From c44cf3de3ad8a72129e5535496d6d8c6355c0bad Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 11 Nov 2024 22:29:22 +0530
Subject: [PATCH] Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4267)

(cherry picked from commit ebb3675ea0d60fc28b0f9e11b3ea720aa572a8c2)
---
 detection_rules/etc/version.lock.json | 24910 ++++++++++++------------
 pyproject.toml | 2 +-
 2 files changed, 12520 insertions(+), 12392 deletions(-)

diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index bd9dc39f360..03447aac79e 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -1,13338 +1,13466 @@ { - "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { - "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", - "type": "query", - "version": 208 - }, - "00140285-b827-4aee-aa09-8113f58a08f3": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "95d6bda6c85aa51a099bee8f81f8ca363afbd0a32c6243308b42ca2e6acbcbf7", - "type": "eql", - "version": 215 - } - }, + "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a", + "type": "query", + "version": 209 + }, + "00140285-b827-4aee-aa09-8113f58a08f3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "d0e504df5a08de7cc03083586e584341e9e476f9a9f5e9a525b4412d81faee74", + "sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587", "type": "eql", - "version": 315 - }, - "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "System Shells via Services", - "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 413, - "rule_name": "System Shells via Services", - "sha256": "708a60d7b82bcae8d3c5d83d4e192c9b30bb0f4e8d73b7c6c3cb947d05f98199", - "type": "eql", - "version": 314 - } - }, + "version": 115 + }, + "8.13": { + "max_allowable_version": 313, 
+ "rule_name": "Potential Credential Access via Windows Utilities", + "sha256": "95d6bda6c85aa51a099bee8f81f8ca363afbd0a32c6243308b42ca2e6acbcbf7", + "type": "eql", + "version": 215 + } + }, + "rule_name": "Potential Credential Access via Windows Utilities", + "sha256": "d0e504df5a08de7cc03083586e584341e9e476f9a9f5e9a525b4412d81faee74", + "type": "eql", + "version": 315 + }, + "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "System Shells via Services", - "sha256": "a162645a77b6acee9dc5af1ce0bf4c383a1bdf53a97e697cb36ee608f06e7774", + "sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783", "type": "eql", - "version": 414 - }, - "00678712-b2df-11ed-afe9-f661ea17fbcc": { - "rule_name": "Google Workspace Suspended User Account Renewed", - "sha256": "8283b518baac8842c7ce326891bda4e15bace4d280e83afbd132727190139aee", - "type": "query", - "version": 3 - }, - "0136b315-b566-482f-866c-1d8e2477ba16": { - "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f", - "type": "query", - "version": 206 - }, - "015cca13-8832-49ac-a01b-a396114809f6": { - "rule_name": "AWS Redshift Cluster Creation", - "sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca", - "type": "query", - "version": 206 - }, - "0171f283-ade7-4f87-9521-ac346c68cc9b": { - "rule_name": "Potential Network Scan Detected", - "sha256": "0b7bd18f56d2a7b5f3bc16613aeb6e2a09c6a9ccc54a0592c9835fff18811b79", - "type": "threshold", - "version": 7 - }, - "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { - "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", - "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", - "type": "new_terms", - "version": 1 - }, - "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - 
"max_allowable_version": 206, - "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", - "type": "eql", - "version": 107 - } - }, - "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "28cbeaec5f3660a4e3a04bc6a7cb9638f8a0875530b512ad5614994fe1c3f004", + "version": 111 + }, + "8.13": { + "max_allowable_version": 413, + "rule_name": "System Shells via Services", + "sha256": "708a60d7b82bcae8d3c5d83d4e192c9b30bb0f4e8d73b7c6c3cb947d05f98199", "type": "eql", - "version": 207 - }, - "0294f105-d7af-4a02-ae90-35f56763ffa2": { - "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", - "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", - "type": "new_terms", - "version": 1 - }, - "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { - "rule_name": "Process Created with an Elevated Token", - "sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db", + "version": 314 + } + }, + "rule_name": "System Shells via Services", + "sha256": "15ba51d5a9926689787c960642056ab3de981a47b061a42487b3d8425f22e435", + "type": "eql", + "version": 415 + }, + "00678712-b2df-11ed-afe9-f661ea17fbcc": { + "rule_name": "Google Workspace Suspended User Account Renewed", + "sha256": "8283b518baac8842c7ce326891bda4e15bace4d280e83afbd132727190139aee", + "type": "query", + "version": 3 + }, + "0136b315-b566-482f-866c-1d8e2477ba16": { + "rule_name": "Microsoft 365 User Restricted from Sending Email", + "sha256": "35df6afe89ac91c72e0499d991574f17f0b1d4567e874f7e65976b6828bfac4f", + "type": "query", + "version": 206 + }, + "015cca13-8832-49ac-a01b-a396114809f6": { + "rule_name": "AWS Redshift Cluster Creation", + "sha256": "4b8809bf7107aa3e8169d82047acb52c422c663b159574d29a8176d7a9fb6dca", + "type": "query", + "version": 206 + }, + "0171f283-ade7-4f87-9521-ac346c68cc9b": { + "rule_name": "Potential Network Scan Detected", + "sha256": 
"0b7bd18f56d2a7b5f3bc16613aeb6e2a09c6a9ccc54a0592c9835fff18811b79", + "type": "threshold", + "version": 7 + }, + "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { + "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", + "sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28", + "type": "new_terms", + "version": 2 + }, + "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, + "rule_name": "Potential Cookies Theft via Browser Debugging", + "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", "type": "eql", - "version": 6 - }, - "02a4576a-7480-4284-9327-548a806b5e48": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 307, - "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", - "type": "eql", - "version": 208 - } - }, + "version": 107 + } + }, + "rule_name": "Potential Cookies Theft via Browser Debugging", + "sha256": "28cbeaec5f3660a4e3a04bc6a7cb9638f8a0875530b512ad5614994fe1c3f004", + "type": "eql", + "version": 207 + }, + "0294f105-d7af-4a02-ae90-35f56763ffa2": { + "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", + "sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e", + "type": "new_terms", + "version": 2 + }, + "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { + "rule_name": "Process Created with an Elevated Token", + "sha256": "a08170ff704e6eee3ac998cc9775b0a089926b6ba906ba421faa17c0c11a47db", + "type": "eql", + "version": 6 + }, + "02a4576a-7480-4284-9327-548a806b5e48": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "378f6d82a234a955375536d3a61db47a5093fe754b62078f81f9746f4e1a3ac7", - "type": "eql", - "version": 308 - 
}, - "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { - "rule_name": "Potential Ransomware Note File Dropped via SMB", - "sha256": "c09424400f8baab1bc7e15018527a7b26314073d02a79aac933a265ba32a2bf5", + "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", "type": "eql", - "version": 3 - }, - "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { - "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb", - "type": "query", - "version": 106 - }, - "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { - "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573", - "type": "query", - "version": 206 - }, - "035889c4-2686-4583-a7df-67f89c292f2c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1", - "type": "threshold", - "version": 112 - } - }, + "version": 208 + } + }, + "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", + "sha256": "378f6d82a234a955375536d3a61db47a5093fe754b62078f81f9746f4e1a3ac7", + "type": "eql", + "version": 308 + }, + "02bab13d-fb14-4d7c-b6fe-4a28874d37c5": { + "rule_name": "Potential Ransomware Note File Dropped via SMB", + "sha256": "c09424400f8baab1bc7e15018527a7b26314073d02a79aac933a265ba32a2bf5", + "type": "eql", + "version": 3 + }, + "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { + "rule_name": "Dumping Account Hashes via Built-In Commands", + "sha256": "450f7c6f060ecb022c4c2e14be6190a34524d0c07a56809370cfbd62e51f85bb", + "type": "query", + "version": 106 + }, + "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { + "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "sha256": "74d0cdf9039c5f529d26a7d3c4c076e387ed8e163e3ae7e021feb78bbd355573", + "type": "query", + 
"version": 206 + }, + "035889c4-2686-4583-a7df-67f89c292f2c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "4ba341e47ade2acd985606544787c92e19701acffaf9c287fd5689ac401c7368", + "sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1", "type": "threshold", - "version": 212 - }, - "035a6f21-4092-471d-9cda-9e379f459b1e": { - "rule_name": "Potential Memory Seeking Activity", - "sha256": "20152e6156019129d0fbbb345d391d5e782b2a10b7ae835fd26d8be3e6e3838c", - "type": "eql", - "version": 3 - }, - "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { - "rule_name": "Suspicious Dynamic Linker Discovery via od", - "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8", - "type": "eql", - "version": 2 - }, - "03a514d9-500e-443e-b6a9-72718c548f6c": { - "rule_name": "SSH Process Launched From Inside A Container", - "sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d", + "version": 112 + } + }, + "rule_name": "High Number of Process and/or Service Terminations", + "sha256": "4ba341e47ade2acd985606544787c92e19701acffaf9c287fd5689ac401c7368", + "type": "threshold", + "version": 212 + }, + "035a6f21-4092-471d-9cda-9e379f459b1e": { + "rule_name": "Potential Memory Seeking Activity", + "sha256": "20152e6156019129d0fbbb345d391d5e782b2a10b7ae835fd26d8be3e6e3838c", + "type": "eql", + "version": 3 + }, + "0369e8a6-0fa7-4e7a-961a-53180a4c966e": { + "rule_name": "Suspicious Dynamic Linker Discovery via od", + "sha256": "4ae40153ed65b4fdddee0a5528f9123c100ef8e2ba1710993374975e3b6320d8", + "type": "eql", + "version": 2 + }, + "03a514d9-500e-443e-b6a9-72718c548f6c": { + "rule_name": "SSH Process Launched From Inside A Container", + "sha256": "f4b1b23b638e8ea812f6cf173daedccc2a82fb1df5feeca4e6723b6726052c4d", + "type": "eql", + "version": 2 + }, + "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { + "rule_name": "Potential 
Network Scan Executed From Host", + "sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4", + "type": "threshold", + "version": 3 + }, + "0415258b-a7b2-48a6-891a-3367cd9d4d31": { + "rule_name": "First Time AWS Cloudformation Stack Creation by User", + "sha256": "94bf8efc1418d0c3dbcfad25b23fcfb931aaa7d34d5a718971956c00ce220f69", + "type": "new_terms", + "version": 1 + }, + "0415f22a-2336-45fa-ba07-618a5942e22c": { + "rule_name": "Modification of OpenSSH Binaries", + "sha256": "04af79fc085a46b7a9239dd4f9bfaf09118355ac4802004f3fdb734b00113972", + "type": "query", + "version": 110 + }, + "041d4d41-9589-43e2-ba13-5680af75ebc2": { + "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", + "sha256": "bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047", + "type": "query", + "version": 105 + }, + "043d80a3-c49e-43ef-9c72-1088f0c7b278": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, + "rule_name": "Potential Escalation via Vulnerable MSI Repair", + "sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174", "type": "eql", "version": 2 - }, - "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a": { - "rule_name": "Potential Network Scan Executed From Host", - "sha256": "d8d678cf5d5ac1994120d5171bc69702a7acd37f5bb9611dd14a19a952652ea4", - "type": "threshold", - "version": 3 - }, - "0415258b-a7b2-48a6-891a-3367cd9d4d31": { - "rule_name": "First Time AWS Cloudformation Stack Creation by User", - "sha256": "94bf8efc1418d0c3dbcfad25b23fcfb931aaa7d34d5a718971956c00ce220f69", - "type": "new_terms", - "version": 1 - }, - "0415f22a-2336-45fa-ba07-618a5942e22c": { - "rule_name": "Modification of OpenSSH Binaries", - "sha256": "04af79fc085a46b7a9239dd4f9bfaf09118355ac4802004f3fdb734b00113972", - "type": "query", - "version": 110 - }, - "041d4d41-9589-43e2-ba13-5680af75ebc2": { - "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", - "sha256": 
"bee1691d491fbbea753a91ebb85df78974469ba5769d4a517e72420787563047", - "type": "query", - "version": 105 - }, - "043d80a3-c49e-43ef-9c72-1088f0c7b278": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "ca6b6244eb33d751ab8afe90e9447bc34a5cd46b0e4604ee73d8c2e77612cb67", - "type": "eql", - "version": 102 - } - }, + }, + "8.13": { + "max_allowable_version": 200, "rule_name": "Potential Escalation via Vulnerable MSI Repair", - "sha256": "8a7f7f22aef8cdf2fa76b6194ccab0d26453470ba193c15aa82ef83fa9cf3102", + "sha256": "ca6b6244eb33d751ab8afe90e9447bc34a5cd46b0e4604ee73d8c2e77612cb67", "type": "eql", - "version": 202 - }, - "04c5a96f-19c5-44fd-9571-a0b033f9086f": { - "rule_name": "Azure AD Global Administrator Role Assigned", - "sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9", - "type": "query", "version": 102 - }, - "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { - "min_stack_version": "8.12", - "rule_name": "User Added to the Admin Group", - "sha256": "018ed4ea49d89558cfa618d30dec9b266a2926894b75e434ede0254443d6bab9", - "type": "eql", - "version": 1 - }, - "053a0387-f3b5-4ba5-8245-8002cca2bd08": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "e4bf9920903785a4d419c63645c7e09513aac5d799ecd7dbebd52664884af5e0", - "type": "eql", - "version": 111 - } - }, + } + }, + "rule_name": "Potential Escalation via Vulnerable MSI Repair", + "sha256": "8a7f7f22aef8cdf2fa76b6194ccab0d26453470ba193c15aa82ef83fa9cf3102", + "type": "eql", + "version": 202 + }, + 
"04c5a96f-19c5-44fd-9571-a0b033f9086f": { + "rule_name": "Azure AD Global Administrator Role Assigned", + "sha256": "fd3270ab237a24dde97ddba5bd81bde19c086742e131a59117fa0e610f05bef9", + "type": "query", + "version": 102 + }, + "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { + "min_stack_version": "8.12", + "rule_name": "User Added to the Admin Group", + "sha256": "018ed4ea49d89558cfa618d30dec9b266a2926894b75e434ede0254443d6bab9", + "type": "eql", + "version": 1 + }, + "053a0387-f3b5-4ba5-8245-8002cca2bd08": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "ae7b800eac312f398df8ba82f12abc2529bb704c4185f69948be3617af2847fb", - "type": "eql", - "version": 211 - }, - "054db96b-fd34-43b3-9af2-587b3bd33964": { - "rule_name": "Systemd-udevd Rule File Creation", - "sha256": "12d9feafcc88441dac8a47687708fa8fb7bf194076d084b80efd2128b97a5570", + "sha256": "e4bf9920903785a4d419c63645c7e09513aac5d799ecd7dbebd52664884af5e0", "type": "eql", - "version": 7 - }, - "0564fb9d-90b9-4234-a411-82a546dc1343": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e", - "type": "eql", - "version": 114 - } - }, + "version": 111 + } + }, + "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", + "sha256": "ae7b800eac312f398df8ba82f12abc2529bb704c4185f69948be3617af2847fb", + "type": "eql", + "version": 211 + }, + "054db96b-fd34-43b3-9af2-587b3bd33964": { + "rule_name": "Systemd-udevd Rule File Creation", + "sha256": "12d9feafcc88441dac8a47687708fa8fb7bf194076d084b80efd2128b97a5570", + "type": "eql", + "version": 7 + }, + "0564fb9d-90b9-4234-a411-82a546dc1343": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 
213, "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "b2f9992729bc05c1ad61753e6a581826cfdbf50a5cfe644cf620c534e0ee0add", + "sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e", "type": "eql", - "version": 214 - }, - "05b358de-aa6d-4f6c-89e6-78f74018b43b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "ccb2ff57c3244f25002537f1dc77486f9eafdcdbd670e3f6c41a50749f80121d", - "type": "eql", - "version": 210 - } - }, + "version": 114 + } + }, + "rule_name": "Microsoft IIS Service Account Password Dumped", + "sha256": "b2f9992729bc05c1ad61753e6a581826cfdbf50a5cfe644cf620c534e0ee0add", + "type": "eql", + "version": 214 + }, + "05b358de-aa6d-4f6c-89e6-78f74018b43b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "de972a03d58e0257614b0bd101a01763a9c8905bf07a6d5a97b16871115da13e", + "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", "type": "eql", - "version": 310 - }, - "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { - "rule_name": "Tainted Kernel Module Load", - "sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4", - "type": "query", - "version": 4 - }, - "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { - "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754", - "type": "query", - "version": 108 - }, - "0635c542-1b96-4335-9b47-126582d2c19a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Remote 
System Discovery Commands", - "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", - "type": "eql", - "version": 114 - } - }, + "version": 110 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Conhost Spawned By Suspicious Parent Process", + "sha256": "ccb2ff57c3244f25002537f1dc77486f9eafdcdbd670e3f6c41a50749f80121d", + "type": "eql", + "version": 210 + } + }, + "rule_name": "Conhost Spawned By Suspicious Parent Process", + "sha256": "de972a03d58e0257614b0bd101a01763a9c8905bf07a6d5a97b16871115da13e", + "type": "eql", + "version": 310 + }, + "05cad2fb-200c-407f-b472-02ea8c9e5e4a": { + "rule_name": "Tainted Kernel Module Load", + "sha256": "ce113c2fec8fb1bd012edc6533530b5ebe0b8145fa062e4e77c0a909435c6bf4", + "type": "query", + "version": 4 + }, + "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { + "rule_name": "Interactive Terminal Spawned via Perl", + "sha256": "e7a0bce29457ba5f1e9159d5e17e7344da87a83b390be4e989e842573acca754", + "type": "query", + "version": 108 + }, + "0635c542-1b96-4335-9b47-126582d2c19a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "Remote System Discovery Commands", - "sha256": "8385d01edb4859b073dd968c3ed428bdc9f20bb184869f14eb4f42692a0abe06", + "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", "type": "eql", - "version": 214 - }, - "06568a02-af29-4f20-929c-f3af281e41aa": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 109, - "rule_name": "System Time Discovery", - "sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261", - "type": "eql", - "version": 10 - } - }, + "version": 114 + } + }, + "rule_name": "Remote System Discovery Commands", + "sha256": "8385d01edb4859b073dd968c3ed428bdc9f20bb184869f14eb4f42692a0abe06", + "type": "eql", + "version": 214 + }, + "06568a02-af29-4f20-929c-f3af281e41aa": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + 
"max_allowable_version": 109, "rule_name": "System Time Discovery", - "sha256": "91c3723d6e06feb5696fb366c36fe16394766a895529e478dcfcc8ccbaddc71f", + "sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261", "type": "eql", - "version": 110 - }, - "0678bc9c-b71a-433b-87e6-2f664b6b3131": { - "rule_name": "Unusual Remote File Size", - "sha256": "86c63dfc5a14108858c1a668088b651845e888e1dfa6764e364d7193cda1e105", - "type": "machine_learning", - "version": 4 - }, - "06a7a03c-c735-47a6-a313-51c354aef6c3": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "826697069ae29aadaacdd84897a741e47446903296eba95adab0ba771cfdbe5a", - "type": "eql", - "version": 9 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "042f24758999dd875c2a6d26e28f71851c30b509b0ea5f898455dd21afc4bc81", - "type": "eql", - "version": 109 - } - }, + "version": 10 + } + }, + "rule_name": "System Time Discovery", + "sha256": "91c3723d6e06feb5696fb366c36fe16394766a895529e478dcfcc8ccbaddc71f", + "type": "eql", + "version": 110 + }, + "0678bc9c-b71a-433b-87e6-2f664b6b3131": { + "rule_name": "Unusual Remote File Size", + "sha256": "86c63dfc5a14108858c1a668088b651845e888e1dfa6764e364d7193cda1e105", + "type": "machine_learning", + "version": 4 + }, + "06a7a03c-c735-47a6-a313-51c354aef6c3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", - "sha256": "6e3972e93f2fc5d5ec11f458986e7b791eba2286bc5dc2a2a7a228068018518e", + "sha256": "826697069ae29aadaacdd84897a741e47446903296eba95adab0ba771cfdbe5a", "type": "eql", - "version": 209 - }, - "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Potential Evasion via Filter 
Manager", - "sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1", - "type": "eql", - "version": 113 - } - }, + "version": 9 + }, + "8.13": { + "max_allowable_version": 208, + "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", + "sha256": "042f24758999dd875c2a6d26e28f71851c30b509b0ea5f898455dd21afc4bc81", + "type": "eql", + "version": 109 + } + }, + "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", + "sha256": "dec496b372a0c9557658a4e9e0df8160dac454df7fd61ff83f0ab2d0eecfcbd1", + "type": "eql", + "version": 210 + }, + "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Potential Evasion via Filter Manager", - "sha256": "3a61aa859d4dd430becb99b7310d8f43570207832557eedf3e2684c3180cd10c", + "sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1", "type": "eql", - "version": 213 - }, - "074464f9-f30d-4029-8c03-0ed237fffec7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "a22920bafaad8e23ba5d6eebfc838d200a2d39ff0987bc849ff03110e9fe7ba3", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "75622c12c2b3910b87a6b069b747a11dd444908ee4ed676472e167c4347fb1b4", - "type": "eql", - "version": 211 - } - }, + "version": 113 + } + }, + "rule_name": "Potential Evasion via Filter Manager", + "sha256": "3a61aa859d4dd430becb99b7310d8f43570207832557eedf3e2684c3180cd10c", + "type": "eql", + "version": 213 + }, + "074464f9-f30d-4029-8c03-0ed237fffec7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "d297a7eaddaf187a3a04f1b9893ba3b5b536cabacd35af1dc214fadfd3573c3f", + "sha256": 
"a22920bafaad8e23ba5d6eebfc838d200a2d39ff0987bc849ff03110e9fe7ba3", "type": "eql", - "version": 311 - }, - "07639887-da3a-4fbf-9532-8ce748ff8c50": { - "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", + "sha256": "75622c12c2b3910b87a6b069b747a11dd444908ee4ed676472e167c4347fb1b4", "type": "eql", - "version": 3 - }, - "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { - "rule_name": "Suspicious Proc Pseudo File System Enumeration", - "sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5", - "type": "threshold", - "version": 7 - }, - "07b1ef73-1fde-4a49-a34a-5dd40011b076": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", - "type": "eql", - "version": 8 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "1d581fab9894150d93b9290184613601916238ed613aed8f033ba029c6d7f747", - "type": "eql", - "version": 212 - } - }, + "version": 211 + } + }, + "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", + "sha256": "69ba5e2f0de8ccc7766ab1484193e28e740b07a10fcb6f6f37899158d8f1dd24", + "type": "eql", + "version": 312 + }, + "07639887-da3a-4fbf-9532-8ce748ff8c50": { + "rule_name": "GitHub Protected Branch Settings Changed", + "sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91", + "type": "eql", + "version": 4 + }, + "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { + "rule_name": "Suspicious Proc Pseudo File System Enumeration", + "sha256": "9dfcd341fcbfb91ac853a20da424eeb340c470adbfda7667e5f86e796de58ce5", + "type": "threshold", + "version": 7 + }, + 
"07b1ef73-1fde-4a49-a34a-5dd40011b076": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "cba44e5f0b785c8ff69b139d209a7e10ae87452830da92efee001b69f5a95d51", - "type": "eql", - "version": 312 - }, - "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { - "rule_name": "Google Drive Ownership Transferred via Google Workspace", - "sha256": "9ef2074f6e701f2d706ccfe7165569007fc670532ed8a720905e2fbff4754a32", - "type": "query", - "version": 107 - }, - "080bc66a-5d56-4d1f-8071-817671716db9": { - "rule_name": "Suspicious Browser Child Process", - "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", + "sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d", "type": "eql", - "version": 107 - }, - "082e3f8c-6f80-485c-91eb-5b112cb79b28": { - "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879", + "version": 9 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Local Account TokenFilter Policy Disabled", + "sha256": "1d581fab9894150d93b9290184613601916238ed613aed8f033ba029c6d7f747", "type": "eql", - "version": 106 - }, - "083fa162-e790-4d85-9aeb-4fea04188adb": { - "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece", - "type": "query", - "version": 106 - }, - "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "First Time Seen Removable Device", - "sha256": "aec36fbd3822bf9e12b866c619574507647dfdec52725d3f77d00b7be3d4aaef", - "type": "new_terms", - "version": 9 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "First Time Seen Removable Device", - "sha256": "629de40be19abc034ed2f876dd72df2fc72ce0397116eed55c08d790401d4da6", - 
"type": "new_terms", - "version": 109 - } - }, + "version": 212 + } + }, + "rule_name": "Local Account TokenFilter Policy Disabled", + "sha256": "cba44e5f0b785c8ff69b139d209a7e10ae87452830da92efee001b69f5a95d51", + "type": "eql", + "version": 312 + }, + "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { + "rule_name": "Google Drive Ownership Transferred via Google Workspace", + "sha256": "9ef2074f6e701f2d706ccfe7165569007fc670532ed8a720905e2fbff4754a32", + "type": "query", + "version": 107 + }, + "080bc66a-5d56-4d1f-8071-817671716db9": { + "rule_name": "Suspicious Browser Child Process", + "sha256": "1678ce85ef34f778c0a71b6aec184f3f30550c0c641544c922f4ae9eee9dd5be", + "type": "eql", + "version": 107 + }, + "082e3f8c-6f80-485c-91eb-5b112cb79b28": { + "rule_name": "Launch Agent Creation or Modification and Immediate Loading", + "sha256": "e27de95651bbdd93ef96aab3c00d5d496a005ac796a8a277a28331ad9552a879", + "type": "eql", + "version": 106 + }, + "083fa162-e790-4d85-9aeb-4fea04188adb": { + "rule_name": "Suspicious Hidden Child Process of Launchd", + "sha256": "997d8ce81fcbd8b47fa77b50434bd99ba1c4606f6d935a4af76098e5d9c28ece", + "type": "query", + "version": 106 + }, + "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "First Time Seen Removable Device", - "sha256": "20d5ab4b426cb84f65b990fde4a3011164e908b124f4c961646afae8d6e73a58", + "sha256": "aec36fbd3822bf9e12b866c619574507647dfdec52725d3f77d00b7be3d4aaef", + "type": "new_terms", + "version": 9 + }, + "8.13": { + "max_allowable_version": 208, + "rule_name": "First Time Seen Removable Device", + "sha256": "629de40be19abc034ed2f876dd72df2fc72ce0397116eed55c08d790401d4da6", "type": "new_terms", - "version": 209 - }, - "089db1af-740d-4d84-9a5b-babd6de143b0": { - "rule_name": "Windows Account or Group Discovery", - "sha256": "345611059c1ff3167364a9fd80b7f975c8cef14393238750bfa8c6207ab12bd0", - "type": "eql", - "version": 5 - }, - 
"08d5d7e2-740f-44d8-aeda-e41f4263efaf": { - "rule_name": "TCP Port 8000 Activity to the Internet", - "sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb", - "type": "query", - "version": 100 - }, - "092b068f-84ac-485d-8a55-7dd9e006715f": { - "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993", - "type": "eql", - "version": 107 - }, - "09443c92-46b3-45a4-8f25-383b028b258d": { - "rule_name": "Process Termination followed by Deletion", - "sha256": "8628999b147b10ff30f618a79c4aee2123744abc0e2bb05cc8c98d11017145ad", - "type": "eql", "version": 109 - }, - "095b6a58-8f88-4b59-827c-ab584ad4e759": { - "rule_name": "Member Removed From GitHub Organization", - "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", - "type": "eql", - "version": 1 - }, - "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { - "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", - "sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244", - "type": "eql", - "version": 100 - }, - "09bc6c90-7501-494d-b015-5d988dc3f233": { - "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", - "sha256": "ba5ece96c45f82ec3deddbb0311dc407ea0a8234e9dea257649d0cd4014c2eff", - "type": "eql", - "version": 5 - }, - "09d028a5-dcde-409f-8ae0-557cef1b7082": { - "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", - "sha256": "08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53", - "type": "query", - "version": 102 - }, - "0a97b20f-4144-49ea-be32-b540ecc445de": { - "rule_name": "Malware - Detected - Elastic Endgame", - "sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2", - "type": "query", - "version": 103 - }, - "0ab319ef-92b8-4c7f-989b-5de93c852e93": { - "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", - "sha256": 
"d6a0f724b514c85dbde5be35083810d0d6e18c2cd144eef691aa03bd23590370", + } + }, + "rule_name": "First Time Seen Removable Device", + "sha256": "20d5ab4b426cb84f65b990fde4a3011164e908b124f4c961646afae8d6e73a58", + "type": "new_terms", + "version": 209 + }, + "089db1af-740d-4d84-9a5b-babd6de143b0": { + "rule_name": "Windows Account or Group Discovery", + "sha256": "345611059c1ff3167364a9fd80b7f975c8cef14393238750bfa8c6207ab12bd0", + "type": "eql", + "version": 5 + }, + "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { + "rule_name": "TCP Port 8000 Activity to the Internet", + "sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb", + "type": "query", + "version": 100 + }, + "092b068f-84ac-485d-8a55-7dd9e006715f": { + "rule_name": "Creation of Hidden Launch Agent or Daemon", + "sha256": "bd61ec617f7cc0e401d2a89073a35ae316baab560f044fda528a0a38bbd2c993", + "type": "eql", + "version": 107 + }, + "09443c92-46b3-45a4-8f25-383b028b258d": { + "rule_name": "Process Termination followed by Deletion", + "sha256": "07259ee65eed64efa83cd67f2944378c9f5eac6af8a0d950ddf46fd06505c613", + "type": "eql", + "version": 110 + }, + "095b6a58-8f88-4b59-827c-ab584ad4e759": { + "rule_name": "Member Removed From GitHub Organization", + "sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7", + "type": "eql", + "version": 2 + }, + "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { + "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", + "sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244", + "type": "eql", + "version": 100 + }, + "09bc6c90-7501-494d-b015-5d988dc3f233": { + "rule_name": "File Creation, Execution and Self-Deletion in Suspicious Directory", + "sha256": "ba5ece96c45f82ec3deddbb0311dc407ea0a8234e9dea257649d0cd4014c2eff", + "type": "eql", + "version": 5 + }, + "09d028a5-dcde-409f-8ae0-557cef1b7082": { + "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", + "sha256": 
"08faf9e24053c3b8463889e3c47cec194c8acedaad33ce17bc7acd6ac50c3a53", + "type": "query", + "version": 102 + }, + "0a97b20f-4144-49ea-be32-b540ecc445de": { + "rule_name": "Malware - Detected - Elastic Endgame", + "sha256": "6e5837c5ce6d6866ed28e8c33e2bd9945580de7462f25874b585d7f96997daa2", + "type": "query", + "version": 103 + }, + "0ab319ef-92b8-4c7f-989b-5de93c852e93": { + "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", + "sha256": "d6a0f724b514c85dbde5be35083810d0d6e18c2cd144eef691aa03bd23590370", + "type": "query", + "version": 5 + }, + "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, + "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", + "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", "type": "query", - "version": 5 - }, - "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", - "type": "query", - "version": 6 - }, - "8.12": { - "max_allowable_version": 207, - "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e", - "type": "query", - "version": 108 - } - }, + "version": 6 + }, + "8.12": { + "max_allowable_version": 207, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "1a79fc397af3f12c7da606036342d1b41b7d2b17df4a446cd98e618b4e7e9891", + "sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e", "type": "query", - "version": 208 - }, - "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { - "rule_name": "Yum Package Manager Plugin File Creation", - "sha256": 
"b6b6b3ca5a1b00c1c9c2963e11de9416eb551dc1cae810218908a0530dee3559", - "type": "eql", - "version": 4 - }, - "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Anomalous Windows Process Creation", - "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c", - "type": "machine_learning", - "version": 108 - } - }, + "version": 108 + } + }, + "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", + "sha256": "1a79fc397af3f12c7da606036342d1b41b7d2b17df4a446cd98e618b4e7e9891", + "type": "query", + "version": 208 + }, + "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { + "rule_name": "Yum Package Manager Plugin File Creation", + "sha256": "b6b6b3ca5a1b00c1c9c2963e11de9416eb551dc1cae810218908a0530dee3559", + "type": "eql", + "version": 4 + }, + "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Anomalous Windows Process Creation", - "sha256": "acdcc7db7bd1b750efe71ad345cb5a5475fd227ac91ab85cc7c45383df0d9eb0", + "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c", "type": "machine_learning", - "version": 208 - }, - "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "User account exposed to Kerberoasting", - "sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0", - "type": "query", - "version": 113 - } - }, + "version": 108 + } + }, + "rule_name": "Anomalous Windows Process Creation", + "sha256": "acdcc7db7bd1b750efe71ad345cb5a5475fd227ac91ab85cc7c45383df0d9eb0", + "type": "machine_learning", + "version": 208 + }, + "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "User account exposed to Kerberoasting", - 
"sha256": "4b5cbd7460298bb5d01a57eea52921d5400e6071d98b2cb6ec940f3fdcc3d2af", + "sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0", "type": "query", - "version": 213 - }, - "0b79f5c0-2c31-4fea-86cd-e62644278205": { - "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", - "sha256": "ba7852357719e494be81332b6d01118f5355863b002a850e69704188995ec8c6", - "type": "eql", - "version": 1 - }, - "0b803267-74c5-444d-ae29-32b5db2d562a": { - "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "9379617540e2ec131f85bb616170f340ca96c8e809e9754dfd7cba46a7f361e9", - "type": "eql", - "version": 6 - }, - "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 101, - "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "d6fa3f4e6eefb62df2be718d0947e519176fb25f046497c15158ef5116ca4088", - "type": "eql", - "version": 3 - } - }, + "version": 113 + } + }, + "rule_name": "User account exposed to Kerberoasting", + "sha256": "4b5cbd7460298bb5d01a57eea52921d5400e6071d98b2cb6ec940f3fdcc3d2af", + "type": "query", + "version": 213 + }, + "0b79f5c0-2c31-4fea-86cd-e62644278205": { + "rule_name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", + "sha256": "ba7852357719e494be81332b6d01118f5355863b002a850e69704188995ec8c6", + "type": "eql", + "version": 1 + }, + "0b803267-74c5-444d-ae29-32b5db2d562a": { + "rule_name": "Potential Shell via Wildcard Injection Detected", + "sha256": "9379617540e2ec131f85bb616170f340ca96c8e809e9754dfd7cba46a7f361e9", + "type": "eql", + "version": 6 + }, + "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { + "min_stack_version": "8.14", + "previous": { + "8.13": { + "max_allowable_version": 101, "rule_name": "Attempt to Establish VScode Remote Tunnel", - "sha256": "e3e0dae0ba3379b0f1c16cff9934161e82104fc80d18f14fcf96ae61dcd3e44e", + "sha256": "d6fa3f4e6eefb62df2be718d0947e519176fb25f046497c15158ef5116ca4088", 
"type": "eql", - "version": 103 - }, - "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { - "rule_name": "Processes with Trailing Spaces", - "sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286", + "version": 3 + } + }, + "rule_name": "Attempt to Establish VScode Remote Tunnel", + "sha256": "a41786ebd2dfbb03c42ea6bf3fdc405509199a39d2c76596d2106580b4e85706", + "type": "eql", + "version": 104 + }, + "0c093569-dff9-42b6-87b1-0242d9f7d9b4": { + "rule_name": "Processes with Trailing Spaces", + "sha256": "29769b5de5c0ab41be457818db9d6f387037ff6423addf05789011df15cbf286", + "type": "eql", + "version": 2 + }, + "0c1e8fda-4f09-451e-bc77-a192b6cbfc32": { + "rule_name": "Potential Hex Payload Execution", + "sha256": "b50ace78d817688a156f23beb890b4697291938d084ca42129f8ecf1dcb8b0b0", + "type": "eql", + "version": 1 + }, + "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { + "rule_name": "Threat Intel IP Address Indicator Match", + "sha256": "73f1d7ac5e48ae941a948cf4fd8934aa63350e31aa9b81f06de2f8543783dd7d", + "type": "threat_match", + "version": 7 + }, + "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "Peripheral Device Discovery", + "sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b", "type": "eql", - "version": 2 - }, - "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { - "rule_name": "Threat Intel IP Address Indicator Match", - "sha256": "73f1d7ac5e48ae941a948cf4fd8934aa63350e31aa9b81f06de2f8543783dd7d", - "type": "threat_match", - "version": 7 - }, - "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Peripheral Device Discovery", - "sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Peripheral Device Discovery", - "sha256": 
"e9e92aa8e1ad67d6a76c1d863117e5661cf826a76f886d086ccb881e82884a23", - "type": "eql", - "version": 210 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, "rule_name": "Peripheral Device Discovery", - "sha256": "095ced38f5d8365117c7fd844123668aa20dcb1683c28790b493a833297764c3", + "sha256": "e9e92aa8e1ad67d6a76c1d863117e5661cf826a76f886d086ccb881e82884a23", "type": "eql", - "version": 310 - }, - "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { - "rule_name": "Deprecated - Threat Intel Indicator Match", - "sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a", - "type": "threat_match", - "version": 204 - }, - "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { - "min_stack_version": "8.13", - "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", - "sha256": "9d97ad923ffa94a4d3255c94fdc54a132bb5032c08ba7d8ac2dc07f13d80a998", - "type": "esql", - "version": 3 - }, - "0ce6487d-8069-4888-9ddd-61b52490cebc": { - "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746", - "type": "query", - "version": 206 - }, - "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { - "rule_name": "Multiple Alerts Involving a User", - "sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252", - "type": "threshold", - "version": 3 - }, - "0d69150b-96f8-467c-a86d-a67a3378ce77": { - "rule_name": "Nping Process Activity", - "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec", + "version": 210 + } + }, + "rule_name": "Peripheral Device Discovery", + "sha256": "5c9eb5418f67e5344018b20070d77c09629e1a8fd55f8bdf09e6f4d8e14b8d43", + "type": "eql", + "version": 311 + }, + "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { + "rule_name": "Deprecated - Threat Intel Indicator Match", + "sha256": "ec5023dc861db76d527d73f0343ba6a97b38c94f47aaa698929029d922d98e6a", + "type": "threat_match", + "version": 204 + }, + 
"0cd2f3e6-41da-40e6-b28b-466f688f00a6": { + "min_stack_version": "8.13", + "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", + "sha256": "dbe1ee653e8649143a8b2aa6c43f5f5661b1bbccfd106614feb092ddd050d25b", + "type": "esql", + "version": 4 + }, + "0ce6487d-8069-4888-9ddd-61b52490cebc": { + "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", + "sha256": "68fc02b03cbb322ff078a6a531807bf5fe21ae93726dad1ea16c11ed71d4c746", + "type": "query", + "version": 206 + }, + "0d160033-fab7-4e72-85a3-3a9d80c8bff7": { + "rule_name": "Multiple Alerts Involving a User", + "sha256": "43984fe31af84306a2a8266b867a70c8b185159a7419988e7211ff4a74fde252", + "type": "threshold", + "version": 3 + }, + "0d69150b-96f8-467c-a86d-a67a3378ce77": { + "rule_name": "Nping Process Activity", + "sha256": "b3f71d6cd3a2c3a2f492e825c65e78db5b3faa4eefed530678b5c504496230ec", + "type": "eql", + "version": 108 + }, + "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { + "rule_name": "Execution of File Written or Modified by Microsoft Office", + "sha256": "e5c5f267f119e9874c5b19c097244a7253714352e28e2fcc353b74d5c36bb3e4", + "type": "eql", + "version": 111 + }, + "0e4367a0-a483-439d-ad2e-d90500b925fd": { + "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", + "sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce", + "type": "new_terms", + "version": 2 + }, + "0e52157a-8e96-4a95-a6e3-5faae5081a74": { + "rule_name": "SharePoint Malware File Upload", + "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393", + "type": "query", + "version": 206 + }, + "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { + "rule_name": "GCP Service Account Key Creation", + "sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b", + "type": "query", + "version": 104 + }, + "0e79980b-4250-4a50-a509-69294c14e84b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + 
"max_allowable_version": 209, + "rule_name": "MsBuild Making Network Connections", + "sha256": "dde434b8d763db265a284e83d3a6b88cf8b88da05acec8a4ef9f325b9c2ec960", "type": "eql", - "version": 108 - }, - "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { - "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "e5c5f267f119e9874c5b19c097244a7253714352e28e2fcc353b74d5c36bb3e4", + "version": 110 + } + }, + "rule_name": "MsBuild Making Network Connections", + "sha256": "bf7179d1b47194100baad37ed0a523ce816c9844de775a252e0c6a98cd5d3ebf", + "type": "eql", + "version": 210 + }, + "0f4d35e4-925e-4959-ab24-911be207ee6f": { + "rule_name": "rc.local/rc.common File Creation", + "sha256": "28070d788626c94266ca156adfce5e6d58d48df08e6103e0cfc4c1b1e7bb8ab5", + "type": "eql", + "version": 114 + }, + "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { + "rule_name": "Netcat Listener Established via rlwrap", + "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147", + "type": "eql", + "version": 3 + }, + "0f616aee-8161-4120-857e-742366f5eeb3": { + "rule_name": "PowerShell spawning Cmd", + "sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be", + "type": "query", + "version": 100 + }, + "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", + "type": "threshold", + "version": 210 + } + }, + "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "sha256": "b6fe17ae61cabf399f3502a59bd831e6a43b9d29f19787c3623981dc44eec698", + "type": "threshold", + "version": 310 + }, + "0ff84c42-873d-41a2-a4ed-08d74d352d01": { + "rule_name": "Privilege Escalation via Root Crontab File Modification", + "sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895", + "type": "query", + "version": 106 + 
}, + "10445cf0-0748-11ef-ba75-f661ea17fbcc": { + "rule_name": "AWS IAM Login Profile Added to User", + "sha256": "dff5cd6124560d135f2d7393f7c92da107c6f1993843cabdc031a2c21f69d7fd", + "type": "query", + "version": 2 + }, + "10754992-28c7-4472-be5b-f3770fd04f2d": { + "rule_name": "Linux Restricted Shell Breakout via awk Commands", + "sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969", + "type": "eql", + "version": 100 + }, + "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { + "rule_name": "WebProxy Settings Modification", + "sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af", + "type": "query", + "version": 206 + }, + "11013227-0301-4a8c-b150-4db924484475": { + "rule_name": "Abnormally Large DNS Response", + "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", + "type": "query", + "version": 105 + }, + "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", + "sha256": "d2e9275f49d79f985078f90b204c71c5cc8da39f4545ee151878e99517456602", "type": "eql", "version": 111 - }, - "0e4367a0-a483-439d-ad2e-d90500b925fd": { - "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", - "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", - "type": "new_terms", - "version": 1 - }, - "0e52157a-8e96-4a95-a6e3-5faae5081a74": { - "rule_name": "SharePoint Malware File Upload", - "sha256": "815889da8ead699edd9b19124c697cd9038a641d065cf2dbfef062e81dfb5393", - "type": "query", - "version": 206 - }, - "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { - "rule_name": "GCP Service Account Key Creation", - "sha256": "ffe1bc8de6ff95c0fd9bb67fb93eace9b0ba96055cbf863fe0286dd7b033061b", + } + }, + "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", + "sha256": 
"e8f11b08f41d0af660c26c82752b4d5344f91cdc0fc98514b43577e6477977d6", + "type": "eql", + "version": 211 + }, + "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, + "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd", + "type": "eql", + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "sha256": "aa018af3ba1144c484d88c95f262455130c03245c19a0d48b1f9e314be08333b", + "type": "eql", + "version": 212 + } + }, + "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "sha256": "cd4ff3a06fa4ded3c35daf6785753a17cb5582a6ae1ad4a06a341c03c74b12a5", + "type": "eql", + "version": 312 + }, + "119c8877-8613-416d-a98a-96b6664ee73a": { + "rule_name": "AWS RDS Snapshot Export", + "sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c", + "type": "query", + "version": 206 + }, + "119c8877-8613-416d-a98a-96b6664ee73a5": { + "rule_name": "AWS RDS Snapshot Export", + "sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0", + "type": "query", + "version": 100 + }, + "11dd9713-0ec6-4110-9707-32daae1ee68c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 113, + "rule_name": "PowerShell Script with Token Impersonation Capabilities", + "sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2", "type": "query", - "version": 104 - }, - "0e79980b-4250-4a50-a509-69294c14e84b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "MsBuild Making Network Connections", - "sha256": "dde434b8d763db265a284e83d3a6b88cf8b88da05acec8a4ef9f325b9c2ec960", - "type": "eql", - "version": 110 - } - }, - "rule_name": "MsBuild Making Network Connections", - "sha256": 
"bf7179d1b47194100baad37ed0a523ce816c9844de775a252e0c6a98cd5d3ebf", + "version": 14 + } + }, + "rule_name": "PowerShell Script with Token Impersonation Capabilities", + "sha256": "5da4a9373dd0e7d3e939dc5815ae14c28a0fedadefabad3b85e2e059b5cc1a24", + "type": "query", + "version": 114 + }, + "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { + "min_stack_version": "8.13", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Third-party Backup Files Deleted via Unexpected Process", + "sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967", "type": "eql", - "version": 210 - }, - "0f4d35e4-925e-4959-ab24-911be207ee6f": { - "rule_name": "rc.local/rc.common File Creation", - "sha256": "28070d788626c94266ca156adfce5e6d58d48df08e6103e0cfc4c1b1e7bb8ab5", + "version": 113 + } + }, + "rule_name": "Third-party Backup Files Deleted via Unexpected Process", + "sha256": "529c6c9afcecffe9bc1f09b979a34bc926f72b18aae363094788855893224f4e", + "type": "eql", + "version": 213 + }, + "12051077-0124-4394-9522-8f4f4db1d674": { + "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", + "sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7", + "type": "query", + "version": 206 + }, + "120559c6-5e24-49f4-9e30-8ffe697df6b9": { + "rule_name": "User Discovery via Whoami", + "sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e", + "type": "query", + "version": 100 + }, + "1224da6c-0326-4b4f-8454-68cdc5ae542b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, + "rule_name": "Suspicious Windows Process Cluster Spawned by a User", + "sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b", + "type": "machine_learning", + "version": 7 + } + }, + "rule_name": "Suspicious Windows Process Cluster Spawned by a User", + "sha256": "a979104cf9cc45e2deefe33c7763b2f7452f1cce582e84c1036d8659251e76e9", + "type": "machine_learning", + "version": 107 + }, + 
"1251b98a-ff45-11ee-89a1-f661ea17fbce": { + "rule_name": "AWS Lambda Function Created or Updated", + "sha256": "034e4008a61db1376ed832a2c197463f0db3f4a325e879f200fc0180f30cdc17", + "type": "query", + "version": 2 + }, + "125417b8-d3df-479f-8418-12d7e034fee3": { + "rule_name": "Attempt to Disable IPTables or Firewall", + "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", + "type": "query", + "version": 100 + }, + "128468bf-cab1-4637-99ea-fdf3780a4609": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, + "rule_name": "Suspicious Lsass Process Access", + "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", "type": "eql", - "version": 114 - }, - "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { - "rule_name": "Netcat Listener Established via rlwrap", - "sha256": "1f0f4f689d14c5e8a3b4843b2eeaad564fbc252458ad52473fa7fdcee3d19147", + "version": 107 + } + }, + "rule_name": "Suspicious Lsass Process Access", + "sha256": "c7b2febcd7a93457f53f7d4c52aad131a4116e9f93d76437d261111f09423eca", + "type": "eql", + "version": 208 + }, + "12a2f15d-597e-4334-88ff-38a02cb1330b": { + "rule_name": "Kubernetes Suspicious Self-Subject Review", + "sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec", + "type": "query", + "version": 203 + }, + "12cbf709-69e8-4055-94f9-24314385c27e": { + "rule_name": "Kubernetes Pod Created With HostNetwork", + "sha256": "6f467e2189a55fb44966834223c32fb6509c57dd21bcdff69b4f6e2ec920aeff", + "type": "query", + "version": 204 + }, + "12de29d4-bbb0-4eef-b687-857e8a163870": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", + "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", "type": "eql", "version": 3 - }, - "0f616aee-8161-4120-857e-742366f5eeb3": { - "rule_name": "PowerShell spawning Cmd", - "sha256": 
"02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be", - "type": "query", - "version": 100 - }, - "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 309, - "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", - "type": "threshold", - "version": 210 - } - }, - "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "b6fe17ae61cabf399f3502a59bd831e6a43b9d29f19787c3623981dc44eec698", - "type": "threshold", - "version": 310 - }, - "0ff84c42-873d-41a2-a4ed-08d74d352d01": { - "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "77aa00047d7d61f2d5e30b916036032f69c56b68731a43c72c0c8f18adf55895", - "type": "query", - "version": 106 - }, - "10445cf0-0748-11ef-ba75-f661ea17fbcc": { - "rule_name": "AWS IAM Login Profile Added to User", - "sha256": "dff5cd6124560d135f2d7393f7c92da107c6f1993843cabdc031a2c21f69d7fd", - "type": "query", - "version": 2 - }, - "10754992-28c7-4472-be5b-f3770fd04f2d": { - "rule_name": "Linux Restricted Shell Breakout via awk Commands", - "sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969", - "type": "eql", - "version": 100 - }, - "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { - "rule_name": "WebProxy Settings Modification", - "sha256": "aea77c71f5a15f5ba810f2f316aef50e4fa6948ad6b4e6b1c77449fd584157af", - "type": "query", - "version": 206 - }, - "11013227-0301-4a8c-b150-4db924484475": { - "rule_name": "Abnormally Large DNS Response", - "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", - "type": "query", - "version": 105 - }, - "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": 
"d2e9275f49d79f985078f90b204c71c5cc8da39f4545ee151878e99517456602", - "type": "eql", - "version": 111 - } - }, - "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", - "sha256": "e8f11b08f41d0af660c26c82752b4d5344f91cdc0fc98514b43577e6477977d6", + }, + "8.13": { + "max_allowable_version": 202, + "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", + "sha256": "4bbc3bd2b9452e05e7e5829db2c77881e9bd34accc89ae0ee089e96ed991a0d0", "type": "eql", - "version": 211 - }, - "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "aa018af3ba1144c484d88c95f262455130c03245c19a0d48b1f9e314be08333b", - "type": "eql", - "version": 212 - } - }, - "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "cd4ff3a06fa4ded3c35daf6785753a17cb5582a6ae1ad4a06a341c03c74b12a5", + "version": 103 + } + }, + "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", + "sha256": "20059209c3052442c7ed5c5a377f07f5900366dd533db5b237c40a4f03968c49", + "type": "eql", + "version": 203 + }, + "12f07955-1674-44f7-86b5-c35da0a6f41a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Suspicious Cmd Execution via WMI", + "sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177", "type": "eql", - "version": 312 - }, - "119c8877-8613-416d-a98a-96b6664ee73a": { - "rule_name": "AWS RDS Snapshot Export", - "sha256": "a00e77547551b6a8212c1d2b2c97be59f34bacf51a65366e59724bb0f5d3060c", - "type": "query", - "version": 206 - }, - "119c8877-8613-416d-a98a-96b6664ee73a5": { - 
"rule_name": "AWS RDS Snapshot Export", - "sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0", - "type": "query", - "version": 100 - }, - "11dd9713-0ec6-4110-9707-32daae1ee68c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 113, - "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2", - "type": "query", - "version": 14 - } - }, - "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "5da4a9373dd0e7d3e939dc5815ae14c28a0fedadefabad3b85e2e059b5cc1a24", - "type": "query", - "version": 114 - }, - "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { - "min_stack_version": "8.13", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967", - "type": "eql", - "version": 113 - } - }, - "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "529c6c9afcecffe9bc1f09b979a34bc926f72b18aae363094788855893224f4e", + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Suspicious Cmd Execution via WMI", + "sha256": "fe4ba438fce303e2daf224812c4bd214f595f651161a5e587cc2d2e50dda76ee", "type": "eql", "version": 213 - }, - "12051077-0124-4394-9522-8f4f4db1d674": { - "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "15feead7d77394bd6bf71dd30d81329b1fbca72fbffc872a6f07f0b3a696b0d7", - "type": "query", - "version": 206 - }, - "120559c6-5e24-49f4-9e30-8ffe697df6b9": { - "rule_name": "User Discovery via Whoami", - "sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e", - "type": "query", - "version": 100 - }, - "1224da6c-0326-4b4f-8454-68cdc5ae542b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": 
"Suspicious Windows Process Cluster Spawned by a User", - "sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b", - "type": "machine_learning", - "version": 7 - } - }, - "rule_name": "Suspicious Windows Process Cluster Spawned by a User", - "sha256": "a979104cf9cc45e2deefe33c7763b2f7452f1cce582e84c1036d8659251e76e9", - "type": "machine_learning", - "version": 107 - }, - "1251b98a-ff45-11ee-89a1-f661ea17fbce": { - "rule_name": "AWS Lambda Function Created or Updated", - "sha256": "034e4008a61db1376ed832a2c197463f0db3f4a325e879f200fc0180f30cdc17", - "type": "query", - "version": 2 - }, - "125417b8-d3df-479f-8418-12d7e034fee3": { - "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", - "type": "query", - "version": 100 - }, - "128468bf-cab1-4637-99ea-fdf3780a4609": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Suspicious Lsass Process Access", - "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", - "type": "eql", - "version": 107 - } - }, - "rule_name": "Suspicious Lsass Process Access", - "sha256": "442cf18ed651c8aba9811e20dc1914b269b109be72853907b8aebcc456350727", - "type": "eql", - "version": 207 - }, - "12a2f15d-597e-4334-88ff-38a02cb1330b": { - "rule_name": "Kubernetes Suspicious Self-Subject Review", - "sha256": "88110d27337692c0a9c75ea40f6f8f7a3d14cb6e22a5864992d0ca94879b45ec", - "type": "query", - "version": 203 - }, - "12cbf709-69e8-4055-94f9-24314385c27e": { - "rule_name": "Kubernetes Pod Created With HostNetwork", - "sha256": "6f467e2189a55fb44966834223c32fb6509c57dd21bcdff69b4f6e2ec920aeff", - "type": "query", - "version": 204 - }, - "12de29d4-bbb0-4eef-b687-857e8a163870": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": 
"cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "4bbc3bd2b9452e05e7e5829db2c77881e9bd34accc89ae0ee089e96ed991a0d0", - "type": "eql", - "version": 103 - } - }, - "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", - "sha256": "20059209c3052442c7ed5c5a377f07f5900366dd533db5b237c40a4f03968c49", - "type": "eql", - "version": 203 - }, - "12f07955-1674-44f7-86b5-c35da0a6f41a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "fe4ba438fce303e2daf224812c4bd214f595f651161a5e587cc2d2e50dda76ee", - "type": "eql", - "version": 213 - } - }, - "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "ffb0938ac97f8eba47d5dc88a25b9eeba50863b0e11ef4b6a54f6bca84795f2a", + } + }, + "rule_name": "Suspicious Cmd Execution via WMI", + "sha256": "2948ee0b531e8ccedd058b6ffb287bbd8285049d41818d9af4a814c1705e8765", + "type": "eql", + "version": 314 + }, + "1327384f-00f3-44d5-9a8c-2373ba071e92": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, + "rule_name": "Persistence via Scheduled Job Creation", + "sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29", "type": "eql", - "version": 313 - }, - "1327384f-00f3-44d5-9a8c-2373ba071e92": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471", - "type": "eql", - 
"version": 108 - }, - "8.13": { - "max_allowable_version": 410, - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "88943865100dbcb63138fc9fc3e1c81fcd227f586956038e529e688b71384ceb", - "type": "eql", - "version": 311 - } - }, + "version": 109 + }, + "8.13": { + "max_allowable_version": 410, "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "9ffa543a06d0f2ad3662845e6fa645986ce32abf6fdd1a341eb3cb92a2c2e4c2", + "sha256": "88943865100dbcb63138fc9fc3e1c81fcd227f586956038e529e688b71384ceb", "type": "eql", - "version": 411 - }, - "138c5dd5-838b-446e-b1ac-c995c7f8108a": { - "rule_name": "Rare User Logon", - "sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59", - "type": "machine_learning", - "version": 105 - }, - "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", - "sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7", - "type": "threshold", - "version": 7 - }, - "8.13": { - "max_allowable_version": 206, - "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", - "sha256": "ac05cb0b596f7532273a85d11c32fdb6302791693df41953a29630139fe66853", - "type": "threshold", - "version": 107 - } - }, + "version": 311 + } + }, + "rule_name": "Persistence via Scheduled Job Creation", + "sha256": "9ffa543a06d0f2ad3662845e6fa645986ce32abf6fdd1a341eb3cb92a2c2e4c2", + "type": "eql", + "version": 411 + }, + "138c5dd5-838b-446e-b1ac-c995c7f8108a": { + "rule_name": "Rare User Logon", + "sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59", + "type": "machine_learning", + "version": 105 + }, + "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "Potential Ransomware Behavior - High count of Readme files by 
System", - "sha256": "d0a42671292f00c27195e313455fdfaba1fec838c135fe4e95baf80fe9fe68bd", + "sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7", "type": "threshold", - "version": 207 - }, - "139c7458-566a-410c-a5cd-f80238d6a5cd": { - "rule_name": "SQL Traffic to the Internet", - "sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7", - "type": "query", - "version": 100 - }, - "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { - "rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score", - "sha256": "6f94ca87d3b3519fd810a9fdc1a9a04afdea58ca913b4b4dc9e9be63ed77cec0", - "type": "eql", - "version": 8 - }, - "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { - "rule_name": "Azure External Guest User Invitation", - "sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1", - "type": "query", - "version": 102 - }, - "143cb236-0956-4f42-a706-814bcaa0cf5a": { - "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "6f7487c7e356c40aec2caceb15dce0977070fac0869a8f73757b0d4986b15113", - "type": "query", - "version": 104 - }, - "14dab405-5dd9-450c-8106-72951af2391f": { - "min_stack_version": "8.13", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Office Test Registry Persistence", - "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2", - "type": "eql", - "version": 3 - } - }, + "version": 7 + }, + "8.13": { + "max_allowable_version": 206, + "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", + "sha256": "ac05cb0b596f7532273a85d11c32fdb6302791693df41953a29630139fe66853", + "type": "threshold", + "version": 107 + } + }, + "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", + "sha256": "d0a42671292f00c27195e313455fdfaba1fec838c135fe4e95baf80fe9fe68bd", + "type": "threshold", + "version": 207 + }, + "139c7458-566a-410c-a5cd-f80238d6a5cd": { + 
"rule_name": "SQL Traffic to the Internet", + "sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7", + "type": "query", + "version": 100 + }, + "13e908b9-7bf0-4235-abc9-b5deb500d0ad": { + "rule_name": "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score", + "sha256": "6f94ca87d3b3519fd810a9fdc1a9a04afdea58ca913b4b4dc9e9be63ed77cec0", + "type": "eql", + "version": 8 + }, + "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { + "rule_name": "Azure External Guest User Invitation", + "sha256": "c606c9477a2fa88e6a1b70468ffa95df50528629745068026ef6c9758caadaf1", + "type": "query", + "version": 102 + }, + "143cb236-0956-4f42-a706-814bcaa0cf5a": { + "rule_name": "RPC (Remote Procedure Call) from the Internet", + "sha256": "6f7487c7e356c40aec2caceb15dce0977070fac0869a8f73757b0d4986b15113", + "type": "query", + "version": 104 + }, + "14dab405-5dd9-450c-8106-72951af2391f": { + "min_stack_version": "8.13", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "Office Test Registry Persistence", - "sha256": "e0673b4aff07f3de4b7256ce50a44e6147759d3281b639adae677dff72feecbc", + "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2", "type": "eql", - "version": 103 - }, - "14de811c-d60f-11ec-9fd7-f661ea17fbce": { - "rule_name": "Kubernetes User Exec into Pod", - "sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9", - "type": "query", - "version": 203 - }, - "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "6349c839b9198d37d576fd976eaa2f85e6034f8ba89204b451ff0d11467cde5b", 
- "type": "eql", - "version": 211 - } - }, + "version": 3 + } + }, + "rule_name": "Office Test Registry Persistence", + "sha256": "e0673b4aff07f3de4b7256ce50a44e6147759d3281b639adae677dff72feecbc", + "type": "eql", + "version": 103 + }, + "14de811c-d60f-11ec-9fd7-f661ea17fbce": { + "rule_name": "Kubernetes User Exec into Pod", + "sha256": "2e20c515d2b1304091833efa5d5f19b38c4f1eaa4f2a5b3cdee64f89ed7bf4a9", + "type": "query", + "version": 203 + }, + "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "cd5c53102463d73641cecf06ff0109725f62f522ecbaba20de251787a79cb33f", + "sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937", "type": "eql", - "version": 311 - }, - "1502a836-84b2-11ef-b026-f661ea17fbcc": { - "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e", - "type": "new_terms", - "version": 1 - }, - "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { - "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", - "sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740", - "type": "query", - "version": 1 - }, - "1542fa53-955e-4330-8e4d-b2d812adeb5f": { - "rule_name": "Execution from a Removable Media with Network Connection", - "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4", + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Potential Persistence via Time Provider Modification", + "sha256": "6349c839b9198d37d576fd976eaa2f85e6034f8ba89204b451ff0d11467cde5b", "type": "eql", - "version": 3 - }, - "15a8ba77-1c13-4274-88fe-6bd14133861e": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": 
"5a835be130b2d7d504bdf643f6c5b59025ee40eea781463a3ad0526d0dcdea26", - "type": "eql", - "version": 112 - } - }, + "version": 211 + } + }, + "rule_name": "Potential Persistence via Time Provider Modification", + "sha256": "cd5c53102463d73641cecf06ff0109725f62f522ecbaba20de251787a79cb33f", + "type": "eql", + "version": 311 + }, + "1502a836-84b2-11ef-b026-f661ea17fbcc": { + "rule_name": "Successful Application SSO from Rare Unknown Client Device", + "sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b", + "type": "new_terms", + "version": 2 + }, + "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { + "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", + "sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740", + "type": "query", + "version": 1 + }, + "1542fa53-955e-4330-8e4d-b2d812adeb5f": { + "rule_name": "Execution from a Removable Media with Network Connection", + "sha256": "08e49b310aebe20ea4da9f40fb9ce90e74aecdd6f957b972419ec258f95a26b4", + "type": "eql", + "version": 3 + }, + "15a8ba77-1c13-4274-88fe-6bd14133861e": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "14ea5e0fd126666fbc1f42f74fc27465bd18827b6a4a7aa6eb91a8a20c82dea1", + "sha256": "5a835be130b2d7d504bdf643f6c5b59025ee40eea781463a3ad0526d0dcdea26", "type": "eql", - "version": 212 - }, - "15c0b7a7-9c34-4869-b25b-fa6518414899": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "82b0a8a50a3ffeea555a5a4f4e12a8c825c7289a6d7e27a59e68bffc4c6d1863", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "afb44f5ed406ccfb9c40513c5e774867e961f22a9ac007320d0a4c1c31fb8cc0", - "type": "eql", - "version": 213 - } - }, 
+ "version": 112 + } + }, + "rule_name": "Scheduled Task Execution at Scale via GPO", + "sha256": "14ea5e0fd126666fbc1f42f74fc27465bd18827b6a4a7aa6eb91a8a20c82dea1", + "type": "eql", + "version": 212 + }, + "15c0b7a7-9c34-4869-b25b-fa6518414899": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "2542d9b49d33a3a2cd984c4eceaba94d653941c813ce89378a852f95263ed281", - "type": "eql", - "version": 313 - }, - "15dacaa0-5b90-466b-acab-63435a59701a": { - "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0", + "sha256": "82b0a8a50a3ffeea555a5a4f4e12a8c825c7289a6d7e27a59e68bffc4c6d1863", "type": "eql", - "version": 107 - }, - "160896de-b66f-42cb-8fef-20f53a9006ea": { - "rule_name": "Potential Container Escape via Modified release_agent File", - "sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3", + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Remote File Download via Desktopimgdownldr Utility", + "sha256": "afb44f5ed406ccfb9c40513c5e774867e961f22a9ac007320d0a4c1c31fb8cc0", "type": "eql", - "version": 1 - }, - "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { - "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633", - "type": "query", - "version": 102 - }, - "166727ab-6768-4e26-b80c-948b228ffc06": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "File Creation Time Changed", - "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c", - "type": "eql", - "version": 5 - } - }, + "version": 213 + } + }, + "rule_name": "Remote File Download via Desktopimgdownldr Utility", + "sha256": "43674c0e7d244957e0cecaf069f23652cb12fe5bee0b6d2dfb54c4bf6bd9160f", + "type": "eql", 
+ "version": 314 + }, + "15dacaa0-5b90-466b-acab-63435a59701a": { + "rule_name": "Virtual Private Network Connection Attempt", + "sha256": "52e3e7aa2ff5aaa21a773c0bc30319fdc45efdaaba99697504cbe1d2d2fd12a0", + "type": "eql", + "version": 107 + }, + "160896de-b66f-42cb-8fef-20f53a9006ea": { + "rule_name": "Potential Container Escape via Modified release_agent File", + "sha256": "198ac6af38569c23460312f45acfeb0bb1489a5761ed5536c026e9b6f8154ac3", + "type": "eql", + "version": 1 + }, + "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { + "rule_name": "Azure Automation Runbook Created or Modified", + "sha256": "d63660127e37638852d3943a3f02745a9d7ecf28ffba3fd3d314558d66fa3633", + "type": "query", + "version": 102 + }, + "166727ab-6768-4e26-b80c-948b228ffc06": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, "rule_name": "File Creation Time Changed", - "sha256": "b50d36dbfeb9c4de02bafa12ca2bfce4a438b1ba628cf3c02d4f726079e3e1b8", - "type": "eql", - "version": 105 - }, - "16904215-2c95-4ac8-bf5c-12354e047192": { - "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d", - "type": "query", - "version": 106 - }, - "169f3a93-efc7-4df2-94d6-0d9438c310d1": { - "rule_name": "AWS IAM Group Creation", - "sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1", - "type": "query", - "version": 206 - }, - "16a52c14-7883-47af-8745-9357803f0d4c": { - "rule_name": "Component Object Model Hijacking", - "sha256": "b0696bdb5caeee166adb282c9d5183cbe4347a8d2fed7807235f3e34d613d7a4", + "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c", "type": "eql", - "version": 114 - }, - "16fac1a1-21ee-4ca6-b720-458e3855d046": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": 
"30c1e02f8b5df888465f9f773cce6911948dbf981fe5e6478cf53dad158c8671", - "type": "eql", - "version": 111 - } - }, + "version": 5 + } + }, + "rule_name": "File Creation Time Changed", + "sha256": "b50d36dbfeb9c4de02bafa12ca2bfce4a438b1ba628cf3c02d4f726079e3e1b8", + "type": "eql", + "version": 105 + }, + "16904215-2c95-4ac8-bf5c-12354e047192": { + "rule_name": "Potential Kerberos Attack via Bifrost", + "sha256": "a410bedff2a62e53036e60647e7db0a18a0cc64c1bb6e0f0e225395665a9be6d", + "type": "query", + "version": 106 + }, + "169f3a93-efc7-4df2-94d6-0d9438c310d1": { + "rule_name": "AWS IAM Group Creation", + "sha256": "4620f71e7445e4762398530b8020b93c31a36073051ab2f0820f982f55d43df1", + "type": "query", + "version": 206 + }, + "16a52c14-7883-47af-8745-9357803f0d4c": { + "rule_name": "Component Object Model Hijacking", + "sha256": "b0696bdb5caeee166adb282c9d5183cbe4347a8d2fed7807235f3e34d613d7a4", + "type": "eql", + "version": 114 + }, + "16fac1a1-21ee-4ca6-b720-458e3855d046": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "3a76496d25961498c7105d4962f1c5a68168264eadc61c4c51b20c602177f4d8", + "sha256": "30c1e02f8b5df888465f9f773cce6911948dbf981fe5e6478cf53dad158c8671", "type": "eql", - "version": 211 - }, - "1719ee47-89b8-4407-9d55-6dff2629dd4c": { - "rule_name": "Persistence via a Windows Installer", - "sha256": "20685cfaedd2fe2b3471f27dca9cdbd6794180b2a0fe8045a0e6eef35ebd9c56", - "type": "eql", - "version": 1 - }, - "17261da3-a6d0-463c-aac8-ea1718afcd20": { - "min_stack_version": "8.13", - "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", - "sha256": "5abf4615f62030d3a184e6fe17870ade81d48468036f5321f9f7944060e87488", - "type": "esql", - "version": 2 - }, - "1781d055-5c66-4adf-9c59-fc0fa58336a5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Unusual 
Windows Username", - "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600", - "type": "machine_learning", - "version": 107 - } - }, + "version": 111 + } + }, + "rule_name": "Startup/Logon Script added to Group Policy Object", + "sha256": "3a76496d25961498c7105d4962f1c5a68168264eadc61c4c51b20c602177f4d8", + "type": "eql", + "version": 211 + }, + "1719ee47-89b8-4407-9d55-6dff2629dd4c": { + "rule_name": "Persistence via a Windows Installer", + "sha256": "20685cfaedd2fe2b3471f27dca9cdbd6794180b2a0fe8045a0e6eef35ebd9c56", + "type": "eql", + "version": 1 + }, + "17261da3-a6d0-463c-aac8-ea1718afcd20": { + "min_stack_version": "8.13", + "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", + "sha256": "03de244ffc1915c80ee82688449c357f1f23252b911b441563cb5f95106f963e", + "type": "esql", + "version": 3 + }, + "1781d055-5c66-4adf-9c59-fc0fa58336a5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Unusual Windows Username", - "sha256": "2aa54fb200fbc2dc2a08134e4047e7d738718526afc740d255f2d4122be23a8a", + "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600", "type": "machine_learning", - "version": 207 - }, - "1781d055-5c66-4adf-9c71-fc0fa58338c7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Service", - "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55", - "type": "machine_learning", - "version": 106 - } - }, + "version": 107 + } + }, + "rule_name": "Unusual Windows Username", + "sha256": "2aa54fb200fbc2dc2a08134e4047e7d738718526afc740d255f2d4122be23a8a", + "type": "machine_learning", + "version": 207 + }, + "1781d055-5c66-4adf-9c71-fc0fa58338c7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, "rule_name": "Unusual Windows Service", - "sha256": 
"aeb4741bd8e4ad54e3207d4a0c8f74feb21e04a61c42cca74da415224a2af13c", + "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55", "type": "machine_learning", - "version": 206 - }, - "1781d055-5c66-4adf-9d60-fc0fa58337b6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Suspicious Powershell Script", - "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192", - "type": "machine_learning", - "version": 107 - } - }, + "version": 106 + } + }, + "rule_name": "Unusual Windows Service", + "sha256": "aeb4741bd8e4ad54e3207d4a0c8f74feb21e04a61c42cca74da415224a2af13c", + "type": "machine_learning", + "version": 206 + }, + "1781d055-5c66-4adf-9d60-fc0fa58337b6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Suspicious Powershell Script", - "sha256": "14d8f45b942a560b3b14732c25e7974f73d292f45a4e7918d19e53176371a601", + "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192", "type": "machine_learning", - "version": 207 - }, - "1781d055-5c66-4adf-9d82-fc0fa58449c8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251", - "type": "machine_learning", - "version": 106 - } - }, + "version": 107 + } + }, + "rule_name": "Suspicious Powershell Script", + "sha256": "14d8f45b942a560b3b14732c25e7974f73d292f45a4e7918d19e53176371a601", + "type": "machine_learning", + "version": 207 + }, + "1781d055-5c66-4adf-9d82-fc0fa58449c8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "e1c5e226e528ca5b94b5043313893ac737e6f289a6c7021011cbccbac374b8a0", + "sha256": 
"7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251", "type": "machine_learning", - "version": 206 - }, - "1781d055-5c66-4adf-9e93-fc0fa69550c9": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Remote User", - "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad", - "type": "machine_learning", - "version": 106 - } - }, + "version": 106 + } + }, + "rule_name": "Unusual Windows User Privilege Elevation Activity", + "sha256": "e1c5e226e528ca5b94b5043313893ac737e6f289a6c7021011cbccbac374b8a0", + "type": "machine_learning", + "version": 206 + }, + "1781d055-5c66-4adf-9e93-fc0fa69550c9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, "rule_name": "Unusual Windows Remote User", - "sha256": "1c6ce3b862feb23ee131c82cda24b91a71c155b8cfbc57d8deadf6782dc324eb", + "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad", "type": "machine_learning", - "version": 206 - }, - "17b0a495-4d9f-414c-8ad0-92f018b8e001": { - "rule_name": "Systemd Service Created", - "sha256": "b60b8f6f9625053ab6af246ddc30eb490e456bda7f66464b769de74b3309378a", - "type": "eql", - "version": 15 - }, - "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "a898efb0f299871b59ba7adba9ad0da35c45be4f24097e4675a62d23663a67e7", - "type": "eql", - "version": 110 - } - }, + "version": 106 + } + }, + "rule_name": "Unusual Windows Remote User", + "sha256": "1c6ce3b862feb23ee131c82cda24b91a71c155b8cfbc57d8deadf6782dc324eb", + "type": "machine_learning", + "version": 206 + }, + "17b0a495-4d9f-414c-8ad0-92f018b8e001": { + "rule_name": "Systemd Service Created", + "sha256": "b60b8f6f9625053ab6af246ddc30eb490e456bda7f66464b769de74b3309378a", + "type": "eql", + "version": 15 + }, + 
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Renamed Utility Executed with Short Program Name", - "sha256": "ace9eeca0b1a6ebcd4b65d9e2ae4bd2f36b8947c516f5d108e7f2e714efc8ddf", + "sha256": "a898efb0f299871b59ba7adba9ad0da35c45be4f24097e4675a62d23663a67e7", "type": "eql", - "version": 210 - }, - "17e68559-b274-4948-ad0b-f8415bb31126": { - "rule_name": "Unusual Network Destination Domain Name", - "sha256": "0bcbe426712010462b5b8c7b7e268f1c7edb9b662ab4b0db3cdb41c9ded8b7fa", - "type": "machine_learning", - "version": 104 - }, - "181f6b23-3799-445e-9589-0018328a9e46": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "8dcccb5d5071b3afa1eb7c8745394d66ab6fb8c1e33298891aea992e882930a5", - "type": "eql", - "version": 1 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "2c618a1e42c7a15f0b94f84bedbef7c477dfa17b3cac3d42205bf6cde5202f00", - "type": "eql", - "version": 101 - } - }, + "version": 110 + } + }, + "rule_name": "Renamed Utility Executed with Short Program Name", + "sha256": "ace9eeca0b1a6ebcd4b65d9e2ae4bd2f36b8947c516f5d108e7f2e714efc8ddf", + "type": "eql", + "version": 210 + }, + "17e68559-b274-4948-ad0b-f8415bb31126": { + "rule_name": "Unusual Network Destination Domain Name", + "sha256": "0bcbe426712010462b5b8c7b7e268f1c7edb9b662ab4b0db3cdb41c9ded8b7fa", + "type": "machine_learning", + "version": 104 + }, + "181f6b23-3799-445e-9589-0018328a9e46": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, "rule_name": "Script Execution via Microsoft HTML Application", - "sha256": "684159701e9e3176c8ca83b06107285ec6e1aab78f1d1794866e3aa38cfaa963", - "type": "eql", - "version": 201 - }, - "184dfe52-2999-42d9-b9d1-d1ca54495a61": { - 
"rule_name": "GCP Logging Sink Modification", - "sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2", - "type": "query", - "version": 104 - }, - "1859ce38-6a50-422b-a5e8-636e231ea0cd": { - "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", - "sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e", + "sha256": "8dcccb5d5071b3afa1eb7c8745394d66ab6fb8c1e33298891aea992e882930a5", "type": "eql", - "version": 100 - }, - "185c782e-f86a-11ee-9d9f-f661ea17fbce": { - "rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", - "sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e", - "type": "threshold", "version": 1 - }, - "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { - "rule_name": "Spike in Number of Connections Made to a Destination IP", - "sha256": "c06e03682393f75d7f4e7c47efac0a2a3bdc53865089656f9628b0e2129f33de", - "type": "machine_learning", - "version": 4 - }, - "192657ba-ab0e-4901-89a2-911d611eee98": { - "rule_name": "Potential Persistence via File Modification", - "sha256": "abc2a9316141b799f35032d6ce4594520d1990765d3886ffe188c594fafd59a0", - "type": "eql", - "version": 4 - }, - "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { - "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", - "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f", + }, + "8.13": { + "max_allowable_version": 200, + "rule_name": "Script Execution via Microsoft HTML Application", + "sha256": "2c618a1e42c7a15f0b94f84bedbef7c477dfa17b3cac3d42205bf6cde5202f00", "type": "eql", - "version": 4 - }, - "19be0164-63d2-11ef-8e38-f661ea17fbce": { - "rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests", - "sha256": "80afc7e88ead296e54b8f63975fb596c9442153984a4652479ae2d868e1e14e7", - "type": "esql", - "version": 2 - }, - "19de8096-e2b0-4bd8-80c9-34a820813fff": { - "rule_name": "Rare AWS Error Code", - "sha256": 
"e0fed1b61b6fc4ceab47ffa167cd84bceba6c2c6bb33dc781102e3d5da543e9c", - "type": "machine_learning", - "version": 209 - }, - "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { - "rule_name": "Spike in Number of Processes in an RDP Session", - "sha256": "c02ce126b5e2476c4b0957b0c3ef37a9b2dba70091c0f7164a46bc10a7ebdcd4", - "type": "machine_learning", - "version": 4 - }, - "1a289854-5b78-49fe-9440-8a8096b1ab50": { - "rule_name": "Suspicious Network Tool Launched Inside A Container", - "sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc", + "version": 101 + } + }, + "rule_name": "Script Execution via Microsoft HTML Application", + "sha256": "684159701e9e3176c8ca83b06107285ec6e1aab78f1d1794866e3aa38cfaa963", + "type": "eql", + "version": 201 + }, + "184dfe52-2999-42d9-b9d1-d1ca54495a61": { + "rule_name": "GCP Logging Sink Modification", + "sha256": "f831f5412e30676ce24c068dcaf3521ab6be818cb202bca3625fb0f61ea6c3b2", + "type": "query", + "version": 104 + }, + "1859ce38-6a50-422b-a5e8-636e231ea0cd": { + "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", + "sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e", + "type": "eql", + "version": 100 + }, + "185c782e-f86a-11ee-9d9f-f661ea17fbce": { + "rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", + "sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e", + "type": "threshold", + "version": 1 + }, + "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { + "rule_name": "Spike in Number of Connections Made to a Destination IP", + "sha256": "c06e03682393f75d7f4e7c47efac0a2a3bdc53865089656f9628b0e2129f33de", + "type": "machine_learning", + "version": 4 + }, + "192657ba-ab0e-4901-89a2-911d611eee98": { + "rule_name": "Potential Persistence via File Modification", + "sha256": "abc2a9316141b799f35032d6ce4594520d1990765d3886ffe188c594fafd59a0", + "type": "eql", + "version": 4 + }, + "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { + "rule_name": "Potential 
Privilege Escalation via Recently Compiled Executable", + "sha256": "1fd050c07f8fd38281dde31dc1bba3256181b411f576fcaa07b6ff077393de1f", + "type": "eql", + "version": 4 + }, + "19be0164-63d2-11ef-8e38-f661ea17fbce": { + "rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests", + "sha256": "80afc7e88ead296e54b8f63975fb596c9442153984a4652479ae2d868e1e14e7", + "type": "esql", + "version": 2 + }, + "19de8096-e2b0-4bd8-80c9-34a820813fff": { + "rule_name": "Rare AWS Error Code", + "sha256": "e0fed1b61b6fc4ceab47ffa167cd84bceba6c2c6bb33dc781102e3d5da543e9c", + "type": "machine_learning", + "version": 209 + }, + "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { + "rule_name": "Spike in Number of Processes in an RDP Session", + "sha256": "c02ce126b5e2476c4b0957b0c3ef37a9b2dba70091c0f7164a46bc10a7ebdcd4", + "type": "machine_learning", + "version": 4 + }, + "1a289854-5b78-49fe-9440-8a8096b1ab50": { + "rule_name": "Suspicious Network Tool Launched Inside A Container", + "sha256": "e456a59a32e02e71884dee04e925140b321a34650d49651cf7216610213066fc", + "type": "eql", + "version": 2 + }, + "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { + "rule_name": "Azure Application Credential Modification", + "sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a", + "type": "query", + "version": 102 + }, + "1a6075b0-7479-450e-8fe7-b8b8438ac570": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "Execution of COM object via Xwizard", + "sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be", "type": "eql", - "version": 2 - }, - "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { - "rule_name": "Azure Application Credential Modification", - "sha256": "e08f14b9002ce52664d169dc98fd7a2d3fd3dd0e24933ce44ec2f0cc93f14b7a", - "type": "query", - "version": 102 - }, - "1a6075b0-7479-450e-8fe7-b8b8438ac570": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": 
"Execution of COM object via Xwizard", - "sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Execution of COM object via Xwizard", - "sha256": "378075d3770551eeae56e8ea53ab1cd46b454659bb893501cf1d289db20b6fb4", - "type": "eql", - "version": 211 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, "rule_name": "Execution of COM object via Xwizard", - "sha256": "cd42a38d9a6e35812d8c106382547d304b5b560c92518647d4dc73dfd75cc02f", + "sha256": "378075d3770551eeae56e8ea53ab1cd46b454659bb893501cf1d289db20b6fb4", "type": "eql", - "version": 311 - }, - "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { - "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b", - "type": "query", - "version": 209 - }, - "1aa9181a-492b-4c01-8b16-fa0735786b2b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "User Account Creation", - "sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "User Account Creation", - "sha256": "0f3e13b35064dbdad29e0f2b80895fc844346955c595402ce66bd632d1e1e524", - "type": "eql", - "version": 210 - } - }, + "version": 211 + } + }, + "rule_name": "Execution of COM object via Xwizard", + "sha256": "45e3cf83135b3ec25c35cb029422968d7a5094dea02895e0490145fa04586340", + "type": "eql", + "version": 312 + }, + "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { + "rule_name": "AWS CloudTrail Log Suspended", + "sha256": "79a7a700b91ee492ba34e1584212dbac2ee5766b96b03f09c67c80be60c7726b", + "type": "query", + "version": 209 + }, + "1aa9181a-492b-4c01-8b16-fa0735786b2b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "User Account Creation", - 
"sha256": "01ae0a88fbfecdcec6712e6a4ef9a69613fb3e2b2b0bfb81428dfff2860a0f2e", - "type": "eql", - "version": 310 - }, - "1b0b4818-5655-409b-9c73-341cac4bb73f": { - "rule_name": "Process Created with a Duplicated Token", - "sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802", - "type": "eql", - "version": 3 - }, - "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { - "rule_name": "Connection to Internal Network via Telnet", - "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e", + "sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7", "type": "eql", - "version": 107 - }, - "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { - "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d", - "type": "query", - "version": 206 - }, - "1c27fa22-7727-4dd3-81c0-de6da5555feb": { - "rule_name": "Potential Internal Linux SSH Brute Force Detected", - "sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516", - "type": "eql", - "version": 11 - }, - "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { - "rule_name": "Potential Process Injection from Malicious Document", - "sha256": "cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1", - "type": "eql", - "version": 2 - }, - "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { - "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", - "type": "query", - "version": 212 - }, - "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { - "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "ae500dfb91fef53e60123090127f7daaf307a63a988ad01fc07d30ed8c8fc368", - "type": "eql", - "version": 116 - }, - "1c966416-60c1-436b-bfd0-e002fddbfd89": { - "rule_name": "Azure Kubernetes Rolebindings Created", - "sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce", - "type": 
"query", - "version": 102 - }, - "1ca62f14-4787-4913-b7af-df11745a49da": { - "rule_name": "New GitHub App Installed", - "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "User Account Creation", + "sha256": "0f3e13b35064dbdad29e0f2b80895fc844346955c595402ce66bd632d1e1e524", "type": "eql", - "version": 1 - }, - "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a", - "type": "eql", - "version": 108 - } - }, + "version": 210 + } + }, + "rule_name": "User Account Creation", + "sha256": "9af12b0253eeb5e99e162b69240851ba05f9a54cc8abecb25c973288e57cf7e5", + "type": "eql", + "version": 311 + }, + "1b0b4818-5655-409b-9c73-341cac4bb73f": { + "rule_name": "Process Created with a Duplicated Token", + "sha256": "8a3f85e624e03fc489be5ae5c3c3392fc053e5e5eed530158a04ccdf5754e802", + "type": "eql", + "version": 3 + }, + "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { + "rule_name": "Connection to Internal Network via Telnet", + "sha256": "803c07bf24bc75956c52cc55234f63d9d5a1f1212b218d05190d23eb47d81f2e", + "type": "eql", + "version": 107 + }, + "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { + "rule_name": "AWS ElastiCache Security Group Modified or Deleted", + "sha256": "4ec77baf3f125b101b58f9cdec2c125de10cdb0a80f5c9112906dc0be6b3480d", + "type": "query", + "version": 206 + }, + "1c27fa22-7727-4dd3-81c0-de6da5555feb": { + "rule_name": "Potential Internal Linux SSH Brute Force Detected", + "sha256": "346faa48fc37e53ed0faaaa6a2bee5597d92a0306565cfad61329c29b22f7516", + "type": "eql", + "version": 11 + }, + "1c5a04ae-d034-41bf-b0d8-96439b5cc774": { + "rule_name": "Potential Process Injection from Malicious Document", + "sha256": 
"cf0f3605f0acb1cc600d240d90683e7996a55174af3ca9f770db65371eb95bc1", + "type": "eql", + "version": 2 + }, + "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { + "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", + "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", + "type": "query", + "version": 212 + }, + "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { + "rule_name": "Suspicious File Creation in /etc for Persistence", + "sha256": "ae500dfb91fef53e60123090127f7daaf307a63a988ad01fc07d30ed8c8fc368", + "type": "eql", + "version": 116 + }, + "1c966416-60c1-436b-bfd0-e002fddbfd89": { + "rule_name": "Azure Kubernetes Rolebindings Created", + "sha256": "d86625ab5e731436d6846810c232431aafe71ea4ce7684c0f5ad7b03709bb6ce", + "type": "query", + "version": 102 + }, + "1ca62f14-4787-4913-b7af-df11745a49da": { + "rule_name": "New GitHub App Installed", + "sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec", + "type": "eql", + "version": 2 + }, + "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "413e3eff92ab72f06e4cef563d06cb6fee44cc7c59fd54e342da4d6097e914b6", + "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a", "type": "eql", - "version": 208 - }, - "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { - "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e", - "type": "query", - "version": 3 - }, - "1d276579-3380-4095-ad38-e596a01bc64f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Remote File Download via Script Interpreter", - "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", - "type": "eql", - "version": 110 - } - }, + "version": 108 + } + }, + "rule_name": "Incoming Execution 
via WinRM Remote Shell", + "sha256": "413e3eff92ab72f06e4cef563d06cb6fee44cc7c59fd54e342da4d6097e914b6", + "type": "eql", + "version": 208 + }, + "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { + "rule_name": "Okta Sign-In Events via Third-Party IdP", + "sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3", + "type": "query", + "version": 4 + }, + "1d276579-3380-4095-ad38-e596a01bc64f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Remote File Download via Script Interpreter", - "sha256": "6f27265db635c4e5a27af29fa64198dfa96b707802e5ccc7cba6609498d3543e", - "type": "eql", - "version": 210 - }, - "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { - "rule_name": "AWS IAM Roles Anywhere Profile Creation", - "sha256": "becc05324f5f605086badfd23a1e969801e19931eb7ae06312657e19eac4175d", - "type": "query", - "version": 2 - }, - "1d72d014-e2ab-4707-b056-9b96abe7b511": { - "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433", + "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", "type": "eql", - "version": 108 - }, - "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", - "sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344", - "type": "query", - "version": 9 - } - }, + "version": 110 + } + }, + "rule_name": "Remote File Download via Script Interpreter", + "sha256": "6f27265db635c4e5a27af29fa64198dfa96b707802e5ccc7cba6609498d3543e", + "type": "eql", + "version": 210 + }, + "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { + "rule_name": "AWS IAM Roles Anywhere Profile Creation", + "sha256": "becc05324f5f605086badfd23a1e969801e19931eb7ae06312657e19eac4175d", + "type": "query", + "version": 2 + }, + 
"1d72d014-e2ab-4707-b056-9b96abe7b511": { + "rule_name": "External IP Lookup from Non-Browser Process", + "sha256": "912ddc841c0eace4d5cc31a814d86a6177d5f51e6038d37bde4b9ed37ee62433", + "type": "eql", + "version": 108 + }, + "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", - "sha256": "0787e6065fa1eb22d7f0b4ae1c97a7da2bd3d32393f320be448e93e2df69dddc", + "sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344", "type": "query", - "version": 109 - }, - "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "7dd8220ed8a7e8190861088dcf735ec663fdc118c9226fe5a0cbd711ba56e81f", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "ab6031b77ee7e33386e09b6709ad7d1ab82280dbfda90557b8d4b617f07ee4a2", - "type": "eql", - "version": 210 - } - }, + "version": 9 + } + }, + "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", + "sha256": "0787e6065fa1eb22d7f0b4ae1c97a7da2bd3d32393f320be448e93e2df69dddc", + "type": "query", + "version": 109 + }, + "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "f531aa3819b2ecf3069db2edc19fa8def3cc00f245f452b9a8d0b7c174532a8a", + "sha256": "7dd8220ed8a7e8190861088dcf735ec663fdc118c9226fe5a0cbd711ba56e81f", "type": "eql", - "version": 310 - }, - "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { - "rule_name": "Suspicious Inter-Process Communication via Outlook", - "sha256": "181668624cb2b4bcc36606deec8dd31b109407ea7b1591438578d01cdce15dce", + 
