation", "sha256": "6350e0d9141e53b3f2c4ecc5b9384512cd89637b34bb845ffedb10e893777303", "type": "eql", "version": 107 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", "sha256": "e0fc6fce12b37afcc2729cc67ce98534a81f241684b19f9763e9f1220fd3d190", "type": "eql", "version": 220 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Memory Threat - Prevented- Elastic Defend", "sha256": "39ab8efbaba1708840ab6193657a5a186f3a085b6224598c77a08006514293dd", "type": "query", "version": 4 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "b61bad8552dae17b256c73cb62eb7e5240586363ca2bdfae7dce74ffc35cb129", "type": "eql", "version": 318 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "5b3ad0cab15b804ec79acfddc6075930f20e13bdc9b7df71afa2bab6135aa015", "type": "eql", "version": 210 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", "sha256": "2a82445079956301b16981f1c33b9a8f5c65ffee6d2ef7b6948e62f24689a072", "type": "threshold", "version": 9 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "e5ead4056278a234ee157310599f05d05e66fe7be04c4658c711e90a8fbfdd8e", "type": "eql", "version": 321 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", "sha256": "cf7654ebd4c213e045aaa2ad22109e5d4d8d75c557757a8402eabe3919da5acb", "type": "query", "version": 111 }, "080bc66a-5d56-4d1f-8071-817671716db9": { "rule_name": "Suspicious Browser Child Process", "sha256": "e0131321585947ebb113994bcb41271b69a40753710365ea30b2a1204ad5008d", "type": "eql", "version": 113 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { "rule_name": "Launch Service Creation and Immediate Loading", "sha256": "6e6a989495990c86ba5a6dc1a3178fbe5dc8a8e23542837ce40be022461703e9", "type": "eql", "version": 112 }, "083383af-b9a4-42b7-a463-29c40efe7797": { "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", "sha256": "df58a717def18bd6b87e4ee7c0b9b92e104cfaef8714f6029f3f4cc26a4c2f7a", "type": "esql", "version": 11 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", "sha256": "3e6315c69df778ac0ee943ef7672b9725a6c36ecdedf6c955d1609b9f0c936cc", "type": "eql", "version": 111 }, "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "rule_name": "First Time Seen Removable Device", "sha256": "8d49ac6a7e4266309a445287ddba7de4a7c3953b54030f6bb1b22a2579d6e607", "type": "new_terms", "version": 214 }, "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": { "rule_name": "Node.js Pre or Post-Install Script Execution", "sha256": "f161b256265c51cd268982d28acc9d9220cc7c1aba15a8b036c39d9ae9253da3", "type": "eql", "version": 4 }, "08933236-b27a-49f6-b04a-a616983f04b9": { "rule_name": "Alerts From Multiple Integrations by Destination Address", "sha256": "d6accf93019b97c82298a163af364a097f31b22146454acba734fd8f76d90c6e", "type": "esql", "version": 3 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { "rule_name": "Windows Account or Group Discovery", "sha256": "ce8ca8f191f83b34e7b0a028117f3ed158af3ebc4c3f9d40a1614f01033cd93e", "type": "eql", "version": 8 }, "08be5599-3719-4bbd-8cbc-7e9cff556881": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Source IP for Windows Privileged Operations Detected", "sha256": "bc44537711867484c6d568447d16aa07c2bebb17b8e8de3f9d5d4cd27b7877dc", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Source IP for Windows Privileged Operations Detected", "sha256": "cba194c97b4198045ac48cbff7beb5cf8aa6cd337abe8b945d0e921ea725f96c", "type": "machine_learning", "version": 104 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", "sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb", "type": "query", "version": 100 }, "09073bf4-a8ea-4bce-9fd5-2bb56b4d31f4": { "rule_name": "Attempt to Clear Logs via Journalctl", "sha256": "dc61913b2bea0be5a6013cb04da91ce28b84fce2780a58eb7bcb8c1a871ba003", "type": "eql", "version": 2 }, "092b068f-84ac-485d-8a55-7dd9e006715f": { "rule_name": "Creation of Hidden Launch Agent or Daemon", "sha256": "89f5838ed3a10f58fb95b54bf3a065b1edfcbccc6e82ba7249e7714ec14af877", "type": "eql", "version": 113 }, "09443c92-46b3-45a4-8f25-383b028b258d": { "rule_name": "Deprecated - Process Termination followed by Deletion", "sha256": "b732879b1c2fe0dc643e22be8c9dfc66ffd9b3362f8964d99df43ec8ce295335", "type": "eql", "version": 114 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { "rule_name": "Member Removed From GitHub Organization", "sha256": "2ffad86dda9d63530d2b961af027f8ccf552593370bec658c394b6bfbee14ed9", "type": "eql", "version": 206 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", "sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244", "type": "eql", "version": 100 }, "097ef0b8-fb21-4e45-ad89-d81666349c6a": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Spike in Special Logon Events", "sha256": "92d7807f355cf385d1fa15849d15c6fb322bf1b9dde07df1b9e0d92899819b0c", "type": "machine_learning", "version": 4 } }, "rule_name": "Spike in Special Logon Events", "sha256": "af7d7f8466de0579c7532f0e4cc5b23f711bc0484f6e516cc0f3962f7e510a6c", "type": "machine_learning", "version": 104 }, "098bd5cc-fd55-438f-b354-7d6cd9856a08": { "rule_name": "High Number of Closed Pull Requests by User", "sha256": "f46d127ff65faf71c8a8b0f3fb5821e6deb79ff046965cbe27aa8f63f7229354", "type": "esql", "version": 4 }, "09bc6c90-7501-494d-b015-5d988dc3f233": { "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "sha256": "21a80a8417bb2147dbcfad3bbd1dbac0c463712efa27f14464c0547f66e34582", "type": "eql", "version": 11 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { "rule_name": "Azure VNet Firewall Front Door WAF Policy Deleted", "sha256": "2d00df8fc7b00a913e0c182043c1a112d1b2690af2c81572f80ad04a284e5df0", "type": "query", "version": 108 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { "rule_name": "Malware - Detected - Elastic Endgame", "sha256": "6dec72ce9f7aabecc519652ba7299033d64fbfe4d155e3cbb9fff040f62ecef9", "type": "query", "version": 105 }, "0ab319ef-92b8-4c7f-989b-5de93c852e93": { "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "sha256": "6a2860edb5ebe67b8ddbfd0633c2fc64f43eb9a1a0b6cb59f298b6e207944b51", "type": "query", "version": 9 }, "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "rule_name": "Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "62831c7e91ee7ce21ec1904ea276f67fc1771d890a541a18fba380632f6a8e04", "type": "query", "version": 213 }, "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { "rule_name": "Yum Package Manager Plugin File Creation", "sha256": "dbae98880bf9a0c1e97107f8d4f2e8db844623eea45f77f379c744c955ea36dc", "type": "eql", "version": 10 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 311, "rule_name": "Anomalous Windows Process Creation", "sha256": "0d38cceb87101c739c8c402c9c084654ab8bea0da9d751f01e82deca56bdf848", "type": "machine_learning", "version": 212 } }, "rule_name": "Anomalous Windows Process Creation", "sha256": "4322d572dd7347e0c0b1fe18bb2c528d15656965e263d2d9209a6ccbe24facdd", "type": "machine_learning", "version": 312 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", "sha256": "02414f778b92b4c687768c61989adb3f2b632c354674ecf7c580d1e549cdba9b", "type": "query", "version": 221 }, "0b76ad27-c3f3-4769-9e7e-3237137fdf06": { "rule_name": "Systemd Shell Execution During Boot", "sha256": "09dffcc4e5124f18d47919fe93f50abaeb60d6834acf7ead306f212a6eba4afd", "type": "eql", "version": 6 }, "0b79f5c0-2c31-4fea-86cd-e62644278205": { "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", "sha256": "930b95c69bf6eea872d22434afefa58e36c3427fe3074d3010aa7531c87510b7", "type": "eql", "version": 7 }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "rule_name": "Potential Shell via Wildcard Injection Detected", "sha256": "7d77a4998b0ebb67b07e857ede2aade5168aa1ae3854965f321bbac0e38be89f", "type": "eql", "version": 113 }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { "rule_name": "Attempt to Establish VScode Remote Tunnel", "sha256": "438c321a47c109bde474d6eeb1ea633ec7f60705edf876aaaa4b0a8dfec1af2b", "type": "eql", "version": 112 }, "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": { "rule_name": "Elastic Defend and Network Security Alerts Correlation", "sha256": "15b613d3ba0acece6a8253f34df9e3f8528ec9a65642dfb2585425a083f8b7a6", "type": "esql", "version": 7 }, "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { "rule_name": "Processes with Trailing Spaces", "sha256": "eea37dd20530605c66b9747aec38cabb0194bce5bb2991f9b1744136a6c3cf26", "type": "eql", "version": 5 }, "0c1e8fda-4f09-451e-bc77-a192b6cbfc32": { "rule_name": "Potential Hex Payload Execution via Common Utility", "sha256": "93cd06950bf1b69b6bd8abd8923e82b0e7c578c6e93606cfcd6be0f5909f8bb7", "type": "eql", "version": 107 }, "0c3c80de-08c2-11f0-bd11-f661ea17fbcc": { "rule_name": "M365 Identity OAuth Illicit Consent Grant by Rare Client and User", "sha256": "990caac706a81700f2a8457d690ca56ba943e899e776bb8e8d053ee4aa3d5d13", "type": "new_terms", "version": 8 }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", "sha256": "de0fce0fbcce6580a6a0af3a9cbd36da077ec0b32571149301aaaf7e6b50bc35", "type": "threat_match", "version": 9 }, "0c74cd7e-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Ransomware - Detected - Elastic Defend", "sha256": "4cd274302356966cd95f09c1100bc8a7ded3746edf7901cc0a36a7d8a85120fb", "type": "query", "version": 5 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", "sha256": "156bd381d564774d81e1860d26cfc6d4a84a75a320968e06ed2b550945efaa1c", "type": "eql", "version": 316 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { "rule_name": "Deprecated - Threat Intel Indicator Match", "sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a", "type": "threat_match", "version": 204 }, "0cbbb5e0-f93a-47fe-ab72-8213366c38f1": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "High Command Line Entropy Detected for Privileged Commands", "sha256": "2e7d5c4df33ef2238bbf97c9d32ff1f30b544cd024426fbf7b8f60efb7289ad8", "type": "machine_learning", "version": 4 } }, "rule_name": "High Command Line Entropy Detected for Privileged Commands", "sha256": "e1065505966fda7f392ba493ac2b31b91e6f378c082d6704f3134ac39a389494", "type": "machine_learning", "version": 104 }, "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", "sha256": "b8b8dd78b8c6c7dc7963683187e44adf10d7f96d6f8fb08ea9d8a6f1015f376b", "type": "esql", "version": 8 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "M365 Exchange Mailbox High-Risk Permission Delegated", "sha256": "894f2eba51cb0eb9109b09f87d273ae20204ec8d8ff1a5d3cd366e6650808047", "type": "new_terms", "version": 214 }, "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { "rule_name": "Multiple Alerts Involving a User", "sha256": "39146bd0ad1fcffb736b85e308c42cb31f2e2d0059d03d59be148de54965d777", "type": "esql", "version": 9 }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph", "sha256": "51e32252c859489884ccd4518fe7dae46ab0cea3f05342fccdf9a5b466fc0e2c", "type": "esql", "version": 10 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", "sha256": "dd76e3f0f0d4cc6807c6afcd4c5894467e3047dd19959748a879badf05fd647a", "type": "eql", "version": 213 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "rule_name": "Execution of File Written or Modified by Microsoft Office", "sha256": "094356d1f51021f7425e8498fdaa9e5545042553ed50aaf071c39778fedad057", "type": "eql", "version": 114 }, "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 204, "rule_name": "AWS Access Token Used from Multiple Addresses", "sha256": "26ed2013c1d78f46c69814d77905908c7c0bb10e421da7bd59937e75d0f01fef", "type": "esql", "version": 107 } }, "rule_name": "AWS Access Token Used from Multiple Addresses", "sha256": "77f473d39331e99c4f5139d471dc7043828fe6b9f3f0cddcf60878264857b71a", "type": "esql", "version": 208 }, "0e1af929-42ed-4262-a846-55a7c54e7c84": { "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", "sha256": "6319c31a290d00e0983d81b1971155caa96f3687a61721f79286857c1bbbbab0", "type": "esql", "version": 5 }, "0e42f920-047d-4568-b961-2a50db6c4713": { "rule_name": "Potential Persistence via Mandatory User Profile", "sha256": "b8d61454cd6ec06100946627852de41f7198a191f70683750b03297e6247a441", "type": "eql", "version": 3 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "15cd22677a8340711fed0f7030ff28056951bba6f1f4f4c74dacd31c27371ef5", "type": "new_terms", "version": 208 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "M365 SharePoint Malware File Detected", "sha256": "219149d921e9d74f4d05b7c228fa56ee3ae14df3a2c0373e981d498069bb89f4", "type": "query", "version": 213 }, "0e524fa6-eed3-11ef-82b4-f661ea17fbce": { "rule_name": "M365 OneDrive/SharePoint Excessive File Downloads", "sha256": "f8d745a83d271544f83eefd939f7a08615847df7c8b31a345065cbc06db50ccd", "type": "esql", "version": 9 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", "sha256": "a7de922125422835641adbae4ac03d3876d7db4b40c6a39e3039ef79757b5c0a", "type": "query", "version": 109 }, "0e67f4f1-f683-43c0-8d45-c3293cf31e5d": { "rule_name": "Lateral Movement Alerts from a Newly Observed Source Address", "sha256": "77726aac9ceb48e0f529980fb81396999b0c6688cf5bab0f232aa63d3a653918", "type": "esql", "version": 3 }, "0e79980b-4250-4a50-a509-69294c14e84b": { "rule_name": "MsBuild Making Network Connections", "sha256": "1d2f40489c68453c001300064c4191b3c1118961bcbf8f98ef0ae3d7af2a7f6a", "type": "eql", "version": 216 }, "0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 105, "rule_name": "Sensitive Audit Policy Sub-Category Disabled", "sha256": "07263690e8379296f216fcdd9c9c9f5b6b9d4785df9804d973ab13ac573a61c7", "type": "query", "version": 6 } }, "rule_name": "Sensitive Audit Policy Sub-Category Disabled", "sha256": "ab3e71024a071b7fdfe5a78867ce7b97ee798a14a25a3ad4d5f93579c8d00be5", "type": "esql", "version": 107 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { "rule_name": "rc.local/rc.common File Creation", "sha256": "0dd7907213fe1c2007ed13fc265447af5e1da11ec3932ac1bd234bac879ddd75", "type": "eql", "version": 120 }, "0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": { "rule_name": "Polkit Policy Creation", "sha256": "390e710ade2de69e142c5ee48c04471d137a80031e3679e2c9675a40dbc10e4e", "type": "eql", "version": 107 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { "rule_name": "Netcat Listener Established via rlwrap", "sha256": "a0f0ae4b269a171b856191b76721c04753d2c3ed780decf03817b56e352235ee", "type": "eql", "version": 109 }, "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": { "rule_name": "Behavior - Detected - Elastic Defend", "sha256": "d8fb41394bccffb0c9806c9a2edcf0cd1eefa2bc71a5d98d020b766f1e9e0c1c", "type": "query", "version": 5 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", "sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be", "type": "query", "version": 100 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "877b148eb16e5925faa6420c7ce4e5af877518280357765cf8b26d314d4866a4", "type": "threshold", "version": 314 }, "0fb25791-d8d4-42ab-8fc7-4954642de85f": { "rule_name": "Kubernetes Creation or Modification of Sensitive Role", "sha256": "b9c97990e6ca915c311408c981892865fdd39e7032758dd0bf98eb9c14eb5af0", "type": "esql", "version": 3 }, "0fb83aa0-3d17-41e9-b09c-56397bf7a7d9": { "min_stack_version": "9.3", "rule_name": "Decoded Payload Piped to Interpreter Detected via Defend for Containers", "sha256": "99daa90cdf83d5fa31673dca3684a322c5b9b12882dbc2d4e82acfbc4a249401", "type": "eql", "version": 2 }, "0fe2290a-2664-4c9c-8263-b88904f12f0d": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 101, "rule_name": "Kubernetes Sensitive Configuration File Activity", "sha256": "0733fbd77e1dcbbf858340c7c49c0409b1c8d13fcbce786043e46d561f30f8e7", "type": "eql", "version": 2 } }, "rule_name": "Kubernetes Sensitive Configuration File Activity", "sha256": "bfc840c4e0154ce1c816dc7e6d4b277b6a431df45094be45f5f6c0166ac02aa4", "type": "eql", "version": 103 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { "rule_name": "Privilege Escalation via Root Crontab File Modification", "sha256": "36da4f7c17d19fd33bbe592e8381c3917e11c309d47f43c7909d76b2740eb47b", "type": "eql", "version": 110 }, "1004ad5b-6900-4d28-ab5b-472f02e1fdfb": { "rule_name": "AWS SSM Inventory Reconnaissance by Rare User", "sha256": "1531a1d1f980b959ce58e42c0fb6a88915457be59be0697a2a52c266a55d4f25", "type": "new_terms", "version": 3 }, "10445cf0-0748-11ef-ba75-f661ea17fbcc": { "rule_name": "AWS IAM Login Profile Added to User", "sha256": "65b7cb64433981f1907a05a2af586fe1deaa32e3e04f391a3b8be11d65cd67ef", "type": "query", "version": 5 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { "rule_name": "Linux Restricted Shell Breakout via awk Commands", "sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969", "type": "eql", "version": 100 }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { "rule_name": "WebProxy Settings Modification", "sha256": "7a9a8ca308fe9d2c8060cae7cf57cb65402bef0f911c86790a0d29b8e978c4b7", "type": "eql", "version": 211 }, "10f3d520-ea35-11ee-a417-f661ea17fbce": { "rule_name": "Ransomware - Prevented - Elastic Defend", "sha256": "3d0922a96d70e3acfbd3d41bfb8c15881b2c0754486948513d6e29ced4a004e4", "type": "query", "version": 5 }, "11013227-0301-4a8c-b150-4db924484475": { "rule_name": "Abnormally Large DNS Response", "sha256": "be1fc253ed58440f6af839e8e5f79978eba0a908da3adb6fa9713f774fb8a7c0", "type": "query", "version": 110 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "f9bf3e298b294a41bb1856889477dcec525ec04804459de0294f14714ad143eb", "type": "eql", "version": 219 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "1224c28727d499af370240ca8e5ed7432294872e5d5258d9eedba7a8d8b72bb1", "type": "eql", "version": 318 }, "119c8877-8613-416d-a98a-96b6664ee73a": { "rule_name": "AWS RDS Snapshot Export", "sha256": "b78786276c865fe5602cfe809acdf9d0912624f137a0cf4049b4b5aefb497f84", "type": "query", "version": 213 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", "sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0", "type": "query", "version": 100 }, "11dd9713-0ec6-4110-9707-32daae1ee68c": { "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "a549668ec7559114b0115b356167686dc385ac990b386fb5e9f2b612c992357d", "type": "query", "version": 119 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "e2639febbe6e8a624a43a1a5782021cc15db735aef9129b0760de784416247ab", "type": "eql", "version": 217 }, "12051077-0124-4394-9522-8f4f4db1d674": { "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", "sha256": "66bfe584a46f9c27ec808d78ca7f975b9ce6104c3bd2991510676d76e7e38cb5", "type": "query", "version": 213 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", "sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e", "type": "query", "version": 100 }, "1224da6c-0326-4b4f-8454-68cdc5ae542b": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 210, "rule_name": "User Detected with Suspicious Windows Process(es)", "sha256": "a96480b14fddea2a5966e37fb70b54db6e8ef69582f58b9ddd9e0845943ff7ac", "type": "machine_learning", "version": 111 } }, "rule_name": "User Detected with Suspicious Windows Process(es)", "sha256": "f46f877d99943deae9fa5622e50247b35000bc4fa24fcdc5637f394a543ec995", "type": "machine_learning", "version": 211 }, "1251b98a-ff45-11ee-89a1-f661ea17fbce": { "rule_name": "AWS Lambda Function Created or Updated", "sha256": "1360886265d6aeb35c9b356643d02b243b43284698ffec99bd03641da8d34084", "type": "query", "version": 4 }, "125417b8-d3df-479f-8418-12d7e034fee3": { "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", "type": "query", "version": 100 }, "128468bf-cab1-4637-99ea-fdf3780a4609": { "rule_name": "Suspicious Lsass Process Access", "sha256": "13ea12c18b065bc285ea95a16119242a9882ef4c3103f521a1c701921ec69cd5", "type": "eql", "version": 212 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { "rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent", "sha256": "7c11440601de84729a35dfa170c057f749e1ed8943734cdad5d540f97f0900bf", "type": "new_terms", "version": 211 }, "12cbf709-69e8-4055-94f9-24314385c27e": { "rule_name": "Kubernetes Pod Created With HostNetwork", "sha256": "957cd8a8925cca175889fadff063ff73d18f178be083cbff70f868dfff58ad72", "type": "query", "version": 210 }, "12de29d4-bbb0-4eef-b687-857e8a163870": { "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "d32351494ff1b9ffd9ba55acf3ca09d761a8cc3d4944657b331a3e2cd0c2a611", "type": "eql", "version": 211 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "dff426ad89e3595df008b1e3eebe381001d991ed6f8556badc8cb7f03602384f", "type": "eql", "version": 321 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { "rule_name": "Persistence via Scheduled Job Creation", "sha256": "a4cef089a97baa377ce98b7cb50c1a47a4a67b0f74e854692264582b8a57614e", "type": "eql", "version": 416 }, "135abb91-dcf4-48aa-b81a-5ad036b67c68": { "rule_name": "Pluggable Authentication Module (PAM) Version Discovery", "sha256": "a9b1539d0e9db24ff1c2c89fbce7703a1e17089844275ce75a152f357dcffb33", "type": "eql", "version": 107 }, "138520d2-11ff-4288-a80e-a45b36dca4b1": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Spike in Group Membership Events", "sha256": "907893df220287d24f1906748b2da8456e68f29204e8cadd48187f98a98c5688", "type": "machine_learning", "version": 4 } }, "rule_name": "Spike in Group Membership Events", "sha256": "6833917467dfd8d34a81995993907c41c52722e7afecb30ec5fec5641477c8f2", "type": "machine_learning", "version": 104 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Rare User Logon", "sha256": "dbbfc73fc0478644faa929c86d67c4ce1a7a6af123ba5c96a3c57ba7454db18f", "type": "machine_learning", "version": 107 } }, "rule_name": "Rare User Logon", "sha256": "e7b1144434301dcf8d3c853460221fd971055d06b21eae12d6434b5e898d91e3", "type": "machine_learning", "version": 207 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - Note Files by System", "sha256": "a4773853ce1ea436c93f739ecc375ebc074829200e0ed449ee0e3bec0becb585", "type": "esql", "version": 215 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", "sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7", "type": "query", "version": 100 }, "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score", "sha256": "526f288219500704dab7160a26e0af9e6dbb812dcf0e2b12895e0f2412792343", "type": "eql", "version": 13 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { "rule_name": "Entra ID External Guest User Invited", "sha256": "3cc4581f69c27422b3f2353597665249059ba22ef323c49c2b97218a803eaac9", "type": "query", "version": 109 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { "rule_name": "RPC (Remote Procedure Call) from the Internet", "sha256": "0ad5c2e271c9001326aa27dfc63f6c35a4138bc03e6a1e4db48aaeac803e30f6", "type": "query", "version": 111 }, "14dab405-5dd9-450c-8106-72951af2391f": { "rule_name": "Office Test Registry Persistence", "sha256": "6ae151273f3904946010828516f37ea7cb7152e34ac5eebb85174cd704f59d78", "type": "eql", "version": 109 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { "rule_name": "Kubernetes User Exec into Pod", "sha256": "b84822387863316ee7e038ffc13bbf210e9d66bdd21bc0c4cbc1806a7a261d09", "type": "eql", "version": 211 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "5fb9943cdf453b43370e6f92b8be06a5dfe213e2bcd3566aa2e2bd08e9d21e7b", "type": "eql", "version": 317 }, "14fa0285-fe78-4843-ac8e-f4b481f49da9": { "rule_name": "Entra ID OAuth Phishing via First-Party Microsoft Application", "sha256": "1d5cd26347a6790ae2294701743b179765b2d5f29842f30b7564687d387f8cc7", "type": "query", "version": 8 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "da0623d8382c2550dc8e2605907d304a97ce85101085e93eaae2be757ed6242f", "type": "new_terms", "version": 209 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", "sha256": "1e38ba5abce5df6e94d4f7ff4ef607302c6726044195ba8953854867fec17b60", "type": "eql", "version": 8 }, "1542fa53-955e-4330-8e4d-b2d812adeb5f": { "rule_name": "Execution from a Removable Media with Network Connection", "sha256": "4f8dae1671164a15e104cf7087d42d6a879f2c0809501137ee183c0f3f3ee364", "type": "eql", "version": 7 }, "15606250-449d-46a8-aaff-4043e42aefb9": { "rule_name": "Suspicious StartupItem Plist Creation", "sha256": "f63835bd6dbd1ae1525c1f9d9b34983545dcb86f455e65e49d50b96726bcd6c8", "type": "eql", "version": 1 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "7c14ff284718226ea6475885fa3d285019ef181a69705bed2afb9f25ce81b4fc", "type": "eql", "version": 216 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "62c79ce5bae7cf736a51c50a7e07508e4a50999a807161a4e0c68835b2a29780", "type": "eql", "version": 320 }, "15dacaa0-5b90-466b-acab-63435a59701a": { "rule_name": "Virtual Private Network Connection Attempt", "sha256": "11df8567d6795588d2f0b1c35dd8ca813fcf809258461c5483790a459bdc1cc9", "type": "eql", "version": 113 }, "1600f9e2-5be6-4742-8593-1ba50cd94069": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Kubectl Permission Discovery", "sha256": "c1da63bbab5facc4c4cb7cc3ec0cfef430b4733d91393d9b58441c092c54e0e5", "type": "eql", "version": 4 } }, "rule_name": "Kubectl Permission Discovery", "sha256": "88b8163bdbf4231ba333b88a4662e21abc05924a08f51847cda7ed108328e09c", "type": "eql", "version": 106 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 102, "rule_name": "Deprecated - Potential Container Escape via Modified release_agent File", "sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a", "type": "eql", "version": 3 } }, "rule_name": "Potential release_agent Container Escape Detected via Defend for Containers", "sha256": "83cc6f40e6132026e20c447cd04f8cba5947105f81fe35a20b393a650d0ca896", "type": "eql", "version": 104 }, "1615230f-beb7-48d8-9b3f-6d10674703bf": { "rule_name": "Suspicious SIP Check by macOS Application", "sha256": "fa8c6092c9b9b8566ea7901262f4a9a3660b455e07ecb434fb833cdee30197d6", "type": "eql", "version": 2 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { "rule_name": "Azure Automation Runbook Created or Modified", "sha256": "090781ceb0f70e5c6d5854c34e2def7e8983a8c0fc34e614674ef24f4a9c74d9", "type": "query", "version": 108 }, "163a8f2f-c8a0-4b7e-9c4a-1184310eb7f3": { "rule_name": "Potential CVE-2025-32463 Nsswitch File Creation", "sha256": "811b20416cead7025ab23de710ac19ed81924cc270507221b356a395d5fd4940", "type": "eql", "version": 3 }, "166727ab-6768-4e26-b80c-948b228ffc06": { "rule_name": "Potential Timestomp in Executable Files", "sha256": "d412a6320c3b63e9d14e2897865c8df7a907154312cbc26891375687109ccfa0", "type": "eql", "version": 111 }, "16904215-2c95-4ac8-bf5c-12354e047192": { "rule_name": "Potential Kerberos Attack via Bifrost", "sha256": "d044c2e031f6739d53c3387ad4e0c7f4e1617a0fad10f442fa29118f43b2a0e0", "type": "eql", "version": 112 }, "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "rule_name": "AWS IAM Group Creation", "sha256": "a18672298cd92d568cb52d61601a039e39aa68213d8dc698fcdfa49d06280434", "type": "query", "version": 212 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "rule_name": "Component Object Model Hijacking", "sha256": "d4267bbb2896541227ff0042bb5fd07bf0d5d673472429d931cda1a80f41b666", "type": "eql", "version": 120 }, "16acac42-b2f9-4802-9290-d6c30914db6e": { "rule_name": "AWS S3 Static Site JavaScript File Uploaded", "sha256": "6b1835065de149596f5514acac7116d616ab69afd1ff4bd6c3187a13fe27493f", "type": "esql", "version": 8 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "e9d66fb58444a717fbb2b15ebf5f7ed7e2d888737fdf681a8537349fb9d7f291", "type": "eql", "version": 216 }, "1719ee47-89b8-4407-9d55-6dff2629dd4c": { "rule_name": "Persistence via a Windows Installer", "sha256": "96017fdffa7b8eafbd4630fac4ec0b8079bee2375bcd6ab550558ff48cf9bf1f", "type": "eql", "version": 7 }, "171a4981-9c1a-4a03-9028-21cff4b27b38": { "rule_name": "Suspected Lateral Movement from Compromised Host", "sha256": "48e0f928ed481c3e3c645ecfad961dfa891e8afe2e2b8ae94990745ace5522fb", "type": "esql", "version": 4 }, "17261da3-a6d0-463c-aac8-ea1718afcd20": { "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", "sha256": "2eeb4a2916c11aeca4185ded593f86975317296adad1f32d19f4d5f39f380f53", "type": "esql", "version": 7 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 309, "rule_name": "Unusual Windows Username", "sha256": "cf219e480a43620acf15659f951b5ab4c83d86326bc078bf6b2b9e165c3c30bb", "type": "machine_learning", "version": 210 } }, "rule_name": "Unusual Windows Username", "sha256": "439a53c97f890e9069f64ade7995b100cf7c08ab3c4305b076c384db5cf6477d", "type": "machine_learning", "version": 310 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 309, "rule_name": "Unusual Windows Service", "sha256": "3c42a7c62094acd7a9859c540f52484dd6a41d3d36d39aeadbc62492967e35ca", "type": "machine_learning", "version": 210 } }, "rule_name": "Unusual Windows Service", "sha256": "0eea7398ab7fbbc674a804b6fc2fb7f331e747e7c1a28927089d51e5254a48de", "type": "machine_learning", "version": 310 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 310, "rule_name": "Suspicious Powershell Script", "sha256": "ba7ac7109c4e1c1acc0a79dd47c42520c2d82b682f5630067a1d609b593859ce", "type": "machine_learning", "version": 211 } }, "rule_name": "Suspicious Powershell Script", "sha256": "815e86bb07efd5d73767e45677054f24f0b072412b4ba7210f195289eb9e9832", "type": "machine_learning", "version": 311 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 309, "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "cec4b63c64124b03e92ef65aca7cf18b5a4de706c53935cf74d95cc70cd43693", "type": "machine_learning", "version": 210 } }, "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "ac8baea0b2fd71b85c09a46482ad8e3c79f0334488c25ee2018c79f274231c4c", "type": "machine_learning", "version": 310 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 309, "rule_name": "Unusual Windows Remote User", "sha256": "96872a6f89cfe1e8ecc023430fc4349c49cb5b6ef9e4a833d422b6961741f481", "type": "machine_learning", "version": 210 } }, "rule_name": "Unusual Windows Remote User", "sha256": "c2541cadb2d1d9936e120b6daad7cae971b5d2ba79deb01bc3a044a885695f5b", "type": "machine_learning", "version": 310 }, "178770e0-5c20-4246-b430-e216a2888b23": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 104, "rule_name": "Spike in User Lifecycle Management Change Events", "sha256": "ef456fac2be7a733d18054b513015e78327fb99ad44dacc99be79140341146a1", "type": "machine_learning", "version": 5 } }, "rule_name": "Spike in User Lifecycle Management Change Events", "sha256": "78e9dfe6280543b50244e70ade9ca9266f8f77531dcb55cdc872a95de1c944ae", "type": "machine_learning", "version": 105 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "rule_name": "Systemd Service Created", "sha256": "4c1feb2d691a715844f24edbb5207bc35a4fdeee0d7314d708aeaba89adbbf0d", "type": "eql", "version": 20 }, "17b3fcd1-90fb-4f5d-858c-dc1d998fa368": { "rule_name": "Initramfs Extraction via CPIO", "sha256": "87ea53b4b70ebf750914ab208825d5c3c7161366d9b24c6267fb095279b01da7", "type": "eql", "version": 6 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Renamed Utility Executed with Short Program Name", "sha256": "11eedb38f0535b593e7587c7ae9c0c9b1f11713712345cb14aa032c4251e687b", "type": "eql", "version": 218 }, "17e68559-b274-4948-ad0b-f8415bb31126": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 208, "rule_name": "Unusual Network Destination Domain Name", "sha256": "f645b86e534e62a3da7f7b898cd1b0ea974c51d162961a19206bd0f00a67e31f", "type": "machine_learning", "version": 109 } }, "rule_name": "Unusual Network Destination Domain Name", "sha256": "65a861fcdfcd0c2366b569e4e3c8e7a599512fa2331ece1fb23f58ed93ff1b85", "type": "machine_learning", "version": 209 }, "181f6b23-3799-445e-9589-0018328a9e46": { "rule_name": "Script Execution via Microsoft HTML Application", "sha256": "f5b07367a229e2cc48754deee2bffbec577230719548e1c91cb73bd36b064536", "type": "eql", "version": 210 }, "183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": { "rule_name": "Simple HTTP Web Server Connection", "sha256": "b5bfa9c5bdbb2ac76c679d8e7c12aa4614561e8f0815a77d48fccf5feedd3a89", "type": "eql", "version": 7 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", "sha256": "acbdc60b1dddabc74eeaf2f73f1a26c51ced274c1226442b720a366f7bf37d2e", "type": "query", "version": 109 }, "1859ce38-6a50-422b-a5e8-636e231ea0cd": { "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", "sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e", "type": "eql", "version": 100 }, "185c782e-f86a-11ee-9d9f-f661ea17fbce": { "rule_name": "AWS Secrets Manager Rapid Secrets Retrieval", "sha256": "800ebd4d1ef253c688e649cd84fca4d2da5b8896f3537ecaa252855132cd0cc6", "type": "threshold", "version": 8 }, "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "Spike in Number of Connections Made to a Destination IP", "sha256": "4598c9aad50c787eadce4ce3b88adcfbc87b02c2ac5dcd9a6c3b39a445e3e6f4", "type": "machine_learning", "version": 9 } }, "rule_name": "Spike in Number of Connections Made to a Destination IP", "sha256": "12ba54701c9c9a48fe730d815cf85aa3e3e17eb721b01045f3015cf5f197813b", "type": "machine_learning", "version": 109 }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", "sha256": "718358b1e1c35b97028b4230acd16b8d1f36c355982f8acbeef3d773809c1f86", "type": "eql", "version": 12 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", "sha256": "6e73ca10f3e881fa538c71a4fa49fa6d7dd2022afd6c94c19a3c9c2bc3a24e01", "type": "eql", "version": 10 }, "1955e925-6679-4535-9c1b-28ebf369f35f": { "rule_name": "Suspicious File Creation via Pkg Install Script", "sha256": "bf39e06d8e8bcb3450813ab5d58f0a03c28e5cf9893bdc6abcfef843e67f134b", "type": "eql", "version": 2 }, "1965eab8-d17f-4b21-8c48-ad5ff133695d": { "rule_name": "Kernel Object File Creation", "sha256": "2e671c13c33cb02522db10a2ec30e4b58a107647589f9ff89a5f1b1259a43cb2", "type": "new_terms", "version": 6 }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS Service Quotas Multi-Region GetServiceQuota Requests", "sha256": "34009951e545cd9d705e6cac58d2af9dba570cc5dcec0e69c192d165f28be6d3", "type": "esql", "version": 10 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", "sha256": "b836fac20b0940bfc3175c371b5a9a9693cc738c58e02cce56b41be1d943bddb", "type": "machine_learning", "version": 212 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "Spike in Number of Processes in an RDP Session", "sha256": "29db7dc93ab6eab4b8b87720dd8d95683b744f2e2137115f6f3e48c204792339", "type": "machine_learning", "version": 9 } }, "rule_name": "Spike in Number of Processes in an RDP Session", "sha256": "fe983ed864521ad6cf3fe4e5be5ab60aef58b86a53412d26c0425b6eb0d442b4", "type": "machine_learning", "version": 109 }, "19f3674c-f4a1-43bb-a89c-e4c6212275e0": { "rule_name": "GitHub Exfiltration via High Number of Repository Clones by User", "sha256": "d44f81cce81f9989e3da9c9690ce5f15e1d0f708db04fecc4fc46560c28e35ba", "type": "esql", "version": 4 }, "1a1046f4-9257-11f0-9a42-f661ea17fbce": { "rule_name": "Azure RBAC Built-In Administrator Roles Assigned", "sha256": "096328c92f192c547fa70269c2a8869a2b41ea46972ff0b85f91c484b81defcc", "type": "query", "version": 3 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container", "sha256": "b35cf28e6c98f67ce2f60eee9fda257649fbc1f6217dbdf63219e032d521c28a", "type": "eql", "version": 4 } }, "rule_name": "Suspicious Network Tool Launch Detected via Defend for Containers", "sha256": "52c8bf4b88a390a02c576926ab93066b84724ffbf8a8f2adfc8bfa9edf30f233", "type": "eql", "version": 105 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { "rule_name": "Entra ID Application Credential Modified", "sha256": "d9a189bab2df94b4b6cd30d792e7891b84d4684c3d1f1b94e30aeb8769e60c62", "type": "query", "version": 109 }, "1a3d5b36-b995-4ace-9b85-8a0af429ccf6": { "rule_name": "Newly Observed High Severity Detection Alert", "sha256": "f7ccdf7bb05f6d8601a88fff8a0f0b2d1eef89acf10118fee5c63768ce9d3003", "type": "esql", "version": 6 }, "1a3f2a4c-12d0-4b88-961a-2711ee295637": { "rule_name": "Potential System Tampering via File Modification", "sha256": "8e542036316307cb533b6cf1cf8a04645ffae970672c7916e7185605a72e4be8", "type": "eql", "version": 4 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "rule_name": "Execution of COM object via Xwizard", "sha256": "7aff4b19617d22e58a7bba7919b719dbbec4df85308564a1cd3fee9363798ae2", "type": "eql", "version": 320 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "rule_name": "AWS CloudTrail Log Suspended", "sha256": "a3d4e1675ec84b3af9163b6a3759711bce84c07ff080a118e7208d181665df7c", "type": "query", "version": 215 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "rule_name": "User Account Creation", "sha256": "12119420da1871b99202f57ec10904ffc1deee90adab67e4719a1a7207bbc500", "type": "eql", "version": 317 }, "1ac027c2-8c60-4715-af73-927b9c219e20": { "rule_name": "Windows Server Update Service Spawning Suspicious Processes", "sha256": "0fa5a2a328ab55c39a78ae87ec88868fd59afbb127aeb9495fb2be890a7c8083", "type": "eql", "version": 3 }, "1aefed68-eecd-47cc-9044-4a394b60061d": { "rule_name": "React2Shell Network Security Alert", "sha256": "0bb3f9c7167e6586c90cc2a0d5c56d1239b7e0eccdfbdb6d4fb9e18757d982fe", "type": "query", "version": 2 }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "rule_name": "Process Created with a Duplicated Token", "sha256": "2f7562c182467d14f7652d3abb6608ddb866a662c35c85f285c8fd5b91f6f892", "type": "eql", "version": 7 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { "rule_name": "Connection to Internal Network via Telnet", "sha256": "a0a40875e83b365491356586b13f47638211dbab5eb725cd74e481088f4abf31", "type": "eql", "version": 212 }, "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d": { "rule_name": "Remote Management Access Launch After MSI Install", "sha256": "54c52e1583a70f0e58886c3834476d8a301420a103cebf085744e0b227eabe61", "type": "eql", "version": 4 }, "1b65429e-bd92-44c0-aff8-e8065869d860": { "rule_name": "BPF Program Tampering via bpftool", "sha256": "81a039d10521f44f4281d8544ffd0b16a9b3063f8ee87612d04ff43a2da6151a", "type": "eql", "version": 2 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted", "sha256": "7bb163ffa02ead7013b9865823123774e06e0f2b67f15bd5f74d2502b70eedb1", "type": "query", "version": 210 }, "1bb329a5-2168-4da5-b7b9-d42a51deb6dd": { "rule_name": "Correlated Alerts on Similar User Identities", "sha256": "68998d6567c249cc78dcca6818615a5ba8e4f942205978f489fad037876e6b4b", "type": "esql", "version": 3 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "rule_name": "Potential Internal Linux SSH Brute Force Detected", "sha256": "03f4a222aafafea3d3221e0582ccac9b11bbc82101504c84c7694b8ef873cda9", "type": "eql", "version": 16 }, "1c28becc-ec0b-4e6d-81a5-899d00348089": { "rule_name": "Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket", "sha256": "b9af69ebbbeff32bb2101e0acdf8c98dc60ca99cddc9b2ecbb16b47c394956d6", "type": "eql", "version": 1 }, "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { "rule_name": "Potential Process Injection from Malicious Document", "sha256": "ce6e5c0d567af464050071029e7ca367ab9b070855f566cda0626a678b8c95ef", "type": "eql", "version": 4 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Entra ID Illicit Consent Grant via Registered Application", "sha256": "fb04e2d9695cf1eb8eef84bae6c748979d9703934f64e06743e28b55e5168f56", "type": "esql", "version": 220 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence", "sha256": "cf847fe5e118883f401f0194f9dc8736fb85d9bcbaf36d14d3a4d74b938ed6a8", "type": "eql", "version": 120 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created", "sha256": "872670a07996ff3b1b618f205a314336501baae58b58b0b9eb4df5a182cbe3aa", "type": "query", "version": 109 }, "1ca62f14-4787-4913-b7af-df11745a49da": { "rule_name": "New GitHub App Installed", "sha256": "98cd8a087a11aa53e292618c8047442532a33dc329c2c7c7e264ad92008f574b", "type": "eql", "version": 209 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "2d10043a1aa6786aef98747241a102b2e31aae347ae8a451f5e468c9d52f7e35", "type": "eql", "version": 214 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "b205ced242cd1aea02d4b083ded2c9a8d7e55a6d6b9c2a0e4a62f113c2d1d709", "type": "new_terms", "version": 213 }, "1cfb39e1-4b6c-4dc7-85fe-733e4a1a33ca": { "rule_name": "Entra ID Domain Federation Configuration Change", "sha256": "ad37538a2c191bb69fef32ecee94047d48237b5f045c30faa5d3cbba14fe1aec", "type": "query", "version": 3 }, "1d0027d4-6717-4a37-bad8-531d8e9fe53f": { "rule_name": "Potential Hex Payload Execution via Command-Line", "sha256": "73886707ccad198484d4c6cdde082d9ef78aea65c349fa08ea0430836e23f673", "type": "eql", "version": 5 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "rule_name": "Remote File Download via Script Interpreter", "sha256": "e9575c364fc387c6707b5d37b4870192b76de5fab2e194b70bc4691ef96b498f", "type": "eql", "version": 216 }, "1d306bf0-7bcf-4acd-83fd-042f5711acc9": { "rule_name": "Initial Access via File Upload Followed by GET Request", "sha256": "2b398592c31c97af1985d6702aea4c8065619b220445521d5b75a1a48b3c1a47", "type": "eql", "version": 3 }, "1d485649-c486-4f1d-a99c-8d64795795ad": { "rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt", "sha256": "2756232f98fabdff059cfa55dc552f04e2c8c7042455b61eade3819dde3b4b3d", "type": "eql", "version": 3 }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Profile Creation", "sha256": "92e8e6bf07d93b94bbeb7d1af6d2bd2f62f69c4dd3bedc34becebc0961db80c8", "type": "query", "version": 9 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { "rule_name": "External IP Lookup from Non-Browser Process", "sha256": "8d05c32f44d67de63080ae2a1b59170a1394351c67170174791519ff480c2348", "type": "eql", "version": 110 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", "sha256": "398b3d88b1753b2d476720085736b2bdfe86fb195e47981a3e582f66397ced53", "type": "query", "version": 114 }, "1dc56174-5d02-4ca4-af92-e391f096fb21": { "min_stack_version": "9.3", "rule_name": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers", "sha256": "de7edeb410f5b8a1e8dbb092cbe4d087a133a7ba1c66545920a487874a383294", "type": "eql", "version": 2 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "280c95cf73f0b4d05908dee4ef63654696f4b55a5040e86f1f69d1455aab9cd4", "type": "eql", "version": 318 }, "1dd99dbf-b98d-4956-876b-f13bc0ce017f": { "rule_name": "Alerts From Multiple Integrations by User Name", "sha256": "5b591df265379ba718a43e0d8ae57ae7b2e96d60ea25cc141bb89faa9fffa7bf", "type": "esql", "version": 3 }, "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { "rule_name": "Suspicious Inter-Process Communication via Outlook", "sha256": "bdf02d8405b38f96f1a6314cda5e1200914160197006090f7af12146810ca2cb", "type": "eql", "version": 12 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { "rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader", "sha256": "3caf1dd70a817330534a0dc7cdc46d615214890e6f3d34081977f33977018794", "type": "eql", "version": 211 }, "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { "rule_name": "Potential Linux Hack Tool Launched", "sha256": "d77702d18de0a8d0365973764069a898ec115292a1894c24062e7aed54979fd4", "type": "eql", "version": 109 }, "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "rule_name": "Deprecated - PowerShell Script with Discovery Capabilities", "sha256": "ad1bd87d23f66d5a3239115816acbcf857fffb8361fd598d3abda318487378fa", "type": "query", "version": 215 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "rule_name": "Azure Storage Account Key Regenerated", "sha256": "a36ca67a74f87b67b969d3970684fafaf17f731179188925f02cc6e2db6c3dd7", "type": "query", "version": 107 }, "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { "rule_name": "Creation of a DNS-Named Record", "sha256": "f122d418e9dafbe14b2ca383cd8a6184aaa9aaaca6d46160e742e081b941bc9b", "type": "eql", "version": 109 }, "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "rule_name": "Creation of SettingContent-ms Files", "sha256": "2f32979d0c4c70576ae719941f88e9b734de6ca0b68d8cbca27176d73ca4769d", "type": "eql", "version": 109 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "b6df387d7eea51849c454c9111255872e0f17716467e7f7dcb96324b0a100070", "type": "new_terms", "version": 208 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Sudo Activity", "sha256": "affa4cbf4b252e4c8041f18f7949ab5c47ea25f683997a7fcfab80690076234c", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Sudo Activity", "sha256": "c191e024e62f5ec95b39f7a502aecbea41301bd8a555cbe351ce2d88a3dc354d", "type": "machine_learning", "version": 207 }, "1eb74889-18c5-4f78-8010-d8aceb7a9ef4": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 100, "rule_name": "Spike in Azure Activity Logs Failed Messages", "sha256": "9c8b0e80daf7cb337ca4cb7707c9b96e69b175935a5fa7b55707c9270f9a0653", "type": "machine_learning", "version": 1 } }, "rule_name": "Spike in Azure Activity Logs Failed Messages", "sha256": "b55cf9442601c13334ddbdf9f1c6553c1ee36c6be64b33cc9c2d312f36a43c55", "type": "machine_learning", "version": 101 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", "sha256": "5f229ee4fa489867da43771533ebd54f07045dbf3c671e4edec7850f6e2ff04d", "type": "query", "version": 118 }, "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { "rule_name": "AWS Sign-In Console Login with Federated User", "sha256": "55d45ab5f5631b527067817a7d2c2d4fd25f4b7740b19d7ed6684b84c9d198b6", "type": "query", "version": 7 }, "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "rule_name": "Unusual Process Execution on WBEM Path", "sha256": "6ef4ba72caea4308333e21e9748b0103bd5465ca8e8de00cb44982b38ddc73a8", "type": "eql", "version": 108 }, "1f56f548-94ec-4678-b1ed-b1a14cca4e3a": { "rule_name": "File Creation in World-Writable Directory by Unusual Process", "sha256": "4bf3288a105dbff9ff1d8025c12a892327a0c7a5062427686efbbb056082eacc", "type": "new_terms", "version": 1 }, "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { "rule_name": "High Number of Egress Network Connections from Unusual Executable", "sha256": "b7c5e8e2683c1a9405ab334ea64b6abd11051146461d97a00a006a8a114ac5e3", "type": "esql", "version": 12 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "d4adbf8ea6feea59616adf3ad8302ad326c5860a91a7973921f942b5849c1e0e", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Linux User Calling the Metadata Service", "sha256": "1a0a985a78e282cb73680c64ef0fd7dd1b06b6888ac9aa29908324720ffd8a52", "type": "machine_learning", "version": 207 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "ce63eff5ee6329ed0d754e18e681e094db4edd4554e6c5857c4a7e4eec55a7f3", "type": "eql", "version": 220 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { "rule_name": "Exploit - Detected - Elastic Endgame", "sha256": "320ecccc98bfef326d6dc0f0054a1f42fc866f1bbcd92d8f3fd1352271653f0d", "type": "query", "version": 106 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { "rule_name": "Suspicious .NET Code Compilation", "sha256": "718eb4049a2a7d326275953bcb81b6108f6af2f80cf5681605b01c2156773965", "type": "eql", "version": 319 }, "202829f6-0271-4e88-b882-11a655c590d4": { "rule_name": "Executable Masquerading as Kernel Process", "sha256": "b71bdcfb747a7c25b0a7ecef37b73f89cfd4936ff7b67f399a7d47694f1c4992", "type": "eql", "version": 109 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "rule_name": "Creation or Modification of Root Certificate", "sha256": "da1e0288bfbf5cf9a5a637c2ff71e7b786124de06dafdd88afc745cf802cfbec", "type": "eql", "version": 317 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "rule_name": "AWS Route 53 Domain Transferred to Another Account", "sha256": "00192d120763a8e01464c5ce0165c7c8c09fd5dc69b8913668ae9889fe86e6ce", "type": "query", "version": 212 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "rule_name": "Suspicious Web Browser Sensitive File Access", "sha256": "e46abdd536b397307dd73b4a20f4296b0141a10a86a9c252ecc461420fea502d", "type": "eql", "version": 214 }, "205b52c4-9c28-4af4-8979-935f3278d61a": { "rule_name": "Werfault ReflectDebugger Persistence", "sha256": "acfa894d6162e141d87059ad8f6bf9ab526faf4bb7d294c1c9559d4a696d8c5a", "type": "eql", "version": 209 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { "rule_name": "LSASS Memory Dump Handle Access", "sha256": "95ec166b973e8fa95beb4a3ed8c8005380916540f7218d2b4fcddf1f761a8e97", "type": "new_terms", "version": 217 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { "rule_name": "Auditd Max Login Sessions", "sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37", "type": "query", "version": 100 }, "210d4430-b371-470e-b879-80b7182aa75e": { "rule_name": "Mofcomp Activity", "sha256": "c0049f673475e17a60c9243c445c9cc0740541dd02cedb0ad8ad2af6aa0ec463", "type": "eql", "version": 11 }, "2112ecce-cd34-11ef-873f-f661ea17fbcd": { "rule_name": "AWS SNS Topic Message Publish by Rare User", "sha256": "3e08ddf0b5b1afd3391ad3417aeab29ba5b82004dfea27700df13240aa6f2c1e", "type": "new_terms", "version": 6 }, "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { "rule_name": "Potential Reverse Shell via Child", "sha256": "ffbef35f2979f9b0815d176123110cf20185f13031b14a773f5d555d5a5f67ef", "type": "eql", "version": 9 }, "214d4e03-90b0-4813-9ab6-672b47158590": { "rule_name": "New GitHub Personal Access Token (PAT) Added", "sha256": "59d60ae7f69e0ad09fed8b4f0d81aa233cb1aa5f95a2c4dbc67893e48c9c6a68", "type": "eql", "version": 3 }, "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "sha256": "8b75d9e37c1f4a0c2bf887e72a428e276adafb073c14a72aa32d6df0f17e18d9", "type": "new_terms", "version": 11 }, "21c3536f-b674-43db-9bfc-dcf4cf9dcc37": { "rule_name": "GitHub Secret Scanning Disabled", "sha256": "aff570e0cf948f93e3441a9f2e00aef71fc0bf2aa0b96863c7c05b6589ebb7d6", "type": "eql", "version": 2 }, "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "rule_name": "Full User-Mode Dumps Enabled System-Wide", "sha256": "2e948782f65666ac3d10796a6baf18110e533c7911ec87b4302958666ded5115", "type": "eql", "version": 113 }, "220d92c6-479d-4a49-9cc0-3a29756dad0c": { "rule_name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy", "sha256": "b8ea3be7fe37d1a71bbceeadb9717e70b488e7256446ad679f347b464e34524c", "type": "esql", "version": 2 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { "rule_name": "SSH Authorized Keys File Activity", "sha256": "09ce90780ee8c5b0abb47761859ddd4909e777651474a0de5937379b4fe1de9d", "type": "new_terms", "version": 210 }, "22599847-5d13-48cb-8872-5796fee8692b": { "rule_name": "Deprecated - SUNBURST Command and Control Activity", "sha256": "e436ded1c2bcdb723f2a841740b8072959feceb4095c0086697c55e444763575", "type": "eql", "version": 112 }, "227cf26a-88d1-4bcb-bf4c-925e5875abcf": { "min_stack_version": "9.3", "rule_name": "Encoded Payload Detected via Defend for Containers", "sha256": "c22125aa8d5fbba0e2e7ab1379a82385d8164c305089fc053ca1bf31ed58b2e0", "type": "eql", "version": 3 }, "227dc608-e558-43d9-b521-150772250bae": { "rule_name": "AWS S3 Bucket Configuration Deletion", "sha256": "94bf56921f7182099d52dfb0db8b4469fc67827685348c0e306268756187ba80", "type": "query", "version": 214 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "rule_name": "Potential Shell via Web Server", "sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1", "type": "query", "version": 105 }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { "rule_name": "GCP Storage Bucket Permissions Modification", "sha256": "86d21d741eff46da2d15b7f31b033ed32ecda99a9f660857b2f751ee059c149f", "type": "query", "version": 109 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { "rule_name": "Kernel Module Load via Built-in Utility", "sha256": "a06f1985bb2ac22749c86a7b54bbc101a924941d49abfa208f890b470ad6323d", "type": "eql", "version": 216 }, "2377946d-0f01-4957-8812-6878985f515d": { "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", "sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4", "type": "eql", "version": 