From f17e1c65442fa121b47971d79334f96a77fb19f7 Mon Sep 17 00:00:00 2001
From: Domenico Andreoli
Date: Tue, 7 May 2024 13:31:25 +0200
Subject: [PATCH] Update rules to 8.13.6, 8.12.11, 8.11.15, and 8.10.18
---
 tests/reports/alerts_from_rules-8.10.md | 2 +-
 tests/reports/alerts_from_rules-8.11.md | 2 +-
 tests/reports/alerts_from_rules-8.12.md | 2 +-
 tests/reports/alerts_from_rules-8.13.md | 1486 ++++++++++----------
 tests/reports/documents_from_rules-8.10.md | 2 +-
 tests/reports/documents_from_rules-8.11.md | 2 +-
 tests/reports/documents_from_rules-8.12.md | 2 +-
 tests/reports/documents_from_rules-8.13.md | 14 +-
 8 files changed, 762 insertions(+), 750 deletions(-)
diff --git a/tests/reports/alerts_from_rules-8.10.md b/tests/reports/alerts_from_rules-8.10.md
index ea46686c..142ab76b 100644
--- a/tests/reports/alerts_from_rules-8.10.md
+++ b/tests/reports/alerts_from_rules-8.10.md
@@ -5,7 +5,7 @@ learn what rules are supported and what not and why.
 Curious about the inner workings? Read [here](signals_generation.md).
-Rules version: 8.10.17
+Rules version: 8.10.18
 ## Table of contents
 1. [Unsuccessful rules with signals (6)](#unsuccessful-rules-with-signals-6)
diff --git a/tests/reports/alerts_from_rules-8.11.md b/tests/reports/alerts_from_rules-8.11.md
index cbc2df83..4ec1238d 100644
--- a/tests/reports/alerts_from_rules-8.11.md
+++ b/tests/reports/alerts_from_rules-8.11.md
@@ -5,7 +5,7 @@ learn what rules are supported and what not and why.
 Curious about the inner workings? Read [here](signals_generation.md).
-Rules version: 8.11.14
+Rules version: 8.11.15
 ## Table of contents
 1. [Unsuccessful rules with signals (6)](#unsuccessful-rules-with-signals-6)
diff --git a/tests/reports/alerts_from_rules-8.12.md b/tests/reports/alerts_from_rules-8.12.md
index 69a17401..26c1e158 100644
--- a/tests/reports/alerts_from_rules-8.12.md
+++ b/tests/reports/alerts_from_rules-8.12.md
@@ -5,7 +5,7 @@ learn what rules are supported and what not and why.
 Curious about the inner workings? Read [here](signals_generation.md).
-Rules version: 8.12.10
+Rules version: 8.12.11
 ## Table of contents
 1. [Unsuccessful rules with signals (6)](#unsuccessful-rules-with-signals-6)
diff --git a/tests/reports/alerts_from_rules-8.13.md b/tests/reports/alerts_from_rules-8.13.md
index 23ed8f09..bf7f426a 100644
--- a/tests/reports/alerts_from_rules-8.13.md
+++ b/tests/reports/alerts_from_rules-8.13.md
@@ -5,7 +5,7 @@ learn what rules are supported and what not and why.
 Curious about the inner workings? Read [here](signals_generation.md).
-Rules version: 8.13.5
+Rules version: 8.13.6
 ## Table of contents
 1. [Unsuccessful rules with signals (6)](#unsuccessful-rules-with-signals-6)
@@ -19,7 +19,7 @@ Rules version: 8.13.5
 Branch count: 4608
 Document count: 13824
-Index: geneve-ut-263
+Index: geneve-ut-267
 ```python
 sequence by host.id, user.id with maxspan=1m
@@ -40,7 +40,7 @@ sequence by host.id, user.id with maxspan=1m
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-588
+Index: geneve-ut-593
 ```python
 sequence by host.id, source.ip, user.name with maxspan=15s
@@ -59,7 +59,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 1024
 Document count: 10240
-Index: geneve-ut-592
+Index: geneve-ut-597
 ```python
 sequence by host.id, source.ip, user.name with maxspan=15s
@@ -78,7 +78,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 2048
 Document count: 22528
-Index: geneve-ut-684
+Index: geneve-ut-689
 ```python
 sequence by host.id, source.ip, user.name with maxspan=15s
@@ -95,7 +95,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s
 Branch count: 4608
 Document count: 4608
-Index: geneve-ut-872
+Index: geneve-ut-877
 ```python
 process where host.os.type == "windows" and event.type == "start" and 
@@ -144,7 +144,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1836 Document count: 1836 -Index: geneve-ut-926 +Index: geneve-ut-931 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -176,7 +176,7 @@ process.name == "ln" and process.args in ("-s", "-sf") and Branch count: 2 Document count: 2 -Index: geneve-ut-405 +Index: geneve-ut-409 ```python iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and @@ -189,7 +189,7 @@ process.name in ("groupadd", "addgroup") and group.name != null Branch count: 2 Document count: 2 -Index: geneve-ut-409 +Index: geneve-ut-413 ```python iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and @@ -202,7 +202,7 @@ process.name in ("useradd", "adduser") and user.name != null Branch count: 4 Document count: 8 -Index: geneve-ut-621 +Index: geneve-ut-626 ```python sequence by user.name, source.port, source.ip with maxspan=15s @@ -222,7 +222,7 @@ sequence by user.name, source.port, source.ip with maxspan=15s Branch count: 4608 Document count: 13824 -Index: geneve-ut-263 +Index: geneve-ut-267 Failure message(s): got 1000 signals, expected 4608 @@ -245,7 +245,7 @@ sequence by host.id, user.id with maxspan=1m Branch count: 1024 Document count: 10240 -Index: geneve-ut-588 +Index: geneve-ut-593 Failure message(s): got 1000 signals, expected 1024 @@ -266,7 +266,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 1024 Document count: 10240 -Index: geneve-ut-592 +Index: geneve-ut-597 Failure message(s): got 1000 signals, expected 1024 @@ -287,7 +287,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 6 Document count: 12 -Index: geneve-ut-646 +Index: geneve-ut-651 Failure message(s): got 5 signals, expected 6 
@@ -304,7 +304,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5s Branch count: 2048 Document count: 22528 -Index: geneve-ut-684 +Index: geneve-ut-689 Failure message(s): got 1000 signals, expected 2048 @@ -323,7 +323,7 @@ sequence by host.id, source.ip, user.name with maxspan=15s Branch count: 4608 Document count: 4608 -Index: geneve-ut-872 +Index: geneve-ut-877 Failure message(s): got 1000 signals, expected 4608 @@ -374,7 +374,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 22 -Index: geneve-ut-901 +Index: geneve-ut-906 Failure message(s): got 8 signals, expected 11 @@ -395,7 +395,7 @@ sequence by host.id with maxspan=5s Branch count: 1836 Document count: 1836 -Index: geneve-ut-926 +Index: geneve-ut-931 Failure message(s): got 1000 signals, expected 1836 @@ -486,7 +486,7 @@ iam where event.action == "scheduled-task-updated" and Branch count: 1 Document count: 1 -Index: geneve-ut-002 +Index: geneve-ut-005 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success @@ -498,7 +498,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-003 +Index: geneve-ut-006 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success @@ -510,7 +510,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-004 +Index: geneve-ut-007 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success 
@@ -522,7 +522,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-005 +Index: geneve-ut-008 ```python event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success @@ -534,7 +534,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-006 +Index: geneve-ut-009 ```python event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success @@ -546,7 +546,7 @@ event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and eve Branch count: 1 Document count: 1 -Index: geneve-ut-007 +Index: geneve-ut-010 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success @@ -558,7 +558,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 1 Document count: 1 -Index: geneve-ut-008 +Index: geneve-ut-011 ```python event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success @@ -570,7 +570,7 @@ event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.act Branch count: 9 Document count: 9 -Index: geneve-ut-009 +Index: geneve-ut-012 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and @@ -585,7 +585,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and Branch count: 1 Document count: 1 -Index: geneve-ut-010 +Index: geneve-ut-013 ```python event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success 
@@ -597,7 +597,7 @@ event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.a Branch count: 84 Document count: 84 -Index: geneve-ut-011 +Index: geneve-ut-014 ```python process where event.module == "cloud_defend" and @@ -614,7 +614,7 @@ process.args : ("*aws_access_key_id*", "*aws_secret_access_key*", "*aws_session_ Branch count: 3 Document count: 3 -Index: geneve-ut-012 +Index: geneve-ut-015 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance) @@ -627,7 +627,7 @@ and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-013 +Index: geneve-ut-016 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success @@ -639,7 +639,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 4 Document count: 4 -Index: geneve-ut-014 +Index: geneve-ut-017 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and @@ -653,7 +653,7 @@ event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-015 +Index: geneve-ut-018 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success @@ -665,7 +665,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-016 +Index: geneve-ut-019 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success 
@@ -677,7 +677,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-017 +Index: geneve-ut-020 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute @@ -689,7 +689,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-018 +Index: geneve-ut-021 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure @@ -701,7 +701,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-019 +Index: geneve-ut-022 ```python event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and @@ -714,7 +714,7 @@ event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-020 +Index: geneve-ut-023 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and @@ -727,7 +727,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-021 +Index: geneve-ut-024 ```python event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or @@ -741,7 +741,7 @@ event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and ev Branch count: 2 Document count: 2 -Index: geneve-ut-022 +Index: geneve-ut-025 ```python event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and 
@@ -754,7 +754,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-023 +Index: geneve-ut-026 ```python event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success @@ -766,7 +766,7 @@ event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-024 +Index: geneve-ut-027 ```python event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success @@ -778,7 +778,7 @@ event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and even Branch count: 1 Document count: 1 -Index: geneve-ut-025 +Index: geneve-ut-028 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success @@ -790,7 +790,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-027 +Index: geneve-ut-030 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success @@ -802,7 +802,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-028 +Index: geneve-ut-031 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success @@ -814,7 +814,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-029 +Index: geneve-ut-032 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success 
@@ -826,7 +826,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-030 +Index: geneve-ut-033 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success @@ -838,7 +838,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-031 +Index: geneve-ut-034 ```python event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success @@ -850,7 +850,7 @@ event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-032 +Index: geneve-ut-035 ```python event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:("DisableKey" or "ScheduleKeyDeletion") and event.outcome:success @@ -862,7 +862,7 @@ event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-034 +Index: geneve-ut-037 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success @@ -874,7 +874,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 2 Document count: 2 -Index: geneve-ut-035 +Index: geneve-ut-038 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success @@ -886,7 +886,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-036 +Index: geneve-ut-039 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success 
@@ -898,7 +898,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 2 Document count: 2 -Index: geneve-ut-037 +Index: geneve-ut-040 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success @@ -910,7 +910,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-038 +Index: geneve-ut-041 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success @@ -922,7 +922,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-039 +Index: geneve-ut-042 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success @@ -934,7 +934,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-040 +Index: geneve-ut-043 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success @@ -946,7 +946,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-041 +Index: geneve-ut-044 ```python event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and @@ -959,7 +959,7 @@ event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-042 +Index: geneve-ut-045 ```python event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success 
@@ -971,7 +971,7 @@ event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event Branch count: 1 Document count: 1 -Index: geneve-ut-043 +Index: geneve-ut-046 ```python event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and @@ -986,7 +986,7 @@ event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.a Branch count: 1 Document count: 1 -Index: geneve-ut-044 +Index: geneve-ut-047 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success @@ -998,7 +998,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 1 Document count: 1 -Index: geneve-ut-045 +Index: geneve-ut-048 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success @@ -1010,7 +1010,7 @@ event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event. Branch count: 2 Document count: 2 -Index: geneve-ut-046 +Index: geneve-ut-049 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and @@ -1023,7 +1023,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-047 +Index: geneve-ut-050 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or @@ -1036,7 +1036,7 @@ DeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:suc Branch count: 1 Document count: 1 -Index: geneve-ut-048 +Index: geneve-ut-051 ```python event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and 
@@ -1049,7 +1049,7 @@ event.outcome:success Branch count: 5 Document count: 5 -Index: geneve-ut-049 +Index: geneve-ut-052 ```python event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and @@ -1064,7 +1064,7 @@ event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and Branch count: 4 Document count: 4 -Index: geneve-ut-050 +Index: geneve-ut-054 ```python event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or @@ -1077,7 +1077,7 @@ UpdateSAMLProvider) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-051 +Index: geneve-ut-055 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and @@ -1090,7 +1090,7 @@ aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success Branch count: 6 Document count: 6 -Index: geneve-ut-052 +Index: geneve-ut-056 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or @@ -1104,7 +1104,7 @@ RevokeSecurityGroupIngress) and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-053 +Index: geneve-ut-057 ```python event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and @@ -1117,7 +1117,7 @@ aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event. Branch count: 1 Document count: 1 -Index: geneve-ut-054 +Index: geneve-ut-058 ```python event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success @@ -1129,7 +1129,7 @@ event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.acti Branch count: 1 Document count: 1 -Index: geneve-ut-055 +Index: geneve-ut-059 ```python event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success 
@@ -1141,7 +1141,7 @@ event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:suc Branch count: 6 Document count: 6 -Index: geneve-ut-056 +Index: geneve-ut-060 ```python event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success @@ -1153,7 +1153,7 @@ event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-region Branch count: 3 Document count: 3 -Index: geneve-ut-059 +Index: geneve-ut-063 ```python (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) @@ -1169,7 +1169,7 @@ Index: geneve-ut-059 Branch count: 52 Document count: 52 -Index: geneve-ut-060 +Index: geneve-ut-064 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1198,7 +1198,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 12 Document count: 12 -Index: geneve-ut-061 +Index: geneve-ut-065 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -1236,7 +1236,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-062 +Index: geneve-ut-066 ```python any where event.action == "Directory Service Access" and event.code == "4662" and @@ -1271,7 +1271,7 @@ any where event.action == "Directory Service Access" and event.code == "4662" an Branch count: 4 Document count: 4 -Index: geneve-ut-063 +Index: geneve-ut-067 ```python process where host.os.type == "windows" and event.type == "start" and process.args : ("*.ost", "*.pst") and @@ -1288,7 +1288,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ar Branch count: 4 Document count: 4 -Index: geneve-ut-065 +Index: geneve-ut-069 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -1308,7 +1308,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 18 -Index: geneve-ut-066 +Index: geneve-ut-070 ```python sequence by winlog.computer_name with maxspan=1m @@ -1336,7 +1336,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 48 Document count: 48 -Index: geneve-ut-067 +Index: geneve-ut-071 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -1354,7 +1354,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 36 Document count: 36 -Index: geneve-ut-068 +Index: geneve-ut-072 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1374,7 +1374,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-070 +Index: geneve-ut-074 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -1387,7 +1387,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 1 Document count: 1 -Index: geneve-ut-072 +Index: geneve-ut-076 ```python event.dataset:okta.system and event.action:group.privilege.grant @@ -1399,7 +1399,7 @@ event.dataset:okta.system and event.action:group.privilege.grant Branch count: 1 Document count: 1 -Index: geneve-ut-073 +Index: geneve-ut-077 ```python event.dataset:okta.system and event.action:user.account.privilege.grant @@ -1411,7 +1411,7 @@ event.dataset:okta.system and event.action:user.account.privilege.grant Branch count: 2 Document count: 2 -Index: geneve-ut-074 +Index: geneve-ut-078 ```python file where host.os.type == "windows" and event.type == "creation" and 
