From 7a797920823e75250d13effcb16bd72effd0fe7a Mon Sep 17 00:00:00 2001 From: shashank-elastic Date: Mon, 9 Dec 2024 14:24:17 +0000 Subject: [PATCH] Locked versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 --- detection_rules/etc/version.lock.json | 225 +++++++++++++++----------- 1 file changed, 130 insertions(+), 95 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 017769ac4ea..8dc7ebddd4d 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -13,7 +13,7 @@ "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a", "type": "query", - "version": 310 + "version": 312 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.14", @@ -89,7 +89,7 @@ "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28", "type": "new_terms", - "version": 103 + "version": 105 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.14", @@ -111,7 +111,7 @@ "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e", "type": "new_terms", - "version": 103 + "version": 105 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", @@ -423,7 +423,7 @@ "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91", "type": "eql", - "version": 105 + "version": 107 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", @@ -529,7 +529,7 @@ "rule_name": "Member Removed From GitHub Organization", "sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7", "type": "eql", - "version": 103 + "version": 105 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", @@ -567,9 +567,9 @@ "8.12": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", + "sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e", "type": "query", - "version": 6 + "version": 7 } }, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", @@ -721,11 +721,18 @@ "type": "eql", "version": 111 }, + "0e1af929-42ed-4262-a846-55a7c54e7c84": { + "min_stack_version": "8.13", + "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", + "sha256": "b33e65a3ee076e720b9bdf2aa373dea700cfccd237404dd9f93cc4807700b15e", + "type": "esql", + "version": 1 + }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce", "type": "new_terms", - "version": 103 + "version": 105 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "SharePoint Malware File Upload", @@ -1151,7 +1158,7 @@ "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b", "type": "new_terms", - "version": 103 + "version": 105 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", @@ -1566,9 +1573,9 @@ }, "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": { "rule_name": "Possible Consent Grant Attack via Azure-Registered Application", - "sha256": "483537ca1f0a318f54568c093b78b5eca0658c9ceb0ab3daeed48949bb0e18c7", + "sha256": "9b82cc17d19e29ee2cba453d4fb97352ab4f1e2f8ecfe3d9ae2471f5f842509d", "type": "query", - "version": 212 + "version": 213 }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Suspicious File Creation in /etc for Persistence", @@ -1586,7 +1593,7 @@ "rule_name": "New GitHub App Installed", "sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec", "type": "eql", - "version": 103 + "version": 105 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.14", @@ -1618,7 +1625,7 @@ "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3", "type": "query", - "version": 105 + "version": 107 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.14", @@ -1721,9 +1728,9 @@ "8.12": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", - "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", + "sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1", "type": "query", - "version": 6 + "version": 7 } }, "rule_name": "PowerShell Script with Discovery Capabilities", @@ -1773,7 +1780,7 @@ "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b", "type": "new_terms", - "version": 103 + "version": 105 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", @@ -2059,7 +2066,7 @@ "rule_name": "New GitHub Owner Added", "sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6", "type": "eql", - "version": 105 + "version": 107 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.14", @@ -2132,7 +2139,7 @@ "rule_name": "New Okta Authentication Behavior Detected", "sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76", "type": "query", - "version": 105 + "version": 107 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", @@ -2185,6 +2192,13 @@ "type": "eql", "version": 312 }, + "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { + "min_stack_version": "8.13", + "rule_name": "Unusual High Denied Topic Blocks Detected", + "sha256": "745f9961079e7134e24a8241e8b0dd9241739cd420c1904e1d1b3d479e86172d", + "type": "esql", + "version": 1 + }, "26a726d7-126e-4267-b43d-e9a70bfdee1e": { "rule_name": "Potential Defense Evasion via Doas", "sha256": "50cf0764ce053db1d0cb8bf2401a9d3fd54a9e4169552a7f5f6f0299476c5c27", @@ -2225,9 +2239,9 @@ "8.12": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", - "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", + "sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95", "type": "query", - "version": 5 + "version": 6 } }, "rule_name": "PowerShell Script with Archive Compression Capabilities", @@ -2352,9 +2366,9 @@ }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "c4446351419a5cceb8e8748abd412e3ab49e52aa075b01c4df54b5a970d08403", + "sha256": "3ad739db58620275cb4330a3cc329918aeae3bec457d3dff8ae127ef93ac05f7", "type": "eql", - "version": 3 + "version": 4 }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation or Modification", @@ -2420,9 +2434,9 @@ "8.12": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", - "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", + "sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4", "type": "new_terms", - "version": 211 + "version": 212 } }, "rule_name": "Enumeration of Privileged Local Groups Membership", @@ -2444,7 +2458,7 @@ "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211", "type": "query", - "version": 104 + "version": 106 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", @@ -2874,6 +2888,13 @@ "type": "query", "version": 104 }, + "3216949c-9300-4c53-b57a-221e364c6457": { + "min_stack_version": "8.13", + "rule_name": "Unusual High Word Policy Blocks Detected", + "sha256": "e60e73464e34fc8b533162ec135fadf0b5dcfc463f310236241febc2eb032c17", + "type": "esql", + "version": 1 + }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", "sha256": "f4f1b93a821c7d0b22e83e0cf23a1df584971e45af788834809e1d6f1c716d1e", @@ -2976,9 +2997,9 @@ }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { "rule_name": "GitHub Repository Deleted", - "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", + "sha256": "31dfbf633245e9bf0fa40429d05f942caf186ed52c457ed58d90fd309dba218b", "type": "eql", - "version": 102 + "version": 104 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", @@ -3154,7 +3175,7 @@ "rule_name": "Attempted Bypass of Okta MFA", "sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146", "type": "query", - "version": 310 + "version": 312 