sigma-rules/detection_rules/etc/version.lock.json
github-actions[bot] d9890db6ff Lock versions for releases: 8.19,9.1,9.2,9.3 (#5888)
* Locked versions for releases: 8.19,9.1,9.2,9.3

* Update pyproject.toml

---------

Co-authored-by: Mikaayenson <Mikaayenson@users.noreply.github.com>
2026-03-26 12:31:50 -05:00


{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "fcd948028bd42ce890deb31d6aef7d2a5f841d194d024c8a632bd40203c89554",
"type": "query",
"version": 414
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "6a4eb911446aa850681cf14d125f358e8b44319da80c66a5b5495c9978aa3004",
"type": "eql",
"version": 319
},
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"rule_name": "System Shells via Services",
"sha256": "cb3da7e9d3d8be5b8a37e6526d979d878e4f35a4959e471586e3d34af70bdc1a",
"type": "eql",
"version": 419
},
"0049cf71-fe13-4d79-b767-f7519921ffb5": {
"rule_name": "System Binary Path File Permission Modification",
"sha256": "b518c8d687daf21c36ee77a0ddf040b991db8663e026b77cb7d77e29d05f85c3",
"type": "eql",
"version": 6
},
"00546494-5bb0-49d6-9220-5f3b4c12f26a": {
"rule_name": "Uncommon Destination Port Connection by Web Server",
"sha256": "ed35207381806ae6ebc471fc8ddd9c91238868639b006db03dbb1c966adcc472",
"type": "eql",
"version": 4
},
"00678712-b2df-11ed-afe9-f661ea17fbcc": {
"rule_name": "Google Workspace Suspended User Account Renewed",
"sha256": "f18ac0fef8bbe46018b12cbc49078cde5a800a49a288127e4b72f51ac086b3ea",
"type": "query",
"version": 6
},
"0136b315-b566-482f-866c-1d8e2477ba16": {
"rule_name": "Deprecated - M365 Security Compliance User Restricted from Sending Email",
"sha256": "32f3b43818d6f5da6596d482417e82040958499d42ebf0de735791d1372a0ef2",
"type": "query",
"version": 212
},
"015cca13-8832-49ac-a01b-a396114809f6": {
"rule_name": "Deprecated - AWS Redshift Cluster Creation",
"sha256": "f6e7e8c38698de53c1f503b5a483cd61fe060eba93c72f3d9d394148f9fb36ea",
"type": "query",
"version": 210
},
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"rule_name": "Potential Network Scan Detected",
"sha256": "5484efed9ed2e59b10577e3d86ecbe4dca7de9f28a241e509931c2595d8d9f4c",
"type": "esql",
"version": 15
},
"017de1e4-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Memory Threat - Detected - Elastic Defend",
"sha256": "2b1277af9a824d07977a035ae4f6833f19e26f54f8e63a687a92d4333c198416",
"type": "query",
"version": 5
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "0a276cca1f7578e64b5757ea19a2830db4e4fdd87f7ce4bec939fd66a82e067e",
"type": "new_terms",
"version": 207
},
"02137bc2-5cc2-4f7f-a8e4-c52dc239aa69": {
"rule_name": "AppArmor Policy Violation Detected",
"sha256": "88dba2a32e25df07ff1ec197f82476ff39ecf0522f67fee729ea5d919aaf7d62",
"type": "eql",
"version": 1
},
"02275e05-57a1-46ab-a443-7fb444da6b28": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request by Unusual Utilities",
"sha256": "cd854516c52abc224cf16271f439eec724281de54a4aa6f6a7ce1013430393af",
"type": "eql",
"version": 2
},
"022c37cd-5a4f-422b-8227-b136b7a23180": {
"rule_name": "Azure Arc Cluster Credential Access by Identity from Unusual Source",
"sha256": "3193240005005ffe39a4b8d546c9f2ea645ddcb1f574d8bd1aea201712b6baa0",
"type": "new_terms",
"version": 1
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "effdc73f270011dd596efce8ebf1cec1af482896d9c27adf8015357428042c50",
"type": "eql",
"version": 211
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "701256e1dea091dbc7088014923ab37d3d04abfac5128574f4719f4a5819f555",
"type": "new_terms",
"version": 207
},
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
"rule_name": "Process Created with an Elevated Token",
"sha256": "c276363723d8b741ba88a34397b8c1583a2d904e7b15eadff5a03a89e40e51e0",
"type": "eql",
"version": 10
},
"02a4576a-7480-4284-9327-548a806b5e48": {
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "62e97c7d00aad9eb5dba5a59ca2ea7e2ef5f9d11050504af0511e9efd98ac08f",
"type": "eql",
"version": 311
},
"02b4420d-eda2-4529-9e46-4a60eccb7e2d": {
"rule_name": "Spike in Group Privilege Change Events",
"sha256": "8caf70090c5c180faa0955b692debfff1999f7c20aeb1f8aabf07eec4e4ebf09",
"type": "machine_learning",
"version": 4
},
"02bab13d-fb14-4d7c-b6fe-4a28874d37c5": {
"rule_name": "Potential Ransomware Note File Dropped via SMB",
"sha256": "3c0cee1485089d0039569fe729555644745a965f74000c5e30fb73ff1a31a7ae",
"type": "eql",
"version": 6
},
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "27d2f755c29364e32433065a224cd6626f6d8310b9a12d92bc6e3264c52682e4",
"type": "eql",
"version": 110
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"rule_name": "M365 Exchange Email Safe Attachment Rule Disabled",
"sha256": "a3802ec0747674644557b2597c0c55f8fae19a9c2d058fb00938f48e2f11630d",
"type": "query",
"version": 211
},
"03245b25-3849-4052-ab48-72de65a82c35": {
"rule_name": "GitHub Actions Unusual Bot Push to Repository",
"sha256": "140774caf8e4b7021655033023dbfa647c2f8182ea0f44b41319db1b86aa381c",
"type": "new_terms",
"version": 1
},
"035889c4-2686-4583-a7df-67f89c292f2c": {
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "2a22d0f3cf317970be4b88c0a8ccdfe129a55d326c2025d0b931e84121a5ba59",
"type": "threshold",
"version": 216
},
"035a6f21-4092-471d-9cda-9e379f459b1e": {
"rule_name": "Potential Memory Seeking Activity",
"sha256": "17893f9601250048949847c5698b0273035419cc62613c7a4e3cc2e74aaa111d",
"type": "eql",
"version": 6
},
"0369e8a6-0fa7-4e7a-961a-53180a4c966e": {
"rule_name": "Suspicious Dynamic Linker Discovery via od",
"sha256": "969bc5383f6f200cd085a0639173548ff5820d7f75afba0622e631c4eb5ac813",
"type": "eql",
"version": 107
},
"03a514d9-500e-443e-b6a9-72718c548f6c": {
"rule_name": "Deprecated - SSH Process Launched From Inside A Container",
"sha256": "db16c791683827ffea8705d7c3c3a3c8793db69d1e421f594a01616cf7fb7509",
"type": "eql",
"version": 5
},
"03b150d9-9280-4eb8-9906-38cfb6184666": {
"rule_name": "First Time Python Accessed Sensitive Credential Files",
"sha256": "838f2075137a748159619966cd450776c11dffafbdcc30122666d3dc310e90b0",
"type": "new_terms",
"version": 1
},
"03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": {
"rule_name": "Potential Network Scan Executed From Host",
"sha256": "5be26fe7fb4dde7b807a564ff9eeac7a6b17504c9dceefcc79585a26e487de8e",
"type": "threshold",
"version": 7
},
"03d856c2-7f74-4540-a530-e20af5e39789": {
"rule_name": "Multi-Base64 Decoding Attempt from Suspicious Location",
"sha256": "348d1c05b34234300fa1f78f365e55ffce4ef690c71b5b29ad426db5ccec5ab0",
"type": "eql",
"version": 2
},
"0415258b-a7b2-48a6-891a-3367cd9d4d31": {
"rule_name": "First Time AWS CloudFormation Stack Creation",
"sha256": "aa9bbf4e95f9d88307a86039a78988c7fe8e87827e029e593d2bc314f2f56605",
"type": "new_terms",
"version": 6
},
"0415f22a-2336-45fa-ba07-618a5942e22c": {
"rule_name": "Renaming of OpenSSH Binaries",
"sha256": "a2faa9510f754d12856a3c441ec7131acb631c84fb8379d3ecd121af580d35a8",
"type": "query",
"version": 114
},
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
"rule_name": "Deprecated - Potential DNS Tunneling via Iodine",
"sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047",
"type": "query",
"version": 105
},
"0428c618-27f5-4d94-99e6-b254585aba69": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 100,
"rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "6ecf2e6fbea8d375d4737291540983e97ce7ca80ec165d6380a11eab3287782c",
"type": "esql",
"version": 2
}
},
"rule_name": "High Number of Protected Branch Force Pushes by User",
"sha256": "6ecf2e6fbea8d375d4737291540983e97ce7ca80ec165d6380a11eab3287782c",
"type": "esql",
"version": 102
},
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "45bafb4d78532d1c14f39e0ec63bd6e8c82780af7b66030bbfcac222cf82913e",
"type": "eql",
"version": 205
},
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
"rule_name": "Entra ID Global Administrator Role Assigned",
"sha256": "b832dd8ee2fb783cfc93a509c2689f8d13f9eb4b536af7935f64be085e91d258",
"type": "query",
"version": 106
},
"04e65517-16e9-4fc4-b7f1-94dc21ecea0d": {
"rule_name": "User Added to the Admin Group",
"sha256": "fc962dbd88cfb0860ac58c4125afeaaa0668366e0f9d1ad035411aee787a69f6",
"type": "eql",
"version": 4
},
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"rule_name": "Suspicious Microsoft Antimalware Service Execution",
"sha256": "0dae8d0010c9ebf4d51a556663c7a4e0f0b4a9d1780196c19012553a41e2fa5d",
"type": "eql",
"version": 216
},
"054853f3-2ce0-41f3-a6eb-4a4867f39cdc": {
"rule_name": "M365 Defender Alerts Signal",
"sha256": "35c1046191b7ca47e3823cf1bd6d886e46229c2c7a24ddf6d2a71f52b7756723",
"type": "query",
"version": 1
},
"054db96b-fd34-43b3-9af2-587b3bd33964": {
"rule_name": "Systemd-udevd Rule File Creation",
"sha256": "b041eda883625c151da07f6f712fa59b323ed321f5facabe50784b6d214b2835",
"type": "eql",
"version": 12
},
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "0959fd7aaf5bc8255ede40413834dc1ccfa5885a9e516724151852e596d397f4",
"type": "eql",
"version": 217
},
"05a50000-9886-4695-ad33-3f990dc142e2": {
"min_stack_version": "9.3",
"rule_name": "System Path File Creation and Execution Detected via Defend for Containers",
"sha256": "0070de4186b0d66470a7b71b34781036a4107a7cb9e7d7d07ce655d2783238c8",
"type": "eql",
"version": 1
},
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "f4e1f9d6d33fedcd444fbe238ea99dbeb66031172f00bdf4cd900ea91586d6fc",
"type": "eql",
"version": 312
},
"05cad2fb-200c-407f-b472-02ea8c9e5e4a": {
"rule_name": "Tainted Kernel Module Load",
"sha256": "276dd21bd66c3a47606b31db6057e86c2968df89161ab2a5662f9c6a9064e959",
"type": "query",
"version": 8
},
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
"rule_name": "Interactive Terminal Spawned via Perl",
"sha256": "7a0c46e89bdb6cc0aeb28545a624f72dcac23bf7fd53eeb7121b9e521615a66e",
"type": "eql",
"version": 113
},
"05f2b649-dc03-4e9a-8c4e-6762469e8249": {
"rule_name": "Suspicious AWS S3 Connection via Script Interpreter",
"sha256": "98707dba65515504ddccd478b6d990937253b23206d517eec8fb008262a30d53",
"type": "esql",
"version": 2
},
"0635c542-1b96-4335-9b47-126582d2c19a": {
"rule_name": "Remote System Discovery Commands",
"sha256": "d830586c866338070858fc3d79f60a78040bbbbf9694a72accfda57739d022bb",
"type": "eql",
"version": 216
},
"064a2e08-25da-11f0-b1f1-f661ea17fbcd": {
"rule_name": "Entra ID Protection - Risk Detection - Sign-in Risk",
"sha256": "58ce72a27d22c9c620a894c2cf4c6a7e00dc88f3fa626da7483868a1861765da",
"type": "query",
"version": 4
},
"06568a02-af29-4f20-929c-f3af281e41aa": {
"rule_name": "System Time Discovery",
"sha256": "a6862748b17c59d814bdbc083c1cc7d27381aed9732b14f0f1b32474464fd2ef",
"type": "eql",
"version": 113
},
"0678bc9c-b71a-433b-87e6-2f664b6b3131": {
"rule_name": "Unusual Remote File Size",
"sha256": "940b98aed51ecda72eec089172e648832d8c8a6eec2015e92e44bbbd0a52854f",
"type": "machine_learning",
"version": 8
},
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "16e3f15d9751ac5e7a214666d2ab0a3a815ecba1a81eee2d411339acc726759f",
"type": "eql",
"version": 213
},
"06d555e4-c8ce-4d90-90e1-ec7f66df5a6a": {
"rule_name": "Dynamic Linker (ld.so) Creation",
"sha256": "293efcde7679450961742320fa3bb6fd1b7734fb3b358c1f39d7ebc8621dd8f7",
"type": "eql",
"version": 106
},
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "6ca7734eae8382f1a540c93eb25ee68b216e6cafef14039079486562079a8960",
"type": "eql",
"version": 218
},
"06f3a26c-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Memory Threat - Prevented- Elastic Defend",
"sha256": "39ab8efbaba1708840ab6193657a5a186f3a085b6224598c77a08006514293dd",
"type": "query",
"version": 4
},
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "58d2522836e9696867c5013f86c837c3de9c6139334c45f21862af1141102989",
"type": "eql",
"version": 315
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "211d86814c799c776291d2387868439b4ebd6e01c2e243d10d387bab0362ac36",
"type": "eql",
"version": 209
},
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "2a82445079956301b16981f1c33b9a8f5c65ffee6d2ef7b6948e62f24689a072",
"type": "threshold",
"version": 9
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "f1f4e6d8b819fb5e66fde3baab76b5530022b5b45365fa55e5218a19f2fb1902",
"type": "eql",
"version": 318
},
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
"sha256": "efff36dcc67637acab70b8bdc118ef3d48a67a477cc5bff8a765be0b98c69d9c",
"type": "query",
"version": 109
},
"080bc66a-5d56-4d1f-8071-817671716db9": {
"rule_name": "Suspicious Browser Child Process",
"sha256": "c3033b6202ba8d06a3cce953bf5efde4f3292bfd7e4b02fcf073bcb3b4c38c0b",
"type": "eql",
"version": 112
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"rule_name": "Launch Service Creation and Immediate Loading",
"sha256": "a103bf9dea2202ad2c785712eb8d03c825973f10f2c2237c5fc3640b9c519ee4",
"type": "eql",
"version": 111
},
"083383af-b9a4-42b7-a463-29c40efe7797": {
"rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation",
"sha256": "1cab7c406a0a2310ac6081b7332ff99c4f29843587b48401e6b8fcb7f8006d21",
"type": "esql",
"version": 9
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "92729a5db8411c86f55936222a8fdbd7c1634c859d8453339bf3d82144af86cf",
"type": "eql",
"version": 110
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"rule_name": "First Time Seen Removable Device",
"sha256": "4c42eef9c2804f93e9e02bcdfa8e0f36f462f32538c84ce59afcb648b391cb53",
"type": "new_terms",
"version": 212
},
"0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": {
"rule_name": "Node.js Pre or Post-Install Script Execution",
"sha256": "95dfc163dc1bc31c6f67c9956a92031cea559ff27d774bc621436fbce4e3c4be",
"type": "eql",
"version": 3
},
"08933236-b27a-49f6-b04a-a616983f04b9": {
"rule_name": "Alerts From Multiple Integrations by Destination Address",
"sha256": "d6accf93019b97c82298a163af364a097f31b22146454acba734fd8f76d90c6e",
"type": "esql",
"version": 3
},
"089db1af-740d-4d84-9a5b-babd6de143b0": {
"rule_name": "Windows Account or Group Discovery",
"sha256": "d2b0a72d8ef6f07e4647ae018611e94e004d13dbf270da1125381720f769fc59",
"type": "eql",
"version": 7
},
"08be5599-3719-4bbd-8cbc-7e9cff556881": {
"rule_name": "Unusual Source IP for Windows Privileged Operations Detected",
"sha256": "f0c3939a5957cddd4b6387710c93b4c9797c526fdc426a83b3c681d57d67b47b",
"type": "machine_learning",
"version": 3
},
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
"rule_name": "TCP Port 8000 Activity to the Internet",
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
"type": "query",
"version": 100
},
"09073bf4-a8ea-4bce-9fd5-2bb56b4d31f4": {
"rule_name": "Attempt to Clear Logs via Journalctl",
"sha256": "dc61913b2bea0be5a6013cb04da91ce28b84fce2780a58eb7bcb8c1a871ba003",
"type": "eql",
"version": 2
},
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "34aa7a13a75998606560cb32b50285f079aa350b0d28634aec6ce222a47b0985",
"type": "eql",
"version": 112
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"rule_name": "Deprecated - Process Termination followed by Deletion",
"sha256": "b732879b1c2fe0dc643e22be8c9dfc66ffd9b3362f8964d99df43ec8ce295335",
"type": "eql",
"version": 114
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"rule_name": "Member Removed From GitHub Organization",
"sha256": "2ffad86dda9d63530d2b961af027f8ccf552593370bec658c394b6bfbee14ed9",
"type": "eql",
"version": 206
},
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
"type": "eql",
"version": 100
},
"097ef0b8-fb21-4e45-ad89-d81666349c6a": {
"rule_name": "Spike in Special Logon Events",
"sha256": "42bb7ebf26e253f5a13b0f718a37a6de590190e051705ab28122bca64c59bbb5",
"type": "machine_learning",
"version": 3
},
"098bd5cc-fd55-438f-b354-7d6cd9856a08": {
"rule_name": "High Number of Closed Pull Requests by User",
"sha256": "ff907a6ea72cb5c7385c4bd5df56b41d6fe30d15ad9c631e4e85cc03ec5aa94d",
"type": "esql",
"version": 2
},
"09bc6c90-7501-494d-b015-5d988dc3f233": {
"rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory",
"sha256": "c7a49217ed78a7200634360d649716d6ba9e9ee6c138e093d73d3dfc6bef4542",
"type": "eql",
"version": 10
},
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
"rule_name": "Azure VNet Firewall Front Door WAF Policy Deleted",
"sha256": "b355161ce513a7d91cd204faecec0dedc264b18e54ef41c242523cbc6c0af30f",
"type": "query",
"version": 107
},
"0a97b20f-4144-49ea-be32-b540ecc445de": {
"rule_name": "Malware - Detected - Elastic Endgame",
"sha256": "6dec72ce9f7aabecc519652ba7299033d64fbfe4d155e3cbb9fff040f62ecef9",
"type": "query",
"version": 105
},
"0ab319ef-92b8-4c7f-989b-5de93c852e93": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence",
"sha256": "b9f9c2acd032277ca219864f2c819167d986f72f5926874ea56998544a0f85a6",
"type": "query",
"version": 8
},
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"rule_name": "Deprecated - PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "ebd1536f42ca0141a7b6beb2b1e75d981b95992088751d5824b10f54c3797b98",
"type": "query",
"version": 212
},
"0b15bcad-aff1-4250-a5be-5d1b7eb56d07": {
"rule_name": "Yum Package Manager Plugin File Creation",
"sha256": "89ca0e093d48d490f8ef9e04a952b23f45c4763cb50f8b27742fdc91cc20c6ea",
"type": "eql",
"version": 9
},
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"rule_name": "Anomalous Windows Process Creation",
"sha256": "5885c1e445642eebfc9b74d7427c15b9a7c7696141ebc1f2032514b026740cd1",
"type": "machine_learning",
"version": 211
},
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"rule_name": "User account exposed to Kerberoasting",
"sha256": "ecc8972d8837c63f62167cb4b7a5827b1681b456c8e41028f287e9036edc1ed1",
"type": "query",
"version": 219
},
"0b76ad27-c3f3-4769-9e7e-3237137fdf06": {
"rule_name": "Systemd Shell Execution During Boot",
"sha256": "9e0d97a7a8ab3f2db8a8aed2dda95a0c7b8f362c314ba0749004294a61229409",
"type": "eql",
"version": 5
},
"0b79f5c0-2c31-4fea-86cd-e62644278205": {
"rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User",
"sha256": "06ad68bb0d0a78ccb3ee0674ced6bf71d574074395b2ecf56cf37cecd6f529f3",
"type": "eql",
"version": 5
},
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "b6adb62c08f32a47497e1c0133aedae77c417a7f5449d1676df18b4e1792f38b",
"type": "eql",
"version": 112
},
"0b96dfd8-5b8c-4485-9a1c-69ff7839786a": {
"rule_name": "Attempt to Establish VScode Remote Tunnel",
"sha256": "ce86f3f1fdb44fad33878a2c180f3a96be54462661ae37cf787ba39b29c9ec78",
"type": "eql",
"version": 110
},
"0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": {
"rule_name": "Elastic Defend and Network Security Alerts Correlation",
"sha256": "6c598d2eefbd251000e42180ee7d6cf054a1ee4b470d12f784a85bec03c01cb6",
"type": "esql",
"version": 6
},
"0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
"rule_name": "Processes with Trailing Spaces",
"sha256": "eea37dd20530605c66b9747aec38cabb0194bce5bb2991f9b1744136a6c3cf26",
"type": "eql",
"version": 5
},
"0c1e8fda-4f09-451e-bc77-a192b6cbfc32": {
"rule_name": "Potential Hex Payload Execution via Common Utility",
"sha256": "fdf8da563f4c822a873e7d1f66565737110906d8c9e10b2107140aeccb84524e",
"type": "eql",
"version": 106
},
"0c3c80de-08c2-11f0-bd11-f661ea17fbcc": {
"rule_name": "M365 Identity OAuth Illicit Consent Grant by Rare Client and User",
"sha256": "ff0822277c602739fb3c4c5a94325860245526567107723822b394098d3de9b5",
"type": "new_terms",
"version": 6
},
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"rule_name": "Threat Intel IP Address Indicator Match",
"sha256": "de0fce0fbcce6580a6a0af3a9cbd36da077ec0b32571149301aaaf7e6b50bc35",
"type": "threat_match",
"version": 9
},
"0c74cd7e-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Ransomware - Detected - Elastic Defend",
"sha256": "4cd274302356966cd95f09c1100bc8a7ded3746edf7901cc0a36a7d8a85120fb",
"type": "query",
"version": 5
},
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"rule_name": "Peripheral Device Discovery",
"sha256": "d7f8506e81915c1204c05dd7b7969f115103b046e89d6b214aa261cd5cb72929",
"type": "eql",
"version": 314
},
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
"rule_name": "Deprecated - Threat Intel Indicator Match",
"sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a",
"type": "threat_match",
"version": 204
},
"0cbbb5e0-f93a-47fe-ab72-8213366c38f1": {
"rule_name": "High Command Line Entropy Detected for Privileged Commands",
"sha256": "59c263dc1cdfe3855fdd501367d03907ed748e52353b5e059b96f1ee2c5afde3",
"type": "machine_learning",
"version": 3
},
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session",
"sha256": "9d095c731b4c2d46ef473af7f62cb760bc1290a8a9ef4788e231d9ecebfdaecf",
"type": "esql",
"version": 7
},
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
"rule_name": "M365 Exchange Mailbox High-Risk Permission Delegated",
"sha256": "d528dd1ee6d6f0dbfd598d62261c0dcae9ccecf382b0f35ad32fccdb0b5c618e",
"type": "new_terms",
"version": 212
},
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
"rule_name": "Multiple Alerts Involving a User",
"sha256": "f65217585fc96240d13bc4de41e59f92b3ce81627267bebed176d7add7fa5697",
"type": "esql",
"version": 7
},
"0d3d2254-2b4a-11f0-a019-f661ea17fbcc": {
"rule_name": "Entra ID OAuth User Impersonation to Microsoft Graph",
"sha256": "c9414871e97120cfd2ba849f228fcb33c42b7bafea04ef136b692d90f3c5886c",
"type": "esql",
"version": 7
},
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
"rule_name": "Nping Process Activity",
"sha256": "c4bdbe8b150dc0ae69e6b9976ce317d49affb800b6a372b6b57f7aae39e58093",
"type": "eql",
"version": 212
},
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
"rule_name": "Execution of File Written or Modified by Microsoft Office",
"sha256": "c35a544ede6291a5e7cfafd2e811015d5bf703d447b07963ff1e071a644958d4",
"type": "eql",
"version": 113
},
"0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 204,
"rule_name": "AWS Access Token Used from Multiple Addresses",
"sha256": "8fa1e1fae1b9df0dcbf613745f11a37be91a3a4f12fffdfb2683e0d606fdb20b",
"type": "esql",
"version": 105
}
},
"rule_name": "AWS Access Token Used from Multiple Addresses",
"sha256": "25d6b63d8ad4a081ad48d656666160d13bde2d0fac22a33427f2f6cdf5395cc1",
"type": "esql",
"version": 205
},
"0e1af929-42ed-4262-a846-55a7c54e7c84": {
"rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
"sha256": "7aff08d29ead13e4514a8f4d8ec07442b5d0682d2fcfc0107c6f5e7fb64e7567",
"type": "esql",
"version": 4
},
"0e42f920-047d-4568-b961-2a50db6c4713": {
"rule_name": "Potential Persistence via Mandatory User Profile",
"sha256": "5a2113036516752d10ffde2f40f78885d6a13a520f8ed58a99121231a5602e22",
"type": "eql",
"version": 1
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "b2bc93de86a42b4c55877c2a128da76f5f058e48fc9af4396b89dd28a935fea5",
"type": "new_terms",
"version": 207
},
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
"rule_name": "M365 SharePoint Malware File Detected",
"sha256": "14a1af1d926f42ad0025a51954a328ea770e664a871c163227e8597b49329bf3",
"type": "query",
"version": 212
},
"0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
"rule_name": "M365 OneDrive/SharePoint Excessive File Downloads",
"sha256": "b6c8e87bc4292bde1ff1eaa810648c48bab7c0f07e0d8c39bc7b3f714fd32d5f",
"type": "esql",
"version": 7
},
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
"rule_name": "GCP Service Account Key Creation",
"sha256": "13e3ae6b28abf879bb3effd835f64e3514061113d41c183ecea88cfb42499628",
"type": "query",
"version": 107
},
"0e67f4f1-f683-43c0-8d45-c3293cf31e5d": {
"rule_name": "Lateral Movement Alerts from a Newly Observed Source Address",
"sha256": "77726aac9ceb48e0f529980fb81396999b0c6688cf5bab0f232aa63d3a653918",
"type": "esql",
"version": 3
},
"0e79980b-4250-4a50-a509-69294c14e84b": {
"rule_name": "MsBuild Making Network Connections",
"sha256": "8bd791257510714b815ae04669e2f5ed846133f80ab4f376c6541bacd64856b2",
"type": "eql",
"version": 214
},
"0ef5d3eb-67ef-43ab-93b7-305cfa5a21f6": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "Sensitive Audit Policy Sub-Category Disabled",
"sha256": "07263690e8379296f216fcdd9c9c9f5b6b9d4785df9804d973ab13ac573a61c7",
"type": "query",
"version": 6
}
},
"rule_name": "Sensitive Audit Policy Sub-Category Disabled",
"sha256": "fbff6a0aa16505d2d8cb07a9632dbef91e5d416239e7681efd02a5a1ccfc5830",
"type": "esql",
"version": 106
},
"0f4d35e4-925e-4959-ab24-911be207ee6f": {
"rule_name": "rc.local/rc.common File Creation",
"sha256": "2cb9858f77267b218ffde0b05f379d42d3e9892bffe8c5a2558a7747e616dfa5",
"type": "eql",
"version": 119
},
"0f54e947-9ab3-4dff-9e8d-fb42493eaa2f": {
"rule_name": "Polkit Policy Creation",
"sha256": "5bce1633b77528c70b19a239627042b9c5319822749afbec67e1683f8580686b",
"type": "eql",
"version": 106
},
"0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": {
"rule_name": "Netcat Listener Established via rlwrap",
"sha256": "498fd7d5af2db2a9cac662b6334d76045e188a07af85252f9c58e5e3553c5157",
"type": "eql",
"version": 108
},
"0f615fe4-eaa2-11ee-ae33-f661ea17fbce": {
"rule_name": "Behavior - Detected - Elastic Defend",
"sha256": "d8fb41394bccffb0c9806c9a2edcf0cd1eefa2bc71a5d98d020b766f1e9e0c1c",
"type": "query",
"version": 5
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
"type": "query",
"version": 100
},
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "a22ce5b0813ff129839c6ae3330c9cb4a64b73879125342eecbf840e3c1f2c35",
"type": "threshold",
"version": 313
},
"0fb25791-d8d4-42ab-8fc7-4954642de85f": {
"rule_name": "Kubernetes Creation or Modification of Sensitive Role",
"sha256": "d431f464078e8ba6df2d879cf09611ed71bb66449f85d3d04c20acaf59179284",
"type": "esql",
"version": 2
},
"0fb83aa0-3d17-41e9-b09c-56397bf7a7d9": {
"min_stack_version": "9.3",
"rule_name": "Decoded Payload Piped to Interpreter Detected via Defend for Containers",
"sha256": "f743bb12bafa53a42bae5f3eb32c50b072927cb62403e1cbd006537e9dae6e63",
"type": "eql",
"version": 1
},
"0fe2290a-2664-4c9c-8263-b88904f12f0d": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Kubernetes Sensitive Configuration File Activity",
"sha256": "0733fbd77e1dcbbf858340c7c49c0409b1c8d13fcbce786043e46d561f30f8e7",
"type": "eql",
"version": 2
}
},
"rule_name": "Kubernetes Sensitive Configuration File Activity",
"sha256": "7d61d62319c071310d69e8c15bf997fdaaa97c0d900ea9029b54bb02144275aa",
"type": "eql",
"version": 102
},
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "36da4f7c17d19fd33bbe592e8381c3917e11c309d47f43c7909d76b2740eb47b",
"type": "eql",
"version": 110
},
"1004ad5b-6900-4d28-ab5b-472f02e1fdfb": {
"rule_name": "AWS SSM Inventory Reconnaissance by Rare User",
"sha256": "8e7b6e88f72d16369595ba3f6fa07c1940d1a4aee7465ac6f4564e40e0d81cfb",
"type": "new_terms",
"version": 1
},
"10445cf0-0748-11ef-ba75-f661ea17fbcc": {
"rule_name": "AWS IAM Login Profile Added to User",
"sha256": "62236c3efc78d49212ef0d41035637d27a8639dc5eb24125db16fc4b5c5367dd",
"type": "query",
"version": 4
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
"type": "eql",
"version": 100
},
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"rule_name": "WebProxy Settings Modification",
"sha256": "5b102cd6d9e208ef30f244a8b4029b391783c1ec3f3bc24d5830028376bf8fd4",
"type": "eql",
"version": 210
},
"10f3d520-ea35-11ee-a417-f661ea17fbce": {
"rule_name": "Ransomware - Prevented - Elastic Defend",
"sha256": "3d0922a96d70e3acfbd3d41bfb8c15881b2c0754486948513d6e29ced4a004e4",
"type": "query",
"version": 5
},
"11013227-0301-4a8c-b150-4db924484475": {
"rule_name": "Abnormally Large DNS Response",
"sha256": "c564ec0a3d6571899bf9b4573c706d7a88b754f61ae9a3abfee468abfcd88ce6",
"type": "query",
"version": 107
},
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "3e3281f18ce3ea8d213d81c02aa7392e82725b7561db23878c2c8734e0f2f225",
"type": "eql",
"version": 217
},
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "b12993087a23a4196dff52b6d262095861045f58a03883e15e371a3d746f3b44",
"type": "eql",
"version": 315
},
"119c8877-8613-416d-a98a-96b6664ee73a": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "219dd5e932b1758880482e0558051af64fba130f0e282e5da6aec5c00090ba9b",
"type": "query",
"version": 211
},
"119c8877-8613-416d-a98a-96b6664ee73a5": {
"rule_name": "AWS RDS Snapshot Export",
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
"type": "query",
"version": 100
},
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "46c73ea2723d14ad9de10a0e66eef0f2833b48c7be940c0df3a709acb4dc3e7f",
"type": "query",
"version": 118
},
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "064c4ddec156a1b2ea065455a460a17c81974239e07c623f01ea2d4f20bba2d5",
"type": "eql",
"version": 216
},
"12051077-0124-4394-9522-8f4f4db1d674": {
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
"sha256": "3acdb831ecb148e687e802d033deaa6355218c3c02b42df9fb149c159039ac68",
"type": "query",
"version": 211
},
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
"rule_name": "User Discovery via Whoami",
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
"type": "query",
"version": 100
},
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"rule_name": "User Detected with Suspicious Windows Process(es)",
"sha256": "7f2d9e5d94f4c5e73f555b37e6616ecee53130fe84f4f52617e299de2d14f53e",
"type": "machine_learning",
"version": 110
},
"1251b98a-ff45-11ee-89a1-f661ea17fbce": {
"rule_name": "AWS Lambda Function Created or Updated",
"sha256": "1360886265d6aeb35c9b356643d02b243b43284698ffec99bd03641da8d34084",
"type": "query",
"version": 4
},
"125417b8-d3df-479f-8418-12d7e034fee3": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
"type": "query",
"version": 100
},
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"rule_name": "Suspicious Lsass Process Access",
"sha256": "8fc33262811096f6ebaf8b7fad2b6eed5f0b75c788cdac1c3ca035ea465b07ef",
"type": "eql",
"version": 211
},
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
"rule_name": "Kubernetes Suspicious Self-Subject Review via Unusual User Agent",
"sha256": "e0e45a77fb72c89d7d27f6371c8f82d70d1d23bd3d6f1f962526d6e106e52c1b",
"type": "new_terms",
"version": 209
},
"12cbf709-69e8-4055-94f9-24314385c27e": {
"rule_name": "Kubernetes Pod Created With HostNetwork",
"sha256": "2a6679b8ec4feee4091109685833d57445de939c658377f5a6a27773a57cb7f6",
"type": "query",
"version": 209
},
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "505e0b601d7587cbd3f1b7ee9245a75299117258243f44320f661a6adb73c77f",
"type": "eql",
"version": 209
},
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "3158b0d587e1f5c04d72866daa49f755711572ab959d2b9ed59f244d0c20d50f",
"type": "eql",
"version": 319
},
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "9d888cca63e4fd57e41ada2889695309fd3ca6c756c2a2e915512e7462aa586f",
"type": "eql",
"version": 414
},
"135abb91-dcf4-48aa-b81a-5ad036b67c68": {
"rule_name": "Pluggable Authentication Module (PAM) Version Discovery",
"sha256": "d4c5b7180a304ce4c1347d1dd042952513c3376e1c92f4c035026a43f1dcbe26",
"type": "eql",
"version": 106
},
"138520d2-11ff-4288-a80e-a45b36dca4b1": {
"rule_name": "Spike in Group Membership Events",
"sha256": "e2e661163bffdfe10ea5fed8565f15060b3aa280538e6ab7961a0c4d34d930e3",
"type": "machine_learning",
"version": 3
},
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
"rule_name": "Rare User Logon",
"sha256": "dbbfc73fc0478644faa929c86d67c4ce1a7a6af123ba5c96a3c57ba7454db18f",
"type": "machine_learning",
"version": 107
},
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"rule_name": "Potential Ransomware Behavior - Note Files by System",
"sha256": "8204b19646063fea56f0893a743d86c1465aea28c9b920541a3549dc9ebead09",
"type": "esql",
"version": 213
},
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
"rule_name": "SQL Traffic to the Internet",
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
"type": "query",
"version": 100
},
"13e908b9-7bf0-4235-abc9-b5deb500d0ad": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score",
"sha256": "526f288219500704dab7160a26e0af9e6dbb812dcf0e2b12895e0f2412792343",
"type": "eql",
"version": 13
},
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
"rule_name": "Entra ID External Guest User Invited",
"sha256": "abd487e50565029f7b1ec1087e69423836bd8a499b13c5d16adfba6c67015832",
"type": "query",
"version": 107
},
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
"rule_name": "RPC (Remote Procedure Call) from the Internet",
"sha256": "c3e44edb8ffe05292ab119e3e6a439e72576953fd826f11cac889b1df3eea2bf",
"type": "query",
"version": 108
},
"14dab405-5dd9-450c-8106-72951af2391f": {
"rule_name": "Office Test Registry Persistence",
"sha256": "1f2420c1ad0345dcb66852c413a62f765e3499a3c4dbb67f3b14a010ae460a3f",
"type": "eql",
"version": 107
},
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
"rule_name": "Kubernetes User Exec into Pod",
"sha256": "cf1c663833ab749a97c110eb45d0228ed320353b274995fff26ec5b6488b25d8",
"type": "eql",
"version": 210
},
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "233001ab1d4e9b16df6638802a83a9ccf377e3ef2380ef7d548ee980f5dcaee6",
"type": "eql",
"version": 315
},
"14fa0285-fe78-4843-ac8e-f4b481f49da9": {
"rule_name": "Entra ID OAuth Phishing via First-Party Microsoft Application",
"sha256": "f5561c37096b4f71f0b29f3adc5adfe88f2505bcc9814aa9b052b68f7a0cb7f2",
"type": "query",
"version": 6
},
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "a787c8a5d1e30ca3e750ec49ca534e9a496786f700ab8794b3a8449050392808",
"type": "new_terms",
"version": 207
},
"151d8f72-0747-11ef-a0c2-f661ea17fbcc": {
"rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation",
"sha256": "e9f82f46cfea1b7298cf223f305e62b8a734e63548d2f0a51969e2abdd8c5a40",
"type": "eql",
"version": 6
},
"1542fa53-955e-4330-8e4d-b2d812adeb5f": {
"rule_name": "Execution from a Removable Media with Network Connection",
"sha256": "9a4f4276c90368c6a8826ebb5a400f92dcee779b4ecfa447e64fec3a3d6441e7",
"type": "eql",
"version": 6
},
"15606250-449d-46a8-aaff-4043e42aefb9": {
"rule_name": "Suspicious StartupItem Plist Creation",
"sha256": "f63835bd6dbd1ae1525c1f9d9b34983545dcb86f455e65e49d50b96726bcd6c8",
"type": "eql",
"version": 1
},
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "21792bd878e448ec862da9cc5bf6e3b5f64978c7a1e9ad278a91cd0dd908326d",
"type": "eql",
"version": 215
},
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "f3d8e62676ec8a7f2494ca228c62e29e6bc9f3e5d0bf2415ce40916f2e489335",
"type": "eql",
"version": 318
},
"15dacaa0-5b90-466b-acab-63435a59701a": {
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "8989fd255ab499907a77f2db83d4e2da1f9652d1ea9fb30aa192586ee11a4e9d",
"type": "eql",
"version": 112
},
"1600f9e2-5be6-4742-8593-1ba50cd94069": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Kubectl Permission Discovery",
"sha256": "c1da63bbab5facc4c4cb7cc3ec0cfef430b4733d91393d9b58441c092c54e0e5",
"type": "eql",
"version": 4
}
},
"rule_name": "Kubectl Permission Discovery",
"sha256": "6d731657ec8c591dcefb910a3a67801314448feb8ea2db28a604c77d3be33979",
"type": "eql",
"version": 105
},
"160896de-b66f-42cb-8fef-20f53a9006ea": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Potential Container Escape via Modified release_agent File",
"sha256": "4c00679776f9e7ead043ed786b01f9db2e6d2ea968ba62ad170841e5c21c3f3a",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential release_agent Container Escape Detected via Defend for Containers",
"sha256": "95ff258d6ac709d104147fbee7270bf69b23fcd62a49434721b8ac5e3ea07b6b",
"type": "eql",
"version": 103
},
"1615230f-beb7-48d8-9b3f-6d10674703bf": {
"rule_name": "Suspicious SIP Check by macOS Application",
"sha256": "232a4bd93c50355d6ea770cd06a363c1777f939be142b3e759abc4eba094138d",
"type": "eql",
"version": 1
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"rule_name": "Azure Automation Runbook Created or Modified",
"sha256": "ccff816d3b5217865698a800af2ba48cf248e6704d67b488436bd6259be29eba",
"type": "query",
"version": 106
},
"163a8f2f-c8a0-4b7e-9c4a-1184310eb7f3": {
"rule_name": "Potential CVE-2025-32463 Nsswitch File Creation",
"sha256": "7327d13e4308d6dd816e0a5adb7b5d7d2d10242e25063b24ea6c81e06d94b261",
"type": "eql",
"version": 2
},
"166727ab-6768-4e26-b80c-948b228ffc06": {
"rule_name": "Potential Timestomp in Executable Files",
"sha256": "141a26e1964995ca85bbc37b582076f5a4d13eff6f252e85569630fe95aee60f",
"type": "eql",
"version": 110
},
"16904215-2c95-4ac8-bf5c-12354e047192": {
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "0626527bb17e1ca3b9ae1e90bed0f13a81152908cce78d40a11e8cc9d8b709de",
"type": "eql",
"version": 111
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"rule_name": "AWS IAM Group Creation",
"sha256": "0410eb7c7e319a25e36a3370d6a0086693311aa6adeb100e11867aaca931a2c8",
"type": "query",
"version": 211
},
"16a52c14-7883-47af-8745-9357803f0d4c": {
"rule_name": "Component Object Model Hijacking",
"sha256": "437f8b15f0baa696bdadcf1b5d6da3bb8548f56cdf75c8baeb6b1e3562e6e7a2",
"type": "eql",
"version": 119
},
"16acac42-b2f9-4802-9290-d6c30914db6e": {
"rule_name": "AWS S3 Static Site JavaScript File Uploaded",
"sha256": "8097298e41017acbee4a85afe9287a41dabe58a6a8a4e7a30a98fa7d8f13d652",
"type": "esql",
"version": 5
},
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "fe5e13f3787fcc982378ee56140edbaf40dae2433b59f7317df27287c7e6ced4",
"type": "eql",
"version": 214
},
"1719ee47-89b8-4407-9d55-6dff2629dd4c": {
"rule_name": "Persistence via a Windows Installer",
"sha256": "11c0bff91c47efa25c0f5f167b3d977f3ac07a6fb5ff0158d88d3445efe327d9",
"type": "eql",
"version": 5
},
"171a4981-9c1a-4a03-9028-21cff4b27b38": {
"rule_name": "Suspected Lateral Movement from Compromised Host",
"sha256": "48e0f928ed481c3e3c645ecfad961dfa891e8afe2e2b8ae94990745ace5522fb",
"type": "esql",
"version": 4
},
"17261da3-a6d0-463c-aac8-ea1718afcd20": {
"rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
"sha256": "852bbf9498b8b722277364bbd060e191e04de17966cf39f928840e4974f232cc",
"type": "esql",
"version": 6
},
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"rule_name": "Unusual Windows Username",
"sha256": "cf219e480a43620acf15659f951b5ab4c83d86326bc078bf6b2b9e165c3c30bb",
"type": "machine_learning",
"version": 210
},
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"rule_name": "Unusual Windows Service",
"sha256": "cf343116462e929ad9523a65633ab5d29d3e34227fb9f496e44e7321c07f75f0",
"type": "machine_learning",
"version": 209
},
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"rule_name": "Suspicious Powershell Script",
"sha256": "1c4ffadb6be238942250eb70da7b3ef6df530fb7793f6ba3c397dc6c585aa53c",
"type": "machine_learning",
"version": 210
},
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "4f6f47fc1343004d014ac17f50a4ada7c10665feaa2e7d259c490c975a0f98ff",
"type": "machine_learning",
"version": 209
},
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"rule_name": "Unusual Windows Remote User",
"sha256": "90b5af752da98e9b3d570fdf8548369f161dbac4cf139339d72de4bccc30fcbc",
"type": "machine_learning",
"version": 209
},
"178770e0-5c20-4246-b430-e216a2888b23": {
"rule_name": "Spike in User Lifecycle Management Change Events",
"sha256": "9ceb5ec5bf8532d79372332317d958ae4138bcd71f3e24e3f6ee5fe4bb1c3e7f",
"type": "machine_learning",
"version": 4
},
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"rule_name": "Systemd Service Created",
"sha256": "e16f5c2479b4e9bfcd17e1a2b4dc927c71622b135694e9b9797e8acf3cff9230",
"type": "eql",
"version": 19
},
"17b3fcd1-90fb-4f5d-858c-dc1d998fa368": {
"rule_name": "Initramfs Extraction via CPIO",
"sha256": "87ea53b4b70ebf750914ab208825d5c3c7161366d9b24c6267fb095279b01da7",
"type": "eql",
"version": 6
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "afce4b3088aca5a734f64bc68ba2987653003a735afea849b300a51884c0802c",
"type": "eql",
"version": 216
},
"17e68559-b274-4948-ad0b-f8415bb31126": {
"rule_name": "Unusual Network Destination Domain Name",
"sha256": "2f942b288c66f4480066469ad579758c9ff2fe4287501321cfcac506bd4e3288",
"type": "machine_learning",
"version": 108
},
"181f6b23-3799-445e-9589-0018328a9e46": {
"rule_name": "Script Execution via Microsoft HTML Application",
"sha256": "132e35479cdc72c87bced9eb39159645e0dac333bed9e051208ed8838a8863bc",
"type": "eql",
"version": 207
},
"183f3cd2-4cc6-44c0-917c-c5d29ecdcf74": {
"rule_name": "Simple HTTP Web Server Connection",
"sha256": "f6e041665b8400ffbb3efd67855273d1656d8f3ac6b46b71510847394f7733e9",
"type": "eql",
"version": 6
},
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
"rule_name": "GCP Logging Sink Modification",
"sha256": "1d09e6dc623e3a07c2777f44c0be0f4b406a57136bd176f255d6d99ab846bfbd",
"type": "query",
"version": 107
},
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
"type": "eql",
"version": 100
},
"185c782e-f86a-11ee-9d9f-f661ea17fbce": {
"rule_name": "AWS Secrets Manager Rapid Secrets Retrieval",
"sha256": "f6237fa0956bc5b66b294f3ddb4f97f871ca7c1bd1419a1049c8dd7916cad1ec",
"type": "threshold",
"version": 6
},
"18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": {
"rule_name": "Spike in Number of Connections Made to a Destination IP",
"sha256": "5a2fa17a72429e5dca1c71f463c15e999e99ad7897637a4b66a0bfada9540daf",
"type": "machine_learning",
"version": 8
},
"192657ba-ab0e-4901-89a2-911d611eee98": {
"rule_name": "Potential Persistence via File Modification",
"sha256": "0199418e23bdf78a20dd96bd7572555513e8aaa1350c6e48d99cf860a48b9ba9",
"type": "eql",
"version": 10
},
"193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
"rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
"sha256": "f15ed23d38cca46be371b9df5688d56fad4b3de8988e041fc987e6418b647eb1",
"type": "eql",
"version": 9
},
"1955e925-6679-4535-9c1b-28ebf369f35f": {
"rule_name": "Suspicious File Creation via Pkg Install Script",
"sha256": "0a64f7723f488b5a5aaedf74fbc2c5eea7ab8e890d2138f3da1694b5a0fec32a",
"type": "eql",
"version": 1
},
"1965eab8-d17f-4b21-8c48-ad5ff133695d": {
"rule_name": "Kernel Object File Creation",
"sha256": "ba9962370e567452f85b765d9e529539c0332e858e748851ab1a63dbd9815488",
"type": "new_terms",
"version": 5
},
"19be0164-63d2-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS Service Quotas Multi-Region GetServiceQuota Requests",
"sha256": "9025277d05a9b28f25e42b2ca001c86870d137286831af240685932876845347",
"type": "esql",
"version": 7
},
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
"rule_name": "Rare AWS Error Code",
"sha256": "b836fac20b0940bfc3175c371b5a9a9693cc738c58e02cce56b41be1d943bddb",
"type": "machine_learning",
"version": 212
},
"19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
"rule_name": "Spike in Number of Processes in an RDP Session",
"sha256": "83a8f2d7386bddc053bfcb9ed1b462e2c6fee0711d78805f9f432f03029b4bda",
"type": "machine_learning",
"version": 8
},
"19f3674c-f4a1-43bb-a89c-e4c6212275e0": {
"rule_name": "GitHub Exfiltration via High Number of Repository Clones by User",
"sha256": "b293b29ab681ba26a92119332275e4c89a2bc3dd8a598d9f9b0968a5c264d2ad",
"type": "esql",
"version": 2
},
"1a1046f4-9257-11f0-9a42-f661ea17fbce": {
"rule_name": "Azure RBAC Built-In Administrator Roles Assigned",
"sha256": "f8e44c4dc36c0654e1a87dcd4065540ec7f58e7e5474827dc1b175f2f8a28edd",
"type": "query",
"version": 1
},
"1a289854-5b78-49fe-9440-8a8096b1ab50": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Suspicious Network Tool Launched Inside A Container",
"sha256": "b35cf28e6c98f67ce2f60eee9fda257649fbc1f6217dbdf63219e032d521c28a",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Network Tool Launch Detected via Defend for Containers",
"sha256": "8d074f725afa65640f0f03c34a5c5845de08a1a9d4d29c575892c50a57bf380b",
"type": "eql",
"version": 104
},
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
"rule_name": "Entra ID Application Credential Modified",
"sha256": "f5a979a948b890f1d19ff5fd5e8c05378e51ba006eacddde32f49e3f2dc1faea",
"type": "query",
"version": 107
},
"1a3d5b36-b995-4ace-9b85-8a0af429ccf6": {
"rule_name": "Newly Observed High Severity Detection Alert",
"sha256": "29750080e44ba02bb3c10e8a58ca3288e54debe1660f33b1e3d7a40247dcc479",
"type": "esql",
"version": 4
},
"1a3f2a4c-12d0-4b88-961a-2711ee295637": {
"rule_name": "Potential System Tampering via File Modification",
"sha256": "01016fb07b4de034fd77a549366e844c1df0ef74f37599b5e5b3dc0e87a4c168",
"type": "eql",
"version": 3
},
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"rule_name": "Execution of COM object via Xwizard",
"sha256": "0755b62a96de7d1a62ad93b17b76d05e799c2288c120223dc3afbfaece5d8c4c",
"type": "eql",
"version": 317
},
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
"rule_name": "AWS CloudTrail Log Suspended",
"sha256": "00d32e6fa5bbccc98584ca85d490bb3a869cf0f18122627e710ce3c3e0edf137",
"type": "query",
"version": 213
},
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"rule_name": "User Account Creation",
"sha256": "860d01c2bb53d9b7a09a8718626d0909a9e37d78d4f26bad282749d406874f1c",
"type": "eql",
"version": 314
},
"1ac027c2-8c60-4715-af73-927b9c219e20": {
"rule_name": "Windows Server Update Service Spawning Suspicious Processes",
"sha256": "b74e84be6cfe9c1defab5c385b553c14e467b5829d982f21c40c7b3343061ac9",
"type": "eql",
"version": 1
},
"1aefed68-eecd-47cc-9044-4a394b60061d": {
"rule_name": "React2Shell Network Security Alert",
"sha256": "08e985fa35d9303acb5dddf9821bb7615d98d194999ca608123e0952f6ea2989",
"type": "query",
"version": 1
},
"1b0b4818-5655-409b-9c73-341cac4bb73f": {
"rule_name": "Process Created with a Duplicated Token",
"sha256": "2d3d874eed0f3d13992e5dbaec2e6f002a36fb0df39992d174abd1d48f5610c0",
"type": "eql",
"version": 6
},
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
"rule_name": "Connection to Internal Network via Telnet",
"sha256": "a0a40875e83b365491356586b13f47638211dbab5eb725cd74e481088f4abf31",
"type": "eql",
"version": 212
},
"1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d": {
"rule_name": "Remote Management Access Launch After MSI Install",
"sha256": "04339c5baefede30ec62d7622df43d61a7eef47d7e5140c4166a4ef84c05df63",
"type": "eql",
"version": 1
},
"1b65429e-bd92-44c0-aff8-e8065869d860": {
"rule_name": "BPF Program Tampering via bpftool",
"sha256": "e84a699789d0edc48edfecd3b086d0e0b60583a630ef2d5a9fdb8e419271263a",
"type": "eql",
"version": 1
},
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
"rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted",
"sha256": "7bb163ffa02ead7013b9865823123774e06e0f2b67f15bd5f74d2502b70eedb1",
"type": "query",
"version": 210
},
"1bb329a5-2168-4da5-b7b9-d42a51deb6dd": {
"rule_name": "Correlated Alerts on Similar User Identities",
"sha256": "a3ef283129c4f9b2d2ff401a29cf89bafab9d5241edd4760ffc71517c9f865cc",
"type": "esql",
"version": 2
},
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
"rule_name": "Potential Internal Linux SSH Brute Force Detected",
"sha256": "47d4620c23138f802607ae88c1771da89921da694ce270e4830492b18d2eb9bb",
"type": "eql",
"version": 15
},
"1c5a04ae-d034-41bf-b0d8-96439b5cc774": {
"rule_name": "Potential Process Injection from Malicious Document",
"sha256": "ce6e5c0d567af464050071029e7ca367ab9b070855f566cda0626a678b8c95ef",
"type": "eql",
"version": 4
},
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
"rule_name": "Entra ID Illicit Consent Grant via Registered Application",
"sha256": "a8f8c2a897481a4c3d6bba8a3f6c01ec6140dd59c3f96b711b8e5d594f6923aa",
"type": "new_terms",
"version": 219
},
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
"rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence",
"sha256": "cf847fe5e118883f401f0194f9dc8736fb85d9bcbaf36d14d3a4d74b938ed6a8",
"type": "eql",
"version": 120
},
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
"rule_name": "Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created",
"sha256": "cf9b597b001a31d848656557413a3721467ad321627dd60a0845a2a01c54d08c",
"type": "query",
"version": 107
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"rule_name": "New GitHub App Installed",
"sha256": "2a64f127e91b425ba0867b5db45435456582c294290f7aa666e65b682a28afbc",
"type": "eql",
"version": 207
},
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "6acfd449e15d1064ff19e9f8a3ed2f814e77e39a7baa5be696eb049d192e2fe6",
"type": "eql",
"version": 213
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "2e9317401b317d36fee46e10db1c02198eeb2362780b252d333bfa26d2b8b7e7",
"type": "new_terms",
"version": 211
},
"1cfb39e1-4b6c-4dc7-85fe-733e4a1a33ca": {
"rule_name": "Entra ID Domain Federation Configuration Change",
"sha256": "b991e58bb9febec0cf5ed7a76608a9ebc8025adc011b26dfe10a27851c63a867",
"type": "query",
"version": 1
},
"1d0027d4-6717-4a37-bad8-531d8e9fe53f": {
"rule_name": "Potential Hex Payload Execution via Command-Line",
"sha256": "2e108812f7164bba9127e0aa6659bcd9a2c8350f27be5be3a3fd06a9dcbaf48b",
"type": "eql",
"version": 4
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "44d7a6f871c3cef4250b42b0edb9f34272d3a8d90ab59b37b4e58ff12a88c7c1",
