d81bc25d09
* Locked versions for releases: 7.16, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 * Added a newline to the version lock file to trigger the checks * Removed the trailing newline from the version lock file Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
{
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "fc9d05639917fdd13a3a474200a618648fe3dbd6fbc059714179e692544d1354",
"type": "query",
"version": 9
}
},
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "6959ea68e624648c00260b8b0f15cd196d5b8c735a992496989e2dafdaae5661",
"type": "query",
"version": 102
},
"00140285-b827-4aee-aa09-8113f58a08f3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Credential Access via Windows Utilities",
|
|
"sha256": "29906b5a42e6ac00b7559596f5c5327de6ca290d9877eb26efb0e61575b5c5e3",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via Windows Utilities",
|
|
"sha256": "f19012c14051bae97b3ec8e0c2b82ee4325142f29b82f38ff5bebe41342457e4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "5aff2208b89b678394ce6b10523f8a94b9b0f4040e3c3ab34d1fb21eb93b84bc",
|
|
"type": "eql",
|
|
"version": 15
|
|
}
|
|
},
|
|
"rule_name": "System Shells via Services",
|
|
"sha256": "0fe818f621c2aac35b61d66e89a3823e0ce1005f6e9a78e7aa59e7feaff0def4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"0136b315-b566-482f-866c-1d8e2477ba16": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 User Restricted from Sending Email",
|
|
"sha256": "c72d8f82f106bf83eb7d5f9d25f896f0ed189396d6e2d1c852d98474a64beb90",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 User Restricted from Sending Email",
|
|
"sha256": "800b46e07338fe2de6177e541487caae40e39dfecd6c44a09abea5ffc429e8e9",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"015cca13-8832-49ac-a01b-a396114809f6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Redshift Cluster Creation",
|
|
"sha256": "eb3736cefa46a5dcce1de0ed5fa67788a24a1b819b872293ce195cdd9010cef3",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "AWS Redshift Cluster Creation",
|
|
"sha256": "fe128a2d94b1e9cb689c906063c5ba7210a0e6b0e7cc558cf0d602aa66e265c4",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Cookies Theft via Browser Debugging",
|
|
"sha256": "a93161f8d12b12b14db50925d087ef2adf59daafde9fea16c12c215165b50a87",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Cookies Theft via Browser Debugging",
|
|
"sha256": "e494a8188f625906605b8bd31de9606107ac62aaac03ec711215e13a8f58502f",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"02a23ee7-c8f8-4701-b99d-e9038ce313cb": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Process Created with an Elevated Token",
|
|
"sha256": "babc171b240347eaf4920522de2da1254bdd2e789de1fe564489410d93f7a88d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"02a4576a-7480-4284-9327-548a806b5e48": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
|
|
"sha256": "546acb2fcf58eef7251c6c37a89278982183bacaa6fdc0fa8d92e496263fcf67",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
|
|
"sha256": "ee9747dc3fc3130f3167380e429cab16bda06d2f5c1bfa3f71e5afc2e8491afe",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Dumping Account Hashes via Built-In Commands",
|
|
"sha256": "a2f14309ddc0b7a13f7b019b2b7350407d2752ab0df9f8665af61bc332727e40",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Dumping Account Hashes via Built-In Commands",
|
|
"sha256": "edf7168dd151cf0a7e4500bcba59ccff8a3004d20e2ae870e0ef6ae06cbc2dda",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
|
|
"sha256": "4a340d1fec5675d9dfc9c013617fefe21a1a261c35a09dd54144b47d385c4c59",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled",
|
|
"sha256": "9c753af8cfa4af8e249a5d5b351338c1541b3f7cdef2bd4ba97f693cab83a0b0",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"035889c4-2686-4583-a7df-67f89c292f2c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "High Number of Process and/or Service Terminations",
|
|
"sha256": "502568bda8a45463938048cbebfd2f4b7ebdc9c42d21fb2f5909d98b4b9e8de0",
|
|
"type": "threshold",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "High Number of Process and/or Service Terminations",
|
|
"sha256": "2f093a0b877870ea5f9abe171eff67a09e27bcdebb5c7277d26406d18beea3d4",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"0415f22a-2336-45fa-ba07-618a5942e22c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Modification of OpenSSH Binaries",
|
|
"sha256": "da887bc33601673a5a00749d1953a98ee66c546948e91f8e746a90e08fa4c049",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Modification of OpenSSH Binaries",
|
|
"sha256": "9c6c8085d85d10c9acfad0058cf824b42e944f3a526546007d5d3d0cd1611619",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"041d4d41-9589-43e2-ba13-5680af75ebc2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential DNS Tunneling via Iodine",
|
|
"sha256": "96319d6e8c7e83a6a43aa136270b48ca5bb2f42597e4b2ff315f51a5d3a9647e",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Potential DNS Tunneling via Iodine",
|
|
"sha256": "da42562546a403904c8ab4d5f1bf64eb76d5933a509a3923c1133f73475ba559",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"04c5a96f-19c5-44fd-9571-a0b033f9086f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure AD Global Administrator Role Assigned",
|
|
"sha256": "408b65909c88e865f1a0887596f07f4b24a11e39935e929a2c1d3bb91aac1475",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Azure AD Global Administrator Role Assigned",
|
|
"sha256": "288b33ef30117913f0017bba83da1caa675d73c6c6c58088ce9f550fde43042c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
|
|
"sha256": "de34faf4f96a549763f00c82b808b22856e14f4190971cb78e017e2d7eccd5c8",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
|
|
"sha256": "8528138a2d42c4ef0f5c4052a6f4eb1e452a851f16de34d153d962ba1cd4b3cd",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"0564fb9d-90b9-4234-a411-82a546dc1343": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft IIS Service Account Password Dumped",
|
|
"sha256": "a2d10a32b4853413485f5f6915fdcf4c3cdb89c73effacb1ce4f3a76b763ee71",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft IIS Service Account Password Dumped",
|
|
"sha256": "23de4df2cd6bfd9e632f1c1c5e44778eb7cd4441fd64abad932892a1ef24a49d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "23a86a0bf2473481c76378774eccb40698f45db12ad58515d161e5245bf8cfe7",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Conhost Spawned By Suspicious Parent Process",
|
|
"sha256": "a2aadbeecd98d97ac40097f83ce9824be3bd7ea20729c15eebe2b0ace25da03f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"05e5a668-7b51-4a67-93ab-e9af405c9ef3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "3f61f0f688bfc61699356e5e7f4973cd0b8836b77900f752f3eca5ea477681ba",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Interactive Terminal Spawned via Perl",
|
|
"sha256": "0078a2280c39199096a1666696783c47e12ff57a914887aa283bb1feb53a4eda",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0635c542-1b96-4335-9b47-126582d2c19a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote System Discovery Commands",
|
|
"sha256": "1b9982c0a4942993c1bf78121bf735580c62c1fdc406e1ff3ee3e37eee78737c",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Remote System Discovery Commands",
|
|
"sha256": "14f8498cd9c3605264e7ba2a12f22b9587f55c134839a41c1cbb2b657d80c6d3",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "04e0ff561e9cf8e25c144701cc06935d7771c3f428c622d0f58378374eb93d4f",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Potential Evasion via Filter Manager",
|
|
"sha256": "b72eade5797f5c4ed2a437fbb6014d0dda26177c4568b901d1751bc7c7609a80",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"074464f9-f30d-4029-8c03-0ed237fffec7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
|
|
"sha256": "d362fd4092ce222911f1e61fbfbc4b8bb7f5e6d04ea3df0bd31eaeedfaf2006b",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
|
|
"sha256": "da423967e65592c24be1e1cd4a998549f30d538a498800300b2e4fb9571984cb",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Local Account TokenFilter Policy Disabled",
|
|
"sha256": "e70e9329ce8b4308ae7f01050224eea0c75f6bfea98838e42c8868bcc5817fd5",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"07b5f85a-240f-11ed-b3d9-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "1c82ea9b65fada4ec684045bd8b3e5eaa0730b35b41ddef3dd151ff26a9d6be9",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Drive Ownership Transferred via Google Workspace",
|
|
"sha256": "98600fe4b1c0c882bb99021122279f31ce5cdd2266abf34b56bab33f0cb7f190",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"080bc66a-5d56-4d1f-8071-817671716db9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Browser Child Process",
|
|
"sha256": "dc49030353809caf15787143903515263c46d7ff699e8bed72b0e1a145e8cabb",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Browser Child Process",
|
|
"sha256": "afa7dc9c54a09f38b12e1660d9eb9f59c0d3927cd37a1c97421e68a93d86a653",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
|
|
"sha256": "7147dbd3f68475c0087ebb6aabbc2b86ebbe5be53eed996c4499c4b12a6efc21",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
|
|
"sha256": "3b62e132ce8cef71cb164ea4c4b54e63e5c749c1d0f4d923c832d382a3d9416f",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"083fa162-e790-4d85-9aeb-4fea04188adb": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Hidden Child Process of Launchd",
|
|
"sha256": "ed5affdb15f11894bd6c79489368d13ba7d6be9cb53c34d65c7b30150ef24f55",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Hidden Child Process of Launchd",
|
|
"sha256": "4301991920ad02c8337985a13f5be1043ada71e5df06a0e28467d6a3773bdd84",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": {
|
|
"rule_name": "TCP Port 8000 Activity to the Internet",
|
|
"sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"092b068f-84ac-485d-8a55-7dd9e006715f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Creation of Hidden Launch Agent or Daemon",
|
|
"sha256": "374f2ae1482849fd100fd62cb31c79cefe23ca89d3058ba8f7c0fc5a15b07943",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Creation of Hidden Launch Agent or Daemon",
|
|
"sha256": "52e1b04182507661b743ada81f03a0fc7e728c1a3a85d3f63352ce04365e4e44",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"09443c92-46b3-45a4-8f25-383b028b258d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Process Termination followed by Deletion",
|
|
"sha256": "8e654753f94cbe50967dfba421ab8bccd10ca84d40d0a245ba08031a4e5957b6",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Process Termination followed by Deletion",
|
|
"sha256": "810d0e8b66236addc1c0514c2be23053922b1d223ce68c39d7fb7d5b4a376ed0",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"0968cfbd-40f0-4b1c-b7b1-a60736c7b241": {
|
|
"rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion",
|
|
"sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"09d028a5-dcde-409f-8ae0-557cef1b7082": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
|
|
"sha256": "8ee919cb70451c98d111e5e7e7e2f9636a1d0064a49e02e77f997b1b14265537",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted",
|
|
"sha256": "e9b638ed7f3e43e337695cbafa761a7fabd832f38a7fae09bea663e61f0492c3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0a97b20f-4144-49ea-be32-b540ecc445de": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Malware - Detected - Elastic Endgame",
|
|
"sha256": "a721897ba5522f3f80de884490b7ec388a753c8679db97593a1f957a7bff12b2",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Malware - Detected - Elastic Endgame",
|
|
"sha256": "625e15fc2de85491b9506d68b1852e7faceace28909534416f3fe6df4b4e7506",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "9e82b05aeb4575a98f709abc32dedcd6597e85d952b0f635e6e3efa77c34eea1",
|
|
"type": "machine_learning",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Anomalous Windows Process Creation",
|
|
"sha256": "e56af9f20aeb3c799f9f604360002ecd00c37feb5a712e6ffd320b7248621010",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "User account exposed to Kerberoasting",
|
|
"sha256": "ce5ff6004e5f73f7ba93d2299282f773bc858aeacefa8f3cc3385f6eadd25086",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "User account exposed to Kerberoasting",
|
|
"sha256": "db61615c674a3ce285700a7ca9c38689748cc60f7de2015c7c87809fb3916bc7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Peripheral Device Discovery",
|
|
"sha256": "f24ca9a1f60d75defed517b7817577335a4262fbb3b7ed6b226eaea2c3c5e0ce",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Peripheral Device Discovery",
|
|
"sha256": "0bf5f8e7339eeba4e9a7789f3ad562427540da2818dc30028fc88a0a2946aa31",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Threat Intel Indicator Match",
|
|
"sha256": "deec30795d7a848bc2ea99f29ec0e44c0d2cf9debfb593a497c818011477c718",
|
|
"type": "threat_match",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Threat Intel Indicator Match",
|
|
"sha256": "ba224a6d2c59ed8072d4b28f8b86c7a161e511a747418aa937074171cd5a390c",
|
|
"type": "threat_match",
|
|
"version": 103
|
|
},
|
|
"0ce6487d-8069-4888-9ddd-61b52490cebc": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
|
|
"sha256": "f6eacd7c05b07f07ea615052aa4f672c47f4ff237bab83ee299daa65484ff83a",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "O365 Exchange Suspicious Mailbox Right Delegation",
|
|
"sha256": "f42ea7acfc39b867f160d77cb67980e378220b0b29dbec1c46ba81a85b3ec497",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0d160033-fab7-4e72-85a3-3a9d80c8bff7": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Alerts Involving a User",
|
|
"sha256": "8d4c07265bf4bd3c24f522e31ba75c8a38f0b8d8b41064fcc50c4dcf0e4e168f",
|
|
"type": "threshold",
|
|
"version": 2
|
|
},
|
|
"0d69150b-96f8-467c-a86d-a67a3378ce77": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "249b51758445451417eec4803297e5a0a2451bf859faf040db420301a8db3d2e",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Nping Process Activity",
|
|
"sha256": "95be323eeaf86c2effc37f493654631497f6ba359a6e2eb9e9c461fbcb58fdcd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Execution of File Written or Modified by Microsoft Office",
|
|
"sha256": "d5d64a8e365a6086e3eb761be4e4722395cb58969f220252263994c9d2a86241",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Execution of File Written or Modified by Microsoft Office",
|
|
"sha256": "d1c654b34a3bd7c6f19a7b3f7674402e59d17633ad8d3d7060e9a0783595ed4d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"0e52157a-8e96-4a95-a6e3-5faae5081a74": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "SharePoint Malware File Upload",
|
|
"sha256": "fd74b2c8aa258d63dfa815857d9150709e02798bba6f9903829af995d2d27d5b",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "SharePoint Malware File Upload",
|
|
"sha256": "52e4662dae5a3d57aebcef8d8c8ac99e9cb8a6d96ce0efecbc4e95e04cfeb435",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Service Account Key Creation",
|
|
"sha256": "9c70b737fec17aa177eea51e4447e68f4f484f94b407ee4bacf654c6c8be1f7e",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Service Account Key Creation",
|
|
"sha256": "e40dbbf4fb95d007939d7dbb342fda9d8bdb333215cfff5d9b1c12eaad38dc9d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"0e79980b-4250-4a50-a509-69294c14e84b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "0168b3528c17247ed5631843306c3123c740bbb190605452493031a938421f15",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "MsBuild Making Network Connections",
|
|
"sha256": "4df93b719f1595d13e8faa6544efea6143cc58d16eb2793f57b4f55307c4f4ac",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"0f616aee-8161-4120-857e-742366f5eeb3": {
|
|
"rule_name": "PowerShell spawning Cmd",
|
|
"sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
|
|
"sha256": "8fcce021f112699cc2b8bdd61edaaf16d26633221793e2f64a8d2b45d395e21e",
|
|
"type": "threshold",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
|
|
"sha256": "03daf4406b3a6c0a3d064d46ca7c9729cde431977ba9da360fcae6cd99fa0f86",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Privilege Escalation via Root Crontab File Modification",
|
|
"sha256": "2149a008d62b8e6a983abd178158948e2c370183a4e070931806ebd07b620ec7",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Privilege Escalation via Root Crontab File Modification",
|
|
"sha256": "89e18c1cef45d91c291bdc174d2787c052129462adfb9fa1c195e190a62cb8cb",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"10754992-28c7-4472-be5b-f3770fd04f2d": {
|
|
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
|
|
"sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "WebProxy Settings Modification",
|
|
"sha256": "5ceeed56054e254ddd1b7d9f6d34b66810422a1b885570227b5b24b1df1f5a1c",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "WebProxy Settings Modification",
|
|
"sha256": "8b5887a6716a56ad696d9a249954a8832431d07e47b28d7b041c25bc7755de4c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"11013227-0301-4a8c-b150-4db924484475": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Abnormally Large DNS Response",
|
|
"sha256": "72179393e4eaeb676c7ddec38aa17e29cdb602ddbac0b4b4c2727b39bbbd33c4",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Abnormally Large DNS Response",
|
|
"sha256": "cabcfa0923767a42d630bc1550d41c1cfd0eec28064a1ff44817b3d538250a01",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
|
|
"sha256": "9c71d67d03bb28988290278d67be14ad1ed058623cd9989b68da55945b0884d6",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs",
|
|
"sha256": "5438fc1433d2ca860d647566772ae4ef2959b4c6a0d40fe51aaa41e08e80bc01",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
|
|
"sha256": "f93caaaa0c67c047837860a3ee7f31fbe03b3df7af0f7fb2c29658c22dbb89a5",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
|
|
"sha256": "485416373aeb322528add817d2f8b225bab411e7134c8181012c38ad6042886c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "14d892036447ee2dc39a6709bd9e0d3257e7f26fc746c067ed110d862c0688b8",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "09100ecbae6d7900d19afa230b411ff3868e72070afd10045314a87e3355af27",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"119c8877-8613-416d-a98a-96b6664ee73a5": {
|
|
"rule_name": "AWS RDS Snapshot Export",
|
|
"sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
|
|
"sha256": "0f8e7d4c05e2aa942a177e9e8522674ba38bc37003575e007b6ec8cbaa5c3a49",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
|
|
"sha256": "50288dc2ce260ad28cbd659c5050727cc77e2dd0725409ad7443869e47bcd52c",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
|
|
"sha256": "409af5cb1a316eff6937b8fb2d5e75b21ee959aa0249f1c96c09daf49f497f09",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"12051077-0124-4394-9522-8f4f4db1d674": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
|
|
"sha256": "7b9f296c6822ee18168d7c4ab63f9d12781ebe9c8704290c6e4bbbf250b1da44",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "AWS Route 53 Domain Transfer Lock Disabled",
|
|
"sha256": "f3e99151601129baf7c4df19db50e81306094e02bb5816b758347d236b6b52df",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"120559c6-5e24-49f4-9e30-8ffe697df6b9": {
|
|
"rule_name": "User Discovery via Whoami",
|
|
"sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"125417b8-d3df-479f-8418-12d7e034fee3": {
|
|
"rule_name": "Attempt to Disable IPTables or Firewall",
|
|
"sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"12a2f15d-597e-4334-88ff-38a02cb1330b": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "344dd45b89887d9f6037e782a5c6e321a7e348581f1372c4180b8b5e2aad81e9",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "9849f3733be1f4f160704b38909e60354493b106e233d0fb46bbad606d4cf8c8",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Suspicious Self-Subject Review",
|
|
"sha256": "0c29ed380ed39fc8a80d4f4fab1fe8785ddfcd617f0c34564bb083d38a585f26",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"12cbf709-69e8-4055-94f9-24314385c27e": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "1944874623a3c0eb94b6c60e923f345644329467a5e2b4d450710fa23af51940",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "5d921734039fe405b0c6592212c7e3019f5b13cd5364c1387b30211aebcd0f31",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostNetwork",
|
|
"sha256": "7d550e16a5e9a5ee59b288c4bc693f4e6703004a127827dc0e04fd4ca293ebe3",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Cmd Execution via WMI",
|
|
"sha256": "14dee3b14b6f395041ed83582c528b803b220c3528665d1da4a1bc87de358524",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Cmd Execution via WMI",
|
|
"sha256": "1e861f3b182c5b50efd36db4f39a4e83a996856067e175be07e1e88511da1573",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via Scheduled Job Creation",
|
|
"sha256": "dd487bb51dcb9f39021bc76a62c8cd0821d1d6a83f7dcbfa4995e6fdb51914f7",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Scheduled Job Creation",
|
|
"sha256": "9fda9d17c81262f9a2b7ef16a17d4f2654c7aca9a546b5e3ea8f07bc91b8ce39",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"138c5dd5-838b-446e-b1ac-c995c7f8108a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Rare User Logon",
|
|
"sha256": "2cee5f1ed8eb3e96b51fe2e95091998e361671f08e86aee4e30f60585529cd00",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Rare User Logon",
|
|
"sha256": "2cee5f1ed8eb3e96b51fe2e95091998e361671f08e86aee4e30f60585529cd00",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"139c7458-566a-410c-a5cd-f80238d6a5cd": {
|
|
"rule_name": "SQL Traffic to the Internet",
|
|
"sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"141e9b3a-ff37-4756-989d-05d7cbf35b0e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure External Guest User Invitation",
|
|
"sha256": "884e2787044397ab5139c3a166b7ef487915885576122d86d3eee5fa26cb6b31",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure External Guest User Invitation",
|
|
"sha256": "cd3ff42d4d39f286f6ea43a9dc3e39036052e41de46a2361d7f2e03b904b56ff",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"143cb236-0956-4f42-a706-814bcaa0cf5a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "8fb78fd8caf9f2c543f7a8496f9d8f54d2c309b521d9b3f1d1afb9174b6c6068",
|
|
"type": "query",
|
|
"version": 13
|
|
}
|
|
},
|
|
"rule_name": "RPC (Remote Procedure Call) from the Internet",
|
|
"sha256": "2b983663df2e83acf552a0e23cf64c89b7d02608e47827e831a7f83301eb1157",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"14de811c-d60f-11ec-9fd7-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "939f1dfae51e5df729029c2bf9c6cd64c211afd38624b26e0878e4e9f0623956",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "a00465734be3cc8c51d1068bd7d2d6fd67cc0144a3f4b11d969411083176df00",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes User Exec into Pod",
|
|
"sha256": "90b7f6defe4977b45e05aa289bc82b0dd8a381c0e699c711715d6c350070ca92",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Persistence via Time Provider Modification",
|
|
"sha256": "babbc6287d174b837d32ddc45d7233af2a2325136cdd66ffb0cae01ff942611d",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Persistence via Time Provider Modification",
|
|
"sha256": "409958e26d80d4305202efb2cd4613478ca9ac6769ea6e570e86e34c4c25b92e",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Scheduled Task Execution at Scale via GPO",
|
|
"sha256": "a37caa10322b243e5b1aa27c757d8348af9ac05dff0d4f48a54774f68c207385",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Scheduled Task Execution at Scale via GPO",
|
|
"sha256": "d7a930666b4897f3e6ad4cae910ba7d91950f18ee7f501d9b51052e6c46f00c7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "8d3046d9ab68612adecfa2ba45a822de6d59c106baa88cb919d7f814adef7705",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
|
|
"sha256": "98425472d0a343245e1fb8eb9746934a14bb7d1f680cba1f6de34536a9e334fe",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"15dacaa0-5b90-466b-acab-63435a59701a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Virtual Private Network Connection Attempt",
|
|
"sha256": "ab01939284a35f49a970a029c0ae49717b8c8a40df7d14e420432cf17423300a",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Virtual Private Network Connection Attempt",
|
|
"sha256": "79289e433be5f382d046d2d79e703e4495d19322cc3d3ce6896b79dce7c300e6",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Automation Runbook Created or Modified",
|
|
"sha256": "5856d870c5052798edc3f6128683f5e39e62d60519ada98556b15fef9fc2df55",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Automation Runbook Created or Modified",
|
|
"sha256": "1ddd06726c54971391c661c9aea4eac602559a462ed0ecd122be0d5432a23e3c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"16904215-2c95-4ac8-bf5c-12354e047192": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Kerberos Attack via Bifrost",
|
|
"sha256": "82021c6bdc0d1e0276714a56622c6195c0745e9c8d37dfa3e179111be9f3c8f7",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential Kerberos Attack via Bifrost",
|
|
"sha256": "ec98e1c703684c98f1163b4b0fc13d2567f6cdc5873bad42694434d53255a29a",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "e40e6fa8910826f514e017875dad384599cb9360369e8f04f154bb76879db2ba",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS IAM Group Creation",
|
|
"sha256": "36d85b8991ba411ea3abb812164d7816a169f8c2865ae140831f5bbc32103fee",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"16a52c14-7883-47af-8745-9357803f0d4c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Component Object Model Hijacking",
|
|
"sha256": "5898cbcb8ba124f960428a6f5171e59b41b955310aa5d055f300dc1a341c1b4f",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Component Object Model Hijacking",
|
|
"sha256": "29332fb4fe36ca9a1f9b5e944510166732b74e9ca40c6ab4a5632e3d03623d32",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Startup/Logon Script added to Group Policy Object",
|
|
"sha256": "2dbe2743cfdae34c434469eef59b198bcabab7f9fe1700cea7401f78495d4755",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Startup/Logon Script added to Group Policy Object",
|
|
"sha256": "64a498b05a35861230579c6423cfa101e7722f72d4f10e9c15842d6d98a21772",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "15ad86ffb8402c2acabbd69bc91cf276320fbefe605de2f336f02d46936242a4",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Username",
|
|
"sha256": "8f1da2c97c296b4e212e5aacd5a608a1043a71c6de193a0568f82e09fc04cb6e",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "2056eb4358a68b426256be231c045180bdc5ed38f6ea5b6f8140d1656c102a7d",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Service",
|
|
"sha256": "526315821ea6ac3e9449850d95215a802bdacb4518640f64f454e99f6cf6f251",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "460a16a595ce6ae95c9edea03ef73004bc7c7308105aa6c9ea445cbde9af7acd",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Powershell Script",
|
|
"sha256": "3f2c7a02718fef440dc22e8f1b4f26a82a874244e78627aa709c4a62d0a6ff0f",
|
|
"type": "machine_learning",
|
|
"version": 101
|
|
},
|
|
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "f379e94cb9af607a023c169713f9d08359187394314686ae5e0c9e90c0cfc475",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows User Privilege Elevation Activity",
|
|
"sha256": "e46cdedd322a3698ace70334ffe46355b69407965f560634a7857023937319b4",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "56324808be7511810a3929fc18e87820ab588197a384e84b772bc3f2addc8841",
|
|
"type": "machine_learning",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Remote User",
|
|
"sha256": "139ece349432479b389dbad5de09391bcb55c55f5fe0e4a9d97c27079deea3f6",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Execution - Short Program Name",
|
|
"sha256": "a49a574d1dd2dc2b3e273604ba9444652782dad8165b44003650a266a3d8c831",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Execution - Short Program Name",
|
|
"sha256": "7a0b3c02a3b14b9244b72468593f852fca3d88b7bb05f831ee30796ee3f495c0",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"17e68559-b274-4948-ad0b-f8415bb31126": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "4f247c995b369cacb22a5734b72185bd8dc067b58972e3e959245d9bf0d391ab",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Unusual Network Destination Domain Name",
|
|
"sha256": "4f247c995b369cacb22a5734b72185bd8dc067b58972e3e959245d9bf0d391ab",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"184dfe52-2999-42d9-b9d1-d1ca54495a61": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Logging Sink Modification",
|
|
"sha256": "f543b8cf2fdff969c2280c9426bcef331857717573fa30ecfdcfba95c8283625",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Logging Sink Modification",
|
|
"sha256": "4ff90adb8f0ca4bb71028c214898da08ab3b11d12e8029ba076eb1cc46a8718f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"1859ce38-6a50-422b-a5e8-636e231ea0cd": {
|
|
"rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion",
|
|
"sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"19de8096-e2b0-4bd8-80c9-34a820813fff": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "6b29390c6c450c02027712c15174d3241eadf50fd00e80be20970e8d2385f21a",
|
|
"type": "machine_learning",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Rare AWS Error Code",
|
|
"sha256": "d9ae135b7d670facb6304754243732fcf0c80f068ee0d8b6aae7c8821fed2a2d",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"1a36cace-11a7-43a8-9a10-b497c5a02cd3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Application Credential Modification",
|
|
"sha256": "08c7be0a262c66e42f4a684e6a3250d4686374b71f6fa817d9cf0b369eacdf81",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Azure Application Credential Modification",
|
|
"sha256": "4578d2fa5303996ca9dae8665c8478e5f83d838b6e503934124775b995cf839c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Execution of COM object via Xwizard",
|
|
"sha256": "f914b30a66a3801986631b2260c2b0be902fee7f3f9e9ea83082a555276b833e",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Execution of COM object via Xwizard",
|
|
"sha256": "9ed4bd98aed4f19ac6f2d34893f938f5e783e7d97ff483f165f2830a9bcff335",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1aa8fa52-44a7-4dae-b058-f3333b91c8d7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "fd4a95d88aee2bbce7a930bef232433c82600847adb3624342557eb85672f1c2",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "AWS CloudTrail Log Suspended",
|
|
"sha256": "50dca61081a44cffb4a6c96baea903dbf1e040e5a6d090026f428770e92c2de8",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "1891ff7763da99e8748a754e4c9ea618908a0273d1dae964934e27ac482dcb2e",
|
|
"type": "eql",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "User Account Creation",
|
|
"sha256": "a2dbc4558d0bf8ffd0cc05bd5b6b9aef55467bd203ab02bac09fe694c09913f4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "a6045befcf940787d6b44aca3ba847602c79275a601616a8cb50d66f621907f4",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Connection to Internal Network via Telnet",
|
|
"sha256": "f66b62f323c084928fc2012b45d085cc4676bdc6994ce86c0f2e425b15fffd2b",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
|
|
"sha256": "3ac35392968bc4bfe1ec662a9d0b96fd14d0f58c60be9132d68c95fc85b635c9",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "AWS ElastiCache Security Group Modified or Deleted",
|
|
"sha256": "4cb4cedb42b0a57c864fe7c83f8baeb8b06a53cbcdfbefe6a1c2a0261b1bbc59",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"1c27fa22-7727-4dd3-81c0-de6da5555feb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Linux SSH Brute Force Detected",
|
|
"sha256": "39da680feee7ad38a8cee738d28975c62ada6344a4154b17e3c349b57c74a4b7",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
|
|
"sha256": "d00d3e8f0516c4848290f845aa45897ed6207d1a3f9b71738aaa821f9c3805fd",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
|
|
"sha256": "90b6e6f3757968c798b350aec14b7a9a3b4567f3917a518eab4a067d93bc8f92",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"1c84dd64-7e6c-4bad-ac73-a5014ee37042": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious File Creation in /etc for Persistence",
|
|
"sha256": "f48c4a2437aad0de0ff36c4dfeff61ccdccf6df20dc3ceb3cba6c9400244e0ea",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Suspicious File Creation in /etc for Persistence",
|
|
"sha256": "fd574c78325d2683a832f7b4b8df354b794166d3cf0d68721511a8b1df6772b5",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"1c966416-60c1-436b-bfd0-e002fddbfd89": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Kubernetes Rolebindings Created",
|
|
"sha256": "2717595854d57fdf2727a0361b9f0d549070644843408b2e19e67e30e64a546e",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Azure Kubernetes Rolebindings Created",
|
|
"sha256": "d60a2598b31e2c9c16a051b1cf76726ce5d8f024423f62da4ce30e959924ff97",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Incoming Execution via WinRM Remote Shell",
|
|
"sha256": "668b31747084485dad1344c6ae9695fbb86ac6b3c11bc427b08cce2b1e9cf791",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Incoming Execution via WinRM Remote Shell",
|
|
"sha256": "01259c36f97d276e0dfe2ed552945732d4f7c9730deb8bfa28fddc8aa693f4b6",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"1d276579-3380-4095-ad38-e596a01bc64f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote File Download via Script Interpreter",
|
|
"sha256": "85ae33aa6ea9da5d75b1566ea17607b7675b777fa6a3bbea99899cee587b85e5",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Remote File Download via Script Interpreter",
|
|
"sha256": "b1a736e4388da27ace78d942f540fe8f3c7dea6f9a69d7691928adcd8f040401",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1d72d014-e2ab-4707-b056-9b96abe7b511": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "External IP Lookup from Non-Browser Process",
|
|
"sha256": "676c2d4dfe1aa314a6f063884871cc7fd0e04da8d7e3182b2b6eaae113e6f86f",
|
|
"type": "eql",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "External IP Lookup from Non-Browser Process",
|
|
"sha256": "06e930d7efabbb24b827945b89ae86d7a301a1f9862f58465942b2f33f898062",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "2bc46ca9cbee507967b5dccfac7f86142c08d85ba6d3151747c404858da10b74",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
|
|
"sha256": "48994d6de2a2d73e1189eb0ec482166dc5885216aeeee1deab4e45ecf1d01797",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Execution of File Written or Modified by PDF Reader",
