security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
main
sigma-rules/detection_rules/etc/version.lock.json
T
github-actions[bot] 0b15511ef5 Lock versions for releases: 8.19,9.2,9.3,9.4 (#6044)
2026-05-04 21:29:14 +05:30

13037 lines
489 KiB
JSON
Raw Permalink Blame History

{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "f2eff7fde63919cf5ce12fc0a43b396d4f946d0b91202749bb8e1959ba503cbd",
"type": "query",
"version": 416
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "9fa5bb58f3f3b4c55a18dcad65a001a8a4217afcc2ced7112a1e295bcb5a79a2",
"type": "eql",
"version": 321
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"rule_name": "System Shells via Services",
"sha256": "2fa22b5ffca90b0b5dda594ac010099051455bf90a1290e366e75c3f6c31f353",
"type": "eql",
"version": 422
},
"0049cf71-fe13-4d79-b767-f7519921ffb5": {
"rule_name": "System Binary Path File Permission Modification",
"sha256": "dba5d16fb893bdb86a173237b75117a8e000bca4f1a47a96d9492119f8beea74",
"type": "eql",
"version": 7
},
"00546494-5bb0-49d6-9220-5f3b4c12f26a": {
"rule_name": "Uncommon Destination Port Connection by Web Server",
"sha256": "7dc587f4807bf20137a0a7d3a415b2807d481a1dd245b423be1d9addca63dff9",
"type": "eql",
"version": 6
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"rule_name": "Google Workspace Suspended User Account Renewed",
"sha256": "91b36ea21ef5f2334a76a399ad91075977d7b149b9bab8bad35c854914d62420",
"type": "query",
"version": 8
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"rule_name": "Deprecated - M365 Security Compliance User Restricted from Sending Email",
"sha256": "226cb4ca9b14010933649d9bac8285e8266edb900b2d835b38307bc6fb629385",
"type": "query",
"version": 213
},
"015cca13-8832-49ac-a01b-a396114809f6": {
"rule_name": "Deprecated - AWS Redshift Cluster Creation",
"sha256": "f6e7e8c38698de53c1f503b5a483cd61fe060eba93c72f3d9d394148f9fb36ea",
"type": "query",
"version": 210
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"rule_name": "Potential Network Scan Detected",
"sha256": "5484efed9ed2e59b10577e3d86ecbe4dca7de9f28a241e509931c2595d8d9f4c",
"type": "esql",
"version": 15
},
"017de1e4-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Memory Threat - Detected - Elastic Defend",
"sha256": "2b1277af9a824d07977a035ae4f6833f19e26f54f8e63a687a92d4333c198416",
"type": "query",
"version": 5
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "076646ab6716181a2c6a88272c23d0eff028f4d43e05b1b9ba681c8fb13bb83b",
"type": "new_terms",
"version": 208
},
"02137bc2-5cc2-4f7f-a8e4-c52dc239aa69": {
"rule_name": "AppArmor Policy Violation Detected",
"sha256": "88dba2a32e25df07ff1ec197f82476ff39ecf0522f67fee729ea5d919aaf7d62",
"type": "eql",
"version": 1
},
"02275e05-57a1-46ab-a443-7fb444da6b28": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"sha256": "539f711b818d81795aaa0685de7d462dde5553ec579eb775fdcf8f69ab9227d5",
"type": "eql",
"version": 4
},
"022c37cd-5a4f-422b-8227-b136b7a23180": {
"rule_name": "Azure Arc Cluster Credential Access by Identity from Unusual Source",
"sha256": "71236804fae2460ed5d446795ca47484be4217066c02e16e29684c83d8c4d403",
"type": "new_terms",
"version": 3
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "effdc73f270011dd596efce8ebf1cec1af482896d9c27adf8015357428042c50",
"type": "eql",
"version": 211
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "ea027afabe0d5c7840b6fa74533bd16b107d9fe59b134747165b941da38827f8",
"type": "new_terms",
"version": 208
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"rule_name": "Process Created with an Elevated Token",
"sha256": "4aa9842670b9ebc492a4614e4317094998cf31227ac49598907aeb5bec61c692",
"type": "eql",
"version": 11
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "6089c2d9e1a728c906a10e30c7d3eca6eb9962492dde251a805ef9e7b97f8ee6",
"type": "eql",
"version": 312
},
"02b4420d-eda2-4529-9e46-4a60eccb7e2d": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Spike in Group Privilege Change Events",
"sha256": "f1b1c78251514ea08b82d81a68811dcf1756bde9a25d7f17adff4b6f612c523a",
"type": "machine_learning",
"version": 5
}
},
"rule_name": "Spike in Group Privilege Change Events",
"sha256": "d8194e445c87e8157a08b8aacf0fd3e0cafe76ef4c01be534907b1acb4c90108",
"type": "machine_learning",
"version": 105
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "8faa211ae2a7bcacb59c68e92a447cfd62919035dfe3259c39c0ee886be5ece8",
"type": "eql",
"version": 7
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "66859e52222069071bde2462f6cd971de312d63c6ca5da48abd9bde1d8a9986a",
"type": "eql",
"version": 111
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"rule_name": "M365 Exchange Email Safe Attachment Rule Disabled",
"sha256": "a13cc41b5296170dea0f9410986cbb6e32524cd0655f9b7dd0cde9738b7fe8ae",
"type": "query",
"version": 213
},
"03245b25-3849-4052-ab48-72de65a82c35": {
"rule_name": "GitHub Actions Unusual Bot Push to Repository",
"sha256": "8299a1ebfbcff5d084b1ffd256aaa5dbf5d7929e8b0a9037bc7d83792b927b4c",
"type": "new_terms",
"version": 3
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "65e29cfdd640c3d225586aceda29585c5bc3a9e76ff34a0764f403094b8c9ade",
"type": "threshold",
"version": 218
},
"035a6f21-4092-471d-9cda-9e379f459b1e": {
"rule_name": "Potential Memory Seeking Activity",
"sha256": "6f7728c25cb5067fe5f3da92b9e429591bee6ca7b05b0dc967ed772bfc19c1d4",
"type": "eql",
"version": 7
},
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
"rule_name": "Suspicious Dynamic Linker Discovery via od",
"sha256": "1955ce390a89fb19809e63ab7de3f8c5daa3aad4045bec36bcaa5b65779e457d",
"type": "eql",
"version": 108
},
"03a514d9-500e-443e-b6a9-72718c548f6c": {
"rule_name": "Deprecated - SSH Process Launched From Inside A Container",
"sha256": "db16c791683827ffea8705d7c3c3a3c8793db69d1e421f594a01616cf7fb7509",
"type": "eql",
"version": 5
},
"03b150d9-9280-4eb8-9906-38cfb6184666": {
"rule_name": "First Time Python Accessed Sensitive Credential Files",
"sha256": "aa5c2a00f56d00f3919acc63046fbd07594b643728777215c6faf15acefea5b8",
"type": "new_terms",
"version": 2
},
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
"rule_name": "Potential Network Scan Executed From Host",
"sha256": "74510e92c414883b3395c16038036135ff8ab99e5598ed0fa19fdadd86e0b701",
"type": "threshold",
"version": 8
},
"03d856c2-7f74-4540-a530-e20af5e39789": {
"rule_name": "Multi-Base64 Decoding Attempt from Suspicious Location",
"sha256": "074027b2bad9f1ac786fc520f793d1c3f48adbf4c5dee422b7ac017e8197672a",
"type": "eql",
"version": 3
},
"0415258b-a7b2-48a6-891a-3367cd9d4d31": {
"rule_name": "First Time AWS CloudFormation Stack Creation",
"sha256": "5a13a67e1b4bf143cfe2a0d8d3447f6a60fc0715e8494ee228a0040708d817d9",
"type": "new_terms",
"version": 8
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"rule_name": "Renaming of OpenSSH Binaries",
"sha256": "9ee995138cffed589e949a0c429e822f01d39ee3d4e57daa0b0130de809eae76",
"type": "query",
"version": 115
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
"type": "query",
"version": 105
},
"0428c618-27f5-4d94-99e6-b254585aba69": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 100,
"rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "c106d5b9496998b4af456df8d7df3c6ae1357af321309b4d51be2909f20ace09",
"type": "esql",
"version": 3
}
},
"rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "eafae5474516c5620352bbf6fdc4e5746adb3cf882352bad06a19d7dbfd26020",
"type": "esql",
"version": 104
},
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "dba859d27b151a923834b39a2c500f09b452ecd18fb17bc42fcedef488f957f8",
"type": "eql",
"version": 206
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"rule_name": "Entra ID Global Administrator Role Assigned",
"sha256": "9e8ad446f3a34d36c690d2af3ab183e06ef27545b244ce0b4f700d573cb8c71d",
"type": "query",
"version": 108
},
"04e65517-16e9-4fc4-b7f1-94dc21ecea0d": {
"rule_name": "User Added to the Admin Group",
"sha256": "b164ca59eecebcabe9bd4bbdc1c86c640f202a21e08e0a08cdfc824610ec9d98",
"type": "eql",
"version": 5
},
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"rule_name": "Suspicious Microsoft Antimalware Service Execution",
"sha256": "c4b43d411a14ed5441f18c7ac996e4d2ca17ce62a46155c9b8ef8a35e8e612f9",
"type": "eql",
"version": 219
},
"054853f3-2ce0-41f3-a6eb-4a4867f39cdc": {
"rule_name": "M365 Defender Alerts Signal",
"sha256": "b4a2a0cb67bf979baded41864bc6fa10883535dc419e6b6488ba8b1c8d0fb907",
"type": "query",
"version": 2
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "af7ccb91cc20e0406d5dbf0a368623b91dbe2fe0345075123197e22162c25280",
"type": "eql",
"version": 13
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "489f0b6d8e4c6a6b209771bd6fe6a15862f20fa603d6b726a5b1c1446bfb9099",
"type": "eql",
"version": 220
},
"05a50000-9886-4695-ad33-3f990dc142e2": {
"min_stack_version": "9.3",
"rule_name": "System Path File Creation and Execution Detected via Defend for Containers",
"sha256": "651ccae1e6baff5b1d018b9d02b49fa294970a75eddd6ad69ee73c7be6983531",
"type": "eql",
"version": 2
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "f750da59bfae7e417e2fef8122c3e5b7520f15e8610d3c66dd63557fa6504962",
"type": "eql",
"version": 313
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"rule_name": "Tainted Kernel Module Load",
"sha256": "d4df17e4c4a8b6081d4dc4c4682ee25d1ed06862635d77ea153047f150e1b1f7",
"type": "query",
"version": 10
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "aa3c02fb79c761a80f4964773218383ce6f2fa3d6edbb33b4228d9f58a4d7224",
"type": "eql",
"version": 114
},
"05f2b649-dc03-4e9a-8c4e-6762469e8249": {
"rule_name": "Suspicious AWS S3 Connection via Script Interpreter",
"sha256": "bdcf91c78e9c5c094fb384d21437ea44ff202ce66a874ddeb50bbd6be3ecd14f",
"type": "esql",
"version": 3
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"rule_name": "Remote System Discovery Commands",
"sha256": "287d45f63f9e0a5633a9830bc210991eedc0daf0db72f995831d011600a3b750",
"type": "eql",
"version": 217
},
"064a2e08-25da-11f0-b1f1-f661ea17fbcd": {
"rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk",
"sha256": "fbb58851e7b0642dbb3d884af38bac704a32fd6065228ae2d97cc8769bf6a93f",
"type": "query",
"version": 5
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"rule_name": "System Time Discovery",
"sha256": "3c5edef6420d3b719294df8da79f6f77b0e473d0d2f3bbd1fa89103aa8f53bcf",
"type": "eql",
"version": 114
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "Unusual Remote File Size",
"sha256": "565ac2eb82e32aae378c10858021adb00856aa3fcca8dfff5921bec099323be0",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "Unusual Remote File Size",
"sha256": "ea21c2579a2ea6d078cc251597362fa05d6ad0a2b65fc498d6c5059636d8b638",
"type": "machine_learning",
"version": 109
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "61186ac011e99a690ffc2ca0232ca0d4c1a56577cd1b882fc838f4adec3b1372",
"type": "eql",
"version": 215
},
"06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": {
"rule_name": "Dynamic Linker (ld.so) Creation",
"sha256": "6350e0d9141e53b3f2c4ecc5b9384512cd89637b34bb845ffedb10e893777303",
"type": "eql",
"version": 107
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "e0fc6fce12b37afcc2729cc67ce98534a81f241684b19f9763e9f1220fd3d190",
"type": "eql",
"version": 220
},
"06f3a26c-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Memory Threat - Prevented- Elastic Defend",
"sha256": "39ab8efbaba1708840ab6193657a5a186f3a085b6224598c77a08006514293dd",
"type": "query",
"version": 4
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "b61bad8552dae17b256c73cb62eb7e5240586363ca2bdfae7dce74ffc35cb129",
"type": "eql",
"version": 318
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "5b3ad0cab15b804ec79acfddc6075930f20e13bdc9b7df71afa2bab6135aa015",
"type": "eql",
"version": 210
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "2a82445079956301b16981f1c33b9a8f5c65ffee6d2ef7b6948e62f24689a072",
"type": "threshold",
"version": 9
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "e5ead4056278a234ee157310599f05d05e66fe7be04c4658c711e90a8fbfdd8e",
"type": "eql",
"version": 321
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "cf7654ebd4c213e045aaa2ad22109e5d4d8d75c557757a8402eabe3919da5acb",
"type": "query",
"version": 111
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"rule_name": "Suspicious Browser Child Process",
"sha256": "e0131321585947ebb113994bcb41271b69a40753710365ea30b2a1204ad5008d",
"type": "eql",
"version": 113
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"rule_name": "Launch Service Creation and Immediate Loading",
"sha256": "6e6a989495990c86ba5a6dc1a3178fbe5dc8a8e23542837ce40be022461703e9",
"type": "eql",
"version": 112
},
"083383af-b9a4-42b7-a463-29c40efe7797": {
"rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation",
"sha256": "df58a717def18bd6b87e4ee7c0b9b92e104cfaef8714f6029f3f4cc26a4c2f7a",
"type": "esql",
"version": 11
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "3e6315c69df778ac0ee943ef7672b9725a6c36ecdedf6c955d1609b9f0c936cc",
"type": "eql",
"version": 111
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"rule_name": "First Time Seen Removable Device",
"sha256": "8d49ac6a7e4266309a445287ddba7de4a7c3953b54030f6bb1b22a2579d6e607",
"type": "new_terms",
"version": 214
},
"0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": {
"rule_name": "Node.js Pre or Post-Install Script Execution",
"sha256": "f161b256265c51cd268982d28acc9d9220cc7c1aba15a8b036c39d9ae9253da3",
"type": "eql",
"version": 4
},
"08933236-b27a-49f6-b04a-a616983f04b9": {
"rule_name": "Alerts From Multiple Integrations by Destination Address",
"sha256": "d6accf93019b97c82298a163af364a097f31b22146454acba734fd8f76d90c6e",
"type": "esql",
"version": 3
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"rule_name": "Windows Account or Group Discovery",
"sha256": "ce8ca8f191f83b34e7b0a028117f3ed158af3ebc4c3f9d40a1614f01033cd93e",
"type": "eql",
"version": 8
},
"08be5599-3719-4bbd-8cbc-7e9cff556881": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Source IP for Windows Privileged Operations Detected",
"sha256": "bc44537711867484c6d568447d16aa07c2bebb17b8e8de3f9d5d4cd27b7877dc",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Source IP for Windows Privileged Operations Detected",
"sha256": "cba194c97b4198045ac48cbff7beb5cf8aa6cd337abe8b945d0e921ea725f96c",
"type": "machine_learning",
"version": 104
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
"type": "query",
"version": 100
},
"09073bf4-a8ea-4bce-9fd5-2bb56b4d31f4": {
"rule_name": "Attempt to Clear Logs via Journalctl",
"sha256": "dc61913b2bea0be5a6013cb04da91ce28b84fce2780a58eb7bcb8c1a871ba003",
"type": "eql",
"version": 2
},
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "89f5838ed3a10f58fb95b54bf3a065b1edfcbccc6e82ba7249e7714ec14af877",
"type": "eql",
"version": 113
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"rule_name": "Deprecated - Process Termination followed by Deletion",
"sha256": "b732879b1c2fe0dc643e22be8c9dfc66ffd9b3362f8964d99df43ec8ce295335",
"type": "eql",
"version": 114
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"rule_name": "Member Removed From GitHub Organization",
"sha256": "2ffad86dda9d63530d2b961af027f8ccf552593370bec658c394b6bfbee14ed9",
"type": "eql",
"version": 206
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
"type": "eql",
"version": 100
},
"097ef0b8-fb21-4e45-ad89-d81666349c6a": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Spike in Special Logon Events",
"sha256": "92d7807f355cf385d1fa15849d15c6fb322bf1b9dde07df1b9e0d92899819b0c",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Spike in Special Logon Events",
"sha256": "af7d7f8466de0579c7532f0e4cc5b23f711bc0484f6e516cc0f3962f7e510a6c",
"type": "machine_learning",
"version": 104
},
"098bd5cc-fd55-438f-b354-7d6cd9856a08": {
"rule_name": "High Number of Closed Pull Requests by User",
"sha256": "f46d127ff65faf71c8a8b0f3fb5821e6deb79ff046965cbe27aa8f63f7229354",
"type": "esql",
"version": 4
},
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "21a80a8417bb2147dbcfad3bbd1dbac0c463712efa27f14464c0547f66e34582",
"type": "eql",
"version": 11
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"rule_name": "Azure VNet Firewall Front Door WAF Policy Deleted",
"sha256": "2d00df8fc7b00a913e0c182043c1a112d1b2690af2c81572f80ad04a284e5df0",
"type": "query",
"version": 108
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "6dec72ce9f7aabecc519652ba7299033d64fbfe4d155e3cbb9fff040f62ecef9",
"type": "query",
"version": 105
},
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "6a2860edb5ebe67b8ddbfd0633c2fc64f43eb9a1a0b6cb59f298b6e207944b51",
"type": "query",
"version": 9
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"rule_name": "Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "62831c7e91ee7ce21ec1904ea276f67fc1771d890a541a18fba380632f6a8e04",
"type": "query",
"version": 213
},
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
"rule_name": "Yum Package Manager Plugin File Creation",
"sha256": "dbae98880bf9a0c1e97107f8d4f2e8db844623eea45f77f379c744c955ea36dc",
"type": "eql",
"version": 10
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 311,
"rule_name": "Anomalous Windows Process Creation",
"sha256": "0d38cceb87101c739c8c402c9c084654ab8bea0da9d751f01e82deca56bdf848",
"type": "machine_learning",
"version": 212
}
},
"rule_name": "Anomalous Windows Process Creation",
"sha256": "4322d572dd7347e0c0b1fe18bb2c528d15656965e263d2d9209a6ccbe24facdd",
"type": "machine_learning",
"version": 312
},
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"rule_name": "User account exposed to Kerberoasting",
"sha256": "02414f778b92b4c687768c61989adb3f2b632c354674ecf7c580d1e549cdba9b",
"type": "query",
"version": 221
},
"0b76ad27-c3f3-4769-9e7e-3237137fdf06": {
"rule_name": "Systemd Shell Execution During Boot",
"sha256": "09dffcc4e5124f18d47919fe93f50abaeb60d6834acf7ead306f212a6eba4afd",
"type": "eql",
"version": 6
},
"0b79f5c0-2c31-4fea-86cd-e62644278205": {
"rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
"sha256": "930b95c69bf6eea872d22434afefa58e36c3427fe3074d3010aa7531c87510b7",
"type": "eql",
"version": 7
},
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "7d77a4998b0ebb67b07e857ede2aade5168aa1ae3854965f321bbac0e38be89f",
"type": "eql",
"version": 113
},
"0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "438c321a47c109bde474d6eeb1ea633ec7f60705edf876aaaa4b0a8dfec1af2b",
"type": "eql",
"version": 112
},
"0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": {
"rule_name": "Elastic Defend and Network Security Alerts Correlation",
"sha256": "15b613d3ba0acece6a8253f34df9e3f8528ec9a65642dfb2585425a083f8b7a6",
"type": "esql",
"version": 7
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces",
"sha256": "eea37dd20530605c66b9747aec38cabb0194bce5bb2991f9b1744136a6c3cf26",
"type": "eql",
"version": 5
},
"0c1e8fda-4f09-451e-bc77-a192b6cbfc32": {
"rule_name": "Potential Hex Payload Execution via Common Utility",
"sha256": "93cd06950bf1b69b6bd8abd8923e82b0e7c578c6e93606cfcd6be0f5909f8bb7",
"type": "eql",
"version": 107
},
"0c3c80de-08c2-11f0-bd11-f661ea17fbcc": {
"rule_name": "M365 Identity OAuth Illicit Consent Grant by Rare Client and User",
"sha256": "990caac706a81700f2a8457d690ca56ba943e899e776bb8e8d053ee4aa3d5d13",
"type": "new_terms",
"version": 8
},
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"rule_name": "Threat Intel IP Address Indicator Match",
"sha256": "de0fce0fbcce6580a6a0af3a9cbd36da077ec0b32571149301aaaf7e6b50bc35",
"type": "threat_match",
"version": 9
},
"0c74cd7e-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Ransomware - Detected - Elastic Defend",
"sha256": "4cd274302356966cd95f09c1100bc8a7ded3746edf7901cc0a36a7d8a85120fb",
"type": "query",
"version": 5
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"rule_name": "Peripheral Device Discovery",
"sha256": "156bd381d564774d81e1860d26cfc6d4a84a75a320968e06ed2b550945efaa1c",
"type": "eql",
"version": 316
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"rule_name": "Deprecated - Threat Intel Indicator Match",
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
"type": "threat_match",
"version": 204
},
"0cbbb5e0-f93a-47fe-ab72-8213366c38f1": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "High Command Line Entropy Detected for Privileged Commands",
"sha256": "2e7d5c4df33ef2238bbf97c9d32ff1f30b544cd024426fbf7b8f60efb7289ad8",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "High Command Line Entropy Detected for Privileged Commands",
"sha256": "e1065505966fda7f392ba493ac2b31b91e6f378c082d6704f3134ac39a389494",
"type": "machine_learning",
"version": 104
},
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
"sha256": "b8b8dd78b8c6c7dc7963683187e44adf10d7f96d6f8fb08ea9d8a6f1015f376b",
"type": "esql",
"version": 8
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "M365 Exchange Mailbox High-Risk Permission Delegated",
"sha256": "894f2eba51cb0eb9109b09f87d273ae20204ec8d8ff1a5d3cd366e6650808047",
"type": "new_terms",
"version": 214
},
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"rule_name": "Multiple Alerts Involving a User",
"sha256": "39146bd0ad1fcffb736b85e308c42cb31f2e2d0059d03d59be148de54965d777",
"type": "esql",
"version": 9
},
"0d3d2254-2b4a-11f0-a019-f661ea17fbcc": {
"rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph",
"sha256": "51e32252c859489884ccd4518fe7dae46ab0cea3f05342fccdf9a5b466fc0e2c",
"type": "esql",
"version": 10
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"rule_name": "Nping Process Activity",
"sha256": "dd76e3f0f0d4cc6807c6afcd4c5894467e3047dd19959748a879badf05fd647a",
"type": "eql",
"version": 213
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "094356d1f51021f7425e8498fdaa9e5545042553ed50aaf071c39778fedad057",
"type": "eql",
"version": 114
},
"0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 204,
"rule_name": "AWS Access Token Used from Multiple Addresses",
"sha256": "26ed2013c1d78f46c69814d77905908c7c0bb10e421da7bd59937e75d0f01fef",
"type": "esql",
"version": 107
}
},
"rule_name": "AWS Access Token Used from Multiple Addresses",
"sha256": "77f473d39331e99c4f5139d471dc7043828fe6b9f3f0cddcf60878264857b71a",
"type": "esql",
"version": 208
},
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
"sha256": "6319c31a290d00e0983d81b1971155caa96f3687a61721f79286857c1bbbbab0",
"type": "esql",
"version": 5
},
"0e42f920-047d-4568-b961-2a50db6c4713": {
"rule_name": "Potential Persistence via Mandatory User Profile",
"sha256": "b8d61454cd6ec06100946627852de41f7198a191f70683750b03297e6247a441",
"type": "eql",
"version": 3
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "15cd22677a8340711fed0f7030ff28056951bba6f1f4f4c74dacd31c27371ef5",
"type": "new_terms",
"version": 208
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"rule_name": "M365 SharePoint Malware File Detected",
"sha256": "219149d921e9d74f4d05b7c228fa56ee3ae14df3a2c0373e981d498069bb89f4",
"type": "query",
"version": 213
},
"0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
"rule_name": "M365 OneDrive/SharePoint Excessive File Downloads",
"sha256": "f8d745a83d271544f83eefd939f7a08615847df7c8b31a345065cbc06db50ccd",
"type": "esql",
"version": 9
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"rule_name": "GCP Service Account Key Creation",
"sha256": "a7de922125422835641adbae4ac03d3876d7db4b40c6a39e3039ef79757b5c0a",
"type": "query",
"version": 109
},
"0e67f4f1-f683-43c0-8d45-c3293cf31e5d": {
"rule_name": "Lateral Movement Alerts from a Newly Observed Source Address",
"sha256": "77726aac9ceb48e0f529980fb81396999b0c6688cf5bab0f232aa63d3a653918",
"type": "esql",
"version": 3
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"rule_name": "MsBuild Making Network Connections",
"sha256": "1d2f40489c68453c001300064c4191b3c1118961bcbf8f98ef0ae3d7af2a7f6a",
"type": "eql",
"version": 216
},
"0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "Sensitive Audit Policy Sub-Category Disabled",
"sha256": "07263690e8379296f216fcdd9c9c9f5b6b9d4785df9804d973ab13ac573a61c7",
"type": "query",
"version": 6
}
},
"rule_name": "Sensitive Audit Policy Sub-Category Disabled",
"sha256": "ab3e71024a071b7fdfe5a78867ce7b97ee798a14a25a3ad4d5f93579c8d00be5",
"type": "esql",
"version": 107
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"rule_name": "rc.local/rc.common File Creation",
"sha256": "0dd7907213fe1c2007ed13fc265447af5e1da11ec3932ac1bd234bac879ddd75",
"type": "eql",
"version": 120
},
"0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": {
"rule_name": "Polkit Policy Creation",
"sha256": "390e710ade2de69e142c5ee48c04471d137a80031e3679e2c9675a40dbc10e4e",
"type": "eql",
"version": 107
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "a0f0ae4b269a171b856191b76721c04753d2c3ed780decf03817b56e352235ee",
"type": "eql",
"version": 109
},
"0f615fe4-eaa2-11ee-ae33-f661ea17fbce": {
"rule_name": "Behavior - Detected - Elastic Defend",
"sha256": "d8fb41394bccffb0c9806c9a2edcf0cd1eefa2bc71a5d98d020b766f1e9e0c1c",
"type": "query",
"version": 5
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
"type": "query",
"version": 100
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "877b148eb16e5925faa6420c7ce4e5af877518280357765cf8b26d314d4866a4",
"type": "threshold",
"version": 314
},
"0fb25791-d8d4-42ab-8fc7-4954642de85f": {
"rule_name": "Kubernetes Creation or Modification of Sensitive Role",
"sha256": "b9c97990e6ca915c311408c981892865fdd39e7032758dd0bf98eb9c14eb5af0",
"type": "esql",
"version": 3
},
"0fb83aa0-3d17-41e9-b09c-56397bf7a7d9": {
"min_stack_version": "9.3",
"rule_name": "Decoded Payload Piped to Interpreter Detected via Defend for Containers",
"sha256": "99daa90cdf83d5fa31673dca3684a322c5b9b12882dbc2d4e82acfbc4a249401",
"type": "eql",
"version": 2
},
"0fe2290a-2664-4c9c-8263-b88904f12f0d": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Kubernetes Sensitive Configuration File Activity",
"sha256": "0733fbd77e1dcbbf858340c7c49c0409b1c8d13fcbce786043e46d561f30f8e7",
"type": "eql",
"version": 2
}
},
"rule_name": "Kubernetes Sensitive Configuration File Activity",
"sha256": "bfc840c4e0154ce1c816dc7e6d4b277b6a431df45094be45f5f6c0166ac02aa4",
"type": "eql",
"version": 103
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "36da4f7c17d19fd33bbe592e8381c3917e11c309d47f43c7909d76b2740eb47b",
"type": "eql",
"version": 110
},
"1004ad5b-6900-4d28-ab5b-472f02e1fdfb": {
"rule_name": "AWS SSM Inventory Reconnaissance by Rare User",
"sha256": "1531a1d1f980b959ce58e42c0fb6a88915457be59be0697a2a52c266a55d4f25",
"type": "new_terms",
"version": 3
},
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
"rule_name": "AWS IAM Login Profile Added to User",
"sha256": "65b7cb64433981f1907a05a2af586fe1deaa32e3e04f391a3b8be11d65cd67ef",
"type": "query",
"version": 5
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
"type": "eql",
"version": 100
},
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"rule_name": "WebProxy Settings Modification",
"sha256": "7a9a8ca308fe9d2c8060cae7cf57cb65402bef0f911c86790a0d29b8e978c4b7",
"type": "eql",
"version": 211
},
"10f3d520-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Ransomware - Prevented - Elastic Defend",
"sha256": "3d0922a96d70e3acfbd3d41bfb8c15881b2c0754486948513d6e29ced4a004e4",
"type": "query",
"version": 5
},
"11013227-0301-4a8c-b150-4db924484475": {
"rule_name": "Abnormally Large DNS Response",
"sha256": "be1fc253ed58440f6af839e8e5f79978eba0a908da3adb6fa9713f774fb8a7c0",
"type": "query",
"version": 110
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "f9bf3e298b294a41bb1856889477dcec525ec04804459de0294f14714ad143eb",
"type": "eql",
"version": 219
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "1224c28727d499af370240ca8e5ed7432294872e5d5258d9eedba7a8d8b72bb1",
"type": "eql",
"version": 318
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "b78786276c865fe5602cfe809acdf9d0912624f137a0cf4049b4b5aefb497f84",
"type": "query",
"version": 213
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
"type": "query",
"version": 100
},
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "a549668ec7559114b0115b356167686dc385ac990b386fb5e9f2b612c992357d",
"type": "query",
"version": 119
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "e2639febbe6e8a624a43a1a5782021cc15db735aef9129b0760de784416247ab",
"type": "eql",
"version": 217
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "66bfe584a46f9c27ec808d78ca7f975b9ce6104c3bd2991510676d76e7e38cb5",
"type": "query",
"version": 213
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
"type": "query",
"version": 100
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 210,
"rule_name": "User Detected with Suspicious Windows Process(es)",
"sha256": "a96480b14fddea2a5966e37fb70b54db6e8ef69582f58b9ddd9e0845943ff7ac",
"type": "machine_learning",
"version": 111
}
},
"rule_name": "User Detected with Suspicious Windows Process(es)",
"sha256": "f46f877d99943deae9fa5622e50247b35000bc4fa24fcdc5637f394a543ec995",
"type": "machine_learning",
"version": 211
},
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
"rule_name": "AWS Lambda Function Created or Updated",
"sha256": "1360886265d6aeb35c9b356643d02b243b43284698ffec99bd03641da8d34084",
"type": "query",
"version": 4
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
"type": "query",
"version": 100
},
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"rule_name": "Suspicious Lsass Process Access",
"sha256": "13ea12c18b065bc285ea95a16119242a9882ef4c3103f521a1c701921ec69cd5",
"type": "eql",
"version": 212
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"sha256": "7c11440601de84729a35dfa170c057f749e1ed8943734cdad5d540f97f0900bf",
"type": "new_terms",
"version": 211
},
"12cbf709-69e8-4055-94f9-24314385c27e": {
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "957cd8a8925cca175889fadff063ff73d18f178be083cbff70f868dfff58ad72",
"type": "query",
"version": 210
},
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "d32351494ff1b9ffd9ba55acf3ca09d761a8cc3d4944657b331a3e2cd0c2a611",
"type": "eql",
"version": 211
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "dff426ad89e3595df008b1e3eebe381001d991ed6f8556badc8cb7f03602384f",
"type": "eql",
"version": 321
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "a4cef089a97baa377ce98b7cb50c1a47a4a67b0f74e854692264582b8a57614e",
"type": "eql",
"version": 416
},
"135abb91-dcf4-48aa-b81a-5ad036b67c68": {
"rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
"sha256": "a9b1539d0e9db24ff1c2c89fbce7703a1e17089844275ce75a152f357dcffb33",
"type": "eql",
"version": 107
},
"138520d2-11ff-4288-a80e-a45b36dca4b1": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Spike in Group Membership Events",
"sha256": "907893df220287d24f1906748b2da8456e68f29204e8cadd48187f98a98c5688",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Spike in Group Membership Events",
"sha256": "6833917467dfd8d34a81995993907c41c52722e7afecb30ec5fec5641477c8f2",
"type": "machine_learning",
"version": 104
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Rare User Logon",
"sha256": "dbbfc73fc0478644faa929c86d67c4ce1a7a6af123ba5c96a3c57ba7454db18f",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Rare User Logon",
"sha256": "e7b1144434301dcf8d3c853460221fd971055d06b21eae12d6434b5e898d91e3",
"type": "machine_learning",
"version": 207
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"rule_name": "Potential Ransomware Behavior - Note Files by System",
"sha256": "a4773853ce1ea436c93f739ecc375ebc074829200e0ed449ee0e3bec0becb585",
"type": "esql",
"version": 215
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
"type": "query",
"version": 100
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score",
"sha256": "526f288219500704dab7160a26e0af9e6dbb812dcf0e2b12895e0f2412792343",
"type": "eql",
"version": 13
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"rule_name": "Entra ID External Guest User Invited",
"sha256": "3cc4581f69c27422b3f2353597665249059ba22ef323c49c2b97218a803eaac9",
"type": "query",
"version": 109
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "0ad5c2e271c9001326aa27dfc63f6c35a4138bc03e6a1e4db48aaeac803e30f6",
"type": "query",
"version": 111
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"rule_name": "Office Test Registry Persistence",
"sha256": "6ae151273f3904946010828516f37ea7cb7152e34ac5eebb85174cd704f59d78",
"type": "eql",
"version": 109
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "b84822387863316ee7e038ffc13bbf210e9d66bdd21bc0c4cbc1806a7a261d09",
"type": "eql",
"version": 211
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "5fb9943cdf453b43370e6f92b8be06a5dfe213e2bcd3566aa2e2bd08e9d21e7b",
"type": "eql",
"version": 317
},
"14fa0285-fe78-4843-ac8e-f4b481f49da9": {
"rule_name": "Entra ID OAuth Phishing via First-Party Microsoft Application",
"sha256": "1d5cd26347a6790ae2294701743b179765b2d5f29842f30b7564687d387f8cc7",
"type": "query",
"version": 8
},
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "da0623d8382c2550dc8e2605907d304a97ce85101085e93eaae2be757ed6242f",
"type": "new_terms",
"version": 209
},
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"sha256": "1e38ba5abce5df6e94d4f7ff4ef607302c6726044195ba8953854867fec17b60",
"type": "eql",
"version": 8
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "4f8dae1671164a15e104cf7087d42d6a879f2c0809501137ee183c0f3f3ee364",
"type": "eql",
"version": 7
},
"15606250-449d-46a8-aaff-4043e42aefb9": {
"rule_name": "Suspicious StartupItem Plist Creation",
"sha256": "f63835bd6dbd1ae1525c1f9d9b34983545dcb86f455e65e49d50b96726bcd6c8",
"type": "eql",
"version": 1
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "7c14ff284718226ea6475885fa3d285019ef181a69705bed2afb9f25ce81b4fc",
"type": "eql",
"version": 216
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "62c79ce5bae7cf736a51c50a7e07508e4a50999a807161a4e0c68835b2a29780",
"type": "eql",
"version": 320
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "11df8567d6795588d2f0b1c35dd8ca813fcf809258461c5483790a459bdc1cc9",
"type": "eql",
"version": 113
},
"1600f9e2-5be6-4742-8593-1ba50cd94069": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Kubectl Permission Discovery",
"sha256": "c1da63bbab5facc4c4cb7cc3ec0cfef430b4733d91393d9b58441c092c54e0e5",
"type": "eql",
"version": 4
}
},
"rule_name": "Kubectl Permission Discovery",
"sha256": "88b8163bdbf4231ba333b88a4662e21abc05924a08f51847cda7ed108328e09c",
"type": "eql",
"version": 106
},
"160896de-b66f-42cb-8fef-20f53a9006ea": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
"sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential release_agent Container Escape Detected via Defend for Containers",
"sha256": "83cc6f40e6132026e20c447cd04f8cba5947105f81fe35a20b393a650d0ca896",
"type": "eql",
"version": 104
},
"1615230f-beb7-48d8-9b3f-6d10674703bf": {
"rule_name": "Suspicious SIP Check by macOS Application",
"sha256": "fa8c6092c9b9b8566ea7901262f4a9a3660b455e07ecb434fb833cdee30197d6",
"type": "eql",
"version": 2
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"rule_name": "Azure Automation Runbook Created or Modified",
"sha256": "090781ceb0f70e5c6d5854c34e2def7e8983a8c0fc34e614674ef24f4a9c74d9",
"type": "query",
"version": 108
},
"163a8f2f-c8a0-4b7e-9c4a-1184310eb7f3": {
"rule_name": "Potential CVE-2025-32463 Nsswitch File Creation",
"sha256": "811b20416cead7025ab23de710ac19ed81924cc270507221b356a395d5fd4940",
"type": "eql",
"version": 3
},
"166727ab-6768-4e26-b80c-948b228ffc06": {
"rule_name": "Potential Timestomp in Executable Files",
"sha256": "d412a6320c3b63e9d14e2897865c8df7a907154312cbc26891375687109ccfa0",
"type": "eql",
"version": 111
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "d044c2e031f6739d53c3387ad4e0c7f4e1617a0fad10f442fa29118f43b2a0e0",
"type": "eql",
"version": 112
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"rule_name": "AWS IAM Group Creation",
"sha256": "a18672298cd92d568cb52d61601a039e39aa68213d8dc698fcdfa49d06280434",
"type": "query",
"version": 212
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"rule_name": "Component Object Model Hijacking",
"sha256": "d4267bbb2896541227ff0042bb5fd07bf0d5d673472429d931cda1a80f41b666",
"type": "eql",
"version": 120
},
"16acac42-b2f9-4802-9290-d6c30914db6e": {
"rule_name": "AWS S3 Static Site JavaScript File Uploaded",
"sha256": "6b1835065de149596f5514acac7116d616ab69afd1ff4bd6c3187a13fe27493f",
"type": "esql",
"version": 8
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "e9d66fb58444a717fbb2b15ebf5f7ed7e2d888737fdf681a8537349fb9d7f291",
"type": "eql",
"version": 216
},
"1719ee47-89b8-4407-9d55-6dff2629dd4c": {
"rule_name": "Persistence via a Windows Installer",
"sha256": "96017fdffa7b8eafbd4630fac4ec0b8079bee2375bcd6ab550558ff48cf9bf1f",
"type": "eql",
"version": 7
},
"171a4981-9c1a-4a03-9028-21cff4b27b38": {
"rule_name": "Suspected Lateral Movement from Compromised Host",
"sha256": "48e0f928ed481c3e3c645ecfad961dfa891e8afe2e2b8ae94990745ace5522fb",
"type": "esql",
"version": 4
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
"sha256": "2eeb4a2916c11aeca4185ded593f86975317296adad1f32d19f4d5f39f380f53",
"type": "esql",
"version": 7
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 309,
"rule_name": "Unusual Windows Username",
"sha256": "cf219e480a43620acf15659f951b5ab4c83d86326bc078bf6b2b9e165c3c30bb",
"type": "machine_learning",
"version": 210
}
},
"rule_name": "Unusual Windows Username",
"sha256": "439a53c97f890e9069f64ade7995b100cf7c08ab3c4305b076c384db5cf6477d",
"type": "machine_learning",
"version": 310
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 309,
"rule_name": "Unusual Windows Service",
"sha256": "3c42a7c62094acd7a9859c540f52484dd6a41d3d36d39aeadbc62492967e35ca",
"type": "machine_learning",
"version": 210
}
},
"rule_name": "Unusual Windows Service",
"sha256": "0eea7398ab7fbbc674a804b6fc2fb7f331e747e7c1a28927089d51e5254a48de",
"type": "machine_learning",
"version": 310
},
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 310,
"rule_name": "Suspicious Powershell Script",
"sha256": "ba7ac7109c4e1c1acc0a79dd47c42520c2d82b682f5630067a1d609b593859ce",
"type": "machine_learning",
"version": 211
}
},
"rule_name": "Suspicious Powershell Script",
"sha256": "815e86bb07efd5d73767e45677054f24f0b072412b4ba7210f195289eb9e9832",
"type": "machine_learning",
"version": 311
},
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 309,
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "cec4b63c64124b03e92ef65aca7cf18b5a4de706c53935cf74d95cc70cd43693",
"type": "machine_learning",
"version": 210
}
},
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "ac8baea0b2fd71b85c09a46482ad8e3c79f0334488c25ee2018c79f274231c4c",
"type": "machine_learning",
"version": 310
},
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 309,
"rule_name": "Unusual Windows Remote User",
"sha256": "96872a6f89cfe1e8ecc023430fc4349c49cb5b6ef9e4a833d422b6961741f481",
"type": "machine_learning",
"version": 210
}
},
"rule_name": "Unusual Windows Remote User",
"sha256": "c2541cadb2d1d9936e120b6daad7cae971b5d2ba79deb01bc3a044a885695f5b",
"type": "machine_learning",
"version": 310
},
"178770e0-5c20-4246-b430-e216a2888b23": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Spike in User Lifecycle Management Change Events",
"sha256": "ef456fac2be7a733d18054b513015e78327fb99ad44dacc99be79140341146a1",
"type": "machine_learning",
"version": 5
}
},
"rule_name": "Spike in User Lifecycle Management Change Events",
"sha256": "78e9dfe6280543b50244e70ade9ca9266f8f77531dcb55cdc872a95de1c944ae",
"type": "machine_learning",
"version": 105
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "Systemd Service Created",
"sha256": "4c1feb2d691a715844f24edbb5207bc35a4fdeee0d7314d708aeaba89adbbf0d",
"type": "eql",
"version": 20
},
"17b3fcd1-90fb-4f5d-858c-dc1d998fa368": {
"rule_name": "Initramfs Extraction via CPIO",
"sha256": "87ea53b4b70ebf750914ab208825d5c3c7161366d9b24c6267fb095279b01da7",
"type": "eql",
"version": 6
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "11eedb38f0535b593e7587c7ae9c0c9b1f11713712345cb14aa032c4251e687b",
"type": "eql",
"version": 218
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 208,
"rule_name": "Unusual Network Destination Domain Name",
"sha256": "f645b86e534e62a3da7f7b898cd1b0ea974c51d162961a19206bd0f00a67e31f",
"type": "machine_learning",
"version": 109
}
},
"rule_name": "Unusual Network Destination Domain Name",
"sha256": "65a861fcdfcd0c2366b569e4e3c8e7a599512fa2331ece1fb23f58ed93ff1b85",
"type": "machine_learning",
"version": 209
},
"181f6b23-3799-445e-9589-0018328a9e46": {
"rule_name": "Script Execution via Microsoft HTML Application",
"sha256": "f5b07367a229e2cc48754deee2bffbec577230719548e1c91cb73bd36b064536",
"type": "eql",
"version": 210
},
"183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
"rule_name": "Simple HTTP Web Server Connection",
"sha256": "b5bfa9c5bdbb2ac76c679d8e7c12aa4614561e8f0815a77d48fccf5feedd3a89",
"type": "eql",
"version": 7
},
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
"rule_name": "GCP Logging Sink Modification",
"sha256": "acbdc60b1dddabc74eeaf2f73f1a26c51ced274c1226442b720a366f7bf37d2e",
"type": "query",
"version": 109
},
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
"type": "eql",
"version": 100
},
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
"rule_name": "AWS Secrets Manager Rapid Secrets Retrieval",
"sha256": "800ebd4d1ef253c688e649cd84fca4d2da5b8896f3537ecaa252855132cd0cc6",
"type": "threshold",
"version": 8
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "4598c9aad50c787eadce4ce3b88adcfbc87b02c2ac5dcd9a6c3b39a445e3e6f4",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "12ba54701c9c9a48fe730d815cf85aa3e3e17eb721b01045f3015cf5f197813b",
"type": "machine_learning",
"version": 109
},
"192657ba-ab0e-4901-89a2-911d611eee98": {
"rule_name": "Potential Persistence via File Modification",
"sha256": "718358b1e1c35b97028b4230acd16b8d1f36c355982f8acbeef3d773809c1f86",
"type": "eql",
"version": 12
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "6e73ca10f3e881fa538c71a4fa49fa6d7dd2022afd6c94c19a3c9c2bc3a24e01",
"type": "eql",
"version": 10
},
"1955e925-6679-4535-9c1b-28ebf369f35f": {
"rule_name": "Suspicious File Creation via Pkg Install Script",
"sha256": "bf39e06d8e8bcb3450813ab5d58f0a03c28e5cf9893bdc6abcfef843e67f134b",
"type": "eql",
"version": 2
},
"1965eab8-d17f-4b21-8c48-ad5ff133695d": {
"rule_name": "Kernel Object File Creation",
"sha256": "2e671c13c33cb02522db10a2ec30e4b58a107647589f9ff89a5f1b1259a43cb2",
"type": "new_terms",
"version": 6
},
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS Service Quotas Multi-Region GetServiceQuota Requests",
"sha256": "34009951e545cd9d705e6cac58d2af9dba570cc5dcec0e69c192d165f28be6d3",
"type": "esql",
"version": 10
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
"sha256": "b836fac20b0940bfc3175c371b5a9a9693cc738c58e02cce56b41be1d943bddb",
"type": "machine_learning",
"version": 212
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "29db7dc93ab6eab4b8b87720dd8d95683b744f2e2137115f6f3e48c204792339",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "fe983ed864521ad6cf3fe4e5be5ab60aef58b86a53412d26c0425b6eb0d442b4",
"type": "machine_learning",
"version": 109
},
"19f3674c-f4a1-43bb-a89c-e4c6212275e0": {
"rule_name": "GitHub Exfiltration via High Number of Repository Clones by User",
"sha256": "d44f81cce81f9989e3da9c9690ce5f15e1d0f708db04fecc4fc46560c28e35ba",
"type": "esql",
"version": 4
},
"1a1046f4-9257-11f0-9a42-f661ea17fbce": {
"rule_name": "Azure RBAC Built-In Administrator Roles Assigned",
"sha256": "096328c92f192c547fa70269c2a8869a2b41ea46972ff0b85f91c484b81defcc",
"type": "query",
"version": 3
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container",
"sha256": "b35cf28e6c98f67ce2f60eee9fda257649fbc1f6217dbdf63219e032d521c28a",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Network Tool Launch Detected via Defend for Containers",
"sha256": "52c8bf4b88a390a02c576926ab93066b84724ffbf8a8f2adfc8bfa9edf30f233",
"type": "eql",
"version": 105
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"rule_name": "Entra ID Application Credential Modified",
"sha256": "d9a189bab2df94b4b6cd30d792e7891b84d4684c3d1f1b94e30aeb8769e60c62",
"type": "query",
"version": 109
},
"1a3d5b36-b995-4ace-9b85-8a0af429ccf6": {
"rule_name": "Newly Observed High Severity Detection Alert",
"sha256": "f7ccdf7bb05f6d8601a88fff8a0f0b2d1eef89acf10118fee5c63768ce9d3003",
"type": "esql",
"version": 6
},
"1a3f2a4c-12d0-4b88-961a-2711ee295637": {
"rule_name": "Potential System Tampering via File Modification",
"sha256": "8e542036316307cb533b6cf1cf8a04645ffae970672c7916e7185605a72e4be8",
"type": "eql",
"version": 4
},
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"rule_name": "Execution of COM object via Xwizard",
"sha256": "7aff4b19617d22e58a7bba7919b719dbbec4df85308564a1cd3fee9363798ae2",
"type": "eql",
"version": 320
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "a3d4e1675ec84b3af9163b6a3759711bce84c07ff080a118e7208d181665df7c",
"type": "query",
"version": 215
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"rule_name": "User Account Creation",
"sha256": "12119420da1871b99202f57ec10904ffc1deee90adab67e4719a1a7207bbc500",
"type": "eql",
"version": 317
},
"1ac027c2-8c60-4715-af73-927b9c219e20": {
"rule_name": "Windows Server Update Service Spawning Suspicious Processes",
"sha256": "0fa5a2a328ab55c39a78ae87ec88868fd59afbb127aeb9495fb2be890a7c8083",
"type": "eql",
"version": 3
},
"1aefed68-eecd-47cc-9044-4a394b60061d": {
"rule_name": "React2Shell Network Security Alert",
"sha256": "0bb3f9c7167e6586c90cc2a0d5c56d1239b7e0eccdfbdb6d4fb9e18757d982fe",
"type": "query",
"version": 2
},
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"rule_name": "Process Created with a Duplicated Token",
"sha256": "2f7562c182467d14f7652d3abb6608ddb866a662c35c85f285c8fd5b91f6f892",
"type": "eql",
"version": 7
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "a0a40875e83b365491356586b13f47638211dbab5eb725cd74e481088f4abf31",
"type": "eql",
"version": 212
},
"1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d": {
"rule_name": "Remote Management Access Launch After MSI Install",
"sha256": "54c52e1583a70f0e58886c3834476d8a301420a103cebf085744e0b227eabe61",
"type": "eql",
"version": 4
},
"1b65429e-bd92-44c0-aff8-e8065869d860": {
"rule_name": "BPF Program Tampering via bpftool",
"sha256": "81a039d10521f44f4281d8544ffd0b16a9b3063f8ee87612d04ff43a2da6151a",
"type": "eql",
"version": 2
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted",
"sha256": "7bb163ffa02ead7013b9865823123774e06e0f2b67f15bd5f74d2502b70eedb1",
"type": "query",
"version": 210
},
"1bb329a5-2168-4da5-b7b9-d42a51deb6dd": {
"rule_name": "Correlated Alerts on Similar User Identities",
"sha256": "68998d6567c249cc78dcca6818615a5ba8e4f942205978f489fad037876e6b4b",
"type": "esql",
"version": 3
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "03f4a222aafafea3d3221e0582ccac9b11bbc82101504c84c7694b8ef873cda9",
"type": "eql",
"version": 16
},
"1c28becc-ec0b-4e6d-81a5-899d00348089": {
"rule_name": "Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket",
"sha256": "b9af69ebbbeff32bb2101e0acdf8c98dc60ca99cddc9b2ecbb16b47c394956d6",
"type": "eql",
"version": 1
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"rule_name": "Potential Process Injection from Malicious Document",
"sha256": "ce6e5c0d567af464050071029e7ca367ab9b070855f566cda0626a678b8c95ef",
"type": "eql",
"version": 4
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"rule_name": "Entra ID Illicit Consent Grant via Registered Application",
"sha256": "fb04e2d9695cf1eb8eef84bae6c748979d9703934f64e06743e28b55e5168f56",
"type": "esql",
"version": 220
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
"sha256": "cf847fe5e118883f401f0194f9dc8736fb85d9bcbaf36d14d3a4d74b938ed6a8",
"type": "eql",
"version": 120
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created",
"sha256": "872670a07996ff3b1b618f205a314336501baae58b58b0b9eb4df5a182cbe3aa",
"type": "query",
"version": 109
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"rule_name": "New GitHub App Installed",
"sha256": "98cd8a087a11aa53e292618c8047442532a33dc329c2c7c7e264ad92008f574b",
"type": "eql",
"version": 209
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "2d10043a1aa6786aef98747241a102b2e31aae347ae8a451f5e468c9d52f7e35",
"type": "eql",
"version": 214
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "b205ced242cd1aea02d4b083ded2c9a8d7e55a6d6b9c2a0e4a62f113c2d1d709",
"type": "new_terms",
"version": 213
},
"1cfb39e1-4b6c-4dc7-85fe-733e4a1a33ca": {
"rule_name": "Entra ID Domain Federation Configuration Change",
"sha256": "ad37538a2c191bb69fef32ecee94047d48237b5f045c30faa5d3cbba14fe1aec",
"type": "query",
"version": 3
},
"1d0027d4-6717-4a37-bad8-531d8e9fe53f": {
"rule_name": "Potential Hex Payload Execution via Command-Line",
"sha256": "73886707ccad198484d4c6cdde082d9ef78aea65c349fa08ea0430836e23f673",
"type": "eql",
"version": 5
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "e9575c364fc387c6707b5d37b4870192b76de5fab2e194b70bc4691ef96b498f",
"type": "eql",
"version": 216
},
"1d306bf0-7bcf-4acd-83fd-042f5711acc9": {
"rule_name": "Initial Access via File Upload Followed by GET Request",
"sha256": "2b398592c31c97af1985d6702aea4c8065619b220445521d5b75a1a48b3c1a47",
"type": "eql",
"version": 3
},
"1d485649-c486-4f1d-a99c-8d64795795ad": {
"rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt",
