security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2c3dbfc039ec8d9a0e54ec78bc69f545ef3773b0
sigma-rules/detection_rules/etc/version.lock.json
T
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
2024-05-22 13:51:46 -05:00

10088 lines
362 KiB
JSON
Raw Blame History

{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73",
"type": "query",
"version": 107
}
},
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2",
"type": "query",
"version": 207
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "ac7d08baf88d495e5767d5845ee47e22b500b643e11ca7e806309d30e958a1fc",
"type": "eql",
"version": 112
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.3",
"rule_name": "System Shells via Services",
"sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71",
"type": "eql",
"version": 110
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Suspended User Account Renewed",
"sha256": "cfbc6ffe95e39937d68146e42f932947e2c3c96cc9a42ab296e12bc8c613f5f1",
"type": "query",
"version": 2
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "3801a06e2eb380734652847208adb12ceb5e1bb394da148a047b8a25afe3bc17",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f",
"type": "query",
"version": 206
},
"015cca13-8832-49ac-a01b-a396114809f6": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca",
"type": "query",
"version": 206
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Detected",
"sha256": "931bd95c0fff284b33e383dce3f3fccaf7b0c36b8b6b946b1c39ff5ded2aa8e1",
"type": "threshold",
"version": 5
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"min_stack_version": "8.6",
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf",
"type": "new_terms",
"version": 1
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.3",
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10",
"type": "eql",
"version": 105
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c",
"type": "new_terms",
"version": 1
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"min_stack_version": "8.4",
"rule_name": "Process Created with an Elevated Token",
"sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db",
"type": "eql",
"version": 6
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "8f8844fda927ba3149c7d983e7f7619e33e5745f8b1f389c0e10f3b6ba852e0a",
"type": "eql",
"version": 106
}
},
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac",
"type": "eql",
"version": 208
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"min_stack_version": "8.3",
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "dafd8f85b8e37f96aaabd0405826cb232ac4c2f22571f2878d3a875a0e141da8",
"type": "eql",
"version": 1
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"min_stack_version": "8.3",
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb",
"type": "query",
"version": 106
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "f0f075e54cb17ce304f0d93b12277a29c7b1454d8bec5c05615e31fc6ebee725",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573",
"type": "query",
"version": 206
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "5bb8f568879a496363f640b8866b46e0a39fe4e15005cab6f5af9eb499e3584d",
"type": "threshold",
"version": 109
},
"035a6f21-4092-471d-9cda-9e379f459b1e": {
"min_stack_version": "8.3",
"rule_name": "Potential Memory Seeking Activity",
"sha256": "4fa0b41dabe97414e45d4ae961a4c4fd9c445bca04d51659e7251547e80fe258",
"type": "eql",
"version": 2
},
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Dynamic Linker Discovery via od",
"sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8",
"type": "eql",
"version": 2
},
"03a514d9-500e-443e-b6a9-72718c548f6c": {
"min_stack_version": "8.8",
"rule_name": "SSH Process Launched From Inside A Container",
"sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d",
"type": "eql",
"version": 2
},
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Executed From Host",
"sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4",
"type": "threshold",
"version": 3
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"min_stack_version": "8.3",
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "ceef6d0c728c9575da9bd78da19050dc7e02eaee57eca642272639b91d863494",
"type": "query",
"version": 109
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"min_stack_version": "8.3",
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
"type": "query",
"version": 105
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"min_stack_version": "8.3",
"rule_name": "Azure AD Global Administrator Role Assigned",
"sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9",
"type": "query",
"version": 102
},
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "08eeec4ed1f73497e06767edc13231268e1d647f7b29f0401175d1618d04affa",
"type": "eql",
"version": 110
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through Systemd-udevd",
"sha256": "f62fb7313ec0d7a280a370adae0caf8ba65410a71d6574ade7ab588a95963763",
"type": "new_terms",
"version": 3
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "a85b92effa53537c7a86f7871455c176bc2c48a6928248fa29dcf8a548677730",
"type": "eql",
"version": 110
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.3",
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e",
"type": "eql",
"version": 110
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"min_stack_version": "8.3",
"rule_name": "Tainted Kernel Module Load",
"sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4",
"type": "query",
"version": 4
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"min_stack_version": "8.3",
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754",
"type": "query",
"version": 108
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.3",
"rule_name": "Remote System Discovery Commands",
"sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4",
"type": "eql",
"version": 112
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.3",
"rule_name": "System Time Discovery",
"sha256": "c26f50ed371b312a315bf0bbbc399f65d446218ecd7f63e471538c0e145ea7c9",
"type": "eql",
"version": 7
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Size",
"sha256": "db958e84da3e58cefee53ec77d608ff51199a4e721318451ce091585bb908cc1",
"type": "machine_learning",
"version": 3
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "4e653f97afcad71acd94ddf79e5534455c79986773fc543839900cc60e129d88",
"type": "eql",
"version": 7
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.3",
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c",
"type": "eql",
"version": 110
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.3",
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "4682c4aac80de38bf56894acd47cac808366a9f47329763291361bb23756d3a8",
"type": "eql",
"version": 110
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"min_stack_version": "8.3",
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "092ecb6ac6f1197744e2e114398553fa810674561481b66f9665c3ed95ff0017",
"type": "eql",
"version": 2
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5",
"type": "threshold",
"version": 7
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.3",
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46",
"type": "eql",
"version": 8
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "4ec0b63c545009d7d16d34cd9b95f34edbcf4135f498aa77a805f544b07e6310",
"type": "query",
"version": 5
}
},
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "9df4d9a342110c032419b2564bf6376a9357291ca8b3ead073faf9e5214419e6",
"type": "query",
"version": 106
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Browser Child Process",
"sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be",
"type": "eql",
"version": 107
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"min_stack_version": "8.3",
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
"sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879",
"type": "eql",
"version": 106
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece",
"type": "query",
"version": 106
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Removable Device",
"sha256": "085b5157400c5090fec630066b9c606cb33fa8334b9c49babca8242399a11b91",
"type": "new_terms",
"version": 4
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"min_stack_version": "8.3",
"rule_name": "Windows Account or Group Discovery",
"sha256": "45048599d6d9175e13e297d71afbd3a7d4d80e6d6421abd188c563a5c862bfbb",
"type": "eql",
"version": 4
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
"type": "query",
"version": 100
},
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993",
"type": "eql",
"version": 107
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"min_stack_version": "8.3",
"rule_name": "Process Termination followed by Deletion",
"sha256": "8628999b147b10ff30f618a79c4aee2123744abc0e2bb05cc8c98d11017145ad",
"type": "eql",
"version": 109
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"min_stack_version": "8.3",
"rule_name": "Member Removed From GitHub Organization",
"sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a",
"type": "eql",
"version": 1
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
"type": "eql",
"version": 100
},
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"min_stack_version": "8.3",
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "bdc3b02c0073ad81ac689ad056327c1e74d84408ac65b51b4738e1fc7c3b5d13",
"type": "eql",
"version": 4
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"min_stack_version": "8.3",
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
"sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53",
"type": "query",
"version": 102
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"min_stack_version": "8.3",
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2",
"type": "query",
"version": 103
},
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "75554ce3cf2084385c71f589a49912d97a3565e845b92ef27fa2638bc05ac2ff",
"type": "query",
"version": 4
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
"type": "query",
"version": 6
}
},
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e",
"type": "query",
"version": 106
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.3",
"rule_name": "Anomalous Windows Process Creation",
"sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579",
"type": "machine_learning",
"version": 105
},
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"min_stack_version": "8.3",
"rule_name": "User account exposed to Kerberoasting",
"sha256": "830231e34039027f460477ed025efa9ef0a7efb45b9d97d43080f7d9deceeec3",
"type": "query",
"version": 109
},
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"min_stack_version": "8.3",
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "d23957bdc3e4530971529039105978c60ef34d1dda87b408528c03a1d39da1ca",
"type": "eql",
"version": 5
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"min_stack_version": "8.3",
"rule_name": "Processes with Trailing Spaces",
"sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286",
"type": "eql",
"version": 2
},
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel IP Address Indicator Match",
"sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290",
"type": "threat_match",
"version": 6
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.3",
"rule_name": "Peripheral Device Discovery",
"sha256": "f01eac25f9c7d222bc6e12ea4b86f7b4a06d4b76608183e9be91aaf9671427b7",
"type": "eql",
"version": 109
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"min_stack_version": "8.5",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Threat Intel Indicator Match",
"sha256": "7d0bb73186b47e9fa99ec5b21fe2b862b5cbd6432100901fc476e30bced047a3",
"type": "threat_match",
"version": 105
}
},
"rule_name": "Deprecated - Threat Intel Indicator Match",
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
"type": "threat_match",
"version": 204
},
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
"sha256": "b124621df90ec8e22a42cdf417ec79eeb7daa3d5e543cac43100cdb28f24f252",
"type": "esql",
"version": 1
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "2dfc5642c7eff9f946739bbe4289e5bd8fe6f4374a492ed1fc5215e7b6e721ff",
"type": "query",
"version": 106
}
},
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746",
"type": "query",
"version": 206
},
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"min_stack_version": "8.3",
"rule_name": "Multiple Alerts Involving a User",
"sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252",
"type": "threshold",
"version": 3
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"min_stack_version": "8.3",
"rule_name": "Nping Process Activity",
"sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec",
"type": "eql",
"version": 108
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"min_stack_version": "8.3",
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "e6fecbbaa834a04e699f62857b0e60f7e8c9bb3cb40d033165265ace22ac1cbb",
"type": "eql",
"version": 110
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8",
"type": "new_terms",
"version": 1
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "SharePoint Malware File Upload",
"sha256": "e32858e7a0449a506cfe595eabf2e1e82954cf683de287c05d0bf7295253c579",
"type": "query",
"version": 106
}
},
"rule_name": "SharePoint Malware File Upload",
"sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393",
"type": "query",
"version": 206
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"min_stack_version": "8.3",
"rule_name": "GCP Service Account Key Creation",
"sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b",
"type": "query",
"version": 104
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"min_stack_version": "8.3",
"rule_name": "MsBuild Making Network Connections",
"sha256": "c8013d923873ed418f022b29c77bb4c548a392af89e2a3cd747186d534386880",
"type": "eql",
"version": 109
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "RC Script Creation",
"sha256": "56ff748867dc738357a731cfd37b4ae44c954383780d616e3d9034aed76dd9e1",
"type": "eql",
"version": 6
}
},
"rule_name": "Potential Persistence Through Run Control Detected",
"sha256": "6feb69680930d9a84dce295a56510b4938d7455565609a55b6f340a60f9eee5b",
"type": "new_terms",
"version": 110
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"min_stack_version": "8.3",
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147",
"type": "eql",
"version": 3
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
"type": "query",
"version": 100
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "62abee660a99e58c72f6c4c79047fea8effc510ba10448a766fc3d03d4a36720",
"type": "threshold",
"version": 106
}
},
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735",
"type": "threshold",
"version": 208
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895",
"type": "query",
"version": 106
},
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
"min_stack_version": "8.9",
"rule_name": "AWS IAM Login Profile Added to User",
"sha256": "aa8a7eac601e73065c58f11ee43537d79be77a14b5a766d34772f5b1cc74c2e9",
"type": "query",
"version": 1
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
"type": "eql",
"version": 100
},
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "WebProxy Settings Modification",
"sha256": "6a6fc5b28bc33810532d1d7a900fbf07ff13f612317d5e8518f9b19104567c0a",
"type": "query",
"version": 106
}
},
"rule_name": "WebProxy Settings Modification",
"sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af",
"type": "query",
"version": 206
},
"11013227-0301-4a8c-b150-4db924484475": {
"min_stack_version": "8.3",
"rule_name": "Abnormally Large DNS Response",
"sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721",
"type": "query",
"version": 105
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"min_stack_version": "8.3",
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "47fb83a4f1705416ad0ba2cf6d42e319617bf0e145a68f21652116832e770309",
"type": "eql",
"version": 110
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "94905ad569d414ab1a3c0037dcdb641498c790debb11ceeea8d3354c9b7acd76",
"type": "eql",
"version": 111
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Snapshot Export",
"sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Snapshot Export",
"sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c",
"type": "query",
"version": 206
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
"type": "query",
"version": 100
},
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "049b0cbfdd71a4ec9ecdce8350842eb7d32d60c45681f6342878de029adf212a",
"type": "query",
"version": 11
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.3",
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "c0a79cd64ff9bae3ad1545d8a18809dd34644d93ed177bd5f4586a2bb2cb4dba",
"type": "eql",
"version": 112
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7",
"type": "query",
"version": 206
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
"type": "query",
"version": 100
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "37bda4461229741fa959b9d762f3bf17c0d03378734fbc1a04cbe4563675bea6",
"type": "machine_learning",
"version": 4
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
"type": "query",
"version": 100
},
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Suspicious Lsass Process Access",
"sha256": "c30f6e62697cdaf210db4d6f79d2686bc91e4427ee7bbaea3468482a88373d5c",
"type": "eql",
"version": 5
}
},
"rule_name": "Suspicious Lsass Process Access",
"sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554",
"type": "eql",
"version": 107
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Suspicious Self-Subject Review",
"sha256": "658882e3d31e0988978c24743e8f15fb3423fde5b395cbfc75a641548a291359",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Suspicious Self-Subject Review",
"sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec",
"type": "query",
"version": 203
},
"12cbf709-69e8-4055-94f9-24314385c27e": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "00e261301692eeb8bc7453cbea5c4605ca9c6d2ae38199b35ad83ffd4a9d0c4b",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "e48fb5d94222f67fbea19233c7fea01163d00908c3844df80f9e36d5e87ad7b7",
"type": "query",
"version": 203
},
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"min_stack_version": "8.3",
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a",
"type": "eql",
"version": 3
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "07748a896518875c7361a26af5beac29e29097fd6ec0285208e2e88d7df4a538",
"type": "eql",
"version": 111
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471",
"type": "eql",
"version": 108
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"min_stack_version": "8.3",
"rule_name": "Rare User Logon",
"sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679",
"type": "machine_learning",
"version": 104
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"min_stack_version": "8.3",
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "c119669a028d3ccf727586836356bcd2113986db9358089ed57907330b748a73",
"type": "threshold",
"version": 1
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
"type": "query",
"version": 100
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity",
"sha256": "e4aac0fcc25bbc7121134faf7852704142d562d2c72bf9973c69b0dfd8d6046c",
"type": "eql",
"version": 4
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"min_stack_version": "8.3",
"rule_name": "Azure External Guest User Invitation",
"sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1",
"type": "query",
"version": 102
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"min_stack_version": "8.3",
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214",
"type": "query",
"version": 103
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"min_stack_version": "8.3",
"rule_name": "Office Test Registry Persistence",
"sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2",
"type": "eql",
"version": 3
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "3d39cfe20aef41ad7da949c25c18b33868177276c2c4ee9af234be4282e68392",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9",
"type": "query",
"version": 203
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "d3adc721588e0ae5b24bc4f24e2615b84100397158efd20f6fa50212746fb697",
"type": "eql",
"version": 109
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"min_stack_version": "8.3",
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4",
"type": "eql",
"version": 3
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "6bc3367c8bea5ce3680aa60ee8341e332dc12fe82786393e1b98fa8130a817c4",
"type": "query",
"version": 110
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "f31b60069f41b2547dfb226805c62256ec852c2b5ec5014524230d20ca42a646",
"type": "eql",
"version": 112
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"min_stack_version": "8.3",
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0",
"type": "eql",
"version": 107
},
"160896de-b66f-42cb-8fef-20f53a9006ea": {
"min_stack_version": "8.8",
"rule_name": "Potential Container Escape via Modified release_agent File",
"sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3",
"type": "eql",
"version": 1
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"min_stack_version": "8.3",
"rule_name": "Azure Automation Runbook Created or Modified",
"sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633",
"type": "query",
"version": 102
},
"166727ab-6768-4e26-b80c-948b228ffc06": {
"min_stack_version": "8.3",
"rule_name": "File Creation Time Changed",
"sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c",
"type": "eql",
"version": 5
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"min_stack_version": "8.3",
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d",
"type": "query",
"version": 106
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS IAM Group Creation",
"sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c",
"type": "query",
"version": 105
}
},
"rule_name": "AWS IAM Group Creation",
"sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1",
"type": "query",
"version": 206
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"min_stack_version": "8.3",
"rule_name": "Component Object Model Hijacking",
"sha256": "0895ba08cf37c96cf8d9fa25aa47f21883cbb621246244853ae74168e9818f08",
"type": "eql",
"version": 113
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.3",
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "59d27ffb2150faa1ebe4b4b332f29ed9b1a561166aa568c6b699a55de0aec81f",
"type": "query",
"version": 109
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
"sha256": "277c989e76a6733738b5108d8b11929cb28245277d6e555651e95d9817f2af48",
"type": "esql",
"version": 1
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Username",
"sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120",
"type": "machine_learning",
"version": 104
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Service",
"sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a",
"type": "machine_learning",
"version": 103
},
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Powershell Script",
"sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3",
"type": "machine_learning",
"version": 104
},
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5",
"type": "machine_learning",
"version": 103
},
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Remote User",
"sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9",
"type": "machine_learning",
"version": 103
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Service Created by Previously Unknown Process",
"sha256": "a5967e9202be0f4e0df4d0f82dfd5f067e8bc9eea60585cbc5664b744761966d",
"type": "new_terms",
"version": 9
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.3",
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "23f4030c21a08bb1eb019a328b8fe62aeea2683957f343f0399abdff84347b22",
"type": "eql",
"version": 109
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Destination Domain Name",
"sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8",
"type": "machine_learning",
"version": 103
},
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
"min_stack_version": "8.3",
"rule_name": "GCP Logging Sink Modification",
"sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2",
"type": "query",
"version": 104
},
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
"type": "eql",
"version": 100
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "3e6623fdaad77b45863a2c6f198c7624d4b02fa0f1934011776802944a3348fb",
"type": "machine_learning",
"version": 3
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f",
"type": "eql",
"version": 4
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Rare AWS Error Code",
"sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Rare AWS Error Code",
"sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec",
"type": "machine_learning",
"version": 208
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "fc1329361d122f9fce2eca535c54dd0b8a1fee4f8d33775b225227e2d4084002",
"type": "machine_learning",
"version": 3
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"min_stack_version": "8.8",
"rule_name": "Suspicious Network Tool Launched Inside A Container",
"sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc",
"type": "eql",
"version": 2
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"min_stack_version": "8.3",
"rule_name": "Azure Application Credential Modification",
"sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a",
"type": "query",
"version": 102
},
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"min_stack_version": "8.3",
"rule_name": "Execution of COM object via Xwizard",
"sha256": "069735bb9cd4e472acbdcba371bd44bb50df1f225267d294773ac746e8ecc9e5",
"type": "eql",
"version": 109
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b",
"type": "query",
"version": 209
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.3",
"rule_name": "User Account Creation",
"sha256": "96534addae6874564d720b53fb0d2b7f621702dd58f3fdebb1d3c69a80f55abb",
"type": "eql",
"version": 109
},
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"min_stack_version": "8.4",
"rule_name": "Process Created with a Duplicated Token",
"sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802",
"type": "eql",
"version": 3
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"min_stack_version": "8.3",
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e",
"type": "eql",
"version": 107
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c",
"type": "query",
"version": 105
}
},
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d",
"type": "query",
"version": 206
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"min_stack_version": "8.3",
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516",
"type": "eql",
"version": 11
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Injection from Malicious Document",
"sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1",
"type": "eql",
"version": 2
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 211,
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "bf4b6f557cbd3c0c009d3f0aa39401b563a920b2ed64f0d20ef86c9a95fc5e45",
"type": "query",
"version": 112
}
},
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
"sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7",
"type": "query",
"version": 212
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation in /etc for Persistence",
"sha256": "dde38b44453671943b7ae6cb4d6fef20e85307ac3723a158fe57ee96d8b1f29d",
"type": "eql",
"version": 113
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"min_stack_version": "8.3",
"rule_name": "Azure Kubernetes Rolebindings Created",
"sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce",
"type": "query",
"version": 102
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"min_stack_version": "8.3",
"rule_name": "New GitHub App Installed",
"sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe",
"type": "eql",
"version": 1
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a",
"type": "eql",
"version": 108
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "50473966980c6830aa4b12aa9acafafacf8d3e86b508832e498777b302fd9b54",
"type": "query",
"version": 2
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed",
"type": "eql",
"version": 110
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"min_stack_version": "8.3",
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433",
"type": "eql",
"version": 108
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "56bbf0cae42f67fdd41f149363a1891554948e2dbd182c1e0c9fed1a39f36100",
"type": "query",
"version": 6
