From 3c3ecdf31617daaf06766b5420d4f684806304db Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 27 Nov 2024 09:34:54 -0500 Subject: [PATCH] Lock versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 (#4274) * Locked versions for releases: 8.11,8.12,8.13,8.14,8.15,8.16 * Update detection_rules/etc/version.lock.json * Update Patch version for version lock changes --------- Co-authored-by: shashank-elastic Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Shashank K S (cherry picked from commit 86cc61c233c385064c4f16c0c88d2d9521c5dbdb) --- detection_rules/etc/version.lock.json | 807 +++++++++++++++++++++++--- pyproject.toml | 2 +- 2 files changed, 733 insertions(+), 76 deletions(-) diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 03447aac79e..6731bd55b43 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -1,9 +1,19 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Attempt to Modify an Okta Policy Rule", + "sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11", + "type": "query", + "version": 210 + } + }, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "561c0d51c4c4e4beb9bcd901a8b3f7be2ed94911ca0dca31faf86088f75aec7a", "type": "query", - "version": 209 + "version": 310 }, "00140285-b827-4aee-aa09-8113f58a08f3": { "min_stack_version": "8.14", 
@@ -76,10 +86,20 @@ "version": 7 }, "01c49712-25bc-49d2-a27d-d7ce52f5dc49": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", + "sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of GitHub User Interaction with Private Repo", "sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28", "type": "new_terms", - "version": 2 + "version": 103 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.14", @@ -98,10 +118,20 @@ "version": 207 }, "0294f105-d7af-4a02-ae90-35f56763ffa2": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", + "sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of GitHub Repo Interaction From a New IP", "sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e", "type": "new_terms", - "version": 2 + "version": 103 }, "02a23ee7-c8f8-4701-b99d-e9038ce313cb": { "rule_name": "Process Created with an Elevated Token", @@ -411,10 +441,20 @@ "version": 312 }, "07639887-da3a-4fbf-9532-8ce748ff8c50": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "GitHub Protected Branch Settings Changed", + "sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333", + "type": "eql", + "version": 5 + } + }, "rule_name": "GitHub Protected Branch Settings Changed", "sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91", "type": "eql", - "version": 4 + "version": 105 }, "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "rule_name": "Suspicious Proc Pseudo File System Enumeration", 
@@ -517,10 +557,20 @@ "version": 110 }, "095b6a58-8f88-4b59-827c-ab584ad4e759": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "Member Removed From GitHub Organization", + "sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a", + "type": "eql", + "version": 3 + } + }, "rule_name": "Member Removed From GitHub Organization", "sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7", "type": "eql", - "version": 2 + "version": 103 }, "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", @@ -720,10 +770,20 @@ "version": 111 }, "0e4367a0-a483-439d-ad2e-d90500b925fd": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", + "sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce", "type": "new_terms", - "version": 2 + "version": 103 }, "0e52157a-8e96-4a95-a6e3-5faae5081a74": { "rule_name": "SharePoint Malware File Upload", 
@@ -1136,10 +1196,20 @@ "version": 311 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "Successful Application SSO from Rare Unknown Client Device", + "sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "799665e748ad6c9758a0a4af1965fdd3bc188747f09e28e7ec1118da317d6a2b", "type": "new_terms", - "version": 2 + "version": 103 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", @@ -1571,10 +1641,20 @@ "version": 102 }, "1ca62f14-4787-4913-b7af-df11745a49da": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "New GitHub App Installed", + "sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe", + "type": "eql", + "version": 3 + } + }, "rule_name": "New GitHub App Installed", "sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec", "type": "eql", - "version": 2 + "version": 103 }, "1cd01db9-be24-4bef-8e7c-e923f0ff78ab": { "min_stack_version": "8.14", @@ -1593,10 +1673,20 @@ "version": 208 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "Okta Sign-In Events via Third-Party IdP", + "sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e", + "type": "query", + "version": 5 + } + }, "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "b6e0d858fa2ce9ed087727cbe4fdca6b72491a94f2b9d7d418aff036ded365e3", "type": "query", - "version": 4 + "version": 105 }, "1d276579-3380-4095-ad38-e596a01bc64f": { "min_stack_version": "8.14", 