|
|
"sha256": "f12a62cb3e7043b37dd8cc3bffbfdeb5a191ac0e33d733d4644b245ac3c8d252",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Execution of File Written or Modified by PDF Reader",
|
|
"sha256": "1a3fead9dfc895c3f67d29aa030d9c614de5a22faf47214edfc3715c905a1157",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"1e0b832e-957e-43ae-b319-db82d228c908": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Storage Account Key Regenerated",
|
|
"sha256": "9a24ad9aff9d1b7e5f0dd32ef47be286477cbe4f2695b212eb665007066eba72",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Storage Account Key Regenerated",
|
|
"sha256": "3328d28b7049bd0768a8c49e258c4d07acf8100a03153adfeb091e534e234847",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"1e9fc667-9ff1-4b33-9f40-fefca8537eb0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Sudo Activity",
|
|
"sha256": "ea35fdcda2944c1f32b9212d1a678d78dbb16552282224aaba7c0cf16fd29716",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Unusual Sudo Activity",
|
|
"sha256": "9d82b230918f0db964b2f2e07fca49ec284c7105c28d58018a4d322e5893bca0",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"1faec04b-d902-4f89-8aff-92cd9043c16f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Linux User Calling the Metadata Service",
|
|
"sha256": "d8647d38ddacdcf88500083f0009fe8c6bf67cbfa193518c40becdf8c8120be3",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Unusual Linux User Calling the Metadata Service",
|
|
"sha256": "0aec86484ab498ecfb07296e0217a2b218976158fc0c2d60ed1d7afa05fbeee4",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Network Activity from a Windows System Binary",
|
|
"sha256": "d2af4370e5ccb4aabdb1f4ce6b028ddd92fca5b5d6970163ee44af539b870b4e",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Unusual Network Activity from a Windows System Binary",
|
|
"sha256": "043fd214a5e74e23bcc4de915f6a875519278944ff560c9c81d82ff805167289",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Exploit - Detected - Elastic Endgame",
|
|
"sha256": "e3f47d3e8da634596dad903884e6404a7bd1ca78392299f700ef679f0d8844b9",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Exploit - Detected - Elastic Endgame",
|
|
"sha256": "95bb907bc085874a3566cc325863a188bd1ac263ddbc008b39980f9e3ff2fd0c",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "107eb5a4de0ac13cbd117ad1de8746519602749dc797b311ab7bc596399090fc",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Suspicious .NET Code Compilation",
|
|
"sha256": "bdd29081febe1d9be776a40e184b16da3aedf6b4da70a5326bc95b07e12dfe6e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Creation or Modification of Root Certificate",
|
|
"sha256": "1832ded92050593610491cfc98ef5d0e93dd09d196b802ee1637443001ac3ff4",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Creation or Modification of Root Certificate",
|
|
"sha256": "71dc9d9f456e473f1b57e9241e4674855a370dec025e2376399d97ee7426965a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"2045567e-b0af-444a-8c0b-0b6e2dae9e13": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
|
|
"sha256": "41835cffbde1bc4c8def4abccce017a21640bc560e4e697c6436a6dbaa30ac34",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "AWS Route 53 Domain Transferred to Another Account",
|
|
"sha256": "9d52800d94fafc364ae8b490281527d60770d6a379f47520a2cb09cf05e99bd3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Access of Stored Browser Credentials",
|
|
"sha256": "cc35011933319f19d5d25465cfc6b0b777e0e2c92545b9bd6d47bddd4b8ef7f3",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Access of Stored Browser Credentials",
|
|
"sha256": "59b7aa852dfcdd555a54d71d26da5452801d12ff9aaf3c8af65e99c107decbde",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "LSASS Memory Dump Handle Access",
|
|
"sha256": "65e99f073be3045a2ed201ca6b6bf32304b1beb501977a009056ee034859e4ec",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "LSASS Memory Dump Handle Access",
|
|
"sha256": "6692aea3904b62c7c555a43f6924b23132f4e04c32517510298d016cb7c673bc",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"20dc4620-3b68-4269-8124-ca5091e00ea8": {
|
|
"rule_name": "Auditd Max Login Sessions",
|
|
"sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
|
|
"sha256": "cb1b2c1498fe0d00358b83a85406d0cc88a7566b95f7ca25855519313bd66ef7",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "SSH Authorized Keys File Modification",
|
|
"sha256": "422509485dcdfc86588db158efa6b71aa506a3a040879ef9d58ff360d9254116",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "SSH Authorized Keys File Modification",
|
|
"sha256": "f7a5c712a4469a66a6f138c749ceb8daeb01b6acceeccb4972e3b13332ede4d2",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"22599847-5d13-48cb-8872-5796fee8692b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "SUNBURST Command and Control Activity",
|
|
"sha256": "4f224e42287dded2b371f213fd94adea7581f4ea593ef8efe14731814f32b26e",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "SUNBURST Command and Control Activity",
|
|
"sha256": "fd465a42d6a0691cfe41c2518974982ed473aef77d93c55718d406776f513808",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"227dc608-e558-43d9-b521-150772250bae": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "d6a3320318fe0bc9a9196f7470698bd1149ca127c9eb16c24f195c7f3ff1f717",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS S3 Bucket Configuration Deletion",
|
|
"sha256": "4523d993d766256af5e47aa06906e05f478cc014137850ad19f6ef2925c36411",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"231876e7-4d1f-4d63-a47c-47dd1acdc1cb": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "ad845b271a9ada61e663ccdc1032f4d9c07f07ce757333abfa7b481455026e2d",
|
|
"type": "query",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Potential Shell via Web Server",
|
|
"sha256": "4514b076f4ae9f9a5905f71bae0fe30bffd6a120c18e51e72580bb87a0a96a30",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"2326d1b2-9acf-4dee-bd21-867ea7378b4d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Storage Bucket Permissions Modification",
|
|
"sha256": "6d0b3a0e08e8e535f4a76760347d2d8c15e7887ae3ac62a39f1dd16b9b27115d",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Storage Bucket Permissions Modification",
|
|
"sha256": "99a2e12d697c64e1ffd1ec2a86da9159c5a9281c37b2691a9a2bc22c85510c7f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"2339f03c-f53f-40fa-834b-40c5983fc41f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kernel module load via insmod",
|
|
"sha256": "2c8e5266ab5da1541a55c06d3c261f4a64776941bebe6315ba84a0f6dd0cad62",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Kernel module load via insmod",
|
|
"sha256": "560deab9cf9e540b16155fd81c9b95e705bc60d3a0b877a66a7208b103c6eeeb",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Lateral Movement via Startup Folder",
|
|
"sha256": "b993dccca52b5d4477a99f7ef9be23ebd2ff8f22e6186ed8f9b33a6b3cb1156b",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Lateral Movement via Startup Folder",
|
|
"sha256": "1b40d513146b863cf1464a86bc81d91c77265387701e0b1afb0429eed32ee3cb",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Blob Container Access Level Modification",
|
|
"sha256": "7602867c71364d35f82ca94e41c81d3d9f612df26487ff881a23b5545d15836b",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Blob Container Access Level Modification",
|
|
"sha256": "4cad95b3cb6eb2f2107dab0dafaacb3393fb7f29826d6aa31c2fd134e5745e7e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "819355eaae5de0d1efaf7e63f85a97b5c3f010d3afeff305b789336f94202b64",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Update Orchestrator Service Hijack",
|
|
"sha256": "146e2ecc5ce7ae31124dd9c100979b40dd6e79a929aa79f0c71780be4ed6f900",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"26b01043-4f04-4d2f-882a-5a1d2e95751b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Privileges Elevation via Parent Process PID Spoofing",
|
|
"sha256": "a999339d78291ff225a48caf23bba368f705e42d0a3fce3c5a4a2ff664b5f947",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"26edba02-6979-4bce-920a-70b080a7be81": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
|
|
"sha256": "6800b997e4c2e3b643fe0522e8af631880e58d352b074b99f40bf8fb49b14314",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
|
|
"sha256": "61c5ef7f4e05aa853ab39b31d813d371abe1daba1350e751167e8758bd66efb2",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
|
|
"sha256": "c4f5f357386b15ba28af1de205a888deaf0e001d60f39435751bee223fbc3cb7",
|
|
"type": "threshold",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
|
|
"sha256": "b1fe391f2303c93bb37c3c897a8f47d2e405bd9039dc3ddf007b4c0f84b3ab0b",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"272a6484-2663-46db-a532-ef734bf9a796": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
|
|
"sha256": "065b6a9a53f1b0d420bf42e2a57ce12b9f77684422e6dd59b66a0ad77e2b9aab",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange Transport Rule Modification",
|
|
"sha256": "e44cf5df8dbb32d716d2a4362cb8385e493638cb71b141aa8aa3717205bc20bc",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"2772264c-6fb9-4d9d-9014-b416eed21254": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Incoming Execution via PowerShell Remoting",
|
|
"sha256": "089d0ecdbcb613691dc9e414c064213c63e11df6eac4880f3ee5199aa9072446",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Incoming Execution via PowerShell Remoting",
|
|
"sha256": "f205af382353a1fad072152a1d4207f2a6879ad7f1d85ad7eaf0fc9354a31ae2",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"2783d84f-5091-4d7d-9319-9fceda8fa71b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Firewall Rule Modification",
|
|
"sha256": "66e3eceb3d773269f1d0fd6a4e447eacdb2003685a2e44f54df142b50f7dcbac",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Firewall Rule Modification",
|
|
"sha256": "3ecb269b043c21a8351338e9b181a3a9fbfbbc7c27e850a9cb2fedac86f81bd0",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "2cf5e365a6fd347095c38267456d4deb4f7645f703c0df2c7777da604f4de7db",
"type": "query",
"version": 8
}
},
"rule_name": "Microsoft 365 Teams External Access Enabled",
"sha256": "9c73b9c2b54cace47d3e2a3ef52215f855ab5f0db468115a949b43b64571e34d",
"type": "query",
"version": 101
},
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Account Password Reset Remotely",
"sha256": "ddef55a84fc5714b3eed06cab34766ed8096ead0f5d7f47aef40646e7c4de3c8",
"type": "eql",
"version": 6
}
},
"rule_name": "Account Password Reset Remotely",
"sha256": "4f368ca08309253b3eb4c2ee299b7e9a2ff1f704e42cff23c25d11536e8561c1",
"type": "eql",
"version": 102
},
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "5176f711c953c51b47e31b596f2230e9cfd42b8195fe45785435a85f712b6fda",
"type": "eql",
"version": 15
}
},
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "de68135083464aa79aa27d8c11e76b7faa142b9d887bcb485ab746e6a3dad878",
"type": "eql",
"version": 103
},
"2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "282272412a4945d5f698bd3f4e9469c69c4e54b7270e15886a8e6a3fb00b4bc9",
"type": "query",
"version": 10
}
},
"rule_name": "Exploit - Prevented - Elastic Endgame",
"sha256": "27305767d7089a0c2bead91f22c1603ce3948e10ed90397be8c2155689b3ed24",
"type": "query",
"version": 100
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
"sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79",
"type": "eql",
"version": 100
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "36dc480e5ec70e4c9af74ef68d2a6fd570f93d92e8df822b4b7545dea44a8cc9",
"type": "query",
"version": 7
}
},
"rule_name": "AWS Security Group Configuration Change Detection",
"sha256": "a9b4f01618dab4656c0ba36b475526cc02968ff74953533fbfa6f9e2f51b2583",
"type": "query",
"version": 101
},
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "72859e3a7a189ce94083d0382f1e220a0040974a14e143acd3d47e2ba1f8c8f8",
"type": "eql",
"version": 8
}
},
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "4774cc40af7c1d02c912d46a56bc55e5e5eae6fbf673bb5bcf039fb171217cec",
"type": "eql",
"version": 103
},
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Webshell Detection: Script Process Child of Common Web Processes",
"sha256": "0b3202a976dc29f3f75c66ab052467c3444264673daa31059d3f7d66a50b5132",
"type": "eql",
"version": 7
}
},
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "35fc24276860b62a3fda0a8738e107a5eadda479fa14eb5fb74db90f33812ee3",
"type": "eql",
"version": 103
},
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "a1e315972da4cc09efd55ced26e8c184ed87d6fb66a809b7e9084bfa8cca6b46",
"type": "eql",
"version": 7
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "47b528308d655d9a40ebf1c7faaa183193cc2911f418dfca1c1a10cfe13cdcfc",
"type": "eql",
"version": 103
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"min_stack_version": "8.4",
"previous": {
"8.2": {
"max_allowable_version": 99,
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "c0ee6425ca26e268371a5176086ec5beb58fc8ceae2a33daf00d09b473fc448c",
"type": "query",
"version": 3
},
"8.3": {
"max_allowable_version": 199,
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "178a7bac7a538fcdc72434c1e7d6d9c9f1698802fb94817047bbf1d0f39da540",
"type": "query",
"version": 100
}
},
"rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume",
"sha256": "f7cb9e4f92a13ef9246e6b2a163b71a5da25f361343619ab307e6815cc43761a",
"type": "query",
"version": 201
},
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Adobe Hijack Persistence",
"sha256": "b178ab23fa3f6c3794d7488ad3ced9780881fa75a10c9608be3649149c5b7a1b",
"type": "eql",
"version": 14
}
},
"rule_name": "Adobe Hijack Persistence",
"sha256": "371201ebdfb6505b584a6a3ef2f7b348ccd569d100e26eafc11d0250cd514198",
"type": "eql",
"version": 103
},
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "46ccc5f940c4ecc1081a55bc5b907463b5f4a03443c2584c7ff5d4444897c325",
"type": "eql",
"version": 11
}
},
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "90e4cc8abb986f46dab686af73a37a4246fdd36871e9f8c47c6c8f50cb31f95b",
"type": "eql",
"version": 103
},
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "a50a568f3977633c70f5057540c6eb4a81c8426cf8b417ec8d4d2be3fc4cd1f3",
"type": "eql",
"version": 4
}
},
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "f9531e1584aabf2f2528c56d59e44fcbf39b460a6487c901b195b2c83ffa024d",
"type": "eql",
"version": 103
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Enumeration of Kernel Modules",
"sha256": "f78114d6df86b5c2843abb41b8c64f807f94962e9ac46f1e19b5775d401ce38b",
"type": "query",
"version": 8
}
},
"rule_name": "Enumeration of Kernel Modules",
"sha256": "22b03287ec583dc4b58992a5292c592a3d4b32cdc92036f8e67c9dca6565d163",
"type": "query",
"version": 101
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "b769e06899d9619b0a54a288034e007dcc8ea8a8401422cf67dba285e087b633",
"type": "eql",
"version": 6
}
},
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "e5fa5af36e560ed36941b83c231bf7b0f3622624e24caf9f30d1bfd932791de3",
"type": "eql",
"version": 103
},
"2de10e77-c144-4e69-afb7-344e7127abd0": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "9427e6829127b009d4e0423ca57d1ef4fa2e36f94ee01872755bcb8028c4135a",
"type": "threshold",
"version": 7
}
},
"rule_name": "O365 Excessive Single Sign-On Logon Errors",
"sha256": "1d488ef91e96ded9a1b9dfddd9e26c6a2fdae410b8d33c28258f21f2c899bdf9",
"type": "threshold",
"version": 101
},
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"min_stack_version": "8.3",
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "02c5948a1e79499d7d9f76651be8747b4875ae05d57d48b23f41b10c01109ffc",
"type": "eql",
"version": 2
},
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "8acf72dc610beddfe319ee7a8c6fb03105880620d6c3c0d1a9863e0370b598e3",
"type": "eql",
"version": 9
}
},
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "935c0df53d376819e57cc582c24130fc1a742486e6d1dd978024344076b3df47",
"type": "eql",
"version": 103
},
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "cc671371e4839eb14f885ef52c5e4762055d1a8fd43f3bdd3f2b209cbbddbcdd",
"type": "query",
"version": 8
}
},
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "8c6f27c7e2b39957500b3f0d690080088b823c905b6f202e1b1b0de855c8553f",
"type": "query",
"version": 104
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954",
"type": "query",
"version": 6
}
},
"rule_name": "Halfbaked Command and Control Beacon",
"sha256": "846c561aa886bc0c006237aec72dd464697e504a852617c4245e047b9b8514c9",
"type": "query",
"version": 101
},
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "db902f8c25b3bb1600a3e7e89328228a086bbda8655946640882d39f011d2162",
"type": "eql",
"version": 7
}
},
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "b5b7fe84b518ea200be721f09eec0cb13a04466a16e16d2986a0fafd3a01be33",
"type": "eql",
"version": 103
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "b8e4625040554d5c1f2451a70b6f3e297aa34486444490e23fe522132ac22254",
"type": "query",
"version": 5
}
},
"rule_name": "GCP Kubernetes Rolebindings Created or Patched",
"sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830",
"type": "query",
"version": 101
},
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "783f7f7d5000b69b13e7a69593dcfa30f5a6f3718b7709cc35c9a861f5e79aac",
"type": "query",
"version": 9
}
},
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "7116ad8f42568440dcb1c9bc6b196885c1878eea0730ad2d2b0b7825393a398b",
"type": "query",
"version": 104
},
"2f8a1226-5720-437d-9c20-e0029deb6194": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "dfe5b7e2dfdfef3b551d95c11686821ad9a6ac5e23d9c1fdf901d716bc7969e6",
"type": "query",
"version": 9
}
},
"rule_name": "Attempt to Disable Syslog Service",
"sha256": "e65f2bc49d0ad4f48d814b50ee066ea12b93e1776a29720fcf0740865d58d560",
"type": "query",
"version": 101
},
"2fba96c0-ade5-4bce-b92f-a5df2509da3f": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "7cfa769e4622b0dcaa8fd6d4d1dfab115f59e2ad039c747fb202045f037bc07c",
"type": "eql",
"version": 6
}
},
"rule_name": "Startup Folder Persistence via Unsigned Process",
"sha256": "890eb42c847f15bd6d6b51bc0b5cacd6c12940853bccc839ee58099d08caf628",
"type": "eql",
"version": 103
},
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "c63aadf9db63ccaf7ddbf7b7161c6cee10ab37bc1bfd97c9dcdfd673409e876d",
"type": "eql",
"version": 9
}
},
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "68219cff8e6948e91b9c691d17c8468a217a81a425b9dd836288cb4736c0f830",
"type": "eql",
"version": 103
},
"30562697-9859-4ae0-a8c5-dab45d664170": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "GCP Firewall Rule Creation",
"sha256": "ff221c9a9ebc80ae9b08b0f866baa376ad28f3c06c3745cddbd372115ad46b77",
"type": "query",
"version": 8
}
},
"rule_name": "GCP Firewall Rule Creation",
"sha256": "0cd1853858d4f3371c6cfa74a65b7ee87839134dc7658d155d4e862feb5c8f66",
"type": "query",
"version": 102
},
"3115bd2c-0baa-4df0-80ea-45e474b5ef93": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "d067277b6d08d5e3fe395beecf2eb4a88a5ca6ae5691b52a1d334bae5e23661e",
"type": "query",
"version": 5
}
},
"rule_name": "Agent Spoofing - Mismatched Agent ID",
"sha256": "10c613afa51415b16d20d908959aff6312558e02c66d990e5bed76cd9736396f",
"type": "query",
"version": 100
},
"31295df3-277b-4c56-a1fb-84e31b4222a9": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "943fea62ed46d1726416acf34d120b55397d708ea2908776307bfd1cc2ef6bb4",
"type": "query",
"version": 8
}
},
"rule_name": "Inbound Connection to an Unsecure Elasticsearch Node",
"sha256": "0ecd023337890a68318fe076b3b7d30c7a36d3cdea28c26494e94930ed77e8da",
"type": "query",
"version": 101
},
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "364cb88794750124cf291c05db0ec791a411800f8b5a0892215efa1b21ac7168",
"type": "eql",
"version": 13
}
},
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "19e3fbac9a133912f5c8476b82c5ecc872f5d7367409ad3995b22d10cae0f082",
"type": "eql",
"version": 103
},
"3202e172-01b1-4738-a932-d024c514ba72": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "d733a231bb4bb41883ff22688ac80673160772a01a9cb0a01d30d6f82de76a83",
"type": "query",
"version": 9
}
},
"rule_name": "GCP Pub/Sub Topic Deletion",
"sha256": "5dabf36750452813028395a66c743a6be256e6ec9de931117e59260476ee6d0c",
"type": "query",
"version": 102
},
"323cb487-279d-4218-bcbd-a568efe930c6": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Azure Network Watcher Deletion",
"sha256": "95f906464f7aea6a76e1cb3ac05699945bc15d2fe8449f4971b45ce615ccc662",
"type": "query",
"version": 9
}
},
"rule_name": "Azure Network Watcher Deletion",
"sha256": "6ef41c449f78258c39b4bb1940c9e184e32ee4a1b272d2362a90a87fbf09bf91",
"type": "query",
"version": 101
},
"32923416-763a-4531-bb35-f33b9232ecdb": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "a24945bab294eaacfcf22ab684f83b21b48698fc1861f44d1ac9c1c11fc23181",
"type": "query",
"version": 13
}
},
"rule_name": "RPC (Remote Procedure Call) to the Internet",
"sha256": "6e1b6cf51240cf453c37dad7191ec4cdc1fb33672d8965a73e4a0bfd65b82ec0",
"type": "query",
"version": 100
},
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Program Files Directory Masquerading",
"sha256": "c2b106c6d1f8fe88d7d17a876ffb805d98a7ff98312c1a0b063079ade73aace4",
"type": "eql",
"version": 10
}
},
"rule_name": "Program Files Directory Masquerading",
"sha256": "3d70557ef51f421270aba1f5519ca59a7229e0ed8b71ce80abe4f1a28eb3c481",
"type": "eql",
"version": 102
},
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "cad3761270f406d3de6f1b31a7af654c06ff4ad72de8f0cc56f72056b56bb3c1",
"type": "eql",
"version": 13
}
},
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "80f2fe91b63ee0be68a68f2e42b7df27bc1a488a20199390c3addb74b300d82d",
"type": "eql",
"version": 103
},
"333de828-8190-4cf5-8d7c-7575846f6fe0": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "AWS IAM User Addition to Group",
"sha256": "c9c22a0c2b777489ba4b3aa4c246cf6aaffaebdae98094cdd4039d9331d30f9c",
"type": "query",
"version": 9
}
},
"rule_name": "AWS IAM User Addition to Group",
"sha256": "085da40d06c485f1bd62157fd8b681b7133f751e4b3863235e37307d1225e7f0",
"type": "query",
"version": 104
},
"33f306e8-417c-411b-965c-c2812d6d3f4d": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Remote File Download via PowerShell",
"sha256": "ce6834d9dafd66f45445b3fb0a4245eed24500579f2af85682e5e6571a13435e",
"type": "eql",
"version": 7
}
},
"rule_name": "Remote File Download via PowerShell",
"sha256": "b4cbcbeaab77654b0a79cd46dbb306f35d00e9ebec8920604a27b0cdb3362774",
"type": "eql",
"version": 103
},
"34fde489-94b0-4500-a76f-b8a157cf9269": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 13,
"rule_name": "Telnet Port Activity",
"sha256": "3dd4a438c915920e6ddb0a5212603af5d94fb8a6b51a32f223d930d7e3becb89",
"type": "query",
"version": 11
},
"8.2": {
"max_allowable_version": 99,
"rule_name": "Telnet Port Activity",
"sha256": "b0bdfa73639226fb83eadc0303ad1801e0707743f96a36209aa58228d3bf6a89",
"type": "query",
"version": 14
}
},
"rule_name": "Accepted Default Telnet Port Connection",
"sha256": "15e7fe1aab91be2d8c8cf7662336d7e3db7dc28dd6aee3d08f863c2039c555b9",
"type": "query",
"version": 102
},
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "244d04452b6c549e3bdb8a09990c159076e5b753b56ecd32209f2812d411b7f0",
"type": "query",
"version": 3
}
},
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "b870e18df524af3f3795c326cf73ee7201da3e9d54d7be257c7b9be1e0ebdd8b",
"type": "query",
"version": 101
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "8bc206952bdfb0f4a3e80173859884ddc65ed10c87622cf11b8a074a6d6bb7b7",
"type": "eql",
"version": 10
}
},
"rule_name": "Port Forwarding Rule Addition",
"sha256": "c38f64c9b7ec1405f6bd6d58ffdf5c3d46436f668bc7647f08b69026a1a4542d",
"type": "eql",
"version": 103
},
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "7c5a48d477f750354508c02ec3d9004066b56b5ce2c688d01d44c7cd329e9787",
"type": "eql",
"version": 14
}
},
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "2f85170a5be1299fa452697ad6d739794a9d64ef069bcfe68190fb5df08c7f9d",
"type": "eql",
"version": 103
},
"35f86980-1fb1-4dff-b311-3be941549c8d": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a",
"type": "machine_learning",
"version": 2
}
},
"rule_name": "Network Traffic to Rare Destination Country",
"sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a",
"type": "machine_learning",
"version": 100
},
"3605a013-6f0c-4f7d-88a5-326f5be262ec": {
"rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
"sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3",
"type": "eql",
"version": 100
},
"3688577a-d196-11ec-90b0-f661ea17fbce": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "fb229621998495e7b0380c1bc096587e6dd9344371b3f2be0cfc6c4dcca4c3d8",
"type": "eql",
"version": 3
}
},
"rule_name": "Process Started from Process ID (PID) File",
"sha256": "33f6b875baae098995aaf796af0d3f2d526e52ea81fbfaea897bf5ea92c1b100",
"type": "eql",
"version": 102
},
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "7aa10957a516fe37a541e25ea0eb405baa887338b7cd95b080d7cb5f496e3eee",
"type": "eql",
"version": 6
}
},
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "6d23ae79b615ba0ff2595a24336880f5b5cec118805fd2a92192d191baedc4af",
"type": "eql",
"version": 101
},
"378f9024-8a0c-46a5-aa08-ce147ac73a4e": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "AWS RDS Security Group Creation",
"sha256": "25100adc67a2737ddd09ab2dd8c635399ad873710c0242f0e6afa3e58e3d979c",
"type": "query",
"version": 6
}
},
"rule_name": "AWS RDS Security Group Creation",
"sha256": "e7d3f401c3b6114f2e8a8e0bce305970520dd87f021765fe5b56c02684e65866",
"type": "query",
"version": 101
},
"37994bca-0611-4500-ab67-5588afe73b77": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Azure Active Directory High Risk Sign-in",
"sha256": "c7cc75526928d591ed126201c83d478b9222386698b765bee0f764952c683a1f",
"type": "query",
"version": 6
}
},
"rule_name": "Azure Active Directory High Risk Sign-in",
"sha256": "1817eadf9b1e8d7744fe1dabaa9ad4fc2548be336b168c43b152b519c035981a",
"type": "query",
"version": 104
},
"37b0816d-af40-40b4-885f-bb162b3c88a9": {
"rule_name": "Anomalous Kernel Module Activity",
"sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12",
"type": "machine_learning",
"version": 100
},
"37b211e8-4e2f-440f-86d8-06cc8f158cfa": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "AWS Execution via System Manager",
"sha256": "3b588a6ca2d1186405396678aac45e8c22ad34e9a2cd091dcdb7ef3dae53bfbf",
"type": "query",
"version": 9
}
},
"rule_name": "AWS Execution via System Manager",
"sha256": "37e24cd034ad5e5a2960504bb45bb2e6e51afc216f4b5917667b972a160c6398",
"type": "query",
"version": 104
},
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "045d8e7502b926e26ab18b5c5f28ed08e69a2ea66c929a788fa41fa077a9b994",
"type": "eql",
"version": 4
}
},
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "5ba5ece012a45bd56c0bb251137bb809476d35d9027ec98ba7e4e8ab51b602f6",
"type": "eql",
"version": 101
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "13da5f81dbdb334792b90ef620648df28a3b0cb81086b956da96c3011943b7d2",
"type": "query",
"version": 9
}
},
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "5dc3d4b26fb6d7a5870f5b587f98ded53d043ff35b39a5d1a79e515e57488dff",
"type": "query",
"version": 102
},
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Network Connection via Certutil",
"sha256": "e2a886833c9313e5ed1648b2cd0aa48e43a796ee388021298e7f72833fdfc449",
"type": "eql",
"version": 11
}
},
"rule_name": "Network Connection via Certutil",
"sha256": "23439b30666a515639fd228a293b4067ae50a8897d41f096344a3dc1548230a8",
"type": "eql",
"version": 103
},
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "0911285f8149632adde696e8aafb25cceed0b7fff1a508891c1b8ed5e9dac922",
"type": "eql",
"version": 7
}
},
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "3db8688b994dcff22dcccee19e202c9014c66b6151b0c115a1afc21ef6d682fa",
"type": "eql",
"version": 101
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "User Added as Owner for Azure Service Principal",
"sha256": "13224c93738cb87ff2afafd59555be1bb67d931a78e830dc523f190e8f57379b",
"type": "query",
"version": 8
}
},
"rule_name": "User Added as Owner for Azure Service Principal",
"sha256": "97d1d34640ed067b24cd9c6aec92a3218d38a9e44e5e1c3858822b9f355e152e",
"type": "query",
"version": 101
},
"39144f38-5284-4f8e-a2ae-e3fd628d90b0": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "5807817c0cf3d448a595125d017ba9fb9d059f06cb6e042ba576786a3ed1adcd",
"type": "query",
"version": 10
}
},
"rule_name": "AWS EC2 Network Access Control List Creation",
"sha256": "19eaf15725e3a5061e078f8fc55b6ba952482d0dd6f2b10350eb1fd40d8d799d",
"type": "query",
"version": 101
},
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "56ea439ae2b7c5e6b41ca7f0768cc34d29247563a1d2d643811d659e054f7fed",
"type": "eql",
"version": 7
}
},
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "d0bbe421f7c9efc6c86d3cda2bf634f026d26480db4be79869da3caea3c8e400",
"type": "eql",
"version": 101
},
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "a242912740790ad096664c63b49e11e932516bbf3e5a54b0b58a023d4c426a48",
"type": "threshold",
"version": 7
}
},
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "a8a1a371b9550d05b8e1840d92e8a8a25864eebe560287ba9628c50d53182529",
"type": "threshold",
"version": 103
},
"3a6001a0-0939-4bbe-86f4-47d8faeb7b97": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Module Loaded by LSASS",
"sha256": "967dab45578fdf1310371870860d3f589a837714a257113de6dbb87755db91e6",
"type": "eql",
"version": 1
},
"3a86e085-094c-412d-97ff-2439731e59cb": {
"rule_name": "Setgid Bit Set via chmod",
"sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941",
"type": "query",
"version": 100
},
"3ad49c61-7adc-42c1-b788-732eda2f5abf": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "c4676a3d068513cb10f5aa0250eff137b1a106243c2fcd7d9b1d6297c293ed1c",
"type": "query",
"version": 13
}
},
"rule_name": "VNC (Virtual Network Computing) to the Internet",
"sha256": "bbcc9ecd7b10f4e3d3eeebb7532731a3be93c1cdc5be362edd4643a610990c99",
"type": "query",
"version": 101
},
"3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Azure Full Network Packet Capture Detected",
"sha256": "c9c718b423aee91718c0bf62f1ab14a94fe7cce3c1049c045276b5fd699561ba",
"type": "query",
"version": 4
}
},
"rule_name": "Azure Full Network Packet Capture Detected",
"sha256": "ed7c759eb27766427a4ddb53b35f5c39aadeb89cbe40c95c3cfd0a943127616e",
"type": "query",
"version": 101
},
"3b382770-efbb-44f4-beed-f5e0a051b895": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "008ca865a5c7a86ce57350c20eed12f164ec20344bf2ac5aa30ba2ac6569884c",
"type": "query",
"version": 9
}
},
"rule_name": "Malware - Prevented - Elastic Endgame",
"sha256": "c68b4300522aeae03fc3516d2d25931b932ecde33cb71de6e93d31c77490ef3d",
"type": "query",
"version": 100
},
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "f81811cb000b7963e364dacd66eb8b69a136a29dc8855ecddb89d21d0041d617",
"type": "eql",
"version": 8
}
},
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "3ef34431ad0dc12cc4a147ae0719621b1e6371fc9c6d29e1a728adabbbd22df4",
"type": "eql",
"version": 103
},
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "e164f1dead9cc83510d1756090ae6dfc77c8dcbfca29674471aa62232dad8c8f",
"type": "eql",
"version": 9
}
},
|
|
"rule_name": "NTDS or SAM Database File Copied",
|
|
"sha256": "ffe47adb572b674887d9377ae4e12905ccc1f24e3f6c1ad6dd6990f0f58acbff",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "812b60afbec769e09def857ab8078ccd803d393f5f2fdd30ab043a95574a9df6",
|
|
"type": "machine_learning",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Unusual Linux Network Port Activity",
|
|
"sha256": "1000f8d810e8053e982148bf3c89a01161b070ee8107e63e90cf68a25bb11a6f",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"3e002465-876f-4f04-b016-84ef48ce7e5d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "e4a35e3746eb87acf3634c20147f086f31ba60bf865a7071d2e487e805ba8f49",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS CloudTrail Log Updated",
|
|
"sha256": "3afb8229909e17eec5a9fda597163babfaafd7a4510223872b422ec15d5d64ee",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"3e3d15c6-1509-479a-b125-21718372157e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Emond Child Process",
|
|
"sha256": "60ad0bc321eee4f3d4d9a5346985b65aa95105034d55525170670faa700a9663",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Emond Child Process",
|
|
"sha256": "1dea3548159b04248612f43a48880c5f88ce5a6511e3a7d4dfc5e9814bd2a47f",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
|
|
"sha256": "c912293b3805322572fe2894ed6cb070418e166e88d9c9d44065e3e7a8fa9373",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
|
|
"sha256": "074fd0d8a85b82a67861fb901174c4f93c7c70925ae995a5fdde252998142a5a",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Process Creation CallTrace",
|
|
"sha256": "3d971d8d3f05861e0d92880b25c50c248d3638001e5fbd8e6ec0e690c5b1b2a6",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Process Creation CallTrace",
|
|
"sha256": "0d83d1d3d1683d3321cac152c8ad4aa6ee214dd53e38424c1d3cf35db28e6d7f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"3efee4f0-182a-40a8-a835-102c68a4175d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
|
|
"sha256": "0bf5a30ac72fec595c33431fa1e1bdc2925b1dd387b50d13e0a43796998c58b1",
|
|
"type": "threshold",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Potential Password Spraying of Microsoft 365 User Accounts",
|
|
"sha256": "c2c2f1f18bd31515f4fbc65a849bdb58c56ead6aa70b4d4fb8aaee1449fdb474",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "CyberArk Privileged Access Security Error",
|
|
"sha256": "bb434ddf7feb733a486db86a3bae859e6dacf37ab4f237124aee3545eab372f5",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "CyberArk Privileged Access Security Error",
|
|
"sha256": "eac32a4108db050129c6234b8b03ef41e888ffedde7571c022877c1796c3c574",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"3f3f9fe2-d095-11ec-95dc-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Binary Executed from Shared Memory Directory",
|
|
"sha256": "ecb4904f46329f1d5fb6bfc35aecf483751ef689a4287ddd8b45c72ffaa7d4e5",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Binary Executed from Shared Memory Directory",
|
|
