diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 39b85c3c4b7..5696f22778d 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -217,9 +217,9 @@ }, "05e5a668-7b51-4a67-93ab-e9af405c9ef3": { "rule_name": "Interactive Terminal Spawned via Perl", - "sha256": "0c49b5b19550bb53fee01e7520f698f46a9a4a4b78d25014553b9557dcf61ad0", + "sha256": "50342979985de652906db48138fe9ab3e4a5b50313d02ced8e9fcf331f0d3915", "type": "query", - "version": 111 + "version": 112 }, "0635c542-1b96-4335-9b47-126582d2c19a": { "rule_name": "Remote System Discovery Commands", @@ -313,9 +313,9 @@ }, "083383af-b9a4-42b7-a463-29c40efe7797": { "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", - "sha256": "ecac1068b5efcf837a17aa8bc11ec4898b57cf512f3d3953c575a14de27b12e4", + "sha256": "42e7ee3fe98ad169a9e8019700d1dd08faf3bb4fa9e52be141236531ecb4d169", "type": "esql", - "version": 3 + "version": 4 }, "083fa162-e790-4d85-9aeb-4fea04188adb": { "rule_name": "Suspicious Hidden Child Process of Launchd", @@ -331,9 +331,9 @@ }, "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": { "rule_name": "Node.js Pre or Post-Install Script Execution", - "sha256": "7dd24bc87e39f6c85db08894b607ccf895f7b2132659ba4231a27901adbfa0f7", + "sha256": "548398463d4c38c2b93eeae4abccef6032dfbc90b31a756391e48524bd463888", "type": "eql", - "version": 1 + "version": 2 }, "089db1af-740d-4d84-9a5b-babd6de143b0": { "rule_name": "Windows Account or Group Discovery", @@ -451,9 +451,9 @@ }, "0b803267-74c5-444d-ae29-32b5db2d562a": { "rule_name": "Potential Shell via Wildcard Injection Detected", - "sha256": "c947cebb1e87be33e0ee7598eac34dabb449a2ba51d94b993da50309d33f66a7", + "sha256": "6faf5db93057e83066bf13c3aaa4a5a04171fc7c7b8bf01537d922c368d1d30c", "type": "eql", - "version": 110 + "version": 111 }, "0b96dfd8-5b8c-4485-9a1c-69ff7839786a": { "rule_name": "Attempt to Establish VScode Remote Tunnel", 
@@ -511,9 +511,9 @@ }, "0cd2f3e6-41da-40e6-b28b-466f688f00a6": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", - "sha256": "2d520b970c95e1e70958288a6575a3b71c21e856ff41cb18b171b44506169b45", + "sha256": "9d095c731b4c2d46ef473af7f62cb760bc1290a8a9ef4788e231d9ecebfdaecf", "type": "esql", - "version": 6 + "version": 7 }, "0ce6487d-8069-4888-9ddd-61b52490cebc": { "rule_name": "Suspicious Mailbox Permission Delegation in Exchange Online", @@ -529,9 +529,9 @@ }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { "rule_name": "Microsoft Entra ID Suspicious Session Reuse to Graph Access", - "sha256": "b32f370c015bc87d3327691efb6c5857e5df2ea848afca06a613dea840949d2c", + "sha256": "03e76b18164a77064f14c1555c43c90ea31874bf5060b6e700178e3deeccbeeb", "type": "esql", - "version": 5 + "version": 6 }, "0d69150b-96f8-467c-a86d-a67a3378ce77": { "rule_name": "Nping Process Activity", @@ -547,15 +547,15 @@ }, "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": { "rule_name": "AWS Access Token Used from Multiple Addresses", - "sha256": "f9a9b14855cdf4301bdc0e0ea559eb414df0e0156f82ab0b548cfcda7145f622", + "sha256": "367aa86bbae336557e47859aaa7ff46e28884858534ab2e3cf9f597679c3c3dd", "type": "esql", - "version": 103 + "version": 104 }, "0e1af929-42ed-4262-a846-55a7c54e7c84": { "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected", - "sha256": "7f134644d8273c890ac5ca095836aa00db805397f4b82c8ec536a7663c1c7235", + "sha256": "7aff08d29ead13e4514a8f4d8ec07442b5d0682d2fcfc0107c6f5e7fb64e7567", "type": "esql", - "version": 3 + "version": 4 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", 
@@ -571,9 +571,9 @@ }, "0e524fa6-eed3-11ef-82b4-f661ea17fbce": { "rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token", - "sha256": "9c72d66b4c2525136f3f5da3c811654ecb870388d906b8fd7b608ab45ad2f057", + "sha256": "e0fc1db1622a8156c5b0701e10b162b8e5f8710ac73f34baa3029caa90ca4413", "type": "esql", - "version": 4 + "version": 5 }, "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": { "rule_name": "GCP Service Account Key Creation", @@ -793,9 +793,9 @@ }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - Note Files by System", - "sha256": "b101cdc8b23712971e9d06ee19f3e020fc7049e570aae7979071b3f20dfda0a2", + "sha256": "0e44245d4fd649d451bf7f350dd734cfff04db46a625091fb2e7912e67f0e290", "type": "esql", - "version": 211 + "version": 212 }, "139c7458-566a-410c-a5cd-f80238d6a5cd": { "rule_name": "SQL Traffic to the Internet", @@ -883,9 +883,9 @@ }, "1600f9e2-5be6-4742-8593-1ba50cd94069": { "rule_name": "Kubectl Permission Discovery", - "sha256": "af81dab62d4a88b4359136071b95a263a70c91e75bbc8964593fcad6454f9094", + "sha256": "89005b5fcead371a3cf011c3c761cd5988afc55f7cb5ad8132e6f57a186cb2b1", "type": "eql", - "version": 2 + "version": 3 }, "160896de-b66f-42cb-8fef-20f53a9006ea": { "rule_name": "Deprecated - Potential Container Escape via Modified release_agent File", @@ -931,9 +931,9 @@ }, "16acac42-b2f9-4802-9290-d6c30914db6e": { "rule_name": "AWS S3 Static Site JavaScript File Uploaded", - "sha256": "51b1f07322c906fa35afc0c304eeb45453c08f6828dbbd86af3c191f3e80d850", + "sha256": "e5a40d59b233e40a69435ad2be9799c61c53176c8b166c7608b426938b07fb61", "type": "esql", - "version": 3 + "version": 4 }, "16fac1a1-21ee-4ca6-b720-458e3855d046": { "rule_name": "Startup/Logon Script added to Group Policy Object", 
@@ -949,9 +949,9 @@ }, "17261da3-a6d0-463c-aac8-ea1718afcd20": { "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", - "sha256": "5b8d5a1b99c6b3e9b8f23db751a98aa42d12ea85d9927aac93c2ed685d2b6655", + "sha256": "852bbf9498b8b722277364bbd060e191e04de17966cf39f928840e4974f232cc", "type": "esql", - "version": 5 + "version": 6 }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "rule_name": "Unusual Windows Username", @@ -1069,9 +1069,9 @@ }, "19be0164-63d2-11ef-8e38-f661ea17fbce": { "rule_name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests", - "sha256": "93836865cdc9026a4cdaf2a69ae09fc7789927189af5f4ca4a359713fb12d8ec", + "sha256": "7a1e11f1a8e05c40f236b9d16a6caa1d71dcb0ede87104a5c5cab05b1710499e", "type": "esql", - "version": 4 + "version": 5 }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", @@ -1127,6 +1127,12 @@ "type": "eql", "version": 314 }, + "1ac027c2-8c60-4715-af73-927b9c219e20": { + "rule_name": "Windows Server Update Service Spawning Suspicious Processes", + "sha256": "b74e84be6cfe9c1defab5c385b553c14e467b5829d982f21c40c7b3343061ac9", + "type": "eql", + "version": 1 + }, "1b0b4818-5655-409b-9c73-341cac4bb73f": { "rule_name": "Process Created with a Duplicated Token", "sha256": "2d3d874eed0f3d13992e5dbaec2e6f002a36fb0df39992d174abd1d48f5610c0", @@ -1195,9 +1201,9 @@ }, "1d0027d4-6717-4a37-bad8-531d8e9fe53f": { "rule_name": "Potential Hex Payload Execution via Command-Line", - "sha256": "d33be9f91f07fad94c4df50f66bb0183cd737599f18f763dcfbda450b73863c5", + "sha256": "36f46411758ccc6f9b89b35e4e216bf4f132b59110283f249a06f5852c7212fa", "type": "eql", - "version": 2 + "version": 3 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "rule_name": "Remote File Download via Script Interpreter", 