@@ -1426,7 +1426,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 2 -Index: geneve-ut-075 +Index: geneve-ut-079 ```python event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) @@ -1438,7 +1438,7 @@ event.kind:alert and event.module:endgame and (event.action:behavior_protection_ Branch count: 1 Document count: 1 -Index: geneve-ut-076 +Index: geneve-ut-080 ```python event.agent_id_status:agent_id_mismatch @@ -1450,7 +1450,7 @@ event.agent_id_status:agent_id_mismatch Branch count: 1 Document count: 2 -Index: geneve-ut-082 +Index: geneve-ut-086 ```python sequence by host.id, process.entity_id with maxspan=30s @@ -1469,7 +1469,7 @@ sequence by host.id, process.entity_id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-084 +Index: geneve-ut-088 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION @@ -1481,7 +1481,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-085 +Index: geneve-ut-089 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:"change" and @@ -1496,7 +1496,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.type:" Branch count: 1 Document count: 1 -Index: geneve-ut-087 +Index: geneve-ut-091 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*" @@ -1508,7 +1508,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 4 Document count: 4 -Index: geneve-ut-088 +Index: geneve-ut-092 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -1521,7 +1521,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-089 +Index: geneve-ut-093 ```python event.dataset:okta.system and event.action:system.api_token.create @@ -1533,7 +1533,7 @@ event.dataset:okta.system and event.action:system.api_token.create Branch count: 1 Document count: 1 -Index: geneve-ut-090 +Index: geneve-ut-094 ```python event.dataset:okta.system and event.action:application.lifecycle.deactivate @@ -1545,7 +1545,7 @@ event.dataset:okta.system and event.action:application.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-091 +Index: geneve-ut-095 ```python event.dataset:okta.system and event.action:zone.deactivate @@ -1557,7 +1557,7 @@ event.dataset:okta.system and event.action:zone.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-092 +Index: geneve-ut-096 ```python event.dataset:okta.system and event.action:policy.lifecycle.deactivate @@ -1569,7 +1569,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-093 +Index: geneve-ut-097 ```python event.dataset:okta.system and event.action:policy.rule.deactivate @@ -1581,7 +1581,7 @@ event.dataset:okta.system and event.action:policy.rule.deactivate Branch count: 1 Document count: 1 -Index: geneve-ut-094 +Index: geneve-ut-098 ```python event.dataset:okta.system and event.action:application.lifecycle.delete @@ -1593,7 +1593,7 @@ event.dataset:okta.system and event.action:application.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-095 +Index: geneve-ut-099 ```python event.dataset:okta.system and event.action:zone.delete @@ -1605,7 +1605,7 @@ event.dataset:okta.system and event.action:zone.delete Branch count: 1 Document count: 1 -Index: geneve-ut-096 +Index: geneve-ut-100 ```python event.dataset:okta.system and event.action:policy.lifecycle.delete 
@@ -1617,7 +1617,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.delete Branch count: 1 Document count: 1 -Index: geneve-ut-097 +Index: geneve-ut-101 ```python event.dataset:okta.system and event.action:policy.rule.delete @@ -1629,7 +1629,7 @@ event.dataset:okta.system and event.action:policy.rule.delete Branch count: 2 Document count: 2 -Index: geneve-ut-098 +Index: geneve-ut-102 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1642,7 +1642,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 34 Document count: 34 -Index: geneve-ut-099 +Index: geneve-ut-103 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -1669,7 +1669,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 30 Document count: 30 -Index: geneve-ut-100 +Index: geneve-ut-104 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -1685,7 +1685,7 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event") Branch count: 2 Document count: 2 -Index: geneve-ut-101 +Index: geneve-ut-105 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -1698,7 +1698,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-102 +Index: geneve-ut-106 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1717,7 +1717,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-103 +Index: geneve-ut-107 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -1732,7 +1732,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-104 +Index: geneve-ut-108 ```python event.dataset:okta.system and event.action:application.lifecycle.update @@ -1744,7 +1744,7 @@ event.dataset:okta.system and event.action:application.lifecycle.update Branch count: 3 Document count: 3 -Index: geneve-ut-105 +Index: geneve-ut-109 ```python event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist) @@ -1756,7 +1756,7 @@ event.dataset:okta.system and event.action:(zone.update or network_zone.rule.dis Branch count: 1 Document count: 1 -Index: geneve-ut-106 +Index: geneve-ut-110 ```python event.dataset:okta.system and event.action:policy.lifecycle.update @@ -1768,7 +1768,7 @@ event.dataset:okta.system and event.action:policy.lifecycle.update Branch count: 1 Document count: 1 -Index: geneve-ut-107 +Index: geneve-ut-111 ```python event.dataset:okta.system and event.action:policy.rule.update @@ -1780,7 +1780,7 @@ event.dataset:okta.system and event.action:policy.rule.update Branch count: 1 Document count: 1 -Index: geneve-ut-110 +Index: geneve-ut-114 ```python event.dataset:okta.system and event.action:user.mfa.factor.reset_all @@ -1792,7 +1792,7 @@ event.dataset:okta.system and event.action:user.mfa.factor.reset_all Branch count: 1 Document count: 1 -Index: geneve-ut-111 +Index: geneve-ut-115 ```python event.dataset:okta.system and event.action:system.api_token.revoke @@ -1804,7 +1804,7 @@ event.dataset:okta.system and event.action:system.api_token.revoke Branch count: 4 Document count: 4 -Index: geneve-ut-112 +Index: geneve-ut-116 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -1817,7 +1817,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 1 Document count: 1 -Index: geneve-ut-113 +Index: geneve-ut-117 ```python event.dataset:okta.system and event.action:user.mfa.attempt_bypass @@ -1829,7 +1829,7 @@ event.dataset:okta.system and event.action:user.mfa.attempt_bypass Branch count: 3 Document count: 3 -Index: geneve-ut-114 +Index: geneve-ut-118 ```python process where host.os.type == "windows" and event.type == "start" and @@ -1859,7 +1859,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-117 +Index: geneve-ut-121 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -1874,7 +1874,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-118 +Index: geneve-ut-122 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -1888,7 +1888,7 @@ azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\ Branch count: 4 Document count: 4 -Index: geneve-ut-119 +Index: geneve-ut-123 ```python event.dataset:azure.signinlogs and @@ -1902,7 +1902,7 @@ event.dataset:azure.signinlogs and Branch count: 4 Document count: 4 -Index: geneve-ut-120 +Index: geneve-ut-124 ```python event.dataset:azure.signinlogs and @@ -1915,7 +1915,7 @@ event.dataset:azure.signinlogs and Branch count: 2 Document count: 2 -Index: geneve-ut-121 +Index: geneve-ut-125 ```python event.dataset:azure.signinlogs and @@ -1929,7 +1929,7 @@ event.dataset:azure.signinlogs and Branch count: 1 Document count: 1 -Index: geneve-ut-122 +Index: geneve-ut-126 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and 
@@ -1942,7 +1942,7 @@ event.outcome: "success" Branch count: 2 Document count: 2 -Index: geneve-ut-123 +Index: geneve-ut-127 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success) @@ -1954,7 +1954,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update applica Branch count: 2 Document count: 2 -Index: geneve-ut-124 +Index: geneve-ut-128 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success) @@ -1966,7 +1966,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-125 +Index: geneve-ut-129 ```python event.dataset:azure.activitylogs and @@ -1985,7 +1985,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-126 +Index: geneve-ut-130 ```python event.dataset:azure.activitylogs and @@ -1999,7 +1999,7 @@ event.dataset:azure.activitylogs and Branch count: 4 Document count: 4 -Index: geneve-ut-127 +Index: geneve-ut-131 ```python event.dataset:azure.activitylogs and @@ -2017,7 +2017,7 @@ event.dataset:azure.activitylogs and Branch count: 2 Document count: 2 -Index: geneve-ut-128 +Index: geneve-ut-132 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success) @@ -2029,7 +2029,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-129 +Index: geneve-ut-133 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( 
@@ -2044,7 +2044,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( Branch count: 2 Document count: 2 -Index: geneve-ut-130 +Index: geneve-ut-134 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success) @@ -2056,7 +2056,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 4 Document count: 4 -Index: geneve-ut-131 +Index: geneve-ut-135 ```python event.dataset:(azure.activitylogs or azure.auditlogs) and @@ -2069,7 +2069,7 @@ event.action:"Update conditional access policy" and event.outcome:(Success or su Branch count: 2 Document count: 2 -Index: geneve-ut-132 +Index: geneve-ut-136 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success) @@ -2081,7 +2081,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-133 +Index: geneve-ut-137 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success) @@ -2093,7 +2093,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-134 +Index: geneve-ut-138 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success) 
@@ -2105,7 +2105,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-135 +Index: geneve-ut-139 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success) @@ -2117,7 +2117,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite externa Branch count: 2 Document count: 2 -Index: geneve-ut-136 +Index: geneve-ut-140 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2129,7 +2129,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-137 +Index: geneve-ut-141 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE" and event.outcome:(Success or success) @@ -2141,7 +2141,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 6 Document count: 6 -Index: geneve-ut-138 +Index: geneve-ut-142 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2159,7 +2159,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-139 +Index: geneve-ut-143 ```python event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and @@ -2175,7 +2175,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManage Branch count: 2 Document count: 2 -Index: geneve-ut-140 +Index: geneve-ut-144 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success) 
@@ -2187,7 +2187,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-141 +Index: geneve-ut-145 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and @@ -2200,7 +2200,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-142 +Index: geneve-ut-146 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and @@ -2213,7 +2213,7 @@ event.outcome:(Success or success) Branch count: 4 Document count: 4 -Index: geneve-ut-143 +Index: geneve-ut-147 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name: @@ -2228,7 +2228,7 @@ event.outcome:(Success or success) Branch count: 2 Document count: 2 -Index: geneve-ut-144 +Index: geneve-ut-148 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success) @@ -2240,7 +2240,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-145 +Index: geneve-ut-149 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success) @@ -2252,7 +2252,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role se Branch count: 2 Document count: 2 -Index: geneve-ut-146 +Index: geneve-ut-150 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success) 
@@ -2264,7 +2264,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 2 Document count: 2 -Index: geneve-ut-147 +Index: geneve-ut-151 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success) @@ -2276,7 +2276,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-148 +Index: geneve-ut-152 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success) @@ -2288,7 +2288,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service pr Branch count: 2 Document count: 2 -Index: geneve-ut-149 +Index: geneve-ut-153 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success) @@ -2300,7 +2300,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOF Branch count: 22 Document count: 22 -Index: geneve-ut-150 +Index: geneve-ut-154 ```python event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE" or @@ -2318,7 +2318,7 @@ event.outcome:(Success or success) Branch count: 1 Document count: 1 -Index: geneve-ut-151 +Index: geneve-ut-155 ```python process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and @@ -2332,7 +2332,7 @@ not process.parent.executable == "/usr/sbin/libvirtd" Branch count: 16 Document count: 16 -Index: geneve-ut-152 +Index: geneve-ut-156 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -2346,7 +2346,7 @@ not process.args in ("--help", "--version") Branch count: 9 Document count: 9 -Index: geneve-ut-153 +Index: geneve-ut-157 ```python event.category:file and event.type:change and @@ -2371,7 +2371,7 @@ event.category:file and event.type:change and Branch count: 3 Document count: 3 -Index: geneve-ut-154 +Index: geneve-ut-158 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2386,7 +2386,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 13 Document count: 13 -Index: geneve-ut-156 +Index: geneve-ut-160 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2408,7 +2408,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-157 +Index: geneve-ut-161 ```python file where host.os.type == "windows" and event.action : "creation" and @@ -2437,7 +2437,7 @@ file where host.os.type == "windows" and event.action : "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-158 +Index: geneve-ut-162 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2455,7 +2455,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-160 +Index: geneve-ut-164 ```python process where host.os.type == "linux" and event.action in ("exec", "exec_event") and @@ -2473,7 +2473,7 @@ not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") Branch count: 24 Document count: 24 -Index: geneve-ut-161 +Index: geneve-ut-165 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2489,7 +2489,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 9 Document count: 9 -Index: geneve-ut-162 +Index: geneve-ut-166 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -2511,7 +2511,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 16 Document count: 16 -Index: geneve-ut-164 +Index: geneve-ut-168 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2525,7 +2525,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-166 +Index: geneve-ut-170 ```python process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and @@ -2545,7 +2545,7 @@ process.parent.name: ( Branch count: 1 Document count: 2 -Index: geneve-ut-167 +Index: geneve-ut-171 ```python sequence by process.entity_id @@ -2568,7 +2568,7 @@ sequence by process.entity_id Branch count: 12 Document count: 12 -Index: geneve-ut-170 +Index: geneve-ut-174 ```python library where host.os.type == "windows" and event.action == "load" and @@ -2598,7 +2598,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 24 Document count: 24 -Index: geneve-ut-172 +Index: geneve-ut-176 ```python network where host.os.type == "windows" and network.protocol == "dns" and @@ -2623,7 +2623,7 @@ network where host.os.type == "windows" and network.protocol == "dns" and Branch count: 1 Document count: 2 -Index: geneve-ut-174 +Index: geneve-ut-178 ```python sequence by process.entity_id @@ -2644,7 +2644,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-175 +Index: geneve-ut-179 ```python sequence by process.entity_id @@ -2665,7 +2665,7 @@ sequence by process.entity_id Branch count: 9 Document count: 9 -Index: geneve-ut-176 +Index: geneve-ut-180 ```python process where container.id: "*" and event.type== "start" @@ -2678,7 +2678,7 @@ process where container.id: "*" and event.type== "start" Branch count: 1 Document count: 1 -Index: geneve-ut-177 +Index: geneve-ut-181 ```python event.kind:alert and event.module:cloud_defend 
@@ -2690,7 +2690,7 @@ event.kind:alert and event.module:cloud_defend Branch count: 5 Document count: 5 -Index: geneve-ut-180 +Index: geneve-ut-184 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -2710,7 +2710,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-182 +Index: geneve-ut-186 ```python file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and @@ -2723,7 +2723,7 @@ not process.name == "dockerd" Branch count: 2 Document count: 2 -Index: geneve-ut-183 +Index: geneve-ut-187 ```python file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and @@ -2738,7 +2738,7 @@ file.extension == "ko" and not process.name : ( Branch count: 1 Document count: 1 -Index: geneve-ut-184 +Index: geneve-ut-188 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -2755,7 +2755,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-185 +Index: geneve-ut-189 ```python any where host.os.type == "windows" and event.action == "Directory Service Changes" and @@ -2769,7 +2769,7 @@ any where host.os.type == "windows" and event.action == "Directory Service Chang Branch count: 2 Document count: 2 -Index: geneve-ut-186 +Index: geneve-ut-190 ```python registry where host.os.type == "windows" and registry.path : ( @@ -2784,7 +2784,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 2 Document count: 2 -Index: geneve-ut-187 +Index: geneve-ut-191 ```python file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") 
@@ -2796,7 +2796,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.name Branch count: 16 Document count: 16 -Index: geneve-ut-188 +Index: geneve-ut-192 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -2839,7 +2839,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 2 Document count: 2 -Index: geneve-ut-189 +Index: geneve-ut-193 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -2854,7 +2854,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 8 Document count: 8 -Index: geneve-ut-190 +Index: geneve-ut-194 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2869,7 +2869,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-191 +Index: geneve-ut-195 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2881,7 +2881,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-192 +Index: geneve-ut-196 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) @@ -2893,7 +2893,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-193 +Index: geneve-ut-197 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) 