@@ -1755,10 +1845,20 @@ "version": 106 }, "1e9b271c-8caa-4e20-aed8-e91e34de9283": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", + "sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b", "type": "new_terms", - "version": 2 + "version": 103 }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", @@ -2025,17 +2125,36 @@ "version": 3 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", + "previous": { + "8.13": { + "max_allowable_version": 102, + "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", + "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", + "type": "esql", + "version": 3 + } + }, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", "sha256": "8d389b42a08d52081e9578cc3b0867436b3a199a86d907384f5a6bbd857965a1", "type": "esql", - "version": 3 + "version": 103 }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "New GitHub Owner Added", + "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", + "type": "eql", + "version": 5 + } + }, "rule_name": "New GitHub Owner Added", "sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6", "type": "eql", - "version": 4 + "version": 105 }, "25224a80-5a4a-4b8a-991e-6ab390465c4f": { "min_stack_version": "8.14", 
@@ -2095,10 +2214,20 @@ "version": 1 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "New Okta Authentication Behavior Detected", + "sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a", + "type": "query", + "version": 5 + } + }, "rule_name": "New Okta Authentication Behavior Detected", "sha256": "33842fbf7fc226966855416ba8a5ac52112cf62c408fa0b5fa3420f4941cbb76", "type": "query", - "version": 4 + "version": 105 }, "2605aa59-29ac-4662-afad-8d86257c7c91": { "rule_name": "Potential Suspicious DebugFS Root Device Access", @@ -2411,10 +2540,20 @@ "version": 415 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "New Okta Identity Provider (IdP) Added by Admin", + "sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47", + "type": "query", + "version": 4 + } + }, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "953c407d8ef9a6d6bfd9326baf1d26551ef58ef6df60ad6f153d5cfd92b78211", "type": "query", - "version": 3 + "version": 104 }, "29ef5686-9b93-433e-91b5-683911094698": { "rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line", @@ -2660,7 +2799,7 @@ "version": 105 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", "previous": { "8.11": { "max_allowable_version": 100, 
@@ -2668,12 +2807,19 @@ "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", "type": "threshold", "version": 1 + }, + "8.13": { + "max_allowable_version": 202, + "rule_name": "Okta User Sessions Started from Different Geolocations", + "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", + "type": "esql", + "version": 103 } }, "rule_name": "Okta User Sessions Started from Different Geolocations", "sha256": "2d8cbe2bb53447876fb8943d0ef49ddbf04681215f96661df3c86af0602ba9ac", "type": "esql", - "version": 103 + "version": 203 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", @@ -2938,10 +3084,20 @@ "version": 1 }, "345889c4-23a8-4bc0-b7ca-756bd17ce83b": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 101, + "rule_name": "GitHub Repository Deleted", + "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", + "type": "eql", + "version": 2 + } + }, "rule_name": "GitHub Repository Deleted", "sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744", "type": "eql", - "version": 2 + "version": 102 }, "349276c0-5fcf-11ef-b1a9-f661ea17fbce": { "rule_name": "AWS CLI Command with Custom Endpoint URL", @@ -3104,10 +3260,20 @@ "version": 206 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Attempted Bypass of Okta MFA", + "sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4", + "type": "query", + "version": 210 + } + }, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "2c41bd41d4c6255bf8ef120778c88fea260a76f8400e445def9e9ebb1b6bf146", "type": "query", - "version": 209 + "version": 310 }, "3838e0e3-1850-4850-a411-2e8c5ba40ba8": { "min_stack_version": "8.14", 