@@ -1309,9 +1315,9 @@ }, "1fa350e0-0aa2-4055-bf8f-ab8b59233e59": { "rule_name": "High Number of Egress Network Connections from Unusual Executable", - "sha256": "c7a8ee25d1dbd3f36d7e967a1a1ade02348f712c5434c99e551d822ea1cd4f53", + "sha256": "73ff955e68e05576fc8ac61907278e7bd62c1ac9ec4f4303ccaeb69bdca65003", "type": "esql", - "version": 6 + "version": 7 }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", @@ -1477,9 +1483,9 @@ }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "9291369067936863eeba16c56062152ab56d940f747576a45d275649b1c22a5f", + "sha256": "5d77b9571fd9befb22e29f6cdfe893e29652ef95b68b9d1a4b92c1ea02d0a907", "type": "esql", - "version": 207 + "version": 208 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "rule_name": "New GitHub Owner Added", @@ -1555,9 +1561,9 @@ }, "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73": { "rule_name": "Unusual High Denied Topic Blocks Detected", - "sha256": "17f2e732dffccfe95b1e8b3fd5f9806361f123bf905d25230378e2f44b8724f3", + "sha256": "f402dc7309dd06392ef91427f1cb93e23a9faae48cc56345bad56494e78803fb", "type": "esql", - "version": 3 + "version": 4 }, "267dace3-a4de-4c94-a7b5-dd6c0f5482e5": { "rule_name": "Successful SSH Authentication from Unusual SSH Public Key", @@ -1585,9 +1591,9 @@ }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { "rule_name": "Potential Microsoft 365 User Account Brute Force", - "sha256": "0fb493e61559cdde3c67997c7b484a73e2f559aaa48ea10c5fa2ffb791811d8d", + "sha256": "2b183c8ff4b1adb9b82389b6ef12b826c27839a89dde915b512be9d4583499ce", "type": "esql", - "version": 414 + "version": 415 }, "27071ea3-e806-4697-8abc-e22c92aa4293": { "rule_name": "PowerShell Script with Archive Compression Capabilities", 
@@ -1639,9 +1645,9 @@ }, "28371aa1-14ed-46cf-ab5b-2fc7d1942278": { "rule_name": "Potential Widespread Malware Infection Across Multiple Hosts", - "sha256": "ce81951ab3d4a4fdf53ec1d89559c7146d3adb5b6d73f7e417446e8307628be9", + "sha256": "4b406b760e32e9a412057481852ee5187afe0ca95f051e000e375a52f6da5f6d", "type": "esql", - "version": 4 + "version": 5 }, "2856446a-34e6-435b-9fb5-f8f040bfa7ed": { "rule_name": "Account Discovery Command via SYSTEM Account", @@ -1813,9 +1819,9 @@ }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected", - "sha256": "829da4a61241f96869d99dd5db9e57c47c25e7f5adfe36283aaabe00129f8639", + "sha256": "09e0db85e9bb2792e16cac43d4386f3e6669fc339ee9f0fd5b9c0766b24390d7", "type": "esql", - "version": 3 + "version": 4 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { "rule_name": "Enumeration of Kernel Modules", @@ -1873,9 +1879,9 @@ }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "3f6b774f3199b84d9f0dead0df2939a3098f91aa984a7bdf1c99262304f6bdcd", + "sha256": "279b0690d3f64f1daee0a3359ba854a476b3caa9d9bf86d9c005065b74ee0b61", "type": "esql", - "version": 308 + "version": 309 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", @@ -1939,9 +1945,9 @@ }, "30b5bb96-c7db-492c-80e9-1eab00db580b": { "rule_name": "AWS S3 Object Versioning Suspended", - "sha256": "e8038fba993b33fd9a9cba680cbdf6f6c2d75e00ede5f4405fad2dca66f1ec7c", + "sha256": "655c3b3d652a1f394b514d40e48d8ad32aa4ad61c36859d48dd4b0145455ad61", "type": "eql", - "version": 5 + "version": 6 }, "30bfddd7-2954-4c9d-bbc6-19a99ca47e23": { "rule_name": "ESXI Timestomping using Touch Command", 
@@ -1975,9 +1981,9 @@ }, "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { "rule_name": "Agent Spoofing - Mismatched Agent ID", - "sha256": "7cec198919a09236965c3fdfd4b59f77b7f52143b5764447161b1098935d2ee3", + "sha256": "fbfd898bc0c202aa3517fc3cd57714c852f81e3b2f0fa54b648b06e1c24452f6", "type": "query", - "version": 103 + "version": 104 }, "31295df3-277b-4c56-a1fb-84e31b4222a9": { "rule_name": "Inbound Connection to an Unsecure Elasticsearch Node", @@ -2005,9 +2011,9 @@ }, "3216949c-9300-4c53-b57a-221e364c6457": { "rule_name": "Unusual High Word Policy Blocks Detected", - "sha256": "5e62d95bdfadfdce8505ea429f74acce99d2c32d8fc2ca48883884f599022754", + "sha256": "c065de140770b25338ed259f21b0ba2ceba8fa855f7ea4c6532010e88a4b77e7", "type": "esql", - "version": 3 + "version": 4 }, "32300431-c2d5-432d-8ec8-0e03f9924756": { "rule_name": "Network Connection from Binary with RWX Memory Region", @@ -2040,10 +2046,10 @@ "version": 318 }, "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc": { - "rule_name": "M365 Portal Login (Atypical Travel)", - "sha256": "a4ce0502b3c36a2a63710f8ce397de99009cc125818e204b07b5a08018f4aefb", + "rule_name": "M365 Identity Login from Atypical Travel Location", + "sha256": "30d151c70b48bcb9403acaac9fdbeefd66a5c29ccbe15d9ce278cc5cb6d15068", "type": "new_terms", - "version": 7 + "version": 8 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "rule_name": "Suspicious MS Outlook Child Process", @@ -2081,6 +2087,12 @@ "type": "eql", "version": 114 }, + "341c6e18-9ef1-437e-bf18-b513f3ae2130": { + "rule_name": "Potential Privilege Escalation via SUID/SGID Proxy Execution", + "sha256": "cbb250758a970f4e6038d54c4841b61b2f956053e11c7677d2eaaebc6c48ba29", + "type": "eql", + "version": 1 + }, "342f834b-21a6-41bf-878c-87d116eba3ee": { "rule_name": "Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container", "sha256": "fbb2b779a78b5d6c820b04c3db01f7bca19d53f3c2c2c32db2ab7af5b15e09c6", 
@@ -2095,9 +2107,9 @@ }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", - "sha256": "d06be28d3364dbd350dea7c15a7869236ff9071a5f45073b7d34dc5d3ecfb65f", + "sha256": "6e83e75d37c6ca6e894f60aca2f968e0db9888439388384b472e8b283a2f0a85", "type": "new_terms", - "version": 4 + "version": 5 }, "34fde489-94b0-4500-a76f-b8a157cf9269": { "rule_name": "Accepted Default Telnet Port Connection", @@ -2125,9 +2137,9 @@ }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { "rule_name": "Microsoft 365 Brute Force via Entra ID Sign-Ins", - "sha256": "60c2fc11978852a996fb278f4aac315cd7c7f33e06b92629a06c3abd34ab6c92", + "sha256": "b4aa448f1ff0dee03c06330055b66b242313310318eb1d2388060d1db5a1f5bc", "type": "esql", - "version": 107 + "version": 108 }, "35c029c3-090e-4a25-b613-0b8099970fc1": { "rule_name": "File System Debugger Launched Inside a Container", @@ -2155,9 +2167,9 @@ }, "36188365-f88f-4f70-8c1d-0b9554186b9c": { "rule_name": "Suspicious Microsoft 365 UserLoggedIn via OAuth Code", - "sha256": "f7b8638c72aa4be24af5867692cba374ef22158cd85a167395211d894ca7f1a7", + "sha256": "2a1752d25fa88edec830a6f8170790bc4acda992a6769dddd9d791d5c6620733", "type": "esql", - "version": 4 + "version": 5 }, "3688577a-d196-11ec-90b0-f661ea17fbce": { "rule_name": "Process Started from Process ID (PID) File", @@ -2185,9 +2197,9 @@ }, "375132c6-25d5-11f0-8745-f661ea17fbcd": { "rule_name": "Suspicious Microsoft OAuth Flow via Auth Broker to DRS", - "sha256": "e3df906d83872fe513b2e15af933e5e5fa83dce1ca44852c161ad6e5f5abe99b", + "sha256": "fb4c20e6bcbe392646ae66c298b52541a50a92d963ab884abfd4da043c128e2e", "type": "esql", - "version": 4 + "version": 5 }, "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { "rule_name": "AWS RDS Security Group Creation", 
