From 5ab756592343f523caa6d9768535d4d81364f173 Mon Sep 17 00:00:00 2001 
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Wed, 27 Nov 2024 18:39:41 +0530
Subject: [PATCH 1/2] Minstack versions for Okta and Github Integration (#4273)
---
 ...se_evasion_github_protected_branch_settings_changed.toml | 4 +++-
 rules/integrations/github/execution_github_app_deleted.toml | 4 +++-
 ...ecution_github_high_number_of_cloned_repos_from_pat.toml | 4 +++-
 .../github/execution_new_github_app_installed.toml | 4 +++-
 .../github/impact_github_repository_deleted.toml | 4 +++-
 .../github/persistence_github_org_owner_added.toml | 4 +++-
 .../github/persistence_organization_owner_role_granted.toml | 4 +++-
 .../credential_access_attempted_bypass_of_okta_mfa.toml | 4 +++-
 ...al_access_attempts_to_brute_force_okta_user_account.toml | 4 +++-
 ...ultiple_auth_events_from_single_device_behind_proxy.toml | 4 +++-
 ...ultiple_device_token_hashes_for_single_okta_session.toml | 6 +++---
 ...uthentication_for_multiple_users_from_single_source.toml | 6 +++---
 ..._for_multiple_users_with_the_same_device_token_hash.toml | 6 +++---
 ...ential_access_okta_brute_force_or_password_spraying.toml | 4 +++-
 ...tial_access_okta_mfa_bombing_via_push_notifications.toml | 4 +++-
 ...s_okta_multiple_device_token_hashes_for_single_user.toml | 6 +++---
 ...ally_successful_okta_bombing_via_push_notifications.toml | 4 +++-
 .../okta/credential_access_user_impersonation_access.toml | 4 +++-
 ...nse_evasion_attempt_to_deactivate_okta_network_zone.toml | 4 +++-
 ...defense_evasion_attempt_to_delete_okta_network_zone.toml | 4 +++-
 ...curence_public_app_client_credential_token_exchange.toml | 4 +++-
 ...ense_evasion_okta_attempt_to_deactivate_okta_policy.toml | 4 +++-
 ...evasion_okta_attempt_to_deactivate_okta_policy_rule.toml | 4 +++-
 .../defense_evasion_okta_attempt_to_delete_okta_policy.toml | 4 +++-
 ...nse_evasion_okta_attempt_to_delete_okta_policy_rule.toml | 4 +++-
 ...se_evasion_okta_attempt_to_modify_okta_network_zone.toml | 4 +++-
 .../defense_evasion_okta_attempt_to_modify_okta_policy.toml | 4 +++-
 ...nse_evasion_okta_attempt_to_modify_okta_policy_rule.toml | 4 +++-
 ...picious_okta_user_password_reset_or_unlock_attempts.toml | 4 +++-
 .../okta/impact_attempt_to_revoke_okta_api_token.toml | 4 +++-
 .../impact_okta_attempt_to_deactivate_okta_application.toml | 4 +++-
 .../impact_okta_attempt_to_delete_okta_application.toml | 4 +++-
 .../impact_okta_attempt_to_modify_okta_application.toml | 4 +++-
 .../integrations/okta/impact_possible_okta_dos_attack.toml | 4 +++-
 ...ess_first_occurrence_user_session_started_via_proxy.toml | 4 +++-
 ...nitial_access_new_authentication_behavior_detection.toml | 4 +++-
 .../okta/initial_access_okta_fastpass_phishing.toml | 4 +++-
 ...tial_access_okta_user_attempted_unauthorized_access.toml | 4 +++-
 ...a_user_sessions_started_from_different_geolocations.toml | 6 +++---
 .../initial_access_sign_in_events_via_third_party_idp.toml | 4 +++-
 ...ccessful_application_sso_from_unknown_client_device.toml | 4 +++-
 ...al_access_suspicious_activity_reported_by_okta_user.toml | 4 +++-
 .../lateral_movement_multiple_sessions_for_single_user.toml | 4 +++-
 .../okta/okta_threatinsight_threat_suspected_promotion.toml | 4 +++-
 ...nce_administrator_privileges_assigned_to_okta_group.toml | 4 +++-
 ...ersistence_administrator_role_assigned_to_okta_user.toml | 4 +++-
 .../okta/persistence_attempt_to_create_okta_api_token.toml | 4 +++-
 ..._attempt_to_reset_mfa_factors_for_okta_user_account.toml | 4 +++-
 .../persistence_mfa_deactivation_with_no_reactivation.toml | 4 +++-
 .../persistence_new_idp_successfully_added_by_admin.toml | 4 +++-
 ...empt_to_modify_or_delete_application_sign_on_policy.toml | 4 +++-
 ...tials_used_to_login_to_okta_account_after_mfa_reset.toml | 4 +++-
 .../execution_github_new_event_action_for_pat.toml | 4 +++-
 .../execution_github_new_repo_interaction_for_pat.toml | 4 +++-
 .../execution_github_new_repo_interaction_for_user.toml | 4 +++-
 rules_building_block/execution_github_repo_created.toml | 4 +++-
 .../execution_github_repo_interaction_from_new_ip.toml | 4 +++-
 .../impact_github_member_removed_from_organization.toml | 4 +++-
 rules_building_block/impact_github_pat_access_revoked.toml | 4 +++-
 .../impact_github_user_blocked_from_organization.toml | 4 +++-
 .../initial_access_github_new_ip_address_for_pat.toml | 4 +++-
 .../initial_access_github_new_ip_address_for_user.toml | 4 +++-
 .../initial_access_github_new_user_agent_for_pat.toml | 4 +++-
 .../initial_access_github_new_user_agent_for_user.toml | 4 +++-
 .../persistence_github_new_pat_for_user.toml | 4 +++-
 .../persistence_github_new_user_added_to_organization.toml | 4 +++-
 66 files changed, 198 insertions(+), 76 deletions(-)
diff --git a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
index d85163a5c79..d0846202bfb 100644
--- a/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+++ b/rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
index b49bc9b3389..70c770e0e3e 100644
--- a/rules/integrations/github/execution_github_app_deleted.toml
+++ b/rules/integrations/github/execution_github_app_deleted.toml
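Review bot: The two added keys are placed after `updated_date`, whereas the rule files in this same patch that already carry them list `min_stack_comments`, `min_stack_version`, `updated_date` in alphabetical order; I would reorder the three lines the same way in the `defense_evasion_github_protected_branch_settings_changed.toml` hunk (and the other GitHub hunks) so every `[metadata]` block reads identically and a later formatting pass produces no noise. The added `min_stack_comments` only records that a breaking change exists, not what it was, so nobody reading the file later can judge whether `8.12.0` is still the right floor; I would spell it out, along the lines of `min_stack_comments = "Github integration field/mapping change at 8.12.0; the rule query depends on the new schema."`, adjusted to whatever the actual change was, which is not visible in this patch. Raising the floor also removes these detections from any stack below 8.12.0, which is a coverage regression worth stating explicitly in the PR description.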
@@ -2,7 +2,9 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
index 85da5ced62c..08b5c096605 100644
--- a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/execution_new_github_app_installed.toml b/rules/integrations/github/execution_new_github_app_installed.toml
index 8d63b58be15..57d22e5c037 100644
--- a/rules/integrations/github/execution_new_github_app_installed.toml
+++ b/rules/integrations/github/execution_new_github_app_installed.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml
index c75c9c689d8..287db18a7c2 100644
--- a/rules/integrations/github/impact_github_repository_deleted.toml
+++ b/rules/integrations/github/impact_github_repository_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/08/29"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
index df89d4bd008..124fd92d323 100644
--- a/rules/integrations/github/persistence_github_org_owner_added.toml
+++ b/rules/integrations/github/persistence_github_org_owner_added.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml
index 7c31e52610b..79661548925 100644
--- a/rules/integrations/github/persistence_organization_owner_role_granted.toml
+++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/09/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index de5419e0527..25f813764a4 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 4f0f19a9584..41fc653de0f 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
index e27551037a9..4720f87e525 100644
--- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
+++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
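Review bot: In the `credential_access_attempted_bypass_of_okta_mfa.toml` hunk the new `min_stack_comments` gives the version of the breaking change but not its nature, so the only way to later verify that `8.14.0` is the correct floor (or to lower it once the rule is adapted) is to dig through integration history; I would name the field or mapping that changed, e.g. `min_stack_comments = "Okta integration schema change at 8.14.0; rule query depends on the new field names."`, adjusted to the actual change, which this patch does not show. The same one-line comment is pasted into every Okta hunk, so fixing the wording once and applying it uniformly is cheap. Since these are MFA-bypass and brute-force detections, gating them to 8.14.0+ silently removes high-value identity coverage from any older stack, and that trade-off deserves a sentence in the PR description.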
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
index c52290412dc..85a526210bf 100644
--- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
+++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
index 76b585c314f..60db47af6d3 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
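Review bot: Replacing the `min_stack_comments` text in the `credential_access_multiple_device_token_hashes_for_single_okta_session.toml` hunk drops the record that this rule's ES|QL type needs 8.13.0 or later; the new 8.14.0 floor still satisfies that, but the file no longer says so, so a later relaxation of the Okta constraint could move the floor below 8.13.0 without anyone noticing the second dependency. I would keep both reasons in the one string: `min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration; ES|QL rule type requires 8.13.0+."`. The other `-2,9 +2,9` hunks in this patch make the same replacement and would want the same treatment.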
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
index 08f58a55a2b..516d6309b77 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index c1bfee11024..a221d291841 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index fc158cefe1d..71c0ac2de36 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
index a97c25ddfda..58407a95f08 100644
--- a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
+++ b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/11/27"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
index f65e4fc0c33..9dffe4995e6 100644
--- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index 5b1c06e5083..e10764d06e5 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index ea048dfbf97..a393b4768d0 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index a89e190f88e..3c7dc064394 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
index ce3bbd28b07..1bcd9cf4991 100644
--- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
+++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/09/11"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index 30acf1a49fc..66bba3713e4 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index b50418ba1d3..34e3219b7d6 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index 063a09b170a..05dafd11bad 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index ecdabb2216b..55872118829 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 6ee1d50fa0e..2dd141efcc8 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index b485eec0644..981b9cb1840 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index f541558e588..3c5a20608a0 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 92eed04d461..5f1998261a0 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index e21246c5d59..d2646e6596f 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index 0d2319adf1b..82bd4f14fc3 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index b18b13630c4..58a590154ed 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 8a3a84e7743..5b7b92872dd 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index e85d110991a..7864c704eb2 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index 8fc9d03cae8..f68d2784119 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
index 7623ecd5c1a..ac5998271b5 100644
--- a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
+++ b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
index 066c2b4a762..f3b4e496633 100644
--- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
+++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/05/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 47a853e214f..6c45202679d 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/14"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
index 5f42304c76f..f9efde51504 100644
--- a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
+++ b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
@@ -2,9 +2,9 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
-min_stack_version = "8.13.0"
-updated_date = "2024/10/09"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
+min_stack_version = "8.14.0"
+updated_date = "2024/11/27"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index c127cd0f9e8..bf4051a5f23 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
index acb2a434d9b..0cd943dc369 100644
--- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
+++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/10/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/10/07"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
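Review bot: The rewritten `min_stack_comments` in the first hunk drops the only record of why this rule ever needed a stack floor — the removed line said the ES|QL rule type was a technical preview until 8.13.0 — and replaces it with the Okta-integration rationale alone, so a later reader who sees only `esql` and `8.14.0` cannot tell whether lowering the floor would be safe. The 8.14.0 floor subsumes the 8.13.0 one, so the version value is fine; the comment should carry both reasons, e.g. `min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration; ES|QL rule type requires 8.13.0+."`. As a point of style, this file keeps the `[metadata]` keys sorted (`min_stack_comments`, `min_stack_version`, `updated_date`) while every other Okta and GitHub hunk in this patch appends `min_stack_version` and `min_stack_comments` after `updated_date`; picking one order across the rule set would avoid churn if a formatter later sorts these keys.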
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 272dfd211b4..296376af7ba 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index 33289094cca..e12e60de510 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
index b90248f519e..795b1d799f2 100644
--- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
+++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
@@ -3,7 +3,9 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
 promotion = true
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 9b1bc5e9e8a..5347d0411a6 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 2631bf2930f..84a97457a26 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index 2996475c434..e7e70c32b17 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 3a6ad0886e2..a07e9b1a236 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
index fc99f499c39..096f3a12b77 100644
--- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/10/09"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
index 075937b532d..de6588f3a8c 100644
--- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
+++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index e437c4fd7cd..428a0f1902f 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/01"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index 07ead8b7c05..e44251b069c 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
@@ -2,7 +2,9 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/27"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Okta Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml
index cc3256581ed..37de0f6519c 100644
--- a/rules_building_block/execution_github_new_event_action_for_pat.toml
+++ b/rules_building_block/execution_github_new_event_action_for_pat.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
index f8c429ed7cb..21b0dea9192 100644
--- a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
+++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
index eeb3716928a..7a9ad1b8d54 100644
--- a/rules_building_block/execution_github_new_repo_interaction_for_user.toml
+++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml
index e8232137bfa..ce5bbee58ce 100644
--- a/rules_building_block/execution_github_repo_created.toml
+++ b/rules_building_block/execution_github_repo_created.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
index 52daf9d6e29..41e8f17b7c2 100644
--- a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
+++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml
index 9b6f36d684b..72a10f4947e 100644
--- a/rules_building_block/impact_github_member_removed_from_organization.toml
+++ b/rules_building_block/impact_github_member_removed_from_organization.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml
index 40804acb163..ebe23150035 100644
--- a/rules_building_block/impact_github_pat_access_revoked.toml
+++ b/rules_building_block/impact_github_pat_access_revoked.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml
index 01bce32d75a..d3ef0921de1 100644
--- a/rules_building_block/impact_github_user_blocked_from_organization.toml
+++ b/rules_building_block/impact_github_user_blocked_from_organization.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
index 85b7086c02e..329431414b5 100644
--- a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
+++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_user.toml b/rules_building_block/initial_access_github_new_ip_address_for_user.toml
index 25ef2800c7d..6c88eb70515 100644
--- a/rules_building_block/initial_access_github_new_ip_address_for_user.toml
+++ b/rules_building_block/initial_access_github_new_ip_address_for_user.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
index b473839076e..d9f5e827a5a 100644
--- a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
+++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_user.toml b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
index 8463648e69e..80920b39d18 100644
--- a/rules_building_block/initial_access_github_new_user_agent_for_user.toml
+++ b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml
index a7cfbd7e476..40f71ba31f9 100644
--- a/rules_building_block/persistence_github_new_pat_for_user.toml
+++ b/rules_building_block/persistence_github_new_pat_for_user.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]
diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml
index 6de318f9160..d8d802bb285 100644
--- a/rules_building_block/persistence_github_new_user_added_to_organization.toml
+++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2023/10/11"
 integration = ["github"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/11/27"
+min_stack_version = "8.12.0"
+min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
 [rule]
 author = ["Elastic"]

From 86cc61c233c385064c4f16c0c88d2d9521c5dbdb Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 27 Nov 2024 09:34:54 -0500
Subject: [PATCH 2/2] Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4274)

* Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16

* Update detection_rules/etc/version.lock.json

* Update Patch version for version lock changes

---------

Co-authored-by: shashank-elastic
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S
---
 detection_rules/etc/version.lock.json | 807 +++++++++++++++++++++++---
 pyproject.toml                        |   2 +-
 2 files changed, 733 insertions(+), 76 deletions(-)

diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 03447aac79e..6731bd55b43 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -1,9 +1,19 @@
 { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", + "type": "query", + "version": 210 + } + }, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a", "type": "query", - "version": 209 + "version": 310 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.14",
@@ -76,10 +86,20 @@ "version": 7 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", + "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28", "type": "new_terms", - "version": 2 + "version": 103 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.14", @@ -98,10 +118,20 @@ "version": 207 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", + "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e", "type": "new_terms", - "version": 2 + "version": 103 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", @@ -411,10 +441,20 @@ "version": 312 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "GitHub Protected Branch Settings Changed", + "sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333", + "type": "eql", + "version": 5 + } + }, "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91", "type": "eql", - "version": 4 + "version": 105 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", 
@@ -517,10 +557,20 @@ "version": 110 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "Member Removed From GitHub Organization", + "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", + "type": "eql", + "version": 3 + } + }, "rule_name": "Member Removed From GitHub Organization", "sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7", "type": "eql", - "version": 2 + "version": 103 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", @@ -720,10 +770,20 @@ "version": 111 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", + "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce", "type": "new_terms", - "version": 2 + "version": 103 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "SharePoint Malware File Upload", 
@@ -1136,10 +1196,20 @@ "version": 311 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "Successful Application SSO from Rare Unknown Client Device", + "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b", "type": "new_terms", - "version": 2 + "version": 103 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", @@ -1571,10 +1641,20 @@ "version": 102 }, "1ca62f14-4787-4913-b7af-df11745a49da": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "New GitHub App Installed", + "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", + "type": "eql", + "version": 3 + } + }, "rule_name": "New GitHub App Installed", "sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec", "type": "eql", - "version": 2 + "version": 103 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.14", @@ -1593,10 +1673,20 @@ "version": 208 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "Okta Sign-In Events via Third-Party IdP", + "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e", + "type": "query", + "version": 5 + } + }, "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3", "type": "query", - "version": 4 + "version": 105 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.14", 
@@ -1755,10 +1845,20 @@ "version": 106 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", + "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b", "type": "new_terms", - "version": 2 + "version": 103 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", @@ -2025,17 +2125,36 @@ "version": 3 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", + "previous": { + "8.13": { + "max_allowable_version": 102, + "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", + "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "type": "esql", + "version": 3 + } + }, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", "type": "esql", - "version": 3 + "version": 103 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "New GitHub Owner Added", + "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", + "type": "eql", + "version": 5 + } + }, "rule_name": "New GitHub Owner Added", "sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6", "type": "eql", - "version": 4 + "version": 105 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.14", 
@@ -2095,10 +2214,20 @@ "version": 1 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "New Okta Authentication Behavior Detected", + "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", + "type": "query", + "version": 5 + } + }, "rule_name": "New Okta Authentication Behavior Detected", "sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76", "type": "query", - "version": 4 + "version": 105 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", @@ -2411,10 +2540,20 @@ "version": 415 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "New Okta Identity Provider (IdP) Added by Admin", + "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", + "type": "query", + "version": 4 + } + }, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211", "type": "query", - "version": 3 + "version": 104 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", @@ -2660,7 +2799,7 @@ "version": 105 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", "previous": { "8.11": { "max_allowable_version": 100, 
@@ -2668,12 +2807,19 @@ "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", "type": "threshold", "version": 1 + }, + "8.13": { + "max_allowable_version": 202, + "rule_name": "Okta User Sessions Started from Different Geolocations", + "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "type": "esql", + "version": 103 } }, "rule_name": "Okta User Sessions Started from Different Geolocations", "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", "type": "esql", - "version": 103 + "version": 203 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", @@ -2938,10 +3084,20 @@ "version": 1 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 101, + "rule_name": "GitHub Repository Deleted", + "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", + "type": "eql", + "version": 2 + } + }, "rule_name": "GitHub Repository Deleted", "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", "type": "eql", - "version": 2 + "version": 102 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", @@ -3104,10 +3260,20 @@ "version": 206 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Attempted Bypass of Okta MFA", + "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", + "type": "query", + "version": 210 + } + }, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146", "type": "query", - "version": 209 + "version": 310 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.14", 
@@ -3260,10 +3426,20 @@ "version": 103 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of IP Address For GitHub User", + "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54", "type": "new_terms", - "version": 2 + "version": 103 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", @@ -3526,10 +3702,20 @@ "version": 107 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "GitHub User Blocked From Organization", + "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", + "type": "eql", + "version": 3 + } + }, "rule_name": "GitHub User Blocked From Organization", "sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e", "type": "eql", - "version": 2 + "version": 103 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.14", @@ -3590,10 +3776,20 @@ "version": 313 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of User-Agent For a GitHub User", + "sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952", "type": "new_terms", - "version": 2 + "version": 103 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "EggShell Backdoor Execution", 
@@ -3627,10 +3823,20 @@ "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 310, + "rule_name": "Okta Brute Force or Password Spraying Attack", + "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8", + "type": "threshold", + "version": 211 + } + }, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669", "type": "threshold", - "version": 210 + "version": 311 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "min_stack_version": "8.14", @@ -4191,10 +4397,20 @@ "version": 209 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Unauthorized Access to an Okta Application", + "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", + "type": "query", + "version": 209 + } + }, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd", "type": "query", - "version": 208 + "version": 309 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "min_stack_version": "8.13", @@ -4227,10 +4443,20 @@ "version": 313 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", + "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", + "type": "threshold", + "version": 5 + } + }, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408", "type": "threshold", - "version": 4 + "version": 105 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", 
@@ -4577,10 +4803,20 @@ "version": 107 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", + "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", + "type": "eql", + "version": 4 + } + }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00", "type": "eql", - "version": 3 + "version": 104 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", @@ -5191,10 +5427,20 @@ "version": 208 }, "61336fe6-c043-4743-ab6e-41292f439603": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "New User Added To GitHub Organization", + "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", + "type": "eql", + "version": 3 + } + }, "rule_name": "New User Added To GitHub Organization", "sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4", "type": "eql", - "version": 2 + "version": 103 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "min_stack_version": "8.14", 
@@ -5258,11 +5504,21 @@ "version": 212 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { - "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff", - "type": "threshold", - "version": 4 - }, + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "Multiple Okta Sessions Detected for a Single User", + "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", + "type": "threshold", + "version": 5 + } + }, + "rule_name": "Multiple Okta Sessions Detected for a Single User", + "sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff", + "type": "threshold", + "version": 105 + }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.14", "previous": { @@ -5425,10 +5681,20 @@ "version": 6 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", + "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", + "type": "new_terms", + "version": 4 + } + }, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d", "type": "new_terms", - "version": 3 + "version": 104 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.14", 
@@ -5487,10 +5753,20 @@ "version": 113 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876", "type": "query", - "version": 208 + "version": 309 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "O365 Mailbox Audit Logging Bypass", @@ -5499,10 +5775,20 @@ "version": 206 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7", "type": "query", - "version": 208 + "version": 309 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", @@ -5552,10 +5838,20 @@ "version": 207 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Okta ThreatInsight Threat Suspected Promotion", + "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", + "type": "query", + "version": 208 + } + }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac", "type": "query", - "version": 207 + "version": 308 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.14", 
@@ -5816,10 +6112,20 @@ "version": 308 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "GitHub Repo Created", + "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", + "type": "eql", + "version": 3 + } + }, "rule_name": "GitHub Repo Created", "sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126", "type": "eql", - "version": 2 + "version": 103 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.14", @@ -5970,10 +6276,20 @@ "version": 100 }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "First Occurrence of Okta User Session Started via Proxy", + "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", + "type": "new_terms", + "version": 4 + } + }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9", "type": "new_terms", - "version": 3 + "version": 104 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", @@ -6104,10 +6420,20 @@ "version": 3 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff", "type": "query", - "version": 208 + "version": 309 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", 
@@ -7084,16 +7410,36 @@ "version": 6 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, + "rule_name": "Potential Okta MFA Bombing via Push Notifications", + "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", + "type": "eql", + "version": 6 + } + }, "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d", "type": "eql", - "version": 5 + "version": 106 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "GitHub PAT Access Revoked", + "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", + "type": "eql", + "version": 3 + } + }, "rule_name": "GitHub PAT Access Revoked", "sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5", "type": "eql", - "version": 2 + "version": 103 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", @@ -7118,10 +7464,20 @@ "version": 208 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3", "type": "query", - "version": 208 + "version": 309 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -7595,11 +7951,20 @@ "version": 210 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", + "previous": { + "8.13": { + "max_allowable_version": 102, + "rule_name": "Multiple Okta User Authentication Events with Client Address", + "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "type": "esql", + "version": 3 + } + }, "rule_name": "Multiple Okta User Authentication Events with Client Address", "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", "type": "esql", - "version": 3 + "version": 103 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", @@ -7656,11 +8021,26 @@ "version": 210 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", + "previous": { + "8.13": { + "max_allowable_version": 102, + "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", + "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "type": "esql", + "version": 3 + } + }, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", "type": "esql", - "version": 3 + "version": 103 + }, + "962a71ae-aac9-11ef-9348-f661ea17fbce": { + "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", + "sha256": "85feced66a2d2b2c88a257f2aa26916b9bff95d08871035e142b35191149d8cd", + "type": "new_terms", + "version": 1 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", 
@@ -7675,10 +8055,20 @@ "version": 112 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Attempt to Create Okta API Token", + "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", + "type": "query", + "version": 208 + } + }, "rule_name": "Attempt to Create Okta API Token", "sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19", "type": "query", - "version": 207 + "version": 308 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", @@ -7733,10 +8123,20 @@ "version": 207 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 311, + "rule_name": "Potentially Successful MFA Bombing via Push Notifications", + "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", + "type": "eql", + "version": 212 + } + }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286", "type": "eql", - "version": 211 + "version": 312 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.14", @@ -7971,10 +8371,20 @@ "version": 4 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "GitHub Owner Role Granted To User", + "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", + "type": "eql", + "version": 5 + } + }, "rule_name": "GitHub Owner Role Granted To User", "sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68", "type": "eql", - "version": 4 + "version": 105 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.14", 
@@ -9201,10 +9611,20 @@ "version": 105 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9", "type": "query", - "version": 208 + "version": 309 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", @@ -9332,10 +9752,20 @@ "version": 103 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Deactivate an Okta Policy", + "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48", "type": "query", - "version": 208 + "version": 309 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", @@ -9344,10 +9774,20 @@ "version": 3 }, "b8075894-0b62-46e5-977c-31275da34419": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Administrator Privileges Assigned to an Okta Group", + "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", + "type": "query", + "version": 208 + } + }, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff", "type": "query", - "version": 207 + "version": 308 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", 
@@ -10221,16 +10661,36 @@ "version": 2 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Delete an Okta Network Zone", + "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9", "type": "query", - "version": 208 + "version": 309 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Attempt to Modify an Okta Application", + "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", + "type": "query", + "version": 208 + } + }, "rule_name": "Attempt to Modify an Okta Application", "sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010", "type": "query", - "version": 207 + "version": 308 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", @@ -10431,7 +10891,7 @@ "version": 106 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", "previous": { "8.11": { "max_allowable_version": 101, 
@@ -10439,12 +10899,19 @@ "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5", "type": "threshold", "version": 2 + }, + "8.13": { + "max_allowable_version": 203, + "rule_name": "Multiple Device Token Hashes for Single Okta Session", + "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "type": "esql", + "version": 104 } }, "rule_name": "Multiple Device Token Hashes for Single Okta Session", "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", "type": "esql", - "version": 104 + "version": 204 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", @@ -10465,10 +10932,20 @@ "version": 104 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Attempt to Deactivate an Okta Policy Rule", + "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", + "type": "query", + "version": 210 + } + }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e", "type": "query", - "version": 209 + "version": 310 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", 
@@ -10477,10 +10954,20 @@ "version": 105 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", + "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c", + "type": "query", + "version": 209 + } + }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4", "type": "query", - "version": 208 + "version": 309 }, "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { "rule_name": "Socat Process Activity", @@ -10507,16 +10994,36 @@ "version": 3 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 310, + "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", + "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31", + "type": "eql", + "version": 211 + } + }, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857", "type": "eql", - "version": 210 + "version": 311 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Okta User Session Impersonation", + "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7", + "type": "query", + "version": 210 + } + }, "rule_name": "Okta User Session Impersonation", "sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4", "type": "query", - "version": 209 + "version": 310 }, "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.14", 
@@ -10548,10 +11055,20 @@ "version": 2 }, "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", + "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14", "type": "new_terms", - "version": 2 + "version": 103 }, "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.14", @@ -10808,10 +11325,20 @@ "version": 1 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Attempt to Delete an Okta Application", + "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb", + "type": "query", + "version": 208 + } + }, "rule_name": "Attempt to Delete an Okta Application", "sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d", "type": "query", - "version": 207 + "version": 308 }, "d49cc73f-7a16-4def-89ce-9fc7127d7820": { "rule_name": "Web Application Suspicious Activity: sqlmap User Agent", @@ -10873,10 +11400,20 @@ "version": 308 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Delete an Okta Policy Rule", + "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2", "type": "query", - "version": 208 + "version": 309 }, "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": { "min_stack_version": "8.14", 
@@ -11524,10 +12061,20 @@ "version": 109 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 310, + "rule_name": "Attempts to Brute Force an Okta User Account", + "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068", + "type": "threshold", + "version": 211 + } + }, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238", "type": "threshold", - "version": 210 + "version": 311 }, "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": { "rule_name": "Potentially Suspicious Process Started via tmux or screen", @@ -11756,10 +12303,20 @@ "version": 105 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Modify an Okta Network Zone", + "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5", "type": "query", - "version": 208 + "version": 309 }, "e4e31051-ee01-4307-a6ee-b21b186958f4": { "min_stack_version": "8.14", @@ -11818,10 +12375,20 @@ "version": 107 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Possible Okta DoS Attack", + "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e", + "type": "query", + "version": 208 + } + }, "rule_name": "Possible Okta DoS Attack", "sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579", "type": "query", - "version": 207 + "version": 308 }, "e6e8912f-283f-4d0d-8442-e0dcaf49944b": { "rule_name": "Screensaver Plist File Modified by Unexpected Process", 
@@ -11994,10 +12561,20 @@ "version": 107 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 310, + "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", + "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4", + "type": "threshold", + "version": 211 + } + }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425", "type": "threshold", - "version": 210 + "version": 311 }, "e919611d-6b6f-493b-8314-7ed6ac2e413b": { "rule_name": "AWS EC2 VM Export Failure", @@ -12277,10 +12854,20 @@ "version": 314 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Deactivate an Okta Application", + "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a", "type": "query", - "version": 208 + "version": 309 }, "edf8ee23-5ea7-4123-ba19-56b41e424ae3": { "min_stack_version": "8.14", @@ -12312,10 +12899,20 @@ "version": 6 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 205, + "rule_name": "Okta FastPass Phishing Detection", + "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c", + "type": "query", + "version": 106 + } + }, "rule_name": "Okta FastPass Phishing Detection", "sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54", "type": "query", - "version": 105 + "version": 206 }, "ee5300a7-7e31-4a72-a258-250abb8b3aa1": { "min_stack_version": "8.14", 
@@ -12414,10 +13011,20 @@ "version": 108 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Administrator Role Assigned to an Okta User", + "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6", + "type": "query", + "version": 208 + } + }, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1", "type": "query", - "version": 207 + "version": 308 }, "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": { "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", @@ -13002,10 +13609,20 @@ "version": 101 }, "f94e898e-94f1-4545-8923-03e4b2866211": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", + "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737", "type": "new_terms", - "version": 2 + "version": 103 }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux Network Configuration Discovery", 
@@ -13059,10 +13676,20 @@ "version": 110 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Suspicious Activity Reported by Okta User", + "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b", + "type": "query", + "version": 208 + } + }, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317", "type": "query", - "version": 207 + "version": 308 }, "fa01341d-6662-426b-9d0c-6d81e33c8a9d": { "min_stack_version": "8.14", @@ -13151,10 +13778,20 @@ "version": 208 }, "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "High Number of Cloned GitHub Repos From PAT", + "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234", + "type": "threshold", + "version": 3 + } + }, "rule_name": "High Number of Cloned GitHub Repos From PAT", "sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4", "type": "threshold", - "version": 2 + "version": 103 }, "fb9937ce-7e21-46bf-831d-1ad96eac674d": { "rule_name": "Auditd Max Failed Login Attempts", @@ -13192,10 +13829,20 @@ "version": 309 }, "fc909baa-fb34-4c46-9691-be276ef4234c": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", + "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010", "type": "new_terms", - "version": 2 + "version": 103 }, "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { "rule_name": "User or Group Creation/Modification", 
@@ -13204,10 +13851,20 @@ "version": 3 }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "GitHub App Deleted", + "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960", + "type": "eql", + "version": 3 + } + }, "rule_name": "GitHub App Deleted", "sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7", "type": "eql", - "version": 2 + "version": 103 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
diff --git a/pyproject.toml b/pyproject.toml
index ffa859a282f..6e8a158f2e7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.2.0"
+version = "0.2.1"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"