security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c58d59eeb797d8b4c8e280cefedd392e09dedaa9
sigma-rules/detection_rules/etc/version.lock.json
T
github-actions[bot] fbddc2e659 Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4601)
2025-04-08 18:25:47 +05:30

9247 lines
348 KiB
JSON
Raw Blame History

{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 309,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "61224002fe2acb034c68f8a1ce071b7b5373f3cce6e3134e155cd51017a68e99",
"type": "query",
"version": 211
}
},
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "c20587a8ab6fd3eca1af36791ab72c6e93932909b75c936ce7ba54d78244a194",
"type": "query",
"version": 413
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "a3f03ff868732e2c9ba9624fd88f9418c595f1ef12ae71f0193e302499576927",
"type": "eql",
"version": 317
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"rule_name": "System Shells via Services",
"sha256": "50b5e55ce013601693709a7c660557ea3650108abe9cad6b593f8e98f86e089f",
"type": "eql",
"version": 418
},
"0049cf71-fe13-4d79-b767-f7519921ffb5": {
"rule_name": "System Binary Path File Permission Modification",
"sha256": "800161fc32e31a2c53bce733e3b236edb7b4db194e4178805bd0b9f007ad8667",
"type": "eql",
"version": 4
},
"00546494-5bb0-49d6-9220-5f3b4c12f26a": {
"rule_name": "Uncommon Destination Port Connection by Web Server",
"sha256": "5457fd6bcc9e6731474ebf879608ba2ee0b97dea2fb711d15e9192ddd9fc1297",
"type": "eql",
"version": 2
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"rule_name": "Google Workspace Suspended User Account Renewed",
"sha256": "580e24ede83d9d5caf5d2812e63b7a214b0a252cab6fd2303b133d53aa72a62c",
"type": "query",
"version": 5
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"rule_name": "Microsoft 365 User Restricted from Sending Email",
"sha256": "29e4d1aa622be675f168933ac81464217a9e07b6179b39d1d87d79855756f7da",
"type": "query",
"version": 208
},
"015cca13-8832-49ac-a01b-a396114809f6": {
"rule_name": "AWS Redshift Cluster Creation",
"sha256": "1030abb7a5bf0cd851e8b2e89515373b2e37b97212c98a49acb7f02e2c88c5d0",
"type": "query",
"version": 208
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"rule_name": "Potential Network Scan Detected",
"sha256": "d6d9184d00f5e29a67dd384df800ace05c44f046ceab5021a67e04994f29355e",
"type": "threshold",
"version": 11
},
"017de1e4-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Memory Threat - Detected - Elastic Defend",
"sha256": "4b5cf946fbef7291c316ea447ec618ab3eaad8c1c8c3910e19b73db021685c7f",
"type": "query",
"version": 4
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "8494ff1283354c75b42b8e02fd67f53e3922a7fb3314d8e0b31c331bb5ef8bee",
"type": "new_terms",
"version": 205
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "816f9c87c4ad112c1a2215eaeaa7bca5df7e9ca06d371dee4aa3eaf0f9126799",
"type": "eql",
"version": 210
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "f5df37e14f6d03c31aa51fd0dfb1be6bbf64ea621ef489f7024c395cdca98ae3",
"type": "new_terms",
"version": 205
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"rule_name": "Process Created with an Elevated Token",
"sha256": "0f737c2d74b7bce92e3a0801d7c621fad59f611b8a6318082360e8048e22c555",
"type": "eql",
"version": 8
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "a36779685ea9796fed29d14a8be92814d19e3434c8b02f25e9e345089c67934d",
"type": "eql",
"version": 310
},
"02b4420d-eda2-4529-9e46-4a60eccb7e2d": {
"min_stack_version": "8.18",
"rule_name": "Spike in Group Privilege Change Events",
"sha256": "692c1a36a0b2fca62209c78d246d9751cff9225601618f29cf6300448186f64c",
"type": "machine_learning",
"version": 2
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "13ae97b8af4d0537fafcc22211d1d0929e4c565a9500797a3271a72a0ad1fe21",
"type": "eql",
"version": 5
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "88989ab8b740f21291d5cc7e69d4e4b1e99d2e2c2b07bfd9148e3789d9d428fe",
"type": "query",
"version": 108
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
"sha256": "7bcaff443a1bb96f5e341100e2e292d84cc3903565ae92dacc25e3f748115458",
"type": "query",
"version": 208
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "0c4ec1d507c126ae6380607a6574c41a3294fab94558aedf901756ad1a8210ca",
"type": "threshold",
"version": 214
},
"035a6f21-4092-471d-9cda-9e379f459b1e": {
"rule_name": "Potential Memory Seeking Activity",
"sha256": "dedb6322eaab6573b8c3144956f65672b6718bffcef1b284a29a24a6c1e21ed7",
"type": "eql",
"version": 4
},
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
"rule_name": "Suspicious Dynamic Linker Discovery via od",
"sha256": "e83c935e6d617c47f77d10c89583b0853096f2dc9ed2a02f09b1e1a8f289f53c",
"type": "eql",
"version": 105
},
"03a514d9-500e-443e-b6a9-72718c548f6c": {
"rule_name": "Deprecated - SSH Process Launched From Inside A Container",
"sha256": "db16c791683827ffea8705d7c3c3a3c8793db69d1e421f594a01616cf7fb7509",
"type": "eql",
"version": 5
},
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
"rule_name": "Potential Network Scan Executed From Host",
"sha256": "e580ba79337e7a10332fb5f88b115eef93b21f3ad2a279e74d1c75c108c03ef4",
"type": "threshold",
"version": 5
},
"0415258b-a7b2-48a6-891a-3367cd9d4d31": {
"rule_name": "First Time AWS Cloudformation Stack Creation by User",
"sha256": "f3afdb8992d13d7f22885ad1e0830d137ffc255a0a80d26bf79fbd56875dd7ed",
"type": "new_terms",
"version": 3
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"rule_name": "Modification of OpenSSH Binaries",
"sha256": "23e06d221c7444ec7356f1e438f068fdd7561ddf06abfc52e076cea7b2453742",
"type": "query",
"version": 112
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
"type": "query",
"version": 105
},
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "cf668d4aa6fecbcdef0935a3a0a2934de783f8889d5a9b2511cd407c9af1f958",
"type": "eql",
"version": 204
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"rule_name": "Azure AD Global Administrator Role Assigned",
"sha256": "6dc9cc0998b14bfbe9afd087f31a6485f561ce1941031c25c0ebe67129d750ee",
"type": "query",
"version": 104
},
"04e65517-16e9-4fc4-b7f1-94dc21ecea0d": {
"rule_name": "User Added to the Admin Group",
"sha256": "fa37c68ac0e2dac03e2bea89416bc54be86337a2a494433118cf53e757b9b756",
"type": "eql",
"version": 3
},
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "8e32b2ab2c7b19aba6495e9a1f7ccfb476e051810bf71d14395a52b02cf78d01",
"type": "eql",
"version": 213
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "e59a4f1612f709c30206acad3e57ecf928410ed3de1df81f1a0c8a1e2573872f",
"type": "eql",
"version": 9
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "1b185733220ff9caa21528d5e9c9385b88e4e662503b6f232ca4c7c2e8c69543",
"type": "eql",
"version": 216
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "e8f35a18cddcdd49b3d91347a5c70e2a51d05cf3ff577cfe1317e5ad830b6fb6",
"type": "eql",
"version": 311
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"rule_name": "Tainted Kernel Module Load",
"sha256": "7565d48dda32b8434c9ee163a6f219cb0e18ecbc2df8ad08b6a933dc89d63a99",
"type": "query",
"version": 6
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "e809170c846e030385f3de5caa5cedccfc6d92d1a46ba046943464f3af0ecbe6",
"type": "query",
"version": 110
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"rule_name": "Remote System Discovery Commands",
"sha256": "10184a224108b06df61c3d0d2c880f91505d4cdec8772497478bd39db7307c8b",
"type": "eql",
"version": 215
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"rule_name": "System Time Discovery",
"sha256": "c08df694acc199aab2599134c89faf185aa3b9843ebd59d3871557110ce96cca",
"type": "eql",
"version": 112
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"rule_name": "Unusual Remote File Size",
"sha256": "5c023e623140babdf6ede68353f42b35ff921b6735192982b81ebeb7fcd992ca",
"type": "machine_learning",
"version": 6
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "03dac45e9d58f06ea679b74e3b3277a04351c0ce66bf8069482691473b4f2b3c",
"type": "eql",
"version": 212
},
"06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": {
"rule_name": "Dynamic Linker (ld.so) Creation",
"sha256": "c3a66bff0aec6f69a09401c58eae78258cf395936a35af4a26adc8a2581afaa9",
"type": "eql",
"version": 103
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "2bba719a0e576ecd112997307f09e3253695db95b97c1aa854aca2fd941341a1",
"type": "eql",
"version": 216
},
"06f3a26c-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Memory Threat - Prevented- Elastic Defend",
"sha256": "c441eef96e09df129b5d295a431cf987d878660a826c992fab2e9b098ea7e80a",
"type": "query",
"version": 3
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "cab13a3b8e8bb3094085c9675cdcb0e8b30a99de7e5857bd251bd775945e05ad",
"type": "eql",
"version": 314
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "f85b8ec375ba51f72bf349c59e96fbc42aae11e18ad3000a107f058e5ae09967",
"type": "eql",
"version": 208
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "96411ec84d8a22f311e9dfd8a308527f7ece8ddc5d93b6f1a589b2498d5fd296",
"type": "threshold",
"version": 8
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "ea9a890a7fe00c858dbff2dcaf7ce164689b2a760206232a07b4e1b6e2e49fdb",
"type": "eql",
"version": 314
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "8b982a48d5b614c8b15f099db5dc29592c03a7dda769f4b6f37a43262cab59d4",
"type": "query",
"version": 108
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"rule_name": "Suspicious Browser Child Process",
"sha256": "51b3fcff118db9337bb227e874af08401e569b7c3d4cc48704a3d87f6fe3e065",
"type": "eql",
"version": 110
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
"sha256": "51a41c4aac90f94c8566c30ae35f53fa7e92bdce310d76694196a9461603d854",
"type": "eql",
"version": 109
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "3b6c16332f07445f1623cdd983660c678af46a02282901cd7e4548bc5e8f6b61",
"type": "query",
"version": 108
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"rule_name": "First Time Seen Removable Device",
"sha256": "58158655ad5ee76701bc013175713224a22632cdfec8aef97c7f2d0a62866b1c",
"type": "new_terms",
"version": 211
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"rule_name": "Windows Account or Group Discovery",
"sha256": "b827f2e748c6a934e1d8485b1b30d398c380449318a4c0ccb660fe7ec7c370d1",
"type": "eql",
"version": 6
},
"08be5599-3719-4bbd-8cbc-7e9cff556881": {
"min_stack_version": "8.18",
"rule_name": "Unusual Source IP for Windows Privileged Operations Detected",
"sha256": "1531c8ea5c0359c0e44734cd8ce85e2df0097dedc77369b52df369a116c76b6a",
"type": "machine_learning",
"version": 2
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
"type": "query",
"version": 100
},
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "ca4f143a63dc861981246f6711f2fd64668c3322007338baa52d61c3dc116f59",
"type": "eql",
"version": 110
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"rule_name": "Process Termination followed by Deletion",
"sha256": "2d9408275d396448c07bdfb1f83236719df9086f374689d0f914a1b4ad20c6a8",
"type": "eql",
"version": 112
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"rule_name": "Member Removed From GitHub Organization",
"sha256": "8f53e7a56bdf70f2f886fde7eb012430f3dc47311dc4839dcd4e13a971f7a0c2",
"type": "eql",
"version": 205
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
"type": "eql",
"version": 100
},
"097ef0b8-fb21-4e45-ad89-d81666349c6a": {
"min_stack_version": "8.18",
"rule_name": "Spike in Special Logon Events",
"sha256": "e5cbe58d3441a34c3c34bd43f63ea661fb228746a99f49a1abdf6b3118e455a5",
"type": "machine_learning",
"version": 2
},
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "6364450fb2aecdc4012d73ae2948614a51e83777e3c025f72cbc74c1e9bd1805",
"type": "eql",
"version": 8
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
"sha256": "8cd8888e6c73f37afa5115c1817ea17ec9fc86809e3170f5be871b211af200a9",
"type": "query",
"version": 104
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "6dec72ce9f7aabecc519652ba7299033d64fbfe4d155e3cbb9fff040f62ecef9",
"type": "query",
"version": 105
},
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "5820311b6b905339e6e7494c92fb607d519388da3cb4d6a9251091cb9cfb4e7f",
"type": "query",
"version": 7
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "0ddaee290af65bcf40554862e10ff67308e93647adc7afe12dc754b47ff87c5d",
"type": "query",
"version": 210
},
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
"rule_name": "Yum Package Manager Plugin File Creation",
"sha256": "f055bf9c9f46bb5ddda4c4276a883ffd6024359999ee8d080157febff142106f",
"type": "eql",
"version": 6
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"rule_name": "Anomalous Windows Process Creation",
"sha256": "7acdebd225457bba9a49e92fda88457290b0a4323ccc699db59d6a7deb791d99",
"type": "machine_learning",
"version": 210
},
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"rule_name": "User account exposed to Kerberoasting",
"sha256": "23e9b0293cb471864143268d60458c9d4bc3bd9aa7fbacd265f63ceb2d0da00b",
"type": "query",
"version": 216
},
"0b76ad27-c3f3-4769-9e7e-3237137fdf06": {
"rule_name": "Systemd Shell Execution During Boot",
"sha256": "fd18c9c6c7aa941df90f89ed1a9c7ce711852823005d936cbf0926a724ce28f0",
"type": "eql",
"version": 3
},
"0b79f5c0-2c31-4fea-86cd-e62644278205": {
"rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
"sha256": "71692e040436d9174c568ecdd7fee99e2238dca3004b1064b22b14837fac333d",
"type": "eql",
"version": 3
},
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "9e136032efd218dd3d868321979237b474048b661bd8d29202bcbf0fc2bd8a90",
"type": "eql",
"version": 109
},
"0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "0b8e14839af59782950606078d586099c236ad4832b5866199c8b25f21179e1c",
"type": "eql",
"version": 107
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces",
"sha256": "61ea829b342ba00cf456d88b1d191efa3365627823aa9e186cf912cff9381c06",
"type": "eql",
"version": 3
},
"0c1e8fda-4f09-451e-bc77-a192b6cbfc32": {
"rule_name": "Potential Hex Payload Execution",
"sha256": "546e88fb76a34d6809a3b5ddca9baea43697ceffe312b0801f4d9bc58f146b4f",
"type": "eql",
"version": 103
},
"0c3c80de-08c2-11f0-bd11-f661ea17fbcc": {
"rule_name": "Microsoft 365 Illicit Consent Grant via Registered Application",
"sha256": "b1abf541ce21e388774f94daea1199ce9f9c5005547a19a1184a244eec040e6f",
"type": "new_terms",
"version": 2
},
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"rule_name": "Threat Intel IP Address Indicator Match",
"sha256": "9507b5aae7440ff10ceb3f3e75dcc178e809320a084d56e616de90e14713d0d6",
"type": "threat_match",
"version": 8
},
"0c74cd7e-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Ransomware - Detected - Elastic Defend",
"sha256": "0eabf2c1922aca9c19833edfeb8d4e44b1f19e91e7268d60e2aaa58d745b3a28",
"type": "query",
"version": 4
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"rule_name": "Peripheral Device Discovery",
"sha256": "ec8938c387a7fad2f2d2dd88203c65a8324f58a7d2a253b6c67202249e3d10ed",
"type": "eql",
"version": 313
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"rule_name": "Deprecated - Threat Intel Indicator Match",
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
"type": "threat_match",
"version": 204
},
"0cbbb5e0-f93a-47fe-ab72-8213366c38f1": {
"min_stack_version": "8.18",
"rule_name": "High Command Line Entropy Detected for Privileged Commands",
"sha256": "83a6aa4d587186f7e7459ab0268171716a02c965c0c92d1744b1dc99976c0027",
"type": "machine_learning",
"version": 2
},
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
"sha256": "0d0084d44982bd3c5392b363044b94d1c083b4ff85c4da034a82be08872812d5",
"type": "esql",
"version": 5
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
"sha256": "53c2495dab68a903b247714477ea3a6e45b080cc7d0dcb6fe5e59566f261f71a",
"type": "query",
"version": 208
},
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"rule_name": "Multiple Alerts Involving a User",
"sha256": "15e804addadde83664812796f8f9823a5c7ebff99e0beb27678162bd9c31e24b",
"type": "threshold",
"version": 4
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"rule_name": "Nping Process Activity",
"sha256": "ffd04e87aee986da407d0d658bd9815614ef6981fce9037febb5bb350236083e",
"type": "eql",
"version": 211
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "463ef7d320e65c159f5238f4f1a470d6eacefad355944921e52fa57b02b2a1ec",
"type": "eql",
"version": 112
},
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
"sha256": "06cd8ab4b8922f24d2b6151406f8680b95c67b7d415ccdab4ef61cfc5c80fda7",
"type": "esql",
"version": 2
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "daf0a4bda776448f0e5a9bafecc2cad167ab9438fe19e051cd757802ab3789f1",
"type": "new_terms",
"version": 205
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"rule_name": "SharePoint Malware File Upload",
"sha256": "ed3405f5b56fe59c60c0642ae8ac0b0dcd39acffdf9e624c0c9a653d49de4f7a",
"type": "query",
"version": 208
},
"0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
"rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token",
"sha256": "f6f434f76330ba923e4d55b62e92891d98a21706ca8bd0b47bd9811566a8c497",
"type": "esql",
"version": 1
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"rule_name": "GCP Service Account Key Creation",
"sha256": "2dabe858adb0fc478a32bd89bff8edad37facd56a470caf71d075248e4428730",
"type": "query",
"version": 106
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"rule_name": "MsBuild Making Network Connections",
"sha256": "f07233d63bf4d825b12ccdd87d4404f7aa673dca23c19c84c750defc35684e93",
"type": "eql",
"version": 213
},
"0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": {
"rule_name": "Sensitive Audit Policy Sub-Category Disabled",
"sha256": "bbe9ea4c3affbc897abdc5bee35a953dd120762ddc522b24e3adbe6db4ccb8c4",
"type": "query",
"version": 5
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"rule_name": "rc.local/rc.common File Creation",
"sha256": "3b4e8f4226854ad401b0a80c3c62e9f815dfc511a954b5d10b759e40c8664c26",
"type": "eql",
"version": 117
},
"0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": {
"rule_name": "Polkit Policy Creation",
"sha256": "8685a856efa62f15d208e5985d9a909b3ce8e7901b24d3af710838b0b8bceb58",
"type": "eql",
"version": 104
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "5c909997193b58e4fe5aa8dfa168e55f80a7983c7763807965772b93a747603e",
"type": "eql",
"version": 106
},
"0f615fe4-eaa2-11ee-ae33-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Behavior - Detected - Elastic Defend",
"sha256": "cd6a57dae1f0a6f2aef7b0a32b1e2390e8b193822bd1deb4b29926ce0e0b0f0a",
"type": "query",
"version": 4
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
"type": "query",
"version": 100
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "0d862dac4265ead3b5391ad1bd1e5d0a4a543f3a623c7f32b90e3ca5439dc4d7",
"type": "threshold",
"version": 312
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "563d192840988aa54ff3f5443a420766959ed2f847c498aaa874ced30892aa3e",
"type": "query",
"version": 108
},
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
"rule_name": "AWS IAM Login Profile Added to User",
"sha256": "0f3c2dfae1047bb5c03781a08efbad39b17fca0ce4526c7de945d492129413b2",
"type": "query",
"version": 3
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
"type": "eql",
"version": 100
},
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"rule_name": "WebProxy Settings Modification",
"sha256": "39e5cc841cd09ae7c5e36388803e07223df11178a48684dc0be67ebdae2d51a3",
"type": "query",
"version": 208
},
"10f3d520-ea35-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Ransomware - Prevented - Elastic Defend",
"sha256": "4ace7976e6f126067761acfadd4f78cbfbd24d77db75f43f8892191f893aa9d9",
"type": "query",
"version": 4
},
"11013227-0301-4a8c-b150-4db924484475": {
"rule_name": "Abnormally Large DNS Response",
"sha256": "c3505921b5362ff6d0a18da1373092d8c859469a7a4a09d3bef2c051a57e71de",
"type": "query",
"version": 106
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "024d892ef835aaee6b647e63eea1193ada7452b41dbcf08b535722061b98d474",
"type": "eql",
"version": 213
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "8eca10b1096b0d996b99e34222f360cf7edc642e520775bad9db89af704c7e2d",
"type": "eql",
"version": 314
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "f8ecafafb104111603d3d5386686c4906ae20044298adffa5cd6c47a347489ec",
"type": "query",
"version": 208
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
"type": "query",
"version": 100
},
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "16d69eca18fb15a8a43e89044995911c2183249794b5bbea720f52b85d920453",
"type": "query",
"version": 116
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "262d7f402cc82ab3dc8719964c79516c51251189fec331a8102f742c287059a9",
"type": "eql",
"version": 214
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "4915043c102c8fb240b46df22c7be9ad6e1193caaa2201739f670dd1faf804c9",
"type": "query",
"version": 208
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
"type": "query",
"version": 100
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"rule_name": "User Detected with Suspicious Windows Process(es)",
"sha256": "46b5c51c7e1498ea7fe24aa27b1b82dae307e6fd3bd10037647bb6c9aef54d74",
"type": "machine_learning",
"version": 109
},
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
"rule_name": "AWS Lambda Function Created or Updated",
"sha256": "4c8af566dc12380d8c8bdde5bb764ef21104857e1a18feccc4e7e790697dc196",
"type": "query",
"version": 3
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
"type": "query",
"version": 100
},
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"rule_name": "Suspicious Lsass Process Access",
"sha256": "cd2216bcdd98468875349fa38b7f532129af98edfebab97e8cf9209ad349bdf0",
"type": "eql",
"version": 210
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"rule_name": "Kubernetes Suspicious Self-Subject Review",
"sha256": "f00fb91c460844760a14a424f2a7b16defd598a0b0db46edcf810e9eccffe8ed",
"type": "query",
"version": 205
},
"12cbf709-69e8-4055-94f9-24314385c27e": {
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "f2b30781046303cab11f86336bcf5b5079776a07eee2dbc6c2c2860e0ce7611b",
"type": "query",
"version": 206
},
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "a9c9c046892f5fb0ff23264d181cbc5ff316361b9e65e37d91d0e77e9489a6ce",
"type": "eql",
"version": 207
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "67edaed31f131f99127e73231843092b0f8c3f4435a869b2d97628428ecaa4b8",
"type": "eql",
"version": 317
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "cf051b91efef11632fd5138ed4b468cd2a6d7218394928a7d1d0f2f3885917b9",
"type": "eql",
"version": 413
},
"135abb91-dcf4-48aa-b81a-5ad036b67c68": {
"rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
"sha256": "31af95d5616973e58f6b1cd8f67e904ea113b08de501db6f1333f3a2d8f0add0",
"type": "eql",
"version": 104
},
"138520d2-11ff-4288-a80e-a45b36dca4b1": {
"min_stack_version": "8.18",
"rule_name": "Spike in Group Membership Events",
"sha256": "f7a1acc00197971798a07f9a57f898e0243b57560e884f046c8406641dc6cfb5",
"type": "machine_learning",
"version": 2
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"rule_name": "Rare User Logon",
"sha256": "6e7eb9b4bd752f098bcd645324f69a21db1395c5c6b2e4d1b497506d1e753148",
"type": "machine_learning",
"version": 106
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "d4caebe0429481f647781c47fb6fbf6f2acd0c8c6c7810aa9b8ee1139d0dea82",
"type": "threshold",
"version": 208
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
"type": "query",
"version": 100
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score",
"sha256": "7a975ed3dc65288e4c303da4e27b0d6b882309652f6a310d3b84f7e98292c8de",
"type": "eql",
"version": 10
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"rule_name": "Azure External Guest User Invitation",
"sha256": "0478424148c82cc80be2a4c3bd562d27f5a2e0ff70d1ce5a54dfec70d218562d",
"type": "query",
"version": 104
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "de09f757cb1aec945488eafbb7e065534d9c04980737762bc29824449cc3a9a3",
"type": "query",
"version": 106
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"rule_name": "Office Test Registry Persistence",
"sha256": "ed7a6cb08cabae8c1a90388b676bf157cf65988ba3adfbbb33a840e38d5661d6",
"type": "eql",
"version": 105
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "d2520144114404f1ff0d5ffd8144fa198385e2703ded4bbc297d0ff7dd32b8ac",
"type": "query",
"version": 205
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "50aad920ceff4fb344802b0b0ae5a50ed83c22ce8bcdcf5bf4b0574d90ab2480",
"type": "eql",
"version": 313
},
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 102,
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "56af4b22ba4a30c2b5b78e2dcfb7357c29381c5d442a322e59257043cb4e98b2",
"type": "new_terms",
"version": 4
}
},
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "bfbaf5364aea83bdcfb248eaec9ff4bc5b79869e69d3640153dde2ec44fe5fd8",
"type": "new_terms",
"version": 206
},
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"sha256": "0c35cd98e269aeccb1ed74605c7a4012bbb93356216b768d8427cb4a08f021c1",
"type": "query",
"version": 3
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "dcea415bbe180bd8af6d65459153f25d2bf47cb677fcc18734ec8c8310313434",
"type": "eql",
"version": 5
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "56d19f1c3427c2e6cdc28cce7bc0cbb1a0135b41f9ad5c077da491d2dce59d56",
"type": "eql",
"version": 214
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "0f592ba1359c8189505d2c04e26b4af4a9bcc6c17802bc124107e2446bc4993d",
"type": "eql",
"version": 317
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "7e70e7c0f9cdfe5141cd49f2488c7cf40d2bf09ac0df4885489b5687a818ff21",
"type": "eql",
"version": 110
},
"160896de-b66f-42cb-8fef-20f53a9006ea": {
"rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
"sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a",
"type": "eql",
"version": 3
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"rule_name": "Azure Automation Runbook Created or Modified",
"sha256": "706ab7644989929072c7b79a3536784bb30bc3ddaac4b14f18e793ad9b2b155a",
"type": "query",
"version": 104
},
"166727ab-6768-4e26-b80c-948b228ffc06": {
"rule_name": "File Creation Time Changed",
"sha256": "8025c26f3babbd27f39b36f5184b957a35a582e428891b76638c3ed7be768467",
"type": "eql",
"version": 108
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "95cd57a0bd9a0873b27c948b06664f70dd51d1ec2068b6288ee0c419c23556fb",
"type": "query",
"version": 108
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"rule_name": "AWS IAM Group Creation",
"sha256": "7b6cb0f9ddf09c93a05f289751d7d0a46f9faa3f09282d4db4c939c1dafd083c",
"type": "query",
"version": 208
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"rule_name": "Component Object Model Hijacking",
"sha256": "7b7204e59553e9e1adfa425f3f37cb850a414ba85788c42a028f0a46e29987fd",
"type": "eql",
"version": 115
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "708bb4a068955fda30d125771a2fe5b09854a0935976a0c849929719ba7618f1",
"type": "eql",
"version": 213
},
"1719ee47-89b8-4407-9d55-6dff2629dd4c": {
"rule_name": "Persistence via a Windows Installer",
"sha256": "8a9ec8ee3a774b010cc3338a8c32af41ff0809bd26db8d829e9dff66edc12867",
"type": "eql",
"version": 3
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
"sha256": "6862e5d1dee36ec1dcdcd165a67f6c373cd83aaa5f0db1b63ac526b78d346e02",
"type": "esql",
"version": 4
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"rule_name": "Unusual Windows Username",
"sha256": "d6e9247ec7d84885a9d611b1fda644b5f1948992c41a274f0bc533d976639ee1",
"type": "machine_learning",
"version": 209
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"rule_name": "Unusual Windows Service",
"sha256": "fc827f352d81955b34dcc45bfd02c0f855cf681088c3309f809c6de1b1cde244",
"type": "machine_learning",
"version": 208
},
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"rule_name": "Suspicious Powershell Script",
"sha256": "37408605a637abd30078b6b79c314c98bc1ee4d6bbdd4a50d376ec53f95496fb",
"type": "machine_learning",
"version": 209
},
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "4de457138a1e94113889935950e9652bc842e01dd7d514264d02171f29c2c316",
"type": "machine_learning",
"version": 208
},
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"rule_name": "Unusual Windows Remote User",
"sha256": "21aea41925792d39ecae9a498c18dad015599478e98badc8cbab3918004a275f",
"type": "machine_learning",
"version": 208
},
"178770e0-5c20-4246-b430-e216a2888b23": {
"min_stack_version": "8.18",
"rule_name": "Spike in User Lifecycle Management Change Events",
"sha256": "d466c889b6e2d39c7b207fd6aad26d98c2a23409e4a0666f5a69f5bab4957cfa",
"type": "machine_learning",
"version": 2
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "Systemd Service Created",
"sha256": "a41f68270991b59b52f0363bdd6c0ce6fc82a1c8c54ecc7e37df17d35e2567ae",
"type": "eql",
"version": 17
},
"17b3fcd1-90fb-4f5d-858c-dc1d998fa368": {
"rule_name": "Initramfs Extraction via CPIO",
"sha256": "f1fc4040cb437afd8efd9846673f0948ac10ed0943bfd03df6452248e14d3541",
"type": "eql",
"version": 3
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "b5d25e30ee7f01763bdf1ffb21ad80decb1fc1de1222bb8743748b32f9e05c48",
"type": "eql",
"version": 212
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"rule_name": "Unusual Network Destination Domain Name",
"sha256": "44ba78fdbdde42f840876ec470f21bd895aa916fa96dddf5019e5191859f03a7",
"type": "machine_learning",
"version": 106
},
"181f6b23-3799-445e-9589-0018328a9e46": {
"rule_name": "Script Execution via Microsoft HTML Application",
"sha256": "ee2fca12283f8ab18d80155a456660b16896619e6cb899c70a59fdd9f53dcdf6",
"type": "eql",
"version": 204
},
"183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
"rule_name": "Simple HTTP Web Server Connection",
"sha256": "b40f8ae44e59416d12ddebd6d44462f91415a7466cb953d4adc49c3dd84a01e3",
"type": "eql",
"version": 3
},
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
"rule_name": "GCP Logging Sink Modification",
"sha256": "2b7ba8d15ffa49184943364fa698da84d500e6512dff041d48e761fcd9a184e5",
"type": "query",
"version": 106
},
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
"type": "eql",
"version": 100
},
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
"rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager",
"sha256": "dc1a22fc59476ff336b550e79841692a31cd1274f20e04a910fea3bab8c672ef",
"type": "threshold",
"version": 4
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "116d604b7267253862dbd46cc7732bab7453d2939bbc4e3cda3f2df1ea49e856",
"type": "machine_learning",
"version": 6
},
"192657ba-ab0e-4901-89a2-911d611eee98": {
"rule_name": "Potential Persistence via File Modification",
"sha256": "7f1034f49cad4bca7e90dab0969a711ce9459680c1cfba8aff62874e1468332f",
"type": "eql",
"version": 8
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "4f85bb1203309f2cba6c37653ececc282ccf2c1c93b5e8b01975c38d9bf3ea9d",
"type": "eql",
"version": 7
},
"1965eab8-d17f-4b21-8c48-ad5ff133695d": {
"rule_name": "Kernel Object File Creation",
"sha256": "b6e81ad7feee565a92927f62b6017b47cb33e144f6842e0f3d0774b77fcef213",
"type": "new_terms",
"version": 3
},
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests",
"sha256": "33f648f8fa253d9d09a1f3594faf4499982de1fc6d268944164a5d4b08313bbf",
"type": "esql",
"version": 3
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
"sha256": "31486e8ba65dac1f3b90ff465c8e99d4a15fa22ad642c0d07a6f0510cb980994",
"type": "machine_learning",
"version": 210
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "1c15cf76c576203e014d26eb84b2646d812a43967079187b263f90aea27decdb",
"type": "machine_learning",
"version": 6
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container",
"sha256": "b35cf28e6c98f67ce2f60eee9fda257649fbc1f6217dbdf63219e032d521c28a",
"type": "eql",
"version": 4
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"rule_name": "Azure Application Credential Modification",
"sha256": "0606e67eba3285d0957fb474ff1afbb4aaf3d2e5e7a1aa3d81e4360b8ccb8b36",
"type": "query",
"version": 104
},
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"rule_name": "Execution of COM object via Xwizard",
"sha256": "4b46dd6471b97a05f0cf636836374f3713f0de71bf80bb947ff8533746ac2dd2",
"type": "eql",
"version": 315
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "c0cf506b6d006d80c2227023cf48fbe7fe53df4eebbbbff92471c64db11625bd",
"type": "query",
"version": 210
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"rule_name": "User Account Creation",
"sha256": "afd5a73a55a93113aa9cb982a301e5886f4be9f4bab0eb7f81c51daf4525638e",
"type": "eql",
"version": 313
},
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"rule_name": "Process Created with a Duplicated Token",
"sha256": "497ec4070f9b7bf1a946f2cffacf029a486baaa133531ce0a9d06aa1601e34c7",
"type": "eql",
"version": 5
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "cc363313c03d823e463b50c4eba74b6a7d02f3793ee0ee844d5c4a2b9e5174b4",
"type": "eql",
"version": 210
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
"sha256": "76dc9e6d5e532193e952df5a9678c01c0a025114c07468e52d2666c1ca148eee",
"type": "query",
"version": 208
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "18748c0862efdd4beafcd285f7fb86a2e6b3e2d68f6b0e1585d1d41c79a8fae5",
"type": "eql",
"version": 13
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"rule_name": "Potential Process Injection from Malicious Document",
"sha256": "b6b7a1acb79e3cfa92ae6dbd972f01f34291cce3e7dea99f8fe289748abbc1e0",
"type": "eql",
"version": 3
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"rule_name": "Microsoft Entra ID Illicit Consent Grant via Registered Application",
"sha256": "e304dda34f50a34cd1e90cc75bfe630becd92789053a4987ed3172f762ed7206",