@@ -2905,7 +2905,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-194 +Index: geneve-ut-198 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) @@ -2917,7 +2917,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-196 +Index: geneve-ut-200 ```python event.dataset:cyberarkpas.audit and event.type:error @@ -2929,7 +2929,7 @@ event.dataset:cyberarkpas.audit and event.type:error Branch count: 20 Document count: 20 -Index: geneve-ut-197 +Index: geneve-ut-201 ```python event.dataset:cyberarkpas.audit and @@ -2944,7 +2944,7 @@ event.dataset:cyberarkpas.audit and Branch count: 9 Document count: 9 -Index: geneve-ut-200 +Index: geneve-ut-204 ```python (event.dataset: network_traffic.tls or event.category: (network or network_traffic)) @@ -2959,7 +2959,7 @@ Index: geneve-ut-200 Branch count: 2 Document count: 2 -Index: geneve-ut-202 +Index: geneve-ut-206 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2973,7 +2973,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-203 +Index: geneve-ut-207 ```python process where host.os.type == "windows" and event.type == "start" and @@ -2987,7 +2987,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-205 +Index: geneve-ut-209 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3009,7 +3009,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-206 +Index: geneve-ut-210 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3026,7 +3026,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 24 -Index: geneve-ut-208 +Index: geneve-ut-212 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3043,7 +3043,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-209 +Index: geneve-ut-213 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3058,7 +3058,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-211 +Index: geneve-ut-215 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS @@ -3070,7 +3070,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-214 +Index: geneve-ut-218 ```python event.category:process and host.os.type:macos and event.type:start and @@ -3083,7 +3083,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-215 +Index: geneve-ut-219 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" @@ -3095,7 +3095,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 10 Document count: 20 -Index: geneve-ut-216 +Index: geneve-ut-220 ```python sequence by process.entity_id with maxspan=1m 
@@ -3113,7 +3113,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 12 Document count: 12 -Index: geneve-ut-217 +Index: geneve-ut-221 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3126,7 +3126,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 108 Document count: 108 -Index: geneve-ut-218 +Index: geneve-ut-222 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3141,7 +3141,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 12 Document count: 12 -Index: geneve-ut-219 +Index: geneve-ut-223 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -3155,7 +3155,7 @@ process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") Branch count: 2 Document count: 2 -Index: geneve-ut-220 +Index: geneve-ut-224 ```python event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6* @@ -3167,7 +3167,7 @@ event.category:process and event.type:(process_started or start) and process.nam Branch count: 201 Document count: 201 -Index: geneve-ut-221 +Index: geneve-ut-225 ```python process where @@ -3198,7 +3198,7 @@ or Branch count: 3 Document count: 3 -Index: geneve-ut-222 +Index: geneve-ut-226 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -3211,7 +3211,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-223 +Index: geneve-ut-227 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -3225,7 +3225,7 @@ process.args : ("firewall", "advfirewall") and process.args : "group=Network Dis Branch count: 14 Document count: 14 -Index: geneve-ut-225 +Index: geneve-ut-229 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3256,7 +3256,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-226 +Index: geneve-ut-230 ```python event.kind:alert and event.module:(endpoint and not endgame) @@ -3268,7 +3268,7 @@ event.kind:alert and event.module:(endpoint and not endgame) Branch count: 2 Document count: 2 -Index: geneve-ut-227 +Index: geneve-ut-231 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3282,7 +3282,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 7 Document count: 7 -Index: geneve-ut-228 +Index: geneve-ut-232 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3301,7 +3301,7 @@ not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") Branch count: 64 Document count: 64 -Index: geneve-ut-230 +Index: geneve-ut-234 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3328,7 +3328,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 46 Document count: 46 -Index: geneve-ut-234 +Index: geneve-ut-238 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -3358,7 +3358,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-235 +Index: geneve-ut-239 ```python event.category:process and host.os.type:windows and @@ -3371,7 +3371,7 @@ event.category:process and host.os.type:windows and Branch count: 64 Document count: 64 -Index: geneve-ut-237 +Index: geneve-ut-241 ```python file where host.os.type == "windows" and event.action != "deletion" and 
@@ -3399,7 +3399,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-238 +Index: geneve-ut-242 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -3412,7 +3412,7 @@ process.name : ("kworker*", "kthread*") and process.executable != null Branch count: 4 Document count: 8 -Index: geneve-ut-240 +Index: geneve-ut-244 ```python sequence by process.entity_id with maxspan=5m @@ -3432,7 +3432,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 4 Document count: 4 -Index: geneve-ut-241 +Index: geneve-ut-245 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3451,7 +3451,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 24 Document count: 48 -Index: geneve-ut-242 +Index: geneve-ut-246 ```python sequence with maxspan=2h @@ -3476,7 +3476,7 @@ sequence with maxspan=2h Branch count: 4 Document count: 8 -Index: geneve-ut-243 +Index: geneve-ut-247 ```python sequence with maxspan=2h @@ -3501,7 +3501,7 @@ sequence with maxspan=2h Branch count: 54 Document count: 162 -Index: geneve-ut-244 +Index: geneve-ut-248 ```python /* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */ @@ -3530,7 +3530,7 @@ sequence by host.id, user.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-246 +Index: geneve-ut-250 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) @@ -3542,7 +3542,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 7 Document count: 7 -Index: geneve-ut-248 +Index: geneve-ut-252 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and 
@@ -3565,7 +3565,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 1 Document count: 1 -Index: geneve-ut-250 +Index: geneve-ut-254 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" @@ -3577,7 +3577,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 2 Document count: 2 -Index: geneve-ut-251 +Index: geneve-ut-255 ```python process where host.os.type == "windows" and event.type : "start" and @@ -3599,7 +3599,7 @@ process where host.os.type == "windows" and event.type : "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-252 +Index: geneve-ut-256 ```python file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" @@ -3611,7 +3611,7 @@ file where host.os.type == "windows" and file.extension : "dll" and file.path : Branch count: 24 Document count: 24 -Index: geneve-ut-253 +Index: geneve-ut-257 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -3625,7 +3625,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-254 +Index: geneve-ut-258 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -3638,7 +3638,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 2 Document count: 2 -Index: geneve-ut-255 +Index: geneve-ut-259 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) 
@@ -3650,7 +3650,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-256 +Index: geneve-ut-260 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) @@ -3662,7 +3662,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-258 +Index: geneve-ut-262 ```python event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) @@ -3674,7 +3674,7 @@ event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) Branch count: 1 Document count: 1 -Index: geneve-ut-262 +Index: geneve-ut-266 ```python file where host.os.type == "windows" and event.code : "2" and @@ -3706,7 +3706,7 @@ file where host.os.type == "windows" and event.code : "2" and Branch count: 4 Document count: 4 -Index: geneve-ut-264 +Index: geneve-ut-268 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( @@ -3720,7 +3720,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 20 Document count: 20 -Index: geneve-ut-265 +Index: geneve-ut-269 ```python file where container.id: "*" and event.type in ("change", "creation") and @@ -3736,7 +3736,7 @@ process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x" Branch count: 1 Document count: 1 -Index: geneve-ut-267 +Index: geneve-ut-271 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -3751,7 +3751,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-268 +Index: geneve-ut-272 ```python process where event.module == "cloud_defend" and 
@@ -3766,7 +3766,7 @@ process where event.module == "cloud_defend" and Branch count: 375 Document count: 750 -Index: geneve-ut-269 +Index: geneve-ut-273 ```python sequence by process.entity_id @@ -3793,7 +3793,7 @@ sequence by process.entity_id Branch count: 16 Document count: 16 -Index: geneve-ut-270 +Index: geneve-ut-274 ```python process where event.type == "start" and host.os.type == "windows" and @@ -3814,7 +3814,7 @@ not ( Branch count: 2 Document count: 2 -Index: geneve-ut-271 +Index: geneve-ut-275 ```python process where host.os.type == "linux" and event.type == "start" and user.id == "0" and @@ -3829,7 +3829,7 @@ process where host.os.type == "linux" and event.type == "start" and user.id == " Branch count: 11 Document count: 11 -Index: geneve-ut-272 +Index: geneve-ut-276 ```python process where host.os.type == "windows" and event.type == "start" and @@ -3855,7 +3855,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-274 +Index: geneve-ut-278 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and @@ -3881,7 +3881,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 1 Document count: 1 -Index: geneve-ut-292 +Index: geneve-ut-296 ```python event.dataset: google_workspace.alert @@ -3893,7 +3893,7 @@ event.dataset: google_workspace.alert Branch count: 2 Document count: 2 -Index: geneve-ut-294 +Index: geneve-ut-298 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule) @@ -3905,7 +3905,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-295 +Index: geneve-ut-299 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule) 
@@ -3917,7 +3917,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.a Branch count: 2 Document count: 2 -Index: geneve-ut-296 +Index: geneve-ut-300 ```python event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule) @@ -3929,7 +3929,7 @@ event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.ap Branch count: 1 Document count: 1 -Index: geneve-ut-297 +Index: geneve-ut-301 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success @@ -3941,7 +3941,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-298 +Index: geneve-ut-302 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success @@ -3953,7 +3953,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and even Branch count: 1 Document count: 1 -Index: geneve-ut-299 +Index: geneve-ut-303 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success @@ -3965,7 +3965,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-300 +Index: geneve-ut-304 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success @@ -3977,7 +3977,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-301 +Index: geneve-ut-305 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success 
@@ -3989,7 +3989,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Delet Branch count: 1 Document count: 1 -Index: geneve-ut-302 +Index: geneve-ut-306 ```python event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success @@ -4001,7 +4001,7 @@ event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.Updat Branch count: 1 Document count: 1 -Index: geneve-ut-303 +Index: geneve-ut-307 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success @@ -4013,7 +4013,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-304 +Index: geneve-ut-308 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success @@ -4025,7 +4025,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubsc Branch count: 1 Document count: 1 -Index: geneve-ut-305 +Index: geneve-ut-309 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success @@ -4037,7 +4037,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic Branch count: 1 Document count: 1 -Index: geneve-ut-306 +Index: geneve-ut-310 ```python event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success @@ -4049,7 +4049,7 @@ event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic Branch count: 1 Document count: 1 -Index: geneve-ut-307 +Index: geneve-ut-311 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success 
@@ -4061,7 +4061,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-308 +Index: geneve-ut-312 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success @@ -4073,7 +4073,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-309 +Index: geneve-ut-313 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success @@ -4085,7 +4085,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccou Branch count: 1 Document count: 1 -Index: geneve-ut-310 +Index: geneve-ut-314 ```python event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success @@ -4097,7 +4097,7 @@ event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccoun Branch count: 1 Document count: 1 -Index: geneve-ut-311 +Index: geneve-ut-315 ```python event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success @@ -4109,7 +4109,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-312 +Index: geneve-ut-316 ```python event.dataset:gcp.audit and event.action:"storage.buckets.delete" @@ -4121,7 +4121,7 @@ event.dataset:gcp.audit and event.action:"storage.buckets.delete" Branch count: 1 Document count: 1 -Index: geneve-ut-313 +Index: geneve-ut-317 ```python event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success @@ -4133,7 +4133,7 @@ event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.o Branch count: 1 Document count: 1 -Index: geneve-ut-314 +Index: geneve-ut-318 ```python event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success 
@@ -4145,7 +4145,7 @@ event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.ou Branch count: 2 Document count: 2 -Index: geneve-ut-315 +Index: geneve-ut-319 ```python event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert") @@ -4157,7 +4157,7 @@ event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.comp Branch count: 1 Document count: 1 -Index: geneve-ut-316 +Index: geneve-ut-320 ```python event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success @@ -4169,7 +4169,7 @@ event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outc Branch count: 1 Document count: 1 -Index: geneve-ut-317 +Index: geneve-ut-321 ```python configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" @@ -4181,7 +4181,7 @@ configuration where event.dataset == "github.audit" and github.category == "inte Branch count: 1 Document count: 1 -Index: geneve-ut-318 +Index: geneve-ut-322 ```python iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin" @@ -4193,7 +4193,7 @@ iam where event.dataset == "github.audit" and event.action == "org.update_member Branch count: 1 Document count: 1 -Index: geneve-ut-319 +Index: geneve-ut-323 ```python configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" @@ -4205,7 +4205,7 @@ configuration where event.dataset == "github.audit" and event.action == "persona Branch count: 1 Document count: 1 -Index: geneve-ut-320 +Index: geneve-ut-324 ```python configuration where event.dataset == "github.audit" @@ -4218,7 +4218,7 @@ configuration where event.dataset == "github.audit" Branch count: 1 Document count: 1 -Index: geneve-ut-321 +Index: geneve-ut-325 ```python configuration where event.dataset == "github.audit" and event.action == "repo.create" 
@@ -4230,7 +4230,7 @@ configuration where event.dataset == "github.audit" and event.action == "repo.cr Branch count: 1 Document count: 1 -Index: geneve-ut-322 +Index: geneve-ut-326 ```python configuration where event.module == "github" and event.action == "repo.destroy" @@ -4242,7 +4242,7 @@ configuration where event.module == "github" and event.action == "repo.destroy" Branch count: 1 Document count: 1 -Index: geneve-ut-324 +Index: geneve-ut-328 ```python configuration where event.dataset == "github.audit" and event.action == "org.block_user" @@ -4254,7 +4254,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.blo Branch count: 1 Document count: 1 -Index: geneve-ut-325 +Index: geneve-ut-329 ```python event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_REQUEST" @@ -4267,7 +4267,7 @@ event.dataset:"google_workspace.admin" and event.action:"CREATE_DATA_TRANSFER_RE Branch count: 1 Document count: 1 -Index: geneve-ut-326 +Index: geneve-ut-330 ```python event.dataset:"google_workspace.login" and event.action:"2sv_disable" @@ -4279,7 +4279,7 @@ event.dataset:"google_workspace.login" and event.action:"2sv_disable" Branch count: 1 Document count: 1 -Index: geneve-ut-327 +Index: geneve-ut-331 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS @@ -4291,7 +4291,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-328 +Index: geneve-ut-332 ```python event.dataset:"google_workspace.admin" and event.category:"iam" and event.action:"ASSIGN_ROLE" @@ -4304,7 +4304,7 @@ event.dataset:"google_workspace.admin" and event.category:"iam" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-329 +Index: geneve-ut-333 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE 
@@ -4316,7 +4316,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-330 +Index: geneve-ut-334 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4329,7 +4329,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 1 Document count: 1 -Index: geneve-ut-331 +Index: geneve-ut-335 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE @@ -4341,7 +4341,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 4 Document count: 4 -Index: geneve-ut-332 +Index: geneve-ut-336 ```python event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" or "CHANGE_GMAIL_SETTING") @@ -4354,7 +4354,7 @@ event.dataset:"google_workspace.admin" and event.action:("CREATE_GMAIL_SETTING" Branch count: 105 Document count: 105 -Index: geneve-ut-333 +Index: geneve-ut-337 ```python file where event.dataset == "google_workspace.drive" and event.action : ("copy", "view", "download") and @@ -4371,7 +4371,7 @@ file where event.dataset == "google_workspace.drive" and event.action : ("copy", Branch count: 1 Document count: 1 -Index: geneve-ut-334 +Index: geneve-ut-338 ```python event.dataset:google_workspace.admin and event.provider:admin @@ -4385,7 +4385,7 @@ event.dataset:google_workspace.admin and event.provider:admin Branch count: 4 Document count: 8 -Index: geneve-ut-335 +Index: geneve-ut-339 ```python sequence by source.user.email with maxspan=3m @@ -4409,7 +4409,7 @@ sequence by source.user.email with maxspan=3m Branch count: 12 Document count: 12 -Index: geneve-ut-336 +Index: geneve-ut-340 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and 
