sigma-rules/detection_rules/etc/version.lock.json

{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99",
"type": "query",
"version": 211
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99",
"type": "query",
"version": 312
}
},
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "983f1980633f2fdeefc4b7d50b5e5662382880e65a27b51351387386cf225207",
"type": "query",
"version": 412
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587",
"type": "eql",
"version": 115
},
"8.13": {
"max_allowable_version": 313,
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "95d6bda6c85aa51a099bee8f81f8ca363afbd0a32c6243308b42ca2e6acbcbf7",
"type": "eql",
"version": 215
}
},
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "d0e504df5a08de7cc03083586e584341e9e476f9a9f5e9a525b4412d81faee74",
"type": "eql",
"version": 315
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "System Shells via Services",
"sha256": "234ca1d03d9490f694e58e4e930034af44bc5607d0b3d9b618220e2c43f63709",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 413,
"rule_name": "System Shells via Services",
"sha256": "053a24a7c772b51aa6c4cacaaf2b60d644b999d648117254f85fb9550c02b7d1",
"type": "eql",
"version": 315
}
},
"rule_name": "System Shells via Services",
"sha256": "3c7e037d08a986cffce89446616f2c30c98c4f0c30ab9560f83af5f3f4ae76dc",
"type": "eql",
"version": 416
},
"0049cf71-fe13-4d79-b767-f7519921ffb5": {
"rule_name": "System Binary Path File Permission Modification",
"sha256": "9e9b47bac87abaaf02aeaf05eedd8f1a653fc1029c4f02a0045c900af6fa03a6",
"type": "eql",
"version": 3
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"rule_name": "Google Workspace Suspended User Account Renewed",
"sha256": "084af080fe0d6182cf5ea6c48b232167996f3eead720253e885568afa89e5afa",
"type": "query",
"version": 4
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "3d31dd5d0a8353000b212c5ffe3b14f5abe88a3f98db97488625321608bd20f0",
"type": "query",
"version": 207
},
"015cca13-8832-49ac-a01b-a396114809f6": {
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "1341375c3cccb30e7ed441439c386122fec8eca43759b591f42c42d2bd11083f",
"type": "query",
"version": 207
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"rule_name": "Potential Network Scan Detected",
"sha256": "34e2dab204ed0dfc0784ed2fa9de784ec3368627b54a2052bb170264f47c7b05",
"type": "threshold",
"version": 9
},
"017de1e4-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Memory Threat - Detected - Elastic Defend",
"sha256": "8c608745f949a23f1981034b99641bc9f149c2fab5f595f6c8df610e22a011ad",
"type": "query",
"version": 3
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28",
"type": "new_terms",
"version": 204
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "810907d90a27aee361c0e4bdf4d0bfe79e58e47c2b9f7a8df4b14ad750f1aa8a",
"type": "eql",
"version": 108
}
},
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "dbcb6ee16e0332c0f9e3c35385be6f5264364abf46e4cfa8504e52f66afc3999",
"type": "eql",
"version": 208
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e",
"type": "new_terms",
"version": 204
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"rule_name": "Process Created with an Elevated Token",
"sha256": "1ac8ed3b1ca5fea1b2f1908042c00a316d4459af2220eb483569bcea820be9c1",
"type": "eql",
"version": 7
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "376189f0989a9c834ea9e807f1c31236301e528eec227aa389419a7e53aeabf0",
"type": "eql",
"version": 209
}
},
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "3e2498d141db920ce8fc17488acde7032ea81b42d39f7e26c4050febb32a3bec",
"type": "eql",
"version": 309
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "c09424400f8baab1bc7e15018527a7b26314073d02a79aac933a265ba32a2bf5",
"type": "eql",
"version": 3
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "a07d5178b0d63fe45832be7feae2eea146956b3b81baf2c247c23c39a4465af4",
"type": "query",
"version": 107
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "6914713f09336f9c3dd081ef53ac47488673b0d06d86d731eae0c68021783845",
"type": "query",
"version": 207
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1",
"type": "threshold",
"version": 112
}
},
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "4ba341e47ade2acd985606544787c92e19701acffaf9c287fd5689ac401c7368",
"type": "threshold",
"version": 212
},
"035a6f21-4092-471d-9cda-9e379f459b1e": {
"rule_name": "Potential Memory Seeking Activity",
"sha256": "20152e6156019129d0fbbb345d391d5e782b2a10b7ae835fd26d8be3e6e3838c",
"type": "eql",
"version": 3
},
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Suspicious Dynamic Linker Discovery via od",
"sha256": "63da0c176cc07352e9a1cb9d92ededc8900ca1b1c6f6dfa5b1d8af6e158f55fa",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Dynamic Linker Discovery via od",
"sha256": "bd5bbad719e965a90859b0a4bdedba465855590236e80fa2f05be1b1943c969e",
"type": "eql",
"version": 104
},
"03a514d9-500e-443e-b6a9-72718c548f6c": {
"rule_name": "SSH Process Launched From Inside A Container",
"sha256": "f20d44b0d750d0c26fca0b620394312ba50e05209f19a2c8efe8a5779d97e899",
"type": "eql",
"version": 3
},
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
"rule_name": "Potential Network Scan Executed From Host",
"sha256": "ae3ea0137d74ca472a7ba99931f0fb829c7b6419004e69b9a9a0ac88b87e0ebb",
"type": "threshold",
"version": 4
},
"0415258b-a7b2-48a6-891a-3367cd9d4d31": {
"rule_name": "First Time AWS Cloudformation Stack Creation by User",
"sha256": "52da905207d1e7c88fc6422717c8a5e4a92dc36ee070a06fc4bcdbc3d90476d3",
"type": "new_terms",
"version": 2
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "3b26f04620990f0636c48d69c7dddb1091ac744f61ef4244cf1bf27d38677ecc",
"type": "query",
"version": 111
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
"type": "query",
"version": 105
},
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "47373227a503f5fe1fde96d536e6a205fcac83b971b0dee087b3614cd96c814f",
"type": "eql",
"version": 3
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "8d179fe06605d1b9a62c3cda5f232e20d6e98172b8c62bc1ac5e3c362f0caf83",
"type": "eql",
"version": 103
}
},
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "95d69d7ba9d1821cb7a31fc102eddbf4725f3512d45f8c1129cd08902c00b9da",
"type": "eql",
"version": 203
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"rule_name": "Azure AD Global Administrator Role Assigned",
"sha256": "60c46c899a69ab28b32485227c01fb16cee84b26abd65893b8f900c888034338",
"type": "query",
"version": 103
},
"04e65517-16e9-4fc4-b7f1-94dc21ecea0d": {
"rule_name": "User Added to the Admin Group",
"sha256": "605d63b5087ecb7c6b317b124502b5109f16a229ccb1a878d7f5c7f08940e119",
"type": "eql",
"version": 2
},
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "1ca8fdf09317fd36c70df03f3201b8274dda82e84f259811b7e392d1b5d8e6b4",
"type": "eql",
"version": 112
}
},
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "a219cd9773dc1fa8aa69881e4de1fb3c8b9b635a1c380a4782cf15cec90f8904",
"type": "eql",
"version": 212
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "8d613ba421aebd8dcbce56302f1c2d6a19b749085004adc1050a81aed090dcc5",
"type": "eql",
"version": 8
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e",
"type": "eql",
"version": 114
}
},
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "b2f9992729bc05c1ad61753e6a581826cfdbf50a5cfe644cf620c534e0ee0add",
"type": "eql",
"version": 214
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "ccb2ff57c3244f25002537f1dc77486f9eafdcdbd670e3f6c41a50749f80121d",
"type": "eql",
"version": 210
}
},
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "de972a03d58e0257614b0bd101a01763a9c8905bf07a6d5a97b16871115da13e",
"type": "eql",
"version": 310
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"rule_name": "Tainted Kernel Module Load",
"sha256": "6e6fcbbf2ea3332a110e3c68ebc52cde1b789a0370ce24f76e00a25d8c349bf6",
"type": "query",
"version": 5
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "c70d925a16e8a0ca54c52ed7ba79164ff5091150dc18e8f3096440d73fd87433",
"type": "query",
"version": 109
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Remote System Discovery Commands",
"sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4",
"type": "eql",
"version": 114
}
},
"rule_name": "Remote System Discovery Commands",
"sha256": "8385d01edb4859b073dd968c3ed428bdc9f20bb184869f14eb4f42692a0abe06",
"type": "eql",
"version": 214
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "System Time Discovery",
"sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261",
"type": "eql",
"version": 10
}
},
"rule_name": "System Time Discovery",
"sha256": "91c3723d6e06feb5696fb366c36fe16394766a895529e478dcfcc8ccbaddc71f",
"type": "eql",
"version": 110
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"rule_name": "Unusual Remote File Size",
"sha256": "1c0662f5b11e6019bfa3e32d36fedf5821114840e8aa8e424150ea7631c58079",
"type": "machine_learning",
"version": 5
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "826697069ae29aadaacdd84897a741e47446903296eba95adab0ba771cfdbe5a",
"type": "eql",
"version": 9
},
"8.13": {
"max_allowable_version": 208,
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "042f24758999dd875c2a6d26e28f71851c30b509b0ea5f898455dd21afc4bc81",
"type": "eql",
"version": 109
}
},
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "dec496b372a0c9557658a4e9e0df8160dac454df7fd61ff83f0ab2d0eecfcbd1",
"type": "eql",
"version": 210
},
"06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Dynamic Linker (ld.so) Creation",
"sha256": "798d7634945767913aeab178e7df25c3696ac6e993cbaaaefe8030ea91fe0f4c",
"type": "eql",
"version": 2
}
},
"rule_name": "Dynamic Linker (ld.so) Creation",
"sha256": "cf3d305ea89fd7b2c84f8ed412f55d0c5180e021f2d107a517d501e85c15e038",
"type": "eql",
"version": 102
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "fe0b271cf1660d839ba9c04e3ae7c6a2ae6bfc5ba80b354d7aa2ebf8ba75db6b",
"type": "eql",
"version": 114
}
},
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "cb388e3a30c4e77292f3c6ffde5fabc2aa388f8affa6756cf70e1b8442d61a30",
"type": "eql",
"version": 214
},
"06f3a26c-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Memory Threat - Prevented- Elastic Defend",
"sha256": "40d0e6bf90bb885b5bedb92204b324ea0899096734b6a33c10fcbf76f6ae8266",
"type": "query",
"version": 3
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "a22920bafaad8e23ba5d6eebfc838d200a2d39ff0987bc849ff03110e9fe7ba3",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "75622c12c2b3910b87a6b069b747a11dd444908ee4ed676472e167c4347fb1b4",
"type": "eql",
"version": 211
}
},
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "69ba5e2f0de8ccc7766ab1484193e28e740b07a10fcb6f6f37899158d8f1dd24",
"type": "eql",
"version": 312
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "380c523049b8404ce0d831d93a39d8d6e334c2a51c94e3454920aa9b947d0d60",
"type": "eql",
"version": 107
}
},
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "3d9549ea279015b77bc82b2e69b630d2013529cbc37e51d1316381f1c8f34d54",
"type": "eql",
"version": 207
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5",
"type": "threshold",
"version": 7
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "09c2f36752a76180ee5f6c3d999fca9b4a594baf1e68da518828098d4a918b29",
"type": "eql",
"version": 10
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "7a1e221305122e11869857dfef01583fa3242e9353bbc3c58bd029ddc08ce349",
"type": "eql",
"version": 213
}
},
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "a02807e2dbf00fd418c04b345cf9bb599e756134d50cfc7ceb239d0db3e3d270",
"type": "eql",
"version": 313
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "9ef2074f6e701f2d706ccfe7165569007fc670532ed8a720905e2fbff4754a32",
"type": "query",
"version": 107
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"rule_name": "Suspicious Browser Child Process",
"sha256": "ae0e822932b3d3a4abbd15f6ff61bd9086207d22ea05cfc9cc59eeca918294b9",
"type": "eql",
"version": 109
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
"sha256": "2b0a0ede15789e0b7a7554ac68cafe6384e235975fcfec67debe968db0c4c318",
"type": "eql",
"version": 108
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "a01dd38408bbec2545a780590fb1551649acb6e25b7f9589b305b518dcfae70a",
"type": "query",
"version": 107
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "First Time Seen Removable Device",
"sha256": "f1ac8cf1be60a96de758a01dfbfd0a5b594450e5a38ceae29fc315267402c892",
"type": "new_terms",
"version": 10
},
"8.13": {
"max_allowable_version": 208,
"rule_name": "First Time Seen Removable Device",
"sha256": "c14fec5bc1b916855cac0929b535c0865ae08136bf417b3ef52374ed88a27cc5",
"type": "new_terms",
"version": 110
}
},
"rule_name": "First Time Seen Removable Device",
"sha256": "70f7e9b02ae62752a1aa355c2bf0737861fcbe8f6d564b36f533e1c115925ed6",
"type": "new_terms",
"version": 210
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"rule_name": "Windows Account or Group Discovery",
"sha256": "345611059c1ff3167364a9fd80b7f975c8cef14393238750bfa8c6207ab12bd0",
"type": "eql",
"version": 5
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
"type": "query",
"version": 100
},
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "0e3d828631e0a83196eea6787fc18de515f9e27764d93909572b5cc61b7ddc61",
"type": "eql",
"version": 109
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"rule_name": "Process Termination followed by Deletion",
"sha256": "14b2c50279749311159d46204420c773d52555a562d83ce604a03fd9d9abaafb",
"type": "eql",
"version": 111
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "Member Removed From GitHub Organization",
"sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a",
"type": "eql",
"version": 104
}
},
"rule_name": "Member Removed From GitHub Organization",
"sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7",
"type": "eql",
"version": 204
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
"type": "eql",
"version": 100
},
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "7040132674395ed77ee5b703d59cfbefe989b32ac76e3f85c8f03862f368df3e",
"type": "eql",
"version": 7
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
"sha256": "f6a45024261cb0b349f1b5e65afcbfd1cffe90e669fa3157bf60ea20538b5f44",
"type": "query",
"version": 103
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "7a47db16ef187e82ca162b4ddc7be98c559c56f60930c7f857b4998e456db762",
"type": "query",
"version": 104
},
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "d0ca847022a16689d65f980293f4e0fd6f57daf55cdf34dcf2d377d146f0757a",
"type": "query",
"version": 6
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "d48d0db0dcf2f0f427cffe2c1fc5c43f10abee34268e5d667453968fbde0f29d",
"type": "query",
"version": 209
},
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
"rule_name": "Yum Package Manager Plugin File Creation",
"sha256": "2246ca718f9e4c68f8015278f6c338d481215cf44d109266c689582b268cd4b6",
"type": "eql",
"version": 5
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Anomalous Windows Process Creation",
"sha256": "e58901307b82a6b703f7a5b2767769ca7cbec1c80db040954fe646835f35d714",
"type": "machine_learning",
"version": 109
}
},
"rule_name": "Anomalous Windows Process Creation",
"sha256": "c0f120a64ff245f24b22572875fa394dbdc77cb4f3718153eba555eb889feac8",
"type": "machine_learning",
"version": 209
},
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "User account exposed to Kerberoasting",
"sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0",
"type": "query",
"version": 113
}
},
"rule_name": "User account exposed to Kerberoasting",
"sha256": "ebe574808b30bc1075a58cef2f874bdd05f42e8a24777f0a63b52a2120faa70c",
"type": "query",
"version": 214
},
"0b76ad27-c3f3-4769-9e7e-3237137fdf06": {
"rule_name": "Systemd Shell Execution During Boot",
"sha256": "f38d9a3cb527fed3ad70ba4055716a8490606cb347a6813497bae630dd296758",
"type": "eql",
"version": 2
},
"0b79f5c0-2c31-4fea-86cd-e62644278205": {
"rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
"sha256": "4a8f1df0c1c99b704e5485fd658ff9569854ebb1e729a16996a835862cfe8f24",
"type": "eql",
"version": 2
},
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "91457268048c8d92e741bfd1d7bb5d54fe0d743c61407f7a0715f70c10dfa674",
"type": "eql",
"version": 7
}
},
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "7fc4e84759a2af54a9511e0a595038dfb7f5e4cded7427859e3081ac8d7ff641",
"type": "eql",
"version": 108
},
"0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 101,
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "7ffa76bdd42de95fc9de0514beb379f3022d2480038fc89512a38dc061cf24e9",
"type": "eql",
"version": 4
}
},
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "e00123eeed5a9592b8d966a72a4ad924189880c7010e544d25d5026d9accd309",
"type": "eql",
"version": 105
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces",
"sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286",
"type": "eql",
"version": 2
},
"0c1e8fda-4f09-451e-bc77-a192b6cbfc32": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Potential Hex Payload Execution",
"sha256": "74f721a4c27361f235243b389dfdd0770212ed79d7fe1c2959e73c93b9edb754",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Hex Payload Execution",
"sha256": "60df1c7136646558bb4c4713cbfb9a5a4b107a9416be8a60fbf7700cbcb94ce3",
"type": "eql",
"version": 102
},
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"rule_name": "Threat Intel IP Address Indicator Match",
"sha256": "9507b5aae7440ff10ceb3f3e75dcc178e809320a084d56e616de90e14713d0d6",
"type": "threat_match",
"version": 8
},
"0c74cd7e-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Ransomware - Detected - Elastic Defend",
"sha256": "8c9fd34f4f30b211e680a28ab5e00352770c9972db08cf8a11fd6809a97edbf9",
"type": "query",
"version": 3
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Peripheral Device Discovery",
"sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Peripheral Device Discovery",
"sha256": "e9e92aa8e1ad67d6a76c1d863117e5661cf826a76f886d086ccb881e82884a23",
"type": "eql",
"version": 210
}
},
"rule_name": "Peripheral Device Discovery",
"sha256": "5c9eb5418f67e5344018b20070d77c09629e1a8fd55f8bdf09e6f4d8e14b8d43",
"type": "eql",
"version": 311
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"rule_name": "Deprecated - Threat Intel Indicator Match",
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
"type": "threat_match",
"version": 204
},
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
"sha256": "0d0084d44982bd3c5392b363044b94d1c083b4ff85c4da034a82be08872812d5",
"type": "esql",
"version": 5
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "c5b5703eecd7632b4ddb4091627b0ff3ab51fe21941d1f5b53297f00d72c4f4d",
"type": "query",
"version": 207
},
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"rule_name": "Multiple Alerts Involving a User",
"sha256": "15e804addadde83664812796f8f9823a5c7ebff99e0beb27678162bd9c31e24b",
"type": "threshold",
"version": 4
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Nping Process Activity",
"sha256": "b83427252d66ff411238da7c5005c49740b023436dbc3bf58ba27c1ee3922248",
"type": "eql",
"version": 109
}
},
"rule_name": "Nping Process Activity",
"sha256": "1ecfdf114395bc4eb70a3fb066620a04c60f99884612e0f29066015950dbd8dc",
"type": "eql",
"version": 210
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "e5c5f267f119e9874c5b19c097244a7253714352e28e2fcc353b74d5c36bb3e4",
"type": "eql",
"version": 111
},
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
"sha256": "06cd8ab4b8922f24d2b6151406f8680b95c67b7d415ccdab4ef61cfc5c80fda7",
"type": "esql",
"version": 2
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce",
"type": "new_terms",
"version": 204
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"rule_name": "SharePoint Malware File Upload",
"sha256": "74965d932cbd9a720a97b2ceab342bba465997b95f0c655b95003fbbe6387365",
"type": "query",
"version": 207
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"rule_name": "GCP Service Account Key Creation",
"sha256": "59e29ccc3ac8165891a2e84b728fb276eaf024e4adc86f129eed888139ef37bc",
"type": "query",
"version": 105
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "MsBuild Making Network Connections",
"sha256": "7c639b668c0b9207254749cb4e45c08ed861a61d1b5e8b27147b3b664d0ae255",
"type": "eql",
"version": 111
}
},
"rule_name": "MsBuild Making Network Connections",
"sha256": "dcb595ba973117d787c324d67e3c1089fbb00fd94c18e02e68348da2cbca9297",
"type": "eql",
"version": 211
},
"0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": {
"min_stack_version": "8.14",
"rule_name": "Sensitive Audit Policy Sub-Category Disabled",
"sha256": "2ccd6e44765c01f2922e5dbfec21d3112b12ea481499e274cc65faed4937a76a",
"type": "query",
"version": 2
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"rule_name": "rc.local/rc.common File Creation",
"sha256": "9d1acfe268c50abdd645663c36152672c58badfb78f109529fc5cf7392c38aca",
"type": "eql",
"version": 116
},
"0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Polkit Policy Creation",
"sha256": "44b43d02b93465a284ad02a34ec8aac120647331d3e94740777d0814d5113600",
"type": "eql",
"version": 3
}
},
"rule_name": "Polkit Policy Creation",
"sha256": "0afcc930436684dfdd61e2ef01cbc1adfa72ab7f84b9fd58280c94953ffdaae0",
"type": "eql",
"version": 103
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "79a36ec04c23d206b4a169e76b5d28d8f804a425556086fca9789d4fc8b188da",
"type": "eql",
"version": 4
}
},
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "4b9e8dd7f874cd95eb91b79ea9ff20499a9372b785b00b28508b0ce941af417e",
"type": "eql",
"version": 105
},
"0f615fe4-eaa2-11ee-ae33-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Behavior - Detected - Elastic Defend",
"sha256": "84214be4565dee7f618d414cd2599619e3b5a008b2e5acfb397c79d2c6020732",
"type": "query",
"version": 3
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
"type": "query",
"version": 100
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "47eb039775808da28b11790e0cc065e4a50d78e27c509b0d3658b680d0e8afa5",
"type": "threshold",
"version": 211
}
},
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "bbaf49b522cd5d40af2d47cba7e4b4171ca4727ca8719122a6cdbee63432dc73",
"type": "threshold",
"version": 311
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "76940df70c1484a0067d03c9147c59cb9cb88ff381bc232e981395b072fbcad0",
"type": "query",
"version": 107
},
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
"rule_name": "AWS IAM Login Profile Added to User",
"sha256": "dff5cd6124560d135f2d7393f7c92da107c6f1993843cabdc031a2c21f69d7fd",
"type": "query",
"version": 2
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
"type": "eql",
"version": 100
},
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"rule_name": "WebProxy Settings Modification",
"sha256": "43d8180f7e5ee5ede17e49e4b51dde1ec237e4fd3684df5ed85afbbde690f390",
"type": "query",
"version": 207
},
"10f3d520-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Ransomware - Prevented - Elastic Defend",
"sha256": "7ad9cd5a7ed6933679d180d53ba468c0afbf17789887c8086eeabdbd30f751c8",
"type": "query",
"version": 3
},
"11013227-0301-4a8c-b150-4db924484475": {
"rule_name": "Abnormally Large DNS Response",
"sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721",
"type": "query",
"version": 105
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "46d8b330ba652e23adf896e687f3e5366a624a5331876fc279966cc8b152cf65",
"type": "eql",
"version": 112
}
},
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "a2bdb54600ed5810827ddcde587fdd19f4abe4ac4f268242ea2b360c433b20ae",
"type": "eql",
"version": 212
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "a994d1f91f21add41bfa56ede5881e607b7400b4d3892076489853ee155f7fce",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "153cade6c2583d73aadcdb8e1f138fd04f15225a1d087281dfb8e0a38a94a08d",
"type": "eql",
"version": 213
}
},
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "89ff75015ccc7505d10b8e1dd68a6e00bc013390bb1d3c3261ebea0dee5a9cd8",
"type": "eql",
"version": 313
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "22b038a9d7ed9ae2bb66b4cb46bcfc5b0b5fd00d0c6512a3aa092001b5c12e80",
"type": "query",
"version": 207
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
"type": "query",
"version": 100
},
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 113,
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "a7ec142dcda7675c77e9b876a21fdbc81216e3a996b187d8b9ce5fb6ee881abc",
"type": "query",
"version": 15
}
},
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "6b484742b765e528a93679109d41f88dab5fc43c020fe7354c920f488c850661",
"type": "query",
"version": 115
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967",
"type": "eql",
"version": 113
}
},
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "529c6c9afcecffe9bc1f09b979a34bc926f72b18aae363094788855893224f4e",
"type": "eql",
"version": 213
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "2e9c3df902a7e2af50b5f91cbc53f971eaac2d7c296180dc7140aa88c286406a",
"type": "query",
"version": 207
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
"type": "query",
"version": 100
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "36f3d53e0e615d93af889f1a29da008db557f004f34ab0b3a14b5210f0aeee2f",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "5e43858136609068909a67bd2ffd833f974eeee7ae19cdb80a02ae08ad096d70",
"type": "machine_learning",
"version": 108
},
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
"rule_name": "AWS Lambda Function Created or Updated",
"sha256": "034e4008a61db1376ed832a2c197463f0db3f4a325e879f200fc0180f30cdc17",
"type": "query",
"version": 2
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
"type": "query",
"version": 100
},
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Suspicious Lsass Process Access",
"sha256": "b5585ef93c094d17af2ec93e821abae35166aff50db392c679bdfd4ad289691e",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious Lsass Process Access",
"sha256": "19af37acbf8a0f9774fb22c8fe43855471d07d04d9aa68dfaf95e90219bd65a0",
"type": "eql",
"version": 209
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"rule_name": "Kubernetes Suspicious Self-Subject Review",
"sha256": "75734b3460dff650d8fb6adbbe456341d03756acefec419bdbe2f8dbb064b12b",
"type": "query",
"version": 204
},
"12cbf709-69e8-4055-94f9-24314385c27e": {
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "7c44812095bd92d02344d24e68f59d1becb7a2912cb9f782309717e196302e80",
"type": "query",
"version": 205
},
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "272a96e698a6afe16c3181d064b9c894e77f51b3eaf866209b5dce7565d67d30",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 202,
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "dee24546d469b37c7b76c8f8f173a6c83c366cb49c0b9576f370a0bd5511952c",
"type": "eql",
"version": 104
}
},
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "1a23f04cf58db376fd7b4ec19d06758a03d9ff61f0e7e73111cd6bdebc85966f",
"type": "eql",
"version": 204
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "98f99aa122e1e624b3e09c6ba6ef60f17fad0fb85c2a0312908fa83888d30adf",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "655e84527e938f302b438d0661911d1fc0c26eb040707b8dadc870b71b09621e",
"type": "eql",
"version": 214
}
},
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "e64945c3198ab598f7b7fbb252d2af8e1130443ca01fb4b04ab121f6bdea367e",
"type": "eql",
"version": 315
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "17d08d5a22a343108d957c179ce6094d0257d0d8b2579a4951119dda819508f6",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 410,
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "9e89e81b01768e4420d38600625f002d5442c3b66d427dc5892345446d213aa6",
"type": "eql",
"version": 312
}
},
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "b0ccfcb313b2d42d0235a2596412d1178773cf4161732fd7ad768553a89a446b",
"type": "eql",
"version": 412
},
"135abb91-dcf4-48aa-b81a-5ad036b67c68": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
"sha256": "7a40d647d43e173b746b298d0619a6058cb05a2eb33d6e0a4e546788fa16634a",
"type": "eql",
"version": 2
}
},
"rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
"sha256": "8abcc3f4f205afae84358660b95a2527d10a1f5a33fb6aa904c0c1280d8b6805",
"type": "eql",
"version": 103
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"rule_name": "Rare User Logon",
"sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59",
"type": "machine_learning",
"version": 105
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7",
"type": "threshold",
"version": 7
},
"8.13": {
"max_allowable_version": 206,
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "ac05cb0b596f7532273a85d11c32fdb6302791693df41953a29630139fe66853",
"type": "threshold",
"version": 107
}
},
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "d0a42671292f00c27195e313455fdfaba1fec838c135fe4e95baf80fe9fe68bd",
"type": "threshold",
"version": 207
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
"type": "query",
"version": 100
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score",
"sha256": "3ec2e506931ecd0b5ba1e027207e34901c5ac024f575d19242d7a03f5ee033f6",
"type": "eql",
"version": 9
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"rule_name": "Azure External Guest User Invitation",
"sha256": "6fbce9547774cb786e35438648ca5a236089ce43936066235b21a006520def25",
"type": "query",
"version": 103
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "05723d7fde940cd2cc2663a56ee79b455405ca9d1e1270db75b986c5ef72717c",
"type": "query",
"version": 105
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Office Test Registry Persistence",
"sha256": "3e44efbf96a359a35159414069ff36e12436779f48247e1ebb07a941605b448f",
"type": "eql",
"version": 4
}
},
"rule_name": "Office Test Registry Persistence",
"sha256": "ef730832a93503b501376aacb96760534cb31876eed560a014670d79b2d03b74",
"type": "eql",
"version": 104
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "fc2b301f6bbaa53417113b60b7a3c366d6f6c509954e72e27e9386b8b8585c28",
"type": "query",
"version": 204
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "c1c4d209cde3b94cd2f8c548ecdb34cb3fa679dd0b53e7fdede58f9d1556ead5",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "c8f114645f7f362fd704081bd1e07a79689640b1eff476ca39c731460729be8c",
"type": "eql",
"version": 212
}
},
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "9b84185dd52ac21aec4f2a8db1583492782012ec7a3cf59ce9987512ffb52e0f",
"type": "eql",
"version": 312
},
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2",
"type": "new_terms",
"version": 4
},
"8.14": {
"max_allowable_version": 203,
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2",
"type": "new_terms",
"version": 105
}
},
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "b2723b3de15eaf38f608b269cd27119a720895d4cd72b126071f5f0dd90555ee",
"type": "new_terms",
"version": 205
},
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"sha256": "f1e6f5c52e4c18b16f84c216103655718a11c24159fd88c9d53d7810f03b9fca",
"type": "query",
"version": 2
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "c942ba35d01b9cb9eebfce159f6c2ef894b5f93d7501c1f04fbfe4f029914e25",
"type": "eql",
"version": 4
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "5a835be130b2d7d504bdf643f6c5b59025ee40eea781463a3ad0526d0dcdea26",
"type": "eql",
"version": 112
}
},
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "14ea5e0fd126666fbc1f42f74fc27465bd18827b6a4a7aa6eb91a8a20c82dea1",
"type": "eql",
"version": 212
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "0cc6051b059f0a4c23d62a16a546d261c5bbbf67a3446bf0fb2712619334c81f",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "47c62d0707a97119096476193b3bbf9c24f7265594587011d87a5248a4d6a588",
"type": "eql",
"version": 214
}
},
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "affead342a3622a946986ec040beb993b0e5c27fe2442af4d4cdd70cce50f419",
"type": "eql",
"version": 315
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "0b2ebcc224d55592d6f4b75e83df6d80460d48ba25c8b07d71ddeb2e16fee539",
"type": "eql",
"version": 109
},
"160896de-b66f-42cb-8fef-20f53a9006ea": {
"rule_name": "Potential Container Escape via Modified release_agent File",
"sha256": "6227f5574f6e391b1d85763a35113b7299b3d0a278820a3c90fe8d5758de412d",
"type": "eql",
"version": 2
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"rule_name": "Azure Automation Runbook Created or Modified",
"sha256": "ba45931cd861307121631371d3ceada4c31f8c0df2f03e06f91fc43499cafeab",
"type": "query",
"version": 103
},
"166727ab-6768-4e26-b80c-948b228ffc06": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "File Creation Time Changed",
"sha256": "4b13b87a19503b754f0e1168a58053e72b7ab57ed3f6b4fa1e85ca983050228f",
"type": "eql",
"version": 6
}
},
"rule_name": "File Creation Time Changed",
"sha256": "a4b5224b6210e6ae22a3b2aae8187bd48cbb3c7b41926bda9a2a48c0528de974",
"type": "eql",
"version": 106
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "23b10e667366dd92f41808c9b01db2f62209ebea86cc67add8a43532a3341b74",
"type": "query",
"version": 107
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"rule_name": "AWS IAM Group Creation",
"sha256": "ee11c9442b8e8b3ba41f33c3a39715ed346f2d770c4dc8cee36662b2214222d0",
"type": "query",
"version": 207
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"rule_name": "Component Object Model Hijacking",
"sha256": "b0696bdb5caeee166adb282c9d5183cbe4347a8d2fed7807235f3e34d613d7a4",
"type": "eql",
"version": 114
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "30c1e02f8b5df888465f9f773cce6911948dbf981fe5e6478cf53dad158c8671",
"type": "eql",
"version": 111
}
},
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "3a76496d25961498c7105d4962f1c5a68168264eadc61c4c51b20c602177f4d8",
"type": "eql",
"version": 211
},
"1719ee47-89b8-4407-9d55-6dff2629dd4c": {
"rule_name": "Persistence via a Windows Installer",
"sha256": "8ac49e7c12e9e26728ce584fffb95e858c0145cd1ff89099123834f39022652e",
"type": "eql",
"version": 2
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
"sha256": "6862e5d1dee36ec1dcdcd165a67f6c373cd83aaa5f0db1b63ac526b78d346e02",
"type": "esql",
"version": 4
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Unusual Windows Username",
"sha256": "e9ed01e74760cd8f6b5436fa2bf1017b75f7981365876ee0443e0bab995a0f27",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Windows Username",
"sha256": "1e10d9ab500e362602268cac7c057d8f4200d268485ee4c70b1e1381d74f32a7",
"type": "machine_learning",
"version": 208
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Service",
"sha256": "a1c9cbff26b71eb5194648a9907fd39e1504c7662a8f217cd2e9c099f9e24767",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Service",
"sha256": "63fc4e38fc33fd24ef301efc7a52d2781085a9dd8465d14910b075c4ca6b5023",
"type": "machine_learning",
"version": 207
},
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Suspicious Powershell Script",
"sha256": "fc63208d7b1218e72d90948342343c545aab84431421c2d3b6d81b1a925181a1",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Suspicious Powershell Script",
"sha256": "3bfa0053ceaa3a5923c2aeac1cbb923a448d65b83dda46cfc701cbcf37772899",
"type": "machine_learning",
"version": 208
},
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "219fa2a191fb555ae903516b407568cc9bbc7be95ca6f3fb302311ce94382f0f",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "b13eb00c757b1251104bf4c37b3a291ee5acc963ba34c008a8b6d8731a102b47",
"type": "machine_learning",
"version": 207
},
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Remote User",
"sha256": "c2ce8aa3cd6b41359d2374f00b781728b1d6990960574e1d27d013e9a33cda80",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Remote User",
"sha256": "6e49cc6ec8fa0f149019eeb0d99bc587779e02711c05c54762667fb21676de08",
"type": "machine_learning",
"version": 207
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "Systemd Service Created",
"sha256": "64deb3a7d35566d558e890c281946d23e332598949d863e7f3fbefa14896a901",
"type": "eql",
"version": 16
},
"17b3fcd1-90fb-4f5d-858c-dc1d998fa368": {
"min_stack_version": "8.13",
"rule_name": "Initramfs Extraction via CPIO",
"sha256": "e91def04da5452836c00e38e6652e095e4124c1820f2650c10e07cd01e3fc61b",
"type": "eql",
"version": 2
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "3b12641768e2a47b26428daf4f845ab28c7dd839b86550febd738e1e8586d6ff",
"type": "eql",
"version": 111
}
},
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "897127ce66b9d6ef35af246c068852d99e7af8df437c3e4d98baa466d779a8cf",
"type": "eql",
"version": 211
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"rule_name": "Unusual Network Destination Domain Name",
"sha256": "f20d9f97b235081744c25d793925b812e945e1e5e01719ce39cfcc0defb5b253",
"type": "machine_learning",
"version": 105
},
"181f6b23-3799-445e-9589-0018328a9e46": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Script Execution via Microsoft HTML Application",
"sha256": "f368ae24273f75a97331eb4294db2df1c387c497dada5ace32520098feaef4f0",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Script Execution via Microsoft HTML Application",
"sha256": "e90219da2c60953e27bc20e62830dafd75772d2db35bbd32f51b8d0a4c6dc954",
"type": "eql",
"version": 102
}
},
"rule_name": "Script Execution via Microsoft HTML Application",
"sha256": "2e6ff66e9a80e9b1753f07eb7bd19334a9803978510c2c2154280ebcb66cb4c8",
"type": "eql",
"version": 202
},
"183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
"rule_name": "Simple HTTP Web Server Connection",
"sha256": "300e205d2f05314cabd3ea5c9dc9fdc35ce1ee5211afd8f65d74a15e3ef0d8e2",
"type": "eql",
"version": 2
},
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
"rule_name": "GCP Logging Sink Modification",
"sha256": "61f062813d6ebdebc0cc6698c7dcc7a975d9f3cacf7713f599fefb3a363a15bf",
"type": "query",
"version": 105
},
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
"type": "eql",
"version": 100
},
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
"rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager",
"sha256": "1f41f4ccb333df0f6e2e8c35cf140f6c0d2a9bcd69f6bcbe995c987bbe00a668",
"type": "threshold",
"version": 3
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "3624c2a233bea0d357eca3960733b5cd7bc6de43ac52d3c824553397d583e773",
"type": "machine_learning",
"version": 5
},
"192657ba-ab0e-4901-89a2-911d611eee98": {
"rule_name": "Potential Persistence via File Modification",
"sha256": "3e0bbc97f6625f0f5294307064489d5cde380528cf838db84c6d84498961b0bd",
"type": "eql",
"version": 7
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "d831a2c4ab5f21f7320a3fc66d048b0b77a969c59eab238e78a8e1ca5d3c7d59",
"type": "eql",
"version": 6
},
"1965eab8-d17f-4b21-8c48-ad5ff133695d": {
"rule_name": "Kernel Object File Creation",
"sha256": "eb75ed2a02885be89ba411760bb066cdb4f58f77f25e138ab75b9eb72226030c",
"type": "new_terms",
"version": 2
},
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
"sha256": "33f648f8fa253d9d09a1f3594faf4499982de1fc6d268944164a5d4b08313bbf",
"type": "esql",
"version": 3
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
"sha256": "e0fed1b61b6fc4ceab47ffa167cd84bceba6c2c6bb33dc781102e3d5da543e9c",
"type": "machine_learning",
"version": 209
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "2a4b88bcda39f3627856cc76ad43b699768b3d1cabd2d7ed7335c991b0466857",
"type": "machine_learning",
"version": 5
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"rule_name": "Suspicious Network Tool Launched Inside A Container",
"sha256": "68a2c9ed8a46b384ecb2a355df2a4634cbf081463794ed6e93931901277da031",
"type": "eql",
"version": 3
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"rule_name": "Azure Application Credential Modification",
"sha256": "f7362735f6b890396d8a39feb56c68597b92b95b75576e198efa44353fb980a4",
"type": "query",
"version": 103
},
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Execution of COM object via Xwizard",
"sha256": "62babd726ae5a985d3dd9add1aabacf93bb5c8787ad3486f8ca9d1ae675d7ec4",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Execution of COM object via Xwizard",
"sha256": "9826caa22a613e9fdde9bae7324fb6f400cce7a89819041bbb709563fe470c21",
"type": "eql",
"version": 212
}
},
"rule_name": "Execution of COM object via Xwizard",
"sha256": "414ae5d1c777554706e77fcf698fa405ce9159905c53e47449683ff8b606b8d6",
"type": "eql",
"version": 313
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b",
"type": "query",
"version": 209
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "User Account Creation",
"sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "User Account Creation",
"sha256": "0f3e13b35064dbdad29e0f2b80895fc844346955c595402ce66bd632d1e1e524",
"type": "eql",
"version": 210
}
},
"rule_name": "User Account Creation",
"sha256": "9af12b0253eeb5e99e162b69240851ba05f9a54cc8abecb25c973288e57cf7e5",
"type": "eql",
"version": 311
},
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"rule_name": "Process Created with a Duplicated Token",
"sha256": "34b078db5943919e82a752fb623100ecf49de4400eb5b5af0beb5dde7933f97f",
"type": "eql",
"version": 4
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "1bc65565de45f1eff32df65b75aff663321aa0ebe9f25ab4bf86a1069147f03e",
"type": "eql",
"version": 108
}
},
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "577e427fc64582ac236a077a7655689420ac05895657991b9b10c235df191853",
"type": "eql",
"version": 209
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "91601e89cb6509b662c58081c0bc8819adcf3c883bdc11c2819cd87ed1ce2996",
"type": "query",
"version": 207
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "7356e96ea1f088a2fd1b9412babba3ca73d9331aedf84b27f6fc8efe96edfc04",
"type": "eql",
"version": 12
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"rule_name": "Potential Process Injection from Malicious Document",
"sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1",
"type": "eql",
"version": 2
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "9b82cc17d19e29ee2cba453d4fb97352ab4f1e2f8ecfe3d9ae2471f5f842509d",
"type": "query",
"version": 213
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
"sha256": "a216a3ce8647e67413fe83b87ca92054c13d98146ee4c740fbc79435459adb1e",
"type": "eql",
"version": 118
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Rolebindings Created",
"sha256": "250fb7d71a7e245ddced159b3f88b246c5ab4e89708f3130c7b27c55c998a33a",
"type": "query",
"version": 103
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "New GitHub App Installed",
"sha256": "5409f401ac786bdadc45606d8d7f4b4c537367d93cf5555278d620c26f984168",
"type": "eql",
"version": 105
}
},
"rule_name": "New GitHub App Installed",
"sha256": "e00feec6890b2361d7a10a06e2e91c713d0f28c866005e9e1f72610f0dbea4eb",
"type": "eql",
"version": 205
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "ce97e8b346f6e7bba7e209a95c49253e1561ae4cc80a170c9ae2e23ae6f36dbb",
"type": "eql",
"version": 109
}
},
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "26cde5fd51100b2103cc8ebd9ffa4347f2529e861975e6d4b22770ff4e8f244a",
"type": "eql",
"version": 209
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d",
"type": "query",
"version": 6
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d",
"type": "query",
"version": 107
}
},
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "7709f499f3a03dd5ce65351e23a1a9959dc5139e8f50d72015df6ce2b0a3233b",
"type": "query",
"version": 207
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "832c238b226f2b7fbbc201338e1d0dfe12a9a7ebf4a6263a1f038ab6019e0e6f",
"type": "eql",
"version": 111
}
},
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "ada7bae223693811f424b80ca156f7135da309f54f39186bed4f022974dda573",
"type": "eql",
"version": 211
},
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
"sha256": "16b6264718403929b906f7b79bfd533c83024fbc7acec96ca185dd3cf5d3eaa3",
"type": "query",
"version": 3
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433",
"type": "eql",
"version": 108
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344",
"type": "query",
"version": 9
}
},
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "0787e6065fa1eb22d7f0b4ae1c97a7da2bd3d32393f320be448e93e2df69dddc",
"type": "query",
"version": 109