@@ -2250,10 +2262,10 @@ "version": 213 }, "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc": { - "rule_name": "M365 Portal Login (Impossible Travel)", - "sha256": "1a136232efc098e05492a02b38c1de4c37e1616b2bb6c7c8047271d53864c005", + "rule_name": "M365 Identity Login from Impossible Travel Location", + "sha256": "052a0f257369554fcb13f156ac2746ee3f5f386df4e4bce25b278a8427e3865f", "type": "threshold", - "version": 7 + "version": 8 }, "38e5acdd-5f20-4d99-8fe4-f0a1a592077f": { "rule_name": "User Added as Owner for Azure Service Principal", @@ -2281,9 +2293,9 @@ }, "393ef120-63d1-11ef-8e38-f661ea17fbce": { "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls", - "sha256": "de1af1001bd67fdd967b116f1da6193d98831a0be504bea9b4c08d2628929381", + "sha256": "61259a7fd31474e07ef6f32f1f11c3e7bd5e381656f8b667d4c02a8db21e117d", "type": "esql", - "version": 5 + "version": 6 }, "397945f3-d39a-4e6f-8bcb-9656c2031438": { "rule_name": "Persistence via Microsoft Outlook VBA", @@ -2347,9 +2359,9 @@ }, "3aff6ab1-18bd-427e-9d4c-c5732110c261": { "rule_name": "Suspicious Kernel Feature Activity", - "sha256": "b19a71af0dd3d0c65908e3a07b6073800094a1af6be7b8e8457d6de5650bf438", + "sha256": "1475f09809ef9abb025cae97a5f28be2648a7ff0d5f8d6031f8b552f5bcd1101", "type": "eql", - "version": 2 + "version": 3 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", @@ -2521,9 +2533,9 @@ }, "3fac01b2-b811-11ef-b25b-f661ea17fbce": { "rule_name": "Microsoft Entra ID MFA TOTP Brute Force Attempts", - "sha256": "7f2ce0ff846c466f2258a4bbbc78e9e8cff7c4a1fc1af9105e4cd51b8bc34df6", + "sha256": "644c0b79e73cbe7f3ae2fc9bb89421c210207ab31270851e167fb2867f0eb2d1", "type": "esql", - "version": 5 + "version": 6 }, "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { "rule_name": "DNF Package Manager Plugin File Creation", 
@@ -2539,9 +2551,9 @@ }, "4021e78d-5293-48d3-adee-a70fa4c18fab": { "rule_name": "Potential Azure OpenAI Model Theft", - "sha256": "f5943841572ea047091c8d64f568053c517e10ee41b48cb5f13a403583415c62", + "sha256": "785d2c7d8206511fdb0a93798255102ab0b1c900ab4d7bc907fb1e30dde95ab4", "type": "esql", - "version": 3 + "version": 4 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { "rule_name": "GitHub User Blocked From Organization", @@ -2599,9 +2611,9 @@ }, "4182e486-fc61-11ee-a05d-f661ea17fbce": { "rule_name": "AWS EC2 EBS Snapshot Shared or Made Public", - "sha256": "c5f336182037e4433738832b6d5bc28d622dd67871af0e6e43f012b1667671f1", - "type": "esql", - "version": 7 + "sha256": "6e0487fa8087c73f97c960fbddba8559fa30f0ffbd5ec6ec7cdc70836e57516e", + "type": "eql", + "version": 8 }, "41b638a1-8ab6-4f8e-86d9-466317ef2db5": { "rule_name": "Potential Hidden Local User Account Creation", @@ -2783,6 +2795,13 @@ "type": "eql", "version": 112 }, + "483832a8-ffdd-4e11-8e96-e0224f7bda9b": { + "min_stack_version": "9.2", + "rule_name": "New USB Storage Device Mounted", + "sha256": "d9c4c1882638f87b1efbed9faeba2bd77e279205865e378e6c57377a911029ac", + "type": "new_terms", + "version": 1 + }, "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "efe13789f0e114a22962a031a630587a9068815b16a6fecfd9212043b5c8e175", @@ -2863,9 +2882,9 @@ }, "498e4094-60e7-11f0-8847-f661ea17fbcd": { "rule_name": "OIDC Discovery URL Changed in Entra ID", - "sha256": "7722977ca172c15543358ec4ecf8b7596fcd1af66ef4e74cca3f684da5c8ba98", + "sha256": "314c7fb5e3c52fc65ff69e1076eb58380ae51c5842f5a9d171cf6300f6ff717d", "type": "esql", - "version": 4 + "version": 5 }, "4a4e23cf-78a2-449c-bac3-701924c269d3": { "rule_name": "Possible FIN7 DGA Command and Control Behavior", 
@@ -2947,9 +2966,9 @@ }, "4c3c6c47-e38f-4944-be27-5c80be973bd7": { "rule_name": "Unusual SSHD Child Process", - "sha256": "ab437647e4c42b5dbbef390721e127a7bbb847211dbd4e8525aba85f0bcc36c9", + "sha256": "143d5f941061398037bece454ac774e85520a0a1c4e3ad5d6658224c4b9da4d4", "type": "new_terms", - "version": 4 + "version": 5 }, "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "rule_name": "PowerShell Share Enumeration Script", @@ -3037,9 +3056,9 @@ }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "rule_name": "Unusual High Confidence Content Filter Blocks Detected", - "sha256": "e5102d089042d08384dbb93e20f1d6ca500573c87d6000063ca8dabf14ba8ce6", + "sha256": "182bc938e327e6c65baf1a2fa6331963551b438902b9978d4d203832c22df4d6", "type": "esql", - "version": 7 + "version": 8 }, "4fe9d835-40e1-452d-8230-17c147cafad8": { "rule_name": "Execution via TSClient Mountpoint", @@ -3199,9 +3218,9 @@ }, "53ef31ea-1f8a-493b-9614-df23d8277232": { "rule_name": "Pluggable Authentication Module (PAM) Source Download", - "sha256": "6561e4ef2050da23f60447670d9e59c3ddfa0c5da7d115c2deb810ca982fbf21", + "sha256": "eefa1455949513067e873bfb9c87497da5a9984e12511c7f75308aa9ed69eb7d", "type": "eql", - "version": 4 + "version": 5 }, "54902e45-3467-49a4-8abc-529f2c8cfb80": { "rule_name": "Uncommon Registry Persistence Change", @@ -3409,9 +3428,9 @@ }, "5a138e2e-aec3-4240-9843-56825d0bc569": { "rule_name": "IPv4/IPv6 Forwarding Activity", - "sha256": "6306291aafc48fbdf6884e130072d6f64ac51aec5a1a517ebde694fef182f68a", + "sha256": "c506a92be8601e924edcb09f22a8f9ce6120705f3d895d1f2fb2cced412e006e", "type": "eql", - "version": 105 + "version": 106 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", 
@@ -3427,9 +3446,9 @@ }, "5a876e0d-d39a-49b9-8ad8-19c9b622203b": { "rule_name": "Command Line Obfuscation via Whitespace Padding", - "sha256": "e8e4200bfd160124ebd18fa2e0136a6e6a467bbd77c38003b4679d2c28ac425a", + "sha256": "a09caeed705d76bf1319270c22c103581fd6f70eb26274edf57869f996ecf4c0", "type": "esql", - "version": 1 + "version": 2 }, "5ab49127-b1b3-46e6-8a38-9e8512a2a363": { "rule_name": "ROT Encoded Python Script Execution", @@ -3439,9 +3458,9 @@ }, "5ae02ebc-a5de-4eac-afe6-c88de696477d": { "rule_name": "Potential Chroot Container Escape via Mount", - "sha256": "b4059f1489642cfd577781cc4bb592210ed1eb9478f8810f63a8d6d4cd9a99f0", + "sha256": "c857ed14ca09f8505114fd0edba3e1aebc519d4769ba8e166ba7663b168e4364", "type": "eql", - "version": 106 + "version": 107 }, "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": { "rule_name": "Remote SSH Login Enabled via systemsetup Command", @@ -3457,9 +3476,9 @@ }, "5b03c9fb-9945-4d2f-9568-fd690fee3fba": { "rule_name": "Virtual Machine Fingerprinting", - "sha256": "a68d1197dbfcde78c418443b44873deec4a06a2723022ccad6b4b536998f5849", + "sha256": "d13947b56b24ecab07a268812dcef3a101cc1257cb5ef56aac5a25583aa8cb13", "type": "query", - "version": 111 + "version": 112 }, "5b06a27f-ad72-4499-91db-0c69667bffa5": { "rule_name": "SUID/SGUID Enumeration Detected", @@ -3499,9 +3518,9 @@ }, "5bdad1d5-5001-4a13-ae99-fa8619500f1a": { "rule_name": "Base64 Decoded Payload Piped to Interpreter", - "sha256": "09b7736bd172c70c630af6568b3e22a57d3aa2c0a8bd1cda795ae81551904c4e", + "sha256": "e38903b010865466b54e4f47257b42b133640c32a19863ade6850a1c8af4e812", "type": "eql", - "version": 3 + "version": 4 }, "5beaebc1-cc13-4bfc-9949-776f9e0dc318": { "rule_name": "AWS WAF Rule or Rule Group Deletion", 