"type": "eql",
"version": 214
},
"1d306bf0-7bcf-4acd-83fd-042f5711acc9": {
"rule_name": "Initial Access via File Upload Followed by GET Request",
"sha256": "97574d1e96bef8af267abfb06bc0f7cb8d0586d2437b3b101bee18f491296858",
"type": "eql",
"version": 1
},
"1d485649-c486-4f1d-a99c-8d64795795ad": {
"rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt",
"sha256": "c074d6687b59f8e9a8ddf9fb262efa268ccb014e0e218c7d1f8ee218f6d627eb",
"type": "eql",
"version": 2
},
"1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Profile Creation",
"sha256": "e033fea1b5824fcb4bb6be09775b5afaba93c267fe98719d420ccc5fac613758",
"type": "query",
"version": 7
},
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
"rule_name": "External IP Lookup from Non-Browser Process",
"sha256": "8d05c32f44d67de63080ae2a1b59170a1394351c67170174791519ff480c2348",
"type": "eql",
"version": 110
},
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "38928a45f4c6a0857efc517d37d79a536bc57a05c5e6765aeee651010e704b25",
"type": "query",
"version": 112
},
"1dc56174-5d02-4ca4-af92-e391f096fb21": {
"min_stack_version": "9.3",
"rule_name": "Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers",
"sha256": "40236f57640750a3b31ff46c28be35c721abe771fc5b5775af8eec75337a763e",
"type": "eql",
"version": 1
},
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "1aa8b91518fa800db672ea1885139d417ebbaaee15004144118a44663c79ea1b",
"type": "eql",
"version": 316
},
"1dd99dbf-b98d-4956-876b-f13bc0ce017f": {
"rule_name": "Alerts From Multiple Integrations by User Name",
"sha256": "5b591df265379ba718a43e0d8ae57ae7b2e96d60ea25cc141bb89faa9fffa7bf",
"type": "esql",
"version": 3
},
"1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": {
"rule_name": "Suspicious Inter-Process Communication via Outlook",
"sha256": "390bc042a612982783d6f66639e318555d5edbcbbcd41b6203d0a4c312c2aa05",
"type": "eql",
"version": 11
},
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader",
"sha256": "3caf1dd70a817330534a0dc7cdc46d615214890e6f3d34081977f33977018794",
"type": "eql",
"version": 211
},
"1df1152b-610a-4f48-9d7a-504f6ee5d9da": {
"rule_name": "Potential Linux Hack Tool Launched",
"sha256": "add8f0ecf98bfcdc50001b5a40e7f3f325feb495eb4cf5f976c2561095f6517d",
"type": "eql",
"version": 108
},
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"rule_name": "Deprecated - PowerShell Script with Discovery Capabilities",
"sha256": "bcc5e6231ae54f6a2e5b47919bc03cb87e06ee59f9a0e3419814d466ebafed45",
"type": "query",
"version": 214
},
"1e0b832e-957e-43ae-b319-db82d228c908": {
"rule_name": "Azure Storage Account Key Regenerated",
"sha256": "c7cbda0a1bd62ce7de66a49d9a512d910cd16ab1501fc668c39cdddcc91b5a8e",
"type": "query",
"version": 106
},
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
"rule_name": "Creation of a DNS-Named Record",
"sha256": "6727eeb8359a38b6bd76f7f485a4edc0afb2aba6967a5e19c21724161d1d0395",
"type": "eql",
"version": 107
},
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "4797e35fc4a38dd74999a3a08a192ec1ca5363c6fbbefbe0efd341d55e664036",
"type": "eql",
"version": 108
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "60be0421e1c04fcced83d9e1eb5f6d9d4b817b26e543c09d54442c9ec8354280",
"type": "new_terms",
"version": 207
},
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
"rule_name": "Unusual Sudo Activity",
"sha256": "affa4cbf4b252e4c8041f18f7949ab5c47ea25f683997a7fcfab80690076234c",
"type": "machine_learning",
"version": 107
},
"1eb74889-18c5-4f78-8010-d8aceb7a9ef4": {
"min_stack_version": "9.3",
"rule_name": "Spike in Azure Activity Logs Failed Messages",
"sha256": "9c8b0e80daf7cb337ca4cb7707c9b96e69b175935a5fa7b55707c9270f9a0653",
"type": "machine_learning",
"version": 1
},
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "390a8ddd1ebfe760745876334b3873130a04a7357b53a3c9f1633c02379441a7",
"type": "query",
"version": 116
},
"1f45720e-5ea8-11ef-90d2-f661ea17fbce": {
"rule_name": "AWS Sign-In Console Login with Federated User",
"sha256": "c625e68b89b88e69474d98cf2961b99044f04f96a94fa852d147cfb0244d2ce7",
"type": "query",
"version": 6
},
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "590b9afb0a946a0d20b405f3236763b25916bc1c2865980d1471878bfeb9420a",
"type": "eql",
"version": 107
},
"1fa350e0-0aa2-4055-bf8f-ab8b59233e59": {
"rule_name": "High Number of Egress Network Connections from Unusual Executable",
"sha256": "8987fcc178e2284c1227542322e424b652518be8cab76cb538d54ca2cc90c055",
"type": "esql",
"version": 9
},
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
"rule_name": "Unusual Linux User Calling the Metadata Service",
"sha256": "d4adbf8ea6feea59616adf3ad8302ad326c5860a91a7973921f942b5849c1e0e",
"type": "machine_learning",
"version": 107
},
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "4464c8de4f4905d81bb1c5f492987ef4c8032d9738d50bf6d5b533da1da754a2",
"type": "eql",
"version": 218
},
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
"rule_name": "Exploit - Detected - Elastic Endgame",
"sha256": "7c4db2799c89ee449c815b82891485079d5833e668c3397ab35496c6c65e1c04",
"type": "query",
"version": 105
},
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "7b68836a32e1779b0267875f39a97f5637ee17d6c9b4023e6479dc210b6bf15a",
"type": "eql",
"version": 316
},
"202829f6-0271-4e88-b882-11a655c590d4": {
"rule_name": "Executable Masquerading as Kernel Process",
"sha256": "faff9adbb63f6a41bdd2ff861ff8e99f6c1f4c38e8577828ae719b6599578cdd",
"type": "eql",
"version": 108
},
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "cb97ac512379616b3ee47f87a9d7a7f6cdc27f77c1aeb2207f6fa1bbc5fa06af",
"type": "eql",
"version": 314
},
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
"sha256": "f2be664b86234fbaa51823ced7027a936bf9a98ac1533b209d3aabcfbe69a841",
"type": "query",
"version": 211
},
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"rule_name": "Suspicious Web Browser Sensitive File Access",
"sha256": "969933445a0d95b7684221b4c55a04a981a502c5061dfdacb076bba52fa14b38",
"type": "eql",
"version": 213
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "5268893db28ba2b8355e2703a825d92212770bc7a639a48c747da8fe62a6814c",
"type": "eql",
"version": 206
},
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "591b6b1f70000a85406841ab2da5998d65bbb536ca44563cf9739d26d2467844",
"type": "new_terms",
"version": 216
},
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
"rule_name": "Auditd Max Login Sessions",
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
"type": "query",
"version": 100
},
"210d4430-b371-470e-b879-80b7182aa75e": {
"rule_name": "Mofcomp Activity",
"sha256": "069467922720ae9d5c59123eab480682aba33e1683b603c12a13cc2d16d7de61",
"type": "eql",
"version": 9
},
"2112ecce-cd34-11ef-873f-f661ea17fbcd": {
"rule_name": "AWS SNS Topic Message Publish by Rare User",
"sha256": "9e1527dfa34c8a262625248c7a5788f2e59f32a8c1f26af52aa804ae2eeee552",
"type": "new_terms",
"version": 4
},
"2138bb70-5a5e-42fd-be5e-b38edf6a6777": {
"rule_name": "Potential Reverse Shell via Child",
"sha256": "a0b684e1e7368b195c63cc2c1e61a39406f53d8fbdb8814f02345bec65fbdbb5",
"type": "eql",
"version": 8
},
"214d4e03-90b0-4813-9ab6-672b47158590": {
"rule_name": "New GitHub Personal Access Token (PAT) Added",
"sha256": "db8bef0b0a2eb7f45525fc2a6b93213b5c3dec305f2a77d26d848728f61ad823",
"type": "eql",
"version": 1
},
"21bafdf0-cf17-11ed-bd57-f661ea17fbcc": {
"rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application",
"sha256": "373fbf888323ceb2b501fedff354a2a9bee1a0105ca631e2d18e381ff2e803be",
"type": "new_terms",
"version": 9
},
"21c3536f-b674-43db-9bfc-dcf4cf9dcc37": {
"rule_name": "GitHub Secret Scanning Disabled",
"sha256": "60108ce2bea920d768d05e18030a5a231623180aa8a8f88ec58401d4fd5fae49",
"type": "eql",
"version": 1
},
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "2bbcf7084bfafdedf47eb0145f4de495e556088a7daf3e7d6c0e0d7784c736a8",
"type": "eql",
"version": 111
},
"220d92c6-479d-4a49-9cc0-3a29756dad0c": {
"rule_name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
"sha256": "36e7433b9ac363f3b9eb6a9f77719796db3fdf22e0cef25d0318ab203e4c92ee",
"type": "esql",
"version": 1
},
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
"rule_name": "SSH Authorized Keys File Activity",
"sha256": "09ce90780ee8c5b0abb47761859ddd4909e777651474a0de5937379b4fe1de9d",
"type": "new_terms",
"version": 210
},
"22599847-5d13-48cb-8872-5796fee8692b": {
"rule_name": "SUNBURST Command and Control Activity",
"sha256": "c954a580d6a107f3549d5eb9ba4cc18b263b5cecfb80b52f61371d0561a8a053",
"type": "eql",
"version": 111
},
"227cf26a-88d1-4bcb-bf4c-925e5875abcf": {
"min_stack_version": "9.3",
"rule_name": "Encoded Payload Detected via Defend for Containers",
"sha256": "6a07a74b399cf5346bcf3fb2acdccd01c3489906a3b780afa3a617c278537902",
"type": "eql",
"version": 2
},
"227dc608-e558-43d9-b521-150772250bae": {
"rule_name": "AWS S3 Bucket Configuration Deletion",
"sha256": "188373da495c052baa5f489c9a5e4ce8d8133ede03d4aec038290f45949ebd5a",
"type": "query",
"version": 212
},
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
"rule_name": "Potential Shell via Web Server",
"sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1",
"type": "query",
"version": 105
},
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
"rule_name": "GCP Storage Bucket Permissions Modification",
"sha256": "10057cdacf301c40c25637993cc4b38700c574b3f414544168b5375acb7cf76f",
"type": "query",
"version": 107
},
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
"rule_name": "Kernel Module Load via Built-in Utility",
"sha256": "a06f1985bb2ac22749c86a7b54bbc101a924941d49abfa208f890b470ad6323d",
"type": "eql",
"version": 216
},
"2377946d-0f01-4957-8812-6878985f515d": {
"rule_name": "Deprecated - Remote File Creation on a Sensitive Directory",
"sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4",
"type": "eql",
"version": 2
},
"2388c687-cb2c-4b7b-be8f-6864a2385048": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Potential Kubectl Masquerading via Unexpected Process",
"sha256": "5b3192389352616bc5f12a2b226e1c3c6eab2403648dc902fbaf3666238b8eac",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Kubectl Masquerading via Unexpected Process",
"sha256": "d70c260690f552cfacb02450ed891f4c669046f11b94c24f5f0973a7bb51d56f",
"type": "eql",
"version": 103
},
"23bcd283-2bc0-4db2-81d4-273fc051e5c0": {
"rule_name": "Unknown Execution of Binary with RWX Memory Region",
"sha256": "64d186dce545974e3eefff0ffe0de8acbed12482e69e54ecbb96567916bad861",
"type": "new_terms",
"version": 7
},
"23c53c4c-aa8b-4b07-85c0-fe46a9c8acaf": {
"rule_name": "Potential SAP NetWeaver Exploitation",
"sha256": "1a947a8c0e8b33f904c1ca77617bf8cc6e689ef281f75f7f41e0d5ebe10702c4",
"type": "eql",
"version": 1
},
"23cd4ba2-344e-41bf-bcda-655bea43fdbc": {
"rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "9e411037eb901ed4a4be89ef5b0a5f6d36e45637a15a1ff70afc11937f1244f7",
"type": "eql",
"version": 3
},
"23e5407a-b696-4433-9297-087645f2726c": {
"rule_name": "Potential NTLM Relay Attack against a Computer Account",
"sha256": "49224a1d4f9dd6793aaf01e3e60bbd0e26b0c0efa3fdd05e7a58bac235c0d5f0",
"type": "eql",
"version": 1
},
"23f18264-2d6d-11ef-9413-f661ea17fbce": {
"rule_name": "Potential Okta Brute Force (Device Token Rotation)",
"sha256": "fbd7404391275a1fb3c33e3cb3f065b69b751b4428efb98114c67b17021c2ba9",
"type": "esql",
"version": 210
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"rule_name": "New GitHub Owner Added",
"sha256": "284425d2163342436ce5a9d1e9fdd61c509eb88df35502cba160ef18c8ca5d17",
"type": "eql",
"version": 209
},
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "bd35da091eebd6bb34af785cf1de52b0361a62eb9f8cc40804e0864ed4545115",
"type": "eql",
"version": 312
},
"25368123-b7b8-4344-9fd4-df28051b4c6e": {
"rule_name": "First Time Python Created a LaunchAgent or LaunchDaemon",
"sha256": "c9411c14d3c259f994d78ca45f0e9303aeb82698376b4c9179418ad2875882bb",
"type": "new_terms",
"version": 1
},
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "c0142afe736323db7e77ec68ca8df2377a389d488407ec0a48f004f811012543",
"type": "query",
"version": 109
},
"2572f7e0-7647-4c68-a42b-d3b1973deaae": {
"min_stack_version": "9.3",
"rule_name": "Potential Kubeletctl Execution Detected via Defend for Containers",
"sha256": "c7663a155471fff8ff929fa79611c9b8a5bdb6f45c70f80a2ad6170e9ab67a25",
"type": "eql",
"version": 1
},
"259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": {
"rule_name": "Potential Reverse Shell via Background Process",
"sha256": "87752d0d2674be61e35e91cd109a9bc7c29f88b96135fcdd527bc9b9a3185371",
"type": "eql",
"version": 109
},
"25a4207c-5c05-4680-904c-6e3411b275fa": {
"rule_name": "Multiple Elastic Defend Alerts from a Single Process Tree",
"sha256": "7454d14373817e95309e9422997b9eb330ec75601215a6d4c0eb4b5c0d237ec6",
"type": "esql",
"version": 2
},
"25d917c4-aa3c-4111-974c-286c0312ff95": {
"rule_name": "Network Activity Detected via Kworker",
"sha256": "85c27973460435a413b6d080b9381b7ea5624d36191a071d581a977d752b5ee8",
"type": "new_terms",
"version": 9
},
"25e7fee6-fc25-11ee-ba0f-f661ea17fbce": {
"rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added",
"sha256": "882ff0c3deba5b93ff172e6bb626f39297b8242984e5b7db11bc8ca90e5bcca2",
"type": "query",
"version": 5
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "4e6c45b24b5b94cc4745674e2f05215e98a912f621fdffa24f291fc52a0a1194",
"type": "query",
"version": 210
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "c0c3359887ae31c91a2f36ba8659716838b2b3ea8e601eeb98d253ff3f6b2cb7",
"type": "eql",
"version": 10
},
"263481c8-1e9b-492e-912d-d1760707f810": {
"rule_name": "Potential Computer Account NTLM Relay Activity",
"sha256": "6e3289d45024e4d880f10179b6094e2c94afd47352c36eaa34a002c376a5b034",
"type": "eql",
"version": 109
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"rule_name": "Azure Blob Storage Container Access Level Modified",
"sha256": "0d88306546254e65e4e1beab45579c8ed49a79fbba03f5084bde42ff665193c4",
"type": "query",
"version": 107
},
"264c641e-c202-11ef-993e-f661ea17fbce": {
"rule_name": "AWS EC2 Deprecated AMI Discovery",
"sha256": "db895e7b67949c6c7700164a14589892cc0b07f890bcd76f290663eba89f0a36",
"type": "query",
"version": 7
},
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "716cc35650ba4a9892b5d18a9799bac51553c52d29a9799bd63789601ac6263c",
"type": "eql",
"version": 316
},
"266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": {
"rule_name": "Unusual High Denied Topic Blocks Detected",
"sha256": "f402dc7309dd06392ef91427f1cb93e23a9faae48cc56345bad56494e78803fb",
"type": "esql",
"version": 4
},
"267dace3-a4de-4c94-a7b5-dd6c0f5482e5": {
"rule_name": "Successful SSH Authentication from Unusual SSH Public Key",
"sha256": "61d9e243f182813ab7398db6ff475278201d6d9cf292caab584d2a10e77f3ee7",
"type": "new_terms",
"version": 5
},
"26a726d7-126e-4267-b43d-e9a70bfdee1e": {
"rule_name": "Potential Defense Evasion via Doas",
"sha256": "2a473991dd2c9e0841fda1733aff3038c36a186cada11331d5e0f6841a34d332",
"type": "eql",
"version": 105
},
"26a989d2-010e-4dae-b46b-689d03cc22b3": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request Detected via Defend for Containers",
"sha256": "0f913614bc84eeb793c53a337d82071dc54799ad1f8546f5444f3ab8919fc6d0",
"type": "eql",
"version": 1
},
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
"sha256": "7851f2067a7914e98ceb33a4459b1b3eaae624ac3470df3cddde0f895f395d3d",
"type": "eql",
"version": 11
},
"26edba02-6979-4bce-920a-70b080a7be81": {
"rule_name": "Entra ID High Risk User Sign-in Heuristic",
"sha256": "f1f24452c78281a35fc0521f35bf52cc5613c987d589630ceb5a55d35ffa0a4f",
"type": "query",
"version": 109
},
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"rule_name": "M365 Identity User Brute Force Attempted",
"sha256": "611117d9bf686033e96ae07ecab210040e6ef9f46a896073660c4d23f7fa9635",
"type": "esql",
"version": 416
},
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "f3e07490e13703f24bd9972072c4789312cbf42c4ad361669075995598aba108",
"type": "query",
"version": 212
},
"2724808c-ba5d-48b2-86d2-0002103df753": {
"rule_name": "Attempt to Clear Kernel Ring Buffer",
"sha256": "cc0c2851cb9e2e1facc925729c2f7cca24af0ac04d12a8ebdbe16870cdb540a3",
"type": "eql",
"version": 110
},
"272a6484-2663-46db-a532-ef734bf9a796": {
"rule_name": "M365 Exchange Mail Flow Transport Rule Modified",
"sha256": "3c93957c1e2ee5027e98b637df528737ddc67548e2c42a5e0e5d9f0e7d6dced2",
"type": "query",
"version": 211
},
"27569131-560e-441e-b556-0b9180af3332": {
"rule_name": "Unusual Privilege Type assigned to a User",
"sha256": "579ed4cf157c5823aba1285af6e70c68cb53ea8b58681a305bb4b2fad6f975e3",
"type": "machine_learning",
"version": 3
},
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "0b92fa2b539cd8298139f4fc871d9deaf90e1cfeee5e16fdca9e0246f72e12f3",
"type": "eql",
"version": 214
},
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
"rule_name": "GCP Firewall Rule Modification",
"sha256": "677e4f99e43770464f7c8109f73a9b6de9e59a595226aadb28817b9892ed438b",
"type": "query",
"version": 107
},
"279e272a-91d9-4780-878c-bfcac76e6e31": {
"min_stack_version": "9.3",
"rule_name": "Suspicious Process Execution Detected via Defend for Containers",
"sha256": "c2d5e99aa5d5f7c2d4ec0558b50319e50e78c108addf943b7ccc4232c74d71cc",
"type": "eql",
"version": 2
},
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
"rule_name": "Deprecated - M365 Teams External Access Enabled",
"sha256": "b83875f1dac9ec8962c9e0d434baf51e77c060c9eef0c74cedbd0aced9af4abd",
"type": "query",
"version": 212
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"rule_name": "Account Password Reset Remotely",
"sha256": "ffe585779ed8bc8e90664110fc24c5f82e480fc0b761763450369e714f0ac7b5",
"type": "eql",
"version": 221
},
"283683eb-f2ce-40a5-be16-fa931cb5f504": {
"rule_name": "Newly Observed Palo Alto Network Alert",
"sha256": "55f2451b2b926a62fba0cf39411dbdf9e3ab7b8893f5de6f6f67983d14178ffd",
"type": "esql",
"version": 2
},
"28371aa1-14ed-46cf-ab5b-2fc7d1942278": {
"rule_name": "Potential Widespread Malware Infection Across Multiple Hosts",
"sha256": "4b406b760e32e9a412057481852ee5187afe0ca95f051e000e375a52f6da5f6d",
"type": "esql",
"version": 5
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "33c1f21b8ad943e006b0b8c052cb8e8e00dfc46a3d39b3b1baf2da061b691319",
"type": "eql",
"version": 214
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "ea2ff866a53552d5f6b37d8fb6a24a980d6d123a4b964b5f369a83bf3fb5bbb6",
"type": "query",
"version": 105
},
"28738f9f-7427-4d23-bc69-756708b5f624": {
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67",
"type": "eql",
"version": 8
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
"type": "eql",
"version": 100
},
"288a198e-9b9b-11ef-a0a8-f661ea17fbcd": {
"rule_name": "AWS STS Role Assumption by User",
"sha256": "27c7aa43b06bcdf5a54290f27d411866cfc693c85f82ab73c01872b76435defe",
"type": "new_terms",
"version": 7
},
"28bc620d-b2f7-4132-b372-f77953881d05": {
"rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
"sha256": "d8189e4d4d87c58434d81440d509cddc5f5851df4ba905bf8d3efa83d8030eba",
"type": "eql",
"version": 6
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "c7e7e68e68ded776a6cb26f46fe6f7578514c8482e90a226136274592d1f964f",
"type": "eql",
"version": 110
},
"28eb3afe-131d-48b0-a8fc-9784f3d54f3c": {
"rule_name": "Privilege Escalation via SUID/SGID",
"sha256": "64c610f7502c9c9fe5de3292ae31f7b7d9069333e4670ee1e070608a7f05dae7",
"type": "eql",
"version": 110
},
"28f6f34b-8e16-487a-b5fd-9d22eb903db8": {
"rule_name": "Shell Configuration Creation",
"sha256": "f464d90995d80076ad4ff6a8ef87d3d52a6c4521f1c16c71285d835d37a2002b",
"type": "eql",
"version": 10
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"rule_name": "AWS EC2 Security Group Configuration Change",
"sha256": "3aaa75d486f4ba4c2eb992e5edbd1b9d18d5ba4ab2475b4f71eabe69e2a35fc6",
"type": "query",
"version": 212
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "4bd4408885e9a117457d761703a208973169337ceb574c33f517d95f9b2e4c11",
"type": "eql",
"version": 320
},
"2917d495-59bd-4250-b395-c29409b76086": {
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "190fe19deb24dbdf5cb26c1e6a680c43d3a978174783db1fce8caab8f4eb4344",
"type": "new_terms",
"version": 421
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "0de08935d7b273c2883aff48269919228f3954a001f1b8a630d6c5b6a67de4e2",
"type": "new_terms",
"version": 420
},
"29531d20-0e80-41d4-9ec6-d6b58e4a475c": {
"rule_name": "Alerts in Different ATT&CK Tactics by Host",
"sha256": "89d0958894efc5800bc1c37dbe4e22073f736ad6f2e95ae99a95e83421e0f3b3",
"type": "esql",
"version": 2
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "1537231ffbe3f9f7c4366b5fc908eb9fd04fc332d5810b920c40f450550dc123",
"type": "query",
"version": 208
},
"29ef5686-9b93-433e-91b5-683911094698": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
"sha256": "d91da4e45de36496cea35cbe616336e3d2d5f81928397cd7a1301eb440e154ce",
"type": "new_terms",
"version": 3
},
"29f0cf93-d17c-4b12-b4f3-a433800539fa": {
"rule_name": "Linux SSH X11 Forwarding",
"sha256": "422904218232bf8f3987431c10b2f795fa972b2aef5a52beff47d02665c3e482",
"type": "eql",
"version": 108
},
"2a3f38a8-204e-11f0-9c1f-f661ea17fbcd": {
"rule_name": "Microsoft Graph Request User Impersonation by Unusual Client",
"sha256": "6bc991d4d49a1e97b058050ecf22b39b7f14ca2485a5cb04706ce0e339c32a82",
"type": "new_terms",
"version": 6
},
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "80cb87d47a5427da963fda4a8c8bcb1f2d1b47a4de77893fd97e4970e50596fe",
"type": "eql",
"version": 12
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"rule_name": "Kubernetes Pod Created with a Sensitive hostPath Volume",
"sha256": "e4cccea06a30da3b02e7dbe87de564aa89ade0c37ffd59e8e30bdc6cf4f0c780",
"type": "query",
"version": 209
},
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": {
"rule_name": "ESXI Discovery via Grep",
"sha256": "bc667855081341dfcef940f0322f9eb6be13661698225c444ca64298ef62b31a",
"type": "eql",
"version": 112
},
"2bca4fcd-5228-4472-9071-148903a31057": {
"rule_name": "Unusual Host Name for Windows Privileged Operations Detected",
"sha256": "09d0cf5e77010be2cc43c4031d377ce5839b0314b7c66300b0bbcf1eaef32711",
"type": "machine_learning",
"version": 3
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"rule_name": "Deprecated - Adobe Hijack Persistence",
"sha256": "2fd56ecb1298afd514114cf19c5b066b10912b8f46028af6af05cecf9e549595",
"type": "eql",
"version": 419
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "114f9531c6f7277c8cc743ecf821000f04fab47ce28cde1ea88bfa9ca40f90e2",
"type": "eql",
"version": 317
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "c22b3e1c37ec22f448030cd1e024fefd0147a393609a60363ad325a47039b1e7",
"type": "eql",
"version": 215
},
"2c40dfe2-c13e-48a8-8eff-fb9bfb2a7854": {
"rule_name": "Newly Observed FortiGate Alert",
"sha256": "a03c57f295928b0d76701bfde0f0f24c71f4f0468545519ef16b580061b27cff",
"type": "esql",
"version": 3
},
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
"rule_name": "Potential Foxmail Exploitation",
"sha256": "f9995a1f0a95afb24be29dd71a3ddf5c203bb6c2b32550ca795e94f59e06b674",
"type": "eql",
"version": 206
},
"2c74e26b-dfe3-4644-b62b-d0482f124210": {
"rule_name": "Delegated Managed Service Account Modification by an Unusual User",
"sha256": "4cb49f08cf5c89365a0f424c80e59095940ef6ec6a67224688a28f1c883212b3",
"type": "new_terms",
"version": 3
},
"2d05fefd-40ba-43ae-af0c-3c25e86b54f1": {
"rule_name": "BPF Program or Map Load via bpftool",
"sha256": "ec42dc0d8c393f7e859114d5d0dfea8e76e9a4dee7ee35c4ae48700ea479b355",
"type": "eql",
"version": 1
},
"2d3c27d5-d133-4152-8102-8d051619ec4a": {
"rule_name": "Potential Okta Password Spray (Multi-Source)",
"sha256": "aaafdc1afbc528d12bc055c3b9dca2d9057d8a4c2cc482e31728d931115c0b58",
"type": "esql",
"version": 2
},
"2d58f67c-156e-480a-a6eb-a698fd8197ff": {
"rule_name": "Potential Kerberos Relay Attack against a Computer Account",
"sha256": "f447ca71b251486b3b8cedd1c5d1c3fd8ef2cc2d6d7fff0d4869dbe86bd982df",
"type": "eql",
"version": 1
},
"2d62889e-e758-4c5e-b57e-c735914ee32a": {
"rule_name": "Command and Scripting Interpreter via Windows Scripts",
"sha256": "550e0e7a2940f35a6a904171e569f5a7c7657c5a8bf8ddeea1c12e84c90afacb",
"type": "eql",
"version": 208
},
"2d6f5332-42ea-11f0-b09a-f661ea17fbcd": {
"min_stack_version": "9.1",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected",
"sha256": "09e0db85e9bb2792e16cac43d4386f3e6669fc339ee9f0fd5b9c0766b24390d7",
"type": "esql",
"version": 6
},
"9.0": {
"max_allowable_version": 205,
"rule_name": "Microsoft Entra ID Excessive Account Lockouts Detected",
"sha256": "aaad9534812f266fd81a731fb54499b095a087e856fc3d3ace34585f13135842",
"type": "threshold",
"version": 106
}
},
"rule_name": "Entra ID Excessive Account Lockouts Detected",
"sha256": "e22015b3cd61c71a94b4ee9413e7fd3b109b10fae88dcaf1da276ffa0b846144",
"type": "threshold",
"version": 206
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"rule_name": "Unusual Kernel Module Enumeration",
"sha256": "8c0da309dd6e65f4fa9e9274761b3992b3dddf900cf7115e9408c8d9471ab051",
"type": "new_terms",
"version": 214
},
"2dd0d4fd-0cc9-4d18-8b46-1a507e28bbc0": {
"rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected",
"sha256": "08dc663e2efbf90abf4ead11bcf832d3c646081461d593b9b1ca097c52a8b111",
"type": "esql",
"version": 2
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "fcd23614b99095e148def771cb5dfbe0da249760f4f43c054a3abb6ea13c18ac",
"type": "eql",
"version": 315
},
"2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": {
"rule_name": "Potential THC Tool Downloaded",
"sha256": "b051575b660ddb58230d3dbdd7da457964ad0d6e708995983b29f8e9fc712ff5",
"type": "eql",
"version": 108
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"rule_name": "M365 Identity Unusual SSO Authentication Errors for User",
"sha256": "bf27b5f423aae8f1125e4c60009329db0174ac9d72b6c52104791813da17c14f",
"type": "new_terms",
"version": 213
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "931d384242cb325d15e63af27218a647c2acce98a2c49398df4b115f0ac31854",
"type": "eql",
"version": 214
},
"2e0051cb-51f8-492f-9d90-174e16b5e96b": {
"rule_name": "Potential File Transfer via Curl for Windows",
"sha256": "24a5a79f109f05bf21d2f754c52ffc6b254ada0f09dc5a17a35dc19a34885963",
"type": "eql",
"version": 5
},
"2e08f34c-691c-497e-87de-5d794a1b2a53": {
"min_stack_version": "9.3",
"rule_name": "Unusual GCP Event for a User",
"sha256": "55a21a226a7f4725775a54520604ff27ad80dc2b5fdb23531a58c027ae21a46d",
"type": "machine_learning",
"version": 1
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"rule_name": "Renamed Automation Script Interpreter",
"sha256": "6a560a6ffcbba02c197efbaa1459015a7ee1a9f0dc30546961d0c558b4c86638",
"type": "eql",
"version": 216
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "1182966a50d90ea8aa6e0dcf3bf488fd484f92fed47e6f9f6841ea493d8f235a",
"type": "query",
"version": 217
},
"2e311539-cd88-4a85-a301-04f38795007c": {
"rule_name": "Accessing Outlook Data Files",
"sha256": "91a6e248732a14c80990696a2fd6c4b667418459b6a00227136e0249a419f6bd",
"type": "eql",
"version": 108
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "279b0690d3f64f1daee0a3359ba854a476b3caa9d9bf86d9c005065b74ee0b61",
"type": "esql",
"version": 309
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "8e69b1881bc5d9e9b7cb08a41c64dfbc871b30af555dd21d9af9f47c6da2a3de",
"type": "query",
"version": 105
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "fa987929fc52327c1216c3eb0cdeb12ad53aec394acd16dff1a1e3ade053edb0",
"type": "eql",
"version": 314
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
"type": "query",
"version": 101
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "4118fbde9fb7da5dfde559ee21035f3c10aedd631eb6a5a80afced7314403204",
"type": "query",
"version": 216
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "c5b6abead67063cc3196d089f76977673f487a6b61ccd94b175282fc266b654f",
"type": "eql",
"version": 216
},
"2f95540c-923e-4f57-9dae-de30169c68b9": {
"rule_name": "Suspicious /proc/maps Discovery",
"sha256": "f6b06ba2f41bccdff7861549bc087a2e1fae2ef2c4959ad2911665a2c04a9887",
"type": "eql",
"version": 8
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "ca7ce2c52ed307c8e0dfdc3196ada1ba7743edbe12ba4c4f6a5ee659403fa32b",
"type": "eql",
"version": 112
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "a6bde68683d9c99f460b23f1e21e7f1ab65298609f2036cefc6cad4d24bfdfd4",
"type": "eql",
"version": 217
},
"301571f3-b316-4969-8dd0-7917410030d3": {
"rule_name": "Malicious Remote File Creation",
"sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0",
"type": "eql",
"version": 1
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"rule_name": "GCP Firewall Rule Creation",
"sha256": "373eac2208e12bd5891af7081fd3241bc526ffffeb55efa28a459d5647c124c9",
"type": "query",
"version": 107
},
"30b5bb96-c7db-492c-80e9-1eab00db580b": {
"rule_name": "AWS S3 Object Versioning Suspended",
"sha256": "1337e852010b0bcdf4249080f5ca94c55575a9ce0eb52bed223f32709bbf23ae",
"type": "eql",
"version": 7
},
"30bfddd7-2954-4c9d-bbc6-19a99ca47e23": {
"rule_name": "ESXI Timestomping using Touch Command",
"sha256": "0803b6abb72d53ff4e03e0a82bb6729e4adceebe4e21f5846840b73ad1105a91",
"type": "eql",
"version": 112
},
"30d94e59-e5c7-4828-bc4f-f5809ad1ffe1": {
"rule_name": "Suspicious File Made Executable via Chmod Inside A Container",
"sha256": "997ddf8d6ff0730e4be95a6d5a9d0c12d2d308ab78fae888f52f344063f9e853",
"type": "eql",
"version": 3
},
"30e1e9f2-eb9c-439f-aff6-1e3068e99384": {
"rule_name": "Deprecated - Network Connection via Sudo Binary",
"sha256": "0ccc424fd1a44356e97f8bb93e682d73a8d500ff088b5a4122bc69de9ccbbe9a",
"type": "eql",
"version": 8
},
"30f9d940-7d55-4fff-a8b9-4715d20eb204": {
"rule_name": "Windows Script Execution from Archive",
"sha256": "9aa5c9aced2b2c00f42c467774366d05a2b8edd0dd84dcb6df6ffbac36efbebe",
"type": "eql",
"version": 1
},
"30fbf4db-c502-4e68-a239-2e99af0f70da": {
"rule_name": "AWS STS GetCallerIdentity API Called for the First Time",
"sha256": "d0a538eca3e53a0b766d51bc2e1cfd3c7c34e55419b44ff625875fe71b156609",
"type": "new_terms",
"version": 7
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID",
"sha256": "6b100f429a57364a288437713e9bea4c94889faec043b71341c4c389c7dbb3ac",
"type": "query",
"version": 106
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "a008c8165baa887d0f799ca34dbe16b08a499c28c83ca4cfcaac485bba2d9fb1",
"type": "query",
"version": 105
},
"314557e1-a642-4dbc-af43-321bc04b6618": {
"rule_name": "M365 Security Compliance Admin Signal",
"sha256": "96f0acbb1e0769543a2b94ad428a81031d4f2f99da97acea5bd7a636725b64eb",
"type": "query",
"version": 1
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "15ec1bf4d34174c04c219abeeaf5b0b370bd00a31d1c2b24d99ea9120ffee8f3",
"type": "eql",
"version": 321
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "92ce4a83bef3e49c7d7d4de7aad7116cf2ebb8f4deb88788ee2ef780d7e62b56",
"type": "query",
"version": 107
},
"32144184-7bfa-4541-9c3f-b65f16d24df9": {
"rule_name": "Potential Web Shell ASPX File Creation",
"sha256": "7ba990105bc83c1f1f4f503531aaaafde90450fc0cc781251c267948e03cef91",
"type": "eql",
"version": 2
},
"3216949c-9300-4c53-b57a-221e364c6457": {
"rule_name": "Unusual High Word Policy Blocks Detected",
"sha256": "c065de140770b25338ed259f21b0ba2ceba8fa855f7ea4c6532010e88a4b77e7",
"type": "esql",
"version": 4
},
"32300431-c2d5-432d-8ec8-0e03f9924756": {
"rule_name": "Network Connection from Binary with RWX Memory Region",
"sha256": "eb38f04d808e77835373a09365283aa656dd9cf6ff09ff8359687c1616120657",
"type": "eql",
"version": 8
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"rule_name": "Azure VNet Network Watcher Deleted",
"sha256": "bc8da5072865b63a9bd11c87ff29a7be4cab8bb532de7d07b671c8a43a9c6c65",
"type": "query",
"version": 107
},
"3278313c-d6cd-4d49-aa24-644e1da6623c": {
"rule_name": "Spike in Group Application Assignment Change Events",
"sha256": "d5a88c5d3cd16e0906a590a49c7ef668ec5f349624dbd24d53e48b0e0928742e",
"type": "machine_learning",
"version": 4
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "52eace0c1aa59cca6016fb9f15f526f1609d7dc2b94b05825d6f7a9b7a34ec3f",
"type": "query",
"version": 107
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"rule_name": "Program Files Directory Masquerading",
"sha256": "426407f9d70d47d2798e31bf2fdd499117b8ae0bf6d2144f2543c4ea62d02391",
"type": "eql",
"version": 319
},
"32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": {
"rule_name": "M365 Identity Login from Atypical Travel Location",
"sha256": "30d151c70b48bcb9403acaac9fdbeefd66a5c29ccbe15d9ce278cc5cb6d15068",
"type": "new_terms",
"version": 8
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "835cae7a4d3ce95fad31a8965f6443101566d4d85e7e1013fa1d8788fd80ffd0",
"type": "eql",
"version": 419
},
"32f95776-6498-4f3c-a90c-d4f6083e3901": {
"min_stack_version": "9.1",
"rule_name": "Potential Masquerading as Svchost",
"sha256": "4f6ac75ddc2b31218e382f6dbfe04ffc27077d66ebf97c24740e7c9d12cb028d",
"type": "esql",
"version": 3
},
"3302835b-0049-4004-a325-660b1fba1f67": {
"rule_name": "Directory Creation in /bin directory",
"sha256": "e3735feb30f32effe12806ccdc1a553515976ed4186f7ce45c814752fae1fc63",
"type": "eql",
"version": 106
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"rule_name": "AWS IAM User Addition to Group",
"sha256": "20c47ad4fd1ebfa6af30670a5f1c8320fdbbb069b2af8f3184de6556eed50a90",
"type": "query",
"version": 213
},
"33a6752b-da5e-45f8-b13a-5f094c09522f": {
"rule_name": "ESXI Discovery via Find",
"sha256": "def030dc671ced61e475a8544d8b4124320a6d97819fe54fbef13913246ebd45",
"type": "eql",
"version": 112
},
"33c27b4e-8ec6-406f-b8e5-345dc024aa97": {
"rule_name": "Kubernetes Events Deleted",
"sha256": "3740512a442422b4a21266e212c408167b5097c243274be72642c1bff27a04a0",
"type": "eql",
"version": 2
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"rule_name": "Remote File Download via PowerShell",
"sha256": "3503b23c3c18c821b2fe161a47d818e80df0be7b955e0702f34dae35cebbd1ab",
"type": "eql",
"version": 115
},
"33ff31e9-3872-4944-8394-81dae76c12d9": {
"min_stack_version": "9.3",
"rule_name": "Potential Cluster Enumeration via jq Detected via Defend for Containers",
"sha256": "01dc99277408753626228faea19f9692f74986b27893fa10d56ec72f7f599cba",
"type": "eql",
"version": 1
},
"341c6e18-9ef1-437e-bf18-b513f3ae2130": {
"rule_name": "Potential Privilege Escalation via SUID/SGID Proxy Execution",
"sha256": "d535abad52b8d6adb581e3d93e127daceb495d7d568e7909e07888cff673237b",
"type": "eql",
"version": 2
},
"342f834b-21a6-41bf-878c-87d116eba3ee": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container",
"sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6",
"type": "eql",
"version": 3
}
},
"rule_name": "Dynamic Linker Modification Detected via Defend for Containers",
"sha256": "162dc3fe83095dff7ae84bbb1a7b8a20fed852e1e2c06a1944bb5b36e65de8fd",
"type": "eql",
"version": 103
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"rule_name": "GitHub Repository Deleted",
"sha256": "5b506ed4d8840b778d0b592753b40d79a8dd07c7bae0cf37aa6fd2b10f8933c6",
"type": "eql",
"version": 206
},
"349276c0-5fcf-11ef-b1a9-f661ea17fbce": {
"rule_name": "AWS CLI Command with Custom Endpoint URL",
"sha256": "d57bc63901b5b57de73fd7d0f786fb7815d8dae601a9cf7297eeb7473de8e7b1",
"type": "new_terms",
"version": 6
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "a63dcd3cac0e13109997f588b8687ad8378e29f22ac15957240b8814d579bc3d",
"type": "query",
"version": 111
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "4ebbd5cfc55a9e5f65b0b34f53162cc5ffe1409cfc36197862c2df1b74591fd0",
"type": "eql",
"version": 110
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"rule_name": "Port Forwarding Rule Addition",
"sha256": "1cfa7770bfca864df1b18fd84d7c054c4f56be21ec171828d78e7b892f66e45d",
"type": "eql",
"version": 416
},
"35a3b253-eea8-46f0-abd3-68bdd47e6e3d": {
"rule_name": "Spike in Bytes Sent to an External Device",
"sha256": "7561c0ed3d1c144a972a8eaa915a539f587e6ef68023c251fa8487c2ffd986ac",
"type": "machine_learning",
"version": 7
},
"35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": {
"rule_name": "Entra ID Sign-in Brute Force Attempted (Microsoft 365)",
"sha256": "6b40afd8ad082d50127a6763205ef715f82e974cdb98e2f2a763d45e4350c00e",
"type": "esql",
"version": 109
},
"35c029c3-090e-4a25-b613-0b8099970fc1": {
"rule_name": "File System Debugger Launched Inside a Container",
"sha256": "3127e57c1a692231a31a20d783e45dd5372621d16e598bf3c8917ebcee63c693",
"type": "eql",
"version": 2
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "dbd205d0455f5c80c9c6ef5c0bc88b7a2028098a9aefde11c54d3b8b9f3fbcca",
"type": "eql",
"version": 319
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "2076f8bac484f53cb646463676897a5173dc94e42712835dcbc45c9f571f6a56",
"type": "machine_learning",
"version": 108
},
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
"type": "eql",
"version": 100
},
"36188365-f88f-4f70-8c1d-0b9554186b9c": {
"rule_name": "M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs",
"sha256": "e1655d0157c9924353f67254db15e5e91b0f8fded8ecd95c781ab50945f70db6",
"type": "esql",
"version": 6
},
"36755b43-a1f9-4f2c-9b61-6b240dd0e164": {
"rule_name": "Executable File Download via Wget",
"sha256": "71221bb9da8496eb982f703abdfa41780325a6d81b484361e1c41ae00352f8bf",
"type": "eql",
"version": 1
},
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "6165a31cec72ee460cd8e53b67fe0da967b0f32bbe123f7ad1243b90483dcb9d",
"type": "eql",
"version": 114
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "8490f06845e72c6453d237d605f6cf7d0ad70db3477dc1eae14b87f8fb9dc42c",
"type": "eql",
"version": 313
},
"36c48a0c-c63a-4cbc-aee1-8cac87db31a9": {
"rule_name": "High Mean of Process Arguments in an RDP Session",
"sha256": "0dd412be9597895aea816ce7c5b554a930386c831c7359dbc53124227be95134",
"type": "machine_learning",
"version": 8
},
"37148ae6-c6ec-4fe4-88b1-02f40aed93a9": {
"rule_name": "Command Obfuscation via Unicode Modifier Letters",
"sha256": "75a776871e76a8928fc6bd78caedc961f3637f619f15c66d9411d266f6b68acf",
"type": "eql",
"version": 1
},
"3728c08d-9b70-456b-b6b8-007c7d246128": {
"rule_name": "Potential Suspicious File Edit",
"sha256": "d63517c8906dad8af61b5965cf2b74af9be8714918eee953fe5fff9f31607e92",
"type": "eql",
"version": 109
},
"375132c6-25d5-11f0-8745-f661ea17fbcd": {
"rule_name": "Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)",
"sha256": "c4a01e355bab3704b716b1f4c8ea76c08cce8953cde36d3c884f22a0a30752b8",
"type": "esql",
"version": 6
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"rule_name": "Deprecated - AWS RDS Security Group Creation",
"sha256": "c9f89048a7e0698840505d8e2efd51acbecd8bb0b26cd134a6653247dba5faa1",
"type": "query",
"version": 210
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"rule_name": "Entra ID High Risk Sign-in",
"sha256": "0edcf9d044d9b5fb5c991aed926c5901b8a69ace3a70f40cf1d8e9ae506550cd",
"type": "query",
"version": 110
},
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
"rule_name": "Anomalous Kernel Module Activity",
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
"type": "machine_learning",
"version": 100
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"rule_name": "AWS SSM `SendCommand` Execution by Rare User",
"sha256": "875a515147c0850d9b1d30b2c70e06da3654d604253413fa960d81ba9df5f424",
"type": "new_terms",
"version": 215
},
"37cb6756-8892-4af3-a6bd-ddc56db0069d": {
"rule_name": "Disabling Lsa Protection via Registry Modification",
"sha256": "93f61a20155835d2e47aec16e3e4fa2a50686f2a8cb46cbe10473a471e1b4906",
"type": "eql",
"version": 4
},
"37cca4d4-92ab-4a33-a4f8-44a7a380ccda": {
"rule_name": "Spike in User Account Management Events",
"sha256": "bd6a9507ccb771be5c4d84d5289168f672b66e36e548c57fb2b4c8c99b6fc847",
"type": "machine_learning",
"version": 3
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "b96238524f55ee991b4d048d01069616a1e1cd0bf41dd07a5f82e5c52387cb95",
"type": "eql",
"version": 211
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "be1bd9b556ac557afbe8f745f307835a1dc26a7d90561ccfae0c1e6c05c8e6cd",
"type": "query",
"version": 414
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"rule_name": "Network Connection via Certutil",
"sha256": "fe0ac836d1b43d51e68aa54e4ef57826d67680dcf11888e6e66fc7b46063fe1d",
"type": "eql",
"version": 218
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"rule_name": "Prompt for Credentials with Osascript",
"sha256": "b5759121d56608be8b41755b2685e9332b61fa9b5220e13d1ad7ede9144752a3",
"type": "eql",
"version": 214
},
"3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": {
"rule_name": "M365 Identity Login from Impossible Travel Location",
"sha256": "052a0f257369554fcb13f156ac2746ee3f5f386df4e4bce25b278a8427e3865f",
"type": "threshold",
"version": 8
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"rule_name": "Entra ID User Added as Service Principal Owner",
"sha256": "400d8ceb1496cc07897f0c6f55ef9a74fa419908b1fae46ca7df95a9683d90cd",
"type": "query",
"version": 107
},
"38f384e0-aef8-11ed-9a38-f661ea17fbcc": {
"rule_name": "External User Added to Google Workspace Group",
"sha256": "0489e57457017d44cad2f7c958d916daa747b2818dde332ed7113b56f323f582",
"type": "eql",
"version": 5
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "bb7db3c3467098559484d1c9aeacc4c48a8e103859dfd04ea38ef1ba7bef6b3d",
"type": "query",
"version": 211
},
"39157d52-4035-44a8-9d1a-6f8c5f580a07": {
"rule_name": "Downloaded Shortcut Files",
"sha256": "ded93faac0894e933d7149edc58d04b9fc25d90319023229ca2ac82a295aab13",
"type": "eql",
"version": 6
},
"393ef120-63d1-11ef-8e38-f661ea17fbce": {
"rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
"sha256": "a2ae354dd666a1ae571d0b286934c5d03358e88ab0e6ed648b6e49e82281940a",
"type": "esql",
"version": 7
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "faeda0ecc334d9a83831ab6154315aeb7c2686fd6f4cd6f8244eefe72f46dd30",
"type": "eql",
"version": 311
},
"39c06367-b700-4380-848a-cab06e7afede": {
"rule_name": "Systemd Generator Created",
"sha256": "35a5819442db79680deb67568da0eda6a93fda85b19ff93a21b2e6a45bbc73fc",
"type": "eql",
"version": 7
},
"3a01e5c6-ce01-46d7-ac9f-52dc349695fb": {
"rule_name": "Kubernetes Anonymous User Create/Update/Patch Pods Request",
"sha256": "befed322a39aa806451d32ff48e001b234b58ed1b1ce44bacc40e509e8f51a21",
"type": "eql",
"version": 1
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "a48541ec5ea28eba5a75f325730d4f1b8492343efbdee7039f65b368fd650367",
"type": "eql",
"version": 314
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "e71a8895b84bf69f2ef7b6d3e9eafc406daeda7066b2dd7b15f74627bead842c",
"type": "eql",
"version": 12
},
"3a657da0-1df2-11ef-a327-f661ea17fbcc": {
"rule_name": "Rapid7 Threat Command CVEs Correlation",
"sha256": "578f758b47b1aead0b38e093c09d6cf0b68b2f4f3b8412cb9e7a7aec89f7c7c9",
"type": "threat_match",
"version": 107
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
"type": "query",
"version": 100
},
"3aaf37f3-05a1-40a5-bb6e-e380c4f92c52": {
"rule_name": "WDAC Policy File by an Unusual Process",
"sha256": "2f64969093014bc671fc8724aeb9018b2690f30500934734c6a4a0b25bc995f3",
"type": "eql",
"version": 4
},
"3ad362a9-40cb-4536-8f8b-6a8b5cc24d3c": {
"rule_name": "External IP Address Discovery via Curl",
"sha256": "8b76cd9c1817c00cade7709946be584ee7ae14b634434ca378634e3d717e5172",
"type": "eql",
"version": 1
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "b2370cf022a97844dc68bdabfcf7602ace007aad1da28145f9832a3f8104bcc9",
"type": "query",
"version": 109
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"rule_name": "Azure VNet Full Network Packet Capture Enabled",
"sha256": "b9dcfb3ae17a8961aa5f86049d0b5eeac6f55adae6be1a5f3319a650a193fbca",
"type": "query",
"version": 108
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "9b60a36c69eb59819eabf8baff81ce0f4d7f7c8663d59efc062d57990122d231",
"type": "new_terms",
"version": 207
},
"3aff6ab1-18bd-427e-9d4c-c5732110c261": {
"rule_name": "Suspicious Kernel Feature Activity",
"sha256": "6f7601969f40ce64db3593969b2b45b39d87e16a2367fcd69bf04a55cb2514a9",
"type": "eql",
"version": 4
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "e1d1e24c41ffc15f2af27ca5bffcae7132edad1fef3f0ae1b8f21d8428eedda5",
"type": "query",
"version": 105
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "440c3ea8936f58e36bcf475f0e64f03e4fd2a222675ac584b203256450b3b70e",
"type": "eql",
"version": 416
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "aa63bdc2a7538eec3f979380907645702455792bf47303a3d54536b535759cbb",
"type": "eql",
"version": 319
},
"3c216ace-2633-4911-9aac-b61d4dc320e8": {
"rule_name": "SSH Authorized Keys File Deletion",
"sha256": "58c96f189661675599648c6b056b6f6af4c7b7456acb19e526f4605819800e45",
"type": "eql",
"version": 5
},
"3c3f65b8-e8b4-11ef-9511-f661ea17fbce": {
"rule_name": "AWS SNS Topic Created by Rare User",
"sha256": "52b8cb5230887893f47fd0d99335171ba317de2e290a59aa35ff58ae5f6f071a",
"type": "new_terms",
"version": 5
},
"3c59d2e1-8ca1-4f13-b2ac-f4bb99ff69d7": {
"rule_name": "AWS GuardDuty Member Account Manipulation",
"sha256": "40c120e7720460b12e7dec873f00ddc222dc36f6deb8859a453ba1c04ffadc38",
"type": "query",
"version": 1
},
"3c6685eb-9eaa-43a4-be1b-a7f9f1f5e63d": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Potential Impersonation Attempt via Kubectl",
"sha256": "dc9f92addd41a67185697f22d88c67575a47eac0b95a555df193cccb4ce93367",
"type": "eql",
"version": 2
}
},
"rule_name": "Potential Impersonation Attempt via Kubectl",
"sha256": "bdaa5069decd53d75ef631a5ca01e4278a643b1b8d2943d67de98646b9816fc7",
"type": "eql",
"version": 103
},
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
"rule_name": "Unusual Linux Network Port Activity",
"sha256": "90959aa7c932be6c768d07a768fca0c68d5723a9ef7996a75caa8f0bf3d55716",
"type": "machine_learning",
"version": 108
},
"3c82bf84-5941-495b-ac41-0302f28e1a90": {
"rule_name": "Kubernetes Sensitive RBAC Change Followed by Workload Modification",
"sha256": "18fe84303cd10390a63bedefefe74d000e354fbf6b6e498762afdfe1def7c97d",
"type": "eql",
"version": 1
},
"3c9f7901-01d8-465d-8dc0-5d46671035fa": {
"rule_name": "Kernel Seeking Activity",
"sha256": "7e139f90c3e517c0e4d321c2e1f8c85980072158ef2c577fc65ca7091b81ab0f",
"type": "eql",
"version": 6
},
"3ca81a95-d5af-4b77-b0ad-b02bc746f640": {
"rule_name": "Unusual Pkexec Execution",
"sha256": "3e999931a2319e491b908b53254937c3e4896d529f025cc8ee67faa129ecdeee",
"type": "new_terms",
"version": 106
},
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "8f2ca239d2218e6e52e1d647acc0e7c03554c548b312f30435e3bd5f3d1c6e84",
"type": "eql",
"version": 208
},
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "c659f3531861796f257f84b285c8bc268159860e17ada2092b5ddb0004cc8f68",
"type": "query",
"version": 211
},
"3db029b3-fbb7-4697-ad07-33cbfd5bd080": {
"rule_name": "Entra ID OAuth Device Code Flow with Concurrent Sign-ins",
"sha256": "d3dc62e69239981e53542dd69d147adb8924ff76106d1ccb90d05c4862c3f03e",
"type": "esql",
"version": 4
},
"3dc4e312-346b-4a10-b05f-450e1eeab91c": {
"min_stack_version": "9.3",
"rule_name": "LLM-Based Compromised User Triage by User",
"sha256": "f7d7a3d2b3fa34c89c46ec93946265b367223bda8341a57198fb272f8bd91505",
"type": "esql",
"version": 3
},
"3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
"rule_name": "AWS SNS Rare Protocol Subscription by User",
"sha256": "09b1c205b24ec1820aa83763ee862d5e56b7d41bba93c7a655d266acb214106a",
"type": "new_terms",
"version": 8
},
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
"rule_name": "AWS CloudTrail Log Updated",
"sha256": "426691651da55a13486adb2edaeb92be4fc3e76aa6173bcc31152e8ef79bffcb",
"type": "query",
"version": 213
},
"3e0561b5-3fac-4461-84cc-19163b9aaa61": {
"rule_name": "Spike in Number of Connections Made from a Source IP",
"sha256": "7a39f70bd50840452642735a3e67da404e3d64e454887950151ab398e3c8fb76",
"type": "machine_learning",
"version": 8
},
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "ad39e0da9f1528903f7b948f8722a764d84af29138f38e7e451b2b69d31dda52",
"type": "eql",
"version": 210
},
"3e12a439-d002-4944-bc42-171c0dcb9b96": {
"rule_name": "Kernel Driver Load",
"sha256": "1cfc003150210222cb170a89f51cbb0bee81d70c92b6c8e2693294d342150c76",
"type": "eql",
"version": 7
},
"3e3d15c6-1509-479a-b125-21718372157e": {
"rule_name": "Suspicious Emond Child Process",
"sha256": "4fa0ac66cb92ef74e5a36e307cba5dfe26c171ba3a6bd0eb01fc3749398e7eb4",
"type": "eql",
"version": 112
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"rule_name": "Potential Remote File Execution via MSIEXEC",
