security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
059d7efa25adab2f2c43b87efca9bfaad887aaa7
sigma-rules/detection_rules/etc/version.lock.json
T
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30

13401 lines
478 KiB
JSON
Raw Blame History

{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 309,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99",
"type": "query",
"version": 211
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99",
"type": "query",
"version": 312
}
},
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "983f1980633f2fdeefc4b7d50b5e5662382880e65a27b51351387386cf225207",
"type": "query",
"version": 412
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "8cd037720adc468e6c21ea2add4914a716d1fa7f3ffb7542a3196bf05c40a420",
"type": "eql",
"version": 116
}
},
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "b3a3605004e2c4a6c948a89b070b0ee2a28e33958a603a1c06e4bcf9dfa1553d",
"type": "eql",
"version": 316
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "System Shells via Services",
"sha256": "94047c055fb327e889a977deaf20ab8494f8d7c817d09a9039eecead9f00ec21",
"type": "eql",
"version": 113
}
},
"rule_name": "System Shells via Services",
"sha256": "c6c35ad0725cb2e48652c4674ae470c1adbbbdccbd396fa2c586f2edae14028e",
"type": "eql",
"version": 417
},
"0049cf71-fe13-4d79-b767-f7519921ffb5": {
"rule_name": "System Binary Path File Permission Modification",
"sha256": "9e9b47bac87abaaf02aeaf05eedd8f1a653fc1029c4f02a0045c900af6fa03a6",
"type": "eql",
"version": 3
},
"00546494-5bb0-49d6-9220-5f3b4c12f26a": {
"rule_name": "Uncommon Destination Port Connection by Web Server",
"sha256": "5c43e4b67433d9c17dcf3ec0723c08adddc753da5e15b8db551590e207c5d0b1",
"type": "eql",
"version": 1
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"rule_name": "Google Workspace Suspended User Account Renewed",
"sha256": "084af080fe0d6182cf5ea6c48b232167996f3eead720253e885568afa89e5afa",
"type": "query",
"version": 4
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "3d31dd5d0a8353000b212c5ffe3b14f5abe88a3f98db97488625321608bd20f0",
"type": "query",
"version": 207
},
"015cca13-8832-49ac-a01b-a396114809f6": {
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "1341375c3cccb30e7ed441439c386122fec8eca43759b591f42c42d2bd11083f",
"type": "query",
"version": 207
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"rule_name": "Potential Network Scan Detected",
"sha256": "5f3a83500924433610b33b689f87387a563f69eb5121b6ebac645d00b7944040",
"type": "threshold",
"version": 10
},
"017de1e4-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Memory Threat - Detected - Elastic Defend",
"sha256": "8c608745f949a23f1981034b99641bc9f149c2fab5f595f6c8df610e22a011ad",
"type": "query",
"version": 3
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28",
"type": "new_terms",
"version": 204
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "810907d90a27aee361c0e4bdf4d0bfe79e58e47c2b9f7a8df4b14ad750f1aa8a",
"type": "eql",
"version": 108
}
},
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "415830680cf9d50d3845dbb66278e1153b189e660304ba0a15ca8d3d5f47ed5d",
"type": "eql",
"version": 209
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e",
"type": "new_terms",
"version": 204
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"rule_name": "Process Created with an Elevated Token",
"sha256": "1ac8ed3b1ca5fea1b2f1908042c00a316d4459af2220eb483569bcea820be9c1",
"type": "eql",
"version": 7
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "376189f0989a9c834ea9e807f1c31236301e528eec227aa389419a7e53aeabf0",
"type": "eql",
"version": 209
}
},
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "3e2498d141db920ce8fc17488acde7032ea81b42d39f7e26c4050febb32a3bec",
"type": "eql",
"version": 309
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "8ddaecb1abd24bc5406103c8f6edc29cd35f7748ba01ecc725ade824b6e50cde",
"type": "eql",
"version": 4
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "a07d5178b0d63fe45832be7feae2eea146956b3b81baf2c247c23c39a4465af4",
"type": "query",
"version": 107
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "6914713f09336f9c3dd081ef53ac47488673b0d06d86d731eae0c68021783845",
"type": "query",
"version": 207
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "4c5ca4a33be28031ab32a084760e988f017a7edd84cc8c08f314f52d3873cb50",
"type": "threshold",
"version": 113
}
},
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "7bb30e533a5784e8b443498afc2acd04fa726e74eec86a301107c57c0e73a4fd",
"type": "threshold",
"version": 213
},
"035a6f21-4092-471d-9cda-9e379f459b1e": {
"rule_name": "Potential Memory Seeking Activity",
"sha256": "20152e6156019129d0fbbb345d391d5e782b2a10b7ae835fd26d8be3e6e3838c",
"type": "eql",
"version": 3
},
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
"rule_name": "Suspicious Dynamic Linker Discovery via od",
"sha256": "bd5bbad719e965a90859b0a4bdedba465855590236e80fa2f05be1b1943c969e",
"type": "eql",
"version": 104
},
"03a514d9-500e-443e-b6a9-72718c548f6c": {
"rule_name": "Deprecated - SSH Process Launched From Inside A Container",
"sha256": "db16c791683827ffea8705d7c3c3a3c8793db69d1e421f594a01616cf7fb7509",
"type": "eql",
"version": 5
},
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
"rule_name": "Potential Network Scan Executed From Host",
"sha256": "ae3ea0137d74ca472a7ba99931f0fb829c7b6419004e69b9a9a0ac88b87e0ebb",
"type": "threshold",
"version": 4
},
"0415258b-a7b2-48a6-891a-3367cd9d4d31": {
"rule_name": "First Time AWS Cloudformation Stack Creation by User",
"sha256": "52da905207d1e7c88fc6422717c8a5e4a92dc36ee070a06fc4bcdbc3d90476d3",
"type": "new_terms",
"version": 2
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "3b26f04620990f0636c48d69c7dddb1091ac744f61ef4244cf1bf27d38677ecc",
"type": "query",
"version": 111
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
"type": "query",
"version": 105
},
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "47373227a503f5fe1fde96d536e6a205fcac83b971b0dee087b3614cd96c814f",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "95d69d7ba9d1821cb7a31fc102eddbf4725f3512d45f8c1129cd08902c00b9da",
"type": "eql",
"version": 203
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"rule_name": "Azure AD Global Administrator Role Assigned",
"sha256": "60c46c899a69ab28b32485227c01fb16cee84b26abd65893b8f900c888034338",
"type": "query",
"version": 103
},
"04e65517-16e9-4fc4-b7f1-94dc21ecea0d": {
"rule_name": "User Added to the Admin Group",
"sha256": "605d63b5087ecb7c6b317b124502b5109f16a229ccb1a878d7f5c7f08940e119",
"type": "eql",
"version": 2
},
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "1ca8fdf09317fd36c70df03f3201b8274dda82e84f259811b7e392d1b5d8e6b4",
"type": "eql",
"version": 112
}
},
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "a219cd9773dc1fa8aa69881e4de1fb3c8b9b635a1c380a4782cf15cec90f8904",
"type": "eql",
"version": 212
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "8d613ba421aebd8dcbce56302f1c2d6a19b749085004adc1050a81aed090dcc5",
"type": "eql",
"version": 8
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "05e330c5bc7ed2ce8eebca407e464236f706e834abd2347c5e29222915cb9919",
"type": "eql",
"version": 115
}
},
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "3f61af7fb95a6f56f3d8b10f22c2543e1500a295cedb05240385a644cfb3960c",
"type": "eql",
"version": 215
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e",
"type": "eql",
"version": 110
}
},
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "de972a03d58e0257614b0bd101a01763a9c8905bf07a6d5a97b16871115da13e",
"type": "eql",
"version": 310
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"rule_name": "Tainted Kernel Module Load",
"sha256": "6e6fcbbf2ea3332a110e3c68ebc52cde1b789a0370ce24f76e00a25d8c349bf6",
"type": "query",
"version": 5
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "c70d925a16e8a0ca54c52ed7ba79164ff5091150dc18e8f3096440d73fd87433",
"type": "query",
"version": 109
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Remote System Discovery Commands",
"sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4",
"type": "eql",
"version": 114
}
},
"rule_name": "Remote System Discovery Commands",
"sha256": "8385d01edb4859b073dd968c3ed428bdc9f20bb184869f14eb4f42692a0abe06",
"type": "eql",
"version": 214
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 109,
"rule_name": "System Time Discovery",
"sha256": "33fe7970c008c5046403b819e98a65e6552a9579cc28562fe551e9ec75fcf0ef",
"type": "eql",
"version": 11
}
},
"rule_name": "System Time Discovery",
"sha256": "cf15b2bf8ac5ddd54fcb4f2ccedb51733cf85512ca197097fe3c7ab31f87755a",
"type": "eql",
"version": 111
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"rule_name": "Unusual Remote File Size",
"sha256": "1c0662f5b11e6019bfa3e32d36fedf5821114840e8aa8e424150ea7631c58079",
"type": "machine_learning",
"version": 5
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "d70040688d2d40faca05dc65ea89f7b7cb6dc34b2c978f2fc33e67f843a5c79f",
"type": "eql",
"version": 10
}
},
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "e7a8862a024f6ea8a346b16441845118d570aebb01a849748f0c3d313172edae",
"type": "eql",
"version": 211
},
"06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": {
"rule_name": "Dynamic Linker (ld.so) Creation",
"sha256": "cf3d305ea89fd7b2c84f8ed412f55d0c5180e021f2d107a517d501e85c15e038",
"type": "eql",
"version": 102
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "af64a92d30ef699c25bf08f37822770635ec2e44be940f17de9cf25ba519f602",
"type": "eql",
"version": 115
}
},
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "990f986bae1d4f295042fd090a380cd0d6f3d7b8850dd78cf6d5b4e2ffe7d8f0",
"type": "eql",
"version": 215
},
"06f3a26c-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Memory Threat - Prevented- Elastic Defend",
"sha256": "40d0e6bf90bb885b5bedb92204b324ea0899096734b6a33c10fcbf76f6ae8266",
"type": "query",
"version": 3
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "9f32696b9fa2e1510dd9d329776fa82b31d56c88665b21f900724188a3fb1f33",
"type": "eql",
"version": 112
}
},
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "36865a14b607cf48b5cdfcf52bd07a4c37c6a89038d1230ec983ac280ad050ce",
"type": "eql",
"version": 313
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "3d9549ea279015b77bc82b2e69b630d2013529cbc37e51d1316381f1c8f34d54",
"type": "eql",
"version": 207
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5",
"type": "threshold",
"version": 7
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "09c2f36752a76180ee5f6c3d999fca9b4a594baf1e68da518828098d4a918b29",
"type": "eql",
"version": 10
}
},
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "a02807e2dbf00fd418c04b345cf9bb599e756134d50cfc7ceb239d0db3e3d270",
"type": "eql",
"version": 313
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "9ef2074f6e701f2d706ccfe7165569007fc670532ed8a720905e2fbff4754a32",
"type": "query",
"version": 107
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"rule_name": "Suspicious Browser Child Process",
"sha256": "ae0e822932b3d3a4abbd15f6ff61bd9086207d22ea05cfc9cc59eeca918294b9",
"type": "eql",
"version": 109
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
"sha256": "2b0a0ede15789e0b7a7554ac68cafe6384e235975fcfec67debe968db0c4c318",
"type": "eql",
"version": 108
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "a01dd38408bbec2545a780590fb1551649acb6e25b7f9589b305b518dcfae70a",
"type": "query",
"version": 107
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "First Time Seen Removable Device",
"sha256": "f1ac8cf1be60a96de758a01dfbfd0a5b594450e5a38ceae29fc315267402c892",
"type": "new_terms",
"version": 10
}
},
"rule_name": "First Time Seen Removable Device",
"sha256": "70f7e9b02ae62752a1aa355c2bf0737861fcbe8f6d564b36f533e1c115925ed6",
"type": "new_terms",
"version": 210
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"rule_name": "Windows Account or Group Discovery",
"sha256": "345611059c1ff3167364a9fd80b7f975c8cef14393238750bfa8c6207ab12bd0",
"type": "eql",
"version": 5
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
"type": "query",
"version": 100
},
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "0e3d828631e0a83196eea6787fc18de515f9e27764d93909572b5cc61b7ddc61",
"type": "eql",
"version": 109
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"rule_name": "Process Termination followed by Deletion",
"sha256": "14b2c50279749311159d46204420c773d52555a562d83ce604a03fd9d9abaafb",
"type": "eql",
"version": 111
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"rule_name": "Member Removed From GitHub Organization",
"sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7",
"type": "eql",
"version": 204
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
"type": "eql",
"version": 100
},
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "7040132674395ed77ee5b703d59cfbefe989b32ac76e3f85c8f03862f368df3e",
"type": "eql",
"version": 7
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
"sha256": "f6a45024261cb0b349f1b5e65afcbfd1cffe90e669fa3157bf60ea20538b5f44",
"type": "query",
"version": 103
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "7a47db16ef187e82ca162b4ddc7be98c559c56f60930c7f857b4998e456db762",
"type": "query",
"version": 104
},
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "d0ca847022a16689d65f980293f4e0fd6f57daf55cdf34dcf2d377d146f0757a",
"type": "query",
"version": 6
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "d48d0db0dcf2f0f427cffe2c1fc5c43f10abee34268e5d667453968fbde0f29d",
"type": "query",
"version": 209
},
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
"rule_name": "Yum Package Manager Plugin File Creation",
"sha256": "2246ca718f9e4c68f8015278f6c338d481215cf44d109266c689582b268cd4b6",
"type": "eql",
"version": 5
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Anomalous Windows Process Creation",
"sha256": "e58901307b82a6b703f7a5b2767769ca7cbec1c80db040954fe646835f35d714",
"type": "machine_learning",
"version": 109
}
},
"rule_name": "Anomalous Windows Process Creation",
"sha256": "c0f120a64ff245f24b22572875fa394dbdc77cb4f3718153eba555eb889feac8",
"type": "machine_learning",
"version": 209
},
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "User account exposed to Kerberoasting",
"sha256": "f4161c7c3cb1aa92b083eb597fae4114d218aee981cb01a13851e639a4dea970",
"type": "query",
"version": 114
}
},
"rule_name": "User account exposed to Kerberoasting",
"sha256": "ebd85ca66aad316c0f9ca0890392b1bf3c4c86c58b9b097f3079dd6dbc0a6dee",
"type": "query",
"version": 215
},
"0b76ad27-c3f3-4769-9e7e-3237137fdf06": {
"rule_name": "Systemd Shell Execution During Boot",
"sha256": "f38d9a3cb527fed3ad70ba4055716a8490606cb347a6813497bae630dd296758",
"type": "eql",
"version": 2
},
"0b79f5c0-2c31-4fea-86cd-e62644278205": {
"rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
"sha256": "4a8f1df0c1c99b704e5485fd658ff9569854ebb1e729a16996a835862cfe8f24",
"type": "eql",
"version": 2
},
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "7fc4e84759a2af54a9511e0a595038dfb7f5e4cded7427859e3081ac8d7ff641",
"type": "eql",
"version": 108
},
"0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "651c708c609fb7785a9f1776142e6f473de4466714636ff521fc42e5e303c8f0",
"type": "eql",
"version": 5
}
},
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "f3895557013bb677c666836d9909116795173df120b18f2792b6aa20cbe69580",
"type": "eql",
"version": 106
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces",
"sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286",
"type": "eql",
"version": 2
},
"0c1e8fda-4f09-451e-bc77-a192b6cbfc32": {
"rule_name": "Potential Hex Payload Execution",
"sha256": "60df1c7136646558bb4c4713cbfb9a5a4b107a9416be8a60fbf7700cbcb94ce3",
"type": "eql",
"version": 102
},
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"rule_name": "Threat Intel IP Address Indicator Match",
"sha256": "9507b5aae7440ff10ceb3f3e75dcc178e809320a084d56e616de90e14713d0d6",
"type": "threat_match",
"version": 8
},
"0c74cd7e-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Ransomware - Detected - Elastic Defend",
"sha256": "8c9fd34f4f30b211e680a28ab5e00352770c9972db08cf8a11fd6809a97edbf9",
"type": "query",
"version": 3
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Peripheral Device Discovery",
"sha256": "0ba61428f49133210022937f1edfd3ba9e42329cb91126ff0465644e23fc62ce",
"type": "eql",
"version": 112
}
},
"rule_name": "Peripheral Device Discovery",
"sha256": "61263ade531000457423d75f215e58ba78b6b5cfd11f5e95bf5fca9d5d77c526",
"type": "eql",
"version": 312
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"rule_name": "Deprecated - Threat Intel Indicator Match",
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
"type": "threat_match",
"version": 204
},
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
"sha256": "0d0084d44982bd3c5392b363044b94d1c083b4ff85c4da034a82be08872812d5",
"type": "esql",
"version": 5
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "c5b5703eecd7632b4ddb4091627b0ff3ab51fe21941d1f5b53297f00d72c4f4d",
"type": "query",
"version": 207
},
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"rule_name": "Multiple Alerts Involving a User",
"sha256": "15e804addadde83664812796f8f9823a5c7ebff99e0beb27678162bd9c31e24b",
"type": "threshold",
"version": 4
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"rule_name": "Nping Process Activity",
"sha256": "1ecfdf114395bc4eb70a3fb066620a04c60f99884612e0f29066015950dbd8dc",
"type": "eql",
"version": 210
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "e5c5f267f119e9874c5b19c097244a7253714352e28e2fcc353b74d5c36bb3e4",
"type": "eql",
"version": 111
},
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
"sha256": "06cd8ab4b8922f24d2b6151406f8680b95c67b7d415ccdab4ef61cfc5c80fda7",
"type": "esql",
"version": 2
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce",
"type": "new_terms",
"version": 204
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"rule_name": "SharePoint Malware File Upload",
"sha256": "74965d932cbd9a720a97b2ceab342bba465997b95f0c655b95003fbbe6387365",
"type": "query",
"version": 207
},
"0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
"rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token",
"sha256": "f6f434f76330ba923e4d55b62e92891d98a21706ca8bd0b47bd9811566a8c497",
"type": "esql",
"version": 1
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"rule_name": "GCP Service Account Key Creation",
"sha256": "59e29ccc3ac8165891a2e84b728fb276eaf024e4adc86f129eed888139ef37bc",
"type": "query",
"version": 105
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "MsBuild Making Network Connections",
"sha256": "7c639b668c0b9207254749cb4e45c08ed861a61d1b5e8b27147b3b664d0ae255",
"type": "eql",
"version": 111
}
},
"rule_name": "MsBuild Making Network Connections",
"sha256": "1d7d425a4b556f2c948c50f0b1dfd888045fc7023dbe3fbad411dbb83d420c0e",
"type": "eql",
"version": 212
},
"0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": {
"min_stack_version": "8.14",
"rule_name": "Sensitive Audit Policy Sub-Category Disabled",
"sha256": "36d53d03849de22fb24be66156f15194ce07ace1ab38974701e6b69efe28551e",
"type": "query",
"version": 4
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"rule_name": "rc.local/rc.common File Creation",
"sha256": "9d1acfe268c50abdd645663c36152672c58badfb78f109529fc5cf7392c38aca",
"type": "eql",
"version": 116
},
"0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": {
"rule_name": "Polkit Policy Creation",
"sha256": "0afcc930436684dfdd61e2ef01cbc1adfa72ab7f84b9fd58280c94953ffdaae0",
"type": "eql",
"version": 103
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "4b9e8dd7f874cd95eb91b79ea9ff20499a9372b785b00b28508b0ce941af417e",
"type": "eql",
"version": 105
},
"0f615fe4-eaa2-11ee-ae33-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Behavior - Detected - Elastic Defend",
"sha256": "84214be4565dee7f618d414cd2599619e3b5a008b2e5acfb397c79d2c6020732",
"type": "query",
"version": 3
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
"type": "query",
"version": 100
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 309,
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "47eb039775808da28b11790e0cc065e4a50d78e27c509b0d3658b680d0e8afa5",
"type": "threshold",
"version": 211
}
},
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "bbaf49b522cd5d40af2d47cba7e4b4171ca4727ca8719122a6cdbee63432dc73",
"type": "threshold",
"version": 311
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "76940df70c1484a0067d03c9147c59cb9cb88ff381bc232e981395b072fbcad0",
"type": "query",
"version": 107
},
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
"rule_name": "AWS IAM Login Profile Added to User",
"sha256": "dff5cd6124560d135f2d7393f7c92da107c6f1993843cabdc031a2c21f69d7fd",
"type": "query",
"version": 2
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
"type": "eql",
"version": 100
},
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"rule_name": "WebProxy Settings Modification",
"sha256": "43d8180f7e5ee5ede17e49e4b51dde1ec237e4fd3684df5ed85afbbde690f390",
"type": "query",
"version": 207
},
"10f3d520-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Ransomware - Prevented - Elastic Defend",
"sha256": "7ad9cd5a7ed6933679d180d53ba468c0afbf17789887c8086eeabdbd30f751c8",
"type": "query",
"version": 3
},
"11013227-0301-4a8c-b150-4db924484475": {
"rule_name": "Abnormally Large DNS Response",
"sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721",
"type": "query",
"version": 105
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "46d8b330ba652e23adf896e687f3e5366a624a5331876fc279966cc8b152cf65",
"type": "eql",
"version": 112
}
},
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "a2bdb54600ed5810827ddcde587fdd19f4abe4ac4f268242ea2b360c433b20ae",
"type": "eql",
"version": 212
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "a994d1f91f21add41bfa56ede5881e607b7400b4d3892076489853ee155f7fce",
"type": "eql",
"version": 113
}
},
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "89ff75015ccc7505d10b8e1dd68a6e00bc013390bb1d3c3261ebea0dee5a9cd8",
"type": "eql",
"version": 313
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "22b038a9d7ed9ae2bb66b4cb46bcfc5b0b5fd00d0c6512a3aa092001b5c12e80",
"type": "query",
"version": 207
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
"type": "query",
"version": 100
},
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 113,
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "a7ec142dcda7675c77e9b876a21fdbc81216e3a996b187d8b9ce5fb6ee881abc",
"type": "query",
"version": 15
}
},
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "6b484742b765e528a93679109d41f88dab5fc43c020fe7354c920f488c850661",
"type": "query",
"version": 115
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "529c6c9afcecffe9bc1f09b979a34bc926f72b18aae363094788855893224f4e",
"type": "eql",
"version": 213
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "2e9c3df902a7e2af50b5f91cbc53f971eaac2d7c296180dc7140aa88c286406a",
"type": "query",
"version": 207
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
"type": "query",
"version": 100
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "36f3d53e0e615d93af889f1a29da008db557f004f34ab0b3a14b5210f0aeee2f",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "5e43858136609068909a67bd2ffd833f974eeee7ae19cdb80a02ae08ad096d70",
"type": "machine_learning",
"version": 108
},
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
"rule_name": "AWS Lambda Function Created or Updated",
"sha256": "034e4008a61db1376ed832a2c197463f0db3f4a325e879f200fc0180f30cdc17",
"type": "query",
"version": 2
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
"type": "query",
"version": 100
},
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Suspicious Lsass Process Access",
"sha256": "b5585ef93c094d17af2ec93e821abae35166aff50db392c679bdfd4ad289691e",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious Lsass Process Access",
"sha256": "19af37acbf8a0f9774fb22c8fe43855471d07d04d9aa68dfaf95e90219bd65a0",
"type": "eql",
"version": 209
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"rule_name": "Kubernetes Suspicious Self-Subject Review",
"sha256": "75734b3460dff650d8fb6adbbe456341d03756acefec419bdbe2f8dbb064b12b",
"type": "query",
"version": 204
},
"12cbf709-69e8-4055-94f9-24314385c27e": {
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "7c44812095bd92d02344d24e68f59d1becb7a2912cb9f782309717e196302e80",
"type": "query",
"version": 205
},
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "272a96e698a6afe16c3181d064b9c894e77f51b3eaf866209b5dce7565d67d30",
"type": "eql",
"version": 4
}
},
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "6650390a0ab837875b873ec9ee59ab4afc35d94df7e4e550ab6e853cccd6b929",
"type": "eql",
"version": 206
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "8a50a6a6f107f05960872b508ca599e3ced73c94f3e91ba756d516d1fb627486",
"type": "eql",
"version": 115
}
},
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "f257b59519a3f70f969db80deb185a3cf39536af5b3c532c376b9108da677c08",
"type": "eql",
"version": 316
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "17d08d5a22a343108d957c179ce6094d0257d0d8b2579a4951119dda819508f6",
"type": "eql",
"version": 110
}
},
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "b0ccfcb313b2d42d0235a2596412d1178773cf4161732fd7ad768553a89a446b",
"type": "eql",
"version": 412
},
"135abb91-dcf4-48aa-b81a-5ad036b67c68": {
"rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
"sha256": "8abcc3f4f205afae84358660b95a2527d10a1f5a33fb6aa904c0c1280d8b6805",
"type": "eql",
"version": 103
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"rule_name": "Rare User Logon",
"sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59",
"type": "machine_learning",
"version": 105
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7",
"type": "threshold",
"version": 7
}
},
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "d0a42671292f00c27195e313455fdfaba1fec838c135fe4e95baf80fe9fe68bd",
"type": "threshold",
"version": 207
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
"type": "query",
"version": 100
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score",
"sha256": "3ec2e506931ecd0b5ba1e027207e34901c5ac024f575d19242d7a03f5ee033f6",
"type": "eql",
"version": 9
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"rule_name": "Azure External Guest User Invitation",
"sha256": "6fbce9547774cb786e35438648ca5a236089ce43936066235b21a006520def25",
"type": "query",
"version": 103
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "05723d7fde940cd2cc2663a56ee79b455405ca9d1e1270db75b986c5ef72717c",
"type": "query",
"version": 105
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"rule_name": "Office Test Registry Persistence",
"sha256": "ef730832a93503b501376aacb96760534cb31876eed560a014670d79b2d03b74",
"type": "eql",
"version": 104
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "fc2b301f6bbaa53417113b60b7a3c366d6f6c509954e72e27e9386b8b8585c28",
"type": "query",
"version": 204
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "c1c4d209cde3b94cd2f8c548ecdb34cb3fa679dd0b53e7fdede58f9d1556ead5",
"type": "eql",
"version": 113
}
},
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "9b84185dd52ac21aec4f2a8db1583492782012ec7a3cf59ce9987512ffb52e0f",
"type": "eql",
"version": 312
},
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2",
"type": "new_terms",
"version": 4
},
"8.14": {
"max_allowable_version": 203,
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2",
"type": "new_terms",
"version": 105
}
},
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "b2723b3de15eaf38f608b269cd27119a720895d4cd72b126071f5f0dd90555ee",
"type": "new_terms",
"version": 205
},
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"sha256": "f1e6f5c52e4c18b16f84c216103655718a11c24159fd88c9d53d7810f03b9fca",
"type": "query",
"version": 2
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "c942ba35d01b9cb9eebfce159f6c2ef894b5f93d7501c1f04fbfe4f029914e25",
"type": "eql",
"version": 4
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "5590dc04999fc927242cf1926db4e2333087ea2de5e17c69677fa0ce42a76e5b",
"type": "eql",
"version": 113
}
},
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "48a21cf9c0af5dfe2bfe8c63b5a363ce108759818d65d6b3413ecbd1d0492b71",
"type": "eql",
"version": 213
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "59e37cb962abea6a86b2a9384e1f08d2d036cdf4ab29173bc0d6e344af013204",
"type": "eql",
"version": 115
}
},
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "ceac041df0548aca97242dafdaeb9c690d4d47ac4073a6393c65e651869946b4",
"type": "eql",
"version": 316
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "0b2ebcc224d55592d6f4b75e83df6d80460d48ba25c8b07d71ddeb2e16fee539",
"type": "eql",
"version": 109
},
"160896de-b66f-42cb-8fef-20f53a9006ea": {
"rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
"sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a",
"type": "eql",
"version": 3
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"rule_name": "Azure Automation Runbook Created or Modified",
"sha256": "ba45931cd861307121631371d3ceada4c31f8c0df2f03e06f91fc43499cafeab",
"type": "query",
"version": 103
},
"166727ab-6768-4e26-b80c-948b228ffc06": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "File Creation Time Changed",
"sha256": "4b13b87a19503b754f0e1168a58053e72b7ab57ed3f6b4fa1e85ca983050228f",
"type": "eql",
"version": 6
}
},
"rule_name": "File Creation Time Changed",
"sha256": "96cb410b392f1a8774e854637ac35223c3f06af1886b4805a50b9337a05c3290",
"type": "eql",
"version": 107
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "23b10e667366dd92f41808c9b01db2f62209ebea86cc67add8a43532a3341b74",
"type": "query",
"version": 107
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"rule_name": "AWS IAM Group Creation",
"sha256": "ee11c9442b8e8b3ba41f33c3a39715ed346f2d770c4dc8cee36662b2214222d0",
"type": "query",
"version": 207
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"rule_name": "Component Object Model Hijacking",
"sha256": "b0696bdb5caeee166adb282c9d5183cbe4347a8d2fed7807235f3e34d613d7a4",
"type": "eql",
"version": 114
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "3cc36b41be0eac9cd7741554fb1bd65a80c0a77275abb17d58fd202b42c25c6b",
"type": "eql",
"version": 112
}
},
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "f0b9ffa215ff2cbd2e2a889ada8e94883b25b009557f7f572ffacebd45b15863",
"type": "eql",
"version": 212
},
"1719ee47-89b8-4407-9d55-6dff2629dd4c": {
"rule_name": "Persistence via a Windows Installer",
"sha256": "8ac49e7c12e9e26728ce584fffb95e858c0145cd1ff89099123834f39022652e",
"type": "eql",
"version": 2
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
"sha256": "6862e5d1dee36ec1dcdcd165a67f6c373cd83aaa5f0db1b63ac526b78d346e02",
"type": "esql",
"version": 4
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Unusual Windows Username",
"sha256": "e9ed01e74760cd8f6b5436fa2bf1017b75f7981365876ee0443e0bab995a0f27",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Windows Username",
"sha256": "1e10d9ab500e362602268cac7c057d8f4200d268485ee4c70b1e1381d74f32a7",
"type": "machine_learning",
"version": 208
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Service",
"sha256": "a1c9cbff26b71eb5194648a9907fd39e1504c7662a8f217cd2e9c099f9e24767",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Service",
"sha256": "63fc4e38fc33fd24ef301efc7a52d2781085a9dd8465d14910b075c4ca6b5023",
"type": "machine_learning",
"version": 207
},
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Suspicious Powershell Script",
"sha256": "fc63208d7b1218e72d90948342343c545aab84431421c2d3b6d81b1a925181a1",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Suspicious Powershell Script",
"sha256": "3bfa0053ceaa3a5923c2aeac1cbb923a448d65b83dda46cfc701cbcf37772899",
"type": "machine_learning",
"version": 208
},
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "219fa2a191fb555ae903516b407568cc9bbc7be95ca6f3fb302311ce94382f0f",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "b13eb00c757b1251104bf4c37b3a291ee5acc963ba34c008a8b6d8731a102b47",
"type": "machine_learning",
"version": 207
},
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Remote User",
"sha256": "c2ce8aa3cd6b41359d2374f00b781728b1d6990960574e1d27d013e9a33cda80",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Remote User",
"sha256": "6e49cc6ec8fa0f149019eeb0d99bc587779e02711c05c54762667fb21676de08",
"type": "machine_learning",
"version": 207
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "Systemd Service Created",
"sha256": "64deb3a7d35566d558e890c281946d23e332598949d863e7f3fbefa14896a901",
"type": "eql",
"version": 16
},
"17b3fcd1-90fb-4f5d-858c-dc1d998fa368": {
"rule_name": "Initramfs Extraction via CPIO",
"sha256": "e91def04da5452836c00e38e6652e095e4124c1820f2650c10e07cd01e3fc61b",
"type": "eql",
"version": 2
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "3b12641768e2a47b26428daf4f845ab28c7dd839b86550febd738e1e8586d6ff",
"type": "eql",
"version": 111
}
},
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "897127ce66b9d6ef35af246c068852d99e7af8df437c3e4d98baa466d779a8cf",
"type": "eql",
"version": 211
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"rule_name": "Unusual Network Destination Domain Name",
"sha256": "f20d9f97b235081744c25d793925b812e945e1e5e01719ce39cfcc0defb5b253",
"type": "machine_learning",
"version": 105
},
"181f6b23-3799-445e-9589-0018328a9e46": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Script Execution via Microsoft HTML Application",
"sha256": "12f1a83fb96e68e2440fc75a664bb40ec93c873078e8e95f4e7ada4d552370dc",
"type": "eql",
"version": 3
}
},
"rule_name": "Script Execution via Microsoft HTML Application",
"sha256": "35522252e970985ab70a0f4b89c64a7985895c75db81381345559495693ccc8e",
"type": "eql",
"version": 203
},
"183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
"rule_name": "Simple HTTP Web Server Connection",
"sha256": "300e205d2f05314cabd3ea5c9dc9fdc35ce1ee5211afd8f65d74a15e3ef0d8e2",
"type": "eql",
"version": 2
},
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
"rule_name": "GCP Logging Sink Modification",
"sha256": "61f062813d6ebdebc0cc6698c7dcc7a975d9f3cacf7713f599fefb3a363a15bf",
"type": "query",
"version": 105
},
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
"type": "eql",
"version": 100
},
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
"rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager",
"sha256": "1f41f4ccb333df0f6e2e8c35cf140f6c0d2a9bcd69f6bcbe995c987bbe00a668",
"type": "threshold",
"version": 3
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "3624c2a233bea0d357eca3960733b5cd7bc6de43ac52d3c824553397d583e773",
"type": "machine_learning",
"version": 5
},
"192657ba-ab0e-4901-89a2-911d611eee98": {
"rule_name": "Potential Persistence via File Modification",
"sha256": "3e0bbc97f6625f0f5294307064489d5cde380528cf838db84c6d84498961b0bd",
"type": "eql",
"version": 7
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "d831a2c4ab5f21f7320a3fc66d048b0b77a969c59eab238e78a8e1ca5d3c7d59",
"type": "eql",
"version": 6
},
"1965eab8-d17f-4b21-8c48-ad5ff133695d": {
"rule_name": "Kernel Object File Creation",
"sha256": "eb75ed2a02885be89ba411760bb066cdb4f58f77f25e138ab75b9eb72226030c",
"type": "new_terms",
"version": 2
},
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
"sha256": "33f648f8fa253d9d09a1f3594faf4499982de1fc6d268944164a5d4b08313bbf",
"type": "esql",
"version": 3
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
"sha256": "e0fed1b61b6fc4ceab47ffa167cd84bceba6c2c6bb33dc781102e3d5da543e9c",
"type": "machine_learning",
"version": 209
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "2a4b88bcda39f3627856cc76ad43b699768b3d1cabd2d7ed7335c991b0466857",
"type": "machine_learning",
"version": 5
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container",
"sha256": "b35cf28e6c98f67ce2f60eee9fda257649fbc1f6217dbdf63219e032d521c28a",
"type": "eql",
"version": 4
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"rule_name": "Azure Application Credential Modification",
"sha256": "f7362735f6b890396d8a39feb56c68597b92b95b75576e198efa44353fb980a4",
"type": "query",
"version": 103
},
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Execution of COM object via Xwizard",
"sha256": "f6391e8f5b0619d0a9d9c44f7eb9fd4ee84d804dce2a33222731c4d7f110975b",
"type": "eql",
"version": 113
}
},
"rule_name": "Execution of COM object via Xwizard",
"sha256": "c65c9419a9ac1a778ae51ad7d033bd3775009b43563844b80f984ff2f2f64e45",
"type": "eql",
"version": 314
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b",
"type": "query",
"version": 209
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "User Account Creation",
"sha256": "1046be8b577da52ec4ae4f06bcbf7ac7e32232c0e2d407916cb0474c8add7849",
"type": "eql",
"version": 112
}
},
"rule_name": "User Account Creation",
"sha256": "3b110982e7dcff42742a98ac233650c6dc58347d5faf2db2f46a849fb45b1bb2",
"type": "eql",
"version": 312
},
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"rule_name": "Process Created with a Duplicated Token",
"sha256": "34b078db5943919e82a752fb623100ecf49de4400eb5b5af0beb5dde7933f97f",
"type": "eql",
"version": 4
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "577e427fc64582ac236a077a7655689420ac05895657991b9b10c235df191853",
"type": "eql",
"version": 209
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "91601e89cb6509b662c58081c0bc8819adcf3c883bdc11c2819cd87ed1ce2996",
"type": "query",
"version": 207
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "7356e96ea1f088a2fd1b9412babba3ca73d9331aedf84b27f6fc8efe96edfc04",
"type": "eql",
"version": 12
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"rule_name": "Potential Process Injection from Malicious Document",
"sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1",
"type": "eql",
"version": 2
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "9b82cc17d19e29ee2cba453d4fb97352ab4f1e2f8ecfe3d9ae2471f5f842509d",
"type": "query",
"version": 213
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
"sha256": "a216a3ce8647e67413fe83b87ca92054c13d98146ee4c740fbc79435459adb1e",
"type": "eql",
"version": 118
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Rolebindings Created",
"sha256": "250fb7d71a7e245ddced159b3f88b246c5ab4e89708f3130c7b27c55c998a33a",
"type": "query",
"version": 103
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"rule_name": "New GitHub App Installed",
"sha256": "e00feec6890b2361d7a10a06e2e91c713d0f28c866005e9e1f72610f0dbea4eb",
"type": "eql",
"version": 205
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "ce97e8b346f6e7bba7e209a95c49253e1561ae4cc80a170c9ae2e23ae6f36dbb",
"type": "eql",
"version": 109
}
},
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "26cde5fd51100b2103cc8ebd9ffa4347f2529e861975e6d4b22770ff4e8f244a",
"type": "eql",
"version": 209
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d",
"type": "query",
"version": 6
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d",
"type": "query",
"version": 107
}
},
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "7709f499f3a03dd5ce65351e23a1a9959dc5139e8f50d72015df6ce2b0a3233b",
"type": "query",
"version": 207
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "832c238b226f2b7fbbc201338e1d0dfe12a9a7ebf4a6263a1f038ab6019e0e6f",
"type": "eql",
"version": 111
}
},
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "ada7bae223693811f424b80ca156f7135da309f54f39186bed4f022974dda573",
"type": "eql",
"version": 211
},
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
"sha256": "16b6264718403929b906f7b79bfd533c83024fbc7acec96ca185dd3cf5d3eaa3",