"version": 110 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", + "sha256": "ab6031b77ee7e33386e09b6709ad7d1ab82280dbfda90557b8d4b617f07ee4a2", "type": "eql", - "version": 7 - }, - "1defdd62-cd8d-426e-a246-81a37751bb2b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", - "type": "eql", - "version": 108 - } - }, + "version": 210 + } + }, + "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", + "sha256": "efc56fdcfe6bda16119359923755ab32f6703b8de3c44f536d1335dabbd59c93", + "type": "eql", + "version": 311 + }, + "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1": { + "rule_name": "Suspicious Inter-Process Communication via Outlook", + "sha256": "181668624cb2b4bcc36606deec8dd31b109407ea7b1591438578d01cdce15dce", + "type": "eql", + "version": 7 + }, + "1defdd62-cd8d-426e-a246-81a37751bb2b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "86f5fcf575f0f6c1addf031e30cf8e4bf984916f511300021ddd5d036bf4792d", - "type": "eql", - "version": 208 - }, - "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { - "rule_name": "Potential Linux Hack Tool Launched", - "sha256": "c45877265f7039d3e1d666f7844b61798b2b176867b0b221c503ffb8e52ce0ae", + "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", "type": "eql", - "version": 4 - }, - "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", - "type": "query", - "version": 6 - }, - "8.12": { - "max_allowable_version": 208, - 
"rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1", - "type": "query", - "version": 109 - } - }, + "version": 108 + } + }, + "rule_name": "Execution of File Written or Modified by PDF Reader", + "sha256": "86f5fcf575f0f6c1addf031e30cf8e4bf984916f511300021ddd5d036bf4792d", + "type": "eql", + "version": 208 + }, + "1df1152b-610a-4f48-9d7a-504f6ee5d9da": { + "rule_name": "Potential Linux Hack Tool Launched", + "sha256": "c45877265f7039d3e1d666f7844b61798b2b176867b0b221c503ffb8e52ce0ae", + "type": "eql", + "version": 4 + }, + "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "54e718a88b4a68d227e6b66b126f993aa778b036deb6f8be5b61951c298f111f", + "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", "type": "query", - "version": 209 - }, - "1e0b832e-957e-43ae-b319-db82d228c908": { - "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e", + "version": 6 + }, + "8.12": { + "max_allowable_version": 208, + "rule_name": "PowerShell Script with Discovery Capabilities", + "sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1", "type": "query", - "version": 102 - }, - "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Creation of a DNS-Named Record", - "sha256": "1b392cf50fd5083faedc5e84700d71550e9da1adcd4b2de26a285e88c8bf84e3", - "type": "eql", - "version": 3 - } - }, + "version": 109 + } + }, + "rule_name": "PowerShell Script with Discovery Capabilities", + "sha256": "54e718a88b4a68d227e6b66b126f993aa778b036deb6f8be5b61951c298f111f", + "type": "query", + "version": 209 + }, + "1e0b832e-957e-43ae-b319-db82d228c908": { 
+ "rule_name": "Azure Storage Account Key Regenerated", + "sha256": "49bb6b71d6e597de0157a424d93fdb4690ae7ad2586b8d725a627878c02edc1e", + "type": "query", + "version": 102 + }, + "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "Creation of a DNS-Named Record", - "sha256": "5accab0498d68d3aea14b3f15cb0cfde813706bc712ed95d37e68281a4e3750c", + "sha256": "1b392cf50fd5083faedc5e84700d71550e9da1adcd4b2de26a285e88c8bf84e3", "type": "eql", - "version": 103 - }, - "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "Creation of SettingContent-ms Files", - "sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39", - "type": "eql", - "version": 6 - } - }, + "version": 3 + } + }, + "rule_name": "Creation of a DNS-Named Record", + "sha256": "5accab0498d68d3aea14b3f15cb0cfde813706bc712ed95d37e68281a4e3750c", + "type": "eql", + "version": 103 + }, + "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "Creation of SettingContent-ms Files", - "sha256": "ff8663b5c757bb323d6d9af69fd2819865654af9bb2de2359009d0cb368ec2a6", + "sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39", "type": "eql", - "version": 106 - }, - "1e9b271c-8caa-4e20-aed8-e91e34de9283": { - "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", - "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", - "type": "new_terms", - "version": 1 - }, - "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { - "rule_name": "Unusual Sudo Activity", - "sha256": "1b4afd134fbb5d5c1cb57e6672f3fbcc22b63ae075701aa614af5619f80cff4e", - "type": "machine_learning", - "version": 104 - }, - "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { - "min_stack_version": 
"8.14", - "previous": { - "8.11": { - "max_allowable_version": 109, - "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", - "type": "query", - "version": 10 - } - }, + "version": 6 + } + }, + "rule_name": "Creation of SettingContent-ms Files", + "sha256": "ff8663b5c757bb323d6d9af69fd2819865654af9bb2de2359009d0cb368ec2a6", + "type": "eql", + "version": 106 + }, + "1e9b271c-8caa-4e20-aed8-e91e34de9283": { + "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", + "sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b", + "type": "new_terms", + "version": 2 + }, + "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { + "rule_name": "Unusual Sudo Activity", + "sha256": "1b4afd134fbb5d5c1cb57e6672f3fbcc22b63ae075701aa614af5619f80cff4e", + "type": "machine_learning", + "version": 104 + }, + "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 109, "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", - "sha256": "eeebabf5497517642690f0b238295c5f9f09396305832e4b067a3d788067bee9", + "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", "type": "query", - "version": 110 - }, - "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { - "min_stack_version": "8.13", - "rule_name": "AWS Signin Single Factor Console Login with Federated User", - "sha256": "5615d41bfc71884b3d207932c4421f434757b249aa207250e50b97b10d25315f", - "type": "esql", - "version": 2 - }, - "1f460f12-a3cf-4105-9ebb-f788cc63f365": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "Unusual Process Execution on WBEM Path", - "sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8", - "type": "eql", - "version": 4 - } - }, + "version": 10 + } + }, + "rule_name": "Potential 
Antimalware Scan Interface Bypass via PowerShell", + "sha256": "eeebabf5497517642690f0b238295c5f9f09396305832e4b067a3d788067bee9", + "type": "query", + "version": 110 + }, + "1f45720e-5ea8-11ef-90d2-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "AWS Signin Single Factor Console Login with Federated User", + "sha256": "5615d41bfc71884b3d207932c4421f434757b249aa207250e50b97b10d25315f", + "type": "esql", + "version": 2 + }, + "1f460f12-a3cf-4105-9ebb-f788cc63f365": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, "rule_name": "Unusual Process Execution on WBEM Path", - "sha256": "13b48a7591f9b468f310bbdcd36b045d671d36396a0d86129881eb16289c32fa", + "sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8", "type": "eql", - "version": 104 - }, - "1faec04b-d902-4f89-8aff-92cd9043c16f": { - "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "1020c70dcaf191d3b48430a916809caba50985d924ebc5a379d1de8c0dc3fca9", - "type": "machine_learning", - "version": 104 - }, - "1fe3b299-fbb5-4657-a937-1d746f2c711a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "065d31dda5018a121026016d00d6c7245d1656c3ef25f36665984764f64a2e74", - "type": "eql", - "version": 113 - } - }, + "version": 4 + } + }, + "rule_name": "Unusual Process Execution on WBEM Path", + "sha256": "13b48a7591f9b468f310bbdcd36b045d671d36396a0d86129881eb16289c32fa", + "type": "eql", + "version": 104 + }, + "1faec04b-d902-4f89-8aff-92cd9043c16f": { + "rule_name": "Unusual Linux User Calling the Metadata Service", + "sha256": "1020c70dcaf191d3b48430a916809caba50985d924ebc5a379d1de8c0dc3fca9", + "type": "machine_learning", + "version": 104 + }, + "1fe3b299-fbb5-4657-a937-1d746f2c711a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Unusual 
Network Activity from a Windows System Binary", - "sha256": "edb91b7c64bd8e744fac58ccc66f711fb22f4daf41dde169c4e8be954d4d2b81", + "sha256": "065d31dda5018a121026016d00d6c7245d1656c3ef25f36665984764f64a2e74", "type": "eql", - "version": 213 - }, - "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { - "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2", - "type": "query", - "version": 103 - }, - "201200f1-a99b-43fb-88ed-f65a45c4972c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Suspicious .NET Code Compilation", - "sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Suspicious .NET Code Compilation", - "sha256": "c69929f38a28448280307676118534bb0928728d16c0269577d27e957d21011e", - "type": "eql", - "version": 211 - } - }, + "version": 113 + } + }, + "rule_name": "Unusual Network Activity from a Windows System Binary", + "sha256": "edb91b7c64bd8e744fac58ccc66f711fb22f4daf41dde169c4e8be954d4d2b81", + "type": "eql", + "version": 213 + }, + "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { + "rule_name": "Exploit - Detected - Elastic Endgame", + "sha256": "fc5bc7344b50468b39f14fc82c958267c265618e2278cadaecafa7a7f1dab9a2", + "type": "query", + "version": 103 + }, + "201200f1-a99b-43fb-88ed-f65a45c4972c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Suspicious .NET Code Compilation", - "sha256": "63b4d6cf8d045fdc59f45b055ddd0a9cfb4bd72a3370dcbfc9267b4d2bdd7d0a", + "sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0", "type": "eql", - "version": 311 - }, - "202829f6-0271-4e88-b882-11a655c590d4": { - "rule_name": "Executable Masquerading as Kernel Process", - "sha256": "6ad1b642bad962d9940a85ca08a1032187176ae60ef68d10052b7a025ecdea46", + 
"version": 112 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Suspicious .NET Code Compilation", + "sha256": "c69929f38a28448280307676118534bb0928728d16c0269577d27e957d21011e", "type": "eql", - "version": 3 - }, - "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Creation or Modification of Root Certificate", - "sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Creation or Modification of Root Certificate", - "sha256": "1e793bac94cf744476de8ec10572545b6000ddfafffe37170ddb870c9b5c8d94", - "type": "eql", - "version": 211 - } - }, + "version": 211 + } + }, + "rule_name": "Suspicious .NET Code Compilation", + "sha256": "1a866e733aa7ce66be8425aa24bf02efd91c98b7dce86a22fab32584ef096ac1", + "type": "eql", + "version": 312 + }, + "202829f6-0271-4e88-b882-11a655c590d4": { + "rule_name": "Executable Masquerading as Kernel Process", + "sha256": "6ad1b642bad962d9940a85ca08a1032187176ae60ef68d10052b7a025ecdea46", + "type": "eql", + "version": 3 + }, + "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Creation or Modification of Root Certificate", - "sha256": "4271caa450f1e1e8420eee5f49d3481396358bdee6fa3480756e5ce91adde73a", + "sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332", "type": "eql", - "version": 311 - }, - "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { - "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297", - "type": "query", - "version": 206 - }, - "20457e4f-d1de-4b92-ae69-142e27a4342a": { - "rule_name": "Suspicious Web Browser Sensitive File Access", - "sha256": 
"f285de9c9bf8851c505323409cd2daf9c3f4f430c5bae5b68541220f7acf0fbd", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Creation or Modification of Root Certificate", + "sha256": "1e793bac94cf744476de8ec10572545b6000ddfafffe37170ddb870c9b5c8d94", "type": "eql", - "version": 209 - }, - "205b52c4-9c28-4af4-8979-935f3278d61a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "606f8fb96e10d28c3f078e71f4be2fa3c1806eac4331c217010c3e5404457407", - "type": "eql", - "version": 102 - } - }, + "version": 211 + } + }, + "rule_name": "Creation or Modification of Root Certificate", + "sha256": "4271caa450f1e1e8420eee5f49d3481396358bdee6fa3480756e5ce91adde73a", + "type": "eql", + "version": 311 + }, + "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { + "rule_name": "AWS Route 53 Domain Transferred to Another Account", + "sha256": "140169be7f1e330d6e6068d329d4de47c02db8df773930e4ae57f7e5f36c9297", + "type": "query", + "version": 206 + }, + "20457e4f-d1de-4b92-ae69-142e27a4342a": { + "rule_name": "Suspicious Web Browser Sensitive File Access", + "sha256": "f285de9c9bf8851c505323409cd2daf9c3f4f430c5bae5b68541220f7acf0fbd", + "type": "eql", + "version": 209 + }, + "205b52c4-9c28-4af4-8979-935f3278d61a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, "rule_name": "Werfault ReflectDebugger Persistence", - "sha256": "dedd11f2f7e4c43edba25c00b1deddb8fcd93f7c17a384a0ff0e086781d74caa", - "type": "eql", - "version": 202 - }, - "208dbe77-01ed-4954-8d44-1e5751cb20de": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "LSASS Memory Dump Handle 
Access", - "sha256": "13217b6a2a8a60bd16c88f972c5a154d41523241776c401344cd37421eaf13ef", - "type": "eql", - "version": 111 - } - }, - "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "8f0e6c0741fc802300e26ea71da63f8ece28e9b054d35e452de4e7d78bc634a5", + "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", "type": "eql", - "version": 211 - }, - "20dc4620-3b68-4269-8124-ca5091e00ea8": { - "rule_name": "Auditd Max Login Sessions", - "sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37", - "type": "query", - "version": 100 - }, - "210d4430-b371-470e-b879-80b7182aa75e": { - "rule_name": "Mofcomp Activity", - "sha256": "24767f239b58cf2f9a38e146bdaa0a55fecd129ffe91463505059fbd12c61ccd", + "version": 2 + }, + "8.13": { + "max_allowable_version": 201, + "rule_name": "Werfault ReflectDebugger Persistence", + "sha256": "606f8fb96e10d28c3f078e71f4be2fa3c1806eac4331c217010c3e5404457407", "type": "eql", - "version": 3 - }, - "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { - "rule_name": "Potential Reverse Shell via Child", - "sha256": "52be9ea43b199f813b9c25ab2637afd7569a16c06703b7dc7f5151925b0b2853", + "version": 102 + } + }, + "rule_name": "Werfault ReflectDebugger Persistence", + "sha256": "dedd11f2f7e4c43edba25c00b1deddb8fcd93f7c17a384a0ff0e086781d74caa", + "type": "eql", + "version": 202 + }, + "208dbe77-01ed-4954-8d44-1e5751cb20de": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "LSASS Memory Dump Handle Access", + "sha256": "13217b6a2a8a60bd16c88f972c5a154d41523241776c401344cd37421eaf13ef", "type": "eql", - "version": 3 - }, - "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { - "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", - "sha256": "5123093932b6f544cf28a9f7f30a22658848fa12289e7f1c21584d21a79e2354", - "type": "new_terms", - "version": 5 - }, - "220be143-5c67-4fdb-b6ce-dd6826d024fd": { - "min_stack_version": "8.14", - 
"previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "1cc91703e211a89bc8b1f0519649e4e3958193ad7f77cdd75d2aed5b9c6e1a1b", - "type": "eql", - "version": 8 - } - }, + "version": 111 + } + }, + "rule_name": "LSASS Memory Dump Handle Access", + "sha256": "8f0e6c0741fc802300e26ea71da63f8ece28e9b054d35e452de4e7d78bc634a5", + "type": "eql", + "version": 211 + }, + "20dc4620-3b68-4269-8124-ca5091e00ea8": { + "rule_name": "Auditd Max Login Sessions", + "sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37", + "type": "query", + "version": 100 + }, + "210d4430-b371-470e-b879-80b7182aa75e": { + "rule_name": "Mofcomp Activity", + "sha256": "c154de44212ce97be6bf2064228454a7baeb68ef036313f325ecbef08dfb1184", + "type": "eql", + "version": 4 + }, + "2138bb70-5a5e-42fd-be5e-b38edf6a6777": { + "rule_name": "Potential Reverse Shell via Child", + "sha256": "52be9ea43b199f813b9c25ab2637afd7569a16c06703b7dc7f5151925b0b2853", + "type": "eql", + "version": 3 + }, + "21bafdf0-cf17-11ed-bd57-f661ea17fbcc": { + "rule_name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", + "sha256": "5123093932b6f544cf28a9f7f30a22658848fa12289e7f1c21584d21a79e2354", + "type": "new_terms", + "version": 5 + }, + "220be143-5c67-4fdb-b6ce-dd6826d024fd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, "rule_name": "Full User-Mode Dumps Enabled System-Wide", - "sha256": "30c368664c1bd007c6f25e8f4815c47ba84d8626a03680a17f4d9e672cd6b61d", - "type": "eql", - "version": 108 - }, - "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { - "rule_name": "SSH Authorized Keys File Modification", - "sha256": "5950490a263aef327d0d6b9b4f9c83dd9eeb655207043afab349082a0d04e0e9", - "type": "new_terms", - "version": 206 - }, - "22599847-5d13-48cb-8872-5796fee8692b": { - "rule_name": "SUNBURST Command and Control Activity", - "sha256": 
"28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7", - "type": "eql", - "version": 108 - }, - "227dc608-e558-43d9-b521-150772250bae": { - "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629", - "type": "query", - "version": 207 - }, - "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { - "rule_name": "Potential Shell via Web Server", - "sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1", - "type": "query", - "version": 105 - }, - "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { - "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604", - "type": "query", - "version": 104 - }, - "2339f03c-f53f-40fa-834b-40c5983fc41f": { - "rule_name": "Kernel Module Load via insmod", - "sha256": "f93a7445bd58a5432583f328a212f267f6b995da0635115c18ac935a208acd5d", - "type": "eql", - "version": 110 - }, - "2377946d-0f01-4957-8812-6878985f515d": { - "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", - "sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4", + "sha256": "1cc91703e211a89bc8b1f0519649e4e3958193ad7f77cdd75d2aed5b9c6e1a1b", "type": "eql", - "version": 2 - }, - "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { - "rule_name": "Unknown Execution of Binary with RWX Memory Region", - "sha256": "3f418fe503710182cb6ee9cfde5fad9281638f086f4441f882e8c13dbfdaccaa", - "type": "new_terms", - "version": 3 - }, - "23f18264-2d6d-11ef-9413-f661ea17fbce": { - "min_stack_version": "8.13", - "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", - "type": "esql", - "version": 3 - }, - "24401eca-ad0b-4ff9-9431-487a8e183af9": { - "rule_name": "New GitHub Owner Added", - "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", + "version": 8 + } + 
}, + "rule_name": "Full User-Mode Dumps Enabled System-Wide", + "sha256": "30c368664c1bd007c6f25e8f4815c47ba84d8626a03680a17f4d9e672cd6b61d", + "type": "eql", + "version": 108 + }, + "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { + "rule_name": "SSH Authorized Keys File Modification", + "sha256": "5950490a263aef327d0d6b9b4f9c83dd9eeb655207043afab349082a0d04e0e9", + "type": "new_terms", + "version": 206 + }, + "22599847-5d13-48cb-8872-5796fee8692b": { + "rule_name": "SUNBURST Command and Control Activity", + "sha256": "28c3a8e43a93472d905579b46b496842487fb7c462bf01bdbde7cdc16361b2e7", + "type": "eql", + "version": 108 + }, + "227dc608-e558-43d9-b521-150772250bae": { + "rule_name": "AWS S3 Bucket Configuration Deletion", + "sha256": "c893799e9c59f2c1403b0350b301a705c63a0d1c86f201f9b1effafd647a7629", + "type": "query", + "version": 207 + }, + "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { + "rule_name": "Potential Shell via Web Server", + "sha256": "95829ac14cae4f4c82e003be08372f6c44edc266c796409e6971824d0be747f1", + "type": "query", + "version": 105 + }, + "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { + "rule_name": "GCP Storage Bucket Permissions Modification", + "sha256": "278f8d56c3932a208c4873795aa99690d1d05550d1e099c6fcdb6f6fca729604", + "type": "query", + "version": 104 + }, + "2339f03c-f53f-40fa-834b-40c5983fc41f": { + "rule_name": "Kernel Module Load via insmod", + "sha256": "f93a7445bd58a5432583f328a212f267f6b995da0635115c18ac935a208acd5d", + "type": "eql", + "version": 110 + }, + "2377946d-0f01-4957-8812-6878985f515d": { + "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", + "sha256": "6a0b13ec054468e1055fdcc971c3fbc84f6f9054c828eca4d3c0fa648b9c5fb4", + "type": "eql", + "version": 2 + }, + "23bcd283-2bc0-4db2-81d4-273fc051e5c0": { + "rule_name": "Unknown Execution of Binary with RWX Memory Region", + "sha256": "3f418fe503710182cb6ee9cfde5fad9281638f086f4441f882e8c13dbfdaccaa", + "type": "new_terms", + "version": 3 + }, + 
"23f18264-2d6d-11ef-9413-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", + "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "type": "esql", + "version": 3 + }, + "24401eca-ad0b-4ff9-9431-487a8e183af9": { + "rule_name": "New GitHub Owner Added", + "sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6", + "type": "eql", + "version": 4 + }, + "25224a80-5a4a-4b8a-991e-6ab390465c4f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, + "rule_name": "Lateral Movement via Startup Folder", + "sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381", "type": "eql", - "version": 3 - }, - "25224a80-5a4a-4b8a-991e-6ab390465c4f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Lateral Movement via Startup Folder", - "sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Lateral Movement via Startup Folder", - "sha256": "2fa971d8349cceea534e945ac39e6dc74a0af458533c1ccbca9f544f5f4b2a7c", - "type": "eql", - "version": 209 - } - }, + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, "rule_name": "Lateral Movement via Startup Folder", - "sha256": "274df472a867247fc2de690c81bfcb03b32b4ed67e0cc46c3a64d40fd0231c44", - "type": "eql", - "version": 309 - }, - "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4", - "type": "query", - "version": 4 - } - }, + "sha256": "2fa971d8349cceea534e945ac39e6dc74a0af458533c1ccbca9f544f5f4b2a7c", + "type": "eql", + "version": 209 + } + }, + 
"rule_name": "Lateral Movement via Startup Folder", + "sha256": "274df472a867247fc2de690c81bfcb03b32b4ed67e0cc46c3a64d40fd0231c44", + "type": "eql", + "version": 309 + }, + "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, "rule_name": "Potential PowerShell HackTool Script by Author", - "sha256": "01735177fce51c42923f16c612bbf247992c18fbc96e57a1b72c571807c334eb", + "sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4", "type": "query", - "version": 104 - }, - "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { - "rule_name": "Potential Reverse Shell via Background Process", - "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5", - "type": "eql", "version": 4 - }, - "25d917c4-aa3c-4111-974c-286c0312ff95": { - "rule_name": "Network Activity Detected via Kworker", - "sha256": "6c823634705c69de0120c2254520b0a79b53891b3f5af608fab3f07a2f04ec3b", - "type": "new_terms", - "version": 6 - }, - "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { - "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", - "sha256": "e07c5774ac9be077fa7a454528f609d611bd70ce18b1d4ae04954c19fd243eec", - "type": "query", - "version": 1 - }, - "260486ee-7d98-11ee-9599-f661ea17fbcd": { - "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", - "type": "query", - "version": 3 - }, - "2605aa59-29ac-4662-afad-8d86257c7c91": { - "rule_name": "Potential Suspicious DebugFS Root Device Access", - "sha256": "c48d98b19af215d3015bf2ae376ddaf8e9cf52396b7d8c7ecc202a8dd07e6ca7", - "type": "eql", - "version": 6 - }, - "263481c8-1e9b-492e-912d-d1760707f810": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "a6d31b2e82a80eb8609b1bb25461fd5d2588fdfba77a75c4df407666b1f6dce2", - "type": 
"eql", - "version": 2 - } - }, + } + }, + "rule_name": "Potential PowerShell HackTool Script by Author", + "sha256": "01735177fce51c42923f16c612bbf247992c18fbc96e57a1b72c571807c334eb", + "type": "query", + "version": 104 + }, + "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { + "rule_name": "Potential Reverse Shell via Background Process", + "sha256": "0ffb76c84bbd4407b32cb3cde060faa39ff1aca7f3f59d031d45d7e449cb74d5", + "type": "eql", + "version": 4 + }, + "25d917c4-aa3c-4111-974c-286c0312ff95": { + "rule_name": "Network Activity Detected via Kworker", + "sha256": "6c823634705c69de0120c2254520b0a79b53891b3f5af608fab3f07a2f04ec3b", + "type": "new_terms", + "version": 6 + }, + "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { + "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", + "sha256": "e07c5774ac9be077fa7a454528f609d611bd70ce18b1d4ae04954c19fd243eec", + "type": "query", + "version": 1 + }, + "260486ee-7d98-11ee-9599-f661ea17fbcd": { + "rule_name": "New Okta Authentication Behavior Detected", + "sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76", + "type": "query", + "version": 4 + }, + "2605aa59-29ac-4662-afad-8d86257c7c91": { + "rule_name": "Potential Suspicious DebugFS Root Device Access", + "sha256": "c48d98b19af215d3015bf2ae376ddaf8e9cf52396b7d8c7ecc202a8dd07e6ca7", + "type": "eql", + "version": 6 + }, + "263481c8-1e9b-492e-912d-d1760707f810": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, "rule_name": "Potential Relay Attack against a Domain Controller", - "sha256": "42c3946d99b19b6c84dd284fe024b606c61cd8cbf26ccf17a957a92f9ac8f441", + "sha256": "a6d31b2e82a80eb8609b1bb25461fd5d2588fdfba77a75c4df407666b1f6dce2", "type": "eql", - "version": 102 - }, - "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { - "rule_name": "Azure Blob Container Access Level Modification", - "sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534", - "type": "query", - "version": 102 - }, - 
"265db8f5-fc73-4d0d-b434-6483b56372e2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "535792c8a18d108f65af67d434bd5befcc35f6422b87accce90f5cf7fcda3f7e", - "type": "eql", - "version": 212 - } - }, + "version": 2 + } + }, + "rule_name": "Potential Relay Attack against a Domain Controller", + "sha256": "42c3946d99b19b6c84dd284fe024b606c61cd8cbf26ccf17a957a92f9ac8f441", + "type": "eql", + "version": 102 + }, + "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { + "rule_name": "Azure Blob Container Access Level Modification", + "sha256": "b8c9984ea50176ed7e98738246a92b5729623ecdef068b256bd5deae26c26534", + "type": "query", + "version": 102 + }, + "265db8f5-fc73-4d0d-b434-6483b56372e2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "63d4edaeb49856654125035d9376493bf4182f432dffc0f6dd69eef84bf81441", - "type": "eql", - "version": 312 - }, - "26a726d7-126e-4267-b43d-e9a70bfdee1e": { - "rule_name": "Potential Defense Evasion via Doas", - "sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27", + "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800", "type": "eql", - "version": 1 - }, - "26b01043-4f04-4d2f-882a-5a1d2e95751b": { - "rule_name": "Privileges Elevation via Parent Process PID Spoofing", - "sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Persistence via Update Orchestrator Service Hijack", + "sha256": 
"535792c8a18d108f65af67d434bd5befcc35f6422b87accce90f5cf7fcda3f7e", "type": "eql", - "version": 7 - }, - "26edba02-6979-4bce-920a-70b080a7be81": { - "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", - "sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7", - "type": "query", - "version": 105 - }, - "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { - "min_stack_version": "8.13", - "previous": { - "8.11": { - "max_allowable_version": 308, - "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4", - "type": "esql", - "version": 210 - } - }, + "version": 212 + } + }, + "rule_name": "Persistence via Update Orchestrator Service Hijack", + "sha256": "63d4edaeb49856654125035d9376493bf4182f432dffc0f6dd69eef84bf81441", + "type": "eql", + "version": 312 + }, + "26a726d7-126e-4267-b43d-e9a70bfdee1e": { + "rule_name": "Potential Defense Evasion via Doas", + "sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27", + "type": "eql", + "version": 1 + }, + "26b01043-4f04-4d2f-882a-5a1d2e95751b": { + "rule_name": "Privileges Elevation via Parent Process PID Spoofing", + "sha256": "fe01406a8aba7ef1783b900ebd444367f6c97053baf29469fd03f5fe099c7517", + "type": "eql", + "version": 7 + }, + "26edba02-6979-4bce-920a-70b080a7be81": { + "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", + "sha256": "81486e6269e07586e44c0e2e31d679dd20a6c335f856a8adad10143d41b7ada7", + "type": "query", + "version": 105 + }, + "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { + "min_stack_version": "8.13", + "previous": { + "8.11": { + "max_allowable_version": 308, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "defedded1b250e59f79608e335fc198ae97d2dcae4a0ac4386e61630388a1c70", + "sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4", "type": "esql", - "version": 311 - }, - 
"27071ea3-e806-4697-8abc-e22c92aa4293": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", - "type": "query", - "version": 5 - }, - "8.12": { - "max_allowable_version": 207, - "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95", - "type": "query", - "version": 108 - } - }, + "version": 210 + } + }, + "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", + "sha256": "defedded1b250e59f79608e335fc198ae97d2dcae4a0ac4386e61630388a1c70", + "type": "esql", + "version": 311 + }, + "27071ea3-e806-4697-8abc-e22c92aa4293": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "4a3e6bf68329d70f058be24f7904ce234a26b57c38972ad33ff103a9e00f78a9", + "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", "type": "query", - "version": 208 - }, - "2724808c-ba5d-48b2-86d2-0002103df753": { - "rule_name": "Attempt to Clear Kernel Ring Buffer", - "sha256": "25e2ab660e4188ceba62e4820957228cb86abad97ae790a7202ba5b2531e345f", - "type": "eql", "version": 5 - }, - "272a6484-2663-46db-a532-ef734bf9a796": { - "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", + }, + "8.12": { + "max_allowable_version": 207, + "rule_name": "PowerShell Script with Archive Compression Capabilities", + "sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95", "type": "query", - "version": 206 - }, - "2772264c-6fb9-4d9d-9014-b416eed21254": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Incoming 
Execution via PowerShell Remoting", - "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", - "type": "eql", - "version": 109 - } - }, + "version": 108 + } + }, + "rule_name": "PowerShell Script with Archive Compression Capabilities", + "sha256": "4a3e6bf68329d70f058be24f7904ce234a26b57c38972ad33ff103a9e00f78a9", + "type": "query", + "version": 208 + }, + "2724808c-ba5d-48b2-86d2-0002103df753": { + "rule_name": "Attempt to Clear Kernel Ring Buffer", + "sha256": "25e2ab660e4188ceba62e4820957228cb86abad97ae790a7202ba5b2531e345f", + "type": "eql", + "version": 5 + }, + "272a6484-2663-46db-a532-ef734bf9a796": { + "rule_name": "Microsoft 365 Exchange Transport Rule Modification", + "sha256": "4901f8288ffd58d58227242aedd0caaab898038617870ffef05e9c235a9a082e", + "type": "query", + "version": 206 + }, + "2772264c-6fb9-4d9d-9014-b416eed21254": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "30c7423c5023c7e2a06f2b998a346e1a90ca192c24819613312d92d5f7e37117", + "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", "type": "eql", - "version": 209 - }, - "2783d84f-5091-4d7d-9319-9fceda8fa71b": { - "rule_name": "GCP Firewall Rule Modification", - "sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf", - "type": "query", - "version": 104 - }, - "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { - "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", - "type": "query", - "version": 206 - }, - "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 215, - "rule_name": "Account Password Reset Remotely", - "sha256": "dbf803fd05859ae76bda5f4e085129d4a5f840731285774dfae887a28a0e6799", - "type": "eql", - "version": 116 - } - }, + "version": 109 + } + }, + 
"rule_name": "Incoming Execution via PowerShell Remoting", + "sha256": "30c7423c5023c7e2a06f2b998a346e1a90ca192c24819613312d92d5f7e37117", + "type": "eql", + "version": 209 + }, + "2783d84f-5091-4d7d-9319-9fceda8fa71b": { + "rule_name": "GCP Firewall Rule Modification", + "sha256": "7f903b4ec5008e277d2c4f30f030c9063155c7624b7938ba5d57635458cfbbdf", + "type": "query", + "version": 104 + }, + "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { + "rule_name": "Microsoft 365 Teams External Access Enabled", + "sha256": "0cb5f4c7faf103570f876bb43508577a2927c58a22ed1b35c609f2d195630f56", + "type": "query", + "version": 206 + }, + "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 215, "rule_name": "Account Password Reset Remotely", - "sha256": "8adb8b82a3d53207484f625914ee09d91378639f23dfaf99e0c5e4e504e7323b", + "sha256": "dbf803fd05859ae76bda5f4e085129d4a5f840731285774dfae887a28a0e6799", "type": "eql", - "version": 216 - }, - "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { - "min_stack_version": "8.13", - "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", - "sha256": "f869eb5fd1ce73193d75b85ad5bee9347325c5b60329c8274b00d1807a867977", - "type": "esql", - "version": 2 - }, - "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397", - "type": "eql", - "version": 111 - } - }, + "version": 116 + } + }, + "rule_name": "Account Password Reset Remotely", + "sha256": "8adb8b82a3d53207484f625914ee09d91378639f23dfaf99e0c5e4e504e7323b", + "type": "eql", + "version": 216 + }, + "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { + "min_stack_version": "8.13", + "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", + "sha256": 
"f869eb5fd1ce73193d75b85ad5bee9347325c5b60329c8274b00d1807a867977", + "type": "esql", + "version": 2 + }, + "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "2b775cfcd03f8ddcaab836d20fc03e2cd95cd89e3e8e729f6f6ea92f1e16bca4", - "type": "eql", - "version": 211 - }, - "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { - "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d", - "type": "query", - "version": 103 - }, - "28738f9f-7427-4d23-bc69-756708b5f624": { - "rule_name": "Suspicious File Changes Activity Detected", - "sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67", - "type": "eql", - "version": 8 - }, - "28896382-7d4f-4d50-9b72-67091901fd26": { - "rule_name": "Suspicious Process from Conhost", - "sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79", - "type": "eql", - "version": 100 - }, - "28bc620d-b2f7-4132-b372-f77953881d05": { - "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", - "sha256": "50b88f12b91fe3feb9118bf703666cee8eef3f3a6c36a426e7b43936ed0e50e2", - "type": "eql", - "version": 2 - }, - "28d39238-0c01-420a-b77a-24e5a7378663": { - "rule_name": "Sudo Command Enumeration Detected", - "sha256": "0f36e67505607bcb3888b92df081e70b54c5e239c9e0ed3345f8f8736beed326", - "type": "eql", - "version": 6 - }, - "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { - "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403", + "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397", "type": "eql", - "version": 3 - }, - "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { - "rule_name": "Shell Configuration Creation or Modification", - "sha256": "82a1df00e80a4d2e8c1cbcdef1cbc52c47bca472993056876a09f27981ed2fe6", + 
"version": 111 + } + }, + "rule_name": "Account Discovery Command via SYSTEM Account", + "sha256": "2b775cfcd03f8ddcaab836d20fc03e2cd95cd89e3e8e729f6f6ea92f1e16bca4", + "type": "eql", + "version": 211 + }, + "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { + "rule_name": "Exploit - Prevented - Elastic Endgame", + "sha256": "72767580ec9592b48af7b23c8f44b94bf3c619c87d45496757413417e9238c4d", + "type": "query", + "version": 103 + }, + "28738f9f-7427-4d23-bc69-756708b5f624": { + "rule_name": "Suspicious File Changes Activity Detected", + "sha256": "a5b402b3a9e4d3ba808b853c5d78107f40d164ba390a347ef0ac078afaa5cc67", + "type": "eql", + "version": 8 + }, + "28896382-7d4f-4d50-9b72-67091901fd26": { + "rule_name": "Suspicious Process from Conhost", + "sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79", + "type": "eql", + "version": 100 + }, + "288a198e-9b9b-11ef-a0a8-f661ea17fbcd": { + "rule_name": "AWS STS Role Assumption by User", + "sha256": "2988f8c5e5774464830730c7672f895c27574e37db7a0dd42027d9e4617f69f4", + "type": "new_terms", + "version": 1 + }, + "28bc620d-b2f7-4132-b372-f77953881d05": { + "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE", + "sha256": "50b88f12b91fe3feb9118bf703666cee8eef3f3a6c36a426e7b43936ed0e50e2", + "type": "eql", + "version": 2 + }, + "28d39238-0c01-420a-b77a-24e5a7378663": { + "rule_name": "Sudo Command Enumeration Detected", + "sha256": "0f36e67505607bcb3888b92df081e70b54c5e239c9e0ed3345f8f8736beed326", + "type": "eql", + "version": 6 + }, + "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { + "rule_name": "Privilege Escalation via SUID/SGID", + "sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403", + "type": "eql", + "version": 3 + }, + "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { + "rule_name": "Shell Configuration Creation or Modification", + "sha256": "82a1df00e80a4d2e8c1cbcdef1cbc52c47bca472993056876a09f27981ed2fe6", + "type": "eql", + "version": 5 + }, + "29052c19-ff3e-42fd-8363-7be14d7c5469": { 
+ "rule_name": "AWS EC2 Security Group Configuration Change", + "sha256": "48882709d629f366aa2742f2930bda9d8520aa354b7a9df6ecb07e58d3ce6a95", + "type": "query", + "version": 207 + }, + "290aca65-e94d-403b-ba0f-62f320e63f51": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, + "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", + "sha256": "5cfe971491ae9ff4d1d7dfd27691dc0cdebf5a8553599712008e0504e0d7cc4c", "type": "eql", - "version": 5 - }, - "29052c19-ff3e-42fd-8363-7be14d7c5469": { - "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "193c2c66e45942d40a519ed5a0c174f69daf4d7c4057ce0af2cc77baa1e9658c", - "type": "query", - "version": 206 - }, - "290aca65-e94d-403b-ba0f-62f320e63f51": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "5cfe971491ae9ff4d1d7dfd27691dc0cdebf5a8553599712008e0504e0d7cc4c", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "d5889d6fb11d2ccc008cab9342767cacc97ce35cad65e947b0e808f8dd323e78", - "type": "eql", - "version": 214 - } - }, + "version": 114 + }, + "8.13": { + "max_allowable_version": 313, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "0009d24657fc07cc0be3737e7b18671fb60664e1848e108ed20dea12aa670f81", + "sha256": "d5889d6fb11d2ccc008cab9342767cacc97ce35cad65e947b0e808f8dd323e78", "type": "eql", - "version": 314 - }, - "2917d495-59bd-4250-b395-c29409b76086": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc", - "type": "eql", - "version": 111 - }, - "8.13": { - 
"max_allowable_version": 414, - "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "a8eb3f78278925242ed765acb2a2d0e95ccd361a73e67ba655fb6137b82acfb7", - "type": "eql", - "version": 315 - } - }, + "version": 214 + } + }, + "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", + "sha256": "891e2a84a8bee293f84e2d2d2fb5755a5677ceb079a6adbd7cd800fd88b6a889", + "type": "eql", + "version": 315 + }, + "2917d495-59bd-4250-b395-c29409b76086": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", + "sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609", + "type": "eql", + "version": 112 + }, + "8.13": { + "max_allowable_version": 414, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "ea39706be956a8bf3162d982e74f0d222e65efbc0f700e70bef5307eaeddb38f", - "type": "eql", - "version": 415 - }, - "291a0de9-937a-4189-94c0-3e847c8b13e4": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 310, - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", - "type": "new_terms", - "version": 211 - }, - "8.12": { - "max_allowable_version": 414, - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4", - "type": "new_terms", - "version": 315 - } - }, + "sha256": "a8eb3f78278925242ed765acb2a2d0e95ccd361a73e67ba655fb6137b82acfb7", + "type": "eql", + "version": 315 + } + }, + "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", + "sha256": "e685ec880f93003d916f83c558301d788cc0671883fab6eebc79fe744f7c4c2b", + "type": "eql", + "version": 416 + }, + "291a0de9-937a-4189-94c0-3e847c8b13e4": { + "min_stack_version": 
"8.14", + "previous": { + "8.11": { + "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "6b9ddb99af8aebdf137ebdbc012a627a5c96f21ad7dfab54a26dc16d5763ed3d", + "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", "type": "new_terms", - "version": 415 - }, - "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { - "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", - "type": "query", - "version": 2 - }, - "29ef5686-9b93-433e-91b5-683911094698": { - "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", - "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", + "version": 211 + }, + "8.12": { + "max_allowable_version": 414, + "rule_name": "Enumeration of Privileged Local Groups Membership", + "sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4", "type": "new_terms", - "version": 1 - }, - "29f0cf93-d17c-4b12-b4f3-a433800539fa": { - "rule_name": "Linux SSH X11 Forwarding", - "sha256": "2562c461d5762274c7090f399cda06176716c846f045c4ba9c5d60ad1d63df91", + "version": 315 + } + }, + "rule_name": "Enumeration of Privileged Local Groups Membership", + "sha256": "6b9ddb99af8aebdf137ebdbc012a627a5c96f21ad7dfab54a26dc16d5763ed3d", + "type": "new_terms", + "version": 415 + }, + "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { + "rule_name": "New Okta Identity Provider (IdP) Added by Admin", + "sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211", + "type": "query", + "version": 3 + }, + "29ef5686-9b93-433e-91b5-683911094698": { + "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", + "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", + "type": "new_terms", + "version": 1 + }, + "29f0cf93-d17c-4b12-b4f3-a433800539fa": { + "rule_name": "Linux SSH X11 Forwarding", + "sha256": 
"2562c461d5762274c7090f399cda06176716c846f045c4ba9c5d60ad1d63df91", + "type": "eql", + "version": 4 + }, + "2a692072-d78d-42f3-a48a-775677d79c4e": { + "rule_name": "Potential Code Execution via Postgresql", + "sha256": "31193d1ef0348a443dc4c9605b4f62d6242633a24281f63b10519a48bb6178b4", + "type": "eql", + "version": 7 + }, + "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { + "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", + "sha256": "dc8b0a2fc0d7fa52084bd9ff94ef01de5dbafce96fa29a0e89c89ef27ab8e9a7", + "type": "query", + "version": 204 + }, + "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { + "rule_name": "ESXI Discovery via Grep", + "sha256": "93e259e4c84d6f482879c952380259c33794efa042c0d5141a382f91661b8880", + "type": "eql", + "version": 7 + }, + "2bf78aa2-9c56-48de-b139-f169bf99cf86": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Adobe Hijack Persistence", + "sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe", "type": "eql", - "version": 4 - }, - "2a692072-d78d-42f3-a48a-775677d79c4e": { - "rule_name": "Potential Code Execution via Postgresql", - "sha256": "31193d1ef0348a443dc4c9605b4f62d6242633a24281f63b10519a48bb6178b4", + "version": 113 + }, + "8.13": { + "max_allowable_version": 413, + "rule_name": "Adobe Hijack Persistence", + "sha256": "444405e37e8e57d20939866f5b78a3a70eb14ff1533a0524f612c56daa2ce62a", "type": "eql", - "version": 7 - }, - "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { - "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "dc8b0a2fc0d7fa52084bd9ff94ef01de5dbafce96fa29a0e89c89ef27ab8e9a7", - "type": "query", - "version": 204 - }, - "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4": { - "rule_name": "ESXI Discovery via Grep", - "sha256": "93e259e4c84d6f482879c952380259c33794efa042c0d5141a382f91661b8880", + "version": 314 + } + }, + "rule_name": "Adobe Hijack Persistence", + "sha256": 
"98e76c4e7dfdfd6f4b1bbc860b8d1ded5399f58cf113baa58e96cbb4c2c34f65", + "type": "eql", + "version": 414 + }, + "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, + "rule_name": "Windows Defender Exclusions Added via PowerShell", + "sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1", "type": "eql", - "version": 7 - }, - "2bf78aa2-9c56-48de-b139-f169bf99cf86": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Adobe Hijack Persistence", - "sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 413, - "rule_name": "Adobe Hijack Persistence", - "sha256": "444405e37e8e57d20939866f5b78a3a70eb14ff1533a0524f612c56daa2ce62a", - "type": "eql", - "version": 314 - } - }, - "rule_name": "Adobe Hijack Persistence", - "sha256": "98e76c4e7dfdfd6f4b1bbc860b8d1ded5399f58cf113baa58e96cbb4c2c34f65", - "type": "eql", - "version": 414 - }, - "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "035b963e8b20d330a6df9c8b7bf1ff3812c17492b17c6f32dea5100d031289e9", - "type": "eql", - "version": 212 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "a7e8e8b38be195c0705bc2968acc7bbb8804c6cf66bcee95c6234139cfafd1e7", + "sha256": "035b963e8b20d330a6df9c8b7bf1ff3812c17492b17c6f32dea5100d031289e9", "type": "eql", - "version": 312 - }, - 
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "afff98a0b90a5aae640601eba5921162ce7572b6838da100bc6c1a0be27e6f22", - "type": "eql", - "version": 110 - } - }, + "version": 212 + } + }, + "rule_name": "Windows Defender Exclusions Added via PowerShell", + "sha256": "ba6ccf2fd7102484bab3ab16542b8c07903d577a967904103c08bbfde581d055", + "type": "eql", + "version": 313 + }, + "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "9cb101dff02725a228ac6abd8ec38be725b6f0375a41b27f1ce6e446fa009463", + "sha256": "afff98a0b90a5aae640601eba5921162ce7572b6838da100bc6c1a0be27e6f22", "type": "eql", - "version": 210 - }, - "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Potential Foxmail Exploitation", - "sha256": "a4f0739152df6e638b21a5eac1cc7cf12b94d145b6cccfb04e27fdce391b2f91", - "type": "eql", - "version": 1 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Potential Foxmail Exploitation", - "sha256": "677b62dc3502ba3192802220e5c25de4e44c1c068cc4cbb54124820c29ce13f2", - "type": "eql", - "version": 101 - } - }, + "version": 110 + } + }, + "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", + "sha256": "9cb101dff02725a228ac6abd8ec38be725b6f0375a41b27f1ce6e446fa009463", + "type": "eql", + "version": 210 + }, + "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, + "rule_name": "Potential Foxmail Exploitation", + "sha256": "a4f0739152df6e638b21a5eac1cc7cf12b94d145b6cccfb04e27fdce391b2f91", + "type": "eql", + "version": 1 + }, + "8.13": { + 
"max_allowable_version": 200, "rule_name": "Potential Foxmail Exploitation", - "sha256": "eba357ab838c551e781786c61a2f8f3d1abd1c0d0cbd0b8676d8853d49125daf", - "type": "eql", - "version": 201 - }, - "2d62889e-e758-4c5e-b57e-c735914ee32a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "809e425e3a5be9a9800b6d14b48f314124436ff849b26df4baf4ff68b0da5cbf", - "type": "eql", - "version": 1 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "a80f52e2d0f126a7c18db7078056274ede0a847de4047bf98ab6fdeb58beef17", - "type": "eql", - "version": 101 - } - }, + "sha256": "677b62dc3502ba3192802220e5c25de4e44c1c068cc4cbb54124820c29ce13f2", + "type": "eql", + "version": 101 + } + }, + "rule_name": "Potential Foxmail Exploitation", + "sha256": "2cbfc9b78f91dc490e73a2fda8ca38737b819a786d7912db3d0dee69983a971d", + "type": "eql", + "version": 202 + }, + "2d62889e-e758-4c5e-b57e-c735914ee32a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, "rule_name": "Suspicious PowerShell Execution via Windows Scripts", - "sha256": "f343d88c98d36193572a1726eef142417d8f9af99eb57da610bd75e4c1a79d9d", + "sha256": "809e425e3a5be9a9800b6d14b48f314124436ff849b26df4baf4ff68b0da5cbf", "type": "eql", - "version": 201 - }, - "2d8043ed-5bda-4caf-801c-c1feb7410504": { - "rule_name": "Enumeration of Kernel Modules", - "sha256": "e476a54ff58dbe2b9ad2df9aa0a9e110cdaa9b7f6adea0b3fa77bd0f4638913c", - "type": "new_terms", - "version": 210 - }, - "2dd480be-1263-4d9c-8672-172928f6789a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 310, - "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", - "type": "eql", - "version": 211 - } - }, + 
"version": 1 + }, + "8.13": { + "max_allowable_version": 200, + "rule_name": "Suspicious PowerShell Execution via Windows Scripts", + "sha256": "a80f52e2d0f126a7c18db7078056274ede0a847de4047bf98ab6fdeb58beef17", + "type": "eql", + "version": 101 + } + }, + "rule_name": "Suspicious PowerShell Execution via Windows Scripts", + "sha256": "f343d88c98d36193572a1726eef142417d8f9af99eb57da610bd75e4c1a79d9d", + "type": "eql", + "version": 201 + }, + "2d8043ed-5bda-4caf-801c-c1feb7410504": { + "rule_name": "Enumeration of Kernel Modules", + "sha256": "e476a54ff58dbe2b9ad2df9aa0a9e110cdaa9b7f6adea0b3fa77bd0f4638913c", + "type": "new_terms", + "version": 210 + }, + "2dd480be-1263-4d9c-8672-172928f6789a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 310, "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "ddbbefc59783e983723d68990ec3bed4228de396458b94ed38fdc10ade8d9c9d", + "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", "type": "eql", - "version": 311 - }, - "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { - "rule_name": "Potential SSH-IT SSH Worm Downloaded", - "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c", + "version": 211 + } + }, + "rule_name": "Suspicious Process Access via Direct System Call", + "sha256": "ddbbefc59783e983723d68990ec3bed4228de396458b94ed38fdc10ade8d9c9d", + "type": "eql", + "version": 311 + }, + "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea": { + "rule_name": "Potential SSH-IT SSH Worm Downloaded", + "sha256": "b15d311e27e1605b59979cfacff8ed02534809f2ac3067c91d6f252b9c99532c", + "type": "eql", + "version": 3 + }, + "2de10e77-c144-4e69-afb7-344e7127abd0": { + "rule_name": "O365 Excessive Single Sign-On Logon Errors", + "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", + "type": "threshold", + "version": 207 + }, + "2de87d72-ee0c-43e2-b975-5f0b029ac600": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + 
"max_allowable_version": 108, + "rule_name": "Wireless Credential Dumping using Netsh Command", + "sha256": "7e5b7e7f86dcf4fbb6d5372775029f3abd32e945f33ed157e27d84917858b727", "type": "eql", - "version": 3 - }, - "2de10e77-c144-4e69-afb7-344e7127abd0": { - "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "a6c2623e22edf439212d0065ea3329407e43fdc9756008e2a6cc39150c927f46", - "type": "threshold", - "version": 207 - }, - "2de87d72-ee0c-43e2-b975-5f0b029ac600": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "7e5b7e7f86dcf4fbb6d5372775029f3abd32e945f33ed157e27d84917858b727", - "type": "eql", - "version": 9 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "903805e8cc42654adfa662e19eab1b40069bf11b67935e85d3d175c3a969514a", - "type": "eql", - "version": 109 - } - }, + "version": 9 + }, + "8.13": { + "max_allowable_version": 208, "rule_name": "Wireless Credential Dumping using Netsh Command", - "sha256": "2c9249a8cdc94c2f22bb519e4eb2380b783b3fc305a1f406eea8838fe77d2513", + "sha256": "903805e8cc42654adfa662e19eab1b40069bf11b67935e85d3d175c3a969514a", "type": "eql", - "version": 209 - }, - "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "c9fca874ba0aea66a0b05cce3eff5be4bec6fd71adbcdabb89b538dfe2294d8b", - "type": "eql", - "version": 111 - } - }, + "version": 109 + } + }, + "rule_name": "Wireless Credential Dumping using Netsh Command", + "sha256": "1e0176ef079975e1f7800254fbb79354318b4765c236b9cbb67f9ade42b3fa4f", + "type": "eql", + "version": 210 + }, + "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Renamed 
AutoIt Scripts Interpreter", - "sha256": "868e3c2f1a196ebbc4dd930f064d4c6b6e935ec882160043674baf64605134b0", + "sha256": "c9fca874ba0aea66a0b05cce3eff5be4bec6fd71adbcdabb89b538dfe2294d8b", "type": "eql", - "version": 211 - }, - "2e29e96a-b67c-455a-afe4-de6183431d0d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Potential Process Injection via PowerShell", - "sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029", - "type": "query", - "version": 113 - } - }, + "version": 111 + } + }, + "rule_name": "Renamed AutoIt Scripts Interpreter", + "sha256": "868e3c2f1a196ebbc4dd930f064d4c6b6e935ec882160043674baf64605134b0", + "type": "eql", + "version": 211 + }, + "2e29e96a-b67c-455a-afe4-de6183431d0d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Potential Process Injection via PowerShell", - "sha256": "7e0cc4f4c58256634c207a3b45ff788e4f9970f7e0b9436f55f186c002437855", + "sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029", "type": "query", - "version": 213 - }, - "2e311539-cd88-4a85-a301-04f38795007c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "Accessing Outlook Data Files", - "sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473", - "type": "eql", - "version": 5 - } - }, + "version": 113 + } + }, + "rule_name": "Potential Process Injection via PowerShell", + "sha256": "7e0cc4f4c58256634c207a3b45ff788e4f9970f7e0b9436f55f186c002437855", + "type": "query", + "version": 213 + }, + "2e311539-cd88-4a85-a301-04f38795007c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, "rule_name": "Accessing Outlook Data Files", - "sha256": "cbd45fc062e5bcef6a93a19f9d01b6f8d1fcd038fff47b19a5adb99569cdd378", + "sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473", "type": 
"eql", - "version": 105 - }, - "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { - "min_stack_version": "8.13", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", - "type": "threshold", - "version": 1 - } - }, + "version": 5 + } + }, + "rule_name": "Accessing Outlook Data Files", + "sha256": "cbd45fc062e5bcef6a93a19f9d01b6f8d1fcd038fff47b19a5adb99569cdd378", + "type": "eql", + "version": 105 + }, + "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { + "min_stack_version": "8.13", + "previous": { + "8.11": { + "max_allowable_version": 100, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", - "type": "esql", - "version": 103 - }, - "2e580225-2a58-48ef-938b-572933be06fe": { - "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", - "type": "query", - "version": 104 - }, - "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Creation of a Hidden Local User Account", - "sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Creation of a Hidden Local User Account", - "sha256": "a3f55a20eb34eb9f050c14ebec723bf8910a29329d76e98fee0fa59c90d5d247", - "type": "eql", - "version": 211 - } - }, + "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", + "type": "threshold", + "version": 1 + } + }, + "rule_name": "Okta User Sessions Started from Different Geolocations", + "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "type": "esql", + "version": 103 + }, + "2e580225-2a58-48ef-938b-572933be06fe": 
{ + "rule_name": "Halfbaked Command and Control Beacon", + "sha256": "67f17bb4543d663bbd223adf3ed78c7e8f5018d561d5600b0b835ed24d9a6174", + "type": "query", + "version": 104 + }, + "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Creation of a Hidden Local User Account", - "sha256": "19b7467f53896db1e8c5f00dde89e1ac429dc7e8125d433e5c4aac81a6f41de2", + "sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478", "type": "eql", - "version": 311 - }, - "2f0bae2d-bf20-4465-be86-1311addebaa3": { - "rule_name": "GCP Kubernetes Rolebindings Created or Patched", - "sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830", - "type": "query", - "version": 101 - }, - "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", - "type": "query", - "version": 112 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Creation of a Hidden Local User Account", + "sha256": "a3f55a20eb34eb9f050c14ebec723bf8910a29329d76e98fee0fa59c90d5d247", + "type": "eql", + "version": 211 + } + }, + "rule_name": "Creation of a Hidden Local User Account", + "sha256": "19b7467f53896db1e8c5f00dde89e1ac429dc7e8125d433e5c4aac81a6f41de2", + "type": "eql", + "version": 311 + }, + "2f0bae2d-bf20-4465-be86-1311addebaa3": { + "rule_name": "GCP Kubernetes Rolebindings Created or Patched", + "sha256": "bd0cfcd18ddea0b9730c52e91f2de67a9b343831ce2a5351233e44a328498830", + "type": "query", + "version": 101 + }, + "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "PowerShell Suspicious Script with Audio Capture 
Capabilities", - "sha256": "f30a726cc8233f0fd47f045cc06753a16529142e73e25f7f2f0a62d4321894c8", + "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", "type": "query", - "version": 212 - }, - "2f8a1226-5720-437d-9c20-e0029deb6194": { - "rule_name": "Attempt to Disable Syslog Service", - "sha256": "b1a7d12998e1efd7ea299012dcf84947b7b732b5d5acaf875515adc5e0289cf9", - "type": "eql", - "version": 110 - }, - "2f95540c-923e-4f57-9dae-de30169c68b9": { - "rule_name": "Suspicious /proc/maps Discovery", - "sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93", - "type": "eql", - "version": 2 - }, - "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { - "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813", - "type": "eql", - "version": 109 - }, - "2ffa1f1e-b6db-47fa-994b-1512743847eb": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 214, - "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b", - "type": "eql", - "version": 115 - } - }, + "version": 112 + } + }, + "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", + "sha256": "f30a726cc8233f0fd47f045cc06753a16529142e73e25f7f2f0a62d4321894c8", + "type": "query", + "version": 212 + }, + "2f8a1226-5720-437d-9c20-e0029deb6194": { + "rule_name": "Attempt to Disable Syslog Service", + "sha256": "b1a7d12998e1efd7ea299012dcf84947b7b732b5d5acaf875515adc5e0289cf9", + "type": "eql", + "version": 110 + }, + "2f95540c-923e-4f57-9dae-de30169c68b9": { + "rule_name": "Suspicious /proc/maps Discovery", + "sha256": "ceb64517a4f38ec0b520e88bfd10c759040ae2fc573d8712c77889e56afddd93", + "type": "eql", + "version": 2 + }, + "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { + "rule_name": "Startup Folder Persistence via Unsigned Process", + "sha256": 
"16889344ca9108bf590521debc5e7f4f79d260b86172b2f1df97f6014b9e5813", + "type": "eql", + "version": 109 + }, + "2ffa1f1e-b6db-47fa-994b-1512743847eb": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 214, "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "2fc498a71ba2f88f7d63796eca1ee83dbe34d62673590eba2f4b869845a5cb02", - "type": "eql", - "version": 215 - }, - "301571f3-b316-4969-8dd0-7917410030d3": { - "rule_name": "Malicious Remote File Creation", - "sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0", - "type": "eql", - "version": 1 - }, - "30562697-9859-4ae0-a8c5-dab45d664170": { - "rule_name": "GCP Firewall Rule Creation", - "sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e", - "type": "query", - "version": 104 - }, - "30b5bb96-c7db-492c-80e9-1eab00db580b": { - "rule_name": "AWS S3 Object Versioning Suspended", - "sha256": "16e9f3ed67d6796c3a8d6b7fae2c3432ecec1180bccc33240b81d05c0d654d22", - "type": "eql", - "version": 2 - }, - "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { - "rule_name": "ESXI Timestomping using Touch Command", - "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea", - "type": "eql", - "version": 8 - }, - "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { - "rule_name": "Network Connection via Sudo Binary", - "sha256": "b469b8c3a65e085d1a09370ef4bf02f1feb2e98f438d6af4c42d1495c1959385", + "sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b", + "type": "eql", + "version": 115 + } + }, + "rule_name": "Windows Defender Disabled via Registry Modification", + "sha256": "2fc498a71ba2f88f7d63796eca1ee83dbe34d62673590eba2f4b869845a5cb02", + "type": "eql", + "version": 215 + }, + "301571f3-b316-4969-8dd0-7917410030d3": { + "rule_name": "Malicious Remote File Creation", + "sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0", + "type": "eql", + "version": 1 + }, + 
"30562697-9859-4ae0-a8c5-dab45d664170": { + "rule_name": "GCP Firewall Rule Creation", + "sha256": "bb0dfe6b9f2f4b9ceed60017b384a9ec5cdb5c52df95261b4b306681aa1f7a1e", + "type": "query", + "version": 104 + }, + "30b5bb96-c7db-492c-80e9-1eab00db580b": { + "rule_name": "AWS S3 Object Versioning Suspended", + "sha256": "16e9f3ed67d6796c3a8d6b7fae2c3432ecec1180bccc33240b81d05c0d654d22", + "type": "eql", + "version": 2 + }, + "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { + "rule_name": "ESXI Timestomping using Touch Command", + "sha256": "3aded99ffea86675df0ab0f003bf86c0e5a794828e77b17812a3f979d0fb70ea", + "type": "eql", + "version": 8 + }, + "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { + "rule_name": "Network Connection via Sudo Binary", + "sha256": "b469b8c3a65e085d1a09370ef4bf02f1feb2e98f438d6af4c42d1495c1959385", + "type": "eql", + "version": 3 + }, + "30fbf4db-c502-4e68-a239-2e99af0f70da": { + "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", + "sha256": "a0060f1d4d4a006b66f4dad527c7bf963002cf71864a361f0c45f7959030f08f", + "type": "new_terms", + "version": 3 + }, + "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { + "rule_name": "Agent Spoofing - Mismatched Agent ID", + "sha256": "ec70ea76f2b63b214733972e4c42caadfa150fe1b0efa06b5d369bdcf5d80129", + "type": "query", + "version": 102 + }, + "31295df3-277b-4c56-a1fb-84e31b4222a9": { + "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", + "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446", + "type": "query", + "version": 104 + }, + "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, + "rule_name": "Bypass UAC via Event Viewer", + "sha256": "6803ee7c44e816c648b5cb1c7638f63b9a8952d06dc27673a10931537edcc6c7", "type": "eql", - "version": 3 - }, - "30fbf4db-c502-4e68-a239-2e99af0f70da": { - "rule_name": "AWS STS GetCallerIdentity API Called for the First Time", - "sha256": 
"d6f20b6a3603f9833ff11f6068def92a2747b680d1ce4c78ffb5eda220b55347", - "type": "new_terms", - "version": 2 - }, - "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { - "rule_name": "Agent Spoofing - Mismatched Agent ID", - "sha256": "ec70ea76f2b63b214733972e4c42caadfa150fe1b0efa06b5d369bdcf5d80129", - "type": "query", - "version": 102 - }, - "31295df3-277b-4c56-a1fb-84e31b4222a9": { - "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "7aca9860d8b4e2d6a3c826f3c89aad15a3ccef60bdb18f3a6c0e5d9d5eb96446", - "type": "query", - "version": 104 - }, - "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Bypass UAC via Event Viewer", - "sha256": "6803ee7c44e816c648b5cb1c7638f63b9a8952d06dc27673a10931537edcc6c7", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Bypass UAC via Event Viewer", - "sha256": "3a5ba368eb9c20041f39f0ccb099b88622f09abeeca8836f0978e004928922e6", - "type": "eql", - "version": 214 - } - }, + "version": 114 + }, + "8.13": { + "max_allowable_version": 313, "rule_name": "Bypass UAC via Event Viewer", - "sha256": "6deb463106a96f5bb1be9b6d736dd4e0e0bc07999455a8bf3be05dc471592a70", + "sha256": "3a5ba368eb9c20041f39f0ccb099b88622f09abeeca8836f0978e004928922e6", "type": "eql", - "version": 314 - }, - "3202e172-01b1-4738-a932-d024c514ba72": { - "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0", - "type": "query", - "version": 104 - }, - "32300431-c2d5-432d-8ec8-0e03f9924756": { - "rule_name": "Network Connection from Binary with RWX Memory Region", - "sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e", + "version": 214 + } + }, + "rule_name": "Bypass UAC via Event Viewer", + "sha256": "7636e829317fb6054a6324982a7342705e13d8712bd9297b1e16195419b0edbb", + "type": "eql", + "version": 315 + }, + 
"3202e172-01b1-4738-a932-d024c514ba72": { + "rule_name": "GCP Pub/Sub Topic Deletion", + "sha256": "124b074b61fa892959b957078f6b0ce22d6fc14dfa12721b099e26e56784daa0", + "type": "query", + "version": 104 + }, + "32300431-c2d5-432d-8ec8-0e03f9924756": { + "rule_name": "Network Connection from Binary with RWX Memory Region", + "sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e", + "type": "eql", + "version": 3 + }, + "323cb487-279d-4218-bcbd-a568efe930c6": { + "rule_name": "Azure Network Watcher Deletion", + "sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a", + "type": "query", + "version": 102 + }, + "32923416-763a-4531-bb35-f33b9232ecdb": { + "rule_name": "RPC (Remote Procedure Call) to the Internet", + "sha256": "bd14c9e18b459c255249f0f5e5e5d3fb94b2c32186ea0e40eb3847cf3da62ac3", + "type": "query", + "version": 104 + }, + "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Program Files Directory Masquerading", + "sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef", "type": "eql", - "version": 3 - }, - "323cb487-279d-4218-bcbd-a568efe930c6": { - "rule_name": "Azure Network Watcher Deletion", - "sha256": "2639a17ce5e5d5cbfafd00c48a0d20d73a8f7fd26a389a962808a2d552c1cd1a", - "type": "query", - "version": 102 - }, - "32923416-763a-4531-bb35-f33b9232ecdb": { - "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "bd14c9e18b459c255249f0f5e5e5d3fb94b2c32186ea0e40eb3847cf3da62ac3", - "type": "query", - "version": 104 - }, - "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Program Files Directory Masquerading", - "sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": 
"Program Files Directory Masquerading", - "sha256": "b971172eccda841cf458753c2173ec71dad386098f0aecce8d402912cc50f630", - "type": "eql", - "version": 211 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, "rule_name": "Program Files Directory Masquerading", - "sha256": "4175fbfd3a9fc161dd2cd47b730ae75ccf86d2b23315efacf1ae36222ecd18b1", + "sha256": "b971172eccda841cf458753c2173ec71dad386098f0aecce8d402912cc50f630", "type": "eql", - "version": 311 - }, - "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { - "rule_name": "Microsoft 365 Portal Login from Rare Location", - "sha256": "3e3186fdaf81508055217cd52ac7b74d8c88bda2fca0eca7f8e1b3b573b7cd02", - "type": "new_terms", - "version": 2 - }, - "32f4675e-6c49-4ace-80f9-97c9259dca2e": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 414, - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "52d170ebae7e61e5c4726ce76d29b5b2e9d7026e32a550e9d5012f02f0e50f8d", - "type": "eql", - "version": 315 - } - }, + "version": 211 + } + }, + "rule_name": "Program Files Directory Masquerading", + "sha256": "7118d989ba0d5e6e0b2a80bb486a7a93738b35454c185aa6edf9e558ca1662d3", + "type": "eql", + "version": 312 + }, + "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { + "rule_name": "Microsoft 365 Portal Login from Rare Location", + "sha256": "3e3186fdaf81508055217cd52ac7b74d8c88bda2fca0eca7f8e1b3b573b7cd02", + "type": "new_terms", + "version": 2 + }, + "32f4675e-6c49-4ace-80f9-97c9259dca2e": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "ae26181671ae6bbae944ada800c4e297894d392c89e550410c8815a1c1be2bdc", - "type": "eql", - "version": 415 - }, - 
"333de828-8190-4cf5-8d7c-7575846f6fe0": { - "rule_name": "AWS IAM User Addition to Group", - "sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46", - "type": "query", - "version": 209 - }, - "33a6752b-da5e-45f8-b13a-5f094c09522f": { - "rule_name": "ESXI Discovery via Find", - "sha256": "5ffb9a4076c8b9782893429052beeb256ac381d1d57cd0267fc84f9f5df944df", + "sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172", "type": "eql", - "version": 7 - }, - "33f306e8-417c-411b-965c-c2812d6d3f4d": { - "rule_name": "Remote File Download via PowerShell", - "sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976", - "type": "eql", - "version": 110 - }, - "342f834b-21a6-41bf-878c-87d116eba3ee": { - "rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", - "sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6", - "type": "eql", - "version": 1 - }, - "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { - "rule_name": "GitHub Repository Deleted", - "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", + "version": 112 + }, + "8.13": { + "max_allowable_version": 414, + "rule_name": "Suspicious MS Outlook Child Process", + "sha256": "52d170ebae7e61e5c4726ce76d29b5b2e9d7026e32a550e9d5012f02f0e50f8d", "type": "eql", - "version": 2 - }, - "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { - "rule_name": "AWS CLI Command with Custom Endpoint URL", - "sha256": "cf3130f23b44875cbdc95a497a47b56ca8d3eddfd51b8275318b17028b7f5e56", - "type": "new_terms", - "version": 1 - }, - "34fde489-94b0-4500-a76f-b8a157cf9269": { - "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "d4d536d179c2456b42cc7463e03bb7cc9e7f6b8fc478a861c31138ba803c957a", - "type": "query", - "version": 106 - }, - "35330ba2-c859-4c98-8b7f-c19159ea0e58": { - "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": 
"e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934", - "type": "query", - "version": 106 - }, - "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Port Forwarding Rule Addition", - "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 412, - "rule_name": "Port Forwarding Rule Addition", - "sha256": "a5d70c0995622fa1e034a975d14f87929c6bb6032e2a8b710c5619638eeddef7", - "type": "eql", - "version": 313 - } - }, + "version": 315 + } + }, + "rule_name": "Suspicious MS Outlook Child Process", + "sha256": "647dc0c3fd2b8dffd212c282c77861aaa9c16dc0a23e442c48d168eb333f8ae7", + "type": "eql", + "version": 416 + }, + "3302835b-0049-4004-a325-660b1fba1f67": { + "rule_name": "Directory Creation in /bin directory", + "sha256": "f412ce479acffee82949aed77160fece5ab382dbec5d754ae3c3fdf213e61712", + "type": "eql", + "version": 1 + }, + "333de828-8190-4cf5-8d7c-7575846f6fe0": { + "rule_name": "AWS IAM User Addition to Group", + "sha256": "5797f109e144dd874da2cd92796142c3e024058b0b7239fa006a719364423b46", + "type": "query", + "version": 209 + }, + "33a6752b-da5e-45f8-b13a-5f094c09522f": { + "rule_name": "ESXI Discovery via Find", + "sha256": "5ffb9a4076c8b9782893429052beeb256ac381d1d57cd0267fc84f9f5df944df", + "type": "eql", + "version": 7 + }, + "33f306e8-417c-411b-965c-c2812d6d3f4d": { + "rule_name": "Remote File Download via PowerShell", + "sha256": "a468cf285aeec523223067030229793d4769bc5659502779d939657e57a77976", + "type": "eql", + "version": 110 + }, + "342f834b-21a6-41bf-878c-87d116eba3ee": { + "rule_name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", + "sha256": "80a1285a2fc10cd2a83830beb16066febaf04201e827216516c4e4dc9b47ade6", + "type": "eql", + "version": 1 + }, + "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { + "rule_name": "GitHub 
Repository Deleted", + "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", + "type": "eql", + "version": 2 + }, + "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { + "rule_name": "AWS CLI Command with Custom Endpoint URL", + "sha256": "cf3130f23b44875cbdc95a497a47b56ca8d3eddfd51b8275318b17028b7f5e56", + "type": "new_terms", + "version": 1 + }, + "34fde489-94b0-4500-a76f-b8a157cf9269": { + "rule_name": "Accepted Default Telnet Port Connection", + "sha256": "d4d536d179c2456b42cc7463e03bb7cc9e7f6b8fc478a861c31138ba803c957a", + "type": "query", + "version": 106 + }, + "35330ba2-c859-4c98-8b7f-c19159ea0e58": { + "rule_name": "Execution via Electron Child Process Node.js Module", + "sha256": "e62ff0708c98fc9c3f113e773084f58a137eabb8da806c25c3871f0131fd7934", + "type": "query", + "version": 106 + }, + "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Port Forwarding Rule Addition", - "sha256": "1cc79e2c4f68e45ffdf9e7e58a3a627ca8fd4f5577008f4af3b2e0cc353dcd19", + "sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d", "type": "eql", - "version": 413 - }, - "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { - "rule_name": "Spike in Bytes Sent to an External Device", - "sha256": "7f778783d142f64fbf3be96cbd7c5059a658dce8b1986144a77ebac82f8c9a58", - "type": "machine_learning", - "version": 4 - }, - "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { - "min_stack_version": "8.13", - "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts", - "sha256": "b8a5a3e5d42986cc6784293804bea5aa15d3f3062fce2ed4740680f384718d88", - "type": "esql", - "version": 2 - }, - "35df0dd8-092d-4a83-88c1-5151a804f31b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Unusual Parent-Child Relationship", - "sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0", - "type": "eql", - 
"version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Unusual Parent-Child Relationship", - "sha256": "ec66f5859b414a64af3fb50ecdd42328868c38c15d769091fbe8b212c4bfeb46", - "type": "eql", - "version": 213 - } - }, - "rule_name": "Unusual Parent-Child Relationship", - "sha256": "911ca4fcfaf0c8906e205138f89bc9fd236ad0acee66234ca9e43d5183baf44e", + "version": 111 + }, + "8.13": { + "max_allowable_version": 412, + "rule_name": "Port Forwarding Rule Addition", + "sha256": "a5d70c0995622fa1e034a975d14f87929c6bb6032e2a8b710c5619638eeddef7", "type": "eql", "version": 313 - }, - "35f86980-1fb1-4dff-b311-3be941549c8d": { - "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "4717b0d0eb76707afa4f290f2239c9c078684d413574d6615ec4c298bd38495c", - "type": "machine_learning", - "version": 104 - }, - "3605a013-6f0c-4f7d-88a5-326f5be262ec": { - "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", - "sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3", + } + }, + "rule_name": "Port Forwarding Rule Addition", + "sha256": "1cc79e2c4f68e45ffdf9e7e58a3a627ca8fd4f5577008f4af3b2e0cc353dcd19", + "type": "eql", + "version": 413 + }, + "35a3b253-eea8-46f0-abd3-68bdd47e6e3d": { + "rule_name": "Spike in Bytes Sent to an External Device", + "sha256": "7f778783d142f64fbf3be96cbd7c5059a658dce8b1986144a77ebac82f8c9a58", + "type": "machine_learning", + "version": 4 + }, + "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { + "min_stack_version": "8.13", + "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts", + "sha256": "b8a5a3e5d42986cc6784293804bea5aa15d3f3062fce2ed4740680f384718d88", + "type": "esql", + "version": 2 + }, + "35df0dd8-092d-4a83-88c1-5151a804f31b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Unusual Parent-Child Relationship", + "sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0", 
"type": "eql", - "version": 100 - }, - "3688577a-d196-11ec-90b0-f661ea17fbce": { - "rule_name": "Process Started from Process ID (PID) File", - "sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e", + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Unusual Parent-Child Relationship", + "sha256": "ec66f5859b414a64af3fb50ecdd42328868c38c15d769091fbe8b212c4bfeb46", "type": "eql", - "version": 109 - }, - "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "d70480df37508e5a424c838ac5ccc1002758e722ac2e3a8fdb58ba327ec88eaf", - "type": "eql", - "version": 209 - } - }, + "version": 213 + } + }, + "rule_name": "Unusual Parent-Child Relationship", + "sha256": "d4084427ba4202e29ea9d52ef3f7dbf75c97b4a6f1a10725f786c723d5659016", + "type": "eql", + "version": 314 + }, + "35f86980-1fb1-4dff-b311-3be941549c8d": { + "rule_name": "Network Traffic to Rare Destination Country", + "sha256": "4717b0d0eb76707afa4f290f2239c9c078684d413574d6615ec4c298bd38495c", + "type": "machine_learning", + "version": 104 + }, + "3605a013-6f0c-4f7d-88a5-326f5be262ec": { + "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", + "sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3", + "type": "eql", + "version": 100 + }, + "3688577a-d196-11ec-90b0-f661ea17fbce": { + "rule_name": "Process Started from Process ID (PID) File", + "sha256": "299fc2aae27ca710fe1c8e92af61046ea6040c245173fc7572644fa2aa4a9b1e", + "type": "eql", + "version": 109 + }, + "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { + "min_stack_version": "8.14", + "previous": { + "8.11": { 
+ "max_allowable_version": 208, "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "6cb28ae624dbac6a4d47e720907a77cdf089d5b190a6cc3bbbc2cc16990dd488", + "sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb", "type": "eql", - "version": 309 - }, - "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { - "rule_name": "High Mean of Process Arguments in an RDP Session", - "sha256": "702a6f3a2433e5ad66e4dd17b555c7bc979578f8248e27744f421e12791d0780", - "type": "machine_learning", - "version": 4 - }, - "3728c08d-9b70-456b-b6b8-007c7d246128": { - "rule_name": "Potential Suspicious File Edit", - "sha256": "bf74f549ef8c05505839770cb6d64489d48d766df1312cd3524c9d65450352dd", + "version": 110 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Suspicious ImagePath Service Creation", + "sha256": "d70480df37508e5a424c838ac5ccc1002758e722ac2e3a8fdb58ba327ec88eaf", "type": "eql", - "version": 5 - }, - "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { - "rule_name": "AWS RDS Security Group Creation", - "sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0", - "type": "query", - "version": 206 - }, - "37994bca-0611-4500-ab67-5588afe73b77": { - "rule_name": "Azure Active Directory High Risk Sign-in", - "sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a", - "type": "query", - "version": 105 - }, - "37b0816d-af40-40b4-885f-bb162b3c88a9": { - "rule_name": "Anomalous Kernel Module Activity", - "sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12", - "type": "machine_learning", - "version": 100 - }, - "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { - "rule_name": "AWS Execution via System Manager", - "sha256": "5262f35d3a77b7ea661f2c08269986f36b47c9e01836ec71acf45e6f3653b88e", - "type": "query", "version": 209 - }, - "37f638ea-909d-4f94-9248-edd21e4a9906": { - "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "858e1ed186fb82e360626319ec5bcc00cd623d9b58317239f8e44049e46d4916", - 
"type": "eql", - "version": 206 - }, - "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { - "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", - "type": "query", - "version": 208 - }, - "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 214, - "rule_name": "Network Connection via Certutil", - "sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be", - "type": "eql", - "version": 115 - } - }, + } + }, + "rule_name": "Suspicious ImagePath Service Creation", + "sha256": "6cb28ae624dbac6a4d47e720907a77cdf089d5b190a6cc3bbbc2cc16990dd488", + "type": "eql", + "version": 309 + }, + "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { + "rule_name": "High Mean of Process Arguments in an RDP Session", + "sha256": "702a6f3a2433e5ad66e4dd17b555c7bc979578f8248e27744f421e12791d0780", + "type": "machine_learning", + "version": 4 + }, + "3728c08d-9b70-456b-b6b8-007c7d246128": { + "rule_name": "Potential Suspicious File Edit", + "sha256": "bf74f549ef8c05505839770cb6d64489d48d766df1312cd3524c9d65450352dd", + "type": "eql", + "version": 5 + }, + "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { + "rule_name": "AWS RDS Security Group Creation", + "sha256": "a980e64d0ef17442e319eed703e3dc756434170c637087afded818fc1942c2e0", + "type": "query", + "version": 206 + }, + "37994bca-0611-4500-ab67-5588afe73b77": { + "rule_name": "Azure Active Directory High Risk Sign-in", + "sha256": "81cfc0cf1d22eac182fb2dbed83295eb880bff4c46b583ac7a02667c2bd7140a", + "type": "query", + "version": 105 + }, + "37b0816d-af40-40b4-885f-bb162b3c88a9": { + "rule_name": "Anomalous Kernel Module Activity", + "sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12", + "type": "machine_learning", + "version": 100 + }, + "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { + "rule_name": "AWS SSM `SendCommand` Execution by Rare User", + "sha256": 
"eaca01a4eabb8830d6e1829229535613f1f61dd22c301080198653b3cbbff971", + "type": "new_terms", + "version": 210 + }, + "37f638ea-909d-4f94-9248-edd21e4a9906": { + "rule_name": "Finder Sync Plugin Registered and Enabled", + "sha256": "858e1ed186fb82e360626319ec5bcc00cd623d9b58317239f8e44049e46d4916", + "type": "eql", + "version": 206 + }, + "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { + "rule_name": "Attempted Bypass of Okta MFA", + "sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146", + "type": "query", + "version": 209 + }, + "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 214, "rule_name": "Network Connection via Certutil", - "sha256": "a46ff963d1341267dc84e8cae348751c9602db28818d086bdbc2d06646e63071", - "type": "eql", - "version": 215 - }, - "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { - "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "4082dec3872831be075b4437114dd49a7322440fc0f7650a4de37632a9a6b063", - "type": "eql", - "version": 208 - }, - "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { - "rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations", - "sha256": "b27504fdf50603f2d3b2d98b424475dd42fa3e57f3331ab23a5b8290dde2302d", - "type": "threshold", - "version": 2 - }, - "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { - "rule_name": "User Added as Owner for Azure Service Principal", - "sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f", - "type": "query", - "version": 102 - }, - "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { - "rule_name": "External User Added to Google Workspace Group", - "sha256": "c3493126c9accd6f626f2aa40ab74be96a664b87ceabce37843cf4e29b8414bc", - "type": "eql", - "version": 3 - }, - "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { - "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee", - "type": "query", - "version": 206 - }, 
- "39157d52-4035-44a8-9d1a-6f8c5f580a07": { - "rule_name": "Downloaded Shortcut Files", - "sha256": "3734901c2dbce0d6f0b119ddff90fe866f68c2fc432c33ef166921f6ba83c1fd", - "type": "eql", - "version": 3 - }, - "393ef120-63d1-11ef-8e38-f661ea17fbce": { - "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls", - "sha256": "b524ff31b8e1861ed00678a96b6e3ac6e6ae60868b6a7c3f8e7127a5c07756b3", - "type": "esql", - "version": 2 - }, - "397945f3-d39a-4e6f-8bcb-9656c2031438": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3", - "type": "eql", - "version": 107 - }, - "8.13": { - "max_allowable_version": 306, - "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "fbccc75ff02a26ccb579fc912dbe3bf5e26a7b1c0e7f2084425a15d680bda382", - "type": "eql", - "version": 207 - } - }, + "sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be", + "type": "eql", + "version": 115 + } + }, + "rule_name": "Network Connection via Certutil", + "sha256": "a46ff963d1341267dc84e8cae348751c9602db28818d086bdbc2d06646e63071", + "type": "eql", + "version": 215 + }, + "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { + "rule_name": "Prompt for Credentials with OSASCRIPT", + "sha256": "4082dec3872831be075b4437114dd49a7322440fc0f7650a4de37632a9a6b063", + "type": "eql", + "version": 208 + }, + "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { + "rule_name": "Microsoft 365 Portal Logins from Impossible Travel Locations", + "sha256": "b27504fdf50603f2d3b2d98b424475dd42fa3e57f3331ab23a5b8290dde2302d", + "type": "threshold", + "version": 2 + }, + "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { + "rule_name": "User Added as Owner for Azure Service Principal", + "sha256": "0366d38e25390f27d5a88679fdeb1186fa00482024bab6e37b84f6d6ee4bdf2f", + "type": "query", + "version": 102 + }, + "38f384e0-aef8-11ed-9a38-f661ea17fbcc": { 
+ "rule_name": "External User Added to Google Workspace Group", + "sha256": "c3493126c9accd6f626f2aa40ab74be96a664b87ceabce37843cf4e29b8414bc", + "type": "eql", + "version": 3 + }, + "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { + "rule_name": "AWS EC2 Network Access Control List Creation", + "sha256": "e91381a670fa911026a21863f0f82af1de6b7d106b32bea4d783d4e2c8ceddee", + "type": "query", + "version": 206 + }, + "39157d52-4035-44a8-9d1a-6f8c5f580a07": { + "rule_name": "Downloaded Shortcut Files", + "sha256": "3734901c2dbce0d6f0b119ddff90fe866f68c2fc432c33ef166921f6ba83c1fd", + "type": "eql", + "version": 3 + }, + "393ef120-63d1-11ef-8e38-f661ea17fbce": { + "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls", + "sha256": "c17aaffab1800f50439ea947e5d83bad847542dce0fa3a035bff758b4b41d5a6", + "type": "esql", + "version": 3 + }, + "397945f3-d39a-4e6f-8bcb-9656c2031438": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "33de23d497e65bf6580cc0881d00591732c13e58e5e35d309d5a9bc28346b5de", + "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3", "type": "eql", - "version": 307 - }, - "39c06367-b700-4380-848a-cab06e7afede": { - "rule_name": "Systemd Generator Created", - "sha256": "b336dcc55cb6d9c74fd8f467faab033cf4e5c408d97b06a750b73840b1ba098b", + "version": 107 + }, + "8.13": { + "max_allowable_version": 306, + "rule_name": "Persistence via Microsoft Outlook VBA", + "sha256": "fbccc75ff02a26ccb579fc912dbe3bf5e26a7b1c0e7f2084425a15d680bda382", "type": "eql", - "version": 3 - }, - "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "6000c31bea360c0d9b1d37463b62aaa348ae174cd150d753a365830bfab75447", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - 
"rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "d12e9ea8b95150ad9d1665a105aed34e99914c20b08bab4f9397c47f325e4c10", - "type": "eql", - "version": 211 - } - }, + "version": 207 + } + }, + "rule_name": "Persistence via Microsoft Outlook VBA", + "sha256": "33de23d497e65bf6580cc0881d00591732c13e58e5e35d309d5a9bc28346b5de", + "type": "eql", + "version": 307 + }, + "39c06367-b700-4380-848a-cab06e7afede": { + "rule_name": "Systemd Generator Created", + "sha256": "b336dcc55cb6d9c74fd8f467faab033cf4e5c408d97b06a750b73840b1ba098b", + "type": "eql", + "version": 3 + }, + "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "d871f50940eccfb6ba880998b63207b59ad3a087325d70f116c2cd1933b25a2b", + "sha256": "6000c31bea360c0d9b1d37463b62aaa348ae174cd150d753a365830bfab75447", "type": "eql", - "version": 311 - }, - "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { - "rule_name": "Suspicious Module Loaded by LSASS", - "sha256": "372861b3a0dbd56bd07c70db72fade23ea4a42e3e23bb7f2abdcb213da4ebc17", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Potential DNS Tunneling via NsLookup", + "sha256": "d12e9ea8b95150ad9d1665a105aed34e99914c20b08bab4f9397c47f325e4c10", "type": "eql", - "version": 9 - }, - "3a657da0-1df2-11ef-a327-f661ea17fbcc": { - "min_stack_version": "8.13", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Rapid7 Threat Command CVEs Correlation", - "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1", - "type": "threat_match", - "version": 3 - } - }, + "version": 211 + } + }, + "rule_name": "Potential DNS Tunneling via NsLookup", + "sha256": "d871f50940eccfb6ba880998b63207b59ad3a087325d70f116c2cd1933b25a2b", + "type": "eql", + "version": 311 + }, + "3a6001a0-0939-4bbe-86f4-47d8faeb7b97": { + "rule_name": "Suspicious Module Loaded by LSASS", + 
"sha256": "372861b3a0dbd56bd07c70db72fade23ea4a42e3e23bb7f2abdcb213da4ebc17", + "type": "eql", + "version": 9 + }, + "3a657da0-1df2-11ef-a327-f661ea17fbcc": { + "min_stack_version": "8.13", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "Rapid7 Threat Command CVEs Correlation", - "sha256": "84bf983155b5e76077e32a0adf47cc76be94453dbd39a996d7cb55b112a6eb99", + "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1", "type": "threat_match", - "version": 103 - }, - "3a86e085-094c-412d-97ff-2439731e59cb": { - "rule_name": "Setgid Bit Set via chmod", - "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941", - "type": "query", - "version": 100 - }, - "3ad49c61-7adc-42c1-b788-732eda2f5abf": { - "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "7201f6b6243d0d0dc0eac73fe827a1ffb624b049a65a51c6841c687ffe51721f", - "type": "query", - "version": 105 - }, - "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { - "rule_name": "Azure Full Network Packet Capture Detected", - "sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d", - "type": "query", - "version": 103 - }, - "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { - "rule_name": "First Occurrence of IP Address For GitHub User", - "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", - "type": "new_terms", - "version": 1 - }, - "3b382770-efbb-44f4-beed-f5e0a051b895": { - "rule_name": "Malware - Prevented - Elastic Endgame", - "sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442", - "type": "query", - "version": 103 - }, - "3b47900d-e793-49e8-968f-c90dc3526aa1": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 412, - "rule_name": 
"Unusual Parent Process for cmd.exe", - "sha256": "fc39f2acde3920cf811fffeba7c26a81cdba43f00f44e9649e96c6638439f59c", - "type": "eql", - "version": 313 - } - }, + "version": 3 + } + }, + "rule_name": "Rapid7 Threat Command CVEs Correlation", + "sha256": "84bf983155b5e76077e32a0adf47cc76be94453dbd39a996d7cb55b112a6eb99", + "type": "threat_match", + "version": 103 + }, + "3a86e085-094c-412d-97ff-2439731e59cb": { + "rule_name": "Setgid Bit Set via chmod", + "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941", + "type": "query", + "version": 100 + }, + "3ad49c61-7adc-42c1-b788-732eda2f5abf": { + "rule_name": "VNC (Virtual Network Computing) to the Internet", + "sha256": "7201f6b6243d0d0dc0eac73fe827a1ffb624b049a65a51c6841c687ffe51721f", + "type": "query", + "version": 105 + }, + "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { + "rule_name": "Azure Full Network Packet Capture Detected", + "sha256": "5ff3c05e76cc5d8d9d4be4f532e57b7f4b864c7b441e409db8c6424396b0030d", + "type": "query", + "version": 103 + }, + "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { + "rule_name": "First Occurrence of IP Address For GitHub User", + "sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54", + "type": "new_terms", + "version": 2 + }, + "3b382770-efbb-44f4-beed-f5e0a051b895": { + "rule_name": "Malware - Prevented - Elastic Endgame", + "sha256": "6f120439816dc0fbb5966bc6163654d86dd3d1325de8e31e9b58acc704fca442", + "type": "query", + "version": 103 + }, + "3b47900d-e793-49e8-968f-c90dc3526aa1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "Unusual Parent Process for cmd.exe", + "sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b", + "type": "eql", + "version": 111 + }, + "8.13": { + "max_allowable_version": 412, "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "6607d2b148d51566de12ce0fadb3f13c90bb62e32b04a73759da7217d76f611a", - "type": "eql", - "version": 
413 - }, - "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "NTDS or SAM Database File Copied", - "sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "NTDS or SAM Database File Copied", - "sha256": "7dbd101cfc60e0f4febc19c31533e12bb0a1abb9ecb7563306f9f11e42d65fdf", - "type": "eql", - "version": 214 - } - }, + "sha256": "fc39f2acde3920cf811fffeba7c26a81cdba43f00f44e9649e96c6638439f59c", + "type": "eql", + "version": 313 + } + }, + "rule_name": "Unusual Parent Process for cmd.exe", + "sha256": "6607d2b148d51566de12ce0fadb3f13c90bb62e32b04a73759da7217d76f611a", + "type": "eql", + "version": 413 + }, + "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "NTDS or SAM Database File Copied", - "sha256": "17375113ba13393a64db26a7683b9f618cb54439f17d0677f616fa7544bc9db0", + "sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686", "type": "eql", - "version": 314 - }, - "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { - "rule_name": "Unusual Linux Network Port Activity", - "sha256": "c9f2e221dc5c9b631010dd7a284367f67e996150f41da955b0bcb0608b3c0358", - "type": "machine_learning", - "version": 104 - }, - "3d00feab-e203-4acc-a463-c3e15b7e9a73": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "73219570f39fd74e63d334cf190ecad1456cf55d17635400acccced12f4145db", - "type": "eql", - "version": 102 - } - }, + 
"version": 114 + }, + "8.13": { + "max_allowable_version": 313, + "rule_name": "NTDS or SAM Database File Copied", + "sha256": "7dbd101cfc60e0f4febc19c31533e12bb0a1abb9ecb7563306f9f11e42d65fdf", + "type": "eql", + "version": 214 + } + }, + "rule_name": "NTDS or SAM Database File Copied", + "sha256": "efc4be7065fb21dda602cb05f908b052088f468c4d5895557352b0bb7b435b0b", + "type": "eql", + "version": 315 + }, + "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { + "rule_name": "Unusual Linux Network Port Activity", + "sha256": "c9f2e221dc5c9b631010dd7a284367f67e996150f41da955b0bcb0608b3c0358", + "type": "machine_learning", + "version": 104 + }, + "3d00feab-e203-4acc-a463-c3e15b7e9a73": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, + "rule_name": "ScreenConnect Server Spawning Suspicious Processes", + "sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86", + "type": "eql", + "version": 3 + }, + "8.13": { + "max_allowable_version": 201, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", - "sha256": "6e800b824cce6a1bf774140e7902e7b2ef98ba0f6bd73599ea605965c9ffc0fd", - "type": "eql", - "version": 202 - }, - "3d3aa8f9-12af-441f-9344-9f31053e316d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", - "type": "query", - "version": 5 - }, - "8.12": { - "max_allowable_version": 207, - "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972", - "type": "query", - "version": 108 - } - }, + "sha256": "73219570f39fd74e63d334cf190ecad1456cf55d17635400acccced12f4145db", + "type": "eql", + "version": 102 + } + }, + "rule_name": "ScreenConnect Server Spawning Suspicious Processes", + "sha256": 