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "94f7d66b79180d0ba45c617e24e4cb3a00c1489fb51b504d7aeffe8001d10959",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "c994e0389ac555c93a42a57df8ea2b97d510399c33eb3f11de809c2018c44686",
"type": "eql",
"version": 211
}
},
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "675020877e0f237ac091e0142a7db019267d1f73af9366cc520a9f7d27bac85e",
"type": "eql",
"version": 312
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "c0dac1892d3e83d5514d879ef3a350f6156b44bf4e67c8e1055de7ef2c6d1a8b",
"type": "eql",
"version": 8
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d",
"type": "eql",
"version": 108
}
},
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "86f5fcf575f0f6c1addf031e30cf8e4bf984916f511300021ddd5d036bf4792d",
"type": "eql",
"version": 208
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "aa02b181f4f9a4df3460586733ba1ae7481ed321e4ef4e2ed3b418030ef65bc9",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "98f03ae22b61103956c3dcf4c477d3dd6c5da89a7c24f1e69a4a6f5f96573033",
"type": "eql",
"version": 106
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "7efabb7cc18356aa60fe4c271bef0144b303a454cd4203ec421a5a679a75572e",
"type": "query",
"version": 210
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"rule_name": "Azure Storage Account Key Regenerated",
"sha256": "cacd567d5376f99af90e85da629e9cff9118851b3e35ce7448c89ba66e5c1407",
"type": "query",
"version": 103
},
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Creation of a DNS-Named Record",
"sha256": "24a5cc160724e80ee85572da35813e258fcb55ef5b077894b4a649d8fbd6f1e9",
"type": "eql",
"version": 4
}
},
"rule_name": "Creation of a DNS-Named Record",
"sha256": "bd366149e20faa5b5e9ad60b298c1ad8f63002ee1451b7ee55e6c101547e6979",
"type": "eql",
"version": 104
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39",
"type": "eql",
"version": 6
}
},
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "ff8663b5c757bb323d6d9af69fd2819865654af9bb2de2359009d0cb368ec2a6",
"type": "eql",
"version": 106
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b",
"type": "new_terms",
"version": 204
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"rule_name": "Unusual Sudo Activity",
"sha256": "72276af57d19261776e819edd8d905bd7c5374108d27e9728922200bc839ea34",
"type": "machine_learning",
"version": 105
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "021df20053fabc64b24430c7e4bdb3fa187c6f00b27139bffc24759c4e97b817",
"type": "query",
"version": 11
}
},
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "89dad03842e0833b63ac6d38d5cf8f2712f22e296b4390309b10f471ab78fc07",
"type": "query",
"version": 112
},
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "AWS Signin Single Factor Console Login with Federated User",
"sha256": "67652ae55e23dcc67c6e395bd4b6354b74840c3c0ef81b0abe48e5f0fda50dc7",
"type": "esql",
"version": 3
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8",
"type": "eql",
"version": 4
}
},
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "13b48a7591f9b468f310bbdcd36b045d671d36396a0d86129881eb16289c32fa",
"type": "eql",
"version": 104
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"rule_name": "Unusual Linux User Calling the Metadata Service",
"sha256": "7e9aeb7a0920e68d445b655d2a0b447b01aa117624ddd9e02a8ad4840701900a",
"type": "machine_learning",
"version": 105
},
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "4fefe2cc790c9b5fd8afbd08cfd7bd28ee6f50dffd877ec1400d81c1659bcc36",
"type": "eql",
"version": 114
}
},
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "b8941a4bd23e47360ee8b1a98140c573efad95250ad8e4ff1315da0b83ee3d8f",
"type": "eql",
"version": 214
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "e43231e171e4e726c838f080bb14bcde8a580af0997b0177b568ebdfd462e290",
"type": "query",
"version": 104
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "6f9e237253c1d533e1dceaf4f673182fa86dcb4f04539ecb15a9f0dadb01047a",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "87f7a5cdc22d29da0c8cd7bc438e5e735e064c81584577cd34b46d510dccbe08",
"type": "eql",
"version": 212
}
},
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "b697c5f18da0dedf8adabf369e59016a5fd9e362cb43d0434c14e7f8b63d93b8",
"type": "eql",
"version": 313
},
"202829f6-0271-4e88-b882-11a655c590d4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Executable Masquerading as Kernel Process",
"sha256": "c647d352170795fda0533a278e5c93824030a0e2391afb7d858ddf8fcef50ea3",
"type": "eql",
"version": 4
}
},
"rule_name": "Executable Masquerading as Kernel Process",
"sha256": "5349e739a994b977cd138844e8e7e85da55971fb9e45fb3131eb92be33d3f123",
"type": "eql",
"version": 105
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "1e793bac94cf744476de8ec10572545b6000ddfafffe37170ddb870c9b5c8d94",
"type": "eql",
"version": 211
}
},
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "4271caa450f1e1e8420eee5f49d3481396358bdee6fa3480756e5ce91adde73a",
"type": "eql",
"version": 311
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "25cdfe21fb209fb7941dd020fbcfbadef29f04aadf5eb0e226efda9c35351231",
"type": "query",
"version": 207
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"rule_name": "Suspicious Web Browser Sensitive File Access",
"sha256": "f2563e3a26b24e637c8ac73d1f8b2c0a4f7fde0d81cde5ee33392c65892d9ccb",
"type": "eql",
"version": 210
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "69246453362e5ca8115d5ebc4d54e31708b17fca42e8f1c3289e2f21e27e0982",
"type": "eql",
"version": 3
},
"8.13": {
"max_allowable_version": 201,
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "b3cf96a675e8bce7a335b93a6cceb02c5a7c736ced121dac5662c305c9855738",
"type": "eql",
"version": 103
}
},
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "99ed70fd9f47a95ed1240f5cc52f747dee59633a0c745c4efa9ab0127865b48c",
"type": "eql",
"version": 203
},
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "633c67422491d16a2f3773ed98d16e1beb6d9369dcdf7edf264b8350e008ae33",
"type": "eql",
"version": 112
}
},
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "12383abd03ed18e19cc6e38a242cfe6ef50687fab36db30ce2d216216b538b16",
"type": "eql",
"version": 212
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
"type": "query",
"version": 100
},
"210d4430-b371-470e-b879-80b7182aa75e": {
"rule_name": "Mofcomp Activity",
"sha256": "43f37baa64cc4804bd89840d33aefed80888653d43e7e46330bfb4849e0880e3",
"type": "eql",
"version": 5
},
"2112ecce-cd34-11ef-873f-f661ea17fbcd": {
"rule_name": "SNS Topic Message Publish by Rare User",
"sha256": "ec62c61349b96117c332b5fadac825476aa3265486a5bbb85288ddab4964f423",
"type": "new_terms",
"version": 1
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"rule_name": "Potential Reverse Shell via Child",
"sha256": "0f97f4ad5936052c4dd01aa0c3132de5f06f7a36be6192e1714f2732da113bc2",
"type": "eql",
"version": 5
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
"sha256": "ae4d37f61191761fb59911def2d9d39ebedf6f1dd02bd3d22bca816328750af3",
"type": "new_terms",
"version": 6
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "39e75f704730200ba6057b7687a63159e2080003d55f8b8e6217740e487ab59e",
"type": "eql",
"version": 9
}
},
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "7d93d723489d1f6a59e139b58489ea66daaaa5a601a1f03527f4e18f249bd3ac",
"type": "eql",
"version": 109
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "3305c5a0f15096a7bb8b0818b40de617448029c1e701c89f35a611f31ddd9f0d",
"type": "new_terms",
"version": 207
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"rule_name": "SUNBURST Command and Control Activity",
"sha256": "8f0663314dfece6334c90619e9b9e2f5cee01e01b4768df72c1577b166910b24",
"type": "eql",
"version": 109
},
"227dc608-e558-43d9-b521-150772250bae": {
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "739bcd7a637855f9186eb263bcd8107c93d83f7790c1ea4fab07b69046503e46",
"type": "query",
"version": 208
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"rule_name": "Potential Shell via Web Server",
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
"type": "query",
"version": 105
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"rule_name": "GCP Storage Bucket Permissions Modification",
"sha256": "496ed866c8272f94c11bfa2277bde15dbfa2efe47873a8ddbcbbe832eb805693",
"type": "query",
"version": 105
},
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Kernel Module Load via insmod",
"sha256": "6d909c9373be54b6dc83f2c1d0b5416582fe6dbf4206daf4e496410ac5913aec",
"type": "eql",
"version": 111
}
},
"rule_name": "Kernel Module Load via insmod",
"sha256": "f32774ffb6275cc6e21892bde0346fec8649a7b12e62823bc9c28ecb5f7291b4",
"type": "eql",
"version": 212
},
"2377946d-0f01-4957-8812-6878985f515d": {
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
"sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4",
"type": "eql",
"version": 2
},
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
"sha256": "6206107d6e66665a64ef46d0bcd7102570f88e6977651000f2609ad3cc6e8b4d",
"type": "new_terms",
"version": 4
},
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47",
"type": "esql",
"version": 4
},
"8.14": {
"max_allowable_version": 202,
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47",
"type": "esql",
"version": 104
}
},
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47",
"type": "esql",
"version": 204
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "New GitHub Owner Added",
"sha256": "002be9292a0806831cffe8f7c1ae8704f2aba19ded7a11964225cde1c263c851",
"type": "eql",
"version": 107
}
},
"rule_name": "New GitHub Owner Added",
"sha256": "a2e44a9352982f9a7fab91d7a6c0ed56fa52f09663f20c41c246407f643bb81a",
"type": "eql",
"version": 207
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "9a03061d1c7d42331e54fa8c990602900d110a67d95d1245e44eae86e42cdc90",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "9e4c99a01ff339552587a57d476760b6cdeec2634d2f26b6d801a2f3baeb0bd5",
"type": "eql",
"version": 210
}
},
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "77d41e72a8e9b4a7bbb7fab3c40167833d4e87d06b28d8e465774750ef5104b5",
"type": "eql",
"version": 310
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "099be59655d3f1d35382b882049816c2c0570633f5d119e1ae6285bf5d5a901c",
"type": "query",
"version": 5
}
},
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "75e4844865ebef904a98f31b4021a2423b98a9e56a10e931089cea0ea3821cc7",
"type": "query",
"version": 105
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "0fee3ba7e3d8302fa7bf7fe483672987cabfa3cd38c2e532907b1b788f7c8260",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "5539b5852223d4f71fb0ca5aca8622d8933016111d08f98d0bed0b9f804ddf7e",
"type": "eql",
"version": 106
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"rule_name": "Network Activity Detected via Kworker",
"sha256": "74fc51f05798d86c079a4db56ebd754908e541d5391fb639a014358bf4da50f8",
"type": "new_terms",
"version": 7
},
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
"sha256": "299b97cbda715b5eeabc7800ef5fbdd230b83acfb8b38ff4d6c1f1e231fe8185",
"type": "query",
"version": 2
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935",
"type": "query",
"version": 6
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935",
"type": "query",
"version": 107
}
},
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "3686340ff7f23094109815bb3ff499c3c9d5feb46b8ca8bf9dcc9059d295a28e",
"type": "query",
"version": 207
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "5ac2632c3e48650d883c521af7ddf3ee85933ed2b90dbb2a8785db3e62378ad5",
"type": "eql",
"version": 8
},
"263481c8-1e9b-492e-912d-d1760707f810": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Potential Relay Attack against a Domain Controller",
"sha256": "a91ee3996b61c4f76e5010d94738862b0c66cc3ab4c1ab802cc609b442a00947",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential Relay Attack against a Domain Controller",
"sha256": "0ed2079dc7c35c55a5dd08388ae09965a545b30ce73ae9974ab0d607832b6fac",
"type": "eql",
"version": 103
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"rule_name": "Azure Blob Container Access Level Modification",
"sha256": "9c1500534b794aa60add9daf3da3805ce5f70b117a900faf565c911764fdc73d",
"type": "query",
"version": 103
},
"264c641e-c202-11ef-993e-f661ea17fbce": {
"rule_name": "AWS EC2 Deprecated AMI Discovery",
"sha256": "8b8ce9fd3c322d65ab9459337f4a67256c7d08be0426c6825699f4fcc4ca4659",
"type": "query",
"version": 2
},
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "4cb0180da3ef6e0e18bd152032578629a162d39c81b679998254e1e96d7a7a1e",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "4daca120672fa56fe87a520d2babba093bc294cc504bef5119b188d48173faa7",
"type": "eql",
"version": 213
}
},
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "62371061d0455aa0c946f5512e06573f49e1e88b64995595af69a37cfc14651b",
"type": "eql",
"version": 313
},
"266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Denied Topic Blocks Detected",
"sha256": "fe10ea745cf3203f237c4b8a40c63e9cb9d364c796bf52a2377425c3bd013171",
"type": "esql",
"version": 2
},
"26a726d7-126e-4267-b43d-e9a70bfdee1e": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Potential Defense Evasion via Doas",
"sha256": "5a94f36cb64d23ad01b8c1ffe0cbe7229007da049faf46d3b1076badcc0a3714",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Defense Evasion via Doas",
"sha256": "aeeb4b372fbfd18ee0dfa78606413a606d6bc8e7bee480b01504cbe103fe8006",
"type": "eql",
"version": 102
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "bfaf73bd5525893100c9a0593503ec5113aa3f61db2953a685aebf429b142390",
"type": "eql",
"version": 8
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
"sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7",
"type": "query",
"version": 105
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "d41060acde6ba44c9fd538c2c2169114bcdd473a35332389b5cd82e9ebef2af9",
"type": "esql",
"version": 211
}
},
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59",
"type": "esql",
"version": 312
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95",
"type": "query",
"version": 6
}
},
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "7968dcf6597d447a945c7445f46e60b9c60182148cddf51f04392d3a1650b46e",
"type": "query",
"version": 209
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "63d9ec6b0b8f754c3d04d1b8509f7978545110c21c7cd36b95629e33e8327e06",
"type": "eql",
"version": 6
}
},
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "0940ad2254d8e550d0c01bf6a647edcd02990c8bbae6b9ca4b17522ae43f803d",
"type": "eql",
"version": 107
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "45a1f7ed44be930e88471db5a5342a95b57a72bc185ba59c55fe89e7400fc69f",
"type": "query",
"version": 207
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "21c8229d021bc8b4ae787107ff45217ab56d52e249857ff17e0a4f51ef3c7f85",
"type": "eql",
"version": 110
}
},
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "5a0f9b9a7ffefc4f2658c7b3637872e4beedb55b3e26d5cc76e3bf45f89cba0c",
"type": "eql",
"version": 210
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"rule_name": "GCP Firewall Rule Modification",
"sha256": "56e2aa8538cb1bfc6628887e820d427e37754644260ff65a94d8b2cd6ea08aa2",
"type": "query",
"version": 105
},
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "72cefcbe9406dd477e621a600dab722c48420a443a88f1fe2afb43a0cf62af8e",
"type": "query",
"version": 207
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 215,
"rule_name": "Account Password Reset Remotely",
"sha256": "4c5bf771c55b8c874282ea178599a0885a460a0a2f93008e1ce3b37eeca9ae40",
"type": "eql",
"version": 117
}
},
"rule_name": "Account Password Reset Remotely",
"sha256": "56605872558fe05e912719802d071ff5ecbb63e38f64a87c8e829ced69d9b961",
"type": "eql",
"version": 217
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"min_stack_version": "8.13",
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
"sha256": "138552f6df8aee3e8ab2164631ef74888c7d0297c012bbd6ac9ea1c1a37ecc46",
"type": "esql",
"version": 3
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
"type": "eql",
"version": 111
}
},
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "2b775cfcd03f8ddcaab836d20fc03e2cd95cd89e3e8e729f6f6ea92f1e16bca4",
"type": "eql",
"version": 211
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "c5975ef9ab2cb8b6055ad6bcc0d785f845ed553b7efe8c2791515b7f349e860c",
"type": "query",
"version": 104
},
"28738f9f-7427-4d23-bc69-756708b5f624": {
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67",
"type": "eql",
"version": 8
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
"type": "eql",
"version": 100
},
"288a198e-9b9b-11ef-a0a8-f661ea17fbcd": {
"rule_name": "AWS STS Role Assumption by User",
"sha256": "953a7ce35bfed2b2ce4beb94c883fdfa3e7d04f037d8ffa09fefc2a054676072",
"type": "new_terms",
"version": 2
},
"28bc620d-b2f7-4132-b372-f77953881d05": {
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
"sha256": "ae10c2c01b91c5fc780ab3a9bbbfbc1435107aaee26f7bc8fec595151488c706",
"type": "eql",
"version": 4
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "60350833224cc7d578b57e68377f5c6eec36459f3b1219b27857d2dfb83c1dcb",
"type": "eql",
"version": 7
}
},
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "84fc475479d15e3bc80b09e99dfac0c0b49c2a5edcfc3219f1ab09100b7d1555",
"type": "eql",
"version": 108
},
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
"min_stack_version": "8.16",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "6ace4761c9708044d26fcf7337460b8479b0c47a4aad784406a4831f875a8ea1",
"type": "eql",
"version": 6
}
},
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "797faad25f8c06e7e0d08b4a64fc573c931a70e7298ba5e64dc73d3a765a59c6",
"type": "eql",
"version": 107
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Creation or Modification",
"sha256": "871b644ecad8dbcc497878dc7e8709971fb1b44536be0fa5cd97cfb75cec1082",
"type": "eql",
"version": 6
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS EC2 Security Group Configuration Change",
"sha256": "3094fc894dfd934d136e44472bb85b39b667d39ae1af5bbdecb0def1e9ee08b3",
"type": "query",
"version": 208
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "8fbc91f17e1079c6d25358d51370483f648279f3ad8e892d2a679df03c969ec2",
"type": "eql",
"version": 115
},
"8.13": {
"max_allowable_version": 313,
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "d77ce672bc5fc2088fafb1b6633cb2f5955b7939b1d1302b5c2da31c8d336950",
"type": "eql",
"version": 215
}
},
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "d8fad9d3a7b3d3b175b9bfac15436fde23c180087fd9a61d05bbbdd70434ef3f",
"type": "eql",
"version": 316
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 414,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "a8eb3f78278925242ed765acb2a2d0e95ccd361a73e67ba655fb6137b82acfb7",
"type": "eql",
"version": 315
}
},
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "e685ec880f93003d916f83c558301d788cc0671883fab6eebc79fe744f7c4c2b",
"type": "eql",
"version": 416
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "ca1675b3254c032d02eb36a19399f23707b98c5db2ccfb585fd8047fe45e718c",
"type": "new_terms",
"version": 213
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "5ac18ed0a46ab76604bf76b574a4dd4d177cff97fabf4ba50cf58d2559cf6ba3",
"type": "new_terms",
"version": 416
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd",
"type": "query",
"version": 5
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd",
"type": "query",
"version": 106
}
},
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "020aa41dcdc659d6c9cf5c0619429e17fc67a4ed3a229e63c3e2aa82ca64dc59",
"type": "query",
"version": 206
},
"29ef5686-9b93-433e-91b5-683911094698": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
"sha256": "cb837753dc5b1e38c537d26af1c4c7ce8ac7211509bf369afa0654a9045f21e4",
"type": "new_terms",
"version": 2
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Linux SSH X11 Forwarding",
"sha256": "607bcf6166da9a0c07fa8208a598d656e9da82b719410a4b3861431a7ad23b41",
"type": "eql",
"version": 5
}
},
"rule_name": "Linux SSH X11 Forwarding",
"sha256": "2b3d08f13e7043638c0bb3415d9ada4726d3dd2aa56b93a318ed3b135d0723d2",
"type": "eql",
"version": 106
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "842f9893108098c4b68db05cfdc942016d86cd6880aad8c93c94aca02133b0e5",
"type": "eql",
"version": 9
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "9ed50af9932a336e33eacff970ebcb3d99c94830b55744d32565828d68c683cc",
"type": "query",
"version": 205
},
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "ESXI Discovery via Grep",
"sha256": "0b220ddab575a1241b10575ba0fa022641bb5dd6d7b668a24f6e4e8e7795381c",
"type": "eql",
"version": 8
}
},
"rule_name": "ESXI Discovery via Grep",
"sha256": "8a0b201a019a813afef3eb6ad8931c76409acb49bfb1000a7e441fab4f19f9ba",
"type": "eql",
"version": 109
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Adobe Hijack Persistence",
"sha256": "c39267858935a1708b5485ab0f15d8fec3c65af74dda3eabe1a645357b6ff54c",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 413,
"rule_name": "Adobe Hijack Persistence",
"sha256": "5d4eda2322ee604b41b05b508100d15e3d8230cf544f5e9685b20c82c9957fc4",
"type": "eql",
"version": 315
}
},
"rule_name": "Adobe Hijack Persistence",
"sha256": "e7b371bc3cb56880f4b66c8f8fe941a3dc804cf4d7a909203eb1aac36b2eb4e8",
"type": "eql",
"version": 415
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "035b963e8b20d330a6df9c8b7bf1ff3812c17492b17c6f32dea5100d031289e9",
"type": "eql",
"version": 212
}
},
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "ba6ccf2fd7102484bab3ab16542b8c07903d577a967904103c08bbfde581d055",
"type": "eql",
"version": 313
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "19459360acfaabbee9191b0bffc67924d652582ec4b24d908ab43e31ed2baf8f",
"type": "eql",
"version": 111
}
},
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "ed9cc4c9d37caa1424d72d1771b8aaa477eee67588db0cf67131757668706a64",
"type": "eql",
"version": 211
},
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Potential Foxmail Exploitation",
"sha256": "9f86eac400e2faa31c8268ac8e848b69881a1f1609f46197976260493af312d7",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Potential Foxmail Exploitation",
"sha256": "6d21068759a60e2fe7b6b07091cfa26e48f2b6c2a2cf16239f5aff16aa3e6819",
"type": "eql",
"version": 102
}
},
"rule_name": "Potential Foxmail Exploitation",
"sha256": "deaa9f94ff0d77ec297bbe56228d604d0ec8ff93168338d0fe56ea6586be9b37",
"type": "eql",
"version": 203
},
"2d62889e-e758-4c5e-b57e-c735914ee32a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Suspicious PowerShell Execution via Windows Scripts",
"sha256": "ca696785db9d072b73354981c190cb3612631aff9bfb21a7e71087839979c28f",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Suspicious PowerShell Execution via Windows Scripts",
"sha256": "db70fff6a4d8ac90ee2307787ac0d09653001e7019f4ef1014397d5d28e28264",
"type": "eql",
"version": 102
}
},
"rule_name": "Command and Scripting Interpreter via Windows Scripts",
"sha256": "0f14291a9a4bfdb07c95473002beefcd90774b98afcf9d8e07c0e2c3ce47a9b2",
"type": "eql",
"version": 202
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
"sha256": "52c116a646055bd0157cedd2d9977b1582266b6dd9b8f6d1911d2e72232ae161",
"type": "new_terms",
"version": 211
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "6f9f6d3a9b1c3c10ee6f372c529e3043cf57abbe70e819991e61b39bd48cfac8",
"type": "eql",
"version": 212
}
},
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "9f2195a1ff14af308fa971db89cf85114f85149da9fab3f43237cc3cbb0a5bd6",
"type": "eql",
"version": 312
},
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
"sha256": "fc0687aaffa30b4402ffbb232a6609e8a832a677f70d6f87d826e0967cb6ae18",
"type": "eql",
"version": 4
}
},
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
"sha256": "cd015724526c5fd95611fd542dcd3bf3ae7cf0f17b78feaf63025db570b62459",
"type": "eql",
"version": 105
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "8df93c4d2e8d8e22dc9b2519c322833798fd0dd6e0179688ad46849263b97038",
"type": "threshold",
"version": 208
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "a1f96c64b24f9a8b3741efd7057dd191f2cfe328e4418e21fa2861f4943345b0",
"type": "eql",
"version": 10
},
"8.13": {
"max_allowable_version": 208,
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "6f66a2c4f0eb285877ec1976337925c992b5644474d9a8292c702802bd961c34",
"type": "eql",
"version": 110
}
},
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "edaa7c97d52183cb2ff7b10553ab33fbdcfc197d78bc07cda7f29633f878e4e6",
"type": "eql",
"version": 211
},
"2e0051cb-51f8-492f-9d90-174e16b5e96b": {
"min_stack_version": "8.14",
"rule_name": "Potential File Transfer via Curl for Windows",
"sha256": "6557b61c306bf5be34401d54dd293dc893f43c1ecd05c5705ad94ca2967878ff",
"type": "eql",
"version": 1
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "3f92ade9c8cf46297f9846194909bde8477311035bce84de538a59154fab0a08",
"type": "eql",
"version": 112
}
},
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "ba2643e57a281cd68d1f699d40aa824bffb36faa4b50d6ee43eafdc67fbf0942",
"type": "eql",
"version": 212
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029",
"type": "query",
"version": 113
}
},
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "7e0cc4f4c58256634c207a3b45ff788e4f9970f7e0b9436f55f186c002437855",
"type": "query",
"version": 213
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Accessing Outlook Data Files",
"sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473",
"type": "eql",
"version": 5
}
},
"rule_name": "Accessing Outlook Data Files",
"sha256": "cbd45fc062e5bcef6a93a19f9d01b6f8d1fcd038fff47b19a5adb99569cdd378",
"type": "eql",
"version": 105
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "154a54c158e1072b12c8c12e5c0b1a4efd33eeb055cc0a97dfbce0af0e73dc48",
"type": "threshold",
"version": 2
},
"8.13": {
"max_allowable_version": 202,
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66",
"type": "esql",
"version": 104
},
"8.14": {
"max_allowable_version": 302,
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66",
"type": "esql",
"version": 204
}
},
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66",
"type": "esql",
"version": 304
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "33aca0b923a70f6be45450125434d1f43b00df2f2b4c53db570c103caff35644",
"type": "query",
"version": 105
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "a3f55a20eb34eb9f050c14ebec723bf8910a29329d76e98fee0fa59c90d5d247",
"type": "eql",
"version": 211
}
},
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "19b7467f53896db1e8c5f00dde89e1ac429dc7e8125d433e5c4aac81a6f41de2",
"type": "eql",
"version": 311
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
"type": "query",
"version": 101
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652",
"type": "query",
"version": 112
}
},
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "f30a726cc8233f0fd47f045cc06753a16529142e73e25f7f2f0a62d4321894c8",
"type": "query",
"version": 212
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "2ef044a4379ebf8587fd12c998257f558761c47509df7f0295893dd4bb6f34f3",
"type": "eql",
"version": 111
}
},
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "64eabeec581d6804bbb7ed7f4fd9a7792413294be3c0f6b2045dd0e0fe5d0c09",
"type": "eql",
"version": 212
},
"2f95540c-923e-4f57-9dae-de30169c68b9": {
"rule_name": "Suspicious /proc/maps Discovery",
"sha256": "6e7e3a5b5658ebe94a6acbd227efca852aa9553c7e58a257f13b2e46c357055c",
"type": "eql",
"version": 4
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "12a39f6d9969db63436c1a00acca99e9add307c1cd5027f78b8845251fab148b",
"type": "eql",
"version": 110
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b",
"type": "eql",
"version": 115
}
},
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "2fc498a71ba2f88f7d63796eca1ee83dbe34d62673590eba2f4b869845a5cb02",
"type": "eql",
"version": 215
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"rule_name": "Malicious Remote File Creation",
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"rule_name": "GCP Firewall Rule Creation",
"sha256": "bdc8c042341275de2dda2fbb2cfe8352f8fef57e17ade3f9a6a0f4a2f34f6f7b",
"type": "query",
"version": 105
},
"30b5bb96-c7db-492c-80e9-1eab00db580b": {
"rule_name": "AWS S3 Object Versioning Suspended",
"sha256": "501b384fc62d0114e489f893db676c77a67a7de686ed549cc96d28110a216431",
"type": "eql",
"version": 3
},
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "087ddf9a38cc3a95ddd050c3af74a8205dcf16b78a267a1c40ecab0206895466",
"type": "eql",
"version": 9
}
},
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "9f0737cd4b53c31a9412db6fe279689258d74cd0462413dbf350f2a1f520f5b9",
"type": "eql",
"version": 110
},
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
"rule_name": "Network Connection via Sudo Binary",
"sha256": "a497b8c3ad9c185407effba08b476ec636ae48f34d72a78ebe4c33554301e425",
"type": "eql",
"version": 5
},
"30fbf4db-c502-4e68-a239-2e99af0f70da": {
"rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
"sha256": "fde6148916cb146e840e4017c597cb865ed148dd9eb6ad32b27f527b18e30866",
"type": "new_terms",
"version": 4
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "7cec198919a09236965c3fdfd4b59f77b7f52143b5764447161b1098935d2ee3",
"type": "query",
"version": 103
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "ee23f22e47ceddb6e8677a346d2b5a4af9d9f5da170c238a64f5c8851cb61903",
"type": "query",
"version": 105
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "1d5b8b66ae45d9bcba982bcee8dc4994d4cedb7541738eda36dfb8de2accfb0c",
"type": "eql",
"version": 115
},
"8.13": {
"max_allowable_version": 313,
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "27eb461382f469f2615f24a2887acc73df8bdfbe582d3d31d321bcefcaa5d201",
"type": "eql",
"version": 215
}
},
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "50e3fed73bd4705f76f78df40640d810c310f3acc21468d1246f910127187f4c",
"type": "eql",
"version": 316
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "5f12891f87725569f26f55d846990b172e4b083945291b524995a0c2b39d1f88",
"type": "query",
"version": 105
},
"3216949c-9300-4c53-b57a-221e364c6457": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Word Policy Blocks Detected",
"sha256": "fbc24d43876fb187d170bf7067f200bfc4a9dc9315138429cf73dd99f867b8ba",
"type": "esql",
"version": 2
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "81b1ef2dce9bdf05c543f720116a273b1b28f4fcc5f3f06993027b6c522d1613",
"type": "eql",
"version": 5
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"rule_name": "Azure Network Watcher Deletion",
"sha256": "4361eedfbd069e79f89dc6fc2cb69959fa012d9333bb12fa3a7a48bdc1956047",
"type": "query",
"version": 103
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "4225710e2f58d4c9a39ab24e6e05d1553387f3bd659ccf97398b490b820df50b",
"type": "query",
"version": 105
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Program Files Directory Masquerading",
"sha256": "17788893fc6510e7f611de6c1046d1c0a8ebb5937ac675d96d8555b98ed4b9c8",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Program Files Directory Masquerading",
"sha256": "dd7609c7ed75762383c65d441706b5cec4f6760974567894ea5e4b08fb80603f",
"type": "eql",
"version": 212
}
},
"rule_name": "Program Files Directory Masquerading",
"sha256": "5e2521c495505730bc747cae7beaef82e123e96c4fa6dfcc7530e8d63d3640a6",
"type": "eql",
"version": 313
},
"32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": {
"rule_name": "Microsoft 365 Portal Login from Rare Location",
"sha256": "c839af879a5c765f5e319641da93e5418ac234abdb825d1d9f1df9d746f9e2e2",
"type": "new_terms",
"version": 3
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 414,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "52d170ebae7e61e5c4726ce76d29b5b2e9d7026e32a550e9d5012f02f0e50f8d",
"type": "eql",
"version": 315
}
},
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "647dc0c3fd2b8dffd212c282c77861aaa9c16dc0a23e442c48d168eb333f8ae7",
"type": "eql",
"version": 416
},
"3302835b-0049-4004-a325-660b1fba1f67": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Directory Creation in /bin directory",
"sha256": "e2fc0d10f43934c5dfad79a4f0f2618e38c52f91e897b1fbbaeb75b7d2ae0749",
"type": "eql",
"version": 2
}
},
"rule_name": "Directory Creation in /bin directory",
"sha256": "bb642177d5cb1e1bc0f9a0c4cf899a157c7980be76dc66f26d4ba3d13f82b8d6",
"type": "eql",
"version": 103
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
"sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46",
"type": "query",
"version": 209
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "ESXI Discovery via Find",
"sha256": "e945a579fb2d4bdd868c12f606098cd96cd82197b76142880a5deab1ab401ab5",
"type": "eql",
"version": 8
}
},
"rule_name": "ESXI Discovery via Find",
"sha256": "ca86b5108a30b8e67c15162b0055562e937ab308d0406d129bc9ad4e2148f2e4",
"type": "eql",
"version": 109
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"rule_name": "Remote File Download via PowerShell",
"sha256": "2d6cac53a7d7baf61d489765382f2b2d431be53f846101569f7e49a35e59df98",
"type": "eql",
"version": 111
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container",
"sha256": "8c1e8fd8134b90d32749366fb7d20b184a823a0e5e341af7b44f61679905bd6b",
"type": "eql",
"version": 2
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 202,
"rule_name": "GitHub Repository Deleted",
"sha256": "bbc9f533b703f0f2a2aec221e6c184c662bae31b89b8e01b2a7483f00fdbb84b",
"type": "eql",
"version": 104
}
},
"rule_name": "GitHub Repository Deleted",
"sha256": "680ea8566ca2b5e114053f331458450f3a9fdbdcda67246619a56e3304d7d4bb",
"type": "eql",
"version": 204
},
"349276c0-5fcf-11ef-b1a9-f661ea17fbce": {
"rule_name": "AWS CLI Command with Custom Endpoint URL",
"sha256": "0d6e63fdb711a79ed9a8236fbfa447b8dd9cd9c750fe206e4f69d544b4cb7127",
"type": "new_terms",
"version": 2
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "a93607d49470b41ab526136a54c50d0d65923b7af46008f570ecf780090ff342",
"type": "query",
"version": 107
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "93108f6db43019bf85a026b0e1a0283d1387d43696c8cbff0338ade95de87373",
"type": "query",
"version": 107
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 412,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "a5d70c0995622fa1e034a975d14f87929c6bb6032e2a8b710c5619638eeddef7",
"type": "eql",
"version": 313
}
},
"rule_name": "Port Forwarding Rule Addition",
"sha256": "1cc79e2c4f68e45ffdf9e7e58a3a627ca8fd4f5577008f4af3b2e0cc353dcd19",
"type": "eql",
"version": 413
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "b78351582a7ddf68ad29828252540753accedab11361b21c3cb3cfdcd7ea6da0",
"type": "machine_learning",
"version": 5
},
"35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
"min_stack_version": "8.13",
"rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts",
"sha256": "3f28423faced2b8aa0493681362683f095c9464aa5ecb67465ac44f2694aefc3",
"type": "esql",
"version": 3
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "fdf30a404fcf1f457a3530ba76e543daad00de78c6c30a18ca40f103beb6caf2",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "19bed7ae3eefe2b9f8d9f9cbd99efbff32206937e70a162d1491cd54c108c103",
"type": "eql",
"version": 214
}
},
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "8c2faa0a772b773b9aa59da52cd46c6984b6271a148639ba16b293ccddce14a5",
"type": "eql",
"version": 315
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "cb3f4e2e92eeffed4bd1250dcc2811b1e4ee69877e3d14a107578a5b0d10fe24",
"type": "machine_learning",
"version": 105
},
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
"type": "eql",
"version": 100
},
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "f8a2d53db2c5e3651899228d2e535106845b0cdfa6f926feab75424975c566f9",
"type": "eql",
"version": 112
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "e0de6aabadb9b3edc0355ae72df8fa446a91a842ef12b8ef6ec687e906c931f5",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "cd1475178a3952f625d34aa54ca62f9221babf15037db6ad279da8a14ec58ff7",
"type": "eql",
"version": 210
}
},
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "3cfd44cb623fa5f87fb2bc4b70fb4825b8c30cc422f5ca4959f8affa6a59c239",
"type": "eql",
"version": 310
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "0375f50891da2c560d538d9af682bf73815c0e8097191a66c4b7ad3d2d9f85a0",
"type": "machine_learning",
"version": 5
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Potential Suspicious File Edit",
"sha256": "85b4308a095fda0a1a41576379cf8ca6d2bcc3ddb4aaec2c851eb2c5f083e6f8",
"type": "eql",
"version": 6
}
},
"rule_name": "Potential Suspicious File Edit",
"sha256": "31e966ef88fd66e843c9134cfc92578f0c0ef1ff0b8af97d7c96049d2a31ef5b",
"type": "eql",
"version": 107
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"rule_name": "AWS RDS Security Group Creation",
"sha256": "2d9a2d2805620d5537bdc598986669726205be63bf72fd472e586860559f3c15",
"type": "query",
"version": 207
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"rule_name": "Azure Active Directory High Risk Sign-in",
"sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a",
"type": "query",
"version": 105
},
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
"rule_name": "Anomalous Kernel Module Activity",
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
"type": "machine_learning",
"version": 100
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"rule_name": "AWS SSM `SendCommand` Execution by Rare User",
"sha256": "713fd8c17945bb80c3b98f60f14f907c30c2a333641b4671b9a0c3ff0c5618f4",
"type": "new_terms",
"version": 211
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "07c83ef04668d1bdbd5e1cdf83b4d25f717a72d4984f78fbb7bf40d3c9973386",
"type": "eql",
"version": 208
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8",
"type": "query",
"version": 211
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8",
"type": "query",
"version": 312
}
},
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "335b721089e14060d49efd5a24e91c1234579d86f289c8e2d55a68f139685424",
"type": "query",
"version": 412
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "Network Connection via Certutil",
"sha256": "3f6234c8ab1d36fc0aee41b20d47c226fdddafbf988fd7a990edd1967bb6c123",
"type": "eql",
"version": 116
}
},
"rule_name": "Network Connection via Certutil",
"sha256": "ee7de9f4e8ab3c5761b6312c919095c5cf492a9db5a0723c83799fc34b584f5e",
"type": "eql",
"version": 216
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "747ae073e6f03ec1932651971bc68d7027e59a836270303d10e85ed668e15563",
"type": "eql",
"version": 210
},
"3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
"rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations",
"sha256": "0300fec34ca31a5cea787eaded914a17bc72892cce35401a358a0cc6aa49fb1e",
"type": "threshold",
"version": 3
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"rule_name": "User Added as Owner for Azure Service Principal",
"sha256": "c794cb33079d83fd0ff1a98396f73fc84073e6498982afb0f9bc08d82db37dea",
"type": "query",
"version": 103
},
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
"rule_name": "External User Added to Google Workspace Group",
"sha256": "c3493126c9accd6f626f2aa40ab74be96a664b87ceabce37843cf4e29b8414bc",
"type": "eql",
"version": 3
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "60c301aadbc57095fbb764f310effa2a4d569269d7b1baa6f08adde2b312328c",
"type": "query",
"version": 207
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"rule_name": "Downloaded Shortcut Files",
"sha256": "6c9bc695426f3a54fae927672294c7f2717d5cad3fcbfb5f08b482c14ca8939b",
"type": "eql",
"version": 4
},
"393ef120-63d1-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
"sha256": "3baef76c046e4ec7eefef4ea4afd2a3ab5e3087df2e8501087fcd54235a0ea2c",
"type": "esql",
"version": 4
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "b4336a223059e535a011019a1195afac85891381ddf49844a802db5e2b477d60",
"type": "eql",
"version": 108
},
"8.13": {
"max_allowable_version": 306,
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "6fea9ce2228537a8fdd8bed28be66ad7dda0b6cab23977c97c5c546f0d948fdd",
"type": "eql",
"version": 208
}
},
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "e8b70f2aab1ae0ee6ed818eb7bb5e7feb7fb75ac124680f6f0e9e79ae7395e46",
"type": "eql",
"version": 308
},
"39c06367-b700-4380-848a-cab06e7afede": {
"rule_name": "Systemd Generator Created",
"sha256": "e121d39bd55b1f521c46bde65369f4dc594bf36659e4f5ccc0716bc3a1179e46",
"type": "eql",
"version": 4
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "6000c31bea360c0d9b1d37463b62aaa348ae174cd150d753a365830bfab75447",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "d12e9ea8b95150ad9d1665a105aed34e99914c20b08bab4f9397c47f325e4c10",
"type": "eql",
"version": 211
}
},
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "d871f50940eccfb6ba880998b63207b59ad3a087325d70f116c2cd1933b25a2b",
"type": "eql",
"version": 311
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "e01f62982334437f828c2aa0c07b8867b2b9811b190a82c5b871d1f47226447d",
"type": "eql",
"version": 10
},
"3a657da0-1df2-11ef-a327-f661ea17fbcc": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Rapid7 Threat Command CVEs Correlation",
"sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1",
"type": "threat_match",
"version": 3
}
},
"rule_name": "Rapid7 Threat Command CVEs Correlation",
"sha256": "eea438035c9adcd9486112d776374a2097e248b2311e73e0feb0d239e6507a7c",
"type": "threat_match",
"version": 104
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
"type": "query",
"version": 100
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "32d8adf51c1b7880e73d4cdb4e6b9e4a748807c35a66aea5866abec659490bd6",
"type": "query",
"version": 106
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"rule_name": "Azure Full Network Packet Capture Detected",
"sha256": "136ba855c996285fe602c5a751d85e4d5597adabab876c0840fb892207d97fb7",
"type": "query",
"version": 104
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54",
"type": "new_terms",
"version": 204
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "f47e578ad81a99ac6ee1bd6045dddbe2ded14cc8f273b02f0f64ab04824557de",
"type": "query",
"version": 104
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "9bd527185ec4c38596e49c3a7ad276daa080ef3cf609a464de4f59e21fc1080d",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 412,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "fbe869ca88d432de9d48ffbb12ee20f5a623aed0aab53eba99bd3e08daf687e4",
"type": "eql",
"version": 314
}
},
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "ae201f63b498ee9be3fb10b20daa1fefbe924dae1f8f7aecdfa986d172ae93e1",
"type": "eql",
"version": 414
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "9156d62db12466eaacc5c148af5205afdccba699bacc8d950d5d34aa5b2df532",
"type": "eql",
"version": 115
},
"8.13": {
"max_allowable_version": 313,
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "dd1b2492ffdf8c527d2d87c4912e2cf19379fed1f522ba7e4db9fcee5d00d046",
"type": "eql",
"version": 215
}
},
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "d19835254ddf472acf6a543dbe42f0a508febba6db3f7f41149edfda7b57673b",
"type": "eql",
"version": 316
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"rule_name": "Unusual Linux Network Port Activity",
"sha256": "c64036bdf9d9943178534e62dec4700829eb822cd497d08d1ac1d8f838d9d342",
"type": "machine_learning",
"version": 105
},
"3c9f7901-01d8-465d-8dc0-5d46671035fa": {
"rule_name": "Kernel Seeking Activity",
"sha256": "83cd6048f2f8d9427ced895179a1e5738b897021229fdedc39298f70b8fd527e",
"type": "eql",
"version": 3
},
"3ca81a95-d5af-4b77-b0ad-b02bc746f640": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Unusual Pkexec Execution",
"sha256": "39004fc8c21df3175d05b13e4a85cc34c55f385af7ce819312b04b1a4df1148c",
"type": "new_terms",
"version": 3
}
},
"rule_name": "Unusual Pkexec Execution",
"sha256": "72cce527b0f0efd2f300fcd93f1c0273b4fd5476d6771008722109e0923882a1",
"type": "new_terms",
"version": 103
},
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "2b9c1287e301ff5273bf46bd4bc28af19a2c2e647f220ca8e0852fb643de0ebc",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 201,
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "cb777b967e2bef0af6adc011736d39ada2837c23d819ee51dde816731fa5a898",