"sha256": "2756232f98fabdff059cfa55dc552f04e2c8c7042455b61eade3819dde3b4b3d",
"type": "eql",
"version": 3
},
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
"sha256": "92e8e6bf07d93b94bbeb7d1af6d2bd2f62f69c4dd3bedc34becebc0961db80c8",
"type": "query",
"version": 9
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "8d05c32f44d67de63080ae2a1b59170a1394351c67170174791519ff480c2348",
"type": "eql",
"version": 110
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "398b3d88b1753b2d476720085736b2bdfe86fb195e47981a3e582f66397ced53",
"type": "query",
"version": 114
},
"1dc56174-5d02-4ca4-af92-e391f096fb21": {
"min_stack_version": "9.3",
"rule_name": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers",
"sha256": "de7edeb410f5b8a1e8dbb092cbe4d087a133a7ba1c66545920a487874a383294",
"type": "eql",
"version": 2
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "280c95cf73f0b4d05908dee4ef63654696f4b55a5040e86f1f69d1455aab9cd4",
"type": "eql",
"version": 318
},
"1dd99dbf-b98d-4956-876b-f13bc0ce017f": {
"rule_name": "Alerts From Multiple Integrations by User Name",
"sha256": "5b591df265379ba718a43e0d8ae57ae7b2e96d60ea25cc141bb89faa9fffa7bf",
"type": "esql",
"version": 3
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "bdf02d8405b38f96f1a6314cda5e1200914160197006090f7af12146810ca2cb",
"type": "eql",
"version": 12
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader",
"sha256": "3caf1dd70a817330534a0dc7cdc46d615214890e6f3d34081977f33977018794",
"type": "eql",
"version": 211
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "d77702d18de0a8d0365973764069a898ec115292a1894c24062e7aed54979fd4",
"type": "eql",
"version": 109
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"rule_name": "Deprecated - PowerShell Script with Discovery Capabilities",
"sha256": "ad1bd87d23f66d5a3239115816acbcf857fffb8361fd598d3abda318487378fa",
"type": "query",
"version": 215
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"rule_name": "Azure Storage Account Key Regenerated",
"sha256": "a36ca67a74f87b67b969d3970684fafaf17f731179188925f02cc6e2db6c3dd7",
"type": "query",
"version": 107
},
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
"rule_name": "Creation of a DNS-Named Record",
"sha256": "f122d418e9dafbe14b2ca383cd8a6184aaa9aaaca6d46160e742e081b941bc9b",
"type": "eql",
"version": 109
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "2f32979d0c4c70576ae719941f88e9b734de6ca0b68d8cbca27176d73ca4769d",
"type": "eql",
"version": 109
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "b6df387d7eea51849c454c9111255872e0f17716467e7f7dcb96324b0a100070",
"type": "new_terms",
"version": 208
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Sudo Activity",
"sha256": "affa4cbf4b252e4c8041f18f7949ab5c47ea25f683997a7fcfab80690076234c",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Sudo Activity",
"sha256": "c191e024e62f5ec95b39f7a502aecbea41301bd8a555cbe351ce2d88a3dc354d",
"type": "machine_learning",
"version": 207
},
"1eb74889-18c5-4f78-8010-d8aceb7a9ef4": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 100,
"rule_name": "Spike in Azure Activity Logs Failed Messages",
"sha256": "9c8b0e80daf7cb337ca4cb7707c9b96e69b175935a5fa7b55707c9270f9a0653",
"type": "machine_learning",
"version": 1
}
},
"rule_name": "Spike in Azure Activity Logs Failed Messages",
"sha256": "b55cf9442601c13334ddbdf9f1c6553c1ee36c6be64b33cc9c2d312f36a43c55",
"type": "machine_learning",
"version": 101
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "5f229ee4fa489867da43771533ebd54f07045dbf3c671e4edec7850f6e2ff04d",
"type": "query",
"version": 118
},
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
"rule_name": "AWS Sign-In Console Login with Federated User",
"sha256": "55d45ab5f5631b527067817a7d2c2d4fd25f4b7740b19d7ed6684b84c9d198b6",
"type": "query",
"version": 7
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "6ef4ba72caea4308333e21e9748b0103bd5465ca8e8de00cb44982b38ddc73a8",
"type": "eql",
"version": 108
},
"1f56f548-94ec-4678-b1ed-b1a14cca4e3a": {
"rule_name": "File Creation in World-Writable Directory by Unusual Process",
"sha256": "4bf3288a105dbff9ff1d8025c12a892327a0c7a5062427686efbbb056082eacc",
"type": "new_terms",
"version": 1
},
"1fa350e0-0aa2-4055-bf8f-ab8b59233e59": {
"rule_name": "High Number of Egress Network Connections from Unusual Executable",
"sha256": "b7c5e8e2683c1a9405ab334ea64b6abd11051146461d97a00a006a8a114ac5e3",
"type": "esql",
"version": 12
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Linux User Calling the Metadata Service",
"sha256": "d4adbf8ea6feea59616adf3ad8302ad326c5860a91a7973921f942b5849c1e0e",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Linux User Calling the Metadata Service",
"sha256": "1a0a985a78e282cb73680c64ef0fd7dd1b06b6888ac9aa29908324720ffd8a52",
"type": "machine_learning",
"version": 207
},
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "ce63eff5ee6329ed0d754e18e681e094db4edd4554e6c5857c4a7e4eec55a7f3",
"type": "eql",
"version": 220
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "320ecccc98bfef326d6dc0f0054a1f42fc866f1bbcd92d8f3fd1352271653f0d",
"type": "query",
"version": 106
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "718eb4049a2a7d326275953bcb81b6108f6af2f80cf5681605b01c2156773965",
"type": "eql",
"version": 319
},
"202829f6-0271-4e88-b882-11a655c590d4": {
"rule_name": "Executable Masquerading as Kernel Process",
"sha256": "b71bdcfb747a7c25b0a7ecef37b73f89cfd4936ff7b67f399a7d47694f1c4992",
"type": "eql",
"version": 109
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "da1e0288bfbf5cf9a5a637c2ff71e7b786124de06dafdd88afc745cf802cfbec",
"type": "eql",
"version": 317
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "00192d120763a8e01464c5ce0165c7c8c09fd5dc69b8913668ae9889fe86e6ce",
"type": "query",
"version": 212
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"rule_name": "Suspicious Web Browser Sensitive File Access",
"sha256": "e46abdd536b397307dd73b4a20f4296b0141a10a86a9c252ecc461420fea502d",
"type": "eql",
"version": 214
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "acfa894d6162e141d87059ad8f6bf9ab526faf4bb7d294c1c9559d4a696d8c5a",
"type": "eql",
"version": 209
},
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "95ec166b973e8fa95beb4a3ed8c8005380916540f7218d2b4fcddf1f761a8e97",
"type": "new_terms",
"version": 217
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
"type": "query",
"version": 100
},
"210d4430-b371-470e-b879-80b7182aa75e": {
"rule_name": "Mofcomp Activity",
"sha256": "c0049f673475e17a60c9243c445c9cc0740541dd02cedb0ad8ad2af6aa0ec463",
"type": "eql",
"version": 11
},
"2112ecce-cd34-11ef-873f-f661ea17fbcd": {
"rule_name": "AWS SNS Topic Message Publish by Rare User",
"sha256": "3e08ddf0b5b1afd3391ad3417aeab29ba5b82004dfea27700df13240aa6f2c1e",
"type": "new_terms",
"version": 6
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"rule_name": "Potential Reverse Shell via Child",
"sha256": "ffbef35f2979f9b0815d176123110cf20185f13031b14a773f5d555d5a5f67ef",
"type": "eql",
"version": 9
},
"214d4e03-90b0-4813-9ab6-672b47158590": {
"rule_name": "New GitHub Personal Access Token (PAT) Added",
"sha256": "59d60ae7f69e0ad09fed8b4f0d81aa233cb1aa5f95a2c4dbc67893e48c9c6a68",
"type": "eql",
"version": 3
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
"sha256": "8b75d9e37c1f4a0c2bf887e72a428e276adafb073c14a72aa32d6df0f17e18d9",
"type": "new_terms",
"version": 11
},
"21c3536f-b674-43db-9bfc-dcf4cf9dcc37": {
"rule_name": "GitHub Secret Scanning Disabled",
"sha256": "aff570e0cf948f93e3441a9f2e00aef71fc0bf2aa0b96863c7c05b6589ebb7d6",
"type": "eql",
"version": 2
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "2e948782f65666ac3d10796a6baf18110e533c7911ec87b4302958666ded5115",
"type": "eql",
"version": 113
},
"220d92c6-479d-4a49-9cc0-3a29756dad0c": {
"rule_name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"sha256": "b8ea3be7fe37d1a71bbceeadb9717e70b488e7256446ad679f347b464e34524c",
"type": "esql",
"version": 2
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"rule_name": "SSH Authorized Keys File Activity",
"sha256": "09ce90780ee8c5b0abb47761859ddd4909e777651474a0de5937379b4fe1de9d",
"type": "new_terms",
"version": 210
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"rule_name": "Deprecated - SUNBURST Command and Control Activity",
"sha256": "e436ded1c2bcdb723f2a841740b8072959feceb4095c0086697c55e444763575",
"type": "eql",
"version": 112
},
"227cf26a-88d1-4bcb-bf4c-925e5875abcf": {
"min_stack_version": "9.3",
"rule_name": "Encoded Payload Detected via Defend for Containers",
"sha256": "c22125aa8d5fbba0e2e7ab1379a82385d8164c305089fc053ca1bf31ed58b2e0",
"type": "eql",
"version": 3
},
"227dc608-e558-43d9-b521-150772250bae": {
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "94bf56921f7182099d52dfb0db8b4469fc67827685348c0e306268756187ba80",
"type": "query",
"version": 214
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"rule_name": "Potential Shell via Web Server",
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
"type": "query",
"version": 105
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"rule_name": "GCP Storage Bucket Permissions Modification",
"sha256": "86d21d741eff46da2d15b7f31b033ed32ecda99a9f660857b2f751ee059c149f",
"type": "query",
"version": 109
},
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"rule_name": "Kernel Module Load via Built-in Utility",
"sha256": "a06f1985bb2ac22749c86a7b54bbc101a924941d49abfa208f890b470ad6323d",
"type": "eql",
"version": 216
},
"2377946d-0f01-4957-8812-6878985f515d": {
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
"sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4",
"type": "eql",
"version": 2
},
"2388c687-cb2c-4b7b-be8f-6864a2385048": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Potential Kubectl Masquerading via Unexpected Process",
"sha256": "5b3192389352616bc5f12a2b226e1c3c6eab2403648dc902fbaf3666238b8eac",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Kubectl Masquerading via Unexpected Process",
"sha256": "6e24466e654e56308b329e2e506d4a36f3cb93890c9cc863c6f54618cdb177da",
"type": "eql",
"version": 104
},
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
"sha256": "082bad18b8416bb5ccd1d0cfce8b0e590878f8eda05813006131e35463194383",
"type": "new_terms",
"version": 8
},
"23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf": {
"rule_name": "Potential SAP NetWeaver Exploitation",
"sha256": "9592413691f94b0e392e5b6b6d96b45087aef7dcc204902cbee6f54c88ca0e31",
"type": "eql",
"version": 2
},
"23cd4ba2-344e-41bf-bcda-655bea43fdbc": {
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "bad7dfbcf30e7a80ff8bf2b11b59f66510afc25bcebc9113d7ba02700a792c86",
"type": "eql",
"version": 4
},
"23e5407a-b696-4433-9297-087645f2726c": {
"rule_name": "Potential NTLM Relay Attack against a Computer Account",
"sha256": "f0d7a8f00c28cdc603cdf2f3a222453dc87d3c585871a04289e06d7d65e12363",
"type": "eql",
"version": 2
},
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
"rule_name": "Potential Okta Brute Force (Device Token Rotation)",
"sha256": "1dca7f7a9f133b30aeaaf0bcefe7bfa30c7c6d26fa4a0ac58e4bf6ab5ca714f6",
"type": "esql",
"version": 212
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"rule_name": "New GitHub Owner Added",
"sha256": "33174dde2dcb90f51dc8b556bf7b9e4042559084fa221d4dc8f0b0d6bda99a8d",
"type": "eql",
"version": 211
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "b2b0a82c5bf29922f290efc7dac94e8b576668840052c3300bbdb37b55f1cf21",
"type": "eql",
"version": 314
},
"25368123-b7b8-4344-9fd4-df28051b4c6e": {
"rule_name": "First Time Python Created a LaunchAgent or LaunchDaemon",
"sha256": "fe6a9526f2f3cde09ceb6ad2abb75b5c041b596c4c3efb072057e5d8d206557b",
"type": "new_terms",
"version": 3
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "c0142afe736323db7e77ec68ca8df2377a389d488407ec0a48f004f811012543",
"type": "query",
"version": 109
},
"2572f7e0-7647-4c68-a42b-d3b1973deaae": {
"min_stack_version": "9.3",
"rule_name": "Potential Kubeletctl Execution Detected via Defend for Containers",
"sha256": "f2f4d0bdad8b894fb254412c4e67385b007af2d2a3c4fdd609962b64f4ddc830",
"type": "eql",
"version": 2
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "d6a2ecf476cd2454fdbff39ec56abf5546147359689e2d4c4d2b1b13eec7d813",
"type": "eql",
"version": 110
},
"25a4207c-5c05-4680-904c-6e3411b275fa": {
"rule_name": "Multiple Elastic Defend Alerts from a Single Process Tree",
"sha256": "7454d14373817e95309e9422997b9eb330ec75601215a6d4c0eb4b5c0d237ec6",
"type": "esql",
"version": 2
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"rule_name": "Network Activity Detected via Kworker",
"sha256": "6f4eff66f0c65aba4c175641ec53bd362c571ddcc98a36f91f1357b1e7f21817",
"type": "new_terms",
"version": 10
},
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
"sha256": "a4325d7530e0e1c4d8606448e0fda6086c035e0c00e8a6941f16716a7b0c4be9",
"type": "query",
"version": 7
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "b4310f1d499651a51101aa441f2d2dbfa9526781e8c3572a6f390ee7b104c96e",
"type": "query",
"version": 211
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "847b0b60963ff676ec04a3851fcf67da0046389d6b3d572ab197169471c02e4c",
"type": "eql",
"version": 11
},
"263481c8-1e9b-492e-912d-d1760707f810": {
"rule_name": "Potential Computer Account NTLM Relay Activity",
"sha256": "c6466b3359e6b53e8f7baa6dc0c0a8268893292d2e8c70cf97aaf503f935e4f2",
"type": "eql",
"version": 110
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"rule_name": "Azure Blob Storage Container Access Level Modified",
"sha256": "17ad4439d8cff6eb09caa234542cd8b06c1f9431660b61500250cfac88379a95",
"type": "query",
"version": 108
},
"264c641e-c202-11ef-993e-f661ea17fbce": {
"rule_name": "AWS EC2 Deprecated AMI Discovery",
"sha256": "8e6edb115aadbbe0288142ede56a886b171f90f427e56805c3b403b92787d9b0",
"type": "query",
"version": 8
},
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "da7097593202235ef983f56eee56fedd61251f27a847e34946215f5895b4d5be",
"type": "eql",
"version": 318
},
"266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": {
"rule_name": "Unusual High Denied Topic Blocks Detected",
"sha256": "eb93685370370e45763a4c643fb482b438ac57fbe5bb1cae4f02da532dec3ddc",
"type": "esql",
"version": 5
},
"267dace3-a4de-4c94-a7b5-dd6c0f5482e5": {
"rule_name": "Successful SSH Authentication from Unusual SSH Public Key",
"sha256": "fa8068ba6208f9c013cda667f737b51fae6f5b52b978165e1b76c35f0acd0ee1",
"type": "new_terms",
"version": 6
},
"26a726d7-126e-4267-b43d-e9a70bfdee1e": {
"rule_name": "Potential Defense Evasion via Doas",
"sha256": "8c951a0906470270b43bc3293a9d807368a4febdfe1c96dcf7585c87d42f40b0",
"type": "eql",
"version": 106
},
"26a989d2-010e-4dae-b46b-689d03cc22b3": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request Detected via Defend for Containers",
"sha256": "83c6cdeb9a06541ccba897ff5fded24c63515255d7a617a83ba2b1150425e39a",
"type": "eql",
"version": 2
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "7851f2067a7914e98ceb33a4459b1b3eaae624ac3470df3cddde0f895f395d3d",
"type": "eql",
"version": 11
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"rule_name": "Entra ID High Risk User Sign-in Heuristic",
"sha256": "f2967ce4210d92868dcbb7f81ec19ec93006bdf594453cbf93086d8fb02edd22",
"type": "query",
"version": 110
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"rule_name": "M365 Identity User Brute Force Attempted",
"sha256": "ebb4f079a3090c488a142f1c993638ab122995c8ec1213052b508848e1fc433d",
"type": "esql",
"version": 418
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "e528a3c860f8f8de6eb7bceeebeefd1cf6ab283b09db3f9bc9ece6beb6fa532a",
"type": "query",
"version": 213
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "cc0c2851cb9e2e1facc925729c2f7cca24af0ac04d12a8ebdbe16870cdb540a3",
"type": "eql",
"version": 110
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"rule_name": "M365 Exchange Mail Flow Transport Rule Modified",
"sha256": "58f1574c18c76838ab7233c8367023b61bc2ee9fe19c6de7f38cfd9a9f760b08",
"type": "query",
"version": 213
},
"27569131-560e-441e-b556-0b9180af3332": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Privilege Type assigned to a User",
"sha256": "6a4a1e539a2599e9b91ee64a6ae3f7c41201c686d380a2965e9e9117ab3860be",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Privilege Type assigned to a User",
"sha256": "07ea6892290d7a3ab379ca9ae743312e7ac639accd3a42b44ef6d882debc7788",
"type": "machine_learning",
"version": 104
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "c46e02d9df71ee1e22ed5ac8f5ba1d5afab07283bd6ea70286a84474f4017c06",
"type": "eql",
"version": 215
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"rule_name": "GCP Firewall Rule Modification",
"sha256": "bb286cf8785e506f2b849cf456c03c150eef1646b3cba7375baf550e2adbbe61",
"type": "query",
"version": 109
},
"279e272a-91d9-4780-878c-bfcac76e6e31": {
"min_stack_version": "9.3",
"rule_name": "Suspicious Process Execution Detected via Defend for Containers",
"sha256": "f59668d5789c20ac3063485cf2e2475dee1cca5257adcd26dd6792bd6a9611aa",
"type": "eql",
"version": 3
},
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
"rule_name": "Deprecated - M365 Teams External Access Enabled",
"sha256": "bc0c0b0a6a0f4f1cdef846be5717cc774ae8cfcf0c777765f28656c16ed58484",
"type": "query",
"version": 214
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"rule_name": "Account Password Reset Remotely",
"sha256": "7b6619e4799f5c51aac53ea894d15478f84f6ed434bf2f15f94fdf0570761aa1",
"type": "eql",
"version": 222
},
"283683eb-f2ce-40a5-be16-fa931cb5f504": {
"rule_name": "Newly Observed Palo Alto Network Alert",
"sha256": "6950c8ed18d7697993f1a1159f6bc0a7eb141aaff4f0243575894da36997a1b8",
"type": "esql",
"version": 3
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
"sha256": "b8cf9700d169c0901439e2d0562728548640e7e876af9ac5968766217cb1f804",
"type": "esql",
"version": 6
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "27990b18c9a88be12901538e00f7518df2e6955d7e6825b3e6c043688e68414d",
"type": "eql",
"version": 216
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "710295c0aea28068ca3f8bab2bfe3bcca0afc8af88682411cbf523f6847963c1",
"type": "query",
"version": 106
},
"28738f9f-7427-4d23-bc69-756708b5f624": {
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67",
"type": "eql",
"version": 8
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
"type": "eql",
"version": 100
},
"288a198e-9b9b-11ef-a0a8-f661ea17fbcd": {
"rule_name": "AWS STS Role Assumption by User",
"sha256": "7dc5f160fa3c93691ca733218c01f5481e0fe164bd1f9b1f0beb35a7763ec43d",
"type": "new_terms",
"version": 9
},
"28bc620d-b2f7-4132-b372-f77953881d05": {
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
"sha256": "40709b37a372f451eb19142e62244babb6f19d932ff23febe70379c94e8fd0e6",
"type": "eql",
"version": 7
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "08cd9c8ade957eb4b22e7e97107ab12ebabd91467a861afb99e3b6a377becb68",
"type": "eql",
"version": 111
},
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "46f7be3e59656893dfb3bcec2a1f30e7e118a703b4c52bfa1c61fee7207354ef",
"type": "eql",
"version": 112
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Creation",
"sha256": "c58523c3504b477306897ad712fc266a3409aef8c601706b879c32f1efb654b3",
"type": "eql",
"version": 11
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS EC2 Security Group Configuration Change",
"sha256": "a2e0780759a02c4f019ded2450fbab0521f281a7495b1d6381ce9a065acc3db6",
"type": "query",
"version": 214
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "3333bf53f4e1d4f703ad2bfc61439dbf9db3d734bd3557e083a8d6496bbde552",
"type": "eql",
"version": 322
},
"2917d495-59bd-4250-b395-c29409b76086": {
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "83deebbdaf1d541ffa89b232ca76266b2cca871eb9b318fcc95ed6841e4c8d1b",
"type": "new_terms",
"version": 423
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "4cacb8f8a73738c053cb1f103e94a0cc342a31b5e595c2d0c90538fa08e8238b",
"type": "new_terms",
"version": 421
},
"29531d20-0e80-41d4-9ec6-d6b58e4a475c": {
"rule_name": "Alerts in Different ATT&CK Tactics by Host",
"sha256": "c5405c7e3f88cfc2000c94b4c7b8d38c9d2a26b546e452f9ed097e0da1aaa240",
"type": "esql",
"version": 5
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "bb3f43e51cf57903cac31eea9b1da4e3c0c5398f11a673b5e3fd5770b25477f4",
"type": "query",
"version": 210
},
"29ef5686-9b93-433e-91b5-683911094698": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
"sha256": "d91da4e45de36496cea35cbe616336e3d2d5f81928397cd7a1301eb440e154ce",
"type": "new_terms",
"version": 3
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"rule_name": "Linux SSH X11 Forwarding",
"sha256": "e4c869cb3edc72947fd52af59a07d158d9df906cfd5b80d6dcca840734074fe7",
"type": "eql",
"version": 109
},
"2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": {
"rule_name": "Microsoft Graph Request User Impersonation by Unusual Client",
"sha256": "c79bf8bb0d94aaff02709efc88bdd456c06752b9e7d41a5a34bd1eeb99eed3f1",
"type": "new_terms",
"version": 8
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "bb5d868d2632e7b5a662737cfdddf49f0aa78a0d0dda0cad6b4104330cad37ec",
"type": "eql",
"version": 13
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"rule_name": "Kubernetes Pod Created with a Sensitive hostPath Volume",
"sha256": "dffee6f1f33580e6cf14dd782f8158c3b7c55b5f30b1db84f04f44d575386b26",
"type": "query",
"version": 210
},
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"rule_name": "ESXI Discovery via Grep",
"sha256": "37999a3afa79aa321127ff14e5839d96e719daa04d68b38cc7f79924c59a8982",
"type": "eql",
"version": 113
},
"2b9a3b7a-0891-4a89-abbe-dca753c403cd": {
"rule_name": "Multi-Cloud CLI Token and Credential Access Commands",
"sha256": "61952dce699974e95e7f7709554d81d3e2ab7e7bee7a9126f8a648e53b3da84f",
"type": "esql",
"version": 1
},
"2bca4fcd-5228-4472-9071-148903a31057": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Host Name for Windows Privileged Operations Detected",
"sha256": "7fd9eda6eca11a59a902ae98e5e67013d23113287786c76e64be97d2beaa5b20",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Host Name for Windows Privileged Operations Detected",
"sha256": "b87efefef846486cad6bc17aa7c220a3833b848d4ca87f09c1f5defda9cb428d",
"type": "machine_learning",
"version": 104
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"rule_name": "Deprecated - Adobe Hijack Persistence",
"sha256": "d554c3a9b2cbb27ce03d73fe4c984d648404006ad784e24039acee69e3f2b78f",
"type": "eql",
"version": 421
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "a0709d688ae05f8fc435bd8ca93dda11365bc4a4a944b23ff637780dac62b701",
"type": "eql",
"version": 319
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "8d94d7fb85ae6118469b64123048223e518e64558377b9e2e140fdf98ece2a16",
"type": "eql",
"version": 218
},
"2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": {
"rule_name": "Newly Observed FortiGate Alert",
"sha256": "a03c57f295928b0d76701bfde0f0f24c71f4f0468545519ef16b580061b27cff",
"type": "esql",
"version": 3
},
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
"rule_name": "Potential Foxmail Exploitation",
"sha256": "1e6f9b0c45ad9cd728e02a922586c3466a5968c751c337ffefe09be52489aeeb",
"type": "eql",
"version": 208
},
"2c74e26b-dfe3-4644-b62b-d0482f124210": {
"rule_name": "Delegated Managed Service Account Modification by an Unusual User",
"sha256": "4cb49f08cf5c89365a0f424c80e59095940ef6ec6a67224688a28f1c883212b3",
"type": "new_terms",
"version": 3
},
"2d05fefd-40ba-43ae-af0c-3c25e86b54f1": {
"rule_name": "BPF Program or Map Load via bpftool",
"sha256": "b89854776ad866f757ee1469315dad87cb628a427e71fe40f741a0aaf4c53d5e",
"type": "eql",
"version": 2
},
"2d3c27d5-d133-4152-8102-8d051619ec4a": {
"rule_name": "Potential Okta Password Spray (Multi-Source)",
"sha256": "0b3754763f9388a104514203cdb27b710d8d0b5bd654671deb494bdd5568496a",
"type": "esql",
"version": 3
},
"2d58f67c-156e-480a-a6eb-a698fd8197ff": {
"rule_name": "Potential Kerberos Relay Attack against a Computer Account",
"sha256": "9535ca2df0f4875a40fddd9343363a41368fc737d08a1ae532dccc3fbb98f4ff",
"type": "eql",
"version": 3
},
"2d62889e-e758-4c5e-b57e-c735914ee32a": {
"rule_name": "Command and Scripting Interpreter via Windows Scripts",
"sha256": "4e77deaa22c866faec27c5fd6a98680db898f41a0261f412455fa88396d28afa",
"type": "eql",
"version": 210
},
"2d6f5332-42ea-11f0-b09a-f661ea17fbcd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected",
"sha256": "18afa7b414ac8a132c2035e7223b544aa80b53a5f72a0209b98f390f3de16805",
"type": "esql",
"version": 8
},
"9.0": {
"max_allowable_version": 205,
"rule_name": "Microsoft Entra ID Excessive Account Lockouts Detected",
"sha256": "aaad9534812f266fd81a731fb54499b095a087e856fc3d3ace34585f13135842",
"type": "threshold",
"version": 106
},
"9.1": {
"max_allowable_version": 305,
"rule_name": "Entra ID Excessive Account Lockouts Detected",
"sha256": "e22015b3cd61c71a94b4ee9413e7fd3b109b10fae88dcaf1da276ffa0b846144",
"type": "threshold",
"version": 206
}
},
"rule_name": "Entra ID Excessive Account Lockouts Detected",
"sha256": "f5a1ec4caef511f8190ed9a710be895fecebe6b72f29b03da749e5e4dea0b10b",
"type": "threshold",
"version": 306
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Unusual Kernel Module Enumeration",
"sha256": "08ee164b5d1ce75b39808742849277e8261cb5961e4beed4e5b5884da7e12ccd",
"type": "new_terms",
"version": 215
},
"2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": {
"rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected",
"sha256": "2038641850ec7f59a724389fa9c574dc5e7afde97a91a20ad4e700087c05d191",
"type": "esql",
"version": 3
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "58b8a1746c1b88f41ce38c583a0eb3520a1689f8a019913516571f21b3c095fa",
"type": "eql",
"version": 316
},
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
"rule_name": "Potential THC Tool Downloaded",
"sha256": "2fdf4a036c7f0d6c3aa8e7d60e6415e5dce3b059e32369e04f6f992f75d652cf",
"type": "eql",
"version": 109
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"rule_name": "M365 Identity Unusual SSO Authentication Errors for User",
"sha256": "dfbe6f2be34fc93b6ac0c780444a2c505c8154462a23a5c434332da089103385",
"type": "new_terms",
"version": 215
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "0e40b02258f08b8dd3d44d58c4d7ea172b3879f29c4811844a892121c0fed325",
"type": "eql",
"version": 217
},
"2e0051cb-51f8-492f-9d90-174e16b5e96b": {
"rule_name": "Potential File Transfer via Curl for Windows",
"sha256": "4d04954b58f65d7b8123c4875c6283eb3f8855e6fdbb706299800c4893aede50",
"type": "eql",
"version": 8
},
"2e08f34c-691c-497e-87de-5d794a1b2a53": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 101,
"rule_name": "Unusual GCP Event for a User",
"sha256": "f2c101f62195e21efa9dd47975b9bb08fe09f90a69be64d4d45a731682b74628",
"type": "machine_learning",
"version": 2
}
},
"rule_name": "Unusual GCP Event for a User",
"sha256": "dc4770ad5a8fc4f77f6dc6d6459c0bc5cd738459a7a2d9d13172cce489ef203b",
"type": "machine_learning",
"version": 102
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"rule_name": "Renamed Automation Script Interpreter",
"sha256": "3412a61dea3f79000826b1ee35082aa9044c9d26e298c59e772d420c3d4fa016",
"type": "eql",
"version": 219
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "1f1201ba99d2842ffbcad3d15b1dcb747040fe2b58cd03c3b0438ef39413824f",
"type": "query",
"version": 219
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"rule_name": "Accessing Outlook Data Files",
"sha256": "049befdbf6cac7da7b115ab1a497a5d04ad6940c94e04cc89ac097e309c67f89",
"type": "eql",
"version": 109
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "4abe9b19327d050b9a6b99c9ba1b465c25650d2afc82f39672d95f6cf38625d6",
"type": "esql",
"version": 311
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "7619ad084d53e74be8904ed88f92cefa4efb0957e3a99624a5146a7d5e735580",
"type": "query",
"version": 107
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "73af61a045f616fc8d49c6765d5eed3fa39a1a7197390d2e632a01efb216cac7",
"type": "eql",
"version": 316
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
"type": "query",
"version": 101
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "99ac9ef863cee31dd240561777099c022934a3cf76997d70d1b0f0b1414e32e2",
"type": "query",
"version": 217
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "83c3b8bb65af1b682a4e4e22bda3b0c8c4a7a01490b7e1a9add4b5b211590631",
"type": "eql",
"version": 217
},
"2f95540c-923e-4f57-9dae-de30169c68b9": {
"rule_name": "Suspicious /proc/maps Discovery",
"sha256": "f6b06ba2f41bccdff7861549bc087a2e1fae2ef2c4959ad2911665a2c04a9887",
"type": "eql",
"version": 8
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "b9b13ab82fce4582270516eb4103335c297e09ba1fb18b9305104084893f8432",
"type": "eql",
"version": 113
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "20024501f2158ecc1863a29ac71a7d5452d113ceaf3da322ec0b480574f1f462",
"type": "eql",
"version": 219
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"rule_name": "Malicious Remote File Creation",
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"rule_name": "GCP Firewall Rule Creation",
"sha256": "b7443e73c34b63ea64aef8d2a73cdda1561793b4fc5ae82d1e23eddb58d45ed8",
"type": "query",
"version": 109
},
"30b5bb96-c7db-492c-80e9-1eab00db580b": {
"rule_name": "AWS S3 Object Versioning Suspended",
"sha256": "45bc415cfbe47728cd85f5beb1db8210f3b2d2d740e54e02b7f5fc7ef97b9cad",
"type": "eql",
"version": 8
},
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "0803b6abb72d53ff4e03e0a82bb6729e4adceebe4e21f5846840b73ad1105a91",
"type": "eql",
"version": 112
},
"30d94e59-e5c7-4828-bc4f-f5809ad1ffe1": {
"rule_name": "Suspicious File Made Executable via Chmod Inside A Container",
"sha256": "9fc179c299f0a00f746636e748563c34ee24c5ec85c28140a77bf0831f50e7b9",
"type": "eql",
"version": 4
},
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
"rule_name": "Deprecated - Network Connection via Sudo Binary",
"sha256": "0ccc424fd1a44356e97f8bb93e682d73a8d500ff088b5a4122bc69de9ccbbe9a",
"type": "eql",
"version": 8
},
"30f9d940-7d55-4fff-a8b9-4715d20eb204": {
"rule_name": "Windows Script Execution from Archive",
"sha256": "67a5e91404e6ae67e3f18a6dcfdac04ab77bc9dc55998558cbd6060067d8b9ab",
"type": "eql",
"version": 4
},
"30fbf4db-c502-4e68-a239-2e99af0f70da": {
"rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
"sha256": "9096aa293720333cac0af019ee0209adf832956537108d1a8d905ba213834be7",
"type": "new_terms",
"version": 9
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID",
"sha256": "6b100f429a57364a288437713e9bea4c94889faec043b71341c4c389c7dbb3ac",
"type": "query",
"version": 106
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "1aeda613e850b7c88717372baca0f5d05f2847c871014efca3813d4fe1a5f47f",
"type": "query",
"version": 107
},
"314557e1-a642-4dbc-af43-321bc04b6618": {
"rule_name": "M365 Security Compliance Admin Signal",
"sha256": "90ffab6d1e834727e5298c1c2a328ad9bf215065fe05525952503f932988d826",
"type": "query",
"version": 2
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "6bf5894df0dfec715bb0d2d840a008738c24d0e87bf6b877bbbb0407365e7668",
"type": "eql",
"version": 322
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "4ad2ee73bd7cdbe3735b30d3a6b59541b724d90a3fd64c19100f94bb7f778ed6",
"type": "query",
"version": 109
},
"32144184-7bfa-4541-9c3f-b65f16d24df9": {
"rule_name": "Potential Web Shell ASPX File Creation",
"sha256": "620c207c86f94a7f5fa5ac75c072ca7504ecdc374a9a45ffaa54cfafe6ac449a",
"type": "eql",
"version": 4
},
"3216949c-9300-4c53-b57a-221e364c6457": {
"rule_name": "Unusual High Word Policy Blocks Detected",
"sha256": "07e7e04210b862e96b27eee443227c6a1fbed5882d062ae1d78886a0a1d0da3e",
"type": "esql",
"version": 5
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "230128099a762e79453143aa42805708865110bb5debd68d2c3c1aa35a550290",
"type": "eql",
"version": 9
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"rule_name": "Azure VNet Network Watcher Deleted",
"sha256": "a11689594efe1a3ce6bc4114c4104ae80acfd08c3f4d742549b9ff40fc94afb5",
"type": "query",
"version": 109
},
"3278313c-d6cd-4d49-aa24-644e1da6623c": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Spike in Group Application Assignment Change Events",
"sha256": "08b6d34feb24bfb3ef7b5cd94e07f722386374274b2d87f3277e125ddef5ec78",
"type": "machine_learning",
"version": 5
}
},
"rule_name": "Spike in Group Application Assignment Change Events",
"sha256": "881770a8cf25c413c1ddb170eab543e5879b4573f6dd9fd8a4f758493bbba738",
"type": "machine_learning",
"version": 105
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "2d2ccd5ca54ed008472b8563442cef7bcbcfcca9773cf6cde8664d01bbf84c78",
"type": "query",
"version": 110
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"rule_name": "Program Files Directory Masquerading",
"sha256": "62c090223fc384970eab9eccabb23b4fe6793807b12491b26d209885275a6838",
"type": "eql",
"version": 321
},
"32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": {
"rule_name": "M365 Identity Login from Atypical Travel Location",
"sha256": "7d14aa41f43ff8c51804c5c8a5cd1605804b771df672a36172980974cf2f77a4",
"type": "new_terms",
"version": 10
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "2b1d36af98d52e7c651c30532ec344b2145caeebab5862029eebf1639017c1e6",
"type": "eql",
"version": 422
},
"32f95776-6498-4f3c-a90c-d4f6083e3901": {
"min_stack_version": "9.2",
"previous": {
"9.1": {
"max_allowable_version": 102,
"rule_name": "Potential Masquerading as Svchost",
"sha256": "4f6ac75ddc2b31218e382f6dbfe04ffc27077d66ebf97c24740e7c9d12cb028d",
"type": "esql",
"version": 3
}
},
"rule_name": "Potential Masquerading as Svchost",
"sha256": "0ae3b4874845b5b362efeaabd67d839e505a3c44968966093c21c4555b3d02d5",
"type": "esql",
"version": 104
},
"3302835b-0049-4004-a325-660b1fba1f67": {
"rule_name": "Directory Creation in /bin directory",
"sha256": "ced597d9501b078532ec2d68b3248faa95d307cc6fe32bbf812094b1072877b2",
"type": "eql",
"version": 107
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
"sha256": "8740915ad9d3542a4b6dad50ca626d2efd14c8e2fa9e2dde5944d3f5fa80fa3e",
"type": "query",
"version": 215
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"rule_name": "ESXI Discovery via Find",
"sha256": "a71d83b3ee92c09090ce8fd23ebd63f59231a2edccb9bd6886660caebecd03aa",
"type": "eql",
"version": 113
},
"33c27b4e-8ec6-406f-b8e5-345dc024aa97": {
"rule_name": "Kubernetes Events Deleted",
"sha256": "18095b5a2473c932c2b35399552cbb87b2b648148c1ffed71425d9c909e8016d",
"type": "eql",
"version": 3
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"rule_name": "Remote File Download via PowerShell",
"sha256": "ba3fdfb67c7a505e71feb3c1bb53052fa31ed7aeb2b5b9c5f1951cec0c9d3f92",
"type": "eql",
"version": 116
},
"33ff31e9-3872-4944-8394-81dae76c12d9": {
"min_stack_version": "9.3",
"rule_name": "Potential Cluster Enumeration via jq Detected via Defend for Containers",
"sha256": "01dc99277408753626228faea19f9692f74986b27893fa10d56ec72f7f599cba",
"type": "eql",
"version": 1
},
"341c6e18-9ef1-437e-bf18-b513f3ae2130": {
"rule_name": "Potential Privilege Escalation via SUID/SGID Proxy Execution",
"sha256": "8d52f8c87d55bec0b5f01ab261889d2ac07ff3c6a7eb1cbed03398fb111be726",
"type": "eql",
"version": 3
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container",
"sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6",
"type": "eql",
"version": 3
}
},
"rule_name": "Dynamic Linker Modification Detected via Defend for Containers",
"sha256": "42eccedf47d0083269869acb142a647cebd64cd97a02f2693448c5df83b68fc3",
"type": "eql",
"version": 104
},
"344e6c7d-ceb0-4f20-ba04-7c75569a7e38": {
"min_stack_version": "9.3",
"rule_name": "Elastic Defend Alert from Package Manager Install Ancestry",
"sha256": "82907c28a7b19202ba4090391333c6d139af03fbe541d603fd674434a6748c6a",
"type": "esql",
"version": 2
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"rule_name": "GitHub Repository Deleted",
"sha256": "9dbead37db4773f09b4ed758283f61fe7e4562772482b18e75416654a8fe2c4c",
"type": "eql",
"version": 207
},
"349276c0-5fcf-11ef-b1a9-f661ea17fbce": {
"rule_name": "AWS CLI Command with Custom Endpoint URL",
"sha256": "8ab449b25259296b7454c26d1a88b78d5c22b67f6c82f767508ffb494c3f8b15",
"type": "new_terms",
"version": 7
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "98c05891ac1d062019fd7be22d345704b8cce6b75f1ae4ec8d9787e51f40a22b",
"type": "query",
"version": 113
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "a1843f580774fd27510d03b658a031fe4440da62ef0c574ddbe795d7f77b20e2",
"type": "eql",
"version": 111
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"rule_name": "Port Forwarding Rule Addition",
"sha256": "3ced595dce2cd24c4727be69b9fa601479fd2f2f80457f720c694e678a28b875",
"type": "eql",
"version": 419
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 107,
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "2849aafc536aac7e9741f20e297b001e5b980e2a6a4c77bb1ca6c76b0719472c",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "bff333b259468a39c107b211f1ba6331060aa97c23f5486f3654fce8a3dd4361",
"type": "machine_learning",
"version": 108
},
"35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
"rule_name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"sha256": "07c165d99fb8e82989dfd95f7c238c2624bf70169acdf0a73405eb1cb4353b39",
"type": "esql",
"version": 111
},
"35c029c3-090e-4a25-b613-0b8099970fc1": {
"rule_name": "File System Debugger Launched Inside a Container",
"sha256": "898841494b2ae4193ff42978ce0f1807a55816bb416aadf5c4e073b0fc9b51bc",
"type": "eql",
"version": 3
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "e3d3be616bcb1a086a207ba505b838f699ef299089fdeaab832fca7e48b4df09",
"type": "eql",
"version": 322
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "7f796d399910edf9f262f06a682761ddce112875ea599e8027c80503e3a0f50d",
"type": "machine_learning",
"version": 109
},
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
"type": "eql",
"version": 100
},
"36188365-f88f-4f70-8c1d-0b9554186b9c": {
"rule_name": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs",
"sha256": "57d3c6aff18828252ee65176a27549f6eee324fd1ce7552e0823c3f487c57852",
"type": "esql",
"version": 9
},
"36755b43-a1f9-4f2c-9b61-6b240dd0e164": {
"rule_name": "Executable File Download via Wget",
"sha256": "71221bb9da8496eb982f703abdfa41780325a6d81b484361e1c41ae00352f8bf",
"type": "eql",
"version": 1
},
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "976ac418b90849b5394d30625f9e55b98b84485146dec6f035af51f5458f7378",
"type": "eql",
"version": 115
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "ec3c0ff47791363712d7c0adefdd532d6e0641f4f5981d2cb44732d9deaa5e8d",
"type": "eql",
"version": 314
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "43a13415ff8ef4d8e01e998e3ea19435f75aeaefaf99754435b96099dd0c2468",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "1345a788253e2c63d8198472d6d8d2321ce9775b581b4897330441bc864b31eb",
"type": "machine_learning",
"version": 109
},
"37148ae6-c6ec-4fe4-88b1-02f40aed93a9": {
"rule_name": "Command Obfuscation via Unicode Modifier Letters",
"sha256": "45fa53855ae8537315bde347efa3cf473c4337ad0ebf67a01599501247d6c287",
"type": "eql",
"version": 3
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"rule_name": "Potential Suspicious File Edit",
"sha256": "bc478d05a000303ff85de650bc9b7604b2b57a7444f80337b05fca226b44d9a1",
"type": "eql",
"version": 110
},
"375132c6-25d5-11f0-8745-f661ea17fbcd": {
"rule_name": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)",
"sha256": "771ca76a55853827aa9d3ea8bd44a66201d54913b3bc91e9e331a2dbdf94e5e7",
"type": "esql",
"version": 9
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"rule_name": "Deprecated - AWS RDS Security Group Creation",
"sha256": "c9f89048a7e0698840505d8e2efd51acbecd8bb0b26cd134a6653247dba5faa1",
"type": "query",
"version": 210
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"rule_name": "Entra ID High Risk Sign-in",
"sha256": "dd4b0b5074d56377ff3963b0e687dbe6e92954a3604dd00a66f4749fcff3c16b",
"type": "query",
"version": 111
},
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
"rule_name": "Anomalous Kernel Module Activity",
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
"type": "machine_learning",
"version": 100
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"rule_name": "AWS SSM `SendCommand` Execution by Rare User",
"sha256": "b88228a38401d3cfaf88a020153942655bee03db41be8d1b12f2d0468b9a694a",
"type": "new_terms",
"version": 216
},
"37cb6756-8892-4af3-a6bd-ddc56db0069d": {
"rule_name": "Disabling Lsa Protection via Registry Modification",
"sha256": "c647076f76477dd2aa512614840acda934b1f94328c2a08ba9db4111d921b1c2",
"type": "eql",
"version": 7
},
"37cca4d4-92ab-4a33-a4f8-44a7a380ccda": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Spike in User Account Management Events",
"sha256": "903df4e7a7b2f1df89ca4373c8cb64f4d3823204bf9d85dbdde3b79ab34a955f",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Spike in User Account Management Events",
"sha256": "8f1c726255a1e3944db11d55a3907a360b2e08797aa0a0789c2980987625af7f",
"type": "machine_learning",
"version": 104
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "b96238524f55ee991b4d048d01069616a1e1cd0bf41dd07a5f82e5c52387cb95",
"type": "eql",
"version": 211
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "d497cf9ebba367ccc27ffa60c83adad1b1c4ca123ed732867ca75c61a9e34383",
"type": "query",
"version": 415
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"rule_name": "Network Connection via Certutil",
"sha256": "5e7901e98b0caf7d6571576af6676f95d6a1f8af52f4b9f99a6b7ffe6c6ea881",
"type": "eql",
"version": 219
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"rule_name": "Prompt for Credentials with Osascript",
"sha256": "82a7a287cd5ac7dcb591e035ffdecd15f555737bed999611a2fc015ac0aeeb4e",
"type": "eql",
"version": 215
},
"3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
"rule_name": "M365 Identity Login from Impossible Travel Location",
"sha256": "f77d1c2a0262340c0ead77d4fb93456b8c670c291ca6d8a2dd95dbdcd6c73fac",
"type": "threshold",
"version": 9
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"rule_name": "Entra ID User Added as Service Principal Owner",
"sha256": "8391a444b3933bf47281a3af89558637258d16499151f4d19fb9bd5010de3f72",
"type": "query",
"version": 109
},
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
"rule_name": "External User Added to Google Workspace Group",
"sha256": "1d4f576cece46f98cac0186d4b7686f927c4329e6bf393a9cbd159dbfb4770d9",
"type": "eql",
"version": 7
},
"39029450-8e2d-4034-81b0-15af8e4e3a4e": {
"min_stack_version": "9.3",
"rule_name": "Nsenter Execution with Target Flag Inside Container",
"sha256": "012976abca9dfba1327ea6926edf0cf40d0126e26937b9ba13570d2367d1af56",
"type": "eql",
"version": 1
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "fd463b53155f11c4465a2ebddd880793fb50c8d7cbb164ae7e172dae791842f3",
"type": "query",
"version": 213
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"rule_name": "Downloaded Shortcut Files",
"sha256": "0cd2d8329df50935d117f1e8f8cbd8a6b749d5098aea10fb2ce8095fd4b8e0ce",
"type": "eql",
"version": 7
},
"393ef120-63d1-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
"sha256": "ea50abca6b44953d8810e58b35a4ab0f2e456efc1ccb2adb65d1840d162060f7",
"type": "esql",
"version": 8
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "d1265b8223c6c20063ff460b62984e6ca6f864de6a66513d32508de2ade0d0bb",
"type": "eql",
"version": 314
},
"39c06367-b700-4380-848a-cab06e7afede": {
"rule_name": "Systemd Generator Created",
"sha256": "ba955d67667f012e2b16b7f60f9d67344026b1c6964d11f2dd1da09cd04fa97e",
"type": "eql",
"version": 8
},
"3a01e5c6-ce01-46d7-ac9f-52dc349695fb": {
"rule_name": "Kubernetes Anonymous User Create/Update/Patch Pods Request",
"sha256": "7f2bf812108252f0c2cec448e9f10dfff725021983a612df901b4dd4d36b49c7",
"type": "eql",
"version": 3
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "046338d3b95b4b4a22498cb8fdd538e20619623197e2a583d8477e82f2f07c9c",
"type": "eql",
"version": 316
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "5131b9101ab93a6759d129fbfc00a0aee661266e47e4be8ba38766b1a8d3f4af",
"type": "eql",
"version": 14
},
"3a657da0-1df2-11ef-a327-f661ea17fbcc": {
"rule_name": "Rapid7 Threat Command CVEs Correlation",
"sha256": "578f758b47b1aead0b38e093c09d6cf0b68b2f4f3b8412cb9e7a7aec89f7c7c9",
"type": "threat_match",
"version": 107
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
"type": "query",
"version": 100
},
"3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": {
"rule_name": "WDAC Policy File by an Unusual Process",
"sha256": "bd13988291b5cb72058e02ddbb6ad4616961a1b28e358601ef15c1d62837d8e6",
"type": "eql",
"version": 7
},
"3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c": {
"rule_name": "External IP Address Discovery via Curl",
"sha256": "8b76cd9c1817c00cade7709946be584ee7ae14b634434ca378634e3d717e5172",
"type": "eql",
"version": 1
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "6c9b9155e809656088fdd932c9134a2986d4809c75cadec68224554ef6c76397",
"type": "query",
"version": 111
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"rule_name": "Azure VNet Full Network Packet Capture Enabled",
"sha256": "e200432935afd9d703887c7f3ef678e67887553e91570a46e0f59f266667eb62",
"type": "query",
"version": 110
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "9b60a36c69eb59819eabf8baff81ce0f4d7f7c8663d59efc062d57990122d231",
"type": "new_terms",
"version": 207
},
"3aff6ab1-18bd-427e-9d4c-c5732110c261": {
"rule_name": "Suspicious Kernel Feature Activity",
"sha256": "e15b8360b5fa96f7f261912197ae09404a3268f8229561e6bcc3f39b7d56448b",
"type": "eql",
"version": 5
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "e1d1e24c41ffc15f2af27ca5bffcae7132edad1fef3f0ae1b8f21d8428eedda5",
"type": "query",
"version": 105
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "ad8c4fc9a44c93f4c1ca79d8954e509b790c3bd3199a8ea3bcdc21e55aee6a8d",
"type": "eql",
"version": 418
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "9354b45311be9fe16a9acb746a33c1bd4a40f927d7efdef1f097f9708c29702d",
"type": "eql",
"version": 321
},
"3c216ace-2633-4911-9aac-b61d4dc320e8": {
"rule_name": "SSH Authorized Keys File Deletion",
"sha256": "8ccc9ffefdcb3516217cb8bcec790571ad1559f608b2eb380758df09de98a993",
"type": "eql",
"version": 6
},
"3c3f65b8-e8b4-11ef-9511-f661ea17fbce": {
"rule_name": "AWS SNS Topic Created by Rare User",
"sha256": "3216757a897e26e81d8b37469ca11d9cd83cf3bde8bc78df45c871a1e4051459",
"type": "new_terms",
"version": 6
},
"3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7": {
"rule_name": "AWS GuardDuty Member Account Manipulation",
"sha256": "a40514c715a70b1163a1e1f528f68857ffc2122ec3f68c23b33c12e87aee77c9",
"type": "query",
"version": 2
},
"3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Potential Impersonation Attempt via Kubectl",
"sha256": "dc9f92addd41a67185697f22d88c67575a47eac0b95a555df193cccb4ce93367",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Impersonation Attempt via Kubectl",
"sha256": "6f05c685fff2f027e142e25e5d1e4228ecf4ff2b4714298055101681504880f5",
"type": "eql",
"version": 104
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 208,
"rule_name": "Unusual Linux Network Port Activity",
"sha256": "49f89efa536ef4c93f890a07191660e00b3ad881b52b10096aa23ba941d850e7",
"type": "machine_learning",
"version": 109
}
},
"rule_name": "Unusual Linux Network Port Activity",
"sha256": "21ab8bdde2ddb498cb6c6edcdfd953b4b9690ca4b6075b3281943bbb160799e3",
"type": "machine_learning",
"version": 209
},
"3c82bf84-5941-495b-ac41-0302f28e1a90": {
"rule_name": "Kubernetes Sensitive RBAC Change Followed by Workload Modification",
"sha256": "f137913826f4dfb346b155061fef745d733d9ac84ad693ed6646cd5fa68123b8",
"type": "eql",
"version": 3
},
"3c9f7901-01d8-465d-8dc0-5d46671035fa": {
"rule_name": "Kernel Seeking Activity",
"sha256": "b6ed31a8880a5bf50d74e9dcc03e8b2cb2a5102bcb585e66bfe54222fb8eb4d7",
"type": "eql",
"version": 7
},
"3ca81a95-d5af-4b77-b0ad-b02bc746f640": {
"rule_name": "Unusual Pkexec Execution",
"sha256": "fe48ab4d99dcee0d5c5d78d13fd52a051728cc3f40f8e2da36a99717430d3944",
"type": "new_terms",
"version": 107
},
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "31c5efd3e2588f4bbb9204805340a6f348a20c46d009ce4e27c99b2576368bbb",
"type": "eql",
"version": 210
},
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "c659f3531861796f257f84b285c8bc268159860e17ada2092b5ddb0004cc8f68",
"type": "query",
"version": 211
},
"3db029b3-fbb7-4697-ad07-33cbfd5bd080": {
"rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins",
"sha256": "00f3734aeadad18ecaa1bb530c67b46dd2d9a77276365492a19c14fc174dea3a",
"type": "esql",
"version": 6
},
"3dc4e312-346b-4a10-b05f-450e1eeab91c": {
"min_stack_version": "9.3",
"rule_name": "LLM-Based Compromised User Triage by User",
"sha256": "08654fdc3bd24c49261ae772ea553f821ca9fe8bd83696f6e95b510b590b2b61",
"type": "esql",
"version": 6
},
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
"rule_name": "AWS SNS Rare Protocol Subscription by User",
"sha256": "32680ca1127f1b7e76119a007029e178da00282028a5aa539ca6d3520f448c0f",
"type": "new_terms",
"version": 10
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "781c416727462ac0e014347828b7c261ba04967713972c298db7516882f130ba",
"type": "query",
"version": 215
