{
|
|
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
|
|
"rule_name": "Attempt to Modify Okta MFA Rule",
|
|
"sha256": "e7230e37b0012ca864c73d09e735e54bcbdc3f7cb939e0308820d699de482d15",
|
|
"version": 1
|
|
},
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "6d47bcc98a871cdd3e70fe35d093133b1c731a17ffb0c7ea03fd0d61fc00dc02",
|
|
"version": 4
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"rule_name": "Potential DNS Tunneling via Iodine",
|
|
"sha256": "c17a009f2b1b2146fcda7e2375a6560d89536bca1d9fcc52ad5c444b4bcfc179",
|
|
"version": 4
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "d88cc0ea7309e063e63b8241cc54e7e269ae1b33866dd3bf8f46c438d0d308d7",
|
|
"version": 3
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "8fd2873dee5de5a9b8d13d61c4e7ac8d9125a6a0f367bf64fea26470b8d96fda",
|
|
"version": 3
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "2057dea2544576064924167ac3c3a0cffb69623636a385120791a54725cd121b",
|
|
"version": 4
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"rule_name": "Malware - Detected - Elastic Endpoint Security",
|
|
"sha256": "cf235efd02e861f1c87580d9fc3027c05d58c80ec19b8a4680b0cb9c4b794088",
|
|
"version": 3
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "1697d1e69b1cc81d4f3fe77471a9f843268be52e12f6b76679ff206cc44ba4b2",
|
|
"version": 2
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "182668d6e35a7cd6ee4f8c9d4c8254a38d117cae8f100783156fcb793fbe0fac",
|
|
"version": 4
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "fa80576323984a1cdbae7de84168b41ea9aa136a4d4eb5b1881c30927aa2d72e",
|
|
"version": 4
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "059dc81a07c9f3e03e8a0789bff2cb08a59001fdf8fe3a1cb0bcda6d3caa7bc1",
|
|
"version": 4
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "07e4c45585d14e41fadd1bb2f2d089924be88eeb447ed751d600b3ea06d118f2",
|
|
"version": 4
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "59632e186f6b83ff142f1be24f88219a64b9eba91582c6d1151737be05565348",
|
|
"version": 3
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "3168a7ff380f965f554d8554a6048500bc6d2e623012a637a69604d4dde5aec6",
|
|
"version": 4
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "8c8dd977effd5f405e825323debef05986b8e59e8aeffab769a5a17c56f90838",
|
|
"version": 4
|
|
},
|
|
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "dc63fd09b50ada3a1d9e17f321e591716802a15bc98ad7933fbf1e638c8a9485",
|
|
"version": 1
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "36917b05e364e40334cb847ccadc8625146ce9be717185331ed0459dc974e552",
|
|
"version": 2
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "e5ac3b3c6f68d19a432a54215a555c1d103dcb14a8c00cb60e8fcc4f0d6e652d",
|
|
"version": 2
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "6787261e6c69ccc08f746484c360086764f048c64faabe20f7474007380f5f44",
|
|
"version": 2
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "d7b106c8c4863604d0712ad08ccce72e50dc8137297f90ff7a000e0f0f8d113a",
|
|
"version": 2
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "21f4744229d682e68489bed55ec395634a81783217b4f8356a49566e6f5e17d1",
|
|
"version": 2
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "223ca77fb5f7df75f08ae4253b6d99599ee46fbebe0843d4e3249b756afcc57e",
|
|
"version": 2
|
|
},
|
|
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "cfcaf312b57481ecdbc8178c56fa63218e84f8688117c0d7a4cefb1a56953ceb",
|
|
"version": 1
|
|
},
|
|
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "8c7e44ef3c20c8688412d06a94e63987aa6b2c1855b1fdb69a40b6e22d81f00c",
|
|
"version": 1
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "402a5e361bf78100cbd475dfe6d13b574e07edaa4fd6515e9c6ad9b2cb741ec4",
|
|
"version": 4
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "2e57557c9b3fcb6208d6c61b61fa0c76f5155884ab6f0ee01c7ddd1527283d13",
|
|
"version": 3
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"rule_name": "Exploit - Detected - Elastic Endpoint Security",
|
|
"sha256": "25dc927509d993054908f0797f8c848f5be07a1eadf4c754b95d6a8417aa8648",
|
|
"version": 3
|
|
},
|
|