"type": "eql",
"version": 103
}
},
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "f87fa55947db415ecfae1427203360803e4bb8d727b1e46383b1f6478f252bf5",
"type": "eql",
"version": 204
},
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972",
"type": "query",
"version": 6
}
},
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "3eb8a1947715938780e819d71334fd11a170328f2310ffc13b69fc69fdf047fb",
"type": "query",
"version": 208
},
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
"rule_name": "AWS SNS Email Subscription by Rare User",
"sha256": "0845930f3f6cca07e769a39389e06a1fea6d273cfaf4c9470cd1a04c34b9c947",
"type": "new_terms",
"version": 2
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262",
"type": "query",
"version": 209
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "0c33ca9283c1c2552060c3b5000ec87d338048cd715f4e7be2d3fdefe8a28fc0",
"type": "machine_learning",
"version": 5
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "c0609df66a0848dc19f078200819edba894a861449ad572c19d8eef041240566",
"type": "eql",
"version": 8
},
"8.13": {
"max_allowable_version": 206,
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "89a4b41e934b13c0e79392e7730805f3e18c7d8cb6c3121b8b54b69a1aef8450",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "c7ce8b4413d99ed660c419bd822448ecdb2bb29f85095afc3954b5b698f0510e",
"type": "eql",
"version": 208
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"rule_name": "Kernel Driver Load",
"sha256": "383925a7469fa24f12272515f90f29aa907b908a1f8cec676765b5c5cc5155d3",
"type": "eql",
"version": 5
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"rule_name": "Suspicious Emond Child Process",
"sha256": "cc6f26cacff5fe4dacddeb8cb12eb8a140c4db55aed0d450c18d7175dab3f260",
"type": "eql",
"version": 109
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "66d3c7048c18aeeae2d032d26dcdc294b41eb32679eb445839815f7fcf66e4a8",
"type": "eql",
"version": 4
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "5e547726d704a4301dc4615b98d9b7ad1f182d5cc3aedce53b9b6b8185aa41eb",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "5185ebda64142769dbcbdea022b195c73dfdfaa284fe60c4447cf57b4ce31119",
"type": "eql",
"version": 212
}
},
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "767b7b4563a4fb94ee651353066ae8d1b66db8074cbafea2af6ee54fa111fb1f",
"type": "eql",
"version": 313
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927",
"type": "eql",
"version": 208
}
},
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "be4f79a2a38ca61332f643c365ce4e3776f3ff9a73f6887ef1aa6d67d5153a22",
"type": "eql",
"version": 308
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f",
"type": "threshold",
"version": 208
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"rule_name": "CyberArk Privileged Access Security Error",
"sha256": "1a8ce0d911498f3340f7c6af2471615c1614881de45680175490600cd63fdad1",
"type": "query",
"version": 103
},
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "1d1f416f81da795677d9450e9bca8918c099440231a9d8129ff100cca36e03c3",
"type": "eql",
"version": 8
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "ac26f5075bc208ba1b094437f5908ca1879c9b0bd6c5ba6a85a2de0e3dee8f17",
"type": "eql",
"version": 112
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"rule_name": "Process Discovery via Built-In Applications",
"sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07",
"type": "eql",
"version": 3
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "19b368441d2d3df9e36cec3f78601af029ba7a4ad96080e8a8a260e0062e4014",
"type": "machine_learning",
"version": 5
},
"3f7bd5ac-9711-44b4-82c1-fa246d829f15": {
"min_stack_version": "8.14",
"rule_name": "Command Execution via ForFiles",
"sha256": "a07d79ae3c7704e2254a7b3acfbb61cb39794537180723d6f351c719ecbba5e4",
"type": "eql",
"version": 1
},
"3fac01b2-b811-11ef-b25b-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "Azure Entra MFA TOTP Brute Force Attempts",
"sha256": "096663ac4f2f65728b65859267b7a5df52cae07f45541fc4df53d7d2c0162a1c",
"type": "esql",
"version": 2
},
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "DNF Package Manager Plugin File Creation",
"sha256": "fac0417f4ce9d3dd3a95c48c5bc2916286db6bc572c8a5e31160761ffae8cf56",
"type": "eql",
"version": 4
}
},
"rule_name": "DNF Package Manager Plugin File Creation",
"sha256": "9720e2ceb0deb64ad3773f7fb220ced4722d2586e68fffe60616480b49faf4c5",
"type": "eql",
"version": 104
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a User",
"sha256": "224877a0c6c75c03df527910da6a040b10e978b5277a900b3a5ebd606e5dcebc",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Unusual Process Spawned by a User",
"sha256": "c26260d1977bf5bdca1f886c44ec9eb78f3a2a3f006f7c578474c60debadf653",
"type": "machine_learning",
"version": 108
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "GitHub User Blocked From Organization",
"sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6",
"type": "eql",
"version": 104
}
},
"rule_name": "GitHub User Blocked From Organization",
"sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e",
"type": "eql",
"version": 204
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "f1c3d405ae61b94497a8a3b5ee7ad7b72dcadfec716c42f2975f6e18b624ec88",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "a73f4f5a3392e6fdcae94374c133aa55cd47a2a5f09dbd25ddec84a3f5d3f29f",
"type": "eql",
"version": 211
}
},
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "5e43f778807201218a8a3cd2b8d33600b9cad394bf1d10a1a6a2bb8219170ffe",
"type": "eql",
"version": 311
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"rule_name": "Suspicious Modprobe File Event",
"sha256": "d4f1d5fc1a70a2e0a60cefc3b2923c55452347f28b90e20a3625f397c32db48c",
"type": "new_terms",
"version": 108
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Unix Socket Connection",
"sha256": "66104dc588552246b0806f00f248c812a63ff54ca038949740267b9b913b3ec0",
"type": "eql",
"version": 4
}
},
"rule_name": "Unix Socket Connection",
"sha256": "afdba8db5676ef375dc06883ea62a82b9410044f332d00db802aaaa84b3793e3",
"type": "eql",
"version": 105
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "eb0e17bd095fd38ddf2c2ed71f1364ac981fb062c0fae437dd381d62debc8747",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "158669641e518716cc54cccf172ae7f2a1640c5c56d8a13c1bfb3ec8b1099c39",
"type": "eql",
"version": 213
}
},
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "291b11e58bc1c7474e180f4367210eb8d6c53f5f2d722ba277a503097991353d",
"type": "eql",
"version": 314
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952",
"type": "new_terms",
"version": 204
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"rule_name": "EggShell Backdoor Execution",
"sha256": "f97c48740ffa8df05329c651c9620651fc36b543d6cdf582bec60f4945539c70",
"type": "query",
"version": 104
},
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
"sha256": "f5901faceadcddad30aa0d48e7489446e561374f349a4bacaf544f9c5c418f6c",
"type": "esql",
"version": 4
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "777ea9757b7d3052124e6cc8d8748e0f0b03cc82e8c82535853132c99389a688",
"type": "query",
"version": 107
},
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
"rule_name": "Mount Launched Inside a Privileged Container",
"sha256": "b1264c8dba37013a036a37be5f2224231f056b698da7eacb55869127c98aa729",
"type": "eql",
"version": 2
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"rule_name": "Interactive Exec Command Launched Against A Running Container",
"sha256": "ccaeaaf1218304a670c49ca863e898fd726c57156474f56613921232d21d71a2",
"type": "eql",
"version": 3
},
"428e9109-dc13-4ae9-84cb-100464d4c6fa": {
"rule_name": "Login via Unusual System User",
"sha256": "98d6ad1428c6a1aa6239bfa75936d88f18749d6fb33d148792889108ee6f792a",
"type": "eql",
"version": 2
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a",
"type": "threshold",
"version": 212
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a",
"type": "threshold",
"version": 313
}
},
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "7de53603ee4b0fe24f98d5eac198e89c58e92243d6a6e67795968369a9fff2a3",
"type": "threshold",
"version": 413
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Process Creation via Secondary Logon",
"sha256": "91d70e5b1107013dad8be7bae393bcca1047e1bba36313312bcf1ab8865abe14",
"type": "eql",
"version": 11
}
},
"rule_name": "Process Creation via Secondary Logon",
"sha256": "0a1002224da121ca30f21a8dd641d8128a10f7113c132713aafe7cb287e82fec",
"type": "eql",
"version": 111
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"rule_name": "Unusual Login Activity",
"sha256": "eb323bc47a138a26bc5bcd92f8c25da588ca83b5b8dd6a8e7203111d13961caa",
"type": "machine_learning",
"version": 105
},
"43303fd4-4839-4e48-b2b2-803ab060758d": {
"rule_name": "Web Application Suspicious Activity: No User Agent",
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
"type": "query",
"version": 101
},
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Linux User Added to Privileged Group",
"sha256": "9ea5cc7a7d60adf681ee39ab6a1c142f5864ce9d989756808a78d1d00b5e0a1f",
"type": "eql",
"version": 9
}
},
"rule_name": "Linux User Added to Privileged Group",
"sha256": "dfd9d0ca4de23654268f056431b3427be368d9c063d5991111ed78363645dc4f",
"type": "eql",
"version": 110
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "3093b3093e9dfac5593dd9dead91b15345100e95d1bca816d602302c4ad03332",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "83e9d41fa1688f6e43f49b8f90e227adc1faa9a2cac3db9e262c7d452e68bc6e",
"type": "eql",
"version": 212
}
},
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "c0608c95611f1a89e093cb3a0b2080c46a012ec91358883418506af1cd874eb3",
"type": "eql",
"version": 312
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Unusual Windows Path Activity",
"sha256": "67bd807b50763f06dc6861bd1b4a7ad996afbb5766a7dc22bec1762999b6b281",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Windows Path Activity",
"sha256": "0c67162e07a41a693f97af4942752d9557c76b058a4fa0df6be8777647152a80",
"type": "machine_learning",
"version": 208
},
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "7b04571af013a3c9cdefd27690c4a402e9f3399a0a5f61ccf9eb8180fe968af5",
"type": "eql",
"version": 4
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "e05edd0663a23b3dc3d0dd5f2131a31dd196f6d5357755443093cbb8bf3ea29c",
"type": "eql",
"version": 12
}
},
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "5fe1ae3d15fd72cc199a3ad6e01a42350d17065a06bc1bb2e3dc03455fe8b873",
"type": "eql",
"version": 112
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"rule_name": "Route53 Resolver Query Log Configuration Deleted",
"sha256": "bca21aeb358e7719e930c2792a3c5b1b899b86341952c8e0acf0f7a4fa84d36b",
"type": "query",
"version": 3
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "bc6f767d4be0de3156f54c606bcf218fc712696406e84ecd976a907d90c156bb",
"type": "query",
"version": 104
},
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
"sha256": "ed499f9d7399c1be4f54417888b74be031a5b50a48b1d7c68b8caf33c4e24d44",
"type": "eql",
"version": 3
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Windows Event Logs Cleared",
"sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27",
"type": "query",
"version": 111
}
},
"rule_name": "Windows Event Logs Cleared",
"sha256": "868e3d06e6043e63111eb21f96849df3002b2a0f958afc5c12e623b3a3dcff8f",
"type": "query",
"version": 211
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060",
"type": "eql",
"version": 113
}
},
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "6389d9780340aa3eba76379358bc68062f775f8c23b81e15d7be509e7fcc87b2",
"type": "eql",
"version": 214
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "40e7e669f1d9642518565d307ffc5b75f32bc59dbc783bf57db3e2375b38c647",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "e08df69ea36b56a927183010b7fbfe8e60d6c949a5489a3cfc82b7e9f45a3af0",
"type": "eql",
"version": 214
}
},
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "7546574a8ca4d5b8c758c17fb1658b2b1abbed196bd8d2090721d8efac0ec65d",
"type": "eql",
"version": 315
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "9220e8499f32c72c36f2717e2499061f06a342f3e277f61283527351218c1329",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "a2c4ebd5c69128fb78c6779664f8db208871ddc836b4b5854a0cd479429cd1af",
"type": "eql",
"version": 211
}
},
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "3b0c27765337c2d89b8c6b82102d1f32fda82841806112bc4ac4d54c7d5ec5be",
"type": "eql",
"version": 312
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"rule_name": "Unusual Process For a Linux Host",
"sha256": "6cefd4c22a36577834d4d834fc5c1929fed830cef4703c1df262425f4f6b2cbb",
"type": "machine_learning",
"version": 106
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 112,
"rule_name": "System V Init Script Created",
"sha256": "c38ce796006c8f39b82f0922d30cc71ddfbe8de3d7e7fa13c58947169f07dab2",
"type": "eql",
"version": 14
}
},
"rule_name": "System V Init Script Created",
"sha256": "f1873f6d75f651d8a741c68aeb9b215cc2750c45bc137afd9a6110af092219a1",
"type": "eql",
"version": 115
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"rule_name": "Sensitive Files Compression Inside A Container",
"sha256": "dc24c07ba236a3bb8628763095daaad91b96ba4e6d7905cb1ef854665513ea6c",
"type": "eql",
"version": 3
},
"476267ff-e44f-476e-99c1-04c78cb3769d": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
"sha256": "725b79909f3f199afec5b728eac38e0b2be9545c1c9fb3963576649af48a2e7a",
"type": "eql",
"version": 3
}
},
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
"sha256": "eb912e24c46ec2f35d9be99c411eb107c6f6cd1ad27b962d4130668320e98388",
"type": "eql",
"version": 104
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40",
"type": "eql",
"version": 111
}
},
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "de0bde89f44173a386cd38d4dd5c6e02a3fba6f877fd803f6e7e9108d609dc51",
"type": "eql",
"version": 212
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
"type": "query",
"version": 100
},
"47f76567-d58a-4fed-b32b-21f571e28910": {
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "c7d8db1796112e5e9d32eb1200a16f602a143d55b376da98b030dd7980b792b5",
"type": "eql",
"version": 108
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "cd78c0361c8ca0f7334582409bb0bd2d14c582ec978c231bc26932cbd1a614e2",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "a1ebcfed8cf45331acadbd7adebe5f1eb37206754cdedcbe980c8b27bf0fd178",
"type": "eql",
"version": 211
}
},
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "ed365c174fdf3dc7616909685c4dc4cafc7d521448ef6e96bb2b224ee25fdf54",
"type": "eql",
"version": 312
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "a396e648dc8058d8a7af3f97d34c5784cc2e81b5a1e4616f31edc818a101ddc9",
"type": "new_terms",
"version": 108
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"rule_name": "Potential Reverse Shell",
"sha256": "60acdaeb7bdfa3879ac2b58f7e1f303bc1cb6ead52bc7e45ad1bd340aacd352a",
"type": "eql",
"version": 11
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "787f60363fc9c42dd87f5774f5a6f219c201d492323d12dcfc3ec5d06acd4d02",
"type": "eql",
"version": 11
}
},
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "db4dd0177df2c0fbba77ba531c3f6f51c0724b44ea31fd2e84ca4cf2536f6b5f",
"type": "eql",
"version": 111
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "52f6b93c3cc0d5c1fb4f6e6db6ed931e29c49ee0e908a1561e09af98dba2acad",
"type": "eql",
"version": 109
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "070bc3d77b85c97628a5f7626bba0e95d76cf34954f5db82e4abbdd323126b88",
"type": "query",
"version": 107
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "986c22f239fcc3d437e58dcb98df458a9d9435c5f561c9da3628425f6dcd591f",
"type": "eql",
"version": 4
},
"493834ca-f861-414c-8602-150d5505b777": {
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "6144987feeea5f57fa67484e121452ca28b0a522c8ee105f48e14de7fd4ef115",
"type": "threshold",
"version": 103
},
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "e9fba7cb50d7c0edfe213e52665e64b9fbaf596bbc274d66c2677a16b6524e00",
"type": "eql",
"version": 9
}
},
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "691cfec23b704e2589edfb62980284fec4ac438776a1a88edb7605ee5e54698f",
"type": "eql",
"version": 110
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "fa0763bb909c5faa492f63ddf49e52ad217b2ba6495e1ea1f66636550d76c562",
"type": "query",
"version": 107
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
"type": "eql",
"version": 3
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1",
"type": "eql",
"version": 6
}
},
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "3b1deb0f2c414f72a2ff2c171c83290554600ba4b5b4b8dc7eabcfcc34a7bb19",
"type": "eql",
"version": 107
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "df02c5a18062b26bd791e0bc8b97a58b4d463df63e0d16dd6352edde4318c54c",
"type": "query",
"version": 107
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "2bfb9d1c293185db7cebfaf6649ecce4d26ca6bd6e8f6fb252e811960272d4e7",
"type": "eql",
"version": 6
}
},
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "6496b33df954b86a762df6202f068d413cf231e273ca8e1a2c0ceefa6e1d127a",
"type": "eql",
"version": 107
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"rule_name": "Potential Cross Site Scripting (XSS)",
"sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6",
"type": "eql",
"version": 2
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
"type": "eql",
"version": 6
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "d18f0d4efc2ad5ade11890ab3e5f0a54d4521162528adffcd92bd7c037fb44de",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "e5e62d3b1a1f58eb079ca908f55105df68b2471d48e53122d47ec5b74afbb1cc",
"type": "eql",
"version": 211
}
},
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "b538b62cec3fc16a06ef51cdb6f2a711aa479c82326a61862a3ac9a90238e17a",
"type": "eql",
"version": 312
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"rule_name": "Container Workload Protection",
"sha256": "b58a5fb3b121b08852cc186827479ae739d8b155cf8c9d12dbd17fa70d9fd74c",
"type": "query",
"version": 5
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "ProxyChains Activity",
"sha256": "6d2bb84fbddf0c3a063f3b83fe3182017edbe19020c1e1dafc558ec07a767a0b",
"type": "eql",
"version": 5
}
},
"rule_name": "ProxyChains Activity",
"sha256": "3ddce01b59f5987dd1a83755af79e6e993de5f67f97b960b4b2b544be9e1609a",
"type": "eql",
"version": 106
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "ed51342a669aca3acd05b70564dd2b6c9e0ff02f83266d5665ef6dca3851a6c7",
"type": "machine_learning",
"version": 5
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "c6c357f72dda9ad192ec0f1297502bd068bf0cbdcc97ab58e49d86e7cfdde988",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "57c2b49691db8ebbed599f9985cf9d43545ea46a7e458dd4a28bd20f0f0476ca",
"type": "eql",
"version": 210
}
},
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "724c9eb77e876a0609dca7f377c3b888ee71c8ace7316e67235b6399e7dde6d3",
"type": "eql",
"version": 311
},
"4c3c6c47-e38f-4944-be27-5c80be973bd7": {
"rule_name": "Unusual SSHD Child Process",
"sha256": "1563951eaa26040f25dcd3eae36d9f46c9bdcf45a6f24398ce7a7fc4382da092",
"type": "new_terms",
"version": 2
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1",
"type": "query",
"version": 11
}
},
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "fdb260cd12a650f01e9663894e62c091eec9d70cfa7d579f4708358a4415dc9c",
"type": "query",
"version": 111
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "d477a1c1cf4b80c1c4b058813b66f4952e183bd224d21bd44d145c7845ff027f",
"type": "eql",
"version": 8
}
},
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "f8166b3c126f6350077c04381eff45f180452c93b70be54c18aa91ff15e512f0",
"type": "eql",
"version": 109
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "189ef68f8b1654ea9486b7831d9a69f4b42554453426d0d7531fe7052cd96756",
"type": "threshold",
"version": 208
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "37d2ef8b050dfdece62cbbe06bc676f8199d5b4f1fddca44de9748f463a2ad80",
"type": "query",
"version": 107
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "fb9bb254f0e60ed51d8d4e297aad53df545a43f086e4549a1c1f54743463a299",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "9ba7f7cc43f484c307334745f27743ee4979e2df65bd1bec89add2c10051d0d3",
"type": "eql",
"version": 213
}
},
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "982de592a7f2da640ff2a6006445d12e52090a1180b225e2f943c386641236c7",
"type": "eql",
"version": 314
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "f68db77a65c50c4489742ca308f8beef345bcd834e6782fd47c79d47c4cb7af9",
"type": "eql",
"version": 12
}
},
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "b8743c73288c176d82f7c326f655ad546ca945eaabe141bf1da60e5f045481a0",
"type": "eql",
"version": 112
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
"sha256": "26c209b252768d129ab5bccfb4006456a5cd64d7ed097dd81d513beb333d8d7e",
"type": "eql",
"version": 11
}
},
"rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
"sha256": "f680d6c8ee7249b89249a6710ce30801b2c982cef68f015538d7cfac8430cc94",
"type": "eql",
"version": 111
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "759a649928bcc0a0a2cfa9af0084ced15bad00665e20e163f96e50d748c6cf97",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "63a4cc656038a44374eeed199a47a67bcf261940a890689a6fe62a4fb2a51010",
"type": "eql",
"version": 212
}
},
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "8a21c3a283a81db1aaea226e6ea8bcd2fae151cba2095929d13d00d0ae28b537",
"type": "eql",
"version": 313
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious Script Object Execution",
"sha256": "d03461949ea02ae5d1a9afa32408fcc350c90751725cecedddb19bc153f58ba7",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious Script Object Execution",
"sha256": "21d6ca38910e536e9886d360bd1cfe63932e9d4036a7d6a26af4708806dfecdb",
"type": "eql",
"version": 210
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63",
"type": "query",
"version": 311
}
},
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "d92cb4bcc5aadaea4dc0e6b7b35a1bf6e2ae910fa754432faf4dfb96696001be",
"type": "query",
"version": 411
},
"4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
"rule_name": "Kernel Unpacking Activity",
"sha256": "30f4f5ada6d77e11118ecf139bb7106bc0df3031341b3e5ce0f55fd20221aa09",
"type": "eql",
"version": 3
},
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Confidence Content Filter Blocks Detected",
"sha256": "c2e729e23f37d687504d5c86cb91f01a1d9363cd489f06a54723e557f02903cd",
"type": "esql",
"version": 6
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "02b2a3c16d505ff7b41a860c6ba3587cf4376a57a4dfb1d8af17d0620d4dea7f",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "186e25b241af067c22b65d97a6746b5a72b63e2aad403893a00ef3b7d39b1982",
"type": "eql",
"version": 213
}
},
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "133dd8bfb660f0ac4114ee86831af289b29876b1e47d9868ae4380002e493545",
"type": "eql",
"version": 314
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7",
"type": "threshold",
"version": 6
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7",
"type": "threshold",
"version": 107
}
},
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "6a554290e7a84ccbd18f8a19971e557ac7a9838d92308436ae1252d215f09d94",
"type": "threshold",
"version": 207
},
"50a2bdea-9876-11ef-89db-f661ea17fbcd": {
"rule_name": "AWS SSM Command Document Created by Rare User",
"sha256": "16bcc4e20cbecdeda51970a7c080df121c8c49778592fd2b3384519d93b21280",
"type": "new_terms",
"version": 2
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Windows System Information Discovery",
"sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155",
"type": "eql",
"version": 8
}
},
"rule_name": "Windows System Information Discovery",
"sha256": "547b5b46dd9bf2cdc0c7e62cb41182704197c47de44f9c2f95a3cd12548ddce0",
"type": "eql",
"version": 108
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Hidden Files and Directories via Hidden Flag",
"sha256": "48ab779e161fbd3bfc978ec8def0e6511023cebad2f6c5874cc71cd14d2da1d4",
"type": "eql",
"version": 4
}
},
"rule_name": "Hidden Files and Directories via Hidden Flag",
"sha256": "b33bbf177156fd682cccd98b3b5e214c494c17ac29770c3ef6e211cd2b8f26f9",
"type": "eql",
"version": 105
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "13b9667f77ece11fa75c760717a7f1a7474e6cf3583c6d428b0b835bbb79c161",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 411,
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "4605f205b084980b9052a6f82ff9ace18abaddddba5a0901b25ee42d0a048865",
"type": "eql",
"version": 313
}
},
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "a122de466303b9918efe6f15d1a658addad361829c6bf7d515d823a75eb19a2f",
"type": "eql",
"version": 413
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "f5a4de0b0ac06eb1a69c2cb23b7f9d7b884a576168db1d956ef9ff6144c5756d",
"type": "query",
"version": 207
},
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
"rule_name": "GCP Logging Sink Deletion",
"sha256": "5d8877660ac02415a7e931d15a718cadb7de72da25f5bcdc79d9fd493d4c71f5",
"type": "query",
"version": 105
},
"5188c68e-d3de-4e96-994d-9e242269446f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Service DACL Modification via sc.exe",
"sha256": "0103f881f5ee4e7c9d82ed15157325d5b5a58d4e397d6367d4da02bbf8ce0034",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 202,
"rule_name": "Service DACL Modification via sc.exe",
"sha256": "f3deede5cd5976b88fba9f4fe5814c558ca142f46001382dd888e8f1294a9892",
"type": "eql",
"version": 104
}
},
"rule_name": "Service DACL Modification via sc.exe",
"sha256": "2196b597b084d5ecbb13b0b17492f36f5b84dcca3a09a280a2e2d59035ac22bb",
"type": "eql",
"version": 205
},
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
"sha256": "097a5bc6720f07acfae2d20f11d9a717f1fe350cf94d7145adaa481146c184df",
"type": "query",
"version": 3
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "341be9c43bad17537b54fdc7f40f8c156c772443e30caf8193c825ef8ae6e632",
"type": "eql",
"version": 109
}
},
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "98bc7f7c240e76cd9d3ecb1a5633fb0d68e571ceffa5569f91e5702c53b02d8f",
"type": "eql",
"version": 209
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "1e7bfe4a829855d26e56d29a29a24edf68130b67fb19c38c807680c99f335d69",
"type": "eql",
"version": 8
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "0d18d9439a5628f8f0339e9c968f779926c27addbf3835666f0b4312115511b5",
"type": "query",
"version": 207
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "d68914fa075b88195665f82a00fa3b28e4743eed50f9e3588de8c565793841b1",
"type": "eql",
"version": 115
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
"sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7",
"type": "eql",
"version": 1
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b",
"type": "eql",
"version": 109
}
},
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "6a3129bcebcc413938e081a72c565ac7e9a135830fc1c5c11e4c24f98d29c734",
"type": "eql",
"version": 209
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"rule_name": "Unusual Linux Network Activity",
"sha256": "7705ae36b0bdaf932acba46ebafffb17e3e085213212f44314d4bcc79090bb04",
"type": "machine_learning",
"version": 105
},
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
"rule_name": "Unusual Linux Web Activity",
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
"type": "machine_learning",
"version": 100
},
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
"rule_name": "Unusual Linux Network Service",
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
"type": "machine_learning",
"version": 100
},
"530178da-92ea-43ce-94c2-8877a826783d": {
"rule_name": "Suspicious CronTab Creation or Modification",
"sha256": "a4364fe5d4b4e0e056536d4580cf884b56e49248ee1f3a84812426da1bcaf590",
"type": "eql",
"version": 108
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "dda8b86ee8d2dcee8026d296c9e5f313eaa3dc3d50eedfd6ae6e19c938486a92",
"type": "new_terms",
"version": 12
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "e6c6dd49909f5672bab0d1d27d7ea1b5661d81198a9568926b30ca91064fbe16",
"type": "query",
"version": 207
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"rule_name": "Azure Diagnostic Settings Deletion",
"sha256": "8227f6204aca346ad00f70681a540b2e14358f63b3415da0a722d3fe8c4bf796",
"type": "query",
"version": 103
},
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "9eafe3af498b5f504346bcbb44ddacf2157ebf9f7dc56a66e0f6512ccbcaa61e",
"type": "query",
"version": 7
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "139f8bfa2c8cbb9183a5192c82ba2adb3fd3f23f81086fb9874e23cdbe7580fd",
"type": "eql",
"version": 212
}
},
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "f7c792ee12ea5e1c289da3010faa0241087a72374e2a07e9744490d2d732a0f6",
"type": "eql",
"version": 313
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b",
"type": "eql",
"version": 6
}
},
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "f031d67ed436433e67086abdfa538113a953bfbf725e3aface9fc9c4cdaeab6a",
"type": "eql",
"version": 106
},
"53ef31ea-1f8a-493b-9614-df23d8277232": {
"rule_name": "Pluggable Authentication Module (PAM) Source Download",
"sha256": "af9d57399895c1474ce02d98053dee54db65bf201345fb22036a0935476ec4bc",
"type": "eql",
"version": 2
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "44240eefb782b212aa0e92aa499c5c53a15dd47c2d5ccd8d5bbd7e730a2ced0d",
"type": "eql",
"version": 112
}
},
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "b7dac84100da5dd86f5b3db2e97a9c0d5bbc086be021a8d71d6801723d7317ee",
"type": "eql",
"version": 213
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74",
"type": "query",
"version": 9
}
},
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "204ae09b3fad4e478789727bf76c2cd45d4b667c9a0d7a140a83d9c4d85bfe12",
"type": "query",
"version": 210
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "c1d15e3f87d0c06656e38903de062e3f17bdbd3884c26fd330cb747036019545",
"type": "eql",
"version": 114
}
},
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "dccddc93820e882a05daa4e44e2f269398b302098bbe00d5c1571ffd86581be4",
"type": "eql",
"version": 214
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "339bd5dfcc9715aebb297d9e0f1c984616bf99c0dd887935f7b94a77c4b1889d",
"type": "eql",
"version": 112
}
},
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "d727778c418f5ff259d819e6c8c56cd07c2f086ea12d877c3379792b549ba948",
"type": "eql",
"version": 212
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "PsExec Network Connection",
"sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66",
"type": "eql",
"version": 109
}
},
"rule_name": "PsExec Network Connection",
"sha256": "90e3f23709d14c16e8714247d3a94ee747ed3ba8514e76d2416f0bd1e9b650d5",
"type": "eql",
"version": 209
},
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
"rule_name": "Windows Installer with Suspicious Properties",
"sha256": "312e779c5096313dd68712aec37a208169b7e7e58d9dc4a1362676776d5745c6",
"type": "eql",
"version": 2
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "20041d45b1675b29ac029036acb9a791d296507da6fc2d342c22e8ae9d37add9",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "3910654eec2497e6c45f9eba623296d166de75f2bf26bf5f27f652de0fe602b3",
"type": "machine_learning",
"version": 108
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f",
"type": "eql",
"version": 5
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f",
"type": "eql",
"version": 106
}
},
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "a19bb50cba9f9f404a82703239d5f7c37e59ce956e04da03adddfd9a4dfab224",
"type": "eql",
"version": 206
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "4a4e70e7f50105c48f29f32d7d234cfa9538813b06309ce72c3dcd4a7a21a3e2",
"type": "query",
"version": 108
}
},
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "2b4e8ce5e2579fc3644b048d0eefd8b6c9e8ae17c0eb9201191933d58be50dfa",
"type": "query",
"version": 208
},
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"rule_name": "Potential Admin Group Account Addition",
"sha256": "6f18cbdc2814670890459e8a1b80c7b8bfac998d71d67c250ffa5a3017a0a95e",
"type": "query",
"version": 207
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "a9bd29a0b1111a010696c79f5347c1e5e60dd3a903452b06964302229c7bfb2c",
"type": "eql",
"version": 109
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"rule_name": "GCP Logging Bucket Deletion",
"sha256": "50c3afa5e3c557336820b41946ef7d0889d9f7002f614b9bc7a0f6216fdb24de",
"type": "query",
"version": 105
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell PSReflect Script",
"sha256": "9075bac2c658f9cd09ae5480d64a0005ed4877f273b113b12c5c9d38098e5c35",
"type": "query",
"version": 112
}
},
"rule_name": "PowerShell PSReflect Script",
"sha256": "60ce649f4376763aa71d2a2bbe3126251aafabb204c1bd51614fab34b09fccd7",
"type": "query",
"version": 314
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"rule_name": "Execution of an Unsigned Service",
"sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9",
"type": "new_terms",
"version": 105
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "5ee4cc1bef3bc0cbb466f51fc238d7ea3789de02607f24d664300a4cd08147f0",
"type": "query",
"version": 106
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "cef2f25973f7650fc0b3c4e6d49eb118a5216965cb85cee1568ac3a5e26bb119",
"type": "query",
"version": 104
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"rule_name": "Azure Virtual Network Device Modified or Deleted",
"sha256": "398d5eb8f8ee0c1a9ca69806e64a8879579ab03f3e2f5a29a66c0da240018ab2",
"type": "query",
"version": 103
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell MiniDump Script",
"sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell MiniDump Script",
"sha256": "0c2a7186e2aa5916c5889d9d75731f00059da7f8d8306ea8e6cc5ba810f49a4a",
"type": "query",
"version": 210
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb",
"type": "eql",
"version": 6
}
},
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "1acdc9f8e087369826ba6e49c673137f4634a9a62b94bccf201c13d8d3ce0932",
"type": "eql",
"version": 106
},
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "DNS Global Query Block List Modified or Disabled",
"sha256": "7d36f22f3ea3b4008813322aadd11c5d337d890ad99892df41b2e3154c755ed8",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 202,
"rule_name": "DNS Global Query Block List Modified or Disabled",
"sha256": "fdd70a684195301172c2093025954070437de67b7110b4c2fd82167df76f3b5d",
"type": "eql",
"version": 104
}
},
"rule_name": "DNS Global Query Block List Modified or Disabled",
"sha256": "c1df3f0030e17676949facaed1368a9f13c67cca442f5b94af0920ed85092de8",
"type": "eql",
"version": 204
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "26f2805142740943d3a337737f94aa2adb368dc09f37ec38fe749edf716118e2",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "0a123f7c9ac032b20d904a897c3925725aba31f988722148f34fcec998d5ad9d",
"type": "eql",
"version": 213
}
},
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "ed7c60dc12bdfa2d20edceb1eae21c05458b5885ec3be1eff755ceba3fab866e",
"type": "eql",
"version": 314
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "RDP Enabled via Registry",
"sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "RDP Enabled via Registry",
"sha256": "ad5f6e2a7ed2a334c068a318cce1628f5eba03cc5188384b8936624810b633fa",
"type": "eql",
"version": 212
}
},
"rule_name": "RDP Enabled via Registry",
"sha256": "8aee0c8639f2f4bee943504b9828ddebae9944ff41119c3a2b4d0fdaa1354f6c",
"type": "eql",
"version": 312
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"rule_name": "Zoom Meeting with no Passcode",
"sha256": "ccb0acf3cc1b30624083f57a468ae8f3d188ca69b2ae0551b5122b12e90e6b36",
"type": "query",
"version": 104
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "274d6dd045e0bf970b32a646a70634ee7ddddc23721c1271d9e33bd3da440d40",
"type": "eql",
"version": 109
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "c2dfdcdc1b0d76b1a905b8e67a67d188594bb8b4665a8c1750ce8e92714325af",
"type": "eql",
"version": 112
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"rule_name": "File or Directory Deletion Command",
"sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a",
"type": "eql",
"version": 3
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "81b57999573c8fb4a7a366594f25ae06a0af08d40dce604d87d7a8f30dd943fa",
"type": "query",
"version": 207
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
"sha256": "57e2816be37db7fe8b97b74d890f5f1c173f9f98635f900fc0a239d93de116f9",
"type": "query",
"version": 208
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"rule_name": "Unusual Linux User Discovery Activity",
"sha256": "62cd203498ed5ec9c26690e7c2c202cf2cdb234c9be6a775889f5d2458744366",
"type": "machine_learning",
"version": 106
},
"59bf26c2-bcbe-11ef-a215-f661ea17fbce": {
"rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"sha256": "c65dca5d2ab212399ddf5f197ae8f6b71543e67dc4c506edba0250e81a48ba75",
"type": "new_terms",
"version": 2
},
"5a138e2e-aec3-4240-9843-56825d0bc569": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "IPv4/IPv6 Forwarding Activity",
"sha256": "8662d51b058ba0aaa8beb626fa104c2c7f6ee6f1970db79c6ab2615a567e699f",
"type": "eql",
"version": 2
}
},
"rule_name": "IPv4/IPv6 Forwarding Activity",
"sha256": "8396ecbd7798a0b4e17254a7e80dffd7b731859eb3d11dbb07f51ddbfdad095e",
"type": "eql",
"version": 103
},
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "195101291410db100f83b2bbb0bb45a23a5d3c84f0b3cc59e3e80543531dd5e1",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "2213291fff0bb1ba56efbcc8b9b3bbeca328b89b52cf3e419b4fb6e70936dad0",
"type": "eql",
"version": 210
}
},
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "0803f03287c0303a478d35d524621cf58ec5e09afe472fe968a33d05b1f8e025",
"type": "eql",
"version": 310
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"rule_name": "Potential Reverse Shell via Java",
"sha256": "d34a8290b7fcc098f29ce0d6bb50b467f7bee1c71201258899338916a3019e66",
"type": "eql",
"version": 10
},
"5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
"rule_name": "ROT Encoded Python Script Execution",
"sha256": "797af136476a4575466ea7dad526fda9d5328930d8f9985a260e5e1177223225",
"type": "eql",
"version": 2
},
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "bf4217022061a7456c301cffe1ab6dd6d9298a3c45e206c125c42667862de6e1",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "135b3d3e2b3be70b8da8cfd2806556b9b14bc02f669d6789237a56b36d345398",
"type": "eql",
"version": 104
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "8a9322fcb0f59a2f5ade44ab323e0b057c6019500063a9e67db93eb954461718",
"type": "query",
"version": 107
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30",
"type": "eql",
"version": 109
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "f758d94665be51996867211777d79e6aed92bf1caef03e695a48519325656443",
"type": "eql",
"version": 209
}
},
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "f9cda122a401560f226e7216339accbcc62094bdba84a4debe35fbdecaf48970",
"type": "eql",
"version": 309
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "6a40d4a3eb8956f0fa86900cd0f068813b708cf72355b20a006a4ae024884b63",
"type": "query",
"version": 109
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "91750adfc2612e0725d0e74eb5c05c29dec1b7871b12e1e2ec38f409cd0f1e08",
"type": "eql",
"version": 8
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious which Enumeration",
"sha256": "81bdb21ca450212add8a85c321bb3987998e8f5dada389fbc8a46fa1d740581c",
"type": "eql",
"version": 8
}
},
"rule_name": "Suspicious which Enumeration",
"sha256": "8c27bb4dfd65956ad41dd52d71f7c946aaf21e52ea1956d82fe54231ac8a17f1",
"type": "eql",
"version": 109
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "54ef71a878f44875c6c8792e51f8923f0cf6fc9dec2a549fbb841a11d2161f25",
"type": "eql",
"version": 6
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "35874a6b3415659603a51352ab4aafe03d8e2d816f25c4f343115687e555aa00",
"type": "new_terms",
"version": 115
},
"8.13": {
"max_allowable_version": 313,
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "5ca5d9dba9c3eda093b2a3b2260982c127108c3167436867c912cf29f5129f87",
"type": "new_terms",
"version": 215
}
},
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "4dcc839828bb5d7e479b5816322bbc8808ee054bc913c811cd9690d54c57ca6b",
"type": "new_terms",
"version": 315
},
"5bda8597-69a6-4b9e-87a2-69a7c963ea83": {
"min_stack_version": "8.13",
"rule_name": "Boot File Copy",
"sha256": "24d0894ed6959d5f54396c957e8dcd3de231026e473c753ef10c5c033f991857",
"type": "eql",
"version": 2
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "89f33201ad4d76858ce52afe371130935c8d2f202139ea266bd17c9ac2488519",
"type": "query",
"version": 207
},
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
"rule_name": "Process Capability Enumeration",
"sha256": "e030a36c06a00dbb591951c1c87280a6f2afc1b155d67ecb00fd451bd084cce6",
"type": "eql",
"version": 5
},
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "5ae470e75de9bdbb84070a55c7cfbd9143654a72f9e9193782aea6145b12fd1e",
"type": "query",
"version": 4
}
},
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "d4ae42e3bddc23b1b5b75d60e725076a3baf37caeae03e0794a91fa47346aa02",
"type": "query",
"version": 104
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 112,
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106",
"type": "new_terms",
"version": 13
}
},
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "d4accae05fecc5956c2caf27bab5e9eb13b871713c8855c25c6a47bd44a0d2be",
"type": "new_terms",
"version": 114
},
"5c81fc9d-1eae-437f-ba07-268472967013": {
"rule_name": "Segfault Detected",
"sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8",
"type": "query",
"version": 1
},
"5c832156-5785-4c9c-a2e7-0d80d2ba3daa": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"sha256": "5236ec39f5b96c9f3b575a920dbd695b7473c5bafe7625e03799f60d559b28e9",
"type": "eql",
"version": 2
}
},
"rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"sha256": "23f889cc4747d5ad5d505549b4301b18abb715f10d21b48a1c87dbd95cef2f29",
"type": "eql",
"version": 102
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "dac377b1d7e688c590f3961e984193d99e548ddf1fa5d9298d724d251cfb7b4b",
"type": "eql",
"version": 8
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"rule_name": "Unusual Linux Process Discovery Activity",
"sha256": "6699f13d1830f5c9e67d20ffe8e3c35f4cabefe9e630339c8541bdbdff752085",
"type": "machine_learning",
"version": 105
},
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "5be300eea96d7d3fff01d8e2f1ce70318e82a027159669467454f10cf243e208",
"type": "eql",
"version": 8
}
},
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "c5995d0265ad4c7e35124856effd41c95caad3e3178a67f3c5bc6122df89e317",
"type": "eql",
"version": 109
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "881e17596c2ce4e314625942adb04235a12e70f19501ddbf53391bfe02dd03f9",
"type": "eql",
"version": 110
}
},
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "9861068f16d7c13e90230fde674392101cfe9ae5e74dbda9522097093911536f",
"type": "eql",
"version": 210
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "User Added to Privileged Group",
"sha256": "d38fab04d93fbbb1473131509d9b6cd0bd610885369860d4fbc428e46abb34de",
"type": "eql",
"version": 111
}
},
"rule_name": "User Added to Privileged Group",
"sha256": "249e80a94140cb17cb1bbbd22fcf7b01c9c149e0bb082822fc0cbec1322f4413",
"type": "eql",
"version": 211
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Persistence via PowerShell profile",
"sha256": "e2a9084a8e3062415cf21a33d22098b3e31cd354006e57075af67e820641af92",
"type": "eql",
"version": 10
},
"8.13": {
"max_allowable_version": 208,
"rule_name": "Persistence via PowerShell profile",
"sha256": "0383a8c5a6705916613f80d301ca0dea35cf7ff7cb13b719320e19c6dfeaffb4",
"type": "eql",
"version": 110
}
},
"rule_name": "Persistence via PowerShell profile",
"sha256": "0f950647d4f0916286902132be8dcaec3f65ee3132b998b43e7eeb93677cafe5",
"type": "eql",
"version": 210
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "3bd77e64972d14a4d804669114ba09690953c6f7e3ecc837457651ea6a58dbf2",
