elastic · shashank-elastic · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/12/09"
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-configuration where event.dataset == "github.audit" 
+configuration where event.dataset == "github.audit"
   and github.category == "protected_branch" and event.type == "change"
 '''
 

diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/12/09"
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/12/09"
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
@@ -29,8 +31,8 @@ timestamp_override = "event.ingested"
 type = "threshold"
 
 query = '''
-event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and 
-github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and 
+event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
 github.repository_public:false
 '''
 

diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2023/12/14"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/12/09"
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/12/09"
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/12/09"
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/12/09"
+updated_date = "2024/12/10"
+min_stack_version = "8.13.0"
+min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]

diff --git a/...grations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/...grations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/...grations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/...grations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/11/27"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+min_stack_version = "8.15.0"
+updated_date = "2024/12/09"
 
 [rule]
 author = ["Elastic"]

diff --git a/...ons/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml b/...ons/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/11/27"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+min_stack_version = "8.15.0"
+updated_date = "2024/12/09"
 
 [rule]
 author = ["Elastic"]

diff --git a/...ential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/...ential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/11/27"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+min_stack_version = "8.15.0"
+updated_date = "2024/12/09"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/...ntegrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml b/...ntegrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
-min_stack_version = "8.14.0"
-updated_date = "2024/11/27"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+min_stack_version = "8.15.0"
+updated_date = "2024/12/09"
 
 [rule]
 author = ["Elastic"]

diff --git a/...ta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/...ta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/...ons/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/...ons/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/11"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

diff --git a/...grations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/...grations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/11/27"
-min_stack_version = "8.14.0"
-min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+updated_date = "2024/12/09"
+min_stack_version = "8.15.0"
+min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]