"sha256": "cb3453ce4f1b900e13227ac8b2a43f98f7f8ec2fadf350c28db58c5506bf5858",
"type": "eql",
"version": 6
},
"3e528511-7316-4a6e-83da-61b5f1c07fd4": {
"rule_name": "Remote File Creation in World Writeable Directory",
"sha256": "0cb04efb6341ee2e9701dfb0c64bc7685bbe040b6e31d895935fe01ef04be3ab",
"type": "new_terms",
"version": 6
},
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "fa87191c3cf871683d788f6c4d5cc2edb041153f3a910a86bb2f52dd63f9bf30",
"type": "eql",
"version": 316
},
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "c0abb71eca9e028ab82101da58ff61404406b4478f3dc27ff4585f8a484b1bc9",
"type": "eql",
"version": 310
},
"3ee526ce-1f26-45dd-9358-c23100d1121f": {
"rule_name": "Linux Audio Recording Activity Detected",
"sha256": "25b189c8cc3cec6eaf6f44babd229e8590b233434678bbfcdacb28cdd93364f5",
"type": "new_terms",
"version": 2
},
"3efee4f0-182a-40a8-a835-102c68a4175d": {
"rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts",
"sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f",
"type": "threshold",
"version": 208
},
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
"rule_name": "CyberArk Privileged Access Security Error",
"sha256": "3eb94d24ef340393e84bcccc412d51e707667d2b28aaa9d880f3fffa449e518f",
"type": "query",
"version": 105
},
"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": {
"rule_name": "Potential Protocol Tunneling via Chisel Client",
"sha256": "0e79bd66f39ffccf0dd308f5d8eb9210be82176aaaf589daeeb7bb7d3d946777",
"type": "eql",
"version": 11
},
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
"rule_name": "Binary Executed from Shared Memory Directory",
"sha256": "21b51af36a810d45a807a867f60a4f93c19598bed97497ed7ba1dfd3231d2407",
"type": "eql",
"version": 115
},
"3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e": {
"rule_name": "Potential Data Exfiltration via Rclone",
"sha256": "2e3ecddf559e0628c0c0383712aba5abcadf55bcb864c269701b5f12f98a8f06",
"type": "eql",
"version": 1
},
"3f4d7734-2151-4481-b394-09d7c6c91f75": {
"rule_name": "Process Discovery via Built-In Applications",
"sha256": "69d7a45361fa360c7008395ce81012bd3497330d2b62c25ebfd1913cbd58a87b",
"type": "new_terms",
"version": 7
},
"3f4e2dba-828a-452a-af35-fe29c5e78969": {
"rule_name": "Unusual Time or Day for an RDP Session",
"sha256": "2a301f3d0e21bf2994bfb6f0dc94ceb8bd4a934687f3a98227e7c367528996dd",
"type": "machine_learning",
"version": 8
},
"3f7bd5ac-9711-44b4-82c1-fa246d829f15": {
"rule_name": "Command Execution via ForFiles",
"sha256": "255a17c6998bc460aa1ef70e094bfa64b27c0bfb7530291b23749c3b7f99db09",
"type": "eql",
"version": 5
},
"3fac01b2-b811-11ef-b25b-f661ea17fbce": {
"rule_name": "Entra ID MFA TOTP Brute Force Attempted",
"sha256": "1393f9d0d39d1816d59b14c249c6f51943fe8913b7e7a32f5e1180f32117f716",
"type": "esql",
"version": 7
},
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550": {
"rule_name": "DNF Package Manager Plugin File Creation",
"sha256": "9b63eb868c7d021d7edc961d57776d534b830e6abb84ac86fe4468029f6f94f5",
"type": "eql",
"version": 107
},
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"rule_name": "Unusual Process Spawned by a User",
"sha256": "861bb0285ecfc831be0ed890516dad1897e980cd14f45cfb90f50367e05fdcc9",
"type": "machine_learning",
"version": 110
},
"4021e78d-5293-48d3-adee-a70fa4c18fab": {
"rule_name": "Potential Azure OpenAI Model Theft",
"sha256": "785d2c7d8206511fdb0a93798255102ab0b1c900ab4d7bc907fb1e30dde95ab4",
"type": "esql",
"version": 4
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"rule_name": "GitHub User Blocked From Organization",
"sha256": "7b0f9689a8a45ba9dde72567402b194089a439875f380ef1ece3fbea910dfe3a",
"type": "eql",
"version": 206
},
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "53ec3c9de6cdade61cc0a64a9f0a1f4b8eb7587226bd349f521eee3cec24e2cc",
"type": "eql",
"version": 315
},
"40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": {
"rule_name": "New GitHub Self Hosted Action Runner",
"sha256": "f76ddacb189a3accd814ea3630278fdabf423414b7ebc8aec38cba2b9b725cd7",
"type": "new_terms",
"version": 2
},
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"rule_name": "Suspicious Modprobe File Event",
"sha256": "1c99be63c7b57bc74bf7952e4a71821d7f267473c111fb0300ba5661db3aea67",
"type": "new_terms",
"version": 111
},
"40e60816-5122-11f0-9caa-f661ea17fbcd": {
"rule_name": "Entra ID OAuth PRT Issuance to Non-Managed Device Detected",
"sha256": "bc1ac7ee1b4aeae8bb0d1dce3d10bd2dc1112121731c9dda25ab248e337152ce",
"type": "eql",
"version": 3
},
"40fe11c2-376e-11f0-9a82-f661ea17fbcd": {
"rule_name": "M365 Exchange Inbox Phishing Evasion Rule Created",
"sha256": "3182151b918f1eb8735a78061444af2e61b835bb51025b310d342915bd4049c6",
"type": "new_terms",
"version": 3
},
"41284ba3-ed1a-4598-bfba-a97f75d9aba2": {
"rule_name": "Unix Socket Connection",
"sha256": "50405e170ddbf72168eb26b96b10d0ddeef2da2ea25dbc04fd4820ec47ce4aef",
"type": "eql",
"version": 109
},
"41554afd-d839-4cc2-b185-170ac01cbefc": {
"rule_name": "AWS Sensitive IAM Operations Performed via CloudShell",
"sha256": "1d21f6f6232a83d4b72d32a65c605f092c9eaaa78603c82e4d9d7adbd2cc39a2",
"type": "query",
"version": 1
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "fe7c4d3464cff0dabddfb6424b2fbd4e36eedae5bf156da320f3a9f43d4068cb",
"type": "eql",
"version": 317
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "a44f29bc649117953df7644b522fe34d02e04792ce1995c96d63aefa46581be4",
"type": "new_terms",
"version": 207
},
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
"rule_name": "Deprecated - EggShell Backdoor Execution",
"sha256": "ad194c072b22ac1d47da8069b2c2cda6478e3fd76ec7f8dd2e6914f3328b7ecb",
"type": "query",
"version": 107
},
"4182e486-fc61-11ee-a05d-f661ea17fbce": {
"rule_name": "AWS EC2 EBS Snapshot Shared or Made Public",
"sha256": "db41de2f7dde8f87a05ff3b1437f8583a12a119fca5fa5745addf8b45a77ca8b",
"type": "eql",
"version": 9
},
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "516ad5a0c30748314f1cd52da501ad91627b02886e06d85affdabc86ebb8a38f",
"type": "eql",
"version": 110
},
"41f7da9e-4e9f-4a81-9b58-40d725d83bc0": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Mount Launched Inside a Privileged Container",
"sha256": "9599b657201d226cccb73d627949385bb21c69eb6e7c4554c43014a63a681978",
"type": "eql",
"version": 3
}
},
"rule_name": "Mount Execution Detected via Defend for Containers",
"sha256": "4aea5af437fef5fae47cf6ed305293ff950199332e2fb03503525348f1b6cbb6",
"type": "eql",
"version": 103
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Interactive Exec Command Launched Against A Running Container",
"sha256": "0f61633254922e0ebf567567b6aa39f07580e86d34cd1cb9240a2c1ce7ce5034",
"type": "eql",
"version": 4
}
},
"rule_name": "Interactive Exec Into Container Detected via Defend for Containers",
"sha256": "3beffdc64d3c80e62705d9f9f3a6b6fc92f18bd94136f30202711303713d78b3",
"type": "eql",
"version": 104
},
"428e9109-dc13-4ae9-84cb-100464d4c6fa": {
"rule_name": "Unusual Login via System User",
"sha256": "6827d23b4b308b9c67cf7b406b2045535b0fdc580189116432682385555b8a3a",
"type": "new_terms",
"version": 6
},
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"rule_name": "Potential Okta Password Spray (Single Source)",
"sha256": "0c7e12d72953b3c07806fef01d5da914e1fadf25c25a821eea63561154a53f74",
"type": "esql",
"version": 417
},
"42c97e6e-60c3-11f0-832a-f661ea17fbcd": {
"rule_name": "Entra ID External Authentication Methods (EAM) Modified",
"sha256": "eecb7179169c511c89f3de6f2709e952ed6d3e0e4f779d1a69058462ee5eaae5",
"type": "new_terms",
"version": 2
},
"42de0740-8ed8-4b8b-995c-635b56a8bbf4": {
"min_stack_version": "9.3",
"rule_name": "Kubelet Certificate File Access Detected via Defend for Containers",
"sha256": "ac7f3df4cbc5e5487d605fc840c2e142f6d4479b7bcec3e8da8cfbad8db0b388",
"type": "eql",
"version": 1
},
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"rule_name": "Process Creation via Secondary Logon",
"sha256": "3c3c993e8730eb3546b9a22b493dcf55eba6a7e9215c41c15ce7dbb82a53e283",
"type": "eql",
"version": 115
},
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
"rule_name": "Unusual Login Activity",
"sha256": "12ada8027cc4b74be40a4135f2de36c58b9e21027dd2c0987441b08f97e69590",
"type": "machine_learning",
"version": 107
},
"43303fd4-4839-4e48-b2b2-803ab060758d": {
"rule_name": "Web Application Suspicious Activity: No User Agent",
"sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919",
"type": "query",
"version": 101
},
"43d6ec12-2b1c-47b5-8f35-e9de65551d3b": {
"rule_name": "Linux User Added to Privileged Group",
"sha256": "e0d65c12d238b383dffaf13d4fb55100ee4b35aff545616783b87a81049c7bd8",
"type": "eql",
"version": 113
},
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "b9df7ce43be836f72812813398926c6d65b207b67ed79c5de0687dc3e1ff82fc",
"type": "eql",
"version": 314
},
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"rule_name": "Unusual Windows Path Activity",
"sha256": "3620bec2f351c8445f9975f73413065df3dfadbb936c41d6823c708a960d9ba9",
"type": "machine_learning",
"version": 210
},
"4494c14f-5ff8-4ed2-8e99-bf816a1642fc": {
"rule_name": "Potential Masquerading as VLC DLL",
"sha256": "a3ea7556a748c2042b4ddc53356093c97193a916b4a367701ae9c45c75e2d656",
"type": "eql",
"version": 7
},
"44cb1d8a-1922-4fc0-a00f-36c1caf57393": {
"rule_name": "Potential snap-confine Privilege Escalation via CVE-2026-3888",
"sha256": "0ecac433216f510856ef55e68d0524fd3a0347b0708ed684ffb499bed9bf2a13",
"type": "eql",
"version": 1
},
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "4674d5f4a49d989f5bd2e7c5a3c68c4cb0b3c01bd3785dbaf23d881418bbd326",
"type": "eql",
"version": 116
},
"453183fa-f903-11ee-8e88-f661ea17fbce": {
"rule_name": "AWS Route 53 Resolver Query Log Configuration Deleted",
"sha256": "f76b785c752d68bcdb8b49d66187f8e22fe050f7f4b94f4effc62169e6aa3408",
"type": "query",
"version": 7
},
"453f659e-0429-40b1-bfdb-b6957286e04b": {
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
"sha256": "a9591128215a5ec0b9ebce85a74cbb8d346e601ad9c1a77447b066f0d77cee20",
"type": "query",
"version": 105
},
"4577ef08-61d1-4458-909f-25a4b10c87fe": {
"rule_name": "AWS RDS DB Snapshot Shared with Another Account",
"sha256": "8ad4d9f18ebddd6e3145aca58b6e2ac3a3b3a7b78e2e3292a031e37fa680bdb2",
"type": "eql",
"version": 7
},
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"rule_name": "Windows Event Logs Cleared",
"sha256": "5dbb2ba25bb9773b3f4cbfe7113bdfbea3297b4abe47e86d665329d81f9ce439",
"type": "query",
"version": 216
},
"45d099b4-a12e-4913-951c-0129f73efb41": {
"min_stack_version": "9.2",
"rule_name": "Web Server Potential Remote File Inclusion Activity",
"sha256": "836bf7b7a903a992358ac80bed2c8ff3f07f397efb36ab12d93757da9280dd72",
"type": "esql",
"version": 2
},
"45d273fb-1dca-457d-9855-bcb302180c21": {
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "2508e7257e5f68a940fbb8e31ebf364ffa3e653cb4da62b6b4a633c7004d8da7",
"type": "eql",
"version": 218
},
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "bf0dc3f9af62bcf975d6708ddea0834bfc5563351cec9db10181d602016abb45",
"type": "eql",
"version": 319
},
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "e4d8e7444b42bd9bae0893dacdaa1532c6cc36480a2100ee2ae9a27922f2b0b3",
"type": "eql",
"version": 315
},
"46b01bb5-cff2-4a00-9f87-c041d9eab554": {
"rule_name": "Browser Process Spawned from an Unusual Parent",
"sha256": "7a34269b905c935b622166cefde9ec843b43f40a4c1f33fea3cf3b297c84d4bc",
"type": "eql",
"version": 1
},
"46f804f5-b289-43d6-a881-9387cf594f75": {
"rule_name": "Unusual Process For a Linux Host",
"sha256": "6c4cc176cfcf4e1333279896e4a7af3d18d9b540a8dde255d48339baeeba33b8",
"type": "machine_learning",
"version": 108
},
"472b4944-d810-43cf-83dc-7d080ae1b8dd": {
"rule_name": "Multiple Cloud Secrets Accessed by Source Address",
"sha256": "d0c4f9e600d97fef5ad96bac93093b7a8c14fcd1e8984e95303ff1e323528203",
"type": "esql",
"version": 5
},
"47403d72-3ee2-4752-a676-19dc8ff2b9d6": {
"rule_name": "AWS IAM OIDC Provider Created by Rare User",
"sha256": "1cb9c0fd0274dca1ebc356d8b502ed8e73079bada5103d878b1c4611bbf060c1",
"type": "new_terms",
"version": 1
},
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"rule_name": "System V Init Script Created",
"sha256": "a5511918810879fab5872afa2bad76386c05810eb83a332eafdbbc354f50a688",
"type": "eql",
"version": 118
},
"47595dea-452b-4d37-b82d-6dd691325139": {
"rule_name": "Credential Access via TruffleHog Execution",
"sha256": "0ebaa20afe2747b15511424d174dff2a614551b155f5398c86ae2a524375e129",
"type": "eql",
"version": 2
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
"sha256": "c45335d0cf5b97ef7c4f655e919b98f962426de4d8347ffb18ce6bbfea13bd98",
"type": "eql",
"version": 4
}
},
"rule_name": "Sensitive File Compression Detected via Defend for Containers",
"sha256": "4cfac6296ff70d20ff834bd019d6afd9198871c12036cd15a02473a29fb199b9",
"type": "eql",
"version": 104
},
"476267ff-e44f-476e-99c1-04c78cb3769d": {
"rule_name": "Cupsd or Foomatic-rip Shell Execution",
"sha256": "d4cf683f05e6166f5ded6247948a4c8098ccebb8419921179ed3b00c4b7575f1",
"type": "eql",
"version": 106
},
"47661529-15ed-4848-93da-9fbded7a3a0e": {
"min_stack_version": "9.3",
"rule_name": "Chroot Execution Detected via Defend for Containers",
"sha256": "8eef44e54c58bacf8930637ce3c1ccc456d47e98096fb6b90d0117c387cfb747",
"type": "eql",
"version": 1
},
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "a3c41fcfa1ca8b2ef3742212cb83d03ed47e7de62ec719449aea2350bc944579",
"type": "eql",
"version": 216
},
"47e46d85-3963-44a0-b856-bccff48f8676": {
"rule_name": "DNS Request for IP Lookup Service via Unsigned Binary",
"sha256": "b77d74a3141da1892738e8c0d4fd55bcbe16d6888bb1c16ec266c429adf9d305",
"type": "eql",
"version": 1
},
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
"rule_name": "Execution via Regsvcs/Regasm",
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
"type": "query",
"version": 100
},
"47f76567-d58a-4fed-b32b-21f571e28910": {
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "b4330f7c0ad66d1ea72157d55fa7ee76b34f1a8874ea8a9125aa105875f73fdb",
"type": "eql",
"version": 112
},
"47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5": {
"rule_name": "Potential Database Dumping Activity",
"sha256": "2e2294edc305537dd5c97fbbf11464f167eee021a72fd084ab5cdddee62b2244",
"type": "eql",
"version": 1
},
"483832a8-ffdd-4e11-8e96-e0224f7bda9b": {
"min_stack_version": "9.2",
"rule_name": "New USB Storage Device Mounted",
"sha256": "d9c4c1882638f87b1efbed9faeba2bd77e279205865e378e6c57377a911029ac",
"type": "new_terms",
"version": 1
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "efe13789f0e114a22962a031a630587a9068815b16a6fecfd9212043b5c8e175",
"type": "eql",
"version": 316
},
"48819484-9826-4083-9eba-1da74cd0eaf2": {
"rule_name": "M365 Exchange Mailbox Accessed by Unusual Client",
"sha256": "336b24221a2d27495c6571e4c6ffb5247de93322c7e5dd4f48ec48edabde1809",
"type": "new_terms",
"version": 112
},
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"rule_name": "Potential Reverse Shell",
"sha256": "3a4131ff417a75bb309eef287209c5f0e59cc7de9c9c317835e818d041b05c4d",
"type": "eql",
"version": 14
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "80aaccc263883da16479de247fa05463955050b307d6afcf01a64ce744b68f7c",
"type": "esql",
"version": 118
},
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "be6c7b51b8751b54b6b8c450645ccbe983f6d0ad6b84552de2019226faae60b8",
"type": "eql",
"version": 111
},
"48e60a73-08e8-42aa-8f51-4ed92c64dbea": {
"rule_name": "Suspicious Microsoft HTML Application Child Process",
"sha256": "ca1b5ca19262980e5766116e70f08a65f1eed7775f88a4c285ba663ed4106a12",
"type": "eql",
"version": 1
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "20d159f7d05efe06ca199cdaaa7dbfd309d575bb0863bb8a3abb182ce79e8ac5",
"type": "eql",
"version": 110
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"rule_name": "Remote XSL Script Execution via COM",
"sha256": "e4bf09e686462fb9baf9d6d83508dc82620348bfe2ed3c7d1168344e63c8d406",
"type": "eql",
"version": 6
},
"491651da-125b-11f1-af7d-f661ea17fbce": {
"rule_name": "M365 SharePoint/OneDrive File Access via PowerShell",
"sha256": "12b2f26e1de89428096370a95afe5282f53ef905809bc143ddbfe3283d5b799e",
"type": "new_terms",
"version": 2
},
"493834ca-f861-414c-8602-150d5505b777": {
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
"sha256": "ebb9007ad27001cdcce71f4a7afd8ac119b58dd0d5e483f569eb30251b762431",
"type": "esql",
"version": 105
},
"494ebba4-ecb7-4be4-8c6f-654c686549ad": {
"rule_name": "Potential Linux Backdoor User Account Creation",
"sha256": "746fa196876978fc4504823fefe63f4a01aa792823509324a65d2f5dc281611a",
"type": "eql",
"version": 113
},
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
"rule_name": "Application Removed from Blocklist in Google Workspace",
"sha256": "ddbea71b52b73ad21036e2450178461c83e9d6076e9758efe70ec27b6f51afc4",
"type": "query",
"version": 109
},
"4973e46b-a663-41b8-a875-ced16dda2bb0": {
"rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable",
"sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7",
"type": "eql",
"version": 3
},
"497a7091-0ebd-44d7-88c4-367ab4d4d852": {
"min_stack_version": "9.3",
"rule_name": "Web Server Exploitation Detected via Defend for Containers",
"sha256": "7472e79abc8837f88013d2d6772b889d8508248d6455205e9f51839bdd0512f8",
"type": "eql",
"version": 2
},
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "547cc7d9e89793916feda5f91bfa09fcdb1001369b259f28b1d90f8790b0c8b7",
"type": "eql",
"version": 111
},
"498e4094-60e7-11f0-8847-f661ea17fbcd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 106,
"rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql",
"version": 8
},
"9.1": {
"max_allowable_version": 206,
"rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql",
"version": 108
}
},
"rule_name": "Entra ID Federated Identity Credential Issuer Modified",
"sha256": "ebbb6d7619e8290583db7012b09dd1fd3cd9f0d2404d0db20e1a98227e66794d",
"type": "esql",
"version": 208
},
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
"sha256": "dd05e7d6c7892b37af6ce478458d3a6f3871020996bc0929e482c9e16fb134cd",
"type": "query",
"version": 107
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "b92e224e525668611f60f5d1de7994d2062c86e282b1fa72a42abf3a60d2d74b",
"type": "eql",
"version": 110
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"rule_name": "Potential Cross Site Scripting (XSS)",
"sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6",
"type": "eql",
"version": 2
},
"4ae94fc1-f08f-419f-b692-053d28219380": {
"rule_name": "Connection to Common Large Language Model Endpoints",
"sha256": "3757df1c47780a8ca59cef529bfea5554132941f7c7e759dda3693ddb8de1d05",
"type": "eql",
"version": 3
},
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process",
"sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982",
"type": "eql",
"version": 6
},
"4b1ee53e-3fdc-11f0-8c24-f661ea17fbcd": {
"rule_name": "Entra ID Protection - Risk Detection - User Risk",
"sha256": "5296ce8af32d0c657d2b2755990e979726a60839a6ec79936ae9ded15f28d90d",
"type": "query",
"version": 3
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "8b0ebf29f24beae56eb99431550627a0e281254d764c3580a9a8d69ce2e6b145",
"type": "eql",
"version": 315
},
"4b4e9c99-27ea-4621-95c8-82341bc6e512": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "Deprecated - Container Workload Protection",
"sha256": "411897304d67f1f8954d01b12bd234c002308f5cb7c284cc8edc8e86398b5506",
"type": "query",
"version": 6
}
},
"rule_name": "Container Workload Protection",
"sha256": "498945c61a0e56d7dee2199258dd45db789fe0034e64cf69ce36b49ebf2a1568",
"type": "query",
"version": 106
},
"4b74d3b0-416e-4099-b432-677e1cd098cc": {
"rule_name": "Container Management Utility Run Inside A Container",
"sha256": "4f51a26ce742ddabf94b2be228930f7be04de3fd92771dc7c1caa6374a58215c",
"type": "eql",
"version": 4
},
"4b77d382-b78e-4aae-85a0-8841b80e4fc4": {
"rule_name": "Kubernetes Forbidden Request from Unusual User Agent",
"sha256": "96f9b15e64a5aae3a06bb23e8ef6300fa3c5410b9e4105647ebcc1f58ab564f9",
"type": "new_terms",
"version": 4
},
"4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": {
"rule_name": "ProxyChains Activity",
"sha256": "a76e8e094705d102623bb7c79b5e3344c90196027095d45507853879747eb5ed",
"type": "eql",
"version": 109
},
"4b95ecea-7225-4690-9938-2a2c0bad9c99": {
"rule_name": "Unusual Process Writing Data to an External Device",
"sha256": "be73c5ed12e0253799f57a2dc46812a22b59acc194e0151b9a0b49121a071e60",
"type": "machine_learning",
"version": 7
},
"4bae6c34-57be-403a-a556-e48f9ecef0b7": {
"rule_name": "M365 Quarantine and Hygiene Signal",
"sha256": "3867e20407fa8e99b982da896d109a4bdf4a843a97dbd1931bce9c4ea41f6819",
"type": "query",
"version": 1
},
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "08f92365c8289d32623711be239952da8e2d840c26fc0c8cd00126ee17684e8f",
"type": "eql",
"version": 314
},
"4bd306f9-ee89-4083-91af-e61ed5c42b9a": {
"min_stack_version": "9.3",
"rule_name": "Service Account Token or Certificate Access Followed by Kubernetes API Request",
"sha256": "abb3c2c95247c1ae963a50fad9c2ab4cb792da935c24a7134f5cefed76cc18a0",
"type": "eql",
"version": 1
},
"4c3c6c47-e38f-4944-be27-5c80be973bd7": {
"rule_name": "Unusual SSHD Child Process",
"sha256": "175b2c8f0b31ace9a05e0103f05f2ba382449003519ab9feeebc42dc01a0cbc5",
"type": "new_terms",
"version": 6
},
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "26c370c500763204d1c4ce8130f04b1598d572b21a9846450b74d92c48b08943",
"type": "query",
"version": 115
},
"4c5a4e8b-3f2d-4a6e-9b5c-7d8f9e0a1b2c": {
"rule_name": "Azure Storage Account Blob Public Access Enabled",
"sha256": "7b23580cfc0831ecac7064fc5806bc46292e3561169b89261d0210a0d55ed4fd",
"type": "new_terms",
"version": 1
},
"4d169db7-0323-4157-9ad3-ea5ece9019c9": {
"rule_name": "Potential NetNTLMv1 Downgrade Attack",
"sha256": "8dc9a67886d1c45cb259c5bc2ca6d2a2b56e44b4afdaae58c692f7b3a58b3d6a",
"type": "eql",
"version": 3
},
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "4264cb81ac0a3711b6c0aeb972da662aa892128c7719288fd235f65a3494b2b0",
"type": "eql",
"version": 112
},
"4d4cda2b-9aad-4702-a0a2-75952bd6a77c": {
"rule_name": "Docker Release File Creation",
"sha256": "4d35efcecf6648618eb05b3ef497625b2a92ef5040a48ff5d402a774fbc5bca6",
"type": "eql",
"version": 3
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"rule_name": "AWS Management Console Brute Force of Root User Identity",
"sha256": "12b357e6311ff4eea5365916c53f043cd00969e62b4dcf117b519303de5b9559",
"type": "threshold",
"version": 212
},
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "eec67c093d03b4278ef06c5c3fb57728ac4e7f26c2fd9148fa049687b0874c0d",
"type": "eql",
"version": 110
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "9da3a00827b47a5c8bc78213e855c936d592e23250b29822768cbd60a9c7a8de",
"type": "eql",
"version": 318
},
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "4f540063885c56e9d5964c0feaec926d03e793ef575ab8567f0878ce2bbb307a",
"type": "eql",
"version": 116
},
"4ec47004-b34a-42e6-8003-376a123ea447": {
"rule_name": "Process Spawned from Message-of-the-Day (MOTD)",
"sha256": "5548a1d92b6c1155ffc6a202dd592aeedea51a61915faf6440b392753b182de9",
"type": "eql",
"version": 114
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "c244bdf6026d00890decfa2967be12774a0a0856e9c2b4648c27e387152ef430",
"type": "new_terms",
"version": 317
},
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"rule_name": "Suspicious Script Object Execution",
"sha256": "72dd52f88f0c957bd2e6d26f2d78ea3aecaf8ebbbc994fcc72baf28fce12fc4c",
"type": "eql",
"version": 212
},
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "1da534261dd74dbfe7a88a3120ea11d3178d0d7d15bc26c55663375b183b66ce",
"type": "query",
"version": 413
},
"4f2654e4-125b-11f1-af7d-f661ea17fbce": {
"rule_name": "M365 SharePoint Search for Sensitive Content",
"sha256": "f1b0c07102a00a597a4213a80a301d7d51d4d784c15d6641cd09775742725dfe",
"type": "eql",
"version": 1
},
"4f725dc5-ae44-46c1-9ac5-99f6f7a70d8a": {
"rule_name": "Kernel Unpacking Activity",
"sha256": "e98cdfe47f6f762212f97a88c9e9242fe21f61b9c7ea51aeab5e6492b9609ccb",
"type": "eql",
"version": 6
},
"4f855297-c8e0-4097-9d97-d653f7e471c4": {
"rule_name": "Unusual High Confidence Content Filter Blocks Detected",
"sha256": "182bc938e327e6c65baf1a2fa6331963551b438902b9978d4d203832c22df4d6",
"type": "esql",
"version": 8
},
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "0f48a61ca555356c3d245243f9e62a82d9a3dc30915701f68c281590c1712afc",
"type": "eql",
"version": 317
},
"50742e15-c5ef-49c8-9a2d-31221d45af58": {
"rule_name": "Okta Successful Login After Credential Attack",
"sha256": "cf4ea6ec96f91bf55c3c6f1eca9cc056966f470e390fcba12bbe8e6264352a14",
"type": "esql",
"version": 2
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "765c282f30b0895e1d0260ea7fd4e8cc74f36d47fd286a736aad6211de527511",
"type": "threshold",
"version": 210
},
"50a2bdea-9876-11ef-89db-f661ea17fbcd": {
"rule_name": "AWS SSM Command Document Created by Rare User",
"sha256": "28b1e5a0e4c3e07dd157f7004dca638856150b66910942f40ebe3de18fc16311",
"type": "new_terms",
"version": 5
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"rule_name": "Windows System Information Discovery",
"sha256": "92df936b5c9f8126935576c6ee8792aa9b49ee7ab49dd26a96de5d5812293028",
"type": "eql",
"version": 111
},
"5124e65f-df97-4471-8dcb-8e3953b3ea97": {
"rule_name": "Hidden Files and Directories via Hidden Flag",
"sha256": "00a937a6551df200e27af0c95020a908bd832f721000e682fd65f512541cc2c4",
"type": "eql",
"version": 108
},
"5134be90-42c1-4ac7-859c-4d82caaddbec": {
"rule_name": "Proxy Shell Execution via Busybox",
"sha256": "79b4ea149f88a2ee4fc8326864cadcd00ea7b142318e7e9100ab5c90dd688825",
"type": "eql",
"version": 1
},
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "1210bd635a5f10b91c32ed2675bbce9dd1590f829d331d1646fc29bef344b08f",
"type": "eql",
"version": 416
},
"514121ce-c7b6-474a-8237-68ff71672379": {
"rule_name": "M365 Exchange DKIM Signing Configuration Disabled",
"sha256": "f24841812cdc6d72fb13f86792013f16481609bca3cf8354e6bec8635402bd34",
"type": "query",
"version": 211
},
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
"rule_name": "GCP Logging Sink Deletion",
"sha256": "2d8881e424afe188907789186fdf2aade7107730fdb292c3ba0aa7f9193281ac",
"type": "query",
"version": 107
},
"5188c68e-d3de-4e96-994d-9e242269446f": {
"rule_name": "Service DACL Modification via sc.exe",
"sha256": "129e731066612ab4f0fb68a77299875530e032fda26945ae4b97f420099df286",
"type": "eql",
"version": 207
},
"51a09737-80f7-4551-a3be-dac8ef5d181a": {
"rule_name": "Tainted Out-Of-Tree Kernel Module Load",
"sha256": "101ac22e38fb1ef498354c278d2e76287baa392a0c1074025757e79c688f0f69",
"type": "query",
"version": 6
},
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "f00b370497ce5969ecadca0e206dee295d1ff4035feecadd855b451da24e4b8f",
"type": "eql",
"version": 211
},
"521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": {
"rule_name": "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected",
"sha256": "2bea7d2c25ab910e0d606af8c8c55279b47893c6895044b905d268f6bfc3a206",
"type": "eql",
"version": 11
},
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
"rule_name": "AWS GuardDuty Detector Deletion",
"sha256": "a5abd99b2a0a622491aabaea8ba35522361bd5a944c646f467b88b38a0852bc8",
"type": "query",
"version": 211
},
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "30cf63ffb34e834c8b222bb11f4868475bdb20321c2ffe90ebb8451f39d7d1ce",
"type": "eql",
"version": 118
},
"527d23e6-8b67-4a8e-a6bd-5169b90ab2a8": {
"min_stack_version": "9.3",
"rule_name": "Tool Installation Detected via Defend for Containers",
"sha256": "6a19c11e4ec0d2dbf6539a7ae96322c3cfd2ae84d1d3ddc45b59bfdf5141dd10",
"type": "eql",
"version": 3
},
"5297b7f1-bccd-4611-93fa-ea342a01ff84": {
"rule_name": "Execution via Microsoft DotNet ClickOnce Host",
"sha256": "a646f739b6321105caf7f40d15ddb77bc29668a1f12c883ed026d7680fe6061a",
"type": "eql",
"version": 3
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "90812c1c9901f3f69bc370a453a057fbf7475807091099873d900dc451e7c486",
"type": "eql",
"version": 213
},
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
"rule_name": "Unusual Linux Network Activity",
"sha256": "62bd8f8c90f70c3a4eb3671d95b3b6e54bd72c9902ec472ed75dbc680856fa84",
"type": "machine_learning",
"version": 108
},
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
"rule_name": "Unusual Linux Web Activity",
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
"type": "machine_learning",
"version": 100
},
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
"rule_name": "Unusual Linux Network Service",
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
"type": "machine_learning",
"version": 100
},
"530178da-92ea-43ce-94c2-8877a826783d": {
"rule_name": "Suspicious CronTab Creation or Modification",
"sha256": "1dade4110ac7b55a500a7fe97a1a86de13e5858a566842318543c910dafe18e8",
"type": "eql",
"version": 111
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "937b80edc9af486f626f90a862b96a362dc3fa4fd55e45096b3780dc6d57a408",
"type": "new_terms",
"version": 14
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"rule_name": "AWS EFS File System Deleted",
"sha256": "9502632eccfa0e324016bb477fc6a2d249c08cee1d91e5ac9fa91976bd60e1d6",
"type": "query",
"version": 211
},
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
"rule_name": "Azure Diagnostic Settings Deleted",
"sha256": "aaa470eef5ffb1b82d4233597469b4ad1297f06bc713fa4c327fd8faaec12ad0",
"type": "new_terms",
"version": 108
},
"5378a829-30c2-435a-a0f2-e3d794bd6f80": {
"min_stack_version": "9.3",
"rule_name": "Rare GCP Audit Failure Event Code",
"sha256": "68286b273629f0e76ab3ed11d530a7aa0bafc6f2fce33cc438cee7402360c949",
"type": "machine_learning",
"version": 1
},
"5397080f-34e5-449b-8e9c-4c8083d7ccc6": {
"rule_name": "Statistical Model Detected C2 Beaconing Activity",
"sha256": "7298e067ae7df7ada3b5061b2f4fddbd40508f911cf0156071f9a0fd3957e8e0",
"type": "query",
"version": 9
},
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "d0f06b830a6476ff9a07972ea36ba0f652acd5ae46fa229d3630f98e5857443a",
"type": "eql",
"version": 316
},
"53dedd83-1be7-430f-8026-363256395c8b": {
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "0294867fbd8ba3c9141d4557d0eca1f503d2bc94440bee39f8aad70295442ea2",
"type": "eql",
"version": 109
},
"53ef31ea-1f8a-493b-9614-df23d8277232": {
"rule_name": "Pluggable Authentication Module (PAM) Source Download",
"sha256": "0f4f3659e783f09c99b9205d00d643cda69a018e82153aa94e2843dc2cac9ad3",
"type": "eql",
"version": 6
},
"54214c47-be7c-4f6b-8ef2-78832f9f8f42": {
"rule_name": "Network Connection to OAST Domain via Script Interpreter",
"sha256": "b23a8e48776683b5d40549babe8be8f226fea5f293ee533b5441bef2203396ef",
"type": "eql",
"version": 1
},
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "85b3ae783986f75b82921357341bc4ee866a9da2bf84fdf8a1c810f6ded404b1",
"type": "eql",
"version": 215
},
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "fbf103aa3c39bb293ade25f6cb74acb3444ece6c2a9ffe3441d5d8be36a1bc89",
"type": "query",
"version": 214
},
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "8559ba99f619be1e87b32244f4b2d26bb2bc5c1d0c40ea0780192ab395054472",
"type": "eql",
"version": 216
},
"55a372b9-f5b6-4069-a089-8637c00609a2": {
"rule_name": "First-Time FortiGate Administrator Login",
"sha256": "12264a88f6fcad9572c92f14f075c023b869acf3fd69f4ac23d26f7819b71c70",
"type": "esql",
"version": 2
},
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "d9d7b7c944e438656c8d6c348d8acd34be6f45ef68c23cdc5c1e679c1eb476f2",
"type": "eql",
"version": 217
},
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"rule_name": "PsExec Network Connection",
"sha256": "e668e79265b55406cd93383522749d6bce039b43589478b9a489a0a5b77b8b67",
"type": "eql",
"version": 212
},
"55f07d1b-25bc-4a0f-aa0c-05323c1319d0": {
"rule_name": "Windows Installer with Suspicious Properties",
"sha256": "a8fdb430eef1c2a8a281cadce30763cc48c12db7cd45cafcc018d558cac60d8d",
"type": "eql",
"version": 4
},
"55f711c1-6b4d-4787-930d-c9317a885adf": {
"rule_name": "Suspicious Execution with NodeJS",
"sha256": "703c739baa06c65f081e0a6f4d49107b415aef292f2d9e69d0ee75fe9768e379",
"type": "eql",
"version": 1
},
"56004189-4e69-4a39-b4a9-195329d226e9": {
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "eca5395ab95a933bd111e9188d2ae22c48eb93cb47655489d123e4414dabfe5f",
"type": "machine_learning",
"version": 110
},
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "e5063799ab10aae18df8b80273efb3ce5480722024992f100e3a70f3f4ccd897",
"type": "eql",
"version": 209
},
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "3a242f21a87f21c464c0cfe42e52881f5dca8297e5ceb5cbb98215aaa42fe75d",
"type": "query",
"version": 211
},
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"rule_name": "Potential Admin Group Account Addition",
"sha256": "4ce263d173a70707a23ec71e9d047dcaa6073d6e38f210d0ccf8ebc29318b608",
"type": "eql",
"version": 210
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "e402572e5dc8c2c7305905227898b75e4d1a151ec425b3c8b433e5816cd325d4",
"type": "eql",
"version": 112
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"rule_name": "GCP Logging Bucket Deletion",
"sha256": "01315f67e14fa8ba6873b6f6773f13ff2b404f9a5e551ab293a0bab6031404d0",
"type": "query",
"version": 107
},
"56d9cf6c-46ea-4019-9c7f-b1fdb855fee3": {
"rule_name": "Windows Sandbox with Sensitive Configuration",
"sha256": "94be0dc595363ca7f2604e399af5a08685b8fe50a3780c410ab319cb8637a99d",
"type": "eql",
"version": 2
},
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"rule_name": "PowerShell PSReflect Script",
"sha256": "6c697a981e583ada22e4f514b9fe1cc69e210a0cd838679036eb1158118d1beb",
"type": "query",
"version": 317
},
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404": {
"rule_name": "Execution of an Unsigned Service",
"sha256": "c1892bef95d251f7d7a47ff403d9820d9133ad7d52d07ded161c63a0664c92ba",
"type": "new_terms",
"version": 108
},
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
"rule_name": "VNC (Virtual Network Computing) from the Internet",
"sha256": "a2ea199f37920a1f0bdc7b5a401338b7ac2ee4316586ee61f879f019c7fb7854",
"type": "query",
"version": 109
},
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
"sha256": "c7c3ab0c50a276ad16b97c50145d1b1c44b1d09b2582d5f75868b68006f33c2b",
"type": "query",
"version": 105
},
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
"rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted",
"sha256": "914135ecccac7234592a2f0c768301fedcf43c6c78e8ec8977774bcd9ecb70aa",
"type": "query",
"version": 105
},
"5749282b-7524-4c9d-af9a-e2b3e814e5d4": {
"rule_name": "AWS Credentials Searched For Inside A Container",
"sha256": "a0bcf9364ee8f47430f8b5b764ed21b99fe2d5d6c1ef4f06d82d091e7820ee3a",
"type": "eql",
"version": 3
},
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"rule_name": "PowerShell MiniDump Script",
"sha256": "98face230511c302dabda23c6bcb794a5acc16c97b7229bb982b298b421618d0",
"type": "query",
"version": 213
},
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "200c9a6cf6ea2b424d9f8f4c5fdef6b620058afef51217c3581d139a0f79adf3",
"type": "eql",
"version": 108
},
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
"rule_name": "DNS Global Query Block List Modified or Disabled",
"sha256": "06514c775695c6ffb15b50ee3e811ce692a4cdd882e2912e1a0ee65bbe346273",
"type": "eql",
"version": 208
},
"57e118c1-19eb-4c20-93a6-8a6c30a5b48b": {
"rule_name": "Remote GitHub Actions Runner Registration",
"sha256": "1d0cb6b6f76ce755ca5fb4d086cbe1b222f7cf1a54d1751338d1440ff5acdcc3",
"type": "eql",
"version": 1
},
"581add16-df76-42bb-af8e-c979bfb39a59": {
"rule_name": "Backup Deletion with Wbadmin",
"sha256": "bd99f1c1dc1bbc1957f29cd1c182ab5d00d9770fd4dd77a724fee4634f6f8135",
"type": "eql",
"version": 318
},
"5841b80f-a1f8-4c00-a966-d2cc4a7a82e4": {
"rule_name": "Unusual Web Config File Access",
"sha256": "8de79d7265cefe1c4c9df3381c7d64befd5e4205b2fa99aa541ffc785d375e1a",
"type": "new_terms",
"version": 2
},
"5889760c-9858-4b4b-879c-e299df493295": {
"rule_name": "Potential Okta Brute Force (Multi-Source)",
"sha256": "483f341a689103f78ee0028c88bc8ff03e6d6ce55e6b3bd6e70f13c790a58d36",
"type": "esql",
"version": 2
},
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"rule_name": "RDP Enabled via Registry",
"sha256": "572350cc1b7ee9eb743fe3f4cfba0c9b6316477ce99490cc1ccffdf8a74bb4ab",
"type": "eql",
"version": 315
},
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
"rule_name": "Zoom Meeting with no Passcode",
"sha256": "ccb0acf3cc1b30624083f57a468ae8f3d188ca69b2ae0551b5122b12e90e6b36",
"type": "query",
"version": 104
},
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
"sha256": "47b60f124f8acd655a58e96f9d25ddaacdfec0e89d70fc600d8bba38e78f8950",
"type": "eql",
"version": 112
},
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
"sha256": "aa0faf0feeded63930dae2ccaac0af504981592f7e7e9ecd84e12b30fbe3dc0a",
"type": "eql",
"version": 114
},
"590fc62d-7386-4c75-92b0-af4517018da1": {
"rule_name": "Unusual Process Modifying GenAI Configuration File",
"sha256": "abc0e27008b4d86a36e73961924ea3f39bc1c7fae09ed2b3e3e17d2a812608cb",
"type": "new_terms",
"version": 4
},
"5919988c-29e1-4908-83aa-1f087a838f63": {
"rule_name": "File or Directory Deletion Command",
"sha256": "613a83f0df9c2f3768df88ec52bff6d22e0eba6ca14447a6c66b0f7bdcf5efbc",
"type": "eql",
"version": 6
},
"5930658c-2107-4afc-91af-e0e55b7f7184": {
"rule_name": "Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish",
"sha256": "7df117f2d8cc2a6407e7ce63ab750f7abac6c399fedb9cd5e5180dcbd3ff2b44",
"type": "query",
"version": 212
},
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
"rule_name": "AWS CloudTrail Log Created",
"sha256": "9c331554770ecb70eaef91e13b8c815f94e30019ac7bece602e598f6487eaf86",
"type": "query",
"version": 212
},
"59756272-1998-4b8c-be14-e287035c4d10": {
"rule_name": "Unusual Linux User Discovery Activity",
"sha256": "1b3e6cbb40f046d22b7ccadce341898603e5676bd73c703a48a3dd0a50beae19",
"type": "machine_learning",
"version": 108
},
"59bf26c2-bcbe-11ef-a215-f661ea17fbce": {
"rule_name": "AWS S3 Unauthenticated Bucket Access by Rare Source",
"sha256": "9fe3cf2fe1d2d052eb9543fccef6eea8a7ac5383268b9589b016836b97b85426",
"type": "new_terms",
"version": 7
},
"5a138e2e-aec3-4240-9843-56825d0bc569": {
"rule_name": "IPv4/IPv6 Forwarding Activity",
"sha256": "9e1626197ed5941926dbc41962782ca8a323883170b2f3163b67df9866765cbc",
"type": "eql",
"version": 107
},
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "af550c49b54fdde4f457b46291419fcce1a52c87f48f17702fea4f9f646df8a7",
"type": "eql",
"version": 313
},
"5a3d5447-31c9-409a-aed1-72f9921594fd": {
"rule_name": "Potential Reverse Shell via Java",
"sha256": "11037a250f68a1970df97139622a157e84807139f8126e5d9c7bc7cf56b3b77c",
"type": "eql",
"version": 13
},
"5a876e0d-d39a-49b9-8ad8-19c9b622203b": {
"rule_name": "Command Line Obfuscation via Whitespace Padding",
"sha256": "0cc699f383c20c3ff271c516d77b95b987ed2739b33f240704c85b6544251d02",
"type": "esql",
"version": 3
},
"5ab49127-b1b3-46e6-8a38-9e8512a2a363": {
"rule_name": "ROT Encoded Python Script Execution",
"sha256": "406f524f675016ccdb5300c19a77dbbf5709c9f48608737209128a31fac9c822",
"type": "eql",
"version": 5
},
"5ae02ebc-a5de-4eac-afe6-c88de696477d": {
"rule_name": "Potential Chroot Container Escape via Mount",
"sha256": "c857ed14ca09f8505114fd0edba3e1aebc519d4769ba8e166ba7663b168e4364",
"type": "eql",
"version": 107
},
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "801b331954e244547654f39e1cd8f34d2021a71a4b42b41e160a8ac6279bd843",
"type": "eql",
"version": 110
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "52e50adab24a9c98ab490445823f19da1c977fbb1095aa36f198857a03f478f5",
"type": "eql",
"version": 312
},
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
"rule_name": "Virtual Machine Fingerprinting",
"sha256": "8bdc45642eabfb3f0ef103bce978e447aa2cad2f8846c07c660012a23bb3f07e",
"type": "eql",
"version": 113
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "600013f59808acf8e3fbcb916efe820a124db6b8d3605bf5fe031d1b729b358d",
"type": "eql",
"version": 11
},
"5b18eef4-842c-4b47-970f-f08d24004bde": {
"rule_name": "Suspicious which Enumeration",
"sha256": "586b56458f4d63afd014b8dbb35e00f09492345bfd80de251a5c644f7f95b60d",
"type": "eql",
"version": 111
},
"5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d": {
"rule_name": "Successful SSH Authentication from Unusual User",
"sha256": "a8ae34ad74aa452d1ef26abfb920f07ad6dead22112f38645c036c46d2498937",
"type": "new_terms",
"version": 4
},
"5b9eb30f-87d6-45f4-9289-2bf2024f0376": {
"rule_name": "Potential Masquerading as Browser Process",
"sha256": "4556a2b4d9ae5c0709537287d7c352c49fd07266ec3e249028df8c684d8e7bf2",
"type": "eql",
"version": 9
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"rule_name": "Deprecated - Suspicious PrintSpooler Service Executable File Creation",
"sha256": "fc9cef486a73aa99f5eb2449ccb3aeb22c54905f0aed559e59310a191b5b19c1",
"type": "new_terms",
"version": 320
},
"5bda8597-69a6-4b9e-87a2-69a7c963ea83": {
"rule_name": "Boot File Copy",
"sha256": "9631f14860402dcf2e73a1613d08cf82bef87f7b793098b03b5ececfe9236c85",
"type": "eql",
"version": 5
},
"5bdad1d5-5001-4a13-ae99-fa8619500f1a": {
"rule_name": "Base64 Decoded Payload Piped to Interpreter",
"sha256": "a3e5e93104eff8cc43073a34010259addb085407c0b9db48084e216971198b42",
"type": "eql",
"version": 6
},
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
"rule_name": "AWS WAF Rule or Rule Group Deletion",
"sha256": "822b3f02a852acf4b757d3db5af307df3d08328bf3cf41433c24fd0c0282215d",
"type": "query",
"version": 211
},
"5c351f54-4187-4ad8-abc8-29b0cfbef8b1": {
"rule_name": "Process Capability Enumeration",
"sha256": "eb2f66cac706f2d5cd5a072b7e91723e2bdcaf18c2bcdbce959b054343e1bd32",
"type": "eql",
"version": 8
},
"5c495612-9992-49a7-afe3-0f647671fb60": {
"rule_name": "Successful SSH Authentication from Unusual IP Address",
"sha256": "31b27a7e3c38e5075a078da3897b0903804faf938bb93fe6a383dcc1847c4a8a",
"type": "new_terms",
"version": 4
},
"5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": {
"rule_name": "Deprecated - SSH Process Launched From Inside A Container",
"sha256": "5b2188d09bbe293e3e5d684a0febaaeb6e8027038ba64aa70585fde1b3f59fdd",
"type": "eql",
"version": 3
},
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "c7b6447476c63c646a11dcddd2f18d6f0ba3ebebe596eca3d4aec3c2526d2226",
"type": "query",
"version": 107
},
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "258ce18f9e3bfe08e0472e79e46a880d2f2efc413d2cfc53babcfac7f60655dc",
"type": "new_terms",
"version": 118
},
"5c81fc9d-1eae-437f-ba07-268472967013": {
"rule_name": "Segfault Detected",
"sha256": "2e81ce6769021daba9c871cf5baf734f4fb6fbbdc9590bcc56e0bf1853d51d1e",
"type": "query",
"version": 3
},
"5c832156-5785-4c9c-a2e7-0d80d2ba3daa": {
"rule_name": "Pluggable Authentication Module (PAM) Creation in Unusual Directory",
"sha256": "4c48c84cd522696977dcc06b074e1009f2d813319099312d8f038742dc590289",
"type": "eql",
"version": 105
},
"5c895b4f-9133-4e68-9e23-59902175355c": {
"rule_name": "Potential Meterpreter Reverse Shell",
"sha256": "0c3e1712dbacd60a7b25849404c3640e128985029f0549a100664928c6d062d7",
"type": "eql",
"version": 11
},
"5c983105-4681-46c3-9890-0c66d05e776b": {
"rule_name": "Unusual Linux Process Discovery Activity",
"sha256": "73a2b26e4a677c2f45db8dfe14c180513fa2b5b51e66828388e71dd909955e75",
"type": "machine_learning",
"version": 107
},
"5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": {
"rule_name": "Potential Defense Evasion via PRoot",
"sha256": "e1ae2e1cbed489a77754e6fab8a50f37f6de818e6fa2ca20d8096664e8add36c",
"type": "eql",
"version": 112
},
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "36b4447995d99aeb6a7fc572fef2c2472373f1ef385d286717d76ea772593543",
"type": "eql",
"version": 213
},
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"rule_name": "User Added to Privileged Group in Active Directory",
"sha256": "9c592d696b111ba2667fac67712827ef98ca432b69f7dc378b1cf79c1902bea0",
"type": "eql",
"version": 215
},
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"rule_name": "Persistence via PowerShell profile",
"sha256": "1de4421d5b5299213d99591da32512ca3a1acf592d3d8a5e9f9f512812cf976d",
"type": "eql",
"version": 213
},
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "1b07692857d4196dca0282c0a6b818c123b5d8d3fcc412fb9139a364e2a4a08d",
"type": "eql",
"version": 111
},
"5d1c962d-5d2a-48d4-bdcf-e980e3914947": {
"min_stack_version": "9.3",
"rule_name": "Forbidden Direct Interactive Kubernetes API Request",
"sha256": "be914b17ebae1af44b244d51b3c23386e68cba1e711e1a3016ff61269a549396",
"type": "eql",
"version": 1
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "e52b20d0a6e626ac28133aab573b99bebcb41ce8c3f24117cfd84b235119ea53",
"type": "eql",
"version": 215
},
"5d676480-9655-4507-adc6-4eec311efff8": {
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "fe9828fdb1e826e9a4887dd4b52754e5a56c0b775c59963881f4538c3dc240fa",
"type": "eql",
"version": 106
},
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "e8fa74379179a6e9e9280508afc640cb96c331cc171808a748ed740b40cef25f",
"type": "eql",
"version": 111
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"rule_name": "Google Workspace 2SV Policy Disabled",
"sha256": "fdff095d924623c81dd84192e86d2cd857ea9237a184331ffecbc98be0f08e7b",
"type": "query",
"version": 109
},
"5e23495f-09e2-4484-8235-bdb150d698c9": {
"rule_name": "Potential CVE-2025-33053 Exploitation",
"sha256": "e515ba416d112f154ee9c1ea73f1ac151201233455473ca6ac4c7bb238c79648",
"type": "eql",
"version": 1
},
"5e4023e7-6357-4061-ae1c-9df33e78c674": {
"rule_name": "Memory Swap Modification",
"sha256": "43d5d47f2f41f6a0da32a9f0a41268a9522c6eb161b7c9cdfe04ae2cb49caf67",
"type": "eql",
"version": 107
},
"5e552599-ddec-4e14-bad1-28aa42404388": {
"rule_name": "Deprecated - M365 Teams Guest Access Enabled",
"sha256": "6bd26b637d8d65d21fab98797574709274097ccf34020470f0460c4fa98adbae",
"type": "query",
"version": 212
},
"5e87f165-45c2-4b80-bfa5-52822552c997": {
"rule_name": "Potential PrintNightmare File Modification",
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
"type": "eql",
"version": 100
},
"5eac16ab-6d4f-427b-9715-f33e1b745fc7": {
"rule_name": "Unusual Process Detected for Privileged Commands by a User",
"sha256": "c9aa68e0bbefe704a06a42460c07f488861cf71aaaec68520a0c536c8084352e",
"type": "machine_learning",
"version": 3
},
"5f0234fd-7f21-42af-8391-511d5fd11d5c": {
"rule_name": "AWS S3 Bucket Enumeration or Brute Force",
"sha256": "afe5cf0b41fabafb43587e9fff374222c812f9f85f2e6d494c41f2795f46e771",
"type": "threshold",
"version": 7
},
"5f2f463e-6997-478c-8405-fb41cc283281": {
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "e1bc7738d6422a53137fd0fd3a0f1caea8ad0963f3c1ad4e800995133bf37fd2",
"type": "eql",
"version": 207
},
"5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": {
"rule_name": "Potential Docker Escape via Nsenter",
"sha256": "9b1fac0383ed7d24fc3004e580cec7bd3f701dee9659155fe2a61132c4c6280e",
"type": "eql",
"version": 5
},
"5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891": {
"rule_name": "NetSupport Manager Execution from an Unusual Path",
"sha256": "c80b105dcd79c80989bff9ac24cf5177de43e229e7d10b6401345ba38e066596",
"type": "eql",
"version": 1
},
"60884af6-f553-4a6c-af13-300047455491": {
"rule_name": "Azure Compute VM Command Executed",
"sha256": "ac7900fe9b05ceca8ab042dd5c2b56878cd81674ea05fffaac4e4a0afedb300a",
"type": "query",
"version": 107
},
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
"rule_name": "Entra ID Service Principal Created",
"sha256": "212f5fd759cc852fe02f5a6c8387e49ca36c98e7e38a7f9f8f15b48443052582",
"type": "query",
"version": 109
},
"60c814fc-7d06-11f0-b326-f661ea17fbcd": {
"rule_name": "M365 Threat Intelligence Signal",
"sha256": "79dc01a9db946e1a3d5c41a5e8c2af04359b9e44ecee31c16c38a3723d8bab07",
"type": "query",
"version": 3
},
"60da1bd7-c0b9-4ba2-b487-50a672274c04": {
"rule_name": "Discovery Command Output Written to Suspicious File",
"sha256": "0f20b925e290e8b322e4fbca19247555026e2be561e5f19adeeed82693fbd764",
"type": "eql",
"version": 1
},
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
"rule_name": "Deprecated - M365 Exchange DLP Policy Deleted",
"sha256": "d49413545670c96c3b5d14b25f8f532a2453b7464b7332636cb2977953371e86",
"type": "query",
"version": 212
},
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"rule_name": "Unusual Process Network Connection",