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "e4d464262beeebfad9dbb0a00d42af6ae0790919218e2677dd0e4f96f907e872",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "81349653c7bef22cf29580e3ace788925cb5a9d8b543e05fb97f9a36da0e0796",
"type": "machine_learning",
"version": 109
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "d63e463099820ef415fca37e369392f17e227ba4229ff8aa8e48ff9dac348e8b",
"type": "eql",
"version": 213
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"rule_name": "Kernel Driver Load",
"sha256": "0a649a755936c4b5da4883d2cb39416fee6ed20ff38954671bfa71ebcf3d8581",
"type": "eql",
"version": 8
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"rule_name": "Suspicious Emond Child Process",
"sha256": "c586b75e397cda63031abb53a78c714e80a8a1dfb2d133d0e35827dcba2a6902",
"type": "eql",
"version": 113
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "5dc58754cc4f82d45abfe4dc812f1a4e4823e795adf94e534fd630f2b61d6105",
"type": "eql",
"version": 8
},
"3e528511-7316-4a6e-83da-61b5f1c07fd4": {
"rule_name": "Remote File Creation in World Writeable Directory",
"sha256": "fc8e3c202ef830d2941a6ad711b2144582b8312d846d1a75ced12e2f63f22a80",
"type": "new_terms",
"version": 7
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "5e02c2bd1ee78f88b93c1695389467410310dd135d79cefc434fec6d0bb3b114",
"type": "eql",
"version": 318
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "eac8a62ca1cd0d0965dc5352545dc9eb7341fceab8cbfa3a9d801b1534511f08",
"type": "eql",
"version": 312
},
"3ee526ce-1f26-45dd-9358-c23100d1121f": {
"rule_name": "Linux Audio Recording Activity Detected",
"sha256": "25b189c8cc3cec6eaf6f44babd229e8590b233434678bbfcdacb28cdd93364f5",
"type": "new_terms",
"version": 2
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f",
"type": "threshold",
"version": 208
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"rule_name": "CyberArk Privileged Access Security Error",
"sha256": "149a70bdcd76cf9bf067b2539841f715ee8df3aa2773e8f4505c24ecda648101",
"type": "query",
"version": 106
},
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "94be773db4ae46451aaa962d086a75466bbd8d1a8f6afdd666d19cf0b51bdcde",
"type": "eql",
"version": 12
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "d0213728bd6f84baef92aa0cfd3502dddef5d9b975a87ca21fabbded914ca935",
"type": "eql",
"version": 116
},
"3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e": {
"rule_name": "Potential Data Exfiltration via Rclone",
"sha256": "654c6762675bbe2e86e2cdc5f2883647739cb1d40a8231cdd3156fd69752ad41",
"type": "eql",
"version": 4
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"rule_name": "Process Discovery via Built-In Applications",
"sha256": "69d7a45361fa360c7008395ce81012bd3497330d2b62c25ebfd1913cbd58a87b",
"type": "new_terms",
"version": 7
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "570ebb0e5a2ce71626cfe8f38f75326e77521db306168f490e68636c672152e5",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "88291719875740ebfe930f0d6526a42e8de7f03c6c6eb67af3bfaa96b77b400d",
"type": "machine_learning",
"version": 109
},
"3f7bd5ac-9711-44b4-82c1-fa246d829f15": {
"rule_name": "Command Execution via ForFiles",
"sha256": "02b65a2a6c93487298996a9bfedaedb4d1436598cb4267292ef241ebc36be63e",
"type": "eql",
"version": 7
},
"3fac01b2-b811-11ef-b25b-f661ea17fbce": {
"rule_name": "Entra ID MFA TOTP Brute Force Attempted",
"sha256": "0c901fa65426f1462fb80e4ca2d1faf929654f311d89f202a3280dc35c9ab403",
"type": "esql",
"version": 9
},
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
"rule_name": "DNF Package Manager Plugin File Creation",
"sha256": "719051601ba7f4bc360e488b3f96c381ddee61bc0d99d586137c39964715592e",
"type": "eql",
"version": 108
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 210,
"rule_name": "Unusual Process Spawned by a User",
"sha256": "4c17db59f36b3743d92068c1a5b88c0bbc0e7109294544f30d95ee11f6d5d083",
"type": "machine_learning",
"version": 111
}
},
"rule_name": "Unusual Process Spawned by a User",
"sha256": "cb675206bfdfdbd51d00586a43ad5ab1b7a4b7cf9df4e553b7a9d967e5f1d711",
"type": "machine_learning",
"version": 211
},
"4021e78d-5293-48d3-adee-a70fa4c18fab": {
"rule_name": "Potential Azure OpenAI Model Theft",
"sha256": "95545a1f85bdb02d2df6d31c2bd4f9fc0c6ad61f606abc56c7b749ec0823064c",
"type": "esql",
"version": 5
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"rule_name": "GitHub User Blocked From Organization",
"sha256": "7b0f9689a8a45ba9dde72567402b194089a439875f380ef1ece3fbea910dfe3a",
"type": "eql",
"version": 206
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "8672a0625e04b58e7bbe56de0f48ddd08dee74082cfb85e5dc0eb2a5fe9209a2",
"type": "eql",
"version": 318
},
"40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": {
"rule_name": "New GitHub Self Hosted Action Runner",
"sha256": "8bc6935db6bda5ca9d6adfaf7c46a30e9041e429a474d22fb9bea08e8129f9e2",
"type": "new_terms",
"version": 4
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"rule_name": "Suspicious Modprobe File Event",
"sha256": "07ed14815a1ee29d7a2ff5875f8b1a3077e662274428187236ecfb4fc4c0cb80",
"type": "new_terms",
"version": 112
},
"40e60816-5122-11f0-9caa-f661ea17fbcd": {
"rule_name": "Entra ID OAuth PRT Issuance to Non-Managed Device Detected",
"sha256": "e79dc5d558b08aa2d6a5ac711b6839d68982ebf44258c71d341bd4fa6f8a122c",
"type": "eql",
"version": 5
},
"40fe11c2-376e-11f0-9a82-f661ea17fbcd": {
"rule_name": "M365 Exchange Inbox Phishing Evasion Rule Created",
"sha256": "070959c714f7a09d058737cad7ec89cc9e40d1ead7af7e3e6b3448b52335f045",
"type": "new_terms",
"version": 5
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"rule_name": "Unix Socket Connection",
"sha256": "50405e170ddbf72168eb26b96b10d0ddeef2da2ea25dbc04fd4820ec47ce4aef",
"type": "eql",
"version": 109
},
"41554afd-d839-4cc2-b185-170ac01cbefc": {
"rule_name": "AWS Sensitive IAM Operations Performed via CloudShell",
"sha256": "f35e27ff8f1f926289ec4c5333d1a66e6a4b7bb6e3d244d9024e2e87f621ec0d",
"type": "query",
"version": 3
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "ecc40ef6f1887e2552a67ac50b893a78045aa90c933ed8ef9dba6dbc5db45679",
"type": "eql",
"version": 319
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "a44f29bc649117953df7644b522fe34d02e04792ce1995c96d63aefa46581be4",
"type": "new_terms",
"version": 207
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"rule_name": "Deprecated - EggShell Backdoor Execution",
"sha256": "ad194c072b22ac1d47da8069b2c2cda6478e3fd76ec7f8dd2e6914f3328b7ecb",
"type": "query",
"version": 107
},
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
"rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
"sha256": "a194f601c0396232cfc2cf076aec26674df35dbebda99b88ba26210ab1342940",
"type": "eql",
"version": 10
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "5117bb1a4b1e01d38cf252aea6b1d85875d355d76d43d8355a82c5e6c8b94ec8",
"type": "eql",
"version": 111
},
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Mount Launched Inside a Privileged Container",
"sha256": "9599b657201d226cccb73d627949385bb21c69eb6e7c4554c43014a63a681978",
"type": "eql",
"version": 3
}
},
"rule_name": "Mount Execution Detected via Defend for Containers",
"sha256": "4aea5af437fef5fae47cf6ed305293ff950199332e2fb03503525348f1b6cbb6",
"type": "eql",
"version": 103
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container",
"sha256": "0f61633254922e0ebf567567b6aa39f07580e86d34cd1cb9240a2c1ce7ce5034",
"type": "eql",
"version": 4
}
},
"rule_name": "Interactive Exec Into Container Detected via Defend for Containers",
"sha256": "3beffdc64d3c80e62705d9f9f3a6b6fc92f18bd94136f30202711303713d78b3",
"type": "eql",
"version": 104
},
"428e9109-dc13-4ae9-84cb-100464d4c6fa": {
"rule_name": "Unusual Login via System User",
"sha256": "5b2247172cc6a9ec4fb03f5f3bb198e0ebbe37e546e0742e0a78510f59e8ba6e",
"type": "new_terms",
"version": 7
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"rule_name": "Potential Okta Password Spray (Single Source)",
"sha256": "d564134d98af7a3d81f0386dc3680e01e1259752b63bdb4657a1220d9d26a3c2",
"type": "esql",
"version": 418
},
"42c97e6e-60c3-11f0-832a-f661ea17fbcd": {
"rule_name": "Entra ID External Authentication Methods (EAM) Modified",
"sha256": "1a5cfbafaa947d1a30a0e36172836401d4ae9185aa8bc05e1c51245e1adeb397",
"type": "new_terms",
"version": 4
},
"42de0740-8ed8-4b8b-995c-635b56a8bbf4": {
"min_stack_version": "9.3",
"rule_name": "Kubelet Certificate File Access Detected via Defend for Containers",
"sha256": "5607487040f92b7d283e36023a5fe5282bf400d31b48f4dbf1eb2ebc42106dca",
"type": "eql",
"version": 2
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"rule_name": "Process Creation via Secondary Logon",
"sha256": "dbeba92d4f831b5f36a5a0d99766eb50182c1b60eade9a6452880f4ceb9db0d0",
"type": "eql",
"version": 116
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Login Activity",
"sha256": "12ada8027cc4b74be40a4135f2de36c58b9e21027dd2c0987441b08f97e69590",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Login Activity",
"sha256": "ceada163683a969ff0c09eeb47c2a6548ed0c5540c6489baaba37e1279299e79",
"type": "machine_learning",
"version": 207
},
"43303fd4-4839-4e48-b2b2-803ab060758d": {
"rule_name": "Web Application Suspicious Activity: No User Agent",
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
"type": "query",
"version": 101
},
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"rule_name": "Linux User Added to Privileged Group",
"sha256": "4087c9d1fa0fbd63a5994e714de0043354219e1486a90d369e6f9568db609f9b",
"type": "eql",
"version": 114
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "faa296ace7afe520ea4ef4a8f94e73bdaabf18a3fdff2491b9411910a92c7b26",
"type": "eql",
"version": 316
},
"444c8fad-874f-4f59-b0ea-cf26cea478bd": {
"min_stack_version": "9.2",
"rule_name": "AWS Account Discovery By Rare User",
"sha256": "ca6ee51c94c13583db988064c27811dd1667e2ed0c6f855641192291f42480b9",
"type": "new_terms",
"version": 2
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 309,
"rule_name": "Unusual Windows Path Activity",
"sha256": "3620bec2f351c8445f9975f73413065df3dfadbb936c41d6823c708a960d9ba9",
"type": "machine_learning",
"version": 210
}
},
"rule_name": "Unusual Windows Path Activity",
"sha256": "9521887c113dba587810eda8d843fae683aa907a35cb28d192ad2af4fea6f05c",
"type": "machine_learning",
"version": 310
},
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "a3ea7556a748c2042b4ddc53356093c97193a916b4a367701ae9c45c75e2d656",
"type": "eql",
"version": 7
},
"44cb1d8a-1922-4fc0-a00f-36c1caf57393": {
"rule_name": "Potential snap-confine Privilege Escalation via CVE-2026-3888",
"sha256": "2914fe3d40dd1b622e50c819001ef6f6841a9ab90204059631fee0d078b93a01",
"type": "eql",
"version": 2
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "4674d5f4a49d989f5bd2e7c5a3c68c4cb0b3c01bd3785dbaf23d881418bbd326",
"type": "eql",
"version": 116
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"rule_name": "AWS Route 53 Resolver Query Log Configuration Deleted",
"sha256": "bdcca3f4e0bc64249b3b8122881ea1261a2d6730802c955c30624c65a57f137f",
"type": "query",
"version": 8
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "821304ada86cb1f6baa0400b3df6da59d8cddb153c4eaf0cdbd47ac7b8559261",
"type": "query",
"version": 106
},
"4577d441-0c05-4bfb-9068-39a0cb855269": {
"min_stack_version": "9.4",
"rule_name": "Rare Powershell Script",
"sha256": "9c0511f7439e1c00c5d8282719bc8a3a3264846f0c2da4f4f9ee4cdcf7ec335f",
"type": "machine_learning",
"version": 1
},
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
"sha256": "e7c9e715dfc5202e3726e02eb0845d9ebc862820f8d6f38bbc831db9a30afacf",
"type": "eql",
"version": 8
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"rule_name": "Windows Event Logs Cleared",
"sha256": "5dbb2ba25bb9773b3f4cbfe7113bdfbea3297b4abe47e86d665329d81f9ce439",
"type": "query",
"version": 216
},
"45d099b4-a12e-4913-951c-0129f73efb41": {
"min_stack_version": "9.2",
"rule_name": "Web Server Potential Remote File Inclusion Activity",
"sha256": "eac6dd3f878185bf383aa944ce7171b5ac8f06bbac00216eda18a5633aaef77c",
"type": "esql",
"version": 5
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "0ccdfbb0e5e5ffd32a9233c3ddf4f8302da0fb0f0850ce2f8d4581d3fbb3b3e5",
"type": "eql",
"version": 220
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "564bb0d746bd663f81363cdf9ac732590b9f53cb2de5ba98a67f800fb3539a31",
"type": "eql",
"version": 321
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "930128205c02f5c7f26427faefeb2d4bab4bebdacf586a93b0aa5017bef1e78b",
"type": "eql",
"version": 318
},
"46b01bb5-cff2-4a00-9f87-c041d9eab554": {
"rule_name": "Browser Process Spawned from an Unusual Parent",
"sha256": "9b29139c1b7fd40c89143857a62a03aa09c8e7963ef54f650fff4224dc441f21",
"type": "eql",
"version": 4
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Unusual Process For a Linux Host",
"sha256": "6c4cc176cfcf4e1333279896e4a7af3d18d9b540a8dde255d48339baeeba33b8",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Process For a Linux Host",
"sha256": "e3f402cd3a598b9f2569f90d33ef2259c22ad46f3dc1bdc3c4c5b17eec84f8bf",
"type": "machine_learning",
"version": 208
},
"472b4944-d810-43cf-83dc-7d080ae1b8dd": {
"rule_name": "Multiple Cloud Secrets Accessed by Source Address",
"sha256": "5e4eae6eda373ea926bb58a7a366c5a8f2927a722bf046ea56b6c12f05a39d09",
"type": "esql",
"version": 6
},
"47403d72-3ee2-4752-a676-19dc8ff2b9d6": {
"rule_name": "AWS IAM OIDC Provider Created by Rare User",
"sha256": "2b8214da1cdbd0bc040957a0d7526d484399595432c8a33204adcf6632c40bc7",
"type": "new_terms",
"version": 3
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"rule_name": "System V Init Script Created",
"sha256": "a68393a005eedad66f216d14894d34d69d69ddf143cc9fa39a2f535685870c6b",
"type": "eql",
"version": 119
},
"47595dea-452b-4d37-b82d-6dd691325139": {
"rule_name": "Credential Access via TruffleHog Execution",
"sha256": "80cd369aeb6877b1db2b6c12d1783ea6a5d0a624fa9017500b34cad571cef398",
"type": "eql",
"version": 4
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
"sha256": "c45335d0cf5b97ef7c4f655e919b98f962426de4d8347ffb18ce6bbfea13bd98",
"type": "eql",
"version": 4
}
},
"rule_name": "Sensitive File Compression Detected via Defend for Containers",
"sha256": "731ba52a513156d8a87d316d77433a64170711f97dc7f177f3f719aea71b3314",
"type": "eql",
"version": 105
},
"476267ff-e44f-476e-99c1-04c78cb3769d": {
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
"sha256": "653a7ef1791236e63f96af404c6b02046875b405b8037d13ccb1a3e7998ba6fd",
"type": "eql",
"version": 107
},
"47661529-15ed-4848-93da-9fbded7a3a0e": {
"min_stack_version": "9.3",
"rule_name": "Chroot Execution Detected via Defend for Containers",
"sha256": "59db7a4c53b4f3ddb4207c6491c7bd8d81c264d0c04da5d8788ab834607b79d7",
"type": "eql",
"version": 2
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "a5af415e1f2c7a456ca9118e3e4597cc2b0b71a212a73a2fa72bda8e0830cac8",
"type": "eql",
"version": 218
},
"47e46d85-3963-44a0-b856-bccff48f8676": {
"rule_name": "DNS Request for IP Lookup Service via Unsigned Binary",
"sha256": "b77d74a3141da1892738e8c0d4fd55bcbe16d6888bb1c16ec266c429adf9d305",
"type": "eql",
"version": 1
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
"type": "query",
"version": 100
},
"47f76567-d58a-4fed-b32b-21f571e28910": {
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "938566ecdd4b7685b7907233ea57cfe0cb348a40ac06c7eb2716b07aab912725",
"type": "eql",
"version": 113
},
"47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5": {
"rule_name": "Potential Database Dumping Activity",
"sha256": "aad1b6a1095cc1013ae935d6e8045119e05fe3ef4f5834c1f9127be2395959e7",
"type": "eql",
"version": 2
},
"483832a8-ffdd-4e11-8e96-e0224f7bda9b": {
"min_stack_version": "9.2",
"rule_name": "New USB Storage Device Mounted",
"sha256": "68046728274c9ab9c11bc0b39e461e49b9a9b9848f71d7011fe77d57ba59496e",
"type": "new_terms",
"version": 2
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "5a1aba147a9b9f814d2d1b09cd541b22ae6d611c7fd6f3188f5920edab8078c0",
"type": "eql",
"version": 318
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"rule_name": "M365 Exchange Mailbox Accessed by Unusual Client",
"sha256": "8a10e8db5467f33d67e8ed3dca2f5a1d079e9d210603960f09e9db3ea9d997c7",
"type": "new_terms",
"version": 113
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"rule_name": "Potential Reverse Shell",
"sha256": "e0d23e8a4ce93e59d053897dac95bd93ea4007fea82aa10026eb0f9cb6aa98c0",
"type": "eql",
"version": 15
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "13da83ae4ff6203a49a32508015f5afa1857f4551dfcaad34b06c929cf1e6a56",
"type": "esql",
"version": 119
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "be6c7b51b8751b54b6b8c450645ccbe983f6d0ad6b84552de2019226faae60b8",
"type": "eql",
"version": 111
},
"48e60a73-08e8-42aa-8f51-4ed92c64dbea": {
"rule_name": "Suspicious Microsoft HTML Application Child Process",
"sha256": "7c56c9e26607fba3339913474442ef3d7bfbf6293b5c99f54d2eb96881fade95",
"type": "eql",
"version": 4
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "20d159f7d05efe06ca199cdaaa7dbfd309d575bb0863bb8a3abb182ce79e8ac5",
"type": "eql",
"version": 110
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "f1c328ae4209f8dd970135e0448fcc4570c22a584600e6623a6e7b834d57b7a0",
"type": "eql",
"version": 8
},
"491651da-125b-11f1-af7d-f661ea17fbce": {
"rule_name": "M365 SharePoint/OneDrive File Access via PowerShell",
"sha256": "85739e22b434b14be9315877943b9eb3b82ce63928b065f96cb4631cb598768c",
"type": "new_terms",
"version": 4
},
"493834ca-f861-414c-8602-150d5505b777": {
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "d94a4754a0bac94045cb963405493f79639e4750d53db7855347719f027c7a91",
"type": "esql",
"version": 107
},
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "9365957412d43c05676cc64a16e5849fea6369fb83f1f3bc6433834987b4d0c1",
"type": "eql",
"version": 114
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "6d87b2fabfb96262dab24abba760dd06624e339e6f6754d5b80da802c4fcc200",
"type": "query",
"version": 111
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
"type": "eql",
"version": 3
},
"497a7091-0ebd-44d7-88c4-367ab4d4d852": {
"min_stack_version": "9.3",
"rule_name": "Web Server Exploitation Detected via Defend for Containers",
"sha256": "4f015b58f7cc44127fa2338b2af0178f6882ee823df52179f218821a49ec03e8",
"type": "eql",
"version": 3
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "547cc7d9e89793916feda5f91bfa09fcdb1001369b259f28b1d90f8790b0c8b7",
"type": "eql",
"version": 111
},
"498e4094-60e7-11f0-8847-f661ea17fbcd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 106,
"rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql",
"version": 8
},
"9.1": {
"max_allowable_version": 206,
"rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql",
"version": 108
}
},
"rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "75ce697b7ebba19a90b13ad5c2a00f716b1136889ac57cf0454fb38d2abf3033",
"type": "esql",
"version": 209
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "36f98006e5bfa62be0b6fb497cac3f8e786c601b1856911576321711398ff937",
"type": "query",
"version": 109
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "ebb411cb6d8deec435be6983e89ff05cf986d078ea776de1c513732dad30a8a8",
"type": "eql",
"version": 111
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"rule_name": "Potential Cross Site Scripting (XSS)",
"sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6",
"type": "eql",
"version": 2
},
"4ae94fc1-f08f-419f-b692-053d28219380": {
"rule_name": "Connection to Common Large Language Model Endpoints",
"sha256": "e3a857464bccee09ed43658511ac90b4b5e1ab9d35a7e6f562e8222fb1c31356",
"type": "eql",
"version": 6
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
"type": "eql",
"version": 6
},
"4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd": {
"rule_name": "Entra ID Protection - Risk Detection - User Risk",
"sha256": "5df9119f737237a17d5b11d6333596ed6cccdcea1c3d4ddb2115cee9fdf15a27",
"type": "query",
"version": 4
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "712e9f27b5d709ea5f42c73b492a3eb4b4c9d9a749c11b25a0c40218cf62765a",
"type": "eql",
"version": 317
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "Deprecated - Container Workload Protection",
"sha256": "411897304d67f1f8954d01b12bd234c002308f5cb7c284cc8edc8e86398b5506",
"type": "query",
"version": 6
}
},
"rule_name": "Container Workload Protection",
"sha256": "498945c61a0e56d7dee2199258dd45db789fe0034e64cf69ce36b49ebf2a1568",
"type": "query",
"version": 106
},
"4b74d3b0-416e-4099-b432-677e1cd098cc": {
"rule_name": "Container Management Utility Run Inside A Container",
"sha256": "4b1c24e5e2fb7b93b9cab43640dcb67a1a8d8023080af350342420b412d954a3",
"type": "eql",
"version": 5
},
"4b77d382-b78e-4aae-85a0-8841b80e4fc4": {
"rule_name": "Kubernetes Forbidden Request from Unusual User Agent",
"sha256": "88773d78b14a1bcdf590ca88cafbe442d00a5a49f47b498e65a6ac6d4a767133",
"type": "new_terms",
"version": 6
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"rule_name": "ProxyChains Activity",
"sha256": "68defaeb26fa351359ae0446628962b14803c4baeff4ee68daf60bf8947ef046",
"type": "eql",
"version": 110
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 107,
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "94ec426a8004fc2a8a6b335f60ddaa7ac6b2e50638d6e72f242b133e0121c3a1",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "1589cefc5200c7e7996d5300845a603f75f00b8ae38c6b4aaf586efc53f66089",
"type": "machine_learning",
"version": 108
},
"4bae6c34-57be-403a-a556-e48f9ecef0b7": {
"rule_name": "M365 Quarantine and Hygiene Signal",
"sha256": "f2d1e7436634073de94351647b98d9e406d09f11b6250cd96fef280126632366",
"type": "query",
"version": 2
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "ed8dcb92cfeba3e300ed4a8d4692886005db714dc1ec5c71e5b68c0da285cde6",
"type": "eql",
"version": 316
},
"4bd306f9-ee89-4083-91af-e61ed5c42b9a": {
"min_stack_version": "9.3",
"rule_name": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"sha256": "2bd3b29bb1de58aceb5f105d638bee45273c848f3ee80c7cee83e90a04964ee5",
"type": "eql",
"version": 3
},
"4c3c6c47-e38f-4944-be27-5c80be973bd7": {
"rule_name": "Unusual SSHD Child Process",
"sha256": "7836bbad444d51d5c8299aea810ea766e37ff1aaa90696ff4de74a6882d1fa3a",
"type": "new_terms",
"version": 7
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "53e870fdfb17df75e77e5625dad994b7014b21b3b90229e0436817acaa6aad78",
"type": "query",
"version": 116
},
"4c5a4e8b-3f2d-4a6e-9b5c-7d8f9e0a1b2c": {
"rule_name": "Azure Storage Account Blob Public Access Enabled",
"sha256": "3a0186ed0069a6b04d772c0376819879b9f3230c5f97929c81fa54bb2ba09635",
"type": "new_terms",
"version": 2
},
"4d169db7-0323-4157-9ad3-ea5ece9019c9": {
"rule_name": "Potential NetNTLMv1 Downgrade Attack",
"sha256": "66c44401346ad331eee974206935f1739356fbdfa1c05b5c43a96d00aa7cf0d2",
"type": "eql",
"version": 5
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "ed5b0ee6f9acc299b7d681c6c248927820ed37d3afde535bbf22d1f88c8a5d38",
"type": "eql",
"version": 113
},
"4d4cda2b-9aad-4702-a0a2-75952bd6a77c": {
"rule_name": "Docker Release File Creation",
"sha256": "fcf46bfd3250345e843693606f5fb82feefdc1be32b6a5f2b0f4a2ba0f09777d",
"type": "eql",
"version": 4
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "33007e4af04655ed7b7d38d9aa4047437e04c7a32a683fb1d94d0c6f9c0126bc",
"type": "threshold",
"version": 214
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "15628d00707d5cb8162b39822a54eaefbaba7cacec4fe61de572319ea4b25767",
"type": "eql",
"version": 111
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "2547fbd8709d4cf9e8f4bd0048a897e98859ec4f7ab564261d6a52e38f94d2ef",
"type": "eql",
"version": 320
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "18af43592e9ea1cab61766146cc9e4060b3d000eea41d6ed6b5e839350b3e422",
"type": "eql",
"version": 117
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
"sha256": "3141b56172d9325f7e292f8848a1c32a7d10bbe33ba9a2d6876e5a8895c80063",
"type": "eql",
"version": 115
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "fee10156d1f4a3f29bc42acbf1ad6ee3ba381b251d656d9705905328d11f7503",
"type": "new_terms",
"version": 319
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"rule_name": "Suspicious Script Object Execution",
"sha256": "8b925f4de064a926ab17d2911e80bf6947d6e864da4aad5afcebc3491a482ecb",
"type": "eql",
"version": 214
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "86ae4800d9e3322d8946ef71eadb796219d883ca2d8b3772316c430eff73718e",
"type": "query",
"version": 415
},
"4f2654e4-125b-11f1-af7d-f661ea17fbce": {
"rule_name": "M365 SharePoint Search for Sensitive Content",
"sha256": "4bad672d48c22df5551ec3342e6f2c08bd9615a39c6c71edae46085f8673643c",
"type": "eql",
"version": 2
},
"4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
"rule_name": "Kernel Unpacking Activity",
"sha256": "991d514239a7588fb6359ef0829150e5fba13a68886bf02602eff1ce014b7a26",
"type": "eql",
"version": 7
},
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"rule_name": "Unusual High Confidence Content Filter Blocks Detected",
"sha256": "bbed7d005c3add1b1f91865e98385a1db6bab42d2c50a6f304be8f9987154da8",
"type": "esql",
"version": 9
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "e91467439c3544ac933948876d3564d3775402dbd9de32b4331e7677ff28d060",
"type": "eql",
"version": 319
},
"50742e15-c5ef-49c8-9a2d-31221d45af58": {
"rule_name": "Okta Successful Login After Credential Attack",
"sha256": "6dad6073685bd27507bd1019c4c661b33314e196d1df27fd1d6a4a26a3f6aa32",
"type": "esql",
"version": 3
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "9f970647e9f0660e49e6297139d0fac8dea160ad9a626410b76241e0e285dab4",
"type": "threshold",
"version": 212
},
"50a2bdea-9876-11ef-89db-f661ea17fbcd": {
"rule_name": "AWS SSM Command Document Created by Rare User",
"sha256": "38d2e2b85d115c468b86078187b4bf2e2692c83671f32a7800c8d87e8327865e",
"type": "new_terms",
"version": 6
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"rule_name": "Windows System Information Discovery",
"sha256": "3f5f4187427fe60250c06d4030358ca518b17592c87d264baef1d7091a731c6a",
"type": "eql",
"version": 112
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"rule_name": "Hidden Files and Directories via Hidden Flag",
"sha256": "00a937a6551df200e27af0c95020a908bd832f721000e682fd65f512541cc2c4",
"type": "eql",
"version": 108
},
"5134be90-42c1-4ac7-859c-4d82caaddbec": {
"rule_name": "Proxy Shell Execution via Busybox",
"sha256": "79b4ea149f88a2ee4fc8326864cadcd00ea7b142318e7e9100ab5c90dd688825",
"type": "eql",
"version": 1
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "f08796645892a9fa8f7c3b67c11e0245ae79f43f1da29dc7f672653ebf69815b",
"type": "eql",
"version": 418
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "M365 Exchange DKIM Signing Configuration Disabled",
"sha256": "859bc8f0ef5f23b602f35c59bea15f012d43ae8c80cebb03c3b3b94220e29cd1",
"type": "query",
"version": 213
},
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
"rule_name": "GCP Logging Sink Deletion",
"sha256": "511c2959e42c07c74fe71b4f3da197e85d2a1fb979e23918829861b69aa0bd04",
"type": "query",
"version": 109
},
"5188c68e-d3de-4e96-994d-9e242269446f": {
"rule_name": "Service DACL Modification via sc.exe",
"sha256": "7b9b5cddfe539d530a81415222048a2f5018ed718b45baabb26fda249de04fbd",
"type": "eql",
"version": 209
},
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
"sha256": "a5c34d9923fd2894a45428381962c575b3377bb30cf355c2869e5344a4e04175",
"type": "query",
"version": 8
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "870d58a3e6ea8fe0f4085336bc6cbc3d947914097ba94babb4b5f15b0cda2444",
"type": "eql",
"version": 212
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"rule_name": "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "2bea7d2c25ab910e0d606af8c8c55279b47893c6895044b905d268f6bfc3a206",
"type": "eql",
"version": 11
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "0a394ab67c395bcdc27b3ad12d450d8ce316d1f4bb5eb00b82dc41ce9e6713d7",
"type": "query",
"version": 212
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "db0a78fa15e70e7486162d61b6f30566133d52e6433e0e9d7dc42ffbf6eeae48",
"type": "eql",
"version": 119
},
"527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": {
"min_stack_version": "9.3",
"rule_name": "Tool Installation Detected via Defend for Containers",
"sha256": "06b375e493f4b41424c0ca40c75d93d51a0530eaa4a352ee6d7853d70b04a0d3",
"type": "eql",
"version": 4
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
"sha256": "29634fdc3cfdb91140f35c87f79547edac1b9e106807a8cc21d7ee6b51912e87",
"type": "eql",
"version": 4
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "cde1e6487ebcc56f9050150c0378e2da7deff62ad47b9dab28c2794674535116",
"type": "eql",
"version": 214
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Unusual Linux Network Activity",
"sha256": "62bd8f8c90f70c3a4eb3671d95b3b6e54bd72c9902ec472ed75dbc680856fa84",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Linux Network Activity",
"sha256": "c3933dcb86a4f1abdb07a73739d56f6fd50701e0ce42c766af4402e47f547ba6",
"type": "machine_learning",
"version": 208
},
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
"rule_name": "Unusual Linux Web Activity",
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
"type": "machine_learning",
"version": 100
},
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
"rule_name": "Unusual Linux Network Service",
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
"type": "machine_learning",
"version": 100
},
"530178da-92ea-43ce-94c2-8877a826783d": {
"rule_name": "Suspicious CronTab Creation or Modification",
"sha256": "06aa18b798246b990e22baa71af8b598ed63603682333c4694537075d56ce774",
"type": "eql",
"version": 112
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "9cf2ba4a67c472e0406c42262df0bb6ccddb11451ddcf29de0d5985842a08f96",
"type": "new_terms",
"version": 15
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System Deleted",
"sha256": "8cf6dfd14e01e720347865eb598fe80c73084a718b4f5703b63d214db4d68052",
"type": "query",
"version": 212
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"rule_name": "Azure Diagnostic Settings Deleted",
"sha256": "7ca60ba6ad3527a0ae4294e9191284da98a6981a9abccf9356442eafe415f24e",
"type": "new_terms",
"version": 109
},
"5378a829-30c2-435a-a0f2-e3d794bd6f80": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 100,
"rule_name": "Rare GCP Audit Failure Event Code",
"sha256": "68286b273629f0e76ab3ed11d530a7aa0bafc6f2fce33cc438cee7402360c949",
"type": "machine_learning",
"version": 1
}
},
"rule_name": "Rare GCP Audit Failure Event Code",
"sha256": "c5481b8a55bd8c39a4b9d76e1630bd8329b9339cb43e40347317861244b7db02",
"type": "machine_learning",
"version": 101
},
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "13ca397ec6553f6c993d68c532077536be213be3dee894a2609b0aaea9eade5e",
"type": "query",
"version": 10
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "792ed5fc6b0a36233bde6b5f3b81cb38c17352d64cb05bf7695a121087c373c2",
"type": "eql",
"version": 319
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "c082e3ac3a00dc4956ce3e96ea4ec33d0e3d82e54b0ccacc0ecbdcaea938c347",
"type": "eql",
"version": 110
},
"53ef31ea-1f8a-493b-9614-df23d8277232": {
"rule_name": "Pluggable Authentication Module (PAM) Source Download",
"sha256": "cd48b0f1d4115b1444172db9c6f59b8c60c75583bf5c511ba0df9ea374aa84f5",
"type": "eql",
"version": 7
},
"54214c47-be7c-4f6b-8ef2-78832f9f8f42": {
"rule_name": "Network Connection to OAST Domain via Script Interpreter",
"sha256": "1203b6747b51b4832b4ebefe2903731584e77306aacc9f20d75fbf1cf7d1c66e",
"type": "eql",
"version": 2
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "04bf11d21b2237ee52b0b88167f0cfa4fc196dde2f4fbfda8b651395b6ef1329",
"type": "eql",
"version": 217
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "bb8801610e32224071dc341162073ded5df413ddf4c2cdcfb9b7e8442242b149",
"type": "query",
"version": 215
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "3cff6043bb08ad2cb24e8d37adc43a86a8670e3e4d63ab64da8590469e6d827d",
"type": "eql",
"version": 219
},
"55a372b9-f5b6-4069-a089-8637c00609a2": {
"rule_name": "First-Time FortiGate Administrator Login",
"sha256": "518282100295984ad22ded511e0efb7a009dbec8d0bbfe2c7fac69778163579b",
"type": "esql",
"version": 3
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "d9d7b7c944e438656c8d6c348d8acd34be6f45ef68c23cdc5c1e679c1eb476f2",
"type": "eql",
"version": 217
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"rule_name": "PsExec Network Connection",
"sha256": "af8f8b17e077e18ee55fe944de4a17281aedb7f00d55333d69560c44623fcfd7",
"type": "eql",
"version": 214
},
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
"rule_name": "Windows Installer with Suspicious Properties",
"sha256": "a8fdb430eef1c2a8a281cadce30763cc48c12db7cd45cafcc018d558cac60d8d",
"type": "eql",
"version": 4
},
"55f711c1-6b4d-4787-930d-c9317a885adf": {
"rule_name": "Suspicious Execution with NodeJS",
"sha256": "0988cafc07e2277a8687b5a89074a4ad787b1cc0ad5bf564bdacb5b7c95cfe94",
"type": "eql",
"version": 3
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 209,
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "eca5395ab95a933bd111e9188d2ae22c48eb93cb47655489d123e4414dabfe5f",
"type": "machine_learning",
"version": 110
}
},
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "d1bc1e43d67b87351b3a10c4bd73b589d019f0eb8f4519a5fdd013f9c57732a8",
"type": "machine_learning",
"version": 210
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "9bc6208af462e05208a3ba998898d18819968882805d9c738507807be1b330c2",
"type": "eql",
"version": 210
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "8cf3c09ba2db0c7300a67369106a28725e2c5cc57e9c57d8cf14fe64d7a8c303",
"type": "query",
"version": 212
},
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"rule_name": "Potential Admin Group Account Addition",
"sha256": "87db461459ea0a1c445b59dfa9d8e7368c2afc905f30243a589b82af51f8515d",
"type": "eql",
"version": 211
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "e402572e5dc8c2c7305905227898b75e4d1a151ec425b3c8b433e5816cd325d4",
"type": "eql",
"version": 112
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"rule_name": "GCP Logging Bucket Deletion",
"sha256": "a41c9b731116a7c1e1a6c3aa9f43347ea30abb1eea8076c45c74804e6b07a048",
"type": "query",
"version": 109
},
"56d9cf6c-46ea-4019-9c7f-b1fdb855fee3": {
"rule_name": "Windows Sandbox with Sensitive Configuration",
"sha256": "cb4b6f0adb8773383e682fe16570cbca4179d222ed197d04b3d89fa29926d486",
"type": "eql",
"version": 4
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"rule_name": "PowerShell PSReflect Script",
"sha256": "6c697a981e583ada22e4f514b9fe1cc69e210a0cd838679036eb1158118d1beb",
"type": "query",
"version": 317
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"rule_name": "Execution of an Unsigned Service",
"sha256": "98a1bb00cc5109dfee42a633f855fff9346d0648551bebc3d0863b1561b49aa2",
"type": "new_terms",
"version": 109
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "5df33e1e630173c386e4532fe8fccafa945c531cdaad3bf9f65a20605287464b",
"type": "query",
"version": 111
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "c7c3ab0c50a276ad16b97c50145d1b1c44b1d09b2582d5f75868b68006f33c2b",
"type": "query",
"version": 105
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted",
"sha256": "914135ecccac7234592a2f0c768301fedcf43c6c78e8ec8977774bcd9ecb70aa",
"type": "query",
"version": 105
},
"5749282b-7524-4c9d-af9a-e2b3e814e5d4": {
"rule_name": "AWS Credentials Searched For Inside A Container",
"sha256": "b09e2c974cc1d80c0c75f3799dc517a1ba657bb18f02243743e329247980db61",
"type": "eql",
"version": 4
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"rule_name": "PowerShell MiniDump Script",
"sha256": "5c5ee438716479240dd176d2f4b269ac7093f03e6ceffde51b86912f8b8d4ee2",
"type": "query",
"version": 214
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "4944bbed621deeb513b94814d78fab8b15895a6fbf5a4b3c12e69c50f5a82be6",
"type": "eql",
"version": 109
},
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
"rule_name": "DNS Global Query Block List Modified or Disabled",
"sha256": "971eb40543306c60de5695b0c5c5323b2de381b23f1e442ce30cb39d29eb2c97",
"type": "eql",
"version": 211
},
"57e118c1-19eb-4c20-93a6-8a6c30a5b48b": {
"rule_name": "Remote GitHub Actions Runner Registration",
"sha256": "8da226b40be571223b8382299f5497f08742a417a0afe756e9005488a6a3604a",
"type": "eql",
"version": 3
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Backup Deletion with Wbadmin",
"sha256": "ab7e97c915d3a23943a57f5610efdbf9dfa1c8b60f4a82155800f5eb754553dc",
"type": "eql",
"version": 320
},
"5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": {
"rule_name": "Unusual Web Config File Access",
"sha256": "d0e52d0a9d67db8bc963869c1db6a15171b3f593e995b5a08bc6bde2194de611",
"type": "new_terms",
"version": 4
},
"5889760c-9858-4b4b-879c-e299df493295": {
"rule_name": "Potential Okta Brute Force (Multi-Source)",
"sha256": "cdac32489551a612c6bdd1002c5f9beb3f39e4e418574f5d004a7307b21e02c3",
"type": "esql",
"version": 3
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry",
"sha256": "80ca9aa2214417366e41ffd82cd9a7232496f7791e47f1fe0b600d0b8425bf40",
"type": "eql",
"version": 317
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"rule_name": "Zoom Meeting with no Passcode",
"sha256": "c200789d227a9970276e70d96c3d7a3dda0bca9cc890d451341d5701dc772fa8",
"type": "query",
"version": 106
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "ac7bf2a46ba5a70e8f7adf24b3dff91fc99d215a6ead840ce7f034f27e013106",
"type": "eql",
"version": 113
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "54a500e176cc9745327edf4a986bbcad4894627acf87bc50f5727b26558cd775",
"type": "eql",
"version": 115
},
"590fc62d-7386-4c75-92b0-af4517018da1": {
"rule_name": "Unusual Process Modifying GenAI Configuration File",
"sha256": "4c8318ca5f58fb1f5df70040197b63e88f8b5f390e666cc85e3eac0c39129222",
"type": "new_terms",
"version": 6
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"rule_name": "File or Directory Deletion Command",
"sha256": "7742b4d700c05a6edae94904b1648746b5b85845c114eb60cbfc8fb84972171f",
"type": "eql",
"version": 7
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"rule_name": "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish",
"sha256": "52f073fe724020db891045530704a08c294fa95ee10247f3232467f93bd3fb85",
"type": "query",
"version": 213
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
"sha256": "820bd96ddd179512b9d5a0163bb9f14bab4331cc45be72aa7718ebace53c28c0",
"type": "query",
"version": 214
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Unusual Linux User Discovery Activity",
"sha256": "1b3e6cbb40f046d22b7ccadce341898603e5676bd73c703a48a3dd0a50beae19",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Linux User Discovery Activity",
"sha256": "60849ad13847f09c4d9a8563601b9291916f289bea439f511a4171ec4a013351",
"type": "machine_learning",
"version": 208
},
"59bf26c2-bcbe-11ef-a215-f661ea17fbce": {
"rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"sha256": "4ee4a4ce4a9ac868a787a8fcadc3d1b7655e2840e1b76969a14ac4571928d40a",
"type": "new_terms",
"version": 9
},
"5a138e2e-aec3-4240-9843-56825d0bc569": {
"rule_name": "IPv4/IPv6 Forwarding Activity",
"sha256": "d9cf4c038f53b5ebd1c30a304fb8870d6145d0785926200cf0374842c84220ff",
"type": "eql",
"version": 108
},
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "1f54949694e1a11f3a6cfb3b63ee8e578f5bf33cdb23bf40ea319d20845ff3d0",
"type": "eql",
"version": 314
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"rule_name": "Potential Reverse Shell via Java",
"sha256": "11037a250f68a1970df97139622a157e84807139f8126e5d9c7bc7cf56b3b77c",
"type": "eql",
"version": 13
},
"5a876e0d-d39a-49b9-8ad8-19c9b622203b": {
"rule_name": "Command Line Obfuscation via Whitespace Padding",
"sha256": "1bf4f552f7599807a7e15afba35b168d0ca331e3b70e945506eb527d1e088934",
"type": "esql",
"version": 4
},
"5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
"rule_name": "ROT Encoded Python Script Execution",
"sha256": "3570dec854c263de8cdebc1855ebfe5f7ab4526fc849b9e3a925eca865cdb5c7",
"type": "eql",
"version": 6
},
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "8e98b708a9211e5d0ebef862842c54d085108d51b98842c091c5b26228dfa6ee",
"type": "eql",
"version": 108
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "633d6227e7b67c05c46dd509f2cd8d07f37e29fa580d76f692df49fea3e78ff7",
"type": "eql",
"version": 111
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "2cfbca1b129860895636735b8d15df004c74a582e3be5fc79d043ee9eb08bd50",
"type": "eql",
"version": 314
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "d3606ed659895f8c1cfdbff613629c196b862c209892b801f1b8370aaaf4277d",
"type": "eql",
"version": 114
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "600013f59808acf8e3fbcb916efe820a124db6b8d3605bf5fe031d1b729b358d",
"type": "eql",
"version": 11
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"rule_name": "Suspicious which Enumeration",
"sha256": "dfef9c7a379453c311f0bfab1d39e33e823cd53ca0d1401b0c395667b781beb7",
"type": "eql",
"version": 112
},
"5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": {
"rule_name": "Successful SSH Authentication from Unusual User",
"sha256": "7be56f4b8d28507b68d83d793cca3e982deab0387b8e00b6117aafe109cb2bc3",
"type": "new_terms",
"version": 5
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "4556a2b4d9ae5c0709537287d7c352c49fd07266ec3e249028df8c684d8e7bf2",
"type": "eql",
"version": 9
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"rule_name": "Deprecated - Suspicious PrintSpooler Service Executable File Creation",
"sha256": "8a47a48d97d6455444a465225652850ef188dd562e9f8c43f6fc8781a717f891",
"type": "new_terms",
"version": 323
},
"5bda8597-69a6-4b9e-87a2-69a7c963ea83": {
"rule_name": "Boot File Copy",
"sha256": "9631f14860402dcf2e73a1613d08cf82bef87f7b793098b03b5ececfe9236c85",
"type": "eql",
"version": 5
},
"5bdad1d5-5001-4a13-ae99-fa8619500f1a": {
"rule_name": "Base64 Decoded Payload Piped to Interpreter",
"sha256": "027fc040e1e9e549efb1038c541a0965a6a625c7cfa7ac595dfc9747ffca5b09",
"type": "eql",
"version": 7
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "7e201a9f630b65ea3703f55383653c8c701324ea8334853c13efb45ddd45bb79",
"type": "query",
"version": 212
},
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
"rule_name": "Process Capability Enumeration",
"sha256": "958cb09fe0453597f345b91d73f1f8cf88e769e76285da2a9029817841f976b0",
"type": "eql",
"version": 9
},
"5c495612-9992-49a7-afe3-0f647671fb60": {
"rule_name": "Successful SSH Authentication from Unusual IP Address",
"sha256": "1131f0ba1299b1673272bd63bc99e020893f13a54959cc573c19f06e3c6d27c0",
"type": "new_terms",
"version": 5
},
"5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": {
"rule_name": "Deprecated - SSH Process Launched From Inside A Container",
"sha256": "5b2188d09bbe293e3e5d684a0febaaeb6e8027038ba64aa70585fde1b3f59fdd",
"type": "eql",
"version": 3
},
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "4ab3780669514a3c38d185828e425d62f8005baf7e564cfe108f7922d0d02d72",
"type": "query",
"version": 108
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"rule_name": "First Time Seen Account Performing DCSync",
"sha256": "6efcf236f3f9c9963fb10ebd45d9b9de86581067dc5b3515bab1cdc720278271",
"type": "new_terms",
"version": 119
},
"5c81fc9d-1eae-437f-ba07-268472967013": {
"rule_name": "Segfault Detected",
"sha256": "6ae08cb11476bde01a0bc5e23c18dbeb3c64c7f9f56cadc416776d004a3f3938",
"type": "query",
"version": 4
},
"5c832156-5785-4c9c-a2e7-0d80d2ba3daa": {
"rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"sha256": "f60eb9f78e9b31ecc263168312144052efe7d3d67430d9e8e4bc68396f433f20",
"type": "eql",
"version": 106
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "499e822266c7a93e65eed7dd53f2d4762b9ede773ae711da386d2dd215831704",
"type": "eql",
"version": 12
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Linux Process Discovery Activity",
"sha256": "73a2b26e4a677c2f45db8dfe14c180513fa2b5b51e66828388e71dd909955e75",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Linux Process Discovery Activity",
"sha256": "e6d2c1bb66e9d94d5a0fc9e25fe3d8dd9a75eb35f100ed631a3df105e5748711",
"type": "machine_learning",
"version": 207
},
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "e1ae2e1cbed489a77754e6fab8a50f37f6de818e6fa2ca20d8096664e8add36c",
"type": "eql",
"version": 112
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "26553adf03310ab42539ce968440da4d62fc1fd18788e3d2f13aab321c9255db",
"type": "eql",
"version": 215
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"rule_name": "User Added to Privileged Group in Active Directory",
"sha256": "f804eba2756db8092e43ff3affebdb403dbdc631098bebd3cdaf6ba3829b043e",
"type": "eql",
"version": 217
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"rule_name": "Persistence via PowerShell profile",
"sha256": "bc50204842263093d6d6ad331922bf865f62b4a06b43ef3f9321955c32ad22ea",
"type": "eql",
"version": 215
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "e818c9edc963124f3fe4b690ac99f23981b4899d2ec0bbbffbb93c5590b8756b",
"type": "eql",
"version": 112
},
"5d1c962d-5d2a-48d4-bdcf-e980e3914947": {
"min_stack_version": "9.3",
"rule_name": "Forbidden Direct Interactive Kubernetes API Request",
"sha256": "d27959c1650287e616fb7b235e828792e56a049f59244ffc1d56ad66b4b99d32",
"type": "eql",
"version": 3
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "c06d312788de6b526b2eda5008ba2de688020524b0142b2a077d564b7141a2e8",
"type": "eql",
"version": 216
},
"5d676480-9655-4507-adc6-4eec311efff8": {
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "ce96526f1173cee77a4a1a49988e5b43cac66b19bc7f0e268d904961da06ddc3",
"type": "eql",
"version": 108
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "7a9ce14eef48ed766c137dbe638528f60bbfd889852e3b0e0251ed30b6ed4b98",
"type": "eql",
"version": 112
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "048a359ddaed92e5d025d84b05ee14e0aeb65e3c2f980eefac7cd3196a48085b",
"type": "query",
"version": 111
},
"5e23495f-09e2-4484-8235-bdb150d698c9": {
"rule_name": "Potential CVE-2025-33053 Exploitation",
"sha256": "d05a70b154a7b84b4788d0e7a9beb17cf0b147169da42a8f48bafb328c5e8403",
"type": "eql",
"version": 3
},
"5e4023e7-6357-4061-ae1c-9df33e78c674": {
"rule_name": "Memory Swap Modification",
"sha256": "84ab5ac7a9d4da0254311ffb718735490af81e6cb6c191ead1f08277e7a520e9",
"type": "eql",
"version": 108
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"rule_name": "Deprecated - M365 Teams Guest Access Enabled",
"sha256": "266a162de1fb161531696272816f4b94596b9e60e70a673859f3162efb4333e6",
"type": "query",
"version": 214
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"rule_name": "Potential PrintNightmare File Modification",
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
"type": "eql",
"version": 100
},
"5eac16ab-6d4f-427b-9715-f33e1b745fc7": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Process Detected for Privileged Commands by a User",
"sha256": "1d71fb265ec9c3ff73874aa4beadd56455b47e89abd56102a39fe0cc342da6af",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Process Detected for Privileged Commands by a User",
"sha256": "5ec3183a9be36f68aded429224d36cce68ddfb8a955fcc82adb868c3880f0b8c",
"type": "machine_learning",
"version": 104
},
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
"sha256": "b03598902c032a90bd8c08caf8f74055975dd2b075bd845d15f0d4093459f506",
"type": "threshold",
"version": 9
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "243733569b61c9258414f81794aa80af97b0ce2a578f54cb1fc3eb3b6ffc5deb",
"type": "eql",
"version": 209
},
"5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
"rule_name": "Potential Docker Escape via Nsenter",
"sha256": "9b1fac0383ed7d24fc3004e580cec7bd3f701dee9659155fe2a61132c4c6280e",
"type": "eql",
"version": 5
},
"5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891": {
"rule_name": "NetSupport Manager Execution from an Unusual Path",
"sha256": "f49bf2a2ea1c32cc3ab338dd4e8f8b582091b3afe242ad98d6e048aed2256252",
"type": "eql",
"version": 3
},
"60884af6-f553-4a6c-af13-300047455491": {
"rule_name": "Azure Compute VM Command Executed",
"sha256": "8adae74085d1b365f947e33813e55390fedd6e9a18b0a155e3bc3ca16f8b6bb3",
"type": "query",
"version": 108
},
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
"rule_name": "Entra ID Service Principal Created",
"sha256": "53b3bb3ed81272c5cd748118879a25c793a01b0a8bad0cf6cf57a42745b3ba2b",
"type": "query",
"version": 110
},
"60c814fc-7d06-11f0-b326-f661ea17fbcd": {
"rule_name": "M365 Threat Intelligence Signal",
"sha256": "c39e4b442c100c558bad0866d26a3af772db700ab66c684e39f81c52511c464e",
"type": "query",
"version": 4
},
"60da1bd7-c0b9-4ba2-b487-50a672274c04": {
"rule_name": "Discovery Command Output Written to Suspicious File",
"sha256": "272a08b491e9e0ed926f59f6e233f7e3a98e77d56dc61ce20e65ccc863a87d4e",
"type": "eql",
"version": 2
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"rule_name": "Deprecated - M365 Exchange DLP Policy Deleted",
"sha256": "b61525284954c4fc0497d4722706527fd82f0c909a0d9d5d8436eb4eb64c73eb",
"type": "query",
"version": 214
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"rule_name": "Unusual Process Network Connection",
"sha256": "20c0a63a1c617c1d92a564858fc23ec78f1cd2737c5ea492135d8d6d73d6cf20",
"type": "eql",
"version": 213