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "b09a3222c4eab9324474c30ec5eddb3cd13c0f86e3b9776fc690aa77d8fe9e9d",
"type": "eql",
"version": 109
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"min_stack_version": "8.4",
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "eb4c56089e3f5a64944ea09016b315e24d78a78381989d1d29939502318b82f1",
"type": "eql",
"version": 6
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"min_stack_version": "8.3",
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d",
"type": "eql",
"version": 108
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "d83c19a46e9401aef5cd62ba06786de63e0ea6448479965630475a6b00667731",
"type": "eql",
"version": 3
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
"type": "query",
"version": 6
}
},
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1",
"type": "query",
"version": 107
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"min_stack_version": "8.3",
"rule_name": "Azure Storage Account Key Regenerated",
"sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e",
"type": "query",
"version": 102
},
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
"min_stack_version": "8.3",
"rule_name": "Creation of a DNS-Named Record",
"sha256": "9b97868151d1bdb1c5754a996d30cf988232f389c492b7f9132402adae176f75",
"type": "eql",
"version": 1
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"min_stack_version": "8.3",
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "411958937e7a1d399c000c3ee9bc6e256d0b92a5aea3474e468b84f5991e8bed",
"type": "eql",
"version": 3
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0",
"type": "new_terms",
"version": 1
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"min_stack_version": "8.3",
"rule_name": "Unusual Sudo Activity",
"sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c",
"type": "machine_learning",
"version": 103
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"min_stack_version": "8.3",
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762",
"type": "query",
"version": 8
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "3e850845c9653b3956dd9ccfe15415b8f6399a899dd58c87a592f2ae81b921de",
"type": "eql",
"version": 2
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux User Calling the Metadata Service",
"sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9",
"type": "machine_learning",
"version": 103
},
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "276423364d5b8bf0affee9f5efd056cba314fa27ef1d574a4ebe6f5b4e0e542e",
"type": "eql",
"version": 111
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"min_stack_version": "8.3",
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2",
"type": "query",
"version": 103
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.3",
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "5fd6637d01d25848657a37779415e23778a84ee81a913351ee2bbb54701fe88a",
"type": "eql",
"version": 110
},
"202829f6-0271-4e88-b882-11a655c590d4": {
"min_stack_version": "8.3",
"rule_name": "Executable Masquerading as Kernel Process",
"sha256": "fa7e58294659262a26ba947cc59044854477a5a49edc98f0d6f896d91e1d9f6d",
"type": "eql",
"version": 2
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "a137b8929c8afb05318cec2dac421d5e03d1bba700cb7978151e0429bb7a6e53",
"type": "eql",
"version": 110
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297",
"type": "query",
"version": 206
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Access of Stored Browser Credentials",
"sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563",
"type": "eql",
"version": 107
}
},
"rule_name": "Suspicious Web Browser Sensitive File Access",
"sha256": "adddb3826db0faf4df285ffe2b662f510557180d3576a19d570b65606facbd90",
"type": "eql",
"version": 207
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.3",
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982",
"type": "eql",
"version": 2
},
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"min_stack_version": "8.3",
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "407aa36a170976cc90021ba2e2b10b9d211b7142cb685d4fcdede10a65073287",
"type": "eql",
"version": 110
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
"type": "query",
"version": 100
},
"210d4430-b371-470e-b879-80b7182aa75e": {
"min_stack_version": "8.3",
"rule_name": "Mofcomp Activity",
"sha256": "a7bd50e06e9eecee6eb4de339db9e9e7ffc5b08ce32a9bc2a119b2aa4f2fdf45",
"type": "eql",
"version": 2
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Child",
"sha256": "cda609fdc97eb250f4f9c03ad3abf9c6760ae78ab03cc3f8fad23789f6ca8ade",
"type": "eql",
"version": 2
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
"sha256": "8b83d7d20910ac09b5cd9f7b2e96a38f9b03f38f314ecf1f779637906818161b",
"type": "new_terms",
"version": 3
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"min_stack_version": "8.3",
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "9252233dd00ddb80533d2b70ccda0987fc97cab21f4fe935dcb0806e07dc9354",
"type": "eql",
"version": 7
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "8e07f35dbd0f747e519638ad9464ab2502ac2d84b6db85f092155081cf57f23c",
"type": "query",
"version": 104
}
},
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "093ec92b83608b188904a800b2dc5dc20b93d5e0b11e10e6da27f754f44a18e0",
"type": "new_terms",
"version": 205
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"min_stack_version": "8.3",
"rule_name": "SUNBURST Command and Control Activity",
"sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7",
"type": "eql",
"version": 108
},
"227dc608-e558-43d9-b521-150772250bae": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17",
"type": "query",
"version": 106
}
},
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629",
"type": "query",
"version": 207
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"min_stack_version": "8.3",
"rule_name": "Potential Shell via Web Server",
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
"type": "query",
"version": 105
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"min_stack_version": "8.3",
"rule_name": "GCP Storage Bucket Permissions Modification",
"sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604",
"type": "query",
"version": 104
},
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"min_stack_version": "8.3",
"rule_name": "Kernel Module Load via insmod",
"sha256": "3327b2f3c9c739028f181cd20b7cf3e768c7eae5f4363b478ef982fee21b8eb2",
"type": "eql",
"version": 109
},
"2377946d-0f01-4957-8812-6878985f515d": {
"min_stack_version": "8.9",
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
"sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4",
"type": "eql",
"version": 2
},
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
"min_stack_version": "8.6",
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
"sha256": "b160874aab9501cba7d0344a3fcb2181a25f3d7a5067a23804bc3f8abb705dd1",
"type": "new_terms",
"version": 1
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"min_stack_version": "8.3",
"rule_name": "New GitHub Owner Added",
"sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764",
"type": "eql",
"version": 3
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.3",
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "dcf5239bdf937bd790a721fc5c7fceea3af8c5377ce0b466359a5ebb23a57ed6",
"type": "eql",
"version": 108
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "cbf8a4fc5c8f2ee86365483602e84f800fbd791c3e29fe467f20a6333d47dfc3",
"type": "query",
"version": 1
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5",
"type": "eql",
"version": 4
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"min_stack_version": "8.6",
"rule_name": "Network Activity Detected via Kworker",
"sha256": "6169ab76be1ab1b6d165bc6e91e309957523da07f42cfa74c0b2eabc0fff457b",
"type": "new_terms",
"version": 4
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "44887f3eb626b80c75a0110be4b26d1ce66bf37892a7bab818d90f36023aae1c",
"type": "query",
"version": 1
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "412a8490a6178fe02adf3eb8d88b4b119d8af57a0e8583ca4a61a6504c554ab5",
"type": "eql",
"version": 5
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"min_stack_version": "8.3",
"rule_name": "Azure Blob Container Access Level Modification",
"sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534",
"type": "query",
"version": 102
},
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800",
"type": "eql",
"version": 111
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"min_stack_version": "8.3",
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517",
"type": "eql",
"version": 7
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"min_stack_version": "8.3",
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
"sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7",
"type": "query",
"version": 105
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "ab30e15051fb603800f933ba9b3f6539ac75a662fd2dfcbe66c8f7121c7608a9",
"type": "threshold",
"version": 107
}
},
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "a8e968ab16236593316417aca2763610f442cfa6d00fe3c5a4a453085fc7f633",
"type": "threshold",
"version": 207
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
"type": "query",
"version": 5
}
},
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "a3c97823d3b6940c64c3cd69101e314c8bf84a5c63e6f3ac1358259b034546cd",
"type": "query",
"version": 105
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "b84e6128363d24d3503b13f1a618bc430f08140f5a82611c3c3e4f3a5271d2b5",
"type": "eql",
"version": 4
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "fbfde864c7e1f31e7fcfef374c9517e890a58223969f83a4c15fee6afb623353",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e",
"type": "query",
"version": 206
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"min_stack_version": "8.3",
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b",
"type": "eql",
"version": 109
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Modification",
"sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf",
"type": "query",
"version": 104
},
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "94685626f0a0ed06951084baeb71eae9ec250c07e2ccd46be608e1f1321d5726",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56",
"type": "query",
"version": 206
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.3",
"rule_name": "Account Password Reset Remotely",
"sha256": "b3b4c980cf7d25e52dfb1d1cc53500ac0a87c2b13922dccaf6b9de0b389532e7",
"type": "eql",
"version": 114
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"min_stack_version": "8.13",
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
"sha256": "65f2ba3cdd922a26ebd11dc207df001dc6debc22457618e24e8b3862b80dd36e",
"type": "esql",
"version": 1
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
"type": "eql",
"version": 111
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"min_stack_version": "8.3",
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d",
"type": "query",
"version": 103
},
"28738f9f-7427-4d23-bc69-756708b5f624": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67",
"type": "eql",
"version": 8
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
"type": "eql",
"version": 100
},
"28bc620d-b2f7-4132-b372-f77953881d05": {
"min_stack_version": "8.11",
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
"sha256": "50b88f12b91fe3feb9118bf703666cee8eef3f3a6c36a426e7b43936ed0e50e2",
"type": "eql",
"version": 2
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"min_stack_version": "8.3",
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "70ed05b5053d1ac43542f1f8ffef64b0cfb2cb35c0a94eb8be86882438034320",
"type": "eql",
"version": 5
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"min_stack_version": "8.6",
"rule_name": "Shell Configuration Modification",
"sha256": "1082bfbb3e988caa2fc49527f3dcd4024a4657a591fb5edc4d08e2ba311ca62c",
"type": "new_terms",
"version": 1
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "193c2c66e45942d40a519ed5a0c174f69daf4d7c4057ce0af2cc77baa1e9658c",
"type": "query",
"version": 206
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "f64dc97be4c992f52e4ecf99c9d964a2d99544bea2d8d33d80ba5e96d62d8f80",
"type": "eql",
"version": 112
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.3",
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc",
"type": "eql",
"version": 111
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3",
"type": "eql",
"version": 108
},
"8.6": {
"max_allowable_version": 310,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
"type": "new_terms",
"version": 211
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "69aa12515cb5a6a884d8fcd0056daadf549285264513b506832693885dae1db6",
"type": "new_terms",
"version": 311
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ed5ee5cca37901181403052c73c15575a768c00863a860235c68fae83f550ce1",
"type": "query",
"version": 1
},
"29ef5686-9b93-433e-91b5-683911094698": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
"sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342",
"type": "new_terms",
"version": 1
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux SSH X11 Forwarding",
"sha256": "359e41830e4fd4bfc9775176917b335b3c9188c05a983a056b52e796d20b6fd7",
"type": "eql",
"version": 3
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"min_stack_version": "8.3",
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "8bfe7f061ea6409e5ec8657a58cc81d8fd705e930ef358d31347a1ee67035391",
"type": "eql",
"version": 6
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "bd95cc69164fae41e991e31ae5435c01f2785e2c361dafea62766db0b0f66a10",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "2704808ccae32f5b44395171db755258b7e7a248df4bab32a33cddb2ac181df0",
"type": "query",
"version": 203
},
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"min_stack_version": "8.5",
"rule_name": "ESXI Discovery via Grep",
"sha256": "7f6bc06878f5c089508b21b556ed4a227c059d655b54717af4863db317dd6504",
"type": "eql",
"version": 6
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.3",
"rule_name": "Adobe Hijack Persistence",
"sha256": "8cf9629ff73512110d78ffdd80f59c0e6d033ca48831d47133dee6dd51cb185d",
"type": "eql",
"version": 111
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "df6ed2953eabd8c292df3200fc51dd9222b2c0c3fd5b9174f66efb61a28bcd5b",
"type": "eql",
"version": 110
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "de455f667043e9cf42dd5fe4ac1a588f29bf04c9e5ac3c78bf84f5849ae48494",
"type": "eql",
"version": 109
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Enumeration of Kernel Modules",
"sha256": "b3bad6443210cec62c090d0872efcafedb7565ac5fed882aa46afab6073c4e08",
"type": "eql",
"version": 105
}
},
"rule_name": "Enumeration of Kernel Modules",
"sha256": "4f8354117b7013f27de2b6338d831ecebb494b5dd5dc310f3d36de2e9df3e46e",
"type": "new_terms",
"version": 209
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "9aa09b7a6367bc4d21531ae1e5860ac4f0f89b9a2331c0c63032d8fa85c753e5",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328",
"type": "eql",
"version": 211
},
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
"sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c",
"type": "eql",
"version": 3
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "6aafdc4d1c33f41d82f7a067cce68c407f9cc905aa5f0bcee8e8a3626f89a88e",
"type": "threshold",
"version": 107
}
},
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46",
"type": "threshold",
"version": 207
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"min_stack_version": "8.3",
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "469f29380de3612562dd52d96cf08b2590670a1f0ed5c09882c3caa6420fc78f",
"type": "eql",
"version": 8
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"min_stack_version": "8.3",
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "a23203b35000455d7e15f08f4aa4523ffb4cf37e6277c5ad2afff5dfb75f06d4",
"type": "eql",
"version": 110
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "81ff8ad3429868b3ae4e62b20cdf7861c5912ea5ea56a373eb053a9ba8cafb2d",
"type": "query",
"version": 110
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"min_stack_version": "8.3",
"rule_name": "Accessing Outlook Data Files",
"sha256": "d2e5a15c87b68da8ded83c3f04fd1cc0b2f38a858d9d58825ea43aa5b4d13c9d",
"type": "eql",
"version": 2
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc",
"type": "threshold",
"version": 1
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"min_stack_version": "8.3",
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174",
"type": "query",
"version": 104
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.3",
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "04e25e2a367da2d230efdd2c089caf2310ebc0b4555468d52654ae40cd73624f",
"type": "eql",
"version": 110
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"min_stack_version": "8.3",
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
"type": "query",
"version": 101
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652",
"type": "query",
"version": 110
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "8780262dbf51119a57e1482fdc257e16b74e0e78063f08f70039f0e84bd8e10e",
"type": "eql",
"version": 109
},
"2f95540c-923e-4f57-9dae-de30169c68b9": {
"min_stack_version": "8.3",
"rule_name": "Suspicious /proc/maps Discovery",
"sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93",
"type": "eql",
"version": 2
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"min_stack_version": "8.3",
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813",
"type": "eql",
"version": 109
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.3",
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "c25dfc5c295e5fe0ef6c4bd03401308cc79d8069474d9a66e34a91f53a75d793",
"type": "eql",
"version": 111
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"min_stack_version": "8.9",
"rule_name": "Malicious Remote File Creation",
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Creation",
"sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e",
"type": "query",
"version": 104
},
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"min_stack_version": "8.5",
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea",
"type": "eql",
"version": 8
},
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Network Connection via Sudo Binary",
"sha256": "7c7f71f10f08bbfa8f116046faf6e9487e82a654dc7c8ff4155bbb67fb267058",
"type": "eql",
"version": 2
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"min_stack_version": "8.3",
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "edb96a30a9a4b522b0f24c47e6c9e97132020bca3d111e9f0fb2478062ca5c46",
"type": "query",
"version": 101
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"min_stack_version": "8.3",
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446",
"type": "query",
"version": 104
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.3",
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c",
"type": "eql",
"version": 112
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0",
"type": "query",
"version": 104
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"min_stack_version": "8.6",
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "2037bc6827adab74cd7f5d34cc9724885806f9d8b3ca6aad279ca53096b8b6f6",
"type": "eql",
"version": 1
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"min_stack_version": "8.3",
"rule_name": "Azure Network Watcher Deletion",
"sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a",
"type": "query",
"version": 102
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"min_stack_version": "8.3",
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea",
"type": "query",
"version": 103
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.3",
"rule_name": "Program Files Directory Masquerading",
"sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa",
"type": "eql",
"version": 109
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3",
"type": "eql",
"version": 111
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM User Addition to Group",
"sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d",
"type": "query",
"version": 108
}
},
"rule_name": "AWS IAM User Addition to Group",
"sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46",
"type": "query",
"version": 209
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"min_stack_version": "8.5",
"rule_name": "ESXI Discovery via Find",
"sha256": "65285808d7e3a2abc4e4eafa9288e8e9c5d82f2dc7fd8f2cf160f7c224988f04",
"type": "eql",
"version": 6
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via PowerShell",
"sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976",
"type": "eql",
"version": 110
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"min_stack_version": "8.8",
"rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container",
"sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6",
"type": "eql",
"version": 1
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"min_stack_version": "8.3",
"rule_name": "GitHub Repository Deleted",
"sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
"type": "eql",
"version": 2
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"min_stack_version": "8.3",
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1",
"type": "query",
"version": 104
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"min_stack_version": "8.3",
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934",
"type": "query",
"version": 106
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.3",
"rule_name": "Port Forwarding Rule Addition",
"sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd",
"type": "eql",
"version": 110
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"min_stack_version": "8.9",
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "67a35f156241abf955e83450c9f9e4de70743aa2b982ae6e96fe95b1734847ac",
"type": "machine_learning",
"version": 3
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "1984aac08fb341387ffbc60fed85f41724c02408e79a0837eebfaff0eea168c3",
"type": "eql",
"version": 111
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"min_stack_version": "8.3",
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82",
"type": "machine_learning",
"version": 103
},
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
"type": "eql",
"version": 100
},
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e",
"type": "eql",
"version": 109
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.3",
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "dd157344f60c0f8cdf534de6a25fd8ec70ae6b174250971f224102c56b1ed3d2",
"type": "eql",
"version": 107
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"min_stack_version": "8.9",
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "9fa7888003d814e16febe8363b55e5c5d98fbebc187b1134b988a70bfa227457",
"type": "machine_learning",
"version": 3
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious File Edit",
"sha256": "ad661308418ae98d99acfbe93160fc7b79bd560af7e212b8b2d582ca93665254",
"type": "eql",
"version": 4
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Security Group Creation",
"sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Security Group Creation",
"sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0",
"type": "query",
"version": 206
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"min_stack_version": "8.3",
"rule_name": "Azure Active Directory High Risk Sign-in",
"sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a",
"type": "query",
"version": 105
},
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
"rule_name": "Anomalous Kernel Module Activity",
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
"type": "machine_learning",
"version": 100
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Execution via System Manager",
"sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Execution via System Manager",
"sha256": "5262f35d3a77b7ea661f2c08269986f36b47c9e01836ec71acf45e6f3653b88e",
"type": "query",
"version": 209
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598",
"type": "eql",
"version": 106
}
},
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "858e1ed186fb82e360626319ec5bcc00cd623d9b58317239f8e44049e46d4916",
"type": "eql",
"version": 206
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2",
"type": "query",
"version": 107
}
},
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "6873fd08617e0efde5dccf424aacbfe7057877288810c2ed68293f795964241b",
"type": "query",
"version": 207
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Certutil",
"sha256": "6f47f5ed6240c55d50a34719a69f8cc06e2e1a96b3d7dbf8caed23d34f6fb612",
"type": "eql",
"version": 111
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "5b889bbfa953251d11d08f3f3b13847eb4b5f05777c8cc9d80806943bc1e3d08",
"type": "eql",
"version": 107
}
},
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "3032a13d5103580a7a71c386fb3b0871d65a29e3b195d7c15ef594679579b277",
"type": "eql",
"version": 207
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"min_stack_version": "8.3",
"rule_name": "User Added as Owner for Azure Service Principal",
"sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f",
"type": "query",
"version": 102
},
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "External User Added to Google Workspace Group",
"sha256": "5b576006ba63579d8d410c1b6a505b7129e0e534887b142f08e9778bab82d1a1",
"type": "eql",
"version": 2
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee",
"type": "query",
"version": 206
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"min_stack_version": "8.3",
"rule_name": "Downloaded Shortcut Files",
"sha256": "a78fe7706bba28d2e8916c6285d2aa614ab127534029912e8e9ad9ab133792dc",
"type": "eql",
"version": 2
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3",
"type": "eql",
"version": 107
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.3",
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035",
"type": "eql",
"version": 110
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "b774f07509146c401d27897d918bded4c1725c4bf5e8b457e9a749116e912d1f",
"type": "eql",
"version": 8
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
"type": "query",
"version": 100
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"min_stack_version": "8.3",
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3",
"type": "query",
"version": 104
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"min_stack_version": "8.3",
"rule_name": "Azure Full Network Packet Capture Detected",
"sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d",
"type": "query",
"version": 103
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a",
"type": "new_terms",
"version": 1
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"min_stack_version": "8.3",
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442",
"type": "query",
"version": 103
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f",
"type": "eql",
"version": 110
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.3",
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "9b7f98ccce2835bb0f4a66f0d771402a60aa80c0516f3c461f25258464d92dde",
"type": "eql",
"version": 112
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Port Activity",
"sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9",
"type": "machine_learning",
"version": 103
},
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
"min_stack_version": "8.3",
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "b8cf058fc04d31b542a9af0b67afca6876cd61ca3cbae997f11f1750d0e5c24c",
"type": "eql",
"version": 1
},
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
"type": "query",
"version": 5
}
},
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "afa86911efb5e954ddd5ac66e6ff98a64832328ccdd43ef5c3a5c73ec1172297",
"type": "query",
"version": 105
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262",
"type": "query",
"version": 209
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"min_stack_version": "8.9",
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "e0f94b4cfe4ca344a1904651585a27509c31993709b1767adc5d92d1e020eb62",
"type": "machine_learning",
"version": 3
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "2a6df6ecfdcec0cacd6cd3fbe669354f173ae5e52c45c067290621e97758d904",
"type": "eql",
"version": 6
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"min_stack_version": "8.3",
"rule_name": "Kernel Driver Load",
"sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc",
"type": "eql",
"version": 4
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Emond Child Process",