"type": "query",
"version": 3
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433",
"type": "eql",
"version": 108
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344",
"type": "query",
"version": 9
}
},
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "0787e6065fa1eb22d7f0b4ae1c97a7da2bd3d32393f320be448e93e2df69dddc",
"type": "query",
"version": 109
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "56bbd2e4cd59a4c2cde86cbbbfcd9e0afc33c8305d71bab718500435d3a78c7e",
"type": "eql",
"version": 112
}
},
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "07df6892a87587ca8babc6706f4c0106779b8517b3fef2294f5eb30ea9491d7b",
"type": "eql",
"version": 313
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "8ec48ccef8861234829d698a6d82615fdf25beacab841fc91cc525636fdf4bd2",
"type": "eql",
"version": 9
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d",
"type": "eql",
"version": 108
}
},
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "86f5fcf575f0f6c1addf031e30cf8e4bf984916f511300021ddd5d036bf4792d",
"type": "eql",
"version": 208
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "98f03ae22b61103956c3dcf4c477d3dd6c5da89a7c24f1e69a4a6f5f96573033",
"type": "eql",
"version": 106
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "7efabb7cc18356aa60fe4c271bef0144b303a454cd4203ec421a5a679a75572e",
"type": "query",
"version": 210
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"rule_name": "Azure Storage Account Key Regenerated",
"sha256": "cacd567d5376f99af90e85da629e9cff9118851b3e35ce7448c89ba66e5c1407",
"type": "query",
"version": 103
},
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Creation of a DNS-Named Record",
"sha256": "4955aaefda636b2420e5116875b69def93dd7fd67397cb2a0322de00b946b0fc",
"type": "eql",
"version": 5
}
},
"rule_name": "Creation of a DNS-Named Record",
"sha256": "601853c2f6f8d5d47352dae612917238325b67762d8659f901e4a21c832d90f1",
"type": "eql",
"version": 105
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39",
"type": "eql",
"version": 6
}
},
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "ff8663b5c757bb323d6d9af69fd2819865654af9bb2de2359009d0cb368ec2a6",
"type": "eql",
"version": 106
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b",
"type": "new_terms",
"version": 204
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"rule_name": "Unusual Sudo Activity",
"sha256": "72276af57d19261776e819edd8d905bd7c5374108d27e9728922200bc839ea34",
"type": "machine_learning",
"version": 105
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 109,
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "021df20053fabc64b24430c7e4bdb3fa187c6f00b27139bffc24759c4e97b817",
"type": "query",
"version": 11
}
},
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "440ef66551ac7e38e741b7fefff772fab1e8807ba1d7129dacdf19a382fd06ad",
"type": "query",
"version": 113
},
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
"rule_name": "AWS Signin Single Factor Console Login with Federated User",
"sha256": "67652ae55e23dcc67c6e395bd4b6354b74840c3c0ef81b0abe48e5f0fda50dc7",
"type": "esql",
"version": 3
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "c0c0dc9d02782e6a4e0945d5a4067d3508deaeed48634ba3aa3bce892de5a9c4",
"type": "eql",
"version": 5
}
},
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "d89337c9d0ba87570647603b26f42ac3171fd6d9640b10b178348bff7117b07e",
"type": "eql",
"version": 105
},
"1fa350e0-0aa2-4055-bf8f-ab8b59233e59": {
"rule_name": "High Number of Egress Network Connections from Unusual Executable",
"sha256": "d9e8a7e51aa77ead7ce1ea1fea343c35fdb7aa4cc92450f6ebad5433afbc53de",
"type": "esql",
"version": 1
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"rule_name": "Unusual Linux User Calling the Metadata Service",
"sha256": "7e9aeb7a0920e68d445b655d2a0b447b01aa117624ddd9e02a8ad4840701900a",
"type": "machine_learning",
"version": 105
},
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "4fefe2cc790c9b5fd8afbd08cfd7bd28ee6f50dffd877ec1400d81c1659bcc36",
"type": "eql",
"version": 114
}
},
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "b8941a4bd23e47360ee8b1a98140c573efad95250ad8e4ff1315da0b83ee3d8f",
"type": "eql",
"version": 214
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "e43231e171e4e726c838f080bb14bcde8a580af0997b0177b568ebdfd462e290",
"type": "query",
"version": 104
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "acfdd598b6015547f15e05e3ee2dd61dec13a52e09ccef1f154e133678cb2e8a",
"type": "eql",
"version": 114
}
},
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "2c8e7933b55726a6bd967fa3c6e4ecaa207c4acd5574f5970995d8bc9b341746",
"type": "eql",
"version": 314
},
"202829f6-0271-4e88-b882-11a655c590d4": {
"rule_name": "Executable Masquerading as Kernel Process",
"sha256": "5349e739a994b977cd138844e8e7e85da55971fb9e45fb3131eb92be33d3f123",
"type": "eql",
"version": 105
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332",
"type": "eql",
"version": 111
}
},
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "4271caa450f1e1e8420eee5f49d3481396358bdee6fa3480756e5ce91adde73a",
"type": "eql",
"version": 311
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "25cdfe21fb209fb7941dd020fbcfbadef29f04aadf5eb0e226efda9c35351231",
"type": "query",
"version": 207
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"rule_name": "Suspicious Web Browser Sensitive File Access",
"sha256": "f2563e3a26b24e637c8ac73d1f8b2c0a4f7fde0d81cde5ee33392c65892d9ccb",
"type": "eql",
"version": 210
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "69246453362e5ca8115d5ebc4d54e31708b17fca42e8f1c3289e2f21e27e0982",
"type": "eql",
"version": 3
}
},
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "99ed70fd9f47a95ed1240f5cc52f747dee59633a0c745c4efa9ab0127865b48c",
"type": "eql",
"version": 203
},
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "c71196cfccc34b4c3d768cc7220422fdaf2d6163c21dc2b1f3c8d1616a87dfb9",
"type": "eql",
"version": 113
}
},
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "72f43c85a5250cea55570cba448f42de38ff7b2fb9730edd8f6a78a7cc05fd4a",
"type": "eql",
"version": 213
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
"type": "query",
"version": 100
},
"210d4430-b371-470e-b879-80b7182aa75e": {
"rule_name": "Mofcomp Activity",
"sha256": "018833f79c00b6d515e06c22cbe67163ed3e39765697b70a83dbba6a933d13e3",
"type": "eql",
"version": 7
},
"2112ecce-cd34-11ef-873f-f661ea17fbcd": {
"rule_name": "SNS Topic Message Publish by Rare User",
"sha256": "ec62c61349b96117c332b5fadac825476aa3265486a5bbb85288ddab4964f423",
"type": "new_terms",
"version": 1
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"rule_name": "Potential Reverse Shell via Child",
"sha256": "0f97f4ad5936052c4dd01aa0c3132de5f06f7a36be6192e1714f2732da113bc2",
"type": "eql",
"version": 5
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
"sha256": "83511d6659289dc4e5a568143d268908603bf739947cd0d971cfb051a85451b7",
"type": "new_terms",
"version": 7
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "39e75f704730200ba6057b7687a63159e2080003d55f8b8e6217740e487ab59e",
"type": "eql",
"version": 9
}
},
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "7d93d723489d1f6a59e139b58489ea66daaaa5a601a1f03527f4e18f249bd3ac",
"type": "eql",
"version": 109
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "3305c5a0f15096a7bb8b0818b40de617448029c1e701c89f35a611f31ddd9f0d",
"type": "new_terms",
"version": 207
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"rule_name": "SUNBURST Command and Control Activity",
"sha256": "8f0663314dfece6334c90619e9b9e2f5cee01e01b4768df72c1577b166910b24",
"type": "eql",
"version": 109
},
"227dc608-e558-43d9-b521-150772250bae": {
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "739bcd7a637855f9186eb263bcd8107c93d83f7790c1ea4fab07b69046503e46",
"type": "query",
"version": 208
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"rule_name": "Potential Shell via Web Server",
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
"type": "query",
"version": 105
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"rule_name": "GCP Storage Bucket Permissions Modification",
"sha256": "496ed866c8272f94c11bfa2277bde15dbfa2efe47873a8ddbcbbe832eb805693",
"type": "query",
"version": 105
},
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"rule_name": "Kernel Module Load via insmod",
"sha256": "f32774ffb6275cc6e21892bde0346fec8649a7b12e62823bc9c28ecb5f7291b4",
"type": "eql",
"version": 212
},
"2377946d-0f01-4957-8812-6878985f515d": {
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
"sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4",
"type": "eql",
"version": 2
},
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
"sha256": "6206107d6e66665a64ef46d0bcd7102570f88e6977651000f2609ad3cc6e8b4d",
"type": "new_terms",
"version": 4
},
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47",
"type": "esql",
"version": 4
},
"8.14": {
"max_allowable_version": 202,
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47",
"type": "esql",
"version": 104
}
},
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47",
"type": "esql",
"version": 204
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"rule_name": "New GitHub Owner Added",
"sha256": "a2e44a9352982f9a7fab91d7a6c0ed56fa52f09663f20c41c246407f643bb81a",
"type": "eql",
"version": 207
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "9a03061d1c7d42331e54fa8c990602900d110a67d95d1245e44eae86e42cdc90",
"type": "eql",
"version": 110
}
},
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "77d41e72a8e9b4a7bbb7fab3c40167833d4e87d06b28d8e465774750ef5104b5",
"type": "eql",
"version": 310
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "099be59655d3f1d35382b882049816c2c0570633f5d119e1ae6285bf5d5a901c",
"type": "query",
"version": 5
}
},
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "75e4844865ebef904a98f31b4021a2423b98a9e56a10e931089cea0ea3821cc7",
"type": "query",
"version": 105
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "5539b5852223d4f71fb0ca5aca8622d8933016111d08f98d0bed0b9f804ddf7e",
"type": "eql",
"version": 106
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"rule_name": "Network Activity Detected via Kworker",
"sha256": "74fc51f05798d86c079a4db56ebd754908e541d5391fb639a014358bf4da50f8",
"type": "new_terms",
"version": 7
},
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
"sha256": "299b97cbda715b5eeabc7800ef5fbdd230b83acfb8b38ff4d6c1f1e231fe8185",
"type": "query",
"version": 2
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935",
"type": "query",
"version": 6
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935",
"type": "query",
"version": 107
}
},
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "3686340ff7f23094109815bb3ff499c3c9d5feb46b8ca8bf9dcc9059d295a28e",
"type": "query",
"version": 207
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "5ac2632c3e48650d883c521af7ddf3ee85933ed2b90dbb2a8785db3e62378ad5",
"type": "eql",
"version": 8
},
"263481c8-1e9b-492e-912d-d1760707f810": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Potential Relay Attack against a Domain Controller",
"sha256": "54a0ad6f86ecdf068b1aae65f14d158a4f15e61b09a082762d2bd3413455bd6d",
"type": "eql",
"version": 4
}
},
"rule_name": "Potential Relay Attack against a Domain Controller",
"sha256": "2985960617b321f48dd8601a1a8803bca75bb670250579ab023076cccb62abbd",
"type": "eql",
"version": 105
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"rule_name": "Azure Blob Container Access Level Modification",
"sha256": "9c1500534b794aa60add9daf3da3805ce5f70b117a900faf565c911764fdc73d",
"type": "query",
"version": 103
},
"264c641e-c202-11ef-993e-f661ea17fbce": {
"rule_name": "AWS EC2 Deprecated AMI Discovery",
"sha256": "8b8ce9fd3c322d65ab9459337f4a67256c7d08be0426c6825699f4fcc4ca4659",
"type": "query",
"version": 2
},
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "4cb0180da3ef6e0e18bd152032578629a162d39c81b679998254e1e96d7a7a1e",
"type": "eql",
"version": 112
}
},
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "8a1961e72e2bd40e50a0aa2d9798a0fddb3d6b24b4c0d0272eacefc88d9bb15c",
"type": "eql",
"version": 314
},
"266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": {
"rule_name": "Unusual High Denied Topic Blocks Detected",
"sha256": "fe10ea745cf3203f237c4b8a40c63e9cb9d364c796bf52a2377425c3bd013171",
"type": "esql",
"version": 2
},
"267dace3-a4de-4c94-a7b5-dd6c0f5482e5": {
"rule_name": "Successful SSH Authentication from Unusual SSH Public Key",
"sha256": "57a89e53c08841ce4215ee3302b31a874353bbf9ea14737e9788165df500f4d0",
"type": "new_terms",
"version": 1
},
"26a726d7-126e-4267-b43d-e9a70bfdee1e": {
"rule_name": "Potential Defense Evasion via Doas",
"sha256": "aeeb4b372fbfd18ee0dfa78606413a606d6bc8e7bee480b01504cbe103fe8006",
"type": "eql",
"version": 102
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "bfaf73bd5525893100c9a0593503ec5113aa3f61db2953a685aebf429b142390",
"type": "eql",
"version": 8
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
"sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7",
"type": "query",
"version": 105
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59",
"type": "esql",
"version": 312
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95",
"type": "query",
"version": 6
}
},
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "7968dcf6597d447a945c7445f46e60b9c60182148cddf51f04392d3a1650b46e",
"type": "query",
"version": 209
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "0940ad2254d8e550d0c01bf6a647edcd02990c8bbae6b9ca4b17522ae43f803d",
"type": "eql",
"version": 107
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "45a1f7ed44be930e88471db5a5342a95b57a72bc185ba59c55fe89e7400fc69f",
"type": "query",
"version": 207
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "21c8229d021bc8b4ae787107ff45217ab56d52e249857ff17e0a4f51ef3c7f85",
"type": "eql",
"version": 110
}
},
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "5a0f9b9a7ffefc4f2658c7b3637872e4beedb55b3e26d5cc76e3bf45f89cba0c",
"type": "eql",
"version": 210
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"rule_name": "GCP Firewall Rule Modification",
"sha256": "56e2aa8538cb1bfc6628887e820d427e37754644260ff65a94d8b2cd6ea08aa2",
"type": "query",
"version": 105
},
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "72cefcbe9406dd477e621a600dab722c48420a443a88f1fe2afb43a0cf62af8e",
"type": "query",
"version": 207
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 215,
"rule_name": "Account Password Reset Remotely",
"sha256": "fb5aa2394d8110f0ee46049a6b1ecea7a58a015560ea9e83bc0a7189668b9a9e",
"type": "eql",
"version": 118
}
},
"rule_name": "Account Password Reset Remotely",
"sha256": "137bd2d87af18453725653508901c2d8ad9bbb67598c3aab9cb61849bdd9e991",
"type": "eql",
"version": 218
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
"sha256": "138552f6df8aee3e8ab2164631ef74888c7d0297c012bbd6ac9ea1c1a37ecc46",
"type": "esql",
"version": 3
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
"type": "eql",
"version": 111
}
},
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "2b775cfcd03f8ddcaab836d20fc03e2cd95cd89e3e8e729f6f6ea92f1e16bca4",
"type": "eql",
"version": 211
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "c5975ef9ab2cb8b6055ad6bcc0d785f845ed553b7efe8c2791515b7f349e860c",
"type": "query",
"version": 104
},
"28738f9f-7427-4d23-bc69-756708b5f624": {
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67",
"type": "eql",
"version": 8
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
"type": "eql",
"version": 100
},
"288a198e-9b9b-11ef-a0a8-f661ea17fbcd": {
"rule_name": "AWS STS Role Assumption by User",
"sha256": "953a7ce35bfed2b2ce4beb94c883fdfa3e7d04f037d8ffa09fefc2a054676072",
"type": "new_terms",
"version": 2
},
"28bc620d-b2f7-4132-b372-f77953881d05": {
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
"sha256": "ae10c2c01b91c5fc780ab3a9bbbfbc1435107aaee26f7bc8fec595151488c706",
"type": "eql",
"version": 4
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "84fc475479d15e3bc80b09e99dfac0c0b49c2a5edcfc3219f1ab09100b7d1555",
"type": "eql",
"version": 108
},
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
"min_stack_version": "8.16",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "6ace4761c9708044d26fcf7337460b8479b0c47a4aad784406a4831f875a8ea1",
"type": "eql",
"version": 6
}
},
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "797faad25f8c06e7e0d08b4a64fc573c931a70e7298ba5e64dc73d3a765a59c6",
"type": "eql",
"version": 107
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Creation or Modification",
"sha256": "871b644ecad8dbcc497878dc7e8709971fb1b44536be0fa5cd97cfb75cec1082",
"type": "eql",
"version": 6
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS EC2 Security Group Configuration Change",
"sha256": "3094fc894dfd934d136e44472bb85b39b667d39ae1af5bbdecb0def1e9ee08b3",
"type": "query",
"version": 208
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "d0e818d0f2ad9ea6d298e000b8823c6f9fae9d4ba58fd7d4a769d192a825bb7d",
"type": "eql",
"version": 116
}
},
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "89b1b7dceaff3f36997ec337f2d8cef3fe495d208678da2825e4ed3ce0e5ea3e",
"type": "eql",
"version": 317
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "28c64115f2234bf5d1fecf8825b0c7f3345d8785463039b6e20726ad83f4fae9",
"type": "eql",
"version": 113
}
},
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "69c08ef4a5f787e70fccfd3ec58af92bb9dc8c37e8c0371220c0a70bf79f5b7f",
"type": "eql",
"version": 417
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 310,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "74bf38098dbce95a0c1c95412e8fba9a3f5532a02c1838b1198a971eed59d253",
"type": "new_terms",
"version": 214
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "f4a3fd4093cb4ee803a7b1fde1a972683e35233b3065923dc59ac148914fd788",
"type": "new_terms",
"version": 417
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd",
"type": "query",
"version": 5
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd",
"type": "query",
"version": 106
}
},
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "020aa41dcdc659d6c9cf5c0619429e17fc67a4ed3a229e63c3e2aa82ca64dc59",
"type": "query",
"version": 206
},
"29ef5686-9b93-433e-91b5-683911094698": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
"sha256": "cb837753dc5b1e38c537d26af1c4c7ce8ac7211509bf369afa0654a9045f21e4",
"type": "new_terms",
"version": 2
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"rule_name": "Linux SSH X11 Forwarding",
"sha256": "2b3d08f13e7043638c0bb3415d9ada4726d3dd2aa56b93a318ed3b135d0723d2",
"type": "eql",
"version": 106
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "842f9893108098c4b68db05cfdc942016d86cd6880aad8c93c94aca02133b0e5",
"type": "eql",
"version": 9
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "9ed50af9932a336e33eacff970ebcb3d99c94830b55744d32565828d68c683cc",
"type": "query",
"version": 205
},
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"rule_name": "ESXI Discovery via Grep",
"sha256": "8a0b201a019a813afef3eb6ad8931c76409acb49bfb1000a7e441fab4f19f9ba",
"type": "eql",
"version": 109
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Adobe Hijack Persistence",
"sha256": "c39267858935a1708b5485ab0f15d8fec3c65af74dda3eabe1a645357b6ff54c",
"type": "eql",
"version": 114
}
},
"rule_name": "Adobe Hijack Persistence",
"sha256": "e7b371bc3cb56880f4b66c8f8fe941a3dc804cf4d7a909203eb1aac36b2eb4e8",
"type": "eql",
"version": 415
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "fda9500da0b3d309b22466c14a3b99bc7b486e029d19035500b51c712c4d337d",
"type": "eql",
"version": 113
}
},
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "e69123e81346af8a6014260f65776c0326786a0019351371eba62067fb23d7e9",
"type": "eql",
"version": 314
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "19459360acfaabbee9191b0bffc67924d652582ec4b24d908ab43e31ed2baf8f",
"type": "eql",
"version": 111
}
},
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "ed9cc4c9d37caa1424d72d1771b8aaa477eee67588db0cf67131757668706a64",
"type": "eql",
"version": 211
},
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Potential Foxmail Exploitation",
"sha256": "fa4198db44ca8125dc5157ed58f08cb85ded4ed4fdd90a197bd108a4788e7bb9",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential Foxmail Exploitation",
"sha256": "91d807d619d392937f23f7570110f1a16024dea7638053710bbe2c380ba68794",
"type": "eql",
"version": 204
},
"2d62889e-e758-4c5e-b57e-c735914ee32a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Suspicious PowerShell Execution via Windows Scripts",
"sha256": "da7b8fc9196d2268f214a0e688fb4743c4aaac83e91d448cac7edb41ecb0cc4d",
"type": "eql",
"version": 3
}
},
"rule_name": "Command and Scripting Interpreter via Windows Scripts",
"sha256": "3ddbfa8f343a66c1a88ceece0f1578b6413e48d8e9866070c72412b45e29c6d3",
"type": "eql",
"version": 203
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
"sha256": "52c116a646055bd0157cedd2d9977b1582266b6dd9b8f6d1911d2e72232ae161",
"type": "new_terms",
"version": 211
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 310,
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "6f9f6d3a9b1c3c10ee6f372c529e3043cf57abbe70e819991e61b39bd48cfac8",
"type": "eql",
"version": 212
}
},
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "9f2195a1ff14af308fa971db89cf85114f85149da9fab3f43237cc3cbb0a5bd6",
"type": "eql",
"version": 312
},
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
"sha256": "cd015724526c5fd95611fd542dcd3bf3ae7cf0f17b78feaf63025db570b62459",
"type": "eql",
"version": 105
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "8df93c4d2e8d8e22dc9b2519c322833798fd0dd6e0179688ad46849263b97038",
"type": "threshold",
"version": 208
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "a2a8c353c9789286a12acad9ac5ef3f78e625e7f76155b7f8fabe49323aa8e5c",
"type": "eql",
"version": 11
}
},
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "8791e7fb1a6be5e42e542ffbff43107f655cb9129d6d372da900d9d185d90c16",
"type": "eql",
"version": 212
},
"2e0051cb-51f8-492f-9d90-174e16b5e96b": {
"min_stack_version": "8.14",
"rule_name": "Potential File Transfer via Curl for Windows",
"sha256": "a4dac855d53d9474f8e5110cd803cc954889544153b5054d8a1d6efef103d335",
"type": "eql",
"version": 2
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "3f92ade9c8cf46297f9846194909bde8477311035bce84de538a59154fab0a08",
"type": "eql",
"version": 112
}
},
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "ba2643e57a281cd68d1f699d40aa824bffb36faa4b50d6ee43eafdc67fbf0942",
"type": "eql",
"version": 212
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029",
"type": "query",
"version": 113
}
},
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "7e0cc4f4c58256634c207a3b45ff788e4f9970f7e0b9436f55f186c002437855",
"type": "query",
"version": 213
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Accessing Outlook Data Files",
"sha256": "e16b755ef96474eeeb8efab6ae108f1e9420b53cd1d79d3e822dc3215788f7a9",
"type": "eql",
"version": 6
}
},
"rule_name": "Accessing Outlook Data Files",
"sha256": "37fe2693dac2a707118e828ab9b2e21018b8028366804f4304ff2122f53d546b",
"type": "eql",
"version": 106
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "154a54c158e1072b12c8c12e5c0b1a4efd33eeb055cc0a97dfbce0af0e73dc48",
"type": "threshold",
"version": 2
},
"8.14": {
"max_allowable_version": 302,
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66",
"type": "esql",
"version": 204
}
},
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66",
"type": "esql",
"version": 304
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "33aca0b923a70f6be45450125434d1f43b00df2f2b4c53db570c103caff35644",
"type": "query",
"version": 105
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478",
"type": "eql",
"version": 111
}
},
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "19b7467f53896db1e8c5f00dde89e1ac429dc7e8125d433e5c4aac81a6f41de2",
"type": "eql",
"version": 311
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
"type": "query",
"version": 101
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652",
"type": "query",
"version": 112
}
},
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "f30a726cc8233f0fd47f045cc06753a16529142e73e25f7f2f0a62d4321894c8",
"type": "query",
"version": 212
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "64eabeec581d6804bbb7ed7f4fd9a7792413294be3c0f6b2045dd0e0fe5d0c09",
"type": "eql",
"version": 212
},
"2f95540c-923e-4f57-9dae-de30169c68b9": {
"rule_name": "Suspicious /proc/maps Discovery",
"sha256": "6e7e3a5b5658ebe94a6acbd227efca852aa9553c7e58a257f13b2e46c357055c",
"type": "eql",
"version": 4
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "12a39f6d9969db63436c1a00acca99e9add307c1cd5027f78b8845251fab148b",
"type": "eql",
"version": 110
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 214,
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b",
"type": "eql",
"version": 115
}
},
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "2fc498a71ba2f88f7d63796eca1ee83dbe34d62673590eba2f4b869845a5cb02",
"type": "eql",
"version": 215
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"rule_name": "Malicious Remote File Creation",
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"rule_name": "GCP Firewall Rule Creation",
"sha256": "bdc8c042341275de2dda2fbb2cfe8352f8fef57e17ade3f9a6a0f4a2f34f6f7b",
"type": "query",
"version": 105
},
"30b5bb96-c7db-492c-80e9-1eab00db580b": {
"rule_name": "AWS S3 Object Versioning Suspended",
"sha256": "501b384fc62d0114e489f893db676c77a67a7de686ed549cc96d28110a216431",
"type": "eql",
"version": 3
},
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "9f0737cd4b53c31a9412db6fe279689258d74cd0462413dbf350f2a1f520f5b9",
"type": "eql",
"version": 110
},
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
"rule_name": "Network Connection via Sudo Binary",
"sha256": "a497b8c3ad9c185407effba08b476ec636ae48f34d72a78ebe4c33554301e425",
"type": "eql",
"version": 5
},
"30fbf4db-c502-4e68-a239-2e99af0f70da": {
"rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
"sha256": "fde6148916cb146e840e4017c597cb865ed148dd9eb6ad32b27f527b18e30866",
"type": "new_terms",
"version": 4
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "7cec198919a09236965c3fdfd4b59f77b7f52143b5764447161b1098935d2ee3",
"type": "query",
"version": 103
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "ee23f22e47ceddb6e8677a346d2b5a4af9d9f5da170c238a64f5c8851cb61903",
"type": "query",
"version": 105
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "26c302e48a82a4c71b95bbacfe998d079412e39f679f834e69fae5d875669849",
"type": "eql",
"version": 116
}
},
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "79da03cd16b3fe390ba1bcbf7210a4e75e1160924c4eaa555b1886746c2b8e38",
"type": "eql",
"version": 317
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "5f12891f87725569f26f55d846990b172e4b083945291b524995a0c2b39d1f88",
"type": "query",
"version": 105
},
"3216949c-9300-4c53-b57a-221e364c6457": {
"rule_name": "Unusual High Word Policy Blocks Detected",
"sha256": "fbc24d43876fb187d170bf7067f200bfc4a9dc9315138429cf73dd99f867b8ba",
"type": "esql",
"version": 2
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "81b1ef2dce9bdf05c543f720116a273b1b28f4fcc5f3f06993027b6c522d1613",
"type": "eql",
"version": 5
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"rule_name": "Azure Network Watcher Deletion",
"sha256": "4361eedfbd069e79f89dc6fc2cb69959fa012d9333bb12fa3a7a48bdc1956047",
"type": "query",
"version": 103
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "4225710e2f58d4c9a39ab24e6e05d1553387f3bd659ccf97398b490b820df50b",
"type": "query",
"version": 105
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Program Files Directory Masquerading",
"sha256": "606536c8d6bfe0e947e3e259b6e852bc054d4d698047726f4d5c75b729bf55e1",
"type": "eql",
"version": 114
}
},
"rule_name": "Program Files Directory Masquerading",
"sha256": "16bc5626deef5e54395b10b7f90e3c0e85fffdc658d81ccd2d12a5cc6e59d03d",
"type": "eql",
"version": 314
},
"32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": {
"rule_name": "Microsoft 365 Portal Login from Rare Location",
"sha256": "c839af879a5c765f5e319641da93e5418ac234abdb825d1d9f1df9d746f9e2e2",
"type": "new_terms",
"version": 3
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "0c5ba486bee0cc0f0fe8315f14137e5a0062539cbb92e1a748fe09f9371887c7",
"type": "eql",
"version": 113
}
},
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "b1e1ffa2ffa385597f3e15523743b90d7750dbd78db3790213585db3f9c79dc3",
"type": "eql",
"version": 417
},
"3302835b-0049-4004-a325-660b1fba1f67": {
"rule_name": "Directory Creation in /bin directory",
"sha256": "bb642177d5cb1e1bc0f9a0c4cf899a157c7980be76dc66f26d4ba3d13f82b8d6",
"type": "eql",
"version": 103
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
"sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46",
"type": "query",
"version": 209
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"rule_name": "ESXI Discovery via Find",
"sha256": "ca86b5108a30b8e67c15162b0055562e937ab308d0406d129bc9ad4e2148f2e4",
"type": "eql",
"version": 109
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"rule_name": "Remote File Download via PowerShell",
"sha256": "2d6cac53a7d7baf61d489765382f2b2d431be53f846101569f7e49a35e59df98",
"type": "eql",
"version": 111
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container",
"sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6",
"type": "eql",
"version": 3
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"rule_name": "GitHub Repository Deleted",
"sha256": "680ea8566ca2b5e114053f331458450f3a9fdbdcda67246619a56e3304d7d4bb",
"type": "eql",
"version": 204
},
"349276c0-5fcf-11ef-b1a9-f661ea17fbce": {
"rule_name": "AWS CLI Command with Custom Endpoint URL",
"sha256": "0d6e63fdb711a79ed9a8236fbfa447b8dd9cd9c750fe206e4f69d544b4cb7127",
"type": "new_terms",
"version": 2
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "a93607d49470b41ab526136a54c50d0d65923b7af46008f570ecf780090ff342",
"type": "query",
"version": 107
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "93108f6db43019bf85a026b0e1a0283d1387d43696c8cbff0338ade95de87373",
"type": "query",
"version": 107
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d",
"type": "eql",
"version": 111
}
},
"rule_name": "Port Forwarding Rule Addition",
"sha256": "1cc79e2c4f68e45ffdf9e7e58a3a627ca8fd4f5577008f4af3b2e0cc353dcd19",
"type": "eql",
"version": 413
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "b78351582a7ddf68ad29828252540753accedab11361b21c3cb3cfdcd7ea6da0",
"type": "machine_learning",
"version": 5
},
"35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
"rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts",
"sha256": "3f28423faced2b8aa0493681362683f095c9464aa5ecb67465ac44f2694aefc3",
"type": "esql",
"version": 3
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "d1997aecd63bdf78d6a33f57d17ebd466ad6d7b59bc5c9eec9d99fa339cc883b",
"type": "eql",
"version": 115
}
},
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "63739523a9c101ce0f6304534a8a20f2b7177870efdfb4f8342beec9b6d01ca9",
"type": "eql",
"version": 316
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "cb3f4e2e92eeffed4bd1250dcc2811b1e4ee69877e3d14a107578a5b0d10fe24",
"type": "machine_learning",
"version": 105
},
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
"type": "eql",
"version": 100
},
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "f8a2d53db2c5e3651899228d2e535106845b0cdfa6f926feab75424975c566f9",
"type": "eql",
"version": 112
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "e0de6aabadb9b3edc0355ae72df8fa446a91a842ef12b8ef6ec687e906c931f5",
"type": "eql",
"version": 111
}
},
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "3cfd44cb623fa5f87fb2bc4b70fb4825b8c30cc422f5ca4959f8affa6a59c239",
"type": "eql",
"version": 310
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "0375f50891da2c560d538d9af682bf73815c0e8097191a66c4b7ad3d2d9f85a0",
"type": "machine_learning",
"version": 5
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"rule_name": "Potential Suspicious File Edit",
"sha256": "31e966ef88fd66e843c9134cfc92578f0c0ef1ff0b8af97d7c96049d2a31ef5b",
"type": "eql",
"version": 107
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"rule_name": "AWS RDS Security Group Creation",
"sha256": "2d9a2d2805620d5537bdc598986669726205be63bf72fd472e586860559f3c15",
"type": "query",
"version": 207
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"rule_name": "Azure Active Directory High Risk Sign-in",
"sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a",
"type": "query",
"version": 105
},
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
"rule_name": "Anomalous Kernel Module Activity",
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
"type": "machine_learning",
"version": 100
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"rule_name": "AWS SSM `SendCommand` Execution by Rare User",
"sha256": "713fd8c17945bb80c3b98f60f14f907c30c2a333641b4671b9a0c3ff0c5618f4",
"type": "new_terms",
"version": 211
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "07c83ef04668d1bdbd5e1cdf83b4d25f717a72d4984f78fbb7bf40d3c9973386",
"type": "eql",
"version": 208
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 309,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8",
"type": "query",
"version": 211
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8",
"type": "query",
"version": 312
}
},
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "335b721089e14060d49efd5a24e91c1234579d86f289c8e2d55a68f139685424",
"type": "query",
"version": 412
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 214,
"rule_name": "Network Connection via Certutil",
"sha256": "3f6234c8ab1d36fc0aee41b20d47c226fdddafbf988fd7a990edd1967bb6c123",
"type": "eql",
"version": 116
}
},
"rule_name": "Network Connection via Certutil",
"sha256": "ee7de9f4e8ab3c5761b6312c919095c5cf492a9db5a0723c83799fc34b584f5e",
"type": "eql",
"version": 216
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "747ae073e6f03ec1932651971bc68d7027e59a836270303d10e85ed668e15563",
"type": "eql",
"version": 210
},
"3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
"rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations",
"sha256": "0300fec34ca31a5cea787eaded914a17bc72892cce35401a358a0cc6aa49fb1e",
"type": "threshold",
"version": 3
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"rule_name": "User Added as Owner for Azure Service Principal",
"sha256": "c794cb33079d83fd0ff1a98396f73fc84073e6498982afb0f9bc08d82db37dea",
"type": "query",
"version": 103
},
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
"rule_name": "External User Added to Google Workspace Group",
"sha256": "c3493126c9accd6f626f2aa40ab74be96a664b87ceabce37843cf4e29b8414bc",
"type": "eql",
"version": 3
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "60c301aadbc57095fbb764f310effa2a4d569269d7b1baa6f08adde2b312328c",
"type": "query",
"version": 207
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"rule_name": "Downloaded Shortcut Files",
"sha256": "6c9bc695426f3a54fae927672294c7f2717d5cad3fcbfb5f08b482c14ca8939b",
"type": "eql",
"version": 4
},
"393ef120-63d1-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
"sha256": "3baef76c046e4ec7eefef4ea4afd2a3ab5e3087df2e8501087fcd54235a0ea2c",
"type": "esql",
"version": 4
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "b4336a223059e535a011019a1195afac85891381ddf49844a802db5e2b477d60",
"type": "eql",
"version": 108
}
},
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "e8b70f2aab1ae0ee6ed818eb7bb5e7feb7fb75ac124680f6f0e9e79ae7395e46",
"type": "eql",
"version": 308
},
"39c06367-b700-4380-848a-cab06e7afede": {
"rule_name": "Systemd Generator Created",
"sha256": "e121d39bd55b1f521c46bde65369f4dc594bf36659e4f5ccc0716bc3a1179e46",
"type": "eql",
"version": 4
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "fc1b169b413a359de4934f4cdf8bca79458b0cd5efd1a93bba0b8a05aba10b7d",
"type": "eql",
"version": 112
}
},
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "b6849461e18e497a4263083d82b749167b7e60058fe7cf9b90db792dfedbc744",
"type": "eql",
"version": 312
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "e01f62982334437f828c2aa0c07b8867b2b9811b190a82c5b871d1f47226447d",
"type": "eql",
"version": 10
},
"3a657da0-1df2-11ef-a327-f661ea17fbcc": {
"rule_name": "Rapid7 Threat Command CVEs Correlation",
"sha256": "eea438035c9adcd9486112d776374a2097e248b2311e73e0feb0d239e6507a7c",
"type": "threat_match",
"version": 104
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
"type": "query",
"version": 100
},
"3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": {
"min_stack_version": "8.14",
"rule_name": "WDAC Policy File by an Unusual Process",
"sha256": "640dfc022ddd5eeadf5bb3e60d197db1c475d8e6f2e672c0eb61b1c5390c98b8",
"type": "eql",
"version": 1
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "32d8adf51c1b7880e73d4cdb4e6b9e4a748807c35a66aea5866abec659490bd6",
"type": "query",
"version": 106
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"rule_name": "Azure Full Network Packet Capture Detected",
"sha256": "136ba855c996285fe602c5a751d85e4d5597adabab876c0840fb892207d97fb7",
"type": "query",
"version": 104
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54",
"type": "new_terms",
"version": 204
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "f47e578ad81a99ac6ee1bd6045dddbe2ded14cc8f273b02f0f64ab04824557de",
"type": "query",
"version": 104
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "9bd527185ec4c38596e49c3a7ad276daa080ef3cf609a464de4f59e21fc1080d",
"type": "eql",
"version": 112
}
},
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "ae201f63b498ee9be3fb10b20daa1fefbe924dae1f8f7aecdfa986d172ae93e1",
"type": "eql",
"version": 414
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "e7e2e6f51e3b146d38491ba00f4d5be16be218fd4df4c1722005f294e0748e60",
"type": "eql",
"version": 116
}
},
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "14fa291c0e479222e6175385f35702531994795946c66295ddec4f95b50845db",
"type": "eql",
"version": 317
},
"3c216ace-2633-4911-9aac-b61d4dc320e8": {
"rule_name": "SSH Authorized Keys File Deletion",
"sha256": "6a7e18a2fabb5285a089765d9d4c16de1592997eecb27bac79bf2be84bbd55d3",
"type": "eql",
"version": 1
},
"3c3f65b8-e8b4-11ef-9511-f661ea17fbce": {
"rule_name": "AWS SNS Topic Created by Rare User",
"sha256": "c43f75e8638f5a0adbbaa3444549c88d148284a440eada3b2984073e0d6a5f24",
"type": "new_terms",
"version": 1
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"rule_name": "Unusual Linux Network Port Activity",
"sha256": "c64036bdf9d9943178534e62dec4700829eb822cd497d08d1ac1d8f838d9d342",
"type": "machine_learning",
"version": 105
},
"3c9f7901-01d8-465d-8dc0-5d46671035fa": {
"rule_name": "Kernel Seeking Activity",
"sha256": "83cd6048f2f8d9427ced895179a1e5738b897021229fdedc39298f70b8fd527e",
"type": "eql",
"version": 3
},
"3ca81a95-d5af-4b77-b0ad-b02bc746f640": {
"rule_name": "Unusual Pkexec Execution",
"sha256": "72cce527b0f0efd2f300fcd93f1c0273b4fd5476d6771008722109e0923882a1",
"type": "new_terms",
"version": 103
},
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "9a8b7d4f395146c067ba15784a025d26856d4595658268dfb01fcc8117120808",
"type": "eql",
"version": 5
}
},
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "7537070f3775a1dff89d78c8ef5ae633d97e6cd0a32180d83b000540270ab29c",
"type": "eql",
"version": 205
},
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972",
"type": "query",
"version": 6
}
},