"sha256": "8b929648cfb7d78b3a120a4f301a77f449cb973bfe1a9c27f06181ed69f7166a",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Persistence via Services Registry",
|
|
"sha256": "9d7ea3e58be2ab3e6c229d05df37c0f1dc248bdbd5e68c0fb8665051eac97e01",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Persistence via Services Registry",
|
|
"sha256": "17ff31335feeac670296837a85edd3bbc15614c9575165e6f55443b12906f06b",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"416697ae-e468-4093-a93d-59661fa619ec": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Control Panel Process with Unusual Arguments",
|
|
"sha256": "e3169a15a582ed381d71ec7441f39b94e7b70ef75eeb2f899062384c1bcdbc2d",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Control Panel Process with Unusual Arguments",
|
|
"sha256": "24331d993a6e4c2f5301e09ba904f3f9fb329271629b4085a4ebe11441e9c11f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"41824afb-d68c-4d0e-bfee-474dac1fa56e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "EggShell Backdoor Execution",
|
|
"sha256": "5ffb48fcc0228a90e171449a6aba484182df9781408e5c1306a4217261769daf",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "EggShell Backdoor Execution",
|
|
"sha256": "f5664f6d22aa17c0d8a19b1c354d5b527c55951fd8c2b1931b4adc9bd15ed203",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Hidden Local User Account Creation",
|
|
"sha256": "e37a197e231dd5c778e7e2eba8094aeb962e5ce1fd3f101370d7c0dbc2a24ff4",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Potential Hidden Local User Account Creation",
|
|
"sha256": "4a7aaebaa2ce9419d5058d02d56b8be9d14cd9508bd5e7c7082dab9b79c9bdf5",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"42bf698b-4738-445b-8231-c834ddefd8a0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "47d01123e73660000a53d24eb5e14dd39a5c983cc1c554abd5436125dbb7e3b6",
|
|
"type": "threshold",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Okta Brute Force or Password Spraying Attack",
|
|
"sha256": "20c32ae0449654c229d96f32b7577f83c6e1990b578aa631578de9a5d8c5d0c1",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"42eeee3d-947f-46d3-a14d-7036b962c266": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Process Creation via Secondary Logon",
|
|
"sha256": "052d5a9f9406a1f40d7f42883351dbe850f4516a045258094c2329d751a43be5",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"4330272b-9724-4bc6-a3ca-f1532b81e5c2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "3f35fdeeb2a9009f7f98d3094d9923caff8ad61e07dbaeb0f483e5de46092849",
|
|
"type": "machine_learning",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Unusual Login Activity",
|
|
"sha256": "c0354cedd39286c9d93efd09fc08c489dcc534a65e4e8914c873908ab4a052bc",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"43303fd4-4839-4e48-b2b2-803ab060758d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "e4e4fed016f2f7f95e0547e9880feb0a83a077b476bc20dd27ac1cd3a58b577d",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Web Application Suspicious Activity: No User Agent",
|
|
"sha256": "56755b194b100eeda470eb0855c654fe20b327e1b99fdbecaa104209728e5b4b",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Startup Persistence by a Suspicious Process",
|
|
"sha256": "cfb507a36698d0446c774fc7ef06ef4b5de6d367ca531d909f6f096e95896ba1",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Startup Persistence by a Suspicious Process",
|
|
"sha256": "30f302d504e7f3768c383d320c55b537db5af1f0a3213e53fedb25a3696826b1",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"445a342e-03fb-42d0-8656-0367eb2dead5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "845885ac400eacce386fbf5040713ed065a66b447e5ddf8f450e0939c64bab9a",
|
|
"type": "machine_learning",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Path Activity",
|
|
"sha256": "96e95f6a002908e770ee8dc9e06b3f4955d02ace7a630a562d77630e0f51b2f7",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Vault Web Credentials Read",
|
|
"sha256": "01c2d67560189623c292b168be7435d48a38318feb338e35bfc1854ecb950346",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"453f659e-0429-40b1-bfdb-b6957286e04b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
|
|
"sha256": "f3d686edf2d9ca3878005a30ce88485d9ef2a2120659c70763d60dca188661b9",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Permission Theft - Prevented - Elastic Endgame",
|
|
"sha256": "57da49505fa7a935e774a271cd364bf67750bc8021808efebe06fbdec618e335",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Windows Event Logs Cleared",
|
|
"sha256": "22523a171ded4e5880a944e7f2bd14015c141eb0f2a9fdea86bfe18ab758ecf7",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Windows Event Logs Cleared",
|
|
"sha256": "10626d753b4eff838e90b212ec77c6670f7cd47eeede6ac704face10fd5bf4d7",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"45d273fb-1dca-457d-9855-bcb302180c21": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Encrypting Files with WinRar or 7z",
|
|
"sha256": "ac2eca72a473716bdda62693b2f9724aeadb537a5476776b76e8191eb71e12cc",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Encrypting Files with WinRar or 7z",
|
|
"sha256": "b37a7206844162a0d22b4306477a385bd3b9232f2f33434163d4ad93c827260e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 15,
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "e42e40c2baa181d6c3f51c29b3ad19394bba3709da075d2c61d17bf16d393bb9",
|
|
"type": "eql",
|
|
"version": 13
|
|
},
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "6f997eb7cf9d5091b1747d41b5ca87f485f9515b7a8ea120ee5dc1f143d9d810",
|
|
"type": "eql",
|
|
"version": 16
|
|
}
|
|
},
|
|
"rule_name": "Adding Hidden File Attribute via Attrib",
|
|
"sha256": "f11df93aa8c62381c21958a50b7c2c9c24cbcb222dcb2bc2a5a8cc41c59b7e65",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Local NTLM Relay via HTTP",
|
|
"sha256": "2fb5a3528f28bea1d5629229379f286d3d7b2c4dd003ee69343bb3ac9a1944b8",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Potential Local NTLM Relay via HTTP",
|
|
"sha256": "934a5cdd87bc886db489096eab6e4470534ec37559f348aabca934b11b963da1",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"46f804f5-b289-43d6-a881-9387cf594f75": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "5dec41bb8c572f24b5a47b3903e2d4e2fd9bfe5a6a86789f0b50c1c52d956af6",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process For a Linux Host",
|
|
"sha256": "dd683127f834182f5df0f60d7a3e94dc4e45b4c40f7852a7e4bd07f9bd32c77a",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
|
|
"sha256": "9d24cbe6c80544c362d427e1b23f7acef6a8dc871e8b89160ec935e35eeedd53",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
|
|
"sha256": "4580fa6e639f76df7d490f941e5046bb7e8515e2da02aab4835d5dc59fba7f56",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
|
|
"rule_name": "Execution via Regsvcs/Regasm",
|
|
"sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"47f76567-d58a-4fed-b32b-21f571e28910": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Apple Script Execution followed by Network Connection",
|
|
"sha256": "f7ddac7735b02e68cd1d642a6db3d68fd155364d19743b482f51b26decb0e61d",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Apple Script Execution followed by Network Connection",
|
|
"sha256": "f50f8109a82efebbb2664ce9520fd6e9e6cc53e13dcd6bfc7018c4d37505189b",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
|
|
"sha256": "496bfb9b3f67c01e4e370424e21a9a6ea701f672c17bd05201f5ac349e788564",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
|
|
"sha256": "a4dbbb4088b9409a6d7b87480f7360684c93c2c4e61b1b0841bb7c1089822188",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"48b6edfc-079d-4907-b43c-baffa243270d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Logon Failure from the same Source Address",
|
|
"sha256": "db40bc83f15ca46413d2e2a28895c8e182be5e1915dbb23757ee962f4b5f93c5",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
|
|
"sha256": "5d1cbe92ec650c7766655f7a43846444576f39f460ebd7fbbba20175343861bd",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
|
|
"sha256": "2ca21ad7e8066e8aa35bb7e76a61d641a18979a9d0a3c154f687d22bb658b731",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Persistence via Periodic Tasks",
|
|
"sha256": "6cc74d6a74abae157494c559cbc80c499212df19327c2345e899fc8d77a1a089",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Potential Persistence via Periodic Tasks",
|
|
"sha256": "695b539958b4e2497da7725110ed07a75b54d29bbc67606202f6acf6ca73cd6a",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"493834ca-f861-414c-8602-150d5505b777": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
|
|
"sha256": "829bb3432a7664715c5b96c2be6d56e4f957db320f71657203632e61e44b6fe0",
|
|
"type": "threshold",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent",
|
|
"sha256": "c0189c96284facaab70cb39582539f6df586acf5eaa01b3c326823c643b90a68",
|
|
"type": "threshold",
|
|
"version": 100
|
|
},
|
|
"495e5f2e-2480-11ed-bea8-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "f65ab660ff049917ef0d56928b4115a2675fd3a83ade36c9569b28cd3cf3397d",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Application Removed from Blocklist in Google Workspace",
|
|
"sha256": "1425ad887371020ed16a18072658404fa91af9a56fbbdc316e44823c9370d614",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"4a4e23cf-78a2-449c-bac3-701924c269d3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
|
|
"sha256": "38a9ef4430e706f69e3f25e3775ef9ab5247933a6448daed8075c460dd5d4369",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Possible FIN7 DGA Command and Control Behavior",
|
|
"sha256": "415aab90dbe7f905c62073c0aa550090f429218aa6b8f2465ab705f404348b45",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "31b403ff6fa07ce7ed4ab81d3c6554a1563e623e1b134195b20053548660cddd",
|
|
"type": "eql",
|
|
"version": 15
|
|
}
|
|
},
|
|
"rule_name": "Disable Windows Firewall Rules via Netsh",
|
|
"sha256": "1aa7d1cf17f5fdb0d5f722ed42e7956aeed0b3abccad4e62ac99050d602740ad",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
|
|
"sha256": "6192e34c6abd68cbba835735bd7136ea29ded5dc353ae9ccf07cc693f0c679e7",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
|
|
"sha256": "0e45f8ea50b78d82273844db4bba7e44f683fa0c35b2c8877c5baa9f4a49a507",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "PowerShell Share Enumeration Script",
|
|
"sha256": "74c65a7829bcc251f06c98c0d4f413e59c86158ee47f518c8c9b158a3166ef82",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Management Console Brute Force of Root User Identity",
|
|
"sha256": "3ed8a98d1ef9c21203e4ec08b63e50526e3000773836588648145b0b130d7f44",
|
|
"type": "threshold",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "AWS Management Console Brute Force of Root User Identity",
|
|
"sha256": "ef11a9260283c9287c2457c41043ac3eda591df8431603408cbbb0f62e984892",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Disable Gatekeeper",
|
|
"sha256": "4c07864c9de0c88831a1a1b704628a56126012edebf132cb12045866c2d0f24e",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Disable Gatekeeper",
|
|
"sha256": "e626d42c263b5f4f856008238c6128c93f4314fb38f49395bc5f1b7a1e46520e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
|
|
"sha256": "51d1269f8e2276398c0f5d29467e8bdd1f4dbb5235021d0dc5f3b251fb6c39d7",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
|
|
"sha256": "601d99c47256f14bb93a96523ea4ce04d64d54e9bf07d5e52470688c40b2be00",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Logon Failure Followed by Logon Success",
|
|
"sha256": "6eec5b895f96299f32ce5a547b7554f3387e9847f925b55db9da6ae5dd29712f",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "c86bcd9cdb30e9d9ac9367c672dd7e6025fa45e77981d513a20dc812028f7af3",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
|
|
"sha256": "7185f396c0a6d3dc587b2f463b06a5c816250dc4d27a03a6bb2f4aea01b0dd17",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Script Object Execution",
|
|
"sha256": "129776c510bb194a778681da82bc2c956b71ac053f38dea10117b4985192b247",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Script Object Execution",
|
|
"sha256": "a5456b1d3e100f0532a51a6b3a3326f232a118804e724b35790e46a1dc752cb5",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unauthorized Access to an Okta Application",
|
|
"sha256": "ee5d812977b79c71b85e4e55336fcc15c2d20188d2b5fcd9ac21b6fd496817ab",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Unauthorized Access to an Okta Application",
|
|
"sha256": "b3b118ad1059195cca5ad6345c2480031da54ca94602e5e88c8446dbf90c793f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"4fe9d835-40e1-452d-8230-17c147cafad8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Execution via TSClient Mountpoint",
|
|
"sha256": "7cb63a043aff02554c012274584ff7ff80fc6723a0d6c1f983206c216fd55eb0",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Execution via TSClient Mountpoint",
|
|
"sha256": "c1533f107dd0693e4bcd8671c11baa1f69edcf1c4c4d5711ce1c81f99c1e8f1f",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Registry Persistence via AppCert DLL",
|
|
"sha256": "57dbd74bfd822602da425403e0a3c431ecdb96eac9008a235f5225a553549e1f",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Registry Persistence via AppCert DLL",
|
|
"sha256": "945adaf1da104dda386b7da6783208291170a7075f38d5fd27420b9e22fbeddf",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"514121ce-c7b6-474a-8237-68ff71672379": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
|
|
"sha256": "b48aa189d57f533507819f12b46f526cb6d7ab0c49bcdf4ebf4d1de29b2c34c5",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled",
|
|
"sha256": "4b3ee12f6ed02b5f7a530627ebcf4a03977f654840b6fa6044a377809b7ce8f2",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"51859fa0-d86b-4214-bf48-ebb30ed91305": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Logging Sink Deletion",
|
|
"sha256": "48a7d8bc2c9f506512eeea79d30612f16df12aa5dca84286fd93f7fb9d885976",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "GCP Logging Sink Deletion",
|
|
"sha256": "f9dbf652d2a93e2123d4f8eeabeb30b9f67f8073e9e446c605bb560618ba8db5",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Incoming DCOM Lateral Movement with MMC",
|
|
"sha256": "7add00e6f6097cc99daf7fcee026068a09e75a93763bd1b69733f2bc73d53aa4",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Incoming DCOM Lateral Movement with MMC",
|
|
"sha256": "84333efdaebe96753fe47f8b3d97adfbb398b331532578c8fc78b63fb704d142",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"523116c0-d89d-4d7c-82c2-39e6845a78ef": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "afd6a56c29475450e04c09eaf498ce483ade18d2de1b79d09af2820957f0073a",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS GuardDuty Detector Deletion",
|
|
"sha256": "fd8d5239f94600865974276bc39a3197dc624360e4fda40949cee520970b6737",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"52376a86-ee86-4967-97ae-1a05f55816f0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
|
|
"sha256": "1bd60ae858ac0dcb98eab6ad5625674d60d39feb72b2c399e8f9deccd5440abe",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
|
|
"sha256": "7030623ff8ed02e7b897ef7ef3b699bea67e8ba26933109df011dfd79d4ba57c",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "3985e64b901dcf6691814ebd08009710ba3dd6a53bed60613bdedffd86599cfc",
|
|
"type": "eql",
|
|
"version": 13
|
|
}
|
|
},
|
|
"rule_name": "Unusual Network Connection via RunDLL32",
|
|
"sha256": "a16976984526b0efb4f810dce465854718dbce285eb527269af3546e03d291db",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"52afbdc5-db15-485e-bc24-f5707f820c4b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "64ae86b5af4ca19baebe75a2791db256410a0bb32de52364fffef246f551bc18",
|
|
"type": "machine_learning",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Unusual Linux Network Activity",
|
|
"sha256": "f5304548d6e36152f1e8a35019086b17cb71276fcf3b12fec97aebb69fe3be01",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"52afbdc5-db15-485e-bc35-f5707f820c4c": {
|
|
"rule_name": "Unusual Linux Web Activity",
|
|
"sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"52afbdc5-db15-596e-bc35-f5707f820c4b": {
|
|
"rule_name": "Unusual Linux Network Service",
|
|
"sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"530178da-92ea-43ce-94c2-8877a826783d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious CronTab Creation or Modification",
|
|
"sha256": "d3884fdedd271fd8ef68a5e1be9cd5b96f723566fb795594d2c41cdfd708cf0e",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Suspicious CronTab Creation or Modification",
|
|
"sha256": "b93ac2d647d1d104cc0f81b10bec1b70f7117b533224e44fba3009f1fb8444ef",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS EFS File System or Mount Deleted",
|
|
"sha256": "3619ee48c368bfefcad2d7adc1df941162570787ba6b770591b8c394d54b3e7d",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "AWS EFS File System or Mount Deleted",
|
|
"sha256": "92dd7f3eee2909b37416ccffcca01ddac8ea9b079249d58b7a68bca79b05b846",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Diagnostic Settings Deletion",
|
|
"sha256": "63ed88064a1f87a0c2789942216e2610e00be3801d98465816e698d1a33c0230",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Diagnostic Settings Deletion",
|
|
"sha256": "a33f7703c7150e2ab58f7c1af92f17d3358b8944ec15b284545340ea7c235bd6",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "1a29db0563afdb6e7013b41d66732f8655e1cf56d8a9d96bbec53e38fe9499ff",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Suspicious PDF Reader Child Process",
|
|
"sha256": "4eecc44812f99aeebf6a0a1df5aa74b9985e0cd3cb6ead1a5dee6eb8ebf7eaf6",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 10,
|
|
"rule_name": "Uncommon Registry Persistence Change",
|
|
"sha256": "53219ff8987584e6547f9575812b0376420e95da290d5f3e600c864516a5d0d4",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Uncommon Registry Persistence Change",
|
|
"sha256": "eab90afc9e1bee717a0f2d2c8d444c6ea131d22bdee7de0f594f43235e7286bc",
|
|
"type": "eql",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "Uncommon Registry Persistence Change",
|
|
"sha256": "78053ffb2f6d18894711e915e3f8f75cc0d3c8e2ce9aaf804c49fed719d77d48",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"54a81f68-5f2a-421e-8eed-f888278bb712": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Exchange Mailbox Export via PowerShell",
|
|
"sha256": "a48a9cbb679372bd144a77cbe76de0fbd8975e021e3052cbc9a8b7b217712c04",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Network Logon Provider Registry Modification",
|
|
"sha256": "a5518862b6e142e509712bef3ce38b3512bcaec6a6c764bf34405cba00d25086",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Network Logon Provider Registry Modification",
|
|
"sha256": "7ca66284bce88ec198338d4cf3dc829bbea1eba3196c77250cca1db5029d5e05",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Windows Service Installed via an Unusual Client",
|
|
"sha256": "1466eae5d9a4dbe705623258baa2696cd48caaf9b249634b5aab4f5f05adc0a6",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Windows Service Installed via an Unusual Client",
|
|
"sha256": "cbd75271ff293520f527248177c43524f79dd2cbf3d0203a274805532927a8af",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "f01d40062b8f60a89a6058c159db1f7725d8bf0b9bb3ac2e52cc3cf50f91cfc5",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "PsExec Network Connection",
|
|
"sha256": "b6d5e91e9f7c07e30a1816a074c11ac6162222c251084abfba430e58401a9e13",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "0098059a0c6dca4b880d5b66cc7159ce16ab4e4d41a414d24d52aa3cc16c112e",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
|
|
"sha256": "3b02d3bd00e128128af001792d78b3a97a35b7b7e7c0d547e24cf044ba8a8d89",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"565c2b44-7a21-4818-955f-8d4737967d2e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Admin Group Account Addition",
|
|
"sha256": "433b4fee2d89c47433742f05b5869e7babde31127f434c8cce50899e14a270a6",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Potential Admin Group Account Addition",
|
|
"sha256": "09d5529f1a30aae573d932c339ec2b44920c60d8f88eea78f40a6bf13d0533cb",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"565d6ca5-75ba-4c82-9b13-add25353471c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Dumping of Keychain Content via Security Command",
|
|
"sha256": "1aae329188f75eb40aa473688626d40da1970b42f828fdff72427020b3a56f1b",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Dumping of Keychain Content via Security Command",
|
|
"sha256": "1b0608263eed61162d31297ff1eb7b6570d7caf17abf6396de4e73c1c5817731",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Logging Bucket Deletion",
|
|
"sha256": "0f8d828b75d1d1185fff5eda64e2a044723a8b1aab5c9ed8d15f1087725abb14",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "GCP Logging Bucket Deletion",
|
|
"sha256": "282a179a621aa51ff8a275643d155c980068398a81af68563529bcd2dbef5473",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "PowerShell PSReflect Script",
|
|
"sha256": "47cef88aac24764140fab221634ab4cac6d1e0fdb9d01f711a40b5c909c57031",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "PowerShell PSReflect Script",
|
|
"sha256": "11eb65e63a95ed292472ba5a64844f98470b90ed7eaef8847ba571ec81dffaa1",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"5700cb81-df44-46aa-a5d7-337798f53eb8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "c683c0a850432bc2e1bc213062d7340c83c0c8ecc6ce14f521ed262124ce52ab",
|
|
"type": "query",
|
|
"version": 13
|
|
}
|
|
},
|
|
"rule_name": "VNC (Virtual Network Computing) from the Internet",
|
|
"sha256": "05408e6d3450b8f61459e1fce920890b470a6691c922ec593b102ec10303db95",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"571afc56-5ed9-465d-a2a9-045f099f6e7e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
|
|
"sha256": "814a6dd8c3abc42543896f44736ed05c0a51994d35d5f413a7cb3d666dc73a5c",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Credential Dumping - Detected - Elastic Endgame",
|
|
"sha256": "e9490c3bf59b4ca766d6cfb1d1844fbf2dc71adcb09780c761b527ecff87b428",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Virtual Network Device Modified or Deleted",
|
|
"sha256": "2dc7f16072cc532537c6fe9627efeb5c18b758fba96416d36c8398993280e858",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Azure Virtual Network Device Modified or Deleted",
|
|
"sha256": "36b5cdc1f4072787f2a7ee1f75cf300934251e66bd85f8471752d14d63f3cbbc",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "PowerShell MiniDump Script",
|
|
"sha256": "5ed40da998cd797bc689f43438ef2020370ec0f926c7286b305ba9edbcfcae0b",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "PowerShell MiniDump Script",
|
|
"sha256": "efa8737d826a936ed57d1404ea8b8ea907281530808f0add72c400af16dc720d",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"581add16-df76-42bb-af8e-c979bfb39a59": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "0bfe91ed225a8f88a48d4a8932529beb3194bda90c9c6c34bf7000ec4d9eb024",
|
|
"type": "eql",
|
|
"version": 15
|
|
}
|
|
},
|
|
"rule_name": "Deleting Backup Catalogs with Wbadmin",
|
|
"sha256": "609caebd497f4a8333b9025f2e584e355b7eeb60a622cabc1ae396a5eb748a21",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "RDP Enabled via Registry",
|
|
"sha256": "1db0e174745538cf33858bcfbd6624c7214f52df40a4e91ff951ab7b9db7dcf2",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "RDP Enabled via Registry",
|
|
"sha256": "4e36c6d4be89d1ba98f409ec26a65bd3ec13dfc184675da7d1b6edc1d9960b02",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"58ac2aa5-6718-427c-a845-5f3ac5af00ba": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Zoom Meeting with no Passcode",
|
|
"sha256": "b3723887b9bf279cdf495e0de89757e9d1a4490463b6993ccc1e0e387da9b934",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Zoom Meeting with no Passcode",
|
|
"sha256": "b11bda77407059cc54037e469693754321f43bae2e53010ad95944e9a774276a",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"58bc134c-e8d2-4291-a552-b4b3e537c60b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
|
|
"sha256": "fccdc8cdb7b3ef92b3e30da671101575b76c05c404ebf4657415a612c2f2d490",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Potential Lateral Tool Transfer via SMB Share",
|
|
"sha256": "b49ddd0192e64fbe2607a6277982590f11818fd13c62a0465a6c08a4d93cbbdf",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"58c6d58b-a0d3-412d-b3b8-0981a9400607": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
|
|
"sha256": "d21a3917238ca1a1a6b8319f592c64861d215606c6120103900ba67cbf643d14",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Potential Privilege Escalation via InstallerFileTakeOver",
|
|
"sha256": "6c6474212e173bf71aa2762198429c2a46be05f67cf4e6914f3e6b3a885f109a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5930658c-2107-4afc-91af-e0e55b7f7184": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "O365 Email Reported by User as Malware or Phish",
|
|
"sha256": "4aef6221e7182cd1ec1b7a9c4601fcde475bf48061adf1d0248fd6010baf2499",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "O365 Email Reported by User as Malware or Phish",
|
|
"sha256": "2967ee9d92e6919fd392653ca21163fd3cb0c2231fe79fa57a28134dcba36c9a",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "452b3ca5d359e3ff768e8c77fc4274ae51aeb2b514fcc589a4bd4f1295f42877",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS CloudTrail Log Created",
|
|
"sha256": "055be0622bfc6d60ecb2e50829308f1a2b61c2e60635c285babb016e8dd82c3a",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"59756272-1998-4b8c-be14-e287035c4d10": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Linux System Owner or User Discovery Activity",
|
|
"sha256": "4dfce8f9b71d1c1154bcf7d7e227f86a80e23ecf68649d7067d1b9daa21960b3",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Unusual Linux System Owner or User Discovery Activity",
|
|
"sha256": "e41fd4f6fee735f8f4d622091922635835073038420494f835501080da741b64",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
|
|
"sha256": "3f39f6f5177668db2bc706c123caebf4f32fab44956ed321bd067f98e077e866",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
|
|
"sha256": "8adcf0b50277ccfe121c702235c5e9ab12ab9bff9581837b0518836a910f8713",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
|
|
"sha256": "7c73e32e581e8c012be9579704cb4af5639d44af7819e90225394d82f8dfe84a",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
|
|
"sha256": "b155970c7e73cb523e459fa39f92799a94642e17e5c4325815e6d66942409c8e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "b42e9f2369de3fa9727f635d630089197d955d8b0e0a1dcb89bcd880066ea6ab",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Potential Secure File Deletion via SDelete Utility",
|
|
"sha256": "238836bc408f36b44fe30561a37f0482e9b65fc7db8afd3d54cbd6bd3da56cf9",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"5b03c9fb-9945-4d2f-9568-fd690fee3fba": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "9c0208d45564d4542b3d2b8a5bf247de7c1f52fd0d35c92870b6bae1e3a11169",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Virtual Machine Fingerprinting",
|
|
"sha256": "406c63c241969aec0d4903a96fdfee40068bd8ba9eeff7e28dd19054e77ccb74",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "807b3ee056b0f0094cf79aaf7a47f5560f16b4d853b0be14672407c7fb0fda12",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
|
|
"sha256": "5464a6a89f709f4d9c92ecc8ccea8b89be78e0391e1ff602d20f9d2787c88adc",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"5beaebc1-cc13-4bfc-9949-776f9e0dc318": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "b5257122319e9bc4edc6da90b4f9ce51f865585667549443dd5a5bc186e8adab",
|
|
"type": "query",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "AWS WAF Rule or Rule Group Deletion",
|
|
"sha256": "eba683b3c4d41a39fb0a9208b548250bcc4a1adc8e19e79bb910f6b1b5b86361",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"5c983105-4681-46c3-9890-0c66d05e776b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Linux Process Discovery Activity",
|
|
"sha256": "d00b5c874958e60ebea75b76e2ed82104b526c831d61e946c915fd0cc7efa80d",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Unusual Linux Process Discovery Activity",
|
|
"sha256": "af77025b9a595eb66fc50d24b2dd04472ce63a9aa0ad7a240af00ce76c0c6708",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
|
|
"sha256": "0f815b455140ed43bab2a6eb85a0bc7af11f3fb955ce357959ca12408b42e27e",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
|
|
"sha256": "9c594459e0740868fd9a258c882e7948d2972807b91addebcee2541deefc52bf",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "User Added to Privileged Group in Active Directory",
|
|
"sha256": "5f8c09d4a95f39252ed35586660a9bfb97cec6c902021704d19f8dba94707d9d",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "User Added to Privileged Group",
|
|
"sha256": "72cf570c5e08d6e35939e770e5346b5ded9f7f6c44b25695126e2871c24bc330",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Persistence via PowerShell profile",
|
|
"sha256": "ab29c404e5ca358f2154318f81acc6ac2a2a07d047887f86d01b297dbd8bb335",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via Login or Logout Hook",
|
|
"sha256": "6edec2c011265bc7e9989c18ec7b057ec4e790b4dbc45ed26c9800cd87f1888d",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Login or Logout Hook",
|
|
"sha256": "e9320203bf1fbc54b64d6914929886703e21f8781d3ef603498d71ba38612420",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Execution via Scheduled Task",
|
|
"sha256": "0c9b6b24a43b7dedc4a80d31fcb597b5c9672a16ff85566b03ac4f05915b07f2",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Execution via Scheduled Task",
|
|
"sha256": "85a2281fbf64ebec64f1cde66b10fb36c274f656d24cdf962ae49d5590121b42",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Automator Workflows Execution",
|
|
"sha256": "1423cb901db24ee2389356865a804a69d1c5ccd02aca4cf100ca7486f830aee2",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Automator Workflows Execution",
|
|
"sha256": "09972428965cad7ce24c375b53714069efc1b45c2d6e712b899c8d87414c88dd",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"5e161522-2545-11ed-ac47-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "0e4f796c44b12756ec86c03bef7bca532a986bd70cbe34fda071162af183bb2e",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace 2SV Policy Disabled",
|
|
"sha256": "a5a33cf12e70b976a8a202090de8c4e819f48cfb96c7be5ca799a3cd710da520",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"5e552599-ddec-4e14-bad1-28aa42404388": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
|
|
"sha256": "f58a40f75d1820aa083b0af15229d3a3192bb4cb2c90b6d45852d9531ba86659",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Teams Guest Access Enabled",
|
|
"sha256": "50aae074ddb8947d940c38965282b736fbff99f023d2a715cb22e2dca25e2f4d",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"5e87f165-45c2-4b80-bfa5-52822552c997": {
|
|
"rule_name": "Potential PrintNightmare File Modification",
|
|
"sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"60884af6-f553-4a6c-af13-300047455491": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Command Execution on Virtual Machine",
|
|
"sha256": "e195b4abc35917aed5f150ec5e04b7bfe705c776edd2df6d0d18614aab1231a8",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Command Execution on Virtual Machine",
|
|
"sha256": "5637e2ee71403942ade1e207efd0fb68aad7ddb05c75fbbec08760e3d430476d",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"60b6b72f-0fbc-47e7-9895-9ba7627a8b50": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Service Principal Addition",
|
|
"sha256": "63f8524b34d7396a39558b7b1a71918cb1af0dd94168d585c37e41ebd3e62733",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Azure Service Principal Addition",
|
|
"sha256": "790a04ad7ff41fcd3757920bdaeedf2c17109f20ae4edce09b8dce36774e3b32",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"60f3adec-1df9-4104-9c75-b97d9f078b25": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
|
|
"sha256": "d4bae7b60e7b8ae9d81564cc05893fe9ab226915e0ba6ae6f588226f2a37981b",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange DLP Policy Removed",
|
|
"sha256": "ebca4569bef15eab7d2b131134f2c0a4f17b6f29255255feaba207e377d2ba7a",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"610949a1-312f-4e04-bb55-3a79b8c95267": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "b00636e435888cfbac55fabaa232b7ff7792edae939e7fd52cfd7586228f89e4",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process Network Connection",
|
|
"sha256": "759b5d1ccf8df3fcd3a052ca91ec0bec595a98f6f42d6f4fd2b71664d5da2ceb",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"61ac3638-40a3-44b2-855a-985636ca985e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
|
|
"sha256": "4260f2832dbbedc282f3767cd8e7776d8a1f4cdc13b5dac16dff8107ea31e1d3",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
|
|
"sha256": "40e4e50e213f12414a720dbad1084ac9c5c66f7327c57db4a0983cd0f76293aa",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"61c31c14-507f-4627-8c31-072556b89a9c": {
|
|
"rule_name": "Mknod Process Activity",
|
|
"sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AdminSDHolder SDProp Exclusion Added",
|
|
"sha256": "534101b851d9fae2e8255f7a270ca3d66f536b49f133fa7ef49a91d5bfed2816",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "AdminSDHolder SDProp Exclusion Added",
|
|
"sha256": "6e4e3620fed8f9ea0448c296c02aa8ae04d544da84785fc04054bf8607a3f582",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
|
|
"sha256": "cc8a4382982924e277e4c3d743dd97006b5d0d444c6c16f0af5bfa54175f1571",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
|
|
"sha256": "4a2e1d4bea93d31717b9a5d7c2a243452b41a43ed33ed0c434000b4c7af85d4e",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Account Configured with Never-Expiring Password",
|
|
"sha256": "b11ea0b16c59af178aae7fc5869e311bc7e98918cedba5dcd6693398144c70d8",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Account Configured with Never-Expiring Password",
|
|
"sha256": "f328cea65c10625168e096a7e5c8e93cdd31f422cca5d98369d950159018d39e",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"63c05204-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Suspicious Assignment of Controller Service Account",
|
|
"sha256": "6d2337a15ccdd51f06b3a84154839bdc194c7036182e8687c647dbc2761a55c8",
|
|
"type": "query",
|
|
"version": 4
|
|
},
|
|
"63c056a0-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Denied Service Account Request",