"type": "new_terms",
"version": 215
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
"sha256": "6f2e7d99514612ace49886dbe4679b9a1314d39e679707bff5ed8e24b0a24e1d",
"type": "eql",
"version": 119
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Rolebindings Created",
"sha256": "73b24a419b287f27c9786e63adb67f8fb43a042a73436a83b7f720c85be6fedd",
"type": "query",
"version": 104
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"rule_name": "New GitHub App Installed",
"sha256": "033da03ba6bcc9027e6573266d2fc03badb1ed3d5a1ed0aa495a57a23f05eedf",
"type": "eql",
"version": 206
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "25aee1babc29bb7fa246da20f300cabfe7f268a54910ae0593c5aaec995ce40a",
"type": "eql",
"version": 210
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 104,
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "a6cd972bd4e61e4b5162bada4abcd0d49ddb1c1219971cdbffbb8efd8589444d",
"type": "query",
"version": 6
}
},
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "2a3d353252383d6e873229abf4a91f59ffc6984e4345aad77cc91476b3880f4e",
"type": "query",
"version": 208
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "05471dec421172bd0a2eabcdf4454017f3ddd79477330de791fd6da429b49a5f",
"type": "eql",
"version": 212
},
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
"sha256": "c396a65b2dce29cf56d5b600165d7fc46890e1db2a9b7e883340b7dc7aa1d75f",
"type": "query",
"version": 4
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "bcafc0e2e38941ec8997d3eda6ef2087192e5a72e9833e269491427ed8e1be46",
"type": "eql",
"version": 109
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "f2cdf8d87730e82ff6ce928ed936959687cf6bc62ee3f6128443edc6d22a1491",
"type": "query",
"version": 110
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "096c45cd85a9279e707a502f3a6fb3f1d17f7f87a4c8192edbc7a12224f35ad3",
"type": "eql",
"version": 314
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "d0f5100bb6cb1bb1b55d212dc2bb4a6da63e7f05f439d130a7eafc524cf3ed87",
"type": "eql",
"version": 10
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "c1ac2d818a1fbae8a60da275745d9d107afdee6f47d06629486cec82c190d953",
"type": "eql",
"version": 209
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "4b607258df5ba8b5d415eb411fa47637bd4e0116b15f80c41f08eae8346c6385",
"type": "eql",
"version": 107
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "722d66ddef341ca8d42547fb128df203bd35d8b09b4a7c1e6d56f179f968ee6d",
"type": "query",
"version": 211
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"rule_name": "Azure Storage Account Key Regenerated",
"sha256": "5d33301671209f42db0f2e3b569f219f2bf6d6f785baba3334dd3129caaceb81",
"type": "query",
"version": 104
},
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
"rule_name": "Creation of a DNS-Named Record",
"sha256": "37afa233fc2c9d30ecf40083db404064b857e7d645cfb69ece9d6fc3850cde46",
"type": "eql",
"version": 106
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "3b073ab0d143a185dce5ddda7ae408ab723a06e0222e76a3f2cf84d386a56403",
"type": "eql",
"version": 107
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "9eb608b08bc7d2d0bf6ec4457f430f28216a7439fa23a64eb50c0b0ec1063df6",
"type": "new_terms",
"version": 205
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"rule_name": "Unusual Sudo Activity",
"sha256": "ae3d17abee43d308f690dcd4a1348901b95c080120f4f35521609a51140f7175",
"type": "machine_learning",
"version": 106
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "f9b06694d9a1acb836a95a3b3b88c9d7dbf6694328e01c89dd7da7adb7e5e5a0",
"type": "query",
"version": 114
},
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
"rule_name": "AWS Signin Single Factor Console Login with Federated User",
"sha256": "67652ae55e23dcc67c6e395bd4b6354b74840c3c0ef81b0abe48e5f0fda50dc7",
"type": "esql",
"version": 3
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "8caa9784691156e9f70f312672d65357d7c2209ac243ae2befb1f39911161f33",
"type": "eql",
"version": 106
},
"1fa350e0-0aa2-4055-bf8f-ab8b59233e59": {
"rule_name": "High Number of Egress Network Connections from Unusual Executable",
"sha256": "84b3367df89a2d4079d1bbc7e049e330439e0da8c729121ce82dcbd9584572f6",
"type": "esql",
"version": 2
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"rule_name": "Unusual Linux User Calling the Metadata Service",
"sha256": "79a7054fbab786df0fe148ad8bcd4430adfaff7be7312a1d43c737404a23f941",
"type": "machine_learning",
"version": 106
},
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "5bd5f497f9621f244e203644c676f18335eeae54a78f94382d24c1796c59ef65",
"type": "eql",
"version": 215
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "7c4db2799c89ee449c815b82891485079d5833e668c3397ab35496c6c65e1c04",
"type": "query",
"version": 105
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "4aa4f2900dfe2eeb1731f596a880f5ff08fb31a720c7c6e2964f38a3df7a35dc",
"type": "eql",
"version": 315
},
"202829f6-0271-4e88-b882-11a655c590d4": {
"rule_name": "Executable Masquerading as Kernel Process",
"sha256": "9207ed8664ffd8f78d149b2b93e5e74d7e37aeb81b63d796dbb92ce6f593129b",
"type": "eql",
"version": 106
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "2671aca56ddff77328b8efe78f8668bdeb8aaaf5ba6dff6afd7ebfb740a91134",
"type": "eql",
"version": 312
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "fb5501fb4b765e6fe89e17970a73b6bf57da2dfbd9441628cfbb792c96544ec7",
"type": "query",
"version": 208
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"rule_name": "Suspicious Web Browser Sensitive File Access",
"sha256": "baa9b46572223250e80f58c1ee04fb3164cc24f1ac0eb6e2bf5b7e05a46221dc",
"type": "eql",
"version": 211
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "4e735252e2a78246b652a18b5e1a5a500e5aa2fe85dbf7bfd0acefd0a8183ece",
"type": "eql",
"version": 204
},
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "b0d1c12556eb4b1dc21a62efff032263fc1861e0553c3d8261b2a8329b225614",
"type": "eql",
"version": 214
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
"type": "query",
"version": 100
},
"210d4430-b371-470e-b879-80b7182aa75e": {
"rule_name": "Mofcomp Activity",
"sha256": "5c93aa3273caf9d0ade048674d987a581f01ffea785a0ba2a6485b946c437272",
"type": "eql",
"version": 8
},
"2112ecce-cd34-11ef-873f-f661ea17fbcd": {
"rule_name": "SNS Topic Message Publish by Rare User",
"sha256": "26fb195d6c4e386857c06e00179d2a869a4d633acf1e2a1183a638389f57b558",
"type": "new_terms",
"version": 2
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"rule_name": "Potential Reverse Shell via Child",
"sha256": "8e0bf441661ea2933b3db40f54201edb802f8eb393e9140b8a5af775461875a4",
"type": "eql",
"version": 6
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
"sha256": "c3689f3fd539f2bfe1f40a969c2da87dd7c3a29173a6e14dff46c6cb09d12b28",
"type": "new_terms",
"version": 8
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "4840cc97ec4abbee5460abe5d900d92ce721428fc55f516b8a911ebb3ed2307a",
"type": "eql",
"version": 110
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"rule_name": "SSH Authorized Keys File Modification",
"sha256": "f10f6516773953f128a324f80c6f86288a3590f502707b10929775a26875ead5",
"type": "new_terms",
"version": 208
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"rule_name": "SUNBURST Command and Control Activity",
"sha256": "5c79684e305c93b8855c454e42d1ec39d0009b116b79fdf30910d1feacb0571b",
"type": "eql",
"version": 110
},
"227dc608-e558-43d9-b521-150772250bae": {
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "dc17d3be0177ce660e3069b441e2f3992bedfd21e74db5a401fface89779822b",
"type": "query",
"version": 209
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"rule_name": "Potential Shell via Web Server",
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
"type": "query",
"version": 105
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"rule_name": "GCP Storage Bucket Permissions Modification",
"sha256": "2c5a2e21b4bdb4c581db0cfa5179fe783a62321e2e2ffd13b93cff8e7313b1dd",
"type": "query",
"version": 106
},
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"rule_name": "Kernel Module Load via insmod",
"sha256": "d64ad7e6a32647faa9b39e25e5ef1090e535cfb2da1a92dd8f2eb73e5f8cc05e",
"type": "eql",
"version": 213
},
"2377946d-0f01-4957-8812-6878985f515d": {
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
"sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4",
"type": "eql",
"version": 2
},
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
"sha256": "fb5702335fefb3bf02ce0bbef9d60ed06d8c75a5f5a90c8b285d50ad427d5ddf",
"type": "new_terms",
"version": 5
},
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 102,
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47",
"type": "esql",
"version": 4
}
},
"rule_name": "High Number of Okta Device Token Cookies Generated for Authentication",
"sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47",
"type": "esql",
"version": 204
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"rule_name": "New GitHub Owner Added",
"sha256": "743a06d23466c62b648a1d4a5fe3d98ffd397019e63fc64ccb2aba90b143e2a9",
"type": "eql",
"version": 208
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "a9b8af3c80380b44c76490071bf92fe3d2e97a26722b7ec5843dd746d715b8b8",
"type": "eql",
"version": 311
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "fa62a3fac88d4dd23d023356ddcb84643a548f936291d030a2c415ea77c02f9b",
"type": "query",
"version": 106
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "3d1564c34461378f809dda92957c9c8fa1aae87d7c2d034d7c1b090de1885145",
"type": "eql",
"version": 107
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"rule_name": "Network Activity Detected via Kworker",
"sha256": "e1578b4b545c5b689dddc8c075ecef31e20188050608ee5720297376782511d9",
"type": "new_terms",
"version": 8
},
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
"sha256": "4badb1a4d3636bf1058525c4993d63a558aa0a8d591f98bbafa93c9fc8fc1319",
"type": "query",
"version": 3
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 104,
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "70f1f9059df5bd8fccefb340c09ead9f96478027b8a573ef31fed90b89e5e935",
"type": "query",
"version": 6
}
},
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "28804d84b2cc66a3a0455902412799c1ac3d4f6a046a8a26993b072c8f490e36",
"type": "query",
"version": 208
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "aeff88668dd292d892d3573fc5ec4988ea0ae9bea7edea5d05529a8865cd2388",
"type": "eql",
"version": 9
},
"263481c8-1e9b-492e-912d-d1760707f810": {
"rule_name": "Potential Relay Attack against a Domain Controller",
"sha256": "4820f5fda190db2608447f5356d919a9986a0110ded08d29c0c7ea2ec676f246",
"type": "eql",
"version": 106
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"rule_name": "Azure Blob Container Access Level Modification",
"sha256": "12a15949af4c39efe03a88d3fc4edb55737676a5dcb3679dde2fbb826eacfd24",
"type": "query",
"version": 104
},
"264c641e-c202-11ef-993e-f661ea17fbce": {
"rule_name": "AWS EC2 Deprecated AMI Discovery",
"sha256": "f9b68e3c101cb592b8a0c6891ea974cb9eb0169147faaa3e35abf74e5f06cd5a",
"type": "query",
"version": 3
},
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "b931a3d25114789053dfb216d2b0478e83fe30035f9274901dda5d573979f28c",
"type": "eql",
"version": 315
},
"266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": {
"rule_name": "Unusual High Denied Topic Blocks Detected",
"sha256": "fe10ea745cf3203f237c4b8a40c63e9cb9d364c796bf52a2377425c3bd013171",
"type": "esql",
"version": 2
},
"267dace3-a4de-4c94-a7b5-dd6c0f5482e5": {
"rule_name": "Successful SSH Authentication from Unusual SSH Public Key",
"sha256": "24c94c4808dc91078e934262fcfb9083b941cf53595ca93873d27843b91b05b9",
"type": "new_terms",
"version": 2
},
"26a726d7-126e-4267-b43d-e9a70bfdee1e": {
"rule_name": "Potential Defense Evasion via Doas",
"sha256": "8e0a1191d558a091e71a1f9b0d01ec54ad438bd99bfea9fe279b6eb1028c245b",
"type": "eql",
"version": 103
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "4268d31b3e250506a3b421b2ad76d3008b95b0e2eca2cc188571620b4e4f8223",
"type": "eql",
"version": 9
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
"sha256": "65e85a729d7a3f5ca2436ff4c1c6e074081c31c68ec64454035d88c92fe2e1c0",
"type": "query",
"version": 106
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59",
"type": "esql",
"version": 312
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "3251b75a04b52bfd1a16dc72848bd8dfa7ae4429e5478325c93c4e28ef2f3b3e",
"type": "query",
"version": 210
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "36a90d5c419868d33490ae93841308be77277e01d2a56b06b8009bb7375a6cf6",
"type": "eql",
"version": 108
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
"sha256": "ad65c639c9282d4a84c57212c900694af16d952dbb3ac33afbd77718de3667fa",
"type": "query",
"version": 208
},
"27569131-560e-441e-b556-0b9180af3332": {
"min_stack_version": "8.18",
"rule_name": "Unusual Privilege Type assigned to a User",
"sha256": "76566a0b3d0522a2fab08c3a36c299ef8d8806114de8e1af33ad350102f9d27c",
"type": "machine_learning",
"version": 2
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "5abcc4a23a78dfc3c6121a547aa8b7f60f13d1e0eb13ffe84bffee3402eb87e5",
"type": "eql",
"version": 211
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"rule_name": "GCP Firewall Rule Modification",
"sha256": "6f0e35c10120a48896bb215bf98a408ec499c4dd9b5ba7950885fc28e6933376",
"type": "query",
"version": 106
},
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "78bafc98d7c5fe4308bb404a5b81469cfb311bbcd457db961fa39bd477a2c61b",
"type": "query",
"version": 208
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"rule_name": "Account Password Reset Remotely",
"sha256": "2cc63514365ea19a6597d1a779d18286f8d089ec99085c90a6ead7d44057d268",
"type": "eql",
"version": 219
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
"sha256": "138552f6df8aee3e8ab2164631ef74888c7d0297c012bbd6ac9ea1c1a37ecc46",
"type": "esql",
"version": 3
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "6b3fa7dd62fb5ada56ab9663e0b8a2d42f0a8d40aad571361b1721b4046a17ec",
"type": "eql",
"version": 212
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "ea2ff866a53552d5f6b37d8fb6a24a980d6d123a4b964b5f369a83bf3fb5bbb6",
"type": "query",
"version": 105
},
"28738f9f-7427-4d23-bc69-756708b5f624": {
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67",
"type": "eql",
"version": 8
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
"type": "eql",
"version": 100
},
"288a198e-9b9b-11ef-a0a8-f661ea17fbcd": {
"rule_name": "AWS STS Role Assumption by User",
"sha256": "b82e2f2ed2e33eb9449bacd336894fa333cdb0803b0631db99bcdae123d74c67",
"type": "new_terms",
"version": 3
},
"28bc620d-b2f7-4132-b372-f77953881d05": {
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
"sha256": "4d9d91bff7cd3a9e6253b4646a0590556d450359008a5eaadbab871cc627a54e",
"type": "eql",
"version": 5
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "e16cea970ba4bcc3bbeca483cac76a1feb2fb95fa063ead468b038a6f42e9873",
"type": "eql",
"version": 109
},
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
"min_stack_version": "8.16",
"previous": {
"8.14": {
"max_allowable_version": 104,
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "6ace4761c9708044d26fcf7337460b8479b0c47a4aad784406a4831f875a8ea1",
"type": "eql",
"version": 6
}
},
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "ac19f2fdac91549a8dda7914281d68603b4c274a139c37255a70669a67f0c1d5",
"type": "eql",
"version": 108
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Creation or Modification",
"sha256": "8c7a1bf5af61fdc14026657a72b34594acb99ea47239291ac85895e2651f1e0e",
"type": "eql",
"version": 7
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS EC2 Security Group Configuration Change",
"sha256": "57b2dc1864fb167910db77d02fff97458948e36ef21bf4d4c4b270f73ca83b67",
"type": "query",
"version": 209
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "9e111482e5157563264056da5b3666baf56d9097dfa585e2ca2853e10cd720dc",
"type": "eql",
"version": 318
},
"2917d495-59bd-4250-b395-c29409b76086": {
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "9d504899405ab8edb97b379bebedf572403f11759bea65ed34bc493e907502bf",
"type": "eql",
"version": 418
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "7e2427e1271c47e2206d2500d6b507a8491c55ebcaac896f7e8b299b69e9efc0",
"type": "new_terms",
"version": 418
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 103,
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ced824201a88878d9e9186b2e710aea0f3325e0e249c379f3b6cc276abb4e8dd",
"type": "query",
"version": 5
}
},
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "93ad1ad8beccc767fb9118b7b32be05c1f8ba7f4ce7dcdf94f85624d8d4a84fa",
"type": "query",
"version": 207
},
"29ef5686-9b93-433e-91b5-683911094698": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
"sha256": "cb837753dc5b1e38c537d26af1c4c7ce8ac7211509bf369afa0654a9045f21e4",
"type": "new_terms",
"version": 2
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"rule_name": "Linux SSH X11 Forwarding",
"sha256": "9fcc6e6eea3618a03fca62772e89b82790e54f5f62797ee113a2d19c382258cc",
"type": "eql",
"version": 107
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "9c5fc44718257f07625e1166eb419c4395592908a49fcdbf935c53dc4e75d53d",
"type": "eql",
"version": 10
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "dfeb3736106927a156e733f7f8747a047c038f230a55845a58768a6369a5e3e2",
"type": "query",
"version": 206
},
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"rule_name": "ESXI Discovery via Grep",
"sha256": "a86c02c4a817d36c7f3ff829c30c9b2370f9fce7f238c332255c643a75ff2445",
"type": "eql",
"version": 110
},
"2bca4fcd-5228-4472-9071-148903a31057": {
"min_stack_version": "8.18",
"rule_name": "Unusual Host Name for Windows Privileged Operations Detected",
"sha256": "4d122f8f1f96f8fdf14f1a97ffad03f52ff19104426377a900afe529cfdd2305",
"type": "machine_learning",
"version": 2
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"rule_name": "Adobe Hijack Persistence",
"sha256": "a64a63c2b1334323d6b2e5f25a1c265e7193e3a0a8b8958c8f2d23ecb98b9664",
"type": "eql",
"version": 416
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "7cc5ef0f9ed173efb3107f4a2d727fb9ff4254bad860feba370b71b53b424653",
"type": "eql",
"version": 315
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "5c7d0e0e36a19f9093caf705980f02c2a0bb491c02eae447a065224943be8a7a",
"type": "eql",
"version": 212
},
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
"rule_name": "Potential Foxmail Exploitation",
"sha256": "80cda71a2bc3a76c6e3bd1a8e70694b19e9a033a51f59971b957a4130f0623e5",
"type": "eql",
"version": 205
},
"2d62889e-e758-4c5e-b57e-c735914ee32a": {
"rule_name": "Command and Scripting Interpreter via Windows Scripts",
"sha256": "cec195ecb99306a72534d7e7521cfeb9a2d4d3acaa083686916d9bae57800dfd",
"type": "eql",
"version": 204
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Enumeration of Kernel Modules",
"sha256": "86ce7698b8fad44f5c4b78c7b53765967337adaaf9f312162769ffa3b79d71fe",
"type": "new_terms",
"version": 212
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "46d6b6d760e911d091a01701ab201f63be69908c73dc9ab4e4e1ad481b9e4af8",
"type": "eql",
"version": 313
},
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
"rule_name": "Potential SSH-IT SSH Worm Downloaded",
"sha256": "23bf583e2feb9b8f6c9d4f35f66fdea61caa1a2d2a4d956dac12bd4ec9fac81d",
"type": "eql",
"version": 106
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "d0306e64bd3c65aa39cb2bdb1e37e7fe5868d4696a607fb47a385807de1f2437",
"type": "threshold",
"version": 209
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "3c073b5495eaf66836bedcfc9f6b9758e15ac3bad1481fb4e861cc7f30d104ff",
"type": "eql",
"version": 213
},
"2e0051cb-51f8-492f-9d90-174e16b5e96b": {
"rule_name": "Potential File Transfer via Curl for Windows",
"sha256": "1a0d8ddadabbb539a3eae57bf46a5a60b45abda76d1427fe07e021979f1e8e68",
"type": "eql",
"version": 3
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "c483aec9d6625be8936a62423470fcf3a2d241d9336e4ce6c9ac94d0d6eccc96",
"type": "eql",
"version": 213
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "39d4db89355dbd775fddd6dc57a96818362c31fb4e07597a65a8163b54a78a04",
"type": "query",
"version": 214
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"rule_name": "Accessing Outlook Data Files",
"sha256": "4e82e1f564687491fbb83a31d5b4272b6603d40ff48e65f5f4fc5105fd02b939",
"type": "eql",
"version": 107
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 100,
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66",
"type": "esql",
"version": 3
}
},
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66",
"type": "esql",
"version": 304
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "33aca0b923a70f6be45450125434d1f43b00df2f2b4c53db570c103caff35644",
"type": "query",
"version": 105
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "e8f051eb44558952bcecc9d7f235bc5563b58b26164a33f5bb4dc036665c73d5",
"type": "eql",
"version": 312
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
"type": "query",
"version": 101
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "31de043d1cd732e775149b43ff26172cddeeb44322ec37ae942a99614571d860",
"type": "query",
"version": 213
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "e31a51a76ed546320f82cecfb6bc198a5b3f344ef905f5e3c43bb6d580e4434c",
"type": "eql",
"version": 213
},
"2f95540c-923e-4f57-9dae-de30169c68b9": {
"rule_name": "Suspicious /proc/maps Discovery",
"sha256": "1822e615f8b6cd9ccba8226980aaa9ab83d1fea9eb0608c4e3a9ff7435b60ca7",
"type": "eql",
"version": 5
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "698a808aa15b4d66ec0a56d16de5a5f00fda54cf9ca1c4f9a175e4b733517850",
"type": "eql",
"version": 111
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "abb4c0ba6ea880cff86b60e2e288188caa668081bf20b5e5374f836d00f755bb",
"type": "eql",
"version": 216
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"rule_name": "Malicious Remote File Creation",
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"rule_name": "GCP Firewall Rule Creation",
"sha256": "25c92e02edc6460d9d39294cd07870fb0fa675e3e9236795739f4a4f58448699",
"type": "query",
"version": 106
},
"30b5bb96-c7db-492c-80e9-1eab00db580b": {
"rule_name": "AWS S3 Object Versioning Suspended",
"sha256": "01e2c613eb7762ef388bc29a3f3a695cb50dcd03396f14666bfac12c32bfe5ff",
"type": "eql",
"version": 4
},
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "8527bceb32594c7a8e2c45048b80bcd487f2a9b449979249a5f1b1c25666aebe",
"type": "eql",
"version": 111
},
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
"rule_name": "Network Connection via Sudo Binary",
"sha256": "92eb37d8668e105e4d2a5f60201d8c19a8999000a35d6e5a2469d46be10d3da5",
"type": "eql",
"version": 6
},
"30fbf4db-c502-4e68-a239-2e99af0f70da": {
"rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
"sha256": "75c2e730fe6fbeb39993a7c054f9a1f62de0d90a8c20e084d7fec9325988d738",
"type": "new_terms",
"version": 5
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "7cec198919a09236965c3fdfd4b59f77b7f52143b5764447161b1098935d2ee3",
"type": "query",
"version": 103
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "ee23f22e47ceddb6e8677a346d2b5a4af9d9f5da170c238a64f5c8851cb61903",
"type": "query",
"version": 105
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "21e8b176aeca2f5406a84ae606b64ef503227027bb012cc0376fc618ca02b070",
"type": "eql",
"version": 318
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "444d517a9b5890ece56554bae1c80f9cf989ad9919bec40807644bc7a75cc310",
"type": "query",
"version": 106
},
"3216949c-9300-4c53-b57a-221e364c6457": {
"rule_name": "Unusual High Word Policy Blocks Detected",
"sha256": "fbc24d43876fb187d170bf7067f200bfc4a9dc9315138429cf73dd99f867b8ba",
"type": "esql",
"version": 2
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "2b00decf4786b15edbdf57d3d658b8397508294d89ad09800efe40e426704568",
"type": "eql",
"version": 6
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"rule_name": "Azure Network Watcher Deletion",
"sha256": "6303595c0557d0a2c1bdcd100183e67f346f6a059754111fee987ef04b88628a",
"type": "query",
"version": 104
},
"3278313c-d6cd-4d49-aa24-644e1da6623c": {
"min_stack_version": "8.18",
"rule_name": "Spike in Group Application Assignment Change Events",
"sha256": "ba000a780422ecca33fc3d2bdebd7fd1b3946323c9364851babbfb05bff24798",
"type": "machine_learning",
"version": 2
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "40394cd02ee515c711a63559e34482888bc90301304b81ea4859ebd9a3e41e56",
"type": "query",
"version": 106
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"rule_name": "Program Files Directory Masquerading",
"sha256": "df4d87a09e053881953802fc4fa46fc877aa0ea0bf9e9bd6d3055809e5400c5e",
"type": "eql",
"version": 315
},
"32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": {
"rule_name": "Microsoft 365 Portal Login from Rare Location",
"sha256": "bb98118b040265c123acd9ad84f72cf6a6b78092bddfbd6533b62d45a1251b66",
"type": "new_terms",
"version": 4
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "904cd102108c369a24d0887bc0220f55ff48e2e68d68f51e1a4ee5679700d72c",
"type": "eql",
"version": 418
},
"3302835b-0049-4004-a325-660b1fba1f67": {
"rule_name": "Directory Creation in /bin directory",
"sha256": "1d62a522fbd5243f9634294cee047e72f0bd7e8de2e2fc837d0c1c572c5befac",
"type": "eql",
"version": 104
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
"sha256": "9fa9b45d5cf8e8949605d99781620724e2fd28010614f957236f1bb5a892191e",
"type": "query",
"version": 210
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"rule_name": "ESXI Discovery via Find",
"sha256": "64016260db97fc0a24b5561d293f27efd91e7df8904220c828bcf982b77abcae",
"type": "eql",
"version": 110
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"rule_name": "Remote File Download via PowerShell",
"sha256": "4e756d068c2e9ed120b6233fa877468317a79fd65872a1f792fe87d6f42be5ae",
"type": "eql",
"version": 112
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container",
"sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6",
"type": "eql",
"version": 3
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"rule_name": "GitHub Repository Deleted",
"sha256": "b80f79376c610ff0a430bb85a81b55a0fbe3592022a303dae37c4f86207c151a",
"type": "eql",
"version": 205
},
"349276c0-5fcf-11ef-b1a9-f661ea17fbce": {
"rule_name": "AWS CLI Command with Custom Endpoint URL",
"sha256": "2c35b4656d6c97c22d756d3cb8f79accc845a543338bf1178f5ed55e04b74b62",
"type": "new_terms",
"version": 3
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "8ff391d94daf4bd23c44706255d1e099259a3ba708d20fb059968cc6f8debcdb",
"type": "query",
"version": 108
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "dedd9c3cbc7712d5c42aa18c39d957eac5a7efb2aa2ffcb1625b1a5edb5bd368",
"type": "query",
"version": 108
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"rule_name": "Port Forwarding Rule Addition",
"sha256": "4926f98869b83eed0749fd03bb819041c163ce6d653825756280739284bbed15",
"type": "eql",
"version": 414
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "5745d4bdbaefb2afa5997ac4f1df178eb8383d50e4a025ed14b41e29ae0d50fd",
"type": "machine_learning",
"version": 6
},
"35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
"rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts",
"sha256": "3f28423faced2b8aa0493681362683f095c9464aa5ecb67465ac44f2694aefc3",
"type": "esql",
"version": 3
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "27c29f3cb0b52ffb9e632f99d66f4afc5a8cb971f35e7b1a7c630bc3d4360ff2",
"type": "eql",
"version": 317
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "8ecd1cc7d4711726c346fbf557911e258cb22ae5e2971c8f4e953919c319f8e9",
"type": "machine_learning",
"version": 106
},
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
"type": "eql",
"version": 100
},
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "8602887b7551d8a25aac769e63eb91002a965a960bf39b3658b791a8d1cb5311",
"type": "eql",
"version": 113
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "fde742d42b6efd6852acb5e55600159d3922c7b82f96441b7d26fb82374273c5",
"type": "eql",
"version": 311
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "c3120b0aa2240885dccc58b847aa1a13db940c88dabc5183736cbd25fb06db73",
"type": "machine_learning",
"version": 6
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"rule_name": "Potential Suspicious File Edit",
"sha256": "0b51a4557c5ac6047bb099ea94d918d2ba802827845c1ba5442d7c056200932f",
"type": "eql",
"version": 108
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"rule_name": "AWS RDS Security Group Creation",
"sha256": "abe985b06bbb9ae251f19288b5dfa7877ca05a5b85f24a149bf15db0b4beeb87",
"type": "query",
"version": 208
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"rule_name": "Azure Active Directory High Risk Sign-in",
"sha256": "5eb375d6c40080659d38aa82ca95b80a5c536af4fa63832ffa621e1257a5acd5",
"type": "query",
"version": 106
},
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
"rule_name": "Anomalous Kernel Module Activity",
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
"type": "machine_learning",
"version": 100
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"rule_name": "AWS SSM `SendCommand` Execution by Rare User",
"sha256": "9bcb7007cf0d02f708253ff438ac25c883112b179595c431b585e3664f9c75cc",
"type": "new_terms",
"version": 212
},
"37cca4d4-92ab-4a33-a4f8-44a7a380ccda": {
"min_stack_version": "8.18",
"rule_name": "Spike in User Account Management Events",
"sha256": "091759a8144570c26dfdc9e2febd37e94c5d592a9b45bbc33349cad978920517",
"type": "machine_learning",
"version": 2
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "500c4ed910e97f966b0f4dba87a44a420e274aed0bfad646cc413bac73a50b31",
"type": "eql",
"version": 209
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 309,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "5e5251cb58730100b0cc28f80d6377c224454944d105b37cfddbc186d96993c8",
"type": "query",
"version": 211
}
},
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "636b073c33a8c19e7b92d2026cdda3d90db816f843e47016d4b0c9c593a083d6",
"type": "query",
"version": 413
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"rule_name": "Network Connection via Certutil",
"sha256": "715df2c7bd21ee0b3136f9dcaf88ee3aa30f53332aaf8b2190d4f9a36a0c4698",
"type": "eql",
"version": 217
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "dfb5498fb2b706a6ca8e4cccca9cf7e6cfdd62dfdcefb194147656a2889138b4",
"type": "eql",
"version": 211
},
"3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
"rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations",
"sha256": "2304d2d28c8f1c9879d7026dd1d98a702b7ae69d8bfdb09fa94f765121a081fe",
"type": "threshold",
"version": 4
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"rule_name": "User Added as Owner for Azure Service Principal",
"sha256": "51d3872acf4e8e572b20302878124ce1a07f99c4356703a2f4765c0acaa1e284",
"type": "query",
"version": 104
},
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
"rule_name": "External User Added to Google Workspace Group",
"sha256": "bef99a1a751c871a18d6c1f07ff62240e2794509e8b48a88b7975b86c86d371c",
"type": "eql",
"version": 4
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "999c9153b44458674251b88ead57fb6495c4925deff4464ab25f4b56c645edf2",
"type": "query",
"version": 208
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"rule_name": "Downloaded Shortcut Files",
"sha256": "147883e10ca4666bc9453f1dcf999d93504a2d613579832278c2d6b1b87748a5",
"type": "eql",
"version": 5
},
"393ef120-63d1-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
"sha256": "3baef76c046e4ec7eefef4ea4afd2a3ab5e3087df2e8501087fcd54235a0ea2c",
"type": "esql",
"version": 4
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "747a1a51a252be37327bffad23b60b5d2dd56806a092cd30894aaf661dd149c0",
"type": "eql",
"version": 309
},
"39c06367-b700-4380-848a-cab06e7afede": {
"rule_name": "Systemd Generator Created",
"sha256": "f71b843e0cf218181a39793c506cfacc6bbe43b0cae4d011387d17df40cf6489",
"type": "eql",
"version": 5
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "7bad6ed215a7f269e1c96acd6ce625ff7debff4b9de20ca2e0c862be2badbe6f",
"type": "eql",
"version": 313
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "f61077a40c3f76617d26e5ab62884dd9a4a65522237373a4ddfb27f3f7c843b6",
"type": "eql",
"version": 11
},
"3a657da0-1df2-11ef-a327-f661ea17fbcc": {
"rule_name": "Rapid7 Threat Command CVEs Correlation",
"sha256": "d52a2f733baae3d047d493f476d6e3a0046e77a6624d979ee53a86b84c5ec7ab",
"type": "threat_match",
"version": 105
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
"type": "query",
"version": 100
},
"3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": {
"rule_name": "WDAC Policy File by an Unusual Process",
"sha256": "a1836e838685773055977731cbf37f922b1c621ae39a7deb6b5de0b8fa0c08dc",
"type": "eql",
"version": 2
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "c3da64727ebbb6eb100c0f450ac54da7f9c271bcceb8944861f9a7cbd76f983d",
"type": "query",
"version": 107
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"rule_name": "Azure Full Network Packet Capture Detected",
"sha256": "00e99b16e90e0481243974e38721a6c763a2eb79fc033ccc534dcc298749e9b2",
"type": "query",
"version": 105
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "1264b7ccb835d3b7b117a0b019b5766b8ef088e9325e571dbb83c327eabbc721",
"type": "new_terms",
"version": 205
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "e1d1e24c41ffc15f2af27ca5bffcae7132edad1fef3f0ae1b8f21d8428eedda5",
"type": "query",
"version": 105
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "fed55cc64747d28c377c068a1e5e34c38de8d120d07a075be739341a756199bb",
"type": "eql",
"version": 415
