From 14be79f51dbb13f488452f2ad7bddb5f03cfcbb7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 13 Oct 2023 15:10:49 -0400 Subject: [PATCH] Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 (#3183) * Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 * Update detection_rules/etc/version.lock.json --------- Co-authored-by: terrancedejesus Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit 2b0735024ea40ec2d20be0dda1d6f3cdfa23f60a) --- detection_rules/etc/version.lock.json | 917 ++++++++++++++++---------- 1 file changed, 575 insertions(+), 342 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 4c3f0d389b8..5f60b8849a6 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -2,9 +2,9 @@ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "min_stack_version": "8.3", "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73", + "sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2", "type": "query", - "version": 105 + "version": 106 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.3", @@ -37,16 +37,16 @@ "015cca13-8832-49ac-a01b-a396114809f6": { "min_stack_version": "8.3", "rule_name": "AWS Redshift Cluster Creation", - "sha256": "7a1faa4c3dfde300711d7bb69b6a93b8e64a3d33cc83a37a3d5cfcf6d9b09b2d", + "sha256": "b1c8e121fb4363f74d0c8928f3335aa2f374919f5257a9f4b17483773c49f348", "type": "query", - "version": 103 + "version": 104 }, "0171f283-ade7-4f87-9521-ac346c68cc9b": { "min_stack_version": "8.3", "rule_name": "Potential Network Scan Detected", - "sha256": "22c367ac24c7772c54e861eaef3c3cc0d8677b1dbecc70626f38c6ba482f1eb2", + "sha256": "a149d3ca79d319960c0d9e727ba65ff5e3350567e7f234907d03d7927621b13d", "type": "threshold", - "version": 2 + "version": 3 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.3", @@ -130,9 +130,9 @@ "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.3", "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "242d70865b8ccc44b23dc4c85ec781e9f6de7966acae6376216fe6157df81b72", + "sha256": "900e474f07b795dfe109f252a2d4a9069cdb9a8471cde0a8e19a36b84f3797ba", "type": "eql", - "version": 106 + "version": 107 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.3", @@ -158,16 +158,23 @@ "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.3", "rule_name": "Remote System Discovery Commands", - "sha256": "21369e608f88a1ea5dcd90d5365bba2e9a909fabf973ed66e37e9136f5f0699a", + "sha256": "43d5cfda7bb1c28139045da08dfbda821d56fd45af89f05a4cf932a0b7eee839", "type": "eql", - "version": 108 + "version": 109 }, "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.3", "rule_name": "System Time Discovery", - "sha256": "8534280f701e221bc1312804c5bf3de446a2ef36dd62d6e9bc6e3bb765c9cf76", + "sha256": "79c7e1897310a5fff8e9aa62c967679ae8fb0f6681b13c0fd66289142de0e1d6", "type": "eql", - "version": 4 + "version": 5 + }, + "0678bc9c-b71a-433b-87e6-2f664b6b3131": { + "min_stack_version": "8.9", + "rule_name": "Unusual Remote File Size", + "sha256": "ad214cde675085b61786dcd969409c869ca6ea48663d0b5227356ec6b1bd906e", + "type": "machine_learning", + "version": 1 }, "06a7a03c-c735-47a6-a313-51c354aef6c3": { "min_stack_version": "8.3", @@ -258,9 +265,9 @@ "089db1af-740d-4d84-9a5b-babd6de143b0": { "min_stack_version": "8.3", "rule_name": "Windows Account or Group Discovery", - "sha256": "9c4c3dc22f5ae081c7fce7c1cb6523dabdd5affb3e5b4ffce5fe00ec5dd65815", + "sha256": "bb76e59c53a0b50ac513121a9591fecea2eac83851584542c8860bb511c0785f", "type": "eql", - "version": 2 + "version": 3 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { "rule_name": "TCP Port 8000 Activity to the Internet", @@ -312,9 +319,9 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "6292561dbd089951c5f89ea4611e1d54d55397b493aa93f8cdba5c3e5f7e09fa", + "sha256": "c33b0262570792c916921cd4645eb950802579016d010a5a0c5672fa4007efc8", "type": "query", - "version": 1 + "version": 2 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.3", @@ -398,9 +405,9 @@ "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { "min_stack_version": "8.3", "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "b2d0f5656de26bb1163ed5edbb9bf90bde8a599b310b94c0eb3e629ddc0b93a3", + "sha256": "a66ec71c96a9c0d09c09ad1d94067327b19e7db5411461bda17ce482fff03de5", "type": "eql", - "version": 106 + "version": 107 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "min_stack_version": "8.3", @@ -484,16 +491,16 @@ "11013227-0301-4a8c-b150-4db924484475": { "min_stack_version": "8.3", "rule_name": "Abnormally Large DNS Response", - "sha256": "7ae8452448297fae3af27315e9a0cd50e7419f0dec791237656f8859df113c3f", + "sha256": "a8cf0f414de9d2716b4dbf0198d541bf88a0777aefe1be83c09fc6f472d86721", "type": "query", - "version": 104 + "version": 105 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.3", "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "sha256": "6ed2244e093a1870d45df1482662e4f762ce4734090878e0a1d1a06e9675b775", + "sha256": "ab39fe136a7992f299f43bce78b299f1c1491092730e5d6a4c4bf4d3f9231935", "type": "eql", - "version": 105 + "version": 106 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.3", @@ -505,9 +512,9 @@ "119c8877-8613-416d-a98a-96b6664ee73a": { "min_stack_version": "8.3", "rule_name": "AWS RDS Snapshot Export", - "sha256": "d7c79adde1bf89e2a7544eec2729c0b5c45c62fdcdd5f00090d28e5cb73f6da7", + "sha256": "8ad9d6381bc6ad8046516f5f50cdc304ccb0958161af21a171928b95088b6b17", "type": "query", - "version": 103 + "version": 104 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { "rule_name": "AWS RDS Snapshot Export", @@ -518,9 +525,9 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Token Impersonation Capabilities", - "sha256": "f455fef003011587f2e1a56fce94b03276f7155952af5cd091a8eadf88a62e68", + "sha256": "d41a56fd39249f9a8ecaea4b7739a996efe8bbd66aa4165345951de99ac2d102", "type": "query", - "version": 7 + "version": 8 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.3", @@ -532,9 +539,9 @@ "12051077-0124-4394-9522-8f4f4db1d674": { "min_stack_version": "8.3", "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "845e16fdf9dd59a0ee37658ad41a83a6149e5487422dac763de90cde6aad227f", + "sha256": "ee7d0fde7179ecae486163263d6baf71e90dd5e6048b4db1674a4d4eff6f2975", "type": "query", - "version": 103 + "version": 104 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { "rule_name": "User Discovery via Whoami", @@ -640,9 +647,9 @@ "143cb236-0956-4f42-a706-814bcaa0cf5a": { "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "54422260766b12b7477aec8acb27085b1eae0a36285553d26e5730bce422e7a9", + "sha256": "9b392ee77e47d008944419960e03112af84f3ccc7b043af0c2d16d636e610214", "type": "query", - "version": 102 + "version": 103 }, "14dab405-5dd9-450c-8106-72951af2391f": { "min_stack_version": "8.3", @@ -719,9 +726,9 @@ "169f3a93-efc7-4df2-94d6-0d9438c310d1": { "min_stack_version": "8.3", "rule_name": "AWS IAM Group Creation", - "sha256": "b742e26488a024ca917c76ed8b6d78e38bceaf88b12ac5a184cba21816858e5c", + "sha256": "b97182b40fec27cf6728746f838be74ee2cf5ebee183fc5d0f6eaf338b7d90a3", "type": "query", - "version": 103 + "version": 104 }, "16a52c14-7883-47af-8745-9357803f0d4c": { "min_stack_version": "8.3", @@ -806,6 +813,13 @@ "type": "eql", "version": 100 }, + "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc": { + "min_stack_version": "8.9", + "rule_name": "Spike in Number of Connections Made to a Destination IP", + "sha256": "92faf5914bec5a5a185f949112f5ff576d15fd69a5f405d73697602768830d77", + "type": "machine_learning", + "version": 1 + }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "min_stack_version": "8.3", "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", @@ -816,9 +830,16 @@ "19de8096-e2b0-4bd8-80c9-34a820813fff": { "min_stack_version": "8.3", "rule_name": "Rare AWS Error Code", - "sha256": "36fb7f357ab4c1d87f38a2a9f453fb1093c959582b23dda8d3071db185b7d65d", + "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec", "type": "machine_learning", - "version": 106 + "version": 107 + }, + "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { + "min_stack_version": "8.9", + "rule_name": "Spike in Number of Processes in an RDP Session", + "sha256": "c3869d7536ca507bf986047bad80507a729751302776f5a258810c9a9814c2de", + "type": "machine_learning", + "version": 1 }, "1a289854-5b78-49fe-9440-8a8096b1ab50": { "min_stack_version": "8.8", @@ -844,9 +865,9 @@ "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { "min_stack_version": "8.3", "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "e728282d89ab6116e74d508a075da4f9a1388ba2da235fd87605b4ad580312f0", + "sha256": "dd01a147a8898a4f6c696c83a4c436bf0325ab7552a03039d7cd71ff0b6c00dc", "type": "query", - "version": 106 + "version": 107 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "min_stack_version": "8.3", @@ -865,9 +886,9 @@ "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { "min_stack_version": "8.3", "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "bcef75f6d49bb03184f9398613ed080bc7bd2279da99afaa50ba68d3a99f3b4c", + "sha256": "95e2cb6322ef7b2d7bc2fc96460cbfcb4c76f0eb17351a134c783936996adab0", "type": "query", - "version": 103 + "version": 104 }, "1c27fa22-7727-4dd3-81c0-de6da5555feb": { "min_stack_version": "8.3", @@ -897,6 +918,13 @@ "type": "query", "version": 102 }, + "1ca62f14-4787-4913-b7af-df11745a49da": { + "min_stack_version": "8.3", + "rule_name": "New GitHub App Installed", + "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", + "type": "eql", + "version": 1 + }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.3", "rule_name": "Incoming