"sha256": "eedf094a7798099e64d10398f58d50331624cf7b56aa5b1d6cf30a6ac7ee5c40",
"type": "eql",
"version": 211
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"rule_name": "New User Added To GitHub Organization",
"sha256": "65d60bb1e3e58c78ebdedb1c5ef222be1b3beda2413b057f21671ccae8870b82",
"type": "eql",
"version": 206
},
"616b8d00-05f8-11f1-8f33-f661ea17fbce": {
"rule_name": "Entra ID Service Principal Federated Credential Authentication by Unusual Client",
"sha256": "9e0f60e5d2e546787e888d2c54ba461cfc4a3c257bbb2676cababb43348c99b3",
"type": "new_terms",
"version": 1
},
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "89c4a7e78c150d6be51a0ac7825e8c185a6b6079831022b8ba59a2cfd77f7047",
"type": "eql",
"version": 108
},
"618a219d-a363-4ab1-ba30-870d7c22facd": {
"rule_name": "FortiGate FortiCloud SSO Login from Unusual Source",
"sha256": "d2abab1390a043ad71171a861b542dc9d94f79af253dd0032c1fe0b04e90beb0",
"type": "esql",
"version": 2
},
"618bb351-00f0-467b-8956-8cace8b81f07": {
"rule_name": "AWS S3 Bucket Policy Added to Allow Public Access",
"sha256": "432b70fbe0e399988c18b6bd0f70a80bfa5cd7b7d0848ed2fe754ecdae6ea112",
"type": "eql",
"version": 2
},
"61ac3638-40a3-44b2-855a-985636ca985e": {
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "f0416cbdf5fa18a079d3d3c82eae6bd19b83bdf9c69f6fb2425e8242e6a585d1",
"type": "query",
"version": 319
},
"61c31c14-507f-4627-8c31-072556b89a9c": {
"rule_name": "Mknod Process Activity",
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
"type": "query",
"version": 100
},
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "fc0df56314ea288221a4cc45552eda89e248931b37fa4cc8ac7ee9991d12fda4",
"type": "eql",
"version": 217
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "8718b5f7766c49df934b5a358670fd814c176f3dba6835a0ec719cd8c6560b56",
"type": "threshold",
"version": 210
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "25f5507d36b8030ec4b934a15054ff440470648a722b209844f64d8f983b3975",
"type": "eql",
"version": 210
},
"627374ab-7080-4e4d-8316-bef1122444af": {
"rule_name": "Private Key Searching Activity",
"sha256": "8c9ae7796579d97d69a04310defc6854fc7624628efe267439acba9c94241356",
"type": "eql",
"version": 106
},
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "8f5451e26ac0b2ec8d6274f9cf8c4f90ead9a3b42453322334620f2e494bf627",
"type": "eql",
"version": 216
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"rule_name": "Deprecated - Potential Non-Standard Port HTTP/HTTPS connection",
"sha256": "ed5ff57cbeb63400deadf4043db9a50648c79985b315214fa0826a98bc3f6839",
"type": "eql",
"version": 9
},
"62ba8542-1246-4647-9b84-98aa1bc0760a": {
"rule_name": "Persistence via Suspicious Launch Agent or Launch Daemon",
"sha256": "e96f8422546d427d174b67e32e22f9f294338e62a32b312144be86d8f54cbf31",
"type": "eql",
"version": 1
},
"63153282-12da-415f-bad8-c60c9b36cbe3": {
"rule_name": "Process Backgrounded by Unusual Parent",
"sha256": "75b9496ea55a4093c1a530bf9d5d06b67b782ad0fea18e9f34fc26ae90875888",
"type": "new_terms",
"version": 4
},
"632906c6-ba8f-44c0-8386-ec0bbc8518bf": {
"rule_name": "M365 SharePoint Site Sharing Policy Weakened",
"sha256": "0d544b7572d561d522b7a1f66e3d6249547e10deb500eae0e09a7284cbd87030",
"type": "query",
"version": 1
},
"63431796-f813-43af-820b-492ee2efec8e": {
"rule_name": "Network Connection Initiated by Suspicious SSHD Child Process",
"sha256": "45658ca009518a884a05c4cc9d68fdc61b4964fc64f0c576c2daf30b3bcb9df1",
"type": "eql",
"version": 8
},
"63c05204-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
"sha256": "3eb4cf8191b540261c82f3be237b1d7d0d7a6c89daac1922c17723115c99e60b",
"type": "query",
"version": 11
},
"63c056a0-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Denied Service Account Request via Unusual User Agent",
"sha256": "b5f24bfa2e0ca5124eb8906e21888074cbc74f7ce03972f697e7da5b3a9dd341",
"type": "new_terms",
"version": 11
},
"63c057cc-339a-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Anonymous Request Authorized by Unusual User Agent",
"sha256": "67374027e182776c03ce4412cb80c48c6224950afbbd622642c858cd97e5964f",
"type": "new_terms",
"version": 12
},
"63e381a6-0ffe-4afb-9a26-72a59ad16d7b": {
"rule_name": "Sensitive Registry Hive Access via RegBack",
"sha256": "f1b41199a328bd02b1d8e68577dea1a0148279f462f58eb741ee169e443888cf",
"type": "eql",
"version": 5
},
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"rule_name": "Network Connection via Signed Binary",
"sha256": "9dc44d0287d85742433a237643de326b02cb67b5850c7c1cb67d39e39ff29d97",
"type": "eql",
"version": 212
},
"640f0535-f784-4010-b999-39db99d2daeb": {
"rule_name": "Potential Git CVE-2025-48384 Exploitation",
"sha256": "6355a097393b9deb52341b25d066690bfbd55cad96abb33b13e41ac9e3a0df67",
"type": "eql",
"version": 1
},
"640f79d1-571d-4f96-a9af-1194fc8cf763": {
"rule_name": "Dynamic Linker Creation",
"sha256": "ef77f16d65b993459a5a079b5d1390f30ca2572dc700b7be825a98af2e546d42",
"type": "eql",
"version": 8
},
"642ce354-4252-4d43-80c9-6603f16571c1": {
"rule_name": "System Public IP Discovery via DNS Query",
"sha256": "2441c0f7156104f1405a955199b80b4134fefeff71f2746eb534985a66a1ad90",
"type": "eql",
"version": 2
},
"647fc812-7996-4795-8869-9c4ea595fe88": {
"rule_name": "Anomalous Process For a Linux Population",
"sha256": "58734d751552517001b8693378f42770573d4d066dc38f676bd455a29192c217",
"type": "machine_learning",
"version": 107
},
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "f04f7762a2d3bbdd47fc5d15c9ccbbdf7c3920065615febd7cfe2ecd45a20eab",
"type": "eql",
"version": 111
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"rule_name": "Network Connection via Recently Compiled Executable",
"sha256": "7ca1e9aa4bc2c98207af68b12ab4815c488fb92aaaca0ed2a51e25f5223e9d19",
"type": "eql",
"version": 11
},
"64f17c52-6c6e-479e-ba72-236f3df18f3d": {
"rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
"sha256": "9bb82ad0e9bc06828a6c9959f3e13a9a5b3cb76d96ecae5e74a67b9ab53a6abd",
"type": "esql",
"version": 11
},
"6505e02e-28dd-41cd-b18f-64e649caa4e2": {
"rule_name": "Manual Memory Dumping via Proc Filesystem",
"sha256": "190a8efe19f33011395185ea35900c11f27889bad11a0f7a8152f2cb4c405674",
"type": "eql",
"version": 3
},
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
"type": "eql",
"version": 100
},
"65432f4a-e716-4cc1-ab11-931c4966da2d": {
"rule_name": "MsiExec Service Child Process With Network Connection",
"sha256": "f57dea79c94f721b7f8cbc38f822f95a03a7020cbcef7591ff7b6834bf00038e",
"type": "eql",
"version": 205
},
"65613f5e-0d48-4b55-ad61-2fb9567cb1ad": {
"rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments",
"sha256": "a721bcec40558c7e2341203c42d6c8be5bc3d58df369d41d5254731131cc6409",
"type": "new_terms",
"version": 4
},
"656739a8-2786-402b-8ee1-22e0762b63ba": {
"rule_name": "Unusual Execution from Kernel Thread (kthreadd) Parent",
"sha256": "2f2b36cd3287567c3df71f99ffa36b3040ae29ca1871d964961cbf2e42e915b1",
"type": "new_terms",
"version": 3
},
"65f28c4d-cfc8-4847-9cca-f2fb1e319151": {
"rule_name": "Unusual Web Server Command Execution",
"sha256": "1ea13a93ae8354cb943d5d0635f94625e6f3fd00ddb5e18727aae85bae4ea947",
"type": "new_terms",
"version": 2
},
"65f9bccd-510b-40df-8263-334f03174fed": {
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
"sha256": "2962f75c4c913a7ae6568d692aa100bc991b3f0a49913ed652b7423b7d56b4cd",
"type": "query",
"version": 207
},
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "7596d477c75194501eab55a1d56dbc23f408e9b52f0d6e9477fa3caf989cd8e1",
"type": "eql",
"version": 112
},
"66229f32-c460-410d-bc37-4b32322cd4bb": {
"min_stack_version": "9.3",
"rule_name": "Service Account Token or Certificate Read Detected via Defend for Containers",
"sha256": "b46c90e3fb46b1ed19f04b00acefbe47de9bebecafc766b1f2395be6d66db5b7",
"type": "eql",
"version": 2
},
"6631a759-4559-4c33-a392-13f146c8bcc4": {
"rule_name": "Potential Spike in Web Server Error Logs",
"sha256": "effc61a862d7377ca5db5b1edccd523326415b1fad2a0176cf40a825888b0431",
"type": "esql",
"version": 2
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"rule_name": "Suspicious Termination of ESXI Process",
"sha256": "a7ac6a2e16d97312a1f7e3689e445d816e61c1b2556bd4fc7d7a784553b57be0",
"type": "eql",
"version": 12
},
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "73db657803846bffc7d107cbc8bf0cc7d9bbda6f034becce1f0990588362cb7f",
"type": "new_terms",
"version": 208
},
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"rule_name": "WebServer Access Logs Deleted",
"sha256": "9b067a4e19e27494227981d9814f26e3262881c5cb3f74ed5c0a1d833408f0fb",
"type": "eql",
"version": 210
},
"66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": {
"rule_name": "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected",
"sha256": "af55f3437d949d59400578ea1514295bd1960458ff28643620ab709ce16f75c9",
"type": "eql",
"version": 11
},
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
"rule_name": "Connection to Commonly Abused Web Services",
"sha256": "36c806d8631c3382ce02b6ddc4f9fe4014909b9c44ac217b7884a8d585ad71a8",
"type": "eql",
"version": 128
},
"66c058f3-99f4-4d18-952b-43348f2577a0": {
"rule_name": "Linux Process Hooking via GDB",
"sha256": "17f4fe2ff61bcd9e8f15d4be875e352215f40c08ee78633c078953f304b1a7b5",
"type": "eql",
"version": 107
},
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "1cbce0d436f0e84332bd5c6fdb6208ea47ff267a6c91804b470dc6f0f25e0c04",
"type": "eql",
"version": 211
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "dd68706b99e4beb5be8e24958080e7a849d9798d75f9e1933ed87542d10c7617",
"type": "query",
"version": 118
},
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "a641b7d199f4e4fd832c1dc4b7bb8e8e0693119f5efdf132d673600f1a67de92",
"type": "query",
"version": 413
},
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
"rule_name": "M365 Exchange Mailbox Audit Logging Bypass Added",
"sha256": "8be27f29a033a1bf2d289bdfa875dbfcc33c406d400aa521e3688b61c23174d9",
"type": "query",
"version": 211
},
"6756ee27-9152-479b-9b73-54b5bbda301c": {
"rule_name": "Rare Connection to WebDAV Target",
"sha256": "79c89592ce4eeceb4031a2a222deccbfc0af47774b4091697bc5095dce3ffa51",
"type": "esql",
"version": 5
},
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "46ce327e5a7721a4232d054cffea7064e587e8fe9066deaf0b52b4dce137c44e",
"type": "query",
"version": 413
},
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
"rule_name": "SMTP to the Internet",
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
"type": "query",
"version": 100
},
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
"rule_name": "High Number of Process Terminations",
"sha256": "680382f572bc86ba9176bd3c8a36fc5d0e5243f44981819bad005566fcf79f13",
"type": "threshold",
"version": 117
},
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
"rule_name": "Query Registry via reg.exe",
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
"type": "eql",
"version": 100
},
"6839c821-011d-43bd-bd5b-acff00257226": {
"rule_name": "Image File Execution Options Injection",
"sha256": "c27202eab20774ab1eb8e25fda99113ea2cdb28f9e3dc0dbc5cea32eff56ace4",
"type": "eql",
"version": 313
},
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
"rule_name": "M365 Exchange Federated Domain Created or Modified",
"sha256": "a2d5481cf00bcc615174c048a94e4cad3d67177547935b236402280cb3a59b38",
"type": "query",
"version": 212
},
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "0213339b429615707aed9697fd239830b2cc1c6c0f4d8b8ea9c25c860c76c36d",
"type": "query",
"version": 412
},
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "762b94746bef2ca7e80bb657ace66afa3602a6c62a978487f801d78e7d744308",
"type": "eql",
"version": 316
},
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
"rule_name": "Google Workspace Admin Role Assigned to a User",
"sha256": "1532614e797cd095c55034b762a0bc6b838adcd29d3c103a933df074cc826f7f",
"type": "query",
"version": 209
},
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "d16ac49d6c15b783cff7f695326de41b63df37f6a44a4fb2840ac736b581fa1f",
"type": "eql",
"version": 211
},
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
"rule_name": "AWS CloudWatch Log Group Deletion",
"sha256": "1b7b501e7883c46efe035c8b341ea0fcfabd82d6b5b1b567adc1489b4ba7109a",
"type": "query",
"version": 213
},
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "5d62319954b4d714f0fdc2b7ca74f32a7e5ff04025b3e9603a15d4b54b4cbdb8",
"type": "eql",
"version": 108
},
"68c5c9d1-38e5-48bb-b1b2-8b5951d39738": {
"rule_name": "AWS RDS DB Snapshot Created",
"sha256": "ad69aa058d530466a81bf883cda42a241f9ad8a415e5291d1aea004a51787720",
"type": "query",
"version": 3
},
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "77f75f86866b174600e6178727630e93c2e2eb7a46ef23e7e0395d266892854f",
"type": "eql",
"version": 213
},
"68e90a9b-0eab-425e-be3b-902b0cd1fe9c": {
"rule_name": "Suspicious Path Mounted",
"sha256": "c0ba7548cc496aae440498c2f64657c17215d4d8c1fc31821b516a0e55804eb3",
"type": "eql",
"version": 3
},
"6926b708-7964-425f-bed8-6e006379df08": {
"rule_name": "FortiGate SOCKS Traffic from an Unusual Process",
"sha256": "984c1410626d079006e9478eb02012d69dbe7ab70c8dcba0271941495d44a43a",
"type": "eql",
"version": 2
},
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
"sha256": "9561f0044194d3f868b07a589cc6e35db672b4a1d17f4997ab364b92b28677f3",
"type": "query",
"version": 111
},
"696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
"rule_name": "AWS IAM User Created Access Keys For Another User",
"sha256": "cde5eb69a93612087164e1626195700bd500e73b3e1248816d9a757a270b15bc",
"type": "esql",
"version": 12
},
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
"rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match",
"sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85",
"type": "threat_match",
"version": 204
},
"69c116bb-d86f-48b0-857d-3648511a6cac": {
"rule_name": "Suspicious rc.local Error Message",
"sha256": "ef5f5704546088d8e6c96f86d9b5bcf9595a80fdb94e5d01e0b17295987aecca",
"type": "query",
"version": 6
},
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"rule_name": "Modification of Boot Configuration",
"sha256": "062ebbb18e87088c2415a14ef1813c552955a440c290ca1cd073a4f6e9b42770",
"type": "eql",
"version": 314
},
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
"rule_name": "AWS Sign-In Root Password Recovery Requested",
"sha256": "46d7bc444c3b0896efa5f0d56b1c811d852a0bc06b30a29c613a12bceb80f68c",
"type": "query",
"version": 211
},
"6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": {
"rule_name": "Attempt to Disable Auditd Service",
"sha256": "cf6b52ea88e41b620aa54fd85324e5f3d9ef4e38700901748067699ef21e2b9b",
"type": "eql",
"version": 105
},
"6a309864-fc3f-11ee-b8cc-f661ea17fbce": {
"rule_name": "AWS EC2 AMI Shared with Another Account",
"sha256": "92a73731285ad8a586f20c44168203095329ef10c5faa34456fd4fecdaddbbc2",
"type": "query",
"version": 6
},
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "95af9566aea54e42762a51b57cd302ff63e6aa9f85764d94bf0c073f89f67e72",
"type": "eql",
"version": 313
},
"6aace640-e631-4870-ba8e-5fdda09325db": {
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "5095fe669c7a28cd0bd4ac67b605eac71f438d90afe54c8b6c1d52d1bd3efdf6",
"type": "eql",
"version": 420
},
"6ace94ba-f02c-4d55-9f53-87d99b6f9af4": {
"rule_name": "Suspicious Utility Launched via ProxyChains",
"sha256": "4619173954afe3c4ee3678df3b6a09d06d4e6c7044ca0cf1f841a8617e468f6d",
"type": "eql",
"version": 112
},
"6b341d03-1d63-41ac-841a-2009c86959ca": {
"rule_name": "Potential Port Scanning Activity from Compromised Host",
"sha256": "8c0ebef4188bbef987e1a1c3bf87cbe8a894ea61606c8fffac0daa41f6c2ff05",
"type": "esql",
"version": 10
},
"6b82a0ce-10ac-4cb7-8a66-0ba4d24540cf": {
"rule_name": "Suspicious Curl to Google App Script Endpoint",
"sha256": "e2fc6cd326556ed26877b749ff45a326d60917f1600dd11d2af16624358755ed",
"type": "eql",
"version": 1
},
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
"rule_name": "Sensitive Files Compression",
"sha256": "21ac45217a2911444af91c4b8718e6c8d41f5981ef2e51a3ad618510a24f804c",
"type": "new_terms",
"version": 213
},
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "d73cbc7943b74d57e8f4fa3f49925afeefbca90f5912507c92e1459ed29cb513",
"type": "eql",
"version": 213
},
"6c6bb7ea-0636-44ca-b541-201478ef6b50": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Container Management Utility Run Inside A Container",
"sha256": "dd5a08e03197da48709653f75417252ff3f50846d7c1925b2b9a6880fd5489cc",
"type": "eql",
"version": 4
}
},
"rule_name": "Container Management Utility Execution Detected via Defend for Containers",
"sha256": "4ac4af6457b467b5f177d488c77ce39c4a0b0290702497ae30e67fd0ae43e525",
"type": "eql",
"version": 104
},
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "69a395d0e80347499365554d56ecb7013b51d87f12d29487a7c19e439da8ed6f",
"type": "eql",
"version": 311
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"rule_name": "GitHub Repo Created",
"sha256": "531384d15d52b8c071346a4f472a9f04c83f068c11e87cf028088200812078e7",
"type": "eql",
"version": 206
},
"6cf17149-a8e3-44ec-9ec9-fdc8535547a1": {
"rule_name": "Suspicious Outlook Child Process",
"sha256": "ead3bdb03abbff29fb244e73d16f7594a5225127c4cf750abe0bb59b4f881ff9",
"type": "eql",
"version": 4
},
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"rule_name": "Unusual Process For a Windows Host",
"sha256": "3daaa058e3efafed14592627624d5744ecfbcc23d1d0dc1c4618589616b032a3",
"type": "machine_learning",
"version": 215
},
"6d8685a1-94fa-4ef7-83de-59302e7c4ca8": {
"rule_name": "Potential Privilege Escalation via CVE-2023-4911",
"sha256": "b4a42530866bb3fcf923be492968e1ec069ccff128907752f4eb635c73bdbaa8",
"type": "eql",
"version": 8
},
"6da6f80f-fe41-4814-8010-453e6164bd40": {
"rule_name": "Suspicious Curl from macOS Application",
"sha256": "c6696e22c0f6ea9d62054fd0a21b17180d6a932ffcdf222d3cbd4ca42f32170e",
"type": "eql",
"version": 1
},
"6ddb6c33-00ce-4acd-832a-24b251512023": {
"rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
"sha256": "0956563347ca9848e890ebe9a07a4ac68d34ad6b42b34bab5bc227b7b7dd9136",
"type": "esql",
"version": 10
},
"6ded0996-7d4b-40f2-bf4a-6913e7591795": {
"rule_name": "Root Certificate Installation",
"sha256": "0f941a4eec0eae5e8eafaea7a2a635dfc143067d98587953b98d26e0c1e891cd",
"type": "eql",
"version": 106
},
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"rule_name": "First Time Seen Remote Monitoring and Management Tool",
"sha256": "0cebb0d5468a00c201258ecea11ecb78a034ade64ba90268854176e43d1b4832",
"type": "new_terms",
"version": 116
},
"6e2355cc-c60a-4d92-a80c-e54a45ad2400": {
"rule_name": "Loadable Kernel Module Configuration File Creation",
"sha256": "dfa88fafc1898a28d3c0b60e028940c7c8bf94c78ffec613d0a7fb9d99618482",
"type": "eql",
"version": 6
},
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "0e4aee03edacf69e9198f2b0c2990d55cea3c4c8807f745eeaada13da2490dac",
"type": "machine_learning",
"version": 211
},
"6e4f6446-67ca-11f0-a148-f661ea17fbcd": {
"rule_name": "Potential Toolshell Initial Exploit (CVE-2025-53770 & CVE-2025-53771)",
"sha256": "305c77756be1aa3ebef6c4519ccf07b2c84119e59377b3bba5a957090f6843c9",
"type": "query",
"version": 1
},
"6e5189c4-d3a5-4114-8cb3-bd3a65713f19": {
"rule_name": "System and Network Configuration Check",
"sha256": "a39bd3cc0735f30a80651410c92c4d6c2d965fe1b0719d5ce05215534f48bd47",
"type": "eql",
"version": 1
},
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"rule_name": "AdminSDHolder Backdoor",
"sha256": "dc6bffc49011189309e7b9497e36f0d750f096ab012779a4e963c370a87370a0",
"type": "query",
"version": 215
},
"6e92a21a-58e7-449a-9cfd-9f563f59ac88": {
"rule_name": "Multiple Alerts in Same ATT&CK Tactic by Host",
"sha256": "2721e5e930982a6897a8da41631c6208072d6a03cb7bd026ece1d156d5308d26",
"type": "esql",
"version": 3
},
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "ee1131249647118b84975962d58442cf80fa8283768385f7427a1880ed82cfcc",
"type": "eql",
"version": 212
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "5c64c10228a0a54dc71ec736d0ceedf77938cee9b5bc4431aaa0997896c72131",
"type": "eql",
"version": 214
},
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"rule_name": "Security Software Discovery using WMIC",
"sha256": "1a271b28efc2579203a371e1810f70f4c164c9030910f0cc18297ec982ee80a5",
"type": "eql",
"version": 217
},
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
"rule_name": "DNS Activity to the Internet",
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
"type": "query",
"version": 100
},
"6eb862bb-013d-4d4f-a14b-341433ca1a1f": {
"rule_name": "Unusual Exim4 Child Process",
"sha256": "a433b41c505b25d8ad3ab6790255c6130616643723ef55a98eedeac022eecb39",
"type": "new_terms",
"version": 3
},
"6ee947e9-de7e-4281-a55d-09289bdf947e": {
"rule_name": "Potential Linux Tunneling and/or Port Forwarding",
"sha256": "fcd07e40992b3e612a095210ff3c48f93387e580802fa2fa7a2b78eb18a98fd9",
"type": "eql",
"version": 114
},
"6f024bde-7085-489b-8250-5957efdf1caf": {
"rule_name": "Active Directory Group Modification by SYSTEM",
"sha256": "da293aa9452ee7845abaf5b12c58972177020377e4cd25286313013d62cf57be",
"type": "eql",
"version": 107
},
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
"rule_name": "SSH (Secure Shell) to the Internet",
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
"type": "query",
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "d58f1b2ff3f4055daa2a2dad3692f51bb7e7934e1801a5a9219b4d5487f74b1b",
"type": "new_terms",
"version": 210
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"rule_name": "Google Workspace Role Modified",
"sha256": "59cfd1766bf59330cc09e1890b460c610c178db06840e3d7abc6ef15bdafba7f",
"type": "query",
"version": 208
},
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
"rule_name": "Linux Restricted Shell Breakout via the find command",
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
"type": "eql",
"version": 100
},
"6fa0f15b-1926-419b-8de2-fce1429797ba": {
"rule_name": "Suspicious SeIncreaseBasePriorityPrivilege Use",
"sha256": "2dc11ea177c7c2f16472de6dbab833afbf3a072256b6d50918a81d0ff453de33",
"type": "query",
"version": 2
},
"6fa3abe3-9cd8-41de-951b-51ed8f710523": {
"rule_name": "Web Server Potential Spike in Error Response Codes",
"sha256": "84da8f73568810bc4a06e418203b08260dc85c43867f04478490a2f4a1c53d4b",
"type": "esql",
"version": 3
},
"6fb2280a-d91a-4e64-a97e-1332284d9391": {
"rule_name": "Spike in Special Privilege Use Events",
"sha256": "ed6ffa275f2e757c537e56f54d8322172b0f69b4f8654de69c31e43cf69165f2",
"type": "machine_learning",
"version": 3
},
"6fcb4fe4-ac74-449d-855b-2bbd5c51c476": {
"rule_name": "Multiple Vulnerabilities by Asset via Wiz",
"sha256": "efc967ea17b6d6bd24680496c417b3ce7a00dbe16a1fa6bd08ed0d87e586e737",
"type": "esql",
"version": 2
},
"70089609-c41a-438e-b132-5b3b43c5fc07": {
"rule_name": "Git Repository or File Download to Suspicious Directory",
"sha256": "cb888ec5cdd28b517fc5e25fad86b205b4dcad80d3a654af3170ac8efe593e9c",
"type": "eql",
"version": 3
},
"7020ff25-76d7-4a7d-b95b-266cf27d70e8": {
"rule_name": "Interactive Shell Launched via Unusual Parent Process in a Container",
"sha256": "f71732f04d4bb9024781631a563a70bc613f39033a63805b0e4f5383ed9f5398",
"type": "new_terms",
"version": 3
},
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
"rule_name": "AWS CloudTrail Log Deleted",
"sha256": "79aba5e19e05a67ee76105ba02f4dd8ababc70a7cbd06a8c833f55e51a0f48c3",
"type": "query",
"version": 214
},
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
"rule_name": "AWS Config Resource Deletion",
"sha256": "ec5d6173a7089c9a99c4018cec4613e5b87e0d90954baf0de5c452cfd9fd5e4d",
"type": "query",
"version": 213
},
"70558fd5-6448-4c65-804a-8567ce02c3a2": {
"rule_name": "Google SecOps External Alerts",
"sha256": "3875d92943fd3bd7e6de3c62cedde504db8217fbfd89d59c6a6e5afa159386d3",
"type": "query",
"version": 1
},
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "65980fe1ae4be0bcb253357e4e833ea08e6cf9acc68b212beaf62c43948c1e50",
"type": "eql",
"version": 105
},
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
"rule_name": "Persistence via WMI Standard Registry Provider",
"sha256": "864ff665dcbced65f2a50abeae6420224e6af1557598ac0a35e6405ebf5a78df",
"type": "eql",
"version": 112
},
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "eee78f93f7aeeb4b4f0ea1b35b303f8ee2141b44381b92e735a4e4cf30039209",
"type": "eql",
"version": 111
},
"713e0f5f-caf7-4dc2-88a7-3561f61f262a": {
"rule_name": "AWS EC2 EBS Snapshot Access Removed",
"sha256": "8375b2b999c5f940480f6e373670eb7929fed1299d974aa69e7aab0bdcd1ea1c",
"type": "eql",
"version": 5
},
"7164081a-3930-11ed-a261-0242ac120002": {
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
"sha256": "e0e1831b2349191eba34af454905c373ca7a88563bdba740fec6039dce4f5885",
"type": "query",
"version": 10
},
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
"sha256": "f99e79395663b62abc9522267b9d5174757d2af93dd136bb6f8834c55ef2d6e8",
"type": "new_terms",
"version": 214
},
"71bccb61-e19b-452f-b104-79a60e546a95": {
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "9c1640b304d2ecfd067fc5ff92db9997add131c76536014281faa3cc13b006d6",
"type": "eql",
"version": 322
},
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "1477e66dec703b018b8fa3520a35c332275b252a01e165852dbf34f41d35a41b",
"type": "eql",
"version": 213
},
"71d6a53d-abbd-40df-afee-c21fff6aafb0": {
"rule_name": "Suspicious Passwd File Event Action",
"sha256": "5c1c2e9bc622fdfd22307f8a78bba011d594c683e3261da78070e1aa65082567",
"type": "eql",
"version": 7
},
"71de53ea-ff3b-11ee-b572-f661ea17fbce": {
"rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
"sha256": "10ff6f7ba102585480c02d7d27e5114fc04dee598ef2592541cc6d8a08e5287c",
"type": "eql",
"version": 7
},
"720fc1aa-e195-4a1d-81d8-04edfe5313ed": {
"rule_name": "Elastic Security External Alerts",
"sha256": "5378d1cf9cc62c93c87fca496cb3de399093caee93924ada0c9a7fc88cb0dfee",
"type": "query",
"version": 2
},
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
"rule_name": "Deprecated - M365 Security Compliance Potential Ransomware Activity",
"sha256": "2a680c4a4e1bbda3a08c46d451d0034d870388b139588ae38b32738977071f96",
"type": "query",
"version": 213
},
"725a048a-88c5-4fc7-8677-a44fc0031822": {
"rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User",
"sha256": "4dd3bc4d2338df9e5861a9dd612da6fa7b5e626521e7802ad9e0b71c51f0d760",
"type": "esql",
"version": 6
},
"7290be75-2e10-49ec-b387-d4ed55b920ff": {
"rule_name": "Suspicious Network Tool Launched Inside A Container",
"sha256": "e690efec89bc3ebf684c741843cb0885156128d39a89c7ffbf53f96e928c3f50",
"type": "eql",
"version": 3
},
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "cc1423cbb9a6308b079d91c2db23175ab961848433acd76b756d3d618d8ae37f",
"type": "query",
"version": 413
},
"72c91fc0-4ac0-11f0-811f-f661ea17fbcd": {
"rule_name": "Entra ID User Sign-in with Unusual Non-Managed Device",
"sha256": "8026621e50d1b1c883adbac1eae5cc2bf09526a2c68ff5162edbc435265b3295",
"type": "new_terms",
"version": 2
},
"72d33577-f155-457d-aad3-379f9b750c97": {
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
"type": "eql",
"version": 100
},
"72ed9140-fe9d-4a34-a026-75b50e484b17": {
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable",
"sha256": "527d4c975ef02b353316848967aa3a17c73dd08fb1948043078733d94aa336dd",
"type": "new_terms",
"version": 4
},
"7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8": {
"rule_name": "Newly Observed Elastic Defend Behavior Alert",
"sha256": "991c0b527369d84cb5ee39d4b00d92c6f07f1ea690d1589e4b8a2324575ff59e",
"type": "esql",
"version": 3
},
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "51694939fb7c336362382b2eb663e0be6f71da0693aa969468b3052e2048e38c",
"type": "eql",
"version": 207
},
"7318affb-bfe8-4d50-a425-f617833be160": {
"rule_name": "Potential Execution of rc.local Script",
"sha256": "91c30c741416b6e4252375919a24edfe25b7f361f9481c1e9afcdc428ce1fc95",
"type": "eql",
"version": 6
},
"73344d2d-9cfb-4daf-b3c5-1d40a8182b86": {
"rule_name": "AWS API Activity from Uncommon S3 Client by Rare User",
"sha256": "74803ed8898a6b97a3a3216b37765bc5bc8b9fca5526bce51cad41266e545733",
"type": "new_terms",
"version": 1
},
"734239fe-eda8-48c0-bca8-9e3dafd81a88": {
"rule_name": "Curl SOCKS Proxy Activity from Unusual Parent",
"sha256": "eef7fa38c10ee1aaee36c1f6492fc37db1b42e462bf3138c334bc5874eb3096a",
"type": "eql",
"version": 6
},
"737626a2-4dca-4195-8ecd-68ef96fd1bad": {
"min_stack_version": "9.3",
"rule_name": "Interactive Privilege Boundary Enumeration Detected via Defend for Containers",
"sha256": "914bcc5197cf41c4c4e45b450b881a1cccfcb8cb88385ff00dba131d1a82a7d5",
"type": "eql",
"version": 1
},
"737b5532-cf2e-4d40-9209-d7aec9dd25d5": {
"rule_name": "Potential PowerShell Obfuscated Script via High Entropy",
"sha256": "7326cf6d3997c601c7fdfb47f61c62a2ee7636dda3bb752ab1d671b794d8b908",
"type": "query",
"version": 1
},
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "3a1f9137b0ac5c869b1a85c1f9cf33b9842c078786d4f226f86133349f0dea88",
"type": "eql",
"version": 216
},
"74147312-ba03-4bea-91d1-040d54c1e8c3": {
"rule_name": "Microsoft Sentinel External Alerts",
"sha256": "a34a03f8ae7aa0e2dd7e603598ea2a6ce21901318fe406e2e71b9bb9a42f8d8f",
"type": "query",
"version": 1
},
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent",
"sha256": "ddf21d53d6b8b8924b7cd9e99aa28d4f195a780f81fedcabd802cfa7f5eb3443",
"type": "eql",
"version": 210
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"rule_name": "Unusual Hour for a User to Logon",
"sha256": "cad0a70827a88e131e905da0a07e883407cc68f8408f036139f4501e8e78b192",
"type": "machine_learning",
"version": 107
},
"746edc4c-c54c-49c6-97a1-651223819448": {
"rule_name": "Unusual DNS Activity",
"sha256": "3bb8a6e567f321ccd00a7d8e30e775bc9185cd5cfd1f86345dfac966d25b186a",
"type": "machine_learning",
"version": 107
},
"74e5241e-c1a1-4e70-844e-84ee3d73eb7d": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Kubectl Workload and Cluster Discovery",
"sha256": "90a45d01eaf0d5df552f32551a7a4d7d49f2b95c746968de7fb580c322514b34",
"type": "eql",
"version": 2
}
},
"rule_name": "Kubectl Workload and Cluster Discovery",
"sha256": "72b36e719acfa3ff798e7b986ca4a13227619e6e45f91695ff986bf2d8af3c17",
"type": "eql",
"version": 102
},
"74ee9a2d-5ed3-40c8-9e6c-523d2e6a17ef": {
"min_stack_version": "9.3",
"rule_name": "DNS Enumeration Detected via Defend for Containers",
"sha256": "c9fe483624c1c5ce68d3204bdec7b49c5d76ddc4e1b5181599fbb10d3854f78f",
"type": "eql",
"version": 1
},
"74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
"rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
"sha256": "5d3683cb87a4b6feb76eab7180a861d4ee2475204293f6f6516782f4dd6d2e46",
"type": "esql",
"version": 6
},
"751b0329-7295-4682-b9c7-4473b99add69": {
"rule_name": "Spike in Group Management Events",
"sha256": "1f0d951f0aa45a48dc46316b1f1d4e02ff8c900e6c997441383ac1f247d42aa0",
"type": "machine_learning",
"version": 4
},
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"rule_name": "Suspicious Sysctl File Event",
"sha256": "cb879068d644f437de4d77d3f7ab51738082390ba4e77c8e6ccdaa9941a721d7",
"type": "new_terms",
"version": 111
},
"75c53838-5dcd-11f0-829c-f661ea17fbcd": {
"rule_name": "Azure Key Vault Unusual Secret Key Usage",
"sha256": "efd873fb048032b0a290a3986f5614b57744f6cceace4616d5fc25427abfcac1",
"type": "new_terms",
"version": 3
},
"75dcb176-a575-4e33-a020-4a52aaa1b593": {
"rule_name": "Service Disabled via Registry Modification",
"sha256": "99972be3aaef2b87210728a09b1bcabb051d032b977008f6cc411bafbbfe88b8",
"type": "eql",
"version": 5
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
"sha256": "134c4594176dbca2b7f74074f945c476a08d79d6a308778f0f010a173d7a48da",
"type": "query",
"version": 105
},
"76152ca1-71d0-4003-9e37-0983e12832da": {
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
"sha256": "b16e7aa630bf09efd8c9c4b5abd21061b8abe08ed648b264ae75cdd15c7444cf",
"type": "query",
"version": 107
},
"764c8437-a581-4537-8060-1fdb0e92c92d": {
"rule_name": "Kubernetes Pod Created With HostIPC",
"sha256": "fad10679c3e41ef62b3464b9a30fea4414b61d69f36e2952798e696aeadbdf0c",
"type": "query",
"version": 209
},
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "af536a89c8431a57461522f9c43fb2bb20200fbdaead36aa1c3f6d802487313a",
"type": "eql",
"version": 117
},
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
"rule_name": "Creation of Hidden Shared Object File",
"sha256": "fdaa141067192258d1fba1bc103d8e8971607fbf4b6aad9407dadd5afc396de9",
"type": "eql",
"version": 215
},
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "58a655e54c5cb166ac6ab5498819171cec1889190859287d7c41626ff6632018",
"type": "eql",
"version": 210
},
"76de17b9-af25-49a0-9378-02888b6bb3a2": {
"min_stack_version": "9.3",
"rule_name": "Unusual Country for an Azure Activity Logs Event",
"sha256": "cac25f96b39b9f32e48d401acb7829a913876e84f086a0f780c95de1e2974997",
"type": "machine_learning",
"version": 1
},
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "f2d7e5b912a866467377c5e412b5b25073dc6d48860aecd8f818f158b769cc70",
"type": "eql",
"version": 14
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "2f1dc5042c5324178d8de82aebbac4085da8ad4cdf63a22939b6c481f989c4b0",
"type": "eql",
"version": 419
},
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "b9e24cba4cbda3e2ed33c9da86174cd9d7e7422319ea041848dcf546768713fd",
"type": "eql",
"version": 318
},
"77122db4-5876-4127-b91b-6c179eb21f88": {
"rule_name": "Potential Malware-Driven SSH Brute Force Attempt",
"sha256": "4b09604c6f3250ef34ab3b31005bb1a0faed886bb1605c15862580c2d8365528",
"type": "esql",
"version": 9
},
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
"rule_name": "Entra ID User Added as Registered Application Owner",
"sha256": "f83c205a8791d9c71a57853abe76651cc64e90daf4bb5bfdc15481a45b6c570f",
"type": "query",
"version": 107
},
"7787362c-90ff-4b1a-b313-8808b1020e64": {
"rule_name": "UID Elevation from Previously Unknown Executable",
"sha256": "09f5609b75e9a346caa33172e5f5805a0e1c5241c717d0db503b4b4792f5bef5",
"type": "new_terms",
"version": 8
},
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
"sha256": "e51927f3ba4b177d5d468bb2d7ca79af15177de99cc468aff4c790fe8b29fd75",
"type": "query",
"version": 106
},
"781f8746-2180-4691-890c-4c96d11ca91d": {
"rule_name": "Potential Network Sweep Detected",
"sha256": "d6a7aee26189c060e18f3968d98c5c20583366dd1285c8ec97f92fff6e54fa0b",
"type": "threshold",
"version": 14
},
"78390eb5-c838-4c1d-8240-69dd7397cfb7": {
"rule_name": "Yum/DNF Plugin Status Discovery",
"sha256": "c1b3684999c95292d2253c9a75fb57179ae653ca85316fdb894bad0d4e581df4",
"type": "eql",
"version": 107
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"rule_name": "Application Added to Google Workspace Domain",
"sha256": "d8715340030f5e840104979c68ca6a5bee643b38558bc0f8cefeeab653cb8c01",
"type": "query",
"version": 208
},
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
"rule_name": "Entra ID Privileged Identity Management (PIM) Role Modified",
"sha256": "19c6e5338fb238cda3c675ae8c10f1f391e073d6926ff35cdfb69a0ca2bd0f49",
"type": "query",
"version": 109
},
"78c6559d-47a7-4f30-91fe-7e2e983206c2": {
"rule_name": "Unusual Kubernetes Sensitive Workload Modification",
"sha256": "f76ed0d7a2b70dd121cafecc10eb29a699db9fac35dac6c3f7f771e25cfbcd63",
"type": "new_terms",
"version": 1
},
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
"rule_name": "Spike in AWS Error Messages",
"sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89",
"type": "machine_learning",
"version": 212
},
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "030f794bc9fe8acd0c6e7d24f93ccf1656808b54cd87b4027d431fabc125dce0",
"type": "eql",
"version": 312
},
"78e9b5d5-7c07-40a7-a591-3dbbf464c386": {
"rule_name": "Suspicious File Renamed via SMB",
"sha256": "8707838785d36a930a0b2e027746fc7dc78264f09fc45fdec3a61d89ae361de0",
"type": "eql",
"version": 6
},
"78ef0c95-9dc2-40ac-a8da-5deb6293a14e": {
"rule_name": "Unsigned DLL Loaded by Svchost",
"sha256": "727bed32f960f3646b304cd0dddef223d4d3389c7f0f1fe781a6429f84b3eebe",
"type": "eql",
"version": 10
},
"79124edf-30a8-4d48-95c4-11522cad94b1": {
"rule_name": "File Compressed or Archived into Common Format by Unsigned Process",
"sha256": "b1d168024b3a453b93f1e31cf146ca7287afc7386c503ff86dfd88c47aee5845",
"type": "eql",
"version": 6
},
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
"rule_name": "Azure Key Vault Modified",
"sha256": "662dc91439e997c034a7d87f072269b25668dcb3444557e4beac3dbf2ebc5f40",
"type": "new_terms",
"version": 107
},
"79543b00-28a5-4461-81ac-644c4dc4012f": {
"min_stack_version": "9.1",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "e952b2c22ea74d519101db31f240accb3c939550221f13dc5f35591267a4d717",
"type": "eql",
"version": 5
},
"9.0": {
"max_allowable_version": 203,
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "2e5fd5f8a4d3f408aa6fdaa1bd1f128bf6f322f9d431cf50b35d478658849263",
"type": "eql",
"version": 104
}
},
"rule_name": "Execution of a Downloaded Windows Script",
"sha256": "34ff2faea0f0010dbb984347aa520ba5d3cb219dcb2d9090d8a798f211e7a2af",
"type": "eql",
"version": 205
},
"7957f3b9-f590-4062-b9f9-003c32bfc7d6": {
"rule_name": "SSL Certificate Deletion",
"sha256": "5fbbd63d53cc0bd3f5bbee608b8d9827efa8a7109088607acffa178fec33e640",
"type": "eql",
"version": 105
},
"79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": {
"rule_name": "Potential Masquerading as System32 Executable",
"sha256": "8b980b38e01743202bf213e8e3a1684119d087b4ece47c02ca74498829afa271",
"type": "eql",
"version": 8
},
"79e7291f-9e3b-4a4b-9823-800daa89c8f9": {
"rule_name": "Linux User Account Credential Modification",
"sha256": "50562e7ed1bab71a9aaff6ee05bd9aeca8a88c82cb416c4040a682e448246eb8",
"type": "eql",
"version": 4
},
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"rule_name": "Potential File Transfer via Certreq",
"sha256": "739bccdcfd3db9fb32edaff3316a98acf52b7a8558af12bc59d2855b1961179a",
"type": "eql",
"version": 214
},
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "6dca80a21bd07d4cb0946bae4db9e87b3308a608f61d7f83ee89227f5470903f",
"type": "query",
"version": 217
},
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
"rule_name": "Network Sniffing via Tcpdump",
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
"type": "query",
"version": 100
},
"7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": {
"rule_name": "AWS First Occurrence of STS GetFederationToken Request by User",
"sha256": "7f73b59426def61220e9575ea798d2e13c5f8042e708adb4930dcac5af33f0a6",
"type": "new_terms",
"version": 6
},
"7ab5b02c-0026-4c71-b523-dd1e97e15477": {
"rule_name": "M365 AIR Investigation Signal",
"sha256": "7c2b1e9f0ab3d40c7743bcdd398666dea7ce01f11bbb9e71369a218dc1463f85",
"type": "query",
"version": 1
},
"7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": {
"rule_name": "Potential Privilege Escalation through Writable Docker Socket",
"sha256": "b1a7438795c58d0002c7f5acb4e0a0e859379c4d78e74453f89e03d1177191c9",
"type": "eql",
"version": 10
},
"7afc6cc9-8800-4c7f-be6b-b688d2dea248": {
"rule_name": "Potential Execution via SSH Backdoor",
"sha256": "822ab7570929788dc137266adcda1e304a01e733c283426f6c467a7521680cd3",
"type": "eql",
"version": 10
},
"7b08314d-47a0-4b71-ae4e-16544176924f": {
"rule_name": "File and Directory Discovery",
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
"type": "eql",
"version": 100
},
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
"rule_name": "Deprecated - AWS ElastiCache Security Group Created",
"sha256": "d73d32e46188296a20f50b9c74ae911374036b587ff978a813cffdc26e567c3d",
"type": "query",
"version": 210
},
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"rule_name": "Windows Network Enumeration",
"sha256": "1287015e2cbbf36f6c4fd25871e0f13e424829e01845ab1568b70bc999cc1c93",
"type": "eql",
"version": 216
},
"7b981906-86b7-4544-8033-c30ec6eb45fc": {
"rule_name": "SELinux Configuration Creation or Renaming",
"sha256": "132d0281d9ffb39716b5e09b2766d142277327f0aa62e243fc7be053cda4e360",
"type": "eql",
"version": 105
},
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "e0970ad84e517e202db952ebde06a5d447c4632796391a9ff76564e69d0b1ab7",
"type": "eql",
"version": 311
},
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
"rule_name": "Tampering of Shell Command-Line History",
"sha256": "86c142a7a15c278ed74582e86edcee7de433f554bb163446de4fa128c5a46b6a",
"type": "eql",
"version": 111
},
"7c2e1297-7664-42bc-af11-6d5d35220b6b": {
"rule_name": "APT Package Manager Configuration File Creation",
"sha256": "f81d72430f1b2d89ce17a700ebf187085759b5a6ebf54a9403e6e441bfeb17d4",
"type": "eql",
"version": 8
},
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
"rule_name": "Google Workspace Bitlocker Setting Disabled",
"sha256": "157e5ffc06f419ad6940e871b764ead2932667dd53a17c103978827e8a3116f1",
"type": "query",
"version": 109
},
"7ce5e1c7-6a49-45e6-a101-0720d185667f": {
"rule_name": "Git Hook Child Process",
"sha256": "a694f40a65b07c3c43af49d86e22e12be7e5373f3c29c10218235a7fc851d6de",
"type": "eql",
"version": 106
},
"7ceb2216-47dd-4e64-9433-cddc99727623": {
"rule_name": "GCP Service Account Creation",
"sha256": "1ff9d6f50da5c85c4aba702a23bff1479031602cd3c7b1418f230190dcb0dfe8",
"type": "query",
"version": 107
},
"7d02c440-52a8-4854-ad3f-71af7fbb4fc6": {
"rule_name": "Alerts From Multiple Integrations by Source Address",
"sha256": "1b10a9f9c9fdd43c1e8e5a1457824e37efbddc0f82866117cf399d9e5831b8ae",
"type": "esql",
"version": 3
},
"7d091a76-0737-11ef-8469-f661ea17fbcc": {
"rule_name": "AWS Lambda Layer Added to Existing Function",
"sha256": "9bd31c52b89b1c34fd08553ad975e18ed5d7bc6ec0b6940c262d7d9717a12c31",
"type": "query",
"version": 7
},
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
"rule_name": "Tor Activity to the Internet",
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
"type": "query",
"version": 100
},
"7dc45430-7407-4790-b89e-c857c3f6bf23": {
"rule_name": "Potential Execution via FileFix Phishing Attack",
"sha256": "3a1b732e8be3a1cf4952a67727c6163f1f442150dc53f09939833ae406ce4ab2",
"type": "eql",
"version": 1
},
"7dc921db-4cd3-48ef-88bf-2bfa91f29f5c": {
"rule_name": "Entra ID Custom Domain Added or Verified",
"sha256": "dd26cd3faf49a87dbdbae5742f5eea1de370b89f32551d8795c9b5175b405cde",
"type": "query",
"version": 1
},
"7df3cb8b-5c0c-4228-b772-bb6cd619053c": {
"rule_name": "SSH Key Generated via ssh-keygen",
"sha256": "53ba04010f20edbac2f1dd089f6e59d5828a9c6462083b10b69251dd20b2e843",
"type": "eql",
"version": 106
},
"7dfaaa17-425c-4fe7-bd36-83705fde7c2b": {
"rule_name": "Suspicious Kworker UID Elevation",
"sha256": "bf59b10250da89d024f6f5d1f4c7e97528116633e4d8418f440ad65dd0424702",
"type": "eql",
"version": 6
},
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "493e22ea78c761eae9056fac3878d9b6d1ebbaee2624fee14ae21875d09353b1",
"type": "eql",
"version": 313
},
"7e763fd1-228a-4d43-be88-3ffc14cd7de1": {
"rule_name": "File with Right-to-Left Override Character (RTLO) Created/Executed",
"sha256": "f568ead2710b37deeb2320ef4fc6ea487c4490d7ddb3b1b30f2a50461fbabeb5",
"type": "eql",
"version": 3
},
"7eb54028-ca72-4eb7-8185-b6864572347db": {
"rule_name": "System File Ownership Change",
"sha256": "cd283fa0bc6b54331bf4d6de31672ac996500854d552589e0fb3d87ee53718d7",
"type": "eql",
"version": 2
},
"7efca3ad-a348-43b2-b544-c93a78a0ef92": {
"rule_name": "Security File Access via Common Utilities",
"sha256": "aa8bd6fdfbed576bb8c1b64ea5fe017b18e991910e48f211f5b76ead1eaaedec",
"type": "eql",
"version": 106
},
"7f3521dd-fb80-4548-a7eb-8db37b898dc2": {
"rule_name": "Potential Notepad Markdown RCE Exploitation",
"sha256": "88714010e65bea6f44a54b09c5312c0844757ded9c621de9a615efcbfc8f73d7",
"type": "eql",
"version": 2
},
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "209bb76a623ef2ceecf2a1aee175416811264a846f5849790c6d7cbb8ef45131",
"type": "eql",
"version": 212
},
"7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b": {
"rule_name": "Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation",
"sha256": "6815297487b127a300e756f95452928556f43a380b3247d72f838c651ec85eb8",
"type": "eql",
"version": 1
},
"7f65f984-5642-4291-a0a0-2bbefce4c617": {
"rule_name": "Python Path File (pth) Creation",
"sha256": "9cb285c73a58b7f55d2270444624ce284968b053b72781884d5a33bff30e62b5",
"type": "eql",
"version": 6
},
"7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": {
"rule_name": "Web Server Potential SQL Injection Request",
"sha256": "e8f73888757eab5978f3e31aef96d979b411a46e20872f2538df52b0572a1cc3",
"type": "eql",
"version": 2
},
"7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
"rule_name": "Discovery of Internet Capabilities via Built-in Tools",
"sha256": "c36b3a20bc7851ef82f259a38a6c6a7ec11f8f1ed9af8787d9658342939f9463",
"type": "new_terms",
"version": 105
},
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"rule_name": "Systemd Timer Created",
"sha256": "ffd12199db7dafd205e3b23c7316d44a9a304ac3c3e6730b2075260fb983096c",
"type": "eql",
"version": 19
},
"7fc95782-4bd1-11f0-9838-f661ea17fbcd": {
"rule_name": "M365 Exchange Mailbox Items Accessed Excessively",
"sha256": "6fae3da0bf4143abd7787088664f1e758001bec8447d74fb799b599fcebbbd32",
"type": "query",
"version": 3
},
"7fda9bb2-fd28-11ee-85f9-f661ea17fbce": {
"rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded",
"sha256": "273635e3d94265c8539f908bff1965b23021614338a6e90d4dc7c080147d8dde",
"type": "eql",
"version": 10
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "ecaafc5bf5d7b3e1ea6d21e1969ffec6b5571bfc6d8a868e834f8b53ee791434",
"type": "new_terms",
"version": 110
},
"800e01be-a7a4-46d0-8de9-69f3c9582b44": {
"rule_name": "Unusual Process Extension",
"sha256": "85aada873799d2431ff32fe657e4ba002fcd4cf73c7d5d23d9660764dcec119d",
"type": "eql",
"version": 6
},
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
"rule_name": "Deprecated - Potential PowerShell Obfuscated Script",
"sha256": "72a01fd54afb28c944bf94f431e2f37ee0678bbd7fc3d85d119f6a3282220b26",
"type": "query",
"version": 109
},
"804a7ac8-fc00-11ee-924b-f661ea17fbce": {
"rule_name": "AWS SSM Session Started to EC2 Instance",
"sha256": "7021d0a49f1f181d98e8c95a1f7b133889bb579c31106b36cec007663429cb20",
"type": "new_terms",
"version": 5
},
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "e7c4132d51d3d348842c0ba1e39ac406a80258333d648ada160ba675f302facd",
"type": "eql",
"version": 107
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"rule_name": "Unusual City For an AWS Command",
"sha256": "272e14dd9496c7030d82926713a2ce20703c2bbdd138ab8e3102543dec9d6ed8",
"type": "machine_learning",
"version": 212
},
"80c52164-c82a-402c-9964-852533d58be1": {
"rule_name": "Process Injection - Detected - Elastic Endgame",
"sha256": "3d170371447ea0ae70919136a26912497111be7f8e2587724e3d9187e4608f77",
"type": "query",
"version": 105
},
"814d96c7-2068-42aa-ba8e-fe0ddd565e2e": {
"rule_name": "Unusual Remote File Extension",
"sha256": "71c7673c8d33664e251206a8c6b33692ab2583160ba5cb665ca3f4feb143979a",
"type": "machine_learning",
"version": 8
},
"8154d01d-04d1-4695-bcbb-95a1bb606355": {
"rule_name": "Gatekeeper Override and Execution",
"sha256": "8afead563aec10ecbe9ff320f472d7ef9aaecb7af95c998f1f5e9db6c65350e4",
"type": "eql",
"version": 1
},
"8167c5ae-3310-439a-8a58-be60f55023d2": {
"rule_name": "Suspicious Named Pipe Creation",
"sha256": "253e887c55def671178ffe4b57883d3bc98217574f194ba83ff1120724e1a7e3",
"type": "new_terms",
"version": 5
},
"81892f44-4946-4b27-95d3-1d8929b114a7": {
"min_stack_version": "9.3",
"rule_name": "Unusual Azure Activity Logs Event for a User",
"sha256": "3b6dd078f56e918a4356301a29cfba68433b1d0cfd22ff759aebf7778600c5ea",
"type": "machine_learning",
"version": 1
},
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "411db9f26f4878e2033a9601ec260076e0ae315d11b48c8c388f3452cc55d9d8",
"type": "eql",
"version": 315
},
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
"rule_name": "Persistence via Kernel Module Modification",
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
"type": "query",
"version": 100
},
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "067bbe4c3d422970852d7c5d7dbe42bb1d0dedee1abaedd5eb778bf92e40fbbd",
"type": "query",
"version": 318
},
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "739b4ff940e656c440d455ca916fb7a7619d4cb080a6a7ecebd1386e347a9de0",
"type": "eql",
"version": 113
},
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "05adc3d0061ec5ff0fcfef1b7b4774742c17bc49ce1d5932c4ce5a56238e3ff4",
"type": "eql",
"version": 212
},
"8293bf1f-8dd0-434e-b52a-1aa6ec101777": {
"rule_name": "Suspicious Write Attempt to AppArmor Policy Management Files",