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "3eb8a1947715938780e819d71334fd11a170328f2310ffc13b69fc69fdf047fb",
"type": "query",
"version": 208
},
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
"rule_name": "AWS SNS Email Subscription by Rare User",
"sha256": "751ec873aa2cdd759af5f845488173565785844485becbea7a597d5e5b5586bc",
"type": "new_terms",
"version": 3
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262",
"type": "query",
"version": 209
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "0c33ca9283c1c2552060c3b5000ec87d338048cd715f4e7be2d3fdefe8a28fc0",
"type": "machine_learning",
"version": 5
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "179cea119143b4ac449008db8f5bce05e743da299c57ecb9c2599d4ad223cefe",
"type": "eql",
"version": 9
}
},
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "c7ce8b4413d99ed660c419bd822448ecdb2bb29f85095afc3954b5b698f0510e",
"type": "eql",
"version": 208
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"rule_name": "Kernel Driver Load",
"sha256": "383925a7469fa24f12272515f90f29aa907b908a1f8cec676765b5c5cc5155d3",
"type": "eql",
"version": 5
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"rule_name": "Suspicious Emond Child Process",
"sha256": "cc6f26cacff5fe4dacddeb8cb12eb8a140c4db55aed0d450c18d7175dab3f260",
"type": "eql",
"version": 109
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "66d3c7048c18aeeae2d032d26dcdc294b41eb32679eb445839815f7fcf66e4a8",
"type": "eql",
"version": 4
},
"3e528511-7316-4a6e-83da-61b5f1c07fd4": {
"rule_name": "Remote File Creation in World Writeable Directory",
"sha256": "36213518f2d51d0a8ca479b72244b5e7b65ac993cf744418fe69792d88c2f825",
"type": "eql",
"version": 1
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "abfd83fc5f72d9b12cc92cb190d7f4e9f759d7e1b048db54399447345f56c2f1",
"type": "eql",
"version": 113
}
},
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "1468f7e6e831e3af972a832a3504553bafb48b5b69afdfa59403fbbc96d1ad85",
"type": "eql",
"version": 314
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927",
"type": "eql",
"version": 208
}
},
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "be4f79a2a38ca61332f643c365ce4e3776f3ff9a73f6887ef1aa6d67d5153a22",
"type": "eql",
"version": 308
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f",
"type": "threshold",
"version": 208
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"rule_name": "CyberArk Privileged Access Security Error",
"sha256": "1a8ce0d911498f3340f7c6af2471615c1614881de45680175490600cd63fdad1",
"type": "query",
"version": 103
},
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "1d1f416f81da795677d9450e9bca8918c099440231a9d8129ff100cca36e03c3",
"type": "eql",
"version": 8
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "ac26f5075bc208ba1b094437f5908ca1879c9b0bd6c5ba6a85a2de0e3dee8f17",
"type": "eql",
"version": 112
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"rule_name": "Process Discovery via Built-In Applications",
"sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07",
"type": "eql",
"version": 3
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "19b368441d2d3df9e36cec3f78601af029ba7a4ad96080e8a8a260e0062e4014",
"type": "machine_learning",
"version": 5
},
"3f7bd5ac-9711-44b4-82c1-fa246d829f15": {
"min_stack_version": "8.14",
"rule_name": "Command Execution via ForFiles",
"sha256": "30f1410a357c558927f5cce5f2d9674c0e66b3fcd0ccdfed460da52ae466ff4a",
"type": "eql",
"version": 2
},
"3fac01b2-b811-11ef-b25b-f661ea17fbce": {
"rule_name": "Azure Entra MFA TOTP Brute Force Attempts",
"sha256": "096663ac4f2f65728b65859267b7a5df52cae07f45541fc4df53d7d2c0162a1c",
"type": "esql",
"version": 2
},
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
"rule_name": "DNF Package Manager Plugin File Creation",
"sha256": "9720e2ceb0deb64ad3773f7fb220ced4722d2586e68fffe60616480b49faf4c5",
"type": "eql",
"version": 104
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a User",
"sha256": "224877a0c6c75c03df527910da6a040b10e978b5277a900b3a5ebd606e5dcebc",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Unusual Process Spawned by a User",
"sha256": "c26260d1977bf5bdca1f886c44ec9eb78f3a2a3f006f7c578474c60debadf653",
"type": "machine_learning",
"version": 108
},
"4021e78d-5293-48d3-adee-a70fa4c18fab": {
"rule_name": "Potential Azure OpenAI Model Theft",
"sha256": "30578c829bb5b7d12461cb21a6ff53be883d722a8abb7fd76096995c7d54f268",
"type": "esql",
"version": 1
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"rule_name": "GitHub User Blocked From Organization",
"sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e",
"type": "eql",
"version": 204
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "f1c3d405ae61b94497a8a3b5ee7ad7b72dcadfec716c42f2975f6e18b624ec88",
"type": "eql",
"version": 112
}
},
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "5e43f778807201218a8a3cd2b8d33600b9cad394bf1d10a1a6a2bb8219170ffe",
"type": "eql",
"version": 311
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"rule_name": "Suspicious Modprobe File Event",
"sha256": "d4f1d5fc1a70a2e0a60cefc3b2923c55452347f28b90e20a3625f397c32db48c",
"type": "new_terms",
"version": 108
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"rule_name": "Unix Socket Connection",
"sha256": "2352b712067a95cbd788c45281d87669b418cd69b48f3cb97e10284c5d8b2777",
"type": "eql",
"version": 106
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "78c5895b416222839fc4b6839d36612b1a0f0e27a9024d52f91607da235123e1",
"type": "eql",
"version": 114
}
},
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "311c4b3abd771bf6dbbf76f79d3b9fa882b6979c0298c1d842b6c8a780fa4117",
"type": "eql",
"version": 315
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952",
"type": "new_terms",
"version": 204
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"rule_name": "EggShell Backdoor Execution",
"sha256": "f97c48740ffa8df05329c651c9620651fc36b543d6cdf582bec60f4945539c70",
"type": "query",
"version": 104
},
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
"rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
"sha256": "f5901faceadcddad30aa0d48e7489446e561374f349a4bacaf544f9c5c418f6c",
"type": "esql",
"version": 4
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "777ea9757b7d3052124e6cc8d8748e0f0b03cc82e8c82535853132c99389a688",
"type": "query",
"version": 107
},
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
"rule_name": "Deprecated - Mount Launched Inside a Privileged Container",
"sha256": "9599b657201d226cccb73d627949385bb21c69eb6e7c4554c43014a63a681978",
"type": "eql",
"version": 3
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container",
"sha256": "0f61633254922e0ebf567567b6aa39f07580e86d34cd1cb9240a2c1ce7ce5034",
"type": "eql",
"version": 4
},
"428e9109-dc13-4ae9-84cb-100464d4c6fa": {
"rule_name": "Login via Unusual System User",
"sha256": "98d6ad1428c6a1aa6239bfa75936d88f18749d6fb33d148792889108ee6f792a",
"type": "eql",
"version": 2
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 310,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a",
"type": "threshold",
"version": 212
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a",
"type": "threshold",
"version": 313
}
},
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "7de53603ee4b0fe24f98d5eac198e89c58e92243d6a6e67795968369a9fff2a3",
"type": "threshold",
"version": 413
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 109,
"rule_name": "Process Creation via Secondary Logon",
"sha256": "f79e046cbbec23da583f5a9a5ff0c2359af0a92b60efb6da01790d90fefb9cb9",
"type": "eql",
"version": 12
}
},
"rule_name": "Process Creation via Secondary Logon",
"sha256": "0f366e14695fce4131d2de09a7d46f8a0d1e897bd78444ef5ed8bbce30a30770",
"type": "eql",
"version": 112
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"rule_name": "Unusual Login Activity",
"sha256": "eb323bc47a138a26bc5bcd92f8c25da588ca83b5b8dd6a8e7203111d13961caa",
"type": "machine_learning",
"version": 105
},
"43303fd4-4839-4e48-b2b2-803ab060758d": {
"rule_name": "Web Application Suspicious Activity: No User Agent",
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
"type": "query",
"version": 101
},
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"rule_name": "Linux User Added to Privileged Group",
"sha256": "dfd9d0ca4de23654268f056431b3427be368d9c063d5991111ed78363645dc4f",
"type": "eql",
"version": 110
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "3093b3093e9dfac5593dd9dead91b15345100e95d1bca816d602302c4ad03332",
"type": "eql",
"version": 112
}
},
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "c0608c95611f1a89e093cb3a0b2080c46a012ec91358883418506af1cd874eb3",
"type": "eql",
"version": 312
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Unusual Windows Path Activity",
"sha256": "67bd807b50763f06dc6861bd1b4a7ad996afbb5766a7dc22bec1762999b6b281",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Windows Path Activity",
"sha256": "0c67162e07a41a693f97af4942752d9557c76b058a4fa0df6be8777647152a80",
"type": "machine_learning",
"version": 208
},
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "7b04571af013a3c9cdefd27690c4a402e9f3399a0a5f61ccf9eb8180fe968af5",
"type": "eql",
"version": 4
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 110,
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "4ed1c92271f971ccdfb787166f5469edc64084f2b7ec98c1c9f03fa7103e1f23",
"type": "eql",
"version": 13
}
},
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "d952fa6126823aa4795c6d47b481559663ee4641dff520e86f387180decc8a2b",
"type": "eql",
"version": 113
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"rule_name": "Route53 Resolver Query Log Configuration Deleted",
"sha256": "bca21aeb358e7719e930c2792a3c5b1b899b86341952c8e0acf0f7a4fa84d36b",
"type": "query",
"version": 3
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "bc6f767d4be0de3156f54c606bcf218fc712696406e84ecd976a907d90c156bb",
"type": "query",
"version": 104
},
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
"sha256": "ed499f9d7399c1be4f54417888b74be031a5b50a48b1d7c68b8caf33c4e24d44",
"type": "eql",
"version": 3
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Windows Event Logs Cleared",
"sha256": "03df4c9ba83974ad56a692f1e48ad01c5afbc399f016252d9a8f5d25442ad9c5",
"type": "query",
"version": 112
}
},
"rule_name": "Windows Event Logs Cleared",
"sha256": "b2877be463d6d3476c7945fcff9d4b10cbba5ff4847f04b747a59dad96a73e1b",
"type": "query",
"version": 212
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060",
"type": "eql",
"version": 113
}
},
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "6389d9780340aa3eba76379358bc68062f775f8c23b81e15d7be509e7fcc87b2",
"type": "eql",
"version": 214
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "500d6f2d6faa250fea7e87e78ccb4ffc1ac323562a22fb542e4733f33c5e1d59",
"type": "eql",
"version": 115
}
},
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "d1654db54f8a2c7e763a7c7d1fb20d71cf19355115ae479352db7b977682a0a7",
"type": "eql",
"version": 316
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "9738558986f5eefce14d8f415a984acc7980e6eaf9211b61fbccbcf8814b2e06",
"type": "eql",
"version": 113
}
},
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "cbae5504e94c8d135be970e202b61d75493807ca03a926f3422e7f3913e1bddd",
"type": "eql",
"version": 313
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"rule_name": "Unusual Process For a Linux Host",
"sha256": "6cefd4c22a36577834d4d834fc5c1929fed830cef4703c1df262425f4f6b2cbb",
"type": "machine_learning",
"version": 106
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"rule_name": "System V Init Script Created",
"sha256": "f1873f6d75f651d8a741c68aeb9b215cc2750c45bc137afd9a6110af092219a1",
"type": "eql",
"version": 115
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
"sha256": "c45335d0cf5b97ef7c4f655e919b98f962426de4d8347ffb18ce6bbfea13bd98",
"type": "eql",
"version": 4
},
"476267ff-e44f-476e-99c1-04c78cb3769d": {
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
"sha256": "eb912e24c46ec2f35d9be99c411eb107c6f6cd1ad27b962d4130668320e98388",
"type": "eql",
"version": 104
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "1715a0e265def59183c4652ae4742b17cc3578a5d1132831b499ce28f0c7c4a2",
"type": "eql",
"version": 112
}
},
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "4fc3777d4378758cdba6f0626f707192e45e0bb4eabaa43407e35f914e7d6dcb",
"type": "eql",
"version": 213
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
"type": "query",
"version": 100
},
"47f76567-d58a-4fed-b32b-21f571e28910": {
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "c9df6be08711e9bd55271efaeed40617ea3dc66efb5a3c472e11ee4b7dffe73b",
"type": "eql",
"version": 109
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "60cb1aafa8d037f564143057fa316c87b326346f698ec418f9301fe073ccfc7c",
"type": "eql",
"version": 112
}
},
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "5be642a84f9f578e4f7ca280227774f6649786fd9f505fd832b741d7e28a6005",
"type": "eql",
"version": 313
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "a396e648dc8058d8a7af3f97d34c5784cc2e81b5a1e4616f31edc818a101ddc9",
"type": "new_terms",
"version": 108
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"rule_name": "Potential Reverse Shell",
"sha256": "60acdaeb7bdfa3879ac2b58f7e1f303bc1cb6ead52bc7e45ad1bd340aacd352a",
"type": "eql",
"version": 11
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 109,
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "d3b2f8128fcad0de701a9aa48b9d8f5259837ff59505a81935bc2e5b6d3f3c38",
"type": "eql",
"version": 12
}
},
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "d2585f969107cc9ae78709ef7ed7d0086a142fd32b9378b3306633fb87466cc5",
"type": "eql",
"version": 112
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "52f6b93c3cc0d5c1fb4f6e6db6ed931e29c49ee0e908a1561e09af98dba2acad",
"type": "eql",
"version": 109
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "070bc3d77b85c97628a5f7626bba0e95d76cf34954f5db82e4abbdd323126b88",
"type": "query",
"version": 107
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "986c22f239fcc3d437e58dcb98df458a9d9435c5f561c9da3628425f6dcd591f",
"type": "eql",
"version": 4
},
"493834ca-f861-414c-8602-150d5505b777": {
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "6144987feeea5f57fa67484e121452ca28b0a522c8ee105f48e14de7fd4ef115",
"type": "threshold",
"version": 103
},
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "691cfec23b704e2589edfb62980284fec4ac438776a1a88edb7605ee5e54698f",
"type": "eql",
"version": 110
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "fa0763bb909c5faa492f63ddf49e52ad217b2ba6495e1ea1f66636550d76c562",
"type": "query",
"version": 107
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
"type": "eql",
"version": 3
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "d6a6479c0c7905bb1f2dd6b93ad2e973b02944bfa46b720e228d49bb15ccb7ec",
"type": "eql",
"version": 7
}
},
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "c6d9fdb39c7405bc9de7c5d374c70044f34ef32a788ca37046a79a6db321127f",
"type": "eql",
"version": 108
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "df02c5a18062b26bd791e0bc8b97a58b4d463df63e0d16dd6352edde4318c54c",
"type": "query",
"version": 107
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "6496b33df954b86a762df6202f068d413cf231e273ca8e1a2c0ceefa6e1d127a",
"type": "eql",
"version": 107
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"rule_name": "Potential Cross Site Scripting (XSS)",
"sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6",
"type": "eql",
"version": 2
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
"type": "eql",
"version": 6
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "5f73d21d945760cc5f0e2e9e4f3a20183956cd20ac5963505a49fc7c29dd290a",
"type": "eql",
"version": 112
}
},
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "b8fb9ee22e08968e0dc38a4a7821aa9e0f623a492d275bc8d7f3e825532b5f56",
"type": "eql",
"version": 313
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"rule_name": "Deprecated - Container Workload Protection",
"sha256": "411897304d67f1f8954d01b12bd234c002308f5cb7c284cc8edc8e86398b5506",
"type": "query",
"version": 6
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"rule_name": "ProxyChains Activity",
"sha256": "3ddce01b59f5987dd1a83755af79e6e993de5f67f97b960b4b2b544be9e1609a",
"type": "eql",
"version": 106
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "ed51342a669aca3acd05b70564dd2b6c9e0ff02f83266d5665ef6dca3851a6c7",
"type": "machine_learning",
"version": 5
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "c6c357f72dda9ad192ec0f1297502bd068bf0cbdcc97ab58e49d86e7cfdde988",
"type": "eql",
"version": 110
}
},
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "724c9eb77e876a0609dca7f377c3b888ee71c8ace7316e67235b6399e7dde6d3",
"type": "eql",
"version": 311
},
"4c3c6c47-e38f-4944-be27-5c80be973bd7": {
"rule_name": "Unusual SSHD Child Process",
"sha256": "1563951eaa26040f25dcd3eae36d9f46c9bdcf45a6f24398ce7a7fc4382da092",
"type": "new_terms",
"version": 2
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 110,
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1",
"type": "query",
"version": 11
}
},
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "fdb260cd12a650f01e9663894e62c091eec9d70cfa7d579f4708358a4415dc9c",
"type": "query",
"version": 111
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "f8166b3c126f6350077c04381eff45f180452c93b70be54c18aa91ff15e512f0",
"type": "eql",
"version": 109
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "189ef68f8b1654ea9486b7831d9a69f4b42554453426d0d7531fe7052cd96756",
"type": "threshold",
"version": 208
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "37d2ef8b050dfdece62cbbe06bc676f8199d5b4f1fddca44de9748f463a2ad80",
"type": "query",
"version": 107
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "214f871b4ac72ba8d644b997c7991d4b88cfc32320409761af37fcb8717ce0a7",
"type": "eql",
"version": 114
}
},
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "449e14f8848eac71399cc23c1b6669e220569f25f071fa022f970e5fc8a87f9b",
"type": "eql",
"version": 315
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 110,
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "a850bf83897d0291d578f2f0ac69c11ed4288d5da688c63475e863bfc7edebc4",
"type": "eql",
"version": 13
}
},
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "751b70e5b7717328b4dd47712a45f968eae280094169a92ef83343b306e70e8d",
"type": "eql",
"version": 113
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
"sha256": "f680d6c8ee7249b89249a6710ce30801b2c982cef68f015538d7cfac8430cc94",
"type": "eql",
"version": 111
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "706691106e2a013f1cf173681567fcb4f84c44db8406ee24fd96b866d5d17888",
"type": "eql",
"version": 113
}
},
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "2f2d1d989113eef4a198eec72d1cba340c3aa89886d5461b653e7969b9e4a186",
"type": "eql",
"version": 314
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Suspicious Script Object Execution",
"sha256": "d03461949ea02ae5d1a9afa32408fcc350c90751725cecedddb19bc153f58ba7",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious Script Object Execution",
"sha256": "21d6ca38910e536e9886d360bd1cfe63932e9d4036a7d6a26af4708806dfecdb",
"type": "eql",
"version": 210
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63",
"type": "query",
"version": 311
}
},
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "d92cb4bcc5aadaea4dc0e6b7b35a1bf6e2ae910fa754432faf4dfb96696001be",
"type": "query",
"version": 411
},
"4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
"rule_name": "Kernel Unpacking Activity",
"sha256": "30f4f5ada6d77e11118ecf139bb7106bc0df3031341b3e5ce0f55fd20221aa09",
"type": "eql",
"version": 3
},
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"rule_name": "Unusual High Confidence Content Filter Blocks Detected",
"sha256": "c2e729e23f37d687504d5c86cb91f01a1d9363cd489f06a54723e557f02903cd",
"type": "esql",
"version": 6
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "9ff2cb9dd5ea847ba0e865edd15a145b5015f7bfd5601d9a07a3ad7c4aa13b0c",
"type": "eql",
"version": 114
}
},
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "43a1d4bda6d39e5c7941b832e24b922e10f38531c3c5d2b9b8f55bdfe0b0d99d",
"type": "eql",
"version": 315
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7",
"type": "threshold",
"version": 6
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7",
"type": "threshold",
"version": 107
}
},
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "6a554290e7a84ccbd18f8a19971e557ac7a9838d92308436ae1252d215f09d94",
"type": "threshold",
"version": 207
},
"50a2bdea-9876-11ef-89db-f661ea17fbcd": {
"rule_name": "AWS SSM Command Document Created by Rare User",
"sha256": "16bcc4e20cbecdeda51970a7c080df121c8c49778592fd2b3384519d93b21280",
"type": "new_terms",
"version": 2
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "Windows System Information Discovery",
"sha256": "17e4aea652e17a149717afe81d8d917e26f0dbd3d4cad9923c0e7cb71eac92e7",
"type": "eql",
"version": 9
}
},
"rule_name": "Windows System Information Discovery",
"sha256": "3fbcb0954df0fd52c7091bdf8c13448b46dcbafa7fd29d10fba35297879b48f5",
"type": "eql",
"version": 109
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"rule_name": "Hidden Files and Directories via Hidden Flag",
"sha256": "b33bbf177156fd682cccd98b3b5e214c494c17ac29770c3ef6e211cd2b8f26f9",
"type": "eql",
"version": 105
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "13b9667f77ece11fa75c760717a7f1a7474e6cf3583c6d428b0b835bbb79c161",
"type": "eql",
"version": 110
}
},
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "a122de466303b9918efe6f15d1a658addad361829c6bf7d515d823a75eb19a2f",
"type": "eql",
"version": 413
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "f5a4de0b0ac06eb1a69c2cb23b7f9d7b884a576168db1d956ef9ff6144c5756d",
"type": "query",
"version": 207
},
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
"rule_name": "GCP Logging Sink Deletion",
"sha256": "5d8877660ac02415a7e931d15a718cadb7de72da25f5bcdc79d9fd493d4c71f5",
"type": "query",
"version": 105
},
"5188c68e-d3de-4e96-994d-9e242269446f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Service DACL Modification via sc.exe",
"sha256": "0103f881f5ee4e7c9d82ed15157325d5b5a58d4e397d6367d4da02bbf8ce0034",
"type": "eql",
"version": 4
}
},
"rule_name": "Service DACL Modification via sc.exe",
"sha256": "2196b597b084d5ecbb13b0b17492f36f5b84dcca3a09a280a2e2d59035ac22bb",
"type": "eql",
"version": 205
},
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
"sha256": "097a5bc6720f07acfae2d20f11d9a717f1fe350cf94d7145adaa481146c184df",
"type": "query",
"version": 3
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "341be9c43bad17537b54fdc7f40f8c156c772443e30caf8193c825ef8ae6e632",
"type": "eql",
"version": 109
}
},
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "98bc7f7c240e76cd9d3ecb1a5633fb0d68e571ceffa5569f91e5702c53b02d8f",
"type": "eql",
"version": 209
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "1e7bfe4a829855d26e56d29a29a24edf68130b67fb19c38c807680c99f335d69",
"type": "eql",
"version": 8
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "0d18d9439a5628f8f0339e9c968f779926c27addbf3835666f0b4312115511b5",
"type": "query",
"version": 207
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "d68914fa075b88195665f82a00fa3b28e4743eed50f9e3588de8c565793841b1",
"type": "eql",
"version": 115
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
"sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7",
"type": "eql",
"version": 1
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b",
"type": "eql",
"version": 109
}
},
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "6a3129bcebcc413938e081a72c565ac7e9a135830fc1c5c11e4c24f98d29c734",
"type": "eql",
"version": 209
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"rule_name": "Unusual Linux Network Activity",
"sha256": "7705ae36b0bdaf932acba46ebafffb17e3e085213212f44314d4bcc79090bb04",
"type": "machine_learning",
"version": 105
},
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
"rule_name": "Unusual Linux Web Activity",
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
"type": "machine_learning",
"version": 100
},
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
"rule_name": "Unusual Linux Network Service",
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
"type": "machine_learning",
"version": 100
},
"530178da-92ea-43ce-94c2-8877a826783d": {
"rule_name": "Suspicious CronTab Creation or Modification",
"sha256": "a4364fe5d4b4e0e056536d4580cf884b56e49248ee1f3a84812426da1bcaf590",
"type": "eql",
"version": 108
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "dda8b86ee8d2dcee8026d296c9e5f313eaa3dc3d50eedfd6ae6e19c938486a92",
"type": "new_terms",
"version": 12
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "e6c6dd49909f5672bab0d1d27d7ea1b5661d81198a9568926b30ca91064fbe16",
"type": "query",
"version": 207
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"rule_name": "Azure Diagnostic Settings Deletion",
"sha256": "8227f6204aca346ad00f70681a540b2e14358f63b3415da0a722d3fe8c4bf796",
"type": "query",
"version": 103
},
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "9eafe3af498b5f504346bcbb44ddacf2157ebf9f7dc56a66e0f6512ccbcaa61e",
"type": "query",
"version": 7
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "33313501aab3ebd4c97177b9d2f9462691e4c62a10efc4c19fc3417517abfbcf",
"type": "eql",
"version": 113
}
},
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "dae0c8a08f768305b1aa9ad113a02db0438a7c0d22a4aa8088f1a3568300c6a6",
"type": "eql",
"version": 314
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "83eb2f905a505910e8693162369ba3f7e06a7c2f331aa002af5bb31379c6e46d",
"type": "eql",
"version": 7
}
},
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "9ef3f604c40a90763ae7818ac31b2169a1d0f2b10c955d5bb5df363016648099",
"type": "eql",
"version": 107
},
"53ef31ea-1f8a-493b-9614-df23d8277232": {
"rule_name": "Pluggable Authentication Module (PAM) Source Download",
"sha256": "af9d57399895c1474ce02d98053dee54db65bf201345fb22036a0935476ec4bc",
"type": "eql",
"version": 2
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "44240eefb782b212aa0e92aa499c5c53a15dd47c2d5ccd8d5bbd7e730a2ced0d",
"type": "eql",
"version": 112
}
},
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "b7dac84100da5dd86f5b3db2e97a9c0d5bbc086be021a8d71d6801723d7317ee",
"type": "eql",
"version": 213
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74",
"type": "query",
"version": 9
}
},
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "204ae09b3fad4e478789727bf76c2cd45d4b667c9a0d7a140a83d9c4d85bfe12",
"type": "query",
"version": 210
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "c1d15e3f87d0c06656e38903de062e3f17bdbd3884c26fd330cb747036019545",
"type": "eql",
"version": 114
}
},
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "dccddc93820e882a05daa4e44e2f269398b302098bbe00d5c1571ffd86581be4",
"type": "eql",
"version": 214
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "24bc059a551799ed770e0ee2992748c8016fcfa722ee640541fdedaa89f5f742",
"type": "eql",
"version": 113
}
},
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "b10f3813eb60fb8a4796ca8688b2974490c44a482dfe032445b15a89e06b3e21",
"type": "eql",
"version": 213
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "PsExec Network Connection",
"sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66",
"type": "eql",
"version": 109
}
},
"rule_name": "PsExec Network Connection",
"sha256": "90e3f23709d14c16e8714247d3a94ee747ed3ba8514e76d2416f0bd1e9b650d5",
"type": "eql",
"version": 209
},
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
"rule_name": "Windows Installer with Suspicious Properties",
"sha256": "312e779c5096313dd68712aec37a208169b7e7e58d9dc4a1362676776d5745c6",
"type": "eql",
"version": 2
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "20041d45b1675b29ac029036acb9a791d296507da6fc2d342c22e8ae9d37add9",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "3910654eec2497e6c45f9eba623296d166de75f2bf26bf5f27f652de0fe602b3",
"type": "machine_learning",
"version": 108
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f",
"type": "eql",
"version": 5
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f",
"type": "eql",
"version": 106
}
},
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "24cd1a2e88464e024bd2f2db03af2a5c5a1557c9233a84b3fa95a40d618a5b48",
"type": "eql",
"version": 207
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "844fb3c0e49c833039ab4433243235fa41c2d67fe700084b9c97c8c5d547ccf1",
"type": "query",
"version": 109
}
},
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "030111f201bee8e956cb3823673b4ed80b1ede153ea729464affed575da4b983",
"type": "query",
"version": 209
},
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"rule_name": "Potential Admin Group Account Addition",
"sha256": "6f18cbdc2814670890459e8a1b80c7b8bfac998d71d67c250ffa5a3017a0a95e",
"type": "query",
"version": 207
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "a9bd29a0b1111a010696c79f5347c1e5e60dd3a903452b06964302229c7bfb2c",
"type": "eql",
"version": 109
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"rule_name": "GCP Logging Bucket Deletion",
"sha256": "50c3afa5e3c557336820b41946ef7d0889d9f7002f614b9bc7a0f6216fdb24de",
"type": "query",
"version": 105
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "PowerShell PSReflect Script",
"sha256": "9075bac2c658f9cd09ae5480d64a0005ed4877f273b113b12c5c9d38098e5c35",
"type": "query",
"version": 112
}
},
"rule_name": "PowerShell PSReflect Script",
"sha256": "60ce649f4376763aa71d2a2bbe3126251aafabb204c1bd51614fab34b09fccd7",
"type": "query",
"version": 314
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"rule_name": "Execution of an Unsigned Service",
"sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9",
"type": "new_terms",
"version": 105
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "5ee4cc1bef3bc0cbb466f51fc238d7ea3789de02607f24d664300a4cd08147f0",
"type": "query",
"version": 106
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "cef2f25973f7650fc0b3c4e6d49eb118a5216965cb85cee1568ac3a5e26bb119",
"type": "query",
"version": 104
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"rule_name": "Azure Virtual Network Device Modified or Deleted",
"sha256": "398d5eb8f8ee0c1a9ca69806e64a8879579ab03f3e2f5a29a66c0da240018ab2",
"type": "query",
"version": 103
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "PowerShell MiniDump Script",
"sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell MiniDump Script",
"sha256": "0c2a7186e2aa5916c5889d9d75731f00059da7f8d8306ea8e6cc5ba810f49a4a",
"type": "query",
"version": 210
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb",
"type": "eql",
"version": 6
}
},
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "1acdc9f8e087369826ba6e49c673137f4634a9a62b94bccf201c13d8d3ce0932",
"type": "eql",
"version": 106
},
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "DNS Global Query Block List Modified or Disabled",
"sha256": "7d36f22f3ea3b4008813322aadd11c5d337d890ad99892df41b2e3154c755ed8",
"type": "eql",
"version": 4
}
},
"rule_name": "DNS Global Query Block List Modified or Disabled",
"sha256": "c1df3f0030e17676949facaed1368a9f13c67cca442f5b94af0920ed85092de8",
"type": "eql",
"version": 204
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "6165559b4653bf1ee1706a1331a547f918100b0ced5790793d5e5ba4d729ede0",
"type": "eql",
"version": 114
}
},
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "dbac24b6bdcc3636908b11a2fea993e83836aa3541740fc494bfcba3de51d345",
"type": "eql",
"version": 315
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "RDP Enabled via Registry",
"sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1",
"type": "eql",
"version": 112
}
},
"rule_name": "RDP Enabled via Registry",
"sha256": "8aee0c8639f2f4bee943504b9828ddebae9944ff41119c3a2b4d0fdaa1354f6c",
"type": "eql",
"version": 312
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"rule_name": "Zoom Meeting with no Passcode",
"sha256": "ccb0acf3cc1b30624083f57a468ae8f3d188ca69b2ae0551b5122b12e90e6b36",
"type": "query",
"version": 104
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "274d6dd045e0bf970b32a646a70634ee7ddddc23721c1271d9e33bd3da440d40",
"type": "eql",
"version": 109
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "c2dfdcdc1b0d76b1a905b8e67a67d188594bb8b4665a8c1750ce8e92714325af",
"type": "eql",
"version": 112
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"rule_name": "File or Directory Deletion Command",
"sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a",
"type": "eql",
"version": 3
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "81b57999573c8fb4a7a366594f25ae06a0af08d40dce604d87d7a8f30dd943fa",
"type": "query",
"version": 207
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
"sha256": "57e2816be37db7fe8b97b74d890f5f1c173f9f98635f900fc0a239d93de116f9",
"type": "query",
"version": 208
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"rule_name": "Unusual Linux User Discovery Activity",
"sha256": "62cd203498ed5ec9c26690e7c2c202cf2cdb234c9be6a775889f5d2458744366",
"type": "machine_learning",
"version": 106
},
"59bf26c2-bcbe-11ef-a215-f661ea17fbce": {
"rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"sha256": "c65dca5d2ab212399ddf5f197ae8f6b71543e67dc4c506edba0250e81a48ba75",
"type": "new_terms",
"version": 2
},
"5a138e2e-aec3-4240-9843-56825d0bc569": {
"rule_name": "IPv4/IPv6 Forwarding Activity",
"sha256": "8396ecbd7798a0b4e17254a7e80dffd7b731859eb3d11dbb07f51ddbfdad095e",
"type": "eql",
"version": 103
},
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "195101291410db100f83b2bbb0bb45a23a5d3c84f0b3cc59e3e80543531dd5e1",
"type": "eql",
"version": 110
}
},
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "0803f03287c0303a478d35d524621cf58ec5e09afe472fe968a33d05b1f8e025",
"type": "eql",
"version": 310
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"rule_name": "Potential Reverse Shell via Java",
"sha256": "d34a8290b7fcc098f29ce0d6bb50b467f7bee1c71201258899338916a3019e66",
"type": "eql",
"version": 10
},
"5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
"rule_name": "ROT Encoded Python Script Execution",
"sha256": "797af136476a4575466ea7dad526fda9d5328930d8f9985a260e5e1177223225",
"type": "eql",
"version": 2
},
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "135b3d3e2b3be70b8da8cfd2806556b9b14bc02f669d6789237a56b36d345398",
"type": "eql",
"version": 104
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "8a9322fcb0f59a2f5ade44ab323e0b057c6019500063a9e67db93eb954461718",
"type": "query",
"version": 107
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30",
"type": "eql",
"version": 109
}
},
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "f9cda122a401560f226e7216339accbcc62094bdba84a4debe35fbdecaf48970",
"type": "eql",
"version": 309
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "6a40d4a3eb8956f0fa86900cd0f068813b708cf72355b20a006a4ae024884b63",
"type": "query",
"version": 109
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "91750adfc2612e0725d0e74eb5c05c29dec1b7871b12e1e2ec38f409cd0f1e08",
"type": "eql",
"version": 8
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"rule_name": "Suspicious which Enumeration",
"sha256": "8c27bb4dfd65956ad41dd52d71f7c946aaf21e52ea1956d82fe54231ac8a17f1",
"type": "eql",
"version": 109
},
"5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": {
"rule_name": "Successful SSH Authentication from Unusual User",
"sha256": "40fa48cc277baa4a3bf1d1a7c0327ead2b79f87965fcfbf584cacd0e22728e2f",
"type": "new_terms",
"version": 1
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "54ef71a878f44875c6c8792e51f8923f0cf6fc9dec2a549fbb841a11d2161f25",
"type": "eql",
"version": 6
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "35874a6b3415659603a51352ab4aafe03d8e2d816f25c4f343115687e555aa00",
"type": "new_terms",
"version": 115
}
},
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "4dcc839828bb5d7e479b5816322bbc8808ee054bc913c811cd9690d54c57ca6b",
"type": "new_terms",
"version": 315
},
"5bda8597-69a6-4b9e-87a2-69a7c963ea83": {
"rule_name": "Boot File Copy",
"sha256": "24d0894ed6959d5f54396c957e8dcd3de231026e473c753ef10c5c033f991857",
"type": "eql",
"version": 2
},
"5bdad1d5-5001-4a13-ae99-fa8619500f1a": {
"rule_name": "Base64 Decoded Payload Piped to Interpreter",
"sha256": "505425e6327e3d05dcc6caf8246b1db4d9218e3e065c0571752e1a4d08415418",
"type": "eql",
"version": 1
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "89f33201ad4d76858ce52afe371130935c8d2f202139ea266bd17c9ac2488519",
"type": "query",
"version": 207
},
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
"rule_name": "Process Capability Enumeration",
"sha256": "e030a36c06a00dbb591951c1c87280a6f2afc1b155d67ecb00fd451bd084cce6",
"type": "eql",
"version": 5
},
"5c495612-9992-49a7-afe3-0f647671fb60": {
"rule_name": "Successful SSH Authentication from Unusual IP Address",
"sha256": "f0dcd082877a3b41e9e087c850fc3181ea1567d69e335d54002b6dea98c19574",
"type": "new_terms",
"version": 1
},
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "5ae470e75de9bdbb84070a55c7cfbd9143654a72f9e9193782aea6145b12fd1e",
"type": "query",
"version": 4
}
},
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "d4ae42e3bddc23b1b5b75d60e725076a3baf37caeae03e0794a91fa47346aa02",
"type": "query",
"version": 104
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 112,
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "7183be4ca315578faaa377e9a60195ad188e37db8da8a104b351536251c77267",
"type": "new_terms",
"version": 14
}
},
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "fbe46096710062783651447c684d4a0479eccefab66ff761ebd9bfef6428eff8",
"type": "new_terms",
"version": 115
},
"5c81fc9d-1eae-437f-ba07-268472967013": {
"rule_name": "Segfault Detected",
"sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8",
"type": "query",
"version": 1
},
"5c832156-5785-4c9c-a2e7-0d80d2ba3daa": {
"rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"sha256": "23f889cc4747d5ad5d505549b4301b18abb715f10d21b48a1c87dbd95cef2f29",
"type": "eql",
"version": 102
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "dac377b1d7e688c590f3961e984193d99e548ddf1fa5d9298d724d251cfb7b4b",
"type": "eql",
"version": 8
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"rule_name": "Unusual Linux Process Discovery Activity",
"sha256": "6699f13d1830f5c9e67d20ffe8e3c35f4cabefe9e630339c8541bdbdff752085",
"type": "machine_learning",
"version": 105
},
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "c5995d0265ad4c7e35124856effd41c95caad3e3178a67f3c5bc6122df89e317",
"type": "eql",
"version": 109
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "881e17596c2ce4e314625942adb04235a12e70f19501ddbf53391bfe02dd03f9",
"type": "eql",
"version": 110
}
},
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "9861068f16d7c13e90230fde674392101cfe9ae5e74dbda9522097093911536f",
"type": "eql",
"version": 210
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "User Added to Privileged Group",
"sha256": "70bef882918b9abe618227f6f577a2900d5d565d841c12e47a5347e679d614d3",
"type": "eql",
"version": 112
}
},
"rule_name": "User Added to Privileged Group",
"sha256": "ed8120399b57c0837fa2a1b39a25528509b6f5683cb379f1e4fa6e37f0133c19",
"type": "eql",
"version": 212
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "Persistence via PowerShell profile",
"sha256": "e2a9084a8e3062415cf21a33d22098b3e31cd354006e57075af67e820641af92",
"type": "eql",
"version": 10
}
},
"rule_name": "Persistence via PowerShell profile",