@@ -3625,9 +3644,9 @@ }, "5e4023e7-6357-4061-ae1c-9df33e78c674": { "rule_name": "Memory Swap Modification", - "sha256": "4057788684412d061d4da08a599e2826415b89cea6358903f10773366b45d795", + "sha256": "f1c58177d0689e003821cd34b5c213e5c09f24fb8aeb263fa8087395d0798462", "type": "eql", - "version": 105 + "version": 106 }, "5e552599-ddec-4e14-bad1-28aa42404388": { "rule_name": "Microsoft 365 Teams Guest Access Enabled", @@ -3713,6 +3732,12 @@ "type": "eql", "version": 108 }, + "618bb351-00f0-467b-8956-8cace8b81f07": { + "rule_name": "AWS S3 Bucket Policy Added to Allow Public Access", + "sha256": "fa5970c1b1b13aa4f605f5963559ad1b94b7ca3fabb1f4be3c00ee0c159d9cf0", + "type": "eql", + "version": 1 + }, "61ac3638-40a3-44b2-855a-985636ca985e": { "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "6444953107ff83401fc01f27ae794d13e3408444ee70c27f3b40202cdc04c216", @@ -3835,9 +3860,9 @@ }, "64f17c52-6c6e-479e-ba72-236f3df18f3d": { "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences", - "sha256": "fda6cdc3f42b88f38449c8dc374c2474384889313433b94cfc507f47fcf813c9", + "sha256": "b6cf23674580c2fcf3dd499e987b22b13642b9b8c7eef303611731dcf5d95d3b", "type": "esql", - "version": 5 + "version": 6 }, "6505e02e-28dd-41cd-b18f-64e649caa4e2": { "rule_name": "Manual Memory Dumping via Proc Filesystem", 
@@ -3859,15 +3884,15 @@ }, "65613f5e-0d48-4b55-ad61-2fb9567cb1ad": { "rule_name": "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments", - "sha256": "2b3c16cfb34b61af6507557a60d2afb7a9f8f8b1aa93204f8026476e3f6f2b01", + "sha256": "d11daf5edfaaaa879e4d93099c3ca9eca21ca4120d1d19a492547f0a00d4eba4", "type": "new_terms", - "version": 2 + "version": 3 }, "656739a8-2786-402b-8ee1-22e0762b63ba": { "rule_name": "Unusual Execution from Kernel Thread (kthreadd) Parent", - "sha256": "85068828f8ad2c6992b31af574b8eea3dfd7d81c7609c50c3d09830098e83a94", + "sha256": "2f2b36cd3287567c3df71f99ffa36b3040ae29ca1871d964961cbf2e42e915b1", "type": "new_terms", - "version": 2 + "version": 3 }, "65f9bccd-510b-40df-8263-334f03174fed": { "rule_name": "Kubernetes Exposed Service Created With Type NodePort", @@ -3883,9 +3908,9 @@ }, "6641a5af-fb7e-487a-adc4-9e6503365318": { "rule_name": "Suspicious Termination of ESXI Process", - "sha256": "790e3ecbcdc60ea5dc2354a92eab59b577b49b446d8974b50470c28828ab826e", + "sha256": "9b09c4347a8ab7399513ed370dfa73411d166c2f1fbe8ac68c28632a903dcc5e", "type": "eql", - "version": 10 + "version": 11 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", @@ -3943,9 +3968,9 @@ }, "6756ee27-9152-479b-9b73-54b5bbda301c": { "rule_name": "Rare Connection to WebDAV Target", - "sha256": "226bc2c66a12087220919af679f96b33f238a293993cc8a86a3b04d4544dca5f", + "sha256": "967542c9e365ae3208bfef2073ef7dac00b601c61d74a4487fd3c413c9c9bb3e", "type": "esql", - "version": 2 + "version": 3 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "rule_name": "Attempt to Revoke Okta API Token", 
@@ -3961,9 +3986,9 @@ }, "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b": { "rule_name": "High Number of Process Terminations", - "sha256": "b70379162e6c43363d0f74d4e6d6f9a914c5fba08a7e2e0d774ea7d2fe4a85d9", + "sha256": "9f03da4571706bf3c54798d01621e5d0191cdd91aac549820b7b24c61607f4cb", "type": "threshold", - "version": 114 + "version": 115 }, "68113fdc-3105-4cdd-85bb-e643c416ef0b": { "rule_name": "Query Registry via reg.exe", @@ -4045,9 +4070,9 @@ }, "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { "rule_name": "AWS IAM User Created Access Keys For Another User", - "sha256": "7b39cd5eb1265b38b23ac4a4fd9eac4a5e4b88e749188c3227771a3ae3177289", + "sha256": "c6a4f5ea4aaf2828aef98df69aee67219d99ba0ecd246d64ac8e4fa54c502bb7", "type": "esql", - "version": 8 + "version": 9 }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", @@ -4105,9 +4130,9 @@ }, "6b341d03-1d63-41ac-841a-2009c86959ca": { "rule_name": "Potential Port Scanning Activity from Compromised Host", - "sha256": "7406d86097a7422ef6dff1c3698fde719b64bc5d3f873821eb28bfb4cac1318e", + "sha256": "4cbe1754a667553d0a4cb76f864dbb5f767e24d89bb28bdc19299c59bf411ef5", "type": "esql", - "version": 7 + "version": 8 }, "6b84d470-9036-4cc0-a27c-6d90bbfe81ab": { "rule_name": "Sensitive Files Compression", @@ -4159,9 +4184,9 @@ }, "6ddb6c33-00ce-4acd-832a-24b251512023": { "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse", - "sha256": "8c4f5c161d76288dfa5f503ea1353b52bf9fc70d4dc497687833391b1952227a", + "sha256": "d84e236eff45eec22ad50a0288a325163adbb643b1dfa20e9db617201fe58709", "type": "esql", - "version": 4 + "version": 5 }, "6ded0996-7d4b-40f2-bf4a-6913e7591795": { "rule_name": "Root Certificate Installation", 
@@ -4327,9 +4352,9 @@ }, "713e0f5f-caf7-4dc2-88a7-3561f61f262a": { "rule_name": "AWS EC2 EBS Snapshot Access Removed", - "sha256": "52024b2e77cc4795b4f03cbcbc178c5b1ef9142451d06b12605d4031d44923d9", - "type": "esql", - "version": 2 + "sha256": "b9a41fc8133947dfe33ff0ccc698cf1f61173a14c2e6f0647635f96120c268cc", + "type": "eql", + "version": 3 }, "7164081a-3930-11ed-a261-0242ac120002": { "rule_name": "Kubernetes Container Created with Excessive Linux Capabilities", @@ -4381,9 +4406,9 @@ }, "725a048a-88c5-4fc7-8677-a44fc0031822": { "rule_name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", - "sha256": "f3a375efa9dad165b0ceee2708b1a82c91b5e018d88c7a9b2e3e9b92105cc17e", + "sha256": "4dd3bc4d2338df9e5861a9dd612da6fa7b5e626521e7802ad9e0b71c51f0d760", "type": "esql", - "version": 5 + "version": 6 }, "7290be75-2e10-49ec-b387-d4ed55b920ff": { "rule_name": "Suspicious Network Tool Launched Inside A Container", @@ -4465,15 +4490,15 @@ }, "74e5241e-c1a1-4e70-844e-84ee3d73eb7d": { "rule_name": "Kubectl Workload and Cluster Discovery", - "sha256": "8ff0a1414ddc2ca23f6b2cc65b8d0d14ab94dbb3f7b1eadd08db69f34c251759", + "sha256": "90a45d01eaf0d5df552f32551a7a4d7d49f2b95c746968de7fb580c322514b34", "type": "eql", - "version": 1 + "version": 2 }, "74f45152-9aee-11ef-b0a5-f661ea17fbcd": { "rule_name": "AWS Discovery API Calls via CLI from a Single Resource", - "sha256": "53be035e01bd869c4c8f86c9ace24ef2f4e616229a67d7fdc7f988937f3027c0", + "sha256": "d924ef5485e75e0c8853ab00ccb0ec1126e4e5422f67a276e9ef7ac8c0fb84d7", "type": "esql", - "version": 3 + "version": 4 }, "751b0329-7295-4682-b9c7-4473b99add69": { "rule_name": "Spike in Group Management Events", 