"sha256": "7d78dc70f6217f921486f43f26839cb0fe33c9dcd5bfc983e0a3117ce260f1db",
"type": "eql",
"version": 106
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684",
"type": "eql",
"version": 3
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "f7be2ac3e9aac82f91122e2416bba98480072d50a299c9fb593ea60bf876b8d8",
"type": "eql",
"version": 110
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "ef3b36cfe9937ac9e94d85f43e7c8d1eb725f6edec2353a6c3df2745f5d06fbb",
"type": "eql",
"version": 107
}
},
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927",
"type": "eql",
"version": 208
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "6f5fb726f163898f2ca5b0b8de75a346cda8451de239adb986ada4f3128b4c67",
"type": "threshold",
"version": 107
}
},
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "3ee6a597bfe462c8b9132d7ca83768025a28634b18c009db462cb0c3bd7bfe39",
"type": "threshold",
"version": 207
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"min_stack_version": "8.3",
"rule_name": "CyberArk Privileged Access Security Error",
"sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a",
"type": "query",
"version": 102
},
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "506ac5257e3fbd5947ce89f51b4a1154eea0e4245f3b8d26f1579ed36d7de792",
"type": "eql",
"version": 5
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d",
"type": "eql",
"version": 110
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"min_stack_version": "8.3",
"rule_name": "Process Discovery via Built-In Applications",
"sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07",
"type": "eql",
"version": 3
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"min_stack_version": "8.9",
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "2d41f9c292e0cfb545738b9fefb92890c35a74f559c525d8882ff69abb589281",
"type": "machine_learning",
"version": 3
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a User",
"sha256": "605a890392cba9a22d8ca7c2285cf0fe0e562dfeccb201126b50540f02b6567b",
"type": "machine_learning",
"version": 4
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"min_stack_version": "8.3",
"rule_name": "GitHub User Blocked From Organization",
"sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6",
"type": "eql",
"version": 1
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.3",
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "ff437c6e2c47619b352ee9e1a2afc7a9efc07196a586924803b1daaf14e3c9d6",
"type": "eql",
"version": 108
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Suspicious Modprobe File Event",
"sha256": "57d346776e2d53dc371be91bf8eee48d1a5551497057024f0cba657e1b22f6d0",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Modprobe File Event",
"sha256": "2a6caaea58f921647c925b776c5a3263205f0e14402adfb96fe9784742822f0c",
"type": "new_terms",
"version": 107
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"min_stack_version": "8.3",
"rule_name": "Unix Socket Connection",
"sha256": "3205e8361a1f086b49b3af871c969ed11481015e0dff4ac8a9a0d72db9843e22",
"type": "eql",
"version": 2
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.3",
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "aa2506ef37c17be2ee06aaebfabb669748b8247f50e0664debb0e789db74ca71",
"type": "eql",
"version": 111
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d",
"type": "new_terms",
"version": 1
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"min_stack_version": "8.3",
"rule_name": "EggShell Backdoor Execution",
"sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb",
"type": "query",
"version": 103
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"min_stack_version": "8.3",
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a",
"type": "query",
"version": 106
},
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
"min_stack_version": "8.10",
"rule_name": "Mount Launched Inside a Privileged Container",
"sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d",
"type": "eql",
"version": 1
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"min_stack_version": "8.8",
"rule_name": "Interactive Exec Command Launched Against A Running Container",
"sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063",
"type": "eql",
"version": 2
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621",
"type": "threshold",
"version": 108
}
},
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "191661b0af8a8c61df4f38e1c05684730daaa2e7211d90119b291ab3658f5ad3",
"type": "threshold",
"version": 208
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.3",
"rule_name": "Process Creation via Secondary Logon",
"sha256": "02389fa2b314a4c1b09a7516f22580f4b91f255f5f87e61cad90039acb6a26b0",
"type": "eql",
"version": 9
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"min_stack_version": "8.3",
"rule_name": "Unusual Login Activity",
"sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c",
"type": "machine_learning",
"version": 103
},
"43303fd4-4839-4e48-b2b2-803ab060758d": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: No User Agent",
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
"type": "query",
"version": 101
},
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"min_stack_version": "8.3",
"rule_name": "Linux User Added to Privileged Group",
"sha256": "3d53c3cf46875865535f808e7c6c2ef22a6d516d653fd23e37c8faaf4d477438",
"type": "eql",
"version": 6
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"min_stack_version": "8.3",
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "83d79f7e35b069d84ce239901a6f3aaabd224e0494355f02c61e2650de4099c6",
"type": "eql",
"version": 110
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Path Activity",
"sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e",
"type": "machine_learning",
"version": 104
},
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "d9597f07d834346b49d0ec5d44b690415e313ac8d159ee72e5fa8335fd7e85fb",
"type": "eql",
"version": 3
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.3",
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "24ee5dd513d2411aadcf6700b279d44bb0d803d6514f3d920e7071076e34d242",
"type": "eql",
"version": 10
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "Route53 Resolver Query Log Configuration Deleted",
"sha256": "98d3f47b38a2e490eb32fe435fb1a3cdc74636dabc5fe7a97b731551b87ec8cd",
"type": "query",
"version": 1
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"min_stack_version": "8.3",
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a",
"type": "query",
"version": 103
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"min_stack_version": "8.3",
"rule_name": "Windows Event Logs Cleared",
"sha256": "fc09cce15ed08c912228c02d8c8a913febbcfde1263a2410a281a5b780cbc1bd",
"type": "query",
"version": 108
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.3",
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "b3b214a87a2d7efdda2a6e79454b84fdbae8dbfdb3834d1b51bdc0524f4e0b41",
"type": "eql",
"version": 111
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.3",
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "f28a8d21784231d74baa3c2c1bc50c52047b904b90baf5f454eff45f52d1ca07",
"type": "eql",
"version": 111
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"min_stack_version": "8.3",
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "532a6ef376ad303e213a6c18952dbfd541118f748ed30402beff2be0870e927f",
"type": "eql",
"version": 109
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For a Linux Host",
"sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782",
"type": "machine_learning",
"version": 104
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through init.d Detected",
"sha256": "cd769b23546bc7c66a492fb80d7c336f31823e527982f3185a9ad7b4c3686ee1",
"type": "new_terms",
"version": 9
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"min_stack_version": "8.8",
"rule_name": "Sensitive Files Compression Inside A Container",
"sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939",
"type": "eql",
"version": 2
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "78feac62454588684cd56fc409cf666bba314b8537b67f5c8c1ee01afada874f",
"type": "eql",
"version": 110
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
"type": "query",
"version": 100
},
"47f76567-d58a-4fed-b32b-21f571e28910": {
"min_stack_version": "8.3",
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a",
"type": "eql",
"version": 106
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "daa833de111fdd82adf05f6795ee87754f8dd5a0631fdc3857995779eeb0743e",
"type": "eql",
"version": 109
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"min_stack_version": "8.8",
"previous": {
"8.6": {
"max_allowable_version": 104,
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "fadad966a91f932ed17c91f28dccd142d23d55cd4ae7ea7c57bdd1571b0c95ea",
"type": "new_terms",
"version": 5
}
},
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "25daf6eb0539fcc0694b22088a27dd0f67fcba06669cc69450e34b994cc642ea",
"type": "new_terms",
"version": 105
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell",
"sha256": "d2d12619cc88da5d442a1f223e4ccf1cdb06d037c5ab3440a7814cb9d6b11736",
"type": "eql",
"version": 8
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "9ab25d365ce5c55e8b3447548326215241c5e3e269772cfda3d53460a796bd70",
"type": "eql",
"version": 9
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"min_stack_version": "8.3",
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312",
"type": "eql",
"version": 107
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6",
"type": "query",
"version": 106
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"min_stack_version": "8.3",
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc",
"type": "eql",
"version": 3
},
"493834ca-f861-414c-8602-150d5505b777": {
"min_stack_version": "8.3",
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0",
"type": "threshold",
"version": 101
},
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "13db3c2d1fc38751e03a07125ee9720d077032ecc780b0474951dcffa438ece8",
"type": "eql",
"version": 6
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "e61b1bbcf81ae0a39c5740592307709fdd354ac9c7ca1cff724f403f2683e67e",
"type": "query",
"version": 5
}
},
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "458d45e2d4ec3ad54e104516c1bf827f241392740f457d0b358ed439cea466f4",
"type": "query",
"version": 106
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"min_stack_version": "8.6",
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
"type": "eql",
"version": 3
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"min_stack_version": "8.3",
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "3760e37b4f14a48147ffb42a0e6ac8615c7a41564dcffc483719244adf4aac52",
"type": "eql",
"version": 4
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"min_stack_version": "8.3",
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "42113dd49a2b2df45e90301ac64feac172a5fe2d5ae21baddb22e62943b28082",
"type": "query",
"version": 105
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"min_stack_version": "8.3",
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea",
"type": "eql",
"version": 5
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"min_stack_version": "8.3",
"rule_name": "Potential Cross Site Scripting (XSS)",
"sha256": "0ddba68a65a560e542542a531d9b0222a706b62e38442f5afb342b989f8d70fa",
"type": "eql",
"version": 1
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"min_stack_version": "8.3",
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
"type": "eql",
"version": 6
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "b071ea55c3cd817e5aec99970cd493053e2b94783f1aafb56e89004674a69b22",
"type": "eql",
"version": 110
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"min_stack_version": "8.8",
"rule_name": "Container Workload Protection",
"sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24",
"type": "query",
"version": 4
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"min_stack_version": "8.3",
"rule_name": "ProxyChains Activity",
"sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3",
"type": "eql",
"version": 4
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "3659127431f2145c49922aa110bbe7be12f4776825ee1a24f2409945b3f414f0",
"type": "machine_learning",
"version": 3
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45",
"type": "eql",
"version": 109
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1",
"type": "query",
"version": 9
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"min_stack_version": "8.3",
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "8cdb4afadd73272dc07ee9b31b8a8f1e2ab6d9ba07e75a228d827eb5cedf236e",
"type": "eql",
"version": 6
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "09c72f469d0aca040785500480c6c4086070ace209803e2f0b4f1d79de394a3f",
"type": "threshold",
"version": 106
}
},
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1",
"type": "threshold",
"version": 207
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba",
"type": "query",
"version": 106
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.3",
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "8bf850df70b51fc76b714e18cd7a173376cb3f8b205d59d19bf4656ff704fada",
"type": "eql",
"version": 112
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.3",
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "8ed9b11012b3ceb54e839102d8ba6f90c8bc6f8e9c7d2069f8c01d504d8b13ce",
"type": "eql",
"version": 10
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Spawned from MOTD Detected",
"sha256": "5c74f520f2356f579a86fc666a87af41bd62c8e52f1edc1521b9f7bd58b3f461",
"type": "eql",
"version": 8
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.3",
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "46dc5171e6385fc71511dfe5c62bbfb3d211317614112565e2dbd8a177803a7b",
"type": "eql",
"version": 111
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Script Object Execution",
"sha256": "604ff31b37bb88ec61794d51e66317597ae32e1b24ffcd6bc110afddaf9259ed",
"type": "eql",
"version": 107
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8",
"type": "query",
"version": 106
}
},
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "6cf84f243e86183b9bc2efdc39aa92f7573c421593ce71f1ce90dd87daf5b2dd",
"type": "query",
"version": 206
},
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"min_stack_version": "8.13",
"rule_name": "Unusual High Confidence Misconduct Blocks Detected",
"sha256": "809afd6116ccf0d6766b68605bfab88cb8d1b2c472a38b8dff1b7cf128110b94",
"type": "esql",
"version": 1
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.3",
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "7e36c4f41ffd47e55fb0504fb3dee66108c384d0a06ec60f2c6de1e2b5d702ef",
"type": "eql",
"version": 109
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "9f8682da0707ca62f5537007eb440a25605c097964d7acb1ab228c8c773845ca",
"type": "threshold",
"version": 2
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.3",
"rule_name": "Windows System Information Discovery",
"sha256": "e7f81d69a9300bde47134faf67e74e663bf52d62682494acfafebc8afa114273",
"type": "eql",
"version": 4
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"min_stack_version": "8.3",
"rule_name": "Hidden Files and Directories via Hidden Flag",
"sha256": "997601d0253b1c3fc65712c6e0e2784ffba03a5f7b3926a5cf5e183aea3006d7",
"type": "eql",
"version": 2
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1",
"type": "eql",
"version": 108
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "a5c1852e0f0b5d54d522bc9d34146368b3966050fdbb0b514ad8a5c883a865c3",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87",
"type": "query",
"version": 206
},
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
"min_stack_version": "8.3",
"rule_name": "GCP Logging Sink Deletion",
"sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827",
"type": "query",
"version": 104
},
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
"min_stack_version": "8.3",
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
"sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa",
"type": "query",
"version": 2
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a",
"type": "eql",
"version": 108
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325",
"type": "eql",
"version": 7
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6",
"type": "query",
"version": 105
}
},
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce",
"type": "query",
"version": 206
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"min_stack_version": "8.3",
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "1bda048bcd9c1bf57b4b123d710a6c78eb505e8a06f8d13ced365be3a3abfa5d",
"type": "eql",
"version": 112
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"min_stack_version": "8.3",
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
"sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7",
"type": "eql",
"version": 1
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b",
"type": "eql",
"version": 109
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Activity",
"sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7",
"type": "machine_learning",
"version": 103
},
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
"rule_name": "Unusual Linux Web Activity",
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
"type": "machine_learning",
"version": 100
},
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
"rule_name": "Unusual Linux Network Service",
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
"type": "machine_learning",
"version": 100
},
"530178da-92ea-43ce-94c2-8877a826783d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious CronTab Creation or Modification",
"sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab",
"type": "eql",
"version": 106
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.6",
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "f88c3c6d45fbe0bb6e1869423ab9e7667f5019abcead82c85039f1775a2b37ca",
"type": "new_terms",
"version": 8
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990",
"type": "query",
"version": 206
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"min_stack_version": "8.3",
"rule_name": "Azure Diagnostic Settings Deletion",
"sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2",
"type": "query",
"version": 102
},
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"min_stack_version": "8.10",
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "ff6da7f331dcfa0385d733fe7af34367b7a5772236336e8196677506dc53fa02",
"type": "query",
"version": 4
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "e67568b9c981e928c8780997ad8a1ad3532c6816c7ba4e0eaf9b8b18c5f3923b",
"type": "eql",
"version": 110
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.3",
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "5932e2f55f6f1e70ca53785865b24d7c502633270fe5df05d898167c0c36ab43",
"type": "eql",
"version": 3
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.3",
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "62ae21bef70ecd1965d7f2e666f067077780c120bcbef93083911dea04b33b17",
"type": "eql",
"version": 107
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 107,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
"type": "query",
"version": 8
}
},
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74",
"type": "query",
"version": 108
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.3",
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "c432bc081898b9f4cbbf9aca1bfde2c778015db0534e78dddccc213f25c9ed59",
"type": "eql",
"version": 109
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.3",
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "522f9edf21b4768c2f43e0e448fb38e2603d76177730b764dd66e50b145aa56c",
"type": "query",
"version": 108
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.3",
"rule_name": "PsExec Network Connection",
"sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66",
"type": "eql",
"version": 109
},
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
"min_stack_version": "8.3",
"rule_name": "Windows Installer with Suspicious Properties",
"sha256": "ef9f5b3f0202dcd4e752c19f9ee8c807b55c72c653b8e1fa0399b2a0408c8753",
"type": "eql",
"version": 1
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "60181e72437ae398200e9082d83f05217fb1a24754604f6147a583f83048b853",
"type": "machine_learning",
"version": 4
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "19f2524462a1935f7bd77fa31385a7dbf59740b36cd1da2d0ac2166624973870",
"type": "eql",
"version": 1
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.3",
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "aac24b839c4f5e1399effca0ee9a8800cd8ceebd4467a9a2785fab8cf4ae6576",
"type": "query",
"version": 104
},
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential Admin Group Account Addition",
"sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4",
"type": "query",
"version": 106
}
},
"rule_name": "Potential Admin Group Account Addition",
"sha256": "1e416a23a57946cd76fb3a0d31a22ba04b7d13ed78b7ea1c9beb9728961216f9",
"type": "query",
"version": 206
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"min_stack_version": "8.3",
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb",
"type": "eql",
"version": 107
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"min_stack_version": "8.3",
"rule_name": "GCP Logging Bucket Deletion",
"sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a",
"type": "query",
"version": 104
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 209,
"rule_name": "PowerShell PSReflect Script",
"sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell PSReflect Script",
"sha256": "feeee2403f399c6d729c001a0178272237732cb46fe4d292f1b595d7910f782b",
"type": "query",
"version": 210
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 101,
"rule_name": "Execution of an Unsigned Service",
"sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc",
"type": "eql",
"version": 2
}
},
"rule_name": "Execution of an Unsigned Service",
"sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9",
"type": "new_terms",
"version": 105
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"min_stack_version": "8.3",
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06",
"type": "query",
"version": 104
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"min_stack_version": "8.3",
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234",
"type": "query",
"version": 103
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"min_stack_version": "8.3",
"rule_name": "Azure Virtual Network Device Modified or Deleted",
"sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762",
"type": "query",
"version": 102
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"min_stack_version": "8.3",
"rule_name": "PowerShell MiniDump Script",
"sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b",
"type": "query",
"version": 108
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"min_stack_version": "8.3",
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "8529bac526d51a184db69b13d9f15bf676bc2b0c6152f40ae73019f4dc20c408",
"type": "eql",
"version": 3
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.3",
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "abc7e66357468013a69f39627f5e9976245ba741d55515881174e59942bf5edc",
"type": "eql",
"version": 111
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.3",
"rule_name": "RDP Enabled via Registry",
"sha256": "509028755d9bbaaabe41c984eebff548de67f107f346e42b1b4ee27cd12d5fdb",
"type": "eql",
"version": 111
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"min_stack_version": "8.3",
"rule_name": "Zoom Meeting with no Passcode",
"sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff",
"type": "query",
"version": 103
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"min_stack_version": "8.3",
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "09b2312a59b33f13a4be41c88d7b5a3177bc1c158c0fa3c8118d4f33d7ccfe08",
"type": "eql",
"version": 108
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13",
"type": "eql",
"version": 111
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"min_stack_version": "8.3",
"rule_name": "File or Directory Deletion Command",
"sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a",
"type": "eql",
"version": 3
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "6f1117902fd841998a715673511a3831fe99e7a953113854fd094e8aaf57d935",
"type": "query",
"version": 106
}
},
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef",
"type": "query",
"version": 206
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "AWS CloudTrail Log Created",
"sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26",
"type": "query",
"version": 106
}
},
"rule_name": "AWS CloudTrail Log Created",
"sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7",
"type": "query",
"version": 207
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux User Discovery Activity",
"sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225",
"type": "machine_learning",
"version": 104
},
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4",
"type": "eql",
"version": 109
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Java",
"sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1",
"type": "eql",
"version": 8
},
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
"min_stack_version": "8.3",
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc",
"type": "eql",
"version": 2
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"min_stack_version": "8.3",
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058",
"type": "query",
"version": 106
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"min_stack_version": "8.3",
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30",
"type": "eql",
"version": 109
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"min_stack_version": "8.3",
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2",
"type": "query",
"version": 108
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"min_stack_version": "8.3",
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "9374dc2038bb7999021a8e926287cd2cda2bd1abfa06f2f01d0af8be01679b40",
"type": "eql",
"version": 5
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"min_stack_version": "8.3",
"rule_name": "Suspicious which Enumeration",
"sha256": "ffbcf6b936ee4ef4c9b312ca9bb5da9d942f9a8680301b5f0debf394ad42c5fa",
"type": "eql",
"version": 5
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "bd50fb4c4b5ec6a4ebd52c50a505e5dc1fe75637d51ad57a0f0e79dff682aea5",
"type": "eql",
"version": 4
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "2e72ae9c5ca64669617999cec691b8f282cbf159464363b5d821bdddd4edd5d3",
"type": "eql",
"version": 108
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98",
"type": "query",
"version": 105
}
},
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0",
"type": "query",
"version": 206
},
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
"min_stack_version": "8.11",
"rule_name": "Process Capability Enumeration",
"sha256": "05b761407363be97b58f3300673822b50467a2bde6e9040bed06c9132d77729a",
"type": "eql",
"version": 2
},
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0",
"type": "query",
"version": 1
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.4",
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "efaf2b94fb44203864342cbbad263757cf61dfe7c9be647fe038694e810170f4",
"type": "new_terms",
"version": 10
},
"5c81fc9d-1eae-437f-ba07-268472967013": {
"min_stack_version": "8.3",
"rule_name": "Segfault Detected",
"sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8",
"type": "query",
"version": 1
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"min_stack_version": "8.6",
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "eba0d9a274b902396a98f70bf3464b3faba30514532b52d48f11de4f46572076",
"type": "eql",
"version": 6
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Process Discovery Activity",
"sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380",
"type": "machine_learning",
"version": 103
},
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"min_stack_version": "8.3",
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4",
"type": "eql",
"version": 7
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.3",
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "63aa403181709c3d123a628bdd843aacbbc3fff0eca0f17fccf30788068d58ef",
"type": "eql",
"version": 108
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"min_stack_version": "8.3",
"rule_name": "User Added to Privileged Group",