"sha256": "0f950647d4f0916286902132be8dcaec3f65ee3132b998b43e7eeb93677cafe5",
"type": "eql",
"version": 210
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "3bd77e64972d14a4d804669114ba09690953c6f7e3ecc837457651ea6a58dbf2",
"type": "eql",
"version": 109
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "975967ec3e4989e05b906196e1492ea1f24ac1162211d54845e8c1f682036f71",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "9ea148fb05f1ad8bad2d0c5e98ede34ed27187dca9e159ef7197a3c8afe8882d",
"type": "eql",
"version": 211
},
"5d676480-9655-4507-adc6-4eec311efff8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "8f2d6fb941f3e9f2fe599164f806804b1b09b4c08131d79eb3e7ecaab5034c05",
"type": "eql",
"version": 4
}
},
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "0e908a21b5f00f708db56a1f494aafbe52a203ae6f332d5e4e763103aa53e03d",
"type": "eql",
"version": 104
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "cf8318ce83d960276ef1ade7a60d590ea666e5f242ecdabd0a9a6c7daeb32e1b",
"type": "eql",
"version": 108
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "e9ecfacffc915053d9856796153aa7ce7cc98c60c95d4de25a4d3f6307b6baa5",
"type": "query",
"version": 107
},
"5e4023e7-6357-4061-ae1c-9df33e78c674": {
"rule_name": "Memory Swap Modification",
"sha256": "9b2b90fcdbd4c8d61fb415c8648a5fbb45acf0f721bc6639adae981cb9d9ce1c",
"type": "eql",
"version": 103
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "3ebdea07f4ef0b08b17227bc1a2482fdf6678f10abcacd02c0a85dfb400a1501",
"type": "query",
"version": 207
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"rule_name": "Potential PrintNightmare File Modification",
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
"type": "eql",
"version": 100
},
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
"sha256": "e65db1e4cf78b27ce4ca6092bbbb6900c749dbda0d96ee608ec1954757cb9862",
"type": "esql",
"version": 4
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "4d8ace1351c9ae35691f8b6021a49e99b73411ceef1141b2991a256639c06fc2",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "8fdd339fa138d8d7b032a8bc819f24702be2d259fc4e97147f80ae3ab81d8bae",
"type": "eql",
"version": 204
},
"5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
"rule_name": "Docker Escape via Nsenter",
"sha256": "453ade8392dd064ac66baaea865224304bffe2e8afac34c7811e8776d5989843",
"type": "eql",
"version": 2
},
"60884af6-f553-4a6c-af13-300047455491": {
"rule_name": "Azure Command Execution on Virtual Machine",
"sha256": "75603330eba99f8199e1a118a71eca46d7c50d35b4cd605c1dfc199a15028b4b",
"type": "query",
"version": 103
},
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
"rule_name": "Azure Service Principal Addition",
"sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2",
"type": "query",
"version": 105
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "083349bd92f7b6c0a756f5a62567cd8c5a5bc5daadf1eece6de8e8e79978a41e",
"type": "query",
"version": 207
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Unusual Process Network Connection",
"sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c",
"type": "eql",
"version": 108
}
},
"rule_name": "Unusual Process Network Connection",
"sha256": "03650e968a078c275a50bd1b08d8a8390430cdb53c2723595bb0b572350387ee",
"type": "eql",
"version": 208
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"rule_name": "New User Added To GitHub Organization",
"sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4",
"type": "eql",
"version": 204
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "132f771ca6058156fbc2c515ad591010a1372d2130f37e7a4b0526d53e0d792f",
"type": "eql",
"version": 6
}
},
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "1b2b6ec043b9c401900e0918a2fb67d9490780c167321cd5734b6bdd6147069d",
"type": "eql",
"version": 106
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8",
"type": "query",
"version": 114
}
},
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "0c8aca13cd27121eb75ba5494b65fc5c53151b4d7a12f3f830916d156f260a95",
"type": "query",
"version": 316
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
"type": "query",
"version": 100
},
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "2df55d0ae697d20c47f22d5c616f9c06bb6c4c9fbac2aebb282caa3d9f7e4e1b",
"type": "eql",
"version": 113
}
},
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "d6c2af1422e393b85f9523ce6397c2b4b28e15dfb8af6ee48a91d496db20160e",
"type": "eql",
"version": 214
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "f472608d534083bdf5f50a92951a81599a2b3dce40e413de960019aa9f7435f5",
"type": "threshold",
"version": 6
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "aee13957217142915e900a15702f1683ba54b1c488d13e92b73e3d8e866779df",
"type": "threshold",
"version": 107
}
},
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "12e0d0b72f404e2086dcd9c36311a6eeb68c65979ce775064dd5c6ea06953106",
"type": "threshold",
"version": 208
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "facf2b369187ce8da1649950be8b3e38f3c4c1ec81f490fa646827baf5d2427a",
"type": "eql",
"version": 108
}
},
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "2b2a1dca315b2ba3e10a64bdd41f6a67b6cb64924ac2ef44668a7ec80657d775",
"type": "eql",
"version": 208
},
"627374ab-7080-4e4d-8316-bef1122444af": {
"rule_name": "Private Key Searching Activity",
"sha256": "ac4b591b30cbfb1cecd4fab9a4c521aa12bf95897eab976edf79d520b5eeedfc",
"type": "eql",
"version": 103
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "7d8a44d4634bce7a7e5cbf983f840157836ac6945cc140dda1a4f4a3b3b0717d",
"type": "query",
"version": 112
}
},
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "0a9b61cf366ce557e1ff625d9c47759506bc34f141b9ebf3602cf3e96b781ef0",
"type": "eql",
"version": 214
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
"sha256": "3a95ccdc273d7d2af093ab0c0445370fc790147be6d43d2a2edb2b9b3cdc82e0",
"type": "eql",
"version": 6
},
"63153282-12da-415f-bad8-c60c9b36cbe3": {
"rule_name": "Process Backgrounded by Unusual Parent",
"sha256": "208219618907f9af2a97a782d360496106265946d0d6b37aa5eb4369f2bd210a",
"type": "new_terms",
"version": 1
},
"63431796-f813-43af-820b-492ee2efec8e": {
"rule_name": "Network Connection Initiated by SSHD Child Process",
"sha256": "886e2ce498e9e513fd0cbb827b2670aecc14f0622b71977c7d5a5bbaa36f7faa",
"type": "eql",
"version": 5
},
"63c05204-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "53a873d39857e58ee6e4fc5b7399e895bb152e41c1ab935663837628267e4ec7",
"type": "query",
"version": 7
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Denied Service Account Request",
"sha256": "c8d9810184ef49e7246335b18a3ee60393d89ef7ce8f918026a59c34bcc38064",
"type": "query",
"version": 6
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Anonymous Request Authorized",
"sha256": "17099608b9a995ff056b49ffa5be61ac5b2aa1b25812fa9ca68294450e48a050",
"type": "query",
"version": 7
},
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
"rule_name": "Sensitive Registry Hive Access via RegBack",
"sha256": "87515f0a24197442f6f6ca7b485c9863754def3667a803880b4481e5a084fdff",
"type": "eql",
"version": 3
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Network Connection via Signed Binary",
"sha256": "66192fcde84de1d9b0e809854015279f1016447b2e2de3d0f3f81aad88df91bf",
"type": "eql",
"version": 109
}
},
"rule_name": "Network Connection via Signed Binary",
"sha256": "dbff3c36a4ce01428dd306c519a48b7816f503173ba63ff090c31c9719748cc6",
"type": "eql",
"version": 209
},
"640f79d1-571d-4f96-a9af-1194fc8cf763": {
"rule_name": "Dynamic Linker Creation or Modification",
"sha256": "14d6857ca9bf0ec373fc9399d4434a2ab8bdeb8dcf682ae5b097bdf43ba2f501",
"type": "eql",
"version": 4
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "a43d2835f72ae42b2a33840b01901aa85c4bcef91e50f5fb8d5ba647ff9bb0e7",
"type": "machine_learning",
"version": 105
},
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "83a660084e9cace9aebc80260a7b32dde9583c295a54c288ca8cd2bde4522611",
"type": "query",
"version": 107
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "1af56461ac06d32d603787c924153d4f2d4a4db5112a2fd3ddf2d2ecfd214686",
"type": "eql",
"version": 8
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
"type": "eql",
"version": 100
},
"65432f4a-e716-4cc1-ab11-931c4966da2d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "MsiExec Service Child Process With Network Connection",
"sha256": "0dec5c209de4432366d522c8479caa203fc027282bbca7df21df60a9a9ff41e1",
"type": "eql",
"version": 2
}
},
"rule_name": "MsiExec Service Child Process With Network Connection",
"sha256": "159c5871496b2240dc1edfc09db683fb7932c924589e736eb32c5a80fd21b0a7",
"type": "eql",
"version": 202
},
"65f9bccd-510b-40df-8263-334f03174fed": {
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "5ba81546094d936ec84995fbcb3e17bf792328c2426d692c1d219cb256fba423",
"type": "query",
"version": 204
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "31e21bde793c13880466715c3089dbc5f61ad8f8d76e83c06f4081ca257d27d3",
"type": "eql",
"version": 109
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"rule_name": "Suspicious Termination of ESXI Process",
"sha256": "e9b5bd05f304afdfc0d3dcad377c1c58b53eff1df8f63974f81a2a09fba0819e",
"type": "eql",
"version": 8
},
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4",
"type": "new_terms",
"version": 5
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4",
"type": "new_terms",
"version": 106
}
},
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "b8bb1b1e0023c2ce2967ad5ecc17c016a9de356e9f27d2e9f33c5ba979e7801b",
"type": "new_terms",
"version": 206
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "WebServer Access Logs Deleted",
"sha256": "3d41e0a751de0eefc517ae323b3602930bdfa24fbf61b7c15235e4be117511ac",
"type": "eql",
"version": 108
}
},
"rule_name": "WebServer Access Logs Deleted",
"sha256": "c437c24eaca8d8d4b1fbd92c21ca0f8dd61115f3a64e0c02f1e23aa0e428060f",
"type": "eql",
"version": 208
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "f8282a2d5173fd7e6fde9595c6efa24f5ebe48767db9981ec5a6cadffcfcf341",
"type": "eql",
"version": 8
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "676676fdba05827386bf901a05e1f8335bbe5042bc52bc54c688eb0aac55b715",
"type": "eql",
"version": 117
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"rule_name": "Linux Process Hooking via GDB",
"sha256": "6124499edac0ee53fc52e4a4b588db2d5747ae4fb3770c91307fd25814704939",
"type": "eql",
"version": 105
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "e459e7757af9cf9495f5f49a390b8b7ed17f7d4152b90f74cbae4e4e70c21084",
"type": "eql",
"version": 209
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 112,
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "a2b0e85ea8b810a2ed22188f8d14303a6077c51b2edeaf8e5f5007a0c9644381",
"type": "query",
"version": 15
}
},
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "23fbdf47b000d9debd0a1f9c2fff328a61097abfdc687038b0f05997e55b3dca",
"type": "query",
"version": 115
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "79a56d12f5cfae0778882f6215f3767e744601b2d0f0183fa71a191bc5d9a8c4",
"type": "query",
"version": 411
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "f899b24ce14bb0d0e1c223537cd020b2b65c7b71ad97b87fd5359b89e6bd2e2b",
"type": "query",
"version": 207
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "33e8c27c30a851ee7f9d49ed14bb20f1cfb5d370320db326fbfffb9c7b855b63",
"type": "query",
"version": 411
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
"type": "query",
"version": 100
},
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"rule_name": "High Number of Process Terminations",
"sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3",
"type": "threshold",
"version": 112
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
"type": "eql",
"version": 100
},
"6839c821-011d-43bd-bd5b-acff00257226": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Image File Execution Options Injection",
"sha256": "8107c66fd0a677b8966bf0f40409dfdac75050d7a2372a8e4ba10ce0350e6dfd",
"type": "eql",
"version": 111
}
},
"rule_name": "Image File Execution Options Injection",
"sha256": "bebbfc9c058cfc51931d5709b857995da179d43ad8e786073c42d4d74c29ef69",
"type": "eql",
"version": 310
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"rule_name": "New or Modified Federation Domain",
"sha256": "0c327149e5c49e9161bd8a1ef2fb8bbe117febb4c86c9efcaab8a6dc5890205a",
"type": "query",
"version": 208
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd",
"type": "query",
"version": 310
}
},
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "e40176c9634f6d0f324b5be9bf2cfae0370f3d8fc01188d10e54e5684d5fbbaf",
"type": "query",
"version": 410
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "fb1c6b89350f0562319e1eaccabc46a2a855fb936516da145a6c640de6692808",
"type": "eql",
"version": 113
}
},
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "78ed8e3ec78e07b57adeb31da14d9a43326b9262e57f55869c0c2faa91708238",
"type": "eql",
"version": 314
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "6286d75656a1400145ea6bcf0cb02194f46a8678a76395dbace1577060570643",
"type": "query",
"version": 207
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "a55f600e7c4e20a4be4404040ef2bc40bd6288c5aa54fc3a6d52c192f117858e",
"type": "eql",
"version": 109
}
},
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "c0988d5971ae4b85ecac42dfbe57eb1514ddc1c13df5f2bba07ca1f2097e2414",
"type": "eql",
"version": 209
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399",
"type": "query",
"version": 209
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "3f6e6dde427189d7e561da47cb689604201870715612cc80e8bc8f4247d1a7c6",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "40a07077d685e3bd7b6fb4cd8efdaeb95c30a8b4ecd82ce33d742d4269742948",
"type": "eql",
"version": 104
},
"68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
"rule_name": "AWS RDS DB Snapshot Created",
"sha256": "972c43b3af38053965d950138537310a6389c29d66d68617fbafc87b01aa6a31",
"type": "query",
"version": 1
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "88f491fbc91172a9ce530e464d3e41d098720ae427782544b68895129cdc1564",
"type": "eql",
"version": 111
}
},
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "dd1cccfa31ef19b5a08923452387349ef94bd64771d07f0bea725ec4a9d462f8",
"type": "eql",
"version": 211
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "9111baa04124fb4545052164f1f94445a22b38269c10ddf9433bccd3112f7b0b",
"type": "query",
"version": 107
},
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
"rule_name": "AWS IAM User Created Access Keys For Another User",
"sha256": "6f69dc6e309b86b281bd3f02594a03d86ba15d5835011a2b37a7ce21f3da291d",
"type": "esql",
"version": 6
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
"type": "threat_match",
"version": 204
},
"69c116bb-d86f-48b0-857d-3648511a6cac": {
"rule_name": "Suspicious rc.local Error Message",
"sha256": "bd61c67f25dedf7bbc88efd6e7088a4f24faa27595c5ec46bfcbdfef30126b78",
"type": "query",
"version": 3
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Modification of Boot Configuration",
"sha256": "ccaafef97b4bdf8ae36b9c2337353a7b352d18f0aeb421cddbace9a8b130b15e",
"type": "eql",
"version": 112
}
},
"rule_name": "Modification of Boot Configuration",
"sha256": "319d1711a4cf9b2d08557794a1e701ac31b3fddfd811565218a3292242b453ac",
"type": "eql",
"version": 312
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "e2ba77f3b79dada7823d3ab325dc40c902b56e2272d29bc671c218bf23de24ff",
"type": "query",
"version": 207
},
"6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": {
"rule_name": "Attempt to Disable Auditd Service",
"sha256": "a21ae8ad2d9a9aa7f634479e7b2fdea05a56714d0e14c6541044895377b4f628",
"type": "eql",
"version": 102
},
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
"rule_name": "EC2 AMI Shared with Another Account",
"sha256": "7f27abffb5aef9aadc163768a1f49184de75aebae83c4a7addfa275d9395699a",
"type": "query",
"version": 3
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "5f2f1310bff01d3a4c1ca2605ab01c632f85b21d4078a06cb88c4ffeabc174ff",
"type": "eql",
"version": 111
}
},
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "f463a7fe6e3b83f613bbd5fe19c3341fc1281b264a8b32289a081c9e9f5748cf",
"type": "eql",
"version": 311
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "9c37ce484fd50f922517f40b9bd1a5a55b402537ccb8f7e8f0b06c3b83261bf7",
"type": "eql",
"version": 113
}
},
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "28e4dd54ff6cf9610c2e7f5c8963ff1fb97cfa3c8d66f651ac36754556828b43",
"type": "eql",
"version": 418
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "7ed5babe4ccddd47a42992b6b092c794c17adfe49c0418a399fb645487d38e68",
"type": "eql",
"version": 109
},
"6b341d03-1d63-41ac-841a-2009c86959ca": {
"rule_name": "Potential Port Scanning Activity from Compromised Host",
"sha256": "74d1c8ea528608283c391f89ec9ff4dde0f4b2322eaa210dd37ca0602055b311",
"type": "esql",
"version": 1
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
"sha256": "09e49424ce202fe6c5b9e7f31510da79059a0617231c4c0022d2c1825ff55f8c",
"type": "new_terms",
"version": 209
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "574bda4d46d48399ba9e29a6e639b33f8f103bb7c85f9e7c935581bb3c63ca37",
"type": "eql",
"version": 110
}
},
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "29d396b355d7151b61a62895b2862782dd3172ec6fc4a54b25fcdd98c3adb3c1",
"type": "eql",
"version": 210
},
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
"rule_name": "Deprecated - Container Management Utility Run Inside A Container",
"sha256": "dd5a08e03197da48709653f75417252ff3f50846d7c1925b2b9a6880fd5489cc",
"type": "eql",
"version": 4
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "545b3d224a0f1f8ebeb0d9f6ca6077c60c57b650d6a3daa51b4a8b30de55da39",
"type": "eql",
"version": 109
}
},
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "7d551332f1288a1e8d53bccfab142a72143c5e61a950b05be6f4f8711ba883c5",
"type": "eql",
"version": 309
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"rule_name": "GitHub Repo Created",
"sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126",
"type": "eql",
"version": 204
},
"6cf17149-a8e3-44ec-9ec9-fdc8535547a1": {
"rule_name": "Suspicious Outlook Child Process",
"sha256": "ccbb9744b4a8108d543d3dfed5c57e1c0ef457154ba3e50c9637f165f3345b7b",
"type": "eql",
"version": 1
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Unusual Process For a Windows Host",
"sha256": "a84737464ef6658f7587d12e88f77356e079d797986616813ffb6be47e2abaa0",
"type": "machine_learning",
"version": 112
}
},
"rule_name": "Unusual Process For a Windows Host",
"sha256": "557a4432fcdb67fea0e8dd2558d19664cf507405b6db1317a0c399e9808e851d",
"type": "machine_learning",
"version": 212
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
"sha256": "731a803c9a47cb0804d071217c48070afb14657b649da32fe8e6b1c19f24731f",
"type": "eql",
"version": 6
},
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
"rule_name": "Root Certificate Installation",
"sha256": "f253848012c90e8fdcf02df03d40dbb169248ea5c7555e85d439610392aa81ee",
"type": "eql",
"version": 103
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "3e70cb8e8c6dafe24f60de10cdfcbe05df8d323ef0caf42790714990ebee78c0",
"type": "new_terms",
"version": 9
}
},
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "5c822663f4adb4fbe774488dea9f1151737198a06f47eee9a57d3a0cb174fc52",
"type": "new_terms",
"version": 109
},
"6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
"rule_name": "Loadable Kernel Module Configuration File Creation",
"sha256": "55651a72478c93e332ffd43ceed7bb57e098fd6549e20ff56ce66ede80a49a75",
"type": "eql",
"version": 2
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "aa536cbc660cc56dffc7bd3cbb4098aacc6c96df9edb4d4dbe8f33414448b4d3",
"type": "machine_learning",
"version": 109
}
},
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "f51d97afdd1733e5fc284af1e741adc641483e82eab7f5fefd10f0447b2654d8",
"type": "machine_learning",
"version": 209
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "AdminSDHolder Backdoor",
"sha256": "43aaf38f234d7186a1f9dca4f91a364e5afa675e3cade497946daf63f3b20ada",
"type": "query",
"version": 112
}
},
"rule_name": "AdminSDHolder Backdoor",
"sha256": "6e6ec5cdbeea619a81df6a042f482c3b30c3e7c536872c640acea2464572e55d",
"type": "query",
"version": 212
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "b756d838cee35d2d74c87c1eb59757651ef01aea7dbb08271cf1d89133465583",
"type": "eql",
"version": 209
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "736e277394bca054547364d6d99541019679fc36129d52d20115c635cea06701",
"type": "eql",
"version": 110
}
},
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "8c0b8e6ae4907a14420c8dc8d06917470f29f360f9604118f6220115e981bef3",
"type": "eql",
"version": 210
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Security Software Discovery using WMIC",
"sha256": "6d179ca370610d0b32e8d97afeb4610e7efea1ad82eefdd0c4d5eeca33d29549",
"type": "eql",
"version": 115
}
},
"rule_name": "Security Software Discovery using WMIC",
"sha256": "1eabbe231f6dd025a57eddc91f5f0ab86ba82b348af4ccf02cfd3cd114f7a38b",
"type": "eql",
"version": 215
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
"type": "query",
"version": 100
},
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "a1f2cd2fc7257d7c204df51ffec3d086f341240896b38551b8acc005408ce357",
"type": "eql",
"version": 109
},
"6f024bde-7085-489b-8250-5957efdf1caf": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Active Directory Group Modification by SYSTEM",
"sha256": "525d8781dc9e163d70a8889b89be269f79c5df5c44403c7e5d713b19ce001c82",
"type": "eql",
"version": 4
}
},
"rule_name": "Active Directory Group Modification by SYSTEM",
"sha256": "0bf67b434c4aa3cd9d1f354605959c5e1dffd1040f5cfa17fe20664cb2be546c",
"type": "eql",
"version": 104
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
"type": "query",
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8",
"type": "new_terms",
"version": 5
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8",
"type": "new_terms",
"version": 106
}
},
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "0168ef278b5ef3a471dd2b3d744d6a2a4c8e112b32f5c1af1e5c6c82a07c9a54",
"type": "new_terms",
"version": 207
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"rule_name": "Google Workspace Role Modified",
"sha256": "6de799b5422ffa174ed80888e29825c58384f7591ac7fadce324ff2fdce2a998",
"type": "query",
"version": 206
},
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
"rule_name": "Linux Restricted Shell Breakout via the find command",
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
"type": "eql",
"version": 100
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "b2f7ce631f07fd56f2182a2d89e94a7b72a8f17e0957f25048b089de04c78dec",
"type": "query",
"version": 210
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"rule_name": "AWS Config Resource Deletion",
"sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f",
"type": "query",
"version": 209
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "ebca825d8f82f3442cf31f625828e5423889ecb4f613cd0a3a06c3e0ca9cd8a4",
"type": "eql",
"version": 103
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "fe89abe29a8070ab4e00e31a6d1cafde62515321d21198ba780381a9cc87d9b5",
"type": "eql",
"version": 110
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "6d5f8124605ee8d89f23173accb268a0822ca4c9d19c6ee69a82b72a054b8c85",
"type": "query",
"version": 107
},
"7164081a-3930-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
"sha256": "cc0ed08e75b10ef23c81e0eaaeaa4a105adead987b36e625e56b5d3fd95293af",
"type": "query",
"version": 6
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "11a00101c170955ef44f1ca300cced85620dfde179c9eed8484b753c960993b4",
"type": "new_terms",
"version": 210
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 214,
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "021ab9fdaf96cad949b46c2810f09637e27d34d4870bb4544afe5e33d4fcc8fa",
"type": "eql",
"version": 116
}
},
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "25b753cd927ee68be264ce3804a09298ae399947fa04077161f80d8f6db87aec",
"type": "eql",
"version": 316
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "4465fa5b7551e881e3e5b66b1cfae96e4f8459191b87e2266b1fc1998c26d690",
"type": "eql",
"version": 111
}
},
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "d39c0a65fabb51bbd9bbf21cda120d03b4b1891934c8d8298addd7d3585b1ccb",
"type": "eql",
"version": 211
},
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"rule_name": "Suspicious Passwd File Event Action",
"sha256": "609588d90dbd2835f5c9b04e8df9212c06789c253c51493efddb47a5ca0cc201",
"type": "eql",
"version": 5
},
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
"sha256": "53f2d959afe1859d602b087186c2f25fd816ce59109d230336260a9d4c9c2985",
"type": "query",
"version": 3
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "eeedb6e75b8369f569e27869c6d1cfcc66b89f71b4869f6357e49a43538c980e",
"type": "query",
"version": 207
},
"725a048a-88c5-4fc7-8677-a44fc0031822": {
"rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
"sha256": "f61560b78b79c873453bce1b3947231b6df1c967d0f2a49efefd56bbfb7bfc59",
"type": "esql",
"version": 4
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "9a377a031cd4fb9cb9842837169396944442098d99de7fb295b107e286c332f6",
"type": "query",
"version": 411
},
"72d33577-f155-457d-aad3-379f9b750c97": {
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
"type": "eql",
"version": 100
},
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "4f3545b509cbd0e36f1170017de36ef566801ca5376fc194fef70bac179466cf",
"type": "new_terms",
"version": 3
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "172c7bb001f289281c519a30ba17e66fad2c3a149e5493bc5d33d6253730f818",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "06f872b67e1eb6c769298d8362435abcb5d3cbec2d6484e626e95d8d0eebaa6e",
"type": "eql",
"version": 205
},
"7318affb-bfe8-4d50-a425-f617833be160": {
"rule_name": "Potential Execution of rc.local Script",
"sha256": "b962ad63b2d98409b515c4dd3a06e95db517c9a7d1b13f171924c19dbaab563e",
"type": "eql",
"version": 3
},
"734239fe-eda8-48c0-bca8-9e3dafd81a88": {
"rule_name": "Curl SOCKS Proxy Activity from Unusual Parent",
"sha256": "be9bce91fdc93b4d4d344a66eeafad8e5ea7f5d9bd1b0fdea2aed5b7ba6844a8",
"type": "eql",
"version": 3
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "491014d84ab03e206e7acd9755d0269b2830a9b3f9c44913c29682c433c740a6",
"type": "eql",
"version": 113
}
},
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "46384078f361759cefe252f2ab0c88a0782b3c678d19dbdf8f572efaf67b2044",
"type": "eql",
"version": 213
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
"sha256": "44bbbdabf96190f26bace4b98f5c51ae42d1a21d7d1da27237875fa98e94a949",
"type": "query",
"version": 207
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "a93547b576fb979d332fb9489f405cbc02bb2c196fed5cc175539deb931873a6",
"type": "machine_learning",
"version": 105
},
"746edc4c-c54c-49c6-97a1-651223819448": {
"rule_name": "Unusual DNS Activity",
"sha256": "181dc50d849f55bfcf9764f49f182fed0798673d7fa5fbf72be7656432884240",
"type": "machine_learning",
"version": 105
},
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
"sha256": "f5789d775fa4739d37c91b2704142e6834659dfa48c0b2678871113ce335b642",
"type": "esql",
"version": 2
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"rule_name": "Suspicious Sysctl File Event",
"sha256": "d790d709f03bebac3ba27db548f318546cf856374beeabb46c5ced8ee2b2dab1",
"type": "new_terms",
"version": 108
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"rule_name": "Service Disabled via Registry Modification",
"sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a",
"type": "eql",
"version": 3
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
"sha256": "35c6e99bb87ba74e8ad015a7294177cb02da7be90c3c3eaeafcfc7be552d06f8",
"type": "query",
"version": 103
},
"76152ca1-71d0-4003-9e37-0983e12832da": {
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
"sha256": "6af358d3be4d9bb00ef30bfd0dbcf86a28d3137bb9860f1f4798f16b397ca98e",
"type": "query",
"version": 105
},
"764c8437-a581-4537-8060-1fdb0e92c92d": {
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "e909dade063ff13866c5e0f93e3c21f803087e12ab2fec4064af1a3dfa872729",
"type": "query",
"version": 205
},
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 111,
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "4d4b321e49dadb001df32d6acd71103bd41b71124f92b855ea4335c99dfa105a",
"type": "eql",
"version": 14
}
},
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "a481e442047e2b0adc22745dfd2fcc05baaec9637cbbde9e2dc5b3b8f7eb0c67",
"type": "eql",
"version": 114
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "1a48028da247ad699969d0714a5b03ca294e28d99adad7b3fb9ada639aca982c",
"type": "eql",
"version": 212
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "d7ae7c609b2c09df86e03eb23c9f3d9c19a114f3e9e69d99121828e0555ea7ff",
"type": "eql",
"version": 107
}
},
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "e1e295f294c6b07c1e080468d6318856c5ebf7271e5bac171df35c63b4086c15",
"type": "eql",
"version": 208
},
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "6a73b9f5864bb0ea366a745a9af576e7bfaf493b276693b044f5b5cd267ea68f",
"type": "eql",
"version": 11
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "bb7f0c41faf746a3298480bfc47800f229539f64b5ce87b3bf40574b2c3dca0a",
"type": "eql",
"version": 113
}
},
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "7b98f60a9095e9ab2e48250d69832e4648e68f34c1d3245986714e9962af987c",
"type": "eql",
"version": 417
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "e5462ca4e56f7f3ff1144cc8980d76abdfa350e122d9e02fdbc203194900825b",
"type": "eql",
"version": 115
}
},
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "92e73275ccad86dd30136bc621226630dc7342e41bd2362a9687ce807ef9be5d",
"type": "eql",
"version": 316
},
"77122db4-5876-4127-b91b-6c179eb21f88": {
"rule_name": "Potential Malware-Driven SSH Brute Force Attempt",
"sha256": "4afa072ed68e90305237cd0f8aa0ab67f7a60db42826cb74af1abf9bc161cfa2",
"type": "esql",
"version": 1
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "User Added as Owner for Azure Application",
"sha256": "ade0c6d9a4d9740cdb0024f7c02cc8b73775f63d9be285e4692d87bf29938f72",
"type": "query",
"version": 103
},
"7787362c-90ff-4b1a-b313-8808b1020e64": {
"rule_name": "UID Elevation from Previously Unknown Executable",
"sha256": "4c034f3a9c42c12be6b1a00041754822d517d75f23ddab914c20222cab8ebc8b",
"type": "new_terms",
"version": 5
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "11fdb1469f92140db4557f4b11369477cd9bf511578238a7b6db0f4a8535243f",
"type": "query",
"version": 105
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"rule_name": "Potential Network Sweep Detected",
"sha256": "8a5ac1cfde0137bfe0b77af8bf27366b13743380010886e1e856396bd10d0f3a",
"type": "threshold",
"version": 11
},
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
"rule_name": "Yum/DNF Plugin Status Discovery",
"sha256": "b945c19be36ede477ceb6eb65ff7fa6d2271d7458820139d0bdd9ad8b8633143",
"type": "eql",
"version": 104
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "7872d9e397306a241598eb6172a75adc0608f3f529798a8639c1e86810735b47",
"type": "query",
"version": 206
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"rule_name": "Azure Privilege Identity Management Role Modified",
"sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e",
"type": "query",
"version": 105
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"rule_name": "Spike in AWS Error Messages",
"sha256": "fdab7511f64935faf0bd44cb14c5924f678aa613944ed7ac1d07240a12cd401e",
"type": "machine_learning",
"version": 209
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "beba3270fb78600264fbe41ac386fb2d7c7f6877563ed96e2b7ca2778bbd1b7f",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "efd692c82b20a2d4682c25d2683573ec65e8729402445a561baac25768ee5d1a",
"type": "eql",
"version": 309
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "72e26fad3c7116c755452d191ead805897c3c1d5c1bb5f815f437911da14931d",
"type": "eql",
"version": 4
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "74064ff365e610605f23b1e89523fbb13694d5231cd3738b21ab8cf30c6d0e2c",
"type": "eql",
"version": 8
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"rule_name": "File Compressed or Archived into Common Format by Unsigned Process",
"sha256": "b1d168024b3a453b93f1e31cf146ca7287afc7386c503ff86dfd88c47aee5845",
"type": "eql",
"version": 6
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"rule_name": "Azure Key Vault Modified",
"sha256": "26a1c9c9ec61e57e11380743c01f25a54a74cb7f580dde50a1a6d9d43e4f537e",
"type": "query",
"version": 104
},
"79543b00-28a5-4461-81ac-644c4dc4012f": {
"min_stack_version": "8.15",
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "20eefdd9ff8232ef3a1fa07f945114c672d29e8d82279caa606c62c8b01eece7",
"type": "eql",
"version": 3
},
"7957f3b9-f590-4062-b9f9-003c32bfc7d6": {
"rule_name": "SSL Certificate Deletion",
"sha256": "7e7cc3077f9f831c4c0bf8d8d0cbdb3ab9244f904d9ecc9698a4a1790edb925d",
"type": "eql",
"version": 102
},
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "649ff4b679f9f2b569f73ad7717ac48ba0bc93da34b650a7bca46243274b37c2",
"type": "eql",
"version": 5
},
"79e7291f-9e3b-4a4b-9823-800daa89c8f9": {
"rule_name": "Linux User Account Credential Modification",
"sha256": "5a7f10051702f5e7d5df4a9ef87c46469937ea744d94bdaafe32fc0a69a892ee",
"type": "eql",
"version": 1
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "Potential File Transfer via Certreq",
"sha256": "c1f7d50618580187b015a4aadd76a9e484eb5bb8ce8143e052cb8118a678c4d1",
"type": "eql",
"version": 11
}
},
"rule_name": "Potential File Transfer via Certreq",
"sha256": "0622888a853c207510e5f9385fd4b78d4d47616cd4c3bc8b7fdb9e5bbd0260b3",
"type": "eql",
"version": 212
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "42853b04a39893088bdb0ebf5c479305c2f34e5352c3ccfa65ef5146efc6e8a4",
"type": "query",
"version": 113
}
},
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "af8023c96394cc43f92cf51e13e0cacc0d93158f5241c62ad651a238d3c617c1",
"type": "query",
"version": 214
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
"type": "query",
"version": 100
},
"7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": {
"rule_name": "First Occurrence of STS GetFederationToken Request by User",
"sha256": "3e8f2ecf0b50b7db1d4294ac9f9a788f8bf8790151183901e7829cca9aea5f20",
"type": "new_terms",
"version": 2
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "820246c1236dd2cdd3601e1dd0c74c5f936f40ed580c2ac2884e7170b3df6d97",
"type": "eql",
"version": 7
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"rule_name": "Potential Execution via XZBackdoor",
"sha256": "f4ad3bfdce432ca539259b7d6fb645dbb26546156be5e35d397775fdb01408ba",
"type": "eql",
"version": 6
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
"type": "eql",
"version": 100
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "1ba40cb9f4c5c384f4d6b52a76eab02c45e14d33eb930cccf3fb1c329c7455f2",
"type": "query",
"version": 207
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Windows Network Enumeration",
"sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486",
"type": "eql",
"version": 114
}
},
"rule_name": "Windows Network Enumeration",
"sha256": "344dca0a521891ded14c0fa6218e8d742b0d0c478d220c1433bf97273df3b42f",
"type": "eql",
"version": 214
},
"7b981906-86b7-4544-8033-c30ec6eb45fc": {
"min_stack_version": "8.16",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "SELinux Configuration Creation or Renaming",
"sha256": "7b361ea07b92064cb854e35573c5988af529ce6fb75a264cdd27ff53b0963e28",
"type": "eql",
"version": 2
}
},
"rule_name": "SELinux Configuration Creation or Renaming",
"sha256": "5760c0ff5525a18ed54b21f9e5b8b7b19658ed8831398454d1df210be1bbe591",
"type": "eql",
"version": 102
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "9abb27e289a572393ecc8c26044e5a71196cc1d77d152f84fbee7138251de7de",
"type": "eql",
"version": 209
}
},
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "bb2e07eec501f5e296c694526b219607dca9e18bad1a4d862fd1cab9bac5fe08",
"type": "eql",
"version": 309
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"rule_name": "Tampering of Shell Command-Line History",
"sha256": "886f6f210debfa8b2263107d6bb45787db17443c3f09f62bb792e44159dfdcd0",
"type": "eql",
"version": 108
},
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
"rule_name": "APT Package Manager Configuration File Creation",
"sha256": "5640fd704ed05c227cd8de85371a84f00b0f3086b3a976bd99359b15b0b4d4ea",
"type": "eql",
"version": 5
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "0f41d71ccff8430c3787790e46370c3451a3a92f2faa9b03993b8fba38aee32c",
"type": "query",
"version": 107
},
"7ce5e1c7-6a49-45e6-a101-0720d185667f": {
"rule_name": "Git Hook Child Process",
"sha256": "3aeeab0a9f9e1baa8c36a0d3aca397ac0be75278ca1a51b60022819bf9ea8cde",
"type": "eql",
"version": 103
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"rule_name": "GCP Service Account Creation",
"sha256": "30dc79af79c7ffd88c47ce8902032f7d4088dcc82f73f4da0070e14257270520",
"type": "query",
"version": 105
},
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
"rule_name": "AWS Lambda Layer Added to Existing Function",
"sha256": "1382999f7d36996f9608126c6608707d9d695dcd3298755443448a1d81c27ead",
"type": "query",
"version": 3
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
"type": "query",
"version": 100
},
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
"rule_name": "SSH Key Generated via ssh-keygen",
"sha256": "5a08a86502f4db05eca4b25e854f8f9be1f852325a962075dea70815aacf6764",
"type": "eql",
"version": 104
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"rule_name": "Suspicious Kworker UID Elevation",
"sha256": "b8c749e5ff7bf1d9f8abc6fb1344b7c34c95ed51c530c12986e3176da636d219",
"type": "eql",
"version": 4
},
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "1cc5185969e04329ea04aa4bf8d5d1e3a8d47fa9e0ac1f47e3012111ef6c91be",
"type": "eql",
"version": 6
}
},
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "1932d2c6a7574c3d3dcd32ba76e9193f88aa77d2be7e5591e0616b44a0172290",
"type": "eql",
"version": 309
},
"7e763fd1-228a-4d43-be88-3ffc14cd7de1": {
"min_stack_version": "8.14",
"rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed",
"sha256": "e03b56ad3cc6e1d81845996b6bf137225573011b20ba352bde3cfbb18e4479f6",
"type": "eql",
"version": 1
},
"7efca3ad-a348-43b2-b544-c93a78a0ef92": {
"rule_name": "Security File Access via Common Utilities",
"sha256": "6ba9893d93ba8852cad33b67e46d3ffda3bb3282cf04264efb77ba683e837231",
"type": "eql",
"version": 103
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "1fcee1562ccb772f6a7729303e250ead257201a219aa8ffee182b66f784076d3",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "a12e4767a30ca28c3ddc986cf3c77848cd65ddfce15fd96b7577dab2afff5122",
"type": "eql",
"version": 210
},
"7f65f984-5642-4291-a0a0-2bbefce4c617": {
"rule_name": "Python Path File (pth) Creation",
"sha256": "3e310759ffae8dd92e3b462c5c57e748a44ffeabbadd2510eda16addf05c84c7",
"type": "eql",
"version": 1
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee",
"type": "new_terms",
"version": 102
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "Systemd Timer Created",
"sha256": "d28a5fbf12cd038860603dad3a3f927b893dc2a624963063025cbec73932a4e9",
"type": "eql",
"version": 16
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
"sha256": "c074c4066439731cdb1ca074f41712d8139ba7383e854e9990c3f5fef99a6a9e",
"type": "esql",
"version": 4
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "1cb7f1b40b2b92807f7a8f322a6510de21f99c502327d83b1d2f5865b494e36a",