"227dc608-e558-43d9-b521-150772250bae": {
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "72ab8004269800921494b64af09b7bc0e0aa4812c6502e014270e971b3b5c00c",
|
|
"version": 1
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "0ffb12553181b7aba190ba88d9e29ad6f0e6e41cb0b0c290dc111c8c5ebc463d",
|
|
"version": 5
|
|
},
|
|
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
|
|
"rule_name": "Net command via SYSTEM account",
|
|
"sha256": "8b67949307e8e23b7ba787b251923997097cd417c90f07c137ff306f8ffeee58",
|
|
"version": 3
|
|
},
|
|
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
|
|
"rule_name": "Exploit - Prevented - Elastic Endpoint Security",
|
|
"sha256": "56d0db57a57e386c8262f99e5165c8cd829b6da94536f62bf08353ab494394ed",
|
|
"version": 3
|
|
},
|
|
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "10a5ff3172ab7265ac7e29a3d64a77992312238f2c35037d3a723bbd26644eac",
|
|
"version": 4
|
|
},
|
|
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "3a00bcfef88df687e9f60af981f5e45b7f1d7275c637bf6d346c9a8424ed4aa2",
|
|
"version": 3
|
|
},
|
|
"2f8a1226-5720-437d-9c20-e0029deb6194": {
|
|
"rule_name": "Attempt to Disable Syslog Service",
|
|
"sha256": "a2a3c2eb4e76f3161927f2f3708a7831c0254f05598cf174afe04e173b9b726e",
|
|
"version": 3
|
|
},
|
|
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "d639e962c341c024aaf84dc2d15fb964b80d6ffeb33446bfc689972ac0e74896",
|
|
"version": 3
|
|
},
|
|
"32923416-763a-4531-bb35-f33b9232ecdb": {
|
|
"rule_name": "RPC (Remote Procedure Call) to the Internet",
|
|
"sha256": "91e9006ede6167bc0e1b0a606f1408741db7ac6ba5ade4a65e960cb6e1684069",
|
|
"version": 4
|
|
},
|
|
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "20851dcbbe8b5b2d488ec89f42ae0a34d28ca793f91c59c9a746a071063e4fd5",
|
|
"version": 4
|
|
},
|
|
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
|
|
"rule_name": "AWS IAM User Addition to Group",
|
|
"sha256": "f0b0e824fde388a4217c0ccb4c8168deaccf74e0576ff4a2748cb958b4ec1c09",
|
|
"version": 1
|
|
},
|
|
"34fde489-94b0-4500-a76f-b8a157cf9269": {
|
|
"rule_name": "Telnet Port Activity",
|
|
"sha256": "d52d770cacb099f8fc38d85ba230ecd94878c17fe3e6e9f79a0e55ea38f5c0a8",
|
|
"version": 3
|
|
},
|
|
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "d6cfb4698aec1b5cf0d032dc63a045734b6d2f64f1512eed04ec2830dae5edc5",
|
|
"version": 4
|
|
},
|
|
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
|
|
"rule_name": "AWS Execution via System Manager",
|
|
"sha256": "bc6bb14775383d504e21151c603c84cdb436c03b106b0e2a7b46d398143584a3",
|
|
"version": 1
|
|
},
|
|
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
|
|
"rule_name": "Attempted Bypass of Okta MFA",
|
|
"sha256": "6adcfe622ebb2e1205cc4a4dc2a3b058f995a21602721b04407ed751641ca206",
|
|
"version": 1
|
|
},
|
|
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "2ddb1724d79b9606e5fa60cef5a8ea1b4f61ca4586693d6fa9c74083bbb86402",
|
|
"version": 3
|
|
},
|
|
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
|
|
"rule_name": "AWS EC2 Network Access Control List Creation",
|
|
"sha256": "554c42dd3f30ca0140797069242d16be3fab75dd59fdd820054c6c4645dab00e",
|
|
"version": 1
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"sha256": "6b771c1099456446df103f77a607770b53cd33f3cf21ef60fda8a8a7914961c3",
|
|
"version": 3
|
|
},
|
|
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
|
|
"rule_name": "VNC (Virtual Network Computing) to the Internet",
|
|
"sha256": "d73415ca5e745ebbd0cc4e1c6805a1a58bef4740666f14c827e50766c26476a1",
|
|
"version": 4
|
|
},
|
|
"3b382770-efbb-44f4-beed-f5e0a051b895": {
|
|
"rule_name": "Malware - Prevented - Elastic Endpoint Security",
|
|
"sha256": "1de71bf0dca33368f44c2c020e159bcde7a48982e3979729a594b5a4bc190a9e",
|
|
"version": 3
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "76e7d9d43d610d2299dffac8d6ffde9648afd588f3c8f4df90ac370ffa416c57",
|
|
"version": 2
|
|
},
|
|
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "7fd31ec2dff167c29a32969ae7c2e83c12a7b473c5a6259d577ee2bf997be039",
|
|
"version": 1
|
|
},
|
|
"42bf698b-4738-445b-8231-c834ddefd8a0": {