"152d719bdeb4edfad363cab37bbcfc8cba76396e6167e9191f3cee7e4ea76042", + "type": "eql", + "version": 203 + }, + "3d3aa8f9-12af-441f-9344-9f31053e316d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "3eb8a1947715938780e819d71334fd11a170328f2310ffc13b69fc69fdf047fb", + "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", "type": "query", - "version": 208 - }, - "3e002465-876f-4f04-b016-84ef48ce7e5d": { - "rule_name": "AWS CloudTrail Log Updated", - "sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262", + "version": 5 + }, + "8.12": { + "max_allowable_version": 207, + "rule_name": "PowerShell Script with Log Clear Capabilities", + "sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972", "type": "query", - "version": 209 - }, - "3e0561b5-3fac-4461-84cc-19163b9aaa61": { - "rule_name": "Spike in Number of Connections Made from a Source IP", - "sha256": "12c6038b69842f3fafbe9f2dd9630e0d41734d2b8678ebefe442944fe4a7595f", - "type": "machine_learning", - "version": 4 - }, - "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "8a6f3d4d6d2ab609c03f95537b72d713e9810f920db111edecb52d9d38d8f6de", - "type": "eql", - "version": 7 - }, - "8.13": { - "max_allowable_version": 206, - "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "80ec99e7e9c7ceb86a2819a92409d1afbf4232a8603b961b1c2a06d3d5fec295", - "type": "eql", - "version": 107 - } - }, + "version": 108 + } + }, + "rule_name": "PowerShell Script with Log Clear Capabilities", + "sha256": "3eb8a1947715938780e819d71334fd11a170328f2310ffc13b69fc69fdf047fb", + "type": "query", + "version": 208 + }, + "3df49ff6-985d-11ef-88a1-f661ea17fbcd": { + "rule_name": "AWS 
SNS Email Subscription by Rare User", + "sha256": "3782f3b4a3f1178ef89a11153e95f81c46ce674abc47b6c266753a0216a05c5c", + "type": "new_terms", + "version": 1 + }, + "3e002465-876f-4f04-b016-84ef48ce7e5d": { + "rule_name": "AWS CloudTrail Log Updated", + "sha256": "3f2192854f2b83093646d34a7cf62799413c920c797225c07eb86ab7f8021262", + "type": "query", + "version": 209 + }, + "3e0561b5-3fac-4461-84cc-19163b9aaa61": { + "rule_name": "Spike in Number of Connections Made from a Source IP", + "sha256": "12c6038b69842f3fafbe9f2dd9630e0d41734d2b8678ebefe442944fe4a7595f", + "type": "machine_learning", + "version": 4 + }, + "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "Suspicious Execution via Windows Subsystem for Linux", - "sha256": "ed255a3528818035e55fb704799e92c28c150eb25062d2a1f17bcb57f7606766", + "sha256": "8a6f3d4d6d2ab609c03f95537b72d713e9810f920db111edecb52d9d38d8f6de", "type": "eql", - "version": 207 - }, - "3e12a439-d002-4944-bc42-171c0dcb9b96": { - "rule_name": "Kernel Driver Load", - "sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc", - "type": "eql", - "version": 4 - }, - "3e3d15c6-1509-479a-b125-21718372157e": { - "rule_name": "Suspicious Emond Child Process", - "sha256": "b6aae2c2f1319d6dfcfceea3d42f2c90a421b25587e321a4bcc543da9488b064", + "version": 7 + }, + "8.13": { + "max_allowable_version": 206, + "rule_name": "Suspicious Execution via Windows Subsystem for Linux", + "sha256": "80ec99e7e9c7ceb86a2819a92409d1afbf4232a8603b961b1c2a06d3d5fec295", "type": "eql", "version": 107 - }, - "3e441bdb-596c-44fd-8628-2cfdf4516ada": { - "rule_name": "Potential Remote File Execution via MSIEXEC", - "sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684", + } + }, + "rule_name": "Suspicious Execution via Windows Subsystem for Linux", + "sha256": "ed255a3528818035e55fb704799e92c28c150eb25062d2a1f17bcb57f7606766", + "type": 
"eql", + "version": 207 + }, + "3e12a439-d002-4944-bc42-171c0dcb9b96": { + "rule_name": "Kernel Driver Load", + "sha256": "0d805e30368d7d1a1c774e0e29386cb807ff617bc0d294c11a6ecf97e9cf3bdc", + "type": "eql", + "version": 4 + }, + "3e3d15c6-1509-479a-b125-21718372157e": { + "rule_name": "Suspicious Emond Child Process", + "sha256": "b6aae2c2f1319d6dfcfceea3d42f2c90a421b25587e321a4bcc543da9488b064", + "type": "eql", + "version": 107 + }, + "3e441bdb-596c-44fd-8628-2cfdf4516ada": { + "rule_name": "Potential Remote File Execution via MSIEXEC", + "sha256": "f427e7262f3caaa30fad3f63a14f32e77e72e8e8606381f64c7b2b3718fe7684", + "type": "eql", + "version": 3 + }, + "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Privilege Escalation via Named Pipe Impersonation", + "sha256": "07b7a1afa550e1df6cbbf323c40b3819f4f1cdbd327efeabd9ad0efac059d864", "type": "eql", - "version": 3 - }, - "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "07b7a1afa550e1df6cbbf323c40b3819f4f1cdbd327efeabd9ad0efac059d864", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "495df18eb2e7fce9cab92e0daa1a6fc851b024af00ffe18364998f6349b22c9c", - "type": "eql", - "version": 211 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "acfc0f36e793b4b4726ceea4832fbb4d8e2965976fb2954ee2fef5dcbd325ac8", + "sha256": "495df18eb2e7fce9cab92e0daa1a6fc851b024af00ffe18364998f6349b22c9c", "type": "eql", - "version": 311 - }, - "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 
307, - "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", - "type": "eql", - "version": 208 - } - }, + "version": 211 + } + }, + "rule_name": "Privilege Escalation via Named Pipe Impersonation", + "sha256": "b3772a465fb94393a11a17110e5399564938138ce5e9a99952cecc8c7740c048", + "type": "eql", + "version": 312 + }, + "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "be4f79a2a38ca61332f643c365ce4e3776f3ff9a73f6887ef1aa6d67d5153a22", + "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", "type": "eql", - "version": 308 - }, - "3efee4f0-182a-40a8-a835-102c68a4175d": { - "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f", - "type": "threshold", "version": 208 - }, - "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { - "rule_name": "CyberArk Privileged Access Security Error", - "sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a", - "type": "query", - "version": 102 - }, - "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { - "rule_name": "Potential Protocol Tunneling via Chisel Client", - "sha256": "4cf0ffba6ff6f1228756a6782ad1152b613568a74869d6299a2bedf9881f9420", - "type": "eql", - "version": 6 - }, - "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { - "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d", - "type": "eql", - "version": 110 - }, - "3f4d7734-2151-4481-b394-09d7c6c91f75": { - "rule_name": "Process Discovery via Built-In Applications", - "sha256": "a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07", - "type": "eql", - "version": 3 - }, - "3f4e2dba-828a-452a-af35-fe29c5e78969": { - "rule_name": 
"Unusual Time or Day for an RDP Session", - "sha256": "da80ff0e6020c1f4b703d597ce09ad294629d13d57cddce31f7eac0eb7d51f16", - "type": "machine_learning", - "version": 4 - }, - "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { - "rule_name": "DNF Package Manager Plugin File Creation", - "sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc", - "type": "eql", - "version": 3 - }, - "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Unusual Process Spawned by a User", - "sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134", - "type": "machine_learning", - "version": 7 - } - }, + } + }, + "rule_name": "Suspicious Process Creation CallTrace", + "sha256": "be4f79a2a38ca61332f643c365ce4e3776f3ff9a73f6887ef1aa6d67d5153a22", + "type": "eql", + "version": 308 + }, + "3efee4f0-182a-40a8-a835-102c68a4175d": { + "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts", + "sha256": "c09ce2275e72c5a75e225116c8c826d92590b06eb5436727ccb663673b9b077f", + "type": "threshold", + "version": 208 + }, + "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { + "rule_name": "CyberArk Privileged Access Security Error", + "sha256": "c386d6369ab49aa1ccb5c14a29f84d5f2856b09ca44e9d53418a1477ace1a37a", + "type": "query", + "version": 102 + }, + "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd": { + "rule_name": "Potential Protocol Tunneling via Chisel Client", + "sha256": "4cf0ffba6ff6f1228756a6782ad1152b613568a74869d6299a2bedf9881f9420", + "type": "eql", + "version": 6 + }, + "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { + "rule_name": "Binary Executed from Shared Memory Directory", + "sha256": "6fe016ba390e8dc87666f4ef0c548568711ad0404b3acab74fedccdc68e0880d", + "type": "eql", + "version": 110 + }, + "3f4d7734-2151-4481-b394-09d7c6c91f75": { + "rule_name": "Process Discovery via Built-In Applications", + "sha256": 
"a1d18add228db670e888de746acabb7856747a256b80bf999d0e0b8829193b07", + "type": "eql", + "version": 3 + }, + "3f4e2dba-828a-452a-af35-fe29c5e78969": { + "rule_name": "Unusual Time or Day for an RDP Session", + "sha256": "da80ff0e6020c1f4b703d597ce09ad294629d13d57cddce31f7eac0eb7d51f16", + "type": "machine_learning", + "version": 4 + }, + "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { + "rule_name": "DNF Package Manager Plugin File Creation", + "sha256": "9b7debfbc518927643432a23e5b412f09c4bb9379485e844cf368b99ac7ebfbc", + "type": "eql", + "version": 3 + }, + "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a User", - "sha256": "201e146529ae1e7eeb0af4b0bc377ec5381676db3b1d5027332f45a8027f195e", + "sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134", "type": "machine_learning", - "version": 107 - }, - "4030c951-448a-4017-a2da-ed60f6d14f4f": { - "rule_name": "GitHub User Blocked From Organization", - "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", - "type": "eql", - "version": 1 - }, - "403ef0d3-8259-40c9-a5b6-d48354712e49": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Unusual Persistence via Services Registry", - "sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Unusual Persistence via Services Registry", - "sha256": "189be13789b4fe9c8186eb9792601f98902e9e4f771519b7b2fa1a3730ac9783", - "type": "eql", - "version": 210 - } - }, + "version": 7 + } + }, + "rule_name": "Unusual Process Spawned by a User", + "sha256": "201e146529ae1e7eeb0af4b0bc377ec5381676db3b1d5027332f45a8027f195e", + "type": "machine_learning", + "version": 107 + }, + "4030c951-448a-4017-a2da-ed60f6d14f4f": { + "rule_name": "GitHub User Blocked 
From Organization", + "sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e", + "type": "eql", + "version": 2 + }, + "403ef0d3-8259-40c9-a5b6-d48354712e49": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Unusual Persistence via Services Registry", - "sha256": "d4f0b0b8e409cfc73e748281d83319870c4576cc95f3859d8935524d3bc92af0", + "sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a", "type": "eql", - "version": 310 - }, - "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { - "rule_name": "Suspicious Modprobe File Event", - "sha256": "d4f1d5fc1a70a2e0a60cefc3b2923c55452347f28b90e20a3625f397c32db48c", - "type": "new_terms", - "version": 108 - }, - "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { - "rule_name": "Unix Socket Connection", - "sha256": "36c91409f9ebf48e88b25078d6bd2b3b73f9800c2e99335803ecbcbaa0ec45f0", + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Unusual Persistence via Services Registry", + "sha256": "189be13789b4fe9c8186eb9792601f98902e9e4f771519b7b2fa1a3730ac9783", "type": "eql", - "version": 3 - }, - "416697ae-e468-4093-a93d-59661fa619ec": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "0ec964d19b677c5a3602725e1d6954220c23d9d952c16ff1b6da2eea29a44e72", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "ef575bc7d7acfcd5bbcb58ad8207b7e652bf99f488da62ebd21d3f1f263c804c", - "type": "eql", - "version": 212 - } - }, + "version": 210 + } + }, + "rule_name": "Unusual Persistence via Services Registry", + "sha256": "d4f0b0b8e409cfc73e748281d83319870c4576cc95f3859d8935524d3bc92af0", + "type": "eql", + "version": 310 + }, + "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { + "rule_name": "Suspicious Modprobe File Event", + 
"sha256": "d4f1d5fc1a70a2e0a60cefc3b2923c55452347f28b90e20a3625f397c32db48c", + "type": "new_terms", + "version": 108 + }, + "41284ba3-ed1a-4598-bfba-a97f75d9aba2": { + "rule_name": "Unix Socket Connection", + "sha256": "36c91409f9ebf48e88b25078d6bd2b3b73f9800c2e99335803ecbcbaa0ec45f0", + "type": "eql", + "version": 3 + }, + "416697ae-e468-4093-a93d-59661fa619ec": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "00558d1f8478ce1a7c47c0cfea9695a8dae18f75e5018e480d62d984186e26ad", - "type": "eql", - "version": 312 - }, - "41761cd3-380f-4d4d-89f3-46d6853ee35d": { - "rule_name": "First Occurrence of User-Agent For a GitHub User", - "sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", - "type": "new_terms", - "version": 1 - }, - "41824afb-d68c-4d0e-bfee-474dac1fa56e": { - "rule_name": "EggShell Backdoor Execution", - "sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb", - "type": "query", - "version": 103 - }, - "4182e486-fc61-11ee-a05d-f661ea17fbce": { - "min_stack_version": "8.13", - "rule_name": "AWS EC2 EBS Snapshot Shared with Another Account", - "sha256": "7f8925fab74497cb1c5a5be27e5fdd45c850feed6f57c4fd2e0f5997d9648c6f", - "type": "esql", - "version": 2 - }, - "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { - "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a", - "type": "query", - "version": 106 - }, - "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { - "rule_name": "Mount Launched Inside a Privileged Container", - "sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d", + "sha256": "0ec964d19b677c5a3602725e1d6954220c23d9d952c16ff1b6da2eea29a44e72", "type": "eql", - "version": 1 - }, - "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { - "rule_name": "Interactive Exec Command Launched Against A Running Container", 
- "sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063", + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Control Panel Process with Unusual Arguments", + "sha256": "ef575bc7d7acfcd5bbcb58ad8207b7e652bf99f488da62ebd21d3f1f263c804c", "type": "eql", - "version": 2 - }, - "42bf698b-4738-445b-8231-c834ddefd8a0": { - "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8", - "type": "threshold", - "version": 209 - }, - "42eeee3d-947f-46d3-a14d-7036b962c266": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 109, - "rule_name": "Process Creation via Secondary Logon", - "sha256": "525c2144bf947ec8f46831b5237798e93320e6a3b2913ac51d2c48ec4c21c257", - "type": "eql", - "version": 10 - } - }, + "version": 212 + } + }, + "rule_name": "Control Panel Process with Unusual Arguments", + "sha256": "00d4df4d402cbc68f54277c6595937da99601194d0c3c14f55b63bc2480f3d53", + "type": "eql", + "version": 313 + }, + "41761cd3-380f-4d4d-89f3-46d6853ee35d": { + "rule_name": "First Occurrence of User-Agent For a GitHub User", + "sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952", + "type": "new_terms", + "version": 2 + }, + "41824afb-d68c-4d0e-bfee-474dac1fa56e": { + "rule_name": "EggShell Backdoor Execution", + "sha256": "a000d7946f2d9c6608fef001a71aa8b626b93b668a56cb558aae7b94e49089cb", + "type": "query", + "version": 103 + }, + "4182e486-fc61-11ee-a05d-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "AWS EC2 EBS Snapshot Shared with Another Account", + "sha256": "7f8925fab74497cb1c5a5be27e5fdd45c850feed6f57c4fd2e0f5997d9648c6f", + "type": "esql", + "version": 2 + }, + "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { + "rule_name": "Potential Hidden Local User Account Creation", + "sha256": "41e2911f06e94357105e93c803ee44dbd7f4ec32bd8d4913fd5154123b4b677a", + "type": "query", + "version": 
106 + }, + "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { + "rule_name": "Mount Launched Inside a Privileged Container", + "sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d", + "type": "eql", + "version": 1 + }, + "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": { + "rule_name": "Interactive Exec Command Launched Against A Running Container", + "sha256": "3e2d9d02297e6659a2e22c12019c924caed14914e8e223416d9275a1c232f063", + "type": "eql", + "version": 2 + }, + "42bf698b-4738-445b-8231-c834ddefd8a0": { + "rule_name": "Okta Brute Force or Password Spraying Attack", + "sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669", + "type": "threshold", + "version": 210 + }, + "42eeee3d-947f-46d3-a14d-7036b962c266": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 109, "rule_name": "Process Creation via Secondary Logon", - "sha256": "6674dfbc494de648492942264a74378878bd65349a373567ab79725690c27aba", + "sha256": "525c2144bf947ec8f46831b5237798e93320e6a3b2913ac51d2c48ec4c21c257", "type": "eql", - "version": 110 - }, - "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { - "rule_name": "Unusual Login Activity", - "sha256": "fdcb136029096fba35b1435354f3b4a22f6dcab41a79c2096a9f6a69530cf553", - "type": "machine_learning", - "version": 104 - }, - "43303fd4-4839-4e48-b2b2-803ab060758d": { - "rule_name": "Web Application Suspicious Activity: No User Agent", - "sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919", - "type": "query", - "version": 101 - }, - "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": { - "rule_name": "Linux User Added to Privileged Group", - "sha256": "b36dd6fcfb99d97dac139862308b9eacab7435ef10661b56e29a24b22eebdf4e", + "version": 10 + } + }, + "rule_name": "Process Creation via Secondary Logon", + "sha256": "6674dfbc494de648492942264a74378878bd65349a373567ab79725690c27aba", + "type": "eql", + "version": 110 + }, + "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { + "rule_name": "Unusual Login 
Activity", + "sha256": "fdcb136029096fba35b1435354f3b4a22f6dcab41a79c2096a9f6a69530cf553", + "type": "machine_learning", + "version": 104 + }, + "43303fd4-4839-4e48-b2b2-803ab060758d": { + "rule_name": "Web Application Suspicious Activity: No User Agent", + "sha256": "dba7037fea9889f8f9bb14d8bc56ff2eb114acab0af17a595d777e53783c3919", + "type": "query", + "version": 101 + }, + "43d6ec12-2b1c-47b5-8f35-e9de65551d3b": { + "rule_name": "Linux User Added to Privileged Group", + "sha256": "b36dd6fcfb99d97dac139862308b9eacab7435ef10661b56e29a24b22eebdf4e", + "type": "eql", + "version": 8 + }, + "440e2db4-bc7f-4c96-a068-65b78da59bde": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Startup Persistence by a Suspicious Process", + "sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77", "type": "eql", - "version": 8 - }, - "440e2db4-bc7f-4c96-a068-65b78da59bde": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "55097fe7650ccd542aec1b7f2aa6cbd2363a7907f40ad5d19c69854a09f8a21e", - "type": "eql", - "version": 211 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "d22e1212d466beeea462d473302315e0145664ef7364a5d7055e1e499b1d1543", + "sha256": "55097fe7650ccd542aec1b7f2aa6cbd2363a7907f40ad5d19c69854a09f8a21e", "type": "eql", - "version": 311 - }, - "445a342e-03fb-42d0-8656-0367eb2dead5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Unusual Windows Path Activity", - "sha256": 
"55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94", - "type": "machine_learning", - "version": 107 - } - }, + "version": 211 + } + }, + "rule_name": "Startup Persistence by a Suspicious Process", + "sha256": "d22e1212d466beeea462d473302315e0145664ef7364a5d7055e1e499b1d1543", + "type": "eql", + "version": 311 + }, + "445a342e-03fb-42d0-8656-0367eb2dead5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Unusual Windows Path Activity", - "sha256": "041957d983301e74d0e06438e1ee8ac7badf8dd542f3a501ad94e29ad6bf27e4", + "sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94", "type": "machine_learning", - "version": 207 - }, - "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { - "rule_name": "Potential Masquerading as VLC DLL", - "sha256": "7b04571af013a3c9cdefd27690c4a402e9f3399a0a5f61ccf9eb8180fe968af5", - "type": "eql", - "version": 4 - }, - "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 110, - "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "c1d407b17617d847a235c98e3d883e34fbac8e998edb79f15b1691b8a196691a", - "type": "eql", - "version": 11 - } - }, + "version": 107 + } + }, + "rule_name": "Unusual Windows Path Activity", + "sha256": "041957d983301e74d0e06438e1ee8ac7badf8dd542f3a501ad94e29ad6bf27e4", + "type": "machine_learning", + "version": 207 + }, + "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { + "rule_name": "Potential Masquerading as VLC DLL", + "sha256": "7b04571af013a3c9cdefd27690c4a402e9f3399a0a5f61ccf9eb8180fe968af5", + "type": "eql", + "version": 4 + }, + "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 110, "rule_name": "Multiple Vault Web Credentials Read", - "sha256": "05a22c3ee9741e987667e6487211254de88c897b90832c45430c18a6b4582a38", - "type": "eql", - "version": 111 - }, - 
"453183fa-f903-11ee-8e88-f661ea17fbce": { - "rule_name": "Route53 Resolver Query Log Configuration Deleted", - "sha256": "fe85472e289bd363341d59f4b9a362e21110fd6fb58902f400f3575b09f612a0", - "type": "query", - "version": 2 - }, - "453f659e-0429-40b1-bfdb-b6957286e04b": { - "rule_name": "Permission Theft - Prevented - Elastic Endgame", - "sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a", - "type": "query", - "version": 103 - }, - "4577ef08-61d1-4458-909f-25a4b10c87fe": { - "rule_name": "AWS RDS DB Snapshot Shared with Another Account", - "sha256": "bc96c80774873e20fc93cc0aeb3cc34e08ce5f4b3109b4218de43a44228be7ed", + "sha256": "c1d407b17617d847a235c98e3d883e34fbac8e998edb79f15b1691b8a196691a", "type": "eql", - "version": 2 - }, - "45ac4800-840f-414c-b221-53dd36a5aaf7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Windows Event Logs Cleared", - "sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27", - "type": "query", - "version": 111 - } - }, + "version": 11 + } + }, + "rule_name": "Multiple Vault Web Credentials Read", + "sha256": "05a22c3ee9741e987667e6487211254de88c897b90832c45430c18a6b4582a38", + "type": "eql", + "version": 111 + }, + "453183fa-f903-11ee-8e88-f661ea17fbce": { + "rule_name": "Route53 Resolver Query Log Configuration Deleted", + "sha256": "fe85472e289bd363341d59f4b9a362e21110fd6fb58902f400f3575b09f612a0", + "type": "query", + "version": 2 + }, + "453f659e-0429-40b1-bfdb-b6957286e04b": { + "rule_name": "Permission Theft - Prevented - Elastic Endgame", + "sha256": "e125e05070fd9e4879366bc19b3262c739e7820cfa207a0de2ddd94c30c7459a", + "type": "query", + "version": 103 + }, + "4577ef08-61d1-4458-909f-25a4b10c87fe": { + "rule_name": "AWS RDS DB Snapshot Shared with Another Account", + "sha256": "bc96c80774873e20fc93cc0aeb3cc34e08ce5f4b3109b4218de43a44228be7ed", + "type": "eql", + "version": 2 + }, + "45ac4800-840f-414c-b221-53dd36a5aaf7": { + 
"min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Windows Event Logs Cleared", - "sha256": "868e3d06e6043e63111eb21f96849df3002b2a0f958afc5c12e623b3a3dcff8f", + "sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27", "type": "query", - "version": 211 - }, - "45d273fb-1dca-457d-9855-bcb302180c21": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060", - "type": "eql", - "version": 113 - } - }, + "version": 111 + } + }, + "rule_name": "Windows Event Logs Cleared", + "sha256": "868e3d06e6043e63111eb21f96849df3002b2a0f958afc5c12e623b3a3dcff8f", + "type": "query", + "version": 211 + }, + "45d273fb-1dca-457d-9855-bcb302180c21": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "a64ba5725981a049160d9ff4603691b3c940c971be489045e19dc67ddd868b93", + "sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060", "type": "eql", - "version": 213 - }, - "4630d948-40d4-4cef-ac69-4002e29bc3db": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "7a07d3a3c11d1364d2b213517c43cc9fab8aab4adc8c2f3595c4bedba3f5765f", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "7ad3e21c453191513dfe0e226519ce81d8d70e633876b9c5c611b097850e5c22", - "type": "eql", - "version": 213 - } - }, + "version": 113 + } + }, + "rule_name": "Encrypting Files with WinRar or 7z", + "sha256": "6389d9780340aa3eba76379358bc68062f775f8c23b81e15d7be509e7fcc87b2", + "type": "eql", + "version": 214 + }, + "4630d948-40d4-4cef-ac69-4002e29bc3db": { + 
"min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "4fc923865680bfe12fe3f808fecad559975665ceb54023a7eee7e6e7cfd5f5f0", - "type": "eql", - "version": 313 - }, - "4682fd2c-cfae-47ed-a543-9bed37657aa6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "70ebcc9b4db135969838d698ab1670f702ef00ddc29111226b7fa8d6b0a95f7e", - "type": "eql", - "version": 210 - } - }, - "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "c5de5f780155ebdca285c80344c79850785320426194e9e3c6d87ba59585e7b9", + "sha256": "7a07d3a3c11d1364d2b213517c43cc9fab8aab4adc8c2f3595c4bedba3f5765f", "type": "eql", - "version": 310 - }, - "46f804f5-b289-43d6-a881-9387cf594f75": { - "rule_name": "Unusual Process For a Linux Host", - "sha256": "816980152a0f36cc1d798d0b07b1c2c7814d4362233efb481d1f0525d8705fb1", - "type": "machine_learning", - "version": 105 - }, - "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { - "rule_name": "System V Init Script Created", - "sha256": "bffd4c3c138597c1e8697e47dd4862d762e32635fa8b8a20e3272318eea1d034", + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Adding Hidden File Attribute via Attrib", + "sha256": "7ad3e21c453191513dfe0e226519ce81d8d70e633876b9c5c611b097850e5c22", "type": "eql", - "version": 13 - }, - "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { - "rule_name": "Sensitive Files Compression Inside A Container", - "sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939", + "version": 213 + } + }, + "rule_name": "Adding Hidden File Attribute via Attrib", + "sha256": 
"911870b02ee518a2da8c3f8f090cd4b295555c15a1be6cd1ebc0aa8b569b12e6", + "type": "eql", + "version": 314 + }, + "4682fd2c-cfae-47ed-a543-9bed37657aa6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "Potential Local NTLM Relay via HTTP", + "sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e", "type": "eql", - "version": 2 - }, - "476267ff-e44f-476e-99c1-04c78cb3769d": { - "rule_name": "Cupsd or Foomatic-rip Shell Execution", - "sha256": "fb87274ccfb96c0641b3aea5ddf1537d06990126a1c3f7c0406938ea5aaf0f01", + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Potential Local NTLM Relay via HTTP", + "sha256": "70ebcc9b4db135969838d698ab1670f702ef00ddc29111226b7fa8d6b0a95f7e", "type": "eql", - "version": 2 - }, - "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40", - "type": "eql", - "version": 111 - } - }, + "version": 210 + } + }, + "rule_name": "Potential Local NTLM Relay via HTTP", + "sha256": "ef467b076c584bc58e0fb6a3391048706f314e25ebb970eb1c7861eaaac4eacc", + "type": "eql", + "version": 311 + }, + "46f804f5-b289-43d6-a881-9387cf594f75": { + "rule_name": "Unusual Process For a Linux Host", + "sha256": "816980152a0f36cc1d798d0b07b1c2c7814d4362233efb481d1f0525d8705fb1", + "type": "machine_learning", + "version": 105 + }, + "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { + "rule_name": "System V Init Script Created", + "sha256": "bffd4c3c138597c1e8697e47dd4862d762e32635fa8b8a20e3272318eea1d034", + "type": "eql", + "version": 13 + }, + "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { + "rule_name": "Sensitive Files Compression Inside A Container", + "sha256": "4e4eac63997eab8b7b05da7301b3f3d904afbc53f9ac2c2789df7ff023df7939", + "type": "eql", 
+ "version": 2 + }, + "476267ff-e44f-476e-99c1-04c78cb3769d": { + "rule_name": "Cupsd or Foomatic-rip Shell Execution", + "sha256": "fb87274ccfb96c0641b3aea5ddf1537d06990126a1c3f7c0406938ea5aaf0f01", + "type": "eql", + "version": 2 + }, + "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "24516e60132d4debae6058458462d958f659d37c82f6f68ae24cb1af134fa428", - "type": "eql", - "version": 211 - }, - "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { - "rule_name": "Execution via Regsvcs/Regasm", - "sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578", - "type": "query", - "version": 100 - }, - "47f76567-d58a-4fed-b32b-21f571e28910": { - "rule_name": "Apple Script Execution followed by Network Connection", - "sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a", + "sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40", "type": "eql", - "version": 106 - }, - "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "e00daf78742e5d25f05f11ec86efbda6a185e2b45e5738e6abd73e6795530c1f", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "03e1e388a616fd76a913bb276b36b25a9a92ad0d3421a55ca134c175af61f971", - "type": "eql", - "version": 210 - } - }, + "version": 111 + } + }, + "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", + "sha256": "24516e60132d4debae6058458462d958f659d37c82f6f68ae24cb1af134fa428", + "type": "eql", + "version": 211 + }, + "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { + "rule_name": "Execution via Regsvcs/Regasm", + "sha256": 
"fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578", + "type": "query", + "version": 100 + }, + "47f76567-d58a-4fed-b32b-21f571e28910": { + "rule_name": "Apple Script Execution followed by Network Connection", + "sha256": "1e70613b9ab01d3e1eabe9dc9ec52bb46b06c551a2bd5f19bc437c35219afd3a", + "type": "eql", + "version": 106 + }, + "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "d51c620a6d64d3c47cc396302fad358524221274849618da6d0a6611bf439910", - "type": "eql", - "version": 310 - }, - "48819484-9826-4083-9eba-1da74cd0eaf2": { - "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", - "sha256": "33e3379959ca6f93326f5069bb4e5104c77c30f399d41fdb0108d3f4de3d7444", - "type": "new_terms", - "version": 107 - }, - "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { - "rule_name": "Potential Reverse Shell", - "sha256": "5cb666b8db28f6ef91c652488905003a54f688578c1a34017e77b80bc87c153a", - "type": "eql", - "version": 9 - }, - "48b6edfc-079d-4907-b43c-baffa243270d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 109, - "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "36369b787180e53e8d9a0921e177975ce33ac03e4c3e101837cc43faa0aba56f", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Multiple Logon Failure from the same Source Address", - "sha256": "50742a90a9cfc7318d787fe297c644ba6ff7658ae59bda3650452a451ed3969c", + "sha256": "e00daf78742e5d25f05f11ec86efbda6a185e2b45e5738e6abd73e6795530c1f", "type": "eql", "version": 110 - }, - "48d7f54d-c29e-4430-93a9-9db6b5892270": { - "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312", - "type": "eql", - "version": 107 - }, - "48ec9452-e1fd-4513-a376-10a1a26d2c83": { - "rule_name": 
"Potential Persistence via Periodic Tasks", - "sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6", - "type": "query", - "version": 106 - }, - "48f657ee-de4f-477c-aa99-ed88ee7af97a": { - "rule_name": "Remote XSL Script Execution via COM", - "sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc", - "type": "eql", - "version": 3 - }, - "493834ca-f861-414c-8602-150d5505b777": { - "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "c43d7caff55a0e669d84e34d8cb65261d090952151144bb98ddc066fb35fb251", - "type": "threshold", - "version": 102 - }, - "494ebba4-ecb7-4be4-8c6f-654c686549ad": { - "rule_name": "Potential Linux Backdoor User Account Creation", - "sha256": "5a9dab10c85e4612a211b8a0462ad02f3b63ea8ebe7964113b4fe4c6cf0ade62", + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", + "sha256": "03e1e388a616fd76a913bb276b36b25a9a92ad0d3421a55ca134c175af61f971", "type": "eql", - "version": 8 - }, - "495e5f2e-2480-11ed-bea8-f661ea17fbce": { - "rule_name": "Application Removed from Blocklist in Google Workspace", - "sha256": "fa0763bb909c5faa492f63ddf49e52ad217b2ba6495e1ea1f66636550d76c562", - "type": "query", - "version": 107 - }, - "4973e46b-a663-41b8-a875-ced16dda2bb0": { - "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", - "sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7", + "version": 210 + } + }, + "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", + "sha256": "927864e2de84459226772454150dfa72d9134da990b83c7f61d2f4621e2bd541", + "type": "eql", + "version": 311 + }, + "48819484-9826-4083-9eba-1da74cd0eaf2": { + "rule_name": "Suspicious Microsoft 365 Mail Access by ClientAppId", + "sha256": "33e3379959ca6f93326f5069bb4e5104c77c30f399d41fdb0108d3f4de3d7444", + "type": "new_terms", + "version": 107 + }, + 
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { + "rule_name": "Potential Reverse Shell", + "sha256": "5cb666b8db28f6ef91c652488905003a54f688578c1a34017e77b80bc87c153a", + "type": "eql", + "version": 9 + }, + "48b6edfc-079d-4907-b43c-baffa243270d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 109, + "rule_name": "Multiple Logon Failure from the same Source Address", + "sha256": "36369b787180e53e8d9a0921e177975ce33ac03e4c3e101837cc43faa0aba56f", "type": "eql", - "version": 3 - }, - "4982ac3e-d0ee-4818-b95d-d9522d689259": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1", - "type": "eql", - "version": 6 - } - }, + "version": 10 + } + }, + "rule_name": "Multiple Logon Failure from the same Source Address", + "sha256": "50742a90a9cfc7318d787fe297c644ba6ff7658ae59bda3650452a451ed3969c", + "type": "eql", + "version": 110 + }, + "48d7f54d-c29e-4430-93a9-9db6b5892270": { + "rule_name": "Unexpected Child Process of macOS Screensaver Engine", + "sha256": "14e09fb223671c9a69d290403ce41fb14decb3fa7b322e5cdfee720edf523312", + "type": "eql", + "version": 107 + }, + "48ec9452-e1fd-4513-a376-10a1a26d2c83": { + "rule_name": "Potential Persistence via Periodic Tasks", + "sha256": "195c6ae2218bd1ce6a72411bb052c6c8be490604c24657b057699c3f7302aac6", + "type": "query", + "version": 106 + }, + "48f657ee-de4f-477c-aa99-ed88ee7af97a": { + "rule_name": "Remote XSL Script Execution via COM", + "sha256": "8dcdd68d3f519784397cb030a40cfccbf754fcc330df54ab782ff54a1bed69fc", + "type": "eql", + "version": 3 + }, + "493834ca-f861-414c-8602-150d5505b777": { + "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", + "sha256": "c43d7caff55a0e669d84e34d8cb65261d090952151144bb98ddc066fb35fb251", + "type": "threshold", + "version": 102 + }, + "494ebba4-ecb7-4be4-8c6f-654c686549ad": 
{ + "rule_name": "Potential Linux Backdoor User Account Creation", + "sha256": "5a9dab10c85e4612a211b8a0462ad02f3b63ea8ebe7964113b4fe4c6cf0ade62", + "type": "eql", + "version": 8 + }, + "495e5f2e-2480-11ed-bea8-f661ea17fbce": { + "rule_name": "Application Removed from Blocklist in Google Workspace", + "sha256": "fa0763bb909c5faa492f63ddf49e52ad217b2ba6495e1ea1f66636550d76c562", + "type": "query", + "version": 107 + }, + "4973e46b-a663-41b8-a875-ced16dda2bb0": { + "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", + "sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7", + "type": "eql", + "version": 3 + }, + "4982ac3e-d0ee-4818-b95d-d9522d689259": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "24424c58a67a62f2464e7ce3c038697aeb561551b61ba5a2c8bf1cf001674ec1", - "type": "eql", - "version": 106 - }, - "4a4e23cf-78a2-449c-bac3-701924c269d3": { - "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "340f1c9b6d0d92fa721456ed567e265ee5b0b193bb96bea2145541912b19c536", - "type": "query", - "version": 106 - }, - "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { - "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", - "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea", - "type": "eql", - "version": 5 - }, - "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { - "rule_name": "Potential Cross Site Scripting (XSS)", - "sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6", - "type": "eql", - "version": 2 - }, - "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { - "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", - "sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982", + "sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1", "type": "eql", "version": 6 - }, - 
"4b438734-3793-4fda-bd42-ceeada0be8f9": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "d18f0d4efc2ad5ade11890ab3e5f0a54d4521162528adffcd92bd7c037fb44de", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "e5e62d3b1a1f58eb079ca908f55105df68b2471d48e53122d47ec5b74afbb1cc", - "type": "eql", - "version": 211 - } - }, + } + }, + "rule_name": "Process Discovery Using Built-in Tools", + "sha256": "24424c58a67a62f2464e7ce3c038697aeb561551b61ba5a2c8bf1cf001674ec1", + "type": "eql", + "version": 106 + }, + "4a4e23cf-78a2-449c-bac3-701924c269d3": { + "rule_name": "Possible FIN7 DGA Command and Control Behavior", + "sha256": "340f1c9b6d0d92fa721456ed567e265ee5b0b193bb96bea2145541912b19c536", + "type": "query", + "version": 106 + }, + "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { + "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", + "sha256": "ead602528c1e965f9015450bec41285bbba8c0d37139735cfbf3eb7e954067ea", + "type": "eql", + "version": 5 + }, + "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { + "rule_name": "Potential Cross Site Scripting (XSS)", + "sha256": "1c0ccb0599efda90d600b1dc8a43d4032bf5ff3cc8f9b8fda6eb750efe93f5e6", + "type": "eql", + "version": 2 + }, + "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { + "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", + "sha256": "a8340e173929cc26fccdb80d23355387d04d41b26c099412fc6542025089e982", + "type": "eql", + "version": 6 + }, + "4b438734-3793-4fda-bd42-ceeada0be8f9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "23b40efefa6ce335003dcfba52518168596121bcc4f4c10d67f37070575d6703", + "sha256": 
"d18f0d4efc2ad5ade11890ab3e5f0a54d4521162528adffcd92bd7c037fb44de", "type": "eql", - "version": 311 - }, - "4b4e9c99-27ea-4621-95c8-82341bc6e512": { - "rule_name": "Container Workload Protection", - "sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24", - "type": "query", - "version": 4 - }, - "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { - "rule_name": "ProxyChains Activity", - "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Disable Windows Firewall Rules via Netsh", + "sha256": "e5e62d3b1a1f58eb079ca908f55105df68b2471d48e53122d47ec5b74afbb1cc", "type": "eql", - "version": 4 - }, - "4b95ecea-7225-4690-9938-2a2c0bad9c99": { - "rule_name": "Unusual Process Writing Data to an External Device", - "sha256": "d5d28b9af1ed399604eb5bc1744453ce1f5dbc4839e7650ccf12c30616fe3d07", - "type": "machine_learning", - "version": 4 - }, - "4bd1c1af-79d4-4d37-9efa-6e0240640242": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "dd78ff329788e32ccfcd11f3331174f609f2a0b868ccfbf47b8d997dbfd30096", - "type": "eql", - "version": 209 - } - }, + "version": 211 + } + }, + "rule_name": "Disable Windows Firewall Rules via Netsh", + "sha256": "b538b62cec3fc16a06ef51cdb6f2a711aa479c82326a61862a3ac9a90238e17a", + "type": "eql", + "version": 312 + }, + "4b4e9c99-27ea-4621-95c8-82341bc6e512": { + "rule_name": "Container Workload Protection", + "sha256": "232d94bfc84f58f133c5ffa086853fc01f635acea7ff1d6298f9d781a383ed24", + "type": "query", + "version": 4 + }, + "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37": { + 
"rule_name": "ProxyChains Activity", + "sha256": "2997e880be8be8e48bd8066e4736d34483677decfa5262604e7c884d9ff407d3", + "type": "eql", + "version": 4 + }, + "4b95ecea-7225-4690-9938-2a2c0bad9c99": { + "rule_name": "Unusual Process Writing Data to an External Device", + "sha256": "d5d28b9af1ed399604eb5bc1744453ce1f5dbc4839e7650ccf12c30616fe3d07", + "type": "machine_learning", + "version": 4 + }, + "4bd1c1af-79d4-4d37-9efa-6e0240640242": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, + "rule_name": "Unusual Process Execution Path - Alternate Data Stream", + "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", + "type": "eql", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "5b893055ced16813eb2b1e2191c3ee5f85b9bfcfcbd169e3e33d99062a2551b3", - "type": "eql", - "version": 309 - }, - "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 110, - "rule_name": "PowerShell Share Enumeration Script", - "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", - "type": "query", - "version": 11 - } - }, + "sha256": "dd78ff329788e32ccfcd11f3331174f609f2a0b868ccfbf47b8d997dbfd30096", + "type": "eql", + "version": 209 + } + }, + "rule_name": "Unusual Process Execution Path - Alternate Data Stream", + "sha256": "fdac8198180b87285d0dce793712e89ac9bdb36ea90ce122de8f4b1095c4dd6f", + "type": "eql", + "version": 310 + }, + "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 110, "rule_name": "PowerShell Share Enumeration Script", - "sha256": "fdb260cd12a650f01e9663894e62c091eec9d70cfa7d579f4708358a4415dc9c", + "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", "type": "query", - "version": 111 - }, - 
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { - "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "12adf24b45b80651b336e5b4671fab85fbc28d4537ec3a96a58e9e0dba18da77", + "version": 11 + } + }, + "rule_name": "PowerShell Share Enumeration Script", + "sha256": "fdb260cd12a650f01e9663894e62c091eec9d70cfa7d579f4708358a4415dc9c", + "type": "query", + "version": 111 + }, + "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { + "rule_name": "Kernel Load or Unload via Kexec Detected", + "sha256": "12adf24b45b80651b336e5b4671fab85fbc28d4537ec3a96a58e9e0dba18da77", + "type": "eql", + "version": 7 + }, + "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { + "rule_name": "AWS Management Console Brute Force of Root User Identity", + "sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1", + "type": "threshold", + "version": 207 + }, + "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { + "rule_name": "Attempt to Disable Gatekeeper", + "sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba", + "type": "query", + "version": 106 + }, + "4de76544-f0e5-486a-8f84-eae0b6063cdc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", + "sha256": "fb9bb254f0e60ed51d8d4e297aad53df545a43f086e4549a1c1f54743463a299", "type": "eql", - "version": 7 - }, - "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { - "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "64dc42dae58d6c7edafe597e4c2cf33845002b02ae71649f5f19a5efe11089c1", - "type": "threshold", - "version": 207 - }, - "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { - "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "af8d10ad0bf3fd9de00ec04cf9ec8786a9deae55c4c5086fd8101b18e5ab22ba", - "type": "query", - "version": 106 - }, - "4de76544-f0e5-486a-8f84-eae0b6063cdc": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": 
"Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "fb9bb254f0e60ed51d8d4e297aad53df545a43f086e4549a1c1f54743463a299", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "9ba7f7cc43f484c307334745f27743ee4979e2df65bd1bec89add2c10051d0d3", - "type": "eql", - "version": 213 - } - }, + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "deb6ee73230cfd105f0038ae9f260b603d002c75bf5cc3ae51a238172638239f", + "sha256": "9ba7f7cc43f484c307334745f27743ee4979e2df65bd1bec89add2c10051d0d3", "type": "eql", - "version": 313 - }, - "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 110, - "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "bf31596123965d48e9aa656e0e935a6038395a1f7aa60a94aca3e18d72b79dc8", - "type": "eql", - "version": 11 - } - }, + "version": 213 + } + }, + "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", + "sha256": "982de592a7f2da640ff2a6006445d12e52090a1180b225e2f943c386641236c7", + "type": "eql", + "version": 314 + }, + "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 110, "rule_name": "Multiple Logon Failure Followed by Logon Success", - "sha256": "7b0176c520ea313b2012e6843edc760f64652558471e6f971e2b6d86d90116df", + "sha256": "bf31596123965d48e9aa656e0e935a6038395a1f7aa60a94aca3e18d72b79dc8", "type": "eql", - "version": 111 - }, - "4ec47004-b34a-42e6-8003-376a123ea447": { - "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", - "sha256": "dc02518c5ff827d505855e686392c55611d0d5d05b81c9febbb3f9ef60cbbd38", + "version": 11 + } + }, + "rule_name": "Multiple Logon Failure Followed by Logon Success", + 
"sha256": "7b0176c520ea313b2012e6843edc760f64652558471e6f971e2b6d86d90116df", + "type": "eql", + "version": 111 + }, + "4ec47004-b34a-42e6-8003-376a123ea447": { + "rule_name": "Process Spawned from Message-of-the-Day (MOTD)", + "sha256": "dc02518c5ff827d505855e686392c55611d0d5d05b81c9febbb3f9ef60cbbd38", + "type": "eql", + "version": 10 + }, + "4ed493fc-d637-4a36-80ff-ac84937e5461": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, + "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", + "sha256": "759a649928bcc0a0a2cfa9af0084ced15bad00665e20e163f96e50d748c6cf97", "type": "eql", - "version": 10 - }, - "4ed493fc-d637-4a36-80ff-ac84937e5461": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "759a649928bcc0a0a2cfa9af0084ced15bad00665e20e163f96e50d748c6cf97", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "63a4cc656038a44374eeed199a47a67bcf261940a890689a6fe62a4fb2a51010", - "type": "eql", - "version": 212 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "b47c8b75835579d164fabd893226ac44da04bc9a0fb0a5d8a097e9ac9d94917a", + "sha256": "63a4cc656038a44374eeed199a47a67bcf261940a890689a6fe62a4fb2a51010", "type": "eql", - "version": 312 - }, - "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Suspicious Script Object Execution", - "sha256": "ff51979abf90a96b0ab21324887f4c1b54fce14ba48a37fa78f1350865e6b77f", - "type": "eql", - "version": 109 - } - }, + "version": 212 + } + }, + "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", + "sha256": 
"8a21c3a283a81db1aaea226e6ea8bcd2fae151cba2095929d13d00d0ae28b537", + "type": "eql", + "version": 313 + }, + "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Suspicious Script Object Execution", - "sha256": "87be064ac19c5ea66f69f2e2387eea0c3cd7bf236626285df2b76b760f408845", + "sha256": "ff51979abf90a96b0ab21324887f4c1b54fce14ba48a37fa78f1350865e6b77f", "type": "eql", - "version": 209 - }, - "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { - "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", - "type": "query", - "version": 207 - }, - "4f855297-c8e0-4097-9d97-d653f7e471c4": { - "min_stack_version": "8.13", - "rule_name": "Unusual High Confidence Misconduct Blocks Detected", - "sha256": "3398bec154ac1a626c777596eca4d931feeb50eeaa61584cd602258d98b79e25", - "type": "esql", - "version": 3 - }, - "4fe9d835-40e1-452d-8230-17c147cafad8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Execution via TSClient Mountpoint", - "sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Execution via TSClient Mountpoint", - "sha256": "8fcabaf421ead8967729841048f4304562f4719e3d0b887656122fe831a43b9d", - "type": "eql", - "version": 212 - } - }, + "version": 109 + } + }, + "rule_name": "Suspicious Script Object Execution", + "sha256": "87be064ac19c5ea66f69f2e2387eea0c3cd7bf236626285df2b76b760f408845", + "type": "eql", + "version": 209 + }, + "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { + "rule_name": "Unauthorized Access to an Okta Application", + "sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd", + "type": "query", + "version": 208 + }, + "4f855297-c8e0-4097-9d97-d653f7e471c4": { + "min_stack_version": 
"8.13", + "rule_name": "Unusual High Confidence Misconduct Blocks Detected", + "sha256": "273e5740f1d9e333cd6a22cd396b698234240feab6dba79c175c790fdf183ccc", + "type": "esql", + "version": 4 + }, + "4fe9d835-40e1-452d-8230-17c147cafad8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Execution via TSClient Mountpoint", - "sha256": "c18c0a517e014572b811a79c2427ada539292d70e5d70db5e1b5dab10c4e52f2", + "sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2", "type": "eql", - "version": 312 - }, - "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { - "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", - "type": "threshold", - "version": 3 - }, - "51176ed2-2d90-49f2-9f3d-17196428b169": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Windows System Information Discovery", - "sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155", - "type": "eql", - "version": 8 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Execution via TSClient Mountpoint", + "sha256": "8fcabaf421ead8967729841048f4304562f4719e3d0b887656122fe831a43b9d", + "type": "eql", + "version": 212 + } + }, + "rule_name": "Execution via TSClient Mountpoint", + "sha256": "72eaaba3e4541c4b67787d99cacc0cc2a13b0947f01563d4fb97ee7c1b5230df", + "type": "eql", + "version": 313 + }, + "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { + "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", + "sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408", + "type": "threshold", + "version": 4 + }, + "50a2bdea-9876-11ef-89db-f661ea17fbcd": { + "rule_name": "AWS SSM Command Document Created by Rare User", + "sha256": 
"92832a1d67cc61df5e937f62a495aead9cfcc980486b8d2b754f3416427265aa", + "type": "new_terms", + "version": 1 + }, + "51176ed2-2d90-49f2-9f3d-17196428b169": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, "rule_name": "Windows System Information Discovery", - "sha256": "547b5b46dd9bf2cdc0c7e62cb41182704197c47de44f9c2f95a3cd12548ddce0", + "sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155", "type": "eql", - "version": 108 - }, - "5124e65f-df97-4471-8dcb-8e3953b3ea97": { - "rule_name": "Hidden Files and Directories via Hidden Flag", - "sha256": "12f8eb3b4618ce0341401b73c190673b46bb61613acb4341b028e3e4bec093c9", + "version": 8 + } + }, + "rule_name": "Windows System Information Discovery", + "sha256": "547b5b46dd9bf2cdc0c7e62cb41182704197c47de44f9c2f95a3cd12548ddce0", + "type": "eql", + "version": 108 + }, + "5124e65f-df97-4471-8dcb-8e3953b3ea97": { + "rule_name": "Hidden Files and Directories via Hidden Flag", + "sha256": "12f8eb3b4618ce0341401b73c190673b46bb61613acb4341b028e3e4bec093c9", + "type": "eql", + "version": 3 + }, + "513f0ffd-b317-4b9c-9494-92ce861f22c7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, + "rule_name": "Registry Persistence via AppCert DLL", + "sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d", "type": "eql", - "version": 3 - }, - "513f0ffd-b317-4b9c-9494-92ce861f22c7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 411, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "12362423f221d5f78a62ede69455b6acc8926caeb7057ac6af76e9e8663839a1", - "type": "eql", - "version": 312 - } - }, + "version": 109 + }, + "8.13": { + 
"max_allowable_version": 411, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "6888e4d8dc2ffc69e0f3b29e7601596b7ed396f3071eb3bf4b22614aec126f6d", + "sha256": "12362423f221d5f78a62ede69455b6acc8926caeb7057ac6af76e9e8663839a1", "type": "eql", - "version": 412 - }, - "514121ce-c7b6-474a-8237-68ff71672379": { - "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", - "type": "query", - "version": 206 - }, - "51859fa0-d86b-4214-bf48-ebb30ed91305": { - "rule_name": "GCP Logging Sink Deletion", - "sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827", - "type": "query", - "version": 104 - }, - "5188c68e-d3de-4e96-994d-9e242269446f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Service DACL Modification via sc.exe", - "sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Service DACL Modification via sc.exe", - "sha256": "bb0ebdc1eaa518a43a85a25951a8d3bb5afc5efe28ed295961a00afbb0f048f4", - "type": "eql", - "version": 103 - } - }, + "version": 312 + } + }, + "rule_name": "Registry Persistence via AppCert DLL", + "sha256": "6888e4d8dc2ffc69e0f3b29e7601596b7ed396f3071eb3bf4b22614aec126f6d", + "type": "eql", + "version": 412 + }, + "514121ce-c7b6-474a-8237-68ff71672379": { + "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "sha256": "51cc46687ba4f2ec1ce8b6d3af9bcf1d8e6449e6300a2dfde2ec5442af150b87", + "type": "query", + "version": 206 + }, + "51859fa0-d86b-4214-bf48-ebb30ed91305": { + "rule_name": "GCP Logging Sink Deletion", + "sha256": "c9a8ece69b7f242aba612e1ba56c3839f13edb69babaff4ec9dd0f717dbcf827", + "type": "query", + "version": 104 + }, + "5188c68e-d3de-4e96-994d-9e242269446f": { + "min_stack_version": "8.14", + "previous": 
{ + "8.11": { + "max_allowable_version": 102, "rule_name": "Service DACL Modification via sc.exe", - "sha256": "007f856602a9b0e2fae2e08a3496a5af9b7b1ac9bf61d468d077a4e851258e80", - "type": "eql", - "version": 203 - }, - "51a09737-80f7-4551-a3be-dac8ef5d181a": { - "rule_name": "Tainted Out-Of-Tree Kernel Module Load", - "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa", - "type": "query", - "version": 2 - }, - "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", - "type": "eql", - "version": 108 - } - }, - "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "84c893dffd43871523001e934f53b55aa3560ab0e48927a519cc9890b21e6206", - "type": "eql", - "version": 208 - }, - "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { - "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", - "sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325", + "sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d", "type": "eql", - "version": 7 - }, - "523116c0-d89d-4d7c-82c2-39e6845a78ef": { - "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce", - "type": "query", - "version": 206 - }, - "52376a86-ee86-4967-97ae-1a05f55816f0": { - "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "fd77da125fda39b0791110d21e18fe7c21233971339f47f4d46a1f228f048839", + "version": 3 + }, + "8.13": { + "max_allowable_version": 202, + "rule_name": "Service DACL Modification via sc.exe", + "sha256": "bb0ebdc1eaa518a43a85a25951a8d3bb5afc5efe28ed295961a00afbb0f048f4", "type": "eql", - "version": 113 - }, - "5297b7f1-bccd-4611-93fa-ea342a01ff84": { - "rule_name": "Execution via Microsoft DotNet ClickOnce Host", 
- "sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7", + "version": 103 + } + }, + "rule_name": "Service DACL Modification via sc.exe", + "sha256": "4966b4c68a294538d5fe7fdd895bf295a7b8220649477a2de843e07ffbbd038b", + "type": "eql", + "version": 204 + }, + "51a09737-80f7-4551-a3be-dac8ef5d181a": { + "rule_name": "Tainted Out-Of-Tree Kernel Module Load", + "sha256": "ade59253fc0de2627984007ba84a2d944a16000aa69c83193c63f1dda8b806fa", + "type": "query", + "version": 2 + }, + "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, + "rule_name": "Incoming DCOM Lateral Movement with MMC", + "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", "type": "eql", - "version": 1 - }, - "52aaab7b-b51c-441a-89ce-4387b3aea886": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", - "type": "eql", - "version": 109 - } - }, + "version": 108 + } + }, + "rule_name": "Incoming DCOM Lateral Movement with MMC", + "sha256": "84c893dffd43871523001e934f53b55aa3560ab0e48927a519cc9890b21e6206", + "type": "eql", + "version": 208 + }, + "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { + "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", + "sha256": "3a3059d247c0e3ef2e352ab75eb703f91476c8c3f57f2b33c79c545cc0e34325", + "type": "eql", + "version": 7 + }, + "523116c0-d89d-4d7c-82c2-39e6845a78ef": { + "rule_name": "AWS GuardDuty Detector Deletion", + "sha256": "f4d0bc7c75781581ae0325bb506f235d080a25501776cac6a7268376499066ce", + "type": "query", + "version": 206 + }, + "52376a86-ee86-4967-97ae-1a05f55816f0": { + "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", + "sha256": "fd77da125fda39b0791110d21e18fe7c21233971339f47f4d46a1f228f048839", + "type": "eql", + 
"version": 113 + }, + "5297b7f1-bccd-4611-93fa-ea342a01ff84": { + "rule_name": "Execution via Microsoft DotNet ClickOnce Host", + "sha256": "71ef45621a5ba89795ad23007d4a9f50038ad681e75b73c50d4f275e0cd848b7", + "type": "eql", + "version": 1 + }, + "52aaab7b-b51c-441a-89ce-4387b3aea886": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "6a3129bcebcc413938e081a72c565ac7e9a135830fc1c5c11e4c24f98d29c734", + "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", "type": "eql", - "version": 209 - }, - "52afbdc5-db15-485e-bc24-f5707f820c4b": { - "rule_name": "Unusual Linux Network Activity", - "sha256": "55992af5ec9860d11678c489909dda9a45c32e993b83107a655b61fffe7b5fd1", - "type": "machine_learning", - "version": 104 - }, - "52afbdc5-db15-485e-bc35-f5707f820c4c": { - "rule_name": "Unusual Linux Web Activity", - "sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad", - "type": "machine_learning", - "version": 100 - }, - "52afbdc5-db15-596e-bc35-f5707f820c4b": { - "rule_name": "Unusual Linux Network Service", - "sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c", - "type": "machine_learning", - "version": 100 - }, - "530178da-92ea-43ce-94c2-8877a826783d": { - "rule_name": "Suspicious CronTab Creation or Modification", - "sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab", + "version": 109 + } + }, + "rule_name": "Unusual Network Connection via RunDLL32", + "sha256": "6a3129bcebcc413938e081a72c565ac7e9a135830fc1c5c11e4c24f98d29c734", + "type": "eql", + "version": 209 + }, + "52afbdc5-db15-485e-bc24-f5707f820c4b": { + "rule_name": "Unusual Linux Network Activity", + "sha256": "55992af5ec9860d11678c489909dda9a45c32e993b83107a655b61fffe7b5fd1", + "type": "machine_learning", + "version": 104 + }, + "52afbdc5-db15-485e-bc35-f5707f820c4c": { + "rule_name": "Unusual Linux Web 
Activity", + "sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad", + "type": "machine_learning", + "version": 100 + }, + "52afbdc5-db15-596e-bc35-f5707f820c4b": { + "rule_name": "Unusual Linux Network Service", + "sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c", + "type": "machine_learning", + "version": 100 + }, + "530178da-92ea-43ce-94c2-8877a826783d": { + "rule_name": "Suspicious CronTab Creation or Modification", + "sha256": "a7492fef4099c032e096729ad621e9e19ed59798e0df2a83ef45c381a4d821ab", + "type": "eql", + "version": 106 + }, + "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { + "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", + "sha256": "31fdbcd1bcd6c7fd916a92c19c40e5cbe355a75a3b31c97758f5723d31bdf870", + "type": "new_terms", + "version": 11 + }, + "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { + "rule_name": "AWS EFS File System or Mount Deleted", + "sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990", + "type": "query", + "version": 206 + }, + "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { + "rule_name": "Azure Diagnostic Settings Deletion", + "sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2", + "type": "query", + "version": 102 + }, + "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { + "rule_name": "Statistical Model Detected C2 Beaconing Activity", + "sha256": "d973fcbb65bfb1114bf7274eec0a49753fc3ac6e545fb635cd87b176b08276cc", + "type": "query", + "version": 6 + }, + "53a26770-9cbd-40c5-8b57-61d01a325e14": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Suspicious PDF Reader Child Process", + "sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12", "type": "eql", - "version": 106 - }, - "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { - "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", - "sha256": 
"31fdbcd1bcd6c7fd916a92c19c40e5cbe355a75a3b31c97758f5723d31bdf870", - "type": "new_terms", - "version": 11 - }, - "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { - "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "f0730064c70db89a626831b93e76595c6003a60060e20198818f45aa1f710990", - "type": "query", - "version": 206 - }, - "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { - "rule_name": "Azure Diagnostic Settings Deletion", - "sha256": "d8cf4f99c49156e9bc70819e7e213ddc8254034a37779b4650402dfe6597dce2", - "type": "query", - "version": 102 - }, - "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { - "rule_name": "Statistical Model Detected C2 Beaconing Activity", - "sha256": "d973fcbb65bfb1114bf7274eec0a49753fc3ac6e545fb635cd87b176b08276cc", - "type": "query", - "version": 6 - }, - "53a26770-9cbd-40c5-8b57-61d01a325e14": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "139f8bfa2c8cbb9183a5192c82ba2adb3fd3f23f81086fb9874e23cdbe7580fd", - "type": "eql", - "version": 212 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "756f5cf00ac9cb8da7bcb2c337c9b4e427f52c809e8846acfb481d18cf1e5683", + "sha256": "139f8bfa2c8cbb9183a5192c82ba2adb3fd3f23f81086fb9874e23cdbe7580fd", "type": "eql", - "version": 312 - }, - "53dedd83-1be7-430f-8026-363256395c8b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "Binary Content Copy via Cmd.exe", - "sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b", - "type": "eql", - "version": 6 - } - }, + "version": 212 + } + }, + "rule_name": "Suspicious PDF Reader Child 
Process", + "sha256": "f7c792ee12ea5e1c289da3010faa0241087a72374e2a07e9744490d2d732a0f6", + "type": "eql", + "version": 313 + }, + "53dedd83-1be7-430f-8026-363256395c8b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "Binary Content Copy via Cmd.exe", - "sha256": "f031d67ed436433e67086abdfa538113a953bfbf725e3aface9fc9c4cdaeab6a", + "sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b", "type": "eql", - "version": 106 - }, - "54902e45-3467-49a4-8abc-529f2c8cfb80": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Uncommon Registry Persistence Change", - "sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a", - "type": "eql", - "version": 111 - } - }, + "version": 6 + } + }, + "rule_name": "Binary Content Copy via Cmd.exe", + "sha256": "f031d67ed436433e67086abdfa538113a953bfbf725e3aface9fc9c4cdaeab6a", + "type": "eql", + "version": 106 + }, + "54902e45-3467-49a4-8abc-529f2c8cfb80": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Uncommon Registry Persistence Change", - "sha256": "62ede16d68f9a13f35791ebd4acf967b6a53e167d2211eea0b4a9c9e452339ef", + "sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a", "type": "eql", - "version": 211 - }, - "54a81f68-5f2a-421e-8eed-f888278bb712": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", - "type": "query", - "version": 8 - }, - "8.12": { - "max_allowable_version": 209, - "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74", - "type": "query", - "version": 110 - } - }, + "version": 111 + } + }, + "rule_name": "Uncommon Registry 
Persistence Change", + "sha256": "62ede16d68f9a13f35791ebd4acf967b6a53e167d2211eea0b4a9c9e452339ef", + "type": "eql", + "version": 211 + }, + "54a81f68-5f2a-421e-8eed-f888278bb712": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "204ae09b3fad4e478789727bf76c2cd45d4b667c9a0d7a140a83d9c4d85bfe12", + "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", "type": "query", - "version": 210 - }, - "54c3d186-0461-4dc3-9b33-2dc5c7473936": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Network Logon Provider Registry Modification", - "sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698", - "type": "eql", - "version": 113 - } - }, + "version": 8 + }, + "8.12": { + "max_allowable_version": 209, + "rule_name": "Exchange Mailbox Export via PowerShell", + "sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74", + "type": "query", + "version": 110 + } + }, + "rule_name": "Exchange Mailbox Export via PowerShell", + "sha256": "204ae09b3fad4e478789727bf76c2cd45d4b667c9a0d7a140a83d9c4d85bfe12", + "type": "query", + "version": 210 + }, + "54c3d186-0461-4dc3-9b33-2dc5c7473936": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Network Logon Provider Registry Modification", - "sha256": "5132f31e51639151e91e5c3302b4650fc9f619e7eb892a051a03487eb3b5e62e", + "sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698", "type": "eql", - "version": 213 - }, - "55c2bf58-2a39-4c58-a384-c8b1978153c2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347", - "type": "eql", - "version": 111 - } - }, + 
"version": 113 + } + }, + "rule_name": "Network Logon Provider Registry Modification", + "sha256": "5132f31e51639151e91e5c3302b4650fc9f619e7eb892a051a03487eb3b5e62e", + "type": "eql", + "version": 213 + }, + "55c2bf58-2a39-4c58-a384-c8b1978153c2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "b6183b74d47d3cfe8b22dcff57a47da7713bc366002dbf9f7979a42bf76f6cc6", + "sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347", "type": "eql", - "version": 211 - }, - "55d551c6-333b-4665-ab7e-5d14a59715ce": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "PsExec Network Connection", - "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", - "type": "eql", - "version": 109 - } - }, + "version": 111 + } + }, + "rule_name": "Windows Service Installed via an Unusual Client", + "sha256": "b6183b74d47d3cfe8b22dcff57a47da7713bc366002dbf9f7979a42bf76f6cc6", + "type": "eql", + "version": 211 + }, + "55d551c6-333b-4665-ab7e-5d14a59715ce": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "PsExec Network Connection", - "sha256": "90e3f23709d14c16e8714247d3a94ee747ed3ba8514e76d2416f0bd1e9b650d5", - "type": "eql", - "version": 209 - }, - "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { - "rule_name": "Windows Installer with Suspicious Properties", - "sha256": "312e779c5096313dd68712aec37a208169b7e7e58d9dc4a1362676776d5745c6", + "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", "type": "eql", - "version": 2 - }, - "56004189-4e69-4a39-b4a9-195329d226e9": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Unusual Process Spawned by a Host", - "sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098", - "type": 
"machine_learning", - "version": 7 - } - }, + "version": 109 + } + }, + "rule_name": "PsExec Network Connection", + "sha256": "90e3f23709d14c16e8714247d3a94ee747ed3ba8514e76d2416f0bd1e9b650d5", + "type": "eql", + "version": 209 + }, + "55f07d1b-25bc-4a0f-aa0c-05323c1319d0": { + "rule_name": "Windows Installer with Suspicious Properties", + "sha256": "312e779c5096313dd68712aec37a208169b7e7e58d9dc4a1362676776d5745c6", + "type": "eql", + "version": 2 + }, + "56004189-4e69-4a39-b4a9-195329d226e9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a Host", - "sha256": "fc15e14ff5e5b9a4e9791cd5a68b234418e8d305be7f057eb8a3d00248eac66b", + "sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098", "type": "machine_learning", - "version": 107 - }, - "5610b192-7f18-11ee-825b-f661ea17fbcd": { - "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", - "type": "eql", - "version": 2 - }, - "56557cde-d923-4b88-adee-c61b3f3b5dc3": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7", - "type": "query", - "version": 107 - } - }, + "version": 7 + } + }, + "rule_name": "Unusual Process Spawned by a Host", + "sha256": "fc15e14ff5e5b9a4e9791cd5a68b234418e8d305be7f057eb8a3d00248eac66b", + "type": "machine_learning", + "version": 107 + }, + "5610b192-7f18-11ee-825b-f661ea17fbcd": { + "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", + "sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00", + "type": "eql", + "version": 3 + }, + "56557cde-d923-4b88-adee-c61b3f3b5dc3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + 
"max_allowable_version": 206, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "1645e32bd9388cfedd1bbb52f9d608fa1f020e59df807c8c0a24d791979f2fc7", - "type": "query", - "version": 207 - }, - "565c2b44-7a21-4818-955f-8d4737967d2e": { - "rule_name": "Potential Admin Group Account Addition", - "sha256": "1e416a23a57946cd76fb3a0d31a22ba04b7d13ed78b7ea1c9beb9728961216f9", + "sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7", "type": "query", - "version": 206 - }, - "565d6ca5-75ba-4c82-9b13-add25353471c": { - "rule_name": "Dumping of Keychain Content via Security Command", - "sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb", - "type": "eql", "version": 107 - }, - "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { - "rule_name": "GCP Logging Bucket Deletion", - "sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a", - "type": "query", - "version": 104 - }, - "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "PowerShell PSReflect Script", - "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", - "type": "query", - "version": 110 - }, - "8.12": { - "max_allowable_version": 312, - "rule_name": "PowerShell PSReflect Script", - "sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d", - "type": "query", - "version": 213 - } - }, + } + }, + "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", + "sha256": "1645e32bd9388cfedd1bbb52f9d608fa1f020e59df807c8c0a24d791979f2fc7", + "type": "query", + "version": 207 + }, + "565c2b44-7a21-4818-955f-8d4737967d2e": { + "rule_name": "Potential Admin Group Account Addition", + "sha256": "1e416a23a57946cd76fb3a0d31a22ba04b7d13ed78b7ea1c9beb9728961216f9", + "type": "query", + "version": 206 + }, + "565d6ca5-75ba-4c82-9b13-add25353471c": { + "rule_name": "Dumping 
of Keychain Content via Security Command", + "sha256": "ccf09271bdf9cd7de53d339b60a06f2e48c9a81fb9907a6f3d26b086d3e524fb", + "type": "eql", + "version": 107 + }, + "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { + "rule_name": "GCP Logging Bucket Deletion", + "sha256": "080210ccfb075c63c43cbbdd386dcf8857830563eb3757d61841656cf2099d2a", + "type": "query", + "version": 104 + }, + "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", - "sha256": "38589e5b42cc43f6e6b822a37057ab671b1596137a108e3c0f6275bbd7821ad1", - "type": "query", - "version": 313 - }, - "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { - "rule_name": "Execution of an Unsigned Service", - "sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9", - "type": "new_terms", - "version": 105 - }, - "5700cb81-df44-46aa-a5d7-337798f53eb8": { - "rule_name": "VNC (Virtual Network Computing) from the Internet", - "sha256": "65439f5e4fa7b0f4bbb310547d8239ea649d5818b5ac6338a7b358f2eb0c03ee", - "type": "query", - "version": 105 - }, - "571afc56-5ed9-465d-a2a9-045f099f6e7e": { - "rule_name": "Credential Dumping - Detected - Elastic Endgame", - "sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234", + "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", "type": "query", - "version": 103 - }, - "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { - "rule_name": "Azure Virtual Network Device Modified or Deleted", - "sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762", + "version": 110 + }, + "8.12": { + "max_allowable_version": 312, + "rule_name": "PowerShell PSReflect Script", + "sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d", "type": "query", - "version": 102 - }, - "577ec21e-56fe-4065-91d8-45eb8224fe77": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - 
"rule_name": "PowerShell MiniDump Script", - "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", - "type": "query", - "version": 110 - } - }, + "version": 213 + } + }, + "rule_name": "PowerShell PSReflect Script", + "sha256": "38589e5b42cc43f6e6b822a37057ab671b1596137a108e3c0f6275bbd7821ad1", + "type": "query", + "version": 313 + }, + "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { + "rule_name": "Execution of an Unsigned Service", + "sha256": "950af04b073c7a2de490bf6fe99a6aea6add2dc983a53d0882b4b3c7263fe0d9", + "type": "new_terms", + "version": 105 + }, + "5700cb81-df44-46aa-a5d7-337798f53eb8": { + "rule_name": "VNC (Virtual Network Computing) from the Internet", + "sha256": "65439f5e4fa7b0f4bbb310547d8239ea649d5818b5ac6338a7b358f2eb0c03ee", + "type": "query", + "version": 105 + }, + "571afc56-5ed9-465d-a2a9-045f099f6e7e": { + "rule_name": "Credential Dumping - Detected - Elastic Endgame", + "sha256": "8bab78d440c061852a74557b6d3192c69d78b18dd0cabb79ef54bf9ae6f27234", + "type": "query", + "version": 103 + }, + "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { + "rule_name": "Azure Virtual Network Device Modified or Deleted", + "sha256": "fe8f8cc7acb845230d488c2148d4c27351978ae3582a05be60a1d7373afa9762", + "type": "query", + "version": 102 + }, + "577ec21e-56fe-4065-91d8-45eb8224fe77": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "PowerShell MiniDump Script", - "sha256": "0c2a7186e2aa5916c5889d9d75731f00059da7f8d8306ea8e6cc5ba810f49a4a", + "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", "type": "query", - "version": 210 - }, - "57bccf1d-daf5-4e1a-9049-ff79b5254704": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "File Staged in Root Folder of Recycle Bin", - "sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb", - "type": "eql", - "version": 6 - } - }, + "version": 110 + } + }, + 
"rule_name": "PowerShell MiniDump Script", + "sha256": "0c2a7186e2aa5916c5889d9d75731f00059da7f8d8306ea8e6cc5ba810f49a4a", + "type": "query", + "version": 210 + }, + "57bccf1d-daf5-4e1a-9049-ff79b5254704": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "File Staged in Root Folder of Recycle Bin", - "sha256": "1acdc9f8e087369826ba6e49c673137f4634a9a62b94bccf201c13d8d3ce0932", + "sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb", "type": "eql", - "version": 106 - }, - "57bfa0a9-37c0-44d6-b724-54bf16787492": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "fbf28db5104a48b0e0d2f1bab198d6d68917d37647526eb57c33227ecca28773", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "6b33c63d553cab599384d2a06a3cbe2ce79ac5637431a647f3c0b0bd8930e497", - "type": "eql", - "version": 103 - } - }, + "version": 6 + } + }, + "rule_name": "File Staged in Root Folder of Recycle Bin", + "sha256": "1acdc9f8e087369826ba6e49c673137f4634a9a62b94bccf201c13d8d3ce0932", + "type": "eql", + "version": 106 + }, + "57bfa0a9-37c0-44d6-b724-54bf16787492": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "DNS Global Query Block List Modified or Disabled", - "sha256": "566037aa998817fc0a251e782f43cec8f2037e67f0fdfe4fc54256563b8a8994", - "type": "eql", - "version": 203 - }, - "581add16-df76-42bb-af8e-c979bfb39a59": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "26f2805142740943d3a337737f94aa2adb368dc09f37ec38fe749edf716118e2", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": 
"Deleting Backup Catalogs with Wbadmin", - "sha256": "0a123f7c9ac032b20d904a897c3925725aba31f988722148f34fcec998d5ad9d", - "type": "eql", - "version": 213 - } - }, - "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "a1bbd1ee4ec1f39635b5864753f3868771116403b08ccc6fac8668bf3e148963", + "sha256": "fbf28db5104a48b0e0d2f1bab198d6d68917d37647526eb57c33227ecca28773", "type": "eql", - "version": 313 - }, - "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "RDP Enabled via Registry", - "sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "RDP Enabled via Registry", - "sha256": "ad5f6e2a7ed2a334c068a318cce1628f5eba03cc5188384b8936624810b633fa", - "type": "eql", - "version": 212 - } - }, - "rule_name": "RDP Enabled via Registry", - "sha256": "8aee0c8639f2f4bee943504b9828ddebae9944ff41119c3a2b4d0fdaa1354f6c", + "version": 3 + }, + "8.13": { + "max_allowable_version": 202, + "rule_name": "DNS Global Query Block List Modified or Disabled", + "sha256": "6b33c63d553cab599384d2a06a3cbe2ce79ac5637431a647f3c0b0bd8930e497", "type": "eql", - "version": 312 - }, - "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { - "rule_name": "Zoom Meeting with no Passcode", - "sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff", - "type": "query", "version": 103 - }, - "58bc134c-e8d2-4291-a552-b4b3e537c60b": { - "rule_name": "Potential Lateral Tool Transfer via SMB Share", - "sha256": "274d6dd045e0bf970b32a646a70634ee7ddddc23721c1271d9e33bd3da440d40", - "type": "eql", - "version": 109 - }, - "58c6d58b-a0d3-412d-b3b8-0981a9400607": { - "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13", + } + }, + "rule_name": "DNS Global Query Block List Modified or 
Disabled", + "sha256": "566037aa998817fc0a251e782f43cec8f2037e67f0fdfe4fc54256563b8a8994", + "type": "eql", + "version": 203 + }, + "581add16-df76-42bb-af8e-c979bfb39a59": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Deleting Backup Catalogs with Wbadmin", + "sha256": "26f2805142740943d3a337737f94aa2adb368dc09f37ec38fe749edf716118e2", "type": "eql", - "version": 111 - }, - "5919988c-29e1-4908-83aa-1f087a838f63": { - "rule_name": "File or Directory Deletion Command", - "sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a", + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Deleting Backup Catalogs with Wbadmin", + "sha256": "0a123f7c9ac032b20d904a897c3925725aba31f988722148f34fcec998d5ad9d", "type": "eql", - "version": 3 - }, - "5930658c-2107-4afc-91af-e0e55b7f7184": { - "rule_name": "O365 Email Reported by User as Malware or Phish", - "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef", - "type": "query", - "version": 206 - }, - "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { - "rule_name": "AWS CloudTrail Log Created", - "sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7", - "type": "query", - "version": 207 - }, - "59756272-1998-4b8c-be14-e287035c4d10": { - "rule_name": "Unusual Linux User Discovery Activity", - "sha256": "ee20cd99bcb1d96c1b45a7497beed44d5f9a3ea2acd13f0bb8e35352cbf59909", - "type": "machine_learning", - "version": 105 - }, - "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": 
"a58979585d4e2dba00ae2bf4cc63ae6bed5e961b9f7644c0dc3fa1cdc1f2a938", - "type": "eql", - "version": 209 - } - }, - "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "922c50914d6b49f38e49963069b5aded60978873160d1be2e5ac966b0f38d3fe", + "version": 213 + } + }, + "rule_name": "Deleting Backup Catalogs with Wbadmin", + "sha256": "ed7c60dc12bdfa2d20edceb1eae21c05458b5885ec3be1eff755ceba3fab866e", + "type": "eql", + "version": 314 + }, + "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, + "rule_name": "RDP Enabled via Registry", + "sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1", "type": "eql", - "version": 309 - }, - "5a3d5447-31c9-409a-aed1-72f9921594fd": { - "rule_name": "Potential Reverse Shell via Java", - "sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1", + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "RDP Enabled via Registry", + "sha256": "ad5f6e2a7ed2a334c068a318cce1628f5eba03cc5188384b8936624810b633fa", "type": "eql", - "version": 8 - }, - "5ab49127-b1b3-46e6-8a38-9e8512a2a363": { - "rule_name": "ROT Encoded Python Script Execution", - "sha256": "c0274af6f64a052fd104039c8754ea7aa05eaadab769efc8a98bc62711b2b491", + "version": 212 + } + }, + "rule_name": "RDP Enabled via Registry", + "sha256": "8aee0c8639f2f4bee943504b9828ddebae9944ff41119c3a2b4d0fdaa1354f6c", + "type": "eql", + "version": 312 + }, + "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { + "rule_name": "Zoom Meeting with no Passcode", + "sha256": "b3970e307a90b3715cd0032cccccfdf1b0a62c7e414d20462f6f5107916e4bff", + "type": "query", + "version": 103 + }, + "58bc134c-e8d2-4291-a552-b4b3e537c60b": { + "rule_name": "Potential Lateral Tool Transfer via SMB Share", + "sha256": "274d6dd045e0bf970b32a646a70634ee7ddddc23721c1271d9e33bd3da440d40", + "type": "eql", + "version": 109 + }, + 
"58c6d58b-a0d3-412d-b3b8-0981a9400607": { + "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", + "sha256": "9bae02d3c566f254d62cde13db4662546fcab189c9f3296fa8c3eea79178eb13", + "type": "eql", + "version": 111 + }, + "5919988c-29e1-4908-83aa-1f087a838f63": { + "rule_name": "File or Directory Deletion Command", + "sha256": "2aba7007a379369ba83e88547ca03adac0f28e90a937244de77c2270f5babb4a", + "type": "eql", + "version": 3 + }, + "5930658c-2107-4afc-91af-e0e55b7f7184": { + "rule_name": "O365 Email Reported by User as Malware or Phish", + "sha256": "a384ae4e6ee0a0f14a297dd9980b3aae52fcba5a63e3fca63e28559480b62bef", + "type": "query", + "version": 206 + }, + "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { + "rule_name": "AWS CloudTrail Log Created", + "sha256": "04381b6679e1f47a0de7e904dda384c87aaf3b510c9aca6f2045b8f2c4014fa7", + "type": "query", + "version": 207 + }, + "59756272-1998-4b8c-be14-e287035c4d10": { + "rule_name": "Unusual Linux User Discovery Activity", + "sha256": "ee20cd99bcb1d96c1b45a7497beed44d5f9a3ea2acd13f0bb8e35352cbf59909", + "type": "machine_learning", + "version": 105 + }, + "5a138e2e-aec3-4240-9843-56825d0bc569": { + "rule_name": "IPv4/IPv6 Forwarding Activity", + "sha256": "0ac95528a079d01b7adeaa69e09a6ce000a6e52cd17f4fc7984edb24bf715c66", + "type": "eql", + "version": 1 + }, + "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, + "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", "type": "eql", - "version": 1 - }, - "5ae02ebc-a5de-4eac-afe6-c88de696477d": { - "rule_name": "Potential Chroot Container Escape via Mount", - "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + 
"sha256": "a58979585d4e2dba00ae2bf4cc63ae6bed5e961b9f7644c0dc3fa1cdc1f2a938", "type": "eql", - "version": 2 - }, - "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { - "rule_name": "Remote SSH Login Enabled via systemsetup Command", - "sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058", - "type": "query", - "version": 106 - }, - "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "f758d94665be51996867211777d79e6aed92bf1caef03e695a48519325656443", - "type": "eql", - "version": 209 - } - }, + "version": 209 + } + }, + "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + "sha256": "922c50914d6b49f38e49963069b5aded60978873160d1be2e5ac966b0f38d3fe", + "type": "eql", + "version": 309 + }, + "5a3d5447-31c9-409a-aed1-72f9921594fd": { + "rule_name": "Potential Reverse Shell via Java", + "sha256": "7679d1b0d0e253dc2747cdf1dff275208029db01cdbf4fd7e77f9070d56861a1", + "type": "eql", + "version": 8 + }, + "5ab49127-b1b3-46e6-8a38-9e8512a2a363": { + "rule_name": "ROT Encoded Python Script Execution", + "sha256": "c0274af6f64a052fd104039c8754ea7aa05eaadab769efc8a98bc62711b2b491", + "type": "eql", + "version": 1 + }, + "5ae02ebc-a5de-4eac-afe6-c88de696477d": { + "rule_name": "Potential Chroot Container Escape via Mount", + "sha256": "b49bf35138ec9338b49af77beb42c3d6ec44d6901dd364fe7aac536e60dfcbfc", + "type": "eql", + "version": 2 + }, + "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { + "rule_name": "Remote SSH Login Enabled via systemsetup Command", + "sha256": "b1baf6af7bac12181427143fe903673699b5df38a14f3a8617a90c981cf52058", + "type": "query", + 
"version": 106 + }, + "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "f9cda122a401560f226e7216339accbcc62094bdba84a4debe35fbdecaf48970", + "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", "type": "eql", - "version": 309 - }, - "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { - "rule_name": "Virtual Machine Fingerprinting", - "sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2", - "type": "query", - "version": 108 - }, - "5b06a27f-ad72-4499-91db-0c69667bffa5": { - "rule_name": "SUID/SGUID Enumeration Detected", - "sha256": "ecb48f9b2113ef16a9cf28b12062a7336b1fc1183e11978fa97c5d28f733e894", - "type": "eql", - "version": 6 - }, - "5b18eef4-842c-4b47-970f-f08d24004bde": { - "rule_name": "Suspicious which Enumeration", - "sha256": "5067ebbb2ae7642ec887f660253ec56fa569320fbf62652220280935c9bff570", - "type": "eql", - "version": 7 - }, - "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { - "rule_name": "Potential Masquerading as Browser Process", - "sha256": "78ec9be84e9b6970a121017e012905d15e2e20158762c57da7f514ea4d07c5f2", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Potential Secure File Deletion via SDelete Utility", + "sha256": "f758d94665be51996867211777d79e6aed92bf1caef03e695a48519325656443", "type": "eql", - "version": 5 - }, - "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "f8b5d6b8dcd9ba7c0a8a5e3c777145a5ab964529eb766fbf5cab16a47349ead2", - "type": "new_terms", - "version": 114 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": 
"91c753727cc93c11d0c14042e89f25f4662381aa6ed581df89352758ca0056f3", - "type": "new_terms", - "version": 214 - } - }, + "version": 209 + } + }, + "rule_name": "Potential Secure File Deletion via SDelete Utility", + "sha256": "f9cda122a401560f226e7216339accbcc62094bdba84a4debe35fbdecaf48970", + "type": "eql", + "version": 309 + }, + "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { + "rule_name": "Virtual Machine Fingerprinting", + "sha256": "bfc51d0f01ccf26b16f823ba658b02bf6e682d0262d9dfe410d1c9cb06d859c2", + "type": "query", + "version": 108 + }, + "5b06a27f-ad72-4499-91db-0c69667bffa5": { + "rule_name": "SUID/SGUID Enumeration Detected", + "sha256": "ecb48f9b2113ef16a9cf28b12062a7336b1fc1183e11978fa97c5d28f733e894", + "type": "eql", + "version": 6 + }, + "5b18eef4-842c-4b47-970f-f08d24004bde": { + "rule_name": "Suspicious which Enumeration", + "sha256": "5067ebbb2ae7642ec887f660253ec56fa569320fbf62652220280935c9bff570", + "type": "eql", + "version": 7 + }, + "5b9eb30f-87d6-45f4-9289-2bf2024f0376": { + "rule_name": "Potential Masquerading as Browser Process", + "sha256": "78ec9be84e9b6970a121017e012905d15e2e20158762c57da7f514ea4d07c5f2", + "type": "eql", + "version": 5 + }, + "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "aeec107590fee9b7eb50ce2c5790e91eebe4152e23c7a16c88cd8371f4e374b0", + "sha256": "f8b5d6b8dcd9ba7c0a8a5e3c777145a5ab964529eb766fbf5cab16a47349ead2", "type": "new_terms", - "version": 314 - }, - "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { - "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0", - "type": "query", - "version": 206 - }, - "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { - "rule_name": "Process Capability Enumeration", - "sha256": "05b761407363be97b58f3300673822b50467a2bde6e9040bed06c9132d77729a", - "type": 
"eql", - "version": 2 - }, - "5c602cba-ae00-4488-845d-24de2b6d8055": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", - "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", - "type": "query", - "version": 3 - } - }, + "version": 114 + }, + "8.13": { + "max_allowable_version": 313, + "rule_name": "Suspicious PrintSpooler Service Executable File Creation", + "sha256": "91c753727cc93c11d0c14042e89f25f4662381aa6ed581df89352758ca0056f3", + "type": "new_terms", + "version": 214 + } + }, + "rule_name": "Suspicious PrintSpooler Service Executable File Creation", + "sha256": "aeec107590fee9b7eb50ce2c5790e91eebe4152e23c7a16c88cd8371f4e374b0", + "type": "new_terms", + "version": 314 + }, + "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { + "rule_name": "AWS WAF Rule or Rule Group Deletion", + "sha256": "6c4d3ab01c67010c4dd017c06f34cc2bba3765dc79133e8d5ba8fb7ecd657aa0", + "type": "query", + "version": 206 + }, + "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { + "rule_name": "Process Capability Enumeration", + "sha256": "05b761407363be97b58f3300673822b50467a2bde6e9040bed06c9132d77729a", + "type": "eql", + "version": 2 + }, + "5c602cba-ae00-4488-845d-24de2b6d8055": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", - "sha256": "e76374e15f51af2dd0d683aacb95c40df7bb4ab2452ca64cab318aa20a1766a6", + "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", "type": "query", - "version": 103 - }, - "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 112, - "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106", - "type": "new_terms", - "version": 13 - } - }, + 
"version": 3 + } + }, + "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", + "sha256": "e76374e15f51af2dd0d683aacb95c40df7bb4ab2452ca64cab318aa20a1766a6", + "type": "query", + "version": 103 + }, + "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 112, "rule_name": "FirstTime Seen Account Performing DCSync", - "sha256": "60be180da0a4d8a02621f58482c7ddfc3b2fc4815bbd722097bef9ec5bfe45a8", + "sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106", "type": "new_terms", - "version": 113 - }, - "5c81fc9d-1eae-437f-ba07-268472967013": { - "rule_name": "Segfault Detected", - "sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8", - "type": "query", - "version": 1 - }, - "5c895b4f-9133-4e68-9e23-59902175355c": { - "rule_name": "Potential Meterpreter Reverse Shell", - "sha256": "d07f514f10110b37d711bf355d40833340fbbf7701ba0cc4db57f259713e2dba", - "type": "eql", - "version": 7 - }, - "5c983105-4681-46c3-9890-0c66d05e776b": { - "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "f9a87ae54214bad3a060e755e979bde3234717dd912edb1867dd9bb0f3f658b1", - "type": "machine_learning", - "version": 104 - }, - "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { - "rule_name": "Potential Defense Evasion via PRoot", - "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4", - "type": "eql", - "version": 7 - }, - "5cd55388-a19c-47c7-8ec4-f41656c2fded": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80", - "type": "eql", - "version": 109 - } - }, + "version": 13 + } + }, + "rule_name": "FirstTime Seen Account Performing DCSync", + "sha256": "60be180da0a4d8a02621f58482c7ddfc3b2fc4815bbd722097bef9ec5bfe45a8", + "type": "new_terms", + 
"version": 113 + }, + "5c81fc9d-1eae-437f-ba07-268472967013": { + "rule_name": "Segfault Detected", + "sha256": "67588b53b3aa8fcb88b35baa601ae2d44b31ffc590864787f6a46c72bc5b4dc8", + "type": "query", + "version": 1 + }, + "5c895b4f-9133-4e68-9e23-59902175355c": { + "rule_name": "Potential Meterpreter Reverse Shell", + "sha256": "d07f514f10110b37d711bf355d40833340fbbf7701ba0cc4db57f259713e2dba", + "type": "eql", + "version": 7 + }, + "5c983105-4681-46c3-9890-0c66d05e776b": { + "rule_name": "Unusual Linux Process Discovery Activity", + "sha256": "f9a87ae54214bad3a060e755e979bde3234717dd912edb1867dd9bb0f3f658b1", + "type": "machine_learning", + "version": 104 + }, + "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { + "rule_name": "Potential Defense Evasion via PRoot", + "sha256": "74391c2ea26988cdbabaf1fe4da29601278aaa13c64140b557c38e53265b33e4", + "type": "eql", + "version": 7 + }, + "5cd55388-a19c-47c7-8ec4-f41656c2fded": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "7d3bf84b8bde799ef371d4a6327bf8f541afea0300cdbf24763d28eb8f8342b5", + "sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80", "type": "eql", - "version": 209 - }, - "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "User Added to Privileged Group", - "sha256": "d38fab04d93fbbb1473131509d9b6cd0bd610885369860d4fbc428e46abb34de", - "type": "eql", - "version": 111 - } - }, + "version": 109 + } + }, + "rule_name": "Outbound Scheduled Task Activity via PowerShell", + "sha256": "7d3bf84b8bde799ef371d4a6327bf8f541afea0300cdbf24763d28eb8f8342b5", + "type": "eql", + "version": 209 + }, + "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "User Added to Privileged Group", - "sha256": 
"249e80a94140cb17cb1bbbd22fcf7b01c9c149e0bb082822fc0cbec1322f4413", + "sha256": "d38fab04d93fbbb1473131509d9b6cd0bd610885369860d4fbc428e46abb34de", "type": "eql", - "version": 211 - }, - "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "Persistence via PowerShell profile", - "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", - "type": "eql", - "version": 9 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Persistence via PowerShell profile", - "sha256": "bcfac59564d41ebcb539180ca3a3bf7ce87cc15eef7fe386b497fab430a67572", - "type": "eql", - "version": 109 - } - }, + "version": 111 + } + }, + "rule_name": "User Added to Privileged Group", + "sha256": "249e80a94140cb17cb1bbbd22fcf7b01c9c149e0bb082822fc0cbec1322f4413", + "type": "eql", + "version": 211 + }, + "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "Persistence via PowerShell profile", - "sha256": "f3fa333c7f1b7b2d1da2b134f2a3f535c02a04bbe1e29aea9a07f65dc3112f42", + "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", "type": "eql", - "version": 209 - }, - "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { - "rule_name": "Persistence via Login or Logout Hook", - "sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8", + "version": 9 + }, + "8.13": { + "max_allowable_version": 208, + "rule_name": "Persistence via PowerShell profile", + "sha256": "bcfac59564d41ebcb539180ca3a3bf7ce87cc15eef7fe386b497fab430a67572", "type": "eql", - "version": 107 - }, - "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75", - "type": "eql", - 
"version": 109 - } - }, + "version": 109 + } + }, + "rule_name": "Persistence via PowerShell profile", + "sha256": "f3fa333c7f1b7b2d1da2b134f2a3f535c02a04bbe1e29aea9a07f65dc3112f42", + "type": "eql", + "version": 209 + }, + "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { + "rule_name": "Persistence via Login or Logout Hook", + "sha256": "1c0e0922c06fa8aa81d5e8321d94552753e41e9f939f8cb35940afe5438945d8", + "type": "eql", + "version": 107 + }, + "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "98c90d11775a22fd8b8841c192bba0357583dfff531656d7728cefb2a3cf68fb", + "sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75", "type": "eql", - "version": 209 - }, - "5d676480-9655-4507-adc6-4eec311efff8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Unsigned DLL loaded by DNS Service", - "sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7", - "type": "eql", - "version": 3 - } - }, + "version": 109 + } + }, + "rule_name": "Suspicious Execution via Scheduled Task", + "sha256": "98c90d11775a22fd8b8841c192bba0357583dfff531656d7728cefb2a3cf68fb", + "type": "eql", + "version": 209 + }, + "5d676480-9655-4507-adc6-4eec311efff8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, "rule_name": "Unsigned DLL loaded by DNS Service", - "sha256": "1bed4177a477d026c410cae36aa7cc8da677f5a62bab50fb6caced420d1dd57c", - "type": "eql", - "version": 103 - }, - "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { - "rule_name": "Suspicious Automator Workflows Execution", - "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906", + "sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7", "type": "eql", - "version": 106 - }, - "5e161522-2545-11ed-ac47-f661ea17fbce": { - 
