{
|
|
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
|
|
"rule_name": "Attempt to Modify Okta MFA Rule",
|
|
"sha256": "e7230e37b0012ca864c73d09e735e54bcbdc3f7cb939e0308820d699de482d15",
|
|
"version": 1
|
|
},
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "f68a9dce69186cf8572e292ecf08940d2147a15758ea95fdc2c7f088de2b90cf",
|
|
"version": 3
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"rule_name": "Potential DNS Tunneling via Iodine",
|
|
"sha256": "b5191f150c1ebb72435b3d9f7fa94f5899d19721c18e0bdaa29fd60fa8467bc7",
|
|
"version": 3
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "d0be61c3e42cf4bde25d38756c9c22b8a22823b69d30a865812f5df76e36694f",
|
|
"version": 2
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "8fd2873dee5de5a9b8d13d61c4e7ac8d9125a6a0f367bf64fea26470b8d96fda",
|
|
"version": 3
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "2057dea2544576064924167ac3c3a0cffb69623636a385120791a54725cd121b",
|
|
"version": 4
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"rule_name": "Malware - Detected - Elastic Endpoint Security",
|
|
"sha256": "cf235efd02e861f1c87580d9fc3027c05d58c80ec19b8a4680b0cb9c4b794088",
|
|
"version": 3
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "1697d1e69b1cc81d4f3fe77471a9f843268be52e12f6b76679ff206cc44ba4b2",
|
|
"version": 2
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "c85589b020359d809d3f65951b4cee3cc7c10da104effeeaa2fc920eed8ff4a6",
|
|
"version": 3
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "11cb63b795999bdd1ea0eb1d4cbf5c6b8d86c4945a480136eeaa80f9161fd522",
|
|
"version": 3
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "823211d2d9e7031bcc9ea0b8602b7e2dda7d6cf7b53dee522c071d8fd2a71d2a",
|
|
"version": 3
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "5b24e533677a2f73bf8b544ce6fbf607947458de6b8882958699b9598a3d4a60",
|
|
"version": 3
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "cbc8586826f96d5f656bee2ad503dd04e7969434458387de04f4064d8339fa9f",
|
|
"version": 2
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "3168a7ff380f965f554d8554a6048500bc6d2e623012a637a69604d4dde5aec6",
|
|
"version": 4
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "8c8dd977effd5f405e825323debef05986b8e59e8aeffab769a5a17c56f90838",
|
|
"version": 4
|
|
},
|
|
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "dc63fd09b50ada3a1d9e17f321e591716802a15bc98ad7933fbf1e638c8a9485",
|
|
"version": 1
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "36917b05e364e40334cb847ccadc8625146ce9be717185331ed0459dc974e552",
|
|
"version": 2
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "e5ac3b3c6f68d19a432a54215a555c1d103dcb14a8c00cb60e8fcc4f0d6e652d",
|
|
"version": 2
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "6787261e6c69ccc08f746484c360086764f048c64faabe20f7474007380f5f44",
|
|
"version": 2
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "d7b106c8c4863604d0712ad08ccce72e50dc8137297f90ff7a000e0f0f8d113a",
|
|
"version": 2
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "21f4744229d682e68489bed55ec395634a81783217b4f8356a49566e6f5e17d1",
|
|
"version": 2
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "223ca77fb5f7df75f08ae4253b6d99599ee46fbebe0843d4e3249b756afcc57e",
|
|
"version": 2
|
|
},
|
|
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "cfcaf312b57481ecdbc8178c56fa63218e84f8688117c0d7a4cefb1a56953ceb",
|
|
"version": 1
|
|
},
|
|
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "8c7e44ef3c20c8688412d06a94e63987aa6b2c1855b1fdb69a40b6e22d81f00c",
|
|
"version": 1
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "74696927e06e5fe8c85631d79fbe1c3a4a6b4050e8a47bbe7c15189a0407a7fb",
|
|
"version": 3
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "7bb31e4849331d9eb2654a8dcc8e8f7e92932705a68217ddfeaf56def57a7e85",
|
|
"version": 2
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"rule_name": "Exploit - Detected - Elastic Endpoint Security",
|
|
"sha256": "25dc927509d993054908f0797f8c848f5be07a1eadf4c754b95d6a8417aa8648",
|
|
"version": 3
|
|
},
|
|
"227dc608-e558-43d9-b521-150772250bae": {