@@ -4555,9 +4580,9 @@ }, "77122db4-5876-4127-b91b-6c179eb21f88": { "rule_name": "Potential Malware-Driven SSH Brute Force Attempt", - "sha256": "8636de92418ba0fb4da7c8ecf7acdb02dc3d945c502ffcedf1c9f4dcdcf5827f", + "sha256": "c5ea04c01e2e9217a341f891ca0800fd62e99df382ee2be595da6d5f98f84b14", "type": "esql", - "version": 6 + "version": 7 }, "774f5e28-7b75-4a58-b94e-41bf060fdd86": { "rule_name": "User Added as Owner for Azure Application", @@ -4649,7 +4674,7 @@ } }, "rule_name": "Execution of a Downloaded Windows Script", - "sha256": "9230aff8470d6cf4f90ca1386ed2eda9416b1028b41d3e3b69304f8d26829e19", + "sha256": "2e5fd5f8a4d3f408aa6fdaa1bd1f128bf6f322f9d431cf50b35d478658849263", "type": "eql", "version": 104 }, @@ -4697,9 +4722,9 @@ }, "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8": { "rule_name": "Potential Privilege Escalation through Writable Docker Socket", - "sha256": "25ceb2317db65f25c36e30c0ef8c8fa5042168f40262eb917405a7b1ca074005", + "sha256": "b1a7438795c58d0002c7f5acb4e0a0e859379c4d78e74453f89e03d1177191c9", "type": "eql", - "version": 9 + "version": 10 }, "7afc6cc9-8800-4c7f-be6b-b688d2dea248": { "rule_name": "Potential Execution via XZBackdoor", @@ -4847,9 +4872,9 @@ }, "7fc95782-4bd1-11f0-9838-f661ea17fbcd": { "rule_name": "Excessive Microsoft 365 Mailbox Items Accessed", - "sha256": "b741065a55b3437b861e17871cd9a198a211a2bb9a6b035fee3b3b7331428b29", + "sha256": "833e32d4e858d775a15c563c6d8dbff41b0cc86acc0854015d0c0311a0b006cf", "type": "query", - "version": 1 + "version": 2 }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "rule_name": "Potential AWS S3 Bucket Ransomware Note Uploaded", 
@@ -4907,9 +4932,9 @@ }, "8167c5ae-3310-439a-8a58-be60f55023d2": { "rule_name": "Suspicious Named Pipe Creation", - "sha256": "494984781f6a9d1a60f60d5ddd02a51a71de36c58fcf5889976860b913bdfbd9", + "sha256": "55f0e104f32d7176a919ccdf1768da387c1690ab1193ab198d38489a7207064c", "type": "new_terms", - "version": 2 + "version": 3 }, "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "rule_name": "PowerShell Script Block Logging Disabled", @@ -5027,15 +5052,15 @@ }, "85e2d45e-a3df-4acf-83d3-21805f564ff4": { "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction", - "sha256": "d20f6ac63151a8527f3e3d7607516b14c02b5d6b364d23f9271adb90900ea3cd", + "sha256": "e0010b13da80d6b7d6a418117dcfeb8273b72aaf61c191ca8ab299b54b0424df", "type": "esql", - "version": 3 + "version": 4 }, "860f2a03-a1cf-48d6-a674-c6d62ae608a1": { "rule_name": "Potential Subnet Scanning Activity from Compromised Host", - "sha256": "2e528cbe49d075785c8bfdb56f1f98a894355c967ffedb16520edafc3eb1b59b", + "sha256": "7b88c16b3a50cdd64c588552cd68380d78a9acb36688af8465c9be3bd6d5df4b", "type": "esql", - "version": 6 + "version": 7 }, "8623535c-1e17-44e1-aa97-7a0699c3037d": { "rule_name": "AWS EC2 Network Access Control List Deletion", @@ -5141,9 +5166,9 @@ }, "894b7cc9-040b-427c-aca5-36b40d3667bf": { "rule_name": "Unusual File Creation by Web Server", - "sha256": "fa5fc4ccea16df933ee8257a2e7743b75e88d0885c61ae805f69b2541793766a", + "sha256": "1e140b1d8d63484bf1b2a20cfcc4c548aae15c70c3bf5382f3f892ccc5870e8d", "type": "esql", - "version": 4 + "version": 5 }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", 
@@ -5213,9 +5238,9 @@ }, "8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d": { "rule_name": "Unusual Command Execution from Web Server Parent", - "sha256": "b46ae0c3ec957325459e7b26755db5f31c216654a2fffa191c8814e5cfc43e8b", + "sha256": "fee2ba485ac76d3a424267b1b9ea79a82de6a3ac864903b1dcbd7f8f5b461ebd", "type": "esql", - "version": 6 + "version": 7 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", @@ -5351,9 +5376,9 @@ }, "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5": { "rule_name": "Entra ID Actor Token User Impersonation Abuse", - "sha256": "f0002ccc4d3221a379817a1e25586dec156802adb108d2cd819bf3c807df770b", + "sha256": "35cb8615df63c9d7ba4a2ad93bf9a1177c7be7644dc539f8ea476d1296d9ddad", "type": "esql", - "version": 1 + "version": 2 }, "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "rule_name": "Bitsadmin Activity", @@ -5363,9 +5388,9 @@ }, "8eeeda11-dca6-4c3e-910f-7089db412d1c": { "rule_name": "Unusual File Transfer Utility Launched", - "sha256": "b22313068d9b66259cfc59c5bdd36076a9d504ead65aeed21bbcd51d82eb3453", + "sha256": "322601a75d0aa9a716a772cdba3bcfc5f67adf7a07454e3ab0a69e5b810fa729", "type": "esql", - "version": 6 + "version": 7 }, "8f242ffb-b191-4803-90ec-0f19942e17fd": { "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", @@ -5441,9 +5466,9 @@ }, "90e5976d-ed8c-489a-a293-bfc57ff8ba89": { "rule_name": "Linux System Information Discovery via Getconf", - "sha256": "de08bafde13be30f25eed89b257f1dcb7cf6d1b591601d9b550285c585feda80", + "sha256": "4687e5bf7ae059a2434a6c4e07de4bdb3447074f7e07cff1fcbc294e415db0f4", "type": "eql", - "version": 3 + "version": 4 }, "90efea04-5675-11f0-8f80-f661ea17fbcd": { "rule_name": "Microsoft Entra ID Suspicious Cloud Device Registration", 
@@ -5573,9 +5598,9 @@ }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "6505082b109534e2c4cd553d3f8cd9769f017009fdc339342458c8e7303c6c37", + "sha256": "68d3152a44bb3233dd6ea2a751dd806a05611119c6d8fdd35a2ce561f77008e8", "type": "esql", - "version": 207 + "version": 208 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", @@ -5615,9 +5640,9 @@ }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "cec23001ee500f02689c9c3895aafe7999e6f7b8609a50e286790cdf5b2f035d", + "sha256": "cd1a5de507c25bd1a6334afde371785eb24794bfa0ef15228a7e405e5ae20e85", "type": "esql", - "version": 207 + "version": 208 }, "962a71ae-aac9-11ef-9348-f661ea17fbce": { "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", @@ -5699,9 +5724,9 @@ }, "976b2391-413f-4a94-acb4-7911f3803346": { "rule_name": "Unusual Process Spawned from Web Server Parent", - "sha256": "86e6bb848041609668083d39fe198b49fdcba76b3f0cf20ff5996c0d9f52abeb", + "sha256": "5d1c7b45878bf61e1e80a4cbf813a5317d226ffd320a33975023057654262b7c", "type": "esql", - "version": 6 + "version": 7 }, "979729e7-0c52-4c4c-b71e-88103304a79f": { "rule_name": "AWS IAM SAML Provider Updated", @@ -5783,9 +5808,9 @@ }, "98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b": { "rule_name": "Kubectl Configuration Discovery", - "sha256": "8e19fcd9899ba3285374e1499fd908f19cbeb9940fd3a022e3629576ac485425", + "sha256": "a0380a2802f3e3c5cd59821753eed10d64ae459756529b19a48d39927de16612", "type": "eql", - "version": 1 + "version": 2 }, "98fd7407-0bd5-5817-cda0-3fcc33113a56": { "rule_name": "Deprecated - AWS EC2 Snapshot Activity", 