@@ -4430,7 +4430,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 2 Document count: 2 -Index: geneve-ut-337 +Index: geneve-ut-341 ```python event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) @@ -4444,7 +4444,7 @@ event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETT Branch count: 2 Document count: 2 -Index: geneve-ut-338 +Index: geneve-ut-342 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE) @@ -4456,7 +4456,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 1 Document count: 1 -Index: geneve-ut-339 +Index: geneve-ut-343 ```python event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER @@ -4468,7 +4468,7 @@ event.dataset:google_workspace.admin and event.category:iam and event.action:UNS Branch count: 1 Document count: 1 -Index: geneve-ut-340 +Index: geneve-ut-344 ```python event.dataset:"google_workspace.admin" and event.type:change and event.category:iam @@ -4481,7 +4481,7 @@ event.dataset:"google_workspace.admin" and event.type:change and event.category: Branch count: 8 Document count: 8 -Index: geneve-ut-342 +Index: geneve-ut-346 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4494,7 +4494,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-344 +Index: geneve-ut-348 ```python file where event.type == "creation" and process.name == "chflags" @@ -4506,7 +4506,7 @@ file where event.type == "creation" and process.name == "chflags" Branch count: 12 Document count: 12 -Index: geneve-ut-353 +Index: geneve-ut-357 ```python any where 
@@ -4535,7 +4535,7 @@ any where Branch count: 12 Document count: 12 -Index: geneve-ut-354 +Index: geneve-ut-358 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -4548,7 +4548,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-355 +Index: geneve-ut-359 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4563,7 +4563,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 3 Document count: 3 -Index: geneve-ut-356 +Index: geneve-ut-360 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500 @@ -4575,7 +4575,7 @@ Index: geneve-ut-356 Branch count: 8 Document count: 8 -Index: geneve-ut-359 +Index: geneve-ut-363 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4592,7 +4592,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-361 +Index: geneve-ut-365 ```python sequence with maxspan=1m @@ -4611,7 +4611,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-362 +Index: geneve-ut-366 ```python sequence by host.id with maxspan=1m @@ -4629,7 +4629,7 @@ sequence by host.id with maxspan=1m Branch count: 2 Document count: 4 -Index: geneve-ut-363 +Index: geneve-ut-367 ```python sequence by host.id with maxspan=5s @@ -4648,7 +4648,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 8 -Index: geneve-ut-364 +Index: geneve-ut-368 ```python sequence by host.id with maxspan = 30s @@ -4664,7 +4664,7 @@ sequence by host.id with maxspan = 30s Branch count: 4 Document count: 8 -Index: geneve-ut-365 +Index: geneve-ut-369 ```python sequence by host.id with maxspan=30s 
@@ -4680,7 +4680,7 @@ sequence by host.id with maxspan=30s Branch count: 2 Document count: 2 -Index: geneve-ut-366 +Index: geneve-ut-370 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4693,7 +4693,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-368 +Index: geneve-ut-372 ```python process where host.os.type == "windows" and event.type == "start" and @@ -4706,7 +4706,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-369 +Index: geneve-ut-373 ```python /* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */ @@ -4722,7 +4722,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-370 +Index: geneve-ut-374 ```python registry where host.os.type == "windows" and event.type in ("creation", "change") and @@ -4741,7 +4741,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" Branch count: 4 Document count: 4 -Index: geneve-ut-371 +Index: geneve-ut-375 ```python registry where host.os.type == "windows" and @@ -4760,7 +4760,7 @@ registry where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-372 +Index: geneve-ut-376 ```python process where container.id : "*" and event.type== "start" and @@ -4781,7 +4781,7 @@ process.interactive == true Branch count: 6 Document count: 6 -Index: geneve-ut-374 +Index: geneve-ut-378 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and 
@@ -4794,7 +4794,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 36 Document count: 36 -Index: geneve-ut-375 +Index: geneve-ut-379 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4812,7 +4812,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-376 +Index: geneve-ut-380 ```python event.action:modified-user-account and event.code:4738 and @@ -4825,7 +4825,7 @@ event.action:modified-user-account and event.code:4738 and Branch count: 2 Document count: 2 -Index: geneve-ut-377 +Index: geneve-ut-381 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -4839,7 +4839,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-379 +Index: geneve-ut-383 ```python network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and @@ -4898,7 +4898,7 @@ network where host.os.type == "windows" and event.type == "start" and network.di Branch count: 2 Document count: 2 -Index: geneve-ut-380 +Index: geneve-ut-384 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -4911,7 +4911,7 @@ auditd.data.syscall in ("init_module", "finit_module") Branch count: 2 Document count: 2 -Index: geneve-ut-381 +Index: geneve-ut-385 ```python driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and @@ -4924,7 +4924,7 @@ auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" Branch count: 24 Document count: 24 -Index: geneve-ut-382 +Index: geneve-ut-386 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -4937,7 +4937,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-383 +Index: geneve-ut-387 ```python process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" @@ -4949,7 +4949,7 @@ process where host.os.type == "linux" and event.type == "start" and process.name Branch count: 22 Document count: 22 -Index: geneve-ut-384 +Index: geneve-ut-388 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -4963,7 +4963,7 @@ process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh Branch count: 16 Document count: 16 -Index: geneve-ut-385 +Index: geneve-ut-389 ```python process where host.os.type == "macos" and event.type == "start" and @@ -4978,7 +4978,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-386 +Index: geneve-ut-390 ```python file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" @@ -4990,7 +4990,7 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten Branch count: 3 Document count: 3 -Index: geneve-ut-387 +Index: geneve-ut-391 ```python event.dataset:kubernetes.audit_logs @@ -5005,7 +5005,7 @@ event.dataset:kubernetes.audit_logs Branch count: 1 Document count: 1 -Index: geneve-ut-389 +Index: geneve-ut-393 ```python event.dataset: "kubernetes.audit_logs" @@ -5019,7 +5019,7 @@ event.dataset: "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-390 +Index: geneve-ut-394 ```python event.dataset : "kubernetes.audit_logs" @@ -5035,7 +5035,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-391 +Index: geneve-ut-395 ```python event.dataset : "kubernetes.audit_logs" 
@@ -5052,7 +5052,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-392 +Index: geneve-ut-396 ```python event.dataset : "kubernetes.audit_logs" @@ -5069,7 +5069,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 3 Document count: 3 -Index: geneve-ut-393 +Index: geneve-ut-397 ```python event.dataset : "kubernetes.audit_logs" @@ -5086,7 +5086,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 48 Document count: 48 -Index: geneve-ut-394 +Index: geneve-ut-398 ```python event.dataset : "kubernetes.audit_logs" @@ -5119,7 +5119,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-395 +Index: geneve-ut-399 ```python event.dataset : "kubernetes.audit_logs" @@ -5136,7 +5136,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-396 +Index: geneve-ut-400 ```python event.dataset : "kubernetes.audit_logs" @@ -5153,7 +5153,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 8 Document count: 8 -Index: geneve-ut-397 +Index: geneve-ut-401 ```python event.dataset : "kubernetes.audit_logs" @@ -5170,7 +5170,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 1 Document count: 1 -Index: geneve-ut-398 +Index: geneve-ut-402 ```python event.dataset : "kubernetes.audit_logs" @@ -5186,7 +5186,7 @@ event.dataset : "kubernetes.audit_logs" Branch count: 20 Document count: 20 -Index: geneve-ut-399 +Index: geneve-ut-403 ```python file where host.os.type == "windows" and event.action != "deletion" and @@ -5219,7 +5219,7 @@ file where host.os.type == "windows" and event.action != "deletion" and Branch count: 18 Document count: 18 -Index: geneve-ut-400 +Index: geneve-ut-404 ```python any where event.action == "File System" and event.code == "4656" and 
@@ -5254,7 +5254,7 @@ any where event.action == "File System" and event.code == "4656" and Branch count: 4 Document count: 4 -Index: geneve-ut-401 +Index: geneve-ut-405 ```python api where host.os.type == "windows" and @@ -5308,7 +5308,7 @@ api where host.os.type == "windows" and Branch count: 8 Document count: 8 -Index: geneve-ut-402 +Index: geneve-ut-406 ```python file where host.os.type == "windows" and event.type in ("creation", "change") and @@ -5326,7 +5326,7 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an Branch count: 6 Document count: 12 -Index: geneve-ut-403 +Index: geneve-ut-407 ```python sequence by host.id with maxspan=1m @@ -5342,7 +5342,7 @@ sequence by host.id with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-404 +Index: geneve-ut-408 ```python sequence by host.id with maxspan=1m @@ -5356,7 +5356,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-406 +Index: geneve-ut-410 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -5371,7 +5371,7 @@ process.args != "1" Branch count: 609 Document count: 609 -Index: geneve-ut-407 +Index: geneve-ut-411 ```python process where host.os.type == "linux" and event.type == "start" and @@ -5433,7 +5433,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 64 Document count: 64 -Index: geneve-ut-408 +Index: geneve-ut-412 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( @@ -5449,7 +5449,7 @@ process where event.type == "start" and event.action in ("exec", "exec_event", " Branch count: 240 Document count: 240 -Index: geneve-ut-410 +Index: geneve-ut-414 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -5469,7 +5469,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 600 Document count: 1200 -Index: geneve-ut-413 +Index: geneve-ut-417 ```python sequence with maxspan=1m @@ -5494,7 +5494,7 @@ sequence with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-415 +Index: geneve-ut-419 ```python event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false @@ -5506,7 +5506,7 @@ event.dataset:google_workspace.admin and event.provider:admin and event.category Branch count: 48 Document count: 96 -Index: geneve-ut-417 +Index: geneve-ut-421 ```python sequence by host.id, user.id with maxspan=30s @@ -5520,7 +5520,7 @@ sequence by host.id, user.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-418 +Index: geneve-ut-422 ```python ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com @@ -5532,7 +5532,7 @@ ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.c Branch count: 1 Document count: 1 -Index: geneve-ut-419 +Index: geneve-ut-423 ```python ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com @@ -5544,7 +5544,7 @@ ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmclo Branch count: 2 Document count: 2 -Index: geneve-ut-421 +Index: geneve-ut-425 ```python process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") 
@@ -5556,7 +5556,7 @@ process where (problemchild.prediction == 1 or blocklist_label == 1) and not pro Branch count: 2 Document count: 2 -Index: geneve-ut-423 +Index: geneve-ut-427 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5568,7 +5568,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-424 +Index: geneve-ut-428 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) @@ -5580,7 +5580,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-426 +Index: geneve-ut-430 ```python configuration where event.dataset == "github.audit" and event.action == "org.remove_member" @@ -5592,7 +5592,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.rem Branch count: 1 Document count: 1 -Index: geneve-ut-428 +Index: geneve-ut-432 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-AntiPhishPolicy" and event.outcome:success @@ -5604,7 +5604,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-429 +Index: geneve-ut-433 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-AntiPhishRule" or "Disable-AntiPhishRule") and event.outcome:success 
@@ -5616,7 +5616,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-430 +Index: geneve-ut-434 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Set-DkimSigningConfig" and o365.audit.Parameters.Enabled:False and event.outcome:success @@ -5628,7 +5628,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-431 +Index: geneve-ut-435 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-DlpPolicy" and event.outcome:success @@ -5640,7 +5640,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-432 +Index: geneve-ut-436 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Remove-MalwareFilterPolicy" and event.outcome:success @@ -5652,7 +5652,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-433 +Index: geneve-ut-437 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-MalwareFilterRule" or "Disable-MalwareFilterRule") and event.outcome:success @@ -5664,7 +5664,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-434 +Index: geneve-ut-438 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success 
@@ -5676,7 +5676,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-435 +Index: geneve-ut-439 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeAttachmentRule" and event.outcome:success @@ -5688,7 +5688,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-436 +Index: geneve-ut-440 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"Disable-SafeLinksRule" and event.outcome:success @@ -5700,7 +5700,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-437 +Index: geneve-ut-441 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-TransportRule" and event.outcome:success @@ -5712,7 +5712,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 2 Document count: 2 -Index: geneve-ut-438 +Index: geneve-ut-442 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Remove-TransportRule" or "Disable-TransportRule") and event.outcome:success @@ -5724,7 +5724,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and Branch count: 1 Document count: 1 -Index: geneve-ut-439 +Index: geneve-ut-443 ```python event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and @@ -5737,7 +5737,7 @@ o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator" Branch count: 6 Document count: 6 -Index: geneve-ut-440 +Index: geneve-ut-444 ```python event.dataset:o365.audit and event.provider:Exchange and 
@@ -5756,7 +5756,7 @@ event.category:web and event.action:("New-InboxRule" or "Set-InboxRule") and Branch count: 1 Document count: 1 -Index: geneve-ut-441 +Index: geneve-ut-445 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Potential ransomware activity" and event.outcome:success @@ -5768,7 +5768,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-442 +Index: geneve-ut-446 ```python event.dataset:o365.audit and event.provider:MicrosoftTeams and @@ -5783,7 +5783,7 @@ o365.audit.NewValue:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-443 +Index: geneve-ut-447 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -5797,7 +5797,7 @@ o365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success Branch count: 2 Document count: 2 -Index: geneve-ut-444 +Index: geneve-ut-448 ```python event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and @@ -5811,7 +5811,7 @@ o365.audit.Parameters.AllowGuestUser:True and event.outcome:success Branch count: 1 Document count: 1 -Index: geneve-ut-445 +Index: geneve-ut-449 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"Unusual volume of file deletion" and event.outcome:success @@ -5823,7 +5823,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 1 Document count: 1 -Index: geneve-ut-446 +Index: geneve-ut-450 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:"User restricted from sending email" and event.outcome:success 
@@ -5835,7 +5835,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.c Branch count: 2 Document count: 2 -Index: geneve-ut-449 +Index: geneve-ut-453 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5849,7 +5849,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-450 +Index: geneve-ut-454 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5870,7 +5870,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-451 +Index: geneve-ut-455 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5884,7 +5884,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-452 +Index: geneve-ut-456 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5907,7 +5907,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 48 -Index: geneve-ut-453 +Index: geneve-ut-457 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -5932,7 +5932,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 4 Document count: 4 -Index: geneve-ut-454 +Index: geneve-ut-458 ```python event.category: "process" and host.os.type:windows and @@ -5956,7 +5956,7 @@ event.category: "process" and host.os.type:windows and Branch count: 8 Document count: 8 -Index: geneve-ut-455 +Index: geneve-ut-459 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5971,7 +5971,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-456 +Index: geneve-ut-460 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -5985,7 +5985,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-457 +Index: geneve-ut-461 ```python process where host.os.type == "windows" and event.type == "start" and @@ -5999,7 +5999,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-459 +Index: geneve-ut-463 ```python file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" @@ -6011,7 +6011,7 @@ file where host.os.type == "windows" and file.name : "mimilsa.log" and process.n Branch count: 4 Document count: 4 -Index: geneve-ut-461 +Index: geneve-ut-465 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6028,7 +6028,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-463 +Index: geneve-ut-467 ```python file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload" @@ -6040,7 +6040,7 @@ file where event.module== "cloud_defend" and event.type != "deletion" and file.p Branch count: 1 Document count: 1 -Index: geneve-ut-464 +Index: geneve-ut-468 ```python event.category:process and host.os.type:macos and event.type:start and @@ -6065,7 +6065,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-465 +Index: geneve-ut-469 ```python event.category:file and host.os.type:linux and event.type:change and @@ -6084,7 +6084,7 @@ event.category:file and host.os.type:linux and event.type:change and Branch count: 1 Document count: 1 -Index: geneve-ut-466 +Index: geneve-ut-470 ```python event.category:process and host.os.type:macos and event.type:start and 