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "72ab8004269800921494b64af09b7bc0e0aa4812c6502e014270e971b3b5c00c",
|
|
"version": 1
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "4bfbdc1a0d610ccb336a4816910e33f31ab91509561cfd36f9796e0a3ac975fc",
|
|
"version": 4
|
|
},
|
|
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
|
|
"rule_name": "Net command via SYSTEM account",
|
|
"sha256": "ea63231f092eb92bb5af6281ae6a75d533362eff9969622f300b444469215456",
|
|
"version": 2
|
|
},
|
|
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
|
|
"rule_name": "Exploit - Prevented - Elastic Endpoint Security",
|
|
"sha256": "56d0db57a57e386c8262f99e5165c8cd829b6da94536f62bf08353ab494394ed",
|
|
"version": 3
|
|
},
|
|
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
|
|
"rule_name": "Adobe Hijack Persistence",
|
|
"sha256": "05564512fe328ac4a4fcfffe78ae6a65ea0d787a48aceaf575edae53c7f95d0f",
|
|
"version": 3
|
|
},
|
|
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
|
|
"rule_name": "Enumeration of Kernel Modules",
|
|
"sha256": "d599196e0f60c0f8dffb2d1fca21196e2c6ddf937531106b6bb8e633bfcc3333",
|
|
"version": 2
|
|
},
|
|
"2f8a1226-5720-437d-9c20-e0029deb6194": {
|
|
"rule_name": "Attempt to Disable Syslog Service",
|
|
"sha256": "c374f6e74954bf81a5cbbe653d457c42b7f23208449b56ac24281d0d6a1e91db",
|
|
"version": 2
|
|
},
|
|
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
|
|
"rule_name": "Bypass UAC via Event Viewer",
|
|
"sha256": "92fb6101c53b13f0bf3405f410860ce804f3ba778e06f566431dcda90fe894ba",
|
|
"version": 2
|
|
},
|
|
"32923416-763a-4531-bb35-f33b9232ecdb": {
|
|
"rule_name": "RPC (Remote Procedure Call) to the Internet",
|
|
"sha256": "91e9006ede6167bc0e1b0a606f1408741db7ac6ba5ade4a65e960cb6e1684069",
|
|
"version": 4
|
|
},
|
|
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
|
|
"rule_name": "Suspicious MS Outlook Child Process",
|
|
"sha256": "582776dd04e5cd8c0f07883b793d2cb8e663233686cd8261b144e394e5bc00b3",
|
|
"version": 3
|
|
},
|
|
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
|
|
"rule_name": "AWS IAM User Addition to Group",
|
|
"sha256": "f0b0e824fde388a4217c0ccb4c8168deaccf74e0576ff4a2748cb958b4ec1c09",
|
|
"version": 1
|
|
},
|
|
"34fde489-94b0-4500-a76f-b8a157cf9269": {
|
|
"rule_name": "Telnet Port Activity",
|
|
"sha256": "d52d770cacb099f8fc38d85ba230ecd94878c17fe3e6e9f79a0e55ea38f5c0a8",
|
|
"version": 3
|
|
},
|
|
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
|
|
"rule_name": "Unusual Parent-Child Relationship",
|
|
"sha256": "7ce5606939cea6e45c7659bde7b679c0c33a164a9cecae385eb2a89379b7bcde",
|
|
"version": 3
|
|
},
|
|
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
|
|
"rule_name": "AWS Execution via System Manager",
|
|
"sha256": "bc6bb14775383d504e21151c603c84cdb436c03b106b0e2a7b46d398143584a3",
|
|
"version": 1
|
|
},
|
|
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
|
|
"rule_name": "Attempted Bypass of Okta MFA",
|
|
"sha256": "6adcfe622ebb2e1205cc4a4dc2a3b058f995a21602721b04407ed751641ca206",
|
|
"version": 1
|
|
},
|
|
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
|
|
"rule_name": "Network Connection via Certutil",
|
|
"sha256": "9d456ed87d910cb6ebb86be154c58f80a7e4a011f8f55ddc2ff451f3efc23fe9",
|
|
"version": 2
|
|
},
|
|
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
|
|
"rule_name": "AWS EC2 Network Access Control List Creation",
|
|
"sha256": "554c42dd3f30ca0140797069242d16be3fab75dd59fdd820054c6c4645dab00e",
|
|
"version": 1
|
|
},
|
|
"3a86e085-094c-412d-97ff-2439731e59cb": {
|
|
"rule_name": "Setgid Bit Set via chmod",
|
|
"sha256": "10a09743e9baaae69190eabcc1d7f6fc61ff8da5e7ff5a79208b7b25f2c05473",
|
|
"version": 2
|
|
},
|
|
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
|
|
"rule_name": "VNC (Virtual Network Computing) to the Internet",
|
|
"sha256": "d73415ca5e745ebbd0cc4e1c6805a1a58bef4740666f14c827e50766c26476a1",
|
|
"version": 4
|
|
},
|
|
"3b382770-efbb-44f4-beed-f5e0a051b895": {
|
|
"rule_name": "Malware - Prevented - Elastic Endpoint Security",
|
|
"sha256": "1de71bf0dca33368f44c2c020e159bcde7a48982e3979729a594b5a4bc190a9e",
|
|
"version": 3