@@ -3260,10 +3426,20 @@ "version": 103 }, "3af4cb9b-973f-4c54-be2b-7623c0e21b2b": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of IP Address For GitHub User", + "sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of IP Address For GitHub User", "sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54", "type": "new_terms", - "version": 2 + "version": 103 }, "3b382770-efbb-44f4-beed-f5e0a051b895": { "rule_name": "Malware - Prevented - Elastic Endgame", @@ -3526,10 +3702,20 @@ "version": 107 }, "4030c951-448a-4017-a2da-ed60f6d14f4f": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "GitHub User Blocked From Organization", + "sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6", + "type": "eql", + "version": 3 + } + }, "rule_name": "GitHub User Blocked From Organization", "sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e", "type": "eql", - "version": 2 + "version": 103 }, "403ef0d3-8259-40c9-a5b6-d48354712e49": { "min_stack_version": "8.14", @@ -3590,10 +3776,20 @@ "version": 313 }, "41761cd3-380f-4d4d-89f3-46d6853ee35d": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "First Occurrence of User-Agent For a GitHub User", + "sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d", + "type": "new_terms", + "version": 3 + } + }, "rule_name": "First Occurrence of User-Agent For a GitHub User", "sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952", "type": "new_terms", - "version": 2 + "version": 103 }, "41824afb-d68c-4d0e-bfee-474dac1fa56e": { "rule_name": "EggShell Backdoor Execution", 
@@ -3627,10 +3823,20 @@ "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 310, + "rule_name": "Okta Brute Force or Password Spraying Attack", + "sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8", + "type": "threshold", + "version": 211 + } + }, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "28b663b19f5cf5fbe270dd54c5a6ab816765dd4ff6cb1fc3f6501ac8c353a669", "type": "threshold", - "version": 210 + "version": 311 }, "42eeee3d-947f-46d3-a14d-7036b962c266": { "min_stack_version": "8.14", @@ -4191,10 +4397,20 @@ "version": 209 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Unauthorized Access to an Okta Application", + "sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269", + "type": "query", + "version": 209 + } + }, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "872ca06a3df823a9c316611272ac1752aab862fc1e64862d1975653a142152bd", "type": "query", - "version": 208 + "version": 309 }, "4f855297-c8e0-4097-9d97-d653f7e471c4": { "min_stack_version": "8.13", @@ -4227,10 +4443,20 @@ "version": 313 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", + "sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb", + "type": "threshold", + "version": 5 + } + }, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "80783610742a22be0730b4d1eb9099aba07a76dd22481771f6f15a4c8175b408", "type": "threshold", - "version": 4 + "version": 105 }, "50a2bdea-9876-11ef-89db-f661ea17fbcd": { "rule_name": "AWS SSM Command Document Created by Rare User", 
@@ -4577,10 +4803,20 @@ "version": 107 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", + "sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a", + "type": "eql", + "version": 4 + } + }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "fd2d0b18230dba57e262ff15ef178339f367f10a09d997ff14b5585bb959da00", "type": "eql", - "version": 3 + "version": 104 }, "56557cde-d923-4b88-adee-c61b3f3b5dc3": { "min_stack_version": "8.14", @@ -5191,10 +5427,20 @@ "version": 208 }, "61336fe6-c043-4743-ab6e-41292f439603": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "New User Added To GitHub Organization", + "sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8", + "type": "eql", + "version": 3 + } + }, "rule_name": "New User Added To GitHub Organization", "sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4", "type": "eql", - "version": 2 + "version": 103 }, "61766ef9-48a5-4247-ad74-3349de7eb2ad": { "min_stack_version": "8.14", 