2 }, "2388c687-cb2c-4b7b-be8f-6864a2385048": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 101, "rule_name": "Potential Kubectl Masquerading via Unexpected Process", "sha256": "5b3192389352616bc5f12a2b226e1c3c6eab2403648dc902fbaf3666238b8eac", "type": "eql", "version": 2 } }, "rule_name": "Potential Kubectl Masquerading via Unexpected Process", "sha256": "6e24466e654e56308b329e2e506d4a36f3cb93890c9cc863c6f54618cdb177da", "type": "eql", "version": 104 }, "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { "rule_name": "Unknown Execution of Binary with RWX Memory Region", "sha256": "082bad18b8416bb5ccd1d0cfce8b0e590878f8eda05813006131e35463194383", "type": "new_terms", "version": 8 }, "23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf": { "rule_name": "Potential SAP NetWeaver Exploitation", "sha256": "9592413691f94b0e392e5b6b6d96b45087aef7dcc204902cbee6f54c88ca0e31", "type": "eql", "version": 2 }, "23cd4ba2-344e-41bf-bcda-655bea43fdbc": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "bad7dfbcf30e7a80ff8bf2b11b59f66510afc25bcebc9113d7ba02700a792c86", "type": "eql", "version": 4 }, "23e5407a-b696-4433-9297-087645f2726c": { "rule_name": "Potential NTLM Relay Attack against a Computer Account", "sha256": "f0d7a8f00c28cdc603cdf2f3a222453dc87d3c585871a04289e06d7d65e12363", "type": "eql", "version": 2 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "rule_name": "Potential Okta Brute Force (Device Token Rotation)", "sha256": "1dca7f7a9f133b30aeaaf0bcefe7bfa30c7c6d26fa4a0ac58e4bf6ab5ca714f6", "type": "esql", "version": 212 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "rule_name": "New GitHub Owner Added", "sha256": "33174dde2dcb90f51dc8b556bf7b9e4042559084fa221d4dc8f0b0d6bda99a8d", "type": "eql", "version": 211 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "rule_name": "Lateral Movement via Startup Folder", "sha256": "b2b0a82c5bf29922f290efc7dac94e8b576668840052c3300bbdb37b55f1cf21", "type": "eql", "version": 314 }, "25368123-b7b8-4344-9fd4-df28051b4c6e": { "rule_name": "First Time Python Created a LaunchAgent or LaunchDaemon", "sha256": "fe6a9526f2f3cde09ceb6ad2abb75b5c041b596c4c3efb072057e5d8d206557b", "type": "new_terms", "version": 3 }, "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "rule_name": "Potential PowerShell HackTool Script by Author", "sha256": "c0142afe736323db7e77ec68ca8df2377a389d488407ec0a48f004f811012543", "type": "query", "version": 109 }, "2572f7e0-7647-4c68-a42b-d3b1973deaae": { "min_stack_version": "9.3", "rule_name": "Potential Kubeletctl Execution Detected via Defend for Containers", "sha256": "f2f4d0bdad8b894fb254412c4e67385b007af2d2a3c4fdd609962b64f4ddc830", "type": "eql", "version": 2 }, "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { "rule_name": "Potential Reverse Shell via Background Process", "sha256": "d6a2ecf476cd2454fdbff39ec56abf5546147359689e2d4c4d2b1b13eec7d813", "type": "eql", "version": 110 }, "25a4207c-5c05-4680-904c-6e3411b275fa": { "rule_name": "Multiple Elastic Defend Alerts from a Single Process Tree", "sha256": "7454d14373817e95309e9422997b9eb330ec75601215a6d4c0eb4b5c0d237ec6", "type": "esql", "version": 2 }, "25d917c4-aa3c-4111-974c-286c0312ff95": { "rule_name": "Network Activity Detected via Kworker", "sha256": "6f4eff66f0c65aba4c175641ec53bd362c571ddcc98a36f91f1357b1e7f21817", "type": "new_terms", "version": 10 }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", "sha256": "a4325d7530e0e1c4d8606448e0fda6086c035e0c00e8a6941f16716a7b0c4be9", "type": "query", "version": 7 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { "rule_name": "New Okta Authentication Behavior Detected", "sha256": "b4310f1d499651a51101aa441f2d2dbfa9526781e8c3572a6f390ee7b104c96e", "type": "query", "version": 211 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", "sha256": "847b0b60963ff676ec04a3851fcf67da0046389d6b3d572ab197169471c02e4c", "type": "eql", "version": 11 }, "263481c8-1e9b-492e-912d-d1760707f810": { "rule_name": "Potential Computer Account NTLM Relay Activity", "sha256": "c6466b3359e6b53e8f7baa6dc0c0a8268893292d2e8c70cf97aaf503f935e4f2", "type": "eql", "version": 110 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "rule_name": "Azure Blob Storage Container Access Level Modified", "sha256": "17ad4439d8cff6eb09caa234542cd8b06c1f9431660b61500250cfac88379a95", "type": "query", "version": 108 }, "264c641e-c202-11ef-993e-f661ea17fbce": { "rule_name": "AWS EC2 Deprecated AMI Discovery", "sha256": "8e6edb115aadbbe0288142ede56a886b171f90f427e56805c3b403b92787d9b0", "type": "query", "version": 8 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "da7097593202235ef983f56eee56fedd61251f27a847e34946215f5895b4d5be", "type": "eql", "version": 318 }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "rule_name": "Unusual High Denied Topic Blocks Detected", "sha256": "eb93685370370e45763a4c643fb482b438ac57fbe5bb1cae4f02da532dec3ddc", "type": "esql", "version": 5 }, "267dace3-a4de-4c94-a7b5-dd6c0f5482e5": { "rule_name": "Successful SSH Authentication from Unusual SSH Public Key", "sha256": "fa8068ba6208f9c013cda667f737b51fae6f5b52b978165e1b76c35f0acd0ee1", "type": "new_terms", "version": 6 }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "rule_name": "Potential Defense Evasion via Doas", "sha256": "8c951a0906470270b43bc3293a9d807368a4febdfe1c96dcf7585c87d42f40b0", "type": "eql", "version": 106 }, "26a989d2-010e-4dae-b46b-689d03cc22b3": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request Detected via Defend for Containers", "sha256": "83c6cdeb9a06541ccba897ff5fded24c63515255d7a617a83ba2b1150425e39a", "type": "eql", "version": 2 }, "26b01043-4f04-4d2f-882a-5a1d2e95751b": { "rule_name": "Privileges Elevation via Parent Process PID Spoofing", "sha256": "7851f2067a7914e98ceb33a4459b1b3eaae624ac3470df3cddde0f895f395d3d", "type": "eql", "version": 11 }, "26edba02-6979-4bce-920a-70b080a7be81": { "rule_name": "Entra ID High Risk User Sign-in Heuristic", "sha256": "f2967ce4210d92868dcbb7f81ec19ec93006bdf594453cbf93086d8fb02edd22", "type": "query", "version": 110 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "M365 Identity User Brute Force Attempted", "sha256": "ebb4f079a3090c488a142f1c993638ab122995c8ec1213052b508848e1fc433d", "type": "esql", "version": 418 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "e528a3c860f8f8de6eb7bceeebeefd1cf6ab283b09db3f9bc9ece6beb6fa532a", "type": "query", "version": 213 }, "2724808c-ba5d-48b2-86d2-0002103df753": { "rule_name": "Attempt to Clear Kernel Ring Buffer", "sha256": "cc0c2851cb9e2e1facc925729c2f7cca24af0ac04d12a8ebdbe16870cdb540a3", "type": "eql", "version": 110 }, "272a6484-2663-46db-a532-ef734bf9a796": { "rule_name": "M365 Exchange Mail Flow Transport Rule Modified", "sha256": "58f1574c18c76838ab7233c8367023b61bc2ee9fe19c6de7f38cfd9a9f760b08", "type": "query", "version": 213 }, "27569131-560e-441e-b556-0b9180af3332": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Privilege Type assigned to a User", "sha256": "6a4a1e539a2599e9b91ee64a6ae3f7c41201c686d380a2965e9e9117ab3860be", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Privilege Type assigned to a User", "sha256": "07ea6892290d7a3ab379ca9ae743312e7ac639accd3a42b44ef6d882debc7788", "type": "machine_learning", "version": 104 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "c46e02d9df71ee1e22ed5ac8f5ba1d5afab07283bd6ea70286a84474f4017c06", "type": "eql", "version": 215 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { "rule_name": "GCP Firewall Rule Modification", "sha256": "bb286cf8785e506f2b849cf456c03c150eef1646b3cba7375baf550e2adbbe61", "type": "query", "version": 109 }, "279e272a-91d9-4780-878c-bfcac76e6e31": { "min_stack_version": "9.3", "rule_name": "Suspicious Process Execution Detected via Defend for Containers", "sha256": "f59668d5789c20ac3063485cf2e2475dee1cca5257adcd26dd6792bd6a9611aa", "type": "eql", "version": 3 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { "rule_name": "Deprecated - M365 Teams External Access Enabled", "sha256": "bc0c0b0a6a0f4f1cdef846be5717cc774ae8cfcf0c777765f28656c16ed58484", "type": "query", "version": 214 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "rule_name": "Account Password Reset Remotely", "sha256": "7b6619e4799f5c51aac53ea894d15478f84f6ed434bf2f15f94fdf0570761aa1", "type": "eql", "version": 222 }, "283683eb-f2ce-40a5-be16-fa931cb5f504": { "rule_name": "Newly Observed Palo Alto Network Alert", "sha256": "6950c8ed18d7697993f1a1159f6bc0a7eb141aaff4f0243575894da36997a1b8", "type": "esql", "version": 3 }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", "sha256": "b8cf9700d169c0901439e2d0562728548640e7e876af9ac5968766217cb1f804", "type": "esql", "version": 6 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "27990b18c9a88be12901538e00f7518df2e6955d7e6825b3e6c043688e68414d", "type": "eql", "version": 216 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { "rule_name": "Exploit - Prevented - Elastic Endgame", "sha256": "710295c0aea28068ca3f8bab2bfe3bcca0afc8af88682411cbf523f6847963c1", "type": "query", "version": 106 }, "28738f9f-7427-4d23-bc69-756708b5f624": { "rule_name": "Suspicious File Changes Activity Detected", "sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67", "type": "eql", "version": 8 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", "sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79", "type": "eql", "version": 100 }, "288a198e-9b9b-11ef-a0a8-f661ea17fbcd": { "rule_name": "AWS STS Role Assumption by User", "sha256": "7dc5f160fa3c93691ca733218c01f5481e0fe164bd1f9b1f0beb35a7763ec43d", "type": "new_terms", "version": 9 }, "28bc620d-b2f7-4132-b372-f77953881d05": { "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", "sha256": "40709b37a372f451eb19142e62244babb6f19d932ff23febe70379c94e8fd0e6", "type": "eql", "version": 7 }, "28d39238-0c01-420a-b77a-24e5a7378663": { "rule_name": "Sudo Command Enumeration Detected", "sha256": "08cd9c8ade957eb4b22e7e97107ab12ebabd91467a861afb99e3b6a377becb68", "type": "eql", "version": 111 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "rule_name": "Privilege Escalation via SUID/SGID", "sha256": "46f7be3e59656893dfb3bcec2a1f30e7e118a703b4c52bfa1c61fee7207354ef", "type": "eql", "version": 112 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation", "sha256": "c58523c3504b477306897ad712fc266a3409aef8c601706b879c32f1efb654b3", "type": "eql", "version": 11 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "rule_name": "AWS EC2 Security Group Configuration Change", "sha256": "a2e0780759a02c4f019ded2450fbab0521f281a7495b1d6381ce9a065acc3db6", "type": "query", "version": 214 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "3333bf53f4e1d4f703ad2bfc61439dbf9db3d734bd3557e083a8d6496bbde552", "type": "eql", "version": 322 }, "2917d495-59bd-4250-b395-c29409b76086": { "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "83deebbdaf1d541ffa89b232ca76266b2cca871eb9b318fcc95ed6841e4c8d1b", "type": "new_terms", "version": 423 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "4cacb8f8a73738c053cb1f103e94a0cc342a31b5e595c2d0c90538fa08e8238b", "type": "new_terms", "version": 421 }, "29531d20-0e80-41d4-9ec6-d6b58e4a475c": { "rule_name": "Alerts in Different ATT&CK Tactics by Host", "sha256": "c5405c7e3f88cfc2000c94b4c7b8d38c9d2a26b546e452f9ed097e0da1aaa240", "type": "esql", "version": 5 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "bb3f43e51cf57903cac31eea9b1da4e3c0c5398f11a673b5e3fd5770b25477f4", "type": "query", "version": 210 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", "sha256": "d91da4e45de36496cea35cbe616336e3d2d5f81928397cd7a1301eb440e154ce", "type": "new_terms", "version": 3 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { "rule_name": "Linux SSH X11 Forwarding", "sha256": "e4c869cb3edc72947fd52af59a07d158d9df906cfd5b80d6dcca840734074fe7", "type": "eql", "version": 109 }, "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": { "rule_name": "Microsoft Graph Request User Impersonation by Unusual Client", "sha256": "c79bf8bb0d94aaff02709efc88bdd456c06752b9e7d41a5a34bd1eeb99eed3f1", "type": "new_terms", "version": 8 }, "2a692072-d78d-42f3-a48a-775677d79c4e": { "rule_name": "Potential Code Execution via Postgresql", "sha256": "bb5d868d2632e7b5a662737cfdddf49f0aa78a0d0dda0cad6b4104330cad37ec", "type": "eql", "version": 13 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "rule_name": "Kubernetes Pod Created with a Sensitive hostPath Volume", "sha256": "dffee6f1f33580e6cf14dd782f8158c3b7c55b5f30b1db84f04f44d575386b26", "type": "query", "version": 210 }, "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { "rule_name": "ESXI Discovery via Grep", "sha256": "37999a3afa79aa321127ff14e5839d96e719daa04d68b38cc7f79924c59a8982", "type": "eql", "version": 113 }, "2b9a3b7a-0891-4a89-abbe-dca753c403cd": { "rule_name": "Multi-Cloud CLI Token and Credential Access Commands", "sha256": "61952dce699974e95e7f7709554d81d3e2ab7e7bee7a9126f8a648e53b3da84f", "type": "esql", "version": 1 }, "2bca4fcd-5228-4472-9071-148903a31057": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Host Name for Windows Privileged Operations Detected", "sha256": "7fd9eda6eca11a59a902ae98e5e67013d23113287786c76e64be97d2beaa5b20", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Host Name for Windows Privileged Operations Detected", "sha256": "b87efefef846486cad6bc17aa7c220a3833b848d4ca87f09c1f5defda9cb428d", "type": "machine_learning", "version": 104 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "rule_name": "Deprecated - Adobe Hijack Persistence", "sha256": "d554c3a9b2cbb27ce03d73fe4c984d648404006ad784e24039acee69e3f2b78f", "type": "eql", "version": 421 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "a0709d688ae05f8fc435bd8ca93dda11365bc4a4a944b23ff637780dac62b701", "type": "eql", "version": 319 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "8d94d7fb85ae6118469b64123048223e518e64558377b9e2e140fdf98ece2a16", "type": "eql", "version": 218 }, "2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": { "rule_name": "Newly Observed FortiGate Alert", "sha256": "a03c57f295928b0d76701bfde0f0f24c71f4f0468545519ef16b580061b27cff", "type": "esql", "version": 3 }, "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "rule_name": "Potential Foxmail Exploitation", "sha256": "1e6f9b0c45ad9cd728e02a922586c3466a5968c751c337ffefe09be52489aeeb", "type": "eql", "version": 208 }, "2c74e26b-dfe3-4644-b62b-d0482f124210": { "rule_name": "Delegated Managed Service Account Modification by an Unusual User", "sha256": "4cb49f08cf5c89365a0f424c80e59095940ef6ec6a67224688a28f1c883212b3", "type": "new_terms", "version": 3 }, "2d05fefd-40ba-43ae-af0c-3c25e86b54f1": { "rule_name": "BPF Program or Map Load via bpftool", "sha256": "b89854776ad866f757ee1469315dad87cb628a427e71fe40f741a0aaf4c53d5e", "type": "eql", "version": 2 }, "2d3c27d5-d133-4152-8102-8d051619ec4a": { "rule_name": "Potential Okta Password Spray (Multi-Source)", "sha256": "0b3754763f9388a104514203cdb27b710d8d0b5bd654671deb494bdd5568496a", "type": "esql", "version": 3 }, "2d58f67c-156e-480a-a6eb-a698fd8197ff": { "rule_name": "Potential Kerberos Relay Attack against a Computer Account", "sha256": "9535ca2df0f4875a40fddd9343363a41368fc737d08a1ae532dccc3fbb98f4ff", "type": "eql", "version": 3 }, "2d62889e-e758-4c5e-b57e-c735914ee32a": { "rule_name": "Command and Scripting Interpreter via Windows Scripts", "sha256": "4e77deaa22c866faec27c5fd6a98680db898f41a0261f412455fa88396d28afa", "type": "eql", "version": 210 }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 105, "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected", "sha256": "18afa7b414ac8a132c2035e7223b544aa80b53a5f72a0209b98f390f3de16805", "type": "esql", "version": 8 }, "9.0": { "max_allowable_version": 205, "rule_name": "Microsoft Entra ID Excessive Account Lockouts Detected", "sha256": "aaad9534812f266fd81a731fb54499b095a087e856fc3d3ace34585f13135842", "type": "threshold", "version": 106 }, "9.1": { "max_allowable_version": 305, "rule_name": "Entra ID Excessive Account Lockouts Detected", "sha256": "e22015b3cd61c71a94b4ee9413e7fd3b109b10fae88dcaf1da276ffa0b846144", "type": "threshold", "version": 206 } }, "rule_name": "Entra ID Excessive Account Lockouts Detected", "sha256": "f5a1ec4caef511f8190ed9a710be895fecebe6b72f29b03da749e5e4dea0b10b", "type": "threshold", "version": 306 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Unusual Kernel Module Enumeration", "sha256": "08ee164b5d1ce75b39808742849277e8261cb5961e4beed4e5b5884da7e12ccd", "type": "new_terms", "version": 215 }, "2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": { "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected", "sha256": "2038641850ec7f59a724389fa9c574dc5e7afde97a91a20ad4e700087c05d191", "type": "esql", "version": 3 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "58b8a1746c1b88f41ce38c583a0eb3520a1689f8a019913516571f21b3c095fa", "type": "eql", "version": 316 }, "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { "rule_name": "Potential THC Tool Downloaded", "sha256": "2fdf4a036c7f0d6c3aa8e7d60e6415e5dce3b059e32369e04f6f992f75d652cf", "type": "eql", "version": 109 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { "rule_name": "M365 Identity Unusual SSO Authentication Errors for User", "sha256": "dfbe6f2be34fc93b6ac0c780444a2c505c8154462a23a5c434332da089103385", "type": "new_terms", "version": 215 }, "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "rule_name": "Wireless Credential Dumping using Netsh Command", "sha256": "0e40b02258f08b8dd3d44d58c4d7ea172b3879f29c4811844a892121c0fed325", "type": "eql", "version": 217 }, "2e0051cb-51f8-492f-9d90-174e16b5e96b": { "rule_name": "Potential File Transfer via Curl for Windows", "sha256": "4d04954b58f65d7b8123c4875c6283eb3f8855e6fdbb706299800c4893aede50", "type": "eql", "version": 8 }, "2e08f34c-691c-497e-87de-5d794a1b2a53": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 101, "rule_name": "Unusual GCP Event for a User", "sha256": "f2c101f62195e21efa9dd47975b9bb08fe09f90a69be64d4d45a731682b74628", "type": "machine_learning", "version": 2 } }, "rule_name": "Unusual GCP Event for a User", "sha256": "dc4770ad5a8fc4f77f6dc6d6459c0bc5cd738459a7a2d9d13172cce489ef203b", "type": "machine_learning", "version": 102 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "rule_name": "Renamed Automation Script Interpreter", "sha256": "3412a61dea3f79000826b1ee35082aa9044c9d26e298c59e772d420c3d4fa016", "type": "eql", "version": 219 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { "rule_name": "Potential Process Injection via PowerShell", "sha256": "1f1201ba99d2842ffbcad3d15b1dcb747040fe2b58cd03c3b0438ef39413824f", "type": "query", "version": 219 }, "2e311539-cd88-4a85-a301-04f38795007c": { "rule_name": "Accessing Outlook Data Files", "sha256": "049befdbf6cac7da7b115ab1a497a5d04ad6940c94e04cc89ac097e309c67f89", "type": "eql", "version": 109 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "rule_name": "Okta User Sessions Started from Different Geolocations", "sha256": "4abe9b19327d050b9a6b99c9ba1b465c25650d2afc82f39672d95f6cf38625d6", "type": "esql", "version": 311 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", "sha256": "7619ad084d53e74be8904ed88f92cefa4efb0957e3a99624a5146a7d5e735580", "type": "query", "version": 107 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "rule_name": "Creation of a Hidden Local User Account", "sha256": "73af61a045f616fc8d49c6765d5eed3fa39a1a7197390d2e632a01efb216cac7", "type": "eql", "version": 316 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { "rule_name": "GCP Kubernetes Rolebindings Created or Patched", "sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830", "type": "query", "version": 101 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "99ac9ef863cee31dd240561777099c022934a3cf76997d70d1b0f0b1414e32e2", "type": "query", "version": 217 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { "rule_name": "Attempt to Disable Syslog Service", "sha256": "83c3b8bb65af1b682a4e4e22bda3b0c8c4a7a01490b7e1a9add4b5b211590631", "type": "eql", "version": 217 }, "2f95540c-923e-4f57-9dae-de30169c68b9": { "rule_name": "Suspicious /proc/maps Discovery", "sha256": "f6b06ba2f41bccdff7861549bc087a2e1fae2ef2c4959ad2911665a2c04a9887", "type": "eql", "version": 8 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { "rule_name": "Startup Folder Persistence via Unsigned Process", "sha256": "b9b13ab82fce4582270516eb4103335c297e09ba1fb18b9305104084893f8432", "type": "eql", "version": 113 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "20024501f2158ecc1863a29ac71a7d5452d113ceaf3da322ec0b480574f1f462", "type": "eql", "version": 219 }, "301571f3-b316-4969-8dd0-7917410030d3": { "rule_name": "Malicious Remote File Creation", "sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0", "type": "eql", "version": 1 }, "30562697-9859-4ae0-a8c5-dab45d664170": { "rule_name": "GCP Firewall Rule Creation", "sha256": "b7443e73c34b63ea64aef8d2a73cdda1561793b4fc5ae82d1e23eddb58d45ed8", "type": "query", "version": 109 }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", "sha256": "45bc415cfbe47728cd85f5beb1db8210f3b2d2d740e54e02b7f5fc7ef97b9cad", "type": "eql", "version": 8 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "rule_name": "ESXI Timestomping using Touch Command", "sha256": "0803b6abb72d53ff4e03e0a82bb6729e4adceebe4e21f5846840b73ad1105a91", "type": "eql", "version": 112 }, "30d94e59-e5c7-4828-bc4f-f5809ad1ffe1": { "rule_name": "Suspicious File Made Executable via Chmod Inside A Container", "sha256": "9fc179c299f0a00f746636e748563c34ee24c5ec85c28140a77bf0831f50e7b9", "type": "eql", "version": 4 }, "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { "rule_name": "Deprecated - Network Connection via Sudo Binary", "sha256": "0ccc424fd1a44356e97f8bb93e682d73a8d500ff088b5a4122bc69de9ccbbe9a", "type": "eql", "version": 8 }, "30f9d940-7d55-4fff-a8b9-4715d20eb204": { "rule_name": "Windows Script Execution from Archive", "sha256": "67a5e91404e6ae67e3f18a6dcfdac04ab77bc9dc55998558cbd6060067d8b9ab", "type": "eql", "version": 4 }, "30fbf4db-c502-4e68-a239-2e99af0f70da": { "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", "sha256": "9096aa293720333cac0af019ee0209adf832956537108d1a8d905ba213834be7", "type": "new_terms", "version": 9 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID", "sha256": "6b100f429a57364a288437713e9bea4c94889faec043b71341c4c389c7dbb3ac", "type": "query", "version": 106 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", "sha256": "1aeda613e850b7c88717372baca0f5d05f2847c871014efca3813d4fe1a5f47f", "type": "query", "version": 107 }, "314557e1-a642-4dbc-af43-321bc04b6618": { "rule_name": "M365 Security Compliance Admin Signal", "sha256": "90ffab6d1e834727e5298c1c2a328ad9bf215065fe05525952503f932988d826", "type": "query", "version": 2 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", "sha256": "6bf5894df0dfec715bb0d2d840a008738c24d0e87bf6b877bbbb0407365e7668", "type": "eql", "version": 322 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", "sha256": "4ad2ee73bd7cdbe3735b30d3a6b59541b724d90a3fd64c19100f94bb7f778ed6", "type": "query", "version": 109 }, "32144184-7bfa-4541-9c3f-b65f16d24df9": { "rule_name": "Potential Web Shell ASPX File Creation", "sha256": "620c207c86f94a7f5fa5ac75c072ca7504ecdc374a9a45ffaa54cfafe6ac449a", "type": "eql", "version": 4 }, "3216949c-9300-4c53-b57a-221e364c6457": { "rule_name": "Unusual High Word Policy Blocks Detected", "sha256": "07e7e04210b862e96b27eee443227c6a1fbed5882d062ae1d78886a0a1d0da3e", "type": "esql", "version": 5 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", "sha256": "230128099a762e79453143aa42805708865110bb5debd68d2c3c1aa35a550290", "type": "eql", "version": 9 }, "323cb487-279d-4218-bcbd-a568efe930c6": { "rule_name": "Azure VNet Network Watcher Deleted", "sha256": "a11689594efe1a3ce6bc4114c4104ae80acfd08c3f4d742549b9ff40fc94afb5", "type": "query", "version": 109 }, "3278313c-d6cd-4d49-aa24-644e1da6623c": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 104, "rule_name": "Spike in Group Application Assignment Change Events", "sha256": "08b6d34feb24bfb3ef7b5cd94e07f722386374274b2d87f3277e125ddef5ec78", "type": "machine_learning", "version": 5 } }, "rule_name": "Spike in Group Application Assignment Change Events", "sha256": "881770a8cf25c413c1ddb170eab543e5879b4573f6dd9fd8a4f758493bbba738", "type": "machine_learning", "version": 105 }, "32923416-763a-4531-bb35-f33b9232ecdb": { "rule_name": "RPC (Remote Procedure Call) to the Internet", "sha256": "2d2ccd5ca54ed008472b8563442cef7bcbcfcca9773cf6cde8664d01bbf84c78", "type": "query", "version": 110 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", "sha256": "62c090223fc384970eab9eccabb23b4fe6793807b12491b26d209885275a6838", "type": "eql", "version": 321 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Atypical Travel Location", "sha256": "7d14aa41f43ff8c51804c5c8a5cd1605804b771df672a36172980974cf2f77a4", "type": "new_terms", "version": 10 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", "sha256": "2b1d36af98d52e7c651c30532ec344b2145caeebab5862029eebf1639017c1e6", "type": "eql", "version": 422 }, "32f95776-6498-4f3c-a90c-d4f6083e3901": { "min_stack_version": "9.2", "previous": { "9.1": { "max_allowable_version": 102, "rule_name": "Potential Masquerading as Svchost", "sha256": "4f6ac75ddc2b31218e382f6dbfe04ffc27077d66ebf97c24740e7c9d12cb028d", "type": "esql", "version": 3 } }, "rule_name": "Potential Masquerading as Svchost", "sha256": "0ae3b4874845b5b362efeaabd67d839e505a3c44968966093c21c4555b3d02d5", "type": "esql", "version": 104 }, "3302835b-0049-4004-a325-660b1fba1f67": { "rule_name": "Directory Creation in /bin directory", "sha256": "ced597d9501b078532ec2d68b3248faa95d307cc6fe32bbf812094b1072877b2", "type": "eql", "version": 107 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", "sha256": "8740915ad9d3542a4b6dad50ca626d2efd14c8e2fa9e2dde5944d3f5fa80fa3e", "type": "query", "version": 215 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { "rule_name": "ESXI Discovery via Find", "sha256": "a71d83b3ee92c09090ce8fd23ebd63f59231a2edccb9bd6886660caebecd03aa", "type": "eql", "version": 113 }, "33c27b4e-8ec6-406f-b8e5-345dc024aa97": { "rule_name": "Kubernetes Events Deleted", "sha256": "18095b5a2473c932c2b35399552cbb87b2b648148c1ffed71425d9c909e8016d", "type": "eql", "version": 3 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { "rule_name": "Remote File Download via PowerShell", "sha256": "ba3fdfb67c7a505e71feb3c1bb53052fa31ed7aeb2b5b9c5f1951cec0c9d3f92", "type": "eql", "version": 116 }, "33ff31e9-3872-4944-8394-81dae76c12d9": { "min_stack_version": "9.3", "rule_name": "Potential Cluster Enumeration via jq Detected via Defend for Containers", "sha256": "01dc99277408753626228faea19f9692f74986b27893fa10d56ec72f7f599cba", "type": "eql", "version": 1 }, "341c6e18-9ef1-437e-bf18-b513f3ae2130": { "rule_name": "Potential Privilege Escalation via SUID/SGID Proxy Execution", "sha256": "8d52f8c87d55bec0b5f01ab261889d2ac07ff3c6a7eb1cbed03398fb111be726", "type": "eql", "version": 3 }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 102, "rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container", "sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6", "type": "eql", "version": 3 } }, "rule_name": "Dynamic Linker Modification Detected via Defend for Containers", "sha256": "42eccedf47d0083269869acb142a647cebd64cd97a02f2693448c5df83b68fc3", "type": "eql", "version": 104 }, "344e6c7d-ceb0-4f20-ba04-7c75569a7e38": { "min_stack_version": "9.3", "rule_name": "Elastic Defend Alert from Package Manager Install Ancestry", "sha256": "82907c28a7b19202ba4090391333c6d139af03fbe541d603fd674434a6748c6a", "type": "esql", "version": 2 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { "rule_name": "GitHub Repository Deleted", "sha256": "9dbead37db4773f09b4ed758283f61fe7e4562772482b18e75416654a8fe2c4c", "type": "eql", "version": 207 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", "sha256": "8ab449b25259296b7454c26d1a88b78d5c22b67f6c82f767508ffb494c3f8b15", "type": "new_terms", "version": 7 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", "sha256": "98c05891ac1d062019fd7be22d345704b8cce6b75f1ae4ec8d9787e51f40a22b", "type": "query", "version": 113 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "rule_name": "Execution via Electron Child Process Node.js Module", "sha256": "a1843f580774fd27510d03b658a031fe4440da62ef0c574ddbe795d7f77b20e2", "type": "eql", "version": 111 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "rule_name": "Port Forwarding Rule Addition", "sha256": "3ced595dce2cd24c4727be69b9fa601479fd2f2f80457f720c694e678a28b875", "type": "eql", "version": 419 }, "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 107, "rule_name": "Spike in Bytes Sent to an External Device", "sha256": "2849aafc536aac7e9741f20e297b001e5b980e2a6a4c77bb1ca6c76b0719472c", "type": "machine_learning", "version": 8 } }, "rule_name": "Spike in Bytes Sent to an External Device", "sha256": "bff333b259468a39c107b211f1ba6331060aa97c23f5486f3654fce8a3dd4361", "type": "machine_learning", "version": 108 }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { "rule_name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)", "sha256": "07c165d99fb8e82989dfd95f7c238c2624bf70169acdf0a73405eb1cb4353b39", "type": "esql", "version": 111 }, "35c029c3-090e-4a25-b613-0b8099970fc1": { "rule_name": "File System Debugger Launched Inside a Container", "sha256": "898841494b2ae4193ff42978ce0f1807a55816bb416aadf5c4e073b0fc9b51bc", "type": "eql", "version": 3 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { "rule_name": "Unusual Parent-Child Relationship", "sha256": "e3d3be616bcb1a086a207ba505b838f699ef299089fdeaab832fca7e48b4df09", "type": "eql", "version": 322 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", "sha256": "7f796d399910edf9f262f06a682761ddce112875ea599e8027c80503e3a0f50d", "type": "machine_learning", "version": 109 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", "sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3", "type": "eql", "version": 100 }, "36188365-f88f-4f70-8c1d-0b9554186b9c": { "rule_name": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs", "sha256": "57d3c6aff18828252ee65176a27549f6eee324fd1ce7552e0823c3f487c57852", "type": "esql", "version": 9 }, "36755b43-a1f9-4f2c-9b61-6b240dd0e164": { "rule_name": "Executable File Download via Wget", "sha256": "71221bb9da8496eb982f703abdfa41780325a6d81b484361e1c41ae00352f8bf", "type": "eql", "version": 1 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", "sha256": "976ac418b90849b5394d30625f9e55b98b84485146dec6f035af51f5458f7378", "type": "eql", "version": 115 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "rule_name": "Suspicious ImagePath Service Creation", "sha256": "ec3c0ff47791363712d7c0adefdd532d6e0641f4f5981d2cb44732d9deaa5e8d", "type": "eql", "version": 314 }, "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "High Mean of Process Arguments in an RDP Session", "sha256": "43a13415ff8ef4d8e01e998e3ea19435f75aeaefaf99754435b96099dd0c2468", "type": "machine_learning", "version": 9 } }, "rule_name": "High Mean of Process Arguments in an RDP Session", "sha256": "1345a788253e2c63d8198472d6d8d2321ce9775b581b4897330441bc864b31eb", "type": "machine_learning", "version": 109 }, "37148ae6-c6ec-4fe4-88b1-02f40aed93a9": { "rule_name": "Command Obfuscation via Unicode Modifier Letters", "sha256": "45fa53855ae8537315bde347efa3cf473c4337ad0ebf67a01599501247d6c287", "type": "eql", "version": 3 }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "rule_name": "Potential Suspicious File Edit", "sha256": "bc478d05a000303ff85de650bc9b7604b2b57a7444f80337b05fca226b44d9a1", "type": "eql", "version": 110 }, "375132c6-25d5-11f0-8745-f661ea17fbcd": { "rule_name": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)", "sha256": "771ca76a55853827aa9d3ea8bd44a66201d54913b3bc91e9e331a2dbdf94e5e7", "type": "esql", "version": 9 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "Deprecated - AWS RDS Security Group Creation", "sha256": "c9f89048a7e0698840505d8e2efd51acbecd8bb0b26cd134a6653247dba5faa1", "type": "query", "version": 210 }, "37994bca-0611-4500-ab67-5588afe73b77": { "rule_name": "Entra ID High Risk Sign-in", "sha256": "dd4b0b5074d56377ff3963b0e687dbe6e92954a3604dd00a66f4749fcff3c16b", "type": "query", "version": 111 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { "rule_name": "Anomalous Kernel Module Activity", "sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12", "type": "machine_learning", "version": 100 }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "rule_name": "AWS SSM `SendCommand` Execution by Rare User", "sha256": "b88228a38401d3cfaf88a020153942655bee03db41be8d1b12f2d0468b9a694a", "type": "new_terms", "version": 216 }, "37cb6756-8892-4af3-a6bd-ddc56db0069d": { "rule_name": "Disabling Lsa Protection via Registry Modification", "sha256": "c647076f76477dd2aa512614840acda934b1f94328c2a08ba9db4111d921b1c2", "type": "eql", "version": 7 }, "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Spike in User Account Management Events", "sha256": "903df4e7a7b2f1df89ca4373c8cb64f4d3823204bf9d85dbdde3b79ab34a955f", "type": "machine_learning", "version": 4 } }, "rule_name": "Spike in User Account Management Events", "sha256": "8f1c726255a1e3944db11d55a3907a360b2e08797aa0a0789c2980987625af7f", "type": "machine_learning", "version": 104 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "b96238524f55ee991b4d048d01069616a1e1cd0bf41dd07a5f82e5c52387cb95", "type": "eql", "version": 211 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "rule_name": "Attempted Bypass of Okta MFA", "sha256": "d497cf9ebba367ccc27ffa60c83adad1b1c4ca123ed732867ca75c61a9e34383", "type": "query", "version": 415 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "rule_name": "Network Connection via Certutil", "sha256": "5e7901e98b0caf7d6571576af6676f95d6a1f8af52f4b9f99a6b7ffe6c6ea881", "type": "eql", "version": 219 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { "rule_name": "Prompt for Credentials with Osascript", "sha256": "82a7a287cd5ac7dcb591e035ffdecd15f555737bed999611a2fc015ac0aeeb4e", "type": "eql", "version": 215 }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { "rule_name": "M365 Identity Login from Impossible Travel Location", "sha256": "f77d1c2a0262340c0ead77d4fb93456b8c670c291ca6d8a2dd95dbdcd6c73fac", "type": "threshold", "version": 9 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "Entra ID User Added as Service Principal Owner", "sha256": "8391a444b3933bf47281a3af89558637258d16499151f4d19fb9bd5010de3f72", "type": "query", "version": 109 }, "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { "rule_name": "External User Added to Google Workspace Group", "sha256": "1d4f576cece46f98cac0186d4b7686f927c4329e6bf393a9cbd159dbfb4770d9", "type": "eql", "version": 7 }, "39029450-8e2d-4034-81b0-15af8e4e3a4e": { "min_stack_version": "9.3", "rule_name": "Nsenter Execution with Target Flag Inside Container", "sha256": "012976abca9dfba1327ea6926edf0cf40d0126e26937b9ba13570d2367d1af56", "type": "eql", "version": 1 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "rule_name": "AWS EC2 Network Access Control List Creation", "sha256": "fd463b53155f11c4465a2ebddd880793fb50c8d7cbb164ae7e172dae791842f3", "type": "query", "version": 213 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { "rule_name": "Downloaded Shortcut Files", "sha256": "0cd2d8329df50935d117f1e8f8cbd8a6b749d5098aea10fb2ce8095fd4b8e0ce", "type": "eql", "version": 7 }, "393ef120-63d1-11ef-8e38-f661ea17fbce": { "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls", "sha256": "ea50abca6b44953d8810e58b35a4ab0f2e456efc1ccb2adb65d1840d162060f7", "type": "esql", "version": 8 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "d1265b8223c6c20063ff460b62984e6ca6f864de6a66513d32508de2ade0d0bb", "type": "eql", "version": 314 }, "39c06367-b700-4380-848a-cab06e7afede": { "rule_name": "Systemd Generator Created", "sha256": "ba955d67667f012e2b16b7f60f9d67344026b1c6964d11f2dd1da09cd04fa97e", "type": "eql", "version": 8 }, "3a01e5c6-ce01-46d7-ac9f-52dc349695fb": { "rule_name": "Kubernetes Anonymous User Create/Update/Patch Pods Request", "sha256": "7f2bf812108252f0c2cec448e9f10dfff725021983a612df901b4dd4d36b49c7", "type": "eql", "version": 3 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "046338d3b95b4b4a22498cb8fdd538e20619623197e2a583d8477e82f2f07c9c", "type": "eql", "version": 316 }, "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { "rule_name": "Suspicious Module Loaded by LSASS", "sha256": "5131b9101ab93a6759d129fbfc00a0aee661266e47e4be8ba38766b1a8d3f4af", "type": "eql", "version": 14 }, "3a657da0-1df2-11ef-a327-f661ea17fbcc": { "rule_name": "Rapid7 Threat Command CVEs Correlation", "sha256": "578f758b47b1aead0b38e093c09d6cf0b68b2f4f3b8412cb9e7a7aec89f7c7c9", "type": "threat_match", "version": 107 }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941", "type": "query", "version": 100 }, "3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": { "rule_name": "WDAC Policy File by an Unusual Process", "sha256": "bd13988291b5cb72058e02ddbb6ad4616961a1b28e358601ef15c1d62837d8e6", "type": "eql", "version": 7 }, "3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c": { "rule_name": "External IP Address Discovery via Curl", "sha256": "8b76cd9c1817c00cade7709946be584ee7ae14b634434ca378634e3d717e5172", "type": "eql", "version": 1 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "rule_name": "VNC (Virtual Network Computing) to the Internet", "sha256": "6c9b9155e809656088fdd932c9134a2986d4809c75cadec68224554ef6c76397", "type": "query", "version": 111 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "rule_name": "Azure VNet Full Network Packet Capture Enabled", "sha256": "e200432935afd9d703887c7f3ef678e67887553e91570a46e0f59f266667eb62", "type": "query", "version": 110 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "9b60a36c69eb59819eabf8baff81ce0f4d7f7c8663d59efc062d57990122d231", "type": "new_terms", "version": 207 }, "3aff6ab1-18bd-427e-9d4c-c5732110c261": { "rule_name": "Suspicious Kernel Feature Activity", "sha256": "e15b8360b5fa96f7f261912197ae09404a3268f8229561e6bcc3f39b7d56448b", "type": "eql", "version": 5 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", "sha256": "e1d1e24c41ffc15f2af27ca5bffcae7132edad1fef3f0ae1b8f21d8428eedda5", "type": "query", "version": 105 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "ad8c4fc9a44c93f4c1ca79d8954e509b790c3bd3199a8ea3bcdc21e55aee6a8d", "type": "eql", "version": 418 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "rule_name": "NTDS or SAM Database File Copied", "sha256": "9354b45311be9fe16a9acb746a33c1bd4a40f927d7efdef1f097f9708c29702d", "type": "eql", "version": 321 }, "3c216ace-2633-4911-9aac-b61d4dc320e8": { "rule_name": "SSH Authorized Keys File Deletion", "sha256": "8ccc9ffefdcb3516217cb8bcec790571ad1559f608b2eb380758df09de98a993", "type": "eql", "version": 6 }, "3c3f65b8-e8b4-11ef-9511-f661ea17fbce": { "rule_name": "AWS SNS Topic Created by Rare User", "sha256": "3216757a897e26e81d8b37469ca11d9cd83cf3bde8bc78df45c871a1e4051459", "type": "new_terms", "version": 6 }, "3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7": { "rule_name": "AWS GuardDuty Member Account Manipulation", "sha256": "a40514c715a70b1163a1e1f528f68857ffc2122ec3f68c23b33c12e87aee77c9", "type": "query", "version": 2 }, "3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 101, "rule_name": "Potential Impersonation Attempt via Kubectl", "sha256": "dc9f92addd41a67185697f22d88c67575a47eac0b95a555df193cccb4ce93367", "type": "eql", "version": 2 } }, "rule_name": "Potential Impersonation Attempt via Kubectl", "sha256": "6f05c685fff2f027e142e25e5d1e4228ecf4ff2b4714298055101681504880f5", "type": "eql", "version": 104 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 208, "rule_name": "Unusual Linux Network Port Activity", "sha256": "49f89efa536ef4c93f890a07191660e00b3ad881b52b10096aa23ba941d850e7", "type": "machine_learning", "version": 109 } }, "rule_name": "Unusual Linux Network Port Activity", "sha256": "21ab8bdde2ddb498cb6c6edcdfd953b4b9690ca4b6075b3281943bbb160799e3", "type": "machine_learning", "version": 209 }, "3c82bf84-5941-495b-ac41-0302f28e1a90": { "rule_name": "Kubernetes Sensitive RBAC Change Followed by Workload Modification", "sha256": "f137913826f4dfb346b155061fef745d733d9ac84ad693ed6646cd5fa68123b8", "type": "eql", "version": 3 }, "3c9f7901-01d8-465d-8dc0-5d46671035fa": { "rule_name": "Kernel Seeking Activity", "sha256": "b6ed31a8880a5bf50d74e9dcc03e8b2cb2a5102bcb585e66bfe54222fb8eb4d7", "type": "eql", "version": 7 }, "3ca81a95-d5af-4b77-b0ad-b02bc746f640": { "rule_name": "Unusual Pkexec Execution", "sha256": "fe48ab4d99dcee0d5c5d78d13fd52a051728cc3f40f8e2da36a99717430d3944", "type": "new_terms", "version": 107 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "rule_name": "ScreenConnect Server Spawning Suspicious Processes", "sha256": "31c5efd3e2588f4bbb9204805340a6f348a20c46d009ce4e27c99b2576368bbb", "type": "eql", "version": 210 }, "3d3aa8f9-12af-441f-9344-9f31053e316d": { "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "c659f3531861796f257f84b285c8bc268159860e17ada2092b5ddb0004cc8f68", "type": "query", "version": 211 }, "3db029b3-fbb7-4697-ad07-33cbfd5bd080": { "rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins", "sha256": "00f3734aeadad18ecaa1bb530c67b46dd2d9a77276365492a19c14fc174dea3a", "type": "esql", "version": 6 }, "3dc4e312-346b-4a10-b05f-450e1eeab91c": { "min_stack_version": "9.3", "rule_name": "LLM-Based Compromised User Triage by User", "sha256": "08654fdc3bd24c49261ae772ea553f821ca9fe8bd83696f6e95b510b590b2b61", "type": "esql", "version": 6 }, "3df49ff6-985d-11ef-88a1-f661ea17fbcd": { "rule_name": "AWS SNS Rare Protocol Subscription by User", "sha256": "32680ca1127f1b7e76119a007029e178da00282028a5aa539ca6d3520f448c0f", "type": "new_terms", "version": 10 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "rule_name": "AWS CloudTrail Log Updated", "sha256": "781c416727462ac0e014347828b7c261ba04967713972c298db7516882f130ba", "type": "query", "version": 215 }, "3e0561b5-3fac-4461-84cc-19163b9aaa61": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "Spike in Number of Connections Made from a Source IP", "sha256": "e4d464262beeebfad9dbb0a00d42af6ae0790919218e2677dd0e4f96f907e872", "type": "machine_learning", "version": 9 } }, "rule_name": "Spike in Number of Connections Made from a Source IP", "sha256": "81349653c7bef22cf29580e3ace788925cb5a9d8b543e05fb97f9a36da0e0796", "type": "machine_learning", "version": 109 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "rule_name": "Suspicious Execution via Windows Subsystem for Linux", "sha256": "d63e463099820ef415fca37e369392f17e227ba4229ff8aa8e48ff9dac348e8b", "type": "eql", "version": 213 }, "3e12a439-d002-4944-bc42-171c0dcb9b96": { "rule_name": "Kernel Driver Load", "sha256": "0a649a755936c4b5da4883d2cb39416fee6ed20ff38954671bfa71ebcf3d8581", "type": "eql", "version": 8 }, "3e3d15c6-1509-479a-b125-21718372157e": { "rule_name": "Suspicious Emond Child Process", "sha256": "c586b75e397cda63031abb53a78c714e80a8a1dfb2d133d0e35827dcba2a6902", "type": "eql", "version": 113 }, "3e441bdb-596c-44fd-8628-2cfdf4516ada": { "rule_name": "Potential Remote File Execution via MSIEXEC", "sha256": "5dc58754cc4f82d45abfe4dc812f1a4e4823e795adf94e534fd630f2b61d6105", "type": "eql", "version": 8 }, "3e528511-7316-4a6e-83da-61b5f1c07fd4": { "rule_name": "Remote File Creation in World Writeable Directory", "sha256": "fc8e3c202ef830d2941a6ad711b2144582b8312d846d1a75ced12e2f63f22a80", "type": "new_terms", "version": 7 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "5e02c2bd1ee78f88b93c1695389467410310dd135d79cefc434fec6d0bb3b114", "type": "eql", "version": 318 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "rule_name": "Suspicious Process Creation CallTrace", "sha256": "eac8a62ca1cd0d0965dc5352545dc9eb7341fceab8cbfa3a9d801b1534511f08", "type": "eql", "version": 312 }, "3ee526ce-1f26-45dd-9358-c23100d1121f": { "rule_name": "Linux Audio Recording Activity Detected", "sha256": "25b189c8cc3cec6eaf6f44babd229e8590b233434678bbfcdacb28cdd93364f5", "type": "new_terms", "version": 2 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts", "sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f", "type": "threshold", "version": 208 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { "rule_name": "CyberArk Privileged Access Security Error", "sha256": "149a70bdcd76cf9bf067b2539841f715ee8df3aa2773e8f4505c24ecda648101", "type": "query", "version": 106 }, "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { "rule_name": "Potential Protocol Tunneling via Chisel Client", "sha256": "94be773db4ae46451aaa962d086a75466bbd8d1a8f6afdd666d19cf0b51bdcde", "type": "eql", "version": 12 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { "rule_name": "Binary Executed from Shared Memory Directory", "sha256": "d0213728bd6f84baef92aa0cfd3502dddef5d9b975a87ca21fabbded914ca935", "type": "eql", "version": 116 }, "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e": { "rule_name": "Potential Data Exfiltration via Rclone", "sha256": "654c6762675bbe2e86e2cdc5f2883647739cb1d40a8231cdd3156fd69752ad41", "type": "eql", "version": 4 }, "3f4d7734-2151-4481-b394-09d7c6c91f75": { "rule_name": "Process Discovery via Built-In Applications", "sha256": "69d7a45361fa360c7008395ce81012bd3497330d2b62c25ebfd1913cbd58a87b", "type": "new_terms", "version": 7 }, "3f4e2dba-828a-452a-af35-fe29c5e78969": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "Unusual Time or Day for an RDP Session", "sha256": "570ebb0e5a2ce71626cfe8f38f75326e77521db306168f490e68636c672152e5", "type": "machine_learning", "version": 9 } }, "rule_name": "Unusual Time or Day for an RDP Session", "sha256": "88291719875740ebfe930f0d6526a42e8de7f03c6c6eb67af3bfaa96b77b400d", "type": "machine_learning", "version": 109 }, "3f7bd5ac-9711-44b4-82c1-fa246d829f15": { "rule_name": "Command Execution via ForFiles", "sha256": "02b65a2a6c93487298996a9bfedaedb4d1436598cb4267292ef241ebc36be63e", "type": "eql", "version": 7 }, "3fac01b2-b811-11ef-b25b-f661ea17fbce": { "rule_name": "Entra ID MFA TOTP Brute Force Attempted", "sha256": "0c901fa65426f1462fb80e4ca2d1faf929654f311d89f202a3280dc35c9ab403", "type": "esql", "version": 9 }, "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { "rule_name": "DNF Package Manager Plugin File Creation", "sha256": "719051601ba7f4bc360e488b3f96c381ddee61bc0d99d586137c39964715592e", "type": "eql", "version": 108 }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 210, "rule_name": "Unusual Process Spawned by a User", "sha256": "4c17db59f36b3743d92068c1a5b88c0bbc0e7109294544f30d95ee11f6d5d083", "type": "machine_learning", "version": 111 } }, "rule_name": "Unusual Process Spawned by a User", "sha256": "cb675206bfdfdbd51d00586a43ad5ab1b7a4b7cf9df4e553b7a9d967e5f1d711", "type": "machine_learning", "version": 211 }, "4021e78d-5293-48d3-adee-a70fa4c18fab": { "rule_name": "Potential Azure OpenAI Model Theft", "sha256": "95545a1f85bdb02d2df6d31c2bd4f9fc0c6ad61f606abc56c7b749ec0823064c", "type": "esql", "version": 5 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { "rule_name": "GitHub User Blocked From Organization", "sha256": "7b0f9689a8a45ba9dde72567402b194089a439875f380ef1ece3fbea910dfe3a", "type": "eql", "version": 206 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "rule_name": "Unusual Persistence via Services Registry", "sha256": "8672a0625e04b58e7bbe56de0f48ddd08dee74082cfb85e5dc0eb2a5fe9209a2", "type": "eql", "version": 318 }, "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": { "rule_name": "New GitHub Self Hosted Action Runner", "sha256": "8bc6935db6bda5ca9d6adfaf7c46a30e9041e429a474d22fb9bea08e8129f9e2", "type": "new_terms", "version": 4 }, "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "rule_name": "Suspicious Modprobe File Event", "sha256": "07ed14815a1ee29d7a2ff5875f8b1a3077e662274428187236ecfb4fc4c0cb80", "type": "new_terms", "version": 112 }, "40e60816-5122-11f0-9caa-f661ea17fbcd": { "rule_name": "Entra ID OAuth PRT Issuance to Non-Managed Device Detected", "sha256": "e79dc5d558b08aa2d6a5ac711b6839d68982ebf44258c71d341bd4fa6f8a122c", "type": "eql", "version": 5 }, "40fe11c2-376e-11f0-9a82-f661ea17fbcd": { "rule_name": "M365 Exchange Inbox Phishing Evasion Rule Created", "sha256": "070959c714f7a09d058737cad7ec89cc9e40d1ead7af7e3e6b3448b52335f045", "type": "new_terms", "version": 5 }, "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { "rule_name": "Unix Socket Connection", "sha256": "50405e170ddbf72168eb26b96b10d0ddeef2da2ea25dbc04fd4820ec47ce4aef", "type": "eql", "version": 109 }, "41554afd-d839-4cc2-b185-170ac01cbefc": { "rule_name": "AWS Sensitive IAM Operations Performed via CloudShell", "sha256": "f35e27ff8f1f926289ec4c5333d1a66e6a4b7bb6e3d244d9024e2e87f621ec0d", "type": "query", "version": 3 }, "416697ae-e468-4093-a93d-59661fa619ec": { "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "ecc40ef6f1887e2552a67ac50b893a78045aa90c933ed8ef9dba6dbc5db45679", "type": "eql", "version": 319 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": "a44f29bc649117953df7644b522fe34d02e04792ce1995c96d63aefa46581be4", "type": "new_terms", "version": 207 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "Deprecated - EggShell Backdoor Execution", "sha256": "ad194c072b22ac1d47da8069b2c2cda6478e3fd76ec7f8dd2e6914f3328b7ecb", "type": "query", "version": 107 }, "4182e486-fc61-11ee-a05d-f661ea17fbce": { "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public", "sha256": "a194f601c0396232cfc2cf076aec26674df35dbebda99b88ba26210ab1342940", "type": "eql", "version": 10 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", "sha256": "5117bb1a4b1e01d38cf252aea6b1d85875d355d76d43d8355a82c5e6c8b94ec8", "type": "eql", "version": 111 }, "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 102, "rule_name": "Deprecated - Mount Launched Inside a Privileged Container", "sha256": "9599b657201d226cccb73d627949385bb21c69eb6e7c4554c43014a63a681978", "type": "eql", "version": 3 } }, "rule_name": "Mount Execution Detected via Defend for Containers", "sha256": "4aea5af437fef5fae47cf6ed305293ff950199332e2fb03503525348f1b6cbb6", "type": "eql", "version": 103 }, "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container", "sha256": "0f61633254922e0ebf567567b6aa39f07580e86d34cd1cb9240a2c1ce7ce5034", "type": "eql", "version": 4 } }, "rule_name": "Interactive Exec Into Container Detected via Defend for Containers", "sha256": "3beffdc64d3c80e62705d9f9f3a6b6fc92f18bd94136f30202711303713d78b3", "type": "eql", "version": 104 }, "428e9109-dc13-4ae9-84cb-100464d4c6fa": { "rule_name": "Unusual Login via System User", "sha256": "5b2247172cc6a9ec4fb03f5f3bb198e0ebbe37e546e0742e0a78510f59e8ba6e", "type": "new_terms", "version": 7 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { "rule_name": "Potential Okta Password Spray (Single Source)", "sha256": "d564134d98af7a3d81f0386dc3680e01e1259752b63bdb4657a1220d9d26a3c2", "type": "esql", "version": 418 }, "42c97e6e-60c3-11f0-832a-f661ea17fbcd": { "rule_name": "Entra ID External Authentication Methods (EAM) Modified", "sha256": "1a5cfbafaa947d1a30a0e36172836401d4ae9185aa8bc05e1c51245e1adeb397", "type": "new_terms", "version": 4 }, "42de0740-8ed8-4b8b-995c-635b56a8bbf4": { "min_stack_version": "9.3", "rule_name": "Kubelet Certificate File Access Detected