@@ -6015,6 +6040,12 @@ "type": "new_terms", "version": 5 }, + "9eaa3fb1-3f70-48ed-bb0e-d7ae4d3c8f28": { + "rule_name": "Potential SSH Password Grabbing via strace", + "sha256": "d1fbdfecf20aea633c89399d5719ce0e0cdff52fc9539fc32975483bc2753471", + "type": "eql", + "version": 1 + }, "9ebd48ac-a0e2-430a-a219-fe072a50146b": { "rule_name": "AWS CloudTrail Log Evasion", "sha256": "9e5d44c6c292f3f18557af3764294a0e03bfcc100c90a5eb9a012b201ecdaca2", @@ -6023,9 +6054,9 @@ }, "9edd1804-83c7-4e48-b97d-c776b4c97564": { "rule_name": "PowerShell Obfuscation via Negative Index String Reversal", - "sha256": "818f3ee681de149ffba0cd3b9141ac53f478b6a921c742d6025a2ab0b70fc92a", + "sha256": "42e0b978f0c0a9c4fbace71206d97c11ef387556c3bff09bae4c49934342707b", "type": "esql", - "version": 3 + "version": 4 }, "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": { "rule_name": "AWS RDS DB Instance Made Public", @@ -6041,9 +6072,9 @@ }, "9f432a8b-9588-4550-838e-1f77285580d3": { "rule_name": "Dynamic IEX Reconstruction via Method String Access", - "sha256": "d780db42a9137fadf25fea4f63c471704e7c6f0b488e4dbb61ceb66ce75e0efc", + "sha256": "e0dfbc0391e8ca17a470e41a103402daeebdac84b5ea26e44496486e852136bf", "type": "esql", - "version": 5 + "version": 6 }, "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "rule_name": "Potential Credential Access via DCSync", @@ -6257,9 +6288,9 @@ }, "a6788d4b-b241-4bf0-8986-a3b4315c5b70": { "rule_name": "AWS S3 Bucket Server Access Logging Disabled", - "sha256": "7a829aa92921bd6efa6172be1cdfd034abfc510741566956703e5412f91935a5", + "sha256": "44d2266516b212b0b177209326e4e81953e7169d03ce0615fa6d86e7754d3bc3", "type": "eql", - "version": 4 + "version": 5 }, "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": { "rule_name": "Emond Rules Creation or Modification", 
@@ -6419,9 +6450,9 @@ }, "ab8f074c-5565-4bc4-991c-d49770e19fc9": { "rule_name": "AWS S3 Object Encryption Using External KMS Key", - "sha256": "757b1c1389a22d0a43661670468aaf5f14b82e884b26c8905f5e9c19b20f0259", + "sha256": "958773d8daef17b9524d9777dd4b3cf3630c13699cceb373bab52de8855ddccf", "type": "esql", - "version": 6 + "version": 7 }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "rule_name": "Unusual Windows Process Calling the Metadata Service", @@ -6545,15 +6576,15 @@ }, "ad959eeb-2b7b-4722-ba08-a45f6622f005": { "rule_name": "Suspicious APT Package Manager Execution", - "sha256": "a5b4fff58ec10241b63897d27655953599e22b8f0be8b6b8df4a941fe7f423a3", + "sha256": "515ced619c9cf8e00f05691b2c4efd58daed98635f6dca75cd4112d8702e1540", "type": "eql", - "version": 108 + "version": 109 }, "adb961e0-cb74-42a0-af9e-29fc41f88f5f": { "rule_name": "File Transfer or Listener Established via Netcat", - "sha256": "def8106673121987611eb73a47a5bdf8f12fd1db3da28561cbcf18fd15935ccd", + "sha256": "4239c0e54a533bf54ce1ffa594d9547a1893c342c07465a5a130880daf78662a", "type": "eql", - "version": 214 + "version": 215 }, "adbfa3ee-777e-4747-b6b0-7bd645f30880": { "rule_name": "Suspicious Communication App Child Process", @@ -6587,9 +6618,9 @@ }, "af1e36fe-0abd-4463-b5ec-4e276dec0b26": { "rule_name": "Linux Telegram API Request", - "sha256": "6ac91d1a303eaa48227d0640d61daf8090249c5177fec04c8eab7eef3e42a2c6", + "sha256": "482b80a69f506310527c64ec1616708293031773f0ceffa382b34a20b90a8723", "type": "eql", - "version": 2 + "version": 3 }, "af22d970-7106-45b4-b5e3-460d15333727": { "rule_name": "First Occurrence of Entra ID Auth via DeviceCode Protocol", 
@@ -6635,9 +6666,9 @@ }, "b0450411-46e5-46d2-9b35-8b5dd9ba763e": { "rule_name": "Potential Denial of Azure OpenAI ML Service", - "sha256": "c1ef34302dc9874b98d408675be77d3bbd72765a0566a6b19735cd3f44abfcf7", + "sha256": "5a86479548e1f4f7144d5006bfc38aad7c46f5d62ab025a804f899a4572ee5cf", "type": "esql", - "version": 3 + "version": 4 }, "b0638186-4f12-48ac-83d2-47e686d08e82": { "rule_name": "Netsh Helper DLL", @@ -6653,9 +6684,9 @@ }, "b0c98cfb-0745-4513-b6f9-08dddb033490": { "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables", - "sha256": "9107236bf5385a208a94f3b3a6934b5e38c8a96c3e94b398a2ca18dfc47a82c6", + "sha256": "7d06dd74453291b00725d654daea341f2ca17b2a79e2b8712d00507005156728", "type": "esql", - "version": 4 + "version": 5 }, "b11116fd-023c-4718-aeb8-fa9d283fc53b": { "rule_name": "Kubeconfig File Creation or Modification", @@ -6671,9 +6702,9 @@ }, "b1773d05-f349-45fb-9850-287b8f92f02d": { "rule_name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", - "sha256": "fe2dd63b825311ec149f4abbb7a2b4ac98755b8186de5519e40c46a42669e1c2", + "sha256": "9e418c454131da6894a78ddf5a4953ab68e81617b619ef5fc4f5b413511a3efb", "type": "esql", - "version": 5 + "version": 6 }, "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { "rule_name": "Potential Persistence via Cron Job", @@ -6845,9 +6876,9 @@ }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", - "sha256": "0e51d8fc1c57ef36f5bed2d775749f39995b2c2e89418ab876477ebc1ce64d85", + "sha256": "b83c04792c72f534bf23f64e67be86d5433487749b84cb43dfb3bba6c90e388d", "type": "eql", - "version": 5 + "version": 6 }, "b8386923-b02c-4b94-986a-d223d9b01f88": { "rule_name": "PowerShell Invoke-NinjaCopy script", 
@@ -6893,9 +6924,9 @@ }, "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc": { "rule_name": "Discovery of Domain Groups", - "sha256": "07f4c4c14408aba1ad815ce9007efc2666185fc6b55c84c54f1a916464ad628e", + "sha256": "78acee60a41b09251f89ee68e7c51c978e7174c9f003de84bcaed2bd0f34ce20", "type": "eql", - "version": 4 + "version": 5 }, "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c": { "rule_name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", @@ -6965,9 +6996,9 @@ }, "bb9b13b2-1700-48a8-a750-b43b0a72ab69": { "rule_name": "AWS EC2 Encryption Disabled", - "sha256": "c649c0cdb3dcd615f29d03f6e087ad2e8872b1668bd0e2c0f589166c67be14fa", + "sha256": "009e2c048bca063a6320909f479f8805963329ccccc062647a0df027bedfac12", "type": "query", - "version": 209 + "version": 210 }, "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1": { "rule_name": "OneDrive Malware File Upload", @@ -7109,9 +7140,9 @@ }, "be70614d-4295-473c-a953-582aef41c865": { "rule_name": "Potential Data Exfiltration Through Curl", - "sha256": "31ebf7429c5ac254ebc96c3aacc840a37e1600d68aeb0a1162386fe4c962209b", + "sha256": "35c5dd9640911b77ed03e88f6ff5d95301aa0aa8c3cf83046c1bc74ba6d4f744", "type": "eql", - "version": 2 + "version": 3 }, "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "rule_name": "Searching for Saved Credentials via VaultCmd", @@ -7127,9 +7158,9 @@ }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", - "sha256": "d710a490ccacc1fadbdceaa8c0c2415722f542b2167371eddef396d13fd5cf1d", + "sha256": "7f645cd63d32a17ade3af3712dc5d24f5e46c114185627849889dcce7cae7751", "type": "eql", - "version": 5 + "version": 6 }, "bfba5158-1fd6-4937-a205-77d96213b341": { "rule_name": "Potential Data Exfiltration Activity to an Unusual Region", 