@@ -5258,11 +5504,21 @@ "version": 212 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { - "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff", - "type": "threshold", - "version": 4 - }, + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "Multiple Okta Sessions Detected for a Single User", + "sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba", + "type": "threshold", + "version": 5 + } + }, + "rule_name": "Multiple Okta Sessions Detected for a Single User", + "sha256": "423576354e7f258eab160410c869e75f9565dc6738adb0dc8d2474ac3bdd4cff", + "type": "threshold", + "version": 105 + }, "622ecb68-fa81-4601-90b5-f8cd661e4520": { "min_stack_version": "8.14", "previous": { @@ -5425,10 +5681,20 @@ "version": 6 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", + "sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576", + "type": "new_terms", + "version": 4 + } + }, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "adcbaa2beb059aabf96136315cfbe4630927b47551e9f53b583a61d7090ba20d", "type": "new_terms", - "version": 3 + "version": 104 }, "665e7a4f-c58e-4fc6-bc83-87a7572670ac": { "min_stack_version": "8.14", 
@@ -5487,10 +5753,20 @@ "version": 113 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Modify an Okta Policy", + "sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "391ca8b8d0dd19a954d1ac1c6117a4872d96d26fecde5c6fae0235674ac4c876", "type": "query", - "version": 208 + "version": 309 }, "675239ea-c1bc-4467-a6d3-b9e2cc7f676d": { "rule_name": "O365 Mailbox Audit Logging Bypass", @@ -5499,10 +5775,20 @@ "version": 206 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Revoke Okta API Token", + "sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "ebbf273668b9ef832b26d92e659fded91a08edff772f6a8634ed0197355161f7", "type": "query", - "version": 208 + "version": 309 }, "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { "rule_name": "SMTP to the Internet", @@ -5552,10 +5838,20 @@ "version": 207 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Okta ThreatInsight Threat Suspected Promotion", + "sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f", + "type": "query", + "version": 208 + } + }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "1f980273037b0848fed3861a25a250eff82adc719350a67dc34aaa61565776ac", "type": "query", - "version": 207 + "version": 308 }, "68921d85-d0dc-48b3-865f-43291ca2c4f2": { "min_stack_version": "8.14", 
@@ -5816,10 +6112,20 @@ "version": 308 }, "6cea88e4-6ce2-4238-9981-a54c140d6336": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "GitHub Repo Created", + "sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09", + "type": "eql", + "version": 3 + } + }, "rule_name": "GitHub Repo Created", "sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126", "type": "eql", - "version": 2 + "version": 103 }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "min_stack_version": "8.14", @@ -5970,10 +6276,20 @@ "version": 100 }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 103, + "rule_name": "First Occurrence of Okta User Session Started via Proxy", + "sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d", + "type": "new_terms", + "version": 4 + } + }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "7563691fd12cf3117704e5a587b34b6e55fca8fa5c50b684ee99bb65466e4ec9", "type": "new_terms", - "version": 3 + "version": 104 }, "6f435062-b7fc-4af9-acea-5b1ead65c5a5": { "rule_name": "Google Workspace Role Modified", @@ -6104,10 +6420,20 @@ "version": 3 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", + "sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "7df6d7af1f3b05fb54ceeb51357f79b43fe4a413cda240a9e75414376bf20cff", "type": "query", - "version": 208 + "version": 309 }, "72d33577-f155-457d-aad3-379f9b750c97": { "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", 
@@ -7084,16 +7410,36 @@ "version": 6 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 105, + "rule_name": "Potential Okta MFA Bombing via Push Notifications", + "sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031", + "type": "eql", + "version": 6 + } + }, "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "0b71b3bc220b822bcf49d55aaf5b6e785379cd4a77023a808ba154f6233e0a7d", "type": "eql", - "version": 5 + "version": 106 }, "8a0fd93a-7df8-410d-8808-4cc5e340f2b9": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 102, + "rule_name": "GitHub PAT Access Revoked", + "sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4", + "type": "eql", + "version": 3 + } + }, "rule_name": "GitHub PAT Access Revoked", "sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5", "type": "eql", - "version": 2 + "version": 103 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "rule_name": "SUID/SGID Bit Set", @@ -7118,10 +7464,20 @@ "version": 208 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Deactivate an Okta Network Zone", + "sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "3d7de8f86edaeb3db241b7eb724790d7411ef73463ccc7cfed7ede991cf9d3e3", "type": "query", - "version": 208 + "version": 309 }, "8acb7614-1d92-4359-bfcf-478b6d9de150": { "rule_name": "Deprecated - Suspicious JAVA Child Process", 
