Mika Ayenson, PhD
586 lines
25 KiB
JSON
586 lines
25 KiB
JSON
{
|
|
"015cca13-8832-49ac-a01b-a396114809f6": {
|
|
"deprecation_date": "2026/01/16",
|
|
"deprecated_reason": "CreateCluster is routine Redshift lifecycle noise; real abuse paths (snapshot sharing, role abuse, security group exposure) are covered by other rules. See PR elastic/detection-rules#5367.",
|
|
"rule_name": "Deprecated - AWS Redshift Cluster Creation",
|
|
"stack_version": "8.19"
|
|
},
|
|
"03a514d9-500e-443e-b6a9-72718c548f6c": {
|
|
"deprecation_date": "2025/03/14",
|
|
"rule_name": "Deprecated - SSH Process Launched From Inside A Container",
|
|
"stack_version": "8.14"
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"deprecation_date": "2023/09/25",
|
|
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
|
|
"stack_version": "8.3"
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"09443c92-46b3-45a4-8f25-383b028b258d": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Expensive Defend correlation from a generic process event; flagged for deprecation as a noisy edge case during top-noisy rule tuning. See PR elastic/detection-rules#5449.",
|
|
"rule_name": "Deprecated - Process Termination followed by Deletion",
|
|
"stack_version": "8.19"
|
|
},
|
|
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
|
|
"stack_version": "7.16"
|
|
},
|
|
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
|
|
"deprecation_date": "2023/07/03",
|
|
"rule_name": "Deprecated - Threat Intel Indicator Match",
|
|
"stack_version": "8.5"
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"10754992-28c7-4472-be5b-f3770fd04f2d": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
|
|
"stack_version": "7.16"
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a5": {
|
|
"deprecation_date": "2021/08/02",
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"stack_version": "7.13"
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "User Discovery via Whoami",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"deprecation_date": "2022/07/25",
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"stack_version": "7.16"
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
|
|
"stack_version": "7.16"
|
|
},
|
|
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
|
|
"deprecation_date": "2026/01/16",
|
|
"deprecated_reason": "ElastiCache CacheSecurityGroup APIs apply only to retired EC2-Classic; modern VPC deployments are covered by AWS EC2 Security Group Configuration Change. See PR elastic/detection-rules#5334.",
|
|
"rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted",
|
|
"stack_version": "8.19"
|
|
},
|
|
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
|
|
"deprecation_date": "2025/06/26",
|
|
"rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
|
|
"stack_version": "8.18"
|
|
},
|
|
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Marked deprecated during the Windows High Severity tuning batch for persistent false positives. See PR elastic/detection-rules#5094.",
|
|
"rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader",
|
|
"stack_version": "8.19"
|
|
},
|
|
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
|
|
"deprecation_date": "2022/07/25",
|
|
"rule_name": "Auditd Max Login Sessions",
|
|
"stack_version": "7.16"
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"deprecation_date": "2023/03/04",
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"stack_version": "8.3"
|
|
},
|
|
"2377946d-0f01-4957-8812-6878985f515d": {
|
|
"deprecation_date": "2024/04/01",
|
|
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
|
|
"stack_version": "8.9"
|
|
},
|
|
"28738f9f-7427-4d23-bc69-756708b5f624": {
|
|
"deprecation_date": "2024/07/18",
|
|
"rule_name": "Suspicious File Changes Activity Detected",
|
|
"stack_version": "8.10"
|
|
},
|
|
"28896382-7d4f-4d50-9b72-67091901fd26": {
|
|
"deprecation_date": "2022/08/03",
|
|
"rule_name": "Suspicious Process from Conhost",
|
|
"stack_version": "7.16"
|
|
},
|
|
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
|
|
"deprecation_date": "2022/10/04",
|
|
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
|
|
"stack_version": "8.3"
|
|
},
|
|
"301571f3-b316-4969-8dd0-7917410030d3": {
|
|
"deprecation_date": "2023/12/14",
|
|
"rule_name": "Malicious Remote File Creation",
|
|
"stack_version": "8.9"
|
|
},
|
|
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Marked deprecated during the Linux privilege-escalation DR tuning batch. See PR elastic/detection-rules#5511.",
|
|
"rule_name": "Deprecated - Network Connection via Sudo Binary",
|
|
"stack_version": "8.19"
|
|
},
|
|
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Query keyed on an undocumented, likely-invalid field value; the false positives could not be solved at the rule level. See PR elastic/detection-rules#5552.",
|
|
"rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID",
|
|
"stack_version": "8.19"
|
|
},
|
|
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
|
|
"deprecation_date": "2022/08/01",
|
|
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
