From 32f0de27bd6ad9579b1764c7f5ead0e6e65af5d9 Mon Sep 17 00:00:00 2001
From: shashank-elastic
Date: Mon, 8 Dec 2025 18:45:10 +0000
Subject: [PATCH 1/2] Locked versions for releases: 8.19,9.0,9.1,9.2
---
 detection_rules/etc/version.lock.json | 513 +++++++++++++++++---------
 docs-dev/ATT&CK-coverage.md | 16 +
 2 files changed, 356 insertions(+), 173 deletions(-)
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index c67e5e75a48..0177569b585 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -42,10 +42,10 @@
 "version": 210
 },
 "015cca13-8832-49ac-a01b-a396114809f6": {
- "rule_name": "AWS Redshift Cluster Creation",
- "sha256": "485c2fd72b03d329a939d9aa2e0ed1fa869c9af0d75c6d1daaa066f99de00a26",
+ "rule_name": "Deprecated - AWS Redshift Cluster Creation",
+ "sha256": "f6e7e8c38698de53c1f503b5a483cd61fe060eba93c72f3d9d394148f9fb36ea",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "0171f283-ade7-4f87-9521-ac346c68cc9b": {
 "rule_name": "Potential Network Scan Detected",
@@ -313,9 +313,9 @@
 },
 "083383af-b9a4-42b7-a463-29c40efe7797": {
 "rule_name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation",
- "sha256": "42e7ee3fe98ad169a9e8019700d1dd08faf3bb4fa9e52be141236531ecb4d169",
+ "sha256": "4f14a718a89be4d729c0a63c46e4f6194cbbf0b477b7d7b0ba68c9b0ecf8c7b7",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "083fa162-e790-4d85-9aeb-4fea04188adb": {
 "rule_name": "Suspicious Hidden Child Process of Launchd",
@@ -331,9 +331,9 @@
 },
 "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db": {
 "rule_name": "Node.js Pre or Post-Install Script Execution",
- "sha256": "548398463d4c38c2b93eeae4abccef6032dfbc90b31a756391e48524bd463888",
+ "sha256": "95dfc163dc1bc31c6f67c9956a92031cea559ff27d774bc621436fbce4e3c4be",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "089db1af-740d-4d84-9a5b-babd6de143b0": {
 "rule_name": "Windows Account or Group Discovery",
@@ -463,9 +463,9 @@
 },
 "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe": {
 "rule_name": "Elastic Defend and Network Security Alerts Correlation",
- "sha256": "183cf42353fc5c65f841949b0932e3d3f3b22db72e600770b7384c9763af5fb6",
+ "sha256": "056d4ea5cd3b4e8aa563e49d2404f2c0050940516ba5249574bee7bb2353f021",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "0c093569-dff9-42b6-87b1-0242d9f7d9b4": {
 "rule_name": "Processes with Trailing Spaces",
@@ -553,9 +553,9 @@
 },
 "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": {
 "rule_name": "AWS Access Token Used from Multiple Addresses",
- "sha256": "367aa86bbae336557e47859aaa7ff46e28884858534ab2e3cf9f597679c3c3dd",
+ "sha256": "8fa1e1fae1b9df0dcbf613745f11a37be91a3a4f12fffdfb2683e0d606fdb20b",
 "type": "esql",
- "version": 104
+ "version": 105
 },
 "0e1af929-42ed-4262-a846-55a7c54e7c84": {
 "rule_name": "Unusual High Denied Sensitive Information Policy Blocks Detected",
@@ -577,9 +577,9 @@
 },
 "0e524fa6-eed3-11ef-82b4-f661ea17fbce": {
 "rule_name": "M365 OneDrive Excessive File Downloads with OAuth Token",
- "sha256": "e0fc1db1622a8156c5b0701e10b162b8e5f8710ac73f34baa3029caa90ca4413",
+ "sha256": "c5c25c606f65d1dd93f7bb4554ef93fa844d008166cd092acbbb3fedbd622373",
 "type": "esql",
- "version": 5
+ "version": 6
 },
 "0e5acaae-6a64-4bbc-adb8-27649c03f7e1": {
 "rule_name": "GCP Service Account Key Creation",
@@ -691,9 +691,9 @@
 },
 "119c8877-8613-416d-a98a-96b6664ee73a": {
 "rule_name": "AWS RDS Snapshot Export",
- "sha256": "0cde2bfbacf1d5ad63f6bb5e0964b3b5a2a15cf4882e8cba347f52c5989079da",
+ "sha256": "bed507515e00c4a06151d8f8fb70eff8c61569f774c6889d3cbda5bee2cb6010",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "119c8877-8613-416d-a98a-96b6664ee73a5": {
 "rule_name": "AWS RDS Snapshot Export",
@@ -949,9 +949,9 @@
 },
 "1719ee47-89b8-4407-9d55-6dff2629dd4c": {
 "rule_name": "Persistence via a Windows Installer",
- "sha256": "9d071673dc778a2ba73f917a3d9f6ec217c7c494f6a407363675471350a5deed",
+ "sha256": "11c0bff91c47efa25c0f5f167b3d977f3ac07a6fb5ff0158d88d3445efe327d9",
 "type": "eql",
- "version": 4
+ "version": 5
 },
 "17261da3-a6d0-463c-aac8-ea1718afcd20": {
 "rule_name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User",
@@ -1015,9 +1015,9 @@
 },
 "17e68559-b274-4948-ad0b-f8415bb31126": {
 "rule_name": "Unusual Network Destination Domain Name",
- "sha256": "599cc8905fe0fb2873fc02bca62c1ebf97d34b684180665e7e909d527e509ad7",
+ "sha256": "2f942b288c66f4480066469ad579758c9ff2fe4287501321cfcac506bd4e3288",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 },
 "181f6b23-3799-445e-9589-0018328a9e46": {
 "rule_name": "Script Execution via Microsoft HTML Application",
@@ -1057,9 +1057,9 @@
 },
 "192657ba-ab0e-4901-89a2-911d611eee98": {
 "rule_name": "Potential Persistence via File Modification",
- "sha256": "2bfc3b450c5f44d97b88b26d385af8956ca80d7cb2d78e45b85b0df3fc06993d",
+ "sha256": "0199418e23bdf78a20dd96bd7572555513e8aaa1350c6e48d99cf860a48b9ba9",
 "type": "eql",
- "version": 9
+ "version": 10
 },
 "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": {
 "rule_name": "Potential Privilege Escalation via Recently Compiled Executable",
@@ -1081,9 +1081,9 @@
 },
 "19de8096-e2b0-4bd8-80c9-34a820813fff": {
 "rule_name": "Rare AWS Error Code",
- "sha256": "c5ccfa06fcb6ada608a35d93744993c3f48966ce6d4323197e222dcb5324993f",
+ "sha256": "b836fac20b0940bfc3175c371b5a9a9693cc738c58e02cce56b41be1d943bddb",
 "type": "machine_learning",
- "version": 211
+ "version": 212
 },
 "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": {
 "rule_name": "Spike in Number of Processes in an RDP Session",
@@ -1111,9 +1111,9 @@
 },
 "1a3f2a4c-12d0-4b88-961a-2711ee295637": {
 "rule_name": "Potential System Tampering via File Modification",
- "sha256": "103948de64613c9e00529640ef48bc2472935b80420628f0917df58b4f57ff10",
+ "sha256": "01016fb07b4de034fd77a549366e844c1df0ef74f37599b5e5b3dc0e87a4c168",
 "type": "eql",
- "version": 2
+ "version": 3
 },
 "1a6075b0-7479-450e-8fe7-b8b8438ac570": {
 "rule_name": "Execution of COM object via Xwizard",
@@ -1217,6 +1217,12 @@
 "type": "eql",
 "version": 213
 },
+ "1d306bf0-7bcf-4acd-83fd-042f5711acc9": {
+ "rule_name": "Initial Access via File Upload Followed by GET Request",
+ "sha256": "97574d1e96bef8af267abfb06bc0f7cb8d0586d2437b3b101bee18f491296858",
+ "type": "eql",
+ "version": 1
+ },
 "1d485649-c486-4f1d-a99c-8d64795795ad": {
 "rule_name": "Potential CVE-2025-32463 Sudo Chroot Execution Attempt",
 "sha256": "c074d6687b59f8e9a8ddf9fb262efa268ccb014e0e218c7d1f8ee218f6d627eb",
@@ -1585,9 +1591,9 @@
 },
 "26b01043-4f04-4d2f-882a-5a1d2e95751b": {
 "rule_name": "Privileges Elevation via Parent Process PID Spoofing",
- "sha256": "beb3cd25d9df9767e008011425e30dbaed0ffa3f3d1fc6ba941135fedad0e089",
+ "sha256": "7851f2067a7914e98ceb33a4459b1b3eaae624ac3470df3cddde0f895f395d3d",
 "type": "eql",
- "version": 10
+ "version": 11
 },
 "26edba02-6979-4bce-920a-70b080a7be81": {
 "rule_name": "Azure Active Directory High Risk User Sign-in Heuristic",
@@ -1830,11 +1836,20 @@
 "version": 207
 },
 "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": {
- "min_stack_version": "8.19",
+ "min_stack_version": "9.0",
+ "previous": {
+ "8.19": {
+ "max_allowable_version": 105,
+ "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected",
+ "sha256": "09e0db85e9bb2792e16cac43d4386f3e6669fc339ee9f0fd5b9c0766b24390d7",
+ "type": "esql",
+ "version": 6
+ }
+ },
 "rule_name": "Microsoft Entra ID Excessive Account Lockouts Detected",