Execution via WinRM Remote Shell", @@ -914,9 +942,9 @@ "1d72d014-e2ab-4707-b056-9b96abe7b511": { "min_stack_version": "8.3", "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "b1a5f097c5ad6885bbd55d4375fd72cfc09507c502321b80aec6edfe33bc3a75", + "sha256": "d08e975b8630d786933967d9de847dfbdd6fc6a5447715691a1a27ee3b22198a", "type": "eql", - "version": 106 + "version": 107 }, "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "min_stack_version": "8.3", @@ -949,9 +977,9 @@ "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "3dccbfd612147d0714339a1a2d6ad16efe695f6d5d9ea764a595cec716beff1b", + "sha256": "e1abdaaaa56dcd60699f61e183b6ee3d637065363a4aef48e49785d0f3d52a12", "type": "query", - "version": 2 + "version": 3 }, "1e0b832e-957e-43ae-b319-db82d228c908": { "min_stack_version": "8.3", @@ -1026,9 +1054,9 @@ "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { "min_stack_version": "8.3", "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "cd100d12464b46b1f170d8e6b26ed144023ba52b4077a97354a6a9fcbabf7465", + "sha256": "7512cf97f8885a42febe293ecc8c04d77f6369d4ba87372fcd3ef38a204f9af3", "type": "query", - "version": 103 + "version": 104 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.3", @@ -1095,9 +1123,9 @@ "227dc608-e558-43d9-b521-150772250bae": { "min_stack_version": "8.3", "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "ad8600664f0e0704b136c9959aec90beb90d433fd1457d49adc4e920ad882f17", + "sha256": "7804226b0da1b8d6dde3bbfed024feab1da6c23e091dfa55852b50309f4dd9fe", "type": "query", - "version": 104 + "version": 105 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { "min_stack_version": "8.3", @@ -1120,6 +1148,20 @@ "type": "eql", "version": 105 }, + "2377946d-0f01-4957-8812-6878985f515d": { + "min_stack_version": "8.9", + "rule_name": "Remote File Creation on a Sensitive Directory", + "sha256": "d175835a59f26f5a7a7607eec8ec9be98bff92a092fcb817859b99170ad0ddd6", + "type": "eql", + "version": 1 + }, + "24401eca-ad0b-4ff9-9431-487a8e183af9": { + "min_stack_version": "8.3", + "rule_name": "New GitHub Owner Added", + "sha256": "360c844a728a8074f32947d9ad6d1b26d414b7aafe87847d5b92dc546b8931f5", + "type": "eql", + "version": 1 + }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.3", "rule_name": "Lateral Movement via Startup Folder", @@ -1127,6 +1169,13 @@ "type": "eql", "version": 104 }, + "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39": { + "min_stack_version": "8.3", + "rule_name": "Potential Reverse Shell via Background Process", + "sha256": "e46a905a4613f54e71ebce5fcab1853140ae284c3d0ecc23ad4afa82c5ca69e3", + "type": "eql", + "version": 1 + }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious DebugFS Root Device Access", @@ -1172,9 +1221,9 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "2173b0cc2bec6028b91c5b9a051908ca9d6ea87cae8c881a23622b6239e85eee", + "sha256": "2a8ff80cbf124d75571a8831f389c7e67129f89c0f2d1b512133a48bbf0d3478", "type": "query", - "version": 2 + "version": 3 }, "272a6484-2663-46db-a532-ef734bf9a796": { "min_stack_version": "8.3", @@ -1248,9 +1297,9 @@ "29052c19-ff3e-42fd-8363-7be14d7c5469": { "min_stack_version": "8.3", "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "6eafdfc2847d0f8150d36752200d76b3777de7dd46ac7d6c1dab97c2b6afaa67", + "sha256": "f057a319aa5b049290fa8416727ae3ef64bb9ac7779901a61713efe9acef57da", "type": "query", - "version": 103 + "version": 104 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.3", @@ -1267,11 +1316,27 @@ "version": 106 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Enumeration of Privileged Local Groups Membership", + "sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3", + "type": "eql", + "version": 108 + } + }, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "f1ce7be911b34a06915e3f07c41e6e91d314bf37dfb168fb109057d04b56b5c3", - "type": "eql", - "version": 108 + "sha256": "6f6f6175fa206cf7e0c3a47488388561ee39b49bc0b1f18f6baede4fe3ded355", + "type": "new_terms", + "version": 208 + }, + "29ef5686-9b93-433e-91b5-683911094698": { + "min_stack_version": "8.6", + "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", + "sha256": "18bae187efca3e9942f377e9508ca6f0266f122ab379929ab8d6a0d22dc4a342", + "type": "new_terms", + "version": 1 }, "29f0cf93-d17c-4b12-b4f3-a433800539fa": { "min_stack_version": "8.3", @@ -1401,9 +1466,9 @@ "2e580225-2a58-48ef-938b-572933be06fe": { "min_stack_version": "8.3", "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "09e550845fb86206a91ec5d634e2a5427e344a491c0c76e59a66b6f4a4d4f99e", + "sha256": "e19b7c3823c6e134dd116b5b1562e846ca9d4d847a6e25da14c421165a39d028", "type": "query", - "version": 102 + "version": 103 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.3", @@ -1447,6 +1512,13 @@ "type": "eql", "version": 106 }, + "301571f3-b316-4969-8dd0-7917410030d3": { + "min_stack_version": "8.9", + "rule_name": "Malicious Remote File Creation", + "sha256": "3b64dae20a1caf09073534a22a7e22eb31c7ac6212a08748110048e1e2f0f2f0", + "type": "eql", + "version": 1 + }, "30562697-9859-4ae0-a8c5-dab45d664170": { "min_stack_version": "8.3", "rule_name": "GCP Firewall Rule Creation", @@ -1471,9 +1543,9 @@ "31295df3-277b-4c56-a1fb-84e31b4222a9": { "min_stack_version": "8.3", "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "394278b77c3a54380ee197c9763706f2e530452d5b564a4c0d6b14137d57f87e", + "sha256": "d7b2ec2f04b54fbd827d684086503c9240c5b500bb50c7ba12525842e88890d1", "type": "query", - "version": 102 + "version": 103 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "min_stack_version": "8.3", @@ -1499,9 +1571,9 @@ "32923416-763a-4531-bb35-f33b9232ecdb": { "min_stack_version": "8.3", "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "f989ae55a6fdc1e9c9a11c92fd231aa626b1bb662b0a119d8f5cae8d3c0f3577", + "sha256": "7ca9c8daa861f8675fc6d90454ceb1fbbeb55621db753f0ffa615be1509581ea", "type": "query", - "version": 102 + "version": 103 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.3", @@ -1520,9 +1592,9 @@ "333de828-8190-4cf5-8d7c-7575846f6fe0": { "min_stack_version": "8.3", "rule_name": "AWS IAM User Addition to Group", - "sha256": "02db7a25c54c4fbd473ce6ca4a124bfeaba29b63ff68e2d89d4cd27167d6ae7d", + "sha256": "e6dc79527703135b1ce027a5d88baa39dd4c3512d0a5f56a036b8a27eab4ee81", "type": "query", - "version": 106 + "version": 107 }, "33a6752b-da5e-45f8-b13a-5f094c09522f": { "min_stack_version": "8.5", @@ -1555,9 +1627,9 @@ "34fde489-94b0-4500-a76f-b8a157cf9269": { "min_stack_version": "8.3", "rule_name": "Accepted Default Telnet Port Connection", - "sha256": "6fde829b7083578ace3bcf3cb7d8c73a7cc94241c0a398fbc0d6b2ccf1f46505", + "sha256": "5a1c81a6f5119308ed2c419c07cd7d61610c4bf863351341f4f1c5c3d54644b1", "type": "query", - "version": 103 + "version": 104 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { "min_stack_version": "8.3", @@ -1607,6 +1679,13 @@ "type": "eql", "version": 104 }, + "36c48a0c-c63a-4cbc-aee1-8cac87db31a9": { + "min_stack_version": "8.9", + "rule_name": "High Mean of Process Arguments in an RDP Session", + "sha256": "43e809e5064a205d0a1e107068d372415cecef22a677dc5acb3bd91b754772b5", + "type": "machine_learning", + "version": 1 + }, "3728c08d-9b70-456b-b6b8-007c7d246128": { "min_stack_version": "8.3", "rule_name": "Potential Suspicious File Edit", @@ -1617,9 +1696,9 @@ "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "min_stack_version": "8.3", "rule_name": "AWS RDS Security Group Creation", - "sha256": "5b75c7ff3b23af486b2a98aa509dba99b6e5935a1884bcf20ce26298c87a413a", + "sha256": "6ed9dc7097e846293dbf822a322406b46fcbd9d6642245a4dfbc73aabd62537b", "type": "query", - "version": 103 + "version": 104 }, "37994bca-0611-4500-ab67-5588afe73b77": { "min_stack_version": "8.3", @@ -1637,9 +1716,9 @@ "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { "min_stack_version": "8.3", "rule_name": "AWS Execution via System Manager", - "sha256": "2cbc10f8cfc4b487c2e60d03f65c07f3edfffcc2aff4715f233e6dc5d5164c60", + "sha256": "f01c87073629652bd0f1abe3f300881145bb533a262308717ffcc0bab17a3dd0", "type": "query", - "version": 106 + "version": 107 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.3", @@ -1651,9 +1730,9 @@ "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { "min_stack_version": "8.3", "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2", + "sha256": "6873fd08617e0efde5dccf424aacbfe7057877288810c2ed68293f795964241b", "type": "query", - "version": 105 + "version": 106 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.3", @@ -1686,9 +1765,9 @@ "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { "min_stack_version": "8.3", "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "dea5a5643f79a683de4d055fc1e7c3f2444af041cad46e962eea1d3f5f8310d4", + "sha256": "ad7864116d4d41fba90af76f8325d2a86358ed55b0b9be7204d8983cc62b2614", "type": "query", - "version": 103 + "version": 104 }, "39157d52-4035-44a8-9d1a-6f8c5f580a07": { "min_stack_version": "8.3", @@ -1727,9 +1806,9 @@ "3ad49c61-7adc-42c1-b788-732eda2f5abf": { "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "f452215a79041dee079474e59d224d2fb4c3c03ed44830b5e5d36e4d1ab89007", + "sha256": "75c83bc25b63f6d009bfaa4c5ad8ac726f34d8463a71addc994107e75c6f41e3", "type": "query", - "version": 103 + "version": 104 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { "min_stack_version": "8.3", @@ -1769,16 +1848,23 