diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml
index 0a3ef9750ee..8fb71559133 100644
--- a/.github/workflows/lock-versions.yml
+++ b/.github/workflows/lock-versions.yml
@@ -6,7 +6,7 @@ on:
 description: 'List of branches to lock versions (ordered, comma separated)'
 required: true
 # 7.17 was intentionally skipped because it was added late and was bug fix only
- default: '8.10,8.11,8.12,8.13,8.14,8.15'
+ default: '8.11,8.12,8.13,8.14,8.15,8.16'
 
 jobs:
 pr:
diff --git a/detection_rules/etc/api_schemas/8.16/8.16.base.json b/detection_rules/etc/api_schemas/8.16/8.16.base.json
new file mode 100644
index 00000000000..23138b13640
--- /dev/null
+++ b/detection_rules/etc/api_schemas/8.16/8.16.base.json
@@ -0,0 +1,412 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + 
"description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, 
+ "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + 
"required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.16/8.16.eql.json b/detection_rules/etc/api_schemas/8.16/8.16.eql.json new file mode 100644 index 00000000000..30f489eed55 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.16/8.16.eql.json 
@@ -0,0 +1,490 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + 
"interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + 
"minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { 
+ "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.16/8.16.esql.json b/detection_rules/etc/api_schemas/8.16/8.16.esql.json new file mode 100644 index 00000000000..b3e42f35b45 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.16/8.16.esql.json 
@@ -0,0 +1,478 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + 
"additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + 
"type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.16/8.16.machine_learning.json b/detection_rules/etc/api_schemas/8.16/8.16.machine_learning.json new file mode 100644 index 00000000000..7b1b42c2223 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.16/8.16.machine_learning.json 
@@ -0,0 +1,476 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": 
false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + 
"properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.16/8.16.new_terms.json b/detection_rules/etc/api_schemas/8.16/8.16.new_terms.json new file mode 100644 index 00000000000..c0d7d437f87 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.16/8.16.new_terms.json 
@@ -0,0 +1,533 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" 
+ }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + 
"additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ 
No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.16/8.16.query.json b/detection_rules/etc/api_schemas/8.16/8.16.query.json new file mode 100644 index 00000000000..408c8bbb9dd --- /dev/null +++ b/detection_rules/etc/api_schemas/8.16/8.16.query.json 
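Review bot: `risk_score` is emitted with `"description": "MaxSignals"` (the entry just after `revision`), which is the label of a different field with different bounds — `risk_score` here is capped at `"maximum": 100` while `max_signals` only has a minimum — so a reader of the schema is told the wrong type name. The empty `enumNames` arrays and `min_compat` keys suggest this file is generator output, in which case the fix belongs in whatever source type produces the `risk_score` description; the same mislabel recurs in the other 8.16 schemas added by this commit. The nearby `alert_suppression.duration.value` description is also misspelled as `AlertSupressionValue`. Suggested corrected output for the risk score entry: `"description": "RiskScore"`.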
@@ -0,0 +1,482 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + 
}, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + 
"additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.16/8.16.threat_match.json b/detection_rules/etc/api_schemas/8.16/8.16.threat_match.json new file mode 100644 index 00000000000..f10aa0d859e --- /dev/null +++ b/detection_rules/etc/api_schemas/8.16/8.16.threat_match.json 
@@ -0,0 +1,573 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "items_per_search": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + 
"min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + 
"type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + 
"description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.16/8.16.threshold.json b/detection_rules/etc/api_schemas/8.16/8.16.threshold.json new file mode 100644 index 00000000000..58469621412 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.16/8.16.threshold.json 
@@ -0,0 +1,508 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + } + }, + "required": [ + "duration" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + 
}, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "revision": { + "min_compat": "8.8", + "type": "integer" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", 
+ "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "field": { + "description": "CardinalityFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + }, + "version": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json index c0457fa8f87..7319f76f84f 100644 --- a/detection_rules/etc/attack-technique-redirects.json +++ b/detection_rules/etc/attack-technique-redirects.json @@ -132,5 +132,5 @@ "T1536": "T1578.004", "T1547.011": "T1647" }, - "saved_date": "Fri May 31 17:00:55 2024" + "saved_date": "Thu Nov 7 12:14:04 2024" } \ No newline at end of file 
diff --git a/detection_rules/etc/attack-v15.1.0.json.gz b/detection_rules/etc/attack-v15.1.0.json.gz deleted file mode 100644 index 63e35112a32..00000000000 Binary files a/detection_rules/etc/attack-v15.1.0.json.gz and /dev/null differ diff --git a/detection_rules/etc/attack-v16.0.0.json.gz b/detection_rules/etc/attack-v16.0.0.json.gz new file mode 100644 index 00000000000..5f1975e50c4 Binary files /dev/null and b/detection_rules/etc/attack-v16.0.0.json.gz differ diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz index d24a70f53dd..ce63796e567 100644 Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ diff --git a/detection_rules/etc/beats_schemas/v8.15.3.json.gz b/detection_rules/etc/beats_schemas/v8.15.3.json.gz new file mode 100644 index 00000000000..b1c3e4684fe Binary files /dev/null and b/detection_rules/etc/beats_schemas/v8.15.3.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz index 03a09eedb43..905ff8cf971 100644 Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz index 15d887f1f01..bcf5bf604d0 100644 Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz index f6679d5af58..cfa290a41d3 100644 Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz index d715af77f30..43c5e3bf75c 100644 Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz index ca79c9bc195..0c0b37e4f42 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz index 894ecd2eb4c..8e1acf49537 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz index b1855e207d7..04070f9b941 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz index 92bffa9ff71..d0a18e4eec8 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz index f0f83df0a44..046214be755 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz index 32a4411e159..8df9c52f0ad 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz index 87b25386741..160eb19ddf6 100644 Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz index 90cf9587029..7b0002c2afa 100644 Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz index 593e4c8eb84..6fd71b5d619 100644 Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz index 794f80b9918..bcfbaee40e3 100644 Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz index 664e19f6674..ab12a418933 100644 Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz index fb21135d1ad..5eb6d4c2fbf 100644 Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz index 59d9d4707b0..0b9ca1bee9a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz index e8b7b5a6774..912bf6664bf 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz index 1264cd80661..beca84ebdf8 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz index 1fe32d6e57a..d15510f8b8e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz index 90e809b5791..7fcc254d4b3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz index 9a521858f7a..a9785d3dc0c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz index 9a00f52cab8..c07dbbdf574 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz index f15f27c154c..a0016d1dc4d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz index efe67a67ef9..0ac20a7187c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz index 61ea9ac0d31..08b8a7666f3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz index 70da17a6373..9e44e737182 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz index 6e70d2a8043..67e6d128f7e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz index 5740e2d1fbe..556c77d9c10 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz index 7940dd35fe0..a85f08eb1da 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz index 4841454f5b2..aae0c046adc 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz index 202e63b3922..0a1dddcce31 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz index c080b04017d..823292663e3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz index 28a51a4e94e..b53add1cec0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz index 025a25ed6a3..67d79071621 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz index 7b3ba75c870..d19f713a226 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz index 945e18d3db1..4e3f3e3fb25 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz index 4dac7b8823d..4eba2b019e0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz index e4777ebfdf8..afdf1bff9c6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz index 4a1f2a00ca9..37ff4d2c644 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz index 2258ae9dbb3..bf86b83bce0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz index 12d3e3cede5..ce6a189ed87 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz index 5b06dd6f09b..09853480ddf 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz index 5109dc1346f..247dc05f2ca 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz index 5259b9b81e4..ddec8fa9d13 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz index 804cee2abb4..ee38260986c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz index 45214f870ee..8fd6b016231 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz index f3857ba3695..a8fd7e59c91 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz index 46c4a18860d..e2930c1287e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz index 4bbe6195f03..4d39c36d8d0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz index 63d6551f699..72b3c8f78e0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz index 93164d33936..bfdb9783a72 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz index 7059c86e4e7..d44a31cf8c6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz index 66bef362e2a..35861963316 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz index eb8a9225384..3a05cf4c4a4 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz index 7c8a5851170..62ebcec021b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz index a8007aef2d5..a19554c37ec 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz index 58112e1fe22..60f6599f4d0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz index ad3cdfc35d4..7514023643a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz index 0e3e625565c..4abf68038ce 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz index e19c3e0f071..477b3b2df78 100644 Binary files a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz differ diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index a7cbde751cb..7f8628d00f9 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 1ee34652fd4..26dccdd7a17 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/packages.yaml b/detection_rules/etc/packages.yaml index 39a654bb448..7216e4b95bd 100644 --- a/detection_rules/etc/packages.yaml 
+++ b/detection_rules/etc/packages.yaml @@ -1,19 +1,18 @@ ---- package: filter: maturity: - production log_deprecated: true - name: '8.16' + name: '8.17' registry_data: categories: - security conditions: elastic: - subscription: basic capabilities: - - security - kibana.version: ^8.16.0 + - security + subscription: basic + kibana.version: ^8.17.0 description: Prebuilt detection rules for Elastic Security format_version: 3.0.0 icons: @@ -28,5 +27,5 @@ package: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration - version: 8.16.0-beta.1 + version: 8.17.0-beta.1 release: true diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index 2a12dab7d80..98032662917 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -77,12 +77,12 @@ # ecs: "8.9.0" # endgame: "8.4.0" -## Supported +# "8.10.0": +# beats: "8.10.3" +# ecs: "8.10.0" +# endgame: "8.4.0" -"8.10.0": - beats: "8.10.3" - ecs: "8.10.0" - endgame: "8.4.0" +## Supported "8.11.0": beats: "8.11.2" @@ -105,11 +105,16 @@ endgame: "8.4.0" "8.15.0": - beats: "8.15.2" + beats: "8.15.3" ecs: "8.11.0" endgame: "8.4.0" "8.16.0": - beats: "8.15.2" + beats: "8.15.3" + ecs: "8.11.0" + endgame: "8.4.0" + +"8.17.0": + beats: "8.15.3" ecs: "8.11.0" endgame: "8.4.0" \ No newline at end of file diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index da5024c862d..1cec53edeab 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json 
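Review bot: The new `"8.17.0"` entry in stack-schema-map.yaml (and the `"8.16.0"` entry above it) pins `ecs: "8.11.0"` and `beats: "8.15.3"`, so rules targeting 8.16/8.17 are validated against schemas several minors older than the stack, and presumably any field introduced after ECS 8.11.0 or Beats 8.15.3 would fail validation rather than be recognised. The ecs_schemas paths touched by this diff stop at 8.11.0 (plus master_8.12.0-dev), so this looks like a deliberate placeholder pending a schema refresh, but nothing in the file records that intent. I would add a comment above the new entry: `# ecs/beats pinned to the newest schemas vendored under etc/ecs_schemas and etc/beats_schemas; bump when 8.16+ ECS schemas are added`. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the tail of the file is being edited anyway.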
@@ -1,14 +1,14 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", + "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", "type": "query", "version": 208 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 213, "rule_name": "Potential Credential Access via Windows Utilities", "sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587", @@ -31,20 +31,13 @@ "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "System Shells via Services", "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", "type": "eql", "version": 110 }, - "8.11": { - "max_allowable_version": 311, - "rule_name": "System Shells via Services", - "sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783", - "type": "eql", - "version": 212 - }, "8.13": { "max_allowable_version": 413, "rule_name": "System Shells via Services", @@ -91,7 +84,7 @@ "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Potential Cookies Theft via Browser Debugging", "sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10", @@ -119,7 +112,7 @@ "02a4576a-7480-4284-9327-548a806b5e48": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 307, "rule_name": "Potential Credential Access via DuplicateHandle in LSASS", "sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac", 
@@ -153,7 +146,7 @@ "035889c4-2686-4583-a7df-67f89c292f2c": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "High Number of Process and/or Service Terminations", "sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1", @@ -191,7 +184,6 @@ "version": 3 }, "0415258b-a7b2-48a6-891a-3367cd9d4d31": { - "min_stack_version": "8.10", "rule_name": "First Time AWS Cloudformation Stack Creation by User", "sha256": "94bf8efc1418d0c3dbcfad25b23fcfb931aaa7d34d5a718971956c00ce220f69", "type": "new_terms", @@ -212,7 +204,7 @@ "043d80a3-c49e-43ef-9c72-1088f0c7b278": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 100, "rule_name": "Potential Escalation via Vulnerable MSI Repair", "sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174", @@ -248,7 +240,7 @@ "053a0387-f3b5-4ba5-8245-8002cca2bd08": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "sha256": "e4bf9920903785a4d419c63645c7e09513aac5d799ecd7dbebd52664884af5e0", @@ -270,7 +262,7 @@ "0564fb9d-90b9-4234-a411-82a546dc1343": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 213, "rule_name": "Microsoft IIS Service Account Password Dumped", "sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e", @@ -286,7 +278,7 @@ "05b358de-aa6d-4f6c-89e6-78f74018b43b": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Conhost Spawned By Suspicious Parent Process", "sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e", 
@@ -321,7 +313,7 @@ "0635c542-1b96-4335-9b47-126582d2c19a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 213, "rule_name": "Remote System Discovery Commands", "sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4", @@ -337,7 +329,7 @@ "06568a02-af29-4f20-929c-f3af281e41aa": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 109, "rule_name": "System Time Discovery", "sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261", @@ -359,7 +351,7 @@ "06a7a03c-c735-47a6-a313-51c354aef6c3": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "Enumerating Domain Trusts via DSQUERY.EXE", "sha256": "826697069ae29aadaacdd84897a741e47446903296eba95adab0ba771cfdbe5a", @@ -382,7 +374,7 @@ "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Potential Evasion via Filter Manager", "sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1", @@ -398,7 +390,7 @@ "074464f9-f30d-4029-8c03-0ed237fffec7": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", "sha256": "a22920bafaad8e23ba5d6eebfc838d200a2d39ff0987bc849ff03110e9fe7ba3", 
@@ -433,20 +425,13 @@ "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 107, "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", "type": "eql", "version": 8 }, - "8.11": { - "max_allowable_version": 209, - "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d", - "type": "eql", - "version": 110 - }, "8.13": { "max_allowable_version": 311, "rule_name": "Local Account TokenFilter Policy Disabled", @@ -487,7 +472,7 @@ "0859355c-0f08-4b43-8ff5-7d2a4789fc08": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "First Time Seen Removable Device", "sha256": "629de40be19abc034ed2f876dd72df2fc72ce0397116eed55c08d790401d4da6", @@ -555,7 +540,6 @@ "version": 103 }, "0ab319ef-92b8-4c7f-989b-5de93c852e93": { - "min_stack_version": "8.10", "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "sha256": "d6a0f724b514c85dbde5be35083810d0d6e18c2cd144eef691aa03bd23590370", "type": "query", @@ -564,7 +548,7 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", @@ -593,7 +577,7 @@ "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Anomalous Windows Process Creation", "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c", 
@@ -609,7 +593,7 @@ "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "User account exposed to Kerberoasting", "sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0", @@ -665,7 +649,7 @@ "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Peripheral Device Discovery", "sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b", @@ -743,7 +727,7 @@ "0e79980b-4250-4a50-a509-69294c14e84b": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "MsBuild Making Network Connections", "sha256": "dde434b8d763db265a284e83d3a6b88cf8b88da05acec8a4ef9f325b9c2ec960", @@ -777,7 +761,7 @@ "0f93cb9a-1931-48c2-8cd0-f173fd3e5283": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 309, "rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735", @@ -823,7 +807,7 @@ "1160dcdb-0a0a-4a79-91d8-9b84616edebd": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "sha256": "d2e9275f49d79f985078f90b204c71c5cc8da39f4545ee151878e99517456602", @@ -839,7 +823,7 @@ "1178ae09-5aff-460a-9f2f-455cd0ac4d8e": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack", "sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd", 
@@ -874,7 +858,7 @@ "11dd9713-0ec6-4110-9707-32daae1ee68c": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 113, "rule_name": "PowerShell Script with Token Impersonation Capabilities", "sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2", @@ -890,7 +874,7 @@ "11ea6bec-ebde-4d71-a8e9-784948f8e3e9": { "min_stack_version": "8.13", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Third-party Backup Files Deleted via Unexpected Process", "sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967", @@ -918,7 +902,7 @@ "1224da6c-0326-4b4f-8454-68cdc5ae542b": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a User", "sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b", @@ -946,7 +930,7 @@ "128468bf-cab1-4637-99ea-fdf3780a4609": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Suspicious Lsass Process Access", "sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554", @@ -974,7 +958,7 @@ "12de29d4-bbb0-4eef-b687-857e8a163870": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a", @@ -997,7 +981,7 @@ "12f07955-1674-44f7-86b5-c35da0a6f41a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Suspicious Cmd Execution via WMI", "sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177", 
@@ -1020,20 +1004,13 @@
 "1327384f-00f3-44d5-9a8c-2373ba071e92": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 207,
 "rule_name": "Persistence via Scheduled Job Creation",
 "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471",
 "type": "eql",
 "version": 108
 },
- "8.11": {
- "max_allowable_version": 309,
- "rule_name": "Persistence via Scheduled Job Creation",
- "sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29",
- "type": "eql",
- "version": 210
- },
 "8.13": {
 "max_allowable_version": 410,
 "rule_name": "Persistence via Scheduled Job Creation",
@@ -1056,7 +1033,7 @@
 "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
 "sha256": "ac05cb0b596f7532273a85d11c32fdb6302791693df41953a29630139fe66853",
@@ -1096,7 +1073,7 @@
 "14dab405-5dd9-450c-8106-72951af2391f": {
 "min_stack_version": "8.13",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 102,
 "rule_name": "Office Test Registry Persistence",
 "sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2",
@@ -1118,7 +1095,7 @@
 "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Potential Persistence via Time Provider Modification",
 "sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937",
@@ -1159,7 +1136,7 @@
 "15a8ba77-1c13-4274-88fe-6bd14133861e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Scheduled Task Execution at Scale via GPO",
 "sha256": "5a835be130b2d7d504bdf643f6c5b59025ee40eea781463a3ad0526d0dcdea26",
@@ -1175,7 +1152,7 @@
 "15c0b7a7-9c34-4869-b25b-fa6518414899": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Remote File Download via Desktopimgdownldr Utility",
 "sha256": "82b0a8a50a3ffeea555a5a4f4e12a8c825c7289a6d7e27a59e68bffc4c6d1863",
@@ -1216,7 +1193,7 @@
 "166727ab-6768-4e26-b80c-948b228ffc06": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 104,
 "rule_name": "File Creation Time Changed",
 "sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c",
@@ -1250,7 +1227,7 @@
 "16fac1a1-21ee-4ca6-b720-458e3855d046": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Startup/Logon Script added to Group Policy Object",
 "sha256": "30c1e02f8b5df888465f9f773cce6911948dbf981fe5e6478cf53dad158c8671",
@@ -1279,7 +1256,7 @@
 "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 206,
 "rule_name": "Unusual Windows Username",
 "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600",
@@ -1295,7 +1272,7 @@
 "1781d055-5c66-4adf-9c71-fc0fa58338c7": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows Service",
 "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55",
@@ -1311,7 +1288,7 @@
 "1781d055-5c66-4adf-9d60-fc0fa58337b6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 206,
 "rule_name": "Suspicious Powershell Script",
 "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192",
@@ -1327,7 +1304,7 @@
 "1781d055-5c66-4adf-9d82-fc0fa58449c8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows User Privilege Elevation Activity",
 "sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251",
@@ -1343,7 +1320,7 @@
 "1781d055-5c66-4adf-9e93-fc0fa69550c9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows Remote User",
 "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad",
@@ -1365,7 +1342,7 @@
 "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Renamed Utility Executed with Short Program Name",
 "sha256": "a898efb0f299871b59ba7adba9ad0da35c45be4f24097e4675a62d23663a67e7",
@@ -1387,7 +1364,7 @@
 "181f6b23-3799-445e-9589-0018328a9e46": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 100,
 "rule_name": "Script Execution via Microsoft HTML Application",
 "sha256": "8dcccb5d5071b3afa1eb7c8745394d66ab6fb8c1e33298891aea992e882930a5",
@@ -1476,7 +1453,7 @@
 "1a6075b0-7479-450e-8fe7-b8b8438ac570": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Execution of COM object via Xwizard",
 "sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be",
@@ -1505,7 +1482,7 @@
 "1aa9181a-492b-4c01-8b16-fa0735786b2b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "User Account Creation",
 "sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7",
@@ -1582,7 +1559,7 @@
 "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 207,
 "rule_name": "Incoming Execution via WinRM Remote Shell",
 "sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a",
@@ -1604,7 +1581,7 @@
 "1d276579-3380-4095-ad38-e596a01bc64f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Remote File Download via Script Interpreter",
 "sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed",
@@ -1632,7 +1609,7 @@
 "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 108,
 "rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
 "sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344",
@@ -1648,7 +1625,7 @@
 "1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
 "sha256": "7dd8220ed8a7e8190861088dcf735ec663fdc118c9226fe5a0cbd711ba56e81f",
@@ -1677,7 +1654,7 @@
 "1defdd62-cd8d-426e-a246-81a37751bb2b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 207,
 "rule_name": "Execution of File Written or Modified by PDF Reader",
 "sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d",
@@ -1699,7 +1676,7 @@
 "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 105,
 "rule_name": "PowerShell Script with Discovery Capabilities",
 "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
@@ -1728,7 +1705,7 @@
 "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 102,
 "rule_name": "Creation of a DNS-Named Record",
 "sha256": "1b392cf50fd5083faedc5e84700d71550e9da1adcd4b2de26a285e88c8bf84e3",
@@ -1744,7 +1721,7 @@
 "1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 105,
 "rule_name": "Creation of SettingContent-ms Files",
 "sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39",
@@ -1772,7 +1749,7 @@
 "1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 109,
 "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
 "sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762",
@@ -1795,7 +1772,7 @@
 "1f460f12-a3cf-4105-9ebb-f788cc63f365": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 103,
 "rule_name": "Unusual Process Execution on WBEM Path",
 "sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8",
@@ -1817,7 +1794,7 @@
 "1fe3b299-fbb5-4657-a937-1d746f2c711a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Unusual Network Activity from a Windows System Binary",
 "sha256": "065d31dda5018a121026016d00d6c7245d1656c3ef25f36665984764f64a2e74",
@@ -1839,7 +1816,7 @@
 "201200f1-a99b-43fb-88ed-f65a45c4972c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Suspicious .NET Code Compilation",
 "sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0",
@@ -1868,7 +1845,7 @@
 "203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Creation or Modification of Root Certificate",
 "sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332",
@@ -1895,16 +1872,6 @@
 "version": 206
 },
 "20457e4f-d1de-4b92-ae69-142e27a4342a": {
- "min_stack_version": "8.11",
- "previous": {
- "8.10": {
- "max_allowable_version": 206,
- "rule_name": "Access of Stored Browser Credentials",
- "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563",
- "type": "eql",
- "version": 107
- }
- },
 "rule_name": "Suspicious Web Browser Sensitive File Access",
 "sha256": "f285de9c9bf8851c505323409cd2daf9c3f4f430c5bae5b68541220f7acf0fbd",
 "type": "eql",
@@ -1913,7 +1880,7 @@
 "205b52c4-9c28-4af4-8979-935f3278d61a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 101,
 "rule_name": "Werfault ReflectDebugger Persistence",
 "sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982",
@@ -1936,7 +1903,7 @@
 "208dbe77-01ed-4954-8d44-1e5751cb20de": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "LSASS Memory Dump Handle Access",
 "sha256": "13217b6a2a8a60bd16c88f972c5a154d41523241776c401344cd37421eaf13ef",
@@ -1976,7 +1943,7 @@
 "220be143-5c67-4fdb-b6ce-dd6826d024fd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 107,
 "rule_name": "Full User-Mode Dumps Enabled System-Wide",
 "sha256": "1cc91703e211a89bc8b1f0519649e4e3958193ad7f77cdd75d2aed5b9c6e1a1b",
@@ -2053,7 +2020,7 @@
 "25224a80-5a4a-4b8a-991e-6ab390465c4f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "Lateral Movement via Startup Folder",
 "sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381",
@@ -2076,7 +2043,7 @@
 "2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 103,
 "rule_name": "Potential PowerShell HackTool Script by Author",
 "sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4",
@@ -2122,7 +2089,7 @@
 "263481c8-1e9b-492e-912d-d1760707f810": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 101,
 "rule_name": "Potential Relay Attack against a Domain Controller",
 "sha256": "a6d31b2e82a80eb8609b1bb25461fd5d2588fdfba77a75c4df407666b1f6dce2",
@@ -2144,7 +2111,7 @@
 "265db8f5-fc73-4d0d-b434-6483b56372e2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Persistence via Update Orchestrator Service Hijack",
 "sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800",
@@ -2185,7 +2152,7 @@
 "26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
 "min_stack_version": "8.13",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 308,
 "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
 "sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4",
@@ -2201,7 +2168,7 @@
 "27071ea3-e806-4697-8abc-e22c92aa4293": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 104,
 "rule_name": "PowerShell Script with Archive Compression Capabilities",
 "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
@@ -2236,7 +2203,7 @@
 "2772264c-6fb9-4d9d-9014-b416eed21254": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "Incoming Execution via PowerShell Remoting",
 "sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b",
@@ -2264,7 +2231,7 @@
 "2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 215,
 "rule_name": "Account Password Reset Remotely",
 "sha256": "dbf803fd05859ae76bda5f4e085129d4a5f840731285774dfae887a28a0e6799",
@@ -2287,7 +2254,7 @@
 "2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Account Discovery Command via SYSTEM Account",
 "sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
@@ -2319,7 +2286,6 @@
 "version": 100
 },
 "28bc620d-b2f7-4132-b372-f77953881d05": {
- "min_stack_version": "8.11",
 "rule_name": "Root Network Connection via GDB CAP_SYS_PTRACE",
 "sha256": "50b88f12b91fe3feb9118bf703666cee8eef3f3a6c36a426e7b43936ed0e50e2",
 "type": "eql",
@@ -2352,7 +2318,7 @@
 "290aca65-e94d-403b-ba0f-62f320e63f51": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 213,
 "rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
 "sha256": "5cfe971491ae9ff4d1d7dfd27691dc0cdebf5a8553599712008e0504e0d7cc4c",
@@ -2375,20 +2341,13 @@
 "2917d495-59bd-4250-b395-c29409b76086": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
 "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc",
 "type": "eql",
 "version": 111
 },
- "8.11": {
- "max_allowable_version": 312,
- "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
- "sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609",
- "type": "eql",
- "version": 213
- },
 "8.13": {
 "max_allowable_version": 414,
 "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
@@ -2405,7 +2364,7 @@
 "291a0de9-937a-4189-94c0-3e847c8b13e4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 310,
 "rule_name": "Enumeration of Privileged Local Groups Membership",
 "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
@@ -2464,20 +2423,13 @@
 "2bf78aa2-9c56-48de-b139-f169bf99cf86": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Adobe Hijack Persistence",
 "sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636",
 "type": "eql",
 "version": 112
 },
- "8.11": {
- "max_allowable_version": 312,
- "rule_name": "Adobe Hijack Persistence",
- "sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe",
- "type": "eql",
- "version": 213
- },
 "8.13": {
 "max_allowable_version": 413,
 "rule_name": "Adobe Hijack Persistence",
@@ -2494,7 +2446,7 @@
 "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Windows Defender Exclusions Added via PowerShell",
 "sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1",
@@ -2517,7 +2469,7 @@
 "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
 "sha256": "afff98a0b90a5aae640601eba5921162ce7572b6838da100bc6c1a0be27e6f22",
@@ -2533,7 +2485,7 @@
 "2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 100,
 "rule_name": "Potential Foxmail Exploitation",
 "sha256": "a4f0739152df6e638b21a5eac1cc7cf12b94d145b6cccfb04e27fdce391b2f91",
@@ -2556,7 +2508,7 @@
 "2d62889e-e758-4c5e-b57e-c735914ee32a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 100,
 "rule_name": "Suspicious PowerShell Execution via Windows Scripts",
 "sha256": "809e425e3a5be9a9800b6d14b48f314124436ff849b26df4baf4ff68b0da5cbf",
@@ -2585,7 +2537,7 @@
 "2dd480be-1263-4d9c-8672-172928f6789a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 310,
 "rule_name": "Suspicious Process Access via Direct System Call",
 "sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328",
@@ -2613,7 +2565,7 @@
 "2de87d72-ee0c-43e2-b975-5f0b029ac600": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 108,
 "rule_name": "Wireless Credential Dumping using Netsh Command",
 "sha256": "7e5b7e7f86dcf4fbb6d5372775029f3abd32e945f33ed157e27d84917858b727",
@@ -2636,7 +2588,7 @@
 "2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Renamed AutoIt Scripts Interpreter",
 "sha256": "c9fca874ba0aea66a0b05cce3eff5be4bec6fd71adbcdabb89b538dfe2294d8b",
@@ -2652,7 +2604,7 @@
 "2e29e96a-b67c-455a-afe4-de6183431d0d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Potential Process Injection via PowerShell",
 "sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029",
@@ -2668,7 +2620,7 @@
 "2e311539-cd88-4a85-a301-04f38795007c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 104,
 "rule_name": "Accessing Outlook Data Files",
 "sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473",
@@ -2684,7 +2636,7 @@
 "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
 "min_stack_version": "8.13",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 100,
 "rule_name": "Okta User Sessions Started from Different Geolocations",
 "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc",
@@ -2706,7 +2658,7 @@
 "2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Creation of a Hidden Local User Account",
 "sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478",
@@ -2735,7 +2687,7 @@
 "2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
 "sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652",
@@ -2769,7 +2721,7 @@
 "2ffa1f1e-b6db-47fa-994b-1512743847eb": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 214,
 "rule_name": "Windows Defender Disabled via Registry Modification",
 "sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b",
@@ -2833,7 +2785,7 @@
 "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 213,
 "rule_name": "Bypass UAC via Event Viewer",
 "sha256": "6803ee7c44e816c648b5cb1c7638f63b9a8952d06dc27673a10931537edcc6c7",
@@ -2880,7 +2832,7 @@
 "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Program Files Directory Masquerading",
 "sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef",
@@ -2909,20 +2861,13 @@
 "32f4675e-6c49-4ace-80f9-97c9259dca2e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Suspicious MS Outlook Child Process",
 "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3",
 "type": "eql",
 "version": 111
 },
- "8.11": {
- "max_allowable_version": 312,
- "rule_name": "Suspicious MS Outlook Child Process",
- "sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172",
- "type": "eql",
- "version": 213
- },
 "8.13": {
 "max_allowable_version": 414,
 "rule_name": "Suspicious MS Outlook Child Process",
@@ -2987,20 +2932,13 @@
 "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Port Forwarding Rule Addition",
 "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd",
 "type": "eql",
 "version": 110
 },
- "8.11": {
- "max_allowable_version": 311,
- "rule_name": "Port Forwarding Rule Addition",
- "sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d",
- "type": "eql",
- "version": 212
- },
 "8.13": {
 "max_allowable_version": 412,
 "rule_name": "Port Forwarding Rule Addition",
@@ -3030,7 +2968,7 @@
 "35df0dd8-092d-4a83-88c1-5151a804f31b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Unusual Parent-Child Relationship",
 "sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0",
@@ -3071,7 +3009,7 @@
 "36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "Suspicious ImagePath Service Creation",
 "sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb",
@@ -3128,16 +3066,6 @@
 "version": 209
 },
 "37f638ea-909d-4f94-9248-edd21e4a9906": {
- "min_stack_version": "8.11",
- "previous": {
- "8.10": {
- "max_allowable_version": 205,
- "rule_name": "Finder Sync Plugin Registered and Enabled",
- "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598",
- "type": "eql",
- "version": 106
- }
- },
 "rule_name": "Finder Sync Plugin Registered and Enabled",
 "sha256": "858e1ed186fb82e360626319ec5bcc00cd623d9b58317239f8e44049e46d4916",
 "type": "eql",
@@ -3152,7 +3080,7 @@
 "3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 214,
 "rule_name": "Network Connection via Certutil",
 "sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be",
@@ -3210,7 +3138,7 @@
 "397945f3-d39a-4e6f-8bcb-9656c2031438": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 206,
 "rule_name": "Persistence via Microsoft Outlook VBA",
 "sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3",
@@ -3239,7 +3167,7 @@
 "3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Potential DNS Tunneling via NsLookup",
 "sha256": "6000c31bea360c0d9b1d37463b62aaa348ae174cd150d753a365830bfab75447",
@@ -3268,7 +3196,7 @@
 "3a657da0-1df2-11ef-a327-f661ea17fbcc": {
 "min_stack_version": "8.13",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 102,
 "rule_name": "Rapid7 Threat Command CVEs Correlation",
 "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1",
@@ -3314,20 +3242,13 @@
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Unusual Parent Process for cmd.exe",
 "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f",
 "type": "eql",
 "version": 110
 },
- "8.11": {
- "max_allowable_version": 311,
- "rule_name": "Unusual Parent Process for cmd.exe",
- "sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b",
- "type": "eql",
- "version": 212
- },
 "8.13": {
 "max_allowable_version": 412,
 "rule_name": "Unusual Parent Process for cmd.exe",
@@ -3344,7 +3265,7 @@
 "3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 213,
 "rule_name": "NTDS or SAM Database File Copied",
 "sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686",
@@ -3373,7 +3294,7 @@
 "3d00feab-e203-4acc-a463-c3e15b7e9a73": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 101,
 "rule_name": "ScreenConnect Server Spawning Suspicious Processes",
 "sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86",
@@ -3396,7 +3317,7 @@
 "3d3aa8f9-12af-441f-9344-9f31053e316d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 104,
 "rule_name": "PowerShell Script with Log Clear Capabilities",
 "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
@@ -3431,7 +3352,7 @@
 "3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "Suspicious Execution via Windows Subsystem for Linux",
 "sha256": "8a6f3d4d6d2ab609c03f95537b72d713e9810f920db111edecb52d9d38d8f6de",
@@ -3472,7 +3393,7 @@
 "3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Privilege Escalation via Named Pipe Impersonation",
 "sha256": "07b7a1afa550e1df6cbbf323c40b3819f4f1cdbd327efeabd9ad0efac059d864",
@@ -3495,7 +3416,7 @@
 "3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 307,
 "rule_name": "Suspicious Process Creation CallTrace",
 "sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927",
@@ -3553,7 +3474,7 @@
 "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "Unusual Process Spawned by a User",
 "sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134",
@@ -3575,7 +3496,7 @@
 "403ef0d3-8259-40c9-a5b6-d48354712e49": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Unusual Persistence via Services Registry",
 "sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a",
@@ -3610,7 +3531,7 @@
 "416697ae-e468-4093-a93d-59661fa619ec": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Control Panel Process with Unusual Arguments",
 "sha256": "0ec964d19b677c5a3602725e1d6954220c23d9d952c16ff1b6da2eea29a44e72",
@@ -3676,7 +3597,7 @@
 "42eeee3d-947f-46d3-a14d-7036b962c266": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 109,
 "rule_name": "Process Creation via Secondary Logon",
 "sha256": "525c2144bf947ec8f46831b5237798e93320e6a3b2913ac51d2c48ec4c21c257",
@@ -3710,7 +3631,7 @@
 "440e2db4-bc7f-4c96-a068-65b78da59bde": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Startup Persistence by a Suspicious Process",
 "sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77",
@@ -3733,7 +3654,7 @@
 "445a342e-03fb-42d0-8656-0367eb2dead5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 206,
 "rule_name": "Unusual Windows Path Activity",
 "sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94",
@@ -3755,7 +3676,7 @@
 "44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 110,
 "rule_name": "Multiple Vault Web Credentials Read",
 "sha256": "c1d407b17617d847a235c98e3d883e34fbac8e998edb79f15b1691b8a196691a",
@@ -3789,7 +3710,7 @@
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Windows Event Logs Cleared",
 "sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27",
@@ -3805,7 +3726,7 @@
 "45d273fb-1dca-457d-9855-bcb302180c21": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Encrypting Files with WinRar or 7z",
 "sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060",
@@ -3821,7 +3742,7 @@
 "4630d948-40d4-4cef-ac69-4002e29bc3db": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Adding Hidden File Attribute via Attrib",
 "sha256": "7a07d3a3c11d1364d2b213517c43cc9fab8aab4adc8c2f3595c4bedba3f5765f",
@@ -3844,7 +3765,7 @@
 "4682fd2c-cfae-47ed-a543-9bed37657aa6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Potential Local NTLM Relay via HTTP",
 "sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e",
@@ -3891,7 +3812,7 @@
 "47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
 "sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40",
@@ -3919,7 +3840,7 @@
 "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
 "sha256": "e00daf78742e5d25f05f11ec86efbda6a185e2b45e5738e6abd73e6795530c1f",
@@ -3954,7 +3875,7 @@
 "48b6edfc-079d-4907-b43c-baffa243270d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 109,
 "rule_name": "Multiple Logon Failure from the same Source Address",
 "sha256": "36369b787180e53e8d9a0921e177975ce33ac03e4c3e101837cc43faa0aba56f",
@@ -4012,7 +3933,7 @@
 "4982ac3e-d0ee-4818-b95d-d9522d689259": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 105,
 "rule_name": "Process Discovery Using Built-in Tools",
 "sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1",
@@ -4052,7 +3973,7 @@
 "4b438734-3793-4fda-bd42-ceeada0be8f9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Disable Windows Firewall Rules via Netsh",
 "sha256": "d18f0d4efc2ad5ade11890ab3e5f0a54d4521162528adffcd92bd7c037fb44de",
@@ -4093,7 +4014,7 @@
 "4bd1c1af-79d4-4d37-9efa-6e0240640242": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "Unusual Process Execution Path - Alternate Data Stream",
 "sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45",
@@ -4116,7 +4037,7 @@
 "4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 110,
 "rule_name": "PowerShell Share Enumeration Script",
 "sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1",
@@ -4150,7 +4071,7 @@
 "4de76544-f0e5-486a-8f84-eae0b6063cdc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
 "sha256": "fb9bb254f0e60ed51d8d4e297aad53df545a43f086e4549a1c1f54743463a299",
@@ -4173,7 +4094,7 @@
 "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 110,
 "rule_name": "Multiple Logon Failure Followed by Logon Success",
 "sha256": "bf31596123965d48e9aa656e0e935a6038395a1f7aa60a94aca3e18d72b79dc8",
@@ -4195,7 +4116,7 @@
 "4ed493fc-d637-4a36-80ff-ac84937e5461": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
 "sha256": "759a649928bcc0a0a2cfa9af0084ced15bad00665e20e163f96e50d748c6cf97",
@@ -4218,7 +4139,7 @@
 "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "Suspicious Script Object Execution",
 "sha256": "ff51979abf90a96b0ab21324887f4c1b54fce14ba48a37fa78f1350865e6b77f",
@@ -4247,7 +4168,7 @@ "4fe9d835-40e1-452d-8230-17c147cafad8": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Execution via TSClient Mountpoint", "sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2", @@ -4276,7 +4197,7 @@ "51176ed2-2d90-49f2-9f3d-17196428b169": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 107, "rule_name": "Windows System Information Discovery", "sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155", @@ -4298,20 +4219,13 @@ "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Registry Persistence via AppCert DLL", "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", "type": "eql", "version": 108 }, - "8.11": { - "max_allowable_version": 309, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d", - "type": "eql", - "version": 210 - }, "8.13": { "max_allowable_version": 411, "rule_name": "Registry Persistence via AppCert DLL", @@ -4340,7 +4254,7 @@ "5188c68e-d3de-4e96-994d-9e242269446f": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "Service DACL Modification via sc.exe", "sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d", @@ -4369,7 +4283,7 @@ "51ce96fb-9e52-4dad-b0ba-99b54440fc9a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Incoming DCOM Lateral Movement with MMC", "sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a", 
@@ -4409,7 +4323,7 @@ "52aaab7b-b51c-441a-89ce-4387b3aea886": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Unusual Network Connection via RunDLL32", "sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b", @@ -4465,7 +4379,6 @@ "version": 102 }, "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { - "min_stack_version": "8.10", "rule_name": "Statistical Model Detected C2 Beaconing Activity", "sha256": "d973fcbb65bfb1114bf7274eec0a49753fc3ac6e545fb635cd87b176b08276cc", "type": "query", @@ -4474,7 +4387,7 @@ "53a26770-9cbd-40c5-8b57-61d01a325e14": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Suspicious PDF Reader Child Process", "sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12", @@ -4497,7 +4410,7 @@ "53dedd83-1be7-430f-8026-363256395c8b": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 105, "rule_name": "Binary Content Copy via Cmd.exe", "sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b", @@ -4513,7 +4426,7 @@ "54902e45-3467-49a4-8abc-529f2c8cfb80": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Uncommon Registry Persistence Change", "sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a", @@ -4529,7 +4442,7 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", 
@@ -4552,7 +4465,7 @@ "54c3d186-0461-4dc3-9b33-2dc5c7473936": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Network Logon Provider Registry Modification", "sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698", @@ -4568,7 +4481,7 @@ "55c2bf58-2a39-4c58-a384-c8b1978153c2": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Windows Service Installed via an Unusual Client", "sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347", @@ -4584,7 +4497,7 @@ "55d551c6-333b-4665-ab7e-5d14a59715ce": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "PsExec Network Connection", "sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66", @@ -4606,7 +4519,7 @@ "56004189-4e69-4a39-b4a9-195329d226e9": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 106, "rule_name": "Unusual Process Spawned by a Host", "sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098", @@ -4628,7 +4541,7 @@ "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7", 
@@ -4642,16 +4555,6 @@ "version": 207 }, "565c2b44-7a21-4818-955f-8d4737967d2e": { - "min_stack_version": "8.11", - "previous": { - "8.10": { - "max_allowable_version": 205, - "rule_name": "Potential Admin Group Account Addition", - "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4", - "type": "query", - "version": 106 - } - }, "rule_name": "Potential Admin Group Account Addition", "sha256": "1e416a23a57946cd76fb3a0d31a22ba04b7d13ed78b7ea1c9beb9728961216f9", "type": "query", @@ -4672,7 +4575,7 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", @@ -4719,7 +4622,7 @@ "577ec21e-56fe-4065-91d8-45eb8224fe77": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "PowerShell MiniDump Script", "sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b", @@ -4735,7 +4638,7 @@ "57bccf1d-daf5-4e1a-9049-ff79b5254704": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 105, "rule_name": "File Staged in Root Folder of Recycle Bin", "sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb", @@ -4751,7 +4654,7 @@ "57bfa0a9-37c0-44d6-b724-54bf16787492": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "DNS Global Query Block List Modified or Disabled", "sha256": "fbf28db5104a48b0e0d2f1bab198d6d68917d37647526eb57c33227ecca28773", @@ -4774,7 +4677,7 @@ "581add16-df76-42bb-af8e-c979bfb39a59": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "26f2805142740943d3a337737f94aa2adb368dc09f37ec38fe749edf716118e2", 
@@ -4797,7 +4700,7 @@ "58aa72ca-d968-4f34-b9f7-bea51d75eb50": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "RDP Enabled via Registry", "sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1", @@ -4862,7 +4765,7 @@ "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4", @@ -4909,7 +4812,7 @@ "5aee924b-6ceb-4633-980e-1bde8cdb40c5": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Potential Secure File Deletion via SDelete Utility", "sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30", @@ -4956,7 +4859,7 @@ "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 213, "rule_name": "Suspicious PrintSpooler Service Executable File Creation", "sha256": "91c753727cc93c11d0c14042e89f25f4662381aa6ed581df89352758ca0056f3", @@ -4976,7 +4879,6 @@ "version": 206 }, "5c351f54-4187-4ad8-abc8-29b0cfbef8b1": { - "min_stack_version": "8.11", "rule_name": "Process Capability Enumeration", "sha256": "05b761407363be97b58f3300673822b50467a2bde6e9040bed06c9132d77729a", "type": "eql", @@ -4985,7 +4887,7 @@ "5c602cba-ae00-4488-845d-24de2b6d8055": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "PowerShell Script with Veeam Credential Access Capabilities", "sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0", 
@@ -5001,7 +4903,7 @@ "5c6f4c58-b381-452a-8976-f1b1c6aa0def": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 112, "rule_name": "FirstTime Seen Account Performing DCSync", "sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106", @@ -5041,7 +4943,7 @@ "5cd55388-a19c-47c7-8ec4-f41656c2fded": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Outbound Scheduled Task Activity via PowerShell", "sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80", @@ -5057,7 +4959,7 @@ "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "User Added to Privileged Group", "sha256": "d38fab04d93fbbb1473131509d9b6cd0bd610885369860d4fbc428e46abb34de", @@ -5073,7 +4975,7 @@ "5cf6397e-eb91-4f31-8951-9f0eaa755a31": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "Persistence via PowerShell profile", "sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60", @@ -5102,7 +5004,7 @@ "5d1d6907-0747-4d5d-9b24-e4a18853dc0a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Suspicious Execution via Scheduled Task", "sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75", @@ -5118,7 +5020,7 @@ "5d676480-9655-4507-adc6-4eec311efff8": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 101, "rule_name": "Unsigned DLL loaded by DNS Service", "sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7", 
@@ -5165,7 +5067,7 @@ "5f2f463e-6997-478c-8405-fb41cc283281": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 101, "rule_name": "Potential File Download via a Headless Browser", "sha256": "07bc7d436acd1fee6bb5095ececc82cea05e2662cc4170c6c4101acad12bd670", @@ -5212,7 +5114,7 @@ "610949a1-312f-4e04-bb55-3a79b8c95267": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Unusual Process Network Connection", "sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c", @@ -5234,7 +5136,7 @@ "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 103, "rule_name": "Interactive Logon by an Unusual Process", "sha256": "bf2b28b3ee264bd7593059a42fb95b93b34b79c0296e85ea353384200ca44764", @@ -5250,7 +5152,7 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", @@ -5279,7 +5181,7 @@ "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "AdminSDHolder SDProp Exclusion Added", "sha256": "61e5e9cb9893a7e21a7314d6953f624a9d9e7e05e283ac34d508735fddcf87b7", @@ -5301,7 +5203,7 @@ "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement via MSHTA", "sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e", 
@@ -5317,7 +5219,7 @@ "62a70f6f-3c37-43df-a556-f64fa475fba2": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Account Configured with Never-Expiring Password", "sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62", @@ -5369,7 +5271,7 @@ "63e65ec3-43b1-45b0-8f2d-45b34291dc44": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Network Connection via Signed Binary", "sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49", @@ -5415,7 +5317,7 @@ "65432f4a-e716-4cc1-ab11-931c4966da2d": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 100, "rule_name": "MsiExec Service Child Process With Network Connection", "sha256": "861bc19c8f4196effc1ddc59a6929d979c132b0e3a3507da3f10ac1d760a1287", @@ -5462,7 +5364,7 @@ "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "WebServer Access Logs Deleted", "sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977", @@ -5494,16 +5396,6 @@ "version": 3 }, "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { - "min_stack_version": "8.11", - "previous": { - "8.10": { - "max_allowable_version": 205, - "rule_name": "Suspicious macOS MS Office Child Process", - "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489", - "type": "eql", - "version": 106 - } - }, "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "a39e945c3402e4c0c2dbb298ac6967a111eed708c37dc104c0883a65040b4115", "type": "eql", @@ -5512,7 +5404,7 @@ "670b3b5a-35e5-42db-bd36-6c5b9b4b7313": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 112, "rule_name": "Modification of the msPKIAccountCredentials", "sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804", 
@@ -5564,7 +5456,7 @@ "6839c821-011d-43bd-bd5b-acff00257226": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Image File Execution Options Injection", "sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3", @@ -5599,7 +5491,7 @@ "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Persistence via TelemetryController Scheduled Task Hijack", "sha256": "aea25737ded0865363c221c0d1752131a0e908cbb4968ff2138d90d22cb790f1", @@ -5628,7 +5520,7 @@ "689b9d57-e4d5-4357-ad17-9c334609d79a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Scheduled Task Created by a Windows Script", "sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07", @@ -5650,7 +5542,7 @@ "68ad737b-f90a-4fe5-bda6-a68fa460044e": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 101, "rule_name": "Suspicious Access to LDAP Attributes", "sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef", @@ -5672,7 +5564,7 @@ "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "e54698612562724862eabf289b6a0256473aa6af882b84aa9a4fdc520b15c22e", @@ -5713,7 +5605,7 @@ "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Modification of Boot Configuration", "sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672", 
@@ -5754,7 +5646,7 @@ "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Unusual Service Host Child Process - Childless Service", "sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d", @@ -5777,20 +5669,13 @@ "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", "type": "eql", "version": 111 }, - "8.11": { - "max_allowable_version": 312, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a", - "type": "eql", - "version": 213 - }, "8.13": { "max_allowable_version": 415, "rule_name": "Exporting Exchange Mailbox via PowerShell", @@ -5819,7 +5704,7 @@ "6bed021a-0afb-461c-acbe-ffdb9574d3f3": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Remote Computer Account DnsHostName Update", "sha256": "a51928cc4f489accb73c5623006f11d187ddfced85856c1753810c11a3e6ad96", @@ -5841,7 +5726,7 @@ "6cd1779c-560f-4b68-a8f1-11009b27fe63": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Microsoft Exchange Server UM Writing Suspicious Files", "sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca", @@ -5870,7 +5755,7 @@ "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Unusual Process For a Windows Host", "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203", 
@@ -5898,7 +5783,7 @@ "6e1a2cc4-d260-11ed-8829-f661ea17fbcc": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 107, "rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution", "sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6", @@ -5914,7 +5799,7 @@ "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Anomalous Process For a Windows Population", "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623", @@ -5930,7 +5815,7 @@ "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "AdminSDHolder Backdoor", "sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe", @@ -5952,7 +5837,7 @@ "6ea41894-66c3-4df7-ad6b-2c5074eb3df8": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Potential Windows Error Manager Masquerading", "sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75", @@ -5968,7 +5853,7 @@ "6ea55c81-e2ba-42f2-a134-bccf857ba922": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 213, "rule_name": "Security Software Discovery using WMIC", "sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31", @@ -5996,7 +5881,7 @@ "6f024bde-7085-489b-8250-5957efdf1caf": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 101, "rule_name": "Active Directory Group Modification by SYSTEM", "sha256": "2ee2291d359018227fac96405ae5bd6ac5dba317d4dc3822fa5bd4382a4dddce", 
@@ -6048,7 +5933,7 @@ "708c9d92-22a3-4fe0-b6b9-1f861c55502d": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "Suspicious Execution via MSIEXEC", "sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27", @@ -6088,7 +5973,7 @@ "71bccb61-e19b-452f-b104-79a60e546a95": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 214, "rule_name": "Unusual File Creation - Alternate Data Stream", "sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297", @@ -6111,7 +5996,7 @@ "71c5cb27-eca5-4151-bb47-64bc3f883270": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Suspicious RDP ActiveX Client Loaded", "sha256": "64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8", @@ -6170,7 +6055,7 @@ "730ed57d-ae0f-444f-af50-78708b57edd5": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "Suspicious JetBrains TeamCity Child Process", "sha256": "54016ee23f49287a4fae596a255b45db62a996943f8881ff1dfb1fd2fb8920e7", @@ -6199,7 +6084,7 @@ "7405ddf1-6c8e-41ce-818f-48bea6bcaed8": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Potential Modification of Accessibility Binaries", "sha256": "d92a7d07cb5e81322f02fb2a7166dbdd70da750fa76141da1b95cb31663d9448", 
@@ -6213,16 +6098,6 @@ "version": 212 }, "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { - "min_stack_version": "8.11", - "previous": { - "8.10": { - "max_allowable_version": 205, - "rule_name": "Modification of Environment Variable via Launchctl", - "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb", - "type": "query", - "version": 106 - } - }, "rule_name": "Modification of Environment Variable via Unsigned or Untrusted Parent", "sha256": "b170681fb44115e54ae79d975287efafd1d43ef7e8ee33af103b33ab76025f0e", "type": "query", @@ -6273,7 +6148,7 @@ "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 111, "rule_name": "Access to a Sensitive LDAP Attribute", "sha256": "77281c68463fbc2c835a7a2749c534aa6aec79a75e0597d4199b96137ca5e191", @@ -6295,7 +6170,7 @@ "76ddb638-abf7-42d5-be22-4a70b0bf7241": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 205, "rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation", "sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb", @@ -6317,20 +6192,13 @@ "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "b7ab17057206897d65dcad5a62262f342860ce34ca6624af13a3e70326b99e47", "type": "eql", "version": 111 }, - "8.11": { - "max_allowable_version": 311, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a", - "type": "eql", - "version": 213 - }, "8.13": { "max_allowable_version": 413, "rule_name": "Potential Remote Desktop Tunneling Detected", 
@@ -6347,7 +6215,7 @@ "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Enumeration Command Spawned via WMIPrvSE", "sha256": "817ef65a6a910511dbe215f836ed060a2efe5a05e206abf2224a2480ce861487", @@ -6418,20 +6286,13 @@ "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 100, "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "416dce868f1a4876765a41cddaba8d8860afac5cca30502daf254f8f45cb337a", "type": "eql", "version": 2 }, - "8.11": { - "max_allowable_version": 202, - "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446", - "type": "eql", - "version": 104 - }, "8.13": { "max_allowable_version": 304, "rule_name": "Suspicious ScreenConnect Client Child Process", @@ -6484,7 +6345,7 @@ "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "Potential File Transfer via Certreq", "sha256": "0fa34695e7e58ab411a32781540d80e8b93e9a6162cc9ceaa18a072942d6e319", @@ -6507,7 +6368,7 @@ "79f97b31-480e-4e63-a7f4-ede42bf2c6de": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Potential Shadow Credentials added to AD Object", "sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e", @@ -6559,7 +6420,7 @@ "7b8bfc26-81d2-435e-965c-d722ee397ef1": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 213, "rule_name": "Windows Network Enumeration", "sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486", 
@@ -6581,7 +6442,7 @@ "7ba58110-ae13-439b-8192-357b0fcfa9d7": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 307, "rule_name": "Suspicious LSASS Access via MalSecLogon", "sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1", @@ -6651,7 +6512,7 @@ "7e23dfef-da2c-4d64-b11d-5f285b638853": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "Microsoft Management Console File from Unusual Path", "sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91", @@ -6681,7 +6542,7 @@ "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", @@ -6728,7 +6589,7 @@ "8025db49-c57c-4fc0-bd86-7ccd6d10a35a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "Potential PowerShell Obfuscated Script", "sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5", @@ -6750,7 +6611,7 @@ "808291d3-e918-4a3a-86cd-73052a0c9bdc": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 103, "rule_name": "Suspicious Troubleshooting Pack Cabinet Execution", "sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059", @@ -6784,7 +6645,7 @@ "818e23e6-2094-4f0e-8c01-22d30f3506c6": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "PowerShell Script Block Logging Disabled", "sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc", 
@@ -6813,7 +6674,7 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", @@ -6836,7 +6697,7 @@ "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 107, "rule_name": "Temporarily Scheduled Task Creation", "sha256": "4162c0f3ecc6a4c881309a1c579888218ab3995f564f72409e538076f2e26c78", @@ -6850,16 +6711,6 @@ "version": 108 }, "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { - "min_stack_version": "8.11", - "previous": { - "8.10": { - "max_allowable_version": 206, - "rule_name": "Apple Scripting Execution with Administrator Privileges", - "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a", - "type": "eql", - "version": 107 - } - }, "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "e0f594ae73315999d039f6afdb74b17b186b2daeab2d37cf12f364225219128a", "type": "eql", @@ -6886,7 +6737,7 @@ "83bf249e-4348-47ba-9741-1202a09556ad": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 100, "rule_name": "Suspicious Windows Powershell Arguments", "sha256": "67fac684b46bd0e1e592ed5fb64523fe9b1b6c8bbf695fa5a8c2ca93c45ebeff", @@ -6921,7 +6772,7 @@ "846fe13f-6772-4c83-bd39-9d16d4ad1a81": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 106, "rule_name": "Microsoft Exchange Transport Agent Install Script", "sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412", 
@@ -6949,7 +6800,7 @@ "84da2554-e12a-11ec-b896-f661ea17fbcd": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Enumerating Domain Trusts via NLTEST.EXE", "sha256": "edbf1332772ff82f1ca2598dd8a01f2db70fbc0b0fc319db2140d545aeb1a4f0", @@ -7007,7 +6858,7 @@ "871ea072-1b71-4def-b016-6278b505138d": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 213, "rule_name": "Enumeration of Administrator Accounts", "sha256": "043665e2ef98b00727f9e07b55549bee2d56066daf42ca2553e2b1bfa8aaf20e", @@ -7065,7 +6916,7 @@ "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Suspicious WMI Image Load from MS Office", "sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443", @@ -7081,7 +6932,7 @@ "894326d2-56c0-4342-b553-4abfaf421b5b": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "Potential WPAD Spoofing via DNS Record Creation", "sha256": "7c29cdef0a6ebeafbe4e910b112d583288fc53752af7e0be673133e731c7b6ed", @@ -7103,7 +6954,7 @@ "897dc6b5-b39f-432a-8d75-d3730d50c782": { "min_stack_version": "8.13", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Kerberos Traffic from Unusual Process", "sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50", @@ -7119,7 +6970,7 @@ "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Command Prompt Network Connection", "sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271", 
@@ -7165,7 +7016,7 @@ "8a1d4831-3ce6-4859-9891-28931fa6101d": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Suspicious Execution from a Mounted Device", "sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3", @@ -7199,7 +7050,7 @@ "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Executable File Creation with Multiple Extensions", "sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0", @@ -7222,7 +7073,7 @@ "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Enable Host Network Discovery via Netsh", "sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d", @@ -7257,7 +7108,7 @@ "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Unusual Child Process of dns.exe", "sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460", @@ -7296,7 +7147,6 @@ "version": 11 }, "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf": { - "min_stack_version": "8.10", "rule_name": "RPM Package Installed by Unusual Parent Process", "sha256": "024fc49f53a9fd7181c86315420fe4dccfb3bdd681a4137d7cdf9941fcb288fe", "type": "new_terms", @@ -7329,7 +7179,7 @@ "8e2485b6-a74f-411b-bf7f-38b819f3a846": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "Potential WSUS Abuse for Lateral Movement", "sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3", 
@@ -7358,7 +7208,7 @@ "8eec4df1-4b4b-4502-b6c3-c788714604c9": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 104, "rule_name": "Bitsadmin Activity", "sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e", @@ -7374,7 +7224,7 @@ "8f242ffb-b191-4803-90ec-0f19942e17fd": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "sha256": "69eda3393bec929f1158fe872d2aac7cd1fb162a851c342ba041fa666a8a09b7", @@ -7396,7 +7246,7 @@ "8f919d4b-a5af-47ca-a594-6be59cd924a4": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68", @@ -7442,7 +7292,7 @@ "90babaa8-5216-4568-992d-d4a01a105d98": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 103, "rule_name": "InstallUtil Activity", "sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f", @@ -7500,7 +7350,7 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", @@ -7523,7 +7373,7 @@ "92a6faf5-78ec-4e25-bea1-73bacc9b59d9": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "A scheduled task was created", "sha256": "51fc451b7a928144398a72653372d93f57fc18535dfb3a3667e6e7c3ec10f052", 
@@ -7539,7 +7389,7 @@ "92d3a04e-6487-4b62-892d-70e640a590dc": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 103, "rule_name": "Potential Evasion via Windows Filtering Platform", "sha256": "4c1a9ea8c710b1e04ca1f0f4c3ded936d6b02249faca0a7424388c37e4c3782e", @@ -7573,7 +7423,7 @@ "93b22c0a-06a0-4131-b830-b10d5e166ff4": { "min_stack_version": "8.13", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Suspicious SolarWinds Child Process", "sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606", @@ -7589,20 +7439,13 @@ "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Encoded Executable Stored in the Registry", "sha256": "e20bede2cf9f7765ae6d20ca1cf0c101e18b2cce36bd1404306fcfbdfc346d4c", "type": "eql", "version": 108 }, - "8.11": { - "max_allowable_version": 308, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4", - "type": "eql", - "version": 209 - }, "8.13": { "max_allowable_version": 410, "rule_name": "Encoded Executable Stored in the Registry", @@ -7643,7 +7486,7 @@ "94a401ba-4fa2-455c-b7ae-b6e037afc0b7": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "Group Policy Discovery via Microsoft GPResult Utility", "sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1", @@ -7679,7 +7522,7 @@ "951779c2-82ad-4a6c-82b8-296c1f691449": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 103, "rule_name": "Potential PowerShell Pass-the-Hash/Relay Script", "sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897", 
@@ -7695,7 +7538,7 @@ "954ee7c8-5437-49ae-b2d6-2960883898e9": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Remote Scheduled Task Creation", "sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8", @@ -7711,7 +7554,7 @@ "959a7353-1129-4aa7-9084-30746b256a70": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "PowerShell Suspicious Script with Screenshot Capabilities", "sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c", @@ -7764,7 +7607,7 @@ "97020e61-e591-4191-8a3b-2861a2b887cd": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 107, "rule_name": "SeDebugPrivilege Enabled by a Suspicious Process", "sha256": "59ac20ddf0ad6c973682600530ec32145c00eecd4dadbd7760ff440d6eaee57c", @@ -7810,20 +7653,13 @@ "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Suspicious Zoom Child Process", "sha256": "caeba78c336bb935017ea2fa0a4a71a5d66c521649882281fff349ee6094c4da", "type": "eql", "version": 111 }, - "8.11": { - "max_allowable_version": 311, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea", - "type": "eql", - "version": 213 - }, "8.13": { "max_allowable_version": 413, "rule_name": "Suspicious Zoom Child Process", @@ -7882,7 +7718,7 @@ "98843d35-645e-4e66-9d6a-5049acd96ce1": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 103, "rule_name": "Indirect Command Execution via Forfiles/Pcalua", "sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc", 
@@ -7928,7 +7764,7 @@ "994e40aa-8c85-43de-825e-15f665375ee8": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 109, "rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3", @@ -7944,7 +7780,7 @@ "9960432d-9b26-409f-972b-839a959e79e2": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 309, "rule_name": "Potential Credential Access via LSASS Memory Dump", "sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3", @@ -7990,7 +7826,7 @@ "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Suspicious Explorer Child Process", "sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7", @@ -8013,7 +7849,7 @@ "9aa0e1f6-52ce-42e1-abb3-09657cee2698": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Scheduled Tasks AT Command Enabled", "sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88", @@ -8049,7 +7885,7 @@ "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Persistence via WMI Event Subscription", "sha256": "f84d0750e79c7e23c031d4418102d9813c8bf40cf0c1c297bb68b2e68ecd6662", @@ -8070,7 +7906,6 @@ "version": 312 }, "9b80cb26-9966-44b5-abbf-764fbdbc3586": { - "min_stack_version": "8.11", "rule_name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", "sha256": "818ec7b5077ef339d297c377bd56ef3592dbf978c6f01eab575e082d7ec31f59", "type": "eql", 
@@ -8079,7 +7914,7 @@ "9c260313-c811-4ec8-ab89-8f6530e0246c": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Hosts File Modified", "sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2", @@ -8095,7 +7930,7 @@ "9c865691-5599-447a-bac9-b3f2df5f9a9d": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "Remote Scheduled Task Creation via RPC", "sha256": "247721b2ad4e7f9a94e9bbd1effaef53279a2504856ed04ae48b17a46729cccb", @@ -8117,7 +7952,7 @@ "9ccf3ce0-0057-440a-91f5-870c6ad39093": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Command Shell Activity Started via RunDLL32", "sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057", @@ -8152,7 +7987,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 310, "rule_name": "Microsoft Build Engine Started by a Script Process", "sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c", @@ -8168,7 +8003,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Microsoft Build Engine Started by a System Process", "sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641", @@ -8191,7 +8026,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Microsoft Build Engine Using an Alternate Name", "sha256": "a49d6fb17cca15bf6ca569b7a9ed627b4ac76c4508e50fca28a4a267dc420ad4", 
@@ -8207,7 +8042,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Potential Credential Access via Trusted Developer Utility", "sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5", @@ -8223,7 +8058,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 313, "rule_name": "Microsoft Build Engine Started an Unusual Process", "sha256": "357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e", @@ -8239,7 +8074,7 @@ "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Process Injection by the Microsoft Build Engine", "sha256": "eb466a234b50a51692e4c5678572f202d8d11c886c5676f92df089866b6613dc", @@ -8279,7 +8114,7 @@ "9f962927-1a4f-45f3-a57b-287f2c7029c1": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 214, "rule_name": "Potential Credential Access via DCSync", "sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921", @@ -8307,7 +8142,7 @@ "a02cb68e-7c93-48d1-93b2-2c39023308eb": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "A scheduled task was updated", "sha256": "c135f8efdd7137ef937b19eb29aa4a88640d556690f529620d1c24f6c391ec3f", @@ -8335,7 +8170,7 @@ "a13167f1-eec2-4015-9631-1fee60406dcf": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "InstallUtil Process Making Network Connections", "sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f", 
@@ -8357,7 +8192,7 @@ "a16612dd-b30e-4d41-86a0-ebe70974ec00": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2", @@ -8373,7 +8208,7 @@ "a1699af0-8e1e-4ed0-8ec1-89783538a061": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 107, "rule_name": "Windows Subsystem for Linux Distribution Installed", "sha256": "254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9", @@ -8420,7 +8255,7 @@ "a22a09c2-2162-4df0-a356-9aacbeb56a04": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "DNS-over-HTTPS Enabled via Registry", "sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36", @@ -8449,7 +8284,7 @@ "a2d04374-187c-4fd9-b513-3ad4e7fdd67a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "PowerShell Mailbox Collection Script", "sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58", @@ -8465,7 +8300,7 @@ "a3ea12f3-0d4e-4667-8b44-4230c63f3c75": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Execution via local SxS Shared Module", "sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525", @@ -8510,7 +8345,6 @@ "version": 2 }, "a577e524-c2ee-47bd-9c5b-e917d01d3276": { - "min_stack_version": "8.11", "rule_name": "CAP_SYS_ADMIN Assigned to Binary", "sha256": "00f42d57112c89636c565a010538b148ea16560e48c7e77209ae4aea7966ac84", "type": "new_terms", 
@@ -8549,7 +8383,7 @@ "a624863f-a70d-417f-a7d2-7a404638d47f": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Suspicious MS Office Child Process", "sha256": "3c33d3c17dd17722da2beb479065e86e20568514289f6b08fa02d682146ad1ed", @@ -8596,7 +8430,7 @@ "a7e7bfa3-088e-4f13-b29e-3986e0e756b8": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Credential Acquisition via Registry Hive Dumping", "sha256": "065a55514fdc9035ad658a5e591fa4c6fa510746aa52a1f262714061676b6d4d", @@ -8617,7 +8451,6 @@ "version": 311 }, "a80d96cd-1164-41b3-9852-ef58724be496": { - "min_stack_version": "8.10", "rule_name": "Privileged Docker Container Creation", "sha256": "71a69d4b84ccadbd7640c534e386e6eb4f86321b6bc43973d840f1a936706df4", "type": "new_terms", @@ -8674,7 +8507,7 @@ "a9b05c3b-b304-4bf9-970d-acdfaef2944c": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Persistence via Hidden Run Key Detected", "sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d", @@ -8708,7 +8541,7 @@ "aa9a274d-6b53-424d-ac5e-cb8ca4251650": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Remotely Started Services via RPC", "sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0", @@ -8749,7 +8582,7 @@ "abae61a8-c560-4dbd-acca-1e1438bff36b": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 205, "rule_name": "Unusual Windows Process Calling the Metadata Service", "sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676", 
@@ -8771,20 +8604,13 @@ "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Suspicious WerFault Child Process", "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", "type": "eql", "version": 112 }, - "8.11": { - "max_allowable_version": 313, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10", - "type": "eql", - "version": 214 - }, "8.13": { "max_allowable_version": 414, "rule_name": "Suspicious WerFault Child Process", @@ -8807,7 +8633,7 @@ "ac5a2759-5c34-440a-b0c4-51fe674611d6": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 100, "rule_name": "Outlook Home Page Registry Modification", "sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83", @@ -8830,7 +8656,7 @@ "ac6bc744-e82b-41ad-b58d-90654fa4ebfb": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 100, "rule_name": "WPS Office Exploitation via DLL Hijack", "sha256": "006e257e7f3f415df5102ead250e9554e6755e192771f58bdab3c554075b7ae5", @@ -8858,7 +8684,7 @@ "ac96ceb8-4399-4191-af1d-4feeac1f1f46": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Potential Invoke-Mimikatz PowerShell Script", "sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21", @@ -8892,7 +8718,7 @@ "acf738b5-b5b2-4acc-bad9-1e18ee234f40": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Suspicious Managed Code Hosting Process", "sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a", 
@@ -8915,7 +8741,7 @@ "ad0d2742-9a49-11ec-8d6b-acde48001122": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Signed Proxy Execution via MS Work Folders", "sha256": "810a8c957958d6e605deb047daa6566df4f3fc373fd5b47f4840489c8b1d76d4", @@ -8956,7 +8782,7 @@ "ad84d445-b1ce-4377-82d9-7c633f28bf9a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Suspicious Portable Executable Encoded in Powershell Script", "sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d", @@ -9002,7 +8828,7 @@ "ae8a142c-6a1d-4918-bea7-0b617e99ecfa": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 104, "rule_name": "Suspicious Execution via Microsoft Office Add-Ins", "sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184", @@ -9037,7 +8863,7 @@ "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Local Scheduled Task Creation", "sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0", @@ -9077,7 +8903,7 @@ "b0638186-4f12-48ac-83d2-47e686d08e82": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 101, "rule_name": "Netsh Helper DLL", "sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9", @@ -9113,7 +8939,7 @@ "b2318c71-5959-469a-a3ce-3a0768e63b9c": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 105, "rule_name": "Potential Network Share Discovery", "sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c", 
@@ -9135,7 +8961,7 @@ "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "min_stack_version": "8.13", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Remote File Copy via TeamViewer", "sha256": "a29d0b9a977b708aa1a61691d747913dbec9f7c2b91dbc0a40e511177f53deab", @@ -9157,7 +8983,7 @@ "b29ee2be-bf99-446c-ab1a-2dc0183394b8": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Network Connection via Compiled HTML File", "sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b", @@ -9185,7 +9011,7 @@ "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Suspicious Endpoint Security Parent Process", "sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817", @@ -9208,7 +9034,7 @@ "b43570de-a908-4f7f-8bdb-b2df6ffd8c80": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 108, "rule_name": "Code Signing Policy Modification Through Built-in tools", "sha256": "168f65fff8c879d2ac1d9d8f75f943f5bfc82f8f42fb32accf1cafe4fa2f394b", @@ -9243,7 +9069,7 @@ "b483365c-98a8-40c0-92d8-0458ca25058a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 104, "rule_name": "At.exe Command Lateral Movement", "sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402", @@ -9271,7 +9097,7 @@ "b5877334-677f-4fb9-86d5-a9721274223b": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Clearing Windows Console History", "sha256": "31a8236d386d194b359d207af5df1bf72482fd394b73f8560ec1fc6de98072eb", 
@@ -9294,7 +9120,7 @@ "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "sha256": "4466accbd5ff400c7b23c229e6337d6832b2b1ec20954ba16572704e2f965837", @@ -9329,7 +9155,7 @@ "b64b183e-1a76-422d-9179-7b389513e74d": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Windows Script Interpreter Executing Process via WMI", "sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc", @@ -9345,7 +9171,7 @@ "b661f86d-1c23-4ce7-a59e-2edbdba28247": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 101, "rule_name": "Potential Veeam Credential Access Command", "sha256": "b3f8b7e37e939e3cd6163ab49a982617cbd2281cc8245da41d7f0b07ffb9ac0d", @@ -9368,7 +9194,7 @@ "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 101, "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", "sha256": "050e1cfaf93c6b295453f348901119d4394b12f7e0cab4e059bd351a1b69dd62", @@ -9414,7 +9240,7 @@ "b8386923-b02c-4b94-986a-d223d9b01f88": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 107, "rule_name": "PowerShell Invoke-NinjaCopy script", "sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21", 
@@ -9430,20 +9256,13 @@ "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93", "type": "eql", "version": 108 }, - "8.11": { - "max_allowable_version": 309, - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04", - "type": "eql", - "version": 210 - }, "8.13": { "max_allowable_version": 410, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", @@ -9460,7 +9279,7 @@ "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 205, "rule_name": "Network Connection via MsXsl", "sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266", @@ -9476,20 +9295,13 @@ "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 104, "rule_name": "Kirbi File Creation", "sha256": "dac2e2c25e7dd1a182070fd822b152f0095457a92cc288cdb320b70210ac5506", "type": "eql", "version": 6 }, - "8.11": { - "max_allowable_version": 206, - "rule_name": "Kirbi File Creation", - "sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22", - "type": "eql", - "version": 107 - }, "8.13": { "max_allowable_version": 309, "rule_name": "Kirbi File Creation", @@ -9506,7 +9318,7 @@ "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d", 
@@ -9547,7 +9359,7 @@ "b9554892-5e0e-424b-83a0-5aef95aa43bf": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Group Policy Abuse for Privilege Addition", "sha256": "5971f13dca2e4aa9242197c75db0ea4b322db1fbca63722424ceb9cbd06d0233", @@ -9569,7 +9381,7 @@ "b9960fef-82c6-4816-befa-44745030e917": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "SolarWinds Process Disabling Services via Registry", "sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847", @@ -9598,7 +9410,7 @@ "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 205, "rule_name": "Unusual Windows Network Activity", "sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57", @@ -9620,7 +9432,7 @@ "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office", "sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671", @@ -9676,7 +9488,6 @@ "version": 104 }, "bc0fc359-68db-421e-a435-348ced7a7f92": { - "min_stack_version": "8.11", "rule_name": "Potential Privilege Escalation via Enlightenment", "sha256": "6401927f8fccbd1a2df04a2676ccbbb51a67242c1fed8afcc893fdff0e431642", "type": "eql", @@ -9721,7 +9532,7 @@ "bd2c86a0-8b61-4457-ab38-96943984e889": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 214, "rule_name": "PowerShell Keylogging Script", "sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e", 
@@ -9737,7 +9548,7 @@ "bd3d058d-5405-4cee-b890-337f09366ba2": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 104, "rule_name": "Potential Defense Evasion via CMSTP.exe", "sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a", @@ -9753,7 +9564,7 @@ "bd7eefee-f671-494e-98df-f01daf9e5f17": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler Point and Print DLL", "sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c", @@ -9775,7 +9586,7 @@ "bdcf646b-08d4-492c-870a-6c04e3700034": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Potential Privileged Escalation via SamAccountName Spoofing", "sha256": "88869a90ff8b60cea2e3b311a3cff7348cabd05ea463923dacb7e7810c9063a8", @@ -9807,7 +9618,7 @@ "bdfebe11-e169-42e3-b344-c5d2015533d3": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 106, "rule_name": "Suspicious Windows Process Cluster Spawned by a Host", "sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206", @@ -9829,7 +9640,7 @@ "be8afaed-4bcd-4e0a-b5f9-5562003dde81": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Searching for Saved Credentials via VaultCmd", "sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7", @@ -9870,7 +9681,7 @@ "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f", 
@@ -9892,7 +9703,7 @@ "c0429aa8-9974-42da-bfb6-53a0a515a145": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Creation or Modification of a new GPO Scheduled Task or Service", "sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210", @@ -9927,7 +9738,7 @@ "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 102, "rule_name": "PowerShell Script with Windows Defender Tampering Capabilities", "sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2", @@ -9973,7 +9784,7 @@ "c25e9c87-95e1-4368-bfab-9fd34cf867ec": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Microsoft IIS Connection Strings Decryption", "sha256": "fbee6d2c06dbbfc87ca0b8695bd5b6d9f72acbb751ce228da8e4cb479b01d60f", @@ -10006,7 +9817,6 @@ "version": 107 }, "c296f888-eac6-4543-8da5-b6abb0d3304f": { - "min_stack_version": "8.11", "rule_name": "Privilege Escalation via GDB CAP_SYS_PTRACE", "sha256": "ea98f3aeb649cfc57e8d9c4a04ecb8f4599dd683fc28415e8146ca925c02d14d", "type": "eql", @@ -10015,7 +9825,7 @@ "c2d90150-0133-451c-a783-533e736c12d7": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Mshta Making Network Connections", "sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624", 
@@ -10043,20 +9853,13 @@ "c3b915e0-22f3-4bf7-991d-b643513c722f": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156", "type": "eql", "version": 107 }, - "8.11": { - "max_allowable_version": 308, - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87", - "type": "eql", - "version": 209 - }, "8.13": { "max_allowable_version": 409, "rule_name": "Persistence via BITS Job Notify Cmdline", @@ -10079,7 +9882,7 @@ "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "Mounting Hidden or WebDav Remote Shares", "sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e", @@ -10102,7 +9905,7 @@ "c4818812-d44f-47be-aaef-4cfb2f9cc799": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Suspicious Print Spooler File Deletion", "sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff", @@ -10131,7 +9934,7 @@ "c55badd3-3e61-4292-836f-56209dc8a601": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 105, "rule_name": "Attempted Private Key Access", "sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa", @@ -10147,7 +9950,7 @@ "c5677997-f75b-4cda-b830-a75920514096": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 105, "rule_name": "Service Path Modification via sc.exe", "sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32", 
@@ -10163,7 +9966,7 @@ "c57f8579-e2a5-4804-847f-f2732edc5156": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Potential Remote Desktop Shadowing Activity", "sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a", @@ -10192,7 +9995,7 @@ "c5c9f591-d111-4cf8-baec-c26a39bc31ef": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 207, "rule_name": "Potential Credential Access via Renamed COM+ Services DLL", "sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f", @@ -10208,7 +10011,7 @@ "c5ce48a6-7f57-4ee8-9313-3d0024caee10": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 208, "rule_name": "Installation of Custom Shim Databases", "sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b", @@ -10231,7 +10034,7 @@ "c5dc3223-13a2-44a2-946c-e9dc0aa0449c": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Microsoft Build Engine Started by an Office Application", "sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281", @@ -10260,7 +10063,7 @@ "c6453e73-90eb-4fe7-a98c-cde7bbfc504a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Remote File Download via MpCmdRun", "sha256": "c2186669d5261bfa7c34dc39f93fc099d98e0e2e752839199476fe5c176ccc2c", @@ -10314,7 +10117,7 @@ "c7894234-7814-44c2-92a9-f7d851ea246a": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 206, "rule_name": "Unusual Network Connection via DllHost", "sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6", 
@@ -10336,7 +10139,7 @@ "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Unusual File Modification by dns.exe", "sha256": "a52a50c6b43c02c95ace52b42924ca8e064e2f859b4d50fdba2866d47ac9d182", @@ -10400,7 +10203,7 @@ "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 212, "rule_name": "Suspicious Startup Shell Folder Modification", "sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78", @@ -10423,7 +10226,7 @@ "c8cccb06-faf2-4cd5-886e-2c9636cfcb87": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Disabling Windows Defender Security Settings via PowerShell", "sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f", @@ -10506,7 +10309,7 @@ "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { "min_stack_version": "8.13", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 101, "rule_name": "Multiple Okta Client Addresses for a Single User Session", "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5", @@ -10594,7 +10397,7 @@ "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 110, "rule_name": "Potential PowerShell HackTool Script by Function Names", "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", @@ -10629,7 +10432,7 @@ "ce64d965-6cb0-466d-b74f-8d2c76f47f05": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 209, "rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65", 
@@ -10676,7 +10479,7 @@ "cff92c41-2225-4763-b4ce-6f71e5bda5e6": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 213, "rule_name": "Execution from Unusual Directory - Command Line", "sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe", @@ -10717,7 +10520,7 @@ "d0e159cf-73e9-40d1-a9ed-077e3158a855": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 210, "rule_name": "Registry Persistence via AppInit DLL", "sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35", @@ -10740,7 +10543,7 @@ "d117cbb4-7d56-41b4-b999-bdf8c25648a0": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Symbolic Link to Shadow Copy Created", "sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20", @@ -10793,7 +10596,7 @@ "d31f183a-e5b1-451b-8534-ba62bca0b404": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 211, "rule_name": "Disabling User Account Control via Registry Modification", "sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7", @@ -10816,7 +10619,7 @@ "d331bbe2-6db4-4941-80a5-8270db72eb61": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 213, "rule_name": "Clearing Windows Event Logs", "sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548", @@ -10839,7 +10642,7 @@ "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": { "min_stack_version": "8.14", "previous": { - "8.10": { + "8.11": { "max_allowable_version": 106, "rule_name": "Remote Windows Service Installed", "sha256": "d3d7e72381e6345a67cffab43f821b026927d01ad097fa644718316d8b841386", 
@@ -10855,7 +10658,7 @@
 "d3551433-782f-4e22-bbea-c816af2d41c6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 103,
 "rule_name": "WMI WBEMTEST Utility Execution",
 "sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766",
@@ -10917,7 +10720,6 @@
 "version": 5
 },
 "d55abdfb-5384-402b-add4-6c401501b0c3": {
- "min_stack_version": "8.11",
 "rule_name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities",
 "sha256": "f6afb5d7d43edf7f2bb60691606cbc408d2e5790f4939177bdf5b9822c465fff",
 "type": "eql",
@@ -10926,7 +10728,7 @@
 "d563aaba-2e72-462b-8658-3e5ea22db3a6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 207,
 "rule_name": "Privilege Escalation via Windir Environment Variable",
 "sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625",
@@ -10955,7 +10757,7 @@
 "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 206,
 "rule_name": "Service Command Lateral Movement",
 "sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42",
@@ -10995,7 +10797,7 @@
 "d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 113,
 "rule_name": "System Information Discovery via Windows Command Shell",
 "sha256": "b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e",
@@ -11017,7 +10819,7 @@
 "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Modification of WDigest Security Provider",
 "sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e",
@@ -11033,7 +10835,7 @@
 "d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Command Execution via SolarWinds Process",
 "sha256": "8fbf7a1dcae87ae50b11fbc90ac978f7238819b6fffdbff9e2762e2ba3cef2a9",
@@ -11110,7 +10912,7 @@
 "d93e61db-82d6-4095-99aa-714988118064": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 101,
 "rule_name": "NTDS Dump via Wbadmin",
 "sha256": "34ce5f9596b36a1b992575548e8c62b16a49e5261440a67f784671e4eb4bdbb3",
@@ -11133,7 +10935,7 @@
 "d99a037b-c8e2-47a5-97b9-170d076827c4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Volume Shadow Copy Deletion via PowerShell",
 "sha256": "c312ca88ca87b5842950e5a73570f60860a7d415c34293e91196686fbad5e738",
@@ -11156,7 +10958,7 @@
 "d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 100,
 "rule_name": "Suspicious Windows Command Shell Arguments",
 "sha256": "0dd9b1e590a4b301d83ffb6fbc022556f692630bef01e7d31223c89a7032ecdb",
@@ -11179,7 +10981,7 @@
 "da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 110,
 "rule_name": "Code Signing Policy Modification Through Registry",
 "sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e",
@@ -11208,7 +11010,7 @@
 "da87eee1-129c-4661-a7aa-57d0b9645fad": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 109,
 "rule_name": "Suspicious Service was Installed in the System",
 "sha256": "2b3b6416e094f6fd0f246cdccd204f657433c0899082d352eee17f0a42c6e5cb",
@@ -11230,7 +11032,7 @@
 "daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 105,
 "rule_name": "Potential Pass-the-Hash (PtH) Attempt",
 "sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d",
@@ -11252,7 +11054,7 @@
 "db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 102,
 "rule_name": "Network-Level Authentication (NLA) Disabled",
 "sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474",
@@ -11275,7 +11077,7 @@
 "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "Execution via Windows Subsystem for Linux",
 "sha256": "86c73ee5160e7e68a9e03ca44a7191655b1ab3644edf3c7468b433eb42722f54",
@@ -11328,7 +11130,7 @@
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
 "sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75",
@@ -11357,7 +11159,7 @@
 "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 102,
 "rule_name": "Suspicious Execution from INET Cache",
 "sha256": "6890ee7e9f98fd62cb7e5660852cebcf2ec9c6a367072ae8b1660ee40eca75da",
@@ -11380,7 +11182,7 @@
 "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 107,
 "rule_name": "Attempt to Install Kali Linux via WSL",
 "sha256": "7209db8e30fa81579cc3b28f823b3efc3f48863b31868b2c52ccee2a937887bd",
@@ -11415,7 +11217,7 @@
 "ddab1f5f-7089-44f5-9fda-de5b11322e77": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "NullSessionPipe Registry Modification",
 "sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2",
@@ -11445,7 +11247,7 @@
 "de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Unusual Child Process from a System Virtual Process",
 "sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8",
@@ -11486,7 +11288,7 @@
 "df197323-72a8-46a9-a08e-3f5b04a4a97a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 205,
 "rule_name": "Unusual Windows User Calling the Metadata Service",
 "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e",
@@ -11533,7 +11335,7 @@
 "dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 102,
 "rule_name": "Potential privilege escalation via CVE-2022-38028",
 "sha256": "be7d0516427d16d13075a9c6cbeb259c965436b814a3a00c02a5a879e239aaaa",
@@ -11568,7 +11370,7 @@
 "e052c845-48d0-4f46-8a13-7d0aba05df82": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 207,
 "rule_name": "KRBTGT Delegation Backdoor",
 "sha256": "5b56188233f9c0e6251065b18ac9a7d80ebd1b7cd9a55d4dfbc2fa8735b403cc",
@@ -11584,7 +11386,7 @@
 "e0881d20-54ac-457f-8733-fe0bc5d44c55": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 108,
 "rule_name": "System Service Discovery through built-in Windows Utilities",
 "sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e",
@@ -11660,7 +11462,7 @@
 "e26f042e-c590-4e82-8e05-41e81bd822ad": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Suspicious .NET Reflection via PowerShell",
 "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
@@ -11681,7 +11483,6 @@
 "version": 316
 },
 "e28b8093-833b-4eda-b877-0873d134cf3c": {
- "min_stack_version": "8.11",
 "rule_name": "Network Traffic Capture via CAP_NET_RAW",
 "sha256": "f5c6eb26668b0618457eb54076493de70230dd3c72adcd575923b13012ae0c45",
 "type": "new_terms",
@@ -11709,7 +11510,7 @@
 "e2e0537d-7d8f-4910-a11d-559bcf61295a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 107,
 "rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
 "sha256": "b9a7b32c3dfb500b067eb62db94be7e669a714213f44475884a5d82188a89576",
@@ -11732,7 +11533,7 @@
 "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
 "sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff",
@@ -11754,7 +11555,7 @@
 "e3343ab9-4245-4715-b344-e11c56b0a47f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Process Activity via Compiled HTML File",
 "sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb",
@@ -11789,7 +11590,7 @@
 "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 206,
 "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
 "sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e",
@@ -11811,7 +11612,7 @@
 "e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 104,
 "rule_name": "First Time Seen NewCredentials Logon Process",
 "sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f",
@@ -11833,7 +11634,7 @@
 "e4e31051-ee01-4307-a6ee-b21b186958f4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 205,
 "rule_name": "Service Creation via Local Kerberos Authentication",
 "sha256": "b0f8db3df27e01d7b12cdd167287aca6d31dcafc2878624cdfc8971185e9c74d",
@@ -11849,7 +11650,7 @@
 "e514d8cd-ed15-4011-84e2-d15147e059f1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Kerberos Pre-authentication Disabled for User",
 "sha256": "2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03",
@@ -11913,7 +11714,7 @@
 "e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 206,
 "rule_name": "Execution of Persistent Suspicious Program",
 "sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478",
@@ -11929,7 +11730,7 @@
 "e72f87d0-a70e-4f8d-8443-a6407bc34643": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 205,
 "rule_name": "Suspicious WMI Event Subscription Created",
 "sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20",
@@ -11957,7 +11758,7 @@
 "e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 100,
 "rule_name": "Unusual Execution via Microsoft Common Console File",
 "sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35",
@@ -11998,7 +11799,7 @@
 "e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Service Control Spawned via Script Interpreter",
 "sha256": "23319cac9de2bde953f91039aa5aaf01a9dee132682c44d6c32a15b80a48bc70",
@@ -12014,7 +11815,7 @@
 "e86da94d-e54b-4fb5-b96c-cecff87e8787": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "Installation of Security Support Provider",
 "sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7",
@@ -12037,7 +11838,7 @@
 "e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "Host Files System Changes via Windows Subsystem for Linux",
 "sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006",
@@ -12083,7 +11884,7 @@
 "e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Unusual Executable File Creation by a System Critical Process",
 "sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f",
@@ -12136,7 +11937,7 @@
 "ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "Unusual Process Spawned by a Parent Process",
 "sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879",
@@ -12176,7 +11977,7 @@
 "eb44611f-62a8-4036-a5ef-587098be6c43": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 105,
 "rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
 "sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad",
@@ -12192,7 +11993,7 @@
 "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "PowerShell Kerberos Ticket Request",
 "sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb",
@@ -12220,20 +12021,13 @@
 "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "Mimikatz Memssp Log File Detected",
 "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98",
 "type": "eql",
 "version": 109
 },
- "8.11": {
- "max_allowable_version": 310,
- "rule_name": "Mimikatz Memssp Log File Detected",
- "sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140",
- "type": "eql",
- "version": 211
- },
 "8.13": {
 "max_allowable_version": 411,
 "rule_name": "Mimikatz Memssp Log File Detected",
@@ -12250,7 +12044,7 @@
 "ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "IIS HTTP Logging Disabled",
 "sha256": "1d1a052986ba865ecb1849338b1b869d684513a6631e04cab4c9db4a1eed568f",
@@ -12273,7 +12067,7 @@
 "ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Process Execution from an Unusual Directory",
 "sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce",
@@ -12332,7 +12126,7 @@
 "eda499b8-a073-4e35-9733-22ec71f57f3a": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "AdFind Command Activity",
 "sha256": "c46b6502090d25c7bb5161cdb2c5e4487119fface180acbec85cd9f704de19b1",
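Review bot: In the `ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6` hunk the surviving `"8.11"` entry carries the payload that used to sit under `"8.10"` (`max_allowable_version` 208, `version` 109, sha256 `1fe569…`), while the entry that was actually keyed `"8.11"` before (`max_allowable_version` 310, `version` 211, sha256 `91956d…`) is deleted. If the aim of retiring 8.10 is to leave the lock for 8.11 stacks untouched, I would expect the old `"8.11"` block to be the one kept and the `"8.10"` block to be the one dropped, not the reverse; as written, the locked version for the 8.11 line falls from 211 to 109 and points at a different rule hash. The same pattern appears in the `fa488440-04cc-41d7-9279-539387bf2a17` hunk further down. This presumably comes from the version-lock tooling rather than a hand edit, so it is worth confirming the relabelling is intended before the lock is released. The `ebb200e8` object continues past the end of the hunk.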
@@ -12361,7 +12155,7 @@
 "edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "ImageLoad via Windows Update Auto Update Client",
 "sha256": "d9390521fb8ec490fd84fdba1668ebb433862673b898bc446455d90b71cd13a8",
@@ -12396,7 +12190,7 @@
 "ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "Unusual Print Spooler Child Process",
 "sha256": "1c4b115ce0bde803fa63edbabb634df01af0720cabb3012ed329a5031cd7c961",
@@ -12448,7 +12242,7 @@
 "ef862985-3f13-4262-a686-5f357bbb9bc2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Whoami Process Activity",
 "sha256": "85fc0e0d9af73aa5f5fc4dd729db10425c22c61214f864625a235cffcca9c508",
@@ -12470,7 +12264,7 @@
 "f036953a-4615-4707-a1ca-dc53bf69dcd5": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 207,
 "rule_name": "Unusual Child Processes of RunDLL32",
 "sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe",
@@ -12540,7 +12334,7 @@
 "f243fe39-83a4-46f3-a3b6-707557a102df": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 104,
 "rule_name": "Service Path Modification",
 "sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599",
@@ -12568,7 +12362,7 @@
 "f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "SIP Provider Modification",
 "sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e",
@@ -12591,7 +12385,7 @@
 "f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "LSASS Memory Dump Creation",
 "sha256": "7e795307c7ee80d811f2bdbe317f0b5e563dbd232e6ff795ecb0a1f21dd1e2c4",
@@ -12632,7 +12426,7 @@
 "f3475224-b179-4f78-8877-c2bd64c26b88": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "WMI Incoming Lateral Movement",
 "sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e",
@@ -12672,7 +12466,7 @@
 "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 207,
 "rule_name": "Persistence via Microsoft Office AddIns",
 "sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc",
@@ -12701,7 +12495,7 @@
 "f494c678-3c33-43aa-b169-bb3d5198c41d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 212,
 "rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
 "sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d",
@@ -12722,7 +12516,6 @@
 "version": 2
 },
 "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee": {
- "min_stack_version": "8.10",
 "rule_name": "DPKG Package Installed by Unusual Parent Process",
 "sha256": "d1fdc0cf4916e52650e3c796851aa1b7ce6f2c33b18b0b7d62594435904c9876",
 "type": "new_terms",
@@ -12743,7 +12536,7 @@
 "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Windows Script Executing PowerShell",
 "sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c",
@@ -12772,7 +12565,7 @@
 "f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 107,
 "rule_name": "Rare SMB Connection to the Internet",
 "sha256": "c40aac172f1cdf1b7ccb004c0801fc47510425f767724967677d2084cdbf562d",
@@ -12788,7 +12581,7 @@
 "f5861570-e39a-4b8a-9259-abd39f84cb97": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "WRITEDAC Access on Active Directory Object",
 "sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531",
@@ -12804,7 +12597,7 @@
 "f59668de-caa0-4b84-94c1-3a1549e1e798": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "WMIC Remote Command",
 "sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689",
@@ -12826,7 +12619,7 @@
 "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
 "sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60",
@@ -12854,7 +12647,7 @@
 "f63c8e3c-d396-404f-b2ea-0379d3942d73": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Windows Firewall Disabled via PowerShell",
 "sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
@@ -12883,7 +12676,7 @@
 "f675872f-6d85-40a3-b502-c0d2ef101e92": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Delete Volume USN Journal with Fsutil",
 "sha256": "405bde7c6d0f3ef9dcfc7e1924b27101ba6c8b94fad77b6398bd191d56a95503",
@@ -12936,7 +12729,7 @@
 "f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Persistent Scripts in the Startup Directory",
 "sha256": "3e8f291e2a3c067b9b355896116b130d4aea64f67e03fe8b2c4551ddfb9c83ac",
@@ -12957,7 +12750,6 @@
 "version": 312
 },
 "f7c70f2e-4616-439c-85ac-5b98415042fe": {
- "min_stack_version": "8.11",
 "rule_name": "Potential Privilege Escalation via Linux DAC permissions",
 "sha256": "c019dc62df736fd44d9e738556bb88927bb5a3381f6dd541d60087ba788d3255",
 "type": "new_terms",
@@ -12966,7 +12758,7 @@
 "f81ee52c-297e-46d9-9205-07e66931df26": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
 "sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec",
@@ -13001,7 +12793,7 @@
 "f874315d-5188-4b4a-8521-d1c73093a7e4": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 211,
 "rule_name": "Modification of AmsiEnable Registry Key",
 "sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd",
@@ -13024,7 +12816,7 @@
 "f8822053-a5d2-46db-8c96-d460b12c36ac": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 103,
 "rule_name": "Potential Active Directory Replication Account Backdoor",
 "sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03",
@@ -13040,7 +12832,7 @@
 "f909075d-afc7-42d7-b399-600b94352fd9": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 100,
 "rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
 "sha256": "d8dfe4f7a77d80cdf2454af910950a75588c1c7ad2eb770140cdf8c992dcf6ea",
@@ -13074,7 +12866,7 @@
 "f97504ac-1053-498f-aeaa-c6d01e76b379": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 101,
 "rule_name": "Browser Extension Install",
 "sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a",
@@ -13097,7 +12889,7 @@
 "f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 109,
 "rule_name": "Privileged Account Brute Force",
 "sha256": "e5f51f4e2b82a0b05641ba03fe55a1433a719fe509d21bb8023368ef4e81425e",
@@ -13119,7 +12911,7 @@
 "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Remote File Copy to a Hidden Share",
 "sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca",
@@ -13154,20 +12946,13 @@
 "fa488440-04cc-41d7-9279-539387bf2a17": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 108,
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
 "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642",
 "type": "eql",
 "version": 9
 },
- "8.11": {
- "max_allowable_version": 210,
- "rule_name": "Suspicious Antimalware Scan Interface DLL",
- "sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc",
- "type": "eql",
- "version": 111
- },
 "8.13": {
 "max_allowable_version": 312,
 "rule_name": "Suspicious Antimalware Scan Interface DLL",
@@ -13196,7 +12981,7 @@
 "fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 207,
 "rule_name": "Network Connection via Registration Utility",
 "sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d",
@@ -13230,7 +13015,7 @@
 "fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 208,
 "rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
 "sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
@@ -13283,7 +13068,7 @@
 "fd4a992d-6130-4802-9ff8-829b89ae801f": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 210,
 "rule_name": "Potential Application Shimming via Sdbinst",
 "sha256": "9f7d06cfbaaf01ad88f6a276c277892a422e7537769e0d96e7070b2598e9ad63",
@@ -13306,7 +13091,7 @@
 "fd70c98a-c410-42dc-a2e3-761c71848acf": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 209,
 "rule_name": "Suspicious CertUtil Commands",
 "sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c",
@@ -13329,7 +13114,7 @@
 "fd7a6052-58fa-4397-93c3-4795249ccfa2": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 317,
 "rule_name": "Svchost spawning Cmd",
 "sha256": "3496b237c65ce8b5c66a99b52546e49a3564913f15df60b8ab5ff3831bd56e7a",
@@ -13357,7 +13142,7 @@
 "fddff193-48a3-484d-8d35-90bb3d323a56": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "PowerShell Kerberos Ticket Dump",
 "sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3",
@@ -13373,7 +13158,7 @@
 "fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 106,
 "rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
 "sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9",
@@ -13389,7 +13174,7 @@
 "fe794edd-487f-4a90-b285-3ee54f2af2d3": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 213,
 "rule_name": "Microsoft Windows Defender Tampering",
 "sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada",
@@ -13424,7 +13209,7 @@
 "feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 207,
 "rule_name": "MS Office Macro Security Registry Modifications",
 "sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329",
@@ -13483,7 +13268,7 @@
 "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
 "min_stack_version": "8.14",
 "previous": {
- "8.10": {
+ "8.11": {
 "max_allowable_version": 100,
 "rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
 "sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
diff --git a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
index 17d745b7ca1..6dcc33f9728 100644
--- a/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
+++ b/rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
@@ -2,18 +2,22 @@
 creation_date = "2020/07/25"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/07/31"
+updated_date = "2024/11/07"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account.
+This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation
+is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with
+the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the
+environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role
+or IAM user within a particular account.
 """
 false_positives = [
 """
- Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to reflect the expected frequency of known activity within a particular environment.
+ Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is
+ causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to
+ reflect the expected frequency of known activity within a particular environment.
 """,
 ]
 from = "now-6m"
@@ -46,6 +50,7 @@ event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
 event.action: (CreateStack or CreateStackSet) and event.outcome:success
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 
@@ -56,8 +61,9 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["cloud.account.id","user.name"]
+value = ["cloud.account.id", "user.name"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
+
diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml
index 4a2eb5c7020..9d4a5ba44d8 100644
--- a/rules/integrations/beaconing/command_and_control_beaconing.toml
+++ b/rules/integrations/beaconing/command_and_control_beaconing.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["beaconing", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "Beaconing package updates and support"
-min_stack_version = "8.10.1"
-updated_date = "2024/06/10"
+updated_date = "2024/11/07"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,13 @@ index = ["ml_beaconing.all"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Statistical Model Detected C2 Beaconing Activity"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/beaconing",
+ "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
+]
+risk_score = 21
+rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
 setup = """## Setup
 
 The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.
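Review bot: The rewritten description in the first `execution_new_terms_cloudformation_createstack.toml` hunk still attributes `CreateStack` and `CreateStackSet` to "AWS Cloudwatch", which contradicts the rule's own query in the following hunk (`event.provider:cloudformation.amazonaws.com`) and sends an analyst triaging the alert to the wrong service; these are CloudFormation APIs. Since the commit is already rewriting that line, I would fix the wording at the same time: `This rule detects the first time a principal calls the AWS CloudFormation CreateStack or CreateStackSet API. CloudFormation`. The later "Cloudformation" spellings in the same paragraph could follow the service's capitalisation. The `[rule]` table continues beyond the end of this hunk.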
@@ -37,17 +42,10 @@ The Network Beaconing Identification integration consists of a statistical frame
 - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
 - Follow the instructions under the **Installation** section.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/beaconing",
- "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
-]
-risk_score = 21
-rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
 severity = "low"
 tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
-type = "query"
 timestamp_override = "event.ingested"
+type = "query"
 
 query = '''
 beacon_stats.is_beaconing: true and
diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
index d14ed4e45ea..aaef19e8d11 100644
--- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
+++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["beaconing", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "Beaconing package updates and support"
-min_stack_version = "8.10.1"
-updated_date = "2024/01/05"
+updated_date = "2024/11/07"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,13 @@ index = ["ml_beaconing.all"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Statistical Model Detected C2 Beaconing Activity with High Confidence"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/beaconing",
+ "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
+]
+risk_score = 21
+rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93"
 setup = """## Setup
 
 The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.
@@ -37,17 +42,10 @@ The Network Beaconing Identification integration consists of a statistical frame
 - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
 - Follow the instructions under the **Installation** section.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/beaconing",
- "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
-]
-risk_score = 21
-rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93"
 severity = "low"
 tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
-type = "query"
 timestamp_override = "event.ingested"
+type = "query"
 
 query = '''
 beacon_stats.beaconing_score: 3
diff --git a/rules/linux/discovery_process_capabilities.toml b/rules/linux/discovery_process_capabilities.toml
index 94d02137a92..eed13b1eb86 100644
--- a/rules/linux/discovery_process_capabilities.toml
+++ b/rules/linux/discovery_process_capabilities.toml
@@ -2,15 +2,13 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0" -min_stack_version = "8.11.0" -updated_date = "2024/03/08" +updated_date = "2024/11/07" [rule] author = ["Elastic"] description = """ -Identifies recursive process capability enumeration of the entire filesystem through the getcap command. -Malicious users may manipulate identified capabilities to gain root privileges. +Identifies recursive process capability enumeration of the entire filesystem through the getcap command. Malicious users +may manipulate identified capabilities to gain root privileges. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] @@ -47,30 +45,33 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and process.name == "getcap" and process.args == "-r" and process.args == "/" and process.args_count == 3 and user.id != "0" ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" + [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + 
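Review bot: Removing `min_stack_version = "8.11.0"` (and the comment explaining it) drops the only explicit statement in this file that the `process.thread.capabilities.*` fields the query depends on do not exist before 8.11, and the same removal is repeated in the dac_permissions, enlightenment, gdb ptrace, chown/fowner, uid/gid and macOS hunks below. That is only safe if the repository-wide minimum supported stack is now 8.11 or later, which these files cannot show; if that floor is defined elsewhere, naming it in the commit message lets a reviewer confirm the rules still cannot be deployed against a stack lacking those fields. A short rationale such as `# min stack floor now >= 8.11, per-rule gate no longer needed` in the commit description would preserve the information the deleted comment carried.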
diff --git a/rules/linux/execution_potentially_overly_permissive_container_creation.toml b/rules/linux/execution_potentially_overly_permissive_container_creation.toml index ed42a06c6af..d70d112d89b 100644 --- a/rules/linux/execution_potentially_overly_permissive_container_creation.toml +++ b/rules/linux/execution_potentially_overly_permissive_container_creation.toml @@ -2,17 +2,14 @@ creation_date = "2024/07/10" integration = ["endpoint"] maturity = "production" -min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" -min_stack_version = "8.4.0" -updated_date = "2024/07/10" +updated_date = "2024/11/07" [rule] author = ["Elastic"] description = """ This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an -unusual parent process. Attackers can use the `--privileged` flag to create containers with escalated privileges, -which can lead to trivial privilege escalation, docker escaping and persistence. -access. +unusual parent process. Attackers can use the `--privileged` flag to create containers with escalated privileges, which +can lead to trivial privilege escalation, docker escaping and persistence. access. """ from = "now-9m" index = ["logs-endpoint.events.process*"] 
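Review bot: The reflowed description on the new side keeps the stray fragment `persistence. access.` at the end of the second sentence, so the wrap preserved a dangling word rather than fixing it; the line should read `can lead to trivial privilege escalation, docker escaping and persistence.` This text is what analysts see in the rule detail view, so the leftover reads as an error in the rule itself. The `[rule]` table continues past the end of this hunk.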
@@ -44,50 +41,52 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "Domain: Container", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "Domain: Container", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:docker and process.args:(run and --privileged) ''' -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1609" -name = "Container Administration Command" -reference = "https://attack.mitre.org/techniques/T1609/" +[[rule.threat]] +framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat.technique]] +id = "T1609" +name = "Container Administration Command" +reference = "https://attack.mitre.org/techniques/T1609/" + + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1611" name = "Escape to Host" reference = "https://attack.mitre.org/techniques/T1611/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -96,7 +95,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-14d" + + 
diff --git a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml index 26866fb15c8..b55731cca6e 100644 --- a/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml +++ b/rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml @@ -2,9 +2,7 @@ creation_date = "2024/07/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" -min_stack_version = "8.4.0" -updated_date = "2024/07/09" +updated_date = "2024/11/07" [rule] author = ["Elastic"] 
@@ -48,69 +46,71 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:dpkg and process.args:("-i" or "--install") ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" - [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" + + [rule.threat.tactic] -name = "Initial Access" id = "TA0001" +name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = 
["process.parent.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml b/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml index 4d4eded679c..ae85b369470 100644 --- a/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml +++ b/rules/linux/persistence_rpm_package_installation_from_unusual_parent.toml @@ -2,15 +2,13 @@ creation_date = "2024/07/10" integration = ["endpoint"] maturity = "production" -min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4" -min_stack_version = "8.4.0" -updated_date = "2024/07/10" +updated_date = "2024/11/07" [rule] author = ["Elastic"] description = """ This rule leverages the new_terms rule type to identify the installation of RPM packages by an unusual parent process. -RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. Attacks may backdoor RPM +RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. Attacks may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence. """ from = "now-9m" 
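Review bot: In the rpm rule's description hunk the line `Attacks may backdoor RPM` is rewritten (apparently a whitespace-only change) but the wording error survives: the subject should be `Attackers may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence.` Since this line and `updated_date` are already being touched, correcting it here avoids a second churn of the same file.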
@@ -43,69 +41,71 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "low" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and process.args:("-i" or "--install") ''' + [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1546" name = "Event Triggered Execution" reference = "https://attack.mitre.org/techniques/T1546/" - [[rule.threat.technique.subtechnique]] id = "T1546.016" name = "Installer Packages" reference = "https://attack.mitre.org/techniques/T1546/016/" -[[rule.threat.technique]] -id = "T1543" -name = "Create or Modify System Process" -reference = "https://attack.mitre.org/techniques/T1543/" [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1195" name = "Supply Chain Compromise" reference = "https://attack.mitre.org/techniques/T1195/" - [[rule.threat.technique.subtechnique]] id = "T1195.002" name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" + + [rule.threat.tactic] -name = "Initial Access" id = "TA0001" +name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" [rule.new_terms] field = "new_terms_fields" value = 
["process.parent.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d" + + diff --git a/rules/linux/privilege_escalation_dac_permissions.toml b/rules/linux/privilege_escalation_dac_permissions.toml index f21e3105255..3cf2729319a 100644 --- a/rules/linux/privilege_escalation_dac_permissions.toml +++ b/rules/linux/privilege_escalation_dac_permissions.toml @@ -2,17 +2,15 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0" -min_stack_version = "8.11.0" -updated_date = "2024/10/17" +updated_date = "2024/11/07" [rule] author = ["Elastic"] description = """ Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. The rule -identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities -include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or -CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories). +identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include +CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a +process can read any file or perform any executable permission on the directories). """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -49,14 +47,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:exec and (process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and @@ -73,14 +72,15 @@ process.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not ( ) ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" @@ -89,7 +89,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/" [rule.new_terms] field = "new_terms_fields" value = ["process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/privilege_escalation_enlightenment_window_manager.toml b/rules/linux/privilege_escalation_enlightenment_window_manager.toml index 9696ee928f8..facebb25242 100644 --- a/rules/linux/privilege_escalation_enlightenment_window_manager.toml +++ b/rules/linux/privilege_escalation_enlightenment_window_manager.toml @@ -2,9 +2,7 @@ creation_date = "2024/01/05" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0" -min_stack_version = "8.11.0" -updated_date = "2024/03/08" +updated_date = "2024/11/07" [rule] author = ["Elastic"] 
@@ -18,9 +16,7 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Privilege Escalation via Enlightenment" -references = [ - "https://ubuntu.com/security/CVE-2022-37706", - "https://www.exploit-db.com/exploits/51180"] +references = ["https://ubuntu.com/security/CVE-2022-37706", "https://www.exploit-db.com/exploits/51180"] risk_score = 73 rule_id = "bc0fc359-68db-421e-a435-348ced7a7f92" setup = """## Setup @@ -50,8 +46,16 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Use Case: Vulnerability", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.entity_id with maxspan=5s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and @@ -59,15 +63,17 @@ sequence by host.id, process.parent.entity_id with maxspan=5s [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and user.id == "0"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml index 8c972ff1b88..10697c46f3a 100644 
--- a/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml +++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml @@ -2,9 +2,7 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0" -min_stack_version = "8.11.0" -updated_date = "2024/03/08" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -50,13 +48,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entry_leader.entity_id with maxspan=1m [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "gdb" and @@ -66,24 +65,25 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=1m process.name != null and user.id == "0"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml index 73e05ff5b7f..68dcaefd123 100644 --- a/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml 
+++ b/rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml @@ -2,16 +2,14 @@ creation_date = "2024/01/09" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0" -min_stack_version = "8.11.0" -updated_date = "2024/03/08" +updated_date = "2024/11/07" [rule] author = ["Elastic"] description = """ Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which an outbound network -connection is initiated by UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to -use the ptrace system call, which is typically used for debugging and allows the process to trace and control other +connection is initiated by UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use +the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to execute shell code and gain a reverse shell with root privileges. """ @@ -50,15 +48,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entry_leader.entity_id with maxspan=30s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "gdb" and 
@@ -68,57 +67,56 @@ sequence by host.id, process.entry_leader.entity_id with maxspan=30s process.name != null and user.id == "0"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1055" name = "Process Injection" reference = "https://attack.mitre.org/techniques/T1055/" - [[rule.threat.technique.subtechnique]] id = "T1055.008" name = "Ptrace System Calls" reference = "https://attack.mitre.org/techniques/T1055/008/" + [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" - diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml index bd3cf501a50..438d47ec204 100644 
--- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml @@ -2,17 +2,15 @@ creation_date = "2024/01/08" integration = ["endpoint", "auditd_manager"] maturity = "production" -min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0" -min_stack_version = "8.11.0" -updated_date = "2024/03/08" +updated_date = "2024/11/07" [rule] author = ["Elastic"] description = """ Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the -owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership -(like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files. +owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like +reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files. """ from = "now-9m" index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"] @@ -49,14 +47,15 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" tags = [ - "Data Source: Auditd Manager", - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" - ] + "Data Source: Auditd Manager", + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.pid with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
@@ -72,14 +71,15 @@ sequence by host.id, process.pid with maxspan=1s ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" reference = "https://attack.mitre.org/techniques/T1068/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" diff --git a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml index f38a290ad77..81d2c3ef6c1 100644 --- a/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml +++ b/rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml @@ -2,9 +2,7 @@ creation_date = "2024/01/08" integration = ["endpoint"] maturity = "production" -min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0" -min_stack_version = "8.11.0" -updated_date = "2024/10/17" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -12,7 +10,7 @@ description = """ Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage -a misconfiguration for exploitation in order to escalate their privileges to root. +a misconfiguration for exploitation in order to escalate their privileges to root. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -49,13 +47,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" tags = [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" - ] + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name != null and @@ -81,9 +80,9 @@ sequence by host.id, process.entity_id with maxspan=1s and user.id == "0"] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -93,13 +92,15 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml index 6055cc39cd5..6bbf5dbfbe9 100644 --- a/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml +++ b/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml @@ -2,9 +2,7 @@ creation_date = "2020/01/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: file_access_events, process.Ext.effective_parent" -min_stack_version = "8.11.0" -updated_date = "2024/08/28" +updated_date = "2024/11/07" [rule] author = ["Elastic"] 
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "high" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml index 813d4acd2b9..4cd4dfee4f8 100644 --- a/rules/macos/defense_evasion_modify_environment_launchctl.toml +++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/14" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: required_fields, related_integrations, setup" -min_stack_version = "8.11.0" -updated_date = "2024/02/06" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "query" diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml index 18cdbe5c8b0..c6fe7a360a3 100644 
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml @@ -2,9 +2,7 @@ creation_date = "2021/01/04" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: process.Ext.effective_parent" -min_stack_version = "8.11.0" -updated_date = "2024/05/17" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -47,7 +45,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ severity = "medium" -tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Data Source: Elastic Defend", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml index 923a5586739..9d39f3a9d97 100644 --- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml +++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml @@ -2,9 +2,7 @@ creation_date = "2020/12/18" integration = ["endpoint"] maturity = "production" -min_stack_comments = "New fields added: process.Ext.effective_parent" -min_stack_version = "8.11.0" -updated_date = "2024/02/07" +updated_date = "2024/11/07" [rule] author = ["Elastic"] 
@@ -49,7 +47,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index 2c2d8a15d15..b47455ab7a1 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/12/27"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: process.Ext.effective_parent"
-min_stack_version = "8.11.0"
-updated_date = "2024/02/07"
+updated_date = "2024/11/07"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index cfc7e5bff65..8e00d539268 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: process.Ext.effective_parent"
-min_stack_version = "8.11.0"
-updated_date = "2024/02/07"
+updated_date = "2024/11/07"
 [rule]
 author = ["Elastic"]
@@ -46,7 +44,13 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules_building_block/discovery_capnetraw_capability.toml b/rules_building_block/discovery_capnetraw_capability.toml
index 34242a8dabf..7fd2ca5a2a7 100644
--- a/rules_building_block/discovery_capnetraw_capability.toml
+++ b/rules_building_block/discovery_capnetraw_capability.toml
@@ -3,20 +3,18 @@ bypass_bbr_timing = true
 creation_date = "2024/01/10"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
-min_stack_version = "8.11.0"
-updated_date = "2024/10/18"
+updated_date = "2024/11/07"
 [rule]
 author = ["Elastic"]
 building_block_type = "default"
 description = """
 Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network
-namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts,
-bypass network access controls, and otherwise tamper with host networking if a firewall is not in place
-to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within
-the available namespaces, which allows network traffic sniffing by a non root user. The rule identifies previously
-unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.
+namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass
+network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet
+types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available
+namespaces, which allows network traffic sniffing by a non root user. The rule identifies previously unknown processes
+executing with CAP_NET_RAW capabilities through the use of the new terms rule type.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
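Review bot: Removing `min_stack_comments` and `min_stack_version` in this hunk also removes the only statement in the rule that the `process.thread.capabilities.effective`/`permitted` fields it depends on were added in stack 8.11.0. That is presumably fine if the repository-wide minimum stack has been raised to 8.11.0 or later, which this hunk does not show; if it has not, the rule would still load on an older stack and would likely never match because the fields are absent. I would keep the prerequisite where a reader of the rule sees it, e.g. by appending to the description: `The Linux process capability fields used by this rule (process.thread.capabilities.effective and .permitted) were added in version 8.11.0.` The `[metadata]` header sits outside the hunk and the query that reads these fields is in the file's next hunk.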
@@ -57,24 +55,26 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Data Source: Elastic Defend",
- "Rule Type: BBR"
+ "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
+
 query = '''
 event.category:"process" and host.os.type:"linux" and event.type:"start" and event.action:"exec" and process.name:* and (process.thread.capabilities.effective:"CAP_NET_RAW" or process.thread.capabilities.permitted:"CAP_NET_RAW") and not user.id:"0"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1040"
 name = "Network Sniffing"
 reference = "https://attack.mitre.org/techniques/T1040/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
@@ -83,7 +83,8 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml b/rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
index 01db6e58132..6da7d3f2bff 100644
--- a/rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
+++ b/rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2024/01/10"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
-min_stack_version = "8.11.0"
-updated_date = "2024/03/08"
+updated_date = "2024/11/07"
 [rule]
 author = ["Elastic"]
@@ -13,7 +11,7 @@ building_block_type = "default"
 description = """
 Identifies instances where a binary is granted the CAP_SYS_ADMIN capability. In Linux, the CAP_SYS_ADMIN capability is a powerful and broad capability that allows a process to perform a range of system administration operations, such as
-mounting and unmounting filesystems, configuring network interfaces, and accessing hardware devices. Attackers may
+mounting and unmounting filesystems, configuring network interfaces, and accessing hardware devices. Attackers may
 leverage a misconfiguration for exploitation in order to escalate their privileges to root. The rule identifies previously unknown processes executing with CAP_SYS_ADMIN capabilities through the use of the new terms rule type.
 """
@@ -52,21 +50,23 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "low"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Data Source: Elastic Defend",
- "Rule Type: BBR"
- ]
-type = "new_terms"
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR",
+]
 timestamp_override = "event.ingested"
+type = "new_terms"
+
 query = '''
 event.category:"process" and host.os.type:"linux" and event.type:"start" and event.action:"exec" and process.name:* and (process.thread.capabilities.effective:"CAP_SYS_ADMIN" or process.thread.capabilities.permitted:"CAP_SYS_ADMIN") and not user.id:"0"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -78,7 +78,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["host.id", "user.id", "process.executable"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+