 "sha256": "aaad9534812f266fd81a731fb54499b095a087e856fc3d3ace34585f13135842",
 "type": "threshold",
- "version": 5
+ "version": 106
 },
 "2d8043ed-5bda-4caf-801c-c1feb7410504": {
 "rule_name": "Enumeration of Kernel Modules",
@@ -2073,9 +2088,9 @@
 "32f95776-6498-4f3c-a90c-d4f6083e3901": {
 "min_stack_version": "9.1",
 "rule_name": "Potential Masquerading as Svchost",
- "sha256": "4afcc293f2da3e0d75279f561aff916cea9a37c827cb4cfa6c093a43be40acf2",
+ "sha256": "30826654b84c8a5018f4c8d5c115a0016759528fe1b85df69b8604c674ec7e95",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "3302835b-0049-4004-a325-660b1fba1f67": {
 "rule_name": "Directory Creation in /bin directory",
@@ -2175,9 +2190,9 @@
 },
 "35f86980-1fb1-4dff-b311-3be941549c8d": {
 "rule_name": "Network Traffic to Rare Destination Country",
- "sha256": "f387323689ef2cf34009ce6de40a191fa010ffb20334c5a343789667490315d6",
+ "sha256": "2076f8bac484f53cb646463676897a5173dc94e42712835dcbc45c9f571f6a56",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 },
 "3605a013-6f0c-4f7d-88a5-326f5be262ec": {
 "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP",
@@ -2319,9 +2334,9 @@
 },
 "393ef120-63d1-11ef-8e38-f661ea17fbce": {
 "rule_name": "AWS EC2 Multi-Region DescribeInstances API Calls",
- "sha256": "61259a7fd31474e07ef6f32f1f11c3e7bd5e381656f8b667d4c02a8db21e117d",
+ "sha256": "a2ae354dd666a1ae571d0b286934c5d03358e88ab0e6ed648b6e49e82281940a",
 "type": "esql",
- "version": 6
+ "version": 7
 },
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "rule_name": "Persistence via Microsoft Outlook VBA",
@@ -2427,9 +2442,9 @@
 },
 "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
 "rule_name": "Unusual Linux Network Port Activity",
- "sha256": "e28820cdef8824c303418b68a7e76996a4b6f9692520a06646c81c82c8ab4d6a",
+ "sha256": "90959aa7c932be6c768d07a768fca0c68d5723a9ef7996a75caa8f0bf3d55716",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 },
 "3c9f7901-01d8-465d-8dc0-5d46671035fa": {
 "rule_name": "Kernel Seeking Activity",
@@ -2455,6 +2470,12 @@
 "type": "query",
 "version": 210
 },
+ "3db029b3-fbb7-4697-ad07-33cbfd5bd080": {
+ "rule_name": "Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode",
+ "sha256": "3c165b3d0b7f63d4296bd1183d680a1097e47aeb7ca1b84255b0ff6d6d89d107",
+ "type": "esql",
+ "version": 1
+ },
 "3df49ff6-985d-11ef-88a1-f661ea17fbcd": {
 "rule_name": "AWS SNS Rare Protocol Subscription by User",
 "sha256": "6058fa96b4d3ccbd3cbe0800857ef03594df77f0f35cf37710da392649d733c3",
@@ -2593,6 +2614,12 @@
 "type": "eql",
 "version": 315
 },
+ "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1": {
+ "rule_name": "New GitHub Self Hosted Action Runner",
+ "sha256": "afbae386edf6dfb7e342c2fe33cd1ac8a58684a2d50313d22bba2a50c259afb8",
+ "type": "new_terms",
+ "version": 1
+ },
 "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
 "rule_name": "Suspicious Modprobe File Event",
 "sha256": "f74b29a60a90fdca80a92b306db20a9ad31e53709a4d46bea0308cb9f1bde95c",
@@ -2739,9 +2766,9 @@
 },
 "4577ef08-61d1-4458-909f-25a4b10c87fe": {
 "rule_name": "AWS RDS DB Snapshot Shared with Another Account",
- "sha256": "0a49b0bc11b7b7734b51c058fb7b983d9dc746749a1489031c26efc399d833fb",
+ "sha256": "fea0eb1b7a074a7c66598a13e49915f3809a1946f0ddcf5e238359c001a27692",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "rule_name": "Windows Event Logs Cleared",
@@ -2749,6 +2776,13 @@
 "type": "query",
 "version": 215
 },
+ "45d099b4-a12e-4913-951c-0129f73efb41": {
+ "min_stack_version": "9.2",
+ "rule_name": "Web Server Potential Remote File Inclusion Activity",
+ "sha256": "ff25fabd9223a7102f408eb2923f5a338aa9ebb6eb2990bab28b37fa546e040f",
+ "type": "esql",
+ "version": 1
+ },
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "rule_name": "Encrypting Files with WinRar or 7z",
 "sha256": "d587f84061510af81e4d24d6a46b7d23a87048e8f6d3d1172b32452a1d829ae5",
@@ -2779,6 +2813,12 @@
 "type": "machine_learning",
 "version": 108
 },
+ "472b4944-d810-43cf-83dc-7d080ae1b8dd": {
+ "rule_name": "Multiple Cloud Secrets Accessed by Source Address",
+ "sha256": "63d56fef38ba2b4ccd12a2c05513698e2ff41e5070dae3e915f65671915d9490",
+ "type": "esql",
+ "version": 1
+ },
 "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
 "rule_name": "System V Init Script Created",
 "sha256": "962ab60a7b6b0263c7388f0355f15fac1e3a3d9003b2d0ab2d625af6b790d76a",
@@ -2787,9 +2827,9 @@
 },
 "47595dea-452b-4d37-b82d-6dd691325139": {
 "rule_name": "Credential Access via TruffleHog Execution",
- "sha256": "be16d5f3a77572e7460510d143328a666363e19e7d40eca3719eb3d2a314ff6b",
+ "sha256": "0ebaa20afe2747b15511424d174dff2a614551b155f5398c86ae2a524375e129",
 "type": "eql",
- "version": 1
+ "version": 2
 },
 "475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
 "rule_name": "Deprecated - Sensitive Files Compression Inside A Container",
@@ -3190,9 +3230,9 @@
 },
 "52afbdc5-db15-485e-bc24-f5707f820c4b": {
 "rule_name": "Unusual Linux Network Activity",
- "sha256": "ab770d636e60e934030892c3300fbde621dafef776555bd84887bb2d146ec07d",
+ "sha256": "62bd8f8c90f70c3a4eb3671d95b3b6e54bd72c9902ec472ed75dbc680856fa84",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 },
 "52afbdc5-db15-485e-bc35-f5707f820c4c": {
 "rule_name": "Unusual Linux Web Activity",
@@ -3219,10 +3259,10 @@
 "version": 14
 },
 "536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
- "rule_name": "AWS EFS File System or Mount Deleted",
- "sha256": "0937e3ed0e1bfaded40e2d98b86747c93987130ca395825e0d477467a192e258",
+ "rule_name": "AWS EFS File System Deleted",
+ "sha256": "609ed621a69c3390bab0a9033977e866424574af96e87ba8f51ba3731d8ad7cd",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de": {
 "rule_name": "Azure Diagnostic Settings Deletion",
@@ -3392,6 +3432,12 @@
 "type": "eql",
 "version": 208
 },
+ "57e118c1-19eb-4c20-93a6-8a6c30a5b48b": {
+ "rule_name": "Remote GitHub Actions Runner Registration",
+ "sha256": "1d0cb6b6f76ce755ca5fb4d086cbe1b222f7cf1a54d1751338d1440ff5acdcc3",
+ "type": "eql",
+ "version": 1
+ },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Backup Deletion with Wbadmin",
 "sha256": "bd99f1c1dc1bbc1957f29cd1c182ab5d00d9770fd4dd77a724fee4634f6f8135",
@@ -3428,6 +3474,12 @@
 "type": "eql",
 "version": 114
 },
+ "590fc62d-7386-4c75-92b0-af4517018da1": {
+ "rule_name": "Unusual Process Modifying GenAI Configuration File",
+ "sha256": "d15498a6c01273b39703c3016c982fcab89864cd34a4a815be7323f64ad64615",
+ "type": "new_terms",
+ "version": 1
+ },
 "5919988c-29e1-4908-83aa-1f087a838f63": {
 "rule_name": "File or Directory Deletion Command",
 "sha256": "580ad4755828bed2eed4fc05fda6a383cb56bcfad28fbc5784fe8aa3b56558e2",
@@ -3898,9 +3950,9 @@
 },
 "64f17c52-6c6e-479e-ba72-236f3df18f3d": {
 "rule_name": "Potential PowerShell Obfuscation via Invalid Escape Sequences",
- "sha256": "b6cf23674580c2fcf3dd499e987b22b13642b9b8c7eef303611731dcf5d95d3b",
+ "sha256": "d942ea2a574b0c58f9570daac07cd6d5436809cbac8cb59e98a55aa70dae7c3c",
 "type": "esql",
- "version": 6
+ "version": 7
 },
 "6505e02e-28dd-41cd-b18f-64e649caa4e2": {
 "rule_name": "Manual Memory Dumping via Proc Filesystem",
@@ -3932,6 +3984,12 @@
 "type": "new_terms",
 "version": 3
 },
+ "65f28c4d-cfc8-4847-9cca-f2fb1e319151": {
+ "rule_name": "Unusual Web Server Command Execution",
+ "sha256": "a00138f5ac336eb4408e082304d0d74c151617aa44a0444dd0acb8960b67777e",
+ "type": "new_terms",
+ "version": 1
+ },
 "65f9bccd-510b-40df-8263-334f03174fed": {