@@ -6106,7 +6106,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 1 Document count: 1 -Index: geneve-ut-469 +Index: geneve-ut-473 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -6120,7 +6120,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 2 Document count: 2 -Index: geneve-ut-470 +Index: geneve-ut-474 ```python event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete) @@ -6132,7 +6132,7 @@ event.dataset:okta.system and event.action:(application.policy.sign_on.update or Branch count: 2 Document count: 2 -Index: geneve-ut-471 +Index: geneve-ut-475 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6155,7 +6155,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-472 +Index: geneve-ut-476 ```python process where event.module == "cloud_defend" and event.type== "start" and @@ -6168,7 +6168,7 @@ process where event.module == "cloud_defend" and event.type== "start" and Branch count: 12 Document count: 12 -Index: geneve-ut-473 +Index: geneve-ut-477 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6187,7 +6187,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-474 +Index: geneve-ut-478 ```python sequence by process.entity_id @@ -6203,7 +6203,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-475 +Index: geneve-ut-479 ```python sequence by process.entity_id with maxspan=10m 
@@ -6221,7 +6221,7 @@ sequence by process.entity_id with maxspan=10m Branch count: 2 Document count: 2 -Index: geneve-ut-476 +Index: geneve-ut-480 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Authentication" and event.outcome:(Success or success) @@ -6233,7 +6233,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Disable Strong Branch count: 1 Document count: 6 -Index: geneve-ut-479 +Index: geneve-ut-483 ```python sequence by winlog.computer_name, source.ip with maxspan=5s @@ -6259,7 +6259,7 @@ sequence by winlog.computer_name, source.ip with maxspan=5s Branch count: 1 Document count: 10 -Index: geneve-ut-480 +Index: geneve-ut-484 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -6285,7 +6285,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 1 Document count: 2 -Index: geneve-ut-484 +Index: geneve-ut-488 ```python sequence by winlog.computer_name, winlog.process.pid with maxspan=1s @@ -6309,7 +6309,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-487 +Index: geneve-ut-491 ```python process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and @@ -6324,7 +6324,7 @@ not process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox- Branch count: 560 Document count: 560 -Index: geneve-ut-488 +Index: geneve-ut-492 ```python process where container.id: "*" and event.type== "start" @@ -6347,7 +6347,7 @@ process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional") Branch count: 10 Document count: 10 -Index: geneve-ut-489 +Index: geneve-ut-493 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -6361,7 +6361,7 @@ process.args : "*l*" and process.args_count >= 4 Branch count: 2 Document count: 2 -Index: geneve-ut-490 +Index: geneve-ut-494 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -6377,7 +6377,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 16 Document count: 32 -Index: geneve-ut-492 +Index: geneve-ut-496 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -6400,7 +6400,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-494 +Index: geneve-ut-498 ```python network where host.os.type == "windows" and process.name : "certutil.exe" and @@ -6419,7 +6419,7 @@ network where host.os.type == "windows" and process.name : "certutil.exe" and Branch count: 1 Document count: 2 -Index: geneve-ut-495 +Index: geneve-ut-499 ```python sequence by process.entity_id @@ -6439,7 +6439,7 @@ sequence by process.entity_id Branch count: 1 Document count: 2 -Index: geneve-ut-496 +Index: geneve-ut-500 ```python sequence by process.entity_id @@ -6458,7 +6458,7 @@ sequence by process.entity_id Branch count: 3 Document count: 12 -Index: geneve-ut-497 +Index: geneve-ut-501 ```python sequence by host.id with maxspan=1m @@ -6476,7 +6476,7 @@ sequence by host.id with maxspan=1m Branch count: 18 Document count: 36 -Index: geneve-ut-498 +Index: geneve-ut-502 ```python sequence by process.entity_id @@ -6501,7 +6501,7 @@ sequence by process.entity_id Branch count: 16 Document count: 32 -Index: geneve-ut-499 +Index: geneve-ut-503 ```python sequence by process.entity_id @@ -6523,7 +6523,7 @@ sequence by process.entity_id Branch count: 3 Document count: 3 -Index: geneve-ut-504 +Index: geneve-ut-508 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -6536,7 +6536,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-505 +Index: geneve-ut-509 ```python configuration where event.dataset == "github.audit" and event.action == "integration_installation.create" @@ -6548,7 +6548,7 @@ configuration where event.dataset == "github.audit" and event.action == "integra Branch count: 1 Document count: 1 -Index: geneve-ut-506 +Index: geneve-ut-510 ```python iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin" @@ -6560,7 +6560,7 @@ iam where event.dataset == "github.audit" and event.action == "org.add_member" a Branch count: 1 Document count: 1 -Index: geneve-ut-507 +Index: geneve-ut-511 ```python event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* @@ -6572,7 +6572,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* Branch count: 1 Document count: 1 -Index: geneve-ut-508 +Index: geneve-ut-512 ```python event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" @@ -6584,7 +6584,7 @@ event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and Branch count: 1 Document count: 1 -Index: geneve-ut-511 +Index: geneve-ut-515 ```python configuration where event.dataset == "github.audit" and event.action == "org.add_member" @@ -6596,7 +6596,7 @@ configuration where event.dataset == "github.audit" and event.action == "org.add Branch count: 6 Document count: 6 -Index: geneve-ut-512 +Index: geneve-ut-516 ```python event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or 
@@ -6610,7 +6610,7 @@ event.outcome:success Branch count: 4 Document count: 4 -Index: geneve-ut-513 +Index: geneve-ut-517 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -6623,7 +6623,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-515 +Index: geneve-ut-519 ```python event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish" @@ -6635,7 +6635,7 @@ event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.a Branch count: 3 Document count: 3 -Index: geneve-ut-517 +Index: geneve-ut-521 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and @@ -6649,7 +6649,7 @@ not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)" Branch count: 1 Document count: 1 -Index: geneve-ut-518 +Index: geneve-ut-522 ```python event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success @@ -6661,7 +6661,7 @@ event.dataset:o365.audit and event.provider:Exchange and event.action:Set-Mailbo Branch count: 1 Document count: 1 -Index: geneve-ut-519 +Index: geneve-ut-523 ```python registry where host.os.type == "windows" and event.action != "deletion" and @@ -6674,7 +6674,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-521 +Index: geneve-ut-525 ```python event.dataset:okta.system and event.category:authentication and 
@@ -6687,7 +6687,7 @@ event.dataset:okta.system and event.category:authentication and Branch count: 10 Document count: 10 -Index: geneve-ut-522 +Index: geneve-ut-526 ```python event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and @@ -6710,7 +6710,7 @@ event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/ Branch count: 2 Document count: 2 -Index: geneve-ut-523 +Index: geneve-ut-527 ```python event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true) @@ -6722,7 +6722,7 @@ event.dataset:okta.system and (event.action:security.threat.detected or okta.deb Branch count: 1 Document count: 1 -Index: geneve-ut-524 +Index: geneve-ut-528 ```python event.dataset:okta.system and event.action:user.session.impersonation.initiate @@ -6734,7 +6734,7 @@ event.dataset:okta.system and event.action:user.session.impersonation.initiate Branch count: 1 Document count: 1 -Index: geneve-ut-526 +Index: geneve-ut-530 ```python event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -6746,7 +6746,7 @@ event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFi Branch count: 36 Document count: 72 -Index: geneve-ut-527 +Index: geneve-ut-531 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -6761,7 +6761,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-529 +Index: geneve-ut-533 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -6775,7 +6775,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-530 +Index: geneve-ut-534 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -6787,7 +6787,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-531 +Index: geneve-ut-535 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) @@ -6799,7 +6799,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-532 +Index: geneve-ut-536 ```python process where host.os.type == "windows" and event.type == "start" and @@ -6817,7 +6817,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-533 +Index: geneve-ut-537 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -6830,7 +6830,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 1 -Index: geneve-ut-534 +Index: geneve-ut-538 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -6844,7 +6844,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 66 Document count: 132 -Index: geneve-ut-535 +Index: geneve-ut-539 ```python sequence by host.id with maxspan=5s @@ -6860,7 +6860,7 @@ sequence by host.id with maxspan=5s Branch count: 12 Document count: 12 -Index: geneve-ut-536 +Index: geneve-ut-540 ```python /* Registry Path ends with backslash */ 
@@ -6885,7 +6885,7 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > Branch count: 32 Document count: 32 -Index: geneve-ut-537 +Index: geneve-ut-541 ```python file where host.os.type == "linux" and event.type != "deletion" and @@ -6911,7 +6911,7 @@ file where host.os.type == "linux" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-538 +Index: geneve-ut-542 ```python process where host.os.type == "macos" and event.type == "start" and @@ -6931,7 +6931,7 @@ process where host.os.type == "macos" and event.type == "start" and Branch count: 18 Document count: 18 -Index: geneve-ut-539 +Index: geneve-ut-543 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6950,7 +6950,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-540 +Index: geneve-ut-544 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6963,7 +6963,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 6 Document count: 6 -Index: geneve-ut-541 +Index: geneve-ut-545 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -6979,7 +6979,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-542 +Index: geneve-ut-546 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -7005,7 +7005,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-543 +Index: geneve-ut-547 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7024,7 +7024,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-544 +Index: geneve-ut-548 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7052,7 +7052,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-545 +Index: geneve-ut-549 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7067,7 +7067,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-548 +Index: geneve-ut-552 ```python registry where host.os.type == "windows" and registry.path : ( @@ -7082,7 +7082,7 @@ registry where host.os.type == "windows" and registry.path : ( Branch count: 18 Document count: 18 -Index: geneve-ut-549 +Index: geneve-ut-553 ```python event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and @@ -7100,7 +7100,7 @@ event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and Branch count: 4 Document count: 4 -Index: geneve-ut-551 +Index: geneve-ut-555 ```python event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation) @@ -7112,7 +7112,7 @@ event.dataset:okta.system and event.action:(application.integration.rate_limit_e Branch count: 16 Document count: 16 -Index: geneve-ut-553 +Index: geneve-ut-558 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -7125,7 +7125,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-555 +Index: geneve-ut-560 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and 
@@ -7140,7 +7140,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 8 Document count: 16 -Index: geneve-ut-557 +Index: geneve-ut-562 ```python sequence by host.id, process.parent.entity_id with maxspan=5m @@ -7157,7 +7157,7 @@ sequence by host.id, process.parent.entity_id with maxspan=5m Branch count: 8 Document count: 8 -Index: geneve-ut-558 +Index: geneve-ut-563 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "fork", "fork_event") and @@ -7173,7 +7173,7 @@ user.name == "postgres" and ( Branch count: 2 Document count: 6 -Index: geneve-ut-559 +Index: geneve-ut-564 ```python sequence by host.id, user.name with maxspan = 5s @@ -7202,7 +7202,7 @@ sequence by host.id, user.name with maxspan = 5s Branch count: 1 Document count: 1 -Index: geneve-ut-560 +Index: geneve-ut-565 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -7215,7 +7215,7 @@ event.type == "change" and file.name : "notify_on_release" Branch count: 1 Document count: 1 -Index: geneve-ut-561 +Index: geneve-ut-566 ```python file where event.module == "cloud_defend" and event.action == "open" and @@ -7228,7 +7228,7 @@ event.type == "change" and file.name : "release_agent" Branch count: 63 Document count: 63 -Index: geneve-ut-562 +Index: geneve-ut-567 ```python process where event.type in ("start", "process_started", "info") and @@ -7252,7 +7252,7 @@ process where event.type in ("start", "process_started", "info") and Branch count: 12 Document count: 12 -Index: geneve-ut-563 +Index: geneve-ut-568 ```python any where event.action : ("Directory Service Access", "object-operation-performed") and @@ -7287,7 +7287,7 @@ any where event.action : ("Directory Service Access", "object-operation-performe Branch count: 1 Document count: 1 -Index: geneve-ut-564 +Index: geneve-ut-569 ```python process where host.os.type == "windows" and event.code == "10" and 
@@ -7305,7 +7305,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 2 Document count: 2 -Index: geneve-ut-565 +Index: geneve-ut-570 ```python process where host.os.type == "windows" and event.code == "10" and @@ -7328,7 +7328,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 4 Document count: 4 -Index: geneve-ut-566 +Index: geneve-ut-571 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -7382,7 +7382,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 2 Document count: 4 -Index: geneve-ut-567 +Index: geneve-ut-572 ```python sequence by process.entity_id with maxspan=1m @@ -7400,7 +7400,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 16 Document count: 32 -Index: geneve-ut-568 +Index: geneve-ut-573 ```python sequence by process.entity_id @@ -7415,7 +7415,7 @@ sequence by process.entity_id Branch count: 13 Document count: 13 -Index: geneve-ut-570 +Index: geneve-ut-575 ```python any where processor.name == "transaction" and @@ -7429,7 +7429,7 @@ url.fragment : ("", "", "*onerror=*", Branch count: 2 Document count: 2 -Index: geneve-ut-572 +Index: geneve-ut-577 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7450,7 +7450,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-573 +Index: geneve-ut-578 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7471,7 +7471,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-579 +Index: geneve-ut-584 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7484,7 +7484,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-580 +Index: geneve-ut-585 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7497,7 +7497,7 @@ process.parent.name == "proot" Branch count: 8 Document count: 8 -Index: geneve-ut-581 +Index: geneve-ut-586 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -7513,7 +7513,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 4 Document count: 4 -Index: geneve-ut-582 +Index: geneve-ut-587 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -7526,7 +7526,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 4 -Index: geneve-ut-583 +Index: geneve-ut-588 ```python sequence by process.entity_id with maxspan=3m @@ -7550,7 +7550,7 @@ sequence by process.entity_id with maxspan=3m Branch count: 6 Document count: 6 -Index: geneve-ut-584 +Index: geneve-ut-589 ```python process where host.os.type == "windows" and event.type == "start" and @@ -7575,7 +7575,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 4 -Index: geneve-ut-586 +Index: geneve-ut-591 ```python sequence by host.id, user.id with maxspan=1s @@ -7593,7 +7593,7 @@ sequence by host.id, user.id with maxspan=1s Branch count: 2 Document count: 2 -Index: geneve-ut-589 +Index: geneve-ut-594 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7606,7 +7606,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-590 +Index: geneve-ut-595 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -7619,7 +7619,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 4 Document count: 4 -Index: geneve-ut-591 +Index: geneve-ut-596 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -7633,7 +7633,7 @@ process.args : "*hidepid=2*" Branch count: 60 Document count: 120 -Index: geneve-ut-594 +Index: geneve-ut-599 ```python sequence by host.id with maxspan=1m @@ -7669,7 +7669,7 @@ sequence by host.id with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-595 +Index: geneve-ut-600 ```python event.category:process and host.os.type:macos and event.type:start and @@ -7682,7 +7682,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 2 Document count: 2 -Index: geneve-ut-596 +Index: geneve-ut-601 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -7700,7 +7700,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-597 +Index: geneve-ut-602 ```python process where host.os.type == "windows" and event.code:"4688" and @@ -7714,7 +7714,7 @@ process where host.os.type == "windows" and event.code:"4688" and Branch count: 24 Document count: 48 -Index: geneve-ut-599 +Index: geneve-ut-604 ```python sequence by host.id with maxspan=30s @@ -7733,7 +7733,7 @@ sequence by host.id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-600 +Index: geneve-ut-605 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -7746,7 +7746,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 3 Document count: 6 -Index: geneve-ut-601 +Index: geneve-ut-606 ```python sequence by host.id, process.parent.name with maxspan=1m @@ -7762,7 +7762,7 @@ sequence by host.id, process.parent.name with maxspan=1m Branch count: 2 Document count: 2 -Index: geneve-ut-602 +Index: geneve-ut-607 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7775,7 +7775,7 @@ process.name == "unshadow" and process.args_count >= 3 Branch count: 156 Document count: 156 -Index: geneve-ut-603 +Index: geneve-ut-608 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -7803,7 +7803,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 10 -Index: geneve-ut-604 +Index: geneve-ut-609 ```python sequence by host.id, process.parent.executable, user.id with maxspan=1s @@ -7821,7 +7821,7 @@ sequence by host.id, process.parent.executable, user.id with maxspan=1s Branch count: 72 Document count: 72 -Index: geneve-ut-606 +Index: geneve-ut-611 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -7835,7 +7835,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 458 Document count: 458 -Index: geneve-ut-607 +Index: geneve-ut-612 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -7863,7 +7863,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-608 +Index: geneve-ut-613 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -7882,7 +7882,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 54 Document count: 54 -Index: geneve-ut-610 +Index: geneve-ut-615 ```python process where host.os.type == "windows" and @@ -8020,7 +8020,7 @@ process where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-611 +Index: geneve-ut-616 ```python process where host.os.type == "windows" and @@ -8091,7 +8091,7 @@ process where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-614 +Index: geneve-ut-619 ```python library where host.os.type == "windows" and event.action == "load" and @@ -8108,7 +8108,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 12 Document count: 12 -Index: geneve-ut-615 +Index: geneve-ut-620 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -8125,7 +8125,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-617 +Index: geneve-ut-622 ```python event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip @@ -8137,7 +8137,7 @@ event.category:file and host.os.type:(macos and macos) and not event.type:deleti Branch count: 16 Document count: 16 -Index: geneve-ut-618 +Index: geneve-ut-623 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8178,7 +8178,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-623 +Index: geneve-ut-628 ```python network where process.name : ("http", "https") and destination.port not in (80, 443) and event.action in ( 