@@ -7595,11 +7951,20 @@ "version": 210 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", + "previous": { + "8.13": { + "max_allowable_version": 102, + "rule_name": "Multiple Okta User Authentication Events with Client Address", + "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", + "type": "esql", + "version": 3 + } + }, "rule_name": "Multiple Okta User Authentication Events with Client Address", "sha256": "15d93711d02522f4cc0cb04625d1b2a3213f4b14abf4e42b9b10f1f7fbdcb380", "type": "esql", - "version": 3 + "version": 103 }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", @@ -7656,11 +8021,26 @@ "version": 210 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", + "previous": { + "8.13": { + "max_allowable_version": 102, + "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", + "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", + "type": "esql", + "version": 3 + } + }, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", "sha256": "96b9820b5e4c84ca9db4bfedf6a6ed4f52d60865ad849274c922a4f9218be379", "type": "esql", - "version": 3 + "version": 103 + }, + "962a71ae-aac9-11ef-9348-f661ea17fbce": { + "rule_name": "AWS STS AssumeRoot by Rare User and Member Account", + "sha256": "85feced66a2d2b2c88a257f2aa26916b9bff95d08871035e142b35191149d8cd", + "type": "new_terms", + "version": 1 }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", 
@@ -7675,10 +8055,20 @@ "version": 112 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Attempt to Create Okta API Token", + "sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d", + "type": "query", + "version": 208 + } + }, "rule_name": "Attempt to Create Okta API Token", "sha256": "2cdb992ac7d1102df02c4ebc8d329dc538c2e5c9c67ca727b0e130a3ad873b19", "type": "query", - "version": 207 + "version": 308 }, "96d11d31-9a79-480f-8401-da28b194608f": { "rule_name": "Message-of-the-Day (MOTD) File Creation", @@ -7733,10 +8123,20 @@ "version": 207 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 311, + "rule_name": "Potentially Successful MFA Bombing via Push Notifications", + "sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee", + "type": "eql", + "version": 212 + } + }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "008509519ef384a0fe13547767628714a007b44d9504b72e47cd06f58eda5286", "type": "eql", - "version": 211 + "version": 312 }, "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.14", @@ -7971,10 +8371,20 @@ "version": 4 }, "9b343b62-d173-4cfd-bd8b-e6379f964ca4": { + "min_stack_version": "8.12", + "previous": { + "8.11": { + "max_allowable_version": 104, + "rule_name": "GitHub Owner Role Granted To User", + "sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c", + "type": "eql", + "version": 5 + } + }, "rule_name": "GitHub Owner Role Granted To User", "sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68", "type": "eql", - "version": 4 + "version": 105 }, "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": { "min_stack_version": "8.14", 
@@ -9201,10 +9611,20 @@ "version": 105 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Delete an Okta Policy", + "sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "2809e87ba46854079f02b132262f4babb3421ed1439ed5a93fa93365d8bfc5d9", "type": "query", - "version": 208 + "version": 309 }, "b51dbc92-84e2-4af1-ba47-65183fcd0c57": { "rule_name": "Potential Privilege Escalation via OverlayFS", @@ -9332,10 +9752,20 @@ "version": 103 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Deactivate an Okta Policy", + "sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "22ed71c03d4cb3f48d0f982ba99da15abf24f3e69cca06212522c11dbd8b7c48", "type": "query", - "version": 208 + "version": 309 }, "b7c05aaf-78c2-4558-b069-87fa25973489": { "rule_name": "Potential Buffer Overflow Attack Detected", @@ -9344,10 +9774,20 @@ "version": 3 }, "b8075894-0b62-46e5-977c-31275da34419": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Administrator Privileges Assigned to an Okta Group", + "sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60", + "type": "query", + "version": 208 + } + }, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "f93d27a63ab602b347414513ec2b4a19c4b61d0750629e5f80bb1721d7e397ff", "type": "query", - "version": 207 + "version": 308 }, "b81bd314-db5b-4d97-82e8-88e3e5fc9de5": { "rule_name": "Linux System Information Discovery", 