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "1333a0ff14b05aff2b16fd4c2768af221d10df3e1a85059e66f3e7b0dc582d4e",
|
|
"version": 1
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "45aefd42ccd184d5d3015dc3a1cc5ec131a402884f578f40815213c71143722f",
|
|
"version": 2
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "3f96283628d73912878e47073e8094a219c6e8c260e6094055fe753e6ef903b7",
|
|
"version": 3
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "2625e3ebfa6328b4d7803a9390b136d4d8d944bcc71a0bbdc8c2c85717c967bd",
|
|
"version": 2
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endpoint Security",
|
|
"sha256": "bb1865e997d39d7c7d272d8b31538666e2a9600336304c4b558a4cfadb10c25e",
|
|
"version": 3
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "cbd3d898a80fdb3bd7c79c2f6486138e0d9d4577d34256136ccc8282a54d12ea",
|
|
"version": 4
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "a5208685993a30816029b70a8d51f0a5cda6dd19b6864c4dbfe86977b326f746",
|
|
"version": 2
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "cb6f8a29b6e8e22054ad733b4c8d1e4a3203a08cc8333c9c0ced2057dba9e71e",
|
|
"version": 3
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "7efb0cbeb8fdb7d49f6daeca8b7877ab7472b9bd0046e8e25596320bf7836d50",
|
|
"version": 4
|
|
},
|
|
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "8a44ca241191004ae1c7d535cfbc90116d4ef56e7f6941cc3e3cbb7303633791",
|
|
"version": 1
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "e091babf5f308e98b3f0d883ec8d4d6a7ead789f240e79b6c89b974ba77ac80f",
|
|
"version": 5
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "a728aa2cc5aa9069c78ef89989e5894c8d1782ba5d85c9d5c0abb22fe6d9a6ad",
|
|
"version": 2
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "ffd826b4cd0c45b2193f022109c2ed58f54ee722f0f738845d2be2041529d780",
|
|
"version": 2
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "3a21e7de28af69f13df5929cdc14c7de727a99b6189fa33d4f60f3b55a42e433",
|
|
"version": 2
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "ecaccdda66ec525035e0abe4cc0c05cf1ca2bcb9ab42fc9b087d15e6df1af6b5",
|
|
"version": 3
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "8906bc996c13a315e04670626ece6862e0fac10a206fe365d567c09c4b0ae50c",
|
|
"version": 4
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "87396c542097d7e2dd7f971aaefce97ad2d44cfbdceb13bca458f983fe6fa8fd",
|
|
"version": 2
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "2137e4281cddedab4cdbdd8247616a3bee15fa285682d7b95633272a57c8e006",
|
|
"version": 4
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endpoint Security",
|
|
"sha256": "16d5323c26e28a90a60b9e855819cc6b97cbed9a1d2cc6888b5fa14fcf11bf15",
|
|
"version": 3
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "711209a022fc43f31489e05a3dd413ef7c89e4bc058376f1bb54c98896dfaf94",
|
|
"version": 4
|
|
},
|
|
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "068af758f1ff3e0d031c5cfe35020b6f0288b12dd9d66ddab288002e0b1e05e6",
|
|
"version": 1
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "9dfe20ded6d2881ef9ab368960f6232c28a7c20783b35ab2176cccff4ca8d19c",
|
|
"version": 3
|
|
},
|
|
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "9bc533bac9e9abefc27a1adafb40c6fd99c0e359e469e9577b1efbaabd3ce356",
|
|
"version": 1
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "e35d9a9c665928aa65a412aacdc9115351f3ce4a6d8c2588629b84e9243c341d",
|
|
"version": 4
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "87b5626a84518eec3d829cb474cb47532b10bb4a1d0b11d755c3682475d7cc3a",
|
|
"version": 4
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "548c73b1abd270a73ac51e0460895d3836f11ceadc8b19559a65c9618e20a118",
|
|
"version": 4
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "6ca827084277205952821ef76e28cc5a3c9e837fc0acc0342a32db5c67a428ee",
|
|
"version": 2
|
|
},
|
|
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
|
|
"rule_name": "Attempt to Modify Okta Policy",
|
|
"sha256": "38bd3bfb4bc91af943ccb1720848358f178b6931d65b266edff08ce1c90a7e83",
|
|
"version": 1
|
|
},
|
|