@@ -7163,9 +7194,9 @@ }, "c07f7898-5dc3-11f0-9f27-f661ea17fbcd": { "rule_name": "Excessive Secret or Key Retrieval from Azure Key Vault", - "sha256": "3042d4bb8ab097ead4fa72001cd04d2743f87611580ff1c9b8bcb407509522ff", + "sha256": "2e6c5a242cd8d1445fad39d2d1f00850d5d419b1081dd65097dacedc7854a35e", "type": "esql", - "version": 4 + "version": 5 }, "c0b9dc99-c696-4779-b086-0d37dc2b3778": { "rule_name": "Memory Dump File with Unusual Extension", @@ -7193,9 +7224,9 @@ }, "c1812764-0788-470f-8e74-eb4a14d47573": { "rule_name": "AWS EC2 Full Network Packet Capture Detected", - "sha256": "c0276f24b0266c561cc8997162b88cb356376f501ac2d4f463594a3cb9bede84", + "sha256": "b0a071b09f705691be80fab8b94940c00eae4ca4783abe359197dc3bede57f69", "type": "query", - "version": 209 + "version": 210 }, "c18975f5-676c-4091-b626-81e8938aa2ee": { "rule_name": "Potential RemoteMonologue Attack", @@ -7325,9 +7356,9 @@ }, "c5637438-e32d-4bb3-bc13-bd7932b3289f": { "rule_name": "Unusual Base64 Encoding/Decoding Activity", - "sha256": "dd7c4d836b8b90c5b5107cc4889992f11f3c126896601722f08d18234919bd58", + "sha256": "2eef1198b4775ccd5423bd2bedf9def5f0e0c0b4a137e9e3331dc2576a3de3f2", "type": "esql", - "version": 5 + "version": 6 }, "c5677997-f75b-4cda-b830-a75920514096": { "rule_name": "Service Path Modification via sc.exe", @@ -7401,6 +7432,12 @@ "type": "esql", "version": 4 }, + "c6b40f4c-c6a9-434e-adb8-989b0d06d005": { + "rule_name": "Suspicious Kerberos Authentication Ticket Request", + "sha256": "e23ea6934805893d0a762d92c016466df1e095e89990ac13b0fd20adf6fcf712", + "type": "eql", + "version": 1 + }, "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": { "rule_name": "AWS IAM API Calls via Temporary Session Tokens", "sha256": "e626b7b443a5465097d8ff16e1c33ef3355689d803f4557bf453f3236e8ea5c3", 
@@ -7595,9 +7632,9 @@ }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "92a2b265f8333817d48a884994a53bfa4d71af4c10f7735ee3308a2767e5154a", + "sha256": "8e7204daa15aa64acf5ab9e352b8e028ba759ad98fbff579bc815a9848e31909", "type": "esql", - "version": 308 + "version": 309 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", @@ -7625,9 +7662,9 @@ }, "cca64114-fb8b-11ef-86e2-f661ea17fbce": { "rule_name": "Microsoft Entra ID Sign-In Brute Force Activity", - "sha256": "a833679669c3857a3d6d6d02eacf8266f01bdb11bdf707600e18c3dd4a2e54c4", + "sha256": "c35589d8fa91f42b8fb5b1eea51ed483b141b2e2be94f3cb9d54764dac4e3a57", "type": "esql", - "version": 5 + "version": 6 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", @@ -7859,9 +7896,9 @@ }, "d43f2b43-02a1-4219-8ce9-10929a32a618": { "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", - "sha256": "d390cfde7a98a3e21ba61d850694e7bef67c2b67e530d666f3bfa33f8965c37b", + "sha256": "5e0286288a46daccf7f9d563112ed05545bab69583b2aa32b10852647b4ef5d9", "type": "esql", - "version": 3 + "version": 4 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", @@ -8075,9 +8112,9 @@ }, "d9af2479-ad13-4471-a312-f586517f1243": { "rule_name": "Curl or Wget Spawned via Node.js", - "sha256": "c9cf92ce2278f727fa0365e0ec18b82701368242dece56d50014c61f32aca9ea", + "sha256": "7d25f249eb1c37f0387a50af1d770254a7a935c20d9520f05e795438d486f719", "type": "eql", - "version": 1 + "version": 2 }, "d9faf1ba-a216-4c29-b8e0-a05a9d14b027": { "rule_name": "Sensitive Files Compression Inside A Container", 
@@ -8159,9 +8196,9 @@ }, "dc61f382-dc0c-4cc0-a845-069f2a071704": { "rule_name": "Git Hook Command Execution", - "sha256": "65bbcb037340b4e176c19b00b45ad4bdbfc83122c4bde2cdf9eefa592ebc5d81", + "sha256": "1183a043e5e0318d1ca4b25e2dbcf9236513dec83e319530014fe69253977ef2", "type": "eql", - "version": 105 + "version": 106 }, "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", @@ -8243,9 +8280,9 @@ }, "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": { "rule_name": "Multiple Microsoft 365 User Account Lockouts in Short Time Window", - "sha256": "8ea7eb9a447ba7324e7fc5acb44be7236513463e0b52bf36585e33ccef606f85", + "sha256": "f775827c15a307f4bfc8c19ca60fc0a488265a1055f37d8dbdf66fddcedc897d", "type": "esql", - "version": 4 + "version": 5 }, "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": { "rule_name": "Unusual Child Process from a System Virtual Process", @@ -8265,6 +8302,12 @@ "type": "new_terms", "version": 108 }, + "deee5856-25ba-438d-ae53-09d66f41b127": { + "rule_name": "AWS EC2 Export Task", + "sha256": "04e0ea59740f3bbe3725c404643d4a307fc746c79a4b4a13bab468c4e51a1d6f", + "type": "query", + "version": 1 + }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", "sha256": "22276ed48570dff5dd0abb9dcb47a087657cc6232ec63597dc0e0b26c49c722e", @@ -8315,9 +8358,9 @@ }, "e00b8d49-632f-4dc6-94a5-76153a481915": { "rule_name": "Delayed Execution via Ping", - "sha256": "226677e1709879f6b2147b84a49d59c0c57872bb5c235328d36a7ba37936b95c", + "sha256": "3db533741b55d6d75bb2c5e997575e42cd8dfe5e3e5c71ca2726a0c46208a150", "type": "eql", - "version": 6 + "version": 7 }, "e02bd3ea-72c6-4181-ac2b-0f83d17ad969": { "rule_name": "Azure Firewall Policy Deletion", 
@@ -8459,9 +8502,9 @@ }, "e3bd85e9-7aff-46eb-b60e-20dfc9020d98": { "rule_name": "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties", - "sha256": "cf796a0f6dfa5c9f8110eb6d749fa7772622db9cc71898722806f98c6edd84be", + "sha256": "30ce8022e8e62dfa59bb2e69c66cf2b49cec6cce4c5274e3536ef7c0062491d8", "type": "esql", - "version": 3 + "version": 4 }, "e3c27562-709a-42bd-82f2-3ed926cced19": { "rule_name": "AWS Route53 private hosted zone associated with a VPC", @@ -8543,9 +8586,9 @@ }, "e5d69377-f8cf-4e8f-8328-690822cd012a": { "rule_name": "GitHub Authentication Token Access via Node.js", - "sha256": "3653340ba27b9372b0aaab1d86c807c88f48932c5f9045e56a5d395f9105fad9", + "sha256": "652b1534fff441e5da35b04c8a1d600d8665dde62361ec127b50db89bb599706", "type": "eql", - "version": 1 + "version": 2 }, "e6c1a552-7776-44ad-ae0f-8746cc07773c": { "rule_name": "Bash Shell Profile Modification", @@ -8657,9 +8700,9 @@ }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", - "sha256": "2003d958b29954da3cb96a7ad03e4c29122f3cdde583ac4052f5f20d5b1e8608", + "sha256": "70238f523a244c54e5d533afdf35c0eb016e7a89fdf5f53db9f37e3e91b4559c", "type": "eql", - "version": 5 + "version": 6 }, "e8ea6f58-0040-11f0-a243-f661ea17fbcd": { "rule_name": "AWS DynamoDB Table Exported to S3", @@ -8675,9 +8718,9 @@ }, "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": { "rule_name": "Potential PowerShell Obfuscation via String Reordering", - "sha256": "40bf0892c2068fff5e2b61f79cb7b0eedd5aaaa6193bd39a6eb188ef6184aac3", + "sha256": "d2f95295421397874a9612a08627ff834430be52aea03bf2db77a9b641da195c", "type": "esql", - "version": 6 + "version": 7 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", 