via Defend for Containers", "sha256": "5607487040f92b7d283e36023a5fe5282bf400d31b48f4dbf1eb2ebc42106dca", "type": "eql", "version": 2 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "rule_name": "Process Creation via Secondary Logon", "sha256": "dbeba92d4f831b5f36a5a0d99766eb50182c1b60eade9a6452880f4ceb9db0d0", "type": "eql", "version": 116 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Login Activity", "sha256": "12ada8027cc4b74be40a4135f2de36c58b9e21027dd2c0987441b08f97e69590", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Login Activity", "sha256": "ceada163683a969ff0c09eeb47c2a6548ed0c5540c6489baaba37e1279299e79", "type": "machine_learning", "version": 207 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", "sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919", "type": "query", "version": 101 }, "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": { "rule_name": "Linux User Added to Privileged Group", "sha256": "4087c9d1fa0fbd63a5994e714de0043354219e1486a90d369e6f9568db609f9b", "type": "eql", "version": 114 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "faa296ace7afe520ea4ef4a8f94e73bdaabf18a3fdff2491b9411910a92c7b26", "type": "eql", "version": 316 }, "444c8fad-874f-4f59-b0ea-cf26cea478bd": { "min_stack_version": "9.2", "rule_name": "AWS Account Discovery By Rare User", "sha256": "ca6ee51c94c13583db988064c27811dd1667e2ed0c6f855641192291f42480b9", "type": "new_terms", "version": 2 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 309, "rule_name": "Unusual Windows Path Activity", "sha256": "3620bec2f351c8445f9975f73413065df3dfadbb936c41d6823c708a960d9ba9", "type": "machine_learning", "version": 210 } }, "rule_name": "Unusual Windows Path Activity", "sha256": "9521887c113dba587810eda8d843fae683aa907a35cb28d192ad2af4fea6f05c", "type": "machine_learning", "version": 310 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "rule_name": "Potential Masquerading as VLC DLL", "sha256": "a3ea7556a748c2042b4ddc53356093c97193a916b4a367701ae9c45c75e2d656", "type": "eql", "version": 7 }, "44cb1d8a-1922-4fc0-a00f-36c1caf57393": { "rule_name": "Potential snap-confine Privilege Escalation via CVE-2026-3888", "sha256": "2914fe3d40dd1b622e50c819001ef6f6841a9ab90204059631fee0d078b93a01", "type": "eql", "version": 2 }, "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { "rule_name": "Multiple Vault Web Credentials Read", "sha256": "4674d5f4a49d989f5bd2e7c5a3c68c4cb0b3c01bd3785dbaf23d881418bbd326", "type": "eql", "version": 116 }, "453183fa-f903-11ee-8e88-f661ea17fbce": { "rule_name": "AWS Route 53 Resolver Query Log Configuration Deleted", "sha256": "bdcca3f4e0bc64249b3b8122881ea1261a2d6730802c955c30624c65a57f137f", "type": "query", "version": 8 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { "rule_name": "Permission Theft - Prevented - Elastic Endgame", "sha256": "821304ada86cb1f6baa0400b3df6da59d8cddb153c4eaf0cdbd47ac7b8559261", "type": "query", "version": 106 }, "4577d441-0c05-4bfb-9068-39a0cb855269": { "min_stack_version": "9.4", "rule_name": "Rare Powershell Script", "sha256": "9c0511f7439e1c00c5d8282719bc8a3a3264846f0c2da4f4f9ee4cdcf7ec335f", "type": "machine_learning", "version": 1 }, "4577ef08-61d1-4458-909f-25a4b10c87fe": { "rule_name": "AWS RDS DB Snapshot Shared with Another Account", "sha256": "e7c9e715dfc5202e3726e02eb0845d9ebc862820f8d6f38bbc831db9a30afacf", "type": "eql", "version": 8 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { "rule_name": "Windows Event Logs Cleared", "sha256": "5dbb2ba25bb9773b3f4cbfe7113bdfbea3297b4abe47e86d665329d81f9ce439", "type": "query", "version": 216 }, "45d099b4-a12e-4913-951c-0129f73efb41": { "min_stack_version": "9.2", "rule_name": "Web Server Potential Remote File Inclusion Activity", "sha256": "eac6dd3f878185bf383aa944ce7171b5ac8f06bbac00216eda18a5633aaef77c", "type": "esql", "version": 5 }, "45d273fb-1dca-457d-9855-bcb302180c21": { "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "0ccdfbb0e5e5ffd32a9233c3ddf4f8302da0fb0f0850ce2f8d4581d3fbb3b3e5", "type": "eql", "version": 220 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "564bb0d746bd663f81363cdf9ac732590b9f53cb2de5ba98a67f800fb3539a31", "type": "eql", "version": 321 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "930128205c02f5c7f26427faefeb2d4bab4bebdacf586a93b0aa5017bef1e78b", "type": "eql", "version": 318 }, "46b01bb5-cff2-4a00-9f87-c041d9eab554": { "rule_name": "Browser Process Spawned from an Unusual Parent", "sha256": "9b29139c1b7fd40c89143857a62a03aa09c8e7963ef54f650fff4224dc441f21", "type": "eql", "version": 4 }, "46f804f5-b289-43d6-a881-9387cf594f75": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Unusual Process For a Linux Host", "sha256": "6c4cc176cfcf4e1333279896e4a7af3d18d9b540a8dde255d48339baeeba33b8", "type": "machine_learning", "version": 108 } }, "rule_name": "Unusual Process For a Linux Host", "sha256": "e3f402cd3a598b9f2569f90d33ef2259c22ad46f3dc1bdc3c4c5b17eec84f8bf", "type": "machine_learning", "version": 208 }, "472b4944-d810-43cf-83dc-7d080ae1b8dd": { "rule_name": "Multiple Cloud Secrets Accessed by Source Address", "sha256": "5e4eae6eda373ea926bb58a7a366c5a8f2927a722bf046ea56b6c12f05a39d09", "type": "esql", "version": 6 }, "47403d72-3ee2-4752-a676-19dc8ff2b9d6": { "rule_name": "AWS IAM OIDC Provider Created by Rare User", "sha256": "2b8214da1cdbd0bc040957a0d7526d484399595432c8a33204adcf6632c40bc7", "type": "new_terms", "version": 3 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { "rule_name": "System V Init Script Created", "sha256": "a68393a005eedad66f216d14894d34d69d69ddf143cc9fa39a2f535685870c6b", "type": "eql", "version": 119 }, "47595dea-452b-4d37-b82d-6dd691325139": { "rule_name": "Credential Access via TruffleHog Execution", "sha256": "80cd369aeb6877b1db2b6c12d1783ea6a5d0a624fa9017500b34cad571cef398", "type": "eql", "version": 4 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Deprecated - Sensitive Files Compression Inside A Container", "sha256": "c45335d0cf5b97ef7c4f655e919b98f962426de4d8347ffb18ce6bbfea13bd98", "type": "eql", "version": 4 } }, "rule_name": "Sensitive File Compression Detected via Defend for Containers", "sha256": "731ba52a513156d8a87d316d77433a64170711f97dc7f177f3f719aea71b3314", "type": "eql", "version": 105 }, "476267ff-e44f-476e-99c1-04c78cb3769d": { "rule_name": "Cupsd or Foomatic-rip Shell Execution", "sha256": "653a7ef1791236e63f96af404c6b02046875b405b8037d13ccb1a3e7998ba6fd", "type": "eql", "version": 107 }, "47661529-15ed-4848-93da-9fbded7a3a0e": { "min_stack_version": "9.3", "rule_name": "Chroot Execution Detected via Defend for Containers", "sha256": "59db7a4c53b4f3ddb4207c6491c7bd8d81c264d0c04da5d8788ab834607b79d7", "type": "eql", "version": 2 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "a5af415e1f2c7a456ca9118e3e4597cc2b0b71a212a73a2fa72bda8e0830cac8", "type": "eql", "version": 218 }, "47e46d85-3963-44a0-b856-bccff48f8676": { "rule_name": "DNS Request for IP Lookup Service via Unsigned Binary", "sha256": "b77d74a3141da1892738e8c0d4fd55bcbe16d6888bb1c16ec266c429adf9d305", "type": "eql", "version": 1 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { "rule_name": "Execution via Regsvcs/Regasm", "sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578", "type": "query", "version": 100 }, "47f76567-d58a-4fed-b32b-21f571e28910": { "rule_name": "Apple Script Execution followed by Network Connection", "sha256": "938566ecdd4b7685b7907233ea57cfe0cb348a40ac06c7eb2716b07aab912725", "type": "eql", "version": 113 }, "47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5": { "rule_name": "Potential Database Dumping Activity", "sha256": "aad1b6a1095cc1013ae935d6e8045119e05fe3ef4f5834c1f9127be2395959e7", "type": "eql", "version": 2 }, "483832a8-ffdd-4e11-8e96-e0224f7bda9b": { "min_stack_version": "9.2", "rule_name": "New USB Storage Device Mounted", "sha256": "68046728274c9ab9c11bc0b39e461e49b9a9b9848f71d7011fe77d57ba59496e", "type": "new_terms", "version": 2 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "5a1aba147a9b9f814d2d1b09cd541b22ae6d611c7fd6f3188f5920edab8078c0", "type": "eql", "version": 318 }, "48819484-9826-4083-9eba-1da74cd0eaf2": { "rule_name": "M365 Exchange Mailbox Accessed by Unusual Client", "sha256": "8a10e8db5467f33d67e8ed3dca2f5a1d079e9d210603960f09e9db3ea9d997c7", "type": "new_terms", "version": 113 }, "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "rule_name": "Potential Reverse Shell", "sha256": "e0d23e8a4ce93e59d053897dac95bd93ea4007fea82aa10026eb0f9cb6aa98c0", "type": "eql", "version": 15 }, "48b6edfc-079d-4907-b43c-baffa243270d": { "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "13da83ae4ff6203a49a32508015f5afa1857f4551dfcaad34b06c929cf1e6a56", "type": "esql", "version": 119 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { "rule_name": "Unexpected Child Process of macOS Screensaver Engine", "sha256": "be6c7b51b8751b54b6b8c450645ccbe983f6d0ad6b84552de2019226faae60b8", "type": "eql", "version": 111 }, "48e60a73-08e8-42aa-8f51-4ed92c64dbea": { "rule_name": "Suspicious Microsoft HTML Application Child Process", "sha256": "7c56c9e26607fba3339913474442ef3d7bfbf6293b5c99f54d2eb96881fade95", "type": "eql", "version": 4 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { "rule_name": "Potential Persistence via Periodic Tasks", "sha256": "20d159f7d05efe06ca199cdaaa7dbfd309d575bb0863bb8a3abb182ce79e8ac5", "type": "eql", "version": 110 }, "48f657ee-de4f-477c-aa99-ed88ee7af97a": { "rule_name": "Remote XSL Script Execution via COM", "sha256": "f1c328ae4209f8dd970135e0448fcc4570c22a584600e6623a6e7b834d57b7a0", "type": "eql", "version": 8 }, "491651da-125b-11f1-af7d-f661ea17fbce": { "rule_name": "M365 SharePoint/OneDrive File Access via PowerShell", "sha256": "85739e22b434b14be9315877943b9eb3b82ce63928b065f96cb4631cb598768c", "type": "new_terms", "version": 4 }, "493834ca-f861-414c-8602-150d5505b777": { "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", "sha256": "d94a4754a0bac94045cb963405493f79639e4750d53db7855347719f027c7a91", "type": "esql", "version": 107 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { "rule_name": "Potential Linux Backdoor User Account Creation", "sha256": "9365957412d43c05676cc64a16e5849fea6369fb83f1f3bc6433834987b4d0c1", "type": "eql", "version": 114 }, "495e5f2e-2480-11ed-bea8-f661ea17fbce": { "rule_name": "Application Removed from Blocklist in Google Workspace", "sha256": "6d87b2fabfb96262dab24abba760dd06624e339e6f6754d5b80da802c4fcc200", "type": "query", "version": 111 }, "4973e46b-a663-41b8-a875-ced16dda2bb0": { "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", "sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7", "type": "eql", "version": 3 }, "497a7091-0ebd-44d7-88c4-367ab4d4d852": { "min_stack_version": "9.3", "rule_name": "Web Server Exploitation Detected via Defend for Containers", "sha256": "4f015b58f7cc44127fa2338b2af0178f6882ee823df52179f218821a49ec03e8", "type": "eql", "version": 3 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { "rule_name": "Process Discovery Using Built-in Tools", "sha256": "547cc7d9e89793916feda5f91bfa09fcdb1001369b259f28b1d90f8790b0c8b7", "type": "eql", "version": 111 }, "498e4094-60e7-11f0-8847-f661ea17fbcd": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 106, "rule_name": "Entra ID Federated Identity Credential Issuer Modified", "sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d", "type": "esql", "version": 8 }, "9.1": { "max_allowable_version": 206, "rule_name": "Entra ID Federated Identity Credential Issuer Modified", "sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d", "type": "esql", "version": 108 } }, "rule_name": "Entra ID Federated Identity Credential Issuer Modified", "sha256": "75ce697b7ebba19a90b13ad5c2a00f716b1136889ac57cf0454fb38d2abf3033", "type": "esql", "version": 209 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", "sha256": "36f98006e5bfa62be0b6fb497cac3f8e786c601b1856911576321711398ff937", "type": "query", "version": 109 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", "sha256": "ebb411cb6d8deec435be6983e89ff05cf986d078ea776de1c513732dad30a8a8", "type": "eql", "version": 111 }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { "rule_name": "Potential Cross Site Scripting (XSS)", "sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6", "type": "eql", "version": 2 }, "4ae94fc1-f08f-419f-b692-053d28219380": { "rule_name": "Connection to Common Large Language Model Endpoints", "sha256": "e3a857464bccee09ed43658511ac90b4b5e1ab9d35a7e6f562e8222fb1c31356", "type": "eql", "version": 6 }, "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", "sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982", "type": "eql", "version": 6 }, "4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection - User Risk", "sha256": "5df9119f737237a17d5b11d6333596ed6cccdcea1c3d4ddb2115cee9fdf15a27", "type": "query", "version": 4 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "712e9f27b5d709ea5f42c73b492a3eb4b4c9d9a749c11b25a0c40218cf62765a", "type": "eql", "version": 317 }, "4b4e9c99-27ea-4621-95c8-82341bc6e512": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 105, "rule_name": "Deprecated - Container Workload Protection", "sha256": "411897304d67f1f8954d01b12bd234c002308f5cb7c284cc8edc8e86398b5506", "type": "query", "version": 6 } }, "rule_name": "Container Workload Protection", "sha256": "498945c61a0e56d7dee2199258dd45db789fe0034e64cf69ce36b49ebf2a1568", "type": "query", "version": 106 }, "4b74d3b0-416e-4099-b432-677e1cd098cc": { "rule_name": "Container Management Utility Run Inside A Container", "sha256": "4b1c24e5e2fb7b93b9cab43640dcb67a1a8d8023080af350342420b412d954a3", "type": "eql", "version": 5 }, "4b77d382-b78e-4aae-85a0-8841b80e4fc4": { "rule_name": "Kubernetes Forbidden Request from Unusual User Agent", "sha256": "88773d78b14a1bcdf590ca88cafbe442d00a5a49f47b498e65a6ac6d4a767133", "type": "new_terms", "version": 6 }, "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { "rule_name": "ProxyChains Activity", "sha256": "68defaeb26fa351359ae0446628962b14803c4baeff4ee68daf60bf8947ef046", "type": "eql", "version": 110 }, "4b95ecea-7225-4690-9938-2a2c0bad9c99": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 107, "rule_name": "Unusual Process Writing Data to an External Device", "sha256": "94ec426a8004fc2a8a6b335f60ddaa7ac6b2e50638d6e72f242b133e0121c3a1", "type": "machine_learning", "version": 8 } }, "rule_name": "Unusual Process Writing Data to an External Device", "sha256": "1589cefc5200c7e7996d5300845a603f75f00b8ae38c6b4aaf586efc53f66089", "type": "machine_learning", "version": 108 }, "4bae6c34-57be-403a-a556-e48f9ecef0b7": { "rule_name": "M365 Quarantine and Hygiene Signal", "sha256": "f2d1e7436634073de94351647b98d9e406d09f11b6250cd96fef280126632366", "type": "query", "version": 2 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "ed8dcb92cfeba3e300ed4a8d4692886005db714dc1ec5c71e5b68c0da285cde6", "type": "eql", "version": 316 }, "4bd306f9-ee89-4083-91af-e61ed5c42b9a": { "min_stack_version": "9.3", "rule_name": "Service Account Token or Certificate Access Followed by Kubernetes API Request", "sha256": "2bd3b29bb1de58aceb5f105d638bee45273c848f3ee80c7cee83e90a04964ee5", "type": "eql", "version": 3 }, "4c3c6c47-e38f-4944-be27-5c80be973bd7": { "rule_name": "Unusual SSHD Child Process", "sha256": "7836bbad444d51d5c8299aea810ea766e37ff1aaa90696ff4de74a6882d1fa3a", "type": "new_terms", "version": 7 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "rule_name": "PowerShell Share Enumeration Script", "sha256": "53e870fdfb17df75e77e5625dad994b7014b21b3b90229e0436817acaa6aad78", "type": "query", "version": 116 }, "4c5a4e8b-3f2d-4a6e-9b5c-7d8f9e0a1b2c": { "rule_name": "Azure Storage Account Blob Public Access Enabled", "sha256": "3a0186ed0069a6b04d772c0376819879b9f3230c5f97929c81fa54bb2ba09635", "type": "new_terms", "version": 2 }, "4d169db7-0323-4157-9ad3-ea5ece9019c9": { "rule_name": "Potential NetNTLMv1 Downgrade Attack", "sha256": "66c44401346ad331eee974206935f1739356fbdfa1c05b5c43a96d00aa7cf0d2", "type": "eql", "version": 5 }, "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { "rule_name": "Kernel Load or Unload via Kexec Detected", "sha256": "ed5b0ee6f9acc299b7d681c6c248927820ed37d3afde535bbf22d1f88c8a5d38", "type": "eql", "version": 113 }, "4d4cda2b-9aad-4702-a0a2-75952bd6a77c": { "rule_name": "Docker Release File Creation", "sha256": "fcf46bfd3250345e843693606f5fb82feefdc1be32b6a5f2b0f4a2ba0f09777d", "type": "eql", "version": 4 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "rule_name": "AWS Management Console Brute Force of Root User Identity", "sha256": "33007e4af04655ed7b7d38d9aa4047437e04c7a32a683fb1d94d0c6f9c0126bc", "type": "threshold", "version": 214 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "rule_name": "Attempt to Disable Gatekeeper", "sha256": "15628d00707d5cb8162b39822a54eaefbaba7cacec4fe61de572319ea4b25767", "type": "eql", "version": 111 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "2547fbd8709d4cf9e8f4bd0048a897e98859ec4f7ab564261d6a52e38f94d2ef", "type": "eql", "version": 320 }, "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "18af43592e9ea1cab61766146cc9e4060b3d000eea41d6ed6b5e839350b3e422", "type": "eql", "version": 117 }, "4ec47004-b34a-42e6-8003-376a123ea447": { "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", "sha256": "3141b56172d9325f7e292f8848a1c32a7d10bbe33ba9a2d6876e5a8895c80063", "type": "eql", "version": 115 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "fee10156d1f4a3f29bc42acbf1ad6ee3ba381b251d656d9705905328d11f7503", "type": "new_terms", "version": 319 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "rule_name": "Suspicious Script Object Execution", "sha256": "8b925f4de064a926ab17d2911e80bf6947d6e864da4aad5afcebc3491a482ecb", "type": "eql", "version": 214 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "rule_name": "Unauthorized Access to an Okta Application", "sha256": "86ae4800d9e3322d8946ef71eadb796219d883ca2d8b3772316c430eff73718e", "type": "query", "version": 415 }, "4f2654e4-125b-11f1-af7d-f661ea17fbce": { "rule_name": "M365 SharePoint Search for Sensitive Content", "sha256": "4bad672d48c22df5551ec3342e6f2c08bd9615a39c6c71edae46085f8673643c", "type": "eql", "version": 2 }, "4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": { "rule_name": "Kernel Unpacking Activity", "sha256": "991d514239a7588fb6359ef0829150e5fba13a68886bf02602eff1ce014b7a26", "type": "eql", "version": 7 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "rule_name": "Unusual High Confidence Content Filter Blocks Detected", "sha256": "bbed7d005c3add1b1f91865e98385a1db6bab42d2c50a6f304be8f9987154da8", "type": "esql", "version": 9 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "rule_name": "Execution via TSClient Mountpoint", "sha256": "e91467439c3544ac933948876d3564d3775402dbd9de32b4331e7677ff28d060", "type": "eql", "version": 319 }, "50742e15-c5ef-49c8-9a2d-31221d45af58": { "rule_name": "Okta Successful Login After Credential Attack", "sha256": "6dad6073685bd27507bd1019c4c661b33314e196d1df27fd1d6a4a26a3f6aa32", "type": "esql", "version": 3 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "9f970647e9f0660e49e6297139d0fac8dea160ad9a626410b76241e0e285dab4", "type": "threshold", "version": 212 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", "sha256": "38d2e2b85d115c468b86078187b4bf2e2692c83671f32a7800c8d87e8327865e", "type": "new_terms", "version": 6 }, "51176ed2-2d90-49f2-9f3d-17196428b169": { "rule_name": "Windows System Information Discovery", "sha256": "3f5f4187427fe60250c06d4030358ca518b17592c87d264baef1d7091a731c6a", "type": "eql", "version": 112 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { "rule_name": "Hidden Files and Directories via Hidden Flag", "sha256": "00a937a6551df200e27af0c95020a908bd832f721000e682fd65f512541cc2c4", "type": "eql", "version": 108 }, "5134be90-42c1-4ac7-859c-4d82caaddbec": { "rule_name": "Proxy Shell Execution via Busybox", "sha256": "79b4ea149f88a2ee4fc8326864cadcd00ea7b142318e7e9100ab5c90dd688825", "type": "eql", "version": 1 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "rule_name": "Registry Persistence via AppCert DLL", "sha256": "f08796645892a9fa8f7c3b67c11e0245ae79f43f1da29dc7f672653ebf69815b", "type": "eql", "version": 418 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "M365 Exchange DKIM Signing Configuration Disabled", "sha256": "859bc8f0ef5f23b602f35c59bea15f012d43ae8c80cebb03c3b3b94220e29cd1", "type": "query", "version": 213 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { "rule_name": "GCP Logging Sink Deletion", "sha256": "511c2959e42c07c74fe71b4f3da197e85d2a1fb979e23918829861b69aa0bd04", "type": "query", "version": 109 }, "5188c68e-d3de-4e96-994d-9e242269446f": { "rule_name": "Service DACL Modification via sc.exe", "sha256": "7b9b5cddfe539d530a81415222048a2f5018ed718b45baabb26fda249de04fbd", "type": "eql", "version": 209 }, "51a09737-80f7-4551-a3be-dac8ef5d181a": { "rule_name": "Tainted Out-Of-Tree Kernel Module Load", "sha256": "a5c34d9923fd2894a45428381962c575b3377bb30cf355c2869e5344a4e04175", "type": "query", "version": 8 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "870d58a3e6ea8fe0f4085336bc6cbc3d947914097ba94babb4b5f15b0cda2444", "type": "eql", "version": 212 }, "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "rule_name": "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected", "sha256": "2bea7d2c25ab910e0d606af8c8c55279b47893c6895044b905d268f6bfc3a206", "type": "eql", "version": 11 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "rule_name": "AWS GuardDuty Detector Deletion", "sha256": "0a394ab67c395bcdc27b3ad12d450d8ce316d1f4bb5eb00b82dc41ce9e6713d7", "type": "query", "version": 212 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", "sha256": "db0a78fa15e70e7486162d61b6f30566133d52e6433e0e9d7dc42ffbf6eeae48", "type": "eql", "version": 119 }, "527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": { "min_stack_version": "9.3", "rule_name": "Tool Installation Detected via Defend for Containers", "sha256": "06b375e493f4b41424c0ca40c75d93d51a0530eaa4a352ee6d7853d70b04a0d3", "type": "eql", "version": 4 }, "5297b7f1-bccd-4611-93fa-ea342a01ff84": { "rule_name": "Execution via Microsoft DotNet ClickOnce Host", "sha256": "29634fdc3cfdb91140f35c87f79547edac1b9e106807a8cc21d7ee6b51912e87", "type": "eql", "version": 4 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "cde1e6487ebcc56f9050150c0378e2da7deff62ad47b9dab28c2794674535116", "type": "eql", "version": 214 }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Unusual Linux Network Activity", "sha256": "62bd8f8c90f70c3a4eb3671d95b3b6e54bd72c9902ec472ed75dbc680856fa84", "type": "machine_learning", "version": 108 } }, "rule_name": "Unusual Linux Network Activity", "sha256": "c3933dcb86a4f1abdb07a73739d56f6fd50701e0ce42c766af4402e47f547ba6", "type": "machine_learning", "version": 208 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", "sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad", "type": "machine_learning", "version": 100 }, "52afbdc5-db15-596e-bc35-f5707f820c4b": { "rule_name": "Unusual Linux Network Service", "sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c", "type": "machine_learning", "version": 100 }, "530178da-92ea-43ce-94c2-8877a826783d": { "rule_name": "Suspicious CronTab Creation or Modification", "sha256": "06aa18b798246b990e22baa71af8b598ed63603682333c4694537075d56ce774", "type": "eql", "version": 112 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "sha256": "9cf2ba4a67c472e0406c42262df0bb6ccddb11451ddcf29de0d5985842a08f96", "type": "new_terms", "version": 15 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "rule_name": "AWS EFS File System Deleted", "sha256": "8cf6dfd14e01e720347865eb598fe80c73084a718b4f5703b63d214db4d68052", "type": "query", "version": 212 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "rule_name": "Azure Diagnostic Settings Deleted", "sha256": "7ca60ba6ad3527a0ae4294e9191284da98a6981a9abccf9356442eafe415f24e", "type": "new_terms", "version": 109 }, "5378a829-30c2-435a-a0f2-e3d794bd6f80": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 100, "rule_name": "Rare GCP Audit Failure Event Code", "sha256": "68286b273629f0e76ab3ed11d530a7aa0bafc6f2fce33cc438cee7402360c949", "type": "machine_learning", "version": 1 } }, "rule_name": "Rare GCP Audit Failure Event Code", "sha256": "c5481b8a55bd8c39a4b9d76e1630bd8329b9339cb43e40347317861244b7db02", "type": "machine_learning", "version": 101 }, "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { "rule_name": "Statistical Model Detected C2 Beaconing Activity", "sha256": "13ca397ec6553f6c993d68c532077536be213be3dee894a2609b0aaea9eade5e", "type": "query", "version": 10 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { "rule_name": "Suspicious PDF Reader Child Process", "sha256": "792ed5fc6b0a36233bde6b5f3b81cb38c17352d64cb05bf7695a121087c373c2", "type": "eql", "version": 319 }, "53dedd83-1be7-430f-8026-363256395c8b": { "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "c082e3ac3a00dc4956ce3e96ea4ec33d0e3d82e54b0ccacc0ecbdcaea938c347", "type": "eql", "version": 110 }, "53ef31ea-1f8a-493b-9614-df23d8277232": { "rule_name": "Pluggable Authentication Module (PAM) Source Download", "sha256": "cd48b0f1d4115b1444172db9c6f59b8c60c75583bf5c511ba0df9ea374aa84f5", "type": "eql", "version": 7 }, "54214c47-be7c-4f6b-8ef2-78832f9f8f42": { "rule_name": "Network Connection to OAST Domain via Script Interpreter", "sha256": "1203b6747b51b4832b4ebefe2903731584e77306aacc9f20d75fbf1cf7d1c66e", "type": "eql", "version": 2 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "rule_name": "Uncommon Registry Persistence Change", "sha256": "04bf11d21b2237ee52b0b88167f0cfa4fc196dde2f4fbfda8b651395b6ef1329", "type": "eql", "version": 217 }, "54a81f68-5f2a-421e-8eed-f888278bb712": { "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "bb8801610e32224071dc341162073ded5df413ddf4c2cdcfb9b7e8442242b149", "type": "query", "version": 215 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "rule_name": "Network Logon Provider Registry Modification", "sha256": "3cff6043bb08ad2cb24e8d37adc43a86a8670e3e4d63ab64da8590469e6d827d", "type": "eql", "version": 219 }, "55a372b9-f5b6-4069-a089-8637c00609a2": { "rule_name": "First-Time FortiGate Administrator Login", "sha256": "518282100295984ad22ded511e0efb7a009dbec8d0bbfe2c7fac69778163579b", "type": "esql", "version": 3 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "d9d7b7c944e438656c8d6c348d8acd34be6f45ef68c23cdc5c1e679c1eb476f2", "type": "eql", "version": 217 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { "rule_name": "PsExec Network Connection", "sha256": "af8f8b17e077e18ee55fe944de4a17281aedb7f00d55333d69560c44623fcfd7", "type": "eql", "version": 214 }, "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { "rule_name": "Windows Installer with Suspicious Properties", "sha256": "a8fdb430eef1c2a8a281cadce30763cc48c12db7cd45cafcc018d558cac60d8d", "type": "eql", "version": 4 }, "55f711c1-6b4d-4787-930d-c9317a885adf": { "rule_name": "Suspicious Execution with NodeJS", "sha256": "0988cafc07e2277a8687b5a89074a4ad787b1cc0ad5bf564bdacb5b7c95cfe94", "type": "eql", "version": 3 }, "56004189-4e69-4a39-b4a9-195329d226e9": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 209, "rule_name": "Unusual Process Spawned by a Host", "sha256": "eca5395ab95a933bd111e9188d2ae22c48eb93cb47655489d123e4414dabfe5f", "type": "machine_learning", "version": 110 } }, "rule_name": "Unusual Process Spawned by a Host", "sha256": "d1bc1e43d67b87351b3a10c4bd73b589d019f0eb8f4519a5fdd013f9c57732a8", "type": "machine_learning", "version": 210 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "9bc6208af462e05208a3ba998898d18819968882805d9c738507807be1b330c2", "type": "eql", "version": 210 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "8cf3c09ba2db0c7300a67369106a28725e2c5cc57e9c57d8cf14fe64d7a8c303", "type": "query", "version": 212 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { "rule_name": "Potential Admin Group Account Addition", "sha256": "87db461459ea0a1c445b59dfa9d8e7368c2afc905f30243a589b82af51f8515d", "type": "eql", "version": 211 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { "rule_name": "Dumping of Keychain Content via Security Command", "sha256": "e402572e5dc8c2c7305905227898b75e4d1a151ec425b3c8b433e5816cd325d4", "type": "eql", "version": 112 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { "rule_name": "GCP Logging Bucket Deletion", "sha256": "a41c9b731116a7c1e1a6c3aa9f43347ea30abb1eea8076c45c74804e6b07a048", "type": "query", "version": 109 }, "56d9cf6c-46ea-4019-9c7f-b1fdb855fee3": { "rule_name": "Windows Sandbox with Sensitive Configuration", "sha256": "cb4b6f0adb8773383e682fe16570cbca4179d222ed197d04b3d89fa29926d486", "type": "eql", "version": 4 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "rule_name": "PowerShell PSReflect Script", "sha256": "6c697a981e583ada22e4f514b9fe1cc69e210a0cd838679036eb1158118d1beb", "type": "query", "version": 317 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { "rule_name": "Execution of an Unsigned Service", "sha256": "98a1bb00cc5109dfee42a633f855fff9346d0648551bebc3d0863b1561b49aa2", "type": "new_terms", "version": 109 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "rule_name": "VNC (Virtual Network Computing) from the Internet", "sha256": "5df33e1e630173c386e4532fe8fccafa945c531cdaad3bf9f65a20605287464b", "type": "query", "version": 111 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "rule_name": "Credential Dumping - Detected - Elastic Endgame", "sha256": "c7c3ab0c50a276ad16b97c50145d1b1c44b1d09b2582d5f75868b68006f33c2b", "type": "query", "version": 105 }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { "rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted", "sha256": "914135ecccac7234592a2f0c768301fedcf43c6c78e8ec8977774bcd9ecb70aa", "type": "query", "version": 105 }, "5749282b-7524-4c9d-af9a-e2b3e814e5d4": { "rule_name": "AWS Credentials Searched For Inside A Container", "sha256": "b09e2c974cc1d80c0c75f3799dc517a1ba657bb18f02243743e329247980db61", "type": "eql", "version": 4 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { "rule_name": "PowerShell MiniDump Script", "sha256": "5c5ee438716479240dd176d2f4b269ac7093f03e6ceffde51b86912f8b8d4ee2", "type": "query", "version": 214 }, "57bccf1d-daf5-4e1a-9049-ff79b5254704": { "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "4944bbed621deeb513b94814d78fab8b15895a6fbf5a4b3c12e69c50f5a82be6", "type": "eql", "version": 109 }, "57bfa0a9-37c0-44d6-b724-54bf16787492": { "rule_name": "DNS Global Query Block List Modified or Disabled", "sha256": "971eb40543306c60de5695b0c5c5323b2de381b23f1e442ce30cb39d29eb2c97", "type": "eql", "version": 211 }, "57e118c1-19eb-4c20-93a6-8a6c30a5b48b": { "rule_name": "Remote GitHub Actions Runner Registration", "sha256": "8da226b40be571223b8382299f5497f08742a417a0afe756e9005488a6a3604a", "type": "eql", "version": 3 }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Backup Deletion with Wbadmin", "sha256": "ab7e97c915d3a23943a57f5610efdbf9dfa1c8b60f4a82155800f5eb754553dc", "type": "eql", "version": 320 }, "5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": { "rule_name": "Unusual Web Config File Access", "sha256": "d0e52d0a9d67db8bc963869c1db6a15171b3f593e995b5a08bc6bde2194de611", "type": "new_terms", "version": 4 }, "5889760c-9858-4b4b-879c-e299df493295": { "rule_name": "Potential Okta Brute Force (Multi-Source)", "sha256": "cdac32489551a612c6bdd1002c5f9beb3f39e4e418574f5d004a7307b21e02c3", "type": "esql", "version": 3 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "rule_name": "RDP Enabled via Registry", "sha256": "80ca9aa2214417366e41ffd82cd9a7232496f7791e47f1fe0b600d0b8425bf40", "type": "eql", "version": 317 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { "rule_name": "Zoom Meeting with no Passcode", "sha256": "c200789d227a9970276e70d96c3d7a3dda0bca9cc890d451341d5701dc772fa8", "type": "query", "version": 106 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { "rule_name": "Potential Lateral Tool Transfer via SMB Share", "sha256": "ac7bf2a46ba5a70e8f7adf24b3dff91fc99d215a6ead840ce7f034f27e013106", "type": "eql", "version": 113 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", "sha256": "54a500e176cc9745327edf4a986bbcad4894627acf87bc50f5727b26558cd775", "type": "eql", "version": 115 }, "590fc62d-7386-4c75-92b0-af4517018da1": { "rule_name": "Unusual Process Modifying GenAI Configuration File", "sha256": "4c8318ca5f58fb1f5df70040197b63e88f8b5f390e666cc85e3eac0c39129222", "type": "new_terms", "version": 6 }, "5919988c-29e1-4908-83aa-1f087a838f63": { "rule_name": "File or Directory Deletion Command", "sha256": "7742b4d700c05a6edae94904b1648746b5b85845c114eb60cbfc8fb84972171f", "type": "eql", "version": 7 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { "rule_name": "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish", "sha256": "52f073fe724020db891045530704a08c294fa95ee10247f3232467f93bd3fb85", "type": "query", "version": 213 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "rule_name": "AWS CloudTrail Log Created", "sha256": "820bd96ddd179512b9d5a0163bb9f14bab4331cc45be72aa7718ebace53c28c0", "type": "query", "version": 214 }, "59756272-1998-4b8c-be14-e287035c4d10": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Unusual Linux User Discovery Activity", "sha256": "1b3e6cbb40f046d22b7ccadce341898603e5676bd73c703a48a3dd0a50beae19", "type": "machine_learning", "version": 108 } }, "rule_name": "Unusual Linux User Discovery Activity", "sha256": "60849ad13847f09c4d9a8563601b9291916f289bea439f511a4171ec4a013351", "type": "machine_learning", "version": 208 }, "59bf26c2-bcbe-11ef-a215-f661ea17fbce": { "rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source", "sha256": "4ee4a4ce4a9ac868a787a8fcadc3d1b7655e2840e1b76969a14ac4571928d40a", "type": "new_terms", "version": 9 }, "5a138e2e-aec3-4240-9843-56825d0bc569": { "rule_name": "IPv4/IPv6 Forwarding Activity", "sha256": "d9cf4c038f53b5ebd1c30a304fb8870d6145d0785926200cf0374842c84220ff", "type": "eql", "version": 108 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "1f54949694e1a11f3a6cfb3b63ee8e578f5bf33cdb23bf40ea319d20845ff3d0", "type": "eql", "version": 314 }, "5a3d5447-31c9-409a-aed1-72f9921594fd": { "rule_name": "Potential Reverse Shell via Java", "sha256": "11037a250f68a1970df97139622a157e84807139f8126e5d9c7bc7cf56b3b77c", "type": "eql", "version": 13 }, "5a876e0d-d39a-49b9-8ad8-19c9b622203b": { "rule_name": "Command Line Obfuscation via Whitespace Padding", "sha256": "1bf4f552f7599807a7e15afba35b168d0ca331e3b70e945506eb527d1e088934", "type": "esql", "version": 4 }, "5ab49127-b1b3-46e6-8a38-9e8512a2a363": { "rule_name": "ROT Encoded Python Script Execution", "sha256": "3570dec854c263de8cdebc1855ebfe5f7ab4526fc849b9e3a925eca865cdb5c7", "type": "eql", "version": 6 }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { "rule_name": "Potential Chroot Container Escape via Mount", "sha256": "8e98b708a9211e5d0ebef862842c54d085108d51b98842c091c5b26228dfa6ee", "type": "eql", "version": 108 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login Enabled via systemsetup Command", "sha256": "633d6227e7b67c05c46dd509f2cd8d07f37e29fa580d76f692df49fea3e78ff7", "type": "eql", "version": 111 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "2cfbca1b129860895636735b8d15df004c74a582e3be5fc79d043ee9eb08bd50", "type": "eql", "version": 314 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", "sha256": "d3606ed659895f8c1cfdbff613629c196b862c209892b801f1b8370aaaf4277d", "type": "eql", "version": 114 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { "rule_name": "SUID/SGUID Enumeration Detected", "sha256": "600013f59808acf8e3fbcb916efe820a124db6b8d3605bf5fe031d1b729b358d", "type": "eql", "version": 11 }, "5b18eef4-842c-4b47-970f-f08d24004bde": { "rule_name": "Suspicious which Enumeration", "sha256": "dfef9c7a379453c311f0bfab1d39e33e823cd53ca0d1401b0c395667b781beb7", "type": "eql", "version": 112 }, "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": { "rule_name": "Successful SSH Authentication from Unusual User", "sha256": "7be56f4b8d28507b68d83d793cca3e982deab0387b8e00b6117aafe109cb2bc3", "type": "new_terms", "version": 5 }, "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { "rule_name": "Potential Masquerading as Browser Process", "sha256": "4556a2b4d9ae5c0709537287d7c352c49fd07266ec3e249028df8c684d8e7bf2", "type": "eql", "version": 9 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "rule_name": "Deprecated - Suspicious PrintSpooler Service Executable File Creation", "sha256": "8a47a48d97d6455444a465225652850ef188dd562e9f8c43f6fc8781a717f891", "type": "new_terms", "version": 323 }, "5bda8597-69a6-4b9e-87a2-69a7c963ea83": { "rule_name": "Boot File Copy", "sha256": "9631f14860402dcf2e73a1613d08cf82bef87f7b793098b03b5ececfe9236c85", "type": "eql", "version": 5 }, "5bdad1d5-5001-4a13-ae99-fa8619500f1a": { "rule_name": "Base64 Decoded Payload Piped to Interpreter", "sha256": "027fc040e1e9e549efb1038c541a0965a6a625c7cfa7ac595dfc9747ffca5b09", "type": "eql", "version": 7 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", "sha256": "7e201a9f630b65ea3703f55383653c8c701324ea8334853c13efb45ddd45bb79", "type": "query", "version": 212 }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { "rule_name": "Process Capability Enumeration", "sha256": "958cb09fe0453597f345b91d73f1f8cf88e769e76285da2a9029817841f976b0", "type": "eql", "version": 9 }, "5c495612-9992-49a7-afe3-0f647671fb60": { "rule_name": "Successful SSH Authentication from Unusual IP Address", "sha256": "1131f0ba1299b1673272bd63bc99e020893f13a54959cc573c19f06e3c6d27c0", "type": "new_terms", "version": 5 }, "5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": { "rule_name": "Deprecated - SSH Process Launched From Inside A Container", "sha256": "5b2188d09bbe293e3e5d684a0febaaeb6e8027038ba64aa70585fde1b3f59fdd", "type": "eql", "version": 3 }, "5c602cba-ae00-4488-845d-24de2b6d8055": { "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "4ab3780669514a3c38d185828e425d62f8005baf7e564cfe108f7922d0d02d72", "type": "query", "version": 108 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "rule_name": "First Time Seen Account Performing DCSync", "sha256": "6efcf236f3f9c9963fb10ebd45d9b9de86581067dc5b3515bab1cdc720278271", "type": "new_terms", "version": 119 }, "5c81fc9d-1eae-437f-ba07-268472967013": { "rule_name": "Segfault Detected", "sha256": "6ae08cb11476bde01a0bc5e23c18dbeb3c64c7f9f56cadc416776d004a3f3938", "type": "query", "version": 4 }, "5c832156-5785-4c9c-a2e7-0d80d2ba3daa": { "rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory", "sha256": "f60eb9f78e9b31ecc263168312144052efe7d3d67430d9e8e4bc68396f433f20", "type": "eql", "version": 106 }, "5c895b4f-9133-4e68-9e23-59902175355c": { "rule_name": "Potential Meterpreter Reverse Shell", "sha256": "499e822266c7a93e65eed7dd53f2d4762b9ede773ae711da386d2dd215831704", "type": "eql", "version": 12 }, "5c983105-4681-46c3-9890-0c66d05e776b": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "73a2b26e4a677c2f45db8dfe14c180513fa2b5b51e66828388e71dd909955e75", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Linux Process Discovery Activity", "sha256": "e6d2c1bb66e9d94d5a0fc9e25fe3d8dd9a75eb35f100ed631a3df105e5748711", "type": "machine_learning", "version": 207 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "rule_name": "Potential Defense Evasion via PRoot", "sha256": "e1ae2e1cbed489a77754e6fab8a50f37f6de818e6fa2ca20d8096664e8add36c", "type": "eql", "version": 112 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "26553adf03310ab42539ce968440da4d62fc1fd18788e3d2f13aab321c9255db", "type": "eql", "version": 215 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "rule_name": "User Added to Privileged Group in Active Directory", "sha256": "f804eba2756db8092e43ff3affebdb403dbdc631098bebd3cdaf6ba3829b043e", "type": "eql", "version": 217 }, "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "rule_name": "Persistence via PowerShell profile", "sha256": "bc50204842263093d6d6ad331922bf865f62b4a06b43ef3f9321955c32ad22ea", "type": "eql", "version": 215 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { "rule_name": "Persistence via Login or Logout Hook", "sha256": "e818c9edc963124f3fe4b690ac99f23981b4899d2ec0bbbffbb93c5590b8756b", "type": "eql", "version": 112 }, "5d1c962d-5d2a-48d4-bdcf-e980e3914947": { "min_stack_version": "9.3", "rule_name": "Forbidden Direct Interactive Kubernetes API Request", "sha256": "d27959c1650287e616fb7b235e828792e56a049f59244ffc1d56ad66b4b99d32", "type": "eql", "version": 3 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "c06d312788de6b526b2eda5008ba2de688020524b0142b2a077d564b7141a2e8", "type": "eql", "version": 216 }, "5d676480-9655-4507-adc6-4eec311efff8": { "rule_name": "Unsigned DLL loaded by DNS Service", "sha256": "ce96526f1173cee77a4a1a49988e5b43cac66b19bc7f0e268d904961da06ddc3", "type": "eql", "version": 108 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "rule_name": "Suspicious Automator Workflows Execution", "sha256": "7a9ce14eef48ed766c137dbe638528f60bbfd889852e3b0e0251ed30b6ed4b98", "type": "eql", "version": 112 }, "5e161522-2545-11ed-ac47-f661ea17fbce": { "rule_name": "Google Workspace 2SV Policy Disabled", "sha256": "048a359ddaed92e5d025d84b05ee14e0aeb65e3c2f980eefac7cd3196a48085b", "type": "query", "version": 111 }, "5e23495f-09e2-4484-8235-bdb150d698c9": { "rule_name": "Potential CVE-2025-33053 Exploitation", "sha256": "d05a70b154a7b84b4788d0e7a9beb17cf0b147169da42a8f48bafb328c5e8403", "type": "eql", "version": 3 }, "5e4023e7-6357-4061-ae1c-9df33e78c674": { "rule_name": "Memory Swap Modification", "sha256": "84ab5ac7a9d4da0254311ffb718735490af81e6cb6c191ead1f08277e7a520e9", "type": "eql", "version": 108 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Deprecated - M365 Teams Guest Access Enabled", "sha256": "266a162de1fb161531696272816f4b94596b9e60e70a673859f3162efb4333e6", "type": "query", "version": 214 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { "rule_name": "Potential PrintNightmare File Modification", "sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933", "type": "eql", "version": 100 }, "5eac16ab-6d4f-427b-9715-f33e1b745fc7": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Process Detected for Privileged Commands by a User", "sha256": "1d71fb265ec9c3ff73874aa4beadd56455b47e89abd56102a39fe0cc342da6af", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Process Detected for Privileged Commands by a User", "sha256": "5ec3183a9be36f68aded429224d36cce68ddfb8a955fcc82adb868c3880f0b8c", "type": "machine_learning", "version": 104 }, "5f0234fd-7f21-42af-8391-511d5fd11d5c": { "rule_name": "AWS S3 Bucket Enumeration or Brute Force", "sha256": "b03598902c032a90bd8c08caf8f74055975dd2b075bd845d15f0d4093459f506", "type": "threshold", "version": 9 }, "5f2f463e-6997-478c-8405-fb41cc283281": { "rule_name": "Potential File Download via a Headless Browser", "sha256": "243733569b61c9258414f81794aa80af97b0ce2a578f54cb1fc3eb3b6ffc5deb", "type": "eql", "version": 209 }, "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { "rule_name": "Potential Docker Escape via Nsenter", "sha256": "9b1fac0383ed7d24fc3004e580cec7bd3f701dee9659155fe2a61132c4c6280e", "type": "eql", "version": 5 }, "5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891": { "rule_name": "NetSupport Manager Execution from an Unusual Path", "sha256": "f49bf2a2ea1c32cc3ab338dd4e8f8b582091b3afe242ad98d6e048aed2256252", "type": "eql", "version": 3 }, "60884af6-f553-4a6c-af13-300047455491": { "rule_name": "Azure Compute VM Command Executed", "sha256": "8adae74085d1b365f947e33813e55390fedd6e9a18b0a155e3bc3ca16f8b6bb3", "type": "query", "version": 108 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { "rule_name": "Entra ID Service Principal Created", "sha256": "53b3bb3ed81272c5cd748118879a25c793a01b0a8bad0cf6cf57a42745b3ba2b", "type": "query", "version": 110 }, "60c814fc-7d06-11f0-b326-f661ea17fbcd": { "rule_name": "M365 Threat Intelligence Signal", "sha256": "c39e4b442c100c558bad0866d26a3af772db700ab66c684e39f81c52511c464e", "type": "query", "version": 4 }, "60da1bd7-c0b9-4ba2-b487-50a672274c04": { "rule_name": "Discovery Command Output Written to Suspicious File", "sha256": "272a08b491e9e0ed926f59f6e233f7e3a98e77d56dc61ce20e65ccc863a87d4e", "type": "eql", "version": 2 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { "rule_name": "Deprecated - M365 Exchange DLP Policy Deleted", "sha256": "b61525284954c4fc0497d4722706527fd82f0c909a0d9d5d8436eb4eb64c73eb", "type": "query", "version": 214 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { "rule_name": "Unusual Process Network Connection", "sha256": "20c0a63a1c617c1d92a564858fc23ec78f1cd2737c5ea492135d8d6d73d6cf20", "type": "eql", "version": 213 }, "61336fe6-c043-4743-ab6e-41292f439603": { "rule_name": "New User Added To GitHub Organization", "sha256": "20989b28438ebb27b577cc7e27b4a8fddb5f0e786199089dbf791275399a39f7", "type": "eql", "version": 207 }, "616b8d00-05f8-11f1-8f33-f661ea17fbce": { "rule_name": "Entra ID Service Principal Federated Credential Authentication by Unusual Client", "sha256": "b8a0677840e2ac54c009dfc71b670853c992e15ab05a71bbbeed68c4b46d35e3", "type": "new_terms", "version": 3 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "rule_name": "Interactive Logon by an Unusual Process", "sha256": "89c4a7e78c150d6be51a0ac7825e8c185a6b6079831022b8ba59a2cfd77f7047", "type": "eql", "version": 108 }, "618a219d-a363-4ab1-ba30-870d7c22facd": { "rule_name": "FortiGate FortiCloud SSO Login from Unusual Source", "sha256": "1633c7aa0014d0a78d937ad7c074f29e3aae5b3ddaf38ce799a5141b9cdebaec", "type": "esql", "version": 4 }, "618bb351-00f0-467b-8956-8cace8b81f07": { "rule_name": "AWS S3 Bucket Policy Added to Allow Public Access", "sha256": "3add80c1e8b09bdfcf8f584070eca230034c9b21f79833ba3fe4693e6f61f11c", "type": "eql", "version": 3 }, "61ac3638-40a3-44b2-855a-985636ca985e": { "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "be24ceae2afa9baef47813fd03666ea34a8f4036452bf224e709f3f059656acb", "type": "query", "version": 320 }, "61c31c14-507f-4627-8c31-072556b89a9c": { "rule_name": "Mknod Process Activity", "sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea", "type": "query", "version": 100 }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "6383b77739e2749c866d9629ec58d853e848460e9543fa91f5fc5bdfb1ed81f9", "type": "eql", "version": 218 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "e0477a60892cad9da6b82baf80a54de4df04b8f72415f9f443b405c02849bc35", "type": "threshold", "version": 211 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "42257f22a246a40f1b6a636be55d328756204c2ab6229c57d6bed4129300b5df", "type": "eql", "version": 211 }, "627374ab-7080-4e4d-8316-bef1122444af": { "rule_name": "Private Key Searching Activity", "sha256": "79f110a532df654130e63c8b81f83d83d968d2789069f0c82d5fc5cd50e602da", "type": "eql", "version": 107 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { "rule_name": "Account Configured with Never-Expiring Password", "sha256": "9b330c0df477e18fc4f7752d72e5b9bd2518f96989dc84c247943246459ff92c", "type": "eql", "version": 217 }, "62b68eb2-1e47-4da7-85b6-8f478db5b272": { "rule_name": "Deprecated - Potential Non-Standard Port HTTP/HTTPS connection", "sha256": "ed5ff57cbeb63400deadf4043db9a50648c79985b315214fa0826a98bc3f6839", "type": "eql", "version": 9 }, "62ba8542-1246-4647-9b84-98aa1bc0760a": { "rule_name": "Persistence via Suspicious Launch Agent or Launch Daemon", "sha256": "e96f8422546d427d174b67e32e22f9f294338e62a32b312144be86d8f54cbf31", "type": "eql", "version": 1 }, "63153282-12da-415f-bad8-c60c9b36cbe3": { "rule_name": "Process Backgrounded by Unusual Parent", "sha256": "030fd3f59aba85e33e9013260fe60ecd2b7e4e805aece285791cb170737d59d9", "type": "new_terms", "version": 5 }, "632906c6-ba8f-44c0-8386-ec0bbc8518bf": { "rule_name": "M365 SharePoint Site Sharing Policy Weakened", "sha256": "df946fcbb376eb3a51b2e8299075494cccd95d5229b4b956537d4f162ce80731", "type": "query", "version": 3 }, "63431796-f813-43af-820b-492ee2efec8e": { "rule_name": "Network Connection Initiated by Suspicious SSHD Child Process", "sha256": "3b0351c806161fe08412397624b92f4f969afffbb96b21e055a0631d33614a4f", "type": "eql", "version": 9 }, "63c05204-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", "sha256": "e6322acdcf8bfdea43c886c81f1d74c7982802542e500006806f52c422a951b3", "type": "query", "version": 12 }, "63c056a0-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent", "sha256": "7de86c2aa0f76814053d0f5818bc392c8c2e59db281f8891357f87d0057dfc26", "type": "new_terms", "version": 12 }, "63c057cc-339a-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent", "sha256": "298014d2796245f46bde784ce5a8c9a9bd75184e6d80bab634ae84b03fa3710c", "type": "new_terms", "version": 13 }, "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { "rule_name": "Sensitive Registry Hive Access via RegBack", "sha256": "4fba1a906dc24aa562d7f26cec26c9dcda0607ed266e8b587cfddf5a6f683d29", "type": "eql", "version": 7 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "rule_name": "Network Connection via Signed Binary", "sha256": "ba4096f48f3a66bf6278a94d26beb5dd78a438641db6fc511bf73d79bbe9986d", "type": "eql", "version": 213 }, "640f0535-f784-4010-b999-39db99d2daeb": { "rule_name": "Potential Git CVE-2025-48384 Exploitation", "sha256": "96a8f21a03b2eacdcb3c26f34ea7073e5fb7b7804eab2e552278f4b9a8524d75", "type": "eql", "version": 2 }, "640f79d1-571d-4f96-a9af-1194fc8cf763": { "rule_name": "Dynamic Linker Creation", "sha256": "a3ad27a4e1aba1d93a8fcff149f1e5ae7d0563416aa19c3e8221f2661ddface0", "type": "eql", "version": 9 }, "642ce354-4252-4d43-80c9-6603f16571c1": { "rule_name": "System Public IP Discovery via DNS Query", "sha256": "dadbb6d434afb19f97ab0d84b81956da85c5714c7113d0f80e6e22d72df1407b", "type": "eql", "version": 3 }, "647fc812-7996-4795-8869-9c4ea595fe88": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Anomalous Process For a Linux Population", "sha256": "58734d751552517001b8693378f42770573d4d066dc38f676bd455a29192c217", "type": "machine_learning", "version": 107 } }, "rule_name": "Anomalous Process For a Linux Population", "sha256": "cfbfe676b63f196bd4399206148f3a8920d108155f2abfa3c4bf59600cb422e0", "type": "machine_learning", "version": 207 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", "sha256": "c6de97f12a7345d14030b631a6baa062804944e85c22ece163742abc536d4b59", "type": "eql", "version": 112 }, "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { "rule_name": "Network Connection via Recently Compiled Executable", "sha256": "7a4ee8a9aed27286d48b832645557e5b2b3be000c4b6d33e49f64977508ff9da", "type": "eql", "version": 12 }, "64f17c52-6c6e-479e-ba72-236f3df18f3d": { "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences", "sha256": "db724e0530dad97417c3737f077e737a1dfdf44b5ae1d4621f68d2fba0a4c75d", "type": "esql", "version": 12 }, "6505e02e-28dd-41cd-b18f-64e649caa4e2": { "rule_name": "Manual Memory Dumping via Proc Filesystem", "sha256": "cc3d4c8b00317668d507150f4b0441132efe96a271f0e24182e1cf439f2bb036", "type": "eql", "version": 4 }, "6506c9fd-229e-4722-8f0f-69be759afd2a": { "rule_name": "Potential PrintNightmare Exploit Registry Modification", "sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621", "type": "eql", "version": 100 }, "65432f4a-e716-4cc1-ab11-931c4966da2d": { "rule_name": "MsiExec Service Child Process With Network