"type": "eql",
"version": 109
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "975967ec3e4989e05b906196e1492ea1f24ac1162211d54845e8c1f682036f71",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "3b3ccd623ad35abe21a31e6f429265fff80ee4bb1cb27b4ca7360e556282bea8",
"type": "eql",
"version": 210
},
"5d676480-9655-4507-adc6-4eec311efff8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "8f2d6fb941f3e9f2fe599164f806804b1b09b4c08131d79eb3e7ecaab5034c05",
"type": "eql",
"version": 4
}
},
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "0e908a21b5f00f708db56a1f494aafbe52a203ae6f332d5e4e763103aa53e03d",
"type": "eql",
"version": 104
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "cf8318ce83d960276ef1ade7a60d590ea666e5f242ecdabd0a9a6c7daeb32e1b",
"type": "eql",
"version": 108
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "e9ecfacffc915053d9856796153aa7ce7cc98c60c95d4de25a4d3f6307b6baa5",
"type": "query",
"version": 107
},
"5e4023e7-6357-4061-ae1c-9df33e78c674": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Memory Swap Modification",
"sha256": "d3233c88cf4a2b91daeca4e6247bb3758023b234d009f522b19223f87aeae20f",
"type": "eql",
"version": 2
}
},
"rule_name": "Memory Swap Modification",
"sha256": "9b2b90fcdbd4c8d61fb415c8648a5fbb45acf0f721bc6639adae981cb9d9ce1c",
"type": "eql",
"version": 103
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "3ebdea07f4ef0b08b17227bc1a2482fdf6678f10abcacd02c0a85dfb400a1501",
"type": "query",
"version": 207
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"rule_name": "Potential PrintNightmare File Modification",
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
"type": "eql",
"version": 100
},
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
"min_stack_version": "8.13",
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
"sha256": "e65db1e4cf78b27ce4ca6092bbbb6900c749dbda0d96ee608ec1954757cb9862",
"type": "esql",
"version": 4
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "07bc7d436acd1fee6bb5095ececc82cea05e2662cc4170c6c4101acad12bd670",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 201,
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "19a1d06007326123108f50fbfe0508ef28d7ef131ac3e5df567dbdc47aa6ff7a",
"type": "eql",
"version": 102
}
},
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "8a9e091c55b5692d8d0032f78a5e51ffa80b4380ff50f18e6b2b25ad5830ba41",
"type": "eql",
"version": 203
},
"5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
"rule_name": "Docker Escape via Nsenter",
"sha256": "453ade8392dd064ac66baaea865224304bffe2e8afac34c7811e8776d5989843",
"type": "eql",
"version": 2
},
"60884af6-f553-4a6c-af13-300047455491": {
"rule_name": "Azure Command Execution on Virtual Machine",
"sha256": "75603330eba99f8199e1a118a71eca46d7c50d35b4cd605c1dfc199a15028b4b",
"type": "query",
"version": 103
},
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
"rule_name": "Azure Service Principal Addition",
"sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2",
"type": "query",
"version": 105
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "083349bd92f7b6c0a756f5a62567cd8c5a5bc5daadf1eece6de8e8e79978a41e",
"type": "query",
"version": 207
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Unusual Process Network Connection",
"sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c",
"type": "eql",
"version": 108
}
},
"rule_name": "Unusual Process Network Connection",
"sha256": "03650e968a078c275a50bd1b08d8a8390430cdb53c2723595bb0b572350387ee",
"type": "eql",
"version": 208
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "New User Added To GitHub Organization",
"sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8",
"type": "eql",
"version": 104
}
},
"rule_name": "New User Added To GitHub Organization",
"sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4",
"type": "eql",
"version": 204
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "aa2c30439a09a0821ce30bb48e9a7ded35e0cd590c0acbca87390d10683bc5cc",
"type": "eql",
"version": 5
}
},
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "1813675633a8a8db3f036f1276035eb83d74c80d29e7e67aa2bf1099ab057778",
"type": "eql",
"version": 105
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8",
"type": "query",
"version": 114
}
},
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "0c8aca13cd27121eb75ba5494b65fc5c53151b4d7a12f3f830916d156f260a95",
"type": "query",
"version": 316
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
"type": "query",
"version": 100
},
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "61e5e9cb9893a7e21a7314d6953f624a9d9e7e05e283ac34d508735fddcf87b7",
"type": "eql",
"version": 112
}
},
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "3b4775c89f9910cc69fdfc6e3ba815ed3da59f85eae5f23cfba94d923518152d",
"type": "eql",
"version": 213
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "f472608d534083bdf5f50a92951a81599a2b3dce40e413de960019aa9f7435f5",
"type": "threshold",
"version": 6
},
"8.14": {
"max_allowable_version": 205,
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "aee13957217142915e900a15702f1683ba54b1c488d13e92b73e3d8e866779df",
"type": "threshold",
"version": 107
}
},
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "12e0d0b72f404e2086dcd9c36311a6eeb68c65979ce775064dd5c6ea06953106",
"type": "threshold",
"version": 208
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "facf2b369187ce8da1649950be8b3e38f3c4c1ec81f490fa646827baf5d2427a",
"type": "eql",
"version": 108
}
},
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "2b2a1dca315b2ba3e10a64bdd41f6a67b6cb64924ac2ef44668a7ec80657d775",
"type": "eql",
"version": 208
},
"627374ab-7080-4e4d-8316-bef1122444af": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Private Key Searching Activity",
"sha256": "d14cd033b213dd2aa22e191e4316a3e9399efede1e2a54e6b84c28fc98e43248",
"type": "eql",
"version": 2
}
},
"rule_name": "Private Key Searching Activity",
"sha256": "ac4b591b30cbfb1cecd4fab9a4c521aa12bf95897eab976edf79d520b5eeedfc",
"type": "eql",
"version": 103
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62",
"type": "query",
"version": 111
}
},
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "fbd13d6ec521fef8ffeaf94e8c126b6c3d610a7440b32fdbec53435987e3e9ea",
"type": "eql",
"version": 212
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
"sha256": "3a95ccdc273d7d2af093ab0c0445370fc790147be6d43d2a2edb2b9b3cdc82e0",
"type": "eql",
"version": 6
},
"63153282-12da-415f-bad8-c60c9b36cbe3": {
"min_stack_version": "8.13",
"rule_name": "Process Backgrounded by Unusual Parent",
"sha256": "208219618907f9af2a97a782d360496106265946d0d6b37aa5eb4369f2bd210a",
"type": "new_terms",
"version": 1
},
"63431796-f813-43af-820b-492ee2efec8e": {
"rule_name": "Network Connection Initiated by SSHD Child Process",
"sha256": "886e2ce498e9e513fd0cbb827b2670aecc14f0622b71977c7d5a5bbaa36f7faa",
"type": "eql",
"version": 5
},
"63c05204-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "53a873d39857e58ee6e4fc5b7399e895bb152e41c1ab935663837628267e4ec7",
"type": "query",
"version": 7
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Denied Service Account Request",
"sha256": "c8d9810184ef49e7246335b18a3ee60393d89ef7ce8f918026a59c34bcc38064",
"type": "query",
"version": 6
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Anonymous Request Authorized",
"sha256": "17099608b9a995ff056b49ffa5be61ac5b2aa1b25812fa9ca68294450e48a050",
"type": "query",
"version": 7
},
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
"rule_name": "Sensitive Registry Hive Access via RegBack",
"sha256": "5fc949c2d8e00d3580f74fc9c2d044a0ed34182238f186e9c60e3f63df540d87",
"type": "eql",
"version": 2
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Network Connection via Signed Binary",
"sha256": "66192fcde84de1d9b0e809854015279f1016447b2e2de3d0f3f81aad88df91bf",
"type": "eql",
"version": 109
}
},
"rule_name": "Network Connection via Signed Binary",
"sha256": "dbff3c36a4ce01428dd306c519a48b7816f503173ba63ff090c31c9719748cc6",
"type": "eql",
"version": 209
},
"640f79d1-571d-4f96-a9af-1194fc8cf763": {
"rule_name": "Dynamic Linker Creation or Modification",
"sha256": "14d6857ca9bf0ec373fc9399d4434a2ab8bdeb8dcf682ae5b097bdf43ba2f501",
"type": "eql",
"version": 4
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "a43d2835f72ae42b2a33840b01901aa85c4bcef91e50f5fb8d5ba647ff9bb0e7",
"type": "machine_learning",
"version": 105
},
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "83a660084e9cace9aebc80260a7b32dde9583c295a54c288ca8cd2bde4522611",
"type": "query",
"version": 107
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "1af56461ac06d32d603787c924153d4f2d4a4db5112a2fd3ddf2d2ecfd214686",
"type": "eql",
"version": 8
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
"type": "eql",
"version": 100
},
"65432f4a-e716-4cc1-ab11-931c4966da2d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "MsiExec Service Child Process With Network Connection",
"sha256": "0dec5c209de4432366d522c8479caa203fc027282bbca7df21df60a9a9ff41e1",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "MsiExec Service Child Process With Network Connection",
"sha256": "fae229cedfaca7b7e8f9a7e40a573cc0933889bf6fd0a9add01469c2f12bd0bd",
"type": "eql",
"version": 102
}
},
"rule_name": "MsiExec Service Child Process With Network Connection",
"sha256": "159c5871496b2240dc1edfc09db683fb7932c924589e736eb32c5a80fd21b0a7",
"type": "eql",
"version": 202
},
"65f9bccd-510b-40df-8263-334f03174fed": {
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "5ba81546094d936ec84995fbcb3e17bf792328c2426d692c1d219cb256fba423",
"type": "query",
"version": 204
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "31e21bde793c13880466715c3089dbc5f61ad8f8d76e83c06f4081ca257d27d3",
"type": "eql",
"version": 109
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"rule_name": "Suspicious Termination of ESXI Process",
"sha256": "e9b5bd05f304afdfc0d3dcad377c1c58b53eff1df8f63974f81a2a09fba0819e",
"type": "eql",
"version": 8
},
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4",
"type": "new_terms",
"version": 5
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4",
"type": "new_terms",
"version": 106
}
},
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "b8bb1b1e0023c2ce2967ad5ecc17c016a9de356e9f27d2e9f33c5ba979e7801b",
"type": "new_terms",
"version": 206
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "WebServer Access Logs Deleted",
"sha256": "3d41e0a751de0eefc517ae323b3602930bdfa24fbf61b7c15235e4be117511ac",
"type": "eql",
"version": 108
}
},
"rule_name": "WebServer Access Logs Deleted",
"sha256": "c437c24eaca8d8d4b1fbd92c21ca0f8dd61115f3a64e0c02f1e23aa0e428060f",
"type": "eql",
"version": 208
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "f8282a2d5173fd7e6fde9595c6efa24f5ebe48767db9981ec5a6cadffcfcf341",
"type": "eql",
"version": 8
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "676676fdba05827386bf901a05e1f8335bbe5042bc52bc54c688eb0aac55b715",
"type": "eql",
"version": 117
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Linux Process Hooking via GDB",
"sha256": "d6069d2128de9e65240d1c2a03f27f397f632fbdb78102892e58b51e395c942a",
"type": "eql",
"version": 4
}
},
"rule_name": "Linux Process Hooking via GDB",
"sha256": "6124499edac0ee53fc52e4a4b588db2d5747ae4fb3770c91307fd25814704939",
"type": "eql",
"version": 105
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "e459e7757af9cf9495f5f49a390b8b7ed17f7d4152b90f74cbae4e4e70c21084",
"type": "eql",
"version": 209
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 112,
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "71980b7e4a7ca43713bfa72cd0160821533b13c24e3fa1d0e645a42eec4f8512",
"type": "query",
"version": 14
}
},
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "1b9b6777a50eef6af6496d2bc9338d04c6b74efbbc726b1cae58177d40ed8b92",
"type": "query",
"version": 114
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "79a56d12f5cfae0778882f6215f3767e744601b2d0f0183fa71a191bc5d9a8c4",
"type": "query",
"version": 411
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "f899b24ce14bb0d0e1c223537cd020b2b65c7b71ad97b87fd5359b89e6bd2e2b",
"type": "query",
"version": 207
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "33e8c27c30a851ee7f9d49ed14bb20f1cfb5d370320db326fbfffb9c7b855b63",
"type": "query",
"version": 411
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
"type": "query",
"version": 100
},
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"rule_name": "High Number of Process Terminations",
"sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3",
"type": "threshold",
"version": 112
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
"type": "eql",
"version": 100
},
"6839c821-011d-43bd-bd5b-acff00257226": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Image File Execution Options Injection",
"sha256": "8107c66fd0a677b8966bf0f40409dfdac75050d7a2372a8e4ba10ce0350e6dfd",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Image File Execution Options Injection",
"sha256": "2eb29b66dbef8063acbd04479aaeb1f14fc4d5f7235afe9076fdfc86d199e837",
"type": "eql",
"version": 210
}
},
"rule_name": "Image File Execution Options Injection",
"sha256": "bebbfc9c058cfc51931d5709b857995da179d43ad8e786073c42d4d74c29ef69",
"type": "eql",
"version": 310
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"rule_name": "New or Modified Federation Domain",
"sha256": "0c327149e5c49e9161bd8a1ef2fb8bbe117febb4c86c9efcaab8a6dc5890205a",
"type": "query",
"version": 208
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd",
"type": "query",
"version": 310
}
},
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "e40176c9634f6d0f324b5be9bf2cfae0370f3d8fc01188d10e54e5684d5fbbaf",
"type": "query",
"version": 410
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "d89ab2b28fdd4a4d0ad8ce943d5b320e1978c3ccde5d83d44424b7aa9e1bea55",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "6c476da86e9b4676c87675514ef346fe09280a8911de64c826ab5696fc9a515c",
"type": "eql",
"version": 212
}
},
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "eb1bb445ec3e2abbd15d674c1b44e5304446e52f281eb18ca65cb039745c82de",
"type": "eql",
"version": 313
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "6286d75656a1400145ea6bcf0cb02194f46a8678a76395dbace1577060570643",
"type": "query",
"version": 207
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "a55f600e7c4e20a4be4404040ef2bc40bd6288c5aa54fc3a6d52c192f117858e",
"type": "eql",
"version": 109
}
},
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "c0988d5971ae4b85ecac42dfbe57eb1514ddc1c13df5f2bba07ca1f2097e2414",
"type": "eql",
"version": 209
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399",
"type": "query",
"version": 209
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "5af182ae30ce25b660aec32433ead1ec5bb2caa3ebb06fc72801ac367d19014a",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "e7daf2e718a482222bdf0efce8b58bd0b54b5ad6697d3b9c492962fd802e79a8",
"type": "eql",
"version": 103
},
"68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
"rule_name": "AWS RDS DB Snapshot Created",
"sha256": "972c43b3af38053965d950138537310a6389c29d66d68617fbafc87b01aa6a31",
"type": "query",
"version": 1
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "88f491fbc91172a9ce530e464d3e41d098720ae427782544b68895129cdc1564",
"type": "eql",
"version": 111
}
},
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "dd1cccfa31ef19b5a08923452387349ef94bd64771d07f0bea725ec4a9d462f8",
"type": "eql",
"version": 211
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "9111baa04124fb4545052164f1f94445a22b38269c10ddf9433bccd3112f7b0b",
"type": "query",
"version": 107
},
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
"min_stack_version": "8.13",
"rule_name": "AWS IAM User Created Access Keys For Another User",
"sha256": "6f69dc6e309b86b281bd3f02594a03d86ba15d5835011a2b37a7ce21f3da291d",
"type": "esql",
"version": 6
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
"type": "threat_match",
"version": 204
},
"69c116bb-d86f-48b0-857d-3648511a6cac": {
"rule_name": "Suspicious rc.local Error Message",
"sha256": "bd61c67f25dedf7bbc88efd6e7088a4f24faa27595c5ec46bfcbdfef30126b78",
"type": "query",
"version": 3
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Modification of Boot Configuration",
"sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Modification of Boot Configuration",
"sha256": "84b303918d680f78c54255bfee90e9c6b45ad43925858f14ee5a3670c8dec812",
"type": "eql",
"version": 210
}
},
"rule_name": "Modification of Boot Configuration",
"sha256": "191ff5cfc3df060d64cd80442331785e547236bc47cde601d473c2839019123c",
"type": "eql",
"version": 311
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "e2ba77f3b79dada7823d3ab325dc40c902b56e2272d29bc671c218bf23de24ff",
"type": "query",
"version": 207
},
"6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Attempt to Disable Auditd Service",
"sha256": "f5fa9bfd7d9d2f03fb2e6f1b264a7b0f0f433bfb3953f27bed2afda53a7af098",
"type": "eql",
"version": 2
}
},
"rule_name": "Attempt to Disable Auditd Service",
"sha256": "a21ae8ad2d9a9aa7f634479e7b2fdea05a56714d0e14c6541044895377b4f628",
"type": "eql",
"version": 102
},
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
"rule_name": "EC2 AMI Shared with Another Account",
"sha256": "7f27abffb5aef9aadc163768a1f49184de75aebae83c4a7addfa275d9395699a",
"type": "query",
"version": 3
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "5f2f1310bff01d3a4c1ca2605ab01c632f85b21d4078a06cb88c4ffeabc174ff",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "0b7fffd5409c0d916c6b441f0f6eb2c95550d8c5c9d74192d312b7ec442372ac",
"type": "eql",
"version": 211
}
},
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "f463a7fe6e3b83f613bbd5fe19c3341fc1281b264a8b32289a081c9e9f5748cf",
"type": "eql",
"version": 311
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 415,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "f59e6b0937b1a1ec0da32d1ced5e54224ce51ff3c12f6ef795d4c46104d824ce",
"type": "eql",
"version": 316
}
},
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "f630ebc0372153fafb100d4dba68e9a37b8c2997eead17632bd5df3bed2843b4",
"type": "eql",
"version": 417
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "1c1d57466f2540ce62774922d5711359a9650bd523baf98fa3d13d5c17151881",
"type": "eql",
"version": 8
}
},
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "7ed5babe4ccddd47a42992b6b092c794c17adfe49c0418a399fb645487d38e68",
"type": "eql",
"version": 109
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
"sha256": "09e49424ce202fe6c5b9e7f31510da79059a0617231c4c0022d2c1825ff55f8c",
"type": "new_terms",
"version": 209
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "35a97fde08022de5eb9913eb1b86dc35df3e225ffdf4871c7880402ab13a1c20",
"type": "eql",
"version": 109
}
},
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "60d1fc76b949a4e86b9d41bd1ed2f51acc26f54957efb24581f61db6c674ab23",
"type": "eql",
"version": 209
},
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
"rule_name": "Container Management Utility Run Inside A Container",
"sha256": "d66c939dc799f05fd9549a603ff1d567af4287f8a2e3c0cde5dac918e7575c8e",
"type": "eql",
"version": 3
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "545b3d224a0f1f8ebeb0d9f6ca6077c60c57b650d6a3daa51b4a8b30de55da39",
"type": "eql",
"version": 109
},
"8.13": {
"max_allowable_version": 307,
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "1b469660f4b28888121b5610c6034c3b0a309f63debe06bd347750f423362cf6",
"type": "eql",
"version": 209
}
},
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "7d551332f1288a1e8d53bccfab142a72143c5e61a950b05be6f4f8711ba883c5",
"type": "eql",
"version": 309
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "GitHub Repo Created",
"sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09",
"type": "eql",
"version": 104
}
},
"rule_name": "GitHub Repo Created",
"sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126",
"type": "eql",
"version": 204
},
"6cf17149-a8e3-44ec-9ec9-fdc8535547a1": {
"rule_name": "Suspicious Outlook Child Process",
"sha256": "ccbb9744b4a8108d543d3dfed5c57e1c0ef457154ba3e50c9637f165f3345b7b",
"type": "eql",
"version": 1
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual Process For a Windows Host",
"sha256": "a84737464ef6658f7587d12e88f77356e079d797986616813ffb6be47e2abaa0",
"type": "machine_learning",
"version": 112
}
},
"rule_name": "Unusual Process For a Windows Host",
"sha256": "557a4432fcdb67fea0e8dd2558d19664cf507405b6db1317a0c399e9808e851d",
"type": "machine_learning",
"version": 212
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
"sha256": "731a803c9a47cb0804d071217c48070afb14657b649da32fe8e6b1c19f24731f",
"type": "eql",
"version": 6
},
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Root Certificate Installation",
"sha256": "f8f51e4211d34c59185c437d929b82051162d84c2c026d0a311fd0d6f40f2099",
"type": "eql",
"version": 3
}
},
"rule_name": "Root Certificate Installation",
"sha256": "f253848012c90e8fdcf02df03d40dbb169248ea5c7555e85d439610392aa81ee",
"type": "eql",
"version": 103
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6",
"type": "new_terms",
"version": 8
}
},
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "a8bbd1a9cdafc77c48549535f3b93376cad74a043e69ead9323c875d7feb04d9",
"type": "new_terms",
"version": 108
},
"6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
"rule_name": "Loadable Kernel Module Configuration File Creation",
"sha256": "55651a72478c93e332ffd43ceed7bb57e098fd6549e20ff56ce66ede80a49a75",
"type": "eql",
"version": 2
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "aa536cbc660cc56dffc7bd3cbb4098aacc6c96df9edb4d4dbe8f33414448b4d3",
"type": "machine_learning",
"version": 109
}
},
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "f51d97afdd1733e5fc284af1e741adc641483e82eab7f5fefd10f0447b2654d8",
"type": "machine_learning",
"version": 209
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "AdminSDHolder Backdoor",
"sha256": "f665de1ecacdaa7b1c6b0556304063dac3048aada63e8f6ef7a725068e85f087",
"type": "query",
"version": 111
}
},
"rule_name": "AdminSDHolder Backdoor",
"sha256": "eae617d40bb78ff247049dfa080cc2aa3aa6f67036c79af83b3d0c573bb1375e",
"type": "query",
"version": 211
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "b756d838cee35d2d74c87c1eb59757651ef01aea7dbb08271cf1d89133465583",
"type": "eql",
"version": 209
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "736e277394bca054547364d6d99541019679fc36129d52d20115c635cea06701",
"type": "eql",
"version": 110
}
},
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "8c0b8e6ae4907a14420c8dc8d06917470f29f360f9604118f6220115e981bef3",
"type": "eql",
"version": 210
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Security Software Discovery using WMIC",
"sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31",
"type": "eql",
"version": 114
}
},
"rule_name": "Security Software Discovery using WMIC",
"sha256": "46ce350a70ad18636cde452bd1c45f325da59e8b2412b135766d037a3944a288",
"type": "eql",
"version": 214
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
"type": "query",
"version": 100
},
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "eb944b67560451bef538d988be2f0fcfd42f4a6dce1a2f67fc23ef34d93692e8",
"type": "eql",
"version": 8
}
},
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "a1f2cd2fc7257d7c204df51ffec3d086f341240896b38551b8acc005408ce357",
"type": "eql",
"version": 109
},
"6f024bde-7085-489b-8250-5957efdf1caf": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Active Directory Group Modification by SYSTEM",
"sha256": "03eb5f7517e61382f1036b5beee21a7d1de836f457cada365be4b8aa39f93045",
"type": "eql",
"version": 3
}
},
"rule_name": "Active Directory Group Modification by SYSTEM",
"sha256": "5cf116ca583a54c21dd2db7e27f62fa234832620236dd9cf062d0599afa18a12",
"type": "eql",
"version": 103
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
"type": "query",
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8",
"type": "new_terms",
"version": 5
},
"8.14": {
"max_allowable_version": 204,
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8",
"type": "new_terms",
"version": 106
}
},
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "4b4aaaf8565e177b55da43b3b76e40c256d8df646f804b5548be8f9f4eb95a02",
"type": "new_terms",
"version": 206
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"rule_name": "Google Workspace Role Modified",
"sha256": "6de799b5422ffa174ed80888e29825c58384f7591ac7fadce324ff2fdce2a998",
"type": "query",
"version": 206
},
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
"rule_name": "Linux Restricted Shell Breakout via the find command",
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
"type": "eql",
"version": 100
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "b2f7ce631f07fd56f2182a2d89e94a7b72a8f17e0957f25048b089de04c78dec",
"type": "query",
"version": 210
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"rule_name": "AWS Config Resource Deletion",
"sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f",
"type": "query",
"version": 209
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "ebca825d8f82f3442cf31f625828e5423889ecb4f613cd0a3a06c3e0ca9cd8a4",
"type": "eql",
"version": 103
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "fe89abe29a8070ab4e00e31a6d1cafde62515321d21198ba780381a9cc87d9b5",
"type": "eql",
"version": 110
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "6d5f8124605ee8d89f23173accb268a0822ca4c9d19c6ee69a82b72a054b8c85",
"type": "query",
"version": 107
},
"7164081a-3930-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
"sha256": "cc0ed08e75b10ef23c81e0eaaeaa4a105adead987b36e625e56b5d3fd95293af",
"type": "query",
"version": 6
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "11a00101c170955ef44f1ca300cced85620dfde179c9eed8484b753c960993b4",
"type": "new_terms",
"version": 210
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "021ab9fdaf96cad949b46c2810f09637e27d34d4870bb4544afe5e33d4fcc8fa",
"type": "eql",
"version": 116
},
"8.13": {
"max_allowable_version": 314,
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "b28951fe4ef7053b478f08929474a4220e85d70c52a9d83f2779447c8b6a5cfd",
"type": "eql",
"version": 216
}
},
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "25b753cd927ee68be264ce3804a09298ae399947fa04077161f80d8f6db87aec",
"type": "eql",
"version": 316
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "4465fa5b7551e881e3e5b66b1cfae96e4f8459191b87e2266b1fc1998c26d690",
"type": "eql",
"version": 111
}
},
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "d39c0a65fabb51bbd9bbf21cda120d03b4b1891934c8d8298addd7d3585b1ccb",
"type": "eql",
"version": 211
},
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"rule_name": "Suspicious Passwd File Event Action",
"sha256": "609588d90dbd2835f5c9b04e8df9212c06789c253c51493efddb47a5ca0cc201",
"type": "eql",
"version": 5
},
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
"sha256": "53f2d959afe1859d602b087186c2f25fd816ce59109d230336260a9d4c9c2985",
"type": "query",
"version": 3
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "eeedb6e75b8369f569e27869c6d1cfcc66b89f71b4869f6357e49a43538c980e",
"type": "query",
"version": 207
},
"725a048a-88c5-4fc7-8677-a44fc0031822": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
"sha256": "f61560b78b79c873453bce1b3947231b6df1c967d0f2a49efefd56bbfb7bfc59",
"type": "esql",
"version": 4
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "9a377a031cd4fb9cb9842837169396944442098d99de7fb295b107e286c332f6",
"type": "query",
"version": 411
},
"72d33577-f155-457d-aad3-379f9b750c97": {
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
"type": "eql",
"version": 100
},
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "4f3545b509cbd0e36f1170017de36ef566801ca5376fc194fef70bac179466cf",
"type": "new_terms",
"version": 3
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "14c220c965f94f3d24b674b86ed86d9a0e093a00d8bb6fc8eb670488981b443a",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 202,
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "f6fa075f0e990cc2ced9697647d10fa16903bdde80c50a403c2f4bc7b78d7a0b",
"type": "eql",
"version": 104
}
},
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "e129818b4075375d23aede5312cbcac6b1a4b64ce749202fd8a924cdb2ed5a06",
"type": "eql",
"version": 204
},
"7318affb-bfe8-4d50-a425-f617833be160": {
"rule_name": "Potential Execution of rc.local Script",
"sha256": "b962ad63b2d98409b515c4dd3a06e95db517c9a7d1b13f171924c19dbaab563e",
"type": "eql",
"version": 3
},
"734239fe-eda8-48c0-bca8-9e3dafd81a88": {
"rule_name": "Curl SOCKS Proxy Activity from Unusual Parent",
"sha256": "be9bce91fdc93b4d4d344a66eeafad8e5ea7f5d9bd1b0fdea2aed5b7ba6844a8",
"type": "eql",
"version": 3
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "491014d84ab03e206e7acd9755d0269b2830a9b3f9c44913c29682c433c740a6",
"type": "eql",
"version": 113
}
},
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "46384078f361759cefe252f2ab0c88a0782b3c678d19dbdf8f572efaf67b2044",
"type": "eql",
"version": 213
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
"sha256": "44bbbdabf96190f26bace4b98f5c51ae42d1a21d7d1da27237875fa98e94a949",
"type": "query",
"version": 207
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "a93547b576fb979d332fb9489f405cbc02bb2c196fed5cc175539deb931873a6",
"type": "machine_learning",
"version": 105
},
"746edc4c-c54c-49c6-97a1-651223819448": {
"rule_name": "Unusual DNS Activity",
"sha256": "181dc50d849f55bfcf9764f49f182fed0798673d7fa5fbf72be7656432884240",
"type": "machine_learning",
"version": 105
},
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
"min_stack_version": "8.13",
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
"sha256": "f5789d775fa4739d37c91b2704142e6834659dfa48c0b2678871113ce335b642",
"type": "esql",
"version": 2
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"rule_name": "Suspicious Sysctl File Event",
"sha256": "d790d709f03bebac3ba27db548f318546cf856374beeabb46c5ced8ee2b2dab1",
"type": "new_terms",
"version": 108
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"rule_name": "Service Disabled via Registry Modification",
"sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a",
"type": "eql",
"version": 3
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
"sha256": "35c6e99bb87ba74e8ad015a7294177cb02da7be90c3c3eaeafcfc7be552d06f8",
"type": "query",
"version": 103
},
"76152ca1-71d0-4003-9e37-0983e12832da": {
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
"sha256": "6af358d3be4d9bb00ef30bfd0dbcf86a28d3137bb9860f1f4798f16b397ca98e",
"type": "query",
"version": 105
},
"764c8437-a581-4537-8060-1fdb0e92c92d": {
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "e909dade063ff13866c5e0f93e3c21f803087e12ab2fec4064af1a3dfa872729",
"type": "query",
"version": 205
},
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 111,
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "e27879646a752098196f7a4c79196676252e70f55aa7d52e91c8571fcf426996",
"type": "eql",
"version": 13
}
},
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "53ab74d6acf45ef59942b5dd19e0d71f5ca14ae4de1da8c6090b4507887d6e22",
"type": "eql",
"version": 113
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "d821f3e5a0bf1e2dedce1bdaf15fe58785f4e47e81a99103fd0c35cb62e5fbf2",
"type": "eql",
"version": 111
}
},
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "1a48028da247ad699969d0714a5b03ca294e28d99adad7b3fb9ada639aca982c",
"type": "eql",
"version": 212
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "d7ae7c609b2c09df86e03eb23c9f3d9c19a114f3e9e69d99121828e0555ea7ff",
"type": "eql",
"version": 107
}
},
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "79ae7e59e1d03bbcfec778070f91b178ec05f43c08636a10bbffb05ee2bca01a",
"type": "eql",
"version": 207
},
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "6a73b9f5864bb0ea366a745a9af576e7bfaf493b276693b044f5b5cd267ea68f",
"type": "eql",
"version": 11
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 413,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "fa7f0992aba0bdd414251ed673752a12db4ec5e47f27f027e5183b546920abc8",
"type": "eql",
"version": 315
}
},
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "3de8678662d78c511880c3dfa795b3d501c299cd3f22598f42b4c97f2d48685f",
"type": "eql",
"version": 416
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "d62e2b76d88602e0cdbf18894a79c5eb6e97d94b79daf465cf55f42a2afa7bb4",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "31b16b50f6ddada62eb767b0e6eb1ff02c6a155e2618729dbc807defff6abe0a",
"type": "eql",
"version": 214
}
},
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "82829ceebd92fbe5abb27cc5e4f5139731a0b337c7f1a8e09ed51ba9d883cc63",
"type": "eql",
"version": 315
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "User Added as Owner for Azure Application",
"sha256": "ade0c6d9a4d9740cdb0024f7c02cc8b73775f63d9be285e4692d87bf29938f72",
"type": "query",
"version": 103
},
"7787362c-90ff-4b1a-b313-8808b1020e64": {
"rule_name": "UID Elevation from Previously Unknown Executable",
"sha256": "4c034f3a9c42c12be6b1a00041754822d517d75f23ddab914c20222cab8ebc8b",
"type": "new_terms",
"version": 5
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "11fdb1469f92140db4557f4b11369477cd9bf511578238a7b6db0f4a8535243f",
"type": "query",
"version": 105
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"rule_name": "Potential Network Sweep Detected",
"sha256": "4ceee9e70e8a80b75777d30ad1e8c71d873d3e5672bd2ab984e40111c6505c38",
"type": "threshold",
"version": 10
},
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Yum/DNF Plugin Status Discovery",
"sha256": "edc1dcf2de6b0222d78f62e7eac490f5069a3917f49022d78a3b84b59739ac14",
"type": "eql",
"version": 3
}
},
"rule_name": "Yum/DNF Plugin Status Discovery",
"sha256": "b945c19be36ede477ceb6eb65ff7fa6d2271d7458820139d0bdd9ad8b8633143",
"type": "eql",
"version": 104
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "7872d9e397306a241598eb6172a75adc0608f3f529798a8639c1e86810735b47",
"type": "query",
"version": 206
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"rule_name": "Azure Privilege Identity Management Role Modified",
"sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e",
"type": "query",
"version": 105
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"rule_name": "Spike in AWS Error Messages",
"sha256": "fdab7511f64935faf0bd44cb14c5924f678aa613944ed7ac1d07240a12cd401e",
"type": "machine_learning",
"version": 209
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "0005a9a8a6ef5e1175a1455632c00ea760e3a9af4094ad1ac870f68df926d254",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 304,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "3ce0e176a839d12ad331e3842627d3025bbd3ab4ab14d6bd3cc4b7647b783d93",
"type": "eql",
"version": 207
}
},
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "d898e75beef6831e445cc1fc945041edc9b598e291f5ad76dc7bbe7b040eb79c",
"type": "eql",
"version": 308
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "b06fe72841e973c578410fa85cc532be47a7199c613e59e094aaefce1e311a48",
"type": "eql",
"version": 3
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "74064ff365e610605f23b1e89523fbb13694d5231cd3738b21ab8cf30c6d0e2c",
"type": "eql",
"version": 8
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"rule_name": "File Compressed or Archived into Common Format by Unsigned Process",
"sha256": "b1d168024b3a453b93f1e31cf146ca7287afc7386c503ff86dfd88c47aee5845",
"type": "eql",
"version": 6
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"rule_name": "Azure Key Vault Modified",
"sha256": "26a1c9c9ec61e57e11380743c01f25a54a74cb7f580dde50a1a6d9d43e4f537e",
"type": "query",
"version": 104
},
"79543b00-28a5-4461-81ac-644c4dc4012f": {
"min_stack_version": "8.15",
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "df935e831f7d3a8b986c24cc07232817bd2044240140b7536cd4bf61cb96811e",
"type": "eql",
"version": 2
},
"7957f3b9-f590-4062-b9f9-003c32bfc7d6": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "SSL Certificate Deletion",
"sha256": "7c7dddf409d27c4336808578a23adad99b63a0ffdc3ca7a3651f429905241271",
"type": "eql",
"version": 2
}
},
"rule_name": "SSL Certificate Deletion",
"sha256": "7e7cc3077f9f831c4c0bf8d8d0cbdb3ab9244f904d9ecc9698a4a1790edb925d",
"type": "eql",
"version": 102
},
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "649ff4b679f9f2b569f73ad7717ac48ba0bc93da34b650a7bca46243274b37c2",
"type": "eql",
"version": 5
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Potential File Transfer via Certreq",
"sha256": "0ab2916bfd0a5de67b88a693cf85292e73b61538b72dbdc008f37e561b662f86",
"type": "eql",
"version": 10
},
"8.13": {
"max_allowable_version": 208,
"rule_name": "Potential File Transfer via Certreq",
"sha256": "f6cb3500aef0219e60d7a68529a59b0a83d53dc2a4be380f92e62fd0223d44b4",
"type": "eql",
"version": 110
}
},
"rule_name": "Potential File Transfer via Certreq",
"sha256": "e1897e626658e3fe3b447488817112191c5a960deaee23c8b957ef58ee977d91",
"type": "eql",
"version": 211
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e",
"type": "query",
"version": 112
}
},
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "391c7298682fb3726536a7f552ccf9f49fd3d8d83acaf1ca3ba74e49aa91590a",
"type": "query",
"version": 213
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
"type": "query",
"version": 100
},
"7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": {
"rule_name": "First Occurrence of STS GetFederationToken Request by User",
"sha256": "3e8f2ecf0b50b7db1d4294ac9f9a788f8bf8790151183901e7829cca9aea5f20",
"type": "new_terms",
"version": 2
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "820246c1236dd2cdd3601e1dd0c74c5f936f40ed580c2ac2884e7170b3df6d97",
"type": "eql",
"version": 7
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"rule_name": "Potential Execution via XZBackdoor",
"sha256": "f4ad3bfdce432ca539259b7d6fb645dbb26546156be5e35d397775fdb01408ba",
"type": "eql",
"version": 6
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
"type": "eql",
"version": 100
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "1ba40cb9f4c5c384f4d6b52a76eab02c45e14d33eb930cccf3fb1c329c7455f2",
"type": "query",
"version": 207
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Windows Network Enumeration",
"sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486",
"type": "eql",
"version": 114
}
},
"rule_name": "Windows Network Enumeration",
"sha256": "344dca0a521891ded14c0fa6218e8d742b0d0c478d220c1433bf97273df3b42f",
"type": "eql",
"version": 214
},
"7b981906-86b7-4544-8033-c30ec6eb45fc": {
"min_stack_version": "8.16",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "SELinux Configuration Creation or Renaming",
"sha256": "7b361ea07b92064cb854e35573c5988af529ce6fb75a264cdd27ff53b0963e28",
"type": "eql",
"version": 2
}
},
"rule_name": "SELinux Configuration Creation or Renaming",
"sha256": "5760c0ff5525a18ed54b21f9e5b8b7b19658ed8831398454d1df210be1bbe591",
"type": "eql",
"version": 102
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "9abb27e289a572393ecc8c26044e5a71196cc1d77d152f84fbee7138251de7de",
"type": "eql",
"version": 209
}
},
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "bb2e07eec501f5e296c694526b219607dca9e18bad1a4d862fd1cab9bac5fe08",
"type": "eql",
"version": 309
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"rule_name": "Tampering of Shell Command-Line History",
"sha256": "886f6f210debfa8b2263107d6bb45787db17443c3f09f62bb792e44159dfdcd0",
"type": "eql",
"version": 108
},
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
"rule_name": "APT Package Manager Configuration File Creation",
"sha256": "5640fd704ed05c227cd8de85371a84f00b0f3086b3a976bd99359b15b0b4d4ea",
"type": "eql",
"version": 5
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "0f41d71ccff8430c3787790e46370c3451a3a92f2faa9b03993b8fba38aee32c",
"type": "query",
"version": 107
},
"7ce5e1c7-6a49-45e6-a101-0720d185667f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Git Hook Child Process",
"sha256": "cbfd0389fa0ca95a4de245b02e374ee3f3a3981798ed207f5f5ceff7808d654b",
"type": "eql",
"version": 3
}
},
"rule_name": "Git Hook Child Process",
"sha256": "3aeeab0a9f9e1baa8c36a0d3aca397ac0be75278ca1a51b60022819bf9ea8cde",
"type": "eql",
"version": 103
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"rule_name": "GCP Service Account Creation",
"sha256": "30dc79af79c7ffd88c47ce8902032f7d4088dcc82f73f4da0070e14257270520",
"type": "query",
"version": 105
},
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
"rule_name": "AWS Lambda Layer Added to Existing Function",
"sha256": "1382999f7d36996f9608126c6608707d9d695dcd3298755443448a1d81c27ead",
"type": "query",
"version": 3
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
"type": "query",
"version": 100
},
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "SSH Key Generated via ssh-keygen",
"sha256": "7841db675589b43a0132206eb7b239ca46f3ac97ad9193dcf04937159707d691",
"type": "eql",
"version": 4
}
},
"rule_name": "SSH Key Generated via ssh-keygen",
"sha256": "5a08a86502f4db05eca4b25e854f8f9be1f852325a962075dea70815aacf6764",
"type": "eql",
"version": 104
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"rule_name": "Suspicious Kworker UID Elevation",
"sha256": "b8c749e5ff7bf1d9f8abc6fb1344b7c34c95ed51c530c12986e3176da636d219",
"type": "eql",
"version": 4
},
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "f4f3005ebf031857782967a3872088cf11afc078151a683045d3bf756aa415c0",
"type": "eql",
"version": 5
},
"8.13": {
"max_allowable_version": 304,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "da4714c9dcfb5d07b5b39b1939ecbfc5b46b7da8d7d77a91c9093ee2ee6e18e1",
"type": "eql",
"version": 207
}
},
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "647288a0f887d8f1f0552ecfef80652333f04873e5f925195d218507a369b28e",
"type": "eql",
"version": 308
},
"7e763fd1-228a-4d43-be88-3ffc14cd7de1": {
"min_stack_version": "8.14",
"rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed",
"sha256": "e03b56ad3cc6e1d81845996b6bf137225573011b20ba352bde3cfbb18e4479f6",
"type": "eql",
"version": 1
},
"7efca3ad-a348-43b2-b544-c93a78a0ef92": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Security File Access via Common Utilities",
"sha256": "46ed777838914f516739b0d329e16d62457fc60aedd877440c7cc4022d7ed059",
"type": "eql",
"version": 2
}
},
"rule_name": "Security File Access via Common Utilities",
"sha256": "6ba9893d93ba8852cad33b67e46d3ffda3bb3282cf04264efb77ba683e837231",
"type": "eql",
"version": 103
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "1fcee1562ccb772f6a7729303e250ead257201a219aa8ffee182b66f784076d3",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "a12e4767a30ca28c3ddc986cf3c77848cd65ddfce15fd96b7577dab2afff5122",
"type": "eql",
"version": 210
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee",
"type": "new_terms",
"version": 102
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "Systemd Timer Created",
"sha256": "d28a5fbf12cd038860603dad3a3f927b893dc2a624963063025cbec73932a4e9",
"type": "eql",
"version": 16
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
"sha256": "c074c4066439731cdb1ca074f41712d8139ba7383e854e9990c3f5fef99a6a9e",
"type": "esql",
"version": 4
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "1cb7f1b40b2b92807f7a8f322a6510de21f99c502327d83b1d2f5865b494e36a",
"type": "new_terms",
"version": 107
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"rule_name": "Unusual Process Extension",
"sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a",
"type": "eql",
"version": 4
},
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential PowerShell Obfuscated Script",
"sha256": "1106414c1ef42b911e2c96ae0a545a86614b9a568aa9742419c22b0a71a0e879",
"type": "query",
"version": 4
}
},
"rule_name": "Potential PowerShell Obfuscated Script",
"sha256": "f81754824afd09978cc7c486a795db468b2056bf7fad5883848582f85a47c031",
"type": "query",
"version": 105
},
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
"rule_name": "SSM Session Started to EC2 Instance",