@@ -8192,7 +8192,7 @@ network where process.name : ("http", "https") and destination.port not in (80, Branch count: 2 Document count: 4 -Index: geneve-ut-624 +Index: geneve-ut-629 ```python sequence by process.entity_id with maxspan=1m @@ -8212,7 +8212,7 @@ sequence by process.entity_id with maxspan=1m Branch count: 84 Document count: 84 -Index: geneve-ut-626 +Index: geneve-ut-631 ```python file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and @@ -8253,7 +8253,7 @@ file where host.os.type == "linux" and event.type == "change" and process.execut Branch count: 2 Document count: 2 -Index: geneve-ut-627 +Index: geneve-ut-632 ```python network where host.os.type == "windows" and @@ -8279,7 +8279,7 @@ network where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-634 +Index: geneve-ut-639 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8292,7 +8292,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-635 +Index: geneve-ut-640 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8307,7 +8307,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 3 Document count: 3 -Index: geneve-ut-636 +Index: geneve-ut-641 ```python event.category:file and host.os.type:macos and not event.type:"deletion" and @@ -8320,7 +8320,7 @@ event.category:file and host.os.type:macos and not event.type:"deletion" and Branch count: 696 Document count: 696 -Index: geneve-ut-639 +Index: geneve-ut-644 ```python event.category:process and host.os.type:windows and 
@@ -8513,7 +8513,7 @@ event.category:process and host.os.type:windows and Branch count: 2 Document count: 2 -Index: geneve-ut-642 +Index: geneve-ut-647 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and @@ -8527,7 +8527,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-643 +Index: geneve-ut-648 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -8544,7 +8544,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 5 -Index: geneve-ut-644 +Index: geneve-ut-649 ```python sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s @@ -8558,7 +8558,7 @@ sequence by host.id, process.parent.entity_id, process.executable with maxspan=5 Branch count: 1 Document count: 1 -Index: geneve-ut-645 +Index: geneve-ut-650 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( @@ -8574,7 +8574,7 @@ process.interactive == true and process.parent.interactive == true Branch count: 3 Document count: 6 -Index: geneve-ut-649 +Index: geneve-ut-654 ```python sequence by process.parent.entity_id, host.id with maxspan=5s @@ -8590,7 +8590,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-650 +Index: geneve-ut-655 ```python file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" @@ -8602,7 +8602,7 @@ file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" Branch count: 4 Document count: 8 -Index: geneve-ut-651 +Index: geneve-ut-656 ```python sequence by host.id, process.entity_id with maxspan=1s 
@@ -8618,7 +8618,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 6 Document count: 24 -Index: geneve-ut-652 +Index: geneve-ut-657 ```python sequence by host.id with maxspan=1m @@ -8638,7 +8638,7 @@ sequence by host.id with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-653 +Index: geneve-ut-658 ```python event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) @@ -8650,7 +8650,7 @@ event.category:process and event.type:start and process.args:(echo and *NOPASSWD Branch count: 1 Document count: 1 -Index: geneve-ut-655 +Index: geneve-ut-660 ```python iam where event.action == "renamed-user-account" and @@ -8664,7 +8664,7 @@ iam where event.action == "renamed-user-account" and Branch count: 18 Document count: 18 -Index: geneve-ut-656 +Index: geneve-ut-661 ```python process where host.os.type == "windows" and event.action == "start" and @@ -8687,7 +8687,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-658 +Index: geneve-ut-663 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -8707,7 +8707,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-660 +Index: geneve-ut-665 ```python process where host.os.type == "linux" and event.type == "start" and @@ -8720,7 +8720,7 @@ process where host.os.type == "linux" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-663 +Index: geneve-ut-668 ```python file where host.os.type == "windows" and @@ -8735,7 +8735,7 @@ file where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-664 +Index: geneve-ut-669 ```python /* Identifies the modification of RDP Shadow registry or 
@@ -8762,7 +8762,7 @@ any where host.os.type == "windows" and Branch count: 5 Document count: 5 -Index: geneve-ut-665 +Index: geneve-ut-670 ```python process where host.os.type == "windows" and event.type == "start" and @@ -8777,7 +8777,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 48 Document count: 144 -Index: geneve-ut-666 +Index: geneve-ut-671 ```python sequence with maxspan=1m @@ -8819,7 +8819,7 @@ sequence with maxspan=1m Branch count: 864 Document count: 1728 -Index: geneve-ut-667 +Index: geneve-ut-672 ```python sequence by host.id with maxspan=5s @@ -8838,7 +8838,7 @@ sequence by host.id with maxspan=5s Branch count: 32 Document count: 32 -Index: geneve-ut-669 +Index: geneve-ut-674 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -8852,7 +8852,7 @@ process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish Branch count: 432 Document count: 864 -Index: geneve-ut-670 +Index: geneve-ut-675 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -8871,7 +8871,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 288 Document count: 576 -Index: geneve-ut-671 +Index: geneve-ut-676 ```python sequence by host.id with maxspan=5s @@ -8900,7 +8900,7 @@ sequence by host.id with maxspan=5s Branch count: 40 Document count: 40 -Index: geneve-ut-675 +Index: geneve-ut-680 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8916,7 +8916,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-677 +Index: geneve-ut-682 ```python file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" 
@@ -8928,7 +8928,7 @@ file where host.os.type == "windows" and event.type == "change" and file.name : Branch count: 1 Document count: 1 -Index: geneve-ut-678 +Index: geneve-ut-683 ```python event.action:"Directory Service Changes" and event.code:"5136" and @@ -8942,7 +8942,7 @@ event.action:"Directory Service Changes" and event.code:"5136" and Branch count: 72 Document count: 144 -Index: geneve-ut-681 +Index: geneve-ut-686 ```python sequence by host.id with maxspan=1s @@ -8961,7 +8961,7 @@ sequence by host.id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-686 +Index: geneve-ut-691 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -8974,7 +8974,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-687 +Index: geneve-ut-692 ```python sequence by host.id, process.session_leader.entity_id with maxspan=15s @@ -8990,7 +8990,7 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s Branch count: 2 Document count: 2 -Index: geneve-ut-689 +Index: geneve-ut-694 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9004,7 +9004,7 @@ not user.Ext.real.id == "0" and not group.Ext.real.id == "0" Branch count: 94 Document count: 94 -Index: geneve-ut-690 +Index: geneve-ut-695 ```python file where event.action in ("creation", "file_create_event") and file.extension == "swp" and @@ -9034,7 +9034,7 @@ file.path : ( Branch count: 8 Document count: 8 -Index: geneve-ut-691 +Index: geneve-ut-696 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -9047,7 +9047,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-692 +Index: geneve-ut-697 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and ( @@ -9063,7 +9063,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 6 Document count: 6 -Index: geneve-ut-693 +Index: geneve-ut-698 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9080,7 +9080,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-694 +Index: geneve-ut-699 ```python sequence by host.id, process.entity_id with maxspan = 5s @@ -9096,7 +9096,7 @@ sequence by host.id, process.entity_id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-698 +Index: geneve-ut-703 ```python file where host.os.type == "windows" and @@ -9110,7 +9110,7 @@ file where host.os.type == "windows" and Branch count: 4 Document count: 16 -Index: geneve-ut-699 +Index: geneve-ut-704 ```python sequence by okta.actor.id with maxspan=10m @@ -9130,7 +9130,7 @@ sequence by okta.actor.id with maxspan=10m Branch count: 80 Document count: 80 -Index: geneve-ut-700 +Index: geneve-ut-705 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9146,7 +9146,7 @@ process.parent.name in ("screen", "tmux") and process.name : ( Branch count: 21 Document count: 21 -Index: geneve-ut-701 +Index: geneve-ut-706 ```python event.category:process and host.os.type:windows and @@ -9171,7 +9171,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 4 -Index: geneve-ut-703 +Index: geneve-ut-708 ```python event.category:process and host.os.type:windows and 
@@ -9190,7 +9190,7 @@ event.category:process and host.os.type:windows and Branch count: 5 Document count: 5 -Index: geneve-ut-705 +Index: geneve-ut-710 ```python event.category:process and host.os.type:windows and @@ -9213,7 +9213,7 @@ event.category:process and host.os.type:windows and Branch count: 3 Document count: 3 -Index: geneve-ut-706 +Index: geneve-ut-711 ```python event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" @@ -9225,7 +9225,7 @@ event.category:process and host.os.type:windows and powershell.file.script_block Branch count: 9 Document count: 9 -Index: geneve-ut-707 +Index: geneve-ut-712 ```python event.category:process and host.os.type:windows and @@ -9249,7 +9249,7 @@ event.category:process and host.os.type:windows and Branch count: 24 Document count: 24 -Index: geneve-ut-719 +Index: geneve-ut-724 ```python event.category:process and host.os.type:windows and @@ -9287,7 +9287,7 @@ event.category:process and host.os.type:windows and Branch count: 4 Document count: 8 -Index: geneve-ut-725 +Index: geneve-ut-730 ```python sequence by host.id, process.entity_id with maxspan=1s @@ -9305,7 +9305,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 2 Document count: 4 -Index: geneve-ut-726 +Index: geneve-ut-731 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=1m @@ -9322,7 +9322,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m Branch count: 4 Document count: 4 -Index: geneve-ut-727 +Index: geneve-ut-732 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9336,7 +9336,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-728 +Index: geneve-ut-733 ```python file where host.os.type == "windows" and event.action : "Pipe Created*" and 
@@ -9350,7 +9350,7 @@ file where host.os.type == "windows" and event.action : "Pipe Created*" and Branch count: 1 Document count: 1 -Index: geneve-ut-729 +Index: geneve-ut-734 ```python event.category:file and host.os.type:macos and not event.type:deletion and @@ -9363,7 +9363,7 @@ event.category:file and host.os.type:macos and not event.type:deletion and Branch count: 1 Document count: 5 -Index: geneve-ut-731 +Index: geneve-ut-736 ```python sequence by winlog.computer_name, source.ip with maxspan=10s @@ -9380,7 +9380,7 @@ sequence by winlog.computer_name, source.ip with maxspan=10s Branch count: 7 Document count: 7 -Index: geneve-ut-733 +Index: geneve-ut-738 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9394,7 +9394,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-734 +Index: geneve-ut-739 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -9408,7 +9408,7 @@ user.id != "0" Branch count: 96 Document count: 96 -Index: geneve-ut-736 +Index: geneve-ut-741 ```python /* This rule is only compatible with Elastic Endpoint 8.4+ */ @@ -9483,7 +9483,7 @@ not (process.parent.executable : "?\\Windows\\System32\\spoolsv.exe" and Branch count: 2 Document count: 4 -Index: geneve-ut-737 +Index: geneve-ut-742 ```python sequence by winlog.computer_name with maxspan=1m @@ -9504,7 +9504,7 @@ sequence by winlog.computer_name with maxspan=1m Branch count: 8 Document count: 8 -Index: geneve-ut-738 +Index: geneve-ut-743 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9523,7 +9523,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-739 +Index: geneve-ut-744 ```python process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in ( 
@@ -9538,7 +9538,7 @@ not process.parent.name in ("amazon-ssm-agent", "snap") Branch count: 66 Document count: 66 -Index: geneve-ut-740 +Index: geneve-ut-745 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9593,7 +9593,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-741 +Index: geneve-ut-746 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -9605,7 +9605,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-742 +Index: geneve-ut-747 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) @@ -9617,7 +9617,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 1 Document count: 1 -Index: geneve-ut-743 +Index: geneve-ut-748 ```python process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" @@ -9629,7 +9629,7 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote Branch count: 3 Document count: 6 -Index: geneve-ut-745 +Index: geneve-ut-750 ```python sequence by host.id with maxspan=5s @@ -9661,7 +9661,7 @@ sequence by host.id with maxspan=5s Branch count: 4 Document count: 4 -Index: geneve-ut-746 +Index: geneve-ut-751 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -9674,7 +9674,7 @@ process.name : "* " Branch count: 1 Document count: 1 -Index: geneve-ut-747 +Index: geneve-ut-752 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9696,7 +9696,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-749 +Index: geneve-ut-754 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -9709,7 +9709,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 2 -Index: geneve-ut-750 +Index: geneve-ut-755 ```python sequence by process.entity_id @@ -9733,7 +9733,7 @@ sequence by process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-756 +Index: geneve-ut-761 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -9745,7 +9745,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:detection an Branch count: 2 Document count: 2 -Index: geneve-ut-757 +Index: geneve-ut-762 ```python event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) @@ -9757,7 +9757,7 @@ event.kind:alert and event.module:endgame and endgame.metadata.type:prevention a Branch count: 2 Document count: 2 -Index: geneve-ut-761 +Index: geneve-ut-766 ```python registry where host.os.type == "windows" and @@ -9774,7 +9774,7 @@ registry where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-762 +Index: geneve-ut-767 ```python registry where host.os.type == "windows" and @@ -9802,7 +9802,7 @@ registry where host.os.type == "windows" and Branch count: 18 Document count: 18 -Index: geneve-ut-764 +Index: geneve-ut-769 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -9817,7 +9817,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 36 Document count: 72 -Index: geneve-ut-765 +Index: geneve-ut-770 ```python sequence with maxspan=1m @@ -9847,7 +9847,7 @@ sequence with maxspan=1m Branch count: 13 Document count: 13 -Index: geneve-ut-766 +Index: geneve-ut-771 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9864,7 +9864,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 22 Document count: 22 -Index: geneve-ut-767 +Index: geneve-ut-772 ```python file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and @@ -9885,7 +9885,7 @@ file where host.os.type == "windows" and event.type == "creation" and process.na Branch count: 2 Document count: 2 -Index: geneve-ut-768 +Index: geneve-ut-773 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9899,7 +9899,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-769 +Index: geneve-ut-774 ```python process where host.os.type == "windows" and event.type == "start" and @@ -9913,7 +9913,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 12 Document count: 24 -Index: geneve-ut-770 +Index: geneve-ut-775 ```python sequence by process.entity_id with maxspan=30s @@ -9937,7 +9937,7 @@ sequence by process.entity_id with maxspan=30s Branch count: 8 Document count: 16 -Index: geneve-ut-771 +Index: geneve-ut-776 ```python sequence by host.id, process.entity_id @@ -9953,7 +9953,7 @@ sequence by host.id, process.entity_id Branch count: 2 Document count: 2 -Index: geneve-ut-772 +Index: geneve-ut-777 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -9968,7 +9968,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 4 -Index: geneve-ut-773 +Index: geneve-ut-778 ```python /* Task Scheduler service incoming connection followed by TaskCache registry modification */ @@ -9987,7 +9987,7 @@ sequence by host.id, process.entity_id with maxspan = 1m Branch count: 1 Document count: 1 -Index: geneve-ut-774 +Index: geneve-ut-779 ```python iam where event.action == "scheduled-task-created" and @@ -10000,7 +10000,7 @@ iam where event.action == "scheduled-task-created" and Branch count: 1 Document count: 2 -Index: geneve-ut-776 +Index: geneve-ut-781 ```python sequence by winlog.logon.id, winlog.computer_name with maxspan=1m @@ -10042,7 +10042,7 @@ event.outcome=="success" and source.ip != null and source.ip != "127.0.0.1" and Branch count: 16 Document count: 32 -Index: geneve-ut-777 +Index: geneve-ut-782 ```python sequence with maxspan=1m @@ -10065,7 +10065,7 @@ sequence with maxspan=1m Branch count: 4 Document count: 8 -Index: geneve-ut-778 +Index: geneve-ut-783 ```python sequence with maxspan=1s @@ -10113,7 +10113,7 @@ sequence with maxspan=1s Branch count: 1 Document count: 1 -Index: geneve-ut-779 +Index: geneve-ut-784 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10126,7 +10126,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 4 -Index: geneve-ut-781 +Index: geneve-ut-786 ```python sequence by host.id, process.entry_leader.entity_id with maxspan=30s @@ -10143,7 +10143,7 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s Branch count: 4 Document count: 4 -Index: geneve-ut-785 +Index: geneve-ut-790 ```python (event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26 