"sha256": "b33d6cc34a4b101cc79bc0c7f84cb361bcd02e5318b2295a57ebf4505ef0824d",
"type": "eql",
"version": 109
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.3",
"rule_name": "Persistence via PowerShell profile",
"sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60",
"type": "eql",
"version": 9
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8",
"type": "eql",
"version": 107
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "4051d22fd7d1721a31073f7a8b1173bdced88d11e883da07bafb67030c11d4fd",
"type": "eql",
"version": 108
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906",
"type": "eql",
"version": 106
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "ddbea6e8e6fead49ee6b7eb17b83de0996fdabfef882164c7f04a134f1438293",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "90ed7cc03c1d2f50cb22cde81cefe5234690d44b19be19c4b0029735fa3e4f3a",
"type": "query",
"version": 106
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "4e4a262b9c4e5ab8a6ad524df85e1f6b13bdcae8c45ccea1db5bb31e2acd028f",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838",
"type": "query",
"version": 206
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"rule_name": "Potential PrintNightmare File Modification",
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
"type": "eql",
"version": 100
},
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
"min_stack_version": "8.13",
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
"sha256": "929a9ca39ab9fb396533d10f723899fbaf9225968c94ae0f32e20a189d2c7827",
"type": "esql",
"version": 1
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"min_stack_version": "8.3",
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "30c24a512438771d6de13cf9fbc3b909d451f6017b033ea015c1a99fc779f8b5",
"type": "eql",
"version": 1
},
"60884af6-f553-4a6c-af13-300047455491": {
"min_stack_version": "8.3",
"rule_name": "Azure Command Execution on Virtual Machine",
"sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12",
"type": "query",
"version": 102
},
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
"min_stack_version": "8.3",
"rule_name": "Azure Service Principal Addition",
"sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2",
"type": "query",
"version": 105
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "0886a8d4f32a069d4f64c2559bfc5d527f4a2d24045aab00ae97f1de9ad9efb7",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9",
"type": "query",
"version": 206
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Network Connection",
"sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c",
"type": "eql",
"version": 108
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"min_stack_version": "8.3",
"rule_name": "New User Added To GitHub Organization",
"sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8",
"type": "eql",
"version": 1
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"min_stack_version": "8.3",
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "371c92a53ff6fe2812871b685def6102afb58b89c536d718eb67344227d117d2",
"type": "eql",
"version": 3
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 212,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
"type": "query",
"version": 113
}
},
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "8a06a6df25f7cd9d46fb890b91a35822e95e9ae636069608964018f12fa37d41",
"type": "query",
"version": 213
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
"type": "query",
"version": 100
},
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"min_stack_version": "8.3",
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "596066dff727c29d10294ff6d205113bf4bc37e185127d4586a4a53eb1ed9cb0",
"type": "eql",
"version": 110
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "061bd86219770d199904efabae4bb62bbc5897cdef6b8d1e517cae8670d3398e",
"type": "threshold",
"version": 1
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e",
"type": "eql",
"version": 107
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.3",
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "bff6971b2108d22178fe7e1ba59610ea438646b4c81a203c7c85e90f0b42b640",
"type": "query",
"version": 108
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"min_stack_version": "8.3",
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
"sha256": "cda94f2b58b70076662143a46548455aa8e987cf042b4b051776a276aa0c495f",
"type": "eql",
"version": 4
},
"63c05204-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab",
"type": "query",
"version": 6
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Denied Service Account Request",
"sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86",
"type": "query",
"version": 5
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Anonymous Request Authorized",
"sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd",
"type": "query",
"version": 6
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Signed Binary",
"sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49",
"type": "eql",
"version": 108
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"min_stack_version": "8.3",
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096",
"type": "machine_learning",
"version": 104
},
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"min_stack_version": "8.3",
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012",
"type": "query",
"version": 106
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "602b297ae58effa807f0bca106916c4f1902c7fa8f5c62bfd282b5b65de72f7b",
"type": "eql",
"version": 5
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
"type": "eql",
"version": 100
},
"65f9bccd-510b-40df-8263-334f03174fed": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "c6cf6184bd1e4f3add0ac786022ed97b13163f8ef7278c905b94bcea8447509f",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e",
"type": "query",
"version": 203
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4",
"type": "eql",
"version": 107
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Termination of ESXI Process",
"sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2",
"type": "eql",
"version": 6
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"min_stack_version": "8.3",
"rule_name": "WebServer Access Logs Deleted",
"sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977",
"type": "eql",
"version": 105
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a",
"type": "eql",
"version": 7
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "fd8374f717cf2af735052c2e6070cf34a2f345ffc0817d3633deedef52e54e18",
"type": "eql",
"version": 113
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"min_stack_version": "8.3",
"rule_name": "Linux Process Hooking via GDB",
"sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d",
"type": "eql",
"version": 3
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489",
"type": "eql",
"version": 106
}
},
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "e420ac04ef84bb4a8ad93985e785758ffd16b4e0b44d969bc6f749df31add04b",
"type": "eql",
"version": 206
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.3",
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "9a207172558146d200bc0297376b645cc44023db1b7a8202a16c432936fad1ab",
"type": "query",
"version": 9
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "0f0e1ba88bbda85d60bb8fc96bda554db238881ea16937d0f0fa5414a15e6ede",
"type": "query",
"version": 206
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "cac04714049b7a004fe00585d8cc3e351f442896feb07e367f5e3406853f595d",
"type": "query",
"version": 106
}
},
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb",
"type": "query",
"version": 206
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "e8e7b2e174c70d5a4a851a47b90138516f2a3c440e275c037a6f1334759c87de",
"type": "query",
"version": 206
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
"type": "query",
"version": 100
},
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"min_stack_version": "8.3",
"rule_name": "High Number of Process Terminations",
"sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3",
"type": "threshold",
"version": 112
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
"type": "eql",
"version": 100
},
"6839c821-011d-43bd-bd5b-acff00257226": {
"min_stack_version": "8.3",
"rule_name": "Image File Execution Options Injection",
"sha256": "413e961dc4797bf3701be20c749258009705733592d081c9b030aed6a7b8e75c",
"type": "eql",
"version": 107
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "New or Modified Federation Domain",
"sha256": "c12b7d94ddd9ac7a54891cd86831775b8622d2c0681fcaf612e2842bed646cf6",
"type": "query",
"version": 106
}
},
"rule_name": "New or Modified Federation Domain",
"sha256": "0fad0589541a8950f5f88b2a261cb0045389b6c80956518f1a66aad4d72394a8",
"type": "query",
"version": 206
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21",
"type": "query",
"version": 105
}
},
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "8d04de56ef8b8f97264ebf4f9614963e43b9106d543823fdccbce9b59a0011d8",
"type": "query",
"version": 205
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.3",
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "ca27a9f60eec10c769a8b530ccb040f0a6c4218b6af386a6daa5e6ffb6ca381f",
"type": "eql",
"version": 110
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "a8a7d4e956c4cd2733f3d5e26871a367b937a0944420b3eaaca82370b8246a55",
"type": "query",
"version": 105
}
},
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "6efdcc0936767be2538639bc2b7dfc028b4f7d02b590bbfac757314fcec9ce2a",
"type": "query",
"version": 206
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "9e2d92b09b248d78181d6b8283ed595c2560ea046d17365515a8e57f6cb1679c",
"type": "eql",
"version": 107
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399",
"type": "query",
"version": 209
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "307219345f44551ce020e8edcdc4a77f54cae4a0431f6fdd2dd7b9553c93519d",
"type": "eql",
"version": 1
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459",
"type": "eql",
"version": 109
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd",
"type": "query",
"version": 5
}
},
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e",
"type": "query",
"version": 106
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"min_stack_version": "8.5",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "32f01788e2000cbf97dfe76446aa173db05e8a73eac467ec634aec29072ba7e8",
"type": "threat_match",
"version": 105
}
},
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
"type": "threat_match",
"version": 204
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"min_stack_version": "8.3",
"rule_name": "Modification of Boot Configuration",
"sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525",
"type": "eql",
"version": 109
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17",
"type": "query",
"version": 105
}
},
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df",
"type": "query",
"version": 206
},
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
"min_stack_version": "8.9",
"rule_name": "EC2 AMI Shared with Another Account",
"sha256": "269a6ce9b13aedfce015a85a679e1a55ebf3974fdd7cb9b3c9f84411ed85cafc",
"type": "query",
"version": 1
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.3",
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d",
"type": "eql",
"version": 110
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.3",
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f",
"type": "eql",
"version": 111
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2",
"type": "eql",
"version": 7
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Sensitive Files Compression",
"sha256": "271c0de47099ee8a5e049d68bf4d49801b884b81f673df03edceab970daebe19",
"type": "query",
"version": 106
}
},
"rule_name": "Sensitive Files Compression",
"sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50",
"type": "new_terms",
"version": 208
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"min_stack_version": "8.3",
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "4a3308713c74898d9a52d894105c3a41556786008f169b725436c4dbc018ee99",
"type": "eql",
"version": 107
},
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
"min_stack_version": "8.8",
"rule_name": "Container Management Utility Run Inside A Container",
"sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d",
"type": "eql",
"version": 2
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca",
"type": "eql",
"version": 108
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"min_stack_version": "8.3",
"rule_name": "GitHub Repo Created",
"sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09",
"type": "eql",
"version": 1
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For a Windows Host",
"sha256": "f65a12afc06498c72c6fe35834ef48f2c6cee057748963b300cae83e7a411f78",
"type": "machine_learning",
"version": 107
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"min_stack_version": "8.6",
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
"sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0",
"type": "eql",
"version": 4
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "296e88e08cfeb38dd5bfe7c3719ed7ce80f41022b51190abddbedacc66220afa",
"type": "new_terms",
"version": 5
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.3",
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd",
"type": "machine_learning",
"version": 105
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"min_stack_version": "8.3",
"rule_name": "AdminSDHolder Backdoor",
"sha256": "53f33d98ecca40d46328a7ff7593743ac0f62aefad6854a203355d59f240ece1",
"type": "query",
"version": 106
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "6b4e00cd0749f89148010473d62893477290a0438ab07894e38b445ce10c7b3e",
"type": "eql",
"version": 107
}
},
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd",
"type": "eql",
"version": 207
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.3",
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "f66c92e627ba4aabff1fb546ee38cbdf15e88ad11a4e5fc9059ba9be41db31f3",
"type": "eql",
"version": 108
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery using WMIC",
"sha256": "191d08e949cb9f57e2853a307b82f336896da072f4dea0054f301ee50bebfd89",
"type": "eql",
"version": 111
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
"type": "query",
"version": 100
},
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8",
"type": "eql",
"version": 7
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
"type": "query",
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "4a61b8effbf32d622b658833f4b222d18ac656a1cddd5bf60629bebf6292ec7f",
"type": "new_terms",
"version": 1
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Role Modified",
"sha256": "8917dd169608ea491ef3f4c15d53b08aa6747b200e3b62a4bc22da3afb71fc9a",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Role Modified",
"sha256": "cc27c5d907038ca85c5d0c991e541013163f6fccc0bf95c84ac0b4ed62175081",
"type": "query",
"version": 205
},
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
"rule_name": "Linux Restricted Shell Breakout via the find command",
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
"type": "eql",
"version": 100
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "f23d0872d802001bbc030b70a5f6be00760eb331e2c1ea06a5e57d15d2e336c9",
"type": "query",
"version": 209
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Config Resource Deletion",
"sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Config Resource Deletion",
"sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f",
"type": "query",
"version": 209
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "2b0a113e37d67649e6f11b5bf035ca1a3a6649ad4996a27b1e788651ae11b846",
"type": "eql",
"version": 2
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "db796cbae0d063b4f1a54079e8f00e82b333a78701059a9a9962630dd48cc857",
"type": "eql",
"version": 108
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47",
"type": "query",
"version": 106
},
"7164081a-3930-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
"sha256": "86bf8bc61640a49c610c81cef5cb6bd417d85a5160637971eb56c908af7a3bec",
"type": "query",
"version": 4
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "dc67793718c16d2d90d8be38bf310b0ce87c25f4e9c56a66f7a231b80d9922f0",
"type": "query",
"version": 107
}
},
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40",
"type": "new_terms",
"version": 209
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "a3fdba9254d6e0decace5b3bbe34f7365bdb09fb0ab62ce49b0058dc63af0cbc",
"type": "eql",
"version": 114
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.3",
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "e9a9062beb0713d366bd638f7cf733c19ec8aed20b8603b3b0d460618a78aaa2",
"type": "eql",
"version": 109
},
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Passwd File Event Action",
"sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2",
"type": "eql",
"version": 3
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "065cd0cc51b5457baa9bc37901045907810e07d074eef16982399654fae10302",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f",
"type": "query",
"version": 206
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "a26dbdf7534708e6c75311dac75a165cbb21ce2fedc44bffa5ebd8437ffe6354",
"type": "query",
"version": 206
},
"72d33577-f155-457d-aad3-379f9b750c97": {
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
"type": "eql",
"version": 100
},
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9",
"type": "new_terms",
"version": 2
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"min_stack_version": "8.3",
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578",
"type": "eql",
"version": 1
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"min_stack_version": "8.3",
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "65d25ee5fe0482453ec857754eb6d2d3273c48bcef76cea6d9c3843f555d19eb",
"type": "eql",
"version": 111
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Modification of Environment Variable via Launchctl",
"sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb",
"type": "query",
"version": 106
}
},
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
"sha256": "b170681fb44115e54ae79d975287efafd1d43ef7e8ee33af103b33ab76025f0e",
"type": "query",
"version": 206
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"min_stack_version": "8.3",
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c",
"type": "machine_learning",
"version": 104
},
"746edc4c-c54c-49c6-97a1-651223819448": {
"min_stack_version": "8.3",
"rule_name": "Unusual DNS Activity",
"sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577",
"type": "machine_learning",
"version": 103
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Suspicious Sysctl File Event",
"sha256": "dc62f12237c63e7f170343cc5fcf2587a078f5af5e823d46e6545f8b11a01b90",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Sysctl File Event",
"sha256": "a98b507603e191d5d7b9018614f89020e94baf48aa9ab69666128517e8a282c8",
"type": "new_terms",
"version": 107
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"min_stack_version": "8.3",
"rule_name": "Service Disabled via Registry Modification",
"sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a",
"type": "eql",
"version": 3
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
"sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961",
"type": "query",
"version": 102
},
"76152ca1-71d0-4003-9e37-0983e12832da": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
"sha256": "6dfec898ca5b57352a078ff6ea65a0452985eeac88bb6ca491399544d57be902",
"type": "query",
"version": 103
},
"764c8437-a581-4537-8060-1fdb0e92c92d": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "88a76082a0b05f8b848047174d1517f7746506e91ed2bb2d203255a52f38a8e2",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "beed3f7f4d2a86f155bd96e2903ded43fe8eb75d27f85650778e44bdf7e50982",
"type": "query",
"version": 203
},
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"min_stack_version": "8.3",
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "1ae31d3cb536669955d44bdf92b5c53dfd9868ad3ff5813fe8acee8502eecc41",
"type": "eql",
"version": 10
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa",
"type": "eql",
"version": 110
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb",
"type": "eql",
"version": 106
},
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953",
"type": "eql",
"version": 9
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33",
"type": "eql",
"version": 110
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.3",
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "8ad7865bb2ea255f74f4010cbc3df77b3480c3878500abf1c5ebf0b7c924a7cf",
"type": "eql",
"version": 111
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"min_stack_version": "8.3",
"rule_name": "User Added as Owner for Azure Application",
"sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26",
"type": "query",
"version": 102
},
"7787362c-90ff-4b1a-b313-8808b1020e64": {
"min_stack_version": "8.6",
"rule_name": "UID Elevation from Previously Unknown Executable",
"sha256": "2b60afa9037795b630f1d33a76fcd68f49f3c1ccf9b0da8445765575a2508534",
"type": "new_terms",
"version": 2
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"min_stack_version": "8.3",
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d",
"type": "query",
"version": 104
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Sweep Detected",
"sha256": "a076fa96b47fb15ed66e6f90750fdc91ac7f7cf9e496f47150eba1253dcbc6db",
"type": "threshold",
"version": 5
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "7fa64b656ada94baa0a8d76c00231f99bfd63f0925722bdfeb6528ff90cdef76",
"type": "query",
"version": 104
}
},
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6",
"type": "query",
"version": 205
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"min_stack_version": "8.3",
"rule_name": "Azure Privilege Identity Management Role Modified",
"sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e",
"type": "query",
"version": 105
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Spike in AWS Error Messages",
"sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Spike in AWS Error Messages",
"sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2",
"type": "machine_learning",
"version": 208
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"min_stack_version": "8.3",
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0",
"type": "eql",
"version": 1
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "fc6be263784c700668a9eb4f67231f1786f1750bc929af29d6655989375915c0",
"type": "eql",
"version": 1
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "693613eaf1e2584a9bc56d598ff28225091c888aa886521384faf26f2cc43a45",
"type": "eql",
"version": 6
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"min_stack_version": "8.3",
"rule_name": "File Compressed or Archived into Common Format",
"sha256": "75b814ddab9122b2dde8034d1daadc9731ff977dce815207b7565aad49cda555",
"type": "eql",
"version": 4
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"min_stack_version": "8.3",
"rule_name": "Azure Key Vault Modified",
"sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87",
"type": "query",
"version": 103
},
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "a613c9495f4b8b1cd51df4eac684c578f26aceaa65e6d20faa875e280f3a0912",
"type": "eql",
"version": 4
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.3",
"rule_name": "Potential File Transfer via Certreq",
"sha256": "45f8eda9995222bc895d40fc9bab8fea41954def40702271c8a6b7af7bd09eef",
"type": "eql",
"version": 8
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.3",
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "696545e871e59971a9c77d60fb7f5cb25cbbec8a62cdf6fd167b9ec939efa675",
"type": "query",
"version": 108
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
"type": "query",
"version": 100
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2",
"type": "eql",
"version": 5
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"min_stack_version": "8.3",
"rule_name": "Potential Execution via XZBackdoor",
"sha256": "3b5e1d6fe931166937ac8b2540f9f001897d52336750147eef0f13925a5f0c39",
"type": "eql",
"version": 1
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
"type": "eql",
"version": 100
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4",
"type": "query",
"version": 105
}
},
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4",
"type": "query",
"version": 206
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"min_stack_version": "8.3",
"rule_name": "Windows Network Enumeration",
"sha256": "76d42ebe68f574a31fb590b3d96321d2e8d048306a8159b2f0b36be83255e855",
"type": "eql",
"version": 111
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "cfb5125f0705e215f8dc00f7a38fe7454cf24077181b6b9c70068c7e46fbadb6",
"type": "eql",
"version": 106
}
},
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1",
"type": "eql",
"version": 208
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"min_stack_version": "8.3",
"rule_name": "Tampering of Shell Command-Line History",
"sha256": "106aa939e4c87db6570ee327ed6ca3e7f889aca17a71e09044b0b8dc3bed815c",
"type": "eql",
"version": 105
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "b7f72377e6e5c62220a4932b83c0343a304f9e32c6f8df1a2320f97dc666d857",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "d876e552704f399012a35ef8ccd37653e6278d558e9904d895f023110f987c55",
"type": "query",
"version": 106
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"min_stack_version": "8.3",
"rule_name": "GCP Service Account Creation",
"sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c",
"type": "query",
"version": 104
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
"type": "query",
"version": 100
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Kworker UID Elevation",
"sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a",
"type": "eql",
"version": 2
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2",
"type": "eql",
"version": 109
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 100,
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66",
"type": "eql",
"version": 1
}
},
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee",
"type": "new_terms",
"version": 102
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Timer Created",
"sha256": "c5bf7a856bf289f0687f5916c01098906650541047b786e7a120cd6ec3fbb948",
"type": "new_terms",
"version": 9
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "e8cbeafae45cf6592034b68de6f2166705890d49c7a6e5821b387dfa6c535dc9",
"type": "eql",
"version": 4
}
},
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "a673dd1c8988721179c42b0b788a1b229fce05298dfe5664b54ca535750e4587",
"type": "new_terms",
"version": 106
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process Extension",
"sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a",
"type": "eql",
"version": 4
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "237bea63ac52782481baf16b92d59c08e0e799105d378bec92197c4ad8fad8b4",
"type": "eql",
"version": 2
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Unusual City For an AWS Command",
"sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual City For an AWS Command",
"sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199",
"type": "machine_learning",
"version": 208
},
"80c52164-c82a-402c-9964-852533d58be1": {
"min_stack_version": "8.3",
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be",
"type": "query",
"version": 103
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Extension",
"sha256": "e5eeb038f9aa39433fcea8c9410b24a6a1337512da397d2818fc96f5698f767b",
"type": "machine_learning",
"version": 3
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "93f0d3a27ec93093c91f59d6a1bcd1a34b1f007ff0304b857a730c1c6c35f186",
"type": "eql",
"version": 109
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
"type": "query",
"version": 100
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 210,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
"type": "query",
"version": 111
}
},
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "da93c9757e2bcf7faed59270b7d6ee09006cacaab0f5d201d13e988814868cf4",
"type": "query",
"version": 211
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.3",
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "b9eb095355ecc02a827ca56e41a3ccd5fd5fff3c57c2f1a1e16e0f32082bcd46",
"type": "eql",
"version": 7
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.11",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a",
"type": "eql",
"version": 107
}
},