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "77ac6c19df3acb42de629d1cf267c16b086d00055dea2bde9a72e06e78d9e015",
|
|
"version": 1
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "22d11f4013bd73e1e115211b366763fd0b11995dd815916c0cee80f0ccd78c1d",
|
|
"version": 4
|
|
},
|
|
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
|
|
"rule_name": "Threat Detected by Okta ThreatInsight",
|
|
"sha256": "80a86cc85576646b9db95dfa9f4924e52641cd4acc303129e4e8b774521f6126",
|
|
"version": 1
|
|
},
|
|
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "74b68b5a2a6e6fe020077c596b9b0a87a7c21bade893f197f92c92cf1ebd78c4",
|
|
"version": 1
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "228c4a9cc746a7de36dcd5f9b3cc9c86d0b06e7aef98059cecf0b2a0c7ed2c2d",
|
|
"version": 3
|
|
},
|
|
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "ee55403ad95ab22aa2ac5d8d7c388e92703b99eda4d7ea28da482b548bc47691",
|
|
"version": 1
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "7f79263265e25ce495fb3b557ca7cfee951dca089cbc14a5b192c917d0b7bb7d",
|
|
"version": 2
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "ea801143086d4558886f5c91f70433689952a90dcfd370c6d7f3366e23ef702d",
|
|
"version": 2
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "c45b8f43aaf392553bc8565a0ff6079f16dafaf1e4b6328bfb33aeda43aaaa77",
|
|
"version": 4
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "6acb7d97e42965a327c13fc188392ab14a08a40489ebbcd454e61a07c19a1650",
|
|
"version": 4
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "5467989f4ef94dd3c6b8df6b4b1e9609335c37474706889457433fca0f3c8682",
|
|
"version": 1
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
|
|
"rule_name": "AWS Config Service Tampering",
|
|
"sha256": "4f59fbb90ee508242779e252ea128487f58bbe1ed925441ee1fc3a39b48dc112",
|
|
"version": 1
|
|
},
|
|
"729aa18d-06a6-41c7-b175-b65b739b1181": {
|
|
"rule_name": "Attempt to Reset MFA Factors for Okta User Account",
|
|
"sha256": "2b125723ee269c57de27fd76a9fa970f7cdbfcb1ab8c878565097f774df9fdd3",
|
|
"version": 1
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "edcd5b6adeaa24b39ed57d401844fda13b07a95bd82863ee3d74b5df04020b11",
|
|
"version": 3
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "2e83758195426759f474e25a59427e0e1c9f1784528e8d31bf861ade42da8186",
|
|
"version": 2
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "9277093d6875b1d2ae7dd347d3b7fa8db344c053a62bcc886a2290b86ee18518",
|
|
"version": 3
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endpoint Security",
|
|
"sha256": "930dc5d6fc719ed0536d6c32b959666a726625e72fe80c63beefecee2ff0f495",
|
|
"version": 3
|
|
},
|
|
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "878f2171b2ac7b514991f9b9c25af495905d25515ca2f2cde25b4fe84e3f93ed",
|
|
"version": 1
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "ade46e96d842d8cbbf57a750750a9608f727e242b08491889ea63a07dffd4ca3",
|
|
"version": 4
|
|
},
|
|
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
|
|
"rule_name": "Deletion of Bash Command Line History",
|
|
"sha256": "9d890cbfcc12c01039cba5c143d094316e061f0a4d5d3b08165cf2eac4abb643",
|
|
"version": 2
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "83a2131189e58a38c4a31aa4e54751626eeb1cf80867c21dc344749a252c0db2",
|
|
"version": 4
|
|
},
|
|
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "1a5c7d4c0acf3ca14a00735df9852a9f66069139de940eb86ef9da409a93df32",
|
|
"version": 1
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"rule_name": "Process Injection - Detected - Elastic Endpoint Security",
|
|
"sha256": "ccca2ab5467bbbb8a8ccf1d6ca6a8396839f0f5daef67df9b45e2c709a9c7bb0",
|
|
"version": 3
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "7de69f7a4a1f9689fe091d5b70484d4392ad24039b3a80f47d39d322d4719e55",
|
|
"version": 4
|
|
},
|
|
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "44fc8a84430a247ef479cfc22f09af928395d1a68c162695bd2f1fe74ddb669b",
|
|
"version": 1
|
|
},
|
|
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "a2d9d722c68c041bb26d4bb85d7615765f7cd6dbf15ba8ad19ff9a0be2a18bc7",
|
|
"version": 1