@@ -10221,16 +10661,36 @@ "version": 2 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 308, + "rule_name": "Attempt to Delete an Okta Network Zone", + "sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4", + "type": "query", + "version": 209 + } + }, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "fe87eee2d50e3c74804fe1e519a14befd42e90b5b03257628e7406389d455ab9", "type": "query", - "version": 208 + "version": 309 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 307, + "rule_name": "Attempt to Modify an Okta Application", + "sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd", + "type": "query", + "version": 208 + } + }, "rule_name": "Attempt to Modify an Okta Application", "sha256": "74a88132078b114dc023a5b61f024dc9362e64c23274b892eed47d376b0d4010", "type": "query", - "version": 207 + "version": 308 }, "c75d0c86-38d6-4821-98a1-465cff8ff4c8": { "rule_name": "Egress Connection from Entrypoint in Container", @@ -10431,7 +10891,7 @@ "version": 106 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { - "min_stack_version": "8.13", + "min_stack_version": "8.14", "previous": { "8.11": { "max_allowable_version": 101, 
@@ -10439,12 +10899,19 @@ "sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5", "type": "threshold", "version": 2 + }, + "8.13": { + "max_allowable_version": 203, + "rule_name": "Multiple Device Token Hashes for Single Okta Session", + "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", + "type": "esql", + "version": 104 } }, "rule_name": "Multiple Device Token Hashes for Single Okta Session", "sha256": "07fd1e33169ef40013d3c92bad14a349d83f6cf1d02d3c9faf3fc74d657e0f1f", "type": "esql", - "version": 104 + "version": 204 }, "cc653d77-ddd2-45b1-9197-c75ad19df66c": { "rule_name": "Potential Data Exfiltration Activity to an Unusual IP Address", @@ -10465,10 +10932,20 @@ "version": 104 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { + "min_stack_version": "8.14", + "previous": { + "8.11": { + "max_allowable_version": 309, + "rule_name": "Attempt to Deactivate an Okta Policy Rule", + "sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf", + "type": "query", + "version": 210 + } + }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "fd0aba3ff53989f01ee9078c0ea58ce24c9e6d309d6e62d54aaaf02f41f7d74e", "type": "query", - "version": 209 + "version": 310 }, "ccc55af4-9882-4c67-87b4-449a7ae8079c": { "rule_name": "Potential Process Herpaderping Attempt", 
@@ -10477,10 +10954,20 @@
 "version": 105
 },
 "cd16fb10-0261-46e8-9932-a0336278cdbe": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 308,
+ "rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
+ "sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c",
+ "type": "query",
+ "version": 209
+ }
+ },
 "rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
 "sha256": "7e8147176fd51e46174c3524a9048c6878bdbb752d019c933df10a94925297d4",
 "type": "query",
- "version": 208
+ "version": 309
 },
 "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": {
 "rule_name": "Socat Process Activity",
@@ -10507,16 +10994,36 @@
 "version": 3
 },
 "cd89602e-9db0-48e3-9391-ae3bf241acd8": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 310,
+ "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
+ "sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31",
+ "type": "eql",
+ "version": 211
+ }
+ },
 "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
 "sha256": "7f705d4fdcc46721e2773e18dad5230ea702911cc032bd3fac545a16e0119857",
 "type": "eql",
- "version": 210
+ "version": 311
 },
 "cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 309,
+ "rule_name": "Okta User Session Impersonation",
+ "sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7",
+ "type": "query",
+ "version": 210
+ }
+ },
 "rule_name": "Okta User Session Impersonation",
 "sha256": "0b588a73db66fc4e366209fa591307051cc0be8902e926d0e3c63e42df1695b4",
 "type": "query",
- "version": 209
+ "version": 310
 },
 "cde1bafa-9f01-4f43-a872-605b678968b0": {
 "min_stack_version": "8.14",
@@ -10548,10 +11055,20 @@
 "version": 2
 },
 "ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
+ "min_stack_version": "8.12",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 102,
+ "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