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"rule_name": "New User Added To GitHub Organization",
"sha256": "20989b28438ebb27b577cc7e27b4a8fddb5f0e786199089dbf791275399a39f7",
"type": "eql",
"version": 207
},
"616b8d00-05f8-11f1-8f33-f661ea17fbce": {
"rule_name": "Entra ID Service Principal Federated Credential Authentication by Unusual Client",
"sha256": "b8a0677840e2ac54c009dfc71b670853c992e15ab05a71bbbeed68c4b46d35e3",
"type": "new_terms",
"version": 3
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "89c4a7e78c150d6be51a0ac7825e8c185a6b6079831022b8ba59a2cfd77f7047",
"type": "eql",
"version": 108
},
"618a219d-a363-4ab1-ba30-870d7c22facd": {
"rule_name": "FortiGate FortiCloud SSO Login from Unusual Source",
"sha256": "1633c7aa0014d0a78d937ad7c074f29e3aae5b3ddaf38ce799a5141b9cdebaec",
"type": "esql",
"version": 4
},
"618bb351-00f0-467b-8956-8cace8b81f07": {
"rule_name": "AWS S3 Bucket Policy Added to Allow Public Access",
"sha256": "3add80c1e8b09bdfcf8f584070eca230034c9b21f79833ba3fe4693e6f61f11c",
"type": "eql",
"version": 3
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "be24ceae2afa9baef47813fd03666ea34a8f4036452bf224e709f3f059656acb",
"type": "query",
"version": 320
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
"type": "query",
"version": 100
},
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "6383b77739e2749c866d9629ec58d853e848460e9543fa91f5fc5bdfb1ed81f9",
"type": "eql",
"version": 218
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "e0477a60892cad9da6b82baf80a54de4df04b8f72415f9f443b405c02849bc35",
"type": "threshold",
"version": 211
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "42257f22a246a40f1b6a636be55d328756204c2ab6229c57d6bed4129300b5df",
"type": "eql",
"version": 211
},
"627374ab-7080-4e4d-8316-bef1122444af": {
"rule_name": "Private Key Searching Activity",
"sha256": "79f110a532df654130e63c8b81f83d83d968d2789069f0c82d5fc5cd50e602da",
"type": "eql",
"version": 107
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "9b330c0df477e18fc4f7752d72e5b9bd2518f96989dc84c247943246459ff92c",
"type": "eql",
"version": 217
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"rule_name": "Deprecated - Potential Non-Standard Port HTTP/HTTPS connection",
"sha256": "ed5ff57cbeb63400deadf4043db9a50648c79985b315214fa0826a98bc3f6839",
"type": "eql",
"version": 9
},
"62ba8542-1246-4647-9b84-98aa1bc0760a": {
"rule_name": "Persistence via Suspicious Launch Agent or Launch Daemon",
"sha256": "e96f8422546d427d174b67e32e22f9f294338e62a32b312144be86d8f54cbf31",
"type": "eql",
"version": 1
},
"63153282-12da-415f-bad8-c60c9b36cbe3": {
"rule_name": "Process Backgrounded by Unusual Parent",
"sha256": "030fd3f59aba85e33e9013260fe60ecd2b7e4e805aece285791cb170737d59d9",
"type": "new_terms",
"version": 5
},
"632906c6-ba8f-44c0-8386-ec0bbc8518bf": {
"rule_name": "M365 SharePoint Site Sharing Policy Weakened",
"sha256": "df946fcbb376eb3a51b2e8299075494cccd95d5229b4b956537d4f162ce80731",
"type": "query",
"version": 3
},
"63431796-f813-43af-820b-492ee2efec8e": {
"rule_name": "Network Connection Initiated by Suspicious SSHD Child Process",
"sha256": "3b0351c806161fe08412397624b92f4f969afffbb96b21e055a0631d33614a4f",
"type": "eql",
"version": 9
},
"63c05204-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "e6322acdcf8bfdea43c886c81f1d74c7982802542e500006806f52c422a951b3",
"type": "query",
"version": 12
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent",
"sha256": "7de86c2aa0f76814053d0f5818bc392c8c2e59db281f8891357f87d0057dfc26",
"type": "new_terms",
"version": 12
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent",
"sha256": "298014d2796245f46bde784ce5a8c9a9bd75184e6d80bab634ae84b03fa3710c",
"type": "new_terms",
"version": 13
},
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
"rule_name": "Sensitive Registry Hive Access via RegBack",
"sha256": "4fba1a906dc24aa562d7f26cec26c9dcda0607ed266e8b587cfddf5a6f683d29",
"type": "eql",
"version": 7
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"rule_name": "Network Connection via Signed Binary",
"sha256": "ba4096f48f3a66bf6278a94d26beb5dd78a438641db6fc511bf73d79bbe9986d",
"type": "eql",
"version": 213
},
"640f0535-f784-4010-b999-39db99d2daeb": {
"rule_name": "Potential Git CVE-2025-48384 Exploitation",
"sha256": "96a8f21a03b2eacdcb3c26f34ea7073e5fb7b7804eab2e552278f4b9a8524d75",
"type": "eql",
"version": 2
},
"640f79d1-571d-4f96-a9af-1194fc8cf763": {
"rule_name": "Dynamic Linker Creation",
"sha256": "a3ad27a4e1aba1d93a8fcff149f1e5ae7d0563416aa19c3e8221f2661ddface0",
"type": "eql",
"version": 9
},
"642ce354-4252-4d43-80c9-6603f16571c1": {
"rule_name": "System Public IP Discovery via DNS Query",
"sha256": "dadbb6d434afb19f97ab0d84b81956da85c5714c7113d0f80e6e22d72df1407b",
"type": "eql",
"version": 3
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "58734d751552517001b8693378f42770573d4d066dc38f676bd455a29192c217",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "cfbfe676b63f196bd4399206148f3a8920d108155f2abfa3c4bf59600cb422e0",
"type": "machine_learning",
"version": 207
},
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "c6de97f12a7345d14030b631a6baa062804944e85c22ece163742abc536d4b59",
"type": "eql",
"version": 112
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "7a4ee8a9aed27286d48b832645557e5b2b3be000c4b6d33e49f64977508ff9da",
"type": "eql",
"version": 12
},
"64f17c52-6c6e-479e-ba72-236f3df18f3d": {
"rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
"sha256": "db724e0530dad97417c3737f077e737a1dfdf44b5ae1d4621f68d2fba0a4c75d",
"type": "esql",
"version": 12
},
"6505e02e-28dd-41cd-b18f-64e649caa4e2": {
"rule_name": "Manual Memory Dumping via Proc Filesystem",
"sha256": "cc3d4c8b00317668d507150f4b0441132efe96a271f0e24182e1cf439f2bb036",
"type": "eql",
"version": 4
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
"type": "eql",
"version": 100
},
"65432f4a-e716-4cc1-ab11-931c4966da2d": {
"rule_name": "MsiExec Service Child Process With Network Connection",
"sha256": "d8cda461562a61f7ce64ed7629a070991b408f4432d740fc350a331768e162f6",
"type": "eql",
"version": 206
},
"65613f5e-0d48-4b55-ad61-2fb9567cb1ad": {
"rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments",
"sha256": "0d9923c694d6f9e84a63f6978e5c542e08285a98fca12980503e9b9e6e4e7909",
"type": "new_terms",
"version": 5
},
"656739a8-2786-402b-8ee1-22e0762b63ba": {
"rule_name": "Unusual Execution from Kernel Thread (kthreadd) Parent",
"sha256": "b755ed320d3960e63c0cc92dbb2de8e1a6292117110a7f2412799824e5118874",
"type": "new_terms",
"version": 4
},
"65f28c4d-cfc8-4847-9cca-f2fb1e319151": {
"rule_name": "Unusual Web Server Command Execution",
"sha256": "3d0ea0342f221d21119aee57a595095918d0fd86ad7f58cee311309b90fd0800",
"type": "new_terms",
"version": 3
},
"65f9bccd-510b-40df-8263-334f03174fed": {
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "b25056edc655b86fef84b34e0ac3641910735b515a07aedaa5f68db48b4f6937",
"type": "query",
"version": 209
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "7596d477c75194501eab55a1d56dbc23f408e9b52f0d6e9477fa3caf989cd8e1",
"type": "eql",
"version": 112
},
"66229f32-c460-410d-bc37-4b32322cd4bb": {
"min_stack_version": "9.3",
"rule_name": "Service Account Token or Certificate Read Detected via Defend for Containers",
"sha256": "42652c071cbc82b5d5b670ff8b27255c0e0da12b974caa887303d2f29b94ed4f",
"type": "eql",
"version": 3
},
"6631a759-4559-4c33-a392-13f146c8bcc4": {
"rule_name": "Potential Spike in Web Server Error Logs",
"sha256": "e61b3bdfbbae99ac498171b194cea724b8e328dca23b9288ceda1d39ac1355d0",
"type": "esql",
"version": 4
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"rule_name": "Suspicious Termination of ESXI Process",
"sha256": "a7ac6a2e16d97312a1f7e3689e445d816e61c1b2556bd4fc7d7a784553b57be0",
"type": "eql",
"version": 12
},
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "c8b7ed1cedb954e68d572f77deae21770e0c4204727df0625f6c6f1e66411a6b",
"type": "new_terms",
"version": 210
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"rule_name": "WebServer Access Logs Deleted",
"sha256": "46b302e1052795242c5c6996364c7327c196bff092c53ab16033cb472970e7a3",
"type": "eql",
"version": 211
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"rule_name": "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "af55f3437d949d59400578ea1514295bd1960458ff28643620ab709ce16f75c9",
"type": "eql",
"version": 11
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "04483092ea7111ceb52a82ec96688eb7a5720d3ed3caf36c7e6e078b4713255c",
"type": "eql",
"version": 131
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"rule_name": "Linux Process Hooking via GDB",
"sha256": "766af4a5b4b8dee8f8ef9498c1f216ad14f6f4755a93fd323998698d1ea1eb05",
"type": "eql",
"version": 108
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "42588eba4cedbc1d14e04f7d2306290a2b24362be89e2d67847e34d5a2348eae",
"type": "eql",
"version": 212
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "a70d87036505f114e41a399e3573e388e43a05046ff89eea597353a7778de895",
"type": "query",
"version": 120
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "f71ab483864d71a48cf0507edbbd3dff6d995b6508879227e0b7e250970c8097",
"type": "query",
"version": 415
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "M365 Exchange Mailbox Audit Logging Bypass Added",
"sha256": "9e19b7471a462cb1508940d24058f3413af1a9726f051383aea06f04e4d56d76",
"type": "query",
"version": 213
},
"6756ee27-9152-479b-9b73-54b5bbda301c": {
"rule_name": "Rare Connection to WebDAV Target",
"sha256": "92dc23143cbc051ac463e1539ef050749a186cdfe3109f3ac86c9460ddd6f70b",
"type": "esql",
"version": 8
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "e6ecd90c1ffa19eca2a67af1b6c71e975b28190e2c7f1f5c14e41903155bbe1b",
"type": "query",
"version": 414
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
"type": "query",
"version": 100
},
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"rule_name": "High Number of Process Terminations",
"sha256": "d4b68db35dd8a14409e6834fd97cc1e2a3b99967615f1f2270ae10e6d04dc2b3",
"type": "threshold",
"version": 118
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
"type": "eql",
"version": 100
},
"6839c821-011d-43bd-bd5b-acff00257226": {
"rule_name": "Image File Execution Options Injection",
"sha256": "4abbdf2842ee1bcb6bdcb3f3b63039758c8b7295afb207b98f0304bc9077d56b",
"type": "eql",
"version": 315
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"rule_name": "M365 Exchange Federated Domain Created or Modified",
"sha256": "ff4eb2e457d5e3ebe7454a8eb3478eb11c7a177531c3ddd4ab3336c25709cc38",
"type": "query",
"version": 214
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "944fb024ccefc8bb13bca9d85069633c0bd5b285d5b4e1fc8045e2bc1b44d5b1",
"type": "query",
"version": 413
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "7f9baf27023307f44d511ff57ee099cdad40f2129fc367ca76d75a969c89d1a1",
"type": "eql",
"version": 317
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "beb7c099e4c87d3147444605e39e6fb2a85af130454c62d43ae6eba5307ce395",
"type": "query",
"version": 211
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "f7eb5ecf08a0a74de530a080fd2441011bc3c38249a554220b2e2d15494fb386",
"type": "eql",
"version": 212
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "ca809a6bd6c5e473da5a47132318262a0953bf2a6bf09e1a3bcf772bcdea2d77",
"type": "query",
"version": 215
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "f279475dc730bc14f2dfd1ac9bc7084af731d369aaac73cf5fc818804da8e062",
"type": "eql",
"version": 110
},
"68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
"rule_name": "AWS RDS DB Snapshot Created",
"sha256": "ad69aa058d530466a81bf883cda42a241f9ad8a415e5291d1aea004a51787720",
"type": "query",
"version": 3
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "1b42f6edf559e3d2b60263d34ea41d60e23f6ac770cfd98134dd27d88a284084",
"type": "eql",
"version": 214
},
"68e90a9b-0eab-425e-be3b-902b0cd1fe9c": {
"rule_name": "Suspicious Path Mounted",
"sha256": "c0ba7548cc496aae440498c2f64657c17215d4d8c1fc31821b516a0e55804eb3",
"type": "eql",
"version": 3
},
"6926b708-7964-425f-bed8-6e006379df08": {
"rule_name": "FortiGate SOCKS Traffic from an Unusual Process",
"sha256": "d649b848c5586e36017ccecc790367c99ca06795b3a429e69b524a3653d2bd55",
"type": "eql",
"version": 3
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "746b43837e7ae358433e6c7a94c73a422528fb56a1902ab5a8be4999867587d0",
"type": "query",
"version": 113
},
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
"rule_name": "AWS IAM User Created Access Keys For Another User",
"sha256": "a9bc6c80faa8050ae1541d7eee9897b8fbdb2612cca00069af0033e33a4817b1",
"type": "esql",
"version": 13
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
"type": "threat_match",
"version": 204
},
"69c116bb-d86f-48b0-857d-3648511a6cac": {
"rule_name": "Suspicious rc.local Error Message",
"sha256": "9454ca1b21ce6bfe21d078e24b4f7889fa8857ff6d3aee43af4c4ffae0519891",
"type": "query",
"version": 8
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
"sha256": "afc10ab90f42c4075c81973e33977dfced66e7b5da2b5a85c40e181edfa63058",
"type": "eql",
"version": 316
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"rule_name": "AWS Sign-In Root Password Recovery Requested",
"sha256": "7b5ac4f195b8c0bbcc320b3d13f89fa4e87ebc1dda5d046a05b109076ae52048",
"type": "query",
"version": 213
},
"6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": {
"rule_name": "Attempt to Disable Auditd Service",
"sha256": "b5bf8c334323c23629142910af291aa50391c82eed1b8a9f7c51e8d40d09d95d",
"type": "eql",
"version": 106
},
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
"rule_name": "AWS EC2 AMI Shared with Another Account",
"sha256": "38688952422703a3d3b321bdf3df09ef1d9a20fe5477a4b7a6bead6e6c13dcd7",
"type": "query",
"version": 7
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "f7c6d6964c3063f4a75d0ad2dd294083ed44eb61f6393e97482687d8b587d708",
"type": "eql",
"version": 315
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "0e421040f2de589edbc8b55db8ee6a3865f670eccc1b4c5e9cc39c27d5b2e377",
"type": "eql",
"version": 423
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "59a05181f1febc098b481acbd5cbd5725a57456d619a875909a207d3929c2b9c",
"type": "eql",
"version": 113
},
"6b341d03-1d63-41ac-841a-2009c86959ca": {
"rule_name": "Potential Port Scanning Activity from Compromised Host",
"sha256": "e113a73efc518c41b6df6bd67190ab672c30b13dbda77e7e3445ed9d8e54c13f",
"type": "esql",
"version": 12
},
"6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf": {
"rule_name": "Suspicious Curl to Google App Script Endpoint",
"sha256": "25885ed63993320aa591be8ec7247e8cc1829c062e58638919cafebcf46b1d04",
"type": "eql",
"version": 2
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
"sha256": "b4b1d4f080ee2f9ae817ac8f03b7e3665f07014ce68c646701880b9ad6378f45",
"type": "new_terms",
"version": 214
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "411e56079688143dac201cc66fee2dd6b1e6a533df93203d4e3f5c056e6646be",
"type": "eql",
"version": 214
},
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Container Management Utility Run Inside A Container",
"sha256": "dd5a08e03197da48709653f75417252ff3f50846d7c1925b2b9a6880fd5489cc",
"type": "eql",
"version": 4
}
},
"rule_name": "Container Management Utility Execution Detected via Defend for Containers",
"sha256": "914c8911ec926b779845b78a8a67ea55b68742b53eeed37aeece8e781654f707",
"type": "eql",
"version": 105
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "413515468916ea9977f82c881044a80545cce0cb54435a0b57493530e91809a5",
"type": "eql",
"version": 314
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"rule_name": "GitHub Repo Created",
"sha256": "53e7e459aac5ef6a3b6aa399a0afefb7b4ec4727ffc73d731a6b4344b0b83431",
"type": "eql",
"version": 207
},
"6cf17149-a8e3-44ec-9ec9-fdc8535547a1": {
"rule_name": "Suspicious Outlook Child Process",
"sha256": "24294021daf4daac36d25201ce441fdef000f6859d77838c88d1b4c620d1c902",
"type": "eql",
"version": 5
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 315,
"rule_name": "Unusual Process For a Windows Host",
"sha256": "c12d3d95f0d7c995800fde4303065b27add02c60576194f2f91d0515e2aa519c",
"type": "machine_learning",
"version": 216
}
},
"rule_name": "Unusual Process For a Windows Host",
"sha256": "9342a3ec46ad8d944851a0ed0e81e1916668c1c67eb353a745fdabb4ddd0d70e",
"type": "machine_learning",
"version": 316
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
"sha256": "52515d5e9039aa01279cbaea65ab4da9d7718f306506f0a16edabfcb918a1a7d",
"type": "eql",
"version": 9
},
"6da6f80f-fe41-4814-8010-453e6164bd40": {
"rule_name": "Suspicious Curl from macOS Application",
"sha256": "3b2cab38c63f83f8b75a1a46cc2952021ecb6c26c6c258ef2158796eb2b26a89",
"type": "eql",
"version": 2
},
"6ddb6c33-00ce-4acd-832a-24b251512023": {
"rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
"sha256": "eff0f62ddd3e0af974bfb14ab0530dd3f3a2a50d19bb8323fca26a786c9f7542",
"type": "esql",
"version": 12
},
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
"rule_name": "Root Certificate Installation",
"sha256": "0f941a4eec0eae5e8eafaea7a2a635dfc143067d98587953b98d26e0c1e891cd",
"type": "eql",
"version": 106
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"rule_name": "First Time Seen Remote Monitoring and Management Tool",
"sha256": "9ec7d753b697c54652c65201dc1dcd09e6fdc59686ea6113b73fc595265689fb",
"type": "new_terms",
"version": 117
},
"6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
"rule_name": "Loadable Kernel Module Configuration File Creation",
"sha256": "dfa88fafc1898a28d3c0b60e028940c7c8bf94c78ffec613d0a7fb9d99618482",
"type": "eql",
"version": 6
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 310,
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "0e4aee03edacf69e9198f2b0c2990d55cea3c4c8807f745eeaada13da2490dac",
"type": "machine_learning",
"version": 211
}
},
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "1e7c0617e681eb446d4f478862986e4d1a36fd313f0832c4b7a9a09033adb6d9",
"type": "machine_learning",
"version": 311
},
"6e4f6446-67ca-11f0-a148-f661ea17fbcd": {
"rule_name": "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)",
"sha256": "305c77756be1aa3ebef6c4519ccf07b2c84119e59377b3bba5a957090f6843c9",
"type": "query",
"version": 1
},
"6e5189c4-d3a5-4114-8cb3-bd3a65713f19": {
"rule_name": "System and Network Configuration Check",
"sha256": "362706edae4c15e704ffd619c77917cdbb538f4a44606d6f6c6632301bb6750c",
"type": "eql",
"version": 2
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"rule_name": "AdminSDHolder Backdoor",
"sha256": "dc6bffc49011189309e7b9497e36f0d750f096ab012779a4e963c370a87370a0",
"type": "query",
"version": 215
},
"6e92a21a-58e7-449a-9cfd-9f563f59ac88": {
"rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host",
"sha256": "2721e5e930982a6897a8da41631c6208072d6a03cb7bd026ece1d156d5308d26",
"type": "esql",
"version": 5
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "ab4fc675056ec570e1d0fcee0b5dade33ef3d33131e6bf6d225cffcf9d59ab10",
"type": "eql",
"version": 213
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "4f362555c866031271f8abb08e9f19566d14cb22bd946bed7430bca32e1d9ca1",
"type": "eql",
"version": 215
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"rule_name": "Security Software Discovery using WMIC",
"sha256": "1a271b28efc2579203a371e1810f70f4c164c9030910f0cc18297ec982ee80a5",
"type": "eql",
"version": 217
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
"type": "query",
"version": 100
},
"6eb862bb-013d-4d4f-a14b-341433ca1a1f": {
"rule_name": "Unusual Exim4 Child Process",
"sha256": "7e0456ccada902df35ecfeda239bfbc50dfd31a0dc386834fb8f2ea91eb4039d",
"type": "new_terms",
"version": 4
},
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "97da24e60bffad5b475a89da7cb4210ecec866dcac2b9017ae9bc655d0a947be",
"type": "eql",
"version": 115
},
"6f024bde-7085-489b-8250-5957efdf1caf": {
"rule_name": "Active Directory Group Modification by SYSTEM",
"sha256": "76b7e15f05c16a73302c84e24542e26b21f45b57610fde617b93be59af49017c",
"type": "eql",
"version": 108
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
"type": "query",
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "87db5b1008a9782f6cdf83f6404d979b3324bcc547da1c4228118130307d4f8f",
"type": "new_terms",
"version": 212
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"rule_name": "Google Workspace Role Modified",
"sha256": "50ac1ff7656d514815a0c4e4c39c449371e045968bc2d901f7d696b6bfaeceba",
"type": "query",
"version": 210
},
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
"rule_name": "Linux Restricted Shell Breakout via the find command",
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
"type": "eql",
"version": 100
},
"6fa0f15b-1926-419b-8de2-fce1429797ba": {
"rule_name": "Suspicious SeIncreaseBasePriorityPrivilege Use",
"sha256": "2dc11ea177c7c2f16472de6dbab833afbf3a072256b6d50918a81d0ff453de33",
"type": "query",
"version": 2
},
"6fa3abe3-9cd8-41de-951b-51ed8f710523": {
"rule_name": "Web Server Potential Spike in Error Response Codes",
"sha256": "27e2f30dca9a09abd668da24cbc5efaf03c1466422e00b09ec2d3c29f085da0e",
"type": "esql",
"version": 5
},
"6fb2280a-d91a-4e64-a97e-1332284d9391": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Spike in Special Privilege Use Events",
"sha256": "9774db65e26243e3f10e5b6d0e36b4993c05c3829a7b6333476c120ac88fa3c7",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Spike in Special Privilege Use Events",
"sha256": "838b61827d24324be69e2a9674684812960a9c05f5a20d8913051d9a8ae60821",
"type": "machine_learning",
"version": 104
},
"6fcb4fe4-ac74-449d-855b-2bbd5c51c476": {
"rule_name": "Multiple Vulnerabilities by Asset via Wiz",
"sha256": "0610ae726a3381c2a47b8847eccbe0161250a1617583d4adc8aa5389802803bc",
"type": "esql",
"version": 3
},
"70089609-c41a-438e-b132-5b3b43c5fc07": {
"rule_name": "Git Repository or File Download to Suspicious Directory",
"sha256": "cbf5324511ebf3d256beb8dd0237adcb4d5d5057979ca6751efcf7a7e11f8152",
"type": "eql",
"version": 4
},
"7020ff25-76d7-4a7d-b95b-266cf27d70e8": {
"rule_name": "Interactive Shell Launched via Unusual Parent Process in a Container",
"sha256": "f71732f04d4bb9024781631a563a70bc613f39033a63805b0e4f5383ed9f5398",
"type": "new_terms",
"version": 3
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "ef329416e88fd93ee0e0517742245b288bd8c1cd49172672a51d8b93a6a83875",
"type": "query",
"version": 216
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"rule_name": "AWS Config Resource Deletion",
"sha256": "3fa1996d6fb2e966a0696cc5971c64d5a29c229f00cf24cf2ef9fa58cc3f261e",
"type": "query",
"version": 214
},
"70558fd5-6448-4c65-804a-8567ce02c3a2": {
"rule_name": "Google SecOps External Alerts",
"sha256": "3875d92943fd3bd7e6de3c62cedde504db8217fbfd89d59c6a6e5afa159386d3",
"type": "query",
"version": 1
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "65980fe1ae4be0bcb253357e4e833ea08e6cf9acc68b212beaf62c43948c1e50",
"type": "eql",
"version": 105
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "dc2e28cbbbea2af5186b2e45d7fa37497ae783a755934eea904b531ac9f88b16",
"type": "eql",
"version": 113
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "eee78f93f7aeeb4b4f0ea1b35b303f8ee2141b44381b92e735a4e4cf30039209",
"type": "eql",
"version": 111
},
"713e0f5f-caf7-4dc2-88a7-3561f61f262a": {
"rule_name": "AWS EC2 EBS Snapshot Access Removed",
"sha256": "98bb1d28c3cc0f6c239a56a9034dfea2bebed6256e2716dcf375e509c4de8ebd",
"type": "eql",
"version": 7
},
"7164081a-3930-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
"sha256": "f6ead63e1234253e25aea1bb53b931f40995439f8381bf0772392858405f8080",
"type": "query",
"version": 12
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "48698d164ee9ef1e5911162525352f757091d4171f69f61e66b484e3292a3312",
"type": "new_terms",
"version": 215
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "9b65d29fa4cc5f9c11bea2a136e01f88ea77400beade01ab8c4bd36dbed7bb4d",
"type": "eql",
"version": 324
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "7c65898dade61844fe46d042846acb9ef9efc5f9db5d01aa35cdffc5e0069b05",
"type": "eql",
"version": 214
},
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"rule_name": "Suspicious Passwd File Event Action",
"sha256": "6f10456533b056d27a062e3cd7f1b222441c8c716455684202ebbc452087ad19",
"type": "eql",
"version": 8
},
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
"sha256": "0d241c897dd9c807d936d644c16d714e96efa6b0d3a0742664dc6a58b71cc197",
"type": "eql",
"version": 9
},
"720fc1aa-e195-4a1d-81d8-04edfe5313ed": {
"rule_name": "Elastic Security External Alerts",
"sha256": "5378d1cf9cc62c93c87fca496cb3de399093caee93924ada0c9a7fc88cb0dfee",
"type": "query",
"version": 2
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Deprecated - M365 Security Compliance Potential Ransomware Activity",
"sha256": "d6f4b7bdab6bfe9124312ba384a8f64ac35e481f8ee848ed5a0e9ed15340afb2",
"type": "query",
"version": 215
},
"725a048a-88c5-4fc7-8677-a44fc0031822": {
"rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
"sha256": "9a4a0b4c3a7765a9f5aa08a40f32fe99e81d8e88a0251547e6e9c333931bdc14",
"type": "esql",
"version": 7
},
"7290be75-2e10-49ec-b387-d4ed55b920ff": {
"rule_name": "Suspicious Network Tool Launched Inside A Container",
"sha256": "c2ba7bc1f82579e203cf13c0276ae7a02175109e13c3b84aa194fb79ac1745b3",
"type": "eql",
"version": 4
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "f4492ee7450c2a4666b4a18506e59ba9cb9d94cc04f8edbcd923c1dfd1580dd5",
"type": "query",
"version": 415
},
"72c91fc0-4ac0-11f0-811f-f661ea17fbcd": {
"rule_name": "Entra ID User Sign-in with Unusual Non-Managed Device",
"sha256": "1813453768a993697cc1479da5b1308872b3f2f780e62c10476e0809dca043f7",
"type": "new_terms",
"version": 3
},
"72d33577-f155-457d-aad3-379f9b750c97": {
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
"type": "eql",
"version": 100
},
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "527d4c975ef02b353316848967aa3a17c73dd08fb1948043078733d94aa336dd",
"type": "new_terms",
"version": 4
},
"7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8": {
"rule_name": "Newly Observed Elastic Defend Behavior Alert",
"sha256": "991c0b527369d84cb5ee39d4b00d92c6f07f1ea690d1589e4b8a2324575ff59e",
"type": "esql",
"version": 3
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "1e8acd425801d27306a75395ad7553fa89218783a9d5978e7cc46f96b06ee580",
"type": "eql",
"version": 210
},
"7318affb-bfe8-4d50-a425-f617833be160": {
"rule_name": "Potential Execution of rc.local Script",
"sha256": "529e1dbda15b3376095352d027735777a2397abe273d5ddbb29f3d1bd7214944",
"type": "eql",
"version": 7
},
"73344d2d-9cfb-4daf-b3c5-1d40a8182b86": {
"rule_name": "AWS API Activity from Uncommon S3 Client by Rare User",
"sha256": "4613606a794054e2bcc448e1d406d42931e2fe1c4b16baf16da9c7202686428f",
"type": "new_terms",
"version": 3
},
"734239fe-eda8-48c0-bca8-9e3dafd81a88": {
"rule_name": "Curl SOCKS Proxy Activity from Unusual Parent",
"sha256": "77e205ee183f6c0e0cde587784b03809024a7e9b5cc57a8f974dd2ce582aaaef",
"type": "eql",
"version": 7
},
"737626a2-4dca-4195-8ecd-68ef96fd1bad": {
"min_stack_version": "9.3",
"rule_name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers",
"sha256": "eb5c59bba857613a7fb8d8110f1155d944972005c6f68ebc4ea9fec1a1a12df4",
"type": "eql",
"version": 2
},
"737b5532-cf2e-4d40-9209-d7aec9dd25d5": {
"rule_name": "Potential PowerShell Obfuscated Script via High Entropy",
"sha256": "5708605ae509a80e9e65f2dbe00db765afb07010b91d983c26301632cb269bf1",
"type": "query",
"version": 3
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "21a540abdca1fa56360f1f68e121ab1cc3feebfc055b9922cca7e2f49bfca3b0",
"type": "eql",
"version": 217
},
"74147312-ba03-4bea-91d1-040d54c1e8c3": {
"rule_name": "Microsoft Sentinel External Alerts",
"sha256": "a34a03f8ae7aa0e2dd7e603598ea2a6ce21901318fe406e2e71b9bb9a42f8d8f",
"type": "query",
"version": 1
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
"sha256": "a9d6c1c782deeaef26911bdcca095460eb5de2281e53e7079c6db36ac880dd22",
"type": "eql",
"version": 211
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "cad0a70827a88e131e905da0a07e883407cc68f8408f036139f4501e8e78b192",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "ac721977de331da992d8c388a41ca573de3fa2661d93b6d29a41a90a9bc1d896",
"type": "machine_learning",
"version": 207
},
"746edc4c-c54c-49c6-97a1-651223819448": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Unusual DNS Activity",
"sha256": "e1aabfdf1dee210cd9bc10313dc7768d22ebcda60d7349abe52426f526903db3",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual DNS Activity",
"sha256": "25d810e576a232cff1b05e8e1cafc5777193188de0f8be7a9f076a6512e89705",
"type": "machine_learning",
"version": 208
},
"74d31cb7-4a2c-44fe-9d1d-f375b9f3cb61": {
"rule_name": "Long Base64 Encoded Command via Scripting Interpreter",
"sha256": "dd5b413bc795678ac76282ad2b90729974c94632a7d245e19db1783c66b64d64",
"type": "esql",
"version": 1
},
"74e5241e-c1a1-4e70-844e-84ee3d73eb7d": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Kubectl Workload and Cluster Discovery",
"sha256": "90a45d01eaf0d5df552f32551a7a4d7d49f2b95c746968de7fb580c322514b34",
"type": "eql",
"version": 2
}
},
"rule_name": "Kubectl Workload and Cluster Discovery",
"sha256": "3fb59d0debefff5c213a62421bae47af81fdede0f7c3848bdfca03c7fd031d20",
"type": "eql",
"version": 103
},
"74ee9a2d-5ed3-40c8-9e6c-523d2e6a17ef": {
"min_stack_version": "9.3",
"rule_name": "DNS Enumeration Detected via Defend for Containers",
"sha256": "c5699f232d2c200ebee161e0ddfb53f45756ab0e1b8961965e65a95f0993eee1",
"type": "eql",
"version": 2
},
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 106,
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
"sha256": "e43ca4e552859a703fda789890e9beecc00906c3805250b4156acc7bc56b7cbc",
"type": "esql",
"version": 9
}
},
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
"sha256": "86a8f77e493766f2573af3fd44aa5355acd0aee0ec046bc6bee7f1022fea8ab1",
"type": "esql",
"version": 109
},
"751b0329-7295-4682-b9c7-4473b99add69": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Spike in Group Management Events",
"sha256": "46dbe1f415014fc4ff087fd37f1d098ed96134081a662bb61724fb2e6c4e779c",
"type": "machine_learning",
"version": 5
}
},
"rule_name": "Spike in Group Management Events",
"sha256": "6111ce5b8cc57029859f4d7d1f13628833682f103a77863112e446c6c0cc6f3e",
"type": "machine_learning",
"version": 105
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"rule_name": "Suspicious Sysctl File Event",
"sha256": "9fc432aa9a279cced87c9fda16b8665d2628e1dab0015863865b7afb8f2a813a",
"type": "new_terms",
"version": 112
},
"75c53838-5dcd-11f0-829c-f661ea17fbcd": {
"rule_name": "Azure Key Vault Unusual Secret Key Usage",
"sha256": "697c251dced5fdee5d4b9057aa2f791ab784595cc2b812fc403b7fe96b202bb8",
"type": "new_terms",
"version": 4
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"rule_name": "Service Disabled via Registry Modification",
"sha256": "69703b792212ac650f5366d9c9672d3727d599a31dc333a09e730b29acaff933",
"type": "eql",
"version": 6
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
"sha256": "134c4594176dbca2b7f74074f945c476a08d79d6a308778f0f010a173d7a48da",
"type": "query",
"version": 105
},
"75f9b95f-370b-4ff3-a84c-66d9ec0b84eb": {
"rule_name": "Nsenter to PID Namespace via Auditd",
"sha256": "f88c26dc7d5fb9ad8dc2e4c143876eed2b3cdafaa896df247ffb58aa20da89be",
"type": "query",
"version": 1
},
"76152ca1-71d0-4003-9e37-0983e12832da": {
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
"sha256": "b1b0ac8a275f03a9e4f9266bdecc75a46d294a978807e76dfa46eff651b47ddf",
"type": "query",
"version": 108
},
"764c8437-a581-4537-8060-1fdb0e92c92d": {
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "3873bd6f2cb62ec83ea96f063ed37b195de67943416ef7620e3e8fc66c8a5cf5",
"type": "query",
"version": 210
},
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "99fbc0670843f40742c6738d7b65a175e21e572c0104971752b9a0481f21d03b",
"type": "eql",
"version": 119
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "fdaa141067192258d1fba1bc103d8e8971607fbf4b6aad9407dadd5afc396de9",
"type": "eql",
"version": 215
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "7a17f084e6192844b2f877437f8109cad8496af43a28efbf89b5d5b8a40ed209",
"type": "eql",
"version": 211
},
"76de17b9-af25-49a0-9378-02888b6bb3a2": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 101,
"rule_name": "Unusual Country for an Azure Activity Logs Event",
"sha256": "5e21adc950dc411f6f016793cc3e07955a770c3440428d18b0d8632c142e8c6e",
"type": "machine_learning",
"version": 2
}
},
"rule_name": "Unusual Country for an Azure Activity Logs Event",
"sha256": "daad53aa4c99d2d19175b91467d915c42a7f126b889c1a81734f3a78d05f6575",
"type": "machine_learning",
"version": 102
},
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "60456e0811186e9f508af57452cb7f817f28f4cee61eda0f03c1f2c5b8a81d31",
"type": "eql",
"version": 15
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "01ae46d4f651856933ca7c8347ea064170f254722c3796b0dff3566bcd3e9e8c",
"type": "eql",
"version": 421
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "0144659d5bb4aa17f606b5607bc2c8f3c8aa5e81be4a31afa402a200ff25cc34",
"type": "eql",
"version": 321
},
"77122db4-5876-4127-b91b-6c179eb21f88": {
"rule_name": "Potential Malware-Driven SSH Brute Force Attempt",
"sha256": "c2d560f60f74a23d2e584cb249c922e56a552e5f3a1c99eda122d4d0bff70fc0",
"type": "esql",
"version": 12
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "Entra ID User Added as Registered Application Owner",
"sha256": "c60444bf7db1c5dbe2aaa41078d472a6d0f4989088577b2fd9de8fd099b0171d",
"type": "query",
"version": 109
},
"7787362c-90ff-4b1a-b313-8808b1020e64": {
"rule_name": "UID Elevation from Previously Unknown Executable",
"sha256": "b2f265c1c6f02ff0149022c18138a9ef408fa696e50c27e9d3445721816237f5",
"type": "new_terms",
"version": 9
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "e51927f3ba4b177d5d468bb2d7ca79af15177de99cc468aff4c790fe8b29fd75",
"type": "query",
"version": 106
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"rule_name": "Potential Network Sweep Detected",
"sha256": "8cd906472fcb1e0eab241dcb4b3e15dc1d20c8b99da3affe9cb3b454b7b9eeb6",
"type": "threshold",
"version": 15
},
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
"rule_name": "Yum/DNF Plugin Status Discovery",
"sha256": "4ee525bb41e218ef13fb88f401ac12bc1f5f99fa86cac02a671bd02fc136b7a9",
"type": "eql",
"version": 108
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "89f593e9c2cc1086cf274ad161b75d49ea5f24797707c2ace2f1890b733afdb5",
"type": "query",
"version": 210
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"rule_name": "Entra ID Privileged Identity Management (PIM) Role Modified",
"sha256": "17c1e3c3e1f2363cca5097d1febb1c1fdfe1dbe7ec5c36f72b89312dc365a544",
"type": "query",
"version": 111
},
"78c6559d-47a7-4f30-91fe-7e2e983206c2": {
"rule_name": "Unusual Kubernetes Sensitive Workload Modification",
"sha256": "476c9475efcc39f0bfcb65ff6f40dba940e50eb387e43d16645a8701bb24bc15",
"type": "new_terms",
"version": 3
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"rule_name": "Spike in AWS Error Messages",
"sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89",
"type": "machine_learning",
"version": 212
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "2a433940966f2f0fe891fea3f39e6171fa12e90c3e5ad849e26484da381596f7",
"type": "eql",
"version": 315
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "fc36a81054625c5902ae6500e85e00b2a9fc03c2150826c8f62a33430d0202e3",
"type": "eql",
"version": 7
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "9ea32cdb4aba86e589f83ad01881254cc615057b09a596f8a1740009fe17a0ea",
"type": "eql",
"version": 12
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"rule_name": "File Compressed or Archived into Common Format by Unsigned Process",
"sha256": "9f0dd07e9624660f7c948faf37e93c69ecb2938712118952d7030e874b4d22cc",
"type": "eql",
"version": 7
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"rule_name": "Azure Key Vault Modified",
"sha256": "560c80b54abbb9cafeb5763facbe1bfc1170340cdba87d2d26f437a953ebba55",
"type": "new_terms",
"version": 109
},
"79543b00-28a5-4461-81ac-644c4dc4012f": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "e952b2c22ea74d519101db31f240accb3c939550221f13dc5f35591267a4d717",
"type": "eql",
"version": 5
},
"9.0": {
"max_allowable_version": 203,
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "2e5fd5f8a4d3f408aa6fdaa1bd1f128bf6f322f9d431cf50b35d478658849263",
"type": "eql",
"version": 104
},
"9.1": {
"max_allowable_version": 305,
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "19f752a00fc030143b709c78f2366eede110a300af7bee98114e298c9bf5c22c",
"type": "eql",
"version": 206
}
},
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "b8466ad6bbac620f7b3c11957e157be4a1d5210c764eaefdf7289fda21a7f9d2",
"type": "eql",
"version": 307
},
"7957f3b9-f590-4062-b9f9-003c32bfc7d6": {
"rule_name": "SSL Certificate Deletion",
"sha256": "5fbbd63d53cc0bd3f5bbee608b8d9827efa8a7109088607acffa178fec33e640",
"type": "eql",
"version": 105
},
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "3333d79d05ec9e15466500362c0268b37e40266434c27aabb9d73657780de11b",
"type": "eql",
"version": 9
},
"79e7291f-9e3b-4a4b-9823-800daa89c8f9": {
"rule_name": "Linux User Account Credential Modification",
"sha256": "795cea2132f0be536e09c042566c70bedbac1d9a32d7d90a6e8263771c4988b8",
"type": "eql",
"version": 5
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"rule_name": "Potential File Transfer via Certreq",
"sha256": "9cc0e6419c073ff3ff662d338732b39dfadec281284f8660850c09294746617a",
"type": "eql",
"version": 217
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "cb8b9a7be0c9d85f513c4b408bd065b0757c377d6e23ab723dc55a1741e20517",
"type": "query",
"version": 219
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
"type": "query",
"version": 100
},
"7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": {
"rule_name": "AWS First Occurrence of STS GetFederationToken Request by User",
"sha256": "e68fa16e0202bd0bc07a1d9c59cc6181f3add4f34d17e2e78a88be517363d37f",
"type": "new_terms",
"version": 7
},
"7ab5b02c-0026-4c71-b523-dd1e97e15477": {
"rule_name": "M365 AIR Investigation Signal",
"sha256": "7c2b1e9f0ab3d40c7743bcdd398666dea7ce01f11bbb9e71369a218dc1463f85",
"type": "query",
"version": 1
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "99fca949ae8edfb7afb964e72886e6e40bb9aa3611aba9a895220b6a5d0f2bba",
"type": "eql",
"version": 11
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"rule_name": "Potential Execution via SSH Backdoor",
"sha256": "115b28ee0d196e28e67c341ab955d79013a022f4f7a4f1e7899195e22fb80d16",
"type": "eql",
"version": 11
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
"type": "eql",
"version": 100
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"rule_name": "Deprecated - AWS ElastiCache Security Group Created",
"sha256": "d73d32e46188296a20f50b9c74ae911374036b587ff978a813cffdc26e567c3d",
"type": "query",
"version": 210
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"rule_name": "Windows Network Enumeration",
"sha256": "1287015e2cbbf36f6c4fd25871e0f13e424829e01845ab1568b70bc999cc1c93",
"type": "eql",
"version": 216
},
"7b981906-86b7-4544-8033-c30ec6eb45fc": {
"rule_name": "SELinux Configuration Creation or Renaming",
"sha256": "132d0281d9ffb39716b5e09b2766d142277327f0aa62e243fc7be053cda4e360",
"type": "eql",
"version": 105
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "dd30b5f7a318ad5565b52afd773e5291c49e0651eeb6c859d4b29d254f2a8ef4",
"type": "eql",
"version": 312
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"rule_name": "Tampering of Shell Command-Line History",
"sha256": "86c142a7a15c278ed74582e86edcee7de433f554bb163446de4fa128c5a46b6a",
"type": "eql",
"version": 111
},
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
"rule_name": "APT Package Manager Configuration File Creation",
"sha256": "0f2225c0e5a72b8db9a421b84b3d7600a08c7515a0f9198c8171b5d44ec8a112",
"type": "eql",
"version": 9
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "ae791bdb776e660c7036a0cd0a7a5d8657ddacbac0fa524b8c3f09de72e8443b",
"type": "query",
"version": 111
},
"7ce5e1c7-6a49-45e6-a101-0720d185667f": {
"rule_name": "Git Hook Child Process",
"sha256": "e1aafa5f4d3337d194ce54fa78c294dd28edec70497f58d3cfefde65ee48e549",
"type": "eql",
"version": 107
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"rule_name": "GCP Service Account Creation",
"sha256": "79fdf63a5b07ec050f2e4bccf65b9edcd7fa0acde10d5690ad4573db1c639f17",
"type": "query",
"version": 109
},
"7d02c440-52a8-4854-ad3f-71af7fbb4fc6": {
"rule_name": "Alerts From Multiple Integrations by Source Address",
"sha256": "1b10a9f9c9fdd43c1e8e5a1457824e37efbddc0f82866117cf399d9e5831b8ae",
"type": "esql",
"version": 3
},
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
"rule_name": "AWS Lambda Layer Added to Existing Function",
"sha256": "98b713e30dc1a5a360825e71125517e2765b46a0ac94fb83c2b75e0695d261c7",
"type": "query",
"version": 9
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
"type": "query",
"version": 100
},
"7dc45430-7407-4790-b89e-c857c3f6bf23": {
"rule_name": "Potential Execution via FileFix Phishing Attack",
"sha256": "b0942940cb83f01e92f2566f95c101e49dd424f3a7121f93f6fc4199d90c588d",
"type": "eql",
"version": 3
},
"7dc921db-4cd3-48ef-88bf-2bfa91f29f5c": {
"rule_name": "Entra ID Custom Domain Added or Verified",
"sha256": "62e7543d4496ac6e879f5717d0348eb2a77d4585482a48073792c0f094f57367",
"type": "query",
"version": 2
},
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
"rule_name": "SSH Key Generated via ssh-keygen",
"sha256": "53ba04010f20edbac2f1dd089f6e59d5828a9c6462083b10b69251dd20b2e843",
"type": "eql",
"version": 106
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"rule_name": "Suspicious Kworker UID Elevation",
"sha256": "85bbf6cf0101b56ff21d6892fe6fb8895c06afbd4c9ab6bace4d8db07ede02ba",
"type": "eql",
"version": 7
},
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "d223ec9ab8f7b8c61d6100d7408999304a0de71fe37a9e8eb43cbc6b4a7ed459",
"type": "eql",
"version": 316
},
"7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b": {
"rule_name": "Kubernetes Secrets List Across Cluster or Sensitive Namespaces",
"sha256": "91f40a360d614d4e374653898a06a606f41d52979be1f57ce06ddb453217f93c",
"type": "query",
"version": 1
},
"7e5c0e5a-95a5-404e-a5b0-278d35dc3325": {
"rule_name": "AWS EC2 Stop, Start, and User Data Modification Correlation",
"sha256": "5085178d8ef62259fb3d7a651f12d9b8070eec2122578fbd32b611c1df0df882",
"type": "esql",
"version": 1
},
"7e763fd1-228a-4d43-be88-3ffc14cd7de1": {
"rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed",
"sha256": "602390ce15528f3c17793e86c7683d855e54283b997afff2b59450a9133c229f",
"type": "eql",
"version": 5
},
"7eb54028-ca72-4eb7-8185-b6864572347db": {
"rule_name": "System File Ownership Change",
"sha256": "1e042eae7f87d61976c6c536ce63589d0e4f670101060411413e6cb718dd5017",
"type": "eql",
"version": 4
},
"7efca3ad-a348-43b2-b544-c93a78a0ef92": {
"rule_name": "Security File Access via Common Utilities",
"sha256": "dfd9d1738b7b47ca18ef97c110717eb2ebb80cd79bf43dcd58d9f5ca4f7dc466",
"type": "eql",
"version": 107
},
"7f3521dd-fb80-4548-a7eb-8db37b898dc2": {
"rule_name": "Potential Notepad Markdown RCE Exploitation",
"sha256": "cc73b75d6cfcb37cd8e753f3fd5b547f4507ecfb610651a20433dac419ada718",
"type": "eql",
"version": 4
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "37d093b58d917e0eb1a4d8f9b92723a63feff6e1f14d8f8be3cfa3f2b9b5fb6a",
"type": "eql",
"version": 214
},
"7f3a9c2e-1d4b-5e6f-8a9b-0c1d2e3f4a5b": {
"rule_name": "Potential Root Effective Shell from Non-Standard Path via Auditd",
"sha256": "d0f106dcb3ff6ae76fa7b71147a962b1e967aa7e742d48988008a8e178d54fa9",
"type": "query",
"version": 1
},
"7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b": {
"rule_name": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation",
"sha256": "6cf3054443a5d4ce4ad838455a77599f465d2a6d1b7aac00f871e31970d212ad",
"type": "eql",
"version": 4
},
"7f65f984-5642-4291-a0a0-2bbefce4c617": {
"rule_name": "Python Path File (pth) Creation",
"sha256": "5357e1bfb039ea8b93e129b2cdac2371d183c097a8351e7f1b28d086e81f487f",
"type": "eql",
"version": 7
},
"7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": {
"rule_name": "Web Server Potential SQL Injection Request",
"sha256": "30aa21ec0a72baf965a1cc4c73807f1dba317eeb02fee3d038e5f6869527cd9b",
"type": "eql",
"version": 3
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "c36b3a20bc7851ef82f259a38a6c6a7ec11f8f1ed9af8787d9658342939f9463",
"type": "new_terms",
"version": 105
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "Systemd Timer Created",
"sha256": "11fb6ed836d3d13fda309a2ddebc6784355450f5e65c15241634917d7de7a449",
"type": "eql",
"version": 20
},
"7fc95782-4bd1-11f0-9838-f661ea17fbcd": {
"rule_name": "M365 Exchange Mailbox Items Accessed Excessively",
"sha256": "5712eee0f955297e794d9c01a9e2b82c4704a5f852b2a23492292651861f45ff",
"type": "query",
"version": 4
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
"sha256": "fc200a3dd1eacf187d77b981115f644d11a90ee47affcd553b303b26d9b02e9c",
"type": "eql",
"version": 12
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "5a2251601cf605cb63463e81b7f57bf842eb1dd019bcc6e1a5d05909114cea77",
"type": "new_terms",
"version": 111
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"rule_name": "Unusual Process Extension",
"sha256": "85aada873799d2431ff32fe657e4ba002fcd4cf73c7d5d23d9660764dcec119d",
"type": "eql",
"version": 6
},
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
"rule_name": "Deprecated - Potential PowerShell Obfuscated Script",
"sha256": "fefa473559337a11c4edaefa3914f1b5e6809c26b04da1e9eb98f17f147f93a2",
"type": "query",
"version": 110
},
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
"rule_name": "AWS SSM Session Started to EC2 Instance",
"sha256": "9ee1ebd6c05bbcb790468a9e8e11271e207a5620aa553dae437bbcb645fceeb7",
"type": "new_terms",
"version": 6
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "be4fcdd1b914e92f16ebb75fc86828552c9fc7abda2685ac63b28f7d9a3f2054",
"type": "eql",
"version": 108
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"rule_name": "Unusual City For an AWS Command",
"sha256": "99bf6df5902600b0c743678eb247b68b3d1fdec36e3c5d7f879c547fd0141726",
"type": "machine_learning",
"version": 213
},
"80c52164-c82a-402c-9964-852533d58be1": {
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "3d170371447ea0ae70919136a26912497111be7f8e2587724e3d9187e4608f77",
"type": "query",
"version": 105
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "Unusual Remote File Extension",
"sha256": "33a6b5894bf572fe38a6958bae8ae131abc5dc3bbc817b80fd113e9e3864b0ff",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "Unusual Remote File Extension",
"sha256": "6abbaa944d0c5d273806bc58f6c8e79ceb52c0924dd195ee94aee3930230f16d",
"type": "machine_learning",
"version": 109
},
"8154d01d-04d1-4695-bcbb-95a1bb606355": {
"rule_name": "Gatekeeper Override and Execution",
"sha256": "991965250b10d42aec5d6ee76ab2fd8a361227d80eb667d76a4fa93528ded285",
"type": "eql",
"version": 2
},
"8167c5ae-3310-439a-8a58-be60f55023d2": {
"rule_name": "Suspicious Named Pipe Creation",
"sha256": "253e887c55def671178ffe4b57883d3bc98217574f194ba83ff1120724e1a7e3",
"type": "new_terms",
"version": 5
},
"81892f44-4946-4b27-95d3-1d8929b114a7": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 101,
"rule_name": "Unusual Azure Activity Logs Event for a User",
"sha256": "7c5faa919e74876e3f34492417b53d9f00eda55ae6d361c298363b9a310af609",
"type": "machine_learning",
"version": 2
}
},
"rule_name": "Unusual Azure Activity Logs Event for a User",
"sha256": "0c6c500f67d15e6e004f30895284446912eed2946c7433eb1b2e43ac9cb1368d",
"type": "machine_learning",
"version": 102
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "b2573abd94d397aa342b54649a68d6dd61b1eab6fa2a85262d80622ade46a7e4",
"type": "eql",
"version": 317
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
"type": "query",
"version": 100
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "7a4d5185d5e5d9b1908bab0d3aca30a9fd909de1e7ed5bd9973f17ea38c45131",
"type": "query",
"version": 320
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "19540fa8823bf220012c9be723cb349c87f01d6257c20b38423e67c4c11e70e2",
"type": "eql",
"version": 114
},
"8248323e-f888-4134-a26f-37a6362f7231": {
"min_stack_version": "9.3",
"rule_name": "DNS to Commonly Abused Web Services",
"sha256": "dbb5583417dd597c8f05b913273b53b8409710f3ae1eb6b9aa6e9eb4c83092fd",
"type": "eql",
"version": 1
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "5b5b70876d3001d659553913b8987b5454fa88d97ba664716d9d4d284a02725d",
"type": "eql",
"version": 213
},
"8293bf1f-8dd0-434e-b52a-1aa6ec101777": {
"rule_name": "Suspicious Write Attempt to AppArmor Policy Management Files",
"sha256": "805555cf50ddc4f2911f97266442eb357b42c55674a349ea4f73f305fce05479",
"type": "eql",
"version": 1
},
"82f842c2-7c36-438c-b562-5afe54ab11f4": {
"rule_name": "Suspicious Path Invocation from Command Line",
"sha256": "277df1300e839607dcd3b2f0c822ad6033930c8c4c737859b4bc8f29cacd38e4",
"type": "new_terms",
"version": 7
},
"834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": {
"rule_name": "Manual Dracut Execution",
"sha256": "29c7059375d06cd1cc12a302f2333031ad5939f3b5d67b5793afadddfdaea7fd",