 "rule_name": "Kubernetes Exposed Service Created With Type NodePort",
 "sha256": "2962f75c4c913a7ae6568d692aa100bc991b3f0a49913ed652b7423b7d56b4cd",
@@ -3946,9 +4004,9 @@
 },
 "6631a759-4559-4c33-a392-13f146c8bcc4": {
 "rule_name": "Potential Spike in Web Server Error Logs",
- "sha256": "98be4f9eef1a15a275f88c7d941c841e8bf9c82a05e15cb84747255c255d396c",
+ "sha256": "effc61a862d7377ca5db5b1edccd523326415b1fad2a0176cf40a825888b0431",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "6641a5af-fb7e-487a-adc4-9e6503365318": {
 "rule_name": "Suspicious Termination of ESXI Process",
@@ -3976,9 +4034,9 @@
 },
 "66883649-f908-4a5b-a1e0-54090a1d3a32": {
 "rule_name": "Connection to Commonly Abused Web Services",
- "sha256": "ed15ffb242f86a6f50709786a298deaf34a408fe5da570d4456f637e5ac04586",
+ "sha256": "341b1d747c5f1911c4deea9190dfab0c542a5d1d67dcc459764f21997264f460",
 "type": "eql",
- "version": 123
+ "version": 124
 },
 "66c058f3-99f4-4d18-952b-43348f2577a0": {
 "rule_name": "Linux Process Hooking via GDB",
@@ -4012,9 +4070,9 @@
 },
 "6756ee27-9152-479b-9b73-54b5bbda301c": {
 "rule_name": "Rare Connection to WebDAV Target",
- "sha256": "967542c9e365ae3208bfef2073ef7dac00b601c61d74a4487fd3c413c9c9bb3e",
+ "sha256": "2256b4ec67c4244841a6cbd5d266f2fa67bf43eb4fef34a0a2f0ec5958f6cf9c",
 "type": "esql",
- "version": 3
+ "version": 4
 },
 "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
 "rule_name": "Attempt to Revoke Okta API Token",
@@ -4114,9 +4172,9 @@
 },
 "6951f15e-533c-4a60-8014-a3c3ab851a1b": {
 "rule_name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion",
- "sha256": "dd12550a3cff20c4f63fc6067d74d35429245b167537619b73a3d2a44d4250db",
+ "sha256": "7d47c62652d1fd5b413a4b287ec7edaf4ad513a4c97d9db1b56892a3639fca0b",
 "type": "query",
- "version": 109
+ "version": 110
 },
 "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": {
 "rule_name": "AWS IAM User Created Access Keys For Another User",
@@ -4234,9 +4292,9 @@
 },
 "6ddb6c33-00ce-4acd-832a-24b251512023": {
 "rule_name": "Potential PowerShell Obfuscation via Special Character Overuse",
- "sha256": "d84e236eff45eec22ad50a0288a325163adbb643b1dfa20e9db617201fe58709",
+ "sha256": "adde7f16204d80d3990b8f91dcb264ce4dc3b467b3aff63719ee416a82b35660",
 "type": "esql",
- "version": 5
+ "version": 6
 },
 "6ded0996-7d4b-40f2-bf4a-6913e7591795": {
 "rule_name": "Root Certificate Installation",
@@ -4348,9 +4406,9 @@
 },
 "6fa3abe3-9cd8-41de-951b-51ed8f710523": {
 "rule_name": "Web Server Potential Spike in Error Response Codes",
- "sha256": "8b34b274384a2853c8fe78423e0cc186bc5ae6593ca179b7160bb5e5d818efb5",
+ "sha256": "3802d6b986d632b4d8b454c524e9c70e97a2025548c150279629e3a953827f8b",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "6fb2280a-d91a-4e64-a97e-1332284d9391": {
 "rule_name": "Spike in Special Privilege Use Events",
@@ -4552,9 +4610,9 @@
 },
 "74f45152-9aee-11ef-b0a5-f661ea17fbcd": {
 "rule_name": "AWS Discovery API Calls via CLI from a Single Resource",
- "sha256": "d924ef5485e75e0c8853ab00ccb0ec1126e4e5422f67a276e9ef7ac8c0fb84d7",
+ "sha256": "dc6a565326bdc13f67b5abbecf56477d61decfb1c6d3f80667b859b733d7acc4",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "751b0329-7295-4682-b9c7-4473b99add69": {
 "rule_name": "Spike in Group Management Events",
@@ -4684,9 +4742,9 @@
 },
 "78d3d8d9-b476-451d-a9e0-7a5addd70670": {
 "rule_name": "Spike in AWS Error Messages",
- "sha256": "23b9183b0b627393d88469e86e1b3ed49184a6b912ce0286003e993fe66341db",
+ "sha256": "ded06db1377caef944e1ffc5df502ec0a2060571e408b0973f71c22b6a2d0c89",
 "type": "machine_learning",
- "version": 211
+ "version": 212
 },
 "78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
 "rule_name": "Suspicious ScreenConnect Client Child Process",
@@ -4916,9 +4974,15 @@
 },
 "7f65f984-5642-4291-a0a0-2bbefce4c617": {
 "rule_name": "Python Path File (pth) Creation",
- "sha256": "51f4a31fd30564d6ed4c5f7b2b7fc3a1dcc968bde90c6d00593f4bc6e8ac17a3",
+ "sha256": "e59c0b9eacb4545d608aaddd4b9af94f9ee69288094831c2ca30b6f0308083d0",
 "type": "eql",
- "version": 3
+ "version": 4
+ },
+ "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2": {
+ "rule_name": "Web Server Potential SQL Injection Request",
+ "sha256": "204cd779dc6031bd76983b73b78317c57c9d6f994ce37c34e79baba33312ffdb",
+ "type": "eql",
+ "version": 1
 },
 "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db": {
 "rule_name": "Discovery of Internet Capabilities via Built-in Tools",
@@ -4958,9 +5022,9 @@
 },
 "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
 "rule_name": "Potential PowerShell Obfuscated Script",
- "sha256": "2704d9f00e0dde549f0ed2acc2e4b4c78b56ce3b6abbbce8060a543e57798f86",
+ "sha256": "21338d52150e45c05db894e54d90d6ef1f3db44cf524a501e31309cfbb983e05",
 "type": "query",
- "version": 107
+ "version": 108
 },
 "804a7ac8-fc00-11ee-924b-f661ea17fbce": {
 "rule_name": "AWS SSM Session Started to EC2 Instance",
@@ -4976,9 +5040,9 @@
 },
 "809b70d3-e2c3-455e-af1b-2626a5a1a276": {
 "rule_name": "Unusual City For an AWS Command",
- "sha256": "badc6a5976ec7afe16af98d9d59d033002ebd31687f59d4d87a8427d710dfbeb",
+ "sha256": "272e14dd9496c7030d82926713a2ce20703c2bbdd138ab8e3102543dec9d6ed8",
 "type": "machine_learning",
- "version": 211
+ "version": 212
 },
 "80c52164-c82a-402c-9964-852533d58be1": {
 "rule_name": "Process Injection - Detected - Elastic Endgame",
@@ -5048,9 +5112,9 @@
 },
 "8383a8d0-008b-47a5-94e5-496629dc3590": {
 "rule_name": "Web Server Discovery or Fuzzing Activity",
- "sha256": "5d0314db6259c4f5884084701984c5316aff5eac3c9e1f0fdd188abdf96aba43",
+ "sha256": "ab53ad1723cbcba05a3f4eea26e389306f8c217740c4fa194e7a3f5e112d3523",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "83a1931d-8136-46fc-b7b9-2db4f639e014": {
 "rule_name": "Azure Kubernetes Pods Deleted",
@@ -5066,9 +5130,9 @@
 },
 "83bf249e-4348-47ba-9741-1202a09556ad": {
 "rule_name": "Suspicious Windows Powershell Arguments",
- "sha256": "793552a1e01c4b4aaee3794578a3ecb4512bed33213c33b666bf453e7edd7aa2",
+ "sha256": "0347e6f35d144ad0df73bc8c69dd91de5d8d5e226494bf2511856671f3c94808",
 "type": "eql",
- "version": 209
+ "version": 210
 },
 "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f": {
 "rule_name": "Attempt to Disable IPTables or Firewall",
@@ -5090,9 +5154,9 @@
 },
 "84755a05-78c8-4430-8681-89cd6c857d71": {
 "rule_name": "At Job Created or Modified",
- "sha256": "4b40c8d4568713d94d3041b310220b96e926d642d9216b845db1d0aca6f8a500",
+ "sha256": "6e504e70a35be24ee291ec0ba421905fc26fddf57819413dbe239482adfba4c9",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "84d1f8db-207f-45ab-a578-921d91c23eb2": {
 "rule_name": "Potential Upgrade of Non-interactive Shell",
@@ -5114,15 +5178,15 @@
 },
 "852c1f19-68e8-43a6-9dce-340771fe1be3": {
 "rule_name": "Suspicious PowerShell Engine ImageLoad",
- "sha256": "2b68e3314eed43cc0d2bdc768e13c39f48e52778ff8449c187251249a074dc64",
+ "sha256": "bb796fbb6709db50cf45bb757855ee8bc991b319103faac34de21cd08d1bbc00",
 "type": "new_terms",
- "version": 214
+ "version": 215
 },
 "85e2d45e-a3df-4acf-83d3-21805f564ff4": {
 "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction",
- "sha256": "e0010b13da80d6b7d6a418117dcfeb8273b72aaf61c191ca8ab299b54b0424df",
+ "sha256": "f5a68ee676891a83f8345f6c6cf82c90b609b89b2fd92207a5f25849e70fcc8f",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "860f2a03-a1cf-48d6-a674-c6d62ae608a1": {
 "rule_name": "Potential Subnet Scanning Activity from Compromised Host",