"rule_name": "Google Workspace 2SV Policy Disabled", - "sha256": "e9ecfacffc915053d9856796153aa7ce7cc98c60c95d4de25a4d3f6307b6baa5", - "type": "query", - "version": 107 - }, - "5e552599-ddec-4e14-bad1-28aa42404388": { - "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838", - "type": "query", - "version": 206 - }, - "5e87f165-45c2-4b80-bfa5-52822552c997": { - "rule_name": "Potential PrintNightmare File Modification", - "sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933", - "type": "eql", - "version": 100 - }, - "5f0234fd-7f21-42af-8391-511d5fd11d5c": { - "min_stack_version": "8.13", - "rule_name": "AWS S3 Bucket Enumeration or Brute Force", - "sha256": "a366e2eee10ae91beb23435fce8669f66873ea66f853247db77a3306a663658e", - "type": "esql", "version": 3 - }, - "5f2f463e-6997-478c-8405-fb41cc283281": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Potential File Download via a Headless Browser", - "sha256": "07bc7d436acd1fee6bb5095ececc82cea05e2662cc4170c6c4101acad12bd670", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Potential File Download via a Headless Browser", - "sha256": "19a1d06007326123108f50fbfe0508ef28d7ef131ac3e5df567dbdc47aa6ff7a", - "type": "eql", - "version": 102 - } - }, + } + }, + "rule_name": "Unsigned DLL loaded by DNS Service", + "sha256": "1bed4177a477d026c410cae36aa7cc8da677f5a62bab50fb6caced420d1dd57c", + "type": "eql", + "version": 103 + }, + "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { + "rule_name": "Suspicious Automator Workflows Execution", + "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906", + "type": "eql", + "version": 106 + }, + "5e161522-2545-11ed-ac47-f661ea17fbce": { + "rule_name": "Google Workspace 2SV Policy Disabled", + "sha256": 
"e9ecfacffc915053d9856796153aa7ce7cc98c60c95d4de25a4d3f6307b6baa5", + "type": "query", + "version": 107 + }, + "5e4023e7-6357-4061-ae1c-9df33e78c674": { + "rule_name": "Memory Swap Modification", + "sha256": "87f23ecd1afbe1e17093f0f1d038a49132d433f0e99f842a2c1ea2070422022a", + "type": "eql", + "version": 1 + }, + "5e552599-ddec-4e14-bad1-28aa42404388": { + "rule_name": "Microsoft 365 Teams Guest Access Enabled", + "sha256": "92a0588bb516c3bf59cc84e1a9a07051d183c3a54df36ce698c176fe0a02d838", + "type": "query", + "version": 206 + }, + "5e87f165-45c2-4b80-bfa5-52822552c997": { + "rule_name": "Potential PrintNightmare File Modification", + "sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933", + "type": "eql", + "version": 100 + }, + "5f0234fd-7f21-42af-8391-511d5fd11d5c": { + "min_stack_version": "8.13", + "rule_name": "AWS S3 Bucket Enumeration or Brute Force", + "sha256": "e65db1e4cf78b27ce4ca6092bbbb6900c749dbda0d96ee608ec1954757cb9862", + "type": "esql", + "version": 4 + }, + "5f2f463e-6997-478c-8405-fb41cc283281": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, "rule_name": "Potential File Download via a Headless Browser", - "sha256": "9026c24932c794c5c99b330c34d8d3655acbcb133b5e2423afe687b13bd32e7a", + "sha256": "07bc7d436acd1fee6bb5095ececc82cea05e2662cc4170c6c4101acad12bd670", "type": "eql", - "version": 202 - }, - "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { - "rule_name": "Docker Escape via Nsenter", - "sha256": "11c34c854e425416671771fda4ebe364a729e7203d287c32837120c5426ec678", + "version": 2 + }, + "8.13": { + "max_allowable_version": 201, + "rule_name": "Potential File Download via a Headless Browser", + "sha256": "19a1d06007326123108f50fbfe0508ef28d7ef131ac3e5df567dbdc47aa6ff7a", "type": "eql", - "version": 1 - }, - "60884af6-f553-4a6c-af13-300047455491": { - "rule_name": "Azure Command Execution on Virtual Machine", - "sha256": 
"7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12", - "type": "query", "version": 102 - }, - "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { - "rule_name": "Azure Service Principal Addition", - "sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2", - "type": "query", - "version": 105 - }, - "60f3adec-1df9-4104-9c75-b97d9f078b25": { - "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9", - "type": "query", - "version": 206 - }, - "610949a1-312f-4e04-bb55-3a79b8c95267": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Unusual Process Network Connection", - "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", - "type": "eql", - "version": 108 - } - }, + } + }, + "rule_name": "Potential File Download via a Headless Browser", + "sha256": "8a9e091c55b5692d8d0032f78a5e51ffa80b4380ff50f18e6b2b25ad5830ba41", + "type": "eql", + "version": 203 + }, + "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88": { + "rule_name": "Docker Escape via Nsenter", + "sha256": "11c34c854e425416671771fda4ebe364a729e7203d287c32837120c5426ec678", + "type": "eql", + "version": 1 + }, + "60884af6-f553-4a6c-af13-300047455491": { + "rule_name": "Azure Command Execution on Virtual Machine", + "sha256": "7e3e549fc0541f65e9d0ee9df09e5453f76574a9d8b90a03c5b8f905ebe6ce12", + "type": "query", + "version": 102 + }, + "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { + "rule_name": "Azure Service Principal Addition", + "sha256": "786b2ddb2ad2584581e0eeea78d24c23a5647d0a32680f1fa9625b6c06ebbda2", + "type": "query", + "version": 105 + }, + "60f3adec-1df9-4104-9c75-b97d9f078b25": { + "rule_name": "Microsoft 365 Exchange DLP Policy Removed", + "sha256": "807f4b28328d1f7ad9211882227887a21f3d288a8ad35dd75b1e3578f37251e9", + "type": "query", + "version": 206 + }, + "610949a1-312f-4e04-bb55-3a79b8c95267": { + "min_stack_version": "8.14", 
+ "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Unusual Process Network Connection", - "sha256": "03650e968a078c275a50bd1b08d8a8390430cdb53c2723595bb0b572350387ee", - "type": "eql", - "version": 208 - }, - "61336fe6-c043-4743-ab6e-41292f439603": { - "rule_name": "New User Added To GitHub Organization", - "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", + "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", "type": "eql", - "version": 1 - }, - "61766ef9-48a5-4247-ad74-3349de7eb2ad": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "Interactive Logon by an Unusual Process", - "sha256": "bf2b28b3ee264bd7593059a42fb95b93b34b79c0296e85ea353384200ca44764", - "type": "eql", - "version": 4 - } - }, + "version": 108 + } + }, + "rule_name": "Unusual Process Network Connection", + "sha256": "03650e968a078c275a50bd1b08d8a8390430cdb53c2723595bb0b572350387ee", + "type": "eql", + "version": 208 + }, + "61336fe6-c043-4743-ab6e-41292f439603": { + "rule_name": "New User Added To GitHub Organization", + "sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4", + "type": "eql", + "version": 2 + }, + "61766ef9-48a5-4247-ad74-3349de7eb2ad": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, "rule_name": "Interactive Logon by an Unusual Process", - "sha256": "1baf1fef6bba99c5ccdc2528a1cf37b50b5fa046a869241e7957bc24910a38d2", + "sha256": "bf2b28b3ee264bd7593059a42fb95b93b34b79c0296e85ea353384200ca44764", "type": "eql", - "version": 104 - }, - "61ac3638-40a3-44b2-855a-985636ca985e": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", - "type": "query", - "version": 113 - }, - "8.12": { - 
"max_allowable_version": 315, - "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8", - "type": "query", - "version": 216 - } - }, + "version": 4 + } + }, + "rule_name": "Interactive Logon by an Unusual Process", + "sha256": "1baf1fef6bba99c5ccdc2528a1cf37b50b5fa046a869241e7957bc24910a38d2", + "type": "eql", + "version": 104 + }, + "61ac3638-40a3-44b2-855a-985636ca985e": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "0c8aca13cd27121eb75ba5494b65fc5c53151b4d7a12f3f830916d156f260a95", + "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", "type": "query", - "version": 316 - }, - "61c31c14-507f-4627-8c31-072556b89a9c": { - "rule_name": "Mknod Process Activity", - "sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea", + "version": 113 + }, + "8.12": { + "max_allowable_version": 315, + "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", + "sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8", "type": "query", - "version": 100 - }, - "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "61e5e9cb9893a7e21a7314d6953f624a9d9e7e05e283ac34d508735fddcf87b7", - "type": "eql", - "version": 112 - } - }, + "version": 216 + } + }, + "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", + "sha256": "0c8aca13cd27121eb75ba5494b65fc5c53151b4d7a12f3f830916d156f260a95", + "type": "query", + "version": 316 + }, + "61c31c14-507f-4627-8c31-072556b89a9c": { + "rule_name": "Mknod Process Activity", + "sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea", + "type": 
"query", + "version": 100 + }, + "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "0025f93aa161653a794f9a26065ea5e0cc28cde56f00267df2baedba016c4e6e", + "sha256": "61e5e9cb9893a7e21a7314d6953f624a9d9e7e05e283ac34d508735fddcf87b7", "type": "eql", - "version": 212 - }, - "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { - "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", - "type": "threshold", - "version": 3 - }, - "622ecb68-fa81-4601-90b5-f8cd661e4520": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", - "type": "eql", - "version": 107 - } - }, + "version": 112 + } + }, + "rule_name": "AdminSDHolder SDProp Exclusion Added", + "sha256": "0025f93aa161653a794f9a26065ea5e0cc28cde56f00267df2baedba016c4e6e", + "type": "eql", + "version": 212 + }, + "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { + "rule_name": "Multiple Okta Sessions Detected for a Single User", + "sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff", + "type": "threshold", + "version": 4 + }, + "622ecb68-fa81-4601-90b5-f8cd661e4520": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "469e57d1084b2101124729bd1a24f0d0de9a3ba693867395cb5e2b2747429009", + "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", "type": "eql", - "version": 207 - }, - "62a70f6f-3c37-43df-a556-f64fa475fba2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Account Configured with Never-Expiring Password", - 
"sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62", - "type": "query", - "version": 111 - } - }, + "version": 107 + } + }, + "rule_name": "Incoming DCOM Lateral Movement via MSHTA", + "sha256": "469e57d1084b2101124729bd1a24f0d0de9a3ba693867395cb5e2b2747429009", + "type": "eql", + "version": 207 + }, + "627374ab-7080-4e4d-8316-bef1122444af": { + "rule_name": "Private Key Searching Activity", + "sha256": "cfb8fb1ac5550969ade51696c2cce707ef17cb2ba835b59dde324128fe49a3da", + "type": "eql", + "version": 1 + }, + "62a70f6f-3c37-43df-a556-f64fa475fba2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "d1a41572216c35257141c8fde9abe70f1cc185ba00383bd8a0a180ce1ce6cbc6", + "sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62", "type": "query", - "version": 211 - }, - "62b68eb2-1e47-4da7-85b6-8f478db5b272": { - "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection", - "sha256": "5a3fd12529c9c80182c6867d42fd64119b65ce06f0106fb6c46537b9f536d9ed", - "type": "eql", - "version": 5 - }, - "63431796-f813-43af-820b-492ee2efec8e": { - "rule_name": "Network Connection Initiated by SSHD Child Process", - "sha256": "bf0ca3359e6f32c685d719787f6adfd48d96993c3b01c42812464e6aaed5aa1c", - "type": "eql", - "version": 3 - }, - "63c05204-339a-11ed-a261-0242ac120002": { - "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", - "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab", - "type": "query", - "version": 6 - }, - "63c056a0-339a-11ed-a261-0242ac120002": { - "rule_name": "Kubernetes Denied Service Account Request", - "sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86", - "type": "query", - "version": 5 - }, - "63c057cc-339a-11ed-a261-0242ac120002": { - "rule_name": "Kubernetes Anonymous Request Authorized", - "sha256": 
"124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd", - "type": "query", - "version": 6 - }, - "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { - "rule_name": "Sensitive Registry Hive Access via RegBack", - "sha256": "5fc949c2d8e00d3580f74fc9c2d044a0ed34182238f186e9c60e3f63df540d87", - "type": "eql", - "version": 2 - }, - "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Network Connection via Signed Binary", - "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", - "type": "eql", - "version": 108 - } - }, + "version": 111 + } + }, + "rule_name": "Account Configured with Never-Expiring Password", + "sha256": "d1a41572216c35257141c8fde9abe70f1cc185ba00383bd8a0a180ce1ce6cbc6", + "type": "query", + "version": 211 + }, + "62b68eb2-1e47-4da7-85b6-8f478db5b272": { + "rule_name": "Potential Non-Standard Port HTTP/HTTPS connection", + "sha256": "5a3fd12529c9c80182c6867d42fd64119b65ce06f0106fb6c46537b9f536d9ed", + "type": "eql", + "version": 5 + }, + "63431796-f813-43af-820b-492ee2efec8e": { + "rule_name": "Network Connection Initiated by SSHD Child Process", + "sha256": "bf0ca3359e6f32c685d719787f6adfd48d96993c3b01c42812464e6aaed5aa1c", + "type": "eql", + "version": 3 + }, + "63c05204-339a-11ed-a261-0242ac120002": { + "rule_name": "Kubernetes Suspicious Assignment of Controller Service Account", + "sha256": "c3c4f5b5422708679b68f0f2fd71e860e9abfdc466e25b9cd35498d8a45cbdab", + "type": "query", + "version": 6 + }, + "63c056a0-339a-11ed-a261-0242ac120002": { + "rule_name": "Kubernetes Denied Service Account Request", + "sha256": "c04f7a46cbbd448139cfef70f2eaf9331faae7a4a1ab9a4a721463034e513e86", + "type": "query", + "version": 5 + }, + "63c057cc-339a-11ed-a261-0242ac120002": { + "rule_name": "Kubernetes Anonymous Request Authorized", + "sha256": "124c7243234a6880e622f6d2f811edd502e2406e6c96ad7066a7306794ced4fd", + "type": "query", + "version": 6 + 
}, + "63e381a6-0ffe-4afb-9a26-72a59ad16d7b": { + "rule_name": "Sensitive Registry Hive Access via RegBack", + "sha256": "5fc949c2d8e00d3580f74fc9c2d044a0ed34182238f186e9c60e3f63df540d87", + "type": "eql", + "version": 2 + }, + "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Network Connection via Signed Binary", - "sha256": "13ab27af642b6257541d2f7dd40e674512caf3615983668154c3cb69ce92212b", - "type": "eql", - "version": 208 - }, - "640f79d1-571d-4f96-a9af-1194fc8cf763": { - "rule_name": "Dynamic Linker Creation or Modification", - "sha256": "17626f3f8f0d9413631123ff3710cc6bbd765919f591f8cc4cb0b3ed798fd72d", - "type": "eql", - "version": 2 - }, - "647fc812-7996-4795-8869-9c4ea595fe88": { - "rule_name": "Anomalous Process For a Linux Population", - "sha256": "a43d2835f72ae42b2a33840b01901aa85c4bcef91e50f5fb8d5ba647ff9bb0e7", - "type": "machine_learning", - "version": 105 - }, - "6482255d-f468-45ea-a5b3-d3a7de1331ae": { - "rule_name": "Modification of Safari Settings via Defaults Command", - "sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012", - "type": "query", - "version": 106 - }, - "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { - "rule_name": "Network Connection via Recently Compiled Executable", - "sha256": "c2a1edb00dafb062774f8a65b34f761d2c5332b1165d4c2282dab5acdd7baeac", + "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", "type": "eql", - "version": 6 - }, - "6506c9fd-229e-4722-8f0f-69be759afd2a": { - "rule_name": "Potential PrintNightmare Exploit Registry Modification", - "sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621", - "type": "eql", - "version": 100 - }, - "65432f4a-e716-4cc1-ab11-931c4966da2d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": 
"861bc19c8f4196effc1ddc59a6929d979c132b0e3a3507da3f10ac1d760a1287", - "type": "eql", - "version": 1 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "41602b6a702f894fa85aeda894b432bf97541e7a789da640b09d1a6ccb020920", - "type": "eql", - "version": 101 - } - }, + "version": 108 + } + }, + "rule_name": "Network Connection via Signed Binary", + "sha256": "13ab27af642b6257541d2f7dd40e674512caf3615983668154c3cb69ce92212b", + "type": "eql", + "version": 208 + }, + "640f79d1-571d-4f96-a9af-1194fc8cf763": { + "rule_name": "Dynamic Linker Creation or Modification", + "sha256": "17626f3f8f0d9413631123ff3710cc6bbd765919f591f8cc4cb0b3ed798fd72d", + "type": "eql", + "version": 2 + }, + "647fc812-7996-4795-8869-9c4ea595fe88": { + "rule_name": "Anomalous Process For a Linux Population", + "sha256": "a43d2835f72ae42b2a33840b01901aa85c4bcef91e50f5fb8d5ba647ff9bb0e7", + "type": "machine_learning", + "version": 105 + }, + "6482255d-f468-45ea-a5b3-d3a7de1331ae": { + "rule_name": "Modification of Safari Settings via Defaults Command", + "sha256": "d6366ceb829546de9ee9785b9be89d03ee27409be5ce45526d3c6041f107f012", + "type": "query", + "version": 106 + }, + "64cfca9e-0f6f-4048-8251-9ec56a055e9e": { + "rule_name": "Network Connection via Recently Compiled Executable", + "sha256": "c2a1edb00dafb062774f8a65b34f761d2c5332b1165d4c2282dab5acdd7baeac", + "type": "eql", + "version": 6 + }, + "6506c9fd-229e-4722-8f0f-69be759afd2a": { + "rule_name": "Potential PrintNightmare Exploit Registry Modification", + "sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621", + "type": "eql", + "version": 100 + }, + "65432f4a-e716-4cc1-ab11-931c4966da2d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, "rule_name": "MsiExec Service Child Process With Network Connection", - "sha256": "f777f01e40e9050b0c782526949a439d855433b0f63892411d709ce8cda391d4", - "type": 
"eql", - "version": 201 - }, - "65f9bccd-510b-40df-8263-334f03174fed": { - "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e", - "type": "query", - "version": 203 - }, - "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { - "rule_name": "Attempt to Mount SMB Share via Command Line", - "sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4", + "sha256": "861bc19c8f4196effc1ddc59a6929d979c132b0e3a3507da3f10ac1d760a1287", "type": "eql", - "version": 107 - }, - "6641a5af-fb7e-487a-adc4-9e6503365318": { - "rule_name": "Suspicious Termination of ESXI Process", - "sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2", + "version": 1 + }, + "8.13": { + "max_allowable_version": 200, + "rule_name": "MsiExec Service Child Process With Network Connection", + "sha256": "41602b6a702f894fa85aeda894b432bf97541e7a789da640b09d1a6ccb020920", "type": "eql", - "version": 6 - }, - "6649e656-6f85-11ef-8876-f661ea17fbcc": { - "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", - "type": "new_terms", - "version": 2 - }, - "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "WebServer Access Logs Deleted", - "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", - "type": "eql", - "version": 107 - } - }, + "version": 101 + } + }, + "rule_name": "MsiExec Service Child Process With Network Connection", + "sha256": "f777f01e40e9050b0c782526949a439d855433b0f63892411d709ce8cda391d4", + "type": "eql", + "version": 201 + }, + "65f9bccd-510b-40df-8263-334f03174fed": { + "rule_name": "Kubernetes Exposed Service Created With Type NodePort", + "sha256": "06a18e9f45ffe718b0156f37a7f5dc289078a2410a0e6ecb968b500a0e55378e", + "type": 
"query", + "version": 203 + }, + "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { + "rule_name": "Attempt to Mount SMB Share via Command Line", + "sha256": "2c9e3ab0668460f3f7e260f9353b575c300c84e6f8cded54fc5d21d659f4dbc4", + "type": "eql", + "version": 107 + }, + "6641a5af-fb7e-487a-adc4-9e6503365318": { + "rule_name": "Suspicious Termination of ESXI Process", + "sha256": "fded063447d8a8cf285be279a1620dacabff131d93f8fe4836a029e9fedf3ce2", + "type": "eql", + "version": 6 + }, + "6649e656-6f85-11ef-8876-f661ea17fbcc": { + "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", + "sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d", + "type": "new_terms", + "version": 3 + }, + "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "WebServer Access Logs Deleted", - "sha256": "615a81cd545877582b84f8a6524858b3762c49019fa6fc3286e441330c854938", - "type": "eql", - "version": 207 - }, - "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { - "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", - "sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a", - "type": "eql", - "version": 7 - }, - "66883649-f908-4a5b-a1e0-54090a1d3a32": { - "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "6ee19e30f1b9b03cb860b685a9b64b35926db4749f7f4bec889b9061a34dd99f", + "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", "type": "eql", - "version": 116 - }, - "66c058f3-99f4-4d18-952b-43348f2577a0": { - "rule_name": "Linux Process Hooking via GDB", - "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d", - "type": "eql", - "version": 3 - }, - "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { - "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": "a39e945c3402e4c0c2dbb298ac6967a111eed708c37dc104c0883a65040b4115", - "type": "eql", - "version": 
207 - }, - "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 112, - "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804", - "type": "query", - "version": 13 - } - }, + "version": 107 + } + }, + "rule_name": "WebServer Access Logs Deleted", + "sha256": "615a81cd545877582b84f8a6524858b3762c49019fa6fc3286e441330c854938", + "type": "eql", + "version": 207 + }, + "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { + "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", + "sha256": "9727c97648fb4b3afac9d4f9c9f0004fc5c2c23794cdd3be99f8df2b6ba1192a", + "type": "eql", + "version": 7 + }, + "66883649-f908-4a5b-a1e0-54090a1d3a32": { + "rule_name": "Connection to Commonly Abused Web Services", + "sha256": "6ee19e30f1b9b03cb860b685a9b64b35926db4749f7f4bec889b9061a34dd99f", + "type": "eql", + "version": 116 + }, + "66c058f3-99f4-4d18-952b-43348f2577a0": { + "rule_name": "Linux Process Hooking via GDB", + "sha256": "fbf357ed1d47b111ab6c612f8c15fd075755ac177461906e07824d7a0df4061d", + "type": "eql", + "version": 3 + }, + "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { + "rule_name": "Suspicious macOS MS Office Child Process", + "sha256": "a39e945c3402e4c0c2dbb298ac6967a111eed708c37dc104c0883a65040b4115", + "type": "eql", + "version": 207 + }, + "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 112, "rule_name": "Modification of the msPKIAccountCredentials", - "sha256": "dc7f9e08e370facf03fd788985647ead45419455fbd6e63b7c489088770b941b", - "type": "query", - "version": 113 - }, - "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { - "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", - "type": "query", - "version": 207 - }, - "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { - 
"rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb", - "type": "query", - "version": 206 - }, - "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { - "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", - "type": "query", - "version": 207 - }, - "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { - "rule_name": "SMTP to the Internet", - "sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d", + "sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804", "type": "query", - "version": 100 - }, - "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { - "rule_name": "High Number of Process Terminations", - "sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3", - "type": "threshold", - "version": 112 - }, - "68113fdc-3105-4cdd-85bb-e643c416ef0b": { - "rule_name": "Query Registry via reg.exe", - "sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9", - "type": "eql", - "version": 100 - }, - "6839c821-011d-43bd-bd5b-acff00257226": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Image File Execution Options Injection", - "sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Image File Execution Options Injection", - "sha256": "9cd61cbd2e186a7e79c84c63453170d959f8a17ba7f17226d7b751d3eb3401a0", - "type": "eql", - "version": 209 - } - }, + "version": 13 + } + }, + "rule_name": "Modification of the msPKIAccountCredentials", + "sha256": "dc7f9e08e370facf03fd788985647ead45419455fbd6e63b7c489088770b941b", + "type": "query", + "version": 113 + }, + "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": 
"391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876", + "type": "query", + "version": 208 + }, + "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { + "rule_name": "O365 Mailbox Audit Logging Bypass", + "sha256": "a61d567175526ad5bc735b093f276d0725a0ca9784d8b72754091e0b9abf70bb", + "type": "query", + "version": 206 + }, + "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7", + "type": "query", + "version": 208 + }, + "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { + "rule_name": "SMTP to the Internet", + "sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d", + "type": "query", + "version": 100 + }, + "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { + "rule_name": "High Number of Process Terminations", + "sha256": "d3bd89f023aef73df6cbe19662e02ef77275c87754f04ca44279e2d30f28c5b3", + "type": "threshold", + "version": 112 + }, + "68113fdc-3105-4cdd-85bb-e643c416ef0b": { + "rule_name": "Query Registry via reg.exe", + "sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9", + "type": "eql", + "version": 100 + }, + "6839c821-011d-43bd-bd5b-acff00257226": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Image File Execution Options Injection", - "sha256": "a0e0e9db739a9599f432f5b67c38f79f2d78548a4048ada364cc2a77c63ad808", + "sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3", "type": "eql", - "version": 309 - }, - "684554fc-0777-47ce-8c9b-3d01f198d7f8": { - "rule_name": "New or Modified Federation Domain", - "sha256": "63bfcc3ca67c6279f1ed85c444ec4e840c389f3695e4228ed07f322caf108344", - "type": "query", - "version": 207 - }, - "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { - "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", - "type": "query", - 
"version": 206 - }, - "68921d85-d0dc-48b3-865f-43291ca2c4f2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "aea25737ded0865363c221c0d1752131a0e908cbb4968ff2138d90d22cb790f1", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "5ea5116cd208e91c51260783d73f21acff4cc3285956fefc376e9fae3941f1b9", - "type": "eql", - "version": 211 - } - }, + "version": 110 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Image File Execution Options Injection", + "sha256": "9cd61cbd2e186a7e79c84c63453170d959f8a17ba7f17226d7b751d3eb3401a0", + "type": "eql", + "version": 209 + } + }, + "rule_name": "Image File Execution Options Injection", + "sha256": "a0e0e9db739a9599f432f5b67c38f79f2d78548a4048ada364cc2a77c63ad808", + "type": "eql", + "version": 309 + }, + "684554fc-0777-47ce-8c9b-3d01f198d7f8": { + "rule_name": "New or Modified Federation Domain", + "sha256": "63bfcc3ca67c6279f1ed85c444ec4e840c389f3695e4228ed07f322caf108344", + "type": "query", + "version": 207 + }, + "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { + "rule_name": "Okta ThreatInsight Threat Suspected Promotion", + "sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac", + "type": "query", + "version": 207 + }, + "68921d85-d0dc-48b3-865f-43291ca2c4f2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "2fd641da34b3e33350d5383abc041918e68bc659379ad9165fbe3039f88c757f", + "sha256": "aea25737ded0865363c221c0d1752131a0e908cbb4968ff2138d90d22cb790f1", "type": "eql", - "version": 311 - }, - "68994a6c-c7ba-4e82-b476-26a26877adf6": { - "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": 
"6286d75656a1400145ea6bcf0cb02194f46a8678a76395dbace1577060570643", - "type": "query", - "version": 207 - }, - "689b9d57-e4d5-4357-ad17-9c334609d79a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07", - "type": "eql", - "version": 108 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", + "sha256": "5ea5116cd208e91c51260783d73f21acff4cc3285956fefc376e9fae3941f1b9", + "type": "eql", + "version": 211 + } + }, + "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", + "sha256": "ae80e6eef7f02f152d24f72778eb22b6f998fffe08710ced5a60d17513f2ba50", + "type": "eql", + "version": 312 + }, + "68994a6c-c7ba-4e82-b476-26a26877adf6": { + "rule_name": "Google Workspace Admin Role Assigned to a User", + "sha256": "6286d75656a1400145ea6bcf0cb02194f46a8678a76395dbace1577060570643", + "type": "query", + "version": 207 + }, + "689b9d57-e4d5-4357-ad17-9c334609d79a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "bb5ce1fe0201d211c3e0ee4e797372019294920771fb9be33e2e03799c925f41", + "sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07", "type": "eql", - "version": 208 - }, - "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { - "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399", - "type": "query", - "version": 209 - }, - "68ad737b-f90a-4fe5-bda6-a68fa460044e": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef", - 
"type": "eql", - "version": 2 - } - }, + "version": 108 + } + }, + "rule_name": "Scheduled Task Created by a Windows Script", + "sha256": "bb5ce1fe0201d211c3e0ee4e797372019294920771fb9be33e2e03799c925f41", + "type": "eql", + "version": 208 + }, + "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { + "rule_name": "AWS CloudWatch Log Group Deletion", + "sha256": "9cb4442436198c82ac0e0fefebd6627d23a5dcb0db8fc9088a51ab31fc9ea399", + "type": "query", + "version": 209 + }, + "68ad737b-f90a-4fe5-bda6-a68fa460044e": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, "rule_name": "Suspicious Access to LDAP Attributes", - "sha256": "ea3607c104e47097033fed5ea9538819d7ee0e258c4956660fe6bdb792e9e9c4", + "sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef", "type": "eql", - "version": 102 - }, - "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { - "rule_name": "AWS RDS DB Snapshot Created", - "sha256": "972c43b3af38053965d950138537310a6389c29d66d68617fbafc87b01aa6a31", - "type": "query", - "version": 1 - }, - "68d56fdc-7ffa-4419-8e95-81641bd6f845": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "e54698612562724862eabf289b6a0256473aa6af882b84aa9a4fdc520b15c22e", - "type": "eql", - "version": 110 - } - }, + "version": 2 + } + }, + "rule_name": "Suspicious Access to LDAP Attributes", + "sha256": "ea3607c104e47097033fed5ea9538819d7ee0e258c4956660fe6bdb792e9e9c4", + "type": "eql", + "version": 102 + }, + "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { + "rule_name": "AWS RDS DB Snapshot Created", + "sha256": "972c43b3af38053965d950138537310a6389c29d66d68617fbafc87b01aa6a31", + "type": "query", + "version": 1 + }, + "68d56fdc-7ffa-4419-8e95-81641bd6f845": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": 
"d9f1796c6d6ad026fc2376b376520d5553dcbd8c64035bb1e86132a90634d94c", + "sha256": "e54698612562724862eabf289b6a0256473aa6af882b84aa9a4fdc520b15c22e", "type": "eql", - "version": 210 - }, - "6951f15e-533c-4a60-8014-a3c3ab851a1b": { - "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e", - "type": "query", - "version": 106 - }, - "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { - "min_stack_version": "8.13", - "rule_name": "AWS IAM User Created Access Keys For Another User", - "sha256": "510bb33cd6e4ff669488ead2bbf9cd16c6edfe7b3dc3e34f21ac9bdbd363c379", - "type": "esql", - "version": 3 - }, - "699e9fdb-b77c-4c01-995c-1c15019b9c43": { - "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", - "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85", - "type": "threat_match", - "version": 204 - }, - "69c116bb-d86f-48b0-857d-3648511a6cac": { - "rule_name": "Suspicious rc.local Error Message", - "sha256": "5ca0e055dc47c8c359d83d3c42388f2d1da1c8bb7fd5b309f29e81d5e4d767d5", - "type": "query", - "version": 2 - }, - "69c251fb-a5d6-4035-b5ec-40438bd829ff": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Modification of Boot Configuration", - "sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Modification of Boot Configuration", - "sha256": "84b303918d680f78c54255bfee90e9c6b45ad43925858f14ee5a3670c8dec812", - "type": "eql", - "version": 210 - } - }, + "version": 110 + } + }, + "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", + "sha256": "d9f1796c6d6ad026fc2376b376520d5553dcbd8c64035bb1e86132a90634d94c", + "type": "eql", + "version": 210 + }, + "6951f15e-533c-4a60-8014-a3c3ab851a1b": { + "rule_name": "AWS KMS Customer Managed Key Disabled 
or Scheduled for Deletion", + "sha256": "6c3939d29a97cd2645ecc292c9f864da41ba0b3d159eec992c7ef6dec115d08e", + "type": "query", + "version": 106 + }, + "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM User Created Access Keys For Another User", + "sha256": "0007bd73ca11b0b6f5300662fa4863050840bc67ef764048a14b63a4a6e1c038", + "type": "esql", + "version": 4 + }, + "699e9fdb-b77c-4c01-995c-1c15019b9c43": { + "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", + "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85", + "type": "threat_match", + "version": 204 + }, + "69c116bb-d86f-48b0-857d-3648511a6cac": { + "rule_name": "Suspicious rc.local Error Message", + "sha256": "5ca0e055dc47c8c359d83d3c42388f2d1da1c8bb7fd5b309f29e81d5e4d767d5", + "type": "query", + "version": 2 + }, + "69c251fb-a5d6-4035-b5ec-40438bd829ff": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Modification of Boot Configuration", - "sha256": "b2c05a97eba046c7caad0bc09646ce54474970cc6b9034189731b9b08c6fc267", + "sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672", "type": "eql", - "version": 310 - }, - "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { - "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df", - "type": "query", - "version": 206 - }, - "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { - "rule_name": "Attempt to Disable Auditd Service", - "sha256": "18dfc5c1f6dcffb90d7eccf1b9512ec335538d410a838cd95c25f0ba6788fc7f", + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Modification of Boot Configuration", + "sha256": "84b303918d680f78c54255bfee90e9c6b45ad43925858f14ee5a3670c8dec812", "type": "eql", - "version": 1 - }, - "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { - "rule_name": "EC2 AMI Shared with Another Account", - 
"sha256": "0c4ef4f51a8579747372ea43f8369add1855a2c4ca49c0059a91aca3c86b15e1", - "type": "query", - "version": 2 - }, - "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "a5aca0cae7c3d4e2af72e551b196aa734185edb840e64a44250875f56954f40e", - "type": "eql", - "version": 210 - } - }, + "version": 210 + } + }, + "rule_name": "Modification of Boot Configuration", + "sha256": "191ff5cfc3df060d64cd80442331785e547236bc47cde601d473c2839019123c", + "type": "eql", + "version": 311 + }, + "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { + "rule_name": "AWS IAM Password Recovery Requested", + "sha256": "a1e54060fd73ea81b4a91323553b6cdec9bd5fb0b973ef8201983c73b45ac3df", + "type": "query", + "version": 206 + }, + "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf": { + "rule_name": "Attempt to Disable Auditd Service", + "sha256": "18dfc5c1f6dcffb90d7eccf1b9512ec335538d410a838cd95c25f0ba6788fc7f", + "type": "eql", + "version": 1 + }, + "6a309864-fc3f-11ee-b8cc-f661ea17fbce": { + "rule_name": "EC2 AMI Shared with Another Account", + "sha256": "0c4ef4f51a8579747372ea43f8369add1855a2c4ca49c0059a91aca3c86b15e1", + "type": "query", + "version": 2 + }, + "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "43459eeea6bab6c7fd87826c312985fcadb070763b879b2c8918b3cec2435895", + "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", "type": "eql", - "version": 310 - }, - "6aace640-e631-4870-ba8e-5fdda09325db": { - 
"min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 415, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "f59e6b0937b1a1ec0da32d1ced5e54224ce51ff3c12f6ef795d4c46104d824ce", - "type": "eql", - "version": 316 - } - }, + "version": 110 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Unusual Service Host Child Process - Childless Service", + "sha256": "a5aca0cae7c3d4e2af72e551b196aa734185edb840e64a44250875f56954f40e", + "type": "eql", + "version": 210 + } + }, + "rule_name": "Unusual Service Host Child Process - Childless Service", + "sha256": "43459eeea6bab6c7fd87826c312985fcadb070763b879b2c8918b3cec2435895", + "type": "eql", + "version": 310 + }, + "6aace640-e631-4870-ba8e-5fdda09325db": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "7c970fb736e31c766d17dd9c1adb62a815fdd185c2f003ab7df0e32e985515cc", + "sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a", "type": "eql", - "version": 416 - }, - "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { - "rule_name": "Suspicious Utility Launched via ProxyChains", - "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", + "version": 112 + }, + "8.13": { + "max_allowable_version": 415, + "rule_name": "Exporting Exchange Mailbox via PowerShell", + "sha256": "f59e6b0937b1a1ec0da32d1ced5e54224ce51ff3c12f6ef795d4c46104d824ce", "type": "eql", - "version": 7 - }, - "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { - "rule_name": "Sensitive Files Compression", - "sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50", - "type": "new_terms", - "version": 208 - }, - 
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "a51928cc4f489accb73c5623006f11d187ddfced85856c1753810c11a3e6ad96", - "type": "eql", - "version": 108 - } - }, + "version": 316 + } + }, + "rule_name": "Exporting Exchange Mailbox via PowerShell", + "sha256": "f630ebc0372153fafb100d4dba68e9a37b8c2997eead17632bd5df3bed2843b4", + "type": "eql", + "version": 417 + }, + "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { + "rule_name": "Suspicious Utility Launched via ProxyChains", + "sha256": "d905f66dbe947bfcc9537eb0ce37abd9f10bf4effcffc43e454399feec107fb2", + "type": "eql", + "version": 7 + }, + "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { + "rule_name": "Sensitive Files Compression", + "sha256": "a50308d629258169646a68897f01fed70056c172b984b4d7b643f78da9835e50", + "type": "new_terms", + "version": 208 + }, + "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "81dd8799d02ef1ea7d54b9def9a1ab5cddb29910c2a88f978b310fc8b0b4b232", + "sha256": "a51928cc4f489accb73c5623006f11d187ddfced85856c1753810c11a3e6ad96", "type": "eql", - "version": 208 - }, - "6c6bb7ea-0636-44ca-b541-201478ef6b50": { - "rule_name": "Container Management Utility Run Inside A Container", - "sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d", - "type": "eql", - "version": 2 - }, - "6cd1779c-560f-4b68-a8f1-11009b27fe63": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Microsoft Exchange Server UM 
Writing Suspicious Files", - "sha256": "5c11225cdbbc4109678a5ed167332604297fd7074668973d0b0112b3b4052f3a", - "type": "eql", - "version": 208 - } - }, + "version": 108 + } + }, + "rule_name": "Remote Computer Account DnsHostName Update", + "sha256": "81dd8799d02ef1ea7d54b9def9a1ab5cddb29910c2a88f978b310fc8b0b4b232", + "type": "eql", + "version": 208 + }, + "6c6bb7ea-0636-44ca-b541-201478ef6b50": { + "rule_name": "Container Management Utility Run Inside A Container", + "sha256": "34ba8d894c34042f9a4c326daee9871fc209a1e209058b9f6a0f8ad30eeec04d", + "type": "eql", + "version": 2 + }, + "6cd1779c-560f-4b68-a8f1-11009b27fe63": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "2fb47f8769b5103eed7d0e994a27d88daa89b306a570f96a16b4a7143462ea24", + "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", "type": "eql", - "version": 308 - }, - "6cea88e4-6ce2-4238-9981-a54c140d6336": { - "rule_name": "GitHub Repo Created", - "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", + "version": 108 + }, + "8.13": { + "max_allowable_version": 307, + "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", + "sha256": "5c11225cdbbc4109678a5ed167332604297fd7074668973d0b0112b3b4052f3a", "type": "eql", - "version": 1 - }, - "6d448b96-c922-4adb-b51c-b767f1ea5b76": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Unusual Process For a Windows Host", - "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203", - "type": "machine_learning", - "version": 111 - } - }, + "version": 208 + } + }, + "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", + "sha256": "2fb47f8769b5103eed7d0e994a27d88daa89b306a570f96a16b4a7143462ea24", + "type": "eql", + "version": 308 + }, + "6cea88e4-6ce2-4238-9981-a54c140d6336": { + 
"rule_name": "GitHub Repo Created", + "sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126", + "type": "eql", + "version": 2 + }, + "6d448b96-c922-4adb-b51c-b767f1ea5b76": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Unusual Process For a Windows Host", - "sha256": "76043082e1635afa431a0b6ffd9156292fcec2cb34e12c1d3d5f8a4ac354c8da", + "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203", "type": "machine_learning", - "version": 211 - }, - "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { - "rule_name": "Potential Privilege Escalation via CVE-2023-4911", - "sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0", - "type": "eql", - "version": 4 - }, - "6ded0996-7d4b-40f2-bf4a-6913e7591795": { - "rule_name": "Root Certificate Installation", - "sha256": "823b635b9abe083d089b09bad1fedea72c47d6079538298c3c4059448d5226f2", - "type": "eql", - "version": 2 - }, - "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", - "sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6", - "type": "new_terms", - "version": 8 - } - }, + "version": 111 + } + }, + "rule_name": "Unusual Process For a Windows Host", + "sha256": "76043082e1635afa431a0b6ffd9156292fcec2cb34e12c1d3d5f8a4ac354c8da", + "type": "machine_learning", + "version": 211 + }, + "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { + "rule_name": "Potential Privilege Escalation via CVE-2023-4911", + "sha256": "43e59c39d821bf39fd6c407a1be82ae2dc2413f7e5cdf21020ca39f4579609c0", + "type": "eql", + "version": 4 + }, + "6ded0996-7d4b-40f2-bf4a-6913e7591795": { + "rule_name": "Root Certificate Installation", + "sha256": "823b635b9abe083d089b09bad1fedea72c47d6079538298c3c4059448d5226f2", + "type": "eql", + "version": 2 + }, + 
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", - "sha256": "a8bbd1a9cdafc77c48549535f3b93376cad74a043e69ead9323c875d7feb04d9", + "sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6", "type": "new_terms", - "version": 108 - }, - "6e40d56f-5c0e-4ac6-aece-bee96645b172": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Anomalous Process For a Windows Population", - "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623", - "type": "machine_learning", - "version": 108 - } - }, + "version": 8 + } + }, + "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", + "sha256": "a8bbd1a9cdafc77c48549535f3b93376cad74a043e69ead9323c875d7feb04d9", + "type": "new_terms", + "version": 108 + }, + "6e40d56f-5c0e-4ac6-aece-bee96645b172": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Anomalous Process For a Windows Population", - "sha256": "849904e5601ed2b7ca539b15e1b20c3d5fd3a966683bc5a5f0cfa7101f0edcd9", + "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623", "type": "machine_learning", - "version": 208 - }, - "6e9130a5-9be6-48e5-943a-9628bfc74b18": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "AdminSDHolder Backdoor", - "sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe", - "type": "query", - "version": 110 - } - }, + "version": 108 + } + }, + "rule_name": "Anomalous Process For a Windows Population", + "sha256": "849904e5601ed2b7ca539b15e1b20c3d5fd3a966683bc5a5f0cfa7101f0edcd9", + "type": "machine_learning", + "version": 208 + }, + "6e9130a5-9be6-48e5-943a-9628bfc74b18": { + "min_stack_version": "8.14", + "previous": { + "8.11": { 
+ "max_allowable_version": 209, "rule_name": "AdminSDHolder Backdoor", - "sha256": "d92aec3ae515b2f1ef5ead2567d90bf9ed286c98404ada51b490d78121809360", + "sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe", "type": "query", - "version": 210 - }, - "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { - "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd", - "type": "eql", - "version": 207 - }, - "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75", - "type": "eql", - "version": 109 - } - }, + "version": 110 + } + }, + "rule_name": "AdminSDHolder Backdoor", + "sha256": "d92aec3ae515b2f1ef5ead2567d90bf9ed286c98404ada51b490d78121809360", + "type": "query", + "version": 210 + }, + "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { + "rule_name": "Enumeration of Users or Groups via Built-in Commands", + "sha256": "3eb0d320290f508310e7c0efbd51d6f2caa9acc4ca1879e192e0cc53658e62bd", + "type": "eql", + "version": 207 + }, + "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "e7158ede633bc5e943fe69d3f0dd3ca7dbbb2dcd7c6be7221419dbeb34619d36", + "sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75", "type": "eql", - "version": 209 - }, - "6ea55c81-e2ba-42f2-a134-bccf857ba922": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Security Software Discovery using WMIC", - "sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31", - "type": "eql", - "version": 114 - } - }, + "version": 109 + } + }, + "rule_name": 
"Potential Windows Error Manager Masquerading", + "sha256": "e7158ede633bc5e943fe69d3f0dd3ca7dbbb2dcd7c6be7221419dbeb34619d36", + "type": "eql", + "version": 209 + }, + "6ea55c81-e2ba-42f2-a134-bccf857ba922": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "Security Software Discovery using WMIC", - "sha256": "46ce350a70ad18636cde452bd1c45f325da59e8b2412b135766d037a3944a288", + "sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31", "type": "eql", - "version": 214 - }, - "6ea71ff0-9e95-475b-9506-2580d1ce6154": { - "rule_name": "DNS Activity to the Internet", - "sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622", - "type": "query", - "version": 100 - }, - "6ee947e9-de7e-4281-a55d-09289bdf947e": { - "rule_name": "Potential Linux Tunneling and/or Port Forwarding", - "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", - "type": "eql", - "version": 7 - }, - "6f024bde-7085-489b-8250-5957efdf1caf": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "2ee2291d359018227fac96405ae5bd6ac5dba317d4dc3822fa5bd4382a4dddce", - "type": "eql", - "version": 2 - } - }, + "version": 114 + } + }, + "rule_name": "Security Software Discovery using WMIC", + "sha256": "46ce350a70ad18636cde452bd1c45f325da59e8b2412b135766d037a3944a288", + "type": "eql", + "version": 214 + }, + "6ea71ff0-9e95-475b-9506-2580d1ce6154": { + "rule_name": "DNS Activity to the Internet", + "sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622", + "type": "query", + "version": 100 + }, + "6ee947e9-de7e-4281-a55d-09289bdf947e": { + "rule_name": "Potential Linux Tunneling and/or Port Forwarding", + "sha256": "e7974fdba41cd2ce4d8ff22447cfab64cec739f3dd5bc0ab0749e92fc578bcf8", + "type": "eql", + "version": 7 + }, + "6f024bde-7085-489b-8250-5957efdf1caf": { 
+ "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, "rule_name": "Active Directory Group Modification by SYSTEM", - "sha256": "3a007cf6213892afdb51e38c653b7fbb54d64d355bfe16ae31a77fa323fd5fbd", + "sha256": "2ee2291d359018227fac96405ae5bd6ac5dba317d4dc3822fa5bd4382a4dddce", "type": "eql", - "version": 102 - }, - "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { - "rule_name": "SSH (Secure Shell) to the Internet", - "sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5", - "type": "query", - "version": 100 - }, - "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { - "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", - "type": "new_terms", "version": 2 - }, - "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { - "rule_name": "Google Workspace Role Modified", - "sha256": "6de799b5422ffa174ed80888e29825c58384f7591ac7fadce324ff2fdce2a998", - "type": "query", - "version": 206 - }, - "6f683345-bb10-47a7-86a7-71e9c24fb358": { - "rule_name": "Linux Restricted Shell Breakout via the find command", - "sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6", - "type": "eql", - "version": 100 - }, - "7024e2a0-315d-4334-bb1a-441c593e16ab": { - "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "f23d0872d802001bbc030b70a5f6be00760eb331e2c1ea06a5e57d15d2e336c9", - "type": "query", - "version": 209 - }, - "7024e2a0-315d-4334-bb1a-552d604f27bc": { - "rule_name": "AWS Config Resource Deletion", - "sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f", - "type": "query", - "version": 209 - }, - "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Suspicious Execution via MSIEXEC", - "sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27", - "type": "eql", - "version": 3 - } - }, + } + }, + 
"rule_name": "Active Directory Group Modification by SYSTEM", + "sha256": "3a007cf6213892afdb51e38c653b7fbb54d64d355bfe16ae31a77fa323fd5fbd", + "type": "eql", + "version": 102 + }, + "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { + "rule_name": "SSH (Secure Shell) to the Internet", + "sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5", + "type": "query", + "version": 100 + }, + "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { + "rule_name": "First Occurrence of Okta User Session Started via Proxy", + "sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9", + "type": "new_terms", + "version": 3 + }, + "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { + "rule_name": "Google Workspace Role Modified", + "sha256": "6de799b5422ffa174ed80888e29825c58384f7591ac7fadce324ff2fdce2a998", + "type": "query", + "version": 206 + }, + "6f683345-bb10-47a7-86a7-71e9c24fb358": { + "rule_name": "Linux Restricted Shell Breakout via the find command", + "sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6", + "type": "eql", + "version": 100 + }, + "7024e2a0-315d-4334-bb1a-441c593e16ab": { + "rule_name": "AWS CloudTrail Log Deleted", + "sha256": "b2f7ce631f07fd56f2182a2d89e94a7b72a8f17e0957f25048b089de04c78dec", + "type": "query", + "version": 210 + }, + "7024e2a0-315d-4334-bb1a-552d604f27bc": { + "rule_name": "AWS Config Resource Deletion", + "sha256": "9e3a32ce84c33e0a345a34c6f398fb54f346bd1d0683e6a1dc87f8957b4b140f", + "type": "query", + "version": 209 + }, + "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "Suspicious Execution via MSIEXEC", - "sha256": "ebca825d8f82f3442cf31f625828e5423889ecb4f613cd0a3a06c3e0ca9cd8a4", + "sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27", "type": "eql", - "version": 103 - }, - "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { - "rule_name": "Persistence via WMI Standard Registry Provider", 
- "sha256": "48ce070e2534c85222ae42380aff08e9cf1051209120195a41abb438dd4f8f6e", + "version": 3 + } + }, + "rule_name": "Suspicious Execution via MSIEXEC", + "sha256": "ebca825d8f82f3442cf31f625828e5423889ecb4f613cd0a3a06c3e0ca9cd8a4", + "type": "eql", + "version": 103 + }, + "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { + "rule_name": "Persistence via WMI Standard Registry Provider", + "sha256": "48ce070e2534c85222ae42380aff08e9cf1051209120195a41abb438dd4f8f6e", + "type": "eql", + "version": 109 + }, + "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { + "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", + "sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47", + "type": "query", + "version": 106 + }, + "7164081a-3930-11ed-a261-0242ac120002": { + "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", + "sha256": "32963011dca38553023a0d151758f181bed528bee5ecb5b09ac7e98db6994910", + "type": "query", + "version": 5 + }, + "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { + "rule_name": "Modification of Dynamic Linker Preload Shared Object", + "sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40", + "type": "new_terms", + "version": 209 + }, + "71bccb61-e19b-452f-b104-79a60e546a95": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 214, + "rule_name": "Unusual File Creation - Alternate Data Stream", + "sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297", "type": "eql", - "version": 109 - }, - "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { - "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": "0ac39c7e21a70ea619a342065d004f5c51d563df631af84fa09a327437843b47", - "type": "query", - "version": 106 - }, - "7164081a-3930-11ed-a261-0242ac120002": { - "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", - "sha256": "32963011dca38553023a0d151758f181bed528bee5ecb5b09ac7e98db6994910", - 
"type": "query", - "version": 5 - }, - "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { - "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "593012691955c843d367110658df0c195a220829f73a237e8fadc2d4b0ce1b40", - "type": "new_terms", - "version": 209 - }, - "71bccb61-e19b-452f-b104-79a60e546a95": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 214, - "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297", - "type": "eql", - "version": 115 - }, - "8.13": { - "max_allowable_version": 314, - "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "3602a1e97b87858224410b312b908c03fd8de29c7043c6e494f1f906e12bcc30", - "type": "eql", - "version": 215 - } - }, + "version": 115 + }, + "8.13": { + "max_allowable_version": 314, "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "265742cf965a3ba843e506c2a3b295f9cbd5d86e7cd45f85a3135b441230d12e", + "sha256": "3602a1e97b87858224410b312b908c03fd8de29c7043c6e494f1f906e12bcc30", "type": "eql", - "version": 315 - }, - "71c5cb27-eca5-4151-bb47-64bc3f883270": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8", - "type": "eql", - "version": 110 - } - }, + "version": 215 + } + }, + "rule_name": "Unusual File Creation - Alternate Data Stream", + "sha256": "265742cf965a3ba843e506c2a3b295f9cbd5d86e7cd45f85a3135b441230d12e", + "type": "eql", + "version": 315 + }, + "71c5cb27-eca5-4151-bb47-64bc3f883270": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "8225645357459c0d58f7893ad549d29d2962f1d7223312aab7feb5c8b918fc68", + "sha256": 
"64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8", "type": "eql", - "version": 210 - }, - "71d6a53d-abbd-40df-afee-c21fff6aafb0": { - "rule_name": "Suspicious Passwd File Event Action", - "sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2", + "version": 110 + } + }, + "rule_name": "Suspicious RDP ActiveX Client Loaded", + "sha256": "8225645357459c0d58f7893ad549d29d2962f1d7223312aab7feb5c8b918fc68", + "type": "eql", + "version": 210 + }, + "71d6a53d-abbd-40df-afee-c21fff6aafb0": { + "rule_name": "Suspicious Passwd File Event Action", + "sha256": "e030929c0ce21a679a3931586b3e70cecc18c849100b3ae52bc4374ca17cbcb2", + "type": "eql", + "version": 3 + }, + "71de53ea-ff3b-11ee-b572-f661ea17fbce": { + "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", + "sha256": "221735c970fc3e380f11afa20a31274e578aab37486d9b912fe880f215412ddb", + "type": "query", + "version": 2 + }, + "721999d0-7ab2-44bf-b328-6e63367b9b29": { + "rule_name": "Microsoft 365 Potential ransomware activity", + "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", + "type": "query", + "version": 206 + }, + "725a048a-88c5-4fc7-8677-a44fc0031822": { + "min_stack_version": "8.13", + "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", + "sha256": "34978ee634354ab60ca9b666477fc311458de3badb024f148a5005ee0469187b", + "type": "esql", + "version": 3 + }, + "729aa18d-06a6-41c7-b175-b65b739b1181": { + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff", + "type": "query", + "version": 208 + }, + "72d33577-f155-457d-aad3-379f9b750c97": { + "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", + "sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6", + "type": "eql", + "version": 100 + }, + "72ed9140-fe9d-4a34-a026-75b50e484b17": { + "rule_name": "Unusual 
Discovery Signal Alert with Unusual Process Executable", + "sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9", + "type": "new_terms", + "version": 2 + }, + "730ed57d-ae0f-444f-af50-78708b57edd5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "Suspicious JetBrains TeamCity Child Process", + "sha256": "54016ee23f49287a4fae596a255b45db62a996943f8881ff1dfb1fd2fb8920e7", "type": "eql", "version": 3 - }, - "71de53ea-ff3b-11ee-b572-f661ea17fbce": { - "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", - "sha256": "221735c970fc3e380f11afa20a31274e578aab37486d9b912fe880f215412ddb", - "type": "query", - "version": 2 - }, - "721999d0-7ab2-44bf-b328-6e63367b9b29": { - "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "c4aa9e181be0c938309c1841f3a5de34116bfe2a8a734e1a92fd928af5ef644f", - "type": "query", - "version": 206 - }, - "725a048a-88c5-4fc7-8677-a44fc0031822": { - "min_stack_version": "8.13", - "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", - "sha256": "0d8c4f63b2c1118c7f733ba63e750d4be576cc723a90b009d54d738150a26f7b", - "type": "esql", - "version": 2 - }, - "729aa18d-06a6-41c7-b175-b65b739b1181": { - "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", - "type": "query", - "version": 207 - }, - "72d33577-f155-457d-aad3-379f9b750c97": { - "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", - "sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6", - "type": "eql", - "version": 100 - }, - "72ed9140-fe9d-4a34-a026-75b50e484b17": { - "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", - "sha256": "b904f25bf5bb414b7b11d0a216395926f40e0ee77abebc5f9b7d19b0e35837d9", - "type": "new_terms", - "version": 2 - }, - 
"730ed57d-ae0f-444f-af50-78708b57edd5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "54016ee23f49287a4fae596a255b45db62a996943f8881ff1dfb1fd2fb8920e7", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "e855ed53b4cfc63e2e39c9229565a1c01d7d48221d8070d431e8dc9e876c8f50", - "type": "eql", - "version": 103 - } - }, + }, + "8.13": { + "max_allowable_version": 202, "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "ae1341f2955bd09f391d9e1c7a700bda4d7f98485c0639ce3a9296fd402d7f36", - "type": "eql", - "version": 203 - }, - "7318affb-bfe8-4d50-a425-f617833be160": { - "rule_name": "Potential Execution of rc.local Script", - "sha256": "a1de5406513b29e7517ce6db0a932eed198d6f6646dde0fa92bfd7cc13817aa2", + "sha256": "e855ed53b4cfc63e2e39c9229565a1c01d7d48221d8070d431e8dc9e876c8f50", "type": "eql", - "version": 2 - }, - "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "d92a7d07cb5e81322f02fb2a7166dbdd70da750fa76141da1b95cb31663d9448", - "type": "eql", - "version": 112 - } - }, + "version": 103 + } + }, + "rule_name": "Suspicious JetBrains TeamCity Child Process", + "sha256": "ae1341f2955bd09f391d9e1c7a700bda4d7f98485c0639ce3a9296fd402d7f36", + "type": "eql", + "version": 203 + }, + "7318affb-bfe8-4d50-a425-f617833be160": { + "rule_name": "Potential Execution of rc.local Script", + "sha256": "a1de5406513b29e7517ce6db0a932eed198d6f6646dde0fa92bfd7cc13817aa2", + "type": "eql", + "version": 2 + }, + "734239fe-eda8-48c0-bca8-9e3dafd81a88": { + "rule_name": "Curl SOCKS Proxy Activity from Unusual Parent", + "sha256": 
"335243f27a9e9ed1e3642e492e90d9884c17019a2822331a668c6e48b82c46c4", + "type": "eql", + "version": 1 + }, + "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "c31f8fce3143f7e8eb7fcff3e3855ec68728dbb708d60e35ebc951c8dea7b0a5", - "type": "eql", - "version": 212 - }, - "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { - "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", - "sha256": "b170681fb44115e54ae79d975287efafd1d43ef7e8ee33af103b33ab76025f0e", - "type": "query", - "version": 206 - }, - "745b0119-0560-43ba-860a-7235dd8cee8d": { - "rule_name": "Unusual Hour for a User to Logon", - "sha256": "a93547b576fb979d332fb9489f405cbc02bb2c196fed5cc175539deb931873a6", - "type": "machine_learning", - "version": 105 - }, - "746edc4c-c54c-49c6-97a1-651223819448": { - "rule_name": "Unusual DNS Activity", - "sha256": "be2743603bcbf86cc96a4bdfd8c5de3f4377cc7621eeafe530eac2db9e6342c7", - "type": "machine_learning", - "version": 104 - }, - "7592c127-89fb-4209-a8f6-f9944dfd7e02": { - "rule_name": "Suspicious Sysctl File Event", - "sha256": "d790d709f03bebac3ba27db548f318546cf856374beeabb46c5ced8ee2b2dab1", - "type": "new_terms", - "version": 108 - }, - "75dcb176-a575-4e33-a020-4a52aaa1b593": { - "rule_name": "Service Disabled via Registry Modification", - "sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a", - "type": "eql", - "version": 3 - }, - "75ee75d8-c180-481c-ba88-ee50129a6aef": { - "rule_name": "Web Application Suspicious Activity: Unauthorized Method", - "sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961", - "type": "query", - "version": 102 - }, - "76152ca1-71d0-4003-9e37-0983e12832da": { - "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "22a8ad00011d5f164b7afb9036e0c5c08d16762e2128190811ec8aafe4886bd4", 
- "type": "query", - "version": 104 - }, - "764c8437-a581-4537-8060-1fdb0e92c92d": { - "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "5ddd8e0de022dc243009f61fe4aed4fd7812fd7d7ce4ff362bb536a2e0dcc1e9", - "type": "query", - "version": 204 - }, - "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 111, - "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "77281c68463fbc2c835a7a2749c534aa6aec79a75e0597d4199b96137ca5e191", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Access to a Sensitive LDAP Attribute", - "sha256": "548fe255b858588807657801d2412f86bb23f3f7be4ad873dc10a2106a76466c", + "sha256": "d92a7d07cb5e81322f02fb2a7166dbdd70da750fa76141da1b95cb31663d9448", "type": "eql", "version": 112 - }, - "766d3f91-3f12-448c-b65f-20123e9e9e8c": { - "rule_name": "Creation of Hidden Shared Object File", - "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", + } + }, + "rule_name": "Potential Modification of Accessibility Binaries", + "sha256": "c31f8fce3143f7e8eb7fcff3e3855ec68728dbb708d60e35ebc951c8dea7b0a5", + "type": "eql", + "version": 212 + }, + "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { + "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", + "sha256": "b170681fb44115e54ae79d975287efafd1d43ef7e8ee33af103b33ab76025f0e", + "type": "query", + "version": 206 + }, + "745b0119-0560-43ba-860a-7235dd8cee8d": { + "rule_name": "Unusual Hour for a User to Logon", + "sha256": "a93547b576fb979d332fb9489f405cbc02bb2c196fed5cc175539deb931873a6", + "type": "machine_learning", + "version": 105 + }, + "746edc4c-c54c-49c6-97a1-651223819448": { + "rule_name": "Unusual DNS Activity", + "sha256": "be2743603bcbf86cc96a4bdfd8c5de3f4377cc7621eeafe530eac2db9e6342c7", + "type": "machine_learning", + "version": 104 + }, + "74f45152-9aee-11ef-b0a5-f661ea17fbcd": { + "min_stack_version": "8.13", + "rule_name": "AWS Discovery 
API Calls via CLI from a Single Resource", + "sha256": "e302282bacf904630c492f9029228d942da4a53e8c775f0a4d050c1adc149db8", + "type": "esql", + "version": 1 + }, + "7592c127-89fb-4209-a8f6-f9944dfd7e02": { + "rule_name": "Suspicious Sysctl File Event", + "sha256": "d790d709f03bebac3ba27db548f318546cf856374beeabb46c5ced8ee2b2dab1", + "type": "new_terms", + "version": 108 + }, + "75dcb176-a575-4e33-a020-4a52aaa1b593": { + "rule_name": "Service Disabled via Registry Modification", + "sha256": "3f012ac4ed80b6095b899a9a86d030257bd07875599655fa1d5ee4bb8297020a", + "type": "eql", + "version": 3 + }, + "75ee75d8-c180-481c-ba88-ee50129a6aef": { + "rule_name": "Web Application Suspicious Activity: Unauthorized Method", + "sha256": "6888bde4c516f00a56257eb9f46531d38dbadb83d316387c5e20af3390580961", + "type": "query", + "version": 102 + }, + "76152ca1-71d0-4003-9e37-0983e12832da": { + "rule_name": "Potential Privilege Escalation via Sudoers File Modification", + "sha256": "22a8ad00011d5f164b7afb9036e0c5c08d16762e2128190811ec8aafe4886bd4", + "type": "query", + "version": 104 + }, + "764c8437-a581-4537-8060-1fdb0e92c92d": { + "rule_name": "Kubernetes Pod Created With HostIPC", + "sha256": "5ddd8e0de022dc243009f61fe4aed4fd7812fd7d7ce4ff362bb536a2e0dcc1e9", + "type": "query", + "version": 204 + }, + "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 111, + "rule_name": "Access to a Sensitive LDAP Attribute", + "sha256": "77281c68463fbc2c835a7a2749c534aa6aec79a75e0597d4199b96137ca5e191", "type": "eql", - "version": 110 - }, - "76ddb638-abf7-42d5-be22-4a70b0bf7241": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", - "type": "eql", - "version": 106 - } - }, + "version": 12 + } + }, + "rule_name": "Access to a 
Sensitive LDAP Attribute", + "sha256": "548fe255b858588807657801d2412f86bb23f3f7be4ad873dc10a2106a76466c", + "type": "eql", + "version": 112 + }, + "766d3f91-3f12-448c-b65f-20123e9e9e8c": { + "rule_name": "Creation of Hidden Shared Object File", + "sha256": "a747be0c57d2283c6230586562f1c075efb7f2962fafced613f3b2c9fb64b8fa", + "type": "eql", + "version": 110 + }, + "76ddb638-abf7-42d5-be22-4a70b0bf7241": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "49a20927f23290c2e144d1b65851802c17c754cff9a811996be6493bd052aa8e", + "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", "type": "eql", - "version": 206 - }, - "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { - "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953", + "version": 106 + } + }, + "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", + "sha256": "49a20927f23290c2e144d1b65851802c17c754cff9a811996be6493bd052aa8e", + "type": "eql", + "version": 206 + }, + "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { + "rule_name": "Potential Reverse Shell via Suspicious Child Process", + "sha256": "6ac453ec6132c64b8a4ca261bc2a4effcf46f9bae6fcc34c97984064110e2953", + "type": "eql", + "version": 9 + }, + "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "Potential Remote Desktop Tunneling Detected", + "sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a", "type": "eql", - "version": 9 - }, - "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": 
"b7ab17057206897d65dcad5a62262f342860ce34ca6624af13a3e70326b99e47", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 413, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "fa7f0992aba0bdd414251ed673752a12db4ec5e47f27f027e5183b546920abc8", - "type": "eql", - "version": 315 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 413, "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "1a434a85ff5b56a152e0d0113a98ed1da564de86086c64c2935069b35d97a87d", - "type": "eql", - "version": 415 - }, - "770e0c4d-b998-41e5-a62e-c7901fd7f470": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "817ef65a6a910511dbe215f836ed060a2efe5a05e206abf2224a2480ce861487", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "2b7e8fa40dba01ec3ca76881d26777d3de3ace0c62af4427698b3bd594bd7195", - "type": "eql", - "version": 213 - } - }, + "sha256": "fa7f0992aba0bdd414251ed673752a12db4ec5e47f27f027e5183b546920abc8", + "type": "eql", + "version": 315 + } + }, + "rule_name": "Potential Remote Desktop Tunneling Detected", + "sha256": "3de8678662d78c511880c3dfa795b3d501c299cd3f22598f42b4c97f2d48685f", + "type": "eql", + "version": 416 + }, + "770e0c4d-b998-41e5-a62e-c7901fd7f470": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "0a400cf3e99bd74a4344131a99afeb370f4c267c61c4c83464712ec67a68b48a", + "sha256": "817ef65a6a910511dbe215f836ed060a2efe5a05e206abf2224a2480ce861487", "type": "eql", - "version": 313 - }, - "774f5e28-7b75-4a58-b94e-41bf060fdd86": { - "rule_name": "User Added as Owner for Azure Application", - "sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26", - 
"type": "query", - "version": 102 - }, - "7787362c-90ff-4b1a-b313-8808b1020e64": { - "rule_name": "UID Elevation from Previously Unknown Executable", - "sha256": "20a7e5fcb8be7660f1a17f80c4e882a8fc95e82c19a75ad9f1a27620b30bec30", - "type": "new_terms", - "version": 4 - }, - "77a3c3df-8ec4-4da4-b758-878f551dee69": { - "rule_name": "Adversary Behavior - Detected - Elastic Endgame", - "sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d", - "type": "query", - "version": 104 - }, - "781f8746-2180-4691-890c-4c96d11ca91d": { - "rule_name": "Potential Network Sweep Detected", - "sha256": "9121a1422f15efedecd947633f481a8974363778374dfdb1bdcce1b188167fbe", - "type": "threshold", - "version": 8 - }, - "78390eb5-c838-4c1d-8240-69dd7397cfb7": { - "rule_name": "Yum/DNF Plugin Status Discovery", - "sha256": "23a40162c5772a1d921549e7d5a4282e9d4641cc2e228e211d0b185242db9e4a", + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Enumeration Command Spawned via WMIPrvSE", + "sha256": "2b7e8fa40dba01ec3ca76881d26777d3de3ace0c62af4427698b3bd594bd7195", "type": "eql", - "version": 2 - }, - "785a404b-75aa-4ffd-8be5-3334a5a544dd": { - "rule_name": "Application Added to Google Workspace Domain", - "sha256": "7872d9e397306a241598eb6172a75adc0608f3f529798a8639c1e86810735b47", - "type": "query", - "version": 206 - }, - "7882cebf-6cf1-4de3-9662-213aa13e8b80": { - "rule_name": "Azure Privilege Identity Management Role Modified", - "sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e", - "type": "query", - "version": 105 - }, - "78d3d8d9-b476-451d-a9e0-7a5addd70670": { - "rule_name": "Spike in AWS Error Messages", - "sha256": "fdab7511f64935faf0bd44cb14c5924f678aa613944ed7ac1d07240a12cd401e", - "type": "machine_learning", - "version": 209 - }, - "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Suspicious ScreenConnect 
Client Child Process", - "sha256": "416dce868f1a4876765a41cddaba8d8860afac5cca30502daf254f8f45cb337a", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 304, - "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "bcbc70fad2d9c71913c432c46861cb8ff153465af7f9f11ab464014680f13996", - "type": "eql", - "version": 206 - } - }, + "version": 213 + } + }, + "rule_name": "Enumeration Command Spawned via WMIPrvSE", + "sha256": "d72d3f14698c4424226b130a2b715c698d3064d3c24a739a0927e48acb0f6aa8", + "type": "eql", + "version": 314 + }, + "774f5e28-7b75-4a58-b94e-41bf060fdd86": { + "rule_name": "User Added as Owner for Azure Application", + "sha256": "b88d2f1b89f2bbf51454db3706d1461b08147f31841aea42ee15726e4632fa26", + "type": "query", + "version": 102 + }, + "7787362c-90ff-4b1a-b313-8808b1020e64": { + "rule_name": "UID Elevation from Previously Unknown Executable", + "sha256": "20a7e5fcb8be7660f1a17f80c4e882a8fc95e82c19a75ad9f1a27620b30bec30", + "type": "new_terms", + "version": 4 + }, + "77a3c3df-8ec4-4da4-b758-878f551dee69": { + "rule_name": "Adversary Behavior - Detected - Elastic Endgame", + "sha256": "0ec924f52296fef94948482d51b8d533eee0455bd3bce573fa522ee3d1c9997d", + "type": "query", + "version": 104 + }, + "781f8746-2180-4691-890c-4c96d11ca91d": { + "rule_name": "Potential Network Sweep Detected", + "sha256": "9121a1422f15efedecd947633f481a8974363778374dfdb1bdcce1b188167fbe", + "type": "threshold", + "version": 8 + }, + "78390eb5-c838-4c1d-8240-69dd7397cfb7": { + "rule_name": "Yum/DNF Plugin Status Discovery", + "sha256": "23a40162c5772a1d921549e7d5a4282e9d4641cc2e228e211d0b185242db9e4a", + "type": "eql", + "version": 2 + }, + "785a404b-75aa-4ffd-8be5-3334a5a544dd": { + "rule_name": "Application Added to Google Workspace Domain", + "sha256": "7872d9e397306a241598eb6172a75adc0608f3f529798a8639c1e86810735b47", + "type": "query", + "version": 206 + }, + "7882cebf-6cf1-4de3-9662-213aa13e8b80": { + "rule_name": "Azure Privilege 
Identity Management Role Modified", + "sha256": "26c5f67d4d0a686a2580c9991b656cf39bca2ec927dd297487125907f961585e", + "type": "query", + "version": 105 + }, + "78d3d8d9-b476-451d-a9e0-7a5addd70670": { + "rule_name": "Spike in AWS Error Messages", + "sha256": "fdab7511f64935faf0bd44cb14c5924f678aa613944ed7ac1d07240a12cd401e", + "type": "machine_learning", + "version": 209 + }, + "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "1eaf3424c72feb184b48c48ad3da78cb7d02d08e49f2b3be6d1772122c378de4", - "type": "eql", - "version": 306 - }, - "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { - "rule_name": "Suspicious File Renamed via SMB", - "sha256": "b06fe72841e973c578410fa85cc532be47a7199c613e59e094aaefce1e311a48", + "sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446", "type": "eql", "version": 3 - }, - "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { - "rule_name": "Unsigned DLL Loaded by Svchost", - "sha256": "bb615c82f76f783f0f58151931932eec4f8b1bab35a8600d646c237df38dcb1f", - "type": "eql", - "version": 7 - }, - "79124edf-30a8-4d48-95c4-11522cad94b1": { - "rule_name": "File Compressed or Archived into Common Format", - "sha256": "3d99ad9a8ea1ddbc2a184754459191a84dc56f918bf759be9a52d7649106e44e", - "type": "eql", - "version": 5 - }, - "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { - "rule_name": "Azure Key Vault Modified", - "sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87", - "type": "query", - "version": 103 - }, - "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { - "rule_name": "SSL Certificate Deletion", - "sha256": "89f19de3195f7c7c74cdc64eec4457b9424ec304f8316da04481f0bae74b06ac", + }, + "8.13": { + "max_allowable_version": 304, + "rule_name": "Suspicious ScreenConnect Client Child Process", + "sha256": "bcbc70fad2d9c71913c432c46861cb8ff153465af7f9f11ab464014680f13996", "type": 
"eql", - "version": 1 - }, - "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { - "rule_name": "Potential Masquerading as System32 Executable", - "sha256": "649ff4b679f9f2b569f73ad7717ac48ba0bc93da34b650a7bca46243274b37c2", + "version": 206 + } + }, + "rule_name": "Suspicious ScreenConnect Client Child Process", + "sha256": "b4eea876e31435d0c73ac8768c4954d50f6d10e4862c73652ad1fa9d0faa4464", + "type": "eql", + "version": 307 + }, + "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { + "rule_name": "Suspicious File Renamed via SMB", + "sha256": "b06fe72841e973c578410fa85cc532be47a7199c613e59e094aaefce1e311a48", + "type": "eql", + "version": 3 + }, + "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { + "rule_name": "Unsigned DLL Loaded by Svchost", + "sha256": "bb615c82f76f783f0f58151931932eec4f8b1bab35a8600d646c237df38dcb1f", + "type": "eql", + "version": 7 + }, + "79124edf-30a8-4d48-95c4-11522cad94b1": { + "rule_name": "File Compressed or Archived into Common Format", + "sha256": "3d99ad9a8ea1ddbc2a184754459191a84dc56f918bf759be9a52d7649106e44e", + "type": "eql", + "version": 5 + }, + "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { + "rule_name": "Azure Key Vault Modified", + "sha256": "79a68677542c96b2d8a804e552e8de37560ab6f599a24f9b828d0b1dbbee1a87", + "type": "query", + "version": 103 + }, + "7957f3b9-f590-4062-b9f9-003c32bfc7d6": { + "rule_name": "SSL Certificate Deletion", + "sha256": "89f19de3195f7c7c74cdc64eec4457b9424ec304f8316da04481f0bae74b06ac", + "type": "eql", + "version": 1 + }, + "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47": { + "rule_name": "Potential Masquerading as System32 Executable", + "sha256": "649ff4b679f9f2b569f73ad7717ac48ba0bc93da34b650a7bca46243274b37c2", + "type": "eql", + "version": 5 + }, + "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, + "rule_name": "Potential File Transfer via Certreq", + "sha256": "0fa34695e7e58ab411a32781540d80e8b93e9a6162cc9ceaa18a072942d6e319", "type": "eql", - 
"version": 5 - }, - "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "Potential File Transfer via Certreq", - "sha256": "0fa34695e7e58ab411a32781540d80e8b93e9a6162cc9ceaa18a072942d6e319", - "type": "eql", - "version": 9 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Potential File Transfer via Certreq", - "sha256": "c7346c7c1df15029b05df11871734739ec4818f53fd9684c2a583eb85d432fff", - "type": "eql", - "version": 109 - } - }, + "version": 9 + }, + "8.13": { + "max_allowable_version": 208, "rule_name": "Potential File Transfer via Certreq", - "sha256": "5b18986604f4e5baefcc6d93e5bfeee17931a40639b9838d3fe76f3a051e7544", + "sha256": "c7346c7c1df15029b05df11871734739ec4818f53fd9684c2a583eb85d432fff", "type": "eql", - "version": 209 - }, - "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e", - "type": "query", - "version": 112 - } - }, + "version": 109 + } + }, + "rule_name": "Potential File Transfer via Certreq", + "sha256": "317afcd5484f4d5ed77732c52136d63141c3af83abc8cc130d698fd7da4ef84c", + "type": "eql", + "version": 210 + }, + "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "fcf721e497f059801651f6332bbdc66878edeac4195692fa7e6e402fbabf0fb1", - "type": "query", - "version": 212 - }, - "7a137d76-ce3d-48e2-947d-2747796a78c0": { - "rule_name": "Network Sniffing via Tcpdump", - "sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426", - "type": "query", - "version": 100 - }, - "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": { - "rule_name": "First Occurrence of STS 
GetFederationToken Request by User", - "sha256": "97ed856d2841e0782bc46e870d33be5ca0ae8b6df0b3ff8f168f828213f57081", - "type": "new_terms", - "version": 1 - }, - "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { - "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2", - "type": "eql", - "version": 5 - }, - "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { - "rule_name": "Potential Execution via XZBackdoor", - "sha256": "b0577394863a57fc35c75a1748f35f6df69d1e0ae476ef4230fbdcd28d3dc564", - "type": "eql", - "version": 4 - }, - "7b08314d-47a0-4b71-ae4e-16544176924f": { - "rule_name": "File and Directory Discovery", - "sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5", - "type": "eql", - "version": 100 - }, - "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { - "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4", + "sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e", "type": "query", - "version": 206 - }, - "7b8bfc26-81d2-435e-965c-d722ee397ef1": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Windows Network Enumeration", - "sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486", - "type": "eql", - "version": 114 - } - }, + "version": 112 + } + }, + "rule_name": "Potential Shadow Credentials added to AD Object", + "sha256": "fcf721e497f059801651f6332bbdc66878edeac4195692fa7e6e402fbabf0fb1", + "type": "query", + "version": 212 + }, + "7a137d76-ce3d-48e2-947d-2747796a78c0": { + "rule_name": "Network Sniffing via Tcpdump", + "sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426", + "type": "query", + "version": 100 + }, + "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce": { + "rule_name": "First Occurrence of STS GetFederationToken Request by User", + "sha256": 
"97ed856d2841e0782bc46e870d33be5ca0ae8b6df0b3ff8f168f828213f57081", + "type": "new_terms", + "version": 1 + }, + "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { + "rule_name": "Potential Privilege Escalation through Writable Docker Socket", + "sha256": "59ad5257e309d3192fd55374ef9be4e2d1d4ce96fe0c5e6c568e86d22e05f9a2", + "type": "eql", + "version": 5 + }, + "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { + "rule_name": "Potential Execution via XZBackdoor", + "sha256": "b0577394863a57fc35c75a1748f35f6df69d1e0ae476ef4230fbdcd28d3dc564", + "type": "eql", + "version": 4 + }, + "7b08314d-47a0-4b71-ae4e-16544176924f": { + "rule_name": "File and Directory Discovery", + "sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5", + "type": "eql", + "version": 100 + }, + "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { + "rule_name": "AWS ElastiCache Security Group Created", + "sha256": "eef0353fa501c11cf2bcd5a6676496b4500dd9131341d9cf1578d8a9d51234f4", + "type": "query", + "version": 206 + }, + "7b8bfc26-81d2-435e-965c-d722ee397ef1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "Windows Network Enumeration", - "sha256": "344dca0a521891ded14c0fa6218e8d742b0d0c478d220c1433bf97273df3b42f", + "sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486", "type": "eql", - "version": 214 - }, - "7b981906-86b7-4544-8033-c30ec6eb45fc": { - "rule_name": "SELinux Configuration Creation or Renaming", - "sha256": "a858e1300af56137b5117d927e962a8daec649ea7ab5b36f42d2b8c21c72fb40", - "type": "eql", - "version": 1 - }, - "7ba58110-ae13-439b-8192-357b0fcfa9d7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 307, - "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", - "type": "eql", - "version": 208 - } - }, + "version": 114 + } + }, + "rule_name": "Windows Network Enumeration", + "sha256": 
"344dca0a521891ded14c0fa6218e8d742b0d0c478d220c1433bf97273df3b42f", + "type": "eql", + "version": 214 + }, + "7b981906-86b7-4544-8033-c30ec6eb45fc": { + "rule_name": "SELinux Configuration Creation or Renaming", + "sha256": "a858e1300af56137b5117d927e962a8daec649ea7ab5b36f42d2b8c21c72fb40", + "type": "eql", + "version": 1 + }, + "7ba58110-ae13-439b-8192-357b0fcfa9d7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "0bcdd2692369252815bb0b5c45cdfcebaea56683de999dfad868be1f725d9ddd", - "type": "eql", - "version": 308 - }, - "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { - "rule_name": "Tampering of Shell Command-Line History", - "sha256": "b29563e9adeb94b3d771f3e0f0316518415fb4312e33347e187c39ba28647529", + "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", "type": "eql", - "version": 107 - }, - "7c2e1297-7664-42bc-af11-6d5d35220b6b": { - "rule_name": "APT Package Manager Configuration File Creation", - "sha256": "c15e188ea1ce6f3177c41bfe4cb9a692bfcdc3416f1af28263ebc1a14ca9404a", + "version": 208 + } + }, + "rule_name": "Suspicious LSASS Access via MalSecLogon", + "sha256": "0bcdd2692369252815bb0b5c45cdfcebaea56683de999dfad868be1f725d9ddd", + "type": "eql", + "version": 308 + }, + "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { + "rule_name": "Tampering of Shell Command-Line History", + "sha256": "b29563e9adeb94b3d771f3e0f0316518415fb4312e33347e187c39ba28647529", + "type": "eql", + "version": 107 + }, + "7c2e1297-7664-42bc-af11-6d5d35220b6b": { + "rule_name": "APT Package Manager Configuration File Creation", + "sha256": "c15e188ea1ce6f3177c41bfe4cb9a692bfcdc3416f1af28263ebc1a14ca9404a", + "type": "eql", + "version": 4 + }, + "7caa8e60-2df0-11ed-b814-f661ea17fbce": { + "rule_name": "Google Workspace Bitlocker Setting Disabled", + "sha256": "0f41d71ccff8430c3787790e46370c3451a3a92f2faa9b03993b8fba38aee32c", + "type": "query", + "version": 
107 + }, + "7ce5e1c7-6a49-45e6-a101-0720d185667f": { + "rule_name": "Git Hook Child Process", + "sha256": "78176482702f10120da2da5c9a3fe712cccd4145cf69ed8b5c4276ecdcd6c052", + "type": "eql", + "version": 2 + }, + "7ceb2216-47dd-4e64-9433-cddc99727623": { + "rule_name": "GCP Service Account Creation", + "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c", + "type": "query", + "version": 104 + }, + "7d091a76-0737-11ef-8469-f661ea17fbcc": { + "rule_name": "AWS Lambda Layer Added to Existing Function", + "sha256": "2b5beb7d7435862fd58aef36fbe1c663e0c9dd064e09b122cce712360569c1da", + "type": "query", + "version": 2 + }, + "7d2c38d7-ede7-4bdf-b140-445906e6c540": { + "rule_name": "Tor Activity to the Internet", + "sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1", + "type": "query", + "version": 100 + }, + "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { + "rule_name": "SSH Key Generated via ssh-keygen", + "sha256": "02a3fbd847f6e988ae119d30af0b3b2c0c31611ed3b77372aa9eb99e8c5bb9cc", + "type": "eql", + "version": 3 + }, + "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { + "rule_name": "Suspicious Kworker UID Elevation", + "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a", + "type": "eql", + "version": 2 + }, + "7e23dfef-da2c-4d64-b11d-5f285b638853": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "Microsoft Management Console File from Unusual Path", + "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", "type": "eql", "version": 4 - }, - "7caa8e60-2df0-11ed-b814-f661ea17fbce": { - "rule_name": "Google Workspace Bitlocker Setting Disabled", - "sha256": "0f41d71ccff8430c3787790e46370c3451a3a92f2faa9b03993b8fba38aee32c", - "type": "query", - "version": 107 - }, - "7ce5e1c7-6a49-45e6-a101-0720d185667f": { - "rule_name": "Git Hook Child Process", - "sha256": "78176482702f10120da2da5c9a3fe712cccd4145cf69ed8b5c4276ecdcd6c052", - 
"type": "eql", - "version": 2 - }, - "7ceb2216-47dd-4e64-9433-cddc99727623": { - "rule_name": "GCP Service Account Creation", - "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c", - "type": "query", - "version": 104 - }, - "7d091a76-0737-11ef-8469-f661ea17fbcc": { - "rule_name": "AWS Lambda Layer Added to Existing Function", - "sha256": "2b5beb7d7435862fd58aef36fbe1c663e0c9dd064e09b122cce712360569c1da", - "type": "query", - "version": 2 - }, - "7d2c38d7-ede7-4bdf-b140-445906e6c540": { - "rule_name": "Tor Activity to the Internet", - "sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1", - "type": "query", - "version": 100 - }, - "7df3cb8b-5c0c-4228-b772-bb6cd619053c": { - "rule_name": "SSH Key Generated via ssh-keygen", - "sha256": "02a3fbd847f6e988ae119d30af0b3b2c0c31611ed3b77372aa9eb99e8c5bb9cc", - "type": "eql", - "version": 3 - }, - "7dfaaa17-425c-4fe7-bd36-83705fde7c2b": { - "rule_name": "Suspicious Kworker UID Elevation", - "sha256": "1073dde211174d3099a9b8a21931bf6531d2343d6b44d98c0ceabeecc3f29e8a", - "type": "eql", - "version": 2 - }, - "7e23dfef-da2c-4d64-b11d-5f285b638853": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", - "type": "eql", - "version": 4 - }, - "8.12": { - "max_allowable_version": 203, - "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", - "type": "eql", - "version": 105 - }, - "8.13": { - "max_allowable_version": 304, - "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "66858a324d0462bd232554434241130f2856843cf22ef73c579c09e3f6e39043", - "type": "eql", - "version": 206 - } - }, + }, + "8.12": { + "max_allowable_version": 203, "rule_name": "Microsoft Management Console File 
from Unusual Path", - "sha256": "09aa0b96928a0da988c7c455ed658d28a685def31b11dd104cab212d9ba3a979", - "type": "eql", - "version": 306 - }, - "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", - "type": "eql", - "version": 109 - } - }, - "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "95ee9038faef018973ee81cb960175831ba7c20826685ba790ba0f6926232d5d", + "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", "type": "eql", - "version": 209 - }, - "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { - "rule_name": "Discovery of Internet Capabilities via Built-in Tools", - "sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee", - "type": "new_terms", - "version": 102 - }, - "7fb500fa-8e24-4bd1-9480-2a819352602c": { - "rule_name": "Systemd Timer Created", - "sha256": "1e46fd812061270a2231dca8ec5a7ffbddd0a53997cfb62e0d457cac8e0a45d5", + "version": 105 + }, + "8.13": { + "max_allowable_version": 304, + "rule_name": "Microsoft Management Console File from Unusual Path", + "sha256": "66858a324d0462bd232554434241130f2856843cf22ef73c579c09e3f6e39043", "type": "eql", - "version": 15 - }, - "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { - "min_stack_version": "8.13", - "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", - "sha256": "3e4f1413412bd00822190208d7e8be98fe32aa44ccde5044c2aa42fb5a0be8ff", - "type": "esql", - "version": 3 - }, - "80084fa9-8677-4453-8680-b891d3c0c778": { - "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "1cb7f1b40b2b92807f7a8f322a6510de21f99c502327d83b1d2f5865b494e36a", - "type": "new_terms", - "version": 107 - }, - "800e01be-a7a4-46d0-8de9-69f3c9582b44": { - "rule_name": "Unusual Process Extension", - "sha256": 
"f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a", + "version": 206 + } + }, + "rule_name": "Microsoft Management Console File from Unusual Path", + "sha256": "332111db4905fbf977cb9ea156d2aa394347669370073cd3430efc581d4c41eb", + "type": "eql", + "version": 307 + }, + "7efca3ad-a348-43b2-b544-c93a78a0ef92": { + "rule_name": "Security File Access via Common Utilities", + "sha256": "35fc8b548fcc1523cdea4fa29865704d65b15be3c7601e2a1f778dae2d006575", + "type": "eql", + "version": 1 + }, + "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, + "rule_name": "Suspicious WMIC XSL Script Execution", + "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", "type": "eql", - "version": 4 - }, - "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5", - "type": "query", - "version": 3 - } - }, + "version": 109 + } + }, + "rule_name": "Suspicious WMIC XSL Script Execution", + "sha256": "95ee9038faef018973ee81cb960175831ba7c20826685ba790ba0f6926232d5d", + "type": "eql", + "version": 209 + }, + "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { + "rule_name": "Discovery of Internet Capabilities via Built-in Tools", + "sha256": "94bb175873a51e3ec94a3d92aec15accba931a59b2ccbcf01c9317f8a3d571ee", + "type": "new_terms", + "version": 102 + }, + "7fb500fa-8e24-4bd1-9480-2a819352602c": { + "rule_name": "Systemd Timer Created", + "sha256": "1e46fd812061270a2231dca8ec5a7ffbddd0a53997cfb62e0d457cac8e0a45d5", + "type": "eql", + "version": 15 + }, + "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", + "sha256": "3e4f1413412bd00822190208d7e8be98fe32aa44ccde5044c2aa42fb5a0be8ff", + "type": 
"esql", + "version": 3 + }, + "80084fa9-8677-4453-8680-b891d3c0c778": { + "rule_name": "Enumeration of Kernel Modules via Proc", + "sha256": "1cb7f1b40b2b92807f7a8f322a6510de21f99c502327d83b1d2f5865b494e36a", + "type": "new_terms", + "version": 107 + }, + "800e01be-a7a4-46d0-8de9-69f3c9582b44": { + "rule_name": "Unusual Process Extension", + "sha256": "f2022485ae73360b81a2da1364f674781461b179fb259d9734ada6dbe226720a", + "type": "eql", + "version": 4 + }, + "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "Potential PowerShell Obfuscated Script", - "sha256": "6e71b4ea552314b263198211bc6bc680d060453ac942fe0fe59499562f8ed834", + "sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5", "type": "query", - "version": 103 - }, - "804a7ac8-fc00-11ee-924b-f661ea17fbce": { - "rule_name": "SSM Session Started to EC2 Instance", - "sha256": "1810d2feab3a3ab42bfb40d5b25dba1fdfff834237355e59824fb8d89879f0dc", - "type": "new_terms", - "version": 1 - }, - "808291d3-e918-4a3a-86cd-73052a0c9bdc": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", - "sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059", - "type": "eql", - "version": 4 - } - }, + "version": 3 + } + }, + "rule_name": "Potential PowerShell Obfuscated Script", + "sha256": "6e71b4ea552314b263198211bc6bc680d060453ac942fe0fe59499562f8ed834", + "type": "query", + "version": 103 + }, + "804a7ac8-fc00-11ee-924b-f661ea17fbce": { + "rule_name": "SSM Session Started to EC2 Instance", + "sha256": "1810d2feab3a3ab42bfb40d5b25dba1fdfff834237355e59824fb8d89879f0dc", + "type": "new_terms", + "version": 1 + }, + "808291d3-e918-4a3a-86cd-73052a0c9bdc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, "rule_name": "Suspicious Troubleshooting Pack 
Cabinet Execution", - "sha256": "4a3c5fd150828acc188647d8c5574f0b88da993c4d0abaaa285644ff08021608", + "sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059", "type": "eql", - "version": 104 - }, - "809b70d3-e2c3-455e-af1b-2626a5a1a276": { - "rule_name": "Unusual City For an AWS Command", - "sha256": "89302a4ee46c254ece373ba0f594ea3ca2cc108b88e04a312fe1372645a60fe2", - "type": "machine_learning", - "version": 209 - }, - "80c52164-c82a-402c-9964-852533d58be1": { - "rule_name": "Process Injection - Detected - Elastic Endgame", - "sha256": "42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be", - "type": "query", - "version": 103 - }, - "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { - "rule_name": "Unusual Remote File Extension", - "sha256": "d33a4fa7f5db48036701cd4df4e4586b2218d47f930a796097379a4757023e30", - "type": "machine_learning", "version": 4 - }, - "818e23e6-2094-4f0e-8c01-22d30f3506c6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "fc4ff95d31809bdc72563ba4251142cb5a33e5239d3cb64a0b877a31f6ba05d4", - "type": "eql", - "version": 210 - } - }, + } + }, + "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", + "sha256": "4a3c5fd150828acc188647d8c5574f0b88da993c4d0abaaa285644ff08021608", + "type": "eql", + "version": 104 + }, + "809b70d3-e2c3-455e-af1b-2626a5a1a276": { + "rule_name": "Unusual City For an AWS Command", + "sha256": "89302a4ee46c254ece373ba0f594ea3ca2cc108b88e04a312fe1372645a60fe2", + "type": "machine_learning", + "version": 209 + }, + "80c52164-c82a-402c-9964-852533d58be1": { + "rule_name": "Process Injection - Detected - Elastic Endgame", + "sha256": 