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "4bae908c5a79fa32bd9121daafa8c84339d5bc3ada00d397b3f57c204b48b88d",
"type": "eql",
"version": 318
},
"3c216ace-2633-4911-9aac-b61d4dc320e8": {
"rule_name": "SSH Authorized Keys File Deletion",
"sha256": "a874e891f85cf777caa13cf5f487834bfbe3f4aec7b20bfa94f8355199410019",
"type": "eql",
"version": 2
},
"3c3f65b8-e8b4-11ef-9511-f661ea17fbce": {
"rule_name": "AWS SNS Topic Created by Rare User",
"sha256": "f4c1e27062195f25c391ca50e55165f2d469910345d8d3b59079bccf61c9c893",
"type": "new_terms",
"version": 2
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"rule_name": "Unusual Linux Network Port Activity",
"sha256": "11f9e258fca8b016bcc6e9d093bb216ce76b2e7e63a94029e9bd53c7ae53bcbf",
"type": "machine_learning",
"version": 106
},
"3c9f7901-01d8-465d-8dc0-5d46671035fa": {
"rule_name": "Kernel Seeking Activity",
"sha256": "ad00a1be909488985abecf7e45bb750e1bb8f509358a0f7115dcaa58f4541c78",
"type": "eql",
"version": 4
},
"3ca81a95-d5af-4b77-b0ad-b02bc746f640": {
"rule_name": "Unusual Pkexec Execution",
"sha256": "2c019f5e4f614ae799830385754bea7fa60f424a28db6a1422fda653e175f054",
"type": "new_terms",
"version": 104
},
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "3c2170023555c5da90f51d4a85ef15c775c752d630f969063b3f7f9307d1cb9e",
"type": "eql",
"version": 206
},
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "fc715139a0d138e7ea48cbfe56feda5769267d2ecd173a83c3461f87f8fb4fde",
"type": "query",
"version": 209
},
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
"rule_name": "AWS SNS Email Subscription by Rare User",
"sha256": "ccb9ecb42f8c02bf5bc63795034c32402e71331da70efe089ca4834f6fceeb98",
"type": "new_terms",
"version": 4
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "4e43bfa9122b5eb72b4794253ba71abf38c351158ad95c8c230608228385dc18",
"type": "query",
"version": 210
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "224cc6433805fd2c3c57531603cb4dba7a52f6d1afcdc1fe9b263dab2fbe5214",
"type": "machine_learning",
"version": 6
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "1c1d9f823070989ca3d40d8b4b612a930c6aed9df95cbe7e46e7f70293d17b52",
"type": "eql",
"version": 209
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"rule_name": "Kernel Driver Load",
"sha256": "9623b7adf3b98086434947c34cf6bc971d698eec9d856b9e2e3ba07b870043a1",
"type": "eql",
"version": 6
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"rule_name": "Suspicious Emond Child Process",
"sha256": "e66456afa8b35058a74efb15de43268e0c91e60936eb36af937c5239634f93f6",
"type": "eql",
"version": 110
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "d1b745a651a514bb39e3a6973ebcf1c64718df7830ddc738ba9817bc69ae052f",
"type": "eql",
"version": 5
},
"3e528511-7316-4a6e-83da-61b5f1c07fd4": {
"rule_name": "Remote File Creation in World Writeable Directory",
"sha256": "43a9d616b35b1deac391a3d369df69a2a21404497b1bb14e26dc1a53876078c0",
"type": "eql",
"version": 2
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "5d3d7dc34146f83a863fe7c55f8f1bc7d56a5e33b75e9d77562cf19b3bc7652e",
"type": "eql",
"version": 315
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "7c73017e6b329010f74f02bd06521eb0b0ed985c0d56b65794fd126aaa8ee9fa",
"type": "eql",
"version": 309
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f",
"type": "threshold",
"version": 208
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"rule_name": "CyberArk Privileged Access Security Error",
"sha256": "45be023027bd57b9255faa87eaf79a9fb5567acab4a5b14551c9f3ef64f59692",
"type": "query",
"version": 104
},
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "c8050c8ee01c138b8d1d31e4e67f094b0f1f05df2ac073d4271dcac5a5037a57",
"type": "eql",
"version": 9
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "d59511ea25b0421138c4852c5dc6a049c2005bbb3dd874b22bd73356c4a93a79",
"type": "eql",
"version": 113
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"rule_name": "Process Discovery via Built-In Applications",
"sha256": "fe6627cf2f70956978fe5c9185b371a7f2ffed9843fbde9e265cfc1bee3d2d55",
"type": "eql",
"version": 4
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "8ba665f334b7165f166230e61a2c2ddf9e8be409c290a43e50b08ac186fa606f",
"type": "machine_learning",
"version": 6
},
"3f7bd5ac-9711-44b4-82c1-fa246d829f15": {
"rule_name": "Command Execution via ForFiles",
"sha256": "d6605b494092cc1a6bfe11ebf5dda27d447d29406e53d40ca97c42f68b2066f4",
"type": "eql",
"version": 3
},
"3fac01b2-b811-11ef-b25b-f661ea17fbce": {
"rule_name": "Azure Entra MFA TOTP Brute Force Attempts",
"sha256": "096663ac4f2f65728b65859267b7a5df52cae07f45541fc4df53d7d2c0162a1c",
"type": "esql",
"version": 2
},
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
"rule_name": "DNF Package Manager Plugin File Creation",
"sha256": "4dd7bf7ab6a2635b73d5ba1143c6c2456ae81e5df1f9c63bbfdb61c0a7082900",
"type": "eql",
"version": 105
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"rule_name": "Unusual Process Spawned by a User",
"sha256": "fcd7c4ae47186abfb1c69e19a6282a77a8b85b66ba40f319e173bfc8601ae5ca",
"type": "machine_learning",
"version": 109
},
"4021e78d-5293-48d3-adee-a70fa4c18fab": {
"rule_name": "Potential Azure OpenAI Model Theft",
"sha256": "ef195d098178a2dc0f66928ae6cf38dbf7eb1d7d847a573cb7236fb5b7a157aa",
"type": "esql",
"version": 2
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"rule_name": "GitHub User Blocked From Organization",
"sha256": "adfa045eb620ff2149793c19ef28a5159dbc6863684609b61e4b3033b25441e3",
"type": "eql",
"version": 205
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "443e468971099009defe943f52c3f094cd47db9ee6858147f4aa55a5852df2d2",
"type": "eql",
"version": 312
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"rule_name": "Suspicious Modprobe File Event",
"sha256": "f0d133f35bae4d0eca42ae34963c7af02c3203f4497b6bd6c6348e79e882f03b",
"type": "new_terms",
"version": 109
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"rule_name": "Unix Socket Connection",
"sha256": "5e00ab9e5faf69b3d397b086a6288dfaab171336d9624359bad5d1c154c41a23",
"type": "eql",
"version": 107
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "82cb328093e9d934161e638b4116a7be7eb6ed75b26cbef385901dd33f50beb8",
"type": "eql",
"version": 316
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "5115d1328e7c1cad8d8f61e9737f4ba77d8f99c696ff5a2c77008045ab0793ec",
"type": "new_terms",
"version": 205
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"rule_name": "EggShell Backdoor Execution",
"sha256": "bb47a186a7b2737b148006d3517c4eaac30b63cf92ce668687dd06dcc55c1f6b",
"type": "query",
"version": 105
},
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
"rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
"sha256": "8e761cae475d2ad1f1ccab98b9c8dbcb1ba6a2ed51cd309d4481595eaf355106",
"type": "esql",
"version": 5
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "bad7f35f80c24449fd1d672b897f45f737dc2ef3015ef109afbe4ad885e9a82e",
"type": "query",
"version": 108
},
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
"rule_name": "Deprecated - Mount Launched Inside a Privileged Container",
"sha256": "9599b657201d226cccb73d627949385bb21c69eb6e7c4554c43014a63a681978",
"type": "eql",
"version": 3
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container",
"sha256": "0f61633254922e0ebf567567b6aa39f07580e86d34cd1cb9240a2c1ce7ce5034",
"type": "eql",
"version": 4
},
"428e9109-dc13-4ae9-84cb-100464d4c6fa": {
"rule_name": "Login via Unusual System User",
"sha256": "1420e0204ed618ab159e076db635864980c6c67715ae408abfe2428d7a781d11",
"type": "eql",
"version": 3
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 310,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "f65119ef6918a244fc9d7e77a24da44f7c9571685cd9e6c587ea87d19951038a",
"type": "threshold",
"version": 212
}
},
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "22be760b417fb1850285434c5ec09d39560a75cdd2146d8a1ded5ef5c4a56d40",
"type": "threshold",
"version": 414
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"rule_name": "Process Creation via Secondary Logon",
"sha256": "6aeffa394b038e35cf613ccbd2f6b10d79664062acd3e3de4db7fa16a771d1c1",
"type": "eql",
"version": 113
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"rule_name": "Unusual Login Activity",
"sha256": "1d33b43f6c576bad7e11ae2aba3109cf1e7c811b7704ca80a5425cc45e67de44",
"type": "machine_learning",
"version": 106
},
"43303fd4-4839-4e48-b2b2-803ab060758d": {
"rule_name": "Web Application Suspicious Activity: No User Agent",
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
"type": "query",
"version": 101
},
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"rule_name": "Linux User Added to Privileged Group",
"sha256": "65b93d1da578950c21d962ac5cb37219d48010477035589bb3066abe7ca75197",
"type": "eql",
"version": 111
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "784d8fb4b9098b300294e7a4a4cb53f3157509f32b91d8ed073071cd13d2bc69",
"type": "eql",
"version": 313
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"rule_name": "Unusual Windows Path Activity",
"sha256": "ebd6ec623104bfeae184c449cfc13dedcd496c3720d40df04259cff4d7b1956b",
"type": "machine_learning",
"version": 209
},
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "1acb02fcb35cff7d642b71057b912bb57e7f59e873a7edcd393c5e49dfe62511",
"type": "eql",
"version": 5
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "1b069620aa666c3998bacdf9ca0c7ca1f43e820531a625fbe8b6195d1f9b2241",
"type": "eql",
"version": 114
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"rule_name": "Route53 Resolver Query Log Configuration Deleted",
"sha256": "7f33a0d542dd4ea020b90ea0f18712b660bcbff8fc9c9ba59aad8da683734c5b",
"type": "query",
"version": 4
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "a9591128215a5ec0b9ebce85a74cbb8d346e601ad9c1a77447b066f0d77cee20",
"type": "query",
"version": 105
},
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
"sha256": "b2d760325f5d50c1a4eb1d8475f35e11755540be43e31cd4c1c1ada9c9c50098",
"type": "eql",
"version": 4
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"rule_name": "Windows Event Logs Cleared",
"sha256": "dd27d9d9d413267dbdea56e05ca06437f65c4fe198bfefb0d5afe45a4015bd17",
"type": "query",
"version": 213
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "edac65e6cd180125cc58c6f5ff6acf34538b971794289e520347777c94231755",
"type": "eql",
"version": 215
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "a1ef085183ddd7c3815f34aa5bf84ec03b2af32fccb8e1bd6d2c17d48f4244ea",
"type": "eql",
"version": 317
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "070a88e75e87679e11cb262cf7a4e5b87b8e97a5a0180ef265f702a3cfc6cfd6",
"type": "eql",
"version": 314
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"rule_name": "Unusual Process For a Linux Host",
"sha256": "4b345163c8996a76d03058794c9c829cd969f3a8926fb0d02c1d9aa9b80b7af8",
"type": "machine_learning",
"version": 107
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"rule_name": "System V Init Script Created",
"sha256": "524a7a6b89aa23e7e3b2dc3fabaf8d004d6704c16e042a80eec36bca2942e540",
"type": "eql",
"version": 116
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
"sha256": "c45335d0cf5b97ef7c4f655e919b98f962426de4d8347ffb18ce6bbfea13bd98",
"type": "eql",
"version": 4
},
"476267ff-e44f-476e-99c1-04c78cb3769d": {
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
"sha256": "8abcf2f4cbb9068f2541e2248bcc6ad69f0524b008125979ccbd728203e1ddab",
"type": "eql",
"version": 105
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "079823798d75ae57671ea3b9890d247bb4e458b0bda3977bcdd310cd35c6433c",
"type": "eql",
"version": 214
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
"type": "query",
"version": 100
},
"47f76567-d58a-4fed-b32b-21f571e28910": {
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "bdd7ab476c31706f5785527f8be2fb5a0ef408b989228441b1dd7f6922858ca7",
"type": "eql",
"version": 110
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "dd671118de91a42c3ecf154d7bada232eba41d2cf55a51bf7487824b33756920",
"type": "eql",
"version": 314
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId",
"sha256": "a212ea59580afc614603150cba5a6a7460981bfd811e9b65304fe3aab8199c1c",
"type": "new_terms",
"version": 109
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"rule_name": "Potential Reverse Shell",
"sha256": "42071b823313deee2ce5961c0fd8d6d88d9ca7c85ef65a77e5edfc3c33dcf8f7",
"type": "eql",
"version": 12
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "c2b9660463cc7a32915e83a4c3554113d485167b13e404524e55b79f4cddd219",
"type": "eql",
"version": 113
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "0e717fe5521cb9c151bb4753596913972dffded766ae5b985c5f828424ecea12",
"type": "eql",
"version": 110
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "69eb97cebe9865e58affc58241a7ac807567a883ece049d07cafeca1395f04e8",
"type": "query",
"version": 108
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "ab04343de1c1ec9e086a1b917b5cb4afaf0e60d3bb6255eeb6af90ab1da38d46",
"type": "eql",
"version": 5
},
"493834ca-f861-414c-8602-150d5505b777": {
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "6144987feeea5f57fa67484e121452ca28b0a522c8ee105f48e14de7fd4ef115",
"type": "threshold",
"version": 103
},
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "4bb38735510e072973f80b2ca4d6101720a709bb1ffcf1af8a96b7572f319493",
"type": "eql",
"version": 111
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "5561c06a696c8f3318d406b0fd1838e90f58d30bf0e6606e83d6e53a9adf7fa6",
"type": "query",
"version": 108
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
"type": "eql",
"version": 3
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "52836212a2d260da0677a7941299da36be98664e8fd37fa50e4230f74cb50bf2",
"type": "eql",
"version": 109
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "df02c5a18062b26bd791e0bc8b97a58b4d463df63e0d16dd6352edde4318c54c",
"type": "query",
"version": 107
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "ebf57027560846533faa68621192dac9c60f890116b7ad0d1ad78daf713b2875",
"type": "eql",
"version": 108
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"rule_name": "Potential Cross Site Scripting (XSS)",
"sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6",
"type": "eql",
"version": 2
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
"type": "eql",
"version": 6
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "386add74e2146d577e03569d8987736a4299bf5d4c358a932efc23eec21014bd",
"type": "eql",
"version": 314
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"rule_name": "Deprecated - Container Workload Protection",
"sha256": "411897304d67f1f8954d01b12bd234c002308f5cb7c284cc8edc8e86398b5506",
"type": "query",
"version": 6
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"rule_name": "ProxyChains Activity",
"sha256": "ffa6fa721bd64651471693bcf4bd16054a021f5461e6bd90dead56cf5c1cd47b",
"type": "eql",
"version": 107
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "2bd70accd4d5dcbe74e67bd4c2462eba40ce971a6bb287bab60d4054aedd6dd4",
"type": "machine_learning",
"version": 6
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "d11a204b74fdeb2c1247d5b56f17147dd8b65fc830c6ccd2715a57215d1abccf",
"type": "eql",
"version": 312
},
"4c3c6c47-e38f-4944-be27-5c80be973bd7": {
"rule_name": "Unusual SSHD Child Process",
"sha256": "5691873471287afa74cc80848bf008c5f62470086d5e8b5f31746e21b806bb95",
"type": "new_terms",
"version": 3
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "f3a3135a57c36b042393cf11de9420fa0c8118bd72805fc7469ed06a0c922881",
"type": "query",
"version": 112
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "7da8da26b9ff5d2e6fc21fbf81654955d50f12b01b084b8ed317b600da4101b9",
"type": "eql",
"version": 110
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "08df10789587218a9f2aaa17d90301d660b50ac0d5a84b7d60a1348e55cbe808",
"type": "threshold",
"version": 209
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "29454dcdf27a357a88b873870c65a2c94b03aef69fdb14d77eb939cef445a7f8",
"type": "query",
"version": 108
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "090f8ba9167ae24b14a27c89a8ef99cd86f74387f9270ef155af4fcb980f5d37",
"type": "eql",
"version": 316
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "e7ff7a8a0e59652a631264155562ad526ef971582fb47d794a0907199a888a41",
"type": "eql",
"version": 114
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
"sha256": "c5d36bfd31370e17a590a916f51a4a55c0550b4e9dc766e216fc12993232c344",
"type": "eql",
"version": 112
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "1e4f1735ab4a70a1a0817b7ac51448230e1fccec9211edb8c0b7957abeb6f7d2",
"type": "eql",
"version": 315
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"rule_name": "Suspicious Script Object Execution",
"sha256": "1a29bbc93779eefb34ed6e026c3928e826b5f0ac9e404e23d1ca778371a3b88b",
"type": "eql",
"version": 211
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "7c9a2609b0c927d2b54d9609d677f0379515475dbcb523900a3bab9c18910f63",
"type": "query",
"version": 210
}
},
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "dc8996879685c3c43a62287b6e47c81fb0bc3241554b7c380368925cb609383d",
"type": "query",
"version": 412
},
"4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
"rule_name": "Kernel Unpacking Activity",
"sha256": "0b30fb21731d03c1fbb827c9416b5162cc24f48977c7cc10bfb8bbcf13e2b103",
"type": "eql",
"version": 4
},
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"rule_name": "Unusual High Confidence Content Filter Blocks Detected",
"sha256": "c2e729e23f37d687504d5c86cb91f01a1d9363cd489f06a54723e557f02903cd",
"type": "esql",
"version": 6
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "6ad4010549a9af6f6b221c82950fc589c1ef6241ae9b5e6dbb3b62c28f6d5136",
"type": "eql",
"version": 316
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 104,
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "3fd4abe84fade840ddabfa0b4a59937c3d0c030a1681cc96bef3b4c37db789f7",
"type": "threshold",
"version": 6
}
},
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "a3263a5442429acc1b25a37202e64af66da5b895678d0e645779808cd2f8d5c7",
"type": "threshold",
"version": 208
},
"50a2bdea-9876-11ef-89db-f661ea17fbcd": {
"rule_name": "AWS SSM Command Document Created by Rare User",
"sha256": "d16dc8e4c8ac6bac3e9973abcd5a929f647f8d3f83cc71107759bd160f2a5b9b",
"type": "new_terms",
"version": 3
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"rule_name": "Windows System Information Discovery",
"sha256": "cc07c6ef87665b278c50634e18c2631b46e175dd4c6fc3475082429e14f6d124",
"type": "eql",
"version": 110
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"rule_name": "Hidden Files and Directories via Hidden Flag",
"sha256": "73f72593911a824bf9f474a0fe78b775e7b80bf0a99d3ce3921fc928d1710b49",
"type": "eql",
"version": 106
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "cce173ee31cf29971ae004c1c2afe25f410d68f58daa4be714fd8463d7b3a2d3",
"type": "eql",
"version": 414
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
"sha256": "0d7760dfac795b398712304dee6bca9ac497932b8b85592b9692ddfad6d4348f",
"type": "query",
"version": 208
},
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
"rule_name": "GCP Logging Sink Deletion",
"sha256": "9100e2b7e720077aafa045787767ab56b8df11bd6bf78cfeb93f9780ac195e0d",
"type": "query",
"version": 106
},
"5188c68e-d3de-4e96-994d-9e242269446f": {
"rule_name": "Service DACL Modification via sc.exe",
"sha256": "a704511861e0b96e95a8ef19eb8787d4bc4dcf4fe88beed50ea5b73834b70f9c",
"type": "eql",
"version": 206
},
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
"sha256": "7fd1d088c98825fcbd437ab2f437e5a12fa4d65c5d05609bf6bca73ce55d526a",
"type": "query",
"version": 4
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "2a69c016995d4b395c45c843d21e4396954c619921a53482e5455aae0cbbdb06",
"type": "eql",
"version": 210
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"rule_name": "Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "0e83a8899c7d67a1fdc5d6be2ad72adfedc9bc0a89ea04e43a6033fbbe5f76cf",
"type": "eql",
"version": 9
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "7ca243725bca36442b6c11d7e4dd0d81b7d4f4e5efd57b7af6697e61a7b244af",
"type": "query",
"version": 208
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "8d440a86669314004ff9a3b54eb5e457dff1c8755d55be05f468ecd140381235",
"type": "eql",
"version": 116
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
"sha256": "35a5484211da8f0687e9ff7a68f965172d10f4b121efc657a523ce0e9b3a1bff",
"type": "eql",
"version": 2
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "d26c79e581e6b7c97bc9a3bfdd9eb71f2be54aefa50763b665dc26e578ceb752",
"type": "eql",
"version": 210
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"rule_name": "Unusual Linux Network Activity",
"sha256": "747f7b15c1d2c688515d08554956a34927700435bc64256160920b8f4418d82a",
"type": "machine_learning",
"version": 106
},
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
"rule_name": "Unusual Linux Web Activity",
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
"type": "machine_learning",
"version": 100
},
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
"rule_name": "Unusual Linux Network Service",
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
"type": "machine_learning",
"version": 100
},
"530178da-92ea-43ce-94c2-8877a826783d": {
"rule_name": "Suspicious CronTab Creation or Modification",
"sha256": "4da91c0f9c410b7faed2c4bf521d6285907973f7ac07daec0e6d871d69199e4d",
"type": "eql",
"version": 109
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "8f420db22da434ead75707fa86f3a228b1fbaa644dc99ddbf57fae4e754ed3fb",
"type": "new_terms",
"version": 13
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System or Mount Deleted",
"sha256": "d1877077ebba4a061cf00dc8878e2c5faa1ead39b54c92750b2d172638ec5bc5",
"type": "query",
"version": 208
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"rule_name": "Azure Diagnostic Settings Deletion",
"sha256": "523bbd1fd0da8e73b2c3a2e7dafd4f50ffdd1996d8e853acf73e377a13db25bf",
"type": "query",
"version": 104
},
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "c38050081677e1fef12cf5e4891774268c9f3bab0b6eec41fbc9addcc3f8ad0d",
"type": "query",
"version": 8
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "989d656af2a7cae0a5c40f18a8ef7c375a3ab38c717901a5c03fa1e2907c3feb",
"type": "eql",
"version": 315
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "313ed3f946d625de448ea2a2558dbeef4e57f56eef87c1f33840d3024b19ef67",
"type": "eql",
"version": 108
},
"53ef31ea-1f8a-493b-9614-df23d8277232": {
"rule_name": "Pluggable Authentication Module (PAM) Source Download",
"sha256": "0a0b4adff81510159724184176a240c1f49915111890c72fdb528a94ecc85956",
"type": "eql",
"version": 3
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "33aff5a5dbdf40c09777323589140e2d6b3246324468ae0afea47dcd15ac4ffa",
"type": "eql",
"version": 214
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "eb43898b40f868859dc0b7dbdf1cd88220d2f8f31570ece3d3fef43b83fcde48",
"type": "query",
"version": 211
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "5467332918c4a20cbac2a7d8ffe8762f3cc20bf03130f30d1249b2946966f0d7",
"type": "eql",
"version": 215
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "cf0c2fee3a0cd67ed59b810b60cc0548aab8b229e97754a29fecf0e91a5a96e0",
"type": "eql",
"version": 214
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"rule_name": "PsExec Network Connection",
"sha256": "ebc7adabdd10f9bdb8a65c5498ea66459313865b324eb852230ce6878ae4beb4",
"type": "eql",
"version": 210
},
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
"rule_name": "Windows Installer with Suspicious Properties",
"sha256": "471839bf4798d023db9ae1ee115c090513f2898049229d75a07f6a59ff5f6071",
"type": "eql",
"version": 3
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "5645ef43d720db2f77ca06b00e8e2b7640a5d30ce70170996434a0864e0d2663",
"type": "machine_learning",
"version": 109
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 103,
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "ec566f4e3388dd1ab9134b4f1fd960d63dab606c6ad5802edbbc41f539136c3f",
"type": "eql",
"version": 5
}
},
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "80cc2b25ba68f1c7b6eb7e108e7455c72ece4b63d0cfdd3775bc0a7a9995e115",
"type": "eql",
"version": 208
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "2fa80b00741ceda859cf03dcf379557efa939fd70cc63c7c9730b802c2569352",
"type": "query",
"version": 210
},
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"rule_name": "Potential Admin Group Account Addition",
"sha256": "e06284802e2f652dade4251ee26be279b63c230144fa84d9b06a42c9c190769c",
"type": "query",
"version": 208
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "4552ea472655da2f7f3de3c916d8f2e1f844b79c8a1d0023acf141251203ab08",
"type": "eql",
"version": 110
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"rule_name": "GCP Logging Bucket Deletion",
"sha256": "552064e8ccb59fea38a54063c9a12f8f45fad7326c22a8ec007af7f1f747abac",
"type": "query",
"version": 106
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"rule_name": "PowerShell PSReflect Script",
"sha256": "7d65cb772d7833f8e8d1ccfb0113c318e49be46078237b6a60503d3de0f83d50",
"type": "query",
"version": 315
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"rule_name": "Execution of an Unsigned Service",
"sha256": "d507423d52c101f79911ac9a4d9a816e8514259a155969b5524a8c1a3ad4f7be",
"type": "new_terms",
"version": 106
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "c9cb88e4bd0585dc8a0715f878f7680ab47572e25c022a085b4c15de1d1872ea",
"type": "query",
"version": 107
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "c7c3ab0c50a276ad16b97c50145d1b1c44b1d09b2582d5f75868b68006f33c2b",
"type": "query",
"version": 105
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted",
"sha256": "3bd9b9806211bae844f9347ed4eb988226cd963b3fe8cc76596faa1db1ae1d52",
"type": "query",
"version": 104
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"rule_name": "PowerShell MiniDump Script",
"sha256": "1cdf89702f0697b9beab963d62baea5ad000de479006ba84cdabff818dd622dc",
"type": "query",
"version": 211
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "0395ec676101a0b65b0e8c71830e3404fb11d713df56edfac7217299d254ec8a",
"type": "eql",
"version": 107
},
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
"rule_name": "DNS Global Query Block List Modified or Disabled",
"sha256": "3d800d25ede9e201b1eb67e28c1ca88f34e874a8e41e61c4312a523270b18d39",
"type": "eql",
"version": 205
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "b966b5928c2ae3e6057e3b9055c50204a2c4e6f259216a86da3092adcaa38613",
"type": "eql",
"version": 316
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry",
"sha256": "b0a1a4a3b540be5cc831e650310e36457597b79bae02bffaa3958db0f01821e0",
"type": "eql",
"version": 313
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"rule_name": "Zoom Meeting with no Passcode",
"sha256": "ccb0acf3cc1b30624083f57a468ae8f3d188ca69b2ae0551b5122b12e90e6b36",
"type": "query",
"version": 104
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "4a7ecfc0acc0b3314e2cb99443265c34fbbfb0c7265c129c2b57452feb77fa24",
"type": "eql",
"version": 110
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "45fd6eb0302259c40b7df9278aa55cda22b3c0a5a3281f571eccc49a13c5ae11",
"type": "eql",
"version": 113
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"rule_name": "File or Directory Deletion Command",
"sha256": "3814ddae55eecd6ccd1e6ded92e4399f2ba98fc0ec0163476933a69aa6f7e140",
"type": "eql",
"version": 4
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"rule_name": "O365 Email Reported by User as Malware or Phish",
"sha256": "8fd6df132395f02019a63751ff8b5f3326db07419de64b7ca6451c1c2646bc5a",
"type": "query",
"version": 208
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
"sha256": "983d0a5e4ac01af8b12347c79b4947ce5b9060a519135345b017b3e0b6a9a04b",
"type": "query",
"version": 209
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"rule_name": "Unusual Linux User Discovery Activity",
"sha256": "3d694be2eaff2d6e3996bee8bf38811d409e34d92d79716a331b706e601ae02f",
"type": "machine_learning",
"version": 107
},
"59bf26c2-bcbe-11ef-a215-f661ea17fbce": {
"rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"sha256": "bb3edb6baa2522b16071a08dea8797cd6ed90448ce2cab7815409a8741e8d789",
"type": "new_terms",
"version": 3
},
"5a138e2e-aec3-4240-9843-56825d0bc569": {
"rule_name": "IPv4/IPv6 Forwarding Activity",
"sha256": "136641d922ea81b41c2d4d980f302dd943c57993c1fae9eb51d4758eded9b880",
"type": "eql",
"version": 104
},
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "85533c18602ad1d1ea6c6b925d721d7ed7849d41856a90b848f7e6035eca13f8",
"type": "eql",
"version": 311
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"rule_name": "Potential Reverse Shell via Java",
"sha256": "324f05ff956b4ed13cf5efe7f9c144a90d31c5965164c75200e45f4bcb0ffacb",
"type": "eql",
"version": 11
},
"5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
"rule_name": "ROT Encoded Python Script Execution",
"sha256": "b10c9dcd5e2e0c8f11e4eeefeeb39407f7dbefa973965f6fb28e3e0e452e1c5d",
"type": "eql",
"version": 3
},
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "8233f0d545eccf0a054d4f4a0e7e8087ab3b8f04fd3ed84fdde48735ff956d96",
"type": "eql",
"version": 105
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "385a13e8bb8ea7cf36a6d4e4359358e5ea0993d551cf6b7347577c755e504f3b",
"type": "query",
"version": 108
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "15fdadb012518197ee92f767fd9c0ed33cec48d502fe77bf16aaae7f877f74aa",
"type": "eql",
"version": 310
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "ae2a367bd0f05bef598e93c0b67f177939693c5cf852a8d959cbac4f09c90b3d",
"type": "query",
"version": 110
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "2555ff07654075cd2782774bb77957e33d6baa2b407ca04f05adf0de27fcd06b",
"type": "eql",
"version": 9
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"rule_name": "Suspicious which Enumeration",
"sha256": "6c8c45c6688ca2ce03eea4a7273b4711f78be8463d55c615fd901c319a1a5cae",
"type": "eql",
"version": 110
},
"5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": {
"rule_name": "Successful SSH Authentication from Unusual User",
"sha256": "686aa62b03ad00075ae2590784e868db541f0c68b7f036db6e601b5ee7e366fc",
"type": "new_terms",
"version": 2
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "8aada95c6027eb049c8ef8eae925989f12a016a8c9b1c66b1245f18469260088",
"type": "eql",
"version": 7
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "ad3599437f6b6a09798ab143e5d2cc53345ee50743d23511022a25d828d7ccb5",
"type": "new_terms",
"version": 316
},
"5bda8597-69a6-4b9e-87a2-69a7c963ea83": {
"rule_name": "Boot File Copy",
"sha256": "b552d2a78e113741448435258be12572c7abc86e11608544941331ecc9d13f78",
"type": "eql",
"version": 3
},
"5bdad1d5-5001-4a13-ae99-fa8619500f1a": {
"rule_name": "Base64 Decoded Payload Piped to Interpreter",
"sha256": "9fcc2f0258d68ac025e1308b59250debf20e1032927c9e79f862548e8d877416",
"type": "eql",
"version": 2
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "b65dbc5c1b6a86fcb11fd26c0ce1715f92022815dde64b619dfa3188014a1b72",
"type": "query",
"version": 208
},
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
"rule_name": "Process Capability Enumeration",
"sha256": "e5b326c8a0f31d672aa1c14a9ff16fd989f23fcb9a2011cb3bec13d1b792f905",
"type": "eql",
"version": 6
},
"5c495612-9992-49a7-afe3-0f647671fb60": {
"rule_name": "Successful SSH Authentication from Unusual IP Address",
"sha256": "078138cd9496f1183dcdcfad3dad8c3c172a4dcc17859b64109eb9fe681cb5b4",
"type": "new_terms",
"version": 2
},
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "a4945cf7c012f4d229f0adced1a4e683d95c469a694d4f0ac142ac40d9549d9b",
"type": "query",
"version": 105
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "32257f6514346a05dbcfecb5ab8374375d1a61bde89f35e9b543417dc9e86688",
"type": "new_terms",
"version": 116
},
"5c81fc9d-1eae-437f-ba07-268472967013": {
"rule_name": "Segfault Detected",
"sha256": "364ec495241b74ef57f8c17608ee0355fab428420ec1d1f2fa6e1221e017e550",
"type": "query",
"version": 2
},
"5c832156-5785-4c9c-a2e7-0d80d2ba3daa": {
"rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"sha256": "291e57801af57d2170b6267d50e11f9ba6d66956019ed39a7de7b7df55663d27",
"type": "eql",
"version": 103
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "2eaefc547f7e0d2f831383c6c2e75cccc07d1b329a6a0b8db1eddf86ca7ce725",
"type": "eql",
"version": 9
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"rule_name": "Unusual Linux Process Discovery Activity",
"sha256": "c2e7104a47c04957ed4c17bfda2f8b427f0abace6afc9048d1672b2d57f1b4c5",
"type": "machine_learning",
"version": 106
},
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "3e22e58509ead670900ef3b2cf1ec73386d426a7124d162da4acfab1f4ba07f7",
"type": "eql",
"version": 110
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "c27678790851c619276ba3a832135387bcdc13a105af478618ff8d0d2ab2e902",
"type": "eql",
"version": 211
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"rule_name": "User Added to Privileged Group",
"sha256": "9f46d8326f779f8f6c96f8ee4ba9b406efbe4f690c1ef2b8914e3db671c2c2b9",
"type": "eql",
"version": 213
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"rule_name": "Persistence via PowerShell profile",
"sha256": "1bef26641580680432e671a6677d22250fd7fb2baf3aaa774e71337baf84f4de",
"type": "eql",
"version": 211
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "3f05641565c9c3589cffe2565e66ee80a59e9530c03af2bfb90edaf8c0319b99",
"type": "eql",
"version": 110
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "8d02f7b3e3cdb4a68eccb8b4902740fc4b6b6cc80e626017b623d530c15745bb",