@@ -10155,7 +10155,7 @@ Index: geneve-ut-785 Branch count: 6 Document count: 6 -Index: geneve-ut-787 +Index: geneve-ut-792 ```python file where container.id:"*" and @@ -10168,7 +10168,7 @@ file where container.id:"*" and Branch count: 2 Document count: 2 -Index: geneve-ut-788 +Index: geneve-ut-793 ```python process where container.id: "*" and event.type == "start" and @@ -10189,7 +10189,7 @@ process.interactive== true Branch count: 6 Document count: 6 -Index: geneve-ut-789 +Index: geneve-ut-794 ```python process where container.id: "*" and event.type== "start" and @@ -10203,7 +10203,7 @@ process.name: ("sshd", "ssh", "autossh") Branch count: 36 Document count: 36 -Index: geneve-ut-790 +Index: geneve-ut-795 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10221,7 +10221,7 @@ process.name == "find" and process.args : "-perm" and process.args : ( Branch count: 60 Document count: 120 -Index: geneve-ut-792 +Index: geneve-ut-797 ```python sequence by host.id with maxspan = 30s @@ -10240,7 +10240,7 @@ sequence by host.id with maxspan = 30s Branch count: 9 Document count: 9 -Index: geneve-ut-795 +Index: geneve-ut-800 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10255,7 +10255,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 27 Document count: 27 -Index: geneve-ut-796 +Index: geneve-ut-801 ```python file where host.os.type == "macos" and event.type != "deletion" and @@ -10296,7 +10296,7 @@ file where host.os.type == "macos" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-797 +Index: geneve-ut-802 ```python any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and 
@@ -10330,7 +10330,7 @@ any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Secur Branch count: 2 Document count: 2 -Index: geneve-ut-798 +Index: geneve-ut-803 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10344,7 +10344,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-799 +Index: geneve-ut-804 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10358,7 +10358,7 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" Branch count: 270 Document count: 270 -Index: geneve-ut-803 +Index: geneve-ut-808 ```python process where container.id: "*" and event.type== "start" and @@ -10401,7 +10401,7 @@ and process.args: ( Branch count: 60 Document count: 60 -Index: geneve-ut-804 +Index: geneve-ut-809 ```python process where container.id: "*" and event.type== "start" and @@ -10425,7 +10425,7 @@ or Branch count: 1 Document count: 1 -Index: geneve-ut-805 +Index: geneve-ut-810 ```python event.action:"Authorization Policy Change" and event.code:4704 and @@ -10438,7 +10438,7 @@ event.action:"Authorization Policy Change" and event.code:4704 and Branch count: 16 Document count: 32 -Index: geneve-ut-806 +Index: geneve-ut-811 ```python sequence by process.entity_id with maxspan = 1m @@ -10455,7 +10455,7 @@ sequence by process.entity_id with maxspan = 1m Branch count: 96 Document count: 96 -Index: geneve-ut-807 +Index: geneve-ut-812 ```python /* This rule is not compatible with Sysmon due to user.id issues */ @@ -10475,7 +10475,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-808 +Index: geneve-ut-813 ```python sequence by winlog.computer_name with maxspan=5m 
@@ -10499,7 +10499,7 @@ sequence by winlog.computer_name with maxspan=5m Branch count: 2 Document count: 2 -Index: geneve-ut-810 +Index: geneve-ut-815 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -10522,7 +10522,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 1 Document count: 1 -Index: geneve-ut-811 +Index: geneve-ut-816 ```python process where event.type == "start" and process.name : "sc.exe" and @@ -10535,7 +10535,7 @@ process where event.type == "start" and process.name : "sc.exe" and Branch count: 2 Document count: 2 -Index: geneve-ut-812 +Index: geneve-ut-817 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -10548,7 +10548,7 @@ process.name == "setcap" and process.args : "cap_set?id+ep" and not process.pare Branch count: 1 Document count: 1 -Index: geneve-ut-814 +Index: geneve-ut-819 ```python event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected @@ -10560,7 +10560,7 @@ event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePoint Branch count: 6 Document count: 12 -Index: geneve-ut-817 +Index: geneve-ut-822 ```python sequence by host.id with maxspan=5s @@ -10574,7 +10574,7 @@ sequence by host.id with maxspan=5s Branch count: 162 Document count: 162 -Index: geneve-ut-818 +Index: geneve-ut-823 ```python file where host.os.type == "windows" and event.type != "deletion" and file.extension == "lnk" and @@ -10596,7 +10596,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.exten Branch count: 1 Document count: 1 -Index: geneve-ut-819 +Index: geneve-ut-824 ```python process where host.os.type == "windows" and event.type == "start" 
@@ -10610,7 +10610,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 4 Document count: 4 -Index: geneve-ut-820 +Index: geneve-ut-825 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10624,7 +10624,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 12 Document count: 24 -Index: geneve-ut-835 +Index: geneve-ut-840 ```python sequence by host.id, process.entity_id with maxspan=5s @@ -10649,7 +10649,7 @@ sequence by host.id, process.entity_id with maxspan=5s Branch count: 36 Document count: 36 -Index: geneve-ut-836 +Index: geneve-ut-841 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -10682,7 +10682,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-839 +Index: geneve-ut-844 ```python beacon_stats.is_beaconing: true and @@ -10695,7 +10695,7 @@ not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or " Branch count: 1 Document count: 1 -Index: geneve-ut-840 +Index: geneve-ut-845 ```python beacon_stats.beaconing_score: 3 @@ -10707,7 +10707,7 @@ beacon_stats.beaconing_score: 3 Branch count: 2 Document count: 6 -Index: geneve-ut-841 +Index: geneve-ut-846 ```python sequence by user.name with maxspan=12h @@ -10722,7 +10722,7 @@ sequence by user.name with maxspan=12h Branch count: 4 Document count: 4 -Index: geneve-ut-842 +Index: geneve-ut-847 ```python file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and @@ -10747,7 +10747,7 @@ file where host.os.type == "macos" and event.type in ("change", "creation") and Branch count: 8 Document count: 8 -Index: geneve-ut-843 +Index: geneve-ut-848 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -10762,7 +10762,7 @@ not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args Branch count: 16 Document count: 16 -Index: geneve-ut-846 +Index: geneve-ut-851 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10776,7 +10776,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-847 +Index: geneve-ut-852 ```python event.category:process and host.os.type:windows and @@ -10801,7 +10801,7 @@ event.category:process and host.os.type:windows and Branch count: 16 Document count: 16 -Index: geneve-ut-848 +Index: geneve-ut-853 ```python process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -10816,7 +10816,7 @@ process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.en Branch count: 152 Document count: 304 -Index: geneve-ut-849 +Index: geneve-ut-854 ```python sequence by host.id with maxspan=5s @@ -10838,7 +10838,7 @@ sequence by host.id with maxspan=5s Branch count: 8 Document count: 16 -Index: geneve-ut-850 +Index: geneve-ut-855 ```python sequence by host.id with maxspan=5s @@ -10857,7 +10857,7 @@ sequence by host.id with maxspan=5s Branch count: 1 Document count: 1 -Index: geneve-ut-852 +Index: geneve-ut-857 ```python event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser @@ -10869,7 +10869,7 @@ event.dataset:okta.system and event.action:user.account.report_suspicious_activi Branch count: 2 Document count: 2 -Index: geneve-ut-853 +Index: geneve-ut-858 ```python file where host.os.type == "windows" and event.type != "deletion" and file.path != null and @@ -10882,7 +10882,7 @@ file where host.os.type == "windows" and event.type != "deletion" and file.path Branch count: 2 Document count: 4 -Index: geneve-ut-854 +Index: geneve-ut-859 ```python sequence by host.id with maxspan=30s 
@@ -10896,7 +10896,7 @@ sequence by host.id with maxspan=30s Branch count: 1 Document count: 1 -Index: geneve-ut-856 +Index: geneve-ut-861 ```python event.category:file and host.os.type:macos and event.action:modification and @@ -10920,7 +10920,7 @@ event.category:file and host.os.type:macos and event.action:modification and Branch count: 14 Document count: 14 -Index: geneve-ut-857 +Index: geneve-ut-862 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10934,7 +10934,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-858 +Index: geneve-ut-863 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -10957,7 +10957,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-859 +Index: geneve-ut-864 ```python process where host.os.type == "windows" and event.type == "start" and @@ -10971,7 +10971,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-862 +Index: geneve-ut-867 ```python file where host.os.type == "macos" and event.type != "deletion" and process.name != null and @@ -10984,7 +10984,7 @@ file where host.os.type == "macos" and event.type != "deletion" and process.name Branch count: 189 Document count: 189 -Index: geneve-ut-863 +Index: geneve-ut-868 ```python any where host.os.type == "windows" and @@ -11017,7 +11017,7 @@ any where host.os.type == "windows" and Branch count: 20 Document count: 20 -Index: geneve-ut-865 +Index: geneve-ut-870 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -11033,7 +11033,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 44 Document count: 44 -Index: geneve-ut-866 +Index: geneve-ut-871 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -11069,7 +11069,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 4 Document count: 4 -Index: geneve-ut-867 +Index: geneve-ut-872 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11105,7 +11105,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-868 +Index: geneve-ut-873 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11120,7 +11120,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-869 +Index: geneve-ut-874 ```python process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and @@ -11136,7 +11136,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex Branch count: 14 Document count: 14 -Index: geneve-ut-874 +Index: geneve-ut-879 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11160,7 +11160,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-877 +Index: geneve-ut-882 ```python file where event.action in ("creation", "file_create_event") and process.name : "kworker*" and not ( @@ -11175,7 +11175,7 @@ file where event.action in ("creation", "file_create_event") and process.name : Branch count: 2 Document count: 2 -Index: geneve-ut-880 +Index: geneve-ut-885 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and 
@@ -11188,7 +11188,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 30 Document count: 30 -Index: geneve-ut-881 +Index: geneve-ut-886 ```python any where host.os.type == "windows" and @@ -11203,7 +11203,7 @@ any where host.os.type == "windows" and Branch count: 6 Document count: 6 -Index: geneve-ut-884 +Index: geneve-ut-889 ```python process where container.id: "*" and @@ -11224,7 +11224,7 @@ process.args: "*/*sh" Branch count: 1 Document count: 1 -Index: geneve-ut-887 +Index: geneve-ut-892 ```python process where host.os.type == "linux" and event.action == "session_id_change" and process.name : "kworker*" and @@ -11237,7 +11237,7 @@ user.id == "0" Branch count: 1 Document count: 1 -Index: geneve-ut-888 +Index: geneve-ut-893 ```python process where host.os.type == "windows" and event.code == "10" and @@ -11256,7 +11256,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 1 Document count: 1 -Index: geneve-ut-889 +Index: geneve-ut-894 ```python process where host.os.type == "windows" and event.code == "10" and @@ -11291,7 +11291,7 @@ process where host.os.type == "windows" and event.code == "10" and Branch count: 52 Document count: 52 -Index: geneve-ut-891 +Index: geneve-ut-896 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11312,7 +11312,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-892 +Index: geneve-ut-897 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11332,7 +11332,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 24 Document count: 24 -Index: geneve-ut-893 +Index: geneve-ut-898 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
@@ -11345,7 +11345,7 @@ process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack Branch count: 14 Document count: 14 -Index: geneve-ut-896 +Index: geneve-ut-901 ```python file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and @@ -11358,7 +11358,7 @@ file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.servic Branch count: 2 Document count: 2 -Index: geneve-ut-898 +Index: geneve-ut-903 ```python library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and @@ -11437,7 +11437,7 @@ library where host.os.type == "windows" and process.executable : "?:\\Windows\\S Branch count: 2 Document count: 2 -Index: geneve-ut-900 +Index: geneve-ut-905 ```python network where host.os.type == "linux" and event.type == "start" and @@ -11450,7 +11450,7 @@ event.action in ("connection_attempted", "ipv4_connection_attempt_event") and pr Branch count: 28 Document count: 28 -Index: geneve-ut-902 +Index: geneve-ut-907 ```python process where container.id: "*" and event.type== "start" and @@ -11467,7 +11467,7 @@ process where container.id: "*" and event.type== "start" and Branch count: 212 Document count: 212 -Index: geneve-ut-903 +Index: geneve-ut-908 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11491,7 +11491,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 2 -Index: geneve-ut-904 +Index: geneve-ut-909 ```python sequence by host.id, process.parent.pid with maxspan=1m @@ -11507,7 +11507,7 @@ sequence by host.id, process.parent.pid with maxspan=1m Branch count: 1 Document count: 1 -Index: geneve-ut-905 +Index: geneve-ut-910 ```python event.category:process and host.os.type:windows and 
@@ -11522,7 +11522,7 @@ event.category:process and host.os.type:windows and Branch count: 1 Document count: 1 -Index: geneve-ut-908 +Index: geneve-ut-913 ```python file where host.os.type == "windows" and event.type : "deletion" and @@ -11536,7 +11536,7 @@ file where host.os.type == "windows" and event.type : "deletion" and Branch count: 1 Document count: 1 -Index: geneve-ut-910 +Index: geneve-ut-915 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -11571,7 +11571,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-911 +Index: geneve-ut-916 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -11595,7 +11595,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 1 Document count: 1 -Index: geneve-ut-915 +Index: geneve-ut-920 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11608,7 +11608,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 180 Document count: 180 -Index: geneve-ut-916 +Index: geneve-ut-921 ```python process where event.type == "start" and event.action : ("exec", "exec_event") and @@ -11646,7 +11646,7 @@ not ( Branch count: 48 Document count: 48 -Index: geneve-ut-917 +Index: geneve-ut-922 ```python any where host.os.type == "windows" and @@ -11679,7 +11679,7 @@ any where host.os.type == "windows" and Branch count: 1 Document count: 2 -Index: geneve-ut-918 +Index: geneve-ut-923 ```python sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m @@ -11697,7 +11697,7 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= Branch count: 9 Document count: 9 -Index: geneve-ut-919 +Index: geneve-ut-924 ```python file where host.os.type == "linux" and event.action == "rename" and 
@@ -11711,7 +11711,7 @@ and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", Branch count: 1 Document count: 1 -Index: geneve-ut-920 +Index: geneve-ut-925 ```python file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and @@ -11724,7 +11724,7 @@ file.Ext.original.path : "/usr/lib/vmware/*" Branch count: 152 Document count: 152 -Index: geneve-ut-921 +Index: geneve-ut-926 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11754,7 +11754,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 8 -Index: geneve-ut-922 +Index: geneve-ut-927 ```python any where host.os.type == "windows" and @@ -11788,7 +11788,7 @@ any where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-924 +Index: geneve-ut-929 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11819,7 +11819,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-929 +Index: geneve-ut-934 ```python process where host.os.type == "linux" and event.type == "end" and process.name in ("vmware-vmx", "vmx") @@ -11832,7 +11832,7 @@ and process.parent.name == "kill" Branch count: 160 Document count: 160 -Index: geneve-ut-930 +Index: geneve-ut-935 ```python process where host.os.type == "windows" and event.action == "start" and @@ -11856,7 +11856,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 136 Document count: 136 -Index: geneve-ut-931 +Index: geneve-ut-936 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") 
@@ -11873,7 +11873,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 2 Document count: 2 -Index: geneve-ut-932 +Index: geneve-ut-937 ```python any where event.dataset == "windows.sysmon_operational" and event.code == "21" and @@ -11886,7 +11886,7 @@ any where event.dataset == "windows.sysmon_operational" and event.code == "21" a Branch count: 30 Document count: 30 -Index: geneve-ut-933 +Index: geneve-ut-938 ```python any where host.os.type == "windows" and @@ -11901,7 +11901,7 @@ any where host.os.type == "windows" and Branch count: 1 Document count: 1 -Index: geneve-ut-935 +Index: geneve-ut-940 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11920,7 +11920,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-939 +Index: geneve-ut-944 ```python process where host.os.type == "windows" and event.type == "start" and @@ -11933,7 +11933,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 114 Document count: 114 -Index: geneve-ut-940 +Index: geneve-ut-945 ```python process where host.os.type == "macos" and event.type in ("start", "process_started") and @@ -11979,7 +11979,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start Branch count: 2 Document count: 2 -Index: geneve-ut-941 +Index: geneve-ut-946 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and @@ -11998,7 +11998,7 @@ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh" Branch count: 992 Document count: 1984 -Index: geneve-ut-944 +Index: geneve-ut-949 ```python sequence by host.id, process.entity_id with maxspan=1s 