@@ -5496,11 +5560,17 @@
 "type": "eql",
 "version": 212
 },
+ "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1": {
+ "rule_name": "GenAI Process Connection to Unusual Domain",
+ "sha256": "c1ab7f1687abc48558b4f79637b81b5b869d77dc8f67f3919111860f1c8be8dd",
+ "type": "new_terms",
+ "version": 1
+ },
 "9055ece6-2689-4224-a0e0-b04881e1f8ad": {
- "rule_name": "AWS Deletion of RDS Instance or Cluster",
- "sha256": "c0ced9e98431f4313c2ee2846e7d348cf0c0a199a2116036d425cee836f6e272",
+ "rule_name": "AWS RDS DB Instance or Cluster Deleted",
+ "sha256": "daa3efa31df9fdb6c67f3ae012d725a7d068c9bdce1c74ef1b3e81f6d256e2f2",
 "type": "query",
- "version": 209
+ "version": 210
 },
 "907a26f5-3eb6-4338-a70e-6c375c1cde8a": {
 "rule_name": "Simple HTTP Web Server Creation",
@@ -5532,6 +5602,13 @@
 "type": "query",
 "version": 100
 },
+ "90e4ceab-79a5-4f8e-879b-513cac7fcad9": {
+ "min_stack_version": "9.2",
+ "rule_name": "Web Server Local File Inclusion Activity",
+ "sha256": "2cab88240e2e98e8fb79a3259fbd0f4623526ba79e62f420bbdb30c1d30c12ef",
+ "type": "esql",
+ "version": 1
+ },
 "90e5976d-ed8c-489a-a293-bfc57ff8ba89": {
 "rule_name": "Linux System Information Discovery via Getconf",
 "sha256": "4687e5bf7ae059a2434a6c4e07de4bdb3447074f7e07cff1fcbc294e415db0f4",
@@ -5641,10 +5718,10 @@
 "version": 208
 },
 "93f47b6f-5728-4004-ba00-625083b3dcb0": {
- "rule_name": "Modification of Standard Authentication Module or Configuration",
- "sha256": "a3ec4aa1bace9ef4e52df433a1a9130b8ea7d6ed43756319c31ea2a5eb523627",
+ "rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration",
+ "sha256": "1e54e18fae8c9afcee81de6f64a1d344e006e894e2357424bbdf76c9accceb1c",
 "type": "new_terms",
- "version": 207
+ "version": 208
 },
 "94418745-529f-4259-8d25-a713a6feb6ae": {
 "rule_name": "Executable Bit Set for Potential Persistence Script",
@@ -5690,9 +5767,9 @@
 },
 "954ee7c8-5437-49ae-b2d6-2960883898e9": {
 "rule_name": "Remote Scheduled Task Creation",
- "sha256": "8cd15104409a97fd4438abc212c1c0ff0707de6458eeb1e1d8f7420e40c241c2",
+ "sha256": "6da3743f708580488d3f5e70ddab86ceadad147350a9bde3f95229d0021ba8c3",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "9563dace-5822-11f0-b1d3-f661ea17fbcd": {
 "rule_name": "Entra ID OAuth user_impersonation Scope for Unusual User and Client",
@@ -5714,9 +5791,9 @@
 },
 "962a71ae-aac9-11ef-9348-f661ea17fbce": {
 "rule_name": "AWS STS AssumeRoot by Rare User and Member Account",
- "sha256": "f1670dfd45e43ac5895b53ca679f177046d57bc693a881636a01300acff3ecbb",
+ "sha256": "21247d90931b191b5dfd6bbfe9ecf48ffd7f4bf01251fa9957234ed6dcfe002d",
 "type": "new_terms",
- "version": 4
+ "version": 5
 },
 "9661ed8b-001c-40dc-a777-0983b7b0c91a": {
 "rule_name": "Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container",
@@ -5762,9 +5839,9 @@
 },
 "97020e61-e591-4191-8a3b-2861a2b887cd": {
 "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
- "sha256": "721369ff74415e524db18c08b07e924d7fc2afb77dd0de54c0094712ccad6b66",
+ "sha256": "fbebd44525dceef0ede4b04ea6dc25697c9905dcbe4212fe2c02f891abcb80a4",
 "type": "eql",
- "version": 112
+ "version": 113
 },
 "9705b458-689a-4ec6-afe8-b4648d090612": {
 "rule_name": "Unusual D-Bus Daemon Child Process",
@@ -5802,6 +5879,12 @@
 "type": "query",
 "version": 211
 },
+ "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e": {
+ "rule_name": "Potential HTTP Downgrade Attack",
+ "sha256": "4a73054f38e7c1a0a6cd09109a0af2f1b3799c2690618d534bcd1135ee0f6064",
+ "type": "new_terms",
+ "version": 1
+ },
 "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
 "rule_name": "Potentially Successful Okta MFA Bombing via Push Notifications",
 "sha256": "e60ca0f40eef1090732be6cccd54853228ee8d052ddf109441c7cc42cf9e8ba2",
@@ -6122,15 +6205,15 @@
 },
 "9edd1804-83c7-4e48-b97d-c776b4c97564": {
 "rule_name": "PowerShell Obfuscation via Negative Index String Reversal",
- "sha256": "42e0b978f0c0a9c4fbace71206d97c11ef387556c3bff09bae4c49934342707b",
+ "sha256": "cf6888d083e6d3a579b18b1ab105b96412b235f1370e5d79239762c8a95e79b8",
 "type": "esql",
- "version": 4
+ "version": 5
 },
 "9efb3f79-b77b-466a-9fa0-3645d22d1e7f": {
 "rule_name": "AWS RDS DB Instance Made Public",
- "sha256": "6ab37a0c54d41e81d56ba27c0ad3dcac227dc7a8f82cd0f4324da20cc757080b",
+ "sha256": "e2349af7d08dca867f606f4f249e15878755f671b776eb1ca1a6fa17b882bdd4",
 "type": "eql",
- "version": 5
+ "version": 6
 },
 "9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
 "rule_name": "Potential Protocol Tunneling via EarthWorm",
@@ -6140,9 +6223,9 @@
 },
 "9f432a8b-9588-4550-838e-1f77285580d3": {
 "rule_name": "Dynamic IEX Reconstruction via Method String Access",
- "sha256": "e0dfbc0391e8ca17a470e41a103402daeebdac84b5ea26e44496486e852136bf",
+ "sha256": "d1ddff7c56268c96a8e68bdac7a60807a929770a433fc81868ff703976fc033b",
 "type": "esql",
- "version": 6
+ "version": 7
 },
 "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
 "rule_name": "Potential Credential Access via DCSync",
@@ -6188,9 +6271,9 @@
 },
 "a1329140-8de3-4445-9f87-908fb6d824f4": {
 "rule_name": "File Deletion via Shred",
- "sha256": "38364f20e36aaae29e165a3e0c9c3193d18addfb698d1ab56197ea8fd52725ff",
+ "sha256": "98412a3e65a49c2be4d293e3c9638980546eeb6a63f2ac2e43ea86e24cdb5fee",
 "type": "eql",
- "version": 213
+ "version": 214
 },
 "a16612dd-b30e-4d41-86a0-ebe70974ec00": {
 "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
@@ -6234,11 +6317,17 @@
 "type": "query",
 "version": 1
 },
+ "a1b2c3d4-e5f6-7890-abcd-ef1234567890": {
+ "rule_name": "GenAI Process Connection to Suspicious Top Level Domain",
+ "sha256": "c597b499c50eebdee9b57239e803b09995c9099b189f7337ed6bc1c272e861ea",
+ "type": "eql",
+ "version": 1
+ },
 "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35": {
 "rule_name": "Web Server Suspicious User Agent Requests",
- "sha256": "b48f9bf3f906fccb7f09ca13f172a840467544e471b7087fb0301961ef7337f1",
+ "sha256": "cf0f38746759586b626e1934014abd885226f3d9a623a74cc9c9436ac79187aa",
 "type": "esql",
- "version": 1
+ "version": 2
 },
 "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f": {
 "rule_name": "Linux Group Creation",
@@ -6360,6 +6449,12 @@
 "type": "eql",
 "version": 317
 },
+ "a640ef5b-e1da-4b17-8391-468fdbd1b517": {
+ "rule_name": "Execution via GitHub Actions Runner",
+ "sha256": "5c2e02372424c7523c482923663eaedd7d5dd64f7f91059d807cbd86fd1ab716",
+ "type": "eql",
+ "version": 1
+ },
 "a6788d4b-b241-4bf0-8986-a3b4315c5b70": {
 "rule_name": "AWS S3 Bucket Server Access Logging Disabled",
 "sha256": "44d2266516b212b0b177209326e4e81953e7169d03ce0615fa6d86e7754d3bc3",
@@ -6432,6 +6527,12 @@
 "type": "new_terms",
 "version": 1
 },
+ "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd": {
+ "rule_name": "AWS EC2 LOLBin Execution via SSM SendCommand",
+ "sha256": "8ed3514f87da2cdb2928680ebebadacf9c99a8de8d6504196742c42c1969fb24",
+ "type": "esql",
+ "version": 1
+ },
 "a8d35ca0-ad8d-48a9-9f6c-553622dca61a": {
 "rule_name": "High Variance in RDP Session Duration",
 "sha256": "ab11651cb3fb46c70c3fdbf4479abc32ea2fb7d096747443517a1d135615d72c",
@@ -6444,6 +6545,12 @@
 "type": "machine_learning",
 "version": 3
 },
+ "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f": {
+ "rule_name": "React2Shell (CVE-2025-55182) Exploitation Attempt",
+ "sha256": "a60f77fb20413deff742fb48c1ef902bdd8a712ed6eacc619eceaf824f93bfbe",
+ "type": "eql",
+ "version": 1
+ },
 "a9198571-b135-4a76-b055-e3e5a476fd83": {