"42f01902665c666c45de8cafd9cc39c80ab4e28cf87c1e13caab844668cb70be", + "type": "query", + "version": 103 + }, + "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { + "rule_name": "Unusual Remote File Extension", + "sha256": "d33a4fa7f5db48036701cd4df4e4586b2218d47f930a796097379a4757023e30", + "type": "machine_learning", + "version": 4 + }, + "818e23e6-2094-4f0e-8c01-22d30f3506c6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "79d56380a744abb989063bf3baad2ba31b19b1d7ceb2de2be8234bf921051f81", + "sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc", "type": "eql", - "version": 310 - }, - "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { - "rule_name": "Persistence via Kernel Module Modification", - "sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86", + "version": 110 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "PowerShell Script Block Logging Disabled", + "sha256": "fc4ff95d31809bdc72563ba4251142cb5a33e5239d3cb64a0b877a31f6ba05d4", + "type": "eql", + "version": 210 + } + }, + "rule_name": "PowerShell Script Block Logging Disabled", + "sha256": "79d56380a744abb989063bf3baad2ba31b19b1d7ceb2de2be8234bf921051f81", + "type": "eql", + "version": 310 + }, + "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { + "rule_name": "Persistence via Kernel Module Modification", + "sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86", + "type": "query", + "version": 100 + }, + "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", + "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", "type": "query", - "version": 100 - }, - "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - 
"max_allowable_version": 210, - "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", - "type": "query", - "version": 111 - }, - "8.12": { - "max_allowable_version": 313, - "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5", - "type": "query", - "version": 214 - } - }, + "version": 111 + }, + "8.12": { + "max_allowable_version": 313, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "320a555df4db198a83d99c9c148c34b4bea3d27beec4d6824ea25b077dfdd561", + "sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5", "type": "query", - "version": 314 - }, - "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "4162c0f3ecc6a4c881309a1c579888218ab3995f564f72409e538076f2e26c78", - "type": "eql", - "version": 8 - } - }, + "version": 214 + } + }, + "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", + "sha256": "320a555df4db198a83d99c9c148c34b4bea3d27beec4d6824ea25b077dfdd561", + "type": "query", + "version": 314 + }, + "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, "rule_name": "Temporarily Scheduled Task Creation", - "sha256": "b1820c87c951dea5911f8205052ea225bd0591292ca0283895f1242d165ff6c6", - "type": "eql", - "version": 108 - }, - "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { - "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "e0f594ae73315999d039f6afdb74b17b186b2daeab2d37cf12f364225219128a", - "type": "eql", - "version": 207 - }, - "835c0622-114e-40b5-a346-f843ea5d01f1": { - "rule_name": "Potential Linux Local Account Brute Force Detected", - "sha256": 
"135901066ac707836fa9dc5d72517b43f80c3f43f8afdbcd0793ccd7e271f79b", + "sha256": "4162c0f3ecc6a4c881309a1c579888218ab3995f564f72409e538076f2e26c78", "type": "eql", - "version": 7 - }, - "83a1931d-8136-46fc-b7b9-2db4f639e014": { - "rule_name": "Azure Kubernetes Pods Deleted", - "sha256": "8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9", - "type": "query", - "version": 102 - }, - "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { - "rule_name": "Linux Restricted Shell Breakout via the mysql command", - "sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194", - "type": "eql", - "version": 100 - }, - "83bf249e-4348-47ba-9741-1202a09556ad": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "67fac684b46bd0e1e592ed5fb64523fe9b1b6c8bbf695fa5a8c2ca93c45ebeff", - "type": "eql", - "version": 1 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "13d53b19535acefeb9018df99a3327de628c8cefdf886e9453b33d0f128fb058", - "type": "eql", - "version": 101 - } - }, + "version": 8 + } + }, + "rule_name": "Temporarily Scheduled Task Creation", + "sha256": "b1820c87c951dea5911f8205052ea225bd0591292ca0283895f1242d165ff6c6", + "type": "eql", + "version": 108 + }, + "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { + "rule_name": "Apple Scripting Execution with Administrator Privileges", + "sha256": "e0f594ae73315999d039f6afdb74b17b186b2daeab2d37cf12f364225219128a", + "type": "eql", + "version": 207 + }, + "835c0622-114e-40b5-a346-f843ea5d01f1": { + "rule_name": "Potential Linux Local Account Brute Force Detected", + "sha256": "135901066ac707836fa9dc5d72517b43f80c3f43f8afdbcd0793ccd7e271f79b", + "type": "eql", + "version": 7 + }, + "83a1931d-8136-46fc-b7b9-2db4f639e014": { + "rule_name": "Azure Kubernetes Pods Deleted", + "sha256": 
"8c0f9a8ac544e84262204d80e667c90f7e1a0be582cea5152e2d44926f4e72a9", + "type": "query", + "version": 102 + }, + "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { + "rule_name": "Linux Restricted Shell Breakout via the mysql command", + "sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194", + "type": "eql", + "version": 100 + }, + "83bf249e-4348-47ba-9741-1202a09556ad": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, "rule_name": "Suspicious Windows Powershell Arguments", - "sha256": "82f77cf9b3dc775fc55072cb174488e0de998157ed9d35e10e2b10e559df69a7", + "sha256": "67fac684b46bd0e1e592ed5fb64523fe9b1b6c8bbf695fa5a8c2ca93c45ebeff", "type": "eql", - "version": 201 - }, - "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { - "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "24507f9fc5eac786e69d16e7a9759e5502f06ae39ca2b0c3baee080c29aed691", + "version": 1 + }, + "8.13": { + "max_allowable_version": 200, + "rule_name": "Suspicious Windows Powershell Arguments", + "sha256": "13d53b19535acefeb9018df99a3327de628c8cefdf886e9453b33d0f128fb058", "type": "eql", - "version": 9 - }, - "8446517c-f789-11ee-8ad0-f661ea17fbce": { - "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", - "sha256": "7527cb6d613f3cbebb763fc8b4da705569785eb0d5f20552483a9ac4e03c34e9", - "type": "new_terms", - "version": 3 - }, - "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Microsoft Exchange Transport Agent Install Script", - "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", - "type": "query", - "version": 7 - } - }, + "version": 101 + } + }, + "rule_name": "Suspicious Windows Powershell Arguments", + "sha256": "13d45d27cdabc4d4143ebc5cccab8fff6f0a87c28bdb2f258d0dab66423371d2", + "type": "eql", + "version": 202 + }, + "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": { + "rule_name": "Attempt to Disable 
IPTables or Firewall", + "sha256": "24507f9fc5eac786e69d16e7a9759e5502f06ae39ca2b0c3baee080c29aed691", + "type": "eql", + "version": 9 + }, + "8446517c-f789-11ee-8ad0-f661ea17fbce": { + "rule_name": "AWS EC2 Admin Credential Fetch via Assumed Role", + "sha256": "7527cb6d613f3cbebb763fc8b4da705569785eb0d5f20552483a9ac4e03c34e9", + "type": "new_terms", + "version": 3 + }, + "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "Microsoft Exchange Transport Agent Install Script", - "sha256": "20a8c64cf10a599a57a3f2adcde2cd11f433b594347d5f01e75ddc591af6b8cb", + "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", "type": "query", - "version": 107 - }, - "84755a05-78c8-4430-8681-89cd6c857d71": { - "rule_name": "At Job Created or Modified", - "sha256": "a987f893268d128252316712332f0deeb89dbfad27ee9595059745bcfc9cfb1e", - "type": "eql", - "version": 2 - }, - "84d1f8db-207f-45ab-a578-921d91c23eb2": { - "rule_name": "Potential Upgrade of Non-interactive Shell", - "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", + "version": 7 + } + }, + "rule_name": "Microsoft Exchange Transport Agent Install Script", + "sha256": "20a8c64cf10a599a57a3f2adcde2cd11f433b594347d5f01e75ddc591af6b8cb", + "type": "query", + "version": 107 + }, + "84755a05-78c8-4430-8681-89cd6c857d71": { + "rule_name": "At Job Created or Modified", + "sha256": "a987f893268d128252316712332f0deeb89dbfad27ee9595059745bcfc9cfb1e", + "type": "eql", + "version": 2 + }, + "84d1f8db-207f-45ab-a578-921d91c23eb2": { + "rule_name": "Potential Upgrade of Non-interactive Shell", + "sha256": "c13baf680022d32581c0780e31d4ade6009c93d1be12624a3d30060da764f759", + "type": "eql", + "version": 3 + }, + "84da2554-e12a-11ec-b896-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", 
+ "sha256": "edbf1332772ff82f1ca2598dd8a01f2db70fbc0b0fc319db2140d545aeb1a4f0", "type": "eql", - "version": 3 - }, - "84da2554-e12a-11ec-b896-f661ea17fbcd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "edbf1332772ff82f1ca2598dd8a01f2db70fbc0b0fc319db2140d545aeb1a4f0", - "type": "eql", - "version": 113 - } - }, - "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "2353acc5032ef21138119a47484cbe074e605bf142fbfbef0777f838ecdc4a4e", - "type": "eql", - "version": 213 - }, - "850d901a-2a3c-46c6-8b22-55398a01aad8": { - "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32", - "type": "eql", - "version": 111 - }, - "852c1f19-68e8-43a6-9dce-340771fe1be3": { - "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "361cf289449891a5a01a599005a112612693f0528651e2fd44fd291e2fcf9481", - "type": "new_terms", - "version": 211 - }, - "8623535c-1e17-44e1-aa97-7a0699c3037d": { - "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006", - "type": "query", - "version": 206 - }, - "863cdf31-7fd3-41cf-a185-681237ea277b": { - "rule_name": "AWS RDS Security Group Deletion", - "sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9", - "type": "query", - "version": 206 - }, - "867616ec-41e5-4edc-ada2-ab13ab45de8a": { - "rule_name": "AWS IAM Group Deletion", - "sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781", - "type": "query", - "version": 206 - }, - "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { - "rule_name": "Potential Linux Reverse Connection through Port Knocking", - "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc", - "type": "eql", - "version": 1 - }, - "870aecc0-cea4-4110-af3f-e02e9b373655": { - 
"rule_name": "Security Software Discovery via Grep", - "sha256": "d4773a9bd42acb66239348d5fe61bd9512fb95f50634dfbfaa1c8f42820b2b78", - "type": "eql", - "version": 110 - }, - "871ea072-1b71-4def-b016-6278b505138d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Enumeration of Administrator Accounts", - "sha256": "043665e2ef98b00727f9e07b55549bee2d56066daf42ca2553e2b1bfa8aaf20e", - "type": "eql", - "version": 114 - } - }, + "version": 113 + } + }, + "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", + "sha256": "d9c16cda743982a7c6cdbdb8dc28e0a6b4b32544874e6716412faa3814b400a7", + "type": "eql", + "version": 214 + }, + "850d901a-2a3c-46c6-8b22-55398a01aad8": { + "rule_name": "Potential Remote Credential Access via Registry", + "sha256": "a0cd73a2f83a6c1f8fe970bb6a7fab8656fe9e3d8c51d5a9dda9efb1db69ba32", + "type": "eql", + "version": 111 + }, + "852c1f19-68e8-43a6-9dce-340771fe1be3": { + "rule_name": "Suspicious PowerShell Engine ImageLoad", + "sha256": "361cf289449891a5a01a599005a112612693f0528651e2fd44fd291e2fcf9481", + "type": "new_terms", + "version": 211 + }, + "8623535c-1e17-44e1-aa97-7a0699c3037d": { + "rule_name": "AWS EC2 Network Access Control List Deletion", + "sha256": "4f9d972be95e23e9ad2c127a00b66165c3f6c1105dcfef9a0e85a70d2d22b006", + "type": "query", + "version": 206 + }, + "863cdf31-7fd3-41cf-a185-681237ea277b": { + "rule_name": "AWS RDS Security Group Deletion", + "sha256": "3815b7cf0e4aeef5cd0350a18c0f8a1f751b8c21d728875a7268a075a70e2ad9", + "type": "query", + "version": 206 + }, + "867616ec-41e5-4edc-ada2-ab13ab45de8a": { + "rule_name": "AWS IAM Group Deletion", + "sha256": "b52937ff4f6af1e5ccf8b52bf8d378468fdac5dfd53a8b3217833c005c5fa781", + "type": "query", + "version": 206 + }, + "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { + "rule_name": "Potential Linux Reverse Connection through Port Knocking", + "sha256": "b4f46ff74a8794d66683aa38de698de5e35a091b48d03ffa0d9181a578899ddc", + 
"type": "eql", + "version": 1 + }, + "870aecc0-cea4-4110-af3f-e02e9b373655": { + "rule_name": "Security Software Discovery via Grep", + "sha256": "d4773a9bd42acb66239348d5fe61bd9512fb95f50634dfbfaa1c8f42820b2b78", + "type": "eql", + "version": 110 + }, + "871ea072-1b71-4def-b016-6278b505138d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "Enumeration of Administrator Accounts", - "sha256": "5c7d3a39a6b899e71052d3936009a8c390c11166f45e91a7a3aa7f7e17e57963", - "type": "eql", - "version": 214 - }, - "873b5452-074e-11ef-852e-f661ea17fbcc": { - "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", - "sha256": "f5bb109e123b34f550ec9a57fc0152a04bc3bc4de3e5adc847b07ef34d39fc68", - "type": "query", - "version": 1 - }, - "87594192-4539-4bc4-8543-23bc3d5bd2b4": { - "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", - "type": "query", - "version": 206 - }, - "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { - "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", - "sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7", - "type": "query", - "version": 100 - }, - "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { - "rule_name": "Linux Clipboard Activity Detected", - "sha256": "948181ba2921e5e5ff2e950f272a9fa9cb5797927da206fc67100db0641746f3", - "type": "new_terms", - "version": 5 - }, - "88671231-6626-4e1b-abb7-6e361a171fbb": { - "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", - "type": "query", - "version": 206 - }, - "88817a33-60d3-411f-ba79-7c905d865b2a": { - "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "c982030d976d5caa598abb973577eca20c6a5f49e0f0b746d31b814e3aada81e", - "type": "eql", - "version": 108 - }, - "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { - "rule_name": 
"Potential Sudo Hijacking", - "sha256": "48ef2dcad2d1f95fb5e7cd7f890d36ba444b2c045b00f18db67a56565a8fb776", + "sha256": "043665e2ef98b00727f9e07b55549bee2d56066daf42ca2553e2b1bfa8aaf20e", "type": "eql", - "version": 107 - }, - "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", - "type": "eql", - "version": 108 - } - }, + "version": 114 + } + }, + "rule_name": "Enumeration of Administrator Accounts", + "sha256": "a362b8b5e455f372dabfdad53f4b89385185d08f8e4cd581f2d4d3a13bc1a59b", + "type": "eql", + "version": 215 + }, + "873b5452-074e-11ef-852e-f661ea17fbcc": { + "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", + "sha256": "f5bb109e123b34f550ec9a57fc0152a04bc3bc4de3e5adc847b07ef34d39fc68", + "type": "query", + "version": 1 + }, + "87594192-4539-4bc4-8543-23bc3d5bd2b4": { + "rule_name": "AWS EventBridge Rule Disabled or Deleted", + "sha256": "2a49cf8319bd2a5a16d2286014217d41ffe4680b5e7a367b131ebf7124853339", + "type": "query", + "version": 206 + }, + "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { + "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", + "sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7", + "type": "query", + "version": 100 + }, + "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { + "rule_name": "Linux Clipboard Activity Detected", + "sha256": "948181ba2921e5e5ff2e950f272a9fa9cb5797927da206fc67100db0641746f3", + "type": "new_terms", + "version": 5 + }, + "88671231-6626-4e1b-abb7-6e361a171fbb": { + "rule_name": "Microsoft 365 Global Administrator Role Assigned", + "sha256": "1bc2ee513c9a3702d258107ccaa36ce6f728f37804a83afe41ec0386f3386f66", + "type": "query", + "version": 206 + }, + "88817a33-60d3-411f-ba79-7c905d865b2a": { + "rule_name": "Sublime Plugin or Application Script Modification", + 
"sha256": "c982030d976d5caa598abb973577eca20c6a5f49e0f0b746d31b814e3aada81e", + "type": "eql", + "version": 108 + }, + "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { + "rule_name": "Potential Sudo Hijacking", + "sha256": "48ef2dcad2d1f95fb5e7cd7f890d36ba444b2c045b00f18db67a56565a8fb776", + "type": "eql", + "version": 107 + }, + "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "23ea84a839f5ac5677f5dcd1bd511e1a590fb3a73e3bf7922f0ac80814489841", + "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", "type": "eql", - "version": 208 - }, - "894326d2-56c0-4342-b553-4abfaf421b5b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "7c29cdef0a6ebeafbe4e910b112d583288fc53752af7e0be673133e731c7b6ed", - "type": "eql", - "version": 3 - } - }, + "version": 108 + } + }, + "rule_name": "Suspicious WMI Image Load from MS Office", + "sha256": "23ea84a839f5ac5677f5dcd1bd511e1a590fb3a73e3bf7922f0ac80814489841", + "type": "eql", + "version": 208 + }, + "894326d2-56c0-4342-b553-4abfaf421b5b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", - "sha256": "f41675c0e6c71d8ffce61638873343c099dd76784a16afca7fc2bf6896b4ea63", + "sha256": "7c29cdef0a6ebeafbe4e910b112d583288fc53752af7e0be673133e731c7b6ed", "type": "eql", - "version": 103 - }, - "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { - "rule_name": "Linux Restricted Shell Breakout via the vi command", - "sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79", - "type": "eql", - "version": 100 - }, - "897dc6b5-b39f-432a-8d75-d3730d50c782": { - "min_stack_version": "8.13", - "previous": { - "8.11": { - "max_allowable_version": 
209, - "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", - "type": "eql", - "version": 110 - } - }, + "version": 3 + } + }, + "rule_name": "Potential WPAD Spoofing via DNS Record Creation", + "sha256": "f41675c0e6c71d8ffce61638873343c099dd76784a16afca7fc2bf6896b4ea63", + "type": "eql", + "version": 103 + }, + "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { + "rule_name": "Linux Restricted Shell Breakout via the vi command", + "sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79", + "type": "eql", + "version": 100 + }, + "897dc6b5-b39f-432a-8d75-d3730d50c782": { + "min_stack_version": "8.13", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "ca38aa28a331bbae9391539b45d46648d9465bbf8261f1320789c780faf60c37", + "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", "type": "eql", - "version": 210 - }, - "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Command Prompt Network Connection", - "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", - "type": "eql", - "version": 108 - } - }, + "version": 110 + } + }, + "rule_name": "Kerberos Traffic from Unusual Process", + "sha256": "ca38aa28a331bbae9391539b45d46648d9465bbf8261f1320789c780faf60c37", + "type": "eql", + "version": 210 + }, + "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Command Prompt Network Connection", - "sha256": "20e49f8b0cc9cd52d6a4e8878d070cae67b09b9f66c1d604d4d844a1a31a48c1", - "type": "eql", - "version": 208 - }, - "89fa6cb7-6b53-4de2-b604-648488841ab8": { - "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": 
"7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b", - "type": "query", - "version": 106 - }, - "8a024633-c444-45c0-a4fe-78128d8c1ab6": { - "rule_name": "Suspicious Symbolic Link Created", - "sha256": "e6768a2a66d26ab7605de86680ec11417c10c845603ad67d0b5768837751b40f", - "type": "eql", - "version": 6 - }, - "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { - "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", + "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", "type": "eql", - "version": 4 - }, - "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { - "rule_name": "GitHub PAT Access Revoked", - "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", + "version": 108 + } + }, + "rule_name": "Command Prompt Network Connection", + "sha256": "20e49f8b0cc9cd52d6a4e8878d070cae67b09b9f66c1d604d4d844a1a31a48c1", + "type": "eql", + "version": 208 + }, + "89fa6cb7-6b53-4de2-b604-648488841ab8": { + "rule_name": "Persistence via DirectoryService Plugin Modification", + "sha256": "7e7bfe7e3320055b9e14c1193bb2f5ecf812a4611d29fb12f0f07137bb6dd03b", + "type": "query", + "version": 106 + }, + "8a024633-c444-45c0-a4fe-78128d8c1ab6": { + "rule_name": "Suspicious Symbolic Link Created", + "sha256": "e6768a2a66d26ab7605de86680ec11417c10c845603ad67d0b5768837751b40f", + "type": "eql", + "version": 6 + }, + "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { + "rule_name": "Potential Okta MFA Bombing via Push Notifications", + "sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d", + "type": "eql", + "version": 5 + }, + "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { + "rule_name": "GitHub PAT Access Revoked", + "sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5", + "type": "eql", + "version": 2 + }, + "8a1b0278-0f9a-487d-96bd-d4833298e87a": { + "rule_name": "SUID/SGID Bit Set", + "sha256": 
"3709b15d60903268e4e30eba20dc1d89c099e0aa71b45dcff996484296a8c994", + "type": "eql", + "version": 105 + }, + "8a1d4831-3ce6-4859-9891-28931fa6101d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, + "rule_name": "Suspicious Execution from a Mounted Device", + "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", "type": "eql", - "version": 1 - }, - "8a1b0278-0f9a-487d-96bd-d4833298e87a": { - "rule_name": "SUID/SGID Bit Set", - "sha256": "3709b15d60903268e4e30eba20dc1d89c099e0aa71b45dcff996484296a8c994", + "version": 108 + } + }, + "rule_name": "Suspicious Execution from a Mounted Device", + "sha256": "2b1670c842dd4482f2d66f4b20ad288dba295639673efae366e467a0b4347eac", + "type": "eql", + "version": 208 + }, + "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3", + "type": "query", + "version": 208 + }, + "8acb7614-1d92-4359-bfcf-478b6d9de150": { + "rule_name": "Deprecated - Suspicious JAVA Child Process", + "sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693", + "type": "new_terms", + "version": 209 + }, + "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { + "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", + "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", + "type": "eql", + "version": 4 + }, + "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, + "rule_name": "Executable File Creation with Multiple Extensions", + "sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0", "type": "eql", - "version": 105 - }, - "8a1d4831-3ce6-4859-9891-28931fa6101d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Suspicious Execution from a Mounted Device", - 
"sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", - "type": "eql", - "version": 108 - } - }, - "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "2b1670c842dd4482f2d66f4b20ad288dba295639673efae366e467a0b4347eac", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Executable File Creation with Multiple Extensions", + "sha256": "a5ba27def82c8a23b306fc36f9fc4d034de167102926baab02506d958ae44b71", "type": "eql", - "version": 208 - }, - "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { - "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", - "type": "query", - "version": 207 - }, - "8acb7614-1d92-4359-bfcf-478b6d9de150": { - "rule_name": "Deprecated - Suspicious JAVA Child Process", - "sha256": "70f67ea68d86c6d9def7d34a0d4852b07dae7ec5eb68474317ae5f919775a693", - "type": "new_terms", "version": 209 - }, - "8af5b42f-8d74-48c8-a8d0-6d14b4197288": { - "rule_name": "Potential Sudo Privilege Escalation via CVE-2019-14287", - "sha256": "9f1d8eb4a1676be7fbf66706cbd1e8a9eec262049a93bfc3e771c3d33033f140", + } + }, + "rule_name": "Executable File Creation with Multiple Extensions", + "sha256": "bb22de8a34a7d93efe239f27bf92b15ba453c32860882728ed8eba1e57eba71d", + "type": "eql", + "version": 309 + }, + "8b4f0816-6a65-4630-86a6-c21c179c0d09": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "Enable Host Network Discovery via Netsh", + "sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d", "type": "eql", - "version": 4 - }, - "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0", - "type": "eql", - "version": 109 - }, - "8.13": 
{ - "max_allowable_version": 308, - "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "a5ba27def82c8a23b306fc36f9fc4d034de167102926baab02506d958ae44b71", - "type": "eql", - "version": 209 - } - }, - "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "bb22de8a34a7d93efe239f27bf92b15ba453c32860882728ed8eba1e57eba71d", - "type": "eql", - "version": 309 - }, - "8b4f0816-6a65-4630-86a6-c21c179c0d09": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "0233b0c095271e86a61b4f41bb130007b740f4c4e75718f9ca731a3bc4f94511", - "type": "eql", - "version": 210 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "769d89985ccd82d208842d05b7ef66a74b6e169763b90b5a1f4bffaa45620c97", + "sha256": "0233b0c095271e86a61b4f41bb130007b740f4c4e75718f9ca731a3bc4f94511", "type": "eql", - "version": 310 - }, - "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { - "rule_name": "Azure Kubernetes Events Deleted", - "sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9", - "type": "query", - "version": 102 - }, - "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { - "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "6659d5d4a4edaff5a8ca68cbfaf2a04c0158a37d500c6e10acc18c930935370f", - "type": "query", - "version": 104 - }, - "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Unusual Child Process of dns.exe", - "sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460", - "type": "eql", - 
"version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Unusual Child Process of dns.exe", - "sha256": "38d0941ee472b5919ff202905e616b35d4fcf58b34c86b0f728f3570f8e9d3c8", - "type": "eql", - "version": 212 - } - }, + "version": 210 + } + }, + "rule_name": "Enable Host Network Discovery via Netsh", + "sha256": "1b8dcfb849fbca85f3c0f9347e3081f3c8e4b4f6736756a7de5d88cc31652ce9", + "type": "eql", + "version": 311 + }, + "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { + "rule_name": "Azure Kubernetes Events Deleted", + "sha256": "8a4def186433798cec337c4f9e6b8b1ac62a38ad3789dd570670d22444e74fb9", + "type": "query", + "version": 102 + }, + "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { + "rule_name": "RDP (Remote Desktop Protocol) from the Internet", + "sha256": "6659d5d4a4edaff5a8ca68cbfaf2a04c0158a37d500c6e10acc18c930935370f", + "type": "query", + "version": 104 + }, + "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Unusual Child Process of dns.exe", - "sha256": "b150ed721a6ec1116190ad1dcfb3db4e6c695a418fcd51fca09e3ab018d7ef3b", - "type": "eql", - "version": 312 - }, - "8c81e506-6e82-4884-9b9a-75d3d252f967": { - "rule_name": "Potential SharpRDP Behavior", - "sha256": "187f18c4d04b8449ae3e946d3e2dfe18c3a5cd4a22ac2f5a20319294fef4e588", + "sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460", "type": "eql", - "version": 108 - }, - "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { - "rule_name": "Ransomware - Detected - Elastic Endgame", - "sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2", - "type": "query", - "version": 103 - }, - "8cb84371-d053-4f4f-bce0-c74990e28f28": { - "rule_name": "Potential Successful SSH Brute Force Attack", - "sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483", + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Unusual Child Process of 
dns.exe", + "sha256": "38d0941ee472b5919ff202905e616b35d4fcf58b34c86b0f728f3570f8e9d3c8", "type": "eql", - "version": 11 - }, - "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { - "rule_name": "RPM Package Installed by Unusual Parent Process", - "sha256": "024fc49f53a9fd7181c86315420fe4dccfb3bdd681a4137d7cdf9941fcb288fe", - "type": "new_terms", - "version": 1 - }, - "8d366588-cbd6-43ba-95b4-0971c3f906e5": { - "rule_name": "File with Suspicious Extension Downloaded", - "sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0", + "version": 212 + } + }, + "rule_name": "Unusual Child Process of dns.exe", + "sha256": "8e9cdfcc336ce2f5c05c2db76a514795e03b4b84ef65fb2ccd5d14b90a043f77", + "type": "eql", + "version": 313 + }, + "8c81e506-6e82-4884-9b9a-75d3d252f967": { + "rule_name": "Potential SharpRDP Behavior", + "sha256": "187f18c4d04b8449ae3e946d3e2dfe18c3a5cd4a22ac2f5a20319294fef4e588", + "type": "eql", + "version": 108 + }, + "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { + "rule_name": "Ransomware - Detected - Elastic Endgame", + "sha256": "b84c5e839efdbf68fe7169726ffe8ce015b356dfe0ea25b276db55b22b85d8f2", + "type": "query", + "version": 103 + }, + "8cb84371-d053-4f4f-bce0-c74990e28f28": { + "rule_name": "Potential Successful SSH Brute Force Attack", + "sha256": "eb0397acce03ec5fcb5a10ba7467e1b55e0f73f4a401dfe97878133f487f4483", + "type": "eql", + "version": 11 + }, + "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { + "rule_name": "RPM Package Installed by Unusual Parent Process", + "sha256": "9868139ca7255c94edd8b10c7750af9f9be3e501bb386dce4f46e240eca21bc2", + "type": "new_terms", + "version": 2 + }, + "8d366588-cbd6-43ba-95b4-0971c3f906e5": { + "rule_name": "File with Suspicious Extension Downloaded", + "sha256": "c9d44fd0d41abacd96c54ff4dc4f7a22c34b77b8c64245a7856f8ea12ed3d0b0", + "type": "eql", + "version": 3 + }, + "8d3d0794-c776-476b-8674-ee2e685f6470": { + "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container", + "sha256": 
"98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e", + "type": "eql", + "version": 2 + }, + "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { + "rule_name": "Potential Privilege Escalation via PKEXEC", + "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", + "type": "eql", + "version": 108 + }, + "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { + "rule_name": "Azure Automation Runbook Deleted", + "sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c", + "type": "query", + "version": 102 + }, + "8e2485b6-a74f-411b-bf7f-38b819f3a846": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "Potential WSUS Abuse for Lateral Movement", + "sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3", "type": "eql", "version": 3 - }, - "8d3d0794-c776-476b-8674-ee2e685f6470": { - "rule_name": "Suspicious Interactive Shell Spawned From Inside A Container", - "sha256": "98d9856fbf5ecafe5dad0a89fd9c9d5281e1c02fee5b91a84b352c727f87441e", - "type": "eql", - "version": 2 - }, - "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { - "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "a9c592609916001eeb489115d3ab416659f25485e68e33061d9b0e8903972698", - "type": "eql", - "version": 108 - }, - "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { - "rule_name": "Azure Automation Runbook Deleted", - "sha256": "6c88b863fccfcdd4aa41e1c790530f97914dc652a10e9121e26a28194746179c", - "type": "query", - "version": 102 - }, - "8e2485b6-a74f-411b-bf7f-38b819f3a846": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 203, - "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": 
"3e2c0816b6054ee90afac447a89f0dbd2c8657badf12aedab3b4c1f371c1d799", - "type": "eql", - "version": 104 - } - }, + }, + "8.13": { + "max_allowable_version": 203, "rule_name": "Potential WSUS Abuse for Lateral Movement", - "sha256": "8dee54c3a4dc60f09cb617b41d53d1e981db23fdebb2ae03ea2035230d7f0317", - "type": "eql", - "version": 204 - }, - "8e39f54e-910b-4adb-a87e-494fbba5fb65": { - "rule_name": "Potential Outgoing RDP Connection by Unusual Process", - "sha256": "428b39c4182e10ba307e2d107d34845ceae5b7f6f1e2f036872c3cf1d8cd70e8", + "sha256": "3e2c0816b6054ee90afac447a89f0dbd2c8657badf12aedab3b4c1f371c1d799", "type": "eql", - "version": 4 - }, - "8eec4df1-4b4b-4502-b6c3-c788714604c9": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "Bitsadmin Activity", - "sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e", - "type": "eql", - "version": 5 - } - }, + "version": 104 + } + }, + "rule_name": "Potential WSUS Abuse for Lateral Movement", + "sha256": "6f20b8e3e7b5786f7b0cc4ec248f9c11431df6e0ee30decc8a98078423a583cf", + "type": "eql", + "version": 205 + }, + "8e39f54e-910b-4adb-a87e-494fbba5fb65": { + "rule_name": "Potential Outgoing RDP Connection by Unusual Process", + "sha256": "428b39c4182e10ba307e2d107d34845ceae5b7f6f1e2f036872c3cf1d8cd70e8", + "type": "eql", + "version": 4 + }, + "8eec4df1-4b4b-4502-b6c3-c788714604c9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, "rule_name": "Bitsadmin Activity", - "sha256": "0eb3d4c886d1825f2f64434cbc2f7f824a2f31eb5a1f37d0c409129c1d89ab86", + "sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e", "type": "eql", - "version": 105 - }, - "8f242ffb-b191-4803-90ec-0f19942e17fd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": 
"69eda3393bec929f1158fe872d2aac7cd1fb162a851c342ba041fa666a8a09b7", - "type": "eql", - "version": 3 - } - }, + "version": 5 + } + }, + "rule_name": "Bitsadmin Activity", + "sha256": "0eb3d4c886d1825f2f64434cbc2f7f824a2f31eb5a1f37d0c409129c1d89ab86", + "type": "eql", + "version": 105 + }, + "8f242ffb-b191-4803-90ec-0f19942e17fd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", - "sha256": "53543595176dfe8267e4ad2d5a70fdf91eaa2919aa81daf806a9d56daf0fd67a", - "type": "eql", - "version": 103 - }, - "8f3e91c7-d791-4704-80a1-42c160d7aa27": { - "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "2593df86374cf3250f718b43d01f4e492da7574bdf8bc54867aad7fc465a8f60", + "sha256": "69eda3393bec929f1158fe872d2aac7cd1fb162a851c342ba041fa666a8a09b7", "type": "eql", - "version": 108 - }, - "8f919d4b-a5af-47ca-a594-6be59cd924a4": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", - "type": "eql", - "version": 107 - } - }, + "version": 3 + } + }, + "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", + "sha256": "53543595176dfe8267e4ad2d5a70fdf91eaa2919aa81daf806a9d56daf0fd67a", + "type": "eql", + "version": 103 + }, + "8f3e91c7-d791-4704-80a1-42c160d7aa27": { + "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", + "sha256": "2593df86374cf3250f718b43d01f4e492da7574bdf8bc54867aad7fc465a8f60", + "type": "eql", + "version": 108 + }, + "8f919d4b-a5af-47ca-a594-6be59cd924a4": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": 
"8e6310e520c4ac17999de81799f5ab21b14bad01162d9cc5aa9bd5a8acd914c8", + "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", "type": "eql", - "version": 207 - }, - "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { - "rule_name": "GCP Service Account Deletion", - "sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb", - "type": "query", - "version": 104 - }, - "8fed8450-847e-43bd-874c-3bbf0cd425f3": { - "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", - "sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62", - "type": "eql", - "version": 100 - }, - "90169566-2260-4824-b8e4-8615c3b4ed52": { - "rule_name": "Hping Process Activity", - "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", - "type": "eql", - "version": 108 - }, - "9055ece6-2689-4224-a0e0-b04881e1f8ad": { - "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241", - "type": "query", - "version": 206 - }, - "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { - "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3", - "type": "eql", - "version": 108 - }, - "90babaa8-5216-4568-992d-d4a01a105d98": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "InstallUtil Activity", - "sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f", - "type": "eql", - "version": 4 - } - }, + "version": 107 + } + }, + "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", + "sha256": "8e6310e520c4ac17999de81799f5ab21b14bad01162d9cc5aa9bd5a8acd914c8", + "type": "eql", + "version": 207 + }, + "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { + "rule_name": "GCP Service Account Deletion", + "sha256": "3c8184358856969e1362e374b7c72a678a3df1dc9ae082111b0ba80d01a44dcb", + 
"type": "query", + "version": 104 + }, + "8fed8450-847e-43bd-874c-3bbf0cd425f3": { + "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", + "sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62", + "type": "eql", + "version": 100 + }, + "90169566-2260-4824-b8e4-8615c3b4ed52": { + "rule_name": "Hping Process Activity", + "sha256": "59016f24c9fb4a9e0120058222b3dccfbc94b5d0316a6762207a6eb3fc312a0c", + "type": "eql", + "version": 108 + }, + "9055ece6-2689-4224-a0e0-b04881e1f8ad": { + "rule_name": "AWS Deletion of RDS Instance or Cluster", + "sha256": "123109fe70f635c2d9a5bae3df07789309b38a6d09b1d892aa2df1bdba5ad241", + "type": "query", + "version": 206 + }, + "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { + "rule_name": "Keychain Password Retrieval via Command Line", + "sha256": "d0daaa99eff7d2f0f8a96916e7c4220209cc9015faebc9be56268cf601ac36b3", + "type": "eql", + "version": 108 + }, + "90babaa8-5216-4568-992d-d4a01a105d98": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, "rule_name": "InstallUtil Activity", - "sha256": "9f9c56b567948852bcbe378e570fdf547ce08d08295a8993571cd4b4327af2e7", + "sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f", "type": "eql", - "version": 104 - }, - "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { - "rule_name": "Auditd Login Attempt at Forbidden Time", - "sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad", - "type": "query", - "version": 100 - }, - "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { - "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79", - "type": "query", - "version": 104 - }, - "91d04cd4-47a9-4334-ab14-084abe274d49": { - "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1", + "version": 4 + } + }, + "rule_name": "InstallUtil Activity", + 
"sha256": "9f9c56b567948852bcbe378e570fdf547ce08d08295a8993571cd4b4327af2e7", + "type": "eql", + "version": 104 + }, + "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { + "rule_name": "Auditd Login Attempt at Forbidden Time", + "sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad", + "type": "query", + "version": 100 + }, + "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { + "rule_name": "GCP Virtual Private Cloud Route Creation", + "sha256": "ef3f13ea53f5eeca327dcdcd4a456b5375942dc90208cc6bced56c5c208eeb79", + "type": "query", + "version": 104 + }, + "91d04cd4-47a9-4334-ab14-084abe274d49": { + "rule_name": "AWS WAF Access Control List Deletion", + "sha256": "7bcb7719e201f748986a026ff97c52bfce72b11730f1c15a39516be29c7fe7a1", + "type": "query", + "version": 206 + }, + "91f02f01-969f-4167-8d77-07827ac4cee0": { + "rule_name": "Unusual Web User Agent", + "sha256": "2acbdd0a26677cad2bb141876358cb764775e21d0e209f84d883f66ed4cc509c", + "type": "machine_learning", + "version": 104 + }, + "91f02f01-969f-4167-8f55-07827ac3acc9": { + "rule_name": "Unusual Web Request", + "sha256": "974cc349d144864b4b2c7bf8228f2ef15c5942087c8d3b0c220d50909b0b8f71", + "type": "machine_learning", + "version": 104 + }, + "91f02f01-969f-4167-8f66-07827ac3bdd9": { + "rule_name": "DNS Tunneling", + "sha256": "97758f8c16d53ae0d9fd710f22e21664a5e7ac786569e132352b563c0fec69cb", + "type": "machine_learning", + "version": 104 + }, + "929223b4-fba3-4a1c-a943-ec4716ad23ec": { + "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", + "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", + "type": "threshold", + "version": 1 + }, + "92984446-aefb-4d5e-ad12-598042ca80ba": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, + "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", + "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", "type": "query", - "version": 206 - }, - 
"91f02f01-969f-4167-8d77-07827ac4cee0": { - "rule_name": "Unusual Web User Agent", - "sha256": "2acbdd0a26677cad2bb141876358cb764775e21d0e209f84d883f66ed4cc509c", - "type": "machine_learning", - "version": 104 - }, - "91f02f01-969f-4167-8f55-07827ac3acc9": { - "rule_name": "Unusual Web Request", - "sha256": "974cc349d144864b4b2c7bf8228f2ef15c5942087c8d3b0c220d50909b0b8f71", - "type": "machine_learning", - "version": 104 - }, - "91f02f01-969f-4167-8f66-07827ac3bdd9": { - "rule_name": "DNS Tunneling", - "sha256": "97758f8c16d53ae0d9fd710f22e21664a5e7ac786569e132352b563c0fec69cb", - "type": "machine_learning", - "version": 104 - }, - "929223b4-fba3-4a1c-a943-ec4716ad23ec": { - "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", - "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", - "type": "threshold", - "version": 1 - }, - "92984446-aefb-4d5e-ad12-598042ca80ba": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", - "type": "query", - "version": 8 - }, - "8.12": { - "max_allowable_version": 209, - "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f", - "type": "query", - "version": 110 - } - }, + "version": 8 + }, + "8.12": { + "max_allowable_version": 209, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "ce443a1e91f6122b9fe1c883d2642db0c14a654bf43b938bb85505d24adddda4", + "sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f", "type": "query", - "version": 210 - }, - "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "A scheduled task was created", - 
"sha256": "51fc451b7a928144398a72653372d93f57fc18535dfb3a3667e6e7c3ec10f052", - "type": "eql", - "version": 9 - } - }, + "version": 110 + } + }, + "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", + "sha256": "ce443a1e91f6122b9fe1c883d2642db0c14a654bf43b938bb85505d24adddda4", + "type": "query", + "version": 210 + }, + "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "A scheduled task was created", - "sha256": "e5b5be0c7d172af228b2b4d7673159c5732796739b2ca948c4486b38d6b867ac", + "sha256": "51fc451b7a928144398a72653372d93f57fc18535dfb3a3667e6e7c3ec10f052", "type": "eql", - "version": 109 - }, - "92d3a04e-6487-4b62-892d-70e640a590dc": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "4c1a9ea8c710b1e04ca1f0f4c3ded936d6b02249faca0a7424388c37e4c3782e", - "type": "eql", - "version": 4 - } - }, + "version": 9 + } + }, + "rule_name": "A scheduled task was created", + "sha256": "e5b5be0c7d172af228b2b4d7673159c5732796739b2ca948c4486b38d6b867ac", + "type": "eql", + "version": 109 + }, + "92d3a04e-6487-4b62-892d-70e640a590dc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, "rule_name": "Potential Evasion via Windows Filtering Platform", - "sha256": "7ac59a9ca2f1b45c91bacb9ec313fd3e400a28a06751a9175f3262892e0f96fa", + "sha256": "4c1a9ea8c710b1e04ca1f0f4c3ded936d6b02249faca0a7424388c37e4c3782e", "type": "eql", - "version": 104 - }, - "93075852-b0f5-4b8b-89c3-a226efae5726": { - "rule_name": "AWS STS Temporary Credentials via AssumeRole", - "sha256": "13767d3266a5abd034b850989f4267218323e93de23074b028f263b2276bb0fc", - "type": "new_terms", - "version": 208 - }, - "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { - "rule_name": "Sudoers File Modification", - "sha256": 
"750c2d617d020e994dadb92ce3e0b585d16bbdc097fb24a656bb3e2f95ccae14", - "type": "new_terms", - "version": 205 - }, - "9395fd2c-9947-4472-86ef-4aceb2f7e872": { - "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6", - "type": "query", - "version": 209 - }, - "93b22c0a-06a0-4131-b830-b10d5e166ff4": { - "min_stack_version": "8.13", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", - "type": "eql", - "version": 110 - } - }, + "version": 4 + } + }, + "rule_name": "Potential Evasion via Windows Filtering Platform", + "sha256": "7ac59a9ca2f1b45c91bacb9ec313fd3e400a28a06751a9175f3262892e0f96fa", + "type": "eql", + "version": 104 + }, + "93075852-b0f5-4b8b-89c3-a226efae5726": { + "rule_name": "AWS STS Role Assumption by Service", + "sha256": "098648b0ec9a99626b4b9cacd20f79f9028f13d93cda5ddb8c02d9394c758353", + "type": "new_terms", + "version": 209 + }, + "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { + "rule_name": "Sudoers File Modification", + "sha256": "750c2d617d020e994dadb92ce3e0b585d16bbdc097fb24a656bb3e2f95ccae14", + "type": "new_terms", + "version": 205 + }, + "9395fd2c-9947-4472-86ef-4aceb2f7e872": { + "rule_name": "AWS VPC Flow Logs Deletion", + "sha256": "25e4d08e828c9f763d9f42004a1d8bb865f62993bd8f235e95fc5513208e03a6", + "type": "query", + "version": 209 + }, + "93b22c0a-06a0-4131-b830-b10d5e166ff4": { + "min_stack_version": "8.13", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "7363bf0ec1ba1d14c0e88b63d2dd0597d01dc13ab80fcd01d0ca58e10e232b4e", + "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", "type": "eql", - "version": 210 - }, - "93c1ce76-494c-4f01-8167-35edfb52f7b1": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - 
"max_allowable_version": 206, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "e20bede2cf9f7765ae6d20ca1cf0c101e18b2cce36bd1404306fcfbdfc346d4c", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 410, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "b5558abe7fd77b3214d07c369401260d1c211b91845eb37e5f92266ebf92ef54", - "type": "eql", - "version": 311 - } - }, + "version": 110 + } + }, + "rule_name": "Suspicious SolarWinds Child Process", + "sha256": "7363bf0ec1ba1d14c0e88b63d2dd0597d01dc13ab80fcd01d0ca58e10e232b4e", + "type": "eql", + "version": 210 + }, + "93c1ce76-494c-4f01-8167-35edfb52f7b1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "af45080cf231cdc384e6d85e2ccc178fd5b9cc69c739e04396373babe9b31ae5", + "sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4", "type": "eql", - "version": 411 - }, - "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { - "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "3f4c25d945ad4aba614f5d74a31c515d8284fc201547404bee99658f5e3c7919", - "type": "query", - "version": 206 - }, - "93f47b6f-5728-4004-ba00-625083b3dcb0": { - "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", - "type": "new_terms", - "version": 204 - }, - "94418745-529f-4259-8d25-a713a6feb6ae": { - "rule_name": "Executable Bit Set for Potential Persistence Script", - "sha256": "74aed1e2b14f06f985dcdda41a9373194206e0d5b6136dc5af2c15f72a430fc0", + "version": 109 + }, + "8.13": { + "max_allowable_version": 410, + "rule_name": "Encoded Executable Stored in the Registry", + "sha256": "b5558abe7fd77b3214d07c369401260d1c211b91845eb37e5f92266ebf92ef54", "type": "eql", - "version": 4 - }, - "947827c6-9ed6-4dec-903e-c856c86e72f3": { - "rule_name": "Creation 
of Kernel Module", - "sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533", + "version": 311 + } + }, + "rule_name": "Encoded Executable Stored in the Registry", + "sha256": "af45080cf231cdc384e6d85e2ccc178fd5b9cc69c739e04396373babe9b31ae5", + "type": "eql", + "version": 411 + }, + "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { + "rule_name": "Google Workspace Admin Role Deletion", + "sha256": "3f4c25d945ad4aba614f5d74a31c515d8284fc201547404bee99658f5e3c7919", + "type": "query", + "version": 206 + }, + "93f47b6f-5728-4004-ba00-625083b3dcb0": { + "rule_name": "Modification of Standard Authentication Module or Configuration", + "sha256": "1e01d9186d48db4667fa030761b3f63e12f70737f7fb423eb05d385ad1e6db30", + "type": "new_terms", + "version": 204 + }, + "94418745-529f-4259-8d25-a713a6feb6ae": { + "rule_name": "Executable Bit Set for Potential Persistence Script", + "sha256": "74aed1e2b14f06f985dcdda41a9373194206e0d5b6136dc5af2c15f72a430fc0", + "type": "eql", + "version": 4 + }, + "947827c6-9ed6-4dec-903e-c856c86e72f3": { + "rule_name": "Creation of Kernel Module", + "sha256": "567ba4167bba7fcade95c2541b715738b5656e11712923c258d65bf3dc1dd533", + "type": "eql", + "version": 3 + }, + "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, + "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", + "sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1", "type": "eql", - "version": 3 - }, - "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1", - "type": "eql", - "version": 10 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": 
"5d504991acb458ceeb163edfc30f03c2b639725ce90470439bd1854d0c508ea5", - "type": "eql", - "version": 109 - } - }, + "version": 10 + }, + "8.13": { + "max_allowable_version": 208, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", - "sha256": "c4168d04f1c399d2e33033e7cc0ca06158daa086554e7602a7b7458b79ee28f0", + "sha256": "5d504991acb458ceeb163edfc30f03c2b639725ce90470439bd1854d0c508ea5", "type": "eql", - "version": 209 - }, - "94e734c0-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.13", - "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", - "type": "esql", - "version": 3 - }, - "9510add4-3392-11ed-bd01-f661ea17fbce": { - "rule_name": "Google Workspace Custom Gmail Route Created or Modified", - "sha256": "e1f81d655b8ff56cdc39629ce72312cdebdea19e417e5d8a2f82631bf5a3bd6c", - "type": "query", - "version": 107 - }, - "951779c2-82ad-4a6c-82b8-296c1f691449": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897", - "type": "query", - "version": 4 - } - }, + "version": 109 + } + }, + "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", + "sha256": "5ac9902c4013c4a43232005924bbd2e3ea5837f3b1fb46536414e31a990e9dfb", + "type": "eql", + "version": 210 + }, + "94e734c0-2cda-11ef-84e1-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "Multiple Okta User Authentication Events with Client Address", + "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "type": "esql", + "version": 3 + }, + "9510add4-3392-11ed-bd01-f661ea17fbce": { + "rule_name": "Google Workspace Custom Gmail Route Created or Modified", + "sha256": "e1f81d655b8ff56cdc39629ce72312cdebdea19e417e5d8a2f82631bf5a3bd6c", + "type": "query", + "version": 
107 + }, + "951779c2-82ad-4a6c-82b8-296c1f691449": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", - "sha256": "6ec2f6a7128677f6221950458047a3b8e1280a63bea437a60b9c6da72c55d746", + "sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897", "type": "query", - "version": 104 - }, - "954ee7c8-5437-49ae-b2d6-2960883898e9": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Remote Scheduled Task Creation", - "sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8", - "type": "eql", - "version": 110 - } - }, + "version": 4 + } + }, + "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", + "sha256": "6ec2f6a7128677f6221950458047a3b8e1280a63bea437a60b9c6da72c55d746", + "type": "query", + "version": 104 + }, + "954ee7c8-5437-49ae-b2d6-2960883898e9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Remote Scheduled Task Creation", - "sha256": "555f7495d3ea6078d6af2f97c818cae349e64b883f0521ec5b62889f19a47c7a", + "sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8", "type": "eql", - "version": 210 - }, - "959a7353-1129-4aa7-9084-30746b256a70": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", - "type": "query", - "version": 110 - } - }, + "version": 110 + } + }, + "rule_name": "Remote Scheduled Task Creation", + "sha256": "555f7495d3ea6078d6af2f97c818cae349e64b883f0521ec5b62889f19a47c7a", + "type": "eql", + "version": 210 + }, + "959a7353-1129-4aa7-9084-30746b256a70": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "PowerShell 
Suspicious Script with Screenshot Capabilities", - "sha256": "6dc0584fa3dc988eb1f19f71ae64b7dfdfded3c1db4e5a6a80bb43bcf8778753", + "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", "type": "query", - "version": 210 - }, - "95b99adc-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.13", - "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", - "type": "esql", - "version": 3 - }, - "9661ed8b-001c-40dc-a777-0983b7b0c91a": { - "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", - "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", + "version": 110 + } + }, + "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", + "sha256": "6dc0584fa3dc988eb1f19f71ae64b7dfdfded3c1db4e5a6a80bb43bcf8778753", + "type": "query", + "version": 210 + }, + "95b99adc-2cda-11ef-84e1-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", + "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "type": "esql", + "version": 3 + }, + "9661ed8b-001c-40dc-a777-0983b7b0c91a": { + "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", + "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", + "type": "eql", + "version": 2 + }, + "968ccab9-da51-4a87-9ce2-d3c9782fd759": { + "rule_name": "File made Immutable by Chattr", + "sha256": "554e2d9f8e0757200b05413ef711c554856e94d6e704b08e57b934f69a26ba7c", + "type": "eql", + "version": 112 + }, + "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { + "rule_name": "Attempt to Create Okta API Token", + "sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19", + "type": "query", + "version": 207 + }, + "96d11d31-9a79-480f-8401-da28b194608f": { + "rule_name": "Message-of-the-Day (MOTD) File 
Creation", + "sha256": "dee0fa159010c2aba6be29979a0ca7a24423ce4b2897d3bde2f635ddff3fe6c8", + "type": "eql", + "version": 12 + }, + "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { + "rule_name": "Access to Keychain Credentials Directories", + "sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63", + "type": "eql", + "version": 207 + }, + "97020e61-e591-4191-8a3b-2861a2b887cd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, + "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", + "sha256": "59ac20ddf0ad6c973682600530ec32145c00eecd4dadbd7760ff440d6eaee57c", "type": "eql", - "version": 2 - }, - "968ccab9-da51-4a87-9ce2-d3c9782fd759": { - "rule_name": "File made Immutable by Chattr", - "sha256": "554e2d9f8e0757200b05413ef711c554856e94d6e704b08e57b934f69a26ba7c", + "version": 8 + } + }, + "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", + "sha256": "d04ceea45c0ac0f1155e702d8add70dc3c753a765f23720895f180232c65a4a4", + "type": "eql", + "version": 108 + }, + "97314185-2568-4561-ae81-f3e480e5e695": { + "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", + "type": "query", + "version": 206 + }, + "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { + "rule_name": "GCP Storage Bucket Configuration Modification", + "sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6", + "type": "query", + "version": 104 + }, + "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { + "rule_name": "File System Debugger Launched Inside a Privileged Container", + "sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9", + "type": "eql", + "version": 1 + }, + "979729e7-0c52-4c4c-b71e-88103304a79f": { + "rule_name": "AWS IAM SAML Provider Updated", + "sha256": "4ef7bf5e39de2d55f436f611e2de8f1d905d1ea116d8ff8000753ceb8d2663fc", + "type": "query", + "version": 207 + }, + 
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { + "rule_name": "Potentially Successful MFA Bombing via Push Notifications", + "sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286", + "type": "eql", + "version": 211 + }, + "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "Suspicious Zoom Child Process", + "sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea", "type": "eql", "version": 112 - }, - "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { - "rule_name": "Attempt to Create Okta API Token", - "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", - "type": "query", - "version": 206 - }, - "96d11d31-9a79-480f-8401-da28b194608f": { - "rule_name": "Message-of-the-Day (MOTD) File Creation", - "sha256": "dee0fa159010c2aba6be29979a0ca7a24423ce4b2897d3bde2f635ddff3fe6c8", + }, + "8.13": { + "max_allowable_version": 413, + "rule_name": "Suspicious Zoom Child Process", + "sha256": "60e026edebd1c4bcfd0580ec04e257e406ecedb6ace76131d14a9bbcad9535ee", "type": "eql", - "version": 12 - }, - "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { - "rule_name": "Access to Keychain Credentials Directories", - "sha256": "a4bde834d3628dca2daee592ed3741c7ccd55a25840f58603fdccb98e7368d63", - "type": "eql", - "version": 207 - }, - "97020e61-e591-4191-8a3b-2861a2b887cd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "59ac20ddf0ad6c973682600530ec32145c00eecd4dadbd7760ff440d6eaee57c", - "type": "eql", - "version": 8 - } - }, - "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", - "sha256": "d04ceea45c0ac0f1155e702d8add70dc3c753a765f23720895f180232c65a4a4", - "type": "eql", - "version": 108 - }, - "97314185-2568-4561-ae81-f3e480e5e695": { - "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - 
"sha256": "9c1981f0822634de6f020d5301b100c703d19724dd486e288398596ff23b18e6", - "type": "query", - "version": 206 - }, - "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { - "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "8898fb2725e12947da9bb2c12a300e9093f6eef9c309b3ff30af48d018501dd6", - "type": "query", - "version": 104 - }, - "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { - "rule_name": "File System Debugger Launched Inside a Privileged Container", - "sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9", - "type": "eql", - "version": 1 - }, - "979729e7-0c52-4c4c-b71e-88103304a79f": { - "rule_name": "AWS IAM SAML Provider Updated", - "sha256": "4ef7bf5e39de2d55f436f611e2de8f1d905d1ea116d8ff8000753ceb8d2663fc", - "type": "query", - "version": 207 - }, - "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { - "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", - "type": "eql", - "version": 210 - }, - "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "caeba78c336bb935017ea2fa0a4a71a5d66c521649882281fff349ee6094c4da", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 413, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "60e026edebd1c4bcfd0580ec04e257e406ecedb6ace76131d14a9bbcad9535ee", - "type": "eql", - "version": 315 - } - }, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "9762b71fbc0bb8d0886f4b4c796d490d1e216a9cb3081ba46310edaa272fdf75", - "type": "eql", - "version": 415 - }, - "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { - "rule_name": "Linux Restricted Shell Breakout via the ssh command", - "sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f", - "type": "eql", - "version": 100 - }, - "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { 
- "rule_name": "Suspicious Renaming of ESXI Files", - "sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39", - "type": "eql", - "version": 6 - }, - "97f22dab-84e8-409d-955e-dacd1d31670b": { - "rule_name": "Base64 Encoding/Decoding Activity", - "sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3", - "type": "query", - "version": 100 - }, - "97fc44d3-8dae-4019-ae83-298c3015600f": { - "rule_name": "Startup or Run Key Registry Modification", - "sha256": "d8b7b25e2fefe1dc94dd57ee87b2dd576cc089e5d7a78dcb91f493b33e925285", - "type": "eql", - "version": 113 - }, - "980b70a0-c820-11ed-8799-f661ea17fbcc": { - "rule_name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", - "sha256": "13bb60d5c1f5306bc12b67f81f15a38dc8238c2cd154896536269d9668d075cc", + "version": 315 + } + }, + "rule_name": "Suspicious Zoom Child Process", + "sha256": "3db79975854f188574aa5d5aec5b4fe1e5375be640e0ac15fa02437975ef0d7e", + "type": "eql", + "version": 416 + }, + "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { + "rule_name": "Linux Restricted Shell Breakout via the ssh command", + "sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f", + "type": "eql", + "version": 100 + }, + "97db8b42-69d8-4bf3-9fd4-c69a1d895d68": { + "rule_name": "Suspicious Renaming of ESXI Files", + "sha256": "134cc7f77ddd008b061f698e64cd7b3c5fc67db9adca8e3ecc35436d6136bc39", + "type": "eql", + "version": 6 + }, + "97f22dab-84e8-409d-955e-dacd1d31670b": { + "rule_name": "Base64 Encoding/Decoding Activity", + "sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3", + "type": "query", + "version": 100 + }, + "97fc44d3-8dae-4019-ae83-298c3015600f": { + "rule_name": "Startup or Run Key Registry Modification", + "sha256": "d8b7b25e2fefe1dc94dd57ee87b2dd576cc089e5d7a78dcb91f493b33e925285", + "type": "eql", + "version": 113 + }, + "980b70a0-c820-11ed-8799-f661ea17fbcc": { + "rule_name": "Google Workspace Drive Encryption Key(s) 
Accessed from Anonymous User", + "sha256": "13bb60d5c1f5306bc12b67f81f15a38dc8238c2cd154896536269d9668d075cc", + "type": "eql", + "version": 4 + }, + "9822c5a1-1494-42de-b197-487197bb540c": { + "rule_name": "Git Hook Egress Network Connection", + "sha256": "8e57b1dbf16d5746922b8edafe41713555a95bb09c7bc1b9f9f63a00bd5c3724", + "type": "eql", + "version": 2 + }, + "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { + "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", + "sha256": "9921b21414e5f26b0a92efb35b3aa687685d77a03473e8f2f74e4eb5def0f2c7", + "type": "eql", + "version": 2 + }, + "98843d35-645e-4e66-9d6a-5049acd96ce1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "Indirect Command Execution via Forfiles/Pcalua", + "sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc", "type": "eql", "version": 4 - }, - "9822c5a1-1494-42de-b197-487197bb540c": { - "rule_name": "Git Hook Egress Network Connection", - "sha256": "8e57b1dbf16d5746922b8edafe41713555a95bb09c7bc1b9f9f63a00bd5c3724", - "type": "eql", - "version": 2 - }, - "986361cd-3dac-47fe-afa1-5c5dd89f2fb4": { - "rule_name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", - "sha256": "9921b21414e5f26b0a92efb35b3aa687685d77a03473e8f2f74e4eb5def0f2c7", - "type": "eql", - "version": 2 - }, - "98843d35-645e-4e66-9d6a-5049acd96ce1": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "Indirect Command Execution via Forfiles/Pcalua", - "sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Indirect Command Execution via Forfiles/Pcalua", - "sha256": "56ee900c3c60566cdad73204b69ff67f4e49dd0fbbf0ad53ddaaf26095c60caa", - "type": "eql", - "version": 104 - }, - "9890ee61-d061-403d-9bf6-64934c51f638": { - "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": 
"f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff", - "type": "query", - "version": 104 - }, - "98995807-5b09-4e37-8a54-5cae5dc932d7": { - "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c", - "type": "query", - "version": 206 - }, - "98fd7407-0bd5-5817-cda0-3fcc33113a56": { - "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1", - "type": "query", - "version": 209 - }, - "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { - "rule_name": "Process Injection - Prevented - Elastic Endgame", - "sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa", - "type": "query", - "version": 103 - }, - "99239e7d-b0d4-46e3-8609-acafcf99f68c": { - "rule_name": "MacOS Installer Package Spawns Network Event", - "sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584", - "type": "eql", - "version": 107 - }, - "994e40aa-8c85-43de-825e-15f665375ee8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 109, - "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", - "sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3", - "type": "eql", - "version": 10 - } - }, + } + }, + "rule_name": "Indirect Command Execution via Forfiles/Pcalua", + "sha256": "56ee900c3c60566cdad73204b69ff67f4e49dd0fbbf0ad53ddaaf26095c60caa", + "type": "eql", + "version": 104 + }, + "9890ee61-d061-403d-9bf6-64934c51f638": { + "rule_name": "GCP IAM Service Account Key Deletion", + "sha256": "f6e73ab78ecb9bdcafce24cf4de95c3ad91c3b9f84ebde53d8a1184c1145cbff", + "type": "query", + "version": 104 + }, + "98995807-5b09-4e37-8a54-5cae5dc932d7": { + "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", + "sha256": "e5669429abd5547d912048bcc97739ccf3bfa45d4d74e324d1ab2bfd2076322c", + 
"type": "query", + "version": 206 + }, + "98fd7407-0bd5-5817-cda0-3fcc33113a56": { + "rule_name": "AWS EC2 Snapshot Activity", + "sha256": "0bcbd76d8bc2c0abdaa12111fbc563952e549b58223fb5c1376a1f268453a2c1", + "type": "query", + "version": 209 + }, + "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { + "rule_name": "Process Injection - Prevented - Elastic Endgame", + "sha256": "a02da9b5d7a30fe8e11ecdc06e8302ca4077986141d830dffc5a3ea2af2180fa", + "type": "query", + "version": 103 + }, + "99239e7d-b0d4-46e3-8609-acafcf99f68c": { + "rule_name": "MacOS Installer Package Spawns Network Event", + "sha256": "a13a4be8fd4f869d6387397192b1e56e6ff008c345ae84e5fafd4a4d28697584", + "type": "eql", + "version": 107 + }, + "994e40aa-8c85-43de-825e-15f665375ee8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 109, "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", - "sha256": "85e5f6ced29ac3d6e31d6e1f4a7c0b4f2599e27e53092e952773acedced38cf5", + "sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3", "type": "eql", - "version": 110 - }, - "9960432d-9b26-409f-972b-839a959e79e2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 309, - "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3", - "type": "eql", - "version": 210 - } - }, + "version": 10 + } + }, + "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", + "sha256": "85e5f6ced29ac3d6e31d6e1f4a7c0b4f2599e27e53092e952773acedced38cf5", + "type": "eql", + "version": 110 + }, + "9960432d-9b26-409f-972b-839a959e79e2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 309, "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": 
"4bf6f2a660c85fd28a35ddf6782205584eb0a142d6df00a0777a759911565330", + "sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3", "type": "eql", - "version": 310 - }, - "999565a2-fc52-4d72-91e4-ba6712c0377e": { - "rule_name": "Access Control List Modification via setfacl", - "sha256": "56c8562c3f638627b4748c065a8c8c771c5192aeeafeb828cb96f7150784c66f", + "version": 210 + } + }, + "rule_name": "Potential Credential Access via LSASS Memory Dump", + "sha256": "4bf6f2a660c85fd28a35ddf6782205584eb0a142d6df00a0777a759911565330", + "type": "eql", + "version": 310 + }, + "999565a2-fc52-4d72-91e4-ba6712c0377e": { + "rule_name": "Access Control List Modification via setfacl", + "sha256": "56c8562c3f638627b4748c065a8c8c771c5192aeeafeb828cb96f7150784c66f", + "type": "eql", + "version": 2 + }, + "99c2b626-de44-4322-b1f9-157ca408c17e": { + "rule_name": "Web Server Spawned via Python", + "sha256": "34fe21a4d673170b9d5de7326cc8f18a359a13a6b97d49085d89e96cf0f9952a", + "type": "eql", + "version": 1 + }, + "99dcf974-6587-4f65-9252-d866a3fdfd9c": { + "rule_name": "Spike in Failed Logon Events", + "sha256": "ca08904de89887f5891bd0f501edc49c036372ce18d12a47f09c6dc211d1e964", + "type": "machine_learning", + "version": 105 + }, + "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { + "rule_name": "Endpoint Security", + "sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d", + "type": "query", + "version": 103 + }, + "9a3884d0-282d-45ea-86ce-b9c81100f026": { + "rule_name": "Unsigned BITS Service Client Process", + "sha256": "4f561717a25dc92b70f5d5b880397f4622d3d9795ea086ac8c70373878c3bc51", + "type": "eql", + "version": 3 + }, + "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { + "rule_name": "Potential Shadow File Read via Command Line Utilities", + "sha256": "aa9fc82aa5324a0f942d1115e319178f8cb830f3e6d3a881a1859865b3768db5", + "type": "new_terms", + "version": 209 + }, + "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { + "min_stack_version": "8.14", + "previous": { + "8.11": 
{ + "max_allowable_version": 208, + "rule_name": "Suspicious Explorer Child Process", + "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", "type": "eql", - "version": 2 - }, - "99dcf974-6587-4f65-9252-d866a3fdfd9c": { - "rule_name": "Spike in Failed Logon Events", - "sha256": "ca08904de89887f5891bd0f501edc49c036372ce18d12a47f09c6dc211d1e964", - "type": "machine_learning", - "version": 105 - }, - "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { - "rule_name": "Endpoint Security", - "sha256": "3ae0acbbd3b1f49e9a79f6db57b01b04ec80eb8493223e6baa3db0f545a5512d", - "type": "query", - "version": 103 - }, - "9a3884d0-282d-45ea-86ce-b9c81100f026": { - "rule_name": "Unsigned BITS Service Client Process", - "sha256": "4f561717a25dc92b70f5d5b880397f4622d3d9795ea086ac8c70373878c3bc51", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Suspicious Explorer Child Process", + "sha256": "8911b89e1d09588deb7e5a942983225efff7df52cca7afc92f98f0875de1c7e2", "type": "eql", - "version": 3 - }, - "9a3a3689-8ed1-4cdb-83fb-9506db54c61f": { - "rule_name": "Potential Shadow File Read via Command Line Utilities", - "sha256": "aa9fc82aa5324a0f942d1115e319178f8cb830f3e6d3a881a1859865b3768db5", - "type": "new_terms", "version": 209 - }, - "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Suspicious Explorer Child Process", - "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Suspicious Explorer Child Process", - "sha256": "8911b89e1d09588deb7e5a942983225efff7df52cca7afc92f98f0875de1c7e2", - "type": "eql", - "version": 209 - } - }, - "rule_name": "Suspicious Explorer Child Process", - "sha256": "155a1370c4fc3154277e3947dd506fb75a99bd378727d59485c4e1947de04ecc", - "type": "eql", - "version": 309 - }, - 
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "f3167a9539280f0deb3103a26e2dad2bc7f971e05e60885f5a533db2ba730fa2", - "type": "eql", - "version": 210 - } - }, + } + }, + "rule_name": "Suspicious Explorer Child Process", + "sha256": "155a1370c4fc3154277e3947dd506fb75a99bd378727d59485c4e1947de04ecc", + "type": "eql", + "version": 309 + }, + "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "6c0f3e8a857f02183dd2476acbc51cd2417ad39b9a38013caea85872f6c0495f", + "sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88", "type": "eql", - "version": 310 - }, - "9aa4be8d-5828-417d-9f54-7cd304571b24": { - "min_stack_version": "8.13", - "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", - "sha256": "60d3dc739bbd0ee15729bae5c658e4b16b0df0df19766cf61c89cd067a1e3526", - "type": "esql", - "version": 3 - }, - "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { - "rule_name": "GitHub Owner Role Granted To User", - "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", + "version": 110 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Scheduled Tasks AT Command Enabled", + "sha256": "f3167a9539280f0deb3103a26e2dad2bc7f971e05e60885f5a533db2ba730fa2", "type": "eql", - "version": 3 - }, - "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Persistence via WMI Event Subscription", - "sha256": 
"f84d0750e79c7e23c031d4418102d9813c8bf40cf0c1c297bb68b2e68ecd6662", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Persistence via WMI Event Subscription", - "sha256": "890f3569bcc29ef77a9be476b20376ebe51917937cb2bde1ca196f0698b6c9ff", - "type": "eql", - "version": 212 - } - }, + "version": 210 + } + }, + "rule_name": "Scheduled Tasks AT Command Enabled", + "sha256": "6c0f3e8a857f02183dd2476acbc51cd2417ad39b9a38013caea85872f6c0495f", + "type": "eql", + "version": 310 + }, + "9aa4be8d-5828-417d-9f54-7cd304571b24": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM AdministratorAccess Policy Attached to User", + "sha256": "19bb01d2bfc28053a0a6ef4bba3cc428e187d1c71998e94cabcc80b2b15ef822", + "type": "esql", + "version": 4 + }, + "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { + "rule_name": "GitHub Owner Role Granted To User", + "sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68", + "type": "eql", + "version": 4 + }, + "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Persistence via WMI Event Subscription", - "sha256": "698e2c58267909d3e65b9c7f2f6fae9ca7c278994639b511cc3fdf55e795ace5", + "sha256": "f84d0750e79c7e23c031d4418102d9813c8bf40cf0c1c297bb68b2e68ecd6662", "type": "eql", - "version": 312 - }, - "9b80cb26-9966-44b5-abbf-764fbdbc3586": { - "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", - "sha256": "818ec7b5077ef339d297c377bd56ef3592dbf978c6f01eab575e082d7ec31f59", + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Persistence via WMI Event Subscription", + "sha256": "890f3569bcc29ef77a9be476b20376ebe51917937cb2bde1ca196f0698b6c9ff", "type": "eql", - "version": 4 - }, - "9c260313-c811-4ec8-ab89-8f6530e0246c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Hosts File 
Modified", - "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", - "type": "eql", - "version": 110 - } - }, + "version": 212 + } + }, + "rule_name": "Persistence via WMI Event Subscription", + "sha256": "894cde78d489d010f90f6c225dc210803634f3e1d380a685cea35bd4605694ef", + "type": "eql", + "version": 313 + }, + "9b80cb26-9966-44b5-abbf-764fbdbc3586": { + "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", + "sha256": "818ec7b5077ef339d297c377bd56ef3592dbf978c6f01eab575e082d7ec31f59", + "type": "eql", + "version": 4 + }, + "9c260313-c811-4ec8-ab89-8f6530e0246c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Hosts File Modified", - "sha256": "6c8889d19257e8545d39010b01b1e721000f32d09695add926dd4b13d378b84b", + "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", "type": "eql", - "version": 210 - }, - "9c865691-5599-447a-bac9-b3f2df5f9a9d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "247721b2ad4e7f9a94e9bbd1effaef53279a2504856ed04ae48b17a46729cccb", - "type": "eql", - "version": 9 - } - }, + "version": 110 + } + }, + "rule_name": "Hosts File Modified", + "sha256": "6c8889d19257e8545d39010b01b1e721000f32d09695add926dd4b13d378b84b", + "type": "eql", + "version": 210 + }, + "9c5b2382-19d2-4b5d-8f14-9e1631a3acdb": { + "rule_name": "Unusual Interactive Shell Launched from System User", + "sha256": "b203af3a5e4914073b4c50ace39c1cd98fff18e024f1810b36679a1ae394cf3a", + "type": "new_terms", + "version": 1 + }, + "9c865691-5599-447a-bac9-b3f2df5f9a9d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "Remote Scheduled Task Creation via RPC", - "sha256": "9860fa33ea3768742f597c39c25196697991a88b7dc7cf668e73827b1da60387", + "sha256": 
"247721b2ad4e7f9a94e9bbd1effaef53279a2504856ed04ae48b17a46729cccb", "type": "eql", - "version": 109 - }, - "9c951837-7d13-4b0c-be7a-f346623c8795": { - "rule_name": "Potential Enumeration via Active Directory Web Service", - "sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1", + "version": 9 + } + }, + "rule_name": "Remote Scheduled Task Creation via RPC", + "sha256": "9860fa33ea3768742f597c39c25196697991a88b7dc7cf668e73827b1da60387", + "type": "eql", + "version": 109 + }, + "9c951837-7d13-4b0c-be7a-f346623c8795": { + "rule_name": "Potential Enumeration via Active Directory Web Service", + "sha256": "8e3c38ce419b110b9a63f544e1faf01b054304e08d40cb4e20a08b87e0ef44c1", + "type": "eql", + "version": 2 + }, + "9ccf3ce0-0057-440a-91f5-870c6ad39093": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "Command Shell Activity Started via RunDLL32", + "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", "type": "eql", - "version": 2 - }, - "9ccf3ce0-0057-440a-91f5-870c6ad39093": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "382fed94a5329814298bb2fe0283ed3c63d2c0ff9293e69efad3950dfe08121e", - "type": "eql", - "version": 210 - } - }, + "version": 110 + }, + "8.13": { + "max_allowable_version": 309, "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "71bbd98aa70c506906a99a90cb6f320ba14cfe6276decafe44eb330c1a9e7428", + "sha256": "382fed94a5329814298bb2fe0283ed3c63d2c0ff9293e69efad3950dfe08121e", "type": "eql", - "version": 310 - }, - "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { - "rule_name": "Google Workspace User 
Group Access Modified to Allow External Access", - "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd", - "type": "query", - "version": 104 - }, - "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { - "rule_name": "Trusted Developer Application Usage", - "sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349", - "type": "query", - "version": 100 - }, - "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 310, - "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", - "type": "new_terms", - "version": 211 - } - }, + "version": 210 + } + }, + "rule_name": "Command Shell Activity Started via RunDLL32", + "sha256": "71bbd98aa70c506906a99a90cb6f320ba14cfe6276decafe44eb330c1a9e7428", + "type": "eql", + "version": 310 + }, + "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { + "rule_name": "Google Workspace User Group Access Modified to Allow External Access", + "sha256": "3de5e59006729a058c18b93a17cacead586bbf1a2893756ce0951d59aa5bfdfd", + "type": "query", + "version": 104 + }, + "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { + "rule_name": "Trusted Developer Application Usage", + "sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349", + "type": "query", + "version": 100 + }, + "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 310, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "37eced0f6fbe00d0d4f72c4340aafc08a0e4649d41713d82af3cbe9cdec35360", + "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", "type": "new_terms", - "version": 311 - }, - "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Microsoft Build Engine Started by a System 
Process", - "sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "1a76f0bbf93f2e947cf44f3a49de094b9821895129e1861a2e6f30b6af1e9ea1", - "type": "eql", - "version": 211 - } - }, + "version": 211 + } + }, + "rule_name": "Microsoft Build Engine Started by a Script Process", + "sha256": "37eced0f6fbe00d0d4f72c4340aafc08a0e4649d41713d82af3cbe9cdec35360", + "type": "new_terms", + "version": 311 + }, + "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "559aa22b45bf390bd35d34acc16d6187f09d707a50910ddc4cd9a25d940b90dc", + "sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641", "type": "eql", - "version": 311 - }, - "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "a49d6fb17cca15bf6ca569b7a9ed627b4ac76c4508e50fca28a4a267dc420ad4", - "type": "eql", - "version": 113 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Microsoft Build Engine Started by a System Process", + "sha256": "1a76f0bbf93f2e947cf44f3a49de094b9821895129e1861a2e6f30b6af1e9ea1", + "type": "eql", + "version": 211 + } + }, + "rule_name": "Microsoft Build Engine Started by a System Process", + "sha256": "b231de2975d9c748c61f7f29bd2b82eff7dc7eeb84a3b7e15858428d7acce811", + "type": "eql", + "version": 312 + }, + "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": 
"e5c954ed07e9fd47ada5f8b7e54e8b4a9dbd25bee53943caa9897ffba3703f10", + "sha256": "a49d6fb17cca15bf6ca569b7a9ed627b4ac76c4508e50fca28a4a267dc420ad4", "type": "eql", - "version": 213 - }, - "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", - "type": "eql", - "version": 110 - } - }, + "version": 113 + } + }, + "rule_name": "Microsoft Build Engine Using an Alternate Name", + "sha256": "e5c954ed07e9fd47ada5f8b7e54e8b4a9dbd25bee53943caa9897ffba3703f10", + "type": "eql", + "version": 213 + }, + "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "402957a0efead0143ad51d2e826e9107da5aef344e559d2c85478257a3aa15b0", + "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", "type": "eql", - "version": 210 - }, - "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 313, - "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e", - "type": "new_terms", - "version": 214 - } - }, + "version": 110 + } + }, + "rule_name": "Potential Credential Access via Trusted Developer Utility", + "sha256": "402957a0efead0143ad51d2e826e9107da5aef344e559d2c85478257a3aa15b0", + "type": "eql", + "version": 210 + }, + "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 313, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "11b4fc95052ff2e6c25c718c92d10ff5bfcc0c4e6b2dfce4802d5ff828416772", + "sha256": 
"357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e", "type": "new_terms", - "version": 314 - }, - "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "eb466a234b50a51692e4c5678572f202d8d11c886c5676f92df089866b6613dc", - "type": "eql", - "version": 107 - } - }, + "version": 214 + } + }, + "rule_name": "Microsoft Build Engine Started an Unusual Process", + "sha256": "11b4fc95052ff2e6c25c718c92d10ff5bfcc0c4e6b2dfce4802d5ff828416772", + "type": "new_terms", + "version": 314 + }, + "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "cb223017b8d3219787c5490b16190472e106e9b56b2efb8d0d5e50af116f48d0", - "type": "eql", - "version": 207 - }, - "9d19ece6-c20e-481a-90c5-ccca596537de": { - "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", - "sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8", - "type": "eql", - "version": 106 - }, - "9d302377-d226-4e12-b54c-1906b5aec4f6": { - "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "1c176b99688c3dfffb29f7fd942a5db17890c0e4c8507595266a7ef192f0698c", - "type": "machine_learning", - "version": 104 - }, - "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { - "rule_name": "AWS RDS DB Instance Made Public", - "sha256": "d5b10fa1230219482d9260c9b3abc29a378aad24325e84d344be2fa223a72b04", - "type": "eql", - "version": 2 - }, - "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { - "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079", + "sha256": "eb466a234b50a51692e4c5678572f202d8d11c886c5676f92df089866b6613dc", "type": "eql", - "version": 110 - }, - 
"9f962927-1a4f-45f3-a57b-287f2c7029c1": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 214, - "rule_name": "Potential Credential Access via DCSync", - "sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921", - "type": "eql", - "version": 115 - } - }, + "version": 107 + } + }, + "rule_name": "Process Injection by the Microsoft Build Engine", + "sha256": "cb223017b8d3219787c5490b16190472e106e9b56b2efb8d0d5e50af116f48d0", + "type": "eql", + "version": 207 + }, + "9d19ece6-c20e-481a-90c5-ccca596537de": { + "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", + "sha256": "7320bfb081717b130f02dbd9cf9b41a6d9df14eeb6eadaa18a986b64c7a798f8", + "type": "eql", + "version": 106 + }, + "9d302377-d226-4e12-b54c-1906b5aec4f6": { + "rule_name": "Unusual Linux Process Calling the Metadata Service", + "sha256": "1c176b99688c3dfffb29f7fd942a5db17890c0e4c8507595266a7ef192f0698c", + "type": "machine_learning", + "version": 104 + }, + "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { + "rule_name": "AWS RDS DB Instance Made Public", + "sha256": "d5b10fa1230219482d9260c9b3abc29a378aad24325e84d344be2fa223a72b04", + "type": "eql", + "version": 2 + }, + "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { + "rule_name": "Potential Protocol Tunneling via EarthWorm", + "sha256": "0acdc01e1894806e1b2e1a96df91a299f0324172f6e08fa06b75cb6244675079", + "type": "eql", + "version": 110 + }, + "9f962927-1a4f-45f3-a57b-287f2c7029c1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 214, "rule_name": "Potential Credential Access via DCSync", - "sha256": "42787461cd6ccfd67f8830817f8a5a08ce5c23299a470a46c9b4f09e6db3d307", - "type": "eql", - "version": 215 - }, - "9f9a2a82-93a8-4b1a-8778-1780895626d4": { - "rule_name": "File Permission Modification in Writable Directory", - "sha256": "9c5b42e9d0ce3be94bd99e088bd928d5dd6f6dc750cf9a67b5cb20c6067bdd0b", - "type": "new_terms", - "version": 211 - }, - 
"a00681e3-9ed6-447c-ab2c-be648821c622": { - "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9", - "type": "new_terms", - "version": 312 - }, - "a02cb68e-7c93-48d1-93b2-2c39023308eb": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "A scheduled task was updated", - "sha256": "c135f8efdd7137ef937b19eb29aa4a88640d556690f529620d1c24f6c391ec3f", - "type": "eql", - "version": 9 - } - }, + "sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921", + "type": "eql", + "version": 115 + } + }, + "rule_name": "Potential Credential Access via DCSync", + "sha256": "42787461cd6ccfd67f8830817f8a5a08ce5c23299a470a46c9b4f09e6db3d307", + "type": "eql", + "version": 215 + }, + "9f9a2a82-93a8-4b1a-8778-1780895626d4": { + "rule_name": "File Permission Modification in Writable Directory", + "sha256": "9c5b42e9d0ce3be94bd99e088bd928d5dd6f6dc750cf9a67b5cb20c6067bdd0b", + "type": "new_terms", + "version": 211 + }, + "a00681e3-9ed6-447c-ab2c-be648821c622": { + "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", + "sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9", + "type": "new_terms", + "version": 312 + }, + "a02cb68e-7c93-48d1-93b2-2c39023308eb": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "A scheduled task was updated", - "sha256": "749ba895080051e4aa8e4a2df55b64ca9fb5e99c35767bb1f288e9c07842211f", - "type": "eql", - "version": 109 - }, - "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { - "rule_name": "Potential Privilege Escalation via Python cap_setuid", - "sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3", + "sha256": "c135f8efdd7137ef937b19eb29aa4a88640d556690f529620d1c24f6c391ec3f", "type": "eql", - "version": 3 - }, - "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { - 
"rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93", - "type": "query", - "version": 105 - }, - "a13167f1-eec2-4015-9631-1fee60406dcf": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", - "type": "eql", - "version": 107 - } - }, + "version": 9 + } + }, + "rule_name": "A scheduled task was updated", + "sha256": "749ba895080051e4aa8e4a2df55b64ca9fb5e99c35767bb1f288e9c07842211f", + "type": "eql", + "version": 109 + }, + "a0ddb77b-0318-41f0-91e4-8c1b5528834f": { + "rule_name": "Potential Privilege Escalation via Python cap_setuid", + "sha256": "9771d73d6839772917b03b85707c361b758e7dd2ca3ae4daa997d9f3494564a3", + "type": "eql", + "version": 3 + }, + "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { + "rule_name": "GCP Pub/Sub Topic Creation", + "sha256": "d1f3342fcfc31b466666d2653d511406c8d7118d669a1c5a031be8300152cc93", + "type": "query", + "version": 105 + }, + "a13167f1-eec2-4015-9631-1fee60406dcf": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "539e9bec28c5ba2b0d44bd1a2c646f203f6b4a07abe0fff58707c93fe20a2684", - "type": "eql", - "version": 207 - }, - "a1329140-8de3-4445-9f87-908fb6d824f4": { - "rule_name": "File Deletion via Shred", - "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48", + "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", "type": "eql", - "version": 109 - }, - "a16612dd-b30e-4d41-86a0-ebe70974ec00": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": 
"11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2", - "type": "eql", - "version": 108 - } - }, + "version": 107 + } + }, + "rule_name": "InstallUtil Process Making Network Connections", + "sha256": "539e9bec28c5ba2b0d44bd1a2c646f203f6b4a07abe0fff58707c93fe20a2684", + "type": "eql", + "version": 207 + }, + "a1329140-8de3-4445-9f87-908fb6d824f4": { + "rule_name": "File Deletion via Shred", + "sha256": "7cceb36ddd019047252c9fdd913eef7af8d679620d610af2da4243906b976b48", + "type": "eql", + "version": 109 + }, + "a16612dd-b30e-4d41-86a0-ebe70974ec00": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "cbb9883d7a92a6a590c0f8f1280653d30652d6832ac8209e13d9fd8af07494bc", + "sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2", "type": "eql", - "version": 208 - }, - "a1699af0-8e1e-4ed0-8ec1-89783538a061": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9", - "type": "eql", - "version": 8 - }, - "8.13": { - "max_allowable_version": 207, - "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "a67ae649a271e68ef17b80ec7a1d6cea6f39d80a5dec0803424fba96df9a9024", - "type": "eql", - "version": 108 - } - }, + "version": 108 + } + }, + "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", + "sha256": "cbb9883d7a92a6a590c0f8f1280653d30652d6832ac8209e13d9fd8af07494bc", + "type": "eql", + "version": 208 + }, + "a1699af0-8e1e-4ed0-8ec1-89783538a061": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, "rule_name": "Windows Subsystem for Linux Distribution Installed", - "sha256": "0e7f58671c9058c1194ab7cd3b496010e9aa320e5ca20b4bcc8b196c7fafdb4d", + "sha256": 
"254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9", "type": "eql", - "version": 208 - }, - "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { - "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99", - "type": "query", - "version": 104 - }, - "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { - "rule_name": "My First Rule", - "sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29", - "type": "threshold", - "version": 3 - }, - "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { - "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "93ac22092606053c77aa4f701b17b858a8cae516565cbcfb5a34494b5ade35e3", + "version": 8 + }, + "8.13": { + "max_allowable_version": 207, + "rule_name": "Windows Subsystem for Linux Distribution Installed", + "sha256": "a67ae649a271e68ef17b80ec7a1d6cea6f39d80a5dec0803424fba96df9a9024", "type": "eql", - "version": 109 - }, - "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { - "rule_name": "Linux Group Creation", - "sha256": "93d8a95d1c43dedafd6cece3fab8d0b375e5a15801c84585d037fd2c7f361076", + "version": 108 + } + }, + "rule_name": "Windows Subsystem for Linux Distribution Installed", + "sha256": "0e7f58671c9058c1194ab7cd3b496010e9aa320e5ca20b4bcc8b196c7fafdb4d", + "type": "eql", + "version": 208 + }, + "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { + "rule_name": "GCP Virtual Private Cloud Route Deletion", + "sha256": "5830a379ffe8c72546a1ff07b39d70c6d196815e08f8e584828c81640426aa99", + "type": "query", + "version": 104 + }, + "a198fbbd-9413-45ec-a269-47ae4ccf59ce": { + "rule_name": "My First Rule", + "sha256": "0357b6b5d11fb9734295241301e64ac5a4ad73f8fe8919c4fc846366ddc3aa29", + "type": "threshold", + "version": 3 + }, + "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { + "rule_name": "Potential Reverse Shell Activity via Terminal", + "sha256": "93ac22092606053c77aa4f701b17b858a8cae516565cbcfb5a34494b5ade35e3", + "type": "eql", + "version": 109 + }, + 
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": { + "rule_name": "Linux Group Creation", + "sha256": "93d8a95d1c43dedafd6cece3fab8d0b375e5a15801c84585d037fd2c7f361076", + "type": "eql", + "version": 6 + }, + "a22a09c2-2162-4df0-a356-9aacbeb56a04": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "DNS-over-HTTPS Enabled via Registry", + "sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36", "type": "eql", - "version": 6 - }, - "a22a09c2-2162-4df0-a356-9aacbeb56a04": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "64d63c9fc9cd61923e9f98811c5823a1bb8a27a525a4b54b969fdd7051bb4649", - "type": "eql", - "version": 211 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "ce9a658724c78ad0fb002e88c88c00891614f43d625181cf23e6541447ff4daf", + "sha256": "64d63c9fc9cd61923e9f98811c5823a1bb8a27a525a4b54b969fdd7051bb4649", "type": "eql", - "version": 311 - }, - "a2795334-2499-11ed-9e1a-f661ea17fbce": { - "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", - "sha256": "5398047ac13fd35fd8a4c69163e2abbbb71741b093655d3a18a002c62544c722", - "type": "query", - "version": 108 - }, - "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "PowerShell Mailbox Collection Script", - "sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", - "type": "query", - "version": 9 - } - }, + "version": 211 + } + }, + "rule_name": "DNS-over-HTTPS Enabled via Registry", + 
"sha256": "ce9a658724c78ad0fb002e88c88c00891614f43d625181cf23e6541447ff4daf", + "type": "eql", + "version": 311 + }, + "a22f566b-5b23-4412-880d-c6c957acd321": { + "rule_name": "AWS STS AssumeRole with New MFA Device", + "sha256": "cfb03e9127dfd2a1580d29f64f412173261e28a1c22ca8b51e484f75b870ff8c", + "type": "new_terms", + "version": 1 + }, + "a2795334-2499-11ed-9e1a-f661ea17fbce": { + "rule_name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", + "sha256": "5398047ac13fd35fd8a4c69163e2abbbb71741b093655d3a18a002c62544c722", + "type": "query", + "version": 108 + }, + "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "PowerShell Mailbox Collection Script", - "sha256": "806757feca7a5f09ea78d6c4344a5b4961a51dbbd7c9779b0fa1d3e24e2f4087", + "sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", "type": "query", - "version": 109 - }, - "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Execution via local SxS Shared Module", - "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Execution via local SxS Shared Module", - "sha256": "2084297807278d91612b5ba01c82c2f10551b23506d0009a391feb6f63287dbf", - "type": "eql", - "version": 208 - } - }, + "version": 9 + } + }, + "rule_name": "PowerShell Mailbox Collection Script", + "sha256": "806757feca7a5f09ea78d6c4344a5b4961a51dbbd7c9779b0fa1d3e24e2f4087", + "type": "query", + "version": 109 + }, + "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Execution via local SxS Shared Module", - "sha256": "1bb9e2021e6b0db51906eb89a0556e7513a62b080972cf61ad4b7dd2a7f01e2a", - "type": 