"type": "eql",
"version": 7
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "a2bb9648be410edc4f63b16588b57cd265841be85791537e0d4635d059306344",
"type": "esql",
"version": 14
},
"8383a8d0-008b-47a5-94e5-496629dc3590": {
"rule_name": "Web Server Discovery or Fuzzing Activity",
"sha256": "985bf66729f4fbb6875ca03651b5f088856495eb5e52ed0c62d9c950a63b5641",
"type": "esql",
"version": 5
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"rule_name": "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted",
"sha256": "886e69fd58d0b30bee105947d384e6ea7ca847b28e272a7a462e23162be0cbb7",
"type": "query",
"version": 108
},
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
"type": "eql",
"version": 100
},
"83bf249e-4348-47ba-9741-1202a09556ad": {
"rule_name": "Suspicious Windows Powershell Arguments",
"sha256": "f37d18299f2b6ae378e9ebbda386f621a87953d1876e6a1d5d05d56a2a42375e",
"type": "eql",
"version": 214
},
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "e7181205724d4dd074ed7813ffe5b2b8d1e6b3d21158bb791df05b329db185d9",
"type": "eql",
"version": 115
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role",
"sha256": "4ba4a6143b3e9c0796753566012abd8ce4d00f6dc4a07026f37ecdae32914447",
"type": "new_terms",
"version": 9
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"rule_name": "Deprecated - Microsoft Exchange Transport Agent Install Script",
"sha256": "231fa1320c2fe2c406250a79a7d96b9d5ba958d3b53f96867c8c3d563d7b55f5",
"type": "query",
"version": 110
},
"84755a05-78c8-4430-8681-89cd6c857d71": {
"rule_name": "At Job Created or Modified",
"sha256": "e03a6361412c5e8705b679c6544081b684e4b0d563f052e0624e583983c7baec",
"type": "eql",
"version": 7
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "a68732ae9d35dba87c95fbec9aec936ab7565c1de5ba804a22841eadf018b195",
"type": "eql",
"version": 108
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "910ab24992b092b670b8f46bc6acd50d1ebd6641c4c0afbe68cb426c5c30f8bc",
"type": "eql",
"version": 219
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "574d715b6ce4b597ea59f0da4cbc28681d04fd706bffc3261faddca6bb433510",
"type": "eql",
"version": 114
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "b3fd7ce2686a4da739298c81e33a67dfa9c63b11eb3976fa0b8c45ac55facc8a",
"type": "new_terms",
"version": 217
},
"85d9c573-ad77-461b-8315-9a02a280b20b": {
"min_stack_version": "9.3",
"rule_name": "Process Killing Detected via Defend for Containers",
"sha256": "801e043b5aec7ea7952aa8ade78a681fd2bb3fdde4e305a4c8dae8cda599d58d",
"type": "eql",
"version": 1
},
"85e2d45e-a3df-4acf-83d3-21805f564ff4": {
"rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
"sha256": "e2f5f510ca7a02c9742e8740fd5c6a609fdbff33b7d65d755b9a2a93ef2d248b",
"type": "esql",
"version": 11
},
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
"rule_name": "Potential Subnet Scanning Activity from Compromised Host",
"sha256": "10bbd6b833bdba66080b6ea0671751c89bbd7d3fc0518fa6f03c456539502df0",
"type": "esql",
"version": 12
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "941cacbf7dfc86fc7816d9a2c8584951737f2b4dcf09ad1841befdc1cfa1ffe5",
"type": "query",
"version": 212
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"rule_name": "Deprecated - AWS RDS Security Group Deletion",
"sha256": "38f7dc5b29c5986c717c1259d1a767564079165597fcf2388d0c68538bc9609a",
"type": "query",
"version": 210
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"rule_name": "AWS IAM Group Deletion",
"sha256": "3abaf9bcf2904f994396d8543bd3aaeef43a2e98d31e9eefa381b426864ee55a",
"type": "query",
"version": 212
},
"86aa8579-1526-4dff-97cd-3635eb0e0545": {
"rule_name": "NetworkManager Dispatcher Script Creation",
"sha256": "af4d1639fa424646c1f9aea3aa4e17d4c520b08a657af139282fba725cfc76d9",
"type": "eql",
"version": 7
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
"sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
"type": "eql",
"version": 1
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"rule_name": "Security Software Discovery via Grep",
"sha256": "dd820be9349011d4ec335569d9898cb70ea8a935ad0df6f01cbe987c9d711bc7",
"type": "eql",
"version": 113
},
"871ea072-1b71-4def-b016-6278b505138d": {
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "4bbc068166c4cd467e8b63f0500aaddf001c6469a8ae6a620d661881570e619f",
"type": "eql",
"version": 220
},
"873b5452-074e-11ef-852e-f661ea17fbcc": {
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
"sha256": "e339c78401a6804c63a87a211a0a0487e1e57f189247c6bf1d912d29cfc286d6",
"type": "query",
"version": 9
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "5f457fe98b665b8a9e62cc644d1ab36295835009aa64a66b3ba48a3a15c0e423",
"type": "query",
"version": 213
},
"877cc04a-3320-411d-bbe9-53266fa5e107": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 100,
"rule_name": "Kubectl Network Configuration Modification",
"sha256": "f52b65c61add58050fdf37f23b51c7f49e70f75ffcd36f2a268c0c7d8fb5b4c7",
"type": "eql",
"version": 1
}
},
"rule_name": "Kubectl Network Configuration Modification",
"sha256": "a1894306d2121d58ca0fbece2a5bf937c976bf968265df675e6644c2ee86bd99",
"type": "eql",
"version": 103
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
"type": "query",
"version": 100
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"rule_name": "Linux Clipboard Activity Detected",
"sha256": "586482d2e766199d7d20451c536089086726536ce2d6b78324c97ca9e8a27dac",
"type": "new_terms",
"version": 10
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"rule_name": "M365 Identity Global Administrator Role Assigned",
"sha256": "826d91fd08a94cba97478f637b721a622927885f74aa5e12a9c39555ba33dc67",
"type": "query",
"version": 215
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "dffeb89bd2bc7aa9295056acf3f3e48cf641480002098af31aac13a9fd518282",
"type": "eql",
"version": 113
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"rule_name": "Potential Sudo Hijacking",
"sha256": "15290009b50a0be19faab5d4bcf8b037b1133350ac236ed74d1fef9b7f28e36c",
"type": "eql",
"version": 112
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "79766485064b150c88c72e4318717a5ae5fbf67996a675b6a6fc90adc2bd6c35",
"type": "eql",
"version": 212
},
"894326d2-56c0-4342-b553-4abfaf421b5b": {
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
"sha256": "91e82c47e7296c7f031bd60c2e9a11cbad7708537f7897a41fc725b48242bcdb",
"type": "eql",
"version": 108
},
"894b7cc9-040b-427c-aca5-36b40d3667bf": {
"rule_name": "Unusual File Creation by Web Server",
"sha256": "e571b65fc24fca4eca6d1be59574531c2d30099725b3b2636dfca04cf3dca1fd",
"type": "esql",
"version": 8
},
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
"rule_name": "Linux Restricted Shell Breakout via the vi command",
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
"type": "eql",
"version": 100
},
"896a0a38-eaa0-42e9-be35-dfcc3e3e90ae": {
"rule_name": "FortiGate Overly Permissive Firewall Policy Created",
"sha256": "d1d718262a55ce4eb2f3109b52008bb31b4730548cc74c0bb2f88c2066874849",
"type": "eql",
"version": 2
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "997ff3e71d520c0732a123e1d0ad70cdd6bf378b08cb0676dcb3dc3b8be50005",
"type": "eql",
"version": 215
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"rule_name": "Suspicious Command Prompt Network Connection",
"sha256": "78c4503367d09652a555301342470eda60e4bb0bbbdede4115675d26689da852",
"type": "eql",
"version": 215
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "dd084e812cce1783a6f9ba2487369dcde52524dd9ebbdf42cbb46fbc6775cb61",
"type": "eql",
"version": 111
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "85b2f05242ef2b243497149f4a9ced74f2092360b32956fbd76fa5877477b9ae",
"type": "eql",
"version": 11
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "bfbc2e038be0e058b013edc804ae3cbf9358bf4e7a5e60ec7708fd9335b00208",
"type": "eql",
"version": 213
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"rule_name": "GitHub PAT Access Revoked",
"sha256": "f2df2aa417dd23bf02331ebd404b3dd336f446beb1284f6393f29558895e7cbf",
"type": "eql",
"version": 206
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "SUID/SGID Bit Set",
"sha256": "3cdc89e93768197c70d988777a765055e5d99d6ff147c94e5015d96650a4f6ce",
"type": "eql",
"version": 110
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "b1b9d970b94d1f0d33fee26a4679f1232d96921a54d9a4d0c247b861915dce0f",
"type": "eql",
"version": 214
},
"8a1db198-da6f-4500-b985-7fe2457300af": {
"rule_name": "Kubernetes Unusual Decision by User Agent",
"sha256": "87463c0ee2b94b85ef1a97b095d7804388e7ec85b856a29cf58045acff6110ef",
"type": "new_terms",
"version": 6
},
"8a556117-3f05-430e-b2eb-7df0100b4e3b": {
"rule_name": "FortiGate Administrator Login from Multiple IP Addresses",
"sha256": "9dcb51c768e95cbd73655d85347ee0163b46f11470f3d673caf5994a6cf16314",
"type": "esql",
"version": 3
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "9af183f0898497548e96c09ddfe9a51ebc3e65db6be58b64891ede967f7a09ff",
"type": "query",
"version": 415
},
"8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": {
"rule_name": "Unusual Command Execution from Web Server Parent",
"sha256": "df522ce5e98dfecebb085a50f07d0317c34618922825d910d3e36754b4d631b9",
"type": "esql",
"version": 12
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Deprecated - Suspicious JAVA Child Process",
"sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693",
"type": "new_terms",
"version": 209
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "500aa971acca151f7325aa6f5b1b35a36cd749170866c9f0f3f9a5d1061d008b",
"type": "eql",
"version": 110
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "0891db2139f619c3e12aa7ff813fb6c47c0b921921e10f68302d2cc5e09094fc",
"type": "eql",
"version": 315
},
"8b4d6c3a-2e9f-4b7c-9a5d-6f8e3c1b4d2a": {
"rule_name": "Azure Storage Account Keys Accessed by Privileged User",
"sha256": "ef60832a362b19da1ecb80f507f7097c504c401b7bfae720da603f222f294c0f",
"type": "new_terms",
"version": 2
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "155748dc2cb03082c198d49c5b3a63d68bcbb946ac0249b60cdd1c0ad240e967",
"type": "eql",
"version": 316
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"rule_name": "Azure Kubernetes Services (AKS) Kubernetes Events Deleted",
"sha256": "8e4798edae7eb2301c9219ac5243fe24e10cd947652efff3d972e522037a0d38",
"type": "query",
"version": 109
},
"8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": {
"rule_name": "Several Failed Protected Branch Force Pushes by User",
"sha256": "161df6cf4be2d2363710a4fe6c657d1b60e3e64c8b7438588f60e9f60d3528b5",
"type": "esql",
"version": 4
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "a116199798ce219c0aceb2948a7979d20498678ec9bb86abedd8ddb7e974d16b",
"type": "query",
"version": 110
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "115d29537b2bf7faefb1fac91860d7d62bba80d66b4344f46aadb922bd980abd",
"type": "eql",
"version": 319
},
"8c707e4c-bd20-4ff4-bda5-4dc3b34ce298": {
"rule_name": "GitHub Private Repository Turned Public",
"sha256": "991c4ac5ed8d79ec82589e11ec67a2d11efbc523875013051b96457b55be274a",
"type": "eql",
"version": 2
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "4cf3598e184cd3c8984d8d33d2a1c2d9b9516554d1c903ef569a66889fe0c998",
"type": "eql",
"version": 112
},
"8c8df61f-ed2a-4832-87b8-ee30812606e0": {
"rule_name": "Potential Linux Tunneling and/or Port Forwarding via Command Line",
"sha256": "0adfd339ad27a6b8b76c80aedee937f94c4f97230a6eb989be7cc055dc705db6",
"type": "eql",
"version": 2
},
"8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Host Name for Okta Privileged Operations Detected",
"sha256": "8d6b03d8b977dac1e4f97975d2503c23388923c451ba2f613c2166c4691efcc8",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Host Name for Okta Privileged Operations Detected",
"sha256": "b1badadb630b67c0ce5e1097220bb27225d8f7c5aeafd602875395912a5854c2",
"type": "machine_learning",
"version": 104
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "2011f6739abbd03c4369c3fa7727c0657b1f67a5333d12dd0d202ebdee66f918",
"type": "query",
"version": 105
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "a96fb4b4b383179cc72cb5eae13d8db7519f05a462df336a7c09f4ff2348581e",
"type": "eql",
"version": 16
},
"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": {
"rule_name": "RPM Package Installed by Unusual Parent Process",
"sha256": "fd3063980542ef2a702e17a3d1846cff65911774f84b6f95d92358d7c03f8e7b",
"type": "new_terms",
"version": 6
},
"8cd49fbc-a35a-4418-8688-133cc3a1e548": {
"rule_name": "Proxy Execution via Windows OpenSSH",
"sha256": "e08100fdb189d4a8d88e1b98e86124b022055743f5ea002e7c6e51addcb26261",
"type": "eql",
"version": 3
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "0bf06ca7dbd6bf33afe26f82f0a013a7c48a33b7aa69fe2114aa607308c21adb",
"type": "eql",
"version": 6
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container",
"sha256": "88ade54075f60d3f7d6b81818ce258f39b487468f44dde8a70aaac119e397edd",
"type": "eql",
"version": 5
}
},
"rule_name": "Interactive Shell Spawn Detected via Defend for Containers",
"sha256": "50e2c7782f8be9f72c7128dc4db0539b9d79ef43293b239f22635c9dbe0b1cd5",
"type": "eql",
"version": 105
},
"8d4d0a23-19d3-4186-a6f1-6f0760d2e070": {
"rule_name": "Multiple External EDR Alerts by Host",
"sha256": "796c80711f75aa99686c41d6b4c990ca5897bf90204be59ed446c63bddbf82a9",
"type": "esql",
"version": 5
},
"8d696bd0-5756-11f0-8e3b-f661ea17fbcd": {
"rule_name": "Entra ID OAuth ROPC Grant Login Detected",
"sha256": "7c732e1ccfa76a9e4b864a9a5cc905c699b322c8fd19066eb9ae614ad50d1e82",
"type": "new_terms",
"version": 4
},
"8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6": {
"rule_name": "Potential Data Exfiltration Through Wget",
"sha256": "3fd2b1b4a83e83cd6cc4d3b9171acbf2a8727daa0a182983a596c27976019c1c",
"type": "eql",
"version": 3
},
"8d9c4128-372a-11f0-9d8f-f661ea17fbcd": {
"rule_name": "Entra ID Elevated Access to User Access Administrator",
"sha256": "83c4b5a6c2d976377276bf4663925ff8f4c92cb2bd44e8d4ff715af6e89ca335",
"type": "new_terms",
"version": 5
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "b076e4e14884d25fba16f078694f7925272dd885b2e4091bc53e86bf8312b0fe",
"type": "eql",
"version": 213
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"rule_name": "Azure Automation Runbook Deleted",
"sha256": "4310e0e0dd6ef5d366aac17c4b8233b9ed3a2a2603d418aeb156e14b7ca3bc2d",
"type": "query",
"version": 108
},
"8e2485b6-a74f-411b-bf7f-38b819f3a846": {
"rule_name": "Potential WSUS Abuse for Lateral Movement",
"sha256": "753cd28018873970c400a8298c254ce1524a2b19087d022f3c34d946504e3669",
"type": "eql",
"version": 213
},
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
"sha256": "4d5ec92b6f2172b7a6f70ad0e96425134d404f434be5f19e8347ab2f531bce2d",
"type": "eql",
"version": 6
},
"8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": {
"rule_name": "Entra ID Actor Token User Impersonation Abuse",
"sha256": "3d44c73a3692bf5d2e82a05e5660e69202bc834886ad39fb4b6b3fe0211e845a",
"type": "esql",
"version": 6
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"rule_name": "Bitsadmin Activity",
"sha256": "ebcef83158cf83d309f5a795e4af56f9baaf29a4683c7458757351eec539a0f2",
"type": "eql",
"version": 108
},
"8eeeda11-dca6-4c3e-910f-7089db412d1c": {
"rule_name": "File Transfer Utility Launched from Unusual Parent",
"sha256": "836b3c4bc02c3e85bb2f6eaa8fec7d019a33b393b55fb392dc33c9c865f2deb6",
"type": "esql",
"version": 12
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "79d2a9160017926198d637f08dc603fedbb7cd4fbd83d17b74b08580ee1474bd",
"type": "eql",
"version": 108
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "97d9b5554bd6133e3e4d7eab81bb0e47fff98c0f0126fc4f675c97058901bb29",
"type": "eql",
"version": 113
},
"8f8004e1-0783-485f-a3da-aca4362f74a7": {
"rule_name": "Linux User or Group Deletion",
"sha256": "9097975f7890b4d531b35ae33794bd65145b919c575d26e22fa95c26151a5f1c",
"type": "eql",
"version": 2
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "166e37431a08e33591ca315008ea56f76f0f709bf7e858c2dd2fe622cccd981e",
"type": "eql",
"version": 212
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"rule_name": "GCP Service Account Deletion",
"sha256": "76199312383db1b95ac2268eaada459efb3d102690231973671f8a2c499dfde3",
"type": "query",
"version": 108
},
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
"type": "eql",
"version": 100
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"rule_name": "Hping Process Activity",
"sha256": "5452130912b7e1ab2aa128c84c0b21c6969d10067f9d01105f86b08e0a26dcab",
"type": "eql",
"version": 213
},
"9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": {
"rule_name": "GenAI Process Connection to Unusual Domain",
"sha256": "411e1e52013103268793186989a70512a23fff33bd76a04df70efccab5657b4f",
"type": "new_terms",
"version": 5
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"rule_name": "AWS RDS DB Instance or Cluster Deleted",
"sha256": "01f5c53e0534cf3e8f1dbc49a95dffba600a0a04c5417d52cf36cd471cf5a624",
"type": "query",
"version": 212
},
"9056d577-4da5-47bf-8c94-6c0b1bb3f8a5": {
"rule_name": "Chroot Execution in Container Context on Linux",
"sha256": "1327e72d0dfdb1e0f8b9b5f3fefee53813631ef25ed39a9bbba78105ed320c11",
"type": "query",
"version": 1
},
"907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
"rule_name": "Simple HTTP Web Server Creation",
"sha256": "09d9d01561eb71ac979bff7232ba219371801a51e963720cbb333052c30acf43",
"type": "eql",
"version": 106
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "3767b47364ab96c700f9ddf5ee8bf9636f68b00a9d5b36d8c98ee2483cd8cd65",
"type": "eql",
"version": 114
},
"909bf7c8-d371-11ef-bcc3-f661ea17fbcd": {
"rule_name": "Excessive AWS S3 Object Encryption with SSE-C",
"sha256": "04c5ec27d3a9b03f4132d923b9bcf00154388d2360fe8789359516fccfc3187d",
"type": "threshold",
"version": 6
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"rule_name": "InstallUtil Activity",
"sha256": "1f836d04fff5d1714236d933b95423d63a44b8df46085065d9e394338ffd3e8c",
"type": "eql",
"version": 107
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
"type": "query",
"version": 100
},
"90e4ceab-79a5-4f8e-879b-513cac7fcad9": {
"min_stack_version": "9.2",
"rule_name": "Web Server Local File Inclusion Activity",
"sha256": "03d1493423cf1eecb33f5c4bb9d629da961d04391cab206a3651b60855ddd1e8",
"type": "esql",
"version": 5
},
"90e5976d-ed8c-489a-a293-bfc57ff8ba89": {
"rule_name": "Linux System Information Discovery via Getconf",
"sha256": "aa1f61fe8a16a44fd7569befb93e71d7bf94d8ade6285a0afabf70257ebdf9ec",
"type": "new_terms",
"version": 5
},
"90efea04-5675-11f0-8f80-f661ea17fbcd": {
"rule_name": "Entra ID Unusual Cloud Device Registration",
"sha256": "ef5f1f198548e65c9ed5cb95c3b011532c0de3d57edca67c59a6007529e93b0c",
"type": "eql",
"version": 5
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "b710a75749f1c2ca395821015bbfa00e3870d75a89785e4506f4029b9d54445c",
"type": "query",
"version": 109
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "b772aae4fecd07fc3fda61945a74f84d5f31d5e5371a490c75a2c1f5e39b21d9",
"type": "query",
"version": 212
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Web User Agent",
"sha256": "ac0052e2c70450d918b677a7f8f2d3408af1b451b1788e4f8c86581933e2603e",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Web User Agent",
"sha256": "cfcad42e56eaf65d1ad977504ea2a1122b7bec964cd4aa3c09f5aaa0983e206a",
"type": "machine_learning",
"version": 207
},
"91f02f01-969f-4167-8f55-07827ac3acc9": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Unusual Web Request",
"sha256": "c2a5dcf47a109617f2ae0c83a92116a8d4b1a8335b84b9c65d58ab3333ed2ea0",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Web Request",
"sha256": "6674d243b24f7dbdaa41751d1c4dc3244e6757de2c25baff5ebbd5d32e1422d5",
"type": "machine_learning",
"version": 208
},
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "DNS Tunneling",
"sha256": "f497eccc9233e8257ed6e93ccb53e711b11690bb288e1e79e9d3562fb7773c14",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "DNS Tunneling",
"sha256": "6d6bb3df7c940826fbc2cbff1da1ad41b1dd196c901b034d0f7f1bfe259397a0",
"type": "machine_learning",
"version": 208
},
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb",
"type": "threshold",
"version": 102
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "58da4c9a17bcfbc79ef87cb25e7a4fcf2d48d7ed569789517061ef9be0b86634",
"type": "query",
"version": 214
},
"929d0766-204b-11f0-9c1f-f661ea17fbcd": {
"rule_name": "M365 Identity OAuth Phishing via First-Party Microsoft Application",
"sha256": "5b1525d9fb3e1d0b955b43b502826a19998607b96fce7d351b5f2a4b656a61fe",
"type": "query",
"version": 5
},
"92a36c98-b24a-4bf7-aac7-1eac71fa39cf": {
"rule_name": "First Time Python Spawned a Shell on Host",
"sha256": "be63d148ae752f2a10774f0a44d74f9d112e91c8757bb2b6821252b3481ce6c1",
"type": "new_terms",
"version": 2
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"rule_name": "A scheduled task was created",
"sha256": "7efafffc437abbe227a0503113191f580362de2d55f7d83279aa4718b2ad5227",
"type": "eql",
"version": 115
},
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "ba06cd9a60b678a177105f360eee0602b9dbae4dc739bd308111e4ccf706fe98",
"type": "eql",
"version": 111
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"rule_name": "AWS STS Role Assumption by Service",
"sha256": "a7f3fb92910eb74a17595421262ef4c0c685a07e4e5512f18cdb96117b34f30b",
"type": "new_terms",
"version": 216
},
"93120a05-caf5-47f6-a305-e8abee463fb9": {
"rule_name": "Kubernetes Pod Creation Using Common Debug or Base Images",
"sha256": "75899e6bc8d17dbb87ecafbe4e9e56a1a465d8e7dffd767f9a24ac2d03860358",
"type": "new_terms",
"version": 1
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"rule_name": "Sudoers File Activity",
"sha256": "bed251adfc37c827253140e4659e753a36a15717622a7081ab318cf765576578",
"type": "eql",
"version": 211
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "c55bac37daa9321802740fb410156e014f7560d5cc079d927f224956d090523e",
"type": "query",
"version": 213
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "b1ca64a473159cace9469b404e6e212f76b072963ef57f2082259313d45d3b85",
"type": "eql",
"version": 214
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"rule_name": "Deprecated - Encoded Executable Stored in the Registry",
"sha256": "f68b4a5cc0a9b8ae595d15919b1ce6607fa1a1b6e08ef5f73c6b91d35996c7ac",
"type": "eql",
"version": 419
},
"93dd73f9-3e59-45be-b023-c681273baf81": {
"rule_name": "Linux Video Recording or Screenshot Activity Detected",
"sha256": "a7d3bdce1506512de3038f519099b488cfaf31a9ddf4c791ac8aca3c2861359b",
"type": "new_terms",
"version": 2
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "69b1e02d3a36de758cf981011b13ecfc3134cc52eeaa7686b2f2aef99248120e",
"type": "query",
"version": 210
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration",
"sha256": "1e54e18fae8c9afcee81de6f64a1d344e006e894e2357424bbdf76c9accceb1c",
"type": "new_terms",
"version": 208
},
"94418745-529f-4259-8d25-a713a6feb6ae": {
"rule_name": "Executable Bit Set for Potential Persistence Script",
"sha256": "36ac08934324e18a5d413160904562eb2048ebc1ec0386d2e5c65e183599afbb",
"type": "eql",
"version": 109
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"rule_name": "Deprecated - Creation of Kernel Module",
"sha256": "f57e1a7d616beee44b8df1ddbe37efef07389ae2b99b7b1490801184286ed01d",
"type": "eql",
"version": 6
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "3507e4b16ab8077d5b8ded1a95748032027b442f316dbc78a0ac441986535426",
"type": "eql",
"version": 216
},
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"rule_name": "Potential Okta Credential Stuffing (Single Source)",
"sha256": "c9bdd66f536436153709d92c363c2bfc9637912240daf7eb789913fb2a9f4efe",
"type": "esql",
"version": 211
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "e9260d441ee6bb2650fab753e31ab175e5b98418141b067ed6cd3a942bd81750",
"type": "query",
"version": 110
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "c0132ac1a7c0915024784aa3942547eb1ab31b0ca04f36d96800c8bd7ae1d279",
"type": "query",
"version": 110
},
"952c92af-d67f-4f01-8a9c-725efefa7e07": {
"rule_name": "D-Bus Service Created",
"sha256": "a18c513e885014629b1256650fe3ded14d233dc2ed783efca6ecb4b8af1946fa",
"type": "eql",
"version": 7
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"rule_name": "Remote Scheduled Task Creation",
"sha256": "d806114e9175121535a78373c2f4f747985e6a90c11f6e960c3370037b71e866",
"type": "eql",
"version": 215
},
"9563dace-5822-11f0-b1d3-f661ea17fbcd": {
"rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client",
"sha256": "4062c9fbacade77b466ba4c8c18199e74c0d56a88a9eeef6fdc5d2d4494315d7",
"type": "new_terms",
"version": 5
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "ac705fd1257ac37bcda167b715884142ebe726b87d21f9f82b2b0bbd48822ee4",
"type": "query",
"version": 214
},
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "a266665d423c29eff07547ef4fd37eec7dc215b9f139f64484299c2a1bc49456",
"type": "esql",
"version": 211
},
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
"sha256": "7d65bad7fb01c9df8886dd57509eeb3dab22246cd5bdb3030a6770a70c26d822",
"type": "new_terms",
"version": 8
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "664d91c0caabcfe4dc2f59f70f0f2794d27fd6412090b2e38af73e4fe008def3",
"type": "eql",
"version": 4
}
},
"rule_name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"sha256": "8731c52d5893d47420bbb5a3b0149d7db6bfb0f0bb7297e2fd1c7cbbb03a5f01",
"type": "eql",
"version": 105
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"rule_name": "File made Immutable by Chattr",
"sha256": "f924c739edb9ebd321df9baebfbf20c658b48cffa6bc33e56a3061d08f2160d1",
"type": "eql",
"version": 217
},
"96b2a03e-003b-11f0-8541-f661ea17fbcd": {
"rule_name": "AWS DynamoDB Scan by Unusual User",
"sha256": "922c37a1cdb6f1cd90a88e213929b164bbb8346fecf5aaf2548d04f5c1200ffb",
"type": "new_terms",
"version": 6
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"rule_name": "Attempt to Create Okta API Token",
"sha256": "6b1686cc7b6a837576f758cc91736ce0308787558a588f34d90d5cb568304455",
"type": "query",
"version": 414
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"rule_name": "Message-of-the-Day (MOTD) File Creation",
"sha256": "fb6f0c3d4a4b1103cffd1214243faf16011837bf6185ed9dd364b4b00955967d",
"type": "eql",
"version": 17
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"rule_name": "Keychain CommandLine Interaction via Unsigned or Untrusted Process",
"sha256": "c279f98199a5b04feb2862a6366b838116076f27a12f928988e6fa4747284e71",
"type": "eql",
"version": 212
},
"96f29282-ffcc-4ce7-834b-b17aee905568": {
"rule_name": "Potential Backdoor Execution Through PAM_EXEC",
"sha256": "132131e91bb5571399245226355bb06a9e2707dbe7eebedaa18d51a965601746",
"type": "eql",
"version": 4
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "3f327621ed0547019a5b5d0a878ab68f39d8bea7a021464559cbccee95018f77",
"type": "eql",
"version": 114
},
"9705b458-689a-4ec6-afe8-b4648d090612": {
"rule_name": "Unusual D-Bus Daemon Child Process",
"sha256": "32963455b75df93504e8d1002eaa12a8821f55aa19be3c4fee1115dc42f8708c",
"type": "eql",
"version": 6
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"rule_name": "M365 Exchange Anti-Phish Rule Modification",
"sha256": "5085f954d4ff259286c61446ad71512f3a21abc0c58e2e492aea0ccb050116d8",
"type": "query",
"version": 212
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"rule_name": "GCP Storage Bucket Configuration Modification",
"sha256": "f2cc5c75a97f850533473a4b070a5de9e09cadd3e2d2ab3e3594bf7a4f0bd19c",
"type": "query",
"version": 109
},
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container",
"sha256": "2d3f1fb31aed3137b4c66bc1c06f0b69ebd962020c11d14fad42177ba41d2319",
"type": "eql",
"version": 3
}
},
"rule_name": "DebugFS Execution Detected via Defend for Containers",
"sha256": "cb201a9e31aa49674cb68601b095f1fe2812900a8e7b104b8e5a35913c4cd69c",
"type": "eql",
"version": 104
},
"976b2391-413f-4a94-acb4-7911f3803346": {
"rule_name": "Unusual Process Spawned from Web Server Parent",
"sha256": "5bf6380747f1cb95b184818ca866517ab8cd592d255de6dee340594eb30015d8",
"type": "esql",
"version": 12
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"rule_name": "AWS IAM SAML Provider Updated",
"sha256": "101588c75ca495165b4a75b184b63ce8f2ecc204a09f8a1f687e32708adb06e5",
"type": "query",
"version": 214
},
"9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": {
"rule_name": "Potential HTTP Downgrade Attack",
"sha256": "332b2fd1b93728b75ec6644427e2c70a980d7b9e53a67f205181e14114d99b4f",
"type": "new_terms",
"version": 2
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications",
"sha256": "a44033692c37bed24ce3925b6ca42e5bd9fb6b47ee30ff08d20220ff77e28f9c",
"type": "eql",
"version": 419
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"rule_name": "Suspicious Zoom Child Process",
"sha256": "1a18715f4ab14be5a645089d5e96d2d98eaf64d7c8b4239d84d2d0c8b518fbfa",
"type": "eql",
"version": 423
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
"type": "eql",
"version": 100
},
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "34932396b727d338f36c36468067ccae5bda12c0704d2824ff90b34548bbe134",
"type": "eql",
"version": 13
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
"type": "query",
"version": 100
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "d7a6f3d9e2ace9040d8e06757f2efc2c06486ff524feba35e5e3a743560622d6",
"type": "eql",
"version": 120
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "dafbd42605333aa135c1efb0261e9eb5359dffe444e4979a8dea91630c9e80ff",
"type": "eql",
"version": 9
},
"9822c5a1-1494-42de-b197-487197bb540c": {
"rule_name": "Git Hook Egress Network Connection",
"sha256": "cc8a4cc0fb13f05a7da5ab6cfb6cd3695172d812a45c53e6a907e9695ba46683",
"type": "eql",
"version": 7
},
"986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"sha256": "d8b0db21eaf28b6c2ede7046c2a599db635f704533c740913838a7ef0b324a85",
"type": "eql",
"version": 107
},
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "1d8b7387ffc9ba14ad87292fe10c366ccadee0b56b8e0932723616aa4afb8154",
"type": "eql",
"version": 107
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"rule_name": "GCP IAM Service Account Key Deletion",
"sha256": "9e0d0436cb2a69e6b72f3dc82fd928e79dd5ee95eaf0a59877b5e93864791dc7",
"type": "query",
"version": 109
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"rule_name": "M365 Exchange Management Group Role Assigned",
"sha256": "12f387e3566dfd84bdb25e5380d9df4277a814500ce2286d1b624994ca9552d8",
"type": "query",
"version": 213
},
"98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Kubectl Configuration Discovery",
"sha256": "f1ce3b64d18b203d2a5640f04f3f140a038e195d7d299e1891dcd2e4cd5b0c67",
"type": "eql",
"version": 3
}
},
"rule_name": "Kubectl Configuration Discovery",
"sha256": "33897dd8a858f989c8a73f3f64ff7d370670cc9d413c2f2b022a4b1ef3ca0e10",
"type": "eql",
"version": 103
},
"98cfaa44-83f0-4aba-90c4-363fb9d51a75": {
"min_stack_version": "9.2",
"rule_name": "AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts",
"sha256": "36a458a86040717891dffe0223608c244d185d931205bbeee4113444efced15a",
"type": "esql",
"version": 2
},
"98ebd6a1-77db-4fe1-b4fd-1bd3c737b780": {
"rule_name": "M365 SharePoint Site Administrator Added",
"sha256": "dd4667aa3346d5aaf3c34b89d393074ecf11bf0188f022df8a39f52ad5c089a9",
"type": "query",
"version": 2
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"rule_name": "Deprecated - AWS EC2 Snapshot Activity",
"sha256": "f018635a33a67f68ce5ed0b514c90f9a136b4bb3e7d4b2991c4d51c8bc7cb121",
"type": "query",
"version": 212
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "a0bffa98b85b5302f04968bd516704fa0a3f9b1d3c9378af798ce9ddbae69612",
"type": "query",
"version": 105
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"rule_name": "Suspicious Installer Package Spawns Network Event",
"sha256": "10b68299303c79e2f3f73069791e5403b756335bc4d4d502987b6d7352fd276b",
"type": "eql",
"version": 113
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "e6d17410dec032b711ab184de223d6a66583d99ce4761d37339a5dfddd2d61d4",
"type": "eql",
"version": 116
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "97c6179e37d6a79ce2058fadfe181ef06473676782811c2c2c42619d9ef9d70f",
"type": "eql",
"version": 314
},
"999565a2-fc52-4d72-91e4-ba6712c0377e": {
"rule_name": "Access Control List Modification via setfacl",
"sha256": "14fa79860f040a253d5c11c72158206f1e5d8427bf093ceea28e56c485e5deb0",
"type": "eql",
"version": 107
},
"99ac5005-8a9e-4625-a0af-5f7bb447204b": {
"rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
"sha256": "a2d97fff1bd846c160d0686891ff780be940567b549646c42ea3501261c01f27",
"type": "eql",
"version": 3
},
"99c2b626-de44-4322-b1f9-157ca408c17e": {
"rule_name": "Web Server Spawned via Python",
"sha256": "310b1e61d9b41741178106b8ba4ed0c827b48f8a08a902c110a7820c4292770e",
"type": "eql",
"version": 106
},
"99c9af5a-67cf-11f0-b69e-f661ea17fbcd": {
"rule_name": "Potential VIEWSTATE RCE Attempt on SharePoint/IIS",
"sha256": "bb8b21db9e5d74586d51fb821124a37c98917348d26a72bccecddea93d210c28",
"type": "query",
"version": 1
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Spike in Failed Logon Events",
"sha256": "258d2a4aff6f38a12e7faee6637ec4ac5c3e839daa6ead4587fd9871bbdc57ae",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Spike in Failed Logon Events",
"sha256": "6c2a61bfd4d95da96708ad6dd4ffad62c9111f9ab7950b025deef83d487990df",
"type": "machine_learning",
"version": 208
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"rule_name": "Endpoint Security (Elastic Defend)",
"sha256": "9a34f25056907f42962de240e218fc715885d5e29636b34368c1b817e89a3e25",
"type": "query",
"version": 108
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "e5e1fcb9ece7005ef0bf2067c7f44e12d243276d89aa4b0a9100bfab5196ca5c",
"type": "eql",
"version": 5
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "e8efbccb131f12cbf2af6152d092d09160eccb18d0bf83fc5d299a3bb5ed419a",
"type": "new_terms",
"version": 213
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"rule_name": "Suspicious Explorer Child Process",
"sha256": "df0048d2667b6c222cfdce393bfaed7e9c0b0ff9f393e1e2179394241e1acdf9",
"type": "eql",
"version": 315
},
"9a6f5d74-c7e7-4a8b-945e-462c102daee4": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Kubeconfig File Discovery",
"sha256": "308de3e9eb7308216c0635af6334abd3db7814ad46abf18c269f84d999abd623",
"type": "eql",
"version": 3
}
},
"rule_name": "Kubeconfig File Discovery",
"sha256": "952491df2d553d81ac6123388594fb05d3495f6ad8592f77c734e2f8c1ec0938",
"type": "eql",
"version": 104
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "3810a0fccc9e811440eae244a951df04360e69e721dfcf8f30aa58e24469f983",
"type": "eql",
"version": 316
},
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
"sha256": "da64cc799df3d7b93ccb5ae04e3e099d02a697837a05f18e35f295b53e2747fb",
"type": "eql",
"version": 10
},
"9aeca498-1e3d-4496-9e12-6ef40047eb23": {
"rule_name": "Suspicious Shell Execution via Velociraptor",
"sha256": "6b99269e68808661c7b097b7da16cf8d7325e44f45bb3d3d2420dc40f42bcdd8",
"type": "eql",
"version": 4
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "8c4046c8e10aa286e834471735eccdfa372b1419bfbe3dfca6713b231951221e",
"type": "eql",
"version": 211
},
"9b35422b-9102-45a9-8610-2e0c22281c55": {
"rule_name": "SentinelOne Alert External Alerts",
"sha256": "68730c7058c78efbdb1fa839ed203894407fe046b9db371d79697927d04df699",
"type": "query",
"version": 1
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "374c1fe670e524331c98bbb4ec7592c692b262eb48d79de575d8a792ab4a3eb2",
"type": "eql",
"version": 319
},
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
"sha256": "08b7cbc1fe957a8e96b47412dde3a48dee6dd1c2196e026c8300003adc915044",
"type": "eql",
"version": 10
},
"9c0f61fa-abf4-4b11-8d9d-5978c09182dd": {
"rule_name": "Potential Command Shell via NetCat",
"sha256": "e984f394b7db575dabb5ab5eae23ab9c57ebb2227b9f11c38f7cad14f9f9a7bb",
"type": "eql",
"version": 2
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"rule_name": "Hosts File Modified",
"sha256": "2a3d34af24f45fc01ea0f0bcd3ba685e5a5caa3780e1818985ea77f40f1e9ffc",
"type": "eql",
"version": 214
},
"9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": {
"rule_name": "Unusual Interactive Shell Launched from System User",
"sha256": "9ece81aaee4ed5b034cf8a085367eaccce1145402d65119600ff18fed390a0d4",
"type": "new_terms",
"version": 6
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "19de9f9fc0e3eecf2d6c781ee13ed518693898c4ae017773ae00935a3c0461b8",
"type": "eql",
"version": 115
},
"9c951837-7d13-4b0c-be7a-f346623c8795": {
"rule_name": "Potential Enumeration via Active Directory Web Service",
"sha256": "0c85320dda4c263897f73786db5f64709cee15a949bdeb737af5e0699732c8d8",
"type": "eql",
"version": 7
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "b196224da05961cc60a8e23ab01d266096b0a93b7052944f664f549754b8f810",
"type": "eql",
"version": 315
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
"type": "query",
"version": 104
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
"rule_name": "Trusted Developer Application Usage",
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
"type": "query",
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "81212b96cde03acf5a34ba614c8863dcc6824d7342a7a9bb0de627b78ae23a56",
"type": "new_terms",
"version": 318
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "a5a2120ba773b49b0c59e22922b4d05a1af99a127f4a6bdf1f9aee20e15bedcf",
"type": "eql",
"version": 319
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "c7e89da2a2aa3a6c364cad023a1d462109ad48931c034f3dbd9796b13a413f5a",
"type": "eql",
"version": 220
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "0982e8339b388a70826a63e397b5e247bacd15c4aa96fa2be11d965afd150e48",
"type": "eql",
"version": 214
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "42048d40cc9b676d20a7f287ad562321f8a39036183d95d04b769aebead1de85",
"type": "new_terms",
"version": 321
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "934d4f4f579d6487e86d38b573a7fedca4169097d8914b5859aedc7ba96931f5",
"type": "eql",
"version": 212
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "1f613942d9635e2ee4408f035335dc11248c2834c138baa4e331d1a0ec21274c",
"type": "eql",
"version": 111
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "17a28b4dce20cb1cb51218cf838490173d818ace7c6afb91e9ecee3e1b61b565",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "f8d8912ae2d8039dc804a4fb2851251923c29ebace475dcf20f4bd3b87bcc4fa",
"type": "machine_learning",
"version": 207
},
"9d312839-339a-4e10-af2e-a49b15b15d13": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request by Common Utilities",
"sha256": "d0d094b1f3d2824d3f539e132c5573e5b8d9e94f113705086cb90fc35438b8dc",
"type": "eql",
"version": 3
},
"9d94d61b-9476-41ff-a8d3-3d24b4bb8158": {
"min_stack_version": "9.3",
"rule_name": "Tunneling and/or Port Forwarding Detected via Defend for Containers",
"sha256": "f8be6f477a2da1a7d940956c6dbc04076b17f5ab491021aaa8b623554c49eae5",
"type": "eql",
"version": 2
},
"9e11faee-fddb-11ef-8257-f661ea17fbcd": {
"rule_name": "Entra ID User Sign-in with Unusual Authentication Type",
"sha256": "c99ca37b4a4b58fb57cfc77836e72bbe603e86068b3ea86669df86ac64e69d76",
"type": "new_terms",
"version": 8
},
"9e5dbd3b-5e19-4648-a1cf-c2649c91b015": {
"min_stack_version": "9.3",
"rule_name": "Namespace Manipulation Using Unshare in a Container",
"sha256": "e432f9cf681f15c99f6ef764b574776af1db178c2e2367382ffb482750acf8f5",
"type": "eql",
"version": 1
},
"9e81b1fd-e9fb-49a7-8ebe-0d1a14090142": {
"rule_name": "Potential Password Spraying Attack via SSH",
"sha256": "3cbe10aca00d7c1efe266e506d7f5a7d57600ad6207ecce6d61f2bb650737630",
"type": "esql",
"version": 3
},
"9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28": {
"rule_name": "Potential SSH Password Grabbing via strace",
"sha256": "c9bef573b3f690c4d008b46914f0168b42c2944eb1945c737c89d8a76e6f4aa4",
"type": "eql",
"version": 3
},
"9ebd48ac-a0e2-430a-a219-fe072a50146b": {
"rule_name": "AWS CloudTrail Log Evasion",
"sha256": "b08fe11bdf17d81c9516472a841db7993c175996a06773032ef7b92282f89ebc",
"type": "query",
"version": 3
},
"9ed5d08f-aad6-4c03-838c-d686da887c2c": {
"rule_name": "Okta AiTM Session Cookie Replay",
"sha256": "39164513ba294600eae6f1e6a7d5ac56cf28a69c5d48983ffe6a3f7ce5639f99",
"type": "esql",
"version": 3
},
"9edd000e-cbd1-4d6a-be72-2197b5625a05": {
"rule_name": "Suricata and Elastic Defend Network Correlation",
"sha256": "2ab8e7a7800653b9e37968900393df0f9f2f5d33441573121f0280acbe34c2cd",
"type": "eql",
"version": 4
},
"9edd1804-83c7-4e48-b97d-c776b4c97564": {
"rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
"sha256": "b33c684120dc6f9e6274cf518cc990c7730ed0e47045a4cb79d4cf11bb098b76",
"type": "esql",
"version": 10
},
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public",
"sha256": "22b08b978d2a7ffdaf6487814a21eac8a8b3882f05c0c72938e5ada70b2f223d",
"type": "eql",
"version": 9
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "de326157f887fe153178406c21d4c6d5b7083d7b37989d95fbe88cc3b47cf107",
"type": "eql",
"version": 216
},
"9f432a8b-9588-4550-838e-1f77285580d3": {
"rule_name": "Dynamic IEX Reconstruction via Method String Access",
"sha256": "a51bf01a5df76390c908b50a4a9b7c3fb2cdad0ed9c8e0c55d50b16b67c240d7",
"type": "esql",
"version": 12
},
"9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f": {
"rule_name": "AWS IAM Long-Term Access Key First Seen from Source IP",
"sha256": "427dd26601fe597a174af7d832b94eb1a8f5786d002b426dd2946745d63601c8",
"type": "new_terms",
"version": 2
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"rule_name": "Potential Credential Access via DCSync",
"sha256": "9c42ae537b615ded60d491c0690bcaa728c5fe70c54e4d67b5d0a21a63b88776",
"type": "new_terms",
"version": 221
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "d93040becd8bbf8f42f58453634aae7a7ea3e2544497b11c5ebe435f07c4b01b",
"type": "new_terms",
"version": 216
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "8795f294df2824f66b4130cdff5d174717d9981c7dd6f859e37bbcb28b3c398b",
"type": "new_terms",
"version": 319
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"rule_name": "Unusual Scheduled Task Update",
"sha256": "c67025ab0d89afff2e717de898cb55d5689c8aad67826167a03b0cd4c9bc284b",
"type": "new_terms",
"version": 118
},
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
"sha256": "e33dee9e1e0472fe7b4bb95a33a85484750138d145fa1fd68bad0ec533d1e2db",
"type": "eql",
"version": 9
},
"a0fbd7a9-1923-4e05-92df-b484168f17bc": {
"rule_name": "Sensitive File Access followed by Compression",
"sha256": "4229ab56c54c29e2fee1021f6509406944d50803d252c497dd310d99fed68335",
"type": "eql",
"version": 2
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"rule_name": "GCP Pub/Sub Topic Creation",
"sha256": "b7563d73159d22dee91b57c70d5c21d5a8a4e1bda6dac44d4d928cd855957b07",
"type": "query",
"version": 110
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "e62636c003eda020e0336d2bf353771df79401bc70067f267bf5059c2bce00dc",
"type": "eql",
"version": 212
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"rule_name": "File Deletion via Shred",
"sha256": "5efdf2a253cb05a0a0e2d843c94d7196d97edc860d48285c4275b8aa17f1887f",
"type": "eql",
"version": 216
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "253c914e9293edebec6c7faf581b9cef1faa6bab72fc5ae1ce5284af5d7a0a04",
"type": "eql",
"version": 213
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "015324413a84362600add02b8df771116af2de4f119d3868ab9425704251e0d8",
"type": "eql",
"version": 215
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "5c9184b7bbce98b4980ceaaf2d6c8d70b16c21ace2d1ecb51d7c6cfb7050a0dc",
"type": "query",
"version": 109
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"rule_name": "My First Rule",
"sha256": "63fb939bf754aaa427be9132c2868915140e558a8c69ce185d547593c05ab4ba",
"type": "threshold",
"version": 5
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "1933279eb0a1f69eecd6e4e705790232b200372e83e832ecfb52e1319e301f5e",
"type": "eql",
"version": 112
},
"a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d": {
"rule_name": "Azure Storage Account Deletion by Unusual User",
"sha256": "352c5821d7eca95826730550a43559e960148a7696f8b66ee023fbedc192978c",
"type": "new_terms",
"version": 2
},
"a1b2c3d4-e5f6-4789-a0b1-c2d3e4f5a6b7": {
"rule_name": "AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity",
"sha256": "c3bf694ddbb0183b499e816bed860e55e57086d6f8bee87f6eead524f76a96ff",
"type": "esql",
"version": 1
},
"a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": {
"rule_name": "Potential Account Takeover - Logon from New Source IP",
"sha256": "3eb049e7a57e256acae41fb8b3da9603ace0b0d8167ea059564a83f64cc7a5b2",
"type": "esql",
"version": 3
},
"a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": {
"rule_name": "Entra ID Protection Admin Confirmed Compromise",
"sha256": "54a26dec737e913d13398210e60b5e0765bc4f57976293f5c9666910f23ef99a",
"type": "query",
"version": 3
},
"a1b2c3d4-e5f6-7890-abcd-ef1234567890": {
"rule_name": "GenAI Process Connection to Suspicious Top Level Domain",
"sha256": "c597b499c50eebdee9b57239e803b09995c9099b189f7337ed6bc1c272e861ea",
"type": "eql",
"version": 1
},
"a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": {
"rule_name": "Web Server Suspicious User Agent Requests",
"sha256": "f069dfa7e85bd95eea645793c221cb5329e75544f6b1b6646cc55a104a95ee7f",
"type": "esql",
"version": 5
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"rule_name": "Linux Group Creation",
"sha256": "d0040002c9b7c60e5e303893dd4a5ca29f8df89596c3191f76c6af9d7d2eaf06",
"type": "eql",
"version": 11
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "1094a50c56d7017e3b7cacacb46da4f3f742a1927fcbbd986b23e9f2cb7b8632",
"type": "eql",
"version": 317
},
"a22b8486-5c4b-4e05-ad16-28de550b1ccc": {
"rule_name": "Unusual Preload Environment Variable Process Execution",
"sha256": "8ee49a67c0bedcc25c790e6d57a0835f5748dc89b35eb4dd6c0736231edeace1",
"type": "new_terms",
"version": 6
},
"a22f566b-5b23-4412-880d-c6c957acd321": {
"rule_name": "AWS STS AssumeRole with New MFA Device",
"sha256": "6935a7b9fd5f67e312b06f45233bc7e9e6e832dc3f93a9c0b1f84cb7624bb384",
"type": "new_terms",
"version": 8
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
"sha256": "8ffc100a7b1d4ce6518d28c266f7b80ca1898c4505645909bdfea0f8f22ac297",
"type": "query",
"version": 112
},
"a2951930-dd35-438c-b10e-1bbdc5881cb4": {
"rule_name": "Kubernetes Cluster-Admin Role Binding Created",
"sha256": "e69d0cfdb03d64b04b04b0301086a748d32f13d2f828a3b71177061780ee9f68",
"type": "query",
"version": 2
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "55d54469459e3e10c63d48e5b841cec3199fb5050e041092c06301b26217a960",
"type": "query",
"version": 113
},
"a300dea6-e228-40e1-9123-a339e207378b": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Spike in Concurrent Active Sessions by a User",
"sha256": "553c6e6e65c43d5ee933841dbf34f7d9a9ea80e08e543900e277036686cbddfa",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Spike in Concurrent Active Sessions by a User",
"sha256": "a296f2e27d0d4e3f4f6c7ab90fc49f8f4a0b4c14d49775288666a234e4b403b2",
"type": "machine_learning",
"version": 104
},
"a337c3f8-e264-4eb4-9998-22669ca52791": {
"rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected",
"sha256": "c842a49d9921b27647b6349ad118e5d70cd985461f2b819bf9fa5f5a4a11bae3",
"type": "esql",
"version": 2
},
"a3cc60d8-2701-11f0-accf-f661ea17fbcd": {
"rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client",
"sha256": "38c9a1b455477aee830f90a89dae1d703f545c3d857cf4262153a23b2e0c80ba",
"type": "new_terms",
"version": 6
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"rule_name": "Execution via local SxS Shared Module",
"sha256": "45e496a5db75cfaeacfff862a81984feb874e83dda47302b806b3018d6b902b8",
"type": "eql",
"version": 315
},
"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": {
"rule_name": "AWS EC2 Instance Interaction with IAM Service",
"sha256": "7f99f097bb57ddc1941d88331bcbee883d0ab39981bc2f9b36b90e3de2a4f6ed",
"type": "eql",
"version": 4
},
"a4b740e4-be17-4048-9aa4-1e6f42b455b1": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 100,
"rule_name": "Spike in GCP Audit Failed Messages",
"sha256": "640606acf483065052865e9a6e801d491b8afb375423dfb06058d87b0b54b602",
"type": "machine_learning",
"version": 1
}
},
"rule_name": "Spike in GCP Audit Failed Messages",
"sha256": "0293cbc3c1b896acdee5fb53bfe925958fc9d5ec773806a13d9e468e89a65005",
"type": "machine_learning",
"version": 101
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "494c2ead2012b6ac1746c05e790ae1b33e01a2c4944d8d5ceea9b180635be2eb",
"type": "eql",
"version": 114
},
"a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a": {
"rule_name": "Kubernetes Secret get or list with Suspicious User Agent",
"sha256": "e46a2fbbff2a97fc224bcfc204b6da19f6797f396c7f45d04837c9c0e237ffc6",
"type": "query",
"version": 1
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
"type": "eql",
"version": 100
},
"a4f7a295-aba1-4382-9c00-f7b02097acbc": {
"rule_name": "Suspicious SolarWinds Web Help Desk Java Module Load or Child Process",
"sha256": "787d2f5521dc4499fb6b01d857d4e2f1c96bb9acf94725a4dc16764d99962411",
"type": "eql",
"version": 2
},
"a52a9439-d52c-401c-be37-2785235c6547": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Netcat Listener Established Inside A Container",
