diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py index 54eadd542fa..570d331b44d 100644 --- a/detection_rules/devtools.py +++ b/detection_rules/devtools.py @@ -637,6 +637,32 @@ def license_check(ctx, ignore_directory): ctx.exit(int(failed)) +@dev_group.command('test-version-lock') +@click.argument('branches', nargs=-1, required=True) +@click.option('--remote', '-r', default='origin', help='Override the remote from "origin"') +def test_version_lock(branches: tuple, remote: str): + """Simulate the incremental step in the version locking to find version change violations.""" + git = utils.make_git('-C', '.') + current_branch = git('rev-parse', '--abbrev-ref', 'HEAD') + + try: + click.echo(f'iterating lock process for branches: {branches}') + for branch in branches: + click.echo(branch) + git('checkout', f'{remote}/{branch}') + subprocess.check_call(['python', '-m', 'detection_rules', 'dev', 'build-release', '-u']) + + finally: + diff = git('--no-pager', 'diff', get_etc_path('version.lock.json')) + outfile = Path(get_path()).joinpath('lock-diff.txt') + outfile.write_text(diff) + click.echo(f'diff saved to {outfile}') + + click.echo('reverting changes in version.lock') + git('checkout', '-f') + git('checkout', current_branch) + + @dev_group.command('package-stats') @click.option('--token', '-t', help='GitHub token to search API authenticated (may exceed threshold without auth)') @click.option('--threads', default=50, help='Number of threads to download rules from GitHub') diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index db7bbc894f7..5af530de841 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json 
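Review bot: The unconditional `git('checkout', '-f')` in the `finally` block of `test_version_lock` resets every tracked file in the working tree, so any uncommitted local edits the user had before running the command are discarded together with the build's changes to version.lock.json, and the earlier `git('checkout', f'{remote}/{branch}')` is itself unreliable on a dirty tree. Guard the command with a clean-tree precondition before the first checkout, e.g. `if git('status', '--porcelain'): raise click.ClickException('working tree must be clean before running test-version-lock')` (assuming `utils.make_git` returns stdout, as the `rev-parse` call implies). Note also that `git rev-parse --abbrev-ref HEAD` yields the literal `HEAD` on a detached checkout, so the closing `git('checkout', current_branch)` would not return to the starting commit in that case; falling back to `git('rev-parse', 'HEAD')` when the result is `HEAD` covers it. Separately, `subprocess.check_call(['python', ...])` runs whatever `python` is first on PATH rather than the interpreter executing this command, so `sys.executable` is the safer choice (adding the `sys` import if the module lacks it). The docstring should state that the command checks out remote branches and force-resets the working tree, since that is a destructive side effect a caller would not expect from a "test" command.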
@@ -1,10682 +1,11383 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "fc9d05639917fdd13a3a474200a618648fe3dbd6fbc059714179e692544d1354", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "dedf2a77f86a3ecebeba40e8a1f54e713510e09384f2ca228c8adb9cc6322490", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "fc9d05639917fdd13a3a474200a618648fe3dbd6fbc059714179e692544d1354", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "dedf2a77f86a3ecebeba40e8a1f54e713510e09384f2ca228c8adb9cc6322490", + "type": "query", + "version": 100 }, "00140285-b827-4aee-aa09-8113f58a08f3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "29906b5a42e6ac00b7559596f5c5327de6ca290d9877eb26efb0e61575b5c5e3", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Potential Credential Access via Windows Utilities", - "sha256": "757389a394cb78e03e5c5f4b3cd9410b864d294df7110135dad17b7c13c3f771", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Credential Access via Windows Utilities", + "sha256": "29906b5a42e6ac00b7559596f5c5327de6ca290d9877eb26efb0e61575b5c5e3", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Potential Credential Access via Windows Utilities", + "sha256": "757389a394cb78e03e5c5f4b3cd9410b864d294df7110135dad17b7c13c3f771", + "type": "eql", + "version": 100 }, "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "System Shells via Services", 
- "sha256": "5aff2208b89b678394ce6b10523f8a94b9b0f4040e3c3ab34d1fb21eb93b84bc", - "type": "eql", - "version": 15 - } - }, - "rule_name": "System Shells via Services", - "sha256": "f5fca5544409efa9be726ca0e0b1efcc9802cbd29a2890e2f612f30655bc5597", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "System Shells via Services", + "sha256": "5aff2208b89b678394ce6b10523f8a94b9b0f4040e3c3ab34d1fb21eb93b84bc", + "type": "eql", + "version": 15 + } + }, + "rule_name": "System Shells via Services", + "sha256": "f5fca5544409efa9be726ca0e0b1efcc9802cbd29a2890e2f612f30655bc5597", + "type": "eql", + "version": 100 }, "0136b315-b566-482f-866c-1d8e2477ba16": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "c72d8f82f106bf83eb7d5f9d25f896f0ed189396d6e2d1c852d98474a64beb90", - "type": "query", - "version": 5 - } - }, - "rule_name": "Microsoft 365 User Restricted from Sending Email", - "sha256": "e9e1b5a4251f0147cfd30074afa7a9cd6b88518af2163ff18c40fa4f156203c7", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 User Restricted from Sending Email", + "sha256": "c72d8f82f106bf83eb7d5f9d25f896f0ed189396d6e2d1c852d98474a64beb90", + "type": "query", + "version": 5 + } + }, + "rule_name": "Microsoft 365 User Restricted from Sending Email", + "sha256": "e9e1b5a4251f0147cfd30074afa7a9cd6b88518af2163ff18c40fa4f156203c7", + "type": "query", + "version": 100 }, "015cca13-8832-49ac-a01b-a396114809f6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Redshift Cluster Creation", - "sha256": "eb3736cefa46a5dcce1de0ed5fa67788a24a1b819b872293ce195cdd9010cef3", - "type": "query", - "version": 4 - } - }, - "rule_name": "AWS Redshift Cluster Creation", - "sha256": 
"77073d8d75f01751ef31afeb74cef13a1aa5fd817622767399143a4a9e32b788", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Redshift Cluster Creation", + "sha256": "eb3736cefa46a5dcce1de0ed5fa67788a24a1b819b872293ce195cdd9010cef3", + "type": "query", + "version": 4 + } + }, + "rule_name": "AWS Redshift Cluster Creation", + "sha256": "77073d8d75f01751ef31afeb74cef13a1aa5fd817622767399143a4a9e32b788", + "type": "query", + "version": 100 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "a93161f8d12b12b14db50925d087ef2adf59daafde9fea16c12c215165b50a87", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential Cookies Theft via Browser Debugging", - "sha256": "f7b2c8b4dbc662b7655d6a22c185a96ded676dfb7bbd01ba1387a147cf49c877", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Cookies Theft via Browser Debugging", + "sha256": "a93161f8d12b12b14db50925d087ef2adf59daafde9fea16c12c215165b50a87", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential Cookies Theft via Browser Debugging", + "sha256": "f7b2c8b4dbc662b7655d6a22c185a96ded676dfb7bbd01ba1387a147cf49c877", + "type": "eql", + "version": 100 }, "02a4576a-7480-4284-9327-548a806b5e48": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "546acb2fcf58eef7251c6c37a89278982183bacaa6fdc0fa8d92e496263fcf67", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", - "sha256": "b1de0af156bfc3f36a6e07bfd27aeeea26c2fc55324cef750b6b1795d5ec28eb", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + 
"max_allowable_version": 99, + "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", + "sha256": "546acb2fcf58eef7251c6c37a89278982183bacaa6fdc0fa8d92e496263fcf67", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", + "sha256": "b1de0af156bfc3f36a6e07bfd27aeeea26c2fc55324cef750b6b1795d5ec28eb", + "type": "eql", + "version": 100 }, "02ea4563-ec10-4974-b7de-12e65aa4f9b3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "a2f14309ddc0b7a13f7b019b2b7350407d2752ab0df9f8665af61bc332727e40", - "type": "query", - "version": 3 - } - }, - "rule_name": "Dumping Account Hashes via Built-In Commands", - "sha256": "520a5314864e727b87f4d29ec56a032097bc82fdbda532df5acdb01f02584c73", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Dumping Account Hashes via Built-In Commands", + "sha256": "a2f14309ddc0b7a13f7b019b2b7350407d2752ab0df9f8665af61bc332727e40", + "type": "query", + "version": 3 + } + }, + "rule_name": "Dumping Account Hashes via Built-In Commands", + "sha256": "520a5314864e727b87f4d29ec56a032097bc82fdbda532df5acdb01f02584c73", + "type": "query", + "version": 100 }, "03024bd9-d23f-4ec1-8674-3cf1a21e130b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "4a340d1fec5675d9dfc9c013617fefe21a1a261c35a09dd54144b47d385c4c59", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", - "sha256": "da3bc7996bc722d2de60aae61f129bd3bd430f64ca4c1864d1a6169fd2489769", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "sha256": 
"4a340d1fec5675d9dfc9c013617fefe21a1a261c35a09dd54144b47d385c4c59", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", + "sha256": "da3bc7996bc722d2de60aae61f129bd3bd430f64ca4c1864d1a6169fd2489769", + "type": "query", + "version": 100 }, "035889c4-2686-4583-a7df-67f89c292f2c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "502568bda8a45463938048cbebfd2f4b7ebdc9c42d21fb2f5909d98b4b9e8de0", - "type": "threshold", - "version": 7 - } - }, - "rule_name": "High Number of Process and/or Service Terminations", - "sha256": "55455b766db2b90dcbc598a0b7474a3c2b226fcb1d6d03b9f6fe4e80fe170ac4", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "High Number of Process and/or Service Terminations", + "sha256": "502568bda8a45463938048cbebfd2f4b7ebdc9c42d21fb2f5909d98b4b9e8de0", + "type": "threshold", + "version": 7 + } + }, + "rule_name": "High Number of Process and/or Service Terminations", + "sha256": "55455b766db2b90dcbc598a0b7474a3c2b226fcb1d6d03b9f6fe4e80fe170ac4", + "type": "threshold", + "version": 100 }, "0415f22a-2336-45fa-ba07-618a5942e22c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Modification of OpenSSH Binaries", - "sha256": "da887bc33601673a5a00749d1953a98ee66c546948e91f8e746a90e08fa4c049", - "type": "query", - "version": 4 - } - }, - "rule_name": "Modification of OpenSSH Binaries", - "sha256": "89a0895fd018a0cea6c1021f440e565af1bf0442862baf321221bdd278fb133d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Modification of OpenSSH Binaries", + "sha256": "da887bc33601673a5a00749d1953a98ee66c546948e91f8e746a90e08fa4c049", + "type": "query", + "version": 4 + } + }, + "rule_name": "Modification of 
OpenSSH Binaries", + "sha256": "89a0895fd018a0cea6c1021f440e565af1bf0442862baf321221bdd278fb133d", + "type": "query", + "version": 100 }, "041d4d41-9589-43e2-ba13-5680af75ebc2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential DNS Tunneling via Iodine", - "sha256": "96319d6e8c7e83a6a43aa136270b48ca5bb2f42597e4b2ff315f51a5d3a9647e", - "type": "query", - "version": 10 - } - }, - "rule_name": "Potential DNS Tunneling via Iodine", - "sha256": "36645bca56ad02f128b2c33ccba12fcb05836968e9316539cff9f2446760fd62", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential DNS Tunneling via Iodine", + "sha256": "96319d6e8c7e83a6a43aa136270b48ca5bb2f42597e4b2ff315f51a5d3a9647e", + "type": "query", + "version": 10 + } + }, + "rule_name": "Potential DNS Tunneling via Iodine", + "sha256": "36645bca56ad02f128b2c33ccba12fcb05836968e9316539cff9f2446760fd62", + "type": "query", + "version": 100 }, "04c5a96f-19c5-44fd-9571-a0b033f9086f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure AD Global Administrator Role Assigned", - "sha256": "408b65909c88e865f1a0887596f07f4b24a11e39935e929a2c1d3bb91aac1475", - "type": "query", - "version": 5 - } - }, - "rule_name": "Azure AD Global Administrator Role Assigned", - "sha256": "abb80aa2836f715afa34004e9b29a77a38c6bc1e65c576ab21b479e0a638245b", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure AD Global Administrator Role Assigned", + "sha256": "408b65909c88e865f1a0887596f07f4b24a11e39935e929a2c1d3bb91aac1475", + "type": "query", + "version": 5 + } + }, + "rule_name": "Azure AD Global Administrator Role Assigned", + "sha256": "abb80aa2836f715afa34004e9b29a77a38c6bc1e65c576ab21b479e0a638245b", + "type": "query", + "version": 100 }, "053a0387-f3b5-4ba5-8245-8002cca2bd08": { - 
"min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "de34faf4f96a549763f00c82b808b22856e14f4190971cb78e017e2d7eccd5c8", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", - "sha256": "09547c03e6129c7949f7f3416adf014489344d5f43d4090c9235bee2730437b1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", + "sha256": "de34faf4f96a549763f00c82b808b22856e14f4190971cb78e017e2d7eccd5c8", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", + "sha256": "09547c03e6129c7949f7f3416adf014489344d5f43d4090c9235bee2730437b1", + "type": "eql", + "version": 100 }, "0564fb9d-90b9-4234-a411-82a546dc1343": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "a2d10a32b4853413485f5f6915fdcf4c3cdb89c73effacb1ce4f3a76b763ee71", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Microsoft IIS Service Account Password Dumped", - "sha256": "9a71367ce47f6c9a0a69120cf743a61e12ffb4619cdc3e785fa76d2639853d1a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft IIS Service Account Password Dumped", + "sha256": "a2d10a32b4853413485f5f6915fdcf4c3cdb89c73effacb1ce4f3a76b763ee71", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Microsoft IIS Service Account Password Dumped", + "sha256": "9a71367ce47f6c9a0a69120cf743a61e12ffb4619cdc3e785fa76d2639853d1a", + "type": "eql", + "version": 100 }, "05b358de-aa6d-4f6c-89e6-78f74018b43b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - 
"rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "23a86a0bf2473481c76378774eccb40698f45db12ad58515d161e5245bf8cfe7", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Conhost Spawned By Suspicious Parent Process", - "sha256": "778153c9cbb4e140ee288ddea3f425a7b2d00771e7cb4f28d9a9d2f65df0d364", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Conhost Spawned By Suspicious Parent Process", + "sha256": "23a86a0bf2473481c76378774eccb40698f45db12ad58515d161e5245bf8cfe7", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Conhost Spawned By Suspicious Parent Process", + "sha256": "778153c9cbb4e140ee288ddea3f425a7b2d00771e7cb4f28d9a9d2f65df0d364", + "type": "eql", + "version": 100 }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "3f61f0f688bfc61699356e5e7f4973cd0b8836b77900f752f3eca5ea477681ba", - "type": "query", - "version": 8 - } - }, - "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "14216eab6a7b7da3a481da0958407b9c094d4b7397d8893010ab7328ab9080fe", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Interactive Terminal Spawned via Perl", + "sha256": "3f61f0f688bfc61699356e5e7f4973cd0b8836b77900f752f3eca5ea477681ba", + "type": "query", + "version": 8 + } + }, + "rule_name": "Interactive Terminal Spawned via Perl", + "sha256": "14216eab6a7b7da3a481da0958407b9c094d4b7397d8893010ab7328ab9080fe", + "type": "query", + "version": 100 }, "0635c542-1b96-4335-9b47-126582d2c19a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote System Discovery Commands", - "sha256": "1b9982c0a4942993c1bf78121bf735580c62c1fdc406e1ff3ee3e37eee78737c", - "type": "eql", - "version": 8 - } - }, - "rule_name": 
"Remote System Discovery Commands", - "sha256": "a7de1002d6f143e3652830157f48a969010b4f7702d3c4cb6b40b3b920e438d7", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote System Discovery Commands", + "sha256": "1b9982c0a4942993c1bf78121bf735580c62c1fdc406e1ff3ee3e37eee78737c", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Remote System Discovery Commands", + "sha256": "a7de1002d6f143e3652830157f48a969010b4f7702d3c4cb6b40b3b920e438d7", + "type": "eql", + "version": 100 }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Evasion via Filter Manager", - "sha256": "04e0ff561e9cf8e25c144701cc06935d7771c3f428c622d0f58378374eb93d4f", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Potential Evasion via Filter Manager", - "sha256": "7bacbeef7e30a296210ae47a4d89084c9a061c575961862466dac562a92ad356", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Evasion via Filter Manager", + "sha256": "04e0ff561e9cf8e25c144701cc06935d7771c3f428c622d0f58378374eb93d4f", + "type": "eql", + "version": 12 + } + }, + "rule_name": "Potential Evasion via Filter Manager", + "sha256": "7bacbeef7e30a296210ae47a4d89084c9a061c575961862466dac562a92ad356", + "type": "eql", + "version": 100 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "d362fd4092ce222911f1e61fbfbc4b8bb7f5e6d04ea3df0bd31eaeedfaf2006b", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", - "sha256": "bf0429e76fb9c1db6f809649d079add564548ab3be0cde7b59b0927794bb0535", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + 
"max_allowable_version": 99, + "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", + "sha256": "d362fd4092ce222911f1e61fbfbc4b8bb7f5e6d04ea3df0bd31eaeedfaf2006b", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", + "sha256": "bf0429e76fb9c1db6f809649d079add564548ab3be0cde7b59b0927794bb0535", + "type": "eql", + "version": 100 }, "080bc66a-5d56-4d1f-8071-817671716db9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Browser Child Process", - "sha256": "dc49030353809caf15787143903515263c46d7ff699e8bed72b0e1a145e8cabb", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Suspicious Browser Child Process", - "sha256": "c8c015dfbd167f48a9a60a5d31563d4ed0978ec3f582dccf4ed59afaaefc6058", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Browser Child Process", + "sha256": "dc49030353809caf15787143903515263c46d7ff699e8bed72b0e1a145e8cabb", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Suspicious Browser Child Process", + "sha256": "c8c015dfbd167f48a9a60a5d31563d4ed0978ec3f582dccf4ed59afaaefc6058", + "type": "eql", + "version": 100 }, "082e3f8c-6f80-485c-91eb-5b112cb79b28": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "7147dbd3f68475c0087ebb6aabbc2b86ebbe5be53eed996c4499c4b12a6efc21", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Launch Agent Creation or Modification and Immediate Loading", - "sha256": "c7b60d3111264b0bd216dd71abd5062c076fb8fb6afd8523f67d6a81b4b8133f", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Launch Agent Creation or Modification and Immediate Loading", + "sha256": 
"7147dbd3f68475c0087ebb6aabbc2b86ebbe5be53eed996c4499c4b12a6efc21", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Launch Agent Creation or Modification and Immediate Loading", + "sha256": "c7b60d3111264b0bd216dd71abd5062c076fb8fb6afd8523f67d6a81b4b8133f", + "type": "eql", + "version": 100 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "ed5affdb15f11894bd6c79489368d13ba7d6be9cb53c34d65c7b30150ef24f55", - "type": "query", - "version": 3 - } - }, - "rule_name": "Suspicious Hidden Child Process of Launchd", - "sha256": "e37783a55e181e238dbc63c6e18250cdbf12fb194ca0e8ee4d5df5fdaf6c4042", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Hidden Child Process of Launchd", + "sha256": "ed5affdb15f11894bd6c79489368d13ba7d6be9cb53c34d65c7b30150ef24f55", + "type": "query", + "version": 3 + } + }, + "rule_name": "Suspicious Hidden Child Process of Launchd", + "sha256": "e37783a55e181e238dbc63c6e18250cdbf12fb194ca0e8ee4d5df5fdaf6c4042", + "type": "query", + "version": 100 }, "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { - "rule_name": "TCP Port 8000 Activity to the Internet", - "sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb", - "type": "query", - "version": 100 + "rule_name": "TCP Port 8000 Activity to the Internet", + "sha256": "d0c6cdede82a9cafacef49dcd6afc1b13383214401be7fbaa3b09ae1fbe9a3fb", + "type": "query", + "version": 100 }, "092b068f-84ac-485d-8a55-7dd9e006715f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": "374f2ae1482849fd100fd62cb31c79cefe23ca89d3058ba8f7c0fc5a15b07943", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Creation of Hidden Launch Agent or Daemon", - "sha256": 
"94b21cc3439ddd578f40b04f3f0760e4017cf7b26b75b0d19bcd7165dcd89880", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Creation of Hidden Launch Agent or Daemon", + "sha256": "374f2ae1482849fd100fd62cb31c79cefe23ca89d3058ba8f7c0fc5a15b07943", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Creation of Hidden Launch Agent or Daemon", + "sha256": "94b21cc3439ddd578f40b04f3f0760e4017cf7b26b75b0d19bcd7165dcd89880", + "type": "eql", + "version": 100 }, "09443c92-46b3-45a4-8f25-383b028b258d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Process Termination followed by Deletion", - "sha256": "20e1dc24bf9c03790032ed2c973bd18393bb59ef4dc6b8a87a325485ff436adc", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Process Termination followed by Deletion", - "sha256": "4f300bb1693cdbbb126b71da963cbbc49b9c455dd985f590779304fcd36679ec", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Process Termination followed by Deletion", + "sha256": "20e1dc24bf9c03790032ed2c973bd18393bb59ef4dc6b8a87a325485ff436adc", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Process Termination followed by Deletion", + "sha256": "4f300bb1693cdbbb126b71da963cbbc49b9c455dd985f590779304fcd36679ec", + "type": "eql", + "version": 100 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { - "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", - "sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", + "sha256": "a49a4358e83bf40e29e9dad1bb8afb6700d89cfe5a5b3e29adaa28e1f3c0b244", + "type": "eql", + "version": 100 }, "09d028a5-dcde-409f-8ae0-557cef1b7082": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure 
Frontdoor Web Application Firewall (WAF) Policy Deleted", - "sha256": "8ee919cb70451c98d111e5e7e7e2f9636a1d0064a49e02e77f997b1b14265537", - "type": "query", - "version": 5 - } - }, - "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", - "sha256": "2c794ea54d9aa3824d1373096ab7db8786f2ca676b66d38be2430c91b38156c9", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", + "sha256": "8ee919cb70451c98d111e5e7e7e2f9636a1d0064a49e02e77f997b1b14265537", + "type": "query", + "version": 5 + } + }, + "rule_name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", + "sha256": "2c794ea54d9aa3824d1373096ab7db8786f2ca676b66d38be2430c91b38156c9", + "type": "query", + "version": 100 }, "0a97b20f-4144-49ea-be32-b540ecc445de": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Malware - Detected - Elastic Endgame", - "sha256": "a721897ba5522f3f80de884490b7ec388a753c8679db97593a1f957a7bff12b2", - "type": "query", - "version": 9 - } - }, - "rule_name": "Malware - Detected - Elastic Endgame", - "sha256": "625e15fc2de85491b9506d68b1852e7faceace28909534416f3fe6df4b4e7506", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Malware - Detected - Elastic Endgame", + "sha256": "a721897ba5522f3f80de884490b7ec388a753c8679db97593a1f957a7bff12b2", + "type": "query", + "version": 9 + } + }, + "rule_name": "Malware - Detected - Elastic Endgame", + "sha256": "625e15fc2de85491b9506d68b1852e7faceace28909534416f3fe6df4b4e7506", + "type": "query", + "version": 100 }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Anomalous Windows Process Creation", - "sha256": "9e82b05aeb4575a98f709abc32dedcd6597e85d952b0f635e6e3efa77c34eea1", - 
"type": "machine_learning", - "version": 5 - } - }, - "rule_name": "Anomalous Windows Process Creation", - "sha256": "e56af9f20aeb3c799f9f604360002ecd00c37feb5a712e6ffd320b7248621010", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Anomalous Windows Process Creation", + "sha256": "9e82b05aeb4575a98f709abc32dedcd6597e85d952b0f635e6e3efa77c34eea1", + "type": "machine_learning", + "version": 5 + } + }, + "rule_name": "Anomalous Windows Process Creation", + "sha256": "e56af9f20aeb3c799f9f604360002ecd00c37feb5a712e6ffd320b7248621010", + "type": "machine_learning", + "version": 100 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "User account exposed to Kerberoasting", - "sha256": "ce5ff6004e5f73f7ba93d2299282f773bc858aeacefa8f3cc3385f6eadd25086", - "type": "query", - "version": 5 - } - }, - "rule_name": "User account exposed to Kerberoasting", - "sha256": "83f7382ba03556568e6ccdea4af57e3323b8f4d337eca24c65ecdcf0042b672e", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "User account exposed to Kerberoasting", + "sha256": "ce5ff6004e5f73f7ba93d2299282f773bc858aeacefa8f3cc3385f6eadd25086", + "type": "query", + "version": 5 + } + }, + "rule_name": "User account exposed to Kerberoasting", + "sha256": "83f7382ba03556568e6ccdea4af57e3323b8f4d337eca24c65ecdcf0042b672e", + "type": "query", + "version": 100 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Peripheral Device Discovery", - "sha256": "f24ca9a1f60d75defed517b7817577335a4262fbb3b7ed6b226eaea2c3c5e0ce", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Peripheral Device Discovery", - "sha256": "62bc9a1a7397ad3195956c7328708fb582678451ffe3cc782b1f85979b5bdf97", - "type": "eql", - 
"version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Peripheral Device Discovery", + "sha256": "f24ca9a1f60d75defed517b7817577335a4262fbb3b7ed6b226eaea2c3c5e0ce", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Peripheral Device Discovery", + "sha256": "62bc9a1a7397ad3195956c7328708fb582678451ffe3cc782b1f85979b5bdf97", + "type": "eql", + "version": 100 }, "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { - "min_stack_version": "8.3", - "previous": { - "8.0": { - "rule_name": "Threat Intel Indicator Match", - "sha256": "deec30795d7a848bc2ea99f29ec0e44c0d2cf9debfb593a497c818011477c718", - "type": "threat_match", - "version": 5 - } - }, - "rule_name": "Threat Intel Indicator Match", - "sha256": "08f8c238c50a92a88dbe751e24ae2b5cd38585ae57a0f026efa6cd46dbc395ec", - "type": "threat_match", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "8.0": { + "max_allowable_version": 99, + "rule_name": "Threat Intel Indicator Match", + "sha256": "deec30795d7a848bc2ea99f29ec0e44c0d2cf9debfb593a497c818011477c718", + "type": "threat_match", + "version": 5 + } + }, + "rule_name": "Threat Intel Indicator Match", + "sha256": "08f8c238c50a92a88dbe751e24ae2b5cd38585ae57a0f026efa6cd46dbc395ec", + "type": "threat_match", + "version": 100 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "f6eacd7c05b07f07ea615052aa4f672c47f4ff237bab83ee299daa65484ff83a", - "type": "query", - "version": 5 - } - }, - "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", - "sha256": "056521254f96e10279453630789e55bfcef8712bebc713ebd993a79d6c3e449f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", + "sha256": 
"f6eacd7c05b07f07ea615052aa4f672c47f4ff237bab83ee299daa65484ff83a", + "type": "query", + "version": 5 + } + }, + "rule_name": "O365 Exchange Suspicious Mailbox Right Delegation", + "sha256": "056521254f96e10279453630789e55bfcef8712bebc713ebd993a79d6c3e449f", + "type": "query", + "version": 100 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Nping Process Activity", - "sha256": "249b51758445451417eec4803297e5a0a2451bf859faf040db420301a8db3d2e", - "type": "query", - "version": 10 - } - }, - "rule_name": "Nping Process Activity", - "sha256": "9f2fd2cb49e759ae75d0606c5366e6428c399477ff22602ed62aeadcaf07dc6a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Nping Process Activity", + "sha256": "249b51758445451417eec4803297e5a0a2451bf859faf040db420301a8db3d2e", + "type": "query", + "version": 10 + } + }, + "rule_name": "Nping Process Activity", + "sha256": "9f2fd2cb49e759ae75d0606c5366e6428c399477ff22602ed62aeadcaf07dc6a", + "type": "query", + "version": 100 }, "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "d5d64a8e365a6086e3eb761be4e4722395cb58969f220252263994c9d2a86241", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Execution of File Written or Modified by Microsoft Office", - "sha256": "8081e5edd181ca6ef4de519993eac692fb9e13b7a8331f493d8b5cba63d6678b", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution of File Written or Modified by Microsoft Office", + "sha256": "d5d64a8e365a6086e3eb761be4e4722395cb58969f220252263994c9d2a86241", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Execution of File Written or Modified by Microsoft Office", + "sha256": 
"8081e5edd181ca6ef4de519993eac692fb9e13b7a8331f493d8b5cba63d6678b", + "type": "eql", + "version": 100 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "SharePoint Malware File Upload", - "sha256": "fd74b2c8aa258d63dfa815857d9150709e02798bba6f9903829af995d2d27d5b", - "type": "query", - "version": 5 - } - }, - "rule_name": "SharePoint Malware File Upload", - "sha256": "ec2339c33ce001404d50de90459e83490814a70cbe7257722192be7908277b0d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "SharePoint Malware File Upload", + "sha256": "fd74b2c8aa258d63dfa815857d9150709e02798bba6f9903829af995d2d27d5b", + "type": "query", + "version": 5 + } + }, + "rule_name": "SharePoint Malware File Upload", + "sha256": "ec2339c33ce001404d50de90459e83490814a70cbe7257722192be7908277b0d", + "type": "query", + "version": 100 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Service Account Key Creation", - "sha256": "9c70b737fec17aa177eea51e4447e68f4f484f94b407ee4bacf654c6c8be1f7e", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Service Account Key Creation", - "sha256": "da7d7509d3e20b62dd84274dde1294efce3201c3c1d270c12cbd05940378df7b", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Service Account Key Creation", + "sha256": "9c70b737fec17aa177eea51e4447e68f4f484f94b407ee4bacf654c6c8be1f7e", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Service Account Key Creation", + "sha256": "da7d7509d3e20b62dd84274dde1294efce3201c3c1d270c12cbd05940378df7b", + "type": "query", + "version": 100 }, "0e79980b-4250-4a50-a509-69294c14e84b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "MsBuild Making Network Connections", - 
"sha256": "0168b3528c17247ed5631843306c3123c740bbb190605452493031a938421f15", - "type": "eql", - "version": 10 - } - }, - "rule_name": "MsBuild Making Network Connections", - "sha256": "040a83a4a14d69dbfba9c759b3726e57989f4b3fdbb1b9b8e4333ff9e4a37ba7", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "MsBuild Making Network Connections", + "sha256": "0168b3528c17247ed5631843306c3123c740bbb190605452493031a938421f15", + "type": "eql", + "version": 10 + } + }, + "rule_name": "MsBuild Making Network Connections", + "sha256": "040a83a4a14d69dbfba9c759b3726e57989f4b3fdbb1b9b8e4333ff9e4a37ba7", + "type": "eql", + "version": 100 }, "0f616aee-8161-4120-857e-742366f5eeb3": { - "rule_name": "PowerShell spawning Cmd", - "sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be", - "type": "query", - "version": 100 + "rule_name": "PowerShell spawning Cmd", + "sha256": "02b0c2f928a762f61da9b493780d5fe36255c5565093c0d59db3776340a7b2be", + "type": "query", + "version": 100 }, "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "8fcce021f112699cc2b8bdd61edaaf16d26633221793e2f64a8d2b45d395e21e", - "type": "threshold", - "version": 6 - } - }, - "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", - "sha256": "adbb844008cf9c493562c5309080461156e41dda2c575e5b11cade5ee1a4a642", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "sha256": "8fcce021f112699cc2b8bdd61edaaf16d26633221793e2f64a8d2b45d395e21e", + "type": "threshold", + "version": 6 + } + }, + "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", + "sha256": 
"adbb844008cf9c493562c5309080461156e41dda2c575e5b11cade5ee1a4a642", + "type": "threshold", + "version": 100 }, "0ff84c42-873d-41a2-a4ed-08d74d352d01": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "2149a008d62b8e6a983abd178158948e2c370183a4e070931806ebd07b620ec7", - "type": "query", - "version": 3 - } - }, - "rule_name": "Privilege Escalation via Root Crontab File Modification", - "sha256": "a1abb66bb89a9724aa3a92789e8f5e667f5c0d2a37ba66e76aea86e582544c95", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Privilege Escalation via Root Crontab File Modification", + "sha256": "2149a008d62b8e6a983abd178158948e2c370183a4e070931806ebd07b620ec7", + "type": "query", + "version": 3 + } + }, + "rule_name": "Privilege Escalation via Root Crontab File Modification", + "sha256": "a1abb66bb89a9724aa3a92789e8f5e667f5c0d2a37ba66e76aea86e582544c95", + "type": "query", + "version": 100 }, "10754992-28c7-4472-be5b-f3770fd04f2d": { - "rule_name": "Linux Restricted Shell Breakout via awk Commands", - "sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via awk Commands", + "sha256": "d712972fb7e71daddbd2b5ced9e9845171a1e544e0e981d72fa350f743dec969", + "type": "eql", + "version": 100 }, "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "WebProxy Settings Modification", - "sha256": "5ceeed56054e254ddd1b7d9f6d34b66810422a1b885570227b5b24b1df1f5a1c", - "type": "query", - "version": 4 - } - }, - "rule_name": "WebProxy Settings Modification", - "sha256": "bfc1d542142473400cc94fe152f8c04cc7de3bd98303778df2b0d5a58750559e", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + 
"max_allowable_version": 99, + "rule_name": "WebProxy Settings Modification", + "sha256": "5ceeed56054e254ddd1b7d9f6d34b66810422a1b885570227b5b24b1df1f5a1c", + "type": "query", + "version": 4 + } + }, + "rule_name": "WebProxy Settings Modification", + "sha256": "bfc1d542142473400cc94fe152f8c04cc7de3bd98303778df2b0d5a58750559e", + "type": "query", + "version": 100 }, "11013227-0301-4a8c-b150-4db924484475": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Abnormally Large DNS Response", - "sha256": "72179393e4eaeb676c7ddec38aa17e29cdb602ddbac0b4b4c2727b39bbbd33c4", - "type": "query", - "version": 9 - } - }, - "rule_name": "Abnormally Large DNS Response", - "sha256": "51a774df9bf521db4ca5be0359b8f57f565c222434338eab826b87bb2135c9ac", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Abnormally Large DNS Response", + "sha256": "72179393e4eaeb676c7ddec38aa17e29cdb602ddbac0b4b4c2727b39bbbd33c4", + "type": "query", + "version": 9 + } + }, + "rule_name": "Abnormally Large DNS Response", + "sha256": "51a774df9bf521db4ca5be0359b8f57f565c222434338eab826b87bb2135c9ac", + "type": "query", + "version": 100 }, "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "sha256": "9c71d67d03bb28988290278d67be14ad1ed058623cd9989b68da55945b0884d6", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", - "sha256": "a15b96e8d941bb34de5bb1cb20c05f46756bd2696a7b23366a894956b4dc78d7", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", + "sha256": "9c71d67d03bb28988290278d67be14ad1ed058623cd9989b68da55945b0884d6", + "type": "eql", + "version": 9 + } + 
}, + "rule_name": "Potential DLL SideLoading via Trusted Microsoft Programs", + "sha256": "a15b96e8d941bb34de5bb1cb20c05f46756bd2696a7b23366a894956b4dc78d7", + "type": "eql", + "version": 100 }, "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "f93caaaa0c67c047837860a3ee7f31fbe03b3df7af0f7fb2c29658c22dbb89a5", - "type": "eql", - "version": 8 - } - }, - "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", - "sha256": "d79170d1d2dc733f23fa76b4fa85341b05c92bf574721045be851326dbee79d9", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "sha256": "f93caaaa0c67c047837860a3ee7f31fbe03b3df7af0f7fb2c29658c22dbb89a5", + "type": "eql", + "version": 8 + } + }, + "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", + "sha256": "d79170d1d2dc733f23fa76b4fa85341b05c92bf574721045be851326dbee79d9", + "type": "eql", + "version": 100 }, "119c8877-8613-416d-a98a-96b6664ee73a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS RDS Snapshot Export", - "sha256": "14d892036447ee2dc39a6709bd9e0d3257e7f26fc746c067ed110d862c0688b8", - "type": "query", - "version": 4 - } - }, - "rule_name": "AWS RDS Snapshot Export", - "sha256": "e54ac76da02c0772971016966fa9829510ed25a8cb2ef4a0b535cc85c50836cb", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS RDS Snapshot Export", + "sha256": "14d892036447ee2dc39a6709bd9e0d3257e7f26fc746c067ed110d862c0688b8", + "type": "query", + "version": 4 + } + }, + "rule_name": "AWS RDS Snapshot Export", + "sha256": "e54ac76da02c0772971016966fa9829510ed25a8cb2ef4a0b535cc85c50836cb", + "type": "query", + "version": 100 }, "119c8877-8613-416d-a98a-96b6664ee73a5": { - 
"rule_name": "AWS RDS Snapshot Export", - "sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0", - "type": "query", - "version": 100 + "rule_name": "AWS RDS Snapshot Export", + "sha256": "dc07a6005a4da8eea9b23185abaf24f9db9fbe2271e4c8ddc3f39f020a9ea3d0", + "type": "query", + "version": 100 }, "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "50288dc2ce260ad28cbd659c5050727cc77e2dd0725409ad7443869e47bcd52c", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Third-party Backup Files Deleted via Unexpected Process", - "sha256": "419591e43cc4c101c42c537120a98b26c5a6760abfb24f6bba8fddbd20d524fc", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Third-party Backup Files Deleted via Unexpected Process", + "sha256": "50288dc2ce260ad28cbd659c5050727cc77e2dd0725409ad7443869e47bcd52c", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Third-party Backup Files Deleted via Unexpected Process", + "sha256": "419591e43cc4c101c42c537120a98b26c5a6760abfb24f6bba8fddbd20d524fc", + "type": "eql", + "version": 100 }, "12051077-0124-4394-9522-8f4f4db1d674": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "7b9f296c6822ee18168d7c4ab63f9d12781ebe9c8704290c6e4bbbf250b1da44", - "type": "query", - "version": 4 - } - }, - "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", - "sha256": "fb16c3f709b5cc59f4ead250115bfdac9b328fea01c4e6c8b25664e4e65d8122", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", + "sha256": "7b9f296c6822ee18168d7c4ab63f9d12781ebe9c8704290c6e4bbbf250b1da44", + "type": "query", + "version": 4 
+ } + }, + "rule_name": "AWS Route 53 Domain Transfer Lock Disabled", + "sha256": "fb16c3f709b5cc59f4ead250115bfdac9b328fea01c4e6c8b25664e4e65d8122", + "type": "query", + "version": 100 }, "120559c6-5e24-49f4-9e30-8ffe697df6b9": { - "rule_name": "User Discovery via Whoami", - "sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e", - "type": "query", - "version": 100 + "rule_name": "User Discovery via Whoami", + "sha256": "226bffc8f05628ba3e39c84344b42aff68d3c0a8ad10612929d4cb704d902d3e", + "type": "query", + "version": 100 }, "125417b8-d3df-479f-8418-12d7e034fee3": { - "rule_name": "Attempt to Disable IPTables or Firewall", - "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", - "type": "query", - "version": 100 + "rule_name": "Attempt to Disable IPTables or Firewall", + "sha256": "7852c6d19ed6216fb60c46fdeffb6d109d509b83ed076aab9240c57540fc2960", + "type": "query", + "version": 100 }, "12a2f15d-597e-4334-88ff-38a02cb1330b": { - "min_stack_version": "8.3", - "previous": { - "8.2": { - "rule_name": "Kubernetes Suspicious Self-Subject Review", - "sha256": "344dd45b89887d9f6037e782a5c6e321a7e348581f1372c4180b8b5e2aad81e9", - "type": "query", - "version": 3 - } - }, - "rule_name": "Kubernetes Suspicious Self-Subject Review", - "sha256": "9849f3733be1f4f160704b38909e60354493b106e233d0fb46bbad606d4cf8c8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "8.2": { + "max_allowable_version": 99, + "rule_name": "Kubernetes Suspicious Self-Subject Review", + "sha256": "344dd45b89887d9f6037e782a5c6e321a7e348581f1372c4180b8b5e2aad81e9", + "type": "query", + "version": 3 + } + }, + "rule_name": "Kubernetes Suspicious Self-Subject Review", + "sha256": "9849f3733be1f4f160704b38909e60354493b106e233d0fb46bbad606d4cf8c8", + "type": "query", + "version": 100 }, "12cbf709-69e8-4055-94f9-24314385c27e": { - "min_stack_version": "8.3", - "previous": { - "8.2": { - "rule_name": "Kubernetes Pod Created With 
HostNetwork", - "sha256": "1944874623a3c0eb94b6c60e923f345644329467a5e2b4d450710fa23af51940", - "type": "query", - "version": 3 - } - }, - "rule_name": "Kubernetes Pod Created With HostNetwork", - "sha256": "5d921734039fe405b0c6592212c7e3019f5b13cd5364c1387b30211aebcd0f31", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "8.2": { + "max_allowable_version": 99, + "rule_name": "Kubernetes Pod Created With HostNetwork", + "sha256": "1944874623a3c0eb94b6c60e923f345644329467a5e2b4d450710fa23af51940", + "type": "query", + "version": 3 + } + }, + "rule_name": "Kubernetes Pod Created With HostNetwork", + "sha256": "5d921734039fe405b0c6592212c7e3019f5b13cd5364c1387b30211aebcd0f31", + "type": "query", + "version": 100 }, "12f07955-1674-44f7-86b5-c35da0a6f41a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "14dee3b14b6f395041ed83582c528b803b220c3528665d1da4a1bc87de358524", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Suspicious Cmd Execution via WMI", - "sha256": "b0ee983787f62183b3667f7047688f963bc0295b3724df34227e4b3f3a78000a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Cmd Execution via WMI", + "sha256": "14dee3b14b6f395041ed83582c528b803b220c3528665d1da4a1bc87de358524", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Suspicious Cmd Execution via WMI", + "sha256": "b0ee983787f62183b3667f7047688f963bc0295b3724df34227e4b3f3a78000a", + "type": "eql", + "version": 100 }, "1327384f-00f3-44d5-9a8c-2373ba071e92": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "dd487bb51dcb9f39021bc76a62c8cd0821d1d6a83f7dcbfa4995e6fdb51914f7", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": 
"0defd980c5f36ab6de665344d2af0fd49f0d9df73599ea799119f808f1debef0", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via Scheduled Job Creation", + "sha256": "dd487bb51dcb9f39021bc76a62c8cd0821d1d6a83f7dcbfa4995e6fdb51914f7", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Persistence via Scheduled Job Creation", + "sha256": "0defd980c5f36ab6de665344d2af0fd49f0d9df73599ea799119f808f1debef0", + "type": "eql", + "version": 100 }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Rare User Logon", - "sha256": "2cee5f1ed8eb3e96b51fe2e95091998e361671f08e86aee4e30f60585529cd00", - "type": "machine_learning", - "version": 4 - } - }, - "rule_name": "Rare User Logon", - "sha256": "2cee5f1ed8eb3e96b51fe2e95091998e361671f08e86aee4e30f60585529cd00", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Rare User Logon", + "sha256": "2cee5f1ed8eb3e96b51fe2e95091998e361671f08e86aee4e30f60585529cd00", + "type": "machine_learning", + "version": 4 + } + }, + "rule_name": "Rare User Logon", + "sha256": "2cee5f1ed8eb3e96b51fe2e95091998e361671f08e86aee4e30f60585529cd00", + "type": "machine_learning", + "version": 100 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { - "rule_name": "SQL Traffic to the Internet", - "sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7", - "type": "query", - "version": 100 + "rule_name": "SQL Traffic to the Internet", + "sha256": "26fce2242bdb3d7341ec772772151eae5dfe28e3f14a60bbe586e0d5d5842ad7", + "type": "query", + "version": 100 }, "141e9b3a-ff37-4756-989d-05d7cbf35b0e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure External Guest User Invitation", - "sha256": "884e2787044397ab5139c3a166b7ef487915885576122d86d3eee5fa26cb6b31", - 
"type": "query", - "version": 8 - } - }, - "rule_name": "Azure External Guest User Invitation", - "sha256": "f9c5b6690acc93fdfe6cae2fcb31a08572101d7f9ad2a27ba86ef235972c5386", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure External Guest User Invitation", + "sha256": "884e2787044397ab5139c3a166b7ef487915885576122d86d3eee5fa26cb6b31", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure External Guest User Invitation", + "sha256": "f9c5b6690acc93fdfe6cae2fcb31a08572101d7f9ad2a27ba86ef235972c5386", + "type": "query", + "version": 100 }, "143cb236-0956-4f42-a706-814bcaa0cf5a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "8fb78fd8caf9f2c543f7a8496f9d8f54d2c309b521d9b3f1d1afb9174b6c6068", - "type": "query", - "version": 13 - } - }, - "rule_name": "RPC (Remote Procedure Call) from the Internet", - "sha256": "2b983663df2e83acf552a0e23cf64c89b7d02608e47827e831a7f83301eb1157", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "RPC (Remote Procedure Call) from the Internet", + "sha256": "8fb78fd8caf9f2c543f7a8496f9d8f54d2c309b521d9b3f1d1afb9174b6c6068", + "type": "query", + "version": 13 + } + }, + "rule_name": "RPC (Remote Procedure Call) from the Internet", + "sha256": "2b983663df2e83acf552a0e23cf64c89b7d02608e47827e831a7f83301eb1157", + "type": "query", + "version": 100 }, "14de811c-d60f-11ec-9fd7-f661ea17fbce": { - "min_stack_version": "8.3", - "previous": { - "8.2": { - "rule_name": "Kubernetes User Exec into Pod", - "sha256": "939f1dfae51e5df729029c2bf9c6cd64c211afd38624b26e0878e4e9f0623956", - "type": "query", - "version": 4 - } - }, - "rule_name": "Kubernetes User Exec into Pod", - "sha256": "a00465734be3cc8c51d1068bd7d2d6fd67cc0144a3f4b11d969411083176df00", - "type": "query", - 
"version": 100 + "min_stack_version": "8.3", + "previous": { + "8.2": { + "max_allowable_version": 99, + "rule_name": "Kubernetes User Exec into Pod", + "sha256": "939f1dfae51e5df729029c2bf9c6cd64c211afd38624b26e0878e4e9f0623956", + "type": "query", + "version": 4 + } + }, + "rule_name": "Kubernetes User Exec into Pod", + "sha256": "a00465734be3cc8c51d1068bd7d2d6fd67cc0144a3f4b11d969411083176df00", + "type": "query", + "version": 100 }, "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "babbc6287d174b837d32ddc45d7233af2a2325136cdd66ffb0cae01ff942611d", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential Persistence via Time Provider Modification", - "sha256": "27438d7546fe2773040ae8a26f1fa92ee7e93b3e006a0ab001dc3efae0168ffb", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Persistence via Time Provider Modification", + "sha256": "babbc6287d174b837d32ddc45d7233af2a2325136cdd66ffb0cae01ff942611d", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential Persistence via Time Provider Modification", + "sha256": "27438d7546fe2773040ae8a26f1fa92ee7e93b3e006a0ab001dc3efae0168ffb", + "type": "eql", + "version": 100 }, "15a8ba77-1c13-4274-88fe-6bd14133861e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "a37caa10322b243e5b1aa27c757d8348af9ac05dff0d4f48a54774f68c207385", - "type": "query", - "version": 7 - } - }, - "rule_name": "Scheduled Task Execution at Scale via GPO", - "sha256": "a02b14e0e4eecfb1f00811d8373dea27f41819134a1027b66d37d6cce4eb9696", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Scheduled Task Execution at Scale via GPO", + 
"sha256": "a37caa10322b243e5b1aa27c757d8348af9ac05dff0d4f48a54774f68c207385", + "type": "query", + "version": 7 + } + }, + "rule_name": "Scheduled Task Execution at Scale via GPO", + "sha256": "a02b14e0e4eecfb1f00811d8373dea27f41819134a1027b66d37d6cce4eb9696", + "type": "query", + "version": 100 }, "15c0b7a7-9c34-4869-b25b-fa6518414899": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "8d3046d9ab68612adecfa2ba45a822de6d59c106baa88cb919d7f814adef7705", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Remote File Download via Desktopimgdownldr Utility", - "sha256": "027f4016e7b011b1e1775524d011db0f3409297811bda118d962948325c35783", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote File Download via Desktopimgdownldr Utility", + "sha256": "8d3046d9ab68612adecfa2ba45a822de6d59c106baa88cb919d7f814adef7705", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Remote File Download via Desktopimgdownldr Utility", + "sha256": "027f4016e7b011b1e1775524d011db0f3409297811bda118d962948325c35783", + "type": "eql", + "version": 100 }, "15dacaa0-5b90-466b-acab-63435a59701a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "ab01939284a35f49a970a029c0ae49717b8c8a40df7d14e420432cf17423300a", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Virtual Private Network Connection Attempt", - "sha256": "566aa4b686e805e853bdb4bcf1a3b3cd30eb2fdbc53133ba6e14e335be05c76c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Virtual Private Network Connection Attempt", + "sha256": "ab01939284a35f49a970a029c0ae49717b8c8a40df7d14e420432cf17423300a", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Virtual Private 
Network Connection Attempt", + "sha256": "566aa4b686e805e853bdb4bcf1a3b3cd30eb2fdbc53133ba6e14e335be05c76c", + "type": "eql", + "version": 100 }, "16280f1e-57e6-4242-aa21-bb4d16f13b2f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "5856d870c5052798edc3f6128683f5e39e62d60519ada98556b15fef9fc2df55", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Automation Runbook Created or Modified", - "sha256": "e426eaaece53a6e1fe40d5348cd2ace438e66ba4d7326ad7eacc7d36cda6e99e", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Automation Runbook Created or Modified", + "sha256": "5856d870c5052798edc3f6128683f5e39e62d60519ada98556b15fef9fc2df55", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Automation Runbook Created or Modified", + "sha256": "e426eaaece53a6e1fe40d5348cd2ace438e66ba4d7326ad7eacc7d36cda6e99e", + "type": "query", + "version": 100 }, "16904215-2c95-4ac8-bf5c-12354e047192": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "82021c6bdc0d1e0276714a56622c6195c0745e9c8d37dfa3e179111be9f3c8f7", - "type": "query", - "version": 4 - } - }, - "rule_name": "Potential Kerberos Attack via Bifrost", - "sha256": "1afc6126931ab43c5110fd5d9ba95ea05796a4d206503e8cbe3324101648997b", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Kerberos Attack via Bifrost", + "sha256": "82021c6bdc0d1e0276714a56622c6195c0745e9c8d37dfa3e179111be9f3c8f7", + "type": "query", + "version": 4 + } + }, + "rule_name": "Potential Kerberos Attack via Bifrost", + "sha256": "1afc6126931ab43c5110fd5d9ba95ea05796a4d206503e8cbe3324101648997b", + "type": "query", + "version": 100 }, 
"169f3a93-efc7-4df2-94d6-0d9438c310d1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS IAM Group Creation", - "sha256": "e40e6fa8910826f514e017875dad384599cb9360369e8f04f154bb76879db2ba", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS IAM Group Creation", - "sha256": "3bc9921d9f20ce54ad8f1812f5f46671210c22f202b04699b27ec8b4d1a9d831", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS IAM Group Creation", + "sha256": "e40e6fa8910826f514e017875dad384599cb9360369e8f04f154bb76879db2ba", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS IAM Group Creation", + "sha256": "3bc9921d9f20ce54ad8f1812f5f46671210c22f202b04699b27ec8b4d1a9d831", + "type": "query", + "version": 100 }, "16a52c14-7883-47af-8745-9357803f0d4c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Component Object Model Hijacking", - "sha256": "5898cbcb8ba124f960428a6f5171e59b41b955310aa5d055f300dc1a341c1b4f", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Component Object Model Hijacking", - "sha256": "c428fc531a25f1681bb3a26b13b8cf56b29d6c87093b3a8f14a7a6d49dc16219", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Component Object Model Hijacking", + "sha256": "5898cbcb8ba124f960428a6f5171e59b41b955310aa5d055f300dc1a341c1b4f", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Component Object Model Hijacking", + "sha256": "c428fc531a25f1681bb3a26b13b8cf56b29d6c87093b3a8f14a7a6d49dc16219", + "type": "eql", + "version": 100 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "2dbe2743cfdae34c434469eef59b198bcabab7f9fe1700cea7401f78495d4755", - "type": "query", - "version": 7 - } - }, - 
"rule_name": "Startup/Logon Script added to Group Policy Object", - "sha256": "17e0c2bd35bde2a29a13b0c3601999bb1555fead5b45f0b11654ff859da8c8b6", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Startup/Logon Script added to Group Policy Object", + "sha256": "2dbe2743cfdae34c434469eef59b198bcabab7f9fe1700cea7401f78495d4755", + "type": "query", + "version": 7 + } + }, + "rule_name": "Startup/Logon Script added to Group Policy Object", + "sha256": "17e0c2bd35bde2a29a13b0c3601999bb1555fead5b45f0b11654ff859da8c8b6", + "type": "query", + "version": 100 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Windows Username", - "sha256": "15ad86ffb8402c2acabbd69bc91cf276320fbefe605de2f336f02d46936242a4", - "type": "machine_learning", - "version": 7 - } - }, - "rule_name": "Unusual Windows Username", - "sha256": "8f1da2c97c296b4e212e5aacd5a608a1043a71c6de193a0568f82e09fc04cb6e", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Windows Username", + "sha256": "15ad86ffb8402c2acabbd69bc91cf276320fbefe605de2f336f02d46936242a4", + "type": "machine_learning", + "version": 7 + } + }, + "rule_name": "Unusual Windows Username", + "sha256": "8f1da2c97c296b4e212e5aacd5a608a1043a71c6de193a0568f82e09fc04cb6e", + "type": "machine_learning", + "version": 100 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Windows Service", - "sha256": "2056eb4358a68b426256be231c045180bdc5ed38f6ea5b6f8140d1656c102a7d", - "type": "machine_learning", - "version": 4 - } - }, - "rule_name": "Unusual Windows Service", - "sha256": "526315821ea6ac3e9449850d95215a802bdacb4518640f64f454e99f6cf6f251", - "type": "machine_learning", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Windows Service", + "sha256": "2056eb4358a68b426256be231c045180bdc5ed38f6ea5b6f8140d1656c102a7d", + "type": "machine_learning", + "version": 4 + } + }, + "rule_name": "Unusual Windows Service", + "sha256": "526315821ea6ac3e9449850d95215a802bdacb4518640f64f454e99f6cf6f251", + "type": "machine_learning", + "version": 100 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Powershell Script", - "sha256": "460a16a595ce6ae95c9edea03ef73004bc7c7308105aa6c9ea445cbde9af7acd", - "type": "machine_learning", - "version": 4 - } - }, - "rule_name": "Suspicious Powershell Script", - "sha256": "62f1e3313ee3c9dbac1fa73f2238367424ff02754a4d740f973cdac6901e53a1", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Powershell Script", + "sha256": "460a16a595ce6ae95c9edea03ef73004bc7c7308105aa6c9ea445cbde9af7acd", + "type": "machine_learning", + "version": 4 + } + }, + "rule_name": "Suspicious Powershell Script", + "sha256": "62f1e3313ee3c9dbac1fa73f2238367424ff02754a4d740f973cdac6901e53a1", + "type": "machine_learning", + "version": 100 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "f379e94cb9af607a023c169713f9d08359187394314686ae5e0c9e90c0cfc475", - "type": "machine_learning", - "version": 4 - } - }, - "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "e46cdedd322a3698ace70334ffe46355b69407965f560634a7857023937319b4", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Windows User Privilege Elevation Activity", + 
"sha256": "f379e94cb9af607a023c169713f9d08359187394314686ae5e0c9e90c0cfc475", + "type": "machine_learning", + "version": 4 + } + }, + "rule_name": "Unusual Windows User Privilege Elevation Activity", + "sha256": "e46cdedd322a3698ace70334ffe46355b69407965f560634a7857023937319b4", + "type": "machine_learning", + "version": 100 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Windows Remote User", - "sha256": "56324808be7511810a3929fc18e87820ab588197a384e84b772bc3f2addc8841", - "type": "machine_learning", - "version": 5 - } - }, - "rule_name": "Unusual Windows Remote User", - "sha256": "139ece349432479b389dbad5de09391bcb55c55f5fe0e4a9d97c27079deea3f6", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Windows Remote User", + "sha256": "56324808be7511810a3929fc18e87820ab588197a384e84b772bc3f2addc8841", + "type": "machine_learning", + "version": 5 + } + }, + "rule_name": "Unusual Windows Remote User", + "sha256": "139ece349432479b389dbad5de09391bcb55c55f5fe0e4a9d97c27079deea3f6", + "type": "machine_learning", + "version": 100 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Execution - Short Program Name", - "sha256": "a49a574d1dd2dc2b3e273604ba9444652782dad8165b44003650a266a3d8c831", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Suspicious Execution - Short Program Name", - "sha256": "f7a9602afd5c320d4f7e786cd81b89a06f9813891f1de9f73386345415fe17c2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Execution - Short Program Name", + "sha256": "a49a574d1dd2dc2b3e273604ba9444652782dad8165b44003650a266a3d8c831", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Suspicious Execution - Short 
Program Name", + "sha256": "f7a9602afd5c320d4f7e786cd81b89a06f9813891f1de9f73386345415fe17c2", + "type": "eql", + "version": 100 }, "17e68559-b274-4948-ad0b-f8415bb31126": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Network Destination Domain Name", - "sha256": "4f247c995b369cacb22a5734b72185bd8dc067b58972e3e959245d9bf0d391ab", - "type": "machine_learning", - "version": 4 - } - }, - "rule_name": "Unusual Network Destination Domain Name", - "sha256": "4f247c995b369cacb22a5734b72185bd8dc067b58972e3e959245d9bf0d391ab", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Network Destination Domain Name", + "sha256": "4f247c995b369cacb22a5734b72185bd8dc067b58972e3e959245d9bf0d391ab", + "type": "machine_learning", + "version": 4 + } + }, + "rule_name": "Unusual Network Destination Domain Name", + "sha256": "4f247c995b369cacb22a5734b72185bd8dc067b58972e3e959245d9bf0d391ab", + "type": "machine_learning", + "version": 100 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Logging Sink Modification", - "sha256": "f543b8cf2fdff969c2280c9426bcef331857717573fa30ecfdcfba95c8283625", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Logging Sink Modification", - "sha256": "1ffcdba13e67968ded072af5594a58c0106a9e12220cdbfa2f363a02344c80bb", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Logging Sink Modification", + "sha256": "f543b8cf2fdff969c2280c9426bcef331857717573fa30ecfdcfba95c8283625", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Logging Sink Modification", + "sha256": "1ffcdba13e67968ded072af5594a58c0106a9e12220cdbfa2f363a02344c80bb", + "type": "query", + "version": 100 }, "1859ce38-6a50-422b-a5e8-636e231ea0cd": { - "rule_name": 
"Linux Restricted Shell Breakout via c89/c99 Shell evasion", - "sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", + "sha256": "7e7de93079eef0b085e35930659004f7dc4b966ad722932b86b82c762d627e1e", + "type": "eql", + "version": 100 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Rare AWS Error Code", - "sha256": "6b29390c6c450c02027712c15174d3241eadf50fd00e80be20970e8d2385f21a", - "type": "machine_learning", - "version": 10 - } - }, - "rule_name": "Rare AWS Error Code", - "sha256": "f2e04304395ab90b7580429890cf7e2e7ebe4d09c2a1777927222375f31c1bbc", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Rare AWS Error Code", + "sha256": "6b29390c6c450c02027712c15174d3241eadf50fd00e80be20970e8d2385f21a", + "type": "machine_learning", + "version": 10 + } + }, + "rule_name": "Rare AWS Error Code", + "sha256": "f2e04304395ab90b7580429890cf7e2e7ebe4d09c2a1777927222375f31c1bbc", + "type": "machine_learning", + "version": 100 }, "1a36cace-11a7-43a8-9a10-b497c5a02cd3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Application Credential Modification", - "sha256": "08c7be0a262c66e42f4a684e6a3250d4686374b71f6fa817d9cf0b369eacdf81", - "type": "query", - "version": 7 - } - }, - "rule_name": "Azure Application Credential Modification", - "sha256": "2fc3c7af40f9acc3751831430f8b577e68ea3fc5381cafbdc8bfd17298b1ab66", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Application Credential Modification", + "sha256": "08c7be0a262c66e42f4a684e6a3250d4686374b71f6fa817d9cf0b369eacdf81", + "type": "query", + "version": 7 + } + }, + "rule_name": "Azure 
Application Credential Modification", + "sha256": "2fc3c7af40f9acc3751831430f8b577e68ea3fc5381cafbdc8bfd17298b1ab66", + "type": "query", + "version": 100 }, "1a6075b0-7479-450e-8fe7-b8b8438ac570": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution of COM object via Xwizard", - "sha256": "f914b30a66a3801986631b2260c2b0be902fee7f3f9e9ea83082a555276b833e", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Execution of COM object via Xwizard", - "sha256": "44257ec40965e6ab0a48e4394db0bff1ea0ef3f7d5d3b41bb5d0fa409457be82", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution of COM object via Xwizard", + "sha256": "f914b30a66a3801986631b2260c2b0be902fee7f3f9e9ea83082a555276b833e", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Execution of COM object via Xwizard", + "sha256": "44257ec40965e6ab0a48e4394db0bff1ea0ef3f7d5d3b41bb5d0fa409457be82", + "type": "eql", + "version": 100 }, "1aa8fa52-44a7-4dae-b058-f3333b91c8d7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "fd4a95d88aee2bbce7a930bef232433c82600847adb3624342557eb85672f1c2", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS CloudTrail Log Suspended", - "sha256": "6d33570b7f5f13b7bfa3455e553534f7e704a74e0a7d562b402478fab02b9809", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS CloudTrail Log Suspended", + "sha256": "fd4a95d88aee2bbce7a930bef232433c82600847adb3624342557eb85672f1c2", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS CloudTrail Log Suspended", + "sha256": "6d33570b7f5f13b7bfa3455e553534f7e704a74e0a7d562b402478fab02b9809", + "type": "query", + "version": 100 }, "1aa9181a-492b-4c01-8b16-fa0735786b2b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - 
"rule_name": "User Account Creation", - "sha256": "1891ff7763da99e8748a754e4c9ea618908a0273d1dae964934e27ac482dcb2e", - "type": "eql", - "version": 14 - } - }, - "rule_name": "User Account Creation", - "sha256": "ce771b5fe692673c9406f8817adb67945f35fca9271439cd07325d772d3781eb", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "User Account Creation", + "sha256": "1891ff7763da99e8748a754e4c9ea618908a0273d1dae964934e27ac482dcb2e", + "type": "eql", + "version": 14 + } + }, + "rule_name": "User Account Creation", + "sha256": "ce771b5fe692673c9406f8817adb67945f35fca9271439cd07325d772d3781eb", + "type": "eql", + "version": 100 }, "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Connection to Internal Network via Telnet", - "sha256": "a6045befcf940787d6b44aca3ba847602c79275a601616a8cb50d66f621907f4", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Connection to Internal Network via Telnet", - "sha256": "75c7280b4e96dec3da01270b1605656b1b566c914736d730a68aa1697c57d408", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Connection to Internal Network via Telnet", + "sha256": "a6045befcf940787d6b44aca3ba847602c79275a601616a8cb50d66f621907f4", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Connection to Internal Network via Telnet", + "sha256": "75c7280b4e96dec3da01270b1605656b1b566c914736d730a68aa1697c57d408", + "type": "eql", + "version": 100 }, "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": "3ac35392968bc4bfe1ec662a9d0b96fd14d0f58c60be9132d68c95fc85b635c9", - "type": "query", - "version": 5 - } - }, - "rule_name": "AWS ElastiCache Security Group Modified or Deleted", - "sha256": 
"f22b89997980f0f7bb68c6d90afb377a6248cbe72383c35af9fc8a7b1cdf1b63", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS ElastiCache Security Group Modified or Deleted", + "sha256": "3ac35392968bc4bfe1ec662a9d0b96fd14d0f58c60be9132d68c95fc85b635c9", + "type": "query", + "version": 5 + } + }, + "rule_name": "AWS ElastiCache Security Group Modified or Deleted", + "sha256": "f22b89997980f0f7bb68c6d90afb377a6248cbe72383c35af9fc8a7b1cdf1b63", + "type": "query", + "version": 100 }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "d00d3e8f0516c4848290f845aa45897ed6207d1a3f9b71738aaa821f9c3805fd", - "type": "query", - "version": 8 - } - }, - "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "b7cc5fbc078c10128f2bcbe13b7c4c861d3a9ed2810e6a42b2ae2d8cf7de2471", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", + "sha256": "d00d3e8f0516c4848290f845aa45897ed6207d1a3f9b71738aaa821f9c3805fd", + "type": "query", + "version": 8 + } + }, + "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", + "sha256": "b7cc5fbc078c10128f2bcbe13b7c4c861d3a9ed2810e6a42b2ae2d8cf7de2471", + "type": "query", + "version": 100 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "f48c4a2437aad0de0ff36c4dfeff61ccdccf6df20dc3ceb3cba6c9400244e0ea", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": 
"c9f1b420b573a482228ed4337a8bac1aadde7b219789cdc2c90905d136f28b26", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious File Creation in /etc for Persistence", + "sha256": "f48c4a2437aad0de0ff36c4dfeff61ccdccf6df20dc3ceb3cba6c9400244e0ea", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Suspicious File Creation in /etc for Persistence", + "sha256": "c9f1b420b573a482228ed4337a8bac1aadde7b219789cdc2c90905d136f28b26", + "type": "eql", + "version": 100 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Kubernetes Rolebindings Created", - "sha256": "2717595854d57fdf2727a0361b9f0d549070644843408b2e19e67e30e64a546e", - "type": "query", - "version": 4 - } - }, - "rule_name": "Azure Kubernetes Rolebindings Created", - "sha256": "c1d21aa629ba82e68861ad58ac66781556f69ca6897fdc739676ae92cb5d530c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Kubernetes Rolebindings Created", + "sha256": "2717595854d57fdf2727a0361b9f0d549070644843408b2e19e67e30e64a546e", + "type": "query", + "version": 4 + } + }, + "rule_name": "Azure Kubernetes Rolebindings Created", + "sha256": "c1d21aa629ba82e68861ad58ac66781556f69ca6897fdc739676ae92cb5d530c", + "type": "query", + "version": 100 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "668b31747084485dad1344c6ae9695fbb86ac6b3c11bc427b08cce2b1e9cf791", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Incoming Execution via WinRM Remote Shell", - "sha256": "56c7c664e2231aae0f28ffeaebfd255b0ccd630664c396f8b269c2922e5eda24", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 
99, + "rule_name": "Incoming Execution via WinRM Remote Shell", + "sha256": "668b31747084485dad1344c6ae9695fbb86ac6b3c11bc427b08cce2b1e9cf791", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Incoming Execution via WinRM Remote Shell", + "sha256": "56c7c664e2231aae0f28ffeaebfd255b0ccd630664c396f8b269c2922e5eda24", + "type": "eql", + "version": 100 }, "1d276579-3380-4095-ad38-e596a01bc64f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote File Download via Script Interpreter", - "sha256": "85ae33aa6ea9da5d75b1566ea17607b7675b777fa6a3bbea99899cee587b85e5", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Remote File Download via Script Interpreter", - "sha256": "5c856b88cd99da9cc3234fbb92474ade21790debb6b3f9cea3084dfbab5ac401", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote File Download via Script Interpreter", + "sha256": "85ae33aa6ea9da5d75b1566ea17607b7675b777fa6a3bbea99899cee587b85e5", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Remote File Download via Script Interpreter", + "sha256": "5c856b88cd99da9cc3234fbb92474ade21790debb6b3f9cea3084dfbab5ac401", + "type": "eql", + "version": 100 }, "1d72d014-e2ab-4707-b056-9b96abe7b511": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "676c2d4dfe1aa314a6f063884871cc7fd0e04da8d7e3182b2b6eaae113e6f86f", - "type": "eql", - "version": 11 - } - }, - "rule_name": "External IP Lookup from Non-Browser Process", - "sha256": "16796f9d1d8e8bbc8f8adaeb103a3e40551ccd80dfa261da294bb638fe2e8996", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "External IP Lookup from Non-Browser Process", + "sha256": "676c2d4dfe1aa314a6f063884871cc7fd0e04da8d7e3182b2b6eaae113e6f86f", + "type": "eql", + "version": 11 + } 
+ }, + "rule_name": "External IP Lookup from Non-Browser Process", + "sha256": "16796f9d1d8e8bbc8f8adaeb103a3e40551ccd80dfa261da294bb638fe2e8996", + "type": "eql", + "version": 100 }, "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "2bc46ca9cbee507967b5dccfac7f86142c08d85ba6d3151747c404858da10b74", - "type": "eql", - "version": 10 - } - }, - "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", - "sha256": "5131fde7ee1d9a7ab0bf8e5af795722e91d8700dcad6afbc10007bc8518bc09f", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", + "sha256": "2bc46ca9cbee507967b5dccfac7f86142c08d85ba6d3151747c404858da10b74", + "type": "eql", + "version": 10 + } + }, + "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", + "sha256": "5131fde7ee1d9a7ab0bf8e5af795722e91d8700dcad6afbc10007bc8518bc09f", + "type": "eql", + "version": 100 }, "1defdd62-cd8d-426e-a246-81a37751bb2b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "f12a62cb3e7043b37dd8cc3bffbfdeb5a191ac0e33d733d4644b245ac3c8d252", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Execution of File Written or Modified by PDF Reader", - "sha256": "f9c0f46093535eefb2c93305395d28e6913ee6c36ed641767b2daec212a19962", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution of File Written or Modified by PDF Reader", + "sha256": "f12a62cb3e7043b37dd8cc3bffbfdeb5a191ac0e33d733d4644b245ac3c8d252", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Execution of File Written or Modified by PDF Reader", + "sha256": 
"f9c0f46093535eefb2c93305395d28e6913ee6c36ed641767b2daec212a19962", + "type": "eql", + "version": 100 }, "1e0b832e-957e-43ae-b319-db82d228c908": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "9a24ad9aff9d1b7e5f0dd32ef47be286477cbe4f2695b212eb665007066eba72", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Storage Account Key Regenerated", - "sha256": "bef3f0b6705e193153c99d5f218502cca9f9cc83ec6d4131a6a5801931050919", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Storage Account Key Regenerated", + "sha256": "9a24ad9aff9d1b7e5f0dd32ef47be286477cbe4f2695b212eb665007066eba72", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Storage Account Key Regenerated", + "sha256": "bef3f0b6705e193153c99d5f218502cca9f9cc83ec6d4131a6a5801931050919", + "type": "query", + "version": 100 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Sudo Activity", - "sha256": "ea35fdcda2944c1f32b9212d1a678d78dbb16552282224aaba7c0cf16fd29716", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Unusual Sudo Activity", - "sha256": "9d82b230918f0db964b2f2e07fca49ec284c7105c28d58018a4d322e5893bca0", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Sudo Activity", + "sha256": "ea35fdcda2944c1f32b9212d1a678d78dbb16552282224aaba7c0cf16fd29716", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Unusual Sudo Activity", + "sha256": "9d82b230918f0db964b2f2e07fca49ec284c7105c28d58018a4d322e5893bca0", + "type": "machine_learning", + "version": 100 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual 
Linux User Calling the Metadata Service", - "sha256": "d8647d38ddacdcf88500083f0009fe8c6bf67cbfa193518c40becdf8c8120be3", - "type": "machine_learning", - "version": 3 - } - }, - "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "0aec86484ab498ecfb07296e0217a2b218976158fc0c2d60ed1d7afa05fbeee4", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Linux User Calling the Metadata Service", + "sha256": "d8647d38ddacdcf88500083f0009fe8c6bf67cbfa193518c40becdf8c8120be3", + "type": "machine_learning", + "version": 3 + } + }, + "rule_name": "Unusual Linux User Calling the Metadata Service", + "sha256": "0aec86484ab498ecfb07296e0217a2b218976158fc0c2d60ed1d7afa05fbeee4", + "type": "machine_learning", + "version": 100 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "d2af4370e5ccb4aabdb1f4ce6b028ddd92fca5b5d6970163ee44af539b870b4e", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Unusual Network Activity from a Windows System Binary", - "sha256": "9ec3a78cfe0b7eab7c138ac49a884c224a00491d0b64c0eee4dbd12493d33e8f", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Network Activity from a Windows System Binary", + "sha256": "d2af4370e5ccb4aabdb1f4ce6b028ddd92fca5b5d6970163ee44af539b870b4e", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Unusual Network Activity from a Windows System Binary", + "sha256": "9ec3a78cfe0b7eab7c138ac49a884c224a00491d0b64c0eee4dbd12493d33e8f", + "type": "eql", + "version": 100 }, "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": 
"e3f47d3e8da634596dad903884e6404a7bd1ca78392299f700ef679f0d8844b9", - "type": "query", - "version": 10 - } - }, - "rule_name": "Exploit - Detected - Elastic Endgame", - "sha256": "95bb907bc085874a3566cc325863a188bd1ac263ddbc008b39980f9e3ff2fd0c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Exploit - Detected - Elastic Endgame", + "sha256": "e3f47d3e8da634596dad903884e6404a7bd1ca78392299f700ef679f0d8844b9", + "type": "query", + "version": 10 + } + }, + "rule_name": "Exploit - Detected - Elastic Endgame", + "sha256": "95bb907bc085874a3566cc325863a188bd1ac263ddbc008b39980f9e3ff2fd0c", + "type": "query", + "version": 100 }, "201200f1-a99b-43fb-88ed-f65a45c4972c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious .NET Code Compilation", - "sha256": "107eb5a4de0ac13cbd117ad1de8746519602749dc797b311ab7bc596399090fc", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Suspicious .NET Code Compilation", - "sha256": "97dc8e7e9d6f7c4863906556b2bf8afa6d1deb8b3274c2f5345b42fd092752ed", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious .NET Code Compilation", + "sha256": "107eb5a4de0ac13cbd117ad1de8746519602749dc797b311ab7bc596399090fc", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Suspicious .NET Code Compilation", + "sha256": "97dc8e7e9d6f7c4863906556b2bf8afa6d1deb8b3274c2f5345b42fd092752ed", + "type": "eql", + "version": 100 }, "203ab79b-239b-4aa5-8e54-fc50623ee8e4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Creation or Modification of Root Certificate", - "sha256": "1832ded92050593610491cfc98ef5d0e93dd09d196b802ee1637443001ac3ff4", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Creation or Modification of Root Certificate", - "sha256": 
"f74c750f35a340377bdedd1e030b78774573d90db73e7f7d4fc56b32a00198c6", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Creation or Modification of Root Certificate", + "sha256": "1832ded92050593610491cfc98ef5d0e93dd09d196b802ee1637443001ac3ff4", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Creation or Modification of Root Certificate", + "sha256": "f74c750f35a340377bdedd1e030b78774573d90db73e7f7d4fc56b32a00198c6", + "type": "eql", + "version": 100 }, "2045567e-b0af-444a-8c0b-0b6e2dae9e13": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "41835cffbde1bc4c8def4abccce017a21640bc560e4e697c6436a6dbaa30ac34", - "type": "query", - "version": 4 - } - }, - "rule_name": "AWS Route 53 Domain Transferred to Another Account", - "sha256": "55fc97b8c86d4bb2f2f3e6223d1c095fd7f23b4a7660daf7731df2327b94b208", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Route 53 Domain Transferred to Another Account", + "sha256": "41835cffbde1bc4c8def4abccce017a21640bc560e4e697c6436a6dbaa30ac34", + "type": "query", + "version": 4 + } + }, + "rule_name": "AWS Route 53 Domain Transferred to Another Account", + "sha256": "55fc97b8c86d4bb2f2f3e6223d1c095fd7f23b4a7660daf7731df2327b94b208", + "type": "query", + "version": 100 }, "20457e4f-d1de-4b92-ae69-142e27a4342a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Access of Stored Browser Credentials", - "sha256": "cc35011933319f19d5d25465cfc6b0b777e0e2c92545b9bd6d47bddd4b8ef7f3", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Access of Stored Browser Credentials", - "sha256": "c4dd5556b1c735614208838e4d7793a0f092cc395477556e31e689ba5af55d42", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + 
"7.16": { + "max_allowable_version": 99, + "rule_name": "Access of Stored Browser Credentials", + "sha256": "cc35011933319f19d5d25465cfc6b0b777e0e2c92545b9bd6d47bddd4b8ef7f3", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Access of Stored Browser Credentials", + "sha256": "c4dd5556b1c735614208838e4d7793a0f092cc395477556e31e689ba5af55d42", + "type": "eql", + "version": 100 }, "208dbe77-01ed-4954-8d44-1e5751cb20de": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "65e99f073be3045a2ed201ca6b6bf32304b1beb501977a009056ee034859e4ec", - "type": "eql", - "version": 5 - } - }, - "rule_name": "LSASS Memory Dump Handle Access", - "sha256": "382d58e6dfe06d1311617f60fd4a251a23cbb5d63ada9943fb89552b5f26411e", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "LSASS Memory Dump Handle Access", + "sha256": "65e99f073be3045a2ed201ca6b6bf32304b1beb501977a009056ee034859e4ec", + "type": "eql", + "version": 5 + } + }, + "rule_name": "LSASS Memory Dump Handle Access", + "sha256": "382d58e6dfe06d1311617f60fd4a251a23cbb5d63ada9943fb89552b5f26411e", + "type": "eql", + "version": 100 }, "20dc4620-3b68-4269-8124-ca5091e00ea8": { - "rule_name": "Auditd Max Login Sessions", - "sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37", - "type": "query", - "version": 100 + "rule_name": "Auditd Max Login Sessions", + "sha256": "70f4efe66d78f8696efee5cf24c949aa421b1983ddb6a69944cae1e300da5a37", + "type": "query", + "version": 100 }, "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "SSH Authorized Keys File Modification", - "sha256": "422509485dcdfc86588db158efa6b71aa506a3a040879ef9d58ff360d9254116", - "type": "query", - "version": 4 - } - }, - "rule_name": "SSH Authorized Keys File Modification", - "sha256": 
"d500e69859e54562c62e1d060e19821d90edced817327043356d83080d8ab622", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "SSH Authorized Keys File Modification", + "sha256": "422509485dcdfc86588db158efa6b71aa506a3a040879ef9d58ff360d9254116", + "type": "query", + "version": 4 + } + }, + "rule_name": "SSH Authorized Keys File Modification", + "sha256": "d500e69859e54562c62e1d060e19821d90edced817327043356d83080d8ab622", + "type": "query", + "version": 100 }, "22599847-5d13-48cb-8872-5796fee8692b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "SUNBURST Command and Control Activity", - "sha256": "4f224e42287dded2b371f213fd94adea7581f4ea593ef8efe14731814f32b26e", - "type": "eql", - "version": 8 - } - }, - "rule_name": "SUNBURST Command and Control Activity", - "sha256": "d33d74f0f5ed0b09a671003ee7a1672cf041ce88e69b9ca69e539dc48869e839", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "SUNBURST Command and Control Activity", + "sha256": "4f224e42287dded2b371f213fd94adea7581f4ea593ef8efe14731814f32b26e", + "type": "eql", + "version": 8 + } + }, + "rule_name": "SUNBURST Command and Control Activity", + "sha256": "d33d74f0f5ed0b09a671003ee7a1672cf041ce88e69b9ca69e539dc48869e839", + "type": "eql", + "version": 100 }, "227dc608-e558-43d9-b521-150772250bae": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "da31d6058850df2e14149234ccfb8f750ccfd1179d4a777dcf2986d6bed1c948", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS S3 Bucket Configuration Deletion", - "sha256": "868f9f8ea7f28d0c9c45f1ef70b0a9a30d72ee674afdc28546b4d8fd7c378dca", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS S3 
Bucket Configuration Deletion", + "sha256": "da31d6058850df2e14149234ccfb8f750ccfd1179d4a777dcf2986d6bed1c948", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS S3 Bucket Configuration Deletion", + "sha256": "868f9f8ea7f28d0c9c45f1ef70b0a9a30d72ee674afdc28546b4d8fd7c378dca", + "type": "query", + "version": 100 }, "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Shell via Web Server", - "sha256": "ad845b271a9ada61e663ccdc1032f4d9c07f07ce757333abfa7b481455026e2d", - "type": "query", - "version": 12 - } - }, - "rule_name": "Potential Shell via Web Server", - "sha256": "7002c42afeb6def92d223533bc109ec84aa817ee6a3f7601504388ec649824c1", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Shell via Web Server", + "sha256": "ad845b271a9ada61e663ccdc1032f4d9c07f07ce757333abfa7b481455026e2d", + "type": "query", + "version": 12 + } + }, + "rule_name": "Potential Shell via Web Server", + "sha256": "7002c42afeb6def92d223533bc109ec84aa817ee6a3f7601504388ec649824c1", + "type": "query", + "version": 100 }, "2326d1b2-9acf-4dee-bd21-867ea7378b4d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "6d0b3a0e08e8e535f4a76760347d2d8c15e7887ae3ac62a39f1dd16b9b27115d", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Storage Bucket Permissions Modification", - "sha256": "13bad850d4d56d9537080bd08d7cf1323cf5493cac34d11400e2586808177847", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Storage Bucket Permissions Modification", + "sha256": "6d0b3a0e08e8e535f4a76760347d2d8c15e7887ae3ac62a39f1dd16b9b27115d", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Storage Bucket Permissions Modification", + 
"sha256": "13bad850d4d56d9537080bd08d7cf1323cf5493cac34d11400e2586808177847", + "type": "query", + "version": 100 }, "2339f03c-f53f-40fa-834b-40c5983fc41f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Kernel module load via insmod", - "sha256": "2c8e5266ab5da1541a55c06d3c261f4a64776941bebe6315ba84a0f6dd0cad62", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Kernel module load via insmod", - "sha256": "02e8ecab9ea6ac8987cdfc3b60e19da17b4ec3615f5a93874ab3308f26429e5a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Kernel module load via insmod", + "sha256": "2c8e5266ab5da1541a55c06d3c261f4a64776941bebe6315ba84a0f6dd0cad62", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Kernel module load via insmod", + "sha256": "02e8ecab9ea6ac8987cdfc3b60e19da17b4ec3615f5a93874ab3308f26429e5a", + "type": "eql", + "version": 100 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Lateral Movement via Startup Folder", - "sha256": "b993dccca52b5d4477a99f7ef9be23ebd2ff8f22e6186ed8f9b33a6b3cb1156b", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Lateral Movement via Startup Folder", - "sha256": "9ad1a9c3f452322adba0046955b76a13b0b567ebd9c842ed48fce9b18dfc57e3", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Lateral Movement via Startup Folder", + "sha256": "b993dccca52b5d4477a99f7ef9be23ebd2ff8f22e6186ed8f9b33a6b3cb1156b", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Lateral Movement via Startup Folder", + "sha256": "9ad1a9c3f452322adba0046955b76a13b0b567ebd9c842ed48fce9b18dfc57e3", + "type": "eql", + "version": 100 }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Blob Container Access Level 
Modification", - "sha256": "7602867c71364d35f82ca94e41c81d3d9f612df26487ff881a23b5545d15836b", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Blob Container Access Level Modification", - "sha256": "d51872339b331d3547a459099f4407a540ce502c4bf2039f54fd5e157d7f7fc8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Blob Container Access Level Modification", + "sha256": "7602867c71364d35f82ca94e41c81d3d9f612df26487ff881a23b5545d15836b", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Blob Container Access Level Modification", + "sha256": "d51872339b331d3547a459099f4407a540ce502c4bf2039f54fd5e157d7f7fc8", + "type": "query", + "version": 100 }, "265db8f5-fc73-4d0d-b434-6483b56372e2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "819355eaae5de0d1efaf7e63f85a97b5c3f010d3afeff305b789336f94202b64", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Persistence via Update Orchestrator Service Hijack", - "sha256": "c26b7c08065554bbc3fd0106cdbc29198287f6f8784575135b2d2fcefdabf6d2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via Update Orchestrator Service Hijack", + "sha256": "819355eaae5de0d1efaf7e63f85a97b5c3f010d3afeff305b789336f94202b64", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Persistence via Update Orchestrator Service Hijack", + "sha256": "c26b7c08065554bbc3fd0106cdbc29198287f6f8784575135b2d2fcefdabf6d2", + "type": "eql", + "version": 100 }, "26edba02-6979-4bce-920a-70b080a7be81": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", - "sha256": "6800b997e4c2e3b643fe0522e8af631880e58d352b074b99f40bf8fb49b14314", - "type": "query", - 
"version": 4 - } - }, - "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", - "sha256": "eabd3d3d0f64bb20f419339688944736fd47405cae20f898a43ec2fc85b01de5", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", + "sha256": "6800b997e4c2e3b643fe0522e8af631880e58d352b074b99f40bf8fb49b14314", + "type": "query", + "version": 4 + } + }, + "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic", + "sha256": "eabd3d3d0f64bb20f419339688944736fd47405cae20f898a43ec2fc85b01de5", + "type": "query", + "version": 100 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "c4f5f357386b15ba28af1de205a888deaf0e001d60f39435751bee223fbc3cb7", - "type": "threshold", - "version": 10 - } - }, - "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "9401b75236db68cd9cc6b95298e0c058e8bddfbc598bfe19ac9d3821904450c7", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", + "sha256": "c4f5f357386b15ba28af1de205a888deaf0e001d60f39435751bee223fbc3cb7", + "type": "threshold", + "version": 10 + } + }, + "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", + "sha256": "9401b75236db68cd9cc6b95298e0c058e8bddfbc598bfe19ac9d3821904450c7", + "type": "threshold", + "version": 100 }, "272a6484-2663-46db-a532-ef734bf9a796": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange Transport Rule Modification", - "sha256": "065b6a9a53f1b0d420bf42e2a57ce12b9f77684422e6dd59b66a0ad77e2b9aab", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Exchange 
Transport Rule Modification", - "sha256": "f0d2392b5756282cd0987d6dc90550d4680e9718bfe0e97ba517f6c619e22cfc", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange Transport Rule Modification", + "sha256": "065b6a9a53f1b0d420bf42e2a57ce12b9f77684422e6dd59b66a0ad77e2b9aab", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Exchange Transport Rule Modification", + "sha256": "f0d2392b5756282cd0987d6dc90550d4680e9718bfe0e97ba517f6c619e22cfc", + "type": "query", + "version": 100 }, "2772264c-6fb9-4d9d-9014-b416eed21254": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "089d0ecdbcb613691dc9e414c064213c63e11df6eac4880f3ee5199aa9072446", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Incoming Execution via PowerShell Remoting", - "sha256": "a452d8013223170883e9dfe54e40a70f096c56809ee6f00b4b3b3bed88923cea", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Incoming Execution via PowerShell Remoting", + "sha256": "089d0ecdbcb613691dc9e414c064213c63e11df6eac4880f3ee5199aa9072446", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Incoming Execution via PowerShell Remoting", + "sha256": "a452d8013223170883e9dfe54e40a70f096c56809ee6f00b4b3b3bed88923cea", + "type": "eql", + "version": 100 }, "2783d84f-5091-4d7d-9319-9fceda8fa71b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Firewall Rule Modification", - "sha256": "66e3eceb3d773269f1d0fd6a4e447eacdb2003685a2e44f54df142b50f7dcbac", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Firewall Rule Modification", - "sha256": "fccaa904f802277b7009a410145e95e6124f88c8daaede709907851290d338b1", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + 
"previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Firewall Rule Modification", + "sha256": "66e3eceb3d773269f1d0fd6a4e447eacdb2003685a2e44f54df142b50f7dcbac", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Firewall Rule Modification", + "sha256": "fccaa904f802277b7009a410145e95e6124f88c8daaede709907851290d338b1", + "type": "query", + "version": 100 }, "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "2cf5e365a6fd347095c38267456d4deb4f7645f703c0df2c7777da604f4de7db", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Teams External Access Enabled", - "sha256": "59f72647630785fb2d391210c03d5fd612a72ba3a8bfe38c766bb7d53e161432", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Teams External Access Enabled", + "sha256": "2cf5e365a6fd347095c38267456d4deb4f7645f703c0df2c7777da604f4de7db", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Teams External Access Enabled", + "sha256": "59f72647630785fb2d391210c03d5fd612a72ba3a8bfe38c766bb7d53e161432", + "type": "query", + "version": 100 }, "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Account Password Reset Remotely", - "sha256": "ddef55a84fc5714b3eed06cab34766ed8096ead0f5d7f47aef40646e7c4de3c8", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Account Password Reset Remotely", - "sha256": "366853c0df9537317d7b8251ee2c51f083128394041665377f22dd63ed7104ae", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Account Password Reset Remotely", + "sha256": "ddef55a84fc5714b3eed06cab34766ed8096ead0f5d7f47aef40646e7c4de3c8", + "type": "eql", + "version": 
6 + } + }, + "rule_name": "Account Password Reset Remotely", + "sha256": "366853c0df9537317d7b8251ee2c51f083128394041665377f22dd63ed7104ae", + "type": "eql", + "version": 100 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "5176f711c953c51b47e31b596f2230e9cfd42b8195fe45785435a85f712b6fda", - "type": "eql", - "version": 15 - } - }, - "rule_name": "Account Discovery Command via SYSTEM Account", - "sha256": "e8ae7f22635132da7b5bf3533b25a8dc4f4f40bf2f7211baf9eeafdade399681", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Account Discovery Command via SYSTEM Account", + "sha256": "5176f711c953c51b47e31b596f2230e9cfd42b8195fe45785435a85f712b6fda", + "type": "eql", + "version": 15 + } + }, + "rule_name": "Account Discovery Command via SYSTEM Account", + "sha256": "e8ae7f22635132da7b5bf3533b25a8dc4f4f40bf2f7211baf9eeafdade399681", + "type": "eql", + "version": 100 }, "2863ffeb-bf77-44dd-b7a5-93ef94b72036": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "282272412a4945d5f698bd3f4e9469c69c4e54b7270e15886a8e6a3fb00b4bc9", - "type": "query", - "version": 10 - } - }, - "rule_name": "Exploit - Prevented - Elastic Endgame", - "sha256": "27305767d7089a0c2bead91f22c1603ce3948e10ed90397be8c2155689b3ed24", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Exploit - Prevented - Elastic Endgame", + "sha256": "282272412a4945d5f698bd3f4e9469c69c4e54b7270e15886a8e6a3fb00b4bc9", + "type": "query", + "version": 10 + } + }, + "rule_name": "Exploit - Prevented - Elastic Endgame", + "sha256": "27305767d7089a0c2bead91f22c1603ce3948e10ed90397be8c2155689b3ed24", + "type": "query", + "version": 100 }, 
"28896382-7d4f-4d50-9b72-67091901fd26": { - "rule_name": "Suspicious Process from Conhost", - "sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79", - "type": "eql", - "version": 100 + "rule_name": "Suspicious Process from Conhost", + "sha256": "166baa4ec5aa318e31032e58e6481323c9332f11eb53f214bfdd71b0ec7e2a79", + "type": "eql", + "version": 100 }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "36dc480e5ec70e4c9af74ef68d2a6fd570f93d92e8df822b4b7545dea44a8cc9", - "type": "query", - "version": 7 - } - }, - "rule_name": "AWS Security Group Configuration Change Detection", - "sha256": "5be1de2e3af44cc0cbc167f1d7f1c90ff48444098d0c24135c9dc6c35e832acc", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Security Group Configuration Change Detection", + "sha256": "36dc480e5ec70e4c9af74ef68d2a6fd570f93d92e8df822b4b7545dea44a8cc9", + "type": "query", + "version": 7 + } + }, + "rule_name": "AWS Security Group Configuration Change Detection", + "sha256": "5be1de2e3af44cc0cbc167f1d7f1c90ff48444098d0c24135c9dc6c35e832acc", + "type": "query", + "version": 100 }, "290aca65-e94d-403b-ba0f-62f320e63f51": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "72859e3a7a189ce94083d0382f1e220a0040974a14e143acd3d47e2ba1f8c8f8", - "type": "eql", - "version": 8 - } - }, - "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", - "sha256": "cb7a286a493a075d27124fed9b54fdefbbdffc431f1ab7013cb3cc43a84cb5a6", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", + "sha256": 
"72859e3a7a189ce94083d0382f1e220a0040974a14e143acd3d47e2ba1f8c8f8", + "type": "eql", + "version": 8 + } + }, + "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading", + "sha256": "cb7a286a493a075d27124fed9b54fdefbbdffc431f1ab7013cb3cc43a84cb5a6", + "type": "eql", + "version": 100 }, "2917d495-59bd-4250-b395-c29409b76086": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Webshell Detection: Script Process Child of Common Web Processes", - "sha256": "0b3202a976dc29f3f75c66ab052467c3444264673daa31059d3f7d66a50b5132", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Webshell Detection: Script Process Child of Common Web Processes", - "sha256": "8cc89a2f3954e9a94d134551b2c7e35824ddb4b0953aec193a7ccde465ac6c28", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Webshell Detection: Script Process Child of Common Web Processes", + "sha256": "0b3202a976dc29f3f75c66ab052467c3444264673daa31059d3f7d66a50b5132", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Webshell Detection: Script Process Child of Common Web Processes", + "sha256": "8cc89a2f3954e9a94d134551b2c7e35824ddb4b0953aec193a7ccde465ac6c28", + "type": "eql", + "version": 100 }, "291a0de9-937a-4189-94c0-3e847c8b13e4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "a1e315972da4cc09efd55ced26e8c184ed87d6fb66a809b7e9084bfa8cca6b46", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "2030c51413f73e84fd0d55c42d0dd2900b52766611dc614dd8dd7703db35ced1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Enumeration of Privileged Local Groups Membership", + "sha256": "a1e315972da4cc09efd55ced26e8c184ed87d6fb66a809b7e9084bfa8cca6b46", 
+ "type": "eql", + "version": 7 + } + }, + "rule_name": "Enumeration of Privileged Local Groups Membership", + "sha256": "2030c51413f73e84fd0d55c42d0dd2900b52766611dc614dd8dd7703db35ced1", + "type": "eql", + "version": 100 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { - "min_stack_version": "8.3", - "previous": { - "8.2": { - "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "c0ee6425ca26e268371a5176086ec5beb58fc8ceae2a33daf00d09b473fc448c", - "type": "query", - "version": 3 - } - }, - "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", - "sha256": "178a7bac7a538fcdc72434c1e7d6d9c9f1698802fb94817047bbf1d0f39da540", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "8.2": { + "max_allowable_version": 99, + "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", + "sha256": "c0ee6425ca26e268371a5176086ec5beb58fc8ceae2a33daf00d09b473fc448c", + "type": "query", + "version": 3 + } + }, + "rule_name": "Kubernetes Pod created with a Sensitive hostPath Volume", + "sha256": "178a7bac7a538fcdc72434c1e7d6d9c9f1698802fb94817047bbf1d0f39da540", + "type": "query", + "version": 100 }, "2bf78aa2-9c56-48de-b139-f169bf99cf86": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Adobe Hijack Persistence", - "sha256": "b178ab23fa3f6c3794d7488ad3ced9780881fa75a10c9608be3649149c5b7a1b", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Adobe Hijack Persistence", - "sha256": "5a2f33680f5d3113713dd626971011549b97cc2b4350b07969eb59c02e9ee152", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Adobe Hijack Persistence", + "sha256": "b178ab23fa3f6c3794d7488ad3ced9780881fa75a10c9608be3649149c5b7a1b", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Adobe Hijack Persistence", + "sha256": "5a2f33680f5d3113713dd626971011549b97cc2b4350b07969eb59c02e9ee152", + "type": 
"eql", + "version": 100 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "46ccc5f940c4ecc1081a55bc5b907463b5f4a03443c2584c7ff5d4444897c325", - "type": "eql", - "version": 11 - } - }, - "rule_name": "Windows Defender Exclusions Added via PowerShell", - "sha256": "088e485e3d1aeb759eb92a66555505e50734785025cc47355e17829f84d82169", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Windows Defender Exclusions Added via PowerShell", + "sha256": "46ccc5f940c4ecc1081a55bc5b907463b5f4a03443c2584c7ff5d4444897c325", + "type": "eql", + "version": 11 + } + }, + "rule_name": "Windows Defender Exclusions Added via PowerShell", + "sha256": "088e485e3d1aeb759eb92a66555505e50734785025cc47355e17829f84d82169", + "type": "eql", + "version": 100 }, "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "a50a568f3977633c70f5057540c6eb4a81c8426cf8b417ec8d4d2be3fc4cd1f3", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", - "sha256": "9800bb69eecbff93889cc684d748b20774e825ee009dcc9cfddc9c0c0393e7e5", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", + "sha256": "a50a568f3977633c70f5057540c6eb4a81c8426cf8b417ec8d4d2be3fc4cd1f3", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution", + "sha256": "9800bb69eecbff93889cc684d748b20774e825ee009dcc9cfddc9c0c0393e7e5", + "type": "eql", + "version": 100 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - 
"rule_name": "Enumeration of Kernel Modules", - "sha256": "f78114d6df86b5c2843abb41b8c64f807f94962e9ac46f1e19b5775d401ce38b", - "type": "query", - "version": 8 - } - }, - "rule_name": "Enumeration of Kernel Modules", - "sha256": "03683b876a96a5fe0dd98bb1c35c92bcdae7b8a549404c7c78008beb2242f655", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Enumeration of Kernel Modules", + "sha256": "f78114d6df86b5c2843abb41b8c64f807f94962e9ac46f1e19b5775d401ce38b", + "type": "query", + "version": 8 + } + }, + "rule_name": "Enumeration of Kernel Modules", + "sha256": "03683b876a96a5fe0dd98bb1c35c92bcdae7b8a549404c7c78008beb2242f655", + "type": "query", + "version": 100 }, "2dd480be-1263-4d9c-8672-172928f6789a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "b769e06899d9619b0a54a288034e007dcc8ea8a8401422cf67dba285e087b633", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Suspicious Process Access via Direct System Call", - "sha256": "bc4e5b17b420342831d86fc15f5d8cef6867bf094c8f2724fac70a4b7ed13bc0", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Process Access via Direct System Call", + "sha256": "b769e06899d9619b0a54a288034e007dcc8ea8a8401422cf67dba285e087b633", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Suspicious Process Access via Direct System Call", + "sha256": "bc4e5b17b420342831d86fc15f5d8cef6867bf094c8f2724fac70a4b7ed13bc0", + "type": "eql", + "version": 100 }, "2de10e77-c144-4e69-afb7-344e7127abd0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "O365 Excessive Single Sign-On Logon Errors", - "sha256": "9427e6829127b009d4e0423ca57d1ef4fa2e36f94ee01872755bcb8028c4135a", - "type": "threshold", - "version": 7 - } - }, - "rule_name": "O365 
Excessive Single Sign-On Logon Errors", - "sha256": "b02f5f9fa6087a2849f387d80535cd323b4f97862415a4ecc8f09d0aed319468", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "O365 Excessive Single Sign-On Logon Errors", + "sha256": "9427e6829127b009d4e0423ca57d1ef4fa2e36f94ee01872755bcb8028c4135a", + "type": "threshold", + "version": 7 + } + }, + "rule_name": "O365 Excessive Single Sign-On Logon Errors", + "sha256": "b02f5f9fa6087a2849f387d80535cd323b4f97862415a4ecc8f09d0aed319468", + "type": "threshold", + "version": 100 }, "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "8acf72dc610beddfe319ee7a8c6fb03105880620d6c3c0d1a9863e0370b598e3", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Renamed AutoIt Scripts Interpreter", - "sha256": "5c32cbb481613e7aaa4f329f37af1c5f6e0b9085744a72a79a6cdc7ab4d208eb", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Renamed AutoIt Scripts Interpreter", + "sha256": "8acf72dc610beddfe319ee7a8c6fb03105880620d6c3c0d1a9863e0370b598e3", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Renamed AutoIt Scripts Interpreter", + "sha256": "5c32cbb481613e7aaa4f329f37af1c5f6e0b9085744a72a79a6cdc7ab4d208eb", + "type": "eql", + "version": 100 }, "2e29e96a-b67c-455a-afe4-de6183431d0d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Process Injection via PowerShell", - "sha256": "cc671371e4839eb14f885ef52c5e4762055d1a8fd43f3bdd3f2b209cbbddbcdd", - "type": "query", - "version": 8 - } - }, - "rule_name": "Potential Process Injection via PowerShell", - "sha256": "309aecd37f11dd3b2be99b60a7cdd396aa3fe063de5b5661080c78eb6431c22b", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": 
{ + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Process Injection via PowerShell", + "sha256": "cc671371e4839eb14f885ef52c5e4762055d1a8fd43f3bdd3f2b209cbbddbcdd", + "type": "query", + "version": 8 + } + }, + "rule_name": "Potential Process Injection via PowerShell", + "sha256": "309aecd37f11dd3b2be99b60a7cdd396aa3fe063de5b5661080c78eb6431c22b", + "type": "query", + "version": 100 }, "2e580225-2a58-48ef-938b-572933be06fe": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954", - "type": "query", - "version": 6 - } - }, - "rule_name": "Halfbaked Command and Control Beacon", - "sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Halfbaked Command and Control Beacon", + "sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954", + "type": "query", + "version": 6 + } + }, + "rule_name": "Halfbaked Command and Control Beacon", + "sha256": "85ef581fbbbf8ee9caeac93bf4e6a8fb80e01ff41ddc66b44474e8ddd9c66954", + "type": "query", + "version": 100 }, "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Creation of a Hidden Local User Account", - "sha256": "db902f8c25b3bb1600a3e7e89328228a086bbda8655946640882d39f011d2162", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Creation of a Hidden Local User Account", - "sha256": "b1bc45715ad3f67d0873f1022390ee9e80f1d55f616dea411a2a50739a1e271d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Creation of a Hidden Local User Account", + "sha256": "db902f8c25b3bb1600a3e7e89328228a086bbda8655946640882d39f011d2162", + "type": "eql", + 
"version": 7 + } + }, + "rule_name": "Creation of a Hidden Local User Account", + "sha256": "b1bc45715ad3f67d0873f1022390ee9e80f1d55f616dea411a2a50739a1e271d", + "type": "eql", + "version": 100 }, "2f0bae2d-bf20-4465-be86-1311addebaa3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Kubernetes Rolebindings Created or Patched", - "sha256": "b8e4625040554d5c1f2451a70b6f3e297aa34486444490e23fe522132ac22254", - "type": "query", - "version": 5 - } - }, - "rule_name": "GCP Kubernetes Rolebindings Created or Patched", - "sha256": "6d93060f9b9e8a8cef362846ea83b74bbfd9356f08524feb784b76ba45cd90ea", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Kubernetes Rolebindings Created or Patched", + "sha256": "b8e4625040554d5c1f2451a70b6f3e297aa34486444490e23fe522132ac22254", + "type": "query", + "version": 5 + } + }, + "rule_name": "GCP Kubernetes Rolebindings Created or Patched", + "sha256": "6d93060f9b9e8a8cef362846ea83b74bbfd9356f08524feb784b76ba45cd90ea", + "type": "query", + "version": 100 }, "2f2f4939-0b34-40c2-a0a3-844eb7889f43": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "783f7f7d5000b69b13e7a69593dcfa30f5a6f3718b7709cc35c9a861f5e79aac", - "type": "query", - "version": 9 - } - }, - "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", - "sha256": "8c3c41ca109dd2dea80139090de9ce09e5fae9f0a5e0318894115d944a8dd281", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", + "sha256": "783f7f7d5000b69b13e7a69593dcfa30f5a6f3718b7709cc35c9a861f5e79aac", + "type": "query", + "version": 9 + } + }, + "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities", + 
"sha256": "8c3c41ca109dd2dea80139090de9ce09e5fae9f0a5e0318894115d944a8dd281", + "type": "query", + "version": 100 }, "2f8a1226-5720-437d-9c20-e0029deb6194": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Disable Syslog Service", - "sha256": "dfe5b7e2dfdfef3b551d95c11686821ad9a6ac5e23d9c1fdf901d716bc7969e6", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Disable Syslog Service", - "sha256": "3007982e48712f1a2dce9b7569e767c68d4325b6964c8ecb84df17d31245deb0", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Disable Syslog Service", + "sha256": "dfe5b7e2dfdfef3b551d95c11686821ad9a6ac5e23d9c1fdf901d716bc7969e6", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Disable Syslog Service", + "sha256": "3007982e48712f1a2dce9b7569e767c68d4325b6964c8ecb84df17d31245deb0", + "type": "query", + "version": 100 }, "2fba96c0-ade5-4bce-b92f-a5df2509da3f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "7cfa769e4622b0dcaa8fd6d4d1dfab115f59e2ad039c747fb202045f037bc07c", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Startup Folder Persistence via Unsigned Process", - "sha256": "ba6e81101e448cdaa0f2968b2b2f589da1939eeb5f26681d43e8df9462235880", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Startup Folder Persistence via Unsigned Process", + "sha256": "7cfa769e4622b0dcaa8fd6d4d1dfab115f59e2ad039c747fb202045f037bc07c", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Startup Folder Persistence via Unsigned Process", + "sha256": "ba6e81101e448cdaa0f2968b2b2f589da1939eeb5f26681d43e8df9462235880", + "type": "eql", + "version": 100 }, "2ffa1f1e-b6db-47fa-994b-1512743847eb": { - "min_stack_version": "8.3", - 
"previous": { - "7.16": { - "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "c63aadf9db63ccaf7ddbf7b7161c6cee10ab37bc1bfd97c9dcdfd673409e876d", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Windows Defender Disabled via Registry Modification", - "sha256": "343cfcace027b26bad90dbe6afee1851712f4891b988d569df88061f6dd33a46", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Windows Defender Disabled via Registry Modification", + "sha256": "c63aadf9db63ccaf7ddbf7b7161c6cee10ab37bc1bfd97c9dcdfd673409e876d", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Windows Defender Disabled via Registry Modification", + "sha256": "343cfcace027b26bad90dbe6afee1851712f4891b988d569df88061f6dd33a46", + "type": "eql", + "version": 100 }, "30562697-9859-4ae0-a8c5-dab45d664170": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Firewall Rule Creation", - "sha256": "ff221c9a9ebc80ae9b08b0f866baa376ad28f3c06c3745cddbd372115ad46b77", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Firewall Rule Creation", - "sha256": "2efaa38f1a46d34342b330869668b129aa0e7132c81917d956eb81ae46cda437", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Firewall Rule Creation", + "sha256": "ff221c9a9ebc80ae9b08b0f866baa376ad28f3c06c3745cddbd372115ad46b77", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Firewall Rule Creation", + "sha256": "2efaa38f1a46d34342b330869668b129aa0e7132c81917d956eb81ae46cda437", + "type": "query", + "version": 100 }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Agent Spoofing - Mismatched Agent ID", - "sha256": "d067277b6d08d5e3fe395beecf2eb4a88a5ca6ae5691b52a1d334bae5e23661e", - "type": "query", - "version": 5 - } - }, - 
"rule_name": "Agent Spoofing - Mismatched Agent ID", - "sha256": "10c613afa51415b16d20d908959aff6312558e02c66d990e5bed76cd9736396f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Agent Spoofing - Mismatched Agent ID", + "sha256": "d067277b6d08d5e3fe395beecf2eb4a88a5ca6ae5691b52a1d334bae5e23661e", + "type": "query", + "version": 5 + } + }, + "rule_name": "Agent Spoofing - Mismatched Agent ID", + "sha256": "10c613afa51415b16d20d908959aff6312558e02c66d990e5bed76cd9736396f", + "type": "query", + "version": 100 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "943fea62ed46d1726416acf34d120b55397d708ea2908776307bfd1cc2ef6bb4", - "type": "query", - "version": 8 - } - }, - "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", - "sha256": "1979684ec4fdb9241b70f9812314315e8c66b3b3520c99d68078a4dd7359b551", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", + "sha256": "943fea62ed46d1726416acf34d120b55397d708ea2908776307bfd1cc2ef6bb4", + "type": "query", + "version": 8 + } + }, + "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", + "sha256": "1979684ec4fdb9241b70f9812314315e8c66b3b3520c99d68078a4dd7359b551", + "type": "query", + "version": 100 }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Bypass UAC via Event Viewer", - "sha256": "364cb88794750124cf291c05db0ec791a411800f8b5a0892215efa1b21ac7168", - "type": "eql", - "version": 13 - } - }, - "rule_name": "Bypass UAC via Event Viewer", - "sha256": "068c92f5c8e30f0c69131ac3eaee0a607fea95ece60e0a1df3bb995f43f679c4", - "type": "eql", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Bypass UAC via Event Viewer", + "sha256": "364cb88794750124cf291c05db0ec791a411800f8b5a0892215efa1b21ac7168", + "type": "eql", + "version": 13 + } + }, + "rule_name": "Bypass UAC via Event Viewer", + "sha256": "068c92f5c8e30f0c69131ac3eaee0a607fea95ece60e0a1df3bb995f43f679c4", + "type": "eql", + "version": 100 }, "3202e172-01b1-4738-a932-d024c514ba72": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "d733a231bb4bb41883ff22688ac80673160772a01a9cb0a01d30d6f82de76a83", - "type": "query", - "version": 9 - } - }, - "rule_name": "GCP Pub/Sub Topic Deletion", - "sha256": "9d9731baf6e3c9b5ce561a821f35e3b7a5bbe2531d5d49245b03d4afefd8a489", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Pub/Sub Topic Deletion", + "sha256": "d733a231bb4bb41883ff22688ac80673160772a01a9cb0a01d30d6f82de76a83", + "type": "query", + "version": 9 + } + }, + "rule_name": "GCP Pub/Sub Topic Deletion", + "sha256": "9d9731baf6e3c9b5ce561a821f35e3b7a5bbe2531d5d49245b03d4afefd8a489", + "type": "query", + "version": 100 }, "323cb487-279d-4218-bcbd-a568efe930c6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Network Watcher Deletion", - "sha256": "95f906464f7aea6a76e1cb3ac05699945bc15d2fe8449f4971b45ce615ccc662", - "type": "query", - "version": 9 - } - }, - "rule_name": "Azure Network Watcher Deletion", - "sha256": "9a41e06817347a17572dc03234248e5e26d5ab8c057eb554ce6d670e15fb83dd", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Network Watcher Deletion", + "sha256": "95f906464f7aea6a76e1cb3ac05699945bc15d2fe8449f4971b45ce615ccc662", + "type": "query", + "version": 9 + } + }, + "rule_name": "Azure Network 
Watcher Deletion", + "sha256": "9a41e06817347a17572dc03234248e5e26d5ab8c057eb554ce6d670e15fb83dd", + "type": "query", + "version": 100 }, "32923416-763a-4531-bb35-f33b9232ecdb": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "a24945bab294eaacfcf22ab684f83b21b48698fc1861f44d1ac9c1c11fc23181", - "type": "query", - "version": 13 - } - }, - "rule_name": "RPC (Remote Procedure Call) to the Internet", - "sha256": "6e1b6cf51240cf453c37dad7191ec4cdc1fb33672d8965a73e4a0bfd65b82ec0", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "RPC (Remote Procedure Call) to the Internet", + "sha256": "a24945bab294eaacfcf22ab684f83b21b48698fc1861f44d1ac9c1c11fc23181", + "type": "query", + "version": 13 + } + }, + "rule_name": "RPC (Remote Procedure Call) to the Internet", + "sha256": "6e1b6cf51240cf453c37dad7191ec4cdc1fb33672d8965a73e4a0bfd65b82ec0", + "type": "query", + "version": 100 }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Program Files Directory Masquerading", - "sha256": "c2b106c6d1f8fe88d7d17a876ffb805d98a7ff98312c1a0b063079ade73aace4", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Program Files Directory Masquerading", - "sha256": "5385a0f0781bc406c13e7ece8fa9d16b8c126277b4b7b7e32401885937073810", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Program Files Directory Masquerading", + "sha256": "c2b106c6d1f8fe88d7d17a876ffb805d98a7ff98312c1a0b063079ade73aace4", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Program Files Directory Masquerading", + "sha256": "5385a0f0781bc406c13e7ece8fa9d16b8c126277b4b7b7e32401885937073810", + "type": "eql", + "version": 100 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { - 
"min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "cad3761270f406d3de6f1b31a7af654c06ff4ad72de8f0cc56f72056b56bb3c1", - "type": "eql", - "version": 13 - } - }, - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "11e1b412fb1d15937ec2238742035c4c44f6f2e6263fd772b5ec902b2e596f22", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious MS Outlook Child Process", + "sha256": "cad3761270f406d3de6f1b31a7af654c06ff4ad72de8f0cc56f72056b56bb3c1", + "type": "eql", + "version": 13 + } + }, + "rule_name": "Suspicious MS Outlook Child Process", + "sha256": "11e1b412fb1d15937ec2238742035c4c44f6f2e6263fd772b5ec902b2e596f22", + "type": "eql", + "version": 100 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS IAM User Addition to Group", - "sha256": "c9c22a0c2b777489ba4b3aa4c246cf6aaffaebdae98094cdd4039d9331d30f9c", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS IAM User Addition to Group", - "sha256": "82558f0d69b0a23d533d2ab57d661a858cb205ac3257196f4984150373f3078c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS IAM User Addition to Group", + "sha256": "c9c22a0c2b777489ba4b3aa4c246cf6aaffaebdae98094cdd4039d9331d30f9c", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS IAM User Addition to Group", + "sha256": "82558f0d69b0a23d533d2ab57d661a858cb205ac3257196f4984150373f3078c", + "type": "query", + "version": 100 }, "33f306e8-417c-411b-965c-c2812d6d3f4d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote File Download via PowerShell", - "sha256": "ce6834d9dafd66f45445b3fb0a4245eed24500579f2af85682e5e6571a13435e", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Remote 
File Download via PowerShell", - "sha256": "bb480a0099fe3a0a60f3446c0106054446235abfab255fa49d6801aaefbd319c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote File Download via PowerShell", + "sha256": "ce6834d9dafd66f45445b3fb0a4245eed24500579f2af85682e5e6571a13435e", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Remote File Download via PowerShell", + "sha256": "bb480a0099fe3a0a60f3446c0106054446235abfab255fa49d6801aaefbd319c", + "type": "eql", + "version": 100 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Telnet Port Activity", - "sha256": "3dd4a438c915920e6ddb0a5212603af5d94fb8a6b51a32f223d930d7e3becb89", - "type": "query", - "version": 11 - }, - "8.2": { - "rule_name": "Telnet Port Activity", - "sha256": "b0bdfa73639226fb83eadc0303ad1801e0707743f96a36209aa58228d3bf6a89", - "type": "query", - "version": 14 - } - }, - "rule_name": "Telnet Port Activity", - "sha256": "51ac5d0b9e729adae08b0ac327ccba30881f6e1f4f2922f64df9fb2e88c9575c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 13, + "rule_name": "Telnet Port Activity", + "sha256": "3dd4a438c915920e6ddb0a5212603af5d94fb8a6b51a32f223d930d7e3becb89", + "type": "query", + "version": 11 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "Telnet Port Activity", + "sha256": "b0bdfa73639226fb83eadc0303ad1801e0707743f96a36209aa58228d3bf6a89", + "type": "query", + "version": 14 + } + }, + "rule_name": "Telnet Port Activity", + "sha256": "51ac5d0b9e729adae08b0ac327ccba30881f6e1f4f2922f64df9fb2e88c9575c", + "type": "query", + "version": 100 }, "35330ba2-c859-4c98-8b7f-c19159ea0e58": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": 
"244d04452b6c549e3bdb8a09990c159076e5b753b56ecd32209f2812d411b7f0", - "type": "query", - "version": 3 - } - }, - "rule_name": "Execution via Electron Child Process Node.js Module", - "sha256": "c02355a58778b3164e47eb2fe4dcca11c95bd0b4829fc967ca23e910651ee41b", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution via Electron Child Process Node.js Module", + "sha256": "244d04452b6c549e3bdb8a09990c159076e5b753b56ecd32209f2812d411b7f0", + "type": "query", + "version": 3 + } + }, + "rule_name": "Execution via Electron Child Process Node.js Module", + "sha256": "c02355a58778b3164e47eb2fe4dcca11c95bd0b4829fc967ca23e910651ee41b", + "type": "query", + "version": 100 }, "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Port Forwarding Rule Addition", - "sha256": "8bc206952bdfb0f4a3e80173859884ddc65ed10c87622cf11b8a074a6d6bb7b7", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Port Forwarding Rule Addition", - "sha256": "2faacebac328480c1a53b3958e1f5bed2b09a2c0d641f75e17937a491033b986", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Port Forwarding Rule Addition", + "sha256": "8bc206952bdfb0f4a3e80173859884ddc65ed10c87622cf11b8a074a6d6bb7b7", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Port Forwarding Rule Addition", + "sha256": "2faacebac328480c1a53b3958e1f5bed2b09a2c0d641f75e17937a491033b986", + "type": "eql", + "version": 100 }, "35df0dd8-092d-4a83-88c1-5151a804f31b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Parent-Child Relationship", - "sha256": "7c5a48d477f750354508c02ec3d9004066b56b5ce2c688d01d44c7cd329e9787", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Unusual Parent-Child Relationship", - "sha256": 
"af8852b1023601234ff897b8f5d1eeb58d02cb81ee32f46547b91478cddbba5d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Parent-Child Relationship", + "sha256": "7c5a48d477f750354508c02ec3d9004066b56b5ce2c688d01d44c7cd329e9787", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Unusual Parent-Child Relationship", + "sha256": "af8852b1023601234ff897b8f5d1eeb58d02cb81ee32f46547b91478cddbba5d", + "type": "eql", + "version": 100 }, "35f86980-1fb1-4dff-b311-3be941549c8d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Network Traffic to Rare Destination Country", + "sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Network Traffic to Rare Destination Country", + "sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a", + "type": "machine_learning", + "version": 100 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { - "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", - "sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3", - "type": "eql", - "version": 100 + "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", + "sha256": "b7b6b739b9fc792afe27f022163d52b96501aec86dff5a7aa67b1ca17ecd47b3", + "type": "eql", + "version": 100 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { - 
"min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Process Started from Process ID (PID) File", - "sha256": "fb229621998495e7b0380c1bc096587e6dd9344371b3f2be0cfc6c4dcca4c3d8", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Process Started from Process ID (PID) File", - "sha256": "e8ea41815ee4f0e3001c542877739a0c31993fd8f340a30c227e83e1227a5b44", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Process Started from Process ID (PID) File", + "sha256": "fb229621998495e7b0380c1bc096587e6dd9344371b3f2be0cfc6c4dcca4c3d8", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Process Started from Process ID (PID) File", + "sha256": "e8ea41815ee4f0e3001c542877739a0c31993fd8f340a30c227e83e1227a5b44", + "type": "eql", + "version": 100 }, "36a8e048-d888-4f61-a8b9-0f9e2e40f317": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "7aa10957a516fe37a541e25ea0eb405baa887338b7cd95b080d7cb5f496e3eee", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Suspicious ImagePath Service Creation", - "sha256": "ac78614bd3094562a1560a2ade267a06ee2169a3a4863bcd4b011c3b3ce89fb5", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious ImagePath Service Creation", + "sha256": "7aa10957a516fe37a541e25ea0eb405baa887338b7cd95b080d7cb5f496e3eee", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Suspicious ImagePath Service Creation", + "sha256": "ac78614bd3094562a1560a2ade267a06ee2169a3a4863bcd4b011c3b3ce89fb5", + "type": "eql", + "version": 100 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS RDS Security Group Creation", - "sha256": "25100adc67a2737ddd09ab2dd8c635399ad873710c0242f0e6afa3e58e3d979c", - "type": "query", - 
"version": 6 - } - }, - "rule_name": "AWS RDS Security Group Creation", - "sha256": "722a66f40e6153b12544431635f167f5dbd5b4edf250e483143ed9e6e8301d9c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS RDS Security Group Creation", + "sha256": "25100adc67a2737ddd09ab2dd8c635399ad873710c0242f0e6afa3e58e3d979c", + "type": "query", + "version": 6 + } + }, + "rule_name": "AWS RDS Security Group Creation", + "sha256": "722a66f40e6153b12544431635f167f5dbd5b4edf250e483143ed9e6e8301d9c", + "type": "query", + "version": 100 }, "37994bca-0611-4500-ab67-5588afe73b77": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Active Directory High Risk Sign-in", - "sha256": "c7cc75526928d591ed126201c83d478b9222386698b765bee0f764952c683a1f", - "type": "query", - "version": 6 - } - }, - "rule_name": "Azure Active Directory High Risk Sign-in", - "sha256": "b38cf7790741aad498341ee0f143101b6fcdd430c2e9b740e3659e14a28946a5", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Active Directory High Risk Sign-in", + "sha256": "c7cc75526928d591ed126201c83d478b9222386698b765bee0f764952c683a1f", + "type": "query", + "version": 6 + } + }, + "rule_name": "Azure Active Directory High Risk Sign-in", + "sha256": "b38cf7790741aad498341ee0f143101b6fcdd430c2e9b740e3659e14a28946a5", + "type": "query", + "version": 100 }, "37b0816d-af40-40b4-885f-bb162b3c88a9": { - "rule_name": "Anomalous Kernel Module Activity", - "sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12", - "type": "machine_learning", - "version": 100 + "rule_name": "Anomalous Kernel Module Activity", + "sha256": "d514b94eb1d1b1d05bf21aff148b4318ba2188538a2407bb9737943370627c12", + "type": "machine_learning", + "version": 100 }, "37b211e8-4e2f-440f-86d8-06cc8f158cfa": { - "min_stack_version": "8.3", - 
"previous": { - "7.16": { - "rule_name": "AWS Execution via System Manager", - "sha256": "3b588a6ca2d1186405396678aac45e8c22ad34e9a2cd091dcdb7ef3dae53bfbf", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS Execution via System Manager", - "sha256": "8ab164b34bcbb449f1040d1b4d9427a14ca110ae445c752316da2dc962700ffc", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Execution via System Manager", + "sha256": "3b588a6ca2d1186405396678aac45e8c22ad34e9a2cd091dcdb7ef3dae53bfbf", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS Execution via System Manager", + "sha256": "8ab164b34bcbb449f1040d1b4d9427a14ca110ae445c752316da2dc962700ffc", + "type": "query", + "version": 100 }, "37f638ea-909d-4f94-9248-edd21e4a9906": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "045d8e7502b926e26ab18b5c5f28ed08e69a2ea66c929a788fa41fa077a9b994", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Finder Sync Plugin Registered and Enabled", - "sha256": "0f62ad3d834ac68f9bc2f1c6da360fcb4c24fee9c535a20031898b873915dfe8", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Finder Sync Plugin Registered and Enabled", + "sha256": "045d8e7502b926e26ab18b5c5f28ed08e69a2ea66c929a788fa41fa077a9b994", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Finder Sync Plugin Registered and Enabled", + "sha256": "0f62ad3d834ac68f9bc2f1c6da360fcb4c24fee9c535a20031898b873915dfe8", + "type": "eql", + "version": 100 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "13da5f81dbdb334792b90ef620648df28a3b0cb81086b956da96c3011943b7d2", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempted 
Bypass of Okta MFA", - "sha256": "6f055cbfbd5e2282e57c78b9a1b0cb8851f7960e4ffb18c2b3f239167c504e8a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempted Bypass of Okta MFA", + "sha256": "13da5f81dbdb334792b90ef620648df28a3b0cb81086b956da96c3011943b7d2", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempted Bypass of Okta MFA", + "sha256": "6f055cbfbd5e2282e57c78b9a1b0cb8851f7960e4ffb18c2b3f239167c504e8a", + "type": "query", + "version": 100 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Network Connection via Certutil", - "sha256": "e2a886833c9313e5ed1648b2cd0aa48e43a796ee388021298e7f72833fdfc449", - "type": "eql", - "version": 11 - } - }, - "rule_name": "Network Connection via Certutil", - "sha256": "8619d4e24d08fdef2c26f7eaaa74b278e714d775103212fbb572036668ae542d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Network Connection via Certutil", + "sha256": "e2a886833c9313e5ed1648b2cd0aa48e43a796ee388021298e7f72833fdfc449", + "type": "eql", + "version": 11 + } + }, + "rule_name": "Network Connection via Certutil", + "sha256": "8619d4e24d08fdef2c26f7eaaa74b278e714d775103212fbb572036668ae542d", + "type": "eql", + "version": 100 }, "38948d29-3d5d-42e3-8aec-be832aaaf8eb": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "0911285f8149632adde696e8aafb25cceed0b7fff1a508891c1b8ed5e9dac922", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Prompt for Credentials with OSASCRIPT", - "sha256": "7e4e0d093d72157a60ebe588dea5f0e2bb25ab83834a0b02dd15fc010edb4096", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Prompt for 
Credentials with OSASCRIPT", + "sha256": "0911285f8149632adde696e8aafb25cceed0b7fff1a508891c1b8ed5e9dac922", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Prompt for Credentials with OSASCRIPT", + "sha256": "7e4e0d093d72157a60ebe588dea5f0e2bb25ab83834a0b02dd15fc010edb4096", + "type": "eql", + "version": 100 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "User Added as Owner for Azure Service Principal", - "sha256": "13224c93738cb87ff2afafd59555be1bb67d931a78e830dc523f190e8f57379b", - "type": "query", - "version": 8 - } - }, - "rule_name": "User Added as Owner for Azure Service Principal", - "sha256": "b8c7fa9f080b3a7a21e60f4baefcbb3e150b711a42e292383bd3411f7d8ab75c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "User Added as Owner for Azure Service Principal", + "sha256": "13224c93738cb87ff2afafd59555be1bb67d931a78e830dc523f190e8f57379b", + "type": "query", + "version": 8 + } + }, + "rule_name": "User Added as Owner for Azure Service Principal", + "sha256": "b8c7fa9f080b3a7a21e60f4baefcbb3e150b711a42e292383bd3411f7d8ab75c", + "type": "query", + "version": 100 }, "39144f38-5284-4f8e-a2ae-e3fd628d90b0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "5807817c0cf3d448a595125d017ba9fb9d059f06cb6e042ba576786a3ed1adcd", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS EC2 Network Access Control List Creation", - "sha256": "17ad9da50d17efe58810988b1954391a488d33a2e6e9fc2f1f7eba3d8b0b3b5a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS EC2 Network Access Control List Creation", + "sha256": "5807817c0cf3d448a595125d017ba9fb9d059f06cb6e042ba576786a3ed1adcd", + "type": "query", + "version": 10 + } + }, 
+ "rule_name": "AWS EC2 Network Access Control List Creation", + "sha256": "17ad9da50d17efe58810988b1954391a488d33a2e6e9fc2f1f7eba3d8b0b3b5a", + "type": "query", + "version": 100 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "56ea439ae2b7c5e6b41ca7f0768cc34d29247563a1d2d643811d659e054f7fed", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Persistence via Microsoft Outlook VBA", - "sha256": "9e863b4c0ef5e0a4b580beca53c9f874fa881da45e1bcb5072b9a9c32a0583f9", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via Microsoft Outlook VBA", + "sha256": "56ea439ae2b7c5e6b41ca7f0768cc34d29247563a1d2d643811d659e054f7fed", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Persistence via Microsoft Outlook VBA", + "sha256": "9e863b4c0ef5e0a4b580beca53c9f874fa881da45e1bcb5072b9a9c32a0583f9", + "type": "eql", + "version": 100 }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "a242912740790ad096664c63b49e11e932516bbf3e5a54b0b58a023d4c426a48", - "type": "threshold", - "version": 7 - } - }, - "rule_name": "Potential DNS Tunneling via NsLookup", - "sha256": "e8d5b9ae224dcfc8a91f31fa09aaa10122e856cd35facf81a2d70027ff2b00e2", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential DNS Tunneling via NsLookup", + "sha256": "a242912740790ad096664c63b49e11e932516bbf3e5a54b0b58a023d4c426a48", + "type": "threshold", + "version": 7 + } + }, + "rule_name": "Potential DNS Tunneling via NsLookup", + "sha256": "e8d5b9ae224dcfc8a91f31fa09aaa10122e856cd35facf81a2d70027ff2b00e2", + "type": "threshold", + "version": 100 }, 
"3a86e085-094c-412d-97ff-2439731e59cb": { - "rule_name": "Setgid Bit Set via chmod", - "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941", - "type": "query", - "version": 100 + "rule_name": "Setgid Bit Set via chmod", + "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941", + "type": "query", + "version": 100 }, "3ad49c61-7adc-42c1-b788-732eda2f5abf": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "c4676a3d068513cb10f5aa0250eff137b1a106243c2fcd7d9b1d6297c293ed1c", - "type": "query", - "version": 13 - } - }, - "rule_name": "VNC (Virtual Network Computing) to the Internet", - "sha256": "bde58cd0b520e18ffcf878245612b971304555cd5cf8ebd760f85f88f56d7843", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "VNC (Virtual Network Computing) to the Internet", + "sha256": "c4676a3d068513cb10f5aa0250eff137b1a106243c2fcd7d9b1d6297c293ed1c", + "type": "query", + "version": 13 + } + }, + "rule_name": "VNC (Virtual Network Computing) to the Internet", + "sha256": "bde58cd0b520e18ffcf878245612b971304555cd5cf8ebd760f85f88f56d7843", + "type": "query", + "version": 100 }, "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Full Network Packet Capture Detected", - "sha256": "c9c718b423aee91718c0bf62f1ab14a94fe7cce3c1049c045276b5fd699561ba", - "type": "query", - "version": 4 - } - }, - "rule_name": "Azure Full Network Packet Capture Detected", - "sha256": "ab00bf952be5af8b57e616263c15d1e95b0863f6a879d70d63100a34566ee8ca", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Full Network Packet Capture Detected", + "sha256": "c9c718b423aee91718c0bf62f1ab14a94fe7cce3c1049c045276b5fd699561ba", + "type": 
"query", + "version": 4 + } + }, + "rule_name": "Azure Full Network Packet Capture Detected", + "sha256": "ab00bf952be5af8b57e616263c15d1e95b0863f6a879d70d63100a34566ee8ca", + "type": "query", + "version": 100 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Malware - Prevented - Elastic Endgame", - "sha256": "008ca865a5c7a86ce57350c20eed12f164ec20344bf2ac5aa30ba2ac6569884c", - "type": "query", - "version": 9 - } - }, - "rule_name": "Malware - Prevented - Elastic Endgame", - "sha256": "c68b4300522aeae03fc3516d2d25931b932ecde33cb71de6e93d31c77490ef3d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Malware - Prevented - Elastic Endgame", + "sha256": "008ca865a5c7a86ce57350c20eed12f164ec20344bf2ac5aa30ba2ac6569884c", + "type": "query", + "version": 9 + } + }, + "rule_name": "Malware - Prevented - Elastic Endgame", + "sha256": "c68b4300522aeae03fc3516d2d25931b932ecde33cb71de6e93d31c77490ef3d", + "type": "query", + "version": 100 }, "3b47900d-e793-49e8-968f-c90dc3526aa1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "f81811cb000b7963e364dacd66eb8b69a136a29dc8855ecddb89d21d0041d617", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "1c2f64afb040fbda999b1925ab0ee45c9d59b73d38ac1619be8afbe85553a818", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Parent Process for cmd.exe", + "sha256": "f81811cb000b7963e364dacd66eb8b69a136a29dc8855ecddb89d21d0041d617", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Unusual Parent Process for cmd.exe", + "sha256": "1c2f64afb040fbda999b1925ab0ee45c9d59b73d38ac1619be8afbe85553a818", + "type": "eql", + "version": 100 }, 
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "NTDS or SAM Database File Copied", - "sha256": "e164f1dead9cc83510d1756090ae6dfc77c8dcbfca29674471aa62232dad8c8f", - "type": "eql", - "version": 9 - } - }, - "rule_name": "NTDS or SAM Database File Copied", - "sha256": "0f1389e561dd415dbf6768875f965cdaa2645f07949d8f62f18e5e4f722468cd", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "NTDS or SAM Database File Copied", + "sha256": "e164f1dead9cc83510d1756090ae6dfc77c8dcbfca29674471aa62232dad8c8f", + "type": "eql", + "version": 9 + } + }, + "rule_name": "NTDS or SAM Database File Copied", + "sha256": "0f1389e561dd415dbf6768875f965cdaa2645f07949d8f62f18e5e4f722468cd", + "type": "eql", + "version": 100 }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Linux Network Port Activity", - "sha256": "812b60afbec769e09def857ab8078ccd803d393f5f2fdd30ab043a95574a9df6", - "type": "machine_learning", - "version": 5 - } - }, - "rule_name": "Unusual Linux Network Port Activity", - "sha256": "1000f8d810e8053e982148bf3c89a01161b070ee8107e63e90cf68a25bb11a6f", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Linux Network Port Activity", + "sha256": "812b60afbec769e09def857ab8078ccd803d393f5f2fdd30ab043a95574a9df6", + "type": "machine_learning", + "version": 5 + } + }, + "rule_name": "Unusual Linux Network Port Activity", + "sha256": "1000f8d810e8053e982148bf3c89a01161b070ee8107e63e90cf68a25bb11a6f", + "type": "machine_learning", + "version": 100 }, "3e002465-876f-4f04-b016-84ef48ce7e5d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS CloudTrail Log Updated", - "sha256": 
"7497a090423e0f4dd6e82f7b22d4ebad6e46169ed406d3333c309368388ba902", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS CloudTrail Log Updated", - "sha256": "45f58b5b1054e9f025c799101ac3c87b050379818ddb6e57f557398a30367ebe", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS CloudTrail Log Updated", + "sha256": "7497a090423e0f4dd6e82f7b22d4ebad6e46169ed406d3333c309368388ba902", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS CloudTrail Log Updated", + "sha256": "45f58b5b1054e9f025c799101ac3c87b050379818ddb6e57f557398a30367ebe", + "type": "query", + "version": 100 }, "3e3d15c6-1509-479a-b125-21718372157e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Emond Child Process", - "sha256": "60ad0bc321eee4f3d4d9a5346985b65aa95105034d55525170670faa700a9663", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Suspicious Emond Child Process", - "sha256": "819375f19b32e2e448e4a6d6c790da158e547f395e990731f98ac61df0932c8a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Emond Child Process", + "sha256": "60ad0bc321eee4f3d4d9a5346985b65aa95105034d55525170670faa700a9663", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Suspicious Emond Child Process", + "sha256": "819375f19b32e2e448e4a6d6c790da158e547f395e990731f98ac61df0932c8a", + "type": "eql", + "version": 100 }, "3ecbdc9e-e4f2-43fa-8cca-63802125e582": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "c912293b3805322572fe2894ed6cb070418e166e88d9c9d44065e3e7a8fa9373", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Privilege Escalation via Named Pipe Impersonation", - "sha256": "5bcacdc2a7f872a967066f3497b12c82638bc3a659a27706adbff5cc5783eafc", - "type": 
"eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Privilege Escalation via Named Pipe Impersonation", + "sha256": "c912293b3805322572fe2894ed6cb070418e166e88d9c9d44065e3e7a8fa9373", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Privilege Escalation via Named Pipe Impersonation", + "sha256": "5bcacdc2a7f872a967066f3497b12c82638bc3a659a27706adbff5cc5783eafc", + "type": "eql", + "version": 100 }, "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "3d971d8d3f05861e0d92880b25c50c248d3638001e5fbd8e6ec0e690c5b1b2a6", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Suspicious Process Creation CallTrace", - "sha256": "5d37b23cecbcecb6fd4e89491b1741f8d1d15b13b2474436e1fd5dadbd1b836f", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Process Creation CallTrace", + "sha256": "3d971d8d3f05861e0d92880b25c50c248d3638001e5fbd8e6ec0e690c5b1b2a6", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Suspicious Process Creation CallTrace", + "sha256": "5d37b23cecbcecb6fd4e89491b1741f8d1d15b13b2474436e1fd5dadbd1b836f", + "type": "eql", + "version": 100 }, "3efee4f0-182a-40a8-a835-102c68a4175d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "0bf5a30ac72fec595c33431fa1e1bdc2925b1dd387b50d13e0a43796998c58b1", - "type": "threshold", - "version": 9 - } - }, - "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", - "sha256": "9698e2683dc852a3ac02802f639b1e88431d9633813aaceb33b693c1312499df", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Password 
Spraying of Microsoft 365 User Accounts", + "sha256": "0bf5a30ac72fec595c33431fa1e1bdc2925b1dd387b50d13e0a43796998c58b1", + "type": "threshold", + "version": 9 + } + }, + "rule_name": "Potential Password Spraying of Microsoft 365 User Accounts", + "sha256": "9698e2683dc852a3ac02802f639b1e88431d9633813aaceb33b693c1312499df", + "type": "threshold", + "version": 100 }, "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "CyberArk Privileged Access Security Error", - "sha256": "bb434ddf7feb733a486db86a3bae859e6dacf37ab4f237124aee3545eab372f5", - "type": "query", - "version": 4 - } - }, - "rule_name": "CyberArk Privileged Access Security Error", - "sha256": "a4cc55d9e2adab88e3dd79bef6dfb423e37db0a5132b1fc6bf861eff6c99bbd2", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "CyberArk Privileged Access Security Error", + "sha256": "bb434ddf7feb733a486db86a3bae859e6dacf37ab4f237124aee3545eab372f5", + "type": "query", + "version": 4 + } + }, + "rule_name": "CyberArk Privileged Access Security Error", + "sha256": "a4cc55d9e2adab88e3dd79bef6dfb423e37db0a5132b1fc6bf861eff6c99bbd2", + "type": "query", + "version": 100 }, "3f3f9fe2-d095-11ec-95dc-f661ea17fbce": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "ecb4904f46329f1d5fb6bfc35aecf483751ef689a4287ddd8b45c72ffaa7d4e5", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Binary Executed from Shared Memory Directory", - "sha256": "4067a8e393f6e03857fee7e7fda027859affe06da2e0069a5a88d4abe6b15bc0", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Binary Executed from Shared Memory Directory", + "sha256": "ecb4904f46329f1d5fb6bfc35aecf483751ef689a4287ddd8b45c72ffaa7d4e5", + "type": "eql", + 
"version": 4 + } + }, + "rule_name": "Binary Executed from Shared Memory Directory", + "sha256": "4067a8e393f6e03857fee7e7fda027859affe06da2e0069a5a88d4abe6b15bc0", + "type": "eql", + "version": 100 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Persistence via Services Registry", - "sha256": "9d7ea3e58be2ab3e6c229d05df37c0f1dc248bdbd5e68c0fb8665051eac97e01", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Unusual Persistence via Services Registry", - "sha256": "148105c8e3a9db85c29adf3f477245aa6162c8b71b330ca7533cee54cf8653a2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Persistence via Services Registry", + "sha256": "9d7ea3e58be2ab3e6c229d05df37c0f1dc248bdbd5e68c0fb8665051eac97e01", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Unusual Persistence via Services Registry", + "sha256": "148105c8e3a9db85c29adf3f477245aa6162c8b71b330ca7533cee54cf8653a2", + "type": "eql", + "version": 100 }, "416697ae-e468-4093-a93d-59661fa619ec": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "e3169a15a582ed381d71ec7441f39b94e7b70ef75eeb2f899062384c1bcdbc2d", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Control Panel Process with Unusual Arguments", - "sha256": "c6484020fa29382b8f864d5b5a4bbbbbad1c7ada1c9e3e9334a4e76f607accee", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Control Panel Process with Unusual Arguments", + "sha256": "e3169a15a582ed381d71ec7441f39b94e7b70ef75eeb2f899062384c1bcdbc2d", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Control Panel Process with Unusual Arguments", + "sha256": "c6484020fa29382b8f864d5b5a4bbbbbad1c7ada1c9e3e9334a4e76f607accee", + "type": "eql", + 
"version": 100 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "EggShell Backdoor Execution", - "sha256": "5ffb48fcc0228a90e171449a6aba484182df9781408e5c1306a4217261769daf", - "type": "query", - "version": 4 - } - }, - "rule_name": "EggShell Backdoor Execution", - "sha256": "44504d76da97f26af49a5fbced5268cdb10bb46e8ef93dc1d6da2710e79c0b67", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "EggShell Backdoor Execution", + "sha256": "5ffb48fcc0228a90e171449a6aba484182df9781408e5c1306a4217261769daf", + "type": "query", + "version": 4 + } + }, + "rule_name": "EggShell Backdoor Execution", + "sha256": "44504d76da97f26af49a5fbced5268cdb10bb46e8ef93dc1d6da2710e79c0b67", + "type": "query", + "version": 100 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "e37a197e231dd5c778e7e2eba8094aeb962e5ce1fd3f101370d7c0dbc2a24ff4", - "type": "query", - "version": 3 - } - }, - "rule_name": "Potential Hidden Local User Account Creation", - "sha256": "3a997b22b42280486c04c40ba96145e2c6142071ea7c4bdbf15093b798c3a5ca", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Hidden Local User Account Creation", + "sha256": "e37a197e231dd5c778e7e2eba8094aeb962e5ce1fd3f101370d7c0dbc2a24ff4", + "type": "query", + "version": 3 + } + }, + "rule_name": "Potential Hidden Local User Account Creation", + "sha256": "3a997b22b42280486c04c40ba96145e2c6142071ea7c4bdbf15093b798c3a5ca", + "type": "query", + "version": 100 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": 
"47d01123e73660000a53d24eb5e14dd39a5c983cc1c554abd5436125dbb7e3b6", - "type": "threshold", - "version": 8 - } - }, - "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "a45a3f38b8831ccd84dd07383145d7045a99f2c01c9d243a92f34cb0c21dfbb7", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Okta Brute Force or Password Spraying Attack", + "sha256": "47d01123e73660000a53d24eb5e14dd39a5c983cc1c554abd5436125dbb7e3b6", + "type": "threshold", + "version": 8 + } + }, + "rule_name": "Okta Brute Force or Password Spraying Attack", + "sha256": "a45a3f38b8831ccd84dd07383145d7045a99f2c01c9d243a92f34cb0c21dfbb7", + "type": "threshold", + "version": 100 }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Login Activity", - "sha256": "3f35fdeeb2a9009f7f98d3094d9923caff8ad61e07dbaeb0f483e5de46092849", - "type": "machine_learning", - "version": 4 - } - }, - "rule_name": "Unusual Login Activity", - "sha256": "c0354cedd39286c9d93efd09fc08c489dcc534a65e4e8914c873908ab4a052bc", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Login Activity", + "sha256": "3f35fdeeb2a9009f7f98d3094d9923caff8ad61e07dbaeb0f483e5de46092849", + "type": "machine_learning", + "version": 4 + } + }, + "rule_name": "Unusual Login Activity", + "sha256": "c0354cedd39286c9d93efd09fc08c489dcc534a65e4e8914c873908ab4a052bc", + "type": "machine_learning", + "version": 100 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Web Application Suspicious Activity: No User Agent", - "sha256": "e4e4fed016f2f7f95e0547e9880feb0a83a077b476bc20dd27ac1cd3a58b577d", - "type": "query", - "version": 9 - } - }, - "rule_name": "Web Application Suspicious Activity: No User 
Agent", - "sha256": "56755b194b100eeda470eb0855c654fe20b327e1b99fdbecaa104209728e5b4b", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Web Application Suspicious Activity: No User Agent", + "sha256": "e4e4fed016f2f7f95e0547e9880feb0a83a077b476bc20dd27ac1cd3a58b577d", + "type": "query", + "version": 9 + } + }, + "rule_name": "Web Application Suspicious Activity: No User Agent", + "sha256": "56755b194b100eeda470eb0855c654fe20b327e1b99fdbecaa104209728e5b4b", + "type": "query", + "version": 100 }, "440e2db4-bc7f-4c96-a068-65b78da59bde": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "cfb507a36698d0446c774fc7ef06ef4b5de6d367ca531d909f6f096e95896ba1", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Startup Persistence by a Suspicious Process", - "sha256": "618ba466fd4613c40dac45fb5cae32a15e17dee64a222afcc72e6188f29f04d5", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Startup Persistence by a Suspicious Process", + "sha256": "cfb507a36698d0446c774fc7ef06ef4b5de6d367ca531d909f6f096e95896ba1", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Startup Persistence by a Suspicious Process", + "sha256": "618ba466fd4613c40dac45fb5cae32a15e17dee64a222afcc72e6188f29f04d5", + "type": "eql", + "version": 100 }, "445a342e-03fb-42d0-8656-0367eb2dead5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Windows Path Activity", - "sha256": "845885ac400eacce386fbf5040713ed065a66b447e5ddf8f450e0939c64bab9a", - "type": "machine_learning", - "version": 5 - } - }, - "rule_name": "Unusual Windows Path Activity", - "sha256": "96e95f6a002908e770ee8dc9e06b3f4955d02ace7a630a562d77630e0f51b2f7", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + 
"previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Windows Path Activity", + "sha256": "845885ac400eacce386fbf5040713ed065a66b447e5ddf8f450e0939c64bab9a", + "type": "machine_learning", + "version": 5 + } + }, + "rule_name": "Unusual Windows Path Activity", + "sha256": "96e95f6a002908e770ee8dc9e06b3f4955d02ace7a630a562d77630e0f51b2f7", + "type": "machine_learning", + "version": 100 }, "453f659e-0429-40b1-bfdb-b6957286e04b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Permission Theft - Prevented - Elastic Endgame", - "sha256": "f3d686edf2d9ca3878005a30ce88485d9ef2a2120659c70763d60dca188661b9", - "type": "query", - "version": 10 - } - }, - "rule_name": "Permission Theft - Prevented - Elastic Endgame", - "sha256": "57da49505fa7a935e774a271cd364bf67750bc8021808efebe06fbdec618e335", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Permission Theft - Prevented - Elastic Endgame", + "sha256": "f3d686edf2d9ca3878005a30ce88485d9ef2a2120659c70763d60dca188661b9", + "type": "query", + "version": 10 + } + }, + "rule_name": "Permission Theft - Prevented - Elastic Endgame", + "sha256": "57da49505fa7a935e774a271cd364bf67750bc8021808efebe06fbdec618e335", + "type": "query", + "version": 100 }, "45ac4800-840f-414c-b221-53dd36a5aaf7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Windows Event Logs Cleared", - "sha256": "7485e3272dcc60566ca499afce5cf1f87ab84c039d427a4ed6a522fd0a7d1bc0", - "type": "query", - "version": 6 - } - }, - "rule_name": "Windows Event Logs Cleared", - "sha256": "851e423813f44b73b33848927aea154be22e62daf4ecdd3379a6879149a06908", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Windows Event Logs Cleared", + "sha256": "7485e3272dcc60566ca499afce5cf1f87ab84c039d427a4ed6a522fd0a7d1bc0", + 
"type": "query", + "version": 6 + } + }, + "rule_name": "Windows Event Logs Cleared", + "sha256": "851e423813f44b73b33848927aea154be22e62daf4ecdd3379a6879149a06908", + "type": "query", + "version": 100 }, "45d273fb-1dca-457d-9855-bcb302180c21": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "ac2eca72a473716bdda62693b2f9724aeadb537a5476776b76e8191eb71e12cc", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Encrypting Files with WinRar or 7z", - "sha256": "cb63bfb0c61803088becb44b9c3f8f1bc73e2260f0eea157a700f69a7437295d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Encrypting Files with WinRar or 7z", + "sha256": "ac2eca72a473716bdda62693b2f9724aeadb537a5476776b76e8191eb71e12cc", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Encrypting Files with WinRar or 7z", + "sha256": "cb63bfb0c61803088becb44b9c3f8f1bc73e2260f0eea157a700f69a7437295d", + "type": "eql", + "version": 100 }, "4630d948-40d4-4cef-ac69-4002e29bc3db": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "e42e40c2baa181d6c3f51c29b3ad19394bba3709da075d2c61d17bf16d393bb9", - "type": "eql", - "version": 13 - }, - "8.2": { - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "6f997eb7cf9d5091b1747d41b5ca87f485f9515b7a8ea120ee5dc1f143d9d810", - "type": "eql", - "version": 16 - } - }, - "rule_name": "Adding Hidden File Attribute via Attrib", - "sha256": "c69087be2366174103a5ac765084b05b5947745b58ca65590f709b73faabf6f7", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 15, + "rule_name": "Adding Hidden File Attribute via Attrib", + "sha256": "e42e40c2baa181d6c3f51c29b3ad19394bba3709da075d2c61d17bf16d393bb9", + "type": "eql", + "version": 13 + }, + "8.2": { + 
"max_allowable_version": 99, + "rule_name": "Adding Hidden File Attribute via Attrib", + "sha256": "6f997eb7cf9d5091b1747d41b5ca87f485f9515b7a8ea120ee5dc1f143d9d810", + "type": "eql", + "version": 16 + } + }, + "rule_name": "Adding Hidden File Attribute via Attrib", + "sha256": "c69087be2366174103a5ac765084b05b5947745b58ca65590f709b73faabf6f7", + "type": "eql", + "version": 100 }, "4682fd2c-cfae-47ed-a543-9bed37657aa6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "2fb5a3528f28bea1d5629229379f286d3d7b2c4dd003ee69343bb3ac9a1944b8", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Potential Local NTLM Relay via HTTP", - "sha256": "f4ab7f933e115ff4e59ee64e8991fa6759313388c71e4933b0ce7a29249a420d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Local NTLM Relay via HTTP", + "sha256": "2fb5a3528f28bea1d5629229379f286d3d7b2c4dd003ee69343bb3ac9a1944b8", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Potential Local NTLM Relay via HTTP", + "sha256": "f4ab7f933e115ff4e59ee64e8991fa6759313388c71e4933b0ce7a29249a420d", + "type": "eql", + "version": 100 }, "46f804f5-b289-43d6-a881-9387cf594f75": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Process For a Linux Host", - "sha256": "5dec41bb8c572f24b5a47b3903e2d4e2fd9bfe5a6a86789f0b50c1c52d956af6", - "type": "machine_learning", - "version": 7 - } - }, - "rule_name": "Unusual Process For a Linux Host", - "sha256": "dd683127f834182f5df0f60d7a3e94dc4e45b4c40f7852a7e4bd07f9bd32c77a", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Process For a Linux Host", + "sha256": "5dec41bb8c572f24b5a47b3903e2d4e2fd9bfe5a6a86789f0b50c1c52d956af6", + "type": "machine_learning", + "version": 7 + } + }, 
+ "rule_name": "Unusual Process For a Linux Host", + "sha256": "dd683127f834182f5df0f60d7a3e94dc4e45b4c40f7852a7e4bd07f9bd32c77a", + "type": "machine_learning", + "version": 100 }, "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "9d24cbe6c80544c362d427e1b23f7acef6a8dc871e8b89160ec935e35eeedd53", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", - "sha256": "9f2eeac234c93833d2f21839fbf0d7cc29501c7141357383639dfc7bff2f9e5e", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", + "sha256": "9d24cbe6c80544c362d427e1b23f7acef6a8dc871e8b89160ec935e35eeedd53", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", + "sha256": "9f2eeac234c93833d2f21839fbf0d7cc29501c7141357383639dfc7bff2f9e5e", + "type": "eql", + "version": 100 }, "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { - "rule_name": "Execution via Regsvcs/Regasm", - "sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578", - "type": "query", - "version": 100 + "rule_name": "Execution via Regsvcs/Regasm", + "sha256": "fa283dded0764ed89000be343cbbb926c659d742d2cf19d15ad5c5680a096578", + "type": "query", + "version": 100 }, "47f76567-d58a-4fed-b32b-21f571e28910": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Apple Script Execution followed by Network Connection", - "sha256": "f7ddac7735b02e68cd1d642a6db3d68fd155364d19743b482f51b26decb0e61d", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Apple Script Execution followed by Network Connection", - "sha256": "c4a4740940d540c128e334dea8de089fb468e43885cf8cbeebddf8cb6381353c", - "type": "eql", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Apple Script Execution followed by Network Connection", + "sha256": "f7ddac7735b02e68cd1d642a6db3d68fd155364d19743b482f51b26decb0e61d", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Apple Script Execution followed by Network Connection", + "sha256": "c4a4740940d540c128e334dea8de089fb468e43885cf8cbeebddf8cb6381353c", + "type": "eql", + "version": 100 }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "496bfb9b3f67c01e4e370424e21a9a6ea701f672c17bd05201f5ac349e788564", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", - "sha256": "eedcebd26e0ea78144cccb5eba1db658364ecf34d96bf34bda790995783e79f9", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", + "sha256": "496bfb9b3f67c01e4e370424e21a9a6ea701f672c17bd05201f5ac349e788564", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", + "sha256": "eedcebd26e0ea78144cccb5eba1db658364ecf34d96bf34bda790995783e79f9", + "type": "eql", + "version": 100 }, "48d7f54d-c29e-4430-93a9-9db6b5892270": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "5d1cbe92ec650c7766655f7a43846444576f39f460ebd7fbbba20175343861bd", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Unexpected Child Process of macOS Screensaver Engine", - "sha256": "f30fa0ea64208788e3d3960717149f32a46631f77e2d2e964069e88491cb3de6", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + 
"max_allowable_version": 99, + "rule_name": "Unexpected Child Process of macOS Screensaver Engine", + "sha256": "5d1cbe92ec650c7766655f7a43846444576f39f460ebd7fbbba20175343861bd", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Unexpected Child Process of macOS Screensaver Engine", + "sha256": "f30fa0ea64208788e3d3960717149f32a46631f77e2d2e964069e88491cb3de6", + "type": "eql", + "version": 100 }, "48ec9452-e1fd-4513-a376-10a1a26d2c83": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Persistence via Periodic Tasks", - "sha256": "6cc74d6a74abae157494c559cbc80c499212df19327c2345e899fc8d77a1a089", - "type": "query", - "version": 3 - } - }, - "rule_name": "Potential Persistence via Periodic Tasks", - "sha256": "cf16c66a3b6953e016f2e40edbee489e97e385816b8241818bd2184769ecddf4", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Persistence via Periodic Tasks", + "sha256": "6cc74d6a74abae157494c559cbc80c499212df19327c2345e899fc8d77a1a089", + "type": "query", + "version": 3 + } + }, + "rule_name": "Potential Persistence via Periodic Tasks", + "sha256": "cf16c66a3b6953e016f2e40edbee489e97e385816b8241818bd2184769ecddf4", + "type": "query", + "version": 100 }, "493834ca-f861-414c-8602-150d5505b777": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "829bb3432a7664715c5b96c2be6d56e4f957db320f71657203632e61e44b6fe0", - "type": "threshold", - "version": 4 - } - }, - "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "c0189c96284facaab70cb39582539f6df586acf5eaa01b3c326823c643b90a68", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", + "sha256": 
"829bb3432a7664715c5b96c2be6d56e4f957db320f71657203632e61e44b6fe0", + "type": "threshold", + "version": 4 + } + }, + "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", + "sha256": "c0189c96284facaab70cb39582539f6df586acf5eaa01b3c326823c643b90a68", + "type": "threshold", + "version": 100 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "38a9ef4430e706f69e3f25e3775ef9ab5247933a6448daed8075c460dd5d4369", - "type": "query", - "version": 6 - } - }, - "rule_name": "Possible FIN7 DGA Command and Control Behavior", - "sha256": "38a9ef4430e706f69e3f25e3775ef9ab5247933a6448daed8075c460dd5d4369", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Possible FIN7 DGA Command and Control Behavior", + "sha256": "38a9ef4430e706f69e3f25e3775ef9ab5247933a6448daed8075c460dd5d4369", + "type": "query", + "version": 6 + } + }, + "rule_name": "Possible FIN7 DGA Command and Control Behavior", + "sha256": "38a9ef4430e706f69e3f25e3775ef9ab5247933a6448daed8075c460dd5d4369", + "type": "query", + "version": 100 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "31b403ff6fa07ce7ed4ab81d3c6554a1563e623e1b134195b20053548660cddd", - "type": "eql", - "version": 15 - } - }, - "rule_name": "Disable Windows Firewall Rules via Netsh", - "sha256": "86416e631a84457792ada6cecb10e4dc761dff8a81cc06e0dbfbe21ff1efd6fc", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Disable Windows Firewall Rules via Netsh", + "sha256": "31b403ff6fa07ce7ed4ab81d3c6554a1563e623e1b134195b20053548660cddd", + "type": "eql", + "version": 15 + } + }, + "rule_name": "Disable Windows Firewall 
Rules via Netsh", + "sha256": "86416e631a84457792ada6cecb10e4dc761dff8a81cc06e0dbfbe21ff1efd6fc", + "type": "eql", + "version": 100 }, "4bd1c1af-79d4-4d37-9efa-6e0240640242": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "6192e34c6abd68cbba835735bd7136ea29ded5dc353ae9ccf07cc693f0c679e7", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Unusual Process Execution Path - Alternate Data Stream", - "sha256": "ebc1e9be7060855bb004538d48a77dc3f757edda38e56820190dea71ded529da", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Process Execution Path - Alternate Data Stream", + "sha256": "6192e34c6abd68cbba835735bd7136ea29ded5dc353ae9ccf07cc693f0c679e7", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Unusual Process Execution Path - Alternate Data Stream", + "sha256": "ebc1e9be7060855bb004538d48a77dc3f757edda38e56820190dea71ded529da", + "type": "eql", + "version": 100 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "3ed8a98d1ef9c21203e4ec08b63e50526e3000773836588648145b0b130d7f44", - "type": "threshold", - "version": 6 - } - }, - "rule_name": "AWS Management Console Brute Force of Root User Identity", - "sha256": "163a5f3b46f7f1b2e2d69b4b4a8f2e222a05a8629f7d156e4396434ddac22480", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Management Console Brute Force of Root User Identity", + "sha256": "3ed8a98d1ef9c21203e4ec08b63e50526e3000773836588648145b0b130d7f44", + "type": "threshold", + "version": 6 + } + }, + "rule_name": "AWS Management Console Brute Force of Root User Identity", + "sha256": 
"163a5f3b46f7f1b2e2d69b4b4a8f2e222a05a8629f7d156e4396434ddac22480", + "type": "threshold", + "version": 100 }, "4da13d6e-904f-4636-81d8-6ab14b4e6ae9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "4c07864c9de0c88831a1a1b704628a56126012edebf132cb12045866c2d0f24e", - "type": "query", - "version": 4 - } - }, - "rule_name": "Attempt to Disable Gatekeeper", - "sha256": "b439aeedce5e2ddd54f3d1c6402159147520ca3e3598273f235dbcc01c58a6fb", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Disable Gatekeeper", + "sha256": "4c07864c9de0c88831a1a1b704628a56126012edebf132cb12045866c2d0f24e", + "type": "query", + "version": 4 + } + }, + "rule_name": "Attempt to Disable Gatekeeper", + "sha256": "b439aeedce5e2ddd54f3d1c6402159147520ca3e3598273f235dbcc01c58a6fb", + "type": "query", + "version": 100 }, "4de76544-f0e5-486a-8f84-eae0b6063cdc": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "d3c7114cd8a47dc33281f4f4f124e0b3ddb9b16021a2a26d7ac01b8a3ce8dc31", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", - "sha256": "8a9495706a1456c58669b4d529cddec0e636b13416a3f2e94e9d71cc65519af4", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", + "sha256": "d3c7114cd8a47dc33281f4f4f124e0b3ddb9b16021a2a26d7ac01b8a3ce8dc31", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", + "sha256": "8a9495706a1456c58669b4d529cddec0e636b13416a3f2e94e9d71cc65519af4", + "type": "eql", + "version": 100 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { - 
"min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "c86bcd9cdb30e9d9ac9367c672dd7e6025fa45e77981d513a20dc812028f7af3", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", - "sha256": "6fa750938202f64ef8627ffb8933cba171b5045d30c9da22bdba053d91006275", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", + "sha256": "c86bcd9cdb30e9d9ac9367c672dd7e6025fa45e77981d513a20dc812028f7af3", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", + "sha256": "6fa750938202f64ef8627ffb8933cba171b5045d30c9da22bdba053d91006275", + "type": "eql", + "version": 100 }, "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Script Object Execution", - "sha256": "129776c510bb194a778681da82bc2c956b71ac053f38dea10117b4985192b247", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Suspicious Script Object Execution", - "sha256": "49382356d4adbc6bb524642f92342b9e146aef2e257c41170ce74bb06684808a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Script Object Execution", + "sha256": "129776c510bb194a778681da82bc2c956b71ac053f38dea10117b4985192b247", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Suspicious Script Object Execution", + "sha256": "49382356d4adbc6bb524642f92342b9e146aef2e257c41170ce74bb06684808a", + "type": "eql", + "version": 100 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unauthorized Access to an Okta Application", - "sha256": 
"ee5d812977b79c71b85e4e55336fcc15c2d20188d2b5fcd9ac21b6fd496817ab", - "type": "query", - "version": 5 - } - }, - "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "99bc1263ad19d3e5bfe36418f450b76f8a7271baf25aa74c58f567e37a3dfbde", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unauthorized Access to an Okta Application", + "sha256": "ee5d812977b79c71b85e4e55336fcc15c2d20188d2b5fcd9ac21b6fd496817ab", + "type": "query", + "version": 5 + } + }, + "rule_name": "Unauthorized Access to an Okta Application", + "sha256": "99bc1263ad19d3e5bfe36418f450b76f8a7271baf25aa74c58f567e37a3dfbde", + "type": "query", + "version": 100 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution via TSClient Mountpoint", - "sha256": "7cb63a043aff02554c012274584ff7ff80fc6723a0d6c1f983206c216fd55eb0", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Execution via TSClient Mountpoint", - "sha256": "76b4b534df6142578ba17c139387f4338044983089f60686dda68091177e7b3b", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution via TSClient Mountpoint", + "sha256": "7cb63a043aff02554c012274584ff7ff80fc6723a0d6c1f983206c216fd55eb0", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Execution via TSClient Mountpoint", + "sha256": "76b4b534df6142578ba17c139387f4338044983089f60686dda68091177e7b3b", + "type": "eql", + "version": 100 }, "513f0ffd-b317-4b9c-9494-92ce861f22c7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "57dbd74bfd822602da425403e0a3c431ecdb96eac9008a235f5225a553549e1f", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": 
"42e78cb6dc476edd74a7a4cc77231752fc728d27210f318e6353352c95418fa2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Registry Persistence via AppCert DLL", + "sha256": "57dbd74bfd822602da425403e0a3c431ecdb96eac9008a235f5225a553549e1f", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Registry Persistence via AppCert DLL", + "sha256": "42e78cb6dc476edd74a7a4cc77231752fc728d27210f318e6353352c95418fa2", + "type": "eql", + "version": 100 }, "514121ce-c7b6-474a-8237-68ff71672379": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "b48aa189d57f533507819f12b46f526cb6d7ab0c49bcdf4ebf4d1de29b2c34c5", - "type": "query", - "version": 9 - } - }, - "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", - "sha256": "7c6ef54fd34285ddd5858959918293e868ea67da752bd3df50269d11f5ebd881", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "sha256": "b48aa189d57f533507819f12b46f526cb6d7ab0c49bcdf4ebf4d1de29b2c34c5", + "type": "query", + "version": 9 + } + }, + "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", + "sha256": "7c6ef54fd34285ddd5858959918293e868ea67da752bd3df50269d11f5ebd881", + "type": "query", + "version": 100 }, "51859fa0-d86b-4214-bf48-ebb30ed91305": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Logging Sink Deletion", - "sha256": "48a7d8bc2c9f506512eeea79d30612f16df12aa5dca84286fd93f7fb9d885976", - "type": "query", - "version": 9 - } - }, - "rule_name": "GCP Logging Sink Deletion", - "sha256": "c2aa4f7692508f3df54b9878b13d7b677da0a4a8a274930ecf8d50d53faa4e59", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": 
{ + "max_allowable_version": 99, + "rule_name": "GCP Logging Sink Deletion", + "sha256": "48a7d8bc2c9f506512eeea79d30612f16df12aa5dca84286fd93f7fb9d885976", + "type": "query", + "version": 9 + } + }, + "rule_name": "GCP Logging Sink Deletion", + "sha256": "c2aa4f7692508f3df54b9878b13d7b677da0a4a8a274930ecf8d50d53faa4e59", + "type": "query", + "version": 100 }, "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "7add00e6f6097cc99daf7fcee026068a09e75a93763bd1b69733f2bc73d53aa4", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Incoming DCOM Lateral Movement with MMC", - "sha256": "587a34e68e4cdea134965146959fd12b2739ade64e6df2b2ec43fe25b3cab661", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Incoming DCOM Lateral Movement with MMC", + "sha256": "7add00e6f6097cc99daf7fcee026068a09e75a93763bd1b69733f2bc73d53aa4", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Incoming DCOM Lateral Movement with MMC", + "sha256": "587a34e68e4cdea134965146959fd12b2739ade64e6df2b2ec43fe25b3cab661", + "type": "eql", + "version": 100 }, "523116c0-d89d-4d7c-82c2-39e6845a78ef": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "afd6a56c29475450e04c09eaf498ce483ade18d2de1b79d09af2820957f0073a", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS GuardDuty Detector Deletion", - "sha256": "2b436fd7d94632c5c485759103c5abdc1e13947c23ddeab67e8de989041d751a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS GuardDuty Detector Deletion", + "sha256": "afd6a56c29475450e04c09eaf498ce483ade18d2de1b79d09af2820957f0073a", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS GuardDuty Detector 
Deletion", + "sha256": "2b436fd7d94632c5c485759103c5abdc1e13947c23ddeab67e8de989041d751a", + "type": "query", + "version": 100 }, "52376a86-ee86-4967-97ae-1a05f55816f0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "1bd60ae858ac0dcb98eab6ad5625674d60d39feb72b2c399e8f9deccd5440abe", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "8f07ff6673c541fa5e2d2463e6d68a789818b436ea225ec919255f063408bc7d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", + "sha256": "1bd60ae858ac0dcb98eab6ad5625674d60d39feb72b2c399e8f9deccd5440abe", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", + "sha256": "8f07ff6673c541fa5e2d2463e6d68a789818b436ea225ec919255f063408bc7d", + "type": "eql", + "version": 100 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "3985e64b901dcf6691814ebd08009710ba3dd6a53bed60613bdedffd86599cfc", - "type": "eql", - "version": 13 - } - }, - "rule_name": "Unusual Network Connection via RunDLL32", - "sha256": "1ccbdedae874405695c758eb5671221d5d68d6e5cf552c9b384f03e35a694a04", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Network Connection via RunDLL32", + "sha256": "3985e64b901dcf6691814ebd08009710ba3dd6a53bed60613bdedffd86599cfc", + "type": "eql", + "version": 13 + } + }, + "rule_name": "Unusual Network Connection via RunDLL32", + "sha256": "1ccbdedae874405695c758eb5671221d5d68d6e5cf552c9b384f03e35a694a04", + "type": "eql", + "version": 100 }, 
"52afbdc5-db15-485e-bc24-f5707f820c4b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Linux Network Activity", - "sha256": "64ae86b5af4ca19baebe75a2791db256410a0bb32de52364fffef246f551bc18", - "type": "machine_learning", - "version": 6 - } - }, - "rule_name": "Unusual Linux Network Activity", - "sha256": "f5304548d6e36152f1e8a35019086b17cb71276fcf3b12fec97aebb69fe3be01", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Linux Network Activity", + "sha256": "64ae86b5af4ca19baebe75a2791db256410a0bb32de52364fffef246f551bc18", + "type": "machine_learning", + "version": 6 + } + }, + "rule_name": "Unusual Linux Network Activity", + "sha256": "f5304548d6e36152f1e8a35019086b17cb71276fcf3b12fec97aebb69fe3be01", + "type": "machine_learning", + "version": 100 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { - "rule_name": "Unusual Linux Web Activity", - "sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad", - "type": "machine_learning", - "version": 100 + "rule_name": "Unusual Linux Web Activity", + "sha256": "a25a0fe20cc7cdd9b940f1455c54b3cbd54a07d575ec8d8b6219b61af322aaad", + "type": "machine_learning", + "version": 100 }, "52afbdc5-db15-596e-bc35-f5707f820c4b": { - "rule_name": "Unusual Linux Network Service", - "sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c", - "type": "machine_learning", - "version": 100 + "rule_name": "Unusual Linux Network Service", + "sha256": "af448b51ebd531a54c02ae19fc4cc63deef15eb691efcc957764e26879b9a87c", + "type": "machine_learning", + "version": 100 }, "530178da-92ea-43ce-94c2-8877a826783d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious CronTab Creation or Modification", - "sha256": "d3884fdedd271fd8ef68a5e1be9cd5b96f723566fb795594d2c41cdfd708cf0e", - "type": "eql", - "version": 3 - } - }, - "rule_name": 
"Suspicious CronTab Creation or Modification", - "sha256": "062b13896295f8591981d3fe3d6a617fcda96d8775f2a127e30637c4a6980dcd", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious CronTab Creation or Modification", + "sha256": "d3884fdedd271fd8ef68a5e1be9cd5b96f723566fb795594d2c41cdfd708cf0e", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Suspicious CronTab Creation or Modification", + "sha256": "062b13896295f8591981d3fe3d6a617fcda96d8775f2a127e30637c4a6980dcd", + "type": "eql", + "version": 100 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "3619ee48c368bfefcad2d7adc1df941162570787ba6b770591b8c394d54b3e7d", - "type": "query", - "version": 6 - } - }, - "rule_name": "AWS EFS File System or Mount Deleted", - "sha256": "a7f06a11fbee770dc0fca658213ecdb0694efb4e85b3a8a8827003c2f3adb3ff", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS EFS File System or Mount Deleted", + "sha256": "3619ee48c368bfefcad2d7adc1df941162570787ba6b770591b8c394d54b3e7d", + "type": "query", + "version": 6 + } + }, + "rule_name": "AWS EFS File System or Mount Deleted", + "sha256": "a7f06a11fbee770dc0fca658213ecdb0694efb4e85b3a8a8827003c2f3adb3ff", + "type": "query", + "version": 100 }, "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Diagnostic Settings Deletion", - "sha256": "63ed88064a1f87a0c2789942216e2610e00be3801d98465816e698d1a33c0230", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Diagnostic Settings Deletion", - "sha256": "b653fc13f628033560da2a89e872042c5b76e3cc0bad743e4cdb89a5b772b2f1", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + 
"7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Diagnostic Settings Deletion", + "sha256": "63ed88064a1f87a0c2789942216e2610e00be3801d98465816e698d1a33c0230", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Diagnostic Settings Deletion", + "sha256": "b653fc13f628033560da2a89e872042c5b76e3cc0bad743e4cdb89a5b772b2f1", + "type": "query", + "version": 100 }, "53a26770-9cbd-40c5-8b57-61d01a325e14": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "1a29db0563afdb6e7013b41d66732f8655e1cf56d8a9d96bbec53e38fe9499ff", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Suspicious PDF Reader Child Process", - "sha256": "ed2c9370862e7e9588290bd1220308cffac1b348546fd5baffd11deb67d9fa07", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious PDF Reader Child Process", + "sha256": "1a29db0563afdb6e7013b41d66732f8655e1cf56d8a9d96bbec53e38fe9499ff", + "type": "eql", + "version": 12 + } + }, + "rule_name": "Suspicious PDF Reader Child Process", + "sha256": "ed2c9370862e7e9588290bd1220308cffac1b348546fd5baffd11deb67d9fa07", + "type": "eql", + "version": 100 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Uncommon Registry Persistence Change", - "sha256": "53219ff8987584e6547f9575812b0376420e95da290d5f3e600c864516a5d0d4", - "type": "eql", - "version": 8 - }, - "8.2": { - "rule_name": "Uncommon Registry Persistence Change", - "sha256": "eab90afc9e1bee717a0f2d2c8d444c6ea131d22bdee7de0f594f43235e7286bc", - "type": "eql", - "version": 11 - } - }, - "rule_name": "Uncommon Registry Persistence Change", - "sha256": "9abd5d3af10ecbecf7097de410e7f9366a89300eeba98ce8036fb7c6144c53cf", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 10, + 
"rule_name": "Uncommon Registry Persistence Change", + "sha256": "53219ff8987584e6547f9575812b0376420e95da290d5f3e600c864516a5d0d4", + "type": "eql", + "version": 8 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "Uncommon Registry Persistence Change", + "sha256": "eab90afc9e1bee717a0f2d2c8d444c6ea131d22bdee7de0f594f43235e7286bc", + "type": "eql", + "version": 11 + } + }, + "rule_name": "Uncommon Registry Persistence Change", + "sha256": "9abd5d3af10ecbecf7097de410e7f9366a89300eeba98ce8036fb7c6144c53cf", + "type": "eql", + "version": 100 }, "54c3d186-0461-4dc3-9b33-2dc5c7473936": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Network Logon Provider Registry Modification", - "sha256": "a5518862b6e142e509712bef3ce38b3512bcaec6a6c764bf34405cba00d25086", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Network Logon Provider Registry Modification", - "sha256": "1762a35e44d0c99be8dd9123b515a8d30fe75580f5dff0ec13401bfdcf3caad8", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Network Logon Provider Registry Modification", + "sha256": "a5518862b6e142e509712bef3ce38b3512bcaec6a6c764bf34405cba00d25086", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Network Logon Provider Registry Modification", + "sha256": "1762a35e44d0c99be8dd9123b515a8d30fe75580f5dff0ec13401bfdcf3caad8", + "type": "eql", + "version": 100 }, "55c2bf58-2a39-4c58-a384-c8b1978153c2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "1466eae5d9a4dbe705623258baa2696cd48caaf9b249634b5aab4f5f05adc0a6", - "type": "query", - "version": 4 - } - }, - "rule_name": "Windows Service Installed via an Unusual Client", - "sha256": "c767cf2974b84a37ed9d7e533c9fc774c5caa31db7573052a133b1077ac19e7e", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + 
"7.16": { + "max_allowable_version": 99, + "rule_name": "Windows Service Installed via an Unusual Client", + "sha256": "1466eae5d9a4dbe705623258baa2696cd48caaf9b249634b5aab4f5f05adc0a6", + "type": "query", + "version": 4 + } + }, + "rule_name": "Windows Service Installed via an Unusual Client", + "sha256": "c767cf2974b84a37ed9d7e533c9fc774c5caa31db7573052a133b1077ac19e7e", + "type": "query", + "version": 100 }, "55d551c6-333b-4665-ab7e-5d14a59715ce": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PsExec Network Connection", - "sha256": "f01d40062b8f60a89a6058c159db1f7725d8bf0b9bb3ac2e52cc3cf50f91cfc5", - "type": "eql", - "version": 10 - } - }, - "rule_name": "PsExec Network Connection", - "sha256": "e679a602ffc602772cfe83319e32bea413a15bac34a553b9a78137cedbe4c233", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "PsExec Network Connection", + "sha256": "f01d40062b8f60a89a6058c159db1f7725d8bf0b9bb3ac2e52cc3cf50f91cfc5", + "type": "eql", + "version": 10 + } + }, + "rule_name": "PsExec Network Connection", + "sha256": "e679a602ffc602772cfe83319e32bea413a15bac34a553b9a78137cedbe4c233", + "type": "eql", + "version": 100 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "0098059a0c6dca4b880d5b66cc7159ce16ab4e4d41a414d24d52aa3cc16c112e", - "type": "query", - "version": 8 - } - }, - "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", - "sha256": "7c071378e65d8168d8c2e1fa931505caaec90f7a44a9de1fcf80fc35f5d7cd4a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", + "sha256": 
"0098059a0c6dca4b880d5b66cc7159ce16ab4e4d41a414d24d52aa3cc16c112e", + "type": "query", + "version": 8 + } + }, + "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", + "sha256": "7c071378e65d8168d8c2e1fa931505caaec90f7a44a9de1fcf80fc35f5d7cd4a", + "type": "query", + "version": 100 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Admin Group Account Addition", - "sha256": "433b4fee2d89c47433742f05b5869e7babde31127f434c8cce50899e14a270a6", - "type": "query", - "version": 3 - } - }, - "rule_name": "Potential Admin Group Account Addition", - "sha256": "1ddb47cf589c553cb8a3f4450f8e5e844f990a768ca5018ecaac3e13574a46ad", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Admin Group Account Addition", + "sha256": "433b4fee2d89c47433742f05b5869e7babde31127f434c8cce50899e14a270a6", + "type": "query", + "version": 3 + } + }, + "rule_name": "Potential Admin Group Account Addition", + "sha256": "1ddb47cf589c553cb8a3f4450f8e5e844f990a768ca5018ecaac3e13574a46ad", + "type": "query", + "version": 100 }, "565d6ca5-75ba-4c82-9b13-add25353471c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Dumping of Keychain Content via Security Command", - "sha256": "1aae329188f75eb40aa473688626d40da1970b42f828fdff72427020b3a56f1b", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Dumping of Keychain Content via Security Command", - "sha256": "ec21f61f8d8f9880ed6b8bddf1afd429613797e5ba740478a3ecff3670f4b880", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Dumping of Keychain Content via Security Command", + "sha256": "1aae329188f75eb40aa473688626d40da1970b42f828fdff72427020b3a56f1b", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Dumping of Keychain 
Content via Security Command", + "sha256": "ec21f61f8d8f9880ed6b8bddf1afd429613797e5ba740478a3ecff3670f4b880", + "type": "eql", + "version": 100 }, "5663b693-0dea-4f2e-8275-f1ae5ff2de8e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Logging Bucket Deletion", - "sha256": "0f8d828b75d1d1185fff5eda64e2a044723a8b1aab5c9ed8d15f1087725abb14", - "type": "query", - "version": 10 - } - }, - "rule_name": "GCP Logging Bucket Deletion", - "sha256": "3a3b6ad88408ca05c708936092266de5e85a9a6bb7bf8a82d4b7ff594155fba3", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Logging Bucket Deletion", + "sha256": "0f8d828b75d1d1185fff5eda64e2a044723a8b1aab5c9ed8d15f1087725abb14", + "type": "query", + "version": 10 + } + }, + "rule_name": "GCP Logging Bucket Deletion", + "sha256": "3a3b6ad88408ca05c708936092266de5e85a9a6bb7bf8a82d4b7ff594155fba3", + "type": "query", + "version": 100 }, "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PowerShell PSReflect Script", - "sha256": "47cef88aac24764140fab221634ab4cac6d1e0fdb9d01f711a40b5c909c57031", - "type": "query", - "version": 7 - } - }, - "rule_name": "PowerShell PSReflect Script", - "sha256": "e83e1f173bc605e47f440c42e553b45dd28cda90abf6497e245678c6a7708458", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "PowerShell PSReflect Script", + "sha256": "47cef88aac24764140fab221634ab4cac6d1e0fdb9d01f711a40b5c909c57031", + "type": "query", + "version": 7 + } + }, + "rule_name": "PowerShell PSReflect Script", + "sha256": "e83e1f173bc605e47f440c42e553b45dd28cda90abf6497e245678c6a7708458", + "type": "query", + "version": 100 }, "5700cb81-df44-46aa-a5d7-337798f53eb8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "VNC (Virtual Network 
Computing) from the Internet", - "sha256": "c683c0a850432bc2e1bc213062d7340c83c0c8ecc6ce14f521ed262124ce52ab", - "type": "query", - "version": 13 - } - }, - "rule_name": "VNC (Virtual Network Computing) from the Internet", - "sha256": "c577a8ecfea81bf251b4b191c289be058f3d8d696d941c563ff6e4263d258ed9", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "VNC (Virtual Network Computing) from the Internet", + "sha256": "c683c0a850432bc2e1bc213062d7340c83c0c8ecc6ce14f521ed262124ce52ab", + "type": "query", + "version": 13 + } + }, + "rule_name": "VNC (Virtual Network Computing) from the Internet", + "sha256": "c577a8ecfea81bf251b4b191c289be058f3d8d696d941c563ff6e4263d258ed9", + "type": "query", + "version": 100 }, "571afc56-5ed9-465d-a2a9-045f099f6e7e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Credential Dumping - Detected - Elastic Endgame", - "sha256": "814a6dd8c3abc42543896f44736ed05c0a51994d35d5f413a7cb3d666dc73a5c", - "type": "query", - "version": 10 - } - }, - "rule_name": "Credential Dumping - Detected - Elastic Endgame", - "sha256": "e9490c3bf59b4ca766d6cfb1d1844fbf2dc71adcb09780c761b527ecff87b428", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Credential Dumping - Detected - Elastic Endgame", + "sha256": "814a6dd8c3abc42543896f44736ed05c0a51994d35d5f413a7cb3d666dc73a5c", + "type": "query", + "version": 10 + } + }, + "rule_name": "Credential Dumping - Detected - Elastic Endgame", + "sha256": "e9490c3bf59b4ca766d6cfb1d1844fbf2dc71adcb09780c761b527ecff87b428", + "type": "query", + "version": 100 }, "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Virtual Network Device Modified or Deleted", - "sha256": "2dc7f16072cc532537c6fe9627efeb5c18b758fba96416d36c8398993280e858", - "type": 
"query", - "version": 5 - } - }, - "rule_name": "Azure Virtual Network Device Modified or Deleted", - "sha256": "c478af6a790ea8c0dcd61f3cab330fb1abe6835df82da5a1a6c7c2ad0083c2c3", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Virtual Network Device Modified or Deleted", + "sha256": "2dc7f16072cc532537c6fe9627efeb5c18b758fba96416d36c8398993280e858", + "type": "query", + "version": 5 + } + }, + "rule_name": "Azure Virtual Network Device Modified or Deleted", + "sha256": "c478af6a790ea8c0dcd61f3cab330fb1abe6835df82da5a1a6c7c2ad0083c2c3", + "type": "query", + "version": 100 }, "577ec21e-56fe-4065-91d8-45eb8224fe77": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PowerShell MiniDump Script", - "sha256": "5ed40da998cd797bc689f43438ef2020370ec0f926c7286b305ba9edbcfcae0b", - "type": "query", - "version": 10 - } - }, - "rule_name": "PowerShell MiniDump Script", - "sha256": "cbdb31457c62480fd5c9dbf50a46f140aafd57d31ee5c2bf92d0baf962a3d480", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "PowerShell MiniDump Script", + "sha256": "5ed40da998cd797bc689f43438ef2020370ec0f926c7286b305ba9edbcfcae0b", + "type": "query", + "version": 10 + } + }, + "rule_name": "PowerShell MiniDump Script", + "sha256": "cbdb31457c62480fd5c9dbf50a46f140aafd57d31ee5c2bf92d0baf962a3d480", + "type": "query", + "version": 100 }, "581add16-df76-42bb-af8e-c979bfb39a59": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "0bfe91ed225a8f88a48d4a8932529beb3194bda90c9c6c34bf7000ec4d9eb024", - "type": "eql", - "version": 15 - } - }, - "rule_name": "Deleting Backup Catalogs with Wbadmin", - "sha256": "c1aec0b0b33c8a3075935263f0f719b0e21c7ba0bdfe187aab046b2de8a73393", - "type": "eql", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Deleting Backup Catalogs with Wbadmin", + "sha256": "0bfe91ed225a8f88a48d4a8932529beb3194bda90c9c6c34bf7000ec4d9eb024", + "type": "eql", + "version": 15 + } + }, + "rule_name": "Deleting Backup Catalogs with Wbadmin", + "sha256": "c1aec0b0b33c8a3075935263f0f719b0e21c7ba0bdfe187aab046b2de8a73393", + "type": "eql", + "version": 100 }, "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "RDP Enabled via Registry", - "sha256": "1db0e174745538cf33858bcfbd6624c7214f52df40a4e91ff951ab7b9db7dcf2", - "type": "eql", - "version": 10 - } - }, - "rule_name": "RDP Enabled via Registry", - "sha256": "c78fc2e97a561744176f7e493729c4382c3f7057779a9176829384ebd3c3f2ca", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "RDP Enabled via Registry", + "sha256": "1db0e174745538cf33858bcfbd6624c7214f52df40a4e91ff951ab7b9db7dcf2", + "type": "eql", + "version": 10 + } + }, + "rule_name": "RDP Enabled via Registry", + "sha256": "c78fc2e97a561744176f7e493729c4382c3f7057779a9176829384ebd3c3f2ca", + "type": "eql", + "version": 100 }, "58ac2aa5-6718-427c-a845-5f3ac5af00ba": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Zoom Meeting with no Passcode", - "sha256": "b3723887b9bf279cdf495e0de89757e9d1a4490463b6993ccc1e0e387da9b934", - "type": "query", - "version": 7 - } - }, - "rule_name": "Zoom Meeting with no Passcode", - "sha256": "b11bda77407059cc54037e469693754321f43bae2e53010ad95944e9a774276a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Zoom Meeting with no Passcode", + "sha256": "b3723887b9bf279cdf495e0de89757e9d1a4490463b6993ccc1e0e387da9b934", + "type": "query", + "version": 7 + } + }, + "rule_name": "Zoom Meeting 
with no Passcode", + "sha256": "b11bda77407059cc54037e469693754321f43bae2e53010ad95944e9a774276a", + "type": "query", + "version": 100 }, "58bc134c-e8d2-4291-a552-b4b3e537c60b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Lateral Tool Transfer via SMB Share", - "sha256": "fccdc8cdb7b3ef92b3e30da671101575b76c05c404ebf4657415a612c2f2d490", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Potential Lateral Tool Transfer via SMB Share", - "sha256": "e90a1e07e34ea2f495f80b818ec08292d02a12b56a1ab8113c893adf20722fb0", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Lateral Tool Transfer via SMB Share", + "sha256": "fccdc8cdb7b3ef92b3e30da671101575b76c05c404ebf4657415a612c2f2d490", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Potential Lateral Tool Transfer via SMB Share", + "sha256": "e90a1e07e34ea2f495f80b818ec08292d02a12b56a1ab8113c893adf20722fb0", + "type": "eql", + "version": 100 }, "58c6d58b-a0d3-412d-b3b8-0981a9400607": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "d21a3917238ca1a1a6b8319f592c64861d215606c6120103900ba67cbf643d14", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", - "sha256": "d5594f7b8eedbb5ea3c923cb0cf51ae9618431b335128344238559784e938a87", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", + "sha256": "d21a3917238ca1a1a6b8319f592c64861d215606c6120103900ba67cbf643d14", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Potential Privilege Escalation via InstallerFileTakeOver", + "sha256": "d5594f7b8eedbb5ea3c923cb0cf51ae9618431b335128344238559784e938a87", + "type": "eql", + 
"version": 100 }, "5930658c-2107-4afc-91af-e0e55b7f7184": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "O365 Email Reported by User as Malware or Phish", - "sha256": "4aef6221e7182cd1ec1b7a9c4601fcde475bf48061adf1d0248fd6010baf2499", - "type": "query", - "version": 4 - } - }, - "rule_name": "O365 Email Reported by User as Malware or Phish", - "sha256": "77b9e5441d776bd1d4421ba04cf53208030a60a1536147cf517115b3e306aeca", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "O365 Email Reported by User as Malware or Phish", + "sha256": "4aef6221e7182cd1ec1b7a9c4601fcde475bf48061adf1d0248fd6010baf2499", + "type": "query", + "version": 4 + } + }, + "rule_name": "O365 Email Reported by User as Malware or Phish", + "sha256": "77b9e5441d776bd1d4421ba04cf53208030a60a1536147cf517115b3e306aeca", + "type": "query", + "version": 100 }, "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS CloudTrail Log Created", - "sha256": "93ad2845e0f1417bed42d298695e3e9393252efa42ae1e9207da3138ce39f983", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS CloudTrail Log Created", - "sha256": "064da749510016cbce8588a084602725df9b741e5780994843c512ed98e9640a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS CloudTrail Log Created", + "sha256": "93ad2845e0f1417bed42d298695e3e9393252efa42ae1e9207da3138ce39f983", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS CloudTrail Log Created", + "sha256": "064da749510016cbce8588a084602725df9b741e5780994843c512ed98e9640a", + "type": "query", + "version": 100 }, "59756272-1998-4b8c-be14-e287035c4d10": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Linux System Owner or User Discovery Activity", - "sha256": 
"4dfce8f9b71d1c1154bcf7d7e227f86a80e23ecf68649d7067d1b9daa21960b3", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Unusual Linux System Owner or User Discovery Activity", - "sha256": "e41fd4f6fee735f8f4d622091922635835073038420494f835501080da741b64", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Linux System Owner or User Discovery Activity", + "sha256": "4dfce8f9b71d1c1154bcf7d7e227f86a80e23ecf68649d7067d1b9daa21960b3", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Unusual Linux System Owner or User Discovery Activity", + "sha256": "e41fd4f6fee735f8f4d622091922635835073038420494f835501080da741b64", + "type": "machine_learning", + "version": 100 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "3f39f6f5177668db2bc706c123caebf4f32fab44956ed321bd067f98e077e866", - "type": "eql", - "version": 8 - } - }, - "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", - "sha256": "82cb59512014ab0e01173d569e396665f29f1872f19658346dd205b1c20c2795", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + "sha256": "3f39f6f5177668db2bc706c123caebf4f32fab44956ed321bd067f98e077e866", + "type": "eql", + "version": 8 + } + }, + "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", + "sha256": "82cb59512014ab0e01173d569e396665f29f1872f19658346dd205b1c20c2795", + "type": "eql", + "version": 100 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote SSH Login Enabled via systemsetup Command", - "sha256": 
"7c73e32e581e8c012be9579704cb4af5639d44af7819e90225394d82f8dfe84a", - "type": "query", - "version": 6 - } - }, - "rule_name": "Remote SSH Login Enabled via systemsetup Command", - "sha256": "7331f31c20c18949ae8238427d264c121096770ea65404d5eb21382668185a67", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote SSH Login Enabled via systemsetup Command", + "sha256": "7c73e32e581e8c012be9579704cb4af5639d44af7819e90225394d82f8dfe84a", + "type": "query", + "version": 6 + } + }, + "rule_name": "Remote SSH Login Enabled via systemsetup Command", + "sha256": "7331f31c20c18949ae8238427d264c121096770ea65404d5eb21382668185a67", + "type": "query", + "version": 100 }, "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "d50e3a802eeb576df60ee993ea3942d6b4ce183cab3c5b63982081fbc72b997d", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Potential Secure File Deletion via SDelete Utility", - "sha256": "29f7f0a29bc15d489a5dd0c181f2a35e41dd3a52f958e9c17556ddb5324eed71", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Secure File Deletion via SDelete Utility", + "sha256": "d50e3a802eeb576df60ee993ea3942d6b4ce183cab3c5b63982081fbc72b997d", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Potential Secure File Deletion via SDelete Utility", + "sha256": "29f7f0a29bc15d489a5dd0c181f2a35e41dd3a52f958e9c17556ddb5324eed71", + "type": "eql", + "version": 100 }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Virtual Machine Fingerprinting", - "sha256": "9c0208d45564d4542b3d2b8a5bf247de7c1f52fd0d35c92870b6bae1e3a11169", - "type": "query", - "version": 8 - } - }, - "rule_name": "Virtual 
Machine Fingerprinting", - "sha256": "edd0c1216ffec478441f08a43ab313ac1130cf13b408a8328c878b9093c5f6c3", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Virtual Machine Fingerprinting", + "sha256": "9c0208d45564d4542b3d2b8a5bf247de7c1f52fd0d35c92870b6bae1e3a11169", + "type": "query", + "version": 8 + } + }, + "rule_name": "Virtual Machine Fingerprinting", + "sha256": "edd0c1216ffec478441f08a43ab313ac1130cf13b408a8328c878b9093c5f6c3", + "type": "query", + "version": 100 }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "807b3ee056b0f0094cf79aaf7a47f5560f16b4d853b0be14672407c7fb0fda12", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious PrintSpooler Service Executable File Creation", - "sha256": "8138db765525c64d667013ac9c356533d9aec2c7b165f949715bb78b6aa62093", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious PrintSpooler Service Executable File Creation", + "sha256": "807b3ee056b0f0094cf79aaf7a47f5560f16b4d853b0be14672407c7fb0fda12", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious PrintSpooler Service Executable File Creation", + "sha256": "8138db765525c64d667013ac9c356533d9aec2c7b165f949715bb78b6aa62093", + "type": "eql", + "version": 100 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "b5257122319e9bc4edc6da90b4f9ce51f865585667549443dd5a5bc186e8adab", - "type": "query", - "version": 11 - } - }, - "rule_name": "AWS WAF Rule or Rule Group Deletion", - "sha256": "3249161fac88f6cbf8cae454058c7467958169242359eb4fd2fa85c8b8bf00eb", - "type": "query", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS WAF Rule or Rule Group Deletion", + "sha256": "b5257122319e9bc4edc6da90b4f9ce51f865585667549443dd5a5bc186e8adab", + "type": "query", + "version": 11 + } + }, + "rule_name": "AWS WAF Rule or Rule Group Deletion", + "sha256": "3249161fac88f6cbf8cae454058c7467958169242359eb4fd2fa85c8b8bf00eb", + "type": "query", + "version": 100 }, "5c983105-4681-46c3-9890-0c66d05e776b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "d00b5c874958e60ebea75b76e2ed82104b526c831d61e946c915fd0cc7efa80d", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "af77025b9a595eb66fc50d24b2dd04472ce63a9aa0ad7a240af00ce76c0c6708", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Linux Process Discovery Activity", + "sha256": "d00b5c874958e60ebea75b76e2ed82104b526c831d61e946c915fd0cc7efa80d", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Unusual Linux Process Discovery Activity", + "sha256": "af77025b9a595eb66fc50d24b2dd04472ce63a9aa0ad7a240af00ce76c0c6708", + "type": "machine_learning", + "version": 100 }, "5cd55388-a19c-47c7-8ec4-f41656c2fded": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "0f815b455140ed43bab2a6eb85a0bc7af11f3fb955ce357959ca12408b42e27e", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Outbound Scheduled Task Activity via PowerShell", - "sha256": "d5cdb6d1cae26e1717f9464ba61c0b5c5b6efa44b58e3ca27e9454960f0f410f", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Outbound Scheduled Task Activity via 
PowerShell", + "sha256": "0f815b455140ed43bab2a6eb85a0bc7af11f3fb955ce357959ca12408b42e27e", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Outbound Scheduled Task Activity via PowerShell", + "sha256": "d5cdb6d1cae26e1717f9464ba61c0b5c5b6efa44b58e3ca27e9454960f0f410f", + "type": "eql", + "version": 100 }, "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "User Added to Privileged Group in Active Directory", - "sha256": "5f8c09d4a95f39252ed35586660a9bfb97cec6c902021704d19f8dba94707d9d", - "type": "eql", - "version": 8 - } - }, - "rule_name": "User Added to Privileged Group in Active Directory", - "sha256": "cde8abeb5602cceec08fc0e7415ed285ff46f0c199567dc7b9dc2cc243672fff", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "User Added to Privileged Group in Active Directory", + "sha256": "5f8c09d4a95f39252ed35586660a9bfb97cec6c902021704d19f8dba94707d9d", + "type": "eql", + "version": 8 + } + }, + "rule_name": "User Added to Privileged Group in Active Directory", + "sha256": "cde8abeb5602cceec08fc0e7415ed285ff46f0c199567dc7b9dc2cc243672fff", + "type": "eql", + "version": 100 }, "5d0265bf-dea9-41a9-92ad-48a8dcd05080": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via Login or Logout Hook", - "sha256": "6edec2c011265bc7e9989c18ec7b057ec4e790b4dbc45ed26c9800cd87f1888d", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Persistence via Login or Logout Hook", - "sha256": "64a3d7ac39baa7dd7acfe11e2108403722797ba7a6bb2947e13e27e9fee1aece", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via Login or Logout Hook", + "sha256": "6edec2c011265bc7e9989c18ec7b057ec4e790b4dbc45ed26c9800cd87f1888d", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Persistence via 
Login or Logout Hook", + "sha256": "64a3d7ac39baa7dd7acfe11e2108403722797ba7a6bb2947e13e27e9fee1aece", + "type": "eql", + "version": 100 }, "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "0c9b6b24a43b7dedc4a80d31fcb597b5c9672a16ff85566b03ac4f05915b07f2", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious Execution via Scheduled Task", - "sha256": "1908805d7cf7cc5350184bc2b93d9b59b0a568bbd07a49387a6ec04c474ab831", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Execution via Scheduled Task", + "sha256": "0c9b6b24a43b7dedc4a80d31fcb597b5c9672a16ff85566b03ac4f05915b07f2", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious Execution via Scheduled Task", + "sha256": "1908805d7cf7cc5350184bc2b93d9b59b0a568bbd07a49387a6ec04c474ab831", + "type": "eql", + "version": 100 }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Automator Workflows Execution", - "sha256": "1423cb901db24ee2389356865a804a69d1c5ccd02aca4cf100ca7486f830aee2", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Suspicious Automator Workflows Execution", - "sha256": "d627f089be597dd9d5cd098afcb3df2539500a660d3d0565bdba0b3ec000f8bd", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Automator Workflows Execution", + "sha256": "1423cb901db24ee2389356865a804a69d1c5ccd02aca4cf100ca7486f830aee2", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Suspicious Automator Workflows Execution", + "sha256": "d627f089be597dd9d5cd098afcb3df2539500a660d3d0565bdba0b3ec000f8bd", + "type": "eql", + "version": 100 }, "5e552599-ddec-4e14-bad1-28aa42404388": { - "min_stack_version": 
"8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "f58a40f75d1820aa083b0af15229d3a3192bb4cb2c90b6d45852d9531ba86659", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Teams Guest Access Enabled", - "sha256": "c2d44b6e87bf1e7dea9dd3a0d2990194af418603132d5bee07c23b69068e4717", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Teams Guest Access Enabled", + "sha256": "f58a40f75d1820aa083b0af15229d3a3192bb4cb2c90b6d45852d9531ba86659", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Teams Guest Access Enabled", + "sha256": "c2d44b6e87bf1e7dea9dd3a0d2990194af418603132d5bee07c23b69068e4717", + "type": "query", + "version": 100 }, "5e87f165-45c2-4b80-bfa5-52822552c997": { - "rule_name": "Potential PrintNightmare File Modification", - "sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933", - "type": "eql", - "version": 100 + "rule_name": "Potential PrintNightmare File Modification", + "sha256": "cce3c92801296f877a7b98b1d40e5eb47cc9843149d203377272809894e0c933", + "type": "eql", + "version": 100 }, "60884af6-f553-4a6c-af13-300047455491": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Command Execution on Virtual Machine", - "sha256": "e195b4abc35917aed5f150ec5e04b7bfe705c776edd2df6d0d18614aab1231a8", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Command Execution on Virtual Machine", - "sha256": "872a5367783e16ffc634425549afb38612e1eeed5207f97e5d483684f2d93cb9", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Command Execution on Virtual Machine", + "sha256": "e195b4abc35917aed5f150ec5e04b7bfe705c776edd2df6d0d18614aab1231a8", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Command 
Execution on Virtual Machine", + "sha256": "872a5367783e16ffc634425549afb38612e1eeed5207f97e5d483684f2d93cb9", + "type": "query", + "version": 100 }, "60b6b72f-0fbc-47e7-9895-9ba7627a8b50": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Service Principal Addition", - "sha256": "63f8524b34d7396a39558b7b1a71918cb1af0dd94168d585c37e41ebd3e62733", - "type": "query", - "version": 7 - } - }, - "rule_name": "Azure Service Principal Addition", - "sha256": "bf214c9f72e9dfa8ccd2be6ff173e12ad5c7f7bb86c95e731af9fa4fe47605a8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Service Principal Addition", + "sha256": "63f8524b34d7396a39558b7b1a71918cb1af0dd94168d585c37e41ebd3e62733", + "type": "query", + "version": 7 + } + }, + "rule_name": "Azure Service Principal Addition", + "sha256": "bf214c9f72e9dfa8ccd2be6ff173e12ad5c7f7bb86c95e731af9fa4fe47605a8", + "type": "query", + "version": 100 }, "60f3adec-1df9-4104-9c75-b97d9f078b25": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "d4bae7b60e7b8ae9d81564cc05893fe9ab226915e0ba6ae6f588226f2a37981b", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Exchange DLP Policy Removed", - "sha256": "94d03cfbb90d2318be2e5e0e432a60714974dcfcf37b9582f671982a34290fc7", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange DLP Policy Removed", + "sha256": "d4bae7b60e7b8ae9d81564cc05893fe9ab226915e0ba6ae6f588226f2a37981b", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Exchange DLP Policy Removed", + "sha256": "94d03cfbb90d2318be2e5e0e432a60714974dcfcf37b9582f671982a34290fc7", + "type": "query", + "version": 100 }, "610949a1-312f-4e04-bb55-3a79b8c95267": { - "min_stack_version": 
"8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Process Network Connection", - "sha256": "b00636e435888cfbac55fabaa232b7ff7792edae939e7fd52cfd7586228f89e4", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Unusual Process Network Connection", - "sha256": "621fd3c91f9762821b765a38822321c8536a7522037ff332ae4f18e0469de7d1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Process Network Connection", + "sha256": "b00636e435888cfbac55fabaa232b7ff7792edae939e7fd52cfd7586228f89e4", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Unusual Process Network Connection", + "sha256": "621fd3c91f9762821b765a38822321c8536a7522037ff332ae4f18e0469de7d1", + "type": "eql", + "version": 100 }, "61ac3638-40a3-44b2-855a-985636ca985e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "4260f2832dbbedc282f3767cd8e7776d8a1f4cdc13b5dac16dff8107ea31e1d3", - "type": "query", - "version": 9 - } - }, - "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "96c86ebf7124b5cf3b983a969ac7334dd3f702d1e63a3a3a98b183f193d4f675", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", + "sha256": "4260f2832dbbedc282f3767cd8e7776d8a1f4cdc13b5dac16dff8107ea31e1d3", + "type": "query", + "version": 9 + } + }, + "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", + "sha256": "96c86ebf7124b5cf3b983a969ac7334dd3f702d1e63a3a3a98b183f193d4f675", + "type": "query", + "version": 100 }, "61c31c14-507f-4627-8c31-072556b89a9c": { - "rule_name": "Mknod Process Activity", - "sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea", - "type": "query", - "version": 100 
+ "rule_name": "Mknod Process Activity", + "sha256": "9070708b87661e05dc8b0275151d9c928fbf29feacc6b771a10e56eea2ff82ea", + "type": "query", + "version": 100 }, "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "534101b851d9fae2e8255f7a270ca3d66f536b49f133fa7ef49a91d5bfed2816", - "type": "eql", - "version": 5 - } - }, - "rule_name": "AdminSDHolder SDProp Exclusion Added", - "sha256": "384ea747a062c1e6197b9f85283fe5b766e6812db17234c78e527075e8a7a9b2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AdminSDHolder SDProp Exclusion Added", + "sha256": "534101b851d9fae2e8255f7a270ca3d66f536b49f133fa7ef49a91d5bfed2816", + "type": "eql", + "version": 5 + } + }, + "rule_name": "AdminSDHolder SDProp Exclusion Added", + "sha256": "384ea747a062c1e6197b9f85283fe5b766e6812db17234c78e527075e8a7a9b2", + "type": "eql", + "version": 100 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "cc8a4382982924e277e4c3d743dd97006b5d0d444c6c16f0af5bfa54175f1571", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Incoming DCOM Lateral Movement via MSHTA", - "sha256": "ee6e88d5dbeb4c1e83885f6a95bf40c74f4b4f33bada19733a6e4b68694045de", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Incoming DCOM Lateral Movement via MSHTA", + "sha256": "cc8a4382982924e277e4c3d743dd97006b5d0d444c6c16f0af5bfa54175f1571", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Incoming DCOM Lateral Movement via MSHTA", + "sha256": "ee6e88d5dbeb4c1e83885f6a95bf40c74f4b4f33bada19733a6e4b68694045de", + "type": "eql", + "version": 100 }, "62a70f6f-3c37-43df-a556-f64fa475fba2": { - 
"min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "b11ea0b16c59af178aae7fc5869e311bc7e98918cedba5dcd6693398144c70d8", - "type": "query", - "version": 4 - } - }, - "rule_name": "Account Configured with Never-Expiring Password", - "sha256": "323d4cd6580d5345a3d47924597c0d860fb1dba813e9aef86cf76e4558a03349", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Account Configured with Never-Expiring Password", + "sha256": "b11ea0b16c59af178aae7fc5869e311bc7e98918cedba5dcd6693398144c70d8", + "type": "query", + "version": 4 + } + }, + "rule_name": "Account Configured with Never-Expiring Password", + "sha256": "323d4cd6580d5345a3d47924597c0d860fb1dba813e9aef86cf76e4558a03349", + "type": "query", + "version": 100 }, "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Network Connection via Signed Binary", - "sha256": "80c6dfdcbb866f19a43a66a1fcf01571c849a5d333763e6728b8cc38e96f7ada", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Network Connection via Signed Binary", - "sha256": "00acec77f8acca7e96ad28ab05da1b1784966bb82deab41663edd6da48de0198", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Network Connection via Signed Binary", + "sha256": "80c6dfdcbb866f19a43a66a1fcf01571c849a5d333763e6728b8cc38e96f7ada", + "type": "eql", + "version": 12 + } + }, + "rule_name": "Network Connection via Signed Binary", + "sha256": "00acec77f8acca7e96ad28ab05da1b1784966bb82deab41663edd6da48de0198", + "type": "eql", + "version": 100 }, "647fc812-7996-4795-8869-9c4ea595fe88": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Anomalous Process For a Linux Population", - "sha256": 
"c10cfdb233bb94a8778c442480ba3bf3052d77b1a7233987c6c6f02bb88a69b3", - "type": "machine_learning", - "version": 7 - } - }, - "rule_name": "Anomalous Process For a Linux Population", - "sha256": "58ad6b8312fa08066d30ca38f7178f10d0af84bc3348a306635a0d5693e495fb", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Anomalous Process For a Linux Population", + "sha256": "c10cfdb233bb94a8778c442480ba3bf3052d77b1a7233987c6c6f02bb88a69b3", + "type": "machine_learning", + "version": 7 + } + }, + "rule_name": "Anomalous Process For a Linux Population", + "sha256": "58ad6b8312fa08066d30ca38f7178f10d0af84bc3348a306635a0d5693e495fb", + "type": "machine_learning", + "version": 100 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Modification of Safari Settings via Defaults Command", - "sha256": "1291f8e74a129e13387f515122286762491f4a8a98539f725f35893c9e519257", - "type": "query", - "version": 3 - } - }, - "rule_name": "Modification of Safari Settings via Defaults Command", - "sha256": "66b994ea016c69bcad77e78b66f2b07a8c7f59ac9a7390737f65a0669112fdeb", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Modification of Safari Settings via Defaults Command", + "sha256": "1291f8e74a129e13387f515122286762491f4a8a98539f725f35893c9e519257", + "type": "query", + "version": 3 + } + }, + "rule_name": "Modification of Safari Settings via Defaults Command", + "sha256": "66b994ea016c69bcad77e78b66f2b07a8c7f59ac9a7390737f65a0669112fdeb", + "type": "query", + "version": 100 }, "6506c9fd-229e-4722-8f0f-69be759afd2a": { - "rule_name": "Potential PrintNightmare Exploit Registry Modification", - "sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621", - "type": "eql", - "version": 100 + "rule_name": "Potential 
PrintNightmare Exploit Registry Modification", + "sha256": "2835937a732bcb071b232eba9fe5f11b5f7ea8c7742eec0640d79cca3fcea621", + "type": "eql", + "version": 100 }, "65f9bccd-510b-40df-8263-334f03174fed": { - "min_stack_version": "8.3", - "previous": { - "8.2": { - "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "013298b6842e5c3da39c9653179dd8e9b62b3dfd4227f34256471cf64bcfe2ee", - "type": "query", - "version": 3 - } - }, - "rule_name": "Kubernetes Exposed Service Created With Type NodePort", - "sha256": "7bdb29beee19d63add116b929b7806d41ae36881ef9d37390be3331c731bcf28", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "8.2": { + "max_allowable_version": 99, + "rule_name": "Kubernetes Exposed Service Created With Type NodePort", + "sha256": "013298b6842e5c3da39c9653179dd8e9b62b3dfd4227f34256471cf64bcfe2ee", + "type": "query", + "version": 3 + } + }, + "rule_name": "Kubernetes Exposed Service Created With Type NodePort", + "sha256": "7bdb29beee19d63add116b929b7806d41ae36881ef9d37390be3331c731bcf28", + "type": "query", + "version": 100 }, "661545b4-1a90-4f45-85ce-2ebd7c6a15d0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Mount SMB Share via Command Line", - "sha256": "2be9c7475eaf8e2adef7e68471761491a0be92b510e4dee69d85cd0b718d5383", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Attempt to Mount SMB Share via Command Line", - "sha256": "84f79df5885f139cba6c562085915ff612fcc3152820c1f1709a4e03605be755", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Mount SMB Share via Command Line", + "sha256": "2be9c7475eaf8e2adef7e68471761491a0be92b510e4dee69d85cd0b718d5383", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Attempt to Mount SMB Share via Command Line", + "sha256": "84f79df5885f139cba6c562085915ff612fcc3152820c1f1709a4e03605be755", + 
"type": "eql", + "version": 100 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "WebServer Access Logs Deleted", - "sha256": "aa99ae249849c4fda90d6916ceda488aa0f9804f58c5a7b48457f165f4a2b244", - "type": "eql", - "version": 7 - } - }, - "rule_name": "WebServer Access Logs Deleted", - "sha256": "5404cb14b4ec1009a1ebcc22171f8001feb5e5c5c5d1db44fdd77e44b2000d75", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "WebServer Access Logs Deleted", + "sha256": "aa99ae249849c4fda90d6916ceda488aa0f9804f58c5a7b48457f165f4a2b244", + "type": "eql", + "version": 7 + } + }, + "rule_name": "WebServer Access Logs Deleted", + "sha256": "5404cb14b4ec1009a1ebcc22171f8001feb5e5c5c5d1db44fdd77e44b2000d75", + "type": "eql", + "version": 100 }, "66883649-f908-4a5b-a1e0-54090a1d3a32": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "56d77dd4079675a4b79810d1ca79ee02983c2fb5965c0676e9c831340f0a6262", - "type": "eql", - "version": 11 - } - }, - "rule_name": "Connection to Commonly Abused Web Services", - "sha256": "9074d32b67e1ae4dedee47ef68052d2de75e18e968836494eeee7db8ced3559c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Connection to Commonly Abused Web Services", + "sha256": "56d77dd4079675a4b79810d1ca79ee02983c2fb5965c0676e9c831340f0a6262", + "type": "eql", + "version": 11 + } + }, + "rule_name": "Connection to Commonly Abused Web Services", + "sha256": "9074d32b67e1ae4dedee47ef68052d2de75e18e968836494eeee7db8ced3559c", + "type": "eql", + "version": 100 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": 
"2cef3de3b774697cedfbed1c2355f06f346be0ff564bb51e664741418215ed35", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": "61259dfd679962889b178d2d475ed6c0aa30fcd9908b5840c5afa7ced67c9191", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious macOS MS Office Child Process", + "sha256": "2cef3de3b774697cedfbed1c2355f06f346be0ff564bb51e664741418215ed35", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Suspicious macOS MS Office Child Process", + "sha256": "61259dfd679962889b178d2d475ed6c0aa30fcd9908b5840c5afa7ced67c9191", + "type": "eql", + "version": 100 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "1ef55d057c977c919a011ee2c0a5877b55c1b5467523826f3720ee782ceb87f5", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "f349235176eea6fab8f64b9d29af010ac35907d99e524aec451bb7143ea6aa7b", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": "1ef55d057c977c919a011ee2c0a5877b55c1b5467523826f3720ee782ceb87f5", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": "f349235176eea6fab8f64b9d29af010ac35907d99e524aec451bb7143ea6aa7b", + "type": "query", + "version": 100 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": "d56428a2ebb97ff26a961b1941691823e9c600e8c7878d6093f1eaa010965ede", - "type": "query", - "version": 6 - } - }, - "rule_name": "O365 Mailbox Audit Logging Bypass", - "sha256": 
"180540c4dfa973ebb322a17a92f3bd9e1179dca70a52c648ded69003862cc3c9", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "O365 Mailbox Audit Logging Bypass", + "sha256": "d56428a2ebb97ff26a961b1941691823e9c600e8c7878d6093f1eaa010965ede", + "type": "query", + "version": 6 + } + }, + "rule_name": "O365 Mailbox Audit Logging Bypass", + "sha256": "180540c4dfa973ebb322a17a92f3bd9e1179dca70a52c648ded69003862cc3c9", + "type": "query", + "version": 100 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "f2e4b16a361bc69205d6496b1d0ae5cb98c14fdc18dfd120a57d3ed1242393e3", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "7fa1e50559094f15c0d582e8502734500d72a89865f1e7b1da149ef3c6152317", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "f2e4b16a361bc69205d6496b1d0ae5cb98c14fdc18dfd120a57d3ed1242393e3", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "7fa1e50559094f15c0d582e8502734500d72a89865f1e7b1da149ef3c6152317", + "type": "query", + "version": 100 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { - "rule_name": "SMTP to the Internet", - "sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d", - "type": "query", - "version": 100 + "rule_name": "SMTP to the Internet", + "sha256": "38ddd772b9bc49726619cf527ed48d8871a0611ca88d76d03054c6702456d14d", + "type": "query", + "version": 100 }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "High Number of Process Terminations", - "sha256": 
"32f86106ce9707e4ba55425d0e257d1a8d98fc30943af2df10ecb86ccedcb082", - "type": "threshold", - "version": 3 - } - }, - "rule_name": "High Number of Process Terminations", - "sha256": "39e37ed6487827c23b34562be8be17f18cff230845a27b6d15181ae44ddbbd7f", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "High Number of Process Terminations", + "sha256": "32f86106ce9707e4ba55425d0e257d1a8d98fc30943af2df10ecb86ccedcb082", + "type": "threshold", + "version": 3 + } + }, + "rule_name": "High Number of Process Terminations", + "sha256": "39e37ed6487827c23b34562be8be17f18cff230845a27b6d15181ae44ddbbd7f", + "type": "threshold", + "version": 100 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { - "rule_name": "Query Registry via reg.exe", - "sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9", - "type": "eql", - "version": 100 + "rule_name": "Query Registry via reg.exe", + "sha256": "5752b998b95537fedce81850330b693ee3cb9f030b36bf07dba1da9107bd68d9", + "type": "eql", + "version": 100 }, "6839c821-011d-43bd-bd5b-acff00257226": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Image File Execution Options Injection", - "sha256": "0efe7d423a7ebfb1e3d9380de840f4ddbf0f5e4229dacbad6ebd38795ed1fe91", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Image File Execution Options Injection", - "sha256": "92ad976097c575d57f0348ba3df83a1cfa9a84fa0133a855c9f0eaca891d43a6", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Image File Execution Options Injection", + "sha256": "0efe7d423a7ebfb1e3d9380de840f4ddbf0f5e4229dacbad6ebd38795ed1fe91", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Image File Execution Options Injection", + "sha256": "92ad976097c575d57f0348ba3df83a1cfa9a84fa0133a855c9f0eaca891d43a6", + "type": "eql", + "version": 100 }, 
"684554fc-0777-47ce-8c9b-3d01f198d7f8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "New or Modified Federation Domain", - "sha256": "e410d2309f7b7bd1ec6767a6f0d4756716d3d87da15161771420026a2603c7b0", - "type": "query", - "version": 5 - } - }, - "rule_name": "New or Modified Federation Domain", - "sha256": "a58f40a2a2689a462fd3ebcbf5dba55550ecc3cbcfec5949aa2a35892c5afafb", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "New or Modified Federation Domain", + "sha256": "e410d2309f7b7bd1ec6767a6f0d4756716d3d87da15161771420026a2603c7b0", + "type": "query", + "version": 5 + } + }, + "rule_name": "New or Modified Federation Domain", + "sha256": "a58f40a2a2689a462fd3ebcbf5dba55550ecc3cbcfec5949aa2a35892c5afafb", + "type": "query", + "version": 100 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Threat Detected by Okta ThreatInsight", - "sha256": "95b23b6dceecf5c37c57266723121ae726f35c91584ae156eeb28b463d118cea", - "type": "query", - "version": 9 - } - }, - "rule_name": "Threat Detected by Okta ThreatInsight", - "sha256": "0ef8f32d6082e1c9bab33717afc8fe1c23e756abe5942df0dde64456026edec1", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Threat Detected by Okta ThreatInsight", + "sha256": "95b23b6dceecf5c37c57266723121ae726f35c91584ae156eeb28b463d118cea", + "type": "query", + "version": 9 + } + }, + "rule_name": "Threat Detected by Okta ThreatInsight", + "sha256": "0ef8f32d6082e1c9bab33717afc8fe1c23e756abe5942df0dde64456026edec1", + "type": "query", + "version": 100 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": 
"40892b7e96739d876cf5ef96e0cfcb5df2803f9e217d6c15edfc656d66dfbdd0", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", - "sha256": "06f4a7443048cea7bec58e46f208e942694f415dcc65320caf513b9715052ee6", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", + "sha256": "40892b7e96739d876cf5ef96e0cfcb5df2803f9e217d6c15edfc656d66dfbdd0", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", + "sha256": "06f4a7443048cea7bec58e46f208e942694f415dcc65320caf513b9715052ee6", + "type": "eql", + "version": 100 }, "68994a6c-c7ba-4e82-b476-26a26877adf6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "b93cd2bb2b978c4a49aa012e3ba233f122287ffdb705c852467201a2f5818c37", - "type": "query", - "version": 12 - }, - "8.0": { - "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "b21a45d51ea3f04918d7eeaabb24efea888bc2f7a9c326ed3858bc775f4243e0", - "type": "query", - "version": 15 - } - }, - "rule_name": "Google Workspace Admin Role Assigned to a User", - "sha256": "d9f56f436561f5e8d14e9dce38318bf3e08a582338ac24f244aa054fdbbd0cce", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 14, + "rule_name": "Google Workspace Admin Role Assigned to a User", + "sha256": "b93cd2bb2b978c4a49aa012e3ba233f122287ffdb705c852467201a2f5818c37", + "type": "query", + "version": 12 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "Google Workspace Admin Role Assigned to a User", + "sha256": "b21a45d51ea3f04918d7eeaabb24efea888bc2f7a9c326ed3858bc775f4243e0", + "type": "query", + "version": 15 + } + }, + "rule_name": "Google Workspace Admin Role 
Assigned to a User", + "sha256": "d9f56f436561f5e8d14e9dce38318bf3e08a582338ac24f244aa054fdbbd0cce", + "type": "query", + "version": 100 }, "689b9d57-e4d5-4357-ad17-9c334609d79a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "81a2f954d5b7761177fa3bc11019a2955eef17aab753143bbea9a8bd67bc55a6", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Scheduled Task Created by a Windows Script", - "sha256": "83038e8351824fead44e9aede825e95395ae00d0112346729456aa3350bc23f3", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Scheduled Task Created by a Windows Script", + "sha256": "81a2f954d5b7761177fa3bc11019a2955eef17aab753143bbea9a8bd67bc55a6", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Scheduled Task Created by a Windows Script", + "sha256": "83038e8351824fead44e9aede825e95395ae00d0112346729456aa3350bc23f3", + "type": "eql", + "version": 100 }, "68a7a5a5-a2fc-4a76-ba9f-26849de881b4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "f5a7bed82e84d98883e645ca43ca8091e0d6b505c417342c2685bc0bccc55e96", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS CloudWatch Log Group Deletion", - "sha256": "eadaa242e8c74faea653a0d6055f1cd65f796118e32fd864934eff13d33551b7", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS CloudWatch Log Group Deletion", + "sha256": "f5a7bed82e84d98883e645ca43ca8091e0d6b505c417342c2685bc0bccc55e96", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS CloudWatch Log Group Deletion", + "sha256": "eadaa242e8c74faea653a0d6055f1cd65f796118e32fd864934eff13d33551b7", + "type": "query", + "version": 100 }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { - "min_stack_version": "8.3", - 
"previous": { - "7.16": { - "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "1c69a26d73e24b3d036b3bb0d2a5d6651123dca79c58a6df26d303222cc3aa19", - "type": "eql", - "version": 8 - } - }, - "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", - "sha256": "431cfd25e36329eafa008281313032e48969664302df3523a6f07754afbc677d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", + "sha256": "1c69a26d73e24b3d036b3bb0d2a5d6651123dca79c58a6df26d303222cc3aa19", + "type": "eql", + "version": 8 + } + }, + "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", + "sha256": "431cfd25e36329eafa008281313032e48969664302df3523a6f07754afbc677d", + "type": "eql", + "version": 100 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { - "min_stack_version": "8.3", - "previous": { - "8.0": { - "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", - "sha256": "1c84ee3520f02156a2dd650dff1c95cccd1852054ed6f7ca59a4ce9d278c9832", - "type": "threat_match", - "version": 5 - } - }, - "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", - "sha256": "32f883b9ccda701081df7ad7747f8d7ba939a23f7766b682130f07db73998f6b", - "type": "threat_match", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "8.0": { + "max_allowable_version": 99, + "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", + "sha256": "1c84ee3520f02156a2dd650dff1c95cccd1852054ed6f7ca59a4ce9d278c9832", + "type": "threat_match", + "version": 5 + } + }, + "rule_name": "Threat Intel Filebeat Module (v8.x) Indicator Match", + "sha256": "32f883b9ccda701081df7ad7747f8d7ba939a23f7766b682130f07db73998f6b", + "type": "threat_match", + "version": 100 }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Modification of Boot Configuration", - "sha256": 
"2103024f5ee4817b2e7dece3748aa9ca71c8a4ee68de02c6ed318bc1377e83e5", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Modification of Boot Configuration", - "sha256": "ebcb54c25c02c260036c1db2f19a1e5b35ec0cb57e6fb5192d5c4dd3052b1805", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Modification of Boot Configuration", + "sha256": "2103024f5ee4817b2e7dece3748aa9ca71c8a4ee68de02c6ed318bc1377e83e5", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Modification of Boot Configuration", + "sha256": "ebcb54c25c02c260036c1db2f19a1e5b35ec0cb57e6fb5192d5c4dd3052b1805", + "type": "eql", + "version": 100 }, "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "94e15d61afdb62ad13547e0aaf3b6702c4e69ffbf47d983b6416ae9e3d6810bd", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS IAM Password Recovery Requested", - "sha256": "7f96125b14edc240bd6bf616955819b7ea9fe7491f8afb0873fbf8d85b7d52ed", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS IAM Password Recovery Requested", + "sha256": "94e15d61afdb62ad13547e0aaf3b6702c4e69ffbf47d983b6416ae9e3d6810bd", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS IAM Password Recovery Requested", + "sha256": "7f96125b14edc240bd6bf616955819b7ea9fe7491f8afb0873fbf8d85b7d52ed", + "type": "query", + "version": 100 }, "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": "3086f0755beef3bc637f52b992f4b001ed10d7155978344d650e9ab12d2b44d5", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Unusual Service Host Child Process - Childless Service", - "sha256": 
"24a5e2bdad4552a26634f0a392bd7f64231ed12018f430bf08692fac52c206e1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Service Host Child Process - Childless Service", + "sha256": "3086f0755beef3bc637f52b992f4b001ed10d7155978344d650e9ab12d2b44d5", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Unusual Service Host Child Process - Childless Service", + "sha256": "24a5e2bdad4552a26634f0a392bd7f64231ed12018f430bf08692fac52c206e1", + "type": "eql", + "version": 100 }, "6aace640-e631-4870-ba8e-5fdda09325db": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "e5af89fb2a0cdf3e47de3ac1fc26f371b765520be293a2e451e61c793aefb73c", - "type": "eql", - "version": 11 - } - }, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "88ce3666e6415c05ed475a138a1ad69be67c93f0fdb4dd5a0aba78831e6b4213", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Exporting Exchange Mailbox via PowerShell", + "sha256": "e5af89fb2a0cdf3e47de3ac1fc26f371b765520be293a2e451e61c793aefb73c", + "type": "eql", + "version": 11 + } + }, + "rule_name": "Exporting Exchange Mailbox via PowerShell", + "sha256": "88ce3666e6415c05ed475a138a1ad69be67c93f0fdb4dd5a0aba78831e6b4213", + "type": "eql", + "version": 100 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Sensitive Files Compression", - "sha256": "3d1a0bee2d79c035a599faffc03e74e4b4699b39dbb4418068b003eb6136050c", - "type": "query", - "version": 3 - } - }, - "rule_name": "Sensitive Files Compression", - "sha256": "1245a54f6eb888b0625cb5d21c2d3f9a32f00bd323cfe849f6c4c6e8bd3dc391", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, 
+ "rule_name": "Sensitive Files Compression", + "sha256": "3d1a0bee2d79c035a599faffc03e74e4b4699b39dbb4418068b003eb6136050c", + "type": "query", + "version": 3 + } + }, + "rule_name": "Sensitive Files Compression", + "sha256": "1245a54f6eb888b0625cb5d21c2d3f9a32f00bd323cfe849f6c4c6e8bd3dc391", + "type": "query", + "version": 100 }, "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "45706af41dd0e101a3f59b870ba870250864df9ed5c53ce61e227e1027bc6e09", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Remote Computer Account DnsHostName Update", - "sha256": "6023b238c4eefc97b6a59ca0a23a1985dd52daf852fcbb1d338f183812588e5d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote Computer Account DnsHostName Update", + "sha256": "45706af41dd0e101a3f59b870ba870250864df9ed5c53ce61e227e1027bc6e09", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Remote Computer Account DnsHostName Update", + "sha256": "6023b238c4eefc97b6a59ca0a23a1985dd52daf852fcbb1d338f183812588e5d", + "type": "eql", + "version": 100 }, "6cd1779c-560f-4b68-a8f1-11009b27fe63": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "e08745f50529b4335fb58264f3ee42c749085a6a0c4dcee4d04aa790d386d05d", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", - "sha256": "1c68199cc49bfb97a0ba0c646a90d3b2f73cc356ef13470f54d602b4a0a4f901", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", + "sha256": "e08745f50529b4335fb58264f3ee42c749085a6a0c4dcee4d04aa790d386d05d", + "type": "eql", + "version": 6 + } + 
}, + "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", + "sha256": "1c68199cc49bfb97a0ba0c646a90d3b2f73cc356ef13470f54d602b4a0a4f901", + "type": "eql", + "version": 100 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Process For a Windows Host", - "sha256": "9acf5cf644f0dd40d86fe207e02999cd5ad7cb60a50cb3c648eb7def01929e9a", - "type": "machine_learning", - "version": 10 - } - }, - "rule_name": "Unusual Process For a Windows Host", - "sha256": "4e2bbfe5f472c1005d61a787175eeeb5392ecfb867b7039df22de58040ae3153", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Process For a Windows Host", + "sha256": "9acf5cf644f0dd40d86fe207e02999cd5ad7cb60a50cb3c648eb7def01929e9a", + "type": "machine_learning", + "version": 10 + } + }, + "rule_name": "Unusual Process For a Windows Host", + "sha256": "4e2bbfe5f472c1005d61a787175eeeb5392ecfb867b7039df22de58040ae3153", + "type": "machine_learning", + "version": 100 }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Anomalous Process For a Windows Population", - "sha256": "265db12570310439b937bb99bc1a58f1e6ad99c7bc17a2fcde50e05cf11b03bd", - "type": "machine_learning", - "version": 7 - } - }, - "rule_name": "Anomalous Process For a Windows Population", - "sha256": "0f387df0bf637f8a7cdcac7e35c402a5c25cab0df5667d31c4ed069e209e0acc", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Anomalous Process For a Windows Population", + "sha256": "265db12570310439b937bb99bc1a58f1e6ad99c7bc17a2fcde50e05cf11b03bd", + "type": "machine_learning", + "version": 7 + } + }, + "rule_name": "Anomalous Process For a Windows Population", + "sha256": 
"0f387df0bf637f8a7cdcac7e35c402a5c25cab0df5667d31c4ed069e209e0acc", + "type": "machine_learning", + "version": 100 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AdminSDHolder Backdoor", - "sha256": "e63135af0e5924b96b28af7b3bf95259660d6458c0e1f94fee88f8d7d23538af", - "type": "query", - "version": 4 - } - }, - "rule_name": "AdminSDHolder Backdoor", - "sha256": "6943781070b2e5afa4e3de92c0c934ba4f784cbb964d00cc9daafd12e86c2af2", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AdminSDHolder Backdoor", + "sha256": "e63135af0e5924b96b28af7b3bf95259660d6458c0e1f94fee88f8d7d23538af", + "type": "query", + "version": 4 + } + }, + "rule_name": "AdminSDHolder Backdoor", + "sha256": "6943781070b2e5afa4e3de92c0c934ba4f784cbb964d00cc9daafd12e86c2af2", + "type": "query", + "version": 100 }, "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "82208392d7e64f65ffc52fefb132ec3415dabd2548e78cd6ecfc122a6d9b2090", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Enumeration of Users or Groups via Built-in Commands", - "sha256": "585a781ba81a407c650ab6ef818dd199ba4814404992bc6127a023806ab5ec2c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Enumeration of Users or Groups via Built-in Commands", + "sha256": "82208392d7e64f65ffc52fefb132ec3415dabd2548e78cd6ecfc122a6d9b2090", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Enumeration of Users or Groups via Built-in Commands", + "sha256": "585a781ba81a407c650ab6ef818dd199ba4814404992bc6127a023806ab5ec2c", + "type": "eql", + "version": 100 }, "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - 
"rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "f7c950372b5e9243c9d6de8b572a1f564290aa2b0f790831d501d5b3a2b460b0", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Potential Windows Error Manager Masquerading", - "sha256": "5eb2d277fc3beed4ad59ed441f5286ae09f2e33e7dc3f9919fc5b2cc669fd8e2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Windows Error Manager Masquerading", + "sha256": "f7c950372b5e9243c9d6de8b572a1f564290aa2b0f790831d501d5b3a2b460b0", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Potential Windows Error Manager Masquerading", + "sha256": "5eb2d277fc3beed4ad59ed441f5286ae09f2e33e7dc3f9919fc5b2cc669fd8e2", + "type": "eql", + "version": 100 }, "6ea55c81-e2ba-42f2-a134-bccf857ba922": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Security Software Discovery using WMIC", - "sha256": "db29bad908a46be8a59efc119ed564e77fa8ef7c6a4bd2a47fba5e361fa0be25", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Security Software Discovery using WMIC", - "sha256": "2e5f5ac59dea19e7af55d8f5a0db3a0bb5778cead96038507a5ffdce5601ea27", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Security Software Discovery using WMIC", + "sha256": "db29bad908a46be8a59efc119ed564e77fa8ef7c6a4bd2a47fba5e361fa0be25", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Security Software Discovery using WMIC", + "sha256": "2e5f5ac59dea19e7af55d8f5a0db3a0bb5778cead96038507a5ffdce5601ea27", + "type": "eql", + "version": 100 }, "6ea71ff0-9e95-475b-9506-2580d1ce6154": { - "rule_name": "DNS Activity to the Internet", - "sha256": "2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622", - "type": "query", - "version": 100 + "rule_name": "DNS Activity to the Internet", + "sha256": 
"2b8ee3ad95436f33ac0289f2bbc2af3b6582974ac3f7eeb4c557d00df664f622", + "type": "query", + "version": 100 }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { - "rule_name": "SSH (Secure Shell) to the Internet", - "sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5", - "type": "query", - "version": 100 + "rule_name": "SSH (Secure Shell) to the Internet", + "sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5", + "type": "query", + "version": 100 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Google Workspace Role Modified", - "sha256": "9cb9378f77ddd21f125d4bd96ae0f071a38f364c8fd7d446fb6d72144274f37a", - "type": "query", - "version": 12 - }, - "8.0": { - "rule_name": "Google Workspace Role Modified", - "sha256": "244dc1f48bcc75832806b71e104f30425388ca2f33f6810e00dd12f2906b426f", - "type": "query", - "version": 15 - } - }, - "rule_name": "Google Workspace Role Modified", - "sha256": "8dc1f19266e88e4e9730b019277e28ce3f4e7f8a2f366b75198d4d752ba789b8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 14, + "rule_name": "Google Workspace Role Modified", + "sha256": "9cb9378f77ddd21f125d4bd96ae0f071a38f364c8fd7d446fb6d72144274f37a", + "type": "query", + "version": 12 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "Google Workspace Role Modified", + "sha256": "244dc1f48bcc75832806b71e104f30425388ca2f33f6810e00dd12f2906b426f", + "type": "query", + "version": 15 + } + }, + "rule_name": "Google Workspace Role Modified", + "sha256": "8dc1f19266e88e4e9730b019277e28ce3f4e7f8a2f366b75198d4d752ba789b8", + "type": "query", + "version": 100 }, "6f683345-bb10-47a7-86a7-71e9c24fb358": { - "rule_name": "Linux Restricted Shell Breakout via the find command", - "sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6", - "type": "eql", - "version": 100 + "rule_name": "Linux 
Restricted Shell Breakout via the find command", + "sha256": "7e1c03c53ba1a32b0780b4233a4278668a22939bf80ec896514a0237bbd28eb6", + "type": "eql", + "version": 100 }, "7024e2a0-315d-4334-bb1a-441c593e16ab": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "a4ff0cfaccd58b87eaa594425fccba1ee8ad9372d16c1f8f900f9ad8f064b7f9", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS CloudTrail Log Deleted", - "sha256": "252bd838adede7937aef757f4542fb56c55424aa08f56d9f96c1c3bc9c37f647", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS CloudTrail Log Deleted", + "sha256": "a4ff0cfaccd58b87eaa594425fccba1ee8ad9372d16c1f8f900f9ad8f064b7f9", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS CloudTrail Log Deleted", + "sha256": "252bd838adede7937aef757f4542fb56c55424aa08f56d9f96c1c3bc9c37f647", + "type": "query", + "version": 100 }, "7024e2a0-315d-4334-bb1a-552d604f27bc": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Config Resource Deletion", - "sha256": "43704baff18966de9952e1a0f3c08d898c72c1231d9122fcb2eb2854ef396a56", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS Config Resource Deletion", - "sha256": "b75dd0547cf5415b26f194627721331376b66a9380b020303ab189c3da78130a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Config Resource Deletion", + "sha256": "43704baff18966de9952e1a0f3c08d898c72c1231d9122fcb2eb2854ef396a56", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS Config Resource Deletion", + "sha256": "b75dd0547cf5415b26f194627721331376b66a9380b020303ab189c3da78130a", + "type": "query", + "version": 100 }, "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": 
"Persistence via WMI Standard Registry Provider", - "sha256": "595a864d26763ad72e78a54831b8e6740f1bd90566b5a450046c0ed8824b9e6e", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Persistence via WMI Standard Registry Provider", - "sha256": "b0afbf06b864f7794e0a2be2de337c03e68e9a31fa7b42ea61e11a0de36e4459", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via WMI Standard Registry Provider", + "sha256": "595a864d26763ad72e78a54831b8e6740f1bd90566b5a450046c0ed8824b9e6e", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Persistence via WMI Standard Registry Provider", + "sha256": "b0afbf06b864f7794e0a2be2de337c03e68e9a31fa7b42ea61e11a0de36e4459", + "type": "eql", + "version": 100 }, "70fa1af4-27fd-4f26-bd03-50b6af6b9e24": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": "f7b73fb04043a3546f845ee4b9167420e82f46abe62cc0880f760715211d4c57", - "type": "query", - "version": 4 - } - }, - "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", - "sha256": "dad3c106f43e95382e1ad7cbc8f57d5b283df82773ad2e2e92ffb1debeae0f36", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", + "sha256": "f7b73fb04043a3546f845ee4b9167420e82f46abe62cc0880f760715211d4c57", + "type": "query", + "version": 4 + } + }, + "rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", + "sha256": "dad3c106f43e95382e1ad7cbc8f57d5b283df82773ad2e2e92ffb1debeae0f36", + "type": "query", + "version": 100 }, "717f82c2-7741-4f9b-85b8-d06aeb853f4f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": 
"fe4e4318876cf618a1e21bd9cf33c5e2df2b85efd5b8e7801d31ebdabf213df6", - "type": "query", - "version": 4 - } - }, - "rule_name": "Modification of Dynamic Linker Preload Shared Object", - "sha256": "81d0f87832fa695a99b4d76255d2c78f58656da7a1989f1d7fe894cd620db85f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Modification of Dynamic Linker Preload Shared Object", + "sha256": "fe4e4318876cf618a1e21bd9cf33c5e2df2b85efd5b8e7801d31ebdabf213df6", + "type": "query", + "version": 4 + } + }, + "rule_name": "Modification of Dynamic Linker Preload Shared Object", + "sha256": "81d0f87832fa695a99b4d76255d2c78f58656da7a1989f1d7fe894cd620db85f", + "type": "query", + "version": 100 }, "71bccb61-e19b-452f-b104-79a60e546a95": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "a0532649648f730107a0133d1d34ba08d749a89fe702237470c2e9ba8af94ad3", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Unusual File Creation - Alternate Data Stream", - "sha256": "bed2940df4181810e7478b8e19507306d6a16bd56bbf4441e2c50b768bff324a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual File Creation - Alternate Data Stream", + "sha256": "a0532649648f730107a0133d1d34ba08d749a89fe702237470c2e9ba8af94ad3", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Unusual File Creation - Alternate Data Stream", + "sha256": "bed2940df4181810e7478b8e19507306d6a16bd56bbf4441e2c50b768bff324a", + "type": "eql", + "version": 100 }, "71c5cb27-eca5-4151-bb47-64bc3f883270": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious RDP ActiveX Client Loaded", - "sha256": "c4f2f189b4b7fd579305f0b3d350ce9691203ef9c69669f8ea8b3be72f875195", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Suspicious RDP 
ActiveX Client Loaded", - "sha256": "91cbf7f2f4a4253fc574c452cf02480f553ca46f167c6750cba1f4bae746b02d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious RDP ActiveX Client Loaded", + "sha256": "c4f2f189b4b7fd579305f0b3d350ce9691203ef9c69669f8ea8b3be72f875195", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Suspicious RDP ActiveX Client Loaded", + "sha256": "91cbf7f2f4a4253fc574c452cf02480f553ca46f167c6750cba1f4bae746b02d", + "type": "eql", + "version": 100 }, "721999d0-7ab2-44bf-b328-6e63367b9b29": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "de3533885523c98ef8c93be8721da011f9faaef2f59686ee92c84ad626c929c1", - "type": "query", - "version": 6 - } - }, - "rule_name": "Microsoft 365 Potential ransomware activity", - "sha256": "b91ed8e2d7e1cb283ab6ca4c730174019a360cee3c01a5c6365aedf04ed563a2", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Potential ransomware activity", + "sha256": "de3533885523c98ef8c93be8721da011f9faaef2f59686ee92c84ad626c929c1", + "type": "query", + "version": 6 + } + }, + "rule_name": "Microsoft 365 Potential ransomware activity", + "sha256": "b91ed8e2d7e1cb283ab6ca4c730174019a360cee3c01a5c6365aedf04ed563a2", + "type": "query", + "version": 100 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "55b7a39561fa69e358537b62420d5479578bc7a658b937d80114bd6e334abce8", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "ca6648edd972ed21401c4098468a62d530987ef7fbaca081fa283b7824b54ee8", - "type": "query", - "version": 100 + "min_stack_version": 
"8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "55b7a39561fa69e358537b62420d5479578bc7a658b937d80114bd6e334abce8", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "ca6648edd972ed21401c4098468a62d530987ef7fbaca081fa283b7824b54ee8", + "type": "query", + "version": 100 }, "72d33577-f155-457d-aad3-379f9b750c97": { - "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", - "sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", + "sha256": "1afd2b836cd82dafad139963d4d003d6088aaa83f45791c64cf7c0d7b66198e6", + "type": "eql", + "version": 100 }, "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "12b47e8a1e1df6f0c7239beff9393ef1170c61308c73a09a69f215951937952b", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Potential Modification of Accessibility Binaries", - "sha256": "85bb1aec79329f7e94bcce8357743ed8fd42b459d5ba231131f2838ca6ced383", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Modification of Accessibility Binaries", + "sha256": "12b47e8a1e1df6f0c7239beff9393ef1170c61308c73a09a69f215951937952b", + "type": "eql", + "version": 12 + } + }, + "rule_name": "Potential Modification of Accessibility Binaries", + "sha256": "85bb1aec79329f7e94bcce8357743ed8fd42b459d5ba231131f2838ca6ced383", + "type": "eql", + "version": 100 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Modification of Environment Variable via Launchctl", - "sha256": 
"eee473b2a22ea8df57eed1ec8893c9ade87d5b5eb7916d102429055badfe191a", - "type": "query", - "version": 5 - } - }, - "rule_name": "Modification of Environment Variable via Launchctl", - "sha256": "552c664af8938d92ac542029a3036de5d0b14b3fbbb8521fe59f46862cea6318", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Modification of Environment Variable via Launchctl", + "sha256": "eee473b2a22ea8df57eed1ec8893c9ade87d5b5eb7916d102429055badfe191a", + "type": "query", + "version": 5 + } + }, + "rule_name": "Modification of Environment Variable via Launchctl", + "sha256": "552c664af8938d92ac542029a3036de5d0b14b3fbbb8521fe59f46862cea6318", + "type": "query", + "version": 100 }, "745b0119-0560-43ba-860a-7235dd8cee8d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Hour for a User to Logon", - "sha256": "1e847948be954f3a3cbfb10357ae89e2badbfd6a8fbe0b16d728d77166473a07", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Unusual Hour for a User to Logon", - "sha256": "1e847948be954f3a3cbfb10357ae89e2badbfd6a8fbe0b16d728d77166473a07", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Hour for a User to Logon", + "sha256": "1e847948be954f3a3cbfb10357ae89e2badbfd6a8fbe0b16d728d77166473a07", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Unusual Hour for a User to Logon", + "sha256": "1e847948be954f3a3cbfb10357ae89e2badbfd6a8fbe0b16d728d77166473a07", + "type": "machine_learning", + "version": 100 }, "746edc4c-c54c-49c6-97a1-651223819448": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual DNS Activity", - "sha256": "6756a4819c149be09d06dbd77b8d1335be3f2892ec75596b19813f0e151f420e", - "type": "machine_learning", - "version": 5 - } - }, - "rule_name": "Unusual DNS Activity", - 
"sha256": "6756a4819c149be09d06dbd77b8d1335be3f2892ec75596b19813f0e151f420e", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual DNS Activity", + "sha256": "6756a4819c149be09d06dbd77b8d1335be3f2892ec75596b19813f0e151f420e", + "type": "machine_learning", + "version": 5 + } + }, + "rule_name": "Unusual DNS Activity", + "sha256": "6756a4819c149be09d06dbd77b8d1335be3f2892ec75596b19813f0e151f420e", + "type": "machine_learning", + "version": 100 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Web Application Suspicious Activity: Unauthorized Method", - "sha256": "7d4448c4595f5cf1ecdfcfde84e6c0bd302004eb1a71c73591e3e339532195e6", - "type": "query", - "version": 10 - } - }, - "rule_name": "Web Application Suspicious Activity: Unauthorized Method", - "sha256": "043fb6685ee21c9cd0a6a574ef411cf5548ca2c8913ee806b028c20f53afdd0a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Web Application Suspicious Activity: Unauthorized Method", + "sha256": "7d4448c4595f5cf1ecdfcfde84e6c0bd302004eb1a71c73591e3e339532195e6", + "type": "query", + "version": 10 + } + }, + "rule_name": "Web Application Suspicious Activity: Unauthorized Method", + "sha256": "043fb6685ee21c9cd0a6a574ef411cf5548ca2c8913ee806b028c20f53afdd0a", + "type": "query", + "version": 100 }, "76152ca1-71d0-4003-9e37-0983e12832da": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "244f9ef115052b03ab17b53de02594d6fb2a47a66970b7f34db63659f0d9ea3f", - "type": "query", - "version": 3 - } - }, - "rule_name": "Potential Privilege Escalation via Sudoers File Modification", - "sha256": "41bff26d8ac04c3a2f669a13e1b3edfca89037be6c5c41504748ab258705d9f1", - "type": 
"query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Privilege Escalation via Sudoers File Modification", + "sha256": "244f9ef115052b03ab17b53de02594d6fb2a47a66970b7f34db63659f0d9ea3f", + "type": "query", + "version": 3 + } + }, + "rule_name": "Potential Privilege Escalation via Sudoers File Modification", + "sha256": "41bff26d8ac04c3a2f669a13e1b3edfca89037be6c5c41504748ab258705d9f1", + "type": "query", + "version": 100 }, "764c8437-a581-4537-8060-1fdb0e92c92d": { - "min_stack_version": "8.3", - "previous": { - "8.2": { - "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "8845c5c341a499cd38d65de796f7a5a18d12bb9527efd90d7c1f1b89c36c02e5", - "type": "query", - "version": 3 - } - }, - "rule_name": "Kubernetes Pod Created With HostIPC", - "sha256": "9a9a9b859d5aa0b1260420d9cf0d17cf615400af097106fd35f5b1d6af863196", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "8.2": { + "max_allowable_version": 99, + "rule_name": "Kubernetes Pod Created With HostIPC", + "sha256": "8845c5c341a499cd38d65de796f7a5a18d12bb9527efd90d7c1f1b89c36c02e5", + "type": "query", + "version": 3 + } + }, + "rule_name": "Kubernetes Pod Created With HostIPC", + "sha256": "9a9a9b859d5aa0b1260420d9cf0d17cf615400af097106fd35f5b1d6af863196", + "type": "query", + "version": 100 }, "766d3f91-3f12-448c-b65f-20123e9e9e8c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Creation of Hidden Shared Object File", - "sha256": "798005e896c8c1cfbceb44c167fb97fec88162d0f7ed225950029ecf2e355337", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Creation of Hidden Shared Object File", - "sha256": "515cf887d2df46a2a9d6eddbe0174710e688189fe30860fe8d8531f7a8ea45cb", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Creation of Hidden Shared Object File", + 
"sha256": "798005e896c8c1cfbceb44c167fb97fec88162d0f7ed225950029ecf2e355337", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Creation of Hidden Shared Object File", + "sha256": "515cf887d2df46a2a9d6eddbe0174710e688189fe30860fe8d8531f7a8ea45cb", + "type": "eql", + "version": 100 }, "76ddb638-abf7-42d5-be22-4a70b0bf7241": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "cd03875e5215659d4a9dc647d4349d17c2d6ab4cfe4f196e34f114dc5de5dc93", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", - "sha256": "edaa42397d413323802f1ef7f9875f5de10bed34577f53a332289a143cbc001c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", + "sha256": "cd03875e5215659d4a9dc647d4349d17c2d6ab4cfe4f196e34f114dc5de5dc93", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", + "sha256": "edaa42397d413323802f1ef7f9875f5de10bed34577f53a332289a143cbc001c", + "type": "eql", + "version": 100 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "b7b15c433fb890a500de66e990cffb64232c3c9983db33dd7ed952206cca6e13", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "1abb2447d34ad3e537afe69f7952979911c10b4ac2de409942b8286690971ba8", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Remote Desktop Tunneling Detected", + "sha256": "b7b15c433fb890a500de66e990cffb64232c3c9983db33dd7ed952206cca6e13", + "type": "eql", + "version": 9 + } + }, + "rule_name": 
"Potential Remote Desktop Tunneling Detected", + "sha256": "1abb2447d34ad3e537afe69f7952979911c10b4ac2de409942b8286690971ba8", + "type": "eql", + "version": 100 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "e1035282bef10663f92eb6000566f4f1597d215a0cf5cc4b7fe21c95cb248a39", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Enumeration Command Spawned via WMIPrvSE", - "sha256": "51517f9a409f7b6c6a70ee3417cb14f1ec4aa9323d6890a09c720defffd6fba1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Enumeration Command Spawned via WMIPrvSE", + "sha256": "e1035282bef10663f92eb6000566f4f1597d215a0cf5cc4b7fe21c95cb248a39", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Enumeration Command Spawned via WMIPrvSE", + "sha256": "51517f9a409f7b6c6a70ee3417cb14f1ec4aa9323d6890a09c720defffd6fba1", + "type": "eql", + "version": 100 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "User Added as Owner for Azure Application", - "sha256": "221e88f2a1891057d283196c7aab129be0f5a2eb1f8631fe80e43865e7dbe0bd", - "type": "query", - "version": 8 - } - }, - "rule_name": "User Added as Owner for Azure Application", - "sha256": "703fe0f5612ad2d0a2b2586ea0901b308e6d66e9fb1b42ea07f599eda881a0e9", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "User Added as Owner for Azure Application", + "sha256": "221e88f2a1891057d283196c7aab129be0f5a2eb1f8631fe80e43865e7dbe0bd", + "type": "query", + "version": 8 + } + }, + "rule_name": "User Added as Owner for Azure Application", + "sha256": "703fe0f5612ad2d0a2b2586ea0901b308e6d66e9fb1b42ea07f599eda881a0e9", + "type": "query", + "version": 100 }, 
"77a3c3df-8ec4-4da4-b758-878f551dee69": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Adversary Behavior - Detected - Elastic Endgame", - "sha256": "5380f574b8e648c558fa34254366c5e53eed6065c9b0c722b1c458ac26b01ce3", - "type": "query", - "version": 9 - } - }, - "rule_name": "Adversary Behavior - Detected - Elastic Endgame", - "sha256": "0072ff59ca4feee94e2d1c15d48244bba7d6706c23b5fa838b2d80f112d5d3ac", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Adversary Behavior - Detected - Elastic Endgame", + "sha256": "5380f574b8e648c558fa34254366c5e53eed6065c9b0c722b1c458ac26b01ce3", + "type": "query", + "version": 9 + } + }, + "rule_name": "Adversary Behavior - Detected - Elastic Endgame", + "sha256": "0072ff59ca4feee94e2d1c15d48244bba7d6706c23b5fa838b2d80f112d5d3ac", + "type": "query", + "version": 100 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Application Added to Google Workspace Domain", - "sha256": "05659e0fca8bfd5b058797e8189179ad491969abb24b47e22e586ea42c527deb", - "type": "query", - "version": 12 - }, - "8.0": { - "rule_name": "Application Added to Google Workspace Domain", - "sha256": "5e45bae76ca5b927ec5755d9bb797b2012a6884ff93d4deb09b0127a0b0e273f", - "type": "query", - "version": 15 - } - }, - "rule_name": "Application Added to Google Workspace Domain", - "sha256": "167624464a44f366b739b360ebb3abbf57ded7a1a0a5477391c335aa6c3a8d50", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 14, + "rule_name": "Application Added to Google Workspace Domain", + "sha256": "05659e0fca8bfd5b058797e8189179ad491969abb24b47e22e586ea42c527deb", + "type": "query", + "version": 12 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "Application Added to Google Workspace Domain", + "sha256": 
"5e45bae76ca5b927ec5755d9bb797b2012a6884ff93d4deb09b0127a0b0e273f", + "type": "query", + "version": 15 + } + }, + "rule_name": "Application Added to Google Workspace Domain", + "sha256": "167624464a44f366b739b360ebb3abbf57ded7a1a0a5477391c335aa6c3a8d50", + "type": "query", + "version": 100 }, "7882cebf-6cf1-4de3-9662-213aa13e8b80": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Privilege Identity Management Role Modified", - "sha256": "a72422827c480ac2b9747935d238c62d58f73ac2814b048de4b484e0c71d660f", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Privilege Identity Management Role Modified", - "sha256": "cf5d17d59a760c2a0accc338a57be2d6bfef72f5b5fb4893bb34fc49db576256", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Privilege Identity Management Role Modified", + "sha256": "a72422827c480ac2b9747935d238c62d58f73ac2814b048de4b484e0c71d660f", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Privilege Identity Management Role Modified", + "sha256": "cf5d17d59a760c2a0accc338a57be2d6bfef72f5b5fb4893bb34fc49db576256", + "type": "query", + "version": 100 }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Spike in AWS Error Messages", - "sha256": "106b495c6e5eb5e409cdb8294ecab91a7ebc9dbab945cfcdbedd158cbe87cc46", - "type": "machine_learning", - "version": 12 - } - }, - "rule_name": "Spike in AWS Error Messages", - "sha256": "01aad6090bc10b35e30f2ba738f6102b658567c0f78ad2aea02aa8a87624cc24", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Spike in AWS Error Messages", + "sha256": "106b495c6e5eb5e409cdb8294ecab91a7ebc9dbab945cfcdbedd158cbe87cc46", + "type": "machine_learning", + "version": 12 + } + }, + "rule_name": "Spike in AWS Error 
Messages", + "sha256": "01aad6090bc10b35e30f2ba738f6102b658567c0f78ad2aea02aa8a87624cc24", + "type": "machine_learning", + "version": 100 }, "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Key Vault Modified", - "sha256": "47a0cc7f95baa26446d9632a6b279c5cc1208bf3b8ba2d27f61cdacdee9edaf4", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Key Vault Modified", - "sha256": "e1212563d20d9bd804d0f0103f0d02843b99ed1512929cf8637d33a1283c7172", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Key Vault Modified", + "sha256": "47a0cc7f95baa26446d9632a6b279c5cc1208bf3b8ba2d27f61cdacdee9edaf4", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Key Vault Modified", + "sha256": "e1212563d20d9bd804d0f0103f0d02843b99ed1512929cf8637d33a1283c7172", + "type": "query", + "version": 100 }, "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "db8f5998b6c1ef6c15dbc8bcdeb7525851f386baa8e20bdefd37f4511f7e6594", - "type": "query", - "version": 5 - } - }, - "rule_name": "Potential Shadow Credentials added to AD Object", - "sha256": "7e3d14629cfafc91401f89e4897f7c7c3af8fd54751dd0047922f11e48777896", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Shadow Credentials added to AD Object", + "sha256": "db8f5998b6c1ef6c15dbc8bcdeb7525851f386baa8e20bdefd37f4511f7e6594", + "type": "query", + "version": 5 + } + }, + "rule_name": "Potential Shadow Credentials added to AD Object", + "sha256": "7e3d14629cfafc91401f89e4897f7c7c3af8fd54751dd0047922f11e48777896", + "type": "query", + "version": 100 }, "7a137d76-ce3d-48e2-947d-2747796a78c0": { - "rule_name": "Network Sniffing via 
Tcpdump", - "sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426", - "type": "query", - "version": 100 + "rule_name": "Network Sniffing via Tcpdump", + "sha256": "a1d61d8865b525e77420ddd2744a088b6776dae60edb6673253cd1aeba1fd426", + "type": "query", + "version": 100 }, "7b08314d-47a0-4b71-ae4e-16544176924f": { - "rule_name": "File and Directory Discovery", - "sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5", - "type": "eql", - "version": 100 + "rule_name": "File and Directory Discovery", + "sha256": "720c1bc79fdb18e1f5ef2fe1e9aa79081b3ca846cdab6f115116d45d72d115b5", + "type": "eql", + "version": 100 }, "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "c27a6ebbde5ed895c419e9247fb27acdbfe2112b70c5ec4cb645f19b9a694f5b", - "type": "query", - "version": 5 - } - }, - "rule_name": "AWS ElastiCache Security Group Created", - "sha256": "226ee11ffe057fb5a2ee3b7f350a57d79b5080d0586afb18939eea9ce65ae082", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS ElastiCache Security Group Created", + "sha256": "c27a6ebbde5ed895c419e9247fb27acdbfe2112b70c5ec4cb645f19b9a694f5b", + "type": "query", + "version": 5 + } + }, + "rule_name": "AWS ElastiCache Security Group Created", + "sha256": "226ee11ffe057fb5a2ee3b7f350a57d79b5080d0586afb18939eea9ce65ae082", + "type": "query", + "version": 100 }, "7b8bfc26-81d2-435e-965c-d722ee397ef1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Windows Network Enumeration", - "sha256": "1b6f54e06cc026d118a54820c8a360add1add24912d31ccadd63e7661acaeaa8", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Windows Network Enumeration", - "sha256": "7b40b87ee1a93d70b7e567f0a0198401ed29fdc5a08e73e173aadc29c7852f58", - "type": "eql", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Windows Network Enumeration", + "sha256": "1b6f54e06cc026d118a54820c8a360add1add24912d31ccadd63e7661acaeaa8", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Windows Network Enumeration", + "sha256": "7b40b87ee1a93d70b7e567f0a0198401ed29fdc5a08e73e173aadc29c7852f58", + "type": "eql", + "version": 100 }, "7ba58110-ae13-439b-8192-357b0fcfa9d7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "9af915cd549d5c285a49f42912dac118f64b9faf1c216e1bc345fdd6f7cbbb37", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Suspicious LSASS Access via MalSecLogon", - "sha256": "776bdc7d055bc880558ce25ef540c01f38557435a19f04cf3e6aad5190dafa54", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious LSASS Access via MalSecLogon", + "sha256": "9af915cd549d5c285a49f42912dac118f64b9faf1c216e1bc345fdd6f7cbbb37", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Suspicious LSASS Access via MalSecLogon", + "sha256": "776bdc7d055bc880558ce25ef540c01f38557435a19f04cf3e6aad5190dafa54", + "type": "eql", + "version": 100 }, "7bcbb3ac-e533-41ad-a612-d6c3bf666aba": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Tampering of Bash Command-Line History", - "sha256": "66b54d6084fe3d3ddb4668acbfd676d08cc2735a6554121b7545833db254d29e", - "type": "eql", - "version": 11 - } - }, - "rule_name": "Tampering of Bash Command-Line History", - "sha256": "97b6389a0577016d4c0e86d27d8b77a359c768b9759938f8ed719c5a9a777f3a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Tampering of Bash Command-Line History", + "sha256": "66b54d6084fe3d3ddb4668acbfd676d08cc2735a6554121b7545833db254d29e", + "type": 
"eql", + "version": 11 + } + }, + "rule_name": "Tampering of Bash Command-Line History", + "sha256": "97b6389a0577016d4c0e86d27d8b77a359c768b9759938f8ed719c5a9a777f3a", + "type": "eql", + "version": 100 }, "7ceb2216-47dd-4e64-9433-cddc99727623": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Service Account Creation", - "sha256": "007c9309e37591fe3ca25816e08d1be1e25944279ed9da43b1285ca58048a188", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Service Account Creation", - "sha256": "785c10b62b59333a0f88d46a496dead6b5f7a450baf28951b38c53c1f5596014", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Service Account Creation", + "sha256": "007c9309e37591fe3ca25816e08d1be1e25944279ed9da43b1285ca58048a188", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Service Account Creation", + "sha256": "785c10b62b59333a0f88d46a496dead6b5f7a450baf28951b38c53c1f5596014", + "type": "query", + "version": 100 }, "7d2c38d7-ede7-4bdf-b140-445906e6c540": { - "rule_name": "Tor Activity to the Internet", - "sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1", - "type": "query", - "version": 100 + "rule_name": "Tor Activity to the Internet", + "sha256": "a795f581489be91fab79b53ab0afee754fd43c0655cde52c08dd70983c606cb1", + "type": "query", + "version": 100 }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "1c6eb53bb3fe9a161a80405a8261bedc5d20b5358713447a8db60cd32ca6f117", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Suspicious WMIC XSL Script Execution", - "sha256": "3543c058d99e4ede8932d890d7b74e90ef57744f8b2eaecd967e5f8346cd8d3a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious 
WMIC XSL Script Execution", + "sha256": "1c6eb53bb3fe9a161a80405a8261bedc5d20b5358713447a8db60cd32ca6f117", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Suspicious WMIC XSL Script Execution", + "sha256": "3543c058d99e4ede8932d890d7b74e90ef57744f8b2eaecd967e5f8346cd8d3a", + "type": "eql", + "version": 100 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual City For an AWS Command", - "sha256": "16e7dd99135fbaa3f9f1b584df44a7e0f234188ddcf848e797c8936a7e80d3cf", - "type": "machine_learning", - "version": 10 - } - }, - "rule_name": "Unusual City For an AWS Command", - "sha256": "5b046d0bbb1b9a2875e3298548e9a76f720dafff820a848849c754e0a43ed6d2", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual City For an AWS Command", + "sha256": "16e7dd99135fbaa3f9f1b584df44a7e0f234188ddcf848e797c8936a7e80d3cf", + "type": "machine_learning", + "version": 10 + } + }, + "rule_name": "Unusual City For an AWS Command", + "sha256": "5b046d0bbb1b9a2875e3298548e9a76f720dafff820a848849c754e0a43ed6d2", + "type": "machine_learning", + "version": 100 }, "80c52164-c82a-402c-9964-852533d58be1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Process Injection - Detected - Elastic Endgame", - "sha256": "4e779ccf1f49a38c2de417875a39930a1324e6ee7368de9a614db42b476ba077", - "type": "query", - "version": 10 - } - }, - "rule_name": "Process Injection - Detected - Elastic Endgame", - "sha256": "61983f7e0e2a5a6846f2e64148a468e508bffa658f0914904759ddedd3c8b1ce", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Process Injection - Detected - Elastic Endgame", + "sha256": "4e779ccf1f49a38c2de417875a39930a1324e6ee7368de9a614db42b476ba077", + "type": "query", + "version": 10 + } + }, + "rule_name": 
"Process Injection - Detected - Elastic Endgame", + "sha256": "61983f7e0e2a5a6846f2e64148a468e508bffa658f0914904759ddedd3c8b1ce", + "type": "query", + "version": 100 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "45b135d716bf1684bcd549aab366c94aa3d640bbf603da35656891bf733ed7cd", - "type": "eql", - "version": 6 - } - }, - "rule_name": "PowerShell Script Block Logging Disabled", - "sha256": "b6672245265d500ac777de607d8edf6b31aa2bceade6a79152a97d283673274d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "PowerShell Script Block Logging Disabled", + "sha256": "45b135d716bf1684bcd549aab366c94aa3d640bbf603da35656891bf733ed7cd", + "type": "eql", + "version": 6 + } + }, + "rule_name": "PowerShell Script Block Logging Disabled", + "sha256": "b6672245265d500ac777de607d8edf6b31aa2bceade6a79152a97d283673274d", + "type": "eql", + "version": 100 }, "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { - "rule_name": "Persistence via Kernel Module Modification", - "sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86", - "type": "query", - "version": 100 + "rule_name": "Persistence via Kernel Module Modification", + "sha256": "6d2938fb1e03fb76895197f4565a860e7c346b8cba3ac5bc612938f6af910d86", + "type": "query", + "version": 100 }, "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "ac0a5aab69c72adf4afd406b14b4627ac2efe4b584ed0b6fd3c71df98e0dad55", - "type": "query", - "version": 7 - } - }, - "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "14de188f0368c8113c85bd365c39d0989d1cf10ed21e6b6ba1efd219c805c7fb", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + 
"7.16": { + "max_allowable_version": 99, + "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", + "sha256": "ac0a5aab69c72adf4afd406b14b4627ac2efe4b584ed0b6fd3c71df98e0dad55", + "type": "query", + "version": 7 + } + }, + "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", + "sha256": "14de188f0368c8113c85bd365c39d0989d1cf10ed21e6b6ba1efd219c805c7fb", + "type": "query", + "version": 100 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "304b9c056fef81640d1eec475c5d66b9689826093aac96f3581e293750584219", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "8bdb1ce979fcefabbfaa0f4dee8b269cec0e1e7ef1d333a502ce6f17eea56cde", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Apple Scripting Execution with Administrator Privileges", + "sha256": "304b9c056fef81640d1eec475c5d66b9689826093aac96f3581e293750584219", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Apple Scripting Execution with Administrator Privileges", + "sha256": "8bdb1ce979fcefabbfaa0f4dee8b269cec0e1e7ef1d333a502ce6f17eea56cde", + "type": "eql", + "version": 100 }, "83a1931d-8136-46fc-b7b9-2db4f639e014": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Kubernetes Pods Deleted", - "sha256": "027ba090d0505871c507a51754723e8256895b8ed102083aa2b05b93e2d31e24", - "type": "query", - "version": 6 - } - }, - "rule_name": "Azure Kubernetes Pods Deleted", - "sha256": "b991a10d5e4c961fbac48a5a9eaab802246deca8ee74ad44255110504a225183", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Kubernetes Pods Deleted", + "sha256": 
"027ba090d0505871c507a51754723e8256895b8ed102083aa2b05b93e2d31e24", + "type": "query", + "version": 6 + } + }, + "rule_name": "Azure Kubernetes Pods Deleted", + "sha256": "b991a10d5e4c961fbac48a5a9eaab802246deca8ee74ad44255110504a225183", + "type": "query", + "version": 100 }, "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { - "rule_name": "Linux Restricted Shell Breakout via the mysql command", - "sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via the mysql command", + "sha256": "6a7fe2a2002dc6de66039a88c6f06a12e5ca7e45752690720ccd33d86d321194", + "type": "eql", + "version": 100 }, "84da2554-e12a-11ec-b896-f661ea17fbcd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "0e089d3ca893acb3dc41493b56c47678ee8a9c31af770e7cbbdb13b477b3e118", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", - "sha256": "92200cf156380f7b3bb3a4686ebe6468ddf7c36e9b1ee3ceded13c3987906e0e", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", + "sha256": "0e089d3ca893acb3dc41493b56c47678ee8a9c31af770e7cbbdb13b477b3e118", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", + "sha256": "92200cf156380f7b3bb3a4686ebe6468ddf7c36e9b1ee3ceded13c3987906e0e", + "type": "eql", + "version": 100 }, "850d901a-2a3c-46c6-8b22-55398a01aad8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Remote Credential Access via Registry", - "sha256": "ae690790275a04d830343066d6671002a9a95f939102986b9711e1291616442b", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential Remote Credential Access via Registry", - "sha256": 
"8aa38a9a88715acf22617286f18cf3b682130ccd1d625fe5f0439c81e60be69c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Remote Credential Access via Registry", + "sha256": "ae690790275a04d830343066d6671002a9a95f939102986b9711e1291616442b", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential Remote Credential Access via Registry", + "sha256": "8aa38a9a88715acf22617286f18cf3b682130ccd1d625fe5f0439c81e60be69c", + "type": "eql", + "version": 100 }, "852c1f19-68e8-43a6-9dce-340771fe1be3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "fbcec5e3319f343869931abf427186d400817f3564e7f2720236072d6113e9bf", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Suspicious PowerShell Engine ImageLoad", - "sha256": "d7c091b6f97197896f2feb40ff590004aadc49d47645dce62abd86354d7a278b", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious PowerShell Engine ImageLoad", + "sha256": "fbcec5e3319f343869931abf427186d400817f3564e7f2720236072d6113e9bf", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Suspicious PowerShell Engine ImageLoad", + "sha256": "d7c091b6f97197896f2feb40ff590004aadc49d47645dce62abd86354d7a278b", + "type": "eql", + "version": 100 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "2c624a60350aacfd7edbee02670148038cf139f25cd0248f61f2c975e8015141", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS EC2 Network Access Control List Deletion", - "sha256": "c6e59ebe85ab003df21fbcd6bad692bcdc76fe6c2b28629a40a6fa9c8918795e", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + 
"max_allowable_version": 99, + "rule_name": "AWS EC2 Network Access Control List Deletion", + "sha256": "2c624a60350aacfd7edbee02670148038cf139f25cd0248f61f2c975e8015141", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS EC2 Network Access Control List Deletion", + "sha256": "c6e59ebe85ab003df21fbcd6bad692bcdc76fe6c2b28629a40a6fa9c8918795e", + "type": "query", + "version": 100 }, "863cdf31-7fd3-41cf-a185-681237ea277b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS RDS Security Group Deletion", - "sha256": "ff70e69014113484cc022ae28d71a4b3bee57090c3cec63a2d6e92e9aa22f53e", - "type": "query", - "version": 6 - } - }, - "rule_name": "AWS RDS Security Group Deletion", - "sha256": "f39be5f1084cc1ef95308f704a479690c24f61bce88d207ea29b7c6fcfb93708", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS RDS Security Group Deletion", + "sha256": "ff70e69014113484cc022ae28d71a4b3bee57090c3cec63a2d6e92e9aa22f53e", + "type": "query", + "version": 6 + } + }, + "rule_name": "AWS RDS Security Group Deletion", + "sha256": "f39be5f1084cc1ef95308f704a479690c24f61bce88d207ea29b7c6fcfb93708", + "type": "query", + "version": 100 }, "867616ec-41e5-4edc-ada2-ab13ab45de8a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS IAM Group Deletion", - "sha256": "b2a945b0a9a01661e2e49cb626d4fa31a86548be87e638f40e983ee01fafd9dd", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS IAM Group Deletion", - "sha256": "be3cafda2f1bc4c15c32214ed64b86374b01e2ba135956915942b0ee2158a900", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS IAM Group Deletion", + "sha256": "b2a945b0a9a01661e2e49cb626d4fa31a86548be87e638f40e983ee01fafd9dd", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS IAM Group Deletion", + "sha256": 
"be3cafda2f1bc4c15c32214ed64b86374b01e2ba135956915942b0ee2158a900", + "type": "query", + "version": 100 }, "870aecc0-cea4-4110-af3f-e02e9b373655": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Security Software Discovery via Grep", - "sha256": "842aa69813b8f9b0e5dea1537e9c52e707457bf22191d5e1525aa2e6b14cb5c7", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Security Software Discovery via Grep", - "sha256": "b55b1241816124ff03a9d5d57583bcdf421dff533215d423116d1863b8103de1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Security Software Discovery via Grep", + "sha256": "842aa69813b8f9b0e5dea1537e9c52e707457bf22191d5e1525aa2e6b14cb5c7", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Security Software Discovery via Grep", + "sha256": "b55b1241816124ff03a9d5d57583bcdf421dff533215d423116d1863b8103de1", + "type": "eql", + "version": 100 }, "871ea072-1b71-4def-b016-6278b505138d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Enumeration of Administrator Accounts", - "sha256": "c84189dae6dd27a858b984c28e71eaab51ea763f33d1f2751c03e187debf384b", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Enumeration of Administrator Accounts", - "sha256": "06e3c5026a6339436c2ba8655621ebb2da7d12585ebd09d0971dacc7a5d5d350", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Enumeration of Administrator Accounts", + "sha256": "c84189dae6dd27a858b984c28e71eaab51ea763f33d1f2751c03e187debf384b", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Enumeration of Administrator Accounts", + "sha256": "06e3c5026a6339436c2ba8655621ebb2da7d12585ebd09d0971dacc7a5d5d350", + "type": "eql", + "version": 100 }, "87594192-4539-4bc4-8543-23bc3d5bd2b4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS 
EventBridge Rule Disabled or Deleted", - "sha256": "b5a9c1b1250bc364e28b68fbb0d9f068648ea66105469377e7797470547d8859", - "type": "query", - "version": 6 - } - }, - "rule_name": "AWS EventBridge Rule Disabled or Deleted", - "sha256": "367010706d34877b7145c84d93da5e24a1de26743ac66c62886d3c3dd795c7ee", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS EventBridge Rule Disabled or Deleted", + "sha256": "b5a9c1b1250bc364e28b68fbb0d9f068648ea66105469377e7797470547d8859", + "type": "query", + "version": 6 + } + }, + "rule_name": "AWS EventBridge Rule Disabled or Deleted", + "sha256": "367010706d34877b7145c84d93da5e24a1de26743ac66c62886d3c3dd795c7ee", + "type": "query", + "version": 100 }, "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { - "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", - "sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7", - "type": "query", - "version": 100 + "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", + "sha256": "b6ea4d4c77b8c1ed584826fd5828493dc1a33eee3546be3a15f540a56a9dc9f7", + "type": "query", + "version": 100 }, "88671231-6626-4e1b-abb7-6e361a171fbb": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "511c1fd76c1b2e36d3bfcbdba847fdef7fac66c36378a5c88d8f22b1a07e0dd3", - "type": "query", - "version": 5 - } - }, - "rule_name": "Microsoft 365 Global Administrator Role Assigned", - "sha256": "7ccdd0dd55b42d0243844e56404c0100052c1390d25e282a878032c8e2fcd758", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Global Administrator Role Assigned", + "sha256": "511c1fd76c1b2e36d3bfcbdba847fdef7fac66c36378a5c88d8f22b1a07e0dd3", + "type": "query", + "version": 5 + } + }, + "rule_name": "Microsoft 365 Global 
Administrator Role Assigned", + "sha256": "7ccdd0dd55b42d0243844e56404c0100052c1390d25e282a878032c8e2fcd758", + "type": "query", + "version": 100 }, "88817a33-60d3-411f-ba79-7c905d865b2a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "7023870a232e75c229fce7670d936c9514f231294f18ef242f5084e928730d68", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Sublime Plugin or Application Script Modification", - "sha256": "a47894d9a0ff5b4f453fdf5c5d2b60462f4f97413cff355a619f6b620598454c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Sublime Plugin or Application Script Modification", + "sha256": "7023870a232e75c229fce7670d936c9514f231294f18ef242f5084e928730d68", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Sublime Plugin or Application Script Modification", + "sha256": "a47894d9a0ff5b4f453fdf5c5d2b60462f4f97413cff355a619f6b620598454c", + "type": "eql", + "version": 100 }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "e26456a31031a0df8d8fc53b2a116ea9983241ae39b61fda256b5dc1e11abb6d", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious WMI Image Load from MS Office", - "sha256": "a3ff7380f0b662c46ffcecab91e7b40b2ce4e9a74f19ea3aea29841af035b55c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious WMI Image Load from MS Office", + "sha256": "e26456a31031a0df8d8fc53b2a116ea9983241ae39b61fda256b5dc1e11abb6d", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious WMI Image Load from MS Office", + "sha256": "a3ff7380f0b662c46ffcecab91e7b40b2ce4e9a74f19ea3aea29841af035b55c", + "type": "eql", + "version": 100 }, 
"89583d1b-3c2e-4606-8b74-0a9fd2248e88": { - "rule_name": "Linux Restricted Shell Breakout via the vi command", - "sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via the vi command", + "sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79", + "type": "eql", + "version": 100 }, "897dc6b5-b39f-432a-8d75-d3730d50c782": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "1fe268f03a22f4fe8ba24b86ca8cd99917884f39b92761d8d1e16b440e8d6569", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Kerberos Traffic from Unusual Process", - "sha256": "9f205a5f4f70064f2c0001faffa2c6e2bbec9efd880ab8f16cb9586acdeb5341", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Kerberos Traffic from Unusual Process", + "sha256": "1fe268f03a22f4fe8ba24b86ca8cd99917884f39b92761d8d1e16b440e8d6569", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Kerberos Traffic from Unusual Process", + "sha256": "9f205a5f4f70064f2c0001faffa2c6e2bbec9efd880ab8f16cb9586acdeb5341", + "type": "eql", + "version": 100 }, "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Command Prompt Network Connection", - "sha256": "59a5d1e0d72c62b3fc7912a7067eaaca424cbc50b4e63c75f51fc4ffb4421007", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Command Prompt Network Connection", - "sha256": "84fdbb4742f2acb8edc70958e3a9125b7e482b54f5c67b93d6bbf49a257dbe54", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Command Prompt Network Connection", + "sha256": "59a5d1e0d72c62b3fc7912a7067eaaca424cbc50b4e63c75f51fc4ffb4421007", + "type": "eql", + "version": 9 + } + }, 
+ "rule_name": "Command Prompt Network Connection", + "sha256": "84fdbb4742f2acb8edc70958e3a9125b7e482b54f5c67b93d6bbf49a257dbe54", + "type": "eql", + "version": 100 }, "89fa6cb7-6b53-4de2-b604-648488841ab8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "e39e5487a503cf505c04da8ed3950d7af41af80b4f115ded879c6444e77acca0", - "type": "query", - "version": 4 - } - }, - "rule_name": "Persistence via DirectoryService Plugin Modification", - "sha256": "96a0b0230fc9db59d3bbe901162cbb19f4c0898514b124c9d953865bc23d00ac", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via DirectoryService Plugin Modification", + "sha256": "e39e5487a503cf505c04da8ed3950d7af41af80b4f115ded879c6444e77acca0", + "type": "query", + "version": 4 + } + }, + "rule_name": "Persistence via DirectoryService Plugin Modification", + "sha256": "96a0b0230fc9db59d3bbe901162cbb19f4c0898514b124c9d953865bc23d00ac", + "type": "query", + "version": 100 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Setuid / Setgid Bit Set via chmod", - "sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c", - "type": "query", - "version": 8 - } - }, - "rule_name": "Setuid / Setgid Bit Set via chmod", - "sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Setuid / Setgid Bit Set via chmod", + "sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c", + "type": "query", + "version": 8 + } + }, + "rule_name": "Setuid / Setgid Bit Set via chmod", + "sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c", + "type": "query", + "version": 100 
}, "8a1d4831-3ce6-4859-9891-28931fa6101d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "a47d7783b08ae45cc48a096ac462b7ba64c071e4c726814bd2735c55d0b2291b", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Suspicious Execution from a Mounted Device", - "sha256": "a14388f014f4a6c633e0cc343258648222fd922ac09432bef340615503fa4136", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Execution from a Mounted Device", + "sha256": "a47d7783b08ae45cc48a096ac462b7ba64c071e4c726814bd2735c55d0b2291b", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Suspicious Execution from a Mounted Device", + "sha256": "a14388f014f4a6c633e0cc343258648222fd922ac09432bef340615503fa4136", + "type": "eql", + "version": 100 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "9ec0f9d2f6a790cc8b9a48259789ce126d9bc5b6f99c22ce8663bd21fe54ae13", - "type": "query", - "version": 7 - } - }, - "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "96efba52fe6cbf544a08722635a44c05c5cd7eb8c7d96bbd84a59de1856a7235", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "9ec0f9d2f6a790cc8b9a48259789ce126d9bc5b6f99c22ce8663bd21fe54ae13", + "type": "query", + "version": 7 + } + }, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "96efba52fe6cbf544a08722635a44c05c5cd7eb8c7d96bbd84a59de1856a7235", + "type": "query", + "version": 100 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious JAVA Child Process", - "sha256": 
"8c9d449f2d77918beb11a47ac69141e08ec8a0314266c3487cc5b7914f919d42", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Suspicious JAVA Child Process", - "sha256": "219a9bedef498436f26a9467c7d9398c0a8a656e2740e60d9768074407878031", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious JAVA Child Process", + "sha256": "8c9d449f2d77918beb11a47ac69141e08ec8a0314266c3487cc5b7914f919d42", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Suspicious JAVA Child Process", + "sha256": "219a9bedef498436f26a9467c7d9398c0a8a656e2740e60d9768074407878031", + "type": "eql", + "version": 100 }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "c0ff885682d6b3a8ec3a61fa4c7eb513fccf86a4e34a3689415a52bd739b8956", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "d28a3ed999a5ef5a95a6710b2f118f6bfbeb31aee477de537ec2854e09560190", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Executable File Creation with Multiple Extensions", + "sha256": "c0ff885682d6b3a8ec3a61fa4c7eb513fccf86a4e34a3689415a52bd739b8956", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Executable File Creation with Multiple Extensions", + "sha256": "d28a3ed999a5ef5a95a6710b2f118f6bfbeb31aee477de537ec2854e09560190", + "type": "eql", + "version": 100 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": "de11f1daa80d49b74fadb3068f2107bfd866a31171b32101127721fc105fd299", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Enable Host Network Discovery via Netsh", - "sha256": 
"73fa1cce891ee006c32650991843135e8c3b22297fcce1f98242f3b4f1d70504", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Enable Host Network Discovery via Netsh", + "sha256": "de11f1daa80d49b74fadb3068f2107bfd866a31171b32101127721fc105fd299", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Enable Host Network Discovery via Netsh", + "sha256": "73fa1cce891ee006c32650991843135e8c3b22297fcce1f98242f3b4f1d70504", + "type": "eql", + "version": 100 }, "8b64d36a-1307-4b2e-a77b-a0027e4d27c8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Kubernetes Events Deleted", - "sha256": "aaf8e61e49cd5a9a2ff6c9ac5d61ee70922bbd40d5e949421e3eb7c1957da874", - "type": "query", - "version": 7 - } - }, - "rule_name": "Azure Kubernetes Events Deleted", - "sha256": "44a51581dbc42a7f4e2970a5c54d8ba2c713d95e75fd6ddfecc281f479a5c5db", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Kubernetes Events Deleted", + "sha256": "aaf8e61e49cd5a9a2ff6c9ac5d61ee70922bbd40d5e949421e3eb7c1957da874", + "type": "query", + "version": 7 + } + }, + "rule_name": "Azure Kubernetes Events Deleted", + "sha256": "44a51581dbc42a7f4e2970a5c54d8ba2c713d95e75fd6ddfecc281f479a5c5db", + "type": "query", + "version": 100 }, "8c1bdde8-4204-45c0-9e0c-c85ca3902488": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "b6d7ad4ee2f11ab3ed8aa4bcee08a462a4b3aa3790ae27abd86cee6d921e3283", - "type": "query", - "version": 13 - }, - "8.2": { - "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": "e8b7d833a2cad5ad92e04ba43b572eb374e775daa2ec9fa71f72a4b5cad614ee", - "type": "query", - "version": 16 - } - }, - "rule_name": "RDP (Remote Desktop Protocol) from the Internet", - "sha256": 
"be36f608696a60e995e56d51f29baa67f2cd8c36c86cec71f6f5ff21c6d89d3f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 15, + "rule_name": "RDP (Remote Desktop Protocol) from the Internet", + "sha256": "b6d7ad4ee2f11ab3ed8aa4bcee08a462a4b3aa3790ae27abd86cee6d921e3283", + "type": "query", + "version": 13 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "RDP (Remote Desktop Protocol) from the Internet", + "sha256": "e8b7d833a2cad5ad92e04ba43b572eb374e775daa2ec9fa71f72a4b5cad614ee", + "type": "query", + "version": 16 + } + }, + "rule_name": "RDP (Remote Desktop Protocol) from the Internet", + "sha256": "be36f608696a60e995e56d51f29baa67f2cd8c36c86cec71f6f5ff21c6d89d3f", + "type": "query", + "version": 100 }, "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Child Process of dns.exe", - "sha256": "c05edecd41eae1c1e746556cd00877c32ee249c380954c34ee4f81b5facfbfc6", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Unusual Child Process of dns.exe", - "sha256": "9c404dc9b94bb1c1201ffebf5e20d6cc0efe55784bf9ddd376c74a252a141bfd", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Child Process of dns.exe", + "sha256": "c05edecd41eae1c1e746556cd00877c32ee249c380954c34ee4f81b5facfbfc6", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Unusual Child Process of dns.exe", + "sha256": "9c404dc9b94bb1c1201ffebf5e20d6cc0efe55784bf9ddd376c74a252a141bfd", + "type": "eql", + "version": 100 }, "8c81e506-6e82-4884-9b9a-75d3d252f967": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential SharpRDP Behavior", - "sha256": "307795e6c1dce173407f17f57c65d0c530dc24e20c18e78b37e93b7d5d78180b", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Potential SharpRDP Behavior", - "sha256": 
"7e7bbd2c569226b70cda6e733d18bfc562c365b277d44e266722b6098cead46a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential SharpRDP Behavior", + "sha256": "307795e6c1dce173407f17f57c65d0c530dc24e20c18e78b37e93b7d5d78180b", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Potential SharpRDP Behavior", + "sha256": "7e7bbd2c569226b70cda6e733d18bfc562c365b277d44e266722b6098cead46a", + "type": "eql", + "version": 100 }, "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Ransomware - Detected - Elastic Endgame", - "sha256": "8fba9c51ee81de527fa5ed0c36181b73cd00b2bbab183c0e26834e693659d001", - "type": "query", - "version": 10 - } - }, - "rule_name": "Ransomware - Detected - Elastic Endgame", - "sha256": "365dff69e83d18e0698a913577e00d9e8342b03e502853d5eda7de1dcf0bb907", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Ransomware - Detected - Elastic Endgame", + "sha256": "8fba9c51ee81de527fa5ed0c36181b73cd00b2bbab183c0e26834e693659d001", + "type": "query", + "version": 10 + } + }, + "rule_name": "Ransomware - Detected - Elastic Endgame", + "sha256": "365dff69e83d18e0698a913577e00d9e8342b03e502853d5eda7de1dcf0bb907", + "type": "query", + "version": 100 }, "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "8b35059e3e2c9c1cfabfbd9ae383daa10e26ff3840e20952d4805a3bdb73db8e", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Potential Privilege Escalation via PKEXEC", - "sha256": "223f8d3c41ecfe859e3acfb203079fc170fe27b1c4bd4a22c29947bf238f6e0e", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential 
Privilege Escalation via PKEXEC", + "sha256": "8b35059e3e2c9c1cfabfbd9ae383daa10e26ff3840e20952d4805a3bdb73db8e", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Potential Privilege Escalation via PKEXEC", + "sha256": "223f8d3c41ecfe859e3acfb203079fc170fe27b1c4bd4a22c29947bf238f6e0e", + "type": "eql", + "version": 100 }, "8ddab73b-3d15-4e5d-9413-47f05553c1d7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Automation Runbook Deleted", - "sha256": "c93cbe263234d1244103ea203ea11ca8c8bfedf4031665aee1d47cacc8de0ced", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Automation Runbook Deleted", - "sha256": "c75a4d4e912c35047aa88e39420ae638bfb0405fc11623f2798583bf1a78492e", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Automation Runbook Deleted", + "sha256": "c93cbe263234d1244103ea203ea11ca8c8bfedf4031665aee1d47cacc8de0ced", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Automation Runbook Deleted", + "sha256": "c75a4d4e912c35047aa88e39420ae638bfb0405fc11623f2798583bf1a78492e", + "type": "query", + "version": 100 }, "8f3e91c7-d791-4704-80a1-42c160d7aa27": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "d86d494f83bb131dff1bf75fc9fa8952846c3deae9f7e3d60f8446ce5d58f19e", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", - "sha256": "b12dee32921ca6ff7c7b390a19ac0d2ee3e7e956d2c1efba79587c42ebc20e7e", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Port Monitor or Print Processor Registration Abuse", + "sha256": "d86d494f83bb131dff1bf75fc9fa8952846c3deae9f7e3d60f8446ce5d58f19e", + "type": "eql", + "version": 4 + } + }, + 
"rule_name": "Potential Port Monitor or Print Processor Registration Abuse", + "sha256": "b12dee32921ca6ff7c7b390a19ac0d2ee3e7e956d2c1efba79587c42ebc20e7e", + "type": "eql", + "version": 100 }, "8f919d4b-a5af-47ca-a594-6be59cd924a4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "174652de3ab002293cc1eadd63c13f80a580f0b8310bc45a2ac6cfda75241c3d", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", - "sha256": "863c82226f43772f3533a4f83705f1cb95f11bc1167ee249118194ae6d742fcb", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", + "sha256": "174652de3ab002293cc1eadd63c13f80a580f0b8310bc45a2ac6cfda75241c3d", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", + "sha256": "863c82226f43772f3533a4f83705f1cb95f11bc1167ee249118194ae6d742fcb", + "type": "eql", + "version": 100 }, "8fb75dda-c47a-4e34-8ecd-34facf7aad13": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Service Account Deletion", - "sha256": "284ee563a01f7f29092045e4942635becdd0589c17ffe37a8c962b9ebfbffb3f", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Service Account Deletion", - "sha256": "d057eb6c8a3ff17bc8ab962565bc7a4f09b724c09fd6fd9feb05ac0ef07b6fe0", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Service Account Deletion", + "sha256": "284ee563a01f7f29092045e4942635becdd0589c17ffe37a8c962b9ebfbffb3f", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Service Account Deletion", + "sha256": 
"d057eb6c8a3ff17bc8ab962565bc7a4f09b724c09fd6fd9feb05ac0ef07b6fe0", + "type": "query", + "version": 100 }, "8fed8450-847e-43bd-874c-3bbf0cd425f3": { - "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", - "sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", + "sha256": "7e88fe635274dd47f23d744bd4b8fb482ab86c8b1b6db9434d64ab40c7edbb62", + "type": "eql", + "version": 100 }, "90169566-2260-4824-b8e4-8615c3b4ed52": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Hping Process Activity", - "sha256": "b67a5ad8438ca5f03153173607bd3e2f12cf73ba352e1f3d094c85dfc7c1e7c3", - "type": "query", - "version": 10 - } - }, - "rule_name": "Hping Process Activity", - "sha256": "00e01283ce7ee80900ef97b32f84db309d42d308bdaee6ed1ecc46212a47bc75", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Hping Process Activity", + "sha256": "b67a5ad8438ca5f03153173607bd3e2f12cf73ba352e1f3d094c85dfc7c1e7c3", + "type": "query", + "version": 10 + } + }, + "rule_name": "Hping Process Activity", + "sha256": "00e01283ce7ee80900ef97b32f84db309d42d308bdaee6ed1ecc46212a47bc75", + "type": "query", + "version": 100 }, "9055ece6-2689-4224-a0e0-b04881e1f8ad": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "97bd59f5a9a96e0511ded5a2da4b36c10c6d31ab327079de9f57d4e5d4a7c67c", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS Deletion of RDS Instance or Cluster", - "sha256": "fccbd85c5ef8509fcdf0af7ff50d8075a6de27f496059da1d4e794064128683d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Deletion of RDS Instance or Cluster", + "sha256": 
"97bd59f5a9a96e0511ded5a2da4b36c10c6d31ab327079de9f57d4e5d4a7c67c", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS Deletion of RDS Instance or Cluster", + "sha256": "fccbd85c5ef8509fcdf0af7ff50d8075a6de27f496059da1d4e794064128683d", + "type": "query", + "version": 100 }, "9092cd6c-650f-4fa3-8a8a-28256c7489c9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "ce59e6b81e04017b34df77cfe4c51e18af5013272bba925a081c6fb0ee665fa9", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Keychain Password Retrieval via Command Line", - "sha256": "bc1b529f9188d6b978a977217a53aa17210410e1741a348c6579d6f879fcfaff", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Keychain Password Retrieval via Command Line", + "sha256": "ce59e6b81e04017b34df77cfe4c51e18af5013272bba925a081c6fb0ee665fa9", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Keychain Password Retrieval via Command Line", + "sha256": "bc1b529f9188d6b978a977217a53aa17210410e1741a348c6579d6f879fcfaff", + "type": "eql", + "version": 100 }, "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { - "rule_name": "Auditd Login Attempt at Forbidden Time", - "sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad", - "type": "query", - "version": 100 + "rule_name": "Auditd Login Attempt at Forbidden Time", + "sha256": "0410b9e68a9f6e6086c24a72980f090d2a0e09ff9961adc13895613c2bb15cad", + "type": "query", + "version": 100 }, "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": "cc8b23dc9d3e030eed1a44e8cad432bb0390a7e48ee21309fc4343fb3dc2b463", - "type": "query", - "version": 10 - } - }, - "rule_name": "GCP Virtual Private Cloud Route Creation", - "sha256": 
"34a1db159c380f672b99ce5fa36d2d08d218ff0a52d4d7f61b049fed345154f4", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Virtual Private Cloud Route Creation", + "sha256": "cc8b23dc9d3e030eed1a44e8cad432bb0390a7e48ee21309fc4343fb3dc2b463", + "type": "query", + "version": 10 + } + }, + "rule_name": "GCP Virtual Private Cloud Route Creation", + "sha256": "34a1db159c380f672b99ce5fa36d2d08d218ff0a52d4d7f61b049fed345154f4", + "type": "query", + "version": 100 }, "91d04cd4-47a9-4334-ab14-084abe274d49": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "63de1e69153fc3e3aa0522cbbf59b284da031bdd9b6141e5cad92dbc5aa4277f", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS WAF Access Control List Deletion", - "sha256": "93a8abf17df4faa81fa3dcf2a4da451cf18650e46bb92662dabff5f425fab8cd", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS WAF Access Control List Deletion", + "sha256": "63de1e69153fc3e3aa0522cbbf59b284da031bdd9b6141e5cad92dbc5aa4277f", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS WAF Access Control List Deletion", + "sha256": "93a8abf17df4faa81fa3dcf2a4da451cf18650e46bb92662dabff5f425fab8cd", + "type": "query", + "version": 100 }, "91f02f01-969f-4167-8d77-07827ac4cee0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Web User Agent", - "sha256": "04f5138c01040d8e441e9dd1c46ec058c99e1aae3bc6bc217dc6ae2d1354b9ab", - "type": "machine_learning", - "version": 5 - } - }, - "rule_name": "Unusual Web User Agent", - "sha256": "04f5138c01040d8e441e9dd1c46ec058c99e1aae3bc6bc217dc6ae2d1354b9ab", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": 
"Unusual Web User Agent", + "sha256": "04f5138c01040d8e441e9dd1c46ec058c99e1aae3bc6bc217dc6ae2d1354b9ab", + "type": "machine_learning", + "version": 5 + } + }, + "rule_name": "Unusual Web User Agent", + "sha256": "04f5138c01040d8e441e9dd1c46ec058c99e1aae3bc6bc217dc6ae2d1354b9ab", + "type": "machine_learning", + "version": 100 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Web Request", - "sha256": "8ed90c2e6f751d96d7d953b317e17a7bd9fbe0af3d71eced67c8497f0e4652e9", - "type": "machine_learning", - "version": 5 - } - }, - "rule_name": "Unusual Web Request", - "sha256": "8ed90c2e6f751d96d7d953b317e17a7bd9fbe0af3d71eced67c8497f0e4652e9", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Web Request", + "sha256": "8ed90c2e6f751d96d7d953b317e17a7bd9fbe0af3d71eced67c8497f0e4652e9", + "type": "machine_learning", + "version": 5 + } + }, + "rule_name": "Unusual Web Request", + "sha256": "8ed90c2e6f751d96d7d953b317e17a7bd9fbe0af3d71eced67c8497f0e4652e9", + "type": "machine_learning", + "version": 100 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "DNS Tunneling", - "sha256": "875fae8098689680444090f64ddee11724bd70f2235662b4a3a3ded028769a89", - "type": "machine_learning", - "version": 5 - } - }, - "rule_name": "DNS Tunneling", - "sha256": "875fae8098689680444090f64ddee11724bd70f2235662b4a3a3ded028769a89", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "DNS Tunneling", + "sha256": "875fae8098689680444090f64ddee11724bd70f2235662b4a3a3ded028769a89", + "type": "machine_learning", + "version": 5 + } + }, + "rule_name": "DNS Tunneling", + "sha256": "875fae8098689680444090f64ddee11724bd70f2235662b4a3a3ded028769a89", + "type": 
"machine_learning", + "version": 100 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "077973b9dba0ebc75ab5c34f0b0075aa5b1517cd247e99e8b66588aadd499dc2", - "type": "query", - "version": 5 - } - }, - "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "7a748c5b733bb3376d6c9c0535838c0de1cf5effdfe0f3343404aed88a5a20e9", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", + "sha256": "077973b9dba0ebc75ab5c34f0b0075aa5b1517cd247e99e8b66588aadd499dc2", + "type": "query", + "version": 5 + } + }, + "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", + "sha256": "7a748c5b733bb3376d6c9c0535838c0de1cf5effdfe0f3343404aed88a5a20e9", + "type": "query", + "version": 100 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Sudoers File Modification", - "sha256": "05ff439f67984de234a47b20f014bdbbcef5f63a6cb769333c50dc9f71995478", - "type": "query", - "version": 9 - } - }, - "rule_name": "Sudoers File Modification", - "sha256": "746c04754fc565aeca79758d77314d0ef46c01a45ed9ab811fb72476ca97cdf6", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Sudoers File Modification", + "sha256": "05ff439f67984de234a47b20f014bdbbcef5f63a6cb769333c50dc9f71995478", + "type": "query", + "version": 9 + } + }, + "rule_name": "Sudoers File Modification", + "sha256": "746c04754fc565aeca79758d77314d0ef46c01a45ed9ab811fb72476ca97cdf6", + "type": "query", + "version": 100 }, "9395fd2c-9947-4472-86ef-4aceb2f7e872": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": 
"07653926c326ccebd08700b72fc84eaa740a6ba547802368f559a7d9aabca3aa", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS VPC Flow Logs Deletion", - "sha256": "6ee1d2e0528d3db2c17ac7633cecd1ae6680dd8e7ebeb17778114fda474dd8d8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS VPC Flow Logs Deletion", + "sha256": "07653926c326ccebd08700b72fc84eaa740a6ba547802368f559a7d9aabca3aa", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS VPC Flow Logs Deletion", + "sha256": "6ee1d2e0528d3db2c17ac7633cecd1ae6680dd8e7ebeb17778114fda474dd8d8", + "type": "query", + "version": 100 }, "93b22c0a-06a0-4131-b830-b10d5e166ff4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "4f928cce10435e844d606a37b9aabd2dc953c04bb8322a2a391ea2490c7a701a", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious SolarWinds Child Process", - "sha256": "c06d1b7e2037801fb0a08f1652feee62f12cfc5352b980ae9f22a33bc2b11b96", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious SolarWinds Child Process", + "sha256": "4f928cce10435e844d606a37b9aabd2dc953c04bb8322a2a391ea2490c7a701a", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious SolarWinds Child Process", + "sha256": "c06d1b7e2037801fb0a08f1652feee62f12cfc5352b980ae9f22a33bc2b11b96", + "type": "eql", + "version": 100 }, "93c1ce76-494c-4f01-8167-35edfb52f7b1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "1e955bf6b29adf56d2b56d5c217ced6c481af84fb549f5640325bd1d4eeebb65", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "e4e3fbfe5541801f14ee027a2cc2e56362676fee8a2785c86d5c7b1c0ed7f083", - 
"type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Encoded Executable Stored in the Registry", + "sha256": "1e955bf6b29adf56d2b56d5c217ced6c481af84fb549f5640325bd1d4eeebb65", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Encoded Executable Stored in the Registry", + "sha256": "e4e3fbfe5541801f14ee027a2cc2e56362676fee8a2785c86d5c7b1c0ed7f083", + "type": "eql", + "version": 100 }, "93e63c3e-4154-4fc6-9f86-b411e0987bbf": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "5ec1e79923aaa0e99aabed335419a6c200972553ebdd4d99139bdb5bee03c8e6", - "type": "query", - "version": 12 - }, - "8.0": { - "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "213d54562eb126f314c2a6e1a102b4d4987ee2333524f5466bcf10b27609a92e", - "type": "query", - "version": 15 - } - }, - "rule_name": "Google Workspace Admin Role Deletion", - "sha256": "aeae7ce32f48766371322897bfbc3da7e4c5c5b9c1f6d5f7221bad6887a9d88a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 14, + "rule_name": "Google Workspace Admin Role Deletion", + "sha256": "5ec1e79923aaa0e99aabed335419a6c200972553ebdd4d99139bdb5bee03c8e6", + "type": "query", + "version": 12 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "Google Workspace Admin Role Deletion", + "sha256": "213d54562eb126f314c2a6e1a102b4d4987ee2333524f5466bcf10b27609a92e", + "type": "query", + "version": 15 + } + }, + "rule_name": "Google Workspace Admin Role Deletion", + "sha256": "aeae7ce32f48766371322897bfbc3da7e4c5c5b9c1f6d5f7221bad6887a9d88a", + "type": "query", + "version": 100 }, "93f47b6f-5728-4004-ba00-625083b3dcb0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": 
"4cff5c6b85db6da429555825630fa7972dbb0f8ac152b594c6c107ec398cc9e3", - "type": "query", - "version": 4 - } - }, - "rule_name": "Modification of Standard Authentication Module or Configuration", - "sha256": "dd0ca369a9139acbeff7e2b85409159201385a84c6b9f5fa58d25f543b319251", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Modification of Standard Authentication Module or Configuration", + "sha256": "4cff5c6b85db6da429555825630fa7972dbb0f8ac152b594c6c107ec398cc9e3", + "type": "query", + "version": 4 + } + }, + "rule_name": "Modification of Standard Authentication Module or Configuration", + "sha256": "dd0ca369a9139acbeff7e2b85409159201385a84c6b9f5fa58d25f543b319251", + "type": "query", + "version": 100 }, "954ee7c8-5437-49ae-b2d6-2960883898e9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote Scheduled Task Creation", - "sha256": "6160a0f0792097e86209482cea32782afd35428338b00cb36c0fe15245637629", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Remote Scheduled Task Creation", - "sha256": "33f55756c5eb02716d08d9c2ba5fc6078a766a919114bf7029a0feb10b105993", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote Scheduled Task Creation", + "sha256": "6160a0f0792097e86209482cea32782afd35428338b00cb36c0fe15245637629", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Remote Scheduled Task Creation", + "sha256": "33f55756c5eb02716d08d9c2ba5fc6078a766a919114bf7029a0feb10b105993", + "type": "eql", + "version": 100 }, "959a7353-1129-4aa7-9084-30746b256a70": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", - "sha256": "214e7786508b17298b4d5e4ca8a3b769a671e4fd6ffcf746bb954095ec2d5bed", - "type": "query", - "version": 7 - } - }, - "rule_name": "PowerShell 
Suspicious Script with Screenshot Capabilities", - "sha256": "e19c44c1daf8561a8b42d913b3be8fc7f223a78bb20d2e3fe0370028cffd0e16", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", + "sha256": "214e7786508b17298b4d5e4ca8a3b769a671e4fd6ffcf746bb954095ec2d5bed", + "type": "query", + "version": 7 + } + }, + "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", + "sha256": "e19c44c1daf8561a8b42d913b3be8fc7f223a78bb20d2e3fe0370028cffd0e16", + "type": "query", + "version": 100 }, "968ccab9-da51-4a87-9ce2-d3c9782fd759": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "File made Immutable by Chattr", - "sha256": "ce1de12aa8f7582ef6d3d1846c6d640e0de6fa00d59ce5e60628804490b7c265", - "type": "eql", - "version": 3 - } - }, - "rule_name": "File made Immutable by Chattr", - "sha256": "e43f3cdc4bbdbe9e5728b6989019def26df9a8abd6120e021b94fcb8282d423a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "File made Immutable by Chattr", + "sha256": "ce1de12aa8f7582ef6d3d1846c6d640e0de6fa00d59ce5e60628804490b7c265", + "type": "eql", + "version": 3 + } + }, + "rule_name": "File made Immutable by Chattr", + "sha256": "e43f3cdc4bbdbe9e5728b6989019def26df9a8abd6120e021b94fcb8282d423a", + "type": "eql", + "version": 100 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Create Okta API Token", - "sha256": "f2d80ff8056ed1820ee12746dd418047054568b123e882fb2a027450fd44c366", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Create Okta API Token", - "sha256": "d37cf8c47114dfde946b80c362cb55a4511f183e64c1770ee19c2fe896040498", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": 
{ + "max_allowable_version": 99, + "rule_name": "Attempt to Create Okta API Token", + "sha256": "f2d80ff8056ed1820ee12746dd418047054568b123e882fb2a027450fd44c366", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Create Okta API Token", + "sha256": "d37cf8c47114dfde946b80c362cb55a4511f183e64c1770ee19c2fe896040498", + "type": "query", + "version": 100 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Access to Keychain Credentials Directories", - "sha256": "5aeb0b55e7b86fec78236620f91f77e61f892206e3119251b7aa12a048000ff7", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Access to Keychain Credentials Directories", - "sha256": "c81d0a4562879c82842a812bf15248c4c5347dbc0e8c8eb1c25f0025d7fa925b", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Access to Keychain Credentials Directories", + "sha256": "5aeb0b55e7b86fec78236620f91f77e61f892206e3119251b7aa12a048000ff7", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Access to Keychain Credentials Directories", + "sha256": "c81d0a4562879c82842a812bf15248c4c5347dbc0e8c8eb1c25f0025d7fa925b", + "type": "eql", + "version": 100 }, "97314185-2568-4561-ae81-f3e480e5e695": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "54ff733ee97e4a165dfd1039fd74be008bf78840b8c7659f031f10c84b5f8f3f", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", - "sha256": "6b0aee250c12113c8634c1a9b4bc83aa88487e2839f2ed15655cb69e22bf2eed", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "sha256": 
"54ff733ee97e4a165dfd1039fd74be008bf78840b8c7659f031f10c84b5f8f3f", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Exchange Anti-Phish Rule Modification", + "sha256": "6b0aee250c12113c8634c1a9b4bc83aa88487e2839f2ed15655cb69e22bf2eed", + "type": "query", + "version": 100 }, "97359fd8-757d-4b1d-9af1-ef29e4a8680e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "0ef7e8043ff95f5a35ab1e7a0dd0efc69ba23e525c478493718253f936751aed", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Storage Bucket Configuration Modification", - "sha256": "de65ba5837645ec6e9d4f0a7c27f6451405080ded9bd6648c1a1e4f886eebb30", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Storage Bucket Configuration Modification", + "sha256": "0ef7e8043ff95f5a35ab1e7a0dd0efc69ba23e525c478493718253f936751aed", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Storage Bucket Configuration Modification", + "sha256": "de65ba5837645ec6e9d4f0a7c27f6451405080ded9bd6648c1a1e4f886eebb30", + "type": "query", + "version": 100 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS SAML Activity", - "sha256": "812ed9f6bf5c927c2ba6b57066e8ccefe60290e47b5f0adeaf212f4e86625a23", - "type": "query", - "version": 5 - } - }, - "rule_name": "AWS SAML Activity", - "sha256": "8e49254aba6e970d5d329ec1049699b7f4bd30761722bf36b85fe29082c145bc", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS SAML Activity", + "sha256": "812ed9f6bf5c927c2ba6b57066e8ccefe60290e47b5f0adeaf212f4e86625a23", + "type": "query", + "version": 5 + } + }, + "rule_name": "AWS SAML Activity", + "sha256": 
"8e49254aba6e970d5d329ec1049699b7f4bd30761722bf36b85fe29082c145bc", + "type": "query", + "version": 100 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "6075a54140551e0fd7cc6593ecc1e93225ab830101e2e6f2a85aa8cc63d87e51", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "144ced09d087c3f09d76bfab1e7d3c1f57bdabdd49aa7ba0fe91571060a904e4", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Abuse of Repeated MFA Push Notifications", + "sha256": "6075a54140551e0fd7cc6593ecc1e93225ab830101e2e6f2a85aa8cc63d87e51", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential Abuse of Repeated MFA Push Notifications", + "sha256": "144ced09d087c3f09d76bfab1e7d3c1f57bdabdd49aa7ba0fe91571060a904e4", + "type": "eql", + "version": 100 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Zoom Child Process", - "sha256": "f77318af5a1db73ac10d7dbdfca459aa65435c32e3783ce7986396369e80b14e", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "a2e6e13672acfb9ae9fb203ba3af7a125acd7cc2b39b831d5dc6ec97ff9157d7", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Zoom Child Process", + "sha256": "f77318af5a1db73ac10d7dbdfca459aa65435c32e3783ce7986396369e80b14e", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Suspicious Zoom Child Process", + "sha256": "a2e6e13672acfb9ae9fb203ba3af7a125acd7cc2b39b831d5dc6ec97ff9157d7", + "type": "eql", + "version": 100 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { - "rule_name": "Linux Restricted Shell Breakout via the 
ssh command", - "sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via the ssh command", + "sha256": "835d5b35a441dd1e3abf0c3d4d19ef86039404014b487b05f77cf84e3690073f", + "type": "eql", + "version": 100 }, "97f22dab-84e8-409d-955e-dacd1d31670b": { - "rule_name": "Base64 Encoding/Decoding Activity", - "sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3", - "type": "query", - "version": 100 + "rule_name": "Base64 Encoding/Decoding Activity", + "sha256": "86fb84d8b0d3b72763c1f25b159b87869dedc4bbea83405c178c095c7f2e66f3", + "type": "query", + "version": 100 }, "97fc44d3-8dae-4019-ae83-298c3015600f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Startup or Run Key Registry Modification", - "sha256": "1827b7a04db141b503dcbe4bdd0c18468ccc43b937e02c76d1f2e7686d2b17ef", - "type": "eql", - "version": 7 - }, - "8.2": { - "rule_name": "Startup or Run Key Registry Modification", - "sha256": "d7812909f8d6b7f07a49520b790a1a5d653f213f6d542753f78f0d29e06b612c", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Startup or Run Key Registry Modification", - "sha256": "0102d2fbd56aff85e3f756c5d1dda370c666da7bfbd93d7b15df837a6af16425", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 9, + "rule_name": "Startup or Run Key Registry Modification", + "sha256": "1827b7a04db141b503dcbe4bdd0c18468ccc43b937e02c76d1f2e7686d2b17ef", + "type": "eql", + "version": 7 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "Startup or Run Key Registry Modification", + "sha256": "d7812909f8d6b7f07a49520b790a1a5d653f213f6d542753f78f0d29e06b612c", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Startup or Run Key Registry Modification", + "sha256": "0102d2fbd56aff85e3f756c5d1dda370c666da7bfbd93d7b15df837a6af16425", + "type": "eql", + "version": 100 }, 
"9890ee61-d061-403d-9bf6-64934c51f638": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "17a8ba105b28a2bef5fc9686588f3e87600600df80e9916169f33fbf80a5eb26", - "type": "query", - "version": 9 - } - }, - "rule_name": "GCP IAM Service Account Key Deletion", - "sha256": "04683dc2a0a34273c1d83c833ee0f3446ea94938f360c153b15449e70532f48f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP IAM Service Account Key Deletion", + "sha256": "17a8ba105b28a2bef5fc9686588f3e87600600df80e9916169f33fbf80a5eb26", + "type": "query", + "version": 9 + } + }, + "rule_name": "GCP IAM Service Account Key Deletion", + "sha256": "04683dc2a0a34273c1d83c833ee0f3446ea94938f360c153b15449e70532f48f", + "type": "query", + "version": 100 }, "98995807-5b09-4e37-8a54-5cae5dc932d7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "7e266e3832b65302b422074a36cfda15fc068b534841ee2e41230749f897d098", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", - "sha256": "bf052babf9f1e5b03d6a841458643cd5adb9fb5799db6ae1e3b70d73ba8e651a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", + "sha256": "7e266e3832b65302b422074a36cfda15fc068b534841ee2e41230749f897d098", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Exchange Management Group Role Assignment", + "sha256": "bf052babf9f1e5b03d6a841458643cd5adb9fb5799db6ae1e3b70d73ba8e651a", + "type": "query", + "version": 100 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS EC2 Snapshot Activity", 
- "sha256": "6e34ebc3b9fb35f0f03651ef649c19d89a83e00ad363000c7c13e4b320b85223", - "type": "query", - "version": 8 - } - }, - "rule_name": "AWS EC2 Snapshot Activity", - "sha256": "ecda50c10faaaf69bff555eee2e1e479aa355b2f6e740ac6960e21f796404cb6", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS EC2 Snapshot Activity", + "sha256": "6e34ebc3b9fb35f0f03651ef649c19d89a83e00ad363000c7c13e4b320b85223", + "type": "query", + "version": 8 + } + }, + "rule_name": "AWS EC2 Snapshot Activity", + "sha256": "ecda50c10faaaf69bff555eee2e1e479aa355b2f6e740ac6960e21f796404cb6", + "type": "query", + "version": 100 }, "990838aa-a953-4f3e-b3cb-6ddf7584de9e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Process Injection - Prevented - Elastic Endgame", - "sha256": "3026303e47b30c3d7908350f7a4909e7023eeef7c9604e3441805456e92606e4", - "type": "query", - "version": 10 - } - }, - "rule_name": "Process Injection - Prevented - Elastic Endgame", - "sha256": "9ab23922eb244147b8146766869d5af8629bcc869464c836e684ad7e387fafe8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Process Injection - Prevented - Elastic Endgame", + "sha256": "3026303e47b30c3d7908350f7a4909e7023eeef7c9604e3441805456e92606e4", + "type": "query", + "version": 10 + } + }, + "rule_name": "Process Injection - Prevented - Elastic Endgame", + "sha256": "9ab23922eb244147b8146766869d5af8629bcc869464c836e684ad7e387fafe8", + "type": "query", + "version": 100 }, "99239e7d-b0d4-46e3-8609-acafcf99f68c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "MacOS Installer Package Spawns Network Event", - "sha256": "612aeb08fb3d95a693c4e7b636be831969fe9f509515850d81f1c71057b17b76", - "type": "eql", - "version": 7 - } - }, - "rule_name": "MacOS Installer Package Spawns Network Event", - "sha256": 
"98f5d531bb0bef4a8e0f813f0867bfa395892ed7f1b0406e9cf8539bc36582e0", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "MacOS Installer Package Spawns Network Event", + "sha256": "612aeb08fb3d95a693c4e7b636be831969fe9f509515850d81f1c71057b17b76", + "type": "eql", + "version": 7 + } + }, + "rule_name": "MacOS Installer Package Spawns Network Event", + "sha256": "98f5d531bb0bef4a8e0f813f0867bfa395892ed7f1b0406e9cf8539bc36582e0", + "type": "eql", + "version": 100 }, "9960432d-9b26-409f-972b-839a959e79e2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "5e6eb76f79365f2c3e22451f0586b9f7f6f2b725c4025b9e23ef42da22c5f816", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Potential Credential Access via LSASS Memory Dump", - "sha256": "88d2c5f308cc28bcc031d965e8b50aa986c141f50bc673ba4f13d1ecdcfd9758", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Credential Access via LSASS Memory Dump", + "sha256": "5e6eb76f79365f2c3e22451f0586b9f7f6f2b725c4025b9e23ef42da22c5f816", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Potential Credential Access via LSASS Memory Dump", + "sha256": "88d2c5f308cc28bcc031d965e8b50aa986c141f50bc673ba4f13d1ecdcfd9758", + "type": "eql", + "version": 100 }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Spike in Failed Logon Events", - "sha256": "7e5b5594bdac57e03898b8c51949acf659ff2c63340b3ac26bd251c9f1556196", - "type": "machine_learning", - "version": 3 - } - }, - "rule_name": "Spike in Failed Logon Events", - "sha256": "7e5b5594bdac57e03898b8c51949acf659ff2c63340b3ac26bd251c9f1556196", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": 
{ + "max_allowable_version": 99, + "rule_name": "Spike in Failed Logon Events", + "sha256": "7e5b5594bdac57e03898b8c51949acf659ff2c63340b3ac26bd251c9f1556196", + "type": "machine_learning", + "version": 3 + } + }, + "rule_name": "Spike in Failed Logon Events", + "sha256": "7e5b5594bdac57e03898b8c51949acf659ff2c63340b3ac26bd251c9f1556196", + "type": "machine_learning", + "version": 100 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Endpoint Security", - "sha256": "35d86aa3177f1e13febf07e1a2921393a63e9661a1a326ef641997855f1eff09", - "type": "query", - "version": 5 - } - }, - "rule_name": "Endpoint Security", - "sha256": "7bf646bac0ffe227164e14b9c793a7b89d60415f2b09183abb46c9ec91dd99fd", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Endpoint Security", + "sha256": "35d86aa3177f1e13febf07e1a2921393a63e9661a1a326ef641997855f1eff09", + "type": "query", + "version": 5 + } + }, + "rule_name": "Endpoint Security", + "sha256": "7bf646bac0ffe227164e14b9c793a7b89d60415f2b09183abb46c9ec91dd99fd", + "type": "query", + "version": 100 }, "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Explorer Child Process", - "sha256": "a385464cd3b312a278a6ef28182942b3d46b348e577bccf6b6a8dc675fb8b5db", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious Explorer Child Process", - "sha256": "3e5a528e103efa698882556f4ed88d9486cdc710c282dcbc111ee1649f800b5c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Explorer Child Process", + "sha256": "a385464cd3b312a278a6ef28182942b3d46b348e577bccf6b6a8dc675fb8b5db", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious Explorer Child Process", + "sha256": 
"3e5a528e103efa698882556f4ed88d9486cdc710c282dcbc111ee1649f800b5c", + "type": "eql", + "version": 100 }, "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "c64956f19906b8c5f1dea22b70e30365ac8dbb583f6003a7793b3c41ca7da876", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Scheduled Tasks AT Command Enabled", - "sha256": "ef6c8c55cdc8943049e6041daeb1fc99ac07f953f19b551643253e8fbf8135c5", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Scheduled Tasks AT Command Enabled", + "sha256": "c64956f19906b8c5f1dea22b70e30365ac8dbb583f6003a7793b3c41ca7da876", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Scheduled Tasks AT Command Enabled", + "sha256": "ef6c8c55cdc8943049e6041daeb1fc99ac07f953f19b551643253e8fbf8135c5", + "type": "eql", + "version": 100 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via WMI Event Subscription", - "sha256": "914798e110d1bb31c1ab9703cc0b301c3f7df6714b71152e6760473b06e849e1", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Persistence via WMI Event Subscription", - "sha256": "a6dfa186d02163c2d134c0d208d5b58cf4029da56afcf4d70dd221b86240d4e6", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via WMI Event Subscription", + "sha256": "914798e110d1bb31c1ab9703cc0b301c3f7df6714b71152e6760473b06e849e1", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Persistence via WMI Event Subscription", + "sha256": "a6dfa186d02163c2d134c0d208d5b58cf4029da56afcf4d70dd221b86240d4e6", + "type": "eql", + "version": 100 }, "9c260313-c811-4ec8-ab89-8f6530e0246c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Hosts File 
Modified", - "sha256": "7781b8fa8e3efcefff36f16dedd64ea47131e917b9a753e61c95f86427a03d06", - "type": "eql", - "version": 8 - }, - "8.2": { - "rule_name": "Hosts File Modified", - "sha256": "9d05191a051ba7015c7eba4ce4c876bb0200bbdec3739b249c89f1ce4a60eb99", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Hosts File Modified", - "sha256": "4273fb3ba5f1cf4615c6884ae41611939288cb47837b3a7bf3a8e783523e6399", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 11, + "rule_name": "Hosts File Modified", + "sha256": "7781b8fa8e3efcefff36f16dedd64ea47131e917b9a753e61c95f86427a03d06", + "type": "eql", + "version": 8 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "Hosts File Modified", + "sha256": "9d05191a051ba7015c7eba4ce4c876bb0200bbdec3739b249c89f1ce4a60eb99", + "type": "eql", + "version": 12 + } + }, + "rule_name": "Hosts File Modified", + "sha256": "4273fb3ba5f1cf4615c6884ae41611939288cb47837b3a7bf3a8e783523e6399", + "type": "eql", + "version": 100 }, "9ccf3ce0-0057-440a-91f5-870c6ad39093": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "c21df2d07d7f4513ea3c3fd1f60a19ce8dae6d618d45e58cce1d5fe045a5b1dc", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Command Shell Activity Started via RunDLL32", - "sha256": "781600e7729464fbe081f95645735a242176d063824f68bf455d85d748d47d59", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Command Shell Activity Started via RunDLL32", + "sha256": "c21df2d07d7f4513ea3c3fd1f60a19ce8dae6d618d45e58cce1d5fe045a5b1dc", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Command Shell Activity Started via RunDLL32", + "sha256": "781600e7729464fbe081f95645735a242176d063824f68bf455d85d748d47d59", + "type": "eql", + "version": 100 }, 
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { - "rule_name": "Trusted Developer Application Usage", - "sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349", - "type": "query", - "version": 100 + "rule_name": "Trusted Developer Application Usage", + "sha256": "01562e377ae2b4b0c607fb9d5776d0d78e0c2452bfd0ec90c08ff9f99499e349", + "type": "query", + "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "6f39bcd147321071e27d48d6ee2bc4fcfdb4c5920d0bfa506839c1a81d1ac606", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Microsoft Build Engine Started by a Script Process", - "sha256": "471cc585d9f8ced69466e297ae4f61b9e58ee967a30e25221d97cacf9aa50d3b", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft Build Engine Started by a Script Process", + "sha256": "6f39bcd147321071e27d48d6ee2bc4fcfdb4c5920d0bfa506839c1a81d1ac606", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Microsoft Build Engine Started by a Script Process", + "sha256": "471cc585d9f8ced69466e297ae4f61b9e58ee967a30e25221d97cacf9aa50d3b", + "type": "eql", + "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "4cd8a6a7070860dbcf09cdc8a2d07796dbbbaba7c4bc67393e3a5868713f6a0e", - "type": "eql", - "version": 13 - } - }, - "rule_name": "Microsoft Build Engine Started by a System Process", - "sha256": "d7934b4d043fcf05073bb18ede97a1177401869f290fa7c7e7db5e66b829d26a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft Build Engine Started by a System Process", + "sha256": 
"4cd8a6a7070860dbcf09cdc8a2d07796dbbbaba7c4bc67393e3a5868713f6a0e", + "type": "eql", + "version": 13 + } + }, + "rule_name": "Microsoft Build Engine Started by a System Process", + "sha256": "d7934b4d043fcf05073bb18ede97a1177401869f290fa7c7e7db5e66b829d26a", + "type": "eql", + "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "0aac0eff739e989b3935785a5d9ae953c258b7e29f1dfd87cc6d1b2e06845792", - "type": "eql", - "version": 13 - } - }, - "rule_name": "Microsoft Build Engine Using an Alternate Name", - "sha256": "06d7b068228fbe3b6b0a3b3a08696d011df932e353d6f91ba85d9212ed3b97da", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft Build Engine Using an Alternate Name", + "sha256": "0aac0eff739e989b3935785a5d9ae953c258b7e29f1dfd87cc6d1b2e06845792", + "type": "eql", + "version": 13 + } + }, + "rule_name": "Microsoft Build Engine Using an Alternate Name", + "sha256": "06d7b068228fbe3b6b0a3b3a08696d011df932e353d6f91ba85d9212ed3b97da", + "type": "eql", + "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "99f644d483aa7e62b116154134e64f342c68588a7e3cf31ec99fa65d355023f3", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Potential Credential Access via Trusted Developer Utility", - "sha256": "b9155f6228e4b16765bf38a9cfda819d204181f27c57a23d9596f20e3864fb69", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Credential Access via Trusted Developer Utility", + "sha256": "99f644d483aa7e62b116154134e64f342c68588a7e3cf31ec99fa65d355023f3", + "type": "eql", + "version": 12 + } + }, + 
"rule_name": "Potential Credential Access via Trusted Developer Utility", + "sha256": "b9155f6228e4b16765bf38a9cfda819d204181f27c57a23d9596f20e3864fb69", + "type": "eql", + "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "ddd272c7d3025a013cf7b4ff887e8d46913babdb205c31eb9e273a99c32f11ff", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Microsoft Build Engine Started an Unusual Process", - "sha256": "85caae5e6133b35e3c9c96a9a78614f5e463243a06de92ef85ed835c67741173", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft Build Engine Started an Unusual Process", + "sha256": "ddd272c7d3025a013cf7b4ff887e8d46913babdb205c31eb9e273a99c32f11ff", + "type": "eql", + "version": 12 + } + }, + "rule_name": "Microsoft Build Engine Started an Unusual Process", + "sha256": "85caae5e6133b35e3c9c96a9a78614f5e463243a06de92ef85ed835c67741173", + "type": "eql", + "version": 100 }, "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "f8c58299787763270b2017db703e128e0ac183a555ebf4bb1de27ec2df22c46b", - "type": "query", - "version": 7 - } - }, - "rule_name": "Process Injection by the Microsoft Build Engine", - "sha256": "bb5a421f93153184544c9cb9f4a30cd1131cf22ec8a8c86860b37ac1a0246faf", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Process Injection by the Microsoft Build Engine", + "sha256": "f8c58299787763270b2017db703e128e0ac183a555ebf4bb1de27ec2df22c46b", + "type": "query", + "version": 7 + } + }, + "rule_name": "Process Injection by the Microsoft Build Engine", + "sha256": 
"bb5a421f93153184544c9cb9f4a30cd1131cf22ec8a8c86860b37ac1a0246faf", + "type": "query", + "version": 100 }, "9d19ece6-c20e-481a-90c5-ccca596537de": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", - "sha256": "07200d6320009773c3e6531cd1c9c52f580218018e9ed04ebed4dce43a451862", - "type": "eql", - "version": 7 - } - }, - "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", - "sha256": "231ac00d34eed1edd30b109b9b86023f5bfe75192295b0a6a58f006642e8f1c3", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", + "sha256": "07200d6320009773c3e6531cd1c9c52f580218018e9ed04ebed4dce43a451862", + "type": "eql", + "version": 7 + } + }, + "rule_name": "LaunchDaemon Creation or Modification and Immediate Loading", + "sha256": "231ac00d34eed1edd30b109b9b86023f5bfe75192295b0a6a58f006642e8f1c3", + "type": "eql", + "version": 100 }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "939fb37f3245d63c1e25753987fcf1b542e5e60e2f84d4dc26226d40be958420", - "type": "machine_learning", - "version": 3 - } - }, - "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "9243ab3c932d9d5e3c214eaa2b7e38d098a5449a40b12f7e500b06c542217a95", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Linux Process Calling the Metadata Service", + "sha256": "939fb37f3245d63c1e25753987fcf1b542e5e60e2f84d4dc26226d40be958420", + "type": "machine_learning", + "version": 3 + } + }, + "rule_name": "Unusual Linux Process Calling the Metadata Service", + "sha256": 
"9243ab3c932d9d5e3c214eaa2b7e38d098a5449a40b12f7e500b06c542217a95", + "type": "machine_learning", + "version": 100 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "ec8cfaef587d9072c573177fac91a6ab6d196e321bfb0d0f785e0d70aa0782ac", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential Protocol Tunneling via EarthWorm", - "sha256": "4db70af1b033320b7eae92f920938b910eede028506cb5b5799c768de3050760", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Protocol Tunneling via EarthWorm", + "sha256": "ec8cfaef587d9072c573177fac91a6ab6d196e321bfb0d0f785e0d70aa0782ac", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential Protocol Tunneling via EarthWorm", + "sha256": "4db70af1b033320b7eae92f920938b910eede028506cb5b5799c768de3050760", + "type": "eql", + "version": 100 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Credential Access via DCSync", - "sha256": "345ac7678d26ee9d3db9adf2161f06a608f43a368ecb4f865a886d5ff757e776", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Potential Credential Access via DCSync", - "sha256": "1de2b45a29f2d8c8e67b319082ac51b835fe7f2122a80d9760652d4c5aa9811c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Credential Access via DCSync", + "sha256": "345ac7678d26ee9d3db9adf2161f06a608f43a368ecb4f865a886d5ff757e776", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Potential Credential Access via DCSync", + "sha256": "1de2b45a29f2d8c8e67b319082ac51b835fe7f2122a80d9760652d4c5aa9811c", + "type": "eql", + "version": 100 }, "9f9a2a82-93a8-4b1a-8778-1780895626d4": { - "min_stack_version": "8.3", - "previous": 
{ - "7.16": { - "rule_name": "File Permission Modification in Writable Directory", - "sha256": "16cfbbcd52c7b8f485e51e3cad277ee20e1a5a59a61059cb884a61e67cc8ba1b", - "type": "query", - "version": 8 - } - }, - "rule_name": "File Permission Modification in Writable Directory", - "sha256": "481ef8a8984ed57c4209a5c825a9d953d88cbaf2ab24415e1aa5d40e9fb25f6a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "File Permission Modification in Writable Directory", + "sha256": "16cfbbcd52c7b8f485e51e3cad277ee20e1a5a59a61059cb884a61e67cc8ba1b", + "type": "query", + "version": 8 + } + }, + "rule_name": "File Permission Modification in Writable Directory", + "sha256": "481ef8a8984ed57c4209a5c825a9d953d88cbaf2ab24415e1aa5d40e9fb25f6a", + "type": "query", + "version": 100 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Access Secret in Secrets Manager", - "sha256": "6d7151b8ae711435d5a3f87fe51fab04baafb6d64e43e891e98e48fea42f82a8", - "type": "query", - "version": 8 - } - }, - "rule_name": "AWS Access Secret in Secrets Manager", - "sha256": "138de80e62be7147988a45f810692ce217f563b1c3af65ba80456ed8a5008d17", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Access Secret in Secrets Manager", + "sha256": "6d7151b8ae711435d5a3f87fe51fab04baafb6d64e43e891e98e48fea42f82a8", + "type": "query", + "version": 8 + } + }, + "rule_name": "AWS Access Secret in Secrets Manager", + "sha256": "138de80e62be7147988a45f810692ce217f563b1c3af65ba80456ed8a5008d17", + "type": "query", + "version": 100 }, "a10d3d9d-0f65-48f1-8b25-af175e2594f5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "9e2336e7a793399d9b836af7281b3eee3150e556a4bf5f63b72503db1467bfb5", - "type": "query", - 
"version": 9 - } - }, - "rule_name": "GCP Pub/Sub Topic Creation", - "sha256": "ed779b2ab909845631b9060f9683929d4328e5d6adff9fbde0fd678e51558675", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Pub/Sub Topic Creation", + "sha256": "9e2336e7a793399d9b836af7281b3eee3150e556a4bf5f63b72503db1467bfb5", + "type": "query", + "version": 9 + } + }, + "rule_name": "GCP Pub/Sub Topic Creation", + "sha256": "ed779b2ab909845631b9060f9683929d4328e5d6adff9fbde0fd678e51558675", + "type": "query", + "version": 100 }, "a13167f1-eec2-4015-9631-1fee60406dcf": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "49819033aefa5809fe297a7693313d5736b3dd7f1cf9c75b6e2d3bf510ff6379", - "type": "eql", - "version": 7 - } - }, - "rule_name": "InstallUtil Process Making Network Connections", - "sha256": "266648378533ee95c0729e51434e6bd48677358c8a1847eecaebe1024ae1c6bf", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "InstallUtil Process Making Network Connections", + "sha256": "49819033aefa5809fe297a7693313d5736b3dd7f1cf9c75b6e2d3bf510ff6379", + "type": "eql", + "version": 7 + } + }, + "rule_name": "InstallUtil Process Making Network Connections", + "sha256": "266648378533ee95c0729e51434e6bd48677358c8a1847eecaebe1024ae1c6bf", + "type": "eql", + "version": 100 }, "a1329140-8de3-4445-9f87-908fb6d824f4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "File Deletion via Shred", - "sha256": "f593f43ce7a9f78b7f49de94fbed61766e76d7721abd4ccc86f7b6f4f8edcb4f", - "type": "query", - "version": 9 - } - }, - "rule_name": "File Deletion via Shred", - "sha256": "801e2c323c982dd5593002ab0b55be430898c3a39a55cbbea3763a78e72b4c9a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + 
"7.16": { + "max_allowable_version": 99, + "rule_name": "File Deletion via Shred", + "sha256": "f593f43ce7a9f78b7f49de94fbed61766e76d7721abd4ccc86f7b6f4f8edcb4f", + "type": "query", + "version": 9 + } + }, + "rule_name": "File Deletion via Shred", + "sha256": "801e2c323c982dd5593002ab0b55be430898c3a39a55cbbea3763a78e72b4c9a", + "type": "query", + "version": 100 }, "a16612dd-b30e-4d41-86a0-ebe70974ec00": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "5555c7321afa2efb68bb89aa1d082f8724038437b936b26bb609f2993898d85d", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", - "sha256": "cecd8b378d90ff1e7057c45ccaf832fc9744bc8f3776deb97f2c47f3570688a3", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", + "sha256": "5555c7321afa2efb68bb89aa1d082f8724038437b936b26bb609f2993898d85d", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", + "sha256": "cecd8b378d90ff1e7057c45ccaf832fc9744bc8f3776deb97f2c47f3570688a3", + "type": "eql", + "version": 100 }, "a17bcc91-297b-459b-b5ce-bc7460d8f82a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "b5ac65a63f581957f074015ba818a2b1dd5427f1195bdeea848eb558cf8bf62a", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Virtual Private Cloud Route Deletion", - "sha256": "e7fff6d6243de145ee5903dea17c42c8e6503e87b9de5941f5619da8e6e41b1c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Virtual Private Cloud Route Deletion", + "sha256": 
"b5ac65a63f581957f074015ba818a2b1dd5427f1195bdeea848eb558cf8bf62a", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Virtual Private Cloud Route Deletion", + "sha256": "e7fff6d6243de145ee5903dea17c42c8e6503e87b9de5941f5619da8e6e41b1c", + "type": "query", + "version": 100 }, "a1a0375f-22c2-48c0-81a4-7c2d11cc6856": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "2791d8f9a164a800f5e848c702d3ab0456c8298a4ce580e944cc05531deabe31", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential Reverse Shell Activity via Terminal", - "sha256": "2d2d26e1e48f6957ee35a58ab1f10896e7431ccd2fcb5eae32e4a78cc8872927", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Reverse Shell Activity via Terminal", + "sha256": "2791d8f9a164a800f5e848c702d3ab0456c8298a4ce580e944cc05531deabe31", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential Reverse Shell Activity via Terminal", + "sha256": "2d2d26e1e48f6957ee35a58ab1f10896e7431ccd2fcb5eae32e4a78cc8872927", + "type": "eql", + "version": 100 }, "a22a09c2-2162-4df0-a356-9aacbeb56a04": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "1e40e74617b19ed7c7e61596961acef067e9aa8e925c41d24e23055b29940180", - "type": "eql", - "version": 6 - } - }, - "rule_name": "DNS-over-HTTPS Enabled via Registry", - "sha256": "bb8d136a1a37fe63e46a4b01dad61dfe6aa7a432add04d5ce631c8e76d26aa14", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "DNS-over-HTTPS Enabled via Registry", + "sha256": "1e40e74617b19ed7c7e61596961acef067e9aa8e925c41d24e23055b29940180", + "type": "eql", + "version": 6 + } + }, + "rule_name": "DNS-over-HTTPS Enabled via Registry", + "sha256": 
"bb8d136a1a37fe63e46a4b01dad61dfe6aa7a432add04d5ce631c8e76d26aa14", + "type": "eql", + "version": 100 }, "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution via local SxS Shared Module", - "sha256": "046dfc582f23167ace33f512ae4ba61f612f57fc61790894f76d786f60f8ba97", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Execution via local SxS Shared Module", - "sha256": "a4ffef52c49a8018f8c68b0bec5c62af6349a374edc32872c7f6b70907732002", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution via local SxS Shared Module", + "sha256": "046dfc582f23167ace33f512ae4ba61f612f57fc61790894f76d786f60f8ba97", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Execution via local SxS Shared Module", + "sha256": "a4ffef52c49a8018f8c68b0bec5c62af6349a374edc32872c7f6b70907732002", + "type": "eql", + "version": 100 }, "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "80d3c23f3267aac09f575e38679ce6ab8784d74f599a8ec2897a6a4bcde48932", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Windows Registry File Creation in SMB Share", - "sha256": "af1f6b1139386f2e329657d551701f981f64318017ff59baf4c6e63c73e325d9", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Windows Registry File Creation in SMB Share", + "sha256": "80d3c23f3267aac09f575e38679ce6ab8784d74f599a8ec2897a6a4bcde48932", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Windows Registry File Creation in SMB Share", + "sha256": "af1f6b1139386f2e329657d551701f981f64318017ff59baf4c6e63c73e325d9", + "type": "eql", + "version": 100 }, "a4ec1382-4557-452b-89ba-e413b22ed4b8": { - "rule_name": "Network Connection via Mshta", - 
"sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17", - "type": "eql", - "version": 100 + "rule_name": "Network Connection via Mshta", + "sha256": "233377abf3f67401dc4208d28639241ca34ed38ba30aa4037251b1274fa5bd17", + "type": "eql", + "version": 100 }, "a60326d7-dca7-4fb7-93eb-1ca03a1febbd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "e2f36dfdc3de9b8ddc22f7495e8eb3580b8b1ec1da46bf8d928c199b6aff8d0e", - "type": "query", - "version": 8 - } - }, - "rule_name": "AWS IAM Assume Role Policy Update", - "sha256": "b05d32d0c6917831ae121d26c799bac883c5dbaf6f3f4396dbf212d1262fd729", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS IAM Assume Role Policy Update", + "sha256": "e2f36dfdc3de9b8ddc22f7495e8eb3580b8b1ec1da46bf8d928c199b6aff8d0e", + "type": "query", + "version": 8 + } + }, + "rule_name": "AWS IAM Assume Role Policy Update", + "sha256": "b05d32d0c6917831ae121d26c799bac883c5dbaf6f3f4396dbf212d1262fd729", + "type": "query", + "version": 100 }, "a605c51a-73ad-406d-bf3a-f24cc41d5c97": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Active Directory PowerShell Sign-in", - "sha256": "15f50bdcf18bdc3641481a853f0e2fc7fbe8c854fb6d2d87f02df72ff951989b", - "type": "query", - "version": 7 - } - }, - "rule_name": "Azure Active Directory PowerShell Sign-in", - "sha256": "1a3022edabbf5b967f93873de55b070b0ad03acfe0e64efce9c54ea1600f131a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Active Directory PowerShell Sign-in", + "sha256": "15f50bdcf18bdc3641481a853f0e2fc7fbe8c854fb6d2d87f02df72ff951989b", + "type": "query", + "version": 7 + } + }, + "rule_name": "Azure Active Directory PowerShell Sign-in", + "sha256": 
"1a3022edabbf5b967f93873de55b070b0ad03acfe0e64efce9c54ea1600f131a", + "type": "query", + "version": 100 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious MS Office Child Process", - "sha256": "e7b0b665d598b698f1d35c1ac96720ec586a4c822557256efcea65f282b86cb6", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Suspicious MS Office Child Process", - "sha256": "420c494d9ba2785bfc5f3d7c42cc41c6c5407d8fa9a1e43c4e1e8736c6d673a6", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious MS Office Child Process", + "sha256": "e7b0b665d598b698f1d35c1ac96720ec586a4c822557256efcea65f282b86cb6", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Suspicious MS Office Child Process", + "sha256": "420c494d9ba2785bfc5f3d7c42cc41c6c5407d8fa9a1e43c4e1e8736c6d673a6", + "type": "eql", + "version": 100 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Emond Rules Creation or Modification", - "sha256": "bc7c01fa88f13cae39e43bc396abec202e2b39eb703151c6658fff5bf9e10990", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Emond Rules Creation or Modification", - "sha256": "ca4522efa05af46f5c2d15dce8afad5428e8f9286f6e069e3ab6de47a4b1d518", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Emond Rules Creation or Modification", + "sha256": "bc7c01fa88f13cae39e43bc396abec202e2b39eb703151c6658fff5bf9e10990", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Emond Rules Creation or Modification", + "sha256": "ca4522efa05af46f5c2d15dce8afad5428e8f9286f6e069e3ab6de47a4b1d518", + "type": "eql", + "version": 100 }, "a7ccae7b-9d2c-44b2-a061-98e5946971fa": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious 
PrintSpooler SPL File Created", - "sha256": "c90974ac2dccaf21eef2a449d1974be7945e5716d893050f5f5f707fb76bd13e", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious PrintSpooler SPL File Created", - "sha256": "0c834aa122c687f0bf64b255ca5bb7a8985fdbdacb382132f33c2a85fb9c9623", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious PrintSpooler SPL File Created", + "sha256": "c90974ac2dccaf21eef2a449d1974be7945e5716d893050f5f5f707fb76bd13e", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious PrintSpooler SPL File Created", + "sha256": "0c834aa122c687f0bf64b255ca5bb7a8985fdbdacb382132f33c2a85fb9c9623", + "type": "eql", + "version": 100 }, "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "bef335b8bcaff439fbf5df2b472483b38387be36ac81045d5ee346a6b34930d3", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Credential Acquisition via Registry Hive Dumping", - "sha256": "e88078808ef1cb74258d5e45d00597dac0c94a3f8c88f56648d25f0deb6ebf97", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Credential Acquisition via Registry Hive Dumping", + "sha256": "bef335b8bcaff439fbf5df2b472483b38387be36ac81045d5ee346a6b34930d3", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Credential Acquisition via Registry Hive Dumping", + "sha256": "e88078808ef1cb74258d5e45d00597dac0c94a3f8c88f56648d25f0deb6ebf97", + "type": "eql", + "version": 100 }, "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": "1f59c0bfab965460c7fea8706f18a0768cca899c0403ed1110a2d274c6727b1a", - "type": "query", - "version": 10 - } - 
}, - "rule_name": "Web Application Suspicious Activity: POST Request Declined", - "sha256": "6dc0831da214e7f4439b66554c58008ae27a2bb42833b0eac6cdea43a111c751", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Web Application Suspicious Activity: POST Request Declined", + "sha256": "1f59c0bfab965460c7fea8706f18a0768cca899c0403ed1110a2d274c6727b1a", + "type": "query", + "version": 10 + } + }, + "rule_name": "Web Application Suspicious Activity: POST Request Declined", + "sha256": "6dc0831da214e7f4439b66554c58008ae27a2bb42833b0eac6cdea43a111c751", + "type": "query", + "version": 100 }, "a9198571-b135-4a76-b055-e3e5a476fd83": { - "rule_name": "Hex Encoding/Decoding Activity", - "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf", - "type": "query", - "version": 100 + "rule_name": "Hex Encoding/Decoding Activity", + "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf", + "type": "query", + "version": 100 }, "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "8bcb179876e491dc57dcb74d2471a21b560fabcada15d9c803e602b45a1e1e70", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", - "sha256": "0fa1301934edafb9577c165beb4d2f30393a0fe81a044fda94de91e7c9eab302", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "sha256": "8bcb179876e491dc57dcb74d2471a21b560fabcada15d9c803e602b45a1e1e70", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Exchange Safe Link Policy Disabled", + "sha256": "0fa1301934edafb9577c165beb4d2f30393a0fe81a044fda94de91e7c9eab302", + "type": "query", + "version": 100 }, 
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Google Workspace Password Policy Modified", - "sha256": "c6815b312e514dde1e95bfba50fc831bfbdd71cde761c45cff9928ddd5251005", - "type": "query", - "version": 13 - }, - "8.0": { - "rule_name": "Google Workspace Password Policy Modified", - "sha256": "c4909172dfd50108f0abed3aba686e685089632adfc228255d684fb7b32e2c7d", - "type": "query", - "version": 16 - } - }, - "rule_name": "Google Workspace Password Policy Modified", - "sha256": "15915846907d1997c423e70f43245b842918bc67bf24503e76a20897f6cdadf0", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 15, + "rule_name": "Google Workspace Password Policy Modified", + "sha256": "c6815b312e514dde1e95bfba50fc831bfbdd71cde761c45cff9928ddd5251005", + "type": "query", + "version": 13 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "Google Workspace Password Policy Modified", + "sha256": "c4909172dfd50108f0abed3aba686e685089632adfc228255d684fb7b32e2c7d", + "type": "query", + "version": 16 + } + }, + "rule_name": "Google Workspace Password Policy Modified", + "sha256": "15915846907d1997c423e70f43245b842918bc67bf24503e76a20897f6cdadf0", + "type": "query", + "version": 100 }, "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "0961c6edc3675ce139252e031dda275f7c2713ef3d76bfa44040aefb2afa7efc", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Persistence via Hidden Run Key Detected", - "sha256": "f0f8cdb52a52a12089e7390724cc44bee3445821c663cc35e2a63f065df204c8", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via Hidden Run Key Detected", + "sha256": 
"0961c6edc3675ce139252e031dda275f7c2713ef3d76bfa44040aefb2afa7efc", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Persistence via Hidden Run Key Detected", + "sha256": "f0f8cdb52a52a12089e7390724cc44bee3445821c663cc35e2a63f065df204c8", + "type": "eql", + "version": 100 }, "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "f3e51f33c8c8fda2a728a1e73185ef757441a7a1fe4d4c7e057ba1ba00e8fd4c", - "type": "query", - "version": 10 - } - }, - "rule_name": "IPSEC NAT Traversal Port Activity", - "sha256": "9514b2ab490981c6da52e14c7e684b707df17a30ee85bd55cf7aa8ec16abef5d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "IPSEC NAT Traversal Port Activity", + "sha256": "f3e51f33c8c8fda2a728a1e73185ef757441a7a1fe4d4c7e057ba1ba00e8fd4c", + "type": "query", + "version": 10 + } + }, + "rule_name": "IPSEC NAT Traversal Port Activity", + "sha256": "9514b2ab490981c6da52e14c7e684b707df17a30ee85bd55cf7aa8ec16abef5d", + "type": "query", + "version": 100 }, "aa8007f0-d1df-49ef-8520-407857594827": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP IAM Custom Role Creation", - "sha256": "04d6d20db9c8c8bbd98a77b090067d46efc0d6091ef0abe5e63bb6798f7c803c", - "type": "query", - "version": 9 - } - }, - "rule_name": "GCP IAM Custom Role Creation", - "sha256": "294bf4b8d61d9f3874898e9fef36d04a79dd0134a0b5480a4aa51c49613ffe49", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP IAM Custom Role Creation", + "sha256": "04d6d20db9c8c8bbd98a77b090067d46efc0d6091ef0abe5e63bb6798f7c803c", + "type": "query", + "version": 9 + } + }, + "rule_name": "GCP IAM Custom Role Creation", + "sha256": "294bf4b8d61d9f3874898e9fef36d04a79dd0134a0b5480a4aa51c49613ffe49", + "type": 
"query", + "version": 100 }, "aa895aea-b69c-4411-b110-8d7599634b30": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "System Log File Deletion", - "sha256": "32f9c84c5cce449a17ac218b0c36c04bf7a4b6e603bdc57b4ab1163a8a3082d5", - "type": "eql", - "version": 7 - } - }, - "rule_name": "System Log File Deletion", - "sha256": "46917edee13ce1920e16d4abca0860805c2905e081f95a13acdc961ccb31bd70", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "System Log File Deletion", + "sha256": "32f9c84c5cce449a17ac218b0c36c04bf7a4b6e603bdc57b4ab1163a8a3082d5", + "type": "eql", + "version": 7 + } + }, + "rule_name": "System Log File Deletion", + "sha256": "46917edee13ce1920e16d4abca0860805c2905e081f95a13acdc961ccb31bd70", + "type": "eql", + "version": 100 }, "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remotely Started Services via RPC", - "sha256": "e9b84550c8017aec72d49f15fe13c67df843abbb87d04fdce004e54d174ef69e", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Remotely Started Services via RPC", - "sha256": "44295f80f3b15cb68948b0739863a71d934c0ef69288410d12b69e5fa4c3eb75", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remotely Started Services via RPC", + "sha256": "e9b84550c8017aec72d49f15fe13c67df843abbb87d04fdce004e54d174ef69e", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Remotely Started Services via RPC", + "sha256": "44295f80f3b15cb68948b0739863a71d934c0ef69288410d12b69e5fa4c3eb75", + "type": "eql", + "version": 100 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote Execution via File Shares", - "sha256": "a4fa795f24e1eecf02164092ec16a99174eddb8733615dc448b876ebd08b8426", - "type": "eql", - "version": 4 - } 
- }, - "rule_name": "Remote Execution via File Shares", - "sha256": "acb9b71ba876ce876744b2d81deec5f975cbc9622840ecf0c9a35e6460932b07", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote Execution via File Shares", + "sha256": "a4fa795f24e1eecf02164092ec16a99174eddb8733615dc448b876ebd08b8426", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Remote Execution via File Shares", + "sha256": "acb9b71ba876ce876744b2d81deec5f975cbc9622840ecf0c9a35e6460932b07", + "type": "eql", + "version": 100 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "c8bab792d5a0d3d62e1447a105d4446258611cda4cb8a9e4b694a0d514c93728", - "type": "machine_learning", - "version": 3 - } - }, - "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "e3d6764e1b127cbf3554a696701134a380a05acc03ebfd8ca6809ddb38161aeb", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Windows Process Calling the Metadata Service", + "sha256": "c8bab792d5a0d3d62e1447a105d4446258611cda4cb8a9e4b694a0d514c93728", + "type": "machine_learning", + "version": 3 + } + }, + "rule_name": "Unusual Windows Process Calling the Metadata Service", + "sha256": "e3d6764e1b127cbf3554a696701134a380a05acc03ebfd8ca6809ddb38161aeb", + "type": "machine_learning", + "version": 100 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Persistence via Login Hook", - "sha256": "f182d2a5e737be7c35daf36c8ca3510919c2bf6cfc2379711b3a866f4069eac4", - "type": "query", - "version": 5 - } - }, - "rule_name": "Potential Persistence via Login Hook", - "sha256": 
"21c5c05e597fe02f130b9a0af8bbaa4669e45f5159f1a272e3b79187f5ba3347", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Persistence via Login Hook", + "sha256": "f182d2a5e737be7c35daf36c8ca3510919c2bf6cfc2379711b3a866f4069eac4", + "type": "query", + "version": 5 + } + }, + "rule_name": "Potential Persistence via Login Hook", + "sha256": "21c5c05e597fe02f130b9a0af8bbaa4669e45f5159f1a272e3b79187f5ba3347", + "type": "query", + "version": 100 }, "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious WerFault Child Process", - "sha256": "2ba82e2240cb3b0213c5617a7d13fb0bcb0047fdd6f3b7d46f12aae06d22e472", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "9eb523c7e7f8f2b03de629dcf315e163280f3f23f07a3c8541352802a57c4944", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious WerFault Child Process", + "sha256": "2ba82e2240cb3b0213c5617a7d13fb0bcb0047fdd6f3b7d46f12aae06d22e472", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious WerFault Child Process", + "sha256": "9eb523c7e7f8f2b03de629dcf315e163280f3f23f07a3c8541352802a57c4944", + "type": "eql", + "version": 100 }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual AWS Command for a User", - "sha256": "bf21bf3820a8d1fcbad4e7592d7c82a26e944e5b846959633030809fbd449532", - "type": "machine_learning", - "version": 10 - } - }, - "rule_name": "Unusual AWS Command for a User", - "sha256": "1a56f898719d89efc88cd607e678a90c70b685a7a726ff154d69d82aa02a39e3", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual AWS Command 
for a User", + "sha256": "bf21bf3820a8d1fcbad4e7592d7c82a26e944e5b846959633030809fbd449532", + "type": "machine_learning", + "version": 10 + } + }, + "rule_name": "Unusual AWS Command for a User", + "sha256": "1a56f898719d89efc88cd607e678a90c70b685a7a726ff154d69d82aa02a39e3", + "type": "machine_learning", + "version": 100 }, "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "a342bfd3e7aa4925926c7efd91db9ecc8442cdeb5c66dbbcf772092e1a2d55cf", - "type": "query", - "version": 4 - } - }, - "rule_name": "Potential Invoke-Mimikatz PowerShell Script", - "sha256": "fbe7bf8e4c621ac26b7b792325e84d8a4ebaf756e9ac6dd25c21666bde8a4bec", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Invoke-Mimikatz PowerShell Script", + "sha256": "a342bfd3e7aa4925926c7efd91db9ecc8442cdeb5c66dbbcf772092e1a2d55cf", + "type": "query", + "version": 4 + } + }, + "rule_name": "Potential Invoke-Mimikatz PowerShell Script", + "sha256": "fbe7bf8e4c621ac26b7b792325e84d8a4ebaf756e9ac6dd25c21666bde8a4bec", + "type": "query", + "version": 100 }, "acbc8bb9-2486-49a8-8779-45fb5f9a93ee": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "sha256": "cb726260cbf8b5a0f646d56b06b9be07fc0ff6fb2efbda14ded64114e8e1c32f", - "type": "query", - "version": 12 - }, - "8.0": { - "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "sha256": "e83a4b6239ffd937ca01ed100a5d9d4f28967445797a34ee411768d8991f212b", - "type": "query", - "version": 15 - } - }, - "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", - "sha256": "4c8958b19960c9a1e57732514e1f40504283902ba203aa4188bb92999137aea8", - "type": "query", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 14, + "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "sha256": "cb726260cbf8b5a0f646d56b06b9be07fc0ff6fb2efbda14ded64114e8e1c32f", + "type": "query", + "version": 12 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "sha256": "e83a4b6239ffd937ca01ed100a5d9d4f28967445797a34ee411768d8991f212b", + "type": "query", + "version": 15 + } + }, + "rule_name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", + "sha256": "4c8958b19960c9a1e57732514e1f40504283902ba203aa4188bb92999137aea8", + "type": "query", + "version": 100 }, "acd611f3-2b93-47b3-a0a3-7723bcc46f6d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "ecf39233d5f53c119cd57516c3b0ad7c0bc09ff58fd279a47a28d5b61f6c10e1", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Potential Command and Control via Internet Explorer", - "sha256": "0bdd548ca60181ea30cf746e0ea8cf8e345ac00870ff3ae9f442c4270de08f1e", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Command and Control via Internet Explorer", + "sha256": "ecf39233d5f53c119cd57516c3b0ad7c0bc09ff58fd279a47a28d5b61f6c10e1", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Potential Command and Control via Internet Explorer", + "sha256": "0bdd548ca60181ea30cf746e0ea8cf8e345ac00870ff3ae9f442c4270de08f1e", + "type": "eql", + "version": 100 }, "ace1e989-a541-44df-93a8-a8b0591b63c0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential SSH Brute Force Detected", - "sha256": "d29b62554e453edb9dea6a8ac0d579c62aded9e00bd9d832e71760d5738d5c1e", - "type": "threshold", - "version": 4 - } - }, - 
"rule_name": "Potential SSH Brute Force Detected", - "sha256": "6d0cb93c3879e8f129c1c6b3ba4f47ac8247824375ceadcff0e6a9df2e21ef78", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential SSH Brute Force Detected", + "sha256": "d29b62554e453edb9dea6a8ac0d579c62aded9e00bd9d832e71760d5738d5c1e", + "type": "threshold", + "version": 4 + } + }, + "rule_name": "Potential SSH Brute Force Detected", + "sha256": "6d0cb93c3879e8f129c1c6b3ba4f47ac8247824375ceadcff0e6a9df2e21ef78", + "type": "threshold", + "version": 100 }, "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "a357b9a510442209bb5f8d23dabe74e4309831848d7ac1c52301f236013ec19d", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Suspicious Managed Code Hosting Process", - "sha256": "ebf48498fb0a4978117f81534e3e692df555fb019bec0b3327cf002ababe9276", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Managed Code Hosting Process", + "sha256": "a357b9a510442209bb5f8d23dabe74e4309831848d7ac1c52301f236013ec19d", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Suspicious Managed Code Hosting Process", + "sha256": "ebf48498fb0a4978117f81534e3e692df555fb019bec0b3327cf002ababe9276", + "type": "eql", + "version": 100 }, "ad0d2742-9a49-11ec-8d6b-acde48001122": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "d429e915fb2c4125fb4990d0e489102f961dd33224c3e70220b15d3751903824", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Signed Proxy Execution via MS Work Folders", - "sha256": "33398fe6a04ff61536aa6088fb0c111b0633efe03669e855d9ac6df46d5e40c1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + 
"previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Signed Proxy Execution via MS Work Folders", + "sha256": "d429e915fb2c4125fb4990d0e489102f961dd33224c3e70220b15d3751903824", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Signed Proxy Execution via MS Work Folders", + "sha256": "33398fe6a04ff61536aa6088fb0c111b0633efe03669e855d9ac6df46d5e40c1", + "type": "eql", + "version": 100 }, "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { - "rule_name": "Proxy Port Activity to the Internet", - "sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10", - "type": "query", - "version": 100 + "rule_name": "Proxy Port Activity to the Internet", + "sha256": "b6ebab2e583cd3bf78d4951f8718ff88b6bbea6dfd4004c586ce00a703ec0a10", + "type": "query", + "version": 100 }, "ad3f2807-2b3e-47d7-b282-f84acbbe14be": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "d1b026666d40c609533cf8728001d959fbf822a6ea704f9471b93c1e1bc79142", - "type": "query", - "version": 12 - }, - "8.0": { - "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "c8bca11e5b1732bfc4bffb9bf1377db165824c647a7bc60bf84ec0f947cbde14", - "type": "query", - "version": 15 - } - }, - "rule_name": "Google Workspace Custom Admin Role Created", - "sha256": "512538be9948d8ee8a4d339c569d5fbdc37e0701050a67f4b26f08a6e36fdb63", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 14, + "rule_name": "Google Workspace Custom Admin Role Created", + "sha256": "d1b026666d40c609533cf8728001d959fbf822a6ea704f9471b93c1e1bc79142", + "type": "query", + "version": 12 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "Google Workspace Custom Admin Role Created", + "sha256": "c8bca11e5b1732bfc4bffb9bf1377db165824c647a7bc60bf84ec0f947cbde14", + "type": "query", + "version": 15 + } + }, + "rule_name": "Google Workspace Custom Admin 
Role Created", + "sha256": "512538be9948d8ee8a4d339c569d5fbdc37e0701050a67f4b26f08a6e36fdb63", + "type": "query", + "version": 100 }, "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "b70e724e7ed3a0764f4e30d64fa85314bc7819636d9f82c92bd6a72ecb0e9904", - "type": "query", - "version": 9 - } - }, - "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", - "sha256": "dd87b932c4d7e0c7d1df354bc2dd687d599fda8e96b30a3dfa407ad8b0dc1dfc", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", + "sha256": "b70e724e7ed3a0764f4e30d64fa85314bc7819636d9f82c92bd6a72ecb0e9904", + "type": "query", + "version": 9 + } + }, + "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", + "sha256": "dd87b932c4d7e0c7d1df354bc2dd687d599fda8e96b30a3dfa407ad8b0dc1dfc", + "type": "query", + "version": 100 }, "ad88231f-e2ab-491c-8fc6-64746da26cfe": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "8eb1433d514c8bcf8670859a3904ff86b03e31f4050334e9bb5fe33dbb5b35fc", - "type": "query", - "version": 7 - } - }, - "rule_name": "Kerberos Cached Credentials Dumping", - "sha256": "83259690e546c1cde573408b1c7067adf11aa9bef323738c8af9f6c6414bbad2", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Kerberos Cached Credentials Dumping", + "sha256": "8eb1433d514c8bcf8670859a3904ff86b03e31f4050334e9bb5fe33dbb5b35fc", + "type": "query", + "version": 7 + } + }, + "rule_name": "Kerberos Cached Credentials Dumping", + "sha256": "83259690e546c1cde573408b1c7067adf11aa9bef323738c8af9f6c6414bbad2", + "type": "query", + "version": 100 
}, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Netcat Network Activity", - "sha256": "31a31c303f07c9556120cb94db7f8c7ebfb77cc7a363376fe5262ff8f5e2c07e", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Netcat Network Activity", - "sha256": "6d5d12b1e6bb04345611fdbe1efd6fcdb2969c24797068c84c66981792df43ae", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Netcat Network Activity", + "sha256": "31a31c303f07c9556120cb94db7f8c7ebfb77cc7a363376fe5262ff8f5e2c07e", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Netcat Network Activity", + "sha256": "6d5d12b1e6bb04345611fdbe1efd6fcdb2969c24797068c84c66981792df43ae", + "type": "eql", + "version": 100 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Local Scheduled Task Creation", - "sha256": "ea88687da0b3e350cbec589c89e6b91be2999547a3762f95b3ee42423842539b", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Local Scheduled Task Creation", - "sha256": "d412e663786e8446c8b21ca4436eca75890995e2f9ba2af309afc077e1b63ef5", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Local Scheduled Task Creation", + "sha256": "ea88687da0b3e350cbec589c89e6b91be2999547a3762f95b3ee42423842539b", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Local Scheduled Task Creation", + "sha256": "d412e663786e8446c8b21ca4436eca75890995e2f9ba2af309afc077e1b63ef5", + "type": "eql", + "version": 100 }, "b0046934-486e-462f-9487-0d4cf9e429c6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Timestomping using Touch Command", - "sha256": "4c674f73145d658fd82a2d0f0efbb8ab0da6d6e4158ab4cb6f38d490f02dd8c3", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Timestomping using 
Touch Command", - "sha256": "badf206b4c63014bf266dbd796d05ac69c44c9ebc85b1f4c82a2fc7f24091ef6", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Timestomping using Touch Command", + "sha256": "4c674f73145d658fd82a2d0f0efbb8ab0da6d6e4158ab4cb6f38d490f02dd8c3", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Timestomping using Touch Command", + "sha256": "badf206b4c63014bf266dbd796d05ac69c44c9ebc85b1f4c82a2fc7f24091ef6", + "type": "eql", + "version": 100 }, "b00bcd89-000c-4425-b94c-716ef67762f6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "6019d3a7c04e868bfcd2a4ce5b6be1b4dad353849b67a12816d62c13d0db55e1", - "type": "query", - "version": 4 - } - }, - "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", - "sha256": "a61edea5c1d4544de197bf9e4c4e33c1b04b7efc46be0500c67b97a63b756b5e", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", + "sha256": "6019d3a7c04e868bfcd2a4ce5b6be1b4dad353849b67a12816d62c13d0db55e1", + "type": "query", + "version": 4 + } + }, + "rule_name": "TCC Bypass via Mounted APFS Snapshot Access", + "sha256": "a61edea5c1d4544de197bf9e4c4e33c1b04b7efc46be0500c67b97a63b756b5e", + "type": "query", + "version": 100 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { - "rule_name": "Potential Persistence via Cron Job", - "sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed", - "type": "query", - "version": 100 + "rule_name": "Potential Persistence via Cron Job", + "sha256": "0c030fdda99d067a509f80bd3faff91ee4d8414e5074a9ef6cf7bf5fc97fcbed", + "type": "query", + "version": 100 }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Spike in Network 
Traffic", - "sha256": "64955fd74b359a0ab411b632bce3bd9f4520f486fe3a1b7a16e7f4973faf8417", - "type": "machine_learning", - "version": 3 - } - }, - "rule_name": "Spike in Network Traffic", - "sha256": "64955fd74b359a0ab411b632bce3bd9f4520f486fe3a1b7a16e7f4973faf8417", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Spike in Network Traffic", + "sha256": "64955fd74b359a0ab411b632bce3bd9f4520f486fe3a1b7a16e7f4973faf8417", + "type": "machine_learning", + "version": 3 + } + }, + "rule_name": "Spike in Network Traffic", + "sha256": "64955fd74b359a0ab411b632bce3bd9f4520f486fe3a1b7a16e7f4973faf8417", + "type": "machine_learning", + "version": 100 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote File Copy via TeamViewer", - "sha256": "bbbe884c4ab21c2cf6da78196dbe4840ac39e83bbbfd9c7b989da641d7ecf781", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Remote File Copy via TeamViewer", - "sha256": "c67a26e60bcc0d0102f11fb944764f8b6dc3e298161377161f45d7c960e23899", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote File Copy via TeamViewer", + "sha256": "bbbe884c4ab21c2cf6da78196dbe4840ac39e83bbbfd9c7b989da641d7ecf781", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Remote File Copy via TeamViewer", + "sha256": "c67a26e60bcc0d0102f11fb944764f8b6dc3e298161377161f45d7c960e23899", + "type": "eql", + "version": 100 }, "b2951150-658f-4a60-832f-a00d1e6c6745": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": "c15e0ca82179bc61cad6e21dcecf05156532d48168c2e929eb9225e9929bd54c", - "type": "query", - "version": 5 - } - }, - "rule_name": "Microsoft 365 Unusual Volume of File Deletion", - "sha256": 
"af13512c9e80f6b0e0f68518c427f2f85b15391d25ecab9801a969c0dcc8988a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Unusual Volume of File Deletion", + "sha256": "c15e0ca82179bc61cad6e21dcecf05156532d48168c2e929eb9225e9929bd54c", + "type": "query", + "version": 5 + } + }, + "rule_name": "Microsoft 365 Unusual Volume of File Deletion", + "sha256": "af13512c9e80f6b0e0f68518c427f2f85b15391d25ecab9801a969c0dcc8988a", + "type": "query", + "version": 100 }, "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Network Connection via Compiled HTML File", - "sha256": "15eb788d4a9800bec206ecacd72fceec547ba4fffccbf3f1860e532c9e9dcf2e", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Network Connection via Compiled HTML File", - "sha256": "5e51d62f56318bd78eb9684d5134fa7783186b89ac95ede02b6fb0a8292cfb09", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Network Connection via Compiled HTML File", + "sha256": "15eb788d4a9800bec206ecacd72fceec547ba4fffccbf3f1860e532c9e9dcf2e", + "type": "eql", + "version": 12 + } + }, + "rule_name": "Network Connection via Compiled HTML File", + "sha256": "5e51d62f56318bd78eb9684d5134fa7783186b89ac95ede02b6fb0a8292cfb09", + "type": "eql", + "version": 100 }, "b347b919-665f-4aac-b9e8-68369bf2340c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Linux Username", - "sha256": "e25a73b70b17529d8b55a00fffc8d8519098a3374280fad8d7081623383fa6eb", - "type": "machine_learning", - "version": 7 - } - }, - "rule_name": "Unusual Linux Username", - "sha256": "912c516b39b6f85f0aec770db42879bb07f167b39dceca96085ea274114e3953", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, 
+ "rule_name": "Unusual Linux Username", + "sha256": "e25a73b70b17529d8b55a00fffc8d8519098a3374280fad8d7081623383fa6eb", + "type": "machine_learning", + "version": 7 + } + }, + "rule_name": "Unusual Linux Username", + "sha256": "912c516b39b6f85f0aec770db42879bb07f167b39dceca96085ea274114e3953", + "type": "machine_learning", + "version": 100 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "bae454d37c97afdf6c1303e06d1e2bf81e178a7ac750f24c8fe9702a1fccd249", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious Endpoint Security Parent Process", - "sha256": "9bc0223af51d5a440aa3392f44355d22cce419d813ee3df11a0208590ee4bc2f", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Endpoint Security Parent Process", + "sha256": "bae454d37c97afdf6c1303e06d1e2bf81e178a7ac750f24c8fe9702a1fccd249", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious Endpoint Security Parent Process", + "sha256": "9bc0223af51d5a440aa3392f44355d22cce419d813ee3df11a0208590ee4bc2f", + "type": "eql", + "version": 100 }, "b4449455-f986-4b5a-82ed-e36b129331f7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "d12bd7983ff5fe776653f790d4e8ee2333413bf1e652396a00e96742ae0ed425", - "type": "query", - "version": 4 - } - }, - "rule_name": "Potential Persistence via Atom Init Script Modification", - "sha256": "692eae78c3fbf7ad8a3d205cddb0b73107ad787cee734dae5530b050d0cff6a6", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Persistence via Atom Init Script Modification", + "sha256": "d12bd7983ff5fe776653f790d4e8ee2333413bf1e652396a00e96742ae0ed425", + "type": 
"query", + "version": 4 + } + }, + "rule_name": "Potential Persistence via Atom Init Script Modification", + "sha256": "692eae78c3fbf7ad8a3d205cddb0b73107ad787cee734dae5530b050d0cff6a6", + "type": "query", + "version": 100 }, "b45ab1d2-712f-4f01-a751-df3826969807": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "a16c71cecd3c18625bcda7dcb6b779b65910eea51f4833319401d2b876751d1b", - "type": "query", - "version": 4 - } - }, - "rule_name": "AWS STS GetSessionToken Abuse", - "sha256": "06b29e5ffac1476ee93e6bf42ca20f236d0db705ca158a59a35d234d824b4f03", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS STS GetSessionToken Abuse", + "sha256": "a16c71cecd3c18625bcda7dcb6b779b65910eea51f4833319401d2b876751d1b", + "type": "query", + "version": 4 + } + }, + "rule_name": "AWS STS GetSessionToken Abuse", + "sha256": "06b29e5ffac1476ee93e6bf42ca20f236d0db705ca158a59a35d234d824b4f03", + "type": "query", + "version": 100 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "6117d395132d33dcb37abc399f31be1ec36cb113a46014969e3e8c346de92241", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "edcf5e80215b2447d4f0112ee839c452f063b302f7f8226074947b172e2323f5", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "6117d395132d33dcb37abc399f31be1ec36cb113a46014969e3e8c346de92241", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "edcf5e80215b2447d4f0112ee839c452f063b302f7f8226074947b172e2323f5", + "type": "query", + "version": 100 }, 
"b5877334-677f-4fb9-86d5-a9721274223b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Clearing Windows Console History", - "sha256": "5a2ba281f21edbffcdc9934e0317b8d2ca9b0499c0c4954f0987a3a41bab5fd5", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Clearing Windows Console History", - "sha256": "fee88e407b3008427032dad110fde2345d4a282f54093f7280991a20befeb34c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Clearing Windows Console History", + "sha256": "5a2ba281f21edbffcdc9934e0317b8d2ca9b0499c0c4954f0987a3a41bab5fd5", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Clearing Windows Console History", + "sha256": "fee88e407b3008427032dad110fde2345d4a282f54093f7280991a20befeb34c", + "type": "eql", + "version": 100 }, "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "d7ea25e3433ca8f64f4699dda914009c10dcad92b0f1eeb1bc71a13391a2560e", - "type": "eql", - "version": 16 - } - }, - "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", - "sha256": "f9e7c547669253937f5c4f6d8f1a0ef17e3d2a2dfd660f265b8be56298d73b9d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", + "sha256": "d7ea25e3433ca8f64f4699dda914009c10dcad92b0f1eeb1bc71a13391a2560e", + "type": "eql", + "version": 16 + } + }, + "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", + "sha256": "f9e7c547669253937f5c4f6d8f1a0ef17e3d2a2dfd660f265b8be56298d73b9d", + "type": "eql", + "version": 100 }, "b627cd12-dac4-11ec-9582-f661ea17fbcd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Elastic Agent Service Terminated", - "sha256": 
"bbf62b64c2be8fc69c5cf32a50509ac3984131a165cf3c4440aff53a0bedb78a", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Elastic Agent Service Terminated", - "sha256": "4512f73e6654a8e9e55ea3f6b5d6c0af90ddc81ca57dca83a48927cb2b5f09bb", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Elastic Agent Service Terminated", + "sha256": "bbf62b64c2be8fc69c5cf32a50509ac3984131a165cf3c4440aff53a0bedb78a", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Elastic Agent Service Terminated", + "sha256": "4512f73e6654a8e9e55ea3f6b5d6c0af90ddc81ca57dca83a48927cb2b5f09bb", + "type": "eql", + "version": 100 }, "b64b183e-1a76-422d-9179-7b389513e74d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "239fc0484293f38ab48bea2184b5897df6fddbc7c1088d9ee2995547d0f72ec8", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Windows Script Interpreter Executing Process via WMI", - "sha256": "80c7df7cc840129e3c4fb2dee6e31acb20b0c706d30a52b16562358420b14edd", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Windows Script Interpreter Executing Process via WMI", + "sha256": "239fc0484293f38ab48bea2184b5897df6fddbc7c1088d9ee2995547d0f72ec8", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Windows Script Interpreter Executing Process via WMI", + "sha256": "80c7df7cc840129e3c4fb2dee6e31acb20b0c706d30a52b16562358420b14edd", + "type": "eql", + "version": 100 }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Event Hub Authorization Rule Created or Updated", - "sha256": "570457480dcddf764559deab4f29056049caf7e7b1cb98c2f902ec08e1d645c1", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Event Hub Authorization Rule 
Created or Updated", - "sha256": "04094094355895232041796a086d7abb0aa1ae7d5e22c101de47ae846055575c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Event Hub Authorization Rule Created or Updated", + "sha256": "570457480dcddf764559deab4f29056049caf7e7b1cb98c2f902ec08e1d645c1", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Event Hub Authorization Rule Created or Updated", + "sha256": "04094094355895232041796a086d7abb0aa1ae7d5e22c101de47ae846055575c", + "type": "query", + "version": 100 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "60164749c3210d3649e58a3e25f0cd7d7ba346fcabafc30b70aa5bfd1c7f953c", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "ff4ea8914e56922c8a23773fda12c35216ec87250d9be3d3d4c720c9d3a51ed3", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Deactivate an Okta Policy", + "sha256": "60164749c3210d3649e58a3e25f0cd7d7ba346fcabafc30b70aa5bfd1c7f953c", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Deactivate an Okta Policy", + "sha256": "ff4ea8914e56922c8a23773fda12c35216ec87250d9be3d3d4c720c9d3a51ed3", + "type": "query", + "version": 100 }, "b8075894-0b62-46e5-977c-31275da34419": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "caf8faad9c8fe37979f1c02c18d19d948a17fae64f01a8e5cc016a50f1cf76da", - "type": "query", - "version": 9 - } - }, - "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "9bb3a9964ec4649701ded0b07c680d5e1eeb51c19f098c11d5924fcf4e72612c", - "type": "query", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Administrator Privileges Assigned to an Okta Group", + "sha256": "caf8faad9c8fe37979f1c02c18d19d948a17fae64f01a8e5cc016a50f1cf76da", + "type": "query", + "version": 9 + } + }, + "rule_name": "Administrator Privileges Assigned to an Okta Group", + "sha256": "9bb3a9964ec4649701ded0b07c680d5e1eeb51c19f098c11d5924fcf4e72612c", + "type": "query", + "version": 100 }, "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "25a1de83681ef1540f609d3490620ba344894b74b2ee92d4ddc0bfb84a6b45b1", - "type": "eql", - "version": 11 - } - }, - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "434c624c1d4ddbd26abf31b01797279cd3eb29a00e4e07455d3188ac512fe7d7", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Creation or Modification of Domain Backup DPAPI private key", + "sha256": "25a1de83681ef1540f609d3490620ba344894b74b2ee92d4ddc0bfb84a6b45b1", + "type": "eql", + "version": 11 + } + }, + "rule_name": "Creation or Modification of Domain Backup DPAPI private key", + "sha256": "434c624c1d4ddbd26abf31b01797279cd3eb29a00e4e07455d3188ac512fe7d7", + "type": "eql", + "version": 100 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Network Connection via MsXsl", - "sha256": "6569c4c09b7707943f2abd68297581a9b96cda43f2749734235e476c970787d4", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Network Connection via MsXsl", - "sha256": "5dae170229a82ef184cbabf4ac2e3f63eb63df1d14b66d0fee6a3e1b5b9d8d9a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Network Connection via 
MsXsl", + "sha256": "6569c4c09b7707943f2abd68297581a9b96cda43f2749734235e476c970787d4", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Network Connection via MsXsl", + "sha256": "5dae170229a82ef184cbabf4ac2e3f63eb63df1d14b66d0fee6a3e1b5b9d8d9a", + "type": "eql", + "version": 100 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "c331e0a716974ea21eae76d7b37f16e0f6b158e79b198cd009dcb38f562d1a90", - "type": "eql", - "version": 8 - } - }, - "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", - "sha256": "8be0bdf2c5c59327a0d79bead790436d1ee2860046be852b30b54622a7850e7d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", + "sha256": "c331e0a716974ea21eae76d7b37f16e0f6b158e79b198cd009dcb38f562d1a90", + "type": "eql", + "version": 8 + } + }, + "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", + "sha256": "8be0bdf2c5c59327a0d79bead790436d1ee2860046be852b30b54622a7850e7d", + "type": "eql", + "version": 100 }, "b910f25a-2d44-47f2-a873-aabdc0d355e6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Chkconfig Service Add", - "sha256": "bbf7065cbab3cc380cef1f9b3ef2e40c2686e1d5202252f23cd544a516877b0d", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Chkconfig Service Add", - "sha256": "43845d217ffc6f9d49ae8bcad10ff34324d7067cfb981dc76b526a32db61a632", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Chkconfig Service Add", + "sha256": "bbf7065cbab3cc380cef1f9b3ef2e40c2686e1d5202252f23cd544a516877b0d", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Chkconfig 
Service Add", + "sha256": "43845d217ffc6f9d49ae8bcad10ff34324d7067cfb981dc76b526a32db61a632", + "type": "eql", + "version": 100 }, "b9554892-5e0e-424b-83a0-5aef95aa43bf": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "1d211f0a0697815ab2ee20f20ab3163fb61e42278fa4b5921bbad99efa68634a", - "type": "query", - "version": 7 - } - }, - "rule_name": "Group Policy Abuse for Privilege Addition", - "sha256": "cee1d015a929b92ca29c739cd0dde4b5840b9274d7a7f9a49dfb18eee6ce508b", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Group Policy Abuse for Privilege Addition", + "sha256": "1d211f0a0697815ab2ee20f20ab3163fb61e42278fa4b5921bbad99efa68634a", + "type": "query", + "version": 7 + } + }, + "rule_name": "Group Policy Abuse for Privilege Addition", + "sha256": "cee1d015a929b92ca29c739cd0dde4b5840b9274d7a7f9a49dfb18eee6ce508b", + "type": "query", + "version": 100 }, "b9666521-4742-49ce-9ddc-b8e84c35acae": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "285891514c70f9a4bdb265d76d50a0dea755e00ad2f1ea37619fbc8450287422", - "type": "eql", - "version": 11 - } - }, - "rule_name": "Creation of Hidden Files and Directories via CommandLine", - "sha256": "e81ded661259ed8eb587cffafee0ca8b36aea8bc59fbf2efc795076a88e437ed", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Creation of Hidden Files and Directories via CommandLine", + "sha256": "285891514c70f9a4bdb265d76d50a0dea755e00ad2f1ea37619fbc8450287422", + "type": "eql", + "version": 11 + } + }, + "rule_name": "Creation of Hidden Files and Directories via CommandLine", + "sha256": "e81ded661259ed8eb587cffafee0ca8b36aea8bc59fbf2efc795076a88e437ed", + "type": "eql", + "version": 
100 }, "b9960fef-82c6-4816-befa-44745030e917": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "873d27c6621fc80c5c4890000abc5ee63099a0a04a7f19ad10551de3ecf660e5", - "type": "eql", - "version": 8 - } - }, - "rule_name": "SolarWinds Process Disabling Services via Registry", - "sha256": "9c46b2102e5e8fe2f5628ea58b100c07e32fd347df708a90b4a6735485090aaa", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "SolarWinds Process Disabling Services via Registry", + "sha256": "873d27c6621fc80c5c4890000abc5ee63099a0a04a7f19ad10551de3ecf660e5", + "type": "eql", + "version": 8 + } + }, + "rule_name": "SolarWinds Process Disabling Services via Registry", + "sha256": "9c46b2102e5e8fe2f5628ea58b100c07e32fd347df708a90b4a6735485090aaa", + "type": "eql", + "version": 100 }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Windows Network Activity", - "sha256": "e902d7fb397e08212a5197fa5dce5708b07375ee8b7ccc2719b0633e9b8c27e3", - "type": "machine_learning", - "version": 7 - } - }, - "rule_name": "Unusual Windows Network Activity", - "sha256": "7b02abc336d84242dd450c5912423eaaed3a749e68d8a3f890cfdc80079a6226", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Windows Network Activity", + "sha256": "e902d7fb397e08212a5197fa5dce5708b07375ee8b7ccc2719b0633e9b8c27e3", + "type": "machine_learning", + "version": 7 + } + }, + "rule_name": "Unusual Windows Network Activity", + "sha256": "7b02abc336d84242dd450c5912423eaaed3a749e68d8a3f890cfdc80079a6226", + "type": "machine_learning", + "version": 100 }, "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Image 
Load (taskschd.dll) from MS Office", - "sha256": "fd7ce2d2723ab08731ea17180d65559e6f7a5c93cdcdf4ab2406d05846bf37de", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", - "sha256": "22650f8dea38ba6c49c4931a71d9ea6e2cc1a2276b28ae2100f551e23bd801dc", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", + "sha256": "fd7ce2d2723ab08731ea17180d65559e6f7a5c93cdcdf4ab2406d05846bf37de", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", + "sha256": "22650f8dea38ba6c49c4931a71d9ea6e2cc1a2276b28ae2100f551e23bd801dc", + "type": "eql", + "version": 100 }, "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Resource Group Deletion", - "sha256": "225a663f235910ed9a74eb8ff36cc51095ab83677e3d8daa8954da29de2b6b62", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Resource Group Deletion", - "sha256": "94b90ae01599bc94e246813b4a812f598fcc7446ba02ac19c80c7180d8e9acbe", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Resource Group Deletion", + "sha256": "225a663f235910ed9a74eb8ff36cc51095ab83677e3d8daa8954da29de2b6b62", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Resource Group Deletion", + "sha256": "94b90ae01599bc94e246813b4a812f598fcc7446ba02ac19c80c7180d8e9acbe", + "type": "query", + "version": 100 }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "4025a11d274c2ceb96f009a6c57bf9fc493e1d91258bb40b290cc42a39464630", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS EC2 Encryption Disabled", - "sha256": 
"205094be6c82e2874f4820a6e6e5c0316ee64f27181cc21b5e579ff7070e325a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS EC2 Encryption Disabled", + "sha256": "4025a11d274c2ceb96f009a6c57bf9fc493e1d91258bb40b290cc42a39464630", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS EC2 Encryption Disabled", + "sha256": "205094be6c82e2874f4820a6e6e5c0316ee64f27181cc21b5e579ff7070e325a", + "type": "query", + "version": 100 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "OneDrive Malware File Upload", - "sha256": "2046461085f32a7b72d00a3fc9d855150e46efce819a90720a13f1cafdd9f451", - "type": "query", - "version": 4 - } - }, - "rule_name": "OneDrive Malware File Upload", - "sha256": "7dadd14a66fd84409d24d959abfe601368897ba2639a12d15fb7ae75727de751", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "OneDrive Malware File Upload", + "sha256": "2046461085f32a7b72d00a3fc9d855150e46efce819a90720a13f1cafdd9f451", + "type": "query", + "version": 4 + } + }, + "rule_name": "OneDrive Malware File Upload", + "sha256": "7dadd14a66fd84409d24d959abfe601368897ba2639a12d15fb7ae75727de751", + "type": "query", + "version": 100 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "337779ecd316649e262c7e31f4d0f28ab285571f1cd3c8f3300f11ea579e9dbe", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", - "sha256": "0be4efbb6ae7b8d50f0cdb4977cde0d5a8bb349d00e13b1e5a79c9f3246fc72e", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 
Teams Custom Application Interaction Allowed", + "sha256": "337779ecd316649e262c7e31f4d0f28ab285571f1cd3c8f3300f11ea579e9dbe", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Teams Custom Application Interaction Allowed", + "sha256": "0be4efbb6ae7b8d50f0cdb4977cde0d5a8bb349d00e13b1e5a79c9f3246fc72e", + "type": "query", + "version": 100 }, "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Root Login Without MFA", - "sha256": "e41c94e88ce170a7642375c19b31680ecb8cb01b057519518c2e27ddf5dbbe43", - "type": "query", - "version": 8 - } - }, - "rule_name": "AWS Root Login Without MFA", - "sha256": "fb313dd5be37e0f39d704b9306bd43a7cc691aefe48175c56edc3b8d3cafe805", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Root Login Without MFA", + "sha256": "e41c94e88ce170a7642375c19b31680ecb8cb01b057519518c2e27ddf5dbbe43", + "type": "query", + "version": 8 + } + }, + "rule_name": "AWS Root Login Without MFA", + "sha256": "fb313dd5be37e0f39d704b9306bd43a7cc691aefe48175c56edc3b8d3cafe805", + "type": "query", + "version": 100 }, "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Storage Bucket Deletion", - "sha256": "abccd332b70f7792ac3df97f8a8c7b820f8318e6dc845c71ee3a00c7fa72d21b", - "type": "query", - "version": 9 - } - }, - "rule_name": "GCP Storage Bucket Deletion", - "sha256": "93446b0f506e848825ea5e62113b964e8bdb512e73bfe0835a17d08053ee6582", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Storage Bucket Deletion", + "sha256": "abccd332b70f7792ac3df97f8a8c7b820f8318e6dc845c71ee3a00c7fa72d21b", + "type": "query", + "version": 9 + } + }, + "rule_name": "GCP Storage Bucket Deletion", + "sha256": 
"93446b0f506e848825ea5e62113b964e8bdb512e73bfe0835a17d08053ee6582", + "type": "query", + "version": 100 }, "bc1eeacf-2972-434f-b782-3a532b100d67": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Install Root Certificate", - "sha256": "8a2581f2613198e069bf50428befcccde626bde5c3329f7dd6799ffef0e2b66f", - "type": "query", - "version": 4 - } - }, - "rule_name": "Attempt to Install Root Certificate", - "sha256": "30586f2965e6afb9eef7a00ff280fb9900fe5d7c9f16499c2da76a6bd567e205", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Install Root Certificate", + "sha256": "8a2581f2613198e069bf50428befcccde626bde5c3329f7dd6799ffef0e2b66f", + "type": "query", + "version": 4 + } + }, + "rule_name": "Attempt to Install Root Certificate", + "sha256": "30586f2965e6afb9eef7a00ff280fb9900fe5d7c9f16499c2da76a6bd567e205", + "type": "query", + "version": 100 }, "bc48bba7-4a23-4232-b551-eca3ca1e3f20": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Conditional Access Policy Modified", - "sha256": "0d5f7f7cd950530e43f8061422946c3ed98864c5d7f4e2a7b70ecbd0043b4dea", - "type": "query", - "version": 9 - } - }, - "rule_name": "Azure Conditional Access Policy Modified", - "sha256": "bb567cd5db3fc59b967cc96e80182e5299a5d791f77e531f72d79b3c02a477f8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Conditional Access Policy Modified", + "sha256": "0d5f7f7cd950530e43f8061422946c3ed98864c5d7f4e2a7b70ecbd0043b4dea", + "type": "query", + "version": 9 + } + }, + "rule_name": "Azure Conditional Access Policy Modified", + "sha256": "bb567cd5db3fc59b967cc96e80182e5299a5d791f77e531f72d79b3c02a477f8", + "type": "query", + "version": 100 }, "bca7d28e-4a48-47b1-adb7-5074310e9a61": { - "min_stack_version": "8.3", - "previous": { - "7.16": { 
- "rule_name": "GCP Service Account Disabled", - "sha256": "446316b8793acc21c065843e48659dc5c0741e50b48348c42d8091ead70aaf88", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Service Account Disabled", - "sha256": "344e1bfa420757d88f390edabb32aef5abff288cc9d99b293bdcfa0016267a34", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Service Account Disabled", + "sha256": "446316b8793acc21c065843e48659dc5c0741e50b48348c42d8091ead70aaf88", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Service Account Disabled", + "sha256": "344e1bfa420757d88f390edabb32aef5abff288cc9d99b293bdcfa0016267a34", + "type": "query", + "version": 100 }, "bd2c86a0-8b61-4457-ab38-96943984e889": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PowerShell Keylogging Script", - "sha256": "055b0cdf7f95c9f6a820c512ca9e97a7ff34a41bef1599875091ab66422a238e", - "type": "query", - "version": 8 - } - }, - "rule_name": "PowerShell Keylogging Script", - "sha256": "0005eed7151bc66fb0cd04e87aaa3bf667dcfa1611ada4454766beb6ba00acbe", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "PowerShell Keylogging Script", + "sha256": "055b0cdf7f95c9f6a820c512ca9e97a7ff34a41bef1599875091ab66422a238e", + "type": "query", + "version": 8 + } + }, + "rule_name": "PowerShell Keylogging Script", + "sha256": "0005eed7151bc66fb0cd04e87aaa3bf667dcfa1611ada4454766beb6ba00acbe", + "type": "query", + "version": 100 }, "bd7eefee-f671-494e-98df-f01daf9e5f17": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": "d32226f39b805f0d3b878197ce1e5edefacb3256c64e3e9202c9471e13b4e3c9", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Suspicious Print Spooler Point and Print DLL", - "sha256": 
"6bb8e576cae990d70ff8b16a6c8e408766a8aeda758c3f4de21bffb4c92e6f89", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Print Spooler Point and Print DLL", + "sha256": "d32226f39b805f0d3b878197ce1e5edefacb3256c64e3e9202c9471e13b4e3c9", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Suspicious Print Spooler Point and Print DLL", + "sha256": "6bb8e576cae990d70ff8b16a6c8e408766a8aeda758c3f4de21bffb4c92e6f89", + "type": "eql", + "version": 100 }, "bdcf646b-08d4-492c-870a-6c04e3700034": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "015745600463e9a1d6e2dcb6b06f3e8a1734b07afbb6d7b4af670462e85f6a01", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", - "sha256": "c0e40bfbb0993658ffc65f2aa928ddf04bd3bb4cab36d3eb5692295c546829d2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", + "sha256": "015745600463e9a1d6e2dcb6b06f3e8a1734b07afbb6d7b4af670462e85f6a01", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", + "sha256": "c0e40bfbb0993658ffc65f2aa928ddf04bd3bb4cab36d3eb5692295c546829d2", + "type": "eql", + "version": 100 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "c108531ffe8d2942cfd96060e577320ddea84961b41d8d0dc4f3184028a7e558", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Searching for Saved Credentials via VaultCmd", - "sha256": "b903b68f801e8ea76737f8da58506d0a3cf41a8c58e853a307b0b8dc46a8c08d", - "type": "eql", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Searching for Saved Credentials via VaultCmd", + "sha256": "c108531ffe8d2942cfd96060e577320ddea84961b41d8d0dc4f3184028a7e558", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Searching for Saved Credentials via VaultCmd", + "sha256": "b903b68f801e8ea76737f8da58506d0a3cf41a8c58e853a307b0b8dc46a8c08d", + "type": "eql", + "version": 100 }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS RDS Snapshot Restored", - "sha256": "407e232dcb7c87839e92e728b33fdd7802cd70f413d313d516e801c854217b38", - "type": "query", - "version": 6 - } - }, - "rule_name": "AWS RDS Snapshot Restored", - "sha256": "96e64f19d7922c69fb0c0dde9c25bdba6c32a2760f8d29c651a310cb1c8a7acf", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS RDS Snapshot Restored", + "sha256": "407e232dcb7c87839e92e728b33fdd7802cd70f413d313d516e801c854217b38", + "type": "query", + "version": 6 + } + }, + "rule_name": "AWS RDS Snapshot Restored", + "sha256": "96e64f19d7922c69fb0c0dde9c25bdba6c32a2760f8d29c651a310cb1c8a7acf", + "type": "query", + "version": 100 }, "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "43df78621e41de3c8e5e86c1af48d514b045d358635229ba8a2fd0f7cc3490f8", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", - "sha256": "71dd67b27fa1543084d78895e408c1553aae3c0e79e3450ccd0afb37828d1346", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", + "sha256": 
"43df78621e41de3c8e5e86c1af48d514b045d358635229ba8a2fd0f7cc3490f8", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", + "sha256": "71dd67b27fa1543084d78895e408c1553aae3c0e79e3450ccd0afb37828d1346", + "type": "eql", + "version": 100 }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "e38b278f03f4d9550032ce5e2c148ddf1f16e61c50f97af58dc6383df83f80fe", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", - "sha256": "479de12601bd58360df092a9a63fb5818b7e967d9142f819e26ad491b235b677", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", + "sha256": "e38b278f03f4d9550032ce5e2c148ddf1f16e61c50f97af58dc6383df83f80fe", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", + "sha256": "479de12601bd58360df092a9a63fb5818b7e967d9142f819e26ad491b235b677", + "type": "eql", + "version": 100 }, "c0429aa8-9974-42da-bfb6-53a0a515a145": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "eaaa0be08f9c816cdd87eda6ace86ee28b68147a27fb74acc5575b89f6b297bf", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", - "sha256": "e9831ca3b5becdb0e68783790b36ff8efc3a0e898056a27f995b7d83053ba624", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", + "sha256": 
"eaaa0be08f9c816cdd87eda6ace86ee28b68147a27fb74acc5575b89f6b297bf", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", + "sha256": "e9831ca3b5becdb0e68783790b36ff8efc3a0e898056a27f995b7d83053ba624", + "type": "eql", + "version": 100 }, "c0be5f31-e180-48ed-aa08-96b36899d48f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Credential Manipulation - Detected - Elastic Endgame", - "sha256": "ebeacb47380be9a09a9d1eed5566517aca491c5c2d96341e0e7638da0f325dc9", - "type": "query", - "version": 10 - } - }, - "rule_name": "Credential Manipulation - Detected - Elastic Endgame", - "sha256": "8d36cb1bb98e55bb4e2ed2cf06aac2db1e1f3a86b9c99dcc91ac589074a780b1", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Credential Manipulation - Detected - Elastic Endgame", + "sha256": "ebeacb47380be9a09a9d1eed5566517aca491c5c2d96341e0e7638da0f325dc9", + "type": "query", + "version": 10 + } + }, + "rule_name": "Credential Manipulation - Detected - Elastic Endgame", + "sha256": "8d36cb1bb98e55bb4e2ed2cf06aac2db1e1f3a86b9c99dcc91ac589074a780b1", + "type": "query", + "version": 100 }, "c1812764-0788-470f-8e74-eb4a14d47573": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "beef9e00937e345042597f3ed53542f76ca08838731a5f61c294fb65b1f749b7", - "type": "query", - "version": 5 - } - }, - "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "1c8b9b64822df7751436f08db4f45efe622e20df94d6b8ebee251c2c88bd713f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS EC2 Full Network Packet Capture Detected", + "sha256": "beef9e00937e345042597f3ed53542f76ca08838731a5f61c294fb65b1f749b7", + "type": "query", + "version": 5 + } 
+ }, + "rule_name": "AWS EC2 Full Network Packet Capture Detected", + "sha256": "1c8b9b64822df7751436f08db4f45efe622e20df94d6b8ebee251c2c88bd713f", + "type": "query", + "version": 100 }, "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "5d7466ef9e04c7cd2d7070b0824a4df93383dc6a3bb31abbc7becc064a38a057", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Microsoft IIS Connection Strings Decryption", - "sha256": "e9606bdaf8cc52bc03c0de35b84bc98c73553ac3a8915da58ec88020a386f392", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft IIS Connection Strings Decryption", + "sha256": "5d7466ef9e04c7cd2d7070b0824a4df93383dc6a3bb31abbc7becc064a38a057", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Microsoft IIS Connection Strings Decryption", + "sha256": "e9606bdaf8cc52bc03c0de35b84bc98c73553ac3a8915da58ec88020a386f392", + "type": "eql", + "version": 100 }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "711dd36c9d0eca5be33613044ab9de38bdc703b51e619c57abd6125385dc7bb0", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "e124e0a0c8431f7cb9d2620441bbba0cd3b662770721332fa1e52b056c6c3dc2", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Linux Network Connection Discovery", + "sha256": "711dd36c9d0eca5be33613044ab9de38bdc703b51e619c57abd6125385dc7bb0", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Unusual Linux Network Connection Discovery", + "sha256": 
"e124e0a0c8431f7cb9d2620441bbba0cd3b662770721332fa1e52b056c6c3dc2", + "type": "machine_learning", + "version": 100 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via Folder Action Script", - "sha256": "2b60a88bd670e6e1ee0b80ff257f00a7f4e3d30c07ea6d3795398989840050cd", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Persistence via Folder Action Script", - "sha256": "cc52212bbc415884de6740f1eca26d7a912a4e10fcecd39f4603ba81bd669106", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via Folder Action Script", + "sha256": "2b60a88bd670e6e1ee0b80ff257f00a7f4e3d30c07ea6d3795398989840050cd", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Persistence via Folder Action Script", + "sha256": "cc52212bbc415884de6740f1eca26d7a912a4e10fcecd39f4603ba81bd669106", + "type": "eql", + "version": 100 }, "c2d90150-0133-451c-a783-533e736c12d7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Mshta Making Network Connections", - "sha256": "c02ad5adbafb5f0e2c94101b9d8ff86a48baaa9d36ab95c07a3df386963df3c0", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Mshta Making Network Connections", - "sha256": "5e623f8957f6bb70d2860015d274b6cd9c0fc27d1da66dc8e3b4d26acdad0305", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Mshta Making Network Connections", + "sha256": "c02ad5adbafb5f0e2c94101b9d8ff86a48baaa9d36ab95c07a3df386963df3c0", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Mshta Making Network Connections", + "sha256": "5e623f8957f6bb70d2860015d274b6cd9c0fc27d1da66dc8e3b4d26acdad0305", + "type": "eql", + "version": 100 }, "c3167e1b-f73c-41be-b60b-87f4df707fe3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Permission Theft 
- Detected - Elastic Endgame", - "sha256": "d678380453e0f0b6769da30e54f6a9ff1b02cdfd3c9f44817f5e52c3f76eccc6", - "type": "query", - "version": 10 - } - }, - "rule_name": "Permission Theft - Detected - Elastic Endgame", - "sha256": "8c71d85fb8e7ca57ddb9f334300043978dd5976f7efc1d0ad06d561ea9cad9b9", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Permission Theft - Detected - Elastic Endgame", + "sha256": "d678380453e0f0b6769da30e54f6a9ff1b02cdfd3c9f44817f5e52c3f76eccc6", + "type": "query", + "version": 10 + } + }, + "rule_name": "Permission Theft - Detected - Elastic Endgame", + "sha256": "8c71d85fb8e7ca57ddb9f334300043978dd5976f7efc1d0ad06d561ea9cad9b9", + "type": "query", + "version": 100 }, "c3b915e0-22f3-4bf7-991d-b643513c722f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "59903aa0ee2b98dd7b68d87048b5cac465cb91b05eaa78dbd066f43cc692a1b9", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "b007236deb7a9347f897ceb0161f1726c57aba660f3fce96e08b686e0076aa59", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via BITS Job Notify Cmdline", + "sha256": "59903aa0ee2b98dd7b68d87048b5cac465cb91b05eaa78dbd066f43cc692a1b9", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Persistence via BITS Job Notify Cmdline", + "sha256": "b007236deb7a9347f897ceb0161f1726c57aba660f3fce96e08b686e0076aa59", + "type": "eql", + "version": 100 }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential JAVA/JNDI Exploitation Attempt", - "sha256": "f60fe5b32ff54a35a502abef27b7a8c4a8294ad3ad27523e6a38c233611f7732", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Potential 
JAVA/JNDI Exploitation Attempt", - "sha256": "0e20c1d9c7505bac6f968e50499da0d632e80699fa86b8d5f80681f960853bbe", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential JAVA/JNDI Exploitation Attempt", + "sha256": "f60fe5b32ff54a35a502abef27b7a8c4a8294ad3ad27523e6a38c233611f7732", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Potential JAVA/JNDI Exploitation Attempt", + "sha256": "0e20c1d9c7505bac6f968e50499da0d632e80699fa86b8d5f80681f960853bbe", + "type": "eql", + "version": 100 }, "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "2a4680018cf4295914ef398a0463c2bd7dcbc3ac5ad8cbda20d0f7fcc7777c5c", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Mounting Hidden or WebDav Remote Shares", - "sha256": "ecef5c16ea5973e0fe50eaf9dad95b17ee6ddb1129d560ce19056e4143efdef2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Mounting Hidden or WebDav Remote Shares", + "sha256": "2a4680018cf4295914ef398a0463c2bd7dcbc3ac5ad8cbda20d0f7fcc7777c5c", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Mounting Hidden or WebDav Remote Shares", + "sha256": "ecef5c16ea5973e0fe50eaf9dad95b17ee6ddb1129d560ce19056e4143efdef2", + "type": "eql", + "version": 100 }, "c4818812-d44f-47be-aaef-4cfb2f9cc799": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "cb6467aec9a8efbce200c151befc915eb2db3882b84358a4cdf00d9104327d78", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Suspicious Print Spooler File Deletion", - "sha256": "4386351a99165eae57ee5fbb8dd05ebf0218c507d0b67817cc082f245026cf98", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + 
"max_allowable_version": 99, + "rule_name": "Suspicious Print Spooler File Deletion", + "sha256": "cb6467aec9a8efbce200c151befc915eb2db3882b84358a4cdf00d9104327d78", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Suspicious Print Spooler File Deletion", + "sha256": "4386351a99165eae57ee5fbb8dd05ebf0218c507d0b67817cc082f245026cf98", + "type": "eql", + "version": 100 }, "c57f8579-e2a5-4804-847f-f2732edc5156": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "58344617d62b41f202f44b3143e2f946d7600510e021c58a48cb1955c42157e9", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential Remote Desktop Shadowing Activity", - "sha256": "568ed65a981e9bbc685870951ed6d77baa80bf363018c8a2b861ecd9e809ead5", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Remote Desktop Shadowing Activity", + "sha256": "58344617d62b41f202f44b3143e2f946d7600510e021c58a48cb1955c42157e9", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential Remote Desktop Shadowing Activity", + "sha256": "568ed65a981e9bbc685870951ed6d77baa80bf363018c8a2b861ecd9e809ead5", + "type": "eql", + "version": 100 }, "c58c3081-2e1d-4497-8491-e73a45d1a6d6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "c5022f7a759d76bc0a187f9612b1034b0faa982c8e9b05ab345fe252c6ec2caf", - "type": "query", - "version": 8 - } - }, - "rule_name": "GCP Virtual Private Cloud Network Deletion", - "sha256": "7a972f51501b28f2921345f60267ef6856109de6b98cc9bdd0fcb8e27e44d021", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Virtual Private Cloud Network Deletion", + "sha256": "c5022f7a759d76bc0a187f9612b1034b0faa982c8e9b05ab345fe252c6ec2caf", + "type": 
"query", + "version": 8 + } + }, + "rule_name": "GCP Virtual Private Cloud Network Deletion", + "sha256": "7a972f51501b28f2921345f60267ef6856109de6b98cc9bdd0fcb8e27e44d021", + "type": "query", + "version": 100 }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "e74680d2801209f53df00cfcad05ff388692b52918c2ff3f018df44999e5ab68", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", - "sha256": "5693c66099391127c7952f8bb15cd31dbd3a0310486de295ae5fc0448a2c263c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", + "sha256": "e74680d2801209f53df00cfcad05ff388692b52918c2ff3f018df44999e5ab68", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", + "sha256": "5693c66099391127c7952f8bb15cd31dbd3a0310486de295ae5fc0448a2c263c", + "type": "eql", + "version": 100 }, "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Installation of Custom Shim Databases", - "sha256": "f4cec74529561a0fc2e6dfcd5ba89600e6e9a30c2832e5070005d0d96511968d", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Installation of Custom Shim Databases", - "sha256": "0fa93fc1d232fea99607148f3695e1fb73869fa61cb2e6484fb809f3b4ea84cd", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Installation of Custom Shim Databases", + "sha256": "f4cec74529561a0fc2e6dfcd5ba89600e6e9a30c2832e5070005d0d96511968d", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Installation of Custom Shim Databases", + "sha256": 
"0fa93fc1d232fea99607148f3695e1fb73869fa61cb2e6484fb809f3b4ea84cd", + "type": "eql", + "version": 100 }, "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "ea301ca7e7d227378716c3ed96bdd9e028e2e189f0142885780ff9e9d157e6fe", - "type": "eql", - "version": 13 - } - }, - "rule_name": "Microsoft Build Engine Started by an Office Application", - "sha256": "d350611625e53a26866d718ab7d51f9a10f552f8c1679db2031e4b70d7bde1d8", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft Build Engine Started by an Office Application", + "sha256": "ea301ca7e7d227378716c3ed96bdd9e028e2e189f0142885780ff9e9d157e6fe", + "type": "eql", + "version": 13 + } + }, + "rule_name": "Microsoft Build Engine Started by an Office Application", + "sha256": "d350611625e53a26866d718ab7d51f9a10f552f8c1679db2031e4b70d7bde1d8", + "type": "eql", + "version": 100 }, "c5f81243-56e0-47f9-b5bb-55a5ed89ba57": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "11c7d628e42834cf18a0ff6695673e7b4d30da3ef8efad6fef35a2ccb3ef745f", - "type": "query", - "version": 4 - } - }, - "rule_name": "CyberArk Privileged Access Security Recommended Monitor", - "sha256": "1ee3e28fb47b89be84bd890417f1d0f1b24cff664df7064d72ab91a8142cda07", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "CyberArk Privileged Access Security Recommended Monitor", + "sha256": "11c7d628e42834cf18a0ff6695673e7b4d30da3ef8efad6fef35a2ccb3ef745f", + "type": "query", + "version": 4 + } + }, + "rule_name": "CyberArk Privileged Access Security Recommended Monitor", + "sha256": "1ee3e28fb47b89be84bd890417f1d0f1b24cff664df7064d72ab91a8142cda07", + 
"type": "query", + "version": 100 }, "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote File Download via MpCmdRun", - "sha256": "276a468726946549ef3f02c8b97760a323a403a68dbfc8f7c3263d5f94a76f69", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Remote File Download via MpCmdRun", - "sha256": "78c9c95071c452b4bd48d9a8d46a37b55762ba51da228e5629e93a0ceb754198", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote File Download via MpCmdRun", + "sha256": "276a468726946549ef3f02c8b97760a323a403a68dbfc8f7c3263d5f94a76f69", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Remote File Download via MpCmdRun", + "sha256": "78c9c95071c452b4bd48d9a8d46a37b55762ba51da228e5629e93a0ceb754198", + "type": "eql", + "version": 100 }, "c6474c34-4953-447a-903e-9fcb7b6661aa": { - "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", - "sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c", - "type": "query", - "version": 100 + "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", + "sha256": "dba60ab7ccce534b20532548b6aff6b799d54bacbacf3328fd250e65420a998c", + "type": "query", + "version": 100 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "8c2d99b22d9a821fd2097d3c5efb649fd5b1f9082edbb56773878940c64f83c0", - "type": "query", - "version": 7 - } - }, - "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "f2218dbd58d500ba58b0845e860e823940b702e3d10370caee0def86e1d20018", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Delete an Okta Network Zone", + "sha256": 
"8c2d99b22d9a821fd2097d3c5efb649fd5b1f9082edbb56773878940c64f83c0", + "type": "query", + "version": 7 + } + }, + "rule_name": "Attempt to Delete an Okta Network Zone", + "sha256": "f2218dbd58d500ba58b0845e860e823940b702e3d10370caee0def86e1d20018", + "type": "query", + "version": 100 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Modify an Okta Application", - "sha256": "96caea11aa97bb793f524a016ce9ea8a9547380f255f0468cc7b7780d1ad498a", - "type": "query", - "version": 7 - } - }, - "rule_name": "Attempt to Modify an Okta Application", - "sha256": "133f87faebe15890cf4697181eb3ff38eabbab663d367540b89039f1992489aa", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Modify an Okta Application", + "sha256": "96caea11aa97bb793f524a016ce9ea8a9547380f255f0468cc7b7780d1ad498a", + "type": "query", + "version": 7 + } + }, + "rule_name": "Attempt to Modify an Okta Application", + "sha256": "133f87faebe15890cf4697181eb3ff38eabbab663d367540b89039f1992489aa", + "type": "query", + "version": 100 }, "c7894234-7814-44c2-92a9-f7d851ea246a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Network Connection via DllHost", - "sha256": "b02be7c05f4bb78a1a219cb52c0e1383c9d77a7d0091ecaaadbf9e2c177d7ab4", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Unusual Network Connection via DllHost", - "sha256": "404c23543760a2e14f04d2b192de7c50520d60a6f08226353de75af3a01c41ab", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Network Connection via DllHost", + "sha256": "b02be7c05f4bb78a1a219cb52c0e1383c9d77a7d0091ecaaadbf9e2c177d7ab4", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Unusual Network Connection via DllHost", + "sha256": 
"404c23543760a2e14f04d2b192de7c50520d60a6f08226353de75af3a01c41ab", + "type": "eql", + "version": 100 }, "c7908cac-337a-4f38-b50d-5eeb78bdb531": { - "min_stack_version": "8.3", - "previous": { - "8.2": { - "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "01bac327794401a552f635ee0b3a0bcc5ae37d9ca094baaf92b7f233dbcbef0b", - "type": "query", - "version": 3 - } - }, - "rule_name": "Kubernetes Privileged Pod Created", - "sha256": "490d52d841dfa80ed829303bdf0106213c05928b84203e29adca6b9ee93ffc98", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "8.2": { + "max_allowable_version": 99, + "rule_name": "Kubernetes Privileged Pod Created", + "sha256": "01bac327794401a552f635ee0b3a0bcc5ae37d9ca094baaf92b7f233dbcbef0b", + "type": "query", + "version": 3 + } + }, + "rule_name": "Kubernetes Privileged Pod Created", + "sha256": "490d52d841dfa80ed829303bdf0106213c05928b84203e29adca6b9ee93ffc98", + "type": "query", + "version": 100 }, "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual File Modification by dns.exe", - "sha256": "3d8b44e3b658a23b1d325e946b48ca23595108bf8b821c2afa0932775568c8fd", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Unusual File Modification by dns.exe", - "sha256": "f2595eda244fd4babde332e6b734f668a97ab1f7e128e4753c8ee5c8d3c56904", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual File Modification by dns.exe", + "sha256": "3d8b44e3b658a23b1d325e946b48ca23595108bf8b821c2afa0932775568c8fd", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Unusual File Modification by dns.exe", + "sha256": "f2595eda244fd4babde332e6b734f668a97ab1f7e128e4753c8ee5c8d3c56904", + "type": "eql", + "version": 100 }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Spike in Network 
Traffic To a Country", - "sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Spike in Network Traffic To a Country", - "sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Spike in Network Traffic To a Country", + "sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Spike in Network Traffic To a Country", + "sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f", + "type": "machine_learning", + "version": 100 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "8b02aafa4506d9cb5eda8c8243ed102f6b9e882c5a109e5c1f26b086ffbb0afe", - "type": "query", - "version": 4 - } - }, - "rule_name": "Persistence via Docker Shortcut Modification", - "sha256": "c6905ab62e0de895f721a12c25d298a797a67062abf1b0c72408e099705ecf8a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via Docker Shortcut Modification", + "sha256": "8b02aafa4506d9cb5eda8c8243ed102f6b9e882c5a109e5c1f26b086ffbb0afe", + "type": "query", + "version": 4 + } + }, + "rule_name": "Persistence via Docker Shortcut Modification", + "sha256": "c6905ab62e0de895f721a12c25d298a797a67062abf1b0c72408e099705ecf8a", + "type": "query", + "version": 100 }, "c82b2bd8-d701-420c-ba43-f11a155b681a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "cccbd868c1f9fa563d8d731c88ed3e783e085b8c53412177f113a9eaa94118ac", - "type": "query", - 
"version": 13 - } - }, - "rule_name": "SMB (Windows File Sharing) Activity to the Internet", - "sha256": "c762f5de1c0dc8d4fbefecbe5ec987d85ff703868558b4c2025a6491f8434e05", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "SMB (Windows File Sharing) Activity to the Internet", + "sha256": "cccbd868c1f9fa563d8d731c88ed3e783e085b8c53412177f113a9eaa94118ac", + "type": "query", + "version": 13 + } + }, + "rule_name": "SMB (Windows File Sharing) Activity to the Internet", + "sha256": "c762f5de1c0dc8d4fbefecbe5ec987d85ff703868558b4c2025a6491f8434e05", + "type": "query", + "version": 100 }, "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Direct Outbound SMB Connection", - "sha256": "c6c4691ccdc5e9a66fbfda821c297d1d55b5cb07d3807002a8924db894f0ab52", - "type": "eql", - "version": 10 - } - }, - "rule_name": "Direct Outbound SMB Connection", - "sha256": "65f317c19bd06744eafcd8c8246900f89b760520f72bc869d0b83bee86a882c8", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Direct Outbound SMB Connection", + "sha256": "c6c4691ccdc5e9a66fbfda821c297d1d55b5cb07d3807002a8924db894f0ab52", + "type": "eql", + "version": 10 + } + }, + "rule_name": "Direct Outbound SMB Connection", + "sha256": "65f317c19bd06744eafcd8c8246900f89b760520f72bc869d0b83bee86a882c8", + "type": "eql", + "version": 100 }, "c85eb82c-d2c8-485c-a36f-534f914b7663": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": "e3eee97261e6eb96eba1f05a344fe29cafc24ef890b991f423887461f7a2fa2d", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Virtual Machine Fingerprinting via Grep", - "sha256": "d8ee45d0074e6b1d209b59fe30f6728feb04cfcdb6ab190e899977e14bbfecf0", - "type": "eql", - "version": 100 + 
"min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Virtual Machine Fingerprinting via Grep", + "sha256": "e3eee97261e6eb96eba1f05a344fe29cafc24ef890b991f423887461f7a2fa2d", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Virtual Machine Fingerprinting via Grep", + "sha256": "d8ee45d0074e6b1d209b59fe30f6728feb04cfcdb6ab190e899977e14bbfecf0", + "type": "eql", + "version": 100 }, "c87fca17-b3a9-4e83-b545-f30746c53920": { - "rule_name": "Nmap Process Activity", - "sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d", - "type": "query", - "version": 100 + "rule_name": "Nmap Process Activity", + "sha256": "85b00c642776304ce2f5d7c1374ad4f666c1669ace49cc43ede47f075674581d", + "type": "query", + "version": 100 }, "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Parent Process PID Spoofing", - "sha256": "1fef8434702bfb1e375a190414def78e6ee6a6523b0ab47eab82953922195230", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Parent Process PID Spoofing", - "sha256": "d3993b3b51d82ef26f3c5420b569f1f6abd55eacb17808430d6280fefccf1254", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Parent Process PID Spoofing", + "sha256": "1fef8434702bfb1e375a190414def78e6ee6a6523b0ab47eab82953922195230", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Parent Process PID Spoofing", + "sha256": "d3993b3b51d82ef26f3c5420b569f1f6abd55eacb17808430d6280fefccf1254", + "type": "eql", + "version": 100 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Startup Shell Folder Modification", - "sha256": "bf93f818a5acdc021805c2fb4f53fa56ededcdf991128dd0b0bdbbd7d3f18c8c", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious Startup Shell Folder Modification", - 
"sha256": "ca362fc15b7aa368a146c5f16f7deff23a7f90907b1a6aea57a84a3989bb3d76", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Startup Shell Folder Modification", + "sha256": "bf93f818a5acdc021805c2fb4f53fa56ededcdf991128dd0b0bdbbd7d3f18c8c", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious Startup Shell Folder Modification", + "sha256": "ca362fc15b7aa368a146c5f16f7deff23a7f90907b1a6aea57a84a3989bb3d76", + "type": "eql", + "version": 100 }, "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "2f2961f517d0e9d4a328175bccbd326bd7faf5dfee6e9f6503416f3aca86b008", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Disabling Windows Defender Security Settings via PowerShell", - "sha256": "8af2a2813d0cd1bd5762df61f47e5d27027bbb7fac6855f1c80192bd6fef08a9", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Disabling Windows Defender Security Settings via PowerShell", + "sha256": "2f2961f517d0e9d4a328175bccbd326bd7faf5dfee6e9f6503416f3aca86b008", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Disabling Windows Defender Security Settings via PowerShell", + "sha256": "8af2a2813d0cd1bd5762df61f47e5d27027bbb7fac6855f1c80192bd6fef08a9", + "type": "eql", + "version": 100 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", - "sha256": "85039ed0d04d2658ca81064f458976d86e88705fa02d00cf22104d46ff4085b1", - "type": "query", - "version": 10 - } - }, - "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", - "sha256": "40292ab6b3b74c0736e9142d0a2f4da6595e481d679c644ebce45713e3cf04d3", - "type": 
"query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", + "sha256": "85039ed0d04d2658ca81064f458976d86e88705fa02d00cf22104d46ff4085b1", + "type": "query", + "version": 10 + } + }, + "rule_name": "Credential Manipulation - Prevented - Elastic Endgame", + "sha256": "40292ab6b3b74c0736e9142d0a2f4da6595e481d679c644ebce45713e3cf04d3", + "type": "query", + "version": 100 }, "ca79768e-40e1-4e45-a097-0e5fbc876ac2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "0b482e9161bd3ed8bce4c2863a6411cc274efdd5134e2e3dd73e9ef1333dda0e", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", - "sha256": "3ff02ff308fe785c128e067929b76a589d41177cafaff1dd3a0a7f318ebcb793", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "sha256": "0b482e9161bd3ed8bce4c2863a6411cc274efdd5134e2e3dd73e9ef1333dda0e", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification", + "sha256": "3ff02ff308fe785c128e067929b76a589d41177cafaff1dd3a0a7f318ebcb793", + "type": "query", + "version": 100 }, "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { - "rule_name": "Auditd Login from Forbidden Location", - "sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed", - "type": "query", - "version": 100 + "rule_name": "Auditd Login from Forbidden Location", + "sha256": "85a1d29a1ac4a700594437c856775141ae1b4cc58a4c41def22e0a8762c7a8ed", + "type": "query", + "version": 100 }, "cac91072-d165-11ec-a764-f661ea17fbce": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Abnormal Process ID or Lock 
File Created", - "sha256": "b8e199e0275a56f67e21011dad1879c8a66b32cfb373e69af50442d187c3c1bc", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "4c77fcd9cdd04d3546df2ecf4157a33cf6a39a68fda324b1c77cfcaf2e0d0b9a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Abnormal Process ID or Lock File Created", + "sha256": "b8e199e0275a56f67e21011dad1879c8a66b32cfb373e69af50442d187c3c1bc", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Abnormal Process ID or Lock File Created", + "sha256": "4c77fcd9cdd04d3546df2ecf4157a33cf6a39a68fda324b1c77cfcaf2e0d0b9a", + "type": "eql", + "version": 100 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "599fc850f87b0b11bb3af05aa1936c1859f7c5e188c1f83be2655ea3cc71a1db", - "type": "query", - "version": 13 - }, - "8.0": { - "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "3ffdd0f16144e0dd0d207c2e8604c3cfc075b03c9e2c2bc68530c26c20242b35", - "type": "query", - "version": 16 - } - }, - "rule_name": "Google Workspace MFA Enforcement Disabled", - "sha256": "d7cfa0897aa671a31636e023f43835a351b3bc09bc6e1e3a047e122eda03a7a4", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 15, + "rule_name": "Google Workspace MFA Enforcement Disabled", + "sha256": "599fc850f87b0b11bb3af05aa1936c1859f7c5e188c1f83be2655ea3cc71a1db", + "type": "query", + "version": 13 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "Google Workspace MFA Enforcement Disabled", + "sha256": "3ffdd0f16144e0dd0d207c2e8604c3cfc075b03c9e2c2bc68530c26c20242b35", + "type": "query", + "version": 16 + } + }, + "rule_name": "Google Workspace MFA Enforcement Disabled", + "sha256": 
"d7cfa0897aa671a31636e023f43835a351b3bc09bc6e1e3a047e122eda03a7a4", + "type": "query", + "version": 100 }, "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Calendar File Modification", - "sha256": "a17d553f673da651ded7a3ea66e07c128029b88490acc7ebc9e1ace84c9584a1", - "type": "query", - "version": 4 - } - }, - "rule_name": "Suspicious Calendar File Modification", - "sha256": "ef1e067b97520b59119126b3922f3dfecb186812f90c1a7df39eb2d54fda70ea", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Calendar File Modification", + "sha256": "a17d553f673da651ded7a3ea66e07c128029b88490acc7ebc9e1ace84c9584a1", + "type": "query", + "version": 4 + } + }, + "rule_name": "Suspicious Calendar File Modification", + "sha256": "ef1e067b97520b59119126b3922f3dfecb186812f90c1a7df39eb2d54fda70ea", + "type": "query", + "version": 100 }, "cc16f774-59f9-462d-8b98-d27ccd4519ec": { - "rule_name": "Process Discovery via Tasklist", - "sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3", - "type": "query", - "version": 100 + "rule_name": "Process Discovery via Tasklist", + "sha256": "8612fc7b7e41ef8548eb18803ce4a0ca6e178952add06c716bfbf190fa1788f3", + "type": "query", + "version": 100 }, "cc2fd2d0-ba3a-4939-b87f-2901764ed036": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Enable the Root Account", - "sha256": "25a2832a5de142a55071b950816a7c18bc95e803ac391db31c6caa1ed11689da", - "type": "query", - "version": 3 - } - }, - "rule_name": "Attempt to Enable the Root Account", - "sha256": "741aeb42feeab9054165b3145253ab3826124f2ba19d70c33129b46f36ef7f2a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Enable the Root Account", + "sha256": 
"25a2832a5de142a55071b950816a7c18bc95e803ac391db31c6caa1ed11689da", + "type": "query", + "version": 3 + } + }, + "rule_name": "Attempt to Enable the Root Account", + "sha256": "741aeb42feeab9054165b3145253ab3826124f2ba19d70c33129b46f36ef7f2a", + "type": "query", + "version": 100 }, "cc89312d-6f47-48e4-a87c-4977bd4633c3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "bfe8159a7886d23dd38393fa9bee89ac16f4726a3c4f25cf4ed5898c41168383", - "type": "query", - "version": 9 - } - }, - "rule_name": "GCP Pub/Sub Subscription Deletion", - "sha256": "c31392904afea3d493c1aaed8fbb19bd0365011c9b16ff72f04f359ad770c763", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Pub/Sub Subscription Deletion", + "sha256": "bfe8159a7886d23dd38393fa9bee89ac16f4726a3c4f25cf4ed5898c41168383", + "type": "query", + "version": 9 + } + }, + "rule_name": "GCP Pub/Sub Subscription Deletion", + "sha256": "c31392904afea3d493c1aaed8fbb19bd0365011c9b16ff72f04f359ad770c763", + "type": "query", + "version": 100 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "f3f3e6c106b9b59224b4adc2dcc0440429e547b549cf3968180a653aaabe5ec4", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "d7cde97c8d9a661b5b7a290af52757e631313dbcf59b0c83a65e015074d089c0", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Deactivate an Okta Policy Rule", + "sha256": "f3f3e6c106b9b59224b4adc2dcc0440429e547b549cf3968180a653aaabe5ec4", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Deactivate an Okta Policy Rule", + "sha256": 
"d7cde97c8d9a661b5b7a290af52757e631313dbcf59b0c83a65e015074d089c0", + "type": "query", + "version": 100 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Process Herpaderping Attempt", - "sha256": "2b1dac1ccc6843acfa825aa0f250925056ed80d273deef8c7fd10f656fd48f35", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Potential Process Herpaderping Attempt", - "sha256": "d3d51648e56786364ca0f5e181a5e8cf20b152c6edc443c8748cab4de6a5fa33", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Process Herpaderping Attempt", + "sha256": "2b1dac1ccc6843acfa825aa0f250925056ed80d273deef8c7fd10f656fd48f35", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Potential Process Herpaderping Attempt", + "sha256": "d3d51648e56786364ca0f5e181a5e8cf20b152c6edc443c8748cab4de6a5fa33", + "type": "eql", + "version": 100 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "a1813eae5d63d4726b936d105486b17a6d73e0c440c903e014e7616dfe44172d", - "type": "query", - "version": 9 - } - }, - "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "a426f223e9e1dd9112d3cd717f84671ff7d63875d60d5dce16ebdc3568a04aa3", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", + "sha256": "a1813eae5d63d4726b936d105486b17a6d73e0c440c903e014e7616dfe44172d", + "type": "query", + "version": 9 + } + }, + "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", + "sha256": "a426f223e9e1dd9112d3cd717f84671ff7d63875d60d5dce16ebdc3568a04aa3", + "type": "query", + "version": 100 }, 
"cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { - "rule_name": "Socat Process Activity", - "sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25", - "type": "query", - "version": 100 + "rule_name": "Socat Process Activity", + "sha256": "572416fa9eb3b37a9360cbd474d0dccd7844685ad36b022f4a42d3a4525cac25", + "type": "query", + "version": 100 }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "72774e826f2421c6fb071aca38cde16199ac2227c454f40e278aa68331bfb9ff", - "type": "machine_learning", - "version": 3 - } - }, - "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "47355104ae58c2ce6a485512d48639feeab99afb93a70a0e73207a82bf3c6a9a", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Anomalous Linux Compiler Activity", + "sha256": "72774e826f2421c6fb071aca38cde16199ac2227c454f40e278aa68331bfb9ff", + "type": "machine_learning", + "version": 3 + } + }, + "rule_name": "Anomalous Linux Compiler Activity", + "sha256": "47355104ae58c2ce6a485512d48639feeab99afb93a70a0e73207a82bf3c6a9a", + "type": "machine_learning", + "version": 100 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Kernel Module Removal", - "sha256": "ada4b7f1536b5940bf11ef7267b8ccefd251c58d01db796b01ab135fc4d18a32", - "type": "query", - "version": 9 - } - }, - "rule_name": "Kernel Module Removal", - "sha256": "1c8be7221b73c0ef1a2ecd9c9d67a30493f1a138df4ed632c30a1eaaad4668d8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Kernel Module Removal", + "sha256": "ada4b7f1536b5940bf11ef7267b8ccefd251c58d01db796b01ab135fc4d18a32", + "type": "query", + "version": 9 + } + }, + "rule_name": "Kernel Module Removal", + 
"sha256": "1c8be7221b73c0ef1a2ecd9c9d67a30493f1a138df4ed632c30a1eaaad4668d8", + "type": "query", + "version": 100 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Deactivate MFA for an Okta User Account", - "sha256": "f0ba64dc6504953e0d1713f1a46c37f9a3ddddf5ac0dac882e80bc5fb9825188", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Deactivate MFA for an Okta User Account", - "sha256": "1bcabbb99bc40c24f88f8514ba0d56999857fa558bc42918f7a26088cba56a08", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Deactivate MFA for an Okta User Account", + "sha256": "f0ba64dc6504953e0d1713f1a46c37f9a3ddddf5ac0dac882e80bc5fb9825188", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Deactivate MFA for an Okta User Account", + "sha256": "1bcabbb99bc40c24f88f8514ba0d56999857fa558bc42918f7a26088cba56a08", + "type": "query", + "version": 100 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Okta User Session Impersonation", - "sha256": "fd41cb20e5354ce70352537af6589d7fe8bddaaa3efc190dcb7f28c90016dfa9", - "type": "query", - "version": 4 - } - }, - "rule_name": "Okta User Session Impersonation", - "sha256": "d74bce14eca816f10062503c436a8f5ab108761b5554f8c7439644ca4088eee8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Okta User Session Impersonation", + "sha256": "fd41cb20e5354ce70352537af6589d7fe8bddaaa3efc190dcb7f28c90016dfa9", + "type": "query", + "version": 4 + } + }, + "rule_name": "Okta User Session Impersonation", + "sha256": "d74bce14eca816f10062503c436a8f5ab108761b5554f8c7439644ca4088eee8", + "type": "query", + "version": 100 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { - "min_stack_version": 
"8.3", - "previous": { - "7.16": { - "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "89f5e200675a86a78dd4ae429ab59815d6f2fc8a788cb55a3116bdfdf2661e67", - "type": "eql", - "version": 10 - } - }, - "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", - "sha256": "d6d11a510336026baccb5c48c6f213a08074dfb4e5e820dd69f75346cbaac023", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", + "sha256": "89f5e200675a86a78dd4ae429ab59815d6f2fc8a788cb55a3116bdfdf2661e67", + "type": "eql", + "version": 10 + } + }, + "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", + "sha256": "d6d11a510336026baccb5c48c6f213a08074dfb4e5e820dd69f75346cbaac023", + "type": "eql", + "version": 100 }, "cf53f532-9cc9-445a-9ae7-fced307ec53c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "251ce0bab9c64891a65817cbbe623561d5a89f168d844da108c03562d4e2266e", - "type": "query", - "version": 6 - } - }, - "rule_name": "Cobalt Strike Command and Control Beacon", - "sha256": "251ce0bab9c64891a65817cbbe623561d5a89f168d844da108c03562d4e2266e", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Cobalt Strike Command and Control Beacon", + "sha256": "251ce0bab9c64891a65817cbbe623561d5a89f168d844da108c03562d4e2266e", + "type": "query", + "version": 6 + } + }, + "rule_name": "Cobalt Strike Command and Control Beacon", + "sha256": "251ce0bab9c64891a65817cbbe623561d5a89f168d844da108c03562d4e2266e", + "type": "query", + "version": 100 }, "cf549724-c577-4fd6-8f9b-d1b8ec519ec0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": 
"cd4f89243551c1339b5502a776a7ca15183d07da9cfd5df268a4c4b2e5954c56", - "type": "query", - "version": 12 - }, - "8.0": { - "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "05fe436d072dffdbdb136a88e93c7636e147f91bf5c02b89ba7eeed8fd336e3e", - "type": "query", - "version": 15 - } - }, - "rule_name": "Domain Added to Google Workspace Trusted Domains", - "sha256": "01c48dc0838a6a2c291d22a40540e1bd4b156aa8b707b0e1eceb1ed6c66e31c3", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 14, + "rule_name": "Domain Added to Google Workspace Trusted Domains", + "sha256": "cd4f89243551c1339b5502a776a7ca15183d07da9cfd5df268a4c4b2e5954c56", + "type": "query", + "version": 12 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "Domain Added to Google Workspace Trusted Domains", + "sha256": "05fe436d072dffdbdb136a88e93c7636e147f91bf5c02b89ba7eeed8fd336e3e", + "type": "query", + "version": 15 + } + }, + "rule_name": "Domain Added to Google Workspace Trusted Domains", + "sha256": "01c48dc0838a6a2c291d22a40540e1bd4b156aa8b707b0e1eceb1ed6c66e31c3", + "type": "query", + "version": 100 }, "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "556e7fd38bd70311927aa98b016c3d73f728df2a0173385f0c7a6d5f72399060", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Execution from Unusual Directory - Command Line", - "sha256": "b9c23acbf43665b0b2a7a52dcb4fa5d772b1dbdace50fe13fb5e2fb36640cb45", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution from Unusual Directory - Command Line", + "sha256": "556e7fd38bd70311927aa98b016c3d73f728df2a0173385f0c7a6d5f72399060", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Execution from Unusual Directory - Command Line", + 
"sha256": "b9c23acbf43665b0b2a7a52dcb4fa5d772b1dbdace50fe13fb5e2fb36640cb45", + "type": "eql", + "version": 100 }, "d0e159cf-73e9-40d1-a9ed-077e3158a855": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "d6965099fd14c541f08c466c817f679a6939cb7e9d4bb6bde634d79c16a5ca66", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Registry Persistence via AppInit DLL", - "sha256": "ec596232b07f57337ded42809b05e4616306c860f9cbbfdcd7016ce0f195b8f4", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Registry Persistence via AppInit DLL", + "sha256": "d6965099fd14c541f08c466c817f679a6939cb7e9d4bb6bde634d79c16a5ca66", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Registry Persistence via AppInit DLL", + "sha256": "ec596232b07f57337ded42809b05e4616306c860f9cbbfdcd7016ce0f195b8f4", + "type": "eql", + "version": 100 }, "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "1f6bd29235c4140598d12135b67fc6285adab3882cdbf5fb3eda91de5dd1b2b0", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Symbolic Link to Shadow Copy Created", - "sha256": "c83b9154eb59550be3f873a64afb2d96a58e3a1e3d08eb79ccfe48c5e6addf8b", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Symbolic Link to Shadow Copy Created", + "sha256": "1f6bd29235c4140598d12135b67fc6285adab3882cdbf5fb3eda91de5dd1b2b0", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Symbolic Link to Shadow Copy Created", + "sha256": "c83b9154eb59550be3f873a64afb2d96a58e3a1e3d08eb79ccfe48c5e6addf8b", + "type": "eql", + "version": 100 }, "d2053495-8fe7-4168-b3df-dad844046be3": { - "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", - 
"sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6", - "type": "query", - "version": 100 + "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", + "sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6", + "type": "query", + "version": 100 }, "d22a85c6-d2ad-4cc4-bf7b-54787473669a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "dfc63901f804b7cf2d08cccd4f0795208161faf81c73c1699baf48f8884fa9b1", - "type": "query", - "version": 4 - } - }, - "rule_name": "Potential Microsoft Office Sandbox Evasion", - "sha256": "26ee346753067979114f45b3c4d53389580cfa75342e55b78ec8c644873fc62f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Microsoft Office Sandbox Evasion", + "sha256": "dfc63901f804b7cf2d08cccd4f0795208161faf81c73c1699baf48f8884fa9b1", + "type": "query", + "version": 4 + } + }, + "rule_name": "Potential Microsoft Office Sandbox Evasion", + "sha256": "26ee346753067979114f45b3c4d53389580cfa75342e55b78ec8c644873fc62f", + "type": "query", + "version": 100 }, "d31f183a-e5b1-451b-8534-ba62bca0b404": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "32c87270f7d3db1e4556a1410d02bef58c136aa70569924f60318e9b22768dd5", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Disabling User Account Control via Registry Modification", - "sha256": "963327ef29e41ffff32d97cc72c852380b91a1f508c7e73eb8997b8f08b7203e", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Disabling User Account Control via Registry Modification", + "sha256": "32c87270f7d3db1e4556a1410d02bef58c136aa70569924f60318e9b22768dd5", + "type": "eql", + "version": 7 + } + }, + "rule_name": 
"Disabling User Account Control via Registry Modification", + "sha256": "963327ef29e41ffff32d97cc72c852380b91a1f508c7e73eb8997b8f08b7203e", + "type": "eql", + "version": 100 }, "d331bbe2-6db4-4941-80a5-8270db72eb61": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Clearing Windows Event Logs", - "sha256": "dec588e701c38e67a10b0a6521c4c022892f6671b2feca4f727a6d17df173077", - "type": "eql", - "version": 16 - } - }, - "rule_name": "Clearing Windows Event Logs", - "sha256": "594f4c6237bcc2ceef8508b147a75303098f1b3e334a56c48423cfa272366237", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Clearing Windows Event Logs", + "sha256": "dec588e701c38e67a10b0a6521c4c022892f6671b2feca4f727a6d17df173077", + "type": "eql", + "version": 16 + } + }, + "rule_name": "Clearing Windows Event Logs", + "sha256": "594f4c6237bcc2ceef8508b147a75303098f1b3e334a56c48423cfa272366237", + "type": "eql", + "version": 100 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Shell Execution via Apple Scripting", - "sha256": "81d944d6e43616c8ce9d52f1959afb89444b9972b4c8269b28c8d7c74485e4b8", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Shell Execution via Apple Scripting", - "sha256": "d216e2e2cf3d06fa293ae9c2c3cba3977897440f561a3bcbb53130428bfae7bc", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Shell Execution via Apple Scripting", + "sha256": "81d944d6e43616c8ce9d52f1959afb89444b9972b4c8269b28c8d7c74485e4b8", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Shell Execution via Apple Scripting", + "sha256": "d216e2e2cf3d06fa293ae9c2c3cba3977897440f561a3bcbb53130428bfae7bc", + "type": "eql", + "version": 100 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { - "min_stack_version": "8.3", - "previous": { - 
"7.16": { - "rule_name": "Attempt to Delete an Okta Application", - "sha256": "9128314e4252732403889dadd2b7748918acd7e1ce8f8541daedaba48b40d4e7", - "type": "query", - "version": 7 - } - }, - "rule_name": "Attempt to Delete an Okta Application", - "sha256": "5775f8988ecf8ce2b7d4d780a1a2c5fd46e2b253c21143d53d918ed3ed0b1ea8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Delete an Okta Application", + "sha256": "9128314e4252732403889dadd2b7748918acd7e1ce8f8541daedaba48b40d4e7", + "type": "query", + "version": 7 + } + }, + "rule_name": "Attempt to Delete an Okta Application", + "sha256": "5775f8988ecf8ce2b7d4d780a1a2c5fd46e2b253c21143d53d918ed3ed0b1ea8", + "type": "query", + "version": 100 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "4b9eead51bdd9860f02d47c1a20fc4892ba90960f2151ebe61c89e07ed3f4263", - "type": "query", - "version": 9 - } - }, - "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", - "sha256": "19024513ed918b3f834bfc02a6fade03e36daff8a7c0fb19bedeaee8a1613dd2", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", + "sha256": "4b9eead51bdd9860f02d47c1a20fc4892ba90960f2151ebe61c89e07ed3f4263", + "type": "query", + "version": 9 + } + }, + "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", + "sha256": "19024513ed918b3f834bfc02a6fade03e36daff8a7c0fb19bedeaee8a1613dd2", + "type": "query", + "version": 100 }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": 
"e6bfd938d1323fddf3554c4c9a5a57d6490c2b23ec7d42a12455a5cd6ab96d14", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "3d98f764fe976df253f64e01eebc8c21b6f053483109c520c47251ae353f12df", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Linux System Information Discovery Activity", + "sha256": "e6bfd938d1323fddf3554c4c9a5a57d6490c2b23ec7d42a12455a5cd6ab96d14", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Unusual Linux System Information Discovery Activity", + "sha256": "3d98f764fe976df253f64e01eebc8c21b6f053483109c520c47251ae353f12df", + "type": "machine_learning", + "version": 100 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "2e2ae07f9d9f4346d8f2855672b7cb74eba7a74483e53a99064ec4e6a14560ae", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "2e2ae07f9d9f4346d8f2855672b7cb74eba7a74483e53a99064ec4e6a14560ae", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Source IP for a User to Logon from", + "sha256": "2e2ae07f9d9f4346d8f2855672b7cb74eba7a74483e53a99064ec4e6a14560ae", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Unusual Source IP for a User to Logon from", + "sha256": "2e2ae07f9d9f4346d8f2855672b7cb74eba7a74483e53a99064ec4e6a14560ae", + "type": "machine_learning", + "version": 100 }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": 
"df727534686ff5d08f97b53cebae31cc82f831264c16022e81a2aeab10cbd8f9", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Privilege Escalation via Windir Environment Variable", - "sha256": "5d902a20e493e034ac8616cf47bccd266ca21bd9977159e026db0bad56121168", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Privilege Escalation via Windir Environment Variable", + "sha256": "df727534686ff5d08f97b53cebae31cc82f831264c16022e81a2aeab10cbd8f9", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Privilege Escalation via Windir Environment Variable", + "sha256": "5d902a20e493e034ac8616cf47bccd266ca21bd9977159e026db0bad56121168", + "type": "eql", + "version": 100 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "40a4b168923189b0651c8e31ddd382c3eee3007b4d93d968f76f9813567f708a", - "type": "query", - "version": 7 - } - }, - "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "f46efadc5223126d7d2b269800e56bd1bfe7414df41232e503770f4d7f394e5a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Delete an Okta Policy Rule", + "sha256": "40a4b168923189b0651c8e31ddd382c3eee3007b4d93d968f76f9813567f708a", + "type": "query", + "version": 7 + } + }, + "rule_name": "Attempt to Delete an Okta Policy Rule", + "sha256": "f46efadc5223126d7d2b269800e56bd1bfe7414df41232e503770f4d7f394e5a", + "type": "query", + "version": 100 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Service Command Lateral Movement", - "sha256": "14fe2ba1367484a6ee97e359ba9b8c5c66987e02d2865d8537b9ae9b1ef6d2ab", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Service Command Lateral Movement", - "sha256": 
"4f1a9cea4e27cd4aa1579b26c0e1194e00c56dbaa173df926d00b2ac54ffc361", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Service Command Lateral Movement", + "sha256": "14fe2ba1367484a6ee97e359ba9b8c5c66987e02d2865d8537b9ae9b1ef6d2ab", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Service Command Lateral Movement", + "sha256": "4f1a9cea4e27cd4aa1579b26c0e1194e00c56dbaa173df926d00b2ac54ffc361", + "type": "eql", + "version": 100 }, "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "43fab9e1ad69e93f3f1d82b141356b4241d3e3b6a4abe88c87f57950893e7b8e", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS CloudWatch Log Stream Deletion", - "sha256": "83c04102eefcd5bad2b3187a8eaa5d04383506462f09127894aabcdeb2c7cc97", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS CloudWatch Log Stream Deletion", + "sha256": "43fab9e1ad69e93f3f1d82b141356b4241d3e3b6a4abe88c87f57950893e7b8e", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS CloudWatch Log Stream Deletion", + "sha256": "83c04102eefcd5bad2b3187a8eaa5d04383506462f09127894aabcdeb2c7cc97", + "type": "query", + "version": 100 }, "d62b64a8-a7c9-43e5-aee3-15a725a794e7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "29519fb575a745714635c63fc1316d44e4760dc28d15c7bb88a5665b423c5330", - "type": "query", - "version": 9 - } - }, - "rule_name": "GCP Pub/Sub Subscription Creation", - "sha256": "e4952632295f7786983b529846c2a56aa18d946bdfe8c592ec3c1253600b8b1d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Pub/Sub Subscription Creation", 
+ "sha256": "29519fb575a745714635c63fc1316d44e4760dc28d15c7bb88a5665b423c5330", + "type": "query", + "version": 9 + } + }, + "rule_name": "GCP Pub/Sub Subscription Creation", + "sha256": "e4952632295f7786983b529846c2a56aa18d946bdfe8c592ec3c1253600b8b1d", + "type": "query", + "version": 100 }, "d6450d4e-81c6-46a3-bd94-079886318ed5": { - "rule_name": "Strace Process Activity", - "sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7", - "type": "query", - "version": 100 + "rule_name": "Strace Process Activity", + "sha256": "d429bce6c680e9197c1314118b5cf81da6824a06e1d95e2882c4a9a274975eb7", + "type": "query", + "version": 100 }, "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "0301f13a0cce7d153d3e01f8a199d99175bf2c028af2a3146f754e5c753f93be", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", - "sha256": "a50d37bbe9b43e7724a7eb24505e7aa03927a2ec67370f69ca28127d662d68fc", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "sha256": "0301f13a0cce7d153d3e01f8a199d99175bf2c028af2a3146f754e5c753f93be", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", + "sha256": "a50d37bbe9b43e7724a7eb24505e7aa03927a2ec67370f69ca28127d662d68fc", + "type": "query", + "version": 100 }, "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Modification of WDigest Security Provider", - "sha256": "1ad06b0fe0245e82429077bae391d3c2af5984b53799cfcec254e3b65569743a", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Modification of WDigest Security Provider", - "sha256": 
"18ae14496eae54ed3c43ec695b95a0db7ea09815f0fb2c0c014bfa319308596a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Modification of WDigest Security Provider", + "sha256": "1ad06b0fe0245e82429077bae391d3c2af5984b53799cfcec254e3b65569743a", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Modification of WDigest Security Provider", + "sha256": "18ae14496eae54ed3c43ec695b95a0db7ea09815f0fb2c0c014bfa319308596a", + "type": "eql", + "version": 100 }, "d72e33fc-6e91-42ff-ac8b-e573268c5a87": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Command Execution via SolarWinds Process", - "sha256": "c66dd3b64916aa7fabacfe800aa2076f58946cd244e563af4d3b0f6cee003610", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Command Execution via SolarWinds Process", - "sha256": "12bb91c5494107580ebf88ac8241b7af9912cc883383de028b8fb9fd9532098c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Command Execution via SolarWinds Process", + "sha256": "c66dd3b64916aa7fabacfe800aa2076f58946cd244e563af4d3b0f6cee003610", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Command Execution via SolarWinds Process", + "sha256": "12bb91c5494107580ebf88ac8241b7af9912cc883383de028b8fb9fd9532098c", + "type": "eql", + "version": 100 }, "d743ff2a-203e-4a46-a3e3-40512cfe8fbb": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "c708af23dddbb7172b0b812a70be4c7b90797d357b2088d1db8bda43c16d92b2", - "type": "query", - "version": 8 - } - }, - "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", - "sha256": "f57519c1aa31055750c5639076d19820fd5ac67f477ad74655a84276f0c2ff6d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + 
"max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "sha256": "c708af23dddbb7172b0b812a70be4c7b90797d357b2088d1db8bda43c16d92b2", + "type": "query", + "version": 8 + } + }, + "rule_name": "Microsoft 365 Exchange Malware Filter Policy Deletion", + "sha256": "f57519c1aa31055750c5639076d19820fd5ac67f477ad74655a84276f0c2ff6d", + "type": "query", + "version": 100 }, "d75991f2-b989-419d-b797-ac1e54ec2d61": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "SystemKey Access via Command Line", - "sha256": "bad21256e2539ed2889697b46ad97e31897d99ae6b81423aa0ed71e86c03c165", - "type": "query", - "version": 4 - } - }, - "rule_name": "SystemKey Access via Command Line", - "sha256": "cd672851cc7069c4978d323f3759c166eb8be77fcacdbd1f44c796534216316a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "SystemKey Access via Command Line", + "sha256": "bad21256e2539ed2889697b46ad97e31897d99ae6b81423aa0ed71e86c03c165", + "type": "query", + "version": 4 + } + }, + "rule_name": "SystemKey Access via Command Line", + "sha256": "cd672851cc7069c4978d323f3759c166eb8be77fcacdbd1f44c796534216316a", + "type": "query", + "version": 100 }, "d76b02ef-fc95-4001-9297-01cb7412232f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "1b8e9ea27c151d2de3fd5c94f0ff8de14098ccc0348a81ac3a39dc28f0dd118f", - "type": "query", - "version": 8 - }, - "8.2": { - "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "fb31d0eaf6786a71496f8d2605f731b9e3770b5a16af3d6e301e5b5432154634", - "type": "query", - "version": 11 - } - }, - "rule_name": "Interactive Terminal Spawned via Python", - "sha256": "d552db67ab29b26dc0436467f567af8c199d24be56081fae0131e09de1d1a07d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + 
"max_allowable_version": 10, + "rule_name": "Interactive Terminal Spawned via Python", + "sha256": "1b8e9ea27c151d2de3fd5c94f0ff8de14098ccc0348a81ac3a39dc28f0dd118f", + "type": "query", + "version": 8 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "Interactive Terminal Spawned via Python", + "sha256": "fb31d0eaf6786a71496f8d2605f731b9e3770b5a16af3d6e301e5b5432154634", + "type": "query", + "version": 11 + } + }, + "rule_name": "Interactive Terminal Spawned via Python", + "sha256": "d552db67ab29b26dc0436467f567af8c199d24be56081fae0131e09de1d1a07d", + "type": "query", + "version": 100 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Blob Permissions Modification", - "sha256": "c0d96e3c996d58a507d4b57459abb95bc875d950f28a6dec3eb17e1091d5d624", - "type": "query", - "version": 4 - } - }, - "rule_name": "Azure Blob Permissions Modification", - "sha256": "93f9f5b59ff0b2dda8d48b18b5d29f3434d7d8c95026e6d3029877c99182109c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Blob Permissions Modification", + "sha256": "c0d96e3c996d58a507d4b57459abb95bc875d950f28a6dec3eb17e1091d5d624", + "type": "query", + "version": 4 + } + }, + "rule_name": "Azure Blob Permissions Modification", + "sha256": "93f9f5b59ff0b2dda8d48b18b5d29f3434d7d8c95026e6d3029877c99182109c", + "type": "query", + "version": 100 }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Spike in Logon Events", - "sha256": "2aa5266f2f98a3501aa1994db0eeb48e48c8eb3bf8bb8500f0b9a3447c472d62", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Spike in Logon Events", - "sha256": "2aa5266f2f98a3501aa1994db0eeb48e48c8eb3bf8bb8500f0b9a3447c472d62", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + 
"max_allowable_version": 99, + "rule_name": "Spike in Logon Events", + "sha256": "2aa5266f2f98a3501aa1994db0eeb48e48c8eb3bf8bb8500f0b9a3447c472d62", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Spike in Logon Events", + "sha256": "2aa5266f2f98a3501aa1994db0eeb48e48c8eb3bf8bb8500f0b9a3447c472d62", + "type": "machine_learning", + "version": 100 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "SMTP on Port 26/TCP", - "sha256": "7e8d3c2560ac6a468f7701f9ee237e39bc51231edf8d5b94ab0055d60286730b", - "type": "query", - "version": 10 - } - }, - "rule_name": "SMTP on Port 26/TCP", - "sha256": "f795ea35f70c7ee41f46586159af9c713d96e6b0356ce45c1bd5e35dcf5b7e9f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "SMTP on Port 26/TCP", + "sha256": "7e8d3c2560ac6a468f7701f9ee237e39bc51231edf8d5b94ab0055d60286730b", + "type": "query", + "version": 10 + } + }, + "rule_name": "SMTP on Port 26/TCP", + "sha256": "f795ea35f70c7ee41f46586159af9c713d96e6b0356ce45c1bd5e35dcf5b7e9f", + "type": "query", + "version": 100 }, "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "23d6f3d38e476c57d63ce8eec3ba6ce5ef7986d3db93dca2f21944b00209f9da", - "type": "query", - "version": 8 - } - }, - "rule_name": "AWS IAM Deactivation of MFA Device", - "sha256": "753005c4405fcb6da3a3a59832d25d2fd9fa5b4b5518af0cf58cdfc67756adbf", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS IAM Deactivation of MFA Device", + "sha256": "23d6f3d38e476c57d63ce8eec3ba6ce5ef7986d3db93dca2f21944b00209f9da", + "type": "query", + "version": 8 + } + }, + "rule_name": "AWS IAM Deactivation of MFA Device", + "sha256": 
"753005c4405fcb6da3a3a59832d25d2fd9fa5b4b5518af0cf58cdfc67756adbf", + "type": "query", + "version": 100 }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "5598f885f41354f84ab95aeca4b2046243900f013a7edb6a0b1bebe13f3966ad", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Volume Shadow Copy Deletion via PowerShell", - "sha256": "589e122c626ad5497068f4f69cc7ef691042971e5ac9c4a8d1a1268a5af9888e", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Volume Shadow Copy Deletion via PowerShell", + "sha256": "5598f885f41354f84ab95aeca4b2046243900f013a7edb6a0b1bebe13f3966ad", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Volume Shadow Copy Deletion via PowerShell", + "sha256": "589e122c626ad5497068f4f69cc7ef691042971e5ac9c4a8d1a1268a5af9888e", + "type": "eql", + "version": 100 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { - "rule_name": "Linux Restricted Shell Breakout via the gcc command", - "sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via the gcc command", + "sha256": "0dcf883b0cf19432784e5b592f0e8a9b03bef386eb8d86065ca7d27c3b395443", + "type": "eql", + "version": 100 }, "dafa3235-76dc-40e2-9f71-1773b96d24cf": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Multi-Factor Authentication Disabled for an Azure User", - "sha256": "3ca4a61f3f93dba1eb22f2c680262ddc66a954a10446af5a66a3d5d179c18981", - "type": "query", - "version": 8 - } - }, - "rule_name": "Multi-Factor Authentication Disabled for an Azure User", - "sha256": "fc8ed24bb22f92a18306bd5f3b1453f0368cab9e7f0ff5e90f051fd2a5d57c04", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, 
+ "rule_name": "Multi-Factor Authentication Disabled for an Azure User", + "sha256": "3ca4a61f3f93dba1eb22f2c680262ddc66a954a10446af5a66a3d5d179c18981", + "type": "query", + "version": 8 + } + }, + "rule_name": "Multi-Factor Authentication Disabled for an Azure User", + "sha256": "fc8ed24bb22f92a18306bd5f3b1453f0368cab9e7f0ff5e90f051fd2a5d57c04", + "type": "query", + "version": 100 }, "db8c33a8-03cd-4988-9e2c-d0a4863adb13": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Credential Dumping - Prevented - Elastic Endgame", - "sha256": "3d1e91e1892322a81b322cb102e46b9cc9913bb297aa2e3495db029019a488d9", - "type": "query", - "version": 10 - } - }, - "rule_name": "Credential Dumping - Prevented - Elastic Endgame", - "sha256": "b0491008a10432af0609a3d3046c5ba9697fe4ee6fe28c05d20735f663452a74", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Credential Dumping - Prevented - Elastic Endgame", + "sha256": "3d1e91e1892322a81b322cb102e46b9cc9913bb297aa2e3495db029019a488d9", + "type": "query", + "version": 10 + } + }, + "rule_name": "Credential Dumping - Prevented - Elastic Endgame", + "sha256": "b0491008a10432af0609a3d3046c5ba9697fe4ee6fe28c05d20735f663452a74", + "type": "query", + "version": 100 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { - "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", - "sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095", - "type": "threat_match", - "version": 100 + "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", + "sha256": "a6db1fdda6906b8d352b2d9c369c0b2e4271c911d0919320c8dd20f053d0e095", + "type": "threat_match", + "version": 100 }, "dc9c1f74-dac3-48e3-b47f-eb79db358f57": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "520e6a810db9da762309f7f86fab50fbdab92279864f4374f2eb5bad2e042e59", - 
"type": "eql", - "version": 15 - } - }, - "rule_name": "Volume Shadow Copy Deletion via WMIC", - "sha256": "9adb7cd1d7292a45f031dd2beda9b2cce1607bef38696f31ddd2eea4bf12ac34", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Volume Shadow Copy Deletion via WMIC", + "sha256": "520e6a810db9da762309f7f86fab50fbdab92279864f4374f2eb5bad2e042e59", + "type": "eql", + "version": 15 + } + }, + "rule_name": "Volume Shadow Copy Deletion via WMIC", + "sha256": "9adb7cd1d7292a45f031dd2beda9b2cce1607bef38696f31ddd2eea4bf12ac34", + "type": "eql", + "version": 100 }, "dca28dee-c999-400f-b640-50a081cc0fd1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Country For an AWS Command", - "sha256": "ae4289833d6b2477d4d3b35e5be4baa736658ec619798c552e85a718212e8dcd", - "type": "machine_learning", - "version": 12 - } - }, - "rule_name": "Unusual Country For an AWS Command", - "sha256": "80f07708470935bc9868b5c62df80b69626b2cbfb5a79e41546a6326905e1722", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Country For an AWS Command", + "sha256": "ae4289833d6b2477d4d3b35e5be4baa736658ec619798c552e85a718212e8dcd", + "type": "machine_learning", + "version": 12 + } + }, + "rule_name": "Unusual Country For an AWS Command", + "sha256": "80f07708470935bc9868b5c62df80b69626b2cbfb5a79e41546a6326905e1722", + "type": "machine_learning", + "version": 100 }, "ddab1f5f-7089-44f5-9fda-de5b11322e77": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "NullSessionPipe Registry Modification", - "sha256": "efa60094cebe3428f728d0c83e1c5a563182fe632fc708289651cae652351029", - "type": "eql", - "version": 4 - } - }, - "rule_name": "NullSessionPipe Registry Modification", - "sha256": "3c571a1dd8be7ebd5a8a34f2c143d1ec0405ca997f9b91ddfda5df8707b3d122", - "type": 
"eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "NullSessionPipe Registry Modification", + "sha256": "efa60094cebe3428f728d0c83e1c5a563182fe632fc708289651cae652351029", + "type": "eql", + "version": 4 + } + }, + "rule_name": "NullSessionPipe Registry Modification", + "sha256": "3c571a1dd8be7ebd5a8a34f2c143d1ec0405ca997f9b91ddfda5df8707b3d122", + "type": "eql", + "version": 100 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "1402cb6fa10885f90b83f2612e179207ca87149a8fa931334c0b2c2854247ba6", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Unusual Child Process from a System Virtual Process", - "sha256": "f32e6b1973127776314666998a5a0cf538c4c0fd2af4401388c467f0259e2380", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Child Process from a System Virtual Process", + "sha256": "1402cb6fa10885f90b83f2612e179207ca87149a8fa931334c0b2c2854247ba6", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Unusual Child Process from a System Virtual Process", + "sha256": "f32e6b1973127776314666998a5a0cf538c4c0fd2af4401388c467f0259e2380", + "type": "eql", + "version": 100 }, "debff20a-46bc-4a4d-bae5-5cdd14222795": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "2dfa50e7bce0eb5396a016deae281f948ed101975bee4806e8d388199a8b4012", - "type": "query", - "version": 9 - } - }, - "rule_name": "Base16 or Base32 Encoding/Decoding Activity", - "sha256": "703cac8fdd4f1098c5947cd5c2edb3baae065d09e094928ded1d4404af74af7b", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Base16 or Base32 
Encoding/Decoding Activity", + "sha256": "2dfa50e7bce0eb5396a016deae281f948ed101975bee4806e8d388199a8b4012", + "type": "query", + "version": 9 + } + }, + "rule_name": "Base16 or Base32 Encoding/Decoding Activity", + "sha256": "703cac8fdd4f1098c5947cd5c2edb3baae065d09e094928ded1d4404af74af7b", + "type": "query", + "version": 100 }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "40ac13cc950b6d31bbf8793ae0941af4edbaf36dc40070df6f4173775298c968", - "type": "machine_learning", - "version": 3 - } - }, - "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "634c76aca1df7fc5b64e42733e6536ac48114a9aedd05e57024538ba6798e092", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Windows User Calling the Metadata Service", + "sha256": "40ac13cc950b6d31bbf8793ae0941af4edbaf36dc40070df6f4173775298c968", + "type": "machine_learning", + "version": 3 + } + }, + "rule_name": "Unusual Windows User Calling the Metadata Service", + "sha256": "634c76aca1df7fc5b64e42733e6536ac48114a9aedd05e57024538ba6798e092", + "type": "machine_learning", + "version": 100 }, "df26fd74-1baa-4479-b42e-48da84642330": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Automation Account Created", - "sha256": "c55195c2b2ed4f0018d4b847a215c4d7be7df1e3a4b7d1b250c4ea8975172370", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Automation Account Created", - "sha256": "b6e3b2811b688e3537fac8a996aee5ea20ea6ac92c3d0c09282606659b5d43d6", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Automation Account Created", + "sha256": "c55195c2b2ed4f0018d4b847a215c4d7be7df1e3a4b7d1b250c4ea8975172370", + "type": "query", 
+ "version": 8 + } + }, + "rule_name": "Azure Automation Account Created", + "sha256": "b6e3b2811b688e3537fac8a996aee5ea20ea6ac92c3d0c09282606659b5d43d6", + "type": "query", + "version": 100 }, "df6f62d9-caab-4b88-affa-044f4395a1e0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Dynamic Linker Copy", - "sha256": "da1ef679ca66c6b0366910d70af13bec01a81e77bacce23a37c4c8f52039680a", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Dynamic Linker Copy", - "sha256": "a0d28e150163fd23347953ec761c56d773e6f4a276ddcf7ac23ff1d9e11f514d", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Dynamic Linker Copy", + "sha256": "da1ef679ca66c6b0366910d70af13bec01a81e77bacce23a37c4c8f52039680a", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Dynamic Linker Copy", + "sha256": "a0d28e150163fd23347953ec761c56d773e6f4a276ddcf7ac23ff1d9e11f514d", + "type": "eql", + "version": 100 }, "df7fda76-c92b-4943-bc68-04460a5ea5ba": { - "min_stack_version": "8.3", - "previous": { - "8.2": { - "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "5f82d1552eab33089166bf4b52136d5755de62953bde404fa8922d5d4b39ac0d", - "type": "query", - "version": 3 - } - }, - "rule_name": "Kubernetes Pod Created With HostPID", - "sha256": "1812535ee0bdc44f1edbc5e9801928f2712abc4984e8a97fc4f641b2b6c2ea7a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "8.2": { + "max_allowable_version": 99, + "rule_name": "Kubernetes Pod Created With HostPID", + "sha256": "5f82d1552eab33089166bf4b52136d5755de62953bde404fa8922d5d4b39ac0d", + "type": "query", + "version": 3 + } + }, + "rule_name": "Kubernetes Pod Created With HostPID", + "sha256": "1812535ee0bdc44f1edbc5e9801928f2712abc4984e8a97fc4f641b2b6c2ea7a", + "type": "query", + "version": 100 }, "df959768-b0c9-4d45-988c-5606a2be8e5a": { - "rule_name": "Unusual Process Execution - Temp", - "sha256": 
"95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d", - "type": "query", - "version": 100 + "rule_name": "Unusual Process Execution - Temp", + "sha256": "95a4dd4b036baa17e7ddbfc9e142208cc5b2b5f28ef3a929836c1a6833d3552d", + "type": "query", + "version": 100 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Firewall Policy Deletion", - "sha256": "6f056b63bd37ce31e2fb8ff941b298f142fc93f6a9abb579ff043daf0b514d6a", - "type": "query", - "version": 9 - } - }, - "rule_name": "Azure Firewall Policy Deletion", - "sha256": "cec609b5bd2ed5b821240b2725a14f9f43703ed66c1eb444a3a3eeb917f845bd", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Firewall Policy Deletion", + "sha256": "6f056b63bd37ce31e2fb8ff941b298f142fc93f6a9abb579ff043daf0b514d6a", + "type": "query", + "version": 9 + } + }, + "rule_name": "Azure Firewall Policy Deletion", + "sha256": "cec609b5bd2ed5b821240b2725a14f9f43703ed66c1eb444a3a3eeb917f845bd", + "type": "query", + "version": 100 }, "e052c845-48d0-4f46-8a13-7d0aba05df82": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "3d369cbdba03a5b562dc577c209d5c92d7e9c9eb91c01e06e9469552df357ba6", - "type": "query", - "version": 5 - } - }, - "rule_name": "KRBTGT Delegation Backdoor", - "sha256": "8c69d278b16327517865f29ffcae09bde12f424357d992fd78ed167c305008a5", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "KRBTGT Delegation Backdoor", + "sha256": "3d369cbdba03a5b562dc577c209d5c92d7e9c9eb91c01e06e9469552df357ba6", + "type": "query", + "version": 5 + } + }, + "rule_name": "KRBTGT Delegation Backdoor", + "sha256": "8c69d278b16327517865f29ffcae09bde12f424357d992fd78ed167c305008a5", + "type": "query", + "version": 100 }, 
"e08ccd49-0380-4b2b-8d71-8000377d6e49": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "97577c6feb55a61357f1c8565ad69c823d142cbb5835b15aa759ff00d37641f0", - "type": "threshold", - "version": 8 - } - }, - "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "292a18aa33370f4a3def19295acca57a4ca7740abbadcf44671a34b77f78c7ab", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempts to Brute Force an Okta User Account", + "sha256": "97577c6feb55a61357f1c8565ad69c823d142cbb5835b15aa759ff00d37641f0", + "type": "threshold", + "version": 8 + } + }, + "rule_name": "Attempts to Brute Force an Okta User Account", + "sha256": "292a18aa33370f4a3def19295acca57a4ca7740abbadcf44671a34b77f78c7ab", + "type": "threshold", + "version": 100 }, "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { - "min_stack_version": "7.16", - "previous": { - "7.16": { - "rule_name": "Whitespace Padding in Process Command Line", - "sha256": "de0b525b55b31026d29a5a835b5e420d95ceaa8d6c6f7e377c3b2cdae2064fdf", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Whitespace Padding in Process Command Line", - "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", - "type": "eql", - "version": 100 + "min_stack_version": "7.16", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Whitespace Padding in Process Command Line", + "sha256": "de0b525b55b31026d29a5a835b5e420d95ceaa8d6c6f7e377c3b2cdae2064fdf", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Whitespace Padding in Process Command Line", + "sha256": "2aa8bb1cd50151cb0c68f9f9aaca7894681a205d965326b65eb8c1163e176257", + "type": "eql", + "version": 100 }, "e0f36de1-0342-453d-95a9-a068b257b053": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Event Hub Deletion", - 
"sha256": "22579997b9c568c17e2594954120cb37beba84d4adf9aa90e33f866fcd40502c", - "type": "query", - "version": 9 - } - }, - "rule_name": "Azure Event Hub Deletion", - "sha256": "fcaa244c4b85d912fc2186203edf3c756e86fe0f326986965d47b64b049e9a53", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Event Hub Deletion", + "sha256": "22579997b9c568c17e2594954120cb37beba84d4adf9aa90e33f866fcd40502c", + "type": "query", + "version": 9 + } + }, + "rule_name": "Azure Event Hub Deletion", + "sha256": "fcaa244c4b85d912fc2186203edf3c756e86fe0f326986965d47b64b049e9a53", + "type": "query", + "version": 100 }, "e12c0318-99b1-44f2-830c-3a38a43207ca": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Route Table Created", - "sha256": "33c77b87c951490c44ac8b2643a1161ec8a8b1ef0850c08a6d2ebdd0e7d64014", - "type": "query", - "version": 6 - } - }, - "rule_name": "AWS Route Table Created", - "sha256": "91f22a4cab37c8825bcd6d20d125eb71c27ea27151cbc76e1b597d889a832b7d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Route Table Created", + "sha256": "33c77b87c951490c44ac8b2643a1161ec8a8b1ef0850c08a6d2ebdd0e7d64014", + "type": "query", + "version": 6 + } + }, + "rule_name": "AWS Route Table Created", + "sha256": "91f22a4cab37c8825bcd6d20d125eb71c27ea27151cbc76e1b597d889a832b7d", + "type": "query", + "version": 100 }, "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS RDS Cluster Creation", - "sha256": "441fc16b46dd672112bbe72c32cc9f23a481e2e18b210364ca9b7052e18a9818", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS RDS Cluster Creation", - "sha256": "9d940646c93297f6f313fd20534a4ae320b2a9ff5921954ff8c1f05ef597333c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + 
"previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS RDS Cluster Creation", + "sha256": "441fc16b46dd672112bbe72c32cc9f23a481e2e18b210364ca9b7052e18a9818", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS RDS Cluster Creation", + "sha256": "9d940646c93297f6f313fd20534a4ae320b2a9ff5921954ff8c1f05ef597333c", + "type": "query", + "version": 100 }, "e19e64ee-130e-4c07-961f-8a339f0b8362": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Connection to External Network via Telnet", - "sha256": "a45edaf4d918bf73f99e232fcd351f941cfa4f924fd8e1178dc914370f3c706a", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Connection to External Network via Telnet", - "sha256": "472df9dc371166d7dad6b226846b2c2335d95a925c8a949249a6dba01f850618", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Connection to External Network via Telnet", + "sha256": "a45edaf4d918bf73f99e232fcd351f941cfa4f924fd8e1178dc914370f3c706a", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Connection to External Network via Telnet", + "sha256": "472df9dc371166d7dad6b226846b2c2335d95a925c8a949249a6dba01f850618", + "type": "eql", + "version": 100 }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Spike in Logon Events from a Source IP", - "sha256": "a5988a3dfc897aa2a50b11f7ed790699fb3b5c8450c61d82e331ff65dc180d6f", - "type": "machine_learning", - "version": 3 - } - }, - "rule_name": "Spike in Logon Events from a Source IP", - "sha256": "a5988a3dfc897aa2a50b11f7ed790699fb3b5c8450c61d82e331ff65dc180d6f", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Spike in Logon Events from a Source IP", + "sha256": "a5988a3dfc897aa2a50b11f7ed790699fb3b5c8450c61d82e331ff65dc180d6f", + "type": 
"machine_learning", + "version": 3 + } + }, + "rule_name": "Spike in Logon Events from a Source IP", + "sha256": "a5988a3dfc897aa2a50b11f7ed790699fb3b5c8450c61d82e331ff65dc180d6f", + "type": "machine_learning", + "version": 100 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "f24d9851bece6511354bb48a20a6a46b1c7f8432fc427ac95d278ad0a5d2d7df", - "type": "query", - "version": 6 - } - }, - "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "83939370b4568763eb651229e8801014e6e48c318980ac868ba33aad9dfdf306", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious .NET Reflection via PowerShell", + "sha256": "f24d9851bece6511354bb48a20a6a46b1c7f8432fc427ac95d278ad0a5d2d7df", + "type": "query", + "version": 6 + } + }, + "rule_name": "Suspicious .NET Reflection via PowerShell", + "sha256": "83939370b4568763eb651229e8801014e6e48c318980ac868ba33aad9dfdf306", + "type": "query", + "version": 100 }, "e2a67480-3b79-403d-96e3-fdd2992c50ef": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Management Console Root Login", - "sha256": "1984c64d7c425aa3e3dfa6e37906c5c0da217a8d298ecc5438605b05a294e597", - "type": "query", - "version": 8 - } - }, - "rule_name": "AWS Management Console Root Login", - "sha256": "42d6d91e094e7f0bad724c4d71bef83efcabc880327a5d87d5e96979bc91dcc9", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Management Console Root Login", + "sha256": "1984c64d7c425aa3e3dfa6e37906c5c0da217a8d298ecc5438605b05a294e597", + "type": "query", + "version": 8 + } + }, + "rule_name": "AWS Management Console Root Login", + "sha256": "42d6d91e094e7f0bad724c4d71bef83efcabc880327a5d87d5e96979bc91dcc9", + "type": "query", 
+ "version": 100 }, "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "a569325f4987343db397f8e9bc7bd812bec981788b66c578abc8a07d6f1e96eb", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", - "sha256": "cf6a6f0eadf2cdccaca88796048d328c3ddbde3453bc36f69a564675fda98019", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", + "sha256": "a569325f4987343db397f8e9bc7bd812bec981788b66c578abc8a07d6f1e96eb", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Suspicious Process Execution via Renamed PsExec Executable", + "sha256": "cf6a6f0eadf2cdccaca88796048d328c3ddbde3453bc36f69a564675fda98019", + "type": "eql", + "version": 100 }, "e2fb5b18-e33c-4270-851e-c3d675c9afcd": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP IAM Role Deletion", - "sha256": "1ee46ee5f8a64de558dc4c27460715faae0e711c7d1a7af0c771060037471729", - "type": "query", - "version": 9 - } - }, - "rule_name": "GCP IAM Role Deletion", - "sha256": "596582abda1952e5ff855671798f64d01d0fe5088e7bf77e43841f20bf51117c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP IAM Role Deletion", + "sha256": "1ee46ee5f8a64de558dc4c27460715faae0e711c7d1a7af0c771060037471729", + "type": "query", + "version": 9 + } + }, + "rule_name": "GCP IAM Role Deletion", + "sha256": "596582abda1952e5ff855671798f64d01d0fe5088e7bf77e43841f20bf51117c", + "type": "query", + "version": 100 }, "e3343ab9-4245-4715-b344-e11c56b0a47f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Process Activity via Compiled HTML File", - "sha256": 
"1fca27785372d869e73f5920c8e1f5a2cfe9d1d2623946389e0f92f0668c0cd3", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Process Activity via Compiled HTML File", - "sha256": "b2464865a55c2b0b4cc06c1d870dfac128c7778611e9412fed01ada2d71fa972", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Process Activity via Compiled HTML File", + "sha256": "1fca27785372d869e73f5920c8e1f5a2cfe9d1d2623946389e0f92f0668c0cd3", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Process Activity via Compiled HTML File", + "sha256": "b2464865a55c2b0b4cc06c1d870dfac128c7778611e9412fed01ada2d71fa972", + "type": "eql", + "version": 100 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "7e0ce795dbe9c0506d547705f5519c33f1ca279066cbd0056f58ac48444f8314", - "type": "query", - "version": 4 - } - }, - "rule_name": "AWS Route53 private hosted zone associated with a VPC", - "sha256": "1987a386d6d4a8d7181dddd2f93a6ae937be94af71202370a5b903ea82e740ce", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Route53 private hosted zone associated with a VPC", + "sha256": "7e0ce795dbe9c0506d547705f5519c33f1ca279066cbd0056f58ac48444f8314", + "type": "query", + "version": 4 + } + }, + "rule_name": "AWS Route53 private hosted zone associated with a VPC", + "sha256": "1987a386d6d4a8d7181dddd2f93a6ae937be94af71202370a5b903ea82e740ce", + "type": "query", + "version": 100 }, "e3c5d5cb-41d5-4206-805c-f30561eae3ac": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Ransomware - Prevented - Elastic Endgame", - "sha256": "2597f5c35305aefc8016770975bbc727d72230fbabd8c9418d4147741104be0f", - "type": "query", - "version": 10 - } - }, - "rule_name": "Ransomware - 
Prevented - Elastic Endgame", - "sha256": "b47502c00c1c5a89a76099135cda46927a2bac199a32fa69c796440b73fd9db8", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Ransomware - Prevented - Elastic Endgame", + "sha256": "2597f5c35305aefc8016770975bbc727d72230fbabd8c9418d4147741104be0f", + "type": "query", + "version": 10 + } + }, + "rule_name": "Ransomware - Prevented - Elastic Endgame", + "sha256": "b47502c00c1c5a89a76099135cda46927a2bac199a32fa69c796440b73fd9db8", + "type": "query", + "version": 100 }, "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "08f9a6a7d9bdfcd6fccb7ea6baf0c48608a745befdf9be3782562c549736346b", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", - "sha256": "025fac3c239ae8bdb22816f8add55a9f1f8683d33e9131a4a3a31b9b8034ab57", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", + "sha256": "08f9a6a7d9bdfcd6fccb7ea6baf0c48608a745befdf9be3782562c549736346b", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers", + "sha256": "025fac3c239ae8bdb22816f8add55a9f1f8683d33e9131a4a3a31b9b8034ab57", + "type": "eql", + "version": 100 }, "e3e904b3-0a8e-4e68-86a8-977a163e21d3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": "773655f13eb054137041e1317a67b1537cc6c6eebf234827f44638005203b357", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", - "sha256": 
"ac43607e86f104e0f628e10cf3fed3e5e19bd1eaeb254e4a0bbb5622f0901fff", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", + "sha256": "773655f13eb054137041e1317a67b1537cc6c6eebf234827f44638005203b357", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Persistence via KDE AutoStart Script or Desktop File Modification", + "sha256": "ac43607e86f104e0f628e10cf3fed3e5e19bd1eaeb254e4a0bbb5622f0901fff", + "type": "eql", + "version": 100 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "6ea5f27f5addad69fded0976880577eb922b37615f7e5136583d5c41954cf838", - "type": "query", - "version": 9 - } - }, - "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "d8c50abeef3ea56327bef49926aade2c4cb9c4aac52de171ae494e75edd63816", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Modify an Okta Network Zone", + "sha256": "6ea5f27f5addad69fded0976880577eb922b37615f7e5136583d5c41954cf838", + "type": "query", + "version": 9 + } + }, + "rule_name": "Attempt to Modify an Okta Network Zone", + "sha256": "d8c50abeef3ea56327bef49926aade2c4cb9c4aac52de171ae494e75edd63816", + "type": "query", + "version": 100 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "bcdd122e8566edca2f53e8e240809c4b74fe7a8351cf91d27f712b45b2848ade", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Service Creation via Local Kerberos Authentication", - "sha256": "9cc4b2d0d69c50b16c191500392d6623afffd2b4a329bb2e9536341de907e1b5", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + 
"previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Service Creation via Local Kerberos Authentication", + "sha256": "bcdd122e8566edca2f53e8e240809c4b74fe7a8351cf91d27f712b45b2848ade", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Service Creation via Local Kerberos Authentication", + "sha256": "9cc4b2d0d69c50b16c191500392d6623afffd2b4a329bb2e9536341de907e1b5", + "type": "eql", + "version": 100 }, "e514d8cd-ed15-4011-84e2-d15147e059f1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "594ec61d54894f173198a316ad2e8f5e7d004348466a0e738d8dc0a23b7c2a42", - "type": "query", - "version": 6 - } - }, - "rule_name": "Kerberos Pre-authentication Disabled for User", - "sha256": "d7e564ab0ed7612650185717def8f732fc9eaba9ad93059452d09ba72cd7ae6a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Kerberos Pre-authentication Disabled for User", + "sha256": "594ec61d54894f173198a316ad2e8f5e7d004348466a0e738d8dc0a23b7c2a42", + "type": "query", + "version": 6 + } + }, + "rule_name": "Kerberos Pre-authentication Disabled for User", + "sha256": "d7e564ab0ed7612650185717def8f732fc9eaba9ad93059452d09ba72cd7ae6a", + "type": "query", + "version": 100 }, "e555105c-ba6d-481f-82bb-9b633e7b4827": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "c2ac77cd236c9997bebad7dbd68fbca34417ff4c999a05fa26114d41393ec636", - "type": "query", - "version": 13 - }, - "8.0": { - "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "da0c5e7ff098e790a9bbfe529a062110d2e03eeaf932eb822601bed55710c833", - "type": "query", - "version": 16 - } - }, - "rule_name": "MFA Disabled for Google Workspace Organization", - "sha256": "bce03d2540705763734e0aa3aa9e1d29b2311abdce4691366dd58b6d44721a11", - "type": 
"query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 15, + "rule_name": "MFA Disabled for Google Workspace Organization", + "sha256": "c2ac77cd236c9997bebad7dbd68fbca34417ff4c999a05fa26114d41393ec636", + "type": "query", + "version": 13 + }, + "8.0": { + "max_allowable_version": 99, + "rule_name": "MFA Disabled for Google Workspace Organization", + "sha256": "da0c5e7ff098e790a9bbfe529a062110d2e03eeaf932eb822601bed55710c833", + "type": "query", + "version": 16 + } + }, + "rule_name": "MFA Disabled for Google Workspace Organization", + "sha256": "bce03d2540705763734e0aa3aa9e1d29b2311abdce4691366dd58b6d44721a11", + "type": "query", + "version": 100 }, "e56993d2-759c-4120-984c-9ec9bb940fd5": { - "rule_name": "RDP (Remote Desktop Protocol) to the Internet", - "sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed", - "type": "query", - "version": 100 + "rule_name": "RDP (Remote Desktop Protocol) to the Internet", + "sha256": "e2f1607e4ec15d9f1e4cdfb3c307852c151afef4fa9f42ee068ccd4b335543ed", + "type": "query", + "version": 100 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Bash Shell Profile Modification", - "sha256": "870461090ff0ee534196576c1434c8bab00da1ea368665bc7fbea973a390e24e", - "type": "query", - "version": 4 - } - }, - "rule_name": "Bash Shell Profile Modification", - "sha256": "d5574cea1dee742493442d485015a56dd84807693c0dea38b92f3f8c87bf8f88", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Bash Shell Profile Modification", + "sha256": "870461090ff0ee534196576c1434c8bab00da1ea368665bc7fbea973a390e24e", + "type": "query", + "version": 4 + } + }, + "rule_name": "Bash Shell Profile Modification", + "sha256": "d5574cea1dee742493442d485015a56dd84807693c0dea38b92f3f8c87bf8f88", + "type": "query", + "version": 100 }, 
"e6c98d38-633d-4b3e-9387-42112cd5ac10": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Authorization Plugin Modification", - "sha256": "54671c684270f841e5c8afcb9c0551b1860dffd29d8a2589f1b6d84ca2193107", - "type": "query", - "version": 4 - } - }, - "rule_name": "Authorization Plugin Modification", - "sha256": "4e4b8ddbe7bcf880aaf748f5fa3d76a42469876a0e592d8ccd48d80169ed0771", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Authorization Plugin Modification", + "sha256": "54671c684270f841e5c8afcb9c0551b1860dffd29d8a2589f1b6d84ca2193107", + "type": "query", + "version": 4 + } + }, + "rule_name": "Authorization Plugin Modification", + "sha256": "4e4b8ddbe7bcf880aaf748f5fa3d76a42469876a0e592d8ccd48d80169ed0771", + "type": "query", + "version": 100 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Possible Okta DoS Attack", - "sha256": "d5ee7bc5de9e1f4610bc34e85624902d13fb82124efc99058407b42bfada5a55", - "type": "query", - "version": 9 - } - }, - "rule_name": "Possible Okta DoS Attack", - "sha256": "53c7b993a4b9e4da58773e04d3a9cbb6f33e3b2975c5a88f14c63cc0ea6d1954", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Possible Okta DoS Attack", + "sha256": "d5ee7bc5de9e1f4610bc34e85624902d13fb82124efc99058407b42bfada5a55", + "type": "query", + "version": 9 + } + }, + "rule_name": "Possible Okta DoS Attack", + "sha256": "53c7b993a4b9e4da58773e04d3a9cbb6f33e3b2975c5a88f14c63cc0ea6d1954", + "type": "query", + "version": 100 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "e3a968c044da68d2f23aa6a66a47a0f3d61a734268792b0a360ce167fab200b0", - "type": "eql", - 
"version": 5 - } - }, - "rule_name": "Screensaver Plist File Modified by Unexpected Process", - "sha256": "e729c078dcf4e96d606f88ca1e5c5af1a449659cc6c1122c95169a249e03f74c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Screensaver Plist File Modified by Unexpected Process", + "sha256": "e3a968c044da68d2f23aa6a66a47a0f3d61a734268792b0a360ce167fab200b0", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Screensaver Plist File Modified by Unexpected Process", + "sha256": "e729c078dcf4e96d606f88ca1e5c5af1a449659cc6c1122c95169a249e03f74c", + "type": "eql", + "version": 100 }, "e7075e8d-a966-458e-a183-85cd331af255": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "d06b33a543d522b2f430c7851d7bcfc6784092fac3d4efcc1bd100f0eebabee7", - "type": "query", - "version": 8 - } - }, - "rule_name": "Default Cobalt Strike Team Server Certificate", - "sha256": "def78e2a7f58ea9d6e4fe790d93765a71427715d5b30ac836d9328fc5afaaa2a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Default Cobalt Strike Team Server Certificate", + "sha256": "d06b33a543d522b2f430c7851d7bcfc6784092fac3d4efcc1bd100f0eebabee7", + "type": "query", + "version": 8 + } + }, + "rule_name": "Default Cobalt Strike Team Server Certificate", + "sha256": "def78e2a7f58ea9d6e4fe790d93765a71427715d5b30ac836d9328fc5afaaa2a", + "type": "query", + "version": 100 }, "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution of Persistent Suspicious Program", - "sha256": "a20d59b00c5cb946794ec2b30277dc754792a46bce3ee1cd6274d512ff418929", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Execution of Persistent Suspicious Program", - "sha256": 
"2fdf04b7009cd2472b90eae3023287e0ee8d2592461378505618292c3c102822", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution of Persistent Suspicious Program", + "sha256": "a20d59b00c5cb946794ec2b30277dc754792a46bce3ee1cd6274d512ff418929", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Execution of Persistent Suspicious Program", + "sha256": "2fdf04b7009cd2472b90eae3023287e0ee8d2592461378505618292c3c102822", + "type": "eql", + "version": 100 }, "e7cd5982-17c8-4959-874c-633acde7d426": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "bdb348ecf6ea584e98544fef4a59aec7bf3f2242b523b3b71daa6db84836674c", - "type": "query", - "version": 6 - } - }, - "rule_name": "AWS Route Table Modified or Deleted", - "sha256": "578a5b981a102054ded368e528ee57d95054d91b0072fbcc421641ff6240aa78", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Route Table Modified or Deleted", + "sha256": "bdb348ecf6ea584e98544fef4a59aec7bf3f2242b523b3b71daa6db84836674c", + "type": "query", + "version": 6 + } + }, + "rule_name": "AWS Route Table Modified or Deleted", + "sha256": "578a5b981a102054ded368e528ee57d95054d91b0072fbcc421641ff6240aa78", + "type": "query", + "version": 100 }, "e8571d5f-bea1-46c2-9f56-998de2d3ed95": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "bd499e25fb8cc24f16dfb5ec400da1a758a867f6a919caef4719aecd9ec47e70", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Service Control Spawned via Script Interpreter", - "sha256": "c2363d4297c17ada60264f950fd5ceeb2522d94d858b1147b05e3cb6e8afa666", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + 
"rule_name": "Service Control Spawned via Script Interpreter", + "sha256": "bd499e25fb8cc24f16dfb5ec400da1a758a867f6a919caef4719aecd9ec47e70", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Service Control Spawned via Script Interpreter", + "sha256": "c2363d4297c17ada60264f950fd5ceeb2522d94d858b1147b05e3cb6e8afa666", + "type": "eql", + "version": 100 }, "e86da94d-e54b-4fb5-b96c-cecff87e8787": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Installation of Security Support Provider", - "sha256": "1c94a28eb10cf8d623b9c7766c3e09c1277211577525c7aef2a0d95b82902eda", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Installation of Security Support Provider", - "sha256": "6930fda0828ead9f29766d8893239c3a557c78cd70ddbab9442598fff4688715", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Installation of Security Support Provider", + "sha256": "1c94a28eb10cf8d623b9c7766c3e09c1277211577525c7aef2a0d95b82902eda", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Installation of Security Support Provider", + "sha256": "6930fda0828ead9f29766d8893239c3a557c78cd70ddbab9442598fff4688715", + "type": "eql", + "version": 100 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "14c75064015b57cde04fdcd0f5358d7f17272c249bcd3874ce2ec296f9e2cefe", - "type": "threshold", - "version": 8 - } - }, - "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "fb61c309a0e0f56c96d87b5b2512051b11481a86ee0ea795f757829a50a88a9a", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", + "sha256": 
"14c75064015b57cde04fdcd0f5358d7f17272c249bcd3874ce2ec296f9e2cefe", + "type": "threshold", + "version": 8 + } + }, + "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", + "sha256": "fb61c309a0e0f56c96d87b5b2512051b11481a86ee0ea795f757829a50a88a9a", + "type": "threshold", + "version": 100 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS EC2 VM Export Failure", - "sha256": "d4182fc6f1adb47b30a48ca8dc5b8d7ccd69e295f56db8bd67beef482087b523", - "type": "query", - "version": 5 - } - }, - "rule_name": "AWS EC2 VM Export Failure", - "sha256": "2c4145f775a63a163c0ab4ba0f428cb98d0671fb1dde6829f9c2b507f433a96a", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS EC2 VM Export Failure", + "sha256": "d4182fc6f1adb47b30a48ca8dc5b8d7ccd69e295f56db8bd67beef482087b523", + "type": "query", + "version": 5 + } + }, + "rule_name": "AWS EC2 VM Export Failure", + "sha256": "2c4145f775a63a163c0ab4ba0f428cb98d0671fb1dde6829f9c2b507f433a96a", + "type": "query", + "version": 100 }, "e94262f2-c1e9-4d3f-a907-aeab16712e1a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "b08da1641037f279ce706e380fa8da2c89eb8fabce5c70bf3bbd42df74e4de43", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Unusual Executable File Creation by a System Critical Process", - "sha256": "1525ec0087caa20e049ab4ebd2fdf4d75cb1fd1370bff99ce6dc73770aed7a1b", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Executable File Creation by a System Critical Process", + "sha256": "b08da1641037f279ce706e380fa8da2c89eb8fabce5c70bf3bbd42df74e4de43", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Unusual Executable File Creation by a 
System Critical Process", + "sha256": "1525ec0087caa20e049ab4ebd2fdf4d75cb1fd1370bff99ce6dc73770aed7a1b", + "type": "eql", + "version": 100 }, "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential LSA Authentication Package Abuse", - "sha256": "8d77171cf0f3a00f7c7f86fa5a55cf2a6f92fb20fe2ac7515ec1c11255a015f9", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Potential LSA Authentication Package Abuse", - "sha256": "f8ede6bdaae2f159c71ac86b1366f22fab966c71ac620a890fc4c89930bc6cac", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential LSA Authentication Package Abuse", + "sha256": "8d77171cf0f3a00f7c7f86fa5a55cf2a6f92fb20fe2ac7515ec1c11255a015f9", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Potential LSA Authentication Package Abuse", + "sha256": "f8ede6bdaae2f159c71ac86b1366f22fab966c71ac620a890fc4c89930bc6cac", + "type": "eql", + "version": 100 }, "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { - "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", - "sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", + "sha256": "f5726e1a8ce8508e84699dd4648108f26b624ea175aeb4a0cdace248925f0d8a", + "type": "eql", + "version": 100 }, "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Automation Webhook Created", - "sha256": "40217a45f13f6e49a38e1428b1312af7a7d280737f29ed454c5516b82556c42a", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Automation Webhook Created", - "sha256": "e5b59d184ef3e24f596458f15e28ad91ef1dbafd5dd5dd70da6cda067330f236", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 
99, + "rule_name": "Azure Automation Webhook Created", + "sha256": "40217a45f13f6e49a38e1428b1312af7a7d280737f29ed454c5516b82556c42a", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Automation Webhook Created", + "sha256": "e5b59d184ef3e24f596458f15e28ad91ef1dbafd5dd5dd70da6cda067330f236", + "type": "query", + "version": 100 }, "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { - "rule_name": "SSH (Secure Shell) from the Internet", - "sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa", - "type": "query", - "version": 100 + "rule_name": "SSH (Secure Shell) from the Internet", + "sha256": "a5b483bc27ea95cd71683dd2f631a41276da2ab442b4d14e2e843c1df6519efa", + "type": "query", + "version": 100 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "044053705f8910f195400bf16dad023b28b4a9d17160ede41a24bc6c7081f12b", - "type": "threshold", - "version": 8 - } - }, - "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "e782f3b4525be7c780fb64337f04a76fea5509fd810c0f6370639c3008d66591", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS IAM Brute Force of Assume Role Policy", + "sha256": "044053705f8910f195400bf16dad023b28b4a9d17160ede41a24bc6c7081f12b", + "type": "threshold", + "version": 8 + } + }, + "rule_name": "AWS IAM Brute Force of Assume Role Policy", + "sha256": "e782f3b4525be7c780fb64337f04a76fea5509fd810c0f6370639c3008d66591", + "type": "threshold", + "version": 100 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Spike in Firewall Denies", - "sha256": "f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Spike in Firewall Denies", - "sha256": 
"f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Spike in Firewall Denies", + "sha256": "f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Spike in Firewall Denies", + "sha256": "f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5", + "type": "machine_learning", + "version": 100 }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "External Alerts", - "sha256": "3c761c7b1a22a38d6334369cd822c00a6b2d954f9c650ffc564cf84ff8f8f403", - "type": "query", - "version": 6 - } - }, - "rule_name": "External Alerts", - "sha256": "a85b3601831d4047395d6f38ca712e50515a4e8aa1a91dd3c803b3857d9a38bc", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "External Alerts", + "sha256": "3c761c7b1a22a38d6334369cd822c00a6b2d954f9c650ffc564cf84ff8f8f403", + "type": "query", + "version": 6 + } + }, + "rule_name": "External Alerts", + "sha256": "a85b3601831d4047395d6f38ca712e50515a4e8aa1a91dd3c803b3857d9a38bc", + "type": "query", + "version": 100 }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "3bba2d24ab56fc6d4d2d951047e6f4b2269b43eb68527dd062f822632e86a338", - "type": "query", - "version": 6 - } - }, - "rule_name": "PowerShell Kerberos Ticket Request", - "sha256": "f2c04977975186299b4c20414c3fcc749937686fc65d5c023d2bac38d4d7f923", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "PowerShell Kerberos Ticket Request", + "sha256": 
"3bba2d24ab56fc6d4d2d951047e6f4b2269b43eb68527dd062f822632e86a338", + "type": "query", + "version": 6 + } + }, + "rule_name": "PowerShell Kerberos Ticket Request", + "sha256": "f2c04977975186299b4c20414c3fcc749937686fc65d5c023d2bac38d4d7f923", + "type": "query", + "version": 100 }, "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Network Connection Attempt by Root", - "sha256": "48ccffc9a81724c28be76eede89fe50482103e2a7b6e501241e92a6e06a9f3a8", - "type": "eql", - "version": 4 - } - }, - "rule_name": "Suspicious Network Connection Attempt by Root", - "sha256": "a1879a8462d39efac1be94aa98797de0fe3cfc6e3ba19256303e2f1950899cf2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Network Connection Attempt by Root", + "sha256": "48ccffc9a81724c28be76eede89fe50482103e2a7b6e501241e92a6e06a9f3a8", + "type": "eql", + "version": 4 + } + }, + "rule_name": "Suspicious Network Connection Attempt by Root", + "sha256": "a1879a8462d39efac1be94aa98797de0fe3cfc6e3ba19256303e2f1950899cf2", + "type": "eql", + "version": 100 }, "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Disabling of SELinux", - "sha256": "062c1916cf85ed48401162e51109dc371e142f7983c9f404ab00cbc1846a3a40", - "type": "query", - "version": 9 - } - }, - "rule_name": "Potential Disabling of SELinux", - "sha256": "d20cddc6cb9b6be1cd6a7423949f3879c7f7f43a3b4fc8387febbac8372dcba4", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Disabling of SELinux", + "sha256": "062c1916cf85ed48401162e51109dc371e142f7983c9f404ab00cbc1846a3a40", + "type": "query", + "version": 9 + } + }, + "rule_name": "Potential Disabling of SELinux", + "sha256": 
"d20cddc6cb9b6be1cd6a7423949f3879c7f7f43a3b4fc8387febbac8372dcba4", + "type": "query", + "version": 100 }, "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "34d22b9f451c2f7efc83c9d7cb724eaff3cdefef7d835846c87b624d83b08ff9", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "228f6f139ec1c9c8b08ad6ec16b70da46edc27cfe4f6e0cd704fb38e4c37b7b1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Mimikatz Memssp Log File Detected", + "sha256": "34d22b9f451c2f7efc83c9d7cb724eaff3cdefef7d835846c87b624d83b08ff9", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Mimikatz Memssp Log File Detected", + "sha256": "228f6f139ec1c9c8b08ad6ec16b70da46edc27cfe4f6e0cd704fb38e4c37b7b1", + "type": "eql", + "version": 100 }, "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "IIS HTTP Logging Disabled", - "sha256": "e9752afbf2c33f50ae435653a04acb7a4014f7ba2879c691383213ca884424be", - "type": "eql", - "version": 10 - } - }, - "rule_name": "IIS HTTP Logging Disabled", - "sha256": "7379a9e4b38b8ab051194763cfb39573689221db20c6e687894566e30663a7a1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "IIS HTTP Logging Disabled", + "sha256": "e9752afbf2c33f50ae435653a04acb7a4014f7ba2879c691383213ca884424be", + "type": "eql", + "version": 10 + } + }, + "rule_name": "IIS HTTP Logging Disabled", + "sha256": "7379a9e4b38b8ab051194763cfb39573689221db20c6e687894566e30663a7a1", + "type": "eql", + "version": 100 }, "ebfe1448-7fac-4d59-acea-181bd89b1f7f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Process Execution from an Unusual Directory", - "sha256": 
"28a26a8ea059812344fc5b88cadfd47c83328674062824657484db1da6ee98f3", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Process Execution from an Unusual Directory", - "sha256": "27ef752b89998ad4fbbcf57fcade195acad503f119848acd7db14bd548dedbd0", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Process Execution from an Unusual Directory", + "sha256": "28a26a8ea059812344fc5b88cadfd47c83328674062824657484db1da6ee98f3", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Process Execution from an Unusual Directory", + "sha256": "27ef752b89998ad4fbbcf57fcade195acad503f119848acd7db14bd548dedbd0", + "type": "eql", + "version": 100 }, "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "10ac2f7a79a955d91c4ae4232125eebb8d2678851db37d3f4e3a4d47c9b00d7b", - "type": "query", - "version": 7 - } - }, - "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", - "sha256": "84f6898ed88bde6a64ddb452f651145baeb6c7bada93820ecd01c8d1028f8bab", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", + "sha256": "10ac2f7a79a955d91c4ae4232125eebb8d2678851db37d3f4e3a4d47c9b00d7b", + "type": "query", + "version": 7 + } + }, + "rule_name": "Microsoft 365 Inbox Forwarding Rule Created", + "sha256": "84f6898ed88bde6a64ddb452f651145baeb6c7bada93820ecd01c8d1028f8bab", + "type": "query", + "version": 100 }, "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": "231216c92c8b517d75784dfb4cb92f4d664c8b90eebbda4dc0b446280f081522", - "type": "query", - "version": 8 - } - }, - "rule_name": "AWS RDS Instance/Cluster Stoppage", - "sha256": 
"16f3aa6331c7ab9a27ff61ac841ed9388c880da58d0a9f05015dda9354c2f6f5", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS RDS Instance/Cluster Stoppage", + "sha256": "231216c92c8b517d75784dfb4cb92f4d664c8b90eebbda4dc0b446280f081522", + "type": "query", + "version": 8 + } + }, + "rule_name": "AWS RDS Instance/Cluster Stoppage", + "sha256": "16f3aa6331c7ab9a27ff61ac841ed9388c880da58d0a9f05015dda9354c2f6f5", + "type": "query", + "version": 100 }, "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Global Administrator Role Addition to PIM User", - "sha256": "da79376cfd32568b8b899acbdd94fa61e8f4b4f5fe1e2b7fe363aae8f7680549", - "type": "query", - "version": 8 - } - }, - "rule_name": "Azure Global Administrator Role Addition to PIM User", - "sha256": "2bcddb0c020341ebfe3dcf8d5f57f929f17ae536598101452d7d9b1419e6176f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Global Administrator Role Addition to PIM User", + "sha256": "da79376cfd32568b8b899acbdd94fa61e8f4b4f5fe1e2b7fe363aae8f7680549", + "type": "query", + "version": 8 + } + }, + "rule_name": "Azure Global Administrator Role Addition to PIM User", + "sha256": "2bcddb0c020341ebfe3dcf8d5f57f929f17ae536598101452d7d9b1419e6176f", + "type": "query", + "version": 100 }, "eda499b8-a073-4e35-9733-22ec71f57f3a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AdFind Command Activity", - "sha256": "c4b497868eb20d062a8f046c7796d5b43fe75871b0c7f788c6592e876e673f28", - "type": "eql", - "version": 11 - } - }, - "rule_name": "AdFind Command Activity", - "sha256": "6066406fc5832c00400b2662b56f9e9cff4875ff349e6932dab06ac0d30c21e5", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 
99, + "rule_name": "AdFind Command Activity", + "sha256": "c4b497868eb20d062a8f046c7796d5b43fe75871b0c7f788c6592e876e673f28", + "type": "eql", + "version": 11 + } + }, + "rule_name": "AdFind Command Activity", + "sha256": "6066406fc5832c00400b2662b56f9e9cff4875ff349e6932dab06ac0d30c21e5", + "type": "eql", + "version": 100 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "239799d589689fbfd18345dad0c3f085138b963f4aba5028e65373cc8d36df4f", - "type": "query", - "version": 7 - } - }, - "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "1d7183696bff8175c0bf7984bac44c90267b9aaf49765a7b877b14bafd1d562f", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Deactivate an Okta Application", + "sha256": "239799d589689fbfd18345dad0c3f085138b963f4aba5028e65373cc8d36df4f", + "type": "query", + "version": 7 + } + }, + "rule_name": "Attempt to Deactivate an Okta Application", + "sha256": "1d7183696bff8175c0bf7984bac44c90267b9aaf49765a7b877b14bafd1d562f", + "type": "query", + "version": 100 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "ce1db93b10b8a940e45490c31cdb384062d41c0cb6395c3cc706e1de4c9cb46c", - "type": "eql", - "version": 7 - }, - "8.2": { - "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "15633a53798ae01e2fdfef1f1ea0a74d7916ced0a48d742d446644cbdb8c75e8", - "type": "eql", - "version": 10 - } - }, - "rule_name": "ImageLoad via Windows Update Auto Update Client", - "sha256": "d8a2c21710519775b99328290a6e140ea3e75c3e833cd07dd9ac0b07dc7d6b31", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 9, + 
"rule_name": "ImageLoad via Windows Update Auto Update Client", + "sha256": "ce1db93b10b8a940e45490c31cdb384062d41c0cb6395c3cc706e1de4c9cb46c", + "type": "eql", + "version": 7 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "ImageLoad via Windows Update Auto Update Client", + "sha256": "15633a53798ae01e2fdfef1f1ea0a74d7916ced0a48d742d446644cbdb8c75e8", + "type": "eql", + "version": 10 + } + }, + "rule_name": "ImageLoad via Windows Update Auto Update Client", + "sha256": "d8a2c21710519775b99328290a6e140ea3e75c3e833cd07dd9ac0b07dc7d6b31", + "type": "eql", + "version": 100 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Print Spooler Child Process", - "sha256": "2f851991fa9398f083d7cfbc06bebd99acc958c0652597f0b8872a2fec42533e", - "type": "eql", - "version": 9 - } - }, - "rule_name": "Unusual Print Spooler Child Process", - "sha256": "3fe25e314cdcf16071088596e01b717c7be9354046ef5d784a23e38b8b1decc2", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Print Spooler Child Process", + "sha256": "2f851991fa9398f083d7cfbc06bebd99acc958c0652597f0b8872a2fec42533e", + "type": "eql", + "version": 9 + } + }, + "rule_name": "Unusual Print Spooler Child Process", + "sha256": "3fe25e314cdcf16071088596e01b717c7be9354046ef5d784a23e38b8b1decc2", + "type": "eql", + "version": 100 }, "ee619805-54d7-4c56-ba6f-7717282ddd73": { - "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", - "sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", + "sha256": "284931b7332c5d8775ad1b0d93e012b6b7391afd6b546209c576ebbb44f85a80", + "type": "eql", + "version": 100 }, "eea82229-b002-470e-a9e1-00be38b14d32": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - 
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "85fe1eb19d66f592dad24600606b8472dfc84b4716e64052f67af8043fef5a79", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", - "sha256": "2ea934f6af15bdbb3fd47cd5fe8c0016a6408c99beb97954a13e14b0f808437a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", + "sha256": "85fe1eb19d66f592dad24600606b8472dfc84b4716e64052f67af8043fef5a79", + "type": "eql", + "version": 6 + } + }, + "rule_name": "Potential Privacy Control Bypass via TCCDB Modification", + "sha256": "2ea934f6af15bdbb3fd47cd5fe8c0016a6408c99beb97954a13e14b0f808437a", + "type": "eql", + "version": 100 }, "ef04a476-07ec-48fc-8f3d-5e1742de76d3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "BPF filter applied using TC", - "sha256": "a890bd484df6a7b4170e055a13563f50c1b7f00282fc3b0623c176c561e6a911", - "type": "eql", - "version": 3 - } - }, - "rule_name": "BPF filter applied using TC", - "sha256": "a45bca6f177105ff77836c134bd1664a95a690cb62b20d6197294a472a3afb8b", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "BPF filter applied using TC", + "sha256": "a890bd484df6a7b4170e055a13563f50c1b7f00282fc3b0623c176c561e6a911", + "type": "eql", + "version": 3 + } + }, + "rule_name": "BPF filter applied using TC", + "sha256": "a45bca6f177105ff77836c134bd1664a95a690cb62b20d6197294a472a3afb8b", + "type": "eql", + "version": 100 }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Whoami Process Activity", - "sha256": "6255a59f1907f90afb7d99a93dc1de288448f8d5eddd72f4077c13a632048b84", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Whoami Process 
Activity", - "sha256": "5d0df796ec4949e95ecae211e8fb18e273a374f3d3734268dd12166a9e7b0928", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Whoami Process Activity", + "sha256": "6255a59f1907f90afb7d99a93dc1de288448f8d5eddd72f4077c13a632048b84", + "type": "eql", + "version": 12 + } + }, + "rule_name": "Whoami Process Activity", + "sha256": "5d0df796ec4949e95ecae211e8fb18e273a374f3d3734268dd12166a9e7b0928", + "type": "eql", + "version": 100 }, "f036953a-4615-4707-a1ca-dc53bf69dcd5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "607544934e3152f41a4713b12c1f809518dfe52cfe1179d9f7c6ab62b27092a9", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Unusual Child Processes of RunDLL32", - "sha256": "f5958c3554e8448c5a1295ba0b6827ad3a984642e7d39076c7d43e4ade3ff34a", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Child Processes of RunDLL32", + "sha256": "607544934e3152f41a4713b12c1f809518dfe52cfe1179d9f7c6ab62b27092a9", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Unusual Child Processes of RunDLL32", + "sha256": "f5958c3554e8448c5a1295ba0b6827ad3a984642e7d39076c7d43e4ade3ff34a", + "type": "eql", + "version": 100 }, "f0493cb4-9b15-43a9-9359-68c23a7f2cf3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious HTML File Creation", - "sha256": "a25733dc5db93e97dbb6099c740ad240b0c1822325ceaafe17732f7dc28dab29", - "type": "eql", - "version": 3 - } - }, - "rule_name": "Suspicious HTML File Creation", - "sha256": "29eb6c6d14b086aa1b1c7556988f00658c69cbb37fec3e21ca03b568452f1720", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious HTML File Creation", + "sha256": 
"a25733dc5db93e97dbb6099c740ad240b0c1822325ceaafe17732f7dc28dab29", + "type": "eql", + "version": 3 + } + }, + "rule_name": "Suspicious HTML File Creation", + "sha256": "29eb6c6d14b086aa1b1c7556988f00658c69cbb37fec3e21ca03b568452f1720", + "type": "eql", + "version": 100 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "d15dd5779036e85d5d88bab96e6b6cd2e9fb5025dae8ef032429d99edf7ea868", - "type": "query", - "version": 7 - } - }, - "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "01e9c35d451ee51ce6555cb2e69118ea0af2b526abe9523361d4adedc8eacb23", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Administrator Role Assigned to an Okta User", + "sha256": "d15dd5779036e85d5d88bab96e6b6cd2e9fb5025dae8ef032429d99edf7ea868", + "type": "query", + "version": 7 + } + }, + "rule_name": "Administrator Role Assigned to an Okta User", + "sha256": "01e9c35d451ee51ce6555cb2e69118ea0af2b526abe9523361d4adedc8eacb23", + "type": "query", + "version": 100 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Attempt to Remove File Quarantine Attribute", - "sha256": "66097f87ce7d53ec4c5a9c78d2ad5ea9434fb4800ba59615353fa48857104300", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Attempt to Remove File Quarantine Attribute", - "sha256": "a6529b64b559bd8bd42c20e78b8414e067f080935f145dcd144069d59b193065", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Attempt to Remove File Quarantine Attribute", + "sha256": "66097f87ce7d53ec4c5a9c78d2ad5ea9434fb4800ba59615353fa48857104300", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Attempt to Remove File Quarantine Attribute", + "sha256": 
"a6529b64b559bd8bd42c20e78b8414e067f080935f145dcd144069d59b193065", + "type": "eql", + "version": 100 }, "f0bc081a-2346-4744-a6a4-81514817e888": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Alert Suppression Rule Created or Modified", - "sha256": "df8ec13cd47fc1fffe12deff3970a9194c19e52746805d646bb4f797e85a680e", - "type": "query", - "version": 5 - } - }, - "rule_name": "Azure Alert Suppression Rule Created or Modified", - "sha256": "2183384bcc6041752cf41516ee30721db4d87c33c6cc490a4e40f725792feeff", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Alert Suppression Rule Created or Modified", + "sha256": "df8ec13cd47fc1fffe12deff3970a9194c19e52746805d646bb4f797e85a680e", + "type": "query", + "version": 5 + } + }, + "rule_name": "Azure Alert Suppression Rule Created or Modified", + "sha256": "2183384bcc6041752cf41516ee30721db4d87c33c6cc490a4e40f725792feeff", + "type": "query", + "version": 100 }, "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "7a4c42f5bfb7bee1424ed3f2c6a969c641f1c4b9b7d9ce817f921f447b076725", - "type": "query", - "version": 5 - } - }, - "rule_name": "Execution with Explicit Credentials via Scripting", - "sha256": "f4436ecb9166018d1599495e008b01508f468324cbc863916483dbb05bfef6f2", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Execution with Explicit Credentials via Scripting", + "sha256": "7a4c42f5bfb7bee1424ed3f2c6a969c641f1c4b9b7d9ce817f921f447b076725", + "type": "query", + "version": 5 + } + }, + "rule_name": "Execution with Explicit Credentials via Scripting", + "sha256": "f4436ecb9166018d1599495e008b01508f468324cbc863916483dbb05bfef6f2", + "type": "query", + "version": 100 }, 
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "0faaa346858f2dcb17db77667c2b5405492684ba8c0108091bb15d7a4d76ac79", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Creation of Hidden Login Item via Apple Script", - "sha256": "69f6e9352509b644c95ad43357cb6f9d3c39cb13a3a793ba5844232554883eda", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Creation of Hidden Login Item via Apple Script", + "sha256": "0faaa346858f2dcb17db77667c2b5405492684ba8c0108091bb15d7a4d76ac79", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Creation of Hidden Login Item via Apple Script", + "sha256": "69f6e9352509b644c95ad43357cb6f9d3c39cb13a3a793ba5844232554883eda", + "type": "eql", + "version": 100 }, "f28e2be4-6eca-4349-bdd9-381573730c22": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "24b4d57df7a4e7ce08d3ad2bd3b675b8a5b3e8fd9173019958bacce878092ba8", - "type": "eql", - "version": 5 - } - }, - "rule_name": "Potential OpenSSH Backdoor Logging Activity", - "sha256": "d48192062bd0af2ed545308c339e302c6dcd8cdff8066bc1737b54bae82841f6", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential OpenSSH Backdoor Logging Activity", + "sha256": "24b4d57df7a4e7ce08d3ad2bd3b675b8a5b3e8fd9173019958bacce878092ba8", + "type": "eql", + "version": 5 + } + }, + "rule_name": "Potential OpenSSH Backdoor Logging Activity", + "sha256": "d48192062bd0af2ed545308c339e302c6dcd8cdff8066bc1737b54bae82841f6", + "type": "eql", + "version": 100 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "SIP Provider Modification", - "sha256": 
"2ba459343a12bb5eab29944e3968636c5b38e0007b17f8e5b6b8c12c58827110", - "type": "eql", - "version": 4 - } - }, - "rule_name": "SIP Provider Modification", - "sha256": "5262a4e6073b071fc281f6e7520b0fd5d2dc72fe5ee12be03ff920741797cf9b", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "SIP Provider Modification", + "sha256": "2ba459343a12bb5eab29944e3968636c5b38e0007b17f8e5b6b8c12c58827110", + "type": "eql", + "version": 4 + } + }, + "rule_name": "SIP Provider Modification", + "sha256": "5262a4e6073b071fc281f6e7520b0fd5d2dc72fe5ee12be03ff920741797cf9b", + "type": "eql", + "version": 100 }, "f2f46686-6f3c-4724-bd7d-24e31c70f98f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "LSASS Memory Dump Creation", - "sha256": "3e6e50826d519b95be8230a60471e7347a0cf1a3f68d2aa857aac4ce300b05a7", - "type": "eql", - "version": 9 - }, - "8.2": { - "rule_name": "LSASS Memory Dump Creation", - "sha256": "267feaf9654f7bc39c4ec3c0aeefa5ac3961a87fc6aea9c7feee3396bff425ec", - "type": "eql", - "version": 12 - } - }, - "rule_name": "LSASS Memory Dump Creation", - "sha256": "d5ea7927774ec7e899aabbe5ff76bbf6320747fab152f3060a53f0ffa131d1a0", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 11, + "rule_name": "LSASS Memory Dump Creation", + "sha256": "3e6e50826d519b95be8230a60471e7347a0cf1a3f68d2aa857aac4ce300b05a7", + "type": "eql", + "version": 9 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "LSASS Memory Dump Creation", + "sha256": "267feaf9654f7bc39c4ec3c0aeefa5ac3961a87fc6aea9c7feee3396bff425ec", + "type": "eql", + "version": 12 + } + }, + "rule_name": "LSASS Memory Dump Creation", + "sha256": "d5ea7927774ec7e899aabbe5ff76bbf6320747fab152f3060a53f0ffa131d1a0", + "type": "eql", + "version": 100 }, "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { - "min_stack_version": "8.3", - "previous": { - 
"7.16": { - "rule_name": "AWS RDS Instance Creation", - "sha256": "fdb052cc421e14176073509078d7ebb84e69338f14a02d61b3687ce413a5263a", - "type": "query", - "version": 6 - } - }, - "rule_name": "AWS RDS Instance Creation", - "sha256": "2df8ac1aaabae7c8c3f0efc22b7851cb24e160195b8a7f7757705c1328737d76", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS RDS Instance Creation", + "sha256": "fdb052cc421e14176073509078d7ebb84e69338f14a02d61b3687ce413a5263a", + "type": "query", + "version": 6 + } + }, + "rule_name": "AWS RDS Instance Creation", + "sha256": "2df8ac1aaabae7c8c3f0efc22b7851cb24e160195b8a7f7757705c1328737d76", + "type": "query", + "version": 100 }, "f3475224-b179-4f78-8877-c2bd64c26b88": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "WMI Incoming Lateral Movement", - "sha256": "697265472771d768d277926b42e99b11fc14f495b24c6f2b8aecc0cc10b6409d", - "type": "eql", - "version": 6 - } - }, - "rule_name": "WMI Incoming Lateral Movement", - "sha256": "846cf2dcf2612cb91b36b658b97ebaccfb99e83642a247e3a1fe4cacc06594f3", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "WMI Incoming Lateral Movement", + "sha256": "697265472771d768d277926b42e99b11fc14f495b24c6f2b8aecc0cc10b6409d", + "type": "eql", + "version": 6 + } + }, + "rule_name": "WMI Incoming Lateral Movement", + "sha256": "846cf2dcf2612cb91b36b658b97ebaccfb99e83642a247e3a1fe4cacc06594f3", + "type": "eql", + "version": 100 }, "f37f3054-d40b-49ac-aa9b-a786c74c58b8": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": "6e5898678bcd1b9c833fd090aabbf6e7e2fd69692405c532e8e7db74f71f9ae7", - "type": "threshold", - "version": 3 - } - }, - "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", - "sha256": 
"7ae7a67bf3618c7bd90ff834cec03ddfb7fdde73bf2786adcae9331c93b735ee", - "type": "threshold", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", + "sha256": "6e5898678bcd1b9c833fd090aabbf6e7e2fd69692405c532e8e7db74f71f9ae7", + "type": "threshold", + "version": 3 + } + }, + "rule_name": "Sudo Heap-Based Buffer Overflow Attempt", + "sha256": "7ae7a67bf3618c7bd90ff834cec03ddfb7fdde73bf2786adcae9331c93b735ee", + "type": "threshold", + "version": 100 }, "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "a527339384f08721754875fa945abf7d3cdf22d66ac5c2e8f2b62e1706013b2b", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Persistence via Microsoft Office AddIns", - "sha256": "8b716970a3ae6c3521ac2c34930178185ecc89e9a9cb83bca9e682e1ef1505c3", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistence via Microsoft Office AddIns", + "sha256": "a527339384f08721754875fa945abf7d3cdf22d66ac5c2e8f2b62e1706013b2b", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Persistence via Microsoft Office AddIns", + "sha256": "8b716970a3ae6c3521ac2c34930178185ecc89e9a9cb83bca9e682e1ef1505c3", + "type": "eql", + "version": 100 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "bdb6832aff1a99405ce51272c3c4ea81e914802fc8149673b9ec7521cfe6a2cf", - "type": "query", - "version": 6 - } - }, - "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", - "sha256": "9bf14a6e899e66713cc68e923fec0464974a147ca6e00806fbc7b72a00fc2ea2", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + 
"previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", + "sha256": "bdb6832aff1a99405ce51272c3c4ea81e914802fc8149673b9ec7521cfe6a2cf", + "type": "query", + "version": 6 + } + }, + "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", + "sha256": "9bf14a6e899e66713cc68e923fec0464974a147ca6e00806fbc7b72a00fc2ea2", + "type": "query", + "version": 100 }, "f52362cd-baf1-4b6d-84be-064efc826461": { - "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", - "sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", + "sha256": "9a30702aaa4b583d4dfed22529c75be33a32d661580c7885d29a45fb627ec6b7", + "type": "eql", + "version": 100 }, "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Windows Script Executing PowerShell", - "sha256": "a540d7b91d337c085613ea8d5f7a5984c3e02c2b1c6020ce9051e8c37e7eca19", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Windows Script Executing PowerShell", - "sha256": "0eea0b65385ccfaffea183f5d8fe0dc99646b80e0ce365c4bb3a9626d4e8d7b4", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Windows Script Executing PowerShell", + "sha256": "a540d7b91d337c085613ea8d5f7a5984c3e02c2b1c6020ce9051e8c37e7eca19", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Windows Script Executing PowerShell", + "sha256": "0eea0b65385ccfaffea183f5d8fe0dc99646b80e0ce365c4bb3a9626d4e8d7b4", + "type": "eql", + "version": 100 }, "f63c8e3c-d396-404f-b2ea-0379d3942d73": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": 
"006a7c779aedd42261a1a521731bcf7cbcf76d5381683aab472281003a7f7bb4", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Windows Firewall Disabled via PowerShell", - "sha256": "44c57bc161ee1e3d503a79ed1594a516a66e383ee248401a96dba30cb0c84122", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Windows Firewall Disabled via PowerShell", + "sha256": "006a7c779aedd42261a1a521731bcf7cbcf76d5381683aab472281003a7f7bb4", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Windows Firewall Disabled via PowerShell", + "sha256": "44c57bc161ee1e3d503a79ed1594a516a66e383ee248401a96dba30cb0c84122", + "type": "eql", + "version": 100 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "b8ea24d38fe9b6522e77bcc999fefa26a1ee87060cdb4e7d4d373dd994742272", - "type": "eql", - "version": 13 - } - }, - "rule_name": "Delete Volume USN Journal with Fsutil", - "sha256": "84ff62e38a254252fdbee7dd54a05c1d28934e10e02a095f611c07747cda8c2c", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Delete Volume USN Journal with Fsutil", + "sha256": "b8ea24d38fe9b6522e77bcc999fefa26a1ee87060cdb4e7d4d373dd994742272", + "type": "eql", + "version": 13 + } + }, + "rule_name": "Delete Volume USN Journal with Fsutil", + "sha256": "84ff62e38a254252fdbee7dd54a05c1d28934e10e02a095f611c07747cda8c2c", + "type": "eql", + "version": 100 }, "f683dcdf-a018-4801-b066-193d4ae6c8e5": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": "baedc4fcc8fd933fc5bf8e2f76c4ebb6acb9bded48fe91f102727b5978c797fa", - "type": "query", - "version": 3 - } - }, - "rule_name": "SoftwareUpdate Preferences Modification", - "sha256": 
"edd3f40fac8193db6209fe14fa865985ae1f790f05c2da639f2f1b7c8211ad78", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "SoftwareUpdate Preferences Modification", + "sha256": "baedc4fcc8fd933fc5bf8e2f76c4ebb6acb9bded48fe91f102727b5978c797fa", + "type": "query", + "version": 3 + } + }, + "rule_name": "SoftwareUpdate Preferences Modification", + "sha256": "edd3f40fac8193db6209fe14fa865985ae1f790f05c2da639f2f1b7c8211ad78", + "type": "query", + "version": 100 }, "f766ffaf-9568-4909-b734-75d19b35cbf4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Azure Service Principal Credentials Added", - "sha256": "91839fac086519a95bf9186adb97fdcab72a39a1c0e719461638efa09485aae7", - "type": "query", - "version": 5 - } - }, - "rule_name": "Azure Service Principal Credentials Added", - "sha256": "60abce2112c71ffdd5cc301d683fe30d4f3ef9462959641be4987634ac452474", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Azure Service Principal Credentials Added", + "sha256": "91839fac086519a95bf9186adb97fdcab72a39a1c0e719461638efa09485aae7", + "type": "query", + "version": 5 + } + }, + "rule_name": "Azure Service Principal Credentials Added", + "sha256": "60abce2112c71ffdd5cc301d683fe30d4f3ef9462959641be4987634ac452474", + "type": "query", + "version": 100 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "8ad42f1e8cb0d26f21a5da2eb9d80dbfad54d5a602c8d033ecbb349f0aecb297", - "type": "query", - "version": 10 - } - }, - "rule_name": "AWS CloudWatch Alarm Deletion", - "sha256": "4eaf60e5412ecfdd14fef03492de085caeb67e3759d25d337ed592a4d937f76c", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + 
"rule_name": "AWS CloudWatch Alarm Deletion", + "sha256": "8ad42f1e8cb0d26f21a5da2eb9d80dbfad54d5a602c8d033ecbb349f0aecb297", + "type": "query", + "version": 10 + } + }, + "rule_name": "AWS CloudWatch Alarm Deletion", + "sha256": "4eaf60e5412ecfdd14fef03492de085caeb67e3759d25d337ed592a4d937f76c", + "type": "query", + "version": 100 }, "f7c4dc5a-a58d-491d-9f14-9b66507121c0": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "15943bc13543a3c145d72f22f142223d4b10ef04fa295fb914b0a1ba1ace1307", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Persistent Scripts in the Startup Directory", - "sha256": "da2561988baf9f0171a26e41a80e7924b7371984fca58c3fd1662dd767f6a3a9", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Persistent Scripts in the Startup Directory", + "sha256": "15943bc13543a3c145d72f22f142223d4b10ef04fa295fb914b0a1ba1ace1307", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Persistent Scripts in the Startup Directory", + "sha256": "da2561988baf9f0171a26e41a80e7924b7371984fca58c3fd1662dd767f6a3a9", + "type": "eql", + "version": 100 }, "f81ee52c-297e-46d9-9205-07e66931df26": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "702da601e24ddc5235a8fc5057bd20f2a12903f1374117532cee7c9f1352f3f2", - "type": "eql", - "version": 6 - } - }, - "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", - "sha256": "d641237aa9ee963766061572dd0b8b367a932277639333967115dfcc6e36cdb9", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", + "sha256": "702da601e24ddc5235a8fc5057bd20f2a12903f1374117532cee7c9f1352f3f2", + "type": "eql", + 
"version": 6 + } + }, + "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes", + "sha256": "d641237aa9ee963766061572dd0b8b367a932277639333967115dfcc6e36cdb9", + "type": "eql", + "version": 100 }, "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "5146e28a6514142021a6718494e20683e8163f2f3998cbfb5c5e5b27b3b33396", - "type": "query", - "version": 3 - } - }, - "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", - "sha256": "3daba2b12aa3f073d284e90d7d1b18bdb0730b54ae73ade8792df554df832488", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", + "sha256": "5146e28a6514142021a6718494e20683e8163f2f3998cbfb5c5e5b27b3b33396", + "type": "query", + "version": 3 + } + }, + "rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", + "sha256": "3daba2b12aa3f073d284e90d7d1b18bdb0730b54ae73ade8792df554df832488", + "type": "query", + "version": 100 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "69e4d6aba25b972ffc1d02bcc6bb8a5b00e1a1e84d8d24b549b384e85e81b560", - "type": "eql", - "version": 8 - } - }, - "rule_name": "Modification of AmsiEnable Registry Key", - "sha256": "5ebee476de3aadc8d6bec46ede1398e84614f270dc5c834a19d1adf957b0c0e1", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Modification of AmsiEnable Registry Key", + "sha256": "69e4d6aba25b972ffc1d02bcc6bb8a5b00e1a1e84d8d24b549b384e85e81b560", + "type": "eql", + "version": 8 + } + }, + "rule_name": "Modification of AmsiEnable Registry Key", + "sha256": 
"5ebee476de3aadc8d6bec46ede1398e84614f270dc5c834a19d1adf957b0c0e1", + "type": "eql", + "version": 100 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Unusual Linux System Network Configuration Discovery", - "sha256": "e0d27723f14bfc1f2d57f46507f432ac8447aeedaa48ac60222193653c4ea2a8", - "type": "machine_learning", - "version": 2 - } - }, - "rule_name": "Unusual Linux System Network Configuration Discovery", - "sha256": "14d20e2e82e941edcdbd220e8a8452c2b7c3d439345f8c165c7028552891d60d", - "type": "machine_learning", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Unusual Linux System Network Configuration Discovery", + "sha256": "e0d27723f14bfc1f2d57f46507f432ac8447aeedaa48ac60222193653c4ea2a8", + "type": "machine_learning", + "version": 2 + } + }, + "rule_name": "Unusual Linux System Network Configuration Discovery", + "sha256": "14d20e2e82e941edcdbd220e8a8452c2b7c3d439345f8c165c7028552891d60d", + "type": "machine_learning", + "version": 100 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "723e46c1bcdfafc46527365b132c23ef8da4019c75dbbb363e9768944234eeb5", - "type": "query", - "version": 9 - } - }, - "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "63bf340350b8b593d28ec081ac9cda0e246500e5115d6613d57001bbfef4a3e9", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Suspicious Activity Reported by Okta User", + "sha256": "723e46c1bcdfafc46527365b132c23ef8da4019c75dbbb363e9768944234eeb5", + "type": "query", + "version": 9 + } + }, + "rule_name": "Suspicious Activity Reported by Okta User", + "sha256": "63bf340350b8b593d28ec081ac9cda0e246500e5115d6613d57001bbfef4a3e9", + "type": "query", + 
"version": 100 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "56b1ecfa2db9264a36ac1f9f8bf803d472f490b7851d54ed7cb678484069cf55", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Remote File Copy to a Hidden Share", - "sha256": "569766bec372711851a155fc64514fe8421e5c3db5f3c6e3b0ce5eb2b290fb6e", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Remote File Copy to a Hidden Share", + "sha256": "56b1ecfa2db9264a36ac1f9f8bf803d472f490b7851d54ed7cb678484069cf55", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Remote File Copy to a Hidden Share", + "sha256": "569766bec372711851a155fc64514fe8421e5c3db5f3c6e3b0ce5eb2b290fb6e", + "type": "eql", + "version": 100 }, "fb02b8d3-71ee-4af1-bacd-215d23f17efa": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Network Connection via Registration Utility", - "sha256": "c346662d4ca6f6e99bd7d943aaf1b6e3ff59a95a78beec24b080fdaf82289c3e", - "type": "eql", - "version": 14 - } - }, - "rule_name": "Network Connection via Registration Utility", - "sha256": "8c7eab8a4a361830ac00729ea391f70f4d90a8e9e3a9c14bdfaf0b9f8612fa75", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Network Connection via Registration Utility", + "sha256": "c346662d4ca6f6e99bd7d943aaf1b6e3ff59a95a78beec24b080fdaf82289c3e", + "type": "eql", + "version": 14 + } + }, + "rule_name": "Network Connection via Registration Utility", + "sha256": "8c7eab8a4a361830ac00729ea391f70f4d90a8e9e3a9c14bdfaf0b9f8612fa75", + "type": "eql", + "version": 100 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { - "rule_name": "Auditd Max Failed Login Attempts", - "sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412", - "type": "query", - 
"version": 100 + "rule_name": "Auditd Max Failed Login Attempts", + "sha256": "10e3eb490a17e954aaf3fe1059a57a5b3f7f064eeea3e41b6ac7799bde4ce412", + "type": "query", + "version": 100 }, "fbd44836-0d69-4004-a0b4-03c20370c435": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "bb8a45312a7cd79e9fdb40d1fe639f5a426fd830420ed64cd08efb557b612edd", - "type": "query", - "version": 9 - } - }, - "rule_name": "AWS Configuration Recorder Stopped", - "sha256": "fcbbf3876a8263b501994582b3e99b2ddf5a90b3d71dc2b2dbf4a90b4ef5f3d0", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "AWS Configuration Recorder Stopped", + "sha256": "bb8a45312a7cd79e9fdb40d1fe639f5a426fd830420ed64cd08efb557b612edd", + "type": "query", + "version": 9 + } + }, + "rule_name": "AWS Configuration Recorder Stopped", + "sha256": "fcbbf3876a8263b501994582b3e99b2ddf5a90b3d71dc2b2dbf4a90b4ef5f3d0", + "type": "query", + "version": 100 }, "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "b224ba9133037909f492e2403fc22a98d8d4409df23717060ec4ee312f323658", - "type": "eql", - "version": 8 - } - }, - "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", - "sha256": "583a2e68141b9adacd617c3da8517b10e3e9ee5f7d897dfdf86b060d095bb4f4", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", + "sha256": "b224ba9133037909f492e2403fc22a98d8d4409df23717060ec4ee312f323658", + "type": "eql", + "version": 8 + } + }, + "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", + "sha256": 
"583a2e68141b9adacd617c3da8517b10e3e9ee5f7d897dfdf86b060d095bb4f4", + "type": "eql", + "version": 100 }, "fd3fc25e-7c7c-4613-8209-97942ac609f6": { - "rule_name": "Linux Restricted Shell Breakout via the expect command", - "sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032", - "type": "eql", - "version": 100 + "rule_name": "Linux Restricted Shell Breakout via the expect command", + "sha256": "39518f23768d9d8d0aee453661f03bc6b0f23cbb1de79fc370a7816ecebba032", + "type": "eql", + "version": 100 }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "a7f66209cee9e1f45ad0e512e71f847b6c46c94015ca52f7f08b345a9c60b28c", - "type": "eql", - "version": 12 - } - }, - "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "4b763acfaf2892abb41f28cb3f0381a3742bfc4456a0b2001aafd8c4fe93cd26", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Potential Application Shimming via Sdbinst", + "sha256": "a7f66209cee9e1f45ad0e512e71f847b6c46c94015ca52f7f08b345a9c60b28c", + "type": "eql", + "version": 12 + } + }, + "rule_name": "Potential Application Shimming via Sdbinst", + "sha256": "4b763acfaf2892abb41f28cb3f0381a3742bfc4456a0b2001aafd8c4fe93cd26", + "type": "eql", + "version": 100 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Suspicious CertUtil Commands", - "sha256": "72b6aefd420c13f2f9a75c27271f96b8fc4a9d2ba474654cf69f6a5586bab85a", - "type": "eql", - "version": 14 - }, - "8.2": { - "rule_name": "Suspicious CertUtil Commands", - "sha256": "4a4057d6b10296e8a4a271e309922994d7208971a5baee1d7805193e3f27fe81", - "type": "eql", - "version": 17 - } - }, - "rule_name": "Suspicious CertUtil Commands", - "sha256": 
"7aafa80bd5d1755dd6faec5fd986c4dd331ab5c5139ef457c089cec992e6dd21", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 16, + "rule_name": "Suspicious CertUtil Commands", + "sha256": "72b6aefd420c13f2f9a75c27271f96b8fc4a9d2ba474654cf69f6a5586bab85a", + "type": "eql", + "version": 14 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "Suspicious CertUtil Commands", + "sha256": "4a4057d6b10296e8a4a271e309922994d7208971a5baee1d7805193e3f27fe81", + "type": "eql", + "version": 17 + } + }, + "rule_name": "Suspicious CertUtil Commands", + "sha256": "7aafa80bd5d1755dd6faec5fd986c4dd331ab5c5139ef457c089cec992e6dd21", + "type": "eql", + "version": 100 }, "fd7a6052-58fa-4397-93c3-4795249ccfa2": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Svchost spawning Cmd", - "sha256": "3d668370d9b557693bef4d3e27feee891c659346bc032f6d62a25a08561cf61f", - "type": "eql", - "version": 12 - }, - "8.2": { - "rule_name": "Svchost spawning Cmd", - "sha256": "a5ec087e76c65ab534d4a43f658c0765caa060175968b140808538a92d80abb4", - "type": "eql", - "version": 15 - } - }, - "rule_name": "Svchost spawning Cmd", - "sha256": "1c4aec6373efe193a4250de2efba553b30aafbfb17b9a33cf9a237ef237baa02", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 14, + "rule_name": "Svchost spawning Cmd", + "sha256": "3d668370d9b557693bef4d3e27feee891c659346bc032f6d62a25a08561cf61f", + "type": "eql", + "version": 12 + }, + "8.2": { + "max_allowable_version": 99, + "rule_name": "Svchost spawning Cmd", + "sha256": "a5ec087e76c65ab534d4a43f658c0765caa060175968b140808538a92d80abb4", + "type": "eql", + "version": 15 + } + }, + "rule_name": "Svchost spawning Cmd", + "sha256": "1c4aec6373efe193a4250de2efba553b30aafbfb17b9a33cf9a237ef237baa02", + "type": "eql", + "version": 100 }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { - "min_stack_version": "8.3", - 
"previous": { - "7.16": { - "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "7ce1ab37d88d1e6455883aa77e2ff80ecd52499d612b2dd90dd803b11040a078", - "type": "eql", - "version": 7 - } - }, - "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "8ae9156a1e8b4fc571d581dadad39e033e00b984b7ce4af8939bfbe759cc8958", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft Windows Defender Tampering", + "sha256": "7ce1ab37d88d1e6455883aa77e2ff80ecd52499d612b2dd90dd803b11040a078", + "type": "eql", + "version": 7 + } + }, + "rule_name": "Microsoft Windows Defender Tampering", + "sha256": "8ae9156a1e8b4fc571d581dadad39e033e00b984b7ce4af8939bfbe759cc8958", + "type": "eql", + "version": 100 }, "feeed87c-5e95-4339-aef1-47fd79bcfbe3": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "3e42b34005caca684b62e9680d19d3b026730f8518c88065d34dbaa6db7db2b4", - "type": "eql", - "version": 6 - } - }, - "rule_name": "MS Office Macro Security Registry Modifications", - "sha256": "2e8be374693ae806c801cd7688bae86a28197f10def63a9645c57e9bbf992ecb", - "type": "eql", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "MS Office Macro Security Registry Modifications", + "sha256": "3e42b34005caca684b62e9680d19d3b026730f8518c88065d34dbaa6db7db2b4", + "type": "eql", + "version": 6 + } + }, + "rule_name": "MS Office Macro Security Registry Modifications", + "sha256": "2e8be374693ae806c801cd7688bae86a28197f10def63a9645c57e9bbf992ecb", + "type": "eql", + "version": 100 }, "ff013cb4-274d-434a-96bb-fe15ddd3ae92": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "sha256": 
"20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099", - "type": "query", - "version": 11 - } - }, - "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", - "sha256": "1b5384df54d213d82ed03c31b1cc6e0a2eb427f2c87cefc8da2bc88f7313bbb0", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", + "sha256": "20fa3931651c3cd2a65942d63e382bf5e5a7faf3f3274c700fcea9cdcb94e099", + "type": "query", + "version": 11 + } + }, + "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", + "sha256": "1b5384df54d213d82ed03c31b1cc6e0a2eb427f2c87cefc8da2bc88f7313bbb0", + "type": "query", + "version": 100 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "Microsoft 365 Exchange Transport Rule Creation", - "sha256": "070acfe2b3f2fc4f568c643936593196e64cb629b3005c6fdc739b28ca4bc1ec", - "type": "query", - "version": 9 - } - }, - "rule_name": "Microsoft 365 Exchange Transport Rule Creation", - "sha256": "4f9627d3b6b169fbfa945c83748ecb0c9a8e9b3b4ebcbcc162dcc625c469e507", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "Microsoft 365 Exchange Transport Rule Creation", + "sha256": "070acfe2b3f2fc4f568c643936593196e64cb629b3005c6fdc739b28ca4bc1ec", + "type": "query", + "version": 9 + } + }, + "rule_name": "Microsoft 365 Exchange Transport Rule Creation", + "sha256": "4f9627d3b6b169fbfa945c83748ecb0c9a8e9b3b4ebcbcc162dcc625c469e507", + "type": "query", + "version": 100 }, "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1": { - "min_stack_version": "8.3", - "previous": { - "7.16": { - "rule_name": "GCP Firewall Rule Deletion", - "sha256": "028f2986eed7da7502174e85bb85dd5d500ad50a933a1d7e90343e1a8cfea632", - "type": "query", - 
"version": 8 - } - }, - "rule_name": "GCP Firewall Rule Deletion", - "sha256": "03a38acfa70739c8c1ab7c0f205e4f0806de8072b4475c2be8b96f1ac65b2b5d", - "type": "query", - "version": 100 + "min_stack_version": "8.3", + "previous": { + "7.16": { + "max_allowable_version": 99, + "rule_name": "GCP Firewall Rule Deletion", + "sha256": "028f2986eed7da7502174e85bb85dd5d500ad50a933a1d7e90343e1a8cfea632", + "type": "query", + "version": 8 + } + }, + "rule_name": "GCP Firewall Rule Deletion", + "sha256": "03a38acfa70739c8c1ab7c0f205e4f0806de8072b4475c2be8b96f1ac65b2b5d", + "type": "query", + "version": 100 } - } \ No newline at end of file +} \ No newline at end of file diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 98825856bdb..fb33b9231f4 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -342,7 +342,7 @@ def ast(self) -> Any: @property def unique_fields(self) -> Any: - raise NotImplementedError + raise NotImplementedError() def validate(self, data: 'QueryRuleData', meta: RuleMeta) -> None: raise NotImplementedError() 
@@ -585,16 +585,48 @@ def lock_info(self, bump=True) -> dict: @property def is_dirty(self) -> Optional[bool]: """Determine if the rule has changed since its version was locked.""" - min_stack = self.metadata.get('min_stack_version') or str(get_min_supported_stack_version(drop_patch=True)) + min_stack = self.get_supported_version() existing_sha256 = self.version_lock.get_locked_hash(self.id, min_stack) if existing_sha256 is not None: return existing_sha256 != self.sha256() + @property + def lock_entry(self) -> Optional[dict]: + lock_entry = self.version_lock.version_lock.data.get(self.id) + if lock_entry: + return lock_entry.to_dict() + + @property + def has_forked(self) -> bool: + """Determine if the rule has forked at any point (has a previous entry).""" + lock_entry = self.lock_entry + if lock_entry: + return 'previous' in lock_entry + return False + + @property + def is_in_forked_version(self) -> bool: + """Determine if the rule is in a forked version.""" + if not self.has_forked: + return False + locked_min_stack = Version(self.lock_entry['min_stack_version']) + current_package_ver = Version(load_current_package_version()) + return current_package_ver < locked_min_stack + + def get_version_space(self) -> Optional[int]: + """Retrieve the number of version spaces available (None for unbound).""" + if self.is_in_forked_version: + current_entry = self.lock_entry['previous'][self.metadata.min_stack_version] + current_version = current_entry['version'] + max_allowable_version = current_entry['max_allowable_version'] + + return max_allowable_version - current_version - 1 + @property def latest_version(self) -> Optional[int]: """Retrieve the latest known version of the rule.""" - min_stack = self.metadata.get('min_stack_version') or str(get_min_supported_stack_version(drop_patch=True)) + min_stack = self.get_supported_version() return self.version_lock.get_locked_version(self.id, min_stack) @property 
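Review bot: `get_version_space` in this hunk returns `max_allowable_version - current_version - 1`, which looks one short of what the lock actually permits — the check added in version_lock.py only rejects `version > max_allowable_version`, so a forked rule may still be bumped to `max_allowable_version` itself; if that is the intended bound the `- 1` should go, otherwise the two should be reconciled with a comment explaining the reserved slot. The same method indexes `previous` with the raw `self.metadata.min_stack_version`, whereas the lock keys are `major.minor` (that is exactly what the new `get_supported_version()` normalizes), so a `major.minor.patch` value in rule metadata would KeyError; `current_entry = self.lock_entry['previous'][self.get_supported_version()]` keeps both lookups consistent. Since `PreviousEntry.max_allowable_version` is declared `Optional`, the subtraction should also guard `None` before doing arithmetic rather than surfacing a TypeError. The new properties (`lock_entry`, `has_forked`, `is_in_forked_version`) would benefit from stating that they read the lock file, not the rule's own metadata; the class they belong to starts outside the hunk.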
@@ -606,6 +638,21 @@ def autobumped_version(self) -> Optional[int]: return version + 1 if self.is_dirty else version + @classmethod + def convert_supported_version(cls, stack_version: Optional[str]) -> Version: + """Convert an optional stack version to the minimum for the lock in the form major.minor.""" + min_version = get_min_supported_stack_version(drop_patch=True) + if stack_version is None: + return min_version + short_stack_version = Version(Version(stack_version)[:2]) + return max(short_stack_version, min_version) + + def get_supported_version(self) -> str: + """Get the lowest stack version for the rule that is currently supported in the form major.minor.""" + rule_min_stack = self.metadata.get('min_stack_version') + min_stack = self.convert_supported_version(rule_min_stack) + return str(min_stack) + def _post_dict_transform(self, obj: dict) -> dict: """Transform the converted API in place before sending to Kibana.""" diff --git a/detection_rules/semver.py b/detection_rules/semver.py index 85a83ca92ba..ab07c7ddcab 100644 --- a/detection_rules/semver.py +++ b/detection_rules/semver.py @@ -29,3 +29,8 @@ def __str__(self): recovered_str += "." + str(additional) return recovered_str + + +def max_versions(*versions: str) -> str: + """Return the max versioned string.""" + return str(max([Version(v) for v in versions])) diff --git a/detection_rules/version_lock.py b/detection_rules/version_lock.py index 27ab6bdb00f..ded4d3b0bbf 100644 --- a/detection_rules/version_lock.py +++ b/detection_rules/version_lock.py @@ -12,7 +12,7 @@ from .mixins import LockDataclassMixin, MarshmallowDataclassMixin from .rule_loader import RuleCollection -from .schemas import definitions, get_min_supported_stack_version +from .schemas import definitions from .semver import Version from .utils import cached, get_etc_path 
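Review bot: `get_supported_version` stringifies the `Version` that `convert_supported_version` just built, and the caller introduced in version_lock.py immediately re-parses it with `Version(rule.contents.get_supported_version())`; returning the `Version` (or offering both forms) would avoid the round trip and the chance of the two normalizations drifting apart. The docstring of `convert_supported_version` should also say that versions below the minimum supported stack are clamped up to it, since `max(short_stack_version, min_version)` silently does that. Separately, `semver.max_versions` is added in this diff with no caller visible here; if it is not used by a follow-up, it is dead code.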
@@ -34,11 +34,19 @@ class BaseEntry: version: definitions.PositiveInteger +@dataclass(frozen=True) +class PreviousEntry(BaseEntry): + + # this is Optional for resiliency in already tagged branches missing this field. This means we should strictly + # validate elsewhere + max_allowable_version: Optional[int] + + @dataclass(frozen=True) class VersionLockFileEntry(MarshmallowDataclassMixin, BaseEntry): """Schema for a rule entry in the version lock.""" min_stack_version: Optional[definitions.SemVerMinorOnly] - previous: Optional[Dict[definitions.SemVerMinorOnly, BaseEntry]] + previous: Optional[Dict[definitions.SemVerMinorOnly, PreviousEntry]] @dataclass(frozen=True) @@ -83,15 +91,6 @@ def __getitem__(self, item) -> DeprecatedRulesEntry: return self.data[item] -def _convert_lock_version(stack_version: Optional[str]) -> Version: - """Convert an optional stack version to the minimum for the lock.""" - min_version = get_min_supported_stack_version(drop_patch=True) - if stack_version is None: - return min_version - short_stack_version = Version(Version(stack_version)[:2]) - return max(short_stack_version, min_version) - - @cached def load_versions() -> dict: """Load and validate the default version.lock file.""" @@ -203,7 +202,7 @@ def log_changes(r, route_taken, new_rule_version, *msg): for rule in rules: if rule.contents.metadata.maturity == "production" or rule.id in newly_deprecated: # assume that older stacks are always locked first - min_stack = _convert_lock_version(rule.contents.metadata.min_stack_version) + min_stack = Version(rule.contents.get_supported_version()) lock_from_rule = rule.contents.lock_info(bump=not exclude_version_update) lock_from_file: dict = lock_file_contents.setdefault(rule.id, {}) 
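Review bot: `PreviousEntry` has no class docstring, and the inline comment promises that the `Optional` `max_allowable_version` will be "strictly validated elsewhere", but no such validation appears anywhere in this diff — the only consumer (route C in version_lock.py) reads the field and compares against it directly. Suggest a docstring such as `"""Lock entry for a rule on an older stack branch; max_allowable_version caps the version that branch may still reach before colliding with the newer fork."""` and a pointer to where the strict check is expected to live, or adding that check in this change. The `BaseEntry` it extends starts outside the hunk.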
@@ -222,7 +221,8 @@ def log_changes(r, route_taken, new_rule_version, *msg): # 2) on the latest, after a breaking change has been locked # 3) on the latest stack, locking in a breaking change # 4) on an old stack, after a breaking change has been made - latest_locked_stack_version = _convert_lock_version(lock_from_file.get("min_stack_version")) + latest_locked_stack_version = rule.contents.convert_supported_version( + lock_from_file.get("min_stack_version")) if not lock_from_file or min_stack == latest_locked_stack_version: route = 'A' @@ -241,6 +241,7 @@ def log_changes(r, route_taken, new_rule_version, *msg): route = 'B' # 3) on the latest stack, locking in a breaking change previous_lock_info = { + "max_allowable_version": lock_from_rule['version'] - 1, "rule_name": lock_from_file["rule_name"], "sha256": lock_from_file["sha256"], "version": lock_from_file["version"], 
@@ -272,11 +273,18 @@ def log_changes(r, route_taken, new_rule_version, *msg): # We can still inspect the version lock manually after locks are made, # since it's a good summary of everything that happens - # if version bump collides with future bump, fail - # if space, change and log + previous_entry = lock_from_file["previous"][str(min_stack)] + max_allowable_version = previous_entry['max_allowable_version'] + + # if version bump collides with future bump: fail + # if space: change and log info_from_rule = (lock_from_rule['sha256'], lock_from_rule['version']) - info_from_file = (lock_from_file["previous"][str(min_stack)]['sha256'], - lock_from_file["previous"][str(min_stack)]['version']) + info_from_file = (previous_entry['sha256'], previous_entry['version']) + + if lock_from_rule['version'] > max_allowable_version: + raise ValueError(f'Forked rule: {rule.id} - {rule.name} has changes that will force it to ' + f'exceed the max allowable version of {max_allowable_version}') + if info_from_rule != info_from_file: lock_from_file["previous"][str(min_stack)] = lock_from_rule new_version = lock_from_rule["version"] @@ -286,14 +294,6 @@ def log_changes(r, route_taken, new_rule_version, *msg): else: raise RuntimeError("Unreachable code") - if 'previous' in lock_from_file: - current_rule_version = rule.contents.lock_info()['version'] - for min_stack_version, versioned_lock in lock_from_file['previous'].items(): - existing_lock_version = versioned_lock['version'] - if current_rule_version < existing_lock_version: - raise ValueError(f'{rule.id} - previous {min_stack_version=} {existing_lock_version=} ' - f'has a higher version than {current_rule_version=}') - for rule in rules.deprecated: if rule.id in newly_deprecated: current_deprecated_lock[rule.id] = {
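Review bot: In the route-C branch, `previous_entry['max_allowable_version']` is used unguarded even though `PreviousEntry` declares the field `Optional` precisely because already-tagged branches may lack it; on such a lock file the new `if lock_from_rule['version'] > max_allowable_version:` raises a bare `TypeError` (or a `KeyError` if the key is absent entirely) with no rule context, which is worse than the explicit `ValueError` the hunk otherwise produces. Suggest `max_allowable_version = previous_entry.get('max_allowable_version')` followed by `if max_allowable_version is None: raise ValueError(f'{rule.id} - {rule.name}: previous lock for {min_stack} is missing max_allowable_version')` before the comparison. Note also that the removed trailing loop was the only check that a `previous` entry's version never exceeds the current rule version; the new bound covers that only for entries that carry `max_allowable_version`, so the same `None` case loses that protection too. The enclosing lock function starts outside the hunk.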