|
|
"stack_version": "7.16"
|
|
},
|
|
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
|
|
"deprecation_date": "2026/01/16",
|
|
"deprecated_reason": "CreateDBSecurityGroup targets retired EC2-Classic; VPC security group changes are covered by AWS EC2 Security Group Configuration Change. See PR elastic/detection-rules#5350.",
|
|
"rule_name": "Deprecated - AWS RDS Security Group Creation",
|
|
"stack_version": "8.19"
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"deprecation_date": "2021/03/03",
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"stack_version": "7.13"
|
|
},
|
|
"3efee4f0-182a-40a8-a835-102c68a4175d": {
|
|
"deprecation_date": "2025/01/17",
|
|
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
|
|
"stack_version": "8.12"
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"deprecation_date": "2022/09/13",
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"stack_version": "8.5"
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"deprecation_date": "2021/03/17",
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
|
|
"deprecation_date": "2023/09/25",
|
|
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
|
|
"stack_version": "8.6"
|
|
},
|
|
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
|
|
"deprecation_date": "2025/03/04",
|
|
"rule_name": "Potential Cross Site Scripting (XSS)",
|
|
"stack_version": "8.12"
|
|
},
|
|
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
|
|
"deprecation_date": "2023/11/02",
|
|
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
|
|
"stack_version": "8.3"
|
|
},
|
|
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Superseded by new ESQL Linux brute-force rules during the credential-access DR tuning rework. See PR elastic/detection-rules#5483.",
|
|
"rule_name": "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected",
|
|
"stack_version": "8.19"
|
|
},
|
|
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
|
|
"deprecation_date": "2025/07/09",
|
|
"rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted",
|
|
"stack_version": "8.18"
|
|
},
|
|
"5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Marked deprecated during the Linux lateral-movement DR tuning batch, with updated triage guidance attached. See PR elastic/detection-rules#5505.",
|
|
"rule_name": "Deprecated - SSH Process Launched From Inside A Container via Elastic Defend",
|
|
"stack_version": "8.19"
|
|
},
|
|
"5e87f165-45c2-4b80-bfa5-52822552c997": {
|
|
"deprecation_date": "2022/03/16",
|
|
"rule_name": "Potential PrintNightmare File Modification",
|
|
"stack_version": "7.13"
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Mknod Process Activity",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Linux BBR tuning: marked deprecated as a noisy rule with zero useful hits. See PR elastic/detection-rules#5514.",
|
|
"rule_name": "Deprecated - Potential Non-Standard Port HTTP/HTTPS connection",
|
|
"stack_version": "8.19"
|
|
},
|
|
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
|
|
"deprecation_date": "2022/03/16",
|
|
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
|
|
"stack_version": "7.13"
|
|
},
|
|
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Superseded by new ESQL Linux brute-force rules during the credential-access DR tuning rework. See PR elastic/detection-rules#5483.",
|
|
"rule_name": "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected",
|
|
"stack_version": "8.19"
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "SMTP to the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Query Registry via reg.exe",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
|
|
"deprecation_date": "2023/07/03",
|
|
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"stack_version": "8.5"
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"deprecation_date": "2022/08/02",
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"stack_version": "7.16"
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via the find command",
|
|
"stack_version": "7.16"
|
|
},
|
|
"72d33577-f155-457d-aad3-379f9b750c97": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
|
|
"stack_version": "7.16"
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"7b08314d-47a0-4b71-ae4e-16544176924f": {
|
|
"deprecation_date": "2022/08/02",
|
|
"rule_name": "File and Directory Discovery",
|
|
"stack_version": "7.16"
|
|
},
|
|
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
|
|
"deprecation_date": "2026/01/16",
|
|
"deprecated_reason": "ElastiCache CacheSecurityGroup APIs apply only to retired EC2-Classic; modern VPC deployments are covered by AWS EC2 Security Group Configuration Change. See PR elastic/detection-rules#5334.",
|
|
"rule_name": "Deprecated - AWS ElastiCache Security Group Created",
|
|
"stack_version": "8.19"
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
|
|
"stack_version": "7.16"
|
|
},
|
|
"863cdf31-7fd3-41cf-a185-681237ea277b": {
|
|
"deprecation_date": "2026/01/16",
|
|