"eql", - "version": 308 - }, - "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { - "rule_name": "AWS EC2 Instance Interaction with IAM Service", - "sha256": "9e4af5cbfc36dcf4ab18a58a55f1d842bdf17984c316634858daba91f4a597e8", + "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", "type": "eql", - "version": 1 - }, - "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { - "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "286b04230e047bb8f027f8d352ff9cf1d299235a13c6cac5631f289389314181", - "type": "eql", - "version": 109 - }, - "a4ec1382-4557-452b-89ba-e413b22ed4b8": { - "rule_name": "Network Connection via Mshta", - "sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17", + "version": 108 + }, + "8.13": { + "max_allowable_version": 307, + "rule_name": "Execution via local SxS Shared Module", + "sha256": "2084297807278d91612b5ba01c82c2f10551b23506d0009a391feb6f63287dbf", "type": "eql", - "version": 100 - }, - "a52a9439-d52c-401c-be37-2785235c6547": { - "rule_name": "Netcat Listener Established Inside A Container", - "sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146", + "version": 208 + } + }, + "rule_name": "Execution via local SxS Shared Module", + "sha256": "1bb9e2021e6b0db51906eb89a0556e7513a62b080972cf61ad4b7dd2a7f01e2a", + "type": "eql", + "version": 308 + }, + "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1": { + "rule_name": "AWS EC2 Instance Interaction with IAM Service", + "sha256": "17e90233a68416b545e9ec60b945d558eea63b417eebcda8d046984ca667b87c", + "type": "eql", + "version": 2 + }, + "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { + "rule_name": "Windows Registry File Creation in SMB Share", + "sha256": "286b04230e047bb8f027f8d352ff9cf1d299235a13c6cac5631f289389314181", + "type": "eql", + "version": 109 + }, + "a4ec1382-4557-452b-89ba-e413b22ed4b8": { + "rule_name": "Network Connection via Mshta", + "sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17", + "type": "eql", + 
"version": 100 + }, + "a52a9439-d52c-401c-be37-2785235c6547": { + "rule_name": "Netcat Listener Established Inside A Container", + "sha256": "8f9886fc92a4c69f14005790f8fdaab0b79bfd94930a6aaadc156c7b8a78e146", + "type": "eql", + "version": 2 + }, + "a577e524-c2ee-47bd-9c5b-e917d01d3276": { + "rule_name": "CAP_SYS_ADMIN Assigned to Binary", + "sha256": "00f42d57112c89636c565a010538b148ea16560e48c7e77209ae4aea7966ac84", + "type": "new_terms", + "version": 2 + }, + "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { + "rule_name": "Potential Reverse Shell via UDP", + "sha256": "107d9dba2ad9b03f457311eef2f1d29f5c30f692db76b52c0ecb7ad90cb1bba0", + "type": "eql", + "version": 7 + }, + "a5f0d057-d540-44f5-924d-c6a2ae92f045": { + "rule_name": "Potential SSH Brute Force Detected on Privileged Account", + "sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22", + "type": "eql", + "version": 5 + }, + "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { + "rule_name": "AWS IAM Assume Role Policy Update", + "sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df", + "type": "query", + "version": 209 + }, + "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { + "rule_name": "Azure Active Directory PowerShell Sign-in", + "sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372", + "type": "query", + "version": 105 + }, + "a61809f3-fb5b-465c-8bff-23a8a068ac60": { + "rule_name": "Threat Intel Windows Registry Indicator Match", + "sha256": "911df9a41bce872a7cd60687c487a8d1b6d05ca3e4c2748968cefb7fdc63f3b3", + "type": "threat_match", + "version": 7 + }, + "a624863f-a70d-417f-a7d2-7a404638d47f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Suspicious MS Office Child Process", + "sha256": "3c33d3c17dd17722da2beb479065e86e20568514289f6b08fa02d682146ad1ed", "type": "eql", - "version": 2 - }, - "a577e524-c2ee-47bd-9c5b-e917d01d3276": { - "rule_name": "CAP_SYS_ADMIN Assigned to Binary", - "sha256": 
"00f42d57112c89636c565a010538b148ea16560e48c7e77209ae4aea7966ac84", - "type": "new_terms", - "version": 2 - }, - "a5eb21b7-13cc-4b94-9fe2-29bb2914e037": { - "rule_name": "Potential Reverse Shell via UDP", - "sha256": "107d9dba2ad9b03f457311eef2f1d29f5c30f692db76b52c0ecb7ad90cb1bba0", + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Suspicious MS Office Child Process", + "sha256": "588a86512ac13842f4f3b0dfcf78a653ee96c402aca625c9db1f793666c9479d", "type": "eql", - "version": 7 - }, - "a5f0d057-d540-44f5-924d-c6a2ae92f045": { - "rule_name": "Potential SSH Brute Force Detected on Privileged Account", - "sha256": "38d14b033e79ccc9d9cf97555e15e5132aaa6d8ca72e05d65885ee7bcc2feb22", + "version": 213 + } + }, + "rule_name": "Suspicious MS Office Child Process", + "sha256": "df103b761567aa84a163bf20bed5e548a1a13df931fa93006532bb57e57af65b", + "type": "eql", + "version": 314 + }, + "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { + "rule_name": "AWS S3 Bucket Server Access Logging Disabled", + "sha256": "468acf9925b683cd43a8c9d55cff0117071c66f66e7c1a1dfe43b164b6cb22a2", + "type": "eql", + "version": 1 + }, + "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { + "rule_name": "Emond Rules Creation or Modification", + "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287", + "type": "eql", + "version": 107 + }, + "a74c60cb-70ee-4629-a127-608ead14ebf1": { + "rule_name": "High Mean of RDP Session Duration", + "sha256": "55ef145cde18d6c08b01ce4ece7f4903351d9bdd131a8453002647a668aaa5c4", + "type": "machine_learning", + "version": 4 + }, + "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { + "rule_name": "Suspicious Print Spooler SPL File Created", + "sha256": "96b2fcbc3924d11fc9c3eed38fc768bf6f97bfe8fe667f084d210769af057164", + "type": "eql", + "version": 113 + }, + "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Credential Acquisition via Registry Hive 
Dumping", + "sha256": "065a55514fdc9035ad658a5e591fa4c6fa510746aa52a1f262714061676b6d4d", "type": "eql", - "version": 5 - }, - "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { - "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "232deeb70c03fe09805ae4aedeb77133435af63645bd9833c8d0b945b1f950df", - "type": "query", - "version": 209 - }, - "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { - "rule_name": "Azure Active Directory PowerShell Sign-in", - "sha256": "d50d23ae4c7359047320934418d1041ff10666e02a6ed8bc287366745ae74372", - "type": "query", - "version": 105 - }, - "a61809f3-fb5b-465c-8bff-23a8a068ac60": { - "rule_name": "Threat Intel Windows Registry Indicator Match", - "sha256": "911df9a41bce872a7cd60687c487a8d1b6d05ca3e4c2748968cefb7fdc63f3b3", - "type": "threat_match", - "version": 7 - }, - "a624863f-a70d-417f-a7d2-7a404638d47f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Suspicious MS Office Child Process", - "sha256": "3c33d3c17dd17722da2beb479065e86e20568514289f6b08fa02d682146ad1ed", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious MS Office Child Process", - "sha256": "588a86512ac13842f4f3b0dfcf78a653ee96c402aca625c9db1f793666c9479d", - "type": "eql", - "version": 213 - } - }, - "rule_name": "Suspicious MS Office Child Process", - "sha256": "cf764c28bca15ca56fd0279865cdd2ef349c7dc4fcc6dc872b0bf76342e575fe", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Credential Acquisition via Registry Hive Dumping", + "sha256": "c96159806a102e910abdca6cdd017afdce8fcae45e565867bbd1f7b43abc431b", "type": "eql", - "version": 313 - }, - "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { - "rule_name": "AWS S3 Bucket Server Access Logging Disabled", - "sha256": "468acf9925b683cd43a8c9d55cff0117071c66f66e7c1a1dfe43b164b6cb22a2", + "version": 211 + } + }, + "rule_name": "Credential Acquisition via Registry Hive Dumping", + 
"sha256": "4aaa0273cb33a2b9fccdcc176011775da2bcc37db98deab6d7b0fb2b9792a8b3", + "type": "eql", + "version": 312 + }, + "a80d96cd-1164-41b3-9852-ef58724be496": { + "rule_name": "Privileged Docker Container Creation", + "sha256": "5550f7f742c87f9bd39c1e4db8db24caee9b67540120dacf5f7b201023626f25", + "type": "new_terms", + "version": 2 + }, + "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { + "rule_name": "Entra ID Device Code Auth with Broker Client", + "sha256": "1cf36e99756517a71c3c4daeef8d7ed86213399d94ede19cb11a01ad05ef7323", + "type": "query", + "version": 1 + }, + "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { + "rule_name": "Web Application Suspicious Activity: POST Request Declined", + "sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88", + "type": "query", + "version": 102 + }, + "a8aaa49d-9834-462d-bf8f-b1255cebc004": { + "rule_name": "Authentication via Unusual PAM Grantor", + "sha256": "60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a", + "type": "new_terms", + "version": 1 + }, + "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { + "rule_name": "Suspicious File Downloaded from Google Drive", + "sha256": "41c537740053f42fad23d5168744e96453f28557cccc97585c0f976a10ef5178", + "type": "eql", + "version": 4 + }, + "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { + "rule_name": "High Variance in RDP Session Duration", + "sha256": "f40d918cd70e374c3ea932e1a3b6c14fe1d4bea3bc082607586e660708225c9f", + "type": "machine_learning", + "version": 4 + }, + "a9198571-b135-4a76-b055-e3e5a476fd83": { + "rule_name": "Hex Encoding/Decoding Activity", + "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf", + "type": "query", + "version": 100 + }, + "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { + "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", + "type": "query", + "version": 206 + }, + "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { + "rule_name": "Google 
Workspace Password Policy Modified", + "sha256": "bfd3c37297fa730a13e90c0a7714caceda0b1c853fb40bf1f0137aa00f77bbe0", + "type": "query", + "version": 206 + }, + "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, + "rule_name": "Persistence via Hidden Run Key Detected", + "sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d", "type": "eql", - "version": 1 - }, - "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { - "rule_name": "Emond Rules Creation or Modification", - "sha256": "279439946377684a1551b3d271e82b7225b1323b970f0e63c7a12fc2ba805287", + "version": 109 + } + }, + "rule_name": "Persistence via Hidden Run Key Detected", + "sha256": "4687afae3e7472fed3b420f99cd3124158312bfbab94cd1f7303fda1d1a139bd", + "type": "eql", + "version": 209 + }, + "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { + "rule_name": "IPSEC NAT Traversal Port Activity", + "sha256": "f6ceb7d4ece3477e49b056e9dd3e833f999b2eee034004d015ed34cab40f8df5", + "type": "query", + "version": 105 + }, + "aa8007f0-d1df-49ef-8520-407857594827": { + "rule_name": "GCP IAM Custom Role Creation", + "sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f", + "type": "query", + "version": 104 + }, + "aa895aea-b69c-4411-b110-8d7599634b30": { + "rule_name": "System Log File Deletion", + "sha256": "caebd910311dc1b958558375bcae2a9bd22b4ef344988046c43684e838d9d350", + "type": "eql", + "version": 112 + }, + "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Remotely Started Services via RPC", + "sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0", "type": "eql", - "version": 107 - }, - "a74c60cb-70ee-4629-a127-608ead14ebf1": { - "rule_name": "High Mean of RDP Session Duration", - "sha256": "55ef145cde18d6c08b01ce4ece7f4903351d9bdd131a8453002647a668aaa5c4", + "version": 113 + } + }, + 
"rule_name": "Remotely Started Services via RPC", + "sha256": "3bca920a328d271bc638274d9265324896cb1635894bb09d8c7628ee499617d2", + "type": "eql", + "version": 213 + }, + "aaab30ec-b004-4191-95e1-4a14387ef6a6": { + "rule_name": "Veeam Backup Library Loaded by Unusual Process", + "sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3", + "type": "eql", + "version": 2 + }, + "aab184d3-72b3-4639-b242-6597c99d8bca": { + "rule_name": "Threat Intel Hash Indicator Match", + "sha256": "e1161667047c076c8d8e436e3ce9b940a7089c5cf8587b557f3b3b52119d231a", + "type": "threat_match", + "version": 8 + }, + "ab75c24b-2502-43a0-bf7c-e60e662c811e": { + "rule_name": "Remote Execution via File Shares", + "sha256": "93c49db43b03637f2c1d053b9f5ebcbd2776f483fe824854fae2ace948d956dd", + "type": "eql", + "version": 114 + }, + "ab8f074c-5565-4bc4-991c-d49770e19fc9": { + "min_stack_version": "8.13", + "rule_name": "AWS S3 Object Encryption Using External KMS Key", + "sha256": "3aff4d1d49850118022efab0afa8765485da6c1fdc1d96b20d05fca3803b18f0", + "type": "esql", + "version": 2 + }, + "abae61a8-c560-4dbd-acca-1e1438bff36b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, + "rule_name": "Unusual Windows Process Calling the Metadata Service", + "sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676", "type": "machine_learning", - "version": 4 - }, - "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { - "rule_name": "Suspicious Print Spooler SPL File Created", - "sha256": "96b2fcbc3924d11fc9c3eed38fc768bf6f97bfe8fe667f084d210769af057164", + "version": 106 + } + }, + "rule_name": "Unusual Windows Process Calling the Metadata Service", + "sha256": "41d9773b53e26197a39fa675ffa40d07b17987dd304c38336693138b0222111c", + "type": "machine_learning", + "version": 206 + }, + "ac412404-57a5-476f-858f-4e8fbb4f48d8": { + "rule_name": "Potential Persistence via Login Hook", + "sha256": 
"c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9", + "type": "query", + "version": 108 + }, + "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, + "rule_name": "Suspicious WerFault Child Process", + "sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10", "type": "eql", "version": 113 - }, - "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "065a55514fdc9035ad658a5e591fa4c6fa510746aa52a1f262714061676b6d4d", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "c96159806a102e910abdca6cdd017afdce8fcae45e565867bbd1f7b43abc431b", - "type": "eql", - "version": 211 - } - }, - "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "c470f250161ea743a21347b40601ded8dc3f080f6906ddfb655cb4e3c2dcfd26", - "type": "eql", - "version": 311 - }, - "a80d96cd-1164-41b3-9852-ef58724be496": { - "rule_name": "Privileged Docker Container Creation", - "sha256": "71a69d4b84ccadbd7640c534e386e6eb4f86321b6bc43973d840f1a936706df4", - "type": "new_terms", - "version": 1 - }, - "a83b3dac-325a-11ef-b3e6-f661ea17fbce": { - "rule_name": "Entra ID Device Code Auth with Broker Client", - "sha256": "1cf36e99756517a71c3c4daeef8d7ed86213399d94ede19cb11a01ad05ef7323", - "type": "query", - "version": 1 - }, - "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { - "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": "ebfc9e780da093a1ff6bd51cae7eafadee5cf30f6044a85add7779f17d924a88", - "type": "query", - "version": 102 - }, - "a8aaa49d-9834-462d-bf8f-b1255cebc004": { - "rule_name": "Authentication via Unusual PAM Grantor", - "sha256": 
"60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a", - "type": "new_terms", - "version": 1 - }, - "a8afdce2-0ec1-11ee-b843-f661ea17fbcd": { - "rule_name": "Suspicious File Downloaded from Google Drive", - "sha256": "41c537740053f42fad23d5168744e96453f28557cccc97585c0f976a10ef5178", - "type": "eql", - "version": 4 - }, - "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { - "rule_name": "High Variance in RDP Session Duration", - "sha256": "f40d918cd70e374c3ea932e1a3b6c14fe1d4bea3bc082607586e660708225c9f", - "type": "machine_learning", - "version": 4 - }, - "a9198571-b135-4a76-b055-e3e5a476fd83": { - "rule_name": "Hex Encoding/Decoding Activity", - "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf", - "type": "query", - "version": 100 - }, - "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { - "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "3d299427823ca14b62de2ac6ceb1e378df0601897aea618d82aaf2ac27a5b9e2", - "type": "query", - "version": 206 - }, - "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { - "rule_name": "Google Workspace Password Policy Modified", - "sha256": "bfd3c37297fa730a13e90c0a7714caceda0b1c853fb40bf1f0137aa00f77bbe0", - "type": "query", - "version": 206 - }, - "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d", - "type": "eql", - "version": 109 - } - }, - "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "4687afae3e7472fed3b420f99cd3124158312bfbab94cd1f7303fda1d1a139bd", - "type": "eql", - "version": 209 - }, - "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { - "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "f6ceb7d4ece3477e49b056e9dd3e833f999b2eee034004d015ed34cab40f8df5", - "type": "query", - "version": 105 - }, - "aa8007f0-d1df-49ef-8520-407857594827": { - 
"rule_name": "GCP IAM Custom Role Creation", - "sha256": "46fafcee6069a185beb2d0fc77d3f39e53b9ec3412f9afdef0e7b642b48e296f", - "type": "query", - "version": 104 - }, - "aa895aea-b69c-4411-b110-8d7599634b30": { - "rule_name": "System Log File Deletion", - "sha256": "caebd910311dc1b958558375bcae2a9bd22b4ef344988046c43684e838d9d350", - "type": "eql", - "version": 112 - }, - "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Remotely Started Services via RPC", - "sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0", - "type": "eql", - "version": 113 - } - }, - "rule_name": "Remotely Started Services via RPC", - "sha256": "3bca920a328d271bc638274d9265324896cb1635894bb09d8c7628ee499617d2", - "type": "eql", - "version": 213 - }, - "aaab30ec-b004-4191-95e1-4a14387ef6a6": { - "rule_name": "Veeam Backup Library Loaded by Unusual Process", - "sha256": "fae7ffc9ed0b702935ff7bccd87d6ddec3d54d21ce22d4aedb1cbb41d4e584c3", - "type": "eql", - "version": 2 - }, - "aab184d3-72b3-4639-b242-6597c99d8bca": { - "rule_name": "Threat Intel Hash Indicator Match", - "sha256": "e1161667047c076c8d8e436e3ce9b940a7089c5cf8587b557f3b3b52119d231a", - "type": "threat_match", - "version": 8 - }, - "ab75c24b-2502-43a0-bf7c-e60e662c811e": { - "rule_name": "Remote Execution via File Shares", - "sha256": "93c49db43b03637f2c1d053b9f5ebcbd2776f483fe824854fae2ace948d956dd", - "type": "eql", - "version": 114 - }, - "ab8f074c-5565-4bc4-991c-d49770e19fc9": { - "min_stack_version": "8.13", - "rule_name": "AWS S3 Object Encryption Using External KMS Key", - "sha256": "3aff4d1d49850118022efab0afa8765485da6c1fdc1d96b20d05fca3803b18f0", - "type": "esql", - "version": 2 - }, - "abae61a8-c560-4dbd-acca-1e1438bff36b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": 
"e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676", - "type": "machine_learning", - "version": 106 - } - }, - "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "41d9773b53e26197a39fa675ffa40d07b17987dd304c38336693138b0222111c", - "type": "machine_learning", - "version": 206 - }, - "ac412404-57a5-476f-858f-4e8fbb4f48d8": { - "rule_name": "Potential Persistence via Login Hook", - "sha256": "c757a8d19345f645690ffb8634527ad84b35d0195fe82d9ca81ccf57eaf2eef9", - "type": "query", - "version": 108 - }, - "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 414, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "c1b3b8d2072d918930efe998f724cf12942ee022c135971e24778f2c1821eb4f", - "type": "eql", - "version": 315 - } - }, + }, + "8.13": { + "max_allowable_version": 414, "rule_name": "Suspicious WerFault Child Process", - "sha256": "cf59420deb50d843084ffc3320ad39588acb649e55c3c0eb12c54b1d52a3b4aa", + "sha256": "c1b3b8d2072d918930efe998f724cf12942ee022c135971e24778f2c1821eb4f", "type": "eql", - "version": 415 - }, - "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { - "rule_name": "Git Hook Created or Modified", - "sha256": "baf94c030f8649e89628d8d83f0e90cfebbb67da5b711c8a8c4063d48a01cd64", + "version": 315 + } + }, + "rule_name": "Suspicious WerFault Child Process", + "sha256": "cf59420deb50d843084ffc3320ad39588acb649e55c3c0eb12c54b1d52a3b4aa", + "type": "eql", + "version": 415 + }, + "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { + "rule_name": "Git Hook Created or Modified", + "sha256": "baf94c030f8649e89628d8d83f0e90cfebbb67da5b711c8a8c4063d48a01cd64", + "type": "eql", + "version": 3 + }, + "ac5a2759-5c34-440a-b0c4-51fe674611d6": { + 
"min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, + "rule_name": "Outlook Home Page Registry Modification", + "sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83", "type": "eql", - "version": 3 - }, - "ac5a2759-5c34-440a-b0c4-51fe674611d6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Outlook Home Page Registry Modification", - "sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83", - "type": "eql", - "version": 1 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Outlook Home Page Registry Modification", - "sha256": "1adad2fbaac61dd3b02e58f8271efb1177aadfc906d7c20a2a30ce2f984ae27d", - "type": "eql", - "version": 101 - } - }, + "version": 1 + }, + "8.13": { + "max_allowable_version": 200, "rule_name": "Outlook Home Page Registry Modification", - "sha256": "02cd6bf4e2e371ef2e60d5a1df762ee51868c135ad78304ce723d27a91a4c7f2", - "type": "eql", - "version": 201 - }, - "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "006e257e7f3f415df5102ead250e9554e6755e192771f58bdab3c554075b7ae5", - "type": "eql", - "version": 1 - } - }, - "rule_name": "WPS Office Exploitation via DLL Hijack", - "sha256": "ffe2ee7667dba6c6d5b6c0f2e759bd20739ce00b74f2ff55cfa78eaac5c6167a", + "sha256": "1adad2fbaac61dd3b02e58f8271efb1177aadfc906d7c20a2a30ce2f984ae27d", "type": "eql", "version": 101 - }, - "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { - "rule_name": "Unusual AWS Command for a User", - "sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee", - "type": "machine_learning", - "version": 209 - }, - "ac8805f6-1e08-406c-962e-3937057fa86f": { - "rule_name": "Potential Protocol Tunneling via Chisel Server", - "sha256": 
"be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9", + } + }, + "rule_name": "Outlook Home Page Registry Modification", + "sha256": "02cd6bf4e2e371ef2e60d5a1df762ee51868c135ad78304ce723d27a91a4c7f2", + "type": "eql", + "version": 201 + }, + "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, + "rule_name": "WPS Office Exploitation via DLL Hijack", + "sha256": "006e257e7f3f415df5102ead250e9554e6755e192771f58bdab3c554075b7ae5", "type": "eql", - "version": 6 - }, - "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", - "type": "query", - "version": 110 - } - }, + "version": 1 + } + }, + "rule_name": "WPS Office Exploitation via DLL Hijack", + "sha256": "ffe2ee7667dba6c6d5b6c0f2e759bd20739ce00b74f2ff55cfa78eaac5c6167a", + "type": "eql", + "version": 101 + }, + "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { + "rule_name": "Unusual AWS Command for a User", + "sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee", + "type": "machine_learning", + "version": 209 + }, + "ac8805f6-1e08-406c-962e-3937057fa86f": { + "rule_name": "Potential Protocol Tunneling via Chisel Server", + "sha256": "be005130100c74d62f0ae093ffaceedaf8ea816f88d721e2dd68dbaca2bd46c9", + "type": "eql", + "version": 6 + }, + "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "b419d7a1beb994f9b021b2477fb9df633c75879e1523c5d9042f5f83dc1f98e0", - "type": "query", - "version": 210 - }, - "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { - "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", - "sha256": 
"1afdb4a51d22e7bbfd7e65b403f94fe84c4d5a15c4e64cf97eba18131439801e", + "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", "type": "query", - "version": 207 - }, - "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { - "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924", + "version": 110 + } + }, + "rule_name": "Potential Invoke-Mimikatz PowerShell Script", + "sha256": "b419d7a1beb994f9b021b2477fb9df633c75879e1523c5d9042f5f83dc1f98e0", + "type": "query", + "version": 210 + }, + "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { + "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation", + "sha256": "1afdb4a51d22e7bbfd7e65b403f94fe84c4d5a15c4e64cf97eba18131439801e", + "type": "query", + "version": 207 + }, + "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { + "rule_name": "Potential Command and Control via Internet Explorer", + "sha256": "4e05c9f350a2bf4380ddc180a068d6803b859a53e35e93b341397855f28c5924", + "type": "eql", + "version": 106 + }, + "ace1e989-a541-44df-93a8-a8b0591b63c0": { + "rule_name": "Potential macOS SSH Brute Force Detected", + "sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9", + "type": "threshold", + "version": 108 + }, + "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, + "rule_name": "Suspicious Managed Code Hosting Process", + "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", "type": "eql", - "version": 106 - }, - "ace1e989-a541-44df-93a8-a8b0591b63c0": { - "rule_name": "Potential macOS SSH Brute Force Detected", - "sha256": "95cd29a163e6b0b1ffbed68a23beef7033446cdbce973aa1bac75d9a31a944d9", - "type": "threshold", "version": 108 - }, - "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Suspicious 
Managed Code Hosting Process", - "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "6bedea5ed62553b3faee7de59fc7d5379a82ec9a852980276971dc29d0c0b345", - "type": "eql", - "version": 208 - } - }, + }, + "8.13": { + "max_allowable_version": 307, "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "97248131408cd3ee890ffcfbdeaef327f2375548dbee3818f33ed2834af7156c", - "type": "eql", - "version": 308 - }, - "ad0d2742-9a49-11ec-8d6b-acde48001122": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "810a8c957958d6e605deb047daa6566df4f3fc373fd5b47f4840489c8b1d76d4", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "be076a1dbd4f050fe7d76ce1b43d766bf6de4de026ea97dc7ed5bf45358d73cb", - "type": "eql", - "version": 209 - } - }, + "sha256": "6bedea5ed62553b3faee7de59fc7d5379a82ec9a852980276971dc29d0c0b345", + "type": "eql", + "version": 208 + } + }, + "rule_name": "Suspicious Managed Code Hosting Process", + "sha256": "de021f1c7c7f774f5ae581c5a8dcf13e91eaa358742311cabddc983f8bd428e0", + "type": "eql", + "version": 309 + }, + "ad0d2742-9a49-11ec-8d6b-acde48001122": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "68fc80f6136320b3f563fe9b81f8a323dbfd2055d7c5b2c9bda66e910371e4ce", + "sha256": "810a8c957958d6e605deb047daa6566df4f3fc373fd5b47f4840489c8b1d76d4", "type": "eql", - "version": 309 - }, - "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { - "rule_name": "Proxy Port Activity to the Internet", - "sha256": 
"b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10", - "type": "query", - "version": 100 - }, - "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { - "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "6bf9bd74edf549ebf03a9335f3167e0a4f85aaeebdec0d566acfdbc16dd047c0", - "type": "query", - "version": 206 - }, - "ad5a3757-c872-4719-8c72-12d3f08db655": { - "rule_name": "Openssl Client or Server Activity", - "sha256": "5535a4f110cc1281d1ad303fd5f73ab8f18de03b4f7055194c5f86cb79cef0ce", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Signed Proxy Execution via MS Work Folders", + "sha256": "be076a1dbd4f050fe7d76ce1b43d766bf6de4de026ea97dc7ed5bf45358d73cb", "type": "eql", - "version": 2 - }, - "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", - "type": "query", - "version": 112 - } - }, + "version": 209 + } + }, + "rule_name": "Signed Proxy Execution via MS Work Folders", + "sha256": "c1a7cd36ec3ec749ea82e4039eaf388f2e5733806e0aa2d62166f97dbeeeda22", + "type": "eql", + "version": 310 + }, + "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { + "rule_name": "Proxy Port Activity to the Internet", + "sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10", + "type": "query", + "version": 100 + }, + "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { + "rule_name": "Google Workspace Custom Admin Role Created", + "sha256": "6bf9bd74edf549ebf03a9335f3167e0a4f85aaeebdec0d566acfdbc16dd047c0", + "type": "query", + "version": 206 + }, + "ad5a3757-c872-4719-8c72-12d3f08db655": { + "rule_name": "Openssl Client or Server Activity", + "sha256": "5535a4f110cc1281d1ad303fd5f73ab8f18de03b4f7055194c5f86cb79cef0ce", + "type": "eql", + "version": 2 + }, + "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { 
+ "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "23c56aed37124f4d42a7e066da164226be49cc33c8358d269cb23b54daa61b9b", - "type": "query", - "version": 212 - }, - "ad88231f-e2ab-491c-8fc6-64746da26cfe": { - "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6", + "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", "type": "query", - "version": 106 - }, - "ad959eeb-2b7b-4722-ba08-a45f6622f005": { - "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "4cbd3476d128aad590e86079b7e07f0db490326f4339fd74b5c8b596bee4bc0a", - "type": "eql", - "version": 4 - }, - "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { - "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", - "type": "eql", - "version": 110 - }, - "adbfa3ee-777e-4747-b6b0-7bd645f30880": { - "rule_name": "Suspicious Communication App Child Process", - "sha256": "e8cf6343472cdfd3a91baaa7aed30214af872b0b163555edc8908ffd5d89a675", - "type": "eql", - "version": 5 - }, - "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { - "rule_name": "Suspicious File Creation via Kworker", - "sha256": "a932bb2a7c777540aee96e3bd9ed937cff8e801ad0e9351bd907f5111f8a94c6", + "version": 112 + } + }, + "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", + "sha256": "23c56aed37124f4d42a7e066da164226be49cc33c8358d269cb23b54daa61b9b", + "type": "query", + "version": 212 + }, + "ad88231f-e2ab-491c-8fc6-64746da26cfe": { + "rule_name": "Kerberos Cached Credentials Dumping", + "sha256": "b487d846e3b3cce77ab546dffaa06a50544f53ec03293a3bf6ef529123497ae6", + "type": "query", + "version": 106 + }, + "ad959eeb-2b7b-4722-ba08-a45f6622f005": { + "rule_name": "Suspicious APT Package Manager Execution", + "sha256": 
"4cbd3476d128aad590e86079b7e07f0db490326f4339fd74b5c8b596bee4bc0a", + "type": "eql", + "version": 4 + }, + "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { + "rule_name": "File Transfer or Listener Established via Netcat", + "sha256": "f27e0f720407692607f6eb75d893c29b6331360fec5838edbff6739eea960584", + "type": "eql", + "version": 110 + }, + "adbfa3ee-777e-4747-b6b0-7bd645f30880": { + "rule_name": "Suspicious Communication App Child Process", + "sha256": "e8cf6343472cdfd3a91baaa7aed30214af872b0b163555edc8908ffd5d89a675", + "type": "eql", + "version": 5 + }, + "ae343298-97bc-47bc-9ea2-5f2ad831c16e": { + "rule_name": "Suspicious File Creation via Kworker", + "sha256": "a932bb2a7c777540aee96e3bd9ed937cff8e801ad0e9351bd907f5111f8a94c6", + "type": "eql", + "version": 5 + }, + "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", + "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", "type": "eql", "version": 5 - }, - "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", - "type": "eql", - "version": 5 - }, - "8.13": { - "max_allowable_version": 204, - "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "bc36274c731c5231be458f7c7b13cbefb5bbe0dba08f745f6d3a65c6f02bbbf6", - "type": "eql", - "version": 105 - } - }, + }, + "8.13": { + "max_allowable_version": 204, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", - "sha256": "8b17583a4547a22fa32e210797078688b3ea53cdd67f93494107cbc65d3e69ab", - "type": "eql", - "version": 205 - }, - "aebaa51f-2a91-4f6a-850b-b601db2293f4": { - "rule_name": "Shared Object Created or Changed by Previously Unknown 
Process", - "sha256": "e0f82917421c7696991e4560a68459553d9372473b32461c5f4dfefc5ad1c98a", - "type": "new_terms", - "version": 9 - }, - "afa135c0-a365-43ab-aa35-fd86df314a47": { - "rule_name": "Unusual User Privilege Enumeration via id", - "sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123", + "sha256": "bc36274c731c5231be458f7c7b13cbefb5bbe0dba08f745f6d3a65c6f02bbbf6", "type": "eql", - "version": 4 - }, - "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Local Scheduled Task Creation", - "sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0", - "type": "eql", - "version": 108 - } - }, + "version": 105 + } + }, + "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", + "sha256": "8b17583a4547a22fa32e210797078688b3ea53cdd67f93494107cbc65d3e69ab", + "type": "eql", + "version": 205 + }, + "aebaa51f-2a91-4f6a-850b-b601db2293f4": { + "rule_name": "Shared Object Created or Changed by Previously Unknown Process", + "sha256": "e0f82917421c7696991e4560a68459553d9372473b32461c5f4dfefc5ad1c98a", + "type": "new_terms", + "version": 9 + }, + "af22d970-7106-45b4-b5e3-460d15333727": { + "rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol", + "sha256": "cb2725c021473f600c5a345ec6f8d3ff117b7ed72f2b96bd4e98d625edcfc640", + "type": "new_terms", + "version": 1 + }, + "afa135c0-a365-43ab-aa35-fd86df314a47": { + "rule_name": "Unusual User Privilege Enumeration via id", + "sha256": "bd4da735535155bf2aaee82b58ad81ff85b1d638c319cf8afe1df6d4bd616123", + "type": "eql", + "version": 4 + }, + "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Local Scheduled Task Creation", - "sha256": "866c1232689b9c39d30a1a03948c4544423e632af7fc8b8b42c69e4a88ca637c", - "type": "eql", - "version": 208 - }, - 
"afd04601-12fc-4149-9b78-9c3f8fe45d39": { - "rule_name": "Network Activity Detected via cat", - "sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6", - "type": "eql", - "version": 6 - }, - "afe6b0eb-dd9d-4922-b08a-1910124d524d": { - "rule_name": "Potential Privilege Escalation via Container Misconfiguration", - "sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19", + "sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0", "type": "eql", - "version": 5 - }, - "b0046934-486e-462f-9487-0d4cf9e429c6": { - "rule_name": "Timestomping using Touch Command", - "sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4", - "type": "eql", - "version": 106 - }, - "b00bcd89-000c-4425-b94c-716ef67762f6": { - "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f", - "type": "query", - "version": 106 - }, - "b0638186-4f12-48ac-83d2-47e686d08e82": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Netsh Helper DLL", - "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Netsh Helper DLL", - "sha256": "12a75647b89fa1a4bbc61d7654d7f62e6c69fd20f55ad24ff83e672bbb8ca97d", - "type": "eql", - "version": 102 - } - }, + "version": 108 + } + }, + "rule_name": "Local Scheduled Task Creation", + "sha256": "866c1232689b9c39d30a1a03948c4544423e632af7fc8b8b42c69e4a88ca637c", + "type": "eql", + "version": 208 + }, + "afd04601-12fc-4149-9b78-9c3f8fe45d39": { + "rule_name": "Network Activity Detected via cat", + "sha256": "61ed9cf042140481d4d3863f69481333d94ea25e480a8ddd95a5e38cd2fcacb6", + "type": "eql", + "version": 6 + }, + "afe6b0eb-dd9d-4922-b08a-1910124d524d": { + "rule_name": "Potential Privilege Escalation via Container Misconfiguration", + 
"sha256": "934babb371893cc423e2cc180a7b9c4e145c3477e29880463dee746c5b419b19", + "type": "eql", + "version": 5 + }, + "b0046934-486e-462f-9487-0d4cf9e429c6": { + "rule_name": "Timestomping using Touch Command", + "sha256": "b076ae4e19a317fab6eb05472220dd936a4a3ea6852be8a783f28615c9f21de4", + "type": "eql", + "version": 106 + }, + "b00bcd89-000c-4425-b94c-716ef67762f6": { + "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", + "sha256": "5a871527957ab53227a0f5f906053deded0b332d6195c3e6cfbe9622601b646f", + "type": "query", + "version": 106 + }, + "b0638186-4f12-48ac-83d2-47e686d08e82": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, "rule_name": "Netsh Helper DLL", - "sha256": "54f00272d79b87fe262ae02033486e748e84d4ab22a02b091b094c3cb456d4d5", + "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", "type": "eql", - "version": 202 - }, - "b1773d05-f349-45fb-9850-287b8f92f02d": { - "min_stack_version": "8.13", - "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", - "sha256": "2cb4a1af62c34bdc871fd3012417ff9685bdb6c1e8f410c1ed773f8c3845929b", - "type": "esql", "version": 2 - }, - "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { - "rule_name": "Potential Persistence via Cron Job", - "sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed", - "type": "query", - "version": 100 - }, - "b2318c71-5959-469a-a3ce-3a0768e63b9c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "Potential Network Share Discovery", - "sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c", - "type": "eql", - "version": 6 - } - }, + }, + "8.13": { + "max_allowable_version": 201, + "rule_name": "Netsh Helper DLL", + "sha256": "12a75647b89fa1a4bbc61d7654d7f62e6c69fd20f55ad24ff83e672bbb8ca97d", + "type": "eql", + "version": 102 + } + }, + "rule_name": "Netsh Helper DLL", + "sha256": 
"54f00272d79b87fe262ae02033486e748e84d4ab22a02b091b094c3cb456d4d5", + "type": "eql", + "version": 202 + }, + "b15a15f2-becf-475d-aa69-45c9e0ff1c49": { + "rule_name": "Hidden Directory Creation via Unusual Parent", + "sha256": "9775897dddd3d5ea2fa72deb33baef8f2737925ad1d5be0ea764df8986e49111", + "type": "eql", + "version": 1 + }, + "b1773d05-f349-45fb-9850-287b8f92f02d": { + "min_stack_version": "8.13", + "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", + "sha256": "b4bb7df60780eda7a7112af699e8f9eeb886859104a14dc0c0e590d88fbdfc26", + "type": "esql", + "version": 3 + }, + "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { + "rule_name": "Potential Persistence via Cron Job", + "sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed", + "type": "query", + "version": 100 + }, + "b2318c71-5959-469a-a3ce-3a0768e63b9c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "Potential Network Share Discovery", - "sha256": "1eec14e34b78d05d1d54269871b6b0fffff322f1f5bba3508e37ad163c8f498e", + "sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c", "type": "eql", - "version": 106 - }, - "b240bfb8-26b7-4e5e-924e-218144a3fa71": { - "rule_name": "Spike in Network Traffic", - "sha256": "de46ac771569265cca83a3eb78ca92c48cf3478e0c49d68ffeb12dfeeaeccaf5", - "type": "machine_learning", - "version": 104 - }, - "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { - "min_stack_version": "8.13", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Remote File Copy via TeamViewer", - "sha256": "a29d0b9a977b708aa1a61691d747913dbec9f7c2b91dbc0a40e511177f53deab", - "type": "eql", - "version": 112 - } - }, + "version": 6 + } + }, + "rule_name": "Potential Network Share Discovery", + "sha256": "1eec14e34b78d05d1d54269871b6b0fffff322f1f5bba3508e37ad163c8f498e", + "type": "eql", + "version": 106 + }, + "b240bfb8-26b7-4e5e-924e-218144a3fa71": { + "rule_name": 
"Spike in Network Traffic", + "sha256": "de46ac771569265cca83a3eb78ca92c48cf3478e0c49d68ffeb12dfeeaeccaf5", + "type": "machine_learning", + "version": 104 + }, + "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { + "min_stack_version": "8.13", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Remote File Copy via TeamViewer", - "sha256": "0c04cfa96ede82a6bbb59d8e384474d50b45f25914ae1e80b8f511c08aeb6711", + "sha256": "a29d0b9a977b708aa1a61691d747913dbec9f7c2b91dbc0a40e511177f53deab", "type": "eql", - "version": 212 - }, - "b2951150-658f-4a60-832f-a00d1e6c6745": { - "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", - "type": "query", - "version": 206 - }, - "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Network Connection via Compiled HTML File", - "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", - "type": "eql", - "version": 108 - } - }, + "version": 112 + } + }, + "rule_name": "Remote File Copy via TeamViewer", + "sha256": "0c04cfa96ede82a6bbb59d8e384474d50b45f25914ae1e80b8f511c08aeb6711", + "type": "eql", + "version": 212 + }, + "b2951150-658f-4a60-832f-a00d1e6c6745": { + "rule_name": "Microsoft 365 Unusual Volume of File Deletion", + "sha256": "1dbef7993a821421fc2fa12a51dab4936081be0382afeb3ebd8f36b93c07bdcf", + "type": "query", + "version": 206 + }, + "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Network Connection via Compiled HTML File", - "sha256": "116a6ad1cd9cb04c665956e8d54a4b226e296be8ffbf0a20f7073e7b6329ed3a", + "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", "type": "eql", - "version": 208 - }, - "b347b919-665f-4aac-b9e8-68369bf2340c": { - "rule_name": "Unusual Linux Username", - "sha256": 
"a06f31bcbb968f4b0f7c2b9729c84a695e91e13c34ea63cd6aaedb3ccb06324d", - "type": "machine_learning", - "version": 104 - }, - "b36c99af-b944-4509-a523-7e0fad275be1": { - "rule_name": "AWS RDS Snapshot Deleted", - "sha256": "5ef62fe38d22a4511a897c8008ac45dc5666daf58d4330f04538f49decbbeea1", + "version": 108 + } + }, + "rule_name": "Network Connection via Compiled HTML File", + "sha256": "116a6ad1cd9cb04c665956e8d54a4b226e296be8ffbf0a20f7073e7b6329ed3a", + "type": "eql", + "version": 208 + }, + "b347b919-665f-4aac-b9e8-68369bf2340c": { + "rule_name": "Unusual Linux Username", + "sha256": "a06f31bcbb968f4b0f7c2b9729c84a695e91e13c34ea63cd6aaedb3ccb06324d", + "type": "machine_learning", + "version": 104 + }, + "b36c99af-b944-4509-a523-7e0fad275be1": { + "rule_name": "AWS RDS Snapshot Deleted", + "sha256": "5ef62fe38d22a4511a897c8008ac45dc5666daf58d4330f04538f49decbbeea1", + "type": "eql", + "version": 2 + }, + "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Suspicious Endpoint Security Parent Process", + "sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817", "type": "eql", - "version": 2 - }, - "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "67351b07df4aa1f47a5962233ac558f0f841b0b99dc69791d778f50a1490b724", - "type": "eql", - "version": 213 - } - }, + "version": 114 + }, + "8.13": { + "max_allowable_version": 312, "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "0cf7c5888e6bd4702f883dc4ba471a0d9c383c885d4588e6fe1a7ff741df7a15", + "sha256": 
"67351b07df4aa1f47a5962233ac558f0f841b0b99dc69791d778f50a1490b724", "type": "eql", - "version": 313 - }, - "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "168f65fff8c879d2ac1d9d8f75f943f5bfc82f8f42fb32accf1cafe4fa2f394b", - "type": "eql", - "version": 9 - }, - "8.13": { - "max_allowable_version": 208, - "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "8abbd6548883de2d4be1a5b3301cd6db8b4794b27c6795d260aa7bc4563dbf15", - "type": "eql", - "version": 109 - } - }, + "version": 213 + } + }, + "rule_name": "Suspicious Endpoint Security Parent Process", + "sha256": "0cf7c5888e6bd4702f883dc4ba471a0d9c383c885d4588e6fe1a7ff741df7a15", + "type": "eql", + "version": 313 + }, + "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "Code Signing Policy Modification Through Built-in tools", - "sha256": "e76f39f3230ce3fdd5752f4e51b4dc81e358b9672d2d230ce5fd21bcb2524dfd", + "sha256": "168f65fff8c879d2ac1d9d8f75f943f5bfc82f8f42fb32accf1cafe4fa2f394b", "type": "eql", - "version": 209 - }, - "b4449455-f986-4b5a-82ed-e36b129331f7": { - "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900", - "type": "query", - "version": 106 - }, - "b45ab1d2-712f-4f01-a751-df3826969807": { - "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670", - "type": "query", - "version": 206 - }, - "b483365c-98a8-40c0-92d8-0458ca25058a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "At.exe Command Lateral Movement", - "sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402", 
- "type": "eql", - "version": 5 - } - }, - "rule_name": "At.exe Command Lateral Movement", - "sha256": "0faf08d3fdfac536a63dfff97a2abbd6313f1fefaf83540375468e94be91e7a0", + "version": 9 + }, + "8.13": { + "max_allowable_version": 208, + "rule_name": "Code Signing Policy Modification Through Built-in tools", + "sha256": "8abbd6548883de2d4be1a5b3301cd6db8b4794b27c6795d260aa7bc4563dbf15", "type": "eql", - "version": 105 - }, - "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { - "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", - "type": "query", - "version": 207 - }, - "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { - "rule_name": "Potential Privilege Escalation via OverlayFS", - "sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93", + "version": 109 + } + }, + "rule_name": "Code Signing Policy Modification Through Built-in tools", + "sha256": "40c7f66bf4e89df1d59470f6039032a32e6991959d8e11a12649604b2ba79da1", + "type": "eql", + "version": 210 + }, + "b4449455-f986-4b5a-82ed-e36b129331f7": { + "rule_name": "Potential Persistence via Atom Init Script Modification", + "sha256": "c504a9e2929d88a06087ed97f63cef00dc04803abda6cfbe448c6c7c5a3d9900", + "type": "query", + "version": 106 + }, + "b45ab1d2-712f-4f01-a751-df3826969807": { + "rule_name": "AWS STS GetSessionToken Abuse", + "sha256": "8d815943419b48862fd4b4d8bf7e7415b72bff58fb7dc7299a2548453ffd2670", + "type": "query", + "version": 206 + }, + "b483365c-98a8-40c0-92d8-0458ca25058a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "At.exe Command Lateral Movement", + "sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402", "type": "eql", "version": 5 - }, - "b5877334-677f-4fb9-86d5-a9721274223b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Clearing Windows Console History", - "sha256": 
"31a8236d386d194b359d207af5df1bf72482fd394b73f8560ec1fc6de98072eb", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Clearing Windows Console History", - "sha256": "2750851ffd550e98d2fa0f4b5654f051e62a2b807d18128b748c136fcfa2d9ce", - "type": "eql", - "version": 212 - } - }, + } + }, + "rule_name": "At.exe Command Lateral Movement", + "sha256": "0faf08d3fdfac536a63dfff97a2abbd6313f1fefaf83540375468e94be91e7a0", + "type": "eql", + "version": 105 + }, + "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9", + "type": "query", + "version": 208 + }, + "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { + "rule_name": "Potential Privilege Escalation via OverlayFS", + "sha256": "58bcb45f4849adaa8d78a19d8a371830c27498740c55f3af585b223cd3043f93", + "type": "eql", + "version": 5 + }, + "b5877334-677f-4fb9-86d5-a9721274223b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Clearing Windows Console History", - "sha256": "0340444463c0b755befd7f9253996b18a0c46698ad0212b1487b247f5f70faeb", + "sha256": "31a8236d386d194b359d207af5df1bf72482fd394b73f8560ec1fc6de98072eb", "type": "eql", - "version": 312 - }, - "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "4466accbd5ff400c7b23c229e6337d6832b2b1ec20954ba16572704e2f965837", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "f507b4e773a9237e2f79ee6904335b27b7cde346688aeee533fbdf6dfc06bf52", - "type": "eql", - "version": 212 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Clearing Windows Console History", 
+ "sha256": "2750851ffd550e98d2fa0f4b5654f051e62a2b807d18128b748c136fcfa2d9ce", + "type": "eql", + "version": 212 + } + }, + "rule_name": "Clearing Windows Console History", + "sha256": "4895530aff3222c2708c780f6046f091fe54c7f8ae320663a9e360501eaead98", + "type": "eql", + "version": 313 + }, + "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "91f83fdfe648e53be18d0cf288db3be84c510e854ac6ad1e2f24bd8e6a9cce1e", + "sha256": "4466accbd5ff400c7b23c229e6337d6832b2b1ec20954ba16572704e2f965837", "type": "eql", - "version": 312 - }, - "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { - "rule_name": "Systemd Service Started by Unusual Parent Process", - "sha256": "f7dabab39fc646885b39c4c9afb130a28ee22c77ab5d59c1661931a5024b5ea4", - "type": "new_terms", - "version": 3 - }, - "b627cd12-dac4-11ec-9582-f661ea17fbcd": { - "rule_name": "Elastic Agent Service Terminated", - "sha256": "f3649a0d50320a3030f75006849ddad5a4d2da60d180156464fccb95ead0343d", + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", + "sha256": "f507b4e773a9237e2f79ee6904335b27b7cde346688aeee533fbdf6dfc06bf52", "type": "eql", - "version": 107 - }, - "b64b183e-1a76-422d-9179-7b389513e74d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc", - "type": "eql", - "version": 110 - } - }, + "version": 212 + } + }, + "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", + "sha256": "a23c2164fc398c84a3801c90a53f1caaa9b506aeb7e2200ced7b22100fbc25bf", + "type": "eql", + "version": 313 + }, + "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { + "rule_name": "Systemd Service Started by Unusual Parent 
Process", + "sha256": "f7dabab39fc646885b39c4c9afb130a28ee22c77ab5d59c1661931a5024b5ea4", + "type": "new_terms", + "version": 3 + }, + "b627cd12-dac4-11ec-9582-f661ea17fbcd": { + "rule_name": "Elastic Agent Service Terminated", + "sha256": "f3649a0d50320a3030f75006849ddad5a4d2da60d180156464fccb95ead0343d", + "type": "eql", + "version": 107 + }, + "b64b183e-1a76-422d-9179-7b389513e74d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "4f452d9f56b62a85917e5573aa9d6ccec3f73e1f315ed4713033aa6c121baad6", + "sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc", "type": "eql", - "version": 210 - }, - "b661f86d-1c23-4ce7-a59e-2edbdba28247": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Potential Veeam Credential Access Command", - "sha256": "b3f8b7e37e939e3cd6163ab49a982617cbd2281cc8245da41d7f0b07ffb9ac0d", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Potential Veeam Credential Access Command", - "sha256": "a781b7d7d5cb0610d58d9d15d1958e44ecdca51bccac374b26439493b44aa19e", - "type": "eql", - "version": 102 - } - }, + "version": 110 + } + }, + "rule_name": "Windows Script Interpreter Executing Process via WMI", + "sha256": "4f452d9f56b62a85917e5573aa9d6ccec3f73e1f315ed4713033aa6c121baad6", + "type": "eql", + "version": 210 + }, + "b661f86d-1c23-4ce7-a59e-2edbdba28247": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, "rule_name": "Potential Veeam Credential Access Command", - "sha256": "cb102088ed6f565e84fe1f5f165887d4b2cb9af4237773457916798de4af2415", - "type": "eql", - "version": 202 - }, - "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Potential Privilege Escalation 
via Service ImagePath Modification", - "sha256": "050e1cfaf93c6b295453f348901119d4394b12f7e0cab4e059bd351a1b69dd62", - "type": "eql", - "version": 2 - } - }, - "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", - "sha256": "af45308979a39d4eaba7f820d1065c522553f97422f59b37e1ceaa30e384f5b6", + "sha256": "b3f8b7e37e939e3cd6163ab49a982617cbd2281cc8245da41d7f0b07ffb9ac0d", + "type": "eql", + "version": 2 + }, + "8.13": { + "max_allowable_version": 201, + "rule_name": "Potential Veeam Credential Access Command", + "sha256": "a781b7d7d5cb0610d58d9d15d1958e44ecdca51bccac374b26439493b44aa19e", "type": "eql", "version": 102 - }, - "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { - "rule_name": "Azure Event Hub Authorization Rule Created or Updated", - "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", - "type": "query", - "version": 103 - }, - "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { - "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", - "type": "query", - "version": 207 - }, - "b7c05aaf-78c2-4558-b069-87fa25973489": { - "rule_name": "Potential Buffer Overflow Attack Detected", - "sha256": "5380c3038a2af299ccd3b033b1406b58964ffa17c1f58df16c2ef6e5cf6cb8f3", - "type": "threshold", - "version": 3 - }, - "b8075894-0b62-46e5-977c-31275da34419": { - "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", - "type": "query", - "version": 206 - }, - "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { - "rule_name": "Linux System Information Discovery", - "sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61", + } + }, + "rule_name": "Potential Veeam Credential Access Command", + "sha256": "72b427f54c6695f023af0e9104a96d6c24a4b1b4656b3ad7c04ec87636e4af2c", + "type": "eql", + "version": 203 + }, + "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { + 
"min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, + "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", + "sha256": "050e1cfaf93c6b295453f348901119d4394b12f7e0cab4e059bd351a1b69dd62", "type": "eql", - "version": 3 - }, - "b8386923-b02c-4b94-986a-d223d9b01f88": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "PowerShell Invoke-NinjaCopy script", - "sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21", - "type": "query", - "version": 8 - } - }, + "version": 2 + } + }, + "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", + "sha256": "af45308979a39d4eaba7f820d1065c522553f97422f59b37e1ceaa30e384f5b6", + "type": "eql", + "version": 102 + }, + "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { + "rule_name": "Azure Event Hub Authorization Rule Created or Updated", + "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", + "type": "query", + "version": 103 + }, + "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { + "rule_name": "Attempt to Deactivate an Okta Policy", + "sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48", + "type": "query", + "version": 208 + }, + "b7c05aaf-78c2-4558-b069-87fa25973489": { + "rule_name": "Potential Buffer Overflow Attack Detected", + "sha256": "5380c3038a2af299ccd3b033b1406b58964ffa17c1f58df16c2ef6e5cf6cb8f3", + "type": "threshold", + "version": 3 + }, + "b8075894-0b62-46e5-977c-31275da34419": { + "rule_name": "Administrator Privileges Assigned to an Okta Group", + "sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff", + "type": "query", + "version": 207 + }, + "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { + "rule_name": "Linux System Information Discovery", + "sha256": "25a7750edeab372fb60402e82e49e3e259e8b0b077e85b3ecc8af17ef77deb61", + "type": "eql", + "version": 3 + }, + "b8386923-b02c-4b94-986a-d223d9b01f88": 
{ + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, "rule_name": "PowerShell Invoke-NinjaCopy script", - "sha256": "654522097bfb8fcc73d4d0e47d8cd853307040171bb5ba29d706f26e17879552", + "sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21", "type": "query", - "version": 108 - }, - "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 410, - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "5fbb8e28328ce0d6b8eb601ed88b02aea94913e0aaac62864d73965cca3ef190", - "type": "eql", - "version": 311 - } - }, + "version": 8 + } + }, + "rule_name": "PowerShell Invoke-NinjaCopy script", + "sha256": "654522097bfb8fcc73d4d0e47d8cd853307040171bb5ba29d706f26e17879552", + "type": "query", + "version": 108 + }, + "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, + "rule_name": "Creation or Modification of Domain Backup DPAPI private key", + "sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04", + "type": "eql", + "version": 109 + }, + "8.13": { + "max_allowable_version": 410, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "70fa3063fe97275ef3234d0d360e2fc0cf3d766d16240896482bbe1776f1268f", - "type": "eql", - "version": 411 - }, - "b86afe07-0d98-4738-b15d-8d7465f95ff5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Network Connection via MsXsl", - "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", - "type": "eql", - "version": 106 - } - }, + 
"sha256": "5fbb8e28328ce0d6b8eb601ed88b02aea94913e0aaac62864d73965cca3ef190", + "type": "eql", + "version": 311 + } + }, + "rule_name": "Creation or Modification of Domain Backup DPAPI private key", + "sha256": "1a2bd980116032f3b23c60f6ff7d330af67914677769ffb5257e3c4586c81cf7", + "type": "eql", + "version": 412 + }, + "b86afe07-0d98-4738-b15d-8d7465f95ff5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, "rule_name": "Network Connection via MsXsl", - "sha256": "2a8d4623d634d9ba410321005df48a3d01e6223aae8df69789c9d8d06ba0b095", + "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", "type": "eql", - "version": 206 - }, - "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "Kirbi File Creation", - "sha256": "dac2e2c25e7dd1a182070fd822b152f0095457a92cc288cdb320b70210ac5506", - "type": "eql", - "version": 6 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Kirbi File Creation", - "sha256": "d4bb7b621d40378ce8bd39a87d46ccfedd440b733962e100fa3813f738a80a22", - "type": "eql", - "version": 210 - } - }, + "version": 106 + } + }, + "rule_name": "Network Connection via MsXsl", + "sha256": "2a8d4623d634d9ba410321005df48a3d01e6223aae8df69789c9d8d06ba0b095", + "type": "eql", + "version": 206 + }, + "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, "rule_name": "Kirbi File Creation", - "sha256": "e23ccc7bab168bff4064f0ed4c08a71d944c449d9c31444c71befe77d7e7f846", + "sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22", "type": "eql", - "version": 310 - }, - "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": 
"06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "0cf05a58ea4296f5dd53393e3fa87a56decafbc24ed8a95c02173a6278d99696", - "type": "eql", - "version": 209 - } - }, + "version": 7 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Kirbi File Creation", + "sha256": "d4bb7b621d40378ce8bd39a87d46ccfedd440b733962e100fa3813f738a80a22", + "type": "eql", + "version": 210 + } + }, + "rule_name": "Kirbi File Creation", + "sha256": "9c52cab4c0ede53965241d9332ed5d03335a7efa2d96067f2cd95ea3844f3e1b", + "type": "eql", + "version": 311 + }, + "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "214ce6ab3146a3459a0af3b78a456204ac356e19d633e99e5b038f6e42f1306b", + "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", "type": "eql", - "version": 309 - }, - "b910f25a-2d44-47f2-a873-aabdc0d355e6": { - "rule_name": "Chkconfig Service Add", - "sha256": "9c7a8cfb8eca73b67ec15c23255ca9cf126e741100f64dc1894d35746f8b2985", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", + "sha256": "0cf05a58ea4296f5dd53393e3fa87a56decafbc24ed8a95c02173a6278d99696", "type": "eql", - "version": 113 - }, - "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { - "rule_name": "Discovery of Domain Groups", - "sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677", - "type": "eql", - "version": 2 - }, - "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { - "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", - "sha256": 
"b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c", - "type": "threshold", - "version": 4 - }, - "b9554892-5e0e-424b-83a0-5aef95aa43bf": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "5971f13dca2e4aa9242197c75db0ea4b322db1fbca63722424ceb9cbd06d0233", - "type": "eql", - "version": 111 - } - }, + "version": 209 + } + }, + "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", + "sha256": "214ce6ab3146a3459a0af3b78a456204ac356e19d633e99e5b038f6e42f1306b", + "type": "eql", + "version": 309 + }, + "b910f25a-2d44-47f2-a873-aabdc0d355e6": { + "rule_name": "Chkconfig Service Add", + "sha256": "9c7a8cfb8eca73b67ec15c23255ca9cf126e741100f64dc1894d35746f8b2985", + "type": "eql", + "version": 113 + }, + "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { + "rule_name": "Discovery of Domain Groups", + "sha256": "6858329aa178170f3a6900b8d4233573f6741d68814c2b5ac702c5d76e3ee677", + "type": "eql", + "version": 2 + }, + "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { + "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", + "sha256": "b83cfd125f81b6526b23aac2a53cc883827934288f3bb4ae9a000c705c69cd7c", + "type": "threshold", + "version": 4 + }, + "b9554892-5e0e-424b-83a0-5aef95aa43bf": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "3acd9e9b9d59edb71bdeac456f55d8a99ada6edeb583af312a886c1c4701c997", - "type": "eql", - "version": 211 - }, - "b9666521-4742-49ce-9ddc-b8e84c35acae": { - "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "96c38ecf43de8a4a33c0288d46a9ba72c818241dbfade2a921c8c79a69ed4faf", + "sha256": "5971f13dca2e4aa9242197c75db0ea4b322db1fbca63722424ceb9cbd06d0233", "type": "eql", "version": 111 - }, - "b9960fef-82c6-4816-befa-44745030e917": { - 
"min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "bda5b68f6a9ce0faa83bde7e30a5eec3d8841869e427b86112cf0f0a52a6353d", - "type": "eql", - "version": 211 - } - }, + } + }, + "rule_name": "Group Policy Abuse for Privilege Addition", + "sha256": "3acd9e9b9d59edb71bdeac456f55d8a99ada6edeb583af312a886c1c4701c997", + "type": "eql", + "version": 211 + }, + "b9666521-4742-49ce-9ddc-b8e84c35acae": { + "rule_name": "Creation of Hidden Files and Directories via CommandLine", + "sha256": "96c38ecf43de8a4a33c0288d46a9ba72c818241dbfade2a921c8c79a69ed4faf", + "type": "eql", + "version": 111 + }, + "b9960fef-82c6-4816-befa-44745030e917": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "9623c43706d421a241ab6b399c014dbf39d8e09e1801bf1e8527980848090a52", + "sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847", "type": "eql", - "version": 311 - }, - "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { - "rule_name": "File Creation by Cups or Foomatic-rip Child", - "sha256": "7c771e2cb6b8fc6e241c50beebc9871ffb34e29e2758e25d9042b45a8104f2b4", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "SolarWinds Process Disabling Services via Registry", + "sha256": "bda5b68f6a9ce0faa83bde7e30a5eec3d8841869e427b86112cf0f0a52a6353d", "type": "eql", - "version": 1 - }, - "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows Network Activity", - "sha256": 
"f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57", - "type": "machine_learning", - "version": 106 - } - }, + "version": 211 + } + }, + "rule_name": "SolarWinds Process Disabling Services via Registry", + "sha256": "9623c43706d421a241ab6b399c014dbf39d8e09e1801bf1e8527980848090a52", + "type": "eql", + "version": 311 + }, + "b9b14be7-b7f4-4367-9934-81f07d2f63c4": { + "rule_name": "File Creation by Cups or Foomatic-rip Child", + "sha256": "7c771e2cb6b8fc6e241c50beebc9871ffb34e29e2758e25d9042b45a8104f2b4", + "type": "eql", + "version": 1 + }, + "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, "rule_name": "Unusual Windows Network Activity", - "sha256": "0a7119838ef1bbfcb9f54801d64f16dd3d98728399c20c2d35f94a5ce6ad4ce4", + "sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57", "type": "machine_learning", - "version": 206 - }, - "ba81c182-4287-489d-af4d-8ae834b06040": { - "rule_name": "Kernel Driver Load by non-root User", - "sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844", - "type": "eql", - "version": 3 - }, - "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", - "type": "eql", - "version": 109 - } - }, - "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "94ce634225344b3f6df8c3497393fba829c409f0d01520f34d4611a74ed8bea3", - "type": "eql", - "version": 209 - }, - "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { - "rule_name": "Azure Resource Group Deletion", - "sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576", - "type": "query", - "version": 102 - }, - "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { - "rule_name": "AWS EC2 Encryption Disabled", - 
"sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834", - "type": "query", - "version": 206 - }, - "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { - "rule_name": "OneDrive Malware File Upload", - "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", - "type": "query", - "version": 206 - }, - "bbaa96b9-f36c-4898-ace2-581acb00a409": { - "rule_name": "Potential SYN-Based Network Scan Detected", - "sha256": "682e1b59f8cf01d5dd254c5cab6e075ed621000c6059b31845117c2d16a2ba69", - "type": "threshold", - "version": 7 - }, - "bbd1a775-8267-41fa-9232-20e5582596ac": { - "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", - "type": "query", - "version": 207 - }, - "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { - "rule_name": "AWS Root Login Without MFA", - "sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157", - "type": "query", - "version": 209 - }, - "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { - "rule_name": "GCP Storage Bucket Deletion", - "sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d", - "type": "query", - "version": 104 - }, - "bc0fc359-68db-421e-a435-348ced7a7f92": { - "rule_name": "Potential Privilege Escalation via Enlightenment", - "sha256": "6401927f8fccbd1a2df04a2676ccbbb51a67242c1fed8afcc893fdff0e431642", - "type": "eql", - "version": 2 - }, - "bc1eeacf-2972-434f-b782-3a532b100d67": { - "rule_name": "Attempt to Install Root Certificate", - "sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972", - "type": "query", "version": 106 - }, - "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { - "rule_name": "Azure Conditional Access Policy Modified", - "sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c", - "type": "query", - "version": 102 - }, - "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { - "rule_name": "Potential Non-Standard Port SSH connection", - 
"sha256": "97bc67179bba8f6cfb7b0f1f51016d7a35525d4394522b1dff503b2777675b42", - "type": "eql", - "version": 6 - }, - "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { - "rule_name": "File and Directory Permissions Modification", - "sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139", + } + }, + "rule_name": "Unusual Windows Network Activity", + "sha256": "0a7119838ef1bbfcb9f54801d64f16dd3d98728399c20c2d35f94a5ce6ad4ce4", + "type": "machine_learning", + "version": 206 + }, + "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { + "rule_name": "AWS STS Role Chaining", + "sha256": "58bc4d819e8f3c20c185397da3f15f20e53974723a07372c04ba0d8368367511", + "type": "esql", + "version": 1 + }, + "ba81c182-4287-489d-af4d-8ae834b06040": { + "rule_name": "Kernel Driver Load by non-root User", + "sha256": "8c938c1fdbabd146fcde85cf8129c9bd1bcf1dd989aaf68650cd11bf09181844", + "type": "eql", + "version": 3 + }, + "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, + "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", + "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", "type": "eql", - "version": 2 - }, - "bca7d28e-4a48-47b1-adb7-5074310e9a61": { - "rule_name": "GCP Service Account Disabled", - "sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace", - "type": "query", - "version": 104 - }, - "bcaa15ce-2d41-44d7-a322-918f9db77766": { - "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", - "sha256": "41097481c1fd5da6e1bd4c66305518ee0a92846e0a69ae89fd936b10338b1c33", - "type": "query", - "version": 5 - }, - "bd2c86a0-8b61-4457-ab38-96943984e889": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 214, - "rule_name": "PowerShell Keylogging Script", - "sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e", - "type": "query", - "version": 115 - } - 
}, + "version": 109 + } + }, + "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", + "sha256": "94ce634225344b3f6df8c3497393fba829c409f0d01520f34d4611a74ed8bea3", + "type": "eql", + "version": 209 + }, + "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { + "rule_name": "Azure Resource Group Deletion", + "sha256": "d6e81ca3325b8461c497b7a0edcb7ba2a438aaadc2af98f490696891126c3576", + "type": "query", + "version": 102 + }, + "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { + "rule_name": "AWS EC2 Encryption Disabled", + "sha256": "8d31ea9768807181a7d1aca8eb47a8f3c015b3412c46ccf6963c5e06b676e834", + "type": "query", + "version": 206 + }, + "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { + "rule_name": "OneDrive Malware File Upload", + "sha256": "b2abdce89d919f7eaeb571349e52d6d14eac86020237f33d935576d9f83954aa", + "type": "query", + "version": 206 + }, + "bbaa96b9-f36c-4898-ace2-581acb00a409": { + "rule_name": "Potential SYN-Based Network Scan Detected", + "sha256": "682e1b59f8cf01d5dd254c5cab6e075ed621000c6059b31845117c2d16a2ba69", + "type": "threshold", + "version": 7 + }, + "bbd1a775-8267-41fa-9232-20e5582596ac": { + "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "sha256": "bfeee6d64b53fd5857ae139679a0455df0d0127f55134eadfdf8053869f558f3", + "type": "query", + "version": 207 + }, + "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { + "rule_name": "AWS Root Login Without MFA", + "sha256": "82c85c3ffc9f5335daf17ae1f400177234e73823fc5f5c563c9c6285a03f1157", + "type": "query", + "version": 209 + }, + "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { + "rule_name": "GCP Storage Bucket Deletion", + "sha256": "56e79003e4ad65163eb8f9aaf96239590b6a756222a60be2d8115a39b4c1a54d", + "type": "query", + "version": 104 + }, + "bc0fc359-68db-421e-a435-348ced7a7f92": { + "rule_name": "Potential Privilege Escalation via Enlightenment", + "sha256": "6401927f8fccbd1a2df04a2676ccbbb51a67242c1fed8afcc893fdff0e431642", + "type": "eql", + "version": 2 + }, + 
"bc1eeacf-2972-434f-b782-3a532b100d67": { + "rule_name": "Attempt to Install Root Certificate", + "sha256": "903b93770a64c71465333adf2e585d4931a592eccfe4eb954cadab052441c972", + "type": "query", + "version": 106 + }, + "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { + "rule_name": "Azure Conditional Access Policy Modified", + "sha256": "cfacc3ddc30a65458618914bcd492cf9fbb25d104b2271afdb3ff3fef7bf0c0c", + "type": "query", + "version": 102 + }, + "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { + "rule_name": "Potential Non-Standard Port SSH connection", + "sha256": "97bc67179bba8f6cfb7b0f1f51016d7a35525d4394522b1dff503b2777675b42", + "type": "eql", + "version": 6 + }, + "bc9e4f5a-e263-4213-a2ac-1edf9b417ada": { + "rule_name": "File and Directory Permissions Modification", + "sha256": "7952e5bdcb6bd4b0314d08e1b8ab86c34ce066c95e0bbe8a056527df93794139", + "type": "eql", + "version": 2 + }, + "bca7d28e-4a48-47b1-adb7-5074310e9a61": { + "rule_name": "GCP Service Account Disabled", + "sha256": "10252c6946a904bb799ac153943817d274319179587022f10240f3e65af79ace", + "type": "query", + "version": 104 + }, + "bcaa15ce-2d41-44d7-a322-918f9db77766": { + "rule_name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", + "sha256": "41097481c1fd5da6e1bd4c66305518ee0a92846e0a69ae89fd936b10338b1c33", + "type": "query", + "version": 5 + }, + "bd2c86a0-8b61-4457-ab38-96943984e889": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 214, "rule_name": "PowerShell Keylogging Script", - "sha256": "0f29bd06ba330170b8afdddc3f4b34a22926ac6b7ad0ed8cb91586055464778b", - "type": "query", - "version": 215 - }, - "bd3d058d-5405-4cee-b890-337f09366ba2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "Potential Defense Evasion via CMSTP.exe", - "sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a", - "type": "eql", - "version": 5 - } - }, + "sha256": 
"0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e", + "type": "query", + "version": 115 + } + }, + "rule_name": "PowerShell Keylogging Script", + "sha256": "0f29bd06ba330170b8afdddc3f4b34a22926ac6b7ad0ed8cb91586055464778b", + "type": "query", + "version": 215 + }, + "bd3d058d-5405-4cee-b890-337f09366ba2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, "rule_name": "Potential Defense Evasion via CMSTP.exe", - "sha256": "1b379c5cbede7bf2589191a432c64ff0cec22ff6311e672094cd7adfdb312095", + "sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a", "type": "eql", - "version": 105 - }, - "bd7eefee-f671-494e-98df-f01daf9e5f17": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c", - "type": "eql", - "version": 108 - } - }, + "version": 5 + } + }, + "rule_name": "Potential Defense Evasion via CMSTP.exe", + "sha256": "1b379c5cbede7bf2589191a432c64ff0cec22ff6311e672094cd7adfdb312095", + "type": "eql", + "version": 105 + }, + "bd7eefee-f671-494e-98df-f01daf9e5f17": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "db7cf9c80bdb8b5893f2f43e48a7d7df98a942bf350a50d63170ac69fa939a6f", - "type": "eql", - "version": 208 - }, - "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { - "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "208ae3e9f868bf1cce7eb02281964c937adbfde045a989a1092be5f6762da5f5", + "sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c", "type": "eql", - "version": 8 - }, - "bdcf646b-08d4-492c-870a-6c04e3700034": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Potential Privileged Escalation via 
SamAccountName Spoofing", - "sha256": "88869a90ff8b60cea2e3b311a3cff7348cabd05ea463923dacb7e7810c9063a8", - "type": "eql", - "version": 109 - } - }, + "version": 108 + } + }, + "rule_name": "Suspicious Print Spooler Point and Print DLL", + "sha256": "db7cf9c80bdb8b5893f2f43e48a7d7df98a942bf350a50d63170ac69fa939a6f", + "type": "eql", + "version": 208 + }, + "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { + "rule_name": "Potential Pspy Process Monitoring Detected", + "sha256": "208ae3e9f868bf1cce7eb02281964c937adbfde045a989a1092be5f6762da5f5", + "type": "eql", + "version": 8 + }, + "bdcf646b-08d4-492c-870a-6c04e3700034": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "648bf202efc778e1ea44b6f4bc7c7ed4bc604a577fcc05f919cf3c4039e47be7", + "sha256": "88869a90ff8b60cea2e3b311a3cff7348cabd05ea463923dacb7e7810c9063a8", "type": "eql", - "version": 209 - }, - "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { - "min_stack_version": "8.14", - "previous": { - "8.13": { - "max_allowable_version": 100, - "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "fa9ae9a7e20aab6c162d2e5a0efe0f3abacb8e51ecc0dfde0e1e9ada66b911e5", - "type": "eql", - "version": 1 - } - }, + "version": 109 + } + }, + "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", + "sha256": "648bf202efc778e1ea44b6f4bc7c7ed4bc604a577fcc05f919cf3c4039e47be7", + "type": "eql", + "version": 209 + }, + "bdfaddc4-4438-48b4-bc43-9f5cf8151c46": { + "min_stack_version": "8.14", + "previous": { + "8.13": { + "max_allowable_version": 100, "rule_name": "Execution via Windows Command Debugging Utility", - "sha256": "b7cf4a9f3ac054f69a8e84d7cca0b502af39e9427a92637acb56243ec2cd859d", + "sha256": "fa9ae9a7e20aab6c162d2e5a0efe0f3abacb8e51ecc0dfde0e1e9ada66b911e5", "type": "eql", - "version": 101 - }, - "bdfebe11-e169-42e3-b344-c5d2015533d3": { - "min_stack_version": 
"8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206", - "type": "machine_learning", - "version": 7 - } - }, + "version": 1 + } + }, + "rule_name": "Execution via Windows Command Debugging Utility", + "sha256": "de2a9f336f392f64c5a8f2b0a31498085b0ef328787d7393babf01a457d396ae", + "type": "eql", + "version": 102 + }, + "bdfebe11-e169-42e3-b344-c5d2015533d3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", - "sha256": "33fbe922a809500b90b0b747bca167cf62c51e06ababa878a628223092488470", + "sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206", "type": "machine_learning", - "version": 107 - }, - "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { - "rule_name": "Unusual Remote File Directory", - "sha256": "7b9570bb0ddabacbeccf2b03bf6ea05d0ed3a286165e5b807313c17531ac9116", - "type": "machine_learning", - "version": 4 - }, - "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "db1f6c9c5239a78f6c915ce9494aaffcf9463f9e6f0dd22ae5f13015228ec267", - "type": "eql", - "version": 211 - } - }, + "version": 7 + } + }, + "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", + "sha256": "33fbe922a809500b90b0b747bca167cf62c51e06ababa878a628223092488470", + "type": "machine_learning", + "version": 107 + }, + "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { + "rule_name": "Unusual Remote File Directory", + "sha256": 
"7b9570bb0ddabacbeccf2b03bf6ea05d0ed3a286165e5b807313c17531ac9116", + "type": "machine_learning", + "version": 4 + }, + "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "aa92d61a20988fcff096acb8bdefc175bc6a9106afea40c6075279a20c88a82c", + "sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7", "type": "eql", - "version": 311 - }, - "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { - "rule_name": "AWS RDS DB Instance Restored", - "sha256": "0703a09b818a7309df61f2173cfadcdd04899c0f597c70caebec0a6a7a077968", - "type": "eql", - "version": 207 - }, - "bf8c007c-7dee-4842-8e9a-ee534c09d205": { - "rule_name": "System Owner/User Discovery Linux", - "sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df", + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Searching for Saved Credentials via VaultCmd", + "sha256": "db1f6c9c5239a78f6c915ce9494aaffcf9463f9e6f0dd22ae5f13015228ec267", "type": "eql", - "version": 3 - }, - "bfba5158-1fd6-4937-a205-77d96213b341": { - "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", - "sha256": "c3cf350e861be02338f712fd3772691bcefeb7f7d07e9718eec2fbc3476c707e", - "type": "machine_learning", - "version": 4 - }, - "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f", - "type": "eql", - "version": 113 - } - }, + "version": 211 + } + }, + "rule_name": "Searching for Saved Credentials via VaultCmd", + "sha256": "f4689b888fd798880d919b9f8ffbd6b0e6a45d941a01ac44077e773d933a4b5b", + "type": "eql", + "version": 312 + }, + "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { + "rule_name": 
"AWS RDS DB Instance Restored", + "sha256": "0703a09b818a7309df61f2173cfadcdd04899c0f597c70caebec0a6a7a077968", + "type": "eql", + "version": 207 + }, + "bf8c007c-7dee-4842-8e9a-ee534c09d205": { + "rule_name": "System Owner/User Discovery Linux", + "sha256": "b8fb8512af046215fe23d076d16414d669430c692eb57d16eba03ea13e2e03df", + "type": "eql", + "version": 3 + }, + "bfba5158-1fd6-4937-a205-77d96213b341": { + "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", + "sha256": "c3cf350e861be02338f712fd3772691bcefeb7f7d07e9718eec2fbc3476c707e", + "type": "machine_learning", + "version": 4 + }, + "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "68ed471fcd146543d06d0854313cc5aa6f1e0cd02ff5805bce530ea781ab8d55", + "sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f", "type": "eql", - "version": 213 - }, - "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { - "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579", - "type": "eql", - "version": 107 - }, - "c0429aa8-9974-42da-bfb6-53a0a515a145": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "46f5dedea1c425098d98714b5c270d6a19a1448ac58d30298bfc61ed75871e39", - "type": "eql", - "version": 210 - } - }, + "version": 113 + } + }, + "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", + "sha256": 
"68ed471fcd146543d06d0854313cc5aa6f1e0cd02ff5805bce530ea781ab8d55", + "type": "eql", + "version": 213 + }, + "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { + "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", + "sha256": "5443c5577d436ff7ea5d9802accfe2fff6ea50813a238c85ff0b60dc1a102579", + "type": "eql", + "version": 107 + }, + "c0429aa8-9974-42da-bfb6-53a0a515a145": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "22c604dcead155c536a23f4687ff4c4ff12c55e14328e455fe26c9d245f4db2f", + "sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210", "type": "eql", - "version": 310 - }, - "c0b9dc99-c696-4779-b086-0d37dc2b3778": { - "rule_name": "Memory Dump File with Unusual Extension", - "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", + "version": 110 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", + "sha256": "46f5dedea1c425098d98714b5c270d6a19a1448ac58d30298bfc61ed75871e39", "type": "eql", - "version": 2 - }, - "c0be5f31-e180-48ed-aa08-96b36899d48f": { - "rule_name": "Credential Manipulation - Detected - Elastic Endgame", - "sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3", - "type": "query", - "version": 103 - }, - "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", - "sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2", - "type": "query", - "version": 3 - } - }, + "version": 210 + } + }, + "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", + "sha256": "22c604dcead155c536a23f4687ff4c4ff12c55e14328e455fe26c9d245f4db2f", + "type": "eql", + "version": 
310 + }, + "c0b9dc99-c696-4779-b086-0d37dc2b3778": { + "rule_name": "Memory Dump File with Unusual Extension", + "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", + "type": "eql", + "version": 2 + }, + "c0be5f31-e180-48ed-aa08-96b36899d48f": { + "rule_name": "Credential Manipulation - Detected - Elastic Endgame", + "sha256": "5bcb1915b28b6a1282d3b512b13b559f6d0256da8db229d9210b4a03f2fe6af3", + "type": "query", + "version": 103 + }, + "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", - "sha256": "e35fdfd50d3dc2bb04494da7e86463de8df7262df4dc0e66fda0ce85c0784cb4", - "type": "query", - "version": 103 - }, - "c125e48f-6783-41f0-b100-c3bf1b114d16": { - "rule_name": "Suspicious Renaming of ESXI index.html File", - "sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa", - "type": "eql", - "version": 6 - }, - "c1812764-0788-470f-8e74-eb4a14d47573": { - "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63", + "sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2", "type": "query", - "version": 206 - }, - "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { - "rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance", - "sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc", - "type": "query", - "version": 2 - }, - "c20cd758-07b1-46a1-b03f-fa66158258b8": { - "rule_name": "Unsigned DLL Loaded by a Trusted Process", - "sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43", - "type": "eql", - "version": 102 - }, - "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { - "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", - "sha256": "7eaafe9a1859aea975f3a42c61875d9938e374647239d4b28ad396c47e79b439", - 
"type": "eql", "version": 3 - }, - "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "fbee6d2c06dbbfc87ca0b8695bd5b6d9f72acbb751ce228da8e4cb479b01d60f", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "75e92ba876a46ba416822bbfaaed256d7fa604ac8d9cdcaebf4485f15cd91632", - "type": "eql", - "version": 211 - } - }, + } + }, + "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", + "sha256": "e35fdfd50d3dc2bb04494da7e86463de8df7262df4dc0e66fda0ce85c0784cb4", + "type": "query", + "version": 103 + }, + "c125e48f-6783-41f0-b100-c3bf1b114d16": { + "rule_name": "Suspicious Renaming of ESXI index.html File", + "sha256": "5e8b6b9370d7f11367a4da3f7d0911702117a24814ab84a0bf12ae972ff4c2aa", + "type": "eql", + "version": 6 + }, + "c1812764-0788-470f-8e74-eb4a14d47573": { + "rule_name": "AWS EC2 Full Network Packet Capture Detected", + "sha256": "c3267472104e0888d5c9e55574ae19d07c39c00e8c6a76a01fc766fbb0689f63", + "type": "query", + "version": 206 + }, + "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { + "rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance", + "sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc", + "type": "query", + "version": 2 + }, + "c20cd758-07b1-46a1-b03f-fa66158258b8": { + "rule_name": "Unsigned DLL Loaded by a Trusted Process", + "sha256": "0b870b52c44ffcdcdcf7c0775290f7446486c04dc8890ea633df8c1ba33f8a43", + "type": "eql", + "version": 102 + }, + "c24e9a43-f67e-431d-991b-09cdb83b3c0c": { + "rule_name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", + "sha256": "7eaafe9a1859aea975f3a42c61875d9938e374647239d4b28ad396c47e79b439", + "type": "eql", + "version": 3 + }, + "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { + 
"min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "d1b1eaa85269233b3a193be5125618f608aa81a9ac5d7df0aa3e93169cc608b2", - "type": "eql", - "version": 311 - }, - "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { - "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "7d982bb13ae1a04e1debe5ea0265e3e5d576b25838f8bd13877d6c5a1b77a681", - "type": "machine_learning", - "version": 104 - }, - "c292fa52-4115-408a-b897-e14f684b3cb7": { - "rule_name": "Persistence via Folder Action Script", - "sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa", + "sha256": "fbee6d2c06dbbfc87ca0b8695bd5b6d9f72acbb751ce228da8e4cb479b01d60f", "type": "eql", - "version": 107 - }, - "c296f888-eac6-4543-8da5-b6abb0d3304f": { - "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", - "sha256": "ea98f3aeb649cfc57e8d9c4a04ecb8f4599dd683fc28415e8146ca925c02d14d", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Microsoft IIS Connection Strings Decryption", + "sha256": "75e92ba876a46ba416822bbfaaed256d7fa604ac8d9cdcaebf4485f15cd91632", "type": "eql", - "version": 2 - }, - "c2d90150-0133-451c-a783-533e736c12d7": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Mshta Making Network Connections", - "sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624", - "type": "eql", - "version": 108 - } - }, + "version": 211 + } + }, + "rule_name": "Microsoft IIS Connection Strings Decryption", + "sha256": "6d389db925ca6ff91bfe40b09dda0749379ddfca071421d7cd921cb6eda3b48c", + "type": "eql", + "version": 312 + }, + "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { + "rule_name": "Unusual Linux Network Connection Discovery", + "sha256": "7d982bb13ae1a04e1debe5ea0265e3e5d576b25838f8bd13877d6c5a1b77a681", + "type": "machine_learning", + "version": 104 + }, + 
"c292fa52-4115-408a-b897-e14f684b3cb7": { + "rule_name": "Persistence via Folder Action Script", + "sha256": "8249dd1544fa4a71d15bdd5d893422c51458d358b8c77ac350b3d7b9ad0d2cfa", + "type": "eql", + "version": 107 + }, + "c296f888-eac6-4543-8da5-b6abb0d3304f": { + "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", + "sha256": "ea98f3aeb649cfc57e8d9c4a04ecb8f4599dd683fc28415e8146ca925c02d14d", + "type": "eql", + "version": 2 + }, + "c2d90150-0133-451c-a783-533e736c12d7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Mshta Making Network Connections", - "sha256": "9f77b2b2eebd6e08c007e73536752a8651c85bccde0c72303282ccb671a8ed42", + "sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624", "type": "eql", - "version": 208 - }, - "c3167e1b-f73c-41be-b60b-87f4df707fe3": { - "rule_name": "Permission Theft - Detected - Elastic Endgame", - "sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5", - "type": "query", - "version": 103 - }, - "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": { - "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters", - "sha256": "c056bd0c7ba6094f8c2e3dab39e877cd912116a95831c04b4dcd657055f001cb", - "type": "new_terms", - "version": 2 - }, - "c3b915e0-22f3-4bf7-991d-b643513c722f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156", - "type": "eql", - "version": 107 - }, - "8.13": { - "max_allowable_version": 409, - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "3ee641a856aab0e4e1f23e3bb55717a5567eef2d8e52cd2264595fff36224273", - "type": "eql", - "version": 310 - } - }, + "version": 108 + } + }, + "rule_name": "Mshta Making Network Connections", + "sha256": "9f77b2b2eebd6e08c007e73536752a8651c85bccde0c72303282ccb671a8ed42", + "type": 
"eql", + "version": 208 + }, + "c3167e1b-f73c-41be-b60b-87f4df707fe3": { + "rule_name": "Permission Theft - Detected - Elastic Endgame", + "sha256": "bc09245f3bf048bc8d9e4f1ca381711fc8fa9d71f6533673b7f573f84061f6d5", + "type": "query", + "version": 103 + }, + "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc": { + "rule_name": "AWS SSM `SendCommand` with Run Shell Command Parameters", + "sha256": "0708e23a034fee01df470474eaa8c8f2f7a058631b83a0987e39af15bc538007", + "type": "new_terms", + "version": 3 + }, + "c3b915e0-22f3-4bf7-991d-b643513c722f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "84190df73efbeee30c435b862e6339cd80ea290b44deb8a5717118537039b954", + "sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87", "type": "eql", - "version": 410 - }, - "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { - "rule_name": "Potential JAVA/JNDI Exploitation Attempt", - "sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8", + "version": 108 + }, + "8.13": { + "max_allowable_version": 409, + "rule_name": "Persistence via BITS Job Notify Cmdline", + "sha256": "3ee641a856aab0e4e1f23e3bb55717a5567eef2d8e52cd2264595fff36224273", "type": "eql", - "version": 104 - }, - "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "050a77ee2d2b2c854c6320a07694f747e48b09086e2645e5e46e63cda03729f0", - "type": "eql", - "version": 210 - } - }, + "version": 310 + } + }, + "rule_name": "Persistence via BITS Job Notify Cmdline", + "sha256": 
"84190df73efbeee30c435b862e6339cd80ea290b44deb8a5717118537039b954", + "type": "eql", + "version": 410 + }, + "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { + "rule_name": "Potential JAVA/JNDI Exploitation Attempt", + "sha256": "0776cc8251cdbd9e2e2060a17b2300834a0ed4a49489a105abb3c0dd75b19cc8", + "type": "eql", + "version": 104 + }, + "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "dabff7aabb7d6e8170df73899c1190695b5d7a4b5a5a1e63a39b79e39ab5e189", + "sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e", "type": "eql", - "version": 310 - }, - "c4818812-d44f-47be-aaef-4cfb2f9cc799": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", - "type": "eql", - "version": 107 - }, - "8.13": { - "max_allowable_version": 306, - "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "8895e76598306332603174aa736fad580b191085cfa16e063a5e68dd62cfd102", - "type": "eql", - "version": 207 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Mounting Hidden or WebDav Remote Shares", + "sha256": "050a77ee2d2b2c854c6320a07694f747e48b09086e2645e5e46e63cda03729f0", + "type": "eql", + "version": 210 + } + }, + "rule_name": "Mounting Hidden or WebDav Remote Shares", + "sha256": "d8d527c314b2a860bfd447d4f890c361324c76dafb9094cb24b83ce8992a998c", + "type": "eql", + "version": 311 + }, + "c4818812-d44f-47be-aaef-4cfb2f9cc799": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "471171679c1f48fa93954b8787198a0094598e326a0f6c24ae1b22c07b40251d", + "sha256": 
"6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", "type": "eql", - "version": 307 - }, - "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { - "rule_name": "Windows System Network Connections Discovery", - "sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4", + "version": 107 + }, + "8.13": { + "max_allowable_version": 306, + "rule_name": "Suspicious Print Spooler File Deletion", + "sha256": "8895e76598306332603174aa736fad580b191085cfa16e063a5e68dd62cfd102", "type": "eql", - "version": 4 - }, - "c55badd3-3e61-4292-836f-56209dc8a601": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "Attempted Private Key Access", - "sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa", - "type": "eql", - "version": 6 - } - }, + "version": 207 + } + }, + "rule_name": "Suspicious Print Spooler File Deletion", + "sha256": "471171679c1f48fa93954b8787198a0094598e326a0f6c24ae1b22c07b40251d", + "type": "eql", + "version": 307 + }, + "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { + "rule_name": "Windows System Network Connections Discovery", + "sha256": "9f1ea7adcf3b05426387f5598da3b596e34f4fc1553a4ed33b48ec687a455ed4", + "type": "eql", + "version": 4 + }, + "c55badd3-3e61-4292-836f-56209dc8a601": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "Attempted Private Key Access", - "sha256": "a4672a225e05abdfbd91924298f689eb56da9ff55c0db55ca1f87d7ca8bdd3d9", + "sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa", "type": "eql", - "version": 106 - }, - "c5677997-f75b-4cda-b830-a75920514096": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "Service Path Modification via sc.exe", - "sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32", - "type": "eql", - "version": 6 - } - }, + "version": 6 + } + }, + "rule_name": "Attempted 
Private Key Access", + "sha256": "a4672a225e05abdfbd91924298f689eb56da9ff55c0db55ca1f87d7ca8bdd3d9", + "type": "eql", + "version": 106 + }, + "c5677997-f75b-4cda-b830-a75920514096": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "Service Path Modification via sc.exe", - "sha256": "68a44067c32fb88cc99fc0e545ddfb866037e9bc40ee5f130d2798f03f4e94aa", + "sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32", "type": "eql", - "version": 106 - }, - "c57f8579-e2a5-4804-847f-f2732edc5156": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "d7461fda5a82259331589a9df2a3a7f39630bc5f8e08c25f2190e7f8bfb1ae29", - "type": "eql", - "version": 209 - } - }, + "version": 6 + } + }, + "rule_name": "Service Path Modification via sc.exe", + "sha256": "68a44067c32fb88cc99fc0e545ddfb866037e9bc40ee5f130d2798f03f4e94aa", + "type": "eql", + "version": 106 + }, + "c57f8579-e2a5-4804-847f-f2732edc5156": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "9f78c640ad25e83eafe47ad5226ce12c169358048d03ffb119f9b94df969c3e5", + "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", "type": "eql", - "version": 309 - }, - "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { - "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276", - "type": "query", - "version": 104 - }, - "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - 
"max_allowable_version": 207, - "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", - "type": "eql", - "version": 108 - } - }, + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Potential Remote Desktop Shadowing Activity", + "sha256": "d7461fda5a82259331589a9df2a3a7f39630bc5f8e08c25f2190e7f8bfb1ae29", + "type": "eql", + "version": 209 + } + }, + "rule_name": "Potential Remote Desktop Shadowing Activity", + "sha256": "9f78c640ad25e83eafe47ad5226ce12c169358048d03ffb119f9b94df969c3e5", + "type": "eql", + "version": 309 + }, + "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { + "rule_name": "GCP Virtual Private Cloud Network Deletion", + "sha256": "7f47bc00b67f2997890fd47eff9350e23e6effea54914edcbb180c321a553276", + "type": "query", + "version": 104 + }, + "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "7c57916d4cbeb0fde51ef91819b1a5011019694b631ce8c734dd6aae5bede3c6", + "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", "type": "eql", - "version": 208 - }, - "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Installation of Custom Shim Databases", - "sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Installation of Custom Shim Databases", - "sha256": "71bfefdca279f32dd86cd0b316f2315947b2489ae20e1246bbe17df82f6004e9", - "type": "eql", - "version": 209 - } - }, + "version": 108 + } + }, + "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", + "sha256": 