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.3", "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "26c1661135e8af69b7d550fd193137f635de465260e8fd9c383708024444180c", + "sha256": "ad925532e35677e84cb73970b142002377617338f4574eb6ca4dbd7bfcdb37a7", "type": "query", - "version": 1 + "version": 2 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { "min_stack_version": "8.3", "rule_name": "AWS CloudTrail Log Updated", - "sha256": "c544d2bed3c1f0c3eb62422883fdd5c1a029d8a1e4ade88af0b3aaaa0955dc99", + "sha256": "889bfc3e221a4919949c2b2fab1b12ee9a96a75c27e1e249c243318f7bd81063", "type": "query", - "version": 106 + "version": 107 + }, + "3e0561b5-3fac-4461-84cc-19163b9aaa61": { + "min_stack_version": "8.9", + "rule_name": "Spike in Number of Connections Made from a Source IP", + "sha256": "d02ca6fa6392da7a7d8757ae5757e04feb7e340f9b58af698935f60f077e5b80", + "type": "machine_learning", + "version": 1 }, "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "min_stack_version": "8.3", @@ -1852,6 +1938,13 @@ "type": "eql", "version": 2 }, + "3f4e2dba-828a-452a-af35-fe29c5e78969": { + "min_stack_version": "8.9", + "rule_name": "Unusual Time or Day for an RDP Session", + "sha256": "649d4962dc3c27de65026dd648d4e7b0e8285a58920fe69e4994449af66eac61", + "type": "machine_learning", + "version": 1 + }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.3", "rule_name": "Unusual Persistence via Services Registry", @@ -1869,9 +1962,9 @@ "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.3", "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "adeea0cfa04ee8759f832217f19f0ce3d6952e72c717c271909ab099034c8659", + "sha256": "1de1e9aa9030d56c6c6629cd92e3ba65d61bfc9063b76ea2abe412899a224d3f", "type": "eql", - "version": 106 + "version": 107 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "min_stack_version": "8.3", @@ -1897,9 +1990,9 @@ "42bf698b-4738-445b-8231-c834ddefd8a0": { "min_stack_version": "8.3", "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "9ecdb590d2df1959b2b11908911f24308925c345cce10b0370721afd09a2196e", + "sha256": "60954a70897438ce1627fe0aab388688a6c189b04e7eca5543e0c450283c029b", "type": "threshold", - "version": 105 + "version": 106 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "min_stack_version": "8.3", @@ -2108,23 +2201,23 @@ "4973e46b-a663-41b8-a875-ced16dda2bb0": { "min_stack_version": "8.6", "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", - "sha256": "b29c0c0615f8cdfe01647648349a42a142712d082bff8d986549ed7b4956c0d7", + "sha256": "9fa82ebadcb5c5f29578c49072ea5d921ce9a8af05291cd755e5c6aefcc422d7", "type": "eql", - "version": 2 + "version": 3 }, "4982ac3e-d0ee-4818-b95d-d9522d689259": { "min_stack_version": "8.3", "rule_name": "Process Discovery Using Built-in Tools", - "sha256": "0f03ec3cf254ddaf2fb897452085888fda783e6d3394923b04505ac968500d17", + "sha256": "37099aca1b1bdce63f77e75103ff60a0d61898af8036c43eaa2f4d672bd326dd", "type": "eql", - "version": 2 + "version": 3 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "min_stack_version": "8.3", "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "4fbdf3bd4ba58ab5558059d13784148c40f700fc0726f9df2b88d02dcd301625", + "sha256": "fb2b93218641d75dfdcf31527ed8c4baa8ab8d79de140128a054b9a7eb67aac0", "type": "query", - "version": 102 + "version": 103 }, "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { "min_stack_version": "8.3", @@ -2192,9 +2285,9 @@ "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "min_stack_version": "8.3", "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "32d9ab18831ca9798b2304547daeb8258a6f8905a01a54c468b20409eee885f6", + "sha256": "c7f85d799207c359e3f84f41c0473858bad893198ffa7f3d8327d153eb0b422c", "type": "threshold", - "version": 103 + "version": 104 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { "min_stack_version": "8.3", @@ -2241,9 +2334,9 @@ "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.3", "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8", + "sha256": "6cf84f243e86183b9bc2efdc39aa92f7573c421593ce71f1ce90dd87daf5b2dd", "type": "query", - "version": 104 + "version": 105 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.3", @@ -2255,9 +2348,9 @@ "51176ed2-2d90-49f2-9f3d-17196428b169": { "min_stack_version": "8.3", "rule_name": "Windows System Information Discovery", - "sha256": "97b96679737e68fddbc04eaf2cdb22e954524acf822f15557c9d8e5de258496c", + "sha256": "2c0c54011671e9e99d2654529520c137188a4bbcf8feb0beb28c196f0525d88e", "type": "eql", - "version": 2 + "version": 3 }, "5124e65f-df97-4471-8dcb-8e3953b3ea97": { "min_stack_version": "8.3", @@ -2297,23 +2390,23 @@ "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { "min_stack_version": "8.3", "rule_name": "Potential Successful Linux RDP Brute Force Attack Detected", - "sha256": "c3228a5cb84c6e646834e1f6a578e0b7c642d97082d1faf6cb28e94b94553d66", + "sha256": "da0f4a98171700a7be9bdcc51c7e387d476f86016c7d95dd1313f5d899c34fe3", "type": "eql", - "version": 1 + "version": 2 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { "min_stack_version": "8.3", "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "875d325d03aab871f3af655b2a4f09f60421b1863ada9a2e59e415560be70fa6", + "sha256": "238e31f86ad8ffd8ec077358374a122a8c7bbee39ce994f761ad3441be820a9c", "type": "query", - "version": 103 + "version": 104 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { "min_stack_version": "8.3", "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "6290c2857ed36cf95047595761ef26fcbd7d025b31e56eb92016113c70d70c5a", + "sha256": "b6f2ca3d5270df9abe50800ebae493a3d6b715de6b3caea02f86fcd29c4f3c7e", "type": "eql", - "version": 108 + "version": 109 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "min_stack_version": "8.3", @@ -2358,9 +2451,9 @@ "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "min_stack_version": "8.3", "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "dea68832916d128880a091971ddca7401be50c5a91b85315b44276c17c34b3a2", + "sha256": "28f9744c81cfffbf8417f66ee1911ac9da89e9e352c5db4f0af9d725cd73c907", "type": "query", - "version": 103 + "version": 104 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { "min_stack_version": "8.3", @@ -2393,9 +2486,9 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.3", "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "7abb75759648c733f8e4b39c60bd36ccf8b431e1fd27097e698724bc33d34e4b", + "sha256": "4258789d2232d8488f2dfcc621c1793b94aa3eb5e24ddc697886a3854fa2e0cc", "type": "query", - "version": 4 + "version": 5 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "min_stack_version": "8.3", @@ -2449,23 +2542,32 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.3", "rule_name": "PowerShell PSReflect Script", - "sha256": "443cf0180678565fae6aab3fde53464a3fc6f6161ae2be250b2f29d08e3b1071", + "sha256": "8d62732e2d51a8e4d9e1d8705b48e82534ff622c316a9d2a217a2765ae84e988", "type": "query", - "version": 107 + "version": 108 }, "56fdfcf1-ca7c-4fd9-951d-e215ee26e404": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Execution of an Unsigned Service", + "sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc", + "type": "eql", + "version": 2 + } + }, "rule_name": "Execution of an Unsigned Service", - "sha256": "d6a1937f8097432a0d45cff0e4c52746877e8dfc576edec64a5e6235c80ca1bc", - "type": "eql", - "version": 2 + "sha256": "de385d99890c067206d3515ec1c99db389d34cf974afb8ad6478deaf0e14f592", + "type": "new_terms", + "version": 102 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { "min_stack_version": "8.3", "rule_name": "VNC (Virtual Network Computing) from the Internet", - "sha256": "57330331ceebc76d136b11b9a4aad37660028ce464cffd529f0023ad0a5399b2", + "sha256": "08484b01efb6cd6e700e6ac39d1766a24491ac8d9aee3de5719c03ee0e204a06", "type": "query", - "version": 103 + "version": 104 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { "min_stack_version": "8.3", @@ -2547,9 +2649,9 @@ "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { "min_stack_version": "8.3", "rule_name": "AWS CloudTrail Log Created", - "sha256": "0ebf115d87113f0fb8cfb856cf09dd40a7bc00703443d8f5dc149be5cf2d7a26", + "sha256": "84221ea6d1d7084ea241331b852a80ca276abc757430ea68253a3add4daca7a4", "type": "query", - "version": 104 + "version": 105 }, "59756272-1998-4b8c-be14-e287035c4d10": { "min_stack_version": "8.3", @@ -2624,9 +2726,9 @@ "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "min_stack_version": "8.3", "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "353bb55da009500a46a3701adb0b1bb680c718959d2e5969960085c211562f98", + "sha256": "333f27913815c1e4ec223cb266bc34cfadb31ac1a598d1fac7a8de01ac3abd9b", "type": "query", - "version": 103 + "version": 104 }, "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "min_stack_version": "8.4", @@ -2891,9 +2993,9 @@ "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { "min_stack_version": "8.3", "rule_name": "Potential Successful Linux FTP Brute Force Attack Detected", - "sha256": "5011350beae3fbee34961ee280dce76139c391e32caf77391b710c0998735d95", + "sha256": "5ee22642a55e0ff14c438cbc0f77b7746f9fe23b533621103b27df8a9b808d40", "type": "eql", - "version": 1 + "version": 2 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { "min_stack_version": "8.3", @@ -2926,9 +3028,9 @@ "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.3", "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", + "sha256": "0f0e1ba88bbda85d60bb8fc96bda554db238881ea16937d0f0fa5414a15e6ede", "type": "query", - "version": 104 + "version": 105 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "min_stack_version": "8.3", @@ -2940,9 +3042,9 @@ "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.3", "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", + "sha256": "e8e7b2e174c70d5a4a851a47b90138516f2a3c440e275c037a6f1334759c87de", "type": "query", - "version": 104 + "version": 105 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", @@ -2980,9 +3082,9 @@ "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.3", "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", + "sha256": "8d04de56ef8b8f97264ebf4f9614963e43b9106d543823fdccbce9b59a0011d8", "type": "query", - "version": 103 + "version": 104 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.3", @@ -3017,9 +3119,9 @@ "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { "min_stack_version": "8.3", "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "2e8fdc6b595399328a680fc066469a0edae5a41684f4190a837deaa8adf32ae4", + "sha256": "6c4325ced0b53d29535ee5afd746cd09fd120823f660b5bd3518ca50fadca146", "type": "query", - "version": 106 + "version": 107 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "min_stack_version": "8.3", @@ -3031,9 +3133,9 @@ "6951f15e-533c-4a60-8014-a3c3ab851a1b": { "min_stack_version": "8.3", "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", - "sha256": "1bcb655a06d0561e1f4f6e9466d148178ddf1edc310aa5b738f246db479c1afd", + "sha256": "62a819dfff5aff4d9a71c1af4dbee137aa6d96683a906088769effac0fdbd8b1", "type": "query", - "version": 3 + "version": 4 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "min_stack_version": "8.5", @@ -3061,9 +3163,9 @@ "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { "min_stack_version": "8.3", "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "d16a1105cf83086a436f452d32fd1564076c4a7425498c922ca33cdcd2246c17", + "sha256": "31f084b4192870ca6c93d341a1f9e6d9eecaaefe046fcf6687209ec23866edf3", "type": "query", - "version": 103 + "version": 104 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.3", @@ -3121,6 +3223,13 @@ "type": "machine_learning", "version": 107 }, + "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { + "min_stack_version": "8.6", + "rule_name": "Potential Privilege Escalation via CVE-2023-4911", + "sha256": "cc466d496fd9e306e2a0e4ea3c56d690ff0737b1e3c1506daef475f41db91d6d", + "type": "eql", + "version": 1 + }, "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.4", "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", @@ -3159,9 +3268,9 @@ "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.3", "rule_name": "Security Software Discovery using WMIC", - "sha256": "a1ae41d886802078065a49f39d3cccfc069db47d2052a9950cf0421e0187f9c5", + "sha256": "b04895b23aa183e955eac132fe6354b74ae1aea8ce27da447add04c52d265774", "type": "eql", - "version": 106 + "version": 107 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { "rule_name": "DNS Activity to the Internet", @@ -3207,16 +3316,16 @@ "7024e2a0-315d-4334-bb1a-441c593e16ab": { "min_stack_version": "8.3", "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "e4aa3aadf0d7e757977d5c02a31cae6d4ece731bc3478fec172e92a10c8f3ee1", + "sha256": "6eb194ad10e7ea8d3c8547593a150c60eda885a07be0a3dc57dab3dc0d993314", "type": "query", - "version": 106 + "version": 107 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { "min_stack_version": "8.3", "rule_name": "AWS Config Resource Deletion", - "sha256": "e3f3358d38d5992c002d140012811e59a1ff80898107891dfbb67758d36adfc0", + "sha256": "16521ebadcb6ecd1ffe3b12756c604b96cf8b5daedd95eeec1e1fd2eef096dd9", "type": "query", - "version": 106 + "version": 107 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { "min_stack_version": "8.3", @@ -3270,9 +3379,9 @@ "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.3", "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", + "sha256": "a26dbdf7534708e6c75311dac75a165cbb21ce2fedc44bffa5ebd8437ffe6354", "type": "query", - "version": 104 + "version": 105 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", @@ -3280,6 +3389,13 @@ "type": "eql", "version": 100 }, + "72ed9140-fe9d-4a34-a026-75b50e484b17": { + "min_stack_version": "8.6", + "rule_name": "Unusual Discovery Signal Alert with Unusual Process Executable", + "sha256": "76e9e3a24fb77bafe1b7f5cf3730c4024c32f045d85de9b0857bae7a8716b2df", + "type": "new_terms", + "version": 1 + }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.3", "rule_name": "Potential Modification of Accessibility Binaries", @@ -3362,9 +3478,9 @@ "766d3f91-3f12-448c-b65f-20123e9e9e8c": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Shared Object File", - "sha256": "1d6f35d59421b7701973891ca9762db50f5dd087b3feb9e9e384ee927cdf1d36", + "sha256": "33f5cbe72ef839be364b1ccf59d5c1a66fbc6991676d75779148d8b4bc812310", "type": "eql", - "version": 105 + "version": 106 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.3", @@ -3390,9 +3506,9 @@ "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.3", "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "3efbbd83a3795ef381af8172fedb8209e077505df6097622483b3275060f8be7", + "sha256": "863f7c79c8a07dbe9f74d5dd1ecb111219e82a3039c95ed6d56de800b2e13c69", "type": "eql", - "version": 106 + "version": 107 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "min_stack_version": "8.3", @@ -3411,9 +3527,9 @@ "781f8746-2180-4691-890c-4c96d11ca91d": { "min_stack_version": "8.3", "rule_name": "Potential Network Sweep Detected", - "sha256": "dac06daad2d64130cbe33805c45aa9bdba206772051f496081644a309db32cd2", + "sha256": "806ccc4e0580c650a06132653d58575846b22fd3cc308288981b794a63972905", "type": "threshold", - "version": 2 + "version": 3 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "min_stack_version": "8.4", @@ -3441,9 +3557,9 @@ "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "min_stack_version": "8.3", "rule_name": "Spike in AWS Error Messages", - "sha256": "333cdaf4a1706f9d4a7935d233bb7a28147712b8edf36e3500c61433a2cbee57", + "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2", "type": "machine_learning", - "version": 106 + "version": 107 }, "78ef0c95-9dc2-40ac-a8da-5deb6293a14e": { "min_stack_version": "8.4", @@ -3452,6 +3568,13 @@ "type": "eql", "version": 4 }, + "79124edf-30a8-4d48-95c4-11522cad94b1": { + "min_stack_version": "8.3", + "rule_name": "File Compressed or Archived into Common Format", + "sha256": "ffc63f1281c5daf184121bec10deda5e91670f64baeaf47d2ee5336649bf2c78", + "type": "eql", + "version": 1 + }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { "min_stack_version": "8.3", "rule_name": "Azure Key Vault Modified", @@ -3502,16 +3625,16 @@ "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { "min_stack_version": "8.3", "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "388613f453ad59a0b5a1346925a88c2ea72963b1a7a4ba77f510bdb527a655a4", + "sha256": "05d7545eb5be8c088900939645d5a75858e48029b72b2926c878627697576a85", "type": "query", - "version": 103 + "version": 104 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.3", "rule_name": "Windows Network Enumeration", - "sha256": "ef35c00c8f160878d607315e984c5aecf6fdca5f36d9db988c29e88f76d00270", + "sha256": "1a74ce8fd55ca323682377fbd4e17aa7c7cbe45b23fc743465ff882304fff104", "type": "eql", - "version": 106 + "version": 107 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.8", @@ -3573,11 +3696,20 @@ "version": 105 }, "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 100, + "rule_name": "Discovery of Internet Capabilities via Built-in Tools", + "sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66", + "type": "eql", + "version": 1 + } + }, "rule_name": "Discovery of Internet Capabilities via Built-in Tools", - "sha256": "a411322e3fd22e1fe67ca9c54dd4c5ecb965751365aebb4c0c9d7b4e3aa67a66", - "type": "eql", - "version": 1 + "sha256": "bc8f0cbcbf93a3e84a7433c81cb3997b0f23a2d6b1a1df28e3828f0fe7f1ac50", + "type": "new_terms", + "version": 101 }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "min_stack_version": "8.6", @@ -3603,9 +3735,9 @@ "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "min_stack_version": "8.3", "rule_name": "Unusual City For an AWS Command", - "sha256": "51f5b37af37f1f4ec180b1de7aac38ca7d77afc0e1f44dfe6122eb8605e3adab", + "sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199", "type": "machine_learning", - "version": 106 + "version": 107 }, "80c52164-c82a-402c-9964-852533d58be1": { "min_stack_version": "8.3", @@ -3614,6 +3746,13 @@ "type": "query", "version": 101 }, + "814d96c7-2068-42aa-ba8e-fe0ddd565e2e": { + "min_stack_version": "8.9", + "rule_name": "Unusual Remote File Extension", + "sha256": "1eaf7e432793ec71e4a6924b5d8e2f95b30b4b8042f8aaeee43aed4a24050610", + "type": "machine_learning", + "version": 1 + }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.3", "rule_name": "PowerShell Script Block Logging Disabled", @@ -3630,9 +3769,9 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "663ce5702cc916692b79094fb7c51dcad29f2f3687f8085ce74b1f699219eb1e", + "sha256": "2a512f65b3d174a8cea1e7d419378e4fb46c850bc7e3a514409f3093ae43dc92", "type": "query", - "version": 108 + "version": 109 }, "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.3", @@ -3685,9 +3824,9 @@ "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.3", "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "5a3c03a8465e2bd10bcaa699af57945cf361af5ca71be2662c20a6746a5b4960", + "sha256": "ff711eea051615cadd16874b875330acd62c7aaf5fb10e2db0d36c1f15799712", "type": "eql", - "version": 107 + "version": 108 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { "min_stack_version": "8.3", @@ -3697,32 +3836,41 @@ "version": 108 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 207, + "rule_name": "Suspicious PowerShell Engine ImageLoad", + "sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47", + "type": "eql", + "version": 108 + } + }, "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "765d2c6702b22d625ca9fac30e74684428f6d6a852dd200dff84851fe76dda47", - "type": "eql", - "version": 108 + "sha256": "4c25f7bb1a234052d7a5d22439a6b2ceaf128a052fa764bb1d97b0d2b5928eee", + "type": "new_terms", + "version": 208 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "min_stack_version": "8.3", "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "196c1626443f797df1670e37fe56629d8da2a1b61087cac2f3fab49bd64b5113", + "sha256": "f9a3ba3b45d5b33b1e73c806495b984233a6b2bc200082fc945fa31d8fea41be", "type": "query", - "version": 103 + "version": 104 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { "min_stack_version": "8.3", "rule_name": "AWS RDS Security Group Deletion", - "sha256": "f46878044473b51688032f8944026be841032d83fbab53ebccb6f3bd1056f1a7", + "sha256": "0c9d4de210e608efca7e588b59eeb71ca5f96b5b20c083daee0e8d4035f0cd32", "type": "query", - "version": 103 + "version": 104 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { "min_stack_version": "8.3", "rule_name": "AWS IAM Group Deletion", - "sha256": "950ae30d904242ba798eb1658f1e238720d404743585e155f030dda45d0e05f6", + "sha256": "f4898405685170f2b55f69bcde2b41a0cb8b861ef6040f86e3257bf0abf93383", "type": "query", - "version": 103 + "version": 104 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { "min_stack_version": "8.3", @@ -3734,16 +3882,16 @@ "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": "8.3", "rule_name": "Enumeration of Administrator Accounts", - "sha256": "70ad3fa6e2da2dbfbb0211d6835e6657b3c156417e77b4b8bc33b86c2b69167d", + "sha256": "16de3139ef7299ea2fe5dc3a874629d2079e250e032b7f33ce0250a0b0e931e6", "type": "eql", - "version": 107 + "version": 108 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { "min_stack_version": "8.3", "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "81d56536a960fa83385df001b8186c6a129128d000278be5586476a6d4b9e19b", + "sha256": "bf5d21e0ace96205fd8f8db491ac9d75625ef089e4f5b3499d4a4209268f9719", "type": "query", - "version": 103 + "version": 104 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", @@ -3837,9 +3985,9 @@ "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { "min_stack_version": "8.3", "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", + "sha256": "42864ccbb8e48936452a309318951454ac5820199a0b5e62be20a53c6846eb2b", "type": "query", - "version": 104 + "version": 105 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "min_stack_version": "8.3", @@ -3879,9 +4027,9 @@ "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { "min_stack_version": "8.3", "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "02d2aa1ce970af5dbef685da0cfc51fc7c9d7c82932b13d1b19d8f212a1ba2de", + "sha256": "97a0561922556e3ced27828faed777dc5a0ab1da7843bfef7c19929702a26f4b", "type": "query", - "version": 102 + "version": 103 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.3", @@ -3990,9 +4138,9 @@ "9055ece6-2689-4224-a0e0-b04881e1f8ad": { "min_stack_version": "8.3", "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "637b97f8e4d2c60b80d6427cd89d111d077543e2103cb3a96f9e35e577bd9caa", + "sha256": "52ad2c61bc4217845afa6a13fe3e23cd405324f6bc6779b2ed3a21ecda615e14", "type": "query", - "version": 103 + "version": 104 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { "min_stack_version": "8.3", @@ -4024,9 +4172,9 @@ "91d04cd4-47a9-4334-ab14-084abe274d49": { "min_stack_version": "8.3", "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "4d59ddb17973a139d9be0a601ce33dda6071ea802724f0bd0333d7db8722280c", + "sha256": "ecd61bd19c50c09347fdf33fed3a2f8ec9fc77dec053398a5b62f534e297ebdb", "type": "query", - "version": 103 + "version": 104 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "min_stack_version": "8.3", @@ -4052,9 +4200,9 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.3", "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "50456decf4f398de8c09653fee24f7eb07663c151fc638cfd1cf7c9584cb733b", + "sha256": "7fe6f04aad78c1165b56664a6e2b192a15c39a1166c3b1e24906d7ff5b91b1f0", "type": "query", - "version": 5 + "version": 6 }, "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "min_stack_version": "8.3", @@ -4066,9 +4214,9 @@ "93075852-b0f5-4b8b-89c3-a226efae5726": { "min_stack_version": "8.3", "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "2e6053408cd8709eca1ec8f67f1435cba0deae2486a175e0943f710e9ee4e2b3", + "sha256": "b0edd6d0742b92fa2ebe2c3d5ea02c63f8a1edffe0b0f53320b86ed419ab8fb8", "type": "query", - "version": 103 + "version": 104 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "min_stack_version": "8.3", @@ -4080,9 +4228,9 @@ "9395fd2c-9947-4472-86ef-4aceb2f7e872": { "min_stack_version": "8.3", "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "f3c39ae72c93e6c08f938d780fc70f56119ce17eb3ef31cf7645331efed700c3", + "sha256": "408b41a86252884a996ece1031334c7b73d4870202ad4a65c1a74d5392ad3454", "type": "query", - "version": 106 + "version": 107 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.3", @@ -4175,16 +4323,16 @@ "968ccab9-da51-4a87-9ce2-d3c9782fd759": { "min_stack_version": "8.3", "rule_name": "File made Immutable by Chattr", - "sha256": "8de6fbce3edd5e6599051a15eae6429056bb4fae367b3cd3572ece577dc22e1b", + "sha256": "bc300bb67a2279504fbe3225243633c892bbc5b8e695a109b127b1edf673cb5b", "type": "eql", - "version": 106 + "version": 107 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { "min_stack_version": "8.3", "rule_name": "Attempt to Create Okta API Token", - "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", + "sha256": "00e7844e7b50556df54dd1a80585ef3b0d6e18949813883d66e9467cd40a90f9", "type": "query", - "version": 103 + "version": 104 }, "96d11d31-9a79-480f-8401-da28b194608f": { "min_stack_version": "8.6", @@ -4224,16 +4372,16 @@ "979729e7-0c52-4c4c-b71e-88103304a79f": { "min_stack_version": "8.3", "rule_name": "AWS SAML Activity", - "sha256": "5ccb2e9205c690a15eeb580f91fbced1746f6a12cd487ec983e1bdb8b5f7b33d", + "sha256": "6205667e0b3ffc035feaf7ed17e089eb50ab5ff04926b74e65bb83f73d79af8d", "type": "query", - "version": 103 + "version": 104 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { "min_stack_version": "8.3", "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", + "sha256": "77d0337a5eb54baa93eb1e573ddab7f5e356ad4892d6cf02c74ce6562afd8d2d", "type": "eql", - "version": 105 + "version": 106 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.3", @@ -4299,9 +4447,9 @@ "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "min_stack_version": "8.3", "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "ed1f4e4296f79824714df9f3010887d3ecd69c44ffbf728bed8d47197ea5e08e", + "sha256": "3c5613df7cc89e9a173b0632a5db11d02b917f05f3c24cb3d44c416a679a4056", "type": "query", - "version": 106 + "version": 107 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { "min_stack_version": "8.3", @@ -4377,6 +4525,13 @@ "type": "eql", "version": 105 }, + "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { + "min_stack_version": "8.3", + "rule_name": "GitHub Owner Role Granted To User", + "sha256": "152428a8434461254fd0550779e5f2ff7b906cf27f44936e520219c6c117b748", + "type": "eql", + "version": 1 + }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.3", "rule_name": "Persistence via WMI Event Subscription", @@ -4428,25 +4583,34 @@ "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 204, + "rule_name": "Microsoft Build Engine Started by a Script Process", + "sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2", + "type": "eql", + "version": 105 + } + }, "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "a7dda34610cf31fe8bd552ca7b1be438b979f718bba2f25c1bfbe2dcf6e399c2", - "type": "eql", - "version": 105 + "sha256": "b98418a78935c61df5f27bc19586a7013ca07b3044d1a233a8bb38e0258feeff", + "type": "new_terms", + "version": 205 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "69d5523e4e8bd2c582f84b522bfeae185f56d87fb6f698ba3afd72a1722cfc9b", + "sha256": "dbebd3797fdae528a8f432c6944ceb33a92b55466eaf7317a77173ea58b80423", "type": "eql", - "version": 106 + "version": 107 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "b2885bccbc5942ef0b109aafd8cc5f741f11e702109bfce0e316e37c66a45f02", + "sha256": "4487327fd533126e8f007f9eb063741a10c3cf9a07a48399c391f9713e58420c", "type": "eql", - "version": 107 + "version": 108 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.3", @@ -4456,11 +4620,20 @@ "version": 107 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 205, + "rule_name": "Microsoft Build Engine Started an Unusual Process", + "sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d", + "type": "eql", + "version": 106 + } + }, "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "a31248c2a77ee248c66bc397338932837d26cb27e8d0fe2ecc59cb2fd6705d5d", - "type": "eql", - "version": 106 + "sha256": "1e8c98c86268cb9bdde8af04c845776ed081dd6a07dbfa4b6873755f5d5670dc", + "type": "new_terms", + "version": 206 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.3", @@ -4486,9 +4659,9 @@ "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "min_stack_version": "8.3", "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "18494ff65fcc575a4fe46296da4e82fca3ba729b57b21a1c55c64d81a92924ed", + "sha256": "7bb8484c63f6e1ceb591dc3b6a6aa1e5e3dc34ccfd3d932e3e9c8e1b8e3162be", "type": "eql", - "version": 