+ "sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
+ "type": "new_terms",
+ "version": 3
+ }
+ },
 "rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
 "sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14",
 "type": "new_terms",
- "version": 2
+ "version": 103
 },
 "ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
 "min_stack_version": "8.14",
@@ -10808,10 +11325,20 @@
 "version": 1
 },
 "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 307,
+ "rule_name": "Attempt to Delete an Okta Application",
+ "sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb",
+ "type": "query",
+ "version": 208
+ }
+ },
 "rule_name": "Attempt to Delete an Okta Application",
 "sha256": "11f05dcf8137ce57f2d00d46f6ca15ed79efcce76b106b9790f8b24272236a4d",
 "type": "query",
- "version": 207
+ "version": 308
 },
 "d49cc73f-7a16-4def-89ce-9fc7127d7820": {
 "rule_name": "Web Application Suspicious Activity: sqlmap User Agent",
@@ -10873,10 +11400,20 @@
 "version": 308
 },
 "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 308,
+ "rule_name": "Attempt to Delete an Okta Policy Rule",
+ "sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e",
+ "type": "query",
+ "version": 209
+ }
+ },
 "rule_name": "Attempt to Delete an Okta Policy Rule",
 "sha256": "039f4a7ce95ec9e9263fde6e222baf44ab21a47719f820afe63cdbd7442a1af2",
 "type": "query",
- "version": 208
+ "version": 309
 },
 "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
 "min_stack_version": "8.14",
@@ -11524,10 +12061,20 @@
 "version": 109
 },
 "e08ccd49-0380-4b2b-8d71-8000377d6e49": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 310,
+ "rule_name": "Attempts to Brute Force an Okta User Account",
+ "sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068",
+ "type": "threshold",
+ "version": 211
+ }
+ },
 "rule_name": "Attempts to Brute Force an Okta User Account",
 "sha256": "9bfcd68bbf114751fd78efc3b74026c22f9b576e4f7985482325cf2bdff6e238",
 "type": "threshold",
- "version": 210
+ "version": 311
 },
 "e0cc3807-e108-483c-bf66-5a4fbe0d7e89": {
 "rule_name": "Potentially Suspicious Process Started via tmux or screen",
@@ -11756,10 +12303,20 @@
 "version": 105
 },
 "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 308,
+ "rule_name": "Attempt to Modify an Okta Network Zone",
+ "sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3",
+ "type": "query",
+ "version": 209
+ }
+ },
 "rule_name": "Attempt to Modify an Okta Network Zone",
 "sha256": "f18c885e92e617b8feda9dc5a5cbd8c23e84c073e585485a552b5c4f9c86d1c5",
 "type": "query",
- "version": 208
+ "version": 309
 },
 "e4e31051-ee01-4307-a6ee-b21b186958f4": {
 "min_stack_version": "8.14",
@@ -11818,10 +12375,20 @@
 "version": 107
 },
 "e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 307,
+ "rule_name": "Possible Okta DoS Attack",
+ "sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e",
+ "type": "query",
+ "version": 208
+ }
+ },
 "rule_name": "Possible Okta DoS Attack",
 "sha256": "048e2b732c95e535f676081e8685ce53b76cd8569c7d433cc82e6fef1a54b579",
 "type": "query",
- "version": 207
+ "version": 308
 },
 "e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
 "rule_name": "Screensaver Plist File Modified by Unexpected Process",
@@ -11994,10 +12561,20 @@
 "version": 107
 },
 "e90ee3af-45fc-432e-a850-4a58cf14a457": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 310,
+ "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
+ "sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4",
+ "type": "threshold",
+ "version": 211
+ }
+ },
 "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
 "sha256": "d11da02598d181a9b5b98bd81d2ed0fa75917c9272927db866e2ca9fe71a1425",
 "type": "threshold",
- "version": 210
+ "version": 311
 },
 "e919611d-6b6f-493b-8314-7ed6ac2e413b": {
 "rule_name": "AWS EC2 VM Export Failure",
@@ -12277,10 +12854,20 @@
 "version": 314
 },
 "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 308,
+ "rule_name": "Attempt to Deactivate an Okta Application",
+ "sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05",
+ "type": "query",
+ "version": 209
+ }
+ },
 "rule_name": "Attempt to Deactivate an Okta Application",
 "sha256": "7355fba3ce55aec17442765a90407b699e366f736cc86d29b33b49d60ef6041a",
 "type": "query",
- "version": 208
+ "version": 309
 },
 "edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
 "min_stack_version": "8.14",
@@ -12312,10 +12899,20 @@
 "version": 6