"type": "eql",
"version": 212
},
"5d676480-9655-4507-adc6-4eec311efff8": {
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "ee83db2b154abac2ba7e1c34404a432af47b527800505760197b6ab37e8ca69d",
"type": "eql",
"version": 105
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "f2849dbc38b3e9d369abe4a4bb01628a11289f4398627beacdf643f358f0a0db",
"type": "eql",
"version": 109
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "a53059e3110b31779fa331e2a7c87cb90588c3d15809045eb8066157aedeb8e8",
"type": "query",
"version": 108
},
"5e4023e7-6357-4061-ae1c-9df33e78c674": {
"rule_name": "Memory Swap Modification",
"sha256": "d38345093a1a35f661b09b2d4f917c7a6778b6ed4328fa41dafd857c375dcdf0",
"type": "eql",
"version": 104
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
"sha256": "759c77f0b0e98e074935bac3a71acb4717c13cdb738eb3d977324da06ff19f7c",
"type": "query",
"version": 208
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"rule_name": "Potential PrintNightmare File Modification",
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
"type": "eql",
"version": 100
},
"5eac16ab-6d4f-427b-9715-f33e1b745fc7": {
"min_stack_version": "8.18",
"rule_name": "Unusual Process Detected for Privileged Commands by a User",
"sha256": "9d3e18ccb4f8aedb87d784b78e778fe6efd142110e8d7813188f68db71cb1cd8",
"type": "machine_learning",
"version": 2
},
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
"sha256": "e65db1e4cf78b27ce4ca6092bbbb6900c749dbda0d96ee608ec1954757cb9862",
"type": "esql",
"version": 4
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "38126a1ab4d00fdec05a14003e00b3b4d770f8b5e2bd2863f0ddde639fae896c",
"type": "eql",
"version": 205
},
"5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
"rule_name": "Docker Escape via Nsenter",
"sha256": "81f443c1c651a8a622b84f566310c318819904d1c4782ad6e6422c12e42aefa1",
"type": "eql",
"version": 3
},
"60884af6-f553-4a6c-af13-300047455491": {
"rule_name": "Azure Command Execution on Virtual Machine",
"sha256": "56250f67c39b58a0b9d4adccf367a6b06f68f65fbbd6bd334150a6612562fb93",
"type": "query",
"version": 104
},
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
"rule_name": "Azure Service Principal Addition",
"sha256": "01cd9e45bd5a05aea9099c67847816a2a23d7b76a986d288bc67b2cc014d3a09",
"type": "query",
"version": 106
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
"sha256": "383588a0e9ed02bb43d50d15a099c4088d686f44341fc16205907099247d993a",
"type": "query",
"version": 208
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"rule_name": "Unusual Process Network Connection",
"sha256": "e679c2af22476b8572780f9fa6fd67aca3a9d598fbf710f4b5de686bf91aef11",
"type": "eql",
"version": 209
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"rule_name": "New User Added To GitHub Organization",
"sha256": "c109aefac08162736f1d0b056a29048580f89ee3661e69955f567d2c979d459c",
"type": "eql",
"version": 205
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "f47bd1cdb2e6f7e61d1df1c4a733a5dd2634244b432b27980719a82ad54a5ec8",
"type": "eql",
"version": 107
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "b258c3989f06692676a1d2dcf507b0454c6c4b7a4dab35a7fbf06c8fba260fbe",
"type": "query",
"version": 317
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
"type": "query",
"version": 100
},
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "738a82e0d7e2b90c4c2cc86d4468cb1ee62d700fd71ed7d6c9d5b8271f41008a",
"type": "eql",
"version": 215
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 104,
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "aee13957217142915e900a15702f1683ba54b1c488d13e92b73e3d8e866779df",
"type": "threshold",
"version": 7
}
},
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "57fa7b1a78c0c9221c6f6ee7e3460a6587dada722c790a97d2b5030e39a994c2",
"type": "threshold",
"version": 209
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "a02b89ce490f772951d8d25b2d2c03461924b2bd3d40b49c156af5bea19a74e4",
"type": "eql",
"version": 209
},
"627374ab-7080-4e4d-8316-bef1122444af": {
"rule_name": "Private Key Searching Activity",
"sha256": "a704c4896b6f6e960f8b9ed621ea772d85e5bba01e724a0ba88eed98b30a9ead",
"type": "eql",
"version": 104
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "8359664006bb4106b3b48e9ffadbffad8845d8337f6feaffd9924c692455c185",
"type": "eql",
"version": 215
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"rule_name": "Potential Non-Standard Port HTTP/HTTPS connection",
"sha256": "a377a72935325989cb64821b5a77f4b0b182be65365d572c09d8408a2be20b6e",
"type": "eql",
"version": 7
},
"63153282-12da-415f-bad8-c60c9b36cbe3": {
"rule_name": "Process Backgrounded by Unusual Parent",
"sha256": "1dc6284567b86535a0b9ae52e43d907bac1d8fbefad60590e63efd2a1cce8515",
"type": "new_terms",
"version": 2
},
"63431796-f813-43af-820b-492ee2efec8e": {
"rule_name": "Network Connection Initiated by SSHD Child Process",
"sha256": "3be244371121f943af37ff324d033d1f254a292e42c239302390d38a71903363",
"type": "eql",
"version": 6
},
"63c05204-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "6cc2b85abc856ecee47f5783a273c635645df17b12213b53ed6c3f1a8908ac56",
"type": "query",
"version": 8
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Denied Service Account Request",
"sha256": "52a2463b1d63605d364727b453247677d56b890b037ca3e9e5bc6c33ae2818f0",
"type": "query",
"version": 7
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Anonymous Request Authorized",
"sha256": "2a0daaab9bdf286454187b2a496952f4e30b2ef4e7ce3346aefd3ee02016d3c3",
"type": "query",
"version": 8
},
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
"rule_name": "Sensitive Registry Hive Access via RegBack",
"sha256": "cf9d8399e9c5bb19bf4116011edb8c7c502e5d0a3d0a9a453edc91325952fe8b",
"type": "eql",
"version": 4
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"rule_name": "Network Connection via Signed Binary",
"sha256": "a271624352a20c656822ce6fea06ac16aae587db844fade2aa7162a89946b0e2",
"type": "eql",
"version": 210
},
"640f79d1-571d-4f96-a9af-1194fc8cf763": {
"rule_name": "Dynamic Linker Creation or Modification",
"sha256": "2badba4c6ee2a5d53d045080729daefbbe9563d69f7f39f8bfa011949d2437f5",
"type": "eql",
"version": 5
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "0571b544fa0c188c57a4a66ceaa2027d254a6b95c2ec70b7c1e13b67e53c8184",
"type": "machine_learning",
"version": 106
},
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "a52809d9c8de6114055feb73cbf0494b247f47d349d3a8cac59c90afe16ec706",
"type": "query",
"version": 108
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "88efdea101d047055d046a4c2f4e82b5e2993fd034067d8166b31c5296a02ce5",
"type": "eql",
"version": 9
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
"type": "eql",
"version": 100
},
"65432f4a-e716-4cc1-ab11-931c4966da2d": {
"rule_name": "MsiExec Service Child Process With Network Connection",
"sha256": "0fd8277fd13e437bef5b06ed9dc8c2c4c1e8d4e8536c37a5d15b97a2b8064380",
"type": "eql",
"version": 203
},
"65f9bccd-510b-40df-8263-334f03174fed": {
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "4194d79d7b88afd047379a3a0c32ae60ef949be5855d8c7bf4bf212641a2f01c",
"type": "query",
"version": 205
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "879b82156e758ac37b39b235092ce173ea9630a0494e986ac367928295117585",
"type": "eql",
"version": 110
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"rule_name": "Suspicious Termination of ESXI Process",
"sha256": "7c35dad62bc276f36db6ac5f034f7252ee7ca4b50e0ff79f7319395c87c7a1ed",
"type": "eql",
"version": 9
},
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 103,
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "45313bcc54d11c7433f8c8ef41f60e3119084e324e71751db6bb9fb549a3f1b4",
"type": "new_terms",
"version": 5
}
},
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "e50d01a785d24c56f050e71a354ad6bf7852ccd41a8b6ccd6093e33134711415",
"type": "new_terms",
"version": 207
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"rule_name": "WebServer Access Logs Deleted",
"sha256": "5a1686bc2cc6942ae140fcf3e3bc0f91f3ab258bbb24333f809939cd1da9bcb8",
"type": "eql",
"version": 209
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"rule_name": "Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "b0994e9c256bf82f2a7078ab55a453b58fc71faa62c0a86d816dc08e4d131781",
"type": "eql",
"version": 9
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "4d42de3a87ba4b62e9f4f96e2914f969030b34f816a9ce7a6631067ea0c049af",
"type": "eql",
"version": 118
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"rule_name": "Linux Process Hooking via GDB",
"sha256": "ac4cb8d5156cc212b1b3c5071a2f67fa640dea941eb2c22cecce2bcba1b14ba2",
"type": "eql",
"version": 106
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "747216e90616467615966da91395d0e97ccd1258e0edda5d0a9a7d24f3305963",
"type": "eql",
"version": 210
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "c8ba1211ab501d91fe710a8473f0ac5db715a20908234db80806feee1f85ad9e",
"type": "query",
"version": 116
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "5f3b2cab91a23497765bc0fae4150faf15cabcee773619d90db0cd3edbdb1473",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "6950bd8f7b5acdc4e6a0d84659b020683cafa75b85fc6ac9ccde53630234f7aa",
"type": "query",
"version": 412
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "O365 Mailbox Audit Logging Bypass",
"sha256": "294e15f295063610d40cfd1e622dde973cf5c5f1611c6ab08fa5e2ff501086af",
"type": "query",
"version": 208
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "2beaa220e872f7c47a050dd650ebe4576eafc89a94944115406a4f6b6692a213",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "0f2ad06c5cc77f391e7f55772e337bbd64cfc4afc226cd938178e6fc3324c4a4",
"type": "query",
"version": 412
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
"type": "query",
"version": 100
},
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"rule_name": "High Number of Process Terminations",
"sha256": "ef3dc4ca8d694a3e195ed2c268459f97db0d14b129105b7163ad6e764e7e04bb",
"type": "threshold",
"version": 113
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
"type": "eql",
"version": 100
},
"6839c821-011d-43bd-bd5b-acff00257226": {
"rule_name": "Image File Execution Options Injection",
"sha256": "c7688dd090cd661aff2eca66e51bf2059924445e3da00ba3eaad19f1c061e59f",
"type": "eql",
"version": 311
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"rule_name": "New or Modified Federation Domain",
"sha256": "0133c1530df620c9aede10d009ede3369cce8bcb1204b11d54a37c1a466b8eea",
"type": "query",
"version": 209
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 307,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "465ed6fbfaa4576c8e9945c4d9ae53d4c2bcee360bb998f6c0ba5454d2c5a4bd",
"type": "query",
"version": 209
}
},
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "3a219d0ce5a5da62f96d2914eb1d34ff1ba980d70a41dbcfc8b04a282000d17d",
"type": "query",
"version": 411
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "3a09700d17e19c201f0e3ba8acc141418765099deb01e591e615d4280fca7262",
"type": "eql",
"version": 315
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "9c9b0dcb71d009834f27304cc6cf025d237e74a08c9befa3ebda48198b0d10e6",
"type": "query",
"version": 208
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "72513a0933347d1c7e89cb1e2a706adbafbb12af6177d397f28a68f38eab5b5a",
"type": "eql",
"version": 210
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "8a32fc23531d6783c1480f82f26ae473c414bc0278a25af682ee2b2ecffed9cf",
"type": "query",
"version": 210
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "17bc9998b0f70ab57d41296d94019f935a49b000f51137c1a7d7c104202a3603",
"type": "eql",
"version": 105
},
"68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
"rule_name": "AWS RDS DB Snapshot Created",
"sha256": "cf37b596c252270ddd2a2494329499aa66e0ca8535a16193a6d9484df0e05bcd",
"type": "query",
"version": 2
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "c438188cbc6457b7529595899faa1f9a2ef7b878c99167b808fcfd90fb32bd63",
"type": "eql",
"version": 212
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "64661a308df7792c64723043449f28bd3737da218070222290ecbebd0274199e",
"type": "query",
"version": 108
},
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
"rule_name": "AWS IAM User Created Access Keys For Another User",
"sha256": "6f69dc6e309b86b281bd3f02594a03d86ba15d5835011a2b37a7ce21f3da291d",
"type": "esql",
"version": 6
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
"type": "threat_match",
"version": 204
},
"69c116bb-d86f-48b0-857d-3648511a6cac": {
"rule_name": "Suspicious rc.local Error Message",
"sha256": "be500fa31ed2e7610f2ce0178de8068eacce05c94e0a8ad90763081b5b236672",
"type": "query",
"version": 4
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
"sha256": "c6f4d7b863441a362f028650028af15af18d0981ed99b1cd5e0977eac3d0cdad",
"type": "eql",
"version": 313
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"rule_name": "AWS IAM Password Recovery Requested",
"sha256": "d60a19ee642774e337fe7e01fe60b153c7ea7410172e9f01a2bd44b682be61cc",
"type": "query",
"version": 208
},
"6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": {
"rule_name": "Attempt to Disable Auditd Service",
"sha256": "b27ee0b532aeaf6fe5781c8e19b15537934d5d1029d478a5ca4a9d29f7454d13",
"type": "eql",
"version": 103
},
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
"rule_name": "EC2 AMI Shared with Another Account",
"sha256": "78ab77a0fbb8da89dfaed837839fb98cfd3e5e86cb400c2f774af111d5c0f268",
"type": "query",
"version": 4
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "72d871ec67e3c3b32e2f684de33d2f752c0dea9523ff8d60673fa18c92e900d5",
"type": "eql",
"version": 312
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "23f0402b094673c301e72c02a64011bcde852ca02f4854bb2bc2b0001e7a3f06",
"type": "eql",
"version": 419
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "2b940da99af6da5be5cec8607cd2b873d1ce6703678423d42e945d9a6462bd14",
"type": "eql",
"version": 110
},
"6b341d03-1d63-41ac-841a-2009c86959ca": {
"rule_name": "Potential Port Scanning Activity from Compromised Host",
"sha256": "7967476aa84ae3f64d13f111ff48d8fb56543c10b1177eda3271bbeb2467aa51",
"type": "esql",
"version": 2
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
"sha256": "ad8a5ac685928ee7eee6e85214d3d063d5e14fc094e2cc49c48078b039164ebd",
"type": "new_terms",
"version": 210
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "443b465e9d1775bdcf67ca30ad1a296658aa22ed9e1b47d51c79f75d6832b4f0",
"type": "eql",
"version": 211
},
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
"rule_name": "Deprecated - Container Management Utility Run Inside A Container",
"sha256": "dd5a08e03197da48709653f75417252ff3f50846d7c1925b2b9a6880fd5489cc",
"type": "eql",
"version": 4
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "3a137af954c38f57c3553ce3f09ae32bc19b9656395d6c5e9dca32c5107088c6",
"type": "eql",
"version": 310
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"rule_name": "GitHub Repo Created",
"sha256": "5f261d172d93059e4468c7b97f125cea4677fd6f21ecde0a3cafe70576fe1ddb",
"type": "eql",
"version": 205
},
"6cf17149-a8e3-44ec-9ec9-fdc8535547a1": {
"rule_name": "Suspicious Outlook Child Process",
"sha256": "e0bc727265268ef46ee066f8367ccd21b8719e47d6777ca2a4008e1a661682d2",
"type": "eql",
"version": 2
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"rule_name": "Unusual Process For a Windows Host",
"sha256": "067e60e3529f76d85ec6ba2424a1fa84b62ceb591133efedcd7d4ac82dcc82ae",
"type": "machine_learning",
"version": 213
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
"sha256": "01afe621c7329469abd4feaa917adb2d5d0a5eaf0ff11b9d2c8ae2fe807b7a80",
"type": "eql",
"version": 7
},
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
"rule_name": "Root Certificate Installation",
"sha256": "54f7b6e9f92e4eeb503f11986ef9213fdc49dfbc0d6f7c11c86c27c15321e21a",
"type": "eql",
"version": 104
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "5e7c8abb091c2d0efea8248769d91217b27d7251c4eabd94800d3eaa077c1432",
"type": "new_terms",
"version": 110
},
"6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
"rule_name": "Loadable Kernel Module Configuration File Creation",
"sha256": "4daa9b29985cd56c2946128b6b01d78e4ff1a4479b4c86c1b2c27d6f6607a7da",
"type": "eql",
"version": 3
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "fbcff6f8e5ef92b8b55c4140588b47b25447ec0dbc49f02591a2dde565e95fd4",
"type": "machine_learning",
"version": 210
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"rule_name": "AdminSDHolder Backdoor",
"sha256": "dae2c4e84e6a787a8e90de99d987e659ae7c8cfb794000bf19edb400a9b441b1",
"type": "query",
"version": 213
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "77271ff5eba5d2daaed091b8bca1b8bfae28621a3e5466ed5cf3111c5e3aea77",
"type": "eql",
"version": 210
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "d940200e0c151d91a754fb7828b3c5f481bfc7aa7d4816db02ea228444c20771",
"type": "eql",
"version": 211
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"rule_name": "Security Software Discovery using WMIC",
"sha256": "e7d70f9ac91f599137dcc428f75ff33d330d18402c3bf351dc6c9bee16707568",
"type": "eql",
"version": 216
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
"type": "query",
"version": 100
},
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "8ccf39f93ec5c4c2d2ed235f1f7854085ae2fcf0720454fdab2cfb000eca2153",
"type": "eql",
"version": 110
},
"6f024bde-7085-489b-8250-5957efdf1caf": {
"rule_name": "Active Directory Group Modification by SYSTEM",
"sha256": "aaa6f00ffebf544af41202e0da877415c7b77ebdc9c62414788576d527a794fa",
"type": "eql",
"version": 105
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
"type": "query",
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 103,
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "8e24f0277992e974a8ec25803576d40f21206d6466ecaa82e2df16fab17d5dd8",
"type": "new_terms",
"version": 5
}
},
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "88b4b80ac12410a09500e544f1721f0bf6143c67a3625d651883e0fabe8400d7",
"type": "new_terms",
"version": 208
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"rule_name": "Google Workspace Role Modified",
"sha256": "ca1e6a558605d764fdbf4e8db980533bc0e6dc82331708022fd6938aabc0fddf",
"type": "query",
"version": 207
},
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
"rule_name": "Linux Restricted Shell Breakout via the find command",
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
"type": "eql",
"version": 100
},
"6fb2280a-d91a-4e64-a97e-1332284d9391": {
"min_stack_version": "8.18",
"rule_name": "Spike in Special Privilege Use Events",
"sha256": "1eafe02f326e050fcc3f03f011397846e626e0936e3415961b6da6be1f9b98b3",
"type": "machine_learning",
"version": 2
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "0653484a9b2dfdcfd1436976861c2b7e03abad4c2c81865604a8305028992666",
"type": "query",
"version": 211
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"rule_name": "AWS Config Resource Deletion",
"sha256": "615ac11b076ba9cdc9fdc4d7582d013a3835c852641e645f0ac25f3a991fb873",
"type": "query",
"version": 210
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "e4fb276aff88c49e206d19472c720f5ee7ec8450150bb56f3470180c7d879362",
"type": "eql",
"version": 104
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "b9a6524804cf6d5732f4e9867f3247154b624d69175e7bf9ddee57f47e84a4e4",
"type": "eql",
"version": 111
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "d2634582e51b0855cbeeaa74c2dcc13599e2c9c8299f2ab08b4c2bf501fc5c5f",
"type": "query",
"version": 108
},
"7164081a-3930-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
"sha256": "281303ece12ff1f4370db8c2a5a0354994d27dddd2b9dd52cdb5fd5d744e7541",
"type": "query",
"version": 7
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "ca02ffd0866a193feb0f2d36e4482955164efdf5c901159d836201aea415ce37",
"type": "new_terms",
"version": 211
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "8914c872080f13e7226e7ae7a230ad551ed66cf086101a3c78eff82aeebd7243",
"type": "eql",
"version": 317
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "fe807016f29322ec6db7ac1712a14b6a26382f83fd36351d350e3fb756aea7fc",
"type": "eql",
"version": 212
},
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"rule_name": "Suspicious Passwd File Event Action",
"sha256": "6c277c7b478310c94b082e48579702ed2e95c29e43be7a7f417da3a33ae0f06d",
"type": "eql",
"version": 6
},
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
"sha256": "33768b68f40233990a2c708781ee94008a3911f0b3f008d8cc90654023c96856",
"type": "query",
"version": 4
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Microsoft 365 Potential ransomware activity",
"sha256": "b29502d819c200e2a97d893a7c8e9c33905d216f511e60c9c7a7c32bedbd6e07",
"type": "query",
"version": 208
},
"725a048a-88c5-4fc7-8677-a44fc0031822": {
"rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
"sha256": "f61560b78b79c873453bce1b3947231b6df1c967d0f2a49efefd56bbfb7bfc59",
"type": "esql",
"version": 4
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "ac791f5dd84722e6c346e3b3a523b739bbce0ddb484f53d49ed5d1a2ebfe7c7b",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "59c79dedfd242d711586bff0124ee2064cefcdd1dd91a6829ae259f94d6c06cc",
"type": "query",
"version": 412
},
"72d33577-f155-457d-aad3-379f9b750c97": {
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
"type": "eql",
"version": 100
},
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "4f3545b509cbd0e36f1170017de36ef566801ca5376fc194fef70bac179466cf",
"type": "new_terms",
"version": 3
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "e62d404bc72c4824ece19d8511b0774af5e3f8d76ee8ef1b2f3928574cc900e6",
"type": "eql",
"version": 206
},
"7318affb-bfe8-4d50-a425-f617833be160": {
"rule_name": "Potential Execution of rc.local Script",
"sha256": "c7b49a33aa48409ad6c0424ce6e0c390794bd4a8179469dcdbdb112ea343e424",
"type": "eql",
"version": 4
},
"734239fe-eda8-48c0-bca8-9e3dafd81a88": {
"rule_name": "Curl SOCKS Proxy Activity from Unusual Parent",
"sha256": "ff6883e922b3e8602e4f79eb77b1c57579dea418d7fb478a15a902fac384da02",
"type": "eql",
"version": 4
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "a30cefb24486c640f76ce19fc5ed7ded0f5c44ffd5c244797ef0fb908e20f63c",
"type": "eql",
"version": 214
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
"sha256": "d6aa1db723855233d67d799745af6f2ec942893699c7f7e61d2cdbe1d58350ca",
"type": "query",
"version": 208
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "b7dd9aaefda9d2db53abacafba3673397331abaf4429d8e497e3bab7a04a828f",
"type": "machine_learning",
"version": 106
},
"746edc4c-c54c-49c6-97a1-651223819448": {
"rule_name": "Unusual DNS Activity",
"sha256": "96d1f6a34b0dd173e5d4a1d1610f7e0366e5002b73037aefd0398b409f826444",
"type": "machine_learning",
"version": 106
},
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
"sha256": "f5789d775fa4739d37c91b2704142e6834659dfa48c0b2678871113ce335b642",
"type": "esql",
"version": 2
},
"751b0329-7295-4682-b9c7-4473b99add69": {
"min_stack_version": "8.18",
"rule_name": "Spike in Group Management Events",
"sha256": "b7a9902b7df34c0dc5b0d478acba14cf7bf96f1d58e0fb914651add87b448271",
"type": "machine_learning",
"version": 2
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"rule_name": "Suspicious Sysctl File Event",
"sha256": "3d2af2714bbbeffdb60e8adcb035569bb1838ae97167c33a6b5934c72eb45cd7",
"type": "new_terms",
"version": 109
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"rule_name": "Service Disabled via Registry Modification",
"sha256": "839f6fa871a9122d800994ec195a366a033dc1c47d0c2faa230c053dedb9ff3b",
"type": "eql",
"version": 4
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
"sha256": "ed79288161fc61c0493229d4ef61581b57961151497197cb9dfeba0fef3ceaa5",
"type": "query",
"version": 104
},
"76152ca1-71d0-4003-9e37-0983e12832da": {
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
"sha256": "5893d3b6d416bbaea60c835f5d985bd58e8c620090ecdf205311b2f6d9a38094",
"type": "query",
"version": 106
},
"764c8437-a581-4537-8060-1fdb0e92c92d": {
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "64ded02369fba876838cac0481196c8d9cc8904ed20dd83810c02a4a1a37d1bd",
"type": "query",
"version": 206
},
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "559eea3e8bea40d9b1a53f5ab721f08f67be0d8f066a2208764ef0b2a916e267",
"type": "eql",
"version": 115
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "e851da1e870b04fd2e2c93ba8968480d6a6da72d7d7ab2a2732906f0d54c7d30",
"type": "eql",
"version": 213
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "d8a0de297ed381f899d76b9479ecbf599ed174dcda4a43bed0f713e033a659e0",
"type": "eql",
"version": 209
},
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "e9164d9a3addb3121e4ca5d90bc89ea5138f38563f245bce1d756e8051b04859",
"type": "eql",
"version": 12
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "1e265cb3a45623a266be2849268ae6a90d41b760463bda4ac9d402bf37bac25c",
"type": "eql",
"version": 418
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "4506bec2fba03b7e296d1cfe622cf4ae6361b0775c5266a28bd97b9f9e39639d",
"type": "eql",
"version": 317
},
"77122db4-5876-4127-b91b-6c179eb21f88": {
"rule_name": "Potential Malware-Driven SSH Brute Force Attempt",
"sha256": "f45a4831bf232979f639aa281d66aa6c24296bd62c195d82ac33e60c0ed90396",
"type": "esql",
"version": 2
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "User Added as Owner for Azure Application",
"sha256": "85be635560cafa457b1b92fb43bb67f146eeca918a20a0227edd8b82a29ab9b2",
"type": "query",
"version": 104
},
"7787362c-90ff-4b1a-b313-8808b1020e64": {
"rule_name": "UID Elevation from Previously Unknown Executable",
"sha256": "50df0d37e6852de027590a950bb1fa6705582e113fff2c947ca6e46c6f05f1ba",
"type": "new_terms",
"version": 6
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "e51927f3ba4b177d5d468bb2d7ca79af15177de99cc468aff4c790fe8b29fd75",
"type": "query",
"version": 106
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"rule_name": "Potential Network Sweep Detected",
"sha256": "304b4dd7a272d0668180f4e04c1ac07542af3a8d74a2e9209df0d02489344094",
"type": "threshold",
"version": 12
},
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
"rule_name": "Yum/DNF Plugin Status Discovery",
"sha256": "4dcc373ce46e6b39ab94875a341d6f3ba50f71ab86d16ead977d9515477b2b5b",
"type": "eql",
"version": 105
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "5114c722228fa0043eeb7be5ce1cf9bfe74bee67a796189a304f9cb09bcbcc6b",
"type": "query",
"version": 207
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"rule_name": "Azure Privilege Identity Management Role Modified",
"sha256": "2ec23393e932080ccff2a71dcb2212fe759113e95a5446562b90cfd235f53b70",
"type": "query",
"version": 106
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"rule_name": "Spike in AWS Error Messages",
"sha256": "167ba5dd0652fbf7c01a401852ad561451add0357eb344a5baba7ee059b1c853",
"type": "machine_learning",
"version": 210
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "6db14fdf08ce5642e4ad011eb87a15c07d9cb7977ca6294949d675861217cf75",
"type": "eql",
"version": 310
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "c1ff4cc264a50ddd4081404f96f7dc5f0000709fc09b92873a78187eb5e275a9",
"type": "eql",
"version": 5
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "93e49af9c27b1d60bb9225751fe8b8c3885792d6917cfdc1cf3a3a4883a72e40",
"type": "eql",
"version": 9
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"rule_name": "File Compressed or Archived into Common Format by Unsigned Process",
"sha256": "b1d168024b3a453b93f1e31cf146ca7287afc7386c503ff86dfd88c47aee5845",
"type": "eql",
"version": 6
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"rule_name": "Azure Key Vault Modified",
"sha256": "c1456f2ae5cff29eaeb0cce0f377e6c29d60c08dceb6ef0afc098d386f09202b",
"type": "query",
"version": 105
},
"79543b00-28a5-4461-81ac-644c4dc4012f": {
"min_stack_version": "8.15",
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "9230aff8470d6cf4f90ca1386ed2eda9416b1028b41d3e3b69304f8d26829e19",
"type": "eql",
"version": 4
},
"7957f3b9-f590-4062-b9f9-003c32bfc7d6": {
"rule_name": "SSL Certificate Deletion",
"sha256": "32617e4dff0abf7061ff3d2b4d12500a685f83056e066c6a47f25ab6d30b326d",
"type": "eql",
"version": 103
},
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "9c936fca43aca7ccb50bd035d2791f6f70a214b7617b0a294eb1b151c4739574",
"type": "eql",
"version": 6
},
"79e7291f-9e3b-4a4b-9823-800daa89c8f9": {
"rule_name": "Linux User Account Credential Modification",
"sha256": "3d5457a1e1848fa29d34ba094ffe10fe7c5cc76fe9d30413212320b7d5e6fa34",
"type": "eql",
"version": 2
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"rule_name": "Potential File Transfer via Certreq",
"sha256": "bfad2d109380cdd48c204972f334d2b5baf646e4258ebe335ba4f5734c384a4e",
"type": "eql",
"version": 213
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "aea6103c649566b86d760206b4068e6ae6fd79b7089c4263a54b78acb8b5dc98",
"type": "query",
"version": 215
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
"type": "query",
"version": 100
},
"7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": {
"rule_name": "First Occurrence of STS GetFederationToken Request by User",
"sha256": "08b3d81be405a8875a182e5712ae452f2544b88406a0ae4f500ab95d599fed83",
"type": "new_terms",
"version": 3
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "bec75e8c0b3603e490940cd351016ebe62d5642cd2cf65154c4b95ac771296ca",
"type": "eql",
"version": 8
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"rule_name": "Potential Execution via XZBackdoor",
"sha256": "4fdefe2e1839f69559f9d5081c8716707b114961d7206f04b561f4f79885bf74",
"type": "eql",
"version": 7
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
"type": "eql",
"version": 100
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"rule_name": "AWS ElastiCache Security Group Created",
"sha256": "11de4d3f24aecd5be0810b17a9d812f9a561e27988545248c3dd3177f1a83ff7",
"type": "query",
"version": 208
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"rule_name": "Windows Network Enumeration",
"sha256": "6038a61b09d7ab5ae63c953af4d8f31d39a85a371b645b56e3e483c6acb1e662",
"type": "eql",
"version": 215
},
"7b981906-86b7-4544-8033-c30ec6eb45fc": {
"min_stack_version": "8.16",
"previous": {
"8.14": {
"max_allowable_version": 100,
"rule_name": "SELinux Configuration Creation or Renaming",
"sha256": "7b361ea07b92064cb854e35573c5988af529ce6fb75a264cdd27ff53b0963e28",
"type": "eql",
"version": 2
}
},
"rule_name": "SELinux Configuration Creation or Renaming",
"sha256": "0902da6be66888532d94492f7ee2b1d7342d177fe1e885f8aa7542bfef4090b7",
"type": "eql",
"version": 103
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "5186f9c952436a5f0bb6aacaf8f7c08b2976f1c005090f582fec7c0076c7164a",
"type": "eql",
"version": 310
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"rule_name": "Tampering of Shell Command-Line History",
"sha256": "d1fe9beb9ebec174ce52924ed1b92faa800b8807d35fcde8cd2396ebbfdaa7cf",
"type": "eql",
"version": 109
},
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
"rule_name": "APT Package Manager Configuration File Creation",
"sha256": "1360c941fad7af1801c29e638ae840a9c2c4e580b1fa0b1e562d81acaaa978c1",
"type": "eql",
"version": 6
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "29c432e2d1993b5efa3dfee20d7c2db770a3835d45a40f704bf323de6a761714",
"type": "query",
"version": 108
},
"7ce5e1c7-6a49-45e6-a101-0720d185667f": {
"rule_name": "Git Hook Child Process",
"sha256": "4e2958b093677ff51eaee56bae58af7d9fe3d0cd2fe7b1ca102b43b57bb03641",
"type": "eql",
"version": 104
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"rule_name": "GCP Service Account Creation",
"sha256": "4b20eeaa2284d852cf288f367b2f230f725faddd11d3406d2714351a10daccf0",
"type": "query",
"version": 106
},
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
"rule_name": "AWS Lambda Layer Added to Existing Function",
"sha256": "57022ea1da2b0446eb5c7b6e7cb3ef945bfe0f3232722b6a2f9366463f82e078",
"type": "query",
"version": 4
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
"type": "query",
"version": 100
},
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
"rule_name": "SSH Key Generated via ssh-keygen",
"sha256": "00eb92066eb1b732c6da3bae74c73476af5253c9270617a9d09721d9ff939299",
"type": "eql",
"version": 105
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"rule_name": "Suspicious Kworker UID Elevation",
"sha256": "d0fe3507f4ca2f87635d859a9f09da368cec3feea4269bcfadd9efdab60c1ce5",
"type": "eql",
"version": 5
},
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "ab7715f7413eee47a81f46fd1d8561666e98e2ac9f4e582b28bbb96481793f15",
"type": "eql",
"version": 310
},
"7e763fd1-228a-4d43-be88-3ffc14cd7de1": {
"rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed",
"sha256": "6960188a6838e14ab0f61e0d8aca58f24b622db04e734c79f45d25cf7082abee",
"type": "eql",
"version": 2
},
"7efca3ad-a348-43b2-b544-c93a78a0ef92": {
"rule_name": "Security File Access via Common Utilities",
"sha256": "6a261351693f2910d304c01c16404bcf245cce50bd7b2fc16db067d603229705",
"type": "eql",
"version": 104
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "25326e4f5b59c32132e016015d5368e0009bd966467c2377e9d6c6bd0704b49f",
"type": "eql",
"version": 211
},
"7f65f984-5642-4291-a0a0-2bbefce4c617": {
"rule_name": "Python Path File (pth) Creation",
"sha256": "a3dfb342b3a65658c9ccb56614c06b0d4a681d7a2fad12ae5d2b1e73c453b0c0",
"type": "eql",
"version": 2
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "087c0baee54995f4817d418eaf12e40aed48a6c1489cff2097589e685ae3936e",
"type": "new_terms",
"version": 103
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "Systemd Timer Created",