105 + "version": 106 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.3", @@ -4516,9 +4689,9 @@ } }, "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", - "sha256": "a470900ff108beb4fc2bd4b7b585eab94d9c4069ec2fdc41e3d7b241c6fd4263", + "sha256": "7cd0da2ff3ffb5eb309da5e40ce09ddc719465d69413af21aaa59db60bf569ea", "type": "new_terms", - "version": 206 + "version": 207 }, "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.3", @@ -4616,9 +4789,9 @@ "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "min_stack_version": "8.3", "rule_name": "PowerShell Mailbox Collection Script", - "sha256": "c26cd675ef7730a95a52e92c7f5bc7144cda7fb9f14144470c96dfe93b036da2", + "sha256": "af441eec9facc8c5fa2be399c6d3a1a2383c4e937ccfca40f8455f599c5d8a24", "type": "query", - "version": 4 + "version": 5 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.3", @@ -4664,9 +4837,9 @@ "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { "min_stack_version": "8.3", "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "76387a6bb7b623af513d1e3379567e01c3efd70a0fbf651fb1361a6a3fb63075", + "sha256": "10f0e0afc0e8f51f1c37dc1a9885a33dd37e56c43f029b3c5865e4983baefb3a", "type": "query", - "version": 106 + "version": 107 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { "min_stack_version": "8.3", @@ -4696,6 +4869,13 @@ "type": "eql", "version": 104 }, + "a74c60cb-70ee-4629-a127-608ead14ebf1": { + "min_stack_version": "8.9", + "rule_name": "High Mean of RDP Session Duration", + "sha256": "da4ddd46272515e372d09fc4efb2d394cba8e054b0ce9bd555adef5a46d91034", + "type": "machine_learning", + "version": 1 + }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { "min_stack_version": "8.3", "rule_name": "Suspicious Print Spooler SPL File Created", @@ -4724,6 +4904,13 @@ "type": "eql", "version": 1 }, + "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": { + "min_stack_version": "8.9", + "rule_name": "High Variance in RDP Session Duration", + "sha256": "c0f263fa0ff7d4e7f059e58dd7c707af412cdea311f76703517ce73844a1267a", + "type": "machine_learning", + "version": 1 + }, "a9198571-b135-4a76-b055-e3e5a476fd83": { "rule_name": "Hex Encoding/Decoding Activity", "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf", @@ -4763,9 +4950,9 @@ "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { "min_stack_version": "8.3", "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "c71a73ed18eadca2c2c082ca0d511745ce0960e56167e3ed59116b93c8b2720c", + "sha256": "8dcd8a517f60e962d4ebf18984358abb4a22823f7b32a4e918d1aa3645fa0fee", "type": "query", - "version": 103 + "version": 104 }, "aa8007f0-d1df-49ef-8520-407857594827": { "min_stack_version": "8.3", @@ -4777,9 +4964,9 @@ "aa895aea-b69c-4411-b110-8d7599634b30": { "min_stack_version": "8.3", "rule_name": "System Log File Deletion", - "sha256": "6fee4b495f1438946191a9f0a5d18e790c19b3546166fa5dc0126a090844c515", + "sha256": "ac41e7af0740df6857011b45aeafd5c04aa1172edb2ee9469e0294726e78cea9", "type": "eql", - "version": 106 + "version": 107 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.3", @@ -4826,9 +5013,9 @@ "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "min_stack_version": "8.3", "rule_name": "Unusual AWS Command for a User", - "sha256": "9f57306030e5ba60d653be67aa9384950045aa7df06b096ce123ae72771cd11a", + "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49", "type": "machine_learning", - "version": 106 + "version": 107 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "min_stack_version": "8.3", @@ -5073,9 +5260,9 @@ "b45ab1d2-712f-4f01-a751-df3826969807": { "min_stack_version": "8.3", "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "270622c32893a7ed8bb7c39017bb09133147e3b8af1c8844d93f0150447134ba", + "sha256": "1382976ef19290c1857b535d15facff537acd5d5a33e5575372bef70ba4c9090", "type": "query", - "version": 103 + "version": 104 }, "b483365c-98a8-40c0-92d8-0458ca25058a": { "min_stack_version": "8.3", @@ -5087,9 +5274,9 @@ "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { "min_stack_version": "8.3", "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", + "sha256": "614c1c668c20b47ea3131ada30c8e3553492804e1a59c5580715f70c757d07b6", "type": "query", - "version": 104 + "version": 105 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "min_stack_version": "8.3", @@ -5136,16 +5323,16 @@ "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { "min_stack_version": "8.3", "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8", + "sha256": "6a65ec96ad5423adc711dfec4c404f2e552f894f68eaa80a1f242d64218bbdc6", "type": "query", - "version": 104 + "version": 105 }, "b8075894-0b62-46e5-977c-31275da34419": { "min_stack_version": "8.3", "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3", + "sha256": "1177bae4785512b7c84e85287f4a1e6555c016a06a1a91407ee74cee2c622ae3", "type": "query", - "version": 103 + "version": 104 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "min_stack_version": "8.3", @@ -5220,9 +5407,9 @@ "b9666521-4742-49ce-9ddc-b8e84c35acae": { "min_stack_version": "8.3", "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "e1cb2516563dc7520157b944c165c5b231a99942cdfcd049f1ef1d3213bf29d1", + "sha256": "b52f9a9d5f0c729e51501205cbd24a63482072973a089b57d59e07a4fab75df7", "type": "eql", - "version": 104 + "version": 105 }, "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.3", @@ -5255,9 +5442,9 @@ "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "min_stack_version": "8.3", "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "2e9848fe420de87afde4a086d63bb5d02bb91f3da348bd0eed54b6f7993a85cd", + "sha256": "60c1a7d5d2cd24c909689b37015df4508b993bdd925b050e1b45df21a23479ba", "type": "query", - "version": 103 + "version": 104 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "min_stack_version": "8.3", @@ -5269,9 +5456,9 @@ "bbaa96b9-f36c-4898-ace2-581acb00a409": { "min_stack_version": "8.3", "rule_name": "Potential SYN-Based Network Scan Detected", - "sha256": "a2fa63d2505d8c71652f2a4e23c141d1682d9ff045c088e18b89c6e85508516d", + "sha256": "2b1e4aa7d79164849563312bd9d49b860b58f5f0b4df254ce84a7a65e6a10dfa", "type": "threshold", - "version": 2 + "version": 3 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "min_stack_version": "8.3", @@ -5283,9 +5470,9 @@ "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { "min_stack_version": "8.3", "rule_name": "AWS Root Login Without MFA", - "sha256": "40f1b53ce3bb3464e8d8bbad167820d4d5b70e24358eef7c18c72fcdaf161f26", + "sha256": "8f967af66ccd21f236403f460e274db15d0dab8e769626d091f26ddba123de07", "type": "query", - "version": 106 + "version": 107 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { "min_stack_version": "8.3", @@ -5353,9 +5540,9 @@ "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { "min_stack_version": "8.3", "rule_name": "Potential Pspy Process Monitoring Detected", - "sha256": "3e3047dea72b0e200ecac521c558ec5c07205beb177d77602fbbc760d41b3735", + "sha256": "b1a7f950e8830388985011f13f94ef09e66a8e19ff09652206c060af47049380", "type": "eql", - "version": 1 + "version": 2 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.3", @@ -5364,6 +5551,13 @@ "type": "eql", "version": 105 }, + "be4c5aed-90f5-4221-8bd5-7ab3a4334751": { + "min_stack_version": "8.9", + "rule_name": "Unusual Remote File Directory", + "sha256": "4ed65ee17e5e6a2e754823609612583d0e717cead35636b67da9903546d4f880", + "type": "machine_learning", + "version": 1 + }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.3", "rule_name": "Searching for Saved Credentials via VaultCmd", @@ -5374,9 +5568,9 @@ "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "min_stack_version": "8.3", "rule_name": "AWS RDS Snapshot Restored", - "sha256": "aa3da4102533524658662c93b127d4c25ca56ed19c01be2a8904cd695347b3d6", + "sha256": "31690f503f33025d8d634b7c33d01adff504c8c0cdfbeab6519116149937669e", "type": "query", - "version": 103 + "version": 104 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "min_stack_version": "8.3", @@ -5423,9 +5617,9 @@ "c1812764-0788-470f-8e74-eb4a14d47573": { "min_stack_version": "8.3", "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "c8fb1a9316a7bc5541a685e19440d21f4c158350903c4e21b6225360fee8258d", + "sha256": "53d6e6b5dc3942bb911622ffd2582ed4e8a3bff445df0e269aba07ed320f34e8", "type": "query", - "version": 103 + "version": 104 }, "c20cd758-07b1-46a1-b03f-fa66158258b8": { "min_stack_version": "8.3", @@ -5500,9 +5694,9 @@ "c4e9ed3e-55a2-4309-a012-bc3c78dad10a": { "min_stack_version": "8.3", "rule_name": "Windows System Network Connections Discovery", - "sha256": "56bf9828457985099728e90f9046ec5d50ba668e7b911712abec96eaa3d6d665", + "sha256": "16cd4b39c59281f69407d88a2f0bbadab7ac9d1408c9e0c6e5400a92f25898d9", "type": "eql", - "version": 2 + "version": 3 }, "c55badd3-3e61-4292-836f-56209dc8a601": { "min_stack_version": "8.3", @@ -5549,9 +5743,9 @@ "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "min_stack_version": "8.3", "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "8cf1d0abaed488b33ec708608f9a5ba1ec08a67e664df9145ebf1800d2701adb", + "sha256": "a6a7a57d9d9f53170aaca5b52e31fa5987b52d03287d461f35903e7a94f3c49e", "type": "eql", - "version": 106 + "version": 107 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { "min_stack_version": "8.3", @@ -5576,16 +5770,16 @@ "c749e367-a069-4a73-b1f2-43a3798153ad": { "min_stack_version": "8.3", "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a", + "sha256": "32aa247af72d8bfb3ed85d34d5c359b595a21f5b5ef6703aec68875147b2110f", "type": "query", - "version": 104 + "version": 105 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.3", "rule_name": "Attempt to Modify an Okta Application", - "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0", + "sha256": "d9ce411d12a9dcd03a68e93eedabd0fc200c743908746faf634ade8744ff7f32", "type": "query", - "version": 103 + "version": 104 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.3", @@ -5634,9 +5828,9 @@ "c82b2bd8-d701-420c-ba43-f11a155b681a": { "min_stack_version": "8.3", "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "128d5682da221aeffcdc38868dcaa75f484b8b2411f3c7a2eae8881f6e41e861", + "sha256": "6420c0fe2bee67b51779e539f2cfe3b480539c36abf148d1d69db79d6f2e8f67", "type": "query", - "version": 102 + "version": 103 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { "min_stack_version": "8.3", @@ -5798,9 +5992,9 @@ "cc92c835-da92-45c9-9f29-b4992ad621a0": { "min_stack_version": "8.3", "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999", + "sha256": "b478201ba15dcd2c82b79fa58c4c175e917d642653a86009ecf389042156d85c", "type": "query", - "version": 105 + "version": 106 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "min_stack_version": "8.3", @@ -5812,9 +6006,9 @@ "cd16fb10-0261-46e8-9932-a0336278cdbe": { "min_stack_version": "8.3", "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6", + "sha256": "06745b57fd263169ae59b2d860b840a6deb4a911da424fa9267827a54e77c61f", "type": "query", - "version": 104 + "version": 105 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -5846,23 +6040,23 @@ "cd89602e-9db0-48e3-9391-ae3bf241acd8": { "min_stack_version": "8.3", "rule_name": "Attempt to Deactivate MFA for an Okta User Account", - "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7", + "sha256": "21e5d78749220436e967eeeb044dd1f1f605e2586c03e609b54561405c40cccf", "type": "query", - "version": 104 + "version": 105 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.3", "rule_name": "Okta User Session Impersonation", - "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5", + "sha256": "0a3253294eddbc09d843b81fe8f461f26e5b01e8456dc88dbce7c79923ff93b7", "type": "query", - "version": 105 + "version": 106 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.3", "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "8dd2c1c84b0fc1c9b380b49e3924012569cff3b126def7c497f092a63a057eff", + "sha256": "cb505702842c62bf14d57f592e2da9b793b4232bb14db1dc07ce3ee3dca88d72", "type": "query", - "version": 5 + "version": 6 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.3", @@ -5874,9 +6068,9 @@ "cf53f532-9cc9-445a-9ae7-fced307ec53c": { "min_stack_version": "8.3", "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "d72e36349524c074ac047562258cfce46273ee90ce47cd6b4d7bf6583558e37b", + "sha256": "ae06529dfc51404f2a14651c780e0d62070bf088490bbb3215fdefb56904c4f2", "type": "query", - "version": 103 + "version": 104 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { "min_stack_version": "8.4", @@ -5894,6 +6088,13 @@ "type": "query", "version": 205 }, + "cf575427-0839-4c69-a9e6-99fde02606f3": { + "min_stack_version": "8.6", + "rule_name": "Unusual Discovery Activity by User", + "sha256": "2dec950ffa14b4863a879f391b045196709a774f032c8bc35d8f61ba20e2bfff", + "type": "new_terms", + "version": 1 + }, "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e": { "min_stack_version": "8.3", "rule_name": "Trap Signals Execution", @@ -6001,9 +6202,9 @@ "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "min_stack_version": "8.3", "rule_name": "Attempt to Delete an Okta Application", - "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7", + "sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6", "type": "query", - "version": 103 + "version": 104 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "min_stack_version": "8.3", @@ -6050,9 +6251,9 @@ "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { "min_stack_version": "8.3", "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6", + "sha256": "537f87bddcb81e9ba189e215fbb67e630dc5362f718cb3d8e57f843bd129033a", "type": "query", - "version": 104 + "version": 105 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.3", @@ -6064,9 +6265,9 @@ "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { "min_stack_version": "8.3", "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "e7f7445facc4da1f84ee331f6dbbf22337e319df0727349ff958c0f62154fd1f", + "sha256": "5bc55e01a217a6d8069b08e636d1e12080f2a96b645cc68f8f33806d04a820ee", "type": "query", - "version": 106 + "version": 107 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { "min_stack_version": "8.3", @@ -6084,9 +6285,9 @@ "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { "min_stack_version": "8.3", "rule_name": "System Information Discovery via Windows Command Shell", - "sha256": "123d0512c4355047e5fc67352b4ba9a65b7bd2515f7513409a0276a2414ce054", + "sha256": "e19053836a709b816dc84ce8ced0ba8168ccd803d9c077141d35d3a0679f082f", "type": "eql", - "version": 6 + "version": 7 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { "min_stack_version": "8.3", @@ -6147,9 +6348,9 @@ "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "min_stack_version": "8.3", "rule_name": "SMTP on Port 26/TCP", - "sha256": "a83fb857076a042c492fa2affcd6539e499ab52f67b336d1e47854a3e23a13d3", + "sha256": "3816b9a7c573ec98806b9cc52fc8e281cd0559c43a7c7fce52c60f63c8a8eb2f", "type": "query", - "version": 102 + "version": 103 }, "d8ab1ec1-feeb-48b9-89e7-c12e189448aa": { "min_stack_version": "8.3", @@ -6161,9 +6362,9 @@ "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { "min_stack_version": "8.3", "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "3c501df177ec97cc6f46663425f4c04cb979694688cd3bfad27f03a0d8a2ac53", + "sha256": "7e7bcfe14adab55f0ac9ab6478a826ff0dff7b31efe686b94a1bbf30d730bdd6", "type": "query", - "version": 106 + "version": 107 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.3", @@ -6257,9 +6458,9 @@ "dca28dee-c999-400f-b640-50a081cc0fd1": { "min_stack_version": "8.3", "rule_name": "Unusual Country For an AWS Command", - "sha256": "09aabd7cf1fd572c2266143f903d21cbaedb757f619cc17b5f2c78b74e046946", + "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561", "type": "machine_learning", - "version": 106 + "version": 107 }, "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "min_stack_version": "8.3", @@ -6297,11 +6498,20 @@ "version": 105 }, "ded09d02-0137-4ccc-8005-c45e617e8d4c": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 101, + "rule_name": "Query Registry using Built-in Tools", + "sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd", + "type": "eql", + "version": 2 + } + }, "rule_name": "Query Registry using Built-in Tools", - "sha256": "b2ee224e76ea602717f6188bd78728ea09a54c1c694fb5041f9d7f0197db8ebd", - "type": "eql", - "version": 2 + "sha256": "1ce3bd6bd9c91187b6ee6941b8adf51a9bc72c81dd5bcc25fe03bd480f1122eb", + "type": "new_terms", + "version": 102 }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "min_stack_version": "8.6", @@ -6370,16 +6580,16 @@ "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "min_stack_version": "8.3", "rule_name": "System Service Discovery through built-in Windows Utilities", - "sha256": "ff2526e88d22d00ba16eca2c07ec3bec5e06c7785739a7ab842edd79c975943f", + "sha256": "5b07769d45f5a33fcbe539609647986809d75daea1b8aa5874d0ae7f0e6a8892", "type": "eql", - "version": 4 + "version": 5 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { "min_stack_version": "8.3", "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "71bc21a2e39ae429903f27a300a650a34aed1adfba8e5ce63f527c8362e23d02", + "sha256": "10ee903471646d3de3429f99b45cf5e5d7fadc3fda75e3d87f0d1f495d30f511", "type": "threshold", - "version": 105 + "version": 106 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "min_stack_version": "8.3", @@ -6405,16 +6615,16 @@ "e12c0318-99b1-44f2-830c-3a38a43207ca": { "min_stack_version": "8.3", "rule_name": "AWS Route Table Created", - "sha256": "7bc47ab3f6abaaa3ab9719f0b5584578bde76d5e46e45c4f5930b55727fde835", + "sha256": "4081dda0ac65323a45109124e0222f68584e912ecdc216ad1e2f5b8f9f431afc", "type": "query", - "version": 103 + "version": 104 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { "min_stack_version": "8.3", "rule_name": "AWS RDS Cluster Creation", - "sha256": "1028d9d315c9b25af760a4d81b28115f4bc2ea1653f08740433bc44c0c49ecbf", + "sha256": "064737df50105c6e8c5336eb8537b218f80ef6e29e079214fe8dca37dc5bda32", "type": "query", - "version": 103 + "version": 104 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { "min_stack_version": "8.3", @@ -6447,9 +6657,9 @@ "e2a67480-3b79-403d-96e3-fdd2992c50ef": { "min_stack_version": "8.3", "rule_name": "AWS Management Console Root Login", - "sha256": "b9dd3e3ff50478a62eb78a03bd6f15b075d2c8b5205f36afb4bb4c84ec2aea89", + "sha256": "c4f8568aee037cc76372958fdfc1556649341e70f4d8ffc9a8a3f8c1e5fbe0e6", "type": "query", - "version": 106 + "version": 107 }, "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444": { "min_stack_version": "8.3", @@ -6468,9 +6678,9 @@ "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.3", "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "b8ef093aa90790193389f0a3b2eb27568f9516fec3932bce89da7213cabf2393", + "sha256": "7326c0fdf7b88869ad1306d85488813f482b3ac72e2d30e276978b2d064c29b5", "type": "eql", - "version": 