"sha256": "805555cf50ddc4f2911f97266442eb357b42c55674a349ea4f73f305fce05479",
"type": "eql",
"version": 1
},
"82f842c2-7c36-438c-b562-5afe54ab11f4": {
"rule_name": "Suspicious Path Invocation from Command Line",
"sha256": "ad582fa6b85b731dfd67150d645a69c5478eea3109f26f40072c23b827f5968d",
"type": "new_terms",
"version": 6
},
"834ee026-f9f9-4ec7-b5e0-7fbfe84765f4": {
"rule_name": "Manual Dracut Execution",
"sha256": "3bc6296afa7a84b607821333ebadb5a4bf6583f34383b0ea2862032d4220bffe",
"type": "eql",
"version": 6
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"rule_name": "Potential Linux Local Account Brute Force Detected",
"sha256": "152b7876dd4317ea25bc84006aecaedf71528a0c13aa89171dbaee06e249ac49",
"type": "esql",
"version": 12
},
"8383a8d0-008b-47a5-94e5-496629dc3590": {
"rule_name": "Web Server Discovery or Fuzzing Activity",
"sha256": "8787d0cb27f370bbd955f6698debb537d8d9fd461b6ad06b70e5069711975bdd",
"type": "esql",
"version": 3
},
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
"rule_name": "Azure Kubernetes Services (AKS) Kubernetes Pods Deleted",
"sha256": "1807ed4b420937b5ad8f9500fd49c97726830c9013d83872b86052b660f36a42",
"type": "query",
"version": 107
},
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
"type": "eql",
"version": 100
},
"83bf249e-4348-47ba-9741-1202a09556ad": {
"rule_name": "Suspicious Windows Powershell Arguments",
"sha256": "553ef147268721ddc516e579c19daf3baccf3cbd76f1162888b183f723f1c224",
"type": "eql",
"version": 211
},
"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
"rule_name": "Attempt to Disable IPTables or Firewall",
"sha256": "9d5125b89bf4b28b23fd80a946975483f91bbbae3e051bccc7ca6128bb7e2918",
"type": "eql",
"version": 114
},
"8446517c-f789-11ee-8ad0-f661ea17fbce": {
"rule_name": "AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role",
"sha256": "09f6c49d3b72f57141f343b4f77c8b4112cb859139b6ef1a85f09ae998fb6a1f",
"type": "new_terms",
"version": 7
},
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"rule_name": "Deprecated - Microsoft Exchange Transport Agent Install Script",
"sha256": "231fa1320c2fe2c406250a79a7d96b9d5ba958d3b53f96867c8c3d563d7b55f5",
"type": "query",
"version": 110
},
"84755a05-78c8-4430-8681-89cd6c857d71": {
"rule_name": "At Job Created or Modified",
"sha256": "e03a6361412c5e8705b679c6544081b684e4b0d563f052e0624e583983c7baec",
"type": "eql",
"version": 7
},
"84d1f8db-207f-45ab-a578-921d91c23eb2": {
"rule_name": "Potential Upgrade of Non-interactive Shell",
"sha256": "a68732ae9d35dba87c95fbec9aec936ab7565c1de5ba804a22841eadf018b195",
"type": "eql",
"version": 108
},
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "8624f4e60af1f160aa68e3c6b11686acf57681f4864862952925ef57000708d8",
"type": "eql",
"version": 217
},
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
"rule_name": "Potential Remote Credential Access via Registry",
"sha256": "205dcbab529bfe7df0ee458c41dc53611d1634570eba8540c5243e4cca827912",
"type": "eql",
"version": 113
},
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
"rule_name": "Suspicious PowerShell Engine ImageLoad",
"sha256": "3d4e8b23caaf37cfeca9cb09bb5568d5eba46c78af72613b9b30c7f5e3043a03",
"type": "new_terms",
"version": 216
},
"85d9c573-ad77-461b-8315-9a02a280b20b": {
"min_stack_version": "9.3",
"rule_name": "Process Killing Detected via Defend for Containers",
"sha256": "801e043b5aec7ea7952aa8ade78a681fd2bb3fdde4e305a4c8dae8cda599d58d",
"type": "eql",
"version": 1
},
"85e2d45e-a3df-4acf-83d3-21805f564ff4": {
"rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
"sha256": "c396f8d6ed3ce693a1e895c47d620e54b123aade8d0fe2f21984be74f6d47b0c",
"type": "esql",
"version": 9
},
"860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
"rule_name": "Potential Subnet Scanning Activity from Compromised Host",
"sha256": "b29b22ccd587b0cd409163c8bcb8cbe450cd8de6a9879edb11b706e88090a34d",
"type": "esql",
"version": 9
},
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
"rule_name": "AWS EC2 Network Access Control List Deletion",
"sha256": "eb62471735cfd4bfb2cd002ade4f573a5b9115a04dd55af928694604808f56bc",
"type": "query",
"version": 211
},
"863cdf31-7fd3-41cf-a185-681237ea277b": {
"rule_name": "Deprecated - AWS RDS Security Group Deletion",
"sha256": "38f7dc5b29c5986c717c1259d1a767564079165597fcf2388d0c68538bc9609a",
"type": "query",
"version": 210
},
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
"rule_name": "AWS IAM Group Deletion",
"sha256": "9241124c7f4220175aa98fd31ad23ff6eb875c3ff08d333a6c3c7f80a0346066",
"type": "query",
"version": 211
},
"86aa8579-1526-4dff-97cd-3635eb0e0545": {
"rule_name": "NetworkManager Dispatcher Script Creation",
"sha256": "426456937bff5d6c76e9959095c5e30f7a9735e8bdad3fecebbc757628d21aae",
"type": "eql",
"version": 6
},
"86c3157c-a951-4a4f-989b-2f0d0f1f9518": {
"rule_name": "Potential Linux Reverse Connection through Port Knocking",
"sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc",
"type": "eql",
"version": 1
},
"870aecc0-cea4-4110-af3f-e02e9b373655": {
"rule_name": "Security Software Discovery via Grep",
"sha256": "dd820be9349011d4ec335569d9898cb70ea8a935ad0df6f01cbe987c9d711bc7",
"type": "eql",
"version": 113
},
"871ea072-1b71-4def-b016-6278b505138d": {
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "16a09969e21612a30a1b6a5e8210ee37ea2c34d611997845e31c136980d6de63",
"type": "eql",
"version": 218
},
"873b5452-074e-11ef-852e-f661ea17fbcc": {
"rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded",
"sha256": "ad55d7c869a8687881afbb4d90f0f33189652cba0b8de7c0f0f8778db0e12175",
"type": "query",
"version": 7
},
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
"sha256": "c30d4f3affb3f542a49d43b8722a103a8b771386946628814e8bc5b7f7bd18a6",
"type": "query",
"version": 211
},
"877cc04a-3320-411d-bbe9-53266fa5e107": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 100,
"rule_name": "Kubectl Network Configuration Modification",
"sha256": "f52b65c61add58050fdf37f23b51c7f49e70f75ffcd36f2a268c0c7d8fb5b4c7",
"type": "eql",
"version": 1
}
},
"rule_name": "Kubectl Network Configuration Modification",
"sha256": "610a8cb4d2094544038062f65ed4745f98198a7994038fa0aeb006581813e4de",
"type": "eql",
"version": 102
},
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
"type": "query",
"version": 100
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"rule_name": "Linux Clipboard Activity Detected",
"sha256": "586482d2e766199d7d20451c536089086726536ce2d6b78324c97ca9e8a27dac",
"type": "new_terms",
"version": 10
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"rule_name": "M365 Identity Global Administrator Role Assigned",
"sha256": "2b31ac6446ccc8882c59f1695ac283d95bd873f81e66fd55efcd8c5330ea7fc4",
"type": "query",
"version": 213
},
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "dffeb89bd2bc7aa9295056acf3f3e48cf641480002098af31aac13a9fd518282",
"type": "eql",
"version": 113
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"rule_name": "Potential Sudo Hijacking",
"sha256": "154688775047f1e42f01bfbe28727cdbb601d1e00c8e0e830004be87c6e9438d",
"type": "eql",
"version": 111
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "09e1c7f150b87198870ffe8fc507a6dc726cee93d0b56ac28541e82f1e09fdf0",
"type": "eql",
"version": 211
},
"894326d2-56c0-4342-b553-4abfaf421b5b": {
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
"sha256": "806992ca659709f31c282aa36432f26f3390a06a625c9a7a25de043e9d5f394d",
"type": "eql",
"version": 107
},
"894b7cc9-040b-427c-aca5-36b40d3667bf": {
"rule_name": "Unusual File Creation by Web Server",
"sha256": "c960e94b6fe858a351dc1e1bc20464d5403ad087c32cad69b265ddbca2bbcc6d",
"type": "esql",
"version": 6
},
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
"rule_name": "Linux Restricted Shell Breakout via the vi command",
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
"type": "eql",
"version": 100
},
"896a0a38-eaa0-42e9-be35-dfcc3e3e90ae": {
"rule_name": "FortiGate Overly Permissive Firewall Policy Created",
"sha256": "dce4787b06484f9e268d774d7f7f6199d15c9024ebf21b96d01d29eda07c2b61",
"type": "eql",
"version": 1
},
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "ebee242d6ebd5dd4df5eb9d53e35e8796a2b0bcb6e499808ec159da4d51abda8",
"type": "eql",
"version": 213
},
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"rule_name": "Suspicious Command Prompt Network Connection",
"sha256": "3213a8de8068cd9157da88af05f5df49400dc63b5a902a20fbd436008c12e78d",
"type": "eql",
"version": 213
},
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "e1d2923b4618260ae746187c3d2d189c499dd85784378c90e3221265517e2688",
"type": "eql",
"version": 110
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "c626e05d95bf6f2caeec7338d852ca07b9d6465fb05303e6c68a3d8ab6196eb4",
"type": "eql",
"version": 10
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "fb1ea0e63a803e1940dff9f62dd54930786b39fa993f1997a8229653dd5551ec",
"type": "eql",
"version": 211
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"rule_name": "GitHub PAT Access Revoked",
"sha256": "f2df2aa417dd23bf02331ebd404b3dd336f446beb1284f6393f29558895e7cbf",
"type": "eql",
"version": 206
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"rule_name": "SUID/SGID Bit Set",
"sha256": "e2a83a3fdca1852a222f19e286148fd37cec4304dc95d3edb9abb5c519dcc48d",
"type": "eql",
"version": 109
},
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "dd402a12633ed1ab118bbcbc953d65b005d1dc74c6eac3297fb4350cef59619b",
"type": "eql",
"version": 212
},
"8a1db198-da6f-4500-b985-7fe2457300af": {
"rule_name": "Kubernetes Unusual Decision by User Agent",
"sha256": "1e224a2bc29fa5fe95faf7db7dd26935a7eaea101a9e5bada56484b937112be5",
"type": "new_terms",
"version": 4
},
"8a556117-3f05-430e-b2eb-7df0100b4e3b": {
"rule_name": "FortiGate Administrator Login from Multiple IP Addresses",
"sha256": "8a440ac513665ee94c1d34a0b512de1f6e575d5edf5661d50035fb6a66156621",
"type": "esql",
"version": 2
},
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "dbce4eb6536e98fead4c6b92a94a9dfc69b503211cd450e3c89655a61ff3653d",
"type": "query",
"version": 413
},
"8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": {
"rule_name": "Unusual Command Execution from Web Server Parent",
"sha256": "532a58af8d89c41e3de894fde3842c7d363fe0607782382b0a6307e6ce89bfe1",
"type": "esql",
"version": 9
},
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
"rule_name": "Deprecated - Suspicious JAVA Child Process",
"sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693",
"type": "new_terms",
"version": 209
},
"8af5b42f-8d74-48c8-a8d0-6d14b4197288": {
"rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287",
"sha256": "f89e4c36997cbe9bbd3b245a20fdb5ca518b563f1fbeb22c2fdde82146a8ffde",
"type": "eql",
"version": 109
},
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "795dc8b265d22118111f0d5222bd9a7cd27f3afa85be0ed6cf1a82ebeeeff7b5",
"type": "eql",
"version": 313
},
"8b4d6c3a-2e9f-4b7c-9a5d-6f8e3c1b4d2a": {
"rule_name": "Azure Storage Account Keys Accessed by Privileged User",
"sha256": "13c93c67dce22b5c520c5d03a138357b9213cf966ca3d2a2406a76eeef54ce99",
"type": "new_terms",
"version": 1
},
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "99dc7a9c6876fec4e4060cdbcf28d7130c3565fea6a90dd59ca66e76b6b32c09",
"type": "eql",
"version": 314
},
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
"rule_name": "Azure Kubernetes Services (AKS) Kubernetes Events Deleted",
"sha256": "20b2586d7fe6f001abbc023f34c06f874edf48193694fcb62b237762033f9174",
"type": "query",
"version": 107
},
"8bd1c36a-2c4f-4801-a43d-ba696c13ffc2": {
"rule_name": "Several Failed Protected Branch Force Pushes by User",
"sha256": "3935786d70057d64ab74ad51d331966c633ef77288e78f0bd9fe008e0a5fd11a",
"type": "esql",
"version": 2
},
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
"sha256": "dcdfd61701dea4fe94233755e511f8bcf367c7b025cf088786c7a2d094011cec",
"type": "query",
"version": 107
},
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "049ee13aaa5ccfc606fd52f980a2bce0189ce70877afc655a8218996270d86b3",
"type": "eql",
"version": 317
},
"8c707e4c-bd20-4ff4-bda5-4dc3b34ce298": {
"rule_name": "GitHub Private Repository Turned Public",
"sha256": "42654e6c2452af15d18ae7b1e5c546972385081b427c52884bb51dd9bd60cd0f",
"type": "eql",
"version": 1
},
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
"rule_name": "Potential SharpRDP Behavior",
"sha256": "6d506eeffc6b03a3695cc525f379e6d1c988c17a56a8b90f8f8e202c073febb8",
"type": "eql",
"version": 111
},
"8c8df61f-ed2a-4832-87b8-ee30812606e0": {
"rule_name": "Potential Linux Tunneling and/or Port Forwarding via Command Line",
"sha256": "f4ec1a9e2f971442d5dbcfb322a4643fd862ebbfad2327f63defa293adad462a",
"type": "eql",
"version": 1
},
"8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": {
"rule_name": "Unusual Host Name for Okta Privileged Operations Detected",
"sha256": "7a6965067decb91421ed50757505f4af9ffd89cf9cf0f0e91cae128d11f3a3e9",
"type": "machine_learning",
"version": 3
},
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
"rule_name": "Ransomware - Detected - Elastic Endgame",
"sha256": "2011f6739abbd03c4369c3fa7727c0657b1f67a5333d12dd0d202ebdee66f918",
"type": "query",
"version": 105
},
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
"rule_name": "Potential Successful SSH Brute Force Attack",
"sha256": "39313bee43b740e0f0e4d9e657d8c296d27cf1b22b639cf3c6cc6163940f9905",
"type": "eql",
"version": 15
},
"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": {
"rule_name": "RPM Package Installed by Unusual Parent Process",
"sha256": "fd3063980542ef2a702e17a3d1846cff65911774f84b6f95d92358d7c03f8e7b",
"type": "new_terms",
"version": 6
},
"8cd49fbc-a35a-4418-8688-133cc3a1e548": {
"rule_name": "Proxy Execution via Windows OpenSSH",
"sha256": "b2cbea79be7cb1bdd6745a9aa091c6bab2f473f2dbbb56db20f761cb3b44584d",
"type": "eql",
"version": 1
},
"8d366588-cbd6-43ba-95b4-0971c3f906e5": {
"rule_name": "File with Suspicious Extension Downloaded",
"sha256": "f9b8f99ec26b989e24f1152d9ad42ab9af8e41d40acd404ef8667b07cb6f0ac4",
"type": "eql",
"version": 5
},
"8d3d0794-c776-476b-8674-ee2e685f6470": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Deprecated - Suspicious Interactive Shell Spawned From Inside A Container",
"sha256": "88ade54075f60d3f7d6b81818ce258f39b487468f44dde8a70aaac119e397edd",
"type": "eql",
"version": 5
}
},
"rule_name": "Interactive Shell Spawn Detected via Defend for Containers",
"sha256": "50e2c7782f8be9f72c7128dc4db0539b9d79ef43293b239f22635c9dbe0b1cd5",
"type": "eql",
"version": 105
},
"8d4d0a23-19d3-4186-a6f1-6f0760d2e070": {
"rule_name": "Multiple External EDR Alerts by Host",
"sha256": "f7b9e9fbe3d9cfbfb3793b59abf31a5bfa623b9ab49b9c176023b6db3ad28892",
"type": "esql",
"version": 3
},
"8d696bd0-5756-11f0-8e3b-f661ea17fbcd": {
"rule_name": "Entra ID OAuth ROPC Grant Login Detected",
"sha256": "c6a5293af2a49a475ae8216a308aed808bb06db83161d49a1d3fae4e71ada003",
"type": "new_terms",
"version": 2
},
"8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6": {
"rule_name": "Potential Data Exfiltration Through Wget",
"sha256": "8daccf899c1de00970772d1b6a6a89519475d13897cc49c15a3a4a4d4d619d79",
"type": "eql",
"version": 2
},
"8d9c4128-372a-11f0-9d8f-f661ea17fbcd": {
"rule_name": "Entra ID Elevated Access to User Access Administrator",
"sha256": "f3c8c758f1401358a58572b2f351d55e706b678acc2c00cec14b534ab3af2b84",
"type": "new_terms",
"version": 3
},
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
"rule_name": "Potential Privilege Escalation via PKEXEC",
"sha256": "deb464e30e85354dc3dcfc4f32483257772a7a1b609d9dc33a8560f230be4e90",
"type": "eql",
"version": 212
},
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
"rule_name": "Azure Automation Runbook Deleted",
"sha256": "846de30bfee2fb2851a8c6bdcfcca47cd415e4a2b0aeab32df3404dca827caae",
"type": "query",
"version": 106
},
"8e2485b6-a74f-411b-bf7f-38b819f3a846": {
"rule_name": "Potential WSUS Abuse for Lateral Movement",
"sha256": "13e32526ec5f3ea8afe105014601fb2d3cf7ede6434f1558469e2246d7a17072",
"type": "eql",
"version": 210
},
"8e39f54e-910b-4adb-a87e-494fbba5fb65": {
"rule_name": "Potential Outgoing RDP Connection by Unusual Process",
"sha256": "4d5ec92b6f2172b7a6f70ad0e96425134d404f434be5f19e8347ab2f531bce2d",
"type": "eql",
"version": 6
},
"8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": {
"rule_name": "Entra ID Actor Token User Impersonation Abuse",
"sha256": "f0f5507ec01c62ad2d52cfa28f5838a924c8c89eff04e88ea7870b454d0d8541",
"type": "esql",
"version": 5
},
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"rule_name": "Bitsadmin Activity",
"sha256": "ebcef83158cf83d309f5a795e4af56f9baaf29a4683c7458757351eec539a0f2",
"type": "eql",
"version": 108
},
"8eeeda11-dca6-4c3e-910f-7089db412d1c": {
"rule_name": "File Transfer Utility Launched from Unusual Parent",
"sha256": "7f9c0e2ac161d55ba0eb7cbe17ec9b58afd387e4186d09779061dc427cf38ba1",
"type": "esql",
"version": 9
},
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "148b2bc654243c7d2b288bd24935dfcf2bbe95f5389f6b3e61979400f65a353f",
"type": "eql",
"version": 107
},
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
"sha256": "90bfca890a90f146165106b1404b8a6885c1a3564652b5582fa49eba3b3ea4a9",
"type": "eql",
"version": 111
},
"8f8004e1-0783-485f-a3da-aca4362f74a7": {
"rule_name": "Linux User or Group Deletion",
"sha256": "fac2426e338073ef38d46aefaf5984f891f175da708d915a34cc536123f8eba9",
"type": "eql",
"version": 1
},
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "5a6c0fd9f1056ae1872a6860d6986dba91877e1eeb3641f5a39569457c350d3f",
"type": "eql",
"version": 210
},
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
"rule_name": "GCP Service Account Deletion",
"sha256": "d28cb031d8ed5b38960fed5ee753e8fcc442cf190199f12d1d7b4e3d117d8de1",
"type": "query",
"version": 107
},
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
"type": "eql",
"version": 100
},
"90169566-2260-4824-b8e4-8615c3b4ed52": {
"rule_name": "Hping Process Activity",
"sha256": "1209b2a3c652cad88138da2eb87892666eaa6d7c4a8b6182d2134dd19b745c51",
"type": "eql",
"version": 212
},
"9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": {
"rule_name": "GenAI Process Connection to Unusual Domain",
"sha256": "ab16862be294a8cafb0878421a7b9aafabca479c054566f98ab72db037fcd213",
"type": "new_terms",
"version": 4
},
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
"rule_name": "AWS RDS DB Instance or Cluster Deleted",
"sha256": "3602d27de89394c54e88e9f9e61c85c7fe63a2035148ba390a4631590844b731",
"type": "query",
"version": 211
},
"907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
"rule_name": "Simple HTTP Web Server Creation",
"sha256": "a23cba747475bf65ee2f72a8b5b8dc3170f33feba6b87c356651dc311074c83a",
"type": "eql",
"version": 105
},
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "c39cbcc9ec00fb8b8524d9882aa4493642e4a647cde6977cb299df8d20c86b1d",
"type": "eql",
"version": 113
},
"909bf7c8-d371-11ef-bcc3-f661ea17fbcd": {
"rule_name": "Excessive AWS S3 Object Encryption with SSE-C",
"sha256": "256a589cab0178165256a49917ed4905f485c3158a20f6bb14c3df1d0cf997e7",
"type": "threshold",
"version": 5
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"rule_name": "InstallUtil Activity",
"sha256": "1f836d04fff5d1714236d933b95423d63a44b8df46085065d9e394338ffd3e8c",
"type": "eql",
"version": 107
},
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
"rule_name": "Auditd Login Attempt at Forbidden Time",
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
"type": "query",
"version": 100
},
"90e4ceab-79a5-4f8e-879b-513cac7fcad9": {
"min_stack_version": "9.2",
"rule_name": "Web Server Local File Inclusion Activity",
"sha256": "33952d37f02671cfd9f0b61713e18036220cf9bd1a581fa74190fd1a7aceaa27",
"type": "esql",
"version": 2
},
"90e5976d-ed8c-489a-a293-bfc57ff8ba89": {
"rule_name": "Linux System Information Discovery via Getconf",
"sha256": "aa1f61fe8a16a44fd7569befb93e71d7bf94d8ade6285a0afabf70257ebdf9ec",
"type": "new_terms",
"version": 5
},
"90efea04-5675-11f0-8f80-f661ea17fbcd": {
"rule_name": "Entra ID Unusual Cloud Device Registration",
"sha256": "5b2c500cbc2dab1090c08cd6291b33e213a59618a2b5198d2e8b99f1b41b2dd5",
"type": "eql",
"version": 3
},
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
"rule_name": "GCP Virtual Private Cloud Route Creation",
"sha256": "9ed99ec9a3de42fb40262d6e25e3ad8a768e7d263d9871a96371fbd40bab8993",
"type": "query",
"version": 107
},
"91d04cd4-47a9-4334-ab14-084abe274d49": {
"rule_name": "AWS WAF Access Control List Deletion",
"sha256": "61c06b3226a56a2419db79c875557cc018c1da926b89cbbf2e8d3962167808ad",
"type": "query",
"version": 211
},
"91f02f01-969f-4167-8d77-07827ac4cee0": {
"rule_name": "Unusual Web User Agent",
"sha256": "ac0052e2c70450d918b677a7f8f2d3408af1b451b1788e4f8c86581933e2603e",
"type": "machine_learning",
"version": 107
},
"91f02f01-969f-4167-8f55-07827ac3acc9": {
"rule_name": "Unusual Web Request",
"sha256": "48f49cf6ff7a2b88e730b821486130bdeb51163a054125e315df8a5b5f18e1f5",
"type": "machine_learning",
"version": 107
},
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
"rule_name": "DNS Tunneling",
"sha256": "2871a56af162b6dcaa9cb770f845ce1100523e91f5cf859a93332be52e9d4a0c",
"type": "machine_learning",
"version": 107
},
"929223b4-fba3-4a1c-a943-ec4716ad23ec": {
"rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account",
"sha256": "e05cc04048543a016fd0b4cfe4f9c7ef35ce1777a691f3305b103b16989fb6eb",
"type": "threshold",
"version": 102
},
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "58da4c9a17bcfbc79ef87cb25e7a4fcf2d48d7ed569789517061ef9be0b86634",
"type": "query",
"version": 214
},
"929d0766-204b-11f0-9c1f-f661ea17fbcd": {
"rule_name": "M365 Identity OAuth Phishing via First-Party Microsoft Application",
"sha256": "dbc0ec41f751d7441029d96a10b598fb57dd1d8b6709ae7bd616890f2b0801fa",
"type": "query",
"version": 3
},
"92a36c98-b24a-4bf7-aac7-1eac71fa39cf": {
"rule_name": "First Time Python Spawned a Shell on Host",
"sha256": "e51b54650c42f9d44ee2560310bdc08ecb5641e1de49371a6ad5fe39db0610d5",
"type": "new_terms",
"version": 1
},
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"rule_name": "A scheduled task was created",
"sha256": "2ce457df9a671f64542590d29ec2bc1596c383270ec690af4ba166721023ef40",
"type": "eql",
"version": 114
},
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "adef5e4455f6e473e36a4449f35b4cc39bc56074ba769f171a3fa2a7514b6f83",
"type": "eql",
"version": 109
},
"93075852-b0f5-4b8b-89c3-a226efae5726": {
"rule_name": "AWS STS Role Assumption by Service",
"sha256": "03b386bdf11a11611a6a26938ba70a0bbf61c5512116c4ad60735dfffca3caa3",
"type": "new_terms",
"version": 214
},
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
"rule_name": "Sudoers File Activity",
"sha256": "94fc3790f7b269024ccf24f59ae98d94a131d31aa37ab462091d9ede98b5d6ef",
"type": "eql",
"version": 210
},
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
"rule_name": "AWS VPC Flow Logs Deletion",
"sha256": "a7065e1b8fe61ce3a22ffa4ef3c73475edafa82b86918e0e0c1225bc06fd4203",
"type": "query",
"version": 212
},
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "2f4bef09433201d5737c30386cbb965fe99bff5eb973d5f4b5d9e32905e035d5",
"type": "eql",
"version": 213
},
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"rule_name": "Deprecated - Encoded Executable Stored in the Registry",
"sha256": "819d88211a74681757c27c0eb0ea164fd5c4a94925056350fbf01ded6ddae907",
"type": "eql",
"version": 416
},
"93dd73f9-3e59-45be-b023-c681273baf81": {
"rule_name": "Linux Video Recording or Screenshot Activity Detected",
"sha256": "a7d3bdce1506512de3038f519099b488cfaf31a9ddf4c791ac8aca3c2861359b",
"type": "new_terms",
"version": 2
},
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
"rule_name": "Google Workspace Admin Role Deletion",
"sha256": "7be1cb011c38151697499b5072f449871604670f61f78a51bcc8cd4f20891454",
"type": "query",
"version": 208
},
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
"rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration",
"sha256": "1e54e18fae8c9afcee81de6f64a1d344e006e894e2357424bbdf76c9accceb1c",
"type": "new_terms",
"version": 208
},
"94418745-529f-4259-8d25-a713a6feb6ae": {
"rule_name": "Executable Bit Set for Potential Persistence Script",
"sha256": "c174873b577d0a7473d134cd1736941903ed102c0ff134d59d8b03a34388c261",
"type": "eql",
"version": 108
},
"947827c6-9ed6-4dec-903e-c856c86e72f3": {
"rule_name": "Deprecated - Creation of Kernel Module",
"sha256": "f57e1a7d616beee44b8df1ddbe37efef07389ae2b99b7b1490801184286ed01d",
"type": "eql",
"version": 6
},
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "17df1e8317f166bef619db95bf42ae315bcd87b76662babd058636cf0ed7532f",
"type": "eql",
"version": 214
},
"94e734c0-2cda-11ef-84e1-f661ea17fbce": {
"rule_name": "Potential Okta Credential Stuffing (Single Source)",
"sha256": "3582f68249eb42feefbaee5cb78961ee3fdf381c206fd4985291b0a08d16cab3",
"type": "esql",
"version": 210
},
"9510add4-3392-11ed-bd01-f661ea17fbce": {
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
"sha256": "9e8da7966327e7084cc501b66081920953cc7c1339a8928f7290e52a4d2ef593",
"type": "query",
"version": 109
},
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "d7a3f1617beda3e7d11241a3206a0f8603150de68cfd53d84abede9af4557d63",
"type": "query",
"version": 108
},
"952c92af-d67f-4f01-8a9c-725efefa7e07": {
"rule_name": "D-Bus Service Created",
"sha256": "4aa02955237441509504054ce456733c32d997d40043e181b87b1ebc1806a13e",
"type": "eql",
"version": 6
},
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"rule_name": "Remote Scheduled Task Creation",
"sha256": "6da3743f708580488d3f5e70ddab86ceadad147350a9bde3f95229d0021ba8c3",
"type": "eql",
"version": 214
},
"9563dace-5822-11f0-b1d3-f661ea17fbcd": {
"rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client",
"sha256": "d2d21e61aaed02eb91ca93acff976be021e0eed60574c4213334cd83c09fd7cc",
"type": "new_terms",
"version": 4
},
"959a7353-1129-4aa7-9084-30746b256a70": {
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "31e2f17d4f6eee75ad942db3473974cffd6ff8ed827c2e83eda081d95f4fccd6",
"type": "query",
"version": 213
},
"95b99adc-2cda-11ef-84e1-f661ea17fbce": {
"rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash",
"sha256": "cd1a5de507c25bd1a6334afde371785eb24794bfa0ef15228a7e405e5ae20e85",
"type": "esql",
"version": 208
},
"962a71ae-aac9-11ef-9348-f661ea17fbce": {
"rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
"sha256": "6a9330b4f80799423ca5aa1c542e8516f4fdae2830bbc271fb8933fd7e8747ac",
"type": "new_terms",
"version": 6
},
"9661ed8b-001c-40dc-a777-0983b7b0c91a": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
"sha256": "664d91c0caabcfe4dc2f59f70f0f2794d27fd6412090b2e38af73e4fe008def3",
"type": "eql",
"version": 4
}
},
"rule_name": "Sensitive Keys Or Passwords Search Detected via Defend for Containers",
"sha256": "a39b6d8b42657868bd51fc294ad4f68e4913d96ed2692c0b711d82a301b287c9",
"type": "eql",
"version": 104
},
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
"rule_name": "File made Immutable by Chattr",
"sha256": "f924c739edb9ebd321df9baebfbf20c658b48cffa6bc33e56a3061d08f2160d1",
"type": "eql",
"version": 217
},
"96b2a03e-003b-11f0-8541-f661ea17fbcd": {
"rule_name": "AWS DynamoDB Scan by Unusual User",
"sha256": "3eed4a4c3204cad01ff4a9d1c6cc455649e35300c8afa58eb7986f4f11d49357",
"type": "new_terms",
"version": 4
},
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"rule_name": "Attempt to Create Okta API Token",
"sha256": "a5d1a18063a75668e70700f1528f8337ed0d0f3744f711f615a6b1bc9a4164c7",
"type": "query",
"version": 412
},
"96d11d31-9a79-480f-8401-da28b194608f": {
"rule_name": "Message-of-the-Day (MOTD) File Creation",
"sha256": "ac357aa91e08aa36f7be5de2449841183f216d2ec7c667740a641a11b9c65e8d",
"type": "eql",
"version": 16
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"rule_name": "Keychain CommandLine Interaction via Unsigned or Untrusted Process",
"sha256": "c279f98199a5b04feb2862a6366b838116076f27a12f928988e6fa4747284e71",
"type": "eql",
"version": 212
},
"96f29282-ffcc-4ce7-834b-b17aee905568": {
"rule_name": "Potential Backdoor Execution Through PAM_EXEC",
"sha256": "fa1a3b730a4e917d8ec81a44c2b67adb54d122a598d6b6bccb4d8d840f2a5c9f",
"type": "eql",
"version": 3
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "fbebd44525dceef0ede4b04ea6dc25697c9905dcbe4212fe2c02f891abcb80a4",
"type": "eql",
"version": 113
},
"9705b458-689a-4ec6-afe8-b4648d090612": {
"rule_name": "Unusual D-Bus Daemon Child Process",
"sha256": "4d2ab02405987d41c1061c79fef892618ed337cd1d4ddfd42bdebc91365a3e07",
"type": "eql",
"version": 5
},
"97314185-2568-4561-ae81-f3e480e5e695": {
"rule_name": "M365 Exchange Anti-Phish Rule Modification",
"sha256": "2b964a8c532a4689975a238a7f95f7ce0da79f73064066690a1a3b8ab7648808",
"type": "query",
"version": 211
},
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
"rule_name": "GCP Storage Bucket Configuration Modification",
"sha256": "c138eb09128dd118093e7159c1ca2369fe0593b5c3cfead636e46f3864dae12d",
"type": "query",
"version": 107
},
"97697a52-4a76-4f0a-aa4f-25c178aae6eb": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - File System Debugger Launched Inside a Privileged Container",
"sha256": "2d3f1fb31aed3137b4c66bc1c06f0b69ebd962020c11d14fad42177ba41d2319",
"type": "eql",
"version": 3
}
},
"rule_name": "DebugFS Execution Detected via Defend for Containers",
"sha256": "6f417db542766a62e63ab34064859b422867fa877dea2028ac2b68a752952766",
"type": "eql",
"version": 103
},
"976b2391-413f-4a94-acb4-7911f3803346": {
"rule_name": "Unusual Process Spawned from Web Server Parent",
"sha256": "28badeba84b69db9ee4eb75b4f53ecf57a1f2b8ccb9d7c366d49d05603891751",
"type": "esql",
"version": 9
},
"979729e7-0c52-4c4c-b71e-88103304a79f": {
"rule_name": "AWS IAM SAML Provider Updated",
"sha256": "15e8bd9e821ff9f947a44455beebc90071a7d9a4dfedbf53a308edfee89bd817",
"type": "query",
"version": 212
},
"9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": {
"rule_name": "Potential HTTP Downgrade Attack",
"sha256": "332b2fd1b93728b75ec6644427e2c70a980d7b9e53a67f205181e14114d99b4f",
"type": "new_terms",
"version": 2
},
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications",
"sha256": "e60ca0f40eef1090732be6cccd54853228ee8d052ddf109441c7cc42cf9e8ba2",
"type": "eql",
"version": 417
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"rule_name": "Suspicious Zoom Child Process",
"sha256": "49e682ed0900fe6b4dd64afcb66820ad063b579ddb64ab9e0f6f7ed0df6b229e",
"type": "eql",
"version": 420
},
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
"type": "eql",
"version": 100
},
"97db8b42-69d8-4bf3-9fd4-c69a1d895d68": {
"rule_name": "Suspicious Renaming of ESXI Files",
"sha256": "de75fc9bf1e6b63717acafa0f2e0c57992bb564865585ee68a30b90e82d33346",
"type": "eql",
"version": 12
},
"97f22dab-84e8-409d-955e-dacd1d31670b": {
"rule_name": "Base64 Encoding/Decoding Activity",
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
"type": "query",
"version": 100
},
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "ca0340b830856c1096c16293dea815fc9e920d28b925cd1837d17de17f277612",
"type": "eql",
"version": 118
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User",
"sha256": "a0ba2bcc49a34c7465962ad88f73de571ce3f2066628be2012d784ad3c144815",
"type": "eql",
"version": 7
},
"9822c5a1-1494-42de-b197-487197bb540c": {
"rule_name": "Git Hook Egress Network Connection",
"sha256": "23c1a06c016f64ebd69f1851f64863ed4c9f284af3b1505f31fcd2e6dbb36eed",
"type": "eql",
"version": 6
},
"986361cd-3dac-47fe-afa1-5c5dd89f2fb4": {
"rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent",
"sha256": "cb9a8717146f6e34600a679ddc6cd6389f9467ebaf8262cb9fb5bd4aaa054eb7",
"type": "eql",
"version": 106
},
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "1d8b7387ffc9ba14ad87292fe10c366ccadee0b56b8e0932723616aa4afb8154",
"type": "eql",
"version": 107
},
"9890ee61-d061-403d-9bf6-64934c51f638": {
"rule_name": "GCP IAM Service Account Key Deletion",
"sha256": "117b18f02e0d843e522d6111e758b53add8d55cb5ea06ccb3cb11fe297f88a4b",
"type": "query",
"version": 107
},
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
"rule_name": "M365 Exchange Management Group Role Assigned",
"sha256": "310d0d96f9c9dbf8d2359b702dc07c8547995f273adb1feceedeb1824ae453ea",
"type": "query",
"version": 211
},
"98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Kubectl Configuration Discovery",
"sha256": "f1ce3b64d18b203d2a5640f04f3f140a038e195d7d299e1891dcd2e4cd5b0c67",
"type": "eql",
"version": 3
}
},
"rule_name": "Kubectl Configuration Discovery",
"sha256": "33897dd8a858f989c8a73f3f64ff7d370670cc9d413c2f2b022a4b1ef3ca0e10",
"type": "eql",
"version": 103
},
"98ebd6a1-77db-4fe1-b4fd-1bd3c737b780": {
"rule_name": "M365 SharePoint Site Administrator Added",
"sha256": "52534900cb089a485a4c94a1f500a1360cfdc36c116a0c025538279cd853204d",
"type": "query",
"version": 1
},
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
"rule_name": "Deprecated - AWS EC2 Snapshot Activity",
"sha256": "f018635a33a67f68ce5ed0b514c90f9a136b4bb3e7d4b2991c4d51c8bc7cb121",
"type": "query",
"version": 212
},
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
"rule_name": "Process Injection - Prevented - Elastic Endgame",
"sha256": "a0bffa98b85b5302f04968bd516704fa0a3f9b1d3c9378af798ce9ddbae69612",
"type": "query",
"version": 105
},
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"rule_name": "Suspicious Installer Package Spawns Network Event",
"sha256": "36abc0c0a66851f146ca5de478c883481a4db57dc1fa336a5e0434091e7e8288",
"type": "eql",
"version": 112
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "e6d17410dec032b711ab184de223d6a66583d99ce4761d37339a5dfddd2d61d4",
"type": "eql",
"version": 116
},
"9960432d-9b26-409f-972b-839a959e79e2": {
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "8644c4d2fd74db78d00a78306bbc41d28e0fa36336de210c61211c8d3b8b4c9a",
"type": "eql",
"version": 313
},
"999565a2-fc52-4d72-91e4-ba6712c0377e": {
"rule_name": "Access Control List Modification via setfacl",
"sha256": "14fa79860f040a253d5c11c72158206f1e5d8427bf093ceea28e56c485e5deb0",
"type": "eql",
"version": 107
},
"99ac5005-8a9e-4625-a0af-5f7bb447204b": {
"rule_name": "Potential Kerberos SPN Spoofing via Suspicious DNS Query",
"sha256": "386127d0c66af62ae5577f0cd57b8f5c8627cbcc9d3484f413ffe10d01dcabb2",
"type": "eql",
"version": 1
},
"99c2b626-de44-4322-b1f9-157ca408c17e": {
"rule_name": "Web Server Spawned via Python",
"sha256": "310b1e61d9b41741178106b8ba4ed0c827b48f8a08a902c110a7820c4292770e",
"type": "eql",
"version": 106
},
"99c9af5a-67cf-11f0-b69e-f661ea17fbcd": {
"rule_name": "Potential VIEWSTATE RCE Attempt on SharePoint/IIS",
"sha256": "bb8b21db9e5d74586d51fb821124a37c98917348d26a72bccecddea93d210c28",
"type": "query",
"version": 1
},
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
"rule_name": "Spike in Failed Logon Events",
"sha256": "f86fdfd7f9e5f3789e9063903170f36e24b74691d8e3c80a274cb3ad7158f35e",
"type": "machine_learning",
"version": 107
},
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
"rule_name": "Endpoint Security (Elastic Defend)",
"sha256": "9a34f25056907f42962de240e218fc715885d5e29636b34368c1b817e89a3e25",
"type": "query",
"version": 108
},
"9a3884d0-282d-45ea-86ce-b9c81100f026": {
"rule_name": "Unsigned BITS Service Client Process",
"sha256": "e5e1fcb9ece7005ef0bf2067c7f44e12d243276d89aa4b0a9100bfab5196ca5c",
"type": "eql",
"version": 5
},
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
"rule_name": "Potential Shadow File Read via Command Line Utilities",
"sha256": "e8efbccb131f12cbf2af6152d092d09160eccb18d0bf83fc5d299a3bb5ed419a",
"type": "new_terms",
"version": 213
},
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"rule_name": "Suspicious Explorer Child Process",
"sha256": "dd80f5817acac0027dcebc6619363825539469594a770675572c555afdec7fb7",
"type": "eql",
"version": 312
},
"9a6f5d74-c7e7-4a8b-945e-462c102daee4": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Kubeconfig File Discovery",
"sha256": "308de3e9eb7308216c0635af6334abd3db7814ad46abf18c269f84d999abd623",
"type": "eql",
"version": 3
}
},
"rule_name": "Kubeconfig File Discovery",
"sha256": "9cf4ca024bd0b6a65da57d83de692104a85e503c0b78462225df6cfa64aeb91e",
"type": "eql",
"version": 103
},
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "a18589e10e7f28f4117607f6677da79ad0fff040ad5c9d28e93f837471c51963",
"type": "eql",
"version": 314
},
"9aa4be8d-5828-417d-9f54-7cd304571b24": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to User",
"sha256": "86d167e1986ba99c8b7ea81757c48cac39323a28f9f2ac0428b65a90b0687300",
"type": "eql",
"version": 9
},
"9aeca498-1e3d-4496-9e12-6ef40047eb23": {
"rule_name": "Suspicious Shell Execution via Velociraptor",
"sha256": "138f1d64018a840b6ce3d00fc5ba4b817f9e711ef2388631f0f2846b54debe9e",
"type": "eql",
"version": 1
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "f2f81d6a850a0317bfda8ce3adb7dc062645f5850734d86e983f453a3f48bcd4",
"type": "eql",
"version": 209
},
"9b35422b-9102-45a9-8610-2e0c22281c55": {
"rule_name": "SentinelOne Alert External Alerts",
"sha256": "68730c7058c78efbdb1fa839ed203894407fe046b9db371d79697927d04df699",
"type": "query",
"version": 1
},
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "c41ecc6deef7ce4de642b215d877cca87c3bdd1c8dbbddece705c8d211f78b82",
"type": "eql",
"version": 317
},
"9b80cb26-9966-44b5-abbf-764fbdbc3586": {
"rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities",
"sha256": "a7fef893c45c5cdabba9e2538c69c7dabb406bf38fcd6126bf456dc4a00d5b0d",
"type": "eql",
"version": 9
},
"9c0f61fa-abf4-4b11-8d9d-5978c09182dd": {
"rule_name": "Potential Command Shell via NetCat",
"sha256": "8b7366396a7d5ebe64d336b843c68f81ab1cb913704133ec08cad70891f0de37",
"type": "eql",
"version": 1
},
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"rule_name": "Hosts File Modified",
"sha256": "2a3d34af24f45fc01ea0f0bcd3ba685e5a5caa3780e1818985ea77f40f1e9ffc",
"type": "eql",
"version": 214
},
"9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": {
"rule_name": "Unusual Interactive Shell Launched from System User",
"sha256": "bf3dbe84dcadf1939a398f274b6aa86c42aa4e5b12716ae9952a8477f0a5a02d",
"type": "new_terms",
"version": 5
},
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "e6d216b19b6e5cd9fca8a136dce8a450515c8dafb5e2d0e9015ab2456807aebe",
"type": "eql",
"version": 114
},
"9c951837-7d13-4b0c-be7a-f346623c8795": {
"rule_name": "Potential Enumeration via Active Directory Web Service",
"sha256": "01cc2728a3aaa64490a4359643d8ef66af312f2ca4a2e9b3c9cf9d655fafea00",
"type": "eql",
"version": 5
},
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "379df55e153fd1e17d278871998bcf006f466b6c83ec9dffcb79da7c95d5c2fe",
"type": "eql",
"version": 313
},
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
"type": "query",
"version": 104
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
"rule_name": "Trusted Developer Application Usage",
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
"type": "query",
"version": 100
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "3b27f84b414ad14fef5c881ba7fd992f1742573d61e05a2fe2b20222eed9f15e",
"type": "new_terms",
"version": 316
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "ea39741402eae1c2de3b16ea9b7967105bb1104d83fde8cee5a1ed125bc989b6",
"type": "eql",
"version": 316
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "f6ac7fc8d32860bef59151f6f6bd9f35f7f4a0d8c9b4030c1f4ece5e3958cfaf",
"type": "eql",
"version": 218
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "c0a27cb947621baeb5635ca97bbe0d49655c9dc8093857231da6d79f7279c93b",
"type": "eql",
"version": 213
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "4a20239c78d80594c4f6a58e043c0e56b3ef5484fbded24b2a3fc9c5fd95748f",
"type": "new_terms",
"version": 319
},
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "a072afc3d6fd07513849b5a4100fd01811c2a7a1f13ddf178a7e069277df0073",
"type": "eql",
"version": 211
},
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "1f613942d9635e2ee4408f035335dc11248c2834c138baa4e331d1a0ec21274c",
"type": "eql",
"version": 111
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"rule_name": "Unusual Linux Process Calling the Metadata Service",
"sha256": "17a28b4dce20cb1cb51218cf838490173d818ace7c6afb91e9ecee3e1b61b565",
"type": "machine_learning",
"version": 107
},
"9d312839-339a-4e10-af2e-a49b15b15d13": {
"min_stack_version": "9.3",
"rule_name": "Direct Interactive Kubernetes API Request by Common Utilities",
"sha256": "98030edf36d06cdf0146bc3be290891b259b6a33b280ec19ff6382cb1126c2f3",
"type": "eql",
"version": 1
},
"9d94d61b-9476-41ff-a8d3-3d24b4bb8158": {
"min_stack_version": "9.3",
"rule_name": "Tunneling and/or Port Forwarding Detected via Defend for Containers",
"sha256": "abda5d886c027c7acdd2c2c9794c552d98d75d0f329d924d0c9509263235ebb4",
"type": "eql",
"version": 1
},
"9e11faee-fddb-11ef-8257-f661ea17fbcd": {
"rule_name": "Entra ID User Sign-in with Unusual Authentication Type",
"sha256": "221e95b30c3f9132594ca8d2ea13d90345e2f5e585597c7ed073f601c81148e9",
"type": "new_terms",
"version": 6
},
"9e81b1fd-e9fb-49a7-8ebe-0d1a14090142": {
"rule_name": "Potential Password Spraying Attack via SSH",
"sha256": "d8a4e3fc4bb049f1a083e2c8df73eca8941cfc9eb80dc2c1b7a531fd8847c0d4",
"type": "esql",
"version": 1
},
"9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28": {
"rule_name": "Potential SSH Password Grabbing via strace",
"sha256": "d2fb1e7e88bb29491c8fa01f26a5a3a50a50065abdf06ed375a9b102a600ad60",
"type": "eql",
"version": 2
},
"9ebd48ac-a0e2-430a-a219-fe072a50146b": {
"rule_name": "AWS CloudTrail Log Evasion",
"sha256": "72fa86bb3d91c048d88e6a44f277390be7025a3e3382267559e14dd868db2651",
"type": "query",
"version": 2
},
"9ed5d08f-aad6-4c03-838c-d686da887c2c": {
"rule_name": "Okta AiTM Session Cookie Replay",
"sha256": "e83eb0975f982673d5e2c6240da8d5e17e7db175d72dc6df15da96c717104f26",
"type": "esql",
"version": 2
},
"9edd000e-cbd1-4d6a-be72-2197b5625a05": {
"rule_name": "Suricata and Elastic Defend Network Correlation",
"sha256": "069736ec0e27e4a41a9a2be1230b04c062e36fd2393cd332c593d7895d73e1ec",
"type": "eql",
"version": 2
},
"9edd1804-83c7-4e48-b97d-c776b4c97564": {
"rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
"sha256": "b19dffa62d3df7148544385ab17298f3037388eb487eaf544505b0c11521d102",
"type": "esql",
"version": 9
},
"9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
"rule_name": "AWS RDS DB Instance Made Public",
"sha256": "afa0e64706733be39b84d5ae11086fec9d877d20a2940d73afaad175a608b6ad",
"type": "eql",
"version": 7
},
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
"rule_name": "Potential Protocol Tunneling via EarthWorm",
"sha256": "fab80c2f6dc690690e50c96aae45d746097c2abeaccf36db7f08dc8ad4f43cce",
"type": "eql",
"version": 215
},
"9f432a8b-9588-4550-838e-1f77285580d3": {
"rule_name": "Dynamic IEX Reconstruction via Method String Access",
"sha256": "7045b58f9119ab5ed4fa366f17cda1286910cc23c9f46bf53054547d2fa5b56d",
"type": "esql",
"version": 11
},
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"rule_name": "Potential Credential Access via DCSync",
"sha256": "58e3c0aea20cbb6bf38b5fc51576fdae9771ad92b74fb600c1c75aa17ea15d1d",
"type": "new_terms",
"version": 220
},
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
"rule_name": "File Permission Modification in Writable Directory",
"sha256": "45ebd846873b2090df7ce820b0ff1b65be3335784a8f200e2a1204c9e088e1f4",
"type": "new_terms",
"version": 215
},
"a00681e3-9ed6-447c-ab2c-be648821c622": {
"rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"sha256": "eb1ea031af0b93072c60fe7de7f74b89ac24f851cffb1cdc9effa0c920bdb9ba",
"type": "new_terms",
"version": 318
},
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"rule_name": "Unusual Scheduled Task Update",
"sha256": "be27942be42700441e3710adb1e8971797e4427df302caac077fb90e58cb5173",
"type": "new_terms",
"version": 117
},
"a0ddb77b-0318-41f0-91e4-8c1b5528834f": {
"rule_name": "Potential Privilege Escalation via Python cap_setuid",
"sha256": "7f0125f7dcdbcaf2089a121b23b1595e7a3f36729d2b82c30cd5753352589f16",
"type": "eql",
"version": 8
},
"a0fbd7a9-1923-4e05-92df-b484168f17bc": {
"rule_name": "Sensitive File Access followed by Compression",
"sha256": "e910bf96c71ee8bb6fec3cc3fde5260a1fed7f1c8601a0b631e0f7af2bd9217b",
"type": "eql",
"version": 1
},
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
"rule_name": "GCP Pub/Sub Topic Creation",
"sha256": "99fda56283f6a5bc7b7a2a8f783178516e9590efeb3d04c0a96f7ba53346810e",
"type": "query",
"version": 108
},
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "422c5f78e61e61a60f06cc1a38e9759242687246cda0c59c36ef24db0cbd5359",
"type": "eql",
"version": 211
},
"a1329140-8de3-4445-9f87-908fb6d824f4": {
"rule_name": "File Deletion via Shred",
"sha256": "f8e895d4c1baeff1e615618dc43e5e9a9599d7f61f70f464c2074f5eaa35334a",
"type": "eql",
"version": 215
},
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "e387af91f7e1e693d71caa63bc7a80a8cad970b65d3b9b3790eba5b894e71fae",
"type": "eql",
"version": 212
},
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "12fb13bd4b276eee68b30f7ce5743d3f6da9f2da1f47d5c77aee0fb852f1eab0",
"type": "eql",
"version": 212
},
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
"rule_name": "GCP Virtual Private Cloud Route Deletion",
"sha256": "354d06b8918adc41575d74a6e7c19525f434aef4a51c270d1a82c77a009f667b",
"type": "query",
"version": 107
},
"a198fbbd-9413-45ec-a269-47ae4ccf59ce": {
"rule_name": "My First Rule",
"sha256": "63fb939bf754aaa427be9132c2868915140e558a8c69ce185d547593c05ab4ba",
"type": "threshold",
"version": 5
},
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
"rule_name": "Potential Reverse Shell Activity via Terminal",
"sha256": "85632de93b14e074f7b1cd989c58964ffacc5f4c3adb2d382c0092498fb89563",
"type": "eql",
"version": 111
},
"a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d": {
"rule_name": "Azure Storage Account Deletion by Unusual User",
"sha256": "a34ca5e23f6bdc0676fadb6a439653d4c17c1d7123a2399983f25d24ecabd5c6",
"type": "new_terms",
"version": 1
},
"a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d": {
"rule_name": "Potential Account Takeover - Logon from New Source IP",
"sha256": "8ac9e5ba81be809685d81c56be8945e7562564d2acda52497a6a52f9d76eba2f",
"type": "esql",
"version": 2
},
"a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890": {
"rule_name": "Entra ID Protection Admin Confirmed Compromise",
"sha256": "38404d75082d19283a1f7a678f193438c1eb1868ab1c395c3b5633bd6c8e89e4",
"type": "query",
"version": 1
},
"a1b2c3d4-e5f6-7890-abcd-ef1234567890": {
"rule_name": "GenAI Process Connection to Suspicious Top Level Domain",
"sha256": "c597b499c50eebdee9b57239e803b09995c9099b189f7337ed6bc1c272e861ea",
"type": "eql",
"version": 1
},
"a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": {
"rule_name": "Web Server Suspicious User Agent Requests",
"sha256": "94a64c4edcc2f609a23704924285d43d501c019eb270aa8ab580371e35072ef5",
"type": "esql",
"version": 3
},
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
"rule_name": "Linux Group Creation",
"sha256": "ec196dbd90d33ec4874a0ea55614963b84c0372bb694bfc00779f85daec00889",
"type": "eql",
"version": 10
},
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "f5f6233b37a46200c93eabea190aaca9549c10deb5f9d832bc8cbff7479e5302",
"type": "eql",
"version": 315
},
"a22b8486-5c4b-4e05-ad16-28de550b1ccc": {
"rule_name": "Unusual Preload Environment Variable Process Execution",
"sha256": "e180f5334c7287e0ac2dbfc6bb6815060f5a68ceaf301c52643dbd7e133285fb",
"type": "new_terms",
"version": 5
},
"a22f566b-5b23-4412-880d-c6c957acd321": {
"rule_name": "AWS STS AssumeRole with New MFA Device",
"sha256": "eaaea319c13caf1cf8e2da240548950d1975fa2cebbd2d4ee5fa97b8687ebf62",
"type": "new_terms",
"version": 6
},
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
"rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App",
"sha256": "290f5dd4735fc16f954e39d424d7f47daab28148de0828a8a22ea588eee81314",
"type": "query",
"version": 110
},
"a2951930-dd35-438c-b10e-1bbdc5881cb4": {
"rule_name": "Kubernetes Cluster-Admin Role Binding Created",
"sha256": "53c6415a825693d1082030f2418e73a5c0d9b060e7482c1890ddbd2c48728f5a",
"type": "query",
"version": 1
},
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "55d54469459e3e10c63d48e5b841cec3199fb5050e041092c06301b26217a960",
"type": "query",
"version": 113
},
"a300dea6-e228-40e1-9123-a339e207378b": {
"rule_name": "Unusual Spike in Concurrent Active Sessions by a User",
"sha256": "6766dc8f5e02b59766bf64222d202554ead379489ef45a93a89f75f34701b72b",