 "rule_name": "Hex Encoding/Decoding Activity",
 "sha256": "b6cfa5bf24a78049ee0f873fe01bcc14ef5116a6adf59b8721abeb11ceca01cf",
@@ -6530,9 +6637,9 @@
 },
 "ab8f074c-5565-4bc4-991c-d49770e19fc9": {
 "rule_name": "AWS S3 Object Encryption Using External KMS Key",
- "sha256": "958773d8daef17b9524d9777dd4b3cf3630c13699cceb373bab52de8855ddccf",
+ "sha256": "5f92ecc1a1ab4856446a7daefdbb84f2124c1fb6c1c82caeed75f72022ade618",
 "type": "esql",
- "version": 7
+ "version": 8
 },
 "abae61a8-c560-4dbd-acca-1e1438bff36b": {
 "rule_name": "Unusual Windows Process Calling the Metadata Service",
@@ -6572,9 +6679,9 @@
 },
 "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
 "rule_name": "Unusual AWS Command for a User",
- "sha256": "22dee7a0dba4259dae807f0636fa682ffa5c2f3fa4a3025aefea153263a89744",
+ "sha256": "1bb48c457ffaa6213c29fb112617a61f4513cf5ed3fe8ae984d050f46f0e2a14",
 "type": "machine_learning",
- "version": 211
+ "version": 212
 },
 "ac8805f6-1e08-406c-962e-3937057fa86f": {
 "rule_name": "Potential Protocol Tunneling via Chisel Server",
@@ -6638,9 +6745,9 @@
 },
 "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18": {
 "rule_name": "Decline in host-based traffic",
- "sha256": "2437e732072bc33cbbc5ba0bd9ea39c6556f00672e79ac4e3f3bdc54398e324f",
+ "sha256": "6fc5bbba4f289f6433e148acbd5a3f03e6a19a814418a883f6f068b46e73beae",
 "type": "machine_learning",
- "version": 3
+ "version": 4
 },
 "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
 "rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
@@ -6678,6 +6785,12 @@
 "type": "eql",
 "version": 109
 },
+ "ae3e9625-89ad-4fc3-a7bf-fced5e64f01b": {
+ "rule_name": "Suspicious React Server Child Process",
+ "sha256": "a1f8cf50a3bdc7b67f8625f5d07e539dbc4826e9c5e69841688e50274dfb91af",
+ "type": "eql",
+ "version": 1
+ },
 "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
 "rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
 "sha256": "967c59ea43c5beb353059b127aead53cfc4bb82df6b3deffafa653e4fea554c8",
@@ -6764,9 +6877,9 @@
 },
 "b0c98cfb-0745-4513-b6f9-08dddb033490": {
 "rule_name": "Potential Dynamic IEX Reconstruction via Environment Variables",
- "sha256": "7d06dd74453291b00725d654daea341f2ca17b2a79e2b8712d00507005156728",
+ "sha256": "1be1ec78c8c9466fb5a6c635180b30142956d174d90b1e8b4be363149489b171",
 "type": "esql",
- "version": 5
+ "version": 6
 },
 "b11116fd-023c-4718-aeb8-fa9d283fc53b": {
 "rule_name": "Kubeconfig File Creation or Modification",
@@ -6800,9 +6913,9 @@
 },
 "b240bfb8-26b7-4e5e-924e-218144a3fa71": {
 "rule_name": "Spike in Network Traffic",
- "sha256": "5dbb9eed1f0e10b192dc7c2f72a009a668a5dba1bb5dc8fa0c86326ff2bd145f",
+ "sha256": "6f5749f79295a76dfb8b39ad7c7cd307890d4e6907b1978e040776de3c977e5b",
 "type": "machine_learning",
- "version": 107
+ "version": 108
 },
 "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
 "rule_name": "Remote File Copy via TeamViewer",
@@ -6828,6 +6941,18 @@ "type": "threshold", "version": 1 }, + "b2c3d4e5-f6a7-8901-bcde-f123456789ab": { + "rule_name": "GenAI Process Compiling or Generating Executables", + "sha256": "1b44e3cddeb6ca2f774015e8420483b4590ca117d2b4e014e2a651e58d0075d6", + "type": "eql", + "version": 1 + }, + "b2c3d4e5-f6a7-8901-bcde-f23456789012": { + "rule_name": "GenAI or MCP Server Child Process Execution", + "sha256": "223b956a529959c9e18df158fc49c4954749b3b139a4e0e2c98d9056fe6cb7e4", + "type": "eql", + "version": 1 + }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", "sha256": "ebac0be3cc98660cdc22804d5fb5347f782deed7f06851e8d9774d2b80988cf1", @@ -6836,9 +6961,9 @@ }, "b36c99af-b944-4509-a523-7e0fad275be1": { "rule_name": "AWS RDS Snapshot Deleted", - "sha256": "ade98e7953750dbc98194e18eb9a5c0b009482bdd4291ee0afa7c090646fd8a3", + "sha256": "0608995dc9f8ecd5e421b6699b410ddffada935f84fcc24fdb93bc0b20716d8a", "type": "eql", - "version": 5 + "version": 6 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", @@ -7038,11 +7163,17 @@ "type": "eql", "version": 105 }, + "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e": { + "rule_name": "Anomalous React Server Components Flight Data Patterns", + "sha256": "0c4d821949f83cc7229d9d2a9c117db1c8e639e5e03279e9ec182569ea1e7232", + "type": "eql", + "version": 1 + }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "rule_name": "Unusual Windows Network Activity", - "sha256": "8d8e53fbf2a2f3163dfc630866851d9212df2d9741e38c81cf5846fa0e60250a", + "sha256": "8add33888ce9849b510c0d0b80fd76797ddc082ac5700758b7b90c58c80099c1", "type": "machine_learning", - "version": 209 + "version": 210 }, "ba5a0b0c-b477-4729-a3dc-0147c2049cf1": { "rule_name": "AWS STS Role Chaining", 
@@ -7232,9 +7363,9 @@ }, "bf1073bf-ce26-4607-b405-ba1ed8e9e204": { "rule_name": "AWS RDS DB Instance Restored", - "sha256": "9eafea55bf73d9efa7281b8e04b71b2411d67ceaa0bd491ce8b7ff8716e4469e", - "type": "eql", - "version": 210 + "sha256": "5194de7967cb4987fc5b077de80c87f720fc241fd5484fbf074d0f3ba2b9db2c", + "type": "query", + "version": 211 }, "bf8c007c-7dee-4842-8e9a-ee534c09d205": { "rule_name": "System Owner/User Discovery Linux", @@ -7254,6 +7385,12 @@ "type": "eql", "version": 218 }, + "c0136397-f82a-45e5-9b9f-a3651d77e21a": { + "rule_name": "GenAI Process Accessing Sensitive Files", + "sha256": "d6c0c41cfb020fd17045a5aad1f7f9fe737fbf0b70b796e1c9e28fb6dde7697c", + "type": "eql", + "version": 1 + }, "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": { "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy", "sha256": "3194a97a3ddcdf805d1dd80b9746243334be76e30e2727bac3465ff1ad50b75f", @@ -7410,6 +7547,12 @@ "type": "new_terms", "version": 1 }, + "c3d4e5f6-a7b8-9012-cdef-123456789abc": { + "rule_name": "GenAI Process Performing Encoding/Chunking Prior to Network Activity", + "sha256": "cdb4bf583f1114ff298aa113567237a8727f03bf3675eca5da4ec615db63f688", + "type": "eql", + "version": 1 + }, "c3f5e1d8-910e-43b4-8d44-d748e498ca86": { "rule_name": "Potential JAVA/JNDI Exploitation Attempt", "sha256": "c353bf8d28c1c9cca5662d7a7a69e0a7229505982746bd0b0be3276fbda1444b", @@ -7470,6 +7613,12 @@ "type": "query", "version": 107 }, + "c595363f-52a6-49e1-9257-0e08ae043dbd": { + "rule_name": "Pod or Container Creation with Suspicious Command-Line", + "sha256": "0978c07dd959e8239b4ba8195831bf80b8e8978c16d7aae614691c0d82edec11", + "type": "eql", + "version": 1 + }, "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "a53e65d2430e3ea2e00f15ea40f9a151c2ea30db22fa0dca97a1936c8b70f192", 
@@ -7526,9 +7675,9 @@ }, "c6b40f4c-c6a9-434e-adb8-989b0d06d005": { "rule_name": "Suspicious Kerberos Authentication Ticket Request", - "sha256": "e23ea6934805893d0a762d92c016466df1e095e89990ac13b0fd20adf6fcf712", + "sha256": "3e8bbd5ab3f47272a2294246d2e869c3a340607be602eb6af2662418340cb228", "type": "eql", - "version": 1 + "version": 2 }, "c70d9f0d-8cb6-4cfc-85df-a95c1ccf4eab": { "rule_name": "AWS IAM API Calls via Temporary Session Tokens", @@ -7586,9 +7735,9 @@ }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", - "sha256": "e11202b80cd04fed8b343ef174236d78a6d5ea6fbbd37a73fb8a9ddc666d4548", + "sha256": "0e93c7c9d8c379f5113f5da64c80c41a4baa81ef5c9f06da338f591b12f797b6", "type": "machine_learning", - "version": 108 + "version": 109 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", @@ -7808,9 +7957,9 @@ }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "rule_name": "Potential PowerShell HackTool Script by Function Names", - "sha256": "c5d8f7341c8aa94026664e5ad58319bfe7157e03a65de4182baa55387cc32856", + "sha256": "6a3a41432334b7098df61a7139dca98767324dea23216d6d9fd8e10be74d51aa", "type": "query", - "version": 218 + "version": 219 }, "cdf1a39b-1ca5-4e2a-9739-17fc4d026029": { "rule_name": "Shadow File Modification by Unusual Process", @@ -7944,6 +8093,12 @@ "type": "eql", "version": 1 }, + "d1f310cb-5921-4d37-bbdf-cfdab7a6df9c": { + "rule_name": "Privileged Container Creation with Host Directory Mount", + "sha256": "16394afb9f2c78168b53837f4bd19e6929e026be8f08c8291b17ea82e16d97ba", + "type": "eql", + "version": 1 + }, "d2053495-8fe7-4168-b3df-dad844046be3": { "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", "sha256": "07e21a98e0a2f05e6d9191ef82577f66f1c1ed1a2f93cd54771faa83ee6ceda6", 