|
|
"sha256": "98e67a6d5fcc9a9226d3fc6cb0ab03c069462d38266890233f83a5f68e208133",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"63c057cc-339a-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Anonymous Request Authorized",
|
|
"sha256": "bc9fd4446bc35467a272aa7150180eb90221bb5d1abea7ad48d04b982089e511",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "80c6dfdcbb866f19a43a66a1fcf01571c849a5d333763e6728b8cc38e96f7ada",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Network Connection via Signed Binary",
|
|
"sha256": "34b5bd89b1d4d30fa175cf86cd44ed53c5c85123834f03f7c6dc30a92afa5b5b",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"647fc812-7996-4795-8869-9c4ea595fe88": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "c10cfdb233bb94a8778c442480ba3bf3052d77b1a7233987c6c6f02bb88a69b3",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Anomalous Process For a Linux Population",
|
|
"sha256": "58ad6b8312fa08066d30ca38f7178f10d0af84bc3348a306635a0d5693e495fb",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Modification of Safari Settings via Defaults Command",
|
|
"sha256": "1291f8e74a129e13387f515122286762491f4a8a98539f725f35893c9e519257",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Modification of Safari Settings via Defaults Command",
|
|
"sha256": "85226d664433c75a1ba9a0f7368e06dbcbd54ca1058db58bca3fb5c3826c29d7",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"6506c9fd-229e-4722-8f0f-69be759afd2a": {
|
|
"rule_name": "Potential PrintNightmare Exploit Registry Modification",
|
|
"sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"65f9bccd-510b-40df-8263-334f03174fed": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "013298b6842e5c3da39c9653179dd8e9b62b3dfd4227f34256471cf64bcfe2ee",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "7bdb29beee19d63add116b929b7806d41ae36881ef9d37390be3331c731bcf28",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Exposed Service Created With Type NodePort",
|
|
"sha256": "aa3a90493355e6e960301ed926a807576421146a83a0d1c0d1f4686da676d96f",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Mount SMB Share via Command Line",
|
|
"sha256": "2be9c7475eaf8e2adef7e68471761491a0be92b510e4dee69d85cd0b718d5383",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Mount SMB Share via Command Line",
|
|
"sha256": "2ba49aa997ae90a8ef6cb2c2d7e74d38103e0b87cca74d771b7b50e0d317aa98",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "WebServer Access Logs Deleted",
|
|
"sha256": "2788dc407749eecaee222081bf50995a97061ee76f3874ac5d57b024c5b0f0c4",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "WebServer Access Logs Deleted",
|
|
"sha256": "b278ad316df91b043b52c2733d1a7a52b28387c296ac7d735830aa6b2cd87c3a",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"66883649-f908-4a5b-a1e0-54090a1d3a32": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Connection to Commonly Abused Web Services",
|
|
"sha256": "56d77dd4079675a4b79810d1ca79ee02983c2fb5965c0676e9c831340f0a6262",
|
|
"type": "eql",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "Connection to Commonly Abused Web Services",
|
|
"sha256": "433792545469486e2a5214c11409cf9ab38b871887f85c63476ba706c09d35b7",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious macOS MS Office Child Process",
|
|
"sha256": "2cef3de3b774697cedfbed1c2355f06f346be0ff564bb51e664741418215ed35",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Suspicious macOS MS Office Child Process",
|
|
"sha256": "4627a724e71b8e995e9a6ea864f490506445b9f2f6a1d2ac42b4a67118caba09",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Modification of the msPKIAccountCredentials",
|
|
"sha256": "73d4b5395efb686a194e3ddb89c49017e043c35ba64ca0a14bfa70c12ee0954f",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Modify an Okta Policy",
|
|
"sha256": "1ef55d057c977c919a011ee2c0a5877b55c1b5467523826f3720ee782ceb87f5",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Modify an Okta Policy",
|
|
"sha256": "920fbba08c958b8664071c20d1ba637d146ed67edef7e8cf792e6b24155ab831",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"675239ea-c1bc-4467-a6d3-b9e2cc7f676d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "O365 Mailbox Audit Logging Bypass",
|
|
"sha256": "d56428a2ebb97ff26a961b1941691823e9c600e8c7878d6093f1eaa010965ede",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "O365 Mailbox Audit Logging Bypass",
|
|
"sha256": "be4affa23789ae2a09fbd537820317eb2e39cdb1582e3fa38dc10d83f53e8aeb",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "f2e4b16a361bc69205d6496b1d0ae5cb98c14fdc18dfd120a57d3ed1242393e3",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Revoke Okta API Token",
|
|
"sha256": "89eb0d585dbafbd7f1ed391a4b5ba76bc2f8adffa69f5c6d9206537fd862d777",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"67a9beba-830d-4035-bfe8-40b7e28f8ac4": {
|
|
"rule_name": "SMTP to the Internet",
|
|
"sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "High Number of Process Terminations",
|
|
"sha256": "32f86106ce9707e4ba55425d0e257d1a8d98fc30943af2df10ecb86ccedcb082",
|
|
"type": "threshold",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "High Number of Process Terminations",
|
|
"sha256": "639238e9ffd3ee7e008b5f02e37b7ccbf46d4422ab31c96c38fbd007b5aedbed",
|
|
"type": "threshold",
|
|
"version": 103
|
|
},
|
|
"68113fdc-3105-4cdd-85bb-e643c416ef0b": {
|
|
"rule_name": "Query Registry via reg.exe",
|
|
"sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"6839c821-011d-43bd-bd5b-acff00257226": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Image File Execution Options Injection",
|
|
"sha256": "0efe7d423a7ebfb1e3d9380de840f4ddbf0f5e4229dacbad6ebd38795ed1fe91",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Image File Execution Options Injection",
|
|
"sha256": "129755f1c3fe208bbd3b63c67b582c4316d010234336b7c14fa6ea88f28985a8",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"684554fc-0777-47ce-8c9b-3d01f198d7f8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "New or Modified Federation Domain",
|
|
"sha256": "e410d2309f7b7bd1ec6767a6f0d4756716d3d87da15161771420026a2603c7b0",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "New or Modified Federation Domain",
|
|
"sha256": "b36b28a3d7c05bc571463614e266a0db27d51920ae9cafa0b2ab15e654b98a7a",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Threat Detected by Okta ThreatInsight",
|
|
"sha256": "95b23b6dceecf5c37c57266723121ae726f35c91584ae156eeb28b463d118cea",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Threat Detected by Okta ThreatInsight",
|
|
"sha256": "6b3365514534840a4ded646f7e1a3e0cb9eefa5c2f9a6442524d9cb7b4f1abe9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "40892b7e96739d876cf5ef96e0cfcb5df2803f9e217d6c15edfc656d66dfbdd0",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
|
|
"sha256": "f94022bb9cee4fa87302b3689aba7a4724d3493f584b1702b40f1edfc785be09",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"68994a6c-c7ba-4e82-b476-26a26877adf6": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 14,
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "b93cd2bb2b978c4a49aa012e3ba233f122287ffdb705c852467201a2f5818c37",
|
|
"type": "query",
|
|
"version": 12
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "b21a45d51ea3f04918d7eeaabb24efea888bc2f7a9c326ed3858bc775f4243e0",
|
|
"type": "query",
|
|
"version": 15
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 203,
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "2c52d4ab28968599f73fc69986af4d6bb32fa1a7990400dedb69a00d27923991",
|
|
"type": "query",
|
|
"version": 104
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Admin Role Assigned to a User",
|
|
"sha256": "900e09e88ba2b9b8a350387557983bccad76402efaa5f254d620c7a35f2dc7e7",
|
|
"type": "query",
|
|
"version": 204
|
|
},
|
|
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Scheduled Task Created by a Windows Script",
|
|
"sha256": "81a2f954d5b7761177fa3bc11019a2955eef17aab753143bbea9a8bd67bc55a6",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Scheduled Task Created by a Windows Script",
|
|
"sha256": "6ae18b5f3d2bb2e82d3ac9a01b5472e239e95fcbf9bea0ac33ece58e9328e914",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"68a7a5a5-a2fc-4a76-ba9f-26849de881b4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "f5a7bed82e84d98883e645ca43ca8091e0d6b505c417342c2685bc0bccc55e96",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS CloudWatch Log Group Deletion",
|
|
"sha256": "d0a9a6cb6cd44daf60559ddacdaeff6895ff27e2cae7d409516313da16aac165",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
|
|
"sha256": "1c69a26d73e24b3d036b3bb0d2a5d6651123dca79c58a6df26d303222cc3aa19",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
|
|
"sha256": "0c5f99cea5f3552409a80a188c9c044a4779eed733fbe6d26f8d4d66cf5c53b0",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"6951f15e-533c-4a60-8014-a3c3ab851a1b": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
|
|
"sha256": "2b67895f213f344c0727d912a9536936ca3c72c0af1b9ce24070f5ff8ff76582",
|
|
"type": "query",
|
|
"version": 1
|
|
},
|
|
"699e9fdb-b77c-4c01-995c-1c15019b9c43": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"sha256": "1c84ee3520f02156a2dd650dff1c95cccd1852054ed6f7ca59a4ce9d278c9832",
|
|
"type": "threat_match",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match",
|
|
"sha256": "b6ac668cc6d5e2dce2615788c3f70ee23c8f8c4f5e3006c06b4e197b0174d651",
|
|
"type": "threat_match",
|
|
"version": 103
|
|
},
|
|
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "2103024f5ee4817b2e7dece3748aa9ca71c8a4ee68de02c6ed318bc1377e83e5",
|
|
"type": "eql",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "Modification of Boot Configuration",
|
|
"sha256": "c7aab16c8edb6cacd45b49054600b02d7b4b88b1758fbe3e988d672e6515fdae",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "94e15d61afdb62ad13547e0aaf3b6702c4e69ffbf47d983b6416ae9e3d6810bd",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "AWS IAM Password Recovery Requested",
|
|
"sha256": "b9cca5071a90915b420201300534cf7294a09a03ce5a02fdc723ec827c3ec094",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Service Host Child Process - Childless Service",
|
|
"sha256": "3086f0755beef3bc637f52b992f4b001ed10d7155978344d650e9ab12d2b44d5",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Service Host Child Process - Childless Service",
|
|
"sha256": "93f7fc7f35be3c5c54358ba7a7406c6515bd8a211135b2339115e1af2e3b5a28",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"6aace640-e631-4870-ba8e-5fdda09325db": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Exporting Exchange Mailbox via PowerShell",
|
|
"sha256": "e5af89fb2a0cdf3e47de3ac1fc26f371b765520be293a2e451e61c793aefb73c",
|
|
"type": "eql",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "Exporting Exchange Mailbox via PowerShell",
|
|
"sha256": "c67ead923f191802c3f4b9ac87ce88c947bd2556188ad794e916a19872202460",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"6b84d470-9036-4cc0-a27c-6d90bbfe81ab": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Sensitive Files Compression",
|
|
"sha256": "3d1a0bee2d79c035a599faffc03e74e4b4699b39dbb4418068b003eb6136050c",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Sensitive Files Compression",
|
|
"sha256": "fee59fe99d0d07ff31585fb6fd902e2345ca5effd3f73a26bc436917b51c6f95",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote Computer Account DnsHostName Update",
|
|
"sha256": "45706af41dd0e101a3f59b870ba870250864df9ed5c53ce61e227e1027bc6e09",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Remote Computer Account DnsHostName Update",
|
|
"sha256": "a17f13296f2d3df813973ae7fc885584d1eed5ef45a4d7dd26ddeec6ce3a8524",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
|
|
"sha256": "e08745f50529b4335fb58264f3ee42c749085a6a0c4dcee4d04aa790d386d05d",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
|
|
"sha256": "83a95e41c0a91174a27106ed77afa73c9c4f8e3aa9234321dc94d3abffa313ca",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "9acf5cf644f0dd40d86fe207e02999cd5ad7cb60a50cb3c648eb7def01929e9a",
|
|
"type": "machine_learning",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Unusual Process For a Windows Host",
|
|
"sha256": "791ab8700a52039f24e5816979494fbae818c52ba20be375d733e9fa730af444",
|
|
"type": "machine_learning",
|
|
"version": 102
|
|
},
|
|
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "265db12570310439b937bb99bc1a58f1e6ad99c7bc17a2fcde50e05cf11b03bd",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Anomalous Process For a Windows Population",
|
|
"sha256": "0f387df0bf637f8a7cdcac7e35c402a5c25cab0df5667d31c4ed069e209e0acc",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AdminSDHolder Backdoor",
|
|
"sha256": "e63135af0e5924b96b28af7b3bf95259660d6458c0e1f94fee88f8d7d23538af",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "AdminSDHolder Backdoor",
|
|
"sha256": "823a60f4eff0a08a07f0b7b587d0bdc4c9ba0ed9937b83d090f7cb54af71c584",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
|
|
"sha256": "82208392d7e64f65ffc52fefb132ec3415dabd2548e78cd6ecfc122a6d9b2090",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
|
|
"sha256": "aec5c59039bdbfe42a3f5c8858b62e095f7b35e8ceffc51d9faa27f104378e87",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Windows Error Manager Masquerading",
|
|
"sha256": "f7c950372b5e9243c9d6de8b572a1f564290aa2b0f790831d501d5b3a2b460b0",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Windows Error Manager Masquerading",
|
|
"sha256": "99b1cbc77cabf198a6d1b40cbd01f93ab1c2dc6e40450dcab3f363baafadccdc",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Security Software Discovery using WMIC",
|
|
"sha256": "db29bad908a46be8a59efc119ed564e77fa8ef7c6a4bd2a47fba5e361fa0be25",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Security Software Discovery using WMIC",
|
|
"sha256": "5745ad3ce43344bc4dc32cc87c8d9276fc087ab274729b4ab67e240e0866d42b",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"6ea71ff0-9e95-475b-9506-2580d1ce6154": {
|
|
"rule_name": "DNS Activity to the Internet",
|
|
"sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
|
|
"rule_name": "SSH (Secure Shell) to the Internet",
|
|
"sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 14,
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "9cb9378f77ddd21f125d4bd96ae0f071a38f364c8fd7d446fb6d72144274f37a",
|
|
"type": "query",
|
|
"version": 12
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "244dc1f48bcc75832806b71e104f30425388ca2f33f6810e00dd12f2906b426f",
|
|
"type": "query",
|
|
"version": 15
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "daef89c776f6dbbe4af324d1e25088b7050e7ea1d1e9ab4726f530b8a5b4a5a5",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Role Modified",
|
|
"sha256": "ecaaefd4c78cf905024b3584372e31dd778a12b5a3a53cbc478adf8099648e69",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"6f683345-bb10-47a7-86a7-71e9c24fb358": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the find command",
|
|
"sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-441c593e16ab": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "a4ff0cfaccd58b87eaa594425fccba1ee8ad9372d16c1f8f900f9ad8f064b7f9",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS CloudTrail Log Deleted",
|
|
"sha256": "ce55eead3919754accd3f1a64b700a60517012119cb29a5769db5adbd16b1aed",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"7024e2a0-315d-4334-bb1a-552d604f27bc": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Config Resource Deletion",
|
|
"sha256": "43704baff18966de9952e1a0f3c08d898c72c1231d9122fcb2eb2854ef396a56",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "AWS Config Resource Deletion",
|
|
"sha256": "182b4c2c6b7ba8e35ef738d31da5e5d5dad3bc70fa62492e3422e46dd230e50f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via WMI Standard Registry Provider",
|
|
"sha256": "595a864d26763ad72e78a54831b8e6740f1bd90566b5a450046c0ed8824b9e6e",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Persistence via WMI Standard Registry Provider",
|
|
"sha256": "ea976bea0c42decd5220fb567bc03743ffec736e226359b03d3e0d229a376769",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
|
|
"sha256": "f7b73fb04043a3546f845ee4b9167420e82f46abe62cc0880f760715211d4c57",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
|
|
"sha256": "94005066f1b0fc146c8990cf5e2a309235b927c0a74ae8b10edde002cff9f42c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"7164081a-3930-11ed-a261-0242ac120002": {
|
|
"min_stack_version": "8.4",
|
|
"rule_name": "Kubernetes Container Created with Excessive Linux Capabilities",
|
|
"sha256": "b64f9686d24491e87ac24ea4f8e2e8a5ea1719fe99fdc4d0393fb9503dc56ff9",
|
|
"type": "query",
|
|
"version": 2
|
|
},
|
|
"717f82c2-7741-4f9b-85b8-d06aeb853f4f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
|
|
"sha256": "fe4e4318876cf618a1e21bd9cf33c5e2df2b85efd5b8e7801d31ebdabf213df6",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Modification of Dynamic Linker Preload Shared Object",
|
|
"sha256": "41ea9f156324eea554574fff4f47cb2f85787cfbd528d003c4edf70727d46273",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"71bccb61-e19b-452f-b104-79a60e546a95": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual File Creation - Alternate Data Stream",
|
|
"sha256": "a0532649648f730107a0133d1d34ba08d749a89fe702237470c2e9ba8af94ad3",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Unusual File Creation - Alternate Data Stream",
|
|
"sha256": "ed682581d7ce837ffeb2bb1be122fb8a8e0920720f15a954b568698df0fba347",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious RDP ActiveX Client Loaded",
|
|
"sha256": "c4f2f189b4b7fd579305f0b3d350ce9691203ef9c69669f8ea8b3be72f875195",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious RDP ActiveX Client Loaded",
|
|
"sha256": "9bea88454cef0264173454d8b38876e4f8051f105f17df41e962fbfaf45f72cd",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"721999d0-7ab2-44bf-b328-6e63367b9b29": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Potential ransomware activity",
|
|
"sha256": "de3533885523c98ef8c93be8721da011f9faaef2f59686ee92c84ad626c929c1",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Potential ransomware activity",
|
|
"sha256": "5ed8b9792817be8710679364f5e1af5fef0cf852e05c97076743efb4d24e3db2",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"729aa18d-06a6-41c7-b175-b65b739b1181": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
|
|
"sha256": "55b7a39561fa69e358537b62420d5479578bc7a658b937d80114bd6e334abce8",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
|
|
"sha256": "605f9a888e2693ecfd1f05ee530a9d7e986088669abf71629dcbcbbcd91c025d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"72d33577-f155-457d-aad3-379f9b750c97": {
|
|
"rule_name": "Linux Restricted Shell Breakout via env Shell Evasion",
|
|
"sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "12b47e8a1e1df6f0c7239beff9393ef1170c61308c73a09a69f215951937952b",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Potential Modification of Accessibility Binaries",
|
|
"sha256": "1fdacdfbf32f3f59d7306fc32e8afe3f5117a61908f7d28b8828f982f9ac5d00",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Modification of Environment Variable via Launchctl",
|
|
"sha256": "eee473b2a22ea8df57eed1ec8893c9ade87d5b5eb7916d102429055badfe191a",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Modification of Environment Variable via Launchctl",
|
|
"sha256": "749b8ee5925d0dd076a889e4b0e482642c053cc89d6ea770263bc0cca23dc4ab",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"745b0119-0560-43ba-860a-7235dd8cee8d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Hour for a User to Logon",
|
|
"sha256": "1e847948be954f3a3cbfb10357ae89e2badbfd6a8fbe0b16d728d77166473a07",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Unusual Hour for a User to Logon",
|
|
"sha256": "1e847948be954f3a3cbfb10357ae89e2badbfd6a8fbe0b16d728d77166473a07",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"746edc4c-c54c-49c6-97a1-651223819448": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "6756a4819c149be09d06dbd77b8d1335be3f2892ec75596b19813f0e151f420e",
|
|
"type": "machine_learning",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Unusual DNS Activity",
|
|
"sha256": "6756a4819c149be09d06dbd77b8d1335be3f2892ec75596b19813f0e151f420e",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "7d4448c4595f5cf1ecdfcfde84e6c0bd302004eb1a71c73591e3e339532195e6",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Web Application Suspicious Activity: Unauthorized Method",
|
|
"sha256": "ac64583e7ae5ae0b7d30afcee64a1d3f5415d1e43351b8cd71d4d428704faf34",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"76152ca1-71d0-4003-9e37-0983e12832da": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
|
|
"sha256": "244f9ef115052b03ab17b53de02594d6fb2a47a66970b7f34db63659f0d9ea3f",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Potential Privilege Escalation via Sudoers File Modification",
|
|
"sha256": "975acebfbfee11fe275fadbe5e279d2f027ceca46046b7a4d1564e298f1f58df",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"764c8437-a581-4537-8060-1fdb0e92c92d": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "8845c5c341a499cd38d65de796f7a5a18d12bb9527efd90d7c1f1b89c36c02e5",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "9a9a9b859d5aa0b1260420d9cf0d17cf615400af097106fd35f5b1d6af863196",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostIPC",
|
|
"sha256": "7ea37e2bc8f94aefecaaac63a56ce676dfef1e14b2d2c9aa712e9591643fd140",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Access to a Sensitive LDAP Attribute",
|
|
"sha256": "b740d503c95c58aeba713bc41e42f568aac13a10168ddde244b4f1fd24e48d82",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"766d3f91-3f12-448c-b65f-20123e9e9e8c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Creation of Hidden Shared Object File",
|
|
"sha256": "798005e896c8c1cfbceb44c167fb97fec88162d0f7ed225950029ecf2e355337",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Creation of Hidden Shared Object File",
|
|
"sha256": "9315850612e1d358cb5968a2fb3eefae569db6be399418ffb5a3b90436cc6318",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
|
|
"sha256": "cd03875e5215659d4a9dc647d4349d17c2d6ab4cfe4f196e34f114dc5de5dc93",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
|
|
"sha256": "99c5bb339a1512b8f753365e2c6d29d4577384d344ce8c12f08e40c930bec8d3",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Remote Desktop Tunneling Detected",
|
|
"sha256": "b7b15c433fb890a500de66e990cffb64232c3c9983db33dd7ed952206cca6e13",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Potential Remote Desktop Tunneling Detected",
|
|
"sha256": "f71f9959cbfa4defa4fcbb2678313c49e955671588e8c575ad0c4f9ed1b95df4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
|
|
"sha256": "e1035282bef10663f92eb6000566f4f1597d215a0cf5cc4b7fe21c95cb248a39",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
|
|
"sha256": "8da9d30053904300da24876da71120a23e9c67114026340de33f20e1c6b0c4da",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"774f5e28-7b75-4a58-b94e-41bf060fdd86": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "User Added as Owner for Azure Application",
|
|
"sha256": "221e88f2a1891057d283196c7aab129be0f5a2eb1f8631fe80e43865e7dbe0bd",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "User Added as Owner for Azure Application",
|
|
"sha256": "a97f673b735d37b32973f00c9e6ea2608c0f8e7a451e7da2ed05a256eb20d451",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"77a3c3df-8ec4-4da4-b758-878f551dee69": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
|
|
"sha256": "5380f574b8e648c558fa34254366c5e53eed6065c9b0c722b1c458ac26b01ce3",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Adversary Behavior - Detected - Elastic Endgame",
|
|
"sha256": "915716860c1f135cec8ba36dd5ee26b28cde838556f277fe9bfcb874ab78f8e3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 14,
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "05659e0fca8bfd5b058797e8189179ad491969abb24b47e22e586ea42c527deb",
|
|
"type": "query",
|
|
"version": 12
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "5e45bae76ca5b927ec5755d9bb797b2012a6884ff93d4deb09b0127a0b0e273f",
|
|
"type": "query",
|
|
"version": 15
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "a3cc84e17ebd0f9217243f6d5128ebb437ecb8d4e643a5ea8d1b3e3e40f343be",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Application Added to Google Workspace Domain",
|
|
"sha256": "ea4f94ba987a5d1684dd0f0d8c07ad19ab402403f98ab0c3f6c90db032a9a1e4",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"7882cebf-6cf1-4de3-9662-213aa13e8b80": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Privilege Identity Management Role Modified",
|
|
"sha256": "a72422827c480ac2b9747935d238c62d58f73ac2814b048de4b484e0c71d660f",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Privilege Identity Management Role Modified",
|
|
"sha256": "c90a096cbf363f1f42cf58b076b63e022b205e76679fb84b1ec6bd95a4db33d5",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"78d3d8d9-b476-451d-a9e0-7a5addd70670": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "106b495c6e5eb5e409cdb8294ecab91a7ebc9dbab945cfcdbedd158cbe87cc46",
|
|
"type": "machine_learning",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Spike in AWS Error Messages",
|
|
"sha256": "c1a8068d4d5059d01977763d96ffbc2cab7212164cb5731ffd24fc6abefcc5ed",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Key Vault Modified",
|
|
"sha256": "47a0cc7f95baa26446d9632a6b279c5cc1208bf3b8ba2d27f61cdacdee9edaf4",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Key Vault Modified",
|
|
"sha256": "4e3adeb6c003172b64e7a0159d691edd03b0b1732440043433a32593315ee0d2",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Shadow Credentials added to AD Object",
|
|
"sha256": "db8f5998b6c1ef6c15dbc8bcdeb7525851f386baa8e20bdefd37f4511f7e6594",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Shadow Credentials added to AD Object",
|
|
"sha256": "64806f347838c3a33b49368f7d967eb7d3aecbf621422c687f39c639b19a856c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"7a137d76-ce3d-48e2-947d-2747796a78c0": {
|
|
"rule_name": "Network Sniffing via Tcpdump",
|
|
"sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7b08314d-47a0-4b71-ae4e-16544176924f": {
|
|
"rule_name": "File and Directory Discovery",
|
|
"sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"7b3da11a-60a2-412e-8aa7-011e1eb9ed47": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS ElastiCache Security Group Created",
|
|
"sha256": "c27a6ebbde5ed895c419e9247fb27acdbfe2112b70c5ec4cb645f19b9a694f5b",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "AWS ElastiCache Security Group Created",
|
|
"sha256": "25e965176005d56b0d73ff069dc3ac7b084832901d17b8466d3786f84b192af2",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Windows Network Enumeration",
|
|
"sha256": "1b6f54e06cc026d118a54820c8a360add1add24912d31ccadd63e7661acaeaa8",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Windows Network Enumeration",
|
|
"sha256": "557392e9571bf6df69971f7d89344f7608bc8026f7e19f9b3fa156f3fe8b2400",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious LSASS Access via MalSecLogon",
|
|
"sha256": "9af915cd549d5c285a49f42912dac118f64b9faf1c216e1bc345fdd6f7cbbb37",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Suspicious LSASS Access via MalSecLogon",
|
|
"sha256": "c6dc6bde05788088400398e0436398ecb324245f53ddfc83e8ac6a01c1dc1a19",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"7bcbb3ac-e533-41ad-a612-d6c3bf666aba": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Tampering of Bash Command-Line History",
|
|
"sha256": "2b96d18fa5abf049d0a09e9ae9d08ce9926fd025ff095f2a2ac87073602ec8d7",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Tampering of Bash Command-Line History",
|
|
"sha256": "4890ed7ae740bdeb75cb9ad063fdc380a37dd68e59c591aa9686bded5f79d1e1",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"7caa8e60-2df0-11ed-b814-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "e433cddd2695f67bea309beea9d1d29197cb7f724fd7e8b1fe04b09657cfb195",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Bitlocker Setting Disabled",
|
|
"sha256": "93dc8b13643b49a519faaa37a39d18e52b52eff11913929d9063bf0040ad8880",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"7ceb2216-47dd-4e64-9433-cddc99727623": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Service Account Creation",
|
|
"sha256": "007c9309e37591fe3ca25816e08d1be1e25944279ed9da43b1285ca58048a188",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Service Account Creation",
|
|
"sha256": "49fc3c9ded84d779ac8c5ca91ab119e47c70543da16192e6ce24a5c1ae167347",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"7d2c38d7-ede7-4bdf-b140-445906e6c540": {
|
|
"rule_name": "Tor Activity to the Internet",
|
|
"sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious WMIC XSL Script Execution",
|
|
"sha256": "1c6eb53bb3fe9a161a80405a8261bedc5d20b5358713447a8db60cd32ca6f117",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Suspicious WMIC XSL Script Execution",
|
|
"sha256": "7c746073f14091c0db94a0407170a215f88942c88148f1d213c71f67b257fad0",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "16e7dd99135fbaa3f9f1b584df44a7e0f234188ddcf848e797c8936a7e80d3cf",
|
|
"type": "machine_learning",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Unusual City For an AWS Command",
|
|
"sha256": "553972bbf7ded2fc4f7cfed78b58d590ff19c65a22ce4c84cae7ae8aa9becdca",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"80c52164-c82a-402c-9964-852533d58be1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Process Injection - Detected - Elastic Endgame",
|
|
"sha256": "4e779ccf1f49a38c2de417875a39930a1324e6ee7368de9a614db42b476ba077",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Process Injection - Detected - Elastic Endgame",
|
|
"sha256": "61983f7e0e2a5a6846f2e64148a468e508bffa658f0914904759ddedd3c8b1ce",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "PowerShell Script Block Logging Disabled",
|
|
"sha256": "45b135d716bf1684bcd549aab366c94aa3d640bbf603da35656891bf733ed7cd",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Script Block Logging Disabled",
|
|
"sha256": "a2000bbbde0a0139acf7eef00fdf896e2e271786f47c59d7397db938a6e43d58",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
|
|
"rule_name": "Persistence via Kernel Module Modification",
|
|
"sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
|
|
"sha256": "ac0a5aab69c72adf4afd406b14b4627ac2efe4b584ed0b6fd3c71df98e0dad55",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
|
|
"sha256": "8d5dd848650d0aa7e36c11cb01d8832928c0dc44d91d010b25bc66eb8e0caa76",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Temporarily Scheduled Task Creation",
|
|
"sha256": "fd5ab0ae7cb653cd05d3107277504f88d6ebadc8fec6a461410a5a5600eef57a",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Apple Scripting Execution with Administrator Privileges",
|
|
"sha256": "304b9c056fef81640d1eec475c5d66b9689826093aac96f3581e293750584219",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Apple Scripting Execution with Administrator Privileges",
|
|
"sha256": "61bc5adf3d139b7c48e74b4505c37969aa35787f826780938887a0132253c5d2",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"83a1931d-8136-46fc-b7b9-2db4f639e014": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Kubernetes Pods Deleted",
|
|
"sha256": "027ba090d0505871c507a51754723e8256895b8ed102083aa2b05b93e2d31e24",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Azure Kubernetes Pods Deleted",
|
|
"sha256": "fd9f832afa3eb4db90466e05aa43684b05fbd8af82fa4d943022de552cdb9cc4",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the mysql command",
|
|
"sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
|
|
"sha256": "0e089d3ca893acb3dc41493b56c47678ee8a9c31af770e7cbbdb13b477b3e118",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
|
|
"sha256": "eef33d66aaf848e38c39036b29b15ce3e36cb55857d20014ac38be7cccf81125",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"850d901a-2a3c-46c6-8b22-55398a01aad8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Remote Credential Access via Registry",
|
|
"sha256": "ae690790275a04d830343066d6671002a9a95f939102986b9711e1291616442b",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Remote Credential Access via Registry",
|
|
"sha256": "12ad8300187f8f8f5a9836c103f88114fd217d0c28e14c7400a7287e0e664e4b",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"852c1f19-68e8-43a6-9dce-340771fe1be3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious PowerShell Engine ImageLoad",
|
|
"sha256": "fbcec5e3319f343869931abf427186d400817f3564e7f2720236072d6113e9bf",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Suspicious PowerShell Engine ImageLoad",
|
|
"sha256": "8e601902d87b0b2fd978c53af4787be1559c0254580fa8c7bc4fc405842b6f70",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8623535c-1e17-44e1-aa97-7a0699c3037d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "2c624a60350aacfd7edbee02670148038cf139f25cd0248f61f2c975e8015141",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS EC2 Network Access Control List Deletion",
|
|
"sha256": "bcb4aade8b5ba3c22a8c82cdf9e5c119b5c206ac7a8a25c005c9c46bdac688b0",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"863cdf31-7fd3-41cf-a185-681237ea277b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS RDS Security Group Deletion",
|
|
"sha256": "ff70e69014113484cc022ae28d71a4b3bee57090c3cec63a2d6e92e9aa22f53e",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "AWS RDS Security Group Deletion",
|
|
"sha256": "b9740b6e6fe0a2bf15223ae18f550d8f48741f5b183edaba4d75d1780eb7fdeb",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"867616ec-41e5-4edc-ada2-ab13ab45de8a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "b2a945b0a9a01661e2e49cb626d4fa31a86548be87e638f40e983ee01fafd9dd",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "AWS IAM Group Deletion",
|
|
"sha256": "ad3bca60bba8131fb73f2ba77fef189865b606cf0e8f75552a0f665a03e7c9ea",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"870aecc0-cea4-4110-af3f-e02e9b373655": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Security Software Discovery via Grep",