"sha256": "d0cfe0f7d2abfcd56dc76d693aba0e8ff89281385360ae75a90446721d5e85c3",
"type": "new_terms",
"version": 2
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "4a3c5fd150828acc188647d8c5574f0b88da993c4d0abaaa285644ff08021608",
"type": "eql",
"version": 104
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"rule_name": "Unusual City For an AWS Command",
"sha256": "89302a4ee46c254ece373ba0f594ea3ca2cc108b88e04a312fe1372645a60fe2",
"type": "machine_learning",
"version": 209
},
"80c52164-c82a-402c-9964-852533d58be1": {
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "e29105d1b78b1286a5636c653ea518672e193131ac622f0f3ee2de7f1d5e5528",
"type": "query",
"version": 104
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"rule_name": "Unusual Remote File Extension",
"sha256": "f79f2ede08c18655e62fd70d2fdd42a914f43a74abd5019f7356324fbcd96f92",
"type": "machine_learning",
"version": 5
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "fc4ff95d31809bdc72563ba4251142cb5a33e5239d3cb64a0b877a31f6ba05d4",
"type": "eql",
"version": 210
}
},
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "79d56380a744abb989063bf3baad2ba31b19b1d7ceb2de2be8234bf921051f81",
"type": "eql",
"version": 310
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
"type": "query",
"version": 100
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "efc3d78e44e73f61be6817f00d4df5af584ce5e02e96ca5fb45a45d84d771116",
"type": "query",
"version": 113
}
},
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "446a5437935aff86d9b2c78df79189e0201a991a36436313898a59f7706245e6",
"type": "query",
"version": 315
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "6bf952805cab991d5963490e557576ee982dbb3d351e9a2b4b2a18092b5980c4",
"type": "eql",
"version": 9
}
},
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "e4459ed8785c0a590bfca408bc7e0bf79a7101cffb3c56690bac0f7cebb948fd",
"type": "eql",
"version": 109
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "2f5d6142cc013635d4920ad40fbfb096e1071868dd0938460579946ebaa120b8",
"type": "eql",
"version": 209
},
"82f842c2-7c36-438c-b562-5afe54ab11f4": {
"rule_name": "Suspicious Path Invocation from Command Line",
"sha256": "c728415c613b2f36c5c323bb7c97a17891786e1986c6e4c9ea1b69e3d1500099",
"type": "new_terms",
"version": 2
},
"834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": {
"min_stack_version": "8.13",
"rule_name": "Manual Dracut Execution",
"sha256": "dbd9afc54fc7a771ed98faffa779d382c2b1962cedf84ec2dd45606550e37857",
"type": "eql",
"version": 3
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "04a9b7b77bc56377bc4686132f269a31dfa92ec833decf61aeb4cee3277ae5d6",
"type": "eql",
"version": 9
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"rule_name": "Azure Kubernetes Pods Deleted",
"sha256": "b04ed2cc0d2afeab9a1e5ce21f7ffe90acbd75940c93166660e2d41abaa39070",
"type": "query",
"version": 103
},
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
"type": "eql",
"version": 100
},
"83bf249e-4348-47ba-9741-1202a09556ad": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Suspicious Windows Powershell Arguments",
"sha256": "81ca7480b1ca8ad4fd6c7cdddfb2622e9b14641cb9b0b612e22d6bca9e329179",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Suspicious Windows Powershell Arguments",
"sha256": "13fd6f48996c900fb7a162c04e7b0e7ea52bd9bb0cf837a4edfb19ebb6c3e8c4",
"type": "eql",
"version": 102
}
},
"rule_name": "Suspicious Windows Powershell Arguments",
"sha256": "8f162f40f9630207e21d4ce6a4025ddefcdfc01ac59158bc49c0ef854c20450c",
"type": "eql",
"version": 203
},
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "6662212297b3975808144113e634d7165b30280989ae8729d7cd570603f52193",
"type": "eql",
"version": 10
}
},
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "549c19f864332988b6fb45817a74e1dab49339388224f5b36cdaf30d80d21bda",
"type": "eql",
"version": 111
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
"sha256": "01513b5293f4ae3276aacd57b67b38b4957f57cb9447cfc9e4f4e580411b6677",
"type": "new_terms",
"version": 4
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412",
"type": "query",
"version": 7
}
},
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "20a8c64cf10a599a57a3f2adcde2cd11f433b594347d5f01e75ddc591af6b8cb",
"type": "query",
"version": 107
},
"84755a05-78c8-4430-8681-89cd6c857d71": {
"rule_name": "At Job Created or Modified",
"sha256": "b00d2ec654af8f1f110f648f4094160b9ef9e812d8eb7980b94e0879c40ad211",
"type": "eql",
"version": 3
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "5add5265cea65ff564e6f374b8d963ea6af326fbed8d8d0b3ad11829c55033e6",
"type": "eql",
"version": 4
}
},
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "559158e7c30d5871bbf29e70aef9a1d8def80199a6ab18a0f76d1363c713891c",
"type": "eql",
"version": 105
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "edbf1332772ff82f1ca2598dd8a01f2db70fbc0b0fc319db2140d545aeb1a4f0",
"type": "eql",
"version": 113
}
},
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "d9c16cda743982a7c6cdbdb8dc28e0a6b4b32544874e6716412faa3814b400a7",
"type": "eql",
"version": 214
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32",
"type": "eql",
"version": 111
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "361cf289449891a5a01a599005a112612693f0528651e2fd44fd291e2fcf9481",
"type": "new_terms",
"version": 211
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "8c5a7758239101b15cc23eb4fb35a783f8e692ad99783c3801a074cdcd98e637",
"type": "query",
"version": 207
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "03916533d138f82d6ba43073f971d26e8c8fc154a5722bfb56b1bec42cb8f26f",
"type": "query",
"version": 207
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"rule_name": "AWS IAM Group Deletion",
"sha256": "aee9d293bce7b42db112f783b52ca95f4c163851cb39f56542873a0caeb9f9af",
"type": "query",
"version": 207
},
"86aa8579-1526-4dff-97cd-3635eb0e0545": {
"min_stack_version": "8.13",
"rule_name": "NetworkManager Dispatcher Script Creation",
"sha256": "183f75eab447dce4523d4f25e514acf26cfbdf05b137fd5a3fd9eb1b968d86ee",
"type": "eql",
"version": 2
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
"sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
"type": "eql",
"version": 1
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"rule_name": "Security Software Discovery via Grep",
"sha256": "d4773a9bd42acb66239348d5fe61bd9512fb95f50634dfbfaa1c8f42820b2b78",
"type": "eql",
"version": 110
},
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "043665e2ef98b00727f9e07b55549bee2d56066daf42ca2553e2b1bfa8aaf20e",
"type": "eql",
"version": 114
}
},
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "a362b8b5e455f372dabfdad53f4b89385185d08f8e4cd581f2d4d3a13bc1a59b",
"type": "eql",
"version": 215
},
"873b5452-074e-11ef-852e-f661ea17fbcc": {
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
"sha256": "d1b4160bab5ee676bf3eab50efcb4bff6b9ca03017813d404ac83b5d429c6e77",
"type": "query",
"version": 3
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "5cb776ec175c443858372adf34644ecc3edc4f4123ab3f91796ab08fa8d0d162",
"type": "query",
"version": 207
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
"type": "query",
"version": 100
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"rule_name": "Linux Clipboard Activity Detected",
"sha256": "ca936e7322accdce60e6973d70b3e164506cb6fb04d87bbe28ee8f64c9eecff5",
"type": "new_terms",
"version": 6
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "23ada8e36279e7e1d4e063b07f108194166709b11de778959bc24e7eff2a55c4",
"type": "query",
"version": 207
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "8ac86f893c189972849c3353f5d53331a7a306c28b6f10c8bec469d634c86757",
"type": "eql",
"version": 110
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"rule_name": "Potential Sudo Hijacking",
"sha256": "67beebb88fd866d0c58a2785de107b2bf8f925d18bbbdd790906734f21a39f7b",
"type": "eql",
"version": 108
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "8809aba8865764ab7fa1c657c37778c6657378dc4f2cfb4c6127be5e794149ed",
"type": "eql",
"version": 109
}
},
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "53a213d8996a7876b24f56a45cbd4b7f95f660de24ee6058b95deef9899d84c9",
"type": "eql",
"version": 209
},
"894326d2-56c0-4342-b553-4abfaf421b5b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
"sha256": "9bd93a579ae1a7bbd18dedf1ae6dad6e63793a9512980fd85c8ae941687b452d",
"type": "eql",
"version": 4
}
},
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
"sha256": "81c8f8ed0970f15203496f9c2987f89c5c57a24edfbffac2587aeb52629ec0ce",
"type": "eql",
"version": 104
},
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
"rule_name": "Linux Restricted Shell Breakout via the vi command",
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
"type": "eql",
"version": 100
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "7120f5e967222b6743edb0bc495b3453b4d26dc1f63088bff68607f6220e8b59",
"type": "eql",
"version": 111
}
},
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "14dc4752088817761b090bd9e818c960db21258c4ce1aff3ce6e86dbe199d127",
"type": "eql",
"version": 211
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Command Prompt Network Connection",
"sha256": "95c1cb5499a597411e4e3b7103680f9d8fb49cf5fc8cb6f354b9483142545adc",
"type": "eql",
"version": 109
}
},
"rule_name": "Command Prompt Network Connection",
"sha256": "f36e46aabd03a9e82d6e55f6c98dcd0a0f0ae620cd00b0ba0f21e7518a759e2d",
"type": "eql",
"version": 209
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "4eeb21145663f19873a7b259f2aedd9a858885571f911ca166304d52bf4a49d0",
"type": "query",
"version": 107
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "01e31da74d8f38ddf237a4320f398fef3afaf986bbf7a614926c91d52717f21a",
"type": "eql",
"version": 8
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a",
"type": "eql",
"version": 7
},
"8.14": {
"max_allowable_version": 206,
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a",
"type": "eql",
"version": 108
}
},
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "d84240158ef05b04877fc81e2d2f50edb882cd77a53b137f7598c54e84ca5879",
"type": "eql",
"version": 208
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "GitHub PAT Access Revoked",
"sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4",
"type": "eql",
"version": 104
}
},
"rule_name": "GitHub PAT Access Revoked",
"sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5",
"type": "eql",
"version": 204
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "SUID/SGID Bit Set",
"sha256": "79396b5a9e555f97305570bb4e88f328ca55471768c325f8cbfdec62e20c30e5",
"type": "eql",
"version": 106
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "cd861b1c03ef17e10978c9c1e342be58e0362cd9eef31c85cb7b40568cf5fa52",
"type": "eql",
"version": 109
}
},
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "ddcebc2310acf9c6471b9345d63edcd418123b3e163cca09175bc75defd47755",
"type": "eql",
"version": 209
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "47bcd8271a1bc8780152afe19fa834ab97946e9cba47bcb65d819e92b6625fba",
"type": "query",
"version": 411
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Deprecated - Suspicious JAVA Child Process",
"sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693",
"type": "new_terms",
"version": 209
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "2753a4670d4217cc050e838bf5a7f4843db23df0caa83fc1017d346297e4922f",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "f2b61c3ff7a9e998f71f19335af6dfe69db48ae9d7098fcf270a3dc44ec4fb48",
"type": "eql",
"version": 106
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "79486f56c33d6afd1cec4fbf8dc404d0f0e9fc38b19572051d537f800d601ed5",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "8706ffd6a46a7cdbd2b6400c609ec39bf1f1bf833ecccf2d71a38a9316b96ccd",
"type": "eql",
"version": 210
}
},
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "c15790a8f71b15dd684b959f65fa22034a2fafcf821c26c0a2771f727b0c088d",
"type": "eql",
"version": 310
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "0233b0c095271e86a61b4f41bb130007b740f4c4e75718f9ca731a3bc4f94511",
"type": "eql",
"version": 210
}
},
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "1b8dcfb849fbca85f3c0f9347e3081f3c8e4b4f6736756a7de5d88cc31652ce9",
"type": "eql",
"version": 311
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"rule_name": "Azure Kubernetes Events Deleted",
"sha256": "38bdbda8e1ba1c0aff2f02b3f46c2fc694a92e6a4dfc7244cc948c3e38dfc8ef",
"type": "query",
"version": 103
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "084b9ec33eedc1699c7dd2f8b5c81771300c6f944ca3fe5c5cfb7039b474cf43",
"type": "query",
"version": 105
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "38d0941ee472b5919ff202905e616b35d4fcf58b34c86b0f728f3570f8e9d3c8",
"type": "eql",
"version": 212
}
},
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "8e9cdfcc336ce2f5c05c2db76a514795e03b4b84ef65fb2ccd5d14b90a043f77",
"type": "eql",
"version": 313
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "dd976a4b62d0afc39c2d7af53056e456bfe88f3261cde76fa6df84e4948cafd0",
"type": "eql",
"version": 109
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "cf387e78a1d52b36974bd4933ef7d56730af702385f9a128c2d39cdbfe1334e7",
"type": "query",
"version": 104
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "fb77d08bdc9f8ec6a12b4b74458cdc27ffcecee0c8497e4268cd82cc72685eef",
"type": "eql",
"version": 12
},
"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": {
"rule_name": "RPM Package Installed by Unusual Parent Process",
"sha256": "528868f65a9cb81c8c4c131dd0d3f9550a95750bf358c31cf275b4585365bead",
"type": "new_terms",
"version": 3
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0",
"type": "eql",
"version": 3
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"rule_name": "Suspicious Interactive Shell Spawned From Inside A Container",
"sha256": "bee7fd95d7e5e74fcf59ac4cc197777031c190f90b069ddcbe97bbb18762e92c",
"type": "eql",
"version": 3
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "b3457a5fe20b9065c1d9ebd5a8629e04c5ec7633c1976306c1002925a7819bac",
"type": "eql",
"version": 109
}
},
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "5c75901a24944ea9bb7731dfa441ca4c2e49cba2cc2cf98c4bf84dc0fb10506d",
"type": "eql",
"version": 210
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"rule_name": "Azure Automation Runbook Deleted",
"sha256": "b8c3f70d8170292a5f9e3cacb2cee9106f06c4c8f11a83ade3fec287cbf5aa0d",
"type": "query",
"version": 103
},
"8e2485b6-a74f-411b-bf7f-38b819f3a846": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential WSUS Abuse for Lateral Movement",
"sha256": "0271ec3b7dbac27363d1768f6fb6633b1ab0c6eaf0382a21336ca11b2cc1f0b1",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 203,
"rule_name": "Potential WSUS Abuse for Lateral Movement",
"sha256": "1cef3e85f9ce38dcb49c69b0cde38dc80d5d7fe5c048432052116587f371866d",
"type": "eql",
"version": 105
}
},
"rule_name": "Potential WSUS Abuse for Lateral Movement",
"sha256": "3827103da350a27cb215e645399cf8761a45bbe50c525c2876fa8bcad9570533",
"type": "eql",
"version": 206
},
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
"sha256": "428b39c4182e10ba307e2d107d34845ceae5b7f6f1e2f036872c3cf1d8cd70e8",
"type": "eql",
"version": 4
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Bitsadmin Activity",
"sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e",
"type": "eql",
"version": 5
}
},
"rule_name": "Bitsadmin Activity",
"sha256": "0eb3d4c886d1825f2f64434cbc2f7f824a2f31eb5a1f37d0c409129c1d89ab86",
"type": "eql",
"version": 105
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "d9d7ef5d8a35b0d509f6c52f7e95a8741f5ffc80c671295bcb5b24651ae9e8b4",
"type": "eql",
"version": 4
}
},
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "4a2ba32e4ade2dda214d50545bdffa1d1d97099b107e173b18969c0cc6b4fc31",
"type": "eql",
"version": 104
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "d66c39f3899393daf54a7c7c7bda79a52b0733a1e71b07e84a34707b1f8806bb",
"type": "eql",
"version": 109
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "fcce93128b54c854991bf62a7016a112b1eae5e6fa8d95fc7f0ce183c1695e49",
"type": "eql",
"version": 108
}
},
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "c4aa90522a7d5aa3b88d0036b85d17990ea683e84e7567bc8c9393ae0bc21e42",
"type": "eql",
"version": 208
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"rule_name": "GCP Service Account Deletion",
"sha256": "2f1fff6789d5ceaa58f36f5b239347b6b2b5b222f513b7cc186e20a943add449",
"type": "query",
"version": 105
},
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
"type": "eql",
"version": 100
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Hping Process Activity",
"sha256": "58160571062e081d702d11bf00b07b9ca2dc75b7463e22d6eb58eb8c00ac7ae2",
"type": "eql",
"version": 109
}
},
"rule_name": "Hping Process Activity",
"sha256": "fe079acfbd59f33d0829da92c4e2e587c3f846c53a875510463da0438f0c4a0b",
"type": "eql",
"version": 210
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "ca9ec7ec6260dfb4afd6121acdc3f0f01cf82233de4bd473e0a4832ea5cca846",
"type": "query",
"version": 207
},
"907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Simple HTTP Web Server Creation",
"sha256": "4717868c8d8d29e5d6f9a575a34fa4d179d67b8a82e17f838845ba5c125ee114",
"type": "eql",
"version": 2
}
},
"rule_name": "Simple HTTP Web Server Creation",
"sha256": "df11460970a3eeb111f933ea0c48401c916e8f2f9ba35b1c8595a215b624242d",
"type": "eql",
"version": 102
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "fb943bd48a4626d7013516e753159b40fdaad0d3f64f572bd223b2716a934d3a",
"type": "eql",
"version": 110
},
"909bf7c8-d371-11ef-bcc3-f661ea17fbcd": {
"rule_name": "Excessive AWS S3 Object Encryption with SSE-C",
"sha256": "8a707b2cfb834a2d23665ef675dd27767b712018c0644349a3554c04840138e3",
"type": "threshold",
"version": 1
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "InstallUtil Activity",
"sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f",
"type": "eql",
"version": 4
}
},
"rule_name": "InstallUtil Activity",
"sha256": "9f9c56b567948852bcbe378e570fdf547ce08d08295a8993571cd4b4327af2e7",
"type": "eql",
"version": 104
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
"type": "query",
"version": 100
},
"90e5976d-ed8c-489a-a293-bfc57ff8ba89": {
"rule_name": "Linux System Information Discovery via Getconf",
"sha256": "68e536f0bf403b67ca5e6c131af272ded466e96597d6d4394eb00ccc60c05692",
"type": "eql",
"version": 1
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "139452a8b12f147a4c17f5b13922c44d88f841f111f7b4b06d4aebfd151c7061",
"type": "query",
"version": 105
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "eadf846c26261704cc3fd68f5b83bf44f04f3b41d1c3b6392df97969cd66a749",
"type": "query",
"version": 207
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"rule_name": "Unusual Web User Agent",
"sha256": "c52af5241e23b6ee752b9dc026a28a1aec7357c7f102ee305ad6447d3ea619b4",
"type": "machine_learning",
"version": 105
},
"91f02f01-969f-4167-8f55-07827ac3acc9": {
"rule_name": "Unusual Web Request",
"sha256": "594a91f74bae3a825e91e973e29f5c443e2bdedb09b4e759c751c5a25aa63b43",
"type": "machine_learning",
"version": 105
},
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
"rule_name": "DNS Tunneling",
"sha256": "1460c1764afdd458a0891c83634804634714ece5f9e22aac3ad9c6bb91cd4351",
"type": "machine_learning",
"version": 105
},
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb",
"type": "threshold",
"version": 2
}
},
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb",
"type": "threshold",
"version": 102
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f",
"type": "query",
"version": 9
}
},
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "ce443a1e91f6122b9fe1c883d2642db0c14a654bf43b938bb85505d24adddda4",
"type": "query",
"version": 210
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "A scheduled task was created",
"sha256": "d6747d1290f1796ed4e4f87144b3b8399615d65f1fc3916ffb33b2060b900a5b",
"type": "eql",
"version": 10
}
},
"rule_name": "A scheduled task was created",
"sha256": "38d6ea55b4bc9a334bcda8a6cf1640203f0bb3b12a67a82301f1af5765c75412",
"type": "eql",
"version": 110
},
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "fa28cefe9751d4a0325f5ebbe3ea32294ce408c668b871efac8d0eb508456468",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "1e99903005310727ca5c0bc4cc21adb68f7c312b54bc690ac668324fec1d34fd",
"type": "eql",
"version": 105
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"rule_name": "AWS STS Role Assumption by Service",
"sha256": "dcc381b0ea011aaffc99fa2552210fb9bd8cfae3fcd9a246033831836d4f5f3b",
"type": "new_terms",
"version": 210
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"rule_name": "Sudoers File Modification",
"sha256": "c31135dc17960a856d35663ed054d09eab76047d10a86f30f4cf5b8ec1a7abe0",
"type": "new_terms",
"version": 206
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6",
"type": "query",
"version": 209
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "2ff5b58315d4aee44cd2bcec8d5026cc4e7770e3bb4d906ca2489e2385babf3f",
"type": "eql",
"version": 111
}
},
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "55c655f3c81ec5fc6d674e2429a40bd0ea00235f4ce1935765a26941a143cde9",
"type": "eql",
"version": 211
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "de92e4d989f9d5610e757c673fbdc4c456231b4ef81e7f4504698b6c264f9962",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 410,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "d85365573dabbdc204f56fef122dd591e689ffd34004f20d74d2c47e2aa4ec5b",
"type": "eql",
"version": 312
}
},
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "35de6ffd8fbe84e6ab25ad60ed8b87c3a2cc1e96bff7daa9699c9e6123acbcc9",
"type": "eql",
"version": 412
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "3f4c25d945ad4aba614f5d74a31c515d8284fc201547404bee99658f5e3c7919",
"type": "query",
"version": 206
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "2915057dbeddaff7f8345d24e40dd53ec41319b7192a27d93e593ef5eee6a45c",
"type": "new_terms",
"version": 205
},
"94418745-529f-4259-8d25-a713a6feb6ae": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Executable Bit Set for Potential Persistence Script",
"sha256": "16145a1b22661ff2e88c9e1ba07836862628630beefcda649d52f876480530d4",
"type": "eql",
"version": 5
}
},
"rule_name": "Executable Bit Set for Potential Persistence Script",
"sha256": "b5f2d2b732ed56124dc1f618c8aaa4a1b035b3af81246aca47b16d675c5888f0",
"type": "eql",
"version": 105
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"rule_name": "Creation of Kernel Module",
"sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533",
"type": "eql",
"version": 3
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "4fa63aacb71764801fa191bd2326696f937bd85aa84baa0883b51ec2b967b3b8",
"type": "eql",
"version": 11
},
"8.13": {
"max_allowable_version": 208,
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "1d785de785b00340684b4e0f441211c357cf2ee299f22b28f3bb5e2a3bdf1784",
"type": "eql",
"version": 110
}
},
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "10a993dd4620cab6a35f2dfbdfb89ca009ba18a7c60e6e10c93bc8954cacb6bd",
"type": "eql",
"version": 211
},
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606",
"type": "esql",
"version": 4
},
"8.14": {
"max_allowable_version": 202,
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606",
"type": "esql",
"version": 104
}
},
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606",
"type": "esql",
"version": 204
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "e1f81d655b8ff56cdc39629ce72312cdebdea19e417e5d8a2f82631bf5a3bd6c",
"type": "query",
"version": 107
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "30e9709aa596d9469d905ec6593683478b4eeb9a2d40edb724b0c2e5f1ba6bd2",
"type": "query",
"version": 5
}
},
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "d44b1b9ef878285d8dd07da49ecf77844b4892d271d1ebd4ac6631939dd3857e",
"type": "query",
"version": 105
},
"952c92af-d67f-4f01-8a9c-725efefa7e07": {
"min_stack_version": "8.13",
"rule_name": "D-Bus Service Created",
"sha256": "f49342d2753a20175c2dbbc0a575357ee2a7bbc665af3267b73778f6270b6bcc",
"type": "eql",
"version": 2
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Remote Scheduled Task Creation",
"sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8",
"type": "eql",
"version": 110
}
},
"rule_name": "Remote Scheduled Task Creation",
"sha256": "555f7495d3ea6078d6af2f97c818cae349e64b883f0521ec5b62889f19a47c7a",
"type": "eql",
"version": 210
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "6dc0584fa3dc988eb1f19f71ae64b7dfdfded3c1db4e5a6a80bb43bcf8778753",
"type": "query",
"version": 210
},
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.15",
"previous": {
"8.13": {
"max_allowable_version": 102,
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85",
"type": "esql",
"version": 4
},
"8.14": {
"max_allowable_version": 202,
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85",
"type": "esql",
"version": 104
}
},
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85",
"type": "esql",
"version": 204
},
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
"sha256": "433032becb5c8020450493b9158692e4e8e93ce81f820b25705231f2942dd2bc",
"type": "new_terms",
"version": 2
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "79d1b7004319abbd6311a32bb7e63bdb9edf25beaba2503a2bb7fe596b63048a",
"type": "eql",
"version": 3
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "File made Immutable by Chattr",
"sha256": "61a885e5fd8caa58db1e46f7ac46a9212cb60f45987a57654e44fccf0044273d",
"type": "eql",
"version": 113
}
},
"rule_name": "File made Immutable by Chattr",
"sha256": "38909ad9aefb85b3686d7ce1ad51131ea6f34ac9a0f3636eff945237ca572566",
"type": "eql",
"version": 214
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Create Okta API Token",
"sha256": "72dc3ad1b6b20812a65c1e7f6cc607abd7f61572f341de9e3914d9355437b4e5",
"type": "query",
"version": 410
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"rule_name": "Message-of-the-Day (MOTD) File Creation",
"sha256": "d242e9b768158e113d5b497903704bcf3417ee47dc9240caed8322566a25a388",
"type": "eql",
"version": 13
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "c3a49d1a72ee8b083f42d9a80d3bcf96dad353cf2f1d2f4b1167a6236afc8780",
"type": "eql",
"version": 209
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "61c1a4427e02b605bc3f9c668f45b6c876d901b271b04e6d5ab681b96370ef3c",
"type": "eql",
"version": 9
}
},
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "a3103e7a211a1b85248f488f250216ebfa31f23d029f49d87340c7c74ebbf34a",
"type": "eql",
"version": 109
},
"9705b458-689a-4ec6-afe8-b4648d090612": {
"min_stack_version": "8.13",
"rule_name": "Unusual D-Bus Daemon Child Process",
"sha256": "047f6e5a12bc33a0db9822bfcc4d9532eb5bb20f261dc8d5d0a6b9d335db1175",
"type": "eql",
"version": 2
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "996edcf7b84f597c5b917b95706acfa718b8b78ac0fbaaa24a1c9a164374d32b",
"type": "query",
"version": 207
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"rule_name": "GCP Storage Bucket Configuration Modification",
"sha256": "a68596e0c8c08057fe0d449a485c3024b5c19a131d0f8e73a91070d52b2aa5e3",
"type": "query",
"version": 105
},
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
"rule_name": "File System Debugger Launched Inside a Privileged Container",
"sha256": "38153858d0ad809d23edde22212b8e76f0e17a2813aeb4b4b8144dd46c1dc699",
"type": "eql",
"version": 2
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"rule_name": "AWS IAM SAML Provider Updated",
"sha256": "15acaee88ae03f37d33254f0274ae68eeef32455fc96461fe20aefd88e49b24d",
"type": "query",
"version": 208
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 311,
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1",
"type": "eql",
"version": 213
},
"8.14": {
"max_allowable_version": 412,
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1",
"type": "eql",
"version": 314
}
},
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "31c83a49dd77cb7c92b81b820392ab0edaff0810927f55cfe52754a54a43a48a",
"type": "eql",
"version": 414
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "9de7f3413eaf33a9a4c7ff77a174eab1cc42d1f3c3f4327567efe65ce7c7db7d",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 413,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "d2b8083ef96d8b40fa12bfc2f2ef8433f49b06144264a9bb5cf5d805f26f34e3",
"type": "eql",
"version": 316
}
},
"rule_name": "Suspicious Zoom Child Process",
"sha256": "75a2acd6fec4e5e9aa275a9b8af68eb1de804913337ede2bfbcd0420422bc0ff",
"type": "eql",
"version": 417
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
"type": "eql",
"version": 100
},
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "d48ba745542ab8f019a9ce68e2eaab1e0710585d16c354744c59767f24e825ee",
"type": "eql",
"version": 8
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
"type": "query",
"version": 100
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "814a1903fe60035acd9815188db701fecb3cd77f622205487cbb5dcdd5895034",
"type": "eql",
"version": 114
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "9af59876aae930d88fa37449a4e391434ac253a1a3a68a7f19aa8142681af396",
"type": "eql",
"version": 5
},
"9822c5a1-1494-42de-b197-487197bb540c": {
"rule_name": "Git Hook Egress Network Connection",
"sha256": "c07414c56696bd71465558933f65566b033635cd7cf42419eb70a7695eddf4ac",
"type": "eql",
"version": 3
},
"986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"sha256": "71605f19bbfc7c7d7b38c3c938e25db98327f11a8597bfc3707c0b7936fc407f",
"type": "eql",
"version": 3
}
},
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"sha256": "701bf23c547307a946220bd3957b0adca6d9935dc5ddd0a2d59e97125e3cbd06",
"type": "eql",
"version": 104
},
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc",
"type": "eql",
"version": 4
}
},
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "56ee900c3c60566cdad73204b69ff67f4e49dd0fbbf0ad53ddaaf26095c60caa",
"type": "eql",
"version": 104
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"rule_name": "GCP IAM Service Account Key Deletion",
"sha256": "2df4707335bb89c170cda8fb27a189ca2e1da3b0a558637041354bc560f3c934",
"type": "query",
"version": 105
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "193707cacca422693c80b0f220dc512aceef3c53ab09b92a266c678eb5066f0a",
"type": "query",
"version": 207
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1",
"type": "query",
"version": 209
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "635f24d3547bdf9acf3c89fcf9ca0a208ab9c5728c280fb1ef000066cf7d0b15",
"type": "query",
"version": 104
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"rule_name": "MacOS Installer Package Spawns Network Event",
"sha256": "bd112fd50317c61508bf7617e01f08695c64588de6801c39f7c6bb6155cdbebd",
"type": "eql",
"version": 109
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "f9bab10027d4eaff5c7cadc5613cfdfe2caf71917f01c2298779b3693e458905",
"type": "eql",
"version": 11
}
},
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "aff8ce3c97b8657b94418ecea700cdbd08933e40dae51fc4cac6978e212ebbae",
"type": "eql",
"version": 111
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "d1a480f7832f8712d06096eb7dd3d5ff5ebd8c57a23ccb530abd85f8523c12ad",
"type": "eql",
"version": 211
}
},
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "c655401d4db3c1c8925fad88f4c58efa5897f96092a4eb5e5f39f19ee391aa73",
"type": "eql",
"version": 311
},
"999565a2-fc52-4d72-91e4-ba6712c0377e": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Access Control List Modification via setfacl",
"sha256": "59b417d5b2a03bba13ec5f3948f8dea5787846aa669acafde0f1edf8f4c9179b",
"type": "eql",
"version": 3
}
},
"rule_name": "Access Control List Modification via setfacl",
"sha256": "265d70cfdc84fddd988dbe3b110c25de72fe374209a1e78e667c309c70c3b13e",
"type": "eql",
"version": 104
},
"99c2b626-de44-4322-b1f9-157ca408c17e": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Web Server Spawned via Python",
"sha256": "590abb2de8685e9ba6ac1bb26b5ba6e6799b404bca1b24fed7d7e3c37f8f4452",
"type": "eql",
"version": 2
}
},
"rule_name": "Web Server Spawned via Python",
"sha256": "e40443f15069a79c93f3af2ef411178ce68866881149524dbc2a1822cecdc3ee",
"type": "eql",
"version": 103
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"rule_name": "Spike in Failed Logon Events",
"sha256": "ca08904de89887f5891bd0f501edc49c036372ce18d12a47f09c6dc211d1e964",
"type": "machine_learning",
"version": 105
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"min_stack_version": "8.12",
"rule_name": "Endpoint Security (Elastic Defend)",
"sha256": "30950c93c8eddc61c365791e8c2b74e80d7890fcc2f73f740c5eb9d5481f3b4a",
"type": "query",
"version": 106
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "4f561717a25dc92b70f5d5b880397f4622d3d9795ea086ac8c70373878c3bc51",
"type": "eql",
"version": 3
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "957303ee184b536fc22f9671dbb2ed19527c497f148615b01ab438db8d2d1748",
"type": "new_terms",
"version": 210
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious Explorer Child Process",
"sha256": "dd9f2215be389c33f7a237f9116f9ebfcdc92de051c6babfea314a2664c84bd0",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Suspicious Explorer Child Process",
"sha256": "a2a0a26741e33b91efa6e94308f5e4734607222ce87fffcf03ad1682e63fe624",
"type": "eql",
"version": 210
}
},
"rule_name": "Suspicious Explorer Child Process",
"sha256": "e26c452a699c5910201336b89c6df67ad2e167129b2cad1f19a687282dc07362",
"type": "eql",
"version": 310
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "a89728e7de28de1f41f89eae6884b7434dbd8f948cd682f6a0621a4cd7027067",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "bb878ddab8423add89b2fa6d67e8fb17d61aea08318d7adcc5f16859511228ec",
"type": "eql",
"version": 211
}
},
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "bb1dc73390bf4205bc5518949d88f85a8ab64938716323d47e6c8a36817c07a2",
"type": "eql",
"version": 311
},
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
"min_stack_version": "8.13",
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
"sha256": "5261d7a8d3df0f503139f70be2c16478f9da435dcb45315321b70c9f0136c973",
"type": "esql",
"version": 5
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "161fe9bc03f0a9bd845c1f1a27a75b057d54285240798bac0af9d268896a8ec6",
"type": "eql",
"version": 107
}
},
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "17b30931a90a1e2a268c89b8ca1c50d33a9ad847cf40b03526748115fa47df6f",
"type": "eql",
"version": 207
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "034dbbe0e465dbc6001136495954743ac55334e869c7c26cc9a626641ff6aa1b",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "0912aa1b6bc991c999aa95627f0b21c7a306638eb24927bdceb97a8ff3299250",
"type": "eql",
"version": 213
}
},
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "a374edbd21cdd1d173a65c55d3d972a408a56b5c6350100b0dac8c36141ab105",
"type": "eql",
"version": 314
},
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
"sha256": "c58dfc5733f3e65bb9059316a9300d38db530be0527fd7e64e37af99dfd2d521",
"type": "eql",
"version": 6
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Hosts File Modified",
"sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2",
"type": "eql",
"version": 110
}
},
"rule_name": "Hosts File Modified",
"sha256": "6c8889d19257e8545d39010b01b1e721000f32d09695add926dd4b13d378b84b",
"type": "eql",
"version": 210
},
"9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": {
"rule_name": "Unusual Interactive Shell Launched from System User",
"sha256": "b351f332d2ee0c37576188cba134e30d7fc288887cfb5247b494162043ce2343",
"type": "new_terms",
"version": 2
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "3e15a597d73ad4a145c44b02a7b7c7cd1825b1cd4c5a3278a1c07008434f6a08",
"type": "eql",
"version": 10
}
},
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "dc1a5b32175347af1afd41737265cbb2862a8c64a10583b52fa85a49f73f1afa",
"type": "eql",
"version": 110
},
"9c951837-7d13-4b0c-be7a-f346623c8795": {
"rule_name": "Potential Enumeration via Active Directory Web Service",
"sha256": "a5aa8f87141efb58c5a9fc040430072979a81838fc6185b652fc5d08cae05ac5",
"type": "eql",
"version": 3
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "97790052feabd6d8d92049481818933f920d5128b459958b23b4f454788e1926",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "b70867b53f9047d648a74ee785fbfb344461397ac17e24dfb7d85c50b80bd906",
"type": "eql",
"version": 211
}
},
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "d16970d52f5665857e15296e8ce24758baf698ceafc64a1ac5355b5c221c2692",
"type": "eql",
"version": 311
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
"type": "query",
"version": 104
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
"rule_name": "Trusted Developer Application Usage",
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
"type": "query",
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "c6feee8b5f84305767251a5980243998d9d4ba2743ad9874895791e3fa10e948",
"type": "new_terms",
"version": 212
}
},
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "8781554bff624a0faedf21aec63a088525699563be1aa50547303cc3af235151",
"type": "new_terms",
"version": 312
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "bfab358531d2fb7cfa9b7a47b1508d37b00322f539ac43fa61530596a4eb2466",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "29e49c1b420b1f8b800a4ac388b31b3bdbd3de5b3d1bd4a25b3655c2879ec8ed",
"type": "eql",
"version": 212
}
},
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "3462d5554238a5314c72b9c3f0c56611fd6c922c4c7ee065d1ffc95969e14966",
"type": "eql",
"version": 313
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "1658b389087bc7cd6ee91ffc89a1714168b562dd44451d4c4d6f72702036b9a4",
"type": "eql",
"version": 114
}
},
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "ba5fd2330dd1b6032d2553050acd7351a5e7cd9c1f74152c0fc5a78d0732b6ae",
"type": "eql",
"version": 214
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "0bb18ca3b493310ba23b616de3d39cfba94773b53140eafec03abd781a5897c2",
"type": "eql",
"version": 111
}
},
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "aef7f15ace1ec416d8e85249577e2301f49840b905843d141189269d3f904f75",
"type": "eql",
"version": 211
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 313,
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "e084fdc2aeb3587b28f10bf09ec2903a8523537a67b3b1538f46727a736d16f8",
"type": "new_terms",
"version": 215
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "35156b3e9740e59353d84856c46b8780be71d93b456573600a2f5093cea01698",
"type": "new_terms",
"version": 315
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "6e08e0961e8712e3fa798614ceba20842f1fd9e78569f3efb5b0236bd2ffaadf",
"type": "eql",
"version": 108
}
},
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "926469208de2cc16311faa56f835813cb0da62cf3ee0ff79366e3c2572a11edf",
"type": "eql",
"version": 208
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "bb77fb9e3e5e133ea5abdc232b19de4477bc18cba743881e80f0c4be6ac96c42",
"type": "eql",
"version": 108
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "4ce9e353cd70a52c2d7d94beb8a05952a35ff6c117689d5ce2d9a7da5af011aa",
"type": "machine_learning",
"version": 105
},
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public",
"sha256": "aad06c86f00fc49143d2b0b6c0f3b27380ed7eff0b3cf20193f5338fc2ea0a9f",
"type": "eql",
"version": 3
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "3e4eea02a43d60f58a4be4bea2a88713ba7724676b52851025572c1bbe451d5d",
"type": "eql",
"version": 111
}
},
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "41e4276d49f03093af17d2254ee773f8643d1c0aa8b8ac61d01ccefd7bdc22e8",
"type": "eql",
"version": 212
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "Potential Credential Access via DCSync",
"sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921",
"type": "eql",
"version": 115
}
},
"rule_name": "Potential Credential Access via DCSync",
"sha256": "c827437febd6573bc72e13eee68be8b34803f97343b531bf5a4ac64899989cc7",
"type": "eql",
"version": 216
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "5d7f431713626a4dcd90230cc90a452231a2f4f09ce222c8f023205f6921b8b3",
"type": "new_terms",
"version": 212
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "7b2b92f74b503fc18cf5ef70b93536fbb877f88952c072c944b062b3f8f647f7",
"type": "new_terms",
"version": 313
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "A scheduled task was updated",
"sha256": "73081f6875d6de77e1cfc1de7cd27bbd885b7f016546a3e004f06be2c614c254",
"type": "eql",
"version": 10
}
},
"rule_name": "A scheduled task was updated",
"sha256": "b4abe619c6873dbbf537a259fb41b785fd39c973534f78af8f41347c1f9a6834",
"type": "eql",
"version": 110
},
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
"sha256": "fde760cc52775ecdc228f7f4fc26b42a1d1040d4732aa51f2942e21d16c00820",
"type": "eql",
"version": 5
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"rule_name": "GCP Pub/Sub Topic Creation",
"sha256": "2192b6dc1346c8016c7f7e18d0e4def61f38a7359cb4c665235f7c7a35d81646",
"type": "query",
"version": 106
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "009c0f45c6d544d656f91b1a17dc4ca36d2fa5cda90732b95d8cc0840b82684f",
"type": "eql",
"version": 108
}
},
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "3826d8c2ea0005de5c96f492c5dd896a58db738ff754a638c848dacf6514d220",
"type": "eql",
"version": 208
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "File Deletion via Shred",
"sha256": "cb4768e9cc77383814b6bf126bda3c193dae302c4d755159f2ce1e4079e49733",
"type": "eql",
"version": 110
}
},
"rule_name": "File Deletion via Shred",
"sha256": "6cf3281eed4a567e7fadf7e7a60a25d32be3683088852fd6cac2b340214c17d3",
"type": "eql",
"version": 211
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "ff0cfb580ab3d4b49d481e29249862e6b6880e365188f6042d40d1b3773f1b70",
"type": "eql",
"version": 109
}
},
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "12d937324cbeaaa49e957871d3d23a99d065e3a5070e763111e10bcb6a0e9a92",
"type": "eql",
"version": 209
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "60b4da3686af1892886ef1568adc3da363b41fa02069a8ad5f02c1f13fc5e375",
"type": "eql",
"version": 9
},
"8.13": {
"max_allowable_version": 207,
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "a95daf1b60dd955c84fe99495d627e26da5f8c3071938bff985159d488d74b35",
"type": "eql",
"version": 109
}
},
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "ab452a27753833a9982fac9a2797499691153c3fcc51357315acc246796bce7f",
"type": "eql",
"version": 209
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "1c1a346a5c44ffafc16e7a28a4703248527b03dd10eea79fe823ceb5a035ce73",
"type": "query",
"version": 105
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"rule_name": "My First Rule",
"sha256": "63fb939bf754aaa427be9132c2868915140e558a8c69ce185d547593c05ab4ba",
"type": "threshold",
"version": 5
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "93ac22092606053c77aa4f701b17b858a8cae516565cbcfb5a34494b5ade35e3",
"type": "eql",
"version": 109
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"rule_name": "Linux Group Creation",
"sha256": "6318c4dff530e8b0d50c646549d60a859ca4d6d4881dbcc94e3b5c26620390ce",
"type": "eql",
"version": 7
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "06f788f98600e28f36873cfa890ce266317a1b101169c481fb3099d9c0e35eae",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "db4b51eff904ef0ef94f2e68fa3ac4e7e64a9bc8c6e03af8a426537789e233c8",
"type": "eql",
"version": 212
}
},
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "ad7b4900548730f045e3b58898846a5953e28138ddc81ea4b2cb5e8f7bc4f30c",
"type": "eql",
"version": 312
},
"a22b8486-5c4b-4e05-ad16-28de550b1ccc": {
"rule_name": "Unusual Preload Environment Variable Process Execution",
"sha256": "9e16a6d58c5f5a677f1cebc91183afdae5a7ecdfcce34207fcc6f62f65367152",
"type": "new_terms",
"version": 2
},
"a22f566b-5b23-4412-880d-c6c957acd321": {
"rule_name": "AWS STS AssumeRole with New MFA Device",
"sha256": "bfb7eddaa9656dc8832f4d1a089450b5b180a6620a1dd22d601c7bed17c286de",
"type": "new_terms",
"version": 2
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