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "e0f594ae73315999d039f6afdb74b17b186b2daeab2d37cf12f364225219128a",
"type": "eql",
"version": 207
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "7951c32071a4f27cf235f88d6d4af14655a24aca293681878a970dc3e3973c1f",
"type": "eql",
"version": 6
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"min_stack_version": "8.3",
"rule_name": "Azure Kubernetes Pods Deleted",
"sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9",
"type": "query",
"version": 102
},
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
"type": "eql",
"version": 100
},
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "1814e77d691d41da88a1ba4c922ef445c031e653b86b5dd166f99cba587157f1",
"type": "eql",
"version": 7
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
"sha256": "ca0cdbc0af36d4bf4a78a1a5f82fca391580b9507566dd67dd281c61cd510c7a",
"type": "new_terms",
"version": 2
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412",
"type": "query",
"version": 5
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"min_stack_version": "8.3",
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759",
"type": "eql",
"version": 3
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "7a9ce57d7b2a5c723facc456a26c549cb5acacc09fe4844360c1af34366c0744",
"type": "eql",
"version": 110
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32",
"type": "eql",
"version": 111
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "8fb4c5a6040d9edf0a32b6e6fd809d366eea096495438e323e148d684c871404",
"type": "new_terms",
"version": 210
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006",
"type": "query",
"version": 206
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9",
"type": "query",
"version": 206
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS IAM Group Deletion",
"sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6",
"type": "query",
"version": 105
}
},
"rule_name": "AWS IAM Group Deletion",
"sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781",
"type": "query",
"version": 206
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
"sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
"type": "eql",
"version": 1
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"min_stack_version": "8.3",
"rule_name": "Security Software Discovery via Grep",
"sha256": "de3ae123fbc7d0cb0596b3c5cc6467fdf51f545053665c4f5afdeb758983bc76",
"type": "eql",
"version": 109
},
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "6a87be3b93e4a75c3dbfeba82b7aaa420dd43f042ec1bc9641d5649f8f6850b5",
"type": "eql",
"version": 112
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339",
"type": "query",
"version": 206
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
"type": "query",
"version": 100
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"min_stack_version": "8.6",
"rule_name": "Potential Suspicious Clipboard Activity Detected",
"sha256": "0177e89bdd890b3651f0d3bc7bb08aa7a71cc97d95e6f965d2131a132599a839",
"type": "new_terms",
"version": 4
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "bb6703bc49a5b12297b62e2aa1b7a9e5f01ce6108eabbd1d541ec655dd35ac50",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66",
"type": "query",
"version": 206
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"min_stack_version": "8.3",
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "e1e70345125002f7b837c9c87a54b449497d0b8a5d4f32f30e24b28185445925",
"type": "eql",
"version": 107
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Potential Sudo Hijacking Detected",
"sha256": "28eba13edb2d9454c08d86938d6bf41ed614c2c32879ec8719cd571c0c9cbef5",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential Sudo Hijacking Detected",
"sha256": "3d49290bdfa2269196ce840768887b0c20588d07f406eef1f33e10c6117246e0",
"type": "new_terms",
"version": 105
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443",
"type": "eql",
"version": 108
},
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
"rule_name": "Linux Restricted Shell Breakout via the vi command",
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
"type": "eql",
"version": 100
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50",
"type": "eql",
"version": 110
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.3",
"rule_name": "Command Prompt Network Connection",
"sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271",
"type": "eql",
"version": 108
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"min_stack_version": "8.3",
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b",
"type": "query",
"version": 106
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "6041852ef2da176bb02a69879e30441c9842802e2b5e06678aaca5653322cf32",
"type": "eql",
"version": 5
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "9b0a2839f4cf78cbec03a3af5cacad652fcad5f72e5e9f06e2c3324a6014727c",
"type": "eql",
"version": 3
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"min_stack_version": "8.3",
"rule_name": "GitHub PAT Access Revoked",
"sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4",
"type": "eql",
"version": 1
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"min_stack_version": "8.3",
"rule_name": "Setuid / Setgid Bit Set via chmod",
"sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5",
"type": "query",
"version": 103
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3",
"type": "eql",
"version": 108
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "42864ccbb8e48936452a309318951454ac5820199a0b5e62be20a53c6846eb2b",
"type": "query",
"version": 206
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Suspicious JAVA Child Process",
"sha256": "c0f26a306606e4329dc19352d7f927e70467ccc86747f18345aefcf194110e16",
"type": "eql",
"version": 105
}
},
"rule_name": "Suspicious JAVA Child Process",
"sha256": "c73d3fa21849f702bf7a08d4182ce1e62bbf2096eef54418fd5faf94e042da75",
"type": "new_terms",
"version": 208
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140",
"type": "eql",
"version": 4
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "8.3",
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298",
"type": "eql",
"version": 108
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"min_stack_version": "8.3",
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "78eb240c8eeeb4d9df8d9454ba4f91306bbffcdf8b395c3a62c87009f89504de",
"type": "eql",
"version": 109
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"min_stack_version": "8.3",
"rule_name": "Azure Kubernetes Events Deleted",
"sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9",
"type": "query",
"version": 102
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"min_stack_version": "8.3",
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b",
"type": "query",
"version": 103
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "a6ecf9a561d41bac0bb75fbf33f868dc71ed4fc5e07f914780fd73c29dcdb1ba",
"type": "eql",
"version": 110
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"min_stack_version": "8.3",
"rule_name": "Potential SharpRDP Behavior",
"sha256": "133e1acd35b1b06ce036bf672f04203863a4f2e1c535cc722321f198d71bffda",
"type": "eql",
"version": 106
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"min_stack_version": "8.3",
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2",
"type": "query",
"version": 103
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"min_stack_version": "8.3",
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483",
"type": "eql",
"version": 11
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"min_stack_version": "8.3",
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0",
"type": "eql",
"version": 3
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"min_stack_version": "8.8",
"rule_name": "Suspicious Interactive Shell Spawned From Inside A Container",
"sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e",
"type": "eql",
"version": 2
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698",
"type": "eql",
"version": 108
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"min_stack_version": "8.3",
"rule_name": "Azure Automation Runbook Deleted",
"sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c",
"type": "query",
"version": 102
},
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
"min_stack_version": "8.3",
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
"sha256": "e724d32f7d8923ac1608a48ba78404bda59c6db4b1475a392ad766f4e0853459",
"type": "eql",
"version": 3
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"min_stack_version": "8.3",
"rule_name": "Bitsadmin Activity",
"sha256": "39ca4c3ed7500f428501bf32d7b5361c687e94b712b9d7742406bb4c804bb53b",
"type": "eql",
"version": 2
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"min_stack_version": "8.3",
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "60451d80b47ef91bfe8095934b32b4899ae705a33e3df155894a58dc67c97ce6",
"type": "eql",
"version": 1
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"min_stack_version": "8.3",
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "bb44b0120653077a52d8fbfb935aa73998db23fe25b3c188024f3a96b09b8e4c",
"type": "eql",
"version": 106
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68",
"type": "eql",
"version": 107
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"min_stack_version": "8.3",
"rule_name": "GCP Service Account Deletion",
"sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb",
"type": "query",
"version": 104
},
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
"type": "eql",
"version": 100
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"min_stack_version": "8.3",
"rule_name": "Hping Process Activity",
"sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c",
"type": "eql",
"version": 108
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241",
"type": "query",
"version": 206
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"min_stack_version": "8.3",
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3",
"type": "eql",
"version": 108
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.3",
"rule_name": "InstallUtil Activity",
"sha256": "b3e654521bd77a07433f951786a8b37f3f4bb9ef9459f8cbfd080af927ebf5f9",
"type": "eql",
"version": 2
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
"type": "query",
"version": 100
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"min_stack_version": "8.3",
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79",
"type": "query",
"version": 104
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c",
"type": "query",
"version": 105
}
},
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1",
"type": "query",
"version": 206
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"min_stack_version": "8.3",
"rule_name": "Unusual Web User Agent",
"sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347",
"type": "machine_learning",
"version": 103
},
"91f02f01-969f-4167-8f55-07827ac3acc9": {
"min_stack_version": "8.3",
"rule_name": "Unusual Web Request",
"sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1",
"type": "machine_learning",
"version": 103
},
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
"min_stack_version": "8.3",
"rule_name": "DNS Tunneling",
"sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea",
"type": "machine_learning",
"version": 103
},
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
"min_stack_version": "8.3",
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9",
"type": "threshold",
"version": 1
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 107,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
"type": "query",
"version": 8
}
},
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f",
"type": "query",
"version": 108
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was created",
"sha256": "d54ac464d0549dec4468d4706dfce032e2e8bed176f5ece56f3c6430378aff76",
"type": "eql",
"version": 8
},
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"min_stack_version": "8.3",
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "1985305e54165a73be2bdfd8d6de615ed21edde213a17f11911f0a25cdd28c0c",
"type": "eql",
"version": 3
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
"sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860",
"type": "query",
"version": 206
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Sudoers File Modification",
"sha256": "61b18d5eee007e352b11ee5d0b8cd560ef127b7ca4a6704381e1b1f0bfe6e1ef",
"type": "query",
"version": 103
}
},
"rule_name": "Sudoers File Modification",
"sha256": "f4d948d4c06ecb8fae9ce5be98bc19d8200ccb0e271913c4b2c41c01a45233b2",
"type": "new_terms",
"version": 204
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3",
"type": "query",
"version": 108
}
},
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6",
"type": "query",
"version": 209
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.3",
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606",
"type": "eql",
"version": 110
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.3",
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851",
"type": "eql",
"version": 107
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "723578f77b081beb3b8a8da703208e1279aa15eba410de837d67b390c4334bbe",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "cab219f6e8b4ccaf91b7f6190f1d098c08ddc5b898d2e1566965ba6039a72657",
"type": "query",
"version": 205
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "db86c17797a8d52db5ea04999393ce5c37395cc6a46b34ec1cd0da3f02d0435f",
"type": "query",
"version": 104
}
},
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30",
"type": "new_terms",
"version": 204
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"min_stack_version": "8.3",
"rule_name": "Creation of Kernel Module",
"sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533",
"type": "eql",
"version": 3
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "31677cdb4cb00d90106a66e1b086ad61ada306117acf7b0af9e17d13a96b91f0",
"type": "eql",
"version": 8
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "0c7bcbc73caec8df64f6e5d9c2430357baaef7371ef1f47b25b5f5bd7f6edf7f",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1",
"type": "query",
"version": 106
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"min_stack_version": "8.3",
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "7675d578e4dd24bc57bd2bbf670bfc9415f87ba8a2f3ddf8e8a7c00d3641d5f6",
"type": "query",
"version": 1
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.3",
"rule_name": "Remote Scheduled Task Creation",
"sha256": "efc5bf9425039882bd50862795a48859ffe194bee570ae43e2268a9fbea9fe80",
"type": "eql",
"version": 108
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c",
"type": "query",
"version": 108
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"min_stack_version": "8.8",
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9",
"type": "eql",
"version": 2
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"min_stack_version": "8.3",
"rule_name": "File made Immutable by Chattr",
"sha256": "c2d2cfe2f74f7c4a8901ab56d95245ba900ce8e18c828bf0a2ad894b6260731e",
"type": "eql",
"version": 111
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353",
"type": "query",
"version": 105
}
},
"rule_name": "Attempt to Create Okta API Token",
"sha256": "00e7844e7b50556df54dd1a80585ef3b0d6e18949813883d66e9467cd40a90f9",
"type": "query",
"version": 205
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
"sha256": "bc9916d1a1cd785c77d6f24073b3b607cdcefc196480e1f09e5e734866ac7fb1",
"type": "new_terms",
"version": 9
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "2860753d4532b37b174d6b8e3e1314b0a7a0b3f54b74a7899205e53bacbae0de",
"type": "eql",
"version": 107
}
},
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63",
"type": "eql",
"version": 207
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.3",
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "a3cff32c0bdbd78533b034070c4a270116087312c08ff8511d9bfd520be44f36",
"type": "eql",
"version": 7
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "5e3900d8aa0de4868a0980ccd44983433b4f857bddf099cf73275a57e5145c8f",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6",
"type": "query",
"version": 206
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"min_stack_version": "8.3",
"rule_name": "GCP Storage Bucket Configuration Modification",
"sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6",
"type": "query",
"version": 104
},
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
"min_stack_version": "8.10",
"rule_name": "File System Debugger Launched Inside a Privileged Container",
"sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9",
"type": "eql",
"version": 1
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS SAML Activity",
"sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d",
"type": "query",
"version": 105
}
},
"rule_name": "AWS SAML Activity",
"sha256": "37af41b152c5085758547bee67d9f0387f5f07fcba690c925338905f100cc43d",
"type": "query",
"version": 206
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
"sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4",
"type": "eql",
"version": 107
}
},
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "b5fcc4e747c548c7f941007c4c619f12ac40c55649e2cb4c8fdf0cba578433ed",
"type": "eql",
"version": 209
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Zoom Child Process",
"sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976",
"type": "eql",
"version": 110
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
"type": "eql",
"version": 100
},
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39",
"type": "eql",
"version": 6
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
"type": "query",
"version": 100
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"min_stack_version": "8.3",
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "361fc9bece9212d2816e83198a13e6951dc8e63c878162f552778218c8711684",
"type": "eql",
"version": 111
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "bca34a9cc93d913e9dd7b38378787f84bffb714c7a1ff0e76fe33c0b81cce627",
"type": "eql",
"version": 3
},
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"min_stack_version": "8.3",
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "1a205cf65c5d3958f5a75ef9944f9e7c7f8edc9dce54de95c5cc236303ed1416",
"type": "eql",
"version": 2
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"min_stack_version": "8.3",
"rule_name": "GCP IAM Service Account Key Deletion",
"sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff",
"type": "query",
"version": 104
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "a8d4e67d87194878313ca642bb0cfef0c9fc3750c6cf26a8b74eeac52d8a0c9e",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c",
"type": "query",
"version": 206
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e",
"type": "query",
"version": 108
}
},
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1",
"type": "query",
"version": 209
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"min_stack_version": "8.3",
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa",
"type": "query",
"version": 103
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"min_stack_version": "8.3",
"rule_name": "MacOS Installer Package Spawns Network Event",
"sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584",
"type": "eql",
"version": 107
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "482926261657f74d6e44dd1fcdcd25df11184139e079a28e9558d172a94bc94f",
"type": "eql",
"version": 4
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "51227a6967396d84ff70c0b13a8a92fe16f45b0f6824b1cafb1b648ea5d5fddd",
"type": "eql",
"version": 106
}
},
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "2a6ab34b2777b1c0c5811839d0fb72b2778f887ef1ff8f877e8c2a1d8158a292",
"type": "eql",
"version": 209
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"min_stack_version": "8.3",
"rule_name": "Spike in Failed Logon Events",
"sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f",
"type": "machine_learning",
"version": 104
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"min_stack_version": "8.3",
"rule_name": "Endpoint Security",
"sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d",
"type": "query",
"version": 103
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"min_stack_version": "8.3",
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "6c6b0a4cca70f6f55c5b73ca65607b2b546521f99bef8c3eeec5a873a4cebdcf",
"type": "eql",
"version": 2
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "956ccfb72b0b0545eedcac7869c1de45bcdc05490d5bf7c07da51f94442f4cf8",
"type": "eql",
"version": 6
},
"8.4": {
"max_allowable_version": 207,
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "25484718086d5b02486408a92befb4c3f5ad9114ca059168686f84ada6efb1c0",
"type": "new_terms",
"version": 108
}
},
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "6d3b04cf53c9662f1a011b9b8d0b412aa1fb0f3bfe1771f6a1807b4bf76c1780",
"type": "new_terms",
"version": 208
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Explorer Child Process",
"sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7",
"type": "eql",
"version": 109
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.3",
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "70c14e4efec28255020d7227acf60ade921f89c6f4f6f20df7eefe9f083993ce",
"type": "eql",
"version": 109
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.3",
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c",
"type": "eql",
"version": 3
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "36be7f5bc34d95f4e0db0866f200db91e20c57104c47535e70c0579f42c47d7c",
"type": "eql",
"version": 111
},
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
"min_stack_version": "8.11",
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
"sha256": "09a5921aebc2dd2ccaa3c5f1ec3555fe6b3c42684ded88c5f19af5361d9b7bee",
"type": "eql",
"version": 2
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.3",
"rule_name": "Hosts File Modified",
"sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2",
"type": "eql",
"version": 108
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "0f64c28a181949a1efa09b4f30225af7c831dc379510fde5484cb91ebbe9059e",
"type": "eql",
"version": 8
},
"9c951837-7d13-4b0c-be7a-f346623c8795": {
"min_stack_version": "8.3",
"rule_name": "Potential Enumeration via Active Directory Web Service",
"sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1",
"type": "eql",
"version": 2
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.3",
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057",
"type": "eql",
"version": 110
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "4ca64be8b81634872abafdfb31ec9ad8ac4825ceb19369bc47a5f59f0cd15968",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
"type": "query",
"version": 104
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
"rule_name": "Trusted Developer Application Usage",
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
"type": "query",
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2",
"type": "eql",
"version": 105
}
},
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c",
"type": "new_terms",
"version": 209
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "c485e1358f4158ae03a14255b6d46e7c55467c0fadf17bb618b1ea57366ef1e1",
"type": "eql",
"version": 110
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "9821305b0eebf7cd0540a8a4af112f0cb88abf4dc3bbbe323ade7a203ccf4b08",
"type": "eql",
"version": 112
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5",
"type": "eql",
"version": 110
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d",
"type": "eql",
"version": 106
}
},
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "88f6d6c995a534b5becc1676681e9c43a25e4a30332448f195ec5ae641b8b870",
"type": "new_terms",
"version": 211
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.3",
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "91a18c0e34d966e4822caade08e77bf1677f953f76672f72c51ed95c86968438",
"type": "query",
"version": 106
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"min_stack_version": "8.3",
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8",
"type": "eql",
"version": 106
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5",
"type": "machine_learning",
"version": 103
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079",
"type": "eql",
"version": 110
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via DCSync",
"sha256": "d4d6d4838b5cf551986e8f7b4335f15eb0910a85ed8f40f695e52e1141147407",
"type": "eql",
"version": 113
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "6c93604ac3f7c4e56ba67f913a4b594887a31706b87f87c25ce6fe48e9608fc3",
"type": "eql",
"version": 106
}
},
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "bb48a554acead2212b1c7f843dc9352b7f546a24999c026f249e82bfb88acd46",
"type": "new_terms",
"version": 210
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Access Secret in Secrets Manager",
"sha256": "8a809b35c09aae82a1f066892fa5746325703203ff96d57019f0c0566dc602fe",
"type": "query",
"version": 106
},
"8.6": {
"max_allowable_version": 307,
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263",
"type": "new_terms",
"version": 208
}
},
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "378a46774155bf6146f1d357c4e693e994e2122c127ec368b79c9186c4eea17e",
"type": "new_terms",
"version": 310
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.3",
"rule_name": "A scheduled task was updated",
"sha256": "f72866c48ccae69c487c9485afbf8ca05fc67403d5bda38d738920206c830645",
"type": "eql",
"version": 8
},
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
"sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3",
"type": "eql",
"version": 3
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Topic Creation",
"sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93",
"type": "query",
"version": 105
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"min_stack_version": "8.3",
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f",
"type": "eql",
"version": 107
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"min_stack_version": "8.3",
"rule_name": "File Deletion via Shred",
"sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48",
"type": "eql",
"version": 109
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.3",
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "90670896181f2ae7afdbd86f7ba48b393d39687df3d9ff84a3061265a8c90486",
"type": "eql",
"version": 106
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "45960ca284b367be8f1699088f866e56e2c72c2a5205c1c1ac4a309354ab6119",
"type": "eql",
"version": 7
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"min_stack_version": "8.3",
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99",
"type": "query",
"version": 104
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"min_stack_version": "8.7",
"rule_name": "My First Rule",
"sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29",
"type": "threshold",
"version": 3
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "abc7a656bb0d4f63a1a6e01241d5070bd79d95767ddf50a96416c4cb1e21c0ea",
"type": "eql",
"version": 108
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"min_stack_version": "8.3",
"rule_name": "Linux Group Creation",
"sha256": "7fc88cc105fb44e6b06fe74f60102105a5d43b6174d0e52f9dafb31eda5b1bb7",
"type": "eql",
"version": 5
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.3",
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "6c0ebc416f6fb4c7549a97d6a862ad6d780640637db60c907841fa20c7c70d8a",
"type": "eql",
"version": 109
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
"sha256": "337d1765f1495c27d1a5daf28740c34409d3a57bbf7be559211000d47dd66469",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
"sha256": "89b0c47b77b31a2b7c84dfe6195e371e6678e7153a116dd44c14e22eae50b16c",
"type": "query",
"version": 106
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58",
"type": "query",
"version": 7
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.3",
"rule_name": "Execution via local SxS Shared Module",
"sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525",
"type": "eql",
"version": 108
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"min_stack_version": "8.3",
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "e99c94faaac0789d4c0eb4168bdc6ce7813ec01a2cecbf150147733d63850942",
"type": "eql",
"version": 108
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
"type": "eql",
"version": 100
},
"a52a9439-d52c-401c-be37-2785235c6547": {
"min_stack_version": "8.8",