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "76e7d9d43d610d2299dffac8d6ffde9648afd588f3c8f4df90ac370ffa416c57",
|
|
"version": 2
|
|
},
|
|
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "7fd31ec2dff167c29a32969ae7c2e83c12a7b473c5a6259d577ee2bf997be039",
|
|
"version": 1
|
|
},
|
|
"42bf698b-4738-445b-8231-c834ddefd8a0": {
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "1333a0ff14b05aff2b16fd4c2768af221d10df3e1a85059e66f3e7b0dc582d4e",
|
|
"version": 1
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "45aefd42ccd184d5d3015dc3a1cc5ec131a402884f578f40815213c71143722f",
|
|
"version": 2
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "3f96283628d73912878e47073e8094a219c6e8c260e6094055fe753e6ef903b7",
|
|
"version": 3
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "2625e3ebfa6328b4d7803a9390b136d4d8d944bcc71a0bbdc8c2c85717c967bd",
|
|
"version": 2
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endpoint Security",
|
|
"sha256": "bb1865e997d39d7c7d272d8b31538666e2a9600336304c4b558a4cfadb10c25e",
|
|
"version": 3
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "9cd83ec78d98435f5388ded75a9b1034f52da57884d1052801099e79f1087072",
|
|
"version": 3
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "a5208685993a30816029b70a8d51f0a5cda6dd19b6864c4dbfe86977b326f746",
|
|
"version": 2
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "637246c78b6fa0905bfc47ca942265bc7fc7daa16e544a1dad9aacd0d8932e89",
|
|
"version": 2
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "5b03dfdf92939205720bd9a2a6ba3fcac321ab46278a63cf862a9ca8881623a7",
|
|
"version": 3
|
|
},
|
|
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "8a44ca241191004ae1c7d535cfbc90116d4ef56e7f6941cc3e3cbb7303633791",
|
|
"version": 1
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "f92bcc8271ce1e1082d42f76466838e17a0e94800d8c667f36df7f5dc55a1f92",
|
|
"version": 4
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "a728aa2cc5aa9069c78ef89989e5894c8d1782ba5d85c9d5c0abb22fe6d9a6ad",
|
|
"version": 2
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "ffd826b4cd0c45b2193f022109c2ed58f54ee722f0f738845d2be2041529d780",
|
|
"version": 2
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "3a21e7de28af69f13df5929cdc14c7de727a99b6189fa33d4f60f3b55a42e433",
|
|
"version": 2
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "82ba007857d824bcb38916fca098f15f5bb777191a7403c8e31f860514664d6b",
|
|
"version": 2
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "b05123353ff4a1d27d4631d4bbc2f16860b755c4c32ec12dd65583f752866f43",
|
|
"version": 3
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "87396c542097d7e2dd7f971aaefce97ad2d44cfbdceb13bca458f983fe6fa8fd",
|
|
"version": 2
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "2137e4281cddedab4cdbdd8247616a3bee15fa285682d7b95633272a57c8e006",
|
|
"version": 4
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endpoint Security",
|
|
"sha256": "16d5323c26e28a90a60b9e855819cc6b97cbed9a1d2cc6888b5fa14fcf11bf15",
|
|
"version": 3
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "a2f23de5e7249c0e4e28212eca17fcf83fdbea776f898f3bc5c456d9b80deb43",
|
|
"version": 3
|
|
},
|
|
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "068af758f1ff3e0d031c5cfe35020b6f0288b12dd9d66ddab288002e0b1e05e6",
|
|
"version": 1
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "1de8ead775e787c3256447c82655c40866a9513c245d1223939e04cb9f9763cf",
|
|
"version": 2
|
|
},
|
|
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "9bc533bac9e9abefc27a1adafb40c6fd99c0e359e469e9577b1efbaabd3ce356",
|
|
"version": 1
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "1ad6e642d8c578f97d2569cc471059c7029ec1190e89c9dd0042c5a88906275b",
|
|
"version": 3
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "64a4c6687e8b28df55161028153804821cace7ea512cbabe778d559283d14a8d",
|
|
"version": 3
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "404f0a34bef511d70d8dd11f094e02aa8a3fe938bdfb3d4441c4dbf6ea1a2cd3",
|
|
"version": 3
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "6ca827084277205952821ef76e28cc5a3c9e837fc0acc0342a32db5c67a428ee",
|
|
"version": 2
|
|
},
|
|