|
|
"sha256": "842aa69813b8f9b0e5dea1537e9c52e707457bf22191d5e1525aa2e6b14cb5c7",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Security Software Discovery via Grep",
|
|
"sha256": "129a4e1974a0392ab3bb57658105152788a1fb91d25315e845647a163ef2bde0",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"871ea072-1b71-4def-b016-6278b505138d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Enumeration of Administrator Accounts",
|
|
"sha256": "c84189dae6dd27a858b984c28e71eaab51ea763f33d1f2751c03e187debf384b",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Enumeration of Administrator Accounts",
|
|
"sha256": "f0439ce3410d09e36cfe5bea67ac81cbd854b04fe0638e1389b43253b80919c3",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"87594192-4539-4bc4-8543-23bc3d5bd2b4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
|
|
"sha256": "b5a9c1b1250bc364e28b68fbb0d9f068648ea66105469377e7797470547d8859",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "AWS EventBridge Rule Disabled or Deleted",
|
|
"sha256": "7318a2445dc5a3d30e791c384f8cb3a6fb45f6a517e2d3cd4c7e8a7920bc5915",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"87ec6396-9ac4-4706-bcf0-2ebb22002f43": {
|
|
"rule_name": "FTP (File Transfer Protocol) Activity to the Internet",
|
|
"sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"88671231-6626-4e1b-abb7-6e361a171fbb": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
|
|
"sha256": "511c1fd76c1b2e36d3bfcbdba847fdef7fac66c36378a5c88d8f22b1a07e0dd3",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
|
|
"sha256": "06a2870dd213505ab21cf79e77102f038a0ca424bb6609f239f62e97824509c9",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"88817a33-60d3-411f-ba79-7c905d865b2a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Sublime Plugin or Application Script Modification",
|
|
"sha256": "7023870a232e75c229fce7670d936c9514f231294f18ef242f5084e928730d68",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Sublime Plugin or Application Script Modification",
|
|
"sha256": "96cef235db652c80d2229b9ebd51d0f1b93383e36e3ef01ed98ce8d5e8dc315e",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious WMI Image Load from MS Office",
|
|
"sha256": "e26456a31031a0df8d8fc53b2a116ea9983241ae39b61fda256b5dc1e11abb6d",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious WMI Image Load from MS Office",
|
|
"sha256": "24a072738bed45a9f85847afa11085b8755aba6070b5de82437e6824f6c2e91b",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the vi command",
|
|
"sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kerberos Traffic from Unusual Process",
|
|
"sha256": "1fe268f03a22f4fe8ba24b86ca8cd99917884f39b92761d8d1e16b440e8d6569",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Kerberos Traffic from Unusual Process",
|
|
"sha256": "eb79af7a0d1ae7661fef27bd36c626d2564dd9767c5a700716eab0cb6838f57b",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "59a5d1e0d72c62b3fc7912a7067eaaca424cbc50b4e63c75f51fc4ffb4421007",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Command Prompt Network Connection",
|
|
"sha256": "0e6cdc42682824ec961f8f917fa0581506a8972e1b64189011ccfbccca479715",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via DirectoryService Plugin Modification",
|
|
"sha256": "e39e5487a503cf505c04da8ed3950d7af41af80b4f115ded879c6444e77acca0",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Persistence via DirectoryService Plugin Modification",
|
|
"sha256": "e212e645cc030c4bb3501b291e1901149824289b91b9a5cfe2388941fc8ae351",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Setuid / Setgid Bit Set via chmod",
|
|
"sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Setuid / Setgid Bit Set via chmod",
|
|
"sha256": "6a80154c3a5116e568ba0afae93dac63bd5675af257d579e4e578a852d662260",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Execution from a Mounted Device",
|
|
"sha256": "a47d7783b08ae45cc48a096ac462b7ba64c071e4c726814bd2735c55d0b2291b",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Execution from a Mounted Device",
|
|
"sha256": "6e16eeb9535512d07166b5aae986854c9c1c1d439c052e070c90111713e08dd5",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Deactivate an Okta Network Zone",
|
|
"sha256": "9ec0f9d2f6a790cc8b9a48259789ce126d9bc5b6f99c22ce8663bd21fe54ae13",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Deactivate an Okta Network Zone",
|
|
"sha256": "e612843f8f71a01687c6f3336181dc7b0c3ecab0c355105ec92ebafabaee95c5",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8acb7614-1d92-4359-bfcf-478b6d9de150": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious JAVA Child Process",
|
|
"sha256": "8c9d449f2d77918beb11a47ac69141e08ec8a0314266c3487cc5b7914f919d42",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious JAVA Child Process",
|
|
"sha256": "d8854fc273717c92698bc56feb67d2ff72722db4497210cefe7a668fa62b567c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Executable File Creation with Multiple Extensions",
|
|
"sha256": "c0ff885682d6b3a8ec3a61fa4c7eb513fccf86a4e34a3689415a52bd739b8956",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Executable File Creation with Multiple Extensions",
|
|
"sha256": "751ba10c6558329de809a79ae19a26faafb9b21cafd906a6fd316aea938c33a7",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Enable Host Network Discovery via Netsh",
|
|
"sha256": "de11f1daa80d49b74fadb3068f2107bfd866a31171b32101127721fc105fd299",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Enable Host Network Discovery via Netsh",
|
|
"sha256": "74510191015c185a374e1505178bf65f49bed49b31bdb935b1856d0d4c39a6c7",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8b64d36a-1307-4b2e-a77b-a0027e4d27c8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Kubernetes Events Deleted",
|
|
"sha256": "aaf8e61e49cd5a9a2ff6c9ac5d61ee70922bbd40d5e949421e3eb7c1957da874",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Azure Kubernetes Events Deleted",
|
|
"sha256": "d2fda40a22fb4d46eb3a36ed6cc7bc6304f6f30019afbff7fcd240859601b9e1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 15,
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "b6d7ad4ee2f11ab3ed8aa4bcee08a462a4b3aa3790ae27abd86cee6d921e3283",
|
|
"type": "query",
|
|
"version": 13
|
|
},
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "e8b7d833a2cad5ad92e04ba43b572eb374e775daa2ec9fa71f72a4b5cad614ee",
|
|
"type": "query",
|
|
"version": 16
|
|
}
|
|
},
|
|
"rule_name": "RDP (Remote Desktop Protocol) from the Internet",
|
|
"sha256": "be36f608696a60e995e56d51f29baa67f2cd8c36c86cec71f6f5ff21c6d89d3f",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "c05edecd41eae1c1e746556cd00877c32ee249c380954c34ee4f81b5facfbfc6",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Unusual Child Process of dns.exe",
|
|
"sha256": "6e87aedff457b5e169efc11f58fe44487a39db5525fa543cc91fd2f0c05f991f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"8c81e506-6e82-4884-9b9a-75d3d252f967": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential SharpRDP Behavior",
|
|
"sha256": "307795e6c1dce173407f17f57c65d0c530dc24e20c18e78b37e93b7d5d78180b",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Potential SharpRDP Behavior",
|
|
"sha256": "bf4ec47dec3f0f1b9f73167bb0ee94a34c978bbe196ffe541c8f5c8b400663a3",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Ransomware - Detected - Elastic Endgame",
|
|
"sha256": "8fba9c51ee81de527fa5ed0c36181b73cd00b2bbab183c0e26834e693659d001",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Ransomware - Detected - Elastic Endgame",
|
|
"sha256": "365dff69e83d18e0698a913577e00d9e8342b03e502853d5eda7de1dcf0bb907",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"8cb84371-d053-4f4f-bce0-c74990e28f28": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SSH Password Guessing",
|
|
"sha256": "f3072b10eb99e14482d38788bec66c31017c460362ce56b950f8364b00fa3026",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Privilege Escalation via PKEXEC",
|
|
"sha256": "8b35059e3e2c9c1cfabfbd9ae383daa10e26ff3840e20952d4805a3bdb73db8e",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential Privilege Escalation via PKEXEC",
|
|
"sha256": "59e68c56d5fc6ad0c04dc18a23f9dcb28d139880b1bf811883a2d3bb10333665",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Automation Runbook Deleted",
|
|
"sha256": "c93cbe263234d1244103ea203ea11ca8c8bfedf4031665aee1d47cacc8de0ced",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Automation Runbook Deleted",
|
|
"sha256": "4a094369167a5416694956facfb84594a711b8f4622441fe2d9376ce2c65fcb2",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"8f3e91c7-d791-4704-80a1-42c160d7aa27": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
|
|
"sha256": "d86d494f83bb131dff1bf75fc9fa8952846c3deae9f7e3d60f8446ce5d58f19e",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse",
|
|
"sha256": "3cd4e9761f0a100970eaed937b18a81e9747ee7369fbbc6778033bad1fe22b0b",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
|
|
"sha256": "174652de3ab002293cc1eadd63c13f80a580f0b8310bc45a2ac6cfda75241c3d",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
|
|
"sha256": "476402c6ddfcece3d90d14fcea6a2d95989e9e5e90338ca131a99b59f18157a7",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"8fb75dda-c47a-4e34-8ecd-34facf7aad13": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Service Account Deletion",
|
|
"sha256": "284ee563a01f7f29092045e4942635becdd0589c17ffe37a8c962b9ebfbffb3f",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Service Account Deletion",
|
|
"sha256": "b9be0632bf3604570fe1351a591ba3a70dcda3be7ec0f027e58dc34c3ad7c382",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"8fed8450-847e-43bd-874c-3bbf0cd425f3": {
|
|
"rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape",
|
|
"sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"90169566-2260-4824-b8e4-8615c3b4ed52": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "b67a5ad8438ca5f03153173607bd3e2f12cf73ba352e1f3d094c85dfc7c1e7c3",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Hping Process Activity",
|
|
"sha256": "ae8e750b52b2b170b9b595bfec9a99d5e74d8c48eca1662c7e2363cf99744d40",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"9055ece6-2689-4224-a0e0-b04881e1f8ad": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Deletion of RDS Instance or Cluster",
|
|
"sha256": "97bd59f5a9a96e0511ded5a2da4b36c10c6d31ab327079de9f57d4e5d4a7c67c",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS Deletion of RDS Instance or Cluster",
|
|
"sha256": "e0467768e8198131a5fe5d6684af0485b7eb13b4149b9c52f1435e6c954b6c3c",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Keychain Password Retrieval via Command Line",
|
|
"sha256": "ce59e6b81e04017b34df77cfe4c51e18af5013272bba925a081c6fb0ee665fa9",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Keychain Password Retrieval via Command Line",
|
|
"sha256": "6d811692fd3478974552c92961d7baad1568881e0c640d0aad6bdff308f6f687",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"90e28af7-1d96-4582-bf11-9a1eff21d0e5": {
|
|
"rule_name": "Auditd Login Attempt at Forbidden Time",
|
|
"sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Virtual Private Cloud Route Creation",
|
|
"sha256": "cc8b23dc9d3e030eed1a44e8cad432bb0390a7e48ee21309fc4343fb3dc2b463",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "GCP Virtual Private Cloud Route Creation",
|
|
"sha256": "c524a31fb3babd9583c570f4119294357ff4bda43eca7a0dcf6f7f1e51962d7c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"91d04cd4-47a9-4334-ab14-084abe274d49": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS WAF Access Control List Deletion",
|
|
"sha256": "63de1e69153fc3e3aa0522cbbf59b284da031bdd9b6141e5cad92dbc5aa4277f",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS WAF Access Control List Deletion",
|
|
"sha256": "4268caaaedc7a1b5641e0396f7a2594afb2038c989475450700a48f6284fb026",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"91f02f01-969f-4167-8d77-07827ac4cee0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "04f5138c01040d8e441e9dd1c46ec058c99e1aae3bc6bc217dc6ae2d1354b9ab",
|
|
"type": "machine_learning",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Unusual Web User Agent",
|
|
"sha256": "04f5138c01040d8e441e9dd1c46ec058c99e1aae3bc6bc217dc6ae2d1354b9ab",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"91f02f01-969f-4167-8f55-07827ac3acc9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "8ed90c2e6f751d96d7d953b317e17a7bd9fbe0af3d71eced67c8497f0e4652e9",
|
|
"type": "machine_learning",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Unusual Web Request",
|
|
"sha256": "8ed90c2e6f751d96d7d953b317e17a7bd9fbe0af3d71eced67c8497f0e4652e9",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"91f02f01-969f-4167-8f66-07827ac3bdd9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "875fae8098689680444090f64ddee11724bd70f2235662b4a3a3ded028769a89",
|
|
"type": "machine_learning",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "DNS Tunneling",
|
|
"sha256": "875fae8098689680444090f64ddee11724bd70f2235662b4a3a3ded028769a89",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "A scheduled task was created",
|
|
"sha256": "81c3b09aa79394e3f8c0d5a43f43d06e82f1334a2bac6d7a821a263a0a8623ba",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"93075852-b0f5-4b8b-89c3-a226efae5726": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
|
|
"sha256": "077973b9dba0ebc75ab5c34f0b0075aa5b1517cd247e99e8b66588aadd499dc2",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "AWS Security Token Service (STS) AssumeRole Usage",
|
|
"sha256": "33e33fcf51a64052e25ea495dc5d119f6366f59ca29734cb8fa950094f0098ec",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "05ff439f67984de234a47b20f014bdbbcef5f63a6cb769333c50dc9f71995478",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Sudoers File Modification",
|
|
"sha256": "f613c46321294e0f2f60d3c9ef954f4fa6e1074870bf27df228ecb690302d2c1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"9395fd2c-9947-4472-86ef-4aceb2f7e872": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS VPC Flow Logs Deletion",
|
|
"sha256": "07653926c326ccebd08700b72fc84eaa740a6ba547802368f559a7d9aabca3aa",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS VPC Flow Logs Deletion",
|
|
"sha256": "4656214e0a08b54eed5d54e98fd6c82f702e4d232c534b24cf6770fdbb9b34e6",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious SolarWinds Child Process",
|
|
"sha256": "4f928cce10435e844d606a37b9aabd2dc953c04bb8322a2a391ea2490c7a701a",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious SolarWinds Child Process",
|
|
"sha256": "ba3ba7e16b3c896a576bc949c2afab142fa779885483078b5d2f2420aed82d1d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Encoded Executable Stored in the Registry",
|
|
"sha256": "1e955bf6b29adf56d2b56d5c217ced6c481af84fb549f5640325bd1d4eeebb65",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Encoded Executable Stored in the Registry",
|
|
"sha256": "07295d532c98a32c8f49af42d8b5b21ef24be6837b9e0e285f2418c2a15d7600",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"93e63c3e-4154-4fc6-9f86-b411e0987bbf": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 14,
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "5ec1e79923aaa0e99aabed335419a6c200972553ebdd4d99139bdb5bee03c8e6",
|
|
"type": "query",
|
|
"version": 12
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "213d54562eb126f314c2a6e1a102b4d4987ee2333524f5466bcf10b27609a92e",
|
|
"type": "query",
|
|
"version": 15
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "ef6d929dc2c2361a81de3f98368a4b583d1b79accfccf61f4bd2660192e320d0",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Admin Role Deletion",
|
|
"sha256": "7b6697a97cdf6019e2920baed1a4b6396b33c1f4589dc81aab2539b378a9cdd9",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"93f47b6f-5728-4004-ba00-625083b3dcb0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Modification of Standard Authentication Module or Configuration",
|
|
"sha256": "4cff5c6b85db6da429555825630fa7972dbb0f8ac152b594c6c107ec398cc9e3",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Modification of Standard Authentication Module or Configuration",
|
|
"sha256": "7d6777454df6facd354b08c4197378596cc01b01499f020dbf54fb37d8d31f16",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"9510add4-3392-11ed-bd01-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
|
|
"sha256": "5fd3d2b8c4d529473f1faf8da5346efc3e1c194556689eb7bba24604dfea18db",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Custom Gmail Route Created or Modified",
|
|
"sha256": "c316a06037035aae30e827897a80b0b965715ee7b63e7e6b1863c59d617d1292",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote Scheduled Task Creation",
|
|
"sha256": "6160a0f0792097e86209482cea32782afd35428338b00cb36c0fe15245637629",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Remote Scheduled Task Creation",
|
|
"sha256": "90c477350e43563dd35753a3763380c2af955b7c61ad7f4ffe5a8e017bc92c8c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"959a7353-1129-4aa7-9084-30746b256a70": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
|
|
"sha256": "214e7786508b17298b4d5e4ca8a3b769a671e4fd6ffcf746bb954095ec2d5bed",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
|
|
"sha256": "6e6d3db2b74e72a7814e88a22790a69b7bad458685f57587be4f172643d4f0f7",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"968ccab9-da51-4a87-9ce2-d3c9782fd759": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "File made Immutable by Chattr",
|
|
"sha256": "ce1de12aa8f7582ef6d3d1846c6d640e0de6fa00d59ce5e60628804490b7c265",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "File made Immutable by Chattr",
|
|
"sha256": "24ee320fcd777929a2e5be22e8b6bb6a925eaa230669693b1b271f05c62b36f2",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "f2d80ff8056ed1820ee12746dd418047054568b123e882fb2a027450fd44c366",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Create Okta API Token",
|
|
"sha256": "ae0253993e1eaf34f0186cf3d7d0f136791d0ca732c546fb7a21b737c650f6c7",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Access to Keychain Credentials Directories",
|
|
"sha256": "5aeb0b55e7b86fec78236620f91f77e61f892206e3119251b7aa12a048000ff7",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Access to Keychain Credentials Directories",
|
|
"sha256": "fe9970f965407d8d169807d2921d948e85199acd85ac9b4ec2b8a1a7f1f171ff",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"97020e61-e591-4191-8a3b-2861a2b887cd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
|
|
"sha256": "6a428eff4cb49321ab0db87db4f6fe8b6a3852452364e86ba6c9254190520428",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"97314185-2568-4561-ae81-f3e480e5e695": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
|
|
"sha256": "54ff733ee97e4a165dfd1039fd74be008bf78840b8c7659f031f10c84b5f8f3f",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification",
|
|
"sha256": "df0c3ab6007ab01b0442eb8dcd1dc90c541d8fba362f7d3f9beea700be864ac6",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"97359fd8-757d-4b1d-9af1-ef29e4a8680e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Storage Bucket Configuration Modification",
|
|
"sha256": "0ef7e8043ff95f5a35ab1e7a0dd0efc69ba23e525c478493718253f936751aed",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Storage Bucket Configuration Modification",
|
|
"sha256": "b5d7f59e9c5704eff3cc4ba5dec2442e830314023bb5b527d96bdffe13d2b64e",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"979729e7-0c52-4c4c-b71e-88103304a79f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS SAML Activity",
|
|
"sha256": "812ed9f6bf5c927c2ba6b57066e8ccefe60290e47b5f0adeaf212f4e86625a23",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "AWS SAML Activity",
|
|
"sha256": "3562ea5dacaba4792e94f1cba2be2c388e6626ce6dd758043403775900a9016e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
|
|
"sha256": "6075a54140551e0fd7cc6593ecc1e93225ab830101e2e6f2a85aa8cc63d87e51",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
|
|
"sha256": "0c99c47c86b7ae409358e4703c4571d70e52ff54917ca3592ac7cf77b5af8436",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Zoom Child Process",
|
|
"sha256": "f77318af5a1db73ac10d7dbdfca459aa65435c32e3783ce7986396369e80b14e",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Zoom Child Process",
|
|
"sha256": "dd939581723d661987df2737da4c3fa25c21a400672768701385994e58c280d3",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"97da359b-2b61-4a40-b2e4-8fc48cf7a294": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the ssh command",
|
|
"sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"97f22dab-84e8-409d-955e-dacd1d31670b": {
|
|
"rule_name": "Base64 Encoding/Decoding Activity",
|
|
"sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"97fc44d3-8dae-4019-ae83-298c3015600f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 9,
|
|
"rule_name": "Startup or Run Key Registry Modification",
|
|
"sha256": "1827b7a04db141b503dcbe4bdd0c18468ccc43b937e02c76d1f2e7686d2b17ef",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Startup or Run Key Registry Modification",
|
|
"sha256": "d7812909f8d6b7f07a49520b790a1a5d653f213f6d542753f78f0d29e06b612c",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Startup or Run Key Registry Modification",
|
|
"sha256": "d597275294c4f0dbbaecd5d52b743e652a9500e3074cfd8faec62dd070517c9d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9890ee61-d061-403d-9bf6-64934c51f638": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP IAM Service Account Key Deletion",
|
|
"sha256": "17a8ba105b28a2bef5fc9686588f3e87600600df80e9916169f33fbf80a5eb26",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "GCP IAM Service Account Key Deletion",
|
|
"sha256": "970e1d438ecb681a25da6551a2468604dac0a6e9a7c6d0579b345d383f487dfb",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"98995807-5b09-4e37-8a54-5cae5dc932d7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
|
|
"sha256": "7e266e3832b65302b422074a36cfda15fc068b534841ee2e41230749f897d098",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange Management Group Role Assignment",
|
|
"sha256": "6471164015e40253d0c1c8e6c4cf9747913ca95c6bc387f9a648fb04097bc611",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"98fd7407-0bd5-5817-cda0-3fcc33113a56": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS EC2 Snapshot Activity",
|
|
"sha256": "6e34ebc3b9fb35f0f03651ef649c19d89a83e00ad363000c7c13e4b320b85223",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "AWS EC2 Snapshot Activity",
|
|
"sha256": "f3fdfc71ac8ed85e02874585be90ec331b4725f8e79097a73b1ab34d93265aba",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Process Injection - Prevented - Elastic Endgame",
|
|
"sha256": "3026303e47b30c3d7908350f7a4909e7023eeef7c9604e3441805456e92606e4",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Process Injection - Prevented - Elastic Endgame",
|
|
"sha256": "9ab23922eb244147b8146766869d5af8629bcc869464c836e684ad7e387fafe8",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "MacOS Installer Package Spawns Network Event",
|
|
"sha256": "612aeb08fb3d95a693c4e7b636be831969fe9f509515850d81f1c71057b17b76",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "MacOS Installer Package Spawns Network Event",
|
|
"sha256": "74cfc6e7ef481eaf94443407b69a13d70d5a6c845ed54d6e9507e828d5ab25b0",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"9960432d-9b26-409f-972b-839a959e79e2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Credential Access via LSASS Memory Dump",
|
|
"sha256": "5e6eb76f79365f2c3e22451f0586b9f7f6f2b725c4025b9e23ef42da22c5f816",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via LSASS Memory Dump",
|
|
"sha256": "f37325bcbbb94c410c0011ab48d3cc9b6298aac29d1fa5c53038fc884fe002c4",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"99dcf974-6587-4f65-9252-d866a3fdfd9c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Spike in Failed Logon Events",
|
|
"sha256": "7e5b5594bdac57e03898b8c51949acf659ff2c63340b3ac26bd251c9f1556196",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Spike in Failed Logon Events",
|
|
"sha256": "7e5b5594bdac57e03898b8c51949acf659ff2c63340b3ac26bd251c9f1556196",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Endpoint Security",
|
|
"sha256": "35d86aa3177f1e13febf07e1a2921393a63e9661a1a326ef641997855f1eff09",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Endpoint Security",
|
|
"sha256": "cee77122bb31a59353a9f4b22737d0a05002244e0776613c49597c6198be5b0b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"9a3a3689-8ed1-4cdb-83fb-9506db54c61f": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Shadow File Read via Command Line Utilities",
|
|
"sha256": "27a18b2286b78190be3e83ddf1104972fae3a94768bcb2404ea96c07041f0314",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Explorer Child Process",
|
|
"sha256": "a385464cd3b312a278a6ef28182942b3d46b348e577bccf6b6a8dc675fb8b5db",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Explorer Child Process",
|
|
"sha256": "6e1e6cd672f794638c657385ab94e0964efe96a9c0be9992e467d15807e559b8",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Scheduled Tasks AT Command Enabled",
|
|
"sha256": "c64956f19906b8c5f1dea22b70e30365ac8dbb583f6003a7793b3c41ca7da876",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Scheduled Tasks AT Command Enabled",
|
|
"sha256": "dce9f409b21dc3e54b55f4c8ddfadaac650e4143ff91f322b24946653a24c454",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via WMI Event Subscription",
|
|
"sha256": "914798e110d1bb31c1ab9703cc0b301c3f7df6714b71152e6760473b06e849e1",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Persistence via WMI Event Subscription",
|
|
"sha256": "10fa980ec626c339cc784118830b30d6e5a6432fc77069dc693b9ad482b33fc5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 11,
|
|
"rule_name": "Hosts File Modified",
|
|
"sha256": "7781b8fa8e3efcefff36f16dedd64ea47131e917b9a753e61c95f86427a03d06",
|
|
"type": "eql",
|
|
"version": 8
|
|
},
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Hosts File Modified",
|
|
"sha256": "9d05191a051ba7015c7eba4ce4c876bb0200bbdec3739b249c89f1ce4a60eb99",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Hosts File Modified",
|
|
"sha256": "49841a36240c8471bbffa262cd743d965df3c094190a05d526fc7ab67a405852",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Logon followed by Scheduled Task Creation",
|
|
"sha256": "3f358925fb1d6175f876ca1d4cad49e8c5cf468acb9dc145c3f137b1c8614bd8",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Command Shell Activity Started via RunDLL32",
|
|
"sha256": "c21df2d07d7f4513ea3c3fd1f60a19ce8dae6d618d45e58cce1d5fe045a5b1dc",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Command Shell Activity Started via RunDLL32",
|
|
"sha256": "d10741a1a3c783a25a2bf1bd6869553db40b735bce0e289de9cb0ab6cb8bdf56",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
|
|
"sha256": "172d2f04879c10e383d6f900e6bb2f9d49626e7a95d7f235e3183c36ab0e80ad",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace User Group Access Modified to Allow External Access",
|
|
"sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": {
|
|
"rule_name": "Trusted Developer Application Usage",
|
|
"sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "6f39bcd147321071e27d48d6ee2bc4fcfdb4c5920d0bfa506839c1a81d1ac606",
|
|
"type": "eql",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Started by a Script Process",
|
|
"sha256": "5bcbc6af79d0a09d1a5b8ecf5c459d11792147328f5e60fbf82f0ce18f0096a8",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "4cd8a6a7070860dbcf09cdc8a2d07796dbbbaba7c4bc67393e3a5868713f6a0e",
|
|
"type": "eql",
|
|
"version": 13
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Started by a System Process",
|
|
"sha256": "7fa419b223deafb9c309ef22dd9fdd358b7685393b08b61bd5a50013ea6fb90c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "0aac0eff739e989b3935785a5d9ae953c258b7e29f1dfd87cc6d1b2e06845792",
|
|
"type": "eql",
|
|
"version": 13
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Using an Alternate Name",
|
|
"sha256": "eddaf3020dfedc86991c4f7556bce2b67fd732aa4c21a3fd4906300d38af82e2",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Credential Access via Trusted Developer Utility",
|
|
"sha256": "99f644d483aa7e62b116154134e64f342c68588a7e3cf31ec99fa65d355023f3",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via Trusted Developer Utility",
|
|
"sha256": "80bf6c81b4f2528b9dcc40303cafc9d9c52936fe52d9e0b220d2e743270b0812",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "ddd272c7d3025a013cf7b4ff887e8d46913babdb205c31eb9e273a99c32f11ff",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Started an Unusual Process",
|
|
"sha256": "27cff76e52d4d00871a16031b28decdf5bbba3239e0b1ba64ae72a5b9f5f475e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "f8c58299787763270b2017db703e128e0ac183a555ebf4bb1de27ec2df22c46b",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Process Injection by the Microsoft Build Engine",
|
|
"sha256": "5d0d12b8db795d61a1fa80a175e24fd864ee7ac1db13ca4829f3f96ca2f4e8bb",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"9d19ece6-c20e-481a-90c5-ccca596537de": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
|
|
"sha256": "07200d6320009773c3e6531cd1c9c52f580218018e9ed04ebed4dce43a451862",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
|
|
"sha256": "86bd3ea116d0455bd9e4d4883a882e3e6b63c08ee2002e8af77d2204a9c49da1",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Linux Process Calling the Metadata Service",
|
|
"sha256": "939fb37f3245d63c1e25753987fcf1b542e5e60e2f84d4dc26226d40be958420",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Unusual Linux Process Calling the Metadata Service",
|
|
"sha256": "9243ab3c932d9d5e3c214eaa2b7e38d098a5449a40b12f7e500b06c542217a95",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Protocol Tunneling via EarthWorm",
|
|
"sha256": "ec8cfaef587d9072c573177fac91a6ab6d196e321bfb0d0f785e0d70aa0782ac",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Protocol Tunneling via EarthWorm",
|
|
"sha256": "dc2785bae701f3db2068ccfb0d9028dda6ef433d33320a42a115a42336a0f54b",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Credential Access via DCSync",
|
|
"sha256": "345ac7678d26ee9d3db9adf2161f06a608f43a368ecb4f865a886d5ff757e776",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via DCSync",
|
|
"sha256": "262e2f1b79195159ea878ea195be2cd996c36a56d8a22a540290756ccb0eb873",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"9f9a2a82-93a8-4b1a-8778-1780895626d4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "16cfbbcd52c7b8f485e51e3cad277ee20e1a5a59a61059cb884a61e67cc8ba1b",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "File Permission Modification in Writable Directory",
|
|
"sha256": "76c18132af091ccdc7fbbffc1b1b54fd995b3924508bd36a4aecd4a171a3edf1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"a00681e3-9ed6-447c-ab2c-be648821c622": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Access Secret in Secrets Manager",
|
|
"sha256": "6d7151b8ae711435d5a3f87fe51fab04baafb6d64e43e891e98e48fea42f82a8",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "AWS Access Secret in Secrets Manager",
|
|
"sha256": "956a4e2a20d3578da77f54966ee45f9d7afbf99d5202c538adc365975371a7ba",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "A scheduled task was updated",
|
|
"sha256": "ce882bbfb1d9c40e848cd45e39dbf0045e84ebb64af21331dd4b1ebae249347e",
|
|
"type": "eql",
|
|
"version": 3
|
|
},
|
|
"a10d3d9d-0f65-48f1-8b25-af175e2594f5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Pub/Sub Topic Creation",
|
|
"sha256": "f7db93b2082fa3611d64a119be89368e720bc1c9611f9fc78b024e67030c20cf",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "GCP Pub/Sub Topic Creation",
|
|
"sha256": "b866b767f7a977da0302c531f3a1355af29b067e1588869a3426acbead3c4ae0",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"a13167f1-eec2-4015-9631-1fee60406dcf": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "InstallUtil Process Making Network Connections",
|
|
"sha256": "49819033aefa5809fe297a7693313d5736b3dd7f1cf9c75b6e2d3bf510ff6379",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "InstallUtil Process Making Network Connections",
|
|
"sha256": "4574b9d8e17ff1d9a21c9cb08b31aa5a9499bcf303aa2f1fa5cef47684023dea",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"a1329140-8de3-4445-9f87-908fb6d824f4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "17e1166f1b8127f46a21c291885ad5397ddfec70435ffe0dd21873b74f3afe3c",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "File Deletion via Shred",
|
|
"sha256": "91778159aa6189ce86a7237ebb39890b7343661c5348e2506db78d5692582242",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
|
|
"sha256": "5555c7321afa2efb68bb89aa1d082f8724038437b936b26bb609f2993898d85d",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
|
|
"sha256": "5d73e325c64f2a8668da0ce79cf1bff26e17c02a25d990f13b888b7417405735",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"a17bcc91-297b-459b-b5ce-bc7460d8f82a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Virtual Private Cloud Route Deletion",
|
|
"sha256": "b5ac65a63f581957f074015ba818a2b1dd5427f1195bdeea848eb558cf8bf62a",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Virtual Private Cloud Route Deletion",
|
|
"sha256": "fcd5cbdabbc7af153dc5192f69e2da0c7fc2a02aedfa86746db1eb2e8dcce2b6",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"a1a0375f-22c2-48c0-81a4-7c2d11cc6856": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Reverse Shell Activity via Terminal",
|
|
"sha256": "2791d8f9a164a800f5e848c702d3ab0456c8298a4ce580e944cc05531deabe31",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Reverse Shell Activity via Terminal",
|
|
"sha256": "0ce306c8954c9e8f5f08497de7dc877d455e2526cfcd8ee25d7f5a1eeb5c6b9e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "DNS-over-HTTPS Enabled via Registry",
|
|
"sha256": "1e40e74617b19ed7c7e61596961acef067e9aa8e925c41d24e23055b29940180",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "DNS-over-HTTPS Enabled via Registry",
|
|
"sha256": "8e47ff8f881fb5978fcd29a274ec01d8e220e26a778ddf6363e4a8a2ce461337",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"a2795334-2499-11ed-9e1a-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
|
|