"deprecated_reason": "DeleteDBSecurityGroup targets retired EC2-Classic; modern VPC RDS deployments are covered by AWS EC2 Security Group Configuration Change. See PR elastic/detection-rules#5350.",
|
|
"rule_name": "Deprecated - AWS RDS Security Group Deletion",
|
|
"stack_version": "8.19"
|
|
},
|
|
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
|
|
"deprecation_date": "2024/02/22",
|
|
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
|
|
"stack_version": "8.3"
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via the vi command",
|
|
"stack_version": "7.16"
|
|
},
|
|
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
|
|
"deprecation_date": "2025/01/17",
|
|
"rule_name": "Deprecated - Suspicious JAVA Child Process",
|
|
"stack_version": "8.12"
|
|
},
|
|
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
|
|
"stack_version": "7.16"
|
|
},
|
|
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
|
|
"deprecation_date": "2022/07/25",
|
|
"rule_name": "Auditd Login Attempt at Forbidden Time",
|
|
"stack_version": "7.16"
|
|
},
|
|
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Superseded by Pluggable Authentication Module or Configuration Creation, a Linux-only higher-fidelity, lower-compute rule. See PR elastic/detection-rules#5421.",
|
|
"rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration",
|
|
"stack_version": "8.19"
|
|
},
|
|
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Linux BBR tuning: marked deprecated as a noisy rule with zero useful hits. See PR elastic/detection-rules#5514.",
|
|
"rule_name": "Deprecated - Creation of Kernel Module",
|
|
"stack_version": "8.19"
|
|
},
|
|
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via the SSH command",
|
|
"stack_version": "7.16"
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
|
|
"deprecation_date": "2025/07/16",
|
|
"rule_name": "Deprecated - AWS EC2 Snapshot Activity",
|
|
"stack_version": "8.18"
|
|
},
|
|
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
|
|
"deprecation_date": "2023/02/16",
|
|
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
|
|
"stack_version": "8.4"
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"9d19ece6-c20e-481a-90c5-ccca596537de": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Superseded by Launch Service Creation and Immediate Loading, which covers LaunchDaemons and LaunchAgents via the newer Persistence event. See PR elastic/detection-rules#4547.",
|
|
"rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading",
|
|
"stack_version": "8.19"
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"deprecation_date": "2020/10/30",
|
|
"rule_name": "Network Connection via Mshta",
|
|
"stack_version": "7.10.0"
|
|
},
|
|
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Linux BBR tuning: marked deprecated as a noisy rule with zero useful hits. See PR elastic/detection-rules#5514.",
|
|
"rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary",
|
|
"stack_version": "8.19"
|
|
},
|
|
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
|
|
"deprecation_date": "2023/06/22",
|
|
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
|
|
"stack_version": "8.3"
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"ac8805f6-1e08-406c-962e-3937057fa86f": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Marked deprecated during the Linux DR Tuning - 2 batch without a rule-specific justification recorded in the PR. See PR elastic/detection-rules#5481.",
|
|
"rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server",
|
|
"stack_version": "8.19"
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Potential Persistence via Cron Job",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"deprecation_date": "2025/11/21",
|
|
"deprecated_reason": "Overlaps with the broader AWS Successful Root Console Login rule; the broader rule covers all root logins and is retained. See PR elastic/detection-rules#5201.",
|
|
"rule_name": "Deprecated - AWS Root Login Without MFA",
|
|
"stack_version": "8.19"
|
|
},
|
|
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Marked deprecated during the Linux cross-platform DR tuning batch. See PR elastic/detection-rules#5512.",
|
|
"rule_name": "Deprecated - Potential Non-Standard Port SSH connection",
|
|
"stack_version": "8.19"
|
|
},
|
|
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Marked deprecated during the Linux discovery DR tuning batch. See PR elastic/detection-rules#5497.",
|
|
"rule_name": "Deprecated - Potential Pspy Process Monitoring Detected",
|
|
"stack_version": "8.19"
|
|
},
|
|
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Superseded by Suspicious Renaming of ESXI VMware Files, which now also detects index.html renames in /usr/lib/vmware/. See PR elastic/detection-rules#5494.",
|
|
"rule_name": "Deprecated - Suspicious Renaming of ESXI index.html File",
|
|
"stack_version": "8.19"
|
|
},
|
|
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
|
|
"deprecation_date": "2025/07/16",
|
|
"rule_name": "Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
|
|
"stack_version": "8.18"
|
|
},
|
|