"type": "new_terms",
"version": 107
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"rule_name": "Unusual Process Extension",
"sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a",
"type": "eql",
"version": 4
},
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Potential PowerShell Obfuscated Script",
"sha256": "1106414c1ef42b911e2c96ae0a545a86614b9a568aa9742419c22b0a71a0e879",
"type": "query",
"version": 4
}
},
"rule_name": "Potential PowerShell Obfuscated Script",
"sha256": "f81754824afd09978cc7c486a795db468b2056bf7fad5883848582f85a47c031",
"type": "query",
"version": 105
},
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
"rule_name": "SSM Session Started to EC2 Instance",
"sha256": "d0cfe0f7d2abfcd56dc76d693aba0e8ff89281385360ae75a90446721d5e85c3",
"type": "new_terms",
"version": 2
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "f3e0f53c321d7760c971547d90245085ba16e37bb4a6cbbb16a17e495f180f1d",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "cd00aafb325b718b74940c08fcc167b018b79db66f6d2ecb94b54f5fd3a55d1d",
"type": "eql",
"version": 105
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"rule_name": "Unusual City For an AWS Command",
"sha256": "89302a4ee46c254ece373ba0f594ea3ca2cc108b88e04a312fe1372645a60fe2",
"type": "machine_learning",
"version": 209
},
"80c52164-c82a-402c-9964-852533d58be1": {
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "e29105d1b78b1286a5636c653ea518672e193131ac622f0f3ee2de7f1d5e5528",
"type": "query",
"version": 104
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"rule_name": "Unusual Remote File Extension",
"sha256": "f79f2ede08c18655e62fd70d2fdd42a914f43a74abd5019f7356324fbcd96f92",
"type": "machine_learning",
"version": 5
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc",
"type": "eql",
"version": 110
}
},
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "79d56380a744abb989063bf3baad2ba31b19b1d7ceb2de2be8234bf921051f81",
"type": "eql",
"version": 310
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
"type": "query",
"version": 100
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "efc3d78e44e73f61be6817f00d4df5af584ce5e02e96ca5fb45a45d84d771116",
"type": "query",
"version": 113
}
},
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "446a5437935aff86d9b2c78df79189e0201a991a36436313898a59f7706245e6",
"type": "query",
"version": 315
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "f3147338285b65e5fc2727bb5e244417230a438c509b93732c76fc659df7a77e",
"type": "eql",
"version": 10
}
},
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "4e4089ee80c9f3fe5c661058d288082e4d02074f2e92640bf2a14b63fdec41a8",
"type": "eql",
"version": 110
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "2f5d6142cc013635d4920ad40fbfb096e1071868dd0938460579946ebaa120b8",
"type": "eql",
"version": 209
},
"82f842c2-7c36-438c-b562-5afe54ab11f4": {
"rule_name": "Suspicious Path Invocation from Command Line",
"sha256": "c728415c613b2f36c5c323bb7c97a17891786e1986c6e4c9ea1b69e3d1500099",
"type": "new_terms",
"version": 2
},
"834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": {
"rule_name": "Manual Dracut Execution",
"sha256": "dbd9afc54fc7a771ed98faffa779d382c2b1962cedf84ec2dd45606550e37857",
"type": "eql",
"version": 3
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "04a9b7b77bc56377bc4686132f269a31dfa92ec833decf61aeb4cee3277ae5d6",
"type": "eql",
"version": 9
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"rule_name": "Azure Kubernetes Pods Deleted",
"sha256": "b04ed2cc0d2afeab9a1e5ce21f7ffe90acbd75940c93166660e2d41abaa39070",
"type": "query",
"version": 103
},
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
"type": "eql",
"version": 100
},
"83bf249e-4348-47ba-9741-1202a09556ad": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Suspicious Windows Powershell Arguments",
"sha256": "d97f88a21e5ef203f235aaa22174e05b7a3af6d503f8955c63fbad955ab56a5b",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Windows Powershell Arguments",
"sha256": "bcd9044616fb4c41c855119819ab2ed72243d4d248199226a9d6287def186883",
"type": "eql",
"version": 204
},
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "549c19f864332988b6fb45817a74e1dab49339388224f5b36cdaf30d80d21bda",
"type": "eql",
"version": 111
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
"sha256": "01513b5293f4ae3276aacd57b67b38b4957f57cb9447cfc9e4f4e580411b6677",
"type": "new_terms",
"version": 4
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412",
"type": "query",
"version": 7
}
},
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "20a8c64cf10a599a57a3f2adcde2cd11f433b594347d5f01e75ddc591af6b8cb",
"type": "query",
"version": 107
},
"84755a05-78c8-4430-8681-89cd6c857d71": {
"rule_name": "At Job Created or Modified",
"sha256": "b00d2ec654af8f1f110f648f4094160b9ef9e812d8eb7980b94e0879c40ad211",
"type": "eql",
"version": 3
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "559158e7c30d5871bbf29e70aef9a1d8def80199a6ab18a0f76d1363c713891c",
"type": "eql",
"version": 105
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "ed8b2a515385353dbfff6d484b45000dd49af48e2b5abc8e44406fa955d7225e",
"type": "eql",
"version": 114
}
},
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "0aeabad8b6360ffeb8fa1b4e1f3b623d7b0ade5cde31301f7321c1463ec7fa9c",
"type": "eql",
"version": 215
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32",
"type": "eql",
"version": 111
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "361cf289449891a5a01a599005a112612693f0528651e2fd44fd291e2fcf9481",
"type": "new_terms",
"version": 211
},
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
"rule_name": "Potential Subnet Scanning Activity from Compromised Host",
"sha256": "3ca0053a517e206cbd88cae6c14ed9398b99f6ee5021cef8d89c40b9a66ba4f8",
"type": "esql",
"version": 1
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "8c5a7758239101b15cc23eb4fb35a783f8e692ad99783c3801a074cdcd98e637",
"type": "query",
"version": 207
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "03916533d138f82d6ba43073f971d26e8c8fc154a5722bfb56b1bec42cb8f26f",
"type": "query",
"version": 207
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"rule_name": "AWS IAM Group Deletion",
"sha256": "aee9d293bce7b42db112f783b52ca95f4c163851cb39f56542873a0caeb9f9af",
"type": "query",
"version": 207
},
"86aa8579-1526-4dff-97cd-3635eb0e0545": {
"rule_name": "NetworkManager Dispatcher Script Creation",
"sha256": "183f75eab447dce4523d4f25e514acf26cfbdf05b137fd5a3fd9eb1b968d86ee",
"type": "eql",
"version": 2
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
"sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
"type": "eql",
"version": 1
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"rule_name": "Security Software Discovery via Grep",
"sha256": "d4773a9bd42acb66239348d5fe61bd9512fb95f50634dfbfaa1c8f42820b2b78",
"type": "eql",
"version": 110
},
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "f8c272cacf74e41908905fbe517ec45ff817e7a6f81d7a2cc3997687c84ad708",
"type": "eql",
"version": 115
}
},
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "b50e5bd6eb867aa0c8f17a52fb8f577cdd31f5d5f75f4be9e1d462d4222d22e5",
"type": "eql",
"version": 216
},
"873b5452-074e-11ef-852e-f661ea17fbcc": {
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
"sha256": "d1b4160bab5ee676bf3eab50efcb4bff6b9ca03017813d404ac83b5d429c6e77",
"type": "query",
"version": 3
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "5cb776ec175c443858372adf34644ecc3edc4f4123ab3f91796ab08fa8d0d162",
"type": "query",
"version": 207
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
"type": "query",
"version": 100
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"rule_name": "Linux Clipboard Activity Detected",
"sha256": "ca936e7322accdce60e6973d70b3e164506cb6fb04d87bbe28ee8f64c9eecff5",
"type": "new_terms",
"version": 6
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "23ada8e36279e7e1d4e063b07f108194166709b11de778959bc24e7eff2a55c4",
"type": "query",
"version": 207
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "8ac86f893c189972849c3353f5d53331a7a306c28b6f10c8bec469d634c86757",
"type": "eql",
"version": 110
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"rule_name": "Potential Sudo Hijacking",
"sha256": "67beebb88fd866d0c58a2785de107b2bf8f925d18bbbdd790906734f21a39f7b",
"type": "eql",
"version": 108
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "8809aba8865764ab7fa1c657c37778c6657378dc4f2cfb4c6127be5e794149ed",
"type": "eql",
"version": 109
}
},
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "53a213d8996a7876b24f56a45cbd4b7f95f660de24ee6058b95deef9899d84c9",
"type": "eql",
"version": 209
},
"894326d2-56c0-4342-b553-4abfaf421b5b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
"sha256": "e247d1c92d0054f5c3a3d6aa1d7d50053e63ec57610f92bf623e1c665d5fef72",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
"sha256": "097ecbe7691d20f9769066582286b7b4cf5089fcc6870e7167267a94faf759d8",
"type": "eql",
"version": 105
},
"894b7cc9-040b-427c-aca5-36b40d3667bf": {
"rule_name": "Unusual File Creation by Web Server",
"sha256": "8cae8e72cd21c891b3a56fb7489a1dd3047402b91600b8407a06bd207d353617",
"type": "esql",
"version": 1
},
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
"rule_name": "Linux Restricted Shell Breakout via the vi command",
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
"type": "eql",
"version": 100
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "14dc4752088817761b090bd9e818c960db21258c4ce1aff3ce6e86dbe199d127",
"type": "eql",
"version": 211
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Command Prompt Network Connection",
"sha256": "95c1cb5499a597411e4e3b7103680f9d8fb49cf5fc8cb6f354b9483142545adc",
"type": "eql",
"version": 109
}
},
"rule_name": "Command Prompt Network Connection",
"sha256": "f36e46aabd03a9e82d6e55f6c98dcd0a0f0ae620cd00b0ba0f21e7518a759e2d",
"type": "eql",
"version": 209
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "4eeb21145663f19873a7b259f2aedd9a858885571f911ca166304d52bf4a49d0",
"type": "query",
"version": 107
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "01e31da74d8f38ddf237a4320f398fef3afaf986bbf7a614926c91d52717f21a",
"type": "eql",
"version": 8
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a",
"type": "eql",
"version": 7
},
"8.14": {
"max_allowable_version": 206,
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a",
"type": "eql",
"version": 108
}
},
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "d84240158ef05b04877fc81e2d2f50edb882cd77a53b137f7598c54e84ca5879",
"type": "eql",
"version": 208
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"rule_name": "GitHub PAT Access Revoked",
"sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5",
"type": "eql",
"version": 204
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "SUID/SGID Bit Set",
"sha256": "79396b5a9e555f97305570bb4e88f328ca55471768c325f8cbfdec62e20c30e5",
"type": "eql",
"version": 106
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "cd861b1c03ef17e10978c9c1e342be58e0362cd9eef31c85cb7b40568cf5fa52",
"type": "eql",
"version": 109
}
},
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "ddcebc2310acf9c6471b9345d63edcd418123b3e163cca09175bc75defd47755",
"type": "eql",
"version": 209
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "47bcd8271a1bc8780152afe19fa834ab97946e9cba47bcb65d819e92b6625fba",
"type": "query",
"version": 411
},
"8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": {
"rule_name": "Unusual Command Execution from Web Server Parent",
"sha256": "2eb13bc908da7bb2301a0f62d0860956cb7aa1d99d970bbb6e6d6b32dfc428ca",
"type": "esql",
"version": 1
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Deprecated - Suspicious JAVA Child Process",
"sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693",
"type": "new_terms",
"version": 209
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "f2b61c3ff7a9e998f71f19335af6dfe69db48ae9d7098fcf270a3dc44ec4fb48",
"type": "eql",
"version": 106
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "79486f56c33d6afd1cec4fbf8dc404d0f0e9fc38b19572051d537f800d601ed5",
"type": "eql",
"version": 110
}
},
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "c15790a8f71b15dd684b959f65fa22034a2fafcf821c26c0a2771f727b0c088d",
"type": "eql",
"version": 310
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "91cdd11fc144f89b569a54e7275f2028a431bf4b3f898c924be4ca038ed1e1db",
"type": "eql",
"version": 112
}
},
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "5e8971df8497f0c448f35992264db5351dcb8c2fd6a7a53ed18fea0eec89b727",
"type": "eql",
"version": 312
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"rule_name": "Azure Kubernetes Events Deleted",
"sha256": "38bdbda8e1ba1c0aff2f02b3f46c2fc694a92e6a4dfc7244cc948c3e38dfc8ef",
"type": "query",
"version": 103
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "084b9ec33eedc1699c7dd2f8b5c81771300c6f944ca3fe5c5cfb7039b474cf43",
"type": "query",
"version": 105
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "911e718531c11fae196314f279f6f059a3a14dee38701be164c18c20a69be5a8",
"type": "eql",
"version": 113
}
},
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "867b10d1207fb72a4c80df7516090d981653a229fe0961a03d278b07a8e8b269",
"type": "eql",
"version": 314
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "dd976a4b62d0afc39c2d7af53056e456bfe88f3261cde76fa6df84e4948cafd0",
"type": "eql",
"version": 109
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "cf387e78a1d52b36974bd4933ef7d56730af702385f9a128c2d39cdbfe1334e7",
"type": "query",
"version": 104
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "fb77d08bdc9f8ec6a12b4b74458cdc27ffcecee0c8497e4268cd82cc72685eef",
"type": "eql",
"version": 12
},
"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": {
"rule_name": "RPM Package Installed by Unusual Parent Process",
"sha256": "528868f65a9cb81c8c4c131dd0d3f9550a95750bf358c31cf275b4585365bead",
"type": "new_terms",
"version": 3
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0",
"type": "eql",
"version": 3
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container",
"sha256": "88ade54075f60d3f7d6b81818ce258f39b487468f44dde8a70aaac119e397edd",
"type": "eql",
"version": 5
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "5c75901a24944ea9bb7731dfa441ca4c2e49cba2cc2cf98c4bf84dc0fb10506d",
"type": "eql",
"version": 210
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"rule_name": "Azure Automation Runbook Deleted",
"sha256": "b8c3f70d8170292a5f9e3cacb2cee9106f06c4c8f11a83ade3fec287cbf5aa0d",
"type": "query",
"version": 103
},
"8e2485b6-a74f-411b-bf7f-38b819f3a846": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Potential WSUS Abuse for Lateral Movement",
"sha256": "cc8123040408a5a7b8824468814a4a6152edc5a53ce52f8d4a21411633b35e12",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential WSUS Abuse for Lateral Movement",
"sha256": "523a79457ebd120192055f51dd87edc16265da30254315d5d7fda6729362e1a1",
"type": "eql",
"version": 208
},
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
"sha256": "428b39c4182e10ba307e2d107d34845ceae5b7f6f1e2f036872c3cf1d8cd70e8",
"type": "eql",
"version": 4
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Bitsadmin Activity",
"sha256": "96da24c5865af45e8f97dda18459a22901c821608d0882b14b8d21d20c5db1f3",
"type": "eql",
"version": 6
}
},
"rule_name": "Bitsadmin Activity",
"sha256": "b26871ba275b05a8a536baa79c0e3200e9624866b75d442ef29859ec0e3574f9",
"type": "eql",
"version": 106
},
"8eeeda11-dca6-4c3e-910f-7089db412d1c": {
"rule_name": "Unusual File Transfer Utility Launched",
"sha256": "f8716bca394f674cd16c413cffed7862bb3e4038a525c750adf70d3d2406ed09",
"type": "esql",
"version": 1
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "b3f6fd62337753431592f0b819d7b43364bec6c27449bda2d19dedddedc22d07",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "4bc16ba3becb47c564ddf8155c01f3fb0d4c5ede2cb27e19c359d7d715b65a25",
"type": "eql",
"version": 105
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "d66c39f3899393daf54a7c7c7bda79a52b0733a1e71b07e84a34707b1f8806bb",
"type": "eql",
"version": 109
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "fcce93128b54c854991bf62a7016a112b1eae5e6fa8d95fc7f0ce183c1695e49",
"type": "eql",
"version": 108
}
},
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "c4aa90522a7d5aa3b88d0036b85d17990ea683e84e7567bc8c9393ae0bc21e42",
"type": "eql",
"version": 208
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"rule_name": "GCP Service Account Deletion",
"sha256": "2f1fff6789d5ceaa58f36f5b239347b6b2b5b222f513b7cc186e20a943add449",
"type": "query",
"version": 105
},
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
"type": "eql",
"version": 100
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"rule_name": "Hping Process Activity",
"sha256": "fe079acfbd59f33d0829da92c4e2e587c3f846c53a875510463da0438f0c4a0b",
"type": "eql",
"version": 210
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "ca9ec7ec6260dfb4afd6121acdc3f0f01cf82233de4bd473e0a4832ea5cca846",
"type": "query",
"version": 207
},
"907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
"rule_name": "Simple HTTP Web Server Creation",
"sha256": "df11460970a3eeb111f933ea0c48401c916e8f2f9ba35b1c8595a215b624242d",
"type": "eql",
"version": 102
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "fb943bd48a4626d7013516e753159b40fdaad0d3f64f572bd223b2716a934d3a",
"type": "eql",
"version": 110
},
"909bf7c8-d371-11ef-bcc3-f661ea17fbcd": {
"rule_name": "Excessive AWS S3 Object Encryption with SSE-C",
"sha256": "8a707b2cfb834a2d23665ef675dd27767b712018c0644349a3554c04840138e3",
"type": "threshold",
"version": 1
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "InstallUtil Activity",
"sha256": "e5667b196187758d6237ff6bf5f23a6f6e1aeb96192193c9497c622982907440",
"type": "eql",
"version": 5
}
},
"rule_name": "InstallUtil Activity",
"sha256": "d3506c72c7907f32e455ea418eabeca0f6cba286dd09633a0ab16fa9b324c357",
"type": "eql",
"version": 105
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
"type": "query",
"version": 100
},
"90e5976d-ed8c-489a-a293-bfc57ff8ba89": {
"rule_name": "Linux System Information Discovery via Getconf",
"sha256": "68e536f0bf403b67ca5e6c131af272ded466e96597d6d4394eb00ccc60c05692",
"type": "eql",
"version": 1
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "139452a8b12f147a4c17f5b13922c44d88f841f111f7b4b06d4aebfd151c7061",
"type": "query",
"version": 105
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "eadf846c26261704cc3fd68f5b83bf44f04f3b41d1c3b6392df97969cd66a749",
"type": "query",
"version": 207
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"rule_name": "Unusual Web User Agent",
"sha256": "c52af5241e23b6ee752b9dc026a28a1aec7357c7f102ee305ad6447d3ea619b4",
"type": "machine_learning",
"version": 105
},
"91f02f01-969f-4167-8f55-07827ac3acc9": {
"rule_name": "Unusual Web Request",
"sha256": "594a91f74bae3a825e91e973e29f5c443e2bdedb09b4e759c751c5a25aa63b43",
"type": "machine_learning",
"version": 105
},
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
"rule_name": "DNS Tunneling",
"sha256": "1460c1764afdd458a0891c83634804634714ece5f9e22aac3ad9c6bb91cd4351",
"type": "machine_learning",
"version": 105
},
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb",
"type": "threshold",
"version": 102
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f",
"type": "query",
"version": 9
}
},
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "ce443a1e91f6122b9fe1c883d2642db0c14a654bf43b938bb85505d24adddda4",
"type": "query",
"version": 210
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "A scheduled task was created",
"sha256": "b1fa6b0fe20d2fd8ffedb8e8b14ef7d3b57c533ea32c88b2841028986b3bf6f7",
"type": "eql",
"version": 11
}
},
"rule_name": "A scheduled task was created",
"sha256": "249deafe81ed265426800418a9a92b7d725e73e8f846b33cbcc9f4055e6b220c",
"type": "eql",
"version": 111
},
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "b0a73c7ef98e6c64fd9209a4d9dd91fd447c52af2d20f698ea91c6b7221d922e",
"type": "eql",
"version": 6
}
},
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "9e98be89300ce747f2919cfb437c25751c974c69e9de7111a7de7a59bc9c493e",
"type": "eql",
"version": 107
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"rule_name": "AWS STS Role Assumption by Service",
"sha256": "dcc381b0ea011aaffc99fa2552210fb9bd8cfae3fcd9a246033831836d4f5f3b",
"type": "new_terms",
"version": 210
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"rule_name": "Sudoers File Modification",
"sha256": "c31135dc17960a856d35663ed054d09eab76047d10a86f30f4cf5b8ec1a7abe0",
"type": "new_terms",
"version": 206
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6",
"type": "query",
"version": 209
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "55c655f3c81ec5fc6d674e2429a40bd0ea00235f4ce1935765a26941a143cde9",
"type": "eql",
"version": 211
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "de92e4d989f9d5610e757c673fbdc4c456231b4ef81e7f4504698b6c264f9962",
"type": "eql",
"version": 110
}
},
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "35de6ffd8fbe84e6ab25ad60ed8b87c3a2cc1e96bff7daa9699c9e6123acbcc9",
"type": "eql",
"version": 412
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "3f4c25d945ad4aba614f5d74a31c515d8284fc201547404bee99658f5e3c7919",
"type": "query",
"version": 206
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "2915057dbeddaff7f8345d24e40dd53ec41319b7192a27d93e593ef5eee6a45c",
"type": "new_terms",
"version": 205
},
"94418745-529f-4259-8d25-a713a6feb6ae": {
"rule_name": "Executable Bit Set for Potential Persistence Script",
"sha256": "b5f2d2b732ed56124dc1f618c8aaa4a1b035b3af81246aca47b16d675c5888f0",
"type": "eql",
"version": 105
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"rule_name": "Creation of Kernel Module",
"sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533",
"type": "eql",
"version": 3
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "46c457a7a1a2443ebb06f362b2f728a3fa9ea4f0c6261d4bdc32a7de7e92ab6e",
"type": "eql",
"version": 12
}
},
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "3ca2f8aaffac020eba3dfe8981e8cac731522b3d81551575b2e84370c8c9c9e9",
"type": "eql",
"version": 212
},
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606",
"type": "esql",
"version": 4
},
"8.14": {
"max_allowable_version": 202,
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606",
"type": "esql",
"version": 104
}
},
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606",
"type": "esql",
"version": 204
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "e1f81d655b8ff56cdc39629ce72312cdebdea19e417e5d8a2f82631bf5a3bd6c",
"type": "query",
"version": 107
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "30e9709aa596d9469d905ec6593683478b4eeb9a2d40edb724b0c2e5f1ba6bd2",
"type": "query",
"version": 5
}
},
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "d44b1b9ef878285d8dd07da49ecf77844b4892d271d1ebd4ac6631939dd3857e",
"type": "query",
"version": 105
},
"952c92af-d67f-4f01-8a9c-725efefa7e07": {
"rule_name": "D-Bus Service Created",
"sha256": "f49342d2753a20175c2dbbc0a575357ee2a7bbc665af3267b73778f6270b6bcc",
"type": "eql",
"version": 2
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Remote Scheduled Task Creation",
"sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8",
"type": "eql",
"version": 110
}
},
"rule_name": "Remote Scheduled Task Creation",
"sha256": "555f7495d3ea6078d6af2f97c818cae349e64b883f0521ec5b62889f19a47c7a",
"type": "eql",
"version": 210
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "6dc0584fa3dc988eb1f19f71ae64b7dfdfded3c1db4e5a6a80bb43bcf8778753",
"type": "query",
"version": 210
},
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85",
"type": "esql",
"version": 4
},
"8.14": {
"max_allowable_version": 202,
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85",
"type": "esql",
"version": 104
}
},
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85",
"type": "esql",
"version": 204
},
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
"sha256": "433032becb5c8020450493b9158692e4e8e93ce81f820b25705231f2942dd2bc",
"type": "new_terms",
"version": 2
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "664d91c0caabcfe4dc2f59f70f0f2794d27fd6412090b2e38af73e4fe008def3",
"type": "eql",
"version": 4
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"rule_name": "File made Immutable by Chattr",
"sha256": "38909ad9aefb85b3686d7ce1ad51131ea6f34ac9a0f3636eff945237ca572566",
"type": "eql",
"version": 214
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Create Okta API Token",
"sha256": "72dc3ad1b6b20812a65c1e7f6cc607abd7f61572f341de9e3914d9355437b4e5",
"type": "query",
"version": 410
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"rule_name": "Message-of-the-Day (MOTD) File Creation",
"sha256": "d242e9b768158e113d5b497903704bcf3417ee47dc9240caed8322566a25a388",
"type": "eql",
"version": 13
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "c3a49d1a72ee8b083f42d9a80d3bcf96dad353cf2f1d2f4b1167a6236afc8780",
"type": "eql",
"version": 209
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "1a312776aa0b8db999e00c4e025deb6da554ec3738734de8d788a6e8c2d8b957",
"type": "eql",
"version": 10
}
},
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "fd2dab81de38537fa82851e66cba9cbe80121418b4151135a71506229f41bd19",
"type": "eql",
"version": 110
},
"9705b458-689a-4ec6-afe8-b4648d090612": {
"rule_name": "Unusual D-Bus Daemon Child Process",
"sha256": "047f6e5a12bc33a0db9822bfcc4d9532eb5bb20f261dc8d5d0a6b9d335db1175",
"type": "eql",
"version": 2
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "996edcf7b84f597c5b917b95706acfa718b8b78ac0fbaaa24a1c9a164374d32b",
"type": "query",
"version": 207
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"rule_name": "GCP Storage Bucket Configuration Modification",
"sha256": "a68596e0c8c08057fe0d449a485c3024b5c19a131d0f8e73a91070d52b2aa5e3",
"type": "query",
"version": 105
},
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
"rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container",
"sha256": "2d3f1fb31aed3137b4c66bc1c06f0b69ebd962020c11d14fad42177ba41d2319",
"type": "eql",
"version": 3
},
"976b2391-413f-4a94-acb4-7911f3803346": {
"rule_name": "Unusual Process Spawned from Web Server Parent",
"sha256": "65425366319a1036000c5b118c93b8838f7357205eb7f98d09811cd3d417fdac",
"type": "esql",
"version": 1
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"rule_name": "AWS IAM SAML Provider Updated",
"sha256": "15acaee88ae03f37d33254f0274ae68eeef32455fc96461fe20aefd88e49b24d",
"type": "query",
"version": 208
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 311,
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1",
"type": "eql",
"version": 213
},
"8.14": {
"max_allowable_version": 412,
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1",
"type": "eql",
"version": 314
}
},
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "31c83a49dd77cb7c92b81b820392ab0edaff0810927f55cfe52754a54a43a48a",
"type": "eql",
"version": 414
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "89aac019d039da3e9cc8d5a90ad24c527336df5dcb17667cd41e0bee861b36af",
"type": "eql",
"version": 114
}
},
"rule_name": "Suspicious Zoom Child Process",
"sha256": "8e2d7ddbc2af722c230fd0a23e1428cc5fb0493d0382e9e124410a5087628899",
"type": "eql",
"version": 418
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
"type": "eql",
"version": 100
},
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "d48ba745542ab8f019a9ce68e2eaab1e0710585d16c354744c59767f24e825ee",
"type": "eql",
"version": 8
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
"type": "query",
"version": 100
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "814a1903fe60035acd9815188db701fecb3cd77f622205487cbb5dcdd5895034",
"type": "eql",
"version": 114
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "9af59876aae930d88fa37449a4e391434ac253a1a3a68a7f19aa8142681af396",
"type": "eql",
"version": 5
},
"9822c5a1-1494-42de-b197-487197bb540c": {
"rule_name": "Git Hook Egress Network Connection",
"sha256": "c07414c56696bd71465558933f65566b033635cd7cf42419eb70a7695eddf4ac",
"type": "eql",
"version": 3
},
"986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"sha256": "701bf23c547307a946220bd3957b0adca6d9935dc5ddd0a2d59e97125e3cbd06",
"type": "eql",
"version": 104
},
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "8f278d6cccbc4ea629a93950010eaec7cf14434d52853ef5918623c532fa1fbf",
"type": "eql",
"version": 5
}
},
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "52f62bfbdb63f99ed6802e2dd419d04a89be011d0af0805d94a0e58280834400",
"type": "eql",
"version": 105
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"rule_name": "GCP IAM Service Account Key Deletion",
"sha256": "2df4707335bb89c170cda8fb27a189ca2e1da3b0a558637041354bc560f3c934",
"type": "query",
"version": 105
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "193707cacca422693c80b0f220dc512aceef3c53ab09b92a266c678eb5066f0a",
"type": "query",
"version": 207
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1",
"type": "query",
"version": 209
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "635f24d3547bdf9acf3c89fcf9ca0a208ab9c5728c280fb1ef000066cf7d0b15",
"type": "query",
"version": 104
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"rule_name": "MacOS Installer Package Spawns Network Event",
"sha256": "bd112fd50317c61508bf7617e01f08695c64588de6801c39f7c6bb6155cdbebd",
"type": "eql",
"version": 109
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 109,
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "f9bab10027d4eaff5c7cadc5613cfdfe2caf71917f01c2298779b3693e458905",
"type": "eql",
"version": 11
}
},
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "aff8ce3c97b8657b94418ecea700cdbd08933e40dae51fc4cac6978e212ebbae",
"type": "eql",
"version": 111
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 309,
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "d1a480f7832f8712d06096eb7dd3d5ff5ebd8c57a23ccb530abd85f8523c12ad",
"type": "eql",
"version": 211
}
},
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "c655401d4db3c1c8925fad88f4c58efa5897f96092a4eb5e5f39f19ee391aa73",
"type": "eql",
"version": 311
},
"999565a2-fc52-4d72-91e4-ba6712c0377e": {
"rule_name": "Access Control List Modification via setfacl",
"sha256": "265d70cfdc84fddd988dbe3b110c25de72fe374209a1e78e667c309c70c3b13e",
"type": "eql",
"version": 104
},
"99c2b626-de44-4322-b1f9-157ca408c17e": {
"rule_name": "Web Server Spawned via Python",
"sha256": "e40443f15069a79c93f3af2ef411178ce68866881149524dbc2a1822cecdc3ee",
"type": "eql",
"version": 103
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"rule_name": "Spike in Failed Logon Events",
"sha256": "ca08904de89887f5891bd0f501edc49c036372ce18d12a47f09c6dc211d1e964",
"type": "machine_learning",
"version": 105
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"rule_name": "Endpoint Security (Elastic Defend)",
"sha256": "30950c93c8eddc61c365791e8c2b74e80d7890fcc2f73f740c5eb9d5481f3b4a",
"type": "query",
"version": 106
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "4f561717a25dc92b70f5d5b880397f4622d3d9795ea086ac8c70373878c3bc51",
"type": "eql",
"version": 3
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "957303ee184b536fc22f9671dbb2ed19527c497f148615b01ab438db8d2d1748",
"type": "new_terms",
"version": 210
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Suspicious Explorer Child Process",
"sha256": "dd9f2215be389c33f7a237f9116f9ebfcdc92de051c6babfea314a2664c84bd0",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious Explorer Child Process",
"sha256": "e26c452a699c5910201336b89c6df67ad2e167129b2cad1f19a687282dc07362",
"type": "eql",
"version": 310
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "a89728e7de28de1f41f89eae6884b7434dbd8f948cd682f6a0621a4cd7027067",
"type": "eql",
"version": 111
}
},
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "bb1dc73390bf4205bc5518949d88f85a8ab64938716323d47e6c8a36817c07a2",
"type": "eql",
"version": 311
},
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
"sha256": "5261d7a8d3df0f503139f70be2c16478f9da435dcb45315321b70c9f0136c973",
"type": "esql",
"version": 5
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "17b30931a90a1e2a268c89b8ca1c50d33a9ad847cf40b03526748115fa47df6f",
"type": "eql",
"version": 207
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "1ca4124ab56004a70f6da7a9a4d37c4f17b4b6f6dae275a42b309b567ba942ab",
"type": "eql",
"version": 114
}
},
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "7813df08730563638f4d24c630eaa2b5dfa818903e6017334b38afc51984e497",
"type": "eql",
"version": 315
},
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
"sha256": "c58dfc5733f3e65bb9059316a9300d38db530be0527fd7e64e37af99dfd2d521",
"type": "eql",
"version": 6
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Hosts File Modified",
"sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2",
"type": "eql",
"version": 110
}
},
"rule_name": "Hosts File Modified",
"sha256": "6c8889d19257e8545d39010b01b1e721000f32d09695add926dd4b13d378b84b",
"type": "eql",
"version": 210
},
"9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": {
"rule_name": "Unusual Interactive Shell Launched from System User",
"sha256": "b351f332d2ee0c37576188cba134e30d7fc288887cfb5247b494162043ce2343",
"type": "new_terms",
"version": 2
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "16a3342d1003ae1b974b870f7a8388dbc7041f06704202c476621831405e4ad9",
"type": "eql",
"version": 11
}
},
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "13c9045416c8248f845b761d980512aab51c64c5413e295c18c59953eb5438e9",
"type": "eql",
"version": 111
},
"9c951837-7d13-4b0c-be7a-f346623c8795": {
"rule_name": "Potential Enumeration via Active Directory Web Service",
"sha256": "a5aa8f87141efb58c5a9fc040430072979a81838fc6185b652fc5d08cae05ac5",
"type": "eql",
"version": 3
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "97790052feabd6d8d92049481818933f920d5128b459958b23b4f454788e1926",
"type": "eql",
"version": 111
}
},
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "d16970d52f5665857e15296e8ce24758baf698ceafc64a1ac5355b5c221c2692",
"type": "eql",
"version": 311
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
"type": "query",
"version": 104
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
"rule_name": "Trusted Developer Application Usage",
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
"type": "query",
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 310,
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "c6feee8b5f84305767251a5980243998d9d4ba2743ad9874895791e3fa10e948",
"type": "new_terms",
"version": 212
}
},
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "c42cd52eb73933b7ba7eb1c1c25bfca2e8215a4e3c8f773c16584bfd38174c1e",
"type": "new_terms",
"version": 313
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "3bd8a686c90d2b907e79cb8d81ba383c30178ea847082f7fe1759d803be174af",
"type": "eql",
"version": 114
}
},
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "3c4a04e50ac49b7af2d68bbf893ab9bded4c25fdb56571258a632a4a4a0bc7cf",
"type": "eql",
"version": 314
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "1658b389087bc7cd6ee91ffc89a1714168b562dd44451d4c4d6f72702036b9a4",
"type": "eql",
"version": 114
}
},
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "ba5fd2330dd1b6032d2553050acd7351a5e7cd9c1f74152c0fc5a78d0732b6ae",
"type": "eql",
"version": 214
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "0bb18ca3b493310ba23b616de3d39cfba94773b53140eafec03abd781a5897c2",
"type": "eql",
"version": 111
}
},
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "aef7f15ace1ec416d8e85249577e2301f49840b905843d141189269d3f904f75",
"type": "eql",
"version": 211
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 313,
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "fdb27be4ce2b9a135b03186611685488a9d4a989738c3edd28687e83b9f7e349",
"type": "new_terms",
"version": 216
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "0a3531614c20fc9734ed5511346286cf1814c660d2dd86e7ca61b414d1052ec7",
"type": "new_terms",
"version": 316
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "6e08e0961e8712e3fa798614ceba20842f1fd9e78569f3efb5b0236bd2ffaadf",
"type": "eql",
"version": 108
}
},
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "93adb711b7a1ad99c4215e7623c63eeeb35de931e53749d3abbbe7aeb344d334",
"type": "eql",
"version": 209
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "bb77fb9e3e5e133ea5abdc232b19de4477bc18cba743881e80f0c4be6ac96c42",
"type": "eql",
"version": 108
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "4ce9e353cd70a52c2d7d94beb8a05952a35ff6c117689d5ce2d9a7da5af011aa",
"type": "machine_learning",
"version": 105
},
"9e11faee-fddb-11ef-8257-f661ea17fbcd": {
"rule_name": "Azure Entra ID Rare Authentication Requirement for Principal User",
"sha256": "5d5c0a0d20bb041e22f4d97a3c49b1e687c2381e75e1b707e7e85c4bae6c4b5c",
"type": "new_terms",
"version": 1
},
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public",
"sha256": "aad06c86f00fc49143d2b0b6c0f3b27380ed7eff0b3cf20193f5338fc2ea0a9f",
"type": "eql",
"version": 3
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "41e4276d49f03093af17d2254ee773f8643d1c0aa8b8ac61d01ccefd7bdc22e8",
"type": "eql",
"version": 212
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 214,
"rule_name": "Potential Credential Access via DCSync",
"sha256": "b5ad0d7ace8669b1eea8d9a58c38cb027d236901af048b6f308e8b921b7fb4a0",
"type": "eql",
"version": 116
}
},
"rule_name": "Potential Credential Access via DCSync",
"sha256": "a931d7b18207e55bd0c94cf0011568c27d08e2cfafba8ce17542ec209e78e426",
"type": "eql",
"version": 217
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "5d7f431713626a4dcd90230cc90a452231a2f4f09ce222c8f023205f6921b8b3",
"type": "new_terms",
"version": 212
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "7b2b92f74b503fc18cf5ef70b93536fbb877f88952c072c944b062b3f8f647f7",
"type": "new_terms",
"version": 313
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "A scheduled task was updated",
"sha256": "24db103856c5596c20cce21e7e92ea1d20a82b95691be3b31c7718f15984c193",
"type": "eql",
"version": 11
}
},
"rule_name": "A scheduled task was updated",
"sha256": "dd983fdaa73edf71a2cc567f3fa7189cb995df66ceb66751f6047036d45700ea",
"type": "eql",
"version": 111
},
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
"sha256": "fde760cc52775ecdc228f7f4fc26b42a1d1040d4732aa51f2942e21d16c00820",
"type": "eql",
"version": 5
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"rule_name": "GCP Pub/Sub Topic Creation",
"sha256": "2192b6dc1346c8016c7f7e18d0e4def61f38a7359cb4c665235f7c7a35d81646",
"type": "query",
"version": 106
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "009c0f45c6d544d656f91b1a17dc4ca36d2fa5cda90732b95d8cc0840b82684f",
"type": "eql",
"version": 108
}
},
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "3826d8c2ea0005de5c96f492c5dd896a58db738ff754a638c848dacf6514d220",
"type": "eql",
"version": 208
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"rule_name": "File Deletion via Shred",
"sha256": "6cf3281eed4a567e7fadf7e7a60a25d32be3683088852fd6cac2b340214c17d3",
"type": "eql",
"version": 211
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "5fa1a396391aee8e4f152b75cbd71a7944b0a4850e20e3496a5de3f463d46031",
"type": "eql",
"version": 110
}
},
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "2e3cb26c1d0f253e34915465fd896789a7056d7faeafad6435baa712f4d4358c",
"type": "eql",
"version": 210