"sha256": "4c7b59991fca9e2bb874d73b26702beea98e72c40bda59d83f8a795d18fdbcf9",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App",
|
|
"sha256": "ebe6d8d11a370fe917eae7f3b885397f87978a7afb50ab4626fdb93bd08ef4f1",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Execution via local SxS Shared Module",
|
|
"sha256": "046dfc582f23167ace33f512ae4ba61f612f57fc61790894f76d786f60f8ba97",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Execution via local SxS Shared Module",
|
|
"sha256": "f74d96ff986397cdc44cd43a95eaaccd7196f07676c5fdbf863e8c71293af6a9",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Windows Registry File Creation in SMB Share",
|
|
"sha256": "80d3c23f3267aac09f575e38679ce6ab8784d74f599a8ec2897a6a4bcde48932",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Windows Registry File Creation in SMB Share",
|
|
"sha256": "c3814021c0eb6aca1aa21c04b263a9b25039f54d6374ab13925f8d6a0af471bc",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a4ec1382-4557-452b-89ba-e413b22ed4b8": {
|
|
"rule_name": "Network Connection via Mshta",
|
|
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"a5f0d057-d540-44f5-924d-c6a2ae92f045": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential SSH Brute Force Detected on Privileged Account",
|
|
"sha256": "8a396165e99be43114ae40eb1174151552a1821df4e8635e0a4012c01574ecc6",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"a60326d7-dca7-4fb7-93eb-1ca03a1febbd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS IAM Assume Role Policy Update",
|
|
"sha256": "e2f36dfdc3de9b8ddc22f7495e8eb3580b8b1ec1da46bf8d928c199b6aff8d0e",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "AWS IAM Assume Role Policy Update",
|
|
"sha256": "19d2aebf9ae85d56bee05aa4659d2a70bd6ac1bbc017ec0b098a64e929e02ca2",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"a605c51a-73ad-406d-bf3a-f24cc41d5c97": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Active Directory PowerShell Sign-in",
|
|
"sha256": "15f50bdcf18bdc3641481a853f0e2fc7fbe8c854fb6d2d87f02df72ff951989b",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Azure Active Directory PowerShell Sign-in",
|
|
"sha256": "32f30633093a69a2f6fb9a2e9e11c9c6bec8b28a8a24f17105341fe4a18c4267",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"a624863f-a70d-417f-a7d2-7a404638d47f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "e7b0b665d598b698f1d35c1ac96720ec586a4c822557256efcea65f282b86cb6",
|
|
"type": "eql",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "Suspicious MS Office Child Process",
|
|
"sha256": "c2ada3a9efccb20c8ad7863b140f2f2e756b3c87ff6a109436f549f1782a7b97",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Emond Rules Creation or Modification",
|
|
"sha256": "bc7c01fa88f13cae39e43bc396abec202e2b39eb703151c6658fff5bf9e10990",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Emond Rules Creation or Modification",
|
|
"sha256": "efe4b861c6c2ab320cab6b0dfcc31133bbdc3eaaeef8ee69cc31ec934b02288d",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"a7ccae7b-9d2c-44b2-a061-98e5946971fa": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious PrintSpooler SPL File Created",
|
|
"sha256": "c90974ac2dccaf21eef2a449d1974be7945e5716d893050f5f5f707fb76bd13e",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Print Spooler SPL File Created",
|
|
"sha256": "8b8df3cf8e9c99f48040d6eca42ab9281d6b0ad43e5a05234d78fb730d2759d2",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Credential Acquisition via Registry Hive Dumping",
|
|
"sha256": "bef335b8bcaff439fbf5df2b472483b38387be36ac81045d5ee346a6b34930d3",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Credential Acquisition via Registry Hive Dumping",
|
|
"sha256": "2194f83f1e6695af8a5a3061e0efeae5a22ae37776ccc3bc2da0d682830bfe74",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "1f59c0bfab965460c7fea8706f18a0768cca899c0403ed1110a2d274c6727b1a",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Web Application Suspicious Activity: POST Request Declined",
|
|
"sha256": "36617ec8850ae04feba7b8e3f638dbd57f270919fc6fe0f7e8fd1ee32c922bb5",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"a9198571-b135-4a76-b055-e3e5a476fd83": {
|
|
"rule_name": "Hex Encoding/Decoding Activity",
|
|
"sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
|
|
"sha256": "8bcb179876e491dc57dcb74d2471a21b560fabcada15d9c803e602b45a1e1e70",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled",
|
|
"sha256": "fca5d6db063f33419f452eb6aafee03ae9dd503fce594e4a95d73d86620c04ee",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 15,
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "c6815b312e514dde1e95bfba50fc831bfbdd71cde761c45cff9928ddd5251005",
|
|
"type": "query",
|
|
"version": 13
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "c4909172dfd50108f0abed3aba686e685089632adfc228255d684fb7b32e2c7d",
|
|
"type": "query",
|
|
"version": 16
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "b2daab0a2fb7c6a49d316684b16b34bc48a433eb4288b640b70d8f7155f44852",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Password Policy Modified",
|
|
"sha256": "d24e6279427b06647bf3fd06e31435ede2a5935b00f6d945edc95bb76184920f",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via Hidden Run Key Detected",
|
|
"sha256": "0961c6edc3675ce139252e031dda275f7c2713ef3d76bfa44040aefb2afa7efc",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Hidden Run Key Detected",
|
|
"sha256": "433b9ac39a189255169106c8fce4bc7463ad9f93199e32555ff90c0c01feb037",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "f3e51f33c8c8fda2a728a1e73185ef757441a7a1fe4d4c7e057ba1ba00e8fd4c",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "IPSEC NAT Traversal Port Activity",
|
|
"sha256": "db21fad431416ec9441e3ecc36899ed7f07150934597bad7fea0821595ba12f1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"aa8007f0-d1df-49ef-8520-407857594827": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP IAM Custom Role Creation",
|
|
"sha256": "04d6d20db9c8c8bbd98a77b090067d46efc0d6091ef0abe5e63bb6798f7c803c",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "GCP IAM Custom Role Creation",
|
|
"sha256": "9f752228a317a2a789cdd726eee2ea32258ec954d76e1e967d18b561faa063d4",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"aa895aea-b69c-4411-b110-8d7599634b30": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "System Log File Deletion",
|
|
"sha256": "9a47a157326055c14e4487b55a906009c79e7e0b45fb280ccbef121b35e74e8e",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "System Log File Deletion",
|
|
"sha256": "e957af32272cbe8f63a9f16b0d4539f8c3015cbf87e63c4ee97aa3886b55bdf9",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remotely Started Services via RPC",
|
|
"sha256": "e9b84550c8017aec72d49f15fe13c67df843abbb87d04fdce004e54d174ef69e",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Remotely Started Services via RPC",
|
|
"sha256": "3d14c3fc5b846701ab09ed6c99c5d6bb55acc3e55ccf261882a624ceb4aba581",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote Execution via File Shares",
|
|
"sha256": "a4fa795f24e1eecf02164092ec16a99174eddb8733615dc448b876ebd08b8426",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Remote Execution via File Shares",
|
|
"sha256": "c2a5462c75d042d62a6055d50df0214ca4d11354cc6970ea2dea0a26e544012a",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Windows Process Calling the Metadata Service",
|
|
"sha256": "c8bab792d5a0d3d62e1447a105d4446258611cda4cb8a9e4b694a0d514c93728",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Process Calling the Metadata Service",
|
|
"sha256": "e3d6764e1b127cbf3554a696701134a380a05acc03ebfd8ca6809ddb38161aeb",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Persistence via Login Hook",
|
|
"sha256": "f182d2a5e737be7c35daf36c8ca3510919c2bf6cfc2379711b3a866f4069eac4",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Persistence via Login Hook",
|
|
"sha256": "79ea1a08cbbb61e66bbf31ae15e0f7a93c5f389989ae980cbeee302412ab8cc0",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious WerFault Child Process",
|
|
"sha256": "2ba82e2240cb3b0213c5617a7d13fb0bcb0047fdd6f3b7d46f12aae06d22e472",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious WerFault Child Process",
|
|
"sha256": "23935934e5f6286a952467374de45be57eaf2f087a3a5d7173ca4dd442eab89a",
|
|
"type": "eql",
|
|
"version": 104
|
|
},
|
|
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual AWS Command for a User",
|
|
"sha256": "bf21bf3820a8d1fcbad4e7592d7c82a26e944e5b846959633030809fbd449532",
|
|
"type": "machine_learning",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Unusual AWS Command for a User",
|
|
"sha256": "d45010efbba1acde3da1ddbba00bfa078e4cb6a7309d024a56ea0e3f920e4c11",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
|
|
"sha256": "a342bfd3e7aa4925926c7efd91db9ecc8442cdeb5c66dbbcf772092e1a2d55cf",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
|
|
"sha256": "0c8d4a72c696e4332bfa9e13eb0dbd1124b52d8b7d0539a2ef5acffbd89393b6",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"acbc8bb9-2486-49a8-8779-45fb5f9a93ee": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 14,
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
|
|
"sha256": "cb726260cbf8b5a0f646d56b06b9be07fc0ff6fb2efbda14ded64114e8e1c32f",
|
|
"type": "query",
|
|
"version": 12
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
|
|
"sha256": "e83a4b6239ffd937ca01ed100a5d9d4f28967445797a34ee411768d8991f212b",
|
|
"type": "query",
|
|
"version": 15
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
|
|
"sha256": "17446570b779206b8cae475969306c45b64cbe3a2b933fac52f4a5525d6023b2",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority",
|
|
"sha256": "a053c9d367e47803d813b89bafecf8c714193d46da3a2ec7eadea82da11342cc",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"acd611f3-2b93-47b3-a0a3-7723bcc46f6d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Command and Control via Internet Explorer",
|
|
"sha256": "ecf39233d5f53c119cd57516c3b0ad7c0bc09ff58fd279a47a28d5b61f6c10e1",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Potential Command and Control via Internet Explorer",
|
|
"sha256": "adc813bff915c60b2c50bd78173b416de06b9db9ee6168f30b02ce9f75930c00",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential SSH Brute Force Detected",
|
|
"sha256": "d29b62554e453edb9dea6a8ac0d579c62aded9e00bd9d832e71760d5738d5c1e",
|
|
"type": "threshold",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential macOS SSH Brute Force Detected",
|
|
"sha256": "d7f718387fa41599ca59f347f3802f8b1f0f38313b0ab5520a32b45e380e1b50",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "a357b9a510442209bb5f8d23dabe74e4309831848d7ac1c52301f236013ec19d",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Managed Code Hosting Process",
|
|
"sha256": "1f3a8d026b152e0c054e68e3a7fb4124104cef4201b2f9e0e268bff0580872f8",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Signed Proxy Execution via MS Work Folders",
|
|
"sha256": "d429e915fb2c4125fb4990d0e489102f961dd33224c3e70220b15d3751903824",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Signed Proxy Execution via MS Work Folders",
|
|
"sha256": "17bb60b98640ceb19c2048f47224222ff46757c6f9c6a1ecad88fa0f7ac20cd1",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": {
|
|
"rule_name": "Proxy Port Activity to the Internet",
|
|
"sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ad3f2807-2b3e-47d7-b282-f84acbbe14be": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 14,
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "d1b026666d40c609533cf8728001d959fbf822a6ea704f9471b93c1e1bc79142",
|
|
"type": "query",
|
|
"version": 12
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "c8bca11e5b1732bfc4bffb9bf1377db165824c647a7bc60bf84ec0f947cbde14",
|
|
"type": "query",
|
|
"version": 15
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "1994f125fb87d27a74be9c4dde9edc895032d5d6fa9897d86f19e87d15ba6b82",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace Custom Admin Role Created",
|
|
"sha256": "3c372d8580234e86ab7782b92f0f70b058b1cb50f36a7f7a9e6a90d83124659a",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
|
|
"sha256": "b70e724e7ed3a0764f4e30d64fa85314bc7819636d9f82c92bd6a72ecb0e9904",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
|
|
"sha256": "f657373af800c74ccef1ecd06cc71ed81e019056eb98a34716f2226c6016582e",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kerberos Cached Credentials Dumping",
|
|
"sha256": "8eb1433d514c8bcf8670859a3904ff86b03e31f4050334e9bb5fe33dbb5b35fc",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Kerberos Cached Credentials Dumping",
|
|
"sha256": "f0fab0cfd34b827f9aa671466963896648dba1aeda9254e9d468c41731001dd4",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Netcat Network Activity",
|
|
"sha256": "31a31c303f07c9556120cb94db7f8c7ebfb77cc7a363376fe5262ff8f5e2c07e",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "File Transfer or Listener Established via Netcat",
|
|
"sha256": "51c6165128b661d0b7b4468860289dc3c2cf78a66519095c032633694b43b920",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Local Scheduled Task Creation",
|
|
"sha256": "ea88687da0b3e350cbec589c89e6b91be2999547a3762f95b3ee42423842539b",
|
|
"type": "eql",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "Local Scheduled Task Creation",
|
|
"sha256": "1373b59fea16f6e151bcd9f897e78aae6f1df077b5e1d54bfdf95c93e26804dd",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"b0046934-486e-462f-9487-0d4cf9e429c6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Timestomping using Touch Command",
|
|
"sha256": "03332052d7bcda03a20798da8475f4f192d2d0f46af22fd17630ff8952aab524",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Timestomping using Touch Command",
|
|
"sha256": "d166013b261b74467ebee38865be0b81a1b072511ea74b4560ef8c0910aa8f07",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"b00bcd89-000c-4425-b94c-716ef67762f6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
|
|
"sha256": "6019d3a7c04e868bfcd2a4ce5b6be1b4dad353849b67a12816d62c13d0db55e1",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
|
|
"sha256": "47a6d5ab9748a9ed7ba99f174a529f617f467026ff9b0e46e3cfea519ff8fb70",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": {
|
|
"rule_name": "Potential Persistence via Cron Job",
|
|
"sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"b240bfb8-26b7-4e5e-924e-218144a3fa71": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Spike in Network Traffic",
|
|
"sha256": "64955fd74b359a0ab411b632bce3bd9f4520f486fe3a1b7a16e7f4973faf8417",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Spike in Network Traffic",
|
|
"sha256": "64955fd74b359a0ab411b632bce3bd9f4520f486fe3a1b7a16e7f4973faf8417",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote File Copy via TeamViewer",
|
|
"sha256": "bbbe884c4ab21c2cf6da78196dbe4840ac39e83bbbfd9c7b989da641d7ecf781",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Remote File Copy via TeamViewer",
|
|
"sha256": "d7ee224cbe7c352b7afff98c16639289de222d95c24121fca3016edb3085c3e9",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b2951150-658f-4a60-832f-a00d1e6c6745": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
|
|
"sha256": "c15e0ca82179bc61cad6e21dcecf05156532d48168c2e929eb9225e9929bd54c",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Unusual Volume of File Deletion",
|
|
"sha256": "f9ce2b376d71fa22fe26823243794720d947aafa6bba580615d431c8cce57a99",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "15eb788d4a9800bec206ecacd72fceec547ba4fffccbf3f1860e532c9e9dcf2e",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Network Connection via Compiled HTML File",
|
|
"sha256": "d3a4b1d50f417f800b524bf46bfd44b26d551e31c5565f27aaff8b75580a6e2a",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"b347b919-665f-4aac-b9e8-68369bf2340c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "e25a73b70b17529d8b55a00fffc8d8519098a3374280fad8d7081623383fa6eb",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Linux Username",
|
|
"sha256": "912c516b39b6f85f0aec770db42879bb07f167b39dceca96085ea274114e3953",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "bae454d37c97afdf6c1303e06d1e2bf81e178a7ac750f24c8fe9702a1fccd249",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Endpoint Security Parent Process",
|
|
"sha256": "0298711604cb417baaba1c3c6d2c027ebddc17bb81292016ade98dc1d957b2b5",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b4449455-f986-4b5a-82ed-e36b129331f7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Persistence via Atom Init Script Modification",
|
|
"sha256": "d12bd7983ff5fe776653f790d4e8ee2333413bf1e652396a00e96742ae0ed425",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential Persistence via Atom Init Script Modification",
|
|
"sha256": "4a407fb648f6dcccebaf0e0d9fb0761631526b11e236b395dce88fc4f8b244a9",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"b45ab1d2-712f-4f01-a751-df3826969807": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS STS GetSessionToken Abuse",
|
|
"sha256": "a16c71cecd3c18625bcda7dcb6b779b65910eea51f4833319401d2b876751d1b",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "AWS STS GetSessionToken Abuse",
|
|
"sha256": "a3b7e08e0a1fcb01e4ba8e753901196723bb44511604dd026d0d644d349b08f5",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Delete an Okta Policy",
|
|
"sha256": "6117d395132d33dcb37abc399f31be1ec36cb113a46014969e3e8c346de92241",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Delete an Okta Policy",
|
|
"sha256": "28b42be958d0bf8a397306dc7f0cb14cfdbe0f0eaccb5755c9de565c0880d356",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b5877334-677f-4fb9-86d5-a9721274223b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Clearing Windows Console History",
|
|
"sha256": "38d90e293ad91df8f5b8d1b50f36ccf4ae6d4c025e1a72f7b44ee1c8cb296950",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Clearing Windows Console History",
|
|
"sha256": "3661ee7aca3791f75d6142e3997459c18128261a97d7c4e25c71b4b8ccee6f17",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
|
|
"sha256": "d7ea25e3433ca8f64f4699dda914009c10dcad92b0f1eeb1bc71a13391a2560e",
|
|
"type": "eql",
|
|
"version": 16
|
|
}
|
|
},
|
|
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
|
|
"sha256": "620157c94e530a9b79fc01d1cd732c48c936128b4202327b17e814f1c502d364",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"b627cd12-dac4-11ec-9582-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Elastic Agent Service Terminated",
|
|
"sha256": "bbf62b64c2be8fc69c5cf32a50509ac3984131a165cf3c4440aff53a0bedb78a",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Elastic Agent Service Terminated",
|
|
"sha256": "880308f389f72cf7aa685439c096f0f36ad2470ac1db401751d081f2aeca783f",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"b64b183e-1a76-422d-9179-7b389513e74d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Windows Script Interpreter Executing Process via WMI",
|
|
"sha256": "239fc0484293f38ab48bea2184b5897df6fddbc7c1088d9ee2995547d0f72ec8",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Windows Script Interpreter Executing Process via WMI",
|
|
"sha256": "6e831fce582191305c1d7d3da75c0f080265f7c68e86194ad2a7f6b5bc6e4bad",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"b6dce542-2b75-4ffb-b7d6-38787298ba9d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
|
|
"sha256": "cda9d6420803eeff9b35d9028aa6935ff4d213c1caa90595097960c9e1acd8bb",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Azure Event Hub Authorization Rule Created or Updated",
|
|
"sha256": "dec0e528ce72f07f7bf7bea01a9998937ee8f566408acb58fc234f02e7a2ca70",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Deactivate an Okta Policy",
|
|
"sha256": "60164749c3210d3649e58a3e25f0cd7d7ba346fcabafc30b70aa5bfd1c7f953c",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Deactivate an Okta Policy",
|
|
"sha256": "e80ff50996cd7da0cca7153e82a4a23ac280c4f59a61b07d8502cd37ea7573c6",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b8075894-0b62-46e5-977c-31275da34419": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Administrator Privileges Assigned to an Okta Group",
|
|
"sha256": "caf8faad9c8fe37979f1c02c18d19d948a17fae64f01a8e5cc016a50f1cf76da",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Administrator Privileges Assigned to an Okta Group",
|
|
"sha256": "232980a0baea2530b71daf1953c4957e214ab632c7911fbdbf3ff40ceda34c98",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "25a1de83681ef1540f609d3490620ba344894b74b2ee92d4ddc0bfb84a6b45b1",
|
|
"type": "eql",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
|
|
"sha256": "9dcd7e2de7584ee1abd8d7b7c44150f6d4ffea348f700cc8ffaa55eba3b8d265",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "6569c4c09b7707943f2abd68297581a9b96cda43f2749734235e476c970787d4",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Network Connection via MsXsl",
|
|
"sha256": "350f555b5d13e59fe6520c834730a719acf84dc65bd7e8d827cb550678ae071a",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
|
|
"sha256": "c331e0a716974ea21eae76d7b37f16e0f6b158e79b198cd009dcb38f562d1a90",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
|
|
"sha256": "bd08321fd4acb2e28f140106546a9b77fa1770af07439731deca251201d4aacf",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"b910f25a-2d44-47f2-a873-aabdc0d355e6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Chkconfig Service Add",
|
|
"sha256": "bbf7065cbab3cc380cef1f9b3ef2e40c2686e1d5202252f23cd544a516877b0d",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Chkconfig Service Add",
|
|
"sha256": "8d327e0ae652be44e3e65d14ddd87454ab8620235a4e95a146e566464a1ac8e7",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host",
|
|
"sha256": "c0cab21b20611d9b1a263e9298c27e29fb538f6289afccfb13bb814958052974",
|
|
"type": "threshold",
|
|
"version": 3
|
|
},
|
|
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Group Policy Abuse for Privilege Addition",
|
|
"sha256": "1d211f0a0697815ab2ee20f20ab3163fb61e42278fa4b5921bbad99efa68634a",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Group Policy Abuse for Privilege Addition",
|
|
"sha256": "7faeeba1773a6daa9dcb89c1f792a9cb0e2592573b0762edf7db14d9a6ec5b80",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"b9666521-4742-49ce-9ddc-b8e84c35acae": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
|
|
"sha256": "285891514c70f9a4bdb265d76d50a0dea755e00ad2f1ea37619fbc8450287422",
|
|
"type": "eql",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "Creation of Hidden Files and Directories via CommandLine",
|
|
"sha256": "f68595a5ca6c1311ff5da3bfaee65b416b49edb556d0890996e8ad1f19faa553",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"b9960fef-82c6-4816-befa-44745030e917": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "SolarWinds Process Disabling Services via Registry",
|
|
"sha256": "873d27c6621fc80c5c4890000abc5ee63099a0a04a7f19ad10551de3ecf660e5",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "SolarWinds Process Disabling Services via Registry",
|
|
"sha256": "7e024917580fb56c53fbf08d616d9bb2689d374f7a60c2645840b2462b43b7b5",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "e902d7fb397e08212a5197fa5dce5708b07375ee8b7ccc2719b0633e9b8c27e3",
|
|
"type": "machine_learning",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows Network Activity",
|
|
"sha256": "7b02abc336d84242dd450c5912423eaaed3a749e68d8a3f890cfdc80079a6226",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
|
|
"sha256": "fd7ce2d2723ab08731ea17180d65559e6f7a5c93cdcdf4ab2406d05846bf37de",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
|
|
"sha256": "cca15619da3b32135e9a82607a350fae3f122441c9af185b960dd2ff67233820",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Resource Group Deletion",
|
|
"sha256": "225a663f235910ed9a74eb8ff36cc51095ab83677e3d8daa8954da29de2b6b62",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Resource Group Deletion",
|
|
"sha256": "3b25861f68b1100642f9a3ed68c945e918ce6d65b653ee7d065ec2ab7378a294",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bb9b13b2-1700-48a8-a750-b43b0a72ab69": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "4025a11d274c2ceb96f009a6c57bf9fc493e1d91258bb40b290cc42a39464630",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "AWS EC2 Encryption Disabled",
|
|
"sha256": "7cd457c3240ddfe26d5d4558b82fdeae39d887ca6d295f77ba3fa54ece53997b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "OneDrive Malware File Upload",
|
|
"sha256": "2046461085f32a7b72d00a3fc9d855150e46efce819a90720a13f1cafdd9f451",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "OneDrive Malware File Upload",
|
|
"sha256": "271d10e5de2e8992afac079441588c01bb4fea4985be37207a4f63cd14de73f3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bbd1a775-8267-41fa-9232-20e5582596ac": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
|
|
"sha256": "337779ecd316649e262c7e31f4d0f28ab285571f1cd3c8f3300f11ea579e9dbe",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed",
|
|
"sha256": "93d1b13957ac532ad6ab4712072ffdbed8a3d3107e6aec621b72742431d1c5af",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bc0c6f0d-dab0-47a3-b135-0925f0a333bc": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "e41c94e88ce170a7642375c19b31680ecb8cb01b057519518c2e27ddf5dbbe43",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "AWS Root Login Without MFA",
|
|
"sha256": "7b8bfb16fc7de8277d500572853e0879c958a20c05775e999fd83114615633cd",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Storage Bucket Deletion",
|
|
"sha256": "abccd332b70f7792ac3df97f8a8c7b820f8318e6dc845c71ee3a00c7fa72d21b",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "GCP Storage Bucket Deletion",
|
|
"sha256": "134d12ef938ed48704eb9729c1a3e34f211490ec5dbb9e5d5cf458cdee36cb6c",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bc1eeacf-2972-434f-b782-3a532b100d67": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Install Root Certificate",
|
|
"sha256": "8a2581f2613198e069bf50428befcccde626bde5c3329f7dd6799ffef0e2b66f",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Install Root Certificate",
|
|
"sha256": "15613b717994777371920a3579f34bcec1e7c1f6c0e88fa17e4c2b02df0b6b0d",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Conditional Access Policy Modified",
|
|
"sha256": "0d5f7f7cd950530e43f8061422946c3ed98864c5d7f4e2a7b70ecbd0043b4dea",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Azure Conditional Access Policy Modified",
|
|
"sha256": "7d464f589cef8e69158a8ecfcec8ad0e0eb6b9100e4e8a046bc9d7d8331e9e65",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Potential Non-Standard Port SSH connection",
|
|
"sha256": "ef8d1e8236ba6dd2c821d9f2b49f9b7d3b4459a19442874457ff4d4ea6451b5f",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"bca7d28e-4a48-47b1-adb7-5074310e9a61": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Service Account Disabled",
|
|
"sha256": "446316b8793acc21c065843e48659dc5c0741e50b48348c42d8091ead70aaf88",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Service Account Disabled",
|
|
"sha256": "e81d904e9ea39fca420643d85f858b8a0f52f2d7fc45be1523fae2dcb4f3ed94",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"bd2c86a0-8b61-4457-ab38-96943984e889": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "PowerShell Keylogging Script",
|
|
"sha256": "055b0cdf7f95c9f6a820c512ca9e97a7ff34a41bef1599875091ab66422a238e",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Keylogging Script",
|
|
"sha256": "cf831ea0e6e09584f2304383208a6412f6948628b50083815985e0281224fda7",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Print Spooler Point and Print DLL",
|
|
"sha256": "d32226f39b805f0d3b878197ce1e5edefacb3256c64e3e9202c9471e13b4e3c9",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Print Spooler Point and Print DLL",
|
|
"sha256": "e9209e626b869f0bdb2dabee1e2af19340f537fa40c1237751a4067eb5d9c325",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"bdcf646b-08d4-492c-870a-6c04e3700034": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
|
|
"sha256": "015745600463e9a1d6e2dcb6b06f3e8a1734b07afbb6d7b4af670462e85f6a01",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
|
|
"sha256": "438aa121c93519e469d9edc53809ec8126490a8c7983d8287dcb3a31f2a192ab",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
|
"sha256": "c108531ffe8d2942cfd96060e577320ddea84961b41d8d0dc4f3184028a7e558",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Searching for Saved Credentials via VaultCmd",
|
|
"sha256": "2b6e5e5666967339707adb599eb8c02b6979423816b35151610432c1189c9a73",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"bf1073bf-ce26-4607-b405-ba1ed8e9e204": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS RDS Snapshot Restored",
|
|
"sha256": "407e232dcb7c87839e92e728b33fdd7802cd70f413d313d516e801c854217b38",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "AWS RDS Snapshot Restored",
|
|
"sha256": "c70fa6812d5c09459120e55836e78e4d79aa13572a68b0e7b6c38a22b6266204",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
|
|
"sha256": "43df78621e41de3c8e5e86c1af48d514b045d358635229ba8a2fd0f7cc3490f8",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
|
|
"sha256": "a347a43db6424d3d3b80b739959fa0ab147a3e0befe437c9ba1debb026e02bfe",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
|
|
"sha256": "e38b278f03f4d9550032ce5e2c148ddf1f16e61c50f97af58dc6383df83f80fe",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
|
|
"sha256": "e308ba478ec7de6a8a8190ff610bc903fed794e457053ac22b303371c57bc18b",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "eaaa0be08f9c816cdd87eda6ace86ee28b68147a27fb74acc5575b89f6b297bf",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
|
|
"sha256": "3f909709b3aa8d9847c721ac68984472e834901d3e9df009dce6bf311ab3cb2d",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c0be5f31-e180-48ed-aa08-96b36899d48f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
|
|
"sha256": "ebeacb47380be9a09a9d1eed5566517aca491c5c2d96341e0e7638da0f325dc9",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Credential Manipulation - Detected - Elastic Endgame",
|
|
"sha256": "8d36cb1bb98e55bb4e2ed2cf06aac2db1e1f3a86b9c99dcc91ac589074a780b1",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c1812764-0788-470f-8e74-eb4a14d47573": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
|
|
"sha256": "beef9e00937e345042597f3ed53542f76ca08838731a5f61c294fb65b1f749b7",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "AWS EC2 Full Network Packet Capture Detected",
|
|
"sha256": "eee2c9e0684f2d256680539e87c7efea97488a912d88721c8e0223d8348b8eb1",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "5d7466ef9e04c7cd2d7070b0824a4df93383dc6a3bb31abbc7becc064a38a057",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft IIS Connection Strings Decryption",
|
|
"sha256": "9244f3938dd5a9ba0c4ab6c1f52ead2a7160ec75fa00bf98471f6af86f91508b",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c28c4d8c-f014-40ef-88b6-79a1d67cd499": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Linux Network Connection Discovery",
|
|
"sha256": "711dd36c9d0eca5be33613044ab9de38bdc703b51e619c57abd6125385dc7bb0",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Unusual Linux Network Connection Discovery",
|
|
"sha256": "e124e0a0c8431f7cb9d2620441bbba0cd3b662770721332fa1e52b056c6c3dc2",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"c292fa52-4115-408a-b897-e14f684b3cb7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via Folder Action Script",
|
|
"sha256": "2b60a88bd670e6e1ee0b80ff257f00a7f4e3d30c07ea6d3795398989840050cd",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Folder Action Script",
|
|
"sha256": "e6517f94787ac2460dd01b1015e31092e9aa1496e9515f352ede404519c81f88",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"c2d90150-0133-451c-a783-533e736c12d7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Mshta Making Network Connections",
|
|
"sha256": "c02ad5adbafb5f0e2c94101b9d8ff86a48baaa9d36ab95c07a3df386963df3c0",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Mshta Making Network Connections",
|
|
"sha256": "6d9ac82faa0f2422dfc32ccead1d2f52f9336b8d5576ce54d343a19dbcaeacbd",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c3167e1b-f73c-41be-b60b-87f4df707fe3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Permission Theft - Detected - Elastic Endgame",
|
|
"sha256": "d678380453e0f0b6769da30e54f6a9ff1b02cdfd3c9f44817f5e52c3f76eccc6",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Permission Theft - Detected - Elastic Endgame",
|
|
"sha256": "8c71d85fb8e7ca57ddb9f334300043978dd5976f7efc1d0ad06d561ea9cad9b9",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via BITS Job Notify Cmdline",
|
|
"sha256": "59903aa0ee2b98dd7b68d87048b5cac465cb91b05eaa78dbd066f43cc692a1b9",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Persistence via BITS Job Notify Cmdline",
|
|
"sha256": "9ce3f7975f4fbc0835b4a03638252e343f89b12c5ff3cbda48f97720db5f022b",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"c3f5e1d8-910e-43b4-8d44-d748e498ca86": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
|
|
"sha256": "f60fe5b32ff54a35a502abef27b7a8c4a8294ad3ad27523e6a38c233611f7732",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential JAVA/JNDI Exploitation Attempt",
|
|
"sha256": "3510e04cfcd716d998a26241461fc1ae03bdca9c148528df59246366583fd498",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Mounting Hidden or WebDav Remote Shares",
|
|
"sha256": "2a4680018cf4295914ef398a0463c2bd7dcbc3ac5ad8cbda20d0f7fcc7777c5c",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Mounting Hidden or WebDav Remote Shares",
|
|
"sha256": "58bda59daa48d3f1c984087040349675b0a03376fc148822438592f2e75aa3b3",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Print Spooler File Deletion",
|
|
"sha256": "cb6467aec9a8efbce200c151befc915eb2db3882b84358a4cdf00d9104327d78",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Print Spooler File Deletion",
|
|
"sha256": "a81b65308960ddeda72e024312fd5d41cf288af5523ec31b92e679d9e2753317",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"c57f8579-e2a5-4804-847f-f2732edc5156": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Remote Desktop Shadowing Activity",
|
|
"sha256": "58344617d62b41f202f44b3143e2f946d7600510e021c58a48cb1955c42157e9",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential Remote Desktop Shadowing Activity",