@@ -12036,7 +12036,7 @@ sequence by host.id, process.entity_id with maxspan=1s Branch count: 20 Document count: 20 -Index: geneve-ut-945 +Index: geneve-ut-950 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -12049,7 +12049,7 @@ process.name in ("vi", "nano", "cat", "more", "less") and process.args == "/etc/ Branch count: 2 Document count: 2 -Index: geneve-ut-946 +Index: geneve-ut-951 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12063,7 +12063,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 11 Document count: 11 -Index: geneve-ut-947 +Index: geneve-ut-952 ```python file where host.os.type == "linux" and event.type == "deletion" and @@ -12090,7 +12090,7 @@ file where host.os.type == "linux" and event.type == "deletion" and Branch count: 16 Document count: 16 -Index: geneve-ut-948 +Index: geneve-ut-953 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -12103,7 +12103,7 @@ process.name in ("netstat", "lsof", "who", "w") Branch count: 20 Document count: 20 -Index: geneve-ut-949 +Index: geneve-ut-954 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -12116,7 +12116,7 @@ process.name : ("whoami", "w", "who", "users", "id") Branch count: 14 Document count: 14 -Index: geneve-ut-950 +Index: geneve-ut-955 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12135,7 +12135,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-951 +Index: geneve-ut-956 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12152,7 +12152,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-952 +Index: geneve-ut-957 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12172,7 +12172,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-953 +Index: geneve-ut-958 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and @@ -12185,7 +12185,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 2 Document count: 2 -Index: geneve-ut-954 +Index: geneve-ut-959 ```python event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and @@ -12198,7 +12198,7 @@ event.category:process and host.os.type:macos and event.type:(start or process_s Branch count: 180 Document count: 180 -Index: geneve-ut-957 +Index: geneve-ut-962 ```python process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and @@ -12221,7 +12221,7 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte Branch count: 1 Document count: 2 -Index: geneve-ut-958 +Index: geneve-ut-963 ```python sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m @@ -12235,7 +12235,7 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m Branch count: 30 Document count: 30 -Index: geneve-ut-959 +Index: geneve-ut-964 ```python file where host.os.type == "windows" and event.type == "deletion" and @@ -12274,7 +12274,7 @@ file where host.os.type == "windows" and event.type == "deletion" and Branch count: 4 Document count: 4 -Index: geneve-ut-964 +Index: geneve-ut-969 ```python process where event.type == "start" and 
@@ -12291,7 +12291,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-965 +Index: geneve-ut-970 ```python process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and @@ -12304,7 +12304,7 @@ process.name == "trap" and process.args : "SIG*" Branch count: 1 Document count: 1 -Index: geneve-ut-966 +Index: geneve-ut-971 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12321,7 +12321,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 6 Document count: 6 -Index: geneve-ut-967 +Index: geneve-ut-972 ```python file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and @@ -12337,7 +12337,7 @@ file where host.os.type == "windows" and event.type : "change" and process.name Branch count: 2 Document count: 2 -Index: geneve-ut-968 +Index: geneve-ut-973 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12350,7 +12350,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-969 +Index: geneve-ut-974 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and @@ -12365,7 +12365,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 1 Document count: 1 -Index: geneve-ut-970 +Index: geneve-ut-975 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12381,7 +12381,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-971 +Index: geneve-ut-976 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12396,7 +12396,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-972 +Index: geneve-ut-977 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12412,7 +12412,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-974 +Index: geneve-ut-979 ```python event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt @@ -12424,7 +12424,7 @@ event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt Branch count: 1 Document count: 1 -Index: geneve-ut-976 +Index: geneve-ut-981 ```python process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" @@ -12436,7 +12436,7 @@ process where host.os.type == "macos" and event.type == "start" and process.pare Branch count: 60 Document count: 60 -Index: geneve-ut-977 +Index: geneve-ut-982 ```python process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") @@ -12454,7 +12454,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action Branch count: 1 Document count: 1 -Index: geneve-ut-979 +Index: geneve-ut-984 ```python library where dll.name : "Bitsproxy.dll" and process.executable != null and @@ -12468,7 +12468,7 @@ not process.code_signature.status : ("errorExpired", "errorCode_endpoint*") Branch count: 1 Document count: 1 -Index: geneve-ut-983 +Index: geneve-ut-988 ```python driver where host.os.type == "windows" and process.pid == 4 and @@ -12482,7 +12482,7 @@ driver where host.os.type == "windows" and process.pid == 4 and Branch count: 1 Document count: 1 -Index: geneve-ut-985 +Index: geneve-ut-990 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -12496,7 +12496,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-986 +Index: geneve-ut-991 ```python process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and @@ -12509,7 +12509,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa Branch count: 2 Document count: 4 -Index: geneve-ut-987 +Index: geneve-ut-992 ```python sequence with maxspan=1h @@ -12527,7 +12527,7 @@ sequence with maxspan=1h Branch count: 18 Document count: 18 -Index: geneve-ut-994 +Index: geneve-ut-999 ```python file where host.os.type == "windows" and event.type != "deletion" and @@ -12549,7 +12549,7 @@ file where host.os.type == "windows" and event.type != "deletion" and Branch count: 29 Document count: 29 -Index: geneve-ut-995 +Index: geneve-ut-1000 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -12622,7 +12622,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 6 Document count: 6 -Index: geneve-ut-996 +Index: geneve-ut-1001 ```python file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and @@ -12636,7 +12636,7 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type Branch count: 400 Document count: 800 -Index: geneve-ut-1009 +Index: geneve-ut-1015 ```python sequence by process.entity_id with maxspan=5m @@ -12704,7 +12704,7 @@ sequence by process.entity_id with maxspan=5m Branch count: 1 Document count: 2 -Index: geneve-ut-1010 +Index: geneve-ut-1016 ```python sequence by host.id, process.entity_id with maxspan=1m @@ -12723,7 +12723,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 1 Document count: 2 -Index: geneve-ut-1011 +Index: geneve-ut-1017 ```python sequence by host.id, process.entity_id with maxspan=1m 
@@ -12742,7 +12742,7 @@ sequence by host.id, process.entity_id with maxspan=1m Branch count: 32 Document count: 32 -Index: geneve-ut-1014 +Index: geneve-ut-1020 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12783,7 +12783,7 @@ process.parent.name != null and Branch count: 1 Document count: 1 -Index: geneve-ut-1017 +Index: geneve-ut-1023 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12796,7 +12796,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-1018 +Index: geneve-ut-1024 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12820,7 +12820,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 256 Document count: 256 -Index: geneve-ut-1019 +Index: geneve-ut-1025 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12860,7 +12860,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 144 Document count: 288 -Index: geneve-ut-1023 +Index: geneve-ut-1029 ```python sequence by process.entity_id @@ -12897,7 +12897,7 @@ sequence by process.entity_id Branch count: 1 Document count: 20 -Index: geneve-ut-1035 +Index: geneve-ut-1041 ```python sequence by host.id, process.parent.entity_id with maxspan=1s @@ -12912,7 +12912,7 @@ sequence by host.id, process.parent.entity_id with maxspan=1s Branch count: 4 Document count: 4 -Index: geneve-ut-1046 +Index: geneve-ut-1052 ```python process where host.os.type == "windows" and event.type == "start" and @@ -12927,7 +12927,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-1047 +Index: geneve-ut-1053 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to application" and event.outcome:(Success or success) 
@@ -12939,7 +12939,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to a Branch count: 2 Document count: 2 -Index: geneve-ut-1048 +Index: geneve-ut-1054 ```python event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to service principal" and event.outcome:(Success or success) @@ -12951,7 +12951,7 @@ event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add owner to s Branch count: 8 Document count: 8 -Index: geneve-ut-1049 +Index: geneve-ut-1055 ```python iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and @@ -12971,7 +12971,7 @@ iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" a Branch count: 1 Document count: 1 -Index: geneve-ut-1050 +Index: geneve-ut-1056 ```python event.action:"Directory Service Changes" and event.code:5136 and @@ -12986,7 +12986,7 @@ event.action:"Directory Service Changes" and event.code:5136 and Branch count: 9 Document count: 9 -Index: geneve-ut-1051 +Index: geneve-ut-1057 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and @@ -13032,7 +13032,7 @@ Index: geneve-ut-1051 Branch count: 9 Document count: 9 -Index: geneve-ut-1052 +Index: geneve-ut-1058 ```python (event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and @@ -13078,7 +13078,7 @@ Index: geneve-ut-1052 Branch count: 10 Document count: 10 -Index: geneve-ut-1053 +Index: geneve-ut-1059 ```python library where host.os.type == "windows" and event.action == "load" and @@ -13096,7 +13096,7 @@ library where host.os.type == "windows" and event.action == "load" and Branch count: 10 Document count: 10 -Index: geneve-ut-1054 +Index: geneve-ut-1060 ```python event.category:process and host.os.type:linux and event.type:(start or process_started) and 
@@ -13114,7 +13114,7 @@ event.category:process and host.os.type:linux and event.type:(start or process_s Branch count: 6 Document count: 6 -Index: geneve-ut-1055 +Index: geneve-ut-1061 ```python process where event.type == "start" and @@ -13129,7 +13129,7 @@ process where event.type == "start" and Branch count: 4 Document count: 4 -Index: geneve-ut-1057 +Index: geneve-ut-1063 ```python process where host.os.type == "windows" and event.type == "start" @@ -13143,7 +13143,7 @@ process where host.os.type == "windows" and event.type == "start" Branch count: 60 Document count: 60 -Index: geneve-ut-1058 +Index: geneve-ut-1064 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13159,7 +13159,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-1059 +Index: geneve-ut-1065 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13173,7 +13173,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 8 Document count: 16 -Index: geneve-ut-1060 +Index: geneve-ut-1066 ```python sequence by host.id with maxspan = 2s @@ -13206,7 +13206,7 @@ sequence by host.id with maxspan = 2s Branch count: 1 Document count: 1 -Index: geneve-ut-1061 +Index: geneve-ut-1067 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "wbemtest.exe" @@ -13218,7 +13218,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 3 Document count: 3 -Index: geneve-ut-1062 +Index: geneve-ut-1068 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13234,7 +13234,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-1063 +Index: geneve-ut-1069 ```python host.os.type: "windows" and event.action : ("Directory Service Access" or "object-operation-performed") and 
@@ -13247,7 +13247,7 @@ host.os.type: "windows" and event.action : ("Directory Service Access" or "objec Branch count: 1 Document count: 1 -Index: geneve-ut-1064 +Index: geneve-ut-1070 ```python http.response.status_code:403 and http.request.method:post @@ -13259,7 +13259,7 @@ http.response.status_code:403 and http.request.method:post Branch count: 1 Document count: 1 -Index: geneve-ut-1065 +Index: geneve-ut-1071 ```python http.response.status_code:405 @@ -13271,7 +13271,7 @@ http.response.status_code:405 Branch count: 1 Document count: 1 -Index: geneve-ut-1066 +Index: geneve-ut-1072 ```python user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" @@ -13283,7 +13283,7 @@ user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)" Branch count: 3 Document count: 3 -Index: geneve-ut-1068 +Index: geneve-ut-1074 ```python event.category:process and host.os.type:macos and event.type:start and @@ -13299,7 +13299,7 @@ event.category:process and host.os.type:macos and event.type:start and Branch count: 5 Document count: 5 -Index: geneve-ut-1069 +Index: geneve-ut-1075 ```python file where event.type == "deletion" and @@ -13316,7 +13316,7 @@ file where event.type == "deletion" and Branch count: 2 Document count: 2 -Index: geneve-ut-1070 +Index: geneve-ut-1076 ```python registry where host.os.type == "windows" and event.type == "change" and @@ -13332,7 +13332,7 @@ registry where host.os.type == "windows" and event.type == "change" and Branch count: 53 Document count: 53 -Index: geneve-ut-1071 +Index: geneve-ut-1077 ```python process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and @@ -13369,7 +13369,7 @@ process where host.os.type == "windows" and event.type == "start" and process.na Branch count: 36 Document count: 36 -Index: geneve-ut-1072 +Index: geneve-ut-1078 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13407,7 +13407,7 @@ and not process.parent.name : "LTSVC.exe" and not user.id : "S-1-5-18" Branch count: 12 Document count: 12 -Index: geneve-ut-1075 +Index: geneve-ut-1081 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13422,7 +13422,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-1076 +Index: geneve-ut-1082 ```python event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" and @@ -13435,7 +13435,7 @@ event.action:("audit-log-cleared" or "Log clear") and winlog.api:"wineventlog" a Branch count: 16 Document count: 16 -Index: geneve-ut-1077 +Index: geneve-ut-1083 ```python process where host.os.type == "windows" and event.action == "start" and @@ -13451,7 +13451,7 @@ process where host.os.type == "windows" and event.action == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-1080 +Index: geneve-ut-1086 ```python file where host.os.type == "windows" and event.type == "creation" and @@ -13472,7 +13472,7 @@ file where host.os.type == "windows" and event.type == "creation" and Branch count: 216 Document count: 432 -Index: geneve-ut-1082 +Index: geneve-ut-1088 ```python sequence by host.id with maxspan = 5s @@ -13512,7 +13512,7 @@ sequence by host.id with maxspan = 5s Branch count: 2 Document count: 2 -Index: geneve-ut-1083 +Index: geneve-ut-1089 ```python event.action:"service-installed" and @@ -13529,7 +13529,7 @@ event.action:"service-installed" and Branch count: 2 Document count: 2 -Index: geneve-ut-1084 +Index: geneve-ut-1090 ```python registry where host.os.type == "windows" and @@ -13544,7 +13544,7 @@ registry where host.os.type == "windows" and Branch count: 4 Document count: 4 -Index: geneve-ut-1086 +Index: geneve-ut-1092 ```python process where host.os.type == "windows" and event.type == "start" and 
@@ -13572,7 +13572,7 @@ process.parent.executable : ( Branch count: 18 Document count: 18 -Index: geneve-ut-1087 +Index: geneve-ut-1093 ```python process where event.type == "start" and @@ -13597,7 +13597,7 @@ process where event.type == "start" and Branch count: 2 Document count: 2 -Index: geneve-ut-1088 +Index: geneve-ut-1094 ```python process where host.os.type == "windows" and event.type == "start" and @@ -13611,7 +13611,7 @@ process where host.os.type == "windows" and event.type == "start" and Branch count: 1 Document count: 1 -Index: geneve-ut-1089 +Index: geneve-ut-1095 ```python event.type:creation and event.module:zoom and event.dataset:zoom.webhook and diff --git a/tests/reports/documents_from_rules-8.10.md b/tests/reports/documents_from_rules-8.10.md index 30562558..d06af486 100644 --- a/tests/reports/documents_from_rules-8.10.md +++ b/tests/reports/documents_from_rules-8.10.md @@ -5,7 +5,7 @@ can learn what rules are still problematic and for which no documents can be gen Curious about the inner workings? Read [here](signals_generation.md). -Rules version: 8.10.17 +Rules version: 8.10.18 ## Table of contents 1. [Skipped rules](#skipped-rules) diff --git a/tests/reports/documents_from_rules-8.11.md b/tests/reports/documents_from_rules-8.11.md index ca4f751f..cf9c5bd0 100644 --- a/tests/reports/documents_from_rules-8.11.md +++ b/tests/reports/documents_from_rules-8.11.md @@ -5,7 +5,7 @@ can learn what rules are still problematic and for which no documents can be gen Curious about the inner workings? Read [here](signals_generation.md). -Rules version: 8.11.14 +Rules version: 8.11.15 ## Table of contents 1. [Skipped rules](#skipped-rules) diff --git a/tests/reports/documents_from_rules-8.12.md b/tests/reports/documents_from_rules-8.12.md index a3a17ed0..0b0d931b 100644 --- a/tests/reports/documents_from_rules-8.12.md +++ b/tests/reports/documents_from_rules-8.12.md 
@@ -5,7 +5,7 @@ can learn what rules are still problematic and for which no documents can be gen Curious about the inner workings? Read [here](signals_generation.md). -Rules version: 8.12.10 +Rules version: 8.12.11 ## Table of contents 1. [Skipped rules](#skipped-rules) diff --git a/tests/reports/documents_from_rules-8.13.md b/tests/reports/documents_from_rules-8.13.md index e7a4f136..2053f6d2 100644 --- a/tests/reports/documents_from_rules-8.13.md +++ b/tests/reports/documents_from_rules-8.13.md @@ -5,13 +5,14 @@ can learn what rules are still problematic and for which no documents can be gen Curious about the inner workings? Read [here](signals_generation.md). -Rules version: 8.13.5 +Rules version: 8.13.6 ## Table of contents 1. [Skipped rules](#skipped-rules) 1. [Unsupported rule type: machine_learning (72)](#unsupported-rule-type-machine_learning-72) 1. [Unsupported rule type: new_terms (63)](#unsupported-rule-type-new_terms-63) 1. [Unsupported rule type: threshold (29)](#unsupported-rule-type-threshold-29) + 1. [Unsupported rule type: esql (6)](#unsupported-rule-type-esql-6) 1. [Unsupported query language: lucene (5)](#unsupported-query-language-lucene-5) 1. [Unsupported rule type: threat_match (4)](#unsupported-rule-type-threat_match-4) 1. [Generation errors](#generation-errors) @@ -261,6 +262,17 @@ Rules version: 8.13.5 * Sudo Heap-Based Buffer Overflow Attempt * Suspicious Proc Pseudo File System Enumeration +### Unsupported rule type: esql (6) + +6 rules: + +* AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User +* AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request +* AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session +* AWS S3 Bucket Enumeration or Brute Force +* Potential Abuse of Resources by High Token Count and Large Response Sizes +* Unusual High Confidence Misconduct Blocks Detected + ### Unsupported query language: lucene (5) 5 rules: