Merge branch 'main' into onweek_research

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.2.0"
+version = "0.2.1"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml

@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/github/execution_github_app_deleted.toml

@@ -2,7 +2,9 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml

@@ -2,7 +2,9 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/github/execution_new_github_app_installed.toml

@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/github/impact_github_repository_deleted.toml

@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/github/persistence_github_org_owner_added.toml

@@ -2,7 +2,9 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/github/persistence_organization_owner_role_granted.toml

@@ -2,7 +2,9 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]

rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml

@@ -2,7 +2,9 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml

@@ -2,9 +2,9 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml

@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml

@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml

@@ -2,7 +2,9 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml

@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml

@@ -2,7 +2,9 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/credential_access_user_impersonation_access.toml

@@ -2,7 +2,9 @@
 creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml

@@ -2,7 +2,9 @@
 creation_date = "2024/09/11"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]

rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]

rules/integrations/okta/impact_possible_okta_dos_attack.toml

@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]