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "d6e40340f9ba714197d88dc37469a496ef047131805e4bf2115c1cb498aaff2c",
|
|
"version": 4
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "920af03d75efd763b940e822bf4ba93d3f8fd8dde10e116f98e7d459096de622",
|
|
"version": 4
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"rule_name": "Setuid Bit Set via chmod",
|
|
"sha256": "af04c32620120d576ec2c15c7a49bb359b6c1c77490206e947ed86826020fa3a",
|
|
"version": 3
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "9c678e34d82a66ba6f1316d96ed990c1dc77274ba54f40714dd5397b5c19967f",
|
|
"version": 4
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"rule_name": "Ransomware - Detected - Elastic Endpoint Security",
|
|
"sha256": "8f1c885f6197487c9fbbf88b66c7080b7785add5683651bb2d3a16c887f4b157",
|
|
"version": 3
|
|
},
|
|
"90169566-2260-4824-b8e4-8615c3b4ed52": {
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "983df73edf11df0faa699d91d23031739d932dc4134e634c5c886fd07c6d5a4f",
|
|
"version": 4
|
|
},
|
|
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
|
|
"rule_name": "AWS RDS Cluster Deletion",
|
|
"sha256": "1859295025727023cc7909e4a23b6fbc105b7fa20780e197619e257d9c4f2373",
|
|
"version": 1
|
|
},
|
|
"91d04cd4-47a9-4334-ab14-084abe274d49": {
|
|
"rule_name": "AWS WAF Access Control List Deletion",
|
|
"sha256": "deaf75945036241126ef6fa3c886f67b82760f41f0db7de5ffccbbebd126dc25",
|
|
"version": 1
|
|
},
|
|
"91f02f01-969f-4167-8d77-07827ac4cee0": {
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "eb54cad9c20bbed0348cbdf81778221c5f78c4a893e520c84deff016d4b81328",
|
|
"version": 2
|
|
},
|
|
"91f02f01-969f-4167-8f55-07827ac3acc9": {
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "993ea8037cc7f04431563a10c526803be22b8693a18b4a4628b46d11609632bd",
|
|
"version": 2
|
|
},
|
|
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "8b401f043c87d8012c04dbd86b0b419574a8cb18a2520bae9c606317845acce8",
|
|
"version": 2
|
|
},
|
|
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "7d7d732303b9069da8939be0085b0b8f1fba316e25e4531e3d078f3ef0bab9c3",
|
|
"version": 3
|
|
},
|
|
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
|
|
"rule_name": "AWS EC2 Flow Log Deletion",
|
|
"sha256": "a07ac3fd787f6fa03fc452f068782d4a6750e76de83097551495865091307436",
|
|
"version": 1
|
|
},
|
|
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "1f857755423c0bed3d659452e148cd346fd059f7674b0e6eddaf58128a238ec6",
|
|
"version": 1
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"sha256": "b83f0cfa5bbb7f02fa48798def53d8b1a57fd8734d0d24e95e8ebe34444e5249",
|
|
"version": 3
|
|
},
|
|
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
|
|
"rule_name": "AWS EC2 Snapshot Activity",
|
|
"sha256": "840005729165b8c2d84e64b83bbc337b7b34e2ee4298922e23c9ef304dc9fa71",
|
|
"version": 1
|
|
},
|
|
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
|
|
"rule_name": "Process Injection - Prevented - Elastic Endpoint Security",
|
|
"sha256": "68a43b05df8c141fa36b6fbe9272b51f39f45f1ce41a5e8dab442fe379612b33",
|
|
"version": 3
|
|
},
|
|
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
|
|
"rule_name": "Elastic Endpoint Security",
|
|
"sha256": "bf71c88346cdee0c29ed5ec74723e873a3d579784ce79dca1e96668c9525b2fd",
|
|
"version": 1
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"sha256": "d752b66cbbeace2be75cbb9f537c2616a93f3afaeff642192cda616b2901b421",
|
|
"version": 3
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "d6ebaa11d210241095adfa1bcc998743ab486836f893b87e044a8255829f52fb",
|
|
"version": 3
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "2bbb3b9cbeead17b40f9663e52ec3b42f4b1d58dd645962c431d84b7ce149c90",
|
|
"version": 3
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "c7b27e753ab08dc5bd3cab380b67f4b346279dbeddea2b55aa862747f335e56b",
|
|
"version": 3
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
|
|
"rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
|
|
"sha256": "45fff1a065830305c07e41b12e2645e34ba7c10c5512268efd85d2e50ce4f833",
|
|
"version": 3
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "0aefc28ef5fa42264e4082dd010644052873fc54ae3cb0b7bc3cbf5a882fe345",