"7c57916d4cbeb0fde51ef91819b1a5011019694b631ce8c734dd6aae5bede3c6", + "type": "eql", + "version": 208 + }, + "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Installation of Custom Shim Databases", - "sha256": "ae8bc9d069de44bffb8c71f3b18a9843bb54f74eec29f1e1cdd40651771676a0", - "type": "eql", - "version": 309 - }, - "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "234ab55015e205be9f494759489e7407d97a9587f61784858ec614d199b4599e", - "type": "eql", - "version": 211 - } - }, - "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "185ac449a44617bcfa39ab90ca28744f0bc370fcd6359903d33b33e69bed66a0", + "sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b", "type": "eql", - "version": 311 - }, - "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { - "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f", - "type": "query", - "version": 102 - }, - "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Remote File Download via MpCmdRun", - "sha256": "c2186669d5261bfa7c34dc39f93fc099d98e0e2e752839199476fe5c176ccc2c", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Remote File Download via MpCmdRun", - "sha256": "5ee5259c1f1e782f05ada777a136193574b44d4a693c38ad33781b6996a42ee3", - "type": "eql", - 
"version": 213 - } - }, - "rule_name": "Remote File Download via MpCmdRun", - "sha256": "5f609011258f8e17f2bb61d565df7a7138f61d3ab3491a6d0bcab5a0e33b1818", - "type": "eql", - "version": 313 - }, - "c6474c34-4953-447a-903e-9fcb7b6661aa": { - "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", - "sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c", - "type": "query", - "version": 100 - }, - "c6655282-6c79-11ef-bbb5-f661ea17fbcc": { - "min_stack_version": "8.13", - "rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source", - "sha256": "6ab179e3a47d3f25210c43b3d5af0d43eb7a3cac375c01c3181c75c095864ccb", - "type": "esql", - "version": 2 - }, - "c749e367-a069-4a73-b1f2-43a3798153ad": { - "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", - "type": "query", - "version": 207 - }, - "c74fd275-ab2c-4d49-8890-e2943fa65c09": { - "rule_name": "Attempt to Modify an Okta Application", - "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", - "type": "query", - "version": 206 - }, - "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { - "rule_name": "Egress Connection from Entrypoint in Container", - "sha256": "316a1006bad5109ad8ef036d4b8ba5142bcc0cd4822c7c4c0e3f4852e1860f20", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Installation of Custom Shim Databases", + "sha256": "71bfefdca279f32dd86cd0b316f2315947b2489ae20e1246bbe17df82f6004e9", "type": "eql", - "version": 1 - }, - "c7894234-7814-44c2-92a9-f7d851ea246a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Unusual Network Connection via DllHost", - "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", - "type": "eql", - "version": 107 - } - }, - "rule_name": "Unusual Network Connection via DllHost", - "sha256": 
"2ec487d2c8aa01cad9488f877c4a770ba69fb9065a728c79edf06e8c31aaf20f", + "version": 209 + } + }, + "rule_name": "Installation of Custom Shim Databases", + "sha256": "ae8bc9d069de44bffb8c71f3b18a9843bb54f74eec29f1e1cdd40651771676a0", + "type": "eql", + "version": 309 + }, + "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Microsoft Build Engine Started by an Office Application", + "sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281", "type": "eql", - "version": 207 - }, - "c7908cac-337a-4f38-b50d-5eeb78bdb531": { - "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "3220434ae7ebd56669033cb648bf9d422b8aec1fb59053d8472bcb7a69abf1a1", - "type": "query", - "version": 204 - }, - "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Unusual File Modification by dns.exe", - "sha256": "a52a50c6b43c02c95ace52b42924ca8e064e2f859b4d50fdba2866d47ac9d182", - "type": "eql", - "version": 111 - } - }, - "rule_name": "Unusual File Modification by dns.exe", - "sha256": "84418134bc5c4c6ecc1151adcb9fbc62839c51dd865a24dc270d5f1d3dc50363", + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Microsoft Build Engine Started by an Office Application", + "sha256": "234ab55015e205be9f494759489e7407d97a9587f61784858ec614d199b4599e", "type": "eql", "version": 211 - }, - "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { - "rule_name": "Spike in Network Traffic To a Country", - "sha256": "f4b60bfd164d4de31f46f95a825acf02d2de3a0105fbea2b689f27ab7e13639c", - "type": "machine_learning", - "version": 105 - }, - "c81cefcb-82b9-4408-a533-3c3df549e62d": { - "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37", - "type": "query", - "version": 107 - }, - 
"c82b2bd8-d701-420c-ba43-f11a155b681a": { - "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "801e97235c25019c80a78237b5ef98ff66883e7e236ae9ff293f74ec6ae09aad", - "type": "query", - "version": 104 - }, - "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { - "rule_name": "SMB Connections via LOLBin or Untrusted Process", - "sha256": "5d272b19dcb9cdb2beaf0e6124ebad3b1ecfd48dab9d60987f7ef8bc5bab5318", + } + }, + "rule_name": "Microsoft Build Engine Started by an Office Application", + "sha256": "e8f809976fd19dc1921f285ff28a22407baf1aac6f21a7d4d2b1377a3770de14", + "type": "eql", + "version": 312 + }, + "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { + "rule_name": "CyberArk Privileged Access Security Recommended Monitor", + "sha256": "13f4c23dbe61be7af51b9b4e4a27b192c9305f1caa67119f4ea89ac89792737f", + "type": "query", + "version": 102 + }, + "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "Remote File Download via MpCmdRun", + "sha256": "c2186669d5261bfa7c34dc39f93fc099d98e0e2e752839199476fe5c176ccc2c", "type": "eql", - "version": 112 - }, - "c85eb82c-d2c8-485c-a36f-534f914b7663": { - "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827", + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Remote File Download via MpCmdRun", + "sha256": "5ee5259c1f1e782f05ada777a136193574b44d4a693c38ad33781b6996a42ee3", "type": "eql", - "version": 105 - }, - "c87fca17-b3a9-4e83-b545-f30746c53920": { - "rule_name": "Nmap Process Activity", - "sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d", - "type": "query", - "version": 100 - }, - "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { - "rule_name": "Parent Process PID Spoofing", - "sha256": "b829c4a07bfb5c509b1c4bd6241656300dcb169905e9882e8e5c905f621f03d4", + "version": 213 + } + }, + 
"rule_name": "Remote File Download via MpCmdRun", + "sha256": "a8f43c737d22256ef316daf60178182defb4bff24396c497fb6d3b777514ab10", + "type": "eql", + "version": 314 + }, + "c6474c34-4953-447a-903e-9fcb7b6661aa": { + "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", + "sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c", + "type": "query", + "version": 100 + }, + "c6655282-6c79-11ef-bbb5-f661ea17fbcc": { + "min_stack_version": "8.13", + "rule_name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source", + "sha256": "6ab179e3a47d3f25210c43b3d5af0d43eb7a3cac375c01c3181c75c095864ccb", + "type": "esql", + "version": 2 + }, + "c749e367-a069-4a73-b1f2-43a3798153ad": { + "rule_name": "Attempt to Delete an Okta Network Zone", + "sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9", + "type": "query", + "version": 208 + }, + "c74fd275-ab2c-4d49-8890-e2943fa65c09": { + "rule_name": "Attempt to Modify an Okta Application", + "sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010", + "type": "query", + "version": 207 + }, + "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { + "rule_name": "Egress Connection from Entrypoint in Container", + "sha256": "316a1006bad5109ad8ef036d4b8ba5142bcc0cd4822c7c4c0e3f4852e1860f20", + "type": "eql", + "version": 1 + }, + "c7894234-7814-44c2-92a9-f7d851ea246a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, + "rule_name": "Unusual Network Connection via DllHost", + "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", "type": "eql", "version": 107 - }, - "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { - "rule_name": "Potential Linux Ransomware Note Creation Detected", - "sha256": "beed8f315f35277cafc2f3c69e1efaa6dbb44c60c2a4898cb869bbccef4035c9", + } + }, + "rule_name": "Unusual Network Connection via DllHost", + "sha256": 
"2ec487d2c8aa01cad9488f877c4a770ba69fb9065a728c79edf06e8c31aaf20f", + "type": "eql", + "version": 207 + }, + "c7908cac-337a-4f38-b50d-5eeb78bdb531": { + "rule_name": "Kubernetes Privileged Pod Created", + "sha256": "3220434ae7ebd56669033cb648bf9d422b8aec1fb59053d8472bcb7a69abf1a1", + "type": "query", + "version": 204 + }, + "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Unusual File Modification by dns.exe", + "sha256": "a52a50c6b43c02c95ace52b42924ca8e064e2f859b4d50fdba2866d47ac9d182", "type": "eql", - "version": 10 - }, - "c8b150f0-0164-475b-a75e-74b47800a9ff": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "d67260cfe20ef2ee8eb9e8acf13d36352e2608a38716e5270b57bd531fec9191", - "type": "eql", - "version": 213 - } - }, + "version": 111 + } + }, + "rule_name": "Unusual File Modification by dns.exe", + "sha256": "84418134bc5c4c6ecc1151adcb9fbc62839c51dd865a24dc270d5f1d3dc50363", + "type": "eql", + "version": 211 + }, + "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { + "rule_name": "Spike in Network Traffic To a Country", + "sha256": "f4b60bfd164d4de31f46f95a825acf02d2de3a0105fbea2b689f27ab7e13639c", + "type": "machine_learning", + "version": 105 + }, + "c81cefcb-82b9-4408-a533-3c3df549e62d": { + "rule_name": "Persistence via Docker Shortcut Modification", + "sha256": "8e087bd16e3f663e5c0dd49d81cd2d8d302ffeabec5dc9bc31693752e7e6ed37", + "type": "query", + "version": 107 + }, + "c82b2bd8-d701-420c-ba43-f11a155b681a": { + "rule_name": "SMB (Windows File Sharing) Activity to the Internet", + "sha256": 
"801e97235c25019c80a78237b5ef98ff66883e7e236ae9ff293f74ec6ae09aad", + "type": "query", + "version": 104 + }, + "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { + "rule_name": "SMB Connections via LOLBin or Untrusted Process", + "sha256": "5d272b19dcb9cdb2beaf0e6124ebad3b1ecfd48dab9d60987f7ef8bc5bab5318", + "type": "eql", + "version": 112 + }, + "c85eb82c-d2c8-485c-a36f-534f914b7663": { + "rule_name": "Virtual Machine Fingerprinting via Grep", + "sha256": "a8a7e92874d6888c32575ca236fb263ec128596d8a4d510a265b8fad36cb1827", + "type": "eql", + "version": 105 + }, + "c87fca17-b3a9-4e83-b545-f30746c53920": { + "rule_name": "Nmap Process Activity", + "sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d", + "type": "query", + "version": 100 + }, + "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { + "rule_name": "Parent Process PID Spoofing", + "sha256": "b829c4a07bfb5c509b1c4bd6241656300dcb169905e9882e8e5c905f621f03d4", + "type": "eql", + "version": 107 + }, + "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { + "rule_name": "Potential Linux Ransomware Note Creation Detected", + "sha256": "beed8f315f35277cafc2f3c69e1efaa6dbb44c60c2a4898cb869bbccef4035c9", + "type": "eql", + "version": 10 + }, + "c8b150f0-0164-475b-a75e-74b47800a9ff": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "d560617a0b7c26d4a8f02dc76d6e3f106206eddf439a88ea24de0dc33126e896", + "sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78", "type": "eql", - "version": 313 - }, - "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Disabling 
Windows Defender Security Settings via PowerShell", - "sha256": "d5e6366373a4f2a5a6d949519a1a95eb5bb692aeee5d81396c80291f549e176d", - "type": "eql", - "version": 212 - } - }, - "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "291a964b6de01ca5f0dec6394722c383f8c6f30b742ba35271d0a415e4d88ff1", - "type": "eql", - "version": 312 - }, - "c9482bfa-a553-4226-8ea2-4959bd4f7923": { - "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "de1eb0970073590a08bf755681e729281d7d797a171493a9134023136554d391", - "type": "eql", - "version": 6 - }, - "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { - "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", - "sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3", - "type": "query", - "version": 103 - }, - "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { - "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", - "type": "query", - "version": 206 - }, - "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { - "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", - "sha256": "0f0023fc74fadd22887ee74c13f93f0c5174f8b66d140965587e4972eb2d3647", - "type": "eql", - "version": 9 - }, - "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { - "rule_name": "Auditd Login from Forbidden Location", - "sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed", - "type": "query", - "version": 100 - }, - "cac91072-d165-11ec-a764-f661ea17fbce": { - "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "a8cbba8e757bacc0d4a491555d42b7d66a7d1eec1394da1a8f1cddfd82cf5bb9", - "type": "new_terms", - "version": 214 - }, - "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { - "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "9cb65197a2a807ee18542e7b91472f606e5474f4bddf8b96b4ae78bf72a1a3d0", - "type": "query", - "version": 208 - }, - 
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { - "rule_name": "Suspicious Calendar File Modification", - "sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da", - "type": "query", - "version": 106 - }, - "cc16f774-59f9-462d-8b98-d27ccd4519ec": { - "rule_name": "Process Discovery via Tasklist", - "sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3", - "type": "query", - "version": 100 - }, - "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { - "rule_name": "Attempt to Enable the Root Account", - "sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d", - "type": "query", - "version": 106 - }, - "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { - "min_stack_version": "8.13", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Multiple Okta Client Addresses for a Single User Session", - "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5", - "type": "threshold", - "version": 2 - } - }, - "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", - "type": "esql", - "version": 104 - }, - "cc653d77-ddd2-45b1-9197-c75ad19df66c": { - "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", - "sha256": "332626f80c0a809547d1b86248b4ac5acc33ad7dd090fb4c94596b699126f751", - "type": "machine_learning", - "version": 4 - }, - "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { - "rule_name": "Google Workspace User Organizational Unit Changed", - "sha256": "8457814fe9b8ebb61a453ee3027bcd060740b1a39f87c180f5897bf3d8fbc861", - "type": "query", - "version": 107 - }, - "cc89312d-6f47-48e4-a87c-4977bd4633c3": { - "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408", - "type": "query", - "version": 104 - }, - "cc92c835-da92-45c9-9f29-b4992ad621a0": { - "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": 
"55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", - "type": "query", - "version": 208 - }, - "ccc55af4-9882-4c67-87b4-449a7ae8079c": { - "rule_name": "Potential Process Herpaderping Attempt", - "sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2", - "type": "eql", - "version": 105 - }, - "cd16fb10-0261-46e8-9932-a0336278cdbe": { - "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", - "type": "query", - "version": 207 - }, - "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { - "rule_name": "Socat Process Activity", - "sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25", - "type": "query", - "version": 100 - }, - "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { - "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "71e437f699c5d256f96075db61c66ace40b1ed47dd875360db1c99de905bff79", - "type": "machine_learning", - "version": 104 - }, - "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { - "rule_name": "Kernel Module Removal", - "sha256": "4899db29eec2e7c875e0f09ddbaf04bd8c73d3e360259279916f0e08c135ecb7", + "version": 114 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Suspicious Startup Shell Folder Modification", + "sha256": "d67260cfe20ef2ee8eb9e8acf13d36352e2608a38716e5270b57bd531fec9191", "type": "eql", - "version": 110 - }, - "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { - "rule_name": "Downloaded URL Files", - "sha256": "96627951c8f79991a7e7ad2d73372aa5abe51ca5b57851c08dd650ab77f12760", + "version": 213 + } + }, + "rule_name": "Suspicious Startup Shell Folder Modification", + "sha256": "d560617a0b7c26d4a8f02dc76d6e3f106206eddf439a88ea24de0dc33126e896", + "type": "eql", + "version": 313 + }, + "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, + "rule_name": "Disabling Windows Defender Security Settings via 
PowerShell", + "sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f", "type": "eql", - "version": 3 - }, - "cd89602e-9db0-48e3-9391-ae3bf241acd8": { - "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", + "version": 113 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Disabling Windows Defender Security Settings via PowerShell", + "sha256": "d5e6366373a4f2a5a6d949519a1a95eb5bb692aeee5d81396c80291f549e176d", "type": "eql", - "version": 209 - }, - "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { - "rule_name": "Okta User Session Impersonation", - "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", + "version": 212 + } + }, + "rule_name": "Disabling Windows Defender Security Settings via PowerShell", + "sha256": "83f572dcc38a77f73655b953ffcf03ce0b0b5d017a8528b7163012096212f4f7", + "type": "eql", + "version": 313 + }, + "c9482bfa-a553-4226-8ea2-4959bd4f7923": { + "rule_name": "Potential Masquerading as Communication Apps", + "sha256": "de1eb0970073590a08bf755681e729281d7d797a171493a9134023136554d391", + "type": "eql", + "version": 6 + }, + "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { + "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", + "sha256": "0c167eb4f05fabb720f52a987923b25796c8f0a3bffbd753aa699a1c8a8e26b3", + "type": "query", + "version": 103 + }, + "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { + "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "sha256": "35f6d54b3e3c26169e00e55122b6e68ac8018946a2b9dd31d26fdb36faa90d82", + "type": "query", + "version": 206 + }, + "ca98c7cf-a56e-4057-a4e8-39603f7f0389": { + "rule_name": "Unsigned DLL Side-Loading from a Suspicious Folder", + "sha256": "0f0023fc74fadd22887ee74c13f93f0c5174f8b66d140965587e4972eb2d3647", + "type": "eql", + "version": 9 + }, + "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { + "rule_name": "Auditd Login from 
Forbidden Location", + "sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed", + "type": "query", + "version": 100 + }, + "cac91072-d165-11ec-a764-f661ea17fbce": { + "rule_name": "Abnormal Process ID or Lock File Created", + "sha256": "a8cbba8e757bacc0d4a491555d42b7d66a7d1eec1394da1a8f1cddfd82cf5bb9", + "type": "new_terms", + "version": 214 + }, + "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { + "rule_name": "Google Workspace MFA Enforcement Disabled", + "sha256": "9cb65197a2a807ee18542e7b91472f606e5474f4bddf8b96b4ae78bf72a1a3d0", + "type": "query", + "version": 208 + }, + "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { + "rule_name": "Suspicious Calendar File Modification", + "sha256": "662489a94a180344e4b3e1c2aa679d4fe1ec51f91387a216835b0e11a14db9da", + "type": "query", + "version": 106 + }, + "cc16f774-59f9-462d-8b98-d27ccd4519ec": { + "rule_name": "Process Discovery via Tasklist", + "sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3", + "type": "query", + "version": 100 + }, + "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { + "rule_name": "Attempt to Enable the Root Account", + "sha256": "c2c3f92e6fb953e4f0338ffe25751df1ae713c9f7e8460ce2addfd9d8bf8e59d", + "type": "query", + "version": 106 + }, + "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { + "min_stack_version": "8.13", + "previous": { + "8.11": { + "max_allowable_version": 101, + "rule_name": "Multiple Okta Client Addresses for a Single User Session", + "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5", + "type": "threshold", + "version": 2 + } + }, + "rule_name": "Multiple Device Token Hashes for Single Okta Session", + "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "type": "esql", + "version": 104 + }, + "cc653d77-ddd2-45b1-9197-c75ad19df66c": { + "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", + "sha256": "332626f80c0a809547d1b86248b4ac5acc33ad7dd090fb4c94596b699126f751", + "type": 
"machine_learning", + "version": 4 + }, + "cc6a8a20-2df2-11ed-8378-f661ea17fbce": { + "rule_name": "Google Workspace User Organizational Unit Changed", + "sha256": "8457814fe9b8ebb61a453ee3027bcd060740b1a39f87c180f5897bf3d8fbc861", + "type": "query", + "version": 107 + }, + "cc89312d-6f47-48e4-a87c-4977bd4633c3": { + "rule_name": "GCP Pub/Sub Subscription Deletion", + "sha256": "be76246406041025864af7eeea3c9600ab406bf778763b00a6ea6e6489240408", + "type": "query", + "version": 104 + }, + "cc92c835-da92-45c9-9f29-b4992ad621a0": { + "rule_name": "Attempt to Deactivate an Okta Policy Rule", + "sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e", + "type": "query", + "version": 209 + }, + "ccc55af4-9882-4c67-87b4-449a7ae8079c": { + "rule_name": "Potential Process Herpaderping Attempt", + "sha256": "7358d900c0332bbc2ea6bd00db02a9d7ce7199fcbd5ffea5cce60caf11cc99c2", + "type": "eql", + "version": 105 + }, + "cd16fb10-0261-46e8-9932-a0336278cdbe": { + "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", + "sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4", + "type": "query", + "version": 208 + }, + "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { + "rule_name": "Socat Process Activity", + "sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25", + "type": "query", + "version": 100 + }, + "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { + "rule_name": "Anomalous Linux Compiler Activity", + "sha256": "71e437f699c5d256f96075db61c66ace40b1ed47dd875360db1c99de905bff79", + "type": "machine_learning", + "version": 104 + }, + "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { + "rule_name": "Kernel Module Removal", + "sha256": "4899db29eec2e7c875e0f09ddbaf04bd8c73d3e360259279916f0e08c135ecb7", + "type": "eql", + "version": 110 + }, + "cd82e3d6-1346-4afd-8f22-38388bbf34cb": { + "rule_name": "Downloaded URL Files", + "sha256": "96627951c8f79991a7e7ad2d73372aa5abe51ca5b57851c08dd650ab77f12760", + "type": "eql", + 
"version": 3 + }, + "cd89602e-9db0-48e3-9391-ae3bf241acd8": { + "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", + "sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857", + "type": "eql", + "version": 210 + }, + "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { + "rule_name": "Okta User Session Impersonation", + "sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4", + "type": "query", + "version": 209 + }, + "cde1bafa-9f01-4f43-a872-605b678968b0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 110, + "rule_name": "Potential PowerShell HackTool Script by Function Names", + "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", "type": "query", - "version": 208 - }, - "cde1bafa-9f01-4f43-a872-605b678968b0": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 110, - "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", - "type": "query", - "version": 11 - }, - "8.12": { - "max_allowable_version": 212, - "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b", - "type": "query", - "version": 113 - } - }, + "version": 11 + }, + "8.12": { + "max_allowable_version": 212, "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "6262fc93d9b9ad2723c123c69d5d878e62bdec2dc156698f9ad18a818677df0c", + "sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b", "type": "query", - "version": 213 - }, - "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { - "rule_name": "Shadow File Modification", - "sha256": "ab59547a675e69ef560b0060dc95a158b1e98d40da959d1e6102a4474c39afbe", - "type": "eql", - "version": 2 - }, - "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { - "rule_name": "First Occurrence GitHub 
Event for a Personal Access Token (PAT)", - "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca", - "type": "new_terms", - "version": 1 - }, - "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "3124a4ec07d5162829476ceebb62530a7ed736152f13b37c55791b32ecf351b4", - "type": "eql", - "version": 210 - } - }, + "version": 113 + } + }, + "rule_name": "Potential PowerShell HackTool Script by Function Names", + "sha256": "6262fc93d9b9ad2723c123c69d5d878e62bdec2dc156698f9ad18a818677df0c", + "type": "query", + "version": 213 + }, + "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { + "rule_name": "Shadow File Modification", + "sha256": "ab59547a675e69ef560b0060dc95a158b1e98d40da959d1e6102a4474c39afbe", + "type": "eql", + "version": 2 + }, + "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { + "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", + "sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14", + "type": "new_terms", + "version": 2 + }, + "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "a0d2d3fc3a0d36e2c8a85457519340a7f9b1f5d9d02f25ddfe2d2dd8140f26a6", + "sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65", "type": "eql", - "version": 310 - }, - "cf53f532-9cc9-445a-9ae7-fced307ec53c": { - "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", - "type": "query", - 
"version": 105 - }, - "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { - "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "f9935260008893683196e7baade711c8c71a9faf9ece159608690d70c3a3e57c", - "type": "query", - "version": 206 - }, - "cf575427-0839-4c69-a9e6-99fde02606f3": { - "rule_name": "Unusual Discovery Activity by User", - "sha256": "dafdfd21513074cd259693095b1481af24714117026e81c38a454cfa19780230", - "type": "new_terms", - "version": 2 - }, - "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { - "rule_name": "Trap Signals Execution", - "sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4", + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", + "sha256": "3124a4ec07d5162829476ceebb62530a7ed736152f13b37c55791b32ecf351b4", "type": "eql", - "version": 2 - }, - "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "bb4695e9b2608cae2d13b3bd01ab45072258c75394dfc44f816bf2516ec760d7", - "type": "eql", - "version": 214 - } - }, + "version": 210 + } + }, + "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", + "sha256": "306a951d4400b5b1612097ba11a9eeaaa71e1d40a54b3f80d5a82ad3660c4b84", + "type": "eql", + "version": 311 + }, + "cf53f532-9cc9-445a-9ae7-fced307ec53c": { + "rule_name": "Cobalt Strike Command and Control Beacon", + "sha256": "ddb4b9d7e2f95d26c85ab37fb9696c58aa1f937e5f4788214b8711b988206967", + "type": "query", + "version": 105 + }, + "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { + "rule_name": "Domain Added to Google Workspace Trusted Domains", + 
"sha256": "f9935260008893683196e7baade711c8c71a9faf9ece159608690d70c3a3e57c", + "type": "query", + "version": 206 + }, + "cf575427-0839-4c69-a9e6-99fde02606f3": { + "rule_name": "Unusual Discovery Activity by User", + "sha256": "dafdfd21513074cd259693095b1481af24714117026e81c38a454cfa19780230", + "type": "new_terms", + "version": 2 + }, + "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { + "rule_name": "Trap Signals Execution", + "sha256": "1a696ba4be544120eb0807e5df6957584e991663b97f6a7176337094b9cd85b4", + "type": "eql", + "version": 2 + }, + "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "c89e2ffe082dc78f5ead10fa743f39ea35e1333b8a50a74298ef5d9b66ff1397", - "type": "eql", - "version": 314 - }, - "cffbaf47-9391-4e09-a83c-1f27d7474826": { - "rule_name": "Archive File with Unusual Extension", - "sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3", + "sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe", "type": "eql", - "version": 2 - }, - "d00f33e7-b57d-4023-9952-2db91b1767c4": { - "rule_name": "Namespace Manipulation Using Unshare", - "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", + "version": 114 + }, + "8.13": { + "max_allowable_version": 313, + "rule_name": "Execution from Unusual Directory - Command Line", + "sha256": "bb4695e9b2608cae2d13b3bd01ab45072258c75394dfc44f816bf2516ec760d7", "type": "eql", - "version": 9 - }, - "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { - "rule_name": "AWS Credentials Searched For Inside A Container", - "sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e", + "version": 214 + } + }, + "rule_name": "Execution from Unusual Directory - Command Line", + "sha256": "c89e2ffe082dc78f5ead10fa743f39ea35e1333b8a50a74298ef5d9b66ff1397", + "type": "eql", + "version": 314 + }, + 
"cffbaf47-9391-4e09-a83c-1f27d7474826": { + "rule_name": "Archive File with Unusual Extension", + "sha256": "18c93a2cdc51a8d42ddeac46edeabbdc0d991b52e2dd4e74054eba59583adee3", + "type": "eql", + "version": 2 + }, + "d00f33e7-b57d-4023-9952-2db91b1767c4": { + "rule_name": "Namespace Manipulation Using Unshare", + "sha256": "258bf65e5da42c0bef720f575c963343ace055871316f6bba6ec31b60869c06e", + "type": "eql", + "version": 9 + }, + "d0b0f3ed-0b37-44bf-adee-e8cb7de92767": { + "rule_name": "AWS Credentials Searched For Inside A Container", + "sha256": "27918dd9cf339832d9efc37e0b589ce887eae09959450ae8a4297df5ba0f040e", + "type": "eql", + "version": 1 + }, + "d0e159cf-73e9-40d1-a9ed-077e3158a855": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Registry Persistence via AppInit DLL", + "sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35", "type": "eql", - "version": 1 - }, - "d0e159cf-73e9-40d1-a9ed-077e3158a855": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "a6887e5edda607f541eedcf84f05242bf6d66840c91d08ea1cf84fc80283fa70", - "type": "eql", - "version": 211 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "fe172ebb9b9cc09ac3418473f8bbbe1fd438fc8c7f5e2711984cb8c781070f18", + "sha256": "a6887e5edda607f541eedcf84f05242bf6d66840c91d08ea1cf84fc80283fa70", "type": "eql", - "version": 311 - }, - "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Symbolic Link to Shadow Copy Created", - 
"sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "37145c723b473d65d0bb500dc4e602e9be53c701bebccba958554a5992032cba", - "type": "eql", - "version": 212 - } - }, + "version": 211 + } + }, + "rule_name": "Registry Persistence via AppInit DLL", + "sha256": "fe172ebb9b9cc09ac3418473f8bbbe1fd438fc8c7f5e2711984cb8c781070f18", + "type": "eql", + "version": 311 + }, + "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "0032ac5971625bf82af8edbd4867f0bcd1904f0bcfaabec7e8fea3f149f96ea1", - "type": "eql", - "version": 312 - }, - "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { - "rule_name": "Expired or Revoked Driver Loaded", - "sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2", + "sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20", "type": "eql", - "version": 5 - }, - "d197478e-39f0-4347-a22f-ba654718b148": { - "rule_name": "Compression DLL Loaded by Unusual Process", - "sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce", + "version": 113 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Symbolic Link to Shadow Copy Created", + "sha256": "37145c723b473d65d0bb500dc4e602e9be53c701bebccba958554a5992032cba", "type": "eql", - "version": 3 - }, - "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { - "rule_name": "AWS EC2 Instance Console Login via Assumed Role", - "sha256": "16a5255bebd2dbea413bcd674ddbbe9fc7c0e8a6c372b513b9a452bba2274d8a", + "version": 212 + } + }, + "rule_name": "Symbolic Link to Shadow Copy Created", + "sha256": "3034865be9da254728b4d1468ec5c2ffa3dfc305f180a77e47c5b69a916508fa", + "type": "eql", + "version": 313 + }, + "d12bac54-ab2a-4159-933f-d7bcefa7b61d": { + 
"rule_name": "Expired or Revoked Driver Loaded", + "sha256": "ea840a544f731bf59d6e9ef5ab6773395bd85b0b68618e2116a391972ab21fa2", + "type": "eql", + "version": 5 + }, + "d197478e-39f0-4347-a22f-ba654718b148": { + "rule_name": "Compression DLL Loaded by Unusual Process", + "sha256": "e50bbd58e226d8bbd59de277de10019d3228aabae3308cc310c43c5f89b1c0ce", + "type": "eql", + "version": 3 + }, + "d1e5e410-3e34-412e-9b1f-dd500b3b55cd": { + "rule_name": "AWS EC2 Instance Console Login via Assumed Role", + "sha256": "16a5255bebd2dbea413bcd674ddbbe9fc7c0e8a6c372b513b9a452bba2274d8a", + "type": "eql", + "version": 1 + }, + "d2053495-8fe7-4168-b3df-dad844046be3": { + "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", + "sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6", + "type": "query", + "version": 100 + }, + "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { + "rule_name": "Potential Microsoft Office Sandbox Evasion", + "sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2", + "type": "query", + "version": 106 + }, + "d31f183a-e5b1-451b-8534-ba62bca0b404": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, + "rule_name": "Disabling User Account Control via Registry Modification", + "sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7", "type": "eql", - "version": 1 - }, - "d2053495-8fe7-4168-b3df-dad844046be3": { - "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", - "sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6", - "type": "query", - "version": 100 - }, - "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { - "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "60d547919df01902f6d9894993e128a708f3086fe89e9058b7ff57338d0a5fa2", - "type": "query", - "version": 106 - }, - "d31f183a-e5b1-451b-8534-ba62bca0b404": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - 
"rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "b4d0f51e31276b87a2d2f365694f02f3826550163ef41d500b69e5a188479123", - "type": "eql", - "version": 212 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "daa4ee75ef9d319d9fe60c708f314fa2358cc48334270374e0b5c8222d5352ab", + "sha256": "b4d0f51e31276b87a2d2f365694f02f3826550163ef41d500b69e5a188479123", "type": "eql", - "version": 312 - }, - "d331bbe2-6db4-4941-80a5-8270db72eb61": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Clearing Windows Event Logs", - "sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Clearing Windows Event Logs", - "sha256": "6d45b9b9acf8b31cca0f0c7d70ffd9e42c69b4f9ddbc0db1fa912fc154bf735a", - "type": "eql", - "version": 214 - } - }, + "version": 212 + } + }, + "rule_name": "Disabling User Account Control via Registry Modification", + "sha256": "daa4ee75ef9d319d9fe60c708f314fa2358cc48334270374e0b5c8222d5352ab", + "type": "eql", + "version": 312 + }, + "d331bbe2-6db4-4941-80a5-8270db72eb61": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "Clearing Windows Event Logs", - "sha256": "da7c92b63bc775ac8b930332bb11d8661f9d350626a051f351b38097dba4692e", - "type": "eql", - "version": 314 - }, - "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Remote Windows Service Installed", - "sha256": 
"d3d7e72381e6345a67cffab43f821b026927d01ad097fa644718316d8b841386", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Remote Windows Service Installed", - "sha256": "7483da5c5a66152f79d48484ff586847c93f9cd9f44c51048e4dcdfbbf18bc12", - "type": "eql", - "version": 107 - }, - "d3551433-782f-4e22-bbea-c816af2d41c6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "WMI WBEMTEST Utility Execution", - "sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766", - "type": "eql", - "version": 4 - } - }, - "rule_name": "WMI WBEMTEST Utility Execution", - "sha256": "5f491cb250197e96f8b04303127d25ac73bfa4d6a8c4f391c9557212b28adb50", - "type": "eql", - "version": 104 - }, - "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { - "rule_name": "Shell Execution via Apple Scripting", - "sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd", - "type": "eql", - "version": 107 - }, - "d488f026-7907-4f56-ad51-742feb3db01c": { - "rule_name": "AWS S3 Bucket Replicated to Another Account", - "sha256": "fc10d87ef74b91aafdf6f789f6c0f7602e2a1f222d20a3433c18424042268f55", + "sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548", "type": "eql", - "version": 1 - }, - "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { - "rule_name": "Attempt to Delete an Okta Application", - "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", - "type": "query", - "version": 206 - }, - "d49cc73f-7a16-4def-89ce-9fc7127d7820": { - "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7", - "type": "query", - "version": 102 - }, - "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { - "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "a740cf8d2af1163a0caf8571d1fa427c9ffbb89c38d76d67e0c2b0c96f6a6eec", - "type": "machine_learning", - "version": 104 - }, - 
"d4b73fa0-9d43-465e-b8bf-50230da6718b": { - "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "52036d5d366833aa7013ae971eb5ed3ed41df8bea6cf821f0e49dbd0a551fa1d", - "type": "machine_learning", - "version": 104 - }, - "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { - "rule_name": "Linux init (PID 1) Secret Dump via GDB", - "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", + "version": 114 + }, + "8.13": { + "max_allowable_version": 313, + "rule_name": "Clearing Windows Event Logs", + "sha256": "6d45b9b9acf8b31cca0f0c7d70ffd9e42c69b4f9ddbc0db1fa912fc154bf735a", "type": "eql", - "version": 6 - }, - "d55436a8-719c-445f-92c4-c113ff2f9ba5": { - "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", - "sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924", + "version": 214 + } + }, + "rule_name": "Clearing Windows Event Logs", + "sha256": "10c1f03793fcb8bad9555616905d87289a0f11c3a96622a566e66223f9df88a3", + "type": "eql", + "version": 315 + }, + "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, + "rule_name": "Remote Windows Service Installed", + "sha256": "d3d7e72381e6345a67cffab43f821b026927d01ad097fa644718316d8b841386", "type": "eql", - "version": 5 - }, - "d55abdfb-5384-402b-add4-6c401501b0c3": { - "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", - "sha256": "f6afb5d7d43edf7f2bb60691606cbc408d2e5790f4939177bdf5b9822c465fff", + "version": 7 + } + }, + "rule_name": "Remote Windows Service Installed", + "sha256": "7483da5c5a66152f79d48484ff586847c93f9cd9f44c51048e4dcdfbbf18bc12", + "type": "eql", + "version": 107 + }, + "d3551433-782f-4e22-bbea-c816af2d41c6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "WMI WBEMTEST Utility Execution", + "sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766", 
"type": "eql", - "version": 3 - }, - "d563aaba-2e72-462b-8658-3e5ea22db3a6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "ccd6f0e1dc7444cd01f7f1273379600f001c8ba2608cd8c1e4744f5de3f677a1", - "type": "eql", - "version": 208 - } - }, + "version": 4 + } + }, + "rule_name": "WMI WBEMTEST Utility Execution", + "sha256": "5f491cb250197e96f8b04303127d25ac73bfa4d6a8c4f391c9557212b28adb50", + "type": "eql", + "version": 104 + }, + "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { + "rule_name": "Shell Execution via Apple Scripting", + "sha256": "71aae69ea3a3fbd1d8e627c5d0fd9b6f7a01313216ddf8c23df060835c0864fd", + "type": "eql", + "version": 107 + }, + "d488f026-7907-4f56-ad51-742feb3db01c": { + "rule_name": "AWS S3 Bucket Replicated to Another Account", + "sha256": "fc10d87ef74b91aafdf6f789f6c0f7602e2a1f222d20a3433c18424042268f55", + "type": "eql", + "version": 1 + }, + "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { + "rule_name": "Attempt to Delete an Okta Application", + "sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d", + "type": "query", + "version": 207 + }, + "d49cc73f-7a16-4def-89ce-9fc7127d7820": { + "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", + "sha256": "f10cb94a414e6983ebdaa36e5c4a332a76a4d06134043937967fdf2e2faa2cc7", + "type": "query", + "version": 102 + }, + "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { + "rule_name": "Unusual Linux System Information Discovery Activity", + "sha256": "a740cf8d2af1163a0caf8571d1fa427c9ffbb89c38d76d67e0c2b0c96f6a6eec", + "type": "machine_learning", + "version": 104 + }, + "d4b73fa0-9d43-465e-b8bf-50230da6718b": { + "rule_name": 
"Unusual Source IP for a User to Logon from", + "sha256": "52036d5d366833aa7013ae971eb5ed3ed41df8bea6cf821f0e49dbd0a551fa1d", + "type": "machine_learning", + "version": 104 + }, + "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { + "rule_name": "Linux init (PID 1) Secret Dump via GDB", + "sha256": "809e2c52ca587a80879385c7226866c574d86e366a6787b0b1e8df77a8763e06", + "type": "eql", + "version": 6 + }, + "d55436a8-719c-445f-92c4-c113ff2f9ba5": { + "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", + "sha256": "4408eb01f3714ecf0f5cee312dafd363a2fbbc4a368846ab78b257fdcfef9924", + "type": "eql", + "version": 5 + }, + "d55abdfb-5384-402b-add4-6c401501b0c3": { + "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", + "sha256": "f6afb5d7d43edf7f2bb60691606cbc408d2e5790f4939177bdf5b9822c465fff", + "type": "eql", + "version": 3 + }, + "d563aaba-2e72-462b-8658-3e5ea22db3a6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "b882bc3921a13712f0db559c292b13772f12aaeb5673711e227685ccad9e7c56", + "sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625", "type": "eql", - "version": 308 - }, - "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { - "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", - "type": "query", - "version": 207 - }, - "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Service Command Lateral Movement", - "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", - "type": "eql", - "version": 107 - } - }, - "rule_name": "Service Command Lateral Movement", - "sha256": "17f85cbe91c6b5fdcfe53a17b2b99e0ecb72d024dd472cbc509963acec2b5ace", + "version": 109 + }, + "8.13": { + "max_allowable_version": 
307, + "rule_name": "Privilege Escalation via Windir Environment Variable", + "sha256": "ccd6f0e1dc7444cd01f7f1273379600f001c8ba2608cd8c1e4744f5de3f677a1", "type": "eql", - "version": 207 - }, - "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { - "rule_name": "Unusual DPKG Execution", - "sha256": "24402d8ab6122a577c5617dca6a28ef35fbfe7ce2ff4051aaed28f9fd8640891", + "version": 208 + } + }, + "rule_name": "Privilege Escalation via Windir Environment Variable", + "sha256": "b882bc3921a13712f0db559c292b13772f12aaeb5673711e227685ccad9e7c56", + "type": "eql", + "version": 308 + }, + "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { + "rule_name": "Attempt to Delete an Okta Policy Rule", + "sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2", + "type": "query", + "version": 208 + }, + "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, + "rule_name": "Service Command Lateral Movement", + "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", "type": "eql", - "version": 2 - }, - "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { - "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578", - "type": "query", - "version": 209 - }, - "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { - "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4", - "type": "query", - "version": 105 - }, - "d6450d4e-81c6-46a3-bd94-079886318ed5": { - "rule_name": "Strace Process Activity", - "sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7", - "type": "query", - "version": 100 - }, - "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 113, - "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": 
"b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e", - "type": "eql", - "version": 14 - } - }, + "version": 107 + } + }, + "rule_name": "Service Command Lateral Movement", + "sha256": "17f85cbe91c6b5fdcfe53a17b2b99e0ecb72d024dd472cbc509963acec2b5ace", + "type": "eql", + "version": 207 + }, + "d6241c90-99f2-44db-b50f-299b6ebd7ee9": { + "rule_name": "Unusual DPKG Execution", + "sha256": "24402d8ab6122a577c5617dca6a28ef35fbfe7ce2ff4051aaed28f9fd8640891", + "type": "eql", + "version": 2 + }, + "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { + "rule_name": "AWS CloudWatch Log Stream Deletion", + "sha256": "44a8abff6921cf217c396e51cf30499d8bee7d8f1544fa02f7d9e093e6648578", + "type": "query", + "version": 209 + }, + "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { + "rule_name": "GCP Pub/Sub Subscription Creation", + "sha256": "981abcaff8eaa4e947885a8b6e60edb877602e6ec2974994837ffbf18e7085b4", + "type": "query", + "version": 105 + }, + "d6450d4e-81c6-46a3-bd94-079886318ed5": { + "rule_name": "Strace Process Activity", + "sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7", + "type": "query", + "version": 100 + }, + "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 113, "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "a509788cd40ec1f0f0af9c860a4dbb6f77a05421428008e91c1619cf410ee20e", + "sha256": "b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e", "type": "eql", - "version": 114 - }, - "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { - "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", - "type": "query", - "version": 206 - }, - "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Modification of WDigest Security Provider", - "sha256": 
"a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e", - "type": "eql", - "version": 111 - } - }, + "version": 14 + } + }, + "rule_name": "System Information Discovery via Windows Command Shell", + "sha256": "a509788cd40ec1f0f0af9c860a4dbb6f77a05421428008e91c1619cf410ee20e", + "type": "eql", + "version": 114 + }, + "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { + "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "sha256": "e1c61b6847b137835d630c3eba3b8bf7a5da03bf08a0e81a27ca46637b093b91", + "type": "query", + "version": 206 + }, + "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Modification of WDigest Security Provider", - "sha256": "b9a559838a1a99dc2394f88550d8bf2acd150203179bbe5aa432e9d0d8569049", + "sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e", "type": "eql", - "version": 211 - }, - "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Command Execution via SolarWinds Process", - "sha256": "8fbf7a1dcae87ae50b11fbc90ac978f7238819b6fffdbff9e2762e2ba3cef2a9", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Command Execution via SolarWinds Process", - "sha256": "7c19ee463ecfc62c87fee685189cb441ee9abfb2ea897009a6c11ee131b6ede9", - "type": "eql", - "version": 212 - } - }, + "version": 111 + } + }, + "rule_name": "Modification of WDigest Security Provider", + "sha256": "b9a559838a1a99dc2394f88550d8bf2acd150203179bbe5aa432e9d0d8569049", + "type": "eql", + "version": 211 + }, + "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Command Execution via SolarWinds Process", - "sha256": "77c21b9b410cee41f6e0b1d217e10eed16c3bbbc67814275f8cd5e86195f03ef", - "type": "eql", - "version": 
312 - }, - "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { - "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", - "type": "query", - "version": 206 - }, - "d74d6506-427a-4790-b170-0c2a6ddac799": { - "rule_name": "Suspicious Memory grep Activity", - "sha256": "62d90a376ed43ac65cbd84ee0b7d37b598d450de07cfde82408db98cfee04d6a", + "sha256": "8fbf7a1dcae87ae50b11fbc90ac978f7238819b6fffdbff9e2762e2ba3cef2a9", "type": "eql", - "version": 3 - }, - "d75991f2-b989-419d-b797-ac1e54ec2d61": { - "rule_name": "SystemKey Access via Command Line", - "sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091", - "type": "query", - "version": 206 - }, - "d76b02ef-fc95-4001-9297-01cb7412232f": { - "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Command Execution via SolarWinds Process", + "sha256": "7c19ee463ecfc62c87fee685189cb441ee9abfb2ea897009a6c11ee131b6ede9", "type": "eql", - "version": 110 - }, - "d79c4b2a-6134-4edd-86e6-564a92a933f9": { - "rule_name": "Azure Blob Permissions Modification", - "sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f", - "type": "query", - "version": 103 - }, - "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { - "rule_name": "Spike in Logon Events", - "sha256": "c88f7b8030359f06613e9c7fd1bf60b5c1e8f86f7d7febccd34c7969e1077bbc", - "type": "machine_learning", - "version": 104 - }, - "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { - "rule_name": "SMTP on Port 26/TCP", - "sha256": "fafc9b93a08a48425d81e9b8d77c65427d4a0059c9002836e7cd43db72fb0365", - "type": "query", - "version": 105 - }, - "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { - "rule_name": "Untrusted Driver Loaded", - "sha256": "c22a4b5aaf9a5211781fbafa109ec85e7094f3b473efa585e2dafa6bd86b481d", + "version": 212 + 
} + }, + "rule_name": "Command Execution via SolarWinds Process", + "sha256": "17eea5871c73f5fb356a051968d7cb36bd835774aeff070acb752283235c8009", + "type": "eql", + "version": 313 + }, + "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { + "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "sha256": "8ac44c71af4271eb13db4ef37b755bdfb7b4c9aa8f3ec7041a7a2ec06b98482d", + "type": "query", + "version": 206 + }, + "d74d6506-427a-4790-b170-0c2a6ddac799": { + "rule_name": "Suspicious Memory grep Activity", + "sha256": "62d90a376ed43ac65cbd84ee0b7d37b598d450de07cfde82408db98cfee04d6a", + "type": "eql", + "version": 3 + }, + "d75991f2-b989-419d-b797-ac1e54ec2d61": { + "rule_name": "SystemKey Access via Command Line", + "sha256": "6459c63e59f54f94e12abb17883b4ae2c8a99424f6e2c321c1647d47ce81c091", + "type": "query", + "version": 206 + }, + "d76b02ef-fc95-4001-9297-01cb7412232f": { + "rule_name": "Interactive Terminal Spawned via Python", + "sha256": "06fed263415e4ac3e3f062be3c0bc968c640a3632e4588fd2a405dbdac73f541", + "type": "eql", + "version": 110 + }, + "d79c4b2a-6134-4edd-86e6-564a92a933f9": { + "rule_name": "Azure Blob Permissions Modification", + "sha256": "4721b8fe47efb148dfe195f28255209d453662590443eac3aeb27c0ef998640f", + "type": "query", + "version": 103 + }, + "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { + "rule_name": "Spike in Logon Events", + "sha256": "c88f7b8030359f06613e9c7fd1bf60b5c1e8f86f7d7febccd34c7969e1077bbc", + "type": "machine_learning", + "version": 104 + }, + "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { + "rule_name": "SMTP on Port 26/TCP", + "sha256": "fafc9b93a08a48425d81e9b8d77c65427d4a0059c9002836e7cd43db72fb0365", + "type": "query", + "version": 105 + }, + "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { + "rule_name": "Untrusted Driver Loaded", + "sha256": "c22a4b5aaf9a5211781fbafa109ec85e7094f3b473efa585e2dafa6bd86b481d", + "type": "eql", + "version": 9 + }, + "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { + "rule_name": "AWS IAM Deactivation of MFA 
Device", + "sha256": "45efd7d53f83838ba357aa1bfb387f4c2489612adc924437d1f1953cf68c6d7f", + "type": "query", + "version": 210 + }, + "d93e61db-82d6-4095-99aa-714988118064": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 101, + "rule_name": "NTDS Dump via Wbadmin", + "sha256": "34ce5f9596b36a1b992575548e8c62b16a49e5261440a67f784671e4eb4bdbb3", "type": "eql", - "version": 9 - }, - "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { - "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "e70bcba5f981ab9bc5d058baf0631ea65c4172e55502ae1f6b6fceeca1035906", - "type": "query", - "version": 209 - }, - "d93e61db-82d6-4095-99aa-714988118064": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "NTDS Dump via Wbadmin", - "sha256": "34ce5f9596b36a1b992575548e8c62b16a49e5261440a67f784671e4eb4bdbb3", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "NTDS Dump via Wbadmin", - "sha256": "9a7aecff18c2b2c03fb09f108eb19cf4062741ef26df0abd91a13a980b793f8d", - "type": "eql", - "version": 102 - } - }, + "version": 2 + }, + "8.13": { + "max_allowable_version": 201, "rule_name": "NTDS Dump via Wbadmin", - "sha256": "da0375405787b7e9308681e6f7ca529a7dd8726d68244eb50f9c45554538ffd8", - "type": "eql", - "version": 202 - }, - "d99a037b-c8e2-47a5-97b9-170d076827c4": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "c312ca88ca87b5842950e5a73570f60860a7d415c34293e91196686fbad5e738", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "b0c3e97ff9361dd6edacb9ed48e4b541387b984a265fa98d119adee51577458d", - "type": "eql", - "version": 212 - } - }, + "sha256": "9a7aecff18c2b2c03fb09f108eb19cf4062741ef26df0abd91a13a980b793f8d", + "type": "eql", + 
"version": 102 + } + }, + "rule_name": "NTDS Dump via Wbadmin", + "sha256": "0c9ca98240f1da76e24997c3f0e416ba94169679df7c594faaded88c0928357d", + "type": "eql", + "version": 203 + }, + "d99a037b-c8e2-47a5-97b9-170d076827c4": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "64c170707179932670e4c90bb93e82a0d7905860ae9d5bb8277b7d69b4b9b941", + "sha256": "c312ca88ca87b5842950e5a73570f60860a7d415c34293e91196686fbad5e738", "type": "eql", - "version": 312 - }, - "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "0dd9b1e590a4b301d83ffb6fbc022556f692630bef01e7d31223c89a7032ecdb", - "type": "eql", - "version": 1 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": "4100ea91fd5746ceabc0b3056bf622961cb4e56a6733775ccb8b74fc1394d4ff", - "type": "eql", - "version": 101 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Volume Shadow Copy Deletion via PowerShell", + "sha256": "b0c3e97ff9361dd6edacb9ed48e4b541387b984a265fa98d119adee51577458d", + "type": "eql", + "version": 212 + } + }, + "rule_name": "Volume Shadow Copy Deletion via PowerShell", + "sha256": "21e3bb58844ec1cf781a8dc4fabc5dd00365515d481779308fbe721a11082c50", + "type": "eql", + "version": 313 + }, + "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, + "rule_name": "Suspicious Windows Command Shell Arguments", + "sha256": "0dd9b1e590a4b301d83ffb6fbc022556f692630bef01e7d31223c89a7032ecdb", + "type": "eql", + "version": 1 + }, + "8.13": { + "max_allowable_version": 200, "rule_name": "Suspicious Windows Command Shell Arguments", - "sha256": 
"f14448c067e0a0e0be1f51976cbc11fff0b37b0f5da3205c8afde1ae167e0eec", - "type": "eql", - "version": 201 - }, - "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 110, - "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e", - "type": "eql", - "version": 11 - }, - "8.13": { - "max_allowable_version": 210, - "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "d9efb6f5bfab991a95e185da00b9c3797f891983b8b396c9d7dbf292e759abe7", - "type": "eql", - "version": 111 - } - }, + "sha256": "4100ea91fd5746ceabc0b3056bf622961cb4e56a6733775ccb8b74fc1394d4ff", + "type": "eql", + "version": 101 + } + }, + "rule_name": "Suspicious Windows Command Shell Arguments", + "sha256": "f14448c067e0a0e0be1f51976cbc11fff0b37b0f5da3205c8afde1ae167e0eec", + "type": "eql", + "version": 201 + }, + "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 110, "rule_name": "Code Signing Policy Modification Through Registry", - "sha256": "cf52711a1189dd89d5cc0b35fc53b8cf7cf58f927144ecd794a969dd6245ad54", + "sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e", "type": "eql", - "version": 211 - }, - "da7f5803-1cd4-42fd-a890-0173ae80ac69": { - "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", - "sha256": "84e89ef6464acb25c59d3bbb6ebd82d470bd3a6ad2ea4cb023ea9406ce17b797", - "type": "query", - "version": 5 - }, - "da87eee1-129c-4661-a7aa-57d0b9645fad": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 109, - "rule_name": "Suspicious Service was Installed in the System", - "sha256": "2b3b6416e094f6fd0f246cdccd204f657433c0899082d352eee17f0a42c6e5cb", - "type": "eql", - "version": 10 - } - }, + "version": 11 + }, + "8.13": { + 
"max_allowable_version": 210, + "rule_name": "Code Signing Policy Modification Through Registry", + "sha256": "d9efb6f5bfab991a95e185da00b9c3797f891983b8b396c9d7dbf292e759abe7", + "type": "eql", + "version": 111 + } + }, + "rule_name": "Code Signing Policy Modification Through Registry", + "sha256": "cf52711a1189dd89d5cc0b35fc53b8cf7cf58f927144ecd794a969dd6245ad54", + "type": "eql", + "version": 211 + }, + "da7f5803-1cd4-42fd-a890-0173ae80ac69": { + "rule_name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", + "sha256": "84e89ef6464acb25c59d3bbb6ebd82d470bd3a6ad2ea4cb023ea9406ce17b797", + "type": "query", + "version": 5 + }, + "da87eee1-129c-4661-a7aa-57d0b9645fad": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 109, "rule_name": "Suspicious Service was Installed in the System", - "sha256": "4a237b6a951c3e4530bac7e5c14e1b5270fc7263a9cc7b53c6355f05422701df", + "sha256": "2b3b6416e094f6fd0f246cdccd204f657433c0899082d352eee17f0a42c6e5cb", "type": "eql", - "version": 110 - }, - "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { - "rule_name": "Linux Restricted Shell Breakout via the gcc command", - "sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443", - "type": "eql", - "version": 100 - }, - "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d", - "type": "new_terms", - "version": 6 - } - }, + "version": 10 + } + }, + "rule_name": "Suspicious Service was Installed in the System", + "sha256": "4a237b6a951c3e4530bac7e5c14e1b5270fc7263a9cc7b53c6355f05422701df", + "type": "eql", + "version": 110 + }, + "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { + "rule_name": "Linux Restricted Shell Breakout via the gcc command", + "sha256": 
"0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443", + "type": "eql", + "version": 100 + }, + "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "Potential Pass-the-Hash (PtH) Attempt", - "sha256": "605a26973cce40e167abba5375124060d5ae04432693969be8b5bee370e4185e", + "sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d", "type": "new_terms", - "version": 106 - }, - "dafa3235-76dc-40e2-9f71-1773b96d24cf": { - "rule_name": "Multi-Factor Authentication Disabled for an Azure User", - "sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee", - "type": "query", - "version": 105 - }, - "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "ea295acc9a2c0d920da2e8cd84ded801c713a06ad473c948126091def230b5ad", - "type": "eql", - "version": 103 - } - }, + "version": 6 + } + }, + "rule_name": "Potential Pass-the-Hash (PtH) Attempt", + "sha256": "605a26973cce40e167abba5375124060d5ae04432693969be8b5bee370e4185e", + "type": "new_terms", + "version": 106 + }, + "dafa3235-76dc-40e2-9f71-1773b96d24cf": { + "rule_name": "Multi-Factor Authentication Disabled for an Azure User", + "sha256": "9bec414579dbdeb0c1a10611d7a97fa166af67379b6b69855a360097da1cc0ee", + "type": "query", + "version": 105 + }, + "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "Network-Level Authentication (NLA) Disabled", - "sha256": "452e5fbee79ceeb158518545ac367412757396a660f25ecf4e8940a04976f311", - 
"type": "eql", - "version": 203 - }, - "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "86c73ee5160e7e68a9e03ca44a7191655b1ab3644edf3c7468b433eb42722f54", - "type": "eql", - "version": 7 - }, - "8.13": { - "max_allowable_version": 206, - "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "7d866450dcc8e535903a7e7d28333859b7c1e5b20cf243b9885c0ba2fd3e3bfa", - "type": "eql", - "version": 107 - } - }, - "rule_name": "Execution via Windows Subsystem for Linux", - "sha256": "7981314a2fc100fb3be838b93ea65cb085b475a293dea507778e78b2f7b1a924", + "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", + "type": "eql", + "version": 3 + }, + "8.13": { + "max_allowable_version": 202, + "rule_name": "Network-Level Authentication (NLA) Disabled", + "sha256": "ea295acc9a2c0d920da2e8cd84ded801c713a06ad473c948126091def230b5ad", "type": "eql", - "version": 207 - }, - "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { - "rule_name": "Credential Dumping - Prevented - Elastic Endgame", - "sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65", - "type": "query", "version": 103 - }, - "dc0b7782-0df0-47ff-8337-db0d678bdb66": { - "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", - "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", + } + }, + "rule_name": "Network-Level Authentication (NLA) Disabled", + "sha256": "452e5fbee79ceeb158518545ac367412757396a660f25ecf4e8940a04976f311", + "type": "eql", + "version": 203 + }, + "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, + "rule_name": "Execution via Windows Subsystem for Linux", + "sha256": "86c73ee5160e7e68a9e03ca44a7191655b1ab3644edf3c7468b433eb42722f54", "type": "eql", - "version": 5 - }, - 
"dc61f382-dc0c-4cc0-a845-069f2a071704": { - "rule_name": "Git Hook Command Execution", - "sha256": "343b1b3846b8995220cd5a2462610b56200a929f418593766ed4d6be59d611c6", + "version": 7 + }, + "8.13": { + "max_allowable_version": 206, + "rule_name": "Execution via Windows Subsystem for Linux", + "sha256": "7d866450dcc8e535903a7e7d28333859b7c1e5b20cf243b9885c0ba2fd3e3bfa", "type": "eql", - "version": 2 - }, - "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { - "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", - "sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095", - "type": "threat_match", - "version": 100 - }, - "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { - "rule_name": "Potential Hidden Process via Mount Hidepid", - "sha256": "69570f9ed79d40fc1f9217930bb3117b6392d515cdf063f8cde02c53c6e7f60c", + "version": 107 + } + }, + "rule_name": "Execution via Windows Subsystem for Linux", + "sha256": "d238242db88c4dffe3b45b6338748daa6638b409ae25dcebf555dc5fbd22ef37", + "type": "eql", + "version": 208 + }, + "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { + "rule_name": "Credential Dumping - Prevented - Elastic Endgame", + "sha256": "5de5038a06b13f9d4d0b252316c5fc2a6d92c60d65cf8613bdde5c1514f4bd65", + "type": "query", + "version": 103 + }, + "dc0b7782-0df0-47ff-8337-db0d678bdb66": { + "rule_name": "Suspicious Content Extracted or Decompressed via Funzip", + "sha256": "e56d02dd6b3a5cd288516467c111539cbe759ada556ffe40e5d4f26a0e9c6ee0", + "type": "eql", + "version": 5 + }, + "dc61f382-dc0c-4cc0-a845-069f2a071704": { + "rule_name": "Git Hook Command Execution", + "sha256": "343b1b3846b8995220cd5a2462610b56200a929f418593766ed4d6be59d611c6", + "type": "eql", + "version": 2 + }, + "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { + "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", + "sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095", + "type": "threat_match", + "version": 100 + }, + "dc71c186-9fe4-4437-a4d0-85ebb32b8204": { + 
"rule_name": "Potential Hidden Process via Mount Hidepid", + "sha256": "69570f9ed79d40fc1f9217930bb3117b6392d515cdf063f8cde02c53c6e7f60c", + "type": "eql", + "version": 9 + }, + "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Volume Shadow Copy Deletion via WMIC", + "sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75", "type": "eql", - "version": 9 - }, - "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "fc94eadae513c2cc5d7926f9b29162dc04e94539951f7b86fd3bdd9832ca46db", - "type": "eql", - "version": 212 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "fd5c86759b6948c95d8e08768f9293bd265a8dc55d2351badc0205d0b356c28a", + "sha256": "fc94eadae513c2cc5d7926f9b29162dc04e94539951f7b86fd3bdd9832ca46db", "type": "eql", - "version": 312 - }, - "dca28dee-c999-400f-b640-50a081cc0fd1": { - "rule_name": "Unusual Country For an AWS Command", - "sha256": "c2be81a4e4f052c6da9119dd200e3ab45d5687ef747f79b3a2cef11bb4568d29", - "type": "machine_learning", - "version": 209 - }, - "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Suspicious Execution from INET Cache", - "sha256": "6890ee7e9f98fd62cb7e5660852cebcf2ec9c6a367072ae8b1660ee40eca75da", - "type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Suspicious Execution from INET Cache", - "sha256": 
"ff4e6f8fc8ffdad46c9ca8403e225098989a5548343270fe5420b6a1021d3fbf", - "type": "eql", - "version": 103 - } - }, + "version": 212 + } + }, + "rule_name": "Volume Shadow Copy Deletion via WMIC", + "sha256": "6c79aab936e1fe25141e3e984b8d2113e9aa91ff99605c1bfd90084361126379", + "type": "eql", + "version": 313 + }, + "dca28dee-c999-400f-b640-50a081cc0fd1": { + "rule_name": "Unusual Country For an AWS Command", + "sha256": "c2be81a4e4f052c6da9119dd200e3ab45d5687ef747f79b3a2cef11bb4568d29", + "type": "machine_learning", + "version": 209 + }, + "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, "rule_name": "Suspicious Execution from INET Cache", - "sha256": "9fe609a27578043ce5a54c344bbfaf7ba455059baf2c7328e2f8fc75aa64a7f9", - "type": "eql", - "version": 203 - }, - "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "7209db8e30fa81579cc3b28f823b3efc3f48863b31868b2c52ccee2a937887bd", - "type": "eql", - "version": 8 - }, - "8.13": { - "max_allowable_version": 207, - "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "db373be5d72255dcfc03d21367e6a23f15576fe50874ec53d75ff7edf26e222d", - "type": "eql", - "version": 108 - } - }, + "sha256": "6890ee7e9f98fd62cb7e5660852cebcf2ec9c6a367072ae8b1660ee40eca75da", + "type": "eql", + "version": 3 + }, + "8.13": { + "max_allowable_version": 202, + "rule_name": "Suspicious Execution from INET Cache", + "sha256": "ff4e6f8fc8ffdad46c9ca8403e225098989a5548343270fe5420b6a1021d3fbf", + "type": "eql", + "version": 103 + } + }, + "rule_name": "Suspicious Execution from INET Cache", + "sha256": "6a04f4ffaa5c40018c58ab7ef7d0b4986d678da98c9dd78706e4c645c8bc71a5", + "type": "eql", + "version": 204 + }, + "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + 
"max_allowable_version": 107, "rule_name": "Attempt to Install Kali Linux via WSL", - "sha256": "8da0e99bdac5b5db0f8b7533c911559e37c2c92cb9e7a9dc3a728ba859d9ff4a", + "sha256": "7209db8e30fa81579cc3b28f823b3efc3f48863b31868b2c52ccee2a937887bd", "type": "eql", - "version": 208 - }, - "dd52d45a-4602-4195-9018-ebe0f219c273": { - "rule_name": "Network Connections Initiated Through XDG Autostart Entry", - "sha256": "9d09534c9e25cb62cc2ac0983ac2a41afb47c19dfec4625145ed0922d5c490d6", + "version": 8 + }, + "8.13": { + "max_allowable_version": 207, + "rule_name": "Attempt to Install Kali Linux via WSL", + "sha256": "db373be5d72255dcfc03d21367e6a23f15576fe50874ec53d75ff7edf26e222d", "type": "eql", - "version": 3 - }, - "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { - "rule_name": "Reverse Shell Created via Named Pipe", - "sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c", + "version": 108 + } + }, + "rule_name": "Attempt to Install Kali Linux via WSL", + "sha256": "eb5782b9024f97b13ced9ed9a27e3af47b54101824f8592c383c4fa46f18bcb1", + "type": "eql", + "version": 209 + }, + "dd52d45a-4602-4195-9018-ebe0f219c273": { + "rule_name": "Network Connections Initiated Through XDG Autostart Entry", + "sha256": "9d09534c9e25cb62cc2ac0983ac2a41afb47c19dfec4625145ed0922d5c490d6", + "type": "eql", + "version": 3 + }, + "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { + "rule_name": "Reverse Shell Created via Named Pipe", + "sha256": "d8b4bfe2baa5dc7735769bd51e37b1b139c521ec70d2ce8db325a4d6e409f82c", + "type": "eql", + "version": 6 + }, + "ddab1f5f-7089-44f5-9fda-de5b11322e77": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "NullSessionPipe Registry Modification", + "sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2", "type": "eql", - "version": 6 - }, - "ddab1f5f-7089-44f5-9fda-de5b11322e77": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - 
"rule_name": "NullSessionPipe Registry Modification", - "sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "NullSessionPipe Registry Modification", - "sha256": "6581546aba5c9cbdb29e1998c5b3ce1a10bba7abbbdf5036de332cc395e4d74b", - "type": "eql", - "version": 210 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 309, "rule_name": "NullSessionPipe Registry Modification", - "sha256": "50633d69f921b67ff24e8f6a63aef23b74ed335c0104445871dbc3945e3af63c", + "sha256": "6581546aba5c9cbdb29e1998c5b3ce1a10bba7abbbdf5036de332cc395e4d74b", "type": "eql", - "version": 310 - }, - "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { - "min_stack_version": "8.13", - "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", - "sha256": "400a598f9f5f9aa9ee82ed31b38bfeea4491ad833f44cc808bb637777e55b74e", - "type": "esql", - "version": 3 - }, - "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "a7b99e7aa7cbd5a81b8013087a2b9fccead7841f4219882418dcbd63763d3608", - "type": "eql", - "version": 212 - } - }, + "version": 210 + } + }, + "rule_name": "NullSessionPipe Registry Modification", + "sha256": "50633d69f921b67ff24e8f6a63aef23b74ed335c0104445871dbc3945e3af63c", + "type": "eql", + "version": 310 + }, + "dde13d58-bc39-4aa0-87fd-b4bdbf4591da": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM AdministratorAccess Policy Attached to Role", + "sha256": "400a598f9f5f9aa9ee82ed31b38bfeea4491ad833f44cc808bb637777e55b74e", + "type": "esql", + "version": 3 + 
}, + "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "cbc93e8df0c9561bcf71aa5c1c047699a17c624200c322609b788853594cca6a", + "sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8", "type": "eql", - "version": 312 - }, - "debff20a-46bc-4a4d-bae5-5cdd14222795": { - "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Unusual Child Process from a System Virtual Process", + "sha256": "a7b99e7aa7cbd5a81b8013087a2b9fccead7841f4219882418dcbd63763d3608", "type": "eql", - "version": 110 - }, - "ded09d02-0137-4ccc-8005-c45e617e8d4c": { - "rule_name": "Query Registry using Built-in Tools", - "sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd", - "type": "new_terms", - "version": 105 - }, - "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { - "rule_name": "First Time Seen Driver Loaded", - "sha256": "1faad3f27c89ce87b1a4f9ba8d28fcd968f1da207d94216c3e71a09884db6eb8", - "type": "new_terms", - "version": 8 - }, - "df197323-72a8-46a9-a08e-3f5b04a4a97a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e", - "type": "machine_learning", - "version": 106 - } - }, + "version": 212 + } + }, + "rule_name": "Unusual Child Process from a System Virtual Process", + "sha256": "cbc93e8df0c9561bcf71aa5c1c047699a17c624200c322609b788853594cca6a", + "type": "eql", + "version": 312 + }, + "debff20a-46bc-4a4d-bae5-5cdd14222795": { + "rule_name": "Base16 or Base32 Encoding/Decoding Activity", + "sha256": 
"a7f6c2c79e782df9aa8415605d72b36e28ac9b0ab828b6077ede6a98958a6977", + "type": "eql", + "version": 110 + }, + "ded09d02-0137-4ccc-8005-c45e617e8d4c": { + "rule_name": "Query Registry using Built-in Tools", + "sha256": "f96c303f816b1dd2758c8f7dd096711bacc5b826d610127acd0e425a321579cd", + "type": "new_terms", + "version": 105 + }, + "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { + "rule_name": "First Time Seen Driver Loaded", + "sha256": "1faad3f27c89ce87b1a4f9ba8d28fcd968f1da207d94216c3e71a09884db6eb8", + "type": "new_terms", + "version": 8 + }, + "df197323-72a8-46a9-a08e-3f5b04a4a97a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "d328e86d5da5551f9015b551689158237ac673a65a0d2980967ff93f1b9638b3", + "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e", "type": "machine_learning", - "version": 206 - }, - "df26fd74-1baa-4479-b42e-48da84642330": { - "rule_name": "Azure Automation Account Created", - "sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669", - "type": "query", - "version": 102 - }, - "df6f62d9-caab-4b88-affa-044f4395a1e0": { - "rule_name": "Dynamic Linker Copy", - "sha256": "c492826e8eb6d6b4fbae1dfc5820adbdcbc847d6f88fbf1e57c06d347b0d6c4f", + "version": 106 + } + }, + "rule_name": "Unusual Windows User Calling the Metadata Service", + "sha256": "d328e86d5da5551f9015b551689158237ac673a65a0d2980967ff93f1b9638b3", + "type": "machine_learning", + "version": 206 + }, + "df26fd74-1baa-4479-b42e-48da84642330": { + "rule_name": "Azure Automation Account Created", + "sha256": "b82b8d83b12f049d275d3f1d78e61640c6b772c160ca3844d5e09df9cf465669", + "type": "query", + "version": 102 + }, + "df6f62d9-caab-4b88-affa-044f4395a1e0": { + "rule_name": "Dynamic Linker Copy", + "sha256": "c492826e8eb6d6b4fbae1dfc5820adbdcbc847d6f88fbf1e57c06d347b0d6c4f", + "type": "eql", + "version": 109 + }, + 
"df7fda76-c92b-4943-bc68-04460a5ea5ba": { + "rule_name": "Kubernetes Pod Created With HostPID", + "sha256": "0aa047864e74cf8a18fe9dd039cc10fc1cfadcd1b2b98de5cfedf9afe1c98251", + "type": "query", + "version": 204 + }, + "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", + "sha256": "87f99fdccd4153758ed878449ec6d1fd72e56f20cd92bda5b802fe99fd9856e1", + "type": "esql", + "version": 3 + }, + "df959768-b0c9-4d45-988c-5606a2be8e5a": { + "rule_name": "Unusual Process Execution - Temp", + "sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d", + "type": "query", + "version": 100 + }, + "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "Potential privilege escalation via CVE-2022-38028", + "sha256": "be7d0516427d16d13075a9c6cbeb259c965436b814a3a00c02a5a879e239aaaa", "type": "eql", - "version": 109 - }, - "df7fda76-c92b-4943-bc68-04460a5ea5ba": { - "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "0aa047864e74cf8a18fe9dd039cc10fc1cfadcd1b2b98de5cfedf9afe1c98251", - "type": "query", - "version": 204 - }, - "df919b5e-a0f6-4fd8-8598-e3ce79299e3b": { - "min_stack_version": "8.13", - "rule_name": "AWS IAM AdministratorAccess Policy Attached to Group", - "sha256": "87f99fdccd4153758ed878449ec6d1fd72e56f20cd92bda5b802fe99fd9856e1", - "type": "esql", "version": 3 - }, - "df959768-b0c9-4d45-988c-5606a2be8e5a": { - "rule_name": "Unusual Process Execution - Temp", - "sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d", - "type": "query", - "version": 100 - }, - "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "be7d0516427d16d13075a9c6cbeb259c965436b814a3a00c02a5a879e239aaaa", - 
"type": "eql", - "version": 3 - }, - "8.13": { - "max_allowable_version": 202, - "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "7b6acf6b548474373227dfe0d95525762951ea112531f064e226bb790080e8b1", - "type": "eql", - "version": 103 - } - }, + }, + "8.13": { + "max_allowable_version": 202, "rule_name": "Potential privilege escalation via CVE-2022-38028", - "sha256": "d0fe93377143f6c21a5d7bacce642eca85c15341cbdd34b6b4254173a819008c", - "type": "eql", - "version": 203 - }, - "e00b8d49-632f-4dc6-94a5-76153a481915": { - "rule_name": "Delayed Execution via Ping", - "sha256": "da0cf4affe1558ec93cbb7b96eac795d58a8770bcb564ff0b2021a7f7622eceb", + "sha256": "7b6acf6b548474373227dfe0d95525762951ea112531f064e226bb790080e8b1", "type": "eql", - "version": 3 - }, - "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { - "rule_name": "Azure Firewall Policy Deletion", - "sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0", - "type": "query", - "version": 102 - }, - "e052c845-48d0-4f46-8a13-7d0aba05df82": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "5b56188233f9c0e6251065b18ac9a7d80ebd1b7cd9a55d4dfbc2fa8735b403cc", - "type": "eql", - "version": 108 - } - }, + "version": 103 + } + }, + "rule_name": "Potential privilege escalation via CVE-2022-38028", + "sha256": "d0fe93377143f6c21a5d7bacce642eca85c15341cbdd34b6b4254173a819008c", + "type": "eql", + "version": 203 + }, + "e00b8d49-632f-4dc6-94a5-76153a481915": { + "rule_name": "Delayed Execution via Ping", + "sha256": "da0cf4affe1558ec93cbb7b96eac795d58a8770bcb564ff0b2021a7f7622eceb", + "type": "eql", + "version": 3 + }, + "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { + "rule_name": "Azure Firewall Policy Deletion", + "sha256": "fbf370e089437f900b3701b3d7a7af66a118801719201fe03fbfea44438802c0", + "type": "query", + "version": 102 + }, + "e052c845-48d0-4f46-8a13-7d0aba05df82": { + 
"min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "d73db62405efc39a8ad58641974ba0785e0ae2f01440c19c88e84e81a194593a", + "sha256": "5b56188233f9c0e6251065b18ac9a7d80ebd1b7cd9a55d4dfbc2fa8735b403cc", "type": "eql", - "version": 208 - }, - "e0881d20-54ac-457f-8733-fe0bc5d44c55": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "System Service Discovery through built-in Windows Utilities", - "sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e", - "type": "eql", - "version": 9 - } - }, + "version": 108 + } + }, + "rule_name": "KRBTGT Delegation Backdoor", + "sha256": "d73db62405efc39a8ad58641974ba0785e0ae2f01440c19c88e84e81a194593a", + "type": "eql", + "version": 208 + }, + "e0881d20-54ac-457f-8733-fe0bc5d44c55": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "System Service Discovery through built-in Windows Utilities", - "sha256": "d82fcf936af322fa2da05ceac8ec3a4994a372bf58f8664d1345e0dddc57d275", - "type": "eql", - "version": 109 - }, - "e08ccd49-0380-4b2b-8d71-8000377d6e49": { - "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", - "type": "threshold", - "version": 209 - }, - "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { - "rule_name": "Potentially Suspicious Process Started via tmux or screen", - "sha256": "bbc79c31a49dbadfd95c068a4bae83f11457d10bd83b3a13b598049767cb3119", - "type": "eql", - "version": 5 - }, - "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { - "rule_name": "Whitespace Padding in Process Command Line", - "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", - "type": "eql", - "version": 100 - }, - "e0f36de1-0342-453d-95a9-a068b257b053": { - "rule_name": "Azure Event Hub Deletion", - "sha256": 
"a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7", - "type": "query", - "version": 102 - }, - "e12c0318-99b1-44f2-830c-3a38a43207ca": { - "rule_name": "AWS Route Table Created", - "sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5", - "type": "query", - "version": 207 - }, - "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { - "rule_name": "AWS RDS Cluster Creation", - "sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6", - "type": "query", - "version": 206 - }, - "e19e64ee-130e-4c07-961f-8a339f0b8362": { - "rule_name": "Connection to External Network via Telnet", - "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", + "sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e", "type": "eql", - "version": 107 - }, - "e1db8899-97c1-4851-8993-3a3265353601": { - "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", - "sha256": "18d369e85745dfad874fe33bb6e7faff482e843a231c6c456cd2668d675040bb", - "type": "machine_learning", - "version": 4 - }, - "e2258f48-ba75-4248-951b-7c885edf18c2": { - "rule_name": "Suspicious Mining Process Creation Event", - "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", - "type": "eql", - "version": 6 - }, - "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { - "rule_name": "Spike in Successful Logon Events from a Source IP", - "sha256": "0269e018a4255bfb434cd73bd2e52aef757c68e11659366261fa2c8687dc0948", - "type": "machine_learning", - "version": 105 - }, - "e26f042e-c590-4e82-8e05-41e81bd822ad": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", - "type": "query", - "version": 112 - }, - "8.12": { - "max_allowable_version": 315, - "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": 
"0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2", - "type": "query", - "version": 216 - } - }, + "version": 9 + } + }, + "rule_name": "System Service Discovery through built-in Windows Utilities", + "sha256": "d82fcf936af322fa2da05ceac8ec3a4994a372bf58f8664d1345e0dddc57d275", + "type": "eql", + "version": 109 + }, + "e08ccd49-0380-4b2b-8d71-8000377d6e49": { + "rule_name": "Attempts to Brute Force an Okta User Account", + "sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238", + "type": "threshold", + "version": 210 + }, + "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { + "rule_name": "Potentially Suspicious Process Started via tmux or screen", + "sha256": "bbc79c31a49dbadfd95c068a4bae83f11457d10bd83b3a13b598049767cb3119", + "type": "eql", + "version": 5 + }, + "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { + "rule_name": "Whitespace Padding in Process Command Line", + "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", + "type": "eql", + "version": 100 + }, + "e0f36de1-0342-453d-95a9-a068b257b053": { + "rule_name": "Azure Event Hub Deletion", + "sha256": "a2ecaf7e5ffeba64be9df560b78b9046a7dd8803d4d3e1f50854456965291dc7", + "type": "query", + "version": 102 + }, + "e12c0318-99b1-44f2-830c-3a38a43207ca": { + "rule_name": "AWS Route Table Created", + "sha256": "862abfa5c379d1e32f01d1c6199755c9de4bfcd13eaf1b23d019ae40ccde21c5", + "type": "query", + "version": 207 + }, + "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { + "rule_name": "AWS RDS Cluster Creation", + "sha256": "3971b630a9892ede07636cbd4aafedb6e0a66eb9a58e95bca937fd3d473486f6", + "type": "query", + "version": 206 + }, + "e19e64ee-130e-4c07-961f-8a339f0b8362": { + "rule_name": "Connection to External Network via Telnet", + "sha256": "aca0eb0c2cc280c1e11e840c13fbdf1d68c10d4842912b4d5f2c41f27ca376c5", + "type": "eql", + "version": 107 + }, + "e1db8899-97c1-4851-8993-3a3265353601": { + "rule_name": "Potential Data Exfiltration Activity to an Unusual ISO Code", + 
"sha256": "18d369e85745dfad874fe33bb6e7faff482e843a231c6c456cd2668d675040bb", + "type": "machine_learning", + "version": 4 + }, + "e2258f48-ba75-4248-951b-7c885edf18c2": { + "rule_name": "Suspicious Mining Process Creation Event", + "sha256": "e91422636467edf05da152b15ace87fb9f957102bab6ef22a1f413c45c076dc9", + "type": "eql", + "version": 6 + }, + "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { + "rule_name": "Spike in Successful Logon Events from a Source IP", + "sha256": "0269e018a4255bfb434cd73bd2e52aef757c68e11659366261fa2c8687dc0948", + "type": "machine_learning", + "version": 105 + }, + "e26f042e-c590-4e82-8e05-41e81bd822ad": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "ca835ae54902b43b43600be560e50e3ec172b5bab2d1419520717665a9b443e8", + "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", "type": "query", - "version": 316 - }, - "e28b8093-833b-4eda-b877-0873d134cf3c": { - "rule_name": "Network Traffic Capture via CAP_NET_RAW", - "sha256": "f5c6eb26668b0618457eb54076493de70230dd3c72adcd575923b13012ae0c45", - "type": "new_terms", - "version": 4 - }, - "e29599ee-d6ad-46a9-9c6a-dc39f361890d": { - "min_stack_version": "8.12", - "rule_name": "Suspicious pbpaste High Volume Activity", - "sha256": "a4c8f8bfde8a3b923156ef450b75f64bc7fe03e04671221bd7040e12c3e98c02", - "type": "eql", - "version": 1 - }, - "e2a67480-3b79-403d-96e3-fdd2992c50ef": { - "rule_name": "AWS Management Console Root Login", - "sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd", + "version": 112 + }, + "8.12": { + "max_allowable_version": 315, + "rule_name": "Suspicious .NET Reflection via PowerShell", + "sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2", "type": "query", - "version": 209 - }, - "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { - "rule_name": "System Network Connections Discovery", - "sha256": 
"e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1", + "version": 216 + } + }, + "rule_name": "Suspicious .NET Reflection via PowerShell", + "sha256": "ca835ae54902b43b43600be560e50e3ec172b5bab2d1419520717665a9b443e8", + "type": "query", + "version": 316 + }, + "e28b8093-833b-4eda-b877-0873d134cf3c": { + "rule_name": "Network Traffic Capture via CAP_NET_RAW", + "sha256": "f5c6eb26668b0618457eb54076493de70230dd3c72adcd575923b13012ae0c45", + "type": "new_terms", + "version": 4 + }, + "e29599ee-d6ad-46a9-9c6a-dc39f361890d": { + "min_stack_version": "8.12", + "rule_name": "Suspicious pbpaste High Volume Activity", + "sha256": "a4c8f8bfde8a3b923156ef450b75f64bc7fe03e04671221bd7040e12c3e98c02", + "type": "eql", + "version": 1 + }, + "e2a67480-3b79-403d-96e3-fdd2992c50ef": { + "rule_name": "AWS Management Console Root Login", + "sha256": "e92692113a5e54b3929b90730de141b010fbf55f4a52a1d77e548a78cc361ecd", + "type": "query", + "version": 209 + }, + "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { + "rule_name": "System Network Connections Discovery", + "sha256": "e18cba651376cfe6e9941e9849b0b35efb04d877fd885ad2d8e410d9690633d1", + "type": "eql", + "version": 3 + }, + "e2e0537d-7d8f-4910-a11d-559bcf61295a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, + "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", + "sha256": "b9a7b32c3dfb500b067eb62db94be7e669a714213f44475884a5d82188a89576", "type": "eql", - "version": 3 - }, - "e2e0537d-7d8f-4910-a11d-559bcf61295a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "b9a7b32c3dfb500b067eb62db94be7e669a714213f44475884a5d82188a89576", - "type": "eql", - "version": 8 - }, - "8.13": { - "max_allowable_version": 207, - "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": 
"e20728e2d7fdb11e0c89fe8b59339217c06311f3e887ecc68c878ac02e342c43", - "type": "eql", - "version": 108 - } - }, + "version": 8 + }, + "8.13": { + "max_allowable_version": 207, "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", - "sha256": "786192214f5d5aa5c9b0b3cf5ea01355c4eacc8d7205094da7d7c6d3de2d4636", + "sha256": "e20728e2d7fdb11e0c89fe8b59339217c06311f3e887ecc68c878ac02e342c43", "type": "eql", - "version": 208 - }, - "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff", - "type": "eql", - "version": 112 - } - }, + "version": 108 + } + }, + "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", + "sha256": "e700c3aa1868cdab411187bb9463c15130cb104b333c4aeca0f322d52bfbe885", + "type": "eql", + "version": 209 + }, + "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "a02677e7cd9c71dad3cf902389ff330aa11d7e30af8f5186022a8942cbd0a39b", + "sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff", "type": "eql", - "version": 212 - }, - "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { - "rule_name": "GCP IAM Role Deletion", - "sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe", - "type": "query", - "version": 104 - }, - "e3343ab9-4245-4715-b344-e11c56b0a47f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Process Activity via Compiled HTML File", - "sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Process Activity via 
Compiled HTML File", - "sha256": "b2ec162d5e1153e3aec75388d239610723efecf8e84f07bed191977174467f88", - "type": "eql", - "version": 211 - } - }, - "rule_name": "Process Activity via Compiled HTML File", - "sha256": "6802342503cc7dea85c431b23963aff34f661e1e9d97e48e9a1cfbc687b231b1", - "type": "eql", - "version": 311 - }, - "e3c27562-709a-42bd-82f2-3ed926cced19": { - "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525", - "type": "query", - "version": 206 - }, - "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { - "rule_name": "Ransomware - Prevented - Elastic Endgame", - "sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462", - "type": "query", - "version": 103 - }, - "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e", - "type": "eql", - "version": 107 - } - }, - "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "b96e61601debc0c2b8731cd56031412334418497e035336cb8c471af5f70b60f", + "version": 112 + } + }, + "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", + "sha256": "a02677e7cd9c71dad3cf902389ff330aa11d7e30af8f5186022a8942cbd0a39b", + "type": "eql", + "version": 212 + }, + "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { + "rule_name": "GCP IAM Role Deletion", + "sha256": "81da5ac170cebd66bcbf89e17268d9b7d3559955c522f1623d651961f6419cbe", + "type": "query", + "version": 104 + }, + "e302e6c3-448c-4243-8d9b-d41da70db582": { + "rule_name": "Potential Data Splitting Detected", + "sha256": "e9c73adb2c1f6cce1863d61a9079baab27593eb754bed9dfb7462a2a0e757dfa", + "type": "eql", + "version": 1 + }, + "e3343ab9-4245-4715-b344-e11c56b0a47f": { + "min_stack_version": "8.14", + 
"previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Process Activity via Compiled HTML File", + "sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb", "type": "eql", - "version": 207 - }, - "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { - "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "782e6ea2ec801b948326c6dde829cf378f884c812681328c4577234da4bf90fa", + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Process Activity via Compiled HTML File", + "sha256": "b2ec162d5e1153e3aec75388d239610723efecf8e84f07bed191977174467f88", "type": "eql", - "version": 114 - }, - "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "First Time Seen NewCredentials Logon Process", - "sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f", - "type": "new_terms", - "version": 5 - } - }, + "version": 211 + } + }, + "rule_name": "Process Activity via Compiled HTML File", + "sha256": "af6bff4d9b0f88e5cadd6ce1f24e77dac8a706d375a23109a8c681c97c6b4706", + "type": "eql", + "version": 312 + }, + "e3c27562-709a-42bd-82f2-3ed926cced19": { + "rule_name": "AWS Route53 private hosted zone associated with a VPC", + "sha256": "7ffafc6db354cba90fcf1ace4d763e22cb051ba2f8ad28c7e9f2cd89ef903525", + "type": "query", + "version": 206 + }, + "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { + "rule_name": "Ransomware - Prevented - Elastic Endgame", + "sha256": "b7d178b2a838a3cb100c12763f21969b20233d489823c43d10e756e079284462", + "type": "query", + "version": 103 + }, + "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, + "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", + "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e", + "type": "eql", + "version": 107 
+ } + }, + "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", + "sha256": "b96e61601debc0c2b8731cd56031412334418497e035336cb8c471af5f70b60f", + "type": "eql", + "version": 207 + }, + "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { + "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", + "sha256": "782e6ea2ec801b948326c6dde829cf378f884c812681328c4577234da4bf90fa", + "type": "eql", + "version": 114 + }, + "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, "rule_name": "First Time Seen NewCredentials Logon Process", - "sha256": "ffe14ac65dfa2a8820245873c21a9e1c00089649ed9d3be35102f434e3824639", + "sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f", "type": "new_terms", - "version": 105 - }, - "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { - "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3", - "type": "query", - "version": 207 - }, - "e4e31051-ee01-4307-a6ee-b21b186958f4": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "b0f8db3df27e01d7b12cdd167287aca6d31dcafc2878624cdfc8971185e9c74d", - "type": "eql", - "version": 106 - } - }, + "version": 5 + } + }, + "rule_name": "First Time Seen NewCredentials Logon Process", + "sha256": "ffe14ac65dfa2a8820245873c21a9e1c00089649ed9d3be35102f434e3824639", + "type": "new_terms", + "version": 105 + }, + "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { + "rule_name": "Attempt to Modify an Okta Network Zone", + "sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5", + "type": "query", + "version": 208 + }, + "e4e31051-ee01-4307-a6ee-b21b186958f4": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, "rule_name": "Service 
Creation via Local Kerberos Authentication", - "sha256": "9eb77e0dda391b5aa9d210c7d318596248ca59b969e138c7cfa6d9a2fcfd72ad", + "sha256": "b0f8db3df27e01d7b12cdd167287aca6d31dcafc2878624cdfc8971185e9c74d", "type": "eql", - "version": 206 - }, - "e514d8cd-ed15-4011-84e2-d15147e059f1": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03", - "type": "query", - "version": 113 - } - }, + "version": 106 + } + }, + "rule_name": "Service Creation via Local Kerberos Authentication", + "sha256": "9eb77e0dda391b5aa9d210c7d318596248ca59b969e138c7cfa6d9a2fcfd72ad", + "type": "eql", + "version": 206 + }, + "e514d8cd-ed15-4011-84e2-d15147e059f1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "aad6c2b791f2afc079b2ed0ef7a166717dc6a09cc6de90722d6ebf150ddc70fb", - "type": "query", - "version": 213 - }, - "e555105c-ba6d-481f-82bb-9b633e7b4827": { - "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "c208e0210c900747a4eaa68c93e32df981d3e2f5bb72a17177582c3b6ea60501", - "type": "query", - "version": 206 - }, - "e56993d2-759c-4120-984c-9ec9bb940fd5": { - "rule_name": "RDP (Remote Desktop Protocol) to the Internet", - "sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed", - "type": "query", - "version": 100 - }, - "e6c1a552-7776-44ad-ae0f-8746cc07773c": { - "rule_name": "Bash Shell Profile Modification", - "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3", - "type": "query", - "version": 104 - }, - "e6c98d38-633d-4b3e-9387-42112cd5ac10": { - "rule_name": "Authorization Plugin Modification", - "sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e", + "sha256": 