@@ -7994,9 +8149,9 @@ }, "d43f2b43-02a1-4219-8ce9-10929a32a618": { "rule_name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", - "sha256": "5e0286288a46daccf7f9d563112ed05545bab69583b2aa32b10852647b4ef5d9", + "sha256": "01699cbe4fa27efc2594bc6e9836990f28194adaaf4ba50d7a7df86e96872607", "type": "esql", - "version": 4 + "version": 5 }, "d461fac0-43e8-49e2-85ea-3a58fe120b4f": { "rule_name": "Shell Execution via Apple Scripting", @@ -8006,9 +8161,9 @@ }, "d488f026-7907-4f56-ad51-742feb3db01c": { "rule_name": "AWS S3 Bucket Replicated to Another Account", - "sha256": "064253e65c01b23e75a16fd16708b2a3f9ecdd7da6ff9823f13d37e081416990", + "sha256": "f754c6d0d951940fc7c786c9b64fdcdadf44f8e92eb5c966b6aa14d75a295129", "type": "eql", - "version": 4 + "version": 5 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { "rule_name": "Attempt to Delete an Okta Application", @@ -8150,9 +8305,9 @@ }, "d788313c-9e0b-4c5a-8c4b-c3f05a47d5a8": { "rule_name": "Python Site or User Customize File Creation", - "sha256": "4b3a053c8caeca2a1bd34ac1c472b5a915029448a8d37e95ddec0e407343489a", + "sha256": "e870753b28c4b9bf32983bd2fb5bcfafae38f902273f04300b5f3354570c37ec", "type": "eql", - "version": 3 + "version": 4 }, "d79c4b2a-6134-4edd-86e6-564a92a933f9": { "rule_name": "Azure Blob Permissions Modification", @@ -8216,9 +8371,9 @@ }, "d9af2479-ad13-4471-a312-f586517f1243": { "rule_name": "Curl or Wget Spawned via Node.js", - "sha256": "7d25f249eb1c37f0387a50af1d770254a7a935c20d9520f05e795438d486f719", + "sha256": "e9b7a7e641e61102321f9e774ae3df5054f9ef8ff40b6d2376f243c1389aca11", "type": "eql", - "version": 2 + "version": 3 }, "d9faf1ba-a216-4c29-b8e0-a05a9d14b027": { "rule_name": "Sensitive Files Compression Inside A Container", 
@@ -8336,9 +8491,9 @@ }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", - "sha256": "1deeb5c156dc053b7a9d4898334185233e3078a2d6669323b32bc24dd35eaeb1", + "sha256": "5fcc8e1b8ffda2633c5e84605dbccd3b4fa19f61cb6746ba6f2e9673df63aa6f", "type": "machine_learning", - "version": 211 + "version": 212 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "rule_name": "Suspicious Execution from INET Cache", @@ -8418,6 +8573,12 @@ "type": "query", "version": 1 }, + "df0553c8-2296-45ef-b4dc-3b88c4c130a7": { + "rule_name": "Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners", + "sha256": "1911bad236dfa90b27f167aac3ae24c7f49c5a1fc583ab500bff60f013b34dc6", + "type": "eql", + "version": 1 + }, "df0fd41e-5590-4965-ad5e-cd079ec22fa9": { "rule_name": "First Time Seen Driver Loaded", "sha256": "22276ed48570dff5dd0abb9dcb47a087657cc6232ec63597dc0e0b26c49c722e", @@ -8803,16 +8964,16 @@ "version": 2 }, "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": { - "rule_name": "Host Files System Changes via Windows Subsystem for Linux", - "sha256": "570f50040e4c5830eda8d9d4d63e5472233a96b0aac24dcd32a887779944a110", + "rule_name": "Host File System Changes via Windows Subsystem for Linux", + "sha256": "fc04a26c8bd9015b4cca4f17b20d8f18ac3eacb335a947d8793d0016b6ebbf0f", "type": "eql", - "version": 111 + "version": 112 }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", - "sha256": "70238f523a244c54e5d533afdf35c0eb016e7a89fdf5f53db9f37e3e91b4559c", + "sha256": "9b8d379c12a7bfbde5c49431b8583f858819263472a48003b8b105c5504a48b0", "type": "eql", - "version": 6 + "version": 7 }, "e8ea6f58-0040-11f0-a243-f661ea17fbcd": { "rule_name": "AWS DynamoDB Table Exported to S3", 
@@ -8828,9 +8989,9 @@ }, "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5": { "rule_name": "Potential PowerShell Obfuscation via String Reordering", - "sha256": "d2f95295421397874a9612a08627ff834430be52aea03bf2db77a9b641da195c", + "sha256": "7398bf8dcf03e0a14d88b60fd486092a22b0e758a93f99dbefdd54bd5997170e", "type": "esql", - "version": 7 + "version": 8 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", @@ -8893,16 +9054,16 @@ "version": 110 }, "ea248a02-bc47-4043-8e94-2885b19b2636": { - "rule_name": "AWS IAM Brute Force of Assume Role Policy", - "sha256": "cc2ff222226e52b4e5328e06189bf9e8e8888b2ffce285254bfe1ad99938251a", + "rule_name": "AWS IAM Principal Enumeration via UpdateAssumeRolePolicy", + "sha256": "f14b002eebcbbb555471d258b2d7843d5ea29c1f6968943863f83e6cae46568c", "type": "threshold", - "version": 212 + "version": 213 }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", - "sha256": "64375b8122d8cb9d91710468df616731c22eafab3c95b0ae6238cd55db970ddc", + "sha256": "1682a0c3be0d13c2d886046e969759c83cba4312382efe8fca8f9be342ef8e86", "type": "machine_learning", - "version": 107 + "version": 108 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", @@ -8912,9 +9073,9 @@ }, "eb079c62-4481-4d6e-9643-3ca499df7aaa": { "rule_name": "External Alerts", - "sha256": "3076f6b1adaf92e302684e1464639085c90751e68a525064398b7a9c2a03e3e5", + "sha256": "af86440d8e74a3463325d061cfbf3f755cc974d7c9e0929ccd302ad2b2a9b4f1", "type": "query", - "version": 105 + "version": 106 }, "eb44611f-62a8-4036-a5ef-587098be6c43": { "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", 
@@ -9044,9 +9205,9 @@ }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "rule_name": "Unusual Print Spooler Child Process", - "sha256": "94421dbaf4b818996b818ce7add2fff5f19b3361bc746e84bf7b001c6f22a107", + "sha256": "54e542eced060164ea48e1acd0e2dad60a507e92b22080e79fefa1717cdb3600", "type": "eql", - "version": 214 + "version": 215 }, "ee53d67a-5f0c-423c-a53c-8084ae562b5c": { "rule_name": "Shortcut File Written or Modified on Startup Folder", @@ -9182,9 +9343,9 @@ }, "f2015527-7c46-4bb9-80db-051657ddfb69": { "rule_name": "AWS RDS DB Instance or Cluster Password Modified", - "sha256": "d3de58ca35a9dc6d480cb9bef167e9065d10fd64c76dd25369636c977eb978bf", + "sha256": "8a13d49d9f7ae5db75943a19a2ddd120f65594d8ea51715e52c0c2e122f7ac52", "type": "eql", - "version": 5 + "version": 6 }, "f243fe39-83a4-46f3-a3b6-707557a102df": { "rule_name": "Service Path Modification", @@ -9266,9 +9427,9 @@ }, "f38633f4-3b31-4c80-b13d-e77c70ce8254": { "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", - "sha256": "0c9ca06dc06f2ec65026cb7a0472081a2aece5bb59900ad0a99e1306ca842b25", + "sha256": "54495e1bb2c0ec5091f7a95edc4df069f5177b211e4e4da61c957cfd5db18020", "type": "esql", - "version": 5 + "version": 6 }, "f391d3fd-219b-42a3-9ba9-2f66eb0155aa": { "rule_name": "Kill Command Execution", @@ -9278,9 +9439,9 @@ }, "f3ac6734-7e52-4a0d-90b7-6847bf4308f2": { "rule_name": "Web Server Potential Command Injection Request", - "sha256": "e550ce52f82ca0148dbb9cd09300cc2bf87d55fcb223f6969d7b86782f1445b9", + "sha256": "b7997278cd12830ba691f272f4ac953dbaf2fc6fc873c92ee9e7c1694d8ae2ab", "type": "esql", - "version": 1 + "version": 2 }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "rule_name": "Threat Intel URL Indicator Match", 