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "60b4da3686af1892886ef1568adc3da363b41fa02069a8ad5f02c1f13fc5e375",
"type": "eql",
"version": 9
}
},
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "ab452a27753833a9982fac9a2797499691153c3fcc51357315acc246796bce7f",
"type": "eql",
"version": 209
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "1c1a346a5c44ffafc16e7a28a4703248527b03dd10eea79fe823ceb5a035ce73",
"type": "query",
"version": 105
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"rule_name": "My First Rule",
"sha256": "63fb939bf754aaa427be9132c2868915140e558a8c69ce185d547593c05ab4ba",
"type": "threshold",
"version": 5
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "93ac22092606053c77aa4f701b17b858a8cae516565cbcfb5a34494b5ade35e3",
"type": "eql",
"version": 109
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"rule_name": "Linux Group Creation",
"sha256": "6318c4dff530e8b0d50c646549d60a859ca4d6d4881dbcc94e3b5c26620390ce",
"type": "eql",
"version": 7
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "06f788f98600e28f36873cfa890ce266317a1b101169c481fb3099d9c0e35eae",
"type": "eql",
"version": 112
}
},
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "ad7b4900548730f045e3b58898846a5953e28138ddc81ea4b2cb5e8f7bc4f30c",
"type": "eql",
"version": 312
},
"a22b8486-5c4b-4e05-ad16-28de550b1ccc": {
"rule_name": "Unusual Preload Environment Variable Process Execution",
"sha256": "9e16a6d58c5f5a677f1cebc91183afdae5a7ecdfcce34207fcc6f62f65367152",
"type": "new_terms",
"version": 2
},
"a22f566b-5b23-4412-880d-c6c957acd321": {
"rule_name": "AWS STS AssumeRole with New MFA Device",
"sha256": "bfb7eddaa9656dc8832f4d1a089450b5b180a6620a1dd22d601c7bed17c286de",
"type": "new_terms",
"version": 2
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
"sha256": "5398047ac13fd35fd8a4c69163e2abbbb71741b093655d3a18a002c62544c722",
"type": "query",
"version": 108
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58",
"type": "query",
"version": 9
}
},
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "806757feca7a5f09ea78d6c4344a5b4961a51dbbd7c9779b0fa1d3e24e2f4087",
"type": "query",
"version": 109
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Execution via local SxS Shared Module",
"sha256": "c70b5b61b3ea697efa1bbf34aede51b77d26f0af37f29414c403967c589fa37a",
"type": "eql",
"version": 109
}
},
"rule_name": "Execution via local SxS Shared Module",
"sha256": "0411088910bff1036ccad0a0a7e3e47b669f970b76031d73843f1a6ee00aa168",
"type": "eql",
"version": 309
},
"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": {
"rule_name": "AWS EC2 Instance Interaction with IAM Service",
"sha256": "17e90233a68416b545e9ec60b945d558eea63b417eebcda8d046984ca667b87c",
"type": "eql",
"version": 2
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "286b04230e047bb8f027f8d352ff9cf1d299235a13c6cac5631f289389314181",
"type": "eql",
"version": 109
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
"type": "eql",
"version": 100
},
"a52a9439-d52c-401c-be37-2785235c6547": {
"rule_name": "Deprecated - Netcat Listener Established Inside A Container",
"sha256": "fd8969a55ab13b838a1e6d7c81ce6d0a88af0b34bec2c1e8ecd214505daf0196",
"type": "eql",
"version": 4
},
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
"rule_name": "CAP_SYS_ADMIN Assigned to Binary",
"sha256": "00f42d57112c89636c565a010538b148ea16560e48c7e77209ae4aea7966ac84",
"type": "new_terms",
"version": 2
},
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "dd7935aa4635611792001b36012fecabe2d6bbb0b7a8cc2f80a706b7bfcf659b",
"type": "eql",
"version": 8
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
"type": "eql",
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "9b292d485484c3753314bef6df52ec945933baa8293f6967b3f4a326ef8daa1d",
"type": "new_terms",
"version": 210
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"rule_name": "Azure Active Directory PowerShell Sign-in",
"sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372",
"type": "query",
"version": 105
},
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "c061bcef15efcf1c65649493512805d27d383b262ef29f1ee14d2c941e88724e",
"type": "threat_match",
"version": 8
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Suspicious MS Office Child Process",
"sha256": "5c80f53958876a026ffb64b1eeee262e9fc7df01ceba845b9e2d9690744fc22a",
"type": "eql",
"version": 114
}
},
"rule_name": "Suspicious MS Office Child Process",
"sha256": "a68523228ec0fc453c23646ced21d0b57a3417cebc9b74d4232992adf3b96a38",
"type": "eql",
"version": 315
},
"a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
"rule_name": "AWS S3 Bucket Server Access Logging Disabled",
"sha256": "b597402a792a29e82c02d56787dfb0088afb24fe4681fccf800ec8ff10a08a10",
"type": "eql",
"version": 2
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"rule_name": "Emond Rules Creation or Modification",
"sha256": "3ca5c9a41990306c9c1425b02dec89fd7cf7f677abf7544f50a0a7f6d894e9f6",
"type": "eql",
"version": 109
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"rule_name": "High Mean of RDP Session Duration",
"sha256": "16d442bb0e68cceb100b590cd99c27126094ef873e1557bc0494c33f672351ba",
"type": "machine_learning",
"version": 5
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "1a8db1f12af5f8f6acda01d02bf1f7858b64b591e8cc97e80b1f821fd01b136b",
"type": "eql",
"version": 114
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "f94eed7bd541165126c32c94597db40548996aafff6604d4461961c9daa182ee",
"type": "eql",
"version": 112
}
},
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "341a50ecd0f4ebb8543687abbf979227065c91bcd013a47d4f135107b26ecf89",
"type": "eql",
"version": 313
},
"a80d96cd-1164-41b3-9852-ef58724be496": {
"rule_name": "Privileged Docker Container Creation",
"sha256": "04dfaf2e0ab843431c44a2508695e0793ee75aea13aa78ee94a7c26e31c27c5b",
"type": "new_terms",
"version": 3
},
"a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
"rule_name": "Entra ID Device Code Auth with Broker Client",
"sha256": "3b36ca3385b038425d51a7e5ed4106e263b270fcfb2b2b3f080d747370eb1bc4",
"type": "query",
"version": 2
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "7af20755d35869e009f843fef6fb3ad74173f1f9d745b649a798002ecd3fb640",
"type": "query",
"version": 103
},
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
"rule_name": "Authentication via Unusual PAM Grantor",
"sha256": "7dc8a4e76f836a2dabc1f97682ff2a8788770c2df8b3c977a9a21e48600874bc",
"type": "new_terms",
"version": 2
},
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"rule_name": "Suspicious File Downloaded from Google Drive",
"sha256": "af6c29f7ca5a3acf5c0a9b81b9be7a3d630222ef6aaa8bd14ae44a6d9682248f",
"type": "eql",
"version": 6
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"rule_name": "High Variance in RDP Session Duration",
"sha256": "b10636c16f0df07435893373776847351520e760d2923c0ac25814bba42a51c1",
"type": "machine_learning",
"version": 5
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
"type": "query",
"version": 100
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "6388eaea93dbea69b2def246d3830353851466710a017a1b197cf97d811e445d",
"type": "query",
"version": 207
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "bfd3c37297fa730a13e90c0a7714caceda0b1c853fb40bf1f0137aa00f77bbe0",
"type": "query",
"version": 206
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "521b0deac4fa27230216cb8daf48bee86c9bbef64c5b0dc90d5dbd5acbb31f0e",
"type": "eql",
"version": 110
}
},
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "3408526e0c0dac93e7765ada0f10c56843aec79f4e3c80ff93f5afb3ec32e96a",
"type": "eql",
"version": 210
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "c5e9563513ceff85a4cd305b620e50b46d0abdcd6b749995b72d1dfe43f137f2",
"type": "query",
"version": 106
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"rule_name": "GCP IAM Custom Role Creation",
"sha256": "05234b27bd38c05a4148c880399948bb9f659dc2409c560ff2c17735d399fdaf",
"type": "query",
"version": 105
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"rule_name": "System Log File Deletion",
"sha256": "af1173cc43f540a885c1fe5ff3ca083ca2e96ae5d484216e8cafe707ef9ef2b3",
"type": "eql",
"version": 214
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Remotely Started Services via RPC",
"sha256": "c5ae21879f28fadb1daca353f3c354f8f96a89ebe15eb191af73bbe85a2e1b0f",
"type": "eql",
"version": 114
}
},
"rule_name": "Remotely Started Services via RPC",
"sha256": "470c7c8413962fc0f844e61a7bf6314d1a2eb8517d76b793b627d1ab6c0ee1cc",
"type": "eql",
"version": 214
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
"sha256": "b09c6bdf53c574bd6a13c29289040f6d39647434595c2ef5e908596c2f87e744",
"type": "eql",
"version": 3
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "dc906d8e338b0fba7e19f677e0f95691c4e1c94fab8b366f0f0fa007db2226e3",
"type": "threat_match",
"version": 9
},
"aabdad51-51fb-4a66-9d82-3873e42accb8": {
"rule_name": "GRUB Configuration Generation through Built-in Utilities",
"sha256": "6c9d7d72e70ba8fa7028586f7dd96f22a714aea37e9b6a748c48f4c2b84cf5bd",
"type": "eql",
"version": 2
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
"sha256": "78d447b3cd6a49ab7ac62b483ff04bd68e29310b28aacad89af526962847b961",
"type": "eql",
"version": 117
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
"sha256": "c58bc9bcee72af710a07f880ed3df3eceef229e97454f6ad449273d078b06c4b",
"type": "esql",
"version": 3
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "83e5654634806cf836873526072beb4a411dbe215b4be002f799dc0eb0866d82",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "62b3cce8bb0d092c2759ebc4697ef92d744a740ec8e418ac7370a52052d0d04a",
"type": "machine_learning",
"version": 207
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"rule_name": "Potential Persistence via Login Hook",
"sha256": "5b1015d4458273b2f101dd22674b7cc73970fd91015c91ed9c22fc5049ca1729",
"type": "query",
"version": 109
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Suspicious WerFault Child Process",
"sha256": "5a3182ca2012152d9bd5c912111d82b1f3214a893d6da8417d00cde83cc42f7b",
"type": "eql",
"version": 114
}
},
"rule_name": "Suspicious WerFault Child Process",
"sha256": "2093382d45530ceba2ddf764b031af27fef9087e0b6f90f1e6cb535a04e5798b",
"type": "eql",
"version": 416
},
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
"rule_name": "Git Hook Created or Modified",
"sha256": "0c1a8c2bb10aaf8e8c9dc4c3c70b9fcafe1230ffe0687aa31e5909bf176ee7e9",
"type": "eql",
"version": 104
},
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Outlook Home Page Registry Modification",
"sha256": "9e311415c8086b3934da0eeaa5ccac777e192f9c2c9953b705e3368c14fad664",
"type": "eql",
"version": 2
}
},
"rule_name": "Outlook Home Page Registry Modification",
"sha256": "cf576e47d585c50b59b5886c7f0802f74deb1e56177dc7478d66d1e3a7379fa6",
"type": "eql",
"version": 202
},
"ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "WPS Office Exploitation via DLL Hijack",
"sha256": "f0b9a400aad8092fd6bd78cf6124173e5d87d3a8d40fb37af54e7611a60734de",
"type": "eql",
"version": 2
}
},
"rule_name": "WPS Office Exploitation via DLL Hijack",
"sha256": "6d20396d3b2ba5db4a1fd80aca9c645d4b789dcb0d39161b5dfe9b1d4f1f216b",
"type": "eql",
"version": 102
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"rule_name": "Unusual AWS Command for a User",
"sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee",
"type": "machine_learning",
"version": 209
},
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"rule_name": "Potential Protocol Tunneling via Chisel Server",
"sha256": "989c58058784588cd22c236d0cc58394fe67e6f8df10a6f446381d5f6301083e",
"type": "eql",
"version": 8
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "73aa4e201e1220c47c689009c0c24f4ef6a0dcdab57655d7f25c5525472d28b4",
"type": "query",
"version": 111
}
},
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "e75ecddee03f0ecd4c9052ef2974471d669da03a7d25fd6c4c46ad39537304b6",
"type": "query",
"version": 211
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
"sha256": "1afdb4a51d22e7bbfd7e65b403f94fe84c4d5a15c4e64cf97eba18131439801e",
"type": "query",
"version": 207
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "c893c9924f303a60bf8cafdffaf2cd627c6fdaae221bd7469fe25ef355839d32",
"type": "eql",
"version": 107
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "0634c4cc8994181d8d803e1f8a015b27a0287326c7bbe72e41f6caabaec65771",
"type": "threshold",
"version": 109
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "71cf5c81124dd45113bcb530642c295387bd2b68ee1236cb2a3e8e2f0f0aca2a",
"type": "eql",
"version": 109
}
},
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "88a18ab3c5f799879b46bf994ced31f7d53b1188b29318f70d67e7f1fe7bc832",
"type": "eql",
"version": 310
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "ce99c263910efa69241137ea09accded8b37ab436213bd6a80d3c8736c01d957",
"type": "eql",
"version": 110
}
},
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "877b82511a776fabb258c7294666c134b9fe2720c4b3adb773f6332473caf911",
"type": "eql",
"version": 311
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
"type": "query",
"version": 100
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "6bf9bd74edf549ebf03a9335f3167e0a4f85aaeebdec0d566acfdbc16dd047c0",
"type": "query",
"version": 206
},
"ad5a3757-c872-4719-8c72-12d3f08db655": {
"rule_name": "Openssl Client or Server Activity",
"sha256": "075631e1ef46d21f816f96cd248fbd08db4840dda4f701989973b31ee3dc8dcb",
"type": "eql",
"version": 104
},
"ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": {
"rule_name": "Decline in host-based traffic",
"sha256": "0615c9d044eb7a81ca8254362ba850c6e3f29202d1fabfe3bc811b8b9149a05f",
"type": "machine_learning",
"version": 1
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "e36bc47e8ad58d550eb0511c38b7e7ebe9f68e088ec6215f78f7a2780d0f4e24",
"type": "query",
"version": 113
}
},
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "014ab6a9d47a402634c60580acfcdbc73e02eda99e30868cdb84bd27f75bfe59",
"type": "query",
"version": 213
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "fdb9bfb1476b606fed9fb9f5d813bd2649bbfeb1e82522dbab72f7f63e379c10",
"type": "query",
"version": 107
},
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
"rule_name": "Suspicious APT Package Manager Execution",
"sha256": "290226c3c245c0651561503b7e5851aa8176ccbb1907d504d82489d72d110b36",
"type": "eql",
"version": 106
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "c88c77cee5c1ccbc6718afa7c168a3a9e42405d8647f11cde44e6f0355fd5399",
"type": "eql",
"version": 212
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"rule_name": "Suspicious Communication App Child Process",
"sha256": "36e34a2abf002a55bb25f1d7c6333a2b2ab927c5e1e735f1ee9b1ab5e41b29aa",
"type": "eql",
"version": 7
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "946a500a38cf03cc2200ba5c9f94b883db01f72d046965428ba893157a5c0fb1",
"type": "eql",
"version": 107
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "e98a3d6c4df8d691ad52d2e09453788cdd9059b5d1d1417f8c27adb82ad82604",
"type": "eql",
"version": 6
}
},
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "6457c55cd14c40cf20aaa69545261b5acc6f52e94266a412cc7eae717c18f7d6",
"type": "eql",
"version": 206
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "baa6bc2ea280de9151fdfe8e52180a5e692bd39318a6d37a5177670803b9600f",
"type": "new_terms",
"version": 10
},
"af22d970-7106-45b4-b5e3-460d15333727": {
"rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol",
"sha256": "46f3600dac141091ef1e675e1b7fd1c5eb2710d472899b827c7cdb282a16771b",
"type": "new_terms",
"version": 3
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "dd77a39284b7f0fa3cdc5ce8819ff01ed6f11bec568d524431c32708f700d5a5",
"type": "eql",
"version": 6
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Local Scheduled Task Creation",
"sha256": "153a680562c2db766ddc13960ff0b1b1d40590dbbf944177fdb07680c4695cbe",
"type": "eql",
"version": 109
}
},
"rule_name": "Local Scheduled Task Creation",
"sha256": "1865a666788e5f1135f4e2809b5054429a200bcdac8bff00717593f7f3331386",
"type": "eql",
"version": 210
},
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"rule_name": "Network Activity Detected via cat",
"sha256": "945c79177caedcb32dc2e02903d14ac7208bc61607529c0123e9e3e044a4d555",
"type": "eql",
"version": 8
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "fae9c44d21f8e3be93ff74c05bb6b9d9484396579b5e29cb81402bd3ee84fa2d",
"type": "eql",
"version": 7
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"rule_name": "Timestomping using Touch Command",
"sha256": "f446d6a851c5fb5c1d8c57353f72923d40776727f9f1464155a7eb802e6a9d92",
"type": "eql",
"version": 107
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "c76e638ceb65578acea1d18f1415cffa579dd2b5922507665d774472de710a4f",
"type": "query",
"version": 107
},
"b0450411-46e5-46d2-9b35-8b5dd9ba763e": {
"rule_name": "Potential Denial of Azure OpenAI ML Service",
"sha256": "e06e9851654f73dc96d981f25bb9fe7241126b9b028623c499bea1026e7e7bff",
"type": "esql",
"version": 1
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Netsh Helper DLL",
"sha256": "ae6521e56ff6823f52f0061b21556a43efe712f7fd43485bcc1e437849bb0c4d",
"type": "eql",
"version": 3
}
},
"rule_name": "Netsh Helper DLL",
"sha256": "8b1858525694ec6e7adb1eb4300cdd4ad1e6e4721418a4c30ff5567d37ed66f4",
"type": "eql",
"version": 203
},
"b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
"rule_name": "Hidden Directory Creation via Unusual Parent",
"sha256": "cf1573124222ea0894d4b604d5b227b43a2853f0b399f63d080624ef5a1144c8",
"type": "eql",
"version": 103
},
"b1773d05-f349-45fb-9850-287b8f92f02d": {
"rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
"sha256": "0ec57bc339f3fce1eca49752d9517e31d376889501714169d4c2e86fc43c6d2e",
"type": "esql",
"version": 4
},
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
"rule_name": "Potential Persistence via Cron Job",
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
"type": "query",
"version": 100
},
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "Potential Network Share Discovery",
"sha256": "e984a3d3d48ac2c527b8cc9639ad36794477d63017e31f65023ddef04404f01d",
"type": "eql",
"version": 7
}
},
"rule_name": "Potential Network Share Discovery",
"sha256": "a59215d5f80a3d3ca3e4611cfe0f4266d000c7ac58879ddd30ba94193e0ba79a",
"type": "eql",
"version": 107
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"rule_name": "Spike in Network Traffic",
"sha256": "b3411c6b99d0c79d2fe1c0df6b34fe5c2a9866107f061e8bc8b9c5ae08a66c80",
"type": "machine_learning",
"version": 105
},
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "c8f3a33a1eda62ed530a6fc161bba9b0b5971ab42727c08f73a793be0b2199f8",
"type": "eql",
"version": 213
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "723230c66b898eb377542e469559e3654604ede32b8721af457c83afa144c4da",
"type": "query",
"version": 207
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "8eed8d54357b27cc75f72fb6d8bfbf8329b2bd2a0c09b43187d7132a3a6e195c",
"type": "eql",
"version": 109
}
},
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "7399a81fb47d057bd4c83b8a488b4fe9e614fe9fbca03daa78018eac37dcc058",
"type": "eql",
"version": 209
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"rule_name": "Unusual Linux Username",
"sha256": "2eb4c2399504f67ff666102ceed72f7d457d96362545c820950c951e0fa3c5db",
"type": "machine_learning",
"version": 105
},
"b36c99af-b944-4509-a523-7e0fad275be1": {
"rule_name": "AWS RDS Snapshot Deleted",
"sha256": "b66f1e7d1ec9f7028453eabcbf79b0a385bcd2f7f051b6c42fc560f604bf3ebb",
"type": "eql",
"version": 3
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "bb3314617957ebc4e0040f77083a7b5191ad7d4aac12c6f8e24d76b9157acc0d",
"type": "eql",
"version": 116
}
},
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "7619c7c7851d86a7c00dd33358f2a195e219abc5a71877a14e1d058f089679dd",
"type": "eql",
"version": 315
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "827b2e6312c74d28a9c2c605507eb0ece093b284e60e26bfc9107c6733929d1b",
"type": "eql",
"version": 11
}
},
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "8747c38dc0c5c1f095c574509b9f5f8f8559565e457678aa2382014c1f360627",
"type": "eql",
"version": 212
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "bdd06953c595a6c37482e67037eb72fb0d5301b42a5f4343e549c01b8c7cbb52",
"type": "query",
"version": 107
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "2f8c1a57650a8885345541c39bf72fc1fb21b8a10ac375920f107bc8110e7c76",
"type": "query",
"version": 207
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "At.exe Command Lateral Movement",
"sha256": "a1aa72dc7cf218498b4bd3cb3adceb831db178df81c7bcd254159323dda53cc1",
"type": "eql",
"version": 6
}
},
"rule_name": "At.exe Command Lateral Movement",
"sha256": "7bdc29998a4df28f2c5f145fb8616a73d22bd40857000f5ff345f304a82ece97",
"type": "eql",
"version": 106
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "7e95af47b812b851ff7c0d56818e3f8c2aa918a77fc10b771a33f6b34d47291d",
"type": "query",
"version": 411
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"rule_name": "Potential Privilege Escalation via OverlayFS",
"sha256": "d954b504b99dc10781bdb03b7b51829bd53063c410c19a509612b52841275d54",
"type": "eql",
"version": 7
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Clearing Windows Console History",
"sha256": "d42b2a9e2f10c1fcdb5ef9f4e61976c421ed73777e0d9e8ce2cf19cd049ea169",
"type": "eql",
"version": 113
}
},
"rule_name": "Clearing Windows Console History",
"sha256": "2c520e669cc319fbcea530b0ae4bbdb5e0957465b447349c216ff5b15b51309c",
"type": "eql",
"version": 314
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "efddb07094d4112b3fe52e056949b21c437249bb7173dcd0184fef80a1591834",
"type": "eql",
"version": 113
}
},
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "05e2efb7276a733c2adf3681d0ffd4d02f6b6f275d68f93d23b7bab0f37be852",
"type": "eql",
"version": 314
},
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
"rule_name": "Systemd Service Started by Unusual Parent Process",
"sha256": "632c8e11b721e5ec61820d811a8007bab97cc61f20dcaac08301345e24d0651e",
"type": "new_terms",
"version": 4
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"rule_name": "Elastic Agent Service Terminated",
"sha256": "fff06615434083388a264c460161ae05556bb720792b5e921a635a843dfd4739",
"type": "eql",
"version": 108
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "60fa1c1f92316dff5dbafafb8828c4493eb084e0a892fef14665afb65d337269",
"type": "eql",
"version": 111
}
},
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "972276704cff979323a1023ba183a94c4a7811ffb359898829ab87df4c85a032",
"type": "eql",
"version": 211
},
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "4e3ae75a438564e128dbbe0d7dfbb9db97cbd49cea4ca9c060dffec9d64e974b",
"type": "eql",
"version": 4
}
},
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "185217c47b57dc0e942f3d4acda3ec10d274848c91c1261ea8eadf3faec9e687",
"type": "eql",
"version": 205
},
"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
"sha256": "84cb2fa184205ec6c7b5ebef44c3cf43d7a24ecba9aec4c0f148e7a5973fe61e",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
"sha256": "ea54cd3fdb16046632a7a7a59ce1c225ff10aa9102c2044d0a293ea1b71c04d0",
"type": "eql",
"version": 103
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
"sha256": "cd16ad7a073247fc161d8c2ca330792ee681647ebcd1f37bb77fdc876df61cda",
"type": "query",
"version": 104
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "08c9c6276d365fc690a88084ebcbae48a7842785385a954b0ed862a4b2a174dc",
"type": "query",
"version": 411
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"rule_name": "Potential Buffer Overflow Attack Detected",
"sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3",
"type": "threshold",
"version": 4
},
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5",
"type": "query",
"version": 310
}
},
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "e169dafee56e838f29e144fabeded937b7f9b89958e3b1bd0ecaf6001a8cab9f",
"type": "query",
"version": 410
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"rule_name": "Linux System Information Discovery",
"sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61",
"type": "eql",
"version": 3
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21",
"type": "query",
"version": 8
}
},
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "654522097bfb8fcc73d4d0e47d8cd853307040171bb5ba29d706f26e17879552",
"type": "query",
"version": 108
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "07495ad3087d7d941d4ac6b44ccb6b4afffd0b7a10b6cd91e41dc91e2c8bf5df",
"type": "eql",
"version": 110
}
},
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "f6b6199880ad069f381932ed419cc9eb6a89a0bdd3a8643c23bdf0f8ec1375b6",
"type": "eql",
"version": 413
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Network Connection via MsXsl",
"sha256": "6fa622d8cf25c559993ee681c4c59fe4875676f7a1e75fae7f9837ae73c39837",
"type": "eql",
"version": 107
}
},
"rule_name": "Network Connection via MsXsl",
"sha256": "1d3c54055176ee07cd35f819d276249cbef1c3a9d0f0f4e1baa830336b20aaf7",
"type": "eql",
"version": 207
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Kirbi File Creation",
"sha256": "c10cf18764bba367c5dc4f521024dc94ef68710285c6f90a067c4237780913a5",
"type": "eql",
"version": 8
}
},
"rule_name": "Kirbi File Creation",
"sha256": "4657563a7e924aa8d3e22e93a3d7b63359d96a5f3fca0bcc8b2acf48620e8517",
"type": "eql",
"version": 312
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "58aa89bc163a9683f9b49afe3a23214fc5db86e93510a6cec8b716e16e93cbe1",
"type": "eql",
"version": 110
}
},
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "5279287a7c569096f588da6a81739ad2b52940bb1fde4b4cdfc5e18d4c91a8f7",
"type": "eql",
"version": 310
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"rule_name": "Chkconfig Service Add",
"sha256": "8be542194e5f7b449a76977f17589bb7036a11db9dd64f5714117a25453d652a",
"type": "eql",
"version": 215
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"rule_name": "Discovery of Domain Groups",
"sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677",
"type": "eql",
"version": 2
},
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
"sha256": "19d1c906ae5392003ceb75e3b5029ddbf145381cfd2a57fe149af0c098078bcf",
"type": "threshold",
"version": 5
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "afa94a71cd99d31b1c816a7710f3e00e86c7854df6db0f251d9194ed981a82b7",
"type": "eql",
"version": 112
}
},
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "0dbd728ccdee18242ce73777503e932ab66219ba7271621060c5b98633ac1107",
"type": "eql",
"version": 212
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "f57cf744c08b2c30cfaf68b8eab90b66771b4e188cc2fc6eb0f59f7e9a12ff6d",
"type": "eql",
"version": 113
},
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "30d3fcfb86a4c9e23c5563059dc2df4b75f106ceedf2a7f57f7731cb984430bc",
"type": "eql",
"version": 112
}
},
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "8448fdad37a26284d2c146a1c6f84be4345849b97567a3c0faf586e92b59aada",
"type": "eql",
"version": 312
},
"b9b14be7-b7f4-4367-9934-81f07d2f63c4": {
"rule_name": "File Creation by Cups or Foomatic-rip Child",
"sha256": "9e1dc7c6029f13f97226975ccefeaa350760e8b64f53830c0dc035cc458248e9",
"type": "eql",
"version": 103
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Network Activity",
"sha256": "cd715d2616e427081beaa901230dba625ab6c14e52d0571ae643a92f04c77435",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Network Activity",
"sha256": "006889f0bed32a73ed4d97e42325e7b69cd13e35ed45d30f6b58a091b6f54973",
"type": "machine_learning",
"version": 207
},
"ba5a0b0c-b477-4729-a3dc-0147c2049cf1": {
"rule_name": "AWS STS Role Chaining",
"sha256": "78203718bf9153ae050ec6e0c41b037e34f6916e09b6cfb0d771158a41500c71",
"type": "esql",
"version": 2
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"rule_name": "Kernel Driver Load by non-root User",
"sha256": "33f5ec32f53d28ddc67a858bea818290a2defa25dbb7487eca3dc127a6b2c2e9",
"type": "eql",
"version": 4
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "998cfcfee5231e24bd5fb08c5921e0c9915f8d4b9db65d1b7daaa574cbf601af",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "bf12d588236251e2feda39ddb4621aab72de0d06c0cc78366cfb8cde48293fc9",
"type": "eql",
"version": 210
},
"bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": {
"rule_name": "AWS SQS Queue Purge",
"sha256": "5142cc67f154e6eca142e3365f66a98511c0ea7276fa784ece159df9c9204371",
"type": "query",
"version": 2
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"rule_name": "Azure Resource Group Deletion",
"sha256": "ee0a9985f47c61b4899e6db0ffb46a7ecbf7889137cbc89ba4af8a83b184591e",
"type": "query",
"version": 103
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "38ebab645d36ccdb700fab60ae741b7fc1fdcd857893d3f9a8bd8d8104af6e69",
"type": "query",
"version": 207
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"rule_name": "OneDrive Malware File Upload",
"sha256": "b6bae391783faf8fddf063267243569a829caea469887045e326ef63f991dada",
"type": "query",
"version": 207
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"rule_name": "Potential SYN-Based Port Scan Detected",
"sha256": "ca7cb850b228b5d6ab6ee6f7893e1bb49c6b1e24498299ac9177cafe74cf64bb",
"type": "threshold",
"version": 11
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "d2591be6119e7fd59bceea00f9241d1477bfca0672c2bddffa9aa118eba5e5a5",
"type": "query",
"version": 208
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"rule_name": "AWS Root Login Without MFA",
"sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157",
"type": "query",
"version": 209
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"rule_name": "GCP Storage Bucket Deletion",
"sha256": "0e92d2b35ccf8e91dbd05bb2cf976add13ed7c2ebe9e7b8f3a14e6ba4423ddfd",
"type": "query",
"version": 105
},
"bc0fc359-68db-421e-a435-348ced7a7f92": {
"rule_name": "Potential Privilege Escalation via Enlightenment",
"sha256": "7251fa979518f7ad95fffc7dee8b43ef1241f223f154ca62644fd6a9a03d5d82",
"type": "eql",
"version": 4
},
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"rule_name": "Attempt to Install Root Certificate",
"sha256": "ca00d2bc624c0e0eb4f4138104ba3f44baf33fe7d37ef8b693d45c8809e8f686",
"type": "query",
"version": 107
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"rule_name": "Azure Conditional Access Policy Modified",
"sha256": "585daba14bfe511045ed1f9225e2c8ef3004686898d5598678574811ce335190",
"type": "query",
"version": 103
},
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
"rule_name": "Potential Non-Standard Port SSH connection",
"sha256": "af251fd5a27dc1da60e95a6f5bd4dcf2a8651ea1becf053232e00e667f4eaac8",
"type": "eql",
"version": 7
},
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"rule_name": "File and Directory Permissions Modification",
"sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139",
"type": "eql",
"version": 2
},
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
"rule_name": "GCP Service Account Disabled",
"sha256": "e63ea7699aec49aa63199a96c6f12b53d541b10b9035007f16c27383a357cd39",
"type": "query",
"version": 105
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "4c0f453a7ee9fec7e8d4245344823941109f187ed0b227e6556e050122701cdf",
"type": "query",
"version": 6
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 214,
"rule_name": "PowerShell Keylogging Script",
"sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e",
"type": "query",
"version": 115
}
},
"rule_name": "PowerShell Keylogging Script",
"sha256": "0f29bd06ba330170b8afdddc3f4b34a22926ac6b7ad0ed8cb91586055464778b",
"type": "query",
"version": 215
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "1a4b9e6b364c8dab7b70af95029c1837cef25faa14161bce57283c750b0f6c1b",
"type": "eql",
"version": 6
}
},
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "e90bca644b9c4deecb5cb69654940894035152e5ce6d74f3c45b3193ff56aa8b",
"type": "eql",
"version": 107
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "e65486c1eace3f2cba2f77b32a8523d31ee20a81635805ba14e9344aff57dabc",
"type": "eql",
"version": 109
}
},
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "f993d429934670b2858130841325ed6efbed63e48d06218e4b98f59688c119b2",
"type": "eql",
"version": 209
},
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "3631d09f36db2837c95c7275f4a50e82f4de95b0d0073c8f8e590b4962170e27",
"type": "eql",
"version": 9
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "ca3c535c19bcb70517a067c7f2fee45d4cda7183c15f51ff65edc5558f9180d4",
"type": "eql",
"version": 111
}
},
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "c81455cfc1549f0c20acc4d63b70b45f4a82f73a2589aa193d0eae48dcbc4fd4",
"type": "eql",
"version": 211
},
"bdfaddc4-4438-48b4-bc43-9f5cf8151c46": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Execution via Windows Command Debugging Utility",
"sha256": "b7d2b3d62bcd3f5f072a3d0eee1d7ffc41c8ab186328c6e58ec190d567786da5",
"type": "eql",
"version": 3
}
},
"rule_name": "Execution via Windows Command Debugging Utility",
"sha256": "7fd0fad617863a3fa3b7d26140f49d61db07e3841a2112fde8231db1a9c55ae3",
"type": "eql",
"version": 105
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "a2ccf5e3e960c49d64850d992659f30b31d2b4619143f6ace9586298ada41e55",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "9b8577a62bbfbbcec6a5aba3c11a4d4901222b6a7403c548c74dda4a01e5f84a",
"type": "machine_learning",
"version": 108
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"rule_name": "Unusual Remote File Directory",
"sha256": "02fd93eaee629a0cd91484e1809579b28f142b07255c4e850b358d3255e40870",
"type": "machine_learning",
"version": 5
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "b92d79f08cb700838477ef425e6e82c0645fa7621fc8db3acfcacbe1b383f49c",
"type": "eql",
"version": 113
}
},
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "7b9b7c2ada7e7e5ed1ccf83734701f53aa579ce4df309fba3aacddb16a8eb9fa",
"type": "eql",
"version": 314
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS DB Instance Restored",
"sha256": "5ed9f6f791ac753a0f0fa1e54b8d921e255e589b1e837cdbd454b8d4cd6703a5",
"type": "eql",
"version": 208
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"rule_name": "System Owner/User Discovery Linux",
"sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df",
"type": "eql",
"version": 3
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "ea23ea39e92ba2c5aa62c8b58b895f5fc1b9ed7e1645e2d1ebdf6f94725f24de",
"type": "machine_learning",
"version": 5
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f",
"type": "eql",
"version": 113
}
},
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "c192bb9bb98950970b96a09228a47f17bdfee85d936315b127f88960a07f9fa9",
"type": "eql",
"version": 214
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "efccc933a855ee7479813c356075dc5067945c868f9705b24f4d1f0c726ee2d8",
"type": "eql",
"version": 109
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "7e6ca9dcd52afbbcb0b9a55e6aa6e2769fa1ec0eea2be911c612512a3d980c07",
"type": "eql",
"version": 111
}
},
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "b27fd36d7d58fc1103502201694ebb4f9711505eb7be212b1970a49aa4018803",
"type": "eql",
"version": 311
},
"c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
"rule_name": "AWS IAM Login Profile Added for Root",
"sha256": "260baba4a026a272e648f568530059f1eea3a4f0c91f0895da0a4110d7f684aa",
"type": "esql",
"version": 2
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c",
"type": "eql",
"version": 2
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "a4ff1c4f9d920c7e68294561498fe4fed983eb988fb9f5f2b48394a7deebc588",
"type": "query",
"version": 104
},
"c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2",
"type": "query",
"version": 3
}
},
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "c69692ff49a09d554d7fc41a0fd751809ead60f0421d0cbc79902c7dd1b8350e",
"type": "query",
"version": 104
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"rule_name": "Suspicious Renaming of ESXI index.html File",
"sha256": "78b79becec80ebf3f377fa653549e66e920fe229147831d6c1d1b2951472e9f3",
"type": "eql",
"version": 8
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "ae318338980158a5279e376699053252b367bd3ad4618eeec9bd5f9d18ca9749",
"type": "query",
"version": 207
},
"c1a9ed70-d349-11ef-841c-f661ea17fbcd": {
"rule_name": "Unusual AWS S3 Object Encryption with SSE-C",
"sha256": "09eddb777e0307dc89b213216a823e5738d30d3f32b0e08e3e15669b35ade078",
"type": "new_terms",
"version": 1
},
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
"rule_name": "AWS EC2 User Data Retrieval for EC2 Instance",
"sha256": "d6549a9282b2ef25313f167c7193896b02cb13efe287b26ba00e59de84647195",
"type": "new_terms",
"version": 3
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43",
"type": "eql",
"version": 102
},
"c24e9a43-f67e-431d-991b-09cdb83b3c0c": {
"rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
"sha256": "90eee60fa4fd3963cbc29c1f58b1675616c99e865e1ceacd168802b7df454d85",
"type": "eql",
"version": 5
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "fc1b233c930cf034d1c534a92b4ee42fffb15b398da01bad0b93741527b11b4d",
"type": "eql",
"version": 113
}
},
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "d68e0ca9ae67ed1ba16a2c62ee6dca41fa25ad178352a45fb29e08d0920c6c66",
"type": "eql",
"version": 314
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"rule_name": "Unusual Linux Network Connection Discovery",
"sha256": "8d8ee64704769447bf2d40b32ebb9e6d6425a52106d8fb1761fdbfe190f269a5",
"type": "machine_learning",
"version": 105
},
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"rule_name": "Persistence via Folder Action Script",
"sha256": "1e3d55ef91312f613f82e6c75780f14ca18d2bbefc4be9a309ed5bbfe21c3d15",
"type": "eql",
"version": 109
},
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
"rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
"sha256": "1dfc00c13d00b5a4452a22ec0f06ef4b2f0689891e18550018c35a8059f89e88",
"type": "eql",
"version": 4
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Mshta Making Network Connections",
"sha256": "1df29ad5d0ca0a28702b68944cb3950151ce264faeed1d0cac6cdc59be122b4b",
"type": "eql",
"version": 109
}
},
"rule_name": "Mshta Making Network Connections",
"sha256": "35ebb1787e73b188c74759108e7580f588b69fec28e602e40297dbe2e08a1709",
"type": "eql",
"version": 209
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "cadcbc3ef71a2fdf85c7b7666569914967f3b8045422bfb42a860c4aa73358ec",
"type": "query",
"version": 104
},
"c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": {
"rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters",
"sha256": "18af645751efdccc31b367d06c1f9221851668fc7dabdcc02e9be3bc6d1268f5",
"type": "new_terms",
"version": 4
},
"c37ffc64-da75-447e-ad1c-cbc64727b3b8": {
"rule_name": "Suspicious Usage of bpf_probe_write_user Helper",
"sha256": "783dba9bf2adf9672499975f28ca2c251157407146f529383f27229b8b03b597",
"type": "query",
"version": 1
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "2f351a320cf7736fa0382f0a514fc587d7a9a6e9df3e0fa798996b1378845e86",
"type": "eql",
"version": 109
}
},
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "aadadca71e75e01e994ff9148f368bfd7b277c1ddfdae04d6f9ea3aecf1e2ce2",
"type": "eql",
"version": 411
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
"sha256": "280e239c6b53224a5351f5f23e4f4660518500fe9da555ca1218ac45abb6caf5",
"type": "eql",
"version": 105
},
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "7da7deae7aaaaa19159214551ee72b6c0cf82a2eca4ae8edb3eaefe8aa0a69a8",
"type": "eql",
"version": 113
}
},