|
|
"sha256": "d880e73eb0f8381fffd43c6bdad0166536e7247a1ccf527249f2476e5bf71523",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"c58c3081-2e1d-4497-8491-e73a45d1a6d6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Virtual Private Cloud Network Deletion",
|
|
"sha256": "c5022f7a759d76bc0a187f9612b1034b0faa982c8e9b05ab345fe252c6ec2caf",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "GCP Virtual Private Cloud Network Deletion",
|
|
"sha256": "0a9032ef1c30200f1cc3ad3389897e916b69c06204af2f225c04e61f54f8bf90",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
|
|
"sha256": "e74680d2801209f53df00cfcad05ff388692b52918c2ff3f018df44999e5ab68",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
|
|
"sha256": "a8cc538288867af232cab4a49229033c8a3244f6b445a772a6811ee4d9bf38e8",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "f4cec74529561a0fc2e6dfcd5ba89600e6e9a30c2832e5070005d0d96511968d",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Installation of Custom Shim Databases",
|
|
"sha256": "39db7420236a73d9c816980fe605ad334fb16989bf120c412ac277de20917b30",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "ea301ca7e7d227378716c3ed96bdd9e028e2e189f0142885780ff9e9d157e6fe",
|
|
"type": "eql",
|
|
"version": 13
|
|
}
|
|
},
|
|
"rule_name": "Microsoft Build Engine Started by an Office Application",
|
|
"sha256": "14265e3277a7e20e4bf7db785cc93f810b94d8b9fd2941311095eaa1fffa83b0",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c5f81243-56e0-47f9-b5bb-55a5ed89ba57": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
|
|
"sha256": "11c7d628e42834cf18a0ff6695673e7b4d30da3ef8efad6fef35a2ccb3ef745f",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "CyberArk Privileged Access Security Recommended Monitor",
|
|
"sha256": "f059a8f7ede213e8a714e9da098089e0348d0911cdcfe111f57eb42c02d8ef07",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "276a468726946549ef3f02c8b97760a323a403a68dbfc8f7c3263d5f94a76f69",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Remote File Download via MpCmdRun",
|
|
"sha256": "0437f1d2b67c2d7f6a784569b8663a5c59898ff2edac629f5972d6c2a4345083",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c6474c34-4953-447a-903e-9fcb7b6661aa": {
|
|
"rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet",
|
|
"sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c749e367-a069-4a73-b1f2-43a3798153ad": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Delete an Okta Network Zone",
|
|
"sha256": "8c2d99b22d9a821fd2097d3c5efb649fd5b1f9082edbb56773878940c64f83c0",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Delete an Okta Network Zone",
|
|
"sha256": "ca0f503e8fae0469ced007730bbddcb8f7ccb18fbbf43730792333ca1a09aa73",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Modify an Okta Application",
|
|
"sha256": "96caea11aa97bb793f524a016ce9ea8a9547380f255f0468cc7b7780d1ad498a",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Modify an Okta Application",
|
|
"sha256": "82ecca8efc10bc1cc58ea10d5ac7df12452174a2eb96738f54e5d4c36bcf3854",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"c7894234-7814-44c2-92a9-f7d851ea246a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Network Connection via DllHost",
|
|
"sha256": "b02be7c05f4bb78a1a219cb52c0e1383c9d77a7d0091ecaaadbf9e2c177d7ab4",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Unusual Network Connection via DllHost",
|
|
"sha256": "6f2b6786c1e132360fe0d2620fe177ee8f7cc2df92a302c495e9e9549ddfd63c",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c7908cac-337a-4f38-b50d-5eeb78bdb531": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "01bac327794401a552f635ee0b3a0bcc5ae37d9ca094baaf92b7f233dbcbef0b",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "490d52d841dfa80ed829303bdf0106213c05928b84203e29adca6b9ee93ffc98",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Privileged Pod Created",
|
|
"sha256": "1fc74b97acb32fa696b0ac3a36626bb985e83b000303ff04257dc0415df35bf4",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual File Modification by dns.exe",
|
|
"sha256": "3d8b44e3b658a23b1d325e946b48ca23595108bf8b821c2afa0932775568c8fd",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Unusual File Modification by dns.exe",
|
|
"sha256": "bbb3f5026d23f21f3f16d0ed4f0baa27be993fcf8ecbd9b8f22c9b9e3f05f53b",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Spike in Network Traffic To a Country",
|
|
"sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Spike in Network Traffic To a Country",
|
|
"sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via Docker Shortcut Modification",
|
|
"sha256": "8b02aafa4506d9cb5eda8c8243ed102f6b9e882c5a109e5c1f26b086ffbb0afe",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Docker Shortcut Modification",
|
|
"sha256": "dd61b276ea5df6e544b1a727b69554a9ed3aea45d78be644eda030eccc88e01f",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
|
|
"sha256": "cccbd868c1f9fa563d8d731c88ed3e783e085b8c53412177f113a9eaa94118ac",
|
|
"type": "query",
|
|
"version": 13
|
|
}
|
|
},
|
|
"rule_name": "SMB (Windows File Sharing) Activity to the Internet",
|
|
"sha256": "c762f5de1c0dc8d4fbefecbe5ec987d85ff703868558b4c2025a6491f8434e05",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Direct Outbound SMB Connection",
|
|
"sha256": "c6c4691ccdc5e9a66fbfda821c297d1d55b5cb07d3807002a8924db894f0ab52",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Direct Outbound SMB Connection",
|
|
"sha256": "2fdcff8e5aa43ac784f50625c3a90447290b647455ba7b6ff21a5bbf3c2b9407",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c85eb82c-d2c8-485c-a36f-534f914b7663": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Virtual Machine Fingerprinting via Grep",
|
|
"sha256": "e3eee97261e6eb96eba1f05a344fe29cafc24ef890b991f423887461f7a2fa2d",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Virtual Machine Fingerprinting via Grep",
|
|
"sha256": "08f7dfa2f2caa4e537757679fc7820400d2a971cd8c606b0dd4b8c8a7f8c9e00",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"c87fca17-b3a9-4e83-b545-f30746c53920": {
|
|
"rule_name": "Nmap Process Activity",
|
|
"sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Parent Process PID Spoofing",
|
|
"sha256": "1fef8434702bfb1e375a190414def78e6ee6a6523b0ab47eab82953922195230",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Parent Process PID Spoofing",
|
|
"sha256": "16fa422031ccc857aaf5bec99748fddf9a627d062039deb25431918741bee770",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Startup Shell Folder Modification",
|
|
"sha256": "bf93f818a5acdc021805c2fb4f53fa56ededcdf991128dd0b0bdbbd7d3f18c8c",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Startup Shell Folder Modification",
|
|
"sha256": "21ddf3399b356f22c1c87306172326d752ab5cac039e3f6bc37adc1431a2c08c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
|
|
"sha256": "2f2961f517d0e9d4a328175bccbd326bd7faf5dfee6e9f6503416f3aca86b008",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
|
|
"sha256": "48ea68fcd1f0cee1082ae2971e0117f3ed9a9ed908acafa550d3d1a1b92a8753",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
|
|
"sha256": "85039ed0d04d2658ca81064f458976d86e88705fa02d00cf22104d46ff4085b1",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
|
|
"sha256": "40292ab6b3b74c0736e9142d0a2f4da6595e481d679c644ebce45713e3cf04d3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
|
|
"sha256": "0b482e9161bd3ed8bce4c2863a6411cc274efdd5134e2e3dd73e9ef1333dda0e",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
|
|
"sha256": "d3608aa64d0dd96d0b1a38306836f9ff19f6ed3b68cb7d959eb18eb762fd5149",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"cab4f01c-793f-4a54-a03e-e5d85b96d7af": {
|
|
"rule_name": "Auditd Login from Forbidden Location",
|
|
"sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cac91072-d165-11ec-a764-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Abnormal Process ID or Lock File Created",
|
|
"sha256": "b8e199e0275a56f67e21011dad1879c8a66b32cfb373e69af50442d187c3c1bc",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Abnormal Process ID or Lock File Created",
|
|
"sha256": "62e87462fadee6fe66b6c85465f0e3ca7adbbbdd1d6fa0e41fb0a57728d1745d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 15,
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "599fc850f87b0b11bb3af05aa1936c1859f7c5e188c1f83be2655ea3cc71a1db",
|
|
"type": "query",
|
|
"version": 13
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "3ffdd0f16144e0dd0d207c2e8604c3cfc075b03c9e2c2bc68530c26c20242b35",
|
|
"type": "query",
|
|
"version": 16
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 205,
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "c2c4cecb5067e1562eb9b4381cb2f02f94d8eb714461d1985ff84449ddb93285",
|
|
"type": "query",
|
|
"version": 106
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace MFA Enforcement Disabled",
|
|
"sha256": "34e19b874f33327105443e1ceee3593b9bcb1b30eb30f5795bf9102bb91339c1",
|
|
"type": "query",
|
|
"version": 206
|
|
},
|
|
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Calendar File Modification",
|
|
"sha256": "a17d553f673da651ded7a3ea66e07c128029b88490acc7ebc9e1ace84c9584a1",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Calendar File Modification",
|
|
"sha256": "f99fb27505f4eac2571cc8fd9ed2603afda83fc1ec1b7b5c092f580496bfc88b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
|
|
"rule_name": "Process Discovery via Tasklist",
|
|
"sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Enable the Root Account",
|
|
"sha256": "25a2832a5de142a55071b950816a7c18bc95e803ac391db31c6caa1ed11689da",
|
|
"type": "query",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Enable the Root Account",
|
|
"sha256": "658d8bdd8e41b3e08b66ea422ecdf4852d2aa00b25c5cfef9e754af84895ad90",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"cc6a8a20-2df2-11ed-8378-f661ea17fbce": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.3": {
|
|
"max_allowable_version": 103,
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "3518355a90ee6354be595124e70b25d82c59ea2fbdd8bbbcc0d0e2a62512acdb",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Google Workspace User Organizational Unit Changed",
|
|
"sha256": "d60b7181cd6749f1c0bad9cba1e5b7729a705db850228a659eec5f107737a162",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"cc89312d-6f47-48e4-a87c-4977bd4633c3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Pub/Sub Subscription Deletion",
|
|
"sha256": "bfe8159a7886d23dd38393fa9bee89ac16f4726a3c4f25cf4ed5898c41168383",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "GCP Pub/Sub Subscription Deletion",
|
|
"sha256": "502bd12f4e8b045a85e3b60e96f365d676ee1b23bdb48ac6192572a63a476162",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
|
|
"sha256": "f3f3e6c106b9b59224b4adc2dcc0440429e547b549cf3968180a653aaabe5ec4",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
|
|
"sha256": "96d42c07c11ea1e66f37d0fe71463b4bc8ff9f7dba1c7aa62a2a77482af2d478",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ccc55af4-9882-4c67-87b4-449a7ae8079c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Process Herpaderping Attempt",
|
|
"sha256": "2b1dac1ccc6843acfa825aa0f250925056ed80d273deef8c7fd10f656fd48f35",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential Process Herpaderping Attempt",
|
|
"sha256": "5cec07b6cc3a1468a586e6de3bfa17cf707581a32157c7d50099972ca88f91db",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
|
|
"sha256": "a1813eae5d63d4726b936d105486b17a6d73e0c440c903e014e7616dfe44172d",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
|
|
"sha256": "f62ce3d63c7514a1b1e3485043746bff4cbd29215e3532662de3da9a45385c48",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
|
|
"rule_name": "Socat Process Activity",
|
|
"sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Anomalous Linux Compiler Activity",
|
|
"sha256": "72774e826f2421c6fb071aca38cde16199ac2227c454f40e278aa68331bfb9ff",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Anomalous Linux Compiler Activity",
|
|
"sha256": "47355104ae58c2ce6a485512d48639feeab99afb93a70a0e73207a82bf3c6a9a",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"cd66a5af-e34b-4bb0-8931-57d0a043f2ef": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kernel Module Removal",
|
|
"sha256": "ada4b7f1536b5940bf11ef7267b8ccefd251c58d01db796b01ab135fc4d18a32",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Kernel Module Removal",
|
|
"sha256": "6cc9635dce995fdf627267bbb2abcd1fcb36561903af0b981a8a8b2a4762c7f6",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
|
|
"sha256": "f0ba64dc6504953e0d1713f1a46c37f9a3ddddf5ac0dac882e80bc5fb9825188",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Deactivate MFA for an Okta User Account",
|
|
"sha256": "18737d6849af63f0300dab6e931af5464f8c15f68f31f5bf7bdbd6b3ccb1cdbf",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Okta User Session Impersonation",
|
|
"sha256": "fd41cb20e5354ce70352537af6589d7fe8bddaaa3efc190dcb7f28c90016dfa9",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Okta User Session Impersonation",
|
|
"sha256": "b839129d515b067cff4aac735b1c9dc12f24f90fe301eb0b9fbc9bbbf4a4f19d",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
|
|
"sha256": "89f5e200675a86a78dd4ae429ab59815d6f2fc8a788cb55a3116bdfdf2661e67",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
|
|
"sha256": "92736e4242eab1da97777518c41f2b5844eb669f185cdefaf43fbdb7924602ad",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"cf53f532-9cc9-445a-9ae7-fced307ec53c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Cobalt Strike Command and Control Beacon",
|
|
"sha256": "251ce0bab9c64891a65817cbbe623561d5a89f168d844da108c03562d4e2266e",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Cobalt Strike Command and Control Beacon",
|
|
"sha256": "efd4dd156b54adadf3583f42ef14c6f31ec98f4d4e076afa2a06b529dcfa7e16",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"cf549724-c577-4fd6-8f9b-d1b8ec519ec0": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 14,
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "cd4f89243551c1339b5502a776a7ca15183d07da9cfd5df268a4c4b2e5954c56",
|
|
"type": "query",
|
|
"version": 12
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "05fe436d072dffdbdb136a88e93c7636e147f91bf5c02b89ba7eeed8fd336e3e",
|
|
"type": "query",
|
|
"version": 15
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "2422828361db58c9cb60d2f0b2d137390daca7d29b102789915ec3e3aa883430",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "Domain Added to Google Workspace Trusted Domains",
|
|
"sha256": "d78af46dd84eb3d641be256da5b6c0645335b47293787741d08ae3dc07ff0ed5",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Execution from Unusual Directory - Command Line",
|
|
"sha256": "556e7fd38bd70311927aa98b016c3d73f728df2a0173385f0c7a6d5f72399060",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Execution from Unusual Directory - Command Line",
|
|
"sha256": "5fd5701587cdab72d657edfaccd7fe940fec90dd207cb6670a926ebf88271104",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d00f33e7-b57d-4023-9952-2db91b1767c4": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Namespace Manipulation Using Unshare",
|
|
"sha256": "282d06a65647fe54f60f3db53a4e90e4ca1f35d991c8465fa27433f7a6d4bc0d",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Registry Persistence via AppInit DLL",
|
|
"sha256": "d6965099fd14c541f08c466c817f679a6939cb7e9d4bb6bde634d79c16a5ca66",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Registry Persistence via AppInit DLL",
|
|
"sha256": "7ceebfd6b8b64994381d2f97949859f3249cbb7e95c4d3d27fd40080aebf51c6",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Symbolic Link to Shadow Copy Created",
|
|
"sha256": "1f6bd29235c4140598d12135b67fc6285adab3882cdbf5fb3eda91de5dd1b2b0",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Symbolic Link to Shadow Copy Created",
|
|
"sha256": "41aa39c02ea09e8c24673e02edba00dd99a5fe7e23e2c33b45b327c7ccf9eb24",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d2053495-8fe7-4168-b3df-dad844046be3": {
|
|
"rule_name": "PPTP (Point to Point Tunneling Protocol) Activity",
|
|
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Microsoft Office Sandbox Evasion",
|
|
"sha256": "dfc63901f804b7cf2d08cccd4f0795208161faf81c73c1699baf48f8884fa9b1",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential Microsoft Office Sandbox Evasion",
|
|
"sha256": "7d943af65c10d24ea5d9b74ce28b1064eebe7fee33933b7244f44c230519016b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Disabling User Account Control via Registry Modification",
|
|
"sha256": "32c87270f7d3db1e4556a1410d02bef58c136aa70569924f60318e9b22768dd5",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Disabling User Account Control via Registry Modification",
|
|
"sha256": "e3673f075041b1dcb529fa9445d9e7f022636aa583a56d6f325190852b415b07",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "f60152637e6804eaa8df1e4b003a7b6f42b4ae55bc5214071a76d06d100b4f92",
|
|
"type": "eql",
|
|
"version": 17
|
|
}
|
|
},
|
|
"rule_name": "Clearing Windows Event Logs",
|
|
"sha256": "3cdb7a1338aa9523b76c57f85dc185771716dd8d027d1caa4417983fab2c72e1",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Remote Windows Service Installed",
|
|
"sha256": "bad7de839da9e8039e8ca5c03239d606ee947cec4daa12c23f502a690b8ddbd9",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Shell Execution via Apple Scripting",
|
|
"sha256": "81d944d6e43616c8ce9d52f1959afb89444b9972b4c8269b28c8d7c74485e4b8",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Shell Execution via Apple Scripting",
|
|
"sha256": "85ec5b42dc9fa6329c5c1025c6cbf400d037abcf4c33f8a1055a27f8248e66fb",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Delete an Okta Application",
|
|
"sha256": "9128314e4252732403889dadd2b7748918acd7e1ce8f8541daedaba48b40d4e7",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Delete an Okta Application",
|
|
"sha256": "58adba1c923a8ce76e1a1764dc5cac882ab8ea93f2778dcf32c9c397a3aae8be",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d49cc73f-7a16-4def-89ce-9fc7127d7820": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
|
|
"sha256": "4b9eead51bdd9860f02d47c1a20fc4892ba90960f2151ebe61c89e07ed3f4263",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
|
|
"sha256": "f55b784285078033780f90e322ee607cd717bf5db25341e7e967a809e069de79",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d4af3a06-1e0a-48ec-b96a-faf2309fae46": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Linux System Information Discovery Activity",
|
|
"sha256": "e6bfd938d1323fddf3554c4c9a5a57d6490c2b23ec7d42a12455a5cd6ab96d14",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Unusual Linux System Information Discovery Activity",
|
|
"sha256": "3d98f764fe976df253f64e01eebc8c21b6f053483109c520c47251ae353f12df",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"d4b73fa0-9d43-465e-b8bf-50230da6718b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Source IP for a User to Logon from",
|
|
"sha256": "2e2ae07f9d9f4346d8f2855672b7cb74eba7a74483e53a99064ec4e6a14560ae",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Unusual Source IP for a User to Logon from",
|
|
"sha256": "2e2ae07f9d9f4346d8f2855672b7cb74eba7a74483e53a99064ec4e6a14560ae",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Privilege Escalation via Windir Environment Variable",
|
|
"sha256": "df727534686ff5d08f97b53cebae31cc82f831264c16022e81a2aeab10cbd8f9",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Privilege Escalation via Windir Environment Variable",
|
|
"sha256": "a4e6f329e4b506a01f4a0574d6e1c747c0ec66383314f55ee4a711bae1a889aa",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Delete an Okta Policy Rule",
|
|
"sha256": "40a4b168923189b0651c8e31ddd382c3eee3007b4d93d968f76f9813567f708a",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Delete an Okta Policy Rule",
|
|
"sha256": "a734fea0dd23b59bccb99dbb39f55007140181853044b5bfacd32e882f62f49f",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Service Command Lateral Movement",
|
|
"sha256": "14fe2ba1367484a6ee97e359ba9b8c5c66987e02d2865d8537b9ae9b1ef6d2ab",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Service Command Lateral Movement",
|
|
"sha256": "0fef863d942439ed36b80849f7c74e6bfbcb83e26895ff81570bb2257b761aff",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS CloudWatch Log Stream Deletion",
|
|
"sha256": "43fab9e1ad69e93f3f1d82b141356b4241d3e3b6a4abe88c87f57950893e7b8e",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS CloudWatch Log Stream Deletion",
|
|
"sha256": "5938c4ca763d90161f10cc3da2d26dfbd70bd5e4f2fb947388e17fce6692498d",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"d62b64a8-a7c9-43e5-aee3-15a725a794e7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP Pub/Sub Subscription Creation",
|
|
"sha256": "5d074c906776ecd8e5847fb793728b81b80895a83cf706d49341241756921dbc",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "GCP Pub/Sub Subscription Creation",
|
|
"sha256": "2d736621691474ee5688c2ef5def48734be19b3a2111791e9814ee88635bf482",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"d6450d4e-81c6-46a3-bd94-079886318ed5": {
|
|
"rule_name": "Strace Process Activity",
|
|
"sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "System Information Discovery via Windows Command Shell",
|
|
"sha256": "4b9f1876b29d2bb14bad85f132f1ec3e2645bcc7bfee47279cf1c95e9d7d2cf6",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
|
|
"sha256": "0301f13a0cce7d153d3e01f8a199d99175bf2c028af2a3146f754e5c753f93be",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion",
|
|
"sha256": "dbf20a1e2bc0d4cdedbccc5865bddda69aca58f70f18ee6ac68eeabd3379e3fd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Modification of WDigest Security Provider",
|
|
"sha256": "1ad06b0fe0245e82429077bae391d3c2af5984b53799cfcec254e3b65569743a",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Modification of WDigest Security Provider",
|
|
"sha256": "c087b2c9c350fc3aca62f7a3f1936f7ba1cab0526b9a08c490a5e03a1809f705",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Command Execution via SolarWinds Process",
|
|
"sha256": "c66dd3b64916aa7fabacfe800aa2076f58946cd244e563af4d3b0f6cee003610",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Command Execution via SolarWinds Process",
|
|
"sha256": "8a04aefb69a7712a7947f686c05ed66394c14341cb01f0b52422e94a7a17f87c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"d743ff2a-203e-4a46-a3e3-40512cfe8fbb": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
|
|
"sha256": "c708af23dddbb7172b0b812a70be4c7b90797d357b2088d1db8bda43c16d92b2",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion",
|
|
"sha256": "f03f35ec4391254bd5a95e3213e02d739334563e9a20bd8f98055f0bd56f984f",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "SystemKey Access via Command Line",
|
|
"sha256": "bad21256e2539ed2889697b46ad97e31897d99ae6b81423aa0ed71e86c03c165",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "SystemKey Access via Command Line",
|
|
"sha256": "142b1e31ec1f43ec5a497dc800ab38bbffa617fc1bdc6c9656b0283888a94ffa",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d76b02ef-fc95-4001-9297-01cb7412232f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 10,
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "1b8e9ea27c151d2de3fd5c94f0ff8de14098ccc0348a81ac3a39dc28f0dd118f",
|
|
"type": "query",
|
|
"version": 8
|
|
},
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "fb31d0eaf6786a71496f8d2605f731b9e3770b5a16af3d6e301e5b5432154634",
|
|
"type": "query",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "Interactive Terminal Spawned via Python",
|
|
"sha256": "2cf5a9acb775dee9ad7c604ed07b8b591f1ecf553f8c29bbe7f9f6a70d9b47ab",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d79c4b2a-6134-4edd-86e6-564a92a933f9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Blob Permissions Modification",
|
|
"sha256": "c0d96e3c996d58a507d4b57459abb95bc875d950f28a6dec3eb17e1091d5d624",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Azure Blob Permissions Modification",
|
|
"sha256": "e0d97c1b1c32137b6a20954682acc691d3e3b8865b7232a8796d2220df76c2d9",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Spike in Logon Events",
|
|
"sha256": "2aa5266f2f98a3501aa1994db0eeb48e48c8eb3bf8bb8500f0b9a3447c472d62",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Spike in Logon Events",
|
|
"sha256": "2aa5266f2f98a3501aa1994db0eeb48e48c8eb3bf8bb8500f0b9a3447c472d62",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"d7e62693-aab9-4f66-a21a-3d79ecdd603d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "SMTP on Port 26/TCP",
|
|
"sha256": "7e8d3c2560ac6a468f7701f9ee237e39bc51231edf8d5b94ab0055d60286730b",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "SMTP on Port 26/TCP",
|
|
"sha256": "f795ea35f70c7ee41f46586159af9c713d96e6b0356ce45c1bd5e35dcf5b7e9f",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS IAM Deactivation of MFA Device",
|
|
"sha256": "23d6f3d38e476c57d63ce8eec3ba6ce5ef7986d3db93dca2f21944b00209f9da",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "AWS IAM Deactivation of MFA Device",
|
|
"sha256": "6de0db19b693fbcfbd5f488d03575649c5ac2e4a935a4906e749b6018f4e2b23",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
|
|
"sha256": "5598f885f41354f84ab95aeca4b2046243900f013a7edb6a0b1bebe13f3966ad",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
|
|
"sha256": "691f47444a1186adcb0191473dc7ddac403d41b132d33a3d551fccd49b717025",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Suspicious service was installed in the system",
|
|
"sha256": "d3660213ffad98fa0d57973d893f138195a92c78b6ea390b05707081ca2da77b",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
|
|
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
|
|
"sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"dafa3235-76dc-40e2-9f71-1773b96d24cf": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
|
|
"sha256": "3ca4a61f3f93dba1eb22f2c680262ddc66a954a10446af5a66a3d5d179c18981",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Multi-Factor Authentication Disabled for an Azure User",
|
|
"sha256": "b2bdedbd10d7b2fe14ac813a1e6edcc9034c9817db09d94531cf97ff29c60e1f",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
|
|
"sha256": "3d1e91e1892322a81b322cb102e46b9cc9913bb297aa2e3495db029019a488d9",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Credential Dumping - Prevented - Elastic Endgame",
|
|
"sha256": "b0491008a10432af0609a3d3046c5ba9697fe4ee6fe28c05d20735f663452a74",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": {
|
|
"rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match",
|
|
"sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095",
|
|
"type": "threat_match",
|
|
"version": 100
|
|
},
|
|
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "520e6a810db9da762309f7f86fab50fbdab92279864f4374f2eb5bad2e042e59",
|
|
"type": "eql",
|
|
"version": 15
|
|
}
|
|
},
|
|
"rule_name": "Volume Shadow Copy Deletion via WMIC",
|
|
"sha256": "6dba42804d768761f5440777efb75a02ba71037afb497c77724ac592d4776ea4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"dca28dee-c999-400f-b640-50a081cc0fd1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Country For an AWS Command",
|
|
"sha256": "ae4289833d6b2477d4d3b35e5be4baa736658ec619798c552e85a718212e8dcd",
|
|
"type": "machine_learning",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Unusual Country For an AWS Command",
|
|
"sha256": "79eadfd13eb74b26a25e19a9599a223888ac01c8d8b65a114b63a3109dde4829",
|
|
"type": "machine_learning",
|
|
"version": 103
|
|
},
|
|
"dd7f1524-643e-11ed-9e35-f661ea17fbcd": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Reverse Shell Created via Named Pipe",
|
|
"sha256": "ddf86f713e01b7a42dfb4cbac2eabe95771dd00eb95e9272258e5eabed84b6f0",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "NullSessionPipe Registry Modification",
|
|
"sha256": "efa60094cebe3428f728d0c83e1c5a563182fe632fc708289651cae652351029",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "NullSessionPipe Registry Modification",
|
|
"sha256": "1a9802763149eb7cda4402f4d39d9724448a6a435b770e5262fcd6c8e0b2cd94",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "1402cb6fa10885f90b83f2612e179207ca87149a8fa931334c0b2c2854247ba6",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Unusual Child Process from a System Virtual Process",
|
|
"sha256": "6f2eb7f00e2d2fcc4b2a8b2ee76037dcdf6e586827be6adbff18bc79ae30ae7b",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"debff20a-46bc-4a4d-bae5-5cdd14222795": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
|
|
"sha256": "2dfa50e7bce0eb5396a016deae281f948ed101975bee4806e8d388199a8b4012",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Base16 or Base32 Encoding/Decoding Activity",
|
|
"sha256": "8f363bbd5a97faf23a2823c81078c304bbaa77645e263fa8622630d980a73fe5",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"df0fd41e-5590-4965-ad5e-cd079ec22fa9": {
|
|
"min_stack_version": "8.6",
|
|
"rule_name": "First Time Seen Driver Loaded",
|
|
"sha256": "194c1c07d081135e8e03f718023c0dabb3b4737446acc86ee710b96bed3ee076",
|
|
"type": "new_terms",
|
|
"version": 1
|
|
},
|
|
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Windows User Calling the Metadata Service",
|
|
"sha256": "40ac13cc950b6d31bbf8793ae0941af4edbaf36dc40070df6f4173775298c968",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Unusual Windows User Calling the Metadata Service",
|
|
"sha256": "634c76aca1df7fc5b64e42733e6536ac48114a9aedd05e57024538ba6798e092",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"df26fd74-1baa-4479-b42e-48da84642330": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Automation Account Created",
|
|
"sha256": "c55195c2b2ed4f0018d4b847a215c4d7be7df1e3a4b7d1b250c4ea8975172370",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Automation Account Created",
|
|
"sha256": "926e09c01d9a28535ee45c6b2e542a020fff0bc9b9b3876217cca6ac5d084ce3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"df6f62d9-caab-4b88-affa-044f4395a1e0": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Dynamic Linker Copy",
|
|
"sha256": "da1ef679ca66c6b0366910d70af13bec01a81e77bacce23a37c4c8f52039680a",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Dynamic Linker Copy",
|
|
"sha256": "7b7e9ad109938d2ac95347969a9ba9cb37333f1ff469f990efebb38e2112e8be",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"df7fda76-c92b-4943-bc68-04460a5ea5ba": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "5f82d1552eab33089166bf4b52136d5755de62953bde404fa8922d5d4b39ac0d",
|
|
"type": "query",
|
|
"version": 3
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 199,
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "1812535ee0bdc44f1edbc5e9801928f2712abc4984e8a97fc4f641b2b6c2ea7a",
|
|
"type": "query",
|
|
"version": 100
|
|
}
|
|
},
|
|
"rule_name": "Kubernetes Pod Created With HostPID",
|
|
"sha256": "e01a11c3817ecedff0f82792adfb11d24bfa7f35d6bc7816c1f2f9b4ef54a428",
|
|
"type": "query",
|
|
"version": 201
|
|
},
|
|
"df959768-b0c9-4d45-988c-5606a2be8e5a": {
|
|
"rule_name": "Unusual Process Execution - Temp",
|
|
"sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e02bd3ea-72c6-4181-ac2b-0f83d17ad969": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Firewall Policy Deletion",
|
|
"sha256": "6f056b63bd37ce31e2fb8ff941b298f142fc93f6a9abb579ff043daf0b514d6a",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Azure Firewall Policy Deletion",
|
|
"sha256": "601b09f07040a7a4aae2b737306da9624a2ac0a71eabee5f238ce4bd2a827679",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "KRBTGT Delegation Backdoor",
|
|
"sha256": "3d369cbdba03a5b562dc577c209d5c92d7e9c9eb91c01e06e9469552df357ba6",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "KRBTGT Delegation Backdoor",
|
|
"sha256": "4a5fff0627325f8c9a0c2f2d6e23358b50e1aa635e65b5e3d206e4ec625b73e3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempts to Brute Force an Okta User Account",
|
|
"sha256": "97577c6feb55a61357f1c8565ad69c823d142cbb5835b15aa759ff00d37641f0",
|
|
"type": "threshold",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Attempts to Brute Force an Okta User Account",
|
|
"sha256": "23bb5841739565c44acd0f0bd8f596eea3cd2a7450d383d72e0f5c73d983857c",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"e0dacebe-4311-4d50-9387-b17e89c2e7fd": {
|
|
"min_stack_version": "7.16",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Whitespace Padding in Process Command Line",
|
|
"sha256": "de0b525b55b31026d29a5a835b5e420d95ceaa8d6c6f7e377c3b2cdae2064fdf",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Whitespace Padding in Process Command Line",
|
|
"sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e0f36de1-0342-453d-95a9-a068b257b053": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Event Hub Deletion",
|
|
"sha256": "22579997b9c568c17e2594954120cb37beba84d4adf9aa90e33f866fcd40502c",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Azure Event Hub Deletion",
|
|
"sha256": "dd78a77f8220a57fac6347ca0f4ada237ce03b1bea7e8f46129e55b0cb9dc04f",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e12c0318-99b1-44f2-830c-3a38a43207ca": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Route Table Created",
|
|
"sha256": "33c77b87c951490c44ac8b2643a1161ec8a8b1ef0850c08a6d2ebdd0e7d64014",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "AWS Route Table Created",
|
|
"sha256": "e4d2ee157705e436b92c63f5f18e3fd0df6c0dc7b3d7924b35572f3231d54b0f",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS RDS Cluster Creation",
|
|
"sha256": "441fc16b46dd672112bbe72c32cc9f23a481e2e18b210364ca9b7052e18a9818",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "AWS RDS Cluster Creation",
|
|
"sha256": "19e68c72224ffbd5ec27a7e9eb60ec744c5074b38262ecb6ad00c2fdda82d2e6",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e19e64ee-130e-4c07-961f-8a339f0b8362": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Connection to External Network via Telnet",
|
|
"sha256": "a45edaf4d918bf73f99e232fcd351f941cfa4f924fd8e1178dc914370f3c706a",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Connection to External Network via Telnet",
|
|