@@ -9308,9 +9469,9 @@ }, "f48ecc44-7d02-437d-9562-b838d2c41987": { "rule_name": "Creation or Modification of Pluggable Authentication Module or Configuration", - "sha256": "600d74d6c0a73fde14d13868996c69e59247528ce68d34fc56405dbf549e548e", + "sha256": "e7e9acdb251a2b166fc608361ff69aadeffe38a3417c4ccf906230a0a46b9c9a", "type": "eql", - "version": 6 + "version": 7 }, "f494c678-3c33-43aa-b169-bb3d5198c41d": { "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", @@ -9416,9 +9577,9 @@ }, "f6652fb5-cd8e-499c-8311-2ce2bb6cac62": { "rule_name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", - "sha256": "5ff52316c612a32b456c1d8cabd1f45f2752e52eb36c4c2d1950f4f50750c57f", + "sha256": "54e022f155300bd083ae3a1d4abb3d750bfbfa0d9764c4b939fc2e266a475c85", "type": "eql", - "version": 5 + "version": 6 }, "f675872f-6d85-40a3-b502-c0d2ef101e92": { "rule_name": "Delete Volume USN Journal with Fsutil", @@ -9440,9 +9601,9 @@ }, "f6d8c743-0916-4483-8333-3c6f107e0caa": { "rule_name": "Potential PowerShell Obfuscation via String Concatenation", - "sha256": "89bd628a65d8efba57ca5a4279fdbb8a3dbe414ee8bab5ccc726f2392189c425", + "sha256": "2522ba5d4934299385050871e4b4982e48a2ccf3dd12fbbae5c588655c2633bb", "type": "esql", - "version": 5 + "version": 6 }, "f701be14-0a36-4e9a-a851-b3e20ae55f09": { "rule_name": "Potential Kerberos Coercion via DNS-Based SPN Spoofing", @@ -9552,6 +9713,12 @@ "type": "eql", "version": 105 }, + "f92171ed-a4d3-4baa-98f9-4df1652cb11b": { + "rule_name": "Potential Secret Scanning via Gitleaks", + "sha256": "33e0146feb9de871b5ada55b0af64c3223f0c8f03ad5434f251ab66a85956093", + "type": "eql", + "version": 1 + }, "f94e898e-94f1-4545-8923-03e4b2866211": { "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "220ffd3b00b10fff5b9c9d3ea8cee1554fc9fa9e03cd8b6af5c2f5657604728b", 
@@ -9572,15 +9739,15 @@ }, "f97504ac-1053-498f-aeaa-c6d01e76b379": { "rule_name": "Browser Extension Install", - "sha256": "576be150607dc9afd8fedcd60b859916ff133c1200bc665c1b3be75c7b71afd8", + "sha256": "81bcee1c190422617ecec5060d5c56cac2493d8ea917f010d9ecb2c97e1c8082", "type": "eql", - "version": 206 + "version": 207 }, "f9753455-8d55-4ad8-b70a-e07b6f18deea": { "rule_name": "Potential PowerShell Obfuscation via High Special Character Proportion", - "sha256": "3b05a3eb675347f627c2d4b98effbd8fe5cd8eb924ea7110b9fc947fc753525a", + "sha256": "cf7fbc9464030a3093b93140a3546ac433b241d612890f6b22e11fa3df3a5c42", "type": "esql", - "version": 4 + "version": 5 }, "f9790abf-bd0c-45f9-8b5f-d0b74015e029": { "rule_name": "Privileged Account Brute Force", @@ -9596,9 +9763,9 @@ }, "f9abcddc-a05d-4345-a81d-000b79aa5525": { "rule_name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", - "sha256": "20ca9752cbc305147351fbd73c5705e988791b2a8b5ed27d0af2e1bd6bd47449", + "sha256": "988364349c492d2af5ea38485ae58fe9249b04052c0f74c627b555942806bba0", "type": "esql", - "version": 6 + "version": 7 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "rule_name": "Remote File Copy to a Hidden Share", @@ -9752,9 +9919,9 @@ }, "fd4a992d-6130-4802-9ff8-829b89ae801f": { "rule_name": "Potential Application Shimming via Sdbinst", - "sha256": "d31dcef398fc63196c928a47cf1a242e1bc03e206145f2973e6f2717c0a47417", + "sha256": "d9690771206500e07e7c25755beb650bddea9bff417f6e2bbdf01c97d2926969", "type": "eql", - "version": 316 + "version": 317 }, "fd70c98a-c410-42dc-a2e3-761c71848acf": { "rule_name": "Suspicious CertUtil Commands", 
@@ -9800,9 +9967,9 @@ }, "fe8d6507-b543-4bbc-849f-dc0da6db29f6": { "rule_name": "Spike in host-based traffic", - "sha256": "4fa29254fdfdc90f04cb22e0b5a84b3f62769dda8e36b0ebe462188b99fd92d4", + "sha256": "7d0904f2a6c2a004781895aff437401514b91b5b08ebb3f2ee87de5341e110a7", "type": "machine_learning", - "version": 3 + "version": 4 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", diff --git a/docs-dev/ATT&CK-coverage.md b/docs-dev/ATT&CK-coverage.md index e65bcea5e12..158cdc94c78 100644 --- a/docs-dev/ATT&CK-coverage.md +++ b/docs-dev/ATT&CK-coverage.md 
@@ -26,6 +26,8 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-indexes-endgame-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-endgame-WILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-filebeat-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-filebeat-WILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-WILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-WILDCARD.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-indexes-logs-apache](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-apache.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-indexes-logs-apache_tomcat](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-apache_tomcat.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-auditd_manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-auditd_manager.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-indexes-logs-aws](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-aws.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-azure](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-azure.json&leave_site_dialog=false&tabs=false)| 
@@ -39,10 +41,12 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-indexes-logs-gcpWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-gcpWILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-github](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-github.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-google_workspaceWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-google_workspaceWILDCARD.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-indexes-logs-iis](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-iis.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-jamf_protectWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-jamf_protectWILDCARD.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-kubernetes](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-kubernetes.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-indexes-logs-m365_defender](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-m365_defender.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-network_traffic](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-network_traffic.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-indexes-logs-nginx](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-nginx.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-o365](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-o365.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-okta](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-okta.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-indexes-logs-oktaWILDCARD](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-indexes-logs-oktaWILDCARD.json&leave_site_dialog=false&tabs=false)| 
@@ -65,11 +69,15 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-tags-apache-tomcat](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-apache-tomcat.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-apache](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-apache.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-api](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-api.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-application](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-application.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-asset-visibility](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-asset-visibility.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-auditd-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-auditd-manager.json&leave_site_dialog=false&tabs=false)| 