"rule_name": "Netcat Listener Established Inside A Container",
"sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146",
"type": "eql",
"version": 2
},
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
"min_stack_version": "8.11",
"rule_name": "CAP_SYS_ADMIN Assigned to Binary",
"sha256": "00f42d57112c89636c565a010538b148ea16560e48c7e77209ae4aea7966ac84",
"type": "new_terms",
"version": 2
},
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"min_stack_version": "8.6",
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "1576ee101633693a68c7a223bc0bf033bf243cde11d3831ca0ba638c6761c681",
"type": "eql",
"version": 6
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"min_stack_version": "8.3",
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
"type": "eql",
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075",
"type": "query",
"version": 108
}
},
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df",
"type": "query",
"version": 209
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"min_stack_version": "8.3",
"rule_name": "Azure Active Directory PowerShell Sign-in",
"sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372",
"type": "query",
"version": 105
},
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6",
"type": "threat_match",
"version": 6
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.3",
"rule_name": "Suspicious MS Office Child Process",
"sha256": "255c381e83fba4080d9c7a3ab7f1997d7a8cb5d664c64a8cd19f0be970ca8ae4",
"type": "eql",
"version": 112
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
"rule_name": "Emond Rules Creation or Modification",
"sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287",
"type": "eql",
"version": 107
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "8.9",
"rule_name": "High Mean of RDP Session Duration",
"sha256": "22baca917bf8d8852f30384b7d4813aa7a370126e0338be3886963d94f2e6b8a",
"type": "machine_learning",
"version": 3
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "ee29d9d05c756fbec35c09510be9ed92564671e5159b5e4afe4d9c4ff65d31ef",
"type": "eql",
"version": 111
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.3",
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "09276f9e697db4a2e29daddbecd34ad8fae5dcd59a2a81e1f5ef2bcfe9c3ba02",
"type": "eql",
"version": 110
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88",
"type": "query",
"version": 102
},
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Downloaded from Google Drive",
"sha256": "3d43bb8629f6abf3044732ac8445f0e4aff8492b8f21845bf1d349e73ab15295",
"type": "eql",
"version": 3
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"min_stack_version": "8.9",
"rule_name": "High Variance in RDP Session Duration",
"sha256": "0c85e6c7047aef4143e8ed835f2d0fcafad301de7eb334082e04ff5a498e5539",
"type": "machine_learning",
"version": 3
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
"type": "query",
"version": 100
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "6414cc66c7c80d4240492b269f8c591d61734d2cec368c51642c367fcb0a0fda",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2",
"type": "query",
"version": 206
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "6b7426c4610c0d99417b08152597279e42d5e7fb9b2a510913b106dddafe7abb",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "de0ced40cd29bb489ca1a27d785bb3d66ba4d0711f5d8d42268c9f8cab7c7df9",
"type": "query",
"version": 205
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "269e37223d35d504bd02023f1fc605e200979bbabb0ee082953950adaf35c4fd",
"type": "eql",
"version": 108
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"min_stack_version": "8.3",
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee",
"type": "query",
"version": 104
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"min_stack_version": "8.3",
"rule_name": "GCP IAM Custom Role Creation",
"sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f",
"type": "query",
"version": 104
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"min_stack_version": "8.3",
"rule_name": "System Log File Deletion",
"sha256": "88dcf75e81a5a91c9684e0298310a93c5b5106d24091836c69728729c85e6246",
"type": "eql",
"version": 110
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.3",
"rule_name": "Remotely Started Services via RPC",
"sha256": "e72234fda58c725e6bbfb3c02d000a1276fc1ff4868a63532863b43b2780d3f8",
"type": "eql",
"version": 112
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"min_stack_version": "8.3",
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
"sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3",
"type": "eql",
"version": 2
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe",
"type": "threat_match",
"version": 7
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
"rule_name": "Remote Execution via File Shares",
"sha256": "8f4c528243e4b7fe54e84e7f66324d47f06fa299e52a0069c9f5d1cdea337050",
"type": "eql",
"version": 111
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51",
"type": "machine_learning",
"version": 103
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Login Hook",
"sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9",
"type": "query",
"version": 108
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WerFault Child Process",
"sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf",
"type": "eql",
"version": 112
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Unusual AWS Command for a User",
"sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual AWS Command for a User",
"sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49",
"type": "machine_learning",
"version": 208
},
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"min_stack_version": "8.3",
"rule_name": "Potential Protocol Tunneling via Chisel Server",
"sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9",
"type": "eql",
"version": 6
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.3",
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21",
"type": "query",
"version": 108
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "9977bfb82687f6ee557f2f9474b1cac3eb4b8c16af795908ef9b4a20ab600653",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
"sha256": "dff7c67640bd01423d897e090d914f6661f2ccbd00d363315a58d011cac71b65",
"type": "query",
"version": 205
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"min_stack_version": "8.3",
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924",
"type": "eql",
"version": 106
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"min_stack_version": "8.3",
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9",
"type": "threshold",
"version": 108
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a",
"type": "eql",
"version": 108
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.3",
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "692d68785822926e449adf234c3a45035f0a8e73dd87386acac77931c9491543",
"type": "eql",
"version": 108
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
"type": "query",
"version": 100
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "e28b9f491eae0c8a606f9d315389ac4a117e5d30674f8e4f4e1d3be16bc8d9c4",
"type": "query",
"version": 104
}
},
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "d1699c4738c1bd1387584e6a38c367c2f869b0045f7b6e2c635535f2dded6307",
"type": "query",
"version": 205
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d",
"type": "query",
"version": 110
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6",
"type": "query",
"version": 106
},
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
"min_stack_version": "8.3",
"rule_name": "Suspicious APT Package Manager Execution",
"sha256": "9cbc1daea47fb821c72c3e512bbb09b857e9a4b44454631dfe45b495c8adc9fa",
"type": "eql",
"version": 2
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"min_stack_version": "8.3",
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584",
"type": "eql",
"version": 110
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Communication App Child Process",
"sha256": "da78216a16bc023bec70850e08c999466fb372bf4f11fd44445aaed67089a16c",
"type": "eql",
"version": 4
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "80da89056385e4d385d191289e923d9442a852f1c96b7aeb235b36a9e4a0ca35",
"type": "eql",
"version": 3
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184",
"type": "eql",
"version": 5
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"min_stack_version": "8.6",
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "d43a905984d229cdcd4e06eb6b7f44f165c335ebfb4840dde015f22b680c1f92",
"type": "new_terms",
"version": 7
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"min_stack_version": "8.3",
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123",
"type": "eql",
"version": 4
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.3",
"rule_name": "Local Scheduled Task Creation",
"sha256": "5291c4a420b199ea0cda7c00ad93a5114d95d9fcd73a07e12060d164eb0601e6",
"type": "eql",
"version": 107
},
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"min_stack_version": "8.3",
"rule_name": "Network Activity Detected via cat",
"sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6",
"type": "eql",
"version": 6
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19",
"type": "eql",
"version": 5
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"min_stack_version": "8.3",
"rule_name": "Timestomping using Touch Command",
"sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4",
"type": "eql",
"version": 106
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"min_stack_version": "8.3",
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f",
"type": "query",
"version": 106
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"min_stack_version": "8.3",
"rule_name": "Netsh Helper DLL",
"sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9",
"type": "eql",
"version": 2
},
"b1773d05-f349-45fb-9850-287b8f92f02d": {
"min_stack_version": "8.13",
"rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
"sha256": "6a40ebf3c73e6c53af80cb80bd9a27f9b1048603919e041e0c114c02154787a6",
"type": "esql",
"version": 1
},
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
"rule_name": "Potential Persistence via Cron Job",
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
"type": "query",
"version": 100
},
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Share Discovery",
"sha256": "fda7288ed57e11d03d2af7b74755b704d96c32f3c69abe245de1378438bd144f",
"type": "eql",
"version": 3
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"min_stack_version": "8.3",
"rule_name": "Spike in Network Traffic",
"sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6",
"type": "machine_learning",
"version": 103
},
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "f9c74dae522f96b99ef91c8690d3294d5bb57ed3568290e9c6c2b4877c99bbd4",
"type": "eql",
"version": 111
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "0e2607bb68d167a217bd28be737c707eb6729cb8c449efd2f3c45064ba35fb07",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf",
"type": "query",
"version": 206
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b",
"type": "eql",
"version": 108
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Username",
"sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016",
"type": "machine_learning",
"version": 103
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "01e8d9f7974e3c66e2916edad7f04fe3fbd842ed064a7ac1067df9d6d61ecadf",
"type": "eql",
"version": 111
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "204caab60a2c4641de7b31aaedca2147bb76d02c5e8bae82907f04607536563e",
"type": "eql",
"version": 7
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900",
"type": "query",
"version": 106
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba",
"type": "query",
"version": 105
}
},
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670",
"type": "query",
"version": 206
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"min_stack_version": "8.3",
"rule_name": "At.exe Command Lateral Movement",
"sha256": "041e17a0cd55085d79466cf06aaa8ca81ef2b30a9e42291395534ce27ba0062a",
"type": "eql",
"version": 3
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "614c1c668c20b47ea3131ada30c8e3553492804e1a59c5580715f70c757d07b6",
"type": "query",
"version": 206
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via OverlayFS",
"sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93",
"type": "eql",
"version": 5
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Console History",
"sha256": "0d87128fdfdcb58febe6605148de68b8ab413e129191227eca12360248a76681",
"type": "eql",
"version": 111
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "7a7554033f500cdd7964ffd328c581dfbdd9b26c040569d42581504a70e468d3",
"type": "eql",
"version": 111
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Elastic Agent Service Terminated",
"sha256": "8abfc44bc5f8a00effd8c97c81a841dcc2cbe6cd3e2da51a5b277f96c2baf671",
"type": "eql",
"version": 106
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "1e8be0b94b78d86bb0d30e6a4e6d28c81c9c5bdf2b9494ac9c0d7fb465491bae",
"type": "eql",
"version": 109
},
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"min_stack_version": "8.3",
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "e589053c5a7013b3bb2c3d76d1617fcdda617b6aa8dbfa31adf5e34b95f095d2",
"type": "eql",
"version": 1
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"min_stack_version": "8.3",
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
"sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09",
"type": "query",
"version": 103
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "6a65ec96ad5423adc711dfec4c404f2e552f894f68eaa80a1f242d64218bbdc6",
"type": "query",
"version": 206
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"min_stack_version": "8.3",
"rule_name": "Potential Buffer Overflow Attack Detected",
"sha256": "3e26fdf6574102a4aa2b239c1e4420684c6f3527b1aca67cf62cc4b42858a6f4",
"type": "threshold",
"version": 2
},
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3",
"type": "query",
"version": 105
}
},
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "1177bae4785512b7c84e85287f4a1e6555c016a06a1a91407ee74cee2c622ae3",
"type": "query",
"version": 205
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"min_stack_version": "8.3",
"rule_name": "Linux System Information Discovery",
"sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61",
"type": "eql",
"version": 3
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "40c977b1f7dad3726a8f0c97749e00256994f75580fd498135538a04857e663d",
"type": "query",
"version": 5
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93",
"type": "eql",
"version": 108
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via MsXsl",
"sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266",
"type": "eql",
"version": 106
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.3",
"rule_name": "Kirbi File Creation",
"sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f",
"type": "eql",
"version": 5
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d",
"type": "eql",
"version": 109
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"min_stack_version": "8.3",
"rule_name": "Chkconfig Service Add",
"sha256": "762949859141699af6a491db1a4f5b059db590cbadd27aa2267653760c23d23d",
"type": "eql",
"version": 111
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"min_stack_version": "8.3",
"rule_name": "Discovery of Domain Groups",
"sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677",
"type": "eql",
"version": 2
},
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
"min_stack_version": "8.3",
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
"sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c",
"type": "threshold",
"version": 4
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"min_stack_version": "8.3",
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "7e1d07811eee139eca2af001c453e529a605e642fafc1cadfeac9817862c3f0c",
"type": "query",
"version": 109
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "bbdba9f735a270571a5a0f1df636cdd573417d76ebf91c3ee006046ae88f685d",
"type": "eql",
"version": 110
},
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.3",
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "6cf76bf28c6818bd0c1e9cacc68a44909ca3c50f197b96e96bd34ffd2f935ec8",
"type": "eql",
"version": 109
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows Network Activity",
"sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad",
"type": "machine_learning",
"version": 103
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"min_stack_version": "8.3",
"rule_name": "Kernel Driver Load by non-root User",
"sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844",
"type": "eql",
"version": 3
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671",
"type": "eql",
"version": 109
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"min_stack_version": "8.3",
"rule_name": "Azure Resource Group Deletion",
"sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576",
"type": "query",
"version": 102
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834",
"type": "query",
"version": 206
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "OneDrive Malware File Upload",
"sha256": "4f273dae13ee4bb9564a60c6771439fc10cd7f3357de2aa65839ff10d4cde814",
"type": "query",
"version": 106
}
},
"rule_name": "OneDrive Malware File Upload",
"sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa",
"type": "query",
"version": 206
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"min_stack_version": "8.3",
"rule_name": "Potential SYN-Based Network Scan Detected",
"sha256": "8413e204b3d4d4145ea9cfe859daf5ecaf39fd776bf87f7090a82205de0b5b52",
"type": "threshold",
"version": 5
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "f4f0da241f45040111a47879928011d3b90da922010348154b5cb1c44d2f24ee",
"type": "query",
"version": 107
}
},
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3",
"type": "query",
"version": 207
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Root Login Without MFA",
"sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Root Login Without MFA",
"sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157",
"type": "query",
"version": 209
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"min_stack_version": "8.3",
"rule_name": "GCP Storage Bucket Deletion",
"sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d",
"type": "query",
"version": 104
},
"bc0fc359-68db-421e-a435-348ced7a7f92": {
"min_stack_version": "8.11",
"rule_name": "Potential Privilege Escalation via Enlightenment",
"sha256": "6401927f8fccbd1a2df04a2676ccbbb51a67242c1fed8afcc893fdff0e431642",
"type": "eql",
"version": 2
},
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Root Certificate",
"sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972",
"type": "query",
"version": 106
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"min_stack_version": "8.3",
"rule_name": "Azure Conditional Access Policy Modified",
"sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c",
"type": "query",
"version": 102
},
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
"min_stack_version": "8.3",
"rule_name": "Potential Non-Standard Port SSH connection",
"sha256": "68365d0090a647d05f3396ace9d86f2c79f607bef610741ce9c4240ccfa0de26",
"type": "eql",
"version": 5
},
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"min_stack_version": "8.3",
"rule_name": "File and Directory Permissions Modification",
"sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139",
"type": "eql",
"version": 2
},
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
"min_stack_version": "8.3",
"rule_name": "GCP Service Account Disabled",
"sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace",
"type": "query",
"version": 104
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "37e01c0b463876a5acee70bb565d205c8a2e8c5a7b3d99a24e16939f97360a9f",
"type": "query",
"version": 3
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Keylogging Script",
"sha256": "92008de004bfec5733b4d1f7cd48ddbe75ac79f7f3c92d54d71bd7f5447d260d",
"type": "query",
"version": 112
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"min_stack_version": "8.3",
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "f9a5163bfb60ec1ac26ac681518a193a85b03a87dac342a3579a7b2ae3628e0b",
"type": "eql",
"version": 2
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "6214fb2abc887c66d7d514ccfc914faf98cb9befe4cb35f2f58a0e300787eb5c",
"type": "eql",
"version": 106
},
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"min_stack_version": "8.3",
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "3ebba1b3c0653e611e5c1abc4e917c868371220b6fb55954eafa7a8d7c6cf5fe",
"type": "eql",
"version": 7
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.3",
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "c437d0e4938701b867702b775bb69d57f44e45a03be5d63d90f0dcde14ccbf39",
"type": "eql",
"version": 108
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "84baf4890842c179a0724a3835388a16dedfe1046dfd94a9b617aa56b37a7a2f",
"type": "machine_learning",
"version": 4
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"min_stack_version": "8.9",
"rule_name": "Unusual Remote File Directory",
"sha256": "f6b1ce1e97f8a9dd95bb99809d5d9a7bab6a0922fb0861afadc24970477e3b3f",
"type": "machine_learning",
"version": 3
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.3",
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "a22b02dc207eed11a68b3bf9569d0f06d0bfcc3b14a71b32fc505ee86b53aed4",
"type": "eql",
"version": 109
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Snapshot Restored",
"sha256": "867302d2c993c7e6bb06acb3bb9784e8de51117e6d0fdd1a5a8e040e24fab59f",
"type": "query",
"version": 206
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"min_stack_version": "8.3",
"rule_name": "System Owner/User Discovery Linux",
"sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df",
"type": "eql",
"version": 3
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "385716bc0770d6b023580d5b0a92a34581e351560a3bd43bd4ce2b3b01ef84c1",
"type": "machine_learning",
"version": 3
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.3",
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "630b95897e137de2d3ff315926d388d39ed6ad5c19948a8fe0cb4c564d32b99e",
"type": "eql",
"version": 111
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579",
"type": "eql",
"version": 107
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.3",
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "8020f015d723e31af612bbc7e570f0f7a2bf57c3cc13447eb5bccd3e39385ca8",
"type": "eql",
"version": 109
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"min_stack_version": "8.3",
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c",
"type": "eql",
"version": 2
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"min_stack_version": "8.3",
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3",
"type": "query",
"version": 103
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"min_stack_version": "8.5",
"rule_name": "Suspicious Renaming of ESXI index.html File",
"sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa",
"type": "eql",
"version": 6
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63",
"type": "query",
"version": 206
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 100,
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "bb5c65b28dc087548516c6b186539ffc5f02db3440942a539777c49bd9e1e878",
"type": "eql",
"version": 1
}
},
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43",
"type": "eql",
"version": 102
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.3",
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "03334e1d43f8d53c06b92628435b5af954f2211ff41ff4ed7467bf8a8065cdef",
"type": "eql",
"version": 110
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Connection Discovery",
"sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d",
"type": "machine_learning",
"version": 103
},
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Folder Action Script",
"sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa",
"type": "eql",
"version": 107
},
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
"min_stack_version": "8.11",
"rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
"sha256": "ea98f3aeb649cfc57e8d9c4a04ecb8f4599dd683fc28415e8146ca925c02d14d",
"type": "eql",
"version": 2
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"min_stack_version": "8.3",
"rule_name": "Mshta Making Network Connections",
"sha256": "7b3bec275d247d0cc1c4772be5f41fcfca282df6146f830777ed87b4c663f7e5",
"type": "eql",
"version": 107
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"min_stack_version": "8.3",
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5",
"type": "query",
"version": 103
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.3",
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156",
"type": "eql",
"version": 107
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"min_stack_version": "8.3",
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
"sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8",
"type": "eql",
"version": 104
},
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"min_stack_version": "8.3",
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "a814b9dc474566b81d9b80f83a1fbb21d506490be5d1a791c6a040402576193e",
"type": "eql",
"version": 109
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff",
"type": "eql",
"version": 107
},
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"min_stack_version": "8.3",
"rule_name": "Windows System Network Connections Discovery",
"sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4",
"type": "eql",
"version": 4
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"min_stack_version": "8.3",
"rule_name": "Attempted Private Key Access",
"sha256": "92447cf8bb6de4a626ecd420b9c64922484cb49f216d13292e833c1abdb4786c",
"type": "eql",
"version": 3
},
"c5677997-f75b-4cda-b830-a75920514096": {
"min_stack_version": "8.3",
"rule_name": "Service Path Modification via sc.exe",
"sha256": "6d70ac346b080bca5ad2083c56ff66bd01f63204483b047353855e7898b39862",
"type": "eql",
"version": 3
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a",
"type": "eql",
"version": 109
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"min_stack_version": "8.3",
"rule_name": "GCP Virtual Private Cloud Network Deletion",
"sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276",
"type": "query",
"version": 104
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f",
"type": "eql",
"version": 108
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"min_stack_version": "8.3",
"rule_name": "Installation of Custom Shim Databases",
"sha256": "7ea702b1b6d7a8309d8d11e16505cb9ca2a3b1c906e7aeadacdefea24d0397b6",
"type": "eql",
"version": 108
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "a8e1a000f912f5f42f3894fdca0458d10666994f165781a4fbd5db031f5a6712",
"type": "eql",
"version": 110
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"min_stack_version": "8.3",
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
"sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f",
"type": "query",
"version": 102
},
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "3338fefccfc7c7d86404c1a054f09f2b43fdbeadba93b27dcfe7c04d6994303f",
"type": "eql",
"version": 112
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
"type": "query",
"version": 100
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "32aa247af72d8bfb3ed85d34d5c359b595a21f5b5ef6703aec68875147b2110f",
"type": "query",
"version": 206
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0",
"type": "query",
"version": 105
}
},
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "d9ce411d12a9dcd03a68e93eedabd0fc200c743908746faf634ade8744ff7f32",
"type": "query",
"version": 205
},
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6",
"type": "eql",
"version": 107
},
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "e431240326e0ddb66017b695a15db0269ad7b4e5bde7cf37b10f01159fb9da19",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "276c33d57b4e3046ff3bf3eab838110627d9f8d9214a01036a62561084c6073a",
"type": "query",
"version": 203
},
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"min_stack_version": "8.3",
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "b865aba340d622e5f6840586849e814be1e565d1c59e1fcba5509683315c91cf",
"type": "eql",
"version": 110
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"min_stack_version": "8.3",
"rule_name": "Spike in Network Traffic To a Country",
"sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61",
"type": "machine_learning",
"version": 104
},
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37",
"type": "query",
"version": 107
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"min_stack_version": "8.3",
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67",
"type": "query",
"version": 103
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"min_stack_version": "8.3",
"rule_name": "Direct Outbound SMB Connection",
"sha256": "a30cf230b1215a2e0fd884167dfbb8fd92e5b63fa7a5cb2c9e9a8a306316de4d",
"type": "eql",
"version": 110
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"min_stack_version": "8.3",
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827",
"type": "eql",
"version": 105
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
"type": "query",
"version": 100
},
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"min_stack_version": "8.3",
"rule_name": "Parent Process PID Spoofing",
"sha256": "43c26bdd413e7e6c52b50b9c579663b2ab48285b83a1f794fd636727baf21733",
"type": "eql",
"version": 106
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "a6ee22bb7fef22f21c9792186337bc557bd1aaba670d4de8d077fd7892d46ad2",
"type": "eql",
"version": 8
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "a3f4ddc31c6570250920dc60269e68ec6344884c88aba870fb9998c5c1fb5319",
"type": "eql",
"version": 110
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"min_stack_version": "8.3",
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "2326092f64de27cbf684cdd4130d6f8695d0a42277b02fff7ebcc62350e56411",
"type": "eql",
"version": 110
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "b8c86e533a37c36a2eaef8f1d48ca8aa5a24b6665dc2328de3b3cc5eb1d2ad51",
"type": "eql",
"version": 5
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"min_stack_version": "8.3",
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3",
"type": "query",
"version": 103
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "fdddb91dc8eaf01e3cca5626ab5e3b2c4ef51e15a8544385057399574b3d9b3b",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82",
"type": "query",
"version": 206
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"min_stack_version": "8.4",
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "6b71d73f704e96ab028ab9aa5fef9a3b487e35fe5cc322c1a118c9102720af9a",
"type": "eql",
"version": 8
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
"type": "query",
"version": 100
},
"cac91072-d165-11ec-a764-f661ea17fbce": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "6ab73acfdcd8636a87c0fd8b1342d5e96de8cbd74ed0e4f4dbb689c32a3cbffa",
"type": "eql",
"version": 108
}
},
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "b4f2c9fe5dcc43eb113d00600fc6a7ca5091c0957af96c084ee2d9a790aa3a2a",
"type": "new_terms",
"version": 213
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "a8e10bb292478990aa0c82694fcd3621b81383a8058b87a25449238641d59e3b",
"type": "query",
"version": 107
}
},
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "8a1f92b90737453373b48d24dd4dfd6e29615794a9ccaf5df7ba1a0ecf5d5e2a",
"type": "query",
"version": 207
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Calendar File Modification",
"sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da",
"type": "query",
"version": 106
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
"type": "query",
"version": 100
},
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Enable the Root Account",
"sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d",
"type": "query",
"version": 106
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
"sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5",
"type": "threshold",
"version": 2
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "fe1015d6d9d15270cdedd676b577c3057d2552db4ce585e3c82437e7999cc037",
"type": "machine_learning",
"version": 3
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 103,
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "50eab7a58d52dc1eb0e8d8af2d5ca140762dfdf60970d1e7d5fcbf80aff362f4",
"type": "query",
"version": 5
}
},
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "98638b8378e232c3d8a54f3b4ec12fa3eae908ba56a658c7557b22c25766b823",
"type": "query",
"version": 106
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Subscription Deletion",
"sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408",
"type": "query",
"version": 104
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999",
"type": "query",
"version": 107
}
},
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "b478201ba15dcd2c82b79fa58c4c175e917d642653a86009ecf389042156d85c",
"type": "query",
"version": 207
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"min_stack_version": "8.3",
"rule_name": "Potential Process Herpaderping Attempt",
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
"type": "eql",
"version": 105
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6",
"type": "query",
"version": 106
}
},
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "06745b57fd263169ae59b2d860b840a6deb4a911da424fa9267827a54e77c61f",
"type": "query",
"version": 206
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
"type": "query",
"version": 100
},
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
"min_stack_version": "8.3",
"rule_name": "Anomalous Linux Compiler Activity",
"sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793",
"type": "machine_learning",
"version": 103
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"min_stack_version": "8.3",
"rule_name": "Kernel Module Removal",
"sha256": "8e7fd75b780b1265825a7a783ea3000b983acf3ce3100a49edb797139b01e31f",
"type": "eql",
"version": 109
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"min_stack_version": "8.3",
"rule_name": "Downloaded URL Files",
"sha256": "1a31489f793c58d433963910d8327747a3e7824bf11685358836a38183e8aca0",
"type": "eql",
"version": 2
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
"sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7",
"type": "query",
"version": 106
}
},
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "68ad2d14c4876759c36eb2916aee5dc6a93ce9aba5183bea4fde222d94ad4fa5",
"type": "eql",
"version": 207
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Okta User Session Impersonation",
"sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5",
"type": "query",
"version": 107
}
},
"rule_name": "Okta User Session Impersonation",
"sha256": "0a3253294eddbc09d843b81fe8f461f26e5b01e8456dc88dbce7c79923ff93b7",
"type": "query",
"version": 207
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 110,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
"type": "query",
"version": 11
}
},
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b",
"type": "query",
"version": 111
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
"type": "new_terms",
"version": 1
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.3",
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "38c701cbddca58faa29370862beddbbc9839ee8f8ef4985c006e2f03acecfdb7",
"type": "eql",
"version": 109
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"min_stack_version": "8.3",
"rule_name": "Cobalt Strike Command and Control Beacon",
"sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967",
"type": "query",
"version": 105
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "c773965d1c83361d3745d38a93d9ac9380056a79a5f3d4ebff542d94a9a369ce",
"type": "query",
"version": 104
}
},
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "15e692b56a4792a0434440ea85ef264cbfb31e1ebd9bdc618a03987f928a53a1",
"type": "query",
"version": 205
},
"cf575427-0839-4c69-a9e6-99fde02606f3": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Activity by User",
"sha256": "2dec950ffa14b4863a879f391b045196709a774f032c8bc35d8f61ba20e2bfff",
"type": "new_terms",
"version": 1
},
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
"min_stack_version": "8.3",
"rule_name": "Trap Signals Execution",
"sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4",
"type": "eql",
"version": 2
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"min_stack_version": "8.3",
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "1e5d776df1e502f5d444b1a1e6cdcfc3de4ad784a603e7e0f23aaed9eae2f766",
"type": "eql",
"version": 112
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"min_stack_version": "8.3",
"rule_name": "Archive File with Unusual Extension",
"sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3",
"type": "eql",
"version": 2
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"min_stack_version": "8.3",
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e",
"type": "eql",
"version": 9
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"min_stack_version": "8.8",
"rule_name": "AWS Credentials Searched For Inside A Container",
"sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e",
"type": "eql",
"version": 1
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.3",
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "4ec85ed3f6241a6015c998b91cdbbcf438629be2a40cdbfce1a173ebabd7c292",
"type": "eql",
"version": 110
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.3",
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "c8d1d7cc4181248cc8906dbc6d37aa62c162ed9bde92f7b4daf42b912e451197",
"type": "eql",
"version": 111
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"min_stack_version": "8.3",
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2",
"type": "eql",
"version": 5
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"min_stack_version": "8.3",
"rule_name": "Compression DLL Loaded by Unusual Process",
"sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce",
"type": "eql",
"version": 3
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
"type": "query",
"version": 100
},
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"min_stack_version": "8.3",
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2",
"type": "query",
"version": 106
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.3",
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "603191c9e9fe22a6f972c18bfb548360ab4f4b1378a58e8a4a24479548e8b1d0",
"type": "eql",
"version": 110
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.3",
"rule_name": "Clearing Windows Event Logs",
"sha256": "1c0780a844be282bd8fdfb0d608fa65473ba2d01d1a5be9e50e2e08039542576",
"type": "eql",
"version": 112
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.3",
"rule_name": "Remote Windows Service Installed",
"sha256": "63102ba4aec4aaab713fffceebe688d706bb41cdf8bcf23d4055467011cb9fb9",
"type": "eql",
"version": 6
},
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"min_stack_version": "8.3",
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "76b2081709ea9b401fc695d779a14dfa839fbd99eb19c8510b2ea6c5f7e7b4f4",
"type": "eql",
"version": 2
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"min_stack_version": "8.3",
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd",
"type": "eql",
"version": 107
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7",
"type": "query",
"version": 105
}
},
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6",
"type": "query",
"version": 205
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"min_stack_version": "8.3",
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7",
"type": "query",
"version": 102
},
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux System Information Discovery Activity",
"sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f",
"type": "machine_learning",
"version": 103
},
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
"min_stack_version": "8.3",
"rule_name": "Unusual Source IP for a User to Logon from",
"sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041",
"type": "machine_learning",
"version": 103
},
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"min_stack_version": "8.3",
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06",
"type": "eql",
"version": 6
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924",
"type": "eql",
"version": 5
},
"d55abdfb-5384-402b-add4-6c401501b0c3": {
"min_stack_version": "8.11",
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
"sha256": "f6afb5d7d43edf7f2bb60691606cbc408d2e5790f4939177bdf5b9822c465fff",
"type": "eql",
"version": 3
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "42e3e1682134a7ed8c26d9a5ce2bcf4830d6a7af85268a0d2455a75e23119f6c",
"type": "eql",
"version": 106
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "537f87bddcb81e9ba189e215fbb67e630dc5362f718cb3d8e57f843bd129033a",
"type": "query",
"version": 206
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"min_stack_version": "8.3",
"rule_name": "Service Command Lateral Movement",
"sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42",
"type": "eql",
"version": 107
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578",
"type": "query",
"version": 209
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"min_stack_version": "8.3",
"rule_name": "GCP Pub/Sub Subscription Creation",
"sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4",
"type": "query",
"version": 105
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
"type": "query",
"version": 100
},
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"min_stack_version": "8.3",
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "e564b576c629a29ec8088864b78c7c81c8d46453cc5e038a33fdd24d4a3a2641",
"type": "eql",
"version": 10
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "3fa1ccf28083380bbb7d71135b1b5ab0753f90d5fde3ecdeda2cb4ffc6ae81aa",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91",
"type": "query",
"version": 206
},
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"min_stack_version": "8.3",
"rule_name": "Modification of WDigest Security Provider",
"sha256": "c7b2137213e37ccba915d2c30fa260188c065d8e939c56b72e4fd1f4001d72df",
"type": "eql",
"version": 109
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.3",
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "84b33e85f61fe174e8ec6980e6480028773e96980d267505f090cfa2d2460192",
"type": "eql",
"version": 111
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "4a8ffe50aa43eaf2654ac6a51517203a86c2951828434a1cb60bb435707c5a6b",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d",
"type": "query",
"version": 206
},
"d74d6506-427a-4790-b170-0c2a6ddac799": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Memory grep Activity",
"sha256": "b142483255de74b46aa32d1dd3a28f2821bb97997be6bae899e84c0d30fa9165",
"type": "eql",
"version": 2
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"min_stack_version": "8.7",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "SystemKey Access via Command Line",
"sha256": "48b8b3a40209f6422060e3de267b79054f2ad0313fc42c4cef21decadf490f4d",
"type": "query",
"version": 106
}
},
"rule_name": "SystemKey Access via Command Line",
"sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091",
"type": "query",
"version": 206
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"min_stack_version": "8.3",
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541",
"type": "eql",
"version": 110
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"min_stack_version": "8.3",
"rule_name": "Azure Blob Permissions Modification",
"sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f",
"type": "query",
"version": 103
},
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
"min_stack_version": "8.3",
"rule_name": "Spike in Logon Events",
"sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203",
"type": "machine_learning",
"version": 103
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"min_stack_version": "8.3",
"rule_name": "SMTP on Port 26/TCP",
"sha256": "8bf03857acd5416922cae6018a42266418009a83c60f4fa6388d0ac603af5f0b",
"type": "query",
"version": 104
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"min_stack_version": "8.3",
"rule_name": "Untrusted Driver Loaded",
"sha256": "9b90c86424390fccfc1959785af10eeade5e654612545617582dca1058cb17b8",
"type": "eql",
"version": 8
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53",
"type": "query",
"version": 108
}
},
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "e70bcba5f981ab9bc5d058baf0631ea65c4172e55502ae1f6b6fceeca1035906",
"type": "query",
"version": 209
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1",
"type": "eql",
"version": 111
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.3",
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "9ebf3042fc83b25b6a39a0cc87927cefb341ebb08bcce8749b4e07166ba98d0d",
"type": "eql",
"version": 9
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "6ede570261a72bdcdf1e10f2f1fa1f9d331da8df7293f982df1b311120e88083",
"type": "query",
"version": 3
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694",
"type": "eql",
"version": 8
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
"type": "eql",
"version": 100
},
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"min_stack_version": "8.4",
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "fb420a72b427d67311f02098a93854b2a6bd5c733b6cbca4275ee920329b9b9e",
"type": "new_terms",
"version": 3
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"min_stack_version": "8.3",
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
"sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee",
"type": "query",
"version": 105
},
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"min_stack_version": "8.3",
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474",
"type": "eql",
"version": 3
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.3",
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "3bcb0230882be5c94ef22fde8ca625bfde5e40e20e1e545cf8a0f68d01c7e8f3",
"type": "eql",
"version": 6
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"min_stack_version": "8.3",
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65",
"type": "query",
"version": 103
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0",
"type": "eql",
"version": 5
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
"type": "threat_match",
"version": 100
},
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"min_stack_version": "8.3",
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "abccbf694da0eb306df7f606501df6d3e19475e12fbcd106342e187528d0ecf7",
"type": "eql",
"version": 8
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.3",
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "2d9e1771d9606f5f38126860db0e8757d223c30ae4a1b3b93d60ac17b0127a99",
"type": "eql",
"version": 110
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "Unusual Country For an AWS Command",
"sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946",
"type": "machine_learning",
"version": 108
}
},
"rule_name": "Unusual Country For an AWS Command",
"sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561",
"type": "machine_learning",
"version": 208
},
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "6b58cc9b14a7fac5ea7f584782e3f3c7161f78158b1ce3fe3c33928ebba3d84d",
"type": "eql",
"version": 2
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "51ebf76d12a58d9db10b3a9d16c79ee0ae0672fa77f9fd0682b3796a7520351a",
"type": "eql",
"version": 7
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"min_stack_version": "8.3",
"rule_name": "Reverse Shell Created via Named Pipe",
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
"type": "eql",
"version": 6
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"min_stack_version": "8.3",
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "6c3d142ca53ffc037b333b4699eb891e35c11d1ca95aa3ae6347fb173bc33735",
"type": "eql",
"version": 108
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "0a0a64ff02f4040cf251994361f673fa3c6618edb6d38387c8adf5f5749f4b5a",
"type": "eql",
"version": 110
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"min_stack_version": "8.3",
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977",
"type": "eql",
"version": 110
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 101,
"rule_name": "Query Registry using Built-in Tools",
"sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd",
"type": "eql",
"version": 2
}
},
"rule_name": "Query Registry using Built-in Tools",
"sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd",
"type": "new_terms",
"version": 105
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"min_stack_version": "8.6",
"rule_name": "First Time Seen Driver Loaded",
"sha256": "7e66246ea00c9698fbfa57311793c02739cbad96d59bd88bbda9dbc752e4ac58",
"type": "new_terms",
"version": 7
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce",
"type": "machine_learning",
"version": 103
},
"df26fd74-1baa-4479-b42e-48da84642330": {
"min_stack_version": "8.3",
"rule_name": "Azure Automation Account Created",
"sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669",
"type": "query",
"version": 102
},
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"min_stack_version": "8.3",
"rule_name": "Dynamic Linker Copy",
"sha256": "abf419807a9782b1ea278f1682ee0d5be74e340e248aa42cb3303c3a41892725",
"type": "eql",
"version": 108
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "8504c3a7241f7cfb70d23f3d06e6f6c5191c15f0ac37578efdc476c6230b04a6",
"type": "query",
"version": 101
}
},
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "b912b62e03d307861dc557cdbfc8fe17d54f7b8a394fee4ec9e46e4539393622",
"type": "query",
"version": 203
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
"type": "query",
"version": 100
},
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"min_stack_version": "8.3",
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "6c482e61313171b3dc7b0d4085b1103871e12cb403c6fa1d2048781f9e805253",
"type": "eql",
"version": 1
},
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"min_stack_version": "8.3",
"rule_name": "Delayed Execution via Ping",
"sha256": "c6fa799b2b134a4e7c34302b0b8f543c54dd38aaba6bfa93b1933a3374e41c71",
"type": "eql",
"version": 2
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"min_stack_version": "8.3",
"rule_name": "Azure Firewall Policy Deletion",
"sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0",
"type": "query",
"version": 102
},
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"min_stack_version": "8.3",
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "13d64c92f3533756a0657f2f8db2a099ab8cf25d1b5d1722dc5b880ec815bf34",
"type": "query",
"version": 107
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.3",
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "c1e96e42705eb2de534b4ce6fa40b16c522e2bb6f8f8a0f0ff6ea140ff22680b",
"type": "eql",
"version": 6
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0",
"type": "threshold",
"version": 108
}
},
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "19b34876e0825396f2b8927609d08f7ba1b4401e0db2baf6f757df3fc826c18e",
"type": "threshold",
"version": 208
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"min_stack_version": "8.3",
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "da9fb3e751cf2aca3b76ff6969e48fb1e4f477f4832888b32a57290109f5982a",
"type": "eql",
"version": 4
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"min_stack_version": "7.16",
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
"type": "eql",
"version": 100
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"min_stack_version": "8.3",
"rule_name": "Azure Event Hub Deletion",
"sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7",
"type": "query",
"version": 102
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route Table Created",
"sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route Table Created",
"sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5",
"type": "query",
"version": 207
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Cluster Creation",
"sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Cluster Creation",
"sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6",
"type": "query",
"version": 206
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"min_stack_version": "8.3",
"rule_name": "Connection to External Network via Telnet",
"sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5",
"type": "eql",
"version": 107
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "2dfa5553eab948bb3ad46437fda2847c3d2d98e63aa80c10f1b8a179eb44b650",
"type": "machine_learning",
"version": 3
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9",
"type": "eql",
"version": 6
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"min_stack_version": "8.3",
"rule_name": "Spike in Successful Logon Events from a Source IP",
"sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff",
"type": "machine_learning",
"version": 104
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.12",
"previous": {
"8.3": {
"max_allowable_version": 211,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
"type": "query",
"version": 112
}
},
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "3cf8ff583ef123ebe0ef752da349e94652bcd203d089689bf6cfba36e727cc9d",
"type": "query",
"version": 212
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"min_stack_version": "8.11",
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
"sha256": "61ed477be4d1a7e3e10f7314a2bca872cc00a47a72fd2bf412db50d3ce3b81ec",
"type": "new_terms",
"version": 2
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS Management Console Root Login",
"sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89",
"type": "query",
"version": 108
}
},
"rule_name": "AWS Management Console Root Login",
"sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd",
"type": "query",
"version": 209
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"min_stack_version": "8.3",
"rule_name": "System Network Connections Discovery",
"sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1",
"type": "eql",
"version": 3
},
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"min_stack_version": "8.3",
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "3e63bc85075d9b743e6bf54268defc21c112e95ddb806edfb8a78a3ab78903bc",
"type": "eql",
"version": 7
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "bee7840c66166d2669fe2c9007db541d327d9ea4a3fdfda0b9c233e216e4a37d",
"type": "eql",
"version": 111
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"min_stack_version": "8.3",
"rule_name": "GCP IAM Role Deletion",
"sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe",
"type": "query",
"version": 104
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"min_stack_version": "8.3",
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "6cef2e899c6b4e9645a167a889392bdc93d93b0cdbefafa881495069c49f284e",
"type": "eql",
"version": 110
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525",
"type": "query",
"version": 206
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"min_stack_version": "8.3",
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462",
"type": "query",
"version": 103
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"min_stack_version": "8.3",
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e",
"type": "eql",
"version": 107
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"min_stack_version": "8.3",
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "20a809b0c9d105e502a250b3d41b6934687bf4d74fbbedd98cef83bdf6d2658b",
"type": "eql",
"version": 110
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "9a219e929d52b9d5fd2593524c043db217318eb6f540793dae2c595418f5dc02",
"type": "new_terms",
"version": 2
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "6d57260382880fab2e20021bd0235b13974bf1bde3fcdb2fe4b85484ea80f4c6",
"type": "query",
"version": 206
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"min_stack_version": "8.3",
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "c47f1f706cc482c626dc8045250f798362338387db47fe387412408b6be3bae1",
"type": "eql",
"version": 105
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "f31d2b25f3d2f895e14eab6c7ec29719c97852d5f2f99b2fa9357b9637c2f510",
"type": "query",
"version": 110
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 202,
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "2c13a6fc437d2115e97e6e81a6d555601f5f93d05f444b9935bf76d94877c049",
"type": "query",
"version": 104
}
},
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "91e053deeef1fbe832a95085ef68f2122ba06d94e64114a2d0e61cf3f1d64d6f",
"type": "query",
"version": 205
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
"type": "query",
"version": 100
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"min_stack_version": "8.3",