@@ -8686,10 +8729,10 @@ "version": 415 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { - "rule_name": "AWS EC2 VM Export Failure", - "sha256": "1d3ae981d88e6e54b6ca5ba74e9b97a58f4f9b3bea622a875c9d661eaf38148c", + "rule_name": "Deprecated - AWS EC2 VM Export Failure", + "sha256": "7339232c396fb3ef53df007330bd3fdbe73aba02804975f4a767f59c658cb33f", "type": "query", - "version": 209 + "version": 210 }, "e92c99b6-c547-4bb6-b244-2f27394bc849": { "rule_name": "Spike in Bytes Sent to an External Device via Airdrop", @@ -8993,9 +9036,9 @@ }, "f0cc239b-67fa-46fc-89d4-f861753a40f5": { "rule_name": "Microsoft 365 or Entra ID Sign-in from a Suspicious Source", - "sha256": "1c82a2568d10fea4868e5657b9934f3be6431843d1a284c5dde1fff807ea002e", + "sha256": "b6ae280b291aac4deec3e9f27ab73ae0afa52471e1cb8b5dd6e7874d706274e5", "type": "esql", - "version": 3 + "version": 4 }, "f0dbff4c-1aa7-4458-9ed5-ada472f64970": { "rule_name": "dMSA Account Creation by an Unusual User", @@ -9059,9 +9102,9 @@ }, "f2c653b7-7daf-4774-86f2-34cdbd1fc528": { "rule_name": "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session", - "sha256": "6ff7d13565c3fa8aaf9cead54500dbc3dd13e124a87f2b6c7eaf2d0d528cd55f", + "sha256": "77898c5469949cfb73f4b6a3d6d0e02bceeb8e65bff93cf6a24f6a88223ffadf", "type": "esql", - "version": 3 + "version": 4 }, "f2c7b914-eda3-40c2-96ac-d23ef91776ca": { "rule_name": "SIP Provider Modification", @@ -9113,9 +9156,9 @@ }, "f38633f4-3b31-4c80-b13d-e77c70ce8254": { "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", - "sha256": "4935469fc2fc470b586e4d5f9667f0e749fdc27c59dd87f33de369314ff2c9c4", + "sha256": "0c9ca06dc06f2ec65026cb7a0472081a2aece5bb59900ad0a99e1306ca842b25", "type": "esql", - "version": 4 + "version": 5 }, "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "rule_name": "Kill Command Execution", 
@@ -9167,9 +9210,9 @@ }, "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c": { "rule_name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", - "sha256": "20f641858b068dde9a75476a566ea629fab3125934c93b48a3aacd5f5b076441", + "sha256": "32f734a7ca7c0ede2de12cee44877eff6f0c6b1fd835696e64e13f6376b52917", "type": "esql", - "version": 5 + "version": 6 }, "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": { "rule_name": "DPKG Package Installed by Unusual Parent Process", @@ -9281,9 +9324,9 @@ }, "f6d8c743-0916-4483-8333-3c6f107e0caa": { "rule_name": "Potential PowerShell Obfuscation via String Concatenation", - "sha256": "048b30521186afd04760fc0dfb8ca1957d7f5bdb6c98a7135a9707e201b4939c", + "sha256": "89bd628a65d8efba57ca5a4279fdbb8a3dbe414ee8bab5ccc726f2392189c425", "type": "esql", - "version": 4 + "version": 5 }, "f701be14-0a36-4e9a-a851-b3e20ae55f09": { "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing", @@ -9311,9 +9354,9 @@ }, "f770ce79-05fd-4d74-9866-1c5d66c9b34b": { "rule_name": "Potential Malicious PowerShell Based on Alert Correlation", - "sha256": "4ddf7e935836ae79df33c7406f3e6ca7225d0c4e4f77992dd7ce9913fc461000", + "sha256": "3bb1b5457415afbc01790c12c23c72752d168bf76ed767c4e9eaae3a240e3f3a", "type": "esql", - "version": 2 + "version": 3 }, "f772ec8a-e182-483c-91d2-72058f76a44c": { "rule_name": "AWS CloudWatch Alarm Deletion", @@ -9365,9 +9408,9 @@ }, "f86cd31c-5c7e-4481-99d7-6875a3e31309": { "rule_name": "Printer User (lp) Shell Execution", - "sha256": "73fa9d9578f6690ca855f81f5bb10c8a750b00eb518b225cccb185c75a693c2b", + "sha256": "0b0a96626505d63fb496bf6d6a9a98c9608a9e06cfd0033f50bce04e7d6d2719", "type": "eql", - "version": 7 + "version": 8 }, "f874315d-5188-4b4a-8521-d1c73093a7e4": { "rule_name": "Modification of AmsiEnable Registry Key", 
@@ -9419,9 +9462,9 @@ }, "f9753455-8d55-4ad8-b70a-e07b6f18deea": { "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", - "sha256": "26098d2afb164e6f05a99cf24bd627301f808c5c1240693437cb14925bfab1c0", + "sha256": "3b05a3eb675347f627c2d4b98effbd8fe5cd8eb924ea7110b9fc947fc753525a", "type": "esql", - "version": 3 + "version": 4 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "rule_name": "Privileged Account Brute Force", @@ -9437,9 +9480,9 @@ }, "f9abcddc-a05d-4345-a81d-000b79aa5525": { "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", - "sha256": "fa648e659bffe932aa1fffefe9c560668d631de9217505b3e3a7df813857b011", + "sha256": "20ca9752cbc305147351fbd73c5705e988791b2a8b5ed27d0af2e1bd6bd47449", "type": "esql", - "version": 5 + "version": 6 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "rule_name": "Remote File Copy to a Hidden Share", @@ -9491,9 +9534,9 @@ }, "fb16f9ef-cb03-4234-adc2-44641f3b71ee": { "rule_name": "Azure OpenAI Insecure Output Handling", - "sha256": "799952ea9ded7fa71e9d842e3a27b248bc6c4d49ac83aa56949ca1bd6d6447df", + "sha256": "be48db6e30b0170a36b5062f126e73ca47624d8431d7c42a25da373ec3441207", "type": "esql", - "version": 3 + "version": 4 }, "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": { "rule_name": "Unusual Group Name Accessed by a User", @@ -9683,9 +9726,9 @@ }, "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", - "sha256": "07d9e674bd98c3887caebf9c24b25366899c3c3cad0ac4cdcc322c0765ecdbc5", - "type": "query", - "version": 5 + "sha256": "c856dc43828db7fa202981782f293b815fc5282e7b70e542f5f5561f5eaf328e", + "type": "eql", + "version": 6 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "rule_name": "LSASS Process Access via Windows API", diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md index fe42f5cef10..2fb6a401cab 100644 --- a/docs-dev/ATT&CK-coverage.md +++ b/docs-dev/ATT&CK-coverage.md 
@@ -103,6 +103,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-cyberark-pas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-cyberark-pas.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-data-exfiltration-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-data-exfiltration-detection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-defense-evasion](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-defense-evasion.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-device-control](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-device-control.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-discovery](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-discovery.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-domain-generation-algorithm-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-domain-generation-algorithm-detection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-elastic-defend](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-elastic-defend.json&leave_site_dialog=false&tabs=false)|
diff --git a/pyproject.toml b/pyproject.toml
index 79d3df01241..d8f88794f62 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.6"
+version = "1.5.7"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"