"sha256": "fd8969a55ab13b838a1e6d7c81ce6d0a88af0b34bec2c1e8ecd214505daf0196",
"type": "eql",
"version": 4
}
},
"rule_name": "Netcat File Transfer or Listener Detected via Defend for Containers",
"sha256": "7e3bfec1c4781db2d7417c710ec2883216a3b33ff5bfd0292f1c72cf76b48f18",
"type": "eql",
"version": 105
},
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
"rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary",
"sha256": "ac4f1de021eef140be9defb824c7e9ee6b9253d4f74b46a48f745b35d636d7ee",
"type": "new_terms",
"version": 5
},
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "682586bdb044ed6ab9f2d86aa3803980638ce1756f871292eca8c0f20adae25e",
"type": "eql",
"version": 12
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
"type": "eql",
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 314,
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "ce3fd44cac75566f4e140bffa3f637c3283d0882621b0b5f292369e185473e54",
"type": "new_terms",
"version": 216
}
},
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "527325250cfdd394de8beb2562d3f3d0b44210d85cdfb77b26cfbcbb2c56a852",
"type": "new_terms",
"version": 317
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"rule_name": "Entra ID PowerShell Sign-in",
"sha256": "5d891782faacde7c072c3f8e3819b0e10c0932cbea16e27587b86081ee4e243e",
"type": "query",
"version": 110
},
"a6129187-c47b-48ab-a412-67a44836d918": {
"rule_name": "M365 Azure Monitor Alert Email with Financial or Billing Theme",
"sha256": "34085bc10fd883d07e4593354c15c2b5a740f637f8f8a0dac8b18c02556d89dc",
"type": "esql",
"version": 2
},
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "13b8297ead30f89bf1e834ac869dc0d250d9ed0b8604dea85acc5c85584ada84",
"type": "threat_match",
"version": 9
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"rule_name": "Suspicious MS Office Child Process",
"sha256": "61beceda1e8d0cc9099934a9ad0a0bcae06126b1650941b03a8b4e36c8c1f191",
"type": "eql",
"version": 320
},
"a640ef5b-e1da-4b17-8391-468fdbd1b517": {
"rule_name": "Execution via GitHub Actions Runner",
"sha256": "ea34a8cd8b428ffac29baa616dc58a516e9d24a3ae30c3525c5fdf5478d1bc34",
"type": "eql",
"version": 3
},
"a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
"rule_name": "AWS S3 Bucket Server Access Logging Disabled",
"sha256": "6ce6628461a895263040879ad1dfccf958216ebc96b9c795d5b3ce688836c641",
"type": "eql",
"version": 7
},
"a68da7d6-7eab-45bd-97c5-93b469c0706e": {
"rule_name": "Shell History Clearing via Environment Variables",
"sha256": "947c4f4f578b77ec8de5b9313a87559740ab6d5272631cd859175d57e2c06c80",
"type": "eql",
"version": 1
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"rule_name": "Emond Rules Creation or Modification",
"sha256": "0aef85561df73b765eb845f8de00dd44020df10da07314fb87273d339f48199e",
"type": "eql",
"version": 113
},
"a6d4e070-b9b9-4294-b028-d9e21ad47413": {
"rule_name": "Entra ID Protection User Alert and Device Registration",
"sha256": "310fb191964cd8a1481bfde5eabce117f3b6e1f1134007c7bb846f0d233c50c7",
"type": "eql",
"version": 4
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "High Mean of RDP Session Duration",
"sha256": "54d4c476c777d29b060e86d324c7eccca8db5647602b0b9efa9792822185c764",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "High Mean of RDP Session Duration",
"sha256": "0cf7caa172c255e31f5dcf206ca1101b180773c822559efef5ad87fde3d2d054",
"type": "machine_learning",
"version": 109
},
"a750bbcc-863f-41ef-9924-fd8224e23694": {
"min_stack_version": "9.3",
"rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers",
"sha256": "31e7a49e77598252a554c7de32610e73a9bcd249edd8f11c4d792f3e14f2916d",
"type": "eql",
"version": 3
},
"a7577205-88a1-4a08-85d4-7b72a9a2e969": {
"min_stack_version": "9.2",
"rule_name": "AWS S3 Rapid Bucket Posture API Calls from a Single Principal",
"sha256": "b08945299b2979bc5b4cb397789d41998ee6fc5b71db51bfe41012ad68ba8e2b",
"type": "esql",
"version": 3
},
"a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": {
"rule_name": "Execution via OpenClaw Agent",
"sha256": "a9fb3ddbff42c0d57d6e0002f0d6155ea00cf381999b2af63577940aa8776c47",
"type": "eql",
"version": 4
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "9a80dda429d15a1d127b965b832c36ae3ecc37b8d11e618da12fd5c3d7c2d9db",
"type": "eql",
"version": 118
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "09188e85df6c935a817c69aff47b5bb33c503487e0fb04907d556b52211719f9",
"type": "eql",
"version": 317
},
"a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f": {
"rule_name": "M365 Purview Security Compliance Signal",
"sha256": "d963fc1b077051067a8bc042f00ec72e4f00312ac6bc459bfacda7b80c2b9ec4",
"type": "query",
"version": 1
},
"a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": {
"rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User",
"sha256": "26c16152fd28558423e9c60d5393ad5482ec38ef5492aeb15ecfb8587231fddc",
"type": "eql",
"version": 3
},
"a80d96cd-1164-41b3-9852-ef58724be496": {
"rule_name": "Privileged Docker Container Creation",
"sha256": "a43c4cce90f10259b7f083ff5adbd8eca3f9cc3b122406f30ace77a409419d1b",
"type": "new_terms",
"version": 7
},
"a80ffc40-a256-475a-a86a-74361930cdb1": {
"rule_name": "AWS IAM SAML Provider Created",
"sha256": "8d2440f5b8111e88075595c64071b426a241d0e78819f05d6c66caeca7046f04",
"type": "query",
"version": 3
},
"a8256685-9736-465b-b159-f25a172d08e8": {
"rule_name": "Suspicious Curl to Jamf Endpoint",
"sha256": "c823ebf0672517c8ed1929f4379c1fac131417b4c0dca9ef94e1dea1560ad82a",
"type": "eql",
"version": 2
},
"a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
"rule_name": "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker",
"sha256": "84fcc460d0f329b6494b2756d4cb004798d5c54d8f76ee6b19ac2b149fc59a3a",
"type": "query",
"version": 8
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "5477bb1770d6318e393bcc2afa8bb0beb8c77aa1af475f245c7cb193b9f51338",
"type": "query",
"version": 105
},
"a87d49f0-24ae-4d6e-a0b4-5fd2f6188d6a": {
"min_stack_version": "9.3",
"rule_name": "Kubectl Secrets Enumeration Across All Namespaces",
"sha256": "dd2e61c000cb7733d1035682841ea2bd21ce20c73dc2b64c291657550b304ab2",
"type": "eql",
"version": 1
},
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
"rule_name": "Authentication via Unusual PAM Grantor",
"sha256": "f46594fa786a8d96dc492f49de6a09e7c4bf69b2f8f6bba7fc371fe01c0140c3",
"type": "new_terms",
"version": 6
},
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"rule_name": "Suspicious File Downloaded from Google Drive",
"sha256": "b083c7c924a0947dc0048039147a36632af5a70ced0a58b91f8d089faa8cf44f",
"type": "eql",
"version": 9
},
"a8b08d2d-6dfe-453f-87d1-11d5fc3ec746": {
"min_stack_version": "9.3",
"rule_name": "File Download Detected via Defend for Containers",
"sha256": "dd24216e43c8d2d97f235518778ef26185e2277d713a56fc385c92a5ed05305b",
"type": "eql",
"version": 3
},
"a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0": {
"rule_name": "Newly Observed ScreenConnect Host Server",
"sha256": "42aea7c755e89c2bd3dc07f143d1900120f97192aa9e1d3400c34f98c42e26eb",
"type": "esql",
"version": 3
},
"a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": {
"rule_name": "Azure Storage Blob Retrieval via AzCopy",
"sha256": "4cafd5b1d72e9099750d39514142a06221336044dc6ab66d5df8acf39358c552",
"type": "new_terms",
"version": 3
},
"a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": {
"rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand",
"sha256": "55145a5b782b65b05f5834f544ec591950f607a59669ef53b3cf1cd0dfce7950",
"type": "esql",
"version": 4
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "High Variance in RDP Session Duration",
"sha256": "f9c8c7c261451895bad9202f8a232c6e4062e1d272ece1ec51d009c841579e71",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "High Variance in RDP Session Duration",
"sha256": "3f9e29581657650330798e93e0d4b843c0de67a256b30133da018e49aca461f2",
"type": "machine_learning",
"version": 109
},
"a8f3c2e1-4d5b-4e6f-8a9b-0c1d2e3f4a5b": {
"rule_name": "AWS IAM Sensitive Operations via Lambda Execution Role",
"sha256": "722248fbd97f34880ac46f44b6881220135ab96b0ffbff1f45977226ab809dde",
"type": "query",
"version": 1
},
"a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Region Name for Okta Privileged Operations Detected",
"sha256": "bd9b1c164a07769ffeb8aeb475e7e3e4f8d0a0787d5e419ee1ca1e160d2149c9",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Region Name for Okta Privileged Operations Detected",
"sha256": "8a3a0a541278d7abc6675acd56413d6d3ec869a0bebfb0ef0bbb8f846c5adfc5",
"type": "machine_learning",
"version": 104
},
"a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f": {
"rule_name": "React2Shell (CVE-2025-55182) Exploitation Attempt",
"sha256": "a60f77fb20413deff742fb48c1ef902bdd8a712ed6eacc619eceaf824f93bfbe",
"type": "eql",
"version": 1
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
"type": "query",
"version": 100
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"rule_name": "M365 Exchange Email Safe Link Policy Disabled",
"sha256": "6b995af6f7a66f483caeb7f4b0ed5e4fbce766890078ac36b73135b287bebc97",
"type": "query",
"version": 213
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "ab5be5778aeb2192c5a6b094c17c63ba6bec949da499eff193f5208975a9bf86",
"type": "query",
"version": 210
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "3b30278eb35bd453721b5e6a3709354920655bc529e57a4de4d76c5c1194a794",
"type": "eql",
"version": 215
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "165337503847ed379edc1c1e54e7503406682e6849717aa2668355066215f1c6",
"type": "query",
"version": 110
},
"aa1e007a-2997-4247-b048-dd9344742560": {
"rule_name": "Script Interpreter Connection to Non-Standard Port",
"sha256": "e45fd015a2a23f9dae370bf76c6835579ef979403f82f2256fcf2c71dadae0e8",
"type": "eql",
"version": 2
},
"aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Spike in Group Lifecycle Change Events",
"sha256": "117615ae9f7bbcdf2f22d30db030b964809f545f13d82041ceafa1c2b45773da",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Spike in Group Lifecycle Change Events",
"sha256": "65061d6e84d85ff3f20ca8420b9fb9f8bad47f3264055c2fd6c4347a74673750",
"type": "machine_learning",
"version": 104
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"rule_name": "GCP IAM Custom Role Creation",
"sha256": "08a46011d52f72f80b008709b145d97420698886ef6cd771ecba32a0ed3ac316",
"type": "query",
"version": 109
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"rule_name": "System Log File Deletion",
"sha256": "7633b03ab034572bab063198511ae4e111488b09f58f32812662c42da32b9762",
"type": "eql",
"version": 218
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"rule_name": "Remotely Started Services via RPC",
"sha256": "6044bf376ccf04ea41cce6830f9e16bb0e4e844f7476ebbddb782cf23d5f3dc4",
"type": "eql",
"version": 218
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
"sha256": "40212eadfc73ddc6d9f2fba89b444a4f0646b6c991c6f16e3b33e61216bb6cda",
"type": "eql",
"version": 6
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "e2a2498e73e3f61c27758713a85c042b5c136d49093f9f6e33faaf38267ece36",
"type": "threat_match",
"version": 10
},
"aabdad51-51fb-4a66-9d82-3873e42accb8": {
"rule_name": "GRUB Configuration Generation through Built-in Utilities",
"sha256": "27610c9d7787e7f52bb7ead9aef37e9fb044dd6430bbe3d6769401682fde8596",
"type": "eql",
"version": 6
},
"ab25369e-ea5e-46f1-9cd5-478a0a4a131a": {
"rule_name": "Multiple Elastic Defend Alerts by Agent",
"sha256": "ca36982b65f983afbd58ef8087bb1e67f1468ce5ff36888897cfda5e08b2e4f6",
"type": "esql",
"version": 2
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
"sha256": "800ec5ed633507891479b778135ca7c8a5269e65744649d1d8a0ea40408dc5d7",
"type": "eql",
"version": 123
},
"ab7795cc-0e0b-4f9d-a934-1f17a58f869a": {
"rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)",
"sha256": "9eb2c45dfa3291e5f9ceaf2caf261fbed05150c8688cdfc93f3c7731b5759f90",
"type": "eql",
"version": 3
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
"sha256": "8ccdf67f1d4b379fa6cc68be39217c56969856cc4f90870f049c0942c6268d93",
"type": "esql",
"version": 12
},
"ab9a334a-f2c3-4f49-879f-480de71020d3": {
"rule_name": "Unusual Library Load via Python",
"sha256": "7a0ef5b6fa33fef315d70305319e2f28b52ecf4bcd373708a98ffb1312146928",
"type": "eql",
"version": 2
},
"aba3bc11-e02f-4a03-8889-d86ea1a44f76": {
"rule_name": "Perl Outbound Network Connection",
"sha256": "1199004d18d11cefa9e43650db5c565969e006d67b5da5d7cb5ec77c33114b01",
"type": "eql",
"version": 2
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 309,
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "bb1a749f861f7459448bb4e1a2eb19dc2a26f353fb57634eed0ccea7218f3cff",
"type": "machine_learning",
"version": 210
}
},
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "9a73061513a45d35de86697c4b677a0b2e5dbc1f1d9a84b7f5d0d24234dda985",
"type": "machine_learning",
"version": 310
},
"abc7a2be-479e-428b-b0b3-1d22bda46dd9": {
"rule_name": "Google Calendar C2 via Script Interpreter",
"sha256": "cd3aac05b993742d0c467053b7548c79623f2da5a4d979c6abe448b797d3411c",
"type": "eql",
"version": 2
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"rule_name": "Potential Persistence via Login Hook",
"sha256": "3458d345ab11b49c4e091f9cf2f1b6535e27e905407265f7ac9aef9dfb91564b",
"type": "query",
"version": 112
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"rule_name": "Suspicious WerFault Child Process",
"sha256": "f72e495d77718926a77986259bf53a198b1fd96ed96ead06aa95fc1b3bb9cd6d",
"type": "eql",
"version": 420
},
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
"rule_name": "Git Hook Created or Modified",
"sha256": "d613f940d2dddc9dad9333b8188f60d43dc30443a11f82c3821da4d4ac7cf4f7",
"type": "eql",
"version": 108
},
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
"rule_name": "Outlook Home Page Registry Modification",
"sha256": "3453811ef45dfeac70ddf054126131c00f9dc9bc32ded269570d7ed0d3c660f1",
"type": "eql",
"version": 209
},
"ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
"rule_name": "WPS Office Exploitation via DLL Hijack",
"sha256": "8d4e2f6cb5d21f8244e59e8c3b20856df8349b82ee18227dc9c8ee312213e81a",
"type": "eql",
"version": 105
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 312,
"rule_name": "Unusual AWS Command for a User",
"sha256": "6329bd421d92474b7b724414f883a3a46da0190498df4f628e370b759c237af3",
"type": "machine_learning",
"version": 213
}
},
"rule_name": "Unusual AWS Command for a User",
"sha256": "39f69f2d45fbc7e8dc0ec930f3b66d28754b3502bea0b2b1b8d0a8b7a229d199",
"type": "machine_learning",
"version": 313
},
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server",
"sha256": "17ae9656179a2b6fb7f79aea315027f19f3111acdcf84c547588963f22d80cda",
"type": "eql",
"version": 11
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "3f9b5483fae2eb0413c7c38ead3683419d62efc4ed179f45151f5383ccff6ef4",
"type": "query",
"version": 216
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
"sha256": "72223005ab05d709e4988e024d34920e78f0de89f73f36f865dace15179a2abc",
"type": "query",
"version": 211
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "5df363ed16d64f340d500cc7c16cf64ac44edbe112391910d8559bcf4cfeede5",
"type": "eql",
"version": 111
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "ad378adde9bbf820b6da8dd6764e50a48c987669c717ca222e023f1a01b17553",
"type": "threshold",
"version": 112
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "6e6fcdde0fee19516c1e5836d84451a1720fa05f69d37486795cb309731a5d0f",
"type": "eql",
"version": 315
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "b2f6c9bec79b6a35c9205b12fefba6eea6a3d58cc512e07f94ff0aedc61f79d0",
"type": "eql",
"version": 317
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
"type": "query",
"version": 100
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "c7bbefa6cd24512e29b52401dd4e13dae67b32db59c469837cc5157d7fb8f7ad",
"type": "query",
"version": 210
},
"ad5a3757-c872-4719-8c72-12d3f08db655": {
"rule_name": "Openssl Client or Server Activity",
"sha256": "8ee09f0722e3d4094b5116fcd3ccdf47c8466d3dedaf45a2bce8131e571a5590",
"type": "eql",
"version": 108
},
"ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Decline in host-based traffic",
"sha256": "d3443af533d8c9c71544393bbb3528bab9f2a4528d9d339f101e5d8628f1a384",
"type": "machine_learning",
"version": 5
}
},
"rule_name": "Decline in host-based traffic",
"sha256": "a9db6c29e8b8c460f4f349d40a9db66f98d86d48043a2c992b7cb77ae0d82c0c",
"type": "machine_learning",
"version": 105
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "51d7f733e3374dcbe3976ae51a6bc313af267acc5db56d25e523260a910d942b",
"type": "query",
"version": 217
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "7e0e9edcd353321915ab04263138fc1a2c2cd6827c51ba0fe5874b5472b53d0f",
"type": "eql",
"version": 111
},
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
"rule_name": "Suspicious APT Package Manager Execution",
"sha256": "750bf0616ef3c52e7f9c6631ec3e3cfea69beba6673151f2e6c6e12bd6e124ca",
"type": "eql",
"version": 111
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "9a8cd6f888fb568bcebde8a607523abff1e1b5f2093b48a188b2627cf7128d9f",
"type": "eql",
"version": 216
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"rule_name": "Suspicious Communication App Child Process",
"sha256": "25f56d2f9491f0092ef37953f27c85ac8fb17360040a148f54492118de0a5e17",
"type": "eql",
"version": 14
},
"ae32268b-bfd0-4c35-b002-13461b5830ca": {
"rule_name": "AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN",
"sha256": "16982d441cf7c3bd9a76f4382a9c20f7c5a0b6c0d541357c5d9ee793ea06855f",
"type": "query",
"version": 1
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "6e872d7e24f0c0631132efe9f516b618480f9f40705f831a449c368918b4bb77",
"type": "eql",
"version": 111
},
"ae3e9625-89ad-4fc3-a7bf-fced5e64f01b": {
"rule_name": "Suspicious React Server Child Process",
"sha256": "8fc6e17b6f87f1749ad3b2ec19e38059ad1d2b55818befec965af351912cd17d",
"type": "eql",
"version": 3
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "883090677565ee7aa2d93b1e7f79a7aa9d9ea846e70568a4cba3893649ac00bd",
"type": "eql",
"version": 211
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"rule_name": "Shared Object Created by Previously Unknown Process",
"sha256": "178fb249bd43c2383b67d1411b9fb257d092c368cea0ac05d03be5b785d42606",
"type": "new_terms",
"version": 15
},
"aeebe561-c338-4118-9924-8cb4e478aa58": {
"rule_name": "CrowdStrike External Alerts",
"sha256": "037f1bbd2a34edbd83be30b5fe879ea4147544e216a7ecf2e0337b876b72ec45",
"type": "query",
"version": 2
},
"af1e36fe-0abd-4463-b5ec-4e276dec0b26": {
"rule_name": "Linux Telegram API Request",
"sha256": "0a3c43255d3c95aedd0f97b4e22701b135b6b447294478eeb2109f17a773414d",
"type": "eql",
"version": 5
},
"af22d970-7106-45b4-b5e3-460d15333727": {
"rule_name": "Entra ID OAuth Device Code Grant by Unusual User",
"sha256": "4fc095fc9ea36c19a1fb10bbbbccdb154cdd62f352e4dae8ea2ae5159c322f82",
"type": "new_terms",
"version": 10
},
"af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": {
"rule_name": "Okta Alerts Following Unusual Proxy Authentication",
"sha256": "654269218ea4d36e4c6c44c897f0d1045a8e3958ec8ada141505606d41445514",
"type": "eql",
"version": 3
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "7d10e6efd142a09f199ae3461997c14ec7ea789aa43adcd41b7177e7664189c9",
"type": "eql",
"version": 10
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"rule_name": "Local Scheduled Task Creation",
"sha256": "29f6f4c86ee173e96f81e6df15192dbe3420e73d4bde62a8efc9a4a338676008",
"type": "eql",
"version": 213
},
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"rule_name": "Network Activity Detected via cat",
"sha256": "c7ba64794076705bc9730b99d67877072cc6f9ae46d2bea1a55cc73dab2a3ebc",
"type": "eql",
"version": 12
},
"afdca1e0-0f8a-4fcf-9e1e-95e09791e3cd": {
"rule_name": "Curl Execution via Shell Profile",
"sha256": "90ee59b3a454a03021437f01fc2442fd3503fe941f69d4a9b7fda0d1ca4af237",
"type": "eql",
"version": 2
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "7f9907f21f21b24e6aac00e4e7706f5dbc9c8ab5891e9ece18d88f30aaec68da",
"type": "eql",
"version": 11
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"rule_name": "Timestomping using Touch Command",
"sha256": "4fd7e132e755404d1ae3176095c943d11912cc430d74e29e24622bf7b9118cf2",
"type": "eql",
"version": 110
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "2de0c7e6afc5a090ed826fbef600250fcaf3386d0dea5229916795bef6153462",
"type": "eql",
"version": 111
},
"b0450411-46e5-46d2-9b35-8b5dd9ba763e": {
"rule_name": "Potential Denial of Azure OpenAI ML Service",
"sha256": "d051b64ad0087c58738ea692d5e4f34df38958811cba31ac68d403b214bdfb77",
"type": "esql",
"version": 5
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"rule_name": "Netsh Helper DLL",
"sha256": "b7f6e527b15faa58aea7339a5470321f39e1884c6936aae54c724743a99b9b66",
"type": "eql",
"version": 208
},
"b07f0fba-0a78-11f0-8311-b66272739ecb": {
"rule_name": "Unusual Network Connection to Suspicious Web Service",
"sha256": "8dee5585853fc2cc29d0a3fa86c34646de7bc439f3082c135445169f367d5ede",
"type": "new_terms",
"version": 6
},
"b0c98cfb-0745-4513-b6f9-08dddb033490": {
"rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables",
"sha256": "e448d9b59d2f49b4c015b5980d16a6a35c92a493127292ce515a5a6d268491f6",
"type": "esql",
"version": 11
},
"b11116fd-023c-4718-aeb8-fa9d283fc53b": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Kubeconfig File Creation or Modification",
"sha256": "6a08ab8625a65609aa0bef37ef07d25179e617112666f1746d309fc4c5863570",
"type": "eql",
"version": 3
}
},
"rule_name": "Kubeconfig File Creation or Modification",
"sha256": "c170db655cc983bc2f7399ca8f83b883daa93945d755cb705d587cfed18454bf",
"type": "eql",
"version": 104
},
"b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
"rule_name": "Hidden Directory Creation via Unusual Parent",
"sha256": "a716f97119f1a7d01b1d42ed01f50aa1449a2b0330b185499e04caa530245f62",
"type": "eql",
"version": 106
},
"b1773d05-f349-45fb-9850-287b8f92f02d": {
"rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
"sha256": "e961ffee8a9b22251e73628ba1a1675421a7f04f8279b096b29fa3ec412f31c1",
"type": "esql",
"version": 7
},
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
"rule_name": "Potential Persistence via Cron Job",
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
"type": "query",
"version": 100
},
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"rule_name": "Potential Network Share Discovery",
"sha256": "d7a2f1e37fdf49243ac43e4049ebc1395e41378971a27a1bbc4df975c9ac465a",
"type": "eql",
"version": 110
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"rule_name": "Spike in Network Traffic",
"sha256": "6f5749f79295a76dfb8b39ad7c7cd307890d4e6907b1978e040776de3c977e5b",
"type": "machine_learning",
"version": 108
},
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "9cbdcf3fafd22659be1b5e8eea827bb8893cc7512c49d88c46dd4cde92880ee2",
"type": "eql",
"version": 218
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"rule_name": "Deprecated - M365 Security Compliance Unusual Volume of File Deletion",
"sha256": "34ec15b2762501830ba72e2159a10d9fa8710df212375f979160411eb08ffcb5",
"type": "query",
"version": 213
},
"b29b7652-219f-468b-aa1f-5da7bcc24b03": {
"rule_name": "Potential Traffic Tunneling using QEMU",
"sha256": "3bed4972669528914c4056e133fe899c9b4d6e66d957bce8d06c418ce3f1a32e",
"type": "eql",
"version": 3
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "df2d7525dd2d1f86cbcda0b5d9da2f2a62195e24e8a9a26ea63b47ecc7a2a7d4",
"type": "eql",
"version": 214
},
"b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e": {
"rule_name": "Azure Storage Account Deletions by User",
"sha256": "9f4fc0bbadb6f42109d9f6264472caa5cfbd9ae6935c6b3e0a098c00ede91f06",
"type": "threshold",
"version": 2
},
"b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": {
"rule_name": "Potential Account Takeover - Mixed Logon Types",
"sha256": "fec263f1a8e25a341fbc4d919058aefe36ed0aa33d27a7bef776cc039a301126",
"type": "esql",
"version": 3
},
"b2c3d4e5-f6a7-8901-bcde-f123456789ab": {
"rule_name": "GenAI Process Compiling or Generating Executables",
"sha256": "fcd00363e060ee80ac289741c1c9004fa4bbe11c759b50769070b13d5466008b",
"type": "eql",
"version": 3
},
"b2c3d4e5-f6a7-8901-bcde-f23456789012": {
"rule_name": "GenAI or MCP Server Child Process Execution",
"sha256": "26ee62ae8a201d334f1e43011a5acaa008ecb5e19c928b921faa25e0d95582b0",
"type": "eql",
"version": 3
},
"b2f8c4e1-6a73-4f1e-9c2d-8e5b0a1d3f7c": {
"rule_name": "AWS EC2 Role GetCallerIdentity from New Source AS Organization",
"sha256": "24583dae8dc1aba73158f2983e7c0a370cbddc64cdf80ad1a3ed2b84d9ea8870",
"type": "new_terms",
"version": 1
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Linux Username",
"sha256": "ebac0be3cc98660cdc22804d5fb5347f782deed7f06851e8d9774d2b80988cf1",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Linux Username",
"sha256": "a673ca8052fc4de0d8f2386e8976429868d4129e24c96fe5d0352c5de423237f",
"type": "machine_learning",
"version": 207
},
"b36c99af-b944-4509-a523-7e0fad275be1": {
"rule_name": "AWS RDS Snapshot Deleted",
"sha256": "ba3d38a0e3792f9fc94cbca598270b727fea2afd947bc1a201a93fd18ce7746b",
"type": "eql",
"version": 9
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "378bd1d2c1a58cde20ec32623670281d8a2167d171f8bfd09ec3a767c466ab03",
"type": "eql",
"version": 322
},
"b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": {
"rule_name": "Suspicious Python Shell Command Execution",
"sha256": "6cdfde87acbd94abc4aa15493236dc5cc3d5ba2b9477e6a84979cf1309c83e1f",
"type": "esql",
"version": 4
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "572bc27e692189379dafcde1361251f5e3e288eabd3bf6783395dc77d479a941",
"type": "eql",
"version": 216
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "aa4c16259c4ca94dffd3cb61e6cdba1aa20599065aaf7ae56a8a21eb1b08a65d",
"type": "eql",
"version": 111
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"rule_name": "AWS STS GetSessionToken Usage",
"sha256": "b0f5631b927606bf9cd543de35f1eb1f4e1a5a5655e0dcc70fa9ef1b9dc1fd81",
"type": "query",
"version": 211
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"rule_name": "At.exe Command Lateral Movement",
"sha256": "d31b85a4a0c3afbb2fa6829eab9297104af0e9d5fb668fe2f19260b5b0303df0",
"type": "eql",
"version": 108
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "09cc425582bd4ac3d390cbb63c58e980708b2e3f438f39b376f3f2a95b4a2346",
"type": "query",
"version": 415
},
"b4bd186b-69c6-45ad-8bef-5c35bbadeaef": {
"min_stack_version": "9.3",
"rule_name": "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers",
"sha256": "ea1e6c16c05f513bef9a7fce9aea0e625892b08e71fb0657730605a640764afd",
"type": "eql",
"version": 2
},
"b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c": {
"rule_name": "Kubernetes Rapid Secret GET Activity Against Multiple Objects",
"sha256": "3116ce1fbded5e4cc884ac4a680158bc2822f8ed3e02e97ac4223252d5d278c3",
"type": "esql",
"version": 1
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"rule_name": "Potential Privilege Escalation via OverlayFS",
"sha256": "8184ab730ee2e991794ad836b1317d48d6b4ea0e58c4fc42fb00db88f9ca8bef",
"type": "eql",
"version": 10
},
"b53f1d73-150d-484d-8f02-222abeb5d5fa": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Kubernetes Direct API Request via Curl or Wget",
"sha256": "df70d0745c16f105c5b28d1558cd717f10f40ed6dc2158b67f3455c357249582",
"type": "eql",
"version": 2
}
},
"rule_name": "Kubernetes Direct API Request via Curl or Wget",
"sha256": "5848bf5a4bd044df06ef95227df444a60c1471ca1bcb5523d37347327c87dc52",
"type": "eql",
"version": 104
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"rule_name": "Clearing Windows Console History",
"sha256": "ec49b73ddecb2a3d97ae0249883658375bafc409d58d3f59db1174f5aaeb3f85",
"type": "eql",
"version": 320
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "22aeae9e6e806d1a9e4216f3485b6f9bc573e3efebfcb756f488b3510e88378c",
"type": "eql",
"version": 317
},
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
"rule_name": "Systemd Service Started by Unusual Parent Process",
"sha256": "0021061d622b59482f91129c9afd828047712d6ca62d4a338937389e67656e41",
"type": "new_terms",
"version": 8
},
"b625c9ad-16e5-4f16-8d38-3e9631952554": {
"rule_name": "AWS CloudShell Environment Created",
"sha256": "5c7433e67902ee4b52322b5abc5120bfc4053b3280ef95a2a30a852c97a66aaf",
"type": "query",
"version": 3
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"rule_name": "Elastic Agent Service Terminated",
"sha256": "a72ebf831df03c21d401b9f11214fb6941e12203f4375308a7cf89f9a8d39865",
"type": "eql",
"version": 114
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "c8097fa09dce15e87aeff4ba80fdb83d373b329e1e3c1253d68ead481505686a",
"type": "eql",
"version": 215
},
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "05e08f6a48db8458789f9657614baed791232ae181993e95ccdf444a38300d81",
"type": "eql",
"version": 210
},
"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
"sha256": "0a84161e37b3038a5efaae0ed7135d830767e9480bffeb05bdba6fb297f50e2c",
"type": "eql",
"version": 110
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
"sha256": "14d28d7f25487dce62c1587886b4b74480f9c2a4198f69e2e55470d4d623e08d",
"type": "query",
"version": 109
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "fc573fd91afba592e2599a9f648c7f7c87ba1b94a672fe37c1f1bc6f40fc905a",
"type": "query",
"version": 415
},
"b799720e-40d0-4dd6-9c9c-4f193a6ed643": {
"min_stack_version": "9.3",
"rule_name": "File Creation and Execution Detected via Defend for Containers",
"sha256": "4e1519a4656adf5de7dc890fa4f66a7b9a90263c36d67d8096b6835ad4f17220",
"type": "eql",
"version": 1
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"rule_name": "Potential Buffer Overflow Attack Detected",
"sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3",
"type": "threshold",
"version": 4
},
"b7e2a04d-4f8a-4e12-8c9a-1d5e6f7a8b9c": {
"rule_name": "FortiGate Configuration File Downloaded",
"sha256": "b65dfbbd01ddf09e8bd7de4c17e9af0caeda5f94219d9520352f4f63c62a2c71",
"type": "eql",
"version": 3
},
"b7f77c3c-1bcb-4afc-9ace-49357007947b": {
"rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike",
"sha256": "3fc38efdfb54c28bd83b93be278e07a0480084d972768a3dac3e6d6187408cb7",
"type": "esql",
"version": 3
},
"b8075894-0b62-46e5-977c-31275da34419": {
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "d606a36377e206ed6b63e174f9aa93773b33099aaf113724d19e45c60c18555f",
"type": "query",
"version": 414
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"rule_name": "Linux System Information Discovery",
"sha256": "fa7b67791e4a1c0bddd450fbbbaf999f5c80e8ca6fdcb193e3822be4d331ba5b",
"type": "new_terms",
"version": 8
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "310b917a14e643bd8b9da746b930eca41250db760858b9591499e47052cc695e",
"type": "query",
"version": 113
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "372472e0e1be987ba5607f0b0985f7873818d79075d5d551094c911df93db55c",
"type": "eql",
"version": 418
},
"b84264aa-37a3-49f8-8bbc-60acbe9d4f86": {
"min_stack_version": "9.3",
"rule_name": "Tool Enumeration Detected via Defend for Containers",
"sha256": "37e4e5763b25cbe64d5632bc00bbda463f9ba20fc814a0423fd17c8143dc22a0",
"type": "eql",
"version": 1
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
"sha256": "8902326fd29e6491af0a64878eb8f4e07e31da66e984848dff33107dfc14dc6f",
"type": "eql",
"version": 212
},
"b8c3e5d0-8a1a-11ef-9b4a-f661ea17fbce": {
"rule_name": "Azure Recovery Services Resource Deleted",
"sha256": "1b78e1a881f43c3177aead24fc927410356a5d006d1cda47e70d26a9e9641342",
"type": "query",
"version": 1
},
"b8c7d6e5-f4a3-4b2c-9d8e-7f6a5b4c3d2e": {
"rule_name": "AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure",
"sha256": "9ee4397ac53d88b12b6a16d40ab8c34703453f21aa536fd9946f4989fc31d8f7",
"type": "esql",
"version": 1
},
"b8e4c2a1-7f3d-4e9b-8c5a-1d0e6f2a4b8c": {
"rule_name": "Potential Credential Discovery via Recursive Grep",
"sha256": "6e1f7fd530c168e50461f4e7afc7b92b389edc311ca0657f61cae0b885e3fab0",
"type": "esql",
"version": 1
},
"b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": {
"rule_name": "M365 Purview DLP Signal",
"sha256": "e3ef983c1782d0d31d55c56f099f438dbf0e1180aa4222c17d078488f0692878",
"type": "query",
"version": 2
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"rule_name": "Kirbi File Creation",
"sha256": "ecaa3fb532fa9adc94bdd4490159fd87d162a316b180bcc92f9911131f8bbaa3",
"type": "eql",
"version": 316
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "a458c8f1dd0880bd480c3221aa2fc1e68d92b55fb0a6899029388a4bc3ef00b2",
"type": "eql",
"version": 313
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"rule_name": "Chkconfig Service Add",
"sha256": "d0cc5c171239dbcb104a7489e747f4fa4712d1f0b9d0c7c2c40c266c6e44d456",
"type": "eql",
"version": 219
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"rule_name": "Discovery of Domain Groups",
"sha256": "39ff2ecd53d1273176883da80f5c853cba5c7d5cffe7daac11a6b8735507dd0f",
"type": "eql",
"version": 6
},
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
"sha256": "58aea1cb23aecb61ecd0ad28ac516172a01ae3e42abf8d9fbb4ef879b389ee77",
"type": "threshold",
"version": 6
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "e1354aee6d1923e8a2981bf59472687a27e3af9e89fa81c9d248a652d6f15fce",
"type": "eql",
"version": 214
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "ccc20438dabf95f6714661407dca782bba70fc5acf468c799afa0997f7cfbd74",
"type": "eql",
"version": 116
},
"b9960fef-82c6-4816-befa-44745030e917": {
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "5623b8facb7575ee89888665115a6288b762d8c7cae967408f985102c8808ddb",
"type": "eql",
"version": 317
},
"b9b14be7-b7f4-4367-9934-81f07d2f63c4": {
"rule_name": "File Creation by Cups or Foomatic-rip Child",
"sha256": "dca11625c815b4157b45c06d2d04e7f72ef5ba0ecdd1fed7cc9cfd8e42cd42ac",
"type": "eql",
"version": 107
},
"b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e": {
"rule_name": "Anomalous React Server Components Flight Data Patterns",
"sha256": "0c4d821949f83cc7229d9d2a9c117db1c8e639e5e03279e9ec182569ea1e7232",
"type": "eql",
"version": 1
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 310,
"rule_name": "Unusual Windows Network Activity",
"sha256": "6dd4b33d728787835db1ae21a3cba7bf99af83a6470d46cbd1476d0dffaa9c59",
"type": "machine_learning",
"version": 211
}
},
"rule_name": "Unusual Windows Network Activity",
"sha256": "0833f86da12207c117de1da3165a8d471bbf136effa8f292075b2d66982d01cd",
"type": "machine_learning",
"version": 311
},
"ba5a0b0c-b477-4729-a3dc-0147c2049cf1": {
"rule_name": "AWS STS Role Chaining",
"sha256": "54a16034019a7ff529433229ee9420420463a6b64f855b1f8182e9c979f31d11",
"type": "new_terms",
"version": 6
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"rule_name": "Kernel Driver Load by non-root User",
"sha256": "881df1bf3e0d1bd5035f0163b4c6fbea98426fdad7f5e30cd133d408466dfd22",
"type": "eql",
"version": 8
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "6454e889c2cf1a148a8d04442b4e67982eff43b66dfcdbe6816253576c2ae7b6",
"type": "eql",
"version": 214
},
"bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": {
"rule_name": "AWS SQS Queue Purge",
"sha256": "461b925e57497fdcaf88f08873d86a0fb8d0e9ea1252e6c241ef05fffd27a95d",
"type": "query",
"version": 8
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"rule_name": "Azure Resource Group Deleted",
"sha256": "4966f18990999e99b3a63b622da1f44cd27813206a0d44992e191ef7efd3f6d8",
"type": "query",
"version": 109
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "72ecee4d940e2c2157819f24ecedf8a8cb830b55105eac72e766fe6ced901463",
"type": "query",
"version": 213
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"rule_name": "M365 OneDrive Malware File Upload",
"sha256": "f04d6d39681c375512b7e813dc80c792d70026ba6d551afbfa7734b166ea15cd",
"type": "query",
"version": 213
},
"bba8c7d1-172b-435d-9034-02ed9289c628": {
"rule_name": "Potential Etherhiding C2 via Blockchain Connection",
"sha256": "adf13fd4f74075a1c4d807c951b541af172e2bded395dbbfe1ba42983acd3d22",
"type": "eql",
"version": 2
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"rule_name": "Potential SYN-Based Port Scan Detected",
"sha256": "815c666bcc295daeb2243a634ef0d8210a3b075ef8218de881cc4d8e7cb3cfce",
"type": "threshold",
"version": 14
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"rule_name": "M365 Teams Custom Application Interaction Enabled",
"sha256": "826ec6d81ce8b9a10f38fc995c045cd647df5d059bdac072fb532a9260900581",
"type": "query",
"version": 214
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"rule_name": "Deprecated - AWS Root Login Without MFA",
"sha256": "1f43dead85d0d3544a5c39d1e599b0413d8338a3bd86555c4c1259946d0a1686",
"type": "query",
"version": 212
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"rule_name": "GCP Storage Bucket Deletion",
"sha256": "37900dac2079159d4340059ef6567def876171c5672fdfc7278c6c8f0ca6fe79",
"type": "query",
"version": 108
},
"bc0fc359-68db-421e-a435-348ced7a7f92": {
"rule_name": "Potential Privilege Escalation via Enlightenment",
"sha256": "e0ba4cc9f179a908179ae1b8fb08501b168e5dd989246796d70691f3f4eff7f0",
"type": "eql",
"version": 7
},
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"rule_name": "Attempt to Install Root Certificate",
"sha256": "7acb4cc8693f671522ac4141af3c6f946771d3534b18f6afef6140a69a1b8a52",
"type": "eql",
"version": 110
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"rule_name": "Entra ID Conditional Access Policy (CAP) Modified",
"sha256": "988c323c28814045bd05e064128d2969aaebf8c51e11e47537a3e2aa3f0767d2",
"type": "new_terms",
"version": 110
},
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
"rule_name": "Deprecated - Potential Non-Standard Port SSH connection",
"sha256": "a62aee60a38df90f6eeb03a3e144acc5341673270c9a27db837e523ad4a145b5",
"type": "eql",
"version": 10
},
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"rule_name": "File and Directory Permissions Modification",
"sha256": "1229abc2361eeaad582a81ee4da6660075a6f9350b3ed2da734f3651b6d383d5",
"type": "eql",
"version": 4
},
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
"rule_name": "GCP Service Account Disabled",
"sha256": "c37a8742cc3fe968d7ca34eae92c6bbf6d72f20a731a8e600078e0c76f998332",
"type": "query",
"version": 108
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "56d1f942df83d7f90dce141e8d61ea6c55751a210ce9f2acedfd94a2aea52eea",
"type": "query",
"version": 10
},
"bcf0e362-0a2f-4f5e-9dd8-0d34f901781f": {
"rule_name": "Entra ID Protection Alerts for User Detected",
"sha256": "bf979378a73ec562baf65cabd933ec22b6c70d6c288387eed998e3836179e977",
"type": "eql",
"version": 5
},
"bd18f4a3-c4c6-43b9-a1e4-b05e09998110": {
"rule_name": "Manual Mount Discovery via /etc/exports or /etc/fstab",
"sha256": "87629b7d4d5b9fc75f1a26d77b396e39a528483a25c72d1238b5ebf5271839b9",
"type": "eql",
"version": 4
},
"bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Spike in Privileged Command Execution by a User",
"sha256": "99ea8a26e2591f788b098171cdedaae4b59e16b257d990f96f5dc7fda4e3c272",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Spike in Privileged Command Execution by a User",
"sha256": "7279a20292c17acab33b638a44a567480719079cc6518fe2f59f35f86e1e2cd4",
"type": "machine_learning",
"version": 104
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
"sha256": "2b2c41d8349db184a3dfcf109c0e32f06a4e29eb8036f85956a55e479cedaf1c",
"type": "query",
"version": 219
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "ceeb8a74a863b5756a29ed6a9a6224998612c5ec72c4b20afaa84daa0dddbff1",
"type": "eql",
"version": 109
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "f236da0018f3c95714b7f47d42df3c3389fcd252069efa50f02ee8bebb468f09",
"type": "eql",
"version": 214
},
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"rule_name": "Deprecated - Potential Pspy Process Monitoring Detected",
"sha256": "17aa7bf5c9f4b42c826a680248a06f16bf511e1af4de7d8e86c3e23611e706be",
"type": "eql",
"version": 12
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "7eaec669020f14dddbe892f76fd4b204a602a2c3cd1cd4174098514f6abc7b6a",
"type": "eql",
"version": 215
},
"bdfaddc4-4438-48b4-bc43-9f5cf8151c46": {
"rule_name": "Execution via Windows Command Debugging Utility",
"sha256": "caed468a427a737d9f364fbc48acbfd232a094fd7c94911ccb2b0d0c53acba07",
"type": "eql",
"version": 111
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 210,
"rule_name": "Host Detected with Suspicious Windows Process(es)",
"sha256": "78e88e33d9c078480535176d94c745523d1b5cdc53faa7f6dc0c4bb98f303dca",
"type": "machine_learning",
"version": 111
}
},
"rule_name": "Host Detected with Suspicious Windows Process(es)",
"sha256": "65c718364c96010a79d85d5d5f9d03c5177768aef95e93280491ac2544384804",
"type": "machine_learning",
"version": 211
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "Unusual Remote File Directory",
"sha256": "3b62f382cca1d5aa8845239afb457e39f5a035382660884911727b4dd5f91aba",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "Unusual Remote File Directory",
"sha256": "a88cb06ef463fb2f2dd4327dd31c5d47692a0c11539c9e458a25c9f32b348668",
"type": "machine_learning",
"version": 109
},
"be70614d-4295-473c-a953-582aef41c865": {
"rule_name": "Potential Data Exfiltration Through Curl",
"sha256": "10a4816f54ea177fa9e3d1289e45f425f1497b53d4964f359dcd7a1cdd2e729d",
"type": "eql",
"version": 7
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "eb48a9a1d6f3695d16aabc2eac3cb9e8194fb43afd70c67b86f37958aff0734e",
"type": "eql",
"version": 318
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS DB Instance Restored",
"sha256": "4b30455cb83458f81769269a3dcfb5e5d22f50e9966e84c186dacdc5f9522ba9",
"type": "query",
"version": 214
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"rule_name": "System Owner/User Discovery Linux",
"sha256": "8333574a0bd6910364814cb33d533eeb7ff3ce241fecbde36cde344d754dd008",
"type": "new_terms",
"version": 8
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 106,
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "f07aa0be2f6927907b2a0cf3a08fffbd806adb3c5bfcc5b8d825a8b68a8e5cb0",
"type": "machine_learning",
"version": 7
}
},
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "e2736f2b927fe65d4fc0264b0645cba4262fbd1677b221588f935a637edb5e29",
"type": "machine_learning",
"version": 107
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "0b824a6c76d9e6ba990e3246a364639ed381da6595f7a64e4d7f87c5775b5c41",
"type": "eql",
"version": 219
},
"c0136397-f82a-45e5-9b9f-a3651d77e21a": {
"rule_name": "GenAI Process Accessing Sensitive Files",
"sha256": "7c9b692a829b9a52b6aad77ef0ca0d339f3a4ee67c3e4adddb2bafcc92231395",
"type": "eql",
"version": 7
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "0bd519abe65e56eef7207d3456911a0aaaeb511637bdc1491f081d31cf4b7bcc",
"type": "eql",
"version": 114
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "b6eebc798b4afada8d3bfa956f8703fcae15edef82c4f929e74945195f9edfee",
"type": "eql",
"version": 316
},
"c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
"rule_name": "AWS IAM Login Profile Added for Root",
"sha256": "fc6421375be76d4d0aeb919f460c45ddcd0823a216c78aec752e89f1a089b287",
"type": "eql",
"version": 7
},
"c07f7898-5dc3-11f0-9f27-f661ea17fbcd": {
"rule_name": "Azure Key Vault Excessive Secret or Key Retrieved",
"sha256": "6a9647be6235ab05a6f7dfabd7f0d07837ac5d2715b017dd8a41615e3cbda393",
"type": "esql",
"version": 9
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "9c208b045f8d819107c56a6d07dfab00cbb11c4b5f50381febbaac9d1a06045b",
"type": "eql",
"version": 4
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "c4fa342fec8bd2d9be3a0170fff08f1850375e0660f459377237bfb23cebe615",
"type": "query",
"version": 105
},
"c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "2791043f63074536de6e74909024903fb85f453091d8d74b441586745316aeea",
"type": "query",
"version": 108
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"rule_name": "Deprecated - Suspicious Renaming of ESXI index.html File",
"sha256": "2c94180ce81703e6ed2e0d45922383a36583db9bd0d3e62b3068a2abf17b5cc6",
"type": "eql",
"version": 12
},
"c17ffbf9-595a-4c0b-a126-aacedb6dd179": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 100,
"rule_name": "Rare Azure Activity Logs Event Failures",
"sha256": "c7ab4512404f799560ec6c788cef728597921e7cd5a135d3d184b219d3352eea",
"type": "machine_learning",
"version": 1
}
},
"rule_name": "Rare Azure Activity Logs Event Failures",
"sha256": "e2a374e0c05a03580026cac6094e7fd3d00628dc2cf6965875239f25a04d15b0",
"type": "machine_learning",
"version": 101
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "ffae753e96e57c8e771abab86446ad7034e302f6824a3d98b89951e0504bc73c",
"type": "query",
"version": 213
},
"c18975f5-676c-4091-b626-81e8938aa2ee": {
"rule_name": "Potential RemoteMonologue Attack",
"sha256": "ca992e1b21d0fb0f0754149fd57b64002ad44fe7f9e500b94ef60dabd6554ff0",
"type": "eql",
"version": 7
},
"c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce": {
"rule_name": "Azure Compute Restore Point Collection Deleted by Unusual User",
"sha256": "2b8eebb4194717375909b29a3d0a794425d40404f5ccf9adf851172212ad6a63",
"type": "new_terms",
"version": 2
},
"c1a9ed70-d349-11ef-841c-f661ea17fbcd": {
"rule_name": "Unusual AWS S3 Object Encryption with SSE-C",
"sha256": "53db6d3be010ac57b9e40bf2d75485e498825d37934550bd8ab3cf91ba0d85e7",
"type": "new_terms",
"version": 8
},
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
"rule_name": "AWS EC2 User Data Retrieval for EC2 Instance",
"sha256": "bb336839fab870f4b8ceed4a37e64fa3808c9d4ec3557d5d7eb61cb308f89cab",
"type": "new_terms",
"version": 9
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "ee0bd1f86590675b1968e6c9acb3c60ff51ea57e2c22d45881495ae30a89caae",
"type": "eql",
"version": 107
},
"c24e9a43-f67e-431d-991b-09cdb83b3c0c": {
"rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
"sha256": "85e2710c5bac83b3134e7c2720609257a02d708edb281beb58dc59c73e2de482",
"type": "eql",
"version": 7
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "fc40884b4f7c36580a2055b06ccce31e99c605042fc0bfad38e16a5124224c40",
"type": "eql",
"version": 319
},
"c28750fa-4092-11f0-aca6-f661ea17fbcd": {
"rule_name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"sha256": "3bb7c14559704f363959d8ac1e158dcd85bbb01bd5c2d2cf2c3355b5257e5843",
"type": "eql",
"version": 3
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Linux Network Connection Discovery",
"sha256": "34592f9549c2e381560c9c9a7a71bbb31090e65c7531ba8336578f4a2af2563e",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Linux Network Connection Discovery",
"sha256": "3dc62da3e3d7eced397232fa5845611453226b59e213bd3c2165f786154ca80d",
"type": "machine_learning",
"version": 207
},
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"rule_name": "Persistence via Folder Action Script",
"sha256": "0e4561214fbcbee7b437528faea36307cf2255abd709788284dc2e7f5a740232",
"type": "eql",
"version": 113
},
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
"rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
"sha256": "3928140ff2c2daa2baa63a3c01524bc5693142c460ae8797ab4165dacfd176cb",
"type": "eql",
"version": 7
},
"c2a91e88-4f4b-4e1d-9c7b-8fde112a9403": {
"rule_name": "Kubernetes Multi-Resource Discovery",
"sha256": "ba3c836d664df993f5eb60a7daa1e03e7ba8979b31107abda39886337b6eb0fb",
"type": "esql",
"version": 1
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"rule_name": "Mshta Making Network Connections",
"sha256": "67d1ef2cd2105b6cecf6813688a2ace55466bd1724113c42d7270a1b06b04c3f",
"type": "eql",
"version": 213
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "2ce243e8fc579af6ca9724a16a2f30f2190e9528ffef9972a75dcbfe94ce987e",
"type": "query",
"version": 106
},
"c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": {
"rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters",
"sha256": "f813eeef96588e7cc2eb90e1e91b32f2b9304bdb6c040357a4cf1ef6b41f0748",
"type": "new_terms",
"version": 7
},
"c37ffc64-da75-447e-ad1c-cbc64727b3b8": {
"rule_name": "Suspicious Usage of bpf_probe_write_user Helper",
"sha256": "7382f00fdf9d126382835eb8bee6dff6b8ee9806023856161c3f82b90b2ca17d",
"type": "query",
"version": 5
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "fe431606017738cc0bd512442d6aee9241821aa49a4476107d876e8521e564b3",
"type": "eql",
"version": 415
},
"c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f": {
"rule_name": "Azure Compute Snapshot Deletion by Unusual User and Resource Group",
"sha256": "a1d9d307839b1e0d90287d6c6ed01a10b4b39429715cb89a1c24aa185ef4492a",
"type": "new_terms",
"version": 2
},
"c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": {
"rule_name": "Suspicious Execution from VS Code Extension",
"sha256": "0f323f54766502b2aad2e8d828583874f64015a7eeec98250bf8732f25af760a",
"type": "eql",
"version": 3
},
"c3d4e5f6-a7b8-9012-cdef-123456789abc": {
"rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"sha256": "0e3a9be309a444967ebb0ea0d972afde8a15a17b8b25372f908c366b1d81db60",
"type": "eql",
"version": 3
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
"sha256": "6a1e4a58107207bd64985edd80b630efbfb2c0257405b1e8eb91b08ce480f0eb",
"type": "eql",
"version": 108
},
"c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c": {
"rule_name": "Multiple Remote Management Tool Vendors on Same Host",
"sha256": "a2a54475f704eefeffbf2dcbcf805691146faa7d3123844010c0c45770bd3871",
"type": "esql",