"sha256": "82e10a4a6bac1753ba174c80bfd5a8e994361af1ab0bbba59d1283a50e198707",
"type": "eql",
"version": 17
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
"sha256": "2b48ff4f4ca95dc0932903ccf91fa825967498fd03466dca90f7da56b6c11cee",
"type": "esql",
"version": 5
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "57d4491fae853593003a39a34775596a99944046c1b5bbee0021f997071f58eb",
"type": "new_terms",
"version": 108
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"rule_name": "Unusual Process Extension",
"sha256": "c4c7b35892175b1ea159f8b8be6770aaf3b8dd4f6f5893647dd4ca4e6b83a57d",
"type": "eql",
"version": 5
},
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
"rule_name": "Potential PowerShell Obfuscated Script",
"sha256": "30b8ce25ea87f15dcf022a6645ac8027e2345d580dae994eb2acd48d58c4c848",
"type": "query",
"version": 106
},
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
"rule_name": "SSM Session Started to EC2 Instance",
"sha256": "fd40b61bf6b4907f2a991f2c693116fb79417da2e7a87d5fb8fec41434892781",
"type": "new_terms",
"version": 3
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "f40275bbd5c9de4ff3e18f669408bcaac80b362c4c45af2c7cdc29e950f892a7",
"type": "eql",
"version": 106
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"rule_name": "Unusual City For an AWS Command",
"sha256": "df9afa3a2b87fde182c347d474373bf5d7593dfef33ffb3fafb1c304d023d73f",
"type": "machine_learning",
"version": 210
},
"80c52164-c82a-402c-9964-852533d58be1": {
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "3d170371447ea0ae70919136a26912497111be7f8e2587724e3d9187e4608f77",
"type": "query",
"version": 105
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"rule_name": "Unusual Remote File Extension",
"sha256": "c50ae4bd7123f127cf196ea89207ea06d5d57cec07e2e45975639cc67ab042a8",
"type": "machine_learning",
"version": 6
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "14bd3d2b8fbe92a7cdc2797d6c3758500f627da32cf00ea2013aa7edbd3b55a5",
"type": "eql",
"version": 311
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
"type": "query",
"version": 100
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "204836ecf090141a7ce6f22427cafcd072819be35558c18e9a57ac38aad60eb6",
"type": "query",
"version": 316
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "3860e39b905280b24b9ef60f00c3721e5c06e0fb47399462885ac26ffa7ea956",
"type": "eql",
"version": 111
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "7d7667ba59b9c301afebf1b3cb3e1ea6afeb26dffb350949dde55de93490daa5",
"type": "eql",
"version": 210
},
"82f842c2-7c36-438c-b562-5afe54ab11f4": {
"rule_name": "Suspicious Path Invocation from Command Line",
"sha256": "02907aafba1faec5a22cc7b29979c38a9e8852e0522fe85eab86ff6b1757f9c8",
"type": "new_terms",
"version": 3
},
"834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": {
"rule_name": "Manual Dracut Execution",
"sha256": "c523faf1e2bf19eb5583982820e9dfc0d542a66c608a9c9d26b3e067594920fb",
"type": "eql",
"version": 4
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "1d083b3e9c0d4729d76becc5b9c35bd63b06ce34c8d1231cb9aca96b9091dd3f",
"type": "eql",
"version": 10
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"rule_name": "Azure Kubernetes Pods Deleted",
"sha256": "780c553e131f3efd3e7f8f4f5bae752918db0a7a8dcadd8a5d60b253e0f81191",
"type": "query",
"version": 104
},
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
"type": "eql",
"version": 100
},
"83bf249e-4348-47ba-9741-1202a09556ad": {
"rule_name": "Suspicious Windows Powershell Arguments",
"sha256": "8d32414e17b60480401cde9e5641a08a4879461ce3a99ad077cbd55c592406d1",
"type": "eql",
"version": 205
},
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "a7718f54232363448d1e8ce1154fb5be10937c5e77273eaddc2c624c684d8735",
"type": "eql",
"version": 112
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role",
"sha256": "b637272fe03f96e017bdc06e73f45d6ded605eb115092cac29ad1df05a36f219",
"type": "new_terms",
"version": 5
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "0e4a0d1b1267db6de31046c4110ad9f3a234e98b3b8c8e4788ecd7152c14452d",
"type": "query",
"version": 108
},
"84755a05-78c8-4430-8681-89cd6c857d71": {
"rule_name": "At Job Created or Modified",
"sha256": "3706ec2e66b25b792ae3b733db12df64acd74928b26924b84549ec2ef23e2807",
"type": "eql",
"version": 4
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "140969a34362916a883624269ed764399050254896cbada4f7f9ccb375b0b299",
"type": "eql",
"version": 106
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "edf42ed07ded615a3a46f30d30d60fa586248e7c52cb50d2eb9ce86524ae8a9e",
"type": "eql",
"version": 216
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "f5407d42946533acfbb89d76c769e45a45c0ce41f7ec6b56a3d23ba0ecbbdd0c",
"type": "eql",
"version": 112
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "ac46232cd8a07f592efe7c70698c277912d411706305744115ab22d393758ed3",
"type": "new_terms",
"version": 212
},
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
"rule_name": "Potential Subnet Scanning Activity from Compromised Host",
"sha256": "6cff007db5728eb2fa39503c634e1ec87b3fe96f1c6c546c006ff8f19db4dee5",
"type": "esql",
"version": 2
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "4dc7cf22fd4e2eb84f6fd206ad36b4ba60d5b1a1d8c539c37a77e4a60738a39d",
"type": "query",
"version": 208
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"rule_name": "AWS RDS Security Group Deletion",
"sha256": "695166b21481758a661706d6bb714f7bf41f23d7f08967b0c5eef7eb041ab8da",
"type": "query",
"version": 208
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"rule_name": "AWS IAM Group Deletion",
"sha256": "9825bb01f3241f6ac0aebdbc9eb43635073a874c0c1e278046aa47aeaca177da",
"type": "query",
"version": 208
},
"86aa8579-1526-4dff-97cd-3635eb0e0545": {
"rule_name": "NetworkManager Dispatcher Script Creation",
"sha256": "f903ceb4dda2f336616823d20e50e202419cac9bfa5db9e8afc47a657099add3",
"type": "eql",
"version": 3
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
"sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
"type": "eql",
"version": 1
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"rule_name": "Security Software Discovery via Grep",
"sha256": "fa11500ca8e13a38f7d2124cc026cc19f4ffe978a306c701649dbea953f8e33b",
"type": "eql",
"version": 111
},
"871ea072-1b71-4def-b016-6278b505138d": {
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "9f6e228cf8f124d276d6d929c5e92310d193825381fa65dc597850cacf1b2cd3",
"type": "eql",
"version": 217
},
"873b5452-074e-11ef-852e-f661ea17fbcc": {
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
"sha256": "6bf9122ffed23311d0f4795c988cff5e5c854721c891c00a074621d9baf3d59b",
"type": "query",
"version": 4
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "a613710349ff1d084ae7070da260f7d30841bc61d2895c8c353ff06a9d5cb04c",
"type": "query",
"version": 208
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
"type": "query",
"version": 100
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"rule_name": "Linux Clipboard Activity Detected",
"sha256": "d4b606516727e2779324cd41aeb9dad7e278700008ccfaeab6ca5e37c7a18a5a",
"type": "new_terms",
"version": 7
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
"sha256": "38491f25fd85e2a9e6048987c53e587c6f8d8066f51cd6bc79308090df6acf48",
"type": "query",
"version": 208
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "4068b19fe7f360ec2bef8ccf67fb7e68cb5eb35527af0a15d7d3772034f3f12a",
"type": "eql",
"version": 111
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"rule_name": "Potential Sudo Hijacking",
"sha256": "90b72d8c701b10ef3de66af28431567e8e4477cdf260c26ed742f9daaf42047b",
"type": "eql",
"version": 109
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "9447123a8ce16d65128ff84905c2fd90fc68822ecfd54e1cf46db3104fc3dd31",
"type": "eql",
"version": 210
},
"894326d2-56c0-4342-b553-4abfaf421b5b": {
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
"sha256": "aed24b791d5423d77d9536cb51f7b9c08dcfd3f51ab23f72066f11b19cc2e4c9",
"type": "eql",
"version": 106
},
"894b7cc9-040b-427c-aca5-36b40d3667bf": {
"rule_name": "Unusual File Creation by Web Server",
"sha256": "732a93ab6d6daa1086a63da134d506495a3cadea1735cb440c16b783d825a918",
"type": "esql",
"version": 2
},
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
"rule_name": "Linux Restricted Shell Breakout via the vi command",
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
"type": "eql",
"version": 100
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "4725b483d6e67ccf641c9f663db165031a69e6e893157adfe4156da5a175d9c1",
"type": "eql",
"version": 212
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"rule_name": "Command Prompt Network Connection",
"sha256": "eb1483881589c4c843b93ecd9c5fdcdd72da99e3c5ff968763eb7d06c9b2aa1a",
"type": "eql",
"version": 210
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "dc64810b135b8a11de3cc4b6bc24b02a35e0ed34e775b6b5ddf207c556d277f4",
"type": "query",
"version": 108
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "780a3e06d58a2868f159b6864474a64288a824822df7a3bc9879930ced1ee193",
"type": "eql",
"version": 9
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 105,
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "0a419be8ba1ef4b746cee1fe87e2a2459a10566938e2b5114a985c15c294088a",
"type": "eql",
"version": 7
}
},
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "95fb79b2b06097ba835e7dfbe9887ee507ce3e85d6d128c1e0709969d43b53f2",
"type": "eql",
"version": 209
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"rule_name": "GitHub PAT Access Revoked",
"sha256": "8a3478a230e32f84e1fb760252ec2c432637fecf6725b8fbc9b42235e18e82db",
"type": "eql",
"version": 205
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "SUID/SGID Bit Set",
"sha256": "a29965c488b35962be8692c73778a5245cefbee2ba37307889c9098eb1adca46",
"type": "eql",
"version": 107
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "9a5d09bf9a470a0d5eaeae1fd7ac463771a28cbb36dbd781c0ff1d346b14f01b",
"type": "eql",
"version": 210
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "8206b3e0f7284ae1caf2453d9befae81b545dea65fad93c30bf6b827be016118",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "426e0c59d207e407c04c445d9c2f45a5eda151130a48bafb2d4f770394196bb3",
"type": "query",
"version": 412
},
"8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": {
"rule_name": "Unusual Command Execution from Web Server Parent",
"sha256": "03f56b09a89aa6f20191897a7615dd8d4d56f49fa89d6eec7c97af44e87cff7e",
"type": "esql",
"version": 2
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Deprecated - Suspicious JAVA Child Process",
"sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693",
"type": "new_terms",
"version": 209
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "5cbe8414697eafe8668ced1dd361a8483b2dfff2bbb34a73570d5570f9035b7e",
"type": "eql",
"version": 107
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "3ba862ecc39b1bc5a3305c400db104a657f92b3c1579e826743143756a2aeac5",
"type": "eql",
"version": 311
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "71ad0cc6716e639f94a60f4fd135864e039d1e3674efb1a62561a857dd81056a",
"type": "eql",
"version": 313
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"rule_name": "Azure Kubernetes Events Deleted",
"sha256": "7afb5ec70e44fadcd6f05962257f1756ce430ed40253d9fa9cf83c376d852720",
"type": "query",
"version": 104
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "7b0f73277fafe2a7e9460563304174104d60a5a9be23f37a3e5cffe3a5403b73",
"type": "query",
"version": 106
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "8f780f6e71f099d01a9a350f50210462a3c72e8ece846715837ccf84e135ef6e",
"type": "eql",
"version": 315
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "6978be5503e498c6b5d974fe34047438d0b32373f29d1d3f087a89ecd455731e",
"type": "eql",
"version": 110
},
"8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": {
"min_stack_version": "8.18",
"rule_name": "Unusual Host Name for Okta Privileged Operations Detected",
"sha256": "e97adf35918df54588ba2afacde94427c96a6626eb362f042083fd429afc3847",
"type": "machine_learning",
"version": 2
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "2011f6739abbd03c4369c3fa7727c0657b1f67a5333d12dd0d202ebdee66f918",
"type": "query",
"version": 105
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "222d9f4f866f8205bdefa82e21a7e75345545d48eca0e16b85775d87d81f870d",
"type": "eql",
"version": 13
},
"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": {
"rule_name": "RPM Package Installed by Unusual Parent Process",
"sha256": "ebf1fc23f66bd33cfb9f95903c1231ac7febba950f0cb65f9e4b72e01bfdea4e",
"type": "new_terms",
"version": 4
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "31d39495fda1da820b2ead7ceed083db3a4867aad910fa852cd3f86b672508ec",
"type": "eql",
"version": 4
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container",
"sha256": "88ade54075f60d3f7d6b81818ce258f39b487468f44dde8a70aaac119e397edd",
"type": "eql",
"version": 5
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "b46ce75d4b5285052780771d56a10d17495be23417da04a2e33f12cd699ab7d4",
"type": "eql",
"version": 211
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"rule_name": "Azure Automation Runbook Deleted",
"sha256": "d130fcde15618575db6ce21840f7e0cfca6bb8fe9f3ca2711cc6e724afc98805",
"type": "query",
"version": 104
},
"8e2485b6-a74f-411b-bf7f-38b819f3a846": {
"rule_name": "Potential WSUS Abuse for Lateral Movement",
"sha256": "6c590e22b3bf842a1c5ed864fcd7f17d3a1914754d773dfed217dece6604912e",
"type": "eql",
"version": 209
},
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
"sha256": "d3e96247267c80aca5541d7ea40db8cf0f759f4f72c481dd9018b6a4cdc6befa",
"type": "eql",
"version": 5
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"rule_name": "Bitsadmin Activity",
"sha256": "5a22500f4235f79358efc7e14a78c1cc2f9277528fb7f1b51a787876b6be357e",
"type": "eql",
"version": 107
},
"8eeeda11-dca6-4c3e-910f-7089db412d1c": {
"rule_name": "Unusual File Transfer Utility Launched",
"sha256": "4a62370cfc587049f09fbea9187d079e3a0c9a468b837b32b3c9fecf24a445d3",
"type": "esql",
"version": 2
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "b1c08ef06553de49d280478f611fcbf2d0c5088849a6dfeccb0dcea88cd777cf",
"type": "eql",
"version": 106
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "f19a8ea4c823b71b9cad347564053ae295481396987d48c40285b765d71f5136",
"type": "eql",
"version": 110
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "bd6281ad9d5daa64d0e8bb01c18047d44555b88f41f0a59a268b8dcab935ee20",
"type": "eql",
"version": 209
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"rule_name": "GCP Service Account Deletion",
"sha256": "3de6da90bd1ec62ae6b34bb6589136342b6316b5504619e8db31e83dacc47576",
"type": "query",
"version": 106
},
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
"type": "eql",
"version": 100
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"rule_name": "Hping Process Activity",
"sha256": "e230893b50456ded2a1b2e4710dd259802969dc215bbb43a721460915a741a10",
"type": "eql",
"version": 211
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"rule_name": "AWS Deletion of RDS Instance or Cluster",
"sha256": "e383c2a951f0a85ad3bb25c169dac91f081fa39737cc969637938c47dcb87adf",
"type": "query",
"version": 208
},
"907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
"rule_name": "Simple HTTP Web Server Creation",
"sha256": "dd350d040fe0e49fada71ba5b97c03c11bfce56c2f131fe618b11df799504de8",
"type": "eql",
"version": 103
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "a272f64a305b370066111000482c3a460baacdd2ba99ade9f5b564755ca3a3bd",
"type": "eql",
"version": 111
},
"909bf7c8-d371-11ef-bcc3-f661ea17fbcd": {
"rule_name": "Excessive AWS S3 Object Encryption with SSE-C",
"sha256": "30230b4761c830e2c3fb248784d5e1ca5406bea3c656110bb3369128936aa5a3",
"type": "threshold",
"version": 2
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"rule_name": "InstallUtil Activity",
"sha256": "71e2f18922be0eb033a289e1e9d24b430e5f6321047b1a142ae472a2e78c63a2",
"type": "eql",
"version": 106
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
"type": "query",
"version": 100
},
"90e5976d-ed8c-489a-a293-bfc57ff8ba89": {
"rule_name": "Linux System Information Discovery via Getconf",
"sha256": "568a6aa17b76db8b4cc68b807a2d24db3e7cb5380b2801966b0229c1b5811e75",
"type": "eql",
"version": 2
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "a4f8df494d1db756cfb187ea70ea02cab4519a6db6a04aea1b0a8b0751fc36f2",
"type": "query",
"version": 106
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "05736cd01141801c41b014ac1f199a56c92f3969ab56f11c8b90aaf46242fb11",
"type": "query",
"version": 208
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"rule_name": "Unusual Web User Agent",
"sha256": "b78bf809101faf51650c503b4b05c3b28e79638af8853d4147c9328a8a6f1667",
"type": "machine_learning",
"version": 106
},
"91f02f01-969f-4167-8f55-07827ac3acc9": {
"rule_name": "Unusual Web Request",
"sha256": "ab4823467da259c26bfa8130eb8eb5894add6ebea8a142ec2da1dc70be3ee403",
"type": "machine_learning",
"version": 106
},
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
"rule_name": "DNS Tunneling",
"sha256": "774a5d8ea6b675aadff3d054ced850106b004b109c7e7ef49c38ab3cc972aef4",
"type": "machine_learning",
"version": 106
},
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb",
"type": "threshold",
"version": 102
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "394b7f0854cc8051511cd71d604dc20a1d6dbcb4dc789490f3ed240b823ef4f0",
"type": "query",
"version": 211
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"rule_name": "A scheduled task was created",
"sha256": "85e1811330c72410c17851704dbe26c59f70067c705845ed3eae6b8ba5be292c",
"type": "eql",
"version": 112
},
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "e93565e0ef8d52552e56ec0fe44d871ca72f64cc3309368d673334585e009a14",
"type": "eql",
"version": 108
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"rule_name": "AWS STS Role Assumption by Service",
"sha256": "f1157f9dc0a2cb2eb50d474cdb9e5a32c0600f71e362a5bf1301aadf800f7de9",
"type": "new_terms",
"version": 211
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"rule_name": "Sudoers File Modification",
"sha256": "642e0aeb68ef89094230c8ad3a123f2b8690c39b6839fb16c211332af9b02014",
"type": "new_terms",
"version": 207
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "34e0322fec5484b8a4d1f8e590227163d0b4be5cad05b986658e21fdb088be02",
"type": "query",
"version": 210
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "aa9adc5952f0cfe6de1c19dd92591f7f512aa0c3ea942b60a9dd96acf370a9b1",
"type": "eql",
"version": 212
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "568251d32660f6ac5ab0bc50f9c487831bc480b7d3cc8451b90a2f2462baad2c",
"type": "eql",
"version": 413
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "35604d04285d0530134b6145050ee7e0491f8bb8701636083250e68acb1283e5",
"type": "query",
"version": 207
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"rule_name": "Modification of Standard Authentication Module or Configuration",
"sha256": "b7fff2d590e63f71f45e72379fe8e5a6978373ec1a5507aa951489aa4a45b539",
"type": "new_terms",
"version": 206
},
"94418745-529f-4259-8d25-a713a6feb6ae": {
"rule_name": "Executable Bit Set for Potential Persistence Script",
"sha256": "972bf2c87a226e9eca32bdcec9a0e1831a5d2a2daa6cee8ec3bcd4a5142a20e6",
"type": "eql",
"version": 106
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"rule_name": "Creation of Kernel Module",
"sha256": "d6120a5cee167490f241f052f292d2eb902750584dc5614e1c1de3cb5c04943c",
"type": "eql",
"version": 4
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "bb10cc4be5fdee49086851941a3077f1a296b74a1cdaa2159c5e843d5acb2fee",
"type": "eql",
"version": 213
},
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 102,
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606",
"type": "esql",
"version": 4
}
},
"rule_name": "Multiple Okta User Authentication Events with Client Address",
"sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606",
"type": "esql",
"version": 204
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "0ab1df4b05b8c4f156f9ce6e9f585546883d3244918fa123455a5801b1b11947",
"type": "query",
"version": 108
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "b722ccbfa7ecaf20260ac487e76dc4f3a7610c780fb1376ed3b5d8e0335287fe",
"type": "query",
"version": 106
},
"952c92af-d67f-4f01-8a9c-725efefa7e07": {
"rule_name": "D-Bus Service Created",
"sha256": "5aef963f73d96df60417b5ddc69b1357a9bbeb134342841dc67a359cc2619079",
"type": "eql",
"version": 3
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"rule_name": "Remote Scheduled Task Creation",
"sha256": "24e6101eefc878fdf6b6890b48c1e73d7e146a2be051e66dfeea360710f9627f",
"type": "eql",
"version": 211
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "add4de7f1a673948279ad565918605e1abec3d054ec1f8e2123d6138d5b8d18e",
"type": "query",
"version": 211
},
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 102,
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85",
"type": "esql",
"version": 4
}
},
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85",
"type": "esql",
"version": 204
},
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
"sha256": "f94cb36fb3032304a8a812b77b36345d6628249429f37175dedc7774c6308f96",
"type": "new_terms",
"version": 3
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "664d91c0caabcfe4dc2f59f70f0f2794d27fd6412090b2e38af73e4fe008def3",
"type": "eql",
"version": 4
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"rule_name": "File made Immutable by Chattr",
"sha256": "8e9265eb725fbc9cbd78e2ddbaa06ef6c6c7d173b6a1a3692ac2f2ed04ca63f2",
"type": "eql",
"version": 215
},
"96b2a03e-003b-11f0-8541-f661ea17fbcd": {
"rule_name": "AWS DynamoDB Scan by Unusual User",
"sha256": "aaf46542fbcb34571e8f78b9a8c92673d698c8b999185366bccdfc446c67eac7",
"type": "new_terms",
"version": 2
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 307,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "8b9151616759ad5ef0331c84d359b1fac9dd5625d8bccc8ccfc29b6edec463ec",
"type": "query",
"version": 209
}
},
"rule_name": "Attempt to Create Okta API Token",
"sha256": "489c9ae7c2fa3f0f141bfbc5ab7e7f5a37c532155de68b91f94844eda3b158cd",
"type": "query",
"version": 411
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"rule_name": "Message-of-the-Day (MOTD) File Creation",
"sha256": "f5b2df6d2f50c42e4777d0b69b05dbad45f72fbe850047768826a54365938143",
"type": "eql",
"version": 14
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "2185ba74311252c304b4d98fbdf6dbd4505834ee6a3084cbafe02f5361646909",
"type": "eql",
"version": 210
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "a80f11dd293aec59405281a09f81510b50681e172e082bb17dbdbe01b2528c40",
"type": "eql",
"version": 111
},
"9705b458-689a-4ec6-afe8-b4648d090612": {
"rule_name": "Unusual D-Bus Daemon Child Process",
"sha256": "49d8afd10f60504213c82db2b422ded06f2e0b370b728b22dd25d90df9f8743e",
"type": "eql",
"version": 3
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
"sha256": "fcddc79a3bdc5f48f706865670a212c510fa7291c56bdf51b85d3d95d3e702b4",
"type": "query",
"version": 208
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"rule_name": "GCP Storage Bucket Configuration Modification",
"sha256": "b54b02ac7c0cfd7285fbfdcbf9c14df8bad642933fd50be1c14c392f8378b821",
"type": "query",
"version": 106
},
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
"rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container",
"sha256": "2d3f1fb31aed3137b4c66bc1c06f0b69ebd962020c11d14fad42177ba41d2319",
"type": "eql",
"version": 3
},
"976b2391-413f-4a94-acb4-7911f3803346": {
"rule_name": "Unusual Process Spawned from Web Server Parent",
"sha256": "1dad36b18396f9a0d6d07cc7dbd269695ae3cc9faacf1c65028dcf44a834a95c",
"type": "esql",
"version": 2
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"rule_name": "AWS IAM SAML Provider Updated",
"sha256": "5613fd191d38a8f826e650ea7bababb9333e46675b2e961e7cdb32aca9bcd0c2",
"type": "query",
"version": 209
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 311,
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "c3895c292a7d6d01c0202991f5bd5c8286f59782f74ce2d31d2e5154428be6e1",
"type": "eql",
"version": 213
}
},
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "56de001290a7d0ff4af426ec57bb2465d9992c151f32674086eb6b0f0663b8b2",
"type": "eql",
"version": 415
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"rule_name": "Suspicious Zoom Child Process",
"sha256": "bc3f58b578de1bdc830726d2eae772aa81b012b7f6e6840b177bf70505d7021d",
"type": "eql",
"version": 419
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
"type": "eql",
"version": 100
},
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "96c8096d390a598ea2cb90ba8886ccccfa08f7558171199f173ece55a2d4d8fa",
"type": "eql",
"version": 9
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
"type": "query",
"version": 100
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "530ddf6213cfd29631549bab034db0adf19a8bd5ca23ebe3f8658218a075adb3",
"type": "eql",
"version": 115
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "042fff441edf847d8d6b99db794f25bf1b17e794ff4c5a1bee971ac1dd253db7",
"type": "eql",
"version": 6
},
"9822c5a1-1494-42de-b197-487197bb540c": {
"rule_name": "Git Hook Egress Network Connection",
"sha256": "c34e876395c7b115a12a54f8e64f3bfb446708b8836422c7e59824a29d1618b4",
"type": "eql",
"version": 4
},
"986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"sha256": "70a141bf6d5dd4b53dfb85baa6e3c0f1a03bd85460747cd99dbf7c43c9d0387a",
"type": "eql",
"version": 105
},
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "3c52d743c5f86369ebeddd7ebab239f60ed0b1a8075efd96efaaebec0f94c300",
"type": "eql",
"version": 106
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"rule_name": "GCP IAM Service Account Key Deletion",
"sha256": "e08728b9a4a250bf9f1af0851f942612177bc3f473665b575fe48b587e907d7d",
"type": "query",
"version": 106
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
"sha256": "0cc8b2c75c4f67088b466de8a02dc8b85b888d8e45c58172cb22fb4e90f9b649",
"type": "query",
"version": 208
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"rule_name": "AWS EC2 Snapshot Activity",
"sha256": "68b44f8cf342f499981d1f02153e0d1159445c3243578846f6febc69766647c5",
"type": "query",
"version": 210
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "a0bffa98b85b5302f04968bd516704fa0a3f9b1d3c9378af798ce9ddbae69612",
"type": "query",
"version": 105
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"rule_name": "MacOS Installer Package Spawns Network Event",
"sha256": "07be235c7dd98da00051b5297ff49ffcf55224865610cc49ef2ae80b4dac856d",
"type": "eql",
"version": 110
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "ff28e80159f9dff929b862a3b082b36bab422e4a397573be0ce8a7e3b8bcf4b0",
"type": "eql",
"version": 112
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "1c31c99f9ef70bbb05811088a045934e699ecb42b86d19a20925823553f5259d",
"type": "eql",
"version": 312
},
"999565a2-fc52-4d72-91e4-ba6712c0377e": {
"rule_name": "Access Control List Modification via setfacl",
"sha256": "fec13f106027f80845d52095abdd5957c75f6156358719383c61a2c95e579b15",
"type": "eql",
"version": 105
},
"99c2b626-de44-4322-b1f9-157ca408c17e": {
"rule_name": "Web Server Spawned via Python",
"sha256": "40e5e54bb2c6ab594fd18eb0a9a771678ed5d2ac0a0ddb3334f253dd65635b35",
"type": "eql",
"version": 104
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"rule_name": "Spike in Failed Logon Events",
"sha256": "f9969960a5e08693c16fbcd7c0b6fd1f0cf16c81dc2d48af48902028919019e6",
"type": "machine_learning",
"version": 106
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"rule_name": "Endpoint Security (Elastic Defend)",
"sha256": "f97906536045e8a37072e35fe3dd11bc159ba1f4a5e694dc791bbabb26e5ff2e",
"type": "query",
"version": 107
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "88b128e1492a41140c22f156270d3bd228b717e97d37c8cd718f1c1c236a7053",
"type": "eql",
"version": 4
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "a841b25a9c5ca7ed8be704802bd4ebc96b9db3e18262d6a5ec6539bb26f1d458",
"type": "new_terms",
"version": 211
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"rule_name": "Suspicious Explorer Child Process",
"sha256": "767a247a17d7f488ec953c0b00654ee87e48e20a7fdecb693b33584dd8366f1b",
"type": "eql",
"version": 311
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "5efe0175858db799cb86835bf76cadfb54983b0348cb5e39d4c7a155c696cc77",
"type": "eql",
"version": 312
},
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
"sha256": "5261d7a8d3df0f503139f70be2c16478f9da435dcb45315321b70c9f0136c973",
"type": "esql",
"version": 5
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "fbbbcf42d72cc9678593f3cb1cd52d8ca8140c07465150b448d0586331f2b009",
"type": "eql",
"version": 208
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "287f6ac5a52ff4383a691416c5eeaa3ba88367394dc92853b803e535bc0ebc63",
"type": "eql",
"version": 316
},
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
"sha256": "97874993b0c58b51d4cf8b92cc07103dabced133d989df2f285d76338a58dc62",
"type": "eql",
"version": 7
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"rule_name": "Hosts File Modified",
"sha256": "dbce0ac372cdee0e86c1fa79185c79ba9a678d925893a5180c2488477bf75437",
"type": "eql",
"version": 211
},
"9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": {
"rule_name": "Unusual Interactive Shell Launched from System User",
"sha256": "41e4144827c330aed22e9fb3410630e482c9710e2911c5980314189fbe90972a",
"type": "new_terms",
"version": 3
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "3ce6e57836a8e47fc2bdec74bdc1dee3810fe88c14ff946e80ca852b6017cc09",
"type": "eql",
"version": 112
},
"9c951837-7d13-4b0c-be7a-f346623c8795": {
"rule_name": "Potential Enumeration via Active Directory Web Service",
"sha256": "014ebef9bcc283ff37e34247a31d54f04d6c13164349890ebb9cfde745730c09",
"type": "eql",
"version": 4
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "ae63679c14f66942cb097cb9188ef25304a304ec2f8300918436a4be80b688c1",
"type": "eql",
"version": 312
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
"type": "query",
"version": 104
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
"rule_name": "Trusted Developer Application Usage",
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
"type": "query",
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "953a524b0b3d91c85ecc2a3526664151677da8f53e3148cd0262132eb8f2f95e",
"type": "new_terms",
"version": 314
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "88d77a212036f8bffda65aeacf7d1a4d770b17c85276000ca46dda3a6b49ee95",
"type": "eql",
"version": 315
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "5c18f5e2e17dbb223ce2164dba7a0bf20c596fd35aecdc39d6ba908321229f47",
"type": "eql",
"version": 215
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "ee7caadf9e57096bf55162a61c21bdd5591ba6cc377d489e2aec823816bd1ccd",
"type": "eql",
"version": 212
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "9fe199019b52e009894e09df47891d15855277603433827428a795daa3afff31",
"type": "new_terms",
"version": 317
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "97111ee5914163f12e353b1cf1d6fd9cd0f38495228862bbefbd9eeb3f79997f",
"type": "eql",
"version": 210
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "bd25f67aa2f26ef04d210a0f6f7ce2ecd81c54bc633bc29d2238358f4aa29ff0",
"type": "eql",
"version": 109
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "b8784aef89568400787b3d0995bf9a1de920f87adc2b2044ac9e5250247a0c08",
"type": "machine_learning",
"version": 106
},
"9e11faee-fddb-11ef-8257-f661ea17fbcd": {
"rule_name": "Azure Entra ID Rare Authentication Requirement for Principal User",
"sha256": "24907196a67e425d158aec2f12eb18d9cd325c82900a25cfdd36cf2f3ac04194",
"type": "new_terms",
"version": 2
},
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public",
"sha256": "89df536f5b25ba25214b381670e72f779c1f1ec53c648b8536dad34296c4825f",
"type": "eql",
"version": 4
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "5a8e8bb4d6e8f39e3c767e4d2a12e9ca51ca278ec993a2e15c272c268ad3a487",
"type": "eql",
"version": 213
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"rule_name": "Potential Credential Access via DCSync",
"sha256": "3d2bedb8dbe52bf72ea2bfe034fa4420c6f8c3fed4f3481a3d313a586efc696c",
"type": "eql",
"version": 218
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "3d5effea9b0d9b9442ea373b0d86c76173820c14dd31b612d5a9bebb0b451677",
"type": "new_terms",
"version": 213
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "68f61a54191f15c1261c898f36314ca4cb967b98ff74d0fd37320e1c69f85198",
"type": "new_terms",
"version": 314
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"rule_name": "A scheduled task was updated",
"sha256": "dec73f37882fe3c00468033b180b963f0dcc1dcccf01e546a42b2b79ec68f6c8",
"type": "eql",
"version": 112
},
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
"sha256": "a2c350073531eda06404ae20beae25708733193fec7b72b8c359420653479b9a",
"type": "eql",
"version": 6
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"rule_name": "GCP Pub/Sub Topic Creation",
"sha256": "cf6ae9f715cb5ea3c39f4d96c9987d8b1e11a5fa75ccbf24b93b2bf7ce263e87",
"type": "query",
"version": 107
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "4f61d3eb44f8b3e1680e5f53ee2af54c5ff18458a3463e9f240959a1828ea00a",
"type": "eql",
"version": 209
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"rule_name": "File Deletion via Shred",
"sha256": "feb29e526f2204abcaf760975ba4dc9cd13b9324c9d062cec0a74b1cfbf0b969",
"type": "eql",
"version": 212