Connection", "sha256": "d8cda461562a61f7ce64ed7629a070991b408f4432d740fc350a331768e162f6", "type": "eql", "version": 206 }, "65613f5e-0d48-4b55-ad61-2fb9567cb1ad": { "rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments", "sha256": "0d9923c694d6f9e84a63f6978e5c542e08285a98fca12980503e9b9e6e4e7909", "type": "new_terms", "version": 5 }, "656739a8-2786-402b-8ee1-22e0762b63ba": { "rule_name": "Unusual Execution from Kernel Thread (kthreadd) Parent", "sha256": "b755ed320d3960e63c0cc92dbb2de8e1a6292117110a7f2412799824e5118874", "type": "new_terms", "version": 4 }, "65f28c4d-cfc8-4847-9cca-f2fb1e319151": { "rule_name": "Unusual Web Server Command Execution", "sha256": "3d0ea0342f221d21119aee57a595095918d0fd86ad7f58cee311309b90fd0800", "type": "new_terms", "version": 3 }, "65f9bccd-510b-40df-8263-334f03174fed": { "rule_name": "Kubernetes Exposed Service Created With Type NodePort", "sha256": "b25056edc655b86fef84b34e0ac3641910735b515a07aedaa5f68db48b4f6937", "type": "query", "version": 209 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { "rule_name": "Attempt to Mount SMB Share via Command Line", "sha256": "7596d477c75194501eab55a1d56dbc23f408e9b52f0d6e9477fa3caf989cd8e1", "type": "eql", "version": 112 }, "66229f32-c460-410d-bc37-4b32322cd4bb": { "min_stack_version": "9.3", "rule_name": "Service Account Token or Certificate Read Detected via Defend for Containers", "sha256": "42652c071cbc82b5d5b670ff8b27255c0e0da12b974caa887303d2f29b94ed4f", "type": "eql", "version": 3 }, "6631a759-4559-4c33-a392-13f146c8bcc4": { "rule_name": "Potential Spike in Web Server Error Logs", "sha256": "e61b3bdfbbae99ac498171b194cea724b8e328dca23b9288ceda1d39ac1355d0", "type": "esql", "version": 4 }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "rule_name": "Suspicious Termination of ESXI Process", "sha256": "a7ac6a2e16d97312a1f7e3689e445d816e61c1b2556bd4fc7d7a784553b57be0", "type": "eql", "version": 12 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "c8b7ed1cedb954e68d572f77deae21770e0c4204727df0625f6c6f1e66411a6b", "type": "new_terms", "version": 210 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "rule_name": "WebServer Access Logs Deleted", "sha256": "46b302e1052795242c5c6996364c7327c196bff092c53ab16033cb472970e7a3", "type": "eql", "version": 211 }, "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "rule_name": "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected", "sha256": "af55f3437d949d59400578ea1514295bd1960458ff28643620ab709ce16f75c9", "type": "eql", "version": 11 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "rule_name": "Connection to Commonly Abused Web Services", "sha256": "04483092ea7111ceb52a82ec96688eb7a5720d3ed3caf36c7e6e078b4713255c", "type": "eql", "version": 131 }, "66c058f3-99f4-4d18-952b-43348f2577a0": { "rule_name": "Linux Process Hooking via GDB", "sha256": "766af4a5b4b8dee8f8ef9498c1f216ad14f6f4755a93fd323998698d1ea1eb05", "type": "eql", "version": 108 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "42588eba4cedbc1d14e04f7d2306290a2b24362be89e2d67847e34d5a2348eae", "type": "eql", "version": 212 }, "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "a70d87036505f114e41a399e3573e388e43a05046ff89eea597353a7778de895", "type": "query", "version": 120 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "rule_name": "Attempt to Modify an Okta Policy", "sha256": "f71ab483864d71a48cf0507edbbd3dff6d995b6508879227e0b7e250970c8097", "type": "query", "version": 415 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "M365 Exchange Mailbox Audit Logging Bypass Added", "sha256": "9e19b7471a462cb1508940d24058f3413af1a9726f051383aea06f04e4d56d76", "type": "query", "version": 213 }, "6756ee27-9152-479b-9b73-54b5bbda301c": { "rule_name": "Rare Connection to WebDAV Target", "sha256": "92dc23143cbc051ac463e1539ef050749a186cdfe3109f3ac86c9460ddd6f70b", "type": "esql", "version": 8 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", "sha256": "e6ecd90c1ffa19eca2a67af1b6c71e975b28190e2c7f1f5c14e41903155bbe1b", "type": "query", "version": 414 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", "sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d", "type": "query", "version": 100 }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { "rule_name": "High Number of Process Terminations", "sha256": "d4b68db35dd8a14409e6834fd97cc1e2a3b99967615f1f2270ae10e6d04dc2b3", "type": "threshold", "version": 118 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", "sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9", "type": "eql", "version": 100 }, "6839c821-011d-43bd-bd5b-acff00257226": { "rule_name": "Image File Execution Options Injection", "sha256": "4abbdf2842ee1bcb6bdcb3f3b63039758c8b7295afb207b98f0304bc9077d56b", "type": "eql", "version": 315 }, "684554fc-0777-47ce-8c9b-3d01f198d7f8": { "rule_name": "M365 Exchange Federated Domain Created or Modified", "sha256": "ff4eb2e457d5e3ebe7454a8eb3478eb11c7a177531c3ddd4ab3336c25709cc38", "type": "query", "version": 214 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "944fb024ccefc8bb13bca9d85069633c0bd5b285d5b4e1fc8045e2bc1b44d5b1", "type": "query", "version": 413 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "7f9baf27023307f44d511ff57ee099cdad40f2129fc367ca76d75a969c89d1a1", "type": "eql", "version": 317 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { "rule_name": "Google Workspace Admin Role Assigned to a User", "sha256": "beb7c099e4c87d3147444605e39e6fb2a85af130454c62d43ae6eba5307ce395", "type": "query", "version": 211 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "f7eb5ecf08a0a74de530a080fd2441011bc3c38249a554220b2e2d15494fb386", "type": "eql", "version": 212 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "rule_name": "AWS CloudWatch Log Group Deletion", "sha256": "ca809a6bd6c5e473da5a47132318262a0953bf2a6bf09e1a3bcf772bcdea2d77", "type": "query", "version": 215 }, "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "f279475dc730bc14f2dfd1ac9bc7084af731d369aaac73cf5fc818804da8e062", "type": "eql", "version": 110 }, "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { "rule_name": "AWS RDS DB Snapshot Created", "sha256": "ad69aa058d530466a81bf883cda42a241f9ad8a415e5291d1aea004a51787720", "type": "query", "version": 3 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "1b42f6edf559e3d2b60263d34ea41d60e23f6ac770cfd98134dd27d88a284084", "type": "eql", "version": 214 }, "68e90a9b-0eab-425e-be3b-902b0cd1fe9c": { "rule_name": "Suspicious Path Mounted", "sha256": "c0ba7548cc496aae440498c2f64657c17215d4d8c1fc31821b516a0e55804eb3", "type": "eql", "version": 3 }, "6926b708-7964-425f-bed8-6e006379df08": { "rule_name": "FortiGate SOCKS Traffic from an Unusual Process", "sha256": "d649b848c5586e36017ccecc790367c99ca06795b3a429e69b524a3653d2bd55", "type": "eql", "version": 3 }, "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "sha256": "746b43837e7ae358433e6c7a94c73a422528fb56a1902ab5a8be4999867587d0", "type": "query", "version": 113 }, "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "rule_name": "AWS IAM User Created Access Keys For Another User", "sha256": "a9bc6c80faa8050ae1541d7eee9897b8fbdb2612cca00069af0033e33a4817b1", "type": "esql", "version": 13 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85", "type": "threat_match", "version": 204 }, "69c116bb-d86f-48b0-857d-3648511a6cac": { "rule_name": "Suspicious rc.local Error Message", "sha256": "9454ca1b21ce6bfe21d078e24b4f7889fa8857ff6d3aee43af4c4ffae0519891", "type": "query", "version": 8 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", "sha256": "afc10ab90f42c4075c81973e33977dfced66e7b5da2b5a85c40e181edfa63058", "type": "eql", "version": 316 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "rule_name": "AWS Sign-In Root Password Recovery Requested", "sha256": "7b5ac4f195b8c0bbcc320b3d13f89fa4e87ebc1dda5d046a05b109076ae52048", "type": "query", "version": 213 }, "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { "rule_name": "Attempt to Disable Auditd Service", "sha256": "b5bf8c334323c23629142910af291aa50391c82eed1b8a9f7c51e8d40d09d95d", "type": "eql", "version": 106 }, "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { "rule_name": "AWS EC2 AMI Shared with Another Account", "sha256": "38688952422703a3d3b321bdf3df09ef1d9a20fe5477a4b7a6bead6e6c13dcd7", "type": "query", "version": 7 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "f7c6d6964c3063f4a75d0ad2dd294083ed44eb61f6393e97482687d8b587d708", "type": "eql", "version": 315 }, "6aace640-e631-4870-ba8e-5fdda09325db": { "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "0e421040f2de589edbc8b55db8ee6a3865f670eccc1b4c5e9cc39c27d5b2e377", "type": "eql", "version": 423 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "rule_name": "Suspicious Utility Launched via ProxyChains", "sha256": "59a05181f1febc098b481acbd5cbd5725a57456d619a875909a207d3929c2b9c", "type": "eql", "version": 113 }, "6b341d03-1d63-41ac-841a-2009c86959ca": { "rule_name": "Potential Port Scanning Activity from Compromised Host", "sha256": "e113a73efc518c41b6df6bd67190ab672c30b13dbda77e7e3445ed9d8e54c13f", "type": "esql", "version": 12 }, "6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf": { "rule_name": "Suspicious Curl to Google App Script Endpoint", "sha256": "25885ed63993320aa591be8ec7247e8cc1829c062e58638919cafebcf46b1d04", "type": "eql", "version": 2 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", "sha256": "b4b1d4f080ee2f9ae817ac8f03b7e3665f07014ce68c646701880b9ad6378f45", "type": "new_terms", "version": 214 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "411e56079688143dac201cc66fee2dd6b1e6a533df93203d4e3f5c056e6646be", "type": "eql", "version": 214 }, "6c6bb7ea-0636-44ca-b541-201478ef6b50": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Deprecated - Container Management Utility Run Inside A Container", "sha256": "dd5a08e03197da48709653f75417252ff3f50846d7c1925b2b9a6880fd5489cc", "type": "eql", "version": 4 } }, "rule_name": "Container Management Utility Execution Detected via Defend for Containers", "sha256": "914c8911ec926b779845b78a8a67ea55b68742b53eeed37aeece8e781654f707", "type": "eql", "version": 105 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "413515468916ea9977f82c881044a80545cce0cb54435a0b57493530e91809a5", "type": "eql", "version": 314 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { "rule_name": "GitHub Repo Created", "sha256": "53e7e459aac5ef6a3b6aa399a0afefb7b4ec4727ffc73d731a6b4344b0b83431", "type": "eql", "version": 207 }, "6cf17149-a8e3-44ec-9ec9-fdc8535547a1": { "rule_name": "Suspicious Outlook Child Process", "sha256": "24294021daf4daac36d25201ce441fdef000f6859d77838c88d1b4c620d1c902", "type": "eql", "version": 5 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 315, "rule_name": "Unusual Process For a Windows Host", "sha256": "c12d3d95f0d7c995800fde4303065b27add02c60576194f2f91d0515e2aa519c", "type": "machine_learning", "version": 216 } }, "rule_name": "Unusual Process For a Windows Host", "sha256": "9342a3ec46ad8d944851a0ed0e81e1916668c1c67eb353a745fdabb4ddd0d70e", "type": "machine_learning", "version": 316 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", "sha256": "52515d5e9039aa01279cbaea65ab4da9d7718f306506f0a16edabfcb918a1a7d", "type": "eql", "version": 9 }, "6da6f80f-fe41-4814-8010-453e6164bd40": { "rule_name": "Suspicious Curl from macOS Application", "sha256": "3b2cab38c63f83f8b75a1a46cc2952021ecb6c26c6c258ef2158796eb2b26a89", "type": "eql", "version": 2 }, "6ddb6c33-00ce-4acd-832a-24b251512023": { "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse", "sha256": "eff0f62ddd3e0af974bfb14ab0530dd3f3a2a50d19bb8323fca26a786c9f7542", "type": "esql", "version": 12 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { "rule_name": "Root Certificate Installation", "sha256": "0f941a4eec0eae5e8eafaea7a2a635dfc143067d98587953b98d26e0c1e891cd", "type": "eql", "version": 106 }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "rule_name": "First Time Seen Remote Monitoring and Management Tool", "sha256": "9ec7d753b697c54652c65201dc1dcd09e6fdc59686ea6113b73fc595265689fb", "type": "new_terms", "version": 117 }, "6e2355cc-c60a-4d92-a80c-e54a45ad2400": { "rule_name": "Loadable Kernel Module Configuration File Creation", "sha256": "dfa88fafc1898a28d3c0b60e028940c7c8bf94c78ffec613d0a7fb9d99618482", "type": "eql", "version": 6 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 310, "rule_name": "Anomalous Process For a Windows Population", "sha256": "0e4aee03edacf69e9198f2b0c2990d55cea3c4c8807f745eeaada13da2490dac", "type": "machine_learning", "version": 211 } }, "rule_name": "Anomalous Process For a Windows Population", "sha256": "1e7c0617e681eb446d4f478862986e4d1a36fd313f0832c4b7a9a09033adb6d9", "type": "machine_learning", "version": 311 }, "6e4f6446-67ca-11f0-a148-f661ea17fbcd": { "rule_name": "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)", "sha256": "305c77756be1aa3ebef6c4519ccf07b2c84119e59377b3bba5a957090f6843c9", "type": "query", "version": 1 }, "6e5189c4-d3a5-4114-8cb3-bd3a65713f19": { "rule_name": "System and Network Configuration Check", "sha256": "362706edae4c15e704ffd619c77917cdbb538f4a44606d6f6c6632301bb6750c", "type": "eql", "version": 2 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "rule_name": "AdminSDHolder Backdoor", "sha256": "dc6bffc49011189309e7b9497e36f0d750f096ab012779a4e963c370a87370a0", "type": "query", "version": 215 }, "6e92a21a-58e7-449a-9cfd-9f563f59ac88": { "rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host", "sha256": "2721e5e930982a6897a8da41631c6208072d6a03cb7bd026ece1d156d5308d26", "type": "esql", "version": 5 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { "rule_name": "Enumeration of Users or Groups via Built-in Commands", "sha256": "ab4fc675056ec570e1d0fcee0b5dade33ef3d33131e6bf6d225cffcf9d59ab10", "type": "eql", "version": 213 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "rule_name": "Potential Windows Error Manager Masquerading", "sha256": "4f362555c866031271f8abb08e9f19566d14cb22bd946bed7430bca32e1d9ca1", "type": "eql", "version": 215 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "rule_name": "Security Software Discovery using WMIC", "sha256": "1a271b28efc2579203a371e1810f70f4c164c9030910f0cc18297ec982ee80a5", "type": "eql", "version": 217 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", "sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622", "type": "query", "version": 100 }, "6eb862bb-013d-4d4f-a14b-341433ca1a1f": { "rule_name": "Unusual Exim4 Child Process", "sha256": "7e0456ccada902df35ecfeda239bfbc50dfd31a0dc386834fb8f2ea91eb4039d", "type": "new_terms", "version": 4 }, "6ee947e9-de7e-4281-a55d-09289bdf947e": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding", "sha256": "97da24e60bffad5b475a89da7cb4210ecec866dcac2b9017ae9bc655d0a947be", "type": "eql", "version": 115 }, "6f024bde-7085-489b-8250-5957efdf1caf": { "rule_name": "Active Directory Group Modification by SYSTEM", "sha256": "76b7e15f05c16a73302c84e24542e26b21f45b57610fde617b93be59af49017c", "type": "eql", "version": 108 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", "sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5", "type": "query", "version": 100 }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "87db5b1008a9782f6cdf83f6404d979b3324bcc547da1c4228118130307d4f8f", "type": "new_terms", "version": 212 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", "sha256": "50ac1ff7656d514815a0c4e4c39c449371e045968bc2d901f7d696b6bfaeceba", "type": "query", "version": 210 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { "rule_name": "Linux Restricted Shell Breakout via the find command", "sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6", "type": "eql", "version": 100 }, "6fa0f15b-1926-419b-8de2-fce1429797ba": { "rule_name": "Suspicious SeIncreaseBasePriorityPrivilege Use", "sha256": "2dc11ea177c7c2f16472de6dbab833afbf3a072256b6d50918a81d0ff453de33", "type": "query", "version": 2 }, "6fa3abe3-9cd8-41de-951b-51ed8f710523": { "rule_name": "Web Server Potential Spike in Error Response Codes", "sha256": "27e2f30dca9a09abd668da24cbc5efaf03c1466422e00b09ec2d3c29f085da0e", "type": "esql", "version": 5 }, "6fb2280a-d91a-4e64-a97e-1332284d9391": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Spike in Special Privilege Use Events", "sha256": "9774db65e26243e3f10e5b6d0e36b4993c05c3829a7b6333476c120ac88fa3c7", "type": "machine_learning", "version": 4 } }, "rule_name": "Spike in Special Privilege Use Events", "sha256": "838b61827d24324be69e2a9674684812960a9c05f5a20d8913051d9a8ae60821", "type": "machine_learning", "version": 104 }, "6fcb4fe4-ac74-449d-855b-2bbd5c51c476": { "rule_name": "Multiple Vulnerabilities by Asset via Wiz", "sha256": "0610ae726a3381c2a47b8847eccbe0161250a1617583d4adc8aa5389802803bc", "type": "esql", "version": 3 }, "70089609-c41a-438e-b132-5b3b43c5fc07": { "rule_name": "Git Repository or File Download to Suspicious Directory", "sha256": "cbf5324511ebf3d256beb8dd0237adcb4d5d5057979ca6751efcf7a7e11f8152", "type": "eql", "version": 4 }, "7020ff25-76d7-4a7d-b95b-266cf27d70e8": { "rule_name": "Interactive Shell Launched via Unusual Parent Process in a Container", "sha256": "f71732f04d4bb9024781631a563a70bc613f39033a63805b0e4f5383ed9f5398", "type": "new_terms", "version": 3 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { "rule_name": "AWS CloudTrail Log Deleted", "sha256": "ef329416e88fd93ee0e0517742245b288bd8c1cd49172672a51d8b93a6a83875", "type": "query", "version": 216 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "rule_name": "AWS Config Resource Deletion", "sha256": "3fa1996d6fb2e966a0696cc5971c64d5a29c229f00cf24cf2ef9fa58cc3f261e", "type": "query", "version": 214 }, "70558fd5-6448-4c65-804a-8567ce02c3a2": { "rule_name": "Google SecOps External Alerts", "sha256": "3875d92943fd3bd7e6de3c62cedde504db8217fbfd89d59c6a6e5afa159386d3", "type": "query", "version": 1 }, "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "65980fe1ae4be0bcb253357e4e833ea08e6cf9acc68b212beaf62c43948c1e50", "type": "eql", "version": 105 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "rule_name": "Persistence via WMI Standard Registry Provider", "sha256": "dc2e28cbbbea2af5186b2e45d7fa37497ae783a755934eea904b531ac9f88b16", "type": "eql", "version": 113 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "sha256": "eee78f93f7aeeb4b4f0ea1b35b303f8ee2141b44381b92e735a4e4cf30039209", "type": "eql", "version": 111 }, "713e0f5f-caf7-4dc2-88a7-3561f61f262a": { "rule_name": "AWS EC2 EBS Snapshot Access Removed", "sha256": "98bb1d28c3cc0f6c239a56a9034dfea2bebed6256e2716dcf375e509c4de8ebd", "type": "eql", "version": 7 }, "7164081a-3930-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", "sha256": "f6ead63e1234253e25aea1bb53b931f40995439f8381bf0772392858405f8080", "type": "query", "version": 12 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { "rule_name": "Modification of Dynamic Linker Preload Shared Object", "sha256": "48698d164ee9ef1e5911162525352f757091d4171f69f61e66b484e3292a3312", "type": "new_terms", "version": 215 }, "71bccb61-e19b-452f-b104-79a60e546a95": { "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "9b65d29fa4cc5f9c11bea2a136e01f88ea77400beade01ab8c4bd36dbed7bb4d", "type": "eql", "version": 324 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "7c65898dade61844fe46d042846acb9ef9efc5f9db5d01aa35cdffc5e0069b05", "type": "eql", "version": 214 }, "71d6a53d-abbd-40df-afee-c21fff6aafb0": { "rule_name": "Suspicious Passwd File Event Action", "sha256": "6f10456533b056d27a062e3cd7f1b222441c8c716455684202ebbc452087ad19", "type": "eql", "version": 8 }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", "sha256": "0d241c897dd9c807d936d644c16d714e96efa6b0d3a0742664dc6a58b71cc197", "type": "eql", "version": 9 }, "720fc1aa-e195-4a1d-81d8-04edfe5313ed": { "rule_name": "Elastic Security External Alerts", "sha256": "5378d1cf9cc62c93c87fca496cb3de399093caee93924ada0c9a7fc88cb0dfee", "type": "query", "version": 2 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { "rule_name": "Deprecated - M365 Security Compliance Potential Ransomware Activity", "sha256": "d6f4b7bdab6bfe9124312ba384a8f64ac35e481f8ee848ed5a0e9ed15340afb2", "type": "query", "version": 215 }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", "sha256": "9a4a0b4c3a7765a9f5aa08a40f32fe99e81d8e88a0251547e6e9c333931bdc14", "type": "esql", "version": 7 }, "7290be75-2e10-49ec-b387-d4ed55b920ff": { "rule_name": "Suspicious Network Tool Launched Inside A Container", "sha256": "c2ba7bc1f82579e203cf13c0276ae7a02175109e13c3b84aa194fb79ac1745b3", "type": "eql", "version": 4 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "f4492ee7450c2a4666b4a18506e59ba9cb9d94cc04f8edbcd923c1dfd1580dd5", "type": "query", "version": 415 }, "72c91fc0-4ac0-11f0-811f-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Non-Managed Device", "sha256": "1813453768a993697cc1479da5b1308872b3f2f780e62c10476e0809dca043f7", "type": "new_terms", "version": 3 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", "sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6", "type": "eql", "version": 100 }, "72ed9140-fe9d-4a34-a026-75b50e484b17": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", "sha256": "527d4c975ef02b353316848967aa3a17c73dd08fb1948043078733d94aa336dd", "type": "new_terms", "version": 4 }, "7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8": { "rule_name": "Newly Observed Elastic Defend Behavior Alert", "sha256": "991c0b527369d84cb5ee39d4b00d92c6f07f1ea690d1589e4b8a2324575ff59e", "type": "esql", "version": 3 }, "730ed57d-ae0f-444f-af50-78708b57edd5": { "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "1e8acd425801d27306a75395ad7553fa89218783a9d5978e7cc46f96b06ee580", "type": "eql", "version": 210 }, "7318affb-bfe8-4d50-a425-f617833be160": { "rule_name": "Potential Execution of rc.local Script", "sha256": "529e1dbda15b3376095352d027735777a2397abe273d5ddbb29f3d1bd7214944", "type": "eql", "version": 7 }, "73344d2d-9cfb-4daf-b3c5-1d40a8182b86": { "rule_name": "AWS API Activity from Uncommon S3 Client by Rare User", "sha256": "4613606a794054e2bcc448e1d406d42931e2fe1c4b16baf16da9c7202686428f", "type": "new_terms", "version": 3 }, "734239fe-eda8-48c0-bca8-9e3dafd81a88": { "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent", "sha256": "77e205ee183f6c0e0cde587784b03809024a7e9b5cc57a8f974dd2ce582aaaef", "type": "eql", "version": 7 }, "737626a2-4dca-4195-8ecd-68ef96fd1bad": { "min_stack_version": "9.3", "rule_name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers", "sha256": "eb5c59bba857613a7fb8d8110f1155d944972005c6f68ebc4ea9fec1a1a12df4", "type": "eql", "version": 2 }, "737b5532-cf2e-4d40-9209-d7aec9dd25d5": { "rule_name": "Potential PowerShell Obfuscated Script via High Entropy", "sha256": "5708605ae509a80e9e65f2dbe00db765afb07010b91d983c26301632cb269bf1", "type": "query", "version": 3 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "21a540abdca1fa56360f1f68e121ab1cc3feebfc055b9922cca7e2f49bfca3b0", "type": "eql", "version": 217 }, "74147312-ba03-4bea-91d1-040d54c1e8c3": { "rule_name": "Microsoft Sentinel External Alerts", "sha256": "a34a03f8ae7aa0e2dd7e603598ea2a6ce21901318fe406e2e71b9bb9a42f8d8f", "type": "query", "version": 1 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", "sha256": "a9d6c1c782deeaef26911bdcca095460eb5de2281e53e7079c6db36ac880dd22", "type": "eql", "version": 211 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Hour for a User to Logon", "sha256": "cad0a70827a88e131e905da0a07e883407cc68f8408f036139f4501e8e78b192", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Hour for a User to Logon", "sha256": "ac721977de331da992d8c388a41ca573de3fa2661d93b6d29a41a90a9bc1d896", "type": "machine_learning", "version": 207 }, "746edc4c-c54c-49c6-97a1-651223819448": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Unusual DNS Activity", "sha256": "e1aabfdf1dee210cd9bc10313dc7768d22ebcda60d7349abe52426f526903db3", "type": "machine_learning", "version": 108 } }, "rule_name": "Unusual DNS Activity", "sha256": "25d810e576a232cff1b05e8e1cafc5777193188de0f8be7a9f076a6512e89705", "type": "machine_learning", "version": 208 }, "74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61": { "rule_name": "Long Base64 Encoded Command via Scripting Interpreter", "sha256": "dd5b413bc795678ac76282ad2b90729974c94632a7d245e19db1783c66b64d64", "type": "esql", "version": 1 }, "74e5241e-c1a1-4e70-844e-84ee3d73eb7d": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 101, "rule_name": "Kubectl Workload and Cluster Discovery", "sha256": "90a45d01eaf0d5df552f32551a7a4d7d49f2b95c746968de7fb580c322514b34", "type": "eql", "version": 2 } }, "rule_name": "Kubectl Workload and Cluster Discovery", "sha256": "3fb59d0debefff5c213a62421bae47af81fdede0f7c3848bdfca03c7fd031d20", "type": "eql", "version": 103 }, "74ee9a2d-5ed3-40c8-9e6c-523d2e6a17ef": { "min_stack_version": "9.3", "rule_name": "DNS Enumeration Detected via Defend for Containers", "sha256": "c5699f232d2c200ebee161e0ddfb53f45756ab0e1b8961965e65a95f0993eee1", "type": "eql", "version": 2 }, "74f45152-9aee-11ef-b0a5-f661ea17fbcd": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 106, "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", "sha256": "e43ca4e552859a703fda789890e9beecc00906c3805250b4156acc7bc56b7cbc", "type": "esql", "version": 9 } }, "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", "sha256": "86a8f77e493766f2573af3fd44aa5355acd0aee0ec046bc6bee7f1022fea8ab1", "type": "esql", "version": 109 }, "751b0329-7295-4682-b9c7-4473b99add69": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 104, "rule_name": "Spike in Group Management Events", "sha256": "46dbe1f415014fc4ff087fd37f1d098ed96134081a662bb61724fb2e6c4e779c", "type": "machine_learning", "version": 5 } }, "rule_name": "Spike in Group Management Events", "sha256": "6111ce5b8cc57029859f4d7d1f13628833682f103a77863112e446c6c0cc6f3e", "type": "machine_learning", "version": 105 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", "sha256": "9fc432aa9a279cced87c9fda16b8665d2628e1dab0015863865b7afb8f2a813a", "type": "new_terms", "version": 112 }, "75c53838-5dcd-11f0-829c-f661ea17fbcd": { "rule_name": "Azure Key Vault Unusual Secret Key Usage", "sha256": "697c251dced5fdee5d4b9057aa2f791ab784595cc2b812fc403b7fe96b202bb8", "type": "new_terms", "version": 4 }, "75dcb176-a575-4e33-a020-4a52aaa1b593": { "rule_name": "Service Disabled via Registry Modification", "sha256": "69703b792212ac650f5366d9c9672d3727d599a31dc333a09e730b29acaff933", "type": "eql", "version": 6 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "rule_name": "Web Application Suspicious Activity: Unauthorized Method", "sha256": "134c4594176dbca2b7f74074f945c476a08d79d6a308778f0f010a173d7a48da", "type": "query", "version": 105 }, "75f9b95f-370b-4ff3-a84c-66d9ec0b84eb": { "rule_name": "Nsenter to PID Namespace via Auditd", "sha256": "f88c26dc7d5fb9ad8dc2e4c143876eed2b3cdafaa896df247ffb58aa20da89be", "type": "query", "version": 1 }, "76152ca1-71d0-4003-9e37-0983e12832da": { "rule_name": "Potential Privilege Escalation via Sudoers File Modification", "sha256": "b1b0ac8a275f03a9e4f9266bdecc75a46d294a978807e76dfa46eff651b47ddf", "type": "query", "version": 108 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { "rule_name": "Kubernetes Pod Created With HostIPC", "sha256": "3873bd6f2cb62ec83ea96f063ed37b195de67943416ef7620e3e8fc66c8a5cf5", "type": "query", "version": 210 }, "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": "99fbc0670843f40742c6738d7b65a175e21e572c0104971752b9a0481f21d03b", "type": "eql", "version": 119 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "rule_name": "Creation of Hidden Shared Object File", "sha256": "fdaa141067192258d1fba1bc103d8e8971607fbf4b6aad9407dadd5afc396de9", "type": "eql", "version": 215 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "7a17f084e6192844b2f877437f8109cad8496af43a28efbf89b5d5b8a40ed209", "type": "eql", "version": 211 }, "76de17b9-af25-49a0-9378-02888b6bb3a2": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 101, "rule_name": "Unusual Country for an Azure Activity Logs Event", "sha256": "5e21adc950dc411f6f016793cc3e07955a770c3440428d18b0d8632c142e8c6e", "type": "machine_learning", "version": 2 } }, "rule_name": "Unusual Country for an Azure Activity Logs Event", "sha256": "daad53aa4c99d2d19175b91467d915c42a7f126b889c1a81734f3a78d05f6575", "type": "machine_learning", "version": 102 }, "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "rule_name": "Potential Reverse Shell via Suspicious Child Process", "sha256": "60456e0811186e9f508af57452cb7f817f28f4cee61eda0f03c1f2c5b8a81d31", "type": "eql", "version": 15 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "01ae46d4f651856933ca7c8347ea064170f254722c3796b0dff3566bcd3e9e8c", "type": "eql", "version": 421 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "0144659d5bb4aa17f606b5607bc2c8f3c8aa5e81be4a31afa402a200ff25cc34", "type": "eql", "version": 321 }, "77122db4-5876-4127-b91b-6c179eb21f88": { "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", "sha256": "c2d560f60f74a23d2e584cb249c922e56a552e5f3a1c99eda122d4d0bff70fc0", "type": "esql", "version": 12 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "Entra ID User Added as Registered Application Owner", "sha256": "c60444bf7db1c5dbe2aaa41078d472a6d0f4989088577b2fd9de8fd099b0171d", "type": "query", "version": 109 }, "7787362c-90ff-4b1a-b313-8808b1020e64": { "rule_name": "UID Elevation from Previously Unknown Executable", "sha256": "b2f265c1c6f02ff0149022c18138a9ef408fa696e50c27e9d3445721816237f5", "type": "new_terms", "version": 9 }, "77a3c3df-8ec4-4da4-b758-878f551dee69": { "rule_name": "Adversary Behavior - Detected - Elastic Endgame", "sha256": "e51927f3ba4b177d5d468bb2d7ca79af15177de99cc468aff4c790fe8b29fd75", "type": "query", "version": 106 }, "781f8746-2180-4691-890c-4c96d11ca91d": { "rule_name": "Potential Network Sweep Detected", "sha256": "8cd906472fcb1e0eab241dcb4b3e15dc1d20c8b99da3affe9cb3b454b7b9eeb6", "type": "threshold", "version": 15 }, "78390eb5-c838-4c1d-8240-69dd7397cfb7": { "rule_name": "Yum/DNF Plugin Status Discovery", "sha256": "4ee525bb41e218ef13fb88f401ac12bc1f5f99fa86cac02a671bd02fc136b7a9", "type": "eql", "version": 108 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", "sha256": "89f593e9c2cc1086cf274ad161b75d49ea5f24797707c2ace2f1890b733afdb5", "type": "query", "version": 210 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { "rule_name": "Entra ID Privileged Identity Management (PIM) Role Modified", "sha256": "17c1e3c3e1f2363cca5097d1febb1c1fdfe1dbe7ec5c36f72b89312dc365a544", "type": "query", "version": 111 }, "78c6559d-47a7-4f30-91fe-7e2e983206c2": { "rule_name": "Unusual Kubernetes Sensitive Workload Modification", "sha256": "476c9475efcc39f0bfcb65ff6f40dba940e50eb387e43d16645a8701bb24bc15", "type": "new_terms", "version": 3 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", "sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89", "type": "machine_learning", "version": 212 }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "2a433940966f2f0fe891fea3f39e6171fa12e90c3e5ad849e26484da381596f7", "type": "eql", "version": 315 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", "sha256": "fc36a81054625c5902ae6500e85e00b2a9fc03c2150826c8f62a33430d0202e3", "type": "eql", "version": 7 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "rule_name": "Unsigned DLL Loaded by Svchost", "sha256": "9ea32cdb4aba86e589f83ad01881254cc615057b09a596f8a1740009fe17a0ea", "type": "eql", "version": 12 }, "79124edf-30a8-4d48-95c4-11522cad94b1": { "rule_name": "File Compressed or Archived into Common Format by Unsigned Process", "sha256": "9f0dd07e9624660f7c948faf37e93c69ecb2938712118952d7030e874b4d22cc", "type": "eql", "version": 7 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "rule_name": "Azure Key Vault Modified", "sha256": "560c80b54abbb9cafeb5763facbe1bfc1170340cdba87d2d26f437a953ebba55", "type": "new_terms", "version": 109 }, "79543b00-28a5-4461-81ac-644c4dc4012f": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Execution of a Downloaded Windows Script", "sha256": "e952b2c22ea74d519101db31f240accb3c939550221f13dc5f35591267a4d717", "type": "eql", "version": 5 }, "9.0": { "max_allowable_version": 203, "rule_name": "Execution of a Downloaded Windows Script", "sha256": "2e5fd5f8a4d3f408aa6fdaa1bd1f128bf6f322f9d431cf50b35d478658849263", "type": "eql", "version": 104 }, "9.1": { "max_allowable_version": 305, "rule_name": "Execution of a Downloaded Windows Script", "sha256": "19f752a00fc030143b709c78f2366eede110a300af7bee98114e298c9bf5c22c", "type": "eql", "version": 206 } }, "rule_name": "Execution of a Downloaded Windows Script", "sha256": "b8466ad6bbac620f7b3c11957e157be4a1d5210c764eaefdf7289fda21a7f9d2", "type": "eql", "version": 307 }, "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { "rule_name": "SSL Certificate Deletion", "sha256": "5fbbd63d53cc0bd3f5bbee608b8d9827efa8a7109088607acffa178fec33e640", "type": "eql", "version": 105 }, "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { "rule_name": "Potential Masquerading as System32 Executable", "sha256": "3333d79d05ec9e15466500362c0268b37e40266434c27aabb9d73657780de11b", "type": "eql", "version": 9 }, "79e7291f-9e3b-4a4b-9823-800daa89c8f9": { "rule_name": "Linux User Account Credential Modification", "sha256": "795cea2132f0be536e09c042566c70bedbac1d9a32d7d90a6e8263771c4988b8", "type": "eql", "version": 5 }, "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "rule_name": "Potential File Transfer via Certreq", "sha256": "9cc0e6419c073ff3ff662d338732b39dfadec281284f8660850c09294746617a", "type": "eql", "version": 217 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "cb8b9a7be0c9d85f513c4b408bd065b0757c377d6e23ab723dc55a1741e20517", "type": "query", "version": 219 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { "rule_name": "Network Sniffing via Tcpdump", "sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426", "type": "query", "version": 100 }, "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": { "rule_name": "AWS First Occurrence of STS GetFederationToken Request by User", "sha256": "e68fa16e0202bd0bc07a1d9c59cc6181f3add4f34d17e2e78a88be517363d37f", "type": "new_terms", "version": 7 }, "7ab5b02c-0026-4c71-b523-dd1e97e15477": { "rule_name": "M365 AIR Investigation Signal", "sha256": "7c2b1e9f0ab3d40c7743bcdd398666dea7ce01f11bbb9e71369a218dc1463f85", "type": "query", "version": 1 }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "rule_name": "Potential Privilege Escalation through Writable Docker Socket", "sha256": "99fca949ae8edfb7afb964e72886e6e40bb9aa3611aba9a895220b6a5d0f2bba", "type": "eql", "version": 11 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { "rule_name": "Potential Execution via SSH Backdoor", "sha256": "115b28ee0d196e28e67c341ab955d79013a022f4f7a4f1e7899195e22fb80d16", "type": "eql", "version": 11 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { "rule_name": "File and Directory Discovery", "sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5", "type": "eql", "version": 100 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { "rule_name": "Deprecated - AWS ElastiCache Security Group Created", "sha256": "d73d32e46188296a20f50b9c74ae911374036b587ff978a813cffdc26e567c3d", "type": "query", "version": 210 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "rule_name": "Windows Network Enumeration", "sha256": "1287015e2cbbf36f6c4fd25871e0f13e424829e01845ab1568b70bc999cc1c93", "type": "eql", "version": 216 }, "7b981906-86b7-4544-8033-c30ec6eb45fc": { "rule_name": "SELinux Configuration Creation or Renaming", "sha256": "132d0281d9ffb39716b5e09b2766d142277327f0aa62e243fc7be053cda4e360", "type": "eql", "version": 105 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "dd30b5f7a318ad5565b52afd773e5291c49e0651eeb6c859d4b29d254f2a8ef4", "type": "eql", "version": 312 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { "rule_name": "Tampering of Shell Command-Line History", "sha256": "86c142a7a15c278ed74582e86edcee7de433f554bb163446de4fa128c5a46b6a", "type": "eql", "version": 111 }, "7c2e1297-7664-42bc-af11-6d5d35220b6b": { "rule_name": "APT Package Manager Configuration File Creation", "sha256": "0f2225c0e5a72b8db9a421b84b3d7600a08c7515a0f9198c8171b5d44ec8a112", "type": "eql", "version": 9 }, "7caa8e60-2df0-11ed-b814-f661ea17fbce": { "rule_name": "Google Workspace Bitlocker Setting Disabled", "sha256": "ae791bdb776e660c7036a0cd0a7a5d8657ddacbac0fa524b8c3f09de72e8443b", "type": "query", "version": 111 }, "7ce5e1c7-6a49-45e6-a101-0720d185667f": { "rule_name": "Git Hook Child Process", "sha256": "e1aafa5f4d3337d194ce54fa78c294dd28edec70497f58d3cfefde65ee48e549", "type": "eql", "version": 107 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", "sha256": "79fdf63a5b07ec050f2e4bccf65b9edcd7fa0acde10d5690ad4573db1c639f17", "type": "query", "version": 109 }, "7d02c440-52a8-4854-ad3f-71af7fbb4fc6": { "rule_name": "Alerts From Multiple Integrations by Source Address", "sha256": "1b10a9f9c9fdd43c1e8e5a1457824e37efbddc0f82866117cf399d9e5831b8ae", "type": "esql", "version": 3 }, "7d091a76-0737-11ef-8469-f661ea17fbcc": { "rule_name": "AWS Lambda Layer Added to Existing Function", "sha256": "98b713e30dc1a5a360825e71125517e2765b46a0ac94fb83c2b75e0695d261c7", "type": "query", "version": 9 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { "rule_name": "Tor Activity to the Internet", "sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1", "type": "query", "version": 100 }, "7dc45430-7407-4790-b89e-c857c3f6bf23": { "rule_name": "Potential Execution via FileFix Phishing Attack", "sha256": "b0942940cb83f01e92f2566f95c101e49dd424f3a7121f93f6fc4199d90c588d", "type": "eql", "version": 3 }, "7dc921db-4cd3-48ef-88bf-2bfa91f29f5c": { "rule_name": "Entra ID Custom Domain Added or Verified", "sha256": "62e7543d4496ac6e879f5717d0348eb2a77d4585482a48073792c0f094f57367", "type": "query", "version": 2 }, "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { "rule_name": "SSH Key Generated via ssh-keygen", "sha256": "53ba04010f20edbac2f1dd089f6e59d5828a9c6462083b10b69251dd20b2e843", "type": "eql", "version": 106 }, "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { "rule_name": "Suspicious Kworker UID Elevation", "sha256": "85bbf6cf0101b56ff21d6892fe6fb8895c06afbd4c9ab6bace4d8db07ede02ba", "type": "eql", "version": 7 }, "7e23dfef-da2c-4d64-b11d-5f285b638853": { "rule_name": "Microsoft Management Console File from Unusual Path", "sha256": "d223ec9ab8f7b8c61d6100d7408999304a0de71fe37a9e8eb43cbc6b4a7ed459", "type": "eql", "version": 316 }, "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b": { "rule_name": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces", "sha256": "91f40a360d614d4e374653898a06a606f41d52979be1f57ce06ddb453217f93c", "type": "query", "version": 1 }, "7e5c0e5a-95a5-404e-a5b0-278d35dc3325": { "rule_name": "AWS EC2 Stop, Start, and User Data Modification Correlation", "sha256": "5085178d8ef62259fb3d7a651f12d9b8070eec2122578fbd32b611c1df0df882", "type": "esql", "version": 1 }, "7e763fd1-228a-4d43-be88-3ffc14cd7de1": { "rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed", "sha256": "602390ce15528f3c17793e86c7683d855e54283b997afff2b59450a9133c229f", "type": "eql", "version": 5 }, "7eb54028-ca72-4eb7-8185-b6864572347db": { "rule_name": "System File Ownership Change", "sha256": "1e042eae7f87d61976c6c536ce63589d0e4f670101060411413e6cb718dd5017", "type": "eql", "version": 4 }, "7efca3ad-a348-43b2-b544-c93a78a0ef92": { "rule_name": "Security File Access via Common Utilities", "sha256": "dfd9d1738b7b47ca18ef97c110717eb2ebb80cd79bf43dcd58d9f5ca4f7dc466", "type": "eql", "version": 107 }, "7f3521dd-fb80-4548-a7eb-8db37b898dc2": { "rule_name": "Potential Notepad Markdown RCE Exploitation", "sha256": "cc73b75d6cfcb37cd8e753f3fd5b547f4507ecfb610651a20433dac419ada718", "type": "eql", "version": 4 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "37d093b58d917e0eb1a4d8f9b92723a63feff6e1f14d8f8be3cfa3f2b9b5fb6a", "type": "eql", "version": 214 }, "7f3a9c2e-1d4b-5e6f-8a9b-0c1d2e3f4a5b": { "rule_name": "Potential Root Effective Shell from Non-Standard Path via Auditd", "sha256": "d0f106dcb3ff6ae76fa7b71147a962b1e967aa7e742d48988008a8e178d54fa9", "type": "query", "version": 1 }, "7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b": { "rule_name": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation", "sha256": "6cf3054443a5d4ce4ad838455a77599f465d2a6d1b7aac00f871e31970d212ad", "type": "eql", "version": 4 }, "7f65f984-5642-4291-a0a0-2bbefce4c617": { "rule_name": "Python Path File (pth) Creation", "sha256": "5357e1bfb039ea8b93e129b2cdac2371d183c097a8351e7f1b28d086e81f487f", "type": "eql", "version": 7 }, "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": { "rule_name": "Web Server Potential SQL Injection Request", "sha256": "30aa21ec0a72baf965a1cc4c73807f1dba317eeb02fee3d038e5f6869527cd9b", "type": "eql", "version": 3 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { "rule_name": "Discovery of Internet Capabilities via Built-in Tools", "sha256": "c36b3a20bc7851ef82f259a38a6c6a7ec11f8f1ed9af8787d9658342939f9463", "type": "new_terms", "version": 105 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "rule_name": "Systemd Timer Created", "sha256": "11fb6ed836d3d13fda309a2ddebc6784355450f5e65c15241634917d7de7a449", "type": "eql", "version": 20 }, "7fc95782-4bd1-11f0-9838-f661ea17fbcd": { "rule_name": "M365 Exchange Mailbox Items Accessed Excessively", "sha256": "5712eee0f955297e794d9c01a9e2b82c4704a5f852b2a23492292651861f45ff", "type": "query", "version": 4 }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", "sha256": "fc200a3dd1eacf187d77b981115f644d11a90ee47affcd553b303b26d9b02e9c", "type": "eql", "version": 12 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "rule_name": "Enumeration of Kernel Modules via Proc", "sha256": "5a2251601cf605cb63463e81b7f57bf842eb1dd019bcc6e1a5d05909114cea77", "type": "new_terms", "version": 111 }, "800e01be-a7a4-46d0-8de9-69f3c9582b44": { "rule_name": "Unusual Process Extension", "sha256": "85aada873799d2431ff32fe657e4ba002fcd4cf73c7d5d23d9660764dcec119d", "type": "eql", "version": 6 }, "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { "rule_name": "Deprecated - Potential PowerShell Obfuscated Script", "sha256": "fefa473559337a11c4edaefa3914f1b5e6809c26b04da1e9eb98f17f147f93a2", "type": "query", "version": 110 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { "rule_name": "AWS SSM Session Started to EC2 Instance", "sha256": "9ee1ebd6c05bbcb790468a9e8e11271e207a5620aa553dae437bbcb645fceeb7", "type": "new_terms", "version": 6 }, "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": "be4fcdd1b914e92f16ebb75fc86828552c9fc7abda2685ac63b28f7d9a3f2054", "type": "eql", "version": 108 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", "sha256": "99bf6df5902600b0c743678eb247b68b3d1fdec36e3c5d7f879c547fd0141726", "type": "machine_learning", "version": 213 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", "sha256": "3d170371447ea0ae70919136a26912497111be7f8e2587724e3d9187e4608f77", "type": "query", "version": 105 }, "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "Unusual Remote File Extension", "sha256": "33a6b5894bf572fe38a6958bae8ae131abc5dc3bbc817b80fd113e9e3864b0ff", "type": "machine_learning", "version": 9 } }, "rule_name": "Unusual Remote File Extension", "sha256": "6abbaa944d0c5d273806bc58f6c8e79ceb52c0924dd195ee94aee3930230f16d", "type": "machine_learning", "version": 109 }, "8154d01d-04d1-4695-bcbb-95a1bb606355": { "rule_name": "Gatekeeper Override and Execution", "sha256": "991965250b10d42aec5d6ee76ab2fd8a361227d80eb667d76a4fa93528ded285", "type": "eql", "version": 2 }, "8167c5ae-3310-439a-8a58-be60f55023d2": { "rule_name": "Suspicious Named Pipe Creation", "sha256": "253e887c55def671178ffe4b57883d3bc98217574f194ba83ff1120724e1a7e3", "type": "new_terms", "version": 5 }, "81892f44-4946-4b27-95d3-1d8929b114a7": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 101, "rule_name": "Unusual Azure Activity Logs Event for a User", "sha256": "7c5faa919e74876e3f34492417b53d9f00eda55ae6d361c298363b9a310af609", "type": "machine_learning", "version": 2 } }, "rule_name": "Unusual Azure Activity Logs Event for a User", "sha256": "0c6c500f67d15e6e004f30895284446912eed2946c7433eb1b2e43ac9cb1368d", "type": "machine_learning", "version": 102 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "b2573abd94d397aa342b54649a68d6dd61b1eab6fa2a85262d80622ade46a7e4", "type": "eql", "version": 317 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { "rule_name": "Persistence via Kernel Module Modification", "sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86", "type": "query", "version": 100 }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "7a4d5185d5e5d9b1908bab0d3aca30a9fd909de1e7ed5bd9973f17ea38c45131", "type": "query", "version": 320 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "rule_name": "Temporarily Scheduled Task Creation", "sha256": "19540fa8823bf220012c9be723cb349c87f01d6257c20b38423e67c4c11e70e2", "type": "eql", "version": 114 }, "8248323e-f888-4134-a26f-37a6362f7231": { "min_stack_version": "9.3", "rule_name": "DNS to Commonly Abused Web Services", "sha256": "dbb5583417dd597c8f05b913273b53b8409710f3ae1eb6b9aa6e9eb4c83092fd", "type": "eql", "version": 1 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "5b5b70876d3001d659553913b8987b5454fa88d97ba664716d9d4d284a02725d", "type": "eql", "version": 213 }, "8293bf1f-8dd0-434e-b52a-1aa6ec101777": { "rule_name": "Suspicious Write Attempt to AppArmor Policy Management Files", "sha256": "805555cf50ddc4f2911f97266442eb357b42c55674a349ea4f73f305fce05479", "type": "eql", "version": 1 }, "82f842c2-7c36-438c-b562-5afe54ab11f4": { "rule_name": "Suspicious Path Invocation from Command Line", "sha256": "277df1300e839607dcd3b2f0c822ad6033930c8c4c737859b4bc8f29cacd38e4", "type": "new_terms", "version": 7 }, "834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": { "rule_name": "Manual Dracut Execution", "sha256": "29c7059375d06cd1cc12a302f2333031ad5939f3b5d67b5793afadddfdaea7fd", "type": "eql", "version": 7 }, "835c0622-114e-40b5-a346-f843ea5d01f1": { "rule_name": "Potential Linux Local Account Brute Force Detected", "sha256": "a2bb9648be410edc4f63b16588b57cd265841be85791537e0d4635d059306344", "type": "esql", "version": 14 }, "8383a8d0-008b-47a5-94e5-496629dc3590": { "rule_name": "Web Server Discovery or Fuzzing Activity", "sha256": "985bf66729f4fbb6875ca03651b5f088856495eb5e52ed0c62d9c950a63b5641", "type": "esql", "version": 5 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted", "sha256": "886e69fd58d0b30bee105947d384e6ea7ca847b28e272a7a462e23162be0cbb7", "type": "query", "version": 108 }, "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { "rule_name": "Linux Restricted Shell Breakout via the mysql command", "sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194", "type": "eql", "version": 100 }, "83bf249e-4348-47ba-9741-1202a09556ad": { "rule_name": "Suspicious Windows Powershell Arguments", "sha256": "f37d18299f2b6ae378e9ebbda386f621a87953d1876e6a1d5d05d56a2a42375e", "type": "eql", "version": 214 }, "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { "rule_name": "Attempt to Disable IPTables or Firewall", "sha256": "e7181205724d4dd074ed7813ffe5b2b8d1e6b3d21158bb791df05b329db185d9", "type": "eql", "version": 115 }, "8446517c-f789-11ee-8ad0-f661ea17fbce": { "rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role", "sha256": "4ba4a6143b3e9c0796753566012abd8ce4d00f6dc4a07026f37ecdae32914447", "type": "new_terms", "version": 9 }, "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "rule_name": "Deprecated - Microsoft Exchange Transport Agent Install Script", "sha256": "231fa1320c2fe2c406250a79a7d96b9d5ba958d3b53f96867c8c3d563d7b55f5", "type": "query", "version": 110 }, "84755a05-78c8-4430-8681-89cd6c857d71": { "rule_name": "At Job Created or Modified", "sha256": "e03a6361412c5e8705b679c6544081b684e4b0d563f052e0624e583983c7baec", "type": "eql", "version": 7 }, "84d1f8db-207f-45ab-a578-921d91c23eb2": { "rule_name": "Potential Upgrade of Non-interactive Shell", "sha256": "a68732ae9d35dba87c95fbec9aec936ab7565c1de5ba804a22841eadf018b195", "type": "eql", "version": 108 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "910ab24992b092b670b8f46bc6acd50d1ebd6641c4c0afbe68cb426c5c30f8bc", "type": "eql", "version": 219 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "rule_name": "Potential Remote Credential Access via Registry", "sha256": "574d715b6ce4b597ea59f0da4cbc28681d04fd706bffc3261faddca6bb433510", "type": "eql", "version": 114 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { "rule_name": "Suspicious PowerShell Engine ImageLoad", "sha256": "b3fd7ce2686a4da739298c81e33a67dfa9c63b11eb3976fa0b8c45ac55facc8a", "type": "new_terms", "version": 217 }, "85d9c573-ad77-461b-8315-9a02a280b20b": { "min_stack_version": "9.3", "rule_name": "Process Killing Detected via Defend for Containers", "sha256": "801e043b5aec7ea7952aa8ade78a681fd2bb3fdde4e305a4c8dae8cda599d58d", "type": "eql", "version": 1 }, "85e2d45e-a3df-4acf-83d3-21805f564ff4": { "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction", "sha256": "e2f5f510ca7a02c9742e8740fd5c6a609fdbff33b7d65d755b9a2a93ef2d248b", "type": "esql", "version": 11 }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "rule_name": "Potential Subnet Scanning Activity from Compromised Host", "sha256": "10bbd6b833bdba66080b6ea0671751c89bbd7d3fc0518fa6f03c456539502df0", "type": "esql", "version": 12 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", "sha256": "941cacbf7dfc86fc7816d9a2c8584951737f2b4dcf09ad1841befdc1cfa1ffe5", "type": "query", "version": 212 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "rule_name": "Deprecated - AWS RDS Security Group Deletion", "sha256": "38f7dc5b29c5986c717c1259d1a767564079165597fcf2388d0c68538bc9609a", "type": "query", "version": 210 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "rule_name": "AWS IAM Group Deletion", "sha256": "3abaf9bcf2904f994396d8543bd3aaeef43a2e98d31e9eefa381b426864ee55a", "type": "query", "version": 212 }, "86aa8579-1526-4dff-97cd-3635eb0e0545": { "rule_name": "NetworkManager Dispatcher Script Creation", "sha256": "af4d1639fa424646c1f9aea3aa4e17d4c520b08a657af139282fba725cfc76d9", "type": "eql", "version": 7 }, "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { "rule_name": "Potential Linux Reverse Connection through Port Knocking", "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc", "type": "eql", "version": 1 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { "rule_name": "Security Software Discovery via Grep", "sha256": "dd820be9349011d4ec335569d9898cb70ea8a935ad0df6f01cbe987c9d711bc7", "type": "eql", "version": 113 }, "871ea072-1b71-4def-b016-6278b505138d": { "rule_name": "Enumeration of Administrator Accounts", "sha256": "4bbc068166c4cd467e8b63f0500aaddf001c6469a8ae6a620d661881570e619f", "type": "eql", "version": 220 }, "873b5452-074e-11ef-852e-f661ea17fbcc": { "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", "sha256": "e339c78401a6804c63a87a211a0a0487e1e57f189247c6bf1d912d29cfc286d6", "type": "query", "version": 9 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "rule_name": "AWS EventBridge Rule Disabled or Deleted", "sha256": "5f457fe98b665b8a9e62cc644d1ab36295835009aa64a66b3ba48a3a15c0e423", "type": "query", "version": 213 }, "877cc04a-3320-411d-bbe9-53266fa5e107": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 100, "rule_name": "Kubectl Network