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
|
|
"rule_name": "Attempt to Modify Okta Policy",
|
|
"sha256": "38bd3bfb4bc91af943ccb1720848358f178b6931d65b266edff08ce1c90a7e83",
|
|
"version": 1
|
|
},
|
|
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "77ac6c19df3acb42de629d1cf267c16b086d00055dea2bde9a72e06e78d9e015",
|
|
"version": 1
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "22d11f4013bd73e1e115211b366763fd0b11995dd815916c0cee80f0ccd78c1d",
|
|
"version": 4
|
|
},
|
|
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
|
|
"rule_name": "Threat Detected by Okta ThreatInsight",
|
|
"sha256": "80a86cc85576646b9db95dfa9f4924e52641cd4acc303129e4e8b774521f6126",
|
|
"version": 1
|
|
},
|
|
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "74b68b5a2a6e6fe020077c596b9b0a87a7c21bade893f197f92c92cf1ebd78c4",
|
|
"version": 1
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "c9771d9c525e750a0017693621b03d3aef6a3ec5773461ed3a1661ab43f85b53",
|
|
"version": 2
|
|
},
|
|
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "ee55403ad95ab22aa2ac5d8d7c388e92703b99eda4d7ea28da482b548bc47691",
|
|
"version": 1
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "7f79263265e25ce495fb3b557ca7cfee951dca089cbc14a5b192c917d0b7bb7d",
|
|
"version": 2
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "ea801143086d4558886f5c91f70433689952a90dcfd370c6d7f3366e23ef702d",
|
|
"version": 2
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "c45b8f43aaf392553bc8565a0ff6079f16dafaf1e4b6328bfb33aeda43aaaa77",
|
|
"version": 4
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "6acb7d97e42965a327c13fc188392ab14a08a40489ebbcd454e61a07c19a1650",
|
|
"version": 4
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "5467989f4ef94dd3c6b8df6b4b1e9609335c37474706889457433fca0f3c8682",
|
|
"version": 1
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
|
|
"rule_name": "AWS Config Service Tampering",
|
|
"sha256": "4f59fbb90ee508242779e252ea128487f58bbe1ed925441ee1fc3a39b48dc112",
|
|
"version": 1
|
|
},
|
|
"729aa18d-06a6-41c7-b175-b65b739b1181": {
|
|
"rule_name": "Attempt to Reset MFA Factors for Okta User Account",
|
|
"sha256": "2b125723ee269c57de27fd76a9fa970f7cdbfcb1ab8c878565097f774df9fdd3",
|
|
"version": 1
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "edcd5b6adeaa24b39ed57d401844fda13b07a95bd82863ee3d74b5df04020b11",
|
|
"version": 3
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "2e83758195426759f474e25a59427e0e1c9f1784528e8d31bf861ade42da8186",
|
|
"version": 2
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "9277093d6875b1d2ae7dd347d3b7fa8db344c053a62bcc886a2290b86ee18518",
|
|
"version": 3
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endpoint Security",
|
|
"sha256": "930dc5d6fc719ed0536d6c32b959666a726625e72fe80c63beefecee2ff0f495",
|
|
"version": 3
|
|
},
|
|
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "878f2171b2ac7b514991f9b9c25af495905d25515ca2f2cde25b4fe84e3f93ed",
|
|
"version": 1
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "c2c87b8c43abfa894c8e9d4fae2a21a63ad5e6608775215ee4315901207fc51d",
|
|
"version": 3
|
|
},
|
|
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
|
|
"rule_name": "Deletion of Bash Command Line History",
|
|
"sha256": "90b821385ca30c677f757792c1f20543e852cc3e84161b7c67418e0795598fc8",
|
|
"version": 1
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "83a2131189e58a38c4a31aa4e54751626eeb1cf80867c21dc344749a252c0db2",
|
|
"version": 4
|
|
},
|
|
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "1a5c7d4c0acf3ca14a00735df9852a9f66069139de940eb86ef9da409a93df32",
|
|
"version": 1
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"rule_name": "Process Injection - Detected - Elastic Endpoint Security",
|
|
"sha256": "ccca2ab5467bbbb8a8ccf1d6ca6a8396839f0f5daef67df9b45e2c709a9c7bb0",
|
|
"version": 3
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "80125097341af87cd48b9ad11105d466d5956ccc306450a562cfd0eb3ba33e5c",
|
|
"version": 3
|
|
},
|
|
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "44fc8a84430a247ef479cfc22f09af928395d1a68c162695bd2f1fe74ddb669b",
|
|
"version": 1