+|[Elastic-detection-rules-tags-aws-cloudfront](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudfront.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-cloudtrail](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-cloudtrail.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-dynamodb](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-dynamodb.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-ec2](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-ec2.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-aws-efs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-efs.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-aws-elastic-load-balancing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-elastic-load-balancing.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-tags-aws-guardduty](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-guardduty.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-iam.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-kms](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-kms.json&leave_site_dialog=false&tabs=false)| 
@@ -79,6 +87,7 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-tags-aws-s3](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-s3.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-secrets-manager](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-secrets-manager.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-service-quotas](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-service-quotas.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-aws-ses](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-ses.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-sign-in](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sign-in.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-aws-sns](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sns.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-tags-aws-sqs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-aws-sqs.json&leave_site_dialog=false&tabs=false)| 
@@ -124,6 +133,7 @@ coverage from the state of rules in the `main` branch. |[Elastic-detection-rules-tags-exploit-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-exploit-detection.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-file-integrity-monitoring](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-file-integrity-monitoring.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-fortinet](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-fortinet.json&leave_site_dialog=false&tabs=false)| +|[Elastic-detection-rules-tags-gcp-audit-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-gcp-audit-logs.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-gcp](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-gcp.json&leave_site_dialog=false&tabs=false)| |[Elastic-detection-rules-tags-github](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-github.json&leave_site_dialog=false&tabs=false)| 
|[Elastic-detection-rules-tags-google-cloud-platform](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-google-cloud-platform.json&leave_site_dialog=false&tabs=false)| 
@@ -131,6 +141,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-graph-api-activity-logs](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-graph-api-activity-logs.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-graph-api](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-graph-api.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-higher-order-rule](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-higher-order-rule.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-iam](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iam.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-identity-and-access-audit](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity-and-access-audit.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-identity](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-identity.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-iis](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-iis.json&leave_site_dialog=false&tabs=false)| 
@@ -144,6 +155,7 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-lightning-framework](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-lightning-framework.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-linux](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-linux.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-living-off-the-land-attack-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-living-off-the-land-attack-detection.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-llm](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-llm.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-log-auditing](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-log-auditing.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-machine-learning](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-machine-learning.json&leave_site_dialog=false&tabs=false)|
|[Elastic-detection-rules-tags-macos](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-macos.json&leave_site_dialog=false&tabs=false)| 
@@ -185,6 +197,10 @@ coverage from the state of rules in the `main` branch.
 |[Elastic-detection-rules-tags-storage](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-storage.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-sysmon](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-sysmon.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-system](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-system.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-t0053](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0053.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-t0055](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0055.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-t0085](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0085.json&leave_site_dialog=false&tabs=false)|
+|[Elastic-detection-rules-tags-t0086](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-t0086.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-threat-detection](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-threat-detection.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-triplecross](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-triplecross.json&leave_site_dialog=false&tabs=false)|
 |[Elastic-detection-rules-tags-ueba](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fgist.githubusercontent.com%2Ftradebot-elastic%2F0443cfb5016bed103f1940b2f336e45a%2Fraw%2FElastic-detection-rules-tags-ueba.json&leave_site_dialog=false&tabs=false)|
From b2eb1e05b10335d1bf2df06050f0c926c3eb28c4 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Tue, 9 Dec 2025 00:18:31 +0530
Subject: [PATCH 2/2] Update patch version
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 43b565a787a..b6eb932824e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.21"
+version = "1.5.22"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"