"version": 3
},
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "b2f5778133cc8aec0658f483a77022ff1900c12bf95be595d306fb72db8ed0e5",
"type": "eql",
"version": 317
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "6bacc434838270cd66c5fd783aca76bc1c83083165ba5a2b6dcff8bc6d8969a5",
"type": "eql",
"version": 313
},
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"rule_name": "Windows System Network Connections Discovery",
"sha256": "212aaec8993088800bd4d7f70a7332eaf7e5bc714183097e26fb19acf8ebc70e",
"type": "eql",
"version": 7
},
"c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": {
"min_stack_version": "9.3",
"rule_name": "Multiple Rare Elastic Defend Behavior Rules by Host",
"sha256": "fc81aa909cb501f68b3d1b1b9a5221be71de1100519e486fe5065e5bcb504f44",
"type": "esql",
"version": 3
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"rule_name": "Attempted Private Key Access",
"sha256": "433198f3e83515be6a9fb2d81a58e55f395ca9b6c12755ce513c08a8eccdf886",
"type": "eql",
"version": 111
},
"c562a800-cf97-464e-9d6f-84db91e86e10": {
"rule_name": "Elastic Defend and Email Alerts Correlation",
"sha256": "1d45173532d147acd49f542150b35f7e6997ea1d1c48a6d1d776f8414cf10ed5",
"type": "esql",
"version": 4
},
"c5637438-e32d-4bb3-bc13-bd7932b3289f": {
"rule_name": "Unusual Base64 Encoding/Decoding Activity",
"sha256": "2d14a4c5396bcc49e6fe161442552ba4adf549a8847239fa8ecdb52c67edeb8c",
"type": "esql",
"version": 11
},
"c5677997-f75b-4cda-b830-a75920514096": {
"rule_name": "Service Path Modification via sc.exe",
"sha256": "22e84ad2b75e336fb97f7a6c7a63140dd8f907a4d863e0569c43993bbe498833",
"type": "eql",
"version": 109
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "7c840986983f33b226bd6ec8dbb5af504749920819a8f73fcf5c660ed9c2debe",
"type": "eql",
"version": 315
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"rule_name": "GCP Virtual Private Cloud Network Deletion",
"sha256": "2c04fe383e0cbfd24a060a3f7df45e8a67ad83994225466b84eee7b04d91bcb4",
"type": "query",
"version": 109
},
"c595363f-52a6-49e1-9257-0e08ae043dbd": {
"rule_name": "Pod or Container Creation with Suspicious Command-Line",
"sha256": "6a5835653ce8a44460f7a6265334f5715cec34eef906940d610adfd93fef4883",
"type": "eql",
"version": 2
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "70e2670083262dede9e0ac99658ca19c7de178ec58e04799de51dd05c7de93a5",
"type": "eql",
"version": 214
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"rule_name": "Installation of Custom Shim Databases",
"sha256": "c3c888b4c5012aed4c984e2bbe771206e5733964fdc51d7858755a9152742a52",
"type": "eql",
"version": 315
},
"c5da2519-160c-4cc9-bf69-b0223e99d0db": {
"rule_name": "Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt",
"sha256": "6b7e94971186501aac3530e4bee4b1247c1391d2aa9afe212581dacb76d121a5",
"type": "eql",
"version": 3
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "cf437520e3f654ae85ed65b5d0a9052889488f787bfefcf1a529f15710dd1037",
"type": "eql",
"version": 318
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
"sha256": "427f6a1dc62cfc31d666ea507e0534d2ccb1b1ab11ded936a7c642aca66c0ac2",
"type": "query",
"version": 107
},
"c5fc788c-7576-4a02-b3d6-d2c016eb85a6": {
"rule_name": "Initramfs Unpacking via unmkinitramfs",
"sha256": "670705faa3fa17cf9262d86f5f84c89d2b19a8d98e66695f0d696dd97dee6195",
"type": "eql",
"version": 6
},
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "fb2fe11496bbfc2388fa376d8b542bf097de5191513c3955377d9ab1235a6d06",
"type": "eql",
"version": 320
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
"type": "query",
"version": 100
},
"c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
"rule_name": "Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
"sha256": "99b9962c6c09378b4025d49a579ee99cb8a9ae0277d461ac8296cc86e51c6e49",
"type": "esql",
"version": 4
},
"c6b40f4c-c6a9-434e-adb8-989b0d06d005": {
"rule_name": "Suspicious Kerberos Authentication Ticket Request",
"sha256": "8736d228be608f8444c05b92524b70cad9521695df3889cb526d6ff03c7ca3d5",
"type": "eql",
"version": 4
},
"c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
"sha256": "98462394a43af08b12e31e4b72725b2ed44e614a442c664eefc4aa99c918bbf4",
"type": "new_terms",
"version": 7
}
},
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
"sha256": "900d6953f4a641966f554449d8d96bb0358a325597f719a61787949c359dcd23",
"type": "new_terms",
"version": 108
},
"c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": {
"rule_name": "Mount Launched Inside a Container",
"sha256": "4d00e7499220c3c3a60f9749322ef6e1454af67f7ae410f4f6d7c3f28dff5f95",
"type": "eql",
"version": 3
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "db008a5c21d6a79b33bf9ea050857ae15016c5c6e40839e50335eb211f5f1295",
"type": "query",
"version": 414
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "2e4dcf9c3c6df85922d74052995819ef82f67954d3d74e3ce29388cb2497151b",
"type": "query",
"version": 413
},
"c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
"rule_name": "Egress Connection from Entrypoint in Container",
"sha256": "5abdcb56935324216ff8d42e978ebb491fbe54cafcc4d7fe8b3ac582d9ad5be1",
"type": "eql",
"version": 7
},
"c766bc56-fdca-11ef-b194-f661ea17fbcd": {
"rule_name": "Entra ID User Sign-in with Unusual Client",
"sha256": "2754c97acd73e4a1a90ee94002f7eb0e7e45f5d98ba148f2d48097b6cf7db360",
"type": "new_terms",
"version": 7
},
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "968760f56651ba90e6f5231336d0b45578d1163d2f2e90f692dffe853c7a96cf",
"type": "eql",
"version": 213
},
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "ce477162c8755daf91cd6ec21a989119639bc8eb2c0373f6e74309d5885da2ca",
"type": "query",
"version": 210
},
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"rule_name": "Unusual File Operation by dns.exe",
"sha256": "5e7a49ea7a36e33b0fee16211e255c693da22703192b2401d1fe49fe7ba2915f",
"type": "new_terms",
"version": 218
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"rule_name": "Spike in Network Traffic To a Country",
"sha256": "3400eb9c633145b2e7439c65f498db5bfb7dcafd680699d908e79e11eda2a0fd",
"type": "machine_learning",
"version": 110
},
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "c214ac68f9bcf286e1bb6d40a6982c5bb92697877f85be0a95fbf6efa738cd74",
"type": "eql",
"version": 112
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "10648d7de1f37e2c2263dd57fc51389dffef0106a8e191d1c6011101668c0d04",
"type": "new_terms",
"version": 111
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "SMB Connections via LOLBin or Untrusted Process",
"sha256": "748d8e74b57ecaf308003adab7aad2e238595a50ae2ad8ab015b3f5553d1e10c",
"type": "eql",
"version": 117
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "10971404f4a346079b0483d85790d52dc211b28704722b156c33bb04e4afd15d",
"type": "eql",
"version": 109
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
"type": "query",
"version": 100
},
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"rule_name": "Parent Process PID Spoofing",
"sha256": "df65039d7edf82d347ef415b2522979d9e33f3f6c9dfccfe777461e024aaf91f",
"type": "eql",
"version": 111
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "5970502fee1978894616af37f79e879604513bcf66ed22247fb150855080e587",
"type": "eql",
"version": 15
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "0a734ad1795c3fce393559e4e4e0ef121722612a0ce4601020f58a7da3a813eb",
"type": "eql",
"version": 319
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "352973abc5de6aa343cb0a43ebacdc47da892f5ab3ceaee64421d64f9d3f85d1",
"type": "eql",
"version": 319
},
"c8e4f1a2-9b3d-4c5e-a6f7-8b9c0d1e2f3a": {
"rule_name": "AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization",
"sha256": "8a3498f14621e9a31ea7d7aba56abfba0a48df0847f409fdbc1aa98c97650e11",
"type": "new_terms",
"version": 1
},
"c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2": {
"rule_name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource",
"sha256": "bd1d6bba6db66e65f1767382604d9b24e1294f3a9ffa4af53d24e543b873f322",
"type": "new_terms",
"version": 4
},
"c8f4a2e1-9b3d-4c7e-8f2a-1d0e5b6c7a89": {
"rule_name": "Kubernetes RBAC Wildcard Elevation on Existing Role",
"sha256": "8be233686963dcee1e3681959cf8ee8ad11a290cf119c734323ac12993497b94",
"type": "esql",
"version": 1
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "cc426be014bfdaeb8153646d980d01ba3d006c7438be1bf1d22e0e29711ea1f6",
"type": "eql",
"version": 13
},
"c9636a6e-125e-11f1-9cd3-f661ea17fbce": {
"rule_name": "M365 Exchange MFA Notification Email Deleted or Moved",
"sha256": "094dc18b50795209d755efb3bdd0584e88c9ec87bae1488a08941d8589795aaf",
"type": "eql",
"version": 3
},
"c9847fe9-3bed-4e6b-b319-f9956d6dd02a": {
"rule_name": "Potential Remote Install via MsiExec",
"sha256": "1f8c37ec7d8732adc850d44f0551c23cc024a117e900d86c18eddc1e1f5037c1",
"type": "eql",
"version": 5
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "cc40f7557b619c20a993ef46dd7b17fa103e74bae9608ccdd499efb61aa5b88f",
"type": "query",
"version": 105
},
"ca3bcacc-9285-4452-a742-5dae77538f61": {
"rule_name": "Polkit Version Discovery",
"sha256": "9057c8fc734774b49324b875ba5e83569cc77adb125c1abb70688ebfedcdbcc3",
"type": "eql",
"version": 7
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"rule_name": "M365 Exchange Malware Filter Rule Modified",
"sha256": "40e40f2b6cade21188d70b1cc6876d692ccaf50e173a15c2d7f5bc6e26d1448b",
"type": "query",
"version": 213
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "2f434bb2fbc6b983bdb724b37e5d80a5191ada3fb55aee8ae2afd61e994acbd9",
"type": "eql",
"version": 15
},
"caaa8b78-367c-11f0-beb8-f661ea17fbcd": {
"rule_name": "Entra ID User Reported Suspicious Activity",
"sha256": "942738b94399d43ced484e1f6170b1627d22e29e30946bf629ef8b2978c50837",
"type": "query",
"version": 6
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
"type": "query",
"version": 100
},
"cac91072-d165-11ec-a764-f661ea17fbce": {
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "7741096692f9fe425bdb8c608cb7b6d139ecb608252b6e1bc29bea7446dce8b8",
"type": "new_terms",
"version": 219
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "8c2d19d60ea0eca73775d4c700e75c6ce53042b1235213dee6ff1a31e37bb5b1",
"type": "query",
"version": 212
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"rule_name": "Suspicious Calendar File Modification",
"sha256": "c165e516becec15b1c1aa845d2f5d093956b2a7e28df7cb656de4b393ca6a50e",
"type": "eql",
"version": 110
},
"cbbe0523-33f3-4420-b88d-5c940d9e72c1": {
"rule_name": "FortiGate Super Admin Account Creation",
"sha256": "d7217f55364d8322b66e8c599721d64499e35c2cfb070e0b4e9ec22e497896a1",
"type": "eql",
"version": 2
},
"cbda9a0e-2be4-4eaa-9571-8d6a503e9828": {
"rule_name": "Kubernetes Secret Access via Unusual User Agent",
"sha256": "5c721d5177cca18be2b221ec5d1a2c3dbecc53be6c90ecc978f09a0ae0be5672",
"type": "new_terms",
"version": 3
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
"type": "query",
"version": 100
},
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"rule_name": "Attempt to Enable the Root Account",
"sha256": "dc65243f14859cec0de10c90d31e854d1dfab19c45872d94ad5938971bf56fe6",
"type": "eql",
"version": 111
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "276e47f1c1a7661fdcc6d3c2b07f2989d6a5b3e39c40c0dfdf0fd3f7b8bc418b",
"type": "esql",
"version": 311
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 106,
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "cccf8163251c02a31b7641f4b2d35ec23a5878faccdeab0923ab6cc423dfcdaa",
"type": "machine_learning",
"version": 7
}
},
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "e2f7d9be525edcabce6a79ec3d4e29a0d63faf3b3ce5c662631e46deee74aeb8",
"type": "machine_learning",
"version": 107
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "7ec6f7bcf0fd4a713ff9c6ad38220d76e00bca8d333e36385bc55f3afc788495",
"type": "query",
"version": 111
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"rule_name": "GCP Pub/Sub Subscription Deletion",
"sha256": "0b14b06375574bc3460aa42b0883902a71dda721561cbc763b1346983d30439d",
"type": "query",
"version": 109
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "f78afd3ef31ec247c8f93c3bded0ef9093593d4a4242d2da616e845a91d47463",
"type": "query",
"version": 416
},
"cca64114-fb8b-11ef-86e2-f661ea17fbce": {
"rule_name": "Entra ID User Sign-in Brute Force Attempted",
"sha256": "504d60716fcab3c62c39017161592cd1f993a179ce83dd9c3d56a64b35a046c1",
"type": "esql",
"version": 9
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"rule_name": "Potential Process Herpaderping Attempt",
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
"type": "eql",
"version": 105
},
"cccc9be5-d8b0-466e-8a37-617eae57351a": {
"rule_name": "M365 Entra ID Risk Detection Signal",
"sha256": "80306f186a6e389d65f795a639aa14cc2d0d5e9278ce95f2eadbef633acdebc2",
"type": "query",
"version": 2
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "1f05b381a736d947775748f47767925c574667300ceab8fba31733fe5f0f0fea",
"type": "query",
"version": 415
},
"cd24c340-b778-44bd-ab69-2f739bd70ce1": {
"min_stack_version": "9.3",
"rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers",
"sha256": "e426cd61370f7a3337d24e8fa843cb3ff9bc78469f0b54ef7f2f20320130b2e9",
"type": "eql",
"version": 3
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
"type": "query",
"version": 100
},
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Anomalous Linux Compiler Activity",
"sha256": "35c7e422c3df463c1657227267587350013b8a6f6625e624b528caddc9621936",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Anomalous Linux Compiler Activity",
"sha256": "d580170ce5f9b525d575b03481dc0cff351e862ea09c42f5d0d27f1e1567dc86",
"type": "machine_learning",
"version": 208
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"rule_name": "Kernel Module Removal",
"sha256": "94cc28cf394367383a56845044b14d18c01451f0e54fcce503353ef789d7d0cc",
"type": "eql",
"version": 215
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"rule_name": "Downloaded URL Files",
"sha256": "e7da9e328dc068e58d02c3588b1b8169288b6dc8641369ffef8fa2f3dd2a7da5",
"type": "eql",
"version": 9
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "d062e4cdfbd30c711e2dc526868a474e5bed707bf2cd718b1b73f589d6d63332",
"type": "eql",
"version": 419
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"rule_name": "Okta User Session Impersonation",
"sha256": "d1e454f298e77b0999edbb6252ad1bb10f84eff94a05ea0522b3bb3c02859802",
"type": "query",
"version": 416
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "4be76e64dd78a60dd653583d166ff23a96f61d81cc9540d321047abcbecc57ac",
"type": "query",
"version": 221
},
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
"rule_name": "Shadow File Modification by Unusual Process",
"sha256": "fa212f11ff7dc31c458f4c5b4a44abf511bad5178eaab6a43dd2471e02b8de8b",
"type": "eql",
"version": 7
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "cb096a6dea392aedfc4158c3ea6faa4bbc4ba5dc20f240c5c486db678b44a67e",
"type": "new_terms",
"version": 208
},
"ce08cdb8-e6cb-46bb-a7cc-16d17547323f": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 101,
"rule_name": "Unusual City for an Azure Activity Logs Event",
"sha256": "30df431b2784b5a707dfdd493977ad52e071e6ea4ef199bc4a1474e010c0f823",
"type": "machine_learning",
"version": 2
}
},
"rule_name": "Unusual City for an Azure Activity Logs Event",
"sha256": "e8a2532663bc99ed107bd3f71dfca99a418b5e691dd0c8311d997b2dcbcf37e7",
"type": "machine_learning",
"version": 102
},
"ce4a32e5-32aa-47e6-80da-ced6d234387d": {
"rule_name": "GRUB Configuration File Creation",
"sha256": "8171cdc003b23ecc74cd941913d99aa321de69230dc036f86df3e89ee88cc8a6",
"type": "eql",
"version": 6
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "d05044b0347897f56e49915d07ac39e23e1ccd2ce9e72cc40f427e958b496251",
"type": "eql",
"version": 318
},
"ce73954b-a0a4-4f05-b67b-294c500dac77": {
"rule_name": "Kubernetes Service Account Secret Access",
"sha256": "f037b6877c9466fa03677ff27ac9dc757799db083eafb89b01048fb5fb2e5336",
"type": "eql",
"version": 4
},
"cebabc1e-1145-4e39-b04b-34d621ee1e2c": {
"min_stack_version": "9.3",
"rule_name": "Shell Command-Line History Deletion Detected via Defend for Containers",
"sha256": "979ca3e8ac0709e5e783a63e0ca0ccd14744cb170a17f6cc02fa41296d31801d",
"type": "eql",
"version": 1
},
"cf2b8cf5-3364-4396-b551-42aae9b6d37e": {
"rule_name": "AWS SSM Session Manager Child Process Execution",
"sha256": "503d37331fe7187fb01b1d447fea2925952becaaadf1c18dccb8337fd23ad792",
"type": "query",
"version": 1
},
"cf307a5a-d503-44a4-8158-db196d99c9df": {
"rule_name": "Unusual Kill Signal",
"sha256": "87b48799b45644f192a3001a0f4b89af47c77b4ee43ae485b40c621af5497e63",
"type": "eql",
"version": 2
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"rule_name": "Cobalt Strike Command and Control Beacon",
"sha256": "1b90eba9a9e009732a4566d19620ff6a110c5d3ed75e1459e87850d2b6fa4d07",
"type": "query",
"version": 108
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "03ce40b74fdb6629caa18779e5369e9b7cb5144ddcc273d2708ffb29de856174",
"type": "query",
"version": 210
},
"cf575427-0839-4c69-a9e6-99fde02606f3": {
"rule_name": "Deprecated - Unusual Discovery Activity by User",
"sha256": "13f9e9049c5bddcdde9abfd3501c2925eb76c07771c5c7a4c2e3cc40842774e0",
"type": "new_terms",
"version": 3
},
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
"rule_name": "Trap Signals Execution",
"sha256": "5d1c2a7fa37d485677c9525e57187ee14cae40657b6b37b87075a86b32fd53f2",
"type": "eql",
"version": 6
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "1cf0003b3ca2311e92a88d6dfe5f2172d9c346610169fa2fe67cca1dbb6e51da",
"type": "eql",
"version": 322
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"rule_name": "Archive File with Unusual Extension",
"sha256": "b3379c22774ddf7b3ad4cd9061769227cc13b67a811eed8e01aef15ddbb008eb",
"type": "eql",
"version": 4
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "7ce775edec6e2b9fd8f1f5e9790a1455232f7e73618d25ead665bd65ef08c238",
"type": "eql",
"version": 116
},
"d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03": {
"rule_name": "FortiGate Administrator Account Creation from Unusual Source",
"sha256": "7daf11e701fa16bab823faa10886c4ccaae4187b0fb8c0bd88c578e3fb308798",
"type": "new_terms",
"version": 2
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - AWS Credentials Searched For Inside A Container",
"sha256": "b2a40d71fd9d37d3049115575c0b2fb19ff325ffd3ffd71b963d514ce7feb28f",
"type": "eql",
"version": 3
}
},
"rule_name": "Cloud Credential Search Detected via Defend for Containers",
"sha256": "152389ffbec21b8c6cf4900a221557e3cbba23580dac8dcec675d8f6d38962d7",
"type": "eql",
"version": 104
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "b4f7eba2bacf2674558ed2020f01ac7344ecff673f119c66d8bf69963e5bdcd2",
"type": "eql",
"version": 317
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "91f370c60039a671e72337449587aafc3949520d1bc4a0aad944f952d97292f6",
"type": "eql",
"version": 319
},
"d121f0a8-4875-11f0-bb2b-f661ea17fbcd": {
"rule_name": "Entra ID ADRS Token Request by Microsoft Authentication Broker",
"sha256": "7b37bd4e071c45f94202000f79dbdb61c43277a88f56832e69af3e5209713192",
"type": "query",
"version": 4
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "5ce22bd1666f3e32e386cc8496062f37329380d440efdd91c6fe1802dc7323dc",
"type": "eql",
"version": 10
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"rule_name": "Compression DLL Loaded by Unusual Process",
"sha256": "b8ef92cb19cb52e0bd7fb40cff7396636355fc683271c5bf1dbbd88a63e7753c",
"type": "eql",
"version": 6
},
"d19a2399-f8e2-4b10-80d8-a561ce9d24d1": {
"rule_name": "System Binary Symlink to Suspicious Location",
"sha256": "83f4835ace6e0cacb08b95892e3708076af8aa86de8a18edb56b641b451e2d61",
"type": "new_terms",
"version": 5
},
"d1b37c0b-4f8b-4cfb-9a1d-639bf8c028b7": {
"rule_name": "AWS Rare Source AS Organization Activity",
"sha256": "3aa90af79b03b53c743e4dcd0fd751c08cd550e2cc7cd3d6befd75fe1f03aa3c",
"type": "esql",
"version": 1
},
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
"rule_name": "AWS EC2 Instance Console Login via Assumed Role",
"sha256": "61f85c45874c50154a1dccbfdaa725b0313fe326ded94f01931dc0e5d05735c1",
"type": "eql",
"version": 8
},
"d1ee711a-a3ba-4d73-b5ab-84cab5b37fb3": {
"rule_name": "Curl or Wget Egress Network Connection via LoLBin",
"sha256": "ce203e6ef36a4f383860bdf870609761df68e02c57e8d531399a85f8423111d2",
"type": "eql",
"version": 2
},
"d1f310cb-5921-4d37-bbdf-cfdab7a6df9c": {
"rule_name": "Privileged Container Creation with Host Directory Mount",
"sha256": "75d684bf84179e6a25e644ac7d2db82a2d829dfdf5935cebecd941e03db6bf7d",
"type": "eql",
"version": 2
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
"type": "query",
"version": 100
},
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "762e4b15bacae2524f2eb4f6453f08cbabda5dc4ec577ed0a48d96b0f24b35df",
"type": "eql",
"version": 111
},
"d26331be-affe-46b2-bf4e-203d0e2d364c": {
"rule_name": "AppArmor Profile Compilation via apparmor_parser",
"sha256": "46f9b9dcc7c864ded6022aca5cdf7d66a3c6b1c46ede076a0e7cbbfcd22e3366",
"type": "eql",
"version": 1
},
"d2703b82-f92c-4489-a4a7-62aa29a62542": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Region Name for Windows Privileged Operations Detected",
"sha256": "7d7f91e46122ecfa96e68cf202a12ce57732a41f839a42d4fb9c06d5e92c3f06",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Region Name for Windows Privileged Operations Detected",
"sha256": "0cedef065a88abd73d1662ab02552fdeee793d2ccf56f8eb78f729788dd786cf",
"type": "machine_learning",
"version": 104
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "d7a79c8c0bd79359418e9da37bf2de94c0807cd52386fb3373d97586dd42a0f4",
"type": "eql",
"version": 318
},
"d32f0c27-8edb-4bcf-975e-01696c961e08": {
"rule_name": "AppArmor Policy Interface Access",
"sha256": "540ec9c59c4ac14e4d8d22452a9727e0b44f48c1495a3a435a5f31c1d189dd96",
"type": "eql",
"version": 1
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "5bc1c4710d8d050588cfa022146eb44a57881fee2248fe986267feba1f4b5e51",
"type": "eql",
"version": 322
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"rule_name": "Remote Windows Service Installed",
"sha256": "351040da536a8a222689ecf0d8ab1ba90a409e476f1222298de6b66d923d882d",
"type": "eql",
"version": 114
},
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "51c7d5aa91a02787b7a35cb450939619d0c1ce259e63a6fb6071f939b1b10e98",
"type": "eql",
"version": 107
},
"d3b6222f-537e-4b84-956a-3ebae2dcf811": {
"rule_name": "Splunk External Alerts",
"sha256": "f378f24577665171fd3b33d5b1172def6d1fa3fa89da6e34e50c43d6f969e922",
"type": "query",
"version": 1
},
"d43f2b43-02a1-4219-8ce9-10929a32a618": {
"rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
"sha256": "5159602762205589013e36bbd555824dadecd1d06e4df9e447253d043ff44ff9",
"type": "esql",
"version": 11
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "dde2f1948e3783288c5dda0fd4b020d47ac4e2ebc6daebe917d4a373dac35ab9",
"type": "eql",
"version": 113
},
"d488f026-7907-4f56-ad51-742feb3db01c": {
"rule_name": "AWS S3 Bucket Replicated to Another Account",
"sha256": "6bd7b6a580b9950f4a7a1d4911e00797056e57451d2c13d8236fa85a164dfcc6",
"type": "eql",
"version": 8
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "e0d1d6ba9b6ddf06ad72a0643f809d174cf9219b545d4dafb9b3c180160d2b19",
"type": "query",
"version": 413
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "f8132f6b4f1aa63e9d8e5d21d90394f93a1b56d7bf48aee2bb0c885b3549587b",
"type": "query",
"version": 105
},
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 206,
"rule_name": "Unusual Linux System Information Discovery Activity",
"sha256": "6627f591ca6d6b6c00b13706a2d600da692be5dda59b7cc6c0e071c43106075d",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Linux System Information Discovery Activity",
"sha256": "573b1809a649fa13bd4353d662f89857a9fe492c5d4c9c5572453e947abb52da",
"type": "machine_learning",
"version": 207
},
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Unusual Source IP for a User to Logon from",
"sha256": "c9833b1d069a636b244cc7e624faecf1e2964d7a6b4cf53d49455c51c3a33462",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Source IP for a User to Logon from",
"sha256": "eb3d13a478da5da270de435f9b6c3ac9f2aaa9e410767a5c8d5872f74b1a0e79",
"type": "machine_learning",
"version": 208
},
"d4e5f6a7-8b9c-0d1e-2f3a-4b5c6d7e8f9a": {
"rule_name": "Azure Compute Snapshot Deletions by User",
"sha256": "0590c3ea783eef7a74ae9523153050ad013e39861a445e6d94296ba3c30fcb00",
"type": "threshold",
"version": 2
},
"d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a": {
"min_stack_version": "9.3",
"rule_name": "Elastic Defend Alert from GenAI Utility or Descendant",
"sha256": "2f69f97c7af3342e8ab161cd591c78a70c34aaa5b8ac43abe43090bb0658f4c5",
"type": "esql",
"version": 2
},
"d4e8f0a1-2b3c-4d5e-a6f7-8b9c0d1e2f3a": {
"rule_name": "AWS IAM Customer Managed Policy Version Created or Default Version Set",
"sha256": "b358dbfbed4eaf573315c79ec108874c58ce7ac3db8f94f63f765622b36a20d4",
"type": "query",
"version": 1
},
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "12504527fe33d0f0d50bdee315c515557afbc1166edfdce8c68ddf82b11d3817",
"type": "eql",
"version": 112
},
"d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c": {
"rule_name": "Kernel Module Load from Unusual Location",
"sha256": "42ab912e8f87151cc830318d80b8fcacef86ad752a051c7f3c2a5bafdcc76af5",
"type": "eql",
"version": 3
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "e033856be7ad362345e1ba2b993b90b1aaeec55773bbadf68127329c2ac3bed8",
"type": "eql",
"version": 11
},
"d55abdfb-5384-402b-add4-6c401501b0c3": {
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
"sha256": "39da3f93465e6657006f53771e217c4fc049da876a80117b4cd2e4d6ba155a2f",
"type": "eql",
"version": 8
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "072f511c23260ba660cacdaedd1876a631d69a1b695e05b41ea3ca3448285f51",
"type": "eql",
"version": 315
},
"d591d7af-399b-4888-b705-ae612690c48d": {
"rule_name": "Newly Observed High Severity Suricata Alert",
"sha256": "de1f830567ec7ac8c8a76bd6164a6af0895adedc8ceb7ea49c91dda648461626",
"type": "esql",
"version": 3
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "3086f8e9b0537db524ac52264f95c531385a9dd43a5942e444649fcad336c138",
"type": "query",
"version": 415
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"rule_name": "Service Command Lateral Movement",
"sha256": "f6e11ce06e76dae63a181eb541563bd9478e69b749f15e3a5ac84fdefd47e11d",
"type": "eql",
"version": 212
},
"d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
"rule_name": "Unusual DPKG Execution",
"sha256": "189ec619c7b3f1acbaf3ec85c31d1cdef910e9f4fb1e9eee4e320cf66524c3eb",
"type": "eql",
"version": 8
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "a46f7108d987f5867d7a89f6ebead05786233dab13864eafc0980d67d2bbb886",
"type": "query",
"version": 215
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"rule_name": "GCP Pub/Sub Subscription Creation",
"sha256": "afdbda3dde84fa473ded32b17d3c9c5a7f31bc6f7d069c45b4bd2a449afcae34",
"type": "query",
"version": 110
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
"type": "query",
"version": 100
},
"d6702168-2be6-4d7d-a549-9bff67733df3": {
"rule_name": "IBM QRadar External Alerts",
"sha256": "d87d352178c0de5f4c543c32276715abb35d6357dc42f75d84ac84b2401aa365",
"type": "query",
"version": 1
},
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "a12f6445936ab83bfae7520bc8f1d544d357ae58d9fca890908ee6320fefb81b",
"type": "eql",
"version": 118
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"rule_name": "M365 Exchange Anti-Phish Policy Deleted",
"sha256": "9511b82aeec35d19961ca08da3e0fe578cfd57551921a610cef015721b43bc6e",
"type": "query",
"version": 213
},
"d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f": {
"rule_name": "Potential Protocol Tunneling via Cloudflared",
"sha256": "ce6454a80c785ff43356dc00ba0a798148f8a47cb228ba6ada6f7401d7741728",
"type": "eql",
"version": 4
},
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"rule_name": "Modification of WDigest Security Provider",
"sha256": "6e66c624263fb09663f0683aee91a1c75afb76f643f116aa5e9eb16e8a6915d5",
"type": "eql",
"version": 217
},
"d70c966f-c5ef-4228-9548-346593cd422d": {
"rule_name": "Unusual Process Connection to Docker or Containerd Socket",
"sha256": "7d3b65bfb9efed8938e8d51a738e97060eb210b496bc611a1795c93ec01ffe47",
"type": "query",
"version": 1
},
"d7182e12-df8f-4ecf-b8f8-7cc0adcec425": {
"rule_name": "Pbpaste Execution via Unusual Parent Process",
"sha256": "3cfed4a1b0aa89c53b098fc2987859ebe883bc1267bc374ba18070c2e9a4f5e9",
"type": "eql",
"version": 1
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "6c8f7e690fc992ad98b1a2c1101f2ba9ed50cca218d536e7c1884a8f52471e45",
"type": "eql",
"version": 319
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"rule_name": "M365 Exchange Malware Filter Policy Deleted",
"sha256": "3adaab0d509bfe15b688bc4f88053464321d610fa1ec88316130980d84582fb0",
"type": "query",
"version": 213
},
"d74d6506-427a-4790-b170-0c2a6ddac799": {
"rule_name": "Suspicious Memory grep Activity",
"sha256": "bd02b6e884a029c82503af499237b283074d0ca5c44c925afc8f88dcd6162644",
"type": "eql",
"version": 109
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"rule_name": "SystemKey Access via Command Line",
"sha256": "0eb4e9b2e8d7ae7e32cea1ab9708d0e2c67a166339ae6128cf014faf53bb202b",
"type": "eql",
"version": 211
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "6903d7db95ea1e3cd259c3ce0b5ca1cea3642360c9cfae1b6e55c16f174b1c7d",
"type": "eql",
"version": 216
},
"d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": {
"rule_name": "Python Site or User Customize File Creation",
"sha256": "b1b0ab169ce762f2b928b00dbc60e869cc527620231972f6845fb6d33ec29a8b",
"type": "eql",
"version": 7
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"rule_name": "Azure Blob Storage Permissions Modified",
"sha256": "ded822ec5092e708b8c124227dbc29b933f95ea146bf4d92834bc41105e150bf",
"type": "query",
"version": 110
},
"d7b57cbd-de03-4c3b-8278-daa1ee4a6772": {
"rule_name": "Suspicious Apple Mail Rule Plist Modification",
"sha256": "a0c45fe46654506f314348d84713c3f366b341eea449497c5470f69c930e5b6b",
"type": "eql",
"version": 2
},
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Spike in Logon Events",
"sha256": "317c0266782452758057ef761b442ef54ece9724de45c6cdbb81cc02870772b1",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Spike in Logon Events",
"sha256": "c29b7f8eaa644ba59a41c217b164035424b0b42506ea6cae59993fbfea56b596",
"type": "machine_learning",
"version": 208
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
"sha256": "d525b40ecee5195fb6dd26c7e0a3b458d1002aa5d043016b236c48332cf0b40b",
"type": "query",
"version": 111
},
"d84a11c0-eb12-4e7d-8a0a-718e38351e29": {
"rule_name": "Potential Machine Account Relay Attack via SMB",
"sha256": "dd7dbcab64a1af066709c965e6e904bd1f93c69923a1cde4221dbe5b39ceea64",
"type": "eql",
"version": 4
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"rule_name": "Untrusted Driver Loaded",
"sha256": "521c26dd7b4a866375b12d8bf94fc96f58c4609c18d20e1af2bbb6737116b711",
"type": "eql",
"version": 13
},
"d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": {
"rule_name": "Potential REMCOS Trojan Execution",
"sha256": "9980c44f4485b07a1b435cab511bf5458e092b30640924be72d91e2438814535",
"type": "eql",
"version": 3
},
"d8f2a1b3-c4e5-6789-abcd-ef0123456789": {
"rule_name": "Ollama API Accessed from External Network",
"sha256": "e3733d532630c219d6614d21fb75e356d22f16ec0a9ff3f0f60224843ab8c594",
"type": "eql",
"version": 2
},
"d8f4e3b0-8a1b-11ef-9b4a-f661ea17fbce": {
"rule_name": "Azure Compute Restore Point Collections Deleted",
"sha256": "38554163bf5d4d1b147f9137f117e510d8f097d49b32da256957eb1ab28fe4f0",
"type": "threshold",
"version": 2
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "f45c32cad0da7a071d36e956585cc06c542c9a29b537439c503a699b2e8937d5",
"type": "query",
"version": 216
},
"d93e61db-82d6-4095-99aa-714988118064": {
"rule_name": "NTDS Dump via Wbadmin",
"sha256": "b5b01fd3137c66953523e88ed94247e81d9efe10e2782519d665bfeeb5e77648",
"type": "eql",
"version": 209
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "f0818620cb57af36acddfe05cb87d184601a31dbe28ba5e8bd4f5e367bd4cd38",
"type": "eql",
"version": 318
},
"d9af2479-ad13-4471-a312-f586517f1243": {
"rule_name": "Curl or Wget Spawned via Node.js",
"sha256": "951ee0aea30e70bfde8e78165a1547a8b00bdc808aad4a313029de907d78bfc6",
"type": "eql",
"version": 6
},
"d9bfa475-270d-4b07-93cb-b1f49abe13da": {
"min_stack_version": "9.3",
"rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"sha256": "07b381c84cab6bd05cd985d2912671b0d45207acb284af1f93837b49a556c20c",
"type": "eql",
"version": 3
},
"d9faf1ba-a216-4c29-b8e0-a05a9d14b027": {
"rule_name": "Sensitive Files Compression Inside A Container",
"sha256": "9c333571d80d149931449ce4fe2f16cc2b89cb7d0b97e5360a06a35349eec9f6",
"type": "eql",
"version": 4
},
"d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
"rule_name": "Suspicious Windows Command Shell Arguments",
"sha256": "dc6aa3431de19bd229cf92b2a7fd92a72dc57231303e70f142c18278d1252d14",
"type": "eql",
"version": 208
},
"da0d4bae-33ee-11f0-a59f-f661ea17fbcd": {
"rule_name": "Entra ID Protection - Risk Detection",
"sha256": "0f39ccaeadc0c6cf3a2ee85643d96368b7334c7b492b8517a90569b012196537",
"type": "query",
"version": 2
},
"da0ebebe-5ad3-4277-95e7-889f5a69b959": {
"rule_name": "System Information Discovery via dmidecode from Parent Shell",
"sha256": "c5119c7d8cb6ba0ab9fb94430ae2c2d1e3e6a6ebf20e2e18c60d9d4a5447293b",
"type": "eql",
"version": 2
},
"da4f56b8-9bc5-4003-a46c-d23616fbc691": {
"rule_name": "PANW and Elastic Defend - Command and Control Correlation",
"sha256": "9c4cc881a8a05c1e645c6fe4391834b009ca46b5124f18c1b821ee66b634a942",
"type": "eql",
"version": 2
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "f176da9360e2f2c3e8860fe15eb235214bcd1dcb323c49fd9e72e96df1a1b1aa",
"type": "eql",
"version": 217
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "d887a9027105bdf4a170339cbb9e7012eb40383c6c65812c787c1f612543ae11",
"type": "query",
"version": 9
},
"da7f7a93-26e1-49ce-b336-963c6dc17c7b": {
"rule_name": "Multiple Machine Learning Alerts by Influencer Field",
"sha256": "261d3febfee5e90a2350910f92af7a263d627358d8f42ad07c4a9e339509fdb5",
"type": "esql",
"version": 3
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "674d5611f7c4e7c2d56833a0a0b8b8f7afb23a14664b0b58853854141dfebc4a",
"type": "eql",
"version": 117
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
"type": "eql",
"version": 100
},
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "c380424b1c7a8b15cd6c69f19e2aeb996b3c3fc438a6d4bf4b91a48d47e8f852",
"type": "new_terms",
"version": 111
},
"dacfbecd-7927-46a7-a8ba-feb65a2e990d": {
"rule_name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access",
"sha256": "7698bb07813a340c67e08c1e0d6c46f4495d8677699f8d9107e8b142f7ca07f9",
"type": "eql",
"version": 3
},
"daf2e0e0-0bab-4672-bfa1-62db0ee5ec22": {
"rule_name": "Github Activity on a Private Repository from an Unusual IP",
"sha256": "cdc80e68084ebe217495f688541fa82a88b6d61c98e0db63dc780d2bdb4f097d",
"type": "new_terms",
"version": 3
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"rule_name": "Entra ID MFA Disabled for User",
"sha256": "f6bdc31ea3c2eddf3ce464b3867eaec5b1aa65d326c6a8d9e15c3efe12d9debb",
"type": "query",
"version": 111
},
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "7bd11c1b9d14c0b64b5fc2d21036e0a4f3582a43c218da0a6826ca7aa6a33559",
"type": "eql",
"version": 210
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "c054d7bcf3340f3352424a90c89e9d0445764287f7293857c90eb806c386af43",
"type": "eql",
"version": 217
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "a78cb90c7f0afb001831e03cd16a5cb52e24282352980bd0daf83fa50fbc9119",
"type": "query",
"version": 105
},
"db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f": {
"rule_name": "Entra ID Service Principal with Unusual Source ASN",
"sha256": "47e4c635bd2fc84b836711971b0d8c151eafaf5a921900bf220e58aea6fc9e00",
"type": "new_terms",
"version": 3
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "04a000054fd086fe35b3e52f9d3eb48095fbb9e0b2f9aacddf7ec8e892c6d415",
"type": "eql",
"version": 111
},
"dc61f382-dc0c-4cc0-a845-069f2a071704": {
"rule_name": "Git Hook Command Execution",
"sha256": "df35f25f9ccc47ef6da1162061e6426b9e9a36091db4987ef34c162d36beacfd",
"type": "eql",
"version": 108
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
"type": "threat_match",
"version": 100
},
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "7e94ec06da053b5379f26e7355e1de6a3ec95c67115e9537b7ace9a1e062ad88",
"type": "eql",
"version": 115
},
"dc765fb2-0c99-4e57-8c11-dafdf1992b66": {
"rule_name": "Dracut Module Creation",
"sha256": "e7901044b018b0d51e7579987769d7d815f196e226c06f7802072f53c04388c1",
"type": "eql",
"version": 6
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "47d52567d1c3bae001db77709a1e8aff40f889ce53a7aaf7c9c0218fccf56010",
"type": "eql",
"version": 317
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
"sha256": "5fcc8e1b8ffda2633c5e84605dbccd3b4fa19f61cb6746ba6f2e9673df63aa6f",
"type": "machine_learning",
"version": 212
},
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "ec304aa55d1d4f1641743ac7118be33facd1da2f08d730f7ba48d716f6a02747",
"type": "eql",
"version": 212
},
"dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 101,
"rule_name": "Unusual Country For a GCP Event",
"sha256": "c007ef6fbd3ab40348587d3c21a2cdd12d03971945ea59b220b0d84cf3b8d802",
"type": "machine_learning",
"version": 2
}
},
"rule_name": "Unusual Country For a GCP Event",
"sha256": "e1b3ec7e1ad5085043b0e15521b9f164298bfc915884a6f8315a6e202ea53c00",
"type": "machine_learning",
"version": 102
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"rule_name": "Attempt to Install or Run Kali Linux via WSL",
"sha256": "b4dec363cc87b83e8de55fe91c72957864534614c92d32f07c9a2356c8ea2b41",
"type": "eql",
"version": 217
},
"dd52d45a-4602-4195-9018-ebe0f219c273": {
"rule_name": "Network Connections Initiated Through XDG Autostart Entry",
"sha256": "61c08b145f474da52f1ef04e85dcb57c8943bda0687f41fc8d07ac5da39fcb73",
"type": "eql",
"version": 9
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"rule_name": "Reverse Shell Created via Named Pipe",
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
"type": "eql",
"version": 6
},
"dd983e79-22e8-44d1-9173-d57dba514cac": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Docker Socket Enumeration",
"sha256": "7138568f73259e78a31af51d2811c2a36244b38986fb20b48baf9928b692deaa",
"type": "eql",
"version": 4
}
},
"rule_name": "Docker Socket Enumeration",
"sha256": "3b20c039973e88cff852dc38dbf06dcab6f9f7dddf03fff3e2c9b9ea124a1b4a",
"type": "eql",
"version": 105
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "57fc4d41f585e9622767d73c6374d8b6d69d72f69433691499262a4bf492032c",
"type": "eql",
"version": 316
},
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
"sha256": "ae224b4b5bf9c3ce6f6db645cadbc8352cd2f23dad4cf4b8359ff9cb689618e3",
"type": "eql",
"version": 9
},
"ddf26e25-3e30-42b2-92db-bde8eb82ad67": {
"rule_name": "File Creation in /var/log via Suspicious Process",
"sha256": "5f8ad4b3b68a18b84f5a900a3c5491e09f7b0f7e7080c501e059c8c08178977c",
"type": "new_terms",
"version": 5
},
"de67f85e-2d43-11f0-b8c9-f661ea17fbcc": {
"rule_name": "M365 Identity User Account Lockouts",
"sha256": "5e9c7aba985f7171c814ece90db1ada7159ce434f744a6aaedd5bb6ec9c1e41d",
"type": "esql",
"version": 9
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "7791d75c96deb296d5cba1980599b03dd2283e6d586e2f8a6e12acdd83d40bb5",
"type": "eql",
"version": 319
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "cc614eb9ec6ed03a159b5db0dbf49482ecd4ad3eff42784b233103ac0f8201a2",
"type": "eql",
"version": 216
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"rule_name": "Query Registry using Built-in Tools",
"sha256": "c565926c3852c56892fb0501188df9bc15a1e1513cf40aad90ba10370499a8fd",
"type": "new_terms",
"version": 108
},
"deee5856-25ba-438d-ae53-09d66f41b127": {
"rule_name": "AWS EC2 Export Task",
"sha256": "543ead44f26c16aa26bc746708c06f6531c20c28051bd501212c956b5a5e761c",
"type": "query",
"version": 4
},
"df0553c8-2296-45ef-b4dc-3b88c4c130a7": {
"rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners",
"sha256": "554697d96fc03f19bf3758bd9118b506f368879575889f932f4049755fd5e0bb",
"type": "eql",
"version": 2
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"rule_name": "First Time Seen Driver Loaded",
"sha256": "a86e29ad36c65e20a6de39029ef2fd2b315fa075aa314ff2142a7f24e4da833a",
"type": "new_terms",
"version": 13
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 308,
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "de5473b7189c06de5ae65d7300a87f99bc1f61cf9d84b7376eec6c9d45d247d8",
"type": "machine_learning",
"version": 209
}
},
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "b583da4a2219e9b0c1ca1bbb77ab1d2d1fa46c5e8caddef587789c410db5b995",
"type": "machine_learning",
"version": 309
},
"df26fd74-1baa-4479-b42e-48da84642330": {
"rule_name": "Azure Automation Account Created",
"sha256": "48fc5e51a731f7f4cd946c1dd4f14311045c44adaeefced003d70db94d583d69",
"type": "query",
"version": 107
},
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"rule_name": "Dynamic Linker Copy",
"sha256": "74975fc1c4e9c6ba277040431b9fdeb13dcda0d536146b120add215ed4d701df",
"type": "eql",
"version": 216
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "83dd265459b1aa87e352d134366f7a3ddb21c45e95d2c3239472e71faefe7530",
"type": "query",
"version": 210
},
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
"sha256": "e4dc1206fa6f829adfd9c13606980e85749ca4905cf5b656b4f4c60403d268c6",
"type": "eql",
"version": 9
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
"type": "query",
"version": 100
},
"df9c0e92-5dee-4f1d-a760-3a5c039e4382": {
"rule_name": "Detection Alert on a Process Exhibiting CPU Spike",
"sha256": "1c1c33cb7492423d273e6363aba2b89549219fb617f2f7249b70a650f68c8226",
"type": "esql",
"version": 4
},
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "fabd1d888ece7ed98e8dbde37327e15de97291c9b270edd70a6f55113489b9d4",
"type": "eql",
"version": 210
},
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"rule_name": "Delayed Execution via Ping",
"sha256": "eda677d08740a19834e652dd899736788b11c6cd08b52433e01e03a32ff45778",
"type": "eql",
"version": 9
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"rule_name": "Azure VNet Firewall Policy Deleted",
"sha256": "42fd83bb3ed5bb7a69511e4c90baba7006569871c9591996af8add54ba3f9535",
"type": "query",
"version": 108
},
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "60f2e83e2e758d10795f462a4227d514cbaf954e3f734e293bcd14b0923008d8",
"type": "eql",
"version": 213
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "e589be7d2f86dabb5960decd210508e1d28f819cda2df6b1bb9b7902a8b06c62",
"type": "eql",
"version": 114
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "834c73e30108eabb04f904e2f9fb59222b3e3be8401ea3dc2ee9e6d14a39e09e",
"type": "threshold",
"version": 417
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "009201c6e671258aeae2bedc88405596018aabb7b315facd99b1f46ae2585cd3",
"type": "eql",
"version": 111
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
"type": "eql",
"version": 100
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"rule_name": "Azure Event Hub Deleted",
"sha256": "c2a4134579286f6aa1a9ecb0c4e6b4e70eafff7901ea15b721a52a78df45774d",
"type": "query",
"version": 109
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"rule_name": "AWS EC2 Route Table Created",
"sha256": "9b67864d91e23c630e30222f8b30ed291ee313d56d56ea5b11db2d831b11f177",
"type": "new_terms",
"version": 214
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "Deprecated - AWS RDS Cluster Creation",
"sha256": "fbb6042f3855329eb580ee709a18e2bb89dc13f2ec1b6a3ed538b69cdc0b5c50",
"type": "query",
"version": 210
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"rule_name": "Connection to External Network via Telnet",
"sha256": "531ef817962d765ea1d1873aaba42843ea3beaae12f70d493be1b6b58326b983",
"type": "eql",
"version": 213
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 106,
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "1865ab89709d91f25e6761fe52e410b8cf0fe12c7ab1a66b8cff245fe6fe65ca",
"type": "machine_learning",
"version": 7
}
},
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "f99d7c4b92f8aa673ebfc37fc27f755a33e5229dfab0fe63a64aeef8a64e7a63",
"type": "machine_learning",
"version": 107
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "c6b59218f0bd6a67c42d0853ef8efecafa69decfbdb0aa5c7f7edfe917c74a92",
"type": "eql",
"version": 112
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Spike in Successful Logon Events from a Source IP",
"sha256": "8b21616a77df814353badde453886243eb0d298bd177dfbd772563f9cc9a6229",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Spike in Successful Logon Events from a Source IP",
"sha256": "c5424dd0ac4759274a714f7da569350b4c2f72b6cda74241734321138dd7a90c",
"type": "machine_learning",
"version": 208
},
"e26c0f76-2e80-445b-9e98-ab5532ccc46f": {
"rule_name": "Full Disk Access Permission Check",
"sha256": "e7bb1fd6bdeaf8d10f670322c516617a75eaaa78ba368b994860add677b7f488",
"type": "eql",
"version": 2
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "330e090e05d199d784a30dba2d9a2b95c747892566f0625825f70a6c9a46c893",
"type": "query",
"version": 322
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
"sha256": "fab7fa210a76157c989ee04aefd0795f455e6c208c1448b2998bc869fbc08430",
"type": "new_terms",
"version": 7
},
"e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
"rule_name": "Suspicious pbpaste High Volume Activity",
"sha256": "10d2ec7341493ccc024bc77312d038463740052c2544a13310264eb38ec7352a",
"type": "eql",
"version": 5
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "0f802b676e0147391d3eea1fc954cdbc66de1ad2fe46885703ab67114a37fe22",
"type": "query",
"version": 214
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"rule_name": "System Network Connections Discovery",
"sha256": "f40303a3b6fe56ee00bf1284cc98b8436149887e35ef2c1c694e84084ad8f79c",
"type": "new_terms",
"version": 8
},
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "04376f49d3990dd86495c5322be8f5874dcdbda9800cd52e23e796d938b71bff",
"type": "eql",
"version": 215
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "2a2acd0d225dd9d8108f917f710d14db75d681995fd899aa981695fd4099ed06",
"type": "eql",
"version": 219
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"rule_name": "GCP IAM Role Deletion",
"sha256": "320dce36d39b239293241a690b6787ec6882b7ecdc06c47d04b83e1b21d0242f",
"type": "query",
"version": 108
},
"e302e6c3-448c-4243-8d9b-d41da70db582": {
"rule_name": "Potential Data Splitting Detected",
"sha256": "70959d883cd0b3cf2e76630d3a39639178bb9c1f3664108165d1b139efff9d29",
"type": "eql",
"version": 107
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "060bd0e9905307e347187d0f7842f8203cb47e8722ab5137d88a4a17ee7fbf5a",
"type": "eql",
"version": 319
},
"e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c": {
"rule_name": "FortiGate SSO Login Followed by Administrator Account Creation",
"sha256": "cae7737dc54b6466c847d786b61bf90bd201f9da376d07c052e4788915499dab",
"type": "eql",
"version": 3
},
"e3bd85e9-7aff-46eb-b60e-20dfc9020d98": {
"rule_name": "Entra ID Concurrent Sign-in with Suspicious Properties",
"sha256": "a372e57ef0cef6f9c6715b56c0715f3e8ac8e1a4d65dc400f90aa6c3b39e9bfd",
"type": "esql",
"version": 8
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"rule_name": "AWS Route 53 Private Hosted Zone Associated With a VPC",
"sha256": "3b98604c6f720ab440e9969e3346fc5362018681bd80872c3f4fb70111fa3f4c",
"type": "query",
"version": 213
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "6c528e2eaa2548c187927e68a1378a8ae0983ad6786b4c4ea83f5f2791f614ea",
"type": "query",
"version": 105
},
"e3c7a891-4b2d-4e8c-a1f0-9d8e7c6b5a4d": {
"rule_name": "AWS Discovery API Calls from VPN ASN for the First Time by Identity",
"sha256": "902d233527477d56bcbc2c834c105bf68b4b29cb533c1e1b99a2b114cf40f1c8",
"type": "new_terms",
"version": 1
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "e31a7dca3b6a465b5101c181f1b879b428da800176d02b1221220729aaf0d431",
"type": "eql",
"version": 211
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"rule_name": "KDE AutoStart Script or Desktop File Creation",
"sha256": "86251b2eca0b5f3acf7e5da5bfb34467b59c79339df8798d4a928e1e2efc6cad",
"type": "eql",
"version": 220
},
"e3f5a566-df31-40cc-987c-24bc4bb94ba5": {
"rule_name": "Persistence via a Hidden Plist Filename",
"sha256": "e10babd2a4c59e058435d104fde73fcff04b3edff61dc053e1e33516665a6c8e",
"type": "eql",
"version": 1
},
"e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1": {
"rule_name": "SentinelOne Threat External Alerts",
"sha256": "187f393346f1e5ce97e9a11d3cb68a3d26efed06da5070cba9858bb5e01bef6e",
"type": "query",
"version": 1
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "79becf1ff7996919b22b9cac49062931ff331b772499da8b3f52b527c7dfeb78",
"type": "new_terms",
"version": 111
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "bdb8ba5a49e48f7068f93d065fa8dae667a8f2b828e9d74eeb56ab6119ff210b",
"type": "query",
"version": 415
},
"e4c5d6e7-f8a9-4012-b3c4-d5e6f7a80912": {
"rule_name": "Sensitive Identity File Open by Suspicious Process via Auditd",