|
|
"version": 3
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "11408d55fdfb3692af922f829dbb1ece3131f59b6486d9f5d27572beb172d862",
|
|
"version": 2
|
|
},
|
|
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "a615c13125f279c6b25a34d110cf8d84f45e4bbce23e9ec63080952a04342760",
|
|
"version": 3
|
|
},
|
|
"a00681e3-9ed6-447c-ab2c-be648821c622": {
|
|
"rule_name": "AWS Access Secret in Secrets Manager",
|
|
"sha256": "d642e98b3e076e633ca985b67690dc130e7e8dff683221673cdba5bbeaf5b584",
|
|
"version": 1
|
|
},
|
|
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "10ea375a05dd802cd9169b589070582864cac1a66a76de45d14c2b089c25e902",
|
|
"version": 3
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"rule_name": "Network Connection via Mshta",
|
|
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
|
|
"version": 4
|
|
},
|
|
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
|
|
"rule_name": "AWS IAM Assume Role Policy Update",
|
|
"sha256": "2ada6c757e1263e796387b4f8f3ad22df6208c7883e4cc040875dcd20a1f7171",
|
|
"version": 1
|
|
},
|
|
"a624863f-a70d-417f-a7d2-7a404638d47f": {
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "0f44750ec993f9fdde22d2e85e1679352f4d94c946293223c066533697a50f59",
|
|
"version": 4
|
|
},
|
|
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "04570e79c085d3cac740e046e3448362b8438d9a99c9b399168381945773cea2",
|
|
"version": 3
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"sha256": "d191c76742500aaa9f0d3284ffa0c5fb620768826b7ed5ea0d2eea116d838d86",
|
|
"version": 3
|
|
},
|
|
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "c6224e1b5be58c085435d8673229f7e70e6bc87f1bd11ddb46bbb7f0cc435e7c",
|
|
"version": 3
|
|
},
|
|
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
|
|
"rule_name": "Unusual AWS Command for a User",
|
|
"sha256": "ce52e2d02b90df1e3ca736fc26c70d3e2f2620a9db338e3c97c668081e6fc900",
|
|
"version": 1
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "0596288e875728453b19e654f4f6e52c3dc4fe48d69c52a04a8c18f5e05724f5",
|
|
"version": 4
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"rule_name": "Netcat Network Activity",
|
|
"sha256": "a86bc32201580a304e3177b759ade73e627c671d5e11853a88415f784b18d71b",
|
|
"version": 4
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"rule_name": "Local Scheduled Task Commands",
|
|
"sha256": "d6d29ecdfb8d8ac87743712066146346c70d2a2991a00def356c8ed4733871bf",
|
|
"version": 4
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "88b6fdcc1f81a38ae42c2cc4d883604e9f5acd4a58af5f48a0c48e398665b9a4",
|
|
"version": 4
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "d4821cc663dcd04faa0dee1bb378f9e34e9e1f909bf935443e1ce0fa4055726e",
|
|
"version": 2
|
|
},
|
|
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
|
|
"rule_name": "Attempt to Delete Okta Policy",
|
|
"sha256": "01518daa44aeaab1e69ff8e839d09993ac3dff4bee42db07cc9f72061c7f450b",
|
|
"version": 1
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"rule_name": "Volume Shadow Copy Deletion via VssAdmin",
|
|
"sha256": "fc61426143133407bddabf689f0b5244aff16def118cbf470929b71174763637",
|
|
"version": 4
|
|
},
|
|
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
|
|
"rule_name": "Attempt to Deactivate Okta Policy",
|
|
"sha256": "260673214731a4388538f29a28dd04e1c49db7f4e79b2e8a4a839ab169c24de8",
|
|
"version": 1
|
|
},
|
|
"b8075894-0b62-46e5-977c-31275da34419": {
|
|
"rule_name": "Administrator Privileges Assigned to Okta Group",
|
|
"sha256": "5632521575581aedea783c9b845524be2de4e8f1a5e1b52566dac7b3db62785a",
|
|
"version": 1
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "b82fc0de50c86b935980223c1fd582a618f509e526ba9d363771d0b5601b2628",
|
|
"version": 3
|
|
},
|
|
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
|
|
"rule_name": "Creation of Hidden Files and Directories",
|
|
"sha256": "c9369962e142eda14a770259206ca03ba72a0d0b907996d25498e4e2ef847796",
|
|
"version": 2
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "8de6f1c5e4d700262cef0544529d3b788e0298c32283cc3f92e97968ce3b59f9",