"2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03", "type": "query", - "version": 107 - }, - "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { - "rule_name": "Possible Okta DoS Attack", - "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e", - "type": "query", - "version": 206 - }, - "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { - "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51", - "type": "eql", - "version": 107 - }, - "e7075e8d-a966-458e-a183-85cd331af255": { - "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e", - "type": "query", - "version": 104 - }, - "e707a7be-cc52-41ac-8ab3-d34b38c20005": { - "rule_name": "Potential Credential Access via Memory Dump File Creation", - "sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62", - "type": "eql", - "version": 3 - }, - "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 206, - "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478", - "type": "eql", - "version": 107 - } - }, + "version": 113 + } + }, + "rule_name": "Kerberos Pre-authentication Disabled for User", + "sha256": "aad6c2b791f2afc079b2ed0ef7a166717dc6a09cc6de90722d6ebf150ddc70fb", + "type": "query", + "version": 213 + }, + "e555105c-ba6d-481f-82bb-9b633e7b4827": { + "rule_name": "MFA Disabled for Google Workspace Organization", + "sha256": "c208e0210c900747a4eaa68c93e32df981d3e2f5bb72a17177582c3b6ea60501", + "type": "query", + "version": 206 + }, + "e56993d2-759c-4120-984c-9ec9bb940fd5": { + "rule_name": "RDP (Remote Desktop Protocol) to the Internet", + "sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed", + "type": "query", + "version": 100 
+ }, + "e6c1a552-7776-44ad-ae0f-8746cc07773c": { + "rule_name": "Bash Shell Profile Modification", + "sha256": "bc03a7affdb0db7aca8cb74b550750403c0cc22f1f31640dabbcf506dd04b2b3", + "type": "query", + "version": 104 + }, + "e6c98d38-633d-4b3e-9387-42112cd5ac10": { + "rule_name": "Authorization Plugin Modification", + "sha256": "ef208b091fc4ad2aa8c598a1e11c2de761824f498ee049b117285c932936bb8e", + "type": "query", + "version": 107 + }, + "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { + "rule_name": "Possible Okta DoS Attack", + "sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579", + "type": "query", + "version": 207 + }, + "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { + "rule_name": "Screensaver Plist File Modified by Unexpected Process", + "sha256": "226d7ec9a8d7ef8ee5497afe3c062dd60f96978b4e83c4327ab07af37b0e5b51", + "type": "eql", + "version": 107 + }, + "e7075e8d-a966-458e-a183-85cd331af255": { + "rule_name": "Default Cobalt Strike Team Server Certificate", + "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e", + "type": "query", + "version": 104 + }, + "e707a7be-cc52-41ac-8ab3-d34b38c20005": { + "rule_name": "Potential Credential Access via Memory Dump File Creation", + "sha256": "a39d7d4e32b2b06c056764ba041c47a02fd5e39717b5db77d6827117dc870c62", + "type": "eql", + "version": 3 + }, + "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 206, "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "a7f9e12e26f22539b2c1e4f2c784361d72a1bbc261ff0bc1fa9ba30bb48845a1", + "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478", "type": "eql", - "version": 207 - }, - "e72f87d0-a70e-4f8d-8443-a6407bc34643": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 205, - "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": 
"4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", - "type": "eql", - "version": 106 - } - }, + "version": 107 + } + }, + "rule_name": "Execution of Persistent Suspicious Program", + "sha256": "a7f9e12e26f22539b2c1e4f2c784361d72a1bbc261ff0bc1fa9ba30bb48845a1", + "type": "eql", + "version": 207 + }, + "e72f87d0-a70e-4f8d-8443-a6407bc34643": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "06bda64b32dbb62509ffcf7e3377fab8e420bc69ab7b80f0984dba9a06b99a0c", + "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", "type": "eql", - "version": 206 - }, - "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { - "rule_name": "Potential Windows Session Hijacking via CcmExec", - "sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a", + "version": 106 + } + }, + "rule_name": "Suspicious WMI Event Subscription Created", + "sha256": "06bda64b32dbb62509ffcf7e3377fab8e420bc69ab7b80f0984dba9a06b99a0c", + "type": "eql", + "version": 206 + }, + "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47": { + "rule_name": "Potential Windows Session Hijacking via CcmExec", + "sha256": "0bb32a27d1f4286cf963fe0af6c21dba8716c0bc8a3b250af1d0b62993eda76a", + "type": "eql", + "version": 1 + }, + "e74d645b-fec6-431e-bf93-ca64a538e0de": { + "rule_name": "Unusual Process For MSSQL Service Accounts", + "sha256": "25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8", + "type": "eql", + "version": 4 + }, + "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, + "rule_name": "Unusual Execution via Microsoft Common Console File", + "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35", "type": "eql", "version": 1 - }, - "e74d645b-fec6-431e-bf93-ca64a538e0de": { - "rule_name": "Unusual Process For MSSQL Service Accounts", - "sha256": 
"25ab58cb351438a03b9bae33943b1e2f27038ddab7e44da1138534c0962b40d8", - "type": "eql", - "version": 4 - }, - "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35", - "type": "eql", - "version": 1 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "8aa16b6d5c72cbd8db236cecb394fdb3419409a9334e5de3e489cba322b17da1", - "type": "eql", - "version": 101 - } - }, + }, + "8.13": { + "max_allowable_version": 200, "rule_name": "Unusual Execution via Microsoft Common Console File", - "sha256": "91c9567bb907691834edbcbf81478eea228783238516ba4840d2a6678945a3f7", - "type": "eql", - "version": 201 - }, - "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { - "rule_name": "Potential Linux Credential Dumping via Unshadow", - "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", - "type": "eql", - "version": 8 - }, - "e7cd5982-17c8-4959-874c-633acde7d426": { - "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112", - "type": "query", - "version": 207 - }, - "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { - "rule_name": "Network Connection by Cups or Foomatic-rip Child", - "sha256": "5537d2a44f881bfebdb8606aac6d5674c620607d55bb4822209da2cb5f3caa40", + "sha256": "8aa16b6d5c72cbd8db236cecb394fdb3419409a9334e5de3e489cba322b17da1", "type": "eql", - "version": 1 - }, - "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "23319cac9de2bde953f91039aa5aaf01a9dee132682c44d6c32a15b80a48bc70", - "type": "eql", - "version": 112 - } - }, + "version": 101 + } + 
}, + "rule_name": "Unusual Execution via Microsoft Common Console File", + "sha256": "91c9567bb907691834edbcbf81478eea228783238516ba4840d2a6678945a3f7", + "type": "eql", + "version": 201 + }, + "e7cb3cfd-aaa3-4d7b-af18-23b89955062c": { + "rule_name": "Potential Linux Credential Dumping via Unshadow", + "sha256": "9f5e4df959c1865722b929f62227913e0415b091e5be48dc94f3037768b94393", + "type": "eql", + "version": 8 + }, + "e7cd5982-17c8-4959-874c-633acde7d426": { + "rule_name": "AWS Route Table Modified or Deleted", + "sha256": "811d4c47d79d5e63a6d39a14a0e8c4c6d8bdc81b09f09705f57ce46905ea4112", + "type": "query", + "version": 207 + }, + "e80ee207-9505-49ab-8ca8-bc57d80e2cab": { + "rule_name": "Network Connection by Cups or Foomatic-rip Child", + "sha256": "5537d2a44f881bfebdb8606aac6d5674c620607d55bb4822209da2cb5f3caa40", + "type": "eql", + "version": 1 + }, + "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "9d84a554b92f15502ea0ccfddab98366f884adce501508ea2ebdf867c9e9a168", + "sha256": "23319cac9de2bde953f91039aa5aaf01a9dee132682c44d6c32a15b80a48bc70", "type": "eql", - "version": 212 - }, - "e86da94d-e54b-4fb5-b96c-cecff87e8787": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Installation of Security Support Provider", - "sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Installation of Security Support Provider", - "sha256": "3d579bb92fe8249d3708f287ce73068e3e1eb7d3da4d7457b71e6c95ec5e6491", - "type": "eql", - "version": 209 - } - }, + "version": 112 + } + }, + "rule_name": "Service Control Spawned via Script Interpreter", + "sha256": "a674e578cfbef5b95a62b11671aeca823f09b5f2f63129f91f2557fa46d972e4", + "type": "eql", + 
"version": 213 + }, + "e86da94d-e54b-4fb5-b96c-cecff87e8787": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Installation of Security Support Provider", - "sha256": "e863b1547c1a211479f64783701a48f31459decaff80471ecc40d7b3f7d64f0d", - "type": "eql", - "version": 309 - }, - "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "a8d0addea981abc201c8075ddf84cc71cf8e889932f1c06e212d64d43a19f083", + "sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7", "type": "eql", - "version": 107 - }, - "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { - "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", - "sha256": "14242eb38154b8a8e1a58bf61c0bfb74b5979a402c8daf3ac16d945e00cfd816", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Installation of Security Support Provider", + "sha256": "3d579bb92fe8249d3708f287ce73068e3e1eb7d3da4d7457b71e6c95ec5e6491", "type": "eql", - "version": 2 - }, - "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { - "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", - "sha256": "53547d9a43a3fc0d757d092bb75810899bd2886e9a0ff67b393c97c069bd4753", - "type": "new_terms", - "version": 107 - }, - "e90ee3af-45fc-432e-a850-4a58cf14a457": { - "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4", - "type": "threshold", "version": 209 - }, - "e919611d-6b6f-493b-8314-7ed6ac2e413b": { - "rule_name": "AWS EC2 VM Export Failure", - "sha256": 
"ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c", - "type": "query", - "version": 206 - }, - "e92c99b6-c547-4bb6-b244-2f27394bc849": { - "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", - "sha256": "97e36f64a18b7742354c75783032d8c937129028e729388f75253413f03292d8", - "type": "machine_learning", - "version": 4 - }, - "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "9273914a7b7945fd48d1b65cbaca22cac9b1a363e215a919dfc7d7f2023e6a9b", - "type": "eql", - "version": 211 - } - }, - "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "3472059c099b888efa866c73f5ebda8a7cdd81a96a7c4c6c01e327c1d1fa2aa6", + } + }, + "rule_name": "Installation of Security Support Provider", + "sha256": "e863b1547c1a211479f64783701a48f31459decaff80471ecc40d7b3f7d64f0d", + "type": "eql", + "version": 309 + }, + "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, + "rule_name": "Host Files System Changes via Windows Subsystem for Linux", + "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006", "type": "eql", - "version": 311 - }, - "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { - "rule_name": "Potential LSA Authentication Package Abuse", - "sha256": "85a69d2c3599e4ee1bee8122b9a14c0b9148c3db5d510013e18e96dd0f9ec389", + "version": 7 + } + }, + "rule_name": "Host Files System Changes via Windows Subsystem for Linux", + "sha256": "a8d0addea981abc201c8075ddf84cc71cf8e889932f1c06e212d64d43a19f083", + "type": "eql", + 
"version": 107 + }, + "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { + "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", + "sha256": "14242eb38154b8a8e1a58bf61c0bfb74b5979a402c8daf3ac16d945e00cfd816", + "type": "eql", + "version": 2 + }, + "e9001ee6-2d00-4d2f-849e-b8b1fb05234c": { + "rule_name": "Suspicious System Commands Executed by Previously Unknown Executable", + "sha256": "53547d9a43a3fc0d757d092bb75810899bd2886e9a0ff67b393c97c069bd4753", + "type": "new_terms", + "version": 107 + }, + "e90ee3af-45fc-432e-a850-4a58cf14a457": { + "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", + "sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425", + "type": "threshold", + "version": 210 + }, + "e919611d-6b6f-493b-8314-7ed6ac2e413b": { + "rule_name": "AWS EC2 VM Export Failure", + "sha256": "ddfa3e022f23c8689c14e4a4abba71826f9ad576159d7e3d70ee93634965dd8c", + "type": "query", + "version": 206 + }, + "e92c99b6-c547-4bb6-b244-2f27394bc849": { + "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", + "sha256": "97e36f64a18b7742354c75783032d8c937129028e729388f75253413f03292d8", + "type": "machine_learning", + "version": 4 + }, + "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Unusual Executable File Creation by a System Critical Process", + "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f", "type": "eql", - "version": 106 - }, - "e9b0902b-c515-413b-b80b-a8dcebc81a66": { - "rule_name": "Spike in Remote File Transfers", - "sha256": "f9cfa49163402d6de09bf8956e320315bd0c937785ed3267ad306470bc834a69", - "type": "machine_learning", - "version": 4 - }, - "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { - "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", - "sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a", + "version": 111 + }, + 
"8.13": { + "max_allowable_version": 310, + "rule_name": "Unusual Executable File Creation by a System Critical Process", + "sha256": "9273914a7b7945fd48d1b65cbaca22cac9b1a363e215a919dfc7d7f2023e6a9b", "type": "eql", - "version": 100 - }, - "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { - "rule_name": "Azure Automation Webhook Created", - "sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078", - "type": "query", - "version": 102 - }, - "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { - "rule_name": "SSH (Secure Shell) from the Internet", - "sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa", - "type": "query", - "version": 100 - }, - "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879", - "type": "machine_learning", - "version": 7 - } - }, + "version": 211 + } + }, + "rule_name": "Unusual Executable File Creation by a System Critical Process", + "sha256": "3472059c099b888efa866c73f5ebda8a7cdd81a96a7c4c6c01e327c1d1fa2aa6", + "type": "eql", + "version": 311 + }, + "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { + "rule_name": "Potential LSA Authentication Package Abuse", + "sha256": "85a69d2c3599e4ee1bee8122b9a14c0b9148c3db5d510013e18e96dd0f9ec389", + "type": "eql", + "version": 106 + }, + "e9b0902b-c515-413b-b80b-a8dcebc81a66": { + "rule_name": "Spike in Remote File Transfers", + "sha256": "f9cfa49163402d6de09bf8956e320315bd0c937785ed3267ad306470bc834a69", + "type": "machine_learning", + "version": 4 + }, + "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { + "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", + "sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a", + "type": "eql", + "version": 100 + }, + "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { + "rule_name": "Azure Automation 
Webhook Created", + "sha256": "064a5bf18acba039757d18c76b42acec87f1e497cf8143bc705af25765204078", + "type": "query", + "version": 102 + }, + "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { + "rule_name": "SSH (Secure Shell) from the Internet", + "sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa", + "type": "query", + "version": 100 + }, + "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a Parent Process", - "sha256": "273ab111885b862ada1a91bda7e0c52c082564cfb0bd6c60905f01285ffdc336", - "type": "machine_learning", - "version": 107 - }, - "ea248a02-bc47-4043-8e94-2885b19b2636": { - "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3", - "type": "threshold", - "version": 210 - }, - "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { - "rule_name": "Spike in Firewall Denies", - "sha256": "260bc7516505de6ab2ad79dccd957b4dc8c0f76dcbf987df647077cc0ced1f52", + "sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879", "type": "machine_learning", - "version": 104 - }, - "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { - "rule_name": "Suspicious APT Package Manager Network Connection", - "sha256": "805fa189545f981d575ddc36086ba698c6cab425b1ecf2c09c8f857aa7db539f", - "type": "eql", - "version": 4 - }, - "eb079c62-4481-4d6e-9643-3ca499df7aaa": { - "rule_name": "External Alerts", - "sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6", - "type": "query", - "version": 103 - }, - "eb44611f-62a8-4036-a5ef-587098be6c43": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", - "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad", - "type": "query", - "version": 6 - } - }, + "version": 7 + } + }, + 
"rule_name": "Unusual Process Spawned by a Parent Process", + "sha256": "273ab111885b862ada1a91bda7e0c52c082564cfb0bd6c60905f01285ffdc336", + "type": "machine_learning", + "version": 107 + }, + "ea248a02-bc47-4043-8e94-2885b19b2636": { + "rule_name": "AWS IAM Brute Force of Assume Role Policy", + "sha256": "a85c08a5d1c0cadd8fa55b0fa4148eb871692edcabdc994258fd047949fc51c3", + "type": "threshold", + "version": 210 + }, + "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { + "rule_name": "Spike in Firewall Denies", + "sha256": "260bc7516505de6ab2ad79dccd957b4dc8c0f76dcbf987df647077cc0ced1f52", + "type": "machine_learning", + "version": 104 + }, + "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { + "rule_name": "Suspicious APT Package Manager Network Connection", + "sha256": "805fa189545f981d575ddc36086ba698c6cab425b1ecf2c09c8f857aa7db539f", + "type": "eql", + "version": 4 + }, + "eb079c62-4481-4d6e-9643-3ca499df7aaa": { + "rule_name": "External Alerts", + "sha256": "8abb5aaa7b7120ccd0f4b723b4d43ede8ef4179dfd361a78a77fb3e7501947b6", + "type": "query", + "version": 103 + }, + "eb44611f-62a8-4036-a5ef-587098be6c43": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", - "sha256": "452345c390a3f58cffe2ad756b136a031115a28fa4243770374662c6c857f01a", + "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad", "type": "query", - "version": 106 - }, - "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", - "type": "query", - "version": 113 - } - }, + "version": 6 + } + }, + "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", + "sha256": "452345c390a3f58cffe2ad756b136a031115a28fa4243770374662c6c857f01a", + "type": "query", + "version": 
106 + }, + "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "d7f6edb6af54dfc5d3bce2f5f8cd4bd2b869f751dbfe299e4cff67a302c6cae8", + "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", "type": "query", - "version": 213 - }, - "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { - "rule_name": "Suspicious Network Connection Attempt by Root", - "sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e", - "type": "eql", - "version": 104 - }, - "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { - "rule_name": "Potential Disabling of SELinux", - "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", + "version": 113 + } + }, + "rule_name": "PowerShell Kerberos Ticket Request", + "sha256": "d7f6edb6af54dfc5d3bce2f5f8cd4bd2b869f751dbfe299e4cff67a302c6cae8", + "type": "query", + "version": 213 + }, + "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { + "rule_name": "Suspicious Network Connection Attempt by Root", + "sha256": "7a02f3f1c3af4c212b9b07f86517b323423c7f03670c51025f5a7ea876473d5e", + "type": "eql", + "version": 104 + }, + "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { + "rule_name": "Potential Disabling of SELinux", + "sha256": "40ab8ab43acdf3a9d7783d20ac3658086a45ff61e1871fe984d77c6a1d3984ef", + "type": "eql", + "version": 110 + }, + "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, + "rule_name": "Mimikatz Memssp Log File Detected", + "sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140", "type": "eql", "version": 110 - }, - "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": 
"1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 411, - "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "68b70fb7a0759edb5d4057074ce39e0a9d16c36f7e65d6fdcdfb8e6872bfbbc7", - "type": "eql", - "version": 312 - } - }, + }, + "8.13": { + "max_allowable_version": 411, "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "b5e1dca924f5d9acc2bbfe1082785ef9458b056c40140e162d7526060d6bdbdb", - "type": "eql", - "version": 412 - }, - "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "IIS HTTP Logging Disabled", - "sha256": "1d1a052986ba865ecb1849338b1b869d684513a6631e04cab4c9db4a1eed568f", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "IIS HTTP Logging Disabled", - "sha256": "efe3336c2caa03ca5f2f4c180030a6988719173b020f4ef0b6328548942e1cc0", - "type": "eql", - "version": 211 - } - }, + "sha256": "68b70fb7a0759edb5d4057074ce39e0a9d16c36f7e65d6fdcdfb8e6872bfbbc7", + "type": "eql", + "version": 312 + } + }, + "rule_name": "Mimikatz Memssp Log File Detected", + "sha256": "b5e1dca924f5d9acc2bbfe1082785ef9458b056c40140e162d7526060d6bdbdb", + "type": "eql", + "version": 412 + }, + "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "IIS HTTP Logging Disabled", - "sha256": "6ca7ac7be29bbc0c72cd6e83c0d78ed29003c5bef3a8a9ed922af991e02c2479", + "sha256": "1d1a052986ba865ecb1849338b1b869d684513a6631e04cab4c9db4a1eed568f", "type": "eql", - "version": 311 - }, - "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Process Execution from an Unusual Directory", - "sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce", - 
"type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Process Execution from an Unusual Directory", - "sha256": "7b1ad0930e0d399848cb3814f29f4114d11dc749c1117fe69b11dcfda2aa05d4", - "type": "eql", - "version": 213 - } - }, - "rule_name": "Process Execution from an Unusual Directory", - "sha256": "b5ef38fb69f464a4b3a78df77efdff1973928840166119bd81ec4834d944cac2", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "IIS HTTP Logging Disabled", + "sha256": "efe3336c2caa03ca5f2f4c180030a6988719173b020f4ef0b6328548942e1cc0", "type": "eql", - "version": 313 - }, - "ec604672-bed9-43e1-8871-cf591c052550": { - "rule_name": "File Made Executable via Chmod Inside A Container", - "sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54", + "version": 211 + } + }, + "rule_name": "IIS HTTP Logging Disabled", + "sha256": "93b513e8ce449023833b25afd4c092d6d39708e07c92d3169dd2fe80a10617d7", + "type": "eql", + "version": 312 + }, + "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, + "rule_name": "Process Execution from an Unusual Directory", + "sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce", "type": "eql", - "version": 2 - }, - "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { - "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df", - "type": "query", - "version": 206 - }, - "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": { - "rule_name": "Unusual Instance Metadata Service (IMDS) API Request", - "sha256": "61702c8dcf0374f8bb444a8a111fb32779c6ef86dbbfa133ec1fdb56321c8db1", + "version": 113 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Process Execution from an Unusual Directory", + "sha256": "7b1ad0930e0d399848cb3814f29f4114d11dc749c1117fe69b11dcfda2aa05d4", "type": "eql", - "version": 2 - }, - 
"ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { - "rule_name": "Executable File with Unusual Extension", - "sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509", + "version": 213 + } + }, + "rule_name": "Process Execution from an Unusual Directory", + "sha256": "b5ef38fb69f464a4b3a78df77efdff1973928840166119bd81ec4834d944cac2", + "type": "eql", + "version": 313 + }, + "ec604672-bed9-43e1-8871-cf591c052550": { + "rule_name": "File Made Executable via Chmod Inside A Container", + "sha256": "20c2ee6633bad709523ecb7a36a5e666212d251d264feca7543facf2bb56ea54", + "type": "eql", + "version": 2 + }, + "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { + "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", + "sha256": "98615f87ce24445df876a6f771b6899cfdecbd5028d5167fb5f060c7d2cb44df", + "type": "query", + "version": 206 + }, + "ecc0cd54-608e-11ef-ab6d-f661ea17fbce": { + "rule_name": "Unusual Instance Metadata Service (IMDS) API Request", + "sha256": "61702c8dcf0374f8bb444a8a111fb32779c6ef86dbbfa133ec1fdb56321c8db1", + "type": "eql", + "version": 2 + }, + "ecd4857b-5bac-455e-a7c9-a88b66e56a9e": { + "rule_name": "Executable File with Unusual Extension", + "sha256": "0dbad6fbc2a61e15df204d363878baabb0a87b3aacc37a8ffc8044d8bb20d509", + "type": "eql", + "version": 2 + }, + "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { + "rule_name": "AWS RDS Instance/Cluster Stoppage", + "sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58", + "type": "query", + "version": 206 + }, + "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { + "rule_name": "Azure Global Administrator Role Addition to PIM User", + "sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c", + "type": "query", + "version": 102 + }, + "eda499b8-a073-4e35-9733-22ec71f57f3a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, + "rule_name": "AdFind Command Activity", + "sha256": 
"c46b6502090d25c7bb5161cdb2c5e4487119fface180acbec85cd9f704de19b1", "type": "eql", - "version": 2 - }, - "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { - "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "597f9aec8295f443a639129b9f673f0e3302a48b8ba1f7a3eab0de937bc34d58", - "type": "query", - "version": 206 - }, - "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { - "rule_name": "Azure Global Administrator Role Addition to PIM User", - "sha256": "05eb2cfe7c6c45d6ae432cf2c83e8d0a56cb0a6c5111004de8625830d13ee06c", - "type": "query", - "version": 102 - }, - "eda499b8-a073-4e35-9733-22ec71f57f3a": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "AdFind Command Activity", - "sha256": "c46b6502090d25c7bb5161cdb2c5e4487119fface180acbec85cd9f704de19b1", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "AdFind Command Activity", - "sha256": "39ddeac69ba7e957dbde30dd6afb1b62daefa13143c99fcc1c9131251c2da3f1", - "type": "eql", - "version": 213 - } - }, + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, "rule_name": "AdFind Command Activity", - "sha256": "d863a7596530492c84db5da6466f1f928b659b35bbe664ceec817a51ed6e9f43", + "sha256": "39ddeac69ba7e957dbde30dd6afb1b62daefa13143c99fcc1c9131251c2da3f1", "type": "eql", - "version": 313 - }, - "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { - "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05", - "type": "query", - "version": 207 - }, - "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "d9390521fb8ec490fd84fdba1668ebb433862673b898bc446455d90b71cd13a8", - "type": "eql", - "version": 113 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "ImageLoad via Windows Update 
Auto Update Client", - "sha256": "bdcf41c9d261562501f02bbc0fdf00741c278f827f8c4b389c9b44351aaa466b", - "type": "eql", - "version": 213 - } - }, + "version": 213 + } + }, + "rule_name": "AdFind Command Activity", + "sha256": "666a39201e6cd023560381806ba6b8b178ce2bc7596b8084f46b63bec57859a2", + "type": "eql", + "version": 314 + }, + "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { + "rule_name": "Attempt to Deactivate an Okta Application", + "sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a", + "type": "query", + "version": 208 + }, + "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "15af03b375dfbb577b260c1dc2e173682a9da02d1b5196176f5a97851c45fff2", + "sha256": "d9390521fb8ec490fd84fdba1668ebb433862673b898bc446455d90b71cd13a8", "type": "eql", - "version": 313 - }, - "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { - "rule_name": "Linux User Account Creation", - "sha256": "4af9d5eb4553ab22a10d185542796bf3827c9c57126d958da584089a9b4181a6", + "version": 113 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "ImageLoad via Windows Update Auto Update Client", + "sha256": "bdcf41c9d261562501f02bbc0fdf00741c278f827f8c4b389c9b44351aaa466b", "type": "eql", - "version": 6 - }, - "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { - "rule_name": "Okta FastPass Phishing Detection", - "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c", - "type": "query", - "version": 104 - }, - "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Unusual Print Spooler Child Process", - "sha256": "1c4b115ce0bde803fa63edbabb634df01af0720cabb3012ed329a5031cd7c961", - "type": "eql", - "version": 109 - } - }, + "version": 213 + } + }, + "rule_name": "ImageLoad via Windows Update Auto Update Client", + 
"sha256": "b1477cad6a3940c5331b5aac48248d75f2d9628f206c15ca3a83c52a0f2fde0d", + "type": "eql", + "version": 314 + }, + "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { + "rule_name": "Linux User Account Creation", + "sha256": "4af9d5eb4553ab22a10d185542796bf3827c9c57126d958da584089a9b4181a6", + "type": "eql", + "version": 6 + }, + "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { + "rule_name": "Okta FastPass Phishing Detection", + "sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54", + "type": "query", + "version": 105 + }, + "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Unusual Print Spooler Child Process", - "sha256": "986186036dc086ae57af371ae59653ca11d16660a1311a709a7137fa6c7e6fd5", - "type": "eql", - "version": 209 - }, - "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { - "rule_name": "Shortcut File Written or Modified on Startup Folder", - "sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662", - "type": "eql", - "version": 2 - }, - "ee619805-54d7-4c56-ba6f-7717282ddd73": { - "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", - "sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80", - "type": "eql", - "version": 100 - }, - "eea82229-b002-470e-a9e1-00be38b14d32": { - "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc", - "type": "eql", - "version": 107 - }, - "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { - "rule_name": "BPF filter applied using TC", - "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", - "type": "eql", - "version": 108 - }, - "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { - "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", - "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", + "sha256": 
"1c4b115ce0bde803fa63edbabb634df01af0720cabb3012ed329a5031cd7c961", "type": "eql", - "version": 7 - }, - "ef65e82c-d8b4-4895-9824-5f6bc6166804": { - "rule_name": "Potential Container Escape via Modified notify_on_release File", - "sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04", - "type": "eql", - "version": 1 - }, - "ef862985-3f13-4262-a686-5f357bbb9bc2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Whoami Process Activity", - "sha256": "85fc0e0d9af73aa5f5fc4dd729db10425c22c61214f864625a235cffcca9c508", - "type": "eql", - "version": 113 - } - }, + "version": 109 + } + }, + "rule_name": "Unusual Print Spooler Child Process", + "sha256": "986186036dc086ae57af371ae59653ca11d16660a1311a709a7137fa6c7e6fd5", + "type": "eql", + "version": 209 + }, + "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { + "rule_name": "Shortcut File Written or Modified on Startup Folder", + "sha256": "521aaa3ca230327e4d8a00478e8ca676b40727c00d7a32e0e76210c927f99662", + "type": "eql", + "version": 2 + }, + "ee619805-54d7-4c56-ba6f-7717282ddd73": { + "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", + "sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80", + "type": "eql", + "version": 100 + }, + "eea82229-b002-470e-a9e1-00be38b14d32": { + "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", + "sha256": "1650c91ed1f40d868155851c6a47fc4a0d7b9e3acc49ca5a3a94bf02d47454fc", + "type": "eql", + "version": 107 + }, + "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { + "rule_name": "BPF filter applied using TC", + "sha256": "1c7ddc592ac0564b1dd00cf9e28b5abb2f8aab7029e47b5267efa0082a5127a2", + "type": "eql", + "version": 108 + }, + "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311": { + "rule_name": "Potential Linux Credential Dumping via Proc Filesystem", + "sha256": "5fde0d101ad60721c4369e510760dbc8596c6e42f17cccdf2857b69cd04aeeb7", + "type": "eql", + "version": 7 + }, + 
"ef65e82c-d8b4-4895-9824-5f6bc6166804": { + "rule_name": "Potential Container Escape via Modified notify_on_release File", + "sha256": "9bda21518b9733432c642587f1e1a1beb87b1651d0d838fa1cd342d16bbace04", + "type": "eql", + "version": 1 + }, + "ef862985-3f13-4262-a686-5f357bbb9bc2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Whoami Process Activity", - "sha256": "214f8fb47c57ac54428d1979e50f4e691ccd265637670689bfab291afa11f712", + "sha256": "85fc0e0d9af73aa5f5fc4dd729db10425c22c61214f864625a235cffcca9c508", "type": "eql", - "version": 213 - }, - "ef8cc01c-fc49-4954-a175-98569c646740": { - "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", - "sha256": "90d364f8a22a46e10400502782f9e63b502856dae193ee242c9df80b475350ca", - "type": "machine_learning", - "version": 4 - }, - "f036953a-4615-4707-a1ca-dc53bf69dcd5": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe", - "type": "eql", - "version": 108 - } - }, + "version": 113 + } + }, + "rule_name": "Whoami Process Activity", + "sha256": "214f8fb47c57ac54428d1979e50f4e691ccd265637670689bfab291afa11f712", + "type": "eql", + "version": 213 + }, + "ef8cc01c-fc49-4954-a175-98569c646740": { + "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", + "sha256": "90d364f8a22a46e10400502782f9e63b502856dae193ee242c9df80b475350ca", + "type": "machine_learning", + "version": 4 + }, + "f036953a-4615-4707-a1ca-dc53bf69dcd5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "c27a1557272e16660b29e32abdf339448cda357be42a5df8ff09e7cd7089e867", - "type": "eql", - "version": 208 - }, - "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { - "rule_name": 
"Suspicious HTML File Creation", - "sha256": "30a4a9a823ba20654cac348d46d6ed2d266e48a105d74d2b07cd97485f45e644", + "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe", "type": "eql", "version": 108 - }, - "f06414a6-f2a4-466d-8eba-10f85e8abf71": { - "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", - "type": "query", - "version": 206 - }, - "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { - "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", - "sha256": "910384ce8b7a90baf6621c861b7a046f4764fa0a712b0a51e2aaf95bc8363a39", - "type": "eql", - "version": 109 - }, - "f0bc081a-2346-4744-a6a4-81514817e888": { - "rule_name": "Azure Alert Suppression Rule Created or Modified", - "sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270", - "type": "query", - "version": 102 - }, - "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { - "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb", - "type": "query", - "version": 106 - }, - "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { - "rule_name": "Potential Remote Code Execution via Web Server", - "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", - "type": "eql", - "version": 7 - }, - "f18a474c-3632-427f-bcf5-363c994309ee": { - "rule_name": "Process Capability Set via setcap Utility", - "sha256": "d33378c5ef77b55469ab49d5282bcb0e357dc6b4cf3f8ff308937bc39f50f0e2", - "type": "eql", - "version": 1 - }, - "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { - "rule_name": "Forwarded Google Workspace Security Alert", - "sha256": "da7ef3b91f3643cdf38700c894afdb9c990e17ed9711f5e4a7e4133589c98b04", - "type": "query", - "version": 3 - }, - "f2015527-7c46-4bb9-80db-051657ddfb69": { - "rule_name": "AWS RDS DB Instance or Cluster Password Modified", - "sha256": 
"4e740008509defdc52f3ce580a43a0c02b9f679ad77ebf0f4136253adef5b1ec", - "type": "eql", - "version": 2 - }, - "f243fe39-83a4-46f3-a3b6-707557a102df": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "Service Path Modification", - "sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599", - "type": "eql", - "version": 5 - } - }, + } + }, + "rule_name": "Unusual Child Processes of RunDLL32", + "sha256": "c27a1557272e16660b29e32abdf339448cda357be42a5df8ff09e7cd7089e867", + "type": "eql", + "version": 208 + }, + "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { + "rule_name": "Suspicious HTML File Creation", + "sha256": "30a4a9a823ba20654cac348d46d6ed2d266e48a105d74d2b07cd97485f45e644", + "type": "eql", + "version": 108 + }, + "f06414a6-f2a4-466d-8eba-10f85e8abf71": { + "rule_name": "Administrator Role Assigned to an Okta User", + "sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1", + "type": "query", + "version": 207 + }, + "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { + "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", + "sha256": "910384ce8b7a90baf6621c861b7a046f4764fa0a712b0a51e2aaf95bc8363a39", + "type": "eql", + "version": 109 + }, + "f0bc081a-2346-4744-a6a4-81514817e888": { + "rule_name": "Azure Alert Suppression Rule Created or Modified", + "sha256": "1dce5b8c0bd067b1f048753efed2565f84b6d4c289bed2adbc7a6bf3f8a89270", + "type": "query", + "version": 102 + }, + "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { + "rule_name": "Execution with Explicit Credentials via Scripting", + "sha256": "ac32250e0d57be9cd4a514aa350f9b0b90ef286c6c75fe6f8ab0e6fc775d76cb", + "type": "query", + "version": 106 + }, + "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": { + "rule_name": "Potential Remote Code Execution via Web Server", + "sha256": "bea6f0f6ac6a7dcc6cc8784ca4831945d99664237de3f781a9336b2a748346f7", + "type": "eql", + "version": 7 + }, + "f18a474c-3632-427f-bcf5-363c994309ee": { 
+ "rule_name": "Process Capability Set via setcap Utility", + "sha256": "d33378c5ef77b55469ab49d5282bcb0e357dc6b4cf3f8ff308937bc39f50f0e2", + "type": "eql", + "version": 1 + }, + "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc": { + "rule_name": "Forwarded Google Workspace Security Alert", + "sha256": "da7ef3b91f3643cdf38700c894afdb9c990e17ed9711f5e4a7e4133589c98b04", + "type": "query", + "version": 3 + }, + "f2015527-7c46-4bb9-80db-051657ddfb69": { + "rule_name": "AWS RDS DB Instance or Cluster Password Modified", + "sha256": "4e740008509defdc52f3ce580a43a0c02b9f679ad77ebf0f4136253adef5b1ec", + "type": "eql", + "version": 2 + }, + "f243fe39-83a4-46f3-a3b6-707557a102df": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, "rule_name": "Service Path Modification", - "sha256": "a707712ab1a8884c4ac8dd000630745507c22979577802994c2e9d0ab4b5e091", - "type": "eql", - "version": 105 - }, - "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { - "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3", - "type": "eql", - "version": 108 - }, - "f28e2be4-6eca-4349-bdd9-381573730c22": { - "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "54bc98f1c6f0db859bc9db57ce3fa7033db199f814bbc55ce03bc6940bd8efe2", - "type": "eql", - "version": 110 - }, - "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "SIP Provider Modification", - "sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "SIP Provider Modification", - "sha256": "d738dfc708658d71ae14be394ef74073c038935186dcd52452963824dcff6832", - "type": "eql", - "version": 210 - } - }, - "rule_name": "SIP Provider Modification", - "sha256": 
"ee278465be6f3dbb091ce5d5a2f86ef626accfc7c850b1fa069f00a2fd0b4b72", - "type": "eql", - "version": 310 - }, - "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "LSASS Memory Dump Creation", - "sha256": "7e795307c7ee80d811f2bdbe317f0b5e563dbd232e6ff795ecb0a1f21dd1e2c4", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "LSASS Memory Dump Creation", - "sha256": "14a9d741acb3030e8466bf9a59a206544298e89f5fc3fee49bf83f99a7e052fd", - "type": "eql", - "version": 211 - } - }, - "rule_name": "LSASS Memory Dump Creation", - "sha256": "254a89261a7919cd601e7aa8a8c9aafa993f9a2f38062b4f3f6b1839c39a0993", - "type": "eql", - "version": 311 - }, - "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { - "rule_name": "AWS RDS Instance Creation", - "sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166", - "type": "query", - "version": 206 - }, - "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { - "rule_name": "Google Workspace Object Copied to External Drive with App Consent", - "sha256": "3ac6f85158571e7ae9821f8407cf1039e071354f5ae798cd907c077d71b4ef58", + "sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599", "type": "eql", - "version": 7 - }, - "f3403393-1fd9-4686-8f6e-596c58bc00b4": { - "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", - "sha256": "5111cc2b59ff5a00ad2e2d02625d13fb2da0a6e5c8a7c7cf41cb0c023d1f0321", - "type": "query", "version": 5 - }, - "f3475224-b179-4f78-8877-c2bd64c26b88": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "WMI Incoming Lateral Movement", - "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", - "type": "eql", - "version": 110 - } - }, - "rule_name": "WMI Incoming Lateral Movement", - "sha256": "f68bad409924e59b8443d6a7bfa105b2b48cb4d88da36172d95d7094cb3a3375", + } 
+ }, + "rule_name": "Service Path Modification", + "sha256": "a707712ab1a8884c4ac8dd000630745507c22979577802994c2e9d0ab4b5e091", + "type": "eql", + "version": 105 + }, + "f24bcae1-8980-4b30-b5dd-f851b055c9e7": { + "rule_name": "Creation of Hidden Login Item via Apple Script", + "sha256": "1d2b9d1b4fb9b805f30bc47377d70694f4ecd0704dfc2df0c47459605af6d2b3", + "type": "eql", + "version": 108 + }, + "f28e2be4-6eca-4349-bdd9-381573730c22": { + "rule_name": "Potential OpenSSH Backdoor Logging Activity", + "sha256": "54bc98f1c6f0db859bc9db57ce3fa7033db199f814bbc55ce03bc6940bd8efe2", + "type": "eql", + "version": 110 + }, + "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, + "rule_name": "SIP Provider Modification", + "sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e", + "type": "eql", + "version": 110 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "SIP Provider Modification", + "sha256": "d738dfc708658d71ae14be394ef74073c038935186dcd52452963824dcff6832", "type": "eql", "version": 210 - }, - "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { - "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c", - "type": "threshold", - "version": 104 - }, - "f3818c85-2207-4b51-8a28-d70fb156ee87": { - "rule_name": "Suspicious Network Connection via systemd", - "sha256": "45c7e70c63f0babc04075bb7fcacaf276c43f3f76f27788e95a22486dc947598", + } + }, + "rule_name": "SIP Provider Modification", + "sha256": "ee278465be6f3dbb091ce5d5a2f86ef626accfc7c850b1fa069f00a2fd0b4b72", + "type": "eql", + "version": 310 + }, + "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "LSASS Memory Dump Creation", + "sha256": "7e795307c7ee80d811f2bdbe317f0b5e563dbd232e6ff795ecb0a1f21dd1e2c4", "type": "eql", - "version": 3 - }, 
- "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { - "rule_name": "Threat Intel URL Indicator Match", - "sha256": "cf0a030c5e18e30adb504961ef9b25c02002c86f068800908ed13e0f329267de", - "type": "threat_match", - "version": 7 - }, - "f41296b4-9975-44d6-9486-514c6f635b2d": { - "rule_name": "Potential curl CVE-2023-38545 Exploitation", - "sha256": "a4f60de34a9b8854d098412627c483a602372a1752481e4bb94ee32edabdfeb4", + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "LSASS Memory Dump Creation", + "sha256": "14a9d741acb3030e8466bf9a59a206544298e89f5fc3fee49bf83f99a7e052fd", "type": "eql", - "version": 6 - }, - "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "c065074afa1efd59796f42921ce27c145b88b963e7472fa5c5269c74503e3647", - "type": "eql", - "version": 208 - } - }, + "version": 211 + } + }, + "rule_name": "LSASS Memory Dump Creation", + "sha256": "254a89261a7919cd601e7aa8a8c9aafa993f9a2f38062b4f3f6b1839c39a0993", + "type": "eql", + "version": 311 + }, + "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { + "rule_name": "AWS RDS Instance Creation", + "sha256": "3f5bde898da930f0ca76c88c4f89512b9f7ec40d10c291fc472d909c5ef5a166", + "type": "query", + "version": 206 + }, + "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { + "rule_name": "Google Workspace Object Copied to External Drive with App Consent", + "sha256": "3ac6f85158571e7ae9821f8407cf1039e071354f5ae798cd907c077d71b4ef58", + "type": "eql", + "version": 7 + }, + "f3403393-1fd9-4686-8f6e-596c58bc00b4": { + "rule_name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", + "sha256": 
"5111cc2b59ff5a00ad2e2d02625d13fb2da0a6e5c8a7c7cf41cb0c023d1f0321", + "type": "query", + "version": 5 + }, + "f3475224-b179-4f78-8877-c2bd64c26b88": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, + "rule_name": "WMI Incoming Lateral Movement", + "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", + "type": "eql", + "version": 110 + } + }, + "rule_name": "WMI Incoming Lateral Movement", + "sha256": "f68bad409924e59b8443d6a7bfa105b2b48cb4d88da36172d95d7094cb3a3375", + "type": "eql", + "version": 210 + }, + "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { + "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", + "sha256": "631c70d2bd6a2e4b8162193c9ccb972b673d291a842d7006e0a14643ce29341c", + "type": "threshold", + "version": 104 + }, + "f3818c85-2207-4b51-8a28-d70fb156ee87": { + "rule_name": "Suspicious Network Connection via systemd", + "sha256": "45c7e70c63f0babc04075bb7fcacaf276c43f3f76f27788e95a22486dc947598", + "type": "eql", + "version": 3 + }, + "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { + "rule_name": "Threat Intel URL Indicator Match", + "sha256": "cf0a030c5e18e30adb504961ef9b25c02002c86f068800908ed13e0f329267de", + "type": "threat_match", + "version": 7 + }, + "f401a0e3-5eeb-4591-969a-f435488e7d12": { + "min_stack_version": "8.14", + "rule_name": "Remote Desktop File Opened from Suspicious Path", + "sha256": "cf963b5d775862505a178cb58178b33fb23107afcc00e561160961a865e46b4f", + "type": "eql", + "version": 1 + }, + "f41296b4-9975-44d6-9486-514c6f635b2d": { + "rule_name": "Potential curl CVE-2023-38545 Exploitation", + "sha256": "a4f60de34a9b8854d098412627c483a602372a1752481e4bb94ee32edabdfeb4", + "type": "eql", + "version": 6 + }, + "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "0ceb15eaac8188f45c14c3dd7bead9ba70e09eb4b5f51deb6b9a8c126b63c78b", 
+ "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc", "type": "eql", - "version": 308 - }, - "f48ecc44-7d02-437d-9562-b838d2c41987": { - "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration", - "sha256": "6dc8920fe9a4bc479c93299a5b594945d88909d894d5a90f8997caba441bfa2a", + "version": 108 + }, + "8.13": { + "max_allowable_version": 307, + "rule_name": "Persistence via Microsoft Office AddIns", + "sha256": "c065074afa1efd59796f42921ce27c145b88b963e7472fa5c5269c74503e3647", "type": "eql", - "version": 2 - }, - "f494c678-3c33-43aa-b169-bb3d5198c41d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d", - "type": "query", - "version": 113 - } - }, + "version": 208 + } + }, + "rule_name": "Persistence via Microsoft Office AddIns", + "sha256": "0ceb15eaac8188f45c14c3dd7bead9ba70e09eb4b5f51deb6b9a8c126b63c78b", + "type": "eql", + "version": 308 + }, + "f48ecc44-7d02-437d-9562-b838d2c41987": { + "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration", + "sha256": "6dc8920fe9a4bc479c93299a5b594945d88909d894d5a90f8997caba441bfa2a", + "type": "eql", + "version": 2 + }, + "f494c678-3c33-43aa-b169-bb3d5198c41d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 212, "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "a501daeafd36d21146d80fd784cd66a942aba32df467a451a98e26818a2e661b", + "sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d", "type": "query", - "version": 213 - }, - "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { - "min_stack_version": "8.13", - "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", - "sha256": 
"f613ba59ddc970edf688e657b1f179a4a61355efddd7fc08207b9cdffd329aad", - "type": "esql", - "version": 2 - }, - "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { - "rule_name": "DPKG Package Installed by Unusual Parent Process", - "sha256": "d1fdc0cf4916e52650e3c796851aa1b7ce6f2c33b18b0b7d62594435904c9876", - "type": "new_terms", - "version": 1 - }, - "f52362cd-baf1-4b6d-84be-064efc826461": { - "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", - "sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7", - "type": "eql", - "version": 100 - }, - "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { - "rule_name": "Suspicious Data Encryption via OpenSSL Utility", - "sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc", - "type": "eql", - "version": 6 - }, - "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Windows Script Executing PowerShell", - "sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Windows Script Executing PowerShell", - "sha256": "7d014986e6735e5f5b90c0790e404e69d4e5d64634f6935fb10a34ec72877e05", - "type": "eql", - "version": 212 - } - }, + "version": 113 + } + }, + "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", + "sha256": "a501daeafd36d21146d80fd784cd66a942aba32df467a451a98e26818a2e661b", + "type": "query", + "version": 213 + }, + "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { + "min_stack_version": "8.13", + "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", + "sha256": "e018ec0346e1abac5468b4f741a4a3036311473e101a7ddf11bca9b702e142c0", + "type": "esql", + "version": 3 + }, + "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { + "rule_name": "DPKG Package Installed by Unusual Parent Process", + "sha256": 
"c9f84cce8696eb7c2dc198d566da5e106e018e6fe6cd9e016fd243ae72c741b4", + "type": "new_terms", + "version": 2 + }, + "f52362cd-baf1-4b6d-84be-064efc826461": { + "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", + "sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7", + "type": "eql", + "version": 100 + }, + "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73": { + "rule_name": "Suspicious Data Encryption via OpenSSL Utility", + "sha256": "bdf4940185721379f94bfd3a1c76f556b73371c2533f71f9d815eb09cebf35bc", + "type": "eql", + "version": 6 + }, + "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": "Windows Script Executing PowerShell", - "sha256": "70e912c507ffd352948a3b3477a1ad50a61cbbd2effc94c80291e684c151ed1c", + "sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c", "type": "eql", - "version": 312 - }, - "f5488ac1-099e-4008-a6cb-fb638a0f0828": { - "rule_name": "SSH Connection Established Inside A Running Container", - "sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7", + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Windows Script Executing PowerShell", + "sha256": "7d014986e6735e5f5b90c0790e404e69d4e5d64634f6935fb10a34ec72877e05", "type": "eql", - "version": 2 - }, - "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Rare SMB Connection to the Internet", - "sha256": "0994ac029d0e0256082d0a61be3696ee4a982af12e3efc1a96d975cb575ce7c2", - "type": "new_terms", - "version": 8 - }, - "8.13": { - "max_allowable_version": 207, - "rule_name": "Rare SMB Connection to the Internet", - "sha256": "c40aac172f1cdf1b7ccb004c0801fc47510425f767724967677d2084cdbf562d", - "type": "new_terms", - "version": 108 - } - }, + "version": 212 + } + }, + "rule_name": "Windows Script Executing 
PowerShell", + "sha256": "70e912c507ffd352948a3b3477a1ad50a61cbbd2effc94c80291e684c151ed1c", + "type": "eql", + "version": 312 + }, + "f5488ac1-099e-4008-a6cb-fb638a0f0828": { + "rule_name": "SSH Connection Established Inside A Running Container", + "sha256": "acfdb1c9d79a1ed5b532921e9010c1184da0de54b516f1c0505265cb48c135b7", + "type": "eql", + "version": 2 + }, + "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 107, "rule_name": "Rare SMB Connection to the Internet", - "sha256": "d22f0fbb911966cb407185b46199efd05573dd405193ce51ed521b9b72d30289", + "sha256": "0994ac029d0e0256082d0a61be3696ee4a982af12e3efc1a96d975cb575ce7c2", "type": "new_terms", - "version": 208 - }, - "f5861570-e39a-4b8a-9259-abd39f84cb97": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531", - "type": "query", - "version": 7 - } - }, + "version": 8 + }, + "8.13": { + "max_allowable_version": 207, + "rule_name": "Rare SMB Connection to the Internet", + "sha256": "c40aac172f1cdf1b7ccb004c0801fc47510425f767724967677d2084cdbf562d", + "type": "new_terms", + "version": 108 + } + }, + "rule_name": "Rare SMB Connection to the Internet", + "sha256": "d22f0fbb911966cb407185b46199efd05573dd405193ce51ed521b9b72d30289", + "type": "new_terms", + "version": 208 + }, + "f5861570-e39a-4b8a-9259-abd39f84cb97": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "WRITEDAC Access on Active Directory Object", - "sha256": "a6c101a1883de891bb4d57551be80870b4826b128ce142cd1118f3aec69e22da", + "sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531", "type": "query", - "version": 107 - }, - "f59668de-caa0-4b84-94c1-3a1549e1e798": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - 
"max_allowable_version": 106, - "rule_name": "WMIC Remote Command", - "sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689", - "type": "eql", - "version": 7 - } - }, + "version": 7 + } + }, + "rule_name": "WRITEDAC Access on Active Directory Object", + "sha256": "a6c101a1883de891bb4d57551be80870b4826b128ce142cd1118f3aec69e22da", + "type": "query", + "version": 107 + }, + "f59668de-caa0-4b84-94c1-3a1549e1e798": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "WMIC Remote Command", - "sha256": "3bd84cb33875e0103cc886054ecc28efc9a73d479a6af6ebc8457657b6b35189", - "type": "eql", - "version": 107 - }, - "f5c005d3-4e17-48b0-9cd7-444d48857f97": { - "rule_name": "Setcap setuid/setgid Capability Set", - "sha256": "45c7bf0dabebd2c0f6761522c9e451ba672ebe426611de5c126c314fc0006ffd", + "sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689", "type": "eql", - "version": 6 - }, - "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60", - "type": "machine_learning", - "version": 7 - } - }, + "version": 7 + } + }, + "rule_name": "WMIC Remote Command", + "sha256": "3bd84cb33875e0103cc886054ecc28efc9a73d479a6af6ebc8457657b6b35189", + "type": "eql", + "version": 107 + }, + "f5c005d3-4e17-48b0-9cd7-444d48857f97": { + "rule_name": "Setcap setuid/setgid Capability Set", + "sha256": "45c7bf0dabebd2c0f6761522c9e451ba672ebe426611de5c126c314fc0006ffd", + "type": "eql", + "version": 6 + }, + "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", - "sha256": 
"cd92b6d8bfeeb796c8aa85d4173fc81fada02dcee2eba62947319524f50b8bc3", + "sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60", "type": "machine_learning", - "version": 107 - }, - "f5fb4598-4f10-11ed-bdc3-0242ac120002": { - "rule_name": "Masquerading Space After Filename", - "sha256": "5f2226e282c0f810754301af6a21ee8303cfc152b5003db4500df84b536cc373", - "type": "eql", "version": 7 - }, - "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { - "rule_name": "Account or Group Discovery via Built-In Tools", - "sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135", - "type": "eql", - "version": 3 - }, - "f63c8e3c-d396-404f-b2ea-0379d3942d73": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "b83dd05aaef86c18fe47f7a8bdc6132a6c0d868069edcc7801fff9dcd7d10428", - "type": "eql", - "version": 210 - } - }, + } + }, + "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", + "sha256": "cd92b6d8bfeeb796c8aa85d4173fc81fada02dcee2eba62947319524f50b8bc3", + "type": "machine_learning", + "version": 107 + }, + "f5fb4598-4f10-11ed-bdc3-0242ac120002": { + "rule_name": "Masquerading Space After Filename", + "sha256": "5f2226e282c0f810754301af6a21ee8303cfc152b5003db4500df84b536cc373", + "type": "eql", + "version": 7 + }, + "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf": { + "rule_name": "Account or Group Discovery via Built-In Tools", + "sha256": "05cfd191e4f07208be892f795fe81b8a10b3b5b50a3a9ab8f03a0c175ef81135", + "type": "eql", + "version": 3 + }, + "f63c8e3c-d396-404f-b2ea-0379d3942d73": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Windows Firewall 
Disabled via PowerShell", - "sha256": "dd85635dc0d5d6587c65c569fbf10f93b08c529961738e3e27039d95f04d8ee1", + "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088", "type": "eql", - "version": 310 - }, - "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { - "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", - "sha256": "e4f93dc05162bf6cad753a1327db0e023df793034c6204d0b08a1d15f6d23b4b", + "version": 110 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Windows Firewall Disabled via PowerShell", + "sha256": "b83dd05aaef86c18fe47f7a8bdc6132a6c0d868069edcc7801fff9dcd7d10428", "type": "eql", - "version": 2 - }, - "f675872f-6d85-40a3-b502-c0d2ef101e92": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "405bde7c6d0f3ef9dcfc7e1924b27101ba6c8b94fad77b6398bd191d56a95503", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "d3bf5930d646553b64fceb3142ba60e854e52fe3478bad4d52ce0a606395d9ee", - "type": "eql", - "version": 210 - } - }, + "version": 210 + } + }, + "rule_name": "Windows Firewall Disabled via PowerShell", + "sha256": "94e0a975da6a20b8e5a7088399f5da7561593424d1eb70d66d5a542963808c79", + "type": "eql", + "version": 311 + }, + "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { + "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", + "sha256": "e4f93dc05162bf6cad753a1327db0e023df793034c6204d0b08a1d15f6d23b4b", + "type": "eql", + "version": 2 + }, + "f675872f-6d85-40a3-b502-c0d2ef101e92": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "00b7255c33cc8914ce6b47a7c432c408c993b3aff7e58dc936e518c8dc3ca8e0", + "sha256": "405bde7c6d0f3ef9dcfc7e1924b27101ba6c8b94fad77b6398bd191d56a95503", "type": 
"eql", - "version": 310 - }, - "f683dcdf-a018-4801-b066-193d4ae6c8e5": { - "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b", - "type": "query", - "version": 106 - }, - "f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { - "rule_name": "System Hosts File Access", - "sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571", + "version": 110 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Delete Volume USN Journal with Fsutil", + "sha256": "d3bf5930d646553b64fceb3142ba60e854e52fe3478bad4d52ce0a606395d9ee", "type": "eql", - "version": 3 - }, - "f766ffaf-9568-4909-b734-75d19b35cbf4": { - "rule_name": "Azure Service Principal Credentials Added", - "sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103", - "type": "query", - "version": 102 - }, - "f772ec8a-e182-483c-91d2-72058f76a44c": { - "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc", - "type": "query", - "version": 209 - }, - "f7769104-e8f9-4931-94a2-68fc04eadec3": { - "rule_name": "SSH Authorized Keys File Modified Inside a Container", - "sha256": "7447ba66f5bb3a7f75ebfa0ec16f2c79965e3653b03fc3f3a06ec4e7dc27ece8", + "version": 210 + } + }, + "rule_name": "Delete Volume USN Journal with Fsutil", + "sha256": "81b4cea2ac276f83aaf465ba9217bfeea8d6f63be702f6088801a22b09cb7b77", + "type": "eql", + "version": 311 + }, + "f683dcdf-a018-4801-b066-193d4ae6c8e5": { + "rule_name": "SoftwareUpdate Preferences Modification", + "sha256": "23425b32c0a7615768bc200a5112ac8cddf8adf9387d1c01638d9da18edc500b", + "type": "query", + "version": 106 + }, + "f6d07a70-9ad0-11ef-954f-f661ea17fbcd": { + "rule_name": "AWS IAM Customer-Managed Policy Attached to Role by Rare User", + "sha256": "791121ea6aec69d7039ecb415a62b0a87915433516a225fa0103e30dc1fb3eb9", + "type": "new_terms", + "version": 1 + }, + 
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": { + "rule_name": "System Hosts File Access", + "sha256": "075b644099d4072660dea321c36b39eba6a6dd8877852416af7f429753d0e571", + "type": "eql", + "version": 3 + }, + "f766ffaf-9568-4909-b734-75d19b35cbf4": { + "rule_name": "Azure Service Principal Credentials Added", + "sha256": "93799b4dd788cc7cc2a439cc2a75f129676cafe866903105bfe880aa4a466103", + "type": "query", + "version": 102 + }, + "f772ec8a-e182-483c-91d2-72058f76a44c": { + "rule_name": "AWS CloudWatch Alarm Deletion", + "sha256": "9fd21ffae7e6f9944f5abeb3ea4da9d2397f7f3fd140a1aa45f86cdcfe7a92bc", + "type": "query", + "version": 209 + }, + "f7769104-e8f9-4931-94a2-68fc04eadec3": { + "rule_name": "SSH Authorized Keys File Modified Inside a Container", + "sha256": "7447ba66f5bb3a7f75ebfa0ec16f2c79965e3653b03fc3f3a06ec4e7dc27ece8", + "type": "eql", + "version": 3 + }, + "f7a1c536-9ac0-11ef-9911-f661ea17fbcd": { + "rule_name": "AWS IAM Create User via Assumed Role on EC2 Instance", + "sha256": "9d9ea4b2bef0475b57635433aa6c30663d72eb3226baf7e94587e17374f9c08e", + "type": "new_terms", + "version": 1 + }, + "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, + "rule_name": "Persistent Scripts in the Startup Directory", + "sha256": "3e8f291e2a3c067b9b355896116b130d4aea64f67e03fe8b2c4551ddfb9c83ac", "type": "eql", - "version": 3 - }, - "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "3e8f291e2a3c067b9b355896116b130d4aea64f67e03fe8b2c4551ddfb9c83ac", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "19dabb4cdeb3093420fb56b9c94ca6687ea7ee3479e605b8b9f331cdff2466c3", - "type": "eql", - "version": 212 - } - }, + "version": 112 + }, + "8.13": 
{ + "max_allowable_version": 311, "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "07caba511c046edeb032f0a4b75979d94cf1cadf75a7bfea159e175815bb0c48", + "sha256": "19dabb4cdeb3093420fb56b9c94ca6687ea7ee3479e605b8b9f331cdff2466c3", "type": "eql", - "version": 312 - }, - "f7c70f2e-4616-439c-85ac-5b98415042fe": { - "rule_name": "Potential Privilege Escalation via Linux DAC permissions", - "sha256": "c019dc62df736fd44d9e738556bb88927bb5a3381f6dd541d60087ba788d3255", - "type": "new_terms", - "version": 3 - }, - "f81ee52c-297e-46d9-9205-07e66931df26": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "c4a613fb04e9f97b6a884009449a139ee5a135556512ca5bf96bb5b803db7d8d", - "type": "eql", - "version": 209 - } - }, + "version": 212 + } + }, + "rule_name": "Persistent Scripts in the Startup Directory", + "sha256": "07caba511c046edeb032f0a4b75979d94cf1cadf75a7bfea159e175815bb0c48", + "type": "eql", + "version": 312 + }, + "f7c70f2e-4616-439c-85ac-5b98415042fe": { + "rule_name": "Potential Privilege Escalation via Linux DAC permissions", + "sha256": "c019dc62df736fd44d9e738556bb88927bb5a3381f6dd541d60087ba788d3255", + "type": "new_terms", + "version": 3 + }, + "f81ee52c-297e-46d9-9205-07e66931df26": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "41f949b2f55eaabf986b67891e7037a89ce1a7964a42ef6e88352b92d52778bb", + "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec", "type": "eql", - "version": 309 - }, - "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { 
- "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87", - "type": "query", - "version": 106 - }, - "f86cd31c-5c7e-4481-99d7-6875a3e31309": { - "rule_name": "Printer User (lp) Shell Execution", - "sha256": "6507c4745da0b0264ac93849eb4783ca11447050920d70c87be1c446f2206d74", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", + "sha256": "c4a613fb04e9f97b6a884009449a139ee5a135556512ca5bf96bb5b803db7d8d", "type": "eql", - "version": 2 - }, - "f874315d-5188-4b4a-8521-d1c73093a7e4": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 311, - "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "f2423851bfbeefbfcda2a745c74dc1370032a6f7cfe9efbc981454ee74130559", - "type": "eql", - "version": 212 - } - }, + "version": 209 + } + }, + "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", + "sha256": "41f949b2f55eaabf986b67891e7037a89ce1a7964a42ef6e88352b92d52778bb", + "type": "eql", + "version": 309 + }, + "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { + "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", + "sha256": "7041f9420e055d9a272d6c1c7c3ab02fa9843c80df047af4545b3a625f70fa87", + "type": "query", + "version": 106 + }, + "f86cd31c-5c7e-4481-99d7-6875a3e31309": { + "rule_name": "Printer User (lp) Shell Execution", + "sha256": "6507c4745da0b0264ac93849eb4783ca11447050920d70c87be1c446f2206d74", + "type": "eql", + "version": 2 + }, + "f874315d-5188-4b4a-8521-d1c73093a7e4": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 211, "rule_name": 
"Modification of AmsiEnable Registry Key", - "sha256": "0514fd1665b1dca73aee98091741b1265ecf43a5d052dae60fc15595c8f553bc", + "sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd", "type": "eql", - "version": 312 - }, - "f8822053-a5d2-46db-8c96-d460b12c36ac": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 103, - "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03", - "type": "query", - "version": 4 - } - }, + "version": 112 + }, + "8.13": { + "max_allowable_version": 311, + "rule_name": "Modification of AmsiEnable Registry Key", + "sha256": "f2423851bfbeefbfcda2a745c74dc1370032a6f7cfe9efbc981454ee74130559", + "type": "eql", + "version": 212 + } + }, + "rule_name": "Modification of AmsiEnable Registry Key", + "sha256": "0514fd1665b1dca73aee98091741b1265ecf43a5d052dae60fc15595c8f553bc", + "type": "eql", + "version": 312 + }, + "f8822053-a5d2-46db-8c96-d460b12c36ac": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, "rule_name": "Potential Active Directory Replication Account Backdoor", - "sha256": "9302b94451cee85bf6f7911e5a81caad7dad04e6d5d9271549085ee41f25cfe5", + "sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03", "type": "query", - "version": 104 - }, - "f909075d-afc7-42d7-b399-600b94352fd9": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "d8dfe4f7a77d80cdf2454af910950a75588c1c7ad2eb770140cdf8c992dcf6ea", - "type": "eql", - "version": 1 - } - }, + "version": 4 + } + }, + "rule_name": "Potential Active Directory Replication Account Backdoor", + "sha256": "9302b94451cee85bf6f7911e5a81caad7dad04e6d5d9271549085ee41f25cfe5", + "type": "query", + "version": 104 + }, + "f909075d-afc7-42d7-b399-600b94352fd9": { + 
"min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", - "sha256": "c4508dc7b6251d648197e8d7704c8fdafc973a1a99006c1475d76e67e7d195d3", + "sha256": "d8dfe4f7a77d80cdf2454af910950a75588c1c7ad2eb770140cdf8c992dcf6ea", "type": "eql", - "version": 101 - }, - "f94e898e-94f1-4545-8923-03e4b2866211": { - "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", - "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0", - "type": "new_terms", "version": 1 - }, - "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { - "rule_name": "Unusual Linux Network Configuration Discovery", - "sha256": "d2f746819d1c581d86f596e696374d72b6b6ef60f9710488f0f34085b80a3e59", - "type": "machine_learning", - "version": 105 - }, - "f95972d3-c23b-463b-89a8-796b3f369b49": { - "rule_name": "Ingress Transfer via Windows BITS", - "sha256": "85e0e9eb2f56d40ea5aa97a05e3c9ef70749ffbf72276dfe626c72d1889217c6", + } + }, + "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", + "sha256": "c4508dc7b6251d648197e8d7704c8fdafc973a1a99006c1475d76e67e7d195d3", + "type": "eql", + "version": 101 + }, + "f94e898e-94f1-4545-8923-03e4b2866211": { + "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", + "sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737", + "type": "new_terms", + "version": 2 + }, + "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { + "rule_name": "Unusual Linux Network Configuration Discovery", + "sha256": "d2f746819d1c581d86f596e696374d72b6b6ef60f9710488f0f34085b80a3e59", + "type": "machine_learning", + "version": 105 + }, + "f95972d3-c23b-463b-89a8-796b3f369b49": { + "rule_name": "Ingress Transfer via Windows BITS", + "sha256": "85e0e9eb2f56d40ea5aa97a05e3c9ef70749ffbf72276dfe626c72d1889217c6", + "type": "eql", + "version": 8 + }, + "f97504ac-1053-498f-aeaa-c6d01e76b379": { + "min_stack_version": "8.14", + 
"previous": { + "8.11": { + "max_allowable_version": 101, + "rule_name": "Browser Extension Install", + "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", "type": "eql", - "version": 8 - }, - "f97504ac-1053-498f-aeaa-c6d01e76b379": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 101, - "rule_name": "Browser Extension Install", - "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", - "type": "eql", - "version": 2 - }, - "8.13": { - "max_allowable_version": 201, - "rule_name": "Browser Extension Install", - "sha256": "33fea2e19640fd39808aae6bf7267174995cc0a7e7973f07a4b21fbb2b842970", - "type": "eql", - "version": 102 - } - }, + "version": 2 + }, + "8.13": { + "max_allowable_version": 201, "rule_name": "Browser Extension Install", - "sha256": "cdd8f7c92285ec6406bbb7e06fef02eb1458895deda96a9bbd299be408be2026", - "type": "eql", - "version": 202 - }, - "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 109, - "rule_name": "Privileged Account Brute Force", - "sha256": "e5f51f4e2b82a0b05641ba03fe55a1433a719fe509d21bb8023368ef4e81425e", - "type": "eql", - "version": 10 - } - }, + "sha256": "33fea2e19640fd39808aae6bf7267174995cc0a7e7973f07a4b21fbb2b842970", + "type": "eql", + "version": 102 + } + }, + "rule_name": "Browser Extension Install", + "sha256": "cdd8f7c92285ec6406bbb7e06fef02eb1458895deda96a9bbd299be408be2026", + "type": "eql", + "version": 202 + }, + "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 109, "rule_name": "Privileged Account Brute Force", - "sha256": "8237fdea989fedadcbe0c3d264d0f2e33c15879386f11721c8effccb0b5a1d28", + "sha256": "e5f51f4e2b82a0b05641ba03fe55a1433a719fe509d21bb8023368ef4e81425e", "type": "eql", - "version": 110 - }, - "f994964f-6fce-4d75-8e79-e16ccc412588": { - "rule_name": "Suspicious Activity 
Reported by Okta User", - "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", - "type": "query", - "version": 206 - }, - "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca", - "type": "eql", - "version": 112 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "c57ede22981de8ec65a677f491d04e110c3dcbe758924fc37fc34e2b031677a2", - "type": "eql", - "version": 211 - } - }, + "version": 10 + } + }, + "rule_name": "Privileged Account Brute Force", + "sha256": "8237fdea989fedadcbe0c3d264d0f2e33c15879386f11721c8effccb0b5a1d28", + "type": "eql", + "version": 110 + }, + "f994964f-6fce-4d75-8e79-e16ccc412588": { + "rule_name": "Suspicious Activity Reported by Okta User", + "sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317", + "type": "query", + "version": 207 + }, + "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "34c88c04d439a65572bc586374cc41a23f7dd52471ed85866942f5b668fb4427", - "type": "eql", - "version": 311 - }, - "fa210b61-b627-4e5e-86f4-17e8270656ab": { - "rule_name": "Potential External Linux SSH Brute Force Detected", - "sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda", + "sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca", "type": "eql", - "version": 7 - }, - "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { - "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c", + "version": 112 + }, + "8.13": { + "max_allowable_version": 310, + "rule_name": "Remote File Copy to a 
Hidden Share", + "sha256": "c57ede22981de8ec65a677f491d04e110c3dcbe758924fc37fc34e2b031677a2", "type": "eql", - "version": 7 - }, - "fa488440-04cc-41d7-9279-539387bf2a17": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 108, - "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642", - "type": "eql", - "version": 9 - }, - "8.13": { - "max_allowable_version": 312, - "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "e76797913ea8f33de2a02341ab5af40b4efd31ccdadbb67daf8fcdf5281830bc", - "type": "eql", - "version": 213 - } - }, + "version": 211 + } + }, + "rule_name": "Remote File Copy to a Hidden Share", + "sha256": "e2887448f525e4d2fc06229b8d743d4dca3c5ec090ff66e1b0395b0a14a6ffe1", + "type": "eql", + "version": 312 + }, + "fa210b61-b627-4e5e-86f4-17e8270656ab": { + "rule_name": "Potential External Linux SSH Brute Force Detected", + "sha256": "6dda8a2bc03a2f1abf5953add4cec3b8260ed538e2600de67de2100cad5ddcda", + "type": "eql", + "version": 7 + }, + "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { + "rule_name": "Potential Reverse Shell via Suspicious Binary", + "sha256": "9be49e4bfd023d805ed674227d4aa1c27340b638a40b63092a2d82f22f29d52c", + "type": "eql", + "version": 7 + }, + "fa488440-04cc-41d7-9279-539387bf2a17": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 108, "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "5593d660090874e775e2dedabd7551d2cd2be7a6c684f617ce9b597f367e5238", + "sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc", "type": "eql", - "version": 313 - }, - "fac52c69-2646-4e79-89c0-fd7653461010": { - "rule_name": "Potential Disabling of AppArmor", - "sha256": "e045c3b1003a5042d8b759b06796c80d5f32b4a56185301e5de5bcc2f1d4544e", - "type": "eql", - "version": 7 - }, - "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { - "rule_name": "Potential 
Masquerading as System32 DLL", - "sha256": "24ba6424357603cfc73404dbf3312ba7865f04447af416631ded8fec2599f2fd", + "version": 10 + }, + "8.13": { + "max_allowable_version": 312, + "rule_name": "Suspicious Antimalware Scan Interface DLL", + "sha256": "e76797913ea8f33de2a02341ab5af40b4efd31ccdadbb67daf8fcdf5281830bc", "type": "eql", - "version": 105 - }, - "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "Network Connection via Registration Utility", - "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d", - "type": "eql", - "version": 108 - } - }, + "version": 213 + } + }, + "rule_name": "Suspicious Antimalware Scan Interface DLL", + "sha256": "5593d660090874e775e2dedabd7551d2cd2be7a6c684f617ce9b597f367e5238", + "type": "eql", + "version": 313 + }, + "fac52c69-2646-4e79-89c0-fd7653461010": { + "rule_name": "Potential Disabling of AppArmor", + "sha256": "e045c3b1003a5042d8b759b06796c80d5f32b4a56185301e5de5bcc2f1d4544e", + "type": "eql", + "version": 7 + }, + "fb01d790-9f74-4e76-97dd-b4b0f7bf6435": { + "rule_name": "Potential Masquerading as System32 DLL", + "sha256": "24ba6424357603cfc73404dbf3312ba7865f04447af416631ded8fec2599f2fd", + "type": "eql", + "version": 105 + }, + "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "Network Connection via Registration Utility", - "sha256": "8aae81ad83c8f0921e01112594259350cacae84e8b7a5991c5774c2b12228d7c", + "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d", "type": "eql", - "version": 208 - }, - "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { - "rule_name": "High Number of Cloned GitHub Repos From PAT", - "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234", - "type": "threshold", - "version": 1 - }, - "fb9937ce-7e21-46bf-831d-1ad96eac674d": { - "rule_name": "Auditd 
Max Failed Login Attempts", - "sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412", - "type": "query", - "version": 100 - }, - "fbd44836-0d69-4004-a0b4-03c20370c435": { - "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004", - "type": "query", - "version": 206 - }, - "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 208, - "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e", - "type": "eql", - "version": 109 - }, - "8.13": { - "max_allowable_version": 308, - "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "4ad908e9c0e001298a239314cbd4fc39fb76e0789a62456d4601e31ea266b35e", - "type": "eql", - "version": 209 - } - }, + "version": 108 + } + }, + "rule_name": "Network Connection via Registration Utility", + "sha256": "8aae81ad83c8f0921e01112594259350cacae84e8b7a5991c5774c2b12228d7c", + "type": "eql", + "version": 208 + }, + "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { + "rule_name": "High Number of Cloned GitHub Repos From PAT", + "sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4", + "type": "threshold", + "version": 2 + }, + "fb9937ce-7e21-46bf-831d-1ad96eac674d": { + "rule_name": "Auditd Max Failed Login Attempts", + "sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412", + "type": "query", + "version": 100 + }, + "fbd44836-0d69-4004-a0b4-03c20370c435": { + "rule_name": "AWS Configuration Recorder Stopped", + "sha256": "c7844572d3cc0d0be4f3674e5a404de4a1b409abe2c02b40ca56300b06425004", + "type": "query", + "version": 206 + }, + "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 208, "rule_name": "UAC Bypass 
Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "db69f7867e43c1d9991d02ca50a537f1688974ffa821585058e225fa254dfed5", + "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e", "type": "eql", - "version": 309 - }, - "fc909baa-fb34-4c46-9691-be276ef4234c": { - "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", - "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf", - "type": "new_terms", - "version": 1 - }, - "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { - "rule_name": "User or Group Creation/Modification", - "sha256": "d1ea785176a27ff76f628305fa1d57041f59595f8b6e09f99b4b4349c18f1811", + "version": 109 + }, + "8.13": { + "max_allowable_version": 308, + "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", + "sha256": "4ad908e9c0e001298a239314cbd4fc39fb76e0789a62456d4601e31ea266b35e", "type": "eql", - "version": 3 - }, - "fd01b949-81be-46d5-bcf8-284395d5f56d": { - "rule_name": "GitHub App Deleted", - "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960", + "version": 209 + } + }, + "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", + "sha256": "db69f7867e43c1d9991d02ca50a537f1688974ffa821585058e225fa254dfed5", + "type": "eql", + "version": 309 + }, + "fc909baa-fb34-4c46-9691-be276ef4234c": { + "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", + "sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010", + "type": "new_terms", + "version": 2 + }, + "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { + "rule_name": "User or Group Creation/Modification", + "sha256": "d1ea785176a27ff76f628305fa1d57041f59595f8b6e09f99b4b4349c18f1811", + "type": "eql", + "version": 3 + }, + "fd01b949-81be-46d5-bcf8-284395d5f56d": { + "rule_name": "GitHub App Deleted", + "sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7", + "type": 
"eql", + "version": 2 + }, + "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { + "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", + "sha256": "6e4722f7391334da9fa02d2bfe859e94a1110c6b78b728f62607aaa9380b59e9", + "type": "new_terms", + "version": 2 + }, + "fd3fc25e-7c7c-4613-8209-97942ac609f6": { + "rule_name": "Linux Restricted Shell Breakout via the expect command", + "sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032", + "type": "eql", + "version": 100 + }, + "fd4a992d-6130-4802-9ff8-829b89ae801f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 210, + "rule_name": "Potential Application Shimming via Sdbinst", + "sha256": "9f7d06cfbaaf01ad88f6a276c277892a422e7537769e0d96e7070b2598e9ad63", "type": "eql", - "version": 1 - }, - "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { - "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", - "sha256": "6e4722f7391334da9fa02d2bfe859e94a1110c6b78b728f62607aaa9380b59e9", - "type": "new_terms", - "version": 2 - }, - "fd3fc25e-7c7c-4613-8209-97942ac609f6": { - "rule_name": "Linux Restricted Shell Breakout via the expect command", - "sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032", - "type": "eql", - "version": 100 - }, - "fd4a992d-6130-4802-9ff8-829b89ae801f": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "9f7d06cfbaaf01ad88f6a276c277892a422e7537769e0d96e7070b2598e9ad63", - "type": "eql", - "version": 111 - }, - "8.13": { - "max_allowable_version": 310, - "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "0c0fb67b6f1fbc64b54c4eaaaf3982e6abd871234c9d741e32cf6111a4b95348", - "type": "eql", - "version": 211 - } - }, + "version": 111 + }, + "8.13": { + "max_allowable_version": 310, "rule_name": "Potential Application Shimming via Sdbinst", - 
"sha256": "4ffea30266b643b32951f47b96e1c951fdba13e2565ba1255c42f1c24a1ebb8d", + "sha256": "0c0fb67b6f1fbc64b54c4eaaaf3982e6abd871234c9d741e32cf6111a4b95348", "type": "eql", - "version": 311 - }, - "fd70c98a-c410-42dc-a2e3-761c71848acf": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "Suspicious CertUtil Commands", - "sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c", - "type": "eql", - "version": 110 - }, - "8.13": { - "max_allowable_version": 309, - "rule_name": "Suspicious CertUtil Commands", - "sha256": "d5f199269d0b8d8ffcb51d4a5be03858a06c561d4d7b5e76ccdb0730fbf5212a", - "type": "eql", - "version": 210 - } - }, + "version": 211 + } + }, + "rule_name": "Potential Application Shimming via Sdbinst", + "sha256": "3a5c29d43ebbadfb3a010e164c997dcdbc2c550226c3129d9f7256ad4204f204", + "type": "eql", + "version": 312 + }, + "fd70c98a-c410-42dc-a2e3-761c71848acf": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 209, "rule_name": "Suspicious CertUtil Commands", - "sha256": "0671f08b45ce5e4d1a59001f3d09958563aa655e63592371c821192d23093434", + "sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c", "type": "eql", - "version": 310 - }, - "fd7a6052-58fa-4397-93c3-4795249ccfa2": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 317, - "rule_name": "Svchost spawning Cmd", - "sha256": "e120819a00740e66d735aed46354c8c204941e187fffe5705afac9bc20b2c37f", - "type": "new_terms", - "version": 218 - }, - "8.13": { - "max_allowable_version": 417, - "rule_name": "Svchost spawning Cmd", - "sha256": "3496b237c65ce8b5c66a99b52546e49a3564913f15df60b8ab5ff3831bd56e7a", - "type": "new_terms", - "version": 318 - } - }, + "version": 110 + }, + "8.13": { + "max_allowable_version": 309, + "rule_name": "Suspicious CertUtil Commands", + "sha256": "d5f199269d0b8d8ffcb51d4a5be03858a06c561d4d7b5e76ccdb0730fbf5212a", + 
"type": "eql", + "version": 210 + } + }, + "rule_name": "Suspicious CertUtil Commands", + "sha256": "d283778b33a2eb881ef6542154d6a7a4f20f42620f533ab95ac6e3d92989605a", + "type": "eql", + "version": 311 + }, + "fd7a6052-58fa-4397-93c3-4795249ccfa2": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 317, "rule_name": "Svchost spawning Cmd", - "sha256": "2140d944bef1c61a87c150671d805d24438ca8fe7e109ef377a97dbc5a4efd83", + "sha256": "e120819a00740e66d735aed46354c8c204941e187fffe5705afac9bc20b2c37f", "type": "new_terms", - "version": 418 - }, - "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { - "rule_name": "Image Loaded with Invalid Signature", - "sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d", - "type": "eql", - "version": 2 - }, - "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { - "rule_name": "System Binary Moved or Copied", - "sha256": "49225541197b4b6b4988a3f6f4b5e6540977b229a825bfea0d1292a82a942d39", - "type": "eql", - "version": 13 - }, - "fddff193-48a3-484d-8d35-90bb3d323a56": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "PowerShell Kerberos Ticket Dump", - "sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3", - "type": "query", - "version": 7 - } - }, + "version": 218 + }, + "8.13": { + "max_allowable_version": 417, + "rule_name": "Svchost spawning Cmd", + "sha256": "3496b237c65ce8b5c66a99b52546e49a3564913f15df60b8ab5ff3831bd56e7a", + "type": "new_terms", + "version": 318 + } + }, + "rule_name": "Svchost spawning Cmd", + "sha256": "2140d944bef1c61a87c150671d805d24438ca8fe7e109ef377a97dbc5a4efd83", + "type": "new_terms", + "version": 418 + }, + "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8": { + "rule_name": "Image Loaded with Invalid Signature", + "sha256": "57f89690d7c597efa662064cafabb2dc9dbb9836e554784d682f094d14e69c2d", + "type": "eql", + "version": 2 + }, + "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { + "rule_name": "System 
Binary Moved or Copied", + "sha256": "49225541197b4b6b4988a3f6f4b5e6540977b229a825bfea0d1292a82a942d39", + "type": "eql", + "version": 13 + }, + "fddff193-48a3-484d-8d35-90bb3d323a56": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "PowerShell Kerberos Ticket Dump", - "sha256": "d2f0a42229c44c3071f0ff420fc676660dd1a831a53634858ff9c59b0df0e7d1", + "sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3", "type": "query", - "version": 107 - }, - "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 106, - "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", - "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", - "type": "query", - "version": 7 - } - }, + "version": 7 + } + }, + "rule_name": "PowerShell Kerberos Ticket Dump", + "sha256": "d2f0a42229c44c3071f0ff420fc676660dd1a831a53634858ff9c59b0df0e7d1", + "type": "query", + "version": 107 + }, + "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 106, "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", - "sha256": "8c11dd82f0841066ff7939242c462d6f9ae4ab6375851532b649a5cc2c186c9b", + "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", "type": "query", - "version": 107 - }, - "fe794edd-487f-4a90-b285-3ee54f2af2d3": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 213, - "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada", - "type": "eql", - "version": 114 - }, - "8.13": { - "max_allowable_version": 313, - "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "7574ee875c1c9a825dfefa55b0b3b243f5cc25a3f4c7b2a4db8e22dd0cd9b2c5", - "type": "eql", - "version": 214 - } - 
}, + "version": 7 + } + }, + "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", + "sha256": "8c11dd82f0841066ff7939242c462d6f9ae4ab6375851532b649a5cc2c186c9b", + "type": "query", + "version": 107 + }, + "fe794edd-487f-4a90-b285-3ee54f2af2d3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 213, "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "cb03d4fedad0f761b8ee747dbf555bfea74c2931a6f2dd3f82004c0cc1571b65", - "type": "eql", - "version": 314 - }, - "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { - "rule_name": "Potential Masquerading as Business App Installer", - "sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5", + "sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada", "type": "eql", - "version": 4 - }, - "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { - "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", - "sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87", + "version": 114 + }, + "8.13": { + "max_allowable_version": 313, + "rule_name": "Microsoft Windows Defender Tampering", + "sha256": "7574ee875c1c9a825dfefa55b0b3b243f5cc25a3f4c7b2a4db8e22dd0cd9b2c5", "type": "eql", - "version": 2 - }, - "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 207, - "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329", - "type": "eql", - "version": 108 - }, - "8.13": { - "max_allowable_version": 307, - "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "02f53b9ca7444dd33ade4085a8403f9f14298ad57e5cad93a2ba6bb6c64fd758", - "type": "eql", - "version": 208 - } - }, + "version": 214 + } + }, + "rule_name": "Microsoft Windows Defender Tampering", + "sha256": "cb03d4fedad0f761b8ee747dbf555bfea74c2931a6f2dd3f82004c0cc1571b65", + "type": 
"eql", + "version": 314 + }, + "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { + "rule_name": "Potential Masquerading as Business App Installer", + "sha256": "6daf457d7f6fb492b6a132e9f2ef7980cedfe5de8d41148a55b6265379ba80f5", + "type": "eql", + "version": 4 + }, + "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0": { + "rule_name": "Execution via MS VisualStudio Pre/Post Build Events", + "sha256": "f4da580149ea42f56cb5dde277432f33760266a6ae02877f5c9c71a77517fa87", + "type": "eql", + "version": 2 + }, + "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 207, "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "99cf8e49260a71f7e543cba491822d4fa747aac63b25532628d89de61e7b5e56", - "type": "eql", - "version": 308 - }, - "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { - "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "sha256": "719015ef6c70c2739f12adb7f4e21683f10083d6e8cee6deabba37fcb821f02b", - "type": "query", - "version": 104 - }, - "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { - "rule_name": "Potential DGA Activity", - "sha256": "a6828508851318616e927d9f819f6d7c5130b830e0f3eba41135daf75ac99758", - "type": "machine_learning", - "version": 5 - }, - "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { - "rule_name": "Cron Job Created or Modified", - "sha256": "b0c6daed3da044ef0e0ce21a69c8b2b1a79c9e7b050b3d2d21597432dc235d90", + "sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329", "type": "eql", - "version": 14 - }, - "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { - "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", - "sha256": "7842115a7191021a44e61d69bdc1563edc6e9d471a1237af41d228647df07824", - "type": "query", - "version": 2 - }, - "ff4599cb-409f-4910-a239-52e4e6f532ff": { - "rule_name": "LSASS Process Access via Windows API", - "sha256": "7d8c295d9d5382ec04a6755af94ef4b2f9e3a87942594dc7a1708854f48db9bf", + "version": 108 + }, + 
"8.13": { + "max_allowable_version": 307, + "rule_name": "MS Office Macro Security Registry Modifications", + "sha256": "02f53b9ca7444dd33ade4085a8403f9f14298ad57e5cad93a2ba6bb6c64fd758", "type": "eql", - "version": 10 - }, - "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { - "rule_name": "Microsoft 365 Exchange Transport Rule Creation", - "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88", - "type": "query", - "version": 206 - }, - "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { - "min_stack_version": "8.14", - "previous": { - "8.11": { - "max_allowable_version": 100, - "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", - "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb", - "type": "eql", - "version": 1 - }, - "8.13": { - "max_allowable_version": 200, - "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", - "sha256": "a5dc5c08ba531d44f22ea6769d5c2df16f15453f794a715ed59b46054ce95996", - "type": "eql", - "version": 101 - } - }, + "version": 208 + } + }, + "rule_name": "MS Office Macro Security Registry Modifications", + "sha256": "99cf8e49260a71f7e543cba491822d4fa747aac63b25532628d89de61e7b5e56", + "type": "eql", + "version": 308 + }, + "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { + "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", + "sha256": "719015ef6c70c2739f12adb7f4e21683f10083d6e8cee6deabba37fcb821f02b", + "type": "query", + "version": 104 + }, + "ff0d807d-869b-4a0d-a493-52bc46d2f1b1": { + "rule_name": "Potential DGA Activity", + "sha256": "a6828508851318616e927d9f819f6d7c5130b830e0f3eba41135daf75ac99758", + "type": "machine_learning", + "version": 5 + }, + "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { + "rule_name": "Cron Job Created or Modified", + "sha256": "b0c6daed3da044ef0e0ce21a69c8b2b1a79c9e7b050b3d2d21597432dc235d90", + "type": "eql", + "version": 14 + }, + "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { + "rule_name": "AWS S3 
Bucket Expiration Lifecycle Configuration Added", + "sha256": "7842115a7191021a44e61d69bdc1563edc6e9d471a1237af41d228647df07824", + "type": "query", + "version": 2 + }, + "ff4599cb-409f-4910-a239-52e4e6f532ff": { + "rule_name": "LSASS Process Access via Windows API", + "sha256": "7d8c295d9d5382ec04a6755af94ef4b2f9e3a87942594dc7a1708854f48db9bf", + "type": "eql", + "version": 10 + }, + "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { + "rule_name": "Microsoft 365 Exchange Transport Rule Creation", + "sha256": "24df1fab9f47005a3dcf144bdd7993c237e1da4de8b6ed8ee44d4513417e0f88", + "type": "query", + "version": 206 + }, + "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 100, "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", - "sha256": "fdeb2235369b54f09b8e618dfa7db46fc187a691bc5b60955e67e9bfa1d1a008", + "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb", "type": "eql", - "version": 201 - }, - "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { - "rule_name": "GCP Firewall Rule Deletion", - "sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068", - "type": "query", - "version": 104 - }, - "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { - "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", + "version": 1 + }, + "8.13": { + "max_allowable_version": 200, + "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", + "sha256": "a5dc5c08ba531d44f22ea6769d5c2df16f15453f794a715ed59b46054ce95996", "type": "eql", - "version": 5 - } + "version": 101 + } + }, + "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", + "sha256": "fdeb2235369b54f09b8e618dfa7db46fc187a691bc5b60955e67e9bfa1d1a008", + "type": "eql", + "version": 201 + }, + "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { + "rule_name": "GCP 
Firewall Rule Deletion", + "sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068", + "type": "query", + "version": 104 + }, + "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { + "rule_name": "Potential Sudo Token Manipulation via Process Injection", + "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", + "type": "eql", + "version": 5 + } } \ No newline at end of file
diff --git a/pyproject.toml b/pyproject.toml
index 0796f6b4c20..8f7c223b9e6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.1.6"
+version = "0.1.7"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"