diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 8fb71559133..e165008a240 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.11,8.12,8.13,8.14,8.15,8.16' + default: '8.12,8.13,8.14,8.15,8.16,8.17' jobs: pr: diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py index 0df0fe10c99..69377a884c5 100644 --- a/detection_rules/devtools.py +++ b/detection_rules/devtools.py @@ -63,6 +63,8 @@ f'[![ATT&CK navigator coverage](https://img.shields.io/badge/ATT&CK-Navigator-red.svg)]({NAVIGATOR_URL})' ) RULES_CONFIG = parse_rules_config() +# The base package version that we will start to include all versions of historical rules +BASE_PKG_VERSION = Version(major=8, minor=17, patch=0) def get_github_token() -> Optional[str]: 
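Review bot: The comment above the new `BASE_PKG_VERSION` constant is hard to parse and does not say which side of the threshold gets the full history; I'd reword it to `# Release packages at or above this version ship every historical rule version; older packages keep only the latest version of each rule`. Since the comparison in `build_release` further down strips any pre-release tag before comparing, adding `# (compared against the package version with its pre-release suffix dropped)` here would spare readers a trip to that code. This assumes `Version` is already imported at the top of devtools.py, which this hunk does not show.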
@@ -124,7 +126,19 @@ def build_release(ctx: click.Context, config_file, update_version_lock: bool, ge registry_data['conditions']['kibana.version'].strip("^")) sde = SecurityDetectionEngine() historical_rules = sde.load_integration_assets(previous_pkg_version) - limited_historical_rules = sde.keep_latest_versions(historical_rules) + current_pkg_version = Version.parse(registry_data['version']) + # pre-release versions are not included in the version comparison + # Version 8.17.0-beta.1 is considered lower than 8.17.0 + current_pkg_version_no_prerelease = Version(major=current_pkg_version.major, + minor=current_pkg_version.minor, patch=current_pkg_version.patch) + if current_pkg_version_no_prerelease >= BASE_PKG_VERSION: + click.echo(f'[+] Adding all historical rule versions in our release package for version \ + {current_pkg_version_no_prerelease}') + limited_historical_rules = historical_rules + else: + click.echo(f'[+] Limit historical rule versions in our release package for version \ + {current_pkg_version_no_prerelease}') + limited_historical_rules = sde.keep_latest_versions(historical_rules) package.add_historical_rules(limited_historical_rules, registry_data['version']) click.echo(f'[+] Adding historical rules from {previous_pkg_version} package') diff --git a/detection_rules/etc/api_schemas/8.17/8.17.base.json b/detection_rules/etc/api_schemas/8.17/8.17.base.json new file mode 100644 index 00000000000..23138b13640 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.base.json 
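Review bot: The two `click.echo(f'... for version \` calls end the first physical line with a backslash inside the string literal, so the newline is dropped but the next line's indentation is kept, and the printed message will contain a long run of spaces between "version" and the version number. Implicit concatenation avoids that and keeps the line length: `click.echo('[+] Adding all historical rule versions in our release package for version '` followed by `f'{current_pkg_version_no_prerelease}')`, and the same shape for the "Limit historical rule versions" branch. Rebuilding the version from `major`/`minor`/`patch` works, but if `Version` is semver's class, `current_pkg_version.finalize_version()` expresses the intent (drop pre-release and build metadata) in one call; worth confirming against the import. `build_release` begins and ends outside this hunk.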
@@ -0,0 +1,412 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + 
"description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, 
+ "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + 
"required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.eql.json b/detection_rules/etc/api_schemas/8.17/8.17.eql.json new file mode 100644 index 00000000000..30f489eed55 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.eql.json 
@@ -0,0 +1,490 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + 
"interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + 
"minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { 
+ "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.esql.json b/detection_rules/etc/api_schemas/8.17/8.17.esql.json new file mode 100644 index 00000000000..b3e42f35b45 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.esql.json 
@@ -0,0 +1,478 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + 
"additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + 
"type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.machine_learning.json b/detection_rules/etc/api_schemas/8.17/8.17.machine_learning.json new file mode 100644 index 00000000000..7b1b42c2223 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.machine_learning.json 
@@ -0,0 +1,476 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": 
false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + 
"properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.new_terms.json b/detection_rules/etc/api_schemas/8.17/8.17.new_terms.json new file mode 100644 index 00000000000..c0d7d437f87 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.new_terms.json 
@@ -0,0 +1,533 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" 
+ }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + 
"additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ 
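Review bot: The `reference` patterns under `threat` leave the dots in `attack.mitre.org` unescaped (`^https://attack.mitre.org/tactics/TA[0-9]+/$` and the technique/subtechnique variants), so the regex accepts any character in those positions and a mistyped or lookalike host in a rule's ATT&CK reference still passes validation; the JSON-encoded fix is `"pattern": "^https://attack\\.mitre\\.org/tactics/TA[0-9]+/$"`, and the same escape applies to the `TechniqueURL` and `SubTechniqueURL` patterns. The identical patterns recur in 8.17.query.json, 8.17.threat_match.json and 8.17.threshold.json. The `"enumNames": []` entries suggest these files are generated from the project's schema definitions, in which case the escape belongs in the source definition so that regeneration carries it into every file. Separately, `risk_score` is described as `"MaxSignals"` while it carries a 1–100 range, which reads as a mislabelled type name worth correcting at that same source.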
No newline at end of file
diff --git a/detection_rules/etc/api_schemas/8.17/8.17.query.json b/detection_rules/etc/api_schemas/8.17/8.17.query.json
new file mode 100644
index 00000000000..408c8bbb9dd
--- /dev/null
+++ b/detection_rules/etc/api_schemas/8.17/8.17.query.json
@@ -0,0 +1,482 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + 
}, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + 
"additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.threat_match.json b/detection_rules/etc/api_schemas/8.17/8.17.threat_match.json new file mode 100644 index 00000000000..f10aa0d859e --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.threat_match.json 
@@ -0,0 +1,573 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "items_per_search": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + 
"min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + 
"description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.threshold.json b/detection_rules/etc/api_schemas/8.17/8.17.threshold.json new file mode 100644 index 00000000000..58469621412 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.threshold.json 
@@ -0,0 +1,508 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + } + }, + "required": [ + "duration" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + 
}, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", 
+ "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "field": { + "description": "CardinalityFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json index 7319f76f84f..0b5991536e8 100644 --- a/detection_rules/etc/attack-technique-redirects.json +++ b/detection_rules/etc/attack-technique-redirects.json @@ -132,5 +132,5 @@ "T1536": "T1578.004", "T1547.011": "T1647" }, - "saved_date": "Thu Nov 7 12:14:04 2024" + "saved_date": "Mon Dec 9 14:04:15 2024" } \ No newline at end of file 
diff --git a/detection_rules/etc/attack-v16.0.0.json.gz b/detection_rules/etc/attack-v16.0.0.json.gz
deleted file mode 100644
index 5f1975e50c4..00000000000
Binary files a/detection_rules/etc/attack-v16.0.0.json.gz and /dev/null differ
diff --git a/detection_rules/etc/attack-v16.1.0.json.gz b/detection_rules/etc/attack-v16.1.0.json.gz
new file mode 100644
index 00000000000..e54564e9cc5
Binary files /dev/null and b/detection_rules/etc/attack-v16.1.0.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz
index ce63796e567..9af8cc2f84d 100644
Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v8.16.1.json.gz b/detection_rules/etc/beats_schemas/v8.16.1.json.gz
new file mode 100644
index 00000000000..6a4eb8ccfe7
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v8.16.1.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz
index 905ff8cf971..2caceddfdc1 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz
index bcf5bf604d0..a12f1699bc2 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz
index cfa290a41d3..e55b43a6f05 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz
index 43c5e3bf75c..0ff8ab3f150 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz
index 0c0b37e4f42..be4d764da19 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
index 8e1acf49537..c82393ecea6 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
index 04070f9b941..13c43208077 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
index d0a18e4eec8..636d7e05c50 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index 046214be755..89a2995c50a 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index 8df9c52f0ad..a8ab3b1d957 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz
index 6fd71b5d619..eb5f0d3299c 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz
index bcfbaee40e3..6accc696764 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz
index ab12a418933..0ee8d7c7dda 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz
index 5eb6d4c2fbf..b0a7260d2b0 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index 0b9ca1bee9a..89fc4e8d780 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index 912bf6664bf..ae93e149b05 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index beca84ebdf8..668028e4707 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index d15510f8b8e..128bb4364a5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index 7fcc254d4b3..a6cb6faac39 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index a9785d3dc0c..eea2a180a7a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index c07dbbdf574..f9ee6296f56 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
index a0016d1dc4d..4bbd44f8f8c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
index 0ac20a7187c..74a914ebafc 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
index 08b8a7666f3..4c5bd969367 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
similarity index 99%
rename from detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz
rename to detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
index 477b3b2df78..5e2b335b792 100644
Binary files a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
new file mode 100644
index 00000000000..66873892357
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index 9e44e737182..2f470ec3048 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index 67e6d128f7e..a6fe8b2c9bf 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index 556c77d9c10..eb57e0496f3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index a85f08eb1da..162f15df116 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index aae0c046adc..a83426a711e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index 0a1dddcce31..1f1431f8397 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index 823292663e3..b71c3e3fc02 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index b53add1cec0..71da355a153 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index 67d79071621..dea732c4154 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index d19f713a226..be2e79f0020 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index 4e3f3e3fb25..1429268aef7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index 4eba2b019e0..3e79b4500d5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index afdf1bff9c6..b4721f3c061 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 37ff4d2c644..57f70a7b256 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index bf86b83bce0..64d8ac05cdb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index ce6a189ed87..f893a8f8f01 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index 09853480ddf..ff4e6ec0e5f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index 247dc05f2ca..1414b55a70e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index ddec8fa9d13..d78cbd8975d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index ee38260986c..8aae66e3896 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index 8fd6b016231..b6c87f8eec1 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index a8fd7e59c91..13681619cd9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index e2930c1287e..7c5a511a298 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index 4d39c36d8d0..12a7eee8c03 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index 72b3c8f78e0..42931dac2c4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index bfdb9783a72..8e71ea9eded 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index d44a31cf8c6..e1b1b5a27c9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index 35861963316..ce17fcaef19 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index 3a05cf4c4a4..2de2e9ba2a4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index 62ebcec021b..c1e3c63f2a3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index a19554c37ec..d263134c85d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index 60f6599f4d0..d92899978e9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index 7514023643a..47155a41f66 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
index 4abf68038ce..03093f6b411 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_9.0.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_9.0.0-dev/ecs_flat.json.gz
new file mode 100644
index 00000000000..43fa1b0eb21
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/master_9.0.0-dev/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 7f8628d00f9..3b8487dab15 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 26dccdd7a17..f0aea01d839 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/packages.yaml b/detection_rules/etc/packages.yaml index 7216e4b95bd..a72de41bf9a 100644 --- a/detection_rules/etc/packages.yaml +++ b/detection_rules/etc/packages.yaml @@ -3,7 +3,7 @@ package: maturity: - production log_deprecated: true - name: '8.17' + name: '8.18' registry_data: categories: - security @@ -12,7 +12,7 @@ package: capabilities: - security subscription: basic - kibana.version: ^8.17.0 + kibana.version: ^8.18.0 description: Prebuilt detection rules for Elastic Security format_version: 3.0.0 icons: @@ -27,5 +27,5 @@ package: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration - version: 8.17.0-beta.1 + version: 8.18.0-beta.1 release: true diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index 98032662917..a46104d8679 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -82,12 +82,12 @@ # ecs: "8.10.0" # endgame: "8.4.0" -## Supported +# "8.11.0": +# beats: "8.11.2" +# ecs: "8.11.0" +# endgame: "8.4.0" -"8.11.0": - beats: "8.11.2" - ecs: "8.11.0" - endgame: "8.4.0" +## Supported "8.12.0": beats: "8.12.2" @@ -110,11 +110,16 @@ endgame: "8.4.0" "8.16.0": - beats: "8.15.3" - ecs: "8.11.0" + beats: "8.16.1" + ecs: "8.16.0" endgame: "8.4.0" "8.17.0": - beats: "8.15.3" - ecs: "8.11.0" + beats: "8.16.1" + ecs: "8.16.0" + endgame: "8.4.0" + +"8.18.0": + beats: "8.16.1" + ecs: "8.16.0" endgame: "8.4.0" \ No newline at end of file diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 6731bd55b43..9ccf673985c 100644 --- a/detection_rules/etc/version.lock.json 
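Review bot: The rewritten 8.16.0 and 8.17.0 entries and the new 8.18.0 entry all point at `ecs: "8.16.0"`, but the only 8.16.0 ecs_flat blob in this commit arrives as a 99%-similar rename of `ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz` rather than a fresh file, so it is worth confirming it was regenerated from the ECS 8.16.0 release and not carried over from the dev snapshot — rules validated against a dev field set could reference fields that never shipped in 8.16. Every pre-existing `ecs_schemas/*/ecs_*.json.gz` blob also changes here although those ECS releases are immutable; if that is only gzip re-compression, writing the archives with a fixed mtime would keep schema refreshes reproducible and make a genuine content change stand out in review. The file still ends without a trailing newline (`\ No newline at end of file`); adding one after the final `endgame: "8.4.0"` would stop that line churning on every future version entry.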
+++ b/detection_rules/etc/version.lock.json @@ -1,24 +1,31 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 309, "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", + "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", "type": "query", "version": 210 + }, + "8.14": { + "max_allowable_version": 410, + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", + "type": "query", + "version": 311 } }, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a", "type": "query", - "version": 310 + "version": 411 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587", @@ -41,7 +48,7 @@ "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "System Shells via Services", "sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783", 
@@ -86,25 +93,25 @@ "version": 7 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", "type": "new_terms", - "version": 3 + "version": 104 } }, "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28", "type": "new_terms", - "version": 103 + "version": 204 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", @@ -118,20 +125,20 @@ "version": 207 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", "type": "new_terms", - "version": 3 + "version": 104 } }, "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e", "type": "new_terms", - "version": 103 + "version": 204 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", 
@@ -142,7 +149,7 @@ "02a4576a-7480-4284-9327-548a806b5e48": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", @@ -176,7 +183,7 @@ "035889c4-2686-4583-a7df-67f89c292f2c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "High Number of Process and/or Service Terminations", "sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1", @@ -234,7 +241,7 @@ "043d80a3-c49e-43ef-9c72-1088f0c7b278": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Potential Escalation via Vulnerable MSI Repair", "sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174", @@ -261,7 +268,6 @@ "version": 102 }, "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { - "min_stack_version": "8.12", "rule_name": "User Added to the Admin Group", "sha256": "018ed4ea49d89558cfa618d30dec9b266a2926894b75e434ede0254443d6bab9", "type": "eql", @@ -270,7 +276,7 @@ "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "e4bf9920903785a4d419c63645c7e09513aac5d799ecd7dbebd52664884af5e0", @@ -292,7 +298,7 @@ "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e", 
@@ -308,7 +314,7 @@ "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", @@ -343,7 +349,7 @@ "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Remote System Discovery Commands", "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", @@ -359,7 +365,7 @@ "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 109, "rule_name": "System Time Discovery", "sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261", @@ -381,7 +387,7 @@ "06a7a03c-c735-47a6-a313-51c354aef6c3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "826697069ae29aadaacdd84897a741e47446903296eba95adab0ba771cfdbe5a", @@ -404,7 +410,7 @@ "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Potential Evasion via Filter Manager", "sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1", @@ -420,7 +426,7 @@ "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "a22920bafaad8e23ba5d6eebfc838d200a2d39ff0987bc849ff03110e9fe7ba3", 
@@ -441,20 +447,20 @@ "version": 312 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 104, + "8.12": { + "max_allowable_version": 205, "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333", "type": "eql", - "version": 5 + "version": 106 } }, "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91", + "sha256": "d8a91efd007be1ed16d117fe17458c7361f18450b73e73083ee88ec02bf6d049", "type": "eql", - "version": 105 + "version": 206 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", @@ -465,7 +471,7 @@ "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d", @@ -512,7 +518,7 @@ "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "First Time Seen Removable Device", "sha256": "aec36fbd3822bf9e12b866c619574507647dfdec52725d3f77d00b7be3d4aaef", 
@@ -557,20 +563,20 @@ "version": 110 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "Member Removed From GitHub Organization", "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", "type": "eql", - "version": 3 + "version": 104 } }, "rule_name": "Member Removed From GitHub Organization", "sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7", "type": "eql", - "version": 103 + "version": 204 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", @@ -605,19 +611,12 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", - "type": "query", - "version": 6 - }, "8.12": { - "max_allowable_version": 207, + "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e", "type": "query", - "version": 108 + "version": 7 } }, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", @@ -634,7 +633,7 @@ "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Anomalous Windows Process Creation", "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c", 
@@ -650,7 +649,7 @@ "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "User account exposed to Kerberoasting", "sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0", @@ -712,7 +711,7 @@ "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Peripheral Device Discovery", "sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b", @@ -769,21 +768,28 @@ "type": "eql", "version": 111 }, + "0e1af929-42ed-4262-a846-55a7c54e7c84": { + "min_stack_version": "8.13", + "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", + "sha256": "b33e65a3ee076e720b9bdf2aa373dea700cfccd237404dd9f93cc4807700b15e", + "type": "esql", + "version": 1 + }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", "type": "new_terms", - "version": 3 + "version": 104 } }, "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce", "type": "new_terms", - "version": 103 + "version": 204 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "SharePoint Malware File Upload", @@ -800,7 +806,7 @@ "0e79980b-4250-4a50-a509-69294c14e84b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "MsBuild Making Network Connections", "sha256": "dde434b8d763db265a284e83d3a6b88cf8b88da05acec8a4ef9f325b9c2ec960", 
@@ -834,7 +840,7 @@ "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 309, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", @@ -880,7 +886,7 @@ "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "d2e9275f49d79f985078f90b204c71c5cc8da39f4545ee151878e99517456602", @@ -896,7 +902,7 @@ "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd", @@ -931,7 +937,7 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 113, "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2", @@ -947,7 +953,7 @@ "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.13", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967", @@ -975,7 +981,7 @@ "1224da6c-0326-4b4f-8454-68cdc5ae542b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a User", "sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b", 
@@ -1003,7 +1009,7 @@ "128468bf-cab1-4637-99ea-fdf3780a4609": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Lsass Process Access", "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", @@ -1031,7 +1037,7 @@ "12de29d4-bbb0-4eef-b687-857e8a163870": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", @@ -1054,7 +1060,7 @@ "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177", @@ -1077,7 +1083,7 @@ "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Persistence via Scheduled Job Creation", "sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29", @@ -1106,7 +1112,7 @@ "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", "sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7", @@ -1153,7 +1159,7 @@ "14dab405-5dd9-450c-8106-72951af2391f": { "min_stack_version": "8.13", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Office Test Registry Persistence", "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2", 
@@ -1175,7 +1181,7 @@ "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Potential Persistence via Time Provider Modification", "sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937", @@ -1196,20 +1202,27 @@ "version": 311 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e", "type": "new_terms", "version": 3 + }, + "8.14": { + "max_allowable_version": 203, + "rule_name": "Successful Application SSO from Rare Unknown Client Device", + "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e", + "type": "new_terms", + "version": 104 } }, "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b", "type": "new_terms", - "version": 103 + "version": 204 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", @@ -1226,7 +1239,7 @@ "15a8ba77-1c13-4274-88fe-6bd14133861e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Scheduled Task Execution at Scale via GPO", "sha256": "5a835be130b2d7d504bdf643f6c5b59025ee40eea781463a3ad0526d0dcdea26", @@ -1242,7 +1255,7 @@ "15c0b7a7-9c34-4869-b25b-fa6518414899": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Remote File Download via Desktopimgdownldr Utility", "sha256": "82b0a8a50a3ffeea555a5a4f4e12a8c825c7289a6d7e27a59e68bffc4c6d1863", 
@@ -1283,7 +1296,7 @@ "166727ab-6768-4e26-b80c-948b228ffc06": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "File Creation Time Changed", "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c", @@ -1317,7 +1330,7 @@ "16fac1a1-21ee-4ca6-b720-458e3855d046": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Startup/Logon Script added to Group Policy Object", "sha256": "30c1e02f8b5df888465f9f773cce6911948dbf981fe5e6478cf53dad158c8671", @@ -1346,7 +1359,7 @@ "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Unusual Windows Username", "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600", @@ -1362,7 +1375,7 @@ "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Service", "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55", @@ -1378,7 +1391,7 @@ "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Powershell Script", "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192", @@ -1394,7 +1407,7 @@ "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows User Privilege Elevation Activity", "sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251", 
@@ -1410,7 +1423,7 @@ "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Remote User", "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad", @@ -1432,7 +1445,7 @@ "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Renamed Utility Executed with Short Program Name", "sha256": "a898efb0f299871b59ba7adba9ad0da35c45be4f24097e4675a62d23663a67e7", @@ -1454,7 +1467,7 @@ "181f6b23-3799-445e-9589-0018328a9e46": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Script Execution via Microsoft HTML Application", "sha256": "8dcccb5d5071b3afa1eb7c8745394d66ab6fb8c1e33298891aea992e882930a5", @@ -1543,7 +1556,7 @@ "1a6075b0-7479-450e-8fe7-b8b8438ac570": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Execution of COM object via Xwizard", "sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be", @@ -1572,7 +1585,7 @@ "1aa9181a-492b-4c01-8b16-fa0735786b2b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "User Account Creation", "sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7", @@ -1624,9 +1637,9 @@ }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", + "sha256": "9b82cc17d19e29ee2cba453d4fb97352ab4f1e2f8ecfe3d9ae2471f5f842509d", "type": "query", - "version": 212 + "version": 213 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Suspicious File Creation in /etc for Persistence", 
@@ -1641,25 +1654,25 @@ "version": 102 }, "1ca62f14-4787-4913-b7af-df11745a49da": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "New GitHub App Installed", "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", "type": "eql", - "version": 3 + "version": 104 } }, "rule_name": "New GitHub App Installed", "sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec", "type": "eql", - "version": 103 + "version": 204 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Incoming Execution via WinRM Remote Shell", "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a", @@ -1673,25 +1686,32 @@ "version": 208 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e", "type": "query", "version": 5 + }, + "8.14": { + "max_allowable_version": 205, + "rule_name": "Okta Sign-In Events via Third-Party IdP", + "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e", + "type": "query", + "version": 106 } }, "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3", "type": "query", - "version": 105 + "version": 206 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Remote File Download via Script Interpreter", "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed", 
@@ -1719,7 +1739,7 @@ "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "PowerShell Script with Encryption/Decryption Capabilities", "sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344", @@ -1735,7 +1755,7 @@ "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "sha256": "7dd8220ed8a7e8190861088dcf735ec663fdc118c9226fe5a0cbd711ba56e81f", @@ -1764,7 +1784,7 @@ "1defdd62-cd8d-426e-a246-81a37751bb2b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Execution of File Written or Modified by PDF Reader", "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d", @@ -1786,19 +1806,12 @@ "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 105, - "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", - "type": "query", - "version": 6 - }, "8.12": { - "max_allowable_version": 208, + "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", "sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1", "type": "query", - "version": 109 + "version": 7 } }, "rule_name": "PowerShell Script with Discovery Capabilities", @@ -1815,7 +1828,7 @@ "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Creation of a DNS-Named Record", "sha256": "1b392cf50fd5083faedc5e84700d71550e9da1adcd4b2de26a285e88c8bf84e3", 
@@ -1831,7 +1844,7 @@ "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Creation of SettingContent-ms Files", "sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39", @@ -1845,20 +1858,20 @@ "version": 106 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", "type": "new_terms", - "version": 3 + "version": 104 } }, "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b", "type": "new_terms", - "version": 103 + "version": 204 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", @@ -1869,7 +1882,7 @@ "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 109, "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762", @@ -1892,7 +1905,7 @@ "1f460f12-a3cf-4105-9ebb-f788cc63f365": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Unusual Process Execution on WBEM Path", "sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8", 
@@ -1914,7 +1927,7 @@ "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Unusual Network Activity from a Windows System Binary", "sha256": "065d31dda5018a121026016d00d6c7245d1656c3ef25f36665984764f64a2e74", @@ -1936,7 +1949,7 @@ "201200f1-a99b-43fb-88ed-f65a45c4972c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious .NET Code Compilation", "sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0", @@ -1965,7 +1978,7 @@ "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Creation or Modification of Root Certificate", "sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332", @@ -2000,7 +2013,7 @@ "205b52c4-9c28-4af4-8979-935f3278d61a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Werfault ReflectDebugger Persistence", "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982", @@ -2023,7 +2036,7 @@ "208dbe77-01ed-4954-8d44-1e5751cb20de": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "LSASS Memory Dump Handle Access", "sha256": "13217b6a2a8a60bd16c88f972c5a154d41523241776c401344cd37421eaf13ef", @@ -2063,7 +2076,7 @@ "220be143-5c67-4fdb-b6ce-dd6826d024fd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Full User-Mode Dumps Enabled System-Wide", "sha256": "1cc91703e211a89bc8b1f0519649e4e3958193ad7f77cdd75d2aed5b9c6e1a1b", @@ -2125,7 +2138,7 @@ "version": 3 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.13": { "max_allowable_version": 102, 
@@ -2133,33 +2146,40 @@ "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", "type": "esql", "version": 3 + }, + "8.14": { + "max_allowable_version": 202, + "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", + "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "type": "esql", + "version": 103 } }, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", "type": "esql", - "version": 103 + "version": 203 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 104, + "8.12": { + "max_allowable_version": 205, "rule_name": "New GitHub Owner Added", "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", "type": "eql", - "version": 5 + "version": 106 } }, "rule_name": "New GitHub Owner Added", "sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6", "type": "eql", - "version": 105 + "version": 206 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Lateral Movement via Startup Folder", "sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381", @@ -2182,7 +2202,7 @@ "2553a9af-52a4-4a05-bb03-85b2a479a0a0": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Potential PowerShell HackTool Script by Author", "sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4", 
@@ -2214,20 +2234,27 @@ "version": 1 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "New Okta Authentication Behavior Detected", "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", "type": "query", "version": 5 + }, + "8.14": { + "max_allowable_version": 205, + "rule_name": "New Okta Authentication Behavior Detected", + "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", + "type": "query", + "version": 106 } }, "rule_name": "New Okta Authentication Behavior Detected", "sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76", "type": "query", - "version": 105 + "version": 206 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", @@ -2238,7 +2265,7 @@ "263481c8-1e9b-492e-912d-d1760707f810": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Potential Relay Attack against a Domain Controller", "sha256": "a6d31b2e82a80eb8609b1bb25461fd5d2588fdfba77a75c4df407666b1f6dce2", @@ -2260,7 +2287,7 @@ "265db8f5-fc73-4d0d-b434-6483b56372e2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Persistence via Update Orchestrator Service Hijack", "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800", @@ -2280,6 +2307,13 @@ "type": "eql", "version": 312 }, + "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { + "min_stack_version": "8.13", + "rule_name": "Unusual High Denied Topic Blocks Detected", + "sha256": "745f9961079e7134e24a8241e8b0dd9241739cd420c1904e1d1b3d479e86172d", + "type": "esql", + "version": 1 + }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "rule_name": "Potential Defense Evasion via Doas", "sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27", 
@@ -2301,7 +2335,7 @@ "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "min_stack_version": "8.13", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", "sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4", @@ -2317,19 +2351,12 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", - "type": "query", - "version": 5 - }, "8.12": { - "max_allowable_version": 207, + "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95", "type": "query", - "version": 108 + "version": 6 } }, "rule_name": "PowerShell Script with Archive Compression Capabilities", @@ -2352,7 +2379,7 @@ "2772264c-6fb9-4d9d-9014-b416eed21254": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Incoming Execution via PowerShell Remoting", "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b", @@ -2380,7 +2407,7 @@ "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 215, "rule_name": "Account Password Reset Remotely", "sha256": "dbf803fd05859ae76bda5f4e085129d4a5f840731285774dfae887a28a0e6799", @@ -2403,7 +2430,7 @@ "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Account Discovery Command via SYSTEM Account", "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397", 
@@ -2453,10 +2480,20 @@ "version": 6 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { + "min_stack_version": "8.16", + "previous": { + "8.12": { + "max_allowable_version": 104, + "rule_name": "Privilege Escalation via SUID/SGID", + "sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403", + "type": "eql", + "version": 5 + } + }, "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403", + "sha256": "3ad739db58620275cb4330a3cc329918aeae3bec457d3dff8ae127ef93ac05f7", "type": "eql", - "version": 3 + "version": 105 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation or Modification", @@ -2473,7 +2510,7 @@ "290aca65-e94d-403b-ba0f-62f320e63f51": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", "sha256": "5cfe971491ae9ff4d1d7dfd27691dc0cdebf5a8553599712008e0504e0d7cc4c", @@ -2496,7 +2533,7 @@ "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609", 
@@ -2519,19 +2556,12 @@ "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 310, - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", - "type": "new_terms", - "version": 211 - }, "8.12": { - "max_allowable_version": 414, + "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4", "type": "new_terms", - "version": 315 + "version": 212 } }, "rule_name": "Enumeration of Privileged Local Groups Membership", @@ -2540,20 +2570,27 @@ "version": 415 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", "type": "query", "version": 4 + }, + "8.14": { + "max_allowable_version": 204, + "rule_name": "New Okta Identity Provider (IdP) Added by Admin", + "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", + "type": "query", + "version": 105 } }, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211", "type": "query", - "version": 104 + "version": 205 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", @@ -2588,7 +2625,7 @@ "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Adobe Hijack Persistence", "sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe", 
@@ -2611,7 +2648,7 @@ "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Windows Defender Exclusions Added via PowerShell", "sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1", @@ -2634,7 +2671,7 @@ "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", "sha256": "afff98a0b90a5aae640601eba5921162ce7572b6838da100bc6c1a0be27e6f22", @@ -2650,7 +2687,7 @@ "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Potential Foxmail Exploitation", "sha256": "a4f0739152df6e638b21a5eac1cc7cf12b94d145b6cccfb04e27fdce391b2f91", @@ -2673,7 +2710,7 @@ "2d62889e-e758-4c5e-b57e-c735914ee32a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious PowerShell Execution via Windows Scripts", "sha256": "809e425e3a5be9a9800b6d14b48f314124436ff849b26df4baf4ff68b0da5cbf", @@ -2702,7 +2739,7 @@ "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 310, "rule_name": "Suspicious Process Access via Direct System Call", "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328", @@ -2730,7 +2767,7 @@ "2de87d72-ee0c-43e2-b975-5f0b029ac600": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Wireless Credential Dumping using Netsh Command", "sha256": "7e5b7e7f86dcf4fbb6d5372775029f3abd32e945f33ed157e27d84917858b727", 
@@ -2753,7 +2790,7 @@ "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Renamed AutoIt Scripts Interpreter", "sha256": "c9fca874ba0aea66a0b05cce3eff5be4bec6fd71adbcdabb89b538dfe2294d8b", @@ -2769,7 +2806,7 @@ "2e29e96a-b67c-455a-afe4-de6183431d0d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Potential Process Injection via PowerShell", "sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029", @@ -2785,7 +2822,7 @@ "2e311539-cd88-4a85-a301-04f38795007c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Accessing Outlook Data Files", "sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473", @@ -2799,9 +2836,9 @@ "version": 105 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Okta User Sessions Started from Different Geolocations", "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", @@ -2814,12 +2851,19 @@ "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", "type": "esql", "version": 103 + }, + "8.14": { + "max_allowable_version": 302, + "rule_name": "Okta User Sessions Started from Different Geolocations", + "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "type": "esql", + "version": 203 } }, "rule_name": "Okta User Sessions Started from Different Geolocations", "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", "type": "esql", - "version": 203 + "version": 303 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", 
@@ -2830,7 +2874,7 @@ "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Creation of a Hidden Local User Account", "sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478", @@ -2859,7 +2903,7 @@ "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652", @@ -2893,7 +2937,7 @@ "2ffa1f1e-b6db-47fa-994b-1512743847eb": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 214, "rule_name": "Windows Defender Disabled via Registry Modification", "sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b", @@ -2957,7 +3001,7 @@ "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Bypass UAC via Event Viewer", "sha256": "6803ee7c44e816c648b5cb1c7638f63b9a8952d06dc27673a10931537edcc6c7", @@ -2983,6 +3027,13 @@ "type": "query", "version": 104 }, + "3216949c-9300-4c53-b57a-221e364c6457": { + "min_stack_version": "8.13", + "rule_name": "Unusual High Word Policy Blocks Detected", + "sha256": "e60e73464e34fc8b533162ec135fadf0b5dcfc463f310236241febc2eb032c17", + "type": "esql", + "version": 1 + }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", "sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e", @@ -3004,7 +3055,7 @@ "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Program Files Directory Masquerading", "sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef", 
@@ -3033,7 +3084,7 @@ "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious MS Outlook Child Process", "sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172", @@ -3084,20 +3135,20 @@ "version": 1 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 101, + "8.12": { + "max_allowable_version": 202, "rule_name": "GitHub Repository Deleted", - "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", + "sha256": "660476227e525d314ca01414cb724faceba46253e12dc63cc24f8ed8e5014fd5", "type": "eql", - "version": 2 + "version": 103 } }, "rule_name": "GitHub Repository Deleted", - "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", + "sha256": "31dfbf633245e9bf0fa40429d05f942caf186ed52c457ed58d90fd309dba218b", "type": "eql", - "version": 102 + "version": 203 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", @@ -3120,7 +3171,7 @@ "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Port Forwarding Rule Addition", "sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d", @@ -3156,7 +3207,7 @@ "35df0dd8-092d-4a83-88c1-5151a804f31b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Unusual Parent-Child Relationship", "sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0", 
@@ -3197,7 +3248,7 @@ "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious ImagePath Service Creation", "sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb", @@ -3260,25 +3311,32 @@ "version": 206 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 309, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", "type": "query", "version": 210 + }, + "8.14": { + "max_allowable_version": 410, + "rule_name": "Attempted Bypass of Okta MFA", + "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", + "type": "query", + "version": 311 } }, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146", "type": "query", - "version": 310 + "version": 411 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 214, "rule_name": "Network Connection via Certutil", "sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be", @@ -3336,7 +3394,7 @@ "397945f3-d39a-4e6f-8bcb-9656c2031438": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Persistence via Microsoft Outlook VBA", "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3", @@ -3365,7 +3423,7 @@ "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "6000c31bea360c0d9b1d37463b62aaa348ae174cd150d753a365830bfab75447", 
@@ -3394,7 +3452,7 @@ "3a657da0-1df2-11ef-a327-f661ea17fbcc": { "min_stack_version": "8.13", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Rapid7 Threat Command CVEs Correlation", "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1", @@ -3426,20 +3484,20 @@ "version": 103 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", "type": "new_terms", - "version": 3 + "version": 104 } }, "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54", "type": "new_terms", - "version": 103 + "version": 204 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", @@ -3450,7 +3508,7 @@ "3b47900d-e793-49e8-968f-c90dc3526aa1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b", @@ -3473,7 +3531,7 @@ "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "NTDS or SAM Database File Copied", "sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686", @@ -3502,7 +3560,7 @@ "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "ScreenConnect Server Spawning Suspicious Processes", "sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86", 
@@ -3525,19 +3583,12 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", - "type": "query", - "version": 5 - }, "8.12": { - "max_allowable_version": 207, + "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972", "type": "query", - "version": 108 + "version": 6 } }, "rule_name": "PowerShell Script with Log Clear Capabilities", @@ -3566,7 +3617,7 @@ "3e0eeb75-16e8-4f2f-9826-62461ca128b7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Execution via Windows Subsystem for Linux", "sha256": "8a6f3d4d6d2ab609c03f95537b72d713e9810f920db111edecb52d9d38d8f6de", @@ -3607,7 +3658,7 @@ "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Privilege Escalation via Named Pipe Impersonation", "sha256": "07b7a1afa550e1df6cbbf323c40b3819f4f1cdbd327efeabd9ad0efac059d864", @@ -3630,7 +3681,7 @@ "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Suspicious Process Creation CallTrace", "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927", @@ -3688,7 +3739,7 @@ "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a User", "sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134", 
@@ -3702,25 +3753,25 @@ "version": 107 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "GitHub User Blocked From Organization", "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", "type": "eql", - "version": 3 + "version": 104 } }, "rule_name": "GitHub User Blocked From Organization", "sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e", "type": "eql", - "version": 103 + "version": 204 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Unusual Persistence via Services Registry", "sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a", @@ -3755,7 +3806,7 @@ "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Control Panel Process with Unusual Arguments", "sha256": "0ec964d19b677c5a3602725e1d6954220c23d9d952c16ff1b6da2eea29a44e72", @@ -3776,20 +3827,20 @@ "version": 313 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", "type": "new_terms", - "version": 3 + "version": 104 } }, "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952", "type": "new_terms", - "version": 103 + "version": 204 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "EggShell Backdoor Execution", 
@@ -3823,25 +3874,32 @@ "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 310, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8", "type": "threshold", "version": 211 + }, + "8.14": { + "max_allowable_version": 411, + "rule_name": "Okta Brute Force or Password Spraying Attack", + "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8", + "type": "threshold", + "version": 312 } }, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669", "type": "threshold", - "version": 311 + "version": 412 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 109, "rule_name": "Process Creation via Secondary Logon", "sha256": "525c2144bf947ec8f46831b5237798e93320e6a3b2913ac51d2c48ec4c21c257", @@ -3875,7 +3933,7 @@ "440e2db4-bc7f-4c96-a068-65b78da59bde": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Startup Persistence by a Suspicious Process", "sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77", @@ -3898,7 +3956,7 @@ "445a342e-03fb-42d0-8656-0367eb2dead5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Unusual Windows Path Activity", "sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94", @@ -3920,7 +3978,7 @@ "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 110, "rule_name": "Multiple Vault Web Credentials Read", "sha256": "c1d407b17617d847a235c98e3d883e34fbac8e998edb79f15b1691b8a196691a", 
@@ -3954,7 +4012,7 @@ "45ac4800-840f-414c-b221-53dd36a5aaf7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Windows Event Logs Cleared", "sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27", @@ -3970,7 +4028,7 @@ "45d273fb-1dca-457d-9855-bcb302180c21": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Encrypting Files with WinRar or 7z", "sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060", @@ -3986,7 +4044,7 @@ "4630d948-40d4-4cef-ac69-4002e29bc3db": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "7a07d3a3c11d1364d2b213517c43cc9fab8aab4adc8c2f3595c4bedba3f5765f", @@ -4009,7 +4067,7 @@ "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e", @@ -4056,7 +4114,7 @@ "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40", @@ -4084,7 +4142,7 @@ "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "e00daf78742e5d25f05f11ec86efbda6a185e2b45e5738e6abd73e6795530c1f", 
@@ -4119,7 +4177,7 @@ "48b6edfc-079d-4907-b43c-baffa243270d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 109, "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "36369b787180e53e8d9a0921e177975ce33ac03e4c3e101837cc43faa0aba56f", @@ -4177,7 +4235,7 @@ "4982ac3e-d0ee-4818-b95d-d9522d689259": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Process Discovery Using Built-in Tools", "sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1", @@ -4217,7 +4275,7 @@ "4b438734-3793-4fda-bd42-ceeada0be8f9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "d18f0d4efc2ad5ade11890ab3e5f0a54d4521162528adffcd92bd7c037fb44de", @@ -4258,7 +4316,7 @@ "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", @@ -4281,7 +4339,7 @@ "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 110, "rule_name": "PowerShell Share Enumeration Script", "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", @@ -4315,7 +4373,7 @@ "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "fb9bb254f0e60ed51d8d4e297aad53df545a43f086e4549a1c1f54743463a299", 
@@ -4338,7 +4396,7 @@ "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 110, "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "bf31596123965d48e9aa656e0e935a6038395a1f7aa60a94aca3e18d72b79dc8", @@ -4360,7 +4418,7 @@ "4ed493fc-d637-4a36-80ff-ac84937e5461": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "759a649928bcc0a0a2cfa9af0084ced15bad00665e20e163f96e50d748c6cf97", @@ -4383,7 +4441,7 @@ "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Script Object Execution", "sha256": "ff51979abf90a96b0ab21324887f4c1b54fce14ba48a37fa78f1350865e6b77f", 
@@ -4397,32 +4455,39 @@ "version": 209 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", "type": "query", - "version": 209 + "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Unauthorized Access to an Okta Application", + "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", + "type": "query", + "version": 310 } }, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd", "type": "query", - "version": 309 + "version": 410 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "min_stack_version": "8.13", - "rule_name": "Unusual High Confidence Misconduct Blocks Detected", - "sha256": "273e5740f1d9e333cd6a22cd396b698234240feab6dba79c175c790fdf183ccc", + "rule_name": "Unusual High Confidence Content Filter Blocks Detected", + "sha256": "b7158a40dd8e99134d485c6d09a2aebc63453ffe622fb446d43f1f4d20247a0e", "type": "esql", - "version": 4 + "version": 5 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Execution via TSClient Mountpoint", "sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2", 
@@ -4443,20 +4508,27 @@ "version": 313 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", "type": "threshold", "version": 5 + }, + "8.14": { + "max_allowable_version": 205, + "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", + "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", + "type": "threshold", + "version": 106 } }, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408", "type": "threshold", - "version": 105 + "version": 206 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", @@ -4467,7 +4539,7 @@ "51176ed2-2d90-49f2-9f3d-17196428b169": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Windows System Information Discovery", "sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155", @@ -4489,7 +4561,7 @@ "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Registry Persistence via AppCert DLL", "sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d", @@ -4524,7 +4596,7 @@ "5188c68e-d3de-4e96-994d-9e242269446f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Service DACL Modification via sc.exe", "sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d", 
@@ -4553,7 +4625,7 @@ "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", @@ -4593,7 +4665,7 @@ "52aaab7b-b51c-441a-89ce-4387b3aea886": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", @@ -4657,7 +4729,7 @@ "53a26770-9cbd-40c5-8b57-61d01a325e14": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious PDF Reader Child Process", "sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12", @@ -4680,7 +4752,7 @@ "53dedd83-1be7-430f-8026-363256395c8b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b", @@ -4696,7 +4768,7 @@ "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Uncommon Registry Persistence Change", "sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a", 
@@ -4712,19 +4784,12 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", - "type": "query", - "version": 8 - }, "8.12": { - "max_allowable_version": 209, + "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74", "type": "query", - "version": 110 + "version": 9 } }, "rule_name": "Exchange Mailbox Export via PowerShell", @@ -4735,7 +4800,7 @@ "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Network Logon Provider Registry Modification", "sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698", @@ -4751,7 +4816,7 @@ "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347", @@ -4767,7 +4832,7 @@ "55d551c6-333b-4665-ab7e-5d14a59715ce": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "PsExec Network Connection", "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", @@ -4789,7 +4854,7 @@ "56004189-4e69-4a39-b4a9-195329d226e9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a Host", "sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098", 
@@ -4803,25 +4868,32 @@ "version": 107 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", "type": "eql", "version": 4 + }, + "8.14": { + "max_allowable_version": 204, + "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", + "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", + "type": "eql", + "version": 105 } }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00", "type": "eql", - "version": 104 + "version": 205 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7", @@ -4855,19 +4927,12 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 209, - "rule_name": "PowerShell PSReflect Script", - "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", - "type": "query", - "version": 110 - }, "8.12": { - "max_allowable_version": 312, + "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", "sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d", "type": "query", - "version": 213 + "version": 111 } }, "rule_name": "PowerShell PSReflect Script", 
@@ -4902,7 +4967,7 @@ "577ec21e-56fe-4065-91d8-45eb8224fe77": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell MiniDump Script", "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", @@ -4918,7 +4983,7 @@ "57bccf1d-daf5-4e1a-9049-ff79b5254704": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb", @@ -4934,7 +4999,7 @@ "57bfa0a9-37c0-44d6-b724-54bf16787492": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "DNS Global Query Block List Modified or Disabled", "sha256": "fbf28db5104a48b0e0d2f1bab198d6d68917d37647526eb57c33227ecca28773", @@ -4957,7 +5022,7 @@ "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "26f2805142740943d3a337737f94aa2adb368dc09f37ec38fe749edf716118e2", @@ -4980,7 +5045,7 @@ "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "RDP Enabled via Registry", "sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1", @@ -5051,7 +5116,7 @@ "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", 
@@ -5098,7 +5163,7 @@ "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", @@ -5145,7 +5210,7 @@ "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "f8b5d6b8dcd9ba7c0a8a5e3c777145a5ab964529eb766fbf5cab16a47349ead2", @@ -5180,7 +5245,7 @@ "5c602cba-ae00-4488-845d-24de2b6d8055": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", @@ -5196,7 +5261,7 @@ "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 112, "rule_name": "FirstTime Seen Account Performing DCSync", "sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106", @@ -5236,7 +5301,7 @@ "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80", @@ -5252,7 +5317,7 @@ "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "User Added to Privileged Group", "sha256": "d38fab04d93fbbb1473131509d9b6cd0bd610885369860d4fbc428e46abb34de", 
@@ -5268,7 +5333,7 @@ "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Persistence via PowerShell profile", "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", @@ -5297,7 +5362,7 @@ "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75", @@ -5313,7 +5378,7 @@ "5d676480-9655-4507-adc6-4eec311efff8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Unsigned DLL loaded by DNS Service", "sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7", @@ -5366,7 +5431,7 @@ "5f2f463e-6997-478c-8405-fb41cc283281": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Potential File Download via a Headless Browser", "sha256": "07bc7d436acd1fee6bb5095ececc82cea05e2662cc4170c6c4101acad12bd670", @@ -5413,7 +5478,7 @@ "610949a1-312f-4e04-bb55-3a79b8c95267": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Unusual Process Network Connection", "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", 
@@ -5427,25 +5492,25 @@ "version": 208 }, "61336fe6-c043-4743-ab6e-41292f439603": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "New User Added To GitHub Organization", "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", "type": "eql", - "version": 3 + "version": 104 } }, "rule_name": "New User Added To GitHub Organization", "sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4", "type": "eql", - "version": 103 + "version": 204 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Interactive Logon by an Unusual Process", "sha256": "bf2b28b3ee264bd7593059a42fb95b93b34b79c0296e85ea353384200ca44764", @@ -5461,19 +5526,12 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 212, - "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", - "type": "query", - "version": 113 - }, "8.12": { - "max_allowable_version": 315, + "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8", "type": "query", - "version": 216 + "version": 114 } }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", @@ -5490,7 +5548,7 @@ "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "61e5e9cb9893a7e21a7314d6953f624a9d9e7e05e283ac34d508735fddcf87b7", 
@@ -5504,25 +5562,32 @@ "version": 212 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", "type": "threshold", "version": 5 + }, + "8.14": { + "max_allowable_version": 205, + "rule_name": "Multiple Okta Sessions Detected for a Single User", + "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", + "type": "threshold", + "version": 106 } }, "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff", "type": "threshold", - "version": 105 + "version": 206 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", @@ -5544,7 +5609,7 @@ "62a70f6f-3c37-43df-a556-f64fa475fba2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Account Configured with Never-Expiring Password", "sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62", @@ -5596,7 +5661,7 @@ "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Network Connection via Signed Binary", "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", 
@@ -5642,7 +5707,7 @@ "65432f4a-e716-4cc1-ab11-931c4966da2d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "MsiExec Service Child Process With Network Connection", "sha256": "861bc19c8f4196effc1ddc59a6929d979c132b0e3a3507da3f10ac1d760a1287", @@ -5681,25 +5746,32 @@ "version": 6 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", "type": "new_terms", "version": 4 + }, + "8.14": { + "max_allowable_version": 204, + "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", + "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", + "type": "new_terms", + "version": 105 } }, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d", "type": "new_terms", - "version": 104 + "version": 205 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "WebServer Access Logs Deleted", "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", @@ -5739,7 +5811,7 @@ "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 112, "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804", 
@@ -5753,20 +5825,27 @@ "version": 113 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876", "type": "query", - "version": 309 + "version": 410 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "O365 Mailbox Audit Logging Bypass", @@ -5775,20 +5854,27 @@ "version": 206 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7", "type": "query", - "version": 309 + "version": 410 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", 
@@ -5811,7 +5897,7 @@ "6839c821-011d-43bd-bd5b-acff00257226": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Image File Execution Options Injection", "sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3", @@ -5838,25 +5924,32 @@ "version": 207 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Okta ThreatInsight Threat Suspected Promotion", + "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", + "type": "query", + "version": 309 } }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac", "type": "query", - "version": 308 + "version": 409 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "aea25737ded0865363c221c0d1752131a0e908cbb4968ff2138d90d22cb790f1", @@ -5885,7 +5978,7 @@ "689b9d57-e4d5-4357-ad17-9c334609d79a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07", @@ -5907,7 +6000,7 @@ "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef", 
@@ -5929,7 +6022,7 @@ "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "e54698612562724862eabf289b6a0256473aa6af882b84aa9a4fdc520b15c22e", @@ -5951,9 +6044,9 @@ "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "min_stack_version": "8.13", "rule_name": "AWS IAM User Created Access Keys For Another User", - "sha256": "0007bd73ca11b0b6f5300662fa4863050840bc67ef764048a14b63a4a6e1c038", + "sha256": "c0b79735104a736c418ffcbe21e0292334ad5d5ed9c425c75d5d0aaad52463f0", "type": "esql", - "version": 4 + "version": 5 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", @@ -5970,7 +6063,7 @@ "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Modification of Boot Configuration", "sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672", @@ -6011,7 +6104,7 @@ "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", @@ -6034,7 +6127,7 @@ "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a", @@ -6069,7 +6162,7 @@ "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "a51928cc4f489accb73c5623006f11d187ddfced85856c1753810c11a3e6ad96", 
@@ -6091,7 +6184,7 @@ "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", @@ -6112,25 +6205,25 @@ "version": 308 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "GitHub Repo Created", "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", "type": "eql", - "version": 3 + "version": 104 } }, "rule_name": "GitHub Repo Created", "sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126", "type": "eql", - "version": 103 + "version": 204 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Process For a Windows Host", "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203", @@ -6158,7 +6251,7 @@ "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", "sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6", @@ -6174,7 +6267,7 @@ "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Anomalous Process For a Windows Population", "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623", 
@@ -6190,7 +6283,7 @@ "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "AdminSDHolder Backdoor", "sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe", @@ -6212,7 +6305,7 @@ "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Potential Windows Error Manager Masquerading", "sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75", @@ -6228,7 +6321,7 @@ "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Security Software Discovery using WMIC", "sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31", @@ -6256,7 +6349,7 @@ "6f024bde-7085-489b-8250-5957efdf1caf": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Active Directory Group Modification by SYSTEM", "sha256": "2ee2291d359018227fac96405ae5bd6ac5dba317d4dc3822fa5bd4382a4dddce", 
@@ -6276,20 +6369,27 @@ "version": 100 }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", "type": "new_terms", "version": 4 + }, + "8.14": { + "max_allowable_version": 204, + "rule_name": "First Occurrence of Okta User Session Started via Proxy", + "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", + "type": "new_terms", + "version": 105 } }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9", "type": "new_terms", - "version": 104 + "version": 205 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", @@ -6318,7 +6418,7 @@ "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27", @@ -6358,7 +6458,7 @@ "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 214, "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297", @@ -6381,7 +6481,7 @@ "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8", 
@@ -6420,20 +6520,27 @@ "version": 3 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff", "type": "query", - "version": 309 + "version": 410 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", @@ -6450,7 +6557,7 @@ "730ed57d-ae0f-444f-af50-78708b57edd5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "54016ee23f49287a4fae596a255b45db62a996943f8881ff1dfb1fd2fb8920e7", @@ -6485,7 +6592,7 @@ "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "d92a7d07cb5e81322f02fb2a7166dbdd70da750fa76141da1b95cb31663d9448", @@ -6556,7 +6663,7 @@ "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 111, "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": "77281c68463fbc2c835a7a2749c534aa6aec79a75e0597d4199b96137ca5e191", 
@@ -6578,7 +6685,7 @@ "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", @@ -6600,7 +6707,7 @@ "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a", @@ -6623,7 +6730,7 @@ "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "817ef65a6a910511dbe215f836ed060a2efe5a05e206abf2224a2480ce861487", @@ -6694,7 +6801,7 @@ "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446", @@ -6753,7 +6860,7 @@ "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Potential File Transfer via Certreq", "sha256": "0fa34695e7e58ab411a32781540d80e8b93e9a6162cc9ceaa18a072942d6e319", @@ -6776,7 +6883,7 @@ "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e", 
@@ -6828,7 +6935,7 @@ "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Windows Network Enumeration", "sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486", @@ -6850,7 +6957,7 @@ "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", @@ -6920,20 +7027,13 @@ "7e23dfef-da2c-4d64-b11d-5f285b638853": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Microsoft Management Console File from Unusual Path", "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", "type": "eql", "version": 4 }, - "8.12": { - "max_allowable_version": 203, - "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", - "type": "eql", - "version": 105 - }, "8.13": { "max_allowable_version": 304, "rule_name": "Microsoft Management Console File from Unusual Path", @@ -6956,7 +7056,7 @@ "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", @@ -7003,7 +7103,7 @@ "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Potential PowerShell Obfuscated Script", "sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5", 
@@ -7025,7 +7125,7 @@ "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059", @@ -7059,7 +7159,7 @@ "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc", @@ -7088,19 +7188,12 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 210, - "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", - "type": "query", - "version": 111 - }, "8.12": { - "max_allowable_version": 313, + "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5", "type": "query", - "version": 214 + "version": 112 } }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", @@ -7111,7 +7204,7 @@ "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Temporarily Scheduled Task Creation", "sha256": "4162c0f3ecc6a4c881309a1c579888218ab3995f564f72409e538076f2e26c78", @@ -7151,7 +7244,7 @@ "83bf249e-4348-47ba-9741-1202a09556ad": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious Windows Powershell Arguments", "sha256": "67fac684b46bd0e1e592ed5fb64523fe9b1b6c8bbf695fa5a8c2ca93c45ebeff", 
@@ -7186,7 +7279,7 @@ "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Microsoft Exchange Transport Agent Install Script", "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", @@ -7214,7 +7307,7 @@ "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "edbf1332772ff82f1ca2598dd8a01f2db70fbc0b0fc319db2140d545aeb1a4f0", @@ -7272,7 +7365,7 @@ "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Enumeration of Administrator Accounts", "sha256": "043665e2ef98b00727f9e07b55549bee2d56066daf42ca2553e2b1bfa8aaf20e", @@ -7330,7 +7423,7 @@ "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", @@ -7346,7 +7439,7 @@ "894326d2-56c0-4342-b553-4abfaf421b5b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", "sha256": "7c29cdef0a6ebeafbe4e910b112d583288fc53752af7e0be673133e731c7b6ed", @@ -7368,7 +7461,7 @@ "897dc6b5-b39f-432a-8d75-d3730d50c782": { "min_stack_version": "8.13", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", 
@@ -7384,7 +7477,7 @@ "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Command Prompt Network Connection", "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", @@ -7410,36 +7503,43 @@ "version": 6 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", "type": "eql", "version": 6 + }, + "8.14": { + "max_allowable_version": 206, + "rule_name": "Potential Okta MFA Bombing via Push Notifications", + "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", + "type": "eql", + "version": 107 } }, "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d", "type": "eql", - "version": 106 + "version": 207 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "GitHub PAT Access Revoked", "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", "type": "eql", - "version": 3 + "version": 104 } }, "rule_name": "GitHub PAT Access Revoked", "sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5", "type": "eql", - "version": 103 + "version": 204 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", 
@@ -7450,7 +7550,7 @@ "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", @@ -7464,20 +7564,27 @@ "version": 208 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3", "type": "query", - "version": 309 + "version": 410 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", @@ -7494,7 +7601,7 @@ "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0", @@ -7517,7 +7624,7 @@ "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d", 
@@ -7552,7 +7659,7 @@ "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Child Process of dns.exe", "sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460", @@ -7623,7 +7730,7 @@ "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Potential WSUS Abuse for Lateral Movement", "sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3", @@ -7652,7 +7759,7 @@ "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Bitsadmin Activity", "sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e", @@ -7668,7 +7775,7 @@ "8f242ffb-b191-4803-90ec-0f19942e17fd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "69eda3393bec929f1158fe872d2aac7cd1fb162a851c342ba041fa666a8a09b7", @@ -7690,7 +7797,7 @@ "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", @@ -7736,7 +7843,7 @@ "90babaa8-5216-4568-992d-d4a01a105d98": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "InstallUtil Activity", "sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f", 
@@ -7786,27 +7893,30 @@ "version": 104 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { + "min_stack_version": "8.13", + "previous": { + "8.12": { + "max_allowable_version": 100, + "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", + "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", + "type": "threshold", + "version": 1 + } + }, "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", "sha256": "dfae7535f5caafed8358bc16a68a6a501122ec05eae29c1f291da2416cad5ca9", "type": "threshold", - "version": 1 + "version": 101 }, "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 107, - "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", - "type": "query", - "version": 8 - }, "8.12": { - "max_allowable_version": 209, + "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f", "type": "query", - "version": 110 + "version": 9 } }, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", @@ -7817,7 +7927,7 @@ "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "A scheduled task was created", "sha256": "51fc451b7a928144398a72653372d93f57fc18535dfb3a3667e6e7c3ec10f052", @@ -7833,7 +7943,7 @@ "92d3a04e-6487-4b62-892d-70e640a590dc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "4c1a9ea8c710b1e04ca1f0f4c3ded936d6b02249faca0a7424388c37e4c3782e", 
@@ -7867,7 +7977,7 @@ "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.13", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious SolarWinds Child Process", "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", @@ -7883,7 +7993,7 @@ "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Encoded Executable Stored in the Registry", "sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4", @@ -7930,7 +8040,7 @@ "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1", @@ -7951,7 +8061,7 @@ "version": 210 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.13": { "max_allowable_version": 102, @@ -7959,12 +8069,19 @@ "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", "type": "esql", "version": 3 + }, + "8.14": { + "max_allowable_version": 202, + "rule_name": "Multiple Okta User Authentication Events with Client Address", + "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "type": "esql", + "version": 103 } }, "rule_name": "Multiple Okta User Authentication Events with Client Address", "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", "type": "esql", - "version": 103 + "version": 203 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", 
@@ -7975,7 +8092,7 @@ "951779c2-82ad-4a6c-82b8-296c1f691449": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897", @@ -7991,7 +8108,7 @@ "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Remote Scheduled Task Creation", "sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8", @@ -8007,7 +8124,7 @@ "959a7353-1129-4aa7-9084-30746b256a70": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", @@ -8021,7 +8138,7 @@ "version": 210 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { "8.13": { "max_allowable_version": 102, @@ -8029,12 +8146,19 @@ "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", "type": "esql", "version": 3 + }, + "8.14": { + "max_allowable_version": 202, + "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", + "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "type": "esql", + "version": 103 } }, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", "type": "esql", - "version": 103 + "version": 203 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", 
@@ -8055,20 +8179,27 @@ "version": 112 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Attempt to Create Okta API Token", "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Attempt to Create Okta API Token", + "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", + "type": "query", + "version": 309 } }, "rule_name": "Attempt to Create Okta API Token", "sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19", "type": "query", - "version": 308 + "version": 409 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", @@ -8085,7 +8216,7 @@ "97020e61-e591-4191-8a3b-2861a2b887cd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "59ac20ddf0ad6c973682600530ec32145c00eecd4dadbd7760ff440d6eaee57c", 
@@ -8123,25 +8254,32 @@ "version": 207 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 311, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", "type": "eql", "version": 212 + }, + "8.14": { + "max_allowable_version": 412, + "rule_name": "Potentially Successful MFA Bombing via Push Notifications", + "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", + "type": "eql", + "version": 313 } }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286", "type": "eql", - "version": 312 + "version": 413 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious Zoom Child Process", "sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea", @@ -8206,7 +8344,7 @@ "98843d35-645e-4e66-9d6a-5049acd96ce1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc", @@ -8252,7 +8390,7 @@ "994e40aa-8c85-43de-825e-15f665375ee8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 109, "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3", 
@@ -8268,7 +8406,7 @@ "9960432d-9b26-409f-972b-839a959e79e2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 309, "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3", @@ -8320,7 +8458,7 @@ "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Explorer Child Process", "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", @@ -8343,7 +8481,7 @@ "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88", @@ -8371,25 +8509,25 @@ "version": 4 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 104, + "8.12": { + "max_allowable_version": 205, "rule_name": "GitHub Owner Role Granted To User", "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", "type": "eql", - "version": 5 + "version": 106 } }, "rule_name": "GitHub Owner Role Granted To User", "sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68", "type": "eql", - "version": 105 + "version": 206 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Persistence via WMI Event Subscription", "sha256": "f84d0750e79c7e23c031d4418102d9813c8bf40cf0c1c297bb68b2e68ecd6662", 
@@ -8418,7 +8556,7 @@ "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Hosts File Modified", "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", @@ -8440,7 +8578,7 @@ "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "247721b2ad4e7f9a94e9bbd1effaef53279a2504856ed04ae48b17a46729cccb", @@ -8462,7 +8600,7 @@ "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", @@ -8497,7 +8635,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 310, "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", @@ -8513,7 +8651,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641", @@ -8536,7 +8674,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "a49d6fb17cca15bf6ca569b7a9ed627b4ac76c4508e50fca28a4a267dc420ad4", 
@@ -8552,7 +8690,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", @@ -8568,7 +8706,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 313, "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e", @@ -8584,7 +8722,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": "eb466a234b50a51692e4c5678572f202d8d11c886c5676f92df089866b6613dc", @@ -8624,7 +8762,7 @@ "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 214, "rule_name": "Potential Credential Access via DCSync", "sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921", @@ -8652,7 +8790,7 @@ "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "A scheduled task was updated", "sha256": "c135f8efdd7137ef937b19eb29aa4a88640d556690f529620d1c24f6c391ec3f", @@ -8680,7 +8818,7 @@ "a13167f1-eec2-4015-9631-1fee60406dcf": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "InstallUtil Process Making Network Connections", "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", 
@@ -8702,7 +8840,7 @@ "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2", @@ -8718,7 +8856,7 @@ "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": "254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9", @@ -8765,7 +8903,7 @@ "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "DNS-over-HTTPS Enabled via Registry", "sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36", @@ -8800,7 +8938,7 @@ "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "PowerShell Mailbox Collection Script", "sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", @@ -8816,7 +8954,7 @@ "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Execution via local SxS Shared Module", "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", @@ -8899,7 +9037,7 @@ "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious MS Office Child Process", "sha256": "3c33d3c17dd17722da2beb479065e86e20568514289f6b08fa02d682146ad1ed", 
@@ -8946,7 +9084,7 @@ "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "065a55514fdc9035ad658a5e591fa4c6fa510746aa52a1f262714061676b6d4d", @@ -9023,7 +9161,7 @@ "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d", @@ -9057,7 +9195,7 @@ "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Remotely Started Services via RPC", "sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0", @@ -9098,7 +9236,7 @@ "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676", @@ -9120,7 +9258,7 @@ "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious WerFault Child Process", "sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10", @@ -9149,7 +9287,7 @@ "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Outlook Home Page Registry Modification", "sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83", 
@@ -9172,7 +9310,7 @@ "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "WPS Office Exploitation via DLL Hijack", "sha256": "006e257e7f3f415df5102ead250e9554e6755e192771f58bdab3c554075b7ae5", @@ -9200,7 +9338,7 @@ "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", @@ -9234,7 +9372,7 @@ "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", @@ -9257,7 +9395,7 @@ "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Signed Proxy Execution via MS Work Folders", "sha256": "810a8c957958d6e605deb047daa6566df4f3fc373fd5b47f4840489c8b1d76d4", @@ -9298,7 +9436,7 @@ "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", @@ -9344,7 +9482,7 @@ "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", 
@@ -9385,7 +9523,7 @@ "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Local Scheduled Task Creation", "sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0", @@ -9425,7 +9563,7 @@ "b0638186-4f12-48ac-83d2-47e686d08e82": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Netsh Helper DLL", "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", @@ -9467,7 +9605,7 @@ "b2318c71-5959-469a-a3ce-3a0768e63b9c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Potential Network Share Discovery", "sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c", @@ -9489,7 +9627,7 @@ "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "min_stack_version": "8.13", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Remote File Copy via TeamViewer", "sha256": "a29d0b9a977b708aa1a61691d747913dbec9f7c2b91dbc0a40e511177f53deab", @@ -9511,7 +9649,7 @@ "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Network Connection via Compiled HTML File", "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", @@ -9539,7 +9677,7 @@ "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817", 
@@ -9562,7 +9700,7 @@ "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "168f65fff8c879d2ac1d9d8f75f943f5bfc82f8f42fb32accf1cafe4fa2f394b", @@ -9597,7 +9735,7 @@ "b483365c-98a8-40c0-92d8-0458ca25058a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "At.exe Command Lateral Movement", "sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402", @@ -9611,20 +9749,27 @@ "version": 105 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9", "type": "query", - "version": 309 + "version": 410 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", @@ -9635,7 +9780,7 @@ "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Clearing Windows Console History", "sha256": "31a8236d386d194b359d207af5df1bf72482fd394b73f8560ec1fc6de98072eb", 
@@ -9658,7 +9803,7 @@ "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "4466accbd5ff400c7b23c229e6337d6832b2b1ec20954ba16572704e2f965837", @@ -9693,7 +9838,7 @@ "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc", @@ -9709,7 +9854,7 @@ "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Potential Veeam Credential Access Command", "sha256": "b3f8b7e37e939e3cd6163ab49a982617cbd2281cc8245da41d7f0b07ffb9ac0d", @@ -9732,7 +9877,7 @@ "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", "sha256": "050e1cfaf93c6b295453f348901119d4394b12f7e0cab4e059bd351a1b69dd62", 
@@ -9752,20 +9897,27 @@ "version": 103 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Deactivate an Okta Policy", + "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48", "type": "query", - "version": 309 + "version": 410 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", @@ -9774,20 +9926,27 @@ "version": 3 }, "b8075894-0b62-46e5-977c-31275da34419": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Administrator Privileges Assigned to an Okta Group", + "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", + "type": "query", + "version": 309 } }, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff", "type": "query", - "version": 308 + "version": 409 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", 
@@ -9798,7 +9957,7 @@ "b8386923-b02c-4b94-986a-d223d9b01f88": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21", @@ -9814,7 +9973,7 @@ "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04", @@ -9837,7 +9996,7 @@ "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Network Connection via MsXsl", "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", @@ -9853,7 +10012,7 @@ "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Kirbi File Creation", "sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22", @@ -9876,7 +10035,7 @@ "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", @@ -9917,7 +10076,7 @@ "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "5971f13dca2e4aa9242197c75db0ea4b322db1fbca63722424ceb9cbd06d0233", 
@@ -9939,7 +10098,7 @@ "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847", @@ -9968,7 +10127,7 @@ "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows Network Activity", "sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57", @@ -9996,7 +10155,7 @@ "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", @@ -10096,7 +10255,7 @@ "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 214, "rule_name": "PowerShell Keylogging Script", "sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e", @@ -10112,7 +10271,7 @@ "bd3d058d-5405-4cee-b890-337f09366ba2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a", @@ -10128,7 +10287,7 @@ "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c", 
@@ -10150,7 +10309,7 @@ "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "88869a90ff8b60cea2e3b311a3cff7348cabd05ea463923dacb7e7810c9063a8", @@ -10182,7 +10341,7 @@ "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", "sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206", @@ -10204,7 +10363,7 @@ "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7", @@ -10245,7 +10404,7 @@ "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f", @@ -10267,7 +10426,7 @@ "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210", 
@@ -10287,6 +10446,13 @@ "type": "eql", "version": 310 }, + "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM Login Profile Added for Root", + "sha256": "e97ee0da03a10eab7cd326f1e77d4b2c462848200bc15e183a7be0b2074dcca1", + "type": "esql", + "version": 1 + }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", @@ -10302,7 +10468,7 @@ "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", "sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2", @@ -10348,7 +10514,7 @@ "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "fbee6d2c06dbbfc87ca0b8695bd5b6d9f72acbb751ce228da8e4cb479b01d60f", @@ -10389,7 +10555,7 @@ "c2d90150-0133-451c-a783-533e736c12d7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Mshta Making Network Connections", "sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624", @@ -10417,7 +10583,7 @@ "c3b915e0-22f3-4bf7-991d-b643513c722f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87", @@ -10446,7 +10612,7 @@ "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e", 
@@ -10469,7 +10635,7 @@ "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", @@ -10498,7 +10664,7 @@ "c55badd3-3e61-4292-836f-56209dc8a601": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Attempted Private Key Access", "sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa", @@ -10514,7 +10680,7 @@ "c5677997-f75b-4cda-b830-a75920514096": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Service Path Modification via sc.exe", "sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32", @@ -10530,7 +10696,7 @@ "c57f8579-e2a5-4804-847f-f2732edc5156": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", @@ -10559,7 +10725,7 @@ "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", @@ -10575,7 +10741,7 @@ "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Installation of Custom Shim Databases", "sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b", 
@@ -10598,7 +10764,7 @@ "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281", @@ -10627,7 +10793,7 @@ "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Remote File Download via MpCmdRun", "sha256": "c2186669d5261bfa7c34dc39f93fc099d98e0e2e752839199476fe5c176ccc2c", 
@@ -10661,36 +10827,50 @@ "version": 2 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Delete an Okta Network Zone", + "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9", "type": "query", - "version": 309 + "version": 410 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Attempt to Modify an Okta Application", "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Attempt to Modify an Okta Application", + "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", + "type": "query", + "version": 309 } }, "rule_name": "Attempt to Modify an Okta Application", "sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010", "type": "query", - "version": 308 + "version": 409 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", @@ -10701,7 +10881,7 @@ "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Unusual Network Connection via DllHost", "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", 
@@ -10723,7 +10903,7 @@ "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Unusual File Modification by dns.exe", "sha256": "a52a50c6b43c02c95ace52b42924ca8e064e2f859b4d50fdba2866d47ac9d182", @@ -10787,7 +10967,7 @@ "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78", @@ -10810,7 +10990,7 @@ "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f", @@ -10891,9 +11071,9 @@ "version": 106 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Multiple Okta Client Addresses for a Single User Session", "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5", @@ -10906,12 +11086,19 @@ "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", "type": "esql", "version": 104 + }, + "8.14": { + "max_allowable_version": 303, + "rule_name": "Multiple Device Token Hashes for Single Okta Session", + "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "type": "esql", + "version": 204 } }, "rule_name": "Multiple Device Token Hashes for Single Okta Session", "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", "type": "esql", - "version": 204 + "version": 304 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", 
@@ -10932,20 +11119,27 @@ "version": 104 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 309, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", "type": "query", "version": 210 + }, + "8.14": { + "max_allowable_version": 410, + "rule_name": "Attempt to Deactivate an Okta Policy Rule", + "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", + "type": "query", + "version": 311 } }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e", "type": "query", - "version": 310 + "version": 411 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", @@ -10954,20 +11148,27 @@ "version": 105 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", + "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", + "type": "query", + "version": 310 } }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4", "type": "query", - "version": 309 + "version": 410 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", 
@@ -10994,53 +11195,60 @@ "version": 3 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 310, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", "type": "eql", "version": 211 + }, + "8.14": { + "max_allowable_version": 411, + "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", + "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", + "type": "eql", + "version": 312 } }, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857", "type": "eql", - "version": 311 + "version": 412 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 309, "rule_name": "Okta User Session Impersonation", "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", "type": "query", "version": 210 + }, + "8.14": { + "max_allowable_version": 410, + "rule_name": "Okta User Session Impersonation", + "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", + "type": "query", + "version": 311 } }, "rule_name": "Okta User Session Impersonation", "sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4", "type": "query", - "version": 310 + "version": 411 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 110, - "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", - "type": "query", - "version": 11 - }, "8.12": { - "max_allowable_version": 212, + "max_allowable_version": 110, "rule_name": 
"Potential PowerShell HackTool Script by Function Names", "sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b", "type": "query", - "version": 113 + "version": 12 } }, "rule_name": "Potential PowerShell HackTool Script by Function Names", @@ -11055,25 +11263,25 @@ "version": 2 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca", "type": "new_terms", - "version": 3 + "version": 104 } }, "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14", "type": "new_terms", - "version": 103 + "version": 204 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65", @@ -11120,7 +11328,7 @@ "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe", @@ -11161,7 +11369,7 @@ "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Registry Persistence via AppInit DLL", "sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35", 
@@ -11184,7 +11392,7 @@ "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20", @@ -11237,7 +11445,7 @@ "d31f183a-e5b1-451b-8534-ba62bca0b404": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7", @@ -11260,7 +11468,7 @@ "d331bbe2-6db4-4941-80a5-8270db72eb61": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Clearing Windows Event Logs", "sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548", @@ -11283,7 +11491,7 @@ "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Remote Windows Service Installed", "sha256": "d3d7e72381e6345a67cffab43f821b026927d01ad097fa644718316d8b841386", @@ -11299,7 +11507,7 @@ "d3551433-782f-4e22-bbea-c816af2d41c6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "WMI WBEMTEST Utility Execution", "sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766", 
@@ -11325,20 +11533,27 @@ "version": 1 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Attempt to Delete an Okta Application", "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Attempt to Delete an Okta Application", + "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", + "type": "query", + "version": 309 } }, "rule_name": "Attempt to Delete an Okta Application", "sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d", "type": "query", - "version": 308 + "version": 409 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", @@ -11379,7 +11594,7 @@ "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Privilege Escalation via Windir Environment Variable", "sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625", 
@@ -11400,25 +11615,32 @@ "version": 308 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Delete an Okta Policy Rule", + "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2", "type": "query", - "version": 309 + "version": 410 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Service Command Lateral Movement", "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42", @@ -11458,7 +11680,7 @@ "d68e95ad-1c82-4074-a12a-125fe10ac8ba": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 113, "rule_name": "System Information Discovery via Windows Command Shell", "sha256": "b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e", @@ -11480,7 +11702,7 @@ "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Modification of WDigest Security Provider", "sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e", @@ -11496,7 +11718,7 @@ "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Command Execution via SolarWinds Process", "sha256": "8fbf7a1dcae87ae50b11fbc90ac978f7238819b6fffdbff9e2762e2ba3cef2a9", 
@@ -11573,7 +11795,7 @@ "d93e61db-82d6-4095-99aa-714988118064": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "NTDS Dump via Wbadmin", "sha256": "34ce5f9596b36a1b992575548e8c62b16a49e5261440a67f784671e4eb4bdbb3", @@ -11596,7 +11818,7 @@ "d99a037b-c8e2-47a5-97b9-170d076827c4": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "c312ca88ca87b5842950e5a73570f60860a7d415c34293e91196686fbad5e738", @@ -11619,7 +11841,7 @@ "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious Windows Command Shell Arguments", "sha256": "0dd9b1e590a4b301d83ffb6fbc022556f692630bef01e7d31223c89a7032ecdb", @@ -11642,7 +11864,7 @@ "da7733b1-fe08-487e-b536-0a04c6d8b0cd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 110, "rule_name": "Code Signing Policy Modification Through Registry", "sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e", @@ -11671,7 +11893,7 @@ "da87eee1-129c-4661-a7aa-57d0b9645fad": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 109, "rule_name": "Suspicious Service was Installed in the System", "sha256": "2b3b6416e094f6fd0f246cdccd204f657433c0899082d352eee17f0a42c6e5cb", @@ -11693,7 +11915,7 @@ "daafdf96-e7b1-4f14-b494-27e0d24b11f6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Potential Pass-the-Hash (PtH) Attempt", "sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d", 
@@ -11715,7 +11937,7 @@ "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Network-Level Authentication (NLA) Disabled", "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474", @@ -11738,7 +11960,7 @@ "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Execution via Windows Subsystem for Linux", "sha256": "86c73ee5160e7e68a9e03ca44a7191655b1ab3644edf3c7468b433eb42722f54", @@ -11791,7 +12013,7 @@ "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Volume Shadow Copy Deletion via WMIC", "sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75", @@ -11820,7 +12042,7 @@ "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious Execution from INET Cache", "sha256": "6890ee7e9f98fd62cb7e5660852cebcf2ec9c6a367072ae8b1660ee40eca75da", @@ -11843,7 +12065,7 @@ "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Attempt to Install Kali Linux via WSL", "sha256": "7209db8e30fa81579cc3b28f823b3efc3f48863b31868b2c52ccee2a937887bd", @@ -11878,7 +12100,7 @@ "ddab1f5f-7089-44f5-9fda-de5b11322e77": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "NullSessionPipe Registry Modification", "sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2", 
@@ -11908,7 +12130,7 @@ "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Child Process from a System Virtual Process", "sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8", @@ -11949,7 +12171,7 @@ "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Unusual Windows User Calling the Metadata Service", "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e", @@ -11996,7 +12218,7 @@ "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Potential privilege escalation via CVE-2022-38028", "sha256": "be7d0516427d16d13075a9c6cbeb259c965436b814a3a00c02a5a879e239aaaa", @@ -12031,7 +12253,7 @@ "e052c845-48d0-4f46-8a13-7d0aba05df82": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "KRBTGT Delegation Backdoor", "sha256": "5b56188233f9c0e6251065b18ac9a7d80ebd1b7cd9a55d4dfbc2fa8735b403cc", @@ -12047,7 +12269,7 @@ "e0881d20-54ac-457f-8733-fe0bc5d44c55": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "System Service Discovery through built-in Windows Utilities", "sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e", 
@@ -12061,20 +12283,27 @@ "version": 109 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 310, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", "type": "threshold", "version": 211 + }, + "8.14": { + "max_allowable_version": 411, + "rule_name": "Attempts to Brute Force an Okta User Account", + "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", + "type": "threshold", + "version": 312 } }, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238", "type": "threshold", - "version": 311 + "version": 412 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "rule_name": "Potentially Suspicious Process Started via tmux or screen", @@ -12133,19 +12362,12 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.14", "previous": { - "8.11": { - "max_allowable_version": 211, - "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", - "type": "query", - "version": 112 - }, "8.12": { - "max_allowable_version": 315, + "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2", "type": "query", - "version": 216 + "version": 113 } }, "rule_name": "Suspicious .NET Reflection via PowerShell", @@ -12160,7 +12382,6 @@ "version": 4 }, "e29599ee-d6ad-46a9-9c6a-dc39f361890d": { - "min_stack_version": "8.12", "rule_name": "Suspicious pbpaste High Volume Activity", "sha256": "a4c8f8bfde8a3b923156ef450b75f64bc7fe03e04671221bd7040e12c3e98c02", "type": "eql", 
@@ -12181,7 +12402,7 @@ "e2e0537d-7d8f-4910-a11d-559bcf61295a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility", "sha256": "b9a7b32c3dfb500b067eb62db94be7e669a714213f44475884a5d82188a89576", @@ -12204,7 +12425,7 @@ "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", "sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff", @@ -12232,7 +12453,7 @@ "e3343ab9-4245-4715-b344-e11c56b0a47f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Process Activity via Compiled HTML File", "sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb", @@ -12267,7 +12488,7 @@ "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e", @@ -12289,7 +12510,7 @@ "e468f3f6-7c4c-45bb-846a-053738b3fe5d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "First Time Seen NewCredentials Logon Process", "sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f", 
@@ -12303,25 +12524,32 @@ "version": 105 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Modify an Okta Network Zone", + "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5", "type": "query", - "version": 309 + "version": 410 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Service Creation via Local Kerberos Authentication", "sha256": "b0f8db3df27e01d7b12cdd167287aca6d31dcafc2878624cdfc8971185e9c74d", @@ -12337,7 +12565,7 @@ "e514d8cd-ed15-4011-84e2-d15147e059f1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Kerberos Pre-authentication Disabled for User", "sha256": "2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03", 
@@ -12375,20 +12603,27 @@ "version": 107 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Possible Okta DoS Attack", "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Possible Okta DoS Attack", + "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e", + "type": "query", + "version": 309 } }, "rule_name": "Possible Okta DoS Attack", "sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579", "type": "query", - "version": 308 + "version": 409 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", @@ -12411,7 +12646,7 @@ "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Execution of Persistent Suspicious Program", "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478", @@ -12427,7 +12662,7 @@ "e72f87d0-a70e-4f8d-8443-a6407bc34643": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20", @@ -12455,7 +12690,7 @@ "e760c72b-bb1f-44f0-9f0d-37d51744ee75": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Unusual Execution via Microsoft Common Console File", "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35", 
@@ -12496,7 +12731,7 @@ "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Service Control Spawned via Script Interpreter", "sha256": "23319cac9de2bde953f91039aa5aaf01a9dee132682c44d6c32a15b80a48bc70", @@ -12512,7 +12747,7 @@ "e86da94d-e54b-4fb5-b96c-cecff87e8787": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Installation of Security Support Provider", "sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7", @@ -12535,7 +12770,7 @@ "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Host Files System Changes via Windows Subsystem for Linux", "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006", @@ -12561,20 +12796,27 @@ "version": 107 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 310, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4", "type": "threshold", "version": 211 + }, + "8.14": { + "max_allowable_version": 411, + "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", + "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4", + "type": "threshold", + "version": 312 } }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425", "type": "threshold", - "version": 311 + "version": 412 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "AWS EC2 VM Export Failure", 
@@ -12591,7 +12833,7 @@ "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Executable File Creation by a System Critical Process", "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f", @@ -12644,7 +12886,7 @@ "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a Parent Process", "sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879", @@ -12684,7 +12926,7 @@ "eb44611f-62a8-4036-a5ef-587098be6c43": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad", @@ -12700,7 +12942,7 @@ "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "PowerShell Kerberos Ticket Request", "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb", @@ -12728,7 +12970,7 @@ "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140", @@ -12751,7 +12993,7 @@ "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "IIS HTTP Logging Disabled", "sha256": "1d1a052986ba865ecb1849338b1b869d684513a6631e04cab4c9db4a1eed568f", 
@@ -12774,7 +13016,7 @@ "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Process Execution from an Unusual Directory", "sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce", @@ -12833,7 +13075,7 @@ "eda499b8-a073-4e35-9733-22ec71f57f3a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "AdFind Command Activity", "sha256": "c46b6502090d25c7bb5161cdb2c5e4487119fface180acbec85cd9f704de19b1", @@ -12854,25 +13096,32 @@ "version": 314 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05", "type": "query", "version": 209 + }, + "8.14": { + "max_allowable_version": 409, + "rule_name": "Attempt to Deactivate an Okta Application", + "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05", + "type": "query", + "version": 310 } }, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a", "type": "query", - "version": 309 + "version": 410 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "ImageLoad via Windows Update Auto Update Client", "sha256": "d9390521fb8ec490fd84fdba1668ebb433862673b898bc446455d90b71cd13a8", 
@@ -12899,25 +13148,32 @@ "version": 6 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Okta FastPass Phishing Detection", "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c", "type": "query", "version": 106 + }, + "8.14": { + "max_allowable_version": 306, + "rule_name": "Okta FastPass Phishing Detection", + "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c", + "type": "query", + "version": 207 } }, "rule_name": "Okta FastPass Phishing Detection", "sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54", "type": "query", - "version": 206 + "version": 307 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Unusual Print Spooler Child Process", "sha256": "1c4b115ce0bde803fa63edbabb634df01af0720cabb3012ed329a5031cd7c961", @@ -12969,7 +13225,7 @@ "ef862985-3f13-4262-a686-5f357bbb9bc2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Whoami Process Activity", "sha256": "85fc0e0d9af73aa5f5fc4dd729db10425c22c61214f864625a235cffcca9c508", @@ -12991,7 +13247,7 @@ "f036953a-4615-4707-a1ca-dc53bf69dcd5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Unusual Child Processes of RunDLL32", "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe", 
@@ -13011,20 +13267,27 @@ "version": 108 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Administrator Role Assigned to an Okta User", + "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", + "type": "query", + "version": 309 } }, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1", "type": "query", - "version": 308 + "version": 409 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", @@ -13071,7 +13334,7 @@ "f243fe39-83a4-46f3-a3b6-707557a102df": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Service Path Modification", "sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599", @@ -13096,10 +13359,17 @@ "type": "eql", "version": 110 }, + "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { + "min_stack_version": "8.13", + "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", + "sha256": "c38cb3e116786c25852f4790593e82bfaff12642ff456bb3fa6fd5dab8596b3c", + "type": "esql", + "version": 1 + }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "SIP Provider Modification", "sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e", 
@@ -13122,7 +13392,7 @@ "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "LSASS Memory Dump Creation", "sha256": "7e795307c7ee80d811f2bdbe317f0b5e563dbd232e6ff795ecb0a1f21dd1e2c4", @@ -13163,7 +13433,7 @@ "f3475224-b179-4f78-8877-c2bd64c26b88": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "WMI Incoming Lateral Movement", "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e", @@ -13210,7 +13480,7 @@ "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Persistence via Microsoft Office AddIns", "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc", @@ -13239,7 +13509,7 @@ "f494c678-3c33-43aa-b169-bb3d5198c41d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d", @@ -13280,7 +13550,7 @@ "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Windows Script Executing PowerShell", "sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c", @@ -13309,7 +13579,7 @@ "f580bf0a-2d23-43bb-b8e1-17548bb947ec": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Rare SMB Connection to the Internet", "sha256": "0994ac029d0e0256082d0a61be3696ee4a982af12e3efc1a96d975cb575ce7c2", 
@@ -13332,7 +13602,7 @@ "f5861570-e39a-4b8a-9259-abd39f84cb97": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "WRITEDAC Access on Active Directory Object", "sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531", @@ -13348,7 +13618,7 @@ "f59668de-caa0-4b84-94c1-3a1549e1e798": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "WMIC Remote Command", "sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689", @@ -13370,7 +13640,7 @@ "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60", @@ -13398,7 +13668,7 @@ "f63c8e3c-d396-404f-b2ea-0379d3942d73": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Windows Firewall Disabled via PowerShell", "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088", @@ -13427,7 +13697,7 @@ "f675872f-6d85-40a3-b502-c0d2ef101e92": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Delete Volume USN Journal with Fsutil", "sha256": "405bde7c6d0f3ef9dcfc7e1924b27101ba6c8b94fad77b6398bd191d56a95503", @@ -13492,7 +13762,7 @@ "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Persistent Scripts in the Startup Directory", "sha256": "3e8f291e2a3c067b9b355896116b130d4aea64f67e03fe8b2c4551ddfb9c83ac", 
@@ -13521,7 +13791,7 @@ "f81ee52c-297e-46d9-9205-07e66931df26": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec", @@ -13556,7 +13826,7 @@ "f874315d-5188-4b4a-8521-d1c73093a7e4": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Modification of AmsiEnable Registry Key", "sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd", @@ -13579,7 +13849,7 @@ "f8822053-a5d2-46db-8c96-d460b12c36ac": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Potential Active Directory Replication Account Backdoor", "sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03", @@ -13595,7 +13865,7 @@ "f909075d-afc7-42d7-b399-600b94352fd9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service", "sha256": "d8dfe4f7a77d80cdf2454af910950a75588c1c7ad2eb770140cdf8c992dcf6ea", 
@@ -13609,20 +13879,20 @@ "version": 101 }, "f94e898e-94f1-4545-8923-03e4b2866211": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0", "type": "new_terms", - "version": 3 + "version": 104 } }, "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737", "type": "new_terms", - "version": 103 + "version": 204 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux Network Configuration Discovery", @@ -13639,7 +13909,7 @@ "f97504ac-1053-498f-aeaa-c6d01e76b379": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Browser Extension Install", "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a", @@ -13662,7 +13932,7 @@ "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 109, "rule_name": "Privileged Account Brute Force", "sha256": "e5f51f4e2b82a0b05641ba03fe55a1433a719fe509d21bb8023368ef4e81425e", 
@@ -13676,25 +13946,32 @@ "version": 110 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { - "min_stack_version": "8.14", + "min_stack_version": "8.15", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", "type": "query", "version": 208 + }, + "8.14": { + "max_allowable_version": 408, + "rule_name": "Suspicious Activity Reported by Okta User", + "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", + "type": "query", + "version": 309 } }, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317", "type": "query", - "version": 308 + "version": 409 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Remote File Copy to a Hidden Share", "sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca", @@ -13729,7 +14006,7 @@ "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc", @@ -13764,7 +14041,7 @@ "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Network Connection via Registration Utility", "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d", 
@@ -13778,20 +14055,20 @@ "version": 208 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234", "type": "threshold", - "version": 3 + "version": 104 } }, "rule_name": "High Number of Cloned GitHub Repos From PAT", - "sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4", + "sha256": "aa706a6df1832c500f882ba46028eb2732a866b5e6335c33fd62c18d90a7d870", "type": "threshold", - "version": 103 + "version": 204 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", @@ -13808,7 +14085,7 @@ "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e", @@ -13829,20 +14106,20 @@ "version": 309 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf", "type": "new_terms", - "version": 3 + "version": 104 } }, "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010", "type": "new_terms", - "version": 103 + "version": 204 }, "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { "rule_name": "User or Group Creation/Modification", 
@@ -13851,20 +14128,20 @@ "version": 3 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { - "min_stack_version": "8.12", + "min_stack_version": "8.13", "previous": { - "8.11": { - "max_allowable_version": 102, + "8.12": { + "max_allowable_version": 203, "rule_name": "GitHub App Deleted", "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960", "type": "eql", - "version": 3 + "version": 104 } }, "rule_name": "GitHub App Deleted", "sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7", "type": "eql", - "version": 103 + "version": 204 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", @@ -13881,7 +14158,7 @@ "fd4a992d-6130-4802-9ff8-829b89ae801f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Potential Application Shimming via Sdbinst", "sha256": "9f7d06cfbaaf01ad88f6a276c277892a422e7537769e0d96e7070b2598e9ad63", @@ -13904,7 +14181,7 @@ "fd70c98a-c410-42dc-a2e3-761c71848acf": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious CertUtil Commands", "sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c", @@ -13927,7 +14204,7 @@ "fd7a6052-58fa-4397-93c3-4795249ccfa2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 317, "rule_name": "Svchost spawning Cmd", "sha256": "e120819a00740e66d735aed46354c8c204941e187fffe5705afac9bc20b2c37f", @@ -13962,7 +14239,7 @@ "fddff193-48a3-484d-8d35-90bb3d323a56": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "PowerShell Kerberos Ticket Dump", "sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3", 
@@ -13978,7 +14255,7 @@ "fe25d5bc-01fa-494a-95ff-535c29cc4c96": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "PowerShell Script with Password Policy Discovery Capabilities", "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9", @@ -13994,7 +14271,7 @@ "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Microsoft Windows Defender Tampering", "sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada", @@ -14029,7 +14306,7 @@ "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "MS Office Macro Security Registry Modifications", "sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329", @@ -14088,7 +14365,7 @@ "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb", @@ -14115,9 +14392,19 @@ "version": 104 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { + "min_stack_version": "8.16", + "previous": { + "8.12": { + "max_allowable_version": 106, + "rule_name": "Potential Sudo Token Manipulation via Process Injection", + "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", + "type": "eql", + "version": 7 + } + }, "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", + "sha256": "d9a50180875a16c7d3cfedadf27a0c3bb75bd18b950d188993f9ba0f43f504ca", "type": "eql", - "version": 5 + "version": 107 } } \ No newline at end of file 
diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
index bb4de061352..3ce6e4f353e 100644
--- a/detection_rules/rule_validators.py
+++ b/detection_rules/rule_validators.py
@@ -17,6 +17,7 @@ from semver import Version
 import kql
+import click
 from . import ecs, endgame
 from .config import CUSTOM_RULES_DIR, load_current_package_version, parse_rules_config
@@ -371,7 +372,9 @@ def validate(self, data: "QueryRuleData", meta: RuleMeta, max_attempts: int = 10
 # auto add the field and re-validate
 self.auto_add_field(validation_checks["stack"], data.index_or_dataview[0])
 else:
- raise ValueError(f"Error in both stack and integrations checks: {validation_checks}")
+ click.echo(f"Stack Error Trace: {validation_checks["stack"]}")
+ click.echo(f"Integrations Error Trace: {validation_checks["integrations"]}")
+ raise ValueError("Error in both stack and integrations checks")
 else:
 break
diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py
index edd79e39faa..a303c365ea3 100644
--- a/detection_rules/schemas/__init__.py
+++ b/detection_rules/schemas/__init__.py
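Review bot: The new `raise ValueError("Error in both stack and integrations checks")` drops the `validation_checks` detail that the replaced message carried, and the two `click.echo` calls before it write that detail to stdout instead of attaching it to the exception, so a caller that catches the `ValueError` (or a CI log that only keeps the traceback) no longer shows why both checks failed. Keep the detail on the exception as well, e.g. `raise ValueError(f"Error in both stack and integrations checks: {validation_checks}")`, or at minimum pass `err=True` to both echoes so the traces land on stderr next to the traceback. The `f"Stack Error Trace: {validation_checks["stack"]}"` form reuses the enclosing double quote inside the replacement field, which only parses on Python 3.12+ (PEP 701); that is consistent with `requires-python = ">=3.12"` in this PR's pyproject.toml, but it means the module stops importing on anything older, which is worth knowing if any tooling still runs an earlier interpreter. `validate` starts before this hunk and its retry loop continues past the visible `break`.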
@@ -287,6 +287,24 @@ def migrate_to_8_14(version: Version, api_contents: dict) -> dict:
 return strip_additional_properties(version, api_contents)
+@migrate("8.15")
+def migrate_to_8_15(version: Version, api_contents: dict) -> dict:
+ """Default migration for 8.15."""
+ return strip_additional_properties(version, api_contents)
+
+
+@migrate("8.16")
+def migrate_to_8_16(version: Version, api_contents: dict) -> dict:
+ """Default migration for 8.16."""
+ return strip_additional_properties(version, api_contents)
+
+
+@migrate("8.17")
+def migrate_to_8_17(version: Version, api_contents: dict) -> dict:
+ """Default migration for 8.17."""
+ return strip_additional_properties(version, api_contents)
+
+
 def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict:
 """Downgrade a rule to a target stack version."""
 from ..packaging import current_stack_version
diff --git a/docs/versioning.md b/docs/versioning.md
index f2b55e94cdf..3b66e87f37a 100644
--- a/docs/versioning.md
+++ b/docs/versioning.md
@@ -4,22 +4,22 @@ This document provides detailed information about the different versions that ar
 ## Current Version
-The current version of prebuilt detection rules is `v8.16`.
+The current version of prebuilt detection rules is `v8.17`.
 ## Previous Versions Released
 The following version(s) are released along with the current version.
+- `v8.16`
 - `v8.15`
 - `v8.14`
-- `v8.13`
 ### Previous Versions Maintained
 The following version(s) are maintained along with the current version.
+- `v8.13`
 - `v8.12`
-- `v8.11`
 ## End of Life Policy
diff --git a/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md b/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
new file mode 100644
index 00000000000..c500c08566b
--- /dev/null
+++ b/hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
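Review bot: `migrate_to_8_15`, `migrate_to_8_16` and `migrate_to_8_17` are identical apart from the version string, and each is the same `strip_additional_properties` pass that the `migrate_to_8_14` shown in the hunk header already performs. If `migrate` returns the function it decorates, a loop such as `for v in ("8.15", "8.16", "8.17"): migrate(v)(migrate_to_8_14)` would register the same default without three copies; if the one-function-per-version layout is deliberate so version-specific logic can be dropped in later, a one-line comment above `migrate_to_8_15` saying so (`# Placeholder migrations: identical to 8.14 until a schema change needs version-specific handling.`) would spare the next reader the question.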
@@ -0,0 +1,63 @@ +# AWS IAM Unusual AWS Access Key Usage for User + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunting query gathers data from AWS CloudTrail logs to identify unusual AWS access key usage for a user. By detecting instances where an access key is used infrequently for a specific AWS event, this query helps identify potential misuse or abuse of AWS access keys. Adversaries may use access keys to gain unauthorized access to AWS resources, exfiltrate data, or perform other malicious activities within the environment. + +- **UUID:** `18ce3dbc-b1b3-11ef-9e63-f661ea17fbce` +- **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail) +- **Language:** `[ES|QL]` +- **Source File:** [AWS IAM Unusual AWS Access Key Usage for User](../queries/iam_unusual_access_key_usage_for_user.toml) + +## Query + +```sql +FROM logs-aws.cloudtrail* +// Limit the search to the last 14 days +| WHERE @timestamp > now() - 14 day +| WHERE + // Filter for successful AWS CloudTrail events + event.dataset == "aws.cloudtrail" + and event.outcome == "success" + + // Filter for AWS CloudTrail events with user identity and access key information + and aws.cloudtrail.user_identity.access_key_id IS NOT NULL + and aws.cloudtrail.resources.arn IS NOT NULL + + // Ignore GetObject events + and event.action NOT IN ("GetObject") + + // Filter out known service roles; expand this as needed + and NOT aws.cloudtrail.user_identity.arn LIKE "*AWSServiceRoleForConfig*" + and NOT aws.cloudtrail.user_identity.arn LIKE "*Elastic-Cloud-Security-Posture*" + and NOT aws.cloudtrail.user_identity.arn LIKE "*AmazonSSMRoleForInstancesQuickSetup*" + +| STATS + // Count the number of events for each daily bucket, user identity, access key, resource, and action + api_counts = count(*) by aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action + +// Filter for access keys with less than 2 API calls per day +| WHERE api_counts 
< 2 +| SORT api_counts ASC +``` + +## Notes + +- Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify the user and access key involved in the unusual access key usage. +- Review the infrequente AWS events (`event.action`), associated with the access key to determine the potential impact of the unusual access key usage. +- Within AWS, determine is the access key is temporary or permanent and if it is associated with a specific user or role. +- If the access key is associated with a specific role, review the permissions and policies associated with the role to determine the potential impact of the unusual access key usage. +- If the access key is associated with an assumed role, review the resources assigned to the role. Consider pivoting on EC2 or Lambda-based roles if identified and examine session metadata within the last 24-hours. +- Consider reviewing the `source.address` field to identify the IP address of the actor responsible for the unusual access key usage. +- If the access key is perminant and tied to a user or role, consider rotating the access key to prevent further unauthorized access. + +## MITRE ATT&CK Techniques + +- [T1078.004](https://attack.mitre.org/techniques/T1078/004) + +## License + +- `Elastic License v2` diff --git a/hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml b/hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml new file mode 100644 index 00000000000..5703503161b --- /dev/null +++ b/hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml 
@@ -0,0 +1,51 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunting query gathers data from AWS CloudTrail logs to identify unusual AWS access key usage for a user. By detecting instances where an access key is used infrequently for a specific AWS event, this query helps identify potential misuse or abuse of AWS access keys. Adversaries may use access keys to gain unauthorized access to AWS resources, exfiltrate data, or perform other malicious activities within the environment.
+"""
+integration = ["aws.cloudtrail"]
+uuid = "18ce3dbc-b1b3-11ef-9e63-f661ea17fbce"
+name = "AWS IAM Unusual AWS Access Key Usage for User"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+"Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify the user and access key involved in the unusual access key usage.",
+"Review the infrequente AWS events (`event.action`), associated with the access key to determine the potential impact of the unusual access key usage.",
+"Within AWS, determine is the access key is temporary or permanent and if it is associated with a specific user or role.",
+"If the access key is associated with a specific role, review the permissions and policies associated with the role to determine the potential impact of the unusual access key usage.",
+"If the access key is associated with an assumed role, review the resources assigned to the role. Consider pivoting on EC2 or Lambda-based roles if identified and examine session metadata within the last 24-hours.",
+"Consider reviewing the `source.address` field to identify the IP address of the actor responsible for the unusual access key usage.",
+"If the access key is perminant and tied to a user or role, consider rotating the access key to prevent further unauthorized access."
+]
+mitre = ['T1078.004']
+query = [
+'''
+FROM logs-aws.cloudtrail*
+// Limit the search to the last 14 days
+| WHERE @timestamp > now() - 14 day
+| WHERE
+ // Filter for successful AWS CloudTrail events
+ event.dataset == "aws.cloudtrail"
+ and event.outcome == "success"
+
+ // Filter for AWS CloudTrail events with user identity and access key information
+ and aws.cloudtrail.user_identity.access_key_id IS NOT NULL
+ and aws.cloudtrail.resources.arn IS NOT NULL
+
+ // Ignore GetObject events
+ and event.action NOT IN ("GetObject")
+
+ // Filter out known service roles; expand this as needed
+ and NOT aws.cloudtrail.user_identity.arn LIKE "*AWSServiceRoleForConfig*"
+ and NOT aws.cloudtrail.user_identity.arn LIKE "*Elastic-Cloud-Security-Posture*"
+ and NOT aws.cloudtrail.user_identity.arn LIKE "*AmazonSSMRoleForInstancesQuickSetup*"
+
+| STATS
+ // Count the number of events for each daily bucket, user identity, access key, resource, and action
+ api_counts = count(*) by aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action
+
+// Filter for access keys with less than 2 API calls per day
+| WHERE api_counts < 2
+| SORT api_counts ASC
+'''
+]
diff --git a/hunting/index.md b/hunting/index.md
index a766fca1856..7b014415d8b 100644
--- a/hunting/index.md
+++ b/hunting/index.md
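Review bot: The `STATS` comment (`// Count the number of events for each daily bucket, user identity, access key, resource, and action`) and the final filter comment (`// Filter for access keys with less than 2 API calls per day`) describe a per-day, per-resource aggregation, but the `by` clause groups only on `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.access_key_id` and `event.action`, so `api_counts` is the total over the whole 14-day window and `api_counts < 2` selects actions invoked exactly once in two weeks, not once per day. Either add a daily bucket to the grouping (on stacks that have ES|QL's `BUCKET`, an extra `by` term `BUCKET(@timestamp, 1 day)`) plus `aws.cloudtrail.resources.arn` if the per-resource count is intended, or reword both comments and the description to say "over the 14-day window"; as written, the `aws.cloudtrail.resources.arn IS NOT NULL` predicate only narrows the event set and does not group by resource. The `notes` strings also carry typos that the generated docs page in this PR copies verbatim: `infrequente` → `infrequent`, `determine is the access key` → `determine if the access key`, `perminant` → `permanent`.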
@@ -4,7 +4,8 @@ Here are the queries currently available:
 ## aws
-- [AWS IAM Customer-Managed Policy Attachment for Privilege Escalation](./aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md) (ES|QL)
+- [AWS IAM Customer-Managed Policy Attachment to Existing Roles](./aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md) (ES|QL)
+- [AWS IAM Unusual AWS Access Key Usage for User](./aws/docs/iam_unusual_access_key_usage_for_user.md) (ES|QL)
 - [EC2 Modify Instance Attribute User Data](./aws/docs/ec2_modify_instance_attribute_user_data.md) (ES|QL)
 - [EC2 Suspicious Get User Password Request](./aws/docs/ec2_suspicious_get_user_password_request.md) (ES|QL)
 - [High EC2 Instance Deployment Count Attempts by Single User or Role](./aws/docs/ec2_high_instance_deployment_count_attempts.md) (ES|QL)
diff --git a/hunting/index.yml b/hunting/index.yml
index e7b44f52e63..ba1152c6d7e 100644
--- a/hunting/index.yml
+++ b/hunting/index.yml
@@ -365,10 +365,15 @@ aws:
 mitre:
 - T1550.001
 418baaf2-9ae1-11ef-be63-f661ea17fbcd:
- name: AWS IAM Customer-Managed Policy Attachment for Privilege Escalation
+ name: AWS IAM Customer-Managed Policy Attachment to Existing Roles
 path: ./aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml
 mitre:
 - T1548.005
+ 18ce3dbc-b1b3-11ef-9e63-f661ea17fbce:
+ name: AWS IAM Unusual AWS Access Key Usage for User
+ path: ./aws/queries/iam_unusual_access_key_usage_for_user.toml
+ mitre:
+ - T1078.004
 windows:
 44e6adc6-e183-4bfa-b06d-db41669641fa:
 name: Rundll32 Execution Aggregated by Command Line
diff --git a/pyproject.toml b/pyproject.toml
index 6e8a158f2e7..8ef7db21195 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.2.1"
+version = "0.3.6"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
new file mode 100644
index 00000000000..447c69c9399
--- /dev/null
+++ b/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml
@@ -0,0 +1,151 @@
+[metadata]
+creation_date = "2024/12/02"
+integration = ["aws"]
+maturity = "production"
+min_stack_comments = "ES|QL available in technical preview."
+min_stack_version = "8.13.0"
+updated_date = "2024/12/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary
+access to the root account, may add a login profile to the root user account to maintain access even if the original
+access key is rotated or disabled.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS IAM Login Profile Added for Root"
+note = """
+## Investigating AWS IAM Login Profile Added for Root
+
+This rule detects when a login profile is added to the AWS root account. Adding a login profile to the root account, especially if self-assigned, is highly suspicious as it might indicate an adversary trying to establish persistence in the environment.
+
+### Possible Investigation Steps
+
+- **Identify the Source and Context of the Action**:
+ - Examine the `source.address` field to identify the IP address from which the request originated.
+ - Check the geographic location (`source.address`) to determine if the access is from an expected or unexpected region.
+ - Look at the `user_agent.original` field to identify the tool or browser used for this action.
+ - For example, a user agent like `Mozilla/5.0` might indicate interactive access, whereas `aws-cli` or SDKs suggest scripted activity.
+
+- **Confirm Root User and Request Details**:
+ - Validate the root user's identity through `aws.cloudtrail.user_identity.arn` and ensure this activity aligns with legitimate administrative actions.
+ - Review `aws.cloudtrail.user_identity.access_key_id` to identify if the action was performed using temporary or permanent credentials. This access key could be used to pivot into other actions.
+
+- **Analyze the Login Profile Creation**:
+ - Review the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields for details of the created login profile.
+ - For example, confirm the `userName` of the profile and whether `passwordResetRequired` is set to `true`.
+ - Compare the `@timestamp` of this event with other recent actions by the root account to identify potential privilege escalation or abuse.
+
+- **Correlate with Other Events**:
+ - Investigate for related IAM activities, such as:
+ - `CreateAccessKey` or `AttachUserPolicy` events targeting the root account.
+ - Unusual data access, privilege escalation, or management console logins.
+ - Check for any anomalies involving the same `source.address` or `aws.cloudtrail.user_identity.access_key_id` in the environment.
+
+- **Evaluate Policy and Permissions**:
+ - Verify the current security policies for the root account:
+ - Ensure password policies enforce complexity and rotation requirements.
+ - Check if MFA is enforced on the root account.
+ - Assess the broader IAM configuration for deviations from least privilege principles.
+
+### False Positive Analysis
+
+- **Routine Administrative Tasks**: Adding a login profile might be a legitimate action during certain administrative processes. Verify with the relevant AWS administrators if this event aligns with routine account maintenance or emergency recovery scenarios.
+
+- **Automation**: If the action is part of an approved automation process (e.g., account recovery workflows), consider excluding these activities from alerting using specific user agents, IP addresses, or session attributes.
+
+### Response and Remediation
+
+- **Immediate Access Review**:
+ - Disable the newly created login profile (`aws iam delete-login-profile`) if it is determined to be unauthorized.
+ - Rotate or disable the credentials associated with the root account to prevent further abuse.
+
+- **Enhance Monitoring and Alerts**:
+ - Enable real-time monitoring and alerting for IAM actions involving the root account.
+ - Increase the logging verbosity for root account activities.
+
+- **Review and Update Security Policies**:
+ - Enforce MFA for all administrative actions, including root account usage.
+ - Restrict programmatic access to the root account by disabling access keys unless absolutely necessary.
+
+- **Conduct Post-Incident Analysis**:
+ - Investigate how the credentials for the root account were compromised or misused.
+ - Strengthen the security posture by implementing account-specific guardrails and continuous monitoring.
+
+### Additional Resources
+
+- AWS documentation on [Login Profile Management](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html).
+"""
+risk_score = 73
+rule_id = "c04be7e0-b0fc-11ef-a826-f661ea17fbce"
+severity = "high"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail* metadata _id, _version, _index
+| where
+ // filter for CloudTrail logs from IAM
+ event.dataset == "aws.cloudtrail"
+ and event.provider == "iam.amazonaws.com"
+
+ // filter for successful CreateLoginProfile API call
+ and event.action == "CreateLoginProfile"
+ and event.outcome == "success"
+
+ // filter for Root member account
+ and aws.cloudtrail.user_identity.type == "Root"
+
+ // filter for an access key existing which sources from AssumeRoot
+ and aws.cloudtrail.user_identity.access_key_id IS NOT NULL
+
+ // filter on the request parameters not including UserName which assumes self-assignment
+ and NOT TO_LOWER(aws.cloudtrail.request_parameters) LIKE "*username*"
+| keep
+ @timestamp,
+ aws.cloudtrail.request_parameters,
+ aws.cloudtrail.response_elements,
+ aws.cloudtrail.user_identity.type,
+ aws.cloudtrail.user_identity.arn,
+ aws.cloudtrail.user_identity.access_key_id,
+ cloud.account.id,
+ event.action,
+ source.address
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
index 6679751599d..3832f6765c6 100644
--- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
+++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
@@ -2,7 +2,7 @@ creation_date = "2024/06/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/11/07"
+updated_date = "2024/12/10"
 min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
 min_stack_version = "8.13.0"
@@ -117,7 +117,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 aws.cloudtrail.request_parameters,
 aws.cloudtrail.response_elements,
 aws.cloudtrail.user_identity.arn,
- aws.cloudtrail.user_identity.type,
+ aws.cloudtrail.user_identity.type
 '''
 [rule.investigation_fields]
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml b/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml
new file mode 100644
index 00000000000..2f985703e57
--- /dev/null
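Review bot: The investigation guide tells the analyst to look at the `user_agent.original` field, but the query's `keep` list ends with `source.address` and never retains `user_agent.original`, so an alert produced by this ES|QL rule will not carry that field (as far as I know only the kept columns survive into the alert document). Add `user_agent.original,` to the `keep` list, a one-line change, or drop that guide step. The same guide says `Check the geographic location (`source.address`)`; `source.address` holds the raw IP, and location (when the integration enriches it) lives under `source.geo.*`, so that bullet should name `source.geo.country_name`/`source.geo.city_name` or say that the IP is the pivot for a geo lookup. Nothing in the hunk grounds the comment `// filter for an access key existing which sources from AssumeRoot`; if the `access_key_id IS NOT NULL` predicate is meant to separate AssumeRoot sessions from console root sessions, one sentence in the guide's false-positive section would make that assumption visible to analysts instead of leaving it in a query comment.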
+++ b/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml 
@@ -0,0 +1,89 @@ +[metadata] +creation_date = "2024/11/25" +maturity = "production" +updated_date = "2024/11/25" +min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" +min_stack_version = "8.13.0" + +[rule] +author = ["Elastic"] +description = """ +Identifies multiple AWS Bedrock executions in a one minute time window without guardrails by the same user in the same account over a session. Multiple +consecutive executions implies that a user may be intentionally attempting to bypass security controls, by not routing the requests with the desired guardrail configuration +in order to access sensitive information, or possibly exploit a vulnerability in the system. +""" +false_positives = ["Users testing new model deployments or updated compliance policies without Amazon Bedrock guardrails."] +from = "now-60m" +interval = "10m" +language = "esql" +license = "Elastic License v2" +name = "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session" +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" +] +risk_score = 47 +rule_id = "f2c653b7-7daf-4774-86f2-34cdbd1fc528" +note = """## Triage and analysis + +### Investigating Amazon Bedrock Invocations without Guardrails Detected by a Single User Over a Session. + +Using Amazon Bedrock Guardrails during model invocation is critical for ensuring the safe, reliable, and ethical use of AI models. +Guardrails help manage risks associated with AI usage and ensure the output aligns with desired policies and standards. 
+ +#### Possible investigation steps + +- Identify the user account that caused multiple model violations over a session without desired guardrail configuration and whether it should perform this kind of action. +- Investigate the user activity that might indicate a potential brute force attack. +- Investigate other alerts associated with the user account during the past 48 hours. +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day? +- Examine the account's prompts and responses in the last 24 hours. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours. + +### False positive analysis + +- Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services. + - Identify any regulatory or legal ramifications related to this activity. +- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+setup = """## Setup
+
+This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+ "Domain: LLM",
+ "Data Source: AWS Bedrock",
+ "Data Source: AWS S3",
+ "Resources: Investigation Guide",
+ "Use Case: Policy Violation",
+ "Mitre Atlas: T0051",
+ "Mitre Atlas: T0054",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+// create time window buckets of 1 minute
+| eval time_window = date_trunc(1 minute, @timestamp)
+| where gen_ai.guardrail_id is NULL
+| KEEP @timestamp, time_window, gen_ai.guardrail_id , user.id
+| stats model_invocation_without_guardrails = count() by user.id
+| where model_invocation_without_guardrails > 5
+| sort model_invocation_without_guardrails desc
+'''
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
index 1661e040f76..d679ce05eac 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
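Review bot: The `time_window` bucket built by `eval` is never used in the aggregation — `stats ... by user.id` counts every guardrail-less invocation in the `now-60m` lookback per user, so the "one minute time window" in the description is not what the query enforces and the `> 5` threshold is applied to an hour of activity. Either group by the bucket, `| stats model_invocation_without_guardrails = count() by user.id, time_window`, or drop the `eval` and the one-minute wording so query and description agree. The investigation step "Investigate the user activity that might indicate a potential brute force attack" reads as copied from another rule; brute force is not what this query detects. `gen_ai.guardrail_id is NULL` also matches any invocation for which the integration simply does not populate the field, so confirm the field is set on every guarded invocation before relying on its absence as the signal.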
@@ -1,44 +1,44 @@ [metadata] creation_date = "2024/05/05" maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/21" min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" min_stack_version = "8.13.0" [rule] author = ["Elastic"] description = """ -Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', -indicating persistent misuse or attempts to probe the model's ethical boundaries. +Detects repeated high-confidence 'BLOCKED' actions coupled with specific 'Content Filter' policy violation having codes such as 'MISCONDUCT', +'HATE', 'SEXUAL', INSULTS', 'PROMPT_ATTACK', 'VIOLENCE' indicating persistent misuse or attempts to probe the model's ethical boundaries. """ false_positives = ["New model deployments.", "Testing updates to compliance policies."] from = "now-60m" interval = "10m" language = "esql" license = "Elastic License v2" -name = "Unusual High Confidence Misconduct Blocks Detected" +name = "Unusual High Confidence Content Filter Blocks Detected" references = [ "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security" ] -risk_score = 73 +risk_score = 47 rule_id = "4f855297-c8e0-4097-9d97-d653f7e471c4" note = """## Triage and analysis -### Investigating Amazon Bedrock Guardrail High Confidence Misconduct Blocks. +### Investigating Amazon Bedrock Guardrail High Confidence Content Filter Blocks. Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications. It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices. 
-Through Guardrail, organizations can define "denied topics" to prevent the model from generating content on specific, undesired subjects, -and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language. +Through Guardrail, organizations can enable Content filter for Hate, Insults, Sexual Violence and Misconduct along with Prompt Attack filters prompts +to prevent the model from generating content on specific, undesired subjects, and they can establish thresholds for harmful content categories. #### Possible investigation steps -- Identify the user account that queried denied topics and whether it should perform this kind of action. +- Identify the user account whose prompts caused high confidence content filter blocks and whether it should perform this kind of action. - Investigate other alerts associated with the user account during the past 48 hours. - Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day? - Examine the account's prompts and responses in the last 24 hours. @@ -66,7 +66,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html """ -severity = "high" +severity = "medium" tags = [ "Domain: LLM", "Data Source: AWS Bedrock", 
@@ -82,9 +82,13 @@ query = '''
 from logs-aws_bedrock.invocation-*
 | MV_EXPAND gen_ai.compliance.violation_code
 | MV_EXPAND gen_ai.policy.confidence
-| where gen_ai.policy.action == "BLOCKED" and gen_ai.policy.confidence LIKE "HIGH" and gen_ai.compliance.violation_code LIKE "MISCONDUCT"
-| keep user.id
-| stats high_confidence_blocks = count() by user.id
-| where high_confidence_blocks > 5
-| sort high_confidence_blocks desc
+| MV_EXPAND gen_ai.policy.name
+| where gen_ai.policy.action == "BLOCKED" and gen_ai.policy.name == "content_policy" and gen_ai.policy.confidence LIKE "HIGH" and gen_ai.compliance.violation_code IN ("HATE", "MISCONDUCT", "SEXUAL", "INSULTS", "PROMPT_ATTACK", "VIOLENCE")
+| keep user.id, gen_ai.compliance.violation_code
+| stats block_count_per_violation = count() by user.id, gen_ai.compliance.violation_code
+| SORT block_count_per_violation DESC
+| keep user.id, gen_ai.compliance.violation_code, block_count_per_violation
+| STATS violation_count = SUM(block_count_per_violation) by user.id
+| WHERE violation_count > 5
+| SORT violation_count DESC
 '''
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
new file mode 100644
index 00000000000..a1436270fc1
--- /dev/null
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
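Review bot: The two-stage aggregation collapses to a plain per-user count: `STATS ... by user.id, gen_ai.compliance.violation_code` followed by `SUM(...) by user.id` yields exactly what `| stats violation_count = count() by user.id` would, the intermediate `SORT` and `keep` do no work, and the per-violation-code breakdown the first stage computes never reaches the alert. If that breakdown is wanted, carry it through, e.g. `| stats violation_count = count(), violation_codes = values(gen_ai.compliance.violation_code) by user.id`; otherwise simplify to the single `stats`. Separately, three independent `MV_EXPAND`s produce the Cartesian product of the expanded values for each invocation, so a single document carrying several violation codes, confidences or policy names contributes several rows and reaches `> 5` faster than the description suggests — worth confirming how many values these fields hold per invocation. `gen_ai.policy.confidence LIKE "HIGH"` has no wildcard and is just `== "HIGH"`.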
@@ -0,0 +1,89 @@ +[metadata] +creation_date = "2024/11/20" +maturity = "production" +updated_date = "2024/11/20" +min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" +min_stack_version = "8.13.0" + +[rule] +author = ["Elastic"] +description = """ +Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as 'sensitive_information_policy', +indicating persistent misuse or attempts to probe the model's denied topics. +""" +false_positives = ["New model deployments.", "Testing updates to compliance policies."] +from = "now-60m" +interval = "10m" +language = "esql" +license = "Elastic License v2" +name = "Unusual High Denied Sensitive Information Policy Blocks Detected" +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" +] +risk_score = 47 +rule_id = "0e1af929-42ed-4262-a846-55a7c54e7c84" +note = """## Triage and analysis + +### Investigating Amazon Bedrock Guardrail High Sensitive Information Policy Blocks. + +Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications. + +It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices. + +Through Guardrail, organizations can define "sensitive information filters" to prevent the model from generating content on specific, undesired subjects, +and they can establish thresholds for harmful content categories. + +#### Possible investigation steps + +- Identify the user account that queried sensitive information and whether it should perform this kind of action. 
+- Investigate other alerts associated with the user account during the past 48 hours. +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day? +- Examine the account's prompts and responses in the last 24 hours. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours. + +### False positive analysis + +- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services. + - Identify any regulatory or legal ramifications related to this activity. +- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" +setup = """## Setup + +This rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+ "Domain: LLM",
+ "Data Source: AWS Bedrock",
+ "Data Source: AWS S3",
+ "Use Case: Policy Violation",
+ "Mitre Atlas: T0051",
+ "Mitre Atlas: T0054",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+| MV_EXPAND gen_ai.policy.name
+| where gen_ai.policy.action == "BLOCKED" and gen_ai.compliance.violation_detected == "true" and gen_ai.policy.name == "sensitive_information_policy"
+| keep user.id
+| stats sensitive_information_block = count() by user.id
+| where sensitive_information_block > 5
+| sort sensitive_information_block desc
+'''
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
new file mode 100644
index 00000000000..a16d671f619
--- /dev/null
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
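Review bot: The filter `gen_ai.compliance.violation_detected == "true"` compares against a string literal; if the integration maps this field as a boolean the comparison should be `gen_ai.compliance.violation_detected == true` — confirm the mapping, since the content-filter rule touched in this same commit does not filter on the field at all. The rule carries a full triage guide in `note` but lacks the `"Resources: Investigation Guide"` tag that the guardrails rule added in this commit sets. The false-positive bullet says "queried denied topics", which is the topic-policy wording; for this rule it should read something like "whose prompts triggered sensitive information filters".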
@@ -0,0 +1,89 @@ +[metadata] +creation_date = "2024/11/20" +maturity = "production" +updated_date = "2024/11/20" +min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" +min_stack_version = "8.13.0" + +[rule] +author = ["Elastic"] +description = """ +Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as 'topic_policy', +indicating persistent misuse or attempts to probe the model's denied topics. +""" +false_positives = ["New model deployments.", "Testing updates to compliance policies."] +from = "now-60m" +interval = "10m" +language = "esql" +license = "Elastic License v2" +name = "Unusual High Denied Topic Blocks Detected" +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" +] +risk_score = 47 +rule_id = "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73" +note = """## Triage and analysis + +### Investigating Amazon Bedrock Guardrail High Denied Topic Blocks. + +Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications. + +It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices. + +Through Guardrail, organizations can define "denied topics" to prevent the model from generating content on specific, undesired subjects, +and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language. + +#### Possible investigation steps + +- Identify the user account that queried denied topics and whether it should perform this kind of action. 
+- Investigate other alerts associated with the user account during the past 48 hours. +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day? +- Examine the account's prompts and responses in the last 24 hours. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours. + +### False positive analysis + +- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services. + - Identify any regulatory or legal ramifications related to this activity. +- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" +setup = """## Setup + +This rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+ "Domain: LLM",
+ "Data Source: AWS Bedrock",
+ "Data Source: AWS S3",
+ "Use Case: Policy Violation",
+ "Mitre Atlas: T0051",
+ "Mitre Atlas: T0054",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+| MV_EXPAND gen_ai.policy.name
+| where gen_ai.policy.action == "BLOCKED" and gen_ai.compliance.violation_detected == "true" and gen_ai.policy.name == "topic_policy"
+| keep user.id
+| stats denied_topics = count() by user.id
+| where denied_topics > 5
+| sort denied_topics desc
+'''
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
new file mode 100644
index 00000000000..0dc9fb6dfb5
--- /dev/null
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
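Review bot: The `note` paragraph "they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language" describes content filters, not denied topics, and should be trimmed to the denied-topics sentence so the guide matches what `gen_ai.policy.name == "topic_policy"` selects. Like the other policy rules added here, the rule has a triage guide but no `"Resources: Investigation Guide"` tag. The `== "true"` string comparison on `gen_ai.compliance.violation_detected` should be checked against the field's mapping; a boolean field wants `== true`.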
@@ -0,0 +1,89 @@ +[metadata] +creation_date = "2024/11/20" +maturity = "production" +updated_date = "2024/11/20" +min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" +min_stack_version = "8.13.0" + +[rule] +author = ["Elastic"] +description = """ +Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as 'word_policy', +indicating persistent misuse or attempts to probe the model's denied topics. +""" +false_positives = ["New model deployments.", "Testing updates to compliance policies."] +from = "now-60m" +interval = "10m" +language = "esql" +license = "Elastic License v2" +name = "Unusual High Word Policy Blocks Detected" +references = [ + "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", + "https://atlas.mitre.org/techniques/AML.T0051", + "https://atlas.mitre.org/techniques/AML.T0054", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" +] +risk_score = 47 +rule_id = "3216949c-9300-4c53-b57a-221e364c6457" +note = """## Triage and analysis + +### Investigating Amazon Bedrock Guardrail High Word Policy Blocks. + +Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications. + +It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices. + +Through Guardrail, organizations can define "word filters" to prevent the model from generating content on profanity, undesired subjects, +and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language. + +#### Possible investigation steps + +- Identify the user account whose prompts contained profanity and whether it should perform this kind of action. 
+- Investigate other alerts associated with the user account during the past 48 hours. +- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day? +- Examine the account's prompts and responses in the last 24 hours. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours. + +### False positive analysis + +- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services. + - Identify any regulatory or legal ramifications related to this activity. +- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" +setup = """## Setup + +This rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+ "Domain: LLM",
+ "Data Source: AWS Bedrock",
+ "Data Source: AWS S3",
+ "Use Case: Policy Violation",
+ "Mitre Atlas: T0051",
+ "Mitre Atlas: T0054",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+| MV_EXPAND gen_ai.policy.name
+| where gen_ai.policy.action == "BLOCKED" and gen_ai.compliance.violation_detected == "true" and gen_ai.policy.name == "word_policy"
+| keep user.id
+| stats profanity_words= count() by user.id
+| where profanity_words > 5
+| sort profanity_words desc
+'''
diff --git a/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml b/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml
new file mode 100644
index 00000000000..8bb0b88fad1
--- /dev/null
+++ b/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml
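Review bot: The description says the blocks indicate "attempts to probe the model's denied topics", but this rule matches `word_policy` (word filters / profanity), and the false-positive bullet likewise says "queried denied topics" — both read as carried over from the topic-policy rule and should name word-filter blocks. `| stats profanity_words= count() by user.id` is missing the space before `=` that the sibling rules use. As with the sibling rules, the `"Resources: Investigation Guide"` tag is absent despite the triage guide in `note`, and `gen_ai.compliance.violation_detected == "true"` should match the field's mapped type (`== true` if it is boolean).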
@@ -0,0 +1,158 @@ +[metadata] +creation_date = "2024/12/11" +integration = ["azure"] +maturity = "production" +min_stack_comments = "ES|QL not available until 8.13.0 in technical preview." +min_stack_version = "8.13.0" +updated_date = "2024/12/11" + +[rule] +author = ["Elastic"] +description = """ +Identifies brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password +(TOTP) verification codes. This rule detects high frequency failed TOTP code attempts for a single user in a short +time-span. Adversaries with valid credentials, when attempting to login to Azure portal or other Azure services, may be +prompted to provide a TOTP code as part of the MFA process. If successful, adversaries can bypass MFA and gain +unauthorized access to Azure resources. +""" +false_positives = [ + """ + Based on the high-frequency threshold, it would be unlikely for a legitimate user to exceed the threshold for failed + TOTP code attempts in a short time-span. + """, +] +from = "now-9m" +language = "esql" +license = "Elastic License v2" +name = "Azure Entra MFA TOTP Brute Force Attempts" +note = """## Triage and Analysis + +### Investigating Azure Entra MFA TOTP Brute Force Attempts + +This rule detects high-frequency failed TOTP code attempts for a single user in a short time span. Such behavior could indicate an adversary attempting to bypass multi-factor authentication (MFA) protections using valid credentials. Understanding the context of the user's typical behavior and identifying anomalies in the log data are critical to determining the nature of the activity. + +#### Possible Investigation Steps: + +**Review the Source IP Address**: + - Check the `source.ip` or `azure.signinlogs.caller_ip_address` field. + - Determine if the IP address is associated with the user’s typical login locations. + - Look for unusual geographic patterns or anomalous IP addresses (e.g., proxies, VPNs, or locations outside the user’s normal activity). 
+ +**Analyze User Activity**: + - Identify the user from the `azure.signinlogs.properties.sign_in_identifier` field. + - Determine if the user is currently active from another device or session. Session hijacking could explain parallel activity with failed attempts. + - Review past logs for the user to determine whether MFA failures or other anomalies are consistent or new. + +**Inspect the Authentication Method**: + - Evaluate the `azure.signinlogs.properties.mfa_detail.auth_method` field: `OATH verification code`. + - Confirm if the user typically uses TOTP codes or another MFA method (e.g., push notifications). + - Verify if there are any recent changes to the user’s MFA settings that may explain multiple failed attempts. + +**Evaluate the User Agent**: + - Check the `user_agent.original` field. + - Identify if the user agent matches a typical browser or a potentially malicious script (e.g., Python-based). + - Look for deviations in operating system or browser versions from the user’s normal activity. + +**Analyze Conditional Access Policies**: + - Review the `azure.signinlogs.properties.applied_conditional_access_policies` for enforced grant controls. + - Verify if MFA failures are tied to legitimate security policies (`display_name: Require multifactor authentication for admins`). + +**Correlate with Other Events**: + - Search for other authentication attempts involving the same `azure.signinlogs.caller_ip_address`, `user_principal_name`, or `azure.signinlogs.properties.app_id`. + - Look for suspicious activity patterns, such as password resets, privilege escalation, or account lockouts. + + +#### False Positive Analysis: + +- **Unintentional User Behavior**: + - Verify if the failed attempts could result from the user’s unfamiliarity with TOTP codes or issues with device synchronization. + - Check if the user recently switched MFA methods or devices, which could explain multiple failures. 
+ - Determine if this is whitebox testing or a developer testing MFA integration. + +- **Administrative Actions**: + - Determine if the activity is related to legitimate administrative testing or configuration changes in the MFA system. + +#### Response and Remediation: + +- **Immediate Actions**: + - If proven malicious, lock the affected account temporarily to prevent further unauthorized attempts. + - Notify the user of suspicious activity and validate their access to the account. + - Reset passwords and MFA settings for the affected user to prevent unauthorized access while communicating with the user. + +- **Strengthen Authentication Policies**: + - Ensure conditional access policies are configured to monitor and restrict anomalous login behavior. + - Consider a different MFA method or additional security controls to prevent future bypass attempts. + +- **Monitor and Audit**: + - Implement additional monitoring to track high-frequency authentication failures across the environment. + - Audit historical logs for similar patterns involving other accounts to identify broader threats. + +- **Educate and Train Users**: + - Provide guidance on the secure use of MFA and the importance of recognizing and reporting suspicious activity. +""" +references = [ + "https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass", + "https://learn.microsoft.com/en-us/entra/identity/", + "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins", +] +risk_score = 47 +rule_id = "3fac01b2-b811-11ef-b25b-f661ea17fbce" +setup = """#### Required Azure Entra Sign-In Logs +This rule requires the Azure logs integration be enabled and configured to collect all logs, including sign-in logs from Entra. In Entra, sign-in logs must be enabled and streaming to the Event Hub used for the Azure logs integration. 
+"""
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Domain: SaaS",
+ "Data Source: Azure",
+ "Data Source: Entra ID",
+ "Data Source: Entra ID Sign-in",
+ "Use Case: Identity and Access Audit",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-azure.signinlogs* metadata _id, _version, _index
+| where
+ // filter for Entra Sign-In Logs
+ event.dataset == "azure.signinlogs"
+ and azure.signinlogs.operation_name == "Sign-in activity"
+
+ // filter for MFA attempts with OATH conditional access attempts or TOTP
+ and azure.signinlogs.properties.authentication_requirement == "multiFactorAuthentication"
+ and azure.signinlogs.properties.mfa_detail.auth_method == "OATH verification code"
+
+ // filter on failures only from brute-force attempts
+ and azure.signinlogs.properties.conditional_access_status == "failure"
+ and azure.signinlogs.result_description == "Authentication failed during strong authentication request."
+| keep azure.signinlogs.properties.sign_in_identifier
+| stats
+ // aggregate by the sign-in account or principal
+ failed_totp_code_attempts = count(*) by azure.signinlogs.properties.sign_in_identifier
+| where
+ // filter on high frequency for a single user
+ failed_totp_code_attempts > 30
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
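Review bot: The triage guide tells the analyst to check `source.ip`/`azure.signinlogs.caller_ip_address`, `user_agent.original` and the applied conditional-access policies, but `| keep azure.signinlogs.properties.sign_in_identifier` drops all of them before the aggregation, so the alert row carries only the identifier and the count. Carrying the pivots through the stats — `failed_totp_code_attempts = count(*), source_ips = values(source.ip), user_agents = values(user_agent.original) by azure.signinlogs.properties.sign_in_identifier`, with the `keep` retaining those fields — gives the analyst that context without a second query. No `interval` is set, so the `now-9m` lookback is paired with whatever the default rule interval is; state it explicitly so the 30-failure threshold has a defined window. The sub-technique is T1110.001 Password Guessing while what is guessed here is a TOTP code; the parent T1110 alone may be the more accurate mapping.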
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 8766f39fcf6..da1197ef7a0 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/05"
 [rule]
 author = ["Elastic"]
@@ -87,8 +87,8 @@ query = '''
 event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
 (
 azure.activitylogs.operation_name:"Consent to application" or
- azure.auditlogs.operation_name:"Consent to application" or
- o365.audit.Operation:"Consent to application."
+ azure.auditlogs.operation_name:"Consent to application" or
+ event.action:"Consent to application."
 ) and event.outcome:(Success or success)
 '''
diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
index c88abb7995e..e47f9f8b57e 100644
--- a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
+++ b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
@@ -49,7 +49,6 @@ Files are scanned on write or deletion, process executables are scanned on execu
 - Other endpoint security vendors especially with their quarantine folders.
 - Dynamically generated or compiled executables such as from csc.exe or other compilers. Due to the dynamic nature, each instance will likely have a unique hash and no signer
-
 ### Response and Remediation
 - Initiate the incident response process based on the outcome of the triage.
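Review bot: The new `event.action:"Consent to application."` clause in the consent-grant query is no longer scoped to the o365 dataset the way the removed `o365.audit.Operation` clause was, so it is now evaluated against all three datasets named in the `event.dataset` filter; if the Azure datasets also copy their operation name into ECS `event.action` the rule still fires only on consent events, but the reason for the field switch is not recorded anywhere in the commit. The GitHub and Okta rules in this same change record their integration changes in `min_stack_comments`, while this file only bumps `updated_date`; if the o365 integration started populating `event.action` with this value in a specific release, that constraint belongs in the same field. The trailing period in "Consent to application." is the only thing distinguishing the o365 value from the Azure ones, so the rule's `note` (outside this hunk) should say that `event.action` carries the o365 `Operation` value.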
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
index d0846202bfb..9b43b940301 100644
--- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-configuration where event.dataset == "github.audit"
+configuration where event.dataset == "github.audit" and github.category == "protected_branch" and event.type == "change"
 '''
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
index 70c770e0e3e..7bced445fa9 100644
--- a/rules/integrations/github/execution_github_app_deleted.toml
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
index 08b5c096605..1d14e096df7 100644
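Review bot: The added `github.category == "protected_branch" and event.type == "change"` predicate is what the 8.13.0 bump is for, yet neither the hunk nor `min_stack_comments` says which integration change introduced `github.category`, so the generic "Breaking change at 8.13.0 for the Github Integration." comment does not tell a maintainer why this query cannot run on 8.12; I would make it specific, e.g. `min_stack_comments = "Breaking change at 8.13.0 for the Github Integration: the query relies on github.category and event.type."`. The same generic comment is repeated in execution_github_app_deleted, execution_github_high_number_of_cloned_repos_from_pat, execution_github_ueba_multiple_behavior_alerts_from_account, execution_new_github_app_installed, impact_github_repository_deleted, persistence_github_org_owner_added and persistence_organization_owner_role_granted, although only this rule and impact_github_repository_deleted change their query logic. I cannot confirm from the diff that `github.category` is populated for protected-branch audit events by the 8.13.0 pipeline, so that should be checked against the integration's field mapping before release.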
--- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
@@ -31,8 +31,8 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
-github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
+event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
 github.repository_public:false
 '''
diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
index b055bbe42af..aeefde947c4 100644
--- a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
+++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2023/12/14"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
index 57d22e5c037..10754ac939c 100644
--- a/rules/integrations/github/execution_new_github_app_installed.toml
+++ b/rules/integrations/github/execution_new_github_app_installed.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml
index 287db18a7c2..da383c6b1d6 100644
--- a/rules/integrations/github/impact_github_repository_deleted.toml
+++ b/rules/integrations/github/impact_github_repository_deleted.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-configuration where event.module == "github" and event.action == "repo.destroy"
+configuration where event.module == "github" and event.dataset == "github.audit" and event.action == "repo.destroy"
 '''
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
index 124fd92d323..3046b5e72be 100644
--- a/rules/integrations/github/persistence_github_org_owner_added.toml
+++ b/rules/integrations/github/persistence_github_org_owner_added.toml
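Review bot: The repository-deleted query keeps `event.module == "github"` alongside the added `event.dataset == "github.audit"`, while the protected-branch rule in this same change selects on `event.dataset` alone; once the dataset is pinned the module test is redundant, and the two rules would read consistently as `configuration where event.dataset == "github.audit" and event.action == "repo.destroy"`. If `event.module` is intentionally retained for compatibility with older integration versions, a sentence saying so in `min_stack_comments` would stop the next cleanup from removing it.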
@@ -2,9 +2,9 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml
index 79661548925..fae3507ce48 100644
--- a/rules/integrations/github/persistence_organization_owner_role_granted.toml
+++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 25f813764a4..1770c2048f7 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 41fc653de0f..f32685c206e 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
index 4720f87e525..bef0fbeec1c 100644
--- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
+++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
index 85a526210bf..42472c51c66 100644
--- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
+++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/11/27"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+min_stack_version = "8.15.0"
+updated_date = "2024/12/09"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
index 60db47af6d3..3b118d936c5 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/11/27"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+min_stack_version = "8.15.0"
+updated_date = "2024/12/09"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
index 516d6309b77..0f89ea844ff 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/11/27"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+min_stack_version = "8.15.0"
+updated_date = "2024/12/09"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index a221d291841..c98a8ef41d7 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index 71c0ac2de36..842d8fcac81 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
index 58407a95f08..b7192bba621 100644
--- a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
+++ b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/11/27"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+min_stack_version = "8.15.0"
+updated_date = "2024/12/09"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
index 9dffe4995e6..08bbd737342 100644
--- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index e10764d06e5..d9e191398dc 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index a393b4768d0..0830aefec4e 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 3c7dc064394..864ddf69f29 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
index 1bcd9cf4991..7feaeba1c62 100644
--- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
+++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/11"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index 66bba3713e4..5e2252f7d7f 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index 34e3219b7d6..01a7abedc81 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index 05dafd11bad..466d26faf82 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index 55872118829..3de8db3c817 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 2dd141efcc8..65d4b557659 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index 981b9cb1840..c5160d23933 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index 3c5a20608a0..d77631d5d89 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 5f1998261a0..bb2ca0b61da 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index d2646e6596f..bcaec277d8a 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index 82bd4f14fc3..8a5c7a5a910 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index 58a590154ed..816c943f532 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 5b7b92872dd..79b5c489099 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 7864c704eb2..6300d7e24df 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index f68d2784119..b3bfe959584 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
index ac5998271b5..3db6e919e6f 100644
--- a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
+++ b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
index f3b4e496633..7b3bfb33839 100644
--- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
+++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/05/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 6c45202679d..1dcfb9ddfb6 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -2,9 +2,9 @@
 creation_date = "2021/05/14"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
index f9efde51504..0eda4dd19c6 100644
--- a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
+++ b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/11/27"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+min_stack_version = "8.15.0"
+updated_date = "2024/12/09"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index bf4051a5f23..7a76c2ed1e6 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
index 0cd943dc369..2da36ae59b4 100644
--- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
+++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/10/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 296376af7ba..12c7bfaf265 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index e12e60de510..df9e1757100 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
index 795b1d799f2..1b44c0779b2 100644
--- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
+++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
@@ -3,9 +3,9 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
 promotion = true
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 5347d0411a6..0260f558495 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 84a97457a26..65649731dde 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index e7e70c32b17..babed655d21 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index a07e9b1a236..a615d4a5740 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
index 096f3a12b77..0dcc92b337c 100644
--- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
index de6588f3a8c..7e5928c730b 100644
--- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
+++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index 428a0f1902f..7373dae2b31 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/01"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index e44251b069c..91fdc0a6283 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
index bffea1c2af9..c5e85063fdc 100644
--- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
+++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/10/17"
+min_stack_version = "8.16.0"
+min_stack_comments = "Breaking change at 8.16.0 for the Endpoint Integration with respect to ecs field process.group.id"
+updated_date = "2024/12/10"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
index 83436532a85..ce6f74cdf9b 100644
--- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
+++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/07/31"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_version = "8.16.0"
+min_stack_comments = "Breaking change at 8.16.0 for the Endpoint Integration with respect to ecs field process.group.id"
+updated_date = "2024/12/10"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_high_volume_of_pbpaste.toml b/rules/macos/credential_access_high_volume_of_pbpaste.toml
index da9ef6501af..47d760866d1 100644
--- a/rules/macos/credential_access_high_volume_of_pbpaste.toml
+++ b/rules/macos/credential_access_high_volume_of_pbpaste.toml
@@ -2,17 +2,15 @@ creation_date = "2024/09/12" integration = ["endpoint", "jamf_protect"] maturity = "production" -min_stack_comments = "The jamf integration is available for stack versions 8.12 and above" -min_stack_version = "8.12.0" -updated_date = "2024/09/12" +updated_date = "2024/12/09" [transform] [[transform.investigate]] label = "Show events having the same responsible process" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"}, - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string" } ] ] 
@@ -20,24 +18,23 @@ providers = [ label = "Show events having the same parent process" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"}, - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" } ] ] + [rule] author = ["Thijs Xhaflaire"] description = """ -Identifies a high volume of `pbpaste` executions, which may indicate a bash loop continuously collecting clipboard contents, potentially allowing an attacker to harvest user credentials or other sensitive information. +Identifies a high volume of `pbpaste` executions, which may indicate a bash loop continuously collecting clipboard +contents, potentially allowing an attacker to harvest user credentials or other sensitive information. """ from = "now-9m" index = ["logs-jamf_protect*", "logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Suspicious pbpaste High Volume Activity" -references = [ - "https://www.loobins.io/binaries/pbpaste/" -] note = """## Triage and analysis To investigate `pbpaste` activity, focus on determining whether the binary is being used maliciously to collect clipboard data. Follow these steps: @@ -69,6 +66,7 @@ To investigate `pbpaste` activity, focus on determining whether the binary is be By thoroughly investigating these aspects of `pbpaste` activity, you can determine whether this is part of a legitimate process or a potential security threat that needs to be addressed. """ +references = ["https://www.loobins.io/binaries/pbpaste/"] risk_score = 47 rule_id = "e29599ee-d6ad-46a9-9c6a-dc39f361890d" setup = """## Setup 
@@ -96,7 +94,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Jamf Protect", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -115,7 +113,6 @@ name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/macos/privilege_escalation_user_added_to_admin_group.toml b/rules/macos/privilege_escalation_user_added_to_admin_group.toml index 09db6531e56..a6e67c46a4c 100644 --- a/rules/macos/privilege_escalation_user_added_to_admin_group.toml +++ b/rules/macos/privilege_escalation_user_added_to_admin_group.toml 
@@ -2,27 +2,25 @@ creation_date = "2024/09/12" integration = ["jamf_protect"] maturity = "production" -min_stack_comments = "The jamf integration is available for stack versions 8.12 and above" -min_stack_version = "8.12.0" -updated_date = "2024/09/12" +updated_date = "2024/12/09" [transform] [[transform.investigate]] label = "Show events after Privilege Escalation" -relativeFrom = "now" -relativeTo = "now+30m" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" } ] ] +relativeFrom = "now" +relativeTo = "now+30m" [[transform.investigate]] label = "Show events having the same reponsible process" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"}, - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string" } ] ] 
@@ -30,26 +28,20 @@ providers = [ label = "Show events having the same parent process" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"}, - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" } ] ] + [rule] author = ["Thijs Xhaflaire"] -description = """ -Identifies users being added to the admin group. This could be an indication of privilege -escalation activity. -""" +description = "Identifies users being added to the admin group. This could be an indication of privilege\nescalation activity.\n" from = "now-9m" index = ["logs-jamf_protect*"] language = "eql" license = "Elastic License v2" name = "User Added to the Admin Group" -references = [ - "https://www.loobins.io/binaries/dscl/", - "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" -] note = """## Triage and analysis To thoroughly investigate the actions that occurred **after a user was elevated to administrator**, it's essential to conduct a search on the Timeline. This allows you to review and understand the sequence of events that followed the elevation, helping to identify any potentially malicious or unauthorized activities that might have taken place. **Analyzing these actions is crucial for maintaining security and ensuring that the elevation was not exploited for harmful purposes.** 
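Review bot: The rule description is now a single-line string with embedded `\n` escapes, `description = "Identifies users being added to the admin group. This could be an indication of privilege\nescalation activity.\n"`, which is harder to read and edit than the triple-quoted block it replaces. It is also inconsistent with the pbpaste rule in this same commit, whose description stayed a `"""` block and was only re-wrapped at the line limit. If the formatter emits this form because the original second line was short, keep the `"""` form and re-wrap the two lines (or join them into one) so the metadata stays readable and the two rules are serialized the same way. The `[rule]` table continues past the end of the hunk.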
@@ -67,6 +59,10 @@ $investigate_0
 $investigate_1
 $investigate_2
 """
+references = [
+ "https://www.loobins.io/binaries/dscl/",
+ "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/",
+]
 risk_score = 21
 rule_id = "04e65517-16e9-4fc4-b7f1-94dc21ecea0d"
 setup = """## Setup
diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml
index 37de0f6519c..e8ab2101ae1 100644
--- a/rules_building_block/execution_github_new_event_action_for_pat.toml
+++ b/rules_building_block/execution_github_new_event_action_for_pat.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
index 21b0dea9192..af1fe749b4a 100644
--- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
+++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
index 7a9ad1b8d54..5aabab32d3c 100644
--- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml
+++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml
index ce5bbee58ce..40ab0a8d88b 100644
--- a/rules_building_block/execution_github_repo_created.toml
+++ b/rules_building_block/execution_github_repo_created.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
index 41e8f17b7c2..46e625fe8c3 100644
--- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
+++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml
index 72a10f4947e..7153494eaa4 100644
--- a/rules_building_block/impact_github_member_removed_from_organization.toml
+++ b/rules_building_block/impact_github_member_removed_from_organization.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml
index ebe23150035..4dd48492420 100644
--- a/rules_building_block/impact_github_pat_access_revoked.toml
+++ b/rules_building_block/impact_github_pat_access_revoked.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml
index d3ef0921de1..60fb77cb60d 100644
--- a/rules_building_block/impact_github_user_blocked_from_organization.toml
+++ b/rules_building_block/impact_github_user_blocked_from_organization.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
index 329431414b5..173fa693fb1 100644
--- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
+++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_user.toml b/rules_building_block/initial_access_github_new_ip_address_for_user.toml
index 6c88eb70515..b9e80d855c5 100644
--- a/rules_building_block/initial_access_github_new_ip_address_for_user.toml
+++ b/rules_building_block/initial_access_github_new_ip_address_for_user.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
index d9f5e827a5a..de9956f7246 100644
--- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
+++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_user.toml b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
index 80920b39d18..15d3b4dfcf7 100644
--- a/rules_building_block/initial_access_github_new_user_agent_for_user.toml
+++ b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml
index 40f71ba31f9..1e6f93f050b 100644
--- a/rules_building_block/persistence_github_new_pat_for_user.toml
+++ b/rules_building_block/persistence_github_new_pat_for_user.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml
index d8d802bb285..70bec844ae0 100644
--- a/rules_building_block/persistence_github_new_user_added_to_organization.toml
+++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml
@@ -3,9 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.12.0"
-min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/tests/test_python_library.py b/tests/test_python_library.py
index c82f4349253..3d0ab8b09b6 100644
--- a/tests/test_python_library.py
+++ b/tests/test_python_library.py
@@ -55,7 +55,7 @@ def test_eql_in_set(self):
 """,
 },
 }
-expected_error_message = r"Error in both stack and integrations checks:.*Unable to compare ip to string.*"
+expected_error_message = r"Error in both stack and integrations checks"
 with self.assertRaisesRegex(ValueError, expected_error_message):
 rc.load_dict(eql_rule)
 # Change to appropriate destination.address field
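Review bot: Dropping the `Unable to compare ip to string` fragment from `expected_error_message` leaves the assertion matching any combined stack/integrations failure, so the test no longer proves that the ip-versus-string type check is the reason `load_dict` rejects `eql_rule`, and a regression in that check could hide behind an unrelated validation error. If the inner wording changed across the supported schema versions, keep a fragment that is stable on all of them rather than none, e.g. `expected_error_message = r"Error in both stack and integrations checks:.*ip.*string"`, or capture the raised `ValueError` and assert on the cause in a second step. test_eql_in_set and the `eql_rule` fixture it loads start before the hunk.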