|
|
"version": 2
|
|
},
|
|
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "60ae1b84baff1b57148144be22fb1fab68acc6c121388e267c0e06762d5fd1a2",
|
|
"version": 1
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "1b8d4953e6732a9a3ef60f7ee29e4a69a50750a56448334dc0bc0f06d6c1a3f7",
|
|
"version": 1
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endpoint Security",
|
|
"sha256": "b52ff8fc9a81095d6fab9fc74b1990c8e8882403fe6eaf33f035f0473ac86572",
|
|
"version": 3
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"rule_name": "Permission Theft - Detected - Elastic Endpoint Security",
|
|
"sha256": "17c3166c1f15f852bd7d969a0e07962377ffa92769690eada8f0ad5ee6460587",
"version": 3
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "15fd9d9b15627d4a9dd571999362b14fb2e86016cf6e27740af6c1f45f64db96",
"version": 3
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"sha256": "26855945696ccd5efe39e4c6e0f53dc80d8af97b7a4b927790da064f4a7102e5",
"version": 4
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "0b3597c5c91897753305ee323198d7acfedf2098d69287ba2dfbce7676940576",
"version": 4
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "Direct Outbound SMB Connection",
"sha256": "fae4636ddb0a185e2acbb41f8fea2f8510f6cf0ae61bbddd0218c63a74d5483b",
"version": 4
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "b82bf76e52898dfa29ff4736c2c989d575b0bf9c06fdb8bfcbf1ee737f41ccaf",
"version": 4
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endpoint Security",
"sha256": "f8f63b01f7675b23489b6b8c06f68a5c02516706d5a92f2beb5c8425925fb51a",
"version": 3
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
"sha256": "b58371646e73225044b02876cefe65dfeb96a8be81b39da0cf93094af30c34e8",
"version": 3
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"rule_name": "Attempt to Deactivate Okta MFA Rule",
"sha256": "e2eab87ea117ee00a592cd37fb71d7b7a3dd98e5ddfae8372d241ccf867cc9f0",
"version": 1
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "a132753ad56c8475bdc9fb137b92fa594f6976a3697ac6e6a8c7536e14651290",
"version": 1
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "5dfa85cf3d23f692d8b5612ae518fda01ad11c2a9e4b3858f6f2eb79112332ac",
"version": 4
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"rule_name": "Kernel Module Removal",
"sha256": "db63134024db06c912eac8f9cbb156a98ba56e576abec86baff108edc6a7a10b",
"version": 3
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"rule_name": "Attempt to Deactivate MFA for Okta User Account",
"sha256": "396f243a682ad551b4aab5079679f7e10b35f243e223c09d914003c38f2a68aa",
"version": 1
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "323b7718cfeb8ddb94d27961ac2f3d47767b5f6ae02f97da32f13c22e2726582",
"version": 3
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "1e199885d6b2ee9d5652ae342c7a56130596f14f4207396452c15db2d826c26f",
"version": 4
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "8bdc6cf7bf0a97f98345d321612263de58f0bd6d649cb98360a776b8af7dc37e",
"version": 3
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "2021499caa2a2176a0b86ac263f23a7518297480f0e0215dcc3a22895005edca",
"version": 1
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "2932086916e97a5920805f062c8461646c61448d36248aa6bf403133c86efa34",
"version": 4
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "0a50429de3280c10cd206152131fed4f9491b08502c8877352256f7965470a0f",
"version": 3
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
"sha256": "28fa30167bad1a2feb0868794e0cc3d05c54a6245e14b13d1f3323ef386f247f",
"version": 3
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "46878290e9bdd3e13049723afe9522c8b81af03e08648c90bba7782c1368b4dc",
"version": 1
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"rule_name": "Credential Dumping - Prevented - Elastic Endpoint Security",
"sha256": "2c5599ac23ed0959ec53b00503b7a05ee68b12c975a39d25047bac8e87254759",
"version": 3
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "4b8ef95da8429452dcf67363672f8a9e6c4e45bc80bd729ad5d3b3e60a550a7c",
"version": 4
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