"type": "machine_learning",
"version": 3
},
"a337c3f8-e264-4eb4-9998-22669ca52791": {
"rule_name": "Kubernetes Potential Endpoint Permission Enumeration Attempt Detected",
"sha256": "c842a49d9921b27647b6349ad118e5d70cd985461f2b819bf9fa5f5a4a11bae3",
"type": "esql",
"version": 2
},
"a3cc60d8-2701-11f0-accf-f661ea17fbcd": {
"rule_name": "Entra ID Sharepoint or OneDrive Accessed by Unusual Client",
"sha256": "b0cb4bda3738ab20e63d9ccd9aa054a0151377801ad9d786fbe0ec4e521cd011",
"type": "new_terms",
"version": 4
},
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"rule_name": "Execution via local SxS Shared Module",
"sha256": "15ce53d9971d69e0cce8aa48ed7d5d0e8f07262067920ed25643ff74947439cd",
"type": "eql",
"version": 312
},
"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": {
"rule_name": "AWS EC2 Instance Interaction with IAM Service",
"sha256": "7f99f097bb57ddc1941d88331bcbee883d0ab39981bc2f9b36b90e3de2a4f6ed",
"type": "eql",
"version": 4
},
"a4b740e4-be17-4048-9aa4-1e6f42b455b1": {
"min_stack_version": "9.3",
"rule_name": "Spike in GCP Audit Failed Messages",
"sha256": "640606acf483065052865e9a6e801d491b8afb375423dfb06058d87b0b54b602",
"type": "machine_learning",
"version": 1
},
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
"rule_name": "Windows Registry File Creation in SMB Share",
"sha256": "0597bc8c77ba3bc0acc1e91426b0c1d17bd1799128e2d8549593007939740fbc",
"type": "eql",
"version": 112
},
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
"rule_name": "Network Connection via Mshta",
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
"type": "eql",
"version": 100
},
"a4f7a295-aba1-4382-9c00-f7b02097acbc": {
"rule_name": "Suspicious SolarWinds Web Help Desk Java Module Load or Child Process",
"sha256": "9bd9decc9c822a522bace342351db9b5899645c1b92caefa46a2b009e1b258d3",
"type": "eql",
"version": 1
},
"a52a9439-d52c-401c-be37-2785235c6547": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - Netcat Listener Established Inside A Container",
"sha256": "fd8969a55ab13b838a1e6d7c81ce6d0a88af0b34bec2c1e8ecd214505daf0196",
"type": "eql",
"version": 4
}
},
"rule_name": "Netcat File Transfer or Listener Detected via Defend for Containers",
"sha256": "fe7aecdc2e1b42b756c2f4858a8500d51905c2c99a9196db75f548c326d2b233",
"type": "eql",
"version": 104
},
"a577e524-c2ee-47bd-9c5b-e917d01d3276": {
"rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary",
"sha256": "ac4f1de021eef140be9defb824c7e9ee6b9253d4f74b46a48f745b35d636d7ee",
"type": "new_terms",
"version": 5
},
"a5eb21b7-13cc-4b94-9fe2-29bb2914e037": {
"rule_name": "Potential Reverse Shell via UDP",
"sha256": "ae71eb7835476969206ee90c8252e0a9b7f8981fcd5dec9dbe52e7dc2b7f7efa",
"type": "eql",
"version": 11
},
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
"sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22",
"type": "eql",
"version": 5
},
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 314,
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "2b5c3815588863a4c53018c1bf78b2e9b33ac20407ad8cf036a4226b127424c4",
"type": "new_terms",
"version": 215
}
},
"rule_name": "AWS IAM Assume Role Policy Update",
"sha256": "07e4d830eb22a626c11659d2c4d3ee7d09106df31772fc62b9088af6b2762f28",
"type": "new_terms",
"version": 315
},
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
"rule_name": "Entra ID PowerShell Sign-in",
"sha256": "2d6df52bc2882c8b98f3dc43e31ceb65ae06ac225eecffcabbcbebaae55f7dfb",
"type": "query",
"version": 109
},
"a6129187-c47b-48ab-a412-67a44836d918": {
"rule_name": "M365 Azure Monitor Alert Email with Financial or Billing Theme",
"sha256": "66d9cffd3773855d4fd0f97ae360322f71d92a037133a287df4d4ac524497a54",
"type": "esql",
"version": 1
},
"a61809f3-fb5b-465c-8bff-23a8a068ac60": {
"rule_name": "Threat Intel Windows Registry Indicator Match",
"sha256": "13b8297ead30f89bf1e834ac869dc0d250d9ed0b8604dea85acc5c85584ada84",
"type": "threat_match",
"version": 9
},
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"rule_name": "Suspicious MS Office Child Process",
"sha256": "c26ba77509e14edd7a244af9e057ae5c8ddde527759809d383616b2ad6d1dbb9",
"type": "eql",
"version": 317
},
"a640ef5b-e1da-4b17-8391-468fdbd1b517": {
"rule_name": "Execution via GitHub Actions Runner",
"sha256": "5c2e02372424c7523c482923663eaedd7d5dd64f7f91059d807cbd86fd1ab716",
"type": "eql",
"version": 1
},
"a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
"rule_name": "AWS S3 Bucket Server Access Logging Disabled",
"sha256": "9b5c902d75557d153526704fc38bebd9df6ca630b31a4753c02ff69f55b3afbf",
"type": "eql",
"version": 6
},
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"rule_name": "Emond Rules Creation or Modification",
"sha256": "f6db651d781c09513c5a405895ceaf3b0365f2c340923c3dfb7af7aa8094a077",
"type": "eql",
"version": 112
},
"a6d4e070-b9b9-4294-b028-d9e21ad47413": {
"rule_name": "Entra ID Protection User Alert and Device Registration",
"sha256": "7607cf57a33694aa6eda42e9a81e1648c3a6e269564960f460daa3b881dd0e62",
"type": "eql",
"version": 2
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"rule_name": "High Mean of RDP Session Duration",
"sha256": "98b2e7d0d5c6e743cfc10a8e3764d9e083ab3e45612f50c8e656c82b2c87a42e",
"type": "machine_learning",
"version": 8
},
"a750bbcc-863f-41ef-9924-fd8224e23694": {
"min_stack_version": "9.3",
"rule_name": "Payload Execution via Shell Pipe Detected by Defend for Containers",
"sha256": "5846c6b43e380d83d1c497de9db85c35f4fb983138dde4300adddb76e4cd3ec4",
"type": "eql",
"version": 2
},
"a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e": {
"rule_name": "Execution via OpenClaw Agent",
"sha256": "5f23f3e55cc3e972b4ab8b3d979202308afb708a2f40538f2566149e13026d87",
"type": "eql",
"version": 2
},
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
"rule_name": "Suspicious Print Spooler SPL File Created",
"sha256": "7e536fc3989bef73d2411edbb92974c04d3cc027f95843bd49731c3a42aa5367",
"type": "eql",
"version": 116
},
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "6a81227e9d0bdc6b5dfa8718dd52f25b2ded9ee3476c28f289aa5a5f2ac132f2",
"type": "eql",
"version": 315
},
"a7e9e2e8-3c5d-4b9a-8e7f-1a2b3c4d5e6f": {
"rule_name": "M365 Purview Security Compliance Signal",
"sha256": "d963fc1b077051067a8bc042f00ec72e4f00312ac6bc459bfacda7b80c2b9ec4",
"type": "query",
"version": 1
},
"a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e": {
"rule_name": "FortiGate SSL VPN Login Followed by SIEM Alert by User",
"sha256": "fa03b03f4ae7bbd7463ecc32a9d20f903f89538bd10fe1250ee3e6d6eda108a6",
"type": "eql",
"version": 2
},
"a80d96cd-1164-41b3-9852-ef58724be496": {
"rule_name": "Privileged Docker Container Creation",
"sha256": "4e3c23c7881aeb5c679a751675fc7441b3984d00897e461cd40ecaeba57cdc62",
"type": "new_terms",
"version": 6
},
"a80ffc40-a256-475a-a86a-74361930cdb1": {
"rule_name": "AWS IAM SAML Provider Created",
"sha256": "d5cdab921477a06497e239824cd88e803d3eb45dd7f85f9bc3ef531c713c400f",
"type": "query",
"version": 1
},
"a8256685-9736-465b-b159-f25a172d08e8": {
"rule_name": "Suspicious Curl to Jamf Endpoint",
"sha256": "96bdc6dda9b99337a375bda8f6a1c8755a9bd449a70db25466f3f8d135bc2ed8",
"type": "eql",
"version": 1
},
"a83b3dac-325a-11ef-b3e6-f661ea17fbce": {
"rule_name": "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker",
"sha256": "16514f9c9cd35b419a7ea68569c80f7a25b1f66370b0276cfa62cb3ec62b0c42",
"type": "query",
"version": 6
},
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
"sha256": "5477bb1770d6318e393bcc2afa8bb0beb8c77aa1af475f245c7cb193b9f51338",
"type": "query",
"version": 105
},
"a87d49f0-24ae-4d6e-a0b4-5fd2f6188d6a": {
"min_stack_version": "9.3",
"rule_name": "Kubectl Secrets Enumeration Across All Namespaces",
"sha256": "dd2e61c000cb7733d1035682841ea2bd21ce20c73dc2b64c291657550b304ab2",
"type": "eql",
"version": 1
},
"a8aaa49d-9834-462d-bf8f-b1255cebc004": {
"rule_name": "Authentication via Unusual PAM Grantor",
"sha256": "60319003b74e45deda3b2f9aef3f6d1b8a77a689505e9b01bdb66e0edc283460",
"type": "new_terms",
"version": 5
},
"a8afdce2-0ec1-11ee-b843-f661ea17fbcd": {
"rule_name": "Suspicious File Downloaded from Google Drive",
"sha256": "a986702b7238a13ac729d815815083fad17ac0cb185b211b536aafa325fda726",
"type": "eql",
"version": 8
},
"a8b08d2d-6dfe-453f-87d1-11d5fc3ec746": {
"min_stack_version": "9.3",
"rule_name": "File Download Detected via Defend for Containers",
"sha256": "7639716e2528d68b95b96d7b6b558489c5d3825d36ff2d4a98b810b4372c40ae",
"type": "eql",
"version": 2
},
"a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0": {
"rule_name": "Newly Observed ScreenConnect Host Server",
"sha256": "5a8acf8b9ca572d30b42f96b89249dc24621630278b9db105d665630cbb8cb34",
"type": "esql",
"version": 1
},
"a8b3c4d5-e6f7-8901-a2b3-c4d5e6f78901": {
"rule_name": "Azure Storage Blob Retrieval via AzCopy",
"sha256": "630eb9459fc7c5632430c7f31e2e7b09b45d97301ab806d43a312588e54ee683",
"type": "new_terms",
"version": 1
},
"a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": {
"rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand",
"sha256": "cd7321baa685c0b8fdee3998ff993ac2f4f5761124d7f2e78e2c404978211ab3",
"type": "esql",
"version": 2
},
"a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
"rule_name": "High Variance in RDP Session Duration",
"sha256": "c1b7d0299bdbc6612b5661369ed5e4594203e23f1ac7c6f66177a0d4e9e639c5",
"type": "machine_learning",
"version": 8
},
"a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": {
"rule_name": "Unusual Region Name for Okta Privileged Operations Detected",
"sha256": "c1754fb24018b0b1ad18dda900585a848ef023365ffdb417c9ee87a5e201ac4c",
"type": "machine_learning",
"version": 3
},
"a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f": {
"rule_name": "React2Shell (CVE-2025-55182) Exploitation Attempt",
"sha256": "a60f77fb20413deff742fb48c1ef902bdd8a712ed6eacc619eceaf824f93bfbe",
"type": "eql",
"version": 1
},
"a9198571-b135-4a76-b055-e3e5a476fd83": {
"rule_name": "Hex Encoding/Decoding Activity",
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
"type": "query",
"version": 100
},
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
"rule_name": "M365 Exchange Email Safe Link Policy Disabled",
"sha256": "d95fe7a8034cfa3811029416e206a44840af20beb42cbbeffd08e3655cb0331c",
"type": "query",
"version": 211
},
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
"rule_name": "Google Workspace Password Policy Modified",
"sha256": "81d1942ffab6ae0133a69e39a646edbdede691809bcbafff2767f9f328c796b0",
"type": "query",
"version": 208
},
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "544161a59a89370ab4438a8bd397acb36f3567b1c2af131d5856d084531ea717",
"type": "eql",
"version": 213
},
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
"rule_name": "IPSEC NAT Traversal Port Activity",
"sha256": "b03b17a6bc41837d91b2207e76fe08aec227bfb082ba903b23cd1a007cde63c8",
"type": "query",
"version": 108
},
"aa1e007a-2997-4247-b048-dd9344742560": {
"rule_name": "Script Interpreter Connection to Non-Standard Port",
"sha256": "b395e05708d4c9e34bae97f6daf956aa4e62e1d0b6d36e3342294d4e1fa442fb",
"type": "eql",
"version": 1
},
"aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": {
"rule_name": "Spike in Group Lifecycle Change Events",
"sha256": "3ab7c41b734b153c7587be53dfc664648e566347fe8811622b4ec7949d802ed9",
"type": "machine_learning",
"version": 3
},
"aa8007f0-d1df-49ef-8520-407857594827": {
"rule_name": "GCP IAM Custom Role Creation",
"sha256": "aa97f5795e7ab2d0faa239249f1d62103360fb6dbacdd0aabd4f4b4bb16e3be0",
"type": "query",
"version": 107
},
"aa895aea-b69c-4411-b110-8d7599634b30": {
"rule_name": "System Log File Deletion",
"sha256": "f1178ad0ef58ec25525ca5d80993d16b763e918ec464f6760f9ff20bca37019d",
"type": "eql",
"version": 217
},
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"rule_name": "Remotely Started Services via RPC",
"sha256": "a4fab962e929045f641696e751146d262d934876aa3bd42a8e4724c004a6e2d9",
"type": "eql",
"version": 216
},
"aaab30ec-b004-4191-95e1-4a14387ef6a6": {
"rule_name": "Veeam Backup Library Loaded by Unusual Process",
"sha256": "b3a7cd498fd33ca79fa1c69681eed2d788109c32e03d62a5bebd236cc6300abd",
"type": "eql",
"version": 5
},
"aab184d3-72b3-4639-b242-6597c99d8bca": {
"rule_name": "Threat Intel Hash Indicator Match",
"sha256": "e2a2498e73e3f61c27758713a85c042b5c136d49093f9f6e33faaf38267ece36",
"type": "threat_match",
"version": 10
},
"aabdad51-51fb-4a66-9d82-3873e42accb8": {
"rule_name": "GRUB Configuration Generation through Built-in Utilities",
"sha256": "f9c20c9f91ef5e4ec353c199251c1547907c932794c488f511af325a87b5fc6d",
"type": "eql",
"version": 5
},
"ab25369e-ea5e-46f1-9cd5-478a0a4a131a": {
"rule_name": "Multiple Elastic Defend Alerts by Agent",
"sha256": "242ee3fae70ef07f142db55fd2fc4688fb001c1d263753660e29cb815de22402",
"type": "esql",
"version": 1
},
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"rule_name": "Remote Execution via File Shares",
"sha256": "2b2ec6b74139595571db7fb15900c6301b821915bf8934804499f2a156001755",
"type": "eql",
"version": 121
},
"ab7795cc-0e0b-4f9d-a934-1f17a58f869a": {
"rule_name": "Potential Telnet Authentication Bypass (CVE-2026-24061)",
"sha256": "c1d2e49b9c7ced7cce10153c0338a47448b25c6a03c1e185a3ae353d07665b67",
"type": "eql",
"version": 2
},
"ab8f074c-5565-4bc4-991c-d49770e19fc9": {
"rule_name": "AWS S3 Object Encryption Using External KMS Key",
"sha256": "71757caa90c47ad78c9750b701a3a4990bc4f2fcfb319bea634a219e08afc265",
"type": "esql",
"version": 10
},
"ab9a334a-f2c3-4f49-879f-480de71020d3": {
"rule_name": "Unusual Library Load via Python",
"sha256": "8d7fc19513012d8ab86d3ad4472b072a5722b6e85b2d0dcf628a1f4568016ba7",
"type": "eql",
"version": 1
},
"aba3bc11-e02f-4a03-8889-d86ea1a44f76": {
"rule_name": "Perl Outbound Network Connection",
"sha256": "44441dd2aaf2ceb05edf4613d7ec999000efd12bb8d89d09c06b0711794db3ac",
"type": "eql",
"version": 1
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "f4415dd1ab33127524c8f8e5d3d96559ff08c874c75581ea1f418527b37f297c",
"type": "machine_learning",
"version": 209
},
"abc7a2be-479e-428b-b0b3-1d22bda46dd9": {
"rule_name": "Google Calendar C2 via Script Interpreter",
"sha256": "49b0695a34b73511dba9f1d043a882b463dcee2a9a40a7ce26a3056fc2699e8e",
"type": "eql",
"version": 1
},
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"rule_name": "Potential Persistence via Login Hook",
"sha256": "8817908d1fcc931d10eaa32b81fbcb6a57cbbb8130bf2b99e7f1ded843a88c10",
"type": "query",
"version": 111
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"rule_name": "Suspicious WerFault Child Process",
"sha256": "059547fd67e3b5a221405c2f551459a0e5da4b472574b7b0a9f647824eca93b2",
"type": "eql",
"version": 418
},
"ac531fcc-1d3b-476d-bbb5-1357728c9a37": {
"rule_name": "Git Hook Created or Modified",
"sha256": "df1810d9ad8194c8a2583139f77a9e651a3e8b83cde95f4f4822db4abbd83aa2",
"type": "eql",
"version": 107
},
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
"rule_name": "Outlook Home Page Registry Modification",
"sha256": "ccb9c2dedae4339f4a8402f20a272f5e31e98268fe151021905c5803581264a1",
"type": "eql",
"version": 207
},
"ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
"rule_name": "WPS Office Exploitation via DLL Hijack",
"sha256": "1f09c70ccb7bd829212e7f28d45b59ad23a8b162294e57623f186995150eb12a",
"type": "eql",
"version": 104
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"rule_name": "Unusual AWS Command for a User",
"sha256": "1bb48c457ffaa6213c29fb112617a61f4513cf5ed3fe8ae984d050f46f0e2a14",
"type": "machine_learning",
"version": 212
},
"ac8805f6-1e08-406c-962e-3937057fa86f": {
"rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server",
"sha256": "17ae9656179a2b6fb7f79aea315027f19f3111acdcf84c547588963f22d80cda",
"type": "eql",
"version": 11
},
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "6f62627b38152a2e8e01bc9b475438152d6eaf8ca51a8ccc5aee958b6bf090ef",
"type": "query",
"version": 214
},
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation",
"sha256": "269058c6e89f4b6bc7158aedc2e877924bd1b4c12f2370e52061d34e70314ad5",
"type": "query",
"version": 209
},
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
"rule_name": "Potential Command and Control via Internet Explorer",
"sha256": "268da22fe3012eb7235a40832d96ae587a9b50ab8bbb40fbf09a44b3912383c7",
"type": "eql",
"version": 109
},
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "dd2d6c056560cc33d94c90d31c595af511cc7337acf1609880294a656269fe42",
"type": "threshold",
"version": 111
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "0e892fd6bcef9c6cf7081f8e1038b23eed575c1f75deebe83a933f7b038987bf",
"type": "eql",
"version": 312
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "08722f5e5dd94f6aa3a6b9f961dc93e655489cf429a7bcc8d18387cad4c6ff0d",
"type": "eql",
"version": 314
},
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
"rule_name": "Proxy Port Activity to the Internet",
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
"type": "query",
"version": 100
},
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
"rule_name": "Google Workspace Custom Admin Role Created",
"sha256": "10870b0be6a523545f966558befd0ad3a93708d00bc14db5a1770e6c942a9596",
"type": "query",
"version": 208
},
"ad5a3757-c872-4719-8c72-12d3f08db655": {
"rule_name": "Openssl Client or Server Activity",
"sha256": "85c351391431f6667bc08d272b279b43c0e10d769c6f8e477d4951ddf99870eb",
"type": "eql",
"version": 107
},
"ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": {
"rule_name": "Decline in host-based traffic",
"sha256": "6fc5bbba4f289f6433e148acbd5a3f03e6a19a814418a883f6f068b46e73beae",
"type": "machine_learning",
"version": 4
},
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "1cab4d236af2187cf214d9f7698d6bafb8c4fbbae2f26d08efeea2017a7e0f32",
"type": "query",
"version": 216
},
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "d5725f7f8e8be780fd21622817a7fba7953922117e6f18da9a72966708dbe4ab",
"type": "eql",
"version": 110
},
"ad959eeb-2b7b-4722-ba08-a45f6622f005": {
"rule_name": "Suspicious APT Package Manager Execution",
"sha256": "78f73bba97b67da61f9a1ce9f381ede05cd7b1d5148ea1b0446c91c90540f768",
"type": "eql",
"version": 110
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"rule_name": "File Transfer or Listener Established via Netcat",
"sha256": "4239c0e54a533bf54ce1ffa594d9547a1893c342c07465a5a130880daf78662a",
"type": "eql",
"version": 215
},
"adbfa3ee-777e-4747-b6b0-7bd645f30880": {
"rule_name": "Suspicious Communication App Child Process",
"sha256": "daaae8ed9bbb55f911868f672baf1ab3fddecc6081cba618abc705d40485e3a1",
"type": "eql",
"version": 12
},
"ae343298-97bc-47bc-9ea2-5f2ad831c16e": {
"rule_name": "Suspicious File Creation via Kworker",
"sha256": "7a29c8e7bc280e7a42cceecbdf82a980b9650be7de3082b0f18e7adfd0571ee6",
"type": "eql",
"version": 110
},
"ae3e9625-89ad-4fc3-a7bf-fced5e64f01b": {
"rule_name": "Suspicious React Server Child Process",
"sha256": "f464b42faa30ed9c4a481383ade936264f8ae7018b3bbf4388d5ab11e87a8a62",
"type": "eql",
"version": 2
},
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "967c59ea43c5beb353059b127aead53cfc4bb82df6b3deffafa653e4fea554c8",
"type": "eql",
"version": 208
},
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"rule_name": "Shared Object Created by Previously Unknown Process",
"sha256": "da6adafb32495d2bbd2fb19670ba6a7fbe02883ae1b35a39820e364ff5b5314b",
"type": "new_terms",
"version": 14
},
"aeebe561-c338-4118-9924-8cb4e478aa58": {
"rule_name": "CrowdStrike External Alerts",
"sha256": "037f1bbd2a34edbd83be30b5fe879ea4147544e216a7ecf2e0337b876b72ec45",
"type": "query",
"version": 2
},
"af1e36fe-0abd-4463-b5ec-4e276dec0b26": {
"rule_name": "Linux Telegram API Request",
"sha256": "477d7d002c39e4eb1eb850629c391b63246779ac7e4ed964b3688f79d0d83941",
"type": "eql",
"version": 4
},
"af22d970-7106-45b4-b5e3-460d15333727": {
"rule_name": "Entra ID OAuth Device Code Grant by Unusual User",
"sha256": "8d9b8457210e9a424a62e6747d90cb0a5f9f302e639ecc373cce226284489ca0",
"type": "new_terms",
"version": 8
},
"af2d8e4c-3b7c-4e91-8f5a-6c9d0e1f2a3b": {
"rule_name": "Okta Alerts Following Unusual Proxy Authentication",
"sha256": "654269218ea4d36e4c6c44c897f0d1045a8e3958ec8ada141505606d41445514",
"type": "eql",
"version": 1
},
"afa135c0-a365-43ab-aa35-fd86df314a47": {
"rule_name": "Unusual User Privilege Enumeration via id",
"sha256": "58f5a32068e937f8a5a7e0ebf56c814d9d90bc5411188e096283a1699389e0bf",
"type": "eql",
"version": 9
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"rule_name": "Local Scheduled Task Creation",
"sha256": "b39882a9dab604277a59054b6df0d7b8110f25764a4dab64f049de9fe081793b",
"type": "eql",
"version": 212
},
"afd04601-12fc-4149-9b78-9c3f8fe45d39": {
"rule_name": "Network Activity Detected via cat",
"sha256": "551fb537c43ddce4d157eefb1f9e89955a4766f5a4742d877fc0926debec39bb",
"type": "eql",
"version": 11
},
"afdca1e0-0f8a-4fcf-9e1e-95e09791e3cd": {
"rule_name": "Curl Execution via Shell Profile",
"sha256": "d8cd404e877272b325b702a0e8ac4f18db2c194ae25f1bec87a5deb487850f3c",
"type": "eql",
"version": 1
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "d8caabf41661b7eede526f852cecc1cb3fb45052aaaf902375b23226bf0ecca4",
"type": "eql",
"version": 10
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"rule_name": "Timestomping using Touch Command",
"sha256": "4fd7e132e755404d1ae3176095c943d11912cc430d74e29e24622bf7b9118cf2",
"type": "eql",
"version": 110
},
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "1a1342dd0291e3a2607fe7016af4f30658ce19b6c109196a12a2edc9103fbcef",
"type": "eql",
"version": 110
},
"b0450411-46e5-46d2-9b35-8b5dd9ba763e": {
"rule_name": "Potential Denial of Azure OpenAI ML Service",
"sha256": "5a86479548e1f4f7144d5006bfc38aad7c46f5d62ab025a804f899a4572ee5cf",
"type": "esql",
"version": 4
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"rule_name": "Netsh Helper DLL",
"sha256": "a50c04fdc476c71125eea0ba039cb89bf18e557653c7d2c893bd62b964d5d703",
"type": "eql",
"version": 206
},
"b07f0fba-0a78-11f0-8311-b66272739ecb": {
"rule_name": "Unusual Network Connection to Suspicious Web Service",
"sha256": "9797dcc6378c0d57e76f5bd680375872b642a475cef26b5bbdf5a241bf149ec5",
"type": "new_terms",
"version": 5
},
"b0c98cfb-0745-4513-b6f9-08dddb033490": {
"rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables",
"sha256": "deec12e81c3d8c2bda1563d1d7e93dc1148fff91ddea9ab3eaff47117ad97a1d",
"type": "esql",
"version": 10
},
"b11116fd-023c-4718-aeb8-fa9d283fc53b": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Kubeconfig File Creation or Modification",
"sha256": "6a08ab8625a65609aa0bef37ef07d25179e617112666f1746d309fc4c5863570",
"type": "eql",
"version": 3
}
},
"rule_name": "Kubeconfig File Creation or Modification",
"sha256": "66a13f6294c6ee5ca9b08ab89692540cb784861984f18bb86b41db4c2b14b9c9",
"type": "eql",
"version": 103
},
"b15a15f2-becf-475d-aa69-45c9e0ff1c49": {
"rule_name": "Hidden Directory Creation via Unusual Parent",
"sha256": "a716f97119f1a7d01b1d42ed01f50aa1449a2b0330b185499e04caa530245f62",
"type": "eql",
"version": 106
},
"b1773d05-f349-45fb-9850-287b8f92f02d": {
"rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes",
"sha256": "9e418c454131da6894a78ddf5a4953ab68e81617b619ef5fc4f5b413511a3efb",
"type": "esql",
"version": 6
},
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
"rule_name": "Potential Persistence via Cron Job",
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
"type": "query",
"version": 100
},
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"rule_name": "Potential Network Share Discovery",
"sha256": "bb9bb0209d6b77927b4ec4b99c54e1510142c41168681b3eeb06a29054ae1d1c",
"type": "eql",
"version": 109
},
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
"rule_name": "Spike in Network Traffic",
"sha256": "6f5749f79295a76dfb8b39ad7c7cd307890d4e6907b1978e040776de3c977e5b",
"type": "machine_learning",
"version": 108
},
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "b9290b1a6d982395b7ea3dab20adc846398f3fbf1226c1238bcc889627029f9a",
"type": "eql",
"version": 217
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"rule_name": "Deprecated - M365 Security Compliance Unusual Volume of File Deletion",
"sha256": "f86f481f50bb0a81e04e053d44c7884c19126b9335761ec525ef2835a4be5a26",
"type": "query",
"version": 212
},
"b29b7652-219f-468b-aa1f-5da7bcc24b03": {
"rule_name": "Potential Traffic Tunneling using QEMU",
"sha256": "cd6c7c8ebd7053c22aea64363f762d7a129e69574650d16e1cff644d71ec01ab",
"type": "eql",
"version": 1
},
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "5ae46136e4a5238cfa794a88f7f0b05e83998ae1b1211edf89c69ad05cf6b4d0",
"type": "eql",
"version": 212
},
"b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e": {
"rule_name": "Azure Storage Account Deletions by User",
"sha256": "0f80a00629784a14aee160694167d10df069b573b26579e2bc65a08152b94be1",
"type": "threshold",
"version": 1
},
"b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e": {
"rule_name": "Potential Account Takeover - Mixed Logon Types",
"sha256": "09c99a80ca039fd0666a6d10512f3feb61fe4b3aeab6c4f625ac892d13462fdb",
"type": "esql",
"version": 2
},
"b2c3d4e5-f6a7-8901-bcde-f123456789ab": {
"rule_name": "GenAI Process Compiling or Generating Executables",
"sha256": "1b44e3cddeb6ca2f774015e8420483b4590ca117d2b4e014e2a651e58d0075d6",
"type": "eql",
"version": 1
},
"b2c3d4e5-f6a7-8901-bcde-f23456789012": {
"rule_name": "GenAI or MCP Server Child Process Execution",
"sha256": "e63520b1ec668be51223850b69f8993bb005a5c45f77738dd229a1d2e4254334",
"type": "eql",
"version": 2
},
"b347b919-665f-4aac-b9e8-68369bf2340c": {
"rule_name": "Unusual Linux Username",
"sha256": "ebac0be3cc98660cdc22804d5fb5347f782deed7f06851e8d9774d2b80988cf1",
"type": "machine_learning",
"version": 107
},
"b36c99af-b944-4509-a523-7e0fad275be1": {
"rule_name": "AWS RDS Snapshot Deleted",
"sha256": "0e205375dc32c8ec2ab27fb098c7166cde2e60a4e7bfeda0a3b2de5ee7b82bb9",
"type": "eql",
"version": 7
},
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "663662cad8b04fffd15af7a0863496bc68ba12a9ac0245a2bfdaf1b9c63e284d",
"type": "eql",
"version": 319
},
"b42e4b88-fc4a-417b-a45e-4d4a3db9fd41": {
"rule_name": "Suspicious Python Shell Command Execution",
"sha256": "dd9a52bf74d28ebffb64b83134917f8d6aee148108e4fb2f7cde27b41fb69285",
"type": "esql",
"version": 1
},
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "b39b64612ea429e5a2ed645157eee033df7f908d4e338f5dc7f27ef9f7257b39",
"type": "eql",
"version": 214
},
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "20bfd59b3360c88f5f3e56a5321f9e88ffc3bafa00b215c52a612b5cc107f44c",
"type": "eql",
"version": 110
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"rule_name": "AWS STS GetSessionToken Usage",
"sha256": "d262c23e0e416fa8b25a50e95e04b830957bc29495995da225b0ab30d09de3ba",
"type": "query",
"version": 210
},
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"rule_name": "At.exe Command Lateral Movement",
"sha256": "d31b85a4a0c3afbb2fa6829eab9297104af0e9d5fb668fe2f19260b5b0303df0",
"type": "eql",
"version": 108
},
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "774aa21659a63c8b8b6166215078531f5d94fd43b5e2ee37fd411ccca68d5991",
"type": "query",
"version": 413
},
"b4bd186b-69c6-45ad-8bef-5c35bbadeaef": {
"min_stack_version": "9.3",
"rule_name": "Potential Direct Kubelet Access via Process Arguments Detected via Defend for Containers",
"sha256": "e26d8865848df84bf05891fff57ff9bafd1acf3c54e699d5cd07d4c923ed9727",
"type": "eql",
"version": 1
},
"b51dbc92-84e2-4af1-ba47-65183fcd0c57": {
"rule_name": "Potential Privilege Escalation via OverlayFS",
"sha256": "3852b315ecbd762ca27f312ca2ad0f3b674dff45eca735c17f0bdddcd36e9769",
"type": "eql",
"version": 9
},
"b53f1d73-150d-484d-8f02-222abeb5d5fa": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Kubernetes Direct API Request via Curl or Wget",
"sha256": "df70d0745c16f105c5b28d1558cd717f10f40ed6dc2158b67f3455c357249582",
"type": "eql",
"version": 2
}
},
"rule_name": "Kubernetes Direct API Request via Curl or Wget",
"sha256": "20b5bcb6b45398978619e78190a331e01385bd5c092d0769e6b36d1c8a28e413",
"type": "eql",
"version": 103
},
"b5877334-677f-4fb9-86d5-a9721274223b": {
"rule_name": "Clearing Windows Console History",
"sha256": "87d181da2c1d56e01ef1c972e929acaed2bc1160d0cf3f45b3741f8b073c130f",
"type": "eql",
"version": 318
},
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "c6f479ab0fcd76fd0a3254a67a74547f22840b4bde814cf46af69361e36d4d85",
"type": "eql",
"version": 316
},
"b605f262-f7dc-41b5-9ebc-06bafe7a83b6": {
"rule_name": "Systemd Service Started by Unusual Parent Process",
"sha256": "57cf240369b6476819ff1428960e30c61087363abaddc996cb3f1c307d126f72",
"type": "new_terms",
"version": 7
},
"b625c9ad-16e5-4f16-8d38-3e9631952554": {
"rule_name": "AWS CloudShell Environment Created",
"sha256": "c4fccaa7aab536283674e16a7b11aa361376826cbb7bd03f2eb2bdb49c64a25a",
"type": "query",
"version": 1
},
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
"rule_name": "Elastic Agent Service Terminated",
"sha256": "f58ebba1d4063ee0e5e0fad5b21e9dd7db61d517b25b32a324094ba175a2b5e2",
"type": "eql",
"version": 113
},
"b64b183e-1a76-422d-9179-7b389513e74d": {
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "c81ac4b9460caa3eeca4379f6ccfc4b06e1ee9b8437a5b9c88d91bd1eb0f6860",
"type": "eql",
"version": 213
},
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "94d59eb9110fa3146a9b5d7d6c7581e612695b83558cc2f640745f6a2fe1c47b",
"type": "eql",
"version": 207
},
"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
"sha256": "209df9ae546ce07831a4b3ba56aba23d6f88229516b869bf7b7b1d654f795f55",
"type": "eql",
"version": 107
},
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
"sha256": "606d597ff55dce161d5826494f5c021adc1a97e3696c40533bbbc2491ef481f4",
"type": "query",
"version": 107
},
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "4cddeb02ca83f5ec2218122735fb4489929a8613f1d7da7bab02a3d2a4a87cdc",
"type": "query",
"version": 413
},
"b799720e-40d0-4dd6-9c9c-4f193a6ed643": {
"min_stack_version": "9.3",
"rule_name": "File Creation and Execution Detected via Defend for Containers",
"sha256": "4e1519a4656adf5de7dc890fa4f66a7b9a90263c36d67d8096b6835ad4f17220",
"type": "eql",
"version": 1
},
"b7c05aaf-78c2-4558-b069-87fa25973489": {
"rule_name": "Potential Buffer Overflow Attack Detected",
"sha256": "11fb2c414420fb768ad7993fc68b1c74c07ed35b6a72c9b94fad1706a163e9d3",
"type": "threshold",
"version": 4
},
"b7e2a04d-4f8a-4e12-8c9a-1d5e6f7a8b9c": {
"rule_name": "FortiGate Configuration File Downloaded",
"sha256": "dadf194589874cdb80905bdf9fda73d3c06041b662cef7f27dc6fa15a1a8a1a8",
"type": "eql",
"version": 1
},
"b7f77c3c-1bcb-4afc-9ace-49357007947b": {
"rule_name": "Multiple Alerts on a Host Exhibiting CPU Spike",
"sha256": "3fc38efdfb54c28bd83b93be278e07a0480084d972768a3dac3e6d6187408cb7",
"type": "esql",
"version": 3
},
"b8075894-0b62-46e5-977c-31275da34419": {
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "d5413219e7e19880fd290c1a21c134fc35ace0ab27f8d072b6acb7e98b834264",
"type": "query",
"version": 412
},
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5": {
"rule_name": "Linux System Information Discovery",
"sha256": "fa7b67791e4a1c0bddd450fbbbaf999f5c80e8ca6fdcb193e3822be4d331ba5b",
"type": "new_terms",
"version": 8
},
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "1e13c08a49a32e6ba3fd692d5e4a1a4a26a4a16e1c9aeea2ee40dff66fc30010",
"type": "query",
"version": 111
},
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "5e9c3cd4768e1f8abff71d8323e0a0808368503ce204d18acc448b89e3539f73",
"type": "eql",
"version": 415
},
"b84264aa-37a3-49f8-8bbc-60acbe9d4f86": {
"min_stack_version": "9.3",
"rule_name": "Tool Enumeration Detected via Defend for Containers",
"sha256": "37e4e5763b25cbe64d5632bc00bbda463f9ba20fc814a0423fd17c8143dc22a0",
"type": "eql",
"version": 1
},
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"rule_name": "Network Connection via MsXsl",
"sha256": "bcdd20128f5b5f6c161154d5df0b9bd8f96456e094845f30e33f1b159aad6694",
"type": "eql",
"version": 210
},
"b8c3e5d0-8a1a-11ef-9b4a-f661ea17fbce": {
"rule_name": "Azure Recovery Services Resource Deleted",
"sha256": "1b78e1a881f43c3177aead24fc927410356a5d006d1cda47e70d26a9e9641342",
"type": "query",
"version": 1
},
"b8e4c2a1-7f3d-4e9b-8c5a-1d0e6f2a4b8c": {
"rule_name": "Potential Credential Discovery via Recursive Grep",
"sha256": "6e1f7fd530c168e50461f4e7afc7b92b389edc311ca0657f61cae0b885e3fab0",
"type": "esql",
"version": 1
},
"b8f54e38-7a1d-4c9b-9e2f-3a4b5c6d7e8f": {
"rule_name": "M365 Purview DLP Signal",
"sha256": "04360f0ce85534f39be7ba0ec1699302b04855d9ef703ccd49c39e0d6e39c3e7",
"type": "query",
"version": 1
},
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"rule_name": "Kirbi File Creation",
"sha256": "f0425912b32267ad405c24d9e2fc4da797b6544d08646645eb230ade605c0b4e",
"type": "eql",
"version": 314
},
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "e3c26b040bafc31479de3af9ed423b2dfc66a6eb7de0d5ab167a95fc721dcd00",
"type": "eql",
"version": 312
},
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
"rule_name": "Chkconfig Service Add",
"sha256": "49b9315515c7d56a7a53069e9dcd562e05e1b92f1524b25da32c7e186f5067ca",
"type": "eql",
"version": 218
},
"b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": {
"rule_name": "Discovery of Domain Groups",
"sha256": "78acee60a41b09251f89ee68e7c51c978e7174c9f003de84bcaed2bd0f34ce20",
"type": "eql",
"version": 5
},
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
"sha256": "58aea1cb23aecb61ecd0ad28ac516172a01ae3e42abf8d9fbb4ef879b389ee77",
"type": "threshold",
"version": 6
},
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "e1354aee6d1923e8a2981bf59472687a27e3af9e89fa81c9d248a652d6f15fce",
"type": "eql",
"version": 214
},
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
"sha256": "ccc20438dabf95f6714661407dca782bba70fc5acf468c799afa0997f7cfbd74",
"type": "eql",
"version": 116
},
"b9960fef-82c6-4816-befa-44745030e917": {
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "6c98718e177cba9e677d5be51571ab9cd59f1a48d6a9d7d1f9e6267b56b26095",
"type": "eql",
"version": 315
},
"b9b14be7-b7f4-4367-9934-81f07d2f63c4": {
"rule_name": "File Creation by Cups or Foomatic-rip Child",
"sha256": "3e2f948ac9829685c374f528f5f3357a976e25df1f5bec1d0f9a57f82dee167f",
"type": "eql",
"version": 106
},
"b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e": {
"rule_name": "Anomalous React Server Components Flight Data Patterns",
"sha256": "0c4d821949f83cc7229d9d2a9c117db1c8e639e5e03279e9ec182569ea1e7232",
"type": "eql",
"version": 1
},
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"rule_name": "Unusual Windows Network Activity",
"sha256": "8add33888ce9849b510c0d0b80fd76797ddc082ac5700758b7b90c58c80099c1",
"type": "machine_learning",
"version": 210
},
"ba5a0b0c-b477-4729-a3dc-0147c2049cf1": {
"rule_name": "AWS STS Role Chaining",
"sha256": "3bcb05b0905ba0f036c9669558547fe1c5c10663a53c5d1df57a888ca99d6251",
"type": "new_terms",
"version": 4
},
"ba81c182-4287-489d-af4d-8ae834b06040": {
"rule_name": "Kernel Driver Load by non-root User",
"sha256": "9c65f9d0b0b742e9ae409f6a0801d7341de785e65ee7b054256092bf1bfb8bfb",
"type": "eql",
"version": 7
},
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "090872d47d5a3f1428db18f1e48befbdfce5df0242cd30cca8a1535b18d528e4",
"type": "eql",
"version": 212
},
"bab88bb8-cdd9-11ef-bd9a-f661ea17fbcd": {
"rule_name": "AWS SQS Queue Purge",
"sha256": "de66db695baebdde84a330bfe3bde0083d66582be88489134f9799265204fbf6",
"type": "query",
"version": 6
},
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
"rule_name": "Azure Resource Group Deleted",
"sha256": "c852316f313b153ac3b61ca8c8ecc4ba69b7220da531214dfea51c375cd1aff8",
"type": "query",
"version": 107
},
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
"rule_name": "AWS EC2 Encryption Disabled",
"sha256": "439721690045cb46d6f9859269c364150b58109dbafffa7929de898b55893fc0",
"type": "query",
"version": 211
},
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
"rule_name": "M365 OneDrive Malware File Upload",
"sha256": "cd0ee58446ad10fef53b9675021f3383a26e3552230434632e711d88af2d5d1e",
"type": "query",
"version": 212
},
"bba8c7d1-172b-435d-9034-02ed9289c628": {
"rule_name": "Potential Etherhiding C2 via Blockchain Connection",
"sha256": "0239484ec551525aec443a437f14bbce8e9235329a703ffc6613bc8c74510667",
"type": "eql",
"version": 1
},
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"rule_name": "Potential SYN-Based Port Scan Detected",
"sha256": "815c666bcc295daeb2243a634ef0d8210a3b075ef8218de881cc4d8e7cb3cfce",
"type": "threshold",
"version": 14
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"rule_name": "M365 Teams Custom Application Interaction Enabled",
"sha256": "5ca8152db27b66fca754da1c64d145050b1590a423cf1a527a420a71d225c11b",
"type": "query",
"version": 212
},
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
"rule_name": "Deprecated - AWS Root Login Without MFA",
"sha256": "1f43dead85d0d3544a5c39d1e599b0413d8338a3bd86555c4c1259946d0a1686",
"type": "query",
"version": 212
},
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
"rule_name": "GCP Storage Bucket Deletion",
"sha256": "342c778ee565abc4c34b4a3a8797de7055cda16677ee2bafffd4887b48d1aa0c",
"type": "query",
"version": 107
},
"bc0fc359-68db-421e-a435-348ced7a7f92": {
"rule_name": "Potential Privilege Escalation via Enlightenment",
"sha256": "d8bf7e5a63698244691000196ba249c7936eab2a4eab1772ca5476f3f5322e21",
"type": "eql",
"version": 6
},
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"rule_name": "Attempt to Install Root Certificate",
"sha256": "7acb4cc8693f671522ac4141af3c6f946771d3534b18f6afef6140a69a1b8a52",
"type": "eql",
"version": 110
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"rule_name": "Entra ID Conditional Access Policy (CAP) Modified",
"sha256": "3ac0ca9520344b972f5a41af4a5e10a54efd11a2827dc838a359ba99a1557c43",
"type": "new_terms",
"version": 108
},
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
"rule_name": "Deprecated - Potential Non-Standard Port SSH connection",
"sha256": "a62aee60a38df90f6eeb03a3e144acc5341673270c9a27db837e523ad4a145b5",
"type": "eql",
"version": 10
},
"bc9e4f5a-e263-4213-a2ac-1edf9b417ada": {
"rule_name": "File and Directory Permissions Modification",
"sha256": "1229abc2361eeaad582a81ee4da6660075a6f9350b3ed2da734f3651b6d383d5",
"type": "eql",
"version": 4
},
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
"rule_name": "GCP Service Account Disabled",
"sha256": "43fa018ec25c255dc71671253bbb478cd5f5a122e8e5baf6bf52194fa4b2555b",
"type": "query",
"version": 107
},
"bcaa15ce-2d41-44d7-a322-918f9db77766": {
"rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain",
"sha256": "738bdc893bf3d562e861dbdf7a75427c263f7aaca05a2bb682d878ee38c60a5f",
"type": "query",
"version": 9
},
"bcf0e362-0a2f-4f5e-9dd8-0d34f901781f": {
"rule_name": "Entra ID Protection Alerts for User Detected",
"sha256": "fd64341da1fcdaa6a082cbf25b167c5db69c69f1dcc6d20c3ec818bb42e4da07",
"type": "eql",
"version": 3
},
"bd18f4a3-c4c6-43b9-a1e4-b05e09998110": {
"rule_name": "Manual Mount Discovery via /etc/exports or /etc/fstab",
"sha256": "e5e78d693e4425e712df0af92733019ad02ac2c0c9f7cd8c3d371c11cba4e196",
"type": "eql",
"version": 3
},
"bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": {
"rule_name": "Spike in Privileged Command Execution by a User",
"sha256": "0abbb06b0ea223dd93d5fe72d4038b28733b82fe49397d0f3f46a331b0bd7adb",
"type": "machine_learning",
"version": 3
},
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"rule_name": "PowerShell Keylogging Script",
"sha256": "f7b1bc1a3d0f9605b59dd71dcc889746c9c5235ffcb7f1920e9950b7fd85819d",
"type": "query",
"version": 218
},
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "ceeb8a74a863b5756a29ed6a9a6224998612c5ec72c4b20afaa84daa0dddbff1",
"type": "eql",
"version": 109
},
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "86aa1bc737f26987d86809d8f763aff7982e416bef5dc2bbd44444cf72678bf3",
"type": "eql",
"version": 212
},
"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": {
"rule_name": "Deprecated - Potential Pspy Process Monitoring Detected",
"sha256": "17aa7bf5c9f4b42c826a680248a06f16bf511e1af4de7d8e86c3e23611e706be",
"type": "eql",
"version": 12
},
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "037264e4531e277aca0fdee38754e89317fba7ebc3ca718a9a2498853349c488",
"type": "eql",
"version": 214
},
"bdfaddc4-4438-48b4-bc43-9f5cf8151c46": {
"rule_name": "Execution via Windows Command Debugging Utility",
"sha256": "5f00835a9adee4dd9a68ab262fb2d6cd7b32fbbd1331cc6a295e623d98be5d8e",
"type": "eql",
"version": 108
},
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"rule_name": "Host Detected with Suspicious Windows Process(es)",
"sha256": "7583da02b3461f3c8c23ab008a83a819453635fa8a62df30def1136237e68078",
"type": "machine_learning",
"version": 110
},
"be4c5aed-90f5-4221-8bd5-7ab3a4334751": {
"rule_name": "Unusual Remote File Directory",
"sha256": "b656146b40333aa0bbb38207431e1bda4ac60ed0c81425452fc9bdbeb293966a",
"type": "machine_learning",
"version": 8
},
"be70614d-4295-473c-a953-582aef41c865": {
"rule_name": "Potential Data Exfiltration Through Curl",
"sha256": "6ebfa1674b4fb1f63c8b2f093c2b147a12ca9cc31050e7e5dcc13e1338e4bd3e",
"type": "eql",
"version": 6
},
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "9528420d04a587758e5eaa1726f14ac0ca1f92c1f939f9ed2d5d86484aa588f7",
"type": "eql",
"version": 316
},
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
"rule_name": "AWS RDS DB Instance Restored",
"sha256": "dcf1b4b02597d1fbb9117d6283301d1cc4dcfdaef977185fc969396736431cdf",
"type": "query",
"version": 212
},
"bf8c007c-7dee-4842-8e9a-ee534c09d205": {
"rule_name": "System Owner/User Discovery Linux",
"sha256": "8333574a0bd6910364814cb33d533eeb7ff3ce241fecbde36cde344d754dd008",
"type": "new_terms",
"version": 8
},
"bfba5158-1fd6-4937-a205-77d96213b341": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Region",
"sha256": "f07aa0be2f6927907b2a0cf3a08fffbd806adb3c5bfcc5b8d825a8b68a8e5cb0",
"type": "machine_learning",
"version": 7
},
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "0b824a6c76d9e6ba990e3246a364639ed381da6595f7a64e4d7f87c5775b5c41",
"type": "eql",
"version": 219
},
"c0136397-f82a-45e5-9b9f-a3651d77e21a": {
"rule_name": "GenAI Process Accessing Sensitive Files",
"sha256": "bd69d866074bf4d6cd69d9bd018b8dbfc035fccbb9aea55c4d0fd9a2bbf0a2d1",
"type": "eql",
"version": 4
},
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "5208299f996ad99bd98466a5f61746b69aacc186c2a0462be9bf785783db4e0e",
"type": "eql",
"version": 113
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "4953192d062873314b4f801999d784d7d345b2594beb605d599a5d09325a9805",
"type": "eql",
"version": 313
},
"c04be7e0-b0fc-11ef-a826-f661ea17fbce": {
"rule_name": "AWS IAM Login Profile Added for Root",
"sha256": "74ca3a72d0eabe28dd5c38faab3e9d4d9ea86ed1a38b68c9e88498f41f084582",
"type": "eql",
"version": 5
},
"c07f7898-5dc3-11f0-9f27-f661ea17fbcd": {
"rule_name": "Azure Key Vault Excessive Secret or Key Retrieved",
"sha256": "532e349acfc6e6aab0897022466d2fc9b643a5fffd27576778848cd32cc20dbe",
"type": "esql",
"version": 6
},
"c0b9dc99-c696-4779-b086-0d37dc2b3778": {
"rule_name": "Memory Dump File with Unusual Extension",
"sha256": "9c208b045f8d819107c56a6d07dfab00cbb11c4b5f50381febbaac9d1a06045b",
"type": "eql",
"version": 4
},
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
"sha256": "c4fa342fec8bd2d9be3a0170fff08f1850375e0660f459377237bfb23cebe615",
"type": "query",
"version": 105
},
"c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "2791043f63074536de6e74909024903fb85f453091d8d74b441586745316aeea",
"type": "query",
"version": 108
},
"c125e48f-6783-41f0-b100-c3bf1b114d16": {
"rule_name": "Deprecated - Suspicious Renaming of ESXI index.html File",
"sha256": "2c94180ce81703e6ed2e0d45922383a36583db9bd0d3e62b3068a2abf17b5cc6",
"type": "eql",
"version": 12
},
"c17ffbf9-595a-4c0b-a126-aacedb6dd179": {
"min_stack_version": "9.3",
"rule_name": "Rare Azure Activity Logs Event Failures",
"sha256": "c7ab4512404f799560ec6c788cef728597921e7cd5a135d3d184b219d3352eea",
"type": "machine_learning",
"version": 1
},
"c1812764-0788-470f-8e74-eb4a14d47573": {
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
"sha256": "9a970e5f890eb12630cec204f47833b5e4c7575dcb58e8e2ef15689f162e64c9",
"type": "query",
"version": 211
},
"c18975f5-676c-4091-b626-81e8938aa2ee": {
"rule_name": "Potential RemoteMonologue Attack",
"sha256": "ccc74ce67ff73841a84622e148b60bd2f573cbd316e7818dc2308c87b4714326",
"type": "eql",
"version": 4
},
"c1a3e2f0-8a1b-11ef-9b4a-f661ea17fbce": {
"rule_name": "Azure Compute Restore Point Collection Deleted by Unusual User",
"sha256": "88df0fc3cd338a29ae8295259e9f0d1dadb41f0c776597e8de99f353aac0fa2c",
"type": "new_terms",
"version": 1
},
"c1a9ed70-d349-11ef-841c-f661ea17fbcd": {
"rule_name": "Unusual AWS S3 Object Encryption with SSE-C",
"sha256": "729840b0257c2eb8e9321efb5e5bb49aeac8813a3cecaa56977db51e30036bcd",
"type": "new_terms",
"version": 6
},
"c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": {
"rule_name": "AWS EC2 User Data Retrieval for EC2 Instance",
"sha256": "4c7dfeda31d6b9f55e701a3ccf5e3844215e4192a77f9754e1b26786019ec889",
"type": "new_terms",
"version": 8
},
"c20cd758-07b1-46a1-b03f-fa66158258b8": {
"rule_name": "Unsigned DLL Loaded by a Trusted Process",
"sha256": "90f4cf252faaaac2dc8deed5c5717b0be78711928ecc299a039b6460196f7be4",
"type": "eql",
"version": 106
},
"c24e9a43-f67e-431d-991b-09cdb83b3c0c": {
"rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes",
"sha256": "85e2710c5bac83b3134e7c2720609257a02d708edb281beb58dc59c73e2de482",
"type": "eql",
"version": 7
},
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "171b64c3655d63c4c9bc56f78576500ad24e42302644e1e342e4c67cffc91e94",
"type": "eql",
"version": 316
},
"c28750fa-4092-11f0-aca6-f661ea17fbcd": {
"rule_name": "Entra ID Sign-in BloodHound Suite User-Agent Detected",
"sha256": "a74e5dcb922b935e0a5a8037cb69bdb8c8bac9fd85a6efbce0aba2d6a83cc17c",
"type": "eql",
"version": 2
},
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
"rule_name": "Unusual Linux Network Connection Discovery",
"sha256": "34592f9549c2e381560c9c9a7a71bbb31090e65c7531ba8336578f4a2af2563e",
"type": "machine_learning",
"version": 107
},
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"rule_name": "Persistence via Folder Action Script",
"sha256": "415473fa35059a5d07964fed000f16360560c80dac0386baf8227972ac37c2f2",
"type": "eql",
"version": 112
},
"c296f888-eac6-4543-8da5-b6abb0d3304f": {
"rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE",
"sha256": "ade96b474e9768ab238966bce7bf5b5bd9756dccb3a1e36f53965027d4c4f781",
"type": "eql",
"version": 6
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"rule_name": "Mshta Making Network Connections",
"sha256": "6f3c1e9edde89e9c1fa7f4cec717c23b7fd08815ed56edde594db70cebd5207c",
"type": "eql",
"version": 212
},
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
"rule_name": "Permission Theft - Detected - Elastic Endgame",
"sha256": "23db8b09fdb9f4b08efb4ad8bcdfde256153602b55b53b81a85fe1273b9664de",
"type": "query",
"version": 105
},
"c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": {
"rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters",
"sha256": "13e8f259d203e8ed841c1a188f203e99cf912e41cfbc69b898f8b47aba4851de",
"type": "new_terms",
"version": 6
},
"c37ffc64-da75-447e-ad1c-cbc64727b3b8": {
"rule_name": "Suspicious Usage of bpf_probe_write_user Helper",
"sha256": "79f81b31e333915bbf3e7382c64a9a9f90b70d4aeb44491d2533694141db7e60",
"type": "query",
"version": 4
},
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "57e4a08ffa96452406d4b8eb47338b427e8c0f19c4d9c4b6d555820452c0b984",
"type": "eql",
"version": 413
},
"c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f": {
"rule_name": "Azure Compute Snapshot Deletion by Unusual User and Resource Group",
"sha256": "4f7950f2cb33bcd3c247ed3ad7b355be1a37c80d1fd2c9ef6f270eef5505deb3",
"type": "new_terms",
"version": 1
},
"c3d4e5f6-a7b8-6c9d-0e1f-2a3b4c5d6e7f": {
"rule_name": "Suspicious Execution from VS Code Extension",
"sha256": "c801b37699ca3fa63ec4095cd5889b3842b42a66e9a48c161a0dca78c7707c5e",
"type": "eql",
"version": 1
},
"c3d4e5f6-a7b8-9012-cdef-123456789abc": {
"rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity",
"sha256": "cdb4bf583f1114ff298aa113567237a8727f03bf3675eca5da4ec615db63f688",
"type": "eql",
"version": 1
},
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
"sha256": "c353bf8d28c1c9cca5662d7a7a69e0a7229505982746bd0b0be3276fbda1444b",