"rule_name": "Bash Shell Profile Modification",
"sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3",
"type": "query",
"version": 104
},
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"min_stack_version": "8.3",
"rule_name": "Authorization Plugin Modification",
"sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e",
"type": "query",
"version": 107
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Possible Okta DoS Attack",
"sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391",
"type": "query",
"version": 105
}
},
"rule_name": "Possible Okta DoS Attack",
"sha256": "065c5e51d3541a24ee401d4b9da8787e8fb858c1e89938d7f7fa8daf46e7199e",
"type": "query",
"version": 205
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"min_stack_version": "8.3",
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51",
"type": "eql",
"version": 107
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"min_stack_version": "8.3",
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e",
"type": "query",
"version": 104
},
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
"min_stack_version": "8.3",
"rule_name": "Potential Credential Access via Memory Dump File Creation",
"sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62",
"type": "eql",
"version": 3
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"min_stack_version": "8.3",
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478",
"type": "eql",
"version": 107
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 104,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "bee333bfc8d77b96f009283d0b8dc93b5e2e38ef6b27b38b21daccf6fe50833a",
"type": "eql",
"version": 6
}
},
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20",
"type": "eql",
"version": 106
},
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
"min_stack_version": "8.3",
"rule_name": "Potential Windows Session Hijacking via CcmExec",
"sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a",
"type": "eql",
"version": 1
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"min_stack_version": "8.3",
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8",
"type": "eql",
"version": 4
},
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
"min_stack_version": "8.3",
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35",
"type": "eql",
"version": 1
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393",
"type": "eql",
"version": 8
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Route Table Modified or Deleted",
"sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Route Table Modified or Deleted",
"sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112",
"type": "query",
"version": 207
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"min_stack_version": "8.3",
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "d821998e1160abb47ecede3b1c462e4239e82c189b4c1bb28462bb126a1b7765",
"type": "eql",
"version": 108
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"min_stack_version": "8.3",
"rule_name": "Installation of Security Support Provider",
"sha256": "7bacfc5c36b455bd387840ed3881384dccf76c4613c11307d4d5d00b45b71f4c",
"type": "eql",
"version": 108
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.3",
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006",
"type": "eql",
"version": 7
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"min_stack_version": "8.6",
"previous": {
"8.4": {
"max_allowable_version": 102,
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "3a05a24c654cdb42c8718f7cf97e55b13d9be01f97cfd17a78db8f616168fa80",
"type": "new_terms",
"version": 3
}
},
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "f180246dbfb2cb7f01f796113f0a1b305d91c244c4989aef63cfc341e4431f35",
"type": "new_terms",
"version": 105
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d",
"type": "threshold",
"version": 108
}
},
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "6634f9bec3320679b3bd0b35bff114eac9820ee185c7345ca2d15e8cd1d53bce",
"type": "threshold",
"version": 208
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31",
"type": "query",
"version": 105
}
},
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c",
"type": "query",
"version": 206
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"min_stack_version": "8.9",
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "1e89013def66c292205e6328af1471ef4e60e7476f31abb7718f73d3602c3e91",
"type": "machine_learning",
"version": 3
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"min_stack_version": "8.3",
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f",
"type": "eql",
"version": 111
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"min_stack_version": "8.3",
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "d0a1dc56879cb56dc2747d8b68642dcb238491d808de81350698a3876b010d1e",
"type": "eql",
"version": 105
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"min_stack_version": "8.9",
"rule_name": "Spike in Remote File Transfers",
"sha256": "c2714b3ba5f14682e3de18a33b34ee32dd30f9b08a177f6d6ff9c79ced3ef5e1",
"type": "machine_learning",
"version": 3
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
"type": "eql",
"version": 100
},
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
"min_stack_version": "8.3",
"rule_name": "Azure Automation Webhook Created",
"sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078",
"type": "query",
"version": 102
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
"type": "query",
"version": 100
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "8.9",
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "d8ff4bf9daa5791d5125e828242e6da12e755fe8e6594f543661711e82994cfd",
"type": "machine_learning",
"version": 4
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "b067b05efba5deb9be05f4eb293d71270aec223640f2d617f1a365f86c41524c",
"type": "threshold",
"version": 109
}
},
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3",
"type": "threshold",
"version": 210
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"min_stack_version": "8.3",
"rule_name": "Spike in Firewall Denies",
"sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a",
"type": "machine_learning",
"version": 103
},
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
"min_stack_version": "8.3",
"rule_name": "Suspicious APT Package Manager Network Connection",
"sha256": "e33ef40e6926a8ebb9819b992a678c5cb30b5ca0ec2564ad888d213893eec80c",
"type": "eql",
"version": 2
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"min_stack_version": "8.3",
"rule_name": "External Alerts",
"sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6",
"type": "query",
"version": 103
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad",
"type": "query",
"version": 4
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb",
"type": "query",
"version": 111
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Network Connection Attempt by Root",
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
"type": "eql",
"version": 104
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of SELinux",
"sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef",
"type": "eql",
"version": 110
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.3",
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
"type": "eql",
"version": 109
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"min_stack_version": "8.3",
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "d83d663dcda70e00a6ab21131eed87f0b8c368ce720e9af6b55cc3ed301826a8",
"type": "eql",
"version": 110
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.3",
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "8df3afe86977d9a2b2f2229f4f6d2fb5bb39898849f2d887050d754afba715a2",
"type": "eql",
"version": 110
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"min_stack_version": "8.8",
"rule_name": "File Made Executable via Chmod Inside A Container",
"sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54",
"type": "eql",
"version": 2
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "ccb7629ab98a47b76d488ad0234349226bd54d20ba68a72bfa6d504471d57576",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df",
"type": "query",
"version": 206
},
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"min_stack_version": "8.3",
"rule_name": "Executable File with Unusual Extension",
"sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509",
"type": "eql",
"version": 2
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58",
"type": "query",
"version": 206
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"min_stack_version": "8.3",
"rule_name": "Azure Global Administrator Role Addition to PIM User",
"sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c",
"type": "query",
"version": 102
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"min_stack_version": "8.3",
"rule_name": "AdFind Command Activity",
"sha256": "35efc8cf7bf58aeb31117f913287b60e74e904cbdce764bcd90b1a649e6318e1",
"type": "eql",
"version": 111
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973",
"type": "query",
"version": 106
}
},
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "6015ee3b4d4c29fbd1e06ca5bb2947716089acffc92c07d1e1ef36a3aace0a7c",
"type": "query",
"version": 206
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.3",
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "6b7b9ccc19477616a522bddc2a00f166753629727474b6494a4460bfc09ec4f6",
"type": "eql",
"version": 112
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"min_stack_version": "8.3",
"rule_name": "Linux User Account Creation",
"sha256": "95cad73c0f9c90ae0aca50ad6528161624c9d694075e6761ef195da867643c08",
"type": "eql",
"version": 5
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 102,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932",
"type": "query",
"version": 3
}
},
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "7957913d2c6870b3555352c9d5fff8bfa7ff001d9caf6ea1db026023c46d044c",
"type": "query",
"version": 103
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "3b8d96d08eb433256b4fb0fd5206543e932d32caede2f0296b44a83ccf41868c",
"type": "eql",
"version": 108
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"min_stack_version": "8.3",
"rule_name": "Shortcut File Written or Modified on Startup Folder",
"sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662",
"type": "eql",
"version": 2
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
"type": "eql",
"version": 100
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc",
"type": "eql",
"version": 107
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"min_stack_version": "8.3",
"rule_name": "BPF filter applied using TC",
"sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2",
"type": "eql",
"version": 108
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7",
"type": "eql",
"version": 7
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"min_stack_version": "8.8",
"rule_name": "Potential Container Escape via Modified notify_on_release File",
"sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04",
"type": "eql",
"version": 1
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.3",
"rule_name": "Whoami Process Activity",
"sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202",
"type": "eql",
"version": 111
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"min_stack_version": "8.9",
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "9512995e5dffd053732011c13901b6e07071c98fbf12ad540b632ebf940f2c32",
"type": "machine_learning",
"version": 3
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.3",
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe",
"type": "eql",
"version": 108
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"min_stack_version": "8.3",
"rule_name": "Suspicious HTML File Creation",
"sha256": "a8f8624488bd94c12376e0d7098fdf1714698d2df6e877311fded9ab584a043d",
"type": "eql",
"version": 107
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba",
"type": "query",
"version": 105
}
},
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "129a8d5f0cd2075e7fe6a38059a5ddcd26d18f1d6b9d8b93950bf60863671395",
"type": "query",
"version": 205
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"min_stack_version": "8.3",
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
"sha256": "5182f386430f01d4b91371a123d7323d6c786af55e661ca361224b7e1abaab5c",
"type": "eql",
"version": 108
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"min_stack_version": "8.3",
"rule_name": "Azure Alert Suppression Rule Created or Modified",
"sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270",
"type": "query",
"version": 102
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"min_stack_version": "8.3",
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb",
"type": "query",
"version": 106
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"min_stack_version": "8.3",
"rule_name": "Potential Remote Code Execution via Web Server",
"sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7",
"type": "eql",
"version": 7
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "4c73b09f4b3001484895476ebe7fa98e28d4b4ade73a8bc8cae1bf26c22cf8af",
"type": "query",
"version": 2
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"min_stack_version": "8.3",
"rule_name": "Service Path Modification",
"sha256": "f6488872c8be23ecc9a4e3339d5de39339210c77856be3d05d90c00968a721c9",
"type": "eql",
"version": 2
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3",
"type": "eql",
"version": 108
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"min_stack_version": "8.3",
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "b10534cda59c460de168c3b9fed3d8899465199770dd6c96f2e2d65358d3cb24",
"type": "eql",
"version": 109
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.3",
"rule_name": "SIP Provider Modification",
"sha256": "637b95af638d89775bd2f924af80375c6ff258c63b53785edfb3543db910cbbf",
"type": "eql",
"version": 107
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"min_stack_version": "8.3",
"rule_name": "LSASS Memory Dump Creation",
"sha256": "f75e7dbe109ab94981359e193e38bc31d50c60ac6258c2e42dd797649989a2f4",
"type": "eql",
"version": 109
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS RDS Instance Creation",
"sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5",
"type": "query",
"version": 105
}
},
"rule_name": "AWS RDS Instance Creation",
"sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166",
"type": "query",
"version": 206
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"min_stack_version": "8.4",
"rule_name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application",
"sha256": "bf31263ee7b3dd377aad879072d95f3cfa5f487f3db9f91e6d47822700c554c9",
"type": "eql",
"version": 4
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"min_stack_version": "8.9",
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "2c43c3f3a3eab3066a67fa00b1ecf370bbb5c1a7cc41898dabf2a4553b1630ea",
"type": "query",
"version": 3
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.3",
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e",
"type": "eql",
"version": 110
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"min_stack_version": "8.3",
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c",
"type": "threshold",
"version": 104
},
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Network Connection via systemd",
"sha256": "52931e3500fd41b92dd905637912dc28861b532e3bf11d6ab79f243237f9573c",
"type": "eql",
"version": 2
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471",
"type": "threat_match",
"version": 6
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"min_stack_version": "8.6",
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
"sha256": "422469c042fbbd783e6f8aca78c507ba139de7e0aa3e364406f12f16db6db808",
"type": "eql",
"version": 5
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc",
"type": "eql",
"version": 108
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.3",
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "3d559e86203735f531cbbe7a26f5e361236760068e41b0b421f0f5d59a3c5765",
"type": "query",
"version": 110
},
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
"min_stack_version": "8.13",
"rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
"sha256": "ed5ccf8325568487fa6a05a27f41c8db181f2d419f3dd29514ecc2c7950669c3",
"type": "esql",
"version": 1
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
"type": "eql",
"version": 100
},
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc",
"type": "eql",
"version": 6
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.3",
"rule_name": "Windows Script Executing PowerShell",
"sha256": "708503003bcee46e11babb11f8aa31370e2b00f8819ad6b533d88ae777974577",
"type": "eql",
"version": 111
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"min_stack_version": "8.8",
"rule_name": "SSH Connection Established Inside A Running Container",
"sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7",
"type": "eql",
"version": 2
},
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"min_stack_version": "8.3",
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "a63046d792830722836c024689a5b5e9e1f3ac006e80e1445c1efa17bfbc98e5",
"type": "new_terms",
"version": 3
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.3",
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "e1128eff83337cf8df9523f584e2a5859c85e7d579d9655bb532de4714bd4124",
"type": "query",
"version": 4
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"min_stack_version": "8.3",
"rule_name": "WMIC Remote Command",
"sha256": "49fe04b88dc0dc6ee9776c88113935db33ecbc3c955ddb4b201acb6867022d7f",
"type": "eql",
"version": 4
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"min_stack_version": "8.3",
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "bec5a046d8ac67ff161d518d2ccf53b9138179dfc67759ad5f9078fdc14810a6",
"type": "eql",
"version": 5
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.9",
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "d6db5d4e54233628ba05c96ce487387f74b8d57d423cae36a1cfa4602ef0c312",
"type": "machine_learning",
"version": 4
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"min_stack_version": "8.3",
"rule_name": "Masquerading Space After Filename",
"sha256": "0bdfb6f39afe789ae9447ea9f33938a24d746c1017ac0646c9f1776272882e37",
"type": "eql",
"version": 6
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"min_stack_version": "8.3",
"rule_name": "Account or Group Discovery via Built-In Tools",
"sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135",
"type": "eql",
"version": 3
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.3",
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
"type": "eql",
"version": 110
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.3",
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "6b1d419bf9aa6949ee92ded6a11fd322e88da4c01130617ee0d215449c773841",
"type": "eql",
"version": 109
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"min_stack_version": "8.3",
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b",
"type": "query",
"version": 106
},
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
"min_stack_version": "8.3",
"rule_name": "System Hosts File Access",
"sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571",
"type": "eql",
"version": 3
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"min_stack_version": "8.3",
"rule_name": "Azure Service Principal Credentials Added",
"sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103",
"type": "query",
"version": 102
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 207,
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd",
"type": "query",
"version": 108
}
},
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc",
"type": "query",
"version": 209
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"min_stack_version": "8.8",
"rule_name": "SSH Authorized Keys File Modified Inside a Container",
"sha256": "d08ada3a6198777da68c1ad854b2c989ea3c25a2cd89c68741c538de9a433237",
"type": "eql",
"version": 2
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.3",
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "a1bc8b73c4533f942aac0721b6a1345272ca6770fde9d130e8f62f115eb42177",
"type": "eql",
"version": 111
},
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"min_stack_version": "8.11",
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
"sha256": "39e51bf1355bc9d55908c45292191667d343c6e7e55bd924acc646c39149c813",
"type": "new_terms",
"version": 2
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec",
"type": "eql",
"version": 109
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87",
"type": "query",
"version": 106
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.3",
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "78279bb6af6824e60ded36c81c6ef322b9ccaeb26c92549abc2921bf4227941b",
"type": "eql",
"version": 110
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0",
"type": "new_terms",
"version": 1
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"min_stack_version": "8.3",
"rule_name": "Unusual Linux Network Configuration Discovery",
"sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042",
"type": "machine_learning",
"version": 104
},
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"min_stack_version": "8.3",
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "5952fcaf652a5286441fc15039faeb8970ad18ef5832358bbc5385c6e09ed734",
"type": "eql",
"version": 7
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"min_stack_version": "8.3",
"rule_name": "Browser Extension Install",
"sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a",
"type": "eql",
"version": 2
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.3",
"rule_name": "Privileged Account Brute Force",
"sha256": "6b7871e9961be78c2d06f1cb08a639f6b4d3dcb022d16261b56fa3472f8f7d70",
"type": "eql",
"version": 9
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.10",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06",
"type": "query",
"version": 105
}
},
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "248121396e46c80ff9a64d88848fd372e40eef61b3d43d31e6ef56a70477f392",
"type": "query",
"version": 205
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "3a766093b0d4f34997e59583bef56fb42b94ebe8b4d5d167f6f5123519f92525",
"type": "eql",
"version": 109
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"min_stack_version": "8.3",
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda",
"type": "eql",
"version": 7
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c",
"type": "eql",
"version": 7
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
"type": "eql",
"version": 9
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"min_stack_version": "8.3",
"rule_name": "Potential Disabling of AppArmor",
"sha256": "e1fc21035bd0018c82e188c8ebe6241aa878a214edaf3895b806621f5d82d2e3",
"type": "eql",
"version": 6
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"min_stack_version": "8.4",
"previous": {
"8.3": {
"max_allowable_version": 101,
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "44de9f686412f5ba599fbbf3c20d3d9a0e941c644469a473712133ff1293bf6d",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "1af8edb01a1cfb710c926f5d006909a5e7139b1a95763ed5fbc88147f1eab9bc",
"type": "eql",
"version": 104
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
"rule_name": "Network Connection via Registration Utility",
"sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d",
"type": "eql",
"version": 108
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"min_stack_version": "8.8",
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
"type": "threshold",
"version": 1
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
"type": "query",
"version": 100
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"min_stack_version": "8.9",
"previous": {
"8.3": {
"max_allowable_version": 204,
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4",
"type": "query",
"version": 105
}
},
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004",
"type": "query",
"version": 206
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.3",
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
"type": "eql",
"version": 109
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"min_stack_version": "8.8",
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf",
"type": "new_terms",
"version": 1
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"min_stack_version": "8.3",
"rule_name": "GitHub App Deleted",
"sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
"type": "eql",
"version": 1
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
"type": "eql",
"version": 100
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.3",
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "c6e0f3ed2de57cd525aed211c660fafb3d244519f29423756b1e01f95a1f7469",
"type": "eql",
"version": 110
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.3",
"rule_name": "Suspicious CertUtil Commands",
"sha256": "1eefd434526b2d048a615ba540bf83da7ee5150eae84ff517f5de3e7668c964b",
"type": "eql",
"version": 108
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 206,
"rule_name": "Svchost spawning Cmd",
"sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04",
"type": "eql",
"version": 107
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "6d152e1d87343af4204868f6661565208bc41bc7fa3b54d2431de77ade274f91",
"type": "new_terms",
"version": 212
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"min_stack_version": "8.3",
"rule_name": "Image Loaded with Invalid Signature",
"sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d",
"type": "eql",
"version": 2
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"min_stack_version": "8.3",
"rule_name": "System Binary Copied and/or Moved to Suspicious Directory",
"sha256": "64a298cfd46dd919d8d6d349126b6a4a90347cf9eb7a23661803b528c1bd2828",
"type": "eql",
"version": 7
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "1ccbc020df7ccd578a04c6a962cba1a9eb01217fe0325d1ebb52cfcae454276e",
"type": "query",
"version": 4
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9",
"type": "query",
"version": 5
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.3",
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "1049a012554fe790510c642962136afe7809f3cb6743d41c94d9064cb5cd0275",
"type": "eql",
"version": 110
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5",
"type": "eql",
"version": 4
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"min_stack_version": "8.3",
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
"sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87",
"type": "eql",
"version": 2
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.3",
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "0cb2724deeff775fe087f8fc28747011973bfa19b4924546d551ae231cf102e2",
"type": "eql",
"version": 107
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"min_stack_version": "8.3",
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055",
"type": "query",
"version": 103
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"min_stack_version": "8.9",
"rule_name": "Potential DGA Activity",
"sha256": "f1777c34722961e6332a58230876ae5519c4fc7e7a09d1450eb0038aeabe2640",
"type": "machine_learning",
"version": 3
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.6",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "8d0088142351af95023ec0cbec030e26da4de32891f90802ece09174e3446293",
"type": "new_terms",
"version": 9
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",
"rule_name": "LSASS Process Access via Windows API",
"sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18",
"type": "eql",
"version": 7
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"min_stack_version": "8.8",
"previous": {
"8.3": {
"max_allowable_version": 205,
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "e247dbb68f81f5c55155bea1dd2a757717bdc740b8259a933165e5a612d3cdb7",
"type": "query",
"version": 106
}
},
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88",
"type": "query",
"version": 206
},
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
"min_stack_version": "8.3",
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
"type": "eql",
"version": 1
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"min_stack_version": "8.3",
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068",
"type": "query",
"version": 104
},
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366",
"type": "eql",
"version": 5
}
}
Reference in New Issue View Git Blame Copy Permalink