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.14", @@ -3310,7 +3331,7 @@ "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54", "type": "new_terms", - "version": 103 + "version": 105 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", @@ -3399,9 +3420,9 @@ "8.12": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", - "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", + "sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972", "type": "query", - "version": 5 + "version": 6 } }, "rule_name": "PowerShell Script with Log Clear Capabilities", @@ -3569,7 +3590,7 @@ "rule_name": "GitHub User Blocked From Organization", "sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e", "type": "eql", - "version": 103 + "version": 105 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.14", @@ -3633,7 +3654,7 @@ "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952", "type": "new_terms", - "version": 103 + "version": 105 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "EggShell Backdoor Execution", @@ -3680,7 +3701,7 @@ "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669", "type": "threshold", - "version": 311 + "version": 313 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "min_stack_version": "8.14", @@ -4254,14 +4275,14 @@ "rule_name": "Unauthorized Access to an Okta Application", "sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd", "type": "query", - "version": 309 + "version": 311 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "min_stack_version": "8.13", - "rule_name": "Unusual High Confidence Misconduct Blocks Detected", - "sha256": "273e5740f1d9e333cd6a22cd396b698234240feab6dba79c175c790fdf183ccc", + "rule_name": "Unusual High Confidence Content Filter Blocks Detected", + "sha256": "b7158a40dd8e99134d485c6d09a2aebc63453ffe622fb446d43f1f4d20247a0e", "type": "esql", - "version": 4 + "version": 5 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.14", @@ -4300,7 +4321,7 @@ "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408", "type": "threshold", - "version": 105 + "version": 107 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", @@ -4559,9 +4580,9 @@ "8.12": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", + "sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74", "type": "query", - "version": 8 + "version": 9 } }, "rule_name": "Exchange Mailbox Export via PowerShell", @@ -4653,7 +4674,7 @@ "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00", "type": "eql", - "version": 104 + "version": 106 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", @@ -4695,9 +4716,9 @@ "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", - "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", + "sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d", "type": "query", - "version": 110 + "version": 111 } }, "rule_name": "PowerShell PSReflect Script", @@ -5260,7 +5281,7 @@ "rule_name": "New User Added To GitHub Organization", "sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4", "type": "eql", - "version": 103 + "version": 105 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "min_stack_version": "8.14", @@ -5284,9 +5305,9 @@ "8.12": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", + "sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8", "type": "query", - "version": 113 + "version": 114 } }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", @@ -5330,7 +5351,7 @@ "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff", "type": "threshold", - "version": 105 + "version": 107 }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.14", @@ -5507,7 +5528,7 @@ "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d", "type": "new_terms", - "version": 104 + "version": 106 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.14", @@ -5579,7 +5600,7 @@ "rule_name": "Attempt to Modify an Okta Policy", "sha256": "391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876", "type": "query", - "version": 309 + "version": 311 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "O365 Mailbox Audit Logging Bypass", @@ -5601,7 +5622,7 @@ "rule_name": "Attempt to Revoke Okta API Token", "sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7", "type": "query", - "version": 309 + "version": 311 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", @@ -5664,7 +5685,7 @@ "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac", "type": "query", - "version": 308 + "version": 310 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.14", @@ -5928,7 +5949,7 @@ "rule_name": "GitHub Repo Created", "sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126", "type": "eql", - "version": 103 + "version": 105 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.14", @@ -6092,7 +6113,7 @@ "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9", "type": "new_terms", - "version": 104 + "version": 106 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", @@ -6236,7 +6257,7 @@ "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff", "type": "query", - "version": 309 + "version": 311 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", @@ -6887,9 +6908,9 @@ "8.12": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", - "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", + "sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5", "type": "query", - "version": 111 + "version": 112 } }, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", @@ -7212,13 +7233,13 @@ "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d", "type": "eql", - "version": 106 + "version": 108 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { "rule_name": "GitHub PAT Access Revoked", "sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5", "type": "eql", - "version": 103 + "version": 105 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", @@ -7256,7 +7277,7 @@ "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3", "type": "query", - "version": 309 + "version": 311 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", @@ -7576,9 +7597,9 @@ "8.12": { "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", - "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", + "sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f", "type": "query", - "version": 8 + "version": 9 } }, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", @@ -7840,7 +7861,7 @@ "rule_name": "Attempt to Create Okta API Token", "sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19", "type": "query", - "version": 308 + "version": 310 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", @@ -7908,7 +7929,7 @@ "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286", "type": "eql", - "version": 312 + "version": 314 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.14", @@ -8146,7 +8167,7 @@ "rule_name": "GitHub Owner Role Granted To User", "sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68", "type": "eql", - "version": 105 + "version": 107 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.14", @@ -9386,7 +9407,7 @@ "rule_name": "Attempt to Delete an Okta Policy", "sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9", "type": "query", - "version": 309 + "version": 311 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", @@ -9527,7 +9548,7 @@ "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48", "type": "query", - "version": 309 + "version": 311 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", @@ -9549,7 +9570,7 @@ "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff", "type": "query", - "version": 308 + "version": 310 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", @@ -10049,6 +10070,13 @@ "type": "eql", "version": 310 }, + "c04be7e0-b0fc-11ef-a826-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM Login Profile Added for Root", + "sha256": "e97ee0da03a10eab7cd326f1e77d4b2c462848200bc15e183a7be0b2074dcca1", + "type": "esql", + "version": 1 + }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", "sha256": "647f3ad965f3c8ae1c09160f3cfab647649612e66c8bb2dd746309e241322f1c", @@ -10436,7 +10464,7 @@ "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9", "type": "query", - "version": 309 + "version": 311 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { "min_stack_version": "8.14", @@ -10452,7 +10480,7 @@ "rule_name": "Attempt to Modify an Okta Application", "sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010", "type": "query", - "version": 308 + "version": 310 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", @@ -10707,7 +10735,7 @@ "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e", "type": "query", - "version": 310 + "version": 312 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", @@ -10729,7 +10757,7 @@ "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4", "type": "query", - "version": 309 + "version": 311 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -10769,7 +10797,7 @@ "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857", "type": "eql", - "version": 311 + "version": 313 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { "min_stack_version": "8.14", @@ -10785,7 +10813,7 @@ "rule_name": "Okta User Session Impersonation", "sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4", "type": "query", - "version": 310 + "version": 312 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.14", @@ -10793,9 +10821,9 @@ "8.12": { "max_allowable_version": 110, "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", + "sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b", "type": "query", - "version": 11 + "version": 12 } }, "rule_name": "Potential PowerShell HackTool Script by Function Names", @@ -10813,7 +10841,7 @@ "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14", "type": "new_terms", - "version": 103 + "version": 105 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.14", @@ -11083,7 +11111,7 @@ "rule_name": "Attempt to Delete an Okta Application", "sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d", "type": "query", - "version": 308 + "version": 310 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", @@ -11158,7 +11186,7 @@ "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2", "type": "query", - "version": 309 + "version": 311 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.14", @@ -11819,7 +11847,7 @@ "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238", "type": "threshold", - "version": 311 + "version": 313 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "rule_name": "Potentially Suspicious Process Started via tmux or screen", @@ -11881,9 +11909,9 @@ "8.12": { "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", - "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", + "sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2", "type": "query", - "version": 112 + "version": 113 } }, "rule_name": "Suspicious .NET Reflection via PowerShell", @@ -12053,7 +12081,7 @@ "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5", "type": "query", - "version": 309 + "version": 311 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.14", @@ -12125,7 +12153,7 @@ "rule_name": "Possible Okta DoS Attack", "sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579", "type": "query", - "version": 308 + "version": 310 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", @@ -12311,7 +12339,7 @@ "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425", "type": "threshold", - "version": 311 + "version": 313 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "AWS EC2 VM Export Failure", @@ -12604,7 +12632,7 @@ "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a", "type": "query", - "version": 309 + "version": 311 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.14", @@ -12649,7 +12677,7 @@ "rule_name": "Okta FastPass Phishing Detection", "sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54", "type": "query", - "version": 206 + "version": 208 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.14", @@ -12761,7 +12789,7 @@ "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1", "type": "query", - "version": 308 + "version": 310 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", @@ -12833,6 +12861,13 @@ "type": "eql", "version": 110 }, + "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { + "min_stack_version": "8.13", + "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", + "sha256": "c38cb3e116786c25852f4790593e82bfaff12642ff456bb3fa6fd5dab8596b3c", + "type": "esql", + "version": 1 + }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "min_stack_version": "8.14", "previous": { @@ -13349,7 +13384,7 @@ "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737", "type": "new_terms", - "version": 103 + "version": 105 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux Network Configuration Discovery", @@ -13416,7 +13451,7 @@ "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317", "type": "query", - "version": 308 + "version": 310 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.14", @@ -13508,7 +13543,7 @@ "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4", "type": "threshold", - "version": 103 + "version": 105 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", @@ -13549,7 +13584,7 @@ "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010", "type": "new_terms", - "version": 103 + "version": 105 }, "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { "rule_name": "User or Group Creation/Modification", @@ -13561,7 +13596,7 @@ "rule_name": "GitHub App Deleted", "sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7", "type": "eql", - "version": 103 + "version": 105 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", @@ -13813,8 +13848,8 @@ }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "a7acb15e762a822b94eadf4a2caebe464a6f3cf2f67bfbcebcacba6c928d5366", + "sha256": "d9a50180875a16c7d3cfedadf27a0c3bb75bd18b950d188993f9ba0f43f504ca", "type": "eql", - "version": 5 + "version": 6 } } \ No newline at end of file