"type": "eql",
"version": 107
},
"c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c": {
"rule_name": "Multiple Remote Management Tool Vendors on Same Host",
"sha256": "add88597d7ea3d73b19793a00e9750921e39c153eaefdf2a8a06b9bd6c4e6499",
"type": "esql",
"version": 1
},
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "fdd1ad3da3e246ada1aaa83d67e8f2b8a887e5f1473d9de6e4a45910ca70e4ad",
"type": "eql",
"version": 315
},
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "daac0bc012c68171ee7eecaca5a8245783c20db64d1f94bf65beaf3c89bd75fa",
"type": "eql",
"version": 310
},
"c4e9ed3e-55a2-4309-a012-bc3c78dad10a": {
"rule_name": "Windows System Network Connections Discovery",
"sha256": "54953666f891c689614cbee244e6c837541a8003ef5b0ccd0c482029d4f2220a",
"type": "eql",
"version": 6
},
"c4f7a2b1-5d8e-4c3a-9b6e-2f1a0d8c7e5b": {
"min_stack_version": "9.3",
"rule_name": "Multiple Rare Elastic Defend Behavior Rules by Host",
"sha256": "4542646fbec130c4f8575763a13a38d14024a3c708f352f590be00d4942eb20e",
"type": "esql",
"version": 2
},
"c55badd3-3e61-4292-836f-56209dc8a601": {
"rule_name": "Attempted Private Key Access",
"sha256": "e707e3c1a46f94d7499ab0a59780aea166d33755a2683120a0dd1227eaf3df43",
"type": "eql",
"version": 110
},
"c562a800-cf97-464e-9d6f-84db91e86e10": {
"rule_name": "Elastic Defend and Email Alerts Correlation",
"sha256": "2fc11b38c2f8ec9a736588762b46af650ebd81d71745eec15c0d395e3ac69c4e",
"type": "esql",
"version": 2
},
"c5637438-e32d-4bb3-bc13-bd7932b3289f": {
"rule_name": "Unusual Base64 Encoding/Decoding Activity",
"sha256": "54486ef06f4739ce2602ae30107b8d9100006c9cfafff813156cafb6153a2266",
"type": "esql",
"version": 8
},
"c5677997-f75b-4cda-b830-a75920514096": {
"rule_name": "Service Path Modification via sc.exe",
"sha256": "22e84ad2b75e336fb97f7a6c7a63140dd8f907a4d863e0569c43993bbe498833",
"type": "eql",
"version": 109
},
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "0641c9ee39050bac0336ca03815f4418d8f42b3f9c4a05788a18e4b115f51438",
"type": "eql",
"version": 313
},
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
"rule_name": "GCP Virtual Private Cloud Network Deletion",
"sha256": "37a8cf43dbd537aa0901deeae2eaf9f766dfce63e61823daae640cd566c4dbb8",
"type": "query",
"version": 107
},
"c595363f-52a6-49e1-9257-0e08ae043dbd": {
"rule_name": "Pod or Container Creation with Suspicious Command-Line",
"sha256": "0978c07dd959e8239b4ba8195831bf80b8e8978c16d7aae614691c0d82edec11",
"type": "eql",
"version": 1
},
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "a53e65d2430e3ea2e00f15ea40f9a151c2ea30db22fa0dca97a1936c8b70f192",
"type": "eql",
"version": 211
},
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"rule_name": "Installation of Custom Shim Databases",
"sha256": "2c5071fe46db0c491dbbe580964a42198e0d9e80cf5e02cb790b52b95aa3346b",
"type": "eql",
"version": 313
},
"c5da2519-160c-4cc9-bf69-b0223e99d0db": {
"rule_name": "Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt",
"sha256": "a0d9e978b3b963c3ac8dbeec2961f7bc2230436817e053ddfe69b035b30fb9c5",
"type": "eql",
"version": 2
},
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "41d2711d82ae1036c71c33e1e80f65df27a0f498c1f2d93e5864e359920cc5a4",
"type": "eql",
"version": 315
},
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
"sha256": "167111eaf58a3bbebd2719d2939ba47beb2bf57e4905de19dcb49e47b08bea57",
"type": "query",
"version": 105
},
"c5fc788c-7576-4a02-b3d6-d2c016eb85a6": {
"rule_name": "Initramfs Unpacking via unmkinitramfs",
"sha256": "3377babcb31164f78cb4544423ee54b63d1817459e38c4bfb401f150681ecbd3",
"type": "eql",
"version": 5
},
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "305950cba100ed21b2be7795222a4af5d37fb8e2237f1b3fbcd6a111d76ce8c5",
"type": "eql",
"version": 318
},
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
"type": "query",
"version": 100
},
"c6655282-6c79-11ef-bbb5-f661ea17fbcc": {
"rule_name": "Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source",
"sha256": "99b9962c6c09378b4025d49a579ee99cb8a9ae0277d461ac8296cc86e51c6e49",
"type": "esql",
"version": 4
},
"c6b40f4c-c6a9-434e-adb8-989b0d06d005": {
"rule_name": "Suspicious Kerberos Authentication Ticket Request",
"sha256": "5a2ab9f129366aaf001a9bd121ce1e65ab4ae4f1eae88702d2b15ca145a1e6d0",
"type": "eql",
"version": 3
},
"c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 105,
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
"sha256": "327ff75523310cbad3219c26ebc97ff87df70d0380a60c4d9607b8c0bf433c89",
"type": "new_terms",
"version": 6
}
},
"rule_name": "AWS IAM API Calls via Temporary Session Tokens",
"sha256": "2ab33e3210faabbf21634cb53b667334ab3853f7a3edab5accc936e62e0092c9",
"type": "new_terms",
"version": 106
},
"c73cc6ab-b30e-46bf-b5f2-29d9ab4caf7b": {
"rule_name": "Mount Launched Inside a Container",
"sha256": "4d00e7499220c3c3a60f9749322ef6e1454af67f7ae410f4f6d7c3f28dff5f95",
"type": "eql",
"version": 3
},
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "c52cfad33cb4e250d22ce58eae016d2063b67a5e56c310c77fd3d68bf7ca8b93",
"type": "query",
"version": 413
},
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "7aba5f4848c54d1dbdf9f339b258ef0b10e8f0ced4be14bbe8731c72fb21c2ae",
"type": "query",
"version": 412
},
"c75d0c86-38d6-4821-98a1-465cff8ff4c8": {
"rule_name": "Egress Connection from Entrypoint in Container",
"sha256": "dd1e7889df2c7ca7ad63523e2f2639f629b061768c4fb25e91a27e3da587f33d",
"type": "eql",
"version": 6
},
"c766bc56-fdca-11ef-b194-f661ea17fbcd": {
"rule_name": "Entra ID User Sign-in with Unusual Client",
"sha256": "acdbe411fad108d24ac7d90b26bc1d8a6292f370fd265a7a8ceb8dcbe48c8681",
"type": "new_terms",
"version": 5
},
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "3048fb1cb33c9d61e64c57c88bc310c6f76330a531c1a04fc2cbf5fa9a962e53",
"type": "eql",
"version": 211
},
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
"rule_name": "Kubernetes Privileged Pod Created",
"sha256": "9aa019833cca8394d175d9d6f5b2baacae100ed7cb549100a54180eef77ea9bf",
"type": "query",
"version": 209
},
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"rule_name": "Unusual File Operation by dns.exe",
"sha256": "4d49a5bd41e3590655a8d2043aece053a6a244c67f1919e2cd24eec334e11d00",
"type": "new_terms",
"version": 216
},
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
"rule_name": "Spike in Network Traffic To a Country",
"sha256": "0e93c7c9d8c379f5113f5da64c80c41a4baa81ef5c9f06da338f591b12f797b6",
"type": "machine_learning",
"version": 109
},
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "ab323cd4136ecba4ec4deb2bbe62345240087bafcd8ef51b2651926b6c108c28",
"type": "eql",
"version": 111
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
"sha256": "41eeff0d6b77b5166fca7d002d1570c3525c02a9afe6c94de757a4c836923659",
"type": "new_terms",
"version": 108
},
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
"rule_name": "SMB Connections via LOLBin or Untrusted Process",
"sha256": "014c152133b6e7926869d0bc180327c50123ae2840f113890084f4af3d820118",
"type": "eql",
"version": 116
},
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
"rule_name": "Virtual Machine Fingerprinting via Grep",
"sha256": "4755df4d8fe4221cbf2e2a70a0429b0cdabd6b9d109872751e2563e95e594424",
"type": "eql",
"version": 108
},
"c87fca17-b3a9-4e83-b545-f30746c53920": {
"rule_name": "Nmap Process Activity",
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
"type": "query",
"version": 100
},
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
"rule_name": "Parent Process PID Spoofing",
"sha256": "43124466259d6a488d240c7332f55565267d5fc744f9edd5f6f3ce4f3c7bb288",
"type": "eql",
"version": 110
},
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "5970502fee1978894616af37f79e879604513bcf66ed22247fb150855080e587",
"type": "eql",
"version": 15
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "7371f8792db6004595209da0e87adcbc16e1e4332f7ebd4d5ffa984adab5790f",
"type": "eql",
"version": 318
},
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "15827979279c1de9ee31614d226959b7c9932923d85da38e9b599c365263ebbf",
"type": "eql",
"version": 317
},
"c8e5f6a2-1234-4d5e-9f8a-b7c6d5e4f3a2": {
"rule_name": "Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource",
"sha256": "8a9ebdfe9236d7201f3e30cc3841547ebbacf7f90f7567d0b5da622f349dfcfd",
"type": "new_terms",
"version": 2
},
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "b20069169dd6d3d7fa0c2379f88e78d4dddcb749c32319199910a7018bdabcb5",
"type": "eql",
"version": 12
},
"c9636a6e-125e-11f1-9cd3-f661ea17fbce": {
"rule_name": "M365 Exchange MFA Notification Email Deleted or Moved",
"sha256": "df3b151df4fd569bcd9b3f33c7f7bf9ce148405ff51fcf9a672aa8413b0a6ba8",
"type": "eql",
"version": 1
},
"c9847fe9-3bed-4e6b-b319-f9956d6dd02a": {
"rule_name": "Potential Remote Install via MsiExec",
"sha256": "c059148c2721ed1f7b2d8824e5dd41b2d93e06364fe138d59d4295a56ce0484d",
"type": "eql",
"version": 2
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
"sha256": "cc40f7557b619c20a993ef46dd7b17fa103e74bae9608ccdd499efb61aa5b88f",
"type": "query",
"version": 105
},
"ca3bcacc-9285-4452-a742-5dae77538f61": {
"rule_name": "Polkit Version Discovery",
"sha256": "e4bec6658d6405825240fbf346b7b226e3557e511f56be55c68077970103f48f",
"type": "eql",
"version": 6
},
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
"rule_name": "M365 Exchange Malware Filter Rule Modified",
"sha256": "18a1ba7eebeeb47c4f007c39127a659ac95e7fa31565c171bf1ae73f2d794bed",
"type": "query",
"version": 211
},
"ca98c7cf-a56e-4057-a4e8-39603f7f0389": {
"rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder",
"sha256": "fb6a11f3a9fb02a05961368d62c9db5f12cf99258f9083decba913f341320074",
"type": "eql",
"version": 14
},
"caaa8b78-367c-11f0-beb8-f661ea17fbcd": {
"rule_name": "Entra ID User Reported Suspicious Activity",
"sha256": "a34b5d65dc328f2775a7359f20afa71e00d0dc77dbe92edb183e95b6e260c34b",
"type": "query",
"version": 4
},
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
"rule_name": "Auditd Login from Forbidden Location",
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
"type": "query",
"version": 100
},
"cac91072-d165-11ec-a764-f661ea17fbce": {
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "03e6cbb21ddd14cf08bb9645a2d0dfcb6f8c2a81dae5d4521565837f33ea95e1",
"type": "new_terms",
"version": 218
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"rule_name": "Google Workspace MFA Enforcement Disabled",
"sha256": "9a77d3bf78caa364a3501dc4041e9ba9e5c3d13e2b3b7aaa5eb6abdaaadfec14",
"type": "query",
"version": 210
},
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"rule_name": "Suspicious Calendar File Modification",
"sha256": "c165e516becec15b1c1aa845d2f5d093956b2a7e28df7cb656de4b393ca6a50e",
"type": "eql",
"version": 110
},
"cbbe0523-33f3-4420-b88d-5c940d9e72c1": {
"rule_name": "FortiGate Super Admin Account Creation",
"sha256": "16b6c260bc4650bc90da2cee64b21e22b2c5661ea91d7c4babb2ba055292197a",
"type": "eql",
"version": 1
},
"cbda9a0e-2be4-4eaa-9571-8d6a503e9828": {
"rule_name": "Kubernetes Secret Access via Unusual User Agent",
"sha256": "779866cad0e79ce9f2c9c7234c09cc2ccc2d4642c9bec7b268d036a244638cd6",
"type": "new_terms",
"version": 1
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
"type": "query",
"version": 100
},
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"rule_name": "Attempt to Enable the Root Account",
"sha256": "1d11314aa3de8e4ec889248829226cc47dcc245b1c1b32bd6d7b81f27312a317",
"type": "eql",
"version": 110
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"rule_name": "Multiple Device Token Hashes for Single Okta Session",
"sha256": "8e7204daa15aa64acf5ab9e352b8e028ba759ad98fbff579bc815a9848e31909",
"type": "esql",
"version": 309
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address",
"sha256": "cccf8163251c02a31b7641f4b2d35ec23a5878faccdeab0923ab6cc423dfcdaa",
"type": "machine_learning",
"version": 7
},
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
"rule_name": "Google Workspace User Organizational Unit Changed",
"sha256": "121726cd64a95f6fae236ff3668a6aa031ca24474771917197adeccf8a133e7a",
"type": "query",
"version": 109
},
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
"rule_name": "GCP Pub/Sub Subscription Deletion",
"sha256": "925c8d54bd81af668dcd38ad3ea61b8e8d48f40b0db136c69e8ddb6d02698414",
"type": "query",
"version": 107
},
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "ad8b058fbd73eb0d1d35b377a0e40d51bff4555e31e6a3aae172ebaa6c924480",
"type": "query",
"version": 414
},
"cca64114-fb8b-11ef-86e2-f661ea17fbce": {
"rule_name": "Entra ID User Sign-in Brute Force Attempted",
"sha256": "9df42e5af70c365bde3d6b8c7f2c2fd5602c895442f168e2225bc2f3411e9c6a",
"type": "esql",
"version": 7
},
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
"rule_name": "Potential Process Herpaderping Attempt",
"sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2",
"type": "eql",
"version": 105
},
"cccc9be5-d8b0-466e-8a37-617eae57351a": {
"rule_name": "M365 Entra ID Risk Detection Signal",
"sha256": "392041a3844e680f234c92dc4275823b02292a6f5e26d39151ebe50958c2231d",
"type": "query",
"version": 1
},
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "e5f40a33e82975840bc65f1ac5e0feec696b92cfafff003e9fb617478b68b0f7",
"type": "query",
"version": 413
},
"cd24c340-b778-44bd-ab69-2f739bd70ce1": {
"min_stack_version": "9.3",
"rule_name": "Suspicious Interpreter Execution Detected via Defend for Containers",
"sha256": "dd5558b655f37b28a249477f9e372be817a1484e796ea566c51b3f8135df88d8",
"type": "eql",
"version": 2
},
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
"rule_name": "Socat Process Activity",
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
"type": "query",
"version": 100
},
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
"rule_name": "Anomalous Linux Compiler Activity",
"sha256": "6e739a1f4016e28fce4154f8593038c7ecf0675e1a1efc95f9e34a304b94a2cc",
"type": "machine_learning",
"version": 107
},
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
"rule_name": "Kernel Module Removal",
"sha256": "94cc28cf394367383a56845044b14d18c01451f0e54fcce503353ef789d7d0cc",
"type": "eql",
"version": 215
},
"cd82e3d6-1346-4afd-8f22-38388bbf34cb": {
"rule_name": "Downloaded URL Files",
"sha256": "4a47b2f5d23fc106e911c3431fc7d04910bf0abfb0acde9b0815898441f17516",
"type": "eql",
"version": 7
},
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "bf90da01585328d17be5647a18e2fc86f587ba6f75076c99f406a8bb81f8dd88",
"type": "eql",
"version": 417
},
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"rule_name": "Okta User Session Impersonation",
"sha256": "fd20dd3278688d63cc6c90f2a764d862c712ec3c2bf755f14cd15a06830ed4af",
"type": "query",
"version": 414
},
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "1fea0a2f7ea3bb2c16b62b1430f80ebd513dac2500b61d345a23a244da6d0f00",
"type": "query",
"version": 220
},
"cdf1a39b-1ca5-4e2a-9739-17fc4d026029": {
"rule_name": "Shadow File Modification by Unusual Process",
"sha256": "f51aa3f3b9cbf11d092933794749cd607580146c5a8d3123121f8fd0c2e675fc",
"type": "eql",
"version": 6
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "f3580149e911351b1ef86e81e65c4cf6c2023cc99c8c0743a7bec9e560389b32",
"type": "new_terms",
"version": 207
},
"ce08cdb8-e6cb-46bb-a7cc-16d17547323f": {
"min_stack_version": "9.3",
"rule_name": "Unusual City for an Azure Activity Logs Event",
"sha256": "441a4f1d55325a1222ec8e48f957b86abb0aba011fec2c67feae33279fcee26c",
"type": "machine_learning",
"version": 1
},
"ce4a32e5-32aa-47e6-80da-ced6d234387d": {
"rule_name": "GRUB Configuration File Creation",
"sha256": "85c46d9160a01a7051be6ea8c170a76720222e1a7a43aa5f113a868ffb132c84",
"type": "eql",
"version": 5
},
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "09087f914a3c126533c0de3158f57d7751d164361f1f81db15d9b3876a3df847",
"type": "eql",
"version": 315
},
"ce73954b-a0a4-4f05-b67b-294c500dac77": {
"rule_name": "Kubernetes Service Account Secret Access",
"sha256": "88dd742313deb546b807380819cb68b55d2d56fbad18f1995684fc407c9e68a1",
"type": "eql",
"version": 3
},
"cebabc1e-1145-4e39-b04b-34d621ee1e2c": {
"min_stack_version": "9.3",
"rule_name": "Shell Command-Line History Deletion Detected via Defend for Containers",
"sha256": "979ca3e8ac0709e5e783a63e0ca0ccd14744cb170a17f6cc02fa41296d31801d",
"type": "eql",
"version": 1
},
"cf307a5a-d503-44a4-8158-db196d99c9df": {
"rule_name": "Unusual Kill Signal",
"sha256": "87b48799b45644f192a3001a0f4b89af47c77b4ee43ae485b40c621af5497e63",
"type": "eql",
"version": 2
},
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
"rule_name": "Cobalt Strike Command and Control Beacon",
"sha256": "358f978a2e6f3e446c7216cd749cba581f6d777dd924f3883764e299d4ff4945",
"type": "query",
"version": 106
},
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
"rule_name": "Domain Added to Google Workspace Trusted Domains",
"sha256": "79a815bfe76e67bc24d51ea9ef619e32bb4055c15b4846ebe777ed42e5c6f1d3",
"type": "query",
"version": 208
},
"cf575427-0839-4c69-a9e6-99fde02606f3": {
"rule_name": "Deprecated - Unusual Discovery Activity by User",
"sha256": "13f9e9049c5bddcdde9abfd3501c2925eb76c07771c5c7a4c2e3cc40842774e0",
"type": "new_terms",
"version": 3
},
"cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": {
"rule_name": "Trap Signals Execution",
"sha256": "fb9b4b1726b85fc2cfd187b29071300f8b35a7bf14198061a2d21ac2cd7fdbaf",
"type": "eql",
"version": 5
},
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "630b88a3364fbe8639133004b3bbe4f833208f2804012fa6a85120ad434c6d85",
"type": "eql",
"version": 319
},
"cffbaf47-9391-4e09-a83c-1f27d7474826": {
"rule_name": "Archive File with Unusual Extension",
"sha256": "b3379c22774ddf7b3ad4cd9061769227cc13b67a811eed8e01aef15ddbb008eb",
"type": "eql",
"version": 4
},
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
"rule_name": "Namespace Manipulation Using Unshare",
"sha256": "8c05198a2611a9e538996fe4b19f24cc57aac06fc4c39687a77015f01794b109",
"type": "eql",
"version": 114
},
"d08ba1ed-a0a3-4fe0-9c02-e643b9a25a03": {
"rule_name": "FortiGate Administrator Account Creation from Unusual Source",
"sha256": "cf55391bf0ce9a58032099e6d67ffab973f4413bbb9277d300fcc3580cd93f94",
"type": "new_terms",
"version": 1
},
"d0b0f3ed-0b37-44bf-adee-e8cb7de92767": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - AWS Credentials Searched For Inside A Container",
"sha256": "b2a40d71fd9d37d3049115575c0b2fb19ff325ffd3ffd71b963d514ce7feb28f",
"type": "eql",
"version": 3
}
},
"rule_name": "Cloud Credential Search Detected via Defend for Containers",
"sha256": "06225be504fa72a83c99628e858b3fe5b84aa7da72d9175202ed5f07c09c016f",
"type": "eql",
"version": 103
},
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "2c64f99b095d83c721adcf4da78d8dbb39c650eff71ecaf8b311d50c750be7ae",
"type": "eql",
"version": 315
},
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "d3a52256086f20e3515d09e0eecbd462fd3912d7b2d978f5e544bbab87146f22",
"type": "eql",
"version": 316
},
"d121f0a8-4875-11f0-bb2b-f661ea17fbcd": {
"rule_name": "Entra ID ADRS Token Request by Microsoft Authentication Broker",
"sha256": "5feda5d73ab4d3ab81c92e2bb7f1a50af9c48b0a747bccc3751b155732abde29",
"type": "query",
"version": 2
},
"d12bac54-ab2a-4159-933f-d7bcefa7b61d": {
"rule_name": "Expired or Revoked Driver Loaded",
"sha256": "11b8167c23291c967fa2a069f2063970f0d8fa874b642503e2b9ce0b1cbc7496",
"type": "eql",
"version": 8
},
"d197478e-39f0-4347-a22f-ba654718b148": {
"rule_name": "Compression DLL Loaded by Unusual Process",
"sha256": "e460aefe896a4ca7a07b897e1d955f90b2add567d2d43c3a435b632d77a34bc4",
"type": "eql",
"version": 5
},
"d19a2399-f8e2-4b10-80d8-a561ce9d24d1": {
"rule_name": "System Binary Symlink to Suspicious Location",
"sha256": "38f91221ebf1ad1f815b2410711902a446bf634093f757a94276a1fc84a35506",
"type": "new_terms",
"version": 4
},
"d1e5e410-3e34-412e-9b1f-dd500b3b55cd": {
"rule_name": "AWS EC2 Instance Console Login via Assumed Role",
"sha256": "e81a04e3fd65b851b65dbec3a2b0a2b3d8ce15389bf8ddbc09e564e84ab18324",
"type": "eql",
"version": 6
},
"d1ee711a-a3ba-4d73-b5ab-84cab5b37fb3": {
"rule_name": "Curl or Wget Egress Network Connection via LoLBin",
"sha256": "3fbf4a9a5915e2ed78be6e0a19ab14fe424f8227b14736cc0d2b6e2cbbb83137",
"type": "eql",
"version": 1
},
"d1f310cb-5921-4d37-bbdf-cfdab7a6df9c": {
"rule_name": "Privileged Container Creation with Host Directory Mount",
"sha256": "16394afb9f2c78168b53837f4bd19e6929e026be8f08c8291b17ea82e16d97ba",
"type": "eql",
"version": 1
},
"d2053495-8fe7-4168-b3df-dad844046be3": {
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
"type": "query",
"version": 100
},
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "429422145532225bd65534fedd80e071ba1dafca49a047729750299bfe3d4af9",
"type": "eql",
"version": 110
},
"d26331be-affe-46b2-bf4e-203d0e2d364c": {
"rule_name": "AppArmor Profile Compilation via apparmor_parser",
"sha256": "46f9b9dcc7c864ded6022aca5cdf7d66a3c6b1c46ede076a0e7cbbfcd22e3366",
"type": "eql",
"version": 1
},
"d2703b82-f92c-4489-a4a7-62aa29a62542": {
"rule_name": "Unusual Region Name for Windows Privileged Operations Detected",
"sha256": "4a27a3971ab4ac2abd8929f07178a8052f887401d8443d1e1f49f090638b2f20",
"type": "machine_learning",
"version": 3
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "4afd57a339d41912ae7ad833a7198061d9c2c8b8d84ef2755fe3994daabfa5c3",
"type": "eql",
"version": 315
},
"d32f0c27-8edb-4bcf-975e-01696c961e08": {
"rule_name": "AppArmor Policy Interface Access",
"sha256": "540ec9c59c4ac14e4d8d22452a9727e0b44f48c1495a3a435a5f31c1d189dd96",
"type": "eql",
"version": 1
},
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"rule_name": "Clearing Windows Event Logs",
"sha256": "6b9f951c8a016b83f49461ef758a4357b60f7b5a193b7244d68edf903d216ae8",
"type": "eql",
"version": 319
},
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"rule_name": "Remote Windows Service Installed",
"sha256": "f7391c261eb5cadf9fa292909ae5f7bb001644d1fafe546a3efac5fb51e4d32a",
"type": "eql",
"version": 112
},
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "51c7d5aa91a02787b7a35cb450939619d0c1ce259e63a6fb6071f939b1b10e98",
"type": "eql",
"version": 107
},
"d3b6222f-537e-4b84-956a-3ebae2dcf811": {
"rule_name": "Splunk External Alerts",
"sha256": "f378f24577665171fd3b33d5b1172def6d1fa3fa89da6e34e50c43d6f969e922",
"type": "query",
"version": 1
},
"d43f2b43-02a1-4219-8ce9-10929a32a618": {
"rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion",
"sha256": "7c5e02a840182b33f4790c944b9ec48af5f79dac23befdb0f069ef00258b4e70",
"type": "esql",
"version": 9
},
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "2527c4142d94796d2b6a29956710c8e839a75d3f11fd53b71390789e00214068",
"type": "eql",
"version": 112
},
"d488f026-7907-4f56-ad51-742feb3db01c": {
"rule_name": "AWS S3 Bucket Replicated to Another Account",
"sha256": "0278be6dda863249c11fe7d34a3ca5b26ea3b6d7608b458d13d3f818c99b7681",
"type": "eql",
"version": 6
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "55dcaf216c136ee36ab1a0795a0eac62cc5934afc12bf9c3aa62d375c85478ae",
"type": "query",
"version": 412
},
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
"sha256": "f8132f6b4f1aa63e9d8e5d21d90394f93a1b56d7bf48aee2bb0c885b3549587b",
"type": "query",
"version": 105
},
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
"rule_name": "Unusual Linux System Information Discovery Activity",
"sha256": "6627f591ca6d6b6c00b13706a2d600da692be5dda59b7cc6c0e071c43106075d",
"type": "machine_learning",
"version": 107
},
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
"rule_name": "Unusual Source IP for a User to Logon from",
"sha256": "0f5821323d386dee70029098f8d95f174c2b5cd85f465e9f17f90766c6facbe7",
"type": "machine_learning",
"version": 107
},
"d4e5f6a7-8b9c-0d1e-2f3a-4b5c6d7e8f9a": {
"rule_name": "Azure Compute Snapshot Deletions by User",
"sha256": "3b5f8417da6870bbbcd433aa8a0d8ee6fca9e4ba3a22e13e4b4928bf9729e344",
"type": "threshold",
"version": 1
},
"d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a": {
"min_stack_version": "9.3",
"rule_name": "Elastic Defend Alert from GenAI Utility or Descendant",
"sha256": "cdaceb7b07acc4eed0fec1f0d29c98302d3dc5d01f0bb281c84fc3555fbcd5d8",
"type": "esql",
"version": 1
},
"d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": {
"rule_name": "Linux init (PID 1) Secret Dump via GDB",
"sha256": "b83c3c1532b5af713bd9011025fcc17c4214c07593127a7a206e19e9fb5e28a2",
"type": "eql",
"version": 111
},
"d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c": {
"rule_name": "Kernel Module Load from Unusual Location",
"sha256": "56e955ca39d25c4cfa531933b411d67ed74652d81495207e8d2ef7c743af219d",
"type": "eql",
"version": 2
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "e033856be7ad362345e1ba2b993b90b1aaeec55773bbadf68127329c2ac3bed8",
"type": "eql",
"version": 11
},
"d55abdfb-5384-402b-add4-6c401501b0c3": {
"rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
"sha256": "274dc56a6e1e3f97442ae5bfcd16d363d4283ea38f6abb9190081c4f7d31f8f2",
"type": "eql",
"version": 7
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "15fe34ca3118484deea0a66f9eae2dd88581f0e7135f0478d0ab3f9b5e98a61b",
"type": "eql",
"version": 313
},
"d591d7af-399b-4888-b705-ae612690c48d": {
"rule_name": "Newly Observed High Severity Suricata Alert",
"sha256": "de1f830567ec7ac8c8a76bd6164a6af0895adedc8ceb7ea49c91dda648461626",
"type": "esql",
"version": 3
},
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "bb64864ae4182c5c20617d0c144142f701fef1633a31bec20e5d737717157f13",
"type": "query",
"version": 413
},
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"rule_name": "Service Command Lateral Movement",
"sha256": "2a32aeadc451efbdde9e929bbcf28e8a11e5c007b9b33dd0b853ad20943cd907",
"type": "eql",
"version": 210
},
"d6241c90-99f2-44db-b50f-299b6ebd7ee9": {
"rule_name": "Unusual DPKG Execution",
"sha256": "99110576912a770abca53b691f3644a5e26b87ded92c2ac26e342b388785161e",
"type": "eql",
"version": 7
},
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
"rule_name": "AWS CloudWatch Log Stream Deletion",
"sha256": "5dd0735831fd4a14204ba795e70b8a5793d58eaa264bfa1a33c4c7094e438fd5",
"type": "query",
"version": 213
},
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
"rule_name": "GCP Pub/Sub Subscription Creation",
"sha256": "8efda573b2a1bac665b991f72ec074f93082501d2f067f80ad8faf6f686205bf",
"type": "query",
"version": 108
},
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
"rule_name": "Strace Process Activity",
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
"type": "query",
"version": 100
},
"d6702168-2be6-4d7d-a549-9bff67733df3": {
"rule_name": "IBM QRadar External Alerts",
"sha256": "d87d352178c0de5f4c543c32276715abb35d6357dc42f75d84ac84b2401aa365",
"type": "query",
"version": 1
},
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "a12f6445936ab83bfae7520bc8f1d544d357ae58d9fca890908ee6320fefb81b",
"type": "eql",
"version": 118
},
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
"rule_name": "M365 Exchange Anti-Phish Policy Deleted",
"sha256": "4fb70852654dccfce55dca864f521914bd56cde848d581895e4c83a2e4e1b00c",
"type": "query",
"version": 211
},
"d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f": {
"rule_name": "Potential Protocol Tunneling via Cloudflared",
"sha256": "91bcd19a0c6ac9d676ba46dab1a6f60a67056006f701cdedc9b6984a39e4eeeb",
"type": "eql",
"version": 1
},
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"rule_name": "Modification of WDigest Security Provider",
"sha256": "b78d84ead9c2e2f8c0b080d7539804c006d2e82dda1e1d1bb489a991d1db248a",
"type": "eql",
"version": 214
},
"d7182e12-df8f-4ecf-b8f8-7cc0adcec425": {
"rule_name": "Pbpaste Execution via Unusual Parent Process",
"sha256": "3cfed4a1b0aa89c53b098fc2987859ebe883bc1267bc374ba18070c2e9a4f5e9",
"type": "eql",
"version": 1
},
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "0fa5e6c2ae95f0dfa6d132058644c70bac38f08a2148bf5eb9b6a26dd7ceaf09",
"type": "eql",
"version": 317
},
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
"rule_name": "M365 Exchange Malware Filter Policy Deleted",
"sha256": "71ade0933a7bec32785b9b65e651af4b2653864c0ac4b43f6bafb8f020212da3",
"type": "query",
"version": 211
},
"d74d6506-427a-4790-b170-0c2a6ddac799": {
"rule_name": "Suspicious Memory grep Activity",
"sha256": "90316dc22033d912089d941a034d244275e443b6634bc88b197272fe1e1124d8",
"type": "eql",
"version": 108
},
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"rule_name": "SystemKey Access via Command Line",
"sha256": "f8b1d74f08a045a33b10594b57edfd3f20896d97c6a7c6d78e4ad772596b160a",
"type": "eql",
"version": 210
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"rule_name": "Interactive Terminal Spawned via Python",
"sha256": "e7fce547c4db43bb3611e08cc2943197b41498464c41ee416e5e770a83e95700",
"type": "eql",
"version": 215
},
"d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": {
"rule_name": "Python Site or User Customize File Creation",
"sha256": "60863e4019007a38c549c67afc285d909ed41523046489f619dd198934b92715",
"type": "eql",
"version": 6
},
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
"rule_name": "Azure Blob Storage Permissions Modified",
"sha256": "04d0604eeb569168c49ba3fff5148538e9a7bb8f62ad4d0388884ad098c0b8ae",
"type": "query",
"version": 109
},
"d7b57cbd-de03-4c3b-8278-daa1ee4a6772": {
"rule_name": "Suspicious Apple Mail Rule Plist Modification",
"sha256": "0f15e69cc154771f61534e30c9066d955ed06e8098f4f9a80e3d8f4b6e45eb78",
"type": "eql",
"version": 1
},
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
"rule_name": "Spike in Logon Events",
"sha256": "354592452a896e760a771da189694898283fef283e30b4cd3fc4d2c8f0deaf52",
"type": "machine_learning",
"version": 107
},
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
"rule_name": "SMTP on Port 26/TCP",
"sha256": "81ffd7a87b123f53ba5a055652cd67738c4cfda70d52d8a9ef566f06d240ce9d",
"type": "query",
"version": 108
},
"d84a11c0-eb12-4e7d-8a0a-718e38351e29": {
"rule_name": "Potential Machine Account Relay Attack via SMB",
"sha256": "9a5a94e5c4aade5dd94fd013bdfb06e84c7d6f223f8bf5c214b4f54a36ba6f4d",
"type": "eql",
"version": 2
},
"d8ab1ec1-feeb-48b9-89e7-c12e189448aa": {
"rule_name": "Untrusted Driver Loaded",
"sha256": "521c26dd7b4a866375b12d8bf94fc96f58c4609c18d20e1af2bbb6737116b711",
"type": "eql",
"version": 13
},
"d8b2f85a-cf1c-40fc-acf0-bb5d588a8ea6": {
"rule_name": "Potential REMCOS Trojan Execution",
"sha256": "5edbe0cfcce77f5741297489ab7cd3d0b6fbc30eff4c47b9695617e90a279504",
"type": "eql",
"version": 1
},
"d8f2a1b3-c4e5-6789-abcd-ef0123456789": {
"rule_name": "Ollama API Accessed from External Network",
"sha256": "ecc28c21ed2096e0e2c6206a13a70fdc48e94cf4de217f5c528e21df266d1816",
"type": "eql",
"version": 1
},
"d8f4e3b0-8a1b-11ef-9b4a-f661ea17fbce": {
"rule_name": "Azure Compute Restore Point Collections Deleted",
"sha256": "ffb8ee8defb030d0393b9f49ecbd35b48e0c588a1fc7aa474c0ea9783cbb4084",
"type": "threshold",
"version": 1
},
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
"rule_name": "AWS IAM Deactivation of MFA Device",
"sha256": "3f8b720637522efa339b3f4d6a37132a0afde5245c9d019e1cc04b4692608858",
"type": "query",
"version": 214
},
"d93e61db-82d6-4095-99aa-714988118064": {
"rule_name": "NTDS Dump via Wbadmin",
"sha256": "9e5b0489fe8d9d7ae6f525d392c077eeba531a182940f9c7e2e8647bb2dd4cec",
"type": "eql",
"version": 207
},
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "9550d120744ff92d7f4104b60b380d0debc4c6bd9a3171d48966998a5dd48226",
"type": "eql",
"version": 316
},
"d9af2479-ad13-4471-a312-f586517f1243": {
"rule_name": "Curl or Wget Spawned via Node.js",
"sha256": "d1600218fc96bb2a51bece15f870cace393f636ebcf4f68a4d9b06ccf8a80a4d",
"type": "eql",
"version": 4
},
"d9bfa475-270d-4b07-93cb-b1f49abe13da": {
"min_stack_version": "9.3",
"rule_name": "Suspicious Echo or Printf Execution Detected via Defend for Containers",
"sha256": "ce0e37c4131266899b3fff16ba9305d4088310293fc2c32ed800451178e89358",
"type": "eql",
"version": 2
},
"d9faf1ba-a216-4c29-b8e0-a05a9d14b027": {
"rule_name": "Sensitive Files Compression Inside A Container",
"sha256": "abaae9b121b4c9e85fe7f81aa82f7048fed76d2dfcef8712ec4ff82c33a93706",
"type": "eql",
"version": 3
},
"d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
"rule_name": "Suspicious Windows Command Shell Arguments",
"sha256": "aff7d38b73a0e95e989acef5b99c298a4ee9a1cb09ef6eb7a3eda510ac03edcd",
"type": "eql",
"version": 206
},
"da0d4bae-33ee-11f0-a59f-f661ea17fbcd": {
"rule_name": "Entra ID Protection - Risk Detection",
"sha256": "0f39ccaeadc0c6cf3a2ee85643d96368b7334c7b492b8517a90569b012196537",
"type": "query",
"version": 2
},
"da0ebebe-5ad3-4277-95e7-889f5a69b959": {
"rule_name": "System Information Discovery via dmidecode from Parent Shell",
"sha256": "c5119c7d8cb6ba0ab9fb94430ae2c2d1e3e6a6ebf20e2e18c60d9d4a5447293b",
"type": "eql",
"version": 2
},
"da4f56b8-9bc5-4003-a46c-d23616fbc691": {
"rule_name": "PANW and Elastic Defend - Command and Control Correlation",
"sha256": "1671e56ab926da333517e73469025c78710f8895f623fcda53659f9584fd8d1c",
"type": "eql",
"version": 1
},
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "de90093e93bac48091417fa26435ce13733ef66d348b2ee5fcbe5c2ca5699a20",
"type": "eql",
"version": 215
},
"da7f5803-1cd4-42fd-a890-0173ae80ac69": {
"rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score",
"sha256": "0ff9609987d9a6de247a349ff8e4b707f3c7580c7470faffdbac5d115c8e7307",
"type": "query",
"version": 8
},
"da7f7a93-26e1-49ce-b336-963c6dc17c7b": {
"rule_name": "Multiple Machine Learning Alerts by Influencer Field",
"sha256": "261d3febfee5e90a2350910f92af7a263d627358d8f42ad07c4a9e339509fdb5",
"type": "esql",
"version": 3
},
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "9a5fb2e46cf6489a1a39cd0be4a26dae1c3f91c4ab96dd6cece8cda288fe4de4",
"type": "eql",
"version": 116
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
"type": "eql",
"version": 100
},
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "a870ddcacfd1e7bd5be05da72321e3e4bd47cc425834ebb71582d0504694ff7d",
"type": "new_terms",
"version": 110
},
"dacfbecd-7927-46a7-a8ba-feb65a2e990d": {
"rule_name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access",
"sha256": "3290943a7f9eac7a81b22c85d4475823a85bc512db43b7fb89cfad523ea17c84",
"type": "eql",
"version": 1
},
"daf2e0e0-0bab-4672-bfa1-62db0ee5ec22": {
"rule_name": "Github Activity on a Private Repository from an Unusual IP",
"sha256": "7e678bb2e91b5748488cd6fc3db4e567d29471f1977f03b00c7fcc37bbacbacf",
"type": "new_terms",
"version": 1
},
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
"rule_name": "Entra ID MFA Disabled for User",
"sha256": "b54fc8c1edfe9d6f2035c2846c98bf0d3c51413ae61ac58e234172aa4fdb711a",
"type": "query",
"version": 109
},
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "e8a375d2c92b79dbedd319eb4d79fe9a66efc3263210f4b629ec811cb642db64",
"type": "eql",
"version": 207
},
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "3d2e5ac48ff0dd732d63a309fd8645c301330bfc555cc67fe1e4e842f3604e9a",
"type": "eql",
"version": 214
},
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
"sha256": "a78cb90c7f0afb001831e03cd16a5cb52e24282352980bd0daf83fa50fbc9119",
"type": "query",
"version": 105
},
"db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f": {
"rule_name": "Azure Service Principal Authentication from Multiple Countries",
"sha256": "a3374ebe2417fa418ec0532baa788b5b2ded9d847dead371b7a0699ab62ed7be",
"type": "esql",
"version": 1
},
"dc0b7782-0df0-47ff-8337-db0d678bdb66": {
"rule_name": "Suspicious Content Extracted or Decompressed via Funzip",
"sha256": "e9b9e809e2cf545314cb6ddadbc533e5c7aba5f5ece5aa2d433d7050c32fc96f",
"type": "eql",
"version": 110
},
"dc61f382-dc0c-4cc0-a845-069f2a071704": {
"rule_name": "Git Hook Command Execution",
"sha256": "f59a76eae734bd08b0262cde69d2f9485e13eb81bd6972ca814fccb3c9048511",
"type": "eql",
"version": 107
},
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
"type": "threat_match",
"version": 100
},
"dc71c186-9fe4-4437-a4d0-85ebb32b8204": {
"rule_name": "Potential Hidden Process via Mount Hidepid",
"sha256": "89224db65c511c704e59e1f3954ea53d015c2ad5d81525e57edab31e32d6c616",
"type": "eql",
"version": 114
},
"dc765fb2-0c99-4e57-8c11-dafdf1992b66": {
"rule_name": "Dracut Module Creation",
"sha256": "0e99d7949e86837bb6610359a57608bb2013bb4c567ebd78cc8d3eefe8449f80",
"type": "eql",
"version": 5
},
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "568324dbf93bcb87f147152b79e01102b76bcd7b14fe051242a4ce8faa280f64",
"type": "eql",
"version": 316
},
"dca28dee-c999-400f-b640-50a081cc0fd1": {
"rule_name": "Unusual Country For an AWS Command",
"sha256": "5fcc8e1b8ffda2633c5e84605dbccd3b4fa19f61cb6746ba6f2e9673df63aa6f",
"type": "machine_learning",
"version": 212
},
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "3e7ff7380de734a0b98762b61a6c34d06b5e6209fa1b42b89385a27f3e709e1e",
"type": "eql",
"version": 210
},
"dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f": {
"min_stack_version": "9.3",
"rule_name": "Unusual Country For a GCP Event",
"sha256": "5453995a966b42c545508b8d3aa57fd84891a46c9ac167eb5e4b36d2c3f4fe3b",
"type": "machine_learning",
"version": 1
},
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "ab7d16c803fc15c77dc6801a94c2476e64591720f62dd9bcc56d4896f4b14a6e",
"type": "eql",
"version": 214
},
"dd52d45a-4602-4195-9018-ebe0f219c273": {
"rule_name": "Network Connections Initiated Through XDG Autostart Entry",
"sha256": "405e7084d6ebec98fee61cf3cff66178b05b514c0bf6d62492ebbf42928134b9",
"type": "eql",
"version": 8
},
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
"rule_name": "Reverse Shell Created via Named Pipe",
"sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c",
"type": "eql",
"version": 6
},
"dd983e79-22e8-44d1-9173-d57dba514cac": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Docker Socket Enumeration",
"sha256": "7138568f73259e78a31af51d2811c2a36244b38986fb20b48baf9928b692deaa",
"type": "eql",
"version": 4
}
},
"rule_name": "Docker Socket Enumeration",
"sha256": "58cc67adcc51ab6b32e392ef0edb01b69d46a6c5e44666e2f95cb708f722ebca",
"type": "eql",
"version": 104
},
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "1216996a5132262ba297122d42364ea18a50edcf869b1069489c8a412c0adb3d",
"type": "eql",
"version": 314
},
"dde13d58-bc39-4aa0-87fd-b4bdbf4591da": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Role",
"sha256": "65db2d31f29446ab309635049de6eda871a92d9ca2cc4aaff2e83bd9aea6239f",
"type": "eql",
"version": 8
},
"ddf26e25-3e30-42b2-92db-bde8eb82ad67": {
"rule_name": "File Creation in /var/log via Suspicious Process",
"sha256": "c93e5ca8c14efd2dfdd66fc555a1270d9dd497d15192f1fe8347c783cb238ff6",
"type": "new_terms",
"version": 4
},
"de67f85e-2d43-11f0-b8c9-f661ea17fbcc": {
"rule_name": "M365 Identity User Account Lockouts",
"sha256": "6ab64c006d24097f944e6a6908d33fcb3365fb7a054d3dbce20536fb0b4e609b",
"type": "esql",
"version": 6
},
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "25831887f2b7a10edc4724e5638ad06bd25f32f80be91516cad1f801bfd2738b",
"type": "eql",
"version": 317
},
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
"sha256": "3cbd491b0c22fa5ad46e7105f3ff9bf650b5b7cb2b5b6ae071ebe1fc541478c2",
"type": "eql",
"version": 215
},
"ded09d02-0137-4ccc-8005-c45e617e8d4c": {
"rule_name": "Query Registry using Built-in Tools",
"sha256": "c565926c3852c56892fb0501188df9bc15a1e1513cf40aad90ba10370499a8fd",
"type": "new_terms",
"version": 108
},
"deee5856-25ba-438d-ae53-09d66f41b127": {
"rule_name": "AWS EC2 Export Task",
"sha256": "db05870aa6ed8aaa9c35c23f2f027925b38e3f3641f4286a390c61be5c6a59b4",
"type": "query",
"version": 2
},
"df0553c8-2296-45ef-b4dc-3b88c4c130a7": {
"rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners",
"sha256": "1911bad236dfa90b27f167aac3ae24c7f49c5a1fc583ab500bff60f013b34dc6",
"type": "eql",
"version": 1
},
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
"rule_name": "First Time Seen Driver Loaded",
"sha256": "22276ed48570dff5dd0abb9dcb47a087657cc6232ec63597dc0e0b26c49c722e",
"type": "new_terms",
"version": 11
},
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "de5473b7189c06de5ae65d7300a87f99bc1f61cf9d84b7376eec6c9d45d247d8",
"type": "machine_learning",
"version": 209
},
"df26fd74-1baa-4479-b42e-48da84642330": {
"rule_name": "Azure Automation Account Created",
"sha256": "8feceb0ecaa575745516b5b6fa6e96ed670629de0b072d6623b7a23cf30b3eaa",
"type": "query",
"version": 106
},
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
"rule_name": "Dynamic Linker Copy",
"sha256": "003233b091321e0a4fe6df57cdaa994539bb71b6dd12601da5a6fd5f01de11d2",
"type": "eql",
"version": 215
},
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
"rule_name": "Kubernetes Pod Created With HostPID",
"sha256": "6473e4704235670950fe8e088ecbe56511ae0184f0bd6e59a0b9180e5049b37d",
"type": "query",
"version": 209
},
"df919b5e-a0f6-4fd8-8598-e3ce79299e3b": {
"rule_name": "AWS IAM AdministratorAccess Policy Attached to Group",
"sha256": "b14d3376a6870792125d64eb34405c64d913f93a299965903e0b1ff9f69959e9",
"type": "eql",
"version": 8
},
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
"rule_name": "Unusual Process Execution - Temp",
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
"type": "query",
"version": 100
},
"df9c0e92-5dee-4f1d-a760-3a5c039e4382": {
"rule_name": "Detection Alert on a Process Exhibiting CPU Spike",
"sha256": "1c1c33cb7492423d273e6363aba2b89549219fb617f2f7249b70a650f68c8226",
"type": "esql",
"version": 4
},
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "04754d1f1115e42d25e09ec628091486bee331e78bf83009b4038c838f2f8606",
"type": "eql",
"version": 208
},
"e00b8d49-632f-4dc6-94a5-76153a481915": {
"rule_name": "Delayed Execution via Ping",
"sha256": "3db533741b55d6d75bb2c5e997575e42cd8dfe5e3e5c71ca2726a0c46208a150",
"type": "eql",
"version": 7
},
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
"rule_name": "Azure VNet Firewall Policy Deleted",
"sha256": "c5ebf331761eb929cb3aa28abbc6e6e5ff2244812d43b41c3454891a5215d9bd",
"type": "query",
"version": 107
},
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "60f2e83e2e758d10795f462a4227d514cbaf954e3f734e293bcd14b0923008d8",
"type": "eql",
"version": 213
},
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "76b86024b492a5882735a99a0b302d59465ce6d3c4a76111d5c396c8fe3afee9",
"type": "eql",
"version": 113
},
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "6895c9fbae5168b04623118fd5fc7fd437115a39af78dc23169e7b1ec667b959",
"type": "threshold",
"version": 415
},
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
"rule_name": "Potentially Suspicious Process Started via tmux or screen",
"sha256": "cc1a82b33871698dca83debd13763adc7dd5248191fa09eb72daa77f2269beca",
"type": "eql",
"version": 110
},
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
"rule_name": "Whitespace Padding in Process Command Line",
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
"type": "eql",
"version": 100
},
"e0f36de1-0342-453d-95a9-a068b257b053": {
"rule_name": "Azure Event Hub Deleted",
"sha256": "196e87bc132f72c0d5ba55f801723dc80de03525b77a152b0d97a5487d58d8f9",
"type": "query",
"version": 107
},
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
"rule_name": "AWS EC2 Route Table Created",
"sha256": "0107e5ff857bb3b08c9181ad8398d51eb0862148b3a6e45e1e18d3ef85982147",
"type": "new_terms",
"version": 212
},
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
"rule_name": "Deprecated - AWS RDS Cluster Creation",
"sha256": "fbb6042f3855329eb580ee709a18e2bb89dc13f2ec1b6a3ed538b69cdc0b5c50",
"type": "query",
"version": 210
},
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
"rule_name": "Connection to External Network via Telnet",
"sha256": "8b3afa0d58084217b29e918bb34ad10a43cb606479d126d45a3f2ef8e47b035b",
"type": "eql",
"version": 212
},
"e1db8899-97c1-4851-8993-3a3265353601": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code",
"sha256": "1865ab89709d91f25e6761fe52e410b8cf0fe12c7ab1a66b8cff245fe6fe65ca",
"type": "machine_learning",
"version": 7
},
"e2258f48-ba75-4248-951b-7c885edf18c2": {
"rule_name": "Suspicious Mining Process Creation Event",
"sha256": "31f1e42fd073189974ef107fca4aa2c24131c2cd80c3eb16f91755fcfe3f54d4",
"type": "eql",
"version": 111
},
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
"rule_name": "Spike in Successful Logon Events from a Source IP",
"sha256": "797e8be045b28198233988299f917efbbbeab83acaef08795d0a7b3a8f56533f",
"type": "machine_learning",
"version": 107
},
"e26c0f76-2e80-445b-9e98-ab5532ccc46f": {
"rule_name": "Full Disk Access Permission Check",
"sha256": "513dd07104c0782edbca0973652ff1c0affc115b879c08c56ce1bd500d587595",
"type": "eql",
"version": 1
},
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "907edd17e466a818cba2a0af32a363af70af30da65bab6787f7c3c1cbe02cf49",
"type": "query",
"version": 321
},
"e28b8093-833b-4eda-b877-0873d134cf3c": {
"rule_name": "Network Traffic Capture via CAP_NET_RAW",
"sha256": "fab7fa210a76157c989ee04aefd0795f455e6c208c1448b2998bc869fbc08430",
"type": "new_terms",
"version": 7
},
"e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
"rule_name": "Suspicious pbpaste High Volume Activity",
"sha256": "39bd466dd0e2510cef75410efa33adfc11e78fe35175353653b4d3b314783d1e",
"type": "eql",
"version": 4
},
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
"rule_name": "AWS Management Console Root Login",
"sha256": "49e6685002f2a8bc63d3cf02f27027400fddc6ac909333f6472c52b60845fa6b",
"type": "query",
"version": 213
},
"e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": {
"rule_name": "System Network Connections Discovery",
"sha256": "b00992fce58b8dc70936e08ee54b5daac9d824811cc5a4c82eb3167aee0301ec",
"type": "new_terms",
"version": 7
},
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "e74a4c87a553413bb19d44ccacdd456c854985a1e328bf286519ec5247e28877",
"type": "eql",
"version": 213
},
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "c5dd1640be638638d42328b63e8b36a12443ad1dead6923ba13d075ad7d13001",
"type": "eql",
"version": 216
},
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
"rule_name": "GCP IAM Role Deletion",
"sha256": "1ec9e881d24cff075f684cd8fa0e526d97adbdeb15c05ac277f081cd676acc07",
"type": "query",
"version": 107
},
"e302e6c3-448c-4243-8d9b-d41da70db582": {
"rule_name": "Potential Data Splitting Detected",
"sha256": "4b19dd9f518a41b8105ead19de687f720f9565ed64a685148b4a6fd3ddb5ac68",
"type": "eql",
"version": 106
},
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "280fe85dbda49421337ee3e0acbe259db72a41d7fe3a0824a6d5c47ab39ece79",
"type": "eql",
"version": 316
},
"e3a7b1c2-5d9f-4e8a-b6c3-2f1d4e5a6b7c": {
"rule_name": "FortiGate SSO Login Followed by Administrator Account Creation",
"sha256": "94bc6e3515c8fcb6f1fe62327d4d4a02ccab5f9520a1e457b4c9b56868a0b76a",
"type": "eql",
"version": 1
},
"e3bd85e9-7aff-46eb-b60e-20dfc9020d98": {
"rule_name": "Entra ID Concurrent Sign-in with Suspicious Properties",
"sha256": "10e92fbdc7b268665e8611e80d3c2104328b31411a49372fdefe7d868a964903",
"type": "esql",
"version": 5
},
"e3c27562-709a-42bd-82f2-3ed926cced19": {
"rule_name": "AWS Route 53 Private Hosted Zone Associated With a VPC",
"sha256": "bb79588455fb19ea641cea5b513903bcfd62f5d8d8714dda71986fdc80fdcc13",
"type": "query",
"version": 211
},
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
"rule_name": "Ransomware - Prevented - Elastic Endgame",
"sha256": "6c528e2eaa2548c187927e68a1378a8ae0983ad6786b4c4ea83f5f2791f614ea",
"type": "query",
"version": 105
},
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "d0808046d0f021cc86ee33c736a3ec4929823a4b898788c98aea846d1d7326d1",
"type": "eql",
"version": 210
},
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
"rule_name": "KDE AutoStart Script or Desktop File Creation",
"sha256": "999d735f1b43bec7ac12aae0dfcb782d61f178d80df5c7d200629806c941435b",
"type": "eql",
"version": 219
},
"e3f5a566-df31-40cc-987c-24bc4bb94ba5": {
"rule_name": "Persistence via a Hidden Plist Filename",
"sha256": "e10babd2a4c59e058435d104fde73fcff04b3edff61dc053e1e33516665a6c8e",
"type": "eql",
"version": 1
},
"e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1": {
"rule_name": "SentinelOne Threat External Alerts",
"sha256": "187f393346f1e5ce97e9a11d3cb68a3d26efed06da5070cba9858bb5e01bef6e",
"type": "query",
"version": 1
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "1427e75700829bf8f8c5f393c446556c02e5016d04293bca9c2112a6d88fc352",
"type": "new_terms",
"version": 110
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "0fe269bb97bcb2fd0169410d29766dd6d5f9d7c0cb45606460e173d3a8122c76",
"type": "query",