"sha256": "5398047ac13fd35fd8a4c69163e2abbbb71741b093655d3a18a002c62544c722",
"type": "query",
"version": 108
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58",
"type": "query",
"version": 9
}
},
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "806757feca7a5f09ea78d6c4344a5b4961a51dbbd7c9779b0fa1d3e24e2f4087",
"type": "query",
"version": 109
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Execution via local SxS Shared Module",
"sha256": "c70b5b61b3ea697efa1bbf34aede51b77d26f0af37f29414c403967c589fa37a",
"type": "eql",
"version": 109
},
"8.13": {
"max_allowable_version": 307,
"rule_name": "Execution via local SxS Shared Module",
"sha256": "7f90a2bcf9eeaff4a2dc027ec117964bf311dedcbc86cba03a8615c9780c68bc",
"type": "eql",
"version": 209
}
},
"rule_name": "Execution via local SxS Shared Module",
"sha256": "0411088910bff1036ccad0a0a7e3e47b669f970b76031d73843f1a6ee00aa168",
"type": "eql",
"version": 309
},
"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": {
"rule_name": "AWS EC2 Instance Interaction with IAM Service",
"sha256": "17e90233a68416b545e9ec60b945d558eea63b417eebcda8d046984ca667b87c",
"type": "eql",
"version": 2
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "286b04230e047bb8f027f8d352ff9cf1d299235a13c6cac5631f289389314181",
"type": "eql",
"version": 109
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
"type": "eql",
"version": 100
},
"a52a9439-d52c-401c-be37-2785235c6547": {
"rule_name": "Netcat Listener Established Inside A Container",
"sha256": "04ff1b708f21926ca8673e536f01751da5464d3c618e199dad5190935569c59e",
"type": "eql",
"version": 3
},
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
"rule_name": "CAP_SYS_ADMIN Assigned to Binary",
"sha256": "00f42d57112c89636c565a010538b148ea16560e48c7e77209ae4aea7966ac84",
"type": "new_terms",
"version": 2
},
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "dd7935aa4635611792001b36012fecabe2d6bbb0b7a8cc2f80a706b7bfcf659b",
"type": "eql",
"version": 8
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
"type": "eql",
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "9b292d485484c3753314bef6df52ec945933baa8293f6967b3f4a326ef8daa1d",
"type": "new_terms",
"version": 210
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"rule_name": "Azure Active Directory PowerShell Sign-in",
"sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372",
"type": "query",
"version": 105
},
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "c061bcef15efcf1c65649493512805d27d383b262ef29f1ee14d2c941e88724e",
"type": "threat_match",
"version": 8
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious MS Office Child Process",
"sha256": "3c33d3c17dd17722da2beb479065e86e20568514289f6b08fa02d682146ad1ed",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Suspicious MS Office Child Process",
"sha256": "588a86512ac13842f4f3b0dfcf78a653ee96c402aca625c9db1f793666c9479d",
"type": "eql",
"version": 213
}
},
"rule_name": "Suspicious MS Office Child Process",
"sha256": "df103b761567aa84a163bf20bed5e548a1a13df931fa93006532bb57e57af65b",
"type": "eql",
"version": 314
},
"a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
"rule_name": "AWS S3 Bucket Server Access Logging Disabled",
"sha256": "b597402a792a29e82c02d56787dfb0088afb24fe4681fccf800ec8ff10a08a10",
"type": "eql",
"version": 2
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"rule_name": "Emond Rules Creation or Modification",
"sha256": "3ca5c9a41990306c9c1425b02dec89fd7cf7f677abf7544f50a0a7f6d894e9f6",
"type": "eql",
"version": 109
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"rule_name": "High Mean of RDP Session Duration",
"sha256": "16d442bb0e68cceb100b590cd99c27126094ef873e1557bc0494c33f672351ba",
"type": "machine_learning",
"version": 5
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "1a8db1f12af5f8f6acda01d02bf1f7858b64b591e8cc97e80b1f821fd01b136b",
"type": "eql",
"version": 114
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "065a55514fdc9035ad658a5e591fa4c6fa510746aa52a1f262714061676b6d4d",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "c96159806a102e910abdca6cdd017afdce8fcae45e565867bbd1f7b43abc431b",
"type": "eql",
"version": 211
}
},
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "4aaa0273cb33a2b9fccdcc176011775da2bcc37db98deab6d7b0fb2b9792a8b3",
"type": "eql",
"version": 312
},
"a80d96cd-1164-41b3-9852-ef58724be496": {
"rule_name": "Privileged Docker Container Creation",
"sha256": "04dfaf2e0ab843431c44a2508695e0793ee75aea13aa78ee94a7c26e31c27c5b",
"type": "new_terms",
"version": 3
},
"a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
"rule_name": "Entra ID Device Code Auth with Broker Client",
"sha256": "3b36ca3385b038425d51a7e5ed4106e263b270fcfb2b2b3f080d747370eb1bc4",
"type": "query",
"version": 2
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "7af20755d35869e009f843fef6fb3ad74173f1f9d745b649a798002ecd3fb640",
"type": "query",
"version": 103
},
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
"rule_name": "Authentication via Unusual PAM Grantor",
"sha256": "7dc8a4e76f836a2dabc1f97682ff2a8788770c2df8b3c977a9a21e48600874bc",
"type": "new_terms",
"version": 2
},
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"rule_name": "Suspicious File Downloaded from Google Drive",
"sha256": "9067b8538121e710f6bc88912dc5b959b87527aba3c8d4799197e2b1155bfafa",
"type": "eql",
"version": 5
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"rule_name": "High Variance in RDP Session Duration",
"sha256": "b10636c16f0df07435893373776847351520e760d2923c0ac25814bba42a51c1",
"type": "machine_learning",
"version": 5
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
"type": "query",
"version": 100
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "6388eaea93dbea69b2def246d3830353851466710a017a1b197cf97d811e445d",
"type": "query",
"version": 207
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "bfd3c37297fa730a13e90c0a7714caceda0b1c853fb40bf1f0137aa00f77bbe0",
"type": "query",
"version": 206
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "521b0deac4fa27230216cb8daf48bee86c9bbef64c5b0dc90d5dbd5acbb31f0e",
"type": "eql",
"version": 110
}
},
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "3408526e0c0dac93e7765ada0f10c56843aec79f4e3c80ff93f5afb3ec32e96a",
"type": "eql",
"version": 210
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "c5e9563513ceff85a4cd305b620e50b46d0abdcd6b749995b72d1dfe43f137f2",
"type": "query",
"version": 106
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"rule_name": "GCP IAM Custom Role Creation",
"sha256": "05234b27bd38c05a4148c880399948bb9f659dc2409c560ff2c17735d399fdaf",
"type": "query",
"version": 105
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "System Log File Deletion",
"sha256": "9e7b2926bab16d0e65d0b84a1ec35d2ebfe3b10e1f219c4a9f7a8d87a9e5a132",
"type": "eql",
"version": 113
}
},
"rule_name": "System Log File Deletion",
"sha256": "af1173cc43f540a885c1fe5ff3ca083ca2e96ae5d484216e8cafe707ef9ef2b3",
"type": "eql",
"version": 214
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Remotely Started Services via RPC",
"sha256": "c5ae21879f28fadb1daca353f3c354f8f96a89ebe15eb191af73bbe85a2e1b0f",
"type": "eql",
"version": 114
}
},
"rule_name": "Remotely Started Services via RPC",
"sha256": "470c7c8413962fc0f844e61a7bf6314d1a2eb8517d76b793b627d1ab6c0ee1cc",
"type": "eql",
"version": 214
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
"sha256": "b09c6bdf53c574bd6a13c29289040f6d39647434595c2ef5e908596c2f87e744",
"type": "eql",
"version": 3
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "dc906d8e338b0fba7e19f677e0f95691c4e1c94fab8b366f0f0fa007db2226e3",
"type": "threat_match",
"version": 9
},
"aabdad51-51fb-4a66-9d82-3873e42accb8": {
"min_stack_version": "8.13",
"rule_name": "GRUB Configuration Generation through Built-in Utilities",
"sha256": "6c9d7d72e70ba8fa7028586f7dd96f22a714aea37e9b6a748c48f4c2b84cf5bd",
"type": "eql",
"version": 2
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
"sha256": "78d447b3cd6a49ab7ac62b483ff04bd68e29310b28aacad89af526962847b961",
"type": "eql",
"version": 117
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"min_stack_version": "8.13",
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
"sha256": "c58bc9bcee72af710a07f880ed3df3eceef229e97454f6ad449273d078b06c4b",
"type": "esql",
"version": 3
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "83e5654634806cf836873526072beb4a411dbe215b4be002f799dc0eb0866d82",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "62b3cce8bb0d092c2759ebc4697ef92d744a740ec8e418ac7370a52052d0d04a",
"type": "machine_learning",
"version": 207
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"rule_name": "Potential Persistence via Login Hook",
"sha256": "5b1015d4458273b2f101dd22674b7cc73970fd91015c91ed9c22fc5049ca1729",
"type": "query",
"version": 109
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Suspicious WerFault Child Process",
"sha256": "5a3182ca2012152d9bd5c912111d82b1f3214a893d6da8417d00cde83cc42f7b",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 414,
"rule_name": "Suspicious WerFault Child Process",
"sha256": "9e5fa90d4dcc2b7ba457b5d5c1701304fd158e99a68fb7fddee7dee79f9b55f3",
"type": "eql",
"version": 316
}
},
"rule_name": "Suspicious WerFault Child Process",
"sha256": "2093382d45530ceba2ddf764b031af27fef9087e0b6f90f1e6cb535a04e5798b",
"type": "eql",
"version": 416
},
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Git Hook Created or Modified",
"sha256": "ec16be4f5fe86ad7212a2520875b8f40ee71728666d7085220d272f1e3929d89",
"type": "eql",
"version": 4
}
},
"rule_name": "Git Hook Created or Modified",
"sha256": "0c1a8c2bb10aaf8e8c9dc4c3c70b9fcafe1230ffe0687aa31e5909bf176ee7e9",
"type": "eql",
"version": 104
},
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Outlook Home Page Registry Modification",
"sha256": "9e311415c8086b3934da0eeaa5ccac777e192f9c2c9953b705e3368c14fad664",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Outlook Home Page Registry Modification",
"sha256": "981f0b0dbe49943a8536ee475f57749dedc4e10f1c32351e9ee5c122813eed48",
"type": "eql",
"version": 102
}
},
"rule_name": "Outlook Home Page Registry Modification",
"sha256": "cf576e47d585c50b59b5886c7f0802f74deb1e56177dc7478d66d1e3a7379fa6",
"type": "eql",
"version": 202
},
"ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "WPS Office Exploitation via DLL Hijack",
"sha256": "f0b9a400aad8092fd6bd78cf6124173e5d87d3a8d40fb37af54e7611a60734de",
"type": "eql",
"version": 2
}
},
"rule_name": "WPS Office Exploitation via DLL Hijack",
"sha256": "6d20396d3b2ba5db4a1fd80aca9c645d4b789dcb0d39161b5dfe9b1d4f1f216b",
"type": "eql",
"version": 102
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"rule_name": "Unusual AWS Command for a User",
"sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee",
"type": "machine_learning",
"version": 209
},
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"rule_name": "Potential Protocol Tunneling via Chisel Server",
"sha256": "989c58058784588cd22c236d0cc58394fe67e6f8df10a6f446381d5f6301083e",
"type": "eql",
"version": 8
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "73aa4e201e1220c47c689009c0c24f4ef6a0dcdab57655d7f25c5525472d28b4",
"type": "query",
"version": 111
}
},
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "e75ecddee03f0ecd4c9052ef2974471d669da03a7d25fd6c4c46ad39537304b6",
"type": "query",
"version": 211
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
"sha256": "1afdb4a51d22e7bbfd7e65b403f94fe84c4d5a15c4e64cf97eba18131439801e",
"type": "query",
"version": 207
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "c893c9924f303a60bf8cafdffaf2cd627c6fdaae221bd7469fe25ef355839d32",
"type": "eql",
"version": 107
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "0634c4cc8994181d8d803e1f8a015b27a0287326c7bbe72e41f6caabaec65771",
"type": "threshold",
"version": 109
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "71cf5c81124dd45113bcb530642c295387bd2b68ee1236cb2a3e8e2f0f0aca2a",
"type": "eql",
"version": 109
},
"8.13": {
"max_allowable_version": 307,
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "86ac334bd5ab8b6d729a0fd45b6134932f7b204b865b83dd786664d0984c3da3",
"type": "eql",
"version": 209
}
},
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "88a18ab3c5f799879b46bf994ced31f7d53b1188b29318f70d67e7f1fe7bc832",
"type": "eql",
"version": 310
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "810a8c957958d6e605deb047daa6566df4f3fc373fd5b47f4840489c8b1d76d4",
"type": "eql",
"version": 109
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "be076a1dbd4f050fe7d76ce1b43d766bf6de4de026ea97dc7ed5bf45358d73cb",
"type": "eql",
"version": 209
}
},
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "c1a7cd36ec3ec749ea82e4039eaf388f2e5733806e0aa2d62166f97dbeeeda22",
"type": "eql",
"version": 310
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
"type": "query",
"version": 100
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "6bf9bd74edf549ebf03a9335f3167e0a4f85aaeebdec0d566acfdbc16dd047c0",
"type": "query",
"version": 206
},
"ad5a3757-c872-4719-8c72-12d3f08db655": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Openssl Client or Server Activity",
"sha256": "8eb908bf23fa02ea31de0dcd624ff3541d1bc60c2389d04820670c32bd4b7244",
"type": "eql",
"version": 3
}
},
"rule_name": "Openssl Client or Server Activity",
"sha256": "075631e1ef46d21f816f96cd248fbd08db4840dda4f701989973b31ee3dc8dcb",
"type": "eql",
"version": 104
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "e36bc47e8ad58d550eb0511c38b7e7ebe9f68e088ec6215f78f7a2780d0f4e24",
"type": "query",
"version": 113
}
},
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "014ab6a9d47a402634c60580acfcdbc73e02eda99e30868cdb84bd27f75bfe59",
"type": "query",
"version": 213
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "fdb9bfb1476b606fed9fb9f5d813bd2649bbfeb1e82522dbab72f7f63e379c10",
"type": "query",
"version": 107
},
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Suspicious APT Package Manager Execution",
"sha256": "a1f733e8c14c8a8ddb91a5c919f8598d6578b992ab231ea6130ddff737d80b25",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious APT Package Manager Execution",
"sha256": "290226c3c245c0651561503b7e5851aa8176ccbb1907d504d82489d72d110b36",
"type": "eql",
"version": 106
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "883178d57a5f0e0cf1ea5d9e4c778051a895d0e41a27aea175cfeec0058c9573",
"type": "eql",
"version": 111
}
},
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "c88c77cee5c1ccbc6718afa7c168a3a9e42405d8647f11cde44e6f0355fd5399",
"type": "eql",
"version": 212
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"rule_name": "Suspicious Communication App Child Process",
"sha256": "36e34a2abf002a55bb25f1d7c6333a2b2ab927c5e1e735f1ee9b1ab5e41b29aa",
"type": "eql",
"version": 7
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "cc84e69331853cce8fdc6642b517c1976575b91f66f2e049315267bc2bc1c035",
"type": "eql",
"version": 6
}
},
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "946a500a38cf03cc2200ba5c9f94b883db01f72d046965428ba893157a5c0fb1",
"type": "eql",
"version": 107
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "e98a3d6c4df8d691ad52d2e09453788cdd9059b5d1d1417f8c27adb82ad82604",
"type": "eql",
"version": 6
},
"8.13": {
"max_allowable_version": 204,
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "6f87d083a88525ef7eb03a6d4dde91d57fecb67021008268bbe38eddcb8de46b",
"type": "eql",
"version": 106
}
},
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "6457c55cd14c40cf20aaa69545261b5acc6f52e94266a412cc7eae717c18f7d6",
"type": "eql",
"version": 206
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "baa6bc2ea280de9151fdfe8e52180a5e692bd39318a6d37a5177670803b9600f",
"type": "new_terms",
"version": 10
},
"af22d970-7106-45b4-b5e3-460d15333727": {
"rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol",
"sha256": "c873fc0c596cd973f1b742aac95e71e5cdd88437995ca1108204c81efb510ef3",
"type": "new_terms",
"version": 2
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "dd77a39284b7f0fa3cdc5ce8819ff01ed6f11bec568d524431c32708f700d5a5",
"type": "eql",
"version": 6
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Local Scheduled Task Creation",
"sha256": "153a680562c2db766ddc13960ff0b1b1d40590dbbf944177fdb07680c4695cbe",
"type": "eql",
"version": 109
}
},
"rule_name": "Local Scheduled Task Creation",
"sha256": "a9a640dba899a3c92c6a25fdfce9b2ce29774069d5e4b49e89209b64d0bd8431",
"type": "eql",
"version": 209
},
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"rule_name": "Network Activity Detected via cat",
"sha256": "945c79177caedcb32dc2e02903d14ac7208bc61607529c0123e9e3e044a4d555",
"type": "eql",
"version": 8
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "fae9c44d21f8e3be93ff74c05bb6b9d9484396579b5e29cb81402bd3ee84fa2d",
"type": "eql",
"version": 7
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"rule_name": "Timestomping using Touch Command",
"sha256": "f446d6a851c5fb5c1d8c57353f72923d40776727f9f1464155a7eb802e6a9d92",
"type": "eql",
"version": 107
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "c76e638ceb65578acea1d18f1415cffa579dd2b5922507665d774472de710a4f",
"type": "query",
"version": 107
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Netsh Helper DLL",
"sha256": "ae6521e56ff6823f52f0061b21556a43efe712f7fd43485bcc1e437849bb0c4d",
"type": "eql",
"version": 3
},
"8.13": {
"max_allowable_version": 201,
"rule_name": "Netsh Helper DLL",
"sha256": "f6a3950e6a53ae6b222eafb2db8745cb0c160be006a075c08b5fd6a0a7f9a7aa",
"type": "eql",
"version": 103
}
},
"rule_name": "Netsh Helper DLL",
"sha256": "8b1858525694ec6e7adb1eb4300cdd4ad1e6e4721418a4c30ff5567d37ed66f4",
"type": "eql",
"version": 203
},
"b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Hidden Directory Creation via Unusual Parent",
"sha256": "6108a4f29f29a7a3de508648ab5fc9681b4307662435aa380267f50682002e00",
"type": "eql",
"version": 2
}
},
"rule_name": "Hidden Directory Creation via Unusual Parent",
"sha256": "cf1573124222ea0894d4b604d5b227b43a2853f0b399f63d080624ef5a1144c8",
"type": "eql",
"version": 103
},
"b1773d05-f349-45fb-9850-287b8f92f02d": {
"min_stack_version": "8.13",
"rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
"sha256": "0ec57bc339f3fce1eca49752d9517e31d376889501714169d4c2e86fc43c6d2e",
"type": "esql",
"version": 4
},
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
"rule_name": "Potential Persistence via Cron Job",
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
"type": "query",
"version": 100
},
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Potential Network Share Discovery",
"sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c",
"type": "eql",
"version": 6
}
},
"rule_name": "Potential Network Share Discovery",
"sha256": "1eec14e34b78d05d1d54269871b6b0fffff322f1f5bba3508e37ad163c8f498e",
"type": "eql",
"version": 106
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"rule_name": "Spike in Network Traffic",
"sha256": "b3411c6b99d0c79d2fe1c0df6b34fe5c2a9866107f061e8bc8b9c5ae08a66c80",
"type": "machine_learning",
"version": 105
},
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "0d0bd0de1c42b394ca6d718a32761db9128689309c818676ea02bd44009e6f48",
"type": "eql",
"version": 113
}
},
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "c8f3a33a1eda62ed530a6fc161bba9b0b5971ab42727c08f73a793be0b2199f8",
"type": "eql",
"version": 213
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "723230c66b898eb377542e469559e3654604ede32b8721af457c83afa144c4da",
"type": "query",
"version": 207
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "8eed8d54357b27cc75f72fb6d8bfbf8329b2bd2a0c09b43187d7132a3a6e195c",
"type": "eql",
"version": 109
}
},
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "7399a81fb47d057bd4c83b8a488b4fe9e614fe9fbca03daa78018eac37dcc058",
"type": "eql",
"version": 209
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"rule_name": "Unusual Linux Username",
"sha256": "2eb4c2399504f67ff666102ceed72f7d457d96362545c820950c951e0fa3c5db",
"type": "machine_learning",
"version": 105
},
"b36c99af-b944-4509-a523-7e0fad275be1": {
"rule_name": "AWS RDS Snapshot Deleted",
"sha256": "b66f1e7d1ec9f7028453eabcbf79b0a385bcd2f7f051b6c42fc560f604bf3ebb",
"type": "eql",
"version": 3
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "788aa64f654d1ac9b8ffd4d72359798797fc89867374541a87bbe9a894fcf4e5",
"type": "eql",
"version": 115
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "319f2d05d6abb9b5ba124cc01beac7e744ae47dc12b992b2bed1a9e23f17d27d",
"type": "eql",
"version": 214
}
},
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "36ec98bc6180df8ef468f9c0214119135f7e9048ef4758dc1373818fc33d81e2",
"type": "eql",
"version": 314
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "e8d26c789dc518e64dbc8a2ebc802ec86ad2ece06bdd9b24713721e87e4c3f2e",
"type": "eql",
"version": 10
},
"8.13": {
"max_allowable_version": 208,
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "8e1370bc732b7ca13a8a4398d2978e5fbce22c79d8ed69889d4271f8500f9347",
"type": "eql",
"version": 110
}
},
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "ada7de75fee9e8d288c51a4bea4856ecbad5060b978f2319b741a67989164c15",
"type": "eql",
"version": 211
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "bdd06953c595a6c37482e67037eb72fb0d5301b42a5f4343e549c01b8c7cbb52",
"type": "query",
"version": 107
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "2f8c1a57650a8885345541c39bf72fc1fb21b8a10ac375920f107bc8110e7c76",
"type": "query",
"version": 207
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "At.exe Command Lateral Movement",
"sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402",
"type": "eql",
"version": 5
}
},
"rule_name": "At.exe Command Lateral Movement",
"sha256": "0faf08d3fdfac536a63dfff97a2abbd6313f1fefaf83540375468e94be91e7a0",
"type": "eql",
"version": 105
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "7e95af47b812b851ff7c0d56818e3f8c2aa918a77fc10b771a33f6b34d47291d",
"type": "query",
"version": 411
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"rule_name": "Potential Privilege Escalation via OverlayFS",
"sha256": "d954b504b99dc10781bdb03b7b51829bd53063c410c19a509612b52841275d54",
"type": "eql",
"version": 7
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Clearing Windows Console History",
"sha256": "31a8236d386d194b359d207af5df1bf72482fd394b73f8560ec1fc6de98072eb",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Clearing Windows Console History",
"sha256": "2750851ffd550e98d2fa0f4b5654f051e62a2b807d18128b748c136fcfa2d9ce",
"type": "eql",
"version": 212
}
},
"rule_name": "Clearing Windows Console History",
"sha256": "4895530aff3222c2708c780f6046f091fe54c7f8ae320663a9e360501eaead98",
"type": "eql",
"version": 313
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "4466accbd5ff400c7b23c229e6337d6832b2b1ec20954ba16572704e2f965837",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "f507b4e773a9237e2f79ee6904335b27b7cde346688aeee533fbdf6dfc06bf52",
"type": "eql",
"version": 212
}
},
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "a23c2164fc398c84a3801c90a53f1caaa9b506aeb7e2200ced7b22100fbc25bf",
"type": "eql",
"version": 313
},
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
"rule_name": "Systemd Service Started by Unusual Parent Process",
"sha256": "632c8e11b721e5ec61820d811a8007bab97cc61f20dcaac08301345e24d0651e",
"type": "new_terms",
"version": 4
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"rule_name": "Elastic Agent Service Terminated",
"sha256": "fff06615434083388a264c460161ae05556bb720792b5e921a635a843dfd4739",
"type": "eql",
"version": 108
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "60fa1c1f92316dff5dbafafb8828c4493eb084e0a892fef14665afb65d337269",
"type": "eql",
"version": 111
}
},
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "972276704cff979323a1023ba183a94c4a7811ffb359898829ab87df4c85a032",
"type": "eql",
"version": 211
},
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "1f948ef193a4bd5afe3496e85933faafaa574a3999c3f5ebdb743dc559799312",
"type": "eql",
"version": 3
},
"8.13": {
"max_allowable_version": 201,
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "668a4b5083f2e5cddf17ac87a8d72dea5459ecb274000056b4b1190cf8cc9bb5",
"type": "eql",
"version": 103
}
},
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "bb6f902b009039096c1412de2474ec0ac73ebe4aa60b042d2c63f0b0a7d3d2bf",
"type": "eql",
"version": 204
},
"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
"sha256": "84cb2fa184205ec6c7b5ebef44c3cf43d7a24ecba9aec4c0f148e7a5973fe61e",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
"sha256": "ea54cd3fdb16046632a7a7a59ce1c225ff10aa9102c2044d0a293ea1b71c04d0",
"type": "eql",
"version": 103
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
"sha256": "cd16ad7a073247fc161d8c2ca330792ee681647ebcd1f37bb77fdc876df61cda",
"type": "query",
"version": 104
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "08c9c6276d365fc690a88084ebcbae48a7842785385a954b0ed862a4b2a174dc",
"type": "query",
"version": 411
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"rule_name": "Potential Buffer Overflow Attack Detected",
"sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3",
"type": "threshold",
"version": 4
},
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5",
"type": "query",
"version": 310
}
},
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "e169dafee56e838f29e144fabeded937b7f9b89958e3b1bd0ecaf6001a8cab9f",
"type": "query",
"version": 410
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"rule_name": "Linux System Information Discovery",
"sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61",
"type": "eql",
"version": 3
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21",
"type": "query",
"version": 8
}
},
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "654522097bfb8fcc73d4d0e47d8cd853307040171bb5ba29d706f26e17879552",
"type": "query",
"version": 108
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "07495ad3087d7d941d4ac6b44ccb6b4afffd0b7a10b6cd91e41dc91e2c8bf5df",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 410,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "dbe3ce72ae96d9a388571dbaee69e57b2e0783bfb28d89c12682e731babdc79f",
"type": "eql",
"version": 312
}
},
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "f6b6199880ad069f381932ed419cc9eb6a89a0bdd3a8643c23bdf0f8ec1375b6",
"type": "eql",
"version": 413
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Network Connection via MsXsl",
"sha256": "6fa622d8cf25c559993ee681c4c59fe4875676f7a1e75fae7f9837ae73c39837",
"type": "eql",
"version": 107
}
},
"rule_name": "Network Connection via MsXsl",
"sha256": "1d3c54055176ee07cd35f819d276249cbef1c3a9d0f0f4e1baa830336b20aaf7",
"type": "eql",
"version": 207
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Kirbi File Creation",
"sha256": "c10cf18764bba367c5dc4f521024dc94ef68710285c6f90a067c4237780913a5",
"type": "eql",
"version": 8
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Kirbi File Creation",
"sha256": "e4040481f58c3fe815861e36ac5ce0ae5800f0c677fbfe8fb4f3b92a3ed843e3",
"type": "eql",
"version": 211
}
},
"rule_name": "Kirbi File Creation",
"sha256": "4657563a7e924aa8d3e22e93a3d7b63359d96a5f3fca0bcc8b2acf48620e8517",
"type": "eql",
"version": 312
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "58aa89bc163a9683f9b49afe3a23214fc5db86e93510a6cec8b716e16e93cbe1",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "cbcbee9fed32c048febce9bb94050b601d2a11f48b70199fced4a32261b24be1",
"type": "eql",
"version": 210
}
},
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "5279287a7c569096f588da6a81739ad2b52940bb1fde4b4cdfc5e18d4c91a8f7",
"type": "eql",
"version": 310
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Chkconfig Service Add",
"sha256": "86f0056ad335bea28f944aa15d086beedcd4cf45c699a155c5d200a3c5f35630",
"type": "eql",
"version": 114
}
},
"rule_name": "Chkconfig Service Add",
"sha256": "8be542194e5f7b449a76977f17589bb7036a11db9dd64f5714117a25453d652a",
"type": "eql",
"version": 215
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"rule_name": "Discovery of Domain Groups",
"sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677",
"type": "eql",
"version": 2
},
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
"sha256": "19d1c906ae5392003ceb75e3b5029ddbf145381cfd2a57fe149af0c098078bcf",
"type": "threshold",
"version": 5
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "5971f13dca2e4aa9242197c75db0ea4b322db1fbca63722424ceb9cbd06d0233",
"type": "eql",
"version": 111
}
},
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "3acd9e9b9d59edb71bdeac456f55d8a99ada6edeb583af312a886c1c4701c997",
"type": "eql",
"version": 211
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "f57cf744c08b2c30cfaf68b8eab90b66771b4e188cc2fc6eb0f59f7e9a12ff6d",
"type": "eql",
"version": 113
},
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "30d3fcfb86a4c9e23c5563059dc2df4b75f106ceedf2a7f57f7731cb984430bc",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "021d6661e231a18c2c0c62fe88c1b3a16cf3dfa20e449e7d6c704c50f70616ce",
"type": "eql",
"version": 212
}
},
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "8448fdad37a26284d2c146a1c6f84be4345849b97567a3c0faf586e92b59aada",
"type": "eql",
"version": 312
},
"b9b14be7-b7f4-4367-9934-81f07d2f63c4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "File Creation by Cups or Foomatic-rip Child",
"sha256": "19b3cd102fa17756195c9b9ed7ab06bb5a730f2d79302f0afa39106c89e7525e",
"type": "eql",
"version": 2
}
},
"rule_name": "File Creation by Cups or Foomatic-rip Child",
"sha256": "9e1dc7c6029f13f97226975ccefeaa350760e8b64f53830c0dc035cc458248e9",
"type": "eql",
"version": 103
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Network Activity",
"sha256": "cd715d2616e427081beaa901230dba625ab6c14e52d0571ae643a92f04c77435",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows Network Activity",
"sha256": "006889f0bed32a73ed4d97e42325e7b69cd13e35ed45d30f6b58a091b6f54973",
"type": "machine_learning",
"version": 207
},
"ba5a0b0c-b477-4729-a3dc-0147c2049cf1": {
"rule_name": "AWS STS Role Chaining",
"sha256": "78203718bf9153ae050ec6e0c41b037e34f6916e09b6cfb0d771158a41500c71",
"type": "esql",
"version": 2
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"rule_name": "Kernel Driver Load by non-root User",
"sha256": "33f5ec32f53d28ddc67a858bea818290a2defa25dbb7487eca3dc127a6b2c2e9",
"type": "eql",
"version": 4
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "998cfcfee5231e24bd5fb08c5921e0c9915f8d4b9db65d1b7daaa574cbf601af",
"type": "eql",
"version": 110
}
},
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "bf12d588236251e2feda39ddb4621aab72de0d06c0cc78366cfb8cde48293fc9",
"type": "eql",
"version": 210
},
"bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": {
"rule_name": "AWS SQS Queue Purge",
"sha256": "5142cc67f154e6eca142e3365f66a98511c0ea7276fa784ece159df9c9204371",
"type": "query",
"version": 2
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"rule_name": "Azure Resource Group Deletion",
"sha256": "ee0a9985f47c61b4899e6db0ffb46a7ecbf7889137cbc89ba4af8a83b184591e",
"type": "query",
"version": 103
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "38ebab645d36ccdb700fab60ae741b7fc1fdcd857893d3f9a8bd8d8104af6e69",
"type": "query",
"version": 207
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"rule_name": "OneDrive Malware File Upload",
"sha256": "b6bae391783faf8fddf063267243569a829caea469887045e326ef63f991dada",
"type": "query",
"version": 207
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"rule_name": "Potential SYN-Based Port Scan Detected",
"sha256": "0ffdbbf812a677f1dd016ce2e7d9d185f7c0273ae4a7874f2b06728137c60cb5",
"type": "threshold",
"version": 10
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "d2591be6119e7fd59bceea00f9241d1477bfca0672c2bddffa9aa118eba5e5a5",
"type": "query",
"version": 208
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"rule_name": "AWS Root Login Without MFA",
"sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157",
"type": "query",
"version": 209
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"rule_name": "GCP Storage Bucket Deletion",
"sha256": "0e92d2b35ccf8e91dbd05bb2cf976add13ed7c2ebe9e7b8f3a14e6ba4423ddfd",
"type": "query",
"version": 105
},
"bc0fc359-68db-421e-a435-348ced7a7f92": {
"rule_name": "Potential Privilege Escalation via Enlightenment",
"sha256": "7251fa979518f7ad95fffc7dee8b43ef1241f223f154ca62644fd6a9a03d5d82",
"type": "eql",
"version": 4
},
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"rule_name": "Attempt to Install Root Certificate",
"sha256": "ca00d2bc624c0e0eb4f4138104ba3f44baf33fe7d37ef8b693d45c8809e8f686",
"type": "query",
"version": 107
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"rule_name": "Azure Conditional Access Policy Modified",
"sha256": "585daba14bfe511045ed1f9225e2c8ef3004686898d5598678574811ce335190",
"type": "query",
"version": 103
},
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
"rule_name": "Potential Non-Standard Port SSH connection",
"sha256": "af251fd5a27dc1da60e95a6f5bd4dcf2a8651ea1becf053232e00e667f4eaac8",
"type": "eql",
"version": 7
},
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"rule_name": "File and Directory Permissions Modification",
"sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139",
"type": "eql",
"version": 2
},
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
"rule_name": "GCP Service Account Disabled",
"sha256": "e63ea7699aec49aa63199a96c6f12b53d541b10b9035007f16c27383a357cd39",
"type": "query",
"version": 105
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "4c0f453a7ee9fec7e8d4245344823941109f187ed0b227e6556e050122701cdf",
"type": "query",
"version": 6
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "PowerShell Keylogging Script",
"sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e",
"type": "query",
"version": 115
}
},
"rule_name": "PowerShell Keylogging Script",
"sha256": "0f29bd06ba330170b8afdddc3f4b34a22926ac6b7ad0ed8cb91586055464778b",
"type": "query",
"version": 215
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a",
"type": "eql",
"version": 5
}
},
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "f2c6e76e5fa6fe5da59e415f4cc032e5aaf06f2c593e87a084a824ba80b62548",
"type": "eql",
"version": 106
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "e65486c1eace3f2cba2f77b32a8523d31ee20a81635805ba14e9344aff57dabc",
"type": "eql",
"version": 109
}
},
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "f993d429934670b2858130841325ed6efbed63e48d06218e4b98f59688c119b2",
"type": "eql",
"version": 209
},
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "3631d09f36db2837c95c7275f4a50e82f4de95b0d0073c8f8e590b4962170e27",
"type": "eql",
"version": 9
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "c8d4db837c40680f29b2140e0f41995c0ce4aed2dbca551b70894be0abd9fd37",
"type": "eql",
"version": 110
}
},
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "2100b7b6c9f3ce481f1dcf4333c039e84300cc7aa056627d9862759994df042c",
"type": "eql",
"version": 210
},
"bdfaddc4-4438-48b4-bc43-9f5cf8151c46": {
"min_stack_version": "8.14",
"previous": {
"8.13": {
"max_allowable_version": 100,
"rule_name": "Execution via Windows Command Debugging Utility",
"sha256": "128e25dc4dd9800c4db478e306a37b6768835a4ef62f53f680e0cdd502d7d9bc",
"type": "eql",
"version": 2
}
},
"rule_name": "Execution via Windows Command Debugging Utility",
"sha256": "a97e98b65f9fd4cfb965319493b00bacc31ef7a46fb0a50e22baa11a6fba7ac7",
"type": "eql",
"version": 103
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "a2ccf5e3e960c49d64850d992659f30b31d2b4619143f6ace9586298ada41e55",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "9b8577a62bbfbbcec6a5aba3c11a4d4901222b6a7403c548c74dda4a01e5f84a",
"type": "machine_learning",
"version": 108
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"rule_name": "Unusual Remote File Directory",
"sha256": "02fd93eaee629a0cd91484e1809579b28f142b07255c4e850b358d3255e40870",
"type": "machine_learning",
"version": 5
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "1bf926c25f9a52807b31c6c522765f3687f5c07aded267e5efb051935cd32426",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "50a2fccdd9f12b719de8bf5aa6575e9411a70beb5f69f0d624a2d57b94565894",
"type": "eql",
"version": 212
}
},
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "760c0bdbfa8e2d2cbd1b79da8d81f2bef5f54a26c29695209f466ed712a2ba4a",
"type": "eql",
"version": 313
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS DB Instance Restored",
"sha256": "5ed9f6f791ac753a0f0fa1e54b8d921e255e589b1e837cdbd454b8d4cd6703a5",
"type": "eql",
"version": 208
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"rule_name": "System Owner/User Discovery Linux",
"sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df",
"type": "eql",
"version": 3
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "ea23ea39e92ba2c5aa62c8b58b895f5fc1b9ed7e1645e2d1ebdf6f94725f24de",
"type": "machine_learning",
"version": 5
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f",
"type": "eql",
"version": 113
}
},
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "68ed471fcd146543d06d0854313cc5aa6f1e0cd02ff5805bce530ea781ab8d55",
"type": "eql",
"version": 213
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "efccc933a855ee7479813c356075dc5067945c868f9705b24f4d1f0c726ee2d8",
"type": "eql",
"version": 109
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "7e6ca9dcd52afbbcb0b9a55e6aa6e2769fa1ec0eea2be911c612512a3d980c07",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "2c89d3ecf4ae5e9471d08131a67258ada5c25e166066700187f8fb376b224e4b",
"type": "eql",
"version": 211
}
},
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "b27fd36d7d58fc1103502201694ebb4f9711505eb7be212b1970a49aa4018803",
"type": "eql",
"version": 311
},
"c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
"min_stack_version": "8.13",
"rule_name": "AWS IAM Login Profile Added for Root",
"sha256": "260baba4a026a272e648f568530059f1eea3a4f0c91f0895da0a4110d7f684aa",
"type": "esql",
"version": 2
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c",
"type": "eql",
"version": 2
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "a4ff1c4f9d920c7e68294561498fe4fed983eb988fb9f5f2b48394a7deebc588",
"type": "query",
"version": 104
},
"c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2",
"type": "query",
"version": 3
}
},
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "c69692ff49a09d554d7fc41a0fd751809ead60f0421d0cbc79902c7dd1b8350e",
"type": "query",
"version": 104
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"rule_name": "Suspicious Renaming of ESXI index.html File",
"sha256": "78b79becec80ebf3f377fa653549e66e920fe229147831d6c1d1b2951472e9f3",
"type": "eql",
"version": 8
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "ae318338980158a5279e376699053252b367bd3ad4618eeec9bd5f9d18ca9749",
"type": "query",
"version": 207
},
"c1a9ed70-d349-11ef-841c-f661ea17fbcd": {
"rule_name": "Unusual AWS S3 Object Encryption with SSE-C",
"sha256": "09eddb777e0307dc89b213216a823e5738d30d3f32b0e08e3e15669b35ade078",
"type": "new_terms",
"version": 1
},
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
"rule_name": "AWS EC2 User Data Retrieval for EC2 Instance",
"sha256": "d6549a9282b2ef25313f167c7193896b02cb13efe287b26ba00e59de84647195",
"type": "new_terms",
"version": 3
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43",
"type": "eql",
"version": 102
},
"c24e9a43-f67e-431d-991b-09cdb83b3c0c": {
"rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
"sha256": "639384f73345b48b0a96eb16e0b3f8160d8573e672cdc7743e710a69b00c200a",
"type": "eql",
"version": 4
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "29903b3865bb0e5568138436f842ca97f4731359045b7bff776424130946cc06",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "69a7694bbee8a347e6b1f706a60da157e9a3f4ebef346e841475709ae3d55f67",
"type": "eql",
"version": 212
}
},
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "dab86b9d33245df07123dcaad409fafb00109831e1aaa7d92ab104baa5ac8f46",
"type": "eql",
"version": 313
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"rule_name": "Unusual Linux Network Connection Discovery",
"sha256": "8d8ee64704769447bf2d40b32ebb9e6d6425a52106d8fb1761fdbfe190f269a5",
"type": "machine_learning",
"version": 105
},
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"rule_name": "Persistence via Folder Action Script",
"sha256": "1e3d55ef91312f613f82e6c75780f14ca18d2bbefc4be9a309ed5bbfe21c3d15",
"type": "eql",
"version": 109
},
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
"rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
"sha256": "1dfc00c13d00b5a4452a22ec0f06ef4b2f0689891e18550018c35a8059f89e88",
"type": "eql",
"version": 4
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Mshta Making Network Connections",
"sha256": "1df29ad5d0ca0a28702b68944cb3950151ce264faeed1d0cac6cdc59be122b4b",
"type": "eql",
"version": 109
}
},
"rule_name": "Mshta Making Network Connections",
"sha256": "35ebb1787e73b188c74759108e7580f588b69fec28e602e40297dbe2e08a1709",
"type": "eql",
"version": 209
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "cadcbc3ef71a2fdf85c7b7666569914967f3b8045422bfb42a860c4aa73358ec",
"type": "query",
"version": 104
},
"c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": {
"rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters",
"sha256": "18af645751efdccc31b367d06c1f9221851668fc7dabdcc02e9be3bc6d1268f5",
"type": "new_terms",
"version": 4
},
"c37ffc64-da75-447e-ad1c-cbc64727b3b8": {
"rule_name": "Suspicious Usage of bpf_probe_write_user Helper",
"sha256": "783dba9bf2adf9672499975f28ca2c251157407146f529383f27229b8b03b597",
"type": "query",
"version": 1
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "2f351a320cf7736fa0382f0a514fc587d7a9a6e9df3e0fa798996b1378845e86",
"type": "eql",
"version": 109
},
"8.13": {
"max_allowable_version": 409,
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "858019a92e6dbfe1af3a06f1d96710314aa12802e6db988f1f4a9c5bd6fbfe5a",
"type": "eql",
"version": 311
}
},
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "aadadca71e75e01e994ff9148f368bfd7b277c1ddfdae04d6f9ea3aecf1e2ce2",
"type": "eql",
"version": 411
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
"sha256": "280e239c6b53224a5351f5f23e4f4660518500fe9da555ca1218ac45abb6caf5",
"type": "eql",
"version": 105
},
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "bc1b90a1a5d02845a8233abdaaff8ca068f4d6ccb29b7d6e8df55c25ccc8190d",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "66d36844c67b648b4c4559b7763008bb43f79e6e5a69933731f037b434d1b553",
"type": "eql",
"version": 211
}
},
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "72af0267f6d68ef9e8303b0f95ca9b116c0ab53dec1fbb65653f47f1db386071",
"type": "eql",
"version": 312
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "04b3ecf212987b57bdaedbb14a301b6f913473e5abb301dc94b6371c56d73567",
"type": "eql",
"version": 108
},
"8.13": {
"max_allowable_version": 306,
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "3cde3fd44462edc279d64b412008d521638ddabb0029d151dc594348b04ed627",
"type": "eql",
"version": 208
}
},
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "1ad69e32d7a2cf3559f0ee82cc8620601c5d764ba5c054292e16e4f9e5953fbf",
"type": "eql",
"version": 308
},
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"rule_name": "Windows System Network Connections Discovery",
"sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4",
"type": "eql",
"version": 4
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Attempted Private Key Access",
"sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa",
"type": "eql",
"version": 6
}
},
"rule_name": "Attempted Private Key Access",
"sha256": "67111e4bc078ef2f52e3170b75a2068f4df825c1c368432e246b5473474ab975",
"type": "eql",
"version": 107
},
"c5677997-f75b-4cda-b830-a75920514096": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Service Path Modification via sc.exe",
"sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32",