 },
 "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 205,
+ "rule_name": "Okta FastPass Phishing Detection",
+ "sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c",
+ "type": "query",
+ "version": 106
+ }
+ },
 "rule_name": "Okta FastPass Phishing Detection",
 "sha256": "c7814e9adfd30ef636099ce00d44774b41fdd034978678ed1f1da809a6766c54",
 "type": "query",
- "version": 105
+ "version": 206
 },
 "ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
 "min_stack_version": "8.14",
@@ -12414,10 +13011,20 @@
 "version": 108
 },
 "f06414a6-f2a4-466d-8eba-10f85e8abf71": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 307,
+ "rule_name": "Administrator Role Assigned to an Okta User",
+ "sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6",
+ "type": "query",
+ "version": 208
+ }
+ },
 "rule_name": "Administrator Role Assigned to an Okta User",
 "sha256": "54113f776052fa20104f5a9fcf0ba1657432f62c148fdb06fefd8b06f63651d1",
 "type": "query",
- "version": 207
+ "version": 308
 },
 "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
 "rule_name": "Quarantine Attrib Removed by Unsigned or Untrusted Process",
@@ -13002,10 +13609,20 @@
 "version": 101
 },
 "f94e898e-94f1-4545-8923-03e4b2866211": {
+ "min_stack_version": "8.12",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 102,
+ "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
+ "sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0",
+ "type": "new_terms",
+ "version": 3
+ }
+ },
 "rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
 "sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737",
 "type": "new_terms",
- "version": 2
+ "version": 103
 },
 "f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
 "rule_name": "Unusual Linux Network Configuration Discovery",
@@ -13059,10 +13676,20 @@
 "version": 110
 },
 "f994964f-6fce-4d75-8e79-e16ccc412588": {
+ "min_stack_version": "8.14",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 307,
+ "rule_name": "Suspicious Activity Reported by Okta User",
+ "sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b",
+ "type": "query",
+ "version": 208
+ }
+ },
 "rule_name": "Suspicious Activity Reported by Okta User",
 "sha256": "aacb2192034b6b4b84c04bf19680030dac7c1101a41ba402d20ac154cf89f317",
 "type": "query",
- "version": 207
+ "version": 308
 },
 "fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
 "min_stack_version": "8.14",
@@ -13151,10 +13778,20 @@
 "version": 208
 },
 "fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
+ "min_stack_version": "8.12",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 102,
+ "rule_name": "High Number of Cloned GitHub Repos From PAT",
+ "sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
+ "type": "threshold",
+ "version": 3
+ }
+ },
 "rule_name": "High Number of Cloned GitHub Repos From PAT",
 "sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4",
 "type": "threshold",
- "version": 2
+ "version": 103
 },
 "fb9937ce-7e21-46bf-831d-1ad96eac674d": {
 "rule_name": "Auditd Max Failed Login Attempts",
@@ -13192,10 +13829,20 @@
 "version": 309
 },
 "fc909baa-fb34-4c46-9691-be276ef4234c": {
+ "min_stack_version": "8.12",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 102,
+ "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
+ "sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf",
+ "type": "new_terms",
+ "version": 3
+ }
+ },
 "rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
 "sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010",
 "type": "new_terms",
- "version": 2
+ "version": 103
 },
 "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": {
 "rule_name": "User or Group Creation/Modification",
@@ -13204,10 +13851,20 @@
 "version": 3
 },
 "fd01b949-81be-46d5-bcf8-284395d5f56d": {
+ "min_stack_version": "8.12",
+ "previous": {
+ "8.11": {
+ "max_allowable_version": 102,
+ "rule_name": "GitHub App Deleted",
+ "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
+ "type": "eql",
+ "version": 3
+ }
+ },
 "rule_name": "GitHub App Deleted",
 "sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7",
 "type": "eql",
- "version": 2
+ "version": 103
 },
 "fd332492-0bc6-11ef-b5be-f661ea17fbcc": {
 "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag",
diff --git a/pyproject.toml b/pyproject.toml
index ffa859a282f..6e8a158f2e7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.2.0"
+version = "0.2.1"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"