"sha256": "865d4e9d7e291ee018c098eea8785ef6cbcd98368594eeadc7e66da52159931e",
"version": 1
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "d3b991ebc8647e62117b27fbc8ed1f9c22a7daddb565daa4d2e617d1c8cf71b6",
"version": 3
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "26f7ffcfddc4a817c1cedd32dc68cef4167749ada87584c1ab790d2b44a41485",
"version": 4
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "AWS RDS Cluster Creation",
"sha256": "3ad5cf801bdf9baae1e7e2c260d90108d185fd7af724cee0475e4226835be0f9",
"version": 1
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"rule_name": "Connection to External Network via Telnet",
"sha256": "8dddae484d130d6bbcf5b88ba30b257f4ec4b0cf0e3eff8233822488c848ad9f",
"version": 3
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "b867fd994b9f5fd467ac4a9e93c3fc34069e8860d49828a39272f1bbb5c74baf",
"version": 1
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "8b0e8036c1a949ccbfd40fa57471a19b52d6a072a3362d40e55eecdf09515c5b",
"version": 3
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endpoint Security",
"sha256": "ac0bba2fb5f0c96691cb486a49bd3993a4f2fec3e899ec3ab51facdd15f906ff",
"version": 3
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"rule_name": "Attempt to Modify Okta Network Zone",
"sha256": "7fa770db85902c74e76603da32e18846181911f67d3aa29d9e4331b83ad9dc09",
"version": 1
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"sha256": "c0ddd4408b7df965bb399e1d9b23b5580467983f7f856378a42d9f8f9ab97db7",
"version": 4
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"rule_name": "Possible Okta DoS Attack",
"sha256": "9af51d68b03a227d373b1c687c6c411d1810e0afe7d93e0dba41008393ab92ed",
"version": 1
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Local Service Commands",
"sha256": "7f40a97cad0ae6acde9832aff4deb5250d452c2c825f894a138ae9f0d86a4121",
"version": 4
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
"sha256": "9a3aa688f874a1f6a0757bfced4e6acf8ce786dc75b0d2b57acf118c2e474e55",
"version": 4
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "a1877bd26b03c15006c1206a4227d80d9e19fda78567256f62a5e4ff247cb899",
"version": 1
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
"sha256": "e27190c2fc3f5863287bf24853e0e3f05363b8814fd229aee9411da4a51e094b",
"version": 1
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "3354f1c679152be687ac4eef73892612b5b488f0cfe4e0e2636dc3dfdfa45b6a",
"version": 3
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "d345cd2be573364d96bf551506fa83327d1a88f9d1d578ee730f8085ff5043ab",
"version": 1
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"rule_name": "Whoami Process Activity",
"sha256": "ec1977d61b17849139eebe7aa40136a25ee369eec4a85491150f818d24dc5b5e",
"version": 3
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"rule_name": "Windows Script Executing PowerShell",
"sha256": "fbb250048e91b7b8df4a0555a9ddc8cf98009dbf2434019bf0e88839983dd332",
"version": 4
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "37d052555eb47692d5dd98ecf41af9de6d21b1526b7047c228a532e021ca04ca",
"version": 4
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "72de6ba3763bd235c252a332326af7b4cd7e670ac5322ae56ba59135b2c4d200",
"version": 1
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "5af9cbee41e50e97d7c51d898ea484b4dae244da1d45c8c49327cecffd0e55e3",
"version": 1
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Regsvr",
"sha256": "01a7ea6c1cda22f3edc887d557916a5f27184cbb9c90dd7c09e36f3c68fd59f4",
"version": 4
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "6b269a2c7fb920ecb2cf5d7516b0ff7010c0eed637beac273fd2e40cf4df60d2",
"version": 1
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "7c77385566b7c159d8e598d80ebed2d23c64e6301e1ddd7b9305d8fbc2a294c1",
"version": 3
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Encoding or Decoding Files via CertUtil",
"sha256": "d650ddaf396c9379540944aa0f084b0ef5802ec62367cb311ac6a4f0dd353d2d",
"version": 4
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
"sha256": "730e186178e67ceed90c1a70820a8ab14290ee86c749c73739fbff617f7da978",
"version": 4
}
}