106 + "version": 107 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { "min_stack_version": "8.3", @@ -6489,9 +6699,9 @@ "e3c27562-709a-42bd-82f2-3ed926cced19": { "min_stack_version": "8.3", "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "dd9a314d7acf050b51fec079eb2ff4d0667d2954a8fe4eee7a86081d7971db12", + "sha256": "58bf1f2fc9acd22be3c161424a77c2a213cf1401372313a2272d73d6af866d41", "type": "query", - "version": 103 + "version": 104 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { "min_stack_version": "8.3", @@ -6510,16 +6720,16 @@ "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { "min_stack_version": "8.3", "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "1b8c0a0d497da1a7aa237cea422221680d66e067bd3cb56754342e2426b8456e", + "sha256": "ac660618b2f53220fa549edf8c4bf12df44b42b26daed8102d9f6cd69d0340f7", "type": "eql", - "version": 105 + "version": 106 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { "min_stack_version": "8.3", "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456", + "sha256": "6d57260382880fab2e20021bd0235b13974bf1bde3fcdb2fe4b85484ea80f4c6", "type": "query", - "version": 104 + "version": 105 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.3", @@ -6574,9 +6784,9 @@ "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { "min_stack_version": "8.3", "rule_name": "Possible Okta DoS Attack", - "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391", + "sha256": "065c5e51d3541a24ee401d4b9da8787e8fb858c1e89938d7f7fa8daf46e7199e", "type": "query", - "version": 103 + "version": 104 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "min_stack_version": "8.3", @@ -6588,9 +6798,9 @@ "e7075e8d-a966-458e-a183-85cd331af255": { "min_stack_version": "8.3", "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "c0e04ce1aa8f8652c9593631d1a9692ea6c265ee388e504ccc1d3c225ad62272", + "sha256": "6bbe76d52fd258b99c66bbf69e3f64060fa0a3112a36cd1c55f44d03d2da9d9e", "type": "query", - "version": 103 + "version": 104 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.3", @@ -6632,9 +6842,9 @@ "e7cd5982-17c8-4959-874c-633acde7d426": { "min_stack_version": "8.3", "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "aac5e30f0f52cc491d255e93c3f1f83cdb0547f9f20b8fe3376704aee6c6f730", + "sha256": "2199bfaa82c73c0e3d8e7c4dd8d7df67b438163716298173157240784ea80fdc", "type": "query", - "version": 103 + "version": 104 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.3", @@ -6667,16 +6877,16 @@ "e90ee3af-45fc-432e-a850-4a58cf14a457": { "min_stack_version": "8.3", "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "94f8f87bf5279e92dae5e3f1a86adcc88c5e03a1ddc2d3ee3878b1ef488abd08", + "sha256": "bb06cc2e64669d793dd0ab51b8f596cf9ed9f9454f861ae51504837bb3552d10", "type": "threshold", - "version": 105 + "version": 106 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "min_stack_version": "8.3", "rule_name": "AWS EC2 VM Export Failure", - "sha256": "f5fbdb6dd8db185f84352432e56a887048b7d1bac9936d1c3a3944b9f5ed4d31", + "sha256": "3d6439c0aa3958b93a6dddcf1bd5a4bd85a8a42ea1de077784cbcddffa9842dd", "type": "query", - "version": 103 + "version": 104 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "min_stack_version": "8.3", @@ -6692,6 +6902,13 @@ "type": "eql", "version": 104 }, + "e9b0902b-c515-413b-b80b-a8dcebc81a66": { + "min_stack_version": "8.9", + "rule_name": "Spike in Remote File Transfers", + "sha256": "5a680fcc21fa3a04e8559fed157bb4ad2d12ae704220ebfb794b987dd5e7f9ab", + "type": "machine_learning", + "version": 1 + }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", "sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a", @@ -6714,9 +6931,9 @@ "ea248a02-bc47-4043-8e94-2885b19b2636": { "min_stack_version": "8.3", "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "d8fbba1e46a7add1e78c5e5e8efbbd07526667d98224a35765adf2574e4c6e80", + "sha256": "c03ce8fcb77809e7578333b7e52f0fe9d851c9f6687eb1a7d20a33e2b642ed3f", "type": "threshold", - "version": 106 + "version": 107 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "min_stack_version": "8.3", @@ -6742,9 +6959,9 @@ "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "a05367ae65e4b39de37332b4894eb8085397b7fbf86eb16ab1899b6d60beac4d", + "sha256": "19a8d98813f7227deaf511c0d633facc03ce98eca134cbf0ad8d95277312d2bd", "type": "query", - "version": 107 + "version": 108 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { "min_stack_version": "8.3", @@ -6798,9 +7015,9 @@ "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { "min_stack_version": "8.3", "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "507678779aec70fd7d8e6f87c97bad4456c69b88fbf5e1ef2ede267b6c6d356b", + "sha256": "ac0a0d9ae3dd952d42b9953594ccbb2e820c3b3754a613810c6568a3fb3205bc", "type": "query", - "version": 103 + "version": 104 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { "min_stack_version": "8.3", @@ -6819,16 +7036,16 @@ "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { "min_stack_version": "8.3", "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973", + "sha256": "6015ee3b4d4c29fbd1e06ca5bb2947716089acffc92c07d1e1ef36a3aace0a7c", "type": "query", - "version": 104 + "version": 105 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.3", "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "3482abb380dae16ed856b1c92ebf753d98d655730383b3e1e6329221b64d7f96", + "sha256": "2879ba6dedb4672f2a2edf42d9b51a445ad7e87deafca2d3e115c225361d1e52", "type": "eql", - "version": 106 + "version": 107 }, "edfd5ca9-9d6c-44d9-b615-1e56b920219c": { "min_stack_version": "8.3", @@ -6902,9 +7119,9 @@ "f06414a6-f2a4-466d-8eba-10f85e8abf71": { "min_stack_version": "8.3", "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba", + "sha256": "129a8d5f0cd2075e7fe6a38059a5ddcd26d18f1d6b9d8b93950bf60863671395", "type": "query", - "version": 103 + "version": 104 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "min_stack_version": "8.3", @@ -6958,9 +7175,9 @@ "f28e2be4-6eca-4349-bdd9-381573730c22": { "min_stack_version": "8.3", "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "181e254a121f95897919759791f5af14565c11aa4ed7bab144e1e9c27400ac8b", + "sha256": "c0d41a9640582655c35bbdf6fd4057c405ea4a82195c458393a2820c413ea5df", "type": "eql", - "version": 105 + "version": 106 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.3", @@ -6979,9 +7196,9 @@ "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { "min_stack_version": "8.3", "rule_name": "AWS RDS Instance Creation", - "sha256": "1b57c3c8d9066a43e2cf1493eb351327278a05bf30471e51460fc99b3134a1c5", + "sha256": "25aeaebf372fd4e468e990590efe81685706f45ab5eb44bb246d187a16a8b6e0", "type": "query", - "version": 103 + "version": 104 }, "f33e68a4-bd19-11ed-b02f-f661ea17fbcc": { "min_stack_version": "8.4", @@ -7011,6 +7228,13 @@ "type": "threat_match", "version": 3 }, + "f41296b4-9975-44d6-9486-514c6f635b2d": { + "min_stack_version": "8.6", + "rule_name": "Potential curl CVE-2023-38545 Exploitation", + "sha256": "9efdc32da856ea0ecfb495756ffd87148d34f4be5d42e19e9839782860cef853", + "type": "eql", + "version": 1 + }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.3", "rule_name": "Persistence via Microsoft Office AddIns", @@ -7118,9 +7342,9 @@ "f772ec8a-e182-483c-91d2-72058f76a44c": { "min_stack_version": "8.3", "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "c61b6a72d80df0fd58791ed1d3826f037ed108533807e6817a707d013f73e4bd", + "sha256": "c58352df4a9adcf9259a2e3656fddae07215b10995a31acba7684366f084e0a9", "type": "query", - "version": 106 + "version": 107 }, "f7769104-e8f9-4931-94a2-68fc04eadec3": { "min_stack_version": "8.8", @@ -7188,9 +7412,9 @@ "f994964f-6fce-4d75-8e79-e16ccc412588": { "min_stack_version": "8.3", "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06", + "sha256": "248121396e46c80ff9a64d88848fd372e40eef61b3d43d31e6ef56a70477f392", "type": "query", - "version": 103 + "version": 104 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.3", @@ -7250,9 +7474,9 @@ "fbd44836-0d69-4004-a0b4-03c20370c435": { "min_stack_version": "8.3", "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "624fbf2987e46d010e6f19338b9a13acbd0fc5afb7c2704f7f5d076d82b9ced4", + "sha256": "e2cf9c3a12bd9ec52910d1a412e540d1f76113ddae474ae4fe22f81ed3aafb15", "type": "query", - "version": 103 + "version": 104 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "min_stack_version": "8.3", @@ -7282,11 +7506,20 @@ "version": 106 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 206, + "rule_name": "Svchost spawning Cmd", + "sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04", + "type": "eql", + "version": 107 + } + }, "rule_name": "Svchost spawning Cmd", - "sha256": "2be5bf0d0a6fe7332e43fa29c1f0701bd1ddd82b98458eb81fbd031b4190ff04", - "type": "eql", - "version": 107 + "sha256": "2cf4b3a4a92c5be889a51b4f1d51c3eab77327b7bf883a2a045d1571d8779e4b", + "type": "new_terms", + "version": 207 }, "fda1d332-5e08-4f27-8a9b-8c802e3292a6": { "min_stack_version": "8.3", @@ -7333,9 +7566,9 @@ "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { "min_stack_version": "8.3", "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "sha256": "93c635e72bde1b37f08db8fbaab71b57c830ec8a6d88f9d868cad5cae1d4c602", + "sha256": "be298496f5dc80a824431ca74dd636b027fd4a95e5b4cae739b13de1c3dfe055", "type": "query", - "version": 102 + "version": 103 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "min_stack_version": "8.6",