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "efd529afc416fb90d5b3370adef9ee8b8e42b1a423035ef86d017b22629b1de0",
"type": "eql",
"version": 313
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "04b3ecf212987b57bdaedbb14a301b6f913473e5abb301dc94b6371c56d73567",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "1ad69e32d7a2cf3559f0ee82cc8620601c5d764ba5c054292e16e4f9e5953fbf",
"type": "eql",
"version": 308
},
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"rule_name": "Windows System Network Connections Discovery",
"sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4",
"type": "eql",
"version": 4
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "Attempted Private Key Access",
"sha256": "ca0b00b33c8214c0a733b6e9ab2291c4a4e2bc92103a928da8778c792f66d428",
"type": "eql",
"version": 7
}
},
"rule_name": "Attempted Private Key Access",
"sha256": "e6610e9bc8709d63404f439099e2274b94e6feaf5c4d781d3cba8797f41bb218",
"type": "eql",
"version": 108
},
"c5637438-e32d-4bb3-bc13-bd7932b3289f": {
"rule_name": "Unusual Base64 Encoding/Decoding Activity",
"sha256": "0a148e281a7113c56b07159b06c263d44a96451217b4ed1cfb60d2187f87efd7",
"type": "esql",
"version": 1
},
"c5677997-f75b-4cda-b830-a75920514096": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "Service Path Modification via sc.exe",
"sha256": "a2d3d1147504ad2b3c7930bba24c2055e523d84b2feeb737211417cb72d8eb56",
"type": "eql",
"version": 7
}
},
"rule_name": "Service Path Modification via sc.exe",
"sha256": "4b544e89f0c85e979ed5572561c0781ae88708e037117d8963541ef94eb070ec",
"type": "eql",
"version": 107
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "f23375e5d2e676c1e1abe448a171c858dc5ad2300e66ef5c599e7e8325cb3390",
"type": "eql",
"version": 110
}
},
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "71cec7c47c2c7d46230f68fe874142b0c1e36dec0aa4bec9023d29d4c4f23a15",
"type": "eql",
"version": 310
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"rule_name": "GCP Virtual Private Cloud Network Deletion",
"sha256": "ae48749a0c3d555094e1e400445796ffab2c7a22025f4ec856e582107747e9ce",
"type": "query",
"version": 105
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "7e9ee856f86f121f008eb8a3304b4955828d5b4d5333a47de3f36d478e0562e7",
"type": "eql",
"version": 109
}
},
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "0fc2faa2b6a15a4dcf2d5aa403a414c13d8d9f33fc943f74616e6d4f067d98a8",
"type": "eql",
"version": 209
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Installation of Custom Shim Databases",
"sha256": "e23bdb57b42ec1bbefbace5a408e8ede22db9bd8be59fae66e1ed6803db76173",
"type": "eql",
"version": 110
}
},
"rule_name": "Installation of Custom Shim Databases",
"sha256": "322920ea0c3accf1a5852f8ffd6d3e8861e45f262314f49ba54569768ea085f9",
"type": "eql",
"version": 310
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "4daab056bff3e4d5ae1ad7c4643448ae6fa836f83f095a5cc615f506cad68e8c",
"type": "eql",
"version": 113
}
},
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "ecf12cfbacf7d550b987fe63d6114222e641aeb764b32e4823d6c7712bc2c185",
"type": "eql",
"version": 313
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
"sha256": "693843ef15d63ac5a1119459660ea9638b60f814907ca37f1dad377b7ee0e382",
"type": "query",
"version": 103
},
"c5fc788c-7576-4a02-b3d6-d2c016eb85a6": {
"rule_name": "Initramfs Unpacking via unmkinitramfs",
"sha256": "e0db18142f2246b20e8ced81755abfe720896bdb3f739e08b18c4aab3a6a9f43",
"type": "eql",
"version": 2
},
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "67e77129c5ce0eb04df88c0d64d4f387ef1de59bc03f8d9e7eb11e9c050cd0c0",
"type": "eql",
"version": 115
}
},
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "d63b7af246369d52debf0c9e1196c9abfa1b1d3b7b127b2cb53e0bcf7587d0d8",
"type": "eql",
"version": 316
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
"type": "query",
"version": 100
},
"c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
"rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
"sha256": "5dc411adacd7845d2c32dfe1d1b08f2b7cfb75f5e07a9ca693f8b1050edb2fa3",
"type": "esql",
"version": 3
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "16dde6466f20cbc871b8fc349b4b46bb900cb9e48a0fd8eff6d2b4d73115074c",
"type": "query",
"version": 411
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "7079d9fbf68d6f1ce6eb93ce13bf93d12eb165900aa50027e2212ef5af7dd8f5",
"type": "query",
"version": 410
},
"c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
"rule_name": "Egress Connection from Entrypoint in Container",
"sha256": "ae093385db6c5f2043d8896e3231bad2eb9b222c41d58547015b4fea67e75a0a",
"type": "eql",
"version": 3
},
"c766bc56-fdca-11ef-b194-f661ea17fbcd": {
"rule_name": "Azure Entra ID Rare App ID for Principal Authentication",
"sha256": "7f59a80362f46d096681439f02d9aa46ace84ac2426f550b434733c6b1308ce6",
"type": "new_terms",
"version": 1
},
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "1cd890b963ab7a701f5a6c45943d20f22cb173ff36b6ca80955b13239be44860",
"type": "eql",
"version": 108
}
},
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "dad569a0e953afbb3adc4424aa091610da67d623add251f2f923f920cdba014c",
"type": "eql",
"version": 208
},
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "c02bd45f7127af6e3e516d36e39ddbf02d871d2d11196309d70a1b09b8e4d618",
"type": "query",
"version": 205
},
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "a3a91a39decef3a359f4dc95bc8be0401664ca49546b526ad694a3154ce425b6",
"type": "eql",
"version": 112
}
},
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "5055c42206d7d3df32f4241bed3b12ec940e263d0cf696d8de05ee4a4b71193a",
"type": "eql",
"version": 212
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"rule_name": "Spike in Network Traffic To a Country",
"sha256": "7e12650d2a7699b7d95e3bd4ed1a6ecf73e9dd59f940d81fea5fface3186e1a7",
"type": "machine_learning",
"version": 106
},
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "7b938e8a5930231c6667e1dfb87fafbc50238e0b6a32759a79dfff9a24132c45",
"type": "query",
"version": 108
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "9ee8e6d69ebda1834191eedfbf0049afb38007ac2ba4e7e9899fac953921aca5",
"type": "query",
"version": 105
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "SMB Connections via LOLBin or Untrusted Process",
"sha256": "0f889695cd8a152f7eee793851dc230ce7399798cd8ef6c49709ef3924b049f0",
"type": "eql",
"version": 114
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "ea18c1e7446051bed3554cc614f300bd88307747e1963a329a0971f9ec41562b",
"type": "eql",
"version": 106
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
"type": "query",
"version": 100
},
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"rule_name": "Parent Process PID Spoofing",
"sha256": "0dc688321ac70be1762f4deffdd16b19f17b750ce8b9dd956b7aa04592517439",
"type": "eql",
"version": 108
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "97321613219e385f7acbb0881364252165707eac788a1480b73ddad510b2c2d4",
"type": "eql",
"version": 12
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "b02f2bf5fccfed2accfb810dd6c38be499cc9fd52c4d23309848eb8170f374a8",
"type": "eql",
"version": 115
}
},
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "ef305abdbae7d8f1ecfb6ca40a4142dd81af12b9b5cdd154e063c7a98a5d8589",
"type": "eql",
"version": 314
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "e9d9ba83d54f62f31234ba17fcc63773d044a09d7ccbdfb8a1a86e2031ae84a8",
"type": "eql",
"version": 114
}
},
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "5e0e2e0eaa91c13f7ba154969ad792a7747c7a6c7ba3ea9093aaaf1d4d0ded69",
"type": "eql",
"version": 314
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "5532545b1d0648dc1414555d4be90a43ffb80fef68bc1f2e63af6b28990b4556",
"type": "eql",
"version": 7
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "99ae1a62762bf7d0262c79b33658fa930f597568a1ae9fc8331c333dfc91bbe8",
"type": "query",
"version": 104
},
"ca3bcacc-9285-4452-a742-5dae77538f61": {
"rule_name": "Polkit Version Discovery",
"sha256": "1daa21e6f3922e8216a3796c9b65d303920190bb2ffd847324cb55eff3517452",
"type": "eql",
"version": 3
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "f9d687c9e6c694138baa5bac44dcc183c2cb70c69a7580e14fd4188c01bedbba",
"type": "query",
"version": 207
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "ea099bf7bf302aa4eb27d5adcc8c2e0187e538d3b042ad83abdfaf4e869b5e3f",
"type": "eql",
"version": 10
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
"type": "query",
"version": 100
},
"cac91072-d165-11ec-a764-f661ea17fbce": {
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "17830a8c24378fb8ea0b2c0fd6b002089e0761f86d47ae0af127d74ec05489a7",
"type": "new_terms",
"version": 215
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "9cb65197a2a807ee18542e7b91472f606e5474f4bddf8b96b4ae78bf72a1a3d0",
"type": "query",
"version": 208
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"rule_name": "Suspicious Calendar File Modification",
"sha256": "dbf5167ff460dda688296a49e1d5d48d5f1d0f19ca621f413100a1cbb02eedb5",
"type": "query",
"version": 107
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
"type": "query",
"version": 100
},
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"rule_name": "Attempt to Enable the Root Account",
"sha256": "b89a2b2d3038c777d4599aaebf7e06253ae8c022cdeee090402de4e373b22654",
"type": "query",
"version": 107
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
"sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5",
"type": "threshold",
"version": 2
},
"8.14": {
"max_allowable_version": 303,
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd",
"type": "esql",
"version": 205
}
},
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd",
"type": "esql",
"version": 305
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "c81d5f537f0a2c406763b42d4ef5ef5a4bad745e4d41176ac84c5d34598e6c1e",
"type": "machine_learning",
"version": 5
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "8457814fe9b8ebb61a453ee3027bcd060740b1a39f87c180f5897bf3d8fbc861",
"type": "query",
"version": 107
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"rule_name": "GCP Pub/Sub Subscription Deletion",
"sha256": "0f342ddaebb8be170f8947b26bbf9976454a9609a3fab69ef43946340d965b1f",
"type": "query",
"version": 105
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 309,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2",
"type": "query",
"version": 211
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2",
"type": "query",
"version": 312
}
},
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "e077043096bb995208ae7655f2088f680ac0954e54eef38a732a21fbf54027d9",
"type": "query",
"version": 412
},
"cca64114-fb8b-11ef-86e2-f661ea17fbce": {
"rule_name": "Azure Entra ID Password Spraying (Non-Interactive SFA)",
"sha256": "6c701e58e1612d0491da0b3b77e57b49ef3688848d3a1110cfa3ed6f1210f903",
"type": "esql",
"version": 1
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"rule_name": "Potential Process Herpaderping Attempt",
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
"type": "eql",
"version": 105
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d",
"type": "query",
"version": 311
}
},
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "690e620924cf220b5b56c70024faf4279be53fcb1832f317bd52fd6b70db9705",
"type": "query",
"version": 411
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
"type": "query",
"version": 100
},
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
"rule_name": "Anomalous Linux Compiler Activity",
"sha256": "70003b5b25514505d843dd9aee62ca085795777f69e03784b7df399a89f5832f",
"type": "machine_learning",
"version": 105
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"rule_name": "Kernel Module Removal",
"sha256": "838080c3b478f8de7d167a575f607f38e06a9411041e29d5a0f3c8be72f1f054",
"type": "eql",
"version": 212
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"rule_name": "Downloaded URL Files",
"sha256": "4ea12333f42f437aa58e54d2644f3646936a8a5f93c6814a0ed2c67dff925da5",
"type": "eql",
"version": 4
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 310,
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759",
"type": "eql",
"version": 212
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759",
"type": "eql",
"version": 313
}
},
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "f642652974fc308178cf8b88483c24d61cae898a7b3b2f9e3254e4dcd182cb40",
"type": "eql",
"version": 413
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 309,
"rule_name": "Okta User Session Impersonation",
"sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde",
"type": "query",
"version": 211
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Okta User Session Impersonation",
"sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde",
"type": "query",
"version": 312
}
},
"rule_name": "Okta User Session Impersonation",
"sha256": "3aa673f1c0c34cebfc6e3e55a3be648b570843086b6289d22c44ef3c70ff4f0d",
"type": "query",
"version": 412
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 110,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "a02aef3d53b50e1841dd01ee25f506dc63a897f003265f8678ef3f82fa618670",
"type": "query",
"version": 13
}
},
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "ab4ec07b2bdd59f75529ab2b6f8e58098bad8f3f8a08c9e0b2261cf7500d3015",
"type": "query",
"version": 214
},
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
"rule_name": "Shadow File Modification by Unusual Process",
"sha256": "31811725296500b46a530f4167b50a90a1939a9a30ae575a5f1605db107c530c",
"type": "eql",
"version": 3
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14",
"type": "new_terms",
"version": 204
},
"ce4a32e5-32aa-47e6-80da-ced6d234387d": {
"rule_name": "GRUB Configuration File Creation",
"sha256": "cf29eec9c7946126d6e84a24c8c726e02c45cc182ef0dbc48dcb9b388761509a",
"type": "eql",
"version": 2
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "0d3af72ea1eb174dd4aa290ec7c8e3e240acb51358169eb0529e77b099a7dfca",
"type": "eql",
"version": 113
}
},
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "d60cc4622721041fc7781551bd3d381428fc01276aa7e8a1055f90a75d27b878",
"type": "eql",
"version": 313
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"rule_name": "Cobalt Strike Command and Control Beacon",
"sha256": "7917f89564301d83f5dcb2013db39240afa955863bc98f21a1016208a37ea998",
"type": "query",
"version": 106
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "f9935260008893683196e7baade711c8c71a9faf9ece159608690d70c3a3e57c",
"type": "query",
"version": 206
},
"cf575427-0839-4c69-a9e6-99fde02606f3": {
"rule_name": "Unusual Discovery Activity by User",
"sha256": "dafdfd21513074cd259693095b1481af24714117026e81c38a454cfa19780230",
"type": "new_terms",
"version": 2
},
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
"rule_name": "Trap Signals Execution",
"sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4",
"type": "eql",
"version": 2
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "4f9cf9d0307112c1578c481ffc975559438e8151e1dfaf9597d21d7a66cea7fa",
"type": "eql",
"version": 116
}
},
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "cb9333ce51666fab48bb330cb9fac7bda9376ec73b3a039aae1a81ad7a112a43",
"type": "eql",
"version": 316
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"rule_name": "Archive File with Unusual Extension",
"sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3",
"type": "eql",
"version": 2
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "e0b9b778b8c39963c3189778b579a80dba4ae66cc8cd73cf01120c8b0ffe0d27",
"type": "eql",
"version": 111
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"rule_name": "Deprecated - AWS Credentials Searched For Inside A Container",
"sha256": "b2a40d71fd9d37d3049115575c0b2fb19ff325ffd3ffd71b963d514ce7feb28f",
"type": "eql",
"version": 3
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "4bb55e1f7ac32a17597deba9c24186c785abfcd6953b10305a596ff29a27dd63",
"type": "eql",
"version": 112
}
},
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "0d395b1f9a4f028fc752ec37396aaea0a8b3896f2ac3318fe2edbd6daae092f7",
"type": "eql",
"version": 312
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "29b901e2e2a500cc3e5930938d94b49c5b7f44fe6564aadc087f290832d6d74a",
"type": "eql",
"version": 114
}
},
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "8993357af0c7f71ea5a6211f75cf96089c4c9ec88913377fe9c9baf72aaf6e4f",
"type": "eql",
"version": 314
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "232255e1a27a32df53f7b03d4a328673ddafc73b3d701b901c20ab79e1b5e28a",
"type": "eql",
"version": 6
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"rule_name": "Compression DLL Loaded by Unusual Process",
"sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce",
"type": "eql",
"version": 3
},
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
"rule_name": "AWS EC2 Instance Console Login via Assumed Role",
"sha256": "c4baae65ca422ef39a7b46b0def65701fd04eaaf1b938ab2d950984acde5db2a",
"type": "eql",
"version": 2
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
"type": "query",
"version": 100
},
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "95008cbe23f1fc8380e8181c4dac5e28c0ed9c9315589761e18569e50c4cde9d",
"type": "query",
"version": 107
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7",
"type": "eql",
"version": 112
}
},
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "daa4ee75ef9d319d9fe60c708f314fa2358cc48334270374e0b5c8222d5352ab",
"type": "eql",
"version": 312
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Clearing Windows Event Logs",
"sha256": "43df104be9f108fd08b8d71599f09bd2a9e4f98e5df1e6d8b0c41786bf127629",
"type": "eql",
"version": 115
}
},
"rule_name": "Clearing Windows Event Logs",
"sha256": "400229c7fa25221d2fd2db218ffe282f8d4d597d85d9cf9cf783ce03e28a1159",
"type": "eql",
"version": 316
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Remote Windows Service Installed",
"sha256": "1f3ebacad2b755fcdf9e30e67395eb3ae6c0947abedc632542b5b4eb17039d93",
"type": "eql",
"version": 9
}
},
"rule_name": "Remote Windows Service Installed",
"sha256": "295c3ce74dc2067ec71ab0fff5dac7193d4fd70509c1e5281c190b6af90aefd1",
"type": "eql",
"version": 109
},
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "5a91c133bc777a7e2499b024f42ebe1be6983609c8f38e00a4d81924dc72acc8",
"type": "eql",
"version": 5
}
},
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "aa88ac4bf872c3c3928d2121657a6b88338d937fe1a3813231c8f20a5cf966c3",
"type": "eql",
"version": 105
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "d3c22e7edad44df7543bfb8c0d84839b41b82786b1de1ee5c05819890a61a13e",
"type": "eql",
"version": 109
},
"d488f026-7907-4f56-ad51-742feb3db01c": {
"rule_name": "AWS S3 Bucket Replicated to Another Account",
"sha256": "01c816014f421370ac32bb6369f8a83bc036b4cc7a1f817e5f34eed99deaaa01",
"type": "eql",
"version": 2
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "90f5212b5d6f828360ef355e1f922212881b33016383d2d9c78719cd37ed1639",
"type": "query",
"version": 410
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "6ad7ede3c52ca6d191275bc53d5af195bd6c4bac16d37b2a0d2c8431ae4a33dd",
"type": "query",
"version": 103
},
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
"rule_name": "Unusual Linux System Information Discovery Activity",
"sha256": "589f094b4f15686c52f3a6b3e8d0b26b2f6bc93446f91d37f0deed5dacbc30ca",
"type": "machine_learning",
"version": 105
},
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
"rule_name": "Unusual Source IP for a User to Logon from",
"sha256": "526a1d698d53c469d024aa72d1d2b07ea56ac34aa51fb0104c5f69fdce70948c",
"type": "machine_learning",
"version": 105
},
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "12f7f9d6ea55e9ff587c8130acae50e3081e10e1ee41b58149e1a4cb74d2eb85",
"type": "eql",
"version": 108
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "c72111177dc1c97186e853f7c03b41f573c7cfb81a533dc0f9156381a00a5cb5",
"type": "eql",
"version": 8
},
"d55abdfb-5384-402b-add4-6c401501b0c3": {
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
"sha256": "17e9577dfbf339f5aa680ffac330813882588c59f8cc0f4d73bdc1865b72df9f",
"type": "eql",
"version": 5
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "517d28ddbcd9550ac85394cdac2cee0844bc448d4be9b4e4aa81be52e1275002",
"type": "eql",
"version": 110
}
},
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "60b8eec12452b573096d484a711a30dba4b444661e967528e029b47d6ee84f62",
"type": "eql",
"version": 309
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "457f9745d44991b7dbff97c8032d25b5f3d5c631adb8dc0e909ea948b837ae41",
"type": "query",
"version": 411
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Service Command Lateral Movement",
"sha256": "0d07056086afc2ae7fc3933f654811d9b31cbcf86939f52cea27261c807c0b8c",
"type": "eql",
"version": 108
}
},
"rule_name": "Service Command Lateral Movement",
"sha256": "e767e2798904e06d27a494fdecd4eec49bb912ec8b0c6940d3992927ef6354e1",
"type": "eql",
"version": 208
},
"d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
"rule_name": "Unusual DPKG Execution",
"sha256": "6649690e0d48f4463fd9ea9af37d65f589e1c88723ac705b63965957e8021ebf",
"type": "eql",
"version": 4
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578",
"type": "query",
"version": 209
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"rule_name": "GCP Pub/Sub Subscription Creation",
"sha256": "bdfafb9c68e9892fa7b9ca7598f201f97e7939ca8ca8c33ffc98baa5c1c46cdf",
"type": "query",
"version": 106
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
"type": "query",
"version": 100
},
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 113,
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "272699ab944dda3fb2374c7f0cba8b4585ace10fee2a21b12b9c6215519c3c29",
"type": "eql",
"version": 15
}
},
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "a8b94f958358ecb558c04272526096c255c70adfcfc23e85dc392fb9523b761a",
"type": "eql",
"version": 116
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "64a63407de9de164073767409d81c4ad49dc544271236c164345d1a626d94c3a",
"type": "query",
"version": 207
},
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Modification of WDigest Security Provider",
"sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e",
"type": "eql",
"version": 111
}
},
"rule_name": "Modification of WDigest Security Provider",
"sha256": "b9a559838a1a99dc2394f88550d8bf2acd150203179bbe5aa432e9d0d8569049",
"type": "eql",
"version": 211
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "cc15c76a2369027ba3e6633b87d7a3839f5365946de2dcfe4ec1b82a982e4641",
"type": "eql",
"version": 114
}
},
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "9f589cbf31fdc71f8e4c57f7cd8dc4956c30179ae4df20fba67d41e87e071ada",
"type": "eql",
"version": 315
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "641ef2451b1987a3e9cb28358fcfd308d956ef099cab89e13168b853db4d48c1",
"type": "query",
"version": 207
},
"d74d6506-427a-4790-b170-0c2a6ddac799": {
"rule_name": "Suspicious Memory grep Activity",
"sha256": "b32fe770424c2bb1f42c024250666ed6908c7309fc3bb52716853793ca7deb49",
"type": "eql",
"version": 105
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"rule_name": "SystemKey Access via Command Line",
"sha256": "4c5994d232095f98e72abc6b0a4ff08477e6c845b50df9de6e6ae92745f25835",
"type": "query",
"version": 207
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "b9ec78f42bbee517ba762cc989682ed667042fa1dbbf00a51d635480508b7d19",
"type": "eql",
"version": 212
},
"d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": {
"rule_name": "Python Site or User Customize File Creation",
"sha256": "62541c951385c527fe469fdbc9ae9791a101d3286ff2a6b2524ee63951e31599",
"type": "eql",
"version": 1
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"rule_name": "Azure Blob Permissions Modification",
"sha256": "b6f7d9e1c6d3053f849ee87cdd0567aa3e046fbf9c1400a060021426261838d2",
"type": "query",
"version": 105
},
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
"rule_name": "Spike in Logon Events",
"sha256": "e6d5824de70c85d84e7bf5a4158c0893db7265f5bf6a4310aadd7a4cc1806bde",
"type": "machine_learning",
"version": 105
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
"sha256": "dc4aaaebbe30ceb017d1b3100fec840afc7c916a2519037418a91ea060b581ea",
"type": "query",
"version": 106
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"rule_name": "Untrusted Driver Loaded",
"sha256": "9d627c046b1d969fa3cee29c64c2ede631bd7c2f11e2d5b0195467910718d443",
"type": "eql",
"version": 10
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "45efd7d53f83838ba357aa1bfb387f4c2489612adc924437d1f1953cf68c6d7f",
"type": "query",
"version": 210
},
"d93e61db-82d6-4095-99aa-714988118064": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "NTDS Dump via Wbadmin",
"sha256": "0ec890060837395012ad0a162820039feccc988f8395fc1078f45daf4bc7abb3",
"type": "eql",
"version": 4
}
},
"rule_name": "NTDS Dump via Wbadmin",
"sha256": "2d9145c7d1b3795172c0ec1ad4721ccc4055fe6b14d51880f6dd59c2e1498e5d",
"type": "eql",
"version": 205
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "9b8ad5964185c38f5bff7a86e3f4cef521ba3f743dafbe475f84111b6c97c473",
"type": "eql",
"version": 113
}
},
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "1574ae43ff903032be7747f88500fcab7396be626f95da26921145560ab5d488",
"type": "eql",
"version": 314
},
"d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Suspicious Windows Command Shell Arguments",
"sha256": "fbe7d02b10b540aff7b825dc36b8716bf16c7de4668ecbad5001a3239c6c5166",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Windows Command Shell Arguments",
"sha256": "bb3b92db48376983d30d61f54bdabb41250c33883d13ac5920d416e91b08a827",
"type": "eql",
"version": 203
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 110,
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "fc23e41a7d22a46223a5b1ed558336101405e6adad108127504e440c44d82a19",
"type": "eql",
"version": 12
}
},
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "0ac7d1624e694cec67982400a822b5692087df342748f9d9b10eebc1de8ffe03",
"type": "eql",
"version": 212
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "6f132baef5851efd00f760a31aa6cfdd4a68c0bd286f6abbf8cd245ebc635745",
"type": "query",
"version": 6
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 109,
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "9a42aaff1236e24c34e84e08efd9a7e42009c0c63b347d4fe373822df560b886",
"type": "eql",
"version": 12
}
},
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "b047f4e0b3115a5cae6311130cf82c3c278d25ed4dd930e2f697a0d9d9e7f0d0",
"type": "eql",
"version": 112
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
"type": "eql",
"version": 100
},
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "6d19402e85f66e45583b1eeb0c1b22e5641e069db1d10342a0bde8f44b0fae5d",
"type": "new_terms",
"version": 8
}
},
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "7e22a1c442db7cad59d546607a489f1c7050f79fd38503b21f27303ba5241f7e",
"type": "new_terms",
"version": 108
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
"sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee",
"type": "query",
"version": 105
},
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "f070b0885fd560dca726ee750baad0826feb31d8d40ccb087eb224a1ea7abfbc",
"type": "eql",
"version": 4
}
},
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "6512a9d12fa4ef27519126e321762a291e72b255d30192405b4cb411001266c6",
"type": "eql",
"version": 204
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "9aadc22b5ec9cea06ee0b9088f5ccbd36a3306d609eac169139751b082504d50",
"type": "eql",
"version": 9
}
},
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "029980f0576e49caacd25ad0de41f0b2408bc96f253c336d6cec15df9a3314ce",
"type": "eql",
"version": 210
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "d51a9914cc58576ea6fcc57df0fb35de299f08b8acf0ff37597124b12b9862db",
"type": "query",
"version": 104
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "8690b4f17180de2e5b04b89a6a896c3a137fe7ebdd13e6982bfeee9fb2b135b8",
"type": "eql",
"version": 107
},
"dc61f382-dc0c-4cc0-a845-069f2a071704": {
"rule_name": "Git Hook Command Execution",
"sha256": "3ad68272adbc2c5c4f5b945a065b67154c91b826cef8f120af822a44d62724e1",
"type": "eql",
"version": 103
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
"type": "threat_match",
"version": 100
},
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "99b4b4a9e64fa970794d90bd46d37e2ad1f23280ede41d8a8de1841b6caf8622",
"type": "eql",
"version": 111
},
"dc765fb2-0c99-4e57-8c11-dafdf1992b66": {
"rule_name": "Dracut Module Creation",
"sha256": "af7a3f72ed7f24e50bc14f940937bc9cf2bc1f6872e1d672d463b5165d85d1dc",
"type": "eql",
"version": 2
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "976ac05caaa7708302cfafccd5edd0af529b333c3550b12e398506b43b82e625",
"type": "eql",
"version": 113
}
},
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "d4fcd570b5466abc21101a20f25749dd7c2c72e8392e316c2f2f7841c0b635b4",
"type": "eql",
"version": 314
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
"sha256": "c2be81a4e4f052c6da9119dd200e3ab45d5687ef747f79b3a2cef11bb4568d29",
"type": "machine_learning",
"version": 209
},
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "40d55e7663cb9633996f2dd6c03729438145e69e0239b0e638f5ee1a40d4281d",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "6a5c4edf3847efdf6dd62e8a6de3c4eb4741877eac727dd8af8aa473666167c2",
"type": "eql",
"version": 206
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "26b7b9e5fd76bd0fa239139c7322893447787d8462f784bd120a62794e64b358",
"type": "eql",
"version": 10
}
},
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "40b3e43ae452b8ba4364d1c4d0c6b7a79485a65182d891ec986426cc31129bd4",
"type": "eql",
"version": 211
},
"dd52d45a-4602-4195-9018-ebe0f219c273": {
"rule_name": "Network Connections Initiated Through XDG Autostart Entry",
"sha256": "3893d44e187bf13e2e0a5fffa35b36800a58de2f402432d79956113fb81f68dd",
"type": "eql",
"version": 5
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"rule_name": "Reverse Shell Created via Named Pipe",
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
"type": "eql",
"version": 6
},
"dd983e79-22e8-44d1-9173-d57dba514cac": {
"rule_name": "Docker Socket Enumeration",
"sha256": "542d6fce1df6a18b8cd0f22e854d01e313ac186fa85f51d79f48e57ab1fb5682",
"type": "eql",
"version": 1
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "84f5b0cc9b45784f5f3268b1f1cd252e3e460a30225570b04bd90ed819e7cd75",
"type": "eql",
"version": 112
}
},
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "e723d0b3254745f488ccac62bb67e6d2f069196659d17cf778fb42a524933135",
"type": "eql",
"version": 311
},
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
"sha256": "c129a707d58db25a4c45591577570e807c1cda2be7e4167c44a922ada89b2939",
"type": "esql",
"version": 4
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "d8c2c36ac62b1821bf4164411d30ffcb97ae6b3ec8b2736dffe412305fa71633",
"type": "eql",
"version": 114
}
},
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "8a6ba13f0dda67fe805dbee6d884a1189538027f029d6401919c7a92c9ed24ab",
"type": "eql",
"version": 314
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "d096dd61e0fdd262df14f29f04e3818f84e1a5f4057cade79110ad3a929aac3c",
"type": "eql",
"version": 212
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"rule_name": "Query Registry using Built-in Tools",
"sha256": "de848b5e9c4cb1dbf61d805263fb3e9d70aed03a3de0e18b44698957c53aa130",
"type": "new_terms",
"version": 106
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"rule_name": "First Time Seen Driver Loaded",
"sha256": "6323546ce88a2062ab9b777768a0a4282ac1a74384c1f21449a3262202208011",
"type": "new_terms",
"version": 9
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "92bb89bd0e84c9232dcf024b09b211d04bf914a34e8ebcfcc2700c0f9f4154f6",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "e7e813348ed80c496689f948ecd7de5edfefb9f63b906114a57bb6798b9253ae",
"type": "machine_learning",
"version": 207
},
"df26fd74-1baa-4479-b42e-48da84642330": {
"rule_name": "Azure Automation Account Created",
"sha256": "8fc27e74bfd62fc69cfb08bc0944fb02643fbb3fd3e9b84ef1e6b06e36ccba3b",
"type": "query",
"version": 103
},
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"rule_name": "Dynamic Linker Copy",
"sha256": "f1a290ca66fac0299d00bfdb6b2303033c974c4a184dd32b9ae3e34b3b7ddc78",
"type": "eql",
"version": 211
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "ac73d656120d73f8776a9afbdc0c8a63ba9863321b9153d9529c67e61651a5a9",
"type": "query",
"version": 205
},
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
"sha256": "f33b42f628062aaf94789a5880e98522fa684c465bdf6da024d16c74a4f02efc",
"type": "esql",
"version": 4
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
"type": "query",
"version": 100
},
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "f14455fd6ea9bdc73123f4c69cb12843cfcbe7747b51b622198eb087bb953f08",
"type": "eql",
"version": 4
}
},
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "2b622d8bb5228a5ab103d2c5197eab64a8c1a0977cbc0594097fe979c66d2034",
"type": "eql",
"version": 204
},
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"rule_name": "Delayed Execution via Ping",
"sha256": "8b63af67b0b77e5d770c49f6e9a9216ab92f9f7aba27fe58b2f87b38dfd3b24e",
"type": "eql",
"version": 4
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"rule_name": "Azure Firewall Policy Deletion",
"sha256": "3145c97b2a0f8a3dbe953d706b20b0db89737e622460e8eb92f562e46316b78d",
"type": "query",
"version": 103
},
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "be3e036bd85d0139f9025316971ebdafff2b115de3d7e46ecf4a12fc2b17fb34",
"type": "eql",
"version": 110
}
},
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "cabb2f1ee545a8afab4bdfae8d8fbb983de8802e1eaec837f32286aad16a00e2",
"type": "eql",
"version": 210
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "71df05db291794ae655d563c9f6cc812bb3c8ebd1f3b076fb3103cc1a9af152b",
"type": "eql",
"version": 10
}
},
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "edb551d4e6634b6ecd115cc56d888b82abb68d7b87cc04db6f15ca884e5b3c91",
"type": "eql",
"version": 110
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 310,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5",
"type": "threshold",
"version": 212
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5",
"type": "threshold",
"version": 313
}
},
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "0f1797f4458f41926c4fb9920e9bad30476efd48173d83db37c845ac553c2e1a",
"type": "threshold",
"version": 413
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "afd239148a789428e9afc33cc2ed4df601459622d6b114f719be62ef217f425a",
"type": "eql",
"version": 107
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
"type": "eql",
"version": 100
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"rule_name": "Azure Event Hub Deletion",
"sha256": "55c15bc0ab3e65a9e0dcb4e9babf915de29b34b26b842fe6ad70c153dbc50212",
"type": "query",
"version": 103
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"rule_name": "AWS Route Table Created",
"sha256": "c76bc6e2331f0b9bbf3d8f05a6f363c267e1509a793f6949082fc196e12f1fc6",
"type": "query",
"version": 208
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "AWS RDS Cluster Creation",
"sha256": "7b5a2e8745804344d0c558af38ae871fb0c48a51a92c943f98830876bce353b4",
"type": "query",
"version": 207
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"rule_name": "Connection to External Network via Telnet",
"sha256": "9c4cb74b1de6b291bdd95cef6e4dc1db2fc043af96969f7a09811263b9866c96",
"type": "eql",
"version": 209
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "79e7d8b6c91ff85bfe18be26bfd2bbe3de8d62a447c19e86c2250d6f10e25dd6",
"type": "machine_learning",
"version": 5
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "b5f28770a0cb6cc57839bec21e0d78f890b72c023a9f2a1f56329aa86d0bdcf6",
"type": "eql",
"version": 108
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"rule_name": "Spike in Successful Logon Events from a Source IP",
"sha256": "0269e018a4255bfb434cd73bd2e52aef757c68e11659366261fa2c8687dc0948",
"type": "machine_learning",
"version": 105
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "aceeffb1d2d30da61a5c975b4c978c1a8dd0687ddac7214c80ae21c9067eadfc",
"type": "query",
"version": 114
}
},
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "ed908ff078c5a2e7569fc9967c30cc040397ed9122a09287031c0a4e5d04e377",
"type": "query",
"version": 317
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
"sha256": "f5c6eb26668b0618457eb54076493de70230dd3c72adcd575923b13012ae0c45",
"type": "new_terms",
"version": 4
},
"e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
"rule_name": "Suspicious pbpaste High Volume Activity",
"sha256": "2190e84f9e7192e1648c8b1673576f046c4e03d475bb75045c7b9e2e12bae237",
"type": "eql",
"version": 2
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd",
"type": "query",
"version": 209
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"rule_name": "System Network Connections Discovery",
"sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1",
"type": "eql",
"version": 3
},
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "59e0f66055f6ca2de75fc83f80895d38b0544cb232a27c17b5ad274d18842db7",
"type": "eql",
"version": 10
}
},
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "a3074187de9cbb825e91c16b2cf56280f48b19fbb58b6e294f6e007a3ebe7b47",
"type": "eql",
"version": 211
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff",
"type": "eql",
"version": 112
}
},
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "a02677e7cd9c71dad3cf902389ff330aa11d7e30af8f5186022a8942cbd0a39b",
"type": "eql",
"version": 212
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"rule_name": "GCP IAM Role Deletion",
"sha256": "44411255b771a99faffe0685c0f5e63977818e21d073d24091ff91bd9aa33b51",
"type": "query",
"version": 105
},
"e302e6c3-448c-4243-8d9b-d41da70db582": {
"rule_name": "Potential Data Splitting Detected",
"sha256": "4cbc9c690c480e6a0c5458a4e2e93bcf347ef61202570333fb7b66342ba93b58",
"type": "eql",
"version": 103
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "820ccc16d8a4a8f7fc46cc17069ec359a736b3d3803d156ed511f05a771b7416",
"type": "eql",
"version": 114
}
},
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "02f5e8471f2ec0c5b618a104a190faf75c17cbac5c9d84ac619dd6dbc1ceaee5",
"type": "eql",
"version": 314
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "f2d736a544e71eb0be5118b7e11cc5ca78ef900a8f8d7225e8c0b03ad08c6587",
"type": "query",
"version": 207
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "6b3dadd40aa120848fae2bf405a3e564a4f8f1f135f3e43273c9a5990cce5592",
"type": "query",
"version": 104
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "15425280f466c2729b02c0af122c6c595b30165cd51c4f683fee546070d396a0",
"type": "eql",
"version": 108
}
},
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "151650631c31a43c201b4eaea3749b4f13790dd576c4420057b75b9cd51c740b",
"type": "eql",
"version": 208
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "465ac78f6958f74fff4f46a3ff16e69a49b534ccb7b037fa26cd2f352bd13690",
"type": "eql",
"version": 216
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "9041b77e8259e34d407916d77afca09bc12083780a68fa76b3ab0f545ec0a85b",
"type": "new_terms",
"version": 7
}
},
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "7f8cbe7c809f5f6439380cc95e39d43499010dcce8d9d9e5c86366cd832ca302",
"type": "new_terms",
"version": 107
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "e7a1afdd3aed5b8990f25c5c3ebc89a3d4e1911e68296667f6b6e4cc13e21407",
"type": "query",
"version": 411
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "5c7d57bc4534a2a0e0954dc8aac857d465f5fe162da03efd1c900a9ac9680bcf",