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "f5e7edca07f99dea285c4edeed73b5a44f86dde34547e824a5266c22b6006dd2",
"type": "eql",
"version": 211
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "d3397ec5dcdac6ec80a54a81487ed63355411e7df782e3ae9e7fe4f1a14db365",
"type": "eql",
"version": 210
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "1971789adad6e515416151b5792e33fa9a4cf64fdce9af7e3fc076899ad5683e",
"type": "query",
"version": 106
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"rule_name": "My First Rule",
"sha256": "63fb939bf754aaa427be9132c2868915140e558a8c69ce185d547593c05ab4ba",
"type": "threshold",
"version": 5
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "363670cc032fbd6a35b0fe945458705e5d35877c387db8b9abc5a7c85f135148",
"type": "eql",
"version": 110
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"rule_name": "Linux Group Creation",
"sha256": "f72b18afc4bfe233b1e640f183215f1cec65e7ad11c124be03b8d46ba1de3d95",
"type": "eql",
"version": 8
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "faf336b6ca7cfae7df2acf5404511e10beba52740c7434f0042023acc001f5c0",
"type": "eql",
"version": 313
},
"a22b8486-5c4b-4e05-ad16-28de550b1ccc": {
"rule_name": "Unusual Preload Environment Variable Process Execution",
"sha256": "25d29a23f09950c3413dffbfe3de61b29916474a7e22ba124d13d36dd8bd2638",
"type": "new_terms",
"version": 3
},
"a22f566b-5b23-4412-880d-c6c957acd321": {
"rule_name": "AWS STS AssumeRole with New MFA Device",
"sha256": "ac8f88233a774a1b9653200a673481d3f4979114d0cf4d64652d156fb7525193",
"type": "new_terms",
"version": 3
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
"sha256": "e09f132a61e78248c0985ea31087cb472c5afcc13d0bc9c839a8fe01e82990bc",
"type": "query",
"version": 109
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "e1facc452ccfcc245ef3f50b13fa5f913f10e2880c7241c776df5034b5f34860",
"type": "query",
"version": 110
},
"a300dea6-e228-40e1-9123-a339e207378b": {
"min_stack_version": "8.18",
"rule_name": "Unusual Spike in Concurrent Active Sessions by a User",
"sha256": "bf90d5f51fb39e5f57e19e4773bb64baed072b90cc870fe6941712cda65ae86a",
"type": "machine_learning",
"version": 2
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"rule_name": "Execution via local SxS Shared Module",
"sha256": "8dfd2089a94c68f6f98efd6d32b55308a9b7b1125d343ad0e64d3df972e45c8c",
"type": "eql",
"version": 310
},
"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": {
"rule_name": "AWS EC2 Instance Interaction with IAM Service",
"sha256": "1d90a08a37464262c54504cffadf25b8444faec72634d6250cec1bd61b8dc4ba",
"type": "eql",
"version": 3
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "f411eac70f276b97d882a93968ae23599a3a6a93aff1b8e32a7fdc4583003e2a",
"type": "eql",
"version": 110
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
"type": "eql",
"version": 100
},
"a52a9439-d52c-401c-be37-2785235c6547": {
"rule_name": "Deprecated - Netcat Listener Established Inside A Container",
"sha256": "fd8969a55ab13b838a1e6d7c81ce6d0a88af0b34bec2c1e8ecd214505daf0196",
"type": "eql",
"version": 4
},
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
"rule_name": "CAP_SYS_ADMIN Assigned to Binary",
"sha256": "5342f9618bbfefca7ac662036caa8aadf6fd6e0fd949255ea2b36ad1f4849c98",
"type": "new_terms",
"version": 3
},
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "963c0bb0d55c196143cd45ea2b308dfbb9cd5277f1918ecc371fb14a6dd743b9",
"type": "eql",
"version": 9
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
"type": "eql",
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "eb3790e4a7ba8906adfed13f99e823964d4d4dbf558c99156a5a0f1b9a7e0eb6",
"type": "new_terms",
"version": 211
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"rule_name": "Azure Active Directory PowerShell Sign-in",
"sha256": "0d86b960d20feba20d79ee25c9f9aa562c19dfb4879ae78e020459f782078538",
"type": "query",
"version": 106
},
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "c061bcef15efcf1c65649493512805d27d383b262ef29f1ee14d2c941e88724e",
"type": "threat_match",
"version": 8
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"rule_name": "Suspicious MS Office Child Process",
"sha256": "98afb5623a1228581b9214ad947c048d563e6cbd3965600973b7479bb3f950da",
"type": "eql",
"version": 316
},
"a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
"rule_name": "AWS S3 Bucket Server Access Logging Disabled",
"sha256": "bdd2715fb7a9c3f4d83571791536de28eec316ae4c33488698b360e17280ba48",
"type": "eql",
"version": 3
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"rule_name": "Emond Rules Creation or Modification",
"sha256": "47f9aac54e4fe7c1d6b99cf3d18d923f52c0347c88d2dc8480fc062b6d47291a",
"type": "eql",
"version": 110
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"rule_name": "High Mean of RDP Session Duration",
"sha256": "4a25312234d5821d645719593d2558a91df62ae0ae2efe3fa469dda24cdd036c",
"type": "machine_learning",
"version": 6
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "7c8f84f11fd19709acf3708a7c09f18104021c4f47b4462f8478cb07aca0a4f3",
"type": "eql",
"version": 115
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "e6699654c24bf7afcb20023fc563e8e4db29601dae88d2b08ed439f69eed3501",
"type": "eql",
"version": 314
},
"a80d96cd-1164-41b3-9852-ef58724be496": {
"rule_name": "Privileged Docker Container Creation",
"sha256": "6d169b8ef6174e48cc5b9da071aeae0d5e489fd8b0f2fe23f0e9151adc0d1658",
"type": "new_terms",
"version": 4
},
"a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
"rule_name": "Entra ID Device Code Auth with Broker Client",
"sha256": "cc6ac4f23ad5af4de24d86b48037a2ef4f613028008428e70af218986caedb40",
"type": "query",
"version": 3
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "718899b2492eb5e52f6cc280950ce01a86f8bfc177fb3b7f332cce40a3ee5c4b",
"type": "query",
"version": 104
},
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
"rule_name": "Authentication via Unusual PAM Grantor",
"sha256": "1d8fa59ab20e897e9672635212c32527d3d62cb6be364f57eeda2274c9a00910",
"type": "new_terms",
"version": 3
},
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"rule_name": "Suspicious File Downloaded from Google Drive",
"sha256": "3bf43b40ca6bafbfc82a329b6065a48fe4eb89be606faca51b84684bede3c1ef",
"type": "eql",
"version": 7
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"rule_name": "High Variance in RDP Session Duration",
"sha256": "20b9c0fd40ad05703c36b023e243746d64594636d415191358b11378eab36a7a",
"type": "machine_learning",
"version": 6
},
"a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": {
"min_stack_version": "8.18",
"rule_name": "Unusual Region Name for Okta Privileged Operations Detected",
"sha256": "736ad95b333f3779eb2c66cd26b572b02fdfba7dcb6171638617b604fc74491a",
"type": "machine_learning",
"version": 2
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
"type": "query",
"version": 100
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
"sha256": "ead058de5d6144ce2c3b3954a52a05bfda970aa418f8b0ba2bd6b5702e64b75b",
"type": "query",
"version": 208
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "5b197de69deb341b9cebdaf82f31401455d8e964d74ebf70dba9f539fbc6222e",
"type": "query",
"version": 207
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "48e3d9c417c9d98a1f70c6ec7abd0d6755a395a847ee9cdbcb12792a6c44c455",
"type": "eql",
"version": 211
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "98ec6927598c3b7c5900d8a4709bc8a5939a5c33841e424075c14cb153ac04b2",
"type": "query",
"version": 107
},
"aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": {
"min_stack_version": "8.18",
"rule_name": "Spike in Group Lifecycle Change Events",
"sha256": "44175b891138ca8c93582e811d23a3431a0599a39bbe1485d6a3ef33b9754912",
"type": "machine_learning",
"version": 2
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"rule_name": "GCP IAM Custom Role Creation",
"sha256": "452ab49b0f9dc2f3c1c19c0aeee12037d79e8f643b65f9aec8dedf91a2018957",
"type": "query",
"version": 106
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"rule_name": "System Log File Deletion",
"sha256": "d8b636f7ed97611b6d3aafa4b492420a4a97a26e63b35dc090da06b20b9d780f",
"type": "eql",
"version": 215
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"rule_name": "Remotely Started Services via RPC",
"sha256": "696bd89a899752e09aea72e0e14f9c835d8328afa033359e2ddaf992bc0fa819",
"type": "eql",
"version": 215
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
"sha256": "8630662b8abaacdce8369bd10d8e4bc743a7b88b899a50021f083928f5d7c9c6",
"type": "eql",
"version": 4
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "dc906d8e338b0fba7e19f677e0f95691c4e1c94fab8b366f0f0fa007db2226e3",
"type": "threat_match",
"version": 9
},
"aabdad51-51fb-4a66-9d82-3873e42accb8": {
"rule_name": "GRUB Configuration Generation through Built-in Utilities",
"sha256": "26901e4f806ec7b2bf0dc36bb13dfa4ebd8fedbeae5bf554ce2f0f3953848f90",
"type": "eql",
"version": 3
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
"sha256": "7b7360a11e47e0c93649167201cbcf8ee633e2ec65595d1645bddfe19ca7089b",
"type": "eql",
"version": 118
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
"sha256": "1c4116077882a8c3b1782c85376e117a8225402265a79c2226beb656e12fdb82",
"type": "esql",
"version": 4
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "3e62b3114e4ed0b8d120080d5e8a06c01ed63d8466a052cf5de197d1c23f8c61",
"type": "machine_learning",
"version": 208
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"rule_name": "Potential Persistence via Login Hook",
"sha256": "adf332174ec90b1eec51f30548d1d34f0377950076a8b71ae44cac181a19cc98",
"type": "query",
"version": 110
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"rule_name": "Suspicious WerFault Child Process",
"sha256": "d368d419406c6ac4bdc9cf1c532503e1f0aed475b1efee62a2b12393f7a6245c",
"type": "eql",
"version": 417
},
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
"rule_name": "Git Hook Created or Modified",
"sha256": "8e8a19e38db671bcb280f6c70712f9a5237c1eba53d7085fb399ccc32e228119",
"type": "eql",
"version": 105
},
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
"rule_name": "Outlook Home Page Registry Modification",
"sha256": "ac08c62437040d4218a78492551eb6c2748c770126e952f48c9a5e634a83d3d7",
"type": "eql",
"version": 203
},
"ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
"rule_name": "WPS Office Exploitation via DLL Hijack",
"sha256": "3f6e5a78fadd550b76988f7ca250123d25b55da4b9824d7eecabfa64097fb7ed",
"type": "eql",
"version": 103
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"rule_name": "Unusual AWS Command for a User",
"sha256": "21b8974dd8b5814fcf9b96a9a0d24e1f5225418f815f4b79a50304d608962cd5",
"type": "machine_learning",
"version": 210
},
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"rule_name": "Potential Protocol Tunneling via Chisel Server",
"sha256": "e913a80ca34bb872d7290228e6861c9434d96bc425cb4722139a9ba9f86a1e72",
"type": "eql",
"version": 9
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "577f4aba498cb31d69f14ada4653012ca10809256e20685c96d092dba3930b39",
"type": "query",
"version": 212
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
"sha256": "2dd59381ecd634b40a37425279dae41c1f783d4c3302698d52bb8ca5c531689a",
"type": "query",
"version": 208
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "c3daa30914d8cf8b5b9947379541272b88d1975fa5d675ebf3e560aca7a2dea5",
"type": "eql",
"version": 108
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "a2a3aa41f4af6ec4f1dcbff4d74dced9549d75c40687e4c11f47750125e7ac2e",
"type": "threshold",
"version": 110
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "a0a231ca4e9cf82b137b5d6631813285eaa3e9f561d5e8a3e75ec6cdf6ff8901",
"type": "eql",
"version": 311
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "474904225145565b09a257907f01d0a72d0617cc87159d20de17a2f382920e48",
"type": "eql",
"version": 312
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
"type": "query",
"version": 100
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "e95939015fd8d8a80a3ce5fd7035326f3149d0c77c12c64b20d6e683f271499f",
"type": "query",
"version": 207
},
"ad5a3757-c872-4719-8c72-12d3f08db655": {
"rule_name": "Openssl Client or Server Activity",
"sha256": "dd49b62956f5fa4291d55bc8f22d9b9a3ab99cde4f57a533fbe0f0d42f8f3ac3",
"type": "eql",
"version": 105
},
"ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": {
"rule_name": "Decline in host-based traffic",
"sha256": "7490f14bef592f25bd7016b90cb944a28f27fd6ae5ef596b169badbcb0f62ad3",
"type": "machine_learning",
"version": 2
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "24969b426e95f76e5db568517afdce0c70ff24322916769ce3556ef5c88d8d14",
"type": "query",
"version": 214
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "81cde5714e33354419a3b62b69049ede680af9b05734d4fdb139b2f06175c4aa",
"type": "query",
"version": 108
},
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
"rule_name": "Suspicious APT Package Manager Execution",
"sha256": "8499bab73940c1cc366630196ef1ee13f93c5beb8a2372bdbcfa2ac0c5c4a775",
"type": "eql",
"version": 107
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "f2a97c5c24c622d6e26a7cb125197d863c5757652943400d20364ccc8f41fc25",
"type": "eql",
"version": 213
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"rule_name": "Suspicious Communication App Child Process",
"sha256": "29b48453166b55dc914de5c4bbcd5c70e1c09c568c74a52fab474f76c9bd5b90",
"type": "eql",
"version": 8
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "16a5653ff8d7067c50a5c377f3d2fe23bf416e714a27a2a1e6b601255f3b282d",
"type": "eql",
"version": 108
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "2c643176109471b5cd32730f599e63976acfd0f8c4bf1de203d431b8f3340447",
"type": "eql",
"version": 207
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "9408cd6ac38dc0da463229572dbde69da9eaf01d92029b3074de5a34ccbb3583",
"type": "new_terms",
"version": 11
},
"af22d970-7106-45b4-b5e3-460d15333727": {
"rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol",
"sha256": "360664ed03398cf4f0daedfe93b7da70afd925a5aae60ac70cbd46467d44f743",
"type": "new_terms",
"version": 4
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "3f4adcdf4447da22c211f94b5deda293013b59a4c2bb583e4598610135398bb6",
"type": "eql",
"version": 7
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"rule_name": "Local Scheduled Task Creation",
"sha256": "031d053394e3549af466993aced4f7b21df4bce7ad0cbaab72f9b866d01c7c0d",
"type": "eql",
"version": 211
},
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"rule_name": "Network Activity Detected via cat",
"sha256": "ed800dc02d52bbff8862e8f6661cfe854ae1c6bdd8febf22e433d797eb171600",
"type": "eql",
"version": 9
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "986b08079a199c4b66c2d0a231421099e2e7812d42434397b2f548b75242b3d9",
"type": "eql",
"version": 8
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"rule_name": "Timestomping using Touch Command",
"sha256": "9caae5c032cdb7cf608633e1541b4df7fe459a5aa52afa0d3afc1168e2d7e214",
"type": "eql",
"version": 108
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "00e0d64bdcf221fbee1bbeeb0668d4d350446038e2bf5a069ca3c39fb28c3e8d",
"type": "query",
"version": 108
},
"b0450411-46e5-46d2-9b35-8b5dd9ba763e": {
"rule_name": "Potential Denial of Azure OpenAI ML Service",
"sha256": "c9d2dd4d5025502e98992e141e6b0d49267b5dcd50dbe6052eab9fd6a7040b56",
"type": "esql",
"version": 2
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"rule_name": "Netsh Helper DLL",
"sha256": "8b119576ed42967ddb45ba97d9c85db4effa2c1df4096e2fda8992083710baf2",
"type": "eql",
"version": 204
},
"b07f0fba-0a78-11f0-8311-b66272739ecb": {
"rule_name": "Unusual Network Connection to Suspicious Web Service",
"sha256": "b9be49d1d5dd892e86dec535d35199f881a7aaff5e435d8ac04df0d424b761c4",
"type": "new_terms",
"version": 2
},
"b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
"rule_name": "Hidden Directory Creation via Unusual Parent",
"sha256": "a249fc24c5e7f6003962c14a5fb28a06904d00414a1e94fd415717a50819f666",
"type": "eql",
"version": 104
},
"b1773d05-f349-45fb-9850-287b8f92f02d": {
"rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
"sha256": "0ec57bc339f3fce1eca49752d9517e31d376889501714169d4c2e86fc43c6d2e",
"type": "esql",
"version": 4
},
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
"rule_name": "Potential Persistence via Cron Job",
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
"type": "query",
"version": 100
},
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"rule_name": "Potential Network Share Discovery",
"sha256": "9dc0dd963c4e6d73597e7c8a9e9349fa33574404f483a5c5cb48bc84c830e191",
"type": "eql",
"version": 108
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"rule_name": "Spike in Network Traffic",
"sha256": "d7e69c5f4ef0d10b65e8cdb0955b73c4c63040fe109d92cce86776d96d07f4f1",
"type": "machine_learning",
"version": 106
},
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "d53618c6bcdaf4d8d4fb8d5251c10d56f078ad221b8f6831259904bd19c5ed4b",
"type": "eql",
"version": 214
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
"sha256": "5c7237d1505535b209cd71fd5c9ab551124f150a749c55ce95a69f1ec8af0794",
"type": "query",
"version": 208
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "78e8c3f1ee31af1bdb839b3e67e099350e1dd8e33031ab4aad7271abc0a60cf9",
"type": "eql",
"version": 210
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"rule_name": "Unusual Linux Username",
"sha256": "7fc4733fad7e75e105f9f2b54271489fc4fb147d1c58f76f7d977592b98e1dac",
"type": "machine_learning",
"version": 106
},
"b36c99af-b944-4509-a523-7e0fad275be1": {
"rule_name": "AWS RDS Snapshot Deleted",
"sha256": "18ee6b6986644ed0c2d38fef7ac4983ae92ed3132d7dd3415b25177be103035e",
"type": "eql",
"version": 4
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "81603073dbeb45f77db9d041056c24002d4c9f9373b6be6f5560b1746d676a9c",
"type": "eql",
"version": 316
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "3458d09302edde504e2799053577f863c8e59b513fd99d9aa917a1b90c4b43bd",
"type": "eql",
"version": 213
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "57c17da4329eb6e9affcb5405ae01363a9b5eb3482c2a5b2ae3ccf437fe2db54",
"type": "query",
"version": 108
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"rule_name": "AWS STS GetSessionToken Abuse",
"sha256": "365031b7d60b30567562557a83d556297b8293ce10da07fa098efb64a16bce4d",
"type": "query",
"version": 208
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"rule_name": "At.exe Command Lateral Movement",
"sha256": "08c85058be95c0ba76de40562a37ef695cdd7a93003dce433a4b81a3fdd423ff",
"type": "eql",
"version": 107
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "c8c6556d38f9955cc734b183b4e55614674315ba1a83737244551d638477aa88",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "d2a7d308c3e84bc4e2f19da76eec9112a60fa32402909778b5086ef66a79130b",
"type": "query",
"version": 412
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"rule_name": "Potential Privilege Escalation via OverlayFS",
"sha256": "cb73e5540f01764d015f668b42ec2cc86a1d2e9d75463e2ef684c07645f2af3e",
"type": "eql",
"version": 8
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"rule_name": "Clearing Windows Console History",
"sha256": "7853f306c666ad514f4db27b2a00b3c20cc4422847edd8804face70f6b1d776e",
"type": "eql",
"version": 315
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "08993051c086d51ffc23695e7e35bef8eb1b6961b7f85725a896496576260d31",
"type": "eql",
"version": 315
},
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
"rule_name": "Systemd Service Started by Unusual Parent Process",
"sha256": "72b8f916648cd3baec90e50058c660c235bc7b95a6981eb955da1ef79576f081",
"type": "new_terms",
"version": 5
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"rule_name": "Elastic Agent Service Terminated",
"sha256": "9744416a03faf34857e6b438b55a96e8304c367948409b39ef51e77426b22f4f",
"type": "eql",
"version": 109
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "14c07dfa8c30b66fa51de6958006e13e6bedf1d82e303c693c81672f4ec3b2f5",
"type": "eql",
"version": 212
},
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "847fdeed10f05c62642db8d85502ae1bbc9cc6d31c3d4e8d87288e299cfd84b0",
"type": "eql",
"version": 206
},
"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
"sha256": "95ef8c46a06584212e273b4acb8e25ae7838de0a57ef92d03eaa74eceaaecbde",
"type": "eql",
"version": 104
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
"sha256": "f385be98338c328152d5d63514e6bf683ba6b715e9abd050c8dddd345728454e",
"type": "query",
"version": 105
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "bab968eb40f5ad626342a32f0e22e901245c3618d0f488c7dbc51fd7db2ce2c7",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "248e61ef773fdf2e6a26ec1952ac354a0992ed91f4ff760554ff08ba104dfc65",
"type": "query",
"version": 412
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"rule_name": "Potential Buffer Overflow Attack Detected",
"sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3",
"type": "threshold",
"version": 4
},
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 307,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "0041448b174d360c353186f2289154e2647e516ccf083b80c30bbe9a7e80e4f5",
"type": "query",
"version": 209
}
},
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "370f610832cd7a206b47fe7803bc40e23b9df347708fd13e003d751e0aae82ae",
"type": "query",
"version": 411
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"rule_name": "Linux System Information Discovery",
"sha256": "5a00ad94a423c34375feac92d8a797b65e9fec09e9645f3563f6574ff51b0e5e",
"type": "eql",
"version": 4
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "2bb044fc86f61541f4ba022f3eebe2271afe29d9c1d8519e3654b1bd730239f0",
"type": "query",
"version": 109
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "a562dec8b60f1f740ea96b3d145fac4953c1cb26319750c3c582161935081d4f",
"type": "eql",
"version": 414
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
"sha256": "40ea5f7db27e4b8a6c2e992399ecdc3093f71c17aa81d7fd9611d7c09b292c29",
"type": "eql",
"version": 208
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"rule_name": "Kirbi File Creation",
"sha256": "37b0326fa10041ad96b39e1371a5e03b141e40ef574999963845c65a04da4aef",
"type": "eql",
"version": 313
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "8d61695be244bcd61491ff9ee3b9e87e7c6b56f368a933a429812ab08d733df6",
"type": "eql",
"version": 311
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"rule_name": "Chkconfig Service Add",
"sha256": "bceaadad35276ffb04d6bd8812cb004d849e83c1c14fb4f4dd910afee2ceb030",
"type": "eql",
"version": 216
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"rule_name": "Discovery of Domain Groups",
"sha256": "aef435eb45ab94bbedc0548295f1f51ce5a044d334416fcdcf0a64ab51890383",
"type": "eql",
"version": 3
},
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
"sha256": "19d1c906ae5392003ceb75e3b5029ddbf145381cfd2a57fe149af0c098078bcf",
"type": "threshold",
"version": 5
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "57c0fc045b8567bcb1f71c1225bd793bf02be62ce96118b07d957b4e49b4bb3d",
"type": "eql",
"version": 213
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "cec6730a302f70f809a0b6fa80aaf9ea94e04937cd6a26c74ea2ecaf0e7ea53e",
"type": "eql",
"version": 114
},
"b9960fef-82c6-4816-befa-44745030e917": {
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "24e0aba1907d3b154ae698cc53763c266e7e3d2379de61741452251f6607ba5a",
"type": "eql",
"version": 313
},
"b9b14be7-b7f4-4367-9934-81f07d2f63c4": {
"rule_name": "File Creation by Cups or Foomatic-rip Child",
"sha256": "3447097791a88bbf09a394b52a1dccc20d0702600c9926d76c0f3833f6b4474b",
"type": "eql",
"version": 104
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"rule_name": "Unusual Windows Network Activity",
"sha256": "8ed24c92aa311a914921aa68556ed4d7d864396aaac9625c8e05c8ba62527777",
"type": "machine_learning",
"version": 208
},
"ba5a0b0c-b477-4729-a3dc-0147c2049cf1": {
"rule_name": "AWS STS Role Chaining",
"sha256": "78203718bf9153ae050ec6e0c41b037e34f6916e09b6cfb0d771158a41500c71",
"type": "esql",
"version": 2
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"rule_name": "Kernel Driver Load by non-root User",
"sha256": "1513a4773f404bffc0e3cdb8078d93b7d43b143b54b109775e5927d24fb44ce3",
"type": "eql",
"version": 5
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "f9a2f72f3a38457c282d9c580db5aa42a1e76c523d951cddb047a3d0f68ec06d",
"type": "eql",
"version": 211
},
"bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": {
"rule_name": "AWS SQS Queue Purge",
"sha256": "205e2ddbd5a1220a30b0b3612ca370127cf1f0d5ab902fb690078504406f73f5",
"type": "query",
"version": 3
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"rule_name": "Azure Resource Group Deletion",
"sha256": "df1d2f0627fe84a1c630349ab8edf73199995bbd43ca19db174867e02780541a",
"type": "query",
"version": 104
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "a92cec668144d3166b4032e3146f87a22fefebeec3b6f854d901bb9ffda6020b",
"type": "query",
"version": 208
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"rule_name": "OneDrive Malware File Upload",
"sha256": "126aa1f2bb9843e14f0a747fa8006dd468611b0d44573830dca8568908e327d5",
"type": "query",
"version": 208
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"rule_name": "Potential SYN-Based Port Scan Detected",
"sha256": "daf0d5f0ba307d70c3678c9a881be4a10972abf9b1831f13289ab0409a002b5b",
"type": "threshold",
"version": 12
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
"sha256": "e8102c088a32061fe749478f009b060f4d2b30d27b1c0e9a5f80b76e8f22daea",
"type": "query",
"version": 209
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"rule_name": "AWS Root Login Without MFA",
"sha256": "c2a46f080af802fd9c7af4b800499efd51cd48c379b8742387bbc4a6433e2932",
"type": "query",
"version": 210
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"rule_name": "GCP Storage Bucket Deletion",
"sha256": "3e2b0190f192c460cc6e053ca6a11a7e2290978c6e56ff05f27b0de15041a080",
"type": "query",
"version": 106
},
"bc0fc359-68db-421e-a435-348ced7a7f92": {
"rule_name": "Potential Privilege Escalation via Enlightenment",
"sha256": "94fbad6793b437cdd6ce3abf2f38eabfd51edd95887ec7a0769ddf2f82ff426a",
"type": "eql",
"version": 5
},
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"rule_name": "Attempt to Install Root Certificate",
"sha256": "04c7abe67f3daa110842e0d1bd39802f22604c2208677281ce9fb7a4e704dc8d",
"type": "query",
"version": 108
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"rule_name": "Microsoft Entra ID Conditional Access Policy (CAP) Modified",
"sha256": "a32dae8a7dd5208737ad61a29f0beb40f97f9ab3bd06b75f2ed0964dacedeb52",
"type": "new_terms",
"version": 105
},
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
"rule_name": "Potential Non-Standard Port SSH connection",
"sha256": "04eae86e18caf842f7358d776ce851a91a34c30c9e9263cb82c0192ed9c5dd7c",
"type": "eql",
"version": 8
},
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"rule_name": "File and Directory Permissions Modification",
"sha256": "6f028a778cd80c68e68678c08f372afb760cb750e2c09cc05b8f599f3b97d2cb",
"type": "eql",
"version": 3
},
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
"rule_name": "GCP Service Account Disabled",
"sha256": "324f2200a090d6c04d09defb8869b8e172ba4fdc384b3cb5599dd5eabadeb388",
"type": "query",
"version": 106
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "93382678df93803ca4bde61537d7b101f7abb06ca5c01cc83f437fb9aa7ea979",
"type": "query",
"version": 7
},
"bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": {
"min_stack_version": "8.18",
"rule_name": "Spike in Privileged Command Execution by a User",
"sha256": "c25a6d3b25cc9621b9d07f9e45eda69a619d4d81b1e2302d19ccc028b24977ff",
"type": "machine_learning",
"version": 2
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
"sha256": "a3d6471cf1ea32d94fe5cbdd05696924387927c77216eca2fdf0fe34075464d0",
"type": "query",
"version": 216
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "422c3370ec3b26cd9a46df9e873549516889da20384ce3c8c0065add3c64f1b1",
"type": "eql",
"version": 108
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "40cd3a34cf55958cdbc3e7cdbce267dbe66c8c23a756a06b91af346ab41bf4f5",
"type": "eql",
"version": 210
},
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"rule_name": "Potential Pspy Process Monitoring Detected",
"sha256": "0143c33d3f591c2df1d42e89ad5da48554ef31bdf7d4f93edac26d79ad814c93",
"type": "eql",
"version": 10
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "1619f3dd27557576b15b1722278498a6bb81fec9b56695b36d8499f4711457e9",
"type": "eql",
"version": 212
},
"bdfaddc4-4438-48b4-bc43-9f5cf8151c46": {
"rule_name": "Execution via Windows Command Debugging Utility",
"sha256": "73050d70a759c88f80e90e0edddf60c7bcdd1ef6abdac3dc350d984e3fc5497b",
"type": "eql",
"version": 106
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"rule_name": "Host Detected with Suspicious Windows Process(es)",
"sha256": "6c63c12c97f2bdafc33a42a0b745504ac184465871b6a167ac909c7b96233d7c",
"type": "machine_learning",
"version": 109
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"rule_name": "Unusual Remote File Directory",
"sha256": "6b634e212b5dcafda9d320c410d4698421629c01dcff82cdc34f7f53957316bd",
"type": "machine_learning",
"version": 6
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "990ae878c5abd509abad18f0fe8063648e2cf311fef1dbc05f6368993f797de5",
"type": "eql",
"version": 315
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS DB Instance Restored",
"sha256": "234b375bb5f91e52387d72dd515da60e02676517be04b0ffa0a75871babecfb6",
"type": "eql",
"version": 209
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"rule_name": "System Owner/User Discovery Linux",
"sha256": "95ac57d7c37abd6f427c185327f8b943928535bc35a501604dd0a3a37879962c",
"type": "eql",
"version": 4
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "a5b6ae88c3e86627f9d32ba5003869780b99d1d4a0b66b595dbe3a3001797709",
"type": "machine_learning",
"version": 6
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "8446e2bb6fb8a00d63f64829d2bd0dba653c6273bf8610f925c66425fab369e4",
"type": "eql",
"version": 215
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "d14e4c6a66931182d9b1473e4f830335200c8a9f8afe321d707dfe76f07129a7",
"type": "eql",
"version": 110
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "54c20725fa5342e7d71c9eb119f1c21185f5de4e8e42e5502bfef005adc36422",
"type": "eql",
"version": 312
},
"c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
"rule_name": "AWS IAM Login Profile Added for Root",
"sha256": "260baba4a026a272e648f568530059f1eea3a4f0c91f0895da0a4110d7f684aa",
"type": "esql",
"version": 2
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "f83f9a3a883e2629dbfed9adc3119fa73446e4e7cc8236f2d5edc40f92f84bd9",
"type": "eql",
"version": 3
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "c4fa342fec8bd2d9be3a0170fff08f1850375e0660f459377237bfb23cebe615",
"type": "query",
"version": 105
},
"c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "eb449cb7215e17016cce984442ed6a89ce50708479dc74b62e0092b12f915b48",
"type": "query",
"version": 105
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"rule_name": "Suspicious Renaming of ESXI index.html File",
"sha256": "b3b96e8d988742a1f9b6e87cabd9b7a17cff40414f4d9385b5857d0be3c3033b",
"type": "eql",
"version": 9
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "c491b5a0b42aa83499f9efa22bfd6cc3660fa16cd364647122a215676bfbe45d",
"type": "query",
"version": 208
},
"c1a9ed70-d349-11ef-841c-f661ea17fbcd": {
"rule_name": "Unusual AWS S3 Object Encryption with SSE-C",
"sha256": "f3f3e571b434f11463b7ee2ab0b934d5fef81c5255f3670a198fd32a1be942b0",
"type": "new_terms",
"version": 2
},
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
"rule_name": "AWS EC2 User Data Retrieval for EC2 Instance",
"sha256": "3aafc5429538ce15883d86a274c32f57532b3b2a5c8ff61e1a3a05b2c233eabe",
"type": "new_terms",
"version": 4
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "5322de121f56dffdb40249e35fca739f1a16ebbb85ec7371a5c65a3234a46657",
"type": "eql",
"version": 103
},
"c24e9a43-f67e-431d-991b-09cdb83b3c0c": {
"rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
"sha256": "4e813e3929f68212f112bf17bb58d3dce810a27e3f4f10e06d543f08c99d07c5",
"type": "eql",
"version": 6
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "2338edda91ea70dbcfc2677ddebbd9c26ed6a22e0d89095429678931d74254b9",
"type": "eql",
"version": 315
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"rule_name": "Unusual Linux Network Connection Discovery",
"sha256": "90242136b72d57a88a384fd0cc8cbee8df2d4b2de1277dcec0e0719b8ec05b44",
"type": "machine_learning",
"version": 106
},
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"rule_name": "Persistence via Folder Action Script",
"sha256": "a9f12858c66714399a174dfe4a5781808e6693a87054fa03e3954bb3d71c3666",
"type": "eql",
"version": 110
},
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
"rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
"sha256": "52a5a9a333f384654c1ffb05f5f4d3cdaeee5b674dfb7173dfc80df45da59d64",
"type": "eql",
"version": 5
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"rule_name": "Mshta Making Network Connections",
"sha256": "bcbec784809bcdc44ea6e9582b4f0f70c0af25e51477eae81747a03e7587bab2",
"type": "eql",
"version": 210
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "23db8b09fdb9f4b08efb4ad8bcdfde256153602b55b53b81a85fe1273b9664de",
"type": "query",
"version": 105
},
"c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": {
"rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters",
"sha256": "ac87d2ea86014bbbad8e736029c418502bf307493bac41e28f009e426309d75e",
"type": "new_terms",