"type": "eql",
"version": 6
}
},
"rule_name": "Service Path Modification via sc.exe",
"sha256": "68a44067c32fb88cc99fc0e545ddfb866037e9bc40ee5f130d2798f03f4e94aa",
"type": "eql",
"version": 106
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "f23375e5d2e676c1e1abe448a171c858dc5ad2300e66ef5c599e7e8325cb3390",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "fc5dcf6dd48339a257eefaebdb911d38f7a3a6bfd632423bee74a204c7834344",
"type": "eql",
"version": 210
}
},
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "71cec7c47c2c7d46230f68fe874142b0c1e36dec0aa4bec9023d29d4c4f23a15",
"type": "eql",
"version": 310
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"rule_name": "GCP Virtual Private Cloud Network Deletion",
"sha256": "ae48749a0c3d555094e1e400445796ffab2c7a22025f4ec856e582107747e9ce",
"type": "query",
"version": 105
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "7e9ee856f86f121f008eb8a3304b4955828d5b4d5333a47de3f36d478e0562e7",
"type": "eql",
"version": 109
}
},
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "0fc2faa2b6a15a4dcf2d5aa403a414c13d8d9f33fc943f74616e6d4f067d98a8",
"type": "eql",
"version": 209
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Installation of Custom Shim Databases",
"sha256": "e23bdb57b42ec1bbefbace5a408e8ede22db9bd8be59fae66e1ed6803db76173",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Installation of Custom Shim Databases",
"sha256": "5a38f511fb995bba2a90739bb1fb7a241b0db108f50e9c84fb52f75652a1ab64",
"type": "eql",
"version": 210
}
},
"rule_name": "Installation of Custom Shim Databases",
"sha256": "322920ea0c3accf1a5852f8ffd6d3e8861e45f262314f49ba54569768ea085f9",
"type": "eql",
"version": 310
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "234ab55015e205be9f494759489e7407d97a9587f61784858ec614d199b4599e",
"type": "eql",
"version": 211
}
},
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "e8f809976fd19dc1921f285ff28a22407baf1aac6f21a7d4d2b1377a3770de14",
"type": "eql",
"version": 312
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
"sha256": "693843ef15d63ac5a1119459660ea9638b60f814907ca37f1dad377b7ee0e382",
"type": "query",
"version": 103
},
"c5fc788c-7576-4a02-b3d6-d2c016eb85a6": {
"min_stack_version": "8.13",
"rule_name": "Initramfs Unpacking via unmkinitramfs",
"sha256": "e0db18142f2246b20e8ced81755abfe720896bdb3f739e08b18c4aab3a6a9f43",
"type": "eql",
"version": 2
},
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "264309c3db8c109a609e4940bae53e25b00cd85ca02cfd4adbf27f2113815950",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "3e854ebb07cef539caae7a12bdabdbe67a2d9931c64e2558b2fce09bcb270e12",
"type": "eql",
"version": 214
}
},
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "c4bcf943fd4ffed84dca06e325620fcd175c62a4953b6070d11085699584bb0f",
"type": "eql",
"version": 315
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
"type": "query",
"version": 100
},
"c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
"min_stack_version": "8.13",
"rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
"sha256": "5dc411adacd7845d2c32dfe1d1b08f2b7cfb75f5e07a9ca693f8b1050edb2fa3",
"type": "esql",
"version": 3
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "16dde6466f20cbc871b8fc349b4b46bb900cb9e48a0fd8eff6d2b4d73115074c",
"type": "query",
"version": 411
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "7079d9fbf68d6f1ce6eb93ce13bf93d12eb165900aa50027e2212ef5af7dd8f5",
"type": "query",
"version": 410
},
"c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
"rule_name": "Egress Connection from Entrypoint in Container",
"sha256": "ae093385db6c5f2043d8896e3231bad2eb9b222c41d58547015b4fea67e75a0a",
"type": "eql",
"version": 3
},
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "1cd890b963ab7a701f5a6c45943d20f22cb173ff36b6ca80955b13239be44860",
"type": "eql",
"version": 108
}
},
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "dad569a0e953afbb3adc4424aa091610da67d623add251f2f923f920cdba014c",
"type": "eql",
"version": 208
},
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "c02bd45f7127af6e3e516d36e39ddbf02d871d2d11196309d70a1b09b8e4d618",
"type": "query",
"version": 205
},
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "a3a91a39decef3a359f4dc95bc8be0401664ca49546b526ad694a3154ce425b6",
"type": "eql",
"version": 112
}
},
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "5055c42206d7d3df32f4241bed3b12ec940e263d0cf696d8de05ee4a4b71193a",
"type": "eql",
"version": 212
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"rule_name": "Spike in Network Traffic To a Country",
"sha256": "7e12650d2a7699b7d95e3bd4ed1a6ecf73e9dd59f940d81fea5fface3186e1a7",
"type": "machine_learning",
"version": 106
},
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "7b938e8a5930231c6667e1dfb87fafbc50238e0b6a32759a79dfff9a24132c45",
"type": "query",
"version": 108
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "9ee8e6d69ebda1834191eedfbf0049afb38007ac2ba4e7e9899fac953921aca5",
"type": "query",
"version": 105
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "SMB Connections via LOLBin or Untrusted Process",
"sha256": "0f889695cd8a152f7eee793851dc230ce7399798cd8ef6c49709ef3924b049f0",
"type": "eql",
"version": 114
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "ea18c1e7446051bed3554cc614f300bd88307747e1963a329a0971f9ec41562b",
"type": "eql",
"version": 106
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
"type": "query",
"version": 100
},
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"rule_name": "Parent Process PID Spoofing",
"sha256": "0dc688321ac70be1762f4deffdd16b19f17b750ce8b9dd956b7aa04592517439",
"type": "eql",
"version": 108
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "97321613219e385f7acbb0881364252165707eac788a1480b73ddad510b2c2d4",
"type": "eql",
"version": 12
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "b02f2bf5fccfed2accfb810dd6c38be499cc9fd52c4d23309848eb8170f374a8",
"type": "eql",
"version": 115
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "c33b3be4b6a67c4dae7fba0831280618a7986cfaaebd4795ec7543db5a63792b",
"type": "eql",
"version": 214
}
},
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "ef305abdbae7d8f1ecfb6ca40a4142dd81af12b9b5cdd154e063c7a98a5d8589",
"type": "eql",
"version": 314
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "d5e6366373a4f2a5a6d949519a1a95eb5bb692aeee5d81396c80291f549e176d",
"type": "eql",
"version": 212
}
},
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "83f572dcc38a77f73655b953ffcf03ce0b0b5d017a8528b7163012096212f4f7",
"type": "eql",
"version": 313
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "5532545b1d0648dc1414555d4be90a43ffb80fef68bc1f2e63af6b28990b4556",
"type": "eql",
"version": 7
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "99ae1a62762bf7d0262c79b33658fa930f597568a1ae9fc8331c333dfc91bbe8",
"type": "query",
"version": 104
},
"ca3bcacc-9285-4452-a742-5dae77538f61": {
"min_stack_version": "8.13",
"rule_name": "Polkit Version Discovery",
"sha256": "1daa21e6f3922e8216a3796c9b65d303920190bb2ffd847324cb55eff3517452",
"type": "eql",
"version": 3
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "f9d687c9e6c694138baa5bac44dcc183c2cb70c69a7580e14fd4188c01bedbba",
"type": "query",
"version": 207
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "ea099bf7bf302aa4eb27d5adcc8c2e0187e538d3b042ad83abdfaf4e869b5e3f",
"type": "eql",
"version": 10
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
"type": "query",
"version": 100
},
"cac91072-d165-11ec-a764-f661ea17fbce": {
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "17830a8c24378fb8ea0b2c0fd6b002089e0761f86d47ae0af127d74ec05489a7",
"type": "new_terms",
"version": 215
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "9cb65197a2a807ee18542e7b91472f606e5474f4bddf8b96b4ae78bf72a1a3d0",
"type": "query",
"version": 208
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"rule_name": "Suspicious Calendar File Modification",
"sha256": "dbf5167ff460dda688296a49e1d5d48d5f1d0f19ca621f413100a1cbb02eedb5",
"type": "query",
"version": 107
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
"type": "query",
"version": 100
},
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"rule_name": "Attempt to Enable the Root Account",
"sha256": "b89a2b2d3038c777d4599aaebf7e06253ae8c022cdeee090402de4e373b22654",
"type": "query",
"version": 107
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
"sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5",
"type": "threshold",
"version": 2
},
"8.13": {
"max_allowable_version": 203,
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd",
"type": "esql",
"version": 105
},
"8.14": {
"max_allowable_version": 303,
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd",
"type": "esql",
"version": 205
}
},
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd",
"type": "esql",
"version": 305
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "c81d5f537f0a2c406763b42d4ef5ef5a4bad745e4d41176ac84c5d34598e6c1e",
"type": "machine_learning",
"version": 5
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "8457814fe9b8ebb61a453ee3027bcd060740b1a39f87c180f5897bf3d8fbc861",
"type": "query",
"version": 107
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"rule_name": "GCP Pub/Sub Subscription Deletion",
"sha256": "0f342ddaebb8be170f8947b26bbf9976454a9609a3fab69ef43946340d965b1f",
"type": "query",
"version": 105
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2",
"type": "query",
"version": 211
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2",
"type": "query",
"version": 312
}
},
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "e077043096bb995208ae7655f2088f680ac0954e54eef38a732a21fbf54027d9",
"type": "query",
"version": 412
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"rule_name": "Potential Process Herpaderping Attempt",
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
"type": "eql",
"version": 105
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d",
"type": "query",
"version": 311
}
},
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "690e620924cf220b5b56c70024faf4279be53fcb1832f317bd52fd6b70db9705",
"type": "query",
"version": 411
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
"type": "query",
"version": 100
},
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
"rule_name": "Anomalous Linux Compiler Activity",
"sha256": "70003b5b25514505d843dd9aee62ca085795777f69e03784b7df399a89f5832f",
"type": "machine_learning",
"version": 105
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Kernel Module Removal",
"sha256": "d72671bd3bab4e18d0837fc746481567bb678e23b73c20159cfbcaa361b9912c",
"type": "eql",
"version": 111
}
},
"rule_name": "Kernel Module Removal",
"sha256": "838080c3b478f8de7d167a575f607f38e06a9411041e29d5a0f3c8be72f1f054",
"type": "eql",
"version": 212
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"rule_name": "Downloaded URL Files",
"sha256": "4ea12333f42f437aa58e54d2644f3646936a8a5f93c6814a0ed2c67dff925da5",
"type": "eql",
"version": 4
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759",
"type": "eql",
"version": 212
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759",
"type": "eql",
"version": 313
}
},
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "f642652974fc308178cf8b88483c24d61cae898a7b3b2f9e3254e4dcd182cb40",
"type": "eql",
"version": 413
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Okta User Session Impersonation",
"sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde",
"type": "query",
"version": 211
},
"8.14": {
"max_allowable_version": 410,
"rule_name": "Okta User Session Impersonation",
"sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde",
"type": "query",
"version": 312
}
},
"rule_name": "Okta User Session Impersonation",
"sha256": "3aa673f1c0c34cebfc6e3e55a3be648b570843086b6289d22c44ef3c70ff4f0d",
"type": "query",
"version": 412
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "a02aef3d53b50e1841dd01ee25f506dc63a897f003265f8678ef3f82fa618670",
"type": "query",
"version": 13
}
},
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "ab4ec07b2bdd59f75529ab2b6f8e58098bad8f3f8a08c9e0b2261cf7500d3015",
"type": "query",
"version": 214
},
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
"rule_name": "Shadow File Modification by Unusual Process",
"sha256": "31811725296500b46a530f4167b50a90a1939a9a30ae575a5f1605db107c530c",
"type": "eql",
"version": 3
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14",
"type": "new_terms",
"version": 204
},
"ce4a32e5-32aa-47e6-80da-ced6d234387d": {
"min_stack_version": "8.13",
"rule_name": "GRUB Configuration File Creation",
"sha256": "cf29eec9c7946126d6e84a24c8c726e02c45cc182ef0dbc48dcb9b388761509a",
"type": "eql",
"version": 2
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "d6cd204299d4a7613c0652ab78b54b1b97f5c11b4f208fb0b5fb05d0f142656f",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "abd7f59b6a23d28908dddaf17edaa914939c9587f387ef557ca5faaff341abd2",
"type": "eql",
"version": 211
}
},
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "90451475ce48d53de51f8ef8c31ab01801580c163221def965e9ed6c9b7d3b3b",
"type": "eql",
"version": 312
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"rule_name": "Cobalt Strike Command and Control Beacon",
"sha256": "7917f89564301d83f5dcb2013db39240afa955863bc98f21a1016208a37ea998",
"type": "query",
"version": 106
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "f9935260008893683196e7baade711c8c71a9faf9ece159608690d70c3a3e57c",
"type": "query",
"version": 206
},
"cf575427-0839-4c69-a9e6-99fde02606f3": {
"rule_name": "Unusual Discovery Activity by User",
"sha256": "dafdfd21513074cd259693095b1481af24714117026e81c38a454cfa19780230",
"type": "new_terms",
"version": 2
},
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
"rule_name": "Trap Signals Execution",
"sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4",
"type": "eql",
"version": 2
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "8db9e44ecf31d95be5241f20bf1dda7fee037f97daf672d1c60aa48ed16fa84a",
"type": "eql",
"version": 115
},
"8.13": {
"max_allowable_version": 313,
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "a54a9feef37567feb968c9bb2bbd6e0343c7c1a2371538b9d448e491e4870ce4",
"type": "eql",
"version": 215
}
},
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "627a9ee7b45a19df7b70233781fb7c76b129346cdb7286aeed83bdc9c87a7da6",
"type": "eql",
"version": 315
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"rule_name": "Archive File with Unusual Extension",
"sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3",
"type": "eql",
"version": 2
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "0f000268fdc695dfbee160cd34e2e1321d37c12eac2a69d832aef01d5306655d",
"type": "eql",
"version": 10
}
},
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "e0b9b778b8c39963c3189778b579a80dba4ae66cc8cd73cf01120c8b0ffe0d27",
"type": "eql",
"version": 111
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"rule_name": "AWS Credentials Searched For Inside A Container",
"sha256": "b3f0dfc6f24cc6c2787d62f56817932713a1a3feddb8a231273e9a0e3c66a88f",
"type": "eql",
"version": 2
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "4bb55e1f7ac32a17597deba9c24186c785abfcd6953b10305a596ff29a27dd63",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "c97fbd41a9b9ac3b79c7459e0bf3c636d1652d33043f7e530ccd2e038f258b18",
"type": "eql",
"version": 212
}
},
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "0d395b1f9a4f028fc752ec37396aaea0a8b3896f2ac3318fe2edbd6daae092f7",
"type": "eql",
"version": 312
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "37145c723b473d65d0bb500dc4e602e9be53c701bebccba958554a5992032cba",
"type": "eql",
"version": 212
}
},
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "3034865be9da254728b4d1468ec5c2ffa3dfc305f180a77e47c5b69a916508fa",
"type": "eql",
"version": 313
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "232255e1a27a32df53f7b03d4a328673ddafc73b3d701b901c20ab79e1b5e28a",
"type": "eql",
"version": 6
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"rule_name": "Compression DLL Loaded by Unusual Process",
"sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce",
"type": "eql",
"version": 3
},
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
"rule_name": "AWS EC2 Instance Console Login via Assumed Role",
"sha256": "c4baae65ca422ef39a7b46b0def65701fd04eaaf1b938ab2d950984acde5db2a",
"type": "eql",
"version": 2
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
"type": "query",
"version": 100
},
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "95008cbe23f1fc8380e8181c4dac5e28c0ed9c9315589761e18569e50c4cde9d",
"type": "query",
"version": 107
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "b4d0f51e31276b87a2d2f365694f02f3826550163ef41d500b69e5a188479123",
"type": "eql",
"version": 212
}
},
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "daa4ee75ef9d319d9fe60c708f314fa2358cc48334270374e0b5c8222d5352ab",
"type": "eql",
"version": 312
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Clearing Windows Event Logs",
"sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 313,
"rule_name": "Clearing Windows Event Logs",
"sha256": "6d45b9b9acf8b31cca0f0c7d70ffd9e42c69b4f9ddbc0db1fa912fc154bf735a",
"type": "eql",
"version": 214
}
},
"rule_name": "Clearing Windows Event Logs",
"sha256": "10c1f03793fcb8bad9555616905d87289a0f11c3a96622a566e66223f9df88a3",
"type": "eql",
"version": 315
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Remote Windows Service Installed",
"sha256": "aa6cdcf93a49ab5e86235d0f4bef6b42dd410c7af99275ef526c0d215b127609",
"type": "eql",
"version": 8
}
},
"rule_name": "Remote Windows Service Installed",
"sha256": "ca8463464ebf568c419e1064f2ee75dca25cfbe1117c40f7af9a92a48acc6ac3",
"type": "eql",
"version": 108
},
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766",
"type": "eql",
"version": 4
}
},
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "5f491cb250197e96f8b04303127d25ac73bfa4d6a8c4f391c9557212b28adb50",
"type": "eql",
"version": 104
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "d3c22e7edad44df7543bfb8c0d84839b41b82786b1de1ee5c05819890a61a13e",
"type": "eql",
"version": 109
},
"d488f026-7907-4f56-ad51-742feb3db01c": {
"rule_name": "AWS S3 Bucket Replicated to Another Account",
"sha256": "01c816014f421370ac32bb6369f8a83bc036b4cc7a1f817e5f34eed99deaaa01",
"type": "eql",
"version": 2
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666",
"type": "query",
"version": 310
}
},
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "90f5212b5d6f828360ef355e1f922212881b33016383d2d9c78719cd37ed1639",
"type": "query",
"version": 410
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "6ad7ede3c52ca6d191275bc53d5af195bd6c4bac16d37b2a0d2c8431ae4a33dd",
"type": "query",
"version": 103
},
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
"rule_name": "Unusual Linux System Information Discovery Activity",
"sha256": "589f094b4f15686c52f3a6b3e8d0b26b2f6bc93446f91d37f0deed5dacbc30ca",
"type": "machine_learning",
"version": 105
},
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
"rule_name": "Unusual Source IP for a User to Logon from",
"sha256": "526a1d698d53c469d024aa72d1d2b07ea56ac34aa51fb0104c5f69fdce70948c",
"type": "machine_learning",
"version": 105
},
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "3ac7fcb80411d506306b5e742ea93bc2592f558ea93ac74f82e98b6453cf1094",
"type": "eql",
"version": 7
}
},
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "12f7f9d6ea55e9ff587c8130acae50e3081e10e1ee41b58149e1a4cb74d2eb85",
"type": "eql",
"version": 108
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "c72111177dc1c97186e853f7c03b41f573c7cfb81a533dc0f9156381a00a5cb5",
"type": "eql",
"version": 8
},
"d55abdfb-5384-402b-add4-6c401501b0c3": {
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
"sha256": "17e9577dfbf339f5aa680ffac330813882588c59f8cc0f4d73bdc1865b72df9f",
"type": "eql",
"version": 5
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "517d28ddbcd9550ac85394cdac2cee0844bc448d4be9b4e4aa81be52e1275002",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 307,
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "76d7e76f6c26a0e245b833dbed9be07a49f80004d68992ad351a789ab93f06d6",
"type": "eql",
"version": 209
}
},
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "60b8eec12452b573096d484a711a30dba4b444661e967528e029b47d6ee84f62",
"type": "eql",
"version": 309
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "457f9745d44991b7dbff97c8032d25b5f3d5c631adb8dc0e909ea948b837ae41",
"type": "query",
"version": 411
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Service Command Lateral Movement",
"sha256": "0d07056086afc2ae7fc3933f654811d9b31cbcf86939f52cea27261c807c0b8c",
"type": "eql",
"version": 108
}
},
"rule_name": "Service Command Lateral Movement",
"sha256": "e767e2798904e06d27a494fdecd4eec49bb912ec8b0c6940d3992927ef6354e1",
"type": "eql",
"version": 208
},
"d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
"rule_name": "Unusual DPKG Execution",
"sha256": "6649690e0d48f4463fd9ea9af37d65f589e1c88723ac705b63965957e8021ebf",
"type": "eql",
"version": 4
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578",
"type": "query",
"version": 209
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"rule_name": "GCP Pub/Sub Subscription Creation",
"sha256": "bdfafb9c68e9892fa7b9ca7598f201f97e7939ca8ca8c33ffc98baa5c1c46cdf",
"type": "query",
"version": 106
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
"type": "query",
"version": 100
},
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 113,
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e",
"type": "eql",
"version": 14
}
},
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "2a52d9f39f0bdb9a5b2e617864be31ade499082777e54548585639125a49dc8e",
"type": "eql",
"version": 115
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "64a63407de9de164073767409d81c4ad49dc544271236c164345d1a626d94c3a",
"type": "query",
"version": 207
},
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Modification of WDigest Security Provider",
"sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e",
"type": "eql",
"version": 111
}
},
"rule_name": "Modification of WDigest Security Provider",
"sha256": "b9a559838a1a99dc2394f88550d8bf2acd150203179bbe5aa432e9d0d8569049",
"type": "eql",
"version": 211
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "eee49e97f8be4dd945fdd081627a3fa84151189394053407c767cc654b03f61a",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "636a5aa15d3dee30f441ac50911f29d0c8a99035e4b8d1e57294c5957baf6b73",
"type": "eql",
"version": 213
}
},
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "77f519e1c25064d73042352df755adbf55aaa3901bd4c338ef309863f9b8dbd2",
"type": "eql",
"version": 314
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "641ef2451b1987a3e9cb28358fcfd308d956ef099cab89e13168b853db4d48c1",
"type": "query",
"version": 207
},
"d74d6506-427a-4790-b170-0c2a6ddac799": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Suspicious Memory grep Activity",
"sha256": "be15becb96ba5f7d3bbfbb8d336acdd122a95f155d4235a4e3941eefa4d8fa70",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Memory grep Activity",
"sha256": "b32fe770424c2bb1f42c024250666ed6908c7309fc3bb52716853793ca7deb49",
"type": "eql",
"version": 105
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"rule_name": "SystemKey Access via Command Line",
"sha256": "4c5994d232095f98e72abc6b0a4ff08477e6c845b50df9de6e6ae92745f25835",
"type": "query",
"version": 207
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "aa0975e7620cba81ba4d6b2b9aa05da8913d3f309cb4803fbff2ac88f7d9a4e0",
"type": "eql",
"version": 111
}
},
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "b9ec78f42bbee517ba762cc989682ed667042fa1dbbf00a51d635480508b7d19",
"type": "eql",
"version": 212
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"rule_name": "Azure Blob Permissions Modification",
"sha256": "b6f7d9e1c6d3053f849ee87cdd0567aa3e046fbf9c1400a060021426261838d2",
"type": "query",
"version": 105
},
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
"rule_name": "Spike in Logon Events",
"sha256": "e6d5824de70c85d84e7bf5a4158c0893db7265f5bf6a4310aadd7a4cc1806bde",
"type": "machine_learning",
"version": 105
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
"sha256": "dc4aaaebbe30ceb017d1b3100fec840afc7c916a2519037418a91ea060b581ea",
"type": "query",
"version": 106
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"rule_name": "Untrusted Driver Loaded",
"sha256": "9d627c046b1d969fa3cee29c64c2ede631bd7c2f11e2d5b0195467910718d443",
"type": "eql",
"version": 10
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "45efd7d53f83838ba357aa1bfb387f4c2489612adc924437d1f1953cf68c6d7f",
"type": "query",
"version": 210
},
"d93e61db-82d6-4095-99aa-714988118064": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "NTDS Dump via Wbadmin",
"sha256": "a3662b99a5aeaba17b20017e4f74a5a700018221aa4f539eae6586749aef123b",
"type": "eql",
"version": 3
},
"8.13": {
"max_allowable_version": 201,
"rule_name": "NTDS Dump via Wbadmin",
"sha256": "6d5f2be14d23c96aec4e7d179a2f0102cb02ce3f198dc30016b6ea842a71fdb1",
"type": "eql",
"version": 103
}
},
"rule_name": "NTDS Dump via Wbadmin",
"sha256": "432106a3b18e6a6c3983f2db37cc0d7c3d3a12ef2622c48805e23e67fc76576d",
"type": "eql",
"version": 204
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "c312ca88ca87b5842950e5a73570f60860a7d415c34293e91196686fbad5e738",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "b0c3e97ff9361dd6edacb9ed48e4b541387b984a265fa98d119adee51577458d",
"type": "eql",
"version": 212
}
},
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "21e3bb58844ec1cf781a8dc4fabc5dd00365515d481779308fbe721a11082c50",
"type": "eql",
"version": 313
},
"d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Suspicious Windows Command Shell Arguments",
"sha256": "f33fa3c2f6e59b87d777b60c36ca2f7b49b83e7d55fd70bda7b51c5164f2e484",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Suspicious Windows Command Shell Arguments",
"sha256": "6992b10f898c3dd9c58648107a909375f088a7cbe752dfa3e89ad95f36d12be6",
"type": "eql",
"version": 102
}
},
"rule_name": "Suspicious Windows Command Shell Arguments",
"sha256": "091d2119d9f9bd8b91745b62a2dcab088dd2631acb0cbf1eb5b855fa829ef778",
"type": "eql",
"version": 202
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "fc23e41a7d22a46223a5b1ed558336101405e6adad108127504e440c44d82a19",
"type": "eql",
"version": 12
},
"8.13": {
"max_allowable_version": 210,
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "9d490d625ede5483e6874408d935d1e8ae2e654bf38990bd8ec90cac8d61e7e4",
"type": "eql",
"version": 112
}
},
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "0ac7d1624e694cec67982400a822b5692087df342748f9d9b10eebc1de8ffe03",
"type": "eql",
"version": 212
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "6f132baef5851efd00f760a31aa6cfdd4a68c0bd286f6abbf8cd245ebc635745",
"type": "query",
"version": 6
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "0d596807e4224d804bdfe2e04ba7a55241ebcd35ec0c8329585b908e6a811d4c",
"type": "eql",
"version": 11
}
},
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "8c5a1b27f6a02621b57dc23c369f980d79cbceb34f18024d02dcf75ca46ae963",
"type": "eql",
"version": 111
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
"type": "eql",
"version": 100
},
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "6e675455e0691aa059267316b5c588a3be00378d5ffc8f0d62d327ea9cf9bf9b",
"type": "new_terms",
"version": 7
}
},
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "e40d42488b5d12045dd32b4d104b2128f4032fc3e2a66c9578576d8f75e093b3",
"type": "new_terms",
"version": 107
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
"sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee",
"type": "query",
"version": 105
},
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "f070b0885fd560dca726ee750baad0826feb31d8d40ccb087eb224a1ea7abfbc",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 202,
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "042a48825a4fad14bc7163dd1ec03c4495809a3b597ef85c391fa358b2abf475",
"type": "eql",
"version": 104
}
},
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "6512a9d12fa4ef27519126e321762a291e72b255d30192405b4cb411001266c6",
"type": "eql",
"version": 204
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "1ec2b5f008f9e9bead822c864926d9183431f584d472eb22e8ff3ce2939b9c8c",
"type": "eql",
"version": 8
},
"8.13": {
"max_allowable_version": 206,
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "daf311a52ba5b293679091a760f4b56a52f62f96e0ab510ea01cd988baa19167",
"type": "eql",
"version": 108
}
},
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "20558f6e7908c8dea171a7635ec499e0ebeccbe62d14d7f06850636afc8283f6",
"type": "eql",
"version": 209
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "d51a9914cc58576ea6fcc57df0fb35de299f08b8acf0ff37597124b12b9862db",
"type": "query",
"version": 104
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "d4648bbfa3d971cafd0c2664cbb8da0fc57af62582278b2246e279b1c7dcaa2e",
"type": "eql",
"version": 6
}
},
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "8690b4f17180de2e5b04b89a6a896c3a137fe7ebdd13e6982bfeee9fb2b135b8",
"type": "eql",
"version": 107
},
"dc61f382-dc0c-4cc0-a845-069f2a071704": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Git Hook Command Execution",
"sha256": "dd6719030d3fe2a0ee69963aabd0b10598548861f0ca6a7ce968eb283b8a96f0",
"type": "eql",
"version": 3
}
},
"rule_name": "Git Hook Command Execution",
"sha256": "3ad68272adbc2c5c4f5b945a065b67154c91b826cef8f120af822a44d62724e1",
"type": "eql",
"version": 103
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
"type": "threat_match",
"version": 100
},
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "e16de17547f45513cc6097ae2c1fafc3fb841a3d7cd4876355dfdce3bd42d171",
"type": "eql",
"version": 10
}
},
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "99b4b4a9e64fa970794d90bd46d37e2ad1f23280ede41d8a8de1841b6caf8622",
"type": "eql",
"version": 111
},
"dc765fb2-0c99-4e57-8c11-dafdf1992b66": {
"min_stack_version": "8.13",
"rule_name": "Dracut Module Creation",
"sha256": "af7a3f72ed7f24e50bc14f940937bc9cf2bc1f6872e1d672d463b5165d85d1dc",
"type": "eql",
"version": 2
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "fc94eadae513c2cc5d7926f9b29162dc04e94539951f7b86fd3bdd9832ca46db",
"type": "eql",
"version": 212
}
},
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "6c79aab936e1fe25141e3e984b8d2113e9aa91ff99605c1bfd90084361126379",
"type": "eql",
"version": 313
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
"sha256": "c2be81a4e4f052c6da9119dd200e3ab45d5687ef747f79b3a2cef11bb4568d29",
"type": "machine_learning",
"version": 209
},
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "6aecf0b6e2c4fdfeae54ec1cfaa51070bd371c150206b98a27cf2be01bbad3a0",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 202,
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "e97febd5beb392ed445ad0e67d7a284e6d6588dd93baad573301b7714cff4c46",
"type": "eql",
"version": 104
}
},
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "ab1e64f0d5a84e58ddf9a0fdbe54ccd23b6eeda4909f99483374237a1c2c74c1",
"type": "eql",
"version": 205
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "8475f6c6b1206c9fd3c5085bb9b4677b0b6e931699d1763068961d84d8aa46a6",
"type": "eql",
"version": 9
},
"8.13": {
"max_allowable_version": 207,
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "c4104efeb172e0634cf59ac025d803d9d3171803756060c76e6bf8cfd3d88a90",
"type": "eql",
"version": 109
}
},
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "795b6a57e976d8a06dd804326ac7ea4f673753436de7405e506a7a6ea8d8974a",
"type": "eql",
"version": 210
},
"dd52d45a-4602-4195-9018-ebe0f219c273": {
"rule_name": "Network Connections Initiated Through XDG Autostart Entry",
"sha256": "3893d44e187bf13e2e0a5fffa35b36800a58de2f402432d79956113fb81f68dd",
"type": "eql",
"version": 5
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"rule_name": "Reverse Shell Created via Named Pipe",
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
"type": "eql",
"version": 6
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "84f5b0cc9b45784f5f3268b1f1cd252e3e460a30225570b04bd90ed819e7cd75",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "c53af1114c332c599481a0ff4eede6a5a9b7a2b80284a201c3c7c5c3ba9dae11",
"type": "eql",
"version": 211
}
},
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "e723d0b3254745f488ccac62bb67e6d2f069196659d17cf778fb42a524933135",
"type": "eql",
"version": 311
},
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
"min_stack_version": "8.13",
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
"sha256": "c129a707d58db25a4c45591577570e807c1cda2be7e4167c44a922ada89b2939",
"type": "esql",
"version": 4
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "dc59f461ee6eaded59582a8d9d1665d294369cbd7cefb74b93fc69c65b3626e3",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "d48e91e2df3b46dddd47dc1f8381eccd2d4ea3654875665feb8871b7f7df2498",
"type": "eql",
"version": 213
}
},
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "0e4c1d925e33511a5ca1c1b97c6b325baac1871f6c4426d17058007044aadf6f",
"type": "eql",
"version": 313
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "2110c27e62d99781d5a1189a8ed1fe2d6a400568585a8e6573fb473f783f9761",
"type": "eql",
"version": 111
}
},
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "d096dd61e0fdd262df14f29f04e3818f84e1a5f4057cade79110ad3a929aac3c",
"type": "eql",
"version": 212
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"rule_name": "Query Registry using Built-in Tools",
"sha256": "de848b5e9c4cb1dbf61d805263fb3e9d70aed03a3de0e18b44698957c53aa130",
"type": "new_terms",
"version": 106
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"rule_name": "First Time Seen Driver Loaded",
"sha256": "6323546ce88a2062ab9b777768a0a4282ac1a74384c1f21449a3262202208011",
"type": "new_terms",
"version": 9
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "92bb89bd0e84c9232dcf024b09b211d04bf914a34e8ebcfcc2700c0f9f4154f6",
"type": "machine_learning",
"version": 107
}
},
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "e7e813348ed80c496689f948ecd7de5edfefb9f63b906114a57bb6798b9253ae",
"type": "machine_learning",
"version": 207
},
"df26fd74-1baa-4479-b42e-48da84642330": {
"rule_name": "Azure Automation Account Created",
"sha256": "8fc27e74bfd62fc69cfb08bc0944fb02643fbb3fd3e9b84ef1e6b06e36ccba3b",
"type": "query",
"version": 103
},
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Dynamic Linker Copy",
"sha256": "c129b0c687239213e54f4f95219e0ba6f09ce259ad97d16efe4789c56b4c1205",
"type": "eql",
"version": 110
}
},
"rule_name": "Dynamic Linker Copy",
"sha256": "f1a290ca66fac0299d00bfdb6b2303033c974c4a184dd32b9ae3e34b3b7ddc78",
"type": "eql",
"version": 211
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "ac73d656120d73f8776a9afbdc0c8a63ba9863321b9153d9529c67e61651a5a9",
"type": "query",
"version": 205
},
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
"min_stack_version": "8.13",
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
"sha256": "f33b42f628062aaf94789a5880e98522fa684c465bdf6da024d16c74a4f02efc",
"type": "esql",
"version": 4
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
"type": "query",
"version": 100
},
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "f14455fd6ea9bdc73123f4c69cb12843cfcbe7747b51b622198eb087bb953f08",
"type": "eql",
"version": 4
},
"8.13": {
"max_allowable_version": 202,
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "f7fcd4ec131f7e648b7fe8bb86887bfb768bd7bf3a006340a5e9fca5467205bd",
"type": "eql",
"version": 104
}
},
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "2b622d8bb5228a5ab103d2c5197eab64a8c1a0977cbc0594097fe979c66d2034",
"type": "eql",
"version": 204
},
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"rule_name": "Delayed Execution via Ping",
"sha256": "8b63af67b0b77e5d770c49f6e9a9216ab92f9f7aba27fe58b2f87b38dfd3b24e",
"type": "eql",
"version": 4
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"rule_name": "Azure Firewall Policy Deletion",
"sha256": "3145c97b2a0f8a3dbe953d706b20b0db89737e622460e8eb92f562e46316b78d",
"type": "query",
"version": 103
},
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "d66a68b32ae569978a6ef6580b94f0b86b0f34b30ebec5e7173db7138003bce5",
"type": "eql",
"version": 109
}
},
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "93383cc44307548a071047b61fc0df04c3b9f6b286e64e7f6d26fcc4f6e1b84c",
"type": "eql",
"version": 209
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e",
"type": "eql",
"version": 9
}
},
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "d82fcf936af322fa2da05ceac8ec3a4994a372bf58f8664d1345e0dddc57d275",
"type": "eql",
"version": 109
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5",
"type": "threshold",
"version": 212
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5",
"type": "threshold",
"version": 313
}
},
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "0f1797f4458f41926c4fb9920e9bad30476efd48173d83db37c845ac553c2e1a",
"type": "threshold",
"version": 413
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "6147022642131c87ac6702fa482fbae2afa75394591d2a12545a08d85336f5f2",
"type": "eql",
"version": 6
}
},
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "afd239148a789428e9afc33cc2ed4df601459622d6b114f719be62ef217f425a",
"type": "eql",
"version": 107
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
"type": "eql",
"version": 100
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"rule_name": "Azure Event Hub Deletion",
"sha256": "55c15bc0ab3e65a9e0dcb4e9babf915de29b34b26b842fe6ad70c153dbc50212",
"type": "query",
"version": 103
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"rule_name": "AWS Route Table Created",
"sha256": "c76bc6e2331f0b9bbf3d8f05a6f363c267e1509a793f6949082fc196e12f1fc6",
"type": "query",
"version": 208
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "AWS RDS Cluster Creation",
"sha256": "7b5a2e8745804344d0c558af38ae871fb0c48a51a92c943f98830876bce353b4",
"type": "query",
"version": 207
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Connection to External Network via Telnet",
"sha256": "28c7ce83de51514d2b297b6590e71038a20120a59fd3f1b8f1693e98dc5c1d7d",
"type": "eql",
"version": 108
}
},
"rule_name": "Connection to External Network via Telnet",
"sha256": "9c4cb74b1de6b291bdd95cef6e4dc1db2fc043af96969f7a09811263b9866c96",
"type": "eql",
"version": 209
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "79e7d8b6c91ff85bfe18be26bfd2bbe3de8d62a447c19e86c2250d6f10e25dd6",
"type": "machine_learning",
"version": 5
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "2e1ea018087510cd48cb9978f295dfc7ae3df5e33ae6087605fe0c171ee6f7af",
"type": "eql",
"version": 7
}
},
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "b5f28770a0cb6cc57839bec21e0d78f890b72c023a9f2a1f56329aa86d0bdcf6",
"type": "eql",
"version": 108
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"rule_name": "Spike in Successful Logon Events from a Source IP",
"sha256": "0269e018a4255bfb434cd73bd2e52aef757c68e11659366261fa2c8687dc0948",
"type": "machine_learning",
"version": 105
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "aceeffb1d2d30da61a5c975b4c978c1a8dd0687ddac7214c80ae21c9067eadfc",
"type": "query",
"version": 114
}
},
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "ed908ff078c5a2e7569fc9967c30cc040397ed9122a09287031c0a4e5d04e377",
"type": "query",
"version": 317
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
"sha256": "f5c6eb26668b0618457eb54076493de70230dd3c72adcd575923b13012ae0c45",
"type": "new_terms",
"version": 4
},
"e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
"rule_name": "Suspicious pbpaste High Volume Activity",
"sha256": "2190e84f9e7192e1648c8b1673576f046c4e03d475bb75045c7b9e2e12bae237",
"type": "eql",
"version": 2
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd",
"type": "query",
"version": 209
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"rule_name": "System Network Connections Discovery",
"sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1",
"type": "eql",
"version": 3
},
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "8d70b76836720ce1d1bfc90c83ef511c63192ceba13afe89de6d4bd71db8d10c",
"type": "eql",
"version": 9
},
"8.13": {
"max_allowable_version": 207,
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "8c937a63efdd09c306a4b062fb0111216523fadb6b29f8ddd000fc831dffb3a3",
"type": "eql",
"version": 109
}
},
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "16d97ecf035e7b51f4cd64bf55a659d5b15dd93323fc78280d023922c5e1d00a",
"type": "eql",
"version": 210
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff",
"type": "eql",
"version": 112
}
},
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "a02677e7cd9c71dad3cf902389ff330aa11d7e30af8f5186022a8942cbd0a39b",
"type": "eql",
"version": 212
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"rule_name": "GCP IAM Role Deletion",
"sha256": "44411255b771a99faffe0685c0f5e63977818e21d073d24091ff91bd9aa33b51",
"type": "query",
"version": 105
},
"e302e6c3-448c-4243-8d9b-d41da70db582": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Potential Data Splitting Detected",
"sha256": "7b1c198e74d0e4f3d7b01f471cbcaf92ef595343883d73f4bcca641970102396",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Data Splitting Detected",
"sha256": "4cbc9c690c480e6a0c5458a4e2e93bcf347ef61202570333fb7b66342ba93b58",
"type": "eql",
"version": 103
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "c66a168ed3b1aa0efc9fd8a2c7f723b9b814fd5d0c3d2b6f04b437cf128a89ff",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "076f262b0c9c62805bd7d969fc2bc5a6e3ae9dcbfa5c30cc922041a3087b7a7f",
"type": "eql",
"version": 212
}
},
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "77d77852881da5c7de3250605cbf8440cfb6dae48e1b9b767e4aad194d02688d",
"type": "eql",
"version": 313
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "f2d736a544e71eb0be5118b7e11cc5ca78ef900a8f8d7225e8c0b03ad08c6587",
"type": "query",
"version": 207
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "6b3dadd40aa120848fae2bf405a3e564a4f8f1f135f3e43273c9a5990cce5592",
"type": "query",
"version": 104
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "15425280f466c2729b02c0af122c6c595b30165cd51c4f683fee546070d396a0",
"type": "eql",
"version": 108
}
},
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "151650631c31a43c201b4eaea3749b4f13790dd576c4420057b75b9cd51c740b",
"type": "eql",
"version": 208
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "3d6b19ea3b397ac9a3e1d4779f0bfbbbe891a2b9352cc8331b3d1b21b3492f86",
"type": "eql",
"version": 115
}
},
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "465ac78f6958f74fff4f46a3ff16e69a49b534ccb7b037fa26cd2f352bd13690",
"type": "eql",
"version": 216
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "15409282fc22300e62bdd9cfa9c3699264d000fb84da5ff6405ad81aaa842305",
"type": "new_terms",
"version": 6
}
},
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "e2d4147e9b55b1a927716d2a92ff1672ed2857f83721c419e597fac90cda2559",
"type": "new_terms",
"version": 106
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "e7a1afdd3aed5b8990f25c5c3ebc89a3d4e1911e68296667f6b6e4cc13e21407",
"type": "query",
"version": 411
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "efce8f9ccb0652297ffed54f6d3ccb3c621da9704c8b1a147357fe1b2dec9780",
"type": "eql",
"version": 107
}
},
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "beac001dcd5095010c452fd5a86f0733003a76aa6c8e8f3de2c8d7abef8fa9e1",
"type": "eql",
"version": 207
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03",
"type": "query",
"version": 113
}
},
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "4f3219372b857ac80a9bfa981a981b8fca89e436d209e90b51d436bb7e8becbe",
"type": "eql",
"version": 214
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "c208e0210c900747a4eaa68c93e32df981d3e2f5bb72a17177582c3b6ea60501",
"type": "query",
"version": 206