"sha256": "374ca4536093e555bbef4ff26ebe4be6c8bcbbab2c9b655caaecca14ce351224",
"type": "query",
"version": 1
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "a8d5740eabcbbb09f46fbfdeb0e4366b51fdccf32faeee210f7108501110e476",
"type": "eql",
"version": 213
},
"e4feea34-3b62-4c83-b77f-018fbef48c00": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
"sha256": "6c2fc392dbcba443e196542410750563e9e343c482f502df61fa7227e31fc2bb",
"type": "eql",
"version": 5
}
},
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
"sha256": "58839416fc9659a82bb183c3877b216b52626c83025ba5e2caffa9396998ce00",
"type": "eql",
"version": 106
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "23a60ea4249e0fcdf1f870c4a69bd461fdadf3f92058a07315813a7b88e72d3c",
"type": "eql",
"version": 219
},
"e516bf56-d51b-43e8-91ec-9e276331f433": {
"rule_name": "Network Activity to a Suspicious Top Level Domain",
"sha256": "7a5e47f5bd44607aa08a96e9f60e4b5e3e991f52a1a3e2ad835a3808872c2cbe",
"type": "eql",
"version": 4
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "a6c636f24c7cf63487a0db4ee93fdb305a9e7766647d78bc310af47ac06f4733",
"type": "query",
"version": 210
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
"type": "query",
"version": 100
},
"e5d69377-f8cf-4e8f-8328-690822cd012a": {
"rule_name": "GitHub Authentication Token Access via Node.js",
"sha256": "6a417d5d405f2f5407cee4783101473ada9b188d889fb655c65694110b02a589",
"type": "eql",
"version": 4
},
"e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": {
"rule_name": "First Time Seen DNS Query to RMM Domain",
"sha256": "4572e3ea14df0faf4b8084faac4976128fcfc92c6bfc45ba262f2580675fd50c",
"type": "esql",
"version": 4
},
"e5f9a1b2-3c4d-4e6f-a7b8-9c0d1e2f3a4b": {
"rule_name": "AWS EC2 Instance Profile Associated with Running Instance",
"sha256": "226b26472af2c538610d1e0a15b1a952dd0fba90d63486b1e74c9a11f2ad4ea2",
"type": "query",
"version": 1
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"rule_name": "Bash Shell Profile Modification",
"sha256": "2fd375388407792fd51a8969b707aa25f45b320020108a7979676d7a7f9a867e",
"type": "query",
"version": 108
},
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"rule_name": "Authorization Plugin Modification",
"sha256": "17b73d3e39ffba68bb956e466370e9d6eaa7ebe30fc50598af1a624b1e18229c",
"type": "eql",
"version": 112
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"rule_name": "Possible Okta DoS Attack",
"sha256": "f9ff8587149b2afa762f584f9089d3731b0b31ba76799adcff06c4fb444ae831",
"type": "query",
"version": 414
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "048555dd2466b4a537ebc22441d66a2efefb466f5505a45d435f0319e2802734",
"type": "eql",
"version": 113
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "727bfa432760b50171e1894d8c8b244ab5ccfc62c5b925c757c41d179d78d45c",
"type": "query",
"version": 110
},
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
"rule_name": "Potential Credential Access via Memory Dump File Creation",
"sha256": "22885ae14d09906f786705183a0dfa366fb542f4048dbe5e5b30dc12c0ac3e22",
"type": "eql",
"version": 6
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "17d574e7c23e80225a66e3a65e6914c036850e0db1f4e6e732f50f3c24f8f160",
"type": "eql",
"version": 212
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "4b20d1a797938d4bf6c8b100b8530798861aa4c34bac581498f7f945caa17d5d",
"type": "eql",
"version": 313
},
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
"rule_name": "Potential Windows Session Hijacking via CcmExec",
"sha256": "a945f7bf00629ecb400737b7b14b28993acd3c43139ce6dd8fe3d023b380a938",
"type": "eql",
"version": 6
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "f0e1c5528f65f66b87d2190eb338e758a3f0d5b44557e8e747dbefac8ca09623",
"type": "eql",
"version": 7
},
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "e80bd4c0aced2a70668f8e19c3570f377d60d152d9baaa79c02cd9bf97d29419",
"type": "eql",
"version": 207
},
"e7856173-6489-449f-80ec-c1f5fcd7b87c": {
"rule_name": "Suspicious SUID Binary Execution",
"sha256": "6bd584f1d16f040129a26cae8109dcf87db5067d5f2c179e516e43aed9b929d3",
"type": "query",
"version": 1
},
"e7b2c3d4-5a6b-4e8f-9c0d-1a2b3e4f5a6b": {
"rule_name": "Curl or Wget Execution from Container Context",
"sha256": "8f366e09f9e245ce0ba56adb44531b854bedb456939e125c7f713d7d02b76cc1",
"type": "query",
"version": 1
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "a04dbcb36c1f1c440b37f7cae577b3ece10b72efdbfcddb813460c826ebc9310",
"type": "eql",
"version": 114
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"rule_name": "AWS EC2 Route Table Modified or Deleted",
"sha256": "2205c6c53afda6b21954cb4f3f25c96fc5c6978dda5e38205c466147e8b8c8f4",
"type": "new_terms",
"version": 213
},
"e7e0588b-2b55-4f88-afd1-cf98e95e0f58": {
"rule_name": "Suspicious Outbound Network Connection via Unsigned Binary",
"sha256": "0cab3f24cd193b08178b94d7a007dffe133ccb4bce1d98ee99aeee1e030c00eb",
"type": "eql",
"version": 2
},
"e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a": {
"rule_name": "Potential Protocol Tunneling via Yuze",
"sha256": "412e9aaeeb919c12903d28a97892e212d3f62b2429054811f7956dceb7871b7d",
"type": "eql",
"version": 4
},
"e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
"rule_name": "Network Connection by Cups or Foomatic-rip Child",
"sha256": "9dadc34c752b9bc0928030b436c8dc050e4c931a424ac3abd0aabc8c86180945",
"type": "eql",
"version": 6
},
"e819b7eb-c2d4-4adc-b0c9-658aeb140450": {
"rule_name": "Lateral Movement Alerts from a Newly Observed User",
"sha256": "a3258f0d15c7c51105bf8854c5ce37f0d660fb5f008b73587d0eb4314de34c12",
"type": "esql",
"version": 3
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "d84f36a2afbc144fef44ad9e64b127adac38a0aa0a79935942cc31275e6af59f",
"type": "eql",
"version": 220
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"rule_name": "Installation of Security Support Provider",
"sha256": "96b67730d8ffb341e813867e0276ae18c765a4a89c3710d2963454743335821a",
"type": "eql",
"version": 315
},
"e882e934-2aaa-11f0-8272-f661ea17fbcc": {
"rule_name": "Microsoft Graph Request Email Access by Unusual User and Client",
"sha256": "afb5abbe83d85e4bfc0c4355dcb0fcdc60a91012e0ee14f6f6fc77e177fcda7a",
"type": "new_terms",
"version": 6
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"rule_name": "Host File System Changes via Windows Subsystem for Linux",
"sha256": "d3e0d905b618b1535f2deed8102de10f9c45d79e7038e76eab62094063d444b0",
"type": "eql",
"version": 114
},
"e8b37f18-4804-4819-8602-4aba1169c9f4": {
"rule_name": "GitHub Actions Workflow Modification Blocked",
"sha256": "6938ae0fe092466ebe7a800629949a38ad4eb3da443917c54766b67839d2912d",
"type": "esql",
"version": 6
},
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
"sha256": "af263b39de7d96dc66778483b32a18131d2d78f294fccb516b20f02b3561d26a",
"type": "eql",
"version": 10
},
"e8ea6f58-0040-11f0-a243-f661ea17fbcd": {
"rule_name": "AWS DynamoDB Table Exported to S3",
"sha256": "e9c43384f812c32ac9f5ea58d4ce394b5a607f68a6941a3949ad2dd1c8c6ed49",
"type": "new_terms",
"version": 7
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "bed94ea17205b8c891d4ddb047a885b0302d991f1f9be008ba2c8dc7e4483618",
"type": "new_terms",
"version": 112
},
"e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
"rule_name": "Potential PowerShell Obfuscation via String Reordering",
"sha256": "b59e0cbc56c4fb53787bc00632c6ceab167a0694f6b7fecc962d87dbbea24286",
"type": "esql",
"version": 13
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "bf0cca05ac39585a934fe378753788c53700f3e8756741b90086a08ec42e370c",
"type": "threshold",
"version": 417
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"rule_name": "Deprecated - AWS EC2 VM Export Failure",
"sha256": "7339232c396fb3ef53df007330bd3fdbe73aba02804975f4a767f59c658cb33f",
"type": "query",
"version": 210
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 107,
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "85e2742ed6e3a554393ca3c7c7b3462fbeb726e083b4f63bc562360141a1b8fa",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "5b22d537d80ab2e0d67e5b165b971868811ca16c1d70bb8c02f4909f50c8945d",
"type": "machine_learning",
"version": 108
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "d6c1aa3c45cbcc3f9d96b8f85efd889c870bb8993049a36ef372ca20e882d8c7",
"type": "eql",
"version": 318
},
"e9a3b2c1-d4f5-6789-0abc-def123456789": {
"rule_name": "Ollama DNS Query to Untrusted Domain",
"sha256": "5e3e4830d4541a4e622121b68abbd2dfd611a6127af90ffcc80d8a462369afc5",
"type": "eql",
"version": 2
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "baa994c1fe7f4dc602b62d56e07acb6a0e3752a04ab6347f182416d3ae2a0465",
"type": "eql",
"version": 111
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "Spike in Remote File Transfers",
"sha256": "2f20bc8bdb8336b52144c14c8d650bf10d1c3cd7ac2005fda6d231be3ce129cd",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "Spike in Remote File Transfers",
"sha256": "b5fc44379578795228550e1b83eaeb9e7e0126f4ed99201198f0cefb85c52110",
"type": "machine_learning",
"version": 109
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
"type": "eql",
"version": 100
},
"e9fe3645-f588-43d6-99f5-437b3ef56f25": {
"rule_name": "AWS EC2 Serial Console Access Enabled",
"sha256": "50914bbf617175010dadedcd2ca391ecc37c172b7ed25599aa28b3f97dd1e043",
"type": "query",
"version": 3
},
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
"rule_name": "Azure Automation Webhook Created",
"sha256": "7c465669f1e16c050c57c78eaf0a6374fc5a02a2a17346e81ea0e4e1ce2aef99",
"type": "query",
"version": 107
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
"type": "query",
"version": 100
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 210,
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "cde5761fb379a2ebd52bded54373ddfa826286728ad4637aa03d845220da0c91",
"type": "machine_learning",
"version": 111
}
},
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "18f984692e2ec7a1945f11db130429aaea89ba4e32aa4187f2def7337275a873",
"type": "machine_learning",
"version": 211
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"sha256": "aa1c1625dd82eb24ec01c42ec65095f631d903642a4a3e7aed22ba4a1355b97f",
"type": "threshold",
"version": 216
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"rule_name": "Spike in Firewall Denies",
"sha256": "43fbc760dbb9d213111df81edfb92ab4f4902eb6c46f5bdfe3b1f0e215a38432",
"type": "machine_learning",
"version": 109
},
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
"rule_name": "Suspicious APT Package Manager Network Connection",
"sha256": "0392cad4ebbd3925824fb6d7902f524c2bc25be9f9b7c642869fb070d18502d2",
"type": "eql",
"version": 10
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
"sha256": "3076f6b1adaf92e302684e1464639085c90751e68a525064398b7a9c2a03e3e5",
"type": "query",
"version": 107
},
"eb3150eb-e9fb-4a64-a0fc-aa66cdd35632": {
"rule_name": "Telnet Authentication Bypass via User Environment Variable",
"sha256": "addac13158f89b3addaf29024a1c49c9396a2f87bc029975ea1f19735fcb49ab",
"type": "eql",
"version": 3
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "f994e110b50cb2736e928c79c4c504229652f18fda04a1328cd19dc6f0b6eb27",
"type": "query",
"version": 110
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "eaa7dc28c0ba71007f9a46582afef0a8096c44e0a86adce631ad580e33bc8acc",
"type": "query",
"version": 218
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"rule_name": "Suspicious Network Connection Attempt by Root",
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
"type": "eql",
"version": 104
},
"eb804972-ea34-11ee-a417-f661ea17fbce": {
"rule_name": "Behavior - Prevented - Elastic Defend",
"sha256": "02eda12d21fbff98e95223ba0596351a3c2e483be002663151be5c250edadc69",
"type": "query",
"version": 5
},
"eb958cb3-dead-42b6-94ff-b9de6721fab2": {
"min_stack_version": "9.3",
"rule_name": "Curl SOCKS Proxy Detected via Defend for Containers",
"sha256": "b1f046cc6ad9e006048ddfcacca9aa967e5c89498422580dacd3eb6f803018d1",
"type": "eql",
"version": 2
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "a983e45d426bb8f3a4ef45dfd2f57506e858af2344cca3033b44a1671fdaa745",
"type": "eql",
"version": 215
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "faf606497245f3d7e09a8ae6abe6afb788c439573a1eae221c0786d44878c8a4",
"type": "eql",
"version": 418
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "15c46a24e64047ef68bd03a84b821a716b491971416ef9b02883d970c07d56c7",
"type": "eql",
"version": 318
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "bc67d00162d4bd5880558c09ba1388898c1594d83fe5d71927eaed1a8669f51e",
"type": "eql",
"version": 320
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - File Made Executable via Chmod Inside A Container",
"sha256": "e83d9c10df932ec1ea757f8db704550f8f70c3bb48b0155578659ee10099091c",
"type": "eql",
"version": 4
}
},
"rule_name": "File Execution Permission Modification Detected via Defend for Containers",
"sha256": "4684363244e89ea872ffc5b25a90561dc40b3e284b58a2c4d394889bed620bf0",
"type": "eql",
"version": 107
},
"ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": {
"rule_name": "Kubernetes Forbidden Creation Request",
"sha256": "09dc580af4f250fb15a73dc047af068447edce0b410ee07b9845a39184a09496",
"type": "eql",
"version": 3
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"rule_name": "M365 Exchange Inbox Forwarding Rule Created",
"sha256": "b993745b45fbc5109fc2f625b7cc15b902271dfaf502d2d85d2fa5208f31de8b",
"type": "eql",
"version": 213
},
"ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
"rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
"sha256": "33d196de5eaecf3864a3bb8ee494aaa4ee44ed5a27f25e452bcf28fa226c22dc",
"type": "eql",
"version": 8
},
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"rule_name": "Executable File with Unusual Extension",
"sha256": "b9cbdb757c2d5778d0c1a517bd488966edd65b3f3716a9afe62b215d97b44f5d",
"type": "eql",
"version": 4
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"rule_name": "Deprecated - AWS RDS Instance/Cluster Stoppage",
"sha256": "2eba03080f61dc66ae0a110e2c12eaf47e267f31eb5fea196cf483d6b9a64510",
"type": "query",
"version": 210
},
"ed3fedc3-dd10-45a5-a485-34a8b48cea46": {
"rule_name": "Unusual Remote File Creation",
"sha256": "f29aab770fc7ef7708a96949b02b0e60282b7199951b302c2fdffbd1893bb9e9",
"type": "new_terms",
"version": 7
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"rule_name": "Entra ID Global Administrator Role Assigned (PIM User)",
"sha256": "7cc31a789b7c74143fda38cba04d25c2603889e20c7dcd188f4ece32bf1d1426",
"type": "query",
"version": 109
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"rule_name": "AdFind Command Activity",
"sha256": "5da6851210dd75f83e92706270154d54c07273e615cfe18134a17e7bf4ee3969",
"type": "eql",
"version": 319
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "703363f0e0174c2ee80e6f77652694e5162cc28d87e1c2e204dca58e5356c34c",
"type": "query",
"version": 414
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "2ad58626d16eda853776294192c4b7c37d50f48d4f20496bcdbc93e9f3d61f2e",
"type": "eql",
"version": 321
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"rule_name": "Linux User Account Creation",
"sha256": "5560af4da75f6828cfd7b29908eba789035a6a7fb66d4380dc6d4acc5ff5a967",
"type": "eql",
"version": 10
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "6dbed41461451dc5040bb4d309300f105a9ff9e96c0e3dcf65baa67ffdd640af",
"type": "query",
"version": 312
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "680b0b509c4530e793e2e495bc660350fca76194950aca3d7499505c0eed9ade",
"type": "eql",
"version": 217
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"rule_name": "Shortcut File Written or Modified on Startup Folder",
"sha256": "ed57ac9eacaf051cab3aeae3f09c0a59fdfb7eb9ca18e4ceada98adc47ac6bc6",
"type": "eql",
"version": 4
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
"type": "eql",
"version": 100
},
"ee7726cc-babc-4885-988c-f915173ac0c0": {
"rule_name": "Suspicious Execution from a WebDav Share",
"sha256": "193a9582b8a88c80c2ec2d4d03cc840cba670833923fc58cb2815ed2e060ab0f",
"type": "eql",
"version": 3
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "7a0362350bccdcf49752c63e045a43a649ae3127354129648e3ebd3c78e2b713",
"type": "eql",
"version": 113
},
"eef9f8b5-48ec-44b5-b8bd-7b9b7d71853c": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Kubectl Apply Pod from URL",
"sha256": "548e6c3705fae441b48d6c6931d33d907796f823cd985983d79c6041af367472",
"type": "eql",
"version": 2
}
},
"rule_name": "Kubectl Apply Pod from URL",
"sha256": "2871a014569f179baaf61a47aa3ed4dac8c9d1cdfcf046caa1f02877fa61f0fc",
"type": "eql",
"version": 103
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"rule_name": "BPF filter applied using TC",
"sha256": "a3ca2a4019b1f9b82a42cdaa30c22e6b21138566a0f076dff76cc58ed8d5d943",
"type": "eql",
"version": 215
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "8641c7f69ff921eb91354ab0425fd0d989f5bf8bdaea934338fa5e03118cab42",
"type": "eql",
"version": 113
},
"ef395dff-be12-4a6e-8919-d87d627c2174": {
"rule_name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option",
"sha256": "e9dbef389b92ca88b2b526127180bb1f77f872b82ed5506e5e3531967903bfa3",
"type": "eql",
"version": 5
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File",
"sha256": "e4750e67d85a5bceb46ee02825a18989d55a065f353791467ac9bdcc98f4cb7a",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential notify_on_release Container Escape Detected via Defend for Containers",
"sha256": "fac418cef4e709d91017ce5c1eeaa17b08e05b05e91e0e7584f00c36d2c239ad",
"type": "eql",
"version": 103
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"rule_name": "Whoami Process Activity",
"sha256": "1db39e102de230f0e5f11a6c3d8bc5633bbbb419481894a8935bb3421b5cf5c7",
"type": "eql",
"version": 219
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 107,
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "501b90c5679e6b9959a55999b1892814f6969d4a2aac60d17835f827a7cda0fd",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "71567755940d538c15fd90849caad5bf4ee4a89e0afd72f43b9ceac4f9ec3f1b",
"type": "machine_learning",
"version": 108
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "90d47b1e899493d89143f8cd27fabf5811ebff7fe3c0fc8cefd0ad0f234155d4",
"type": "eql",
"version": 214
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"rule_name": "Suspicious HTML File Creation",
"sha256": "8f7b437675b9cbd0e34995768cab78c83a9aaf0aa77c6029975fa1df36288295",
"type": "eql",
"version": 113
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"rule_name": "Okta User Assigned Administrator Role",
"sha256": "2fd1365685f9e79ac576991cdb849afc70a64f0b0a5704b845cb04f44a7892c1",
"type": "query",
"version": 415
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
"sha256": "086b4d37de07398af3828f86c06b19b7daa37d14b98d16b1236a284a3e119b99",
"type": "eql",
"version": 115
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"rule_name": "Azure Diagnostic Settings Alert Suppression Rule Created or Modified",
"sha256": "8b1cd77d90733f7dbd27b5fa93888a24d03bd9e802b97882331f8fd173e040cf",
"type": "query",
"version": 109
},
"f0cc239b-67fa-46fc-89d4-f861753a40f5": {
"rule_name": "M365 or Entra ID Identity Sign-in from a Suspicious Source",
"sha256": "b018cb831bab9746612fb38c1c6080689b2ab4bb4ccfa34a88b794eb86e4b5a7",
"type": "esql",
"version": 7
},
"f0dbff4c-1aa7-4458-9ed5-ada472f64970": {
"rule_name": "dMSA Account Creation by an Unusual User",
"sha256": "09d110d157380492d4d0de9d37dff770be9757b6528fca4da3a5aa560b964348",
"type": "new_terms",
"version": 4
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "32ada2c4a68d705cc598de4bde5cc1be7e0516bae9dad176373243f9fc65c0c2",
"type": "eql",
"version": 111
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"rule_name": "Suspicious Child Execution via Web Server",
"sha256": "92e68a660ef180ceb453fee81c78a5fdc2c39b9351c923d2aca6901a11f0e360",
"type": "eql",
"version": 113
},
"f18a474c-3632-427f-bcf5-363c994309ee": {
"rule_name": "Process Capability Set via setcap Utility",
"sha256": "dbc36b11a558109353c290252cfc47fa5b88768748732ceb11ed91403dd76705",
"type": "eql",
"version": 106
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "fa20fb477b98059cdcedc8515e55e02f1f0f705253f61f5f68683154a52bf7c8",
"type": "query",
"version": 7
},
"f1f3070e-045c-4e03-ae58-d11d43d2ee51": {
"rule_name": "Manual Loading of a Suspicious Chromium Extension",
"sha256": "ef1b596dbcc21f0ff44dd908eee0347efe6248aa5bdf14b884c61df77b777949",
"type": "eql",
"version": 2
},
"f2015527-7c46-4bb9-80db-051657ddfb69": {
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
"sha256": "8ad36bf549c8e2d030b047008548086597c14917e95fb16824216d0b6e03fbc9",
"type": "eql",
"version": 9
},
"f20d1782-e783-4ed0-a0c4-946899a98a7c": {
"min_stack_version": "9.4",
"previous": {
"9.3": {
"max_allowable_version": 101,
"rule_name": "Unusual City For a GCP Event",
"sha256": "76586ab01cd08c0c90773f9fd6ddba36eb9b8ee0571614eca39f0de1bb442d29",
"type": "machine_learning",
"version": 2
}
},
"rule_name": "Unusual City For a GCP Event",
"sha256": "8eb28f90d5cd908568c9a395131d2080306c30096616c06ee1c3985dbdaa83f9",
"type": "machine_learning",
"version": 102
},
"f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": {
"min_stack_version": "9.3",
"rule_name": "LLM-Based Attack Chain Triage by Host",
"sha256": "c1f09b9398519eeca1ca5751ca9ef554c12bcecc242670114227526c401ca16f",
"type": "esql",
"version": 4
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"rule_name": "Service Path Modification",
"sha256": "479c0261e46fdc70b821b6577c00bdd690bec74af99f5f6a36350458a33dcaca",
"type": "eql",
"version": 107
},
"f246e70e-5e20-4006-8460-d72b023d6adf": {
"min_stack_version": "9.3",
"rule_name": "Modification of Persistence Relevant Files Detected via Defend for Containers",
"sha256": "3d7e318f67c97976127e145e374accefe76ed153e63466f41c6c788e5a1ba230",
"type": "eql",
"version": 2
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "45f3aba3743e27c3175dc85c3bb918ef1ddeb13d337dd61d81634e7b6d7ed1ce",
"type": "eql",
"version": 114
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "327423f201c4aefab10ca8e4a5e9604d884907651d4475cc37c199a277b289a8",
"type": "eql",
"version": 215
},
"f2a3b4c5-d6e7-4f89-a012-b3c4d5e6f789": {
"rule_name": "AWS STS GetFederationToken with AdministratorAccess in Request",
"sha256": "91174dba23bc43a851dead24976835e0676adbd66157638393d08f763e89f99e",
"type": "query",
"version": 1
},
"f2c3caa6-ea34-11ee-a417-f661ea17fbce": {
"rule_name": "Malicious File - Detected - Elastic Defend",
"sha256": "41ad2b2030986dcdd6d5acd828d369cbf10f4b53afd0cbc73f44834f48ac57aa",
"type": "query",
"version": 5
},
"f2c43e8c-ccf2-4eab-9e9a-e335da253773": {
"rule_name": "M365 Purview Insider Risk Signal",
"sha256": "7b79f31c41b50f2de307dec4edf986446644ccdd5d81087cd0d65070e5bc6841",
"type": "query",
"version": 1
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
"sha256": "fb2f06600975682327919ea6da257a7190a1e93ff582838cf3175181d49386cd",
"type": "esql",
"version": 5
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"rule_name": "SIP Provider Modification",
"sha256": "dd9efc0a3ffb4c20b6356fa5966046c6d5c8014667ba8d56f8028261e21cd508",
"type": "eql",
"version": 316
},
"f2e21713-1eac-4908-a782-1b49c7e9d53b": {
"rule_name": "Kubernetes Service Account Modified RBAC Objects",
"sha256": "970354cbf4c8525c8836fda8fdd3ab8f107769ab8b4d4a7c341afd376449a261",
"type": "query",
"version": 3
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"rule_name": "LSASS Memory Dump Creation",
"sha256": "e67746f8ea85b9aebd84e067fe5be4217f8d5382337a0a23661ea8202ab92a64",
"type": "eql",
"version": 316
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"rule_name": "Deprecated - AWS RDS Instance Creation",
"sha256": "863ac4e46bb8284dfcebade9676b5ed0fb1c1ca7b91932266ea432c660e6b7c3",
"type": "query",
"version": 210
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
"sha256": "9d1a8b1da8853216b701b3b7ccea1089b6689b2a0de289b79746bd6a7db343f0",
"type": "eql",
"version": 13
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "e86a0477a7cb46e3ade238a3b3e865a455c9ce4830f4b82a07926f3c757e1546",
"type": "query",
"version": 9
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "79000745ecb9f28c29dc37aa11e735c6fd1e2071d72b6c828cdc06293ce6d97b",
"type": "eql",
"version": 218
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"rule_name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "0514c676be47b85dcf14f42d8d1cdf053122f7506f0b5eef242a105e5dfe4ed1",
"type": "threshold",
"version": 109
},
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
"rule_name": "Suspicious Network Connection via systemd",
"sha256": "6a81be3e4096d5230ed6ddb6d5e9ed0624a4404f651a9aaaee9491b33a744050",
"type": "eql",
"version": 10
},
"f38633f4-3b31-4c80-b13d-e77c70ce8254": {
"rule_name": "Potential PowerShell Obfuscation via Reverse Keywords",
"sha256": "461cca8e6da44cb954ccd1568e0195772daa254860053359bea965b58e5b3560",
"type": "esql",
"version": 11
},
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
"rule_name": "Kill Command Execution",
"sha256": "e0cd0eab0070a7deca66e3db5b6508709873263b818c68be1f560cd32e5ccbb1",
"type": "new_terms",
"version": 6
},
"f3ac6734-7e52-4a0d-90b7-6847bf4308f2": {
"rule_name": "Web Server Potential Command Injection Request",
"sha256": "5812c308169a8a574e71c2c86b2e0de69913521b67e5d655346bf0f7e65fb092",
"type": "esql",
"version": 6
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "155ff4eef509d2fc7fd1c2d2123e8343f5ccec6b90178d7647703aec30eacf8b",
"type": "threat_match",
"version": 9
},
"f401a0e3-5eeb-4591-969a-f435488e7d12": {
"rule_name": "Remote Desktop File Opened from Suspicious Path",
"sha256": "8eb6f9850d1ca4101a9c31eef37742993dbb0a0b9ea08a5e1bd5e36338f86abe",
"type": "eql",
"version": 9
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation",
"sha256": "27658290df434832b404370cab3edf8183411d533f7a367cdc636a7c386590ed",
"type": "eql",
"version": 11
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "65c544d6e400d0909d79ad3a1e0f79b5cf5fcdd3fb01a1a073adc46c69aafb31",
"type": "eql",
"version": 313
},
"f48ecc44-7d02-437d-9562-b838d2c41987": {
"rule_name": "Pluggable Authentication Module or Configuration Creation",
"sha256": "4e7927ea9ee84da27a6bc1fc12f753e2d873328a3a1f8113354afe2c2889690e",
"type": "eql",
"version": 9
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal",
"sha256": "fae91cdc5143504077c9cc353440c3df9dc19a9fb86b257633e5cee480d0754f",
"type": "query",
"version": 219
},
"f4b857b3-faef-430d-b420-90be48647f00": {
"rule_name": "OpenSSL Password Hash Generation",
"sha256": "578fa837f0af51bf69c436d7ba2cc8d249f7fc6cfc00be5c25b0ba71b3069fa7",
"type": "eql",
"version": 6
},
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
"sha256": "f9eaf69ddd185f8b4c607c763db8ca5e3206d6599f48108b961d0a79fb572322",
"type": "esql",
"version": 7
},
"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
"rule_name": "DPKG Package Installed by Unusual Parent Process",
"sha256": "2ecc5312b7dd25b04f1124d44fdcf991f2650e3684b81ba6910730dbb18db5b7",
"type": "new_terms",
"version": 7
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
"type": "eql",
"version": 100
},
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "6212d9d93c65c1e446bdeb51474d2abaded9566ccad6cbc8ef83ff0fed9163ac",
"type": "eql",
"version": 12
},
"f541ca3a-5752-11f0-b44b-f661ea17fbcd": {
"rule_name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"sha256": "3f339217cd8eae50f29ce9fcb9124f0a7526f85b0ad85961b8583156f1823d6d",
"type": "query",
"version": 3
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"rule_name": "Windows Script Executing PowerShell",
"sha256": "f633d19c3abff0200df7cb8e9904664c8aac48f10ecf058e5eacbfc730a9c3d6",
"type": "eql",
"version": 317
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"rule_name": "Deprecated - SSH Connection Established Inside A Running Container",
"sha256": "e9a0161ce66e4dbbc1d7b04ff2e17e6b37a210d29e6dff9d8ca021d2a0c65355",
"type": "eql",
"version": 4
},
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "7cba8d9dc86077834c99f4032ae1cfd0578a03e74b98f5af2a786a578f374476",
"type": "new_terms",
"version": 214
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "e2478afe8591053489cbda3bfcc55b4842a4119642e5d56d3ce788a9179b5c3f",
"type": "query",
"version": 111
},
"f596175f-b8fd-43ac-b9e9-ea2a96bb55d8": {
"min_stack_version": "9.3",
"rule_name": "Kubelet Pod Discovery Detected via Defend for Containers",
"sha256": "7723c687b0c450f64a00cee36d7c3931bd7c021d6ff6833cf9c9271a2a5f42f7",
"type": "eql",
"version": 2
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"rule_name": "WMIC Remote Command",
"sha256": "0e72674c9e5b508cb58ff78ab6d5d918767df0ff88c1a86cec3981f283555247",
"type": "eql",
"version": 111
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "3000740cd69fe252c0029fb2309de620fe221dc6bdbb6873c6de6c6dec2414f9",
"type": "eql",
"version": 112
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 210,
"rule_name": "Parent Process Detected with Suspicious Windows Process(es)",
"sha256": "5e26435a6c6b152cc9c108374c72cd5a9f0766698e6eaf34ecfb75df00fb5d27",
"type": "machine_learning",
"version": 111
}
},
"rule_name": "Parent Process Detected with Suspicious Windows Process(es)",
"sha256": "6087543daca9986a612585855dcfc77d192fd4a1e20ab80710f3619022cc0cc8",
"type": "machine_learning",
"version": 211
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"rule_name": "Masquerading Space After Filename",
"sha256": "b8a837130b3b5d74204a8537614a5612a561e68b829c89916fbf5f67d9505c72",
"type": "eql",
"version": 12
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"rule_name": "Account or Group Discovery via Built-In Tools",
"sha256": "dc828379a80bcd81d6d54e8910635b11a89acc59e65e859525568e856567c371",
"type": "new_terms",
"version": 7
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "dbf7164e7bc3f1a792a0e2ee5a048cbda99b3aed0d7af7693f32134c4bdab517",
"type": "eql",
"version": 317
},
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
"sha256": "1dff4a3354ffb01188e7144a8483bb555136a03b278e0b3410d4233e5fd77d8b",
"type": "eql",
"version": 9
},
"f66a6869-d4c7-4d20-ab13-beefd03b63b4": {
"min_stack_version": "9.3",
"rule_name": "Environment Variable Enumeration Detected via Defend for Containers",
"sha256": "4940432d89d05102af4274afb80384ca2bda0d452e0521a1afc0879a5237b699",
"type": "eql",
"version": 2
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "3eecb4705dfa3aca68572467da4f1e62c4ff2fa7df0aefd85aca9094d24a9f29",
"type": "eql",
"version": 316
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "08ad8ed2e2ca485401fa0335d86ab975c721be7927df7d41f56076abb95d7db6",
"type": "eql",
"version": 111
},
"f6a0b2c3-4d5e-4f7a-8b9c-0d1e2f3a4b5c": {
"rule_name": "AWS KMS Key Policy Updated via PutKeyPolicy",
"sha256": "823e0533246b6570195a0c0456c4cbbe2a722ac375ce8f8b0c850026c5bdb314",
"type": "query",
"version": 1
},
"f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 106,
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
"sha256": "95b168aaae5816d4dd8032d851a24980d140d4a9e0603b56f4fa88d79af15a4a",
"type": "new_terms",
"version": 8
}
},
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
"sha256": "c07fa7fae81922d04accf363a9e78642676d26e8aee182c0560cf0824f2ac45d",
"type": "new_terms",
"version": 109
},
"f6d8c743-0916-4483-8333-3c6f107e0caa": {
"rule_name": "Potential PowerShell Obfuscation via String Concatenation",
"sha256": "e9712cbae119495bbc148f3c7ddb66a6c11d34127865165f2a9572d6ecdff0ba",
"type": "esql",
"version": 12
},
"f701be14-0a36-4e9a-a851-b3e20ae55f09": {
"rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
"sha256": "55de9b4b300ea2acb263f1cc4cbed9585e7669be566e58e1fa22c6db3d9e7a9c",
"type": "query",
"version": 4
},
"f754e348-f36f-4510-8087-d7f29874cc12": {
"rule_name": "AWS Sign-In Token Created",
"sha256": "b4f3c7bb4e908abc5172e54beffa1e362454012ebbc480fe2d7ce71b7112cd71",
"type": "query",
"version": 2
},
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
"rule_name": "System Hosts File Access",
"sha256": "e74aea796502decaa57c31bdfcbbb1fd65f68a826f3c3e1f3f6fdf7cb458fa3b",
"type": "eql",
"version": 7
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"rule_name": "Entra ID Service Principal Credentials Created by Unusual User",
"sha256": "6e45ed34b41c65dea5f26b4fd76c9a2d93cd04c869ff1233f8c9f818ae8ea9fb",
"type": "new_terms",
"version": 110
},
"f770ce79-05fd-4d74-9866-1c5d66c9b34b": {
"rule_name": "Potential Malicious PowerShell Based on Alert Correlation",
"sha256": "16873d6b08a266ce4c13f00b9cccef6dd41c64d850c8a5f83b593c93662d037c",
"type": "esql",
"version": 5
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "79d4a35620619779083ee70524a8ef1682a27632b98289f7456caa69d6568239",
"type": "query",
"version": 214
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container",
"sha256": "841b368a5a82196761403f4ff326d8459a4501d8431b5e1dc3395acd18a3c104",
"type": "eql",
"version": 5
}
},
"rule_name": "SSH Authorized Key File Activity Detected via Defend for Containers",
"sha256": "14f95ad2256fe5d602c0c02461a1ad0140159a49d4af60382a20a6d2511f1cfd",
"type": "eql",
"version": 106
},
"f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
"rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
"sha256": "0df65b003548a28c9f18c010d2dd59a06433f01121e7a155c496e0b44d3cb6c1",
"type": "new_terms",
"version": 6
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "27b911863a0e93338b177cb55bbbcb19a306892e7f2ec0d6e264e1ae71959810",
"type": "eql",
"version": 318
},
"f7c64a1b-9d00-4b92-9042-d3bb4196899a": {
"min_stack_version": "9.3",
"rule_name": "Service Account Namespace Read Detected via Defend for Containers",
"sha256": "9f57c86383c5c1b1e2b9f7f6640f0c0651119f9ae170973ee430a1280981cecc",
"type": "eql",
"version": 3
},
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
"sha256": "273a68b602a7b719ceb9864ebcbbf2d46da699434458da9c37a16b290bdcd808",
"type": "new_terms",
"version": 8
},
"f7d588ba-e4b0-442e-879d-7ec39fbd69c5": {
"rule_name": "Potential SAP NetWeaver WebShell Creation",
"sha256": "1ec092ad267fde831ed0f6df37ec577f9d2275d7956117a0052e4eb35ee7068d",
"type": "eql",
"version": 2
},
"f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": {
"rule_name": "AWS Suspicious User Agent Fingerprint",
"sha256": "27d2eb5e6870d7c227dd3a411c07293fecb8f8f2f775777480a7dd0e02bc409d",
"type": "eql",
"version": 5
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "19fa275f01d141046af620130c54383997bbfb159cc343503bd148ff624abf21",
"type": "eql",
"version": 315
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "944482376711795146b91fa8d586f565364c9cab3cf94481924fb5d7128846c4",
"type": "eql",
"version": 110
},
"f86cd31c-5c7e-4481-99d7-6875a3e31309": {
"rule_name": "Printer User (lp) Shell Execution",
"sha256": "ab72bdf494ad1fe2b76321bce5c7385b100ac9456193bbd02076b9162c828500",
"type": "eql",
"version": 10
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "01d3cd8eb31e61543055122ffea2e86a0bf0f5be3388459c2f465a0301c572cb",
"type": "eql",
"version": 317
},
"f87e6122-ea34-11ee-a417-f661ea17fbce": {
"rule_name": "Malicious File - Prevented - Elastic Defend",
"sha256": "5f0651f7f44774e085a9b994162b48004c1a1ea83463576e78763c92ceecb71b",
"type": "query",
"version": 5
},
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "8b8cfdc1b6e853232d72a002e0d118a07d7b24e93ac97350d75f63492b64600f",
"type": "query",
"version": 111
},
"f8a31c62-0d4e-4b9a-b7e1-6c2a9d4e8f10": {
"rule_name": "Kubernetes Secret get or list from Node or Pod Service Account",
"sha256": "c8c9c251cc5939d6149f56787247eac3841a1012d35b82125ec7fc7bb70ab005",
"type": "query",
"version": 1
},
"f909075d-afc7-42d7-b399-600b94352fd9": {
"rule_name": "Untrusted DLL Loaded by Azure AD Connect Authentication Agent",
"sha256": "1f3539efa4a2f15732756c9d225c458db94a94e3e76db2e5e75c56fc4ef25b98",
"type": "eql",
"version": 107
},
"f92171ed-a4d3-4baa-98f9-4df1652cb11b": {
"rule_name": "Potential Secret Scanning via Gitleaks",
"sha256": "4861674e448f597aa53a76a1d592c4eeeeb880c7a635868424b52dbd07885f11",
"type": "eql",
"version": 3
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "17321d3d74af2ddb12d9920ceb84fd2b8ca8e772fcb350e32526d5c46c5672c8",
"type": "new_terms",
"version": 208
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 207,
"rule_name": "Unusual Linux Network Configuration Discovery",
"sha256": "b1e4aa334a9c74399d4b35c0e73a331197fd44f3b8ef34669b8d6b23d87620cf",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Linux Network Configuration Discovery",
"sha256": "b6a7707b778a054c85270746ef3d0855539421ee3103f6c883ea68097524173b",
"type": "machine_learning",
"version": 208
},
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "8f1a587012787e08bd7b994c54b371e5ff8d27a2cf4b52b93f0541c8eeb0a2a5",
"type": "eql",
"version": 13
},
"f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a": {
"rule_name": "Okta Admin Console Login Failure",
"sha256": "3677a7454991a183ca50685f05c67cfbb7ab40cf6d1228854c5bc90678c5ed52",
"type": "query",
"version": 2
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"rule_name": "Browser Extension Install",
"sha256": "db212e9bc4d6e1742a38a366ddb3b13939e0bbe4e792978053b32dc4fafbcd64",
"type": "eql",
"version": 210
},
"f9753455-8d55-4ad8-b70a-e07b6f18deea": {
"rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion",
"sha256": "38bd2f9e10713d14fe22bca802a8451930bea026c19babeddec2c1c26e14a9ab",
"type": "esql",
"version": 10
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"rule_name": "Privileged Accounts Brute Force",
"sha256": "8afcd5fb546282c618329fe4b5405930b900d0c5f91b6a3894ab8f38df780dbd",
"type": "esql",
"version": 119
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "3f42d9f4d6c683fa8e24940e81e098732937f7c261ff50f3c743c37d18f8492d",
"type": "query",
"version": 413
},
"f9abcddc-a05d-4345-a81d-000b79aa5525": {
"rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion",
"sha256": "9fc867fa956909614f0c374d0eef744aaa01a9f0bc9c8c4cb346e4abe5b2e9f0",
"type": "esql",
"version": 12
},
"f9de0949-94d8-441d-ae9a-8eb1e040acf2": {
"rule_name": "Newly Observed Process Exhibiting High CPU Usage",
"sha256": "ac67c25e692fc04e2eeae6c2c6c597c4c637f8d746afc513e7b9e0370b67cdf7",
"type": "esql",
"version": 2
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "703a7a28c0e9d60ac345d7ff3b528565b332ae1f6e8e959878c741327fbc0108",
"type": "eql",
"version": 320
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "9731338ba3f551d2349c7c13e09c98d974880b06e1b03a55ee03454295de4adb",
"type": "eql",
"version": 11
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "75eae6a378cd9de230df241678954eca014909ff202bd7530fd66caad62920c5",
"type": "eql",
"version": 13
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "339af3c6decf44171d39eb6af3fe6a811d9c725f06886ed9865a5eabd9310f8d",
"type": "eql",
"version": 321
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"rule_name": "Potential Disabling of AppArmor",
"sha256": "2f19b753f33613c744acac5ad08008b53e8791926ce4f2e512d8f9d0738fe054",
"type": "eql",
"version": 113
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "e1b06ffe4e33874ed8e0700e601b69f3c9138637316c92d5c31067e7384a7006",
"type": "eql",
"version": 110
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Registration Utility",
"sha256": "d3f5c7183ddff278c200bf2ed689942fb3e756bea5404573d607b22e0d90da44",
"type": "eql",
"version": 212
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "bf668bb17c3ea7604e554f63825a99d9153ff36affd8b4b9ebb087cba806ff0f",
"type": "threshold",
"version": 209
},
"fb16f9ef-cb03-4234-adc2-44641f3b71ee": {
"rule_name": "Azure OpenAI Insecure Output Handling",
"sha256": "6d7efa2625569a818bc649d0e39b3174fdce1739aa2da7102b945a217e3912e6",
"type": "esql",
"version": 5
},
"fb3ca230-af4e-11f0-900d-f661ea17fbcc": {
"rule_name": "Okta Multiple OS Names Detected for a Single DT Hash",
"sha256": "e00405635f604093c0a8a65f92aa45f3a61a087ba4372ea7b1d6a2b5e06d486a",
"type": "threshold",
"version": 1
},
"fb542346-1624-4cf2-bcc7-c68abaab261b": {
"rule_name": "Kernel Instrumentation Discovery via kprobes and tracefs",
"sha256": "b7658647fd18f717cf27e94dc7503078ad59c72e1477332c507001cd361c4b10",
"type": "eql",
"version": 2
},
"fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Group Name Accessed by a User",
"sha256": "910816869ac69e52dd49d7b50213a32f674a8abcca1169b8dae5d9d0ca26a27d",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Group Name Accessed by a User",
"sha256": "667f169cd9b1cccf4aea8c89b3535d32676adf3648fb6ec26bd809d1a57539e4",
"type": "machine_learning",
"version": 104
},
"fb8790fc-d485-45e2-8d6e-2fb813f4af95": {
"rule_name": "Dylib Injection via Process Environment Variables",
"sha256": "3da41c31ba94d685cd75f85322328359014c5be38f21ccf09593a68bf338b641",
"type": "eql",
"version": 2
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
"type": "query",
"version": 100
},
"fbad57ec-4442-48db-a34f-5ee907b44a22": {
"rule_name": "Potential Fake CAPTCHA Phishing Attack",
"sha256": "33d00e4c6fe087be1ef08b31b40a606e5e9c71ae3c9df80f964991477494d542",
"type": "eql",
"version": 3
},
"fbb10f1e-77cb-42f9-994e-5da17fc3fc15": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Unusual Source IP for Okta Privileged Operations Detected",
"sha256": "b6972d4f3235fe5015a16b59e32f209fef18168efd59112b1173e3341709c0b2",
"type": "machine_learning",
"version": 4
}
},
"rule_name": "Unusual Source IP for Okta Privileged Operations Detected",
"sha256": "2a0c28333cbc2b59a754048dac4ba1ba85e1e32f9407e91291bbe69a9abbcf5d",
"type": "machine_learning",
"version": 104
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "992873866168b6dc2174c2626fb35218105596756c2e0301459d4c664ae9ea8d",
"type": "query",
"version": 212
},
"fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": {
"rule_name": "Process Started with Executable Stack",
"sha256": "fd1e26f5a72a073b0f04248104e8a153e66925a0edbac78669638790918671c2",
"type": "query",
"version": 6
},
"fc552f49-8f1c-409b-90f8-6f5b9869b6c4": {
"rule_name": "Elastic Defend Alert Followed by Telemetry Loss",
"sha256": "67f6095aaaf71d37cb9ae1e5b587093cea6fa579d3654a9353068eb9b0edef4d",
"type": "eql",
"version": 3
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "b9b40ca0af3b9ae7237ee58b9db28fdb68df1dc944e6582fc0cf91ee188b4e5d",
"type": "eql",
"version": 315
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "b75dda67fd9da77f1320ea7c94c736e499c45243b2d3a1f0775caeca732cf753",
"type": "new_terms",
"version": 208
},
"fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": {
"rule_name": "Proxy Execution via Console Window Host",
"sha256": "da23ef37ab245220584b0229ede378558147536d721124480c11f605078401a3",
"type": "eql",
"version": 4
},
"fcd2e4be-6ec4-482f-9222-6245367cd738": {
"rule_name": "M365 Identity OAuth Flow by User Sign-in to Device Registration",
"sha256": "61bd95935880280101cb47357cfba9fda77a633cad787f7e0f4983dcf66fccf7",
"type": "eql",
"version": 4
},
"fcf18de8-ad7d-4d01-b3f7-a11d5b3883af": {
"rule_name": "Threat Intel Email Indicator Match",
"sha256": "cfa8a4fcc12561cec5bb571ef7f143d87543fe860577aa1f11b2b284b2e7ecb2",
"type": "threat_match",
"version": 2
},
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
"rule_name": "User or Group Creation/Modification",
"sha256": "2d62847cab8c33a052e502836ad121caf86f64b238197c9a1b2938d4e27c5f5e",
"type": "eql",
"version": 8
},
"fd00769d-b18d-450a-a844-7a9f9c71995e": {
"rule_name": "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount",
"sha256": "84051400b1ae5421cfb0710d08885fc6ccb194cced886576497e63909acfa9c9",
"type": "query",
"version": 2
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"rule_name": "GitHub App Deleted",
"sha256": "eec1892d492dc25cab5480d300e33e9aac87bcbb4386d100cab35cb223d38ce6",
"type": "eql",
"version": 209
},
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"sha256": "74a0ff1c1a288bfbe8134ef5390dc9c7a9081b9e769c155809243aa52e7bd168",
"type": "new_terms",
"version": 9
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
"type": "eql",
"version": 100
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "ef85670df7af1d67434ee4a084dae6785d63ea6fad1da9fed5bfefceaed92178",
"type": "eql",
"version": 319
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Suspicious CertUtil Commands",
"sha256": "33778ead57b302d2250b723cf23c47fec7f96b8dcff8dfd99fc8f806e4ed0484",
"type": "eql",
"version": 318
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
"sha256": "17b5ec1f17eb3bdc6ba867893df9d9201b1818c50d9896f84da7c3d4c94db588",
"type": "new_terms",
"version": 428
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"rule_name": "Image Loaded with Invalid Signature",
"sha256": "03745c7178dcf6374257634aeffef34bd5009ab9b52fbd8e2dd6d77b57ba1a47",
"type": "eql",
"version": 4
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"rule_name": "System Binary Moved or Copied",
"sha256": "c20425759c10146a7e712fece38e597058b1970b880b8dc01d9683d931348140",
"type": "eql",
"version": 18
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "44814458fede28b8e96ffe4731862abd5077e5562e02d387ad816b812454f814",
"type": "query",
"version": 113
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "4f61d5a4d2aea076af8a4b48cd80ffa83a42e7c5bc8144c04f396ba5571cb1ac",
"type": "query",
"version": 112
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "49ad33faa96836050c4fe6962330a51b2947b18372a2c7614579d27da4012c4f",
"type": "eql",
"version": 320
},
"fe8d6507-b543-4bbc-849f-dc0da6db29f6": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Spike in host-based traffic",
"sha256": "539f0007ba47959012c3d761d040a6d76269a8994675b2f51c844ca81e899ef4",
"type": "machine_learning",
"version": 5
}
},
"rule_name": "Spike in host-based traffic",
"sha256": "907d81f3a0d242ae72cb95a3525f28b646be7b2537e8437b213254a0e2ac1660",
"type": "machine_learning",
"version": 105
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "889fbc6f1fe7867a60c30e0988ce0a1ecca3b10ed4d68247409e0bbb156e228a",
"type": "eql",
"version": 11
},
"feba48f6-40ca-4d04-b41f-5dfa327de865": {
"rule_name": "Data Encrypted via OpenSSL Utility",
"sha256": "6d5bc57ab69832dcf1fceb1113c15bd50ef32043aeac5c753aa45d8ef84fb133",
"type": "eql",
"version": 2
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
"sha256": "e5501cb17cf5fe1cb22ce9ae6e8396575c212a05d10b7f191f96bde4173277f8",
"type": "eql",
"version": 5
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "51805a54ccba7e11dd5249f3383c0faa260594148db400d814d4112d22e5b4ae",
"type": "eql",
"version": 313
},
"fef62ecf-0260-4b71-848b-a8624b304828": {
"rule_name": "Potential Process Name Stomping with Prctl",
"sha256": "d2d8d9adc0b0a1e18a247c5c551721be0f8dae7e8136df787c2c7c7b44f86070",
"type": "eql",
"version": 6
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "b271213c5408f3105b6c293a194441c0a6ee0a8f56895b6c8b5d514a45f29206",
"type": "query",
"version": 108
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"min_stack_version": "9.4",
"previous": {
"8.19": {
"max_allowable_version": 108,
"rule_name": "Potential DGA Activity",
"sha256": "305c65ba2a0c6e6b8dd78bcd8fce09f2491e6ed7c1ad1c495e321db25ddd0c2e",
"type": "machine_learning",
"version": 9
}
},
"rule_name": "Potential DGA Activity",
"sha256": "1892ab19dfbba7c5209d5416fac24916cec60b288ae4bbe9f0dfcad7fbb548ad",
"type": "machine_learning",
"version": 109
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"rule_name": "Cron Job Created or Modified",
"sha256": "911f2754934b26787ef6ce346dd060a5ff237c442db717002c7f6c6d0678ec96",
"type": "eql",
"version": 19
},
"ff18d24b-2ba6-4691-a17f-75c4380d0965": {
"rule_name": "Suspicious JavaScript Execution via Deno",
"sha256": "cb55c046d8dfe8230113d03f862c936b4cc6f55c682a4004ef707a95803af2f3",
"type": "eql",
"version": 3
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
"sha256": "b1c612a39634c76d3859749ffcf4a66830efa742e42ac76353710085e9a89c75",
"type": "eql",
"version": 8
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",
"sha256": "2c61b250e1b3df4306e4f76d4df13c3f7cd624151ef683d9746e1b5640096676",
"type": "esql",
"version": 18
},
"ff46eb26-0684-4da3-9dd6-21032c9878e1": {
"rule_name": "Active Directory Discovery using AdExplorer",
"sha256": "e2bc14f1daa81650bb1547ff4439ba2e4f96fe3959eff2fe3d7e6aa1f47e84bd",
"type": "eql",
"version": 3
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "M365 Exchange Mail Flow Transport Rule Created",
"sha256": "3af2c69e8e417302ef11f5cad05379d42ead8135a8bb69dbf6e400195e16d2e0",
"type": "query",
"version": 213
},
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "156d6c92921c8a78a426d13399acfc82335279f41bb1ca1b3b514f78e2d95be0",
"type": "eql",
"version": 206
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "2d21b1f06254849904bc0f96312aaddd5dbde583bae425bbb2b4e8cd08c5977c",
"type": "query",
"version": 109
},
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "fd78dc142d1cddc2c1b468082eba4a5caf404e211bf2b2fb770e0bb2218f5810",
"type": "eql",
"version": 112
},
"ffa676dc-09b0-11f0-94ba-b66272739ecb": {
"rule_name": "Unusual Network Connection to Suspicious Top Level Domain",
"sha256": "6fae13669a71fb69141b56f8ea1faa51ec5717011111ca52cae34917ddc408ce",
"type": "new_terms",
"version": 3
},
"ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": {
"rule_name": "Suspicious TCC Access Granted for User Folders",
"sha256": "d7c925205ac4209a78c8c60e52b5ad975f5ca3a956f42e12337fa8dfa1035e98",
"type": "esql",
"version": 3
}
}
Reference in New Issue View Git Blame Copy Permalink