Merge branch 'main' into mactuner

DefSecSentinel · web-flow · commit 28dddd9ca81a · 2025-03-20T06:54:49.000-05:00
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad","okta"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad","okta"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad","okta"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad","okta"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad","okta"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad","okta"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad","okta"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad","okta"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad","okta"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
@@ -3,6 +3,8 @@ creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
 updated_date = "2025/02/18"
+min_stack_version = "8.18.0"
+min_stack_comments = "New PAD integration only available starting at 8.18.0."
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/02/03"
+updated_date = "2025/03/19"
 
 [transform]
 [[transform.osquery]]
@@ -133,8 +133,7 @@ event.category:process and host.os.type:windows and
   powershell.file.script_block_text : (
     "[System.Reflection.Assembly]::Load" or
     "[Reflection.Assembly]::Load" or
-    "Assembly.Load(" or
-    "System.Reflection"
+    "Assembly.Load("
   ) and
   not powershell.file.script_block_text : (
         ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and