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
"type": "query",
"version": 100
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"rule_name": "Bash Shell Profile Modification",
"sha256": "8893356dd5ca661718d8f5c32e3d5b4e2e31ced5866bad1aac12f2ae4b1837b8",
"type": "query",
"version": 105
},
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"rule_name": "Authorization Plugin Modification",
"sha256": "abc854ad84c4df75f33b8a3ec0b322047c931d738de30da1996883afbdd7b799",
"type": "query",
"version": 108
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Possible Okta DoS Attack",
"sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Possible Okta DoS Attack",
"sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8",
"type": "query",
"version": 310
}
},
"rule_name": "Possible Okta DoS Attack",
"sha256": "d31797a2a9ebd8114c915f01f1b7222689f61769135d5406738283834a175f72",
"type": "query",
"version": 410
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "021c60ecf962a5bbddbcccf61190972c6aedc8a3522201413fff29dce8e8c16f",
"type": "eql",
"version": 109
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "a33b86d48c3d3d62db7a1fa07ff45e3dd2ec92fa332099989635eeb934db5345",
"type": "query",
"version": 105
},
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
"rule_name": "Potential Credential Access via Memory Dump File Creation",
"sha256": "27987be0e2d175b6af6648f0f13ae6c921ecc1ef5198b7ec704a9e12b91cb3cf",
"type": "eql",
"version": 4
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "8e916c6e5e28236cf4e78bb6c9a7cb8991800d108c6dce8a147b6196ae27b89c",
"type": "eql",
"version": 108
}
},
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "745553dd4b4f167afb3f9d8aa2a73cb88e8a9984dbee97b741c011740ea72306",
"type": "eql",
"version": 208
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "0eb9b50416c959551b3b273ef5326ae8b96145ec4ea717bee0033ea99d133af6",
"type": "eql",
"version": 107
},
"8.14": {
"max_allowable_version": 305,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "123c8d391974a063625df859c1b10d7a95232b0f02f302c5097d70074e697164",
"type": "eql",
"version": 207
}
},
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "b11cb97ba4927fbd34141d3a5cc49333cbae82890c27eb7731e165ed71b3cdbc",
"type": "eql",
"version": 307
},
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
"rule_name": "Potential Windows Session Hijacking via CcmExec",
"sha256": "fc6696281aaff38aabf5ef6dfe7b56c731c027f5daa36aa8fa27db356d1836cf",
"type": "eql",
"version": 2
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8",
"type": "eql",
"version": 4
},
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "0bea98ee6e9ce10eac166784de0d4aeceb2b4e690051357201bb91cffc7e5edb",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "5ff7838c257d23a22ac81dc996fa1bba6e80734971669cbf6c8f5bdfa6314f5f",
"type": "eql",
"version": 102
}
},
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "8b9fb79800f9757717537734e0e8fd81eb27c77c51f3bea4933b4026af77e360",
"type": "eql",
"version": 202
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "ecaad70591f430b71f38353b51514e955299f312f6299c043edbe78296d96c47",
"type": "eql",
"version": 9
}
},
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "962391b35148784c37d51d9d75f577a0ae8c9c855443ec35d2e4dfb3c247e942",
"type": "eql",
"version": 110
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"rule_name": "AWS EC2 Route Table Modified or Deleted",
"sha256": "e56e718a9723a794c9e062425a957d4e952f2a9984792aa9df06ea86c7310dda",
"type": "new_terms",
"version": 208
},
"e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
"rule_name": "Network Connection by Cups or Foomatic-rip Child",
"sha256": "918d54c5a6647f2078e33a286ca77359e078e643772831ec0217ef3fc2478d8c",
"type": "eql",
"version": 3
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "32055c8d4af293ff9a8be66666fca76693403db6496116430450aab41050d035",
"type": "eql",
"version": 113
}
},
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "90408a5fd78cdaf27de15d201a1c9a85a6ef0ded0315d91be4d71a8ad7f8ac51",
"type": "eql",
"version": 214
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Installation of Security Support Provider",
"sha256": "b539da6b7c1b1227bdb42936daceee9540ba7d0f3605ee4daa85bd0c836ac05a",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Installation of Security Support Provider",
"sha256": "4921dd59a49f0857c4a5a11360976efc71f083994125f28706e6071dc19c7473",
"type": "eql",
"version": 210
}
},
"rule_name": "Installation of Security Support Provider",
"sha256": "d3e972fca563427e3d76bb4395afc5f71c455501294696f9dc6df982b1d28abe",
"type": "eql",
"version": 310
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "e8fd6440c6d6d88986539c259693d1ee14c53bbebd9bce21eab23ced642d5c02",
"type": "eql",
"version": 8
}
},
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "a50076fcb40d588e056f081e1168588950939d6c95a97f2facfed56882ce6f9e",
"type": "eql",
"version": 108
},
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
"sha256": "a666b794f171a1a2c008b39794d12cb837d0fee82e293f8dc6601f749a723645",
"type": "eql",
"version": 3
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "b54a9721e854b951bcffd517564dba55d3d9f5a1b13ff4bc738ee5aa7e4f9bc5",
"type": "new_terms",
"version": 108
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4",
"type": "threshold",
"version": 212
},
"8.14": {
"max_allowable_version": 411,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4",
"type": "threshold",
"version": 313
}
},
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "18719e990037ed4bcedb7040cb575b1b244fdea008bf902c36de0c0dc87262d9",
"type": "threshold",
"version": 413
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "0cc0882f3f4079767583e56fd8ac76f94fe773a3ad47b80a5c7ef1f07e5afcd2",
"type": "query",
"version": 207
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "b7a20dbebcf0f6ecd941a69b135191989886cb45781f0e23444e523bfaa03208",
"type": "machine_learning",
"version": 5
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "6ef104d85ec9575226338908f304d5def68a7412883399913f6bb68378d6decb",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "5f4f414a3ae8185a194ee698b33f60372d7733ed66e23b8ef56fe4c06edb3dbc",
"type": "eql",
"version": 212
}
},
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "2ec2b40b6d719512b8aedec3c65efa2e1ce6b38aa2dfb387edf32b43516c9421",
"type": "eql",
"version": 312
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "5b5c778062c60175f66184a03ec8cc58deaec9c8d47e50b7e62d75b592eb203e",
"type": "eql",
"version": 107
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"rule_name": "Spike in Remote File Transfers",
"sha256": "8d2b4cd0d07e0114cbfc97e7836712efaedb13d7941b49ba32df06344bed130f",
"type": "machine_learning",
"version": 5
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
"type": "eql",
"version": 100
},
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
"rule_name": "Azure Automation Webhook Created",
"sha256": "ca8b561fa907119476109df0f7f86007194ffc80c3b614c4f69522d366f15e92",
"type": "query",
"version": 103
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
"type": "query",
"version": 100
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "9305b82ec96b801a1ce3d03306069610691b62051ca30252e654c38b624f7c55",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "263dc5090dd778a47400fbeb93a47512defec5bc3e78d7bdd173ab8dd1c95910",
"type": "machine_learning",
"version": 108
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3",
"type": "threshold",
"version": 210
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"rule_name": "Spike in Firewall Denies",
"sha256": "fc408da92fc5febf3e95b3e4466fadb5f9c59ff6f98e5b71c5ba830dbebc52f3",
"type": "machine_learning",
"version": 105
},
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
"rule_name": "Suspicious APT Package Manager Network Connection",
"sha256": "e564804b6774ca1351834c65234f778427f64a1a8a9c63f54c7bceb478ea41a1",
"type": "eql",
"version": 6
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
"sha256": "cfe3ec83261ca32ec7fa6c3ec8fe8c6d8b42361b74fc363e99795dcce182badb",
"type": "query",
"version": 104
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "0df8fef46aadb6e55f99fcb160c20a7c50b5b97687a0ae824409284676656051",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "34b8cb6cbafa6c8284ce99c7c6cc95be28e2423a480b5e56d46de73e21ecb72a",
"type": "query",
"version": 107
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb",
"type": "query",
"version": 113
}
},
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "d7f6edb6af54dfc5d3bce2f5f8cd4bd2b869f751dbfe299e4cff67a302c6cae8",
"type": "query",
"version": 213
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"rule_name": "Suspicious Network Connection Attempt by Root",
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
"type": "eql",
"version": 104
},
"eb804972-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Behavior - Prevented - Elastic Defend",
"sha256": "1800ba797dd4735b90e918df5d02719c09d98850d2bfb0880d9fa80ff8b72f5b",
"type": "query",
"version": 3
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Disabling of SELinux",
"sha256": "68bbdb25d3a0f0d088bd7072fdefec01a701b6549176297cee71b31463d90ffe",
"type": "eql",
"version": 111
}
},
"rule_name": "Potential Disabling of SELinux",
"sha256": "e7211f890d92f3a7d930cfd4bc9d80fb4376b20adbbb602dd24721075ee45090",
"type": "eql",
"version": 212
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 411,
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "68b70fb7a0759edb5d4057074ce39e0a9d16c36f7e65d6fdcdfb8e6872bfbbc7",
"type": "eql",
"version": 312
}
},
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "b5e1dca924f5d9acc2bbfe1082785ef9458b056c40140e162d7526060d6bdbdb",
"type": "eql",
"version": 412
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "1d1a052986ba865ecb1849338b1b869d684513a6631e04cab4c9db4a1eed568f",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "efe3336c2caa03ca5f2f4c180030a6988719173b020f4ef0b6328548942e1cc0",
"type": "eql",
"version": 211
}
},
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "93b513e8ce449023833b25afd4c092d6d39708e07c92d3169dd2fe80a10617d7",
"type": "eql",
"version": 312
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "59220b274ab98c211eafbd5205e41e943cadddbebe78776bd28a88a2b38d017b",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "dae2d05e8c9a23744a3d55ec56c1540501141276c8789e74c7e1aa33e787721d",
"type": "eql",
"version": 214
}
},
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "76b8d3439003b72e5e932ff9c74478b5688253f8092575aea6c69d58e043bcc5",
"type": "eql",
"version": 314
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"rule_name": "File Made Executable via Chmod Inside A Container",
"sha256": "c4678239b073c9e1c28fd96f625436ef8f93ab27e0b80d9d2da6d39d0ced459d",
"type": "eql",
"version": 3
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "4572e35abc9f3fb1f7be34775ed498cbbbca8890182cba8ca5beff3a53bf673f",
"type": "query",
"version": 207
},
"ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
"rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
"sha256": "b69c69c1bbacce025e21987b18df13452767d8102331304cd46d1f177fb8a602",
"type": "eql",
"version": 4
},
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"rule_name": "Executable File with Unusual Extension",
"sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509",
"type": "eql",
"version": 2
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "35c7505a4a7e2503e09a6d55f986977e180f79e72dfde6b46e17c48fff3342e3",
"type": "query",
"version": 207
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"rule_name": "Azure Global Administrator Role Addition to PIM User",
"sha256": "31edfa8b99be2305a6bb1447799c69cf2f60e5a834ce4b064a4b4665bea80dd1",
"type": "query",
"version": 103
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "AdFind Command Activity",
"sha256": "c46b6502090d25c7bb5161cdb2c5e4487119fface180acbec85cd9f704de19b1",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "AdFind Command Activity",
"sha256": "39ddeac69ba7e957dbde30dd6afb1b62daefa13143c99fcc1c9131251c2da3f1",
"type": "eql",
"version": 213
}
},
"rule_name": "AdFind Command Activity",
"sha256": "666a39201e6cd023560381806ba6b8b178ce2bc7596b8084f46b63bec57859a2",
"type": "eql",
"version": 314
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94",
"type": "query",
"version": 210
},
"8.14": {
"max_allowable_version": 409,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94",
"type": "query",
"version": 311
}
},
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "f254d125f5da752be3671f52f44af3671f6730739ac5e5fe785f8bd0f831b628",
"type": "query",
"version": 411
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "495c9c3c998abfebae7ebc1d58f5d3fbf791ad4eaf2718e83c11d65598b43fe3",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "3b0ac08f7d0c601b06e44b9edb38650af8ddbdc85f786151f275fa96f595fe72",
"type": "eql",
"version": 214
}
},
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "9a796bd4864dce9764f4ff2cbf3bd4ccb3217521e23209f69c4e18ecf9ad41d1",
"type": "eql",
"version": 315
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"rule_name": "Linux User Account Creation",
"sha256": "5147bc8232ad7a92a84e036bdd81d4fcbcc9ce09fe2b0a2697ae01769ec50e20",
"type": "eql",
"version": 7
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24",
"type": "query",
"version": 107
},
"8.14": {
"max_allowable_version": 306,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24",
"type": "query",
"version": 208
}
},
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "7ff673016488bafc9ac4a344918957eda1629b68b0dd51bdc773ce2f9ace05a3",
"type": "query",
"version": 308
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "0c4cf82321253f33a4bf12dfa7306b7c39b7082304cab83766ef69126f83169e",
"type": "eql",
"version": 110
}
},
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "83d9b00ad3282d46a266bd3524f468f382c3f23737c05e7e9196acf838551cdf",
"type": "eql",
"version": 210
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"rule_name": "Shortcut File Written or Modified on Startup Folder",
"sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662",
"type": "eql",
"version": 2
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
"type": "eql",
"version": 100
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "0a31cd84388698181bb0e4d15e98b40bea0da0c9be8c956e27580d00780e3893",
"type": "eql",
"version": 109
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "BPF filter applied using TC",
"sha256": "446f19bb2ea5d80c1e18160601ba2b38ea8e81328974575d0c5369662901dfac",
"type": "eql",
"version": 109
}
},
"rule_name": "BPF filter applied using TC",
"sha256": "66e0fd97291e83d09d35179d1e16d22ed0b573f12480ce579f2d06bc6de7b380",
"type": "eql",
"version": 210
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "f4ee5791bd579b8b6592dbca0af0c3eae7553a3f4d087397f873f3621c85d929",
"type": "eql",
"version": 8
}
},
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "5270c503b5846ad6b35fd79100b8270b2b26c8f6968c90d112b8f672cfe55507",
"type": "eql",
"version": 109
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"rule_name": "Potential Container Escape via Modified notify_on_release File",
"sha256": "f08d245a0e30752adf439c2153063782f96520a044e2dda10798503db0580fcd",
"type": "eql",
"version": 2
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Whoami Process Activity",
"sha256": "85fc0e0d9af73aa5f5fc4dd729db10425c22c61214f864625a235cffcca9c508",
"type": "eql",
"version": 113
}
},
"rule_name": "Whoami Process Activity",
"sha256": "214f8fb47c57ac54428d1979e50f4e691ccd265637670689bfab291afa11f712",
"type": "eql",
"version": 213
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "deb097d91aed42823bd3a3204774168f890ba2423ac4e4253b9d060f32f50e79",
"type": "machine_learning",
"version": 5
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "23beebafef0bf295f6aaf5f99044dc15f8db23dfc7a6f68d46c1cb7a9416c43b",
"type": "eql",
"version": 109
}
},
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "6f3bb7099a9a769fb898a67560799db56ad58c5624c016b1d46a98b1bd12e651",
"type": "eql",
"version": 209
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"rule_name": "Suspicious HTML File Creation",
"sha256": "2d7643f5258ea00499f6a724d37680b18ea9e51cff76a508b397813d06cc2023",
"type": "eql",
"version": 109
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6",
"type": "query",
"version": 310
}
},
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "7dec7b69a9ae716233a2cc4ee0bf5ce3e8f108b425d0be073ef6d211e7eaeb3a",
"type": "query",
"version": 410
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
"sha256": "66dc553f0e5d998d6287bc5b3bb0efe2b016816411c35e13834d2fa558a64ad2",
"type": "eql",
"version": 111
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"rule_name": "Azure Alert Suppression Rule Created or Modified",
"sha256": "dce40c891055fa59c868c0409223dc95efa62252fab387bc182bf9ad3f30eb55",
"type": "query",
"version": 103
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "ddd5f8f0b1dbde6fb7d9d9802b9190fa54d38d94c423afe4c859794d73da4720",
"type": "query",
"version": 107
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Potential Remote Code Execution via Web Server",
"sha256": "c678c2e4d480d9276b6bc7967e6eb21e4cac673058c59d4b70b8be8b00bbf699",
"type": "eql",
"version": 8
}
},
"rule_name": "Potential Remote Code Execution via Web Server",
"sha256": "3e3a90a47139a3dc0d1c763351373920dee8e161a176b916ccca2e6be16dfed7",
"type": "eql",
"version": 109
},
"f18a474c-3632-427f-bcf5-363c994309ee": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Process Capability Set via setcap Utility",
"sha256": "8104467acd6f82c9b69239d6bebc8750dcce6da3f4f4efbad4a57197063174ba",
"type": "eql",
"version": 2
}
},
"rule_name": "Process Capability Set via setcap Utility",
"sha256": "c7c1780ea2c3381899f8df2aca24d636619832fa7d0cc4a7637a1b519513a2b5",
"type": "eql",
"version": 102
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "53a99b49697dcd944871a7610cafdbf834659d68f5631056a35cc52f1c8e1aab",
"type": "query",
"version": 4
},
"f2015527-7c46-4bb9-80db-051657ddfb69": {
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
"sha256": "684a674daf52a0659d98f70c6854676100390d6c0cc41568e4450ec8568d1115",
"type": "eql",
"version": 3
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Service Path Modification",
"sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599",
"type": "eql",
"version": 5
}
},
"rule_name": "Service Path Modification",
"sha256": "a707712ab1a8884c4ac8dd000630745507c22979577802994c2e9d0ab4b5e091",
"type": "eql",
"version": 105
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "789001d17851c913e16d3c0cc68a245041a71e317aee771f954879787be2e107",
"type": "eql",
"version": 110
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "d34b536f30334984723914ab4d44bef45a48785b1ce33846ea6fa8169f40a9bf",
"type": "eql",
"version": 111
}
},
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "6779913c9f6aa81caa57d89b94072b01b0638454d4faaa9433f37e902cd65b5a",
"type": "eql",
"version": 211
},
"f2c3caa6-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Malicious File - Detected - Elastic Defend",
"sha256": "6e2ffd6be5eec401665da9f328ea418437bc87ae39325fbda96eb3fefbeac4ac",
"type": "query",
"version": 3
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
"sha256": "42cba0422e9398684922e14a9f8bcb52726504673ccd9369a94911561994ab23",
"type": "esql",
"version": 2
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "SIP Provider Modification",
"sha256": "3171aedb786a6c4346ca2d6e875c736ea14d23e12331aeea3c994e5dca963238",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "SIP Provider Modification",
"sha256": "29662765828508b5d2ddf5905237089fde83513f4c34bd44c93f0e27849d77c3",
"type": "eql",
"version": 211
}
},
"rule_name": "SIP Provider Modification",
"sha256": "e0ac3c29d4a3e05055331a8c99eae6dec675fdf4637d6585c80557b3dc879681",
"type": "eql",
"version": 311
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "LSASS Memory Dump Creation",
"sha256": "f8cbd6a379d828f24d80c53ac9f923bccfcf5f6db7532cf8567c55c09446dae2",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "LSASS Memory Dump Creation",
"sha256": "c0268c1e96cb8a7dfec0cb7f803ec42df015cf80a71719b1a544cc4285ed0087",
"type": "eql",
"version": 212
}
},
"rule_name": "LSASS Memory Dump Creation",
"sha256": "accf15ffd7f736c713d38e6f024889430d4031685a6588588249bb092332d720",
"type": "eql",
"version": 312
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"rule_name": "AWS RDS Instance Creation",
"sha256": "3bb082fe7f035d7f0edb310d42459b011a6ecb97c9b46e008e1c1434840e95a9",
"type": "query",
"version": 207
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
"sha256": "3ac6f85158571e7ae9821f8407cf1039e071354f5ae798cd907c077d71b4ef58",
"type": "eql",
"version": 7
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "84a652c9dcb5ab611cd8888bcb7def8d9e6ba1a10712c28017fe35cceb6d07de",
"type": "query",
"version": 6
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "bf322fd08b8f2bfd47228ee56470b9301a500aa181f75f9594d50ed79033e3a5",
"type": "eql",
"version": 111
}
},
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "3ec45777f4c943a7de5082d971bee5996e5cf726ae6f42fc987b77c52f13bf8a",
"type": "eql",
"version": 211
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "ee7bf6773bfbc573d11e5c0660564ca53d3a9b917ec5f64c87a3b7e9d4b86fa7",
"type": "threshold",
"version": 105
},
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
"rule_name": "Suspicious Network Connection via systemd",
"sha256": "9ed35a351e57a72bfce5b7738b0f267bbd83cf55d98a20e89c2437107a1a6c21",
"type": "eql",
"version": 5
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "d523f9e7b0b0a672bde61148eda10896934ae0f610892a879adf5a29cd789057",
"type": "threat_match",
"version": 8
},
"f401a0e3-5eeb-4591-969a-f435488e7d12": {
"min_stack_version": "8.14",
"rule_name": "Remote Desktop File Opened from Suspicious Path",
"sha256": "903fd6d4ce8c22d0a4ed7c11940e77eca417f1bc8b231482bebb4e46f6aad27d",
"type": "eql",
"version": 2
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
"sha256": "997e81e732075c8530c62edcc3e0dbacfdc2a918bb79517ee27cc287a6c74b07",
"type": "eql",
"version": 8
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "d8fa297a02bd05755728ee6202070fef2ebc8f2f5ae3d46617d78034d80e24bd",
"type": "eql",
"version": 109
},
"8.13": {
"max_allowable_version": 307,
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "111139bb2a9a56c179012f91b0e217c614e1527fc3eb2a4b713943763e5a7a40",
"type": "eql",
"version": 209
}
},
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "67cc9ea0dae5af83aac83f80454998408a24eeb1e521ae441963e51278f54b7a",
"type": "eql",
"version": 309
},
"f48ecc44-7d02-437d-9562-b838d2c41987": {
"rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration",
"sha256": "6f77b4339b6982feae60ae38491e22c8bf8931801527efe93368ab2d675017c6",
"type": "eql",
"version": 4
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d",
"type": "query",
"version": 113
}
},
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "98da37735724187372bf1f311df3eb82e1dcc9d8792eb8c6faa5d20cd518c69d",
"type": "query",
"version": 214
},
"f4b857b3-faef-430d-b420-90be48647f00": {
"min_stack_version": "8.13",
"rule_name": "OpenSSL Password Hash Generation",
"sha256": "04b4c9ecf43e0acf3fa6b298371accc63a200e07eb118a4d5edc9430aaca263a",
"type": "eql",
"version": 2
},
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
"sha256": "67cfc341651734d5dc809fca49d66ce14a80f2ba8535da9515f18242adfca0cc",
"type": "esql",
"version": 4
},
"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
"rule_name": "DPKG Package Installed by Unusual Parent Process",
"sha256": "aacfd52ed0aee2049e2ec00c2475153a185d83bbdd407232e9012a142292ac95",
"type": "new_terms",
"version": 3
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
"type": "eql",
"version": 100
},
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "1049a0ba43faccfc6c8219d7fbf5b81cd5c21f97a63be1f334d9b8b883e8d73a",
"type": "eql",
"version": 8
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Windows Script Executing PowerShell",
"sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Windows Script Executing PowerShell",
"sha256": "7d014986e6735e5f5b90c0790e404e69d4e5d64634f6935fb10a34ec72877e05",
"type": "eql",
"version": 212
}
},
"rule_name": "Windows Script Executing PowerShell",
"sha256": "70e912c507ffd352948a3b3477a1ad50a61cbbd2effc94c80291e684c151ed1c",
"type": "eql",
"version": 312
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"rule_name": "SSH Connection Established Inside A Running Container",
"sha256": "9d8c510e4b95da8e5072e5d93be80f049c9f4ed253d40845f7ac67920ddf4158",
"type": "eql",
"version": 3
},
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "1a52a9efcabc5597110829afe735c6831cc9b2e64ed6169e8e81459e8669c83c",
"type": "new_terms",
"version": 9
},
"8.13": {
"max_allowable_version": 207,
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "0002a051fa57648d20e54eaded6c44a1f3bf1c307e7e8ec68200ff562fd22790",
"type": "new_terms",
"version": 109
}
},
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "b913881e92e1a38bf6737390fd81a1138292cbd48aa0fb8c2d3c85957650ad7a",
"type": "new_terms",
"version": 209
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531",
"type": "query",
"version": 7
}
},
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "a6c101a1883de891bb4d57551be80870b4826b128ce142cd1118f3aec69e22da",
"type": "query",
"version": 107
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "WMIC Remote Command",
"sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689",
"type": "eql",
"version": 7
}
},
"rule_name": "WMIC Remote Command",
"sha256": "3bd84cb33875e0103cc886054ecc28efc9a73d479a6af6ebc8457657b6b35189",
"type": "eql",
"version": 107
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "3ae5e32591f980bca7b3064fb9a680b9329a75f4ddc4dc888391659a4c1f654f",
"type": "eql",
"version": 7
}
},
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "e41e3069e64db02d6742f75d9126315cfeee13e18851f97d1260e4fd6b35d76f",
"type": "eql",
"version": 108
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "a3bc6cca188a55aa33021f1b9c7d396bdde78a3350f1c4fabb974a4fcffa5ca4",
"type": "machine_learning",
"version": 8
}
},
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "b133ffedcacb83e511e320e25d6f4afc9f2d638fa12afbe470fab88a6009d07a",
"type": "machine_learning",
"version": 108
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"rule_name": "Masquerading Space After Filename",
"sha256": "05d412610d0acf976c64885d739c2519d44630cc8036b7dba0c8533c92385d15",
"type": "eql",
"version": 8
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"rule_name": "Account or Group Discovery via Built-In Tools",
"sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135",
"type": "eql",
"version": 3
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "b83dd05aaef86c18fe47f7a8bdc6132a6c0d868069edcc7801fff9dcd7d10428",
"type": "eql",
"version": 210
}
},
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "94e0a975da6a20b8e5a7088399f5da7561593424d1eb70d66d5a542963808c79",
"type": "eql",
"version": 311
},
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
"sha256": "aa4abbe944c50eb6c464d33d4880bedbb1778ff5139693b5f95e1f81e54a05d4",
"type": "eql",
"version": 3
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "405bde7c6d0f3ef9dcfc7e1924b27101ba6c8b94fad77b6398bd191d56a95503",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "d3bf5930d646553b64fceb3142ba60e854e52fe3478bad4d52ce0a606395d9ee",
"type": "eql",
"version": 210
}
},
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "81b4cea2ac276f83aaf465ba9217bfeea8d6f63be702f6088801a22b09cb7b77",
"type": "eql",
"version": 311
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "076beef00e93e7c5cea8221f52feed6734107ad9cfb9a62a293d50a066132e1d",
"type": "query",
"version": 107
},
"f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
"sha256": "de4cb537409466e76a7f865cb93e0842a6fc8f04b9402caaa3b8f56928916711",
"type": "new_terms",
"version": 2
},
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
"rule_name": "System Hosts File Access",
"sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571",
"type": "eql",
"version": 3
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"rule_name": "Azure Service Principal Credentials Added",
"sha256": "901f5b0b8cf2e223bd55f2b15863c0285e7df7dbae24b8ae528572bd52df13a6",
"type": "query",
"version": 103
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc",
"type": "query",
"version": 209
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"rule_name": "SSH Authorized Keys File Modified Inside a Container",
"sha256": "dbb02018892869ad01ea50413f348fb8681007ab55495ec2669108a301956156",
"type": "eql",
"version": 4
},
"f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
"rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
"sha256": "135091eba79744ed7a55ef7e0825fb4a5189f443b6940d9f322b755d28b98d0f",
"type": "new_terms",
"version": 2
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "3bb11d5684b0514f8d1a5326d1645b8787ea37ae7731db6df5e7d94945f6ef1c",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "4cbd3242743b94fc54ec1eff6658bdf2a9009dad93fccbc3354272cc5c10196e",
"type": "eql",
"version": 213
}
},
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "0265f205075afb8a44fcc9339b9b8e7819b11ee960a7fcadff4ef19c40407944",
"type": "eql",
"version": 313
},
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
"sha256": "6a6d4fc7401921ef468189f6dbd0c74591dd1d15fcab4c0f5b4033610123be2c",
"type": "new_terms",
"version": 4
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "e36c1fdb2b34568b5431017b6d35a86a116bc34c7b9af52fbfeaf4548233dac3",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "a577211254c57b0fba47713de661ab81bc197366995a8d14d939f8667dde3ffa",
"type": "eql",
"version": 210
}
},
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "fc3a25445b0ecc88878661c840092042b33a21a6b66a2307253219ea04c67913",
"type": "eql",
"version": 310
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "402f5404fef876bbbd2aba0a471857bb32c2a7c711af599817c9834d0db5c2be",
"type": "query",
"version": 107
},
"f86cd31c-5c7e-4481-99d7-6875a3e31309": {
"rule_name": "Printer User (lp) Shell Execution",
"sha256": "12e7c55fee43e3358537c176334e6b7cd84b05d2c67c317c3fd90c4e662fb744",
"type": "eql",
"version": 5
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 311,
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "f2423851bfbeefbfcda2a745c74dc1370032a6f7cfe9efbc981454ee74130559",
"type": "eql",
"version": 212
}
},
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "0514fd1665b1dca73aee98091741b1265ecf43a5d052dae60fc15595c8f553bc",
"type": "eql",
"version": 312
},
"f87e6122-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Malicious File - Prevented - Elastic Defend",
"sha256": "d1c898be638d5096dd716fa069d4f97939ae4f046843453bfc9ed889ab139d89",
"type": "query",
"version": 3
},
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "de3cf59b7dd66998abe201a8eaf36dbba367e448780f8d30c428d89610b5c18f",
"type": "query",
"version": 5
}
},
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "bed1ed023c04637d3664efd5fbb73d3aa0cfea24257dfb18a925fea3d2cbef3f",
"type": "query",
"version": 105
},
"f909075d-afc7-42d7-b399-600b94352fd9": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
"sha256": "e26f15abdf56aa1b61415ba7dc51da814455d36335a30451a9089c7e28074d99",
"type": "eql",
"version": 2
}
},
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
"sha256": "f38f93c88e156a79c010dfad2f862d22927fc7fef7c08ca2dfa59a780b3d8e9b",
"type": "eql",
"version": 102
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737",
"type": "new_terms",
"version": 204
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"rule_name": "Unusual Linux Network Configuration Discovery",
"sha256": "d11d9b7a7104ede9ec52c99b7a22fda51997f927c44ba71a8317a0870bf39b4d",
"type": "machine_learning",
"version": 106
},
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "a65eed2cc5b097a57b4e7baac0a286e05e9272a546e2fa4ef98c84b45efbaccc",
"type": "eql",
"version": 9
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Browser Extension Install",
"sha256": "13264d82b596b30f4a39bca88800139df7d59f7e5714ac3294aecb8adb693f2b",
"type": "eql",
"version": 3
},
"8.13": {
"max_allowable_version": 201,
"rule_name": "Browser Extension Install",
"sha256": "2813c84680c133570b552af8010cab5df5b2cf9ce045b7cb05716d286729bcdf",
"type": "eql",
"version": 103
}
},
"rule_name": "Browser Extension Install",
"sha256": "420b3c2fb3cad25f5312065eb38e2944b8220eac1111dba2dd1088b95141b687",
"type": "eql",
"version": 203
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Privileged Account Brute Force",
"sha256": "a3e155da55738446b14a3519a8631b9d6a3f2a2420e7abea9743574cfa5a699f",
"type": "eql",
"version": 11
}
},
"rule_name": "Privileged Account Brute Force",
"sha256": "d609cef02e743a187baf0068f42fe95b28bef7bee1d26bb067e3d09188bf7281",
"type": "eql",
"version": 111
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.15",
"previous": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47",
"type": "query",
"version": 209
},
"8.14": {
"max_allowable_version": 408,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47",
"type": "query",
"version": 310
}
},
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "9f8a0e0868d43b262c98653adb7bed57c23c2509b0fec88ebeb33b1a92853293",
"type": "query",
"version": 410
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "38cd36c0e10b5e71de73e548f13243d29e06b1bab2ca10c74ae875da1606664d",
"type": "eql",
"version": 113
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "2ec223a448f81f94a8f428864b7dc4f7b173fb01a997740f6f29143c0496219c",
"type": "eql",
"version": 212
}
},
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "4300b10c7504d0440412581634a019e1a6e58f0db412301ee1b20b04516532bf",
"type": "eql",
"version": 313
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "c8d1d95ef6525a3da18e35d890b332565c8b7453a7c89f16c87080264772d9ac",
"type": "eql",
"version": 8
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "ede3e3c7248ecf6e1f840d2bdc7b319a96a0b3eb97e6051872ad5b77a370e616",
"type": "eql",
"version": 9
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "e416bd900c26017a9a2e60990ee7ae09ced3df13618bbbc45b29fb2340de74d1",
"type": "eql",
"version": 11
},
"8.13": {
"max_allowable_version": 312,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "34eeb28ee7412555964397a4969d1d55098b05a4107dd4330ea8ac5dd242d54e",
"type": "eql",
"version": 214
}
},
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "d4eaa3dfb8b078f3a464ad91d4dcd5424f2faf343c977d6dd7df44cc08e87065",
"type": "eql",
"version": 315
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Potential Disabling of AppArmor",
"sha256": "dcc5486dac299e23f474eb39e2b40231213ec061f4460cc66cbd25bc8ea1b927",
"type": "eql",
"version": 8
}
},
"rule_name": "Potential Disabling of AppArmor",
"sha256": "a7096f2d6c73fe27e1f80b1da2c040a60eb8eb8d159f2eb8af2f6bbb2cb3dcc2",
"type": "eql",
"version": 109
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "24ba6424357603cfc73404dbf3312ba7865f04447af416631ded8fec2599f2fd",
"type": "eql",
"version": 105
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Network Connection via Registration Utility",
"sha256": "b4eed2ddeb40f2bbedc702c4789e5748c0f303fb263208a2bdcd2974c12346b5",
"type": "eql",
"version": 109
}
},
"rule_name": "Network Connection via Registration Utility",
"sha256": "c04bf7494ed4c20a8a87bbe9bb3f2876b8e92b7af292dfac1b2d2f847593dcad",
"type": "eql",
"version": 209
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "1b149111089ed10df74c8975a4801b321f429cbc00bddf77eebd2f154d5355e0",
"type": "threshold",
"version": 105
}
},
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "babeac41d262653f7ef7c8bddf78a7573fb7894ae7b8c2c9b3f48fc07ef6452c",
"type": "threshold",
"version": 205
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
"type": "query",
"version": 100
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "7953f99ece9b3629d330947f9c59294d7504c35d5eb9415e8410833f95063b4d",
"type": "query",
"version": 207
},
"fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": {
"rule_name": "Process Started with Executable Stack",
"sha256": "0463c0b25ecbc17c558c90dfd80f29d64776de9fba2451a8768448d09293b378",
"type": "query",
"version": 2
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "59543020be10655d8e81766d6a80fb95792cda6820556f739905cb54943ddbce",
"type": "eql",
"version": 110
},
"8.13": {
"max_allowable_version": 308,
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "80e05f76dd4e8c2e94bdbd3924f85a5877d9ff5a47c410d308b96f7a1d390525",
"type": "eql",
"version": 210
}
},
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "afa60af2586a1e3458855aa64f4d3fbbfe063c3f35b3abc5a840d616f77d9841",
"type": "eql",
"version": 310
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf",
"type": "new_terms",
"version": 104
}
},
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010",
"type": "new_terms",
"version": 204
},
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
"rule_name": "User or Group Creation/Modification",
"sha256": "e492a1d379ef0524d4b531024a7edf8a09e7b8174850fd8fd2d8824d76499df7",
"type": "eql",
"version": 4
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"min_stack_version": "8.13",
"previous": {
"8.12": {
"max_allowable_version": 203,
"rule_name": "GitHub App Deleted",
"sha256": "c0689f3c0e7636572f0800557c0480309dbcf71e0107dc51b0ed362728a0c927",
"type": "eql",
"version": 105
}
},
"rule_name": "GitHub App Deleted",
"sha256": "77d5e70dceb83e72c91dec0a125b56e67e4f66b20ca31374060260c91887c03d",
"type": "eql",
"version": 205
},
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"sha256": "7c1af1a785726996f19edad02af0353a331e9ccd7a6095127460e2ee4da6beb0",
"type": "new_terms",
"version": 3
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
"type": "eql",
"version": 100
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "fb02d9d052a80cb71ebc3d197b2737a8bb72f875dc6f26fcb777715dc8ea8007",
"type": "eql",
"version": 112
},
"8.13": {
"max_allowable_version": 310,
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "003cbead1025ca8c3bb1f33eddf4a98de00f555cb184077b194142cc838263b0",
"type": "eql",
"version": 212
}
},
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "8d5354802a1da8218bdca789c1118dd3c0e75072f015978e3ce65b239357204c",
"type": "eql",
"version": 313
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious CertUtil Commands",
"sha256": "13dd1c7c1c9bea325d7f705da1527335b7e0e12d8f5e7d942ed99c6b9d1a7a5d",
"type": "eql",
"version": 111
},
"8.13": {
"max_allowable_version": 309,
"rule_name": "Suspicious CertUtil Commands",
"sha256": "2ab5b41ea028baf2c8143494762615137f2d9daec219a470c3ac43a8dc70d0d5",
"type": "eql",
"version": 211
}
},
"rule_name": "Suspicious CertUtil Commands",
"sha256": "9e178f0e88993fc08a6e3bf41eaf0502281774f9ebbfe9477e09a20b55e8fc8f",
"type": "eql",
"version": 312
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 317,
"rule_name": "Svchost spawning Cmd",
"sha256": "fd2168d3b0db808329e092b89905660cf80f6a564f9e3218506dfba05e409c61",
"type": "new_terms",
"version": 219
},
"8.13": {
"max_allowable_version": 417,
"rule_name": "Svchost spawning Cmd",
"sha256": "89907452efa6d5a092c9819fec02d0a27a824e7e526e5a031f271cd0a9cce5be",
"type": "new_terms",
"version": 319
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "e648c831b55c6701ce80a615623526f8eb2024dd98dd5a6caaa49692191e85d8",
"type": "new_terms",
"version": 419
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"rule_name": "Image Loaded with Invalid Signature",
"sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d",
"type": "eql",
"version": 2
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"rule_name": "System Binary Moved or Copied",
"sha256": "3f455b9a9fc20d9dca4d989e3236437d2b7c702d96e34fe01c0e21181bd9cc34",
"type": "eql",
"version": 14
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "87b8915f4df4e07283d519a5459b89600a2e9018c07136f10a454968ecec7522",
"type": "query",
"version": 8
}
},
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "21800d17e1a701df364ecf5e4dc921c47a9978bd53f4290052756476349613b3",
"type": "query",
"version": 108
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9",
"type": "query",
"version": 7
}
},
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "8c11dd82f0841066ff7939242c462d6f9ae4ab6375851532b649a5cc2c186c9b",
"type": "query",
"version": 107
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada",
"type": "eql",
"version": 114
},
"8.13": {
"max_allowable_version": 313,
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "7574ee875c1c9a825dfefa55b0b3b243f5cc25a3f4c7b2a4db8e22dd0cd9b2c5",
"type": "eql",
"version": 214
}
},
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "cb03d4fedad0f761b8ee747dbf555bfea74c2931a6f2dd3f82004c0cc1571b65",
"type": "eql",
"version": 314
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "6d71e2f5b064aa990886b9f8855595def2146202b93e657c62c021e3bc852c84",
"type": "eql",
"version": 5
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
"sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87",
"type": "eql",
"version": 2
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329",
"type": "eql",
"version": 108
},
"8.13": {
"max_allowable_version": 307,
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "02f53b9ca7444dd33ade4085a8403f9f14298ad57e5cad93a2ba6bb6c64fd758",
"type": "eql",
"version": 208
}
},
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "99cf8e49260a71f7e543cba491822d4fa747aac63b25532628d89de61e7b5e56",
"type": "eql",
"version": 308
},
"fef62ecf-0260-4b71-848b-a8624b304828": {
"rule_name": "Potential Process Name Stomping with Prctl",
"sha256": "4f8d4f17d7899a44961b0ed15bd61e32234c08c800dddbae9b75aa238bf40541",
"type": "eql",
"version": 2
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "7c706cb36925b68e3326c38052f0bc6a5afdfc8ef02a33dc200e92fae09dbb2f",
"type": "query",
"version": 105
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"rule_name": "Potential DGA Activity",
"sha256": "ef8f045d4a373ebb67741cef329ed0e2b3a356b64978bd6dcad9716fb2f3f592",
"type": "machine_learning",
"version": 6
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"rule_name": "Cron Job Created or Modified",
"sha256": "2bb9047a12faecde8952e7f0bfe8c12187345c8e1016fdd19c1ebcfdb379f298",
"type": "eql",
"version": 15
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
"sha256": "cb20be6b7c6db1a5ba68b0ab829e75e5faad09e13d4ad4db8d1d303a36958a26",
"type": "query",
"version": 3
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",
"sha256": "af8119ce553fafb567f949620657a037808e29169ff198277765c4f54f6aea09",
"type": "eql",
"version": 11
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "fd7869fa1dfb7814d85e599eddf43e2fe64eeff6d58e4bc655b81add4f748fe5",
"type": "query",
"version": 207
},
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
"min_stack_version": "8.14",
"previous": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "142aa8456d0c3151257b8d40bb29b00d7880561940ea1366b6c850725a7fa90b",
"type": "eql",
"version": 2
},
"8.13": {
"max_allowable_version": 200,
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "593b01d8d7d60109ab9ad569f65be57c3c9e8efb4590d58f871e61d7ba6a8cfa",
"type": "eql",
"version": 102
}
},
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "1b182aabc1a25362770238d8e6fbd5d91def7ad420cbd29f0ec914985f603673",
"type": "eql",
"version": 202
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "dbdeafa2e40515c24f4df798e5a2d653973541813b5f25cad1c52cf8e334f69f",
"type": "query",
"version": 105
},
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"min_stack_version": "8.16",
"previous": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "b3468a2a0f4b606f04c16270c18b6b7d2a77491078aa852a13f671f64b328173",
"type": "eql",
"version": 8
}
},
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "5d48f1579b67e658a9ebfd53af34e7acdd767d850d05135ee9de6568e1f9d791",
"type": "eql",
"version": 109
}
}