"version": 413
},
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "dcdd90fdd58bbbdd33a53fae80e5df7d4963e028b4ce8ddd29df997cba2c0964",
"type": "eql",
"version": 212
},
"e4feea34-3b62-4c83-b77f-018fbef48c00": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
"sha256": "0cc36350d68626dc93304799effc87027ee6e7dfdb46469ccc949b5c0662e38d",
"type": "eql",
"version": 4
}
},
"rule_name": "AWS IAM Virtual MFA Device Registration Attempt with Session Token",
"sha256": "ea754dc7ebd790477767de5ab2895d06f2ef94d22a8707ae800e9f54986de376",
"type": "eql",
"version": 104
},
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "33eb3aeb5b3dd4bea1245d0a515df9229d87de7f2c0ec19e04d60911f451099b",
"type": "eql",
"version": 217
},
"e516bf56-d51b-43e8-91ec-9e276331f433": {
"rule_name": "Network Activity to a Suspicious Top Level Domain",
"sha256": "c2210953bc0ea85caae3af77749d98d8ef8e88559dfa7871f04e8f1d43287f17",
"type": "eql",
"version": 3
},
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
"rule_name": "MFA Disabled for Google Workspace Organization",
"sha256": "8d84f71e1bd9d53371b05b590f59d4d7625f35ddc50596b9e85358d04a9ea3d6",
"type": "query",
"version": 208
},
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
"type": "query",
"version": 100
},
"e5d69377-f8cf-4e8f-8328-690822cd012a": {
"rule_name": "GitHub Authentication Token Access via Node.js",
"sha256": "ad6ddc79e5e91fdcefbc8d3ede209e443bf203dc4336b588f87cc5c7702a1222",
"type": "eql",
"version": 3
},
"e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b": {
"rule_name": "First Time Seen DNS Query to RMM Domain",
"sha256": "852b7662551d2f31372bcde3d5232a889196a760de7cb2516e7ce37075e95609",
"type": "esql",
"version": 3
},
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
"rule_name": "Bash Shell Profile Modification",
"sha256": "2fd375388407792fd51a8969b707aa25f45b320020108a7979676d7a7f9a867e",
"type": "query",
"version": 108
},
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"rule_name": "Authorization Plugin Modification",
"sha256": "744d55b2624acf5063085463e8c93573a6bd166726891c49518a7e0f876c9506",
"type": "eql",
"version": 111
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"rule_name": "Possible Okta DoS Attack",
"sha256": "b21e24b57dbe58161fb421ca64574bc8e25b38423b8b0522e7245c63e7482a0b",
"type": "query",
"version": 412
},
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "3f5eaac76da3b4b7c5d8d535d0176d7838894c7e60cf0c23bfc833dd1f9a07be",
"type": "eql",
"version": 112
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"rule_name": "Default Cobalt Strike Team Server Certificate",
"sha256": "04bf3e29bdae001d0d6e5252b2e7ffe48bf3768f072adbeb9f4a138613d1a911",
"type": "query",
"version": 108
},
"e707a7be-cc52-41ac-8ab3-d34b38c20005": {
"rule_name": "Potential Credential Access via Memory Dump File Creation",
"sha256": "22885ae14d09906f786705183a0dfa366fb542f4048dbe5e5b30dc12c0ac3e22",
"type": "eql",
"version": 6
},
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "b115ce618bac0c40e2c9a0017d3c755ba486d73979b049d7abae7e6bfe172fd6",
"type": "eql",
"version": 210
},
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "51288e9d92eab1be4110bbd923499cd63439b5d593f3c03b97113ede4ed854e2",
"type": "eql",
"version": 311
},
"e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": {
"rule_name": "Potential Windows Session Hijacking via CcmExec",
"sha256": "f0d0dfaf215a9c74db6e276efa561707f2c059d3035cf81463cbaac81b4827ca",
"type": "eql",
"version": 4
},
"e74d645b-fec6-431e-bf93-ca64a538e0de": {
"rule_name": "Unusual Process For MSSQL Service Accounts",
"sha256": "467937da7cc714e1f6a0386a8944592cc48e2285f954a8f9c601ff715c8c0209",
"type": "eql",
"version": 6
},
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "7fa81f350e13f62767add8eac8f6ed5ff6bded35dfbc9240a90f6afc1a74579b",
"type": "eql",
"version": 205
},
"e7cb3cfd-aaa3-4d7b-af18-23b89955062c": {
"rule_name": "Potential Linux Credential Dumping via Unshadow",
"sha256": "095bc67fc213affaf3d86f181676fa71bf12541b50aebded9b6b8a386f4336bd",
"type": "eql",
"version": 113
},
"e7cd5982-17c8-4959-874c-633acde7d426": {
"rule_name": "AWS EC2 Route Table Modified or Deleted",
"sha256": "f18144745e343e210c9169d503a65725d2a19d82ea50df322b5d417924d93cbb",
"type": "new_terms",
"version": 211
},
"e7e0588b-2b55-4f88-afd1-cf98e95e0f58": {
"rule_name": "Suspicious Outbound Network Connection via Unsigned Binary",
"sha256": "ce53d5d2947803141c22295600533afed56ad3287b80b85ca8c9dd0d17b0af3d",
"type": "eql",
"version": 1
},
"e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a": {
"rule_name": "Potential Protocol Tunneling via Yuze",
"sha256": "da8044c4f43ed4839eb4e34c47fa76d078c1149e5f37d29600c0df04067e11b0",
"type": "eql",
"version": 1
},
"e80ee207-9505-49ab-8ca8-bc57d80e2cab": {
"rule_name": "Network Connection by Cups or Foomatic-rip Child",
"sha256": "0d70a846b5231fa5055bd8dab47d27adc7650f6ea92664b759685a8cff6e619c",
"type": "eql",
"version": 5
},
"e819b7eb-c2d4-4adc-b0c9-658aeb140450": {
"rule_name": "Lateral Movement Alerts from a Newly Observed User",
"sha256": "a3258f0d15c7c51105bf8854c5ce37f0d660fb5f008b73587d0eb4314de34c12",
"type": "esql",
"version": 3
},
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "2f9cf61e66c50847a30dfde7b4a3bbf289e90674920e25039f08a8953eb1eace",
"type": "eql",
"version": 217
},
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"rule_name": "Installation of Security Support Provider",
"sha256": "8f41ce2cba95e21cdd0446de79cfee143daa1fac5ca9af0a52476dc70dda83e4",
"type": "eql",
"version": 313
},
"e882e934-2aaa-11f0-8272-f661ea17fbcc": {
"rule_name": "Microsoft Graph Request Email Access by Unusual User and Client",
"sha256": "2c86e3a65889b2dcc098107030beb9848fa1a54fc6f7874911e7148f919a36d2",
"type": "new_terms",
"version": 4
},
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"rule_name": "Host File System Changes via Windows Subsystem for Linux",
"sha256": "fc04a26c8bd9015b4cca4f17b20d8f18ac3eacb335a947d8793d0016b6ebbf0f",
"type": "eql",
"version": 112
},
"e8b37f18-4804-4819-8602-4aba1169c9f4": {
"rule_name": "GitHub Actions Workflow Modification Blocked",
"sha256": "8a03e6a43d6c01bdf79a1197212c01b4c7c27862f9dbe9176f70cc1506b487e2",
"type": "esql",
"version": 5
},
"e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Policy Added to Share with External Account",
"sha256": "651f7eb7bc6d9f26754d5a8e04106fb4b65004ed9bf01a8c593c6df5ca9482aa",
"type": "eql",
"version": 8
},
"e8ea6f58-0040-11f0-a243-f661ea17fbcd": {
"rule_name": "AWS DynamoDB Table Exported to S3",
"sha256": "7a1c848b9332b7abde093a99eab67afa7b533fe25cef0d9374d8854c2e0a36e7",
"type": "new_terms",
"version": 5
},
"e9001ee6-2d00-4d2f-849e-b8b1fb05234c": {
"rule_name": "Suspicious System Commands Executed by Previously Unknown Executable",
"sha256": "9ae5a217d42efb627b6ac44f09ebae8cecffcbc04bee2a7a6de32120c50d311e",
"type": "new_terms",
"version": 111
},
"e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": {
"rule_name": "Potential PowerShell Obfuscation via String Reordering",
"sha256": "84fb725b362cfa15cd93030dd0ee407c62219b8e75e23fc673d4b4411efc479e",
"type": "esql",
"version": 12
},
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "cd48b966ef0a6d90372a5d1bea8755963aa907f83d7e62adacbb43d77280b961",
"type": "threshold",
"version": 415
},
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
"rule_name": "Deprecated - AWS EC2 VM Export Failure",
"sha256": "7339232c396fb3ef53df007330bd3fdbe73aba02804975f4a767f59c658cb33f",
"type": "query",
"version": 210
},
"e92c99b6-c547-4bb6-b244-2f27394bc849": {
"rule_name": "Spike in Bytes Sent to an External Device via Airdrop",
"sha256": "3972b1d0f6ef586df99e20db1f8a7b5f3e92843225a0ead8bdfb2bfda5096834",
"type": "machine_learning",
"version": 7
},
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "d0d79e029dbc2c30f3d6e94335597e07feda824c2751b442c658b9aa9867d635",
"type": "eql",
"version": 315
},
"e9a3b2c1-d4f5-6789-0abc-def123456789": {
"rule_name": "Ollama DNS Query to Untrusted Domain",
"sha256": "0b119216b26c97e9d09c1c3f8a6f57140261fe8f360165369dd6242701c3c765",
"type": "eql",
"version": 1
},
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
"rule_name": "Potential LSA Authentication Package Abuse",
"sha256": "ae65f0070012be05d928e6b1ac86c345635c083d43d2d847b0ce313aa91a6787",
"type": "eql",
"version": 109
},
"e9b0902b-c515-413b-b80b-a8dcebc81a66": {
"rule_name": "Spike in Remote File Transfers",
"sha256": "6eab278586da677be043352e5acc6918724d546e2a66017c7babdd4f44d5a2f9",
"type": "machine_learning",
"version": 8
},
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
"type": "eql",
"version": 100
},
"e9fe3645-f588-43d6-99f5-437b3ef56f25": {
"rule_name": "AWS EC2 Serial Console Access Enabled",
"sha256": "4f14c69238fcb650530a5884d6ebbbfe0c80780c84a29a6d26d078bb3114929b",
"type": "query",
"version": 1
},
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
"rule_name": "Azure Automation Webhook Created",
"sha256": "8214976ada75f1392c7072b184b4e333f9e13a69726fc7c43c3ee15f2c60bf2d",
"type": "query",
"version": 106
},
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
"rule_name": "SSH (Secure Shell) from the Internet",
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
"type": "query",
"version": 100
},
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "d05c4f87423f7e7375d862028b9f83a9a3ebb9175e51a3de0db0f4b8e983ecda",
"type": "machine_learning",
"version": 110
},
"ea248a02-bc47-4043-8e94-2885b19b2636": {
"rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy",
"sha256": "0c0f0eb2a7f6d55541448bebed4b150affcf95c0e6cc3fd1c4524b8fa02d6480",
"type": "threshold",
"version": 214
},
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
"rule_name": "Spike in Firewall Denies",
"sha256": "1682a0c3be0d13c2d886046e969759c83cba4312382efe8fca8f9be342ef8e86",
"type": "machine_learning",
"version": 108
},
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": {
"rule_name": "Suspicious APT Package Manager Network Connection",
"sha256": "fc4cdb8ca683ffa65896c61ff70e92915bae58e9ea0ae565d2ca5dee990ac6a7",
"type": "eql",
"version": 9
},
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
"rule_name": "External Alerts",
"sha256": "3076f6b1adaf92e302684e1464639085c90751e68a525064398b7a9c2a03e3e5",
"type": "query",
"version": 107
},
"eb3150eb-e9fb-4a64-a0fc-aa66cdd35632": {
"rule_name": "Telnet Authentication Bypass via User Environment Variable",
"sha256": "dad30a9b0ac5bb3048cae4d42fe0015a25c5bdf4122aaec696d0bfede5c73556",
"type": "eql",
"version": 2
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "f994e110b50cb2736e928c79c4c504229652f18fda04a1328cd19dc6f0b6eb27",
"type": "query",
"version": 110
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "76ee3184eccc1adb58829a3db55ed8a13a43cc08ce6f1e29cc4696c5b979c901",
"type": "query",
"version": 217
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"rule_name": "Suspicious Network Connection Attempt by Root",
"sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e",
"type": "eql",
"version": 104
},
"eb804972-ea34-11ee-a417-f661ea17fbce": {
"rule_name": "Behavior - Prevented - Elastic Defend",
"sha256": "02eda12d21fbff98e95223ba0596351a3c2e483be002663151be5c250edadc69",
"type": "query",
"version": 5
},
"eb958cb3-dead-42b6-94ff-b9de6721fab2": {
"min_stack_version": "9.3",
"rule_name": "Curl SOCKS Proxy Detected via Defend for Containers",
"sha256": "3592443fb0d2e39fa025942bdc23a32bf151877ce039710cbaf0182ee1a69a17",
"type": "eql",
"version": 1
},
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
"rule_name": "Potential Disabling of SELinux",
"sha256": "a983e45d426bb8f3a4ef45dfd2f57506e858af2344cca3033b44a1671fdaa745",
"type": "eql",
"version": 215
},
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "15a0fd7044827c36f60417515284afb4f6fe23e1dbae54a45a6b44e8ae0887fd",
"type": "eql",
"version": 415
},
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "639dbba324d05efce28f2d414c6687f844c4a2bf1bf2c510e07a4ab8b7728728",
"type": "eql",
"version": 316
},
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "a142efdb2037310db7836d7d03a99bebf545ffb3f5260aeb9930d874603d6d63",
"type": "eql",
"version": 318
},
"ec604672-bed9-43e1-8871-cf591c052550": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 103,
"rule_name": "Deprecated - File Made Executable via Chmod Inside A Container",
"sha256": "e83d9c10df932ec1ea757f8db704550f8f70c3bb48b0155578659ee10099091c",
"type": "eql",
"version": 4
}
},
"rule_name": "File Execution Permission Modification Detected via Defend for Containers",
"sha256": "cb17a8960fbe32d16f37c061338c7d98a517c4803aa4f73b976ef7ad40c15496",
"type": "eql",
"version": 106
},
"ec81962e-4bc8-48e6-bfb0-545fc97d8f6a": {
"rule_name": "Kubernetes Forbidden Creation Request",
"sha256": "d033bf3df19beb0e8f39e0a74b8438439e657b5a940999c60096803581fdc6d8",
"type": "eql",
"version": 2
},
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
"rule_name": "M365 Exchange Inbox Forwarding Rule Created",
"sha256": "b993745b45fbc5109fc2f625b7cc15b902271dfaf502d2d85d2fa5208f31de8b",
"type": "eql",
"version": 213
},
"ecc0cd54-608e-11ef-ab6d-f661ea17fbce": {
"rule_name": "Unusual Instance Metadata Service (IMDS) API Request",
"sha256": "cf396164e5d336a90010d7d9340539f2952de6f2af4e6f3feb848daed8b245cd",
"type": "eql",
"version": 7
},
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": {
"rule_name": "Executable File with Unusual Extension",
"sha256": "b9cbdb757c2d5778d0c1a517bd488966edd65b3f3716a9afe62b215d97b44f5d",
"type": "eql",
"version": 4
},
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
"rule_name": "Deprecated - AWS RDS Instance/Cluster Stoppage",
"sha256": "2eba03080f61dc66ae0a110e2c12eaf47e267f31eb5fea196cf483d6b9a64510",
"type": "query",
"version": 210
},
"ed3fedc3-dd10-45a5-a485-34a8b48cea46": {
"rule_name": "Unusual Remote File Creation",
"sha256": "a7a4aa5dee70a0b7400227badb99bbd92c05ec809b52bddb0719918089f99323",
"type": "new_terms",
"version": 6
},
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
"rule_name": "Entra ID Global Administrator Role Assigned (PIM User)",
"sha256": "a435c4e0f2296569715d62e9a745c6e53e807369ee3ef0969605a24d68dc0661",
"type": "query",
"version": 107
},
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"rule_name": "AdFind Command Activity",
"sha256": "7e0624287ad182ae9bacc67dc50b8c0dd7eefdfd4cd89c815901306e3312297b",
"type": "eql",
"version": 317
},
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "3d33d63b18b70ecb260d4753743b10a2f38b083d5fd42f92e86d1a27f815795e",
"type": "query",
"version": 413
},
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "248af1fe0e07120481568edfaa652ca97c59f7155e4e42898736bf32eed87e29",
"type": "eql",
"version": 318
},
"edfd5ca9-9d6c-44d9-b615-1e56b920219c": {
"rule_name": "Linux User Account Creation",
"sha256": "5560af4da75f6828cfd7b29908eba789035a6a7fb66d4380dc6d4acc5ff5a967",
"type": "eql",
"version": 10
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "79bcd3e51917161d1bbbb3d46ba9ae90ed7261430e0bddd58d172517d5348729",
"type": "query",
"version": 310
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "54e542eced060164ea48e1acd0e2dad60a507e92b22080e79fefa1717cdb3600",
"type": "eql",
"version": 215
},
"ee53d67a-5f0c-423c-a53c-8084ae562b5c": {
"rule_name": "Shortcut File Written or Modified on Startup Folder",
"sha256": "ed57ac9eacaf051cab3aeae3f09c0a59fdfb7eb9ca18e4ceada98adc47ac6bc6",
"type": "eql",
"version": 4
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
"type": "eql",
"version": 100
},
"ee7726cc-babc-4885-988c-f915173ac0c0": {
"rule_name": "Suspicious Execution from a WebDav Share",
"sha256": "c5748ea3783ef8a9981c04d76db7206edabc9aeec804a0174f7827ef1b46c95b",
"type": "eql",
"version": 1
},
"eea82229-b002-470e-a9e1-00be38b14d32": {
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "ea81b8be42aac46fe858037a08802a107f542b90f33471e6fc3a43c0b3467395",
"type": "eql",
"version": 112
},
"eef9f8b5-48ec-44b5-b8bd-7b9b7d71853c": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 101,
"rule_name": "Kubectl Apply Pod from URL",
"sha256": "548e6c3705fae441b48d6c6931d33d907796f823cd985983d79c6041af367472",
"type": "eql",
"version": 2
}
},
"rule_name": "Kubectl Apply Pod from URL",
"sha256": "539eb4b8333957dbb835a5fcda5f747181b40de7bd28cfb8c4956c51c7e8ac28",
"type": "eql",
"version": 102
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"rule_name": "BPF filter applied using TC",
"sha256": "52518d228cda96c48b2c5695e5de6764e65caeeafda816216817b6cbb73abd40",
"type": "eql",
"version": 214
},
"ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": {
"rule_name": "Potential Linux Credential Dumping via Proc Filesystem",
"sha256": "ad898972711331ccf7f9526e14f2a3aeb21a112d374a94bc253896390e35af91",
"type": "eql",
"version": 112
},
"ef395dff-be12-4a6e-8919-d87d627c2174": {
"rule_name": "Potential Linux Tunneling and/or Port Forwarding via SSH Option",
"sha256": "15b509aa1f5ce2c13415561c334b6a518da12328ed335527951d3c70264464b1",
"type": "eql",
"version": 4
},
"ef65e82c-d8b4-4895-9824-5f6bc6166804": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 102,
"rule_name": "Deprecated - Potential Container Escape via Modified notify_on_release File",
"sha256": "e4750e67d85a5bceb46ee02825a18989d55a065f353791467ac9bdcc98f4cb7a",
"type": "eql",
"version": 3
}
},
"rule_name": "Potential notify_on_release Container Escape Detected via Defend for Containers",
"sha256": "fac418cef4e709d91017ce5c1eeaa17b08e05b05e91e0e7584f00c36d2c239ad",
"type": "eql",
"version": 103
},
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"rule_name": "Whoami Process Activity",
"sha256": "ace9db18b4a07550b5124ee75c0cca3828231ea1b3026a59683313dea39aff61",
"type": "eql",
"version": 216
},
"ef8cc01c-fc49-4954-a175-98569c646740": {
"rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port",
"sha256": "9667b0b7ffba66dae17bfc62970411ae6a4e086390057e42a8754c1474cbe60d",
"type": "machine_learning",
"version": 7
},
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "73689aac5e6dab00ff9d9e0b6cb0a4cf94ded423187205e46947d23a6b8fe7af",
"type": "eql",
"version": 213
},
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
"rule_name": "Suspicious HTML File Creation",
"sha256": "18b02d56b8977e6689317b231313b622102493a6d66bb8a7af4608c3ec84eaed",
"type": "eql",
"version": 111
},
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"rule_name": "Okta User Assigned Administrator Role",
"sha256": "1e7973d1b497e6f96e61cbfaa3a288c8816dde52e132d6ea55bd329c23af6f63",
"type": "query",
"version": 413
},
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
"sha256": "3cfffd4d242ffeb5421de910ed98187cfc586d3e708da24716ad4d4088fa0a15",
"type": "eql",
"version": 114
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"rule_name": "Azure Diagnostic Settings Alert Suppression Rule Created or Modified",
"sha256": "a988572c3f417b12e0af2abbf55d5553d198f8cb97e74208235017aac887d051",
"type": "query",
"version": 107
},
"f0cc239b-67fa-46fc-89d4-f861753a40f5": {
"rule_name": "M365 or Entra ID Identity Sign-in from a Suspicious Source",
"sha256": "dad1523274411b29ab40efb86f89c772f7a8cdeb2603d7907007291a05e49bc8",
"type": "esql",
"version": 5
},
"f0dbff4c-1aa7-4458-9ed5-ada472f64970": {
"rule_name": "dMSA Account Creation by an Unusual User",
"sha256": "568644c5f0c19e90ec4b242b6ae4cd524440192c962a326f062fd4fe997d9400",
"type": "new_terms",
"version": 3
},
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "c238de5d2b0c57efaa4780d8e7f5f95a05cf99a2ec8a5840a05e31456acd97c4",
"type": "eql",
"version": 110
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"rule_name": "Suspicious Child Execution via Web Server",
"sha256": "a0ea44a78f0bbd39976f1721161118620c9aa5435b8992d8abf6c28af287ca94",
"type": "eql",
"version": 112
},
"f18a474c-3632-427f-bcf5-363c994309ee": {
"rule_name": "Process Capability Set via setcap Utility",
"sha256": "4c9ff6fd3bc2367862aa9960cc4f632134ecfb095ec2aede00a28e28ac26b6e4",
"type": "eql",
"version": 105
},
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": {
"rule_name": "Forwarded Google Workspace Security Alert",
"sha256": "6c195dfca2a28a28d01a307ee437b722bb378e2ea1c8e923cdf41304d729a75f",
"type": "query",
"version": 6
},
"f1f3070e-045c-4e03-ae58-d11d43d2ee51": {
"rule_name": "Manual Loading of a Suspicious Chromium Extension",
"sha256": "426036f0b34c260a562af79e9d849b8f8aa0ee5cae04dc9020917c3acf02d99f",
"type": "eql",
"version": 1
},
"f2015527-7c46-4bb9-80db-051657ddfb69": {
"rule_name": "AWS RDS DB Instance or Cluster Password Modified",
"sha256": "d02e97bb6a0789367e1693e0b732ffa53703803ee806bfaa956690ee97b9c78b",
"type": "eql",
"version": 7
},
"f20d1782-e783-4ed0-a0c4-946899a98a7c": {
"min_stack_version": "9.3",
"rule_name": "Unusual City For a GCP Event",
"sha256": "4234c7b13928ef16b739961abee68fe89b024428f43b5cd08e09ffce6d53e103",
"type": "machine_learning",
"version": 1
},
"f236cca1-e887-4d14-9ba9-bb8dd3e16cf1": {
"min_stack_version": "9.3",
"rule_name": "LLM-Based Attack Chain Triage by Host",
"sha256": "286422b3b4035aa2adeafd1b284e053369eeed39302d7369532e46de03eaff07",
"type": "esql",
"version": 3
},
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"rule_name": "Service Path Modification",
"sha256": "479c0261e46fdc70b821b6577c00bdd690bec74af99f5f6a36350458a33dcaca",
"type": "eql",
"version": 107
},
"f246e70e-5e20-4006-8460-d72b023d6adf": {
"min_stack_version": "9.3",
"rule_name": "Modification of Persistence Relevant Files Detected via Defend for Containers",
"sha256": "3e7ee604dfdadac507a1fcb9f2a39b6e5718c90169c1e0bfaabd701e0c5fad63",
"type": "eql",
"version": 1
},
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "96eccd66b8f60e06e7aabfbd9a3d372d3e994cc5b1de8d08ea6f3473c5872be8",
"type": "eql",
"version": 113
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
"sha256": "ee2c306632aee8a22150db2c7587372127fa5271d41bb6482a9de851728670bd",
"type": "eql",
"version": 214
},
"f2c3caa6-ea34-11ee-a417-f661ea17fbce": {
"rule_name": "Malicious File - Detected - Elastic Defend",
"sha256": "41ad2b2030986dcdd6d5acd828d369cbf10f4b53afd0cbc73f44834f48ac57aa",
"type": "query",
"version": 5
},
"f2c43e8c-ccf2-4eab-9e9a-e335da253773": {
"rule_name": "M365 Purview Insider Risk Signal",
"sha256": "7b79f31c41b50f2de307dec4edf986446644ccdd5d81087cd0d65070e5bc6841",
"type": "query",
"version": 1
},
"f2c653b7-7daf-4774-86f2-34cdbd1fc528": {
"rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session",
"sha256": "77898c5469949cfb73f4b6a3d6d0e02bceeb8e65bff93cf6a24f6a88223ffadf",
"type": "esql",
"version": 4
},
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"rule_name": "SIP Provider Modification",
"sha256": "47389d060af838e9b3ab54a6aa1da8ef352339436cef82bf5ad8b528326c1857",
"type": "eql",
"version": 314
},
"f2e21713-1eac-4908-a782-1b49c7e9d53b": {
"rule_name": "Kubernetes Service Account Modified RBAC Objects",
"sha256": "fe3ea9fd1b170164d8daf973f8b612f71ce7ec34e095f92b8c657f899b33e35a",
"type": "query",
"version": 1
},
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"rule_name": "LSASS Memory Dump Creation",
"sha256": "4de3d5e198211653435573047cfbbcede3b079ce2d9b1e159ebc6c4a8e1bcda3",
"type": "eql",
"version": 314
},
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
"rule_name": "Deprecated - AWS RDS Instance Creation",
"sha256": "863ac4e46bb8284dfcebade9676b5ed0fb1c1ca7b91932266ea432c660e6b7c3",
"type": "query",
"version": 210
},
"f33e68a4-bd19-11ed-b02f-f661ea17fbcc": {
"rule_name": "Google Workspace Object Copied to External Drive with App Consent",
"sha256": "e3d5d22bf6f0e1c8cdf350e9585236e6eb414438bc033c531501c84f9d4d3681",
"type": "eql",
"version": 11
},
"f3403393-1fd9-4686-8f6e-596c58bc00b4": {
"rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain",
"sha256": "cc612f1f8949a5a302e700bfce9e41755c128540eb3c8ba1fd55732719b8c692",
"type": "query",
"version": 8
},
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "09e8a918c81fe0701b414046f7b2978cf6917f27d256594f18f20c0766f12651",
"type": "eql",
"version": 215
},
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
"rule_name": "Deprecated - Sudo Heap-Based Buffer Overflow Attempt",
"sha256": "3ba917f1ed940e767bf7bb2718523c84ade13c97c047be506fc17e8391856d86",
"type": "threshold",
"version": 108
},
"f3818c85-2207-4b51-8a28-d70fb156ee87": {
"rule_name": "Suspicious Network Connection via systemd",
"sha256": "761746a21d11fe68935d152466349eda5c767337ab48bddf66f4f99acc061b21",
"type": "eql",
"version": 9
},
"f38633f4-3b31-4c80-b13d-e77c70ce8254": {
"rule_name": "Potential PowerShell Obfuscation via Reverse Keywords",
"sha256": "4e8a1d0b5d2d08befba089df12e7d27768455c6c08f58a912f825e916e665108",
"type": "esql",
"version": 10
},
"f391d3fd-219b-42a3-9ba9-2f66eb0155aa": {
"rule_name": "Kill Command Execution",
"sha256": "515ee3620ceebe5a3c857932d84400a916c4dfbbc3383564bcfb866b360ffc3f",
"type": "new_terms",
"version": 5
},
"f3ac6734-7e52-4a0d-90b7-6847bf4308f2": {
"rule_name": "Web Server Potential Command Injection Request",
"sha256": "95e422ccd18e1dad7d4806054cb0a70a9b5645c4ff9713a90146dab8aa2806c9",
"type": "esql",
"version": 3
},
"f3e22c8b-ea47-45d1-b502-b57b6de950b3": {
"rule_name": "Threat Intel URL Indicator Match",
"sha256": "155ff4eef509d2fc7fd1c2d2123e8343f5ccec6b90178d7647703aec30eacf8b",
"type": "threat_match",
"version": 9
},
"f401a0e3-5eeb-4591-969a-f435488e7d12": {
"rule_name": "Remote Desktop File Opened from Suspicious Path",
"sha256": "26f9f4f5c8a08b36972822b6f7cb3ab8523673772d71d9c8284730bf427c7345",
"type": "eql",
"version": 6
},
"f41296b4-9975-44d6-9486-514c6f635b2d": {
"rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation",
"sha256": "27658290df434832b404370cab3edf8183411d533f7a367cdc636a7c386590ed",
"type": "eql",
"version": 11
},
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "cba4b95ced426d90a06aeb6a7c29ed69852042fa8e4104dfcd4ba0c44c6ed44b",
"type": "eql",
"version": 312
},
"f48ecc44-7d02-437d-9562-b838d2c41987": {
"rule_name": "Pluggable Authentication Module or Configuration Creation",
"sha256": "5cd5abcec00ab4d48721e29f5b4cc866f7eca9cd14922809c30ba8ec33f3fbe6",
"type": "eql",
"version": 8
},
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "0b5d7f47e5c4ebb2acfbdfe0785732ab09dcf0424d53a6c2a309fab1432fbb38",
"type": "query",
"version": 218
},
"f4b857b3-faef-430d-b420-90be48647f00": {
"rule_name": "OpenSSL Password Hash Generation",
"sha256": "a164b65b563ecd65fc0fbd6d8300fed0c16b4c6af4a648f638316832a8a14b51",
"type": "eql",
"version": 5
},
"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": {
"rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request",
"sha256": "32f734a7ca7c0ede2de12cee44877eff6f0c6b1fd835696e64e13f6376b52917",
"type": "esql",
"version": 6
},
"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
"rule_name": "DPKG Package Installed by Unusual Parent Process",
"sha256": "cb6ce5435bb465794285c5c4f9f24703ff68bad3a3f7ec90b462e3decfeca0be",
"type": "new_terms",
"version": 6
},
"f52362cd-baf1-4b6d-84be-064efc826461": {
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
"type": "eql",
"version": 100
},
"f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": {
"rule_name": "Suspicious Data Encryption via OpenSSL Utility",
"sha256": "3fcd77e51226a469c34f70b54591a6b2d919e2192ba24ed71fd90921290431cc",
"type": "eql",
"version": 11
},
"f541ca3a-5752-11f0-b44b-f661ea17fbcd": {
"rule_name": "Entra ID Sign-in TeamFiltration User-Agent Detected",
"sha256": "98230e0e75ded9d6ec8d0165892b6be2cf9441831b3080575b66006d7ba1275a",
"type": "query",
"version": 2
},
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"rule_name": "Windows Script Executing PowerShell",
"sha256": "63504b45de08ac60e947b5c14b035dac62d99c21b83c7a4b4ec514718274a3f8",
"type": "eql",
"version": 314
},
"f5488ac1-099e-4008-a6cb-fb638a0f0828": {
"rule_name": "Deprecated - SSH Connection Established Inside A Running Container",
"sha256": "e9a0161ce66e4dbbc1d7b04ff2e17e6b37a210d29e6dff9d8ca021d2a0c65355",
"type": "eql",
"version": 4
},
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "85aa99a054bc951c424dbbd1370be140b58104a2af079671be01f409fce66d1d",
"type": "new_terms",
"version": 211
},
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "35631fdae636c785efe1e73f4d79126c72bd13989ea378c9dc433297c2ad42d0",
"type": "query",
"version": 110
},
"f596175f-b8fd-43ac-b9e9-ea2a96bb55d8": {
"min_stack_version": "9.3",
"rule_name": "Kubelet Pod Discovery Detected via Defend for Containers",
"sha256": "fa389bca269e14286f8cea1c5c9e8d2111a1d1d534a488c3c19363f409cbd697",
"type": "eql",
"version": 1
},
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"rule_name": "WMIC Remote Command",
"sha256": "2104b6abd124b33aa4ba66650b7c9c6981626f1d93a7a3a712a22891a8210b48",
"type": "eql",
"version": 110
},
"f5c005d3-4e17-48b0-9cd7-444d48857f97": {
"rule_name": "Setcap setuid/setgid Capability Set",
"sha256": "7d55c24807d5e11d68b942c22f26d003376325dc2940ae98d118906ceb07f421",
"type": "eql",
"version": 111
},
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"rule_name": "Parent Process Detected with Suspicious Windows Process(es)",
"sha256": "892146af9028d4e03537dd1233b7a26ed1239787574f281d9204b25cab92ee63",
"type": "machine_learning",
"version": 110
},
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
"rule_name": "Masquerading Space After Filename",
"sha256": "b3aeacc283aba77fab3366bc3519f42fb6dc01607663db4ba67a67ee5efd409f",
"type": "eql",
"version": 11
},
"f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": {
"rule_name": "Account or Group Discovery via Built-In Tools",
"sha256": "dc828379a80bcd81d6d54e8910635b11a89acc59e65e859525568e856567c371",
"type": "new_terms",
"version": 7
},
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "696b0f2a0dc84944f6e5c874bb805643fba4e2ac642c897e9d439fc5d0a4074b",
"type": "eql",
"version": 315
},
"f6652fb5-cd8e-499c-8311-2ce2bb6cac62": {
"rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled",
"sha256": "72d6ffe9d368a4201f747eaaddfb00673f47079f4e5e11524d775d7352ebe202",
"type": "eql",
"version": 7
},
"f66a6869-d4c7-4d20-ab13-beefd03b63b4": {
"min_stack_version": "9.3",
"rule_name": "Environment Variable Enumeration Detected via Defend for Containers",
"sha256": "027b3215839ba15dbe8fa88451f7537ead96e5c39072209f9de455446fd2da30",
"type": "eql",
"version": 1
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "4ffb25a4641ad9040be58848570f2509850ed15374327784d814848e21628a93",
"type": "eql",
"version": 314
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "55f87f6cb95594cde489f7fbc1c78ae461b53294d959a80b4daa38923b1fa95c",
"type": "eql",
"version": 110
},
"f6d07a70-9ad0-11ef-954f-f661ea17fbcd": {
"min_stack_version": "9.2",
"previous": {
"8.19": {
"max_allowable_version": 106,
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
"sha256": "b3c32636964b52850bbe219b1d46df5e11ff74998859388137839aa155bb529f",
"type": "new_terms",
"version": 7
}
},
"rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User",
"sha256": "6cec1911a7c8af3fc5091d352854bcfe521af7739b5b7b10183edf8c3e3e5dfe",
"type": "new_terms",
"version": 107
},
"f6d8c743-0916-4483-8333-3c6f107e0caa": {
"rule_name": "Potential PowerShell Obfuscation via String Concatenation",
"sha256": "f56190b966c8b01230a154a0851ed2e59d80595a1de876b0764e3d046e9bea51",
"type": "esql",
"version": 10
},
"f701be14-0a36-4e9a-a851-b3e20ae55f09": {
"rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing",
"sha256": "4c6019ccf42c348cb2a29ee08d4a35da9880807d962fb9fc188a5141e3532d87",
"type": "query",
"version": 2
},
"f754e348-f36f-4510-8087-d7f29874cc12": {
"rule_name": "AWS Sign-In Token Created",
"sha256": "5a4040e73d23453205709b9e456464e7d162621cff2e1513ca9e81c7a3b97414",
"type": "query",
"version": 1
},
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
"rule_name": "System Hosts File Access",
"sha256": "7123d78652fee531afc9d913c683b786e750e8fea34b80fe043c72af99909774",
"type": "eql",
"version": 6
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"rule_name": "Entra ID Service Principal Credentials Created by Unusual User",
"sha256": "9408efd3b40a1edce701707f8b2eb8304dd34bd7dc0a40781b638b195c025399",
"type": "new_terms",
"version": 108
},
"f770ce79-05fd-4d74-9866-1c5d66c9b34b": {
"rule_name": "Potential Malicious PowerShell Based on Alert Correlation",
"sha256": "4f767eb21c0e9bf26fdc415d37852193d399b3803909b03b97f98d81741f4054",
"type": "esql",
"version": 4
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "6ada016a934606d912dacab8241969dd93d1076577dd1741588cbbdd0a7a3179",
"type": "query",
"version": 213
},
"f7769104-e8f9-4931-94a2-68fc04eadec3": {
"min_stack_version": "9.3",
"previous": {
"8.19": {
"max_allowable_version": 104,
"rule_name": "Deprecated - SSH Authorized Keys File Modified Inside a Container",
"sha256": "841b368a5a82196761403f4ff326d8459a4501d8431b5e1dc3395acd18a3c104",
"type": "eql",
"version": 5
}
},
"rule_name": "SSH Authorized Key File Activity Detected via Defend for Containers",
"sha256": "f4bffbc221ab135eae28675f5c599a369cf70b32f57f5c8e7c1426f72ddb310e",
"type": "eql",
"version": 105
},
"f7a1c536-9ac0-11ef-9911-f661ea17fbcd": {
"rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance",
"sha256": "62ae72c726fceedcc62eca5b723bb6a64e92c8c54e1b2444e2242babdf604457",
"type": "new_terms",
"version": 5
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "35d3ea41fa9ffee27aaa289788a090d3a14737ce66c8825d1c8f7b4120bbd05a",
"type": "eql",
"version": 316
},
"f7c64a1b-9d00-4b92-9042-d3bb4196899a": {
"min_stack_version": "9.3",
"rule_name": "Service Account Namespace Read Detected via Defend for Containers",
"sha256": "54cdee057e604fae8b8629fb7e641ec29e9b46917648e63203fbd8a5f0f52430",
"type": "eql",
"version": 2
},
"f7c70f2e-4616-439c-85ac-5b98415042fe": {
"rule_name": "Potential Privilege Escalation via Linux DAC permissions",
"sha256": "e014f76230f1cf349a09ebfaffcd9a5b48436e9f2ac8f84cd7f352fc63f8e1ca",
"type": "new_terms",
"version": 7
},
"f7d588ba-e4b0-442e-879d-7ec39fbd69c5": {
"rule_name": "Potential SAP NetWeaver WebShell Creation",
"sha256": "5ef7adfab7e5ad994436c7c51bb8593c125f817dba1b6574dc78f5f1c3019a32",
"type": "eql",
"version": 1
},
"f80ea920-f6f5-4c8a-9761-84ac97ec0cb2": {
"rule_name": "AWS CLI with Kali Linux Fingerprint Identified",
"sha256": "9ecf45d00058271bf4fa11c2e9f63e56a95e59e9fb13bd243c0bcb5e1ad1e0fd",
"type": "eql",
"version": 3
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "7f5921e49d7d378d9126e4e01f1bb63e3abd0633ab4ee92b798e220f40aa258c",
"type": "eql",
"version": 313
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "944482376711795146b91fa8d586f565364c9cab3cf94481924fb5d7128846c4",
"type": "eql",
"version": 110
},
"f86cd31c-5c7e-4481-99d7-6875a3e31309": {
"rule_name": "Printer User (lp) Shell Execution",
"sha256": "41e5f6292b3da2fa4e4cc8ef8570dcfe66b54c1617c8e677241d550643887f49",
"type": "eql",
"version": 9
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "3d21669e611960932ce8953bc186daa36ad6fa5e5de719f84cc5ea2bbf58bdf6",
"type": "eql",
"version": 315
},
"f87e6122-ea34-11ee-a417-f661ea17fbce": {
"rule_name": "Malicious File - Prevented - Elastic Defend",
"sha256": "5f0651f7f44774e085a9b994162b48004c1a1ea83463576e78763c92ceecb71b",
"type": "query",
"version": 5
},
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "9b00ce7091da71e0b1b89223c76bab169fa1371f533d50810c46f8bfbdd7a8d3",
"type": "query",
"version": 109
},
"f909075d-afc7-42d7-b399-600b94352fd9": {
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
"sha256": "4cdb24a07ee208f032eb6af7f9b7479f039879b8d59682896a08b3a03db5875c",
"type": "eql",
"version": 105
},
"f92171ed-a4d3-4baa-98f9-4df1652cb11b": {
"rule_name": "Potential Secret Scanning via Gitleaks",
"sha256": "33e0146feb9de871b5ada55b0af64c3223f0c8f03ad5434f251ab66a85956093",
"type": "eql",
"version": 1
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "d5a3a16d749ae91452f393b87578d057671c3e1eb36e9a68367d6160ec3bfd52",
"type": "new_terms",
"version": 207
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"rule_name": "Unusual Linux Network Configuration Discovery",
"sha256": "b1e4aa334a9c74399d4b35c0e73a331197fd44f3b8ef34669b8d6b23d87620cf",
"type": "machine_learning",
"version": 108
},
"f95972d3-c23b-463b-89a8-796b3f369b49": {
"rule_name": "Ingress Transfer via Windows BITS",
"sha256": "366cb6c3328cef16cb3c1cea540e261884f849c12470d35ec36d48668d76c807",
"type": "eql",
"version": 12
},
"f960e8a4-31c1-4a6e-b172-8f5c8e5c8c2a": {
"rule_name": "Okta Admin Console Login Failure",
"sha256": "b81d0b73d164001b8e1540672ae510843355372f5ed90223d71be86812b9cd27",
"type": "query",
"version": 1
},
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"rule_name": "Browser Extension Install",
"sha256": "81bcee1c190422617ecec5060d5c56cac2493d8ea917f010d9ecb2c97e1c8082",
"type": "eql",
"version": 207
},
"f9753455-8d55-4ad8-b70a-e07b6f18deea": {
"rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion",
"sha256": "2ecbf0a719e60c1a4d65cc86c0d02ce00fa12333fbb32e834f271fc17367cd24",
"type": "esql",
"version": 9
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"rule_name": "Privileged Accounts Brute Force",
"sha256": "8fa3055e557162d0cd158764a538f0dc70116cc3ce0500980b9140e49da04ce3",
"type": "esql",
"version": 118
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "6e2937a3d1e9b3398d71d4bd594a454dcd061816ff73f7c83de5de94a21590d2",
"type": "query",
"version": 412
},
"f9abcddc-a05d-4345-a81d-000b79aa5525": {
"rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion",
"sha256": "e429a1bb7579d75e52d9c21dba63b12b1d6d5efe9aa7dbff56eb09d652825da3",
"type": "esql",
"version": 11
},
"f9de0949-94d8-441d-ae9a-8eb1e040acf2": {
"rule_name": "Newly Observed Process Exhibiting High CPU Usage",
"sha256": "ac67c25e692fc04e2eeae6c2c6c597c4c637f8d746afc513e7b9e0370b67cdf7",
"type": "esql",
"version": 2
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "1b028848a7c0c89d6a35c04425246332f3a3d075fd2c35a8865d6a80f2107ea0",
"type": "eql",
"version": 317
},
"fa210b61-b627-4e5e-86f4-17e8270656ab": {
"rule_name": "Potential External Linux SSH Brute Force Detected",
"sha256": "9731338ba3f551d2349c7c13e09c98d974880b06e1b03a55ee03454295de4adb",
"type": "eql",
"version": 11
},
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "d1a2565f06c73545ea8ed2035cf39758845220914c54c84574ca09aee433fb19",
"type": "eql",
"version": 12
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "0cd027bc2a6c875c929dcf7cc81896925357907008c382104fa069cdb024cb9a",
"type": "eql",
"version": 319
},
"fac52c69-2646-4e79-89c0-fd7653461010": {
"rule_name": "Potential Disabling of AppArmor",
"sha256": "2f19b753f33613c744acac5ad08008b53e8791926ce4f2e512d8f9d0738fe054",
"type": "eql",
"version": 113
},
"fb01d790-9f74-4e76-97dd-b4b0f7bf6435": {
"rule_name": "Potential Masquerading as System32 DLL",
"sha256": "43e8b63eb9570e74bea2bd40c0278bb6bd6689e146817245638379783aeb1e04",
"type": "eql",
"version": 109
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"rule_name": "Network Connection via Registration Utility",
"sha256": "ccf026fc7183644829bbe566e34f7580033ac7c72f6f608881280dc1f70db8cf",
"type": "eql",
"version": 211
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "0b2014b51f05dc7bab6bf89177d97bfe529a2168a887e107d01282c03ab79482",
"type": "threshold",
"version": 207
},
"fb16f9ef-cb03-4234-adc2-44641f3b71ee": {
"rule_name": "Azure OpenAI Insecure Output Handling",
"sha256": "be48db6e30b0170a36b5062f126e73ca47624d8431d7c42a25da373ec3441207",
"type": "esql",
"version": 4
},
"fb3ca230-af4e-11f0-900d-f661ea17fbcc": {
"rule_name": "Okta Multiple OS Names Detected for a Single DT Hash",
"sha256": "e00405635f604093c0a8a65f92aa45f3a61a087ba4372ea7b1d6a2b5e06d486a",
"type": "threshold",
"version": 1
},
"fb542346-1624-4cf2-bcc7-c68abaab261b": {
"rule_name": "Kernel Instrumentation Discovery via kprobes and tracefs",
"sha256": "a8a874542376d67bfb7e56d83b295e1b28912d3a594ba3364a7f056091b145ed",
"type": "eql",
"version": 1
},
"fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": {
"rule_name": "Unusual Group Name Accessed by a User",
"sha256": "9f2db22b9e734b5a889262f1f2f439535f666e0297237040c15e016852a51ff1",
"type": "machine_learning",
"version": 3
},
"fb8790fc-d485-45e2-8d6e-2fb813f4af95": {
"rule_name": "Dylib Injection via Process Environment Variables",
"sha256": "7da78ac164b35b7695d523d656762c1510c83d8e8889eb47d0e9153a3ef95e84",
"type": "eql",
"version": 1
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
"type": "query",
"version": 100
},
"fbad57ec-4442-48db-a34f-5ee907b44a22": {
"rule_name": "Potential Fake CAPTCHA Phishing Attack",
"sha256": "8e3289b4539e63e0d4bbe85963ed47f490894e78c1b8e45d5b57da403063d53f",
"type": "eql",
"version": 1
},
"fbb10f1e-77cb-42f9-994e-5da17fc3fc15": {
"rule_name": "Unusual Source IP for Okta Privileged Operations Detected",
"sha256": "f1169e957a20125ed74336cc3fa63c1c0f4d95f9affb1dff7262a2ab43453162",
"type": "machine_learning",
"version": 3
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "e321ac71904b38ac1d8cd69e2c42acbaddaeb9a13ea72f048fe899741b5e613e",
"type": "query",
"version": 211
},
"fc5105ce-2584-48b6-a0cf-9ace7eeffd3c": {
"rule_name": "Process Started with Executable Stack",
"sha256": "1f4d2ebb8ad5c86faee9ef8bab795952baa6d520b4d4f15f39063ab84c86a639",
"type": "query",
"version": 4
},
"fc552f49-8f1c-409b-90f8-6f5b9869b6c4": {
"rule_name": "Elastic Defend Alert Followed by Telemetry Loss",
"sha256": "932ab00c7e5ac71de6d9da2454af4619e78995498c9e33eee3ca284013f4ff26",
"type": "eql",
"version": 2
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "5a82f8caac0fe4454c5282d9afcc90b60b161d0c3799c54bd699873bfc0a5905",
"type": "eql",
"version": 312
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "e48789ac4282a1b2d6273567fbd11cf4ac27ad3e4f605c515108f3468274a1ac",
"type": "new_terms",
"version": 207
},
"fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6": {
"rule_name": "Proxy Execution via Console Window Host",
"sha256": "71c27f7195ec6a29dadac01c5679565bdbb368f049b138fb1a4ea088756ec63a",
"type": "eql",
"version": 1
},
"fcd2e4be-6ec4-482f-9222-6245367cd738": {
"rule_name": "M365 Identity OAuth Flow by User Sign-in to Device Registration",
"sha256": "74ddd66430f2986bde9f01e07df5dfddc8b19563d60db53255f18ad59d59778c",
"type": "eql",
"version": 3
},
"fcf18de8-ad7d-4d01-b3f7-a11d5b3883af": {
"rule_name": "Threat Intel Email Indicator Match",
"sha256": "cfa8a4fcc12561cec5bb571ef7f143d87543fe860577aa1f11b2b284b2e7ecb2",
"type": "threat_match",
"version": 2
},
"fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
"rule_name": "User or Group Creation/Modification",
"sha256": "fcbb49983377e93047c9f5a2a4f5dcf889f9a9e308e22fc7dd85ac8b69f77402",
"type": "eql",
"version": 7
},
"fd00769d-b18d-450a-a844-7a9f9c71995e": {
"rule_name": "Kubernetes Creation of a RoleBinding Referencing a ServiceAccount",
"sha256": "df1b7a9eee719cedbb64cb235247c2ab465f23806209179a82088f85d0d39f4e",
"type": "query",
"version": 1
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"rule_name": "GitHub App Deleted",
"sha256": "0f605aa5517a6ddb5f3a5cd04b4b6e30a44d35fcb3b13f030655b6a428b252c8",
"type": "eql",
"version": 207
},
"fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
"rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
"sha256": "65f323aa4c16663d824d2073835378825966b7bba7c5d6a2c0c35e90e5e6803b",
"type": "new_terms",
"version": 8
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
"type": "eql",
"version": 100
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "d9690771206500e07e7c25755beb650bddea9bff417f6e2bbdf01c97d2926969",
"type": "eql",
"version": 317
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"rule_name": "Suspicious CertUtil Commands",
"sha256": "382f88c563097d4a8091b774c5ae43d94baa29779ece49ef509c639e57494bbc",
"type": "eql",
"version": 315
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"rule_name": "Svchost spawning Cmd",
"sha256": "33447fa26939a022e4a103627c64288d1909ecce7376d823c0d28f19006d7a95",
"type": "new_terms",
"version": 425
},
"fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": {
"rule_name": "Image Loaded with Invalid Signature",
"sha256": "03745c7178dcf6374257634aeffef34bd5009ab9b52fbd8e2dd6d77b57ba1a47",
"type": "eql",
"version": 4
},
"fda1d332-5e08-4f27-8a9b-8c802e3292a6": {
"rule_name": "System Binary Moved or Copied",
"sha256": "c20425759c10146a7e712fece38e597058b1970b880b8dc01d9683d931348140",
"type": "eql",
"version": 18
},
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "aab00e43628fbf27cb1346ec2f5b519d10644c98ff198583648ba08ab65f088d",
"type": "query",
"version": 111
},
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "1992da8023f1475e7ecead13adb32485cb6a234a3f49e3d3e880464a2402d474",
"type": "query",
"version": 111
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "90aa76c4f7daef4acec489e280a63032de791c9a2a5fe91e3474bb593165a881",
"type": "eql",
"version": 317
},
"fe8d6507-b543-4bbc-849f-dc0da6db29f6": {
"rule_name": "Spike in host-based traffic",
"sha256": "7d0904f2a6c2a004781895aff437401514b91b5b08ebb3f2ee87de5341e110a7",
"type": "machine_learning",
"version": 4
},
"feafdc51-c575-4ed2-89dd-8e20badc2d6c": {
"rule_name": "Potential Masquerading as Business App Installer",
"sha256": "c5e9f8c709c0808958e145ec92d9317af9b254b2b3fcb319f673d2549a0e8e9d",
"type": "eql",
"version": 10
},
"feba48f6-40ca-4d04-b41f-5dfa327de865": {
"rule_name": "Data Encrypted via OpenSSL Utility",
"sha256": "7e4c14c019100eba38aacd09b9887e2a69be967cb5d4d31da74999b96845c8d4",
"type": "eql",
"version": 1
},
"fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": {
"rule_name": "Execution via MS VisualStudio Pre/Post Build Events",
"sha256": "296701dc33e1684c4011dbf1ccfd9d85369255ae83c23295e720aa97b8e4136d",
"type": "eql",
"version": 4
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "0ff563e99da750acf3e694ad34679010f0fa64883c84a72877f2fcefe7b762c6",
"type": "eql",
"version": 311
},
"fef62ecf-0260-4b71-848b-a8624b304828": {
"rule_name": "Potential Process Name Stomping with Prctl",
"sha256": "d2d8d9adc0b0a1e18a247c5c551721be0f8dae7e8136df787c2c7c7b44f86070",
"type": "eql",
"version": 6
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "b5131178d38397bc930bc5a900e33c256bbf4a95c3a2fc168f30b03bed4d26f9",
"type": "query",
"version": 107
},
"ff0d807d-869b-4a0d-a493-52bc46d2f1b1": {
"rule_name": "Potential DGA Activity",
"sha256": "f662722869546977900cdcf6f61af6921039cb77001c739166a0c0338860eae8",
"type": "machine_learning",
"version": 8
},
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"rule_name": "Cron Job Created or Modified",
"sha256": "911f2754934b26787ef6ce346dd060a5ff237c442db717002c7f6c6d0678ec96",
"type": "eql",
"version": 19
},
"ff18d24b-2ba6-4691-a17f-75c4380d0965": {
"rule_name": "Suspicious JavaScript Execution via Deno",
"sha256": "d5dbd70a27f0f56416d46fbf0ab1cd9ae7b67b0a76c5343bde0ec3596b3d5e3c",
"type": "eql",
"version": 1
},
"ff320c56-f8fa-11ee-8c44-f661ea17fbce": {
"rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added",
"sha256": "c725902f0e85dff5bad6928200527e7b0f5da156f4dbe5de51b229844a6a11e9",
"type": "eql",
"version": 7
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"rule_name": "LSASS Process Access via Windows API",
"sha256": "9ac7770cb7a1a1d0348ae3f523fb76bbc3740b98d2354456e5f0495c5c6896c5",
"type": "esql",
"version": 16
},
"ff46eb26-0684-4da3-9dd6-21032c9878e1": {
"rule_name": "Active Directory Discovery using AdExplorer",
"sha256": "5498c911565a0f24b7ec48e5e494dd62b58ee7efebfd30ae802acb1a12829893",
"type": "eql",
"version": 1
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"rule_name": "M365 Exchange Mail Flow Transport Rule Created",
"sha256": "4a88bab059f05b02eb58e86a81c507e014566594a60cf5b281da458f592d8b69",
"type": "query",
"version": 211
},
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "a48e20350f413cf45c9adacf6a299a1b22445bab666f464c05bc37755bb70959",
"type": "eql",
"version": 204
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "77a309ec983a7d24866bd6b5e90d5423ef1edf0411c0eb6a116b4cb33996448c",
"type": "query",
"version": 107
},
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "7dee889e4307b772481635d2b67ec6dfbc300840bfed47d7b74ea140549cfc50",
"type": "eql",
"version": 111
},
"ffa676dc-09b0-11f0-94ba-b66272739ecb": {
"rule_name": "Unusual Network Connection to Suspicious Top Level Domain",
"sha256": "6fae13669a71fb69141b56f8ea1faa51ec5717011111ca52cae34917ddc408ce",
"type": "new_terms",
"version": 3
},
"ffd8b5e9-aa63-42b3-aead-6fdb170da9a3": {
"rule_name": "Suspicious TCC Access Granted for User Folders",
"sha256": "6329ee62398952755171a82d57fd5c59d159290b7d4fab00d7fe6043899ca3ea",
"type": "esql",
"version": 2
}
}