Configuration Modification", "sha256": "f52b65c61add58050fdf37f23b51c7f49e70f75ffcd36f2a268c0c7d8fb5b4c7", "type": "eql", "version": 1 } }, "rule_name": "Kubectl Network Configuration Modification", "sha256": "a1894306d2121d58ca0fbece2a5bf937c976bf968265df675e6644c2ee86bd99", "type": "eql", "version": 103 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", "sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7", "type": "query", "version": 100 }, "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { "rule_name": "Linux Clipboard Activity Detected", "sha256": "586482d2e766199d7d20451c536089086726536ce2d6b78324c97ca9e8a27dac", "type": "new_terms", "version": 10 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "rule_name": "M365 Identity Global Administrator Role Assigned", "sha256": "826d91fd08a94cba97478f637b721a622927885f74aa5e12a9c39555ba33dc67", "type": "query", "version": 215 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { "rule_name": "Sublime Plugin or Application Script Modification", "sha256": "dffeb89bd2bc7aa9295056acf3f3e48cf641480002098af31aac13a9fd518282", "type": "eql", "version": 113 }, "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { "rule_name": "Potential Sudo Hijacking", "sha256": "15290009b50a0be19faab5d4bcf8b037b1133350ac236ed74d1fef9b7f28e36c", "type": "eql", "version": 112 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "79766485064b150c88c72e4318717a5ae5fbf67996a675b6a6fc90adc2bd6c35", "type": "eql", "version": 212 }, "894326d2-56c0-4342-b553-4abfaf421b5b": { "rule_name": "Potential WPAD Spoofing via DNS Record Creation", "sha256": "91e82c47e7296c7f031bd60c2e9a11cbad7708537f7897a41fc725b48242bcdb", "type": "eql", "version": 108 }, "894b7cc9-040b-427c-aca5-36b40d3667bf": { "rule_name": "Unusual File Creation by Web Server", "sha256": "e571b65fc24fca4eca6d1be59574531c2d30099725b3b2636dfca04cf3dca1fd", "type": "esql", "version": 8 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", "sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79", "type": "eql", "version": 100 }, "896a0a38-eaa0-42e9-be35-dfcc3e3e90ae": { "rule_name": "FortiGate Overly Permissive Firewall Policy Created", "sha256": "d1d718262a55ce4eb2f3109b52008bb31b4730548cc74c0bb2f88c2066874849", "type": "eql", "version": 2 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "997ff3e71d520c0732a123e1d0ad70cdd6bf378b08cb0676dcb3dc3b8be50005", "type": "eql", "version": 215 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "rule_name": "Suspicious Command Prompt Network Connection", "sha256": "78c4503367d09652a555301342470eda60e4bb0bbbdede4115675d26689da852", "type": "eql", "version": 215 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { "rule_name": "Persistence via DirectoryService Plugin Modification", "sha256": "dd084e812cce1783a6f9ba2487369dcde52524dd9ebbdf42cbb46fbc6775cb61", "type": "eql", "version": 111 }, "8a024633-c444-45c0-a4fe-78128d8c1ab6": { "rule_name": "Suspicious Symbolic Link Created", "sha256": "85b2f05242ef2b243497149f4a9ced74f2092360b32956fbd76fa5877477b9ae", "type": "eql", "version": 11 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "bfbc2e038be0e058b013edc804ae3cbf9358bf4e7a5e60ec7708fd9335b00208", "type": "eql", "version": 213 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { "rule_name": "GitHub PAT Access Revoked", "sha256": "f2df2aa417dd23bf02331ebd404b3dd336f446beb1284f6393f29558895e7cbf", "type": "eql", "version": 206 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", "sha256": "3cdc89e93768197c70d988777a765055e5d99d6ff147c94e5015d96650a4f6ce", "type": "eql", "version": 110 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "b1b9d970b94d1f0d33fee26a4679f1232d96921a54d9a4d0c247b861915dce0f", "type": "eql", "version": 214 }, "8a1db198-da6f-4500-b985-7fe2457300af": { "rule_name": "Kubernetes Unusual Decision by User Agent", "sha256": "87463c0ee2b94b85ef1a97b095d7804388e7ec85b856a29cf58045acff6110ef", "type": "new_terms", "version": 6 }, "8a556117-3f05-430e-b2eb-7df0100b4e3b": { "rule_name": "FortiGate Administrator Login from Multiple IP Addresses", "sha256": "9dcb51c768e95cbd73655d85347ee0163b46f11470f3d673caf5994a6cf16314", "type": "esql", "version": 3 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "9af183f0898497548e96c09ddfe9a51ebc3e65db6be58b64891ede967f7a09ff", "type": "query", "version": 415 }, "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { "rule_name": "Unusual Command Execution from Web Server Parent", "sha256": "df522ce5e98dfecebb085a50f07d0317c34618922825d910d3e36754b4d631b9", "type": "esql", "version": 12 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", "sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693", "type": "new_terms", "version": 209 }, "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "sha256": "500aa971acca151f7325aa6f5b1b35a36cd749170866c9f0f3f9a5d1061d008b", "type": "eql", "version": 110 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "0891db2139f619c3e12aa7ff813fb6c47c0b921921e10f68302d2cc5e09094fc", "type": "eql", "version": 315 }, "8b4d6c3a-2e9f-4b7c-9a5d-6f8e3c1b4d2a": { "rule_name": "Azure Storage Account Keys Accessed by Privileged User", "sha256": "ef60832a362b19da1ecb80f507f7097c504c401b7bfae720da603f222f294c0f", "type": "new_terms", "version": 2 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "155748dc2cb03082c198d49c5b3a63d68bcbb946ac0249b60cdd1c0ad240e967", "type": "eql", "version": 316 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { "rule_name": "Azure Kubernetes Services (AKS) Kubernetes Events Deleted", "sha256": "8e4798edae7eb2301c9219ac5243fe24e10cd947652efff3d972e522037a0d38", "type": "query", "version": 109 }, "8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": { "rule_name": "Several Failed Protected Branch Force Pushes by User", "sha256": "161df6cf4be2d2363710a4fe6c657d1b60e3e64c8b7438588f60e9f60d3528b5", "type": "esql", "version": 4 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "rule_name": "RDP (Remote Desktop Protocol) from the Internet", "sha256": "a116199798ce219c0aceb2948a7979d20498678ec9bb86abedd8ddb7e974d16b", "type": "query", "version": 110 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "rule_name": "Unusual Child Process of dns.exe", "sha256": "115d29537b2bf7faefb1fac91860d7d62bba80d66b4344f46aadb922bd980abd", "type": "eql", "version": 319 }, "8c707e4c-bd20-4ff4-bda5-4dc3b34ce298": { "rule_name": "GitHub Private Repository Turned Public", "sha256": "991c4ac5ed8d79ec82589e11ec67a2d11efbc523875013051b96457b55be274a", "type": "eql", "version": 2 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { "rule_name": "Potential SharpRDP Behavior", "sha256": "4cf3598e184cd3c8984d8d33d2a1c2d9b9516554d1c903ef569a66889fe0c998", "type": "eql", "version": 112 }, "8c8df61f-ed2a-4832-87b8-ee30812606e0": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding via Command Line", "sha256": "0adfd339ad27a6b8b76c80aedee937f94c4f97230a6eb989be7cc055dc705db6", "type": "eql", "version": 2 }, "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Host Name for Okta Privileged Operations Detected", "sha256": "8d6b03d8b977dac1e4f97975d2503c23388923c451ba2f613c2166c4691efcc8", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Host Name for Okta Privileged Operations Detected", "sha256": "b1badadb630b67c0ce5e1097220bb27225d8f7c5aeafd602875395912a5854c2", "type": "machine_learning", "version": 104 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { "rule_name": "Ransomware - Detected - Elastic Endgame", "sha256": "2011f6739abbd03c4369c3fa7727c0657b1f67a5333d12dd0d202ebdee66f918", "type": "query", "version": 105 }, "8cb84371-d053-4f4f-bce0-c74990e28f28": { "rule_name": "Potential Successful SSH Brute Force Attack", "sha256": "a96fb4b4b383179cc72cb5eae13d8db7519f05a462df336a7c09f4ff2348581e", "type": "eql", "version": 16 }, "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { "rule_name": "RPM Package Installed by Unusual Parent Process", "sha256": "fd3063980542ef2a702e17a3d1846cff65911774f84b6f95d92358d7c03f8e7b", "type": "new_terms", "version": 6 }, "8cd49fbc-a35a-4418-8688-133cc3a1e548": { "rule_name": "Proxy Execution via Windows OpenSSH", "sha256": "e08100fdb189d4a8d88e1b98e86124b022055743f5ea002e7c6e51addcb26261", "type": "eql", "version": 3 }, "8d366588-cbd6-43ba-95b4-0971c3f906e5": { "rule_name": "File with Suspicious Extension Downloaded", "sha256": "0bf06ca7dbd6bf33afe26f82f0a013a7c48a33b7aa69fe2114aa607308c21adb", "type": "eql", "version": 6 }, "8d3d0794-c776-476b-8674-ee2e685f6470": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 104, "rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container", "sha256": "88ade54075f60d3f7d6b81818ce258f39b487468f44dde8a70aaac119e397edd", "type": "eql", "version": 5 } }, "rule_name": "Interactive Shell Spawn Detected via Defend for Containers", "sha256": "50e2c7782f8be9f72c7128dc4db0539b9d79ef43293b239f22635c9dbe0b1cd5", "type": "eql", "version": 105 }, "8d4d0a23-19d3-4186-a6f1-6f0760d2e070": { "rule_name": "Multiple External EDR Alerts by Host", "sha256": "796c80711f75aa99686c41d6b4c990ca5897bf90204be59ed446c63bddbf82a9", "type": "esql", "version": 5 }, "8d696bd0-5756-11f0-8e3b-f661ea17fbcd": { "rule_name": "Entra ID OAuth ROPC Grant Login Detected", "sha256": "7c732e1ccfa76a9e4b864a9a5cc905c699b322c8fd19066eb9ae614ad50d1e82", "type": "new_terms", "version": 4 }, "8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6": { "rule_name": "Potential Data Exfiltration Through Wget", "sha256": "3fd2b1b4a83e83cd6cc4d3b9171acbf2a8727daa0a182983a596c27976019c1c", "type": "eql", "version": 3 }, "8d9c4128-372a-11f0-9d8f-f661ea17fbcd": { "rule_name": "Entra ID Elevated Access to User Access Administrator", "sha256": "83c4b5a6c2d976377276bf4663925ff8f4c92cb2bd44e8d4ff715af6e89ca335", "type": "new_terms", "version": 5 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { "rule_name": "Potential Privilege Escalation via PKEXEC", "sha256": "b076e4e14884d25fba16f078694f7925272dd885b2e4091bc53e86bf8312b0fe", "type": "eql", "version": 213 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { "rule_name": "Azure Automation Runbook Deleted", "sha256": "4310e0e0dd6ef5d366aac17c4b8233b9ed3a2a2603d418aeb156e14b7ca3bc2d", "type": "query", "version": 108 }, "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "rule_name": "Potential WSUS Abuse for Lateral Movement", "sha256": "753cd28018873970c400a8298c254ce1524a2b19087d022f3c34d946504e3669", "type": "eql", "version": 213 }, "8e39f54e-910b-4adb-a87e-494fbba5fb65": { "rule_name": "Potential Outgoing RDP Connection by Unusual Process", "sha256": "4d5ec92b6f2172b7a6f70ad0e96425134d404f434be5f19e8347ab2f531bce2d", "type": "eql", "version": 6 }, "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": { "rule_name": "Entra ID Actor Token User Impersonation Abuse", "sha256": "3d44c73a3692bf5d2e82a05e5660e69202bc834886ad39fb4b6b3fe0211e845a", "type": "esql", "version": 6 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "rule_name": "Bitsadmin Activity", "sha256": "ebcef83158cf83d309f5a795e4af56f9baaf29a4683c7458757351eec539a0f2", "type": "eql", "version": 108 }, "8eeeda11-dca6-4c3e-910f-7089db412d1c": { "rule_name": "File Transfer Utility Launched from Unusual Parent", "sha256": "836b3c4bc02c3e85bb2f6eaa8fec7d019a33b393b55fb392dc33c9c865f2deb6", "type": "esql", "version": 12 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "79d2a9160017926198d637f08dc603fedbb7cd4fbd83d17b74b08580ee1474bd", "type": "eql", "version": 108 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", "sha256": "97d9b5554bd6133e3e4d7eab81bb0e47fff98c0f0126fc4f675c97058901bb29", "type": "eql", "version": 113 }, "8f8004e1-0783-485f-a3da-aca4362f74a7": { "rule_name": "Linux User or Group Deletion", "sha256": "9097975f7890b4d531b35ae33794bd65145b919c575d26e22fa95c26151a5f1c", "type": "eql", "version": 2 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "166e37431a08e33591ca315008ea56f76f0f709bf7e858c2dd2fe622cccd981e", "type": "eql", "version": 212 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { "rule_name": "GCP Service Account Deletion", "sha256": "76199312383db1b95ac2268eaada459efb3d102690231973671f8a2c499dfde3", "type": "query", "version": 108 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", "sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62", "type": "eql", "version": 100 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { "rule_name": "Hping Process Activity", "sha256": "5452130912b7e1ab2aa128c84c0b21c6969d10067f9d01105f86b08e0a26dcab", "type": "eql", "version": 213 }, "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": { "rule_name": "GenAI Process Connection to Unusual Domain", "sha256": "411e1e52013103268793186989a70512a23fff33bd76a04df70efccab5657b4f", "type": "new_terms", "version": 5 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "rule_name": "AWS RDS DB Instance or Cluster Deleted", "sha256": "01f5c53e0534cf3e8f1dbc49a95dffba600a0a04c5417d52cf36cd471cf5a624", "type": "query", "version": 212 }, "9056d577-4da5-47bf-8c94-6c0b1bb3f8a5": { "rule_name": "Chroot Execution in Container Context on Linux", "sha256": "1327e72d0dfdb1e0f8b9b5f3fefee53813631ef25ed39a9bbba78105ed320c11", "type": "query", "version": 1 }, "907a26f5-3eb6-4338-a70e-6c375c1cde8a": { "rule_name": "Simple HTTP Web Server Creation", "sha256": "09d9d01561eb71ac979bff7232ba219371801a51e963720cbb333052c30acf43", "type": "eql", "version": 106 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "rule_name": "Keychain Password Retrieval via Command Line", "sha256": "3767b47364ab96c700f9ddf5ee8bf9636f68b00a9d5b36d8c98ee2483cd8cd65", "type": "eql", "version": 114 }, "909bf7c8-d371-11ef-bcc3-f661ea17fbcd": { "rule_name": "Excessive AWS S3 Object Encryption with SSE-C", "sha256": "04c5ec27d3a9b03f4132d923b9bcf00154388d2360fe8789359516fccfc3187d", "type": "threshold", "version": 6 }, "90babaa8-5216-4568-992d-d4a01a105d98": { "rule_name": "InstallUtil Activity", "sha256": "1f836d04fff5d1714236d933b95423d63a44b8df46085065d9e394338ffd3e8c", "type": "eql", "version": 107 }, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { "rule_name": "Auditd Login Attempt at Forbidden Time", "sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad", "type": "query", "version": 100 }, "90e4ceab-79a5-4f8e-879b-513cac7fcad9": { "min_stack_version": "9.2", "rule_name": "Web Server Local File Inclusion Activity", "sha256": "03d1493423cf1eecb33f5c4bb9d629da961d04391cab206a3651b60855ddd1e8", "type": "esql", "version": 5 }, "90e5976d-ed8c-489a-a293-bfc57ff8ba89": { "rule_name": "Linux System Information Discovery via Getconf", "sha256": "aa1f61fe8a16a44fd7569befb93e71d7bf94d8ade6285a0afabf70257ebdf9ec", "type": "new_terms", "version": 5 }, "90efea04-5675-11f0-8f80-f661ea17fbcd": { "rule_name": "Entra ID Unusual Cloud Device Registration", "sha256": "ef5f1f198548e65c9ed5cb95c3b011532c0de3d57edca67c59a6007529e93b0c", "type": "eql", "version": 5 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { "rule_name": "GCP Virtual Private Cloud Route Creation", "sha256": "b710a75749f1c2ca395821015bbfa00e3870d75a89785e4506f4029b9d54445c", "type": "query", "version": 109 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { "rule_name": "AWS WAF Access Control List Deletion", "sha256": "b772aae4fecd07fc3fda61945a74f84d5f31d5e5371a490c75a2c1f5e39b21d9", "type": "query", "version": 212 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Web User Agent", "sha256": "ac0052e2c70450d918b677a7f8f2d3408af1b451b1788e4f8c86581933e2603e", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Web User Agent", "sha256": "cfcad42e56eaf65d1ad977504ea2a1122b7bec964cd4aa3c09f5aaa0983e206a", "type": "machine_learning", "version": 207 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Unusual Web Request", "sha256": "c2a5dcf47a109617f2ae0c83a92116a8d4b1a8335b84b9c65d58ab3333ed2ea0", "type": "machine_learning", "version": 108 } }, "rule_name": "Unusual Web Request", "sha256": "6674d243b24f7dbdaa41751d1c4dc3244e6757de2c25baff5ebbd5d32e1422d5", "type": "machine_learning", "version": 208 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "DNS Tunneling", "sha256": "f497eccc9233e8257ed6e93ccb53e711b11690bb288e1e79e9d3562fb7773c14", "type": "machine_learning", "version": 108 } }, "rule_name": "DNS Tunneling", "sha256": "6d6bb3df7c940826fbc2cbff1da1ad41b1dd196c901b034d0f7f1bfe259397a0", "type": "machine_learning", "version": 208 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", "sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb", "type": "threshold", "version": 102 }, "92984446-aefb-4d5e-ad12-598042ca80ba": { "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "58da4c9a17bcfbc79ef87cb25e7a4fcf2d48d7ed569789517061ef9be0b86634", "type": "query", "version": 214 }, "929d0766-204b-11f0-9c1f-f661ea17fbcd": { "rule_name": "M365 Identity OAuth Phishing via First-Party Microsoft Application", "sha256": "5b1525d9fb3e1d0b955b43b502826a19998607b96fce7d351b5f2a4b656a61fe", "type": "query", "version": 5 }, "92a36c98-b24a-4bf7-aac7-1eac71fa39cf": { "rule_name": "First Time Python Spawned a Shell on Host", "sha256": "be63d148ae752f2a10774f0a44d74f9d112e91c8757bb2b6821252b3481ce6c1", "type": "new_terms", "version": 2 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "rule_name": "A scheduled task was created", "sha256": "7efafffc437abbe227a0503113191f580362de2d55f7d83279aa4718b2ad5227", "type": "eql", "version": 115 }, "92d3a04e-6487-4b62-892d-70e640a590dc": { "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "ba06cd9a60b678a177105f360eee0602b9dbae4dc739bd308111e4ccf706fe98", "type": "eql", "version": 111 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { "rule_name": "AWS STS Role Assumption by Service", "sha256": "a7f3fb92910eb74a17595421262ef4c0c685a07e4e5512f18cdb96117b34f30b", "type": "new_terms", "version": 216 }, "93120a05-caf5-47f6-a305-e8abee463fb9": { "rule_name": "Kubernetes Pod Creation Using Common Debug or Base Images", "sha256": "75899e6bc8d17dbb87ecafbe4e9e56a1a465d8e7dffd767f9a24ac2d03860358", "type": "new_terms", "version": 1 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Activity", "sha256": "bed251adfc37c827253140e4659e753a36a15717622a7081ab318cf765576578", "type": "eql", "version": 211 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "rule_name": "AWS VPC Flow Logs Deletion", "sha256": "c55bac37daa9321802740fb410156e014f7560d5cc079d927f224956d090523e", "type": "query", "version": 213 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "rule_name": "Suspicious SolarWinds Child Process", "sha256": "b1ca64a473159cace9469b404e6e212f76b072963ef57f2082259313d45d3b85", "type": "eql", "version": 214 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "rule_name": "Deprecated - Encoded Executable Stored in the Registry", "sha256": "f68b4a5cc0a9b8ae595d15919b1ce6607fa1a1b6e08ef5f73c6b91d35996c7ac", "type": "eql", "version": 419 }, "93dd73f9-3e59-45be-b023-c681273baf81": { "rule_name": "Linux Video Recording or Screenshot Activity Detected", "sha256": "a7d3bdce1506512de3038f519099b488cfaf31a9ddf4c791ac8aca3c2861359b", "type": "new_terms", "version": 2 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { "rule_name": "Google Workspace Admin Role Deletion", "sha256": "69b1e02d3a36de758cf981011b13ecfc3134cc52eeaa7686b2f2aef99248120e", "type": "query", "version": 210 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { "rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration", "sha256": "1e54e18fae8c9afcee81de6f64a1d344e006e894e2357424bbdf76c9accceb1c", "type": "new_terms", "version": 208 }, "94418745-529f-4259-8d25-a713a6feb6ae": { "rule_name": "Executable Bit Set for Potential Persistence Script", "sha256": "36ac08934324e18a5d413160904562eb2048ebc1ec0386d2e5c65e183599afbb", "type": "eql", "version": 109 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Deprecated - Creation of Kernel Module", "sha256": "f57e1a7d616beee44b8df1ddbe37efef07389ae2b99b7b1490801184286ed01d", "type": "eql", "version": 6 }, "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "3507e4b16ab8077d5b8ded1a95748032027b442f316dbc78a0ac441986535426", "type": "eql", "version": 216 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Potential Okta Credential Stuffing (Single Source)", "sha256": "c9bdd66f536436153709d92c363c2bfc9637912240daf7eb789913fb2a9f4efe", "type": "esql", "version": 211 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "e9260d441ee6bb2650fab753e31ab175e5b98418141b067ed6cd3a942bd81750", "type": "query", "version": 110 }, "951779c2-82ad-4a6c-82b8-296c1f691449": { "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "c0132ac1a7c0915024784aa3942547eb1ab31b0ca04f36d96800c8bd7ae1d279", "type": "query", "version": 110 }, "952c92af-d67f-4f01-8a9c-725efefa7e07": { "rule_name": "D-Bus Service Created", "sha256": "a18c513e885014629b1256650fe3ded14d233dc2ed783efca6ecb4b8af1946fa", "type": "eql", "version": 7 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { "rule_name": "Remote Scheduled Task Creation", "sha256": "d806114e9175121535a78373c2f4f747985e6a90c11f6e960c3370037b71e866", "type": "eql", "version": 215 }, "9563dace-5822-11f0-b1d3-f661ea17fbcd": { "rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client", "sha256": "4062c9fbacade77b466ba4c8c18199e74c0d56a88a9eeef6fdc5d2d4494315d7", "type": "new_terms", "version": 5 }, "959a7353-1129-4aa7-9084-30746b256a70": { "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": "ac705fd1257ac37bcda167b715884142ebe726b87d21f9f82b2b0bbd48822ee4", "type": "query", "version": 214 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", "sha256": "a266665d423c29eff07547ef4fd37eec7dc215b9f139f64484299c2a1bc49456", "type": "esql", "version": 211 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", "sha256": "7d65bad7fb01c9df8886dd57509eeb3dab22246cd5bdb3030a6770a70c26d822", "type": "new_terms", "version": 8 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "664d91c0caabcfe4dc2f59f70f0f2794d27fd6412090b2e38af73e4fe008def3", "type": "eql", "version": 4 } }, "rule_name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers", "sha256": "8731c52d5893d47420bbb5a3b0149d7db6bfb0f0bb7297e2fd1c7cbbb03a5f01", "type": "eql", "version": 105 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "rule_name": "File made Immutable by Chattr", "sha256": "f924c739edb9ebd321df9baebfbf20c658b48cffa6bc33e56a3061d08f2160d1", "type": "eql", "version": 217 }, "96b2a03e-003b-11f0-8541-f661ea17fbcd": { "rule_name": "AWS DynamoDB Scan by Unusual User", "sha256": "922c37a1cdb6f1cd90a88e213929b164bbb8346fecf5aaf2548d04f5c1200ffb", "type": "new_terms", "version": 6 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "rule_name": "Attempt to Create Okta API Token", "sha256": "6b1686cc7b6a837576f758cc91736ce0308787558a588f34d90d5cb568304455", "type": "query", "version": 414 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", "sha256": "fb6f0c3d4a4b1103cffd1214243faf16011837bf6185ed9dd364b4b00955967d", "type": "eql", "version": 17 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "rule_name": "Keychain CommandLine Interaction via Unsigned or Untrusted Process", "sha256": "c279f98199a5b04feb2862a6366b838116076f27a12f928988e6fa4747284e71", "type": "eql", "version": 212 }, "96f29282-ffcc-4ce7-834b-b17aee905568": { "rule_name": "Potential Backdoor Execution Through PAM_EXEC", "sha256": "132131e91bb5571399245226355bb06a9e2707dbe7eebedaa18d51a965601746", "type": "eql", "version": 4 }, "97020e61-e591-4191-8a3b-2861a2b887cd": { "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "3f327621ed0547019a5b5d0a878ab68f39d8bea7a021464559cbccee95018f77", "type": "eql", "version": 114 }, "9705b458-689a-4ec6-afe8-b4648d090612": { "rule_name": "Unusual D-Bus Daemon Child Process", "sha256": "32963455b75df93504e8d1002eaa12a8821f55aa19be3c4fee1115dc42f8708c", "type": "eql", "version": 6 }, "97314185-2568-4561-ae81-f3e480e5e695": { "rule_name": "M365 Exchange Anti-Phish Rule Modification", "sha256": "5085f954d4ff259286c61446ad71512f3a21abc0c58e2e492aea0ccb050116d8", "type": "query", "version": 212 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { "rule_name": "GCP Storage Bucket Configuration Modification", "sha256": "f2cc5c75a97f850533473a4b070a5de9e09cadd3e2d2ab3e3594bf7a4f0bd19c", "type": "query", "version": 109 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 102, "rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container", "sha256": "2d3f1fb31aed3137b4c66bc1c06f0b69ebd962020c11d14fad42177ba41d2319", "type": "eql", "version": 3 } }, "rule_name": "DebugFS Execution Detected via Defend for Containers", "sha256": "cb201a9e31aa49674cb68601b095f1fe2812900a8e7b104b8e5a35913c4cd69c", "type": "eql", "version": 104 }, "976b2391-413f-4a94-acb4-7911f3803346": { "rule_name": "Unusual Process Spawned from Web Server Parent", "sha256": "5bf6380747f1cb95b184818ca866517ab8cd592d255de6dee340594eb30015d8", "type": "esql", "version": 12 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", "sha256": "101588c75ca495165b4a75b184b63ce8f2ecc204a09f8a1f687e32708adb06e5", "type": "query", "version": 214 }, "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": { "rule_name": "Potential HTTP Downgrade Attack", "sha256": "332b2fd1b93728b75ec6644427e2c70a980d7b9e53a67f205181e14114d99b4f", "type": "new_terms", "version": 2 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications", "sha256": "a44033692c37bed24ce3925b6ca42e5bd9fb6b47ee30ff08d20220ff77e28f9c", "type": "eql", "version": 419 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "rule_name": "Suspicious Zoom Child Process", "sha256": "1a18715f4ab14be5a645089d5e96d2d98eaf64d7c8b4239d84d2d0c8b518fbfa", "type": "eql", "version": 423 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", "sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f", "type": "eql", "version": 100 }, "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { "rule_name": "Suspicious Renaming of ESXI Files", "sha256": "34932396b727d338f36c36468067ccae5bda12c0704d2824ff90b34548bbe134", "type": "eql", "version": 13 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { "rule_name": "Base64 Encoding/Decoding Activity", "sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3", "type": "query", "version": 100 }, "97fc44d3-8dae-4019-ae83-298c3015600f": { "rule_name": "Startup or Run Key Registry Modification", "sha256": "d7a6f3d9e2ace9040d8e06757f2efc2c06486ff524feba35e5e3a743560622d6", "type": "eql", "version": 120 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "sha256": "dafbd42605333aa135c1efb0261e9eb5359dffe444e4979a8dea91630c9e80ff", "type": "eql", "version": 9 }, "9822c5a1-1494-42de-b197-487197bb540c": { "rule_name": "Git Hook Egress Network Connection", "sha256": "cc8a4cc0fb13f05a7da5ab6cfb6cd3695172d812a45c53e6a907e9695ba46683", "type": "eql", "version": 7 }, "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", "sha256": "d8b0db21eaf28b6c2ede7046c2a599db635f704533c740913838a7ef0b324a85", "type": "eql", "version": 107 }, "98843d35-645e-4e66-9d6a-5049acd96ce1": { "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "1d8b7387ffc9ba14ad87292fe10c366ccadee0b56b8e0932723616aa4afb8154", "type": "eql", "version": 107 }, "9890ee61-d061-403d-9bf6-64934c51f638": { "rule_name": "GCP IAM Service Account Key Deletion", "sha256": "9e0d0436cb2a69e6b72f3dc82fd928e79dd5ee95eaf0a59877b5e93864791dc7", "type": "query", "version": 109 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { "rule_name": "M365 Exchange Management Group Role Assigned", "sha256": "12f387e3566dfd84bdb25e5380d9df4277a814500ce2286d1b624994ca9552d8", "type": "query", "version": 213 }, "98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 102, "rule_name": "Kubectl Configuration Discovery", "sha256": "f1ce3b64d18b203d2a5640f04f3f140a038e195d7d299e1891dcd2e4cd5b0c67", "type": "eql", "version": 3 } }, "rule_name": "Kubectl Configuration Discovery", "sha256": "33897dd8a858f989c8a73f3f64ff7d370670cc9d413c2f2b022a4b1ef3ca0e10", "type": "eql", "version": 103 }, "98cfaa44-83f0-4aba-90c4-363fb9d51a75": { "min_stack_version": "9.2", "rule_name": "AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts", "sha256": "36a458a86040717891dffe0223608c244d185d931205bbeee4113444efced15a", "type": "esql", "version": 2 }, "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780": { "rule_name": "M365 SharePoint Site Administrator Added", "sha256": "dd4667aa3346d5aaf3c34b89d393074ecf11bf0188f022df8a39f52ad5c089a9", "type": "query", "version": 2 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "Deprecated - AWS EC2 Snapshot Activity", "sha256": "f018635a33a67f68ce5ed0b514c90f9a136b4bb3e7d4b2991c4d51c8bc7cb121", "type": "query", "version": 212 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "rule_name": "Process Injection - Prevented - Elastic Endgame", "sha256": "a0bffa98b85b5302f04968bd516704fa0a3f9b1d3c9378af798ce9ddbae69612", "type": "query", "version": 105 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { "rule_name": "Suspicious Installer Package Spawns Network Event", "sha256": "10b68299303c79e2f3f73069791e5403b756335bc4d4d502987b6d7352fd276b", "type": "eql", "version": 113 }, "994e40aa-8c85-43de-825e-15f665375ee8": { "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "e6d17410dec032b711ab184de223d6a66583d99ce4761d37339a5dfddd2d61d4", "type": "eql", "version": 116 }, "9960432d-9b26-409f-972b-839a959e79e2": { "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "97c6179e37d6a79ce2058fadfe181ef06473676782811c2c2c42619d9ef9d70f", "type": "eql", "version": 314 }, "999565a2-fc52-4d72-91e4-ba6712c0377e": { "rule_name": "Access Control List Modification via setfacl", "sha256": "14fa79860f040a253d5c11c72158206f1e5d8427bf093ceea28e56c485e5deb0", "type": "eql", "version": 107 }, "99ac5005-8a9e-4625-a0af-5f7bb447204b": { "rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query", "sha256": "a2d97fff1bd846c160d0686891ff780be940567b549646c42ea3501261c01f27", "type": "eql", "version": 3 }, "99c2b626-de44-4322-b1f9-157ca408c17e": { "rule_name": "Web Server Spawned via Python", "sha256": "310b1e61d9b41741178106b8ba4ed0c827b48f8a08a902c110a7820c4292770e", "type": "eql", "version": 106 }, "99c9af5a-67cf-11f0-b69e-f661ea17fbcd": { "rule_name": "Potential VIEWSTATE RCE Attempt on SharePoint/IIS", "sha256": "bb8b21db9e5d74586d51fb821124a37c98917348d26a72bccecddea93d210c28", "type": "query", "version": 1 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Spike in Failed Logon Events", "sha256": "258d2a4aff6f38a12e7faee6637ec4ac5c3e839daa6ead4587fd9871bbdc57ae", "type": "machine_learning", "version": 108 } }, "rule_name": "Spike in Failed Logon Events", "sha256": "6c2a61bfd4d95da96708ad6dd4ffad62c9111f9ab7950b025deef83d487990df", "type": "machine_learning", "version": 208 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security (Elastic Defend)", "sha256": "9a34f25056907f42962de240e218fc715885d5e29636b34368c1b817e89a3e25", "type": "query", "version": 108 }, "9a3884d0-282d-45ea-86ce-b9c81100f026": { "rule_name": "Unsigned BITS Service Client Process", "sha256": "e5e1fcb9ece7005ef0bf2067c7f44e12d243276d89aa4b0a9100bfab5196ca5c", "type": "eql", "version": 5 }, "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { "rule_name": "Potential Shadow File Read via Command Line Utilities", "sha256": "e8efbccb131f12cbf2af6152d092d09160eccb18d0bf83fc5d299a3bb5ed419a", "type": "new_terms", "version": 213 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "rule_name": "Suspicious Explorer Child Process", "sha256": "df0048d2667b6c222cfdce393bfaed7e9c0b0ff9f393e1e2179394241e1acdf9", "type": "eql", "version": 315 }, "9a6f5d74-c7e7-4a8b-945e-462c102daee4": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 102, "rule_name": "Kubeconfig File Discovery", "sha256": "308de3e9eb7308216c0635af6334abd3db7814ad46abf18c269f84d999abd623", "type": "eql", "version": 3 } }, "rule_name": "Kubeconfig File Discovery", "sha256": "952491df2d553d81ac6123388594fb05d3495f6ad8592f77c734e2f8c1ec0938", "type": "eql", "version": 104 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "3810a0fccc9e811440eae244a951df04360e69e721dfcf8f30aa58e24469f983", "type": "eql", "version": 316 }, "9aa4be8d-5828-417d-9f54-7cd304571b24": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", "sha256": "da64cc799df3d7b93ccb5ae04e3e099d02a697837a05f18e35f295b53e2747fb", "type": "eql", "version": 10 }, "9aeca498-1e3d-4496-9e12-6ef40047eb23": { "rule_name": "Suspicious Shell Execution via Velociraptor", "sha256": "6b99269e68808661c7b097b7da16cf8d7325e44f45bb3d3d2420dc40f42bcdd8", "type": "eql", "version": 4 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { "rule_name": "GitHub Owner Role Granted To User", "sha256": "8c4046c8e10aa286e834471735eccdfa372b1419bfbe3dfca6713b231951221e", "type": "eql", "version": 211 }, "9b35422b-9102-45a9-8610-2e0c22281c55": { "rule_name": "SentinelOne Alert External Alerts", "sha256": "68730c7058c78efbdb1fa839ed203894407fe046b9db371d79697927d04df699", "type": "query", "version": 1 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "rule_name": "Persistence via WMI Event Subscription", "sha256": "374c1fe670e524331c98bbb4ec7592c692b262eb48d79de575d8a792ab4a3eb2", "type": "eql", "version": 319 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", "sha256": "08b7cbc1fe957a8e96b47412dde3a48dee6dd1c2196e026c8300003adc915044", "type": "eql", "version": 10 }, "9c0f61fa-abf4-4b11-8d9d-5978c09182dd": { "rule_name": "Potential Command Shell via NetCat", "sha256": "e984f394b7db575dabb5ab5eae23ab9c57ebb2227b9f11c38f7cad14f9f9a7bb", "type": "eql", "version": 2 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { "rule_name": "Hosts File Modified", "sha256": "2a3d34af24f45fc01ea0f0bcd3ba685e5a5caa3780e1818985ea77f40f1e9ffc", "type": "eql", "version": 214 }, "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": { "rule_name": "Unusual Interactive Shell Launched from System User", "sha256": "9ece81aaee4ed5b034cf8a085367eaccce1145402d65119600ff18fed390a0d4", "type": "new_terms", "version": 6 }, "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "19de9f9fc0e3eecf2d6c781ee13ed518693898c4ae017773ae00935a3c0461b8", "type": "eql", "version": 115 }, "9c951837-7d13-4b0c-be7a-f346623c8795": { "rule_name": "Potential Enumeration via Active Directory Web Service", "sha256": "0c85320dda4c263897f73786db5f64709cee15a949bdeb737af5e0699732c8d8", "type": "eql", "version": 7 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "b196224da05961cc60a8e23ab01d266096b0a93b7052944f664f549754b8f810", "type": "eql", "version": 315 }, "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { "rule_name": "Google Workspace User Group Access Modified to Allow External Access", "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd", "type": "query", "version": 104 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { "rule_name": "Trusted Developer Application Usage", "sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349", "type": "query", "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "81212b96cde03acf5a34ba614c8863dcc6824d7342a7a9bb0de627b78ae23a56", "type": "new_terms", "version": 318 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "a5a2120ba773b49b0c59e22922b4d05a1af99a127f4a6bdf1f9aee20e15bedcf", "type": "eql", "version": 319 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "c7e89da2a2aa3a6c364cad023a1d462109ad48931c034f3dbd9796b13a413f5a", "type": "eql", "version": 220 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "0982e8339b388a70826a63e397b5e247bacd15c4aa96fa2be11d965afd150e48", "type": "eql", "version": 214 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "42048d40cc9b676d20a7f287ad562321f8a39036183d95d04b769aebead1de85", "type": "new_terms", "version": 321 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": "934d4f4f579d6487e86d38b573a7fedca4169097d8914b5859aedc7ba96931f5", "type": "eql", "version": 212 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { "rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading", "sha256": "1f613942d9635e2ee4408f035335dc11248c2834c138baa4e331d1a0ec21274c", "type": "eql", "version": 111 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "17a28b4dce20cb1cb51218cf838490173d818ace7c6afb91e9ecee3e1b61b565", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Linux Process Calling the Metadata Service", "sha256": "f8d8912ae2d8039dc804a4fb2851251923c29ebace475dcf20f4bd3b87bcc4fa", "type": "machine_learning", "version": 207 }, "9d312839-339a-4e10-af2e-a49b15b15d13": { "min_stack_version": "9.3", "rule_name": "Direct Interactive Kubernetes API Request by Common Utilities", "sha256": "d0d094b1f3d2824d3f539e132c5573e5b8d9e94f113705086cb90fc35438b8dc", "type": "eql", "version": 3 }, "9d94d61b-9476-41ff-a8d3-3d24b4bb8158": { "min_stack_version": "9.3", "rule_name": "Tunneling and/or Port Forwarding Detected via Defend for Containers", "sha256": "f8be6f477a2da1a7d940956c6dbc04076b17f5ab491021aaa8b623554c49eae5", "type": "eql", "version": 2 }, "9e11faee-fddb-11ef-8257-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Authentication Type", "sha256": "c99ca37b4a4b58fb57cfc77836e72bbe603e86068b3ea86669df86ac64e69d76", "type": "new_terms", "version": 8 }, "9e5dbd3b-5e19-4648-a1cf-c2649c91b015": { "min_stack_version": "9.3", "rule_name": "Namespace Manipulation Using Unshare in a Container", "sha256": "e432f9cf681f15c99f6ef764b574776af1db178c2e2367382ffb482750acf8f5", "type": "eql", "version": 1 }, "9e81b1fd-e9fb-49a7-8ebe-0d1a14090142": { "rule_name": "Potential Password Spraying Attack via SSH", "sha256": "3cbe10aca00d7c1efe266e506d7f5a7d57600ad6207ecce6d61f2bb650737630", "type": "esql", "version": 3 }, "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28": { "rule_name": "Potential SSH Password Grabbing via strace", "sha256": "c9bef573b3f690c4d008b46914f0168b42c2944eb1945c737c89d8a76e6f4aa4", "type": "eql", "version": 3 }, "9ebd48ac-a0e2-430a-a219-fe072a50146b": { "rule_name": "AWS CloudTrail Log Evasion", "sha256": "b08fe11bdf17d81c9516472a841db7993c175996a06773032ef7b92282f89ebc", "type": "query", "version": 3 }, "9ed5d08f-aad6-4c03-838c-d686da887c2c": { "rule_name": "Okta AiTM Session Cookie Replay", "sha256": "39164513ba294600eae6f1e6a7d5ac56cf28a69c5d48983ffe6a3f7ce5639f99", "type": "esql", "version": 3 }, "9edd000e-cbd1-4d6a-be72-2197b5625a05": { "rule_name": "Suricata and Elastic Defend Network Correlation", "sha256": "2ab8e7a7800653b9e37968900393df0f9f2f5d33441573121f0280acbe34c2cd", "type": "eql", "version": 4 }, "9edd1804-83c7-4e48-b97d-c776b4c97564": { "rule_name": "PowerShell Obfuscation via Negative Index String Reversal", "sha256": "b33c684120dc6f9e6274cf518cc990c7730ed0e47045a4cb79d4cf11bb098b76", "type": "esql", "version": 10 }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", "sha256": "22b08b978d2a7ffdaf6487814a21eac8a8b3882f05c0c72938e5ada70b2f223d", "type": "eql", "version": 9 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "rule_name": "Potential Protocol Tunneling via EarthWorm", "sha256": "de326157f887fe153178406c21d4c6d5b7083d7b37989d95fbe88cc3b47cf107", "type": "eql", "version": 216 }, "9f432a8b-9588-4550-838e-1f77285580d3": { "rule_name": "Dynamic IEX Reconstruction via Method String Access", "sha256": "a51bf01a5df76390c908b50a4a9b7c3fb2cdad0ed9c8e0c55d50b16b67c240d7", "type": "esql", "version": 12 }, "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f": { "rule_name": "AWS IAM Long-Term Access Key First Seen from Source IP", "sha256": "427dd26601fe597a174af7d832b94eb1a8f5786d002b426dd2946745d63601c8", "type": "new_terms", "version": 2 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via DCSync", "sha256": "9c42ae537b615ded60d491c0690bcaa728c5fe70c54e4d67b5d0a21a63b88776", "type": "new_terms", "version": 221 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { "rule_name": "File Permission Modification in Writable Directory", "sha256": "d93040becd8bbf8f42f58453634aae7a7ea3e2544497b11c5ebe435f07c4b01b", "type": "new_terms", "version": 216 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "8795f294df2824f66b4130cdff5d174717d9981c7dd6f859e37bbcb28b3c398b", "type": "new_terms", "version": 319 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "rule_name": "Unusual Scheduled Task Update", "sha256": "c67025ab0d89afff2e717de898cb55d5689c8aad67826167a03b0cd4c9bc284b", "type": "new_terms", "version": 118 }, "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { "rule_name": "Potential Privilege Escalation via Python cap_setuid", "sha256": "e33dee9e1e0472fe7b4bb95a33a85484750138d145fa1fd68bad0ec533d1e2db", "type": "eql", "version": 9 }, "a0fbd7a9-1923-4e05-92df-b484168f17bc": { "rule_name": "Sensitive File Access followed by Compression", "sha256": "4229ab56c54c29e2fee1021f6509406944d50803d252c497dd310d99fed68335", "type": "eql", "version": 2 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { "rule_name": "GCP Pub/Sub Topic Creation", "sha256": "b7563d73159d22dee91b57c70d5c21d5a8a4e1bda6dac44d4d928cd855957b07", "type": "query", "version": 110 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { "rule_name": "InstallUtil Process Making Network Connections", "sha256": "e62636c003eda020e0336d2bf353771df79401bc70067f267bf5059c2bce00dc", "type": "eql", "version": 212 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { "rule_name": "File Deletion via Shred", "sha256": "5efdf2a253cb05a0a0e2d843c94d7196d97edc860d48285c4275b8aa17f1887f", "type": "eql", "version": 216 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "253c914e9293edebec6c7faf581b9cef1faa6bab72fc5ae1ce5284af5d7a0a04", "type": "eql", "version": 213 }, "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": "015324413a84362600add02b8df771116af2de4f119d3868ab9425704251e0d8", "type": "eql", "version": 215 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { "rule_name": "GCP Virtual Private Cloud Route Deletion", "sha256": "5c9184b7bbce98b4980ceaaf2d6c8d70b16c21ace2d1ecb51d7c6cfb7050a0dc", "type": "query", "version": 109 }, "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { "rule_name": "My First Rule", "sha256": "63fb939bf754aaa427be9132c2868915140e558a8c69ce185d547593c05ab4ba", "type": "threshold", "version": 5 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { "rule_name": "Potential Reverse Shell Activity via Terminal", "sha256": "1933279eb0a1f69eecd6e4e705790232b200372e83e832ecfb52e1319e301f5e", "type": "eql", "version": 112 }, "a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d": { "rule_name": "Azure Storage Account Deletion by Unusual User", "sha256": "352c5821d7eca95826730550a43559e960148a7696f8b66ee023fbedc192978c", "type": "new_terms", "version": 2 }, "a1b2c3d4-e5f6-4789-a0b1-c2d3e4f5a6b7": { "rule_name": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity", "sha256": "c3bf694ddbb0183b499e816bed860e55e57086d6f8bee87f6eead524f76a96ff", "type": "esql", "version": 1 }, "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": { "rule_name": "Potential Account Takeover - Logon from New Source IP", "sha256": "3eb049e7a57e256acae41fb8b3da9603ace0b0d8167ea059564a83f64cc7a5b2", "type": "esql", "version": 3 }, "a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": { "rule_name": "Entra ID Protection Admin Confirmed Compromise", "sha256": "54a26dec737e913d13398210e60b5e0765bc4f57976293f5c9666910f23ef99a", "type": "query", "version": 3 }, "a1b2c3d4-e5f6-7890-abcd-ef1234567890": { "rule_name": "GenAI Process Connection to Suspicious Top Level Domain", "sha256": "c597b499c50eebdee9b57239e803b09995c9099b189f7337ed6bc1c272e861ea", "type": "eql", "version": 1 }, "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": { "rule_name": "Web Server Suspicious User Agent Requests", "sha256": "f069dfa7e85bd95eea645793c221cb5329e75544f6b1b6646cc55a104a95ee7f", "type": "esql", "version": 5 }, "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { "rule_name": "Linux Group Creation", "sha256": "d0040002c9b7c60e5e303893dd4a5ca29f8df89596c3191f76c6af9d7d2eaf06", "type": "eql", "version": 11 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "rule_name": "DNS-over-HTTPS Enabled via Registry", "sha256": "1094a50c56d7017e3b7cacacb46da4f3f742a1927fcbbd986b23e9f2cb7b8632", "type": "eql", "version": 317 }, "a22b8486-5c4b-4e05-ad16-28de550b1ccc": { "rule_name": "Unusual Preload Environment Variable Process Execution", "sha256": "8ee49a67c0bedcc25c790e6d57a0835f5748dc89b35eb4dd6c0736231edeace1", "type": "new_terms", "version": 6 }, "a22f566b-5b23-4412-880d-c6c957acd321": { "rule_name": "AWS STS AssumeRole with New MFA Device", "sha256": "6935a7b9fd5f67e312b06f45233bc7e9e6e832dc3f93a9c0b1f84cb7624bb384", "type": "new_terms", "version": 8 }, "a2795334-2499-11ed-9e1a-f661ea17fbce": { "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", "sha256": "8ffc100a7b1d4ce6518d28c266f7b80ca1898c4505645909bdfea0f8f22ac297", "type": "query", "version": 112 }, "a2951930-dd35-438c-b10e-1bbdc5881cb4": { "rule_name": "Kubernetes Cluster-Admin Role Binding Created", "sha256": "e69d0cfdb03d64b04b04b0301086a748d32f13d2f828a3b71177061780ee9f68", "type": "query", "version": 2 }, "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "rule_name": "PowerShell Mailbox Collection Script", "sha256": "55d54469459e3e10c63d48e5b841cec3199fb5050e041092c06301b26217a960", "type": "query", "version": 113 }, "a300dea6-e228-40e1-9123-a339e207378b": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", "sha256": "553c6e6e65c43d5ee933841dbf34f7d9a9ea80e08e543900e277036686cbddfa", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", "sha256": "a296f2e27d0d4e3f4f6c7ab90fc49f8f4a0b4c14d49775288666a234e4b403b2", "type": "machine_learning", "version": 104 }, "a337c3f8-e264-4eb4-9998-22669ca52791": { "rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected", "sha256": "c842a49d9921b27647b6349ad118e5d70cd985461f2b819bf9fa5f5a4a11bae3", "type": "esql", "version": 2 }, "a3cc60d8-2701-11f0-accf-f661ea17fbcd": { "rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client", "sha256": "38c9a1b455477aee830f90a89dae1d703f545c3d857cf4262153a23b2e0c80ba", "type": "new_terms", "version": 6 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "rule_name": "Execution via local SxS Shared Module", "sha256": "45e496a5db75cfaeacfff862a81984feb874e83dda47302b806b3018d6b902b8", "type": "eql", "version": 315 }, "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { "rule_name": "AWS EC2 Instance Interaction with IAM Service", "sha256": "7f99f097bb57ddc1941d88331bcbee883d0ab39981bc2f9b36b90e3de2a4f6ed", "type": "eql", "version": 4 }, "a4b740e4-be17-4048-9aa4-1e6f42b455b1": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 100, "rule_name": "Spike in GCP Audit Failed Messages", "sha256": "640606acf483065052865e9a6e801d491b8afb375423dfb06058d87b0b54b602", "type": "machine_learning", "version": 1 } }, "rule_name": "Spike in GCP Audit Failed Messages", "sha256": "0293cbc3c1b896acdee5fb53bfe925958fc9d5ec773806a13d9e468e89a65005", "type": "machine_learning", "version": 101 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { "rule_name": "Windows Registry File Creation in SMB Share", "sha256": "494c2ead2012b6ac1746c05e790ae1b33e01a2c4944d8d5ceea9b180635be2eb", "type": "eql", "version": 114 }, "a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a": { "rule_name": "Kubernetes Secret get or list with Suspicious User Agent", "sha256": "e46a2fbbff2a97fc224bcfc204b6da19f6797f396c7f45d04837c9c0e237ffc6", "type": "query", "version": 1 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { "rule_name": "Network Connection via Mshta", "sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17", "type": "eql", "version": 100 }, "a4f7a295-aba1-4382-9c00-f7b02097acbc": { "rule_name": "Suspicious SolarWinds Web Help Desk Java Module Load or Child Process", "sha256": "787d2f5521dc4499fb6b01d857d4e2f1c96bb9acf94725a4dc16764d99962411", "type": "eql", "version": 2 }, "a52a9439-d52c-401c-be37-2785235c6547": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Deprecated - Netcat Listener Established Inside A Container", "sha256": "fd8969a55ab13b838a1e6d7c81ce6d0a88af0b34bec2c1e8ecd214505daf0196", "type": "eql", "version": 4 } }, "rule_name": "Netcat File Transfer or Listener Detected via Defend for Containers", "sha256": "7e3bfec1c4781db2d7417c710ec2883216a3b33ff5bfd0292f1c72cf76b48f18", "type": "eql", "version": 105 }, "a577e524-c2ee-47bd-9c5b-e917d01d3276": { "rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary", "sha256": "ac4f1de021eef140be9defb824c7e9ee6b9253d4f74b46a48f745b35d636d7ee", "type": "new_terms", "version": 5 }, "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { "rule_name": "Potential Reverse Shell via UDP", "sha256": "682586bdb044ed6ab9f2d86aa3803980638ce1756f871292eca8c0f20adae25e", "type": "eql", "version": 12 }, "a5f0d057-d540-44f5-924d-c6a2ae92f045": { "rule_name": "Potential SSH Brute Force Detected on Privileged Account", "sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22", "type": "eql", "version": 5 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 314, "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "ce3fd44cac75566f4e140bffa3f637c3283d0882621b0b5f292369e185473e54", "type": "new_terms", "version": 216 } }, "rule_name": "AWS IAM Assume Role Policy Update", "sha256": "527325250cfdd394de8beb2562d3f3d0b44210d85cdfb77b26cfbcbb2c56a852", "type": "new_terms", "version": 317 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "rule_name": "Entra ID PowerShell Sign-in", "sha256": "5d891782faacde7c072c3f8e3819b0e10c0932cbea16e27587b86081ee4e243e", "type": "query", "version": 110 }, "a6129187-c47b-48ab-a412-67a44836d918": { "rule_name": "M365 Azure Monitor Alert Email with Financial or Billing Theme", "sha256": "34085bc10fd883d07e4593354c15c2b5a740f637f8f8a0dac8b18c02556d89dc", "type": "esql", "version": 2 }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "rule_name": "Threat Intel Windows Registry Indicator Match", "sha256": "13b8297ead30f89bf1e834ac869dc0d250d9ed0b8604dea85acc5c85584ada84", "type": "threat_match", "version": 9 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", "sha256": "61beceda1e8d0cc9099934a9ad0a0bcae06126b1650941b03a8b4e36c8c1f191", "type": "eql", "version": 320 }, "a640ef5b-e1da-4b17-8391-468fdbd1b517": { "rule_name": "Execution via GitHub Actions Runner", "sha256": "ea34a8cd8b428ffac29baa616dc58a516e9d24a3ae30c3525c5fdf5478d1bc34", "type": "eql", "version": 3 }, "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { "rule_name": "AWS S3 Bucket Server Access Logging Disabled", "sha256": "6ce6628461a895263040879ad1dfccf958216ebc96b9c795d5b3ce688836c641", "type": "eql", "version": 7 }, "a68da7d6-7eab-45bd-97c5-93b469c0706e": { "rule_name": "Shell History Clearing via Environment Variables", "sha256": "947c4f4f578b77ec8de5b9313a87559740ab6d5272631cd859175d57e2c06c80", "type": "eql", "version": 1 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", "sha256": "0aef85561df73b765eb845f8de00dd44020df10da07314fb87273d339f48199e", "type": "eql", "version": 113 }, "a6d4e070-b9b9-4294-b028-d9e21ad47413": { "rule_name": "Entra ID Protection User Alert and Device Registration", "sha256": "310fb191964cd8a1481bfde5eabce117f3b6e1f1134007c7bb846f0d233c50c7", "type": "eql", "version": 4 }, "a74c60cb-70ee-4629-a127-608ead14ebf1": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "High Mean of RDP Session Duration", "sha256": "54d4c476c777d29b060e86d324c7eccca8db5647602b0b9efa9792822185c764", "type": "machine_learning", "version": 9 } }, "rule_name": "High Mean of RDP Session Duration", "sha256": "0cf7caa172c255e31f5dcf206ca1101b180773c822559efef5ad87fde3d2d054", "type": "machine_learning", "version": 109 }, "a750bbcc-863f-41ef-9924-fd8224e23694": { "min_stack_version": "9.3", "rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers", "sha256": "31e7a49e77598252a554c7de32610e73a9bcd249edd8f11c4d792f3e14f2916d", "type": "eql", "version": 3 }, "a7577205-88a1-4a08-85d4-7b72a9a2e969": { "min_stack_version": "9.2", "rule_name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal", "sha256": "b08945299b2979bc5b4cb397789d41998ee6fc5b71db51bfe41012ad68ba8e2b", "type": "esql", "version": 3 }, "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": { "rule_name": "Execution via OpenClaw Agent", "sha256": "a9fb3ddbff42c0d57d6e0002f0d6155ea00cf381999b2af63577940aa8776c47", "type": "eql", "version": 4 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "rule_name": "Suspicious Print Spooler SPL File Created", "sha256": "9a80dda429d15a1d127b965b832c36ae3ecc37b8d11e618da12fd5c3d7c2d9db", "type": "eql", "version": 118 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "09188e85df6c935a817c69aff47b5bb33c503487e0fb04907d556b52211719f9", "type": "eql", "version": 317 }, "a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f": { "rule_name": "M365 Purview Security Compliance Signal", "sha256": "d963fc1b077051067a8bc042f00ec72e4f00312ac6bc459bfacda7b80c2b9ec4", "type": "query", "version": 1 }, "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": { "rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User", "sha256": "26c16152fd28558423e9c60d5393ad5482ec38ef5492aeb15ecfb8587231fddc", "type": "eql", "version": 3 }, "a80d96cd-1164-41b3-9852-ef58724be496": { "rule_name": "Privileged Docker Container Creation", "sha256": "a43c4cce90f10259b7f083ff5adbd8eca3f9cc3b122406f30ace77a409419d1b", "type": "new_terms", "version": 7 }, "a80ffc40-a256-475a-a86a-74361930cdb1": { "rule_name": "AWS IAM SAML Provider Created", "sha256": "8d2440f5b8111e88075595c64071b426a241d0e78819f05d6c66caeca7046f04", "type": "query", "version": 3 }, "a8256685-9736-465b-b159-f25a172d08e8": { "rule_name": "Suspicious Curl to Jamf Endpoint", "sha256": "c823ebf0672517c8ed1929f4379c1fac131417b4c0dca9ef94e1dea1560ad82a", "type": "eql", "version": 2 }, "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { "rule_name": "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker", "sha256": "84fcc460d0f329b6494b2756d4cb004798d5c54d8f76ee6b19ac2b149fc59a3a", "type": "query", "version": 8 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { "rule_name": "Web Application Suspicious Activity: POST Request Declined", "sha256": "5477bb1770d6318e393bcc2afa8bb0beb8c77aa1af475f245c7cb193b9f51338", "type": "query", "version": 105 }, "a87d49f0-24ae-4d6e-a0b4-5fd2f6188d6a": { "min_stack_version": "9.3", "rule_name": "Kubectl Secrets Enumeration Across All Namespaces", "sha256": "dd2e61c000cb7733d1035682841ea2bd21ce20c73dc2b64c291657550b304ab2", "type": "eql", "version": 1 }, "a8aaa49d-9834-462d-bf8f-b1255cebc004": { "rule_name": "Authentication via Unusual PAM Grantor", "sha256": "f46594fa786a8d96dc492f49de6a09e7c4bf69b2f8f6bba7fc371fe01c0140c3", "type": "new_terms", "version": 6 }, "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { "rule_name": "Suspicious File Downloaded from Google Drive", "sha256": "b083c7c924a0947dc0048039147a36632af5a70ced0a58b91f8d089faa8cf44f", "type": "eql", "version": 9 }, "a8b08d2d-6dfe-453f-87d1-11d5fc3ec746": { "min_stack_version": "9.3", "rule_name": "File Download Detected via Defend for Containers", "sha256": "dd24216e43c8d2d97f235518778ef26185e2277d713a56fc385c92a5ed05305b", "type": "eql", "version": 3 }, "a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0": { "rule_name": "Newly Observed ScreenConnect Host Server", "sha256": "42aea7c755e89c2bd3dc07f143d1900120f97192aa9e1d3400c34f98c42e26eb", "type": "esql", "version": 3 }, "a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": { "rule_name": "Azure Storage Blob Retrieval via AzCopy", "sha256": "4cafd5b1d72e9099750d39514142a06221336044dc6ab66d5df8acf39358c552", "type": "new_terms", "version": 3 }, "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": { "rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand", "sha256": "55145a5b782b65b05f5834f544ec591950f607a59669ef53b3cf1cd0dfce7950", "type": "esql", "version": 4 }, "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "High Variance in RDP Session Duration", "sha256": "f9c8c7c261451895bad9202f8a232c6e4062e1d272ece1ec51d009c841579e71", "type": "machine_learning", "version": 9 } }, "rule_name": "High Variance in RDP Session Duration", "sha256": "3f9e29581657650330798e93e0d4b843c0de67a256b30133da018e49aca461f2", "type": "machine_learning", "version": 109 }, "a8f3c2e1-4d5b-4e6f-8a9b-0c1d2e3f4a5b": { "rule_name": "AWS IAM Sensitive Operations via Lambda Execution Role", "sha256": "722248fbd97f34880ac46f44b6881220135ab96b0ffbff1f45977226ab809dde", "type": "query", "version": 1 }, "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", "sha256": "bd9b1c164a07769ffeb8aeb475e7e3e4f8d0a0787d5e419ee1ca1e160d2149c9", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", "sha256": "8a3a0a541278d7abc6675acd56413d6d3ec869a0bebfb0ef0bbb8f846c5adfc5", "type": "machine_learning", "version": 104 }, "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f": { "rule_name": "React2Shell (CVE-2025-55182) Exploitation Attempt", "sha256": "a60f77fb20413deff742fb48c1ef902bdd8a712ed6eacc619eceaf824f93bfbe", "type": "eql", "version": 1 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf", "type": "query", "version": 100 }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { "rule_name": "M365 Exchange Email Safe Link Policy Disabled", "sha256": "6b995af6f7a66f483caeb7f4b0ed5e4fbce766890078ac36b73135b287bebc97", "type": "query", "version": 213 }, "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { "rule_name": "Google Workspace Password Policy Modified", "sha256": "ab5be5778aeb2192c5a6b094c17c63ba6bec949da499eff193f5208975a9bf86", "type": "query", "version": 210 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "3b30278eb35bd453721b5e6a3709354920655bc529e57a4de4d76c5c1194a794", "type": "eql", "version": 215 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "rule_name": "IPSEC NAT Traversal Port Activity", "sha256": "165337503847ed379edc1c1e54e7503406682e6849717aa2668355066215f1c6", "type": "query", "version": 110 }, "aa1e007a-2997-4247-b048-dd9344742560": { "rule_name": "Script Interpreter Connection to Non-Standard Port", "sha256": "e45fd015a2a23f9dae370bf76c6835579ef979403f82f2256fcf2c71dadae0e8", "type": "eql", "version": 2 }, "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Spike in Group Lifecycle Change Events", "sha256": "117615ae9f7bbcdf2f22d30db030b964809f545f13d82041ceafa1c2b45773da", "type": "machine_learning", "version": 4 } }, "rule_name": "Spike in Group Lifecycle Change Events", "sha256": "65061d6e84d85ff3f20ca8420b9fb9f8bad47f3264055c2fd6c4347a74673750", "type": "machine_learning", "version": 104 }, "aa8007f0-d1df-49ef-8520-407857594827": { "rule_name": "GCP IAM Custom Role Creation", "sha256": "08a46011d52f72f80b008709b145d97420698886ef6cd771ecba32a0ed3ac316", "type": "query", "version": 109 }, "aa895aea-b69c-4411-b110-8d7599634b30": { "rule_name": "System Log File Deletion", "sha256": "7633b03ab034572bab063198511ae4e111488b09f58f32812662c42da32b9762", "type": "eql", "version": 218 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "rule_name": "Remotely Started Services via RPC", "sha256": "6044bf376ccf04ea41cce6830f9e16bb0e4e844f7476ebbddb782cf23d5f3dc4", "type": "eql", "version": 218 }, "aaab30ec-b004-4191-95e1-4a14387ef6a6": { "rule_name": "Veeam Backup Library Loaded by Unusual Process", "sha256": "40212eadfc73ddc6d9f2fba89b444a4f0646b6c991c6f16e3b33e61216bb6cda", "type": "eql", "version": 6 }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "rule_name": "Threat Intel Hash Indicator Match", "sha256": "e2a2498e73e3f61c27758713a85c042b5c136d49093f9f6e33faaf38267ece36", "type": "threat_match", "version": 10 }, "aabdad51-51fb-4a66-9d82-3873e42accb8": { "rule_name": "GRUB Configuration Generation through Built-in Utilities", "sha256": "27610c9d7787e7f52bb7ead9aef37e9fb044dd6430bbe3d6769401682fde8596", "type": "eql", "version": 6 }, "ab25369e-ea5e-46f1-9cd5-478a0a4a131a": { "rule_name": "Multiple Elastic Defend Alerts by Agent", "sha256": "ca36982b65f983afbd58ef8087bb1e67f1468ce5ff36888897cfda5e08b2e4f6", "type": "esql", "version": 2 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", "sha256": "800ec5ed633507891479b778135ca7c8a5269e65744649d1d8a0ea40408dc5d7", "type": "eql", "version": 123 }, "ab7795cc-0e0b-4f9d-a934-1f17a58f869a": { "rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)", "sha256": "9eb2c45dfa3291e5f9ceaf2caf261fbed05150c8688cdfc93f3c7731b5759f90", "type": "eql", "version": 3 }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "rule_name": "AWS S3 Object Encryption Using External KMS Key", "sha256": "8ccdf67f1d4b379fa6cc68be39217c56969856cc4f90870f049c0942c6268d93", "type": "esql", "version": 12 }, "ab9a334a-f2c3-4f49-879f-480de71020d3": { "rule_name": "Unusual Library Load via Python", "sha256": "7a0ef5b6fa33fef315d70305319e2f28b52ecf4bcd373708a98ffb1312146928", "type": "eql", "version": 2 }, "aba3bc11-e02f-4a03-8889-d86ea1a44f76": { "rule_name": "Perl Outbound Network Connection", "sha256": "1199004d18d11cefa9e43650db5c565969e006d67b5da5d7cb5ec77c33114b01", "type": "eql", "version": 2 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 309, "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "bb1a749f861f7459448bb4e1a2eb19dc2a26f353fb57634eed0ccea7218f3cff", "type": "machine_learning", "version": 210 } }, "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "9a73061513a45d35de86697c4b677a0b2e5dbc1f1d9a84b7f5d0d24234dda985", "type": "machine_learning", "version": 310 }, "abc7a2be-479e-428b-b0b3-1d22bda46dd9": { "rule_name": "Google Calendar C2 via Script Interpreter", "sha256": "cd3aac05b993742d0c467053b7548c79623f2da5a4d979c6abe448b797d3411c", "type": "eql", "version": 2 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", "sha256": "3458d345ab11b49c4e091f9cf2f1b6535e27e905407265f7ac9aef9dfb91564b", "type": "query", "version": 112 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "rule_name": "Suspicious WerFault Child Process", "sha256": "f72e495d77718926a77986259bf53a198b1fd96ed96ead06aa95fc1b3bb9cd6d", "type": "eql", "version": 420 }, "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { "rule_name": "Git Hook Created or Modified", "sha256": "d613f940d2dddc9dad9333b8188f60d43dc30443a11f82c3821da4d4ac7cf4f7", "type": "eql", "version": 108 }, "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "rule_name": "Outlook Home Page Registry Modification", "sha256": "3453811ef45dfeac70ddf054126131c00f9dc9bc32ded269570d7ed0d3c660f1", "type": "eql", "version": 209 }, "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "rule_name": "WPS Office Exploitation via DLL Hijack", "sha256": "8d4e2f6cb5d21f8244e59e8c3b20856df8349b82ee18227dc9c8ee312213e81a", "type": "eql", "version": 105 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 312, "rule_name": "Unusual AWS Command for a User", "sha256": "6329bd421d92474b7b724414f883a3a46da0190498df4f628e370b759c237af3", "type": "machine_learning", "version": 213 } }, "rule_name": "Unusual AWS Command for a User", "sha256": "39f69f2d45fbc7e8dc0ec930f3b66d28754b3502bea0b2b1b8d0a8b7a229d199", "type": "machine_learning", "version": 313 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server", "sha256": "17ae9656179a2b6fb7f79aea315027f19f3111acdcf84c547588963f22d80cda", "type": "eql", "version": 11 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "3f9b5483fae2eb0413c7c38ead3683419d62efc4ed179f45151f5383ccff6ef4", "type": "query", "version": 216 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", "sha256": "72223005ab05d709e4988e024d34920e78f0de89f73f36f865dace15179a2abc", "type": "query", "version": 211 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { "rule_name": "Potential Command and Control via Internet Explorer", "sha256": "5df363ed16d64f340d500cc7c16cf64ac44edbe112391910d8559bcf4cfeede5", "type": "eql", "version": 111 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { "rule_name": "Potential macOS SSH Brute Force Detected", "sha256": "ad378adde9bbf820b6da8dd6764e50a48c987669c717ca222e023f1a01b17553", "type": "threshold", "version": 112 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "6e6fcdde0fee19516c1e5836d84451a1720fa05f69d37486795cb309731a5d0f", "type": "eql", "version": 315 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { "rule_name": "Signed Proxy Execution via MS Work Folders", "sha256": "b2f6c9bec79b6a35c9205b12fefba6eea6a3d58cc512e07f94ff0aedc61f79d0", "type": "eql", "version": 317 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { "rule_name": "Proxy Port Activity to the Internet", "sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10", "type": "query", "version": 100 }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { "rule_name": "Google Workspace Custom Admin Role Created", "sha256": "c7bbefa6cd24512e29b52401dd4e13dae67b32db59c469837cc5157d7fb8f7ad", "type": "query", "version": 210 }, "ad5a3757-c872-4719-8c72-12d3f08db655": { "rule_name": "Openssl Client or Server Activity", "sha256": "8ee09f0722e3d4094b5116fcd3ccdf47c8466d3dedaf45a2bce8131e571a5590", "type": "eql", "version": 108 }, "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 104, "rule_name": "Decline in host-based traffic", "sha256": "d3443af533d8c9c71544393bbb3528bab9f2a4528d9d339f101e5d8628f1a384", "type": "machine_learning", "version": 5 } }, "rule_name": "Decline in host-based traffic", "sha256": "a9db6c29e8b8c460f4f349d40a9db66f98d86d48043a2c992b7cb77ae0d82c0c", "type": "machine_learning", "version": 105 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "51d7f733e3374dcbe3976ae51a6bc313af267acc5db56d25e523260a910d942b", "type": "query", "version": 217 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { "rule_name": "Kerberos Cached Credentials Dumping", "sha256": "7e0e9edcd353321915ab04263138fc1a2c2cd6827c51ba0fe5874b5472b53d0f", "type": "eql", "version": 111 }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { "rule_name": "Suspicious APT Package Manager Execution", "sha256": "750bf0616ef3c52e7f9c6631ec3e3cfea69beba6673151f2e6c6e12bd6e124ca", "type": "eql", "version": 111 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "File Transfer or Listener Established via Netcat", "sha256": "9a8cd6f888fb568bcebde8a607523abff1e1b5f2093b48a188b2627cf7128d9f", "type": "eql", "version": 216 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", "sha256": "25f56d2f9491f0092ef37953f27c85ac8fb17360040a148f54492118de0a5e17", "type": "eql", "version": 14 }, "ae32268b-bfd0-4c35-b002-13461b5830ca": { "rule_name": "AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN", "sha256": "16982d441cf7c3bd9a76f4382a9c20f7c5a0b6c0d541357c5d9ee793ea06855f", "type": "query", "version": 1 }, "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { "rule_name": "Suspicious File Creation via Kworker", "sha256": "6e872d7e24f0c0631132efe9f516b618480f9f40705f831a449c368918b4bb77", "type": "eql", "version": 111 }, "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b": { "rule_name": "Suspicious React Server Child Process", "sha256": "8fc6e17b6f87f1749ad3b2ec19e38059ad1d2b55818befec965af351912cd17d", "type": "eql", "version": 3 }, "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "883090677565ee7aa2d93b1e7f79a7aa9d9ea846e70568a4cba3893649ac00bd", "type": "eql", "version": 211 }, "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "rule_name": "Shared Object Created by Previously Unknown Process", "sha256": "178fb249bd43c2383b67d1411b9fb257d092c368cea0ac05d03be5b785d42606", "type": "new_terms", "version": 15 }, "aeebe561-c338-4118-9924-8cb4e478aa58": { "rule_name": "CrowdStrike External Alerts", "sha256": "037f1bbd2a34edbd83be30b5fe879ea4147544e216a7ecf2e0337b876b72ec45", "type": "query", "version": 2 }, "af1e36fe-0abd-4463-b5ec-4e276dec0b26": { "rule_name": "Linux Telegram API Request", "sha256": "0a3c43255d3c95aedd0f97b4e22701b135b6b447294478eeb2109f17a773414d", "type": "eql", "version": 5 }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "Entra ID OAuth Device Code Grant by Unusual User", "sha256": "4fc095fc9ea36c19a1fb10bbbbccdb154cdd62f352e4dae8ea2ae5159c322f82", "type": "new_terms", "version": 10 }, "af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": { "rule_name": "Okta Alerts Following Unusual Proxy Authentication", "sha256": "654269218ea4d36e4c6c44c897f0d1045a8e3958ec8ada141505606d41445514", "type": "eql", "version": 3 }, "afa135c0-a365-43ab-aa35-fd86df314a47": { "rule_name": "Unusual User Privilege Enumeration via id", "sha256": "7d10e6efd142a09f199ae3461997c14ec7ea789aa43adcd41b7177e7664189c9", "type": "eql", "version": 10 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "rule_name": "Local Scheduled Task Creation", "sha256": "29f6f4c86ee173e96f81e6df15192dbe3420e73d4bde62a8efc9a4a338676008", "type": "eql", "version": 213 }, "afd04601-12fc-4149-9b78-9c3f8fe45d39": { "rule_name": "Network Activity Detected via cat", "sha256": "c7ba64794076705bc9730b99d67877072cc6f9ae46d2bea1a55cc73dab2a3ebc", "type": "eql", "version": 12 }, "afdca1e0-0f8a-4fcf-9e1e-95e09791e3cd": { "rule_name": "Curl Execution via Shell Profile", "sha256": "90ee59b3a454a03021437f01fc2442fd3503fe941f69d4a9b7fda0d1ca4af237", "type": "eql", "version": 2 }, "afe6b0eb-dd9d-4922-b08a-1910124d524d": { "rule_name": "Potential Privilege Escalation via Container Misconfiguration", "sha256": "7f9907f21f21b24e6aac00e4e7706f5dbc9c8ab5891e9ece18d88f30aaec68da", "type": "eql", "version": 11 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "rule_name": "Timestomping using Touch Command", "sha256": "4fd7e132e755404d1ae3176095c943d11912cc430d74e29e24622bf7b9118cf2", "type": "eql", "version": 110 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", "sha256": "2de0c7e6afc5a090ed826fbef600250fcaf3386d0dea5229916795bef6153462", "type": "eql", "version": 111 }, "b0450411-46e5-46d2-9b35-8b5dd9ba763e": { "rule_name": "Potential Denial of Azure OpenAI ML Service", "sha256": "d051b64ad0087c58738ea692d5e4f34df38958811cba31ac68d403b214bdfb77", "type": "esql", "version": 5 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "rule_name": "Netsh Helper DLL", "sha256": "b7f6e527b15faa58aea7339a5470321f39e1884c6936aae54c724743a99b9b66", "type": "eql", "version": 208 }, "b07f0fba-0a78-11f0-8311-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Web Service", "sha256": "8dee5585853fc2cc29d0a3fa86c34646de7bc439f3082c135445169f367d5ede", "type": "new_terms", "version": 6 }, "b0c98cfb-0745-4513-b6f9-08dddb033490": { "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables", "sha256": "e448d9b59d2f49b4c015b5980d16a6a35c92a493127292ce515a5a6d268491f6", "type": "esql", "version": 11 }, "b11116fd-023c-4718-aeb8-fa9d283fc53b": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 102, "rule_name": "Kubeconfig File Creation or Modification", "sha256": "6a08ab8625a65609aa0bef37ef07d25179e617112666f1746d309fc4c5863570", "type": "eql", "version": 3 } }, "rule_name": "Kubeconfig File Creation or Modification", "sha256": "c170db655cc983bc2f7399ca8f83b883daa93945d755cb705d587cfed18454bf", "type": "eql", "version": 104 }, "b15a15f2-becf-475d-aa69-45c9e0ff1c49": { "rule_name": "Hidden Directory Creation via Unusual Parent", "sha256": "a716f97119f1a7d01b1d42ed01f50aa1449a2b0330b185499e04caa530245f62", "type": "eql", "version": 106 }, "b1773d05-f349-45fb-9850-287b8f92f02d": { "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", "sha256": "e961ffee8a9b22251e73628ba1a1675421a7f04f8279b096b29fa3ec412f31c1", "type": "esql", "version": 7 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", "sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed", "type": "query", "version": 100 }, "b2318c71-5959-469a-a3ce-3a0768e63b9c": { "rule_name": "Potential Network Share Discovery", "sha256": "d7a2f1e37fdf49243ac43e4049ebc1395e41378971a27a1bbc4df975c9ac465a", "type": "eql", "version": 110 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", "sha256": "6f5749f79295a76dfb8b39ad7c7cd307890d4e6907b1978e040776de3c977e5b", "type": "machine_learning", "version": 108 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", "sha256": "9cbdcf3fafd22659be1b5e8eea827bb8893cc7512c49d88c46dd4cde92880ee2", "type": "eql", "version": 218 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { "rule_name": "Deprecated - M365 Security Compliance Unusual Volume of File Deletion", "sha256": "34ec15b2762501830ba72e2159a10d9fa8710df212375f979160411eb08ffcb5", "type": "query", "version": 213 }, "b29b7652-219f-468b-aa1f-5da7bcc24b03": { "rule_name": "Potential Traffic Tunneling using QEMU", "sha256": "3bed4972669528914c4056e133fe899c9b4d6e66d957bce8d06c418ce3f1a32e", "type": "eql", "version": 3 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "rule_name": "Network Connection via Compiled HTML File", "sha256": "df2d7525dd2d1f86cbcda0b5d9da2f2a62195e24e8a9a26ea63b47ecc7a2a7d4", "type": "eql", "version": 214 }, "b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e": { "rule_name": "Azure Storage Account Deletions by User", "sha256": "9f4fc0bbadb6f42109d9f6264472caa5cfbd9ae6935c6b3e0a098c00ede91f06", "type": "threshold", "version": 2 }, "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": { "rule_name": "Potential Account Takeover - Mixed Logon Types", "sha256": "fec263f1a8e25a341fbc4d919058aefe36ed0aa33d27a7bef776cc039a301126", "type": "esql", "version": 3 }, "b2c3d4e5-f6a7-8901-bcde-f123456789ab": { "rule_name": "GenAI Process Compiling or Generating Executables", "sha256": "fcd00363e060ee80ac289741c1c9004fa4bbe11c759b50769070b13d5466008b", "type": "eql", "version": 3 }, "b2c3d4e5-f6a7-8901-bcde-f23456789012": { "rule_name": "GenAI or MCP Server Child Process Execution", "sha256": "26ee62ae8a201d334f1e43011a5acaa008ecb5e19c928b921faa25e0d95582b0", "type": "eql", "version": 3 }, "b2f8c4e1-6a73-4f1e-9c2d-8e5b0a1d3f7c": { "rule_name": "AWS EC2 Role GetCallerIdentity from New Source AS Organization", "sha256": "24583dae8dc1aba73158f2983e7c0a370cbddc64cdf80ad1a3ed2b84d9ea8870", "type": "new_terms", "version": 1 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Linux Username", "sha256": "ebac0be3cc98660cdc22804d5fb5347f782deed7f06851e8d9774d2b80988cf1", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Linux Username", "sha256": "a673ca8052fc4de0d8f2386e8976429868d4129e24c96fe5d0352c5de423237f", "type": "machine_learning", "version": 207 }, "b36c99af-b944-4509-a523-7e0fad275be1": { "rule_name": "AWS RDS Snapshot Deleted", "sha256": "ba3d38a0e3792f9fc94cbca598270b727fea2afd947bc1a201a93fd18ce7746b", "type": "eql", "version": 9 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "378bd1d2c1a58cde20ec32623670281d8a2167d171f8bfd09ec3a767c466ab03", "type": "eql", "version": 322 }, "b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": { "rule_name": "Suspicious Python Shell Command Execution", "sha256": "6cdfde87acbd94abc4aa15493236dc5cc3d5ba2b9477e6a84979cf1309c83e1f", "type": "esql", "version": 4 }, "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "572bc27e692189379dafcde1361251f5e3e288eabd3bf6783395dc77d479a941", "type": "eql", "version": 216 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { "rule_name": "Potential Persistence via Atom Init Script Modification", "sha256": "aa4c16259c4ca94dffd3cb61e6cdba1aa20599065aaf7ae56a8a21eb1b08a65d", "type": "eql", "version": 111 }, "b45ab1d2-712f-4f01-a751-df3826969807": { "rule_name": "AWS STS GetSessionToken Usage", "sha256": "b0f5631b927606bf9cd543de35f1eb1f4e1a5a5655e0dcc70fa9ef1b9dc1fd81", "type": "query", "version": 211 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "rule_name": "At.exe Command Lateral Movement", "sha256": "d31b85a4a0c3afbb2fa6829eab9297104af0e9d5fb668fe2f19260b5b0303df0", "type": "eql", "version": 108 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "rule_name": "Attempt to Delete an Okta Policy", "sha256": "09cc425582bd4ac3d390cbb63c58e980708b2e3f438f39b376f3f2a95b4a2346", "type": "query", "version": 415 }, "b4bd186b-69c6-45ad-8bef-5c35bbadeaef": { "min_stack_version": "9.3", "rule_name": "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers", "sha256": "ea1e6c16c05f513bef9a7fce9aea0e625892b08e71fb0657730605a640764afd", "type": "eql", "version": 2 }, "b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c": { "rule_name": "Kubernetes Rapid Secret GET Activity Against Multiple Objects", "sha256": "3116ce1fbded5e4cc884ac4a680158bc2822f8ed3e02e97ac4223252d5d278c3", "type": "esql", "version": 1 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", "sha256": "8184ab730ee2e991794ad836b1317d48d6b4ea0e58c4fc42fb00db88f9ca8bef", "type": "eql", "version": 10 }, "b53f1d73-150d-484d-8f02-222abeb5d5fa": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 101, "rule_name": "Kubernetes Direct API Request via Curl or Wget", "sha256": "df70d0745c16f105c5b28d1558cd717f10f40ed6dc2158b67f3455c357249582", "type": "eql", "version": 2 } }, "rule_name": "Kubernetes Direct API Request via Curl or Wget", "sha256": "5848bf5a4bd044df06ef95227df444a60c1471ca1bcb5523d37347327c87dc52", "type": "eql", "version": 104 }, "b5877334-677f-4fb9-86d5-a9721274223b": { "rule_name": "Clearing Windows Console History", "sha256": "ec49b73ddecb2a3d97ae0249883658375bafc409d58d3f59db1174f5aaeb3f85", "type": "eql", "version": 320 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "22aeae9e6e806d1a9e4216f3485b6f9bc573e3efebfcb756f488b3510e88378c", "type": "eql", "version": 317 }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { "rule_name": "Systemd Service Started by Unusual Parent Process", "sha256": "0021061d622b59482f91129c9afd828047712d6ca62d4a338937389e67656e41", "type": "new_terms", "version": 8 }, "b625c9ad-16e5-4f16-8d38-3e9631952554": { "rule_name": "AWS CloudShell Environment Created", "sha256": "5c7433e67902ee4b52322b5abc5120bfc4053b3280ef95a2a30a852c97a66aaf", "type": "query", "version": 3 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { "rule_name": "Elastic Agent Service Terminated", "sha256": "a72ebf831df03c21d401b9f11214fb6941e12203f4375308a7cf89f9a8d39865", "type": "eql", "version": 114 }, "b64b183e-1a76-422d-9179-7b389513e74d": { "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "c8097fa09dce15e87aeff4ba80fdb83d373b329e1e3c1253d68ead481505686a", "type": "eql", "version": 215 }, "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "rule_name": "Potential Veeam Credential Access Command", "sha256": "05e08f6a48db8458789f9657614baed791232ae181993e95ccdf444a38300d81", "type": "eql", "version": 210 }, "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", "sha256": "0a84161e37b3038a5efaae0ed7135d830767e9480bffeb05bdba6fb297f50e2c", "type": "eql", "version": 110 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "14d28d7f25487dce62c1587886b4b74480f9c2a4198f69e2e55470d4d623e08d", "type": "query", "version": 109 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "fc573fd91afba592e2599a9f648c7f7c87ba1b94a672fe37c1f1bc6f40fc905a", "type": "query", "version": 415 }, "b799720e-40d0-4dd6-9c9c-4f193a6ed643": { "min_stack_version": "9.3", "rule_name": "File Creation and Execution Detected via Defend for Containers", "sha256": "4e1519a4656adf5de7dc890fa4f66a7b9a90263c36d67d8096b6835ad4f17220", "type": "eql", "version": 1 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", "sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3", "type": "threshold", "version": 4 }, "b7e2a04d-4f8a-4e12-8c9a-1d5e6f7a8b9c": { "rule_name": "FortiGate Configuration File Downloaded", "sha256": "b65dfbbd01ddf09e8bd7de4c17e9af0caeda5f94219d9520352f4f63c62a2c71", "type": "eql", "version": 3 }, "b7f77c3c-1bcb-4afc-9ace-49357007947b": { "rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike", "sha256": "3fc38efdfb54c28bd83b93be278e07a0480084d972768a3dac3e6d6187408cb7", "type": "esql", "version": 3 }, "b8075894-0b62-46e5-977c-31275da34419": { "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "d606a36377e206ed6b63e174f9aa93773b33099aaf113724d19e45c60c18555f", "type": "query", "version": 414 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", "sha256": "fa7b67791e4a1c0bddd450fbbbaf999f5c80e8ca6fdcb193e3822be4d331ba5b", "type": "new_terms", "version": 8 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "310b917a14e643bd8b9da746b930eca41250db760858b9591499e47052cc695e", "type": "query", "version": 113 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "372472e0e1be987ba5607f0b0985f7873818d79075d5d551094c911df93db55c", "type": "eql", "version": 418 }, "b84264aa-37a3-49f8-8bbc-60acbe9d4f86": { "min_stack_version": "9.3", "rule_name": "Tool Enumeration Detected via Defend for Containers", "sha256": "37e4e5763b25cbe64d5632bc00bbda463f9ba20fc814a0423fd17c8143dc22a0", "type": "eql", "version": 1 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", "sha256": "8902326fd29e6491af0a64878eb8f4e07e31da66e984848dff33107dfc14dc6f", "type": "eql", "version": 212 }, "b8c3e5d0-8a1a-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Recovery Services Resource Deleted", "sha256": "1b78e1a881f43c3177aead24fc927410356a5d006d1cda47e70d26a9e9641342", "type": "query", "version": 1 }, "b8c7d6e5-f4a3-4b2c-9d8e-7f6a5b4c3d2e": { "rule_name": "AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure", "sha256": "9ee4397ac53d88b12b6a16d40ab8c34703453f21aa536fd9946f4989fc31d8f7", "type": "esql", "version": 1 }, "b8e4c2a1-7f3d-4e9b-8c5a-1d0e6f2a4b8c": { "rule_name": "Potential Credential Discovery via Recursive Grep", "sha256": "6e1f7fd530c168e50461f4e7afc7b92b389edc311ca0657f61cae0b885e3fab0", "type": "esql", "version": 1 }, "b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": { "rule_name": "M365 Purview DLP Signal", "sha256": "e3ef983c1782d0d31d55c56f099f438dbf0e1180aa4222c17d078488f0692878", "type": "query", "version": 2 }, "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "rule_name": "Kirbi File Creation", "sha256": "ecaa3fb532fa9adc94bdd4490159fd87d162a316b180bcc92f9911131f8bbaa3", "type": "eql", "version": 316 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "a458c8f1dd0880bd480c3221aa2fc1e68d92b55fb0a6899029388a4bc3ef00b2", "type": "eql", "version": 313 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { "rule_name": "Chkconfig Service Add", "sha256": "d0cc5c171239dbcb104a7489e747f4fa4712d1f0b9d0c7c2c40c266c6e44d456", "type": "eql", "version": 219 }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "rule_name": "Discovery of Domain Groups", "sha256": "39ff2ecd53d1273176883da80f5c853cba5c7d5cffe7daac11a6b8735507dd0f", "type": "eql", "version": 6 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", "sha256": "58aea1cb23aecb61ecd0ad28ac516172a01ae3e42abf8d9fbb4ef879b389ee77", "type": "threshold", "version": 6 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "e1354aee6d1923e8a2981bf59472687a27e3af9e89fa81c9d248a652d6f15fce", "type": "eql", "version": 214 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { "rule_name": "Creation of Hidden Files and Directories via CommandLine", "sha256": "ccc20438dabf95f6714661407dca782bba70fc5acf468c799afa0997f7cfbd74", "type": "eql", "version": 116 }, "b9960fef-82c6-4816-befa-44745030e917": { "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "5623b8facb7575ee89888665115a6288b762d8c7cae967408f985102c8808ddb", "type": "eql", "version": 317 }, "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { "rule_name": "File Creation by Cups or Foomatic-rip Child", "sha256": "dca11625c815b4157b45c06d2d04e7f72ef5ba0ecdd1fed7cc9cfd8e42cd42ac", "type": "eql", "version": 107 }, "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e": { "rule_name": "Anomalous React Server Components Flight Data Patterns", "sha256": "0c4d821949f83cc7229d9d2a9c117db1c8e639e5e03279e9ec182569ea1e7232", "type": "eql", "version": 1 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 310, "rule_name": "Unusual Windows Network Activity", "sha256": "6dd4b33d728787835db1ae21a3cba7bf99af83a6470d46cbd1476d0dffaa9c59", "type": "machine_learning", "version": 211 } }, "rule_name": "Unusual Windows Network Activity", "sha256": "0833f86da12207c117de1da3165a8d471bbf136effa8f292075b2d66982d01cd", "type": "machine_learning", "version": 311 }, "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { "rule_name": "AWS STS Role Chaining", "sha256": "54a16034019a7ff529433229ee9420420463a6b64f855b1f8182e9c979f31d11", "type": "new_terms", "version": 6 }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", "sha256": "881df1bf3e0d1bd5035f0163b4c6fbea98426fdad7f5e30cd133d408466dfd22", "type": "eql", "version": 8 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "6454e889c2cf1a148a8d04442b4e67982eff43b66dfcdbe6816253576c2ae7b6", "type": "eql", "version": 214 }, "bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": { "rule_name": "AWS SQS Queue Purge", "sha256": "461b925e57497fdcaf88f08873d86a0fb8d0e9ea1252e6c241ef05fffd27a95d", "type": "query", "version": 8 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { "rule_name": "Azure Resource Group Deleted", "sha256": "4966f18990999e99b3a63b622da1f44cd27813206a0d44992e191ef7efd3f6d8", "type": "query", "version": 109 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", "sha256": "72ecee4d940e2c2157819f24ecedf8a8cb830b55105eac72e766fe6ced901463", "type": "query", "version": 213 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "M365 OneDrive Malware File Upload", "sha256": "f04d6d39681c375512b7e813dc80c792d70026ba6d551afbfa7734b166ea15cd", "type": "query", "version": 213 }, "bba8c7d1-172b-435d-9034-02ed9289c628": { "rule_name": "Potential Etherhiding C2 via Blockchain Connection", "sha256": "adf13fd4f74075a1c4d807c951b541af172e2bded395dbbfe1ba42983acd3d22", "type": "eql", "version": 2 }, "bbaa96b9-f36c-4898-ace2-581acb00a409": { "rule_name": "Potential SYN-Based Port Scan Detected", "sha256": "815c666bcc295daeb2243a634ef0d8210a3b075ef8218de881cc4d8e7cb3cfce", "type": "threshold", "version": 14 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "rule_name": "M365 Teams Custom Application Interaction Enabled", "sha256": "826ec6d81ce8b9a10f38fc995c045cd647df5d059bdac072fb532a9260900581", "type": "query", "version": 214 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "rule_name": "Deprecated - AWS Root Login Without MFA", "sha256": "1f43dead85d0d3544a5c39d1e599b0413d8338a3bd86555c4c1259946d0a1686", "type": "query", "version": 212 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "rule_name": "GCP Storage Bucket Deletion", "sha256": "37900dac2079159d4340059ef6567def876171c5672fdfc7278c6c8f0ca6fe79", "type": "query", "version": 108 }, "bc0fc359-68db-421e-a435-348ced7a7f92": { "rule_name": "Potential Privilege Escalation via Enlightenment", "sha256": "e0ba4cc9f179a908179ae1b8fb08501b168e5dd989246796d70691f3f4eff7f0", "type": "eql", "version": 7 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { "rule_name": "Attempt to Install Root Certificate", "sha256": "7acb4cc8693f671522ac4141af3c6f946771d3534b18f6afef6140a69a1b8a52", "type": "eql", "version": 110 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { "rule_name": "Entra ID Conditional Access Policy (CAP) Modified", "sha256": "988c323c28814045bd05e064128d2969aaebf8c51e11e47537a3e2aa3f0767d2", "type": "new_terms", "version": 110 }, "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { "rule_name": "Deprecated - Potential Non-Standard Port SSH connection", "sha256": "a62aee60a38df90f6eeb03a3e144acc5341673270c9a27db837e523ad4a145b5", "type": "eql", "version": 10 }, "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { "rule_name": "File and Directory Permissions Modification", "sha256": "1229abc2361eeaad582a81ee4da6660075a6f9350b3ed2da734f3651b6d383d5", "type": "eql", "version": 4 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { "rule_name": "GCP Service Account Disabled", "sha256": "c37a8742cc3fe968d7ca34eae92c6bbf6d72f20a731a8e600078e0c76f998332", "type": "query", "version": 108 }, "bcaa15ce-2d41-44d7-a322-918f9db77766": { "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "sha256": "56d1f942df83d7f90dce141e8d61ea6c55751a210ce9f2acedfd94a2aea52eea", "type": "query", "version": 10 }, "bcf0e362-0a2f-4f5e-9dd8-0d34f901781f": { "rule_name": "Entra ID Protection Alerts for User Detected", "sha256": "bf979378a73ec562baf65cabd933ec22b6c70d6c288387eed998e3836179e977", "type": "eql", "version": 5 }, "bd18f4a3-c4c6-43b9-a1e4-b05e09998110": { "rule_name": "Manual Mount Discovery via /etc/exports or /etc/fstab", "sha256": "87629b7d4d5b9fc75f1a26d77b396e39a528483a25c72d1238b5ebf5271839b9", "type": "eql", "version": 4 }, "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Spike in Privileged Command Execution by a User", "sha256": "99ea8a26e2591f788b098171cdedaae4b59e16b257d990f96f5dc7fda4e3c272", "type": "machine_learning", "version": 4 } }, "rule_name": "Spike in Privileged Command Execution by a User", "sha256": "7279a20292c17acab33b638a44a567480719079cc6518fe2f59f35f86e1e2cd4", "type": "machine_learning", "version": 104 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { "rule_name": "PowerShell Keylogging Script", "sha256": "2b2c41d8349db184a3dfcf109c0e32f06a4e29eb8036f85956a55e479cedaf1c", "type": "query", "version": 219 }, "bd3d058d-5405-4cee-b890-337f09366ba2": { "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "ceeb8a74a863b5756a29ed6a9a6224998612c5ec72c4b20afaa84daa0dddbff1", "type": "eql", "version": 109 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "f236da0018f3c95714b7f47d42df3c3389fcd252069efa50f02ee8bebb468f09", "type": "eql", "version": 214 }, "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "rule_name": "Deprecated - Potential Pspy Process Monitoring Detected", "sha256": "17aa7bf5c9f4b42c826a680248a06f16bf511e1af4de7d8e86c3e23611e706be", "type": "eql", "version": 12 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "7eaec669020f14dddbe892f76fd4b204a602a2c3cd1cd4174098514f6abc7b6a", "type": "eql", "version": 215 }, "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { "rule_name": "Execution via Windows Command Debugging Utility", "sha256": "caed468a427a737d9f364fbc48acbfd232a094fd7c94911ccb2b0d0c53acba07", "type": "eql", "version": 111 }, "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 210, "rule_name": "Host Detected with Suspicious Windows Process(es)", "sha256": "78e88e33d9c078480535176d94c745523d1b5cdc53faa7f6dc0c4bb98f303dca", "type": "machine_learning", "version": 111 } }, "rule_name": "Host Detected with Suspicious Windows Process(es)", "sha256": "65c718364c96010a79d85d5d5f9d03c5177768aef95e93280491ac2544384804", "type": "machine_learning", "version": 211 }, "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "Unusual Remote File Directory", "sha256": "3b62f382cca1d5aa8845239afb457e39f5a035382660884911727b4dd5f91aba", "type": "machine_learning", "version": 9 } }, "rule_name": "Unusual Remote File Directory", "sha256": "a88cb06ef463fb2f2dd4327dd31c5d47692a0c11539c9e458a25c9f32b348668", "type": "machine_learning", "version": 109 }, "be70614d-4295-473c-a953-582aef41c865": { "rule_name": "Potential Data Exfiltration Through Curl", "sha256": "10a4816f54ea177fa9e3d1289e45f425f1497b53d4964f359dcd7a1cdd2e729d", "type": "eql", "version": 7 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "eb48a9a1d6f3695d16aabc2eac3cb9e8194fb43afd70c67b86f37958aff0734e", "type": "eql", "version": 318 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", "sha256": "4b30455cb83458f81769269a3dcfb5e5d22f50e9966e84c186dacdc5f9522ba9", "type": "query", "version": 214 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", "sha256": "8333574a0bd6910364814cb33d533eeb7ff3ce241fecbde36cde344d754dd008", "type": "new_terms", "version": 8 }, "bfba5158-1fd6-4937-a205-77d96213b341": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 106, "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", "sha256": "f07aa0be2f6927907b2a0cf3a08fffbd806adb3c5bfcc5b8d825a8b68a8e5cb0", "type": "machine_learning", "version": 7 } }, "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", "sha256": "e2736f2b927fe65d4fc0264b0645cba4262fbd1677b221588f935a637edb5e29", "type": "machine_learning", "version": 107 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "0b824a6c76d9e6ba990e3246a364639ed381da6595f7a64e4d7f87c5775b5c41", "type": "eql", "version": 219 }, "c0136397-f82a-45e5-9b9f-a3651d77e21a": { "rule_name": "GenAI Process Accessing Sensitive Files", "sha256": "7c9b692a829b9a52b6aad77ef0ca0d339f3a4ee67c3e4adddb2bafcc92231395", "type": "eql", "version": 7 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", "sha256": "0bd519abe65e56eef7207d3456911a0aaaeb511637bdc1491f081d31cf4b7bcc", "type": "eql", "version": 114 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "b6eebc798b4afada8d3bfa956f8703fcae15edef82c4f929e74945195f9edfee", "type": "eql", "version": 316 }, "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { "rule_name": "AWS IAM Login Profile Added for Root", "sha256": "fc6421375be76d4d0aeb919f460c45ddcd0823a216c78aec752e89f1a089b287", "type": "eql", "version": 7 }, "c07f7898-5dc3-11f0-9f27-f661ea17fbcd": { "rule_name": "Azure Key Vault Excessive Secret or Key Retrieved", "sha256": "6a9647be6235ab05a6f7dfabd7f0d07837ac5d2715b017dd8a41615e3cbda393", "type": "esql", "version": 9 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", "sha256": "9c208b045f8d819107c56a6d07dfab00cbb11c4b5f50381febbaac9d1a06045b", "type": "eql", "version": 4 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { "rule_name": "Credential Manipulation - Detected - Elastic Endgame", "sha256": "c4fa342fec8bd2d9be3a0170fff08f1850375e0660f459377237bfb23cebe615", "type": "query", "version": 105 }, "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", "sha256": "2791043f63074536de6e74909024903fb85f453091d8d74b441586745316aeea", "type": "query", "version": 108 }, "c125e48f-6783-41f0-b100-c3bf1b114d16": { "rule_name": "Deprecated - Suspicious Renaming of ESXI index.html File", "sha256": "2c94180ce81703e6ed2e0d45922383a36583db9bd0d3e62b3068a2abf17b5cc6", "type": "eql", "version": 12 }, "c17ffbf9-595a-4c0b-a126-aacedb6dd179": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 100, "rule_name": "Rare Azure Activity Logs Event Failures", "sha256": "c7ab4512404f799560ec6c788cef728597921e7cd5a135d3d184b219d3352eea", "type": "machine_learning", "version": 1 } }, "rule_name": "Rare Azure Activity Logs Event Failures", "sha256": "e2a374e0c05a03580026cac6094e7fd3d00628dc2cf6965875239f25a04d15b0", "type": "machine_learning", "version": 101 }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", "sha256": "ffae753e96e57c8e771abab86446ad7034e302f6824a3d98b89951e0504bc73c", "type": "query", "version": 213 }, "c18975f5-676c-4091-b626-81e8938aa2ee": { "rule_name": "Potential RemoteMonologue Attack", "sha256": "ca992e1b21d0fb0f0754149fd57b64002ad44fe7f9e500b94ef60dabd6554ff0", "type": "eql", "version": 7 }, "c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collection Deleted by Unusual User", "sha256": "2b8eebb4194717375909b29a3d0a794425d40404f5ccf9adf851172212ad6a63", "type": "new_terms", "version": 2 }, "c1a9ed70-d349-11ef-841c-f661ea17fbcd": { "rule_name": "Unusual AWS S3 Object Encryption with SSE-C", "sha256": "53db6d3be010ac57b9e40bf2d75485e498825d37934550bd8ab3cf91ba0d85e7", "type": "new_terms", "version": 8 }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { "rule_name": "AWS EC2 User Data Retrieval for EC2 Instance", "sha256": "bb336839fab870f4b8ceed4a37e64fa3808c9d4ec3557d5d7eb61cb308f89cab", "type": "new_terms", "version": 9 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "rule_name": "Unsigned DLL Loaded by a Trusted Process", "sha256": "ee0bd1f86590675b1968e6c9acb3c60ff51ea57e2c22d45881495ae30a89caae", "type": "eql", "version": 107 }, "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", "sha256": "85e2710c5bac83b3134e7c2720609257a02d708edb281beb58dc59c73e2de482", "type": "eql", "version": 7 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "fc40884b4f7c36580a2055b06ccce31e99c605042fc0bfad38e16a5124224c40", "type": "eql", "version": 319 }, "c28750fa-4092-11f0-aca6-f661ea17fbcd": { "rule_name": "Entra ID Sign-in BloodHound Suite User-Agent Detected", "sha256": "3bb7c14559704f363959d8ac1e158dcd85bbb01bd5c2d2cf2c3355b5257e5843", "type": "eql", "version": 3 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "34592f9549c2e381560c9c9a7a71bbb31090e65c7531ba8336578f4a2af2563e", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Linux Network Connection Discovery", "sha256": "3dc62da3e3d7eced397232fa5845611453226b59e213bd3c2165f786154ca80d", "type": "machine_learning", "version": 207 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", "sha256": "0e4561214fbcbee7b437528faea36307cf2255abd709788284dc2e7f5a740232", "type": "eql", "version": 113 }, "c296f888-eac6-4543-8da5-b6abb0d3304f": { "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", "sha256": "3928140ff2c2daa2baa63a3c01524bc5693142c460ae8797ab4165dacfd176cb", "type": "eql", "version": 7 }, "c2a91e88-4f4b-4e1d-9c7b-8fde112a9403": { "rule_name": "Kubernetes Multi-Resource Discovery", "sha256": "ba3c836d664df993f5eb60a7daa1e03e7ba8979b31107abda39886337b6eb0fb", "type": "esql", "version": 1 }, "c2d90150-0133-451c-a783-533e736c12d7": { "rule_name": "Mshta Making Network Connections", "sha256": "67d1ef2cd2105b6cecf6813688a2ace55466bd1724113c42d7270a1b06b04c3f", "type": "eql", "version": 213 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { "rule_name": "Permission Theft - Detected - Elastic Endgame", "sha256": "2ce243e8fc579af6ca9724a16a2f30f2190e9528ffef9972a75dcbfe94ce987e", "type": "query", "version": 106 }, "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": { "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters", "sha256": "f813eeef96588e7cc2eb90e1e91b32f2b9304bdb6c040357a4cf1ef6b41f0748", "type": "new_terms", "version": 7 }, "c37ffc64-da75-447e-ad1c-cbc64727b3b8": { "rule_name": "Suspicious Usage of bpf_probe_write_user Helper", "sha256": "7382f00fdf9d126382835eb8bee6dff6b8ee9806023856161c3f82b90b2ca17d", "type": "query", "version": 5 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "fe431606017738cc0bd512442d6aee9241821aa49a4476107d876e8521e564b3", "type": "eql", "version": 415 }, "c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f": { "rule_name": "Azure Compute Snapshot Deletion by Unusual User and Resource Group", "sha256": "a1d9d307839b1e0d90287d6c6ed01a10b4b39429715cb89a1c24aa185ef4492a", "type": "new_terms", "version": 2 }, "c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": { "rule_name": "Suspicious Execution from VS Code Extension", "sha256": "0f323f54766502b2aad2e8d828583874f64015a7eeec98250bf8732f25af760a", "type": "eql", "version": 3 }, "c3d4e5f6-a7b8-9012-cdef-123456789abc": { "rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity", "sha256": "0e3a9be309a444967ebb0ea0d972afde8a15a17b8b25372f908c366b1d81db60", "type": "eql", "version": 3 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", "sha256": "6a1e4a58107207bd64985edd80b630efbfb2c0257405b1e8eb91b08ce480f0eb", "type": "eql", "version": 108 }, "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c": { "rule_name": "Multiple Remote Management Tool Vendors on Same Host", "sha256": "a2a54475f704eefeffbf2dcbcf805691146faa7d3123844010c0c45770bd3871", "type": "esql", "version": 3 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "b2f5778133cc8aec0658f483a77022ff1900c12bf95be595d306fb72db8ed0e5", "type": "eql", "version": 317 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "6bacc434838270cd66c5fd783aca76bc1c83083165ba5a2b6dcff8bc6d8969a5", "type": "eql", "version": 313 }, "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "rule_name": "Windows System Network Connections Discovery", "sha256": "212aaec8993088800bd4d7f70a7332eaf7e5bc714183097e26fb19acf8ebc70e", "type": "eql", "version": 7 }, "c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": { "min_stack_version": "9.3", "rule_name": "Multiple Rare Elastic Defend Behavior Rules by Host", "sha256": "fc81aa909cb501f68b3d1b1b9a5221be71de1100519e486fe5065e5bcb504f44", "type": "esql", "version": 3 }, "c55badd3-3e61-4292-836f-56209dc8a601": { "rule_name": "Attempted Private Key Access", "sha256": "433198f3e83515be6a9fb2d81a58e55f395ca9b6c12755ce513c08a8eccdf886", "type": "eql", "version": 111 }, "c562a800-cf97-464e-9d6f-84db91e86e10": { "rule_name": "Elastic Defend and Email Alerts Correlation", "sha256": "1d45173532d147acd49f542150b35f7e6997ea1d1c48a6d1d776f8414cf10ed5", "type": "esql", "version": 4 }, "c5637438-e32d-4bb3-bc13-bd7932b3289f": { "rule_name": "Unusual Base64 Encoding/Decoding Activity", "sha256": "2d14a4c5396bcc49e6fe161442552ba4adf549a8847239fa8ecdb52c67edeb8c", "type": "esql", "version": 11 }, "c5677997-f75b-4cda-b830-a75920514096": { "rule_name": "Service Path Modification via sc.exe", "sha256": "22e84ad2b75e336fb97f7a6c7a63140dd8f907a4d863e0569c43993bbe498833", "type": "eql", "version": 109 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "7c840986983f33b226bd6ec8dbb5af504749920819a8f73fcf5c660ed9c2debe", "type": "eql", "version": 315 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { "rule_name": "GCP Virtual Private Cloud Network Deletion", "sha256": "2c04fe383e0cbfd24a060a3f7df45e8a67ad83994225466b84eee7b04d91bcb4", "type": "query", "version": 109 }, "c595363f-52a6-49e1-9257-0e08ae043dbd": { "rule_name": "Pod or Container Creation with Suspicious Command-Line", "sha256": "6a5835653ce8a44460f7a6265334f5715cec34eef906940d610adfd93fef4883", "type": "eql", "version": 2 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "70e2670083262dede9e0ac99658ca19c7de178ec58e04799de51dd05c7de93a5", "type": "eql", "version": 214 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "rule_name": "Installation of Custom Shim Databases", "sha256": "c3c888b4c5012aed4c984e2bbe771206e5733964fdc51d7858755a9152742a52", "type": "eql", "version": 315 }, "c5da2519-160c-4cc9-bf69-b0223e99d0db": { "rule_name": "Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt", "sha256": "6b7e94971186501aac3530e4bee4b1247c1391d2aa9afe212581dacb76d121a5", "type": "eql", "version": 3 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "cf437520e3f654ae85ed65b5d0a9052889488f787bfefcf1a529f15710dd1037", "type": "eql", "version": 318 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "rule_name": "CyberArk Privileged Access Security Recommended Monitor", "sha256": "427f6a1dc62cfc31d666ea507e0534d2ccb1b1ab11ded936a7c642aca66c0ac2", "type": "query", "version": 107 }, "c5fc788c-7576-4a02-b3d6-d2c016eb85a6": { "rule_name": "Initramfs Unpacking via unmkinitramfs", "sha256": "670705faa3fa17cf9262d86f5f84c89d2b19a8d98e66695f0d696dd97dee6195", "type": "eql", "version": 6 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "rule_name": "Remote File Download via MpCmdRun", "sha256": "fb2fe11496bbfc2388fa376d8b542bf097de5191513c3955377d9ab1235a6d06", "type": "eql", "version": 320 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", "sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c", "type": "query", "version": 100 }, "c6655282-6c79-11ef-bbb5-f661ea17fbcc": { "rule_name": "Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source", "sha256": "99b9962c6c09378b4025d49a579ee99cb8a9ae0277d461ac8296cc86e51c6e49", "type": "esql", "version": 4 }, "c6b40f4c-c6a9-434e-adb8-989b0d06d005": { "rule_name": "Suspicious Kerberos Authentication Ticket Request", "sha256": "8736d228be608f8444c05b92524b70cad9521695df3889cb526d6ff03c7ca3d5", "type": "eql", "version": 