"version": 5
},
"c37ffc64-da75-447e-ad1c-cbc64727b3b8": {
"rule_name": "Suspicious Usage of bpf_probe_write_user Helper",
"sha256": "30d638a0c717fc26289aeffb7689f1277517f01315c434177f121a37236f0e0b",
"type": "query",
"version": 2
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "1add85789364640458ee305f5b8550a2e25a163c43f36fec51731cae26970e36",
"type": "eql",
"version": 412
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
"sha256": "030a1aeb1792ce0139cafd7bb96dfdf4948e5d117f5eb07f5402469679e24022",
"type": "eql",
"version": 106
},
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "2a2a2083dffa1918977c8e220791e6696c8988d89f3ae5d1cb7be6f64c6d113e",
"type": "eql",
"version": 314
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "3b384f5b7167037b7701ed3ee94a88db2419d715497a541bd02d487e183d4048",
"type": "eql",
"version": 309
},
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"rule_name": "Windows System Network Connections Discovery",
"sha256": "45fd633bec3aa011ea01f6d351e3e2fcd06bad30dd1ada1998a933e7fa819751",
"type": "eql",
"version": 5
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"rule_name": "Attempted Private Key Access",
"sha256": "413b967819d04045182bf441734756bf08b4f4196d2795d2de10e72cdeadedf2",
"type": "eql",
"version": 109
},
"c5637438-e32d-4bb3-bc13-bd7932b3289f": {
"rule_name": "Unusual Base64 Encoding/Decoding Activity",
"sha256": "48fc6f4115824391458d5b90d7118d71ad2e32e87ce1b1910a64290767ed25b0",
"type": "esql",
"version": 2
},
"c5677997-f75b-4cda-b830-a75920514096": {
"rule_name": "Service Path Modification via sc.exe",
"sha256": "68d02dae09181510d0735a66666d78e0c14f7192c8e60065aab743cf1fed3de3",
"type": "eql",
"version": 108
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "a795a0b3eb0b959a2a21561b09a36097e65626b939ff18fbe53a213be1942f6b",
"type": "eql",
"version": 311
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"rule_name": "GCP Virtual Private Cloud Network Deletion",
"sha256": "155bd7ff5163abb1afe509cc0739b9243d99ef4e900d35f2e8e756675e137035",
"type": "query",
"version": 106
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "eaf25862c9bf125c65589fb0fb0c659c8012700145ae890be2a7b03c259d3206",
"type": "eql",
"version": 210
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"rule_name": "Installation of Custom Shim Databases",
"sha256": "c57de02e0312120013f3b35ba6089b89954c8eeb296a8473c66a7d37e1bdad10",
"type": "eql",
"version": 311
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "9cb6d2c7eaf7230f2ce8b4ca744c4ec0f2af15679c1260845be87a1c67d7b611",
"type": "eql",
"version": 314
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
"sha256": "44964f1f76958f71511ca53492443b0ead56e8f4c1b4b7714d7f7bc8405ef1fb",
"type": "query",
"version": 104
},
"c5fc788c-7576-4a02-b3d6-d2c016eb85a6": {
"rule_name": "Initramfs Unpacking via unmkinitramfs",
"sha256": "4b9618fe9be661b140ce9c3fa6eddaece5fa772c37c83e4ddbdae34e63d7a36d",
"type": "eql",
"version": 3
},
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "f7b55ffc96a8a14f724488cb8765c8d5f7f8e5ea016b9b66eb9d8df89e751b95",
"type": "eql",
"version": 317
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
"type": "query",
"version": 100
},
"c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
"rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
"sha256": "5dc411adacd7845d2c32dfe1d1b08f2b7cfb75f5e07a9ca693f8b1050edb2fa3",
"type": "esql",
"version": 3
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "dad15ba894bcc5ff04c6d29ad18348d0ae785598205d8bfce378e6652e599f4b",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "1590b91d2a310db59d4be78dd783b99ca002164e41bf4bda055a579b5997a418",
"type": "query",
"version": 412
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 307,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "759198a89c60e9ee7a73bbd3954fd8b6224469a0a0e9f9ba0f9006b461325f05",
"type": "query",
"version": 209
}
},
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "647b6150d46ffebacbc7c94ffc91c209d7486c4e3ac86878d2d565ba13f0600c",
"type": "query",
"version": 411
},
"c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
"rule_name": "Egress Connection from Entrypoint in Container",
"sha256": "77caa22057265ab8e0e08aa1f6e45194a13d799d554e991173dd4727feabed58",
"type": "eql",
"version": 4
},
"c766bc56-fdca-11ef-b194-f661ea17fbcd": {
"rule_name": "Azure Entra ID Rare App ID for Principal Authentication",
"sha256": "c81e8f570b36fc2e7eac006c5013a73487bb1e2b5246a2427d02a13f163e4ff2",
"type": "new_terms",
"version": 2
},
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "e7371ea07e32cc452af83c45fbddf9ab5aab3f347528de0fd8997805c763e816",
"type": "eql",
"version": 209
},
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "de087f742b07a73ca37a9dd1e2cbcfd964b575c3b06272aa820cd747ec663828",
"type": "query",
"version": 206
},
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "65c76f66dbe4281743cd66e5a20a5b751a2c2ae1c0f5a4aac7c4606fef6bb32f",
"type": "eql",
"version": 213
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"rule_name": "Spike in Network Traffic To a Country",
"sha256": "e93266dd5b90875257fa5e902cf0b66f97b7c083f726c9c20e9bed33519f1fef",
"type": "machine_learning",
"version": 107
},
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "8d79be44b5c0b7c7e64b9529e924dc03e0871fae709ec2171918e7ee840f5471",
"type": "query",
"version": 109
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "60a4a2128f08ca893da602dafdbcfdd3ee5298a868f4c7ccd7743278b2872a7c",
"type": "query",
"version": 106
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "SMB Connections via LOLBin or Untrusted Process",
"sha256": "a8ebfee5f22f77f59e118ef4464a4f4433bda8d02ad4471c7a579efa864f888e",
"type": "eql",
"version": 115
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "0ffb4419e58ea0570521ceb4adc2f18877fcf1268ae42ff67aa3c0d7dc5e1892",
"type": "eql",
"version": 107
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
"type": "query",
"version": 100
},
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"rule_name": "Parent Process PID Spoofing",
"sha256": "18dd894d1e0202622b85047ba07b4b40ad322d9e8fe29889b16a0b4e337e2e75",
"type": "eql",
"version": 109
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "4fb255a0ff108d17311e170e7f81f100c406aee9ee127695ef4218672592ff65",
"type": "eql",
"version": 13
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "2d9f545bfac7aee1ea38651b3db7700ab3574efb7b2deecef99d4d84dbea4a8f",
"type": "eql",
"version": 315
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "0f1e8fc31dd4402875dfdd831131857f49b3cb63132a36830d645f3fd4456e03",
"type": "eql",
"version": 315
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "bfb100141081dbb5b23bc7bb4be9aadac948aee1e5660ac97e10031e9e6c3cb7",
"type": "eql",
"version": 8
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "cc40f7557b619c20a993ef46dd7b17fa103e74bae9608ccdd499efb61aa5b88f",
"type": "query",
"version": 105
},
"ca3bcacc-9285-4452-a742-5dae77538f61": {
"rule_name": "Polkit Version Discovery",
"sha256": "a1aa534e7609aa75d1d774e6fdc6ce0103baf709710d459ef76e10baabd1c106",
"type": "eql",
"version": 4
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
"sha256": "dbf2c7a7950cef5e0c8c5da97ea355d90be5de15e8e691d052c3e52fbe341020",
"type": "query",
"version": 208
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "4d4a261ac62f1ad69fe8e45c32d47574d73d96f4ea277e7a6659a3097ba787ad",
"type": "eql",
"version": 11
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
"type": "query",
"version": 100
},
"cac91072-d165-11ec-a764-f661ea17fbce": {
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "317e8ed377eb24f0bfdc3d729ed408a061e539ca89a6bbbdbe2ef5554c821a3b",
"type": "new_terms",
"version": 216
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "96be8a52587c138e28212eb60040122180b72ad4429fdda89ca97b336387c917",
"type": "query",
"version": 209
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"rule_name": "Suspicious Calendar File Modification",
"sha256": "de04b212d84afcdf96a74f9863cac14695bb61a761b9721b54d146e273f321d1",
"type": "query",
"version": 108
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
"type": "query",
"version": 100
},
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"rule_name": "Attempt to Enable the Root Account",
"sha256": "16b0d3114254d27bbe44fe8ce3cacf6f04aa4d3a899b20e052e1ff710f2138a9",
"type": "query",
"version": 108
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 101,
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd",
"type": "esql",
"version": 3
}
},
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd",
"type": "esql",
"version": 305
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "f96fbc507831ee383d5aba6dc23368580577fa8db5f2b9b96e30d8637df2d617",
"type": "machine_learning",
"version": 6
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "22b7548c81f0ed23863d9ab1db3c97d841dbd6e50980d50375c8acdd261a2a34",
"type": "query",
"version": 108
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"rule_name": "GCP Pub/Sub Subscription Deletion",
"sha256": "b45b88597c5f41272e1a9f367f7a4fcb2bcfe93e2420e108482fc5dca3dd926a",
"type": "query",
"version": 106
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 309,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "710c62d83fdaa016127ed9e29d989f772587c9eab5f3cf3062bacc34d969a8f2",
"type": "query",
"version": 211
}
},
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "87d9073072570535e42c78de5197be360faf07af27a71df53d97c788135ab744",
"type": "query",
"version": 413
},
"cca64114-fb8b-11ef-86e2-f661ea17fbce": {
"rule_name": "Azure Entra ID Password Spraying (Non-Interactive SFA)",
"sha256": "6c701e58e1612d0491da0b3b77e57b49ef3688848d3a1110cfa3ed6f1210f903",
"type": "esql",
"version": 1
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"rule_name": "Potential Process Herpaderping Attempt",
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
"type": "eql",
"version": 105
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "6b030bb11fda77cb9c68d2328306b80b13f3d9a055aa8504740c09a98e57139d",
"type": "query",
"version": 210
}
},
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "d26a0e15cee5125bd0609727b6b3466cf97483d31f391851e77e6df3bd5226d6",
"type": "query",
"version": 412
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
"type": "query",
"version": 100
},
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
"rule_name": "Anomalous Linux Compiler Activity",
"sha256": "fe70d9588bd723020455f5f5fa9a058975b89ac60ad613245881451906ce55c9",
"type": "machine_learning",
"version": 106
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"rule_name": "Kernel Module Removal",
"sha256": "12c6428f25fb80e5262b434aa320d3967d7a932a89e1479d48238ffc4f4c1191",
"type": "eql",
"version": 213
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"rule_name": "Downloaded URL Files",
"sha256": "e1e22d875cf9882ea60fb4f187227061c3018296fa8d5212781e842966659b32",
"type": "eql",
"version": 5
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 310,
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "48fedc9e649a01c172f18890a7ad9521f25b3c6d743edaaccebba5be9cb4e759",
"type": "eql",
"version": 212
}
},
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "731233eb6532a1950765586c4da2b20469cc887e6ce10b531f9629065e58bdd4",
"type": "eql",
"version": 414
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 309,
"rule_name": "Okta User Session Impersonation",
"sha256": "384b87d73752bb34af3573330f4217d16470de86054bb4c2c698c6434d47cdde",
"type": "query",
"version": 211
}
},
"rule_name": "Okta User Session Impersonation",
"sha256": "49290b5d15db111ba6e47fbc4647d92b0ad2fc0a32fcb0a2423011357494dbe9",
"type": "query",
"version": 413
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "271da71dc04f1010eb364ce5754f2c7a3683ae430311df7195bd66b7972ae841",
"type": "query",
"version": 215
},
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
"rule_name": "Shadow File Modification by Unusual Process",
"sha256": "6e0b6acb39b82e9faa8ad82a12cbe0b2dc3795c5098fe2e77d48b83bc9084a3d",
"type": "eql",
"version": 4
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "738e11ad446b5a83cb22b42945b260706c1056b5f8c27efff52bef483188223c",
"type": "new_terms",
"version": 205
},
"ce4a32e5-32aa-47e6-80da-ced6d234387d": {
"rule_name": "GRUB Configuration File Creation",
"sha256": "9d595f40499cc72da6c3709fdf71a203fddd9a1b11ef8be2f023f31c9a89e90c",
"type": "eql",
"version": 3
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "117d952e5bcd2c164962af88219378aeff64efbf8c1da73dbf3dabea0d1d6409",
"type": "eql",
"version": 314
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"rule_name": "Cobalt Strike Command and Control Beacon",
"sha256": "7917f89564301d83f5dcb2013db39240afa955863bc98f21a1016208a37ea998",
"type": "query",
"version": 106
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "e99dc301a62fee73fb630e903c70c8548070df3071cae7bcea8ee2a230f2a16c",
"type": "query",
"version": 207
},
"cf575427-0839-4c69-a9e6-99fde02606f3": {
"rule_name": "Unusual Discovery Activity by User",
"sha256": "dafdfd21513074cd259693095b1481af24714117026e81c38a454cfa19780230",
"type": "new_terms",
"version": 2
},
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
"rule_name": "Trap Signals Execution",
"sha256": "eaa28b7f8c71baf866712cf248d8f8b4111526a9f7eacae1f89a3d683b4b4fb3",
"type": "eql",
"version": 3
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "29123cecbb9df40ee043d7ac6c3949bd7dd0847391c4881c5bdd0f4f7b93f4a6",
"type": "eql",
"version": 317
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"rule_name": "Archive File with Unusual Extension",
"sha256": "b550e6d7b2adc9a8755324f1e6643b372a92d8c374fda50fbade8dfe08dce397",
"type": "eql",
"version": 3
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "2c3ad4d81dd5ab991f6860243ef78ede43c23895366d447e9cd0bc92bcf17e2e",
"type": "eql",
"version": 112
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"rule_name": "Deprecated - AWS Credentials Searched For Inside A Container",
"sha256": "b2a40d71fd9d37d3049115575c0b2fb19ff325ffd3ffd71b963d514ce7feb28f",
"type": "eql",
"version": 3
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "34191ec3d33f4d663071054a511f3ca9cffbbb925a2bfbcf697264fc8f64568f",
"type": "eql",
"version": 313
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "a4fa6279cb8ac2a13ac55785c7ba2d6748bd408d9896469b5a126ea561f8ff73",
"type": "eql",
"version": 315
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "753158074f3976bdc74f647b716f04e016fbdac165668222daab86e8a669859d",
"type": "eql",
"version": 7
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"rule_name": "Compression DLL Loaded by Unusual Process",
"sha256": "33bd527a750fda29b5480c117dda72748a391c83d695c92ca7282bef013f36be",
"type": "eql",
"version": 4
},
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
"rule_name": "AWS EC2 Instance Console Login via Assumed Role",
"sha256": "e764c602ea496d375b2316d4109ca5aa936049ea10464e2a4f17ee8397c0a980",
"type": "eql",
"version": 3
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
"type": "query",
"version": 100
},
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "8939090aaadaa05ae89af695e1d1e2151452ea651f9bf671534760bc050eb84c",
"type": "query",
"version": 108
},
"d2703b82-f92c-4489-a4a7-62aa29a62542": {
"min_stack_version": "8.18",
"rule_name": "Unusual Region Name for Windows Privileged Operations Detected",
"sha256": "6af539d1a1901b9397023a322186941933974f4ede39a83b4639958216815645",
"type": "machine_learning",
"version": 2
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "ab1e2c41e83ba93f5ec9b9f3c8ac16f61367c771f6f4abf5081a1f1d8b423a0c",
"type": "eql",
"version": 313
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "2a085de8209f72daca0b30fd53664e043c5176dfa985aef71df3e5077be22176",
"type": "eql",
"version": 317
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"rule_name": "Remote Windows Service Installed",
"sha256": "d468dc445682809a0a8c9641ed31494c4efe288793dc26e3753af0b84edc33f9",
"type": "eql",
"version": 110
},
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "16399edc8a9fe5bc74a0dd86a31391a4303e4d5b2907381e4740e2ec22fbbca4",
"type": "eql",
"version": 106
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "ea44e7c45639646c0f5afea36e85f87dbfa7d0a0cd434dbc6d5af8ef7ff1f098",
"type": "eql",
"version": 110
},
"d488f026-7907-4f56-ad51-742feb3db01c": {
"rule_name": "AWS S3 Bucket Replicated to Another Account",
"sha256": "1b5f1c4e9c160b09738959ad464afcbea5ed84ce2d36eda8a9863ec747c6f2ac",
"type": "eql",
"version": 3
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 307,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "08df81b97dfa133653055496f11e710598c74c28c4fdaf0efd0a3f3ea2cfe666",
"type": "query",
"version": 209
}
},
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "7fd97a6d16b2f196ff002868f67ce2d17332792e74235f415f84980cbecc93c1",
"type": "query",
"version": 411
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "6350cb52e1f9a7474b743ea8a49c8835573160720c9b65e3ce6e5bf25485d134",
"type": "query",
"version": 104
},
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
"rule_name": "Unusual Linux System Information Discovery Activity",
"sha256": "d856f5bc791ad881ae2e422fd298fc90902f2928d5fb89d126fe3fbf155decfe",
"type": "machine_learning",
"version": 106
},
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
"rule_name": "Unusual Source IP for a User to Logon from",
"sha256": "1002b1c17b431e49e3e235d8b15c84468824a76d7c5dfaea4cc8f90cafe26f31",
"type": "machine_learning",
"version": 106
},
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "fec6a0fa524575a41ba86fe848bb8fc7e9c103ac839a72cda6b2066ad75c6625",
"type": "eql",
"version": 109
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "9082be85ba93ddeec1e89ba8a3fc75dcf1ac8aaeba7127d029e4fa7ca48a8a85",
"type": "eql",
"version": 9
},
"d55abdfb-5384-402b-add4-6c401501b0c3": {
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
"sha256": "bde7e76a0841721264382a3359a2ff7d8ffa73d5adbb7888ab65b49c63057296",
"type": "eql",
"version": 6
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "c6567e2b9b097b8c88a70182f1a3d3e18b4f548a5882956238790067fc1acb6d",
"type": "eql",
"version": 310
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "6f347c2a22c881f591ab308ee4e149bb0d2460d463ea37ee64dd2a3445863f2c",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "2f4ecad22e3439e40d872ec6622ef847643a5b296c87bb2da5026854babd4a0a",
"type": "query",
"version": 412
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"rule_name": "Service Command Lateral Movement",
"sha256": "364e0e90aaf611c022c4397d51f9b8946415f1a861b48d5a08ebb218ffb0abed",
"type": "eql",
"version": 209
},
"d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
"rule_name": "Unusual DPKG Execution",
"sha256": "6f40b41de80d42bad45d272850576b66118db1fa6654c09a47a6249c3004ea57",
"type": "eql",
"version": 5
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "6d58ad5eb89fda1ff2f19018d0aca2f560050a01c42ffe92460ba52ae49fc5cd",
"type": "query",
"version": 210
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"rule_name": "GCP Pub/Sub Subscription Creation",
"sha256": "44cd3ade23e797d60feb1b58151d8cda1f5762e043c6f92ba9beb586f21181a3",
"type": "query",
"version": 107
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
"type": "query",
"version": 100
},
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "80a57f989c5ba72872a155815ac64a7927ed2bb48bd3b42c423fb64bc1228916",
"type": "eql",
"version": 117
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
"sha256": "2ca84c125e2f7b43139fe845f2f9c3c21078b72aab62be3a9110d77ae7438692",
"type": "query",
"version": 208
},
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"rule_name": "Modification of WDigest Security Provider",
"sha256": "221929268d5d76c2d02c7e67c51e7e8569e66ba2086a2311e0a26844195b2348",
"type": "eql",
"version": 212
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "be5cfbaf3f14fdc6b141a2da1ba75ce6fd4f73cd5a034cc56495c307cffec29f",
"type": "eql",
"version": 316
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
"sha256": "7753db2eea6710433d8e516034d1ad3e10f9665998fc63eda0e7fac38eaf8d49",
"type": "query",
"version": 208
},
"d74d6506-427a-4790-b170-0c2a6ddac799": {
"rule_name": "Suspicious Memory grep Activity",
"sha256": "9498dc0bbf5a8874168de36c387041aaa159b6d63cbe54c86fd0483d6f69ffc5",
"type": "eql",
"version": 106
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"rule_name": "SystemKey Access via Command Line",
"sha256": "2988d34ddda441fe4a4b88cb90d7d411968ded85b2b2494470af9d7e620da3f4",
"type": "query",
"version": 208
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "8811c39c35e4b6c052e17cac45d0beed552fc6c1d22b19f1a9f1d7ab8531d50d",
"type": "eql",
"version": 213
},
"d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": {
"rule_name": "Python Site or User Customize File Creation",
"sha256": "dfddf9feef64b9a41da72fd362a26321a45456fed11420facba72a5a9d821b96",
"type": "eql",
"version": 2
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"rule_name": "Azure Blob Permissions Modification",
"sha256": "c98d93eea336ce6205777f449eed6bfd33abf038146dd1f87c45ab7cefd14258",
"type": "query",
"version": 106
},
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
"rule_name": "Spike in Logon Events",
"sha256": "0bae75a43068e3d724f8d1ac0152ed8cf0acaa0ad5f0176618d0355340d37aef",
"type": "machine_learning",
"version": 106
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
"sha256": "d971cf7bbec2f72915f427094136083e496ac965e48c0afe7bc8524784702f52",
"type": "query",
"version": 107
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"rule_name": "Untrusted Driver Loaded",
"sha256": "30b26c87085b90ec42c4df57678a049026e6e4b3fcda21236d3488c15582e2b3",
"type": "eql",
"version": 11
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "38c6d7b6cfa4aa16d60be7b4d72e0615ac60e0e9f95c54313d98997dae0ebf43",
"type": "query",
"version": 211
},
"d93e61db-82d6-4095-99aa-714988118064": {
"rule_name": "NTDS Dump via Wbadmin",
"sha256": "d0b2bc419679d9286796d3a66037207d62902e4055b129a79858b59852f1cb77",
"type": "eql",
"version": 206
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "494b7da88fc5d6c219aca8cee782a27dff130484eef06aab786146e58ebd2187",
"type": "eql",
"version": 315
},
"d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
"rule_name": "Suspicious Windows Command Shell Arguments",
"sha256": "0be8fe7e3c4ba21ee47fbbd8f1a5d1cbc73daca022c05caab0ef900e29994edf",
"type": "eql",
"version": 204
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "e1ad0a26e85539ab019b057014df784c143b65894b744e2c58f1ebec3d8e902b",
"type": "eql",
"version": 213
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "636be48736d1fc5c1023b5e1ebe4fb3d03be923e8f049de7990cea48d1551b44",
"type": "query",
"version": 7
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "515cacb66d212f2083ea6b28972bc51a0c9167be27f0d0f84638b314049ae0dc",
"type": "eql",
"version": 113
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
"type": "eql",
"version": 100
},
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "4d68fe24dd0d301c1e923372d847dbba0bf64c745c110c39d6eb37c633173043",
"type": "new_terms",
"version": 109
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
"sha256": "2d9632002d649b472a5c733c0f47ed0f56bb23e1709525d6d93ddbfb119b22a3",
"type": "query",
"version": 106
},
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "8521413a11ba536084e345e3f1613d7fd496ad569a008aa17227c553e15e3fcf",
"type": "eql",
"version": 205
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "a9671169c35a71ba384b845fd9765c7d89e1e98600a415f4e36f2647c7b5e162",
"type": "eql",
"version": 211
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "a78cb90c7f0afb001831e03cd16a5cb52e24282352980bd0daf83fa50fbc9119",
"type": "query",
"version": 105
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "e498c1b47d7ba79f452f9c2064d0831a336c2666b3e012b595f05ed4028b10cd",
"type": "eql",
"version": 108
},
"dc61f382-dc0c-4cc0-a845-069f2a071704": {
"rule_name": "Git Hook Command Execution",
"sha256": "6443cd8b3cfbda2d7a70fd612bca43a314b67cbc2397648e973451f13d05c47d",
"type": "eql",
"version": 104
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
"type": "threat_match",
"version": 100
},
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "4db94576091206cc07684b6d0525c81be43ac5230ab521b61ac715ec94cf4272",
"type": "eql",
"version": 112
},
"dc765fb2-0c99-4e57-8c11-dafdf1992b66": {
"rule_name": "Dracut Module Creation",
"sha256": "059f1216689ab35326cf9bb3737e7b909fdebec22c5b630abf28df3d2e12a1fd",
"type": "eql",
"version": 3
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "26ae20aa5968e9f262435fe74ace17fb9288ff9ff0699c897846eb9c1c208d08",
"type": "eql",
"version": 315
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
"sha256": "da4cbf0c9c49d0017d6024802770daaa114775caf1b2166996fbea05d143f0bf",
"type": "machine_learning",
"version": 210
},
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "fffcf31bef3d24ead7f7bb3b63ea7317ef98f42f3d4fa08603ee2d0f926e15bc",
"type": "eql",
"version": 207
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "29bff27ecc7b22548eff76aee34d753aab9506f5e9679c823203a88116f86d2e",
"type": "eql",
"version": 212
},
"dd52d45a-4602-4195-9018-ebe0f219c273": {
"rule_name": "Network Connections Initiated Through XDG Autostart Entry",
"sha256": "c5e58b53df939293538e3efd32441106b18f08c9fac0f261930e3b2ebd2414db",
"type": "eql",
"version": 6
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"rule_name": "Reverse Shell Created via Named Pipe",
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
"type": "eql",
"version": 6
},
"dd983e79-22e8-44d1-9173-d57dba514cac": {
"rule_name": "Docker Socket Enumeration",
"sha256": "149cce82433148ce029d90e16163afe91fbbd5c7a7d212750d165f7faee39d8c",
"type": "eql",
"version": 2
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "345ef25b94eaf7afb1dfb7f61c124b3d66e41677ee7daf2af9590dfdb0164a57",
"type": "eql",
"version": 312
},
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
"sha256": "c129a707d58db25a4c45591577570e807c1cda2be7e4167c44a922ada89b2939",
"type": "esql",
"version": 4
},
"ddf26e25-3e30-42b2-92db-bde8eb82ad67": {
"min_stack_version": "8.14",
"rule_name": "File Creation in /var/log via Suspicious Process",
"sha256": "cae1516dc1a068f2f2284cfdbdf3d349a65b44b039ecd235dd3b6ed582d6c262",
"type": "new_terms",
"version": 2
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "8058b4f596b37cefc52cf3fb95fa1d733b08790bc436107045b3fc6158b578f7",
"type": "eql",
"version": 315
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "f5e956781dab82d481e1c191e5072fb081fdc35642565479ae6a5a74589b0eb7",
"type": "eql",
"version": 213
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"rule_name": "Query Registry using Built-in Tools",
"sha256": "b5f0f72e6447ced9a66c345ae4f28a96d82114336517c32b52ad7e8e09e58551",
"type": "new_terms",
"version": 107
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"rule_name": "First Time Seen Driver Loaded",
"sha256": "3c532319046fcb837e9e636b12fc2228f64068979187d2dae380b4db54b277bc",
"type": "new_terms",
"version": 10
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "698b739a519f1247043c8a2392c5f1b69d8f2f5a37daf5f26c0ddd108ac9833e",
"type": "machine_learning",
"version": 208
},
"df26fd74-1baa-4479-b42e-48da84642330": {
"rule_name": "Azure Automation Account Created",
"sha256": "9dd6fdef678461381fe5ca9243a9f390260edbe650857120bf5201c3240cff0b",
"type": "query",
"version": 104
},
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"rule_name": "Dynamic Linker Copy",
"sha256": "8746efd8c7a5db283a0c57f09d50c2b779a4c77f14d4c420a7ef94ab09871f26",
"type": "eql",
"version": 212
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "5b60c93cf576b5f6d248526e3f315e45a9a62f0cb8eae284eb163cdd272ed32a",
"type": "query",
"version": 206
},
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
"sha256": "f33b42f628062aaf94789a5880e98522fa684c465bdf6da024d16c74a4f02efc",
"type": "esql",
"version": 4
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
"type": "query",
"version": 100
},
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "d5df0c7078e1f0cd8f44092a93fd16ba9330112396065569a58ad1ad44e75cee",
"type": "eql",
"version": 205
},
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"rule_name": "Delayed Execution via Ping",
"sha256": "4d0978b645653188ee76f1bb49ac3f4cbdc8def28285d7d0507c8e5dc14c34cc",
"type": "eql",
"version": 5
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"rule_name": "Azure Firewall Policy Deletion",
"sha256": "82042a004c8f365799c05cb46f2eed28019b3c95b646c53156b2f019ed4dc227",
"type": "query",
"version": 104
},
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "8f3637bf0febf4ecf16e25e1fd99456f0a53e3b8088731ee5d0d0983b77f9fa4",
"type": "eql",
"version": 211
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "530ec32c26086a48a3b167fac750f221f891b1f1f4b49db52208b9f3ff05f1f2",
"type": "eql",
"version": 111
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 310,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "9b77e22fb6460cbdb3e85d6b43d58ba16119cf9ce64692958b30fc4ed9657bc5",
"type": "threshold",
"version": 212
}
},
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "6e3e41c82389d772556a2a178b933d4cdff82e9bfe42283e9f1ae3f5f2a1ff7f",
"type": "threshold",
"version": 414
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "7eec11f39785b3ac03e6d5bcd9632b6782226fbf7f23f36d696c9eb456216534",
"type": "eql",
"version": 108
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
"type": "eql",
"version": 100
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"rule_name": "Azure Event Hub Deletion",
"sha256": "83fedbbdfcf4592eddd94a5d936d244ead52098cae9c7a3bf8ca0fc11d67d74b",
"type": "query",
"version": 104
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"rule_name": "AWS Route Table Created",
"sha256": "d16ebea3af139abc576479f31d634e6f56c0226ed2e34fa6ddad342c3d5838ef",
"type": "query",
"version": 209
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "AWS RDS Cluster Creation",
"sha256": "554d5defaab6dc8c8c458bc10c8a4e290370d6c9fca7cacf1b4fb2ab3b590265",
"type": "query",
"version": 208
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"rule_name": "Connection to External Network via Telnet",
"sha256": "68752d6f8a27c36dccc1293bdce1bbf7a32d59b77108cf2d69a41178b0eac77a",
"type": "eql",
"version": 210
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "5a371e71a9b488124d05e63a91f0dff222eb265f7a8fa1d38ae40440531480bf",
"type": "machine_learning",
"version": 6
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "c06b00e0148c664ffbe90af42685fc3808597c009d4d5cb267d43cd9654ea783",
"type": "eql",
"version": 109
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"rule_name": "Spike in Successful Logon Events from a Source IP",
"sha256": "b747d127de957cee57f1f89e40e8e048afce3f057baf95d733f590205eb24512",
"type": "machine_learning",
"version": 106
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "c2ce3c45b246ac1baa015811ebcdb54bf1a9daf4c3349f4aac378bbc7af2cbbd",
"type": "query",
"version": 318
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
"sha256": "94c926b40a93dc8729cd108cbc5d551b16391d79e31f494a6dd8ac3b91985c4f",
"type": "new_terms",
"version": 5
},
"e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
"rule_name": "Suspicious pbpaste High Volume Activity",
"sha256": "fb7284696c578f3cec014e5b1a12f7aea7aea33251f753a859a6b48e0479c879",
"type": "eql",
"version": 3
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "4c55ff0a69ff41b1f88c95d3e01110af11134d1a5cd9e98771ed8e401f60bcbe",
"type": "query",
"version": 210
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"rule_name": "System Network Connections Discovery",
"sha256": "52d8a7ec6eb615544d954620ce09365820081c38f65505c1e6ab641a585e3f7a",
"type": "eql",
"version": 4
},
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "33982e9e8c18594faa7ffebc2fae992052114cab1b331a7bc80c6ecdd1cd4beb",
"type": "eql",
"version": 212
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "2e70bd24e7e2462bbefc498fca2c0fdeb22e0e4458ca98bccf2ea13d7477dfc5",
"type": "eql",
"version": 213
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"rule_name": "GCP IAM Role Deletion",
"sha256": "dba30f098f2bfd00be8ffafd120ff63c8495b2efe909875c826852eddbe6ecd2",
"type": "query",
"version": 106
},
"e302e6c3-448c-4243-8d9b-d41da70db582": {
"rule_name": "Potential Data Splitting Detected",
"sha256": "148d6ab8d60cbdd98c4d4f554596945713e5b91683c4bcfbfd6dfa5b55ee6b6d",
"type": "eql",
"version": 104
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "8aa1de8df549e67e79bf31cfb452675c3318c91847ab584b0eda2ffcfcf32af5",
"type": "eql",
"version": 315
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
"sha256": "9d41ed59f3be5a9cba2a43308015da0c4613225ff148ec052e8ef5f782554ee7",
"type": "query",
"version": 208
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "6c528e2eaa2548c187927e68a1378a8ae0983ad6786b4c4ea83f5f2791f614ea",
"type": "query",
"version": 105
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "dbbdeb7ac1e711bf00274c964639594933e1ce5924de179e7882c488edbfe152",
"type": "eql",
"version": 209
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
"sha256": "58b1d84b309af8166c6ede9962ff74a03ffdaf9ead2362035ba25a08429f44fb",
"type": "eql",
"version": 217
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "9676cbf32057970b5e7a090bc2ca6c4dd6acda35d010009bb17e480d1df4070e",
"type": "new_terms",
"version": 108
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "e088d4ca612ade27d31a69dd5614c2f742ce616cc3e7fa7dd0f87acfabc6968b",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "ec4d4b49bb0557f30bd5406a763042ca5ca13027e3238d6f8ad289d21b9bb6f1",