"sha256": "545d9dd1ff049f15814b21cf0dc0f15c1da647d3f82599d4d27a17a8831ab984",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"e26aed74-c816-40d3-a810-48d6fbd8b2fd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Spike in Logon Events from a Source IP",
|
|
"sha256": "a5988a3dfc897aa2a50b11f7ed790699fb3b5c8450c61d82e331ff65dc180d6f",
|
|
"type": "machine_learning",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Spike in Logon Events from a Source IP",
|
|
"sha256": "a5988a3dfc897aa2a50b11f7ed790699fb3b5c8450c61d82e331ff65dc180d6f",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious .NET Reflection via PowerShell",
|
|
"sha256": "f24d9851bece6511354bb48a20a6a46b1c7f8432fc427ac95d278ad0a5d2d7df",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Suspicious .NET Reflection via PowerShell",
|
|
"sha256": "df2b42656b315cd8e12e0096dabeb608860871497071ca47c3a8d6fe12739c68",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e2a67480-3b79-403d-96e3-fdd2992c50ef": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Management Console Root Login",
|
|
"sha256": "1984c64d7c425aa3e3dfa6e37906c5c0da217a8d298ecc5438605b05a294e597",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "AWS Management Console Root Login",
|
|
"sha256": "942969774dcedab84751f0eb665f67b5bb5b05acad7e2b943a0a5c61b5c8df0c",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
|
|
"sha256": "a569325f4987343db397f8e9bc7bd812bec981788b66c578abc8a07d6f1e96eb",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
|
|
"sha256": "850df4fc3db497ef267746e415cbefbe841fe74b2ffd679707018bcdec01882d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e2fb5b18-e33c-4270-851e-c3d675c9afcd": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "GCP IAM Role Deletion",
|
|
"sha256": "1ee46ee5f8a64de558dc4c27460715faae0e711c7d1a7af0c771060037471729",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "GCP IAM Role Deletion",
|
|
"sha256": "017514f1e7b158a68ee2e227a2a1973c2bb7495b15f4e2774d90b0e1e479d8fd",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "1fca27785372d869e73f5920c8e1f5a2cfe9d1d2623946389e0f92f0668c0cd3",
|
|
"type": "eql",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "Process Activity via Compiled HTML File",
|
|
"sha256": "bbef32a4135c5ceb7be223b3d952461d120d9900e55b8884b69a99a982b45b6c",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e3c27562-709a-42bd-82f2-3ed926cced19": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
|
|
"sha256": "7e0ce795dbe9c0506d547705f5519c33f1ca279066cbd0056f58ac48444f8314",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "AWS Route53 private hosted zone associated with a VPC",
|
|
"sha256": "cb12140c90dccd0a4c2824849be30730cffea3848e2d02fa0edfa31fbc9e7c4f",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Ransomware - Prevented - Elastic Endgame",
|
|
"sha256": "2597f5c35305aefc8016770975bbc727d72230fbabd8c9418d4147741104be0f",
|
|
"type": "query",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "Ransomware - Prevented - Elastic Endgame",
|
|
"sha256": "b47502c00c1c5a89a76099135cda46927a2bac199a32fa69c796440b73fd9db8",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
|
|
"sha256": "08f9a6a7d9bdfcd6fccb7ea6baf0c48608a745befdf9be3782562c549736346b",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
|
|
"sha256": "1afda70d30580f714d8ab6ef20f8b1d918c131936b960d342ae6f6c6827dbb35",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"e3e904b3-0a8e-4e68-86a8-977a163e21d3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
|
|
"sha256": "773655f13eb054137041e1317a67b1537cc6c6eebf234827f44638005203b357",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification",
|
|
"sha256": "66b9ceb8d93427406d2d097accc4acf0f4c1d6ad76dcfc0d9c7a8d3489c35868",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Modify an Okta Network Zone",
|
|
"sha256": "6ea5f27f5addad69fded0976880577eb922b37615f7e5136583d5c41954cf838",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Modify an Okta Network Zone",
|
|
"sha256": "6daa40545ae110d23965c10cdd3b97559c76c2a36f9fc79abe0e93316a8d36ed",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Service Creation via Local Kerberos Authentication",
|
|
"sha256": "bcdd122e8566edca2f53e8e240809c4b74fe7a8351cf91d27f712b45b2848ade",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Service Creation via Local Kerberos Authentication",
|
|
"sha256": "a07da4943d2aaf8e54ebf90165c0967ee8b7c6f00176ccc5a7a174a0c335fb21",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Kerberos Pre-authentication Disabled for User",
|
|
"sha256": "594ec61d54894f173198a316ad2e8f5e7d004348466a0e738d8dc0a23b7c2a42",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Kerberos Pre-authentication Disabled for User",
|
|
"sha256": "1bbd28ed34614893af4f422de55b58962b7c6fcf2a5986a8cabead6a46da4d6b",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"e555105c-ba6d-481f-82bb-9b633e7b4827": {
|
|
"min_stack_version": "8.4",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 15,
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "c2ac77cd236c9997bebad7dbd68fbca34417ff4c999a05fa26114d41393ec636",
|
|
"type": "query",
|
|
"version": 13
|
|
},
|
|
"8.0": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "da0c5e7ff098e790a9bbfe529a062110d2e03eeaf932eb822601bed55710c833",
|
|
"type": "query",
|
|
"version": 16
|
|
},
|
|
"8.3": {
|
|
"max_allowable_version": 202,
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "7f4d5eb6734f8c3c60ded7d24a7a3339afd5255c9fd1bf01acfe5972e671f89b",
|
|
"type": "query",
|
|
"version": 103
|
|
}
|
|
},
|
|
"rule_name": "MFA Disabled for Google Workspace Organization",
|
|
"sha256": "374a8185c7f83236836608b1bd1b4aa5ea94dfbb014a9ecbc59316b18f977a26",
|
|
"type": "query",
|
|
"version": 203
|
|
},
|
|
"e56993d2-759c-4120-984c-9ec9bb940fd5": {
|
|
"rule_name": "RDP (Remote Desktop Protocol) to the Internet",
|
|
"sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"e6c1a552-7776-44ad-ae0f-8746cc07773c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Bash Shell Profile Modification",
|
|
"sha256": "870461090ff0ee534196576c1434c8bab00da1ea368665bc7fbea973a390e24e",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Bash Shell Profile Modification",
|
|
"sha256": "8881e4963ba8313ad806441ab35b10b080666906259266d9243987fed72beeea",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Authorization Plugin Modification",
|
|
"sha256": "54671c684270f841e5c8afcb9c0551b1860dffd29d8a2589f1b6d84ca2193107",
|
|
"type": "query",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Authorization Plugin Modification",
|
|
"sha256": "60a5cf6f1b13aa7770f812a5c146ce98fe354004adaaee3c681670f4fa2df378",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Possible Okta DoS Attack",
|
|
"sha256": "d5ee7bc5de9e1f4610bc34e85624902d13fb82124efc99058407b42bfada5a55",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Possible Okta DoS Attack",
|
|
"sha256": "d79bf4f3a31c9f68d62437e3fc948da164cba7efb2dc53ccb82e3e44b85d75c9",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
|
|
"sha256": "e3a968c044da68d2f23aa6a66a47a0f3d61a734268792b0a360ce167fab200b0",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
|
|
"sha256": "7a1cbfdda7bb3863afe08f0c4f7f6395389d90ac2bc234b5d62f68e810f88b6e",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"e7075e8d-a966-458e-a183-85cd331af255": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Default Cobalt Strike Team Server Certificate",
|
|
"sha256": "d06b33a543d522b2f430c7851d7bcfc6784092fac3d4efcc1bd100f0eebabee7",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Default Cobalt Strike Team Server Certificate",
|
|
"sha256": "e9f3a0e9f8c621c8cb1262e6e8b7406d36b2dbf66fed10d7e756d2720bb4b8ff",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Execution of Persistent Suspicious Program",
|
|
"sha256": "a20d59b00c5cb946794ec2b30277dc754792a46bce3ee1cd6274d512ff418929",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Execution of Persistent Suspicious Program",
|
|
"sha256": "cec0218cf84ea76940ae17a68714897a26dff71137374e5e7accc5b6f575f7eb",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"e7cd5982-17c8-4959-874c-633acde7d426": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS Route Table Modified or Deleted",
|
|
"sha256": "bdb348ecf6ea584e98544fef4a59aec7bf3f2242b523b3b71daa6db84836674c",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "AWS Route Table Modified or Deleted",
|
|
"sha256": "67ea9be0dd5285b162d6349ba7b752221e964b4840555ee6ee3136de789eea4e",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Service Control Spawned via Script Interpreter",
|
|
"sha256": "bd499e25fb8cc24f16dfb5ec400da1a758a867f6a919caef4719aecd9ec47e70",
|
|
"type": "eql",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "Service Control Spawned via Script Interpreter",
|
|
"sha256": "a570ca618c8c2c947839d258b7a7708e622375200ea16c2f9975c52392b8f91c",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Installation of Security Support Provider",
|
|
"sha256": "1c94a28eb10cf8d623b9c7766c3e09c1277211577525c7aef2a0d95b82902eda",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Installation of Security Support Provider",
|
|
"sha256": "333e1ad90996ac5124fd2148cfec90c0a0a9d1e0f632bc37e20c3c6758c47616",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
|
"sha256": "14c75064015b57cde04fdcd0f5358d7f17272c249bcd3874ce2ec296f9e2cefe",
|
|
"type": "threshold",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
|
|
"sha256": "ae574796583503daf7ee6688cbb92eba2472a7b294a56a091ec363cc4778cb13",
|
|
"type": "threshold",
|
|
"version": 102
|
|
},
|
|
"e919611d-6b6f-493b-8314-7ed6ac2e413b": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS EC2 VM Export Failure",
|
|
"sha256": "d4182fc6f1adb47b30a48ca8dc5b8d7ccd69e295f56db8bd67beef482087b523",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "AWS EC2 VM Export Failure",
|
|
"sha256": "1c55611b85f48a6b1fe78fbc7a0924ff4ecb5d3ff1c72dea07fe2188f9ffb39b",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "b08da1641037f279ce706e380fa8da2c89eb8fabce5c70bf3bbd42df74e4de43",
|
|
"type": "eql",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Unusual Executable File Creation by a System Critical Process",
|
|
"sha256": "d3350a25cd52131c146c0e2381935380804baae832a5cd6a8f6d880c1302e1a4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential LSA Authentication Package Abuse",
|
|
"sha256": "8d77171cf0f3a00f7c7f86fa5a55cf2a6f92fb20fe2ac7515ec1c11255a015f9",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Potential LSA Authentication Package Abuse",
|
|
"sha256": "6093c0719edb88ab5d79d8909213c1d348167e76132c0abb08ce012833998346",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"e9b4a3c7-24fc-49fd-a00f-9c938031eef1": {
|
|
"rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion",
|
|
"sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Automation Webhook Created",
|
|
"sha256": "40217a45f13f6e49a38e1428b1312af7a7d280737f29ed454c5516b82556c42a",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Automation Webhook Created",
|
|
"sha256": "f4753972bd7ed04f9ed23aaee4f55562c9579bc04e5068ab0ac000dce3afd4d6",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": {
|
|
"rule_name": "SSH (Secure Shell) from the Internet",
|
|
"sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"ea248a02-bc47-4043-8e94-2885b19b2636": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
|
|
"sha256": "044053705f8910f195400bf16dad023b28b4a9d17160ede41a24bc6c7081f12b",
|
|
"type": "threshold",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "AWS IAM Brute Force of Assume Role Policy",
|
|
"sha256": "15748e6f7bbef30a739abbe16eeaca443c096f3a348a84f62826425b426e68a1",
|
|
"type": "threshold",
|
|
"version": 104
|
|
},
|
|
"eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Spike in Firewall Denies",
|
|
"sha256": "f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5",
|
|
"type": "machine_learning",
|
|
"version": 2
|
|
}
|
|
},
|
|
"rule_name": "Spike in Firewall Denies",
|
|
"sha256": "f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5",
|
|
"type": "machine_learning",
|
|
"version": 100
|
|
},
|
|
"eb079c62-4481-4d6e-9643-3ca499df7aaa": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "External Alerts",
|
|
"sha256": "3c761c7b1a22a38d6334369cd822c00a6b2d954f9c650ffc564cf84ff8f8f403",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "External Alerts",
|
|
"sha256": "a85b3601831d4047395d6f38ca712e50515a4e8aa1a91dd3c803b3857d9a38bc",
|
|
"type": "query",
|
|
"version": 100
|
|
},
|
|
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "PowerShell Kerberos Ticket Request",
|
|
"sha256": "3bba2d24ab56fc6d4d2d951047e6f4b2269b43eb68527dd062f822632e86a338",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "PowerShell Kerberos Ticket Request",
|
|
"sha256": "61731234033af30d76cb16b67695025f656a28ab6010571fc3eaa82657bcb16e",
|
|
"type": "query",
|
|
"version": 104
|
|
},
|
|
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious Network Connection Attempt by Root",
|
|
"sha256": "48ccffc9a81724c28be76eede89fe50482103e2a7b6e501241e92a6e06a9f3a8",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "Suspicious Network Connection Attempt by Root",
|
|
"sha256": "8adfd0640c9ca04abf7402841ca60b0a46ace1af36fd88024a810c55d2946ba7",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Disabling of SELinux",
|
|
"sha256": "062c1916cf85ed48401162e51109dc371e142f7983c9f404ab00cbc1846a3a40",
|
|
"type": "query",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Potential Disabling of SELinux",
|
|
"sha256": "92cb291d40a64cdf4134bffc69eda6c274d7e4d23cd7a5db74006b6bde75b548",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "34d22b9f451c2f7efc83c9d7cb724eaff3cdefef7d835846c87b624d83b08ff9",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Mimikatz Memssp Log File Detected",
|
|
"sha256": "3d8d0674c96d6b9b89ec29b416900f3ad0f46c95ab1be98065ab9f035bee042f",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "e9752afbf2c33f50ae435653a04acb7a4014f7ba2879c691383213ca884424be",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "IIS HTTP Logging Disabled",
|
|
"sha256": "291856580ae974b02e032a9162fd6199035816633c511ca48afc298367bb41a9",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Process Execution from an Unusual Directory",
|
|
"sha256": "28a26a8ea059812344fc5b88cadfd47c83328674062824657484db1da6ee98f3",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Process Execution from an Unusual Directory",
|
|
"sha256": "28ef348237f04b70ac182fc3e3634171c2640ce9df3d265039e7919d8324856e",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
|
|
"sha256": "10ac2f7a79a955d91c4ae4232125eebb8d2678851db37d3f4e3a4d47c9b00d7b",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Microsoft 365 Inbox Forwarding Rule Created",
|
|
"sha256": "4d681383a39e51c0ebda801678fc42df905b3b46c407443db81029f0cf7e60c3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS RDS Instance/Cluster Stoppage",
|
|
"sha256": "231216c92c8b517d75784dfb4cb92f4d664c8b90eebbda4dc0b446280f081522",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "AWS RDS Instance/Cluster Stoppage",
|
|
"sha256": "995b22ac9fadbcea67c7e92f61e00859c3b5f691c1429641ec9da77a43020dfd",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Global Administrator Role Addition to PIM User",
|
|
"sha256": "da79376cfd32568b8b899acbdd94fa61e8f4b4f5fe1e2b7fe363aae8f7680549",
|
|
"type": "query",
|
|
"version": 8
|
|
}
|
|
},
|
|
"rule_name": "Azure Global Administrator Role Addition to PIM User",
|
|
"sha256": "949a29e953474fdd157968152b5f042ae8ae183a290987734bb6da5531768708",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AdFind Command Activity",
|
|
"sha256": "c4b497868eb20d062a8f046c7796d5b43fe75871b0c7f788c6592e876e673f28",
|
|
"type": "eql",
|
|
"version": 11
|
|
}
|
|
},
|
|
"rule_name": "AdFind Command Activity",
|
|
"sha256": "b02708d6d1e9bdedf8084b69e040672af9d2dbf7698d4cd3ab22a6f354707c36",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Deactivate an Okta Application",
|
|
"sha256": "239799d589689fbfd18345dad0c3f085138b963f4aba5028e65373cc8d36df4f",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Deactivate an Okta Application",
|
|
"sha256": "6dc4ff7b0ca3ce5144945a41508e56d1514037be901492a1a07c1baad5e0cc53",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 9,
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
|
|
"sha256": "ce1db93b10b8a940e45490c31cdb384062d41c0cb6395c3cc706e1de4c9cb46c",
|
|
"type": "eql",
|
|
"version": 7
|
|
},
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
|
|
"sha256": "15633a53798ae01e2fdfef1f1ea0a74d7916ced0a48d742d446644cbdb8c75e8",
|
|
"type": "eql",
|
|
"version": 10
|
|
}
|
|
},
|
|
"rule_name": "ImageLoad via Windows Update Auto Update Client",
|
|
"sha256": "b5f76f3b3b371f56e66afd92d9ae24ad3f700f1658bdfa94e74e98c7f0f8bf1d",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Print Spooler Child Process",
|
|
"sha256": "2f851991fa9398f083d7cfbc06bebd99acc958c0652597f0b8872a2fec42533e",
|
|
"type": "eql",
|
|
"version": 9
|
|
}
|
|
},
|
|
"rule_name": "Unusual Print Spooler Child Process",
|
|
"sha256": "6bff68d8b00dabe9db85f2be96253c1906c784462c65d5675897cd472b2503b3",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
|
|
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
|
|
"sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"eea82229-b002-470e-a9e1-00be38b14d32": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
|
|
"sha256": "85fe1eb19d66f592dad24600606b8472dfc84b4716e64052f67af8043fef5a79",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
|
|
"sha256": "3461722b5a2983ba3f5e9f57e64ad24a335ca7f49901ca156e1edd0efc2a31b3",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "BPF filter applied using TC",
|
|
"sha256": "a890bd484df6a7b4170e055a13563f50c1b7f00282fc3b0623c176c561e6a911",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "BPF filter applied using TC",
|
|
"sha256": "27c2bf87022ca8599942fafab15bbcfb8e0c45cb1c4f6a0ec8a9473d593d6352",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Whoami Process Activity",
|
|
"sha256": "6255a59f1907f90afb7d99a93dc1de288448f8d5eddd72f4077c13a632048b84",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "Whoami Process Activity",
|
|
"sha256": "59256cf0b2544c3b4aac5517c14738543bfec976b2ff3d83124c0328e48df8c4",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Unusual Child Processes of RunDLL32",
|
|
"sha256": "607544934e3152f41a4713b12c1f809518dfe52cfe1179d9f7c6ab62b27092a9",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Unusual Child Processes of RunDLL32",
|
|
"sha256": "35cc9eebf0f60da539f7f7ffa480c7120875bd6d77d228e2a966de8cc0bd0267",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"f0493cb4-9b15-43a9-9359-68c23a7f2cf3": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Suspicious HTML File Creation",
|
|
"sha256": "a25733dc5db93e97dbb6099c740ad240b0c1822325ceaafe17732f7dc28dab29",
|
|
"type": "eql",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Suspicious HTML File Creation",
|
|
"sha256": "25325d3c2e37157dc98f57c5f79541a84e62c2e89bb6445f07f5e6bd5f322486",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Administrator Role Assigned to an Okta User",
|
|
"sha256": "d15dd5779036e85d5d88bab96e6b6cd2e9fb5025dae8ef032429d99edf7ea868",
|
|
"type": "query",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Administrator Role Assigned to an Okta User",
|
|
"sha256": "1702f9d302ca3492bc215a85a0ab94b7db183f3f162e2419ecf3119b1fe07848",
|
|
"type": "query",
|
|
"version": 102
|
|
},
|
|
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Attempt to Remove File Quarantine Attribute",
|
|
"sha256": "66097f87ce7d53ec4c5a9c78d2ad5ea9434fb4800ba59615353fa48857104300",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Attempt to Remove File Quarantine Attribute",
|
|
"sha256": "50d82372449a68af50237034807ddaf08162fa3ffd86249d92605e5df185d5c2",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"f0bc081a-2346-4744-a6a4-81514817e888": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Azure Alert Suppression Rule Created or Modified",
|
|
"sha256": "df8ec13cd47fc1fffe12deff3970a9194c19e52746805d646bb4f797e85a680e",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Azure Alert Suppression Rule Created or Modified",
|
|
"sha256": "1aac937a034e9aa7d16663a9672358b86762197d05247fbf54a3ed273dc682b3",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Execution with Explicit Credentials via Scripting",
|
|
"sha256": "7a4c42f5bfb7bee1424ed3f2c6a969c641f1c4b9b7d9ce817f921f447b076725",
|
|
"type": "query",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Execution with Explicit Credentials via Scripting",
|
|
"sha256": "2dc22f1d2711ec05b707de2ffb129a4fd523c2ba910bb94f073ea5172e76c736",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Creation of Hidden Login Item via Apple Script",
|
|
"sha256": "0faaa346858f2dcb17db77667c2b5405492684ba8c0108091bb15d7a4d76ac79",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Creation of Hidden Login Item via Apple Script",
|
|
"sha256": "943de12492043deaf058154991653a8e53e6edf186778c6de09a4e23fabb57d5",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"f28e2be4-6eca-4349-bdd9-381573730c22": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
|
|
"sha256": "24b4d57df7a4e7ce08d3ad2bd3b675b8a5b3e8fd9173019958bacce878092ba8",
|
|
"type": "eql",
|
|
"version": 5
|
|
}
|
|
},
|
|
"rule_name": "Potential OpenSSH Backdoor Logging Activity",
|
|
"sha256": "09802de623888464e61fa36f71e514e2afda4617aba39a3aa441293963dfec0e",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "SIP Provider Modification",
|
|
"sha256": "2ba459343a12bb5eab29944e3968636c5b38e0007b17f8e5b6b8c12c58827110",
|
|
"type": "eql",
|
|
"version": 4
|
|
}
|
|
},
|
|
"rule_name": "SIP Provider Modification",
|
|
"sha256": "25b1bd038b71b820af180019aeacc304092e14482b03e5cb9cb7b785ef689193",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 11,
|
|
"rule_name": "LSASS Memory Dump Creation",
|
|
"sha256": "3e6e50826d519b95be8230a60471e7347a0cf1a3f68d2aa857aac4ce300b05a7",
|
|
"type": "eql",
|
|
"version": 9
|
|
},
|
|
"8.2": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "LSASS Memory Dump Creation",
|
|
"sha256": "267feaf9654f7bc39c4ec3c0aeefa5ac3961a87fc6aea9c7feee3396bff425ec",
|
|
"type": "eql",
|
|
"version": 12
|
|
}
|
|
},
|
|
"rule_name": "LSASS Memory Dump Creation",
|
|
"sha256": "11689430f0d1df1d271777d2532b62f35c8431e8d5cff51fc7cd3cd410f2e391",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"f30f3443-4fbb-4c27-ab89-c3ad49d62315": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "AWS RDS Instance Creation",
|
|
"sha256": "fdb052cc421e14176073509078d7ebb84e69338f14a02d61b3687ce413a5263a",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "AWS RDS Instance Creation",
|
|
"sha256": "33ac9a2e003f3ae8f4c6ec126a70fa22a0aedd817546b32ea0e75ea525224168",
|
|
"type": "query",
|
|
"version": 101
|
|
},
|
|
"f3475224-b179-4f78-8877-c2bd64c26b88": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "WMI Incoming Lateral Movement",
|
|
"sha256": "697265472771d768d277926b42e99b11fc14f495b24c6f2b8aecc0cc10b6409d",
|
|
"type": "eql",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "WMI Incoming Lateral Movement",
|
|
"sha256": "1ba6d0c019023e23ce796fa97e66efefb3d7c45ca7933c2a709a5a473503e03f",
|
|
"type": "eql",
|
|
"version": 102
|
|
},
|
|
"f37f3054-d40b-49ac-aa9b-a786c74c58b8": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
|
|
"sha256": "6e5898678bcd1b9c833fd090aabbf6e7e2fd69692405c532e8e7db74f71f9ae7",
|
|
"type": "threshold",
|
|
"version": 3
|
|
}
|
|
},
|
|
"rule_name": "Sudo Heap-Based Buffer Overflow Attempt",
|
|
"sha256": "16fad25f10dc1f87c6eb3b75be730b6858bd53d102f1b7170924c564f1c8e44f",
|
|
"type": "threshold",
|
|
"version": 101
|
|
},
|
|
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Persistence via Microsoft Office AddIns",
|
|
"sha256": "a527339384f08721754875fa945abf7d3cdf22d66ac5c2e8f2b62e1706013b2b",
|
|
"type": "eql",
|
|
"version": 7
|
|
}
|
|
},
|
|
"rule_name": "Persistence via Microsoft Office AddIns",
|
|
"sha256": "310e79551d145dcf236337f4b56480f3a4a59e1048aa2bcb2e219564e1b05ea6",
|
|
"type": "eql",
|
|
"version": 101
|
|
},
|
|
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
|
|
"sha256": "bdb6832aff1a99405ce51272c3c4ea81e914802fc8149673b9ec7521cfe6a2cf",
|
|
"type": "query",
|
|
"version": 6
|
|
}
|
|
},
|
|
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
|
|
"sha256": "2ed438689ec226d4ee5693d69db0e972c648d4f3aa0a4f727269734993893e68",
|
|
"type": "query",
|
|
"version": 103
|
|
},
|
|
"f52362cd-baf1-4b6d-84be-064efc826461": {
|
|
"rule_name": "Linux Restricted Shell Breakout via flock Shell evasion",
|
|
"sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7",
|
|
"type": "eql",
|
|
"version": 100
|
|
},
|
|
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Windows Script Executing PowerShell",
|
|
"sha256": "a540d7b91d337c085613ea8d5f7a5984c3e02c2b1c6020ce9051e8c37e7eca19",
|
|
"type": "eql",
|
|
"version": 14
|
|
}
|
|
},
|
|
"rule_name": "Windows Script Executing PowerShell",
|
|
"sha256": "6f0c9476b43586d5a6916221e54075ab343ef2da4530561130eb8eb5f071dd67",
|
|
"type": "eql",
|
|
"version": 103
|
|
},
|
|
"f5fb4598-4f10-11ed-bdc3-0242ac120002": {
|
|
"min_stack_version": "8.3",
|
|
"rule_name": "Masquerading Space After Filename",
|
|
"sha256": "a559ca7121903cf65479de35c9ed90846397108b147ba631b6ad9de1b8163b15",
|
|
"type": "eql",
|
|
"version": 2
|
|
},
|
|
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
|
|
"min_stack_version": "8.3",
|
|
"previous": {
|
|
"7.16": {
|
|
"max_allowable_version": 99,
|
|
"rule_name": "Windows Firewall Disabled via PowerShell",
|
|
"sha256": "006a7c779aedd42261a1a521731bcf7cbcf76d5381683aab472281003a7f7bb4",
|
|
"type": "eql",
|
|
"version": 8
}
},
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "042b248eef07037737bc0d472138c9557704ca65a5f29f0f3f50edc87d2a5e17",
"type": "eql",
"version": 103
},
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "55e9fa64400f766306c6c956c730b863e3abb105aad98a773032dfd336d0ad27",
"type": "eql",
"version": 14
}
},
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "313c51a7be90df7eabfc103fc3b5975357fabdee5c21f9a91e81afd68db8e682",
"type": "eql",
"version": 103
},
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "baedc4fcc8fd933fc5bf8e2f76c4ebb6acb9bded48fe91f102727b5978c797fa",
"type": "query",
"version": 3
}
},
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "ccda63a01079eee6633e4ba5d0a52491f209f58ccd8231318b69d6b1ebc70e82",
"type": "query",
"version": 101
},
"f766ffaf-9568-4909-b734-75d19b35cbf4": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Azure Service Principal Credentials Added",
"sha256": "91839fac086519a95bf9186adb97fdcab72a39a1c0e719461638efa09485aae7",
"type": "query",
"version": 5
}
},
"rule_name": "Azure Service Principal Credentials Added",
"sha256": "5ce0477a42d9ef224de6a9ce9e33d0348397e764da6da42221c86966aa7e0ab4",
"type": "query",
"version": 101
},
"f772ec8a-e182-483c-91d2-72058f76a44c": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "8ad42f1e8cb0d26f21a5da2eb9d80dbfad54d5a602c8d033ecbb349f0aecb297",
"type": "query",
"version": 10
}
},
"rule_name": "AWS CloudWatch Alarm Deletion",
"sha256": "6ac5090cd8ac8ecb82a8cc372f060d8ad5ac25bc946da022e11c3168c5aafa5f",
"type": "query",
"version": 104
},
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "15943bc13543a3c145d72f22f142223d4b10ef04fa295fb914b0a1ba1ace1307",
"type": "eql",
"version": 8
}
},
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "38c8dfcd66295cd777eec5ba387748c7c1ea726b0fccd2a9fa6ee79a391cece1",
"type": "eql",
"version": 103
},
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "702da601e24ddc5235a8fc5057bd20f2a12903f1374117532cee7c9f1352f3f2",
"type": "eql",
"version": 6
}
},
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "0ddf2eed504d084d07755fc397177d651ed3f6f2a652c0ef0eef3b9d1acdf269",
"type": "eql",
"version": 101
},
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "5146e28a6514142021a6718494e20683e8163f2f3998cbfb5c5e5b27b3b33396",
"type": "query",
"version": 3
}
},
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "91e6069cebc752735b234532d79705bff3682be87d756c439b2bedd7828fc76f",
"type": "query",
"version": 101
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "69e4d6aba25b972ffc1d02bcc6bb8a5b00e1a1e84d8d24b549b384e85e81b560",
"type": "eql",
"version": 8
}
},
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "5491e1d0affb62624da488680a5b736899b5c616088124fce33d0daf7caa3981",
"type": "eql",
"version": 103
},
"f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Unusual Linux System Network Configuration Discovery",
"sha256": "e0d27723f14bfc1f2d57f46507f432ac8447aeedaa48ac60222193653c4ea2a8",
"type": "machine_learning",
"version": 2
}
},
"rule_name": "Unusual Linux System Network Configuration Discovery",
"sha256": "14d20e2e82e941edcdbd220e8a8452c2b7c3d439345f8c165c7028552891d60d",
"type": "machine_learning",
"version": 100
},
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.3",
"rule_name": "Privileged Account Brute Force",
"sha256": "fd55d37e39f06e0295a19c28a056edf2a605a5e2c962f3bbaaad28bd1fd125a9",
"type": "eql",
"version": 2
},
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "723e46c1bcdfafc46527365b132c23ef8da4019c75dbbb363e9768944234eeb5",
"type": "query",
"version": 9
}
},
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "f6bd7eceac3a9f5c358384b9eb45ceb6fe554256572255ed542f2f087252080d",
"type": "query",
"version": 102
},
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "56b1ecfa2db9264a36ac1f9f8bf803d472f490b7851d54ed7cb678484069cf55",
"type": "eql",
"version": 7
}
},
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "091e93067807aca326570b5ddafa90bdbd8c31a6edb8ded46aa63ff345027a91",
"type": "eql",
"version": 102
},
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Network Connection via Registration Utility",
"sha256": "c346662d4ca6f6e99bd7d943aaf1b6e3ff59a95a78beec24b080fdaf82289c3e",
"type": "eql",
"version": 14
}
},
"rule_name": "Network Connection via Registration Utility",
"sha256": "2c53c0f5b55d1a25c761bb14a020e9d1644dc06f9f6605176e43cfb9a7ee51cf",
"type": "eql",
"version": 101
},
"fb9937ce-7e21-46bf-831d-1ad96eac674d": {
"rule_name": "Auditd Max Failed Login Attempts",
"sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412",
"type": "query",
"version": 100
},
"fbd44836-0d69-4004-a0b4-03c20370c435": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "bb8a45312a7cd79e9fdb40d1fe639f5a426fd830420ed64cd08efb557b612edd",
"type": "query",
"version": 9
}
},
"rule_name": "AWS Configuration Recorder Stopped",
"sha256": "e79304750f220b67d89c08be6ce16930f98a32ab89a07fc60751023170a17e4b",
"type": "query",
"version": 101
},
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "b224ba9133037909f492e2403fc22a98d8d4409df23717060ec4ee312f323658",
"type": "eql",
"version": 8
}
},
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "9c396d9526f1752f76e68a9735ccb6a47e50e06e7dba7b1235416f164261060e",
"type": "eql",
"version": 102
},
"fd3fc25e-7c7c-4613-8209-97942ac609f6": {
"rule_name": "Linux Restricted Shell Breakout via the expect command",
"sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032",
"type": "eql",
"version": 100
},
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "a7f66209cee9e1f45ad0e512e71f847b6c46c94015ca52f7f08b345a9c60b28c",
"type": "eql",
"version": 12
}
},
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "a16f8e6c05b39c8018a133ee6f7c2ba3df98ec0f6d7b7de80d48357c7448083d",
"type": "eql",
"version": 103
},
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 16,
"rule_name": "Suspicious CertUtil Commands",
"sha256": "72b6aefd420c13f2f9a75c27271f96b8fc4a9d2ba474654cf69f6a5586bab85a",
"type": "eql",
"version": 14
},
"8.2": {
"max_allowable_version": 99,
"rule_name": "Suspicious CertUtil Commands",
"sha256": "4a4057d6b10296e8a4a271e309922994d7208971a5baee1d7805193e3f27fe81",
"type": "eql",
"version": 17
}
},
"rule_name": "Suspicious CertUtil Commands",
"sha256": "1721697147f4cedc9f63a4628a9dcc49e6b913745c784a5f688bc498201cc953",
"type": "eql",
"version": 102
},
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 14,
"rule_name": "Svchost spawning Cmd",
"sha256": "3d668370d9b557693bef4d3e27feee891c659346bc032f6d62a25a08561cf61f",
"type": "eql",
"version": 12
},
"8.2": {
"max_allowable_version": 99,
"rule_name": "Svchost spawning Cmd",
"sha256": "a5ec087e76c65ab534d4a43f658c0765caa060175968b140808538a92d80abb4",
"type": "eql",
"version": 15
}
},
"rule_name": "Svchost spawning Cmd",
"sha256": "4b0c2280b1f1227ef7f18cc4cce110b9d96cf0f2e7d52ebf53509c27a97cffed",
"type": "eql",
"version": 103
},
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "7ce1ab37d88d1e6455883aa77e2ff80ecd52499d612b2dd90dd803b11040a078",
"type": "eql",
"version": 7
}
},
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "ff91692ee0f8423946d96ef632978d0f2f961b21444100eadfd292914d380a84",
"type": "eql",
"version": 103
},
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "3e42b34005caca684b62e9680d19d3b026730f8518c88065d34dbaa6db7db2b4",
"type": "eql",
"version": 6
}
},
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "f7938b7956db2bea096646bae6d80cb9b1a8f7c075485e429c284c2aed9ab9e4",
"type": "eql",
"version": 103
},
"ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099",
"type": "query",
"version": 11
}
},
"rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
"sha256": "7ab43899684dc9dfdbd0d111723d74eae5ec0abc9b4ddd9c6e06896ed083af8b",
"type": "query",
"version": 101
},
"ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "070acfe2b3f2fc4f568c643936593196e64cb629b3005c6fdc739b28ca4bc1ec",
"type": "query",
"version": 9
}
},
"rule_name": "Microsoft 365 Exchange Transport Rule Creation",
"sha256": "b2a97a4e796fd889d8a2767c60e251b137c8dd7025a5caf5a1099c25fc09e8c2",
"type": "query",
"version": 101
},
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": {
"min_stack_version": "8.3",
"previous": {
"7.16": {
"max_allowable_version": 99,
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "028f2986eed7da7502174e85bb85dd5d500ad50a933a1d7e90343e1a8cfea632",
"type": "query",
"version": 8
}
},
"rule_name": "GCP Firewall Rule Deletion",
"sha256": "7c5d449d6c60389c14e240553ff0cb6515b0851c294f68f04fffbdfd4e89e297",
"type": "query",
"version": 102
}
} |