"type": "eql",
"version": 108
}
},
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "a46f14f105c573fc3663af37227e949ac9d8ff5771cfe823163a5b5a839f60ba",
"type": "eql",
"version": 208
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "e4f8a8d92eb2a30728e395c24a0e1fefe6b75222d110fcf1b87cd80b2dccc30a",
"type": "query",
"version": 114
}
},
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "f7c403156a8b86200d6bd124b68887764d5362fc6b53b8468bccd221b4d9fe55",
"type": "eql",
"version": 215
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "c208e0210c900747a4eaa68c93e32df981d3e2f5bb72a17177582c3b6ea60501",
"type": "query",
"version": 206
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
"type": "query",
"version": 100
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"rule_name": "Bash Shell Profile Modification",
"sha256": "8893356dd5ca661718d8f5c32e3d5b4e2e31ced5866bad1aac12f2ae4b1837b8",
"type": "query",
"version": 105
},
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"rule_name": "Authorization Plugin Modification",
"sha256": "abc854ad84c4df75f33b8a3ec0b322047c931d738de30da1996883afbdd7b799",
"type": "query",
"version": 108
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Possible Okta DoS Attack",
"sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Possible Okta DoS Attack",
"sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8",
"type": "query",
"version": 310
}
},
"rule_name": "Possible Okta DoS Attack",
"sha256": "d31797a2a9ebd8114c915f01f1b7222689f61769135d5406738283834a175f72",
"type": "query",
"version": 410
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "021c60ecf962a5bbddbcccf61190972c6aedc8a3522201413fff29dce8e8c16f",
"type": "eql",
"version": 109
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "a33b86d48c3d3d62db7a1fa07ff45e3dd2ec92fa332099989635eeb934db5345",
"type": "query",
"version": 105
},
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
"rule_name": "Potential Credential Access via Memory Dump File Creation",
"sha256": "27987be0e2d175b6af6648f0f13ae6c921ecc1ef5198b7ec704a9e12b91cb3cf",
"type": "eql",
"version": 4
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 206,
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "8e916c6e5e28236cf4e78bb6c9a7cb8991800d108c6dce8a147b6196ae27b89c",
"type": "eql",
"version": 108
}
},
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "745553dd4b4f167afb3f9d8aa2a73cb88e8a9984dbee97b741c011740ea72306",
"type": "eql",
"version": 208
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "0eb9b50416c959551b3b273ef5326ae8b96145ec4ea717bee0033ea99d133af6",
"type": "eql",
"version": 107
},
"8.14": {
"max_allowable_version": 305,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "123c8d391974a063625df859c1b10d7a95232b0f02f302c5097d70074e697164",
"type": "eql",
"version": 207
}
},
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "b11cb97ba4927fbd34141d3a5cc49333cbae82890c27eb7731e165ed71b3cdbc",
"type": "eql",
"version": 307
},
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
"rule_name": "Potential Windows Session Hijacking via CcmExec",
"sha256": "fc6696281aaff38aabf5ef6dfe7b56c731c027f5daa36aa8fa27db356d1836cf",
"type": "eql",
"version": 2
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8",
"type": "eql",
"version": 4
},
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "0bea98ee6e9ce10eac166784de0d4aeceb2b4e690051357201bb91cffc7e5edb",
"type": "eql",
"version": 2
}
},
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "8b9fb79800f9757717537734e0e8fd81eb27c77c51f3bea4933b4026af77e360",
"type": "eql",
"version": 202
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "962391b35148784c37d51d9d75f577a0ae8c9c855443ec35d2e4dfb3c247e942",
"type": "eql",
"version": 110
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"rule_name": "AWS EC2 Route Table Modified or Deleted",
"sha256": "e56e718a9723a794c9e062425a957d4e952f2a9984792aa9df06ea86c7310dda",
"type": "new_terms",
"version": 208
},
"e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
"rule_name": "Network Connection by Cups or Foomatic-rip Child",
"sha256": "918d54c5a6647f2078e33a286ca77359e078e643772831ec0217ef3fc2478d8c",
"type": "eql",
"version": 3
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "e9a897b3d6e54d43b0c0b67f4ddcda48e4a01a450374c5953fbfc9e6a13c0568",
"type": "eql",
"version": 114
}
},
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "88531315d5644d775abd814a7f79203b41a18642843ce25dbd7516e740d6ed2a",
"type": "eql",
"version": 215
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Installation of Security Support Provider",
"sha256": "b539da6b7c1b1227bdb42936daceee9540ba7d0f3605ee4daa85bd0c836ac05a",
"type": "eql",
"version": 110
}
},
"rule_name": "Installation of Security Support Provider",
"sha256": "d3e972fca563427e3d76bb4395afc5f71c455501294696f9dc6df982b1d28abe",
"type": "eql",
"version": 310
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "e8fd6440c6d6d88986539c259693d1ee14c53bbebd9bce21eab23ced642d5c02",
"type": "eql",
"version": 8
}
},
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "a50076fcb40d588e056f081e1168588950939d6c95a97f2facfed56882ce6f9e",
"type": "eql",
"version": 108
},
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
"sha256": "a666b794f171a1a2c008b39794d12cb837d0fee82e293f8dc6601f749a723645",
"type": "eql",
"version": 3
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "b54a9721e854b951bcffd517564dba55d3d9f5a1b13ff4bc738ee5aa7e4f9bc5",
"type": "new_terms",
"version": 108
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 310,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4",
"type": "threshold",
"version": 212
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4",
"type": "threshold",
"version": 313
}
},
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "18719e990037ed4bcedb7040cb575b1b244fdea008bf902c36de0c0dc87262d9",
"type": "threshold",
"version": 413
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "0cc0882f3f4079767583e56fd8ac76f94fe773a3ad47b80a5c7ef1f07e5afcd2",
"type": "query",
"version": 207
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "b7a20dbebcf0f6ecd941a69b135191989886cb45781f0e23444e523bfaa03208",
"type": "machine_learning",
"version": 5
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "6ef104d85ec9575226338908f304d5def68a7412883399913f6bb68378d6decb",
"type": "eql",
"version": 112
}
},
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "2ec2b40b6d719512b8aedec3c65efa2e1ce6b38aa2dfb387edf32b43516c9421",
"type": "eql",
"version": 312
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "5b5c778062c60175f66184a03ec8cc58deaec9c8d47e50b7e62d75b592eb203e",
"type": "eql",
"version": 107
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"rule_name": "Spike in Remote File Transfers",
"sha256": "8d2b4cd0d07e0114cbfc97e7836712efaedb13d7941b49ba32df06344bed130f",
"type": "machine_learning",
"version": 5
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
"type": "eql",
"version": 100
},
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
"rule_name": "Azure Automation Webhook Created",
"sha256": "ca8b561fa907119476109df0f7f86007194ffc80c3b614c4f69522d366f15e92",
"type": "query",
"version": 103
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
"type": "query",
"version": 100
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "9305b82ec96b801a1ce3d03306069610691b62051ca30252e654c38b624f7c55",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "263dc5090dd778a47400fbeb93a47512defec5bc3e78d7bdd173ab8dd1c95910",
"type": "machine_learning",
"version": 108
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3",
"type": "threshold",
"version": 210
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"rule_name": "Spike in Firewall Denies",
"sha256": "fc408da92fc5febf3e95b3e4466fadb5f9c59ff6f98e5b71c5ba830dbebc52f3",
"type": "machine_learning",
"version": 105
},
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
"rule_name": "Suspicious APT Package Manager Network Connection",
"sha256": "e564804b6774ca1351834c65234f778427f64a1a8a9c63f54c7bceb478ea41a1",
"type": "eql",
"version": 6
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
"sha256": "cfe3ec83261ca32ec7fa6c3ec8fe8c6d8b42361b74fc363e99795dcce182badb",
"type": "query",
"version": 104
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "0df8fef46aadb6e55f99fcb160c20a7c50b5b97687a0ae824409284676656051",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "34b8cb6cbafa6c8284ce99c7c6cc95be28e2423a480b5e56d46de73e21ecb72a",
"type": "query",
"version": 107
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb",
"type": "query",
"version": 113
}
},
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "d7f6edb6af54dfc5d3bce2f5f8cd4bd2b869f751dbfe299e4cff67a302c6cae8",
"type": "query",
"version": 213
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"rule_name": "Suspicious Network Connection Attempt by Root",
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
"type": "eql",
"version": 104
},
"eb804972-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Behavior - Prevented - Elastic Defend",
"sha256": "1800ba797dd4735b90e918df5d02719c09d98850d2bfb0880d9fa80ff8b72f5b",
"type": "query",
"version": 3
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "e7211f890d92f3a7d930cfd4bc9d80fb4376b20adbbb602dd24721075ee45090",
"type": "eql",
"version": 212
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140",
"type": "eql",
"version": 110
}
},
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "b5e1dca924f5d9acc2bbfe1082785ef9458b056c40140e162d7526060d6bdbdb",
"type": "eql",
"version": 412
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "3195012ac10b6acb9ebb4755275fdac561d8f506d8cef35b17fd47c2ab509787",
"type": "eql",
"version": 112
}
},
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "1a2121317ae7d1b300b92ea3307889c9851bd10a65e714b8f37ba6fbf52f179f",
"type": "eql",
"version": 313
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "076b7a80f89f6a6f1a3081a38ce953a5acf2175da6922f04cbe0f6d6a55b0356",
"type": "eql",
"version": 115
}
},
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "789d46c9447286758f21fbcf2f6f2d2c30de369ac38a78bbbd0d8a8518e422aa",
"type": "eql",
"version": 315
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"rule_name": "Deprecated - File Made Executable via Chmod Inside A Container",
"sha256": "e83d9c10df932ec1ea757f8db704550f8f70c3bb48b0155578659ee10099091c",
"type": "eql",
"version": 4
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "4572e35abc9f3fb1f7be34775ed498cbbbca8890182cba8ca5beff3a53bf673f",
"type": "query",
"version": 207
},
"ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
"rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
"sha256": "b69c69c1bbacce025e21987b18df13452767d8102331304cd46d1f177fb8a602",
"type": "eql",
"version": 4
},
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"rule_name": "Executable File with Unusual Extension",
"sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509",
"type": "eql",
"version": 2
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "35c7505a4a7e2503e09a6d55f986977e180f79e72dfde6b46e17c48fff3342e3",
"type": "query",
"version": 207
},
"ed3fedc3-dd10-45a5-a485-34a8b48cea46": {
"rule_name": "Unusual Remote File Creation",
"sha256": "25b7a11580eaa10f455ac93b195afb23108822c1ca8665f2f28fd2816ef1edf6",
"type": "new_terms",
"version": 1
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"rule_name": "Azure Global Administrator Role Addition to PIM User",
"sha256": "31edfa8b99be2305a6bb1447799c69cf2f60e5a834ce4b064a4b4665bea80dd1",
"type": "query",
"version": 103
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "AdFind Command Activity",
"sha256": "d60af1f28f9f81685a9aa0c7a36a0cb1c35ba51859da6d4ebddbc8bb02ac9907",
"type": "eql",
"version": 114
}
},
"rule_name": "AdFind Command Activity",
"sha256": "b05a29a436ac542b88bb1e6c8d05c378015f4988803a39a6e5f4c0be47607513",
"type": "eql",
"version": 315
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "f254d125f5da752be3671f52f44af3671f6730739ac5e5fe785f8bd0f831b628",
"type": "query",
"version": 411
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "58dd0e1e34abe8443249ad67198996b183471f4fc2f883d57058fd29a584325c",
"type": "eql",
"version": 115
}
},
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "36fe3eb7700258bcd9214dcd215ae71c9a1def542f197f5e822450a297d327b9",
"type": "eql",
"version": 316
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"rule_name": "Linux User Account Creation",
"sha256": "5147bc8232ad7a92a84e036bdd81d4fcbcc9ce09fe2b0a2697ae01769ec50e20",
"type": "eql",
"version": 7
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 205,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24",
"type": "query",
"version": 107
},
"8.14": {
"max_allowable_version": 306,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24",
"type": "query",
"version": 208
}
},
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "7ff673016488bafc9ac4a344918957eda1629b68b0dd51bdc773ce2f9ace05a3",
"type": "query",
"version": 308
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "5bc2e722e6fb7b61ce923befd4ce4b3a3d8fdacf1290dba7ec5ea911760c53e8",
"type": "eql",
"version": 111
}
},
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "e9bd712f3f743bd51f11e419a9ab89603ed0cf358d4fc912e877907e172a2080",
"type": "eql",
"version": 211
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"rule_name": "Shortcut File Written or Modified on Startup Folder",
"sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662",
"type": "eql",
"version": 2
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
"type": "eql",
"version": 100
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "0a31cd84388698181bb0e4d15e98b40bea0da0c9be8c956e27580d00780e3893",
"type": "eql",
"version": 109
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"rule_name": "BPF filter applied using TC",
"sha256": "7ada39c6d2903cc362c1ded034828a6b929954050f650fa4d3d166b93f3ec78c",
"type": "eql",
"version": 211
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "5270c503b5846ad6b35fd79100b8270b2b26c8f6968c90d112b8f672cfe55507",
"type": "eql",
"version": 109
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File",
"sha256": "e4750e67d85a5bceb46ee02825a18989d55a065f353791467ac9bdcc98f4cb7a",
"type": "eql",
"version": 3
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Whoami Process Activity",
"sha256": "b020b8f8487dff043ed4f8e013dc6aee3af6d55ecfbd53cb47b9537f140e9427",
"type": "eql",
"version": 114
}
},
"rule_name": "Whoami Process Activity",
"sha256": "311d843fda11fcbf852fdb41fc87dd280481e8bd3d0b7319527aba5059fe4954",
"type": "eql",
"version": 214
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "deb097d91aed42823bd3a3204774168f890ba2423ac4e4253b9d060f32f50e79",
"type": "machine_learning",
"version": 5
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "23beebafef0bf295f6aaf5f99044dc15f8db23dfc7a6f68d46c1cb7a9416c43b",
"type": "eql",
"version": 109
}
},
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "6f3bb7099a9a769fb898a67560799db56ad58c5624c016b1d46a98b1bd12e651",
"type": "eql",
"version": 209
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"rule_name": "Suspicious HTML File Creation",
"sha256": "2d7643f5258ea00499f6a724d37680b18ea9e51cff76a508b397813d06cc2023",
"type": "eql",
"version": 109
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6",
"type": "query",
"version": 310
}
},
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "7dec7b69a9ae716233a2cc4ee0bf5ce3e8f108b425d0be073ef6d211e7eaeb3a",
"type": "query",
"version": 410
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
"sha256": "66dc553f0e5d998d6287bc5b3bb0efe2b016816411c35e13834d2fa558a64ad2",
"type": "eql",
"version": 111
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"rule_name": "Azure Alert Suppression Rule Created or Modified",
"sha256": "dce40c891055fa59c868c0409223dc95efa62252fab387bc182bf9ad3f30eb55",
"type": "query",
"version": 103
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "ddd5f8f0b1dbde6fb7d9d9802b9190fa54d38d94c423afe4c859794d73da4720",
"type": "query",
"version": 107
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"rule_name": "Potential Remote Code Execution via Web Server",
"sha256": "3e3a90a47139a3dc0d1c763351373920dee8e161a176b916ccca2e6be16dfed7",
"type": "eql",
"version": 109
},
"f18a474c-3632-427f-bcf5-363c994309ee": {
"rule_name": "Process Capability Set via setcap Utility",
"sha256": "c7c1780ea2c3381899f8df2aca24d636619832fa7d0cc4a7637a1b519513a2b5",
"type": "eql",
"version": 102
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "53a99b49697dcd944871a7610cafdbf834659d68f5631056a35cc52f1c8e1aab",
"type": "query",
"version": 4
},
"f2015527-7c46-4bb9-80db-051657ddfb69": {
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
"sha256": "684a674daf52a0659d98f70c6854676100390d6c0cc41568e4450ec8568d1115",
"type": "eql",
"version": 3
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 104,
"rule_name": "Service Path Modification",
"sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599",
"type": "eql",
"version": 5
}
},
"rule_name": "Service Path Modification",
"sha256": "a707712ab1a8884c4ac8dd000630745507c22979577802994c2e9d0ab4b5e091",
"type": "eql",
"version": 105
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "789001d17851c913e16d3c0cc68a245041a71e317aee771f954879787be2e107",
"type": "eql",
"version": 110
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "6779913c9f6aa81caa57d89b94072b01b0638454d4faaa9433f37e902cd65b5a",
"type": "eql",
"version": 211
},
"f2c3caa6-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Malicious File - Detected - Elastic Defend",
"sha256": "6e2ffd6be5eec401665da9f328ea418437bc87ae39325fbda96eb3fefbeac4ac",
"type": "query",
"version": 3
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
"sha256": "42cba0422e9398684922e14a9f8bcb52726504673ccd9369a94911561994ab23",
"type": "esql",
"version": 2
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "SIP Provider Modification",
"sha256": "3171aedb786a6c4346ca2d6e875c736ea14d23e12331aeea3c994e5dca963238",
"type": "eql",
"version": 111
}
},
"rule_name": "SIP Provider Modification",
"sha256": "e0ac3c29d4a3e05055331a8c99eae6dec675fdf4637d6585c80557b3dc879681",
"type": "eql",
"version": 311
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "LSASS Memory Dump Creation",
"sha256": "f8cbd6a379d828f24d80c53ac9f923bccfcf5f6db7532cf8567c55c09446dae2",
"type": "eql",
"version": 112
}
},
"rule_name": "LSASS Memory Dump Creation",
"sha256": "accf15ffd7f736c713d38e6f024889430d4031685a6588588249bb092332d720",
"type": "eql",
"version": 312
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"rule_name": "AWS RDS Instance Creation",
"sha256": "3bb082fe7f035d7f0edb310d42459b011a6ecb97c9b46e008e1c1434840e95a9",
"type": "query",
"version": 207
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
"sha256": "68842c4cfacadb832e1f45c3c1a25ccad99d8f7ce2309f64689ad93997eb9216",
"type": "eql",
"version": 8
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "84a652c9dcb5ab611cd8888bcb7def8d9e6ba1a10712c28017fe35cceb6d07de",
"type": "query",
"version": 6
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "bf322fd08b8f2bfd47228ee56470b9301a500aa181f75f9594d50ed79033e3a5",
"type": "eql",
"version": 111
}
},
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "0362f87f30104a3705ec25a5424fbfe8a39cde9dc0337cda33dfc8426b0522bb",
"type": "eql",
"version": 212
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "ee7bf6773bfbc573d11e5c0660564ca53d3a9b917ec5f64c87a3b7e9d4b86fa7",
"type": "threshold",
"version": 105
},
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
"rule_name": "Suspicious Network Connection via systemd",
"sha256": "9ed35a351e57a72bfce5b7738b0f267bbd83cf55d98a20e89c2437107a1a6c21",
"type": "eql",
"version": 5
},
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
"rule_name": "Kill Command Execution",
"sha256": "9d6d2a6025d89d9936130285a084379d1d31b9e3568db970acc29d05c1c6a7fb",
"type": "new_terms",
"version": 1
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "d523f9e7b0b0a672bde61148eda10896934ae0f610892a879adf5a29cd789057",
"type": "threat_match",
"version": 8
},
"f401a0e3-5eeb-4591-969a-f435488e7d12": {
"min_stack_version": "8.14",
"rule_name": "Remote Desktop File Opened from Suspicious Path",
"sha256": "ee6f8d0f53cd74d79393a04a0a83fb95d10b020160092e227b0db1f484289f16",
"type": "eql",
"version": 3
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
"sha256": "997e81e732075c8530c62edcc3e0dbacfdc2a918bb79517ee27cc287a6c74b07",
"type": "eql",
"version": 8
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "d8fa297a02bd05755728ee6202070fef2ebc8f2f5ae3d46617d78034d80e24bd",
"type": "eql",
"version": 109
}
},
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "67cc9ea0dae5af83aac83f80454998408a24eeb1e521ae441963e51278f54b7a",
"type": "eql",
"version": 309
},
"f48ecc44-7d02-437d-9562-b838d2c41987": {
"rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration",
"sha256": "6f77b4339b6982feae60ae38491e22c8bf8931801527efe93368ab2d675017c6",
"type": "eql",
"version": 4
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 212,
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "9c9490d04847aa87bb7ecf37a56631b96d3e56c1a3fb00b8c6b2fc5739161f46",
"type": "query",
"version": 114
}
},
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "bec893fc82f770985073646d905e8d123ff1994906b7c611522639f92f1361cb",
"type": "query",
"version": 215
},
"f4b857b3-faef-430d-b420-90be48647f00": {
"rule_name": "OpenSSL Password Hash Generation",
"sha256": "04b4c9ecf43e0acf3fa6b298371accc63a200e07eb118a4d5edc9430aaca263a",
"type": "eql",
"version": 2
},
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
"sha256": "67cfc341651734d5dc809fca49d66ce14a80f2ba8535da9515f18242adfca0cc",
"type": "esql",
"version": 4
},
"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
"rule_name": "DPKG Package Installed by Unusual Parent Process",
"sha256": "aacfd52ed0aee2049e2ec00c2475153a185d83bbdd407232e9012a142292ac95",
"type": "new_terms",
"version": 3
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
"type": "eql",
"version": 100
},
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "1049a0ba43faccfc6c8219d7fbf5b81cd5c21f97a63be1f334d9b8b883e8d73a",
"type": "eql",
"version": 8
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Windows Script Executing PowerShell",
"sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c",
"type": "eql",
"version": 112
}
},
"rule_name": "Windows Script Executing PowerShell",
"sha256": "70e912c507ffd352948a3b3477a1ad50a61cbbd2effc94c80291e684c151ed1c",
"type": "eql",
"version": 312
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"rule_name": "Deprecated - SSH Connection Established Inside A Running Container",
"sha256": "e9a0161ce66e4dbbc1d7b04ff2e17e6b37a210d29e6dff9d8ca021d2a0c65355",
"type": "eql",
"version": 4
},
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 107,
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "1a52a9efcabc5597110829afe735c6831cc9b2e64ed6169e8e81459e8669c83c",
"type": "new_terms",
"version": 9
}
},
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "b913881e92e1a38bf6737390fd81a1138292cbd48aa0fb8c2d3c85957650ad7a",
"type": "new_terms",
"version": 209
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "7985f5aefba2ea64d65352cb9a8eafeb6764e30498ccb6d629242be6c5b979ab",
"type": "query",
"version": 8
}
},
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "f743162d208f76da7f2a978f2cb537ce0f8849dfe5a42af3ab46246b6bd8371b",
"type": "query",
"version": 108
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "WMIC Remote Command",
"sha256": "03ff2581fa827afb289f1ed2f6e5aaa30032940c26bdf3b8d440b729539d3e53",
"type": "eql",
"version": 8
}
},
"rule_name": "WMIC Remote Command",
"sha256": "733c3aee481bf3891f180a572bda3b7c68d7c19d1d7a3989c0def03ae9fe0933",
"type": "eql",
"version": 108
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "e41e3069e64db02d6742f75d9126315cfeee13e18851f97d1260e4fd6b35d76f",
"type": "eql",
"version": 108
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "a3bc6cca188a55aa33021f1b9c7d396bdde78a3350f1c4fabb974a4fcffa5ca4",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "b133ffedcacb83e511e320e25d6f4afc9f2d638fa12afbe470fab88a6009d07a",
"type": "machine_learning",
"version": 108
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"rule_name": "Masquerading Space After Filename",
"sha256": "05d412610d0acf976c64885d739c2519d44630cc8036b7dba0c8533c92385d15",
"type": "eql",
"version": 8
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"rule_name": "Account or Group Discovery via Built-In Tools",
"sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135",
"type": "eql",
"version": 3
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
"type": "eql",
"version": 110
}
},
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "af1f6d2bf1fa3cfb4d9c71f51f507b819781648a109443ee036b66be24aca5b9",
"type": "eql",
"version": 312
},
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
"sha256": "aa4abbe944c50eb6c464d33d4880bedbb1778ff5139693b5f95e1f81e54a05d4",
"type": "eql",
"version": 3
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "4b55ce8144feb04c19f2449fa5a4c724ce26861e85a8ff9d63ba91fc24c90ae9",
"type": "eql",
"version": 111
}
},
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "605f5f70bc621228a60d3f975abc644f00df34913b0b363cc8cec5d226e082c1",
"type": "eql",
"version": 312
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "076beef00e93e7c5cea8221f52feed6734107ad9cfb9a62a293d50a066132e1d",
"type": "query",
"version": 107
},
"f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
"sha256": "de4cb537409466e76a7f865cb93e0842a6fc8f04b9402caaa3b8f56928916711",
"type": "new_terms",
"version": 2
},
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
"rule_name": "System Hosts File Access",
"sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571",
"type": "eql",
"version": 3
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"rule_name": "Azure Service Principal Credentials Added",
"sha256": "901f5b0b8cf2e223bd55f2b15863c0285e7df7dbae24b8ae528572bd52df13a6",
"type": "query",
"version": 103
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc",
"type": "query",
"version": 209
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container",
"sha256": "841b368a5a82196761403f4ff326d8459a4501d8431b5e1dc3395acd18a3c104",
"type": "eql",
"version": 5
},
"f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
"rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
"sha256": "135091eba79744ed7a55ef7e0825fb4a5189f443b6940d9f322b755d28b98d0f",
"type": "new_terms",
"version": 2
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "3bb11d5684b0514f8d1a5326d1645b8787ea37ae7731db6df5e7d94945f6ef1c",
"type": "eql",
"version": 113
}
},
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "0265f205075afb8a44fcc9339b9b8e7819b11ee960a7fcadff4ef19c40407944",
"type": "eql",
"version": 313
},
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
"sha256": "6a6d4fc7401921ef468189f6dbd0c74591dd1d15fcab4c0f5b4033610123be2c",
"type": "new_terms",
"version": 4
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "e36c1fdb2b34568b5431017b6d35a86a116bc34c7b9af52fbfeaf4548233dac3",
"type": "eql",
"version": 110
}
},
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "fc3a25445b0ecc88878661c840092042b33a21a6b66a2307253219ea04c67913",
"type": "eql",
"version": 310
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "402f5404fef876bbbd2aba0a471857bb32c2a7c711af599817c9834d0db5c2be",
"type": "query",
"version": 107
},
"f86cd31c-5c7e-4481-99d7-6875a3e31309": {
"rule_name": "Printer User (lp) Shell Execution",
"sha256": "12e7c55fee43e3358537c176334e6b7cd84b05d2c67c317c3fd90c4e662fb744",
"type": "eql",
"version": 5
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 211,
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd",
"type": "eql",
"version": 112
}
},
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "0514fd1665b1dca73aee98091741b1265ecf43a5d052dae60fc15595c8f553bc",
"type": "eql",
"version": 312
},
"f87e6122-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Malicious File - Prevented - Elastic Defend",
"sha256": "d1c898be638d5096dd716fa069d4f97939ae4f046843453bfc9ed889ab139d89",
"type": "query",
"version": 3
},
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 103,
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "29c2ae7b2d50ee5ef2f2bcf97f7765c9e3fd3285a0a90abc25a099698c75201d",
"type": "query",
"version": 6
}
},
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "6ba1bf053fdf699e3aec2f40f34fc6e5a4213ec85fc037f203b85e7f7e59a4d9",
"type": "query",
"version": 106
},
"f909075d-afc7-42d7-b399-600b94352fd9": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
"sha256": "e26f15abdf56aa1b61415ba7dc51da814455d36335a30451a9089c7e28074d99",
"type": "eql",
"version": 2
}
},
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
"sha256": "2e15e1eb9f168cbe35162f3f54f7fafe7bd69c93f20be54a0724c2a79542ebd7",
"type": "eql",
"version": 103
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737",
"type": "new_terms",
"version": 204
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"rule_name": "Unusual Linux Network Configuration Discovery",
"sha256": "d11d9b7a7104ede9ec52c99b7a22fda51997f927c44ba71a8317a0870bf39b4d",
"type": "machine_learning",
"version": 106
},
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "a65eed2cc5b097a57b4e7baac0a286e05e9272a546e2fa4ef98c84b45efbaccc",
"type": "eql",
"version": 9
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Browser Extension Install",
"sha256": "13264d82b596b30f4a39bca88800139df7d59f7e5714ac3294aecb8adb693f2b",
"type": "eql",
"version": 3
}
},
"rule_name": "Browser Extension Install",
"sha256": "420b3c2fb3cad25f5312065eb38e2944b8220eac1111dba2dd1088b95141b687",
"type": "eql",
"version": 203
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 109,
"rule_name": "Privileged Account Brute Force",
"sha256": "47b50b29f44c12811728607a941a9e0e41788b4bf9a46e739700c9b40261cd5f",
"type": "eql",
"version": 12
}
},
"rule_name": "Privileged Account Brute Force",
"sha256": "ed7080268b9fbed899ea78e7e762a2895ae5e18afed44aa1df3c997525874bf6",
"type": "eql",
"version": 112
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 307,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47",
"type": "query",
"version": 310
}
},
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "9f8a0e0868d43b262c98653adb7bed57c23c2509b0fec88ebeb33b1a92853293",
"type": "query",
"version": 410
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "51e2f2e64af9db1e8aff099e445cf685c9af9929b2a4dc5c5e041d2cd8d6caa9",
"type": "eql",
"version": 114
}
},
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "f44d655cddfab574bad8ba3b58410fce4204c988aae453914b18474b396ea244",
"type": "eql",
"version": 314
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "c8d1d95ef6525a3da18e35d890b332565c8b7453a7c89f16c87080264772d9ac",
"type": "eql",
"version": 8
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "ede3e3c7248ecf6e1f840d2bdc7b319a96a0b3eb97e6051872ad5b77a370e616",
"type": "eql",
"version": 9
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 108,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "e416bd900c26017a9a2e60990ee7ae09ced3df13618bbbc45b29fb2340de74d1",
"type": "eql",
"version": 11
}
},
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "d4eaa3dfb8b078f3a464ad91d4dcd5424f2faf343c977d6dd7df44cc08e87065",
"type": "eql",
"version": 315
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"rule_name": "Potential Disabling of AppArmor",
"sha256": "a7096f2d6c73fe27e1f80b1da2c040a60eb8eb8d159f2eb8af2f6bbb2cb3dcc2",
"type": "eql",
"version": 109
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "24ba6424357603cfc73404dbf3312ba7865f04447af416631ded8fec2599f2fd",
"type": "eql",
"version": 105
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "Network Connection via Registration Utility",
"sha256": "b4eed2ddeb40f2bbedc702c4789e5748c0f303fb263208a2bdcd2974c12346b5",
"type": "eql",
"version": 109
}
},
"rule_name": "Network Connection via Registration Utility",
"sha256": "c04bf7494ed4c20a8a87bbe9bb3f2876b8e92b7af292dfac1b2d2f847593dcad",
"type": "eql",
"version": 209
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "babeac41d262653f7ef7c8bddf78a7573fb7894ae7b8c2c9b3f48fc07ef6452c",
"type": "threshold",
"version": 205
},
"fb16f9ef-cb03-4234-adc2-44641f3b71ee": {
"rule_name": "Azure OpenAI Insecure Output Handling",
"sha256": "5c688822ac431693ee2b4997dcf5f420f610ce923f4235bde962d0b0b5df90d7",
"type": "esql",
"version": 1
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
"type": "query",
"version": 100
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "7953f99ece9b3629d330947f9c59294d7504c35d5eb9415e8410833f95063b4d",
"type": "query",
"version": 207
},
"fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": {
"rule_name": "Process Started with Executable Stack",
"sha256": "0463c0b25ecbc17c558c90dfd80f29d64776de9fba2451a8768448d09293b378",
"type": "query",
"version": 2
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 208,
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "59543020be10655d8e81766d6a80fb95792cda6820556f739905cb54943ddbce",
"type": "eql",
"version": 110
}
},
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "afa60af2586a1e3458855aa64f4d3fbbfe063c3f35b3abc5a840d616f77d9841",
"type": "eql",
"version": 310
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010",
"type": "new_terms",
"version": 204
},
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
"rule_name": "User or Group Creation/Modification",
"sha256": "e492a1d379ef0524d4b531024a7edf8a09e7b8174850fd8fd2d8824d76499df7",
"type": "eql",
"version": 4
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"rule_name": "GitHub App Deleted",
"sha256": "77d5e70dceb83e72c91dec0a125b56e67e4f66b20ca31374060260c91887c03d",
"type": "eql",
"version": 205
},
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"sha256": "7c1af1a785726996f19edad02af0353a331e9ccd7a6095127460e2ee4da6beb0",
"type": "new_terms",
"version": 3
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
"type": "eql",
"version": 100
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 210,
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "1ddee753094159e636e994613c0a04ccd3e560927f3709a93fe7d8eff775b79e",
"type": "eql",
"version": 113
}
},
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "ecad7f4f5f9d2d94f799155a9d4edf26afe515204c3d70ccf998bb5c38a05820",
"type": "eql",
"version": 314
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 209,
"rule_name": "Suspicious CertUtil Commands",
"sha256": "379008bb580fbcb724bd44937e0f2111250767511073c4d6fe5bf58915e22fa7",
"type": "eql",
"version": 112
}
},
"rule_name": "Suspicious CertUtil Commands",
"sha256": "b78d113de0bcc2d10346ef3dcedc2bb6f2425ad39eb45da5c6599ebf70360488",
"type": "eql",
"version": 313
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 317,
"rule_name": "Svchost spawning Cmd",
"sha256": "a61a30ecc9514cb3b5eb1f9d31f97e104e4a51cffd65cbe67fad341835938bfe",
"type": "new_terms",
"version": 220
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "70083ab8bb26ab3862c4b0f8f287939374e513aa751728554cde9ac66f4f0565",
"type": "new_terms",
"version": 420
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"rule_name": "Image Loaded with Invalid Signature",
"sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d",
"type": "eql",
"version": 2
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"rule_name": "System Binary Moved or Copied",
"sha256": "3f455b9a9fc20d9dca4d989e3236437d2b7c702d96e34fe01c0e21181bd9cc34",
"type": "eql",
"version": 14
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "87b8915f4df4e07283d519a5459b89600a2e9018c07136f10a454968ecec7522",
"type": "query",
"version": 8
}
},
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "21800d17e1a701df364ecf5e4dc921c47a9978bd53f4290052756476349613b3",
"type": "query",
"version": 108
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "8c11dd82f0841066ff7939242c462d6f9ae4ab6375851532b649a5cc2c186c9b",
"type": "query",
"version": 107
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 213,
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada",
"type": "eql",
"version": 114
}
},
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "cb03d4fedad0f761b8ee747dbf555bfea74c2931a6f2dd3f82004c0cc1571b65",
"type": "eql",
"version": 314
},
"fe8d6507-b543-4bbc-849f-dc0da6db29f6": {
"rule_name": "Spike in host-based traffic",
"sha256": "baa59da5dcb208d63be6ca6420e0b62e2ca919aef3ddcb747743d03641a266e9",
"type": "machine_learning",
"version": 1
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "6d71e2f5b064aa990886b9f8855595def2146202b93e657c62c021e3bc852c84",
"type": "eql",
"version": 5
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
"sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87",
"type": "eql",
"version": 2
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 207,
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329",
"type": "eql",
"version": 108
}
},
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "99cf8e49260a71f7e543cba491822d4fa747aac63b25532628d89de61e7b5e56",
"type": "eql",
"version": 308
},
"fef62ecf-0260-4b71-848b-a8624b304828": {
"rule_name": "Potential Process Name Stomping with Prctl",
"sha256": "4f8d4f17d7899a44961b0ed15bd61e32234c08c800dddbae9b75aa238bf40541",
"type": "eql",
"version": 2
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "7c706cb36925b68e3326c38052f0bc6a5afdfc8ef02a33dc200e92fae09dbb2f",
"type": "query",
"version": 105
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"rule_name": "Potential DGA Activity",
"sha256": "ef8f045d4a373ebb67741cef329ed0e2b3a356b64978bd6dcad9716fb2f3f592",
"type": "machine_learning",
"version": 6
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"rule_name": "Cron Job Created or Modified",
"sha256": "2bb9047a12faecde8952e7f0bfe8c12187345c8e1016fdd19c1ebcfdb379f298",
"type": "eql",
"version": 15
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
"sha256": "cb20be6b7c6db1a5ba68b0ab829e75e5faad09e13d4ad4db8d1d303a36958a26",
"type": "query",
"version": 3
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",
"sha256": "af8119ce553fafb567f949620657a037808e29169ff198277765c4f54f6aea09",
"type": "eql",
"version": 11
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "fd7869fa1dfb7814d85e599eddf43e2fe64eeff6d58e4bc655b81add4f748fe5",
"type": "query",
"version": 207
},
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "142aa8456d0c3151257b8d40bb29b00d7880561940ea1366b6c850725a7fa90b",
"type": "eql",
"version": 2
}
},
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "1b182aabc1a25362770238d8e6fbd5d91def7ad420cbd29f0ec914985f603673",
"type": "eql",
"version": 202
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "dbdeafa2e40515c24f4df798e5a2d653973541813b5f25cad1c52cf8e334f69f",
"type": "query",
"version": 105
},
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"min_stack_version": "8.16",
"previous": {
"8.13": {
"max_allowable_version": 106,
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "b3468a2a0f4b606f04c16270c18b6b7d2a77491078aa852a13f671f64b328173",
"type": "eql",
"version": 8
}
},
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "5d48f1579b67e658a9ebfd53af34e7acdd767d850d05135ee9de6568e1f9d791",
"type": "eql",
"version": 109
}
}
Reference in New Issue View Git Blame Copy Permalink