4 }, "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 105, "rule_name": "AWS IAM API Calls via Temporary Session Tokens", "sha256": "98462394a43af08b12e31e4b72725b2ed44e614a442c664eefc4aa99c918bbf4", "type": "new_terms", "version": 7 } }, "rule_name": "AWS IAM API Calls via Temporary Session Tokens", "sha256": "900d6953f4a641966f554449d8d96bb0358a325597f719a61787949c359dcd23", "type": "new_terms", "version": 108 }, "c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": { "rule_name": "Mount Launched Inside a Container", "sha256": "4d00e7499220c3c3a60f9749322ef6e1454af67f7ae410f4f6d7c3f28dff5f95", "type": "eql", "version": 3 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "db008a5c21d6a79b33bf9ea050857ae15016c5c6e40839e50335eb211f5f1295", "type": "query", "version": 414 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "rule_name": "Attempt to Modify an Okta Application", "sha256": "2e4dcf9c3c6df85922d74052995819ef82f67954d3d74e3ce29388cb2497151b", "type": "query", "version": 413 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", "sha256": "5abdcb56935324216ff8d42e978ebb491fbe54cafcc4d7fe8b3ac582d9ad5be1", "type": "eql", "version": 7 }, "c766bc56-fdca-11ef-b194-f661ea17fbcd": { "rule_name": "Entra ID User Sign-in with Unusual Client", "sha256": "2754c97acd73e4a1a90ee94002f7eb0e7e45f5d98ba148f2d48097b6cf7db360", "type": "new_terms", "version": 7 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "rule_name": "Unusual Network Connection via DllHost", "sha256": "968760f56651ba90e6f5231336d0b45578d1163d2f2e90f692dffe853c7a96cf", "type": "eql", "version": 213 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { "rule_name": "Kubernetes Privileged Pod Created", "sha256": "ce477162c8755daf91cd6ec21a989119639bc8eb2c0373f6e74309d5885da2ca", "type": "query", "version": 210 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "rule_name": "Unusual File Operation by dns.exe", "sha256": "5e7a49ea7a36e33b0fee16211e255c693da22703192b2401d1fe49fe7ba2915f", "type": "new_terms", "version": 218 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", "sha256": "3400eb9c633145b2e7439c65f498db5bfb7dcafd680699d908e79e11eda2a0fd", "type": "machine_learning", "version": 110 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", "sha256": "c214ac68f9bcf286e1bb6d40a6982c5bb92697877f85be0a95fbf6efa738cd74", "type": "eql", "version": 112 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { "rule_name": "SMB (Windows File Sharing) Activity to the Internet", "sha256": "10648d7de1f37e2c2263dd57fc51389dffef0106a8e191d1c6011101668c0d04", "type": "new_terms", "version": 111 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "rule_name": "SMB Connections via LOLBin or Untrusted Process", "sha256": "748d8e74b57ecaf308003adab7aad2e238595a50ae2ad8ab015b3f5553d1e10c", "type": "eql", "version": 117 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { "rule_name": "Virtual Machine Fingerprinting via Grep", "sha256": "10971404f4a346079b0483d85790d52dc211b28704722b156c33bb04e4afd15d", "type": "eql", "version": 109 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { "rule_name": "Nmap Process Activity", "sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d", "type": "query", "version": 100 }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { "rule_name": "Parent Process PID Spoofing", "sha256": "df65039d7edf82d347ef415b2522979d9e33f3f6c9dfccfe777461e024aaf91f", "type": "eql", "version": 111 }, "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "rule_name": "Potential Linux Ransomware Note Creation Detected", "sha256": "5970502fee1978894616af37f79e879604513bcf66ed22247fb150855080e587", "type": "eql", "version": 15 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "0a734ad1795c3fce393559e4e4e0ef121722612a0ce4601020f58a7da3a813eb", "type": "eql", "version": 319 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "352973abc5de6aa343cb0a43ebacdc47da892f5ab3ceaee64421d64f9d3f85d1", "type": "eql", "version": 319 }, "c8e4f1a2-9b3d-4c5e-a6f7-8b9c0d1e2f3a": { "rule_name": "AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization", "sha256": "8a3498f14621e9a31ea7d7aba56abfba0a48df0847f409fdbc1aa98c97650e11", "type": "new_terms", "version": 1 }, "c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2": { "rule_name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource", "sha256": "bd1d6bba6db66e65f1767382604d9b24e1294f3a9ffa4af53d24e543b873f322", "type": "new_terms", "version": 4 }, "c8f4a2e1-9b3d-4c7e-8f2a-1d0e5b6c7a89": { "rule_name": "Kubernetes RBAC Wildcard Elevation on Existing Role", "sha256": "8be233686963dcee1e3681959cf8ee8ad11a290cf119c734323ac12993497b94", "type": "esql", "version": 1 }, "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "rule_name": "Potential Masquerading as Communication Apps", "sha256": "cc426be014bfdaeb8153646d980d01ba3d006c7438be1bf1d22e0e29711ea1f6", "type": "eql", "version": 13 }, "c9636a6e-125e-11f1-9cd3-f661ea17fbce": { "rule_name": "M365 Exchange MFA Notification Email Deleted or Moved", "sha256": "094dc18b50795209d755efb3bdd0584e88c9ec87bae1488a08941d8589795aaf", "type": "eql", "version": 3 }, "c9847fe9-3bed-4e6b-b319-f9956d6dd02a": { "rule_name": "Potential Remote Install via MsiExec", "sha256": "1f8c37ec7d8732adc850d44f0551c23cc024a117e900d86c18eddc1e1f5037c1", "type": "eql", "version": 5 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", "sha256": "cc40f7557b619c20a993ef46dd7b17fa103e74bae9608ccdd499efb61aa5b88f", "type": "query", "version": 105 }, "ca3bcacc-9285-4452-a742-5dae77538f61": { "rule_name": "Polkit Version Discovery", "sha256": "9057c8fc734774b49324b875ba5e83569cc77adb125c1abb70688ebfedcdbcc3", "type": "eql", "version": 7 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { "rule_name": "M365 Exchange Malware Filter Rule Modified", "sha256": "40e40f2b6cade21188d70b1cc6876d692ccaf50e173a15c2d7f5bc6e26d1448b", "type": "query", "version": 213 }, "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", "sha256": "2f434bb2fbc6b983bdb724b37e5d80a5191ada3fb55aee8ae2afd61e994acbd9", "type": "eql", "version": 15 }, "caaa8b78-367c-11f0-beb8-f661ea17fbcd": { "rule_name": "Entra ID User Reported Suspicious Activity", "sha256": "942738b94399d43ced484e1f6170b1627d22e29e30946bf629ef8b2978c50837", "type": "query", "version": 6 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { "rule_name": "Auditd Login from Forbidden Location", "sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed", "type": "query", "version": 100 }, "cac91072-d165-11ec-a764-f661ea17fbce": { "rule_name": "Abnormal Process ID or Lock File Created", "sha256": "7741096692f9fe425bdb8c608cb7b6d139ecb608252b6e1bc29bea7446dce8b8", "type": "new_terms", "version": 219 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "rule_name": "Google Workspace MFA Enforcement Disabled", "sha256": "8c2d19d60ea0eca73775d4c700e75c6ce53042b1235213dee6ff1a31e37bb5b1", "type": "query", "version": 212 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { "rule_name": "Suspicious Calendar File Modification", "sha256": "c165e516becec15b1c1aa845d2f5d093956b2a7e28df7cb656de4b393ca6a50e", "type": "eql", "version": 110 }, "cbbe0523-33f3-4420-b88d-5c940d9e72c1": { "rule_name": "FortiGate Super Admin Account Creation", "sha256": "d7217f55364d8322b66e8c599721d64499e35c2cfb070e0b4e9ec22e497896a1", "type": "eql", "version": 2 }, "cbda9a0e-2be4-4eaa-9571-8d6a503e9828": { "rule_name": "Kubernetes Secret Access via Unusual User Agent", "sha256": "5c721d5177cca18be2b221ec5d1a2c3dbecc53be6c90ecc978f09a0ae0be5672", "type": "new_terms", "version": 3 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { "rule_name": "Process Discovery via Tasklist", "sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3", "type": "query", "version": 100 }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { "rule_name": "Attempt to Enable the Root Account", "sha256": "dc65243f14859cec0de10c90d31e854d1dfab19c45872d94ad5938971bf56fe6", "type": "eql", "version": 111 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "rule_name": "Multiple Device Token Hashes for Single Okta Session", "sha256": "276e47f1c1a7661fdcc6d3c2b07f2989d6a5b3e39c40c0dfdf0fd3f7b8bc418b", "type": "esql", "version": 311 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 106, "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", "sha256": "cccf8163251c02a31b7641f4b2d35ec23a5878faccdeab0923ab6cc423dfcdaa", "type": "machine_learning", "version": 7 } }, "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", "sha256": "e2f7d9be525edcabce6a79ec3d4e29a0d63faf3b3ce5c662631e46deee74aeb8", "type": "machine_learning", "version": 107 }, "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { "rule_name": "Google Workspace User Organizational Unit Changed", "sha256": "7ec6f7bcf0fd4a713ff9c6ad38220d76e00bca8d333e36385bc55f3afc788495", "type": "query", "version": 111 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { "rule_name": "GCP Pub/Sub Subscription Deletion", "sha256": "0b14b06375574bc3460aa42b0883902a71dda721561cbc763b1346983d30439d", "type": "query", "version": 109 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "f78afd3ef31ec247c8f93c3bded0ef9093593d4a4242d2da616e845a91d47463", "type": "query", "version": 416 }, "cca64114-fb8b-11ef-86e2-f661ea17fbce": { "rule_name": "Entra ID User Sign-in Brute Force Attempted", "sha256": "504d60716fcab3c62c39017161592cd1f993a179ce83dd9c3d56a64b35a046c1", "type": "esql", "version": 9 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", "sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2", "type": "eql", "version": 105 }, "cccc9be5-d8b0-466e-8a37-617eae57351a": { "rule_name": "M365 Entra ID Risk Detection Signal", "sha256": "80306f186a6e389d65f795a639aa14cc2d0d5e9278ce95f2eadbef633acdebc2", "type": "query", "version": 2 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "1f05b381a736d947775748f47767925c574667300ceab8fba31733fe5f0f0fea", "type": "query", "version": 415 }, "cd24c340-b778-44bd-ab69-2f739bd70ce1": { "min_stack_version": "9.3", "rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers", "sha256": "e426cd61370f7a3337d24e8fa843cb3ff9bc78469f0b54ef7f2f20320130b2e9", "type": "eql", "version": 3 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", "sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25", "type": "query", "version": 100 }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Anomalous Linux Compiler Activity", "sha256": "35c7e422c3df463c1657227267587350013b8a6f6625e624b528caddc9621936", "type": "machine_learning", "version": 108 } }, "rule_name": "Anomalous Linux Compiler Activity", "sha256": "d580170ce5f9b525d575b03481dc0cff351e862ea09c42f5d0d27f1e1567dc86", "type": "machine_learning", "version": 208 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", "sha256": "94cc28cf394367383a56845044b14d18c01451f0e54fcce503353ef789d7d0cc", "type": "eql", "version": 215 }, "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { "rule_name": "Downloaded URL Files", "sha256": "e7da9e328dc068e58d02c3588b1b8169288b6dc8641369ffef8fa2f3dd2a7da5", "type": "eql", "version": 9 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "d062e4cdfbd30c711e2dc526868a474e5bed707bf2cd718b1b73f589d6d63332", "type": "eql", "version": 419 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "rule_name": "Okta User Session Impersonation", "sha256": "d1e454f298e77b0999edbb6252ad1bb10f84eff94a05ea0522b3bb3c02859802", "type": "query", "version": 416 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "rule_name": "Potential PowerShell HackTool Script by Function Names", "sha256": "4be76e64dd78a60dd653583d166ff23a96f61d81cc9540d321047abcbecc57ac", "type": "query", "version": 221 }, "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { "rule_name": "Shadow File Modification by Unusual Process", "sha256": "fa212f11ff7dc31c458f4c5b4a44abf511bad5178eaab6a43dd2471e02b8de8b", "type": "eql", "version": 7 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "cb096a6dea392aedfc4158c3ea6faa4bbc4ba5dc20f240c5c486db678b44a67e", "type": "new_terms", "version": 208 }, "ce08cdb8-e6cb-46bb-a7cc-16d17547323f": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 101, "rule_name": "Unusual City for an Azure Activity Logs Event", "sha256": "30df431b2784b5a707dfdd493977ad52e071e6ea4ef199bc4a1474e010c0f823", "type": "machine_learning", "version": 2 } }, "rule_name": "Unusual City for an Azure Activity Logs Event", "sha256": "e8a2532663bc99ed107bd3f71dfca99a418b5e691dd0c8311d997b2dcbcf37e7", "type": "machine_learning", "version": 102 }, "ce4a32e5-32aa-47e6-80da-ced6d234387d": { "rule_name": "GRUB Configuration File Creation", "sha256": "8171cdc003b23ecc74cd941913d99aa321de69230dc036f86df3e89ee88cc8a6", "type": "eql", "version": 6 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "d05044b0347897f56e49915d07ac39e23e1ccd2ce9e72cc40f427e958b496251", "type": "eql", "version": 318 }, "ce73954b-a0a4-4f05-b67b-294c500dac77": { "rule_name": "Kubernetes Service Account Secret Access", "sha256": "f037b6877c9466fa03677ff27ac9dc757799db083eafb89b01048fb5fb2e5336", "type": "eql", "version": 4 }, "cebabc1e-1145-4e39-b04b-34d621ee1e2c": { "min_stack_version": "9.3", "rule_name": "Shell Command-Line History Deletion Detected via Defend for Containers", "sha256": "979ca3e8ac0709e5e783a63e0ca0ccd14744cb170a17f6cc02fa41296d31801d", "type": "eql", "version": 1 }, "cf2b8cf5-3364-4396-b551-42aae9b6d37e": { "rule_name": "AWS SSM Session Manager Child Process Execution", "sha256": "503d37331fe7187fb01b1d447fea2925952becaaadf1c18dccb8337fd23ad792", "type": "query", "version": 1 }, "cf307a5a-d503-44a4-8158-db196d99c9df": { "rule_name": "Unusual Kill Signal", "sha256": "87b48799b45644f192a3001a0f4b89af47c77b4ee43ae485b40c621af5497e63", "type": "eql", "version": 2 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "rule_name": "Cobalt Strike Command and Control Beacon", "sha256": "1b90eba9a9e009732a4566d19620ff6a110c5d3ed75e1459e87850d2b6fa4d07", "type": "query", "version": 108 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "rule_name": "Domain Added to Google Workspace Trusted Domains", "sha256": "03ce40b74fdb6629caa18779e5369e9b7cb5144ddcc273d2708ffb29de856174", "type": "query", "version": 210 }, "cf575427-0839-4c69-a9e6-99fde02606f3": { "rule_name": "Deprecated - Unusual Discovery Activity by User", "sha256": "13f9e9049c5bddcdde9abfd3501c2925eb76c07771c5c7a4c2e3cc40842774e0", "type": "new_terms", "version": 3 }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { "rule_name": "Trap Signals Execution", "sha256": "5d1c2a7fa37d485677c9525e57187ee14cae40657b6b37b87075a86b32fd53f2", "type": "eql", "version": 6 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "1cf0003b3ca2311e92a88d6dfe5f2172d9c346610169fa2fe67cca1dbb6e51da", "type": "eql", "version": 322 }, "cffbaf47-9391-4e09-a83c-1f27d7474826": { "rule_name": "Archive File with Unusual Extension", "sha256": "b3379c22774ddf7b3ad4cd9061769227cc13b67a811eed8e01aef15ddbb008eb", "type": "eql", "version": 4 }, "d00f33e7-b57d-4023-9952-2db91b1767c4": { "rule_name": "Namespace Manipulation Using Unshare", "sha256": "7ce775edec6e2b9fd8f1f5e9790a1455232f7e73618d25ead665bd65ef08c238", "type": "eql", "version": 116 }, "d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03": { "rule_name": "FortiGate Administrator Account Creation from Unusual Source", "sha256": "7daf11e701fa16bab823faa10886c4ccaae4187b0fb8c0bd88c578e3fb308798", "type": "new_terms", "version": 2 }, "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 102, "rule_name": "Deprecated - AWS Credentials Searched For Inside A Container", "sha256": "b2a40d71fd9d37d3049115575c0b2fb19ff325ffd3ffd71b963d514ce7feb28f", "type": "eql", "version": 3 } }, "rule_name": "Cloud Credential Search Detected via Defend for Containers", "sha256": "152389ffbec21b8c6cf4900a221557e3cbba23580dac8dcec675d8f6d38962d7", "type": "eql", "version": 104 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "rule_name": "Registry Persistence via AppInit DLL", "sha256": "b4f7eba2bacf2674558ed2020f01ac7344ecff673f119c66d8bf69963e5bdcd2", "type": "eql", "version": 317 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "91f370c60039a671e72337449587aafc3949520d1bc4a0aad944f952d97292f6", "type": "eql", "version": 319 }, "d121f0a8-4875-11f0-bb2b-f661ea17fbcd": { "rule_name": "Entra ID ADRS Token Request by Microsoft Authentication Broker", "sha256": "7b37bd4e071c45f94202000f79dbdb61c43277a88f56832e69af3e5209713192", "type": "query", "version": 4 }, "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { "rule_name": "Expired or Revoked Driver Loaded", "sha256": "5ce22bd1666f3e32e386cc8496062f37329380d440efdd91c6fe1802dc7323dc", "type": "eql", "version": 10 }, "d197478e-39f0-4347-a22f-ba654718b148": { "rule_name": "Compression DLL Loaded by Unusual Process", "sha256": "b8ef92cb19cb52e0bd7fb40cff7396636355fc683271c5bf1dbbd88a63e7753c", "type": "eql", "version": 6 }, "d19a2399-f8e2-4b10-80d8-a561ce9d24d1": { "rule_name": "System Binary Symlink to Suspicious Location", "sha256": "83f4835ace6e0cacb08b95892e3708076af8aa86de8a18edb56b641b451e2d61", "type": "new_terms", "version": 5 }, "d1b37c0b-4f8b-4cfb-9a1d-639bf8c028b7": { "rule_name": "AWS Rare Source AS Organization Activity", "sha256": "3aa90af79b03b53c743e4dcd0fd751c08cd550e2cc7cd3d6befd75fe1f03aa3c", "type": "esql", "version": 1 }, "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { "rule_name": "AWS EC2 Instance Console Login via Assumed Role", "sha256": "61f85c45874c50154a1dccbfdaa725b0313fe326ded94f01931dc0e5d05735c1", "type": "eql", "version": 8 }, "d1ee711a-a3ba-4d73-b5ab-84cab5b37fb3": { "rule_name": "Curl or Wget Egress Network Connection via LoLBin", "sha256": "ce203e6ef36a4f383860bdf870609761df68e02c57e8d531399a85f8423111d2", "type": "eql", "version": 2 }, "d1f310cb-5921-4d37-bbdf-cfdab7a6df9c": { "rule_name": "Privileged Container Creation with Host Directory Mount", "sha256": "75d684bf84179e6a25e644ac7d2db82a2d829dfdf5935cebecd941e03db6bf7d", "type": "eql", "version": 2 }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", "sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6", "type": "query", "version": 100 }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { "rule_name": "Potential Microsoft Office Sandbox Evasion", "sha256": "762e4b15bacae2524f2eb4f6453f08cbabda5dc4ec577ed0a48d96b0f24b35df", "type": "eql", "version": 111 }, "d26331be-affe-46b2-bf4e-203d0e2d364c": { "rule_name": "AppArmor Profile Compilation via apparmor_parser", "sha256": "46f9b9dcc7c864ded6022aca5cdf7d66a3c6b1c46ede076a0e7cbbfcd22e3366", "type": "eql", "version": 1 }, "d2703b82-f92c-4489-a4a7-62aa29a62542": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Region Name for Windows Privileged Operations Detected", "sha256": "7d7f91e46122ecfa96e68cf202a12ce57732a41f839a42d4fb9c06d5e92c3f06", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Region Name for Windows Privileged Operations Detected", "sha256": "0cedef065a88abd73d1662ab02552fdeee793d2ccf56f8eb78f729788dd786cf", "type": "machine_learning", "version": 104 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "d7a79c8c0bd79359418e9da37bf2de94c0807cd52386fb3373d97586dd42a0f4", "type": "eql", "version": 318 }, "d32f0c27-8edb-4bcf-975e-01696c961e08": { "rule_name": "AppArmor Policy Interface Access", "sha256": "540ec9c59c4ac14e4d8d22452a9727e0b44f48c1495a3a435a5f31c1d189dd96", "type": "eql", "version": 1 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { "rule_name": "Clearing Windows Event Logs", "sha256": "5bc1c4710d8d050588cfa022146eb44a57881fee2248fe986267feba1f4b5e51", "type": "eql", "version": 322 }, "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "rule_name": "Remote Windows Service Installed", "sha256": "351040da536a8a222689ecf0d8ab1ba90a409e476f1222298de6b66d923d882d", "type": "eql", "version": 114 }, "d3551433-782f-4e22-bbea-c816af2d41c6": { "rule_name": "WMI WBEMTEST Utility Execution", "sha256": "51c7d5aa91a02787b7a35cb450939619d0c1ce259e63a6fb6071f939b1b10e98", "type": "eql", "version": 107 }, "d3b6222f-537e-4b84-956a-3ebae2dcf811": { "rule_name": "Splunk External Alerts", "sha256": "f378f24577665171fd3b33d5b1172def6d1fa3fa89da6e34e50c43d6f969e922", "type": "query", "version": 1 }, "d43f2b43-02a1-4219-8ce9-10929a32a618": { "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", "sha256": "5159602762205589013e36bbd555824dadecd1d06e4df9e447253d043ff44ff9", "type": "esql", "version": 11 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", "sha256": "dde2f1948e3783288c5dda0fd4b020d47ac4e2ebc6daebe917d4a373dac35ab9", "type": "eql", "version": 113 }, "d488f026-7907-4f56-ad51-742feb3db01c": { "rule_name": "AWS S3 Bucket Replicated to Another Account", "sha256": "6bd7b6a580b9950f4a7a1d4911e00797056e57451d2c13d8236fa85a164dfcc6", "type": "eql", "version": 8 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "rule_name": "Attempt to Delete an Okta Application", "sha256": "e0d1d6ba9b6ddf06ad72a0643f809d174cf9219b545d4dafb9b3c180160d2b19", "type": "query", "version": 413 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", "sha256": "f8132f6b4f1aa63e9d8e5d21d90394f93a1b56d7bf48aee2bb0c885b3549587b", "type": "query", "version": 105 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 206, "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "6627f591ca6d6b6c00b13706a2d600da692be5dda59b7cc6c0e071c43106075d", "type": "machine_learning", "version": 107 } }, "rule_name": "Unusual Linux System Information Discovery Activity", "sha256": "573b1809a649fa13bd4353d662f89857a9fe492c5d4c9c5572453e947abb52da", "type": "machine_learning", "version": 207 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "c9833b1d069a636b244cc7e624faecf1e2964d7a6b4cf53d49455c51c3a33462", "type": "machine_learning", "version": 108 } }, "rule_name": "Unusual Source IP for a User to Logon from", "sha256": "eb3d13a478da5da270de435f9b6c3ac9f2aaa9e410767a5c8d5872f74b1a0e79", "type": "machine_learning", "version": 208 }, "d4e5f6a7-8b9c-0d1e-2f3a-4b5c6d7e8f9a": { "rule_name": "Azure Compute Snapshot Deletions by User", "sha256": "0590c3ea783eef7a74ae9523153050ad013e39861a445e6d94296ba3c30fcb00", "type": "threshold", "version": 2 }, "d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a": { "min_stack_version": "9.3", "rule_name": "Elastic Defend Alert from GenAI Utility or Descendant", "sha256": "2f69f97c7af3342e8ab161cd591c78a70c34aaa5b8ac43abe43090bb0658f4c5", "type": "esql", "version": 2 }, "d4e8f0a1-2b3c-4d5e-a6f7-8b9c0d1e2f3a": { "rule_name": "AWS IAM Customer Managed Policy Version Created or Default Version Set", "sha256": "b358dbfbed4eaf573315c79ec108874c58ce7ac3db8f94f63f765622b36a20d4", "type": "query", "version": 1 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "rule_name": "Linux init (PID 1) Secret Dump via GDB", "sha256": "12504527fe33d0f0d50bdee315c515557afbc1166edfdce8c68ddf82b11d3817", "type": "eql", "version": 112 }, "d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c": { "rule_name": "Kernel Module Load from Unusual Location", "sha256": "42ab912e8f87151cc830318d80b8fcacef86ad752a051c7f3c2a5bafdcc76af5", "type": "eql", "version": 3 }, "d55436a8-719c-445f-92c4-c113ff2f9ba5": { "rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected", "sha256": "e033856be7ad362345e1ba2b993b90b1aaeec55773bbadf68127329c2ac3bed8", "type": "eql", "version": 11 }, "d55abdfb-5384-402b-add4-6c401501b0c3": { "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", "sha256": "39da3f93465e6657006f53771e217c4fc049da876a80117b4cd2e4d6ba155a2f", "type": "eql", "version": 8 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "072f511c23260ba660cacdaedd1876a631d69a1b695e05b41ea3ca3448285f51", "type": "eql", "version": 315 }, "d591d7af-399b-4888-b705-ae612690c48d": { "rule_name": "Newly Observed High Severity Suricata Alert", "sha256": "de1f830567ec7ac8c8a76bd6164a6af0895adedc8ceb7ea49c91dda648461626", "type": "esql", "version": 3 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "3086f8e9b0537db524ac52264f95c531385a9dd43a5942e444649fcad336c138", "type": "query", "version": 415 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "rule_name": "Service Command Lateral Movement", "sha256": "f6e11ce06e76dae63a181eb541563bd9478e69b749f15e3a5ac84fdefd47e11d", "type": "eql", "version": 212 }, "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { "rule_name": "Unusual DPKG Execution", "sha256": "189ec619c7b3f1acbaf3ec85c31d1cdef910e9f4fb1e9eee4e320cf66524c3eb", "type": "eql", "version": 8 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "rule_name": "AWS CloudWatch Log Stream Deletion", "sha256": "a46f7108d987f5867d7a89f6ebead05786233dab13864eafc0980d67d2bbb886", "type": "query", "version": 215 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "rule_name": "GCP Pub/Sub Subscription Creation", "sha256": "afdbda3dde84fa473ded32b17d3c9c5a7f31bc6f7d069c45b4bd2a449afcae34", "type": "query", "version": 110 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { "rule_name": "Strace Process Activity", "sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7", "type": "query", "version": 100 }, "d6702168-2be6-4d7d-a549-9bff67733df3": { "rule_name": "IBM QRadar External Alerts", "sha256": "d87d352178c0de5f4c543c32276715abb35d6357dc42f75d84ac84b2401aa365", "type": "query", "version": 1 }, "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { "rule_name": "System Information Discovery via Windows Command Shell", "sha256": "a12f6445936ab83bfae7520bc8f1d544d357ae58d9fca890908ee6320fefb81b", "type": "eql", "version": 118 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "rule_name": "M365 Exchange Anti-Phish Policy Deleted", "sha256": "9511b82aeec35d19961ca08da3e0fe578cfd57551921a610cef015721b43bc6e", "type": "query", "version": 213 }, "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f": { "rule_name": "Potential Protocol Tunneling via Cloudflared", "sha256": "ce6454a80c785ff43356dc00ba0a798148f8a47cb228ba6ada6f7401d7741728", "type": "eql", "version": 4 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "rule_name": "Modification of WDigest Security Provider", "sha256": "6e66c624263fb09663f0683aee91a1c75afb76f643f116aa5e9eb16e8a6915d5", "type": "eql", "version": 217 }, "d70c966f-c5ef-4228-9548-346593cd422d": { "rule_name": "Unusual Process Connection to Docker or Containerd Socket", "sha256": "7d3b65bfb9efed8938e8d51a738e97060eb210b496bc611a1795c93ec01ffe47", "type": "query", "version": 1 }, "d7182e12-df8f-4ecf-b8f8-7cc0adcec425": { "rule_name": "Pbpaste Execution via Unusual Parent Process", "sha256": "3cfed4a1b0aa89c53b098fc2987859ebe883bc1267bc374ba18070c2e9a4f5e9", "type": "eql", "version": 1 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "rule_name": "Command Execution via SolarWinds Process", "sha256": "6c8f7e690fc992ad98b1a2c1101f2ba9ed50cca218d536e7c1884a8f52471e45", "type": "eql", "version": 319 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { "rule_name": "M365 Exchange Malware Filter Policy Deleted", "sha256": "3adaab0d509bfe15b688bc4f88053464321d610fa1ec88316130980d84582fb0", "type": "query", "version": 213 }, "d74d6506-427a-4790-b170-0c2a6ddac799": { "rule_name": "Suspicious Memory grep Activity", "sha256": "bd02b6e884a029c82503af499237b283074d0ca5c44c925afc8f88dcd6162644", "type": "eql", "version": 109 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { "rule_name": "SystemKey Access via Command Line", "sha256": "0eb4e9b2e8d7ae7e32cea1ab9708d0e2c67a166339ae6128cf014faf53bb202b", "type": "eql", "version": 211 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { "rule_name": "Interactive Terminal Spawned via Python", "sha256": "6903d7db95ea1e3cd259c3ce0b5ca1cea3642360c9cfae1b6e55c16f174b1c7d", "type": "eql", "version": 216 }, "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": { "rule_name": "Python Site or User Customize File Creation", "sha256": "b1b0ab169ce762f2b928b00dbc60e869cc527620231972f6845fb6d33ec29a8b", "type": "eql", "version": 7 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Storage Permissions Modified", "sha256": "ded822ec5092e708b8c124227dbc29b933f95ea146bf4d92834bc41105e150bf", "type": "query", "version": 110 }, "d7b57cbd-de03-4c3b-8278-daa1ee4a6772": { "rule_name": "Suspicious Apple Mail Rule Plist Modification", "sha256": "a0c45fe46654506f314348d84713c3f366b341eea449497c5470f69c930e5b6b", "type": "eql", "version": 2 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Spike in Logon Events", "sha256": "317c0266782452758057ef761b442ef54ece9724de45c6cdbb81cc02870772b1", "type": "machine_learning", "version": 108 } }, "rule_name": "Spike in Logon Events", "sha256": "c29b7f8eaa644ba59a41c217b164035424b0b42506ea6cae59993fbfea56b596", "type": "machine_learning", "version": 208 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", "sha256": "d525b40ecee5195fb6dd26c7e0a3b458d1002aa5d043016b236c48332cf0b40b", "type": "query", "version": 111 }, "d84a11c0-eb12-4e7d-8a0a-718e38351e29": { "rule_name": "Potential Machine Account Relay Attack via SMB", "sha256": "dd7dbcab64a1af066709c965e6e904bd1f93c69923a1cde4221dbe5b39ceea64", "type": "eql", "version": 4 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "rule_name": "Untrusted Driver Loaded", "sha256": "521c26dd7b4a866375b12d8bf94fc96f58c4609c18d20e1af2bbb6737116b711", "type": "eql", "version": 13 }, "d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": { "rule_name": "Potential REMCOS Trojan Execution", "sha256": "9980c44f4485b07a1b435cab511bf5458e092b30640924be72d91e2438814535", "type": "eql", "version": 3 }, "d8f2a1b3-c4e5-6789-abcd-ef0123456789": { "rule_name": "Ollama API Accessed from External Network", "sha256": "e3733d532630c219d6614d21fb75e356d22f16ec0a9ff3f0f60224843ab8c594", "type": "eql", "version": 2 }, "d8f4e3b0-8a1b-11ef-9b4a-f661ea17fbce": { "rule_name": "Azure Compute Restore Point Collections Deleted", "sha256": "38554163bf5d4d1b147f9137f117e510d8f097d49b32da256957eb1ab28fe4f0", "type": "threshold", "version": 2 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "rule_name": "AWS IAM Deactivation of MFA Device", "sha256": "f45c32cad0da7a071d36e956585cc06c542c9a29b537439c503a699b2e8937d5", "type": "query", "version": 216 }, "d93e61db-82d6-4095-99aa-714988118064": { "rule_name": "NTDS Dump via Wbadmin", "sha256": "b5b01fd3137c66953523e88ed94247e81d9efe10e2782519d665bfeeb5e77648", "type": "eql", "version": 209 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "f0818620cb57af36acddfe05cb87d184601a31dbe28ba5e8bd4f5e367bd4cd38", "type": "eql", "version": 318 }, "d9af2479-ad13-4471-a312-f586517f1243": { "rule_name": "Curl or Wget Spawned via Node.js", "sha256": "951ee0aea30e70bfde8e78165a1547a8b00bdc808aad4a313029de907d78bfc6", "type": "eql", "version": 6 }, "d9bfa475-270d-4b07-93cb-b1f49abe13da": { "min_stack_version": "9.3", "rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers", "sha256": "07b381c84cab6bd05cd985d2912671b0d45207acb284af1f93837b49a556c20c", "type": "eql", "version": 3 }, "d9faf1ba-a216-4c29-b8e0-a05a9d14b027": { "rule_name": "Sensitive Files Compression Inside A Container", "sha256": "9c333571d80d149931449ce4fe2f16cc2b89cb7d0b97e5360a06a35349eec9f6", "type": "eql", "version": 4 }, "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { "rule_name": "Suspicious Windows Command Shell Arguments", "sha256": "dc6aa3431de19bd229cf92b2a7fd92a72dc57231303e70f142c18278d1252d14", "type": "eql", "version": 208 }, "da0d4bae-33ee-11f0-a59f-f661ea17fbcd": { "rule_name": "Entra ID Protection - Risk Detection", "sha256": "0f39ccaeadc0c6cf3a2ee85643d96368b7334c7b492b8517a90569b012196537", "type": "query", "version": 2 }, "da0ebebe-5ad3-4277-95e7-889f5a69b959": { "rule_name": "System Information Discovery via dmidecode from Parent Shell", "sha256": "c5119c7d8cb6ba0ab9fb94430ae2c2d1e3e6a6ebf20e2e18c60d9d4a5447293b", "type": "eql", "version": 2 }, "da4f56b8-9bc5-4003-a46c-d23616fbc691": { "rule_name": "PANW and Elastic Defend - Command and Control Correlation", "sha256": "9c4cc881a8a05c1e645c6fe4391834b009ca46b5124f18c1b821ee66b634a942", "type": "eql", "version": 2 }, "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "rule_name": "Code Signing Policy Modification Through Registry", "sha256": "f176da9360e2f2c3e8860fe15eb235214bcd1dcb323c49fd9e72e96df1a1b1aa", "type": "eql", "version": 217 }, "da7f5803-1cd4-42fd-a890-0173ae80ac69": { "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "sha256": "d887a9027105bdf4a170339cbb9e7012eb40383c6c65812c787c1f612543ae11", "type": "query", "version": 9 }, "da7f7a93-26e1-49ce-b336-963c6dc17c7b": { "rule_name": "Multiple Machine Learning Alerts by Influencer Field", "sha256": "261d3febfee5e90a2350910f92af7a263d627358d8f42ad07c4a9e339509fdb5", "type": "esql", "version": 3 }, "da87eee1-129c-4661-a7aa-57d0b9645fad": { "rule_name": "Suspicious Service was Installed in the System", "sha256": "674d5611f7c4e7c2d56833a0a0b8b8f7afb23a14664b0b58853854141dfebc4a", "type": "eql", "version": 117 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", "sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443", "type": "eql", "version": 100 }, "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { "rule_name": "Potential Pass-the-Hash (PtH) Attempt", "sha256": "c380424b1c7a8b15cd6c69f19e2aeb996b3c3fc438a6d4bf4b91a48d47e8f852", "type": "new_terms", "version": 111 }, "dacfbecd-7927-46a7-a8ba-feb65a2e990d": { "rule_name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access", "sha256": "7698bb07813a340c67e08c1e0d6c46f4495d8677699f8d9107e8b142f7ca07f9", "type": "eql", "version": 3 }, "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22": { "rule_name": "Github Activity on a Private Repository from an Unusual IP", "sha256": "cdc80e68084ebe217495f688541fa82a88b6d61c98e0db63dc780d2bdb4f097d", "type": "new_terms", "version": 3 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { "rule_name": "Entra ID MFA Disabled for User", "sha256": "f6bdc31ea3c2eddf3ce464b3867eaec5b1aa65d326c6a8d9e15c3efe12d9debb", "type": "query", "version": 111 }, "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "rule_name": "Network-Level Authentication (NLA) Disabled", "sha256": "7bd11c1b9d14c0b64b5fc2d21036e0a4f3582a43c218da0a6826ca7aa6a33559", "type": "eql", "version": 210 }, "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "rule_name": "Execution via Windows Subsystem for Linux", "sha256": "c054d7bcf3340f3352424a90c89e9d0445764287f7293857c90eb806c386af43", "type": "eql", "version": 217 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { "rule_name": "Credential Dumping - Prevented - Elastic Endgame", "sha256": "a78cb90c7f0afb001831e03cd16a5cb52e24282352980bd0daf83fa50fbc9119", "type": "query", "version": 105 }, "db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f": { "rule_name": "Entra ID Service Principal with Unusual Source ASN", "sha256": "47e4c635bd2fc84b836711971b0d8c151eafaf5a921900bf220e58aea6fc9e00", "type": "new_terms", "version": 3 }, "dc0b7782-0df0-47ff-8337-db0d678bdb66": { "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", "sha256": "04a000054fd086fe35b3e52f9d3eb48095fbb9e0b2f9aacddf7ec8e892c6d415", "type": "eql", "version": 111 }, "dc61f382-dc0c-4cc0-a845-069f2a071704": { "rule_name": "Git Hook Command Execution", "sha256": "df35f25f9ccc47ef6da1162061e6426b9e9a36091db4987ef34c162d36beacfd", "type": "eql", "version": 108 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", "sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095", "type": "threat_match", "version": 100 }, "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { "rule_name": "Potential Hidden Process via Mount Hidepid", "sha256": "7e94ec06da053b5379f26e7355e1de6a3ec95c67115e9537b7ace9a1e062ad88", "type": "eql", "version": 115 }, "dc765fb2-0c99-4e57-8c11-dafdf1992b66": { "rule_name": "Dracut Module Creation", "sha256": "e7901044b018b0d51e7579987769d7d815f196e226c06f7802072f53c04388c1", "type": "eql", "version": 6 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "47d52567d1c3bae001db77709a1e8aff40f889ce53a7aaf7c9c0218fccf56010", "type": "eql", "version": 317 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", "sha256": "5fcc8e1b8ffda2633c5e84605dbccd3b4fa19f61cb6746ba6f2e9673df63aa6f", "type": "machine_learning", "version": 212 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "rule_name": "Suspicious Execution from INET Cache", "sha256": "ec304aa55d1d4f1641743ac7118be33facd1da2f08d730f7ba48d716f6a02747", "type": "eql", "version": 212 }, "dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 101, "rule_name": "Unusual Country For a GCP Event", "sha256": "c007ef6fbd3ab40348587d3c21a2cdd12d03971945ea59b220b0d84cf3b8d802", "type": "machine_learning", "version": 2 } }, "rule_name": "Unusual Country For a GCP Event", "sha256": "e1b3ec7e1ad5085043b0e15521b9f164298bfc915884a6f8315a6e202ea53c00", "type": "machine_learning", "version": 102 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "rule_name": "Attempt to Install or Run Kali Linux via WSL", "sha256": "b4dec363cc87b83e8de55fe91c72957864534614c92d32f07c9a2356c8ea2b41", "type": "eql", "version": 217 }, "dd52d45a-4602-4195-9018-ebe0f219c273": { "rule_name": "Network Connections Initiated Through XDG Autostart Entry", "sha256": "61c08b145f474da52f1ef04e85dcb57c8943bda0687f41fc8d07ac5da39fcb73", "type": "eql", "version": 9 }, "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { "rule_name": "Reverse Shell Created via Named Pipe", "sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c", "type": "eql", "version": 6 }, "dd983e79-22e8-44d1-9173-d57dba514cac": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Docker Socket Enumeration", "sha256": "7138568f73259e78a31af51d2811c2a36244b38986fb20b48baf9928b692deaa", "type": "eql", "version": 4 } }, "rule_name": "Docker Socket Enumeration", "sha256": "3b20c039973e88cff852dc38dbf06dcab6f9f7dddf03fff3e2c9b9ea124a1b4a", "type": "eql", "version": 105 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "rule_name": "NullSessionPipe Registry Modification", "sha256": "57fc4d41f585e9622767d73c6374d8b6d69d72f69433691499262a4bf492032c", "type": "eql", "version": 316 }, "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", "sha256": "ae224b4b5bf9c3ce6f6db645cadbc8352cd2f23dad4cf4b8359ff9cb689618e3", "type": "eql", "version": 9 }, "ddf26e25-3e30-42b2-92db-bde8eb82ad67": { "rule_name": "File Creation in /var/log via Suspicious Process", "sha256": "5f8ad4b3b68a18b84f5a900a3c5491e09f7b0f7e7080c501e059c8c08178977c", "type": "new_terms", "version": 5 }, "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": { "rule_name": "M365 Identity User Account Lockouts", "sha256": "5e9c7aba985f7171c814ece90db1ada7159ce434f744a6aaedd5bb6ec9c1e41d", "type": "esql", "version": 9 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "7791d75c96deb296d5cba1980599b03dd2283e6d586e2f8a6e12acdd83d40bb5", "type": "eql", "version": 319 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { "rule_name": "Base16 or Base32 Encoding/Decoding Activity", "sha256": "cc614eb9ec6ed03a159b5db0dbf49482ecd4ad3eff42784b233103ac0f8201a2", "type": "eql", "version": 216 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { "rule_name": "Query Registry using Built-in Tools", "sha256": "c565926c3852c56892fb0501188df9bc15a1e1513cf40aad90ba10370499a8fd", "type": "new_terms", "version": 108 }, "deee5856-25ba-438d-ae53-09d66f41b127": { "rule_name": "AWS EC2 Export Task", "sha256": "543ead44f26c16aa26bc746708c06f6531c20c28051bd501212c956b5a5e761c", "type": "query", "version": 4 }, "df0553c8-2296-45ef-b4dc-3b88c4c130a7": { "rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners", "sha256": "554697d96fc03f19bf3758bd9118b506f368879575889f932f4049755fd5e0bb", "type": "eql", "version": 2 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", "sha256": "a86e29ad36c65e20a6de39029ef2fd2b315fa075aa314ff2142a7f24e4da833a", "type": "new_terms", "version": 13 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 308, "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "de5473b7189c06de5ae65d7300a87f99bc1f61cf9d84b7376eec6c9d45d247d8", "type": "machine_learning", "version": 209 } }, "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "b583da4a2219e9b0c1ca1bbb77ab1d2d1fa46c5e8caddef587789c410db5b995", "type": "machine_learning", "version": 309 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", "sha256": "48fc5e51a731f7f4cd946c1dd4f14311045c44adaeefced003d70db94d583d69", "type": "query", "version": 107 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { "rule_name": "Dynamic Linker Copy", "sha256": "74975fc1c4e9c6ba277040431b9fdeb13dcda0d536146b120add215ed4d701df", "type": "eql", "version": 216 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { "rule_name": "Kubernetes Pod Created With HostPID", "sha256": "83dd265459b1aa87e352d134366f7a3ddb21c45e95d2c3239472e71faefe7530", "type": "query", "version": 210 }, "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", "sha256": "e4dc1206fa6f829adfd9c13606980e85749ca4905cf5b656b4f4c60403d268c6", "type": "eql", "version": 9 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { "rule_name": "Unusual Process Execution - Temp", "sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d", "type": "query", "version": 100 }, "df9c0e92-5dee-4f1d-a760-3a5c039e4382": { "rule_name": "Detection Alert on a Process Exhibiting CPU Spike", "sha256": "1c1c33cb7492423d273e6363aba2b89549219fb617f2f7249b70a650f68c8226", "type": "esql", "version": 4 }, "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { "rule_name": "Potential privilege escalation via CVE-2022-38028", "sha256": "fabd1d888ece7ed98e8dbde37327e15de97291c9b270edd70a6f55113489b9d4", "type": "eql", "version": 210 }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", "sha256": "eda677d08740a19834e652dd899736788b11c6cd08b52433e01e03a32ff45778", "type": "eql", "version": 9 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure VNet Firewall Policy Deleted", "sha256": "42fd83bb3ed5bb7a69511e4c90baba7006569871c9591996af8add54ba3f9535", "type": "query", "version": 108 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { "rule_name": "KRBTGT Delegation Backdoor", "sha256": "60f2e83e2e758d10795f462a4227d514cbaf954e3f734e293bcd14b0923008d8", "type": "eql", "version": 213 }, "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "rule_name": "System Service Discovery through built-in Windows Utilities", "sha256": "e589be7d2f86dabb5960decd210508e1d28f819cda2df6b1bb9b7902a8b06c62", "type": "eql", "version": 114 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "834c73e30108eabb04f904e2f9fb59222b3e3be8401ea3dc2ee9e6d14a39e09e", "type": "threshold", "version": 417 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "rule_name": "Potentially Suspicious Process Started via tmux or screen", "sha256": "009201c6e671258aeae2bedc88405596018aabb7b315facd99b1f46ae2585cd3", "type": "eql", "version": 111 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { "rule_name": "Whitespace Padding in Process Command Line", "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", "type": "eql", "version": 100 }, "e0f36de1-0342-453d-95a9-a068b257b053": { "rule_name": "Azure Event Hub Deleted", "sha256": "c2a4134579286f6aa1a9ecb0c4e6b4e70eafff7901ea15b721a52a78df45774d", "type": "query", "version": 109 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { "rule_name": "AWS EC2 Route Table Created", "sha256": "9b67864d91e23c630e30222f8b30ed291ee313d56d56ea5b11db2d831b11f177", "type": "new_terms", "version": 214 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "rule_name": "Deprecated - AWS RDS Cluster Creation", "sha256": "fbb6042f3855329eb580ee709a18e2bb89dc13f2ec1b6a3ed538b69cdc0b5c50", "type": "query", "version": 210 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "rule_name": "Connection to External Network via Telnet", "sha256": "531ef817962d765ea1d1873aaba42843ea3beaae12f70d493be1b6b58326b983", "type": "eql", "version": 213 }, "e1db8899-97c1-4851-8993-3a3265353601": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 106, "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", "sha256": "1865ab89709d91f25e6761fe52e410b8cf0fe12c7ab1a66b8cff245fe6fe65ca", "type": "machine_learning", "version": 7 } }, "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", "sha256": "f99d7c4b92f8aa673ebfc37fc27f755a33e5229dfab0fe63a64aeef8a64e7a63", "type": "machine_learning", "version": 107 }, "e2258f48-ba75-4248-951b-7c885edf18c2": { "rule_name": "Suspicious Mining Process Creation Event", "sha256": "c6b59218f0bd6a67c42d0853ef8efecafa69decfbdb0aa5c7f7edfe917c74a92", "type": "eql", "version": 112 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Spike in Successful Logon Events from a Source IP", "sha256": "8b21616a77df814353badde453886243eb0d298bd177dfbd772563f9cc9a6229", "type": "machine_learning", "version": 108 } }, "rule_name": "Spike in Successful Logon Events from a Source IP", "sha256": "c5424dd0ac4759274a714f7da569350b4c2f72b6cda74241734321138dd7a90c", "type": "machine_learning", "version": 208 }, "e26c0f76-2e80-445b-9e98-ab5532ccc46f": { "rule_name": "Full Disk Access Permission Check", "sha256": "e7bb1fd6bdeaf8d10f670322c516617a75eaaa78ba368b994860add677b7f488", "type": "eql", "version": 2 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "330e090e05d199d784a30dba2d9a2b95c747892566f0625825f70a6c9a46c893", "type": "query", "version": 322 }, "e28b8093-833b-4eda-b877-0873d134cf3c": { "rule_name": "Network Traffic Capture via CAP_NET_RAW", "sha256": "fab7fa210a76157c989ee04aefd0795f455e6c208c1448b2998bc869fbc08430", "type": "new_terms", "version": 7 }, "e29599ee-d6ad-46a9-9c6a-dc39f361890d": { "rule_name": "Suspicious pbpaste High Volume Activity", "sha256": "10d2ec7341493ccc024bc77312d038463740052c2544a13310264eb38ec7352a", "type": "eql", "version": 5 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "rule_name": "AWS Management Console Root Login", "sha256": "0f802b676e0147391d3eea1fc954cdbc66de1ad2fe46885703ab67114a37fe22", "type": "query", "version": 214 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "rule_name": "System Network Connections Discovery", "sha256": "f40303a3b6fe56ee00bf1284cc98b8436149887e35ef2c1c694e84084ad8f79c", "type": "new_terms", "version": 8 }, "e2e0537d-7d8f-4910-a11d-559bcf61295a": { "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "sha256": "04376f49d3990dd86495c5322be8f5874dcdbda9800cd52e23e796d938b71bff", "type": "eql", "version": 215 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": "2a2acd0d225dd9d8108f917f710d14db75d681995fd899aa981695fd4099ed06", "type": "eql", "version": 219 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "rule_name": "GCP IAM Role Deletion", "sha256": "320dce36d39b239293241a690b6787ec6882b7ecdc06c47d04b83e1b21d0242f", "type": "query", "version": 108 }, "e302e6c3-448c-4243-8d9b-d41da70db582": { "rule_name": "Potential Data Splitting Detected", "sha256": "70959d883cd0b3cf2e76630d3a39639178bb9c1f3664108165d1b139efff9d29", "type": "eql", "version": 107 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { "rule_name": "Process Activity via Compiled HTML File", "sha256": "060bd0e9905307e347187d0f7842f8203cb47e8722ab5137d88a4a17ee7fbf5a", "type": "eql", "version": 319 }, "e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c": { "rule_name": "FortiGate SSO Login Followed by Administrator Account Creation", "sha256": "cae7737dc54b6466c847d786b61bf90bd201f9da376d07c052e4788915499dab", "type": "eql", "version": 3 }, "e3bd85e9-7aff-46eb-b60e-20dfc9020d98": { "rule_name": "Entra ID Concurrent Sign-in with Suspicious Properties", "sha256": "a372e57ef0cef6f9c6715b56c0715f3e8ac8e1a4d65dc400f90aa6c3b39e9bfd", "type": "esql", "version": 8 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "rule_name": "AWS Route 53 Private Hosted Zone Associated With a VPC", "sha256": "3b98604c6f720ab440e9969e3346fc5362018681bd80872c3f4fb70111fa3f4c", "type": "query", "version": 213 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "rule_name": "Ransomware - Prevented - Elastic Endgame", "sha256": "6c528e2eaa2548c187927e68a1378a8ae0983ad6786b4c4ea83f5f2791f614ea", "type": "query", "version": 105 }, "e3c7a891-4b2d-4e8c-a1f0-9d8e7c6b5a4d": { "rule_name": "AWS Discovery API Calls from VPN ASN for the First Time by Identity", "sha256": "902d233527477d56bcbc2c834c105bf68b4b29cb533c1e1b99a2b114cf40f1c8", "type": "new_terms", "version": 1 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "e31a7dca3b6a465b5101c181f1b879b428da800176d02b1221220729aaf0d431", "type": "eql", "version": 211 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "rule_name": "KDE AutoStart Script or Desktop File Creation", "sha256": "86251b2eca0b5f3acf7e5da5bfb34467b59c79339df8798d4a928e1e2efc6cad", "type": "eql", "version": 220 }, "e3f5a566-df31-40cc-987c-24bc4bb94ba5": { "rule_name": "Persistence via a Hidden Plist Filename", "sha256": "e10babd2a4c59e058435d104fde73fcff04b3edff61dc053e1e33516665a6c8e", "type": "eql", "version": 1 }, "e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1": { "rule_name": "SentinelOne Threat External Alerts", "sha256": "187f393346f1e5ce97e9a11d3cb68a3d26efed06da5070cba9858bb5e01bef6e", "type": "query", "version": 1 }, "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { "rule_name": "First Time Seen NewCredentials Logon Process", "sha256": "79becf1ff7996919b22b9cac49062931ff331b772499da8b3f52b527c7dfeb78", "type": "new_terms", "version": 111 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "bdb8ba5a49e48f7068f93d065fa8dae667a8f2b828e9d74eeb56ab6119ff210b", "type": "query", "version": 415 }, "e4c5d6e7-f8a9-4012-b3c4-d5e6f7a80912": { "rule_name": "Sensitive Identity File Open by Suspicious Process via Auditd", "sha256": "374ca4536093e555bbef4ff26ebe4be6c8bcbbab2c9b655caaecca14ce351224", "type": "query", "version": 1 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "rule_name": "Service Creation via Local Kerberos Authentication", "sha256": "a8d5740eabcbbb09f46fbfdeb0e4366b51fdccf32faeee210f7108501110e476", "type": "eql", "version": 213 }, "e4feea34-3b62-4c83-b77f-018fbef48c00": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token", "sha256": "6c2fc392dbcba443e196542410750563e9e343c482f502df61fa7227e31fc2bb", "type": "eql", "version": 5 } }, "rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token", "sha256": "58839416fc9659a82bb183c3877b216b52626c83025ba5e2caffa9396998ce00", "type": "eql", "version": 106 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "23a60ea4249e0fcdf1f870c4a69bd461fdadf3f92058a07315813a7b88e72d3c", "type": "eql", "version": 219 }, "e516bf56-d51b-43e8-91ec-9e276331f433": { "rule_name": "Network Activity to a Suspicious Top Level Domain", "sha256": "7a5e47f5bd44607aa08a96e9f60e4b5e3e991f52a1a3e2ad835a3808872c2cbe", "type": "eql", "version": 4 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { "rule_name": "MFA Disabled for Google Workspace Organization", "sha256": "a6c636f24c7cf63487a0db4ee93fdb305a9e7766647d78bc310af47ac06f4733", "type": "query", "version": 210 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { "rule_name": "RDP (Remote Desktop Protocol) to the Internet", "sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed", "type": "query", "version": 100 }, "e5d69377-f8cf-4e8f-8328-690822cd012a": { "rule_name": "GitHub Authentication Token Access via Node.js", "sha256": "6a417d5d405f2f5407cee4783101473ada9b188d889fb655c65694110b02a589", "type": "eql", "version": 4 }, "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": { "rule_name": "First Time Seen DNS Query to RMM Domain", "sha256": "4572e3ea14df0faf4b8084faac4976128fcfc92c6bfc45ba262f2580675fd50c", "type": "esql", "version": 