diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 8fb71559133..e165008a240 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.11,8.12,8.13,8.14,8.15,8.16' + default: '8.12,8.13,8.14,8.15,8.16,8.17' jobs: pr: diff --git a/detection_rules/etc/api_schemas/8.17/8.17.base.json b/detection_rules/etc/api_schemas/8.17/8.17.base.json new file mode 100644 index 00000000000..23138b13640 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.base.json 
@@ -0,0 +1,412 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + 
"description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, 
+ "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + 
"required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.eql.json b/detection_rules/etc/api_schemas/8.17/8.17.eql.json new file mode 100644 index 00000000000..30f489eed55 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.eql.json 
@@ -0,0 +1,490 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + 
"interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + 
"minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { 
+ "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.esql.json b/detection_rules/etc/api_schemas/8.17/8.17.esql.json new file mode 100644 index 00000000000..b3e42f35b45 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.esql.json 
@@ -0,0 +1,478 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + 
"additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + 
"type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.machine_learning.json b/detection_rules/etc/api_schemas/8.17/8.17.machine_learning.json new file mode 100644 index 00000000000..7b1b42c2223 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.machine_learning.json 
@@ -0,0 +1,476 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": 
false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + 
"properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.new_terms.json b/detection_rules/etc/api_schemas/8.17/8.17.new_terms.json new file mode 100644 index 00000000000..c0d7d437f87 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.new_terms.json 
@@ -0,0 +1,533 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" 
+ }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + 
"additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ 
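Review bot: `risk_score` is declared with `"description": "MaxSignals"` while its constraints (`minimum` 1, `maximum` 100) describe the risk score, so the description names a different field; the same line recurs in the 8.17.query.json, 8.17.threat_match.json and 8.17.threshold.json hunks of this commit. These files look machine-generated (the empty `"enumNames": []` entries and descriptions that are type names such as `NonEmptyStr` suggest a schema export from the Python type definitions), so the correction presumably belongs in the definition the generator reads rather than in the emitted JSON. If the files are hand-maintained instead, `"description": "RiskScore"` is the one-line change in each.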
No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.query.json b/detection_rules/etc/api_schemas/8.17/8.17.query.json new file mode 100644 index 00000000000..408c8bbb9dd --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.query.json 
@@ -0,0 +1,482 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + 
}, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + 
"additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.threat_match.json b/detection_rules/etc/api_schemas/8.17/8.17.threat_match.json new file mode 100644 index 00000000000..f10aa0d859e --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.threat_match.json 
@@ -0,0 +1,573 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "items_per_search": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + 
"min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + 
"description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.17/8.17.threshold.json b/detection_rules/etc/api_schemas/8.17/8.17.threshold.json new file mode 100644 index 00000000000..58469621412 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.17/8.17.threshold.json 
@@ -0,0 +1,508 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + } + }, + "required": [ + "duration" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + 
}, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", 
+ "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "field": { + "description": "CardinalityFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json index 7319f76f84f..0b5991536e8 100644 --- a/detection_rules/etc/attack-technique-redirects.json +++ b/detection_rules/etc/attack-technique-redirects.json @@ -132,5 +132,5 @@ "T1536": "T1578.004", "T1547.011": "T1647" }, - "saved_date": "Thu Nov 7 12:14:04 2024" + "saved_date": "Mon Dec 9 14:04:15 2024" } \ No newline at end of file 
diff --git a/detection_rules/etc/attack-v16.0.0.json.gz b/detection_rules/etc/attack-v16.0.0.json.gz
deleted file mode 100644
index 5f1975e50c4..00000000000
Binary files a/detection_rules/etc/attack-v16.0.0.json.gz and /dev/null differ
diff --git a/detection_rules/etc/attack-v16.1.0.json.gz b/detection_rules/etc/attack-v16.1.0.json.gz
new file mode 100644
index 00000000000..e54564e9cc5
Binary files /dev/null and b/detection_rules/etc/attack-v16.1.0.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz
index ce63796e567..9af8cc2f84d 100644
Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v8.16.1.json.gz b/detection_rules/etc/beats_schemas/v8.16.1.json.gz
new file mode 100644
index 00000000000..6a4eb8ccfe7
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v8.16.1.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz
index 905ff8cf971..2caceddfdc1 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz
index bcf5bf604d0..a12f1699bc2 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz
index cfa290a41d3..e55b43a6f05 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz
index 43c5e3bf75c..0ff8ab3f150 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz
index 0c0b37e4f42..be4d764da19 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
index 8e1acf49537..c82393ecea6 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
index 04070f9b941..13c43208077 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
index d0a18e4eec8..636d7e05c50 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index 046214be755..89a2995c50a 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index 8df9c52f0ad..a8ab3b1d957 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz
index 6fd71b5d619..eb5f0d3299c 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz
index bcfbaee40e3..6accc696764 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz
index ab12a418933..0ee8d7c7dda 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz
index 5eb6d4c2fbf..b0a7260d2b0 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index 0b9ca1bee9a..89fc4e8d780 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index 912bf6664bf..ae93e149b05 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index beca84ebdf8..668028e4707 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index d15510f8b8e..128bb4364a5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index 7fcc254d4b3..a6cb6faac39 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index a9785d3dc0c..eea2a180a7a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index c07dbbdf574..f9ee6296f56 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
index a0016d1dc4d..4bbd44f8f8c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
index 0ac20a7187c..74a914ebafc 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
index 08b8a7666f3..4c5bd969367 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
similarity index 99%
rename from detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz
rename to detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
index 477b3b2df78..5e2b335b792 100644
Binary files a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
new file mode 100644
index 00000000000..66873892357
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index 9e44e737182..2f470ec3048 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index 67e6d128f7e..a6fe8b2c9bf 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index 556c77d9c10..eb57e0496f3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index a85f08eb1da..162f15df116 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index aae0c046adc..a83426a711e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index 0a1dddcce31..1f1431f8397 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index 823292663e3..b71c3e3fc02 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index b53add1cec0..71da355a153 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index 67d79071621..dea732c4154 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index d19f713a226..be2e79f0020 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index 4e3f3e3fb25..1429268aef7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index 4eba2b019e0..3e79b4500d5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index afdf1bff9c6..b4721f3c061 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 37ff4d2c644..57f70a7b256 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index bf86b83bce0..64d8ac05cdb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index ce6a189ed87..f893a8f8f01 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index 09853480ddf..ff4e6ec0e5f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index 247dc05f2ca..1414b55a70e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index ddec8fa9d13..d78cbd8975d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index ee38260986c..8aae66e3896 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index 8fd6b016231..b6c87f8eec1 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index a8fd7e59c91..13681619cd9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index e2930c1287e..7c5a511a298 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index 4d39c36d8d0..12a7eee8c03 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index 72b3c8f78e0..42931dac2c4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index bfdb9783a72..8e71ea9eded 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index d44a31cf8c6..e1b1b5a27c9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index 35861963316..ce17fcaef19 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index 3a05cf4c4a4..2de2e9ba2a4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index 62ebcec021b..c1e3c63f2a3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index a19554c37ec..d263134c85d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index 60f6599f4d0..d92899978e9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index 7514023643a..47155a41f66 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
index 4abf68038ce..03093f6b411 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_9.0.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_9.0.0-dev/ecs_flat.json.gz
new file mode 100644
index 00000000000..43fa1b0eb21
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/master_9.0.0-dev/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 7f8628d00f9..3b8487dab15 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 26dccdd7a17..f0aea01d839 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index 98032662917..a46104d8679 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -82,12 +82,12 @@ # ecs: "8.10.0" # endgame: "8.4.0" -## Supported +# "8.11.0": +# beats: "8.11.2" +# ecs: "8.11.0" +# endgame: "8.4.0" -"8.11.0": - beats: "8.11.2" - ecs: "8.11.0" - endgame: "8.4.0" +## Supported "8.12.0": beats: "8.12.2" @@ -110,11 +110,16 @@ endgame: "8.4.0" "8.16.0": - beats: "8.15.3" - ecs: "8.11.0" + beats: "8.16.1" + ecs: "8.16.0" endgame: "8.4.0" "8.17.0": - beats: "8.15.3" - ecs: "8.11.0" + beats: "8.16.1" + ecs: "8.16.0" + endgame: "8.4.0" + +"8.18.0": + beats: "8.16.1" + ecs: "8.16.0" endgame: "8.4.0" \ No newline at end of file diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 6731bd55b43..017769ac4ea 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -2,10 +2,10 @@ "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 309, "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", + "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", "type": "query", "version": 210 } @@ -18,7 +18,7 @@ "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587", 
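Review bot: In the second stack-schema-map.yaml hunk, `8.17.0` and the new `8.18.0` entry are given the same `beats: "8.16.1"` / `ecs: "8.16.0"` pair as `8.16.0`, which reads as a stand-in until those stacks have their own schema archives, but nothing in the file says so; a comment above `"8.17.0":` such as `# 8.17/8.18 reuse the 8.16 schemas until their own releases are vendored` would stop a later reader from treating the mapping as final. The `ecs: "8.16.0"` value is backed by `8.16.0/ecs_flat.json.gz`, which git records as a 99%-similarity rename of `master_8.12.0-dev/ecs_flat.json.gz`, so it is worth confirming that the archive is the released ECS 8.16.0 schema rather than the older dev snapshot under a new name, since rule validation for 8.16 through 8.18 now keys off it. Every historic `ecs_schemas/<version>` archive from 1.8.0 to 8.11.0 also has a new blob hash in this commit; if that is only gzip re-compression, the decompressed content should be byte-identical and the PR description should say so, because these vendored schemas are what the validator trusts. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the block is being touched.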
@@ -41,7 +41,7 @@ "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "System Shells via Services", "sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783", @@ -86,16 +86,6 @@ "version": 7 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { - "min_stack_version": "8.12", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", - "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", - "type": "new_terms", - "version": 3 - } - }, "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28", "type": "new_terms", @@ -104,7 +94,7 @@ "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", @@ -118,16 +108,6 @@ "version": 207 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { - "min_stack_version": "8.12", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", - "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", - "type": "new_terms", - "version": 3 - } - }, "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e", "type": "new_terms", @@ -142,7 +122,7 @@ "02a4576a-7480-4284-9327-548a806b5e48": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", 
@@ -176,7 +156,7 @@ "035889c4-2686-4583-a7df-67f89c292f2c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "High Number of Process and/or Service Terminations", "sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1", @@ -234,7 +214,7 @@ "043d80a3-c49e-43ef-9c72-1088f0c7b278": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Potential Escalation via Vulnerable MSI Repair", "sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174", @@ -261,7 +241,6 @@ "version": 102 }, "04e65517-16e9-4fc4-b7f1-94dc21ecea0d": { - "min_stack_version": "8.12", "rule_name": "User Added to the Admin Group", "sha256": "018ed4ea49d89558cfa618d30dec9b266a2926894b75e434ede0254443d6bab9", "type": "eql", @@ -270,7 +249,7 @@ "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "e4bf9920903785a4d419c63645c7e09513aac5d799ecd7dbebd52664884af5e0", @@ -292,7 +271,7 @@ "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e", @@ -308,7 +287,7 @@ "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", 
@@ -343,7 +322,7 @@ "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Remote System Discovery Commands", "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", @@ -359,7 +338,7 @@ "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 109, "rule_name": "System Time Discovery", "sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261", @@ -381,7 +360,7 @@ "06a7a03c-c735-47a6-a313-51c354aef6c3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "826697069ae29aadaacdd84897a741e47446903296eba95adab0ba771cfdbe5a", @@ -404,7 +383,7 @@ "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Potential Evasion via Filter Manager", "sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1", @@ -420,7 +399,7 @@ "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "a22920bafaad8e23ba5d6eebfc838d200a2d39ff0987bc849ff03110e9fe7ba3", @@ -441,16 +420,6 @@ "version": 312 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { - "min_stack_version": "8.12", - "previous": { - "8.11": { - "max_allowable_version": 104, - "rule_name": "GitHub Protected Branch Settings Changed", - "sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333", - "type": "eql", - "version": 5 - } - }, "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91", "type": "eql", 
@@ -465,7 +434,7 @@ "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d", @@ -512,7 +481,7 @@ "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "First Time Seen Removable Device", "sha256": "aec36fbd3822bf9e12b866c619574507647dfdec52725d3f77d00b7be3d4aaef", @@ -557,16 +526,6 @@ "version": 110 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { - "min_stack_version": "8.12", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "Member Removed From GitHub Organization", - "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", - "type": "eql", - "version": 3 - } - }, "rule_name": "Member Removed From GitHub Organization", "sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7", "type": "eql", @@ -605,19 +564,12 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", "type": "query", "version": 6 - }, - "8.12": { - "max_allowable_version": 207, - "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", - "sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e", - "type": "query", - "version": 108 } }, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", 
@@ -634,7 +586,7 @@ "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Anomalous Windows Process Creation", "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c", @@ -650,7 +602,7 @@ "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "User account exposed to Kerberoasting", "sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0", @@ -712,7 +664,7 @@ "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Peripheral Device Discovery", "sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b", @@ -770,16 +722,6 @@ "version": 111 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { - "min_stack_version": "8.12", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", - "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", - "type": "new_terms", - "version": 3 - } - }, "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce", "type": "new_terms", @@ -800,7 +742,7 @@ "0e79980b-4250-4a50-a509-69294c14e84b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "MsBuild Making Network Connections", "sha256": "dde434b8d763db265a284e83d3a6b88cf8b88da05acec8a4ef9f325b9c2ec960", 
@@ -834,7 +776,7 @@ "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 309, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", @@ -880,7 +822,7 @@ "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "d2e9275f49d79f985078f90b204c71c5cc8da39f4545ee151878e99517456602", @@ -896,7 +838,7 @@ "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd", @@ -931,7 +873,7 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 113, "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2", @@ -947,7 +889,7 @@ "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.13", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967", @@ -975,7 +917,7 @@ "1224da6c-0326-4b4f-8454-68cdc5ae542b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a User", "sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b", 
@@ -1003,7 +945,7 @@
 "128468bf-cab1-4637-99ea-fdf3780a4609": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Suspicious Lsass Process Access",
 "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554",
@@ -1031,7 +973,7 @@
 "12de29d4-bbb0-4eef-b687-857e8a163870": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
 "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a",
@@ -1054,7 +996,7 @@
 "12f07955-1674-44f7-86b5-c35da0a6f41a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Suspicious Cmd Execution via WMI",
 "sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177",
@@ -1077,7 +1019,7 @@
 "1327384f-00f3-44d5-9a8c-2373ba071e92": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Persistence via Scheduled Job Creation",
 "sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29",
@@ -1106,7 +1048,7 @@
 "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
 "sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7",
@@ -1153,7 +1095,7 @@
 "14dab405-5dd9-450c-8106-72951af2391f": {
 "min_stack_version": "8.13",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Office Test Registry Persistence",
 "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2",
@@ -1175,7 +1117,7 @@
 "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Potential Persistence via Time Provider Modification",
 "sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937",
@@ -1198,7 +1140,7 @@
 "1502a836-84b2-11ef-b026-f661ea17fbcc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Successful Application SSO from Rare Unknown Client Device",
 "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e",
@@ -1226,7 +1168,7 @@
 "15a8ba77-1c13-4274-88fe-6bd14133861e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Scheduled Task Execution at Scale via GPO",
 "sha256": "5a835be130b2d7d504bdf643f6c5b59025ee40eea781463a3ad0526d0dcdea26",
@@ -1242,7 +1184,7 @@
 "15c0b7a7-9c34-4869-b25b-fa6518414899": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Remote File Download via Desktopimgdownldr Utility",
 "sha256": "82b0a8a50a3ffeea555a5a4f4e12a8c825c7289a6d7e27a59e68bffc4c6d1863",
@@ -1283,7 +1225,7 @@
 "166727ab-6768-4e26-b80c-948b228ffc06": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "File Creation Time Changed",
 "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c",
@@ -1317,7 +1259,7 @@
 "16fac1a1-21ee-4ca6-b720-458e3855d046": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Startup/Logon Script added to Group Policy Object",
 "sha256": "30c1e02f8b5df888465f9f773cce6911948dbf981fe5e6478cf53dad158c8671",
@@ -1346,7 +1288,7 @@
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Unusual Windows Username",
 "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600",
@@ -1362,7 +1304,7 @@
 "1781d055-5c66-4adf-9c71-fc0fa58338c7": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows Service",
 "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55",
@@ -1378,7 +1320,7 @@
 "1781d055-5c66-4adf-9d60-fc0fa58337b6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Suspicious Powershell Script",
 "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192",
@@ -1394,7 +1336,7 @@
 "1781d055-5c66-4adf-9d82-fc0fa58449c8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows User Privilege Elevation Activity",
 "sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251",
@@ -1410,7 +1352,7 @@
 "1781d055-5c66-4adf-9e93-fc0fa69550c9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows Remote User",
 "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad",
@@ -1432,7 +1374,7 @@
 "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Renamed Utility Executed with Short Program Name",
 "sha256": "a898efb0f299871b59ba7adba9ad0da35c45be4f24097e4675a62d23663a67e7",
@@ -1454,7 +1396,7 @@
 "181f6b23-3799-445e-9589-0018328a9e46": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Script Execution via Microsoft HTML Application",
 "sha256": "8dcccb5d5071b3afa1eb7c8745394d66ab6fb8c1e33298891aea992e882930a5",
@@ -1543,7 +1485,7 @@
 "1a6075b0-7479-450e-8fe7-b8b8438ac570": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Execution of COM object via Xwizard",
 "sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be",
@@ -1572,7 +1514,7 @@
 "1aa9181a-492b-4c01-8b16-fa0735786b2b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "User Account Creation",
 "sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7",
@@ -1641,16 +1583,6 @@
 "version": 102
 },
 "1ca62f14-4787-4913-b7af-df11745a49da": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "New GitHub App Installed",
- "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe",
- "type": "eql",
- "version": 3
- }
- },
 "rule_name": "New GitHub App Installed",
 "sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec",
 "type": "eql",
@@ -1659,7 +1591,7 @@
 "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Incoming Execution via WinRM Remote Shell",
 "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a",
@@ -1675,7 +1607,7 @@
 "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Okta Sign-In Events via Third-Party IdP",
 "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e",
@@ -1691,7 +1623,7 @@
 "1d276579-3380-4095-ad38-e596a01bc64f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Remote File Download via Script Interpreter",
 "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed",
@@ -1719,7 +1651,7 @@
 "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
 "sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344",
@@ -1735,7 +1667,7 @@
 "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
 "sha256": "7dd8220ed8a7e8190861088dcf735ec663fdc118c9226fe5a0cbd711ba56e81f",
@@ -1764,7 +1696,7 @@
 "1defdd62-cd8d-426e-a246-81a37751bb2b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Execution of File Written or Modified by PDF Reader",
 "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d",
@@ -1786,19 +1718,12 @@
 "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 105,
 "rule_name": "PowerShell Script with Discovery Capabilities",
 "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
 "type": "query",
 "version": 6
- },
- "8.12": {
- "max_allowable_version": 208,
- "rule_name": "PowerShell Script with Discovery Capabilities",
- "sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1",
- "type": "query",
- "version": 109
 }
 },
 "rule_name": "PowerShell Script with Discovery Capabilities",
@@ -1815,7 +1740,7 @@
 "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Creation of a DNS-Named Record",
 "sha256": "1b392cf50fd5083faedc5e84700d71550e9da1adcd4b2de26a285e88c8bf84e3",
@@ -1831,7 +1756,7 @@
 "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Creation of SettingContent-ms Files",
 "sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39",
@@ -1845,16 +1770,6 @@
 "version": 106
 },
 "1e9b271c-8caa-4e20-aed8-e91e34de9283": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
- "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0",
- "type": "new_terms",
- "version": 3
- }
- },
 "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
 "sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b",
 "type": "new_terms",
@@ -1869,7 +1784,7 @@
 "1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 109,
 "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
 "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762",
@@ -1892,7 +1807,7 @@
 "1f460f12-a3cf-4105-9ebb-f788cc63f365": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 103,
 "rule_name": "Unusual Process Execution on WBEM Path",
 "sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8",
@@ -1914,7 +1829,7 @@
 "1fe3b299-fbb5-4657-a937-1d746f2c711a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Unusual Network Activity from a Windows System Binary",
 "sha256": "065d31dda5018a121026016d00d6c7245d1656c3ef25f36665984764f64a2e74",
@@ -1936,7 +1851,7 @@
 "201200f1-a99b-43fb-88ed-f65a45c4972c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Suspicious .NET Code Compilation",
 "sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0",
@@ -1965,7 +1880,7 @@
 "203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Creation or Modification of Root Certificate",
 "sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332",
@@ -2000,7 +1915,7 @@
 "205b52c4-9c28-4af4-8979-935f3278d61a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Werfault ReflectDebugger Persistence",
 "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982",
@@ -2023,7 +1938,7 @@
 "208dbe77-01ed-4954-8d44-1e5751cb20de": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "LSASS Memory Dump Handle Access",
 "sha256": "13217b6a2a8a60bd16c88f972c5a154d41523241776c401344cd37421eaf13ef",
@@ -2063,7 +1978,7 @@
 "220be143-5c67-4fdb-b6ce-dd6826d024fd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Full User-Mode Dumps Enabled System-Wide",
 "sha256": "1cc91703e211a89bc8b1f0519649e4e3958193ad7f77cdd75d2aed5b9c6e1a1b",
@@ -2141,16 +2056,6 @@
 "version": 103
 },
 "24401eca-ad0b-4ff9-9431-487a8e183af9": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 104,
- "rule_name": "New GitHub Owner Added",
- "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764",
- "type": "eql",
- "version": 5
- }
- },
 "rule_name": "New GitHub Owner Added",
 "sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6",
 "type": "eql",
@@ -2159,7 +2064,7 @@
 "25224a80-5a4a-4b8a-991e-6ab390465c4f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Lateral Movement via Startup Folder",
 "sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381",
@@ -2182,7 +2087,7 @@
 "2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 103,
 "rule_name": "Potential PowerShell HackTool Script by Author",
 "sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4",
@@ -2216,7 +2121,7 @@
 "260486ee-7d98-11ee-9599-f661ea17fbcd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "New Okta Authentication Behavior Detected",
 "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a",
@@ -2238,7 +2143,7 @@
 "263481c8-1e9b-492e-912d-d1760707f810": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Potential Relay Attack against a Domain Controller",
 "sha256": "a6d31b2e82a80eb8609b1bb25461fd5d2588fdfba77a75c4df407666b1f6dce2",
@@ -2260,7 +2165,7 @@
 "265db8f5-fc73-4d0d-b434-6483b56372e2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Persistence via Update Orchestrator Service Hijack",
 "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800",
@@ -2301,7 +2206,7 @@
 "26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
 "min_stack_version": "8.13",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
 "sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4",
@@ -2317,19 +2222,12 @@
 "27071ea3-e806-4697-8abc-e22c92aa4293": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "PowerShell Script with Archive Compression Capabilities",
 "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
 "type": "query",
 "version": 5
- },
- "8.12": {
- "max_allowable_version": 207,
- "rule_name": "PowerShell Script with Archive Compression Capabilities",
- "sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95",
- "type": "query",
- "version": 108
 }
 },
 "rule_name": "PowerShell Script with Archive Compression Capabilities",
@@ -2352,7 +2250,7 @@
 "2772264c-6fb9-4d9d-9014-b416eed21254": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Incoming Execution via PowerShell Remoting",
 "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b",
@@ -2380,7 +2278,7 @@
 "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 215,
 "rule_name": "Account Password Reset Remotely",
 "sha256": "dbf803fd05859ae76bda5f4e085129d4a5f840731285774dfae887a28a0e6799",
@@ -2403,7 +2301,7 @@
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Account Discovery Command via SYSTEM Account",
 "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
@@ -2473,7 +2371,7 @@
 "290aca65-e94d-403b-ba0f-62f320e63f51": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 213,
 "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
 "sha256": "5cfe971491ae9ff4d1d7dfd27691dc0cdebf5a8553599712008e0504e0d7cc4c",
@@ -2496,7 +2394,7 @@
 "2917d495-59bd-4250-b395-c29409b76086": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
 "sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609",
@@ -2519,19 +2417,12 @@
 "291a0de9-937a-4189-94c0-3e847c8b13e4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 310,
 "rule_name": "Enumeration of Privileged Local Groups Membership",
 "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
 "type": "new_terms",
 "version": 211
- },
- "8.12": {
- "max_allowable_version": 414,
- "rule_name": "Enumeration of Privileged Local Groups Membership",
- "sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4",
- "type": "new_terms",
- "version": 315
 }
 },
 "rule_name": "Enumeration of Privileged Local Groups Membership",
@@ -2542,7 +2433,7 @@
 "29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 103,
 "rule_name": "New Okta Identity Provider (IdP) Added by Admin",
 "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47",
@@ -2588,7 +2479,7 @@
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Adobe Hijack Persistence",
 "sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe",
@@ -2611,7 +2502,7 @@
 "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Windows Defender Exclusions Added via PowerShell",
 "sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1",
@@ -2634,7 +2525,7 @@
 "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
 "sha256": "afff98a0b90a5aae640601eba5921162ce7572b6838da100bc6c1a0be27e6f22",
@@ -2650,7 +2541,7 @@
 "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Potential Foxmail Exploitation",
 "sha256": "a4f0739152df6e638b21a5eac1cc7cf12b94d145b6cccfb04e27fdce391b2f91",
@@ -2673,7 +2564,7 @@
 "2d62889e-e758-4c5e-b57e-c735914ee32a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Suspicious PowerShell Execution via Windows Scripts",
 "sha256": "809e425e3a5be9a9800b6d14b48f314124436ff849b26df4baf4ff68b0da5cbf",
@@ -2702,7 +2593,7 @@
 "2dd480be-1263-4d9c-8672-172928f6789a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 310,
 "rule_name": "Suspicious Process Access via Direct System Call",
 "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328",
@@ -2730,7 +2621,7 @@
 "2de87d72-ee0c-43e2-b975-5f0b029ac600": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "Wireless Credential Dumping using Netsh Command",
 "sha256": "7e5b7e7f86dcf4fbb6d5372775029f3abd32e945f33ed157e27d84917858b727",
@@ -2753,7 +2644,7 @@
 "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Renamed AutoIt Scripts Interpreter",
 "sha256": "c9fca874ba0aea66a0b05cce3eff5be4bec6fd71adbcdabb89b538dfe2294d8b",
@@ -2769,7 +2660,7 @@
 "2e29e96a-b67c-455a-afe4-de6183431d0d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Potential Process Injection via PowerShell",
 "sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029",
@@ -2785,7 +2676,7 @@
 "2e311539-cd88-4a85-a301-04f38795007c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Accessing Outlook Data Files",
 "sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473",
@@ -2801,7 +2692,7 @@
 "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Okta User Sessions Started from Different Geolocations",
 "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc",
@@ -2830,7 +2721,7 @@
 "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Creation of a Hidden Local User Account",
 "sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478",
@@ -2859,7 +2750,7 @@
 "2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
 "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652",
@@ -2893,7 +2784,7 @@
 "2ffa1f1e-b6db-47fa-994b-1512743847eb": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 214,
 "rule_name": "Windows Defender Disabled via Registry Modification",
 "sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b",
@@ -2957,7 +2848,7 @@
 "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 213,
 "rule_name": "Bypass UAC via Event Viewer",
 "sha256": "6803ee7c44e816c648b5cb1c7638f63b9a8952d06dc27673a10931537edcc6c7",
@@ -3004,7 +2895,7 @@
 "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Program Files Directory Masquerading",
 "sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef",
@@ -3033,7 +2924,7 @@
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Suspicious MS Outlook Child Process",
 "sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172",
@@ -3084,16 +2975,6 @@
 "version": 1
 },
 "345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 101,
- "rule_name": "GitHub Repository Deleted",
- "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
- "type": "eql",
- "version": 2
- }
- },
 "rule_name": "GitHub Repository Deleted",
 "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
 "type": "eql",
@@ -3120,7 +3001,7 @@
 "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Port Forwarding Rule Addition",
 "sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d",
@@ -3156,7 +3037,7 @@
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Unusual Parent-Child Relationship",
 "sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0",
@@ -3197,7 +3078,7 @@
 "36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Suspicious ImagePath Service Creation",
 "sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb",
@@ -3262,7 +3143,7 @@
 "3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 309,
 "rule_name": "Attempted Bypass of Okta MFA",
 "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4",
@@ -3278,7 +3159,7 @@
 "3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 214,
 "rule_name": "Network Connection via Certutil",
 "sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be",
@@ -3336,7 +3217,7 @@
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Persistence via Microsoft Outlook VBA",
 "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3",
@@ -3365,7 +3246,7 @@
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Potential DNS Tunneling via NsLookup",
 "sha256": "6000c31bea360c0d9b1d37463b62aaa348ae174cd150d753a365830bfab75447",
@@ -3394,7 +3275,7 @@
 "3a657da0-1df2-11ef-a327-f661ea17fbcc": {
 "min_stack_version": "8.13",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Rapid7 Threat Command CVEs Correlation",
 "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1",
@@ -3426,16 +3307,6 @@
 "version": 103
 },
 "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "First Occurrence of IP Address For GitHub User",
- "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a",
- "type": "new_terms",
- "version": 3
- }
- },
 "rule_name": "First Occurrence of IP Address For GitHub User",
 "sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54",
 "type": "new_terms",
@@ -3450,7 +3321,7 @@
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Unusual Parent Process for cmd.exe",
 "sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b",
@@ -3473,7 +3344,7 @@
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 213,
 "rule_name": "NTDS or SAM Database File Copied",
 "sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686",
@@ -3502,7 +3373,7 @@
 "3d00feab-e203-4acc-a463-c3e15b7e9a73": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 101,
 "rule_name": "ScreenConnect Server Spawning Suspicious Processes",
 "sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86",
@@ -3525,19 +3396,12 @@
 "3d3aa8f9-12af-441f-9344-9f31053e316d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "PowerShell Script with Log Clear Capabilities",
 "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
 "type": "query",
 "version": 5
- },
- "8.12": {
- "max_allowable_version": 207,
- "rule_name": "PowerShell Script with Log Clear Capabilities",
- "sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972",
- "type": "query",
- "version": 108
 }
 },
 "rule_name": "PowerShell Script with Log Clear Capabilities",
@@ -3566,7 +3430,7 @@
 "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
 "sha256": "8a6f3d4d6d2ab609c03f95537b72d713e9810f920db111edecb52d9d38d8f6de",
@@ -3607,7 +3471,7 @@
 "3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Privilege Escalation via Named Pipe Impersonation",
 "sha256": "07b7a1afa550e1df6cbbf323c40b3819f4f1cdbd327efeabd9ad0efac059d864",
@@ -3630,7 +3494,7 @@
 "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 307,
 "rule_name": "Suspicious Process Creation CallTrace",
 "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927",
@@ -3688,7 +3552,7 @@
 "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Unusual Process Spawned by a User",
 "sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134",
@@ -3702,16 +3566,6 @@
 "version": 107
 },
 "4030c951-448a-4017-a2da-ed60f6d14f4f": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "GitHub User Blocked From Organization",
- "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6",
- "type": "eql",
- "version": 3
- }
- },
 "rule_name": "GitHub User Blocked From Organization",
 "sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e",
 "type": "eql",
@@ -3720,7 +3574,7 @@
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Unusual Persistence via Services Registry",
 "sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a",
@@ -3755,7 +3609,7 @@
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Control Panel Process with Unusual Arguments",
 "sha256": "0ec964d19b677c5a3602725e1d6954220c23d9d952c16ff1b6da2eea29a44e72",
@@ -3776,16 +3630,6 @@
 "version": 313
 },
 "41761cd3-380f-4d4d-89f3-46d6853ee35d": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "First Occurrence of User-Agent For a GitHub User",
- "sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d",
- "type": "new_terms",
- "version": 3
- }
- },
 "rule_name": "First Occurrence of User-Agent For a GitHub User",
 "sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952",
 "type": "new_terms",
@@ -3825,7 +3669,7 @@
 "42bf698b-4738-445b-8231-c834ddefd8a0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 310,
 "rule_name": "Okta Brute Force or Password Spraying Attack",
 "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8",
@@ -3841,7 +3685,7 @@
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 109,
 "rule_name": "Process Creation via Secondary Logon",
 "sha256": "525c2144bf947ec8f46831b5237798e93320e6a3b2913ac51d2c48ec4c21c257",
@@ -3875,7 +3719,7 @@
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Startup Persistence by a Suspicious Process",
 "sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77",
@@ -3898,7 +3742,7 @@
 "445a342e-03fb-42d0-8656-0367eb2dead5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Unusual Windows Path Activity",
 "sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94",
@@ -3920,7 +3764,7 @@
 "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 110,
 "rule_name": "Multiple Vault Web Credentials Read",
 "sha256": "c1d407b17617d847a235c98e3d883e34fbac8e998edb79f15b1691b8a196691a",
@@ -3954,7 +3798,7 @@
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Windows Event Logs Cleared",
 "sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27",
@@ -3970,7 +3814,7 @@
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Encrypting Files with WinRar or 7z",
 "sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060",
@@ -3986,7 +3830,7 @@ "4630d948-40d4-4cef-ac69-4002e29bc3db": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Adding Hidden File Attribute via Attrib", "sha256": "7a07d3a3c11d1364d2b213517c43cc9fab8aab4adc8c2f3595c4bedba3f5765f", @@ -4009,7 +3853,7 @@ "4682fd2c-cfae-47ed-a543-9bed37657aa6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Potential Local NTLM Relay via HTTP", "sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e", @@ -4056,7 +3900,7 @@ "47e22836-4a16-4b35-beee-98f6c4ee9bf2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege", "sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40", @@ -4084,7 +3928,7 @@ "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "sha256": "e00daf78742e5d25f05f11ec86efbda6a185e2b45e5738e6abd73e6795530c1f", @@ -4119,7 +3963,7 @@ "48b6edfc-079d-4907-b43c-baffa243270d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 109, "rule_name": "Multiple Logon Failure from the same Source Address", "sha256": "36369b787180e53e8d9a0921e177975ce33ac03e4c3e101837cc43faa0aba56f", @@ -4177,7 +4021,7 @@ "4982ac3e-d0ee-4818-b95d-d9522d689259": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Process Discovery Using Built-in Tools", "sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1", 
@@ -4217,7 +4061,7 @@ "4b438734-3793-4fda-bd42-ceeada0be8f9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Disable Windows Firewall Rules via Netsh", "sha256": "d18f0d4efc2ad5ade11890ab3e5f0a54d4521162528adffcd92bd7c037fb44de", @@ -4258,7 +4102,7 @@ "4bd1c1af-79d4-4d37-9efa-6e0240640242": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Unusual Process Execution Path - Alternate Data Stream", "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45", @@ -4281,7 +4125,7 @@ "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 110, "rule_name": "PowerShell Share Enumeration Script", "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1", @@ -4315,7 +4159,7 @@ "4de76544-f0e5-486a-8f84-eae0b6063cdc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools", "sha256": "fb9bb254f0e60ed51d8d4e297aad53df545a43f086e4549a1c1f54743463a299", @@ -4338,7 +4182,7 @@ "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 110, "rule_name": "Multiple Logon Failure Followed by Logon Success", "sha256": "bf31596123965d48e9aa656e0e935a6038395a1f7aa60a94aca3e18d72b79dc8", @@ -4360,7 +4204,7 @@ "4ed493fc-d637-4a36-80ff-ac84937e5461": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure", "sha256": "759a649928bcc0a0a2cfa9af0084ced15bad00665e20e163f96e50d748c6cf97", 
@@ -4383,7 +4227,7 @@ "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Script Object Execution", "sha256": "ff51979abf90a96b0ab21324887f4c1b54fce14ba48a37fa78f1350865e6b77f", @@ -4399,7 +4243,7 @@ "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", @@ -4422,7 +4266,7 @@ "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Execution via TSClient Mountpoint", "sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2", @@ -4445,7 +4289,7 @@ "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", @@ -4467,7 +4311,7 @@ "51176ed2-2d90-49f2-9f3d-17196428b169": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Windows System Information Discovery", "sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155", @@ -4489,7 +4333,7 @@ "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Registry Persistence via AppCert DLL", "sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d", 
@@ -4524,7 +4368,7 @@ "5188c68e-d3de-4e96-994d-9e242269446f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Service DACL Modification via sc.exe", "sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d", @@ -4553,7 +4397,7 @@ "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", @@ -4593,7 +4437,7 @@ "52aaab7b-b51c-441a-89ce-4387b3aea886": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", @@ -4657,7 +4501,7 @@ "53a26770-9cbd-40c5-8b57-61d01a325e14": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Suspicious PDF Reader Child Process", "sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12", @@ -4680,7 +4524,7 @@ "53dedd83-1be7-430f-8026-363256395c8b": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b", @@ -4696,7 +4540,7 @@ "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Uncommon Registry Persistence Change", "sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a", 
@@ -4712,19 +4556,12 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", "type": "query", "version": 8 - }, - "8.12": { - "max_allowable_version": 209, - "rule_name": "Exchange Mailbox Export via PowerShell", - "sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74", - "type": "query", - "version": 110 } }, "rule_name": "Exchange Mailbox Export via PowerShell", @@ -4735,7 +4572,7 @@ "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Network Logon Provider Registry Modification", "sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698", @@ -4751,7 +4588,7 @@ "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347", @@ -4767,7 +4604,7 @@ "55d551c6-333b-4665-ab7e-5d14a59715ce": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "PsExec Network Connection", "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", @@ -4789,7 +4626,7 @@ "56004189-4e69-4a39-b4a9-195329d226e9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a Host", "sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098", 
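Review bot: Where an `8.11` entry is renamed to `8.12` beside an already-present `8.12` entry, the pre-existing `8.12` values are dropped and the `8.12` key ends up holding the former 8.11 data — for `54a81f68-5f2a-421e-8eed-f888278bb712` the surviving block has `"max_allowable_version": 107` / `"version": 8` while the deleted block had 209 / 110 and a different `sha256`. If the `previous` keys denote the lowest stack a rule variant applies to, as the rename implies, the 8.12 branch now locks an older version and hash than it did before this change, and a rule already released there at version 110 would sit above its `max_allowable_version`. If that reading is right, the fix is the opposite merge: keep the deleted `8.12` block (`"max_allowable_version": 209`, `"version": 110`, sha256 `e09d7504…`) under the `8.12` key and discard the 8.11 values instead. The same collision pattern appears in the hunks for `56f2e9b5-4803-4e44-a0a4-a52dc79d57fe`, `61ac3638-40a3-44b2-855a-985636ca985e`, `7e23dfef-da2c-4d64-b11d-5f285b638853` and `81fe9dc6-a2d7-4192-a2d8-eed98afc766a`; it is worth confirming which side the lock generator is expected to keep on a key collision and that this file was produced by the generator rather than edited by hand.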
@@ -4805,7 +4642,7 @@ "5610b192-7f18-11ee-825b-f661ea17fbcd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", @@ -4821,7 +4658,7 @@ "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7", @@ -4855,19 +4692,12 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", "type": "query", "version": 110 - }, - "8.12": { - "max_allowable_version": 312, - "rule_name": "PowerShell PSReflect Script", - "sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d", - "type": "query", - "version": 213 } }, "rule_name": "PowerShell PSReflect Script", @@ -4902,7 +4732,7 @@ "577ec21e-56fe-4065-91d8-45eb8224fe77": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell MiniDump Script", "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", @@ -4918,7 +4748,7 @@ "57bccf1d-daf5-4e1a-9049-ff79b5254704": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 105, "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb", 
@@ -4934,7 +4764,7 @@ "57bfa0a9-37c0-44d6-b724-54bf16787492": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "DNS Global Query Block List Modified or Disabled", "sha256": "fbf28db5104a48b0e0d2f1bab198d6d68917d37647526eb57c33227ecca28773", @@ -4957,7 +4787,7 @@ "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "26f2805142740943d3a337737f94aa2adb368dc09f37ec38fe749edf716118e2", @@ -4980,7 +4810,7 @@ "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "RDP Enabled via Registry", "sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1", @@ -5051,7 +4881,7 @@ "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", @@ -5098,7 +4928,7 @@ "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", @@ -5145,7 +4975,7 @@ "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "f8b5d6b8dcd9ba7c0a8a5e3c777145a5ab964529eb766fbf5cab16a47349ead2", 
@@ -5180,7 +5010,7 @@ "5c602cba-ae00-4488-845d-24de2b6d8055": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", @@ -5196,7 +5026,7 @@ "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 112, "rule_name": "FirstTime Seen Account Performing DCSync", "sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106", @@ -5236,7 +5066,7 @@ "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80", @@ -5252,7 +5082,7 @@ "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "User Added to Privileged Group", "sha256": "d38fab04d93fbbb1473131509d9b6cd0bd610885369860d4fbc428e46abb34de", @@ -5268,7 +5098,7 @@ "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Persistence via PowerShell profile", "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", @@ -5297,7 +5127,7 @@ "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75", 
@@ -5313,7 +5143,7 @@ "5d676480-9655-4507-adc6-4eec311efff8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Unsigned DLL loaded by DNS Service", "sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7", @@ -5366,7 +5196,7 @@ "5f2f463e-6997-478c-8405-fb41cc283281": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Potential File Download via a Headless Browser", "sha256": "07bc7d436acd1fee6bb5095ececc82cea05e2662cc4170c6c4101acad12bd670", @@ -5413,7 +5243,7 @@ "610949a1-312f-4e04-bb55-3a79b8c95267": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Unusual Process Network Connection", "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", @@ -5427,16 +5257,6 @@ "version": 208 }, "61336fe6-c043-4743-ab6e-41292f439603": { - "min_stack_version": "8.12", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "New User Added To GitHub Organization", - "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", - "type": "eql", - "version": 3 - } - }, "rule_name": "New User Added To GitHub Organization", "sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4", "type": "eql", @@ -5445,7 +5265,7 @@ "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Interactive Logon by an Unusual Process", "sha256": "bf2b28b3ee264bd7593059a42fb95b93b34b79c0296e85ea353384200ca44764", 
@@ -5461,19 +5281,12 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", "type": "query", "version": 113 - }, - "8.12": { - "max_allowable_version": 315, - "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", - "sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8", - "type": "query", - "version": 216 } }, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", @@ -5490,7 +5303,7 @@ "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "61e5e9cb9893a7e21a7314d6953f624a9d9e7e05e283ac34d508735fddcf87b7", @@ -5506,7 +5319,7 @@ "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 104, "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", @@ -5522,7 +5335,7 @@ "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", @@ -5544,7 +5357,7 @@ "62a70f6f-3c37-43df-a556-f64fa475fba2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Account Configured with Never-Expiring Password", "sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62", 
@@ -5596,7 +5409,7 @@ "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Network Connection via Signed Binary", "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", @@ -5642,7 +5455,7 @@ "65432f4a-e716-4cc1-ab11-931c4966da2d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "MsiExec Service Child Process With Network Connection", "sha256": "861bc19c8f4196effc1ddc59a6929d979c132b0e3a3507da3f10ac1d760a1287", @@ -5683,7 +5496,7 @@ "6649e656-6f85-11ef-8876-f661ea17fbcc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", @@ -5699,7 +5512,7 @@ "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 206, "rule_name": "WebServer Access Logs Deleted", "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", @@ -5739,7 +5552,7 @@ "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 112, "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804", @@ -5755,7 +5568,7 @@ "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", 
@@ -5777,7 +5590,7 @@ "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", @@ -5811,7 +5624,7 @@ "6839c821-011d-43bd-bd5b-acff00257226": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Image File Execution Options Injection", "sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3", @@ -5840,7 +5653,7 @@ "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", @@ -5856,7 +5669,7 @@ "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "aea25737ded0865363c221c0d1752131a0e908cbb4968ff2138d90d22cb790f1", @@ -5885,7 +5698,7 @@ "689b9d57-e4d5-4357-ad17-9c334609d79a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07", @@ -5907,7 +5720,7 @@ "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef", 
@@ -5929,7 +5742,7 @@ "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "e54698612562724862eabf289b6a0256473aa6af882b84aa9a4fdc520b15c22e", @@ -5970,7 +5783,7 @@ "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Modification of Boot Configuration", "sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672", @@ -6011,7 +5824,7 @@ "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", @@ -6034,7 +5847,7 @@ "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a", @@ -6069,7 +5882,7 @@ "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "a51928cc4f489accb73c5623006f11d187ddfced85856c1753810c11a3e6ad96", @@ -6091,7 +5904,7 @@ "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", 
@@ -6112,16 +5925,6 @@ "version": 308 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { - "min_stack_version": "8.12", - "previous": { - "8.11": { - "max_allowable_version": 102, - "rule_name": "GitHub Repo Created", - "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", - "type": "eql", - "version": 3 - } - }, "rule_name": "GitHub Repo Created", "sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126", "type": "eql", @@ -6130,7 +5933,7 @@ "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 210, "rule_name": "Unusual Process For a Windows Host", "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203", @@ -6158,7 +5961,7 @@ "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 107, "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", "sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6", @@ -6174,7 +5977,7 @@ "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 207, "rule_name": "Anomalous Process For a Windows Population", "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623", @@ -6190,7 +5993,7 @@ "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "AdminSDHolder Backdoor", "sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe", @@ -6212,7 +6015,7 @@ "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Potential Windows Error Manager Masquerading", "sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75", 
@@ -6228,7 +6031,7 @@ "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Security Software Discovery using WMIC", "sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31", @@ -6256,7 +6059,7 @@ "6f024bde-7085-489b-8250-5957efdf1caf": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 101, "rule_name": "Active Directory Group Modification by SYSTEM", "sha256": "2ee2291d359018227fac96405ae5bd6ac5dba317d4dc3822fa5bd4382a4dddce", @@ -6278,7 +6081,7 @@ "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", @@ -6318,7 +6121,7 @@ "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27", @@ -6358,7 +6161,7 @@ "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 214, "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297", @@ -6381,7 +6184,7 @@ "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8", 
@@ -6422,7 +6225,7 @@ "729aa18d-06a6-41c7-b175-b65b739b1181": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 308, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", @@ -6450,7 +6253,7 @@ "730ed57d-ae0f-444f-af50-78708b57edd5": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "54016ee23f49287a4fae596a255b45db62a996943f8881ff1dfb1fd2fb8920e7", @@ -6485,7 +6288,7 @@ "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "d92a7d07cb5e81322f02fb2a7166dbdd70da750fa76141da1b95cb31663d9448", @@ -6556,7 +6359,7 @@ "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 111, "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": "77281c68463fbc2c835a7a2749c534aa6aec79a75e0597d4199b96137ca5e191", @@ -6578,7 +6381,7 @@ "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 205, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", @@ -6600,7 +6403,7 @@ "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a", 
@@ -6623,7 +6426,7 @@ "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 212, "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "817ef65a6a910511dbe215f836ed060a2efe5a05e206abf2224a2480ce861487", @@ -6694,7 +6497,7 @@ "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 100, "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446", @@ -6753,7 +6556,7 @@ "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 108, "rule_name": "Potential File Transfer via Certreq", "sha256": "0fa34695e7e58ab411a32781540d80e8b93e9a6162cc9ceaa18a072942d6e319", @@ -6776,7 +6579,7 @@ "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 211, "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e", @@ -6828,7 +6631,7 @@ "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 213, "rule_name": "Windows Network Enumeration", "sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486", @@ -6850,7 +6653,7 @@ "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 307, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", 
@@ -6920,20 +6723,13 @@ "7e23dfef-da2c-4d64-b11d-5f285b638853": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Microsoft Management Console File from Unusual Path", "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", "type": "eql", "version": 4 }, - "8.12": { - "max_allowable_version": 203, - "rule_name": "Microsoft Management Console File from Unusual Path", - "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", - "type": "eql", - "version": 105 - }, "8.13": { "max_allowable_version": 304, "rule_name": "Microsoft Management Console File from Unusual Path", @@ -6956,7 +6752,7 @@ "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 208, "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", @@ -7003,7 +6799,7 @@ "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 102, "rule_name": "Potential PowerShell Obfuscated Script", "sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5", @@ -7025,7 +6821,7 @@ "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 103, "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059", @@ -7059,7 +6855,7 @@ "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.14", "previous": { - "8.11": { + "8.12": { "max_allowable_version": 209, "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc", 
@@ -7088,19 +6884,12 @@
 "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
 "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
 "type": "query",
 "version": 111
- },
- "8.12": {
- "max_allowable_version": 313,
- "rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
- "sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5",
- "type": "query",
- "version": 214
 }
 },
 "rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
@@ -7111,7 +6900,7 @@
 "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Temporarily Scheduled Task Creation",
 "sha256": "4162c0f3ecc6a4c881309a1c579888218ab3995f564f72409e538076f2e26c78",
@@ -7151,7 +6940,7 @@
 "83bf249e-4348-47ba-9741-1202a09556ad": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Suspicious Windows Powershell Arguments",
 "sha256": "67fac684b46bd0e1e592ed5fb64523fe9b1b6c8bbf695fa5a8c2ca93c45ebeff",
@@ -7186,7 +6975,7 @@
 "846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Microsoft Exchange Transport Agent Install Script",
 "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412",
@@ -7214,7 +7003,7 @@
 "84da2554-e12a-11ec-b896-f661ea17fbcd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
 "sha256": "edbf1332772ff82f1ca2598dd8a01f2db70fbc0b0fc319db2140d545aeb1a4f0",
@@ -7272,7 +7061,7 @@
 "871ea072-1b71-4def-b016-6278b505138d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 213,
 "rule_name": "Enumeration of Administrator Accounts",
 "sha256": "043665e2ef98b00727f9e07b55549bee2d56066daf42ca2553e2b1bfa8aaf20e",
@@ -7330,7 +7119,7 @@
 "891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Suspicious WMI Image Load from MS Office",
 "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443",
@@ -7346,7 +7135,7 @@
 "894326d2-56c0-4342-b553-4abfaf421b5b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Potential WPAD Spoofing via DNS Record Creation",
 "sha256": "7c29cdef0a6ebeafbe4e910b112d583288fc53752af7e0be673133e731c7b6ed",
@@ -7368,7 +7157,7 @@
 "897dc6b5-b39f-432a-8d75-d3730d50c782": {
 "min_stack_version": "8.13",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Kerberos Traffic from Unusual Process",
 "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50",
@@ -7384,7 +7173,7 @@
 "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Command Prompt Network Connection",
 "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271",
@@ -7412,7 +7201,7 @@
 "8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Potential Okta MFA Bombing via Push Notifications",
 "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031",
@@ -7426,16 +7215,6 @@
 "version": 106
 },
 "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "GitHub PAT Access Revoked",
- "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4",
- "type": "eql",
- "version": 3
- }
- },
 "rule_name": "GitHub PAT Access Revoked",
 "sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5",
 "type": "eql",
@@ -7450,7 +7229,7 @@
 "8a1d4831-3ce6-4859-9891-28931fa6101d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Suspicious Execution from a Mounted Device",
 "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3",
@@ -7466,7 +7245,7 @@
 "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempt to Deactivate an Okta Network Zone",
 "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c",
@@ -7494,7 +7273,7 @@
 "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Executable File Creation with Multiple Extensions",
 "sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0",
@@ -7517,7 +7296,7 @@
 "8b4f0816-6a65-4630-86a6-c21c179c0d09": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Enable Host Network Discovery via Netsh",
 "sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d",
@@ -7552,7 +7331,7 @@
 "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Unusual Child Process of dns.exe",
 "sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460",
@@ -7623,7 +7402,7 @@
 "8e2485b6-a74f-411b-bf7f-38b819f3a846": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Potential WSUS Abuse for Lateral Movement",
 "sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3",
@@ -7652,7 +7431,7 @@
 "8eec4df1-4b4b-4502-b6c3-c788714604c9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Bitsadmin Activity",
 "sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e",
@@ -7668,7 +7447,7 @@
 "8f242ffb-b191-4803-90ec-0f19942e17fd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
 "sha256": "69eda3393bec929f1158fe872d2aac7cd1fb162a851c342ba041fa666a8a09b7",
@@ -7690,7 +7469,7 @@
 "8f919d4b-a5af-47ca-a594-6be59cd924a4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
 "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68",
@@ -7736,7 +7515,7 @@
 "90babaa8-5216-4568-992d-d4a01a105d98": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 103,
 "rule_name": "InstallUtil Activity",
 "sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f",
@@ -7794,19 +7573,12 @@
 "92984446-aefb-4d5e-ad12-598042ca80ba": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 107,
 "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
 "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
 "type": "query",
 "version": 8
- },
- "8.12": {
- "max_allowable_version": 209,
- "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
- "sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f",
- "type": "query",
- "version": 110
 }
 },
 "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
@@ -7817,7 +7589,7 @@
 "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "A scheduled task was created",
 "sha256": "51fc451b7a928144398a72653372d93f57fc18535dfb3a3667e6e7c3ec10f052",
@@ -7833,7 +7605,7 @@
 "92d3a04e-6487-4b62-892d-70e640a590dc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 103,
 "rule_name": "Potential Evasion via Windows Filtering Platform",
 "sha256": "4c1a9ea8c710b1e04ca1f0f4c3ded936d6b02249faca0a7424388c37e4c3782e",
@@ -7867,7 +7639,7 @@
 "93b22c0a-06a0-4131-b830-b10d5e166ff4": {
 "min_stack_version": "8.13",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious SolarWinds Child Process",
 "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606",
@@ -7883,7 +7655,7 @@
 "93c1ce76-494c-4f01-8167-35edfb52f7b1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Encoded Executable Stored in the Registry",
 "sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4",
@@ -7930,7 +7702,7 @@
 "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
 "sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1",
@@ -7975,7 +7747,7 @@
 "951779c2-82ad-4a6c-82b8-296c1f691449": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 103,
 "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
 "sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897",
@@ -7991,7 +7763,7 @@
 "954ee7c8-5437-49ae-b2d6-2960883898e9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Remote Scheduled Task Creation",
 "sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8",
@@ -8007,7 +7779,7 @@
 "959a7353-1129-4aa7-9084-30746b256a70": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
 "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c",
@@ -8057,7 +7829,7 @@
 "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 307,
 "rule_name": "Attempt to Create Okta API Token",
 "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d",
@@ -8085,7 +7857,7 @@
 "97020e61-e591-4191-8a3b-2861a2b887cd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 107,
 "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
 "sha256": "59ac20ddf0ad6c973682600530ec32145c00eecd4dadbd7760ff440d6eaee57c",
@@ -8125,7 +7897,7 @@
 "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 311,
 "rule_name": "Potentially Successful MFA Bombing via Push Notifications",
 "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee",
@@ -8141,7 +7913,7 @@
 "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious Zoom Child Process",
 "sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea",
@@ -8206,7 +7978,7 @@
 "98843d35-645e-4e66-9d6a-5049acd96ce1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 103,
 "rule_name": "Indirect Command Execution via Forfiles/Pcalua",
 "sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc",
@@ -8252,7 +8024,7 @@
 "994e40aa-8c85-43de-825e-15f665375ee8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 109,
 "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
 "sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3",
@@ -8268,7 +8040,7 @@
 "9960432d-9b26-409f-972b-839a959e79e2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 309,
 "rule_name": "Potential Credential Access via LSASS Memory Dump",
 "sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3",
@@ -8320,7 +8092,7 @@
 "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Suspicious Explorer Child Process",
 "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7",
@@ -8343,7 +8115,7 @@
 "9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Scheduled Tasks AT Command Enabled",
 "sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88",
@@ -8371,16 +8143,6 @@
 "version": 4
 },
 "9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 104,
- "rule_name": "GitHub Owner Role Granted To User",
- "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c",
- "type": "eql",
- "version": 5
- }
- },
 "rule_name": "GitHub Owner Role Granted To User",
 "sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68",
 "type": "eql",
@@ -8389,7 +8151,7 @@
 "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Persistence via WMI Event Subscription",
 "sha256": "f84d0750e79c7e23c031d4418102d9813c8bf40cf0c1c297bb68b2e68ecd6662",
@@ -8418,7 +8180,7 @@
 "9c260313-c811-4ec8-ab89-8f6530e0246c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Hosts File Modified",
 "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2",
@@ -8440,7 +8202,7 @@
 "9c865691-5599-447a-bac9-b3f2df5f9a9d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "Remote Scheduled Task Creation via RPC",
 "sha256": "247721b2ad4e7f9a94e9bbd1effaef53279a2504856ed04ae48b17a46729cccb",
@@ -8462,7 +8224,7 @@
 "9ccf3ce0-0057-440a-91f5-870c6ad39093": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Command Shell Activity Started via RunDLL32",
 "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057",
@@ -8497,7 +8259,7 @@
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 310,
 "rule_name": "Microsoft Build Engine Started by a Script Process",
 "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c",
@@ -8513,7 +8275,7 @@
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Microsoft Build Engine Started by a System Process",
 "sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641",
@@ -8536,7 +8298,7 @@
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Microsoft Build Engine Using an Alternate Name",
 "sha256": "a49d6fb17cca15bf6ca569b7a9ed627b4ac76c4508e50fca28a4a267dc420ad4",
@@ -8552,7 +8314,7 @@
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Potential Credential Access via Trusted Developer Utility",
 "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5",
@@ -8568,7 +8330,7 @@
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 313,
 "rule_name": "Microsoft Build Engine Started an Unusual Process",
 "sha256": "357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e",
@@ -8584,7 +8346,7 @@
 "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Process Injection by the Microsoft Build Engine",
 "sha256": "eb466a234b50a51692e4c5678572f202d8d11c886c5676f92df089866b6613dc",
@@ -8624,7 +8386,7 @@
 "9f962927-1a4f-45f3-a57b-287f2c7029c1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 214,
 "rule_name": "Potential Credential Access via DCSync",
 "sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921",
@@ -8652,7 +8414,7 @@
 "a02cb68e-7c93-48d1-93b2-2c39023308eb": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "A scheduled task was updated",
 "sha256": "c135f8efdd7137ef937b19eb29aa4a88640d556690f529620d1c24f6c391ec3f",
@@ -8680,7 +8442,7 @@
 "a13167f1-eec2-4015-9631-1fee60406dcf": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "InstallUtil Process Making Network Connections",
 "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f",
@@ -8702,7 +8464,7 @@
 "a16612dd-b30e-4d41-86a0-ebe70974ec00": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
 "sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2",
@@ -8718,7 +8480,7 @@
 "a1699af0-8e1e-4ed0-8ec1-89783538a061": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Windows Subsystem for Linux Distribution Installed",
 "sha256": "254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9",
@@ -8765,7 +8527,7 @@
 "a22a09c2-2162-4df0-a356-9aacbeb56a04": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "DNS-over-HTTPS Enabled via Registry",
 "sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36",
@@ -8800,7 +8562,7 @@
 "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "PowerShell Mailbox Collection Script",
 "sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58",
@@ -8816,7 +8578,7 @@
 "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Execution via local SxS Shared Module",
 "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525",
@@ -8899,7 +8661,7 @@
 "a624863f-a70d-417f-a7d2-7a404638d47f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Suspicious MS Office Child Process",
 "sha256": "3c33d3c17dd17722da2beb479065e86e20568514289f6b08fa02d682146ad1ed",
@@ -8946,7 +8708,7 @@
 "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Credential Acquisition via Registry Hive Dumping",
 "sha256": "065a55514fdc9035ad658a5e591fa4c6fa510746aa52a1f262714061676b6d4d",
@@ -9023,7 +8785,7 @@
 "a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Persistence via Hidden Run Key Detected",
 "sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d",
@@ -9057,7 +8819,7 @@
 "aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Remotely Started Services via RPC",
 "sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0",
@@ -9098,7 +8860,7 @@
 "abae61a8-c560-4dbd-acca-1e1438bff36b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows Process Calling the Metadata Service",
 "sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676",
@@ -9120,7 +8882,7 @@
 "ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Suspicious WerFault Child Process",
 "sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10",
@@ -9149,7 +8911,7 @@
 "ac5a2759-5c34-440a-b0c4-51fe674611d6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Outlook Home Page Registry Modification",
 "sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83",
@@ -9172,7 +8934,7 @@
 "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "WPS Office Exploitation via DLL Hijack",
 "sha256": "006e257e7f3f415df5102ead250e9554e6755e192771f58bdab3c554075b7ae5",
@@ -9200,7 +8962,7 @@
 "ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Potential Invoke-Mimikatz PowerShell Script",
 "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21",
@@ -9234,7 +8996,7 @@
 "acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Suspicious Managed Code Hosting Process",
 "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a",
@@ -9257,7 +9019,7 @@
 "ad0d2742-9a49-11ec-8d6b-acde48001122": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Signed Proxy Execution via MS Work Folders",
 "sha256": "810a8c957958d6e605deb047daa6566df4f3fc373fd5b47f4840489c8b1d76d4",
@@ -9298,7 +9060,7 @@
 "ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
 "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d",
@@ -9344,7 +9106,7 @@
 "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
 "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184",
@@ -9385,7 +9147,7 @@
 "afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Local Scheduled Task Creation",
 "sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0",
@@ -9425,7 +9187,7 @@
 "b0638186-4f12-48ac-83d2-47e686d08e82": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Netsh Helper DLL",
 "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9",
@@ -9467,7 +9229,7 @@
 "b2318c71-5959-469a-a3ce-3a0768e63b9c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Potential Network Share Discovery",
 "sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c",
@@ -9489,7 +9251,7 @@
 "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
 "min_stack_version": "8.13",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Remote File Copy via TeamViewer",
 "sha256": "a29d0b9a977b708aa1a61691d747913dbec9f7c2b91dbc0a40e511177f53deab",
@@ -9511,7 +9273,7 @@
 "b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Network Connection via Compiled HTML File",
 "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b",
@@ -9539,7 +9301,7 @@
 "b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Suspicious Endpoint Security Parent Process",
 "sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817",
@@ -9562,7 +9324,7 @@
 "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "Code Signing Policy Modification Through Built-in tools",
 "sha256": "168f65fff8c879d2ac1d9d8f75f943f5bfc82f8f42fb32accf1cafe4fa2f394b",
@@ -9597,7 +9359,7 @@
 "b483365c-98a8-40c0-92d8-0458ca25058a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "At.exe Command Lateral Movement",
 "sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402",
@@ -9613,7 +9375,7 @@
 "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempt to Delete an Okta Policy",
 "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e",
@@ -9635,7 +9397,7 @@
 "b5877334-677f-4fb9-86d5-a9721274223b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Clearing Windows Console History",
 "sha256": "31a8236d386d194b359d207af5df1bf72482fd394b73f8560ec1fc6de98072eb",
@@ -9658,7 +9420,7 @@
 "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
 "sha256": "4466accbd5ff400c7b23c229e6337d6832b2b1ec20954ba16572704e2f965837",
@@ -9693,7 +9455,7 @@
 "b64b183e-1a76-422d-9179-7b389513e74d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Windows Script Interpreter Executing Process via WMI",
 "sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc",
@@ -9709,7 +9471,7 @@
 "b661f86d-1c23-4ce7-a59e-2edbdba28247": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Potential Veeam Credential Access Command",
 "sha256": "b3f8b7e37e939e3cd6163ab49a982617cbd2281cc8245da41d7f0b07ffb9ac0d",
@@ -9732,7 +9494,7 @@
 "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
 "sha256": "050e1cfaf93c6b295453f348901119d4394b12f7e0cab4e059bd351a1b69dd62",
@@ -9754,7 +9516,7 @@
 "b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempt to Deactivate an Okta Policy",
 "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d",
@@ -9776,7 +9538,7 @@
 "b8075894-0b62-46e5-977c-31275da34419": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 307,
 "rule_name": "Administrator Privileges Assigned to an Okta Group",
 "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60",
@@ -9798,7 +9560,7 @@
 "b8386923-b02c-4b94-986a-d223d9b01f88": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 107,
 "rule_name": "PowerShell Invoke-NinjaCopy script",
 "sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21",
@@ -9814,7 +9576,7 @@
 "b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Creation or Modification of Domain Backup DPAPI private key",
 "sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04",
@@ -9837,7 +9599,7 @@
 "b86afe07-0d98-4738-b15d-8d7465f95ff5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Network Connection via MsXsl",
 "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266",
@@ -9853,7 +9615,7 @@
 "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Kirbi File Creation",
 "sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22",
@@ -9876,7 +9638,7 @@
 "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
 "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d",
@@ -9917,7 +9679,7 @@
 "b9554892-5e0e-424b-83a0-5aef95aa43bf": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Group Policy Abuse for Privilege Addition",
 "sha256": "5971f13dca2e4aa9242197c75db0ea4b322db1fbca63722424ceb9cbd06d0233",
@@ -9939,7 +9701,7 @@
 "b9960fef-82c6-4816-befa-44745030e917": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "SolarWinds Process Disabling Services via Registry",
 "sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847",
@@ -9968,7 +9730,7 @@
 "ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows Network Activity",
 "sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57",
@@ -9996,7 +9758,7 @@
 "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
 "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671",
@@ -10096,7 +9858,7 @@
 "bd2c86a0-8b61-4457-ab38-96943984e889": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 214,
 "rule_name": "PowerShell Keylogging Script",
 "sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e",
@@ -10112,7 +9874,7 @@
 "bd3d058d-5405-4cee-b890-337f09366ba2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Potential Defense Evasion via CMSTP.exe",
 "sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a",
@@ -10128,7 +9890,7 @@
 "bd7eefee-f671-494e-98df-f01daf9e5f17": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Suspicious Print Spooler Point and Print DLL",
 "sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c",
@@ -10150,7 +9912,7 @@
 "bdcf646b-08d4-492c-870a-6c04e3700034": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
 "sha256": "88869a90ff8b60cea2e3b311a3cff7348cabd05ea463923dacb7e7810c9063a8",
@@ -10182,7 +9944,7 @@
 "bdfebe11-e169-42e3-b344-c5d2015533d3": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
 "sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206",
@@ -10204,7 +9966,7 @@
 "be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Searching for Saved Credentials via VaultCmd",
 "sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7",
@@ -10245,7 +10007,7 @@
 "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
 "sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f",
@@ -10267,7 +10029,7 @@
 "c0429aa8-9974-42da-bfb6-53a0a515a145": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
 "sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210",
@@ -10302,7 +10064,7 @@
 "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
 "sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2",
@@ -10348,7 +10110,7 @@
 "c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Microsoft IIS Connection Strings Decryption",
 "sha256": "fbee6d2c06dbbfc87ca0b8695bd5b6d9f72acbb751ce228da8e4cb479b01d60f",
@@ -10389,7 +10151,7 @@
 "c2d90150-0133-451c-a783-533e736c12d7": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Mshta Making Network Connections",
 "sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624",
@@ -10417,7 +10179,7 @@
 "c3b915e0-22f3-4bf7-991d-b643513c722f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Persistence via BITS Job Notify Cmdline",
 "sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87",
@@ -10446,7 +10208,7 @@
 "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
 "sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e",
@@ -10469,7 +10231,7 @@
 "c4818812-d44f-47be-aaef-4cfb2f9cc799": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Suspicious Print Spooler File Deletion",
 "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff",
@@ -10498,7 +10260,7 @@
 "c55badd3-3e61-4292-836f-56209dc8a601": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Attempted Private Key Access",
 "sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa",
@@ -10514,7 +10276,7 @@
 "c5677997-f75b-4cda-b830-a75920514096": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Service Path Modification via sc.exe",
 "sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32",
@@ -10530,7 +10292,7 @@
 "c57f8579-e2a5-4804-847f-f2732edc5156": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Potential Remote Desktop Shadowing Activity",
 "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a",
@@ -10559,7 +10321,7 @@
 "c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
 "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f",
@@ -10575,7 +10337,7 @@
 "c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Installation of Custom Shim Databases",
 "sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b",
@@ -10598,7 +10360,7 @@
 "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Microsoft Build Engine Started by an Office Application",
 "sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281",
@@ -10627,7 +10389,7 @@
 "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Remote File Download via MpCmdRun",
 "sha256": "c2186669d5261bfa7c34dc39f93fc099d98e0e2e752839199476fe5c176ccc2c",
@@ -10663,7 +10425,7 @@
 "c749e367-a069-4a73-b1f2-43a3798153ad": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempt to Delete an Okta Network Zone",
 "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4",
@@ -10679,7 +10441,7 @@
 "c74fd275-ab2c-4d49-8890-e2943fa65c09": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 307,
 "rule_name": "Attempt to Modify an Okta Application",
 "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd",
@@ -10701,7 +10463,7 @@
 "c7894234-7814-44c2-92a9-f7d851ea246a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Unusual Network Connection via DllHost",
 "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6",
@@ -10723,7 +10485,7 @@
 "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Unusual File Modification by dns.exe",
 "sha256": "a52a50c6b43c02c95ace52b42924ca8e064e2f859b4d50fdba2866d47ac9d182",
@@ -10787,7 +10549,7 @@
 "c8b150f0-0164-475b-a75e-74b47800a9ff": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Suspicious Startup Shell Folder Modification",
 "sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78",
@@ -10810,7 +10572,7 @@
 "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Disabling Windows Defender Security Settings via PowerShell",
 "sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f",
@@ -10893,7 +10655,7 @@
 "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Multiple Okta Client Addresses for a Single User Session",
 "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5",
@@ -10934,7 +10696,7 @@
 "cc92c835-da92-45c9-9f29-b4992ad621a0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 309,
 "rule_name": "Attempt to Deactivate an Okta Policy Rule",
 "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf",
@@ -10956,7 +10718,7 @@
 "cd16fb10-0261-46e8-9932-a0336278cdbe": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
 "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c",
@@ -10996,7 +10758,7 @@
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 310,
 "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
 "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31",
@@ -11012,7 +10774,7 @@
 "cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 309,
 "rule_name": "Okta User Session Impersonation",
 "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7",
@@ -11028,19 +10790,12 @@
 "cde1bafa-9f01-4f43-a872-605b678968b0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 110,
 "rule_name": "Potential PowerShell HackTool Script by Function Names",
 "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
 "type": "query",
 "version": 11
- },
- "8.12": {
- "max_allowable_version": 212,
- "rule_name": "Potential PowerShell HackTool Script by Function Names",
- "sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b",
- "type": "query",
- "version": 113
 }
 },
 "rule_name": "Potential PowerShell HackTool Script by Function Names",
@@ -11055,16 +10810,6 @@
 "version": 2
 },
 "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
- "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
- "type": "new_terms",
- "version": 3
- }
- },
 "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
 "sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14",
 "type": "new_terms",
@@ -11073,7 +10818,7 @@
 "ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
 "sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65",
@@ -11120,7 +10865,7 @@
 "cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 213,
 "rule_name": "Execution from Unusual Directory - Command Line",
 "sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe",
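Review bot: In the cde1bafa-9f01-4f43-a872-605b678968b0 hunk the re-keyed `"8.11"` entry (max_allowable_version 110, version 11, sha256 e4ac68b4…) now occupies the `"8.12"` key, while the entry that already lived under `"8.12"` (max_allowable_version 212, version 113, sha256 635be6f0…) is deleted, so the lock for stacks that resolve through the 8.12 key regresses to the older rule content and version range. The same collision appears in the e26f042e-c590-4e82-8e05-41e81bd822ad hunk on a later line, where the surviving 8.12 entry carries version 112 / max 211 and the removed one carried 216 / 315. This looks like a key rename that overwrote an existing key rather than a deliberate downgrade; unless the regeneration step intends the lower stack's lock to win, dropping 8.11 should delete the 8.11 entry and leave the pre-existing 8.12 entry untouched, and the re-keying code should skip (or fail on) a target key that is already present. Worth confirming which version an 8.12/8.13 consumer of this lock resolves for these two rules before merging, since a silently lowered max_allowable_version can let an older rule revision be treated as current.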
@@ -11161,7 +10906,7 @@
 "d0e159cf-73e9-40d1-a9ed-077e3158a855": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Registry Persistence via AppInit DLL",
 "sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35",
@@ -11184,7 +10929,7 @@
 "d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Symbolic Link to Shadow Copy Created",
 "sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20",
@@ -11237,7 +10982,7 @@
 "d31f183a-e5b1-451b-8534-ba62bca0b404": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Disabling User Account Control via Registry Modification",
 "sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7",
@@ -11260,7 +11005,7 @@
 "d331bbe2-6db4-4941-80a5-8270db72eb61": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 213,
 "rule_name": "Clearing Windows Event Logs",
 "sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548",
@@ -11283,7 +11028,7 @@
 "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Remote Windows Service Installed",
 "sha256": "d3d7e72381e6345a67cffab43f821b026927d01ad097fa644718316d8b841386",
@@ -11299,7 +11044,7 @@
 "d3551433-782f-4e22-bbea-c816af2d41c6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 103,
 "rule_name": "WMI WBEMTEST Utility Execution",
 "sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766",
@@ -11327,7 +11072,7 @@
 "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 307,
 "rule_name": "Attempt to Delete an Okta Application",
 "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb",
@@ -11379,7 +11124,7 @@
 "d563aaba-2e72-462b-8658-3e5ea22db3a6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Privilege Escalation via Windir Environment Variable",
 "sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625",
@@ -11402,7 +11147,7 @@
 "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempt to Delete an Okta Policy Rule",
 "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e",
@@ -11418,7 +11163,7 @@
 "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Service Command Lateral Movement",
 "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42",
@@ -11458,7 +11203,7 @@
 "d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 113,
 "rule_name": "System Information Discovery via Windows Command Shell",
 "sha256": "b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e",
@@ -11480,7 +11225,7 @@
 "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Modification of WDigest Security Provider",
 "sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e",
@@ -11496,7 +11241,7 @@
 "d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Command Execution via SolarWinds Process",
 "sha256": "8fbf7a1dcae87ae50b11fbc90ac978f7238819b6fffdbff9e2762e2ba3cef2a9",
@@ -11573,7 +11318,7 @@
 "d93e61db-82d6-4095-99aa-714988118064": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 101,
 "rule_name": "NTDS Dump via Wbadmin",
 "sha256": "34ce5f9596b36a1b992575548e8c62b16a49e5261440a67f784671e4eb4bdbb3",
@@ -11596,7 +11341,7 @@
 "d99a037b-c8e2-47a5-97b9-170d076827c4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Volume Shadow Copy Deletion via PowerShell",
 "sha256": "c312ca88ca87b5842950e5a73570f60860a7d415c34293e91196686fbad5e738",
@@ -11619,7 +11364,7 @@
 "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Suspicious Windows Command Shell Arguments",
 "sha256": "0dd9b1e590a4b301d83ffb6fbc022556f692630bef01e7d31223c89a7032ecdb",
@@ -11642,7 +11387,7 @@
 "da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 110,
 "rule_name": "Code Signing Policy Modification Through Registry",
 "sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e",
@@ -11671,7 +11416,7 @@
 "da87eee1-129c-4661-a7aa-57d0b9645fad": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 109,
 "rule_name": "Suspicious Service was Installed in the System",
 "sha256": "2b3b6416e094f6fd0f246cdccd204f657433c0899082d352eee17f0a42c6e5cb",
@@ -11693,7 +11438,7 @@
 "daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 105,
 "rule_name": "Potential Pass-the-Hash (PtH) Attempt",
 "sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d",
@@ -11715,7 +11460,7 @@
 "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Network-Level Authentication (NLA) Disabled",
 "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474",
@@ -11738,7 +11483,7 @@
 "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Execution via Windows Subsystem for Linux",
 "sha256": "86c73ee5160e7e68a9e03ca44a7191655b1ab3644edf3c7468b433eb42722f54",
@@ -11791,7 +11536,7 @@
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
 "sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75",
@@ -11820,7 +11565,7 @@
 "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Suspicious Execution from INET Cache",
 "sha256": "6890ee7e9f98fd62cb7e5660852cebcf2ec9c6a367072ae8b1660ee40eca75da",
@@ -11843,7 +11588,7 @@
 "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Attempt to Install Kali Linux via WSL",
 "sha256": "7209db8e30fa81579cc3b28f823b3efc3f48863b31868b2c52ccee2a937887bd",
@@ -11878,7 +11623,7 @@
 "ddab1f5f-7089-44f5-9fda-de5b11322e77": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "NullSessionPipe Registry Modification",
 "sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2",
@@ -11908,7 +11653,7 @@
 "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Unusual Child Process from a System Virtual Process",
 "sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8",
@@ -11949,7 +11694,7 @@
 "df197323-72a8-46a9-a08e-3f5b04a4a97a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows User Calling the Metadata Service",
 "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e",
@@ -11996,7 +11741,7 @@
 "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 102,
 "rule_name": "Potential privilege escalation via CVE-2022-38028",
 "sha256": "be7d0516427d16d13075a9c6cbeb259c965436b814a3a00c02a5a879e239aaaa",
@@ -12031,7 +11776,7 @@
 "e052c845-48d0-4f46-8a13-7d0aba05df82": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "KRBTGT Delegation Backdoor",
 "sha256": "5b56188233f9c0e6251065b18ac9a7d80ebd1b7cd9a55d4dfbc2fa8735b403cc",
@@ -12047,7 +11792,7 @@
 "e0881d20-54ac-457f-8733-fe0bc5d44c55": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "System Service Discovery through built-in Windows Utilities",
 "sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e",
@@ -12063,7 +11808,7 @@
 "e08ccd49-0380-4b2b-8d71-8000377d6e49": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 310,
 "rule_name": "Attempts to Brute Force an Okta User Account",
 "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068",
@@ -12133,19 +11878,12 @@
 "e26f042e-c590-4e82-8e05-41e81bd822ad": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Suspicious .NET Reflection via PowerShell",
 "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
 "type": "query",
 "version": 112
- },
- "8.12": {
- "max_allowable_version": 315,
- "rule_name": "Suspicious .NET Reflection via PowerShell",
- "sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2",
- "type": "query",
- "version": 216
 }
 },
 "rule_name": "Suspicious .NET Reflection via PowerShell",
@@ -12160,7 +11898,6 @@
 "version": 4
 },
 "e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
- "min_stack_version": "8.12",
 "rule_name": "Suspicious pbpaste High Volume Activity",
 "sha256": "a4c8f8bfde8a3b923156ef450b75f64bc7fe03e04671221bd7040e12c3e98c02",
 "type": "eql",
@@ -12181,7 +11918,7 @@
 "e2e0537d-7d8f-4910-a11d-559bcf61295a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
 "sha256": "b9a7b32c3dfb500b067eb62db94be7e669a714213f44475884a5d82188a89576",
@@ -12204,7 +11941,7 @@
 "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
 "sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff",
@@ -12232,7 +11969,7 @@
 "e3343ab9-4245-4715-b344-e11c56b0a47f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Process Activity via Compiled HTML File",
 "sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb",
@@ -12267,7 +12004,7 @@
 "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
 "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e",
@@ -12289,7 +12026,7 @@
 "e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "First Time Seen NewCredentials Logon Process",
 "sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f",
@@ -12305,7 +12042,7 @@
 "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempt to Modify an Okta Network Zone",
 "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3",
@@ -12321,7 +12058,7 @@
 "e4e31051-ee01-4307-a6ee-b21b186958f4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Service Creation via Local Kerberos Authentication",
 "sha256": "b0f8db3df27e01d7b12cdd167287aca6d31dcafc2878624cdfc8971185e9c74d",
@@ -12337,7 +12074,7 @@
 "e514d8cd-ed15-4011-84e2-d15147e059f1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Kerberos Pre-authentication Disabled for User",
 "sha256": "2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03",
@@ -12377,7 +12114,7 @@
 "e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 307,
 "rule_name": "Possible Okta DoS Attack",
 "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e",
@@ -12411,7 +12148,7 @@
 "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 206,
 "rule_name": "Execution of Persistent Suspicious Program",
 "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478",
@@ -12427,7 +12164,7 @@
 "e72f87d0-a70e-4f8d-8443-a6407bc34643": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Suspicious WMI Event Subscription Created",
 "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20",
@@ -12455,7 +12192,7 @@
 "e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Unusual Execution via Microsoft Common Console File",
 "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35",
@@ -12496,7 +12233,7 @@
 "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Service Control Spawned via Script Interpreter",
 "sha256": "23319cac9de2bde953f91039aa5aaf01a9dee132682c44d6c32a15b80a48bc70",
@@ -12512,7 +12249,7 @@
 "e86da94d-e54b-4fb5-b96c-cecff87e8787": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Installation of Security Support Provider",
 "sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7",
@@ -12535,7 +12272,7 @@
 "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Host Files System Changes via Windows Subsystem for Linux",
 "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006",
@@ -12563,7 +12300,7 @@
 "e90ee3af-45fc-432e-a850-4a58cf14a457": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 310,
 "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
 "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4",
@@ -12591,7 +12328,7 @@
 "e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Unusual Executable File Creation by a System Critical Process",
 "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f",
@@ -12644,7 +12381,7 @@
 "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Unusual Process Spawned by a Parent Process",
 "sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879",
@@ -12684,7 +12421,7 @@
 "eb44611f-62a8-4036-a5ef-587098be6c43": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 105,
 "rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
 "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad",
@@ -12700,7 +12437,7 @@
 "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "PowerShell Kerberos Ticket Request",
 "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb",
@@ -12728,7 +12465,7 @@
 "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Mimikatz Memssp Log File Detected",
 "sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140",
@@ -12751,7 +12488,7 @@
 "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "IIS HTTP Logging Disabled",
 "sha256": "1d1a052986ba865ecb1849338b1b869d684513a6631e04cab4c9db4a1eed568f",
@@ -12774,7 +12511,7 @@
 "ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Process Execution from an Unusual Directory",
 "sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce",
@@ -12833,7 +12570,7 @@
 "eda499b8-a073-4e35-9733-22ec71f57f3a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "AdFind Command Activity",
 "sha256": "c46b6502090d25c7bb5161cdb2c5e4487119fface180acbec85cd9f704de19b1",
@@ -12856,7 +12593,7 @@
 "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 308,
 "rule_name": "Attempt to Deactivate an Okta Application",
 "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05",
@@ -12872,7 +12609,7 @@
 "edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "ImageLoad via Windows Update Auto Update Client",
 "sha256": "d9390521fb8ec490fd84fdba1668ebb433862673b898bc446455d90b71cd13a8",
@@ -12901,7 +12638,7 @@
 "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 205,
 "rule_name": "Okta FastPass Phishing Detection",
 "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c",
@@ -12917,7 +12654,7 @@
 "ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Unusual Print Spooler Child Process",
 "sha256": "1c4b115ce0bde803fa63edbabb634df01af0720cabb3012ed329a5031cd7c961",
@@ -12969,7 +12706,7 @@
 "ef862985-3f13-4262-a686-5f357bbb9bc2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Whoami Process Activity",
 "sha256": "85fc0e0d9af73aa5f5fc4dd729db10425c22c61214f864625a235cffcca9c508",
@@ -12991,7 +12728,7 @@
 "f036953a-4615-4707-a1ca-dc53bf69dcd5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Unusual Child Processes of RunDLL32",
 "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe",
@@ -13013,7 +12750,7 @@
 "f06414a6-f2a4-466d-8eba-10f85e8abf71": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 307,
 "rule_name": "Administrator Role Assigned to an Okta User",
 "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6",
@@ -13071,7 +12808,7 @@
 "f243fe39-83a4-46f3-a3b6-707557a102df": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 104,
 "rule_name": "Service Path Modification",
 "sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599",
@@ -13099,7 +12836,7 @@
 "f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "SIP Provider Modification",
 "sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e",
@@ -13122,7 +12859,7 @@
 "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "LSASS Memory Dump Creation",
 "sha256": "7e795307c7ee80d811f2bdbe317f0b5e563dbd232e6ff795ecb0a1f21dd1e2c4",
@@ -13163,7 +12900,7 @@
 "f3475224-b179-4f78-8877-c2bd64c26b88": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "WMI Incoming Lateral Movement",
 "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e",
@@ -13210,7 +12947,7 @@
 "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Persistence via Microsoft Office AddIns",
 "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc",
@@ -13239,7 +12976,7 @@
 "f494c678-3c33-43aa-b169-bb3d5198c41d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 212,
 "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
 "sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d",
@@ -13280,7 +13017,7 @@
 "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Windows Script Executing PowerShell",
 "sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c",
@@ -13309,7 +13046,7 @@
 "f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 107,
 "rule_name": "Rare SMB Connection to the Internet",
 "sha256": "0994ac029d0e0256082d0a61be3696ee4a982af12e3efc1a96d975cb575ce7c2",
@@ -13332,7 +13069,7 @@
 "f5861570-e39a-4b8a-9259-abd39f84cb97": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "WRITEDAC Access on Active Directory Object",
 "sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531",
@@ -13348,7 +13085,7 @@
 "f59668de-caa0-4b84-94c1-3a1549e1e798": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "WMIC Remote Command",
 "sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689",
@@ -13370,7 +13107,7 @@
 "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
 "sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60",
@@ -13398,7 +13135,7 @@
 "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Windows Firewall Disabled via PowerShell",
 "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
@@ -13427,7 +13164,7 @@
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Delete Volume USN Journal with Fsutil",
 "sha256": "405bde7c6d0f3ef9dcfc7e1924b27101ba6c8b94fad77b6398bd191d56a95503",
@@ -13492,7 +13229,7 @@
 "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Persistent Scripts in the Startup Directory",
 "sha256": "3e8f291e2a3c067b9b355896116b130d4aea64f67e03fe8b2c4551ddfb9c83ac",
@@ -13521,7 +13258,7 @@
 "f81ee52c-297e-46d9-9205-07e66931df26": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
 "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec",
@@ -13556,7 +13293,7 @@
 "f874315d-5188-4b4a-8521-d1c73093a7e4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 211,
 "rule_name": "Modification of AmsiEnable Registry Key",
 "sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd",
@@ -13579,7 +13316,7 @@
 "f8822053-a5d2-46db-8c96-d460b12c36ac": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 103,
 "rule_name": "Potential Active Directory Replication Account Backdoor",
 "sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03",
@@ -13595,7 +13332,7 @@
 "f909075d-afc7-42d7-b399-600b94352fd9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
 "sha256": "d8dfe4f7a77d80cdf2454af910950a75588c1c7ad2eb770140cdf8c992dcf6ea",
@@ -13609,16 +13346,6 @@
 "version": 101
 },
 "f94e898e-94f1-4545-8923-03e4b2866211": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
- "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0",
- "type": "new_terms",
- "version": 3
- }
- },
 "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
 "sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737",
 "type": "new_terms",
@@ -13639,7 +13366,7 @@
 "f97504ac-1053-498f-aeaa-c6d01e76b379": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 101,
 "rule_name": "Browser Extension Install",
 "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a",
@@ -13662,7 +13389,7 @@
 "f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 109,
 "rule_name": "Privileged Account Brute Force",
 "sha256": "e5f51f4e2b82a0b05641ba03fe55a1433a719fe509d21bb8023368ef4e81425e",
@@ -13678,7 +13405,7 @@
 "f994964f-6fce-4d75-8e79-e16ccc412588": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 307,
 "rule_name": "Suspicious Activity Reported by Okta User",
 "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b",
@@ -13694,7 +13421,7 @@
 "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Remote File Copy to a Hidden Share",
 "sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca",
@@ -13729,7 +13456,7 @@
 "fa488440-04cc-41d7-9279-539387bf2a17": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 108,
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
 "sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc",
@@ -13764,7 +13491,7 @@
 "fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "Network Connection via Registration Utility",
 "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d",
@@ -13778,16 +13505,6 @@
 "version": 208
 },
 "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "High Number of Cloned GitHub Repos From PAT",
- "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
- "type": "threshold",
- "version": 3
- }
- },
 "rule_name": "High Number of Cloned GitHub Repos From PAT",
 "sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4",
 "type": "threshold",
@@ -13808,7 +13525,7 @@
 "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 208,
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
 "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
@@ -13829,16 +13546,6 @@
 "version": 309
 },
 "fc909baa-fb34-4c46-9691-be276ef4234c": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
- "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf",
- "type": "new_terms",
- "version": 3
- }
- },
 "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
 "sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010",
 "type": "new_terms",
@@ -13851,16 +13558,6 @@
 "version": 3
 },
 "fd01b949-81be-46d5-bcf8-284395d5f56d": {
- "min_stack_version": "8.12",
- "previous": {
- "8.11": {
- "max_allowable_version": 102,
- "rule_name": "GitHub App Deleted",
- "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
- "type": "eql",
- "version": 3
- }
- },
 "rule_name": "GitHub App Deleted",
 "sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7",
 "type": "eql",
@@ -13881,7 +13578,7 @@
 "fd4a992d-6130-4802-9ff8-829b89ae801f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 210,
 "rule_name": "Potential Application Shimming via Sdbinst",
 "sha256": "9f7d06cfbaaf01ad88f6a276c277892a422e7537769e0d96e7070b2598e9ad63",
@@ -13904,7 +13601,7 @@
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious CertUtil Commands",
 "sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c",
@@ -13927,7 +13624,7 @@
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 317,
 "rule_name": "Svchost spawning Cmd",
 "sha256": "e120819a00740e66d735aed46354c8c204941e187fffe5705afac9bc20b2c37f",
@@ -13962,7 +13659,7 @@
 "fddff193-48a3-484d-8d35-90bb3d323a56": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "PowerShell Kerberos Ticket Dump",
 "sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3",
@@ -13978,7 +13675,7 @@
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 106,
 "rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
 "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9",
@@ -13994,7 +13691,7 @@
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 213,
 "rule_name": "Microsoft Windows Defender Tampering",
 "sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada",
@@ -14029,7 +13726,7 @@
 "feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 207,
 "rule_name": "MS Office Macro Security Registry Modifications",
 "sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329",
@@ -14088,7 +13785,7 @@
 "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
 "min_stack_version": "8.14",
 "previous": {
- "8.11": {
+ "8.12": {
 "max_allowable_version": 100,
 "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
 "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py
index edd79e39faa..a303c365ea3 100644
--- a/detection_rules/schemas/__init__.py
+++ b/detection_rules/schemas/__init__.py
@@ -287,6 +287,24 @@ def migrate_to_8_14(version: Version, api_contents: dict) -> dict:
 return strip_additional_properties(version, api_contents)
 
 
+@migrate("8.15")
+def migrate_to_8_15(version: Version, api_contents: dict) -> dict:
+ """Default migration for 8.15."""
+ return strip_additional_properties(version, api_contents)
+
+
+@migrate("8.16")
+def migrate_to_8_16(version: Version, api_contents: dict) -> dict:
+ """Default migration for 8.16."""
+ return strip_additional_properties(version, api_contents)
+
+
+@migrate("8.17")
+def migrate_to_8_17(version: Version, api_contents: dict) -> dict:
+ """Default migration for 8.17."""
+ return strip_additional_properties(version, api_contents)
+
+
 def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict:
 """Downgrade a rule to a target stack version."""
 from ..packaging import current_stack_version
diff --git a/pyproject.toml b/pyproject.toml
index ad459c11c78..654cd85ca30 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.0"
+version = "0.3.1"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
index d0846202bfb..002d067f57f 100644
--- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
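Review bot: `migrate_to_8_15`, `migrate_to_8_16` and `migrate_to_8_17` are copies of `migrate_to_8_14` with only the version string changed, and their docstrings restate the decorator rather than say why these releases need no field-level migration; a maintainer cannot tell whether that is a deliberate statement or a placeholder still to be filled in. A one-line comment above `@migrate("8.15")` such as `# 8.15-8.17: no field-level migration needed; only unknown properties are stripped` (assuming that is the reason — confirm) would settle it. If the `migrate` decorator tolerates it, the three bodies could also share one helper instead of being repeated, but that depends on decorator semantics not visible here. `downgrade` continues outside the hunk.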
@@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml index 70c770e0e3e..a147621f698 100644 --- a/rules/integrations/github/execution_github_app_deleted.toml +++ b/rules/integrations/github/execution_github_app_deleted.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml index 08b5c096605..2fa66f01e28 100644 --- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml +++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml @@ -2,9 +2,7 @@ creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml index 57d22e5c037..3333aed0dcd 100644 --- a/rules/integrations/github/execution_new_github_app_installed.toml +++ b/rules/integrations/github/execution_new_github_app_installed.toml 
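Review bot: Removing `min_stack_version = "8.12.0"` leaves this rule's stack floor implicit, so it becomes whatever the packaging tooling treats as the oldest locked stack; that is only safe if the floor is now 8.12 or higher, which the version-lock hunks above suggest (they drop the `8.11` history for the same GitHub rule IDs) but nothing in this hunk records. The `min_stack_comments` line went with it, so a reader of the rule file alone no longer learns that the GitHub integration had a breaking change at 8.12.0; stating once in the commit description that the floor is now enforced centrally would preserve that context. The same point applies to the other `github` and `rules_building_block` hunks below and to the two macOS jamf rules that drop the equivalent 8.12 comment.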
@@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml index 614e7ade0fc..9e44a6d3a87 100644 --- a/rules/integrations/github/impact_github_repository_deleted.toml +++ b/rules/integrations/github/impact_github_repository_deleted.toml @@ -2,9 +2,7 @@ creation_date = "2023/08/29" integration = ["github"] maturity = "production" -updated_date = "2024/12/03" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml index 124fd92d323..ff3b80f0750 100644 --- a/rules/integrations/github/persistence_github_org_owner_added.toml +++ b/rules/integrations/github/persistence_github_org_owner_added.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml index 79661548925..b2d9060a7f5 100644 --- a/rules/integrations/github/persistence_organization_owner_role_granted.toml +++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml 
@@ -2,9 +2,7 @@ creation_date = "2023/09/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules/macos/credential_access_high_volume_of_pbpaste.toml b/rules/macos/credential_access_high_volume_of_pbpaste.toml index da9ef6501af..47d760866d1 100644 --- a/rules/macos/credential_access_high_volume_of_pbpaste.toml +++ b/rules/macos/credential_access_high_volume_of_pbpaste.toml @@ -2,17 +2,15 @@ creation_date = "2024/09/12" integration = ["endpoint", "jamf_protect"] maturity = "production" -min_stack_comments = "The jamf integration is available for stack versions 8.12 and above" -min_stack_version = "8.12.0" -updated_date = "2024/09/12" +updated_date = "2024/12/09" [transform] [[transform.investigate]] label = "Show events having the same responsible process" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"}, - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string" } ] ] 
@@ -20,24 +18,23 @@ providers = [ label = "Show events having the same parent process" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"}, - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" } ] ] + [rule] author = ["Thijs Xhaflaire"] description = """ -Identifies a high volume of `pbpaste` executions, which may indicate a bash loop continuously collecting clipboard contents, potentially allowing an attacker to harvest user credentials or other sensitive information. +Identifies a high volume of `pbpaste` executions, which may indicate a bash loop continuously collecting clipboard +contents, potentially allowing an attacker to harvest user credentials or other sensitive information. """ from = "now-9m" index = ["logs-jamf_protect*", "logs-endpoint.events.process-*"] language = "eql" license = "Elastic License v2" name = "Suspicious pbpaste High Volume Activity" -references = [ - "https://www.loobins.io/binaries/pbpaste/" -] note = """## Triage and analysis To investigate `pbpaste` activity, focus on determining whether the binary is being used maliciously to collect clipboard data. Follow these steps: @@ -69,6 +66,7 @@ To investigate `pbpaste` activity, focus on determining whether the binary is be By thoroughly investigating these aspects of `pbpaste` activity, you can determine whether this is part of a legitimate process or a potential security threat that needs to be addressed. """ +references = ["https://www.loobins.io/binaries/pbpaste/"] risk_score = 47 rule_id = "e29599ee-d6ad-46a9-9c6a-dc39f361890d" setup = """## Setup 
@@ -96,7 +94,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Jamf Protect", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" type = "eql" @@ -115,7 +113,6 @@ name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" - [rule.threat.tactic] id = "TA0006" name = "Credential Access" diff --git a/rules/macos/privilege_escalation_user_added_to_admin_group.toml b/rules/macos/privilege_escalation_user_added_to_admin_group.toml index 09db6531e56..a6e67c46a4c 100644 --- a/rules/macos/privilege_escalation_user_added_to_admin_group.toml +++ b/rules/macos/privilege_escalation_user_added_to_admin_group.toml 
@@ -2,27 +2,25 @@ creation_date = "2024/09/12" integration = ["jamf_protect"] maturity = "production" -min_stack_comments = "The jamf integration is available for stack versions 8.12 and above" -min_stack_version = "8.12.0" -updated_date = "2024/09/12" +updated_date = "2024/12/09" [transform] [[transform.investigate]] label = "Show events after Privilege Escalation" -relativeFrom = "now" -relativeTo = "now+30m" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" } ] ] +relativeFrom = "now" +relativeTo = "now+30m" [[transform.investigate]] label = "Show events having the same reponsible process" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"}, - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string" } ] ] 
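Review bot: The label `"Show events having the same reponsible process"` on the second `[[transform.investigate]]` block in this hunk is user-facing text with a misspelling that the rewrite of the neighbouring provider lines leaves in place; the sibling pbpaste rule spells it `responsible`. Changing the unchanged line to `label = "Show events having the same responsible process"` while the block is already being touched would keep the two rules consistent.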
@@ -30,26 +28,20 @@ providers = [ label = "Show events having the same parent process" providers = [ [ - {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"}, - {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string"} + { excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" }, + { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" } ] ] + [rule] author = ["Thijs Xhaflaire"] -description = """ -Identifies users being added to the admin group. This could be an indication of privilege -escalation activity. -""" +description = "Identifies users being added to the admin group. This could be an indication of privilege\nescalation activity.\n" from = "now-9m" index = ["logs-jamf_protect*"] language = "eql" license = "Elastic License v2" name = "User Added to the Admin Group" -references = [ - "https://www.loobins.io/binaries/dscl/", - "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/" -] note = """## Triage and analysis To thoroughly investigate the actions that occurred **after a user was elevated to administrator**, it's essential to conduct a search on the Timeline. This allows you to review and understand the sequence of events that followed the elevation, helping to identify any potentially malicious or unauthorized activities that might have taken place. **Analyzing these actions is crucial for maintaining security and ensuring that the elevation was not exploited for harmful purposes.** 
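Review bot: The rewritten `description` turns the `"""` literal into a single basic string with an escaped newline in the middle of a sentence (`privilege\nescalation`) plus a trailing `\n`, while the pbpaste rule in this same change keeps the triple-quoted form and re-wraps at a word boundary; the two files now disagree on how a wrapped description is written, and the embedded `\n` is easy to miss in review. Keeping the multi-line literal with the wrap at a word boundary, as the pbpaste rule does, would keep the rules uniform; the resulting value is identical in both forms. The `note` text continues outside the hunk.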
@@ -67,6 +59,10 @@ $investigate_0 $investigate_1 $investigate_2 """ +references = [ + "https://www.loobins.io/binaries/dscl/", + "https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/", +] risk_score = 21 rule_id = "04e65517-16e9-4fc4-b7f1-94dc21ecea0d" setup = """## Setup diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml index 37de0f6519c..8e86a15d30d 100644 --- a/rules_building_block/execution_github_new_event_action_for_pat.toml +++ b/rules_building_block/execution_github_new_event_action_for_pat.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml index 21b0dea9192..25d5e9b206d 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml index 7a9ad1b8d54..a0033b2f29f 100644 --- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml +++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml 
@@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml index ce5bbee58ce..8c023a636d7 100644 --- a/rules_building_block/execution_github_repo_created.toml +++ b/rules_building_block/execution_github_repo_created.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml index 41e8f17b7c2..97798e99e58 100644 --- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml +++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml index 72a10f4947e..d50c75c9943 100644 --- a/rules_building_block/impact_github_member_removed_from_organization.toml +++ b/rules_building_block/impact_github_member_removed_from_organization.toml 
@@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml index ebe23150035..125bafc4e7a 100644 --- a/rules_building_block/impact_github_pat_access_revoked.toml +++ b/rules_building_block/impact_github_pat_access_revoked.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml index d3ef0921de1..616ee8e05d0 100644 --- a/rules_building_block/impact_github_user_blocked_from_organization.toml +++ b/rules_building_block/impact_github_user_blocked_from_organization.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml index 329431414b5..fd32b329841 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml 
@@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/initial_access_github_new_ip_address_for_user.toml b/rules_building_block/initial_access_github_new_ip_address_for_user.toml index 6c88eb70515..8fb34fae282 100644 --- a/rules_building_block/initial_access_github_new_ip_address_for_user.toml +++ b/rules_building_block/initial_access_github_new_ip_address_for_user.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml index d9f5e827a5a..5c83c4e356c 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/initial_access_github_new_user_agent_for_user.toml b/rules_building_block/initial_access_github_new_user_agent_for_user.toml index 80920b39d18..5f709035392 100644 --- a/rules_building_block/initial_access_github_new_user_agent_for_user.toml +++ b/rules_building_block/initial_access_github_new_user_agent_for_user.toml 
@@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml index 40f71ba31f9..e30e32ef376 100644 --- a/rules_building_block/persistence_github_new_pat_for_user.toml +++ b/rules_building_block/persistence_github_new_pat_for_user.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"] diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml index d8d802bb285..3442fa65025 100644 --- a/rules_building_block/persistence_github_new_user_added_to_organization.toml +++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml @@ -3,9 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/10/11" integration = ["github"] maturity = "production" -updated_date = "2024/11/27" -min_stack_version = "8.12.0" -min_stack_comments = "Breaking change at 8.12.0 for the Github Integration." +updated_date = "2024/12/09" [rule] author = ["Elastic"]