|
|
},
|
|
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "a2d9d722c68c041bb26d4bb85d7615765f7cd6dbf15ba8ad19ff9a0be2a18bc7",
|
|
"version": 1
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "d6e40340f9ba714197d88dc37469a496ef047131805e4bf2115c1cb498aaff2c",
|
|
"version": 4
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "84bf6f16be980111319510f8654f6b42ac0a4e73405b2f031c9d5b0633e71014",
|
|
"version": 3
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"rule_name": "Setuid Bit Set via chmod",
|
|
"sha256": "80d32998b1c5af4f744b6890f5b5d734fd59f208e072929836a823619660d6b5",
|
|
"version": 2
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "9c678e34d82a66ba6f1316d96ed990c1dc77274ba54f40714dd5397b5c19967f",
|
|
"version": 4
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"rule_name": "Ransomware - Detected - Elastic Endpoint Security",
|
|
"sha256": "8f1c885f6197487c9fbbf88b66c7080b7785add5683651bb2d3a16c887f4b157",
|
|
"version": 3
|
|
},
|
|
"90169566-2260-4824-b8e4-8615c3b4ed52": {
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "a981451a19485a25d6fe0c5a5c6760be1d66decf16a4989d48754e3b7add6ab6",
|
|
"version": 3
|
|
},
|
|
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
|
|
"rule_name": "AWS RDS Cluster Deletion",
|
|
"sha256": "1859295025727023cc7909e4a23b6fbc105b7fa20780e197619e257d9c4f2373",
|
|
"version": 1
|
|
},
|
|
"91d04cd4-47a9-4334-ab14-084abe274d49": {
|
|
"rule_name": "AWS WAF Access Control List Deletion",
|
|
"sha256": "deaf75945036241126ef6fa3c886f67b82760f41f0db7de5ffccbbebd126dc25",
|
|
"version": 1
|
|
},
|
|
"91f02f01-969f-4167-8d77-07827ac4cee0": {
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "eb54cad9c20bbed0348cbdf81778221c5f78c4a893e520c84deff016d4b81328",
|
|
"version": 2
|
|
},
|
|
"91f02f01-969f-4167-8f55-07827ac3acc9": {
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "993ea8037cc7f04431563a10c526803be22b8693a18b4a4628b46d11609632bd",
|
|
"version": 2
|
|
},
|
|
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "8b401f043c87d8012c04dbd86b0b419574a8cb18a2520bae9c606317845acce8",
|
|
"version": 2
|
|
},
|
|
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "d11b8d0bb029ec776940640f440bc35573b8d5a83f2306cc9365c36dd2110be7",
|
|
"version": 2
|
|
},
|
|
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
|
|
"rule_name": "AWS EC2 Flow Log Deletion",
|
|
"sha256": "a07ac3fd787f6fa03fc452f068782d4a6750e76de83097551495865091307436",
|
|
"version": 1
|
|
},
|
|
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "1f857755423c0bed3d659452e148cd346fd059f7674b0e6eddaf58128a238ec6",
|
|
"version": 1
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"sha256": "feb2b3549a08e130d7b06da043cae62e646e2199b3c31bb71aa7ff059c3a7b6e",
|
|
"version": 2
|
|
},
|
|
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
|
|
"rule_name": "AWS EC2 Snapshot Activity",
|
|
"sha256": "840005729165b8c2d84e64b83bbc337b7b34e2ee4298922e23c9ef304dc9fa71",
|
|
"version": 1
|
|
},
|
|
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
|
|
"rule_name": "Process Injection - Prevented - Elastic Endpoint Security",
|
|
"sha256": "68a43b05df8c141fa36b6fbe9272b51f39f45f1ce41a5e8dab442fe379612b33",
|
|
"version": 3
|
|
},
|
|
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
|
|
"rule_name": "Elastic Endpoint Security",
|
|
"sha256": "bf71c88346cdee0c29ed5ec74723e873a3d579784ce79dca1e96668c9525b2fd",
|
|
"version": 1
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"sha256": "d752b66cbbeace2be75cbb9f537c2616a93f3afaeff642192cda616b2901b421",
|
|
"version": 3
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "2f83765c4911e648c0be0db638d9cc346965a71141933eac60f40861b9b7cd91",
|
|
"version": 2
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "a21ff9b2f5134165746bb88ae1aee78d6bd955a455052c829ab18ccd9f06118f",
|
|
"version": 2
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "6734ab6912ee86be6f5eff281217b5f9c95ac51596cd01d2f9359cc3b8de7758",
|
|
"version": 2
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
|
|
"rule_name": "Microsoft Build Engine Loading Windows Credential Libraries",
|
|
"sha256": "9aa85ddacb0b3441dfcb53ec6d5b5c5ce908c558a242c764bd3f44624f8153ee",
|
|
"version": 2
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "2c2569ff1e94344e1f975de973207510adf013f3a1d023c86508e8a116014454",
|
|
"version": 2
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "11408d55fdfb3692af922f829dbb1ece3131f59b6486d9f5d27572beb172d862",
|
|
"version": 2
|
|
},
|
|
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "15ed502ec9c70e5b3fa1de7c99ec0877ac1907ece60779a324b8461956093012",
|
|
"version": 2
|
|
},
|
|
"a00681e3-9ed6-447c-ab2c-be648821c622": {
|
|
"rule_name": "AWS Access Secret in Secrets Manager",
|
|
"sha256": "d642e98b3e076e633ca985b67690dc130e7e8dff683221673cdba5bbeaf5b584",
|
|
"version": 1
|
|
},
|
|
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "4f3f62c5999ec7b6e172437a4f359adc08bb68fc7a83c954c4f019b5d64a8664",
|
|
"version": 2
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"rule_name": "Network Connection via Mshta",
|
|
"sha256": "59d713111ca42fcac2769d8939303019253c300d5455524e3fff4446f24282ad",
|
|
"version": 3
|
|
},
|
|
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
|
|
"rule_name": "AWS IAM Assume Role Policy Update",
|
|
"sha256": "2ada6c757e1263e796387b4f8f3ad22df6208c7883e4cc040875dcd20a1f7171",
|
|
"version": 1
|
|
},
|
|
"a624863f-a70d-417f-a7d2-7a404638d47f": {
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "63f8ff2b6aafc463ae4759cabe61f70564a50e3d77328cf40916ae99b7ea9813",
|
|
"version": 3
|
|
},
|
|
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "04570e79c085d3cac740e046e3448362b8438d9a99c9b399168381945773cea2",
|
|
"version": 3
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"sha256": "c22e81459d98bd8fc47e911677c6ee40218253b7ec3bcb2e21c3d7e6116e7d4e",
|
|
"version": 2
|
|
},
|
|
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "c6224e1b5be58c085435d8673229f7e70e6bc87f1bd11ddb46bbb7f0cc435e7c",
|
|
"version": 3
|
|
},
|
|
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
|
|
"rule_name": "Unusual AWS Command for a User",
|
|
"sha256": "ce52e2d02b90df1e3ca736fc26c70d3e2f2620a9db338e3c97c668081e6fc900",
|
|
"version": 1
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "0596288e875728453b19e654f4f6e52c3dc4fe48d69c52a04a8c18f5e05724f5",
|
|
"version": 4
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"rule_name": "Netcat Network Activity",
|
|
"sha256": "eb3f95d0ec4f799be133ce35a3b5365edbdf780a99a638023ef5aff1f64c5b1e",
|
|
"version": 3
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"rule_name": "Local Scheduled Task Commands",
|
|
"sha256": "5850b379eef292ad97ff952faf36cd85e8ce9f9c34e36b3f0efe0b844cde9c8f",
|
|
"version": 3
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "397a3304cb369f9f0567541e5bd84323c385ec834cb499a0e67d718f64006f52",
|
|
"version": 3
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "d4821cc663dcd04faa0dee1bb378f9e34e9e1f909bf935443e1ce0fa4055726e",
|
|
"version": 2
|
|
},
|
|
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
|
|
"rule_name": "Attempt to Delete Okta Policy",
|
|
"sha256": "01518daa44aeaab1e69ff8e839d09993ac3dff4bee42db07cc9f72061c7f450b",
|
|
"version": 1
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"rule_name": "Volume Shadow Copy Deletion via VssAdmin",
|
|
"sha256": "9a89bb4616053a27b9da19b0e039f20b5b06eddb82c0254daa490038e565943f",
|
|
"version": 3
|
|
},
|
|
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
|
|
"rule_name": "Attempt to Deactivate Okta Policy",
|
|
"sha256": "260673214731a4388538f29a28dd04e1c49db7f4e79b2e8a4a839ab169c24de8",
|
|
"version": 1
|
|
},
|
|
"b8075894-0b62-46e5-977c-31275da34419": {
|
|
"rule_name": "Administrator Privileges Assigned to Okta Group",
|
|
"sha256": "5632521575581aedea783c9b845524be2de4e8f1a5e1b52566dac7b3db62785a",
|
|
"version": 1
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "a6b35cd7c01efd9e3ff5f09556cfeae330c4c59d78c7d467cf32b8c376f93371",
|
|
"version": 2
|
|
},
|
|
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
|
|
"rule_name": "Creation of Hidden Files and Directories",
|
|
"sha256": "0032ef35ec0d687bcb474eedb0e01318c6d305c658ec692cf78bfb9d1bf2e1dc",
|
|