4 }, "e5f9a1b2-3c4d-4e6f-a7b8-9c0d1e2f3a4b": { "rule_name": "AWS EC2 Instance Profile Associated with Running Instance", "sha256": "226b26472af2c538610d1e0a15b1a952dd0fba90d63486b1e74c9a11f2ad4ea2", "type": "query", "version": 1 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "rule_name": "Bash Shell Profile Modification", "sha256": "2fd375388407792fd51a8969b707aa25f45b320020108a7979676d7a7f9a867e", "type": "query", "version": 108 }, "e6c98d38-633d-4b3e-9387-42112cd5ac10": { "rule_name": "Authorization Plugin Modification", "sha256": "17b73d3e39ffba68bb956e466370e9d6eaa7ebe30fc50598af1a624b1e18229c", "type": "eql", "version": 112 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "rule_name": "Possible Okta DoS Attack", "sha256": "f9ff8587149b2afa762f584f9089d3731b0b31ba76799adcff06c4fb444ae831", "type": "query", "version": 414 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", "sha256": "048555dd2466b4a537ebc22441d66a2efefb466f5505a45d435f0319e2802734", "type": "eql", "version": 113 }, "e7075e8d-a966-458e-a183-85cd331af255": { "rule_name": "Default Cobalt Strike Team Server Certificate", "sha256": "727bfa432760b50171e1894d8c8b244ab5ccfc62c5b925c757c41d179d78d45c", "type": "query", "version": 110 }, "e707a7be-cc52-41ac-8ab3-d34b38c20005": { "rule_name": "Potential Credential Access via Memory Dump File Creation", "sha256": "22885ae14d09906f786705183a0dfa366fb542f4048dbe5e5b30dc12c0ac3e22", "type": "eql", "version": 6 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "rule_name": "Execution of Persistent Suspicious Program", "sha256": "17d574e7c23e80225a66e3a65e6914c036850e0db1f4e6e732f50f3c24f8f160", "type": "eql", "version": 212 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "4b20d1a797938d4bf6c8b100b8530798861aa4c34bac581498f7f945caa17d5d", "type": "eql", "version": 313 }, "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { "rule_name": "Potential Windows Session Hijacking via CcmExec", "sha256": "a945f7bf00629ecb400737b7b14b28993acd3c43139ce6dd8fe3d023b380a938", "type": "eql", "version": 6 }, "e74d645b-fec6-431e-bf93-ca64a538e0de": { "rule_name": "Unusual Process For MSSQL Service Accounts", "sha256": "f0e1c5528f65f66b87d2190eb338e758a3f0d5b44557e8e747dbefac8ca09623", "type": "eql", "version": 7 }, "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { "rule_name": "Unusual Execution via Microsoft Common Console File", "sha256": "e80bd4c0aced2a70668f8e19c3570f377d60d152d9baaa79c02cd9bf97d29419", "type": "eql", "version": 207 }, "e7856173-6489-449f-80ec-c1f5fcd7b87c": { "rule_name": "Suspicious SUID Binary Execution", "sha256": "6bd584f1d16f040129a26cae8109dcf87db5067d5f2c179e516e43aed9b929d3", "type": "query", "version": 1 }, "e7b2c3d4-5a6b-4e8f-9c0d-1a2b3e4f5a6b": { "rule_name": "Curl or Wget Execution from Container Context", "sha256": "8f366e09f9e245ce0ba56adb44531b854bedb456939e125c7f713d7d02b76cc1", "type": "query", "version": 1 }, "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { "rule_name": "Potential Linux Credential Dumping via Unshadow", "sha256": "a04dbcb36c1f1c440b37f7cae577b3ece10b72efdbfcddb813460c826ebc9310", "type": "eql", "version": 114 }, "e7cd5982-17c8-4959-874c-633acde7d426": { "rule_name": "AWS EC2 Route Table Modified or Deleted", "sha256": "2205c6c53afda6b21954cb4f3f25c96fc5c6978dda5e38205c466147e8b8c8f4", "type": "new_terms", "version": 213 }, "e7e0588b-2b55-4f88-afd1-cf98e95e0f58": { "rule_name": "Suspicious Outbound Network Connection via Unsigned Binary", "sha256": "0cab3f24cd193b08178b94d7a007dffe133ccb4bce1d98ee99aeee1e030c00eb", "type": "eql", "version": 2 }, "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a": { "rule_name": "Potential Protocol Tunneling via Yuze", "sha256": "412e9aaeeb919c12903d28a97892e212d3f62b2429054811f7956dceb7871b7d", "type": "eql", "version": 4 }, "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { "rule_name": "Network Connection by Cups or Foomatic-rip Child", "sha256": "9dadc34c752b9bc0928030b436c8dc050e4c931a424ac3abd0aabc8c86180945", "type": "eql", "version": 6 }, "e819b7eb-c2d4-4adc-b0c9-658aeb140450": { "rule_name": "Lateral Movement Alerts from a Newly Observed User", "sha256": "a3258f0d15c7c51105bf8854c5ce37f0d660fb5f008b73587d0eb4314de34c12", "type": "esql", "version": 3 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "d84f36a2afbc144fef44ad9e64b127adac38a0aa0a79935942cc31275e6af59f", "type": "eql", "version": 220 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "rule_name": "Installation of Security Support Provider", "sha256": "96b67730d8ffb341e813867e0276ae18c765a4a89c3710d2963454743335821a", "type": "eql", "version": 315 }, "e882e934-2aaa-11f0-8272-f661ea17fbcc": { "rule_name": "Microsoft Graph Request Email Access by Unusual User and Client", "sha256": "afb5abbe83d85e4bfc0c4355dcb0fcdc60a91012e0ee14f6f6fc77e177fcda7a", "type": "new_terms", "version": 6 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "rule_name": "Host File System Changes via Windows Subsystem for Linux", "sha256": "d3e0d905b618b1535f2deed8102de10f9c45d79e7038e76eab62094063d444b0", "type": "eql", "version": 114 }, "e8b37f18-4804-4819-8602-4aba1169c9f4": { "rule_name": "GitHub Actions Workflow Modification Blocked", "sha256": "6938ae0fe092466ebe7a800629949a38ad4eb3da443917c54766b67839d2912d", "type": "esql", "version": 6 }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", "sha256": "af263b39de7d96dc66778483b32a18131d2d78f294fccb516b20f02b3561d26a", "type": "eql", "version": 10 }, "e8ea6f58-0040-11f0-a243-f661ea17fbcd": { "rule_name": "AWS DynamoDB Table Exported to S3", "sha256": "e9c43384f812c32ac9f5ea58d4ce394b5a607f68a6941a3949ad2dd1c8c6ed49", "type": "new_terms", "version": 7 }, "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", "sha256": "bed94ea17205b8c891d4ddb047a885b0302d991f1f9be008ba2c8dc7e4483618", "type": "new_terms", "version": 112 }, "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": { "rule_name": "Potential PowerShell Obfuscation via String Reordering", "sha256": "b59e0cbc56c4fb53787bc00632c6ceab167a0694f6b7fecc962d87dbbea24286", "type": "esql", "version": 13 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "bf0cca05ac39585a934fe378753788c53700f3e8756741b90086a08ec42e370c", "type": "threshold", "version": 417 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "Deprecated - AWS EC2 VM Export Failure", "sha256": "7339232c396fb3ef53df007330bd3fdbe73aba02804975f4a767f59c658cb33f", "type": "query", "version": 210 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 107, "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", "sha256": "85e2742ed6e3a554393ca3c7c7b3462fbeb726e083b4f63bc562360141a1b8fa", "type": "machine_learning", "version": 8 } }, "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", "sha256": "5b22d537d80ab2e0d67e5b165b971868811ca16c1d70bb8c02f4909f50c8945d", "type": "machine_learning", "version": 108 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "d6c1aa3c45cbcc3f9d96b8f85efd889c870bb8993049a36ef372ca20e882d8c7", "type": "eql", "version": 318 }, "e9a3b2c1-d4f5-6789-0abc-def123456789": { "rule_name": "Ollama DNS Query to Untrusted Domain", "sha256": "5e3e4830d4541a4e622121b68abbd2dfd611a6127af90ffcc80d8a462369afc5", "type": "eql", "version": 2 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { "rule_name": "Potential LSA Authentication Package Abuse", "sha256": "baa994c1fe7f4dc602b62d56e07acb6a0e3752a04ab6347f182416d3ae2a0465", "type": "eql", "version": 111 }, "e9b0902b-c515-413b-b80b-a8dcebc81a66": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "Spike in Remote File Transfers", "sha256": "2f20bc8bdb8336b52144c14c8d650bf10d1c3cd7ac2005fda6d231be3ce129cd", "type": "machine_learning", "version": 9 } }, "rule_name": "Spike in Remote File Transfers", "sha256": "b5fc44379578795228550e1b83eaeb9e7e0126f4ed99201198f0cefb85c52110", "type": "machine_learning", "version": 109 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", "sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a", "type": "eql", "version": 100 }, "e9fe3645-f588-43d6-99f5-437b3ef56f25": { "rule_name": "AWS EC2 Serial Console Access Enabled", "sha256": "50914bbf617175010dadedcd2ca391ecc37c172b7ed25599aa28b3f97dd1e043", "type": "query", "version": 3 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { "rule_name": "Azure Automation Webhook Created", "sha256": "7c465669f1e16c050c57c78eaf0a6374fc5a02a2a17346e81ea0e4e1ce2aef99", "type": "query", "version": 107 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { "rule_name": "SSH (Secure Shell) from the Internet", "sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa", "type": "query", "version": 100 }, "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 210, "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "cde5761fb379a2ebd52bded54373ddfa826286728ad4637aa03d845220da0c91", "type": "machine_learning", "version": 111 } }, "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "18f984692e2ec7a1945f11db130429aaea89ba4e32aa4187f2def7337275a873", "type": "machine_learning", "version": 211 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { "rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy", "sha256": "aa1c1625dd82eb24ec01c42ec65095f631d903642a4a3e7aed22ba4a1355b97f", "type": "threshold", "version": 216 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", "sha256": "43fbc760dbb9d213111df81edfb92ab4f4902eb6c46f5bdfe3b1f0e215a38432", "type": "machine_learning", "version": 109 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", "sha256": "0392cad4ebbd3925824fb6d7902f524c2bc25be9f9b7c642869fb070d18502d2", "type": "eql", "version": 10 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", "sha256": "3076f6b1adaf92e302684e1464639085c90751e68a525064398b7a9c2a03e3e5", "type": "query", "version": 107 }, "eb3150eb-e9fb-4a64-a0fc-aa66cdd35632": { "rule_name": "Telnet Authentication Bypass via User Environment Variable", "sha256": "addac13158f89b3addaf29024a1c49c9396a2f87bc029975ea1f19735fcb49ab", "type": "eql", "version": 3 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "sha256": "f994e110b50cb2736e928c79c4c504229652f18fda04a1328cd19dc6f0b6eb27", "type": "query", "version": 110 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "eaa7dc28c0ba71007f9a46582afef0a8096c44e0a86adce631ad580e33bc8acc", "type": "query", "version": 218 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "rule_name": "Suspicious Network Connection Attempt by Root", "sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e", "type": "eql", "version": 104 }, "eb804972-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Behavior - Prevented - Elastic Defend", "sha256": "02eda12d21fbff98e95223ba0596351a3c2e483be002663151be5c250edadc69", "type": "query", "version": 5 }, "eb958cb3-dead-42b6-94ff-b9de6721fab2": { "min_stack_version": "9.3", "rule_name": "Curl SOCKS Proxy Detected via Defend for Containers", "sha256": "b1f046cc6ad9e006048ddfcacca9aa967e5c89498422580dacd3eb6f803018d1", "type": "eql", "version": 2 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { "rule_name": "Potential Disabling of SELinux", "sha256": "a983e45d426bb8f3a4ef45dfd2f57506e858af2344cca3033b44a1671fdaa745", "type": "eql", "version": 215 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "faf606497245f3d7e09a8ae6abe6afb788c439573a1eae221c0786d44878c8a4", "type": "eql", "version": 418 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "rule_name": "IIS HTTP Logging Disabled", "sha256": "15c46a24e64047ef68bd03a84b821a716b491971416ef9b02883d970c07d56c7", "type": "eql", "version": 318 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "rule_name": "Process Execution from an Unusual Directory", "sha256": "bc67d00162d4bd5880558c09ba1388898c1594d83fe5d71927eaed1a8669f51e", "type": "eql", "version": 320 }, "ec604672-bed9-43e1-8871-cf591c052550": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Deprecated - File Made Executable via Chmod Inside A Container", "sha256": "e83d9c10df932ec1ea757f8db704550f8f70c3bb48b0155578659ee10099091c", "type": "eql", "version": 4 } }, "rule_name": "File Execution Permission Modification Detected via Defend for Containers", "sha256": "4684363244e89ea872ffc5b25a90561dc40b3e284b58a2c4d394889bed620bf0", "type": "eql", "version": 107 }, "ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": { "rule_name": "Kubernetes Forbidden Creation Request", "sha256": "09dc580af4f250fb15a73dc047af068447edce0b410ee07b9845a39184a09496", "type": "eql", "version": 3 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { "rule_name": "M365 Exchange Inbox Forwarding Rule Created", "sha256": "b993745b45fbc5109fc2f625b7cc15b902271dfaf502d2d85d2fa5208f31de8b", "type": "eql", "version": 213 }, "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": { "rule_name": "Unusual Instance Metadata Service (IMDS) API Request", "sha256": "33d196de5eaecf3864a3bb8ee494aaa4ee44ed5a27f25e452bcf28fa226c22dc", "type": "eql", "version": 8 }, "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { "rule_name": "Executable File with Unusual Extension", "sha256": "b9cbdb757c2d5778d0c1a517bd488966edd65b3f3716a9afe62b215d97b44f5d", "type": "eql", "version": 4 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "rule_name": "Deprecated - AWS RDS Instance/Cluster Stoppage", "sha256": "2eba03080f61dc66ae0a110e2c12eaf47e267f31eb5fea196cf483d6b9a64510", "type": "query", "version": 210 }, "ed3fedc3-dd10-45a5-a485-34a8b48cea46": { "rule_name": "Unusual Remote File Creation", "sha256": "f29aab770fc7ef7708a96949b02b0e60282b7199951b302c2fdffbd1893bb9e9", "type": "new_terms", "version": 7 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "rule_name": "Entra ID Global Administrator Role Assigned (PIM User)", "sha256": "7cc31a789b7c74143fda38cba04d25c2603889e20c7dcd188f4ece32bf1d1426", "type": "query", "version": 109 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { "rule_name": "AdFind Command Activity", "sha256": "5da6851210dd75f83e92706270154d54c07273e615cfe18134a17e7bf4ee3969", "type": "eql", "version": 319 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "703363f0e0174c2ee80e6f77652694e5162cc28d87e1c2e204dca58e5356c34c", "type": "query", "version": 414 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "2ad58626d16eda853776294192c4b7c37d50f48d4f20496bcdbc93e9f3d61f2e", "type": "eql", "version": 321 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "rule_name": "Linux User Account Creation", "sha256": "5560af4da75f6828cfd7b29908eba789035a6a7fb66d4380dc6d4acc5ff5a967", "type": "eql", "version": 10 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { "rule_name": "Okta FastPass Phishing Detection", "sha256": "6dbed41461451dc5040bb4d309300f105a9ff9e96c0e3dcf65baa67ffdd640af", "type": "query", "version": 312 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "rule_name": "Unusual Print Spooler Child Process", "sha256": "680b0b509c4530e793e2e495bc660350fca76194950aca3d7499505c0eed9ade", "type": "eql", "version": 217 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { "rule_name": "Shortcut File Written or Modified on Startup Folder", "sha256": "ed57ac9eacaf051cab3aeae3f09c0a59fdfb7eb9ca18e4ceada98adc47ac6bc6", "type": "eql", "version": 4 }, "ee619805-54d7-4c56-ba6f-7717282ddd73": { "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", "sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80", "type": "eql", "version": 100 }, "ee7726cc-babc-4885-988c-f915173ac0c0": { "rule_name": "Suspicious Execution from a WebDav Share", "sha256": "193a9582b8a88c80c2ec2d4d03cc840cba670833923fc58cb2815ed2e060ab0f", "type": "eql", "version": 3 }, "eea82229-b002-470e-a9e1-00be38b14d32": { "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", "sha256": "7a0362350bccdcf49752c63e045a43a649ae3127354129648e3ebd3c78e2b713", "type": "eql", "version": 113 }, "eef9f8b5-48ec-44b5-b8bd-7b9b7d71853c": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 101, "rule_name": "Kubectl Apply Pod from URL", "sha256": "548e6c3705fae441b48d6c6931d33d907796f823cd985983d79c6041af367472", "type": "eql", "version": 2 } }, "rule_name": "Kubectl Apply Pod from URL", "sha256": "2871a014569f179baaf61a47aa3ed4dac8c9d1cdfcf046caa1f02877fa61f0fc", "type": "eql", "version": 103 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { "rule_name": "BPF filter applied using TC", "sha256": "a3ca2a4019b1f9b82a42cdaa30c22e6b21138566a0f076dff76cc58ed8d5d943", "type": "eql", "version": 215 }, "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", "sha256": "8641c7f69ff921eb91354ab0425fd0d989f5bf8bdaea934338fa5e03118cab42", "type": "eql", "version": 113 }, "ef395dff-be12-4a6e-8919-d87d627c2174": { "rule_name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option", "sha256": "e9dbef389b92ca88b2b526127180bb1f77f872b82ed5506e5e3531967903bfa3", "type": "eql", "version": 5 }, "ef65e82c-d8b4-4895-9824-5f6bc6166804": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 102, "rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File", "sha256": "e4750e67d85a5bceb46ee02825a18989d55a065f353791467ac9bdcc98f4cb7a", "type": "eql", "version": 3 } }, "rule_name": "Potential notify_on_release Container Escape Detected via Defend for Containers", "sha256": "fac418cef4e709d91017ce5c1eeaa17b08e05b05e91e0e7584f00c36d2c239ad", "type": "eql", "version": 103 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", "sha256": "1db39e102de230f0e5f11a6c3d8bc5633bbbb419481894a8935bb3421b5cf5c7", "type": "eql", "version": 219 }, "ef8cc01c-fc49-4954-a175-98569c646740": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 107, "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "sha256": "501b90c5679e6b9959a55999b1892814f6969d4a2aac60d17835f827a7cda0fd", "type": "machine_learning", "version": 8 } }, "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "sha256": "71567755940d538c15fd90849caad5bf4ee4a89e0afd72f43b9ceac4f9ec3f1b", "type": "machine_learning", "version": 108 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "90d47b1e899493d89143f8cd27fabf5811ebff7fe3c0fc8cefd0ad0f234155d4", "type": "eql", "version": 214 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { "rule_name": "Suspicious HTML File Creation", "sha256": "8f7b437675b9cbd0e34995768cab78c83a9aaf0aa77c6029975fa1df36288295", "type": "eql", "version": 113 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "rule_name": "Okta User Assigned Administrator Role", "sha256": "2fd1365685f9e79ac576991cdb849afc70a64f0b0a5704b845cb04f44a7892c1", "type": "query", "version": 415 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", "sha256": "086b4d37de07398af3828f86c06b19b7daa37d14b98d16b1236a284a3e119b99", "type": "eql", "version": 115 }, "f0bc081a-2346-4744-a6a4-81514817e888": { "rule_name": "Azure Diagnostic Settings Alert Suppression Rule Created or Modified", "sha256": "8b1cd77d90733f7dbd27b5fa93888a24d03bd9e802b97882331f8fd173e040cf", "type": "query", "version": 109 }, "f0cc239b-67fa-46fc-89d4-f861753a40f5": { "rule_name": "M365 or Entra ID Identity Sign-in from a Suspicious Source", "sha256": "b018cb831bab9746612fb38c1c6080689b2ab4bb4ccfa34a88b794eb86e4b5a7", "type": "esql", "version": 7 }, "f0dbff4c-1aa7-4458-9ed5-ada472f64970": { "rule_name": "dMSA Account Creation by an Unusual User", "sha256": "09d110d157380492d4d0de9d37dff770be9757b6528fca4da3a5aa560b964348", "type": "new_terms", "version": 4 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { "rule_name": "Execution with Explicit Credentials via Scripting", "sha256": "32ada2c4a68d705cc598de4bde5cc1be7e0516bae9dad176373243f9fc65c0c2", "type": "eql", "version": 111 }, "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { "rule_name": "Suspicious Child Execution via Web Server", "sha256": "92e68a660ef180ceb453fee81c78a5fdc2c39b9351c923d2aca6901a11f0e360", "type": "eql", "version": 113 }, "f18a474c-3632-427f-bcf5-363c994309ee": { "rule_name": "Process Capability Set via setcap Utility", "sha256": "dbc36b11a558109353c290252cfc47fa5b88768748732ceb11ed91403dd76705", "type": "eql", "version": 106 }, "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { "rule_name": "Forwarded Google Workspace Security Alert", "sha256": "fa20fb477b98059cdcedc8515e55e02f1f0f705253f61f5f68683154a52bf7c8", "type": "query", "version": 7 }, "f1f3070e-045c-4e03-ae58-d11d43d2ee51": { "rule_name": "Manual Loading of a Suspicious Chromium Extension", "sha256": "ef1b596dbcc21f0ff44dd908eee0347efe6248aa5bdf14b884c61df77b777949", "type": "eql", "version": 2 }, "f2015527-7c46-4bb9-80db-051657ddfb69": { "rule_name": "AWS RDS DB Instance or Cluster Password Modified", "sha256": "8ad36bf549c8e2d030b047008548086597c14917e95fb16824216d0b6e03fbc9", "type": "eql", "version": 9 }, "f20d1782-e783-4ed0-a0c4-946899a98a7c": { "min_stack_version": "9.4", "previous": { "9.3": { "max_allowable_version": 101, "rule_name": "Unusual City For a GCP Event", "sha256": "76586ab01cd08c0c90773f9fd6ddba36eb9b8ee0571614eca39f0de1bb442d29", "type": "machine_learning", "version": 2 } }, "rule_name": "Unusual City For a GCP Event", "sha256": "8eb28f90d5cd908568c9a395131d2080306c30096616c06ee1c3985dbdaa83f9", "type": "machine_learning", "version": 102 }, "f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": { "min_stack_version": "9.3", "rule_name": "LLM-Based Attack Chain Triage by Host", "sha256": "c1f09b9398519eeca1ca5751ca9ef554c12bcecc242670114227526c401ca16f", "type": "esql", "version": 4 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { "rule_name": "Service Path Modification", "sha256": "479c0261e46fdc70b821b6577c00bdd690bec74af99f5f6a36350458a33dcaca", "type": "eql", "version": 107 }, "f246e70e-5e20-4006-8460-d72b023d6adf": { "min_stack_version": "9.3", "rule_name": "Modification of Persistence Relevant Files Detected via Defend for Containers", "sha256": "3d7e318f67c97976127e145e374accefe76ed153e63466f41c6c788e5a1ba230", "type": "eql", "version": 2 }, "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { "rule_name": "Creation of Hidden Login Item via Apple Script", "sha256": "45f3aba3743e27c3175dc85c3bb918ef1ddeb13d337dd61d81634e7b6d7ed1ce", "type": "eql", "version": 114 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { "rule_name": "Potential OpenSSH Backdoor Logging Activity", "sha256": "327423f201c4aefab10ca8e4a5e9604d884907651d4475cc37c199a277b289a8", "type": "eql", "version": 215 }, "f2a3b4c5-d6e7-4f89-a012-b3c4d5e6f789": { "rule_name": "AWS STS GetFederationToken with AdministratorAccess in Request", "sha256": "91174dba23bc43a851dead24976835e0676adbd66157638393d08f763e89f99e", "type": "query", "version": 1 }, "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Malicious File - Detected - Elastic Defend", "sha256": "41ad2b2030986dcdd6d5acd828d369cbf10f4b53afd0cbc73f44834f48ac57aa", "type": "query", "version": 5 }, "f2c43e8c-ccf2-4eab-9e9a-e335da253773": { "rule_name": "M365 Purview Insider Risk Signal", "sha256": "7b79f31c41b50f2de307dec4edf986446644ccdd5d81087cd0d65070e5bc6841", "type": "query", "version": 1 }, "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", "sha256": "fb2f06600975682327919ea6da257a7190a1e93ff582838cf3175181d49386cd", "type": "esql", "version": 5 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "rule_name": "SIP Provider Modification", "sha256": "dd9efc0a3ffb4c20b6356fa5966046c6d5c8014667ba8d56f8028261e21cd508", "type": "eql", "version": 316 }, "f2e21713-1eac-4908-a782-1b49c7e9d53b": { "rule_name": "Kubernetes Service Account Modified RBAC Objects", "sha256": "970354cbf4c8525c8836fda8fdd3ab8f107769ab8b4d4a7c341afd376449a261", "type": "query", "version": 3 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "rule_name": "LSASS Memory Dump Creation", "sha256": "e67746f8ea85b9aebd84e067fe5be4217f8d5382337a0a23661ea8202ab92a64", "type": "eql", "version": 316 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "rule_name": "Deprecated - AWS RDS Instance Creation", "sha256": "863ac4e46bb8284dfcebade9676b5ed0fb1c1ca7b91932266ea432c660e6b7c3", "type": "query", "version": 210 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "rule_name": "Google Workspace Object Copied to External Drive with App Consent", "sha256": "9d1a8b1da8853216b701b3b7ccea1089b6689b2a0de289b79746bd6a7db343f0", "type": "eql", "version": 13 }, "f3403393-1fd9-4686-8f6e-596c58bc00b4": { "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "sha256": "e86a0477a7cb46e3ade238a3b3e865a455c9ce4830f4b82a07926f3c757e1546", "type": "query", "version": 9 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { "rule_name": "WMI Incoming Lateral Movement", "sha256": "79000745ecb9f28c29dc37aa11e735c6fd1e2071d72b6c828cdc06293ce6d97b", "type": "eql", "version": 218 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { "rule_name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt", "sha256": "0514c676be47b85dcf14f42d8d1cdf053122f7506f0b5eef242a105e5dfe4ed1", "type": "threshold", "version": 109 }, "f3818c85-2207-4b51-8a28-d70fb156ee87": { "rule_name": "Suspicious Network Connection via systemd", "sha256": "6a81be3e4096d5230ed6ddb6d5e9ed0624a4404f651a9aaaee9491b33a744050", "type": "eql", "version": 10 }, "f38633f4-3b31-4c80-b13d-e77c70ce8254": { "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", "sha256": "461cca8e6da44cb954ccd1568e0195772daa254860053359bea965b58e5b3560", "type": "esql", "version": 11 }, "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "rule_name": "Kill Command Execution", "sha256": "e0cd0eab0070a7deca66e3db5b6508709873263b818c68be1f560cd32e5ccbb1", "type": "new_terms", "version": 6 }, "f3ac6734-7e52-4a0d-90b7-6847bf4308f2": { "rule_name": "Web Server Potential Command Injection Request", "sha256": "5812c308169a8a574e71c2c86b2e0de69913521b67e5d655346bf0f7e65fb092", "type": "esql", "version": 6 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "rule_name": "Threat Intel URL Indicator Match", "sha256": "155ff4eef509d2fc7fd1c2d2123e8343f5ccec6b90178d7647703aec30eacf8b", "type": "threat_match", "version": 9 }, "f401a0e3-5eeb-4591-969a-f435488e7d12": { "rule_name": "Remote Desktop File Opened from Suspicious Path", "sha256": "8eb6f9850d1ca4101a9c31eef37742993dbb0a0b9ea08a5e1bd5e36338f86abe", "type": "eql", "version": 9 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation", "sha256": "27658290df434832b404370cab3edf8183411d533f7a367cdc636a7c386590ed", "type": "eql", "version": 11 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "65c544d6e400d0909d79ad3a1e0f79b5cf5fcdd3fb01a1a073adc46c69aafb31", "type": "eql", "version": 313 }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Pluggable Authentication Module or Configuration Creation", "sha256": "4e7927ea9ee84da27a6bc1fc12f753e2d873328a3a1f8113354afe2c2889690e", "type": "eql", "version": 9 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal", "sha256": "fae91cdc5143504077c9cc353440c3df9dc19a9fb86b257633e5cee480d0754f", "type": "query", "version": 219 }, "f4b857b3-faef-430d-b420-90be48647f00": { "rule_name": "OpenSSL Password Hash Generation", "sha256": "578fa837f0af51bf69c436d7ba2cc8d249f7fc6cfc00be5c25b0ba71b3069fa7", "type": "eql", "version": 6 }, "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", "sha256": "f9eaf69ddd185f8b4c607c763db8ca5e3206d6599f48108b961d0a79fb572322", "type": "esql", "version": 7 }, "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { "rule_name": "DPKG Package Installed by Unusual Parent Process", "sha256": "2ecc5312b7dd25b04f1124d44fdcf991f2650e3684b81ba6910730dbb18db5b7", "type": "new_terms", "version": 7 }, "f52362cd-baf1-4b6d-84be-064efc826461": { "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", "sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7", "type": "eql", "version": 100 }, "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { "rule_name": "Suspicious Data Encryption via OpenSSL Utility", "sha256": "6212d9d93c65c1e446bdeb51474d2abaded9566ccad6cbc8ef83ff0fed9163ac", "type": "eql", "version": 12 }, "f541ca3a-5752-11f0-b44b-f661ea17fbcd": { "rule_name": "Entra ID Sign-in TeamFiltration User-Agent Detected", "sha256": "3f339217cd8eae50f29ce9fcb9124f0a7526f85b0ad85961b8583156f1823d6d", "type": "query", "version": 3 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "rule_name": "Windows Script Executing PowerShell", "sha256": "f633d19c3abff0200df7cb8e9904664c8aac48f10ecf058e5eacbfc730a9c3d6", "type": "eql", "version": 317 }, "f5488ac1-099e-4008-a6cb-fb638a0f0828": { "rule_name": "Deprecated - SSH Connection Established Inside A Running Container", "sha256": "e9a0161ce66e4dbbc1d7b04ff2e17e6b37a210d29e6dff9d8ca021d2a0c65355", "type": "eql", "version": 4 }, "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { "rule_name": "Rare SMB Connection to the Internet", "sha256": "7cba8d9dc86077834c99f4032ae1cfd0578a03e74b98f5af2a786a578f374476", "type": "new_terms", "version": 214 }, "f5861570-e39a-4b8a-9259-abd39f84cb97": { "rule_name": "WRITEDAC Access on Active Directory Object", "sha256": "e2478afe8591053489cbda3bfcc55b4842a4119642e5d56d3ce788a9179b5c3f", "type": "query", "version": 111 }, "f596175f-b8fd-43ac-b9e9-ea2a96bb55d8": { "min_stack_version": "9.3", "rule_name": "Kubelet Pod Discovery Detected via Defend for Containers", "sha256": "7723c687b0c450f64a00cee36d7c3931bd7c021d6ff6833cf9c9271a2a5f42f7", "type": "eql", "version": 2 }, "f59668de-caa0-4b84-94c1-3a1549e1e798": { "rule_name": "WMIC Remote Command", "sha256": "0e72674c9e5b508cb58ff78ab6d5d918767df0ff88c1a86cec3981f283555247", "type": "eql", "version": 111 }, "f5c005d3-4e17-48b0-9cd7-444d48857f97": { "rule_name": "Setcap setuid/setgid Capability Set", "sha256": "3000740cd69fe252c0029fb2309de620fe221dc6bdbb6873c6de6c6dec2414f9", "type": "eql", "version": 112 }, "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 210, "rule_name": "Parent Process Detected with Suspicious Windows Process(es)", "sha256": "5e26435a6c6b152cc9c108374c72cd5a9f0766698e6eaf34ecfb75df00fb5d27", "type": "machine_learning", "version": 111 } }, "rule_name": "Parent Process Detected with Suspicious Windows Process(es)", "sha256": "6087543daca9986a612585855dcfc77d192fd4a1e20ab80710f3619022cc0cc8", "type": "machine_learning", "version": 211 }, "f5fb4598-4f10-11ed-bdc3-0242ac120002": { "rule_name": "Masquerading Space After Filename", "sha256": "b8a837130b3b5d74204a8537614a5612a561e68b829c89916fbf5f67d9505c72", "type": "eql", "version": 12 }, "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { "rule_name": "Account or Group Discovery via Built-In Tools", "sha256": "dc828379a80bcd81d6d54e8910635b11a89acc59e65e859525568e856567c371", "type": "new_terms", "version": 7 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "dbf7164e7bc3f1a792a0e2ee5a048cbda99b3aed0d7af7693f32134c4bdab517", "type": "eql", "version": 317 }, "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", "sha256": "1dff4a3354ffb01188e7144a8483bb555136a03b278e0b3410d4233e5fd77d8b", "type": "eql", "version": 9 }, "f66a6869-d4c7-4d20-ab13-beefd03b63b4": { "min_stack_version": "9.3", "rule_name": "Environment Variable Enumeration Detected via Defend for Containers", "sha256": "4940432d89d05102af4274afb80384ca2bda0d452e0521a1afc0879a5237b699", "type": "eql", "version": 2 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "3eecb4705dfa3aca68572467da4f1e62c4ff2fa7df0aefd85aca9094d24a9f29", "type": "eql", "version": 316 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { "rule_name": "SoftwareUpdate Preferences Modification", "sha256": "08ad8ed2e2ca485401fa0335d86ab975c721be7927df7d41f56076abb95d7db6", "type": "eql", "version": 111 }, "f6a0b2c3-4d5e-4f7a-8b9c-0d1e2f3a4b5c": { "rule_name": "AWS KMS Key Policy Updated via PutKeyPolicy", "sha256": "823e0533246b6570195a0c0456c4cbbe2a722ac375ce8f8b0c850026c5bdb314", "type": "query", "version": 1 }, "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": { "min_stack_version": "9.2", "previous": { "8.19": { "max_allowable_version": 106, "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", "sha256": "95b168aaae5816d4dd8032d851a24980d140d4a9e0603b56f4fa88d79af15a4a", "type": "new_terms", "version": 8 } }, "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", "sha256": "c07fa7fae81922d04accf363a9e78642676d26e8aee182c0560cf0824f2ac45d", "type": "new_terms", "version": 109 }, "f6d8c743-0916-4483-8333-3c6f107e0caa": { "rule_name": "Potential PowerShell Obfuscation via String Concatenation", "sha256": "e9712cbae119495bbc148f3c7ddb66a6c11d34127865165f2a9572d6ecdff0ba", "type": "esql", "version": 12 }, "f701be14-0a36-4e9a-a851-b3e20ae55f09": { "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing", "sha256": "55de9b4b300ea2acb263f1cc4cbed9585e7669be566e58e1fa22c6db3d9e7a9c", "type": "query", "version": 4 }, "f754e348-f36f-4510-8087-d7f29874cc12": { "rule_name": "AWS Sign-In Token Created", "sha256": "b4f3c7bb4e908abc5172e54beffa1e362454012ebbc480fe2d7ce71b7112cd71", "type": "query", "version": 2 }, "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { "rule_name": "System Hosts File Access", "sha256": "e74aea796502decaa57c31bdfcbbb1fd65f68a826f3c3e1f3f6fdf7cb458fa3b", "type": "eql", "version": 7 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { "rule_name": "Entra ID Service Principal Credentials Created by Unusual User", "sha256": "6e45ed34b41c65dea5f26b4fd76c9a2d93cd04c869ff1233f8c9f818ae8ea9fb", "type": "new_terms", "version": 110 }, "f770ce79-05fd-4d74-9866-1c5d66c9b34b": { "rule_name": "Potential Malicious PowerShell Based on Alert Correlation", "sha256": "16873d6b08a266ce4c13f00b9cccef6dd41c64d850c8a5f83b593c93662d037c", "type": "esql", "version": 5 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", "sha256": "79d4a35620619779083ee70524a8ef1682a27632b98289f7456caa69d6568239", "type": "query", "version": 214 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { "min_stack_version": "9.3", "previous": { "8.19": { "max_allowable_version": 104, "rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container", "sha256": "841b368a5a82196761403f4ff326d8459a4501d8431b5e1dc3395acd18a3c104", "type": "eql", "version": 5 } }, "rule_name": "SSH Authorized Key File Activity Detected via Defend for Containers", "sha256": "14f95ad2256fe5d602c0c02461a1ad0140159a49d4af60382a20a6d2511f1cfd", "type": "eql", "version": 106 }, "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": { "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance", "sha256": "0df65b003548a28c9f18c010d2dd59a06433f01121e7a155c496e0b44d3cb6c1", "type": "new_terms", "version": 6 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "27b911863a0e93338b177cb55bbbcb19a306892e7f2ec0d6e264e1ae71959810", "type": "eql", "version": 318 }, "f7c64a1b-9d00-4b92-9042-d3bb4196899a": { "min_stack_version": "9.3", "rule_name": "Service Account Namespace Read Detected via Defend for Containers", "sha256": "9f57c86383c5c1b1e2b9f7f6640f0c0651119f9ae170973ee430a1280981cecc", "type": "eql", "version": 3 }, "f7c70f2e-4616-439c-85ac-5b98415042fe": { "rule_name": "Potential Privilege Escalation via Linux DAC permissions", "sha256": "273a68b602a7b719ceb9864ebcbbf2d46da699434458da9c37a16b290bdcd808", "type": "new_terms", "version": 8 }, "f7d588ba-e4b0-442e-879d-7ec39fbd69c5": { "rule_name": "Potential SAP NetWeaver WebShell Creation", "sha256": "1ec092ad267fde831ed0f6df37ec577f9d2275d7956117a0052e4eb35ee7068d", "type": "eql", "version": 2 }, "f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": { "rule_name": "AWS Suspicious User Agent Fingerprint", "sha256": "27d2eb5e6870d7c227dd3a411c07293fecb8f8f2f775777480a7dd0e02bc409d", "type": "eql", "version": 5 }, "f81ee52c-297e-46d9-9205-07e66931df26": { "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", "sha256": "19fa275f01d141046af620130c54383997bbfb159cc343503bd148ff624abf21", "type": "eql", "version": 315 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "sha256": "944482376711795146b91fa8d586f565364c9cab3cf94481924fb5d7128846c4", "type": "eql", "version": 110 }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", "sha256": "ab72bdf494ad1fe2b76321bce5c7385b100ac9456193bbd02076b9162c828500", "type": "eql", "version": 10 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", "sha256": "01d3cd8eb31e61543055122ffea2e86a0bf0f5be3388459c2f465a0301c572cb", "type": "eql", "version": 317 }, "f87e6122-ea34-11ee-a417-f661ea17fbce": { "rule_name": "Malicious File - Prevented - Elastic Defend", "sha256": "5f0651f7f44774e085a9b994162b48004c1a1ea83463576e78763c92ceecb71b", "type": "query", "version": 5 }, "f8822053-a5d2-46db-8c96-d460b12c36ac": { "rule_name": "Potential Active Directory Replication Account Backdoor", "sha256": "8b8cfdc1b6e853232d72a002e0d118a07d7b24e93ac97350d75f63492b64600f", "type": "query", "version": 111 }, "f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10": { "rule_name": "Kubernetes Secret get or list from Node or Pod Service Account", "sha256": "c8c9c251cc5939d6149f56787247eac3841a1012d35b82125ec7fc7bb70ab005", "type": "query", "version": 1 }, "f909075d-afc7-42d7-b399-600b94352fd9": { "rule_name": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent", "sha256": "1f3539efa4a2f15732756c9d225c458db94a94e3e76db2e5e75c56fc4ef25b98", "type": "eql", "version": 107 }, "f92171ed-a4d3-4baa-98f9-4df1652cb11b": { "rule_name": "Potential Secret Scanning via Gitleaks", "sha256": "4861674e448f597aa53a76a1d592c4eeeeb880c7a635868424b52dbd07885f11", "type": "eql", "version": 3 }, "f94e898e-94f1-4545-8923-03e4b2866211": { "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "17321d3d74af2ddb12d9920ceb84fd2b8ca8e772fcb350e32526d5c46c5672c8", "type": "new_terms", "version": 208 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 207, "rule_name": "Unusual Linux Network Configuration Discovery", "sha256": "b1e4aa334a9c74399d4b35c0e73a331197fd44f3b8ef34669b8d6b23d87620cf", "type": "machine_learning", "version": 108 } }, "rule_name": "Unusual Linux Network Configuration Discovery", "sha256": "b6a7707b778a054c85270746ef3d0855539421ee3103f6c883ea68097524173b", "type": "machine_learning", "version": 208 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { "rule_name": "Ingress Transfer via Windows BITS", "sha256": "8f1a587012787e08bd7b994c54b371e5ff8d27a2cf4b52b93f0541c8eeb0a2a5", "type": "eql", "version": 13 }, "f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a": { "rule_name": "Okta Admin Console Login Failure", "sha256": "3677a7454991a183ca50685f05c67cfbb7ab40cf6d1228854c5bc90678c5ed52", "type": "query", "version": 2 }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { "rule_name": "Browser Extension Install", "sha256": "db212e9bc4d6e1742a38a366ddb3b13939e0bbe4e792978053b32dc4fafbcd64", "type": "eql", "version": 210 }, "f9753455-8d55-4ad8-b70a-e07b6f18deea": { "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", "sha256": "38bd2f9e10713d14fe22bca802a8451930bea026c19babeddec2c1c26e14a9ab", "type": "esql", "version": 10 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "rule_name": "Privileged Accounts Brute Force", "sha256": "8afcd5fb546282c618329fe4b5405930b900d0c5f91b6a3894ab8f38df780dbd", "type": "esql", "version": 119 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "3f42d9f4d6c683fa8e24940e81e098732937f7c261ff50f3c743c37d18f8492d", "type": "query", "version": 413 }, "f9abcddc-a05d-4345-a81d-000b79aa5525": { "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", "sha256": "9fc867fa956909614f0c374d0eef744aaa01a9f0bc9c8c4cb346e4abe5b2e9f0", "type": "esql", "version": 12 }, "f9de0949-94d8-441d-ae9a-8eb1e040acf2": { "rule_name": "Newly Observed Process Exhibiting High CPU Usage", "sha256": "ac67c25e692fc04e2eeae6c2c6c597c4c637f8d746afc513e7b9e0370b67cdf7", "type": "esql", "version": 2 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "rule_name": "Remote File Copy to a Hidden Share", "sha256": "703a7a28c0e9d60ac345d7ff3b528565b332ae1f6e8e959878c741327fbc0108", "type": "eql", "version": 320 }, "fa210b61-b627-4e5e-86f4-17e8270656ab": { "rule_name": "Potential External Linux SSH Brute Force Detected", "sha256": "9731338ba3f551d2349c7c13e09c98d974880b06e1b03a55ee03454295de4adb", "type": "eql", "version": 11 }, "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "rule_name": "Potential Reverse Shell via Suspicious Binary", "sha256": "75eae6a378cd9de230df241678954eca014909ff202bd7530fd66caad62920c5", "type": "eql", "version": 13 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "339af3c6decf44171d39eb6af3fe6a811d9c725f06886ed9865a5eabd9310f8d", "type": "eql", "version": 321 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "rule_name": "Potential Disabling of AppArmor", "sha256": "2f19b753f33613c744acac5ad08008b53e8791926ce4f2e512d8f9d0738fe054", "type": "eql", "version": 113 }, "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { "rule_name": "Potential Masquerading as System32 DLL", "sha256": "e1b06ffe4e33874ed8e0700e601b69f3c9138637316c92d5c31067e7384a7006", "type": "eql", "version": 110 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "rule_name": "Network Connection via Registration Utility", "sha256": "d3f5c7183ddff278c200bf2ed689942fb3e756bea5404573d607b22e0d90da44", "type": "eql", "version": 212 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "bf668bb17c3ea7604e554f63825a99d9153ff36affd8b4b9ebb087cba806ff0f", "type": "threshold", "version": 209 }, "fb16f9ef-cb03-4234-adc2-44641f3b71ee": { "rule_name": "Azure OpenAI Insecure Output Handling", "sha256": "6d7efa2625569a818bc649d0e39b3174fdce1739aa2da7102b945a217e3912e6", "type": "esql", "version": 5 }, "fb3ca230-af4e-11f0-900d-f661ea17fbcc": { "rule_name": "Okta Multiple OS Names Detected for a Single DT Hash", "sha256": "e00405635f604093c0a8a65f92aa45f3a61a087ba4372ea7b1d6a2b5e06d486a", "type": "threshold", "version": 1 }, "fb542346-1624-4cf2-bcc7-c68abaab261b": { "rule_name": "Kernel Instrumentation Discovery via kprobes and tracefs", "sha256": "b7658647fd18f717cf27e94dc7503078ad59c72e1477332c507001cd361c4b10", "type": "eql", "version": 2 }, "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Group Name Accessed by a User", "sha256": "910816869ac69e52dd49d7b50213a32f674a8abcca1169b8dae5d9d0ca26a27d", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Group Name Accessed by a User", "sha256": "667f169cd9b1cccf4aea8c89b3535d32676adf3648fb6ec26bd809d1a57539e4", "type": "machine_learning", "version": 104 }, "fb8790fc-d485-45e2-8d6e-2fb813f4af95": { "rule_name": "Dylib Injection via Process Environment Variables", "sha256": "3da41c31ba94d685cd75f85322328359014c5be38f21ccf09593a68bf338b641", "type": "eql", "version": 2 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", "sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412", "type": "query", "version": 100 }, "fbad57ec-4442-48db-a34f-5ee907b44a22": { "rule_name": "Potential Fake CAPTCHA Phishing Attack", "sha256": "33d00e4c6fe087be1ef08b31b40a606e5e9c71ae3c9df80f964991477494d542", "type": "eql", "version": 3 }, "fbb10f1e-77cb-42f9-994e-5da17fc3fc15": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 103, "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", "sha256": "b6972d4f3235fe5015a16b59e32f209fef18168efd59112b1173e3341709c0b2", "type": "machine_learning", "version": 4 } }, "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", "sha256": "2a0c28333cbc2b59a754048dac4ba1ba85e1e32f9407e91291bbe69a9abbcf5d", "type": "machine_learning", "version": 104 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { "rule_name": "AWS Configuration Recorder Stopped", "sha256": "992873866168b6dc2174c2626fb35218105596756c2e0301459d4c664ae9ea8d", "type": "query", "version": 212 }, "fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": { "rule_name": "Process Started with Executable Stack", "sha256": "fd1e26f5a72a073b0f04248104e8a153e66925a0edbac78669638790918671c2", "type": "query", "version": 6 }, "fc552f49-8f1c-409b-90f8-6f5b9869b6c4": { "rule_name": "Elastic Defend Alert Followed by Telemetry Loss", "sha256": "67f6095aaaf71d37cb9ae1e5b587093cea6fa579d3654a9353068eb9b0edef4d", "type": "eql", "version": 3 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "b9b40ca0af3b9ae7237ee58b9db28fdb68df1dc944e6582fc0cf91ee188b4e5d", "type": "eql", "version": 315 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "b75dda67fd9da77f1320ea7c94c736e499c45243b2d3a1f0775caeca732cf753", "type": "new_terms", "version": 208 }, "fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": { "rule_name": "Proxy Execution via Console Window Host", "sha256": "da23ef37ab245220584b0229ede378558147536d721124480c11f605078401a3", "type": "eql", "version": 4 }, "fcd2e4be-6ec4-482f-9222-6245367cd738": { "rule_name": "M365 Identity OAuth Flow by User Sign-in to Device Registration", "sha256": "61bd95935880280101cb47357cfba9fda77a633cad787f7e0f4983dcf66fccf7", "type": "eql", "version": 4 }, "fcf18de8-ad7d-4d01-b3f7-a11d5b3883af": { "rule_name": "Threat Intel Email Indicator Match", "sha256": "cfa8a4fcc12561cec5bb571ef7f143d87543fe860577aa1f11b2b284b2e7ecb2", "type": "threat_match", "version": 2 }, "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { "rule_name": "User or Group Creation/Modification", "sha256": "2d62847cab8c33a052e502836ad121caf86f64b238197c9a1b2938d4e27c5f5e", "type": "eql", "version": 8 }, "fd00769d-b18d-450a-a844-7a9f9c71995e": { "rule_name": "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount", "sha256": "84051400b1ae5421cfb0710d08885fc6ccb194cced886576497e63909acfa9c9", "type": "query", "version": 2 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { "rule_name": "GitHub App Deleted", "sha256": "eec1892d492dc25cab5480d300e33e9aac87bcbb4386d100cab35cb223d38ce6", "type": "eql", "version": 209 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", "sha256": "74a0ff1c1a288bfbe8134ef5390dc9c7a9081b9e769c155809243aa52e7bd168", "type": "new_terms", "version": 9 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { "rule_name": "Linux Restricted Shell Breakout via the expect command", "sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032", "type": "eql", "version": 100 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "ef85670df7af1d67434ee4a084dae6785d63ea6fad1da9fed5bfefceaed92178", "type": "eql", "version": 319 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Suspicious CertUtil Commands", "sha256": "33778ead57b302d2250b723cf23c47fec7f96b8dcff8dfd99fc8f806e4ed0484", "type": "eql", "version": 318 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "rule_name": "Svchost spawning Cmd", "sha256": "17b5ec1f17eb3bdc6ba867893df9d9201b1818c50d9896f84da7c3d4c94db588", "type": "new_terms", "version": 428 }, "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { "rule_name": "Image Loaded with Invalid Signature", "sha256": "03745c7178dcf6374257634aeffef34bd5009ab9b52fbd8e2dd6d77b57ba1a47", "type": "eql", "version": 4 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "rule_name": "System Binary Moved or Copied", "sha256": "c20425759c10146a7e712fece38e597058b1970b880b8dc01d9683d931348140", "type": "eql", "version": 18 }, "fddff193-48a3-484d-8d35-90bb3d323a56": { "rule_name": "PowerShell Kerberos Ticket Dump", "sha256": "44814458fede28b8e96ffe4731862abd5077e5562e02d387ad816b812454f814", "type": "query", "version": 113 }, "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", "sha256": "4f61d5a4d2aea076af8a4b48cd80ffa83a42e7c5bc8144c04f396ba5571cb1ac", "type": "query", "version": 112 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", "sha256": "49ad33faa96836050c4fe6962330a51b2947b18372a2c7614579d27da4012c4f", "type": "eql", "version": 320 }, "fe8d6507-b543-4bbc-849f-dc0da6db29f6": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 104, "rule_name": "Spike in host-based traffic", "sha256": "539f0007ba47959012c3d761d040a6d76269a8994675b2f51c844ca81e899ef4", "type": "machine_learning", "version": 5 } }, "rule_name": "Spike in host-based traffic", "sha256": "907d81f3a0d242ae72cb95a3525f28b646be7b2537e8437b213254a0e2ac1660", "type": "machine_learning", "version": 105 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", "sha256": "889fbc6f1fe7867a60c30e0988ce0a1ecca3b10ed4d68247409e0bbb156e228a", "type": "eql", "version": 11 }, "feba48f6-40ca-4d04-b41f-5dfa327de865": { "rule_name": "Data Encrypted via OpenSSL Utility", "sha256": "6d5bc57ab69832dcf1fceb1113c15bd50ef32043aeac5c753aa45d8ef84fb133", "type": "eql", "version": 2 }, "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", "sha256": "e5501cb17cf5fe1cb22ce9ae6e8396575c212a05d10b7f191f96bde4173277f8", "type": "eql", "version": 5 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "rule_name": "MS Office Macro Security Registry Modifications", "sha256": "51805a54ccba7e11dd5249f3383c0faa260594148db400d814d4112d22e5b4ae", "type": "eql", "version": 313 }, "fef62ecf-0260-4b71-848b-a8624b304828": { "rule_name": "Potential Process Name Stomping with Prctl", "sha256": "d2d8d9adc0b0a1e18a247c5c551721be0f8dae7e8136df787c2c7c7b44f86070", "type": "eql", "version": 6 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "sha256": "b271213c5408f3105b6c293a194441c0a6ee0a8f56895b6c8b5d514a45f29206", "type": "query", "version": 108 }, "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { "min_stack_version": "9.4", "previous": { "8.19": { "max_allowable_version": 108, "rule_name": "Potential DGA Activity", "sha256": "305c65ba2a0c6e6b8dd78bcd8fce09f2491e6ed7c1ad1c495e321db25ddd0c2e", "type": "machine_learning", "version": 9 } }, "rule_name": "Potential DGA Activity", "sha256": "1892ab19dfbba7c5209d5416fac24916cec60b288ae4bbe9f0dfcad7fbb548ad", "type": "machine_learning", "version": 109 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "rule_name": "Cron Job Created or Modified", "sha256": "911f2754934b26787ef6ce346dd060a5ff237c442db717002c7f6c6d0678ec96", "type": "eql", "version": 19 }, "ff18d24b-2ba6-4691-a17f-75c4380d0965": { "rule_name": "Suspicious JavaScript Execution via Deno", "sha256": "cb55c046d8dfe8230113d03f862c936b4cc6f55c682a4004ef707a95803af2f3", "type": "eql", "version": 3 }, "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", "sha256": "b1c612a39634c76d3859749ffcf4a66830efa742e42ac76353710085e9a89c75", "type": "eql", "version": 8 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "rule_name": "LSASS Process Access via Windows API", "sha256": "2c61b250e1b3df4306e4f76d4df13c3f7cd624151ef683d9746e1b5640096676", "type": "esql", "version": 18 }, "ff46eb26-0684-4da3-9dd6-21032c9878e1": { "rule_name": "Active Directory Discovery using AdExplorer", "sha256": "e2bc14f1daa81650bb1547ff4439ba2e4f96fe3959eff2fe3d7e6aa1f47e84bd", "type": "eql", "version": 3 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "M365 Exchange Mail Flow Transport Rule Created", "sha256": "3af2c69e8e417302ef11f5cad05379d42ead8135a8bb69dbf6e400195e16d2e0", "type": "query", "version": 213 }, "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "sha256": "156d6c92921c8a78a426d13399acfc82335279f41bb1ca1b3b514f78e2d95be0", "type": "eql", "version": 206 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { "rule_name": "GCP Firewall Rule Deletion", "sha256": "2d21b1f06254849904bc0f96312aaddd5dbde583bae425bbb2b4e8cd08c5977c", "type": "query", "version": 109 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "fd78dc142d1cddc2c1b468082eba4a5caf404e211bf2b2fb770e0bb2218f5810", "type": "eql", "version": 112 }, "ffa676dc-09b0-11f0-94ba-b66272739ecb": { "rule_name": "Unusual Network Connection to Suspicious Top Level Domain", "sha256": "6fae13669a71fb69141b56f8ea1faa51ec5717011111ca52cae34917ddc408ce", "type": "new_terms", "version": 3 }, "ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": { "rule_name": "Suspicious TCC Access Granted for User Folders", "sha256": "d7c925205ac4209a78c8c60e52b5ad975f5ca3a956f42e12337fa8dfa1035e98", "type": "esql", "version": 3 } }