"c87fca17-b3a9-4e83-b545-f30746c53920": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Nmap Process Activity",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
|
|
"deprecation_date": "2022/07/25",
|
|
"rule_name": "Auditd Login from Forbidden Location",
|
|
"stack_version": "7.16"
|
|
},
|
|
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Process Discovery via Tasklist",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
|
|
"deprecation_date": "2023/12/15",
|
|
"rule_name": "Potential Process Herpaderping Attempt",
|
|
"stack_version": "8.3"
|
|
},
|
|
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "Socat Process Activity",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Marked deprecated during the Linux privilege-escalation DR tuning batch. See PR elastic/detection-rules#5511.",
|
|
"rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected",
|
|
"stack_version": "8.19"
|
|
},
|
|
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
|
|
"deprecation_date": "2022/07/28",
|
|
"rule_name": "Strace Process Activity",
|
|
"stack_version": "7.16"
|
|
},
|
|
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
|
|
"stack_version": "7.16"
|
|
},
|
|
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
|
|
"deprecation_date": "2022/01/12",
|
|
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
|
|
"stack_version": "8.0"
|
|
},
|
|
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
|
|
"deprecation_date": "2023/07/04",
|
|
"rule_name": "Reverse Shell Created via Named Pipe",
|
|
"stack_version": "8.3"
|
|
},
|
|
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
|
|
"deprecation_date": "2022/07/25",
|
|
"rule_name": "Unusual Process Execution - Temp",
|
|
"stack_version": "7.16"
|
|
},
|
|
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
|
|
"deprecation_date": "2022/08/02",
|
|
"rule_name": "Whitespace Padding in Process Command Line",
|
|
"stack_version": "7.16"
|
|
},
|
|
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
|
|
"deprecation_date": "2026/01/16",
|
|
"deprecated_reason": "CreateDBCluster is routine RDS lifecycle with no meaningful attack signal; high-value RDS threats (snapshot, export, exposure) are covered elsewhere. See PR elastic/detection-rules#5350.",
|
|
"rule_name": "Deprecated - AWS RDS Cluster Creation",
|
|
"stack_version": "8.19"
|
|
},
|
|
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
|
|
"deprecation_date": "2026/01/16",
|
|
"deprecated_reason": "Replaced by AWS EC2 Export Task, which detects successful exports (higher signal than failed attempts). See PR elastic/detection-rules#5248.",
|
|
"rule_name": "Deprecated - AWS EC2 VM Export Failure",
|
|
"stack_version": "8.19"
|
|
},
|
|
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
|
|
"stack_version": "7.16"
|
|
},
|
|
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
|
|
"deprecation_date": "2021/04/15",
|
|
"rule_name": "SSH (Secure Shell) from the Internet",
|
|
"stack_version": "7.14.0"
|
|
},
|
|
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
|
|
"deprecation_date": "2023/07/31",
|
|
"rule_name": "Suspicious Network Connection Attempt by Root",
|
|
"stack_version": "8.3"
|
|
},
|
|
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
|
|
"deprecation_date": "2026/01/16",
|
|
"deprecated_reason": "StopDBInstance and StopDBCluster are routine admin operations with no meaningful attack signal. See PR elastic/detection-rules#5350.",
|
|
"rule_name": "Deprecated - AWS RDS Instance/Cluster Stoppage",
|
|
"stack_version": "8.19"
|
|
},
|
|
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
|
|
"stack_version": "7.16"
|
|
},
|
|
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
|
|
"deprecation_date": "2026/01/16",
|
|
"deprecated_reason": "CreateDBInstance is routine RDS lifecycle with no meaningful attack signal; high-value RDS threats are covered elsewhere. See PR elastic/detection-rules#5350.",
|
|
"rule_name": "Deprecated - AWS RDS Instance Creation",
|
|
"stack_version": "8.19"
|
|
},
|
|
"f41296b4-9975-44d6-9486-514c6f635b2d": {
|
|
"deprecation_date": "2026/02/04",
|
|
"deprecated_reason": "Marked deprecated during the Linux execution DR tuning batch without a rule-specific justification recorded in the PR. See PR elastic/detection-rules#5504.",
|
|
"rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation",
|
|
"stack_version": "8.19"
|
|
},
|
|
"f52362cd-baf1-4b6d-84be-064efc826461": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
|
|
"stack_version": "7.16"
|
|
},
|
|
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
|
|
"deprecation_date": "2025/03/14",
|
|
"rule_name": "Deprecated - SSH Connection Established Inside A Running Container",
|
|
"stack_version": "8.14"
|
|
},
|
|
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
|
|
"deprecation_date": "2022/07/25",
|
|
"rule_name": "Auditd Max Failed Login Attempts",
|
|
"stack_version": "7.16"
|
|
},
|
|
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
|
|
"deprecation_date": "2022/05/09",
|
|
"rule_name": "Linux Restricted Shell Breakout via the expect command",
|
|
"stack_version": "7.16"
|
|
}
|
|
}
|