"version": 1
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "8de6f1c5e4d700262cef0544529d3b788e0298c32283cc3f92e97968ce3b59f9",
|
|
"version": 2
|
|
},
|
|
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "60ae1b84baff1b57148144be22fb1fab68acc6c121388e267c0e06762d5fd1a2",
|
|
"version": 1
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "1b8d4953e6732a9a3ef60f7ee29e4a69a50750a56448334dc0bc0f06d6c1a3f7",
|
|
"version": 1
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endpoint Security",
|
|
"sha256": "b52ff8fc9a81095d6fab9fc74b1990c8e8882403fe6eaf33f035f0473ac86572",
|
|
"version": 3
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"rule_name": "Permission Theft - Detected - Elastic Endpoint Security",
|
|
"sha256": "17c3166c1f15f852bd7d969a0e07962377ffa92769690eada8f0ad5ee6460587",
"version": 3
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "dd84d55464f543307c27a7f776fafdb99ab36e58ad7a7d5cbe9dbd3bd4c39a33",
"version": 2
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"sha256": "26855945696ccd5efe39e4c6e0f53dc80d8af97b7a4b927790da064f4a7102e5",
"version": 4
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "0b3597c5c91897753305ee323198d7acfedf2098d69287ba2dfbce7676940576",
"version": 4
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "Direct Outbound SMB Connection",
"sha256": "f323552f1aa665fbffde188f19226fda514df98d5e174725d61cd0d413ed8130",
"version": 3
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "b0134afadd79015919a72fb3e6fa0f3994aca735609a71ab4aaa03c89c6ceee4",
"version": 3
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endpoint Security",
"sha256": "f8f63b01f7675b23489b6b8c06f68a5c02516706d5a92f2beb5c8425925fb51a",
"version": 3
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
"sha256": "b58371646e73225044b02876cefe65dfeb96a8be81b39da0cf93094af30c34e8",
"version": 3
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"rule_name": "Attempt to Deactivate Okta MFA Rule",
"sha256": "e2eab87ea117ee00a592cd37fb71d7b7a3dd98e5ddfae8372d241ccf867cc9f0",
"version": 1
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "a132753ad56c8475bdc9fb137b92fa594f6976a3697ac6e6a8c7536e14651290",
"version": 1
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "68d871126791b1040df2c53b6dc057432217be3b4376703b7cb81a2057344720",
"version": 3
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"rule_name": "Kernel Module Removal",
"sha256": "f9fdcf439337f1fe71aa24215d02c09249e9cfb978f217d3edef60d6607d9403",
"version": 2
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"rule_name": "Attempt to Deactivate MFA for Okta User Account",
"sha256": "396f243a682ad551b4aab5079679f7e10b35f243e223c09d914003c38f2a68aa",
"version": 1
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "323b7718cfeb8ddb94d27961ac2f3d47767b5f6ae02f97da32f13c22e2726582",
"version": 3
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "6bf85d1d2f89adc041f3190145f1de20672f190727b302eaaf43268951d5e100",
"version": 3
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "8bdc6cf7bf0a97f98345d321612263de58f0bd6d649cb98360a776b8af7dc37e",
"version": 3
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "2021499caa2a2176a0b86ac263f23a7518297480f0e0215dcc3a22895005edca",
"version": 1
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "9d82b60fa077eab2c9bd133e9a3c4d56e2cf3f1ba86047b23540dc6b837266fb",
"version": 3
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "6e298f0f3fed486ae6f4eb0a4d93d8deebf1597264ec5ac5ed32c42d8616263a",
"version": 2
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
"sha256": "28fa30167bad1a2feb0868794e0cc3d05c54a6245e14b13d1f3323ef386f247f",
"version": 3
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "46878290e9bdd3e13049723afe9522c8b81af03e08648c90bba7782c1368b4dc",
"version": 1
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"rule_name": "Credential Dumping - Prevented - Elastic Endpoint Security",
"sha256": "2c5599ac23ed0959ec53b00503b7a05ee68b12c975a39d25047bac8e87254759",
"version": 3
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "64fccc407b6b538dbab612c8a8040476660146645f1940b48a64a324c51e705b",
"version": 3
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
"sha256": "865d4e9d7e291ee018c098eea8785ef6cbcd98368594eeadc7e66da52159931e",
"version": 1
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "5f837c9e27f696b82b77dcb7d2c4a1a92142c2464451fc000104488ed8d65160",
"version": 2
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "88700a3ed7404230c3fdcfb911bf74ef67178524e736a46f09cd82435b4e825d",
"version": 3
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "AWS RDS Cluster Creation",
"sha256": "3ad5cf801bdf9baae1e7e2c260d90108d185fd7af724cee0475e4226835be0f9",
"version": 1
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"rule_name": "Connection to External Network via Telnet",
"sha256": "1bdc0e8f97c88ad7d853ebb1870d959cd48583d54e72572f169a3fb35907e1aa",
"version": 2
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "b867fd994b9f5fd467ac4a9e93c3fc34069e8860d49828a39272f1bbb5c74baf",
"version": 1
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "8b0e8036c1a949ccbfd40fa57471a19b52d6a072a3362d40e55eecdf09515c5b",
"version": 3
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endpoint Security",
"sha256": "ac0bba2fb5f0c96691cb486a49bd3993a4f2fec3e899ec3ab51facdd15f906ff",
"version": 3
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"rule_name": "Attempt to Modify Okta Network Zone",
"sha256": "7fa770db85902c74e76603da32e18846181911f67d3aa29d9e4331b83ad9dc09",
"version": 1
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"sha256": "c0ddd4408b7df965bb399e1d9b23b5580467983f7f856378a42d9f8f9ab97db7",
"version": 4
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"rule_name": "Possible Okta DoS Attack",
"sha256": "9af51d68b03a227d373b1c687c6c411d1810e0afe7d93e0dba41008393ab92ed",
"version": 1
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Local Service Commands",
"sha256": "09a14045036f6a30948b02a97ace4a3004863642b39f1d965fb7bc175fadff25",
"version": 3
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
"sha256": "9a3aa688f874a1f6a0757bfced4e6acf8ce786dc75b0d2b57acf118c2e474e55",
"version": 4
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "a1877bd26b03c15006c1206a4227d80d9e19fda78567256f62a5e4ff247cb899",
"version": 1
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
"sha256": "e27190c2fc3f5863287bf24853e0e3f05363b8814fd229aee9411da4a51e094b",
"version": 1
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "8f7296c828ca1babc06b6d8f33006f235b006335b8e05dca5f6cd0dec669975f",
"version": 2
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "d345cd2be573364d96bf551506fa83327d1a88f9d1d578ee730f8085ff5043ab",
"version": 1
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"rule_name": "Whoami Process Activity",
"sha256": "ec1977d61b17849139eebe7aa40136a25ee369eec4a85491150f818d24dc5b5e",
"version": 3
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"rule_name": "Windows Script Executing PowerShell",
"sha256": "681ddd7b3337bb41f2496d94153c346d7e8e4fd2cab289c5c5168e3f5446d549",
"version": 3
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "9fc4f152c5dbe06bbbdf27a4d307abc2da1116b564acc79b30034913e3b12219",
"version": 3
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "72de6ba3763bd235c252a332326af7b4cd7e670ac5322ae56ba59135b2c4d200",
"version": 1
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "5af9cbee41e50e97d7c51d898ea484b4dae244da1d45c8c49327cecffd0e55e3",
"version": 1
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Regsvr",
"sha256": "78487cacf86e895d025eabed659c5ffaa0ded038a19808d5d6bb5f70978fb014",
"version": 3
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "6b269a2c7fb920ecb2cf5d7516b0ff7010c0eed637beac273fd2e40cf4df60d2",
"version": 1
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "7c77385566b7c159d8e598d80ebed2d23c64e6301e1ddd7b9305d8fbc2a294c1",
"version": 3
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Encoding or Decoding Files via CertUtil",
"sha256": "cd0e189f8420314a834c4916b9685304b8edc4259d275796ee0e06fb7df0338b",
"version": 3
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
"sha256": "53659b10280ff1cf084f6f27a95b3eae81c1e9e9e2cf0806e7eb61f14da0fc6d",
"version": 3
}
} |