"type": "query",
"version": 412
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "118acd90df3154153bf8557826919eab96f0fac35675eef1ec9142c8b40514d7",
"type": "eql",
"version": 209
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "a666e662ecead900200096c997feda81c48e650b4b6929fecf12819e17aa6d4a",
"type": "eql",
"version": 216
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "789d56eb67930d1e7ce1cc61bcd47f0ed36b4fff864e852b75efe0fa42991b2f",
"type": "query",
"version": 207
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
"type": "query",
"version": 100
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"rule_name": "Bash Shell Profile Modification",
"sha256": "8c1053ff5fdfa8b8a4bb84a119023a812d15b37542c1a627ffa0600fa43f6beb",
"type": "query",
"version": 106
},
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"rule_name": "Authorization Plugin Modification",
"sha256": "8c5a6d2e755c84d286e20429144a010c9dd5bb6d6d3c3b51006d595342506d53",
"type": "query",
"version": 109
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 307,
"rule_name": "Possible Okta DoS Attack",
"sha256": "555778fe474de3773a42ba94313153209ce4209e51a196813715a3ddfa835ff8",
"type": "query",
"version": 209
}
},
"rule_name": "Possible Okta DoS Attack",
"sha256": "12284166256e64b7c01e39b512e688f68f637a8fb0b26b266d2652d2e2c22fd5",
"type": "query",
"version": 411
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "7f6c1610e97359d0ef8f39a95dec381fee893c0087cc0055732d40ca080ce765",
"type": "eql",
"version": 110
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "cfbb66f9f0f827ab92081dfd22c10a939925dbffa01dd36a5e36d654547a18d0",
"type": "query",
"version": 106
},
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
"rule_name": "Potential Credential Access via Memory Dump File Creation",
"sha256": "04d7360e6bde8541703c0b167175745f892ada5db0d307dce3f8f75b1f97e452",
"type": "eql",
"version": 5
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "8af66bdd03c5ba834cd114fc87732b927ba4293781453ea9250576e590fbb9a3",
"type": "eql",
"version": 209
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 205,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "123c8d391974a063625df859c1b10d7a95232b0f02f302c5097d70074e697164",
"type": "eql",
"version": 108
}
},
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "09987510e50d659ed83b389230a6a8dbb588e6329186fddc5231fa3674154535",
"type": "eql",
"version": 308
},
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
"rule_name": "Potential Windows Session Hijacking via CcmExec",
"sha256": "664e2b796744b9c89cf1599efecac9d8ab2046b29b5707040dbbe537386aa385",
"type": "eql",
"version": 3
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "58b8a9367b8203fb99729740505a056d82a055aeb7e8a8ac38ffe6692e2609df",
"type": "eql",
"version": 5
},
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "814b183eaeebf91847ccec2b4af4cdb9e57309815c606482f8529136a97d30f2",
"type": "eql",
"version": 203
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "9c3e96e69661d63d5b9d68e4ee264073533225ed49ff5998ec805c26b53266de",
"type": "eql",
"version": 111
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"rule_name": "AWS EC2 Route Table Modified or Deleted",
"sha256": "2e08f2c516a61a43bbeb762f08cff51f167568c46646e53ee5e1d81921190fa9",
"type": "new_terms",
"version": 209
},
"e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
"rule_name": "Network Connection by Cups or Foomatic-rip Child",
"sha256": "f324967cec3404ab2656bb12ef820476a31e80139d0bf1742ccb34948513855b",
"type": "eql",
"version": 4
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "9ae6927d3848fb08d6b9486923291fe8fccc0926069c6af97ba59af4a95fc7f8",
"type": "eql",
"version": 216
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"rule_name": "Installation of Security Support Provider",
"sha256": "08778ef25240581721f6522164af5354c5b8e0feb536b6056f5e613b425ba7f5",
"type": "eql",
"version": 311
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "240192ef0bea37fc30db7b5ac9eb621b52e7692a21bbd108ab950b77e69d525b",
"type": "eql",
"version": 109
},
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
"sha256": "78abc9a2eed7a19b2d6ebc1bc05238321e4dba4e11da79bacb565b479cc4e386",
"type": "eql",
"version": 4
},
"e8ea6f58-0040-11f0-a243-f661ea17fbcd": {
"rule_name": "AWS DynamoDB Table Exported to S3",
"sha256": "2d6f19cd200dee46a2702d73743b4ddebe21c3af769273024bb586d69e114489",
"type": "new_terms",
"version": 2
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "564659b48deefbcf8ec40d29e3fedc5834cddfec5e82e40ac76d82f3885ddc3e",
"type": "new_terms",
"version": 109
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 310,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "11687f3cbf71206899bfb40ed8a027202830df829f70f0e59b649de19c51b3a4",
"type": "threshold",
"version": 212
}
},
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "923880a5e8c4d831cea799c355f62d9dc8f91e51c8179f3d757929b136581f11",
"type": "threshold",
"version": 414
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"rule_name": "AWS EC2 VM Export Failure",
"sha256": "3108c7939b46b2c24d8e8329dcc507d097bf974d63f37e757e8bcbd60db15a82",
"type": "query",
"version": 208
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "8f10b2a9adaf97ec1bc98f62ffa1451ae303e28e4e389e39f9a462a27e189318",
"type": "machine_learning",
"version": 6
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "42127b508b678cf780488971af93d4fd690ab6c5880568df13b1d408a9d9c1b8",
"type": "eql",
"version": 313
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "23e831b3f10fbd14d9101693407a6ce3404b02e7e97d674563a31c8fb16a0c0f",
"type": "eql",
"version": 108
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"rule_name": "Spike in Remote File Transfers",
"sha256": "9851656253510ce2fc2c4a7a08bf1ed0c825e9618390b9b89d0f69f923a4032f",
"type": "machine_learning",
"version": 6
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
"type": "eql",
"version": 100
},
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
"rule_name": "Azure Automation Webhook Created",
"sha256": "f68c7c25601fabddc22a9338198f2264152d3ae7ab6ae0455b7427fd5216c3e1",
"type": "query",
"version": 104
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
"type": "query",
"version": 100
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "44bc3a93c7a5f7f6606eb5f9b1f9b8bee2d056f00e5767ba61c13a4c71082c2d",
"type": "machine_learning",
"version": 109
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
"sha256": "a3a27ddcbee5752715ca4892770bb44b06a5ff20a585a8f29ea3d048cc49675e",
"type": "threshold",
"version": 211
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"rule_name": "Spike in Firewall Denies",
"sha256": "3b98fded30d504c2ac622e68d4d5ea2082157e46544d6037ba65a4904c7face3",
"type": "machine_learning",
"version": 106
},
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
"rule_name": "Suspicious APT Package Manager Network Connection",
"sha256": "8b39b977aeb20d1dca078c897b14be9ecf5843c1be80362f589fafea5a30a009",
"type": "eql",
"version": 7
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
"sha256": "3076f6b1adaf92e302684e1464639085c90751e68a525064398b7a9c2a03e3e5",
"type": "query",
"version": 105
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "c468778c4333b21155a1daae233d2e16b7ffda86f4d738698ae1cdc5a365323e",
"type": "query",
"version": 108
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "62446d0d38929b8edf499134e3d75f1ab2e2c46f23dd345bfb0455e46500755c",
"type": "query",
"version": 214
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"rule_name": "Suspicious Network Connection Attempt by Root",
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
"type": "eql",
"version": 104
},
"eb804972-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Behavior - Prevented - Elastic Defend",
"sha256": "32389de8f4a3a9b8d96994f93486c9df96b9247ecd2ad1f574b7072d41e9064b",
"type": "query",
"version": 4
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "cd4655d53e4197405af37fc5456d62316e20bcd0d52f5f2000730fc4c7fa77e1",
"type": "eql",
"version": 213
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "395d279ec90b09e6498963fb15ac93a8e02e69ac2d5db03cdaf059d2ef813924",
"type": "eql",
"version": 413
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "b6e994e9cd4797cfe19d97fb226ea3f364300befe3165d3d6d447d04c79e5194",
"type": "eql",
"version": 314
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "1e0d8c9798180cfb6d6ca288ee27f77b0a1e754626962ae4668240dc20ec3dff",
"type": "eql",
"version": 316
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"rule_name": "Deprecated - File Made Executable via Chmod Inside A Container",
"sha256": "e83d9c10df932ec1ea757f8db704550f8f70c3bb48b0155578659ee10099091c",
"type": "eql",
"version": 4
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
"sha256": "02f17712df688519b9a6c897ce5c4e4424fbb5aa0d5d13fe44b4e62b864d49d1",
"type": "query",
"version": 208
},
"ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
"rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
"sha256": "47e4958d50e93ed6778740ecfcf89bd396029c2690a9bf011d84767a7468ab0b",
"type": "eql",
"version": 5
},
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"rule_name": "Executable File with Unusual Extension",
"sha256": "26eb81d65b0052deb8fd6ae74d37f43fedc970ff9c1e5317e15e43470b1cd0e0",
"type": "eql",
"version": 3
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"rule_name": "AWS RDS Instance/Cluster Stoppage",
"sha256": "a2827f578cbd78913f8094870ea1f47520a28dcf7c9b73d68a250b0cc0e72993",
"type": "query",
"version": 208
},
"ed3fedc3-dd10-45a5-a485-34a8b48cea46": {
"rule_name": "Unusual Remote File Creation",
"sha256": "44572f2362fa5d16dc5a5facad9a20fa1690c0d70c0ef5117bbc5f72bdd6355e",
"type": "new_terms",
"version": 2
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"rule_name": "Azure Global Administrator Role Addition to PIM User",
"sha256": "11bc690130eb258d4981c113a2b0aa9423075397f2b7524177d58c05525885a0",
"type": "query",
"version": 104
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"rule_name": "AdFind Command Activity",
"sha256": "e3342025886a8e9918d18e9751c9b684b1a5fff7ef36f6620ef24fa7e5dcd927",
"type": "eql",
"version": 316
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "16079a140012eb657c5c76c259629f9baab9f15ea6434d1329b8a947a2622c94",
"type": "query",
"version": 210
}
},
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "7293a963f88760ced8b6ac3254e3f873ac11ecb6772d9e3eddfc990c37999a27",
"type": "query",
"version": 412
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "57c89a202d59826b5d10267c4a7a74d3163450526be380ce825cee705fcc591b",
"type": "eql",
"version": 317
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"rule_name": "Linux User Account Creation",
"sha256": "0df96960039330d93aff22d2804e6907345c7a48b9e8ece5549e29c1fb043ab3",
"type": "eql",
"version": 8
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 205,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "3a4e694a70d98f4075ad70e8cbc4c5820745c5ea03ab7103f18015a3cc68dc24",
"type": "query",
"version": 107
}
},
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "5fc77a932c49418d0045771eafe0e2e576ca9e4b14e91932f739b0faf338ace5",
"type": "query",
"version": 309
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "2d2e0f6240ae38f7e0b69ef6ad7bafd1d7e62832d4f2fe56e1add1e7821d3ecf",
"type": "eql",
"version": 212
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"rule_name": "Shortcut File Written or Modified on Startup Folder",
"sha256": "04fec0a096749a95e17bd8ce3f6568b2511508263bbfb0721b15ad6d2442d450",
"type": "eql",
"version": 3
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
"type": "eql",
"version": 100
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "d848b5a89ce014c15a146a22d220f395c2bb9f3e8412a1503ee91eefce9eaf79",
"type": "eql",
"version": 110
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"rule_name": "BPF filter applied using TC",
"sha256": "30fe03333e35e38dd5d69d8669503dc6f9ed9d29cce312a4fb92f25344333167",
"type": "eql",
"version": 212
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "d05c810f55821a20d818adf7a89c3bd8b3b1a4ac214973fc7e936e1b1c046312",
"type": "eql",
"version": 110
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File",
"sha256": "e4750e67d85a5bceb46ee02825a18989d55a065f353791467ac9bdcc98f4cb7a",
"type": "eql",
"version": 3
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"rule_name": "Whoami Process Activity",
"sha256": "3348b3b7bb5f0a926e86c210c8fde190635cf95049710e10ac6c65948844e099",
"type": "eql",
"version": 215
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "778230a26def2a0e67e96f7595a9178850858357a21ca5b48469576b483692e9",
"type": "machine_learning",
"version": 6
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "793f90dcfcda045be8b8e57c76769b6cc6a67cd9b60f24692a41d6a1b46f09d0",
"type": "eql",
"version": 210
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"rule_name": "Suspicious HTML File Creation",
"sha256": "f4c82742914d3de3e48736b687e0456d3d69c4995b866f42433893ad855a7d50",
"type": "eql",
"version": 110
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 307,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "27066b5e84a225f2e379be5ede390f38f9c8187a9c43da195fe70a2e028f5ba6",
"type": "query",
"version": 209
}
},
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "6917f95f482828c07c75c4e7d6f72fb962c87be2f1fd72c040cbe80975b8db57",
"type": "query",
"version": 411
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
"sha256": "24c12ca485f16a98dbfc7c5b6106b7402942c22fba4d239c668a2f5538b406c9",
"type": "eql",
"version": 112
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"rule_name": "Azure Alert Suppression Rule Created or Modified",
"sha256": "4e6e449e7f6a73a48b024a0af1260491edd09435a3a83c8bbd642d4ff3483447",
"type": "query",
"version": 104
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "41e7d0dc2f138e4b3cefed3d2284d24efc6c860945ed14ac8e2bfd9b7744fffa",
"type": "query",
"version": 108
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"rule_name": "Potential Remote Code Execution via Web Server",
"sha256": "fe32158eb449f11f2206d9957876fadd3b363b614fd6269ae507b611aaeab0e1",
"type": "eql",
"version": 110
},
"f18a474c-3632-427f-bcf5-363c994309ee": {
"rule_name": "Process Capability Set via setcap Utility",
"sha256": "dab005eb675c77c6ed9e4baaf41dfe9836c839905f24763154a739a9dd05b029",
"type": "eql",
"version": 103
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "1591bdd1b5db5f19c511f74842217e37302a1d4f6ca0ff1d0dd525fca7d06e62",
"type": "query",
"version": 5
},
"f2015527-7c46-4bb9-80db-051657ddfb69": {
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
"sha256": "b8fea4ec10d167e43ccb1c206bc2a38d1f10729536b1bbd9b7aba0a4c1244b1f",
"type": "eql",
"version": 4
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"rule_name": "Service Path Modification",
"sha256": "292d4aa8edd0caeec1e29fa8665f46ff2793206064a100df1cdcdb5a5b6c51c6",
"type": "eql",
"version": 106
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "4e0c75028fad0969d746242d8706e48f1fa9de31cbc176d524acc2800af48222",
"type": "eql",
"version": 111
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "2151659f71f600bfab423a33bdbe32e9e6e2ff0d58f3b392afd024f36d4034be",
"type": "eql",
"version": 212
},
"f2c3caa6-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Malicious File - Detected - Elastic Defend",
"sha256": "568e1041f44361fecee31f7f90400410dea37ac50827c99845fd265d704235bb",
"type": "query",
"version": 4
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
"sha256": "42cba0422e9398684922e14a9f8bcb52726504673ccd9369a94911561994ab23",
"type": "esql",
"version": 2
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"rule_name": "SIP Provider Modification",
"sha256": "d2f3e8208ecaff994acdc3a22be99eb3f6a4cbc504c08b35cfcdf358cd4091b7",
"type": "eql",
"version": 312
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"rule_name": "LSASS Memory Dump Creation",
"sha256": "951f2e1673e102463093c2ff30c5e50e8c86c86165460ddcdb5f6bfb1b9d2acd",
"type": "eql",
"version": 313
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"rule_name": "AWS RDS Instance Creation",
"sha256": "ddbbec610db6a283c1d61228059725f34a19d4b41ba75691104de48cf92f873f",
"type": "query",
"version": 208
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
"sha256": "c335728c999783c3fb1640836780d8784caf524535b78b35a896e0573e194ea4",
"type": "eql",
"version": 9
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "ba93e280bf515c2416bd93583536626ae8456a25e0c828cd6aaff58c4ccc2cb0",
"type": "query",
"version": 7
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "9f7ee74673817cc624f9e5c0d29379b9b188c815005dd839249467c9432d5a5d",
"type": "eql",
"version": 213
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "18b9078e04e53665a9e42c20892ae7b343695676e33f9ab44a06568d4c56aa2f",
"type": "threshold",
"version": 106
},
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
"rule_name": "Suspicious Network Connection via systemd",
"sha256": "909b708c3c5fe5419060f8cc3f4c608c5bedc609274b7e331c3f35ec45e53142",
"type": "eql",
"version": 6
},
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
"rule_name": "Kill Command Execution",
"sha256": "21aefb47a6ff7d327c39e477956363c1d06d4a604575c934c1fb0a5848589868",
"type": "new_terms",
"version": 2
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "d523f9e7b0b0a672bde61148eda10896934ae0f610892a879adf5a29cd789057",
"type": "threat_match",
"version": 8
},
"f401a0e3-5eeb-4591-969a-f435488e7d12": {
"rule_name": "Remote Desktop File Opened from Suspicious Path",
"sha256": "4784c8cfcfdd3d71afe46f06f3fefa52ed4a7e093dfdf5164a135a4998025ab2",
"type": "eql",
"version": 4
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"rule_name": "Potential curl CVE-2023-38545 Exploitation",
"sha256": "6ea1cb9f3cf028cb815f82f3d33816c5615e61740687f8daa0f6242e0fd1d22b",
"type": "eql",
"version": 9
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "323f831275152839d4f63d0c24588e0258995447e74ae531d58005d1f7d3d08f",
"type": "eql",
"version": 310
},
"f48ecc44-7d02-437d-9562-b838d2c41987": {
"rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration",
"sha256": "0810cb58b59f4b62e59c00ba0b9d77a59176f6eda28c68246e58e8bf44fb123c",
"type": "eql",
"version": 5
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "52d2fe52f3a61720cb44331a7f25c02c0738d93fc4c7e5e4120c122aee4f9a97",
"type": "query",
"version": 216
},
"f4b857b3-faef-430d-b420-90be48647f00": {
"rule_name": "OpenSSL Password Hash Generation",
"sha256": "7dcd3d966aee09603447a9cbc9c2b71946b618905723f824015b77920d2ba856",
"type": "eql",
"version": 3
},
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
"sha256": "67cfc341651734d5dc809fca49d66ce14a80f2ba8535da9515f18242adfca0cc",
"type": "esql",
"version": 4
},
"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
"rule_name": "DPKG Package Installed by Unusual Parent Process",
"sha256": "edb857bc70241122fedaa1996b651a7a9ba688d421972e539c625617eb9186d9",
"type": "new_terms",
"version": 4
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
"type": "eql",
"version": 100
},
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "34fc3925d1151fda722c2c035158838e8872f6d8a1466be160953b722a68c4bc",
"type": "eql",
"version": 9
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"rule_name": "Windows Script Executing PowerShell",
"sha256": "4378ee222919efba7427a577bda294aa0442bf9d057e250b39badf4e4ce132ed",
"type": "eql",
"version": 313
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"rule_name": "Deprecated - SSH Connection Established Inside A Running Container",
"sha256": "e9a0161ce66e4dbbc1d7b04ff2e17e6b37a210d29e6dff9d8ca021d2a0c65355",
"type": "eql",
"version": 4
},
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "ae9457eb32db9a0db1ed90111e5b299471da915c82b32888e3f633e7bb0e700e",
"type": "new_terms",
"version": 210
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "098b67561c77f0c21c5f210a522714d38ba5c1d9399953b688dc2131d41afdbe",
"type": "query",
"version": 109
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"rule_name": "WMIC Remote Command",
"sha256": "80869aeaa9ecaa78b06215b22030b3c567e651a63e4742eb9d7430ac8da5dc17",
"type": "eql",
"version": 109
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "a4034117152cd8f97a567fb9c3b1044317ac7a928db9810a14c30d65995b5501",
"type": "eql",
"version": 109
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"rule_name": "Parent Process Detected with Suspicious Windows Process(es)",
"sha256": "5a191ad4b653b38b802827b84ba554eb61833a7aea198cd7e00c19f3bebd2ee7",
"type": "machine_learning",
"version": 109
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"rule_name": "Masquerading Space After Filename",
"sha256": "bf07acc9ac42cff21fa4a5bdbb18b5cf1d2bc9b47b427a1c5331b9ef2d8074e6",
"type": "eql",
"version": 9
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"rule_name": "Account or Group Discovery via Built-In Tools",
"sha256": "d9f5621f82be94bbf80b69482ac416431c8ab7e4448aaff2c48979576254bc22",
"type": "eql",
"version": 4
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "163f881eaabb32aed0575c3999e5a354e662d3b11845a984033f329d8c453063",
"type": "eql",
"version": 313
},
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
"sha256": "dfca3722b9402ca28d36a5ba2d1d4377c310d9461799ab5024314063fc1edc22",
"type": "eql",
"version": 4
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "2ea135090bfac64ddec4b4ad76c044f9295ca83fbe6a5e1c740159c43e661692",
"type": "eql",
"version": 313
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "6b0b3d8d5ab2b21ef1d01687fd7be5b31877f1c9a2da47182cfb0b9aacf54508",
"type": "query",
"version": 108
},
"f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
"sha256": "d8d5756ec5102a1f1585ee55ebc190c8622cbc2ea6fb78aa08c63ca978c50393",
"type": "new_terms",
"version": 3
},
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
"rule_name": "System Hosts File Access",
"sha256": "dcabc1ccf456b619be16c7d4f319368e1a271b289411b3ae1e420c528ce1ee7c",
"type": "eql",
"version": 4
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"rule_name": "Azure Service Principal Credentials Added",
"sha256": "7219f77cd9848f3f4062404a148267380a546a5464968f4f428716f29cdfdbd4",
"type": "query",
"version": 104
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "96c9e0f79001a3dcbc66f897b1e83dc22f8ae08600ffdcf93245f019d5f13059",
"type": "query",
"version": 210
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container",
"sha256": "841b368a5a82196761403f4ff326d8459a4501d8431b5e1dc3395acd18a3c104",
"type": "eql",
"version": 5
},
"f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
"rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
"sha256": "f45e24f7935b01886852f803af0a671162023bec83923790d3c34370c2f913f1",
"type": "new_terms",
"version": 3
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "a35c35cbe5c561bc2a55870adf6ca6f81a6001256e2ef3dd13a4d394e2dbed3a",
"type": "eql",
"version": 314
},
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
"sha256": "a532a89c0b87d8d326dd30af07959a5f51ed166fa6ad3649d33a3c6f83244105",
"type": "new_terms",
"version": 5
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "4b7054b8e93f511955f986fcb9c0790f8bb47247136d1f413860f8d12bc18b3c",
"type": "eql",
"version": 311
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "b082e34dc5445d9d4563b01d9de2f7d44bad034e4d4ee87eb5094a6f8748b28a",
"type": "query",
"version": 108
},
"f86cd31c-5c7e-4481-99d7-6875a3e31309": {
"rule_name": "Printer User (lp) Shell Execution",
"sha256": "0c78ea160d14b7000a86ab7c9806b3b72fcf62f3a5b1c11da809f266711e06e2",
"type": "eql",
"version": 6
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "978f896c1de693c78158bf929f0f3fd25ad09e99fc1e0276ebaa53e9781e1ddb",
"type": "eql",
"version": 313
},
"f87e6122-ea34-11ee-a417-f661ea17fbce": {
"min_stack_version": "8.16",
"rule_name": "Malicious File - Prevented - Elastic Defend",
"sha256": "73832f7d366d1bc467bd6c2e62319bb426f6a20c40bf11e45cd6b8d2d4481c9d",
"type": "query",
"version": 4
},
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "6d6c29f6c4d74cb4b200b2a08fbf6d6b1f2faf58e2e057a0beb744ecc04c44b7",
"type": "query",
"version": 107
},
"f909075d-afc7-42d7-b399-600b94352fd9": {
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
"sha256": "365068a846f9feb609c7b78a42aa7600e72d3308dd0c4a83e8285247d7a2687b",
"type": "eql",
"version": 104
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "c8febe9de61b30b53213808729444c7bbd5b6a06aba843d8950832c61c11ec46",
"type": "new_terms",
"version": 205
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"rule_name": "Unusual Linux Network Configuration Discovery",
"sha256": "e8d165c269c7428465ad2000b0408d4c755f74f15735d1dd4bcb716ded33abf5",
"type": "machine_learning",
"version": 107
},
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "141bfb7030bbb08d0e760a80ca58530ee3948f9a4ea1b9286f19d4b1561ef7f4",
"type": "eql",
"version": 10
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"rule_name": "Browser Extension Install",
"sha256": "826590a84d9b071c5ec21397f04b4937f65efe10243e39f4c278559bd586ecf8",
"type": "eql",
"version": 204
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"rule_name": "Privileged Account Brute Force",
"sha256": "fd9cb608c0a9828af517dfcdf15ce5c04ea3a4193c748cd9b8ae22b0a587a769",
"type": "eql",
"version": 113
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.15",
"previous": {
"8.14": {
"max_allowable_version": 307,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "fa7f7c30177462dd01a22cc1653006645eec2ec9550c0e05cf9b058786f7fe47",
"type": "query",
"version": 209
}
},
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "500952a580afbbe6390f58f3f0b31699454e0cb7b77461a38bd6e97e96fc0823",
"type": "query",
"version": 411
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "e4fb0a015aa8b65e02295635ca3ac4260ce3020719a2516bc90aaa6ae8a10a88",
"type": "eql",
"version": 315
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "29bdb805f822d6e12dbf157fca185fb0ca8d0fb3e4534b668e5a2907818ac590",
"type": "eql",
"version": 9
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "c77ce42170e490ff1ba4ea8faa76d7ec4d182cc217a3dcf536002aa72522ccd3",
"type": "eql",
"version": 10
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "fe1ebe6319e71072a2d03a4dc28721626704ef8ce2709ab2c3a611fe1f408f6c",
"type": "eql",
"version": 316
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"rule_name": "Potential Disabling of AppArmor",
"sha256": "bb42054256c8efdc34beb46fc6e70910e74d2120c46ff3d72c1368c8da9f12ae",
"type": "eql",
"version": 110
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "bc6183f19ad1f24925c495908e60195dfc34f3dc766fc14f6509ef305b27adca",
"type": "eql",
"version": 106
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Registration Utility",
"sha256": "96d70c929fa6fb5d9cea50c41a975483d087021946d39373018bbd16942899fa",
"type": "eql",
"version": 210
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "f4b56d13ce48941d2efb1d7801030f018576d296074043e78b2560ca17f3f8b7",
"type": "threshold",
"version": 206
},
"fb16f9ef-cb03-4234-adc2-44641f3b71ee": {
"rule_name": "Azure OpenAI Insecure Output Handling",
"sha256": "e58142a8bf546e096bbe8c91f73efb44d1322b1e0f14f51a6b33f10b5d5a22ca",
"type": "esql",
"version": 2
},
"fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": {
"min_stack_version": "8.18",
"rule_name": "Unusual Group Name Accessed by a User",
"sha256": "715017840362b90c4afc02cefbe632e15e6d399776f483595f96935fad0a2d20",
"type": "machine_learning",
"version": 2
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
"type": "query",
"version": 100
},
"fbb10f1e-77cb-42f9-994e-5da17fc3fc15": {
"min_stack_version": "8.18",
"rule_name": "Unusual Source IP for Okta Privileged Operations Detected",
"sha256": "4ec1208b05ec3c1dc1fc85bcec71cad131095d4f37cae134a8fba3f7b2817cf4",
"type": "machine_learning",
"version": 2
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "2bfe0f09fa75c7ec1a04cbc48f009f03b0613c9d3197f8ba8ca079549ac39130",
"type": "query",
"version": 208
},
"fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": {
"rule_name": "Process Started with Executable Stack",
"sha256": "1a83fa4c6a14a474917bcde7203eae0d54d7984b570d2c977434d743c4d3b893",
"type": "query",
"version": 3
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "dcea71ecff59d032273a925076f445c9eb7ed317f1a835955e72c20e47e4e9d7",
"type": "eql",
"version": 311
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "5afd2b4b47f8daf777747d5b54d3f43adeab8ebfc2a601d75add27b50a1ed9d0",
"type": "new_terms",
"version": 205
},
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
"rule_name": "User or Group Creation/Modification",
"sha256": "245c08ce291397722aad60cc96a145e36c9de1dc7bbeb34cd8f024537a60c65f",
"type": "eql",
"version": 5
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"rule_name": "GitHub App Deleted",
"sha256": "3bce82896faacb7aff9e395f0caccc11bbf9d9fe26ccb4e6b342c85282f71ae2",
"type": "eql",
"version": 206
},
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"sha256": "bcef80ce99e0643f140c1de7d1783bc828dcfec98f90defdc502a0748814e98b",
"type": "new_terms",
"version": 4
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
"type": "eql",
"version": 100
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "c6c598691891c47021b15584b386467669892b9e281b280041da2b25bbaab41c",
"type": "eql",
"version": 315
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Suspicious CertUtil Commands",
"sha256": "772055d2718256f4bc19e3cac6e4e64c6088b46cc33c2b5a00130092f9dd6a1e",
"type": "eql",
"version": 314
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
"sha256": "c12de214d8a61bf3934ce116d3def9a9b0fbd4e380cf29ebddc611afaefdb3a1",
"type": "new_terms",
"version": 421
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"rule_name": "Image Loaded with Invalid Signature",
"sha256": "c7dd523ee995702801df4e72a048f9b2b9dad4d22dd7e2d6fcb5f1053e3b9565",
"type": "eql",
"version": 3
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"rule_name": "System Binary Moved or Copied",
"sha256": "7458239562922c07fa5fbe2b57f0a32dca9b7d369e61c7c9f45b07992bed5ef2",
"type": "eql",
"version": 15
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "3b7fcc833ae29993f5bfe461f349a924b0c644144a0b0f95cb70569620d93210",
"type": "query",
"version": 109
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "0c0ad1b4bf53280691b565421d24f30731e7da0b8573ebd7917751d738300334",
"type": "query",
"version": 108
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "8d1e6c74b1ae7a9611c49028b02b99bd23f963bb5bf0821aab7e371e2f41c960",
"type": "eql",
"version": 315
},
"fe8d6507-b543-4bbc-849f-dc0da6db29f6": {
"rule_name": "Spike in host-based traffic",
"sha256": "e0962989a3dbad4777296e03170eeebe7294b77bb30f7d650fca6cd5a0b18530",
"type": "machine_learning",
"version": 2
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "da0ccb019dbc333fae22d23cadf1cceeb29c548ecd554876b8612b15a933cff6",
"type": "eql",
"version": 6
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
"sha256": "d604b333438108e727726a282d13876877fa1093ef87fa798a947dae38992c37",
"type": "eql",
"version": 3
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "b5bef117c3bf90e07665205a5aeb8720b92fd6832d7a0eea06807810b1aacbee",
"type": "eql",
"version": 309
},
"fef62ecf-0260-4b71-848b-a8624b304828": {
"rule_name": "Potential Process Name Stomping with Prctl",
"sha256": "ae175e80b6aaab67de73cce3fa316cf038329133246fbbb8530593296fc53e5b",
"type": "eql",
"version": 3
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "289575012fab7680dceb4a5488997db3ff25490b3e9cc11f4f5c79d4b521073c",
"type": "query",
"version": 106
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"rule_name": "Potential DGA Activity",
"sha256": "c4c19185520ea14036cdc56468c062d97740dd9cdabc439e38952c4734606e89",
"type": "machine_learning",
"version": 7
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"rule_name": "Cron Job Created or Modified",
"sha256": "a78d0a5dc23c4a969c9c6451f59877e6ff8407d12b3c6778908e518e569f718c",
"type": "eql",
"version": 16
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
"sha256": "05b250fcc47ff4c1499f73732e4379f5b86aca4a3ca05cfaba3307e81a4abee2",
"type": "query",
"version": 4
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",
"sha256": "350a799cf5760880128b6ea530377bd17aa0e79d9b14a4a9a06993f70a2215ff",
"type": "eql",
"version": 12
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "06fa97e4725cff7836b459fdebcc3426aa43801813621eb22c18240e107a1c14",
"type": "query",
"version": 208
},
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "c002e7a00a7aca82906cee1a36dcfe457cfa6c5bd2de883b4756e7950a71d916",
"type": "eql",
"version": 203
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "249c67c2eb2e5057e0fc32b5f202a72dcfd125edd060d61622f98fe047847404",
"type": "query",
"version": 106
},
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"min_stack_version": "8.16",
"previous": {
"8.14": {
"max_allowable_version": 106,
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "b3468a2a0f4b606f04c16270c18b6b7d2a77491078aa852a13f671f64b328173",
"type": "eql",
"version": 8
}
},
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "8ecbdf47549e8e6e0505419841a833ab7e99e2fad93086226015e3cddcd843f2",
"type": "eql",
"version": 110
},
"ffa676dc-09b0-11f0-94ba-b66272739ecb": {
"rule_name": "Unusual Network Connection to Suspicious Top Level Domain",
"sha256": "d9e6208c442ead0db826b31365ab398f087b999dc652e9f0f0aa31601109b67a",
"type": "new_terms",
"version": 